Kernel Bug Tracker – Bug 12076
Security issue in DebugFS part of ath5k
Last modified: 2008-12-01 15:12:17 UTC
When DebugFS is activated in the kernel, some distros auto-mount it in /sys/kernel/debug, and permissions to reset the card, set debug and other stuff are wide open to any user. reset being set to 0222 allows anyone to reset the card anytime (and on my computer it crashes the whole thing).
I would suggest removing any write access to users for all the files created in ath5k/debug.c and even read permissions to user and group to be more secure.
I've made a patch to fix it, it's very simple to fix it:
but I don't have that hardware, please test it if you have it.
I had a similar patch, which I forgot to attach, that I submitted to the ath5k tracker, but this one is even better because it uses S_I* constants. Here is the result of the test:
p4 sys # ls /sys/kernel/debug/ath5k/phy0/ -l
-rw-rw-rw- 1 root root 0 2008-11-23 10:41 beacon
-rw-rw-rw- 1 root root 0 2008-11-23 10:41 debug
-r--r--r-- 1 root root 0 2008-11-23 10:41 registers
--w--w--w- 1 root root 0 2008-11-23 10:41 reset
-rw-rw-rw- 1 root root 0 2008-11-23 10:41 tsf
p4 sys # cd /usr/src/linux
p4 linux # patch -p1 -i ../linux-2.6.27-gentoo-r1/perm.patch
patching file drivers/net/wireless/ath5k/debug.c
p4 linux # make modules
p4 linux # rmmod ath5k
p4 linux # insmod drivers/net/wireless/ath5k/ath5k.ko
p4 linux # ls /sys/kernel/debug/ath5k/phy1/ -l
-rw-r--r-- 1 root root 0 2008-11-23 11:39 beacon
-rw-r--r-- 1 root root 0 2008-11-23 11:39 debug
-r--r--r-- 1 root root 0 2008-11-23 11:39 registers
--w------- 1 root root 0 2008-11-23 11:39 reset
-rw-r--r-- 1 root root 0 2008-11-23 11:39 tsf
Seems perfect! Thanks.
This is fixed by:
Author: Cheng Renquan <email@example.com>
Date: Sat Nov 22 11:22:49 2008 +0800
ath5k: fix Security issue in DebugFS part of ath5k
Remove any write access to groups and others, only keep write permission
to its owner, usually only root user.
Reported-by: Jérôme Poulin <firstname.lastname@example.org>
Signed-off-by: Cheng Renquan <email@example.com>
Signed-off-by: John W. Linville <firstname.lastname@example.org>
It just needs to be propagated to the other kernels.
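
The check done by eye in the two `ls -l` listings above, written as a reusable audit; this is an added example, not part of the bug thread or the ath5k patch. The function and fixture names are hypothetical, and the fixture is a constructed set of ordinary files carrying the modes shown in the listings, not a real debugfs mount.

```shell
#!/bin/sh
# Added example (not from the bug thread): audit a debugfs-style tree for
# files that group or other can write, the condition reported above.

# Print `ls -ld` lines for offending files; return 1 if any exist, else 0.
audit_debugfs_perms() {
    root=${1:-/sys/kernel/debug}    # mount point named in the report
    # -perm -020 / -perm -002 match S_IWGRP / S_IWOTH being set.
    hits=$(find "$root" -type f \( -perm -020 -o -perm -002 \) \
               -exec ls -ld {} \; 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed fixture: ordinary files carrying the modes from the two
# listings in the thread (before and after the patch). Not real debugfs.
make_fixture() {
    dir=$1; shift
    mkdir -p "$dir"
    for spec in "$@"; do            # spec is name:mode
        : > "$dir/${spec%%:*}"
        chmod "${spec##*:}" "$dir/${spec%%:*}"
    done
}

demo=$(mktemp -d)
make_fixture "$demo/before" beacon:0666 debug:0666 registers:0444 reset:0222 tsf:0666
make_fixture "$demo/after"  beacon:0644 debug:0644 registers:0444 reset:0200 tsf:0644

for state in before after; do
    if audit_debugfs_perms "$demo/$state" >/dev/null; then
        echo "$state: clean"
    else
        echo "$state: group/other-writable entries present"
    fi
done
rm -rf "$demo"
```

Run as root with no argument, `audit_debugfs_perms` walks the real /sys/kernel/debug mount and covers every driver's debugfs files, not only ath5k's.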