Re: Impact of FreeBSD-SA-22:10.aio

From: Ed Maste <emaste_at_freebsd.org>
Date: Thu, 18 Aug 2022 21:29:09 UTC
On Thu, 18 Aug 2022 at 14:01, Ed Maste <emaste@freebsd.org> wrote:
>
> On Thu, 18 Aug 2022 at 12:16, Mark Johnston <markj@freebsd.org> wrote:
> >
> > The refcount implementation in 12.3 doesn't handle overflow or underflow
> > at all, so it is vulnerable.  I believe you're right that that
> > mitigation converts the bug into a memory leak in 13.0, and so the
> > advisory erroneously lists 13.0 as vulnerable when it isn't.
>
> I suppose it is really an SA for 12.3 and an EN for 13.0.

Unfortunately this is not the case - crhold() does not currently use
the refcount(9) API, so does not benefit from the refcount overflow
mitigation that it provides.

We'll address this one way or another (for example, using refcount(9)
or checking for overflow explicitly) to provide a mitigation in case
there's another missing crfree.
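To make the distinction in this thread concrete, here is an added illustration in C (this is not FreeBSD code and not the refcount(9) implementation). It contrasts a plain increment that wraps, which is what an unchecked hold does when a reference is never released, with a saturating hold/release pair of the kind refcount(9) provides or that an explicit overflow check in crhold() would provide: once the counter hits the threshold it is pinned, the object is never freed, and the missing release becomes a memory leak rather than a premature free. The names `struct cred`, `hold_unchecked`, `hold_checked`, `release_checked` and the `REF_SATURATED` threshold are assumptions chosen for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a credential object (the real struct ucred
 * carries much more state; this example is not FreeBSD code). */
struct cred {
    unsigned int cr_ref;   /* reference count */
    int cr_uid;
};

/* Assumed saturation threshold (not the refcount(9) constant): once the
 * count reaches this value it is pinned there and the object is never
 * freed, so a missing release becomes a leak instead of a use-after-free. */
#define REF_SATURATED 0x80000000u

static bool ref_is_saturated(unsigned int v) { return v >= REF_SATURATED; }

/* Unmitigated hold, i.e. a counter that does no overflow checking:
 * a plain increment silently wraps from UINT_MAX to 0. */
unsigned int hold_unchecked(struct cred *c) {
    return ++c->cr_ref;
}

/* Mitigated hold: refuse to advance a saturated counter. */
unsigned int hold_checked(struct cred *c) {
    unsigned int old = c->cr_ref;
    if (ref_is_saturated(old))
        return old;            /* pinned; can never wrap */
    c->cr_ref = old + 1;
    return c->cr_ref;
}

/* Mitigated release: returns true if this call freed the object.
 * A saturated object is deliberately never freed. */
bool release_checked(struct cred **cp) {
    struct cred *c = *cp;
    unsigned int old = c->cr_ref;
    if (ref_is_saturated(old))
        return false;          /* leak on purpose rather than risk a free */
    if (old == 0)
        return false;          /* underflow: release with no matching hold;
                                  a kernel would panic here instead */
    c->cr_ref = old - 1;
    if (c->cr_ref == 0) {
        free(c);
        *cp = NULL;
        return true;
    }
    return false;
}

/* Scenario: an unchecked counter at UINT_MAX takes one more hold and wraps to 0. */
unsigned int simulate_unchecked_wrap(void) {
    struct cred c = { UINT_MAX, 0 };
    return hold_unchecked(&c);
}

/* Scenario: a checked counter reaches the threshold and stays there. */
unsigned int simulate_checked_saturation(void) {
    struct cred c = { REF_SATURATED - 1u, 0 };
    hold_checked(&c);          /* -> REF_SATURATED */
    hold_checked(&c);          /* stays REF_SATURATED */
    return c.cr_ref;
}

/* Scenario: a saturated object survives any number of releases (returns 1). */
int saturated_cred_survives_release(void) {
    struct cred *c = calloc(1, sizeof *c);
    if (c == NULL)
        return -1;
    c->cr_ref = REF_SATURATED;
    bool freed = false;
    for (int i = 0; i < 1000; i++)
        freed |= release_checked(&c);
    int survived = (!freed && c != NULL && c->cr_ref == REF_SATURATED);
    free(c);                   /* the kernel would leak it; tidy up here */
    return survived;
}

/* Scenario: an ordinary hold/release pair still frees the object (returns 1). */
int normal_lifecycle_frees(void) {
    struct cred *c = calloc(1, sizeof *c);
    if (c == NULL)
        return -1;
    c->cr_ref = 1;                       /* creator's reference */
    hold_checked(c);                     /* a second user */
    bool first = release_checked(&c);    /* 2 -> 1, not freed */
    bool second = release_checked(&c);   /* 1 -> 0, freed */
    return (!first && second && c == NULL);
}

int main(void) {
    printf("unchecked wrap -> %u\n", simulate_unchecked_wrap());
    printf("checked saturation -> 0x%x\n", simulate_checked_saturation());
    printf("saturated survives release -> %d\n", saturated_cred_survives_release());
    printf("normal lifecycle frees -> %d\n", normal_lifecycle_frees());
    return 0;
}
```

The point of the saturating variant is that it only helps the holders that actually go through it: a hold path that does its own bare increment, as the message notes crhold() currently does, still wraps exactly like `hold_unchecked` regardless of what the shared refcount API does elsewhere.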