Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1432025AbdDYQkE (ORCPT ); Tue, 25 Apr 2017 12:40:04 -0400 Received: from mail-io0-f180.google.com ([209.85.223.180]:34816 "EHLO mail-io0-f180.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1431789AbdDYQjy (ORCPT ); Tue, 25 Apr 2017 12:39:54 -0400 MIME-Version: 1.0 In-Reply-To: <58FF3273.8060.1C99E526@pageexec.freemail.hu> References: <20170421220939.GA65363@beast> <58FDDAC2.11341.175B5A99@pageexec.freemail.hu> <58FF3273.8060.1C99E526@pageexec.freemail.hu> From: Kees Cook Date: Tue, 25 Apr 2017 09:39:52 -0700 X-Google-Sender-Auth: LRQwRYCL5NUdRsegQrIMwrU76A4 Message-ID: Subject: Re: [PATCH] x86/refcount: Implement fast refcount_t handling To: PaX Team Cc: Peter Zijlstra , LKML , Eric Biggers , Christoph Hellwig , "axboe@kernel.dk" , James Bottomley , Elena Reshetova , Hans Liljestrand , David Windsor , "x86@kernel.org" , Ingo Molnar , Arnd Bergmann , Greg Kroah-Hartman , Jann Horn , "David S. Miller" , linux-arch , "kernel-hardening@lists.openwall.com" Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1238 Lines: 27 On Tue, Apr 25, 2017 at 4:26 AM, PaX Team wrote: > INT_MAX threads would be needed when the leaking path is locked so > that it can only be exercised once and you'll need to get normal > (balanced) paths preempted just after the increment. if the leaking > path is lockless (can be exercised in parallel without bounds) then > 2 threads are enough where the one triggering the signed overflow > would have to be preempted while the other one does INT_MAX increments > and trigger the UAF. this is where the other mechanisms i talked about > in the past become relevant: preemption or interrupts can be disabled > or negative refcount values can be detected and acted upon (your blind > copy-pasting effort passed upon this latter opportunity by not > specializing the 'jo' into 'js' for the refcount case). Well, it's not "blind" -- I'm trying to bring the code as-is to upstream for discussion/examination with as little functional differences as possible so it's easier to compare apples to apples. (Which already resulted in more eyes looking at the code to find a bug -- thanks Jann!) But yes, jo -> js hugely increases the coverage. I'll make that change for v2. Thanks! -Kees -- Kees Cook Pixel Security