Message-ID: <1493082680.23190.1.camel@redhat.com>
Subject: Re: [kernel-hardening] Re: [PATCH] x86/refcount: Implement fast refcount_t handling
From: Rik van Riel
To: Kees Cook, Peter Zijlstra
Cc: PaX Team, LKML, Eric Biggers, Christoph Hellwig, "axboe@kernel.dk", James Bottomley, Elena Reshetova, Hans Liljestrand, David Windsor, "x86@kernel.org", Ingo Molnar, Arnd Bergmann, Greg Kroah-Hartman, Jann Horn, "David S. Miller", linux-arch, "kernel-hardening@lists.openwall.com"
Date: Mon, 24 Apr 2017 21:11:20 -0400
In-Reply-To:
References: <20170421220939.GA65363@beast> <58FDF8C4.5120.17D092B7@pageexec.freemail.hu> <20170424133323.cf3xyd3mmwp6ixaz@hirez.programming.kicks-ass.net> <58FE1687.5511.1844D4FC@pageexec.freemail.hu> <20170424220128.j7nnhuohqdqbiki7@hirez.programming.kicks-ass.net>
Organization: Red Hat, Inc
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 2017-04-24 at 15:37 -0700, Kees Cook wrote:
> On Mon, Apr 24, 2017 at 3:01 PM, Peter Zijlstra wrote:
> > On Mon, Apr 24, 2017 at 01:40:56PM -0700, Kees Cook wrote:
> > > I think we're way off in the weeds here. The "cannot inc from 0"
> > > check is about general sanity checks on refcounts.
> >
> > I disagree, although sanity checks are good too.
> >
> > > It should never happen, and if it does, there's a bug.
> >
> > The very same is true of the overflow thing.
> >
> > > However, what the refcount hardening protection is trying to do
> > > is protect against the exploitable condition: overflow.
> >
> > Sure..
> >
> > > Inc-from-0 isn't an exploitable condition since in theory
> > > the memory suddenly becomes correctly managed again.
> >
> > It does not. It just got freed. Nothing will stop the free from
> > happening (or already having happened).
>
> Well, yes, but that's kind of my point. Detecting inc-from-0 is "too
> late" to offer a protection. It offers notification of a bug, rather
> than stopping an exploit from happening.

inc-from-0 could allow the attacker to gain access to an object which
gets allocated to a new user afterwards.
Certainly much less useful as an exploit, but still a potential privilege escalation.
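As an added illustration of the two failure modes the thread argues about, overflow and inc-from-0, here is a small userspace C model written for this page; it is not code from the thread and not the kernel's refcount_t implementation. It puts a plain unsigned counter next to a hardened one that refuses inc-from-0 and saturates instead of wrapping. The saturation constant and the hard-coded starting counter values are assumptions, chosen so each scenario runs in constant time: they stand in for an attacker who has already driven the counter up through a leaked get() path.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Added example, not kernel code: a userspace model of a plain refcount next
 * to a hardened one. REFCOUNT_SATURATED is an assumed ceiling; the kernel's
 * own value and its WARN/trap behaviour are not reproduced here.
 */
#define REFCOUNT_SATURATED (UINT_MAX / 2)

/* ---- plain counter: no checks, wraps on overflow ---- */
static unsigned int plain_get(unsigned int *refs)
{
	return ++*refs;                 /* UINT_MAX + 1 wraps to 0 */
}

static bool plain_put(unsigned int *refs)
{
	return --*refs == 0;            /* true: caller frees the object */
}

/* ---- hardened counter: refuses inc-from-0, saturates instead of wrapping ---- */
typedef struct { unsigned int refs; } refcount_t;

static bool refcount_get(refcount_t *r)
{
	unsigned int old = r->refs;

	if (old == 0)                   /* object already released: possible UAF */
		return false;           /* report the bug; the free already happened */
	if (old >= REFCOUNT_SATURATED) {
		r->refs = REFCOUNT_SATURATED; /* stick here: object leaks, never freed */
		return true;
	}
	r->refs = old + 1;
	return true;
}

static bool refcount_put(refcount_t *r)
{
	unsigned int old = r->refs;

	if (old == 0 || old == REFCOUNT_SATURATED)
		return false;           /* underflow, or saturated: never free */
	r->refs = old - 1;
	return r->refs == 0;
}

/*
 * Scenario A: overflow. Returns true if a put() frees the object while the
 * other holders still have pointers to it, i.e. a use-after-free.
 * The starting value is constructed: it stands in for UINT_MAX leaked get()s.
 */
bool plain_overflow_frees_live_object(void)
{
	unsigned int refs = UINT_MAX;   /* constructed: counter driven to the limit */
	plain_get(&refs);               /* wraps to 0 */
	plain_get(&refs);               /* an ordinary get(): 1 */
	return plain_put(&refs);        /* its put(): 0 -> freed, billions of holders remain */
}

bool hardened_overflow_frees_live_object(void)
{
	refcount_t r = { REFCOUNT_SATURATED - 1 }; /* constructed starting value */
	refcount_get(&r);               /* hits the ceiling and saturates */
	refcount_get(&r);               /* stays saturated */
	return refcount_put(&r);        /* false: saturated objects are never freed */
}

/*
 * Scenario B: inc-from-0. Returns true if a stale pointer can take a
 * reference on an object whose last put() already released it.
 */
bool plain_inc_from_zero_succeeds(void)
{
	unsigned int refs = 1;
	plain_put(&refs);               /* last put(): object freed, slab may reuse it */
	return plain_get(&refs) == 1;   /* stale get(): "owns" whatever lives there now */
}

bool hardened_inc_from_zero_succeeds(void)
{
	refcount_t r = { 1 };
	refcount_put(&r);               /* last put(): object freed */
	return refcount_get(&r);        /* false: caught, though the free already happened */
}

int main(void)
{
	printf("plain    overflow frees live object: %d\n", plain_overflow_frees_live_object());
	printf("hardened overflow frees live object: %d\n", hardened_overflow_frees_live_object());
	printf("plain    inc-from-0 succeeds:        %d\n", plain_inc_from_zero_succeeds());
	printf("hardened inc-from-0 succeeds:        %d\n", hardened_inc_from_zero_succeeds());
	return 0;
}
```

Build with `cc -Wall refcount_model.c && ./a.out`. The two scenarios behave differently in a way that matches the thread: saturation turns the overflow into a leak, which removes the free and with it the exploitable condition; the inc-from-0 check fires only after the free, so it cannot undo it, but it turns a silent reference to reused memory into a failure the caller can observe.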