From owner-freebsd-bugs@freebsd.org  Wed Jan 27 15:45:10 2016
Return-Path: <owner-freebsd-bugs@freebsd.org>
Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7CFD2A6F03E
 for <freebsd-bugs@mailman.ysv.freebsd.org>;
 Wed, 27 Jan 2016 15:45:10 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 617961B2D
 for <freebsd-bugs@FreeBSD.org>; Wed, 27 Jan 2016 15:45:10 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u0RFjA48028423
 for <freebsd-bugs@FreeBSD.org>; Wed, 27 Jan 2016 15:45:10 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 206680] kbd race attacks
Date: Wed, 27 Jan 2016 15:45:10 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: cturt@hardenedbsd.org
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
Message-ID: <bug-206680-8@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs/>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jan 2016 15:45:10 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D206680

            Bug ID: 206680
           Summary: kbd race attacks
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: cturt@hardenedbsd.org

Whilst analysing my previous bug about the missing `splx` call in one of the
code paths for `genkbd_commonioctl`
(https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D206678), I decided to =
look
at the declaration for the macro itself, in `sys/sys/systm.h`:

/* Stubs for obsolete functions that used to be for interrupt management */
static __inline intrmask_t      splbio(void)            { return 0; }
static __inline intrmask_t      splcam(void)            { return 0; }
static __inline intrmask_t      splclock(void)          { return 0; }
static __inline intrmask_t      splhigh(void)           { return 0; }
static __inline intrmask_t      splimp(void)            { return 0; }
static __inline intrmask_t      splnet(void)            { return 0; }
static __inline intrmask_t      spltty(void)            { return 0; }
static __inline void            splx(intrmask_t ipl __unused)   { return; }

Since these functions have been removed, but kbd has not been updated to
account for this, it means that none of the kbd code is thread safe.

For example, `kbd_realloc_array` contains a lovely, possible race attack:

        s =3D spltty();
        newsize =3D ((keyboards + ARRAY_DELTA)/ARRAY_DELTA)*ARRAY_DELTA;
        new_kbd =3D malloc(sizeof(*new_kbd)*newsize, M_DEVBUF, M_NOWAIT|M_Z=
ERO);
        if (new_kbd =3D=3D NULL) {
                splx(s);
                return (ENOMEM);
        }
        new_kbdsw =3D malloc(sizeof(*new_kbdsw)*newsize, M_DEVBUF,
                            M_NOWAIT|M_ZERO);
        if (new_kbdsw =3D=3D NULL) {
                free(new_kbd, M_DEVBUF);
                splx(s);
                return (ENOMEM);
        }
        bcopy(keyboard, new_kbd, sizeof(*keyboard)*keyboards);
        bcopy(kbdsw, new_kbdsw, sizeof(*kbdsw)*keyboards);
        if (keyboards > 1) {
                free(keyboard, M_DEVBUF);
                free(kbdsw, M_DEVBUF);
        }
        keyboard =3D new_kbd;
        kbdsw =3D new_kbdsw;
        keyboards =3D newsize;
        splx(s);

This code would have been safe because of the `spltty`, and `splx` locks, b=
ut
since these functions no longer do anything, we have a very brief window wh=
ere
the buffers have been freed, but have not been set to the new allocations. =
If
the thread were to be preempted at this point, and another thread attempted=
 to
use the buffers, a use after free would occur.

--=20
You are receiving this mail because:
You are the assignee for the bug.=