catalinv-ncc opened a new issue, #19410:
URL: https://github.com/apache/nuttx/issues/19410

   ### Description / Steps to reproduce the issue
   
   ## Impact
   
   In kernel builds, any unprivileged process running on the NuttX device can 
open `/dev/efuse` and attempt to read/write fuse content. Reading the fuses may 
provide valuable information to an attacker controlling the user process. The 
write operation, in extreme cases where the fuse blocks are not locked, may 
brick the device.
   
   ## Description
   
   There are multiple such cases throughout the NuttX kernel drivers, for 
brevity only one instance is presented in this finding.
   
   The mode argument `0666` gives read and write permissions to the owner, the 
group, and others (world). Also, there are no privilege checks for the 
`ioctl()` operation. The driver is registered (with `/dev/efuse` path) from 
bringup code of various boards that support NuttX. An attacker who controls an 
unprivileged user may be able to read and write fuse content through 
`EFUSEIOC_READ_FIELD` and `EFUSEIOC_WRITE_FIELD` ioctl commands (read and write 
operations are stubbed out).
   
   ```c
   static const struct file_operations g_efuseops =
   {
     NULL,        /* open */
     NULL,        /* close */
     efuse_read,  /* read */
     efuse_write, /* write */
     NULL,        /* seek */
     efuse_ioctl, /* ioctl */
   };
   
   FAR void *efuse_register(FAR const char *path, FAR struct efuse_lowerhalf_s 
*lower)
   {
   ...
     /* Register the efuse timer device */
     ret = register_driver(path, &g_efuseops, 0666, upper);
     if (ret < 0)
       {
         merr("register_driver failed: %d\n", ret);
         goto errout_with_path;
       }
   ...
   }
   ```
   
   ## Recommendation
   
   Update function as follows: `register_driver(path, &g_efuseops, 0600, 
upper)`. If required, `0660` is also acceptable if a dedicated group requires 
access to `/etc/efuse`.
   
   Review all the kernel code and ensure that only the drivers that need to be 
world readable and writable are configured in that way.
   
   
   ### On which OS does this issue occur?
   
   [OS: Linux]
   
   ### What is the version of your OS?
   
   Ubuntu 24.04
   
   ### NuttX Version
   
   master
   
   ### Issue Architecture
   
   [Arch: all]
   
   ### Issue Area
   
   [Area: Drivers]
   
   ### Host information
   
   _No response_
   
   ### Verification
   
   - [x] I have verified before submitting the report.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to