From: Li Kun <hw.likun@huawei.com>
To: Kees Cook <keescook@chromium.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
Christoph Hellwig <hch@infradead.org>,
Peter Zijlstra <peterz@infradead.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Andrew Morton <akpm@linux-foundation.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
PaX Team <pageexec@freemail.hu>, Jann Horn <jannh@google.com>,
Eric Biggers <ebiggers3@gmail.com>,
Elena Reshetova <elena.reshetova@intel.com>,
Hans Liljestrand <ishkamiel@gmail.com>,
David Windsor <dwindsor@gmail.com>,
Greg KH <gregkh@linuxfoundation.org>,
Ingo Molnar <mingo@redhat.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
arozansk@redhat.com, Davidlohr Bueso <dave@stgolabs.net>,
Manfred Spraul <manfred@colorfullife.com>,
"axboe@kernel.dk" <axboe@kernel.dk>,
James
Subject: Re: [PATCH v5 3/3] x86/refcount: Implement fast refcount overflow protection
Date: Fri, 30 Jun 2017 10:42:05 +0800 [thread overview]
Message-ID: <afcc7ab0-c1ca-e89d-169c-66be444274e4@huawei.com> (raw)
In-Reply-To: <CAGXu5jLzL3URMvF81EbH1Bt74MnwL9-25AU41yQnbEBcWA7J8Q@mail.gmail.com>
on 2017/6/30 6:05, Kees Cook wrote:
> On Wed, Jun 28, 2017 at 9:13 PM, Li Kun <hw.likun@huawei.com> wrote:
>> 在 2017/5/31 5:39, Kees Cook 写道:
>>> +bool ex_handler_refcount(const struct exception_table_entry *fixup,
>>> + struct pt_regs *regs, int trapnr)
>>> +{
>>> + int reset;
>>> +
>>> + /*
>>> + * If we crossed from INT_MAX to INT_MIN, the OF flag (result
>>> + * wrapped around) and the SF flag (result is negative) will be
>>> + * set. In this case, reset to INT_MAX in an attempt to leave the
>>> + * refcount usable. Otherwise, we've landed here due to producing
>>> + * a negative result from either decrementing zero or operating on
>>> + * a negative value. In this case things are badly broken, so we
>>> + * we saturate to INT_MIN / 2.
>>> + */
>>> + if (regs->flags & (X86_EFLAGS_OF | X86_EFLAGS_SF))
>>> + reset = INT_MAX;
>> Should it be like this to indicate that the refcount is wapped from
>> INT_MAX to INT_MIN ?
>> if (regs->flags & (X86_EFLAGS_OF | X86_EFLAGS_SF)
>> == (X86_EFLAGS_OF | X86_EFLAGS_SF))
>>
>> reset = INT_MAX;
> Ah yes, thanks for the catch. Yeah, that test is expecting both
> condition flags to be set.
>
> I'm still on the fence about the best way to deal with the bad states.
> I've been pondering just strictly using a saturation value (INT_MIN /
> 2), which should offer the same system state protection (except for
> the inherent resource leak), but that means there isn't really a good
> way to kill an offending process (since after saturation ALL processes
> will look like violators). It can be argued that killing the process
> doesn't actually provide any benefit since the system is still safe,
> though.
An immature idea,can we set the count to INT_MAX/2 when we detect and
kill the offending process,
and wait to see if there will be another offender touching the fence.
Er,not very acurate,but better than
killing all the processes doing refcount_add ,i think.
>>> + else
>>> + reset = INT_MIN / 2;
>>> + *(int *)regs->cx = reset;
> Thanks for looking at this!
