From nobody Thu Aug 18 16:08:47 2022 X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4M7qZM5Grsz4ZrFY for ; Thu, 18 Aug 2022 16:08:59 +0000 (UTC) (envelope-from eric@vangyzen.net) Received: from smtp.vangyzen.net (hotblack.vangyzen.net [199.48.133.146]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4M7qZM0Bm4z47Mv for ; Thu, 18 Aug 2022 16:08:58 +0000 (UTC) (envelope-from eric@vangyzen.net) Received: from [198.18.2.12] (24-236-44-43-dynamic.midco.net [24.236.44.43]) by smtp.vangyzen.net (Postfix) with ESMTPSA id E00FC56477 for ; Thu, 18 Aug 2022 11:08:51 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=vangyzen.net; s=default; t=1660838931; bh=IrBtEPS+j6dfGaX210IwyLkfeknnDh3gFB+xVCiggzw=; h=Date:To:From:Subject; b=UpZ3ICPIayY6b3q4r9UbrJiEZze06QaWWykSPcsiBIuBWJNW5lPUu9IK8BAUzOiGY TRj+faes6ELArkg5d8e45GdIk3C5+553MVCAxCmVnL7+qNqylSzfIk+FAQOBUkgMp+ s/qz2WmRLXbQJQ16HjjlrwXZaUtK60BR9NxwMMpqJNwb2iWuhNZNzQQf/pJlfU4z6b fzKFma0+OheRtzT3VHRJiBzDyNjKca+TpJ7WRIqeSo+VrRu0Ka+QjdQXKZXv5N3pTA 5U+ksiXHXQFVkJTLwnYc63SM3CUplMKVOWJF6jHAQetf36ZndFK3zp6+qervOsU3Pn gXNKWfiaTsNSg== Message-ID: Date: Thu, 18 Aug 2022 11:08:47 -0500 List-Id: Technical discussions relating to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-hackers List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-hackers@freebsd.org MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0 Content-Language: en-US To: freebsd-hackers From: Eric van Gyzen Subject: Impact of FreeBSD-SA-22:10.aio Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 4M7qZM0Bm4z47Mv X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=vangyzen.net header.s=default header.b=UpZ3ICPI; dmarc=pass (policy=none) header.from=vangyzen.net; spf=pass (mx1.freebsd.org: domain of eric@vangyzen.net designates 199.48.133.146 as permitted sender) smtp.mailfrom=eric@vangyzen.net X-Spamd-Result: default: False [-4.00 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-1.000]; DMARC_POLICY_ALLOW(-0.50)[vangyzen.net,none]; R_SPF_ALLOW(-0.20)[+a]; R_DKIM_ALLOW(-0.20)[vangyzen.net:s=default]; MIME_GOOD(-0.10)[text/plain]; ASN(0.00)[asn:36236, ipnet:199.48.132.0/22, country:US]; MLMMJ_DEST(0.00)[freebsd-hackers@freebsd.org]; MIME_TRACE(0.00)[0:+]; DKIM_TRACE(0.00)[vangyzen.net:+]; FROM_EQ_ENVFROM(0.00)[]; TO_DN_ALL(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; FREEFALL_USER(0.00)[eric]; ARC_NA(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; FROM_HAS_DN(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-hackers@freebsd.org]; RCVD_TLS_ALL(0.00)[] X-ThisMailContainsUnwantedMimeParts: N The Impact section of FreeBSD-SA-22:10.aio says An attacker may cause the reference count to overflow, leading to a use after free (UAF). I don't see how the refcount can overflow. That seems to be prevented by REFCOUNT_SATURATED and friends. Does anyone care to enlighten me? There is the small window between fetchadd and detecting saturation; is this the [only] way? Cheers, Eric