lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20221117142714.GB664755@roeck-us.net>
Date:   Thu, 17 Nov 2022 06:27:14 -0800
From:   Guenter Roeck <linux@...ck-us.net>
To:     Ninad Malwade <nmalwade@...dia.com>
Cc:     treding@...dia.com, jonathanh@...dia.com, jdelvare@...e.com,
        nicolinc@...dia.com, rkasirajan@...dia.com,
        linux-hwmon@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-pm@...r.kernel.org
Subject: Re: [PATCH] hwmon: (ina3221): tighten attribute sysfs permissions

On Thu, Nov 17, 2022 at 04:39:20PM +0800, Ninad Malwade wrote:
> The INA3221 device provides voltage and current measurements for
> various power rails, including the CPU rail, on at least some Jetson
> boards. This raises the possibility of the Platypus attack being relevant
> to Jetson. To prevent this possibility, modify all attribute
> channel permissions so that only root can access the values.

NACK. The hwmon ABI expects all attributes to be readable for everyone.
Forcing userspace to have root privilege to read sensor values just moves
the attack vector into the affected applications.

You have a number of options:

1) Make the values reported vague enough to be useless for attacks
2) Remove the attributes
3) Remove the driver

2) and 3) are obviously unacceptable here. Your option would be to
disable the driver on the affected system.

Having said that, for me to accept any driver change, you would have to
prove that the values reported by the chip are really accurate enough to
be useful in any attack (most chips do not deliver that level of accuracy).
A generic statement along the line of "raises the possibility" is
insufficient.

> This is logically equivalent to 949dd0104c49 ("powercap: restrict energy
> meter to root access") upstream.
 
The change in the powercap driver is not hwmon ABI related and
irrelevant. If you look for an example, use commit 9049572fb145
("hwmon: Remove amd_energy driver").

Guenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