From: Ed Maste
Date: Thu, 18 Aug 2022 17:29:09 -0400
Subject: Re: Impact of FreeBSD-SA-22:10.aio
To: Mark Johnston
Cc: Eric van Gyzen, freebsd-hackers
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On Thu, 18 Aug 2022 at 14:01, Ed Maste wrote:
>
> On Thu, 18 Aug 2022 at 12:16, Mark Johnston wrote:
> >
> > The refcount implementation in 12.3 doesn't handle overflow or underflow
> > at all, so it is vulnerable. I believe you're right that that
> > mitigation converts the bug into a memory leak in 13.0, and so the
> > advisory erroneously lists 13.0 as vulnerable when it isn't.
>
> I suppose it is really an SA for 12.3 and an EN for 13.0.
Unfortunately this is not the case - crhold() does not currently use the refcount(9) API, so does not benefit from the refcount overflow mitigation that it provides. We'll address this one way or another (for example, using refcount(9) or checking for overflow explicitly) to provide a mitigation in case there's another missing crfree.
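As an added illustration of the point in this thread (example code written for this page, not FreeBSD's refcount(9) or crhold() implementation), the two reference-count styles side by side: a plain wrapping counter, where enough missing releases let a legitimate release free an object that is still referenced, and a saturating counter, where the same overflow is pinned and the object is leaked instead. The saturation threshold and the starting state are constructed for the demonstration.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <limits.h>
#include <stdio.h>

/* Constructed saturation threshold for this illustration (not FreeBSD's
 * actual constant): a count at or above it is considered overflowed. */
#define REFCOUNT_SATURATED (1U << 31)

typedef struct { atomic_uint count; } refcnt_t;

/* Unmitigated hold/release, as described for 12.3: the count silently wraps,
 * so a long run of leaked holds lets an ordinary paired release report the
 * object as freeable while every other holder still references it. */
static void naive_hold(refcnt_t *r) { atomic_fetch_add(&r->count, 1); }
static bool naive_release(refcnt_t *r) { return atomic_fetch_sub(&r->count, 1) == 1; }

/* Saturating hold/release, the refcount(9)-style mitigation: once the count
 * crosses the threshold it is pinned there and release never reports "free",
 * so the use-after-free becomes a memory leak of that one object. */
static void sat_hold(refcnt_t *r) {
    if (atomic_fetch_add(&r->count, 1) >= REFCOUNT_SATURATED)
        atomic_store(&r->count, REFCOUNT_SATURATED);
}
static bool sat_release(refcnt_t *r) {
    unsigned old = atomic_fetch_sub(&r->count, 1);
    if (old >= REFCOUNT_SATURATED) {
        atomic_store(&r->count, REFCOUNT_SATURATED);
        return false;               /* leak rather than free */
    }
    return old == 1;
}

/* Constructed scenario: start with UINT_MAX outstanding holds (standing in for
 * a history of missing releases), take one more hold, then let one holder do
 * a correctly paired hold/release.  Returns true if that release claims the
 * object can be freed although the other holders still reference it. */
bool freed_while_referenced(bool mitigated) {
    refcnt_t r;
    atomic_init(&r.count, UINT_MAX);
    if (mitigated) { sat_hold(&r); sat_hold(&r); return sat_release(&r); }
    naive_hold(&r); naive_hold(&r); return naive_release(&r);
}

/* Sanity check that the mitigation keeps the normal path intact: the last
 * holder's release still frees the object. */
bool last_release_frees(bool mitigated) {
    refcnt_t r;
    atomic_init(&r.count, 1);
    return mitigated ? sat_release(&r) : naive_release(&r);
}
```
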