From: Ed Maste
Date: Thu, 18 Aug 2022 14:01:58 -0400
Subject: Re: Impact of FreeBSD-SA-22:10.aio
To: Mark Johnston
Cc: Eric van Gyzen, freebsd-hackers
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On Thu, 18 Aug 2022 at 12:16, Mark Johnston wrote:
>
> The refcount implementation in 12.3 doesn't handle overflow or underflow
> at all, so it is vulnerable. I believe you're right that that
> mitigation converts the bug into a memory leak in 13.0, and so the
> advisory erroneously lists 13.0 as vulnerable when it isn't.

I suppose it is really an SA for 12.3 and an EN for 13.0. We should perhaps update the advisory text to make this clear - e.g.:

III.
Impact -An attacker may cause the reference count to overflow, leading to a -use after free (UAF). +On FreeBSD 12.3 an attacker may cause the reference count to overflow, +leading to a use after free (UAF). On FreeBSD 13.0 a mitigation in the +reference counting implementation limits the impact to a memory leak (which +may lead to a denial of service).
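Review bot: rewriting only the Impact section leaves the rest of the advisory inconsistent with it; the quoted reply says the advisory erroneously lists 13.0 as vulnerable, so the affected-versions wording needs the same 12.3/13.0 split, or a note that 13.0 is covered as an errata notice rather than a security advisory, as suggested above. It would also help to say in the new 13.0 sentence what the mitigation is (the overflow/underflow handling in the refcount implementation that 12.3 lacks, per the quoted reply) so readers understand why the two releases differ.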