Impact of FreeBSD-SA-22:10.aio
- Reply: Mark Johnston : "Re: Impact of FreeBSD-SA-22:10.aio"
Date: Thu, 18 Aug 2022 16:08:47 UTC
The Impact section of FreeBSD-SA-22:10.aio says

    An attacker may cause the reference count to overflow, leading to a use after free (UAF).

I don't see how the refcount can overflow. That seems to be prevented by REFCOUNT_SATURATED and friends. Does anyone care to enlighten me? There is the small window between fetchadd and detecting saturation; is this the [only] way?

Cheers,
Eric
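
For readers following the thread, an added example (not part of the original post and not FreeBSD source) modelling the difference the question turns on: a plain counter that wraps after leaked references versus a saturating one that pins itself and never frees. The names SAT_BIT, SAT_VALUE and frees_after_leaks, the constant values, and the starting counts are assumptions constructed for this model.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this model: top bit means "saturated"; a saturated count is pinned. */
#define SAT_BIT   (UINT32_C(1) << 31)
#define SAT_VALUE (UINT32_C(3) << 30)

/* Plain counter: wraps modulo 2^32, so enough leaked references bring it back near zero. */
static void plain_acquire(atomic_uint *c) { atomic_fetch_add(c, 1); }
static bool plain_release(atomic_uint *c) { return atomic_fetch_sub(c, 1) == 1; }

/* Saturating counter: once the saturated bit is seen, pin the value. */
static void sat_acquire(atomic_uint *c)
{
    unsigned old = atomic_fetch_add(c, 1);
    /* The gap between the add above and the store below is the window the post asks about. */
    if (old & SAT_BIT)
        atomic_store(c, SAT_VALUE);
}

static bool sat_release(atomic_uint *c)
{
    unsigned old = atomic_fetch_sub(c, 1);
    if (old & SAT_BIT) {
        atomic_store(c, SAT_VALUE);   /* object is leaked on purpose, never freed */
        return false;
    }
    return old == 1;                  /* true: last reference dropped, caller frees */
}

/* Start at a constructed count, leak `leaks` references (acquire with no release),
 * then drop one real reference. Returns true if that drop would free the object. */
static bool frees_after_leaks(bool saturating, uint32_t start, uint32_t leaks)
{
    atomic_uint c;
    atomic_init(&c, start);
    for (uint32_t i = 0; i < leaks; i++)
        saturating ? sat_acquire(&c) : plain_acquire(&c);
    return saturating ? sat_release(&c) : plain_release(&c);
}

int main(void)
{
    /* Constructed starting values sitting just below each counter's boundary. */
    printf("plain:      freed=%d\n", frees_after_leaks(false, UINT32_MAX, 2));
    printf("saturating: freed=%d\n", frees_after_leaks(true, INT32_MAX, 2));
}
```

In the plain case the release frees the object even though other holders may still reference it; in the saturating case the counter stays pinned and the object is leaked instead.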