Date: Fri, 21 Jun 2019 14:12:47 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 238748] several race conditions in nandsim Message-ID: <bug-238748-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D238748 Bug ID: 238748 Summary: several race conditions in nandsim Product: Base System Version: 12.0-RELEASE Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: emaste@freebsd.org Reported to secteam (admbugs 795) but does not need to be treated as a secu= rity issue because the NAND framework is not built by default, nandsim is not intended for production use, and the device is root-only. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> the nandsim driver has a global variable called crtls. when it's used no lo= cks are held. this can cause race conditions in several places leading -among o= ther things- to:=20 - double free=20 - NULL deref=20 - memory leak=20 freebsd-master\sys\dev\nand\nandsim.c static int nandsim_create_chip(struct sim_chip *chip) { struct sim_chip *sim_chip; nand_debug(NDBG_SIM,"create chip num:%d at ctrl:%d", chip->num, chip->ctrl_num); if (chip->ctrl_num >=3D MAX_SIM_DEV || chip->num >=3D MAX_CTRL_CS) { return (EINVAL); } if (ctrls[chip->ctrl_num].chips[chip->num]) { return (EEXIST); } sim_chip =3D malloc(sizeof(*sim_chip), M_NANDSIM, M_WAITOK); if (sim_chip =3D=3D NULL) { return (ENOMEM); } memcpy(sim_chip, chip, sizeof(*sim_chip)); ctrls[chip->ctrl_num].chips[chip->num] =3D sim_chip; <-- <-- no ctrls lock = held, this can leak=20 sim_chip->created =3D 1; return (0); } static int nandsim_destroy_chip(struct sim_ctrl_chip *chip) { struct sim_ctrl_conf *ctrl_conf; nand_debug(NDBG_SIM,"destroy chip num:%d at ctrl:%d", chip->chip_num, chip->ctrl_num); if (chip->ctrl_num >=3D MAX_SIM_DEV || chip->chip_num >=3D MAX_CTRL_CS) return (EINVAL); ctrl_conf =3D &ctrls[chip->ctrl_num]; if (!ctrl_conf->created || !ctrl_conf->chips[chip->chip_num]) return (ENODEV); if (ctrl_conf->running) return (EBUSY); free(ctrl_conf->chips[chip->chip_num], M_NANDSIM); <-- no ctrls lock held, = this could double free ctrl_conf->chips[chip->chip_num] =3D NULL; return (0); } static int nandsim_modify(struct sim_mod *mod) { struct sim_chip *sim_conf =3D NULL; struct nandsim_chip *sim_chip =3D NULL; nand_debug(NDBG_SIM,"modify ctlr %d chip %d", mod->ctrl_num, mod->chip_num); if (mod->field !=3D SIM_MOD_LOG_LEVEL) { if (mod->ctrl_num >=3D MAX_SIM_DEV || mod->chip_num >=3D MAX_CTRL_CS) return (EINVAL); sim_conf =3D ctrls[mod->ctrl_num].chips[mod->chip_num]; <-- can be NULL! sim_chip =3D get_nandsim_chip(mod->ctrl_num, mod->chip_num); <-- can be NUL= L! } switch (mod->field) { case SIM_MOD_LOG_LEVEL: nandsim_log_level =3D mod->new_value; <-- NULL deref break; case SIM_MOD_ERASE_TIME: sim_conf->erase_time =3D sim_chip->erase_delay =3D mod->new_value; <-- NULL= deref break; case SIM_MOD_PROG_TIME: sim_conf->prog_time =3D sim_chip->prog_delay =3D mod->new_value; <-- NULL d= eref break; case SIM_MOD_READ_TIME: sim_conf->read_time =3D sim_chip->read_delay =3D mod->new_value; <-- NULL d= eref break; case SIM_MOD_ERROR_RATIO: sim_conf->error_ratio =3D mod->new_value; <-- NULL deref sim_chip->error_ratio =3D mod->new_value; break; default: break; } return (0); } --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-238748-227>