Date:      Thu, 28 Aug 2025 02:08:48 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 289120] A time-of-check to time-of-use race exists in gpioc_kqread() of GPIO subsystem
Message-ID:  <bug-289120-227-kk5zTNeln5@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-289120-227@https.bugs.freebsd.org/bugzilla/>


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289120

--- Comment #1 from Qiu-ji Chen <chenqiuji666@gmail.com> ---
Updated description:
In gpioc_kqread(), kn->kn_data is computed via number_of_events(), which reads
evidx_head, evidx_tail, and numevents without synchronization. For example:

static size_t
number_of_events(struct gpioc_cdevpriv *priv)
{
	/* Each field is loaded straight from the shared structure. */
	if (priv->evidx_head >= priv->evidx_tail)
		/* head and tail are re-read here; they may no longer be the
		 * values that were just compared. */
		return (priv->evidx_head - priv->evidx_tail);
	else
		return (priv->numevents + priv->evidx_head - priv->evidx_tail);
}

Because head/tail may change between the check and the use, the “head >= tail”
test can fail, and the subtraction may be negative; when converted to an
unsigned integer, it wraps to a very large value.

Impact
• Integer overflow
• Wrong interface semantics: EVFILT_READ kn_data may become a very large value,
leading to bogus copyout values and faulty user decisions (e.g., self-DoS).

Suggested fix
Snapshot head, tail, and numevents once into local variables and compute from
that single snapshot, instead of repeatedly reading shared fields.

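The race described in the comment, modelled in user space as an added example (not code from the FreeBSD tree): a constructed struct stands in for the fields gpioc_kqread() reads, a hook models a producer running between the check and the use, and the snapshot variant implements the suggested fix. The struct layout, the int indices and the interleaving are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the relevant fields (assumption: int indices,
 * numevents ring slots; this is not the real struct gpioc_cdevpriv). */
struct evring {
	int evidx_head;   /* next slot the producer writes */
	int evidx_tail;   /* next slot the consumer reads */
	int numevents;    /* ring capacity */
};

/* Racy pattern from the report; 'race' stands in for a concurrent
 * producer that runs between the comparison and the subtraction. */
static size_t
count_racy(struct evring *r, void (*race)(struct evring *))
{
	if (r->evidx_head >= r->evidx_tail) {
		if (race != NULL)
			race(r);          /* head/tail change after the check */
		/* May be negative now; converting to size_t wraps it. */
		return (r->evidx_head - r->evidx_tail);
	}
	return (r->numevents + r->evidx_head - r->evidx_tail);
}

/* Suggested fix: read all three fields once and compute from that
 * single snapshot, so the check and the use cannot disagree. */
static size_t
count_snapshot(const struct evring *r)
{
	int head = r->evidx_head, tail = r->evidx_tail, n = r->numevents;

	if (head >= tail)
		return ((size_t)(head - tail));
	return ((size_t)(n + head - tail));
}

/* Constructed interleaving: two events are queued and head wraps past
 * the end of the ring, ending up below tail. */
static void
producer_wraps_head(struct evring *r)
{
	r->evidx_head = (r->evidx_head + 2) % r->numevents;
}

int
main(void)
{
	struct evring r = { .evidx_head = 7, .evidx_tail = 5, .numevents = 8 };

	printf("snapshot before race: %zu\n", count_snapshot(&r));  /* 2 */
	printf("racy count:           %zu\n", count_racy(&r, producer_wraps_head));
	printf("snapshot after race:  %zu\n", count_snapshot(&r));  /* 4 */
	return (0);
}
```

The racy call prints a value near SIZE_MAX (the wrapped -4), while both snapshot counts stay within the ring capacity.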
