https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289120
--- Comment #1 from Qiu-ji Chen <[email protected]> ---
Updated description:

In gpioc_kqread(), kn->kn_data is computed via number_of_events(), which reads evidx_head, evidx_tail, and numevents without synchronization. For example:

    static size_t
    number_of_events(struct gpioc_cdevpriv *priv)
    {
            if (priv->evidx_head >= priv->evidx_tail)
                    return (priv->evidx_head - priv->evidx_tail);
            else
                    return (priv->numevents + priv->evidx_head - priv->evidx_tail);
    }

Because head/tail may change between the check and the use, the “head >= tail” test can fail, and the subtraction may be negative; when converted to an unsigned integer, it wraps to a very large value.

Impact
• Integer overflow
• Wrong interface semantics: EVFILT_READ kn_data may become a very large value, leading to bogus copyout values and faulty user decisions (e.g., self-DoS).

Suggested fix
Snapshot head, tail, and numevents once into local variables and compute from that single snapshot, instead of repeatedly reading shared fields.

-- 
You are receiving this mail because:
You are the assignee for the bug.
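The interleaving described in the comment, and the snapshot-style fix it suggests, as an added stand-alone C example (not the FreeBSD source and not the reporter's code). The struct is a constructed stand-in with only the three fields the comment names, and the field types are assumed to be uint32_t; number_of_events_torn() models the race by taking the head value seen by the comparison and the head value seen by the subtraction as separate arguments.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the fields of struct gpioc_cdevpriv that
 * number_of_events() reads; types assumed. */
struct gpioc_cdevpriv {
	uint32_t evidx_head;	/* advanced by the event producer */
	uint32_t evidx_tail;	/* advanced by the consumer (read(2)) */
	uint32_t numevents;	/* ring capacity */
};

/* Count queued events from one consistent (head, tail, numevents) triple.
 * For a valid ring state the result is always in [0, numevents). */
static size_t
events_from_snapshot(uint32_t head, uint32_t tail, uint32_t numevents)
{
	if (head >= tail)
		return (head - tail);
	return ((size_t)numevents + head - tail);
}

/* Suggested fix: load each shared field exactly once, then compute. */
static size_t
number_of_events_snapshot(const struct gpioc_cdevpriv *priv)
{
	uint32_t head = priv->evidx_head;
	uint32_t tail = priv->evidx_tail;
	uint32_t numevents = priv->numevents;

	return (events_from_snapshot(head, tail, numevents));
}

/* Model of the original: the comparison observes head_at_check, but the
 * second load of evidx_head in the subtraction observes head_at_use.
 * If the producer wrapped head to 0 in between, the unsigned subtraction
 * wraps to a huge value. */
static size_t
number_of_events_torn(uint32_t head_at_check, uint32_t head_at_use,
    uint32_t tail, uint32_t numevents)
{
	if (head_at_check >= tail)
		return (head_at_use - tail);	/* wraps when head_at_use < tail */
	return ((size_t)numevents + head_at_use - tail);
}

int
main(void)
{
	/* Constructed ring state: capacity 8, tail 3, head 7 wrapping to 0. */
	struct gpioc_cdevpriv p = { .evidx_head = 7, .evidx_tail = 3, .numevents = 8 };
	printf("torn read:  %zu events\n", number_of_events_torn(7, 0, 3, 8));
	p.evidx_head = 0;	/* producer stored one more event and wrapped */
	printf("snapshot:   %zu events\n", number_of_events_snapshot(&p));
	return (0);
}
```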
