Add D_NEEDGIANT flag to proto device to fix race condition vulns
Needs ReviewPublic
Actions

Authored by ecturt_gmail.com on May 23 2017, 11:42 AM.

Details

Reviewers

Summary

Proto device is not thread safe. Its ioctl handler in particular exposes multiple exploitable race condition bugs (such as double free UaF).

None of the commands take locks, leading to multiple race condition bugs. For example, PROTO_IOC_BUSDMA_MEM_FREE command presents double linked list removal and double free race conditions, since it leads to calling proto_busdma_md_destroy_internal with no locks taken:

static int
proto_busdma_md_destroy_internal(struct proto_busdma *busdma,
    struct proto_md *md)
{

    LIST_REMOVE(md, mds);
    LIST_REMOVE(md, peers);
    if (md->physaddr)
        bus_dmamap_unload(md->bd_tag, md->bd_map);
    if (md->virtaddr != NULL)
        bus_dmamem_free(md->bd_tag, md->virtaddr, md->bd_map);
    else
        bus_dmamap_destroy(md->bd_tag, md->bd_map);
    bus_dma_tag_destroy(md->bd_tag);
    free(md, M_PROTO_BUSDMA);
    return (0);
}

Since this device is created with permission 0666, these bugs can be used for privilege escalation.

This can be fixed by taking the giant mutex on all method calls, by adding the D_NEEDGIANT flag.

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

ecturt_gmail.com created this revision.May 23 2017, 11:42 AM

ecturt_gmail.com edited the summary of this revision. (Show Details)

Revision Contents
Changeset List

Path

Size

sys/

dev/

proto/

proto_core.c

2 lines

Diff 28707

View Options

sys/dev/proto/proto_core.c

Add D_NEEDGIANT flag to proto device to fix race condition vulnsNeeds ReviewPublicActions