[Bug 289120] A time-of-check to time-of-use race exists in gpioc_kqread() of GPIO subsystem
Date: Wed, 27 Aug 2025 07:49:35 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289120
Bug ID: 289120
Summary: A time-of-check to time-of-use race exists in gpioc_kqread() of GPIO subsystem
Product: Base System
Version: 14.3-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: chenqiuji666@gmail.com
In gpioc_kqread(), kn->kn_data is computed via number_of_events(), which reads
evidx_head, evidx_tail, and numevents without synchronization. For example:
static size_t
number_of_events(struct gpioc_cdevpriv *priv)
{
	/* Each field is re-read from the shared struct at every use. */
	if (priv->evidx_head >= priv->evidx_tail)
		return (priv->evidx_head - priv->evidx_tail);
	else
		return (priv->numevents + priv->evidx_head - priv->evidx_tail);
}
Because head/tail may change between the check and the use, the “head >= tail”
test can fail, and the subtraction may overflow.
Impact
• Undefined behavior: signed overflow.
• Wrong interface semantics: EVFILT_READ kn_data may become a very large value, leading to bogus copyout values and faulty user decisions (e.g., self-DoS).
Suggested fix
Snapshot head, tail, and numevents once into local variables and compute from
that single snapshot, instead of repeatedly reading shared fields.
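As an added example (not code from the report or from FreeBSD's gpioc.c), the racy shape above beside the snapshot version the reporter suggests; struct ring_priv, the interleave_fn hook and producer_wraps are constructed stand-ins that make the check/use interleaving deterministic so both results can be compared.

```c
#include <stddef.h>

/* Constructed stand-in for the ring-index fields of struct gpioc_cdevpriv;
 * field names follow the report, the struct and the hook are hypothetical. */
struct ring_priv {
    int evidx_head;   /* producer index */
    int evidx_tail;   /* consumer index */
    int numevents;    /* ring capacity */
};

/* Stands in for a concurrent writer running between check and use; a real
 * race has no hook, this one only makes the interleaving deterministic. */
typedef void (*interleave_fn)(struct ring_priv *);

/* Racy shape from the report: each field is re-read from shared memory at the
 * point of use, so comparison and subtraction can observe different states. */
static size_t
count_racy(struct ring_priv *priv, interleave_fn hook)
{
    if (priv->evidx_head >= priv->evidx_tail) {
        if (hook != NULL)
            hook(priv);              /* writer slips in here */
        return ((size_t)(priv->evidx_head - priv->evidx_tail));
    }
    if (hook != NULL)
        hook(priv);
    return ((size_t)(priv->numevents + priv->evidx_head - priv->evidx_tail));
}

/* Suggested fix: copy head, tail and numevents once and compute only from the
 * locals; the writer may still run, but can no longer split check from use.
 * Consistency among the three reads themselves still needs the writer excluded,
 * e.g. by taking the lock the producer holds while it updates the indices. */
static size_t
count_snapshot(struct ring_priv *priv, interleave_fn hook)
{
    int head = priv->evidx_head;
    int tail = priv->evidx_tail;
    int nev = priv->numevents;
    if (hook != NULL)
        hook(priv);
    if (head >= tail)
        return ((size_t)(head - tail));
    return ((size_t)(nev + head - tail));
}

/* Constructed writer: head wraps from slot 7 of an 8-slot ring to 0. */
static void producer_wraps(struct ring_priv *priv) { priv->evidx_head = 0; }
```

With head=7, tail=1, numevents=8 the racy path passes the check, sees head=0 after the wrap and returns (size_t)-1, exactly the "very large value" the report describes; the snapshot path returns 6 with or without the interleaving.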