Date:      Thu, 18 Aug 2022 12:15:51 -0400
From:      Mark Johnston <markj@freebsd.org>
To:        Eric van Gyzen <eric@vangyzen.net>
Cc:        freebsd-hackers <freebsd-hackers@freebsd.org>
Subject:   Re: Impact of FreeBSD-SA-22:10.aio
Message-ID:  <Yv5lt2tDPrmdpJIM@nuc>
In-Reply-To: <f83e90b0-7ae4-13e1-d9fa-56354d28d195@vangyzen.net>
References:  <f83e90b0-7ae4-13e1-d9fa-56354d28d195@vangyzen.net>

On Thu, Aug 18, 2022 at 11:08:47AM -0500, Eric van Gyzen wrote:
> The Impact section of FreeBSD-SA-22:10.aio says
> 
> 	An attacker may cause the reference count to overflow,
> 	leading to a use after free (UAF).
> 
> I don't see how the refcount can overflow.  That seems to be prevented 
> by REFCOUNT_SATURATED and friends.  Does anyone care to enlighten me? 
> There is the small window between fetchadd and detecting saturation; is 
> this the [only] way?

The refcount implementation in 12.3 doesn't handle overflow or underflow
at all, so it is vulnerable.  I believe you're right that that
mitigation converts the bug into a memory leak in 13.0, and so the
advisory erroneously lists 13.0 as vulnerable when it isn't.
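An added illustration of the distinction drawn in the reply above: it is not FreeBSD code and not part of this thread. It models two reference counters, a plain one that wraps on overflow (the 12.3 behaviour as described) and a saturating one in the spirit of REFCOUNT_SATURATED, and drives both through a constructed scenario in which an attacker-triggered operation leaks one reference per call. The counter is 16 bits wide so the wrap is reachable in a short loop (the kernel's is 32 bits); the saturation bit (top bit) and pinned value (3/4 of the range) are assumptions for the model, not a transcription of FreeBSD's refcount.h, and the model is single-threaded, so it does not show the fetchadd-to-check race mentioned in the question.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 16-bit counter so the wrap is reachable in a loop (assumption for the demo). */
typedef uint16_t refcnt_t;
#define SAT_BIT   ((refcnt_t)(1U << 15))   /* "saturated" marker: top bit set   */
#define SAT_VALUE ((refcnt_t)(3U << 14))   /* value the count is pinned to      */

/* Plain counter: no overflow handling at all (the 12.3-style behaviour). */
typedef struct { refcnt_t count; } plain_ref_t;

static void plain_acquire(plain_ref_t *r) { r->count++; }
/* Returns true when the last reference is dropped, i.e. the object is freed. */
static bool plain_release(plain_ref_t *r) { return --r->count == 0; }

/* Saturating counter: once the top bit is observed, the count is pinned and
 * release never reports "last reference", so the object can only leak. */
typedef struct { refcnt_t count; } sat_ref_t;

static void sat_acquire(sat_ref_t *r) {
    refcnt_t old = r->count++;
    if (old & SAT_BIT)
        r->count = SAT_VALUE;            /* pin, never allow a wrap to 0 */
}
static bool sat_release(sat_ref_t *r) {
    if (r->count & SAT_BIT) {
        r->count = SAT_VALUE;            /* stay pinned: leak instead of free */
        return false;
    }
    return --r->count == 0;
}

/* Constructed scenario: one legitimate holder, `leaks` attacker-triggered
 * acquires that are never released, then an unrelated acquire/release pair.
 * Returns true if that final release reports "last reference dropped", which
 * would free the object underneath the legitimate holder (use after free). */
static bool plain_scenario(uint32_t leaks) {
    plain_ref_t r = { .count = 0 };
    plain_acquire(&r);                                   /* legitimate holder */
    for (uint32_t i = 0; i < leaks; i++) plain_acquire(&r); /* leaked refs   */
    plain_acquire(&r);                                   /* unrelated user    */
    return plain_release(&r);
}
static bool sat_scenario(uint32_t leaks) {
    sat_ref_t r = { .count = 0 };
    sat_acquire(&r);
    for (uint32_t i = 0; i < leaks; i++) sat_acquire(&r);
    sat_acquire(&r);
    return sat_release(&r);
}

/* Counter value after the legitimate holder plus `leaks` leaked acquires. */
static refcnt_t plain_count_after(uint32_t leaks) {
    plain_ref_t r = { .count = 0 };
    plain_acquire(&r);
    for (uint32_t i = 0; i < leaks; i++) plain_acquire(&r);
    return r.count;
}
static refcnt_t sat_count_after(uint32_t leaks) {
    sat_ref_t r = { .count = 0 };
    sat_acquire(&r);
    for (uint32_t i = 0; i < leaks; i++) sat_acquire(&r);
    return r.count;
}

int main(void) {
    uint32_t leaks = 65535;   /* enough to wrap a 16-bit counter */
    printf("plain: count after leaks = %u, freed under holder = %s\n",
           plain_count_after(leaks), plain_scenario(leaks) ? "yes (UAF)" : "no");
    printf("saturating: count after leaks = %u, freed under holder = %s\n",
           sat_count_after(leaks), sat_scenario(leaks) ? "yes (UAF)" : "no (leak)");
    return 0;
}
```

With the plain counter the leaked acquires wrap the count to 0, so the next unrelated acquire/release pair frees the object while the legitimate holder still uses it; with the saturating counter the count pins at SAT_VALUE and release never frees, which is the "bug becomes a memory leak" outcome the reply describes.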

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Yv5lt2tDPrmdpJIM>