From: Mathieu Desnoyers
Date: Tue, 19 Jan 2016 20:23:01 +0000 (-0500)
Subject: Fix: handle reference count overflow
X-Git-Tag: v0.10.0~56
X-Git-Url: http://git.liburcu.org/?p=urcu.git;a=commitdiff_plain;h=7ce99d0278e87880d1382cdf791bb84f7b489ea4;hp=7ce99d0278e87880d1382cdf791bb84f7b489ea4

Fix: handle reference count overflow

The urcu refcounting API features a look and feel similar to the Linux
kernel reference counting API, which has been the subject of
CVE-2016-0728 (use-after-free). Therefore, improve the urcu refcounting
API by dealing with reference counting overflow.

For urcu_ref_get(), handle this by comparing the prior value with
LONG_MAX before updating it with a cmpxchg. When an overflow would
occur, trigger an abort() rather than allowing the overflow (which is a
use-after-free security concern).

For urcu_ref_get_unless_zero(), in addition to comparing the prior value
to 0, also compare it to LONG_MAX, and return failure (false) in both
cases.

Signed-off-by: Mathieu Desnoyers
---
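
The two checks the commit message describes, sketched with C11 atomics as an added example. This is not liburcu's code: the `demo_ref` type and the `demo_ref_*` function names are hypothetical, and `atomic_compare_exchange_weak` stands in for the cmpxchg the message mentions.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical counter type for illustration; not liburcu's struct urcu_ref. */
struct demo_ref {
	atomic_long refcount;
};

static inline void demo_ref_set(struct demo_ref *ref, long val)
{
	atomic_store(&ref->refcount, val);
}

static inline long demo_ref_read(struct demo_ref *ref)
{
	return atomic_load(&ref->refcount);
}

/*
 * Unconditional get: compare the prior value with LONG_MAX before the
 * compare-and-swap, and abort rather than let the counter wrap around.
 */
static inline void demo_ref_get(struct demo_ref *ref)
{
	long old = atomic_load(&ref->refcount);

	for (;;) {
		if (old == LONG_MAX)
			abort();
		/* On failure, 'old' is refreshed with the current value and rechecked. */
		if (atomic_compare_exchange_weak(&ref->refcount, &old, old + 1))
			return;
	}
}

/*
 * Conditional get: fail if the prior value is 0 (object already released)
 * or LONG_MAX (increment would overflow); the counter is left untouched.
 */
static inline bool demo_ref_get_unless_zero(struct demo_ref *ref)
{
	long old = atomic_load(&ref->refcount);

	for (;;) {
		if (old == 0 || old == LONG_MAX)
			return false;
		if (atomic_compare_exchange_weak(&ref->refcount, &old, old + 1))
			return true;
	}
}
```

Checking the prior value inside the retry loop matters: a plain fetch-and-add followed by a test would already have wrapped the counter by the time the overflow was noticed.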