Subject: kern/24231: x1226 write register unlock (security problem)
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <kiyohara@kk.iij4u.or.jp>
List: netbsd-bugs
Date: 01/25/2004 06:21:42
>Number:         24231
>Category:       kern
>Synopsis:       x1226 write register unlock (security problem)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sun Jan 25 06:22:02 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     KIYOHARA Takashi
>Release:        NetBSD 1.6ZG
>Organization:
>Environment:
NetBSD evbppc.fool 1.6ZG NetBSD 1.6ZG (OPENBLOCKS266) #0: Sun Dec 21 12:58:20 JST 2003  lance@evbppc.fool:/sys/arch/evbppc/compile/OPENBLOCKS266 evbppc
>Description:
The RTC write register unlock is incomplete inside.
It is in a dangerous state after this.

>How-To-Repeat:

>Fix:
Index: x1226.c
===================================================================
RCS file: /cvsroot/src/sys/dev/i2c/x1226.c,v
retrieving revision 1.1
diff -c -r1.1 x1226.c
*** x1226.c     2003/10/06 18:02:02     1.1
--- x1226.c     2004/01/15 15:24:26
***************
*** 390,396 ****
        addr = X1226_REG_SR;
        cmdbuf[0] = (addr & 0xff);
        cmdbuf[1] = ((addr >> 8) & 0xff);
!       cmdbuf[2] = X1226_FLAG_SR_RWEL;
        if (iic_exec(sc->sc_tag,
                I2C_OP_WRITE_WITH_STOP,
                sc->sc_address, cmdbuf, 2, &cmdbuf[2], 1, 0) != 0) {
--- 392,398 ----
        addr = X1226_REG_SR;
        cmdbuf[0] = (addr & 0xff);
        cmdbuf[1] = ((addr >> 8) & 0xff);
!       cmdbuf[2] = X1226_FLAG_SR_WEL | X1226_FLAG_SR_RWEL;
        if (iic_exec(sc->sc_tag,
                I2C_OP_WRITE_WITH_STOP,
                sc->sc_address, cmdbuf, 2, &cmdbuf[2], 1, 0) != 0) {
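Review bot: the changed `cmdbuf[2]` assignment needs a comment saying why `X1226_FLAG_SR_WEL` has to stay set in the same status-register write that sets `X1226_FLAG_SR_RWEL`; the old line looks equally plausible and nothing in the hunk records the required unlock sequence. The visible lines also do not show the status register being written back to a locked value, either on the `iic_exec` failure branch or once the register update is finished. Given the description's remark about a dangerous state afterwards, please confirm that both paths clear the latches again.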
>Release-Note:
>Audit-Trail:
>Unformatted: