Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757562Ab2BXSjP (ORCPT ); Fri, 24 Feb 2012 13:39:15 -0500 Received: from mail-pw0-f46.google.com ([209.85.160.46]:45505 "EHLO mail-pw0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756219Ab2BXSjG (ORCPT ); Fri, 24 Feb 2012 13:39:06 -0500 Authentication-Results: mr.google.com; spf=pass (google.com: domain of gregkh@linuxfoundation.org designates 10.68.239.71 as permitted sender) smtp.mail=gregkh@linuxfoundation.org Date: Fri, 24 Feb 2012 10:37:26 -0800 From: Greg KH To: David Windsor Cc: Roland Dreier , Djalal Harouni , Vasiliy Kulikov , kernel-hardening@lists.openwall.com, Kees Cook , Ubuntu security discussion , linux-kernel@vger.kernel.org, pageexec@freemail.hu, spender@grsecurity.net Subject: Re: [kernel-hardening] Re: Add overflow protection to kref Message-ID: <20120224183726.GB23284@kroah.com> References: <20120216204515.GH20420@outflux.net> <20120217002405.GB7746@kroah.com> <20120217075945.GA2831@albatros> <20120217175445.GC29902@kroah.com> <20120217193719.GA4187@albatros> <20120217233908.GA24047@dztty> <20120218161849.GA4176@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2231 Lines: 63 On Fri, Feb 24, 2012 at 12:58:35PM -0500, David Windsor wrote: > > > >> Greg, I'm not sure why you're opposed to adding this checking... > >> it's pretty clear that buggy error paths that forget to do a put are > >> pretty common and will continue to be common in new code, and > >> making them harder to exploit seems pretty sane to me. > >> > >> What's the downside? > > > > The downside is that there has not even been a patch sent for any of > > this. ?Combine that with a lack of understanding about reference > > counting and atomic_t usages in the kernel, and the whole thing is ripe > > for misunderstanding and confusion. > > > > greg k-h > > This approach to adding overflow protection to kref uses > atomic_add_unless to increment the refcounter only if it is not > already at INT_MAX. This > leaks the internal representation of atomic_t, which is defined as an > int in linux/types.h, into kref. > > If we can agree on an approach to adding overflow protection, if it is > indeed desired, we can then discuss adding a Kconfig option and/or a > sysctl for this protection. > > Thanks, > David > > > Signed-off-by: David Windsor > --- > include/linux/kref.h | 6 +++++- > 1 files changed, 5 insertions(+), 1 deletions(-) > > diff --git a/include/linux/kref.h b/include/linux/kref.h > index 9c07dce..fc0756a 100644 > --- a/include/linux/kref.h > +++ b/include/linux/kref.h > @@ -38,8 +38,12 @@ static inline void kref_init(struct kref *kref) > */ > static inline void kref_get(struct kref *kref) > { > + int rc = 0; > WARN_ON(!atomic_read(&kref->refcount)); > - atomic_inc(&kref->refcount); > + smp_mb__before_atomic_inc(); > + rc = atomic_add_unless(&kref->refcount, 1, INT_MAX); > + smp_mb__after_atomic_inc(); > + BUG_ON(!rc); So you are guaranteeing to crash a machine here if this fails? And you were trying to say this is a "security" based fix? And people wonder why I no longer have any hair... greg k-h -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/