Date: Thu, 12 Jan 2017 08:18:47 +0000
From: "Reshetova, Elena" <elena.reshetova@...el.com>
To: AKASHI Takahiro <takahiro.akashi@...aro.org>, Kees Cook
	<keescook@...omium.org>
CC: "kernel-hardening@...ts.openwall.com"
	<kernel-hardening@...ts.openwall.com>, "arnd@...db.de" <arnd@...db.de>,
	"tglx@...utronix.de" <tglx@...utronix.de>, "mingo@...hat.com"
	<mingo@...hat.com>, "Anvin, H Peter" <h.peter.anvin@...el.com>,
	"peterz@...radead.org" <peterz@...radead.org>, "will.deacon@....com"
	<will.deacon@....com>, "dwindsor@...il.com" <dwindsor@...il.com>,
	"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
	"ishkamiel@...il.com" <ishkamiel@...il.com>
Subject: RE: [RFC PATCH 08/19] kernel, mm: convert from atomic_t to refcount_t

On Wed, Jan 11, 2017 at 02:55:21PM -0800, Kees Cook wrote:
> On Wed, Jan 11, 2017 at 1:42 PM, Kees Cook <keescook@...omium.org> wrote:
> > I can see if it'll cherry-pick cleanly, I assume it will. :)
>
> It cherry-picked cleanly. However, I made several changes:
>
> - I adjusted Peter's author email (it had extra []s around).
> - I fixed all of the commit subjects (Peter's were missing).
> - I added back "kref: Add KREF_INIT()" since it seems to have been
> lost and mixed into other patches that would break bisection
>
> It's here now, please work from this version:
>
> http://git.kernel.org/cgit/linux/kernel/git/kees/linux.git/log/?h=kspp/hardened-atomic

> I gave it a spin on arm64.
> It can compile with a change to smp.c that I mentioned before,
> but the boot failed. I've not dug into it.

Thank you! I fixed smp.c (https://github.com/ereshetova/linux-stable/tree/refcount_t). I am surprised there was nothing more; I was expecting it to be worse.
With regard to the error below, I am afraid there are more of them to come, since it really breaks things badly if there is a place that attempts to increment from zero. The way we have been debugging this is to modify the refcount_inc implementation to do the increment from zero but just issue a warning (as in Peter's first patch series), then boot, collect all warnings from dmesg and process them manually one by one.
If you could boot once with just warnings and send us all of the refcount_t occurrences, we can try to see/fix them. The same would need to be done for arm and for other archs as well.

Best Regards,
Elena.

===8<===
[    3.578618] refcount_t: increment on 0; use-after-free.
[    3.579165] ------------[ cut here ]------------
[    3.579254] WARNING: CPU: 0 PID: 1 at /home/akashi/arm/armv8/linaro/linux-aarch64/include/linux/refcount.h:109 unx_create+0x8c/0xc0
[    3.579338] Modules linked in:
[    3.579388]
[    3.579444] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.10.0-rc2-00018-g9a56ff6b34bd-dirty #1
[    3.579518] Hardware name: FVP Base (DT)
[    3.579578] task: ffff80087b078000 task.stack: ffff80087b080000
[    3.579655] PC is at unx_create+0x8c/0xc0
[    3.579722] LR is at unx_create+0x8c/0xc0
[    3.579786] pc : [<ffff0000088c9c24>] lr : [<ffff0000088c9c24>] pstate: 60000145
[    3.579855] sp : ffff80087b0837c0
[    3.579906] x29: ffff80087b0837c0 x28: 0000000000000000
[    3.579988] x27: ffff000008940bd0 x26: ffff000008e026fd
[    3.580073] x25: ffff000008f3b000 x24: ffff000008f3be98
[    3.580158] x23: ffff80087a750200 x22: ffff000008f3b000
[    3.580243] x21: ffff000008a57b48 x20: ffff80087b083860
[    3.580328] x19: ffff000008ed4000 x18: 0000000000000010
[    3.580409] x17: 0000000000000007 x16: 0000000000000001
[    3.580492] x15: ffff000088ee8ff7 x14: 0000000000000006
[    3.580575] x13: ffff000008ee9005 x12: ffff000008e10958
[    3.580660] x11: ffff000008e10000 x10: ffff000008517ff0
[    3.580745] x9 : ffff000008db5000 x8 : 2d657375203b3020
[    3.580830] x7 : 6e6f20746e656d65 x6 : 0000000000000100
[    3.580913] x5 : ffff000008eeac90 x4 : 0000000000000000
[    3.580993] x3 : 0000000000000000 x2 : 0000000000000463
[    3.581076] x1 : ffff80087b078000 x0 : 000000000000002b
[    3.581150]
[    3.581191] ---[ end trace f4a7848050409b47 ]---
[    3.581241] Call trace:
[    3.581300] Exception stack(0xffff80087b0835f0 to 0xffff80087b083720)
[    3.581384] 35e0:                                   ffff000008ed4000 0001000000000000
[    3.581489] 3600: ffff80087b0837c0 ffff0000088c9c24 ffff000008bb1588 ffff000008db5000
[    3.581593] 3620: ffff000008eeac90 ffff000008ea2fe0 ffff000008ee8ff8 000000010000002b
[    3.581699] 3640: ffff80087b0836e0 ffff00000810cea0 ffff000008ed4000 ffff80087b083860
[    3.581803] 3660: ffff000008a57b48 ffff000008f3b000 ffff80087a750200 ffff000008f3be98
[    3.581907] 3680: ffff000008f3b000 ffff000008e026fd 000000000000002b ffff80087b078000
[    3.582006] 36a0: 0000000000000463 0000000000000000 0000000000000000 ffff000008eeac90
[    3.582109] 36c0: 0000000000000100 6e6f20746e656d65 2d657375203b3020 ffff000008db5000
[    3.582214] 36e0: ffff000008517ff0 ffff000008e10000 ffff000008e10958 ffff000008ee9005
[    3.582313] 3700: 0000000000000006 ffff000088ee8ff7 0000000000000001 0000000000000007
[    3.582405] [<ffff0000088c9c24>] unx_create+0x8c/0xc0
[    3.582484] [<ffff0000088c9050>] rpcauth_create+0xc8/0x120
[    3.582567] [<ffff0000088be3c8>] rpc_client_register+0xc8/0x148
[    3.582652] [<ffff0000088be5cc>] rpc_new_client+0x184/0x278
[    3.582736] [<ffff0000088bf18c>] rpc_create_xprt+0x4c/0x168
[    3.582819] [<ffff0000088bf384>] rpc_create+0xdc/0x1a8
[    3.582907] [<ffff0000082eda54>] nfs_mount+0xb4/0x168
[    3.582988] [<ffff0000082e3f48>] nfs_request_mount.constprop.14+0xa8/0x100
[    3.583075] [<ffff0000082e3ff8>] nfs_try_mount+0x58/0x238
[    3.583154] [<ffff0000082e38c8>] nfs_fs_mount+0x270/0x848
[    3.583240] [<ffff0000081f1cf4>] mount_fs+0x4c/0x168
[    3.583330] [<ffff00000820eb60>] vfs_kern_mount+0x50/0x118
[    3.583407] [<ffff0000082115dc>] do_mount+0x1ac/0xbc0
[    3.583483] [<ffff000008212410>] SyS_mount+0x90/0xf8
[    3.583572] [<ffff000008cf12a4>] mount_root+0x74/0x134
[    3.583664] [<ffff000008cf14a0>] prepare_namespace+0x13c/0x184
[    3.583758] [<ffff000008cf0d94>] kernel_init_freeable+0x224/0x248
[    3.583842] [<ffff0000088f27d0>] kernel_init+0x10/0x100
[    3.583921] [<ffff000008082ec0>] ret_from_fork+0x10/0x50
[    3.584149] refcount_t: increment on 0; use-after-free.
[    3.584695] ------------[ cut here ]------------
[    3.584784] WARNING: CPU: 0 PID: 1 at /home/akashi/arm/armv8/linaro/linux-aarch64/include/linux/refcount.h:109 unx_create+0x8c/0xc0
< repeated ... >

===>8===
Here, I used an NFS rootfs.

Thanks,
-Takahiro AKASHI

> 0-day should see it soon. :)
>
> -Kees
>
> --
> Kees Cook
> Nexus Security
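The two refcount_inc behaviours discussed above, the hardened one that refuses an increment from zero and the bring-up variant that increments anyway but warns, modelled in userspace C as an added example. This is not kernel code and not from the patch series in the thread; the names refc_t, refc_inc, refc_dec_and_test, REFC_SATURATED and the scenario functions are assumptions chosen for illustration, and the "initialise to 0, then increment for the first holder" sequence stands in for the general class of atomic_t-to-refcount_t conversion hazard, not for the specific unx_create code in the trace.

```c
/* Userspace model of refcount_t semantics (added example, not kernel code).
 * Names are assumptions for illustration only. */
#include <stdbool.h>
#include <stdio.h>

#define REFC_SATURATED 0xFFFFFFFFu   /* pinned value: never wraps back to 0 */

typedef struct { unsigned int refs; } refc_t;

static bool refc_warn_only;          /* bring-up mode: warn but still increment */
static unsigned int refc_warnings;   /* number of checks that fired */

static void refc_set(refc_t *r, unsigned int n) { r->refs = n; }

/* Model of refcount_inc(): a count of 0 means the object was already freed,
 * so the hardened variant refuses the increment and returns false. The
 * warn-only variant increments anyway so that the boot continues and every
 * offending site shows up in the log for later triage. */
static bool refc_inc(refc_t *r, const char *site)
{
    if (r->refs == 0) {
        refc_warnings++;
        fprintf(stderr, "refcount_t: increment on 0; use-after-free. [%s]\n", site);
        if (!refc_warn_only)
            return false;
    }
    if (r->refs != REFC_SATURATED)   /* saturate instead of wrapping to 0 */
        r->refs++;
    return true;
}

/* Model of refcount_dec_and_test(): true when the caller dropped the last
 * reference and must free the object. A saturated count is leaked on purpose
 * rather than ever reaching 0 again. */
static bool refc_dec_and_test(refc_t *r, const char *site)
{
    if (r->refs == REFC_SATURATED)
        return false;
    if (r->refs == 0) {
        refc_warnings++;
        fprintf(stderr, "refcount_t: underflow; use-after-free. [%s]\n", site);
        return false;
    }
    return --r->refs == 0;
}

/* Conversion hazard: code that set an atomic_t to 0 and took the first
 * reference with atomic_inc() was silently fine; after the refcount_t
 * conversion that first increment is an "increment on 0".
 * Returns the count after the create step: 0 when refused (hardened),
 * 1 in warn-only mode. */
unsigned int create_with_old_idiom(bool warn_only)
{
    refc_t obj;
    refc_warn_only = warn_only;
    refc_set(&obj, 0);                    /* old atomic_set(&cnt, 0) idiom */
    refc_inc(&obj, "create_with_old_idiom");
    refc_warn_only = false;
    return obj.refs;
}

/* The fix: the creator's own reference is the initial value (refcount_set
 * to 1). Returns true when the object is freed exactly on the last put and
 * no check fired along the way. */
bool create_with_refcount_idiom(void)
{
    refc_t obj;
    unsigned int before = refc_warnings;
    refc_set(&obj, 1);
    if (!refc_inc(&obj, "second holder"))
        return false;
    if (refc_dec_and_test(&obj, "first put"))
        return false;                     /* too early: one holder remains */
    bool freed = refc_dec_and_test(&obj, "last put");
    return freed && refc_warnings == before;
}

/* Overflow side of the same type: once saturated the count stays pinned,
 * so a leaked-but-alive object can never be turned into a freed one. */
bool saturation_holds(void)
{
    refc_t obj;
    refc_set(&obj, REFC_SATURATED - 1);
    refc_inc(&obj, "reach saturation");
    refc_inc(&obj, "past saturation");
    bool freed = refc_dec_and_test(&obj, "put on saturated");
    return obj.refs == REFC_SATURATED && !freed;
}

int main(void)
{
    printf("old idiom, hardened : refs=%u\n", create_with_old_idiom(false));
    printf("old idiom, warn-only: refs=%u\n", create_with_old_idiom(true));
    printf("refcount idiom      : %s\n", create_with_refcount_idiom() ? "ok" : "broken");
    printf("saturation          : %s\n", saturation_holds() ? "ok" : "broken");
    return 0;
}
```

The warn-only switch is what makes one boot sufficient for collecting every site: in hardened mode the first refused increment leaves a live object at count 0 and the machine typically fails before the next site is reached, as the NFS mount trace above shows.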
