From: Greg KH <gregkh@linuxfoundation.org>
To: Kees Cook <keescook@chromium.org>
Cc: Ubuntu security discussion <ubuntu-hardened@lists.ubuntu.com>,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com, pageexec@freemail.hu,
spender@grsecurity.net
Subject: [kernel-hardening] Re: Add overflow protection to kref
Date: Thu, 16 Feb 2012 17:40:08 -0800 [thread overview]
Message-ID: <20120217014008.GA18763@kroah.com> (raw)
In-Reply-To: <20120217010624.GA6541@outflux.net>
On Thu, Feb 16, 2012 at 05:06:24PM -0800, Kees Cook wrote:
Any reason you forgot to cc: me on the response?
> On Thu, Feb 16, 2012 at 04:24:05PM -0800, Greg Kroah-Hartman wrote:
> > On Thu, Feb 16, 2012 at 12:45:15PM -0800, Kees Cook wrote:
> > > Hi,
> > >
> > > [This should probably be discussed on LKML for an even wider audience, so
> > > I've added a CC for it there.]
> > >
> > > On Thu, Feb 16, 2012 at 09:02:13AM -0500, David Windsor wrote:
> > > > Hi,
> > > >
> > > > We are attempting to add various grsecurity/PAX features to upstream
> > > > Ubuntu kernels.
> > >
> > > This didn't parse quite right for me. I think you meant that the intent
> > > is to get these features into the upstream Linux kernel, with potential
> > > staging in Ubuntu kernels.
> > >
> > > (Also s/PAX/PaX/g)
> > >
> > > > The PAX folks added refcount overflow protection by inserting
> > > > architecture-specific code in the increment paths of atomic_t. For
> > > > instance:
> > > >
> > > > static inline void atomic_inc(atomic_t *v)
> > > > {
> > > > asm volatile(LOCK_PREFIX "incl %0\n"
> > > >
> > > > #ifdef CONFIG_PAX_REFCOUNT
> > > > "jno 0f\n"
> > > > LOCK_PREFIX "decl %0\n"
> > > > "int $4\n0:\n"
> > > > _ASM_EXTABLE(0b, 0b)
> > > > #endif
> > > >
> > > > : "+m" (v->counter));
> > > > }
> > > >
> > > > There are two distinct classes of users we need to consider here:
> > > > those who use atomic_t for reference counters and those who use
> > > > atomic_t for keeping track of statistics, like performance counters,
> > > > etc.; it makes little sense to overflow a performance counter, so we
> > > > shouldn't subject those users to the same protections as imposed on
> > > > actual reference counters. The solution implemented by PAX is to
> > > > create a family of *_unchecked() functions and to patch
> > > > statistics-based users of atomic_t to use this interface.
> > > >
> > > > PAX refcount overflow protection was developed before kref was
> > > > created. I'd like to move overflow protection out of atomic_t and
> > > > into kref and gradually migrate atomic_t users to kref, leaving
> > > > atomic_t for those users who don't need overflow protection (e.g.
> > > > statistics-based counters).
> > >
> > > For people new to this, can you give an overview of what attacks are foiled
> > > by adding overflow protection?
> > >
> > > > I realize that there are many users of atomic_t needing overflow
> > > > protection, but the move to kref seems like the right thing to do in
> > > > this case.
> > > >
> > > > Leaving the semantics of overflow detection aside for the moment, what
> > > > are everyone's thoughts on adding overflow protection to kref rather
> > > > than to atomic_t?
> > >
> > > Why was kref introduced? Or rather, how is kref currently different from
> > > atomic_t?
> >
> > a kref is to handle reference counting for an object, so you don't have
> > to constantly "roll your own" all the time using an atomic_t or
> > whatever. It's the basis for the struct kobject and other object
> > reference counting structures in the kernel for a very long time now.
> >
> > And in all that time, I've never seen an instance where you can overflow
> > the reference count, so I'm hard pressed to see how changing kref in
> > this manner will help anything at all.
>
> A quick search gives me:
> CVE-2005-3359: https://bugzilla.redhat.com/show_bug.cgi?id=175769
> CVE-2006-3741: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b8444d00762703e1b6146fce12ce2684885f8bf6
Neither of those are kref issues, just bugs with other types of
counting things.
