Subject: kern/24231: x1226 write register unlock (security problem)
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <kiyohara@kk.iij4u.or.jp>
List: netbsd-bugs
Date: 01/25/2004 06:21:42
>Number: 24231
>Category: kern
>Synopsis: x1226 write register unlock (security problem)
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Sun Jan 25 06:22:02 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator: KIYOHARA Takashi
>Release: NetBSD 1.6ZG
>Organization:
>Environment:
NetBSD evbppc.fool 1.6ZG NetBSD 1.6ZG (OPENBLOCKS266) #0: Sun Dec 21 12:58:20 JST 2003 lance@evbppc.fool:/sys/arch/evbppc/compile/OPENBLOCKS266 evbppc
>Description:
RTC write register unlock incompletely inside.
It is in a state dangerous after this.
>How-To-Repeat:
>Fix:
Index: x1226.c
===================================================================
RCS file: /cvsroot/src/sys/dev/i2c/x1226.c,v
retrieving revision 1.1
diff -c -r1.1 x1226.c
*** x1226.c 2003/10/06 18:02:02 1.1
--- x1226.c 2004/01/15 15:24:26
***************
*** 390,396 ****
addr = X1226_REG_SR;
cmdbuf[0] = (addr & 0xff);
cmdbuf[1] = ((addr >> 8) & 0xff);
! cmdbuf[2] = X1226_FLAG_SR_RWEL;
if (iic_exec(sc->sc_tag,
I2C_OP_WRITE_WITH_STOP,
sc->sc_address, cmdbuf, 2, &cmdbuf[2], 1, 0) != 0) {
--- 392,398 ----
addr = X1226_REG_SR;
cmdbuf[0] = (addr & 0xff);
cmdbuf[1] = ((addr >> 8) & 0xff);
! cmdbuf[2] = X1226_FLAG_SR_WEL | X1226_FLAG_SR_RWEL;
if (iic_exec(sc->sc_tag,
I2C_OP_WRITE_WITH_STOP,
sc->sc_address, cmdbuf, 2, &cmdbuf[2], 1, 0) != 0) {
>Release-Note:
>Audit-Trail:
>Unformatted: