Fix: handle reference count overflow

The urcu refcounting API features a look and feel similar to the Linux
kernel reference counting API, which has been the subject of
CVE-2016-0728 (use-after-free). Therefore, improve the urcu refcounting
API by dealing with reference counting overflow.

For urcu_ref_get(), handle this by comparing the prior value with
LONG_MAX before updating it with a cmpxchg. When an overflow would
occur, trigger a abort() rather than allowing the overflow (which is a
use-after-free security concern).

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>

diff --git a/urcu/ref.h b/urcu/ref.h
index a422a9906fd787d1482210a5a61b6f3611b7f99c..f2de26a7b0f1b81fbcce6ad6165c1fbe3f8f34aa 100644 (file)
--- a/urcu/ref.h
+++ b/urcu/ref.h
@@ -15,6 +15,8 @@
  */
 
 #include <assert.h>
+#include <limits.h>
+#include <stdlib.h>
 #include <urcu/uatomic.h>
 
 struct urcu_ref {
@@ -33,7 +35,20 @@ static inline void urcu_ref_init(struct urcu_ref *ref)
 
 static inline void urcu_ref_get(struct urcu_ref *ref)
 {
-       uatomic_add(&ref->refcount, 1);
+       long old, _new, res;
+
+       old = uatomic_read(&ref->refcount);
+       for (;;) {
+               if (old == LONG_MAX) {
+                       abort();
+               }
+               _new = old + 1;
+               res = uatomic_cmpxchg(&ref->refcount, old, _new);
+               if (res == old) {
+                       return;
+               }
+               old = res;
+       }
 }
 
 static inline void urcu_ref_put(struct urcu_ref *ref,