Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1946989AbdDYL2a (ORCPT <rfc822;w@1wt.eu>);
        Tue, 25 Apr 2017 07:28:30 -0400
Received: from r00tworld.com ([212.85.137.150]:58426 "EHLO r00tworld.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1946939AbdDYL15 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 25 Apr 2017 07:27:57 -0400
From: "PaX Team" <pageexec@freemail.hu>
To: Kees Cook <keescook@chromium.org>,
        Peter Zijlstra <peterz@infradead.org>
Date: Tue, 25 Apr 2017 13:26:43 +0200
MIME-Version: 1.0
Subject: Re: [PATCH] x86/refcount: Implement fast refcount_t handling
Reply-to: pageexec@freemail.hu
CC: linux-kernel@vger.kernel.org, Eric Biggers <ebiggers3@gmail.com>,
        Christoph Hellwig <hch@infradead.org>,
        "axboe@kernel.dk" <axboe@kernel.dk>,
        James Bottomley <James.Bottomley@hansenpartnership.com>,
        Elena Reshetova <elena.reshetova@intel.com>,
        Hans Liljestrand <ishkamiel@gmail.com>,
        David Windsor <dwindsor@gmail.com>, x86@kernel.org,
        Ingo Molnar <mingo@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jann Horn <jann@thejh.net>, davem@davemloft.net,
        linux-arch@vger.kernel.org, kernel-hardening@lists.openwall.com
Message-ID: <58FF3273.5306.1C99E565@pageexec.freemail.hu>
In-reply-to: <20170425102337.ocdi2v7ivue7x7cc@hirez.programming.kicks-ass.net>
References: <20170421220939.GA65363@beast>, <20170425102337.ocdi2v7ivue7x7cc@hirez.programming.kicks-ass.net>
X-mailer: Pegasus Mail for Windows (4.72.572)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.1.12 (r00tworld.com [212.85.137.150]); Tue, 25 Apr 2017 13:26:44 +0200 (CEST)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 607
Lines: 39

On 25 Apr 2017 at 12:23, Peter Zijlstra wrote:

> So what avoids this:

simple, you noted it yourself in your previous mail:

> Well, your setup (panic_on_warn et al) would have it panic the box. That
> will effectively stop the exploit by virtue of stopping everything.

with that in mind the actual code looks like this:

>	CPU0				CPU1
>
>
>	lock inc %[val]; # 0x7fffffff
>	jo  2f
>1:	...
>
>					lock dec %[val]; # 0x80000000
>					jo  2f
>				1:	...
>
>
>
>
>2:	mov $0x7fffffff, %[val]

	panic()

>	jmp 1b
>
>				2:	mov $0x80000000, %[val]

					panic()

>					jmp 1b
>

... and we never get this far.