lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Jul 2017 07:34:55 -0500 From: ebiederm@...ssion.com (Eric W. Biederman) To: Ingo Molnar <mingo@...nel.org> Cc: Andrew Morton <akpm@...ux-foundation.org>, Davidlohr Bueso <dave@...olabs.net>, Elena Reshetova <elena.reshetova@...el.com>, linux-kernel@...r.kernel.org, peterz@...radead.org, gregkh@...uxfoundation.org, mingo@...hat.com, adobriyan@...il.com, serge@...lyn.com, arozansk@...hat.com, keescook@...omium.org, Hans Liljestrand <ishkamiel@...il.com>, David Windsor <dwindsor@...il.com> Subject: Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t Ingo Molnar <mingo@...nel.org> writes: > * Andrew Morton <akpm@...ux-foundation.org> wrote: > >> On Wed, 19 Jul 2017 15:54:27 -0700 Davidlohr Bueso <dave@...olabs.net> wrote: >> >> > On Wed, 19 Jul 2017, Andrew Morton wrote: >> > >> > >I do rather dislike these conversions from the point of view of >> > >performance overhead and general code bloat. But I seem to have lost >> > >that struggle and I don't think any of these are fastpath(?). >> > >> > Well, since we now have fd25d19 (locking/refcount: Create unchecked atomic_t >> > implementation), performance is supposed to be ok. >> >> Sure, things are OK for people who disable the feature. > > So with the WIP fast-refcount series from Kees: > > [PATCH v6 0/2] x86: Implement fast refcount overflow protection > > I believe the robustness difference between optimized-refcount_t and > full-refcount_t will be marginal. > > I.e. we'll be able to have both higher API safety _and_ performance. > >> But for people who want to enable the feature we really should minimize the cost >> by avoiding blindly converting sites which simply don't need it: simple, safe, >> old, well-tested code. Why go and slow down such code? Need to apply some >> common sense here... > > It's old, well-tested code _for existing, sane parameters_, until someone finds a > decade old bug in one of these with an insane parameters no-one stumbled upon so > far, and builds an exploit on top of it. > > Only by touching all these places do we have a chance to improve things measurably > in terms of reducing the probability of bugs. The more I hear people pushing the upsides of refcount_t without considering the downsides the more I dislike it. - refcount_t is really the wrong thing because it uses saturation semantics. So by definition it includes a bug. - refcount_t will only really prevent something if there is an extra increment. That is not the kind of bug people are likely to make. - refcount_t won't help if you have an extra decrement. The bad use-after-free will still happen. - refcount_t won't help if there is a memory stomp. As with an extra decrement the bad use-after-free will still happen. So all I see is a huge amount of code churn to implement a buggy (by definition) refcounting API, that risks adding new bugs and only truly helps with bugs that are unlikely in the first place. I really don't think this is an obvious slam dunk. Eric
Powered by blists - more mailing lists