Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Feb 2012 11:59:45 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Cc: Kees Cook <keescook@...omium.org>,
	Ubuntu security discussion <ubuntu-hardened@...ts.ubuntu.com>,
	linux-kernel@...r.kernel.org, David Windsor <dwindsor@...il.com>,
	Greg KH <gregkh@...uxfoundation.org>, pageexec@...email.hu,
	spender@...ecurity.net, kernel-hardening@...ts.openwall.com
Subject: Re: Re: Add overflow protection to kref

Hi,

> And in all that time, I've never seen an instance where you can overflow
> the reference count,

Do you mean that the overflow is theoretically impossible or that this
type of programmer error is rare?

If the former, it is only 2**32 incs - if you can find open() implementation
with a missing atomic_dec() in error path and you can call open() faster than
10000 times per second, you can overflow the counter in ~4 days.

If the latter, it is just a question of finding missing put() in some triggerable
error path.  Kees has already posted a link to a bug with a missing fput().


BTW, moving from atomic_t to 64 bit refcounter would kill the possibility of
overflow.  Unfortunately, AFAIU, 64 bit operations are not atomic on some 64 bit
archs.

Thanks,

-- 
Vasiliy

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.