https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266101
Bug ID: 266101
Summary: ucred reference count may overflow
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: b...@freebsd.org
Reporter: ema...@freebsd.org
The refcount(9) API mitigates reference count overflow (by changing it into a
leak) as of 0b21d8949934 ("Handle refcount(9) wraparound.")
As of 1724c563e62f ("cred: distribute reference count per thread") ucred
handling (crhold etc.) does not use refcount(9), and so is vulnerable to
reference count overflow. See for example
https://accessvector.net/2022/freebsd-aio-lpe
Need to either use refcount(9) or add explicit overflow handling.
--
You are receiving this mail because:
You are the assignee for the bug.