> And actually an earlier discussion you were actually involved in:
> https://lkml.org/lkml/2008/7/16/300
That wasn't about a kref issue either. It was also a fun flamefest, but
I don't see how that is relevant here. What am I missing?
> > So no, I don't recommend changing this logic at all in kref.
>
> If it's inexpensive and helps defend against problems, it seems sensible to
> add to me.
I have yet to see a patch, so why are we arguing about this? :)
Again, I don't know of any kref overflows that have ever happened, so
trying to "protect" this type of thing, seems odd to me.
thanks,
greg k-h
WARNING: multiple messages have this Message-ID (diff)
From: Greg KH <gregkh@linuxfoundation.org>
To: Kees Cook <keescook@chromium.org>
Cc: Ubuntu security discussion <ubuntu-hardened@lists.ubuntu.com>,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com, pageexec@freemail.hu,
spender@grsecurity.net
Subject: Re: Add overflow protection to kref
Date: Thu, 16 Feb 2012 17:40:08 -0800 [thread overview]
Message-ID: <20120217014008.GA18763@kroah.com> (raw)
In-Reply-To: <20120217010624.GA6541@outflux.net>
On Thu, Feb 16, 2012 at 05:06:24PM -0800, Kees Cook wrote:
Any reason you forgot to cc: me on the response?
> On Thu, Feb 16, 2012 at 04:24:05PM -0800, Greg Kroah-Hartman wrote:
> > On Thu, Feb 16, 2012 at 12:45:15PM -0800, Kees Cook wrote:
> > > Hi,
> > >
> > > [This should probably be discussed on LKML for an even wider audience, so
> > > I've added a CC for it there.]
> > >
> > > On Thu, Feb 16, 2012 at 09:02:13AM -0500, David Windsor wrote:
> > > > Hi,
> > > >
> > > > We are attempting to add various grsecurity/PAX features to upstream
> > > > Ubuntu kernels.
> > >
> > > This didn't parse quite right for me. I think you meant that the intent
> > > is to get these features into the upstream Linux kernel, with potential
> > > staging in Ubuntu kernels.
> > >
> > > (Also s/PAX/PaX/g)
> > >
> > > > The PAX folks added refcount overflow protection by inserting
> > > > architecture-specific code in the increment paths of atomic_t. For
> > > > instance:
> > > >
> > > > static inline void atomic_inc(atomic_t *v)
> > > > {
> > > > asm volatile(LOCK_PREFIX "incl %0\n"
> > > >
> > > > #ifdef CONFIG_PAX_REFCOUNT
> > > > "jno 0f\n"
> > > > LOCK_PREFIX "decl %0\n"
> > > > "int $4\n0:\n"
> > > > _ASM_EXTABLE(0b, 0b)
> > > > #endif
> > > >
> > > > : "+m" (v->counter));
> > > > }
> > > >
> > > > There are two distinct classes of users we need to consider here:
> > > > those who use atomic_t for reference counters and those who use
> > > > atomic_t for keeping track of statistics, like performance counters,
> > > > etc.; it makes little sense to overflow a performance counter, so we
> > > > shouldn't subject those users to the same protections as imposed on
> > > > actual reference counters. The solution implemented by PAX is to
> > > > create a family of *_unchecked() functions and to patch
> > > > statistics-based users of atomic_t to use this interface.
> > > >
> > > > PAX refcount overflow protection was developed before kref was
> > > > created. I'd like to move overflow protection out of atomic_t and
> > > > into kref and gradually migrate atomic_t users to kref, leaving
> > > > atomic_t for those users who don't need overflow protection (e.g.
> > > > statistics-based counters).
> > >
> > > For people new to this, can you give an overview of what attacks are foiled
> > > by adding overflow protection?
> > >
> > > > I realize that there are many users of atomic_t needing overflow
> > > > protection, but the move to kref seems like the right thing to do in
> > > > this case.
> > > >
> > > > Leaving the semantics of overflow detection aside for the moment, what
> > > > are everyone's thoughts on adding overflow protection to kref rather
> > > > than to atomic_t?
