From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: Kees Cook <keescook@chromium.org>
Cc: "Reshetova, Elena" <elena.reshetova@intel.com>,
	"kernel-hardening@lists.openwall.com"
	<kernel-hardening@lists.openwall.com>,
	"arnd@arndb.de" <arnd@arndb.de>,
	"tglx@linutronix.de" <tglx@linutronix.de>,
	"mingo@redhat.com" <mingo@redhat.com>,
	"Anvin, H Peter" <h.peter.anvin@intel.com>,
	"peterz@infradead.org" <peterz@infradead.org>,
	"will.deacon@arm.com" <will.deacon@arm.com>,
	"dwindsor@gmail.com" <dwindsor@gmail.com>,
	"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
	"ishkamiel@gmail.com" <ishkamiel@gmail.com>
Subject: Re: [kernel-hardening] [RFC PATCH 08/19] kernel, mm: convert from atomic_t to refcount_t
Date: Thu, 12 Jan 2017 14:11:15 +0900	[thread overview]
Message-ID: <20170112051114.GG20972@linaro.org> (raw)
In-Reply-To: <CAGXu5jLC-drraZ3D5bj3_rO4LEFiUhutHHw7U8AfDyAEHg+xtg@mail.gmail.com>

On Wed, Jan 11, 2017 at 02:55:21PM -0800, Kees Cook wrote:
> On Wed, Jan 11, 2017 at 1:42 PM, Kees Cook <keescook@chromium.org> wrote:
> > I can see if it'll cherry-pick cleanly, I assume it will. :)
> 
> It cherry-picked cleanly. However, I made several changes:
> 
> - I adjusted Peter's author email (it had extra []s around).
> - I fixed all of the commit subjects (Peter's were missing).
> - I added back "kref: Add KREF_INIT()" since it seems to have been
> lost and mixed into other patches that would break bisection
> 
> It's here now, please work from this version:
> 
> http://git.kernel.org/cgit/linux/kernel/git/kees/linux.git/log/?h=kspp/hardened-atomic

I gave it a spin on arm64.
It can compile with a change to smp.c that I mentioned before,
but the boot failed. I've not dug into it.

===8<===
[    3.578618] refcount_t: increment on 0; use-after-free.
[    3.579165] ------------[ cut here ]------------
[    3.579254] WARNING: CPU: 0 PID: 1 at /home/akashi/arm/armv8/linaro/linux-aarch64/include/linux/refcount.h:109 unx_create+0x8c/0xc0
[    3.579338] Modules linked in:
[    3.579388] 
[    3.579444] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.10.0-rc2-00018-g9a56ff6b34bd-dirty #1
[    3.579518] Hardware name: FVP Base (DT)
[    3.579578] task: ffff80087b078000 task.stack: ffff80087b080000
[    3.579655] PC is at unx_create+0x8c/0xc0
[    3.579722] LR is at unx_create+0x8c/0xc0
[    3.579786] pc : [<ffff0000088c9c24>] lr : [<ffff0000088c9c24>] pstate: 60000145
[    3.579855] sp : ffff80087b0837c0
[    3.579906] x29: ffff80087b0837c0 x28: 0000000000000000 
[    3.579988] x27: ffff000008940bd0 x26: ffff000008e026fd 
[    3.580073] x25: ffff000008f3b000 x24: ffff000008f3be98 
[    3.580158] x23: ffff80087a750200 x22: ffff000008f3b000 
[    3.580243] x21: ffff000008a57b48 x20: ffff80087b083860 
[    3.580328] x19: ffff000008ed4000 x18: 0000000000000010 
[    3.580409] x17: 0000000000000007 x16: 0000000000000001 
[    3.580492] x15: ffff000088ee8ff7 x14: 0000000000000006 
[    3.580575] x13: ffff000008ee9005 x12: ffff000008e10958 
[    3.580660] x11: ffff000008e10000 x10: ffff000008517ff0 
[    3.580745] x9 : ffff000008db5000 x8 : 2d657375203b3020 
[    3.580830] x7 : 6e6f20746e656d65 x6 : 0000000000000100 
[    3.580913] x5 : ffff000008eeac90 x4 : 0000000000000000 
[    3.580993] x3 : 0000000000000000 x2 : 0000000000000463 
[    3.581076] x1 : ffff80087b078000 x0 : 000000000000002b 
[    3.581150] 
[    3.581191] ---[ end trace f4a7848050409b47 ]---
[    3.581241] Call trace:
[    3.581300] Exception stack(0xffff80087b0835f0 to 0xffff80087b083720)
[    3.581384] 35e0:                                   ffff000008ed4000 0001000000000000
[    3.581489] 3600: ffff80087b0837c0 ffff0000088c9c24 ffff000008bb1588 ffff000008db5000
[    3.581593] 3620: ffff000008eeac90 ffff000008ea2fe0 ffff000008ee8ff8 000000010000002b
[    3.581699] 3640: ffff80087b0836e0 ffff00000810cea0 ffff000008ed4000 ffff80087b083860
[    3.581803] 3660: ffff000008a57b48 ffff000008f3b000 ffff80087a750200 ffff000008f3be98
[    3.581907] 3680: ffff000008f3b000 ffff000008e026fd 000000000000002b ffff80087b078000
[    3.582006] 36a0: 0000000000000463 0000000000000000 0000000000000000 ffff000008eeac90
[    3.582109] 36c0: 0000000000000100 6e6f20746e656d65 2d657375203b3020 ffff000008db5000
[    3.582214] 36e0: ffff000008517ff0 ffff000008e10000 ffff000008e10958 ffff000008ee9005
[    3.582313] 3700: 0000000000000006 ffff000088ee8ff7 0000000000000001 0000000000000007
[    3.582405] [<ffff0000088c9c24>] unx_create+0x8c/0xc0
[    3.582484] [<ffff0000088c9050>] rpcauth_create+0xc8/0x120
[    3.582567] [<ffff0000088be3c8>] rpc_client_register+0xc8/0x148
[    3.582652] [<ffff0000088be5cc>] rpc_new_client+0x184/0x278
[    3.582736] [<ffff0000088bf18c>] rpc_create_xprt+0x4c/0x168
[    3.582819] [<ffff0000088bf384>] rpc_create+0xdc/0x1a8
[    3.582907] [<ffff0000082eda54>] nfs_mount+0xb4/0x168
[    3.582988] [<ffff0000082e3f48>] nfs_request_mount.constprop.14+0xa8/0x100
[    3.583075] [<ffff0000082e3ff8>] nfs_try_mount+0x58/0x238
[    3.583154] [<ffff0000082e38c8>] nfs_fs_mount+0x270/0x848
[    3.583240] [<ffff0000081f1cf4>] mount_fs+0x4c/0x168
[    3.583330] [<ffff00000820eb60>] vfs_kern_mount+0x50/0x118
[    3.583407] [<ffff0000082115dc>] do_mount+0x1ac/0xbc0
[    3.583483] [<ffff000008212410>] SyS_mount+0x90/0xf8
[    3.583572] [<ffff000008cf12a4>] mount_root+0x74/0x134
[    3.583664] [<ffff000008cf14a0>] prepare_namespace+0x13c/0x184
[    3.583758] [<ffff000008cf0d94>] kernel_init_freeable+0x224/0x248
[    3.583842] [<ffff0000088f27d0>] kernel_init+0x10/0x100
[    3.583921] [<ffff000008082ec0>] ret_from_fork+0x10/0x50
[    3.584149] refcount_t: increment on 0; use-after-free.
[    3.584695] ------------[ cut here ]------------
[    3.584784] WARNING: CPU: 0 PID: 1 at /home/akashi/arm/armv8/linaro/linux-aarch64/include/linux/refcount.h:109 unx_create+0x8c/0xc0
< repeated ... >

===>8===
Here, I used an NFS rootfs.

Thanks,
-Takahiro AKASHI

> 0-day should see it soon. :)
> 
> -Kees
> 
> -- 
> Kees Cook
> Nexus Security
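The warning in the trace above is refcount_t's increment-on-zero check firing in unx_create(). The following C model is an added example, not the kernel's refcount.h and not code from the patch series; it mirrors the intended semantics (an increment on 0 warns and leaves the count at 0, and the count saturates at UINT_MAX rather than wrapping). refcount_warnings, warnings_when_init_is() and count_after_inc_from() are hypothetical test hooks.

```c
/* Added userspace model of the refcount_t checks behind the warning above;
 * not the kernel's refcount.h. It mirrors the intended semantics: an
 * increment on 0 warns and leaves the count at 0, and the count saturates
 * at UINT_MAX instead of wrapping. refcount_warnings is a test hook. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
typedef struct { unsigned int refs; } refcount_t;
static int refcount_warnings;   /* hypothetical: how many checks fired */
static void refcount_set(refcount_t *r, unsigned int n) { r->refs = n; }

/* Take a reference only if the object is still alive (count != 0). */
static bool refcount_inc_not_zero(refcount_t *r)
{
    unsigned int old = r->refs;
    if (old == 0)
        return false;           /* already freed: do not resurrect it */
    if (old != UINT_MAX)        /* saturated counts stay pinned, never wrap */
        r->refs = old + 1;
    return true;
}

/* Unconditional "get": only valid while a reference is already held. */
static void refcount_inc(refcount_t *r)
{
    if (!refcount_inc_not_zero(r)) {
        refcount_warnings++;
        fprintf(stderr, "refcount_t: increment on 0; use-after-free.\n");
    }
}

/* Initialise to `initial`, take one "get"; returns how many checks fired.
 * atomic_set(0) followed by atomic_inc() was legal; refcount_t flags it. */
static int warnings_when_init_is(unsigned int initial)
{
    refcount_t r;
    int before = refcount_warnings;
    refcount_set(&r, initial);
    refcount_inc(&r);
    return refcount_warnings - before;
}

/* Constructed check: the count after one refcount_inc() starting from v. */
static unsigned int count_after_inc_from(unsigned int v)
{
    refcount_t r;
    refcount_set(&r, v);
    refcount_inc(&r);
    return r.refs;
}
```

A conversion that kept an atomic_t-style "set to 0, then inc for the first reference" initialisation produces exactly the message in the trace; starting the refcount at 1 for the initial reference does not.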
