Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp3671242rwb; Tue, 8 Nov 2022 07:10:56 -0800 (PST) X-Google-Smtp-Source: AMsMyM6ZHDyKJwkFxLU8pOblR0UBjpadC11DZ7uE+XjOzPtx/c3JdNIQSh1JOFIg5ndXmnVLR9Fr X-Received: by 2002:a05:6402:2685:b0:462:73aa:c23d with SMTP id w5-20020a056402268500b0046273aac23dmr54663342edd.390.1667920256461; Tue, 08 Nov 2022 07:10:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1667920256; cv=none; d=google.com; s=arc-20160816; b=KByB6qYb2IDFb5NsC+XS+L9b9y/SOjUiwEwyFFv0U8ssyGraA/Sw3TlIRBtAM3glwX BLBVbtb7zUOJIklXE1NtcgQYJJ5f+SOLa6WaY9Qi3LBestpl1DdxoxnbmNEcuMkP1WRt Loa3mN/qnC9JmS29wHpEcGCAf9dX7YEqs6CQe5tPu4wbCMmaTWMRpKtlPTga6qaKGKt3 YwyDTijaSZnjNLqvKnQ28WDtDQnOP2g4QI0MNhbzIltftX1IVhipa/HOCCx79KoZ+ww4 4dOCNHo93/Q3AYmzncs5HUUIpxsa8Eq0QZdu3m+kSeEi3U3EQRZ42rR4UwWysKpwlt16 ey8A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=md7pq5Y61523ftXLUcPOT58RE3lJ/xJd5Ph3p8iEops=; b=fyJGndi4QdAejlWWpKTnYtlw6NXKvik4PCiD61oELvmDbnX4NE4QYYuupY3gEU2OSt 6IyXfOVQtgZS5c0pYfLrAnOA7p+F6vuynUw9niGSTymFD90SUoQKbAo/IOZIQ/kNlucj 5GwKgNaLly1N8LaogByPxkiBtf3EGShDWQ80YVEk60gvWBiDKOla7dLxwPUhA6NXjdvC FkTvs01x9cYivPd0sI+sWbtfAPU7oy0/Ejas+UBX7dEhzuMQ9F64lXDIxZSFbE5ZTzje J5UCYYuBAxx18gzyEvFb3YidCnmgS0uoW5WbHr3F4+bTiuCR+hi/3iIu1JTLO9Irb2wi 3Lqg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=ZXZdWEAL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id dn1-20020a17090794c100b007adb78db1adsi15065019ejc.804.2022.11.08.07.10.30; Tue, 08 Nov 2022 07:10:56 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=ZXZdWEAL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234289AbiKHOxw (ORCPT + 91 others); Tue, 8 Nov 2022 09:53:52 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57560 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234243AbiKHOxp (ORCPT ); Tue, 8 Nov 2022 09:53:45 -0500 Received: from mail-io1-xd2a.google.com (mail-io1-xd2a.google.com [IPv6:2607:f8b0:4864:20::d2a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B8F60CCE for ; Tue, 8 Nov 2022 06:53:43 -0800 (PST) Received: by mail-io1-xd2a.google.com with SMTP id r81so11629243iod.2 for ; Tue, 08 Nov 2022 06:53:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=md7pq5Y61523ftXLUcPOT58RE3lJ/xJd5Ph3p8iEops=; b=ZXZdWEAL1R1ZVFA2P8fuWqcX2rj1JRkf1sp5+gC2XB9VDMVOHlyvW06sVoWrr0JeLS tvUZupelkiZrBGHM4LVCUF9TJL0PrccBEvLQqTWDh37RAs+5ZOMQgNgQqZsVeWWTWl20 pPi2oeRzwQuqwhUBo7egz7jaC5Dx7kiLJrTQYY5RUrSmxRyaebac4H7gxtQ5lFDXRHkr sDxMbEHOoBWiIPdLSayctyrYpXiHkqYZePXrc4vmmPCakZrhLAjrSdNFi/rT/bSfGjk/ fEaa/X6uGH57UhEHgRxznmXcajiDWhf0/RsixaCP39jbo00AGUVbCIRsqQ9c6UeYwnW5 V0mA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=md7pq5Y61523ftXLUcPOT58RE3lJ/xJd5Ph3p8iEops=; b=Dxu9n0QjnyXSPmUpCZY7edc+6cwjUs5PdkthLDlTRkrX8QQE7xRl8FcWfOYB+AeJrE f5MwhAtBWjDURyG176WwNj0YznufCeMt43B4EyNBghq+3L7vAPbpzTEjNNwE6dLqVWAw qCNtdQt/siifWss246vWM4QaRO+9U/NcD/ylF4+u5wUg4z2kHB4KPFSQAmQYXKjtwdwB