Bug 146105 - CVE-2005-0504 moxa CAP_SYS_RAWIO missing (-unsupported)
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
Version: 3.0
Hardware: ia64 Linux
medium
medium
Target Milestone: ---
Assignee: Brian Maly
QA Contact: Brian Brock
Whiteboard: impact=moderate,public=20050110
Keywords: Security
Blocks: 156320
Reported: 2005-01-25 13:11 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC

Fixed In Version: RHSA-2005-663
Doc Type: Bug Fix
Last Closed: 2005-09-28 14:45:04 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:663 qe-ready SHIPPED_LIVE Important: Updated kernel packages available for Red Hat Enterprise Linux 3 Update 6 2005-09-28 04:00:00 UTC

Description Mark J. Cox 2005-01-25 13:11:44 UTC
*** This bug has been split off bug 146102 ***

------- Original comment by Mark J. Cox (Security Response Team) on 2005.01.25 08:07 -------

The moxa char driver is missing a CAP_SYS_RAWIO check which could allow a local
user the ability to do things like replace the firmware.  This is already fixed
in 2.4-bk and in 2.6.10-ac7 from Alan Cox (although it's omitted from 2.6.10-ac10).

Patch available:
http://linux.bkbits.net:8080/linux-2.4/cset@41e2c5fb3htiRRycYu5I4skGWXcv5g

Note moxa is unsupported

Comment 2 Ernie Petrides 2005-04-28 02:44:43 UTC
Reassigning to Brian.

Brian, Jason posted a Pensacola patch to RHKL here:

http://post-office.corp.redhat.com/archives/rhkernel-list/2005-April/msg00001.html

There were two acks but one objection, though.

Comment 3 Brian Maly 2005-04-28 21:25:50 UTC
Posted the following patch to rhkernel-list (pending approval)



--- drivers/char/moxa.c.orig    2005-04-28 11:40:34.000000000 -0400
+++ drivers/char/moxa.c 2005-04-28 11:45:44.000000000 -0400
@@ -905,6 +905,8 @@ static int moxa_ioctl(struct tty_struct 
        case TIOCSSERIAL:
                return (moxa_set_serial_info(ch, (struct serial_struct *) arg));
        default:
+               if(!capable(CAP_SYS_ADMIN))
+                       return -EACCES;
                retval = MoxaDriverIoctl(cmd, arg, port);
        }
        return (retval);
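
Review bot: the check added in the default: branch of moxa_ioctl() tests CAP_SYS_ADMIN, while the report describes the missing check as CAP_SYS_RAWIO on the firmware-replacing operations. As written, every command that reaches MoxaDriverIoctl() is gated by a different capability than the one the bug names, and nothing is checked at the specific load operations. Consider testing CAP_SYS_RAWIO next to the commands that write to the card, and returning -EPERM rather than -EACCES, since a failed capable() test is a privilege error rather than a file-permission error. Style: "if(" needs a space after the keyword.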


Comment 4 Brian Maly 2005-05-04 14:16:16 UTC
This patch ended up being better. Already ACKed.


--- linux-2.4.21/drivers/char/moxa.c.orig	2005-05-03 14:48:37.000000000 -0400
+++ linux-2.4.21/drivers/char/moxa.c	2005-05-03 15:29:59.000000000 -0400
@@ -905,6 +905,8 @@ static int moxa_ioctl(struct tty_struct 
 	case TIOCSSERIAL:
 		return (moxa_set_serial_info(ch, (struct serial_struct *) arg));
 	default:
+		if (!capable(CAP_SYS_ADMIN))
+			return -EPERM;
 		retval = MoxaDriverIoctl(cmd, arg, port);
 	}
 	return (retval);
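
Review bot: the CAP_SYS_ADMIN test in the default: branch of moxa_ioctl() applies to every command forwarded to MoxaDriverIoctl(), including ones that do not write to the card such as MOXA_FIND_BOARD, so unprivileged callers lose those as well. If that is intended, a one-line comment above the check saying that all driver-private ioctls are admin-only, with CAP_SYS_RAWIO additionally required for the load commands, would document why two different capabilities are tested on the same path.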
@@ -1766,15 +1768,21 @@ int MoxaDriverIoctl(unsigned int cmd, un
 	switch(cmd)
 	{
 	case MOXA_LOAD_BIOS:
+	 	if (!capable(CAP_SYS_RAWIO))
+			return -EPERM;
 		i = moxaloadbios(dltmp.cardno, dltmp.buf, dltmp.len);
 		return (i);
 	case MOXA_FIND_BOARD:
 		return moxafindcard(dltmp.cardno);
 	case MOXA_LOAD_C320B:
+		if (!capable(CAP_SYS_RAWIO))
+			return -EPERM;
 		moxaload320b(dltmp.cardno, dltmp.buf, dltmp.len);
 	default: /* to keep gcc happy */
 		return (0);
 	case MOXA_LOAD_CODE:
+		if (!capable(CAP_SYS_RAWIO))
+			return -EPERM;
 		i = moxaloadcode(dltmp.cardno, dltmp.buf, dltmp.len);
 		if (i == -1)
 			return (-EFAULT);
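
Review bot: in the MOXA_LOAD_C320B case the new check returns -EPERM on denial, but the permitted path still discards the result of moxaload320b() and falls through into default:, returning 0, whereas MOXA_LOAD_BIOS and MOXA_LOAD_CODE propagate i. That fall-through predates this patch, but since the case is being touched it is worth either returning the load result or marking the fall-through with a comment so it is clearly deliberate. Style: the first added line under MOXA_LOAD_BIOS has a stray space between the indentation tabs before "if (!capable(CAP_SYS_RAWIO))".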


Comment 5 Ernie Petrides 2005-05-05 00:42:41 UTC
A fix for this problem has just been committed to the RHEL3 U6
patch pool this evening (in kernel version 2.4.21-32.3.EL).


Comment 12 Red Hat Bugzilla 2005-09-28 14:45:06 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-663.html


