Re: Impact of FreeBSD-SA-22:10.aio
- Reply: Ed Maste : "Re: Impact of FreeBSD-SA-22:10.aio"
- In reply to: Eric van Gyzen : "Impact of FreeBSD-SA-22:10.aio"
Date: Thu, 18 Aug 2022 16:15:51 UTC
On Thu, Aug 18, 2022 at 11:08:47AM -0500, Eric van Gyzen wrote:
> The Impact section of FreeBSD-SA-22:10.aio says
>
> An attacker may cause the reference count to overflow,
> leading to a use after free (UAF).
>
> I don't see how the refcount can overflow. That seems to be prevented
> by REFCOUNT_SATURATED and friends. Does anyone care to enlighten me?
> There is the small window between fetchadd and detecting saturation; is
> this the [only] way?

The refcount implementation in 12.3 doesn't handle overflow or underflow
at all, so it is vulnerable. I believe you're right that that mitigation
converts the bug into a memory leak in 13.0, and so the advisory
erroneously lists 13.0 as vulnerable when it isn't.
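To illustrate the difference the two replies are discussing (a count that wraps versus one that saturates), here is an added, self-contained toy in C. It is not code from this thread or from FreeBSD's sys/refcount.h: the names (rc_acquire_wrapping, rc_acquire_saturating, RC_SATURATED_BIT, RC_PINNED, struct rc_obj) and the pinned value are hypothetical, the starting count stands in for a loop that has already taken about four billion references, and the increments are plain loads and stores rather than the atomic fetchadd the kernel uses, so the toy is single-threaded only.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed example: a 32-bit reference count with two policies.
 * A wrapping count turns an overflow into a use-after-free; a
 * saturating count turns the same overflow into a memory leak.
 * All identifiers here are hypothetical, not FreeBSD's.
 */

/* High bit set means "saturated": the count is poisoned and frozen. */
#define RC_SATURATED_BIT 0x80000000u
/* Value the count is pinned at once saturation has been detected. */
#define RC_PINNED        0xC0000000u

struct rc_obj {
    uint32_t count;
    bool     freed;   /* stands in for the object actually being released */
};

/* Wrapping policy: no overflow or underflow handling at all. */
static void rc_acquire_wrapping(struct rc_obj *o)
{
    o->count++;                 /* 0xFFFFFFFF + 1 silently becomes 0 */
}

static bool rc_release_wrapping(struct rc_obj *o)
{
    uint32_t old = o->count--;  /* 0 - 1 silently becomes 0xFFFFFFFF */
    if (old == 1) {
        o->freed = true;        /* "last" reference, as far as the count knows */
        return true;
    }
    return false;
}

/*
 * Saturating policy: add first, then inspect the value that was read.
 * If it already carried the saturated bit, pin the count so it never
 * moves again. The check runs after the add, which is the small window
 * between fetchadd and detecting saturation mentioned in the thread.
 */
static void rc_acquire_saturating(struct rc_obj *o)
{
    uint32_t old = o->count;
    o->count = old + 1;
    if (old & RC_SATURATED_BIT)
        o->count = RC_PINNED;
}

static bool rc_release_saturating(struct rc_obj *o)
{
    uint32_t old = o->count;
    if (old & RC_SATURATED_BIT) {
        o->count = RC_PINNED;   /* saturated: leak the object, never free it */
        return false;
    }
    o->count = old - 1;
    if (old == 1) {
        o->freed = true;
        return true;
    }
    return false;
}

/*
 * Scenario (constructed): count == UINT32_MAX - 1 stands in for roughly
 * four billion references already taken. Three more acquires are followed
 * by a single release. Returns true if the object was freed while other
 * references are still outstanding, i.e. a use-after-free.
 */
static bool demo_wrapping(void)
{
    struct rc_obj o = { UINT32_MAX - 1, false };
    rc_acquire_wrapping(&o);    /* 0xFFFFFFFF */
    rc_acquire_wrapping(&o);    /* wraps to 0 */
    rc_acquire_wrapping(&o);    /* 1: looks like a single reference */
    rc_release_wrapping(&o);    /* frees while billions of holders remain */
    return o.freed;
}

/* Same scenario with saturation: the object is leaked, not freed. */
static bool demo_saturating(void)
{
    struct rc_obj o = { UINT32_MAX - 1, false };
    rc_acquire_saturating(&o);  /* old value had the high bit set: pinned */
    rc_acquire_saturating(&o);
    rc_acquire_saturating(&o);
    rc_release_saturating(&o);  /* saturated: release does nothing */
    return o.freed;
}

/* Count value after one saturating acquire from the scenario above. */
static uint32_t demo_saturating_final_count(void)
{
    struct rc_obj o = { UINT32_MAX - 1, false };
    rc_acquire_saturating(&o);
    return o.count;             /* RC_PINNED */
}

int main(void)
{
    printf("wrapping:   freed while referenced = %s\n",
           demo_wrapping() ? "yes (use-after-free)" : "no");
    printf("saturating: freed while referenced = %s\n",
           demo_saturating() ? "yes (use-after-free)" : "no");
    return 0;
}
```

The point of the toy is the last line of each demo: with the wrapping policy the release frees the object while other holders still have pointers to it, whereas with the saturating policy the release refuses to free a poisoned count, so the worst case is a leak of one object rather than a dangling pointer.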