ICttC6UOirpF9hhz1cBFj60xJl29Nh9Gh4cqM2C+I8uA78CGSuo3JjbQfHbs1yLORUHu ZMn+uSBSfkoheuaHfh6dXIkWdnEu62ANAuFmWlqPUru+2JNMxkvbg21RyfuesA5U51hi nh8g== X-Gm-Message-State: ANoB5pkPK5F7QVz+E5oiqvHUKJ8dqtDuXanAV+5qYdhquzSRPWz7mvjh Sh8Xzf8ILmKfi5gtPM6xFapyMlKwEm5XR1CFb1wjPw== X-Received: by 2002:a6b:b80a:0:b0:6dd:3f5a:32d6 with SMTP id i10-20020a6bb80a000000b006dd3f5a32d6mr2104168iof.154.1667919223019; Tue, 08 Nov 2022 06:53:43 -0800 (PST) MIME-Version: 1.0 References: <20221107201317.324457-1-jannh@google.com> <3e2f7e2cb4f6451a9ef5d0fb9e1f6080@AcuMS.aculab.com> In-Reply-To: <3e2f7e2cb4f6451a9ef5d0fb9e1f6080@AcuMS.aculab.com> From: Jann Horn Date: Tue, 8 Nov 2022 15:53:07 +0100 Message-ID: Subject: Re: [PATCH] exit: Put an upper limit on how often we can oops To: David Laight Cc: Kees Cook , "linux-hardening@vger.kernel.org" , "kernel-hardening@lists.openwall.com" , Greg KH , Linus Torvalds , Seth Jenkins , "Eric W . Biederman" , Andy Lutomirski , "linux-kernel@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 8, 2022 at 10:26 AM David Laight wrote: > > Many Linux systems are configured to not panic on oops; but allowing an > > attacker to oops the system **really** often can make even bugs that look > > completely unexploitable exploitable (like NULL dereferences and such) if > > each crash elevates a refcount by one or a lock is taken in read mode, and > > this causes a counter to eventually overflow. > > > > The most interesting counters for this are 32 bits wide (like open-coded > > refcounts that don't use refcount_t). (The ldsem reader count on 32-bit > > platforms is just 16 bits, but probably nobody cares about 32-bit platforms > > that much nowadays.) > > > > So let's panic the system if the kernel is constantly oopsing. > > I think you are pretty much guaranteed to run out of memory > (or at least KVA) before any 32bit counter wraps. Not if you repeatedly take a reference and then oops without dropping the reference, and the oops path cleans up all the resources that were allocated for the crashing tasks. In that case, each oops increments the reference count by 1 without causing memory allocation. (Also, as a sidenote: To store 2^32 densely packed pointers, you just need around 8 bytes * (2^32) = 32 GiB of RAM. So on a workstation or server with a decent amount of RAM, there can already be cases where you can overflow a 32-bit reference counter with legitimate references - see . Another example that needs more RAM is , that needs ~140 GiB. Still probably within the realm of what a beefy server might have nowadays? Kernel virtual address space is not a meaningful limit on x86-64 - even with 4-level paging, the kernel has a 64 TiB virtual memory area (the direct mapping) that is used for slab allocations and such, see . With 5-level paging it's even more, 32 PiB.)