From: "PaX Team"
To: Kees Cook, Peter Zijlstra
Cc: linux-kernel@vger.kernel.org, Eric Biggers, Christoph Hellwig, axboe@kernel.dk, James Bottomley, Elena Reshetova, Hans Liljestrand, David Windsor, x86@kernel.org, Ingo Molnar, Arnd Bergmann, Greg Kroah-Hartman, Jann Horn, davem@davemloft.net, linux-arch@vger.kernel.org, kernel-hardening@lists.openwall.com
Reply-To: pageexec@freemail.hu
Date: Tue, 25 Apr 2017 13:26:43 +0200
Subject: Re: [PATCH] x86/refcount: Implement fast refcount_t handling
Message-ID: <58FF3273.5306.1C99E565@pageexec.freemail.hu>
In-Reply-To: <20170425102337.ocdi2v7ivue7x7cc@hirez.programming.kicks-ass.net>
References: <20170421220939.GA65363@beast>, <20170425102337.ocdi2v7ivue7x7cc@hirez.programming.kicks-ass.net>
X-Mailing-List: linux-kernel@vger.kernel.org

On 25 Apr 2017 at 12:23, Peter Zijlstra wrote:

> So what avoids this: simple, you noted it yourself in your previous mail:
> Well, your setup (panic_on_warn et al) would have it panic the box. That
> will effectively stop the exploit by virtue of stopping everything.

with that in mind the actual code looks like this:

>         CPU0                            CPU1
>
>
>         lock inc %[val]; # 0x7fffffff
>         jo      2f
> 1:      ...
>
>                                         lock dec %[val]; # 0x80000000
>                                         jo      2f
>                                 1:      ...
>
>
>
>
> 2:      mov $0x7fffffff, %[val]
          panic()
>         jmp 1b
>
>                                 2:      mov $0x80000000, %[val]
                                          panic()
>                                         jmp 1b

... and we never get this far.
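The interleaving in the diagram above, replayed in C as an added example that is not part of this thread or of the patch under discussion. `demo_refcount_t` and the `demo_*` functions are hypothetical stand-ins, not kernel API: the two fast paths are the literal `lock inc`/`lock dec` plus a `seto` capture of OF on x86 (with an `__atomic` fetch-and-add model elsewhere), the `2:` slow paths are the plain stores of 0x7fffffff and 0x80000000 from the diagram, and panic() is modelled as a flag that stops all further steps. Running the same four steps with and without that flag shows why the second fixup store is harmless once the first slow path panics the box.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for refcount_t: a 32-bit counter updated with lock-prefixed ops. */
typedef struct { volatile int32_t counter; } demo_refcount_t;

/*
 * CPU0's fast path in the diagram: "lock inc %[val]; jo 2f". Returns true
 * when the increment set OF, i.e. when control would go to 2:. On x86 this
 * is the literal instruction pair; elsewhere a fetch-and-add models it,
 * since a signed 32-bit increment overflows exactly when the old value
 * was INT32_MAX.
 */
static bool demo_inc_overflowed(demo_refcount_t *r)
{
#if defined(__x86_64__) || defined(__i386__)
    bool of;
    __asm__ __volatile__("lock incl %0; seto %1"
                         : "+m"(r->counter), "=q"(of) : : "cc", "memory");
    return of;
#else
    return __atomic_fetch_add(&r->counter, 1, __ATOMIC_SEQ_CST) == INT32_MAX;
#endif
}

/* CPU1's fast path: "lock dec %[val]; jo 2f". OF is set iff the old value was INT32_MIN. */
static bool demo_dec_overflowed(demo_refcount_t *r)
{
#if defined(__x86_64__) || defined(__i386__)
    bool of;
    __asm__ __volatile__("lock decl %0; seto %1"
                         : "+m"(r->counter), "=q"(of) : : "cc", "memory");
    return of;
#else
    return __atomic_fetch_sub(&r->counter, 1, __ATOMIC_SEQ_CST) == INT32_MIN;
#endif
}

/* The slow paths at 2:: plain, non-atomic stores of the diagram's saturation values. */
static void demo_inc_fixup(demo_refcount_t *r) { r->counter = INT32_MAX; } /* mov $0x7fffffff */
static void demo_dec_fixup(demo_refcount_t *r) { r->counter = INT32_MIN; } /* mov $0x80000000 */

/*
 * The diagram's interleaving replayed on one thread WITHOUT panic(): both
 * fast paths overflow, both slow paths run, and CPU1's store lands last,
 * so the counter ends at 0x80000000 instead of saturating at 0x7fffffff.
 */
static int32_t demo_race_without_panic(void)
{
    demo_refcount_t r = { .counter = INT32_MAX };
    bool cpu0_of = demo_inc_overflowed(&r); /* 0x7fffffff -> 0x80000000, OF=1 */
    bool cpu1_of = demo_dec_overflowed(&r); /* 0x80000000 -> 0x7fffffff, OF=1 */
    if (cpu0_of)
        demo_inc_fixup(&r);                 /* CPU0 at 2: counter = 0x7fffffff */
    if (cpu1_of)
        demo_dec_fixup(&r);                 /* CPU1 at 2: counter = 0x80000000 */
    return r.counter;
}

/*
 * Same interleaving WITH panic() in the slow path, as in the reply above.
 * panic() is modelled as a flag: once CPU0 "panics", nothing further runs,
 * so CPU1's fixup store never happens and the counter stays at 0x7fffffff.
 */
static int32_t demo_race_with_panic(bool *panicked)
{
    demo_refcount_t r = { .counter = INT32_MAX };
    bool cpu0_of = demo_inc_overflowed(&r);
    bool cpu1_of = demo_dec_overflowed(&r);
    *panicked = false;
    if (cpu0_of) {
        demo_inc_fixup(&r);
        *panicked = true;                   /* panic(): everything stops here */
    }
    if (!*panicked && cpu1_of) {
        demo_dec_fixup(&r);                 /* ... and we never get this far */
        *panicked = true;
    }
    return r.counter;
}

/* Ordinary values must not trip OF in either fast path. */
static bool demo_fast_path_ok(void)
{
    demo_refcount_t r = { .counter = 5 };
    bool of = demo_inc_overflowed(&r) || demo_dec_overflowed(&r); /* 5 -> 6 -> 5 */
    return !of && r.counter == 5;
}

int main(void)
{
    bool panicked;
    int32_t v = demo_race_with_panic(&panicked);
    printf("fast path ok: %d\n", demo_fast_path_ok());
    printf("without panic(): counter = 0x%08x\n", (uint32_t)demo_race_without_panic());
    printf("with panic():    counter = 0x%08x, panicked = %d\n", (uint32_t)v, panicked);
    return 0;
}
```

The two `demo_race_*` functions are the same four steps from the diagram in the same order; the only difference is whether the first slow path halts execution. Note that the non-x86 fallback reproduces the OF condition exactly (a signed increment overflows only from INT32_MAX, a signed decrement only from INT32_MIN), so the replay gives the same result on either build.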