Date:      Thu, 18 Aug 2022 14:01:58 -0400
From:      Ed Maste <emaste@freebsd.org>
To:        Mark Johnston <markj@freebsd.org>
Cc:        Eric van Gyzen <eric@vangyzen.net>, freebsd-hackers <freebsd-hackers@freebsd.org>
Subject:   Re: Impact of FreeBSD-SA-22:10.aio
Message-ID:  <CAPyFy2AZeNW3h8tt7D2ueXGsgfZJM5dqi7nbsH%2Bbb6kLtVAAwQ@mail.gmail.com>
In-Reply-To: <Yv5lt2tDPrmdpJIM@nuc>
References:  <f83e90b0-7ae4-13e1-d9fa-56354d28d195@vangyzen.net> <Yv5lt2tDPrmdpJIM@nuc>

On Thu, 18 Aug 2022 at 12:16, Mark Johnston <markj@freebsd.org> wrote:
>
> The refcount implementation in 12.3 doesn't handle overflow or underflow
> at all, so it is vulnerable.  I believe you're right that that
> mitigation converts the bug into a memory leak in 13.0, and so the
> advisory erroneously lists 13.0 as vulnerable when it isn't.

I suppose it is really an SA for 12.3 and an EN for 13.0. We should
perhaps update the advisory text to make this clear - e.g.:

 III. Impact

-An attacker may cause the reference count to overflow, leading to a
-use after free (UAF).
+On FreeBSD 12.3 an attacker may cause the reference count to overflow,
+leading to a use after free (UAF).  On FreeBSD 13.0 a mitigation in the
+reference counting implementation limits the impact to a memory leak (which
+may lead to a denial of service).
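Review bot: the rewritten Impact paragraph now separates the 12.3 use-after-free from the 13.0 leak, but this hunk touches only section III; the quoted reply says the same advisory still lists 13.0 as vulnerable in its affected-versions list, so that list (or the SA/EN classification proposed above) needs to change in the same revision or the advisory stays internally inconsistent. Consider also naming the 13.0 outcome explicitly as a denial of service in the affected-versions text rather than only parenthetically here.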



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPyFy2AZeNW3h8tt7D2ueXGsgfZJM5dqi7nbsH%2Bbb6kLtVAAwQ>
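The thread contrasts a refcount that wraps silently (12.3, overflow becomes a use after free) with one whose implementation pins the count once it gets too large (13.0, overflow becomes a leak). The following is an added, constructed illustration of that difference, not FreeBSD's refcount code: the saturation threshold `REFCOUNT_SATURATED`, the function names and the starting counter value are all assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed threshold for this example only; it is not FreeBSD's own
 * saturation value.  Once a count reaches it, it is never moved again.
 */
#define REFCOUNT_SATURATED (UINT32_C(1) << 31)

/* --- Unchecked counter: the 12.3-style behaviour described in the thread --- */

/* Plain increment: silently wraps from UINT32_MAX to 0. */
uint32_t refcount_acquire_unchecked(uint32_t *count)
{
	return ++*count;
}

/* Plain decrement; true means "last reference dropped, free the object".
 * Decrementing 0 wraps to UINT32_MAX (underflow is not detected either). */
bool refcount_release_unchecked(uint32_t *count)
{
	return --*count == 0;
}

/* --- Saturating counter: the mitigation behaviour described in the thread --- */

/* Increment, but pin the count once it reaches the saturation threshold. */
uint32_t refcount_acquire_saturating(uint32_t *count)
{
	if (*count >= REFCOUNT_SATURATED)
		return *count;
	return ++*count;
}

/*
 * Decrement; never reports "free" for a saturated or already-zero count,
 * so an overflowed object is leaked rather than freed while still referenced.
 */
bool refcount_release_saturating(uint32_t *count)
{
	if (*count >= REFCOUNT_SATURATED || *count == 0)
		return false;
	return --*count == 0;
}

/*
 * Drive a counter that is already at its maximum through two more acquires
 * and one release.  Returns true if that release reported the object
 * freeable even though references are still outstanding (a use after free).
 * The final counter value is written to *final when final is not NULL.
 */
bool overflow_frees_object_unchecked(uint32_t *final)
{
	uint32_t count = UINT32_MAX;	/* constructed: counter already maxed out */
	refcount_acquire_unchecked(&count);	/* wraps to 0 */
	refcount_acquire_unchecked(&count);	/* now 1 */
	bool freed = refcount_release_unchecked(&count);	/* 1 -> 0: "free it" */
	if (final != NULL)
		*final = count;
	return freed;
}

/* Same sequence against the saturating counter: the count stays pinned. */
bool overflow_frees_object_saturating(uint32_t *final)
{
	uint32_t count = UINT32_MAX;	/* constructed: same starting point */
	refcount_acquire_saturating(&count);	/* unchanged, already saturated */
	refcount_acquire_saturating(&count);
	bool freed = refcount_release_saturating(&count);	/* false: pinned */
	if (final != NULL)
		*final = count;
	return freed;
}

int main(void)
{
	uint32_t final;
	bool freed = overflow_frees_object_unchecked(&final);
	printf("unchecked : freed=%d count=%u (%s)\n", freed, final,
	    freed ? "object freed with live refs: UAF" : "ok");
	freed = overflow_frees_object_saturating(&final);
	printf("saturating: freed=%d count=%u (%s)\n", freed, final,
	    freed ? "UAF" : "pinned, object leaked instead");
	return 0;
}
```

The saturating variant trades the memory-safety bug for a resource bug: the object is never released, which is the "memory leak (which may lead to a denial of service)" wording the proposed advisory text uses for 13.0. The same guard also refuses to decrement a zero count, covering the underflow case the quoted reply mentions.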