Skip to content

drivers/: Multiple Drivers Are Registered With World Writable Part 3#19453

Merged
acassis merged 1 commit into
apache:masterfrom
catalinv-ncc:bug/Multiple_Drivers_Are_Registered_World_Writable_Permissions_3
Jul 16, 2026
Merged

drivers/: Multiple Drivers Are Registered With World Writable Part 3#19453
acassis merged 1 commit into
apache:masterfrom
catalinv-ncc:bug/Multiple_Drivers_Are_Registered_World_Writable_Permissions_3

Conversation

@catalinv-ncc

@catalinv-ncc catalinv-ncc commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Summary

Permissions (Part 3/3)

Description:

In kernel builds, any unprivileged process running on the NuttX device can open /dev/efuse and attempt to read/write fuse content. Reading the fuses may provide valuable information to an attacker controlling the user process. The write operation, in extreme cases where the fuse blocks are not locked, may brick the device.

DISCLAIMER: I tried to be strict with the settings, better to relax them later if it's needed.

This is part of #19410

Impact

See #19410

Testing

Compiles ok.

Summary

Permissions (Part 3)

Description:

In kernel builds, any unprivileged process running on the NuttX device can
open /dev/efuse and attempt to read/write fuse content. Reading the fuses
may provide valuable information to an attacker controlling the user process.
The write operation, in extreme cases where the fuse blocks are not locked,
may brick the device.

DISCLAIMER: I tried to be strict with the settings, better to relax them
later if it's needed.

This is part of apache#19410

Impact

See apache#19410

Testing

Compiles ok.

Signed-off-by: Catalin Visinescu <catalin_visinescu@yahoo.com>
@github-actions

Copy link
Copy Markdown

MemBrowse Memory Report

No memory changes detected for:

@acassis

acassis commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

@catalinv-ncc @xiaoxiang781216 @Abhishekmishra2808 I think these changes should be analyzed with more care. I think removing permission from groups will prevent a user added to a group be able to control a device (that should give him access to read/write a device).

Also @raiden00pl and @linguini1 please review

@catalinv-ncc

catalinv-ncc commented Jul 16, 2026

Copy link
Copy Markdown
Contributor Author

The thinking was that we start with these strict settings as we wish to be as strict as possible. If we discover that in some situations some group needs specific permissions, we will evaluate and relax the settings. we might change from 0600 to 0640, for instance.

Please let me know if you have other thoughts, thank you.

@xiaoxiang781216

Copy link
Copy Markdown
Contributor

The thinking was that we start with these strict settings as we wish to be as strict as possible. If we discover that in some situations some group needs specific permissions, we will evaluate and relax the settings. we might change from 0600 to 0640, for instance.

Please let me know if you have other thoughts, thank you.

yes, I think so. since the check isn't enabled by default, it isn't bad to use more strict permission initially.

@acassis acassis merged commit a30bbfe into apache:master Jul 16, 2026
57 of 91 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Area: Drivers Drivers issues Size: S The size of the change in this PR is small

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants