Date: Thu, 18 Aug 2022 17:29:09 -0400
From: Ed Maste <emaste@freebsd.org>
To: Mark Johnston <markj@freebsd.org>
Cc: Eric van Gyzen <eric@vangyzen.net>, freebsd-hackers <freebsd-hackers@freebsd.org>
Subject: Re: Impact of FreeBSD-SA-22:10.aio
Message-ID: <CAPyFy2BGTipw58=9fB=ebefGKUG0FXxndtrVWFRa6gSVW9LYfw@mail.gmail.com>
In-Reply-To: <CAPyFy2AZeNW3h8tt7D2ueXGsgfZJM5dqi7nbsH%2Bbb6kLtVAAwQ@mail.gmail.com>
References: <f83e90b0-7ae4-13e1-d9fa-56354d28d195@vangyzen.net> <Yv5lt2tDPrmdpJIM@nuc> <CAPyFy2AZeNW3h8tt7D2ueXGsgfZJM5dqi7nbsH%2Bbb6kLtVAAwQ@mail.gmail.com>
On Thu, 18 Aug 2022 at 14:01, Ed Maste <emaste@freebsd.org> wrote:
>
> On Thu, 18 Aug 2022 at 12:16, Mark Johnston <markj@freebsd.org> wrote:
> >
> > The refcount implementation in 12.3 doesn't handle overflow or underflow
> > at all, so it is vulnerable. I believe you're right that that
> > mitigation converts the bug into a memory leak in 13.0, and so the
> > advisory erroneously lists 13.0 as vulnerable when it isn't.
>
> I suppose it is really an SA for 12.3 and an EN for 13.0.

Unfortunately this is not the case - crhold() does not currently use the
refcount(9) API, so does not benefit from the refcount overflow
mitigation that it provides. We'll address this one way or another (for
example, using refcount(9) or checking for overflow explicitly) to
provide a mitigation in case there's another missing crfree.
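The difference the message draws between an unchecked counter (which wraps) and a saturating one (which turns a leaked hold into a memory leak), as an added example that is not code from this thread or from FreeBSD: the `struct cred` layout, the `hold_*`/`release` helpers and the saturation value are assumptions, and the counter is narrowed to 8 bits so the wrap can be reached in a loop.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for a credential object (assumed layout, not the kernel's).
 * The counter is 8-bit only so that a loop can actually reach the wrap. */
typedef uint8_t refcnt_t;
struct cred { refcnt_t cr_ref; };

/* Saturation point in the upper half of the range (assumed value; the idea
 * mirrors the refcount(9) overflow guard the message refers to). */
#define REFCOUNT_SATURATED ((refcnt_t)0x80)

/* Unchecked hold: plain increment, silently wraps to 0 past the maximum. */
static void hold_unchecked(struct cred *cr) { cr->cr_ref++; }

/* Checked hold: stops increasing at the saturation point, so a missing
 * release leaks the object instead of letting the count wrap. */
static void hold_checked(struct cred *cr)
{
    if (cr->cr_ref < REFCOUNT_SATURATED)
        cr->cr_ref++;
}

/* Drop one reference; true means the object would be freed now.
 * A saturated counter is never decremented, so it is never freed. */
static bool release(struct cred *cr)
{
    if (cr->cr_ref >= REFCOUNT_SATURATED)
        return false;
    return --cr->cr_ref == 0;
}

/* Start with 'live' holders, add 'leaked' holds that are never released,
 * then let all but one live holder go. Returns true if the object was freed
 * while a holder still existed, i.e. the counter wrapped. */
bool freed_early(unsigned live, unsigned leaked, bool checked)
{
    struct cred cr = { .cr_ref = 0 };
    for (unsigned i = 0; i < live + leaked; i++)
        checked ? hold_checked(&cr) : hold_unchecked(&cr);
    for (unsigned i = 0; i + 1 < live; i++)
        if (release(&cr))
            return true;
    return false;
}

int main(void)
{
    /* Constructed scenario: 3 real holders, 254 leaked holds. */
    printf("unchecked counter freed early: %d\n", freed_early(3, 254, false));
    printf("checked counter freed early:   %d\n", freed_early(3, 254, true));
    return 0;
}
```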