From: Jann Horn
Date: Wed, 26 Apr 2017 02:25:23 +0200
Subject: Re: [PATCH v2 2/2] x86, refcount: Implement fast refcount overflow protection
To: Kees Cook
Cc: linux-kernel@vger.kernel.org, Peter Zijlstra, PaX Team, Eric Biggers, Christoph Hellwig, "axboe@kernel.dk", James Bottomley, Elena Reshetova, Hans Liljestrand, David Windsor, "x86@kernel.org", Ingo Molnar, Arnd Bergmann, Greg Kroah-Hartman, "David S. Miller", Rik van Riel, linux-arch, "kernel-hardening@lists.openwall.com"
In-Reply-To: <1493160997-126108-3-git-send-email-keescook@chromium.org>
References: <1493160997-126108-1-git-send-email-keescook@chromium.org> <1493160997-126108-3-git-send-email-keescook@chromium.org>

On Wed, Apr 26, 2017 at 12:56 AM, Kees Cook wrote:
> This protection is a modified version of the x86 PAX_REFCOUNT
> implementation from PaX/grsecurity. This speeds up the refcount_t API by
> duplicating the existing atomic_t implementation with a single instruction
> added to detect if the refcount has wrapped past INT_MAX (or below 0)
> resulting in a signed value.
[...]
> +static __always_inline void refcount_dec(refcount_t *r)
> +{
> + asm volatile(LOCK_PREFIX "decl %0\n\t"
> + REFCOUNT_CHECK_UNDERFLOW(4)
> + : [counter] "+m" (r->refs.counter)
> + : : "cc", "cx");
> +}

What purpose do checks on decrement now have? The mitigation is only intended to deal with (positive) overflows, right?
AFAICS if you hit this code, similar to the inc-from-0 case, you're already in a UAF situation?
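Review bot: in the refcount_dec hunk the underflow check only runs after `lock decl` has already stored the wrapped value, so when REFCOUNT_CHECK_UNDERFLOW(4) fires the counter in memory is -1; the commit message should state what the handler does with the counter afterwards, since leaving it at -1 lets a later refcount_inc bring it back to 0 and the object would then be released a second time on the next dec-to-zero. Two smaller points: the operand is named `[counter]` but the template refers to it as `%0`, so `%[counter]` would keep the two consistent, and the `"cx"` clobber is not explained by anything in the template itself, so a short comment that the check sequence is what uses it would help the reader.

A user-space C model of the sign-check idea in the quoted commit message and the decrement question above (an added illustration, not the patch's code or kernel code): the counter is changed with wrapping arithmetic, as `lock incl`/`lock decl` would do it, and the sign of the result is then examined, which is what the conditional jump in the REFCOUNT_CHECK_* sequences does. The saturation value written back after a detected wrap is an assumption of the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Model of refcount_t: a 32-bit signed counter, as on x86. */
typedef struct { int32_t counter; } model_refcount_t;

/* Assumed saturation value for this model only; what the real
 * exception handler writes back is not shown in the quoted hunk. */
#define MODEL_SATURATED (INT32_MIN / 2)

/* Add delta with wraparound, like a LOCK-prefixed incl/decl, and
 * return the new value as signed so the caller can test its sign. */
static int32_t model_add_wrapping(model_refcount_t *r, int32_t delta) {
    uint32_t v = (uint32_t)r->counter + (uint32_t)delta;
    r->counter = (int32_t)v;
    return r->counter;
}

/* Increment: a negative result means the count passed INT32_MAX,
 * i.e. the 'js' after 'lock incl' would be taken. Returns true if
 * the overflow check fired; the counter is then pinned below zero. */
static bool model_refcount_inc(model_refcount_t *r) {
    if (model_add_wrapping(r, 1) < 0) {
        r->counter = MODEL_SATURATED;
        return true;
    }
    return false;
}

/* Decrement: a negative result means the count was already 0 (or
 * saturated). Note that the last legitimate dec, 1 -> 0, does not
 * trip the check, which is exactly the point raised above: by the
 * time a dec lands below zero the object has already been released. */
static bool model_refcount_dec(model_refcount_t *r) {
    if (model_add_wrapping(r, -1) < 0) {
        r->counter = MODEL_SATURATED;
        return true;
    }
    return false;
}

/* Scenario helpers: start from a given value, apply one operation,
 * and return the resulting counter (MODEL_SATURATED if the check fired). */
static int32_t model_inc_from(int32_t start) {
    model_refcount_t r = { start };
    model_refcount_inc(&r);
    return r.counter;
}

static int32_t model_dec_from(int32_t start) {
    model_refcount_t r = { start };
    model_refcount_dec(&r);
    return r.counter;
}
```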