lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAHk-=wgvb72urgEM5q_SpXFv1OXnDGY8VFs8QmZPt9_n1bH0CQ@mail.gmail.com>
Date:   Mon, 25 Oct 2021 14:17:58 -0700
From:   Linus Torvalds <torvalds@...ux-foundation.org>
To:     Kees Cook <keescook@...omium.org>
Cc:     Matthew Wilcox <willy@...radead.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Linux-MM <linux-mm@...ck.org>,
        Jordy Zomer <jordy@...ing.systems>,
        James Bottomley <James.Bottomley@...senpartnership.com>,
        Mike Rapoport <rppt@...nel.org>,
        Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH] secretmem: Prevent secretmem_users from wrapping to zero

On Mon, Oct 25, 2021 at 2:04 PM Kees Cook <keescook@...omium.org> wrote:
>
> Is secretmem different? We're trying to count how many of these we have,
> this is a common pattern in, for example, the network code which does
> this kind of thing a lot.

Yes, secretmem is different.

A refcount being zero means that the data it referenced no longer exists.

That's not what the secretmem counter meant at all.

Making it a refcount was simply WRONG. It's not a refcount, it's a
usage count, and the fact that syzbot caught the warning just shows
how wrong it was.

Stop arguing for garbage. It was wrong, just admit it. The semantics
for "refcount" is something else than what that code had. As a result,
it got reverted. I've applied Willy's patch that actually makes sense.

Arguing for garbage in the name of "security" is still garbage. In
fact, it only causes confusion, and as such is likely to result in
problems - including security problems - later.

Because confusion about semantics is bad. And that was what that patch was.

And I want to state - again - how dangerous this "refcounts are always
prefereable to atomics" mental model is. Refcounts are _not_
fundamentally preferable to atomics. They are slower, bigger, and have
completely different semantics.

So if something isn't a refcount, it damn well shouldn't use "refcount_t".

             Linus

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