Date: Sat, 19 Nov 2016 13:39:58 -0800
From: Kees Cook
To: "Paul E. McKenney"
Cc: Elena Reshetova, Arnd Bergmann, Thomas Gleixner, Ingo Molnar,
	"H. Peter Anvin", Peter Zijlstra, Will Deacon, David Windsor,
	Hans Liljestrand
Subject: Re: [RFC v4 PATCH 03/13] kernel: identify wrapping atomic usage

On Sat, Nov 19, 2016 at 5:28 AM, Paul E. McKenney wrote:
> On Thu, Nov 10, 2016 at 10:24:38PM +0200, Elena Reshetova wrote:
>> From: David Windsor
>> In some cases atomic is not used for reference
>> counting and therefore should be allowed to overflow.
>> Identify such cases and make a switch to non-hardened
>> atomic version.
>> The copyright for the original PAX_REFCOUNT code:
>>   - all REFCOUNT code in general: PaX Team
>>   - various false positive fixes: Mathias Krause
>> Signed-off-by: Hans Liljestrand
>> Signed-off-by: Elena Reshetova
>> Signed-off-by: David Windsor
> Not a fan of the rename from atomic_t to atomic_wrap_t.

Yeah, the thread has grown considerably now. :) We're most likely
looking at carving off two of the common atomic_t usage patterns into
"stats_t" (with _add(), _sub(), and _read()), and "refcount_t" (with
_inc(), _inc_not_zero(), _dec_and_test(), and _read(), along with a
trap on overflow). With these in place, refcounts will be protected to
avoid use-after-free exploits, things that don't care about wrapping
will be annotated without a risk of them being turned into refcounts,
and the remaining atomic_t uses will be easier to audit for misuse.


Kees Cook
Nexus Security
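
The refcount side of the split described in the message above, sketched as a userspace C11 model next to a plain wrapping counter. This is an added example, not code from the patch series or the kernel; the model_* names, wrapping_inc(), and the choice to saturate and count traps instead of halting are assumptions made for illustration.

```c
/* Userspace model constructed for illustration; not kernel code. Names are hypothetical. */
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
typedef struct { atomic_uint v; } model_refcount_t;
static unsigned int model_traps; /* times the model "trapped"; plain int, single-threaded demo */
static unsigned int model_refcount_read(model_refcount_t *r) { return atomic_load(&r->v); }
/* Take a reference only while the object is live; pin at UINT_MAX instead of wrapping. */
static bool model_refcount_inc_not_zero(model_refcount_t *r)
{
    unsigned int old = atomic_load(&r->v);
    do {
        if (old == 0)
            return false;          /* already released: caller must not touch it */
        if (old == UINT_MAX) {
            model_traps++;         /* overflow attempt: stay saturated, object leaks */
            return true;
        }
    } while (!atomic_compare_exchange_weak(&r->v, &old, old + 1));
    return true;
}
/* Unconditional get: going 0 -> 1 would resurrect a released object, so it traps instead. */
static void model_refcount_inc(model_refcount_t *r) { if (!model_refcount_inc_not_zero(r)) model_traps++; }
/* Drop a reference; true means the caller held the last one and may free the object. */
static bool model_refcount_dec_and_test(model_refcount_t *r)
{
    unsigned int old = atomic_load(&r->v);
    do {
        if (old == UINT_MAX)
            return false;          /* saturated: never reaches zero, never freed */
        if (old == 0) {
            model_traps++;         /* underflow: more puts than gets */
            return false;
        }
    } while (!atomic_compare_exchange_weak(&r->v, &old, old - 1));
    return old == 1;
}
/* Unhardened counter for contrast: UINT_MAX + 1 wraps to 0, which reads as "no references". */
static unsigned int wrapping_inc(atomic_uint *v) { return atomic_fetch_add(v, 1) + 1; }

int main(void)
{
    model_refcount_t r; atomic_uint w;
    atomic_init(&r.v, UINT_MAX - 1); atomic_init(&w, UINT_MAX);   /* constructed start values */
    model_refcount_inc(&r); model_refcount_inc(&r);               /* second get hits the ceiling */
    printf("hardened=%u traps=%u wrapped=%u\n", model_refcount_read(&r), model_traps, wrapping_inc(&w));
    return 0;
}
```

The hardened counter ends pinned at UINT_MAX with one recorded trap, so the object is leaked rather than freed while still referenced; the wrapping counter reports 0 after the same kind of increment.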
