Date: Wed, 27 Aug 2025 07:49:35 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 289120] A time-of-check to time-of-use race exists in gpioc_kqread() of GPIO subsystem
Message-ID: <bug-289120-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289120

Bug ID: 289120
Summary: A time-of-check to time-of-use race exists in gpioc_kqread() of GPIO subsystem
Product: Base System
Version: 14.3-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: chenqiuji666@gmail.com

In gpioc_kqread(), kn->kn_data is computed via number_of_events(), which
reads evidx_head, evidx_tail, and numevents without synchronization. For
example:

static size_t
number_of_events(struct gpioc_cdevpriv *priv)
{
	if (priv->evidx_head >= priv->evidx_tail)
		return (priv->evidx_head - priv->evidx_tail);
	else
		return (priv->numevents + priv->evidx_head - priv->evidx_tail);
}

Because head/tail may change between the check and the use, the
"head >= tail" test can fail, and the subtraction may overflow.

Impact
• Undefined behavior: signed overflow.
• Wrong interface semantics: EVFILT_READ kn_data may become a very large
  value, leading to bogus copyout values and faulty user decisions
  (e.g., self-DoS).

Suggested fix
Snapshot head, tail, and numevents once into local variables and compute
from that single snapshot, instead of repeatedly reading shared fields.

-- 
You are receiving this mail because:
You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-289120-227>
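The following is an added, stand-alone model of the race the report describes; it is not code from the bug report or from the FreeBSD GPIO driver. It keeps the field names evidx_head, evidx_tail and numevents, but struct ring, produce(), producer_wraps(), the interleave_fn hook and run_scenario(), along with the constructed capacity and indices, are assumptions made for the demonstration. The hook stands in for a producer on another CPU that appends events between the comparison and the subtraction: once head wraps past tail, the re-reading version computes an unsigned wraparound, while the single-snapshot version returns the count that was consistent at the time of the reads.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical model of the ring-buffer bookkeeping named in the report
 * (evidx_head, evidx_tail, numevents). Not the FreeBSD struct itself.
 */
struct ring {
	uint32_t numevents;	/* ring capacity */
	uint32_t evidx_head;	/* next slot the producer writes */
	uint32_t evidx_tail;	/* next slot the consumer reads */
};

/* Simulates work another CPU does between the check and the use. */
typedef void (*interleave_fn)(struct ring *);

/* Producer enqueues n events; the head index wraps modulo numevents. */
static void produce(struct ring *r, uint32_t n)
{
	while (n-- > 0)
		r->evidx_head = (r->evidx_head + 1) % r->numevents;
}

/* Interleaving used below: three events arrive, so head wraps past tail. */
static void producer_wraps(struct ring *r)
{
	produce(r, 3);
}

/*
 * Racy pattern: the comparison reads head/tail, then the subtraction
 * re-reads them. If 'between' runs, the second read sees different values.
 */
static uint32_t number_of_events_racy(struct ring *r, interleave_fn between)
{
	int head_ge_tail = r->evidx_head >= r->evidx_tail;	/* check */

	if (between != NULL)
		between(r);					/* producer runs here */
	if (head_ge_tail)
		return (r->evidx_head - r->evidx_tail);		/* use: fresh reads */
	return (r->numevents + r->evidx_head - r->evidx_tail);
}

/* Snapshot pattern: read each field exactly once, compute from the copies. */
static uint32_t number_of_events_snapshot(struct ring *r, interleave_fn between)
{
	uint32_t head = r->evidx_head;
	uint32_t tail = r->evidx_tail;
	uint32_t cap = r->numevents;

	if (between != NULL)
		between(r);	/* later writes cannot reach into this computation */
	if (head >= tail)
		return (head - tail);
	return (cap + head - tail);
}

/* Constructed scenario: capacity 8, head 6, tail 4, so 2 events are pending. */
static uint32_t run_scenario(int use_snapshot, interleave_fn between)
{
	struct ring r = { .numevents = 8, .evidx_head = 6, .evidx_tail = 4 };

	return (use_snapshot ? number_of_events_snapshot(&r, between)
			     : number_of_events_racy(&r, between));
}

int main(void)
{
	int64_t kn_data;

	printf("racy, no interleaving:     %u\n", run_scenario(0, NULL));
	printf("racy, producer wraps head: %u\n", run_scenario(0, producer_wraps));
	printf("snapshot, producer wraps:  %u\n", run_scenario(1, producer_wraps));

	/* What a kevent consumer would see in kn_data from the racy path. */
	kn_data = run_scenario(0, producer_wraps);
	printf("kn_data reported to userland: %lld\n", (long long)kn_data);
	return (0);
}
```

With the producer wrapping head from 6 through 7 and 0 to 1, the racy path passes the 6 >= 4 check and then evaluates 1 - 4 in 32-bit unsigned arithmetic, yielding 4294967293, which a kevent caller would see as an enormous kn_data; the snapshot path still reports 2. One caveat the report's suggestion does not cover: a snapshot of three fields taken without holding the lock that serializes the producer can still pair a head from before a wrap with a tail from after one, so a robust fix takes the snapshot under that lock (or at minimum clamps the result to numevents) rather than relying on the copies alone.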
