Page MenuHomeFreeBSD
Differential D57496

firewire: Fix watchdog_clock aliasing and fw_tl2xfer UAF race
ClosedPublic
Actions

Authored by guest-seuros on Sun, Jun 7, 2:47 PM.
Tags
Referenced Files
Unknown Object (File)
Mon, Jun 8, 1:52 AM
Unknown Object (File)
Sun, Jun 7, 11:06 PM
Subscribers
imp

Details

Reviewers
adrian
ngie
zlei
Commits
rGa9519f7821c0: firewire: Fix watchdog_clock aliasing and fw_tl2xfer UAF race
Summary

Two bugs in the firewire bus layer that affect all consumers (
if_fwip, sbp):

watchdog_clock was a static local in firewire_watchdog(), shared across
all firewire_comm instances. With two controllers (e.g. built-in +
Thunderbolt Display), both advance the same counter, so the second
controller's 15-second boot-time timeout guard expires prematurely.

fw_tl2xfer() released tlabel_lock before returning the xfer pointer.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

guest-seuros created this revision.Sun, Jun 7, 2:47 PM
Herald added a subscriber: imp. · View Herald TranscriptSun, Jun 7, 2:47 PM
guest-seuros requested review of this revision.Sun, Jun 7, 2:47 PM
Harbormaster completed remote builds in B73734: Diff 179364.Sun, Jun 7, 2:47 PM
adrian added projects: firewire, drivers.Sun, Jun 7, 3:08 PM
guest-seuros added a reviewer: zlei.Mon, Jun 8, 3:39 AM
adrian added inline comments.Mon, Jun 8, 3:55 AM
sys/dev/firewire/firewire.c
1057

oh god, why are there still spl calls in here?

Are they even needed anymore?

guest-seuros marked an inline comment as done.Mon, Jun 8, 4:19 AM
guest-seuros added inline comments.
sys/dev/firewire/firewire.c
1057

Not used.

adrian accepted this revision.Mon, Jun 8, 4:34 AM

This broadly looks good to me but I am currently unable to test it.

This revision is now accepted and ready to land.Mon, Jun 8, 4:34 AM
zlei accepted this revision.Mon, Jun 8, 7:36 AM

The part watchdog_clock of this change looks good to me.

I know little about AT transmit so I can not speak about it.

sys/dev/firewire/firewire.c
386

Only on callout soft thread is running this, so no lock for firewire_watchdog appears good.

zlei retitled this revision from fix(firewire): fix watchdog_clock aliasing and fw_tl2xfer UAF race to firewire: Fix watchdog_clock aliasing and fw_tl2xfer UAF race.Mon, Jun 8, 7:37 AM
Closed by commit rGa9519f7821c0: firewire: Fix watchdog_clock aliasing and fw_tl2xfer UAF race (authored by guest-seuros, committed by adrian). · Explain WhyMon, Jun 8, 2:34 PM
This revision was automatically updated to reflect the committed changes.
adrian added a commit: rGa9519f7821c0: firewire: Fix watchdog_clock aliasing and fw_tl2xfer UAF race.

Revision Contents
Changeset List

PathSize
sys/
dev/
firewire/
67 lines
1 line

Diff 179385

View Options

sys/dev/firewire/firewire.c

Loading...
View Options

sys/dev/firewire/firewirereg.h

Loading...