Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp4256481ybh;
        Tue, 17 Mar 2020 15:30:09 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vtx/UcaTaoFA8eFSzJvMVOlmhbs1pi2ta5Z7ilgBVhUlESpeeLTLt9ITMik6I7wd/eTFjgU
X-Received: by 2002:aca:3196:: with SMTP id x144mr940077oix.77.1584484209553;
        Tue, 17 Mar 2020 15:30:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1584484209; cv=none;
        d=google.com; s=arc-20160816;
        b=yHeTQokyabJ8QeWNIOEb0rIguLzMxrwGBOaVre/Tt/m9TwQSne4afiZ2BzDNEKv8YC
         EjTBLb7q7bBdusEbJvoA7qo6NMzhELWCvHSuGbuMLBn0ZR9ZQY4I/ezqsvD3ZMk+w5zA
         pud31c3Z/eVWha41u3T8EBa2YV21pSsnHrJNCChHVXOpu6scSHD3xOj0IQPNPxBUd/Vz
         LU9XM8znI8GqAtMrNWI5TelQd2IB64jxDT5dkglBrk/tZPOtIUy2B86ZH7tF3zK1XZrn
         7wDO/JaoMqEURZhnjDa3OBbPz0kETpaTH7TVWHCjnWgX03kOwweS6j1MA1Z/WfxkpLiv
         fqDQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=Sw/fCAv6gpTgdTtOchVCFKPDK9uo4jU7v8OZMiAcOxE=;
        b=pAPrB0joTzomNS0ZXcsxpLPMi1hVIYMG3yc9cgm7PXX5Ecc3qJZSgJqVeK9fpNHVWA
         Jsuwgs9wjy0NAr9sQzCge8VDeWhE3DwcdRExQcPuOu25JHtYSQCz3t7NG5LyyZnchYQQ
         lNI0R/KSjRyqUT+kFhFOkkr4Bpe0Pga6fv/5JBJxbRUYpBy0JfwJEG6ifOIvcAbQN4aV
         goxnB4T2OiL4LXOagjZBDthDx2/lIlM+LcWDXM6XGgbhS7tkUZH/YtGlFMfqa0itcyrb
         hpdmtv133xZKinijIbz+7hy501QCGx2ypAhhimxONUXvA429z6kKfbvXTN/2PCituQIN
         ekcg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=2CQnmxee;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n7si1412290otf.266.2020.03.17.15.29.56;
        Tue, 17 Mar 2020 15:30:09 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=2CQnmxee;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727191AbgCQW1Y (ORCPT <rfc822;xc.haze2010@gmail.com>
        + 99 others); Tue, 17 Mar 2020 18:27:24 -0400
Received: from mail.kernel.org ([198.145.29.99]:36738 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726530AbgCQW1Y (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 17 Mar 2020 18:27:24 -0400
Received: from willie-the-truck (236.31.169.217.in-addr.arpa [217.169.31.236])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id C2AE9206EC;
        Tue, 17 Mar 2020 22:27:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1584484043;
        bh=WSXaZv4sBHYHlVj8zTa5shxvXfP6CX+7XiIDcketcUo=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=2CQnmxeeLHsCdzqgtAmSYikJb9AbHGeb/jxXXqzH4ZEKKagjBEK/gOiAdnVkUX/Pu
         7fV8BVw9jfyrQVgpnp2pEZqG9Z5RJbm3HNoA5K/FJW3KwxhlmslXzqu3Cx33OpW0rA
         NElFjXRUwEy7KPEtGrYSnZxe6FglFSIdfyAQl+Ao=
Date:   Tue, 17 Mar 2020 22:27:18 +0000
From:   Will Deacon <will@kernel.org>
To:     Jann Horn <jannh@google.com>
Cc:     Kees Cook <keescook@chromium.org>, Ingo Molnar <mingo@kernel.org>,
        Peter Zijlstra <peterz@infradead.org>,
        kernel list <linux-kernel@vger.kernel.org>,
        Elena Reshetova <elena.reshetova@intel.com>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        Hanjun Guo <guohanjun@huawei.com>,
        Jan Glauber <jglauber@marvell.com>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [PATCH v2] lib/refcount: Document interaction with PID_MAX_LIMIT
Message-ID: <20200317222717.GF20788@willie-the-truck>
References: <20200303105427.260620-1-jannh@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200303105427.260620-1-jannh@google.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 03, 2020 at 11:54:27AM +0100, Jann Horn wrote:
> Document the circumstances under which refcount_t's saturation mechanism
> works deterministically.
> 
> Signed-off-by: Jann Horn <jannh@google.com>
> ---
> 
> Notes:
>     v2:
>      - write down the math (Kees)
> 
>  include/linux/refcount.h | 23 ++++++++++++++++++-----
>  1 file changed, 18 insertions(+), 5 deletions(-)
> 
> diff --git a/include/linux/refcount.h b/include/linux/refcount.h
> index 0ac50cf62d062..0e3ee25eb156a 100644
> --- a/include/linux/refcount.h
> +++ b/include/linux/refcount.h
> @@ -38,11 +38,24 @@
>   * atomic operations, then the count will continue to edge closer to 0. If it
>   * reaches a value of 1 before /any/ of the threads reset it to the saturated
>   * value, then a concurrent refcount_dec_and_test() may erroneously free the
> - * underlying object. Given the precise timing details involved with the
> - * round-robin scheduling of each thread manipulating the refcount and the need
> - * to hit the race multiple times in succession, there doesn't appear to be a
> - * practical avenue of attack even if using refcount_add() operations with
> - * larger increments.
> + * underlying object.
> + * Linux limits the maximum number of tasks to PID_MAX_LIMIT, which is currently
> + * 0x400000 (and can't easily be raised in the future beyond FUTEX_TID_MASK).
> + * With the current PID limit, if no batched refcounting operations are used and
> + * the attacker can't repeatedly trigger kernel oopses in the middle of refcount
> + * operations, this makes it impossible for a saturated refcount to leave the
> + * saturation range, even if it is possible for multiple uses of the same
> + * refcount to nest in the context of a single task:
> + *
> + *     (UINT_MAX+1-REFCOUNT_SATURATED) / PID_MAX_LIMIT =
> + *     0x40000000 / 0x400000 = 0x100 = 256
> + *
> + * If hundreds of references are added/removed with a single refcounting
> + * operation, it may potentially be possible to leave the saturation range; but
> + * given the precise timing details involved with the round-robin scheduling of
> + * each thread manipulating the refcount and the need to hit the race multiple
> + * times in succession, there doesn't appear to be a practical avenue of attack
> + * even if using refcount_add() operations with larger increments.
>   *
>   * Memory ordering
>   * ===============
> 
> base-commit: 98d54f81e36ba3bf92172791eba5ca5bd813989b

Acked-by: Will Deacon <will@kernel.org>

Peter -- would you be able to take this through -tip, please?

Will