Re: Impact of FreeBSD-SA-22:10.aio
- Reply: Ed Maste : "Re: Impact of FreeBSD-SA-22:10.aio"
- In reply to: Mark Johnston : "Re: Impact of FreeBSD-SA-22:10.aio"
Date: Thu, 18 Aug 2022 18:01:58 UTC
On Thu, 18 Aug 2022 at 12:16, Mark Johnston <markj@freebsd.org> wrote: > > The refcount implementation in 12.3 doesn't handle overflow or underflow > at all, so it is vulnerable. I believe you're right that that > mitigation converts the bug into a memory leak in 13.0, and so the > advisory erroneously lists 13.0 as vulnerable when it isn't. I suppose it is really an SA for 12.3 and an EN for 13.0. We should perhaps update the advisory text to make this clear - e.g.: III. Impact -An attacker may cause the reference count to overflow, leading to a -use after free (UAF). +On FreeBSD 12.3 an attacker may cause the reference count to overflow, +leading to a use after free (UAF). On FreeBSD 13.0 a mitigation in the +reference counting implementation limits the impact to a memory leak (which +may lead to a denial of service).
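Review bot: the replacement Impact text accounts only for 12.3 and 13.0, so if the advisory's affected-versions list names any other release, the new paragraph should say which of the two outcomes applies to it. The quoted message says the advisory lists 13.0 as vulnerable, and this hunk touches only section III; the part of the advisory that makes that listing needs a matching correction, otherwise the two will disagree. The phrase "a mitigation in the reference counting implementation" is also vague: naming it as overflow handling in the refcount code would let readers check whether their branch has it.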
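A simplified model of the distinction drawn in this thread, added here as an illustration and not FreeBSD's refcount code: an unchecked counter wraps to zero and frees an object that is still referenced, while a saturating counter pins the count and leaks the object instead. All names, the saturation threshold and the starting counts are assumptions constructed for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model object; 'freed' stands in for the real free call. */
struct obj { unsigned int refs; bool freed; };

/* Unchecked counter: wraps silently, as the thread describes for 12.3. */
static void naive_acquire(struct obj *o) { o->refs++; }
static void naive_release(struct obj *o) { if (--o->refs == 0) o->freed = true; }

/* Saturating counter (assumed design): a count with the top bit set is
 * pinned to SAT_VALUE and never decremented again, so it cannot reach 0. */
#define SAT_VALUE (3U << 30)
static bool saturated(unsigned int c) { return (c & (1U << 31)) != 0; }
static void sat_acquire(struct obj *o) {
    if (saturated(o->refs) || saturated(++o->refs))
        o->refs = SAT_VALUE;
}
static void sat_release(struct obj *o) {
    if (saturated(o->refs)) { o->refs = SAT_VALUE; return; }
    if (--o->refs == 0)
        o->freed = true;
}

typedef void (*ref_op)(struct obj *);

/* 'start' is a constructed count just below the limit, standing in for one
 * legitimate holder plus many references already leaked by a buggy path.
 * Leak 'leaks' more, do one balanced acquire/release, and return the object
 * state as seen while the legitimate holder still has its pointer. */
static struct obj run(ref_op acq, ref_op rel, unsigned int start, int leaks) {
    struct obj o = { .refs = start, .freed = false };
    for (int i = 0; i < leaks; i++)
        acq(&o);              /* leaked: acquired, never released */
    acq(&o);
    rel(&o);                  /* ordinary balanced use */
    return o;
}

int main(void) {
    struct obj n = run(naive_acquire, naive_release, UINT_MAX - 2, 3);
    struct obj s = run(sat_acquire, sat_release, (1U << 31) - 3, 3);
    printf("naive:      refs=%u freed=%d (freed under a live holder)\n", n.refs, n.freed);
    printf("saturating: refs=%u freed=%d (never freed: leak)\n", s.refs, s.freed);
    return 0;
}
```

In the saturating case the object stays allocated even after every holder releases it, which is the memory leak (and potential denial of service) the proposed advisory wording describes.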