Bug 146105 - CVE-2005-0504 moxa CAP_SYS_RAWIO missing (-unsupported)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
3.0
ia64 Linux
medium Severity medium
Assigned To: Brian Maly
Brian Brock
impact=moderate,public=20050110
: Security
Blocks: 156320
Reported: 2005-01-25 08:11 EST by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHSA-2005-663
Doc Type: Bug Fix
Last Closed: 2005-09-28 10:45:04 EDT
Description Mark J. Cox (Product Security) 2005-01-25 08:11:44 EST
*** This bug has been split off bug 146102 ***

------- Original comment by Mark J. Cox (Security Response Team) on 2005.01.25
08:07 -------

The moxa char driver is missing a CAP_SYS_RAWIO check which could allow a local
user the ability to do things like replace the firmware.  This is already fixed
in 2.4-bk and in 2.6.10-ac7 from Alan Cox (although it's omitted from 2.6.10-ac10).

Patch available:
http://linux.bkbits.net:8080/linux-2.4/cset@41e2c5fb3htiRRycYu5I4skGWXcv5g

Note moxa is unsupported
Comment 2 Ernie Petrides 2005-04-27 22:44:43 EDT
Reassigning to Brian.

Brian, Jason posted a Pensacola patch to RHKL here:

http://post-office.corp.redhat.com/archives/rhkernel-list/2005-April/msg00001.html

There were two acks but one objection, though.
Comment 3 Brian Maly 2005-04-28 17:25:50 EDT
Posted the following patch to rhkernel-list (pending approval)



--- drivers/char/moxa.c.orig    2005-04-28 11:40:34.000000000 -0400
+++ drivers/char/moxa.c 2005-04-28 11:45:44.000000000 -0400
@@ -905,6 +905,8 @@ static int moxa_ioctl(struct tty_struct 
        case TIOCSSERIAL:
                return (moxa_set_serial_info(ch, (struct serial_struct *) arg));
        default:
+               if(!capable(CAP_SYS_ADMIN))
+                       return -EACCES;
                retval = MoxaDriverIoctl(cmd, arg, port);
        }
        return (retval);
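
Review bot: the check added in the default: branch of moxa_ioctl tests CAP_SYS_ADMIN, but this bug is filed as a missing CAP_SYS_RAWIO check, so the capability does not match the one the report names; either test CAP_SYS_RAWIO here or explain in a comment why CAP_SYS_ADMIN is the intended gate. The failure path returns -EACCES, while a failed capable() test conventionally returns -EPERM. Placed here, the check also applies to every command that falls through to MoxaDriverIoctl, not only the firmware-replacing ones the description is concerned with. Style: `if(` should be `if (`.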
Comment 4 Brian Maly 2005-05-04 10:16:16 EDT
This patch ended up being better. Already ACKed.


--- linux-2.4.21/drivers/char/moxa.c.orig	2005-05-03 14:48:37.000000000 -0400
+++ linux-2.4.21/drivers/char/moxa.c	2005-05-03 15:29:59.000000000 -0400
@@ -905,6 +905,8 @@ static int moxa_ioctl(struct tty_struct 
 	case TIOCSSERIAL:
 		return (moxa_set_serial_info(ch, (struct serial_struct *) arg));
 	default:
+		if (!capable(CAP_SYS_ADMIN))
+			return -EPERM;
 		retval = MoxaDriverIoctl(cmd, arg, port);
 	}
 	return (retval);
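
Review bot: the CAP_SYS_ADMIN test in the default: branch of moxa_ioctl runs before every command handed to MoxaDriverIoctl, so a read-only query such as MOXA_FIND_BOARD (which the next hunk leaves without a check of its own) becomes admin-only on this path, and the load commands end up needing both CAP_SYS_ADMIN and CAP_SYS_RAWIO. If that is intended, add a one-line comment saying so; if the goal is only to protect firmware and BIOS loading, the per-command CAP_SYS_RAWIO checks are sufficient and this blanket check can be dropped.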
@@ -1766,15 +1768,21 @@ int MoxaDriverIoctl(unsigned int cmd, un
 	switch(cmd)
 	{
 	case MOXA_LOAD_BIOS:
+	 	if (!capable(CAP_SYS_RAWIO))
+			return -EPERM;
 		i = moxaloadbios(dltmp.cardno, dltmp.buf, dltmp.len);
 		return (i);
 	case MOXA_FIND_BOARD:
 		return moxafindcard(dltmp.cardno);
 	case MOXA_LOAD_C320B:
+		if (!capable(CAP_SYS_RAWIO))
+			return -EPERM;
 		moxaload320b(dltmp.cardno, dltmp.buf, dltmp.len);
 	default: /* to keep gcc happy */
 		return (0);
 	case MOXA_LOAD_CODE:
+		if (!capable(CAP_SYS_RAWIO))
+			return -EPERM;
 		i = moxaloadcode(dltmp.cardno, dltmp.buf, dltmp.len);
 		if (i == -1)
 			return (-EFAULT);
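
Review bot: the added `if` under case MOXA_LOAD_BIOS is indented tab, space, tab, where the checks under MOXA_LOAD_C320B and MOXA_LOAD_CODE use tabs only; please fix the whitespace. The same two-line CAP_SYS_RAWIO test is repeated in three cases with no comment, so a short note above the switch that all load commands require CAP_SYS_RAWIO would make it harder to add a future load command without the check. While this case is being touched: MOXA_LOAD_C320B ignores the result of moxaload320b() and falls into default: to return (0), unlike MOXA_LOAD_BIOS and MOXA_LOAD_CODE, which return i or an error, so an explicit return or a fall-through comment there would make the intent clear.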
Comment 5 Ernie Petrides 2005-05-04 20:42:41 EDT
A fix for this problem has just been committed to the RHEL3 U6
patch pool this evening (in kernel version 2.4.21-32.3.EL).
Comment 12 Red Hat Bugzilla 2005-09-28 10:45:06 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-663.html
