Date: Sun, 12 Aug 2012 22:00:21 +0400
From: Vasily Kulikov <segoon@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: kref_overflow

Hi,

The light version of PAX_REFCOUNT was backported to the Owl kernel.
It protects kref only, not all atomic_t.  The pro is almost zero maintenance
time.  The con is obviously missing protection for counters which were not
explicitly marked as refcounters by using kref instead of atomic_t.

The sysctl for it is kernel.kref_overflow_action.  It can be set to:

0 - no overflow check at all.  Current upstream behaviour.
1 - protection is on (default).  Each overflow emits a stack dump and a big log
    warning.
2 - the same as 1 plus the current task is killed.
3 - an overflow leads to kernel panic.

I'd want to implement the same scheme for PAX_USERCOPY with
kernel.usercopy_overflow_action.

-- 
Vasily
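
The four kernel.kref_overflow_action settings described in the message above, as an added user-space C model (not Owl kernel code and not part of the original post). It assumes a detected overflow leaves the counter pinned at INT_MAX; the struct, enum and function names are hypothetical.

```c
/* User-space model of the kref overflow policy; not Owl kernel code. */
#include <limits.h>
#include <stdio.h>

/* Values of kernel.kref_overflow_action as listed in the message. */
enum { ACT_NONE = 0, ACT_WARN = 1, ACT_KILL = 2, ACT_PANIC = 3 };

/* What the model reports for one reference grab; names are hypothetical. */
enum outcome { GET_OK, GET_WRAPPED, GET_WARNED, GET_TASK_KILLED, GET_PANIC };

struct kref_model { int refcount; };

/* Take one reference under the given sysctl value. */
static enum outcome kref_get_model(struct kref_model *k, int action)
{
    if (k->refcount < INT_MAX) {          /* normal case: room to count */
        k->refcount++;
        return GET_OK;
    }
    if (action == ACT_NONE) {             /* 0: unchecked increment wraps */
        k->refcount = INT_MIN;            /* INT_MAX + 1 in two's complement */
        return GET_WRAPPED;
    }
    /* 1..3: overflow detected; assumption: counter stays at INT_MAX. */
    if (action == ACT_KILL)
        return GET_TASK_KILLED;           /* 2: warning plus task kill */
    if (action == ACT_PANIC)
        return GET_PANIC;                 /* 3: kernel panic */
    return GET_WARNED;                    /* 1: stack dump and log warning */
}

/* Leak `gets` references starting from `start`; return the final count. */
static int leak_refs(int start, int gets, int action, enum outcome *last)
{
    struct kref_model k = { start };
    for (int i = 0; i < gets; i++)
        *last = kref_get_model(&k, action);
    return k.refcount;
}

int main(void)
{
    enum outcome o = GET_OK;
    for (int action = ACT_NONE; action <= ACT_PANIC; action++) {
        int end = leak_refs(INT_MAX - 1, 3, action, &o);
        printf("action=%d final=%d outcome=%d\n", action, end, o);
    }
    return 0;
}
```

With action 0 the leaked references carry the count past INT_MAX into negative values, from which further leaks can walk it back toward zero while the object is still in use; with 1 to 3 the count never leaves INT_MAX in this model.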
