On Tue, Nov 10, 2020 at 04:03:36PM -0500, Donghai Qiao wrote:
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1844297
> Upstream status: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=949dd0104c496fa7c14991a23c03c62e44637e71
> Build info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=32573686
> CVE: CVE-2020-8694
>
> author Len Brown <len.brown@xxxxxxxxx> 2020-11-10 13:00:00 -0800
> committer Len Brown <len.brown@xxxxxxxxx> 2020-11-10 11:40:57 -0500
> commit 949dd0104c496fa7c14991a23c03c62e44637e71 (patch)
> tree a90cbfb8ceb195e7160105a272122f97bab99980
> parent 3d7772ea5602b88c7c7f0a50d512171a2eed6659 (diff)
> download linux-949dd0104c496fa7c14991a23c03c62e44637e71.tar.gz
> powercap: restrict energy meter to root access
> Remove non-privileged user access to power data contained in
> /sys/class/powercap/intel-rapl*/*/energy_uj
>
> Non-privileged users currently have read access to power data and can
> use this data to form a security attack. Some privileged
> drivers/applications need read access to this data, but don't expose it
> to non-privileged users.
>
> For example, thermald uses this data to ensure that power management
> works correctly. Thus removing non-privileged access is preferred over
> completely disabling this power reporting capability with
> CONFIG_INTEL_RAPL=n.
>
> Fixes: 95677a9a3847 ("PowerCap: Fix mode for energy counter")
>
> Signed-off-by: Len Brown <len.brown@xxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
>
> Signed-off-by: Donghai Qiao <dqiao@xxxxxxxxxx>
> ---
> drivers/powercap/powercap_sys.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c > index e85639f004cc..e2150c00b842 100644 > --- a/drivers/powercap/powercap_sys.c > +++ b/drivers/powercap/powercap_sys.c
> @@ -379,9 +379,9 @@ static void create_power_zone_common_attributes( > &dev_attr_max_energy_range_uj.attr; > if (power_zone->ops->get_energy_uj) { > if (power_zone->ops->reset_energy_uj) > - dev_attr_energy_uj.attr.mode = S_IWUSR | S_IRUGO; > + dev_attr_energy_uj.attr.mode = S_IWUSR | S_IRUSR; > else > - dev_attr_energy_uj.attr.mode = S_IRUGO; > + dev_attr_energy_uj.attr.mode = S_IRUSR; > power_zone->zone_dev_attrs[count++] = > &dev_attr_energy_uj.attr; > }
> --
> 2.18.1
>

Acked-by: Tony Camuso <tcamuso@xxxxxxxxxx>
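
Review bot: neither assignment to dev_attr_energy_uj.attr.mode in the get_energy_uj branch carries a comment saying why the counter is now owner-only, and the Fixes: tag (95677a9a3847, "PowerCap: Fix mode for energy counter") shows this mode has been adjusted before, so a later cleanup could widen it back to S_IRUGO without noticing the security reason. Suggest a one-line comment above `if (power_zone->ops->reset_energy_uj)` stating that energy_uj is restricted to root for CVE-2020-8694. As a style point, checkpatch prefers octal modes (0600 and 0400) over `S_IWUSR | S_IRUSR` and `S_IRUSR`; keeping the symbolic form is reasonable here only because it keeps the backport identical to upstream 949dd0104c49. The description should also say that unprivileged tools reading /sys/class/powercap/intel-rapl*/*/energy_uj will now get a permission error, since the message names only privileged consumers such as thermald.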