lists.openwall.net - Open Source and information security mailing list archives
Date:   Mon, 20 Feb 2017 12:30:30 +0000
From:   "Reshetova, Elena" <elena.reshetova@...el.com>
To:     Andy Shevchenko <andy.shevchenko@...il.com>
CC:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "Peter Zijlstra (Intel)" <peterz@...radead.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        "ebiederm@...ssion.com" <ebiederm@...ssion.com>,
        Ingo Molnar <mingo@...hat.com>,
        Alexey Dobriyan <adobriyan@...il.com>,
        "Serge E. Hallyn" <serge@...lyn.com>,
        "arozansk@...hat.com" <arozansk@...hat.com>,
        "dave@...olabs.net" <dave@...olabs.net>
Subject: RE: [PATCH 0/3] ipc subsystem refcounter conversions

> On Mon, Feb 20, 2017 at 1:29 PM, Elena Reshetova
> <elena.reshetova@...el.com> wrote:
> > Now when new refcount_t type and API are finally merged
> > (see include/linux/refcount.h), the following
> > patches convert various refcounters in the ipc subsystem from atomic_t
> > to refcount_t. By doing this we prevent intentional or accidental
> > underflows or overflows that can lead to use-after-free vulnerabilities.
> >
> > The below patches are fully independent and can be cherry-picked separately.
> > Since we convert all kernel subsystems in the same fashion, resulting
> > in about 300 patches, we have to group them for sending at least in some
> > fashion to be manageable. Please excuse the long cc list.
> 
> Is that done using coccinelle?

Yes and no.
The *finding* of cases that should be converted was done using coccinelle, but the actual conversion was done manually for each case and not via semantic patch.
There were many false positives and all kinds of other issues, so we had to analyse each variable separately to the extent we understand the code.

> 
> Can I see the semantic patch (sorry if I missed it earlier)?

Attached is the one we used to initially find variables. 

Best Regards,
Elena.

Download attachment "atomic_as_refount.cocci" of type "application/octet-stream" (1339 bytes)
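As an added userspace illustration (not code from this patch series or from include/linux/refcount.h), the block below models the two semantics the cover letter contrasts: an atomic_t-style counter that wraps silently, and a refcount_t-style counter that saturates on overflow and refuses to move off zero, so a counting bug turns into a leak or a warning rather than a use-after-free. The `_model` names, the `warned` flag and the saturation point are assumptions of this model, not the kernel API.

```c
#include <limits.h>
#include <stdbool.h>
#define REFCOUNT_SATURATED (UINT_MAX / 2)   /* saturation point assumed for this model */
/* atomic_t-style counter: plain modular arithmetic, no checks at all. */
typedef struct { unsigned int v; } atomic_model_t;
static void atomic_inc_model(atomic_model_t *a) { a->v++; }
static bool atomic_dec_and_test_model(atomic_model_t *a) { return --a->v == 0; }
/* refcount_t-style counter: saturates on overflow and refuses to move off zero;
 * `warned` stands in for the kernel's WARN_ONCE() in this userspace model. */
typedef struct { unsigned int v; bool warned; } refcount_model_t;
static void refcount_inc_model(refcount_model_t *r)
{
    if (r->v == 0 || r->v >= REFCOUNT_SATURATED) {  /* dead or saturated object */
        r->warned = true;
        if (r->v) r->v = REFCOUNT_SATURATED;
    } else
        r->v++;
}
static bool refcount_dec_and_test_model(refcount_model_t *r)
{
    if (r->v == 0 || r->v == REFCOUNT_SATURATED) {  /* underflow, or pinned forever */
        r->warned = true;
        return false;
    }
    return --r->v == 0;
}

/* Overflow: 2^32-1 holders, two more gets, then one put; true means "free it". */
static bool atomic_frees_after_wrap(void)
{
    atomic_model_t a = { UINT_MAX };
    atomic_inc_model(&a); atomic_inc_model(&a);     /* wraps to 0, then 1 */
    return atomic_dec_and_test_model(&a);           /* true: every other holder dangles */
}
static bool refcount_frees_after_saturation(void)
{
    refcount_model_t r = { REFCOUNT_SATURATED - 1, false };
    refcount_inc_model(&r); refcount_inc_model(&r); /* saturates, then warns */
    return refcount_dec_and_test_model(&r);         /* false: the object leaks instead */
}

/* Underflow: double put on a single-holder object; only the refcount_t model notices. */
static bool double_put_caught_only_by_refcount(void)
{
    atomic_model_t a = { 1 };
    refcount_model_t r = { 1, false };
    atomic_dec_and_test_model(&a); atomic_dec_and_test_model(&a);     /* frees, then wraps */
    refcount_dec_and_test_model(&r); refcount_dec_and_test_model(&r); /* frees, then warns */
    return a.v == UINT_MAX && r.warned && r.v == 0;
}
```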
