[PATCH] security issue in firmware system

The firmware loader has a security issue.  Firmware on some devices can
write to all memory through DMA.  Therefore the ability to feed firmware
to the kernel is equivalent to writing to /dev/kmem.  CAP_SYS_RAWIO is
needed to protect itself.

[ Editors note: the firmware file is 0644, and owned by root, so this
  "security issue" is really only an issue for people who use
  capabilities explicitly, rather than the regular Unix permissions.
  This patch makes it do the same checks we do for /dev/mem etc.  ]

Signed-Off-By: Oliver Neukum <oliver@neukum.name>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
index 9317f3f3191c0b24ce900665974db4eb19f97ee4..6e17867db85ca8b13f626b02681720e1408d0323 100644 (file)
--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -235,6 +235,8 @@ firmware_data_write(struct kobject *kobj,
        struct firmware *fw;
        ssize_t retval;
 
+       if (!capable(CAP_SYS_RAWIO))
+               return -EPERM;
        down(&fw_lock);
        fw = fw_priv->fw;
        if (test_bit(FW_STATUS_DONE, &fw_priv->status)) {