Description / Steps to reproduce the issue
Impact
In kernel builds, any unprivileged process running on the NuttX device can open /dev/efuse and attempt to read/write fuse content. Reading the fuses may provide valuable information to an attacker controlling the user process. The write operation, in extreme cases where the fuse blocks are not locked, may brick the device.
Description
There are multiple such cases throughout the NuttX kernel drivers, for brevity only one instance is presented in this finding.
The mode argument 0666 gives read and write permissions to the owner, the group, and others (world). Also, there are no privilege checks for the ioctl() operation. The driver is registered (with /dev/efuse path) from bringup code of various boards that support NuttX. An attacker who controls an unprivileged user may be able to read and write fuse content through EFUSEIOC_READ_FIELD and EFUSEIOC_WRITE_FIELD ioctl commands (read and write operations are stubbed out).
static const struct file_operations g_efuseops =
{
NULL, /* open */
NULL, /* close */
efuse_read, /* read */
efuse_write, /* write */
NULL, /* seek */
efuse_ioctl, /* ioctl */
};
FAR void *efuse_register(FAR const char *path, FAR struct efuse_lowerhalf_s *lower)
{
...
/* Register the efuse timer device */
ret = register_driver(path, &g_efuseops, 0666, upper);
if (ret < 0)
{
merr("register_driver failed: %d\n", ret);
goto errout_with_path;
}
...
}
Recommendation
Update function as follows: register_driver(path, &g_efuseops, 0600, upper). If required, 0660 is also acceptable if a dedicated group requires access to /etc/efuse.
Review all the kernel code and ensure that only the drivers that need to be world readable and writable are configured in that way.
On which OS does this issue occur?
[OS: Linux]
What is the version of your OS?
Ubuntu 24.04
NuttX Version
master
Issue Architecture
[Arch: all]
Issue Area
[Area: Drivers]
Host information
No response
Verification
Description / Steps to reproduce the issue
Impact
In kernel builds, any unprivileged process running on the NuttX device can open
/dev/efuseand attempt to read/write fuse content. Reading the fuses may provide valuable information to an attacker controlling the user process. The write operation, in extreme cases where the fuse blocks are not locked, may brick the device.Description
There are multiple such cases throughout the NuttX kernel drivers, for brevity only one instance is presented in this finding.
The mode argument
0666gives read and write permissions to the owner, the group, and others (world). Also, there are no privilege checks for theioctl()operation. The driver is registered (with/dev/efusepath) from bringup code of various boards that support NuttX. An attacker who controls an unprivileged user may be able to read and write fuse content throughEFUSEIOC_READ_FIELDandEFUSEIOC_WRITE_FIELDioctl commands (read and write operations are stubbed out).Recommendation
Update function as follows:
register_driver(path, &g_efuseops, 0600, upper). If required,0660is also acceptable if a dedicated group requires access to/etc/efuse.Review all the kernel code and ensure that only the drivers that need to be world readable and writable are configured in that way.
On which OS does this issue occur?
[OS: Linux]
What is the version of your OS?
Ubuntu 24.04
NuttX Version
master
Issue Architecture
[Arch: all]
Issue Area
[Area: Drivers]
Host information
No response
Verification