[Bug 206680] kbd race attacks

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Jan 27 15:45:10 UTC 2016 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206680

            Bug ID: 206680
           Summary: kbd race attacks
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: cturt at hardenedbsd.org

Whilst analysing my previous bug about the missing `splx` call in one of the
code paths for `genkbd_commonioctl`
(https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206678), I decided to look
at the declaration for the macro itself, in `sys/sys/systm.h`:

/* Stubs for obsolete functions that used to be for interrupt management */
static __inline intrmask_t      splbio(void)            { return 0; }
static __inline intrmask_t      splcam(void)            { return 0; }
static __inline intrmask_t      splclock(void)          { return 0; }
static __inline intrmask_t      splhigh(void)           { return 0; }
static __inline intrmask_t      splimp(void)            { return 0; }
static __inline intrmask_t      splnet(void)            { return 0; }
static __inline intrmask_t      spltty(void)            { return 0; }
static __inline void            splx(intrmask_t ipl __unused)   { return; }

Since these functions have been removed, but kbd has not been updated to
account for this, it means that none of the kbd code is thread safe.

For example, `kbd_realloc_array` contains a lovely, possible race attack:

        s = spltty();
        newsize = ((keyboards + ARRAY_DELTA)/ARRAY_DELTA)*ARRAY_DELTA;
        new_kbd = malloc(sizeof(*new_kbd)*newsize, M_DEVBUF, M_NOWAIT|M_ZERO);
        if (new_kbd == NULL) {
                splx(s);
                return (ENOMEM);
        }
        new_kbdsw = malloc(sizeof(*new_kbdsw)*newsize, M_DEVBUF,
                            M_NOWAIT|M_ZERO);
        if (new_kbdsw == NULL) {
                free(new_kbd, M_DEVBUF);
                splx(s);
                return (ENOMEM);
        }
        bcopy(keyboard, new_kbd, sizeof(*keyboard)*keyboards);
        bcopy(kbdsw, new_kbdsw, sizeof(*kbdsw)*keyboards);
        if (keyboards > 1) {
                free(keyboard, M_DEVBUF);
                free(kbdsw, M_DEVBUF);
        }
        keyboard = new_kbd;
        kbdsw = new_kbdsw;
        keyboards = newsize;
        splx(s);

This code would have been safe because of the `spltty`, and `splx` locks, but
since these functions no longer do anything, we have a very brief window where
the buffers have been freed, but have not been set to the new allocations. If
the thread were to be preempted at this point, and another thread attempted to
use the buffers, a use after free would occur.

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list