From: Rik van Riel <riel@redhat.com>
To: Kees Cook <keescook@chromium.org>, Peter Zijlstra <peterz@infradead.org>
Cc: PaX Team <pageexec@freemail.hu>,
LKML <linux-kernel@vger.kernel.org>,
Eric Biggers <ebiggers3@gmail.com>,
Christoph Hellwig <hch@infradead.org>,
"axboe@kernel.dk" <axboe@kernel.dk>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
Elena Reshetova <elena.reshetova@intel.com>,
Hans Liljestrand <ishkamiel@gmail.com>,
David Windsor <dwindsor@gmail.com>,
"x86@kernel.org" <x86@kernel.org>, Ingo Molnar <mingo@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jann Horn <jann@thejh.net>,
"David S. Miller" <davem@davemloft.net>,
linux-arch <linux-arch@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>
Subject: Re: [kernel-hardening] Re: [PATCH] x86/refcount: Implement fast refcount_t handling
Date: Mon, 24 Apr 2017 21:11:20 -0400 [thread overview]
Message-ID: <1493082680.23190.1.camel@redhat.com> (raw)
In-Reply-To: <CAGXu5j+tbPr04Jiv4yjJJO3h89fDxy-iWAeuoDZ2N+XDY58umw@mail.gmail.com>
On Mon, 2017-04-24 at 15:37 -0700, Kees Cook wrote:
> On Mon, Apr 24, 2017 at 3:01 PM, Peter Zijlstra <peterz@infradead.org
> > wrote:
> > On Mon, Apr 24, 2017 at 01:40:56PM -0700, Kees Cook wrote:
> > > I think we're way off in the weeds here. The "cannot inc from 0"
> > > check
> > > is about general sanity checks on refcounts.
> >
> > I disagree, although sanity check are good too.
> >
> > > It should never happen, and if it does, there's a bug.
> >
> > The very same is true of the overflow thing.
> >
> > > However, what the refcount hardening protection is trying to do
> > > is
> > > protect again the exploitable condition: overflow.
> >
> > Sure..
> >
> > > Inc-from-0 isn't an exploitable condition since in theory
> > > the memory suddenly becomes correctly managed again.
> >
> > It does not. It just got free'ed. Nothing will stop the free from
> > happening (or already having happened).
>
> Well, yes, but that's kind of my point. Detecting inc-from-0 is "too
> late" to offer a protection. It offers notification of a bug, rather
> than stopping an exploit from happening.
inc-from-0 could allow the attacker to gain access to
an object which gets allocated to a new user afterwards.
Certainly much less useful as an exploit, but still a
potential privilege escalation.
next prev parent reply other threads:[~2017-04-25 1:11 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-21 22:09 [PATCH] x86/refcount: Implement fast refcount_t handling Kees Cook
2017-04-24 8:32 ` Peter Zijlstra
2017-04-24 8:53 ` [kernel-hardening] " Jann Horn
2017-04-24 8:53 ` Jann Horn
2017-04-24 9:20 ` Peter Zijlstra
2017-04-24 11:00 ` PaX Team
2017-04-24 11:00 ` PaX Team
2017-04-24 11:15 ` Peter Zijlstra
2017-04-24 11:15 ` Peter Zijlstra
2017-04-24 13:08 ` PaX Team
2017-04-24 13:08 ` PaX Team
2017-04-24 13:33 ` Peter Zijlstra
2017-04-24 13:33 ` Peter Zijlstra
2017-04-24 15:15 ` PaX Team
2017-04-24 20:40 ` Kees Cook
2017-04-24 22:01 ` Peter Zijlstra
2017-04-24 22:01 ` Peter Zijlstra
2017-04-24 22:37 ` Kees Cook
2017-04-25 1:11 ` Rik van Riel [this message]
2017-04-25 9:05 ` Peter Zijlstra
2017-04-25 11:26 ` PaX Team
2017-04-25 11:26 ` PaX Team
2017-04-25 16:36 ` Kees Cook
2017-04-25 16:36 ` Kees Cook
2017-04-24 20:33 ` Kees Cook
2017-04-24 20:33 ` Kees Cook
2017-04-25 11:26 ` PaX Team
2017-04-25 16:39 ` Kees Cook
2017-04-26 2:14 ` PaX Team
2017-04-26 2:14 ` PaX Team
2017-04-26 4:42 ` Kees Cook
2017-04-24 20:16 ` Kees Cook
2017-04-24 20:16 ` Kees Cook
2017-04-24 10:45 ` Peter Zijlstra
2017-04-24 20:19 ` Kees Cook
2017-04-24 10:48 ` Peter Zijlstra
2017-04-24 10:48 ` Peter Zijlstra
2017-04-24 20:21 ` Kees Cook
2017-04-24 20:21 ` Kees Cook
2017-04-25 10:23 ` Peter Zijlstra
2017-04-25 11:26 ` PaX Team
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1493082680.23190.1.camel@redhat.com \
--to=riel@redhat.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=arnd@arndb.de \
--cc=axboe@kernel.dk \
--cc=davem@davemloft.net \
--cc=dwindsor@gmail.com \
--cc=ebiggers3@gmail.com \
--cc=elena.reshetova@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@infradead.org \
--cc=ishkamiel@gmail.com \
--cc=jann@thejh.net \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=pageexec@freemail.hu \
--cc=peterz@infradead.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).