lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 31 Aug 2017 11:45:17 -0700 From: Kees Cook <keescook@...omium.org> To: Mike Galbraith <efault@....de> Cc: "David S. Miller" <davem@...emloft.net>, Peter Zijlstra <peterz@...radead.org>, LKML <linux-kernel@...r.kernel.org>, Ingo Molnar <mingo@...e.hu>, "Reshetova, Elena" <elena.reshetova@...el.com>, Network Development <netdev@...r.kernel.org> Subject: Re: tip -ENOBOOT - bisected to locking/refcounts, x86/asm: Implement fast refcount overflow protection On Thu, Aug 31, 2017 at 10:19 AM, Mike Galbraith <efault@....de> wrote: > On Thu, 2017-08-31 at 10:00 -0700, Kees Cook wrote: >> >> Oh! So it's gcc-version sensitive? That's alarming. Is this mapping correct: >> >> 4.8.5: WARN, eventual kernel hang >> 6.3.1, 7.0.1: WARN, but continues working > > Yeah, that's correct. I find that troubling, simply because this gcc > version has been through one hell of a lot of kernels with me. Yeah, I > know, that doesn't exempt it from having bugs, but color me suspicious. I still can't hit this with a 4.8.5 build. :( With _RATELIMIT removed, this should, in theory, report whatever goes negative first... diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c index c076f710de4c..d4fc6b91c0e6 100644 --- a/arch/x86/mm/extable.c +++ b/arch/x86/mm/extable.c @@ -72,6 +72,10 @@ bool ex_handler_refcount(const struct exception_table_entry *fixup, bool zero = regs->flags & X86_EFLAGS_ZF; refcount_error_report(regs, zero ? "hit zero" : "overflow"); + } else if (regs->flags & X86_EFLAGS_SF) { + refcount_error_report(regs, "result was negative"); + } else { + refcount_error_report(regs, "unknown state"); } return true; diff --git a/kernel/panic.c b/kernel/panic.c index bdd18afa19a4..966ade491543 100644 --- a/kernel/panic.c +++ b/kernel/panic.c @@ -605,7 +605,7 @@ EXPORT_SYMBOL(__stack_chk_fail); #ifdef CONFIG_ARCH_HAS_REFCOUNT void refcount_error_report(struct pt_regs *regs, const char *err) { - WARN_RATELIMIT(1, "refcount_t %s at %pB in %s[%d], uid/euid: %u/%u\n", + WARN(1, "refcount_t %s at %pB in %s[%d], uid/euid: %u/%u\n", err, (void *)instruction_pointer(regs), current->comm, task_pid_nr(current), from_kuid_munged(&init_user_ns, current_uid()), And if it is still a refcount_inc(), and only on gcc 4.8.5, then I think we need to study the resulting assembly... -Kees -- Kees Cook Pixel Security
Powered by blists - more mailing lists