Date:      Thu, 18 Aug 2022 17:29:09 -0400
From:      Ed Maste <emaste@freebsd.org>
To:        Mark Johnston <markj@freebsd.org>
Cc:        Eric van Gyzen <eric@vangyzen.net>, freebsd-hackers <freebsd-hackers@freebsd.org>
Subject:   Re: Impact of FreeBSD-SA-22:10.aio
Message-ID:  <CAPyFy2BGTipw58=9fB=ebefGKUG0FXxndtrVWFRa6gSVW9LYfw@mail.gmail.com>
In-Reply-To: <CAPyFy2AZeNW3h8tt7D2ueXGsgfZJM5dqi7nbsH%2Bbb6kLtVAAwQ@mail.gmail.com>
References:  <f83e90b0-7ae4-13e1-d9fa-56354d28d195@vangyzen.net> <Yv5lt2tDPrmdpJIM@nuc> <CAPyFy2AZeNW3h8tt7D2ueXGsgfZJM5dqi7nbsH%2Bbb6kLtVAAwQ@mail.gmail.com>

On Thu, 18 Aug 2022 at 14:01, Ed Maste <emaste@freebsd.org> wrote:
>
> On Thu, 18 Aug 2022 at 12:16, Mark Johnston <markj@freebsd.org> wrote:
> >
> > The refcount implementation in 12.3 doesn't handle overflow or underflow
> > at all, so it is vulnerable.  I believe you're right that that
> > mitigation converts the bug into a memory leak in 13.0, and so the
> > advisory erroneously lists 13.0 as vulnerable when it isn't.
>
> I suppose it is really an SA for 12.3 and an EN for 13.0.

Unfortunately this is not the case - crhold() does not currently use
the refcount(9) API, so does not benefit from the refcount overflow
mitigation that it provides.

We'll address this one way or another (for example, using refcount(9)
or checking for overflow explicitly) to provide a mitigation in case
there's another missing crfree.
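The thread turns on one mechanism: a plain 32-bit reference count on the credential wraps to zero after enough holds without matching releases, after which a legitimate free releases the object while other holders still point at it, whereas a saturating count pins itself at a ceiling and turns the same bug into a memory leak. The following is an added example, not FreeBSD's refcount(9) or crhold()/crfree() code and not code from the thread; the names (struct cred, cred_hold, cred_free), the saturation threshold and the pre-loaded counter values that stand in for billions of leaked holds are assumptions chosen for illustration.

```c
/*
 * Added example, not FreeBSD code: a saturating reference count that models
 * the overflow mitigation discussed in the thread.  struct cred, cred_hold,
 * cred_free, SAT_THRESHOLD and the simulated starting counts are assumptions
 * for illustration, not the refcount(9) implementation.
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Once the count reaches this value it is pinned: further holds and
 * releases leave it unchanged, so it can never wrap back to zero. */
#define SAT_THRESHOLD (UINT32_MAX / 2)

struct cred {
    atomic_uint_least32_t refs;
    bool freed;   /* set when the count reaches zero, for the demonstration */
};

/* Unmitigated hold/free: a bare 32-bit increment and decrement. */
static void cred_hold_plain(struct cred *c)
{
    atomic_fetch_add_explicit(&c->refs, 1, memory_order_relaxed);
}

static void cred_free_plain(struct cred *c)
{
    if (atomic_fetch_sub_explicit(&c->refs, 1, memory_order_release) == 1)
        c->freed = true;   /* count hit zero: object would be freed here */
}

/* Mitigated hold: a CAS loop that refuses to increment past the threshold. */
static void cred_hold(struct cred *c)
{
    uint_least32_t old = atomic_load_explicit(&c->refs, memory_order_relaxed);
    for (;;) {
        if (old >= SAT_THRESHOLD)
            return;   /* saturated: leave the count alone */
        if (atomic_compare_exchange_weak_explicit(&c->refs, &old, old + 1,
                memory_order_relaxed, memory_order_relaxed))
            return;
    }
}

/* Mitigated free: never frees a saturated object and reports underflow.
 * Returns true only when the genuine last reference was dropped. */
static bool cred_free(struct cred *c)
{
    uint_least32_t old = atomic_load_explicit(&c->refs, memory_order_relaxed);
    for (;;) {
        if (old >= SAT_THRESHOLD)
            return false;   /* saturated: the object leaks instead */
        if (old == 0) {
            fprintf(stderr, "cred_free: underflow (release without hold)\n");
            return false;
        }
        if (atomic_compare_exchange_weak_explicit(&c->refs, &old, old - 1,
                memory_order_release, memory_order_relaxed)) {
            if (old == 1) {
                atomic_thread_fence(memory_order_acquire);
                c->freed = true;
                return true;
            }
            return false;
        }
    }
}

/* Simulated scenario: the count has already been driven to UINT32_MAX by
 * holds whose releases never happened.  Two more plain holds wrap it to 1,
 * and one legitimate free then "frees" the object under every other holder. */
bool plain_refcount_wraps(void)
{
    struct cred c = { UINT32_MAX, false };
    cred_hold_plain(&c);   /* UINT32_MAX + 1 wraps to 0 */
    cred_hold_plain(&c);   /* now 1 */
    cred_free_plain(&c);   /* back to 0: freed despite outstanding holders */
    return c.freed;
}

/* Same scenario with the saturating counter: the count sticks at the
 * threshold and the object is never freed, so the bug becomes a leak. */
bool saturated_refcount_leaks(void)
{
    struct cred c = { SAT_THRESHOLD - 1, false };
    cred_hold(&c);         /* reaches SAT_THRESHOLD */
    cred_hold(&c);         /* pinned: stays at SAT_THRESHOLD */
    cred_free(&c);         /* pinned: no decrement, no free */
    return !c.freed && atomic_load(&c.refs) == SAT_THRESHOLD;
}

/* Sanity check: a balanced hold/free pair still frees on the last release. */
bool balanced_lifecycle_frees(void)
{
    struct cred c = { 1, false };
    cred_hold(&c);
    bool early = cred_free(&c);   /* 2 -> 1, not freed yet */
    bool last = cred_free(&c);    /* 1 -> 0, freed */
    return !early && last && c.freed;
}

int main(void)
{
    printf("plain counter wraps and frees early: %s\n",
           plain_refcount_wraps() ? "yes" : "no");
    printf("saturating counter leaks instead:    %s\n",
           saturated_refcount_leaks() ? "yes" : "no");
    return 0;
}
```

The saturating variant trades a bounded, detectable resource leak for the use-after-free that a wrapped counter produces; a leak of this kind shows up in memory accounting and can be found with the usual leak tooling, whereas a wrapped count corrupts live objects silently. Pinning the count in a CAS loop rather than a fetch-and-add-then-check keeps the check and the update in one atomic step, which matters once several threads race on the same credential.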