| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Jul 2017 07:34:55 -0500
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Ingo Molnar <mingo@...nel.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Davidlohr Bueso <dave@...olabs.net>,
Elena Reshetova <elena.reshetova@...el.com>,
linux-kernel@...r.kernel.org, peterz@...radead.org,
gregkh@...uxfoundation.org, mingo@...hat.com, adobriyan@...il.com,
serge@...lyn.com, arozansk@...hat.com, keescook@...omium.org,
Hans Liljestrand <ishkamiel@...il.com>,
David Windsor <dwindsor@...il.com>
Subject: Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
Ingo Molnar <mingo@...nel.org> writes:
> * Andrew Morton <akpm@...ux-foundation.org> wrote:
>
>> On Wed, 19 Jul 2017 15:54:27 -0700 Davidlohr Bueso <dave@...olabs.net> wrote:
>>
>> > On Wed, 19 Jul 2017, Andrew Morton wrote:
>> >
>> > >I do rather dislike these conversions from the point of view of
>> > >performance overhead and general code bloat. But I seem to have lost
>> > >that struggle and I don't think any of these are fastpath(?).
>> >
>> > Well, since we now have fd25d19 (locking/refcount: Create unchecked atomic_t
>> > implementation), performance is supposed to be ok.
>>
>> Sure, things are OK for people who disable the feature.
>
> So with the WIP fast-refcount series from Kees:
>
> [PATCH v6 0/2] x86: Implement fast refcount overflow protection
>
> I believe the robustness difference between optimized-refcount_t and
> full-refcount_t will be marginal.
>
> I.e. we'll be able to have both higher API safety _and_ performance.
>
>> But for people who want to enable the feature we really should minimize the cost
>> by avoiding blindly converting sites which simply don't need it: simple, safe,
>> old, well-tested code. Why go and slow down such code? Need to apply some
>> common sense here...
>
> It's old, well-tested code _for existing, sane parameters_, until someone finds a
> decade old bug in one of these with an insane parameters no-one stumbled upon so
> far, and builds an exploit on top of it.
>
> Only by touching all these places do we have a chance to improve things measurably
> in terms of reducing the probability of bugs.
The more I hear people pushing the upsides of refcount_t without
considering the downsides the more I dislike it.
- refcount_t is really the wrong thing because it uses saturation
semantics. So by definition it includes a bug.
- refcount_t will only really prevent something if there is an extra
increment. That is not the kind of bug people are likely to make.
- refcount_t won't help if you have an extra decrement. The bad
use-after-free will still happen.
- refcount_t won't help if there is a memory stomp. As with an extra
decrement the bad use-after-free will still happen.
So all I see is a huge amount of code churn to implement a buggy (by
definition) refcounting API, that risks adding new bugs and only truly
helps with bugs that are unlikely in the first place.
I really don't think this is an obvious slam dunk.
Eric
Powered by blists - more mailing lists