Date:      Thu, 18 Aug 2022 11:08:47 -0500
From:      Eric van Gyzen <eric@vangyzen.net>
To:        freebsd-hackers <freebsd-hackers@freebsd.org>
Subject:   Impact of FreeBSD-SA-22:10.aio
Message-ID:  <f83e90b0-7ae4-13e1-d9fa-56354d28d195@vangyzen.net>

The Impact section of FreeBSD-SA-22:10.aio says

	An attacker may cause the reference count to overflow,
	leading to a use after free (UAF).

I don't see how the refcount can overflow.  That seems to be prevented
by REFCOUNT_SATURATED and friends.  Does anyone care to enlighten me?
There is the small window between fetchadd and detecting saturation; is
this the [only] way?

Cheers,

Eric
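A simplified model of the saturating reference counter the mail refers to, added here as an illustration; it is not taken from the FreeBSD source or from the advisory. The threshold and saturation constants are reproduced from memory of sys/refcount.h and are an assumption to be checked against the header; the point is the shape of the acquire path (unconditional fetch-and-add, then a check of the old value), which is where the window the mail mentions sits.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values modelled on FreeBSD's sys/refcount.h; verify against the header. */
#define REFCOUNT_SATURATION_VALUE (3U << 30)
#define REFCOUNT_SATURATED(val)   (((val) & (1U << 31)) != 0)

typedef _Atomic uint32_t refcnt_t;

/* Park a counter that has crossed the threshold at a fixed high value so
 * that neither further acquires nor releases can move it toward zero. */
static void refcount_update_saturated(refcnt_t *count)
{
    atomic_store(count, REFCOUNT_SATURATION_VALUE);
}

/* Acquire: the add is unconditional; saturation is detected on the OLD
 * value afterwards. The window between these two statements is the one
 * the mail asks about: the count is briefly past the threshold here. */
static void refcount_acquire_sat(refcnt_t *count)
{
    uint32_t old = atomic_fetch_add(count, 1);
    if (REFCOUNT_SATURATED(old))
        refcount_update_saturated(count);
}

/* Release: returns true only when the caller dropped the last reference.
 * A saturated counter is re-parked and never reports "last reference". */
static bool refcount_release_sat(refcnt_t *count)
{
    uint32_t old = atomic_fetch_sub(count, 1);
    if (REFCOUNT_SATURATED(old)) {
        refcount_update_saturated(count);
        return false;
    }
    return old == 1;
}

/* Drive a counter from `start` through `acquires` then `releases`; reports
 * whether any release claimed the last reference and returns the final count. */
uint32_t saturation_demo(uint32_t start, unsigned acquires, unsigned releases, bool *freed)
{
    refcnt_t c;
    atomic_init(&c, start);
    *freed = false;
    for (unsigned i = 0; i < acquires; i++)
        refcount_acquire_sat(&c);
    for (unsigned i = 0; i < releases; i++)
        if (refcount_release_sat(&c))
            *freed = true;
    return atomic_load(&c);
}
```

Started just below the threshold, the counter saturates on the second acquire and stays parked through every later release, so the object is never reported free; a counter that never saturates still drains to zero normally.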