Message-ID: <CAGXu5jJ6Av611YQWvHNzVtEoprk-xnB9Ns9MGgg_rs95OPDMoQ@mail.gmail.com>
Date: Sat, 19 Nov 2016 13:39:58 -0800
From: Kees Cook <keescook@...omium.org>
To: "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>
Cc: Elena Reshetova <elena.reshetova@...el.com>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Arnd Bergmann <arnd@...db.de>, 
	Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, 
	"H. Peter Anvin" <h.peter.anvin@...el.com>, Peter Zijlstra <peterz@...radead.org>, 
	Will Deacon <will.deacon@....com>, David Windsor <dwindsor@...il.com>, 
	Hans Liljestrand <ishkamiel@...il.com>
Subject: Re: [RFC v4 PATCH 03/13] kernel: identify wrapping atomic usage

On Sat, Nov 19, 2016 at 5:28 AM, Paul E. McKenney
<paulmck@...ux.vnet.ibm.com> wrote:
> On Thu, Nov 10, 2016 at 10:24:38PM +0200, Elena Reshetova wrote:
>> From: David Windsor <dwindsor@...il.com>
>>
>> In some cases atomic is not used for reference
>> counting and therefore should be allowed to overflow.
>> Identify such cases and make a switch to non-hardened
>> atomic version.
>>
>> The copyright for the original PAX_REFCOUNT code:
>>   - all REFCOUNT code in general: PaX Team <pageexec@...email.hu>
>>   - various false positive fixes: Mathias Krause <minipli@...glemail.com>
>>
>> Signed-off-by: Hans Liljestrand <ishkamiel@...il.com>
>> Signed-off-by: Elena Reshetova <elena.reshetova@...el.com>
>> Signed-off-by: David Windsor <dwindsor@...il.com>
>
> Not a fan of the rename from atomic_t to atomic_wrap_t.

Yeah, the thread has grown considerably now. :) We're most likely
looking at carving off two of the common atomic_t usage patterns into
"stats_t" (with _add(), _sub(), and _read()), and "refcount_t" (with
_inc(), _inc_not_zero(), _dec_and_test(), and _read(), along with a
trap on overflow). With these in place, refcounts will be protected to
avoid use-after-free exploits, things that don't care about wrapping
will be annotated without a risk of them being turned into refcounts,
and the remaining atomic_t uses will be easier to audit for misuse.

-Kees

-- 
Kees Cook
Nexus Security
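
The split described in this message, as an added userspace sketch in C11 (not code from this thread or from the kernel patch series): a stats_t that may wrap next to a refcount_t that refuses to. The struct layouts, the `traps` counter and `trap()` helper standing in for the kernel trap, and the underflow check are assumptions made for illustration.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace models: names follow the email, the bodies are assumptions. */
typedef struct { atomic_uint v; } stats_t;     /* wrapping is harmless */
typedef struct { atomic_uint v; } refcount_t;  /* wrapping frees a live object */
static atomic_uint traps;                      /* stands in for the kernel trap */
static bool trap(void) { atomic_fetch_add(&traps, 1); return false; }

static void stats_add(stats_t *s, unsigned n) { atomic_fetch_add(&s->v, n); }
static unsigned stats_read(stats_t *s) { return atomic_load(&s->v); }
static unsigned refcount_read(refcount_t *r) { return atomic_load(&r->v); }

/* Take a reference only on a live object, and never step past UINT_MAX. */
static bool refcount_inc_not_zero(refcount_t *r)
{
    unsigned old = atomic_load(&r->v);
    do {
        if (old == 0)
            return false;          /* already released: no resurrection */
        if (old == UINT_MAX)
            return trap();         /* one more would wrap to 0 */
    } while (!atomic_compare_exchange_weak(&r->v, &old, old + 1));
    return true;
}

/* Drop a reference; true means this was the last one and the caller frees. */
static bool refcount_dec_and_test(refcount_t *r)
{
    unsigned old = atomic_load(&r->v);
    do {
        if (old == 0)
            return trap();         /* underflow: refuse instead of wrapping */
    } while (!atomic_compare_exchange_weak(&r->v, &old, old - 1));
    return old == 1;
}

int main(void)
{
    stats_t s = { UINT_MAX };      /* constructed: one step short of wrapping */
    refcount_t r = { UINT_MAX }, obj = { 1 };
    stats_add(&s, 1);
    refcount_inc_not_zero(&r);
    printf("stats_t=%u refcount_t=%u traps=%u last_put=%d\n", stats_read(&s),
           refcount_read(&r), atomic_load(&traps), refcount_dec_and_test(&obj));
    return 0;
}
```

Because the two counters are distinct struct types, passing a stats_t to a refcount_t operation is a compile-time diagnostic, which is the annotation effect the message describes.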
