[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAGXu5j+1irA8SK_XgbP9qRKLUckEzdPQ=YjopWJm+On_0RhumA@mail.gmail.com>
Date: Thu, 29 Jun 2017 20:58:10 -0700
From: Kees Cook <keescook@...omium.org>
To: Li Kun <hw.likun@...wei.com>
Cc: LKML <linux-kernel@...r.kernel.org>,
Christoph Hellwig <hch@...radead.org>,
Peter Zijlstra <peterz@...radead.org>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Josh Poimboeuf <jpoimboe@...hat.com>,
PaX Team <pageexec@...email.hu>, Jann Horn <jannh@...gle.com>,
Eric Biggers <ebiggers3@...il.com>,
Elena Reshetova <elena.reshetova@...el.com>,
Hans Liljestrand <ishkamiel@...il.com>,
David Windsor <dwindsor@...il.com>,
Greg KH <gregkh@...uxfoundation.org>,
Ingo Molnar <mingo@...hat.com>,
Alexey Dobriyan <adobriyan@...il.com>,
"Serge E. Hallyn" <serge@...lyn.com>, arozansk@...hat.com,
Davidlohr Bueso <dave@...olabs.net>,
Manfred Spraul <manfred@...orfullife.com>,
"axboe@...nel.dk" <axboe@...nel.dk>,
James Bottomley <James.Bottomley@...senpartnership.com>,
"x86@...nel.org" <x86@...nel.org>, Ingo Molnar <mingo@...nel.org>,
Arnd Bergmann <arnd@...db.de>,
"David S. Miller" <davem@...emloft.net>,
Rik van Riel <riel@...hat.com>,
linux-arch <linux-arch@...r.kernel.org>,
"kernel-hardening@...ts.openwall.com"
<kernel-hardening@...ts.openwall.com>,
"Wangkai (Morgan, Euler)" <morgan.wang@...wei.com>
Subject: Re: [kernel-hardening] [PATCH v5 3/3] x86/refcount: Implement fast
refcount overflow protection
On Thu, Jun 29, 2017 at 7:42 PM, Li Kun <hw.likun@...wei.com> wrote:
>
>
> on 2017/6/30 6:05, Kees Cook wrote:
>>
>> On Wed, Jun 28, 2017 at 9:13 PM, Li Kun <hw.likun@...wei.com> wrote:
>>>
>>> 在 2017/5/31 5:39, Kees Cook 写道:
>>>>
>>>> +bool ex_handler_refcount(const struct exception_table_entry *fixup,
>>>> + struct pt_regs *regs, int trapnr)
>>>> +{
>>>> + int reset;
>>>> +
>>>> + /*
>>>> + * If we crossed from INT_MAX to INT_MIN, the OF flag (result
>>>> + * wrapped around) and the SF flag (result is negative) will be
>>>> + * set. In this case, reset to INT_MAX in an attempt to leave
>>>> the
>>>> + * refcount usable. Otherwise, we've landed here due to
>>>> producing
>>>> + * a negative result from either decrementing zero or operating
>>>> on
>>>> + * a negative value. In this case things are badly broken, so we
>>>> + * we saturate to INT_MIN / 2.
>>>> + */
>>>> + if (regs->flags & (X86_EFLAGS_OF | X86_EFLAGS_SF))
>>>> + reset = INT_MAX;
>>>
>>> Should it be like this to indicate that the refcount is wapped from
>>> INT_MAX to INT_MIN ?
>>> if (regs->flags & (X86_EFLAGS_OF | X86_EFLAGS_SF)
>>> == (X86_EFLAGS_OF | X86_EFLAGS_SF))
>>>
>>> reset = INT_MAX;
>>
>> Ah yes, thanks for the catch. Yeah, that test is expecting both
>> condition flags to be set.
>>
>> I'm still on the fence about the best way to deal with the bad states.
>> I've been pondering just strictly using a saturation value (INT_MIN /
>> 2), which should offer the same system state protection (except for
>> the inherent resource leak), but that means there isn't really a good
>> way to kill an offending process (since after saturation ALL processes
>> will look like violators). It can be argued that killing the process
>> doesn't actually provide any benefit since the system is still safe,
>> though.
>
> An immature idea,can we set the count to INT_MAX/2 when we detect and kill
> the offending process,
> and wait to see if there will be another offender touching the fence. Er,not
> very acurate,but better than
> killing all the processes doing refcount_add ,i think.
>>>>
>>>> + else
>>>> + reset = INT_MIN / 2;
>>>> + *(int *)regs->cx = reset;
I suppose we could kill a process if it did the wrap from INT_MAX to
INT_MIN, and then ignore (though maintain saturation of) the rest.
i.e. if X86_EFLAGS_OF, kill and saturate. If X86_EFLAGS_SF, saturate.
I'm still curious about catching refcount_dec() (not
refcount_dec_and_test()) hitting zero.
-Kees
--
Kees Cook
Pixel Security
Powered by blists - more mailing lists