Date: Thu, 18 Aug 2022 14:01:58 -0400
From: Ed Maste <emaste@freebsd.org>
To: Mark Johnston <markj@freebsd.org>
Cc: Eric van Gyzen <eric@vangyzen.net>, freebsd-hackers <freebsd-hackers@freebsd.org>
Subject: Re: Impact of FreeBSD-SA-22:10.aio
Message-ID: <CAPyFy2AZeNW3h8tt7D2ueXGsgfZJM5dqi7nbsH%2Bbb6kLtVAAwQ@mail.gmail.com>
In-Reply-To: <Yv5lt2tDPrmdpJIM@nuc>
References: <f83e90b0-7ae4-13e1-d9fa-56354d28d195@vangyzen.net> <Yv5lt2tDPrmdpJIM@nuc>
On Thu, 18 Aug 2022 at 12:16, Mark Johnston <markj@freebsd.org> wrote:
>
> The refcount implementation in 12.3 doesn't handle overflow or underflow
> at all, so it is vulnerable.  I believe you're right that that
> mitigation converts the bug into a memory leak in 13.0, and so the
> advisory erroneously lists 13.0 as vulnerable when it isn't.

I suppose it is really an SA for 12.3 and an EN for 13.0.

We should perhaps update the advisory text to make this clear - e.g.:

 III. Impact

-An attacker may cause the reference count to overflow, leading to a
-use after free (UAF).
+On FreeBSD 12.3 an attacker may cause the reference count to overflow,
+leading to a use after free (UAF).  On FreeBSD 13.0 a mitigation in the
+reference counting implementation limits the impact to a memory leak (which
+may lead to a denial of service).
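Review bot: the hunk only amends section III (Impact), but the point made just above it is that the advisory erroneously lists 13.0 as vulnerable, and the reply itself frames the situation as an SA for 12.3 and an EN for 13.0; the affected-versions part of the advisory needs a matching change, otherwise the new `+On FreeBSD 13.0 a mitigation ... limits the impact to a memory leak` text contradicts an affected-versions list that still presents 13.0 as vulnerable to the same UAF. Keeping the "(which may lead to a denial of service)" clause is the right call, since it tells 13.0 users the fix is still worth applying.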
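The point the thread turns on (a reference count that wraps becomes a use after free, one that saturates becomes a leak) is easy to state but worth seeing run. The following is an added illustration written for this page; it is not FreeBSD's sys/refcount.h and not code from anyone in the thread. It uses a 16-bit counter so the wrap is reachable in a short loop, and the saturation threshold REFCNT_SATURATED, the struct layout and the simulate() harness are all assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustration only: a wrapping reference count versus a saturating one.
 * This is NOT FreeBSD's sys/refcount.h; it is a toy model of the two
 * behaviours the thread contrasts. A 16-bit counter is used so the wrap is
 * reachable in a short loop (assumption: real counters are wider, which
 * only changes how many references the attacker must take).
 */
typedef uint16_t refcnt_t;

/* Assumed saturation point: once the count reaches this value it is pinned
 * there and the object is never freed (a leak instead of a UAF). */
#define REFCNT_SATURATED ((refcnt_t)0xF000)

struct object {
    refcnt_t refs;
    bool freed;     /* set when the counter says the last reference is gone */
};

/* Naive counter: no overflow handling, the count silently wraps. */
static void naive_acquire(struct object *o)
{
    o->refs++;
}

static bool naive_release(struct object *o)
{
    if (--o->refs == 0) {
        o->freed = true;    /* stand-in for free(o) */
        return true;
    }
    return false;
}

/* Saturating counter: never goes past REFCNT_SATURATED and, once there,
 * refuses to release, so the count can never come back down to zero. */
static void sat_acquire(struct object *o)
{
    if (o->refs >= REFCNT_SATURATED) {
        o->refs = REFCNT_SATURATED;
        return;
    }
    o->refs++;
}

static bool sat_release(struct object *o)
{
    if (o->refs >= REFCNT_SATURATED)
        return false;       /* deliberately stuck: leaked, not freed */
    if (--o->refs == 0) {
        o->freed = true;
        return true;
    }
    return false;
}

struct outcome {
    bool use_after_free;    /* freed while references were still held */
    bool leaked;            /* every reference dropped, object never freed */
};

/*
 * Model of the attack (assumption): the object has one legitimate owner.
 * An attacker takes `attacker_refs` references through some unprivileged
 * interface, drops one of them, then everyone releases what they still
 * hold. `held` is the true number of outstanding references, tracked
 * outside the counter so the harness can tell a UAF from a leak.
 */
static struct outcome simulate(bool saturating, uint32_t attacker_refs)
{
    struct object o = { .refs = 1, .freed = false };
    uint32_t held = 1;
    struct outcome r = { false, false };

    for (uint32_t i = 0; i < attacker_refs; i++) {
        if (saturating)
            sat_acquire(&o);
        else
            naive_acquire(&o);
        held++;
    }

    bool freed_now = saturating ? sat_release(&o) : naive_release(&o);
    held--;
    if (freed_now && held > 0)
        r.use_after_free = true;    /* others still hold pointers to o */

    while (held > 0 && !o.freed) {
        if (saturating)
            sat_release(&o);
        else
            naive_release(&o);
        held--;
    }
    if (!o.freed)
        r.leaked = true;
    return r;
}

int main(void)
{
    /* 65536 extra acquires wrap a 16-bit counter from 1 back to 1. */
    struct outcome wrap = simulate(false, 65536);
    struct outcome sat = simulate(true, 65536);
    printf("wrapping:   uaf=%d leak=%d\n", wrap.use_after_free, wrap.leaked);
    printf("saturating: uaf=%d leak=%d\n", sat.use_after_free, sat.leaked);
    return 0;
}
```

With the wrapping counter the attacker's 65536 acquires bring the count back to 1, so its single release frees the object while the owner (and the attacker's remaining references) still point at it. With the saturating counter the count sticks at REFCNT_SATURATED and no release ever frees the object: the same unbalanced-acquire bug is reduced to a leak, which is the 13.0 behaviour the thread describes and, as the proposed advisory text notes, is still a denial-of-service vector rather than a harmless one.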