> > >
> > > Why was kref introduced? Or rather, how is kref currently different from
> > > atomic_t?
> >
> > a kref is to handle reference counting for an object, so you don't have
> > to constantly "roll your own" all the time using an atomic_t or
> > whatever. It's the basis for the struct kobject and other object
> > reference counting structures in the kernel for a very long time now.
> >
> > And in all that time, I've never seen an instance where you can overflow
> > the reference count, so I'm hard pressed to see how changing kref in
> > this manner will help anything at all.
>
> A quick search gives me:
> CVE-2005-3359: https://bugzilla.redhat.com/show_bug.cgi?id=175769
> CVE-2006-3741: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b8444d00762703e1b6146fce12ce2684885f8bf6
Neither of those are kref issues, just bugs with other types of
counting things.
> And actually an earlier discussion you were actually involved in:
> https://lkml.org/lkml/2008/7/16/300
That wasn't about a kref issue either. It was also a fun flamefest, but
I don't see how that is relevant here. What am I missing?
> > So no, I don't recommend changing this logic at all in kref.
>
> If it's inexpensive and helps defend against problems, it seems sensible to
> add to me.
I have yet to see a patch, so why are we arguing about this? :)
Again, I don't know of any kref overflows that have ever happened, so
trying to "protect" this type of thing, seems odd to me.
thanks,
greg k-h
next prev parent reply other threads:[~2012-02-17 1:40 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-16 14:02 [kernel-hardening] Add overflow protection to kref David Windsor
2012-02-16 20:45 ` [kernel-hardening] " Kees Cook
2012-02-16 20:45 ` Kees Cook
2012-02-17 0:24 ` [kernel-hardening] " Greg Kroah-Hartman
2012-02-17 0:24 ` Greg Kroah-Hartman
2012-02-17 1:06 ` [kernel-hardening] " Kees Cook
2012-02-17 1:06 ` Kees Cook
2012-02-17 1:40 ` Greg KH [this message]
2012-02-17 1:40 ` Greg KH
2012-02-17 2:11 ` [kernel-hardening] Re: [ubuntu-hardened] " Kees Cook
2012-02-17 2:11 ` Kees Cook
2012-02-17 2:48 ` [kernel-hardening] " David Windsor
2012-02-17 2:48 ` David Windsor
2012-02-17 3:32 ` [kernel-hardening] " Greg KH
2012-02-17 3:32 ` Greg KH
2012-02-17 6:33 ` [kernel-hardening] " Alexey Dobriyan
2012-02-17 6:33 ` Alexey Dobriyan
2012-02-17 13:23 ` [kernel-hardening] " pageexec
2012-02-17 13:23 ` pageexec
2012-02-17 7:59 ` [kernel-hardening] " Vasiliy Kulikov
2012-02-17 7:59 ` Vasiliy Kulikov
2012-02-17 17:53 ` Greg KH
2012-02-17 17:54 ` Greg KH
2012-02-17 19:37 ` Vasiliy Kulikov
2012-02-17 23:39 ` Djalal Harouni
2012-02-18 1:44 ` Roland Dreier
2012-02-18 16:15 ` David Windsor
2012-02-18 16:35 ` Vasiliy Kulikov
2012-02-18 16:18 ` Greg KH
2012-02-24 17:58 ` David Windsor
2012-02-24 18:37 ` Greg KH
2012-02-24 18:52 ` Kees Cook
2012-02-24 19:05 ` Nick Bowler
2012-02-24 19:13 ` Vasiliy Kulikov
2012-02-24 19:35 ` Nick Bowler
2012-02-24 21:59 ` PaX Team
2012-02-24 18:58 ` Vasiliy Kulikov
2012-02-24 19:41 ` Greg KH
2012-02-24 20:04 ` Kees Cook
2012-02-24 19:04 ` David Windsor
2012-02-24 22:14 ` PaX Team
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120217014008.GA18763@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pageexec@freemail.hu \
--cc=spender@grsecurity.net \
--cc=ubuntu-hardened@lists.ubuntu.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.