>
> -Kees
>
--
Best Regards
Li Kun
WARNING: multiple messages have this Message-ID (diff)
From: Li Kun <hw.likun@huawei.com>
To: Kees Cook <keescook@chromium.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
Christoph Hellwig <hch@infradead.org>,
Peter Zijlstra <peterz@infradead.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Andrew Morton <akpm@linux-foundation.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
PaX Team <pageexec@freemail.hu>, Jann Horn <jannh@google.com>,
Eric Biggers <ebiggers3@gmail.com>,
Elena Reshetova <elena.reshetova@intel.com>,
Hans Liljestrand <ishkamiel@gmail.com>,
David Windsor <dwindsor@gmail.com>,
Greg KH <gregkh@linuxfoundation.org>,
Ingo Molnar <mingo@redhat.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
arozansk@redhat.com, Davidlohr Bueso <dave@stgolabs.net>,
Manfred Spraul <manfred@colorfullife.com>,
"axboe@kernel.dk" <axboe@kernel.dk>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
"x86@kernel.org" <x86@kernel.org>, Ingo Molnar <mingo@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
"David S. Miller" <davem@davemloft.net>,
Rik van Riel <riel@redhat.com>,
linux-arch <linux-arch@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
"Wangkai (Morgan, Euler)" <morgan.wang@huawei.com>
Subject: Re: [kernel-hardening] [PATCH v5 3/3] x86/refcount: Implement fast refcount overflow protection
Date: Fri, 30 Jun 2017 10:42:05 +0800 [thread overview]
Message-ID: <afcc7ab0-c1ca-e89d-169c-66be444274e4@huawei.com> (raw)
Message-ID: <20170630024205.b9JkFyaKbtvfZTE6ioeZA56ONuZ8mzB0qMq6eg-vsyY@z> (raw)
In-Reply-To: <CAGXu5jLzL3URMvF81EbH1Bt74MnwL9-25AU41yQnbEBcWA7J8Q@mail.gmail.com>
on 2017/6/30 6:05, Kees Cook wrote:
> On Wed, Jun 28, 2017 at 9:13 PM, Li Kun <hw.likun@huawei.com> wrote:
>> 在 2017/5/31 5:39, Kees Cook 写道:
>>> +bool ex_handler_refcount(const struct exception_table_entry *fixup,
>>> + struct pt_regs *regs, int trapnr)
>>> +{
>>> + int reset;
>>> +
>>> + /*
>>> + * If we crossed from INT_MAX to INT_MIN, the OF flag (result
>>> + * wrapped around) and the SF flag (result is negative) will be
>>> + * set. In this case, reset to INT_MAX in an attempt to leave the
>>> + * refcount usable. Otherwise, we've landed here due to producing
>>> + * a negative result from either decrementing zero or operating on
>>> + * a negative value. In this case things are badly broken, so we
>>> + * we saturate to INT_MIN / 2.
>>> + */
>>> + if (regs->flags & (X86_EFLAGS_OF | X86_EFLAGS_SF))
>>> + reset = INT_MAX;
>> Should it be like this to indicate that the refcount is wapped from
>> INT_MAX to INT_MIN ?
>> if (regs->flags & (X86_EFLAGS_OF | X86_EFLAGS_SF)
>> == (X86_EFLAGS_OF | X86_EFLAGS_SF))
>>
>> reset = INT_MAX;
> Ah yes, thanks for the catch. Yeah, that test is expecting both
> condition flags to be set.
>
> I'm still on the fence about the best way to deal with the bad states.
> I've been pondering just strictly using a saturation value (INT_MIN /
> 2), which should offer the same system state protection (except for
> the inherent resource leak), but that means there isn't really a good
> way to kill an offending process (since after saturation ALL processes
> will look like violators). It can be argued that killing the process
> doesn't actually provide any benefit since the system is still safe,
> though.
An immature idea,can we set the count to INT_MAX/2 when we detect and
kill the offending process,
and wait to see if there will be another offender touching the fence.
Er,not very acurate,but better than
killing all the processes doing refcount_add ,i think.
>>> + else
>>> + reset = INT_MIN / 2;
>>> + *(int *)regs->cx = reset;
> Thanks for looking at this!
>
> -Kees
>
--
Best Regards
Li Kun
next prev parent reply other threads:[~2017-06-30 2:42 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-30 21:39 [PATCH v5 0/3] Implement fast refcount overflow protection Kees Cook
2017-05-30 21:39 ` Kees Cook
2017-05-30 21:39 ` [PATCH v5 1/3] refcount: Create unchecked atomic_t implementation Kees Cook
2017-05-30 21:39 ` Kees Cook
2017-05-31 10:45 ` Reshetova, Elena
2017-05-31 10:45 ` Reshetova, Elena
2017-05-31 11:09 ` Peter Zijlstra
2017-05-31 11:09 ` Peter Zijlstra
2017-06-01 14:43 ` Kees Cook
2017-06-01 14:43 ` Kees Cook
2017-05-30 21:39 ` [PATCH v5 2/3] x86/asm: Add suffix macro for GEN_*_RMWcc() Kees Cook
2017-05-30 21:39 ` Kees Cook
2017-05-31 11:13 ` Peter Zijlstra
2017-05-31 11:13 ` Peter Zijlstra
2017-05-31 13:17 ` Kees Cook
2017-05-31 13:17 ` Kees Cook
2017-05-31 14:03 ` Peter Zijlstra
2017-05-31 14:03 ` Peter Zijlstra
2017-05-31 16:09 ` Kees Cook
2017-05-31 16:09 ` Kees Cook
2017-05-30 21:39 ` [PATCH v5 3/3] x86/refcount: Implement fast refcount overflow protection Kees Cook
2017-05-30 21:39 ` Kees Cook
2017-06-29 4:13 ` [kernel-hardening] " Li Kun
2017-06-29 4:13 ` Li Kun
2017-06-29 22:05 ` Kees Cook
2017-06-29 22:05 ` [kernel-hardening] " Kees Cook
2017-06-30 2:42 ` Li Kun [this message]
2017-06-30 2:42 ` Li Kun
2017-06-30 3:58 ` Kees Cook
2017-06-30 3:58 ` Kees Cook
2017-05-31 12:27 ` [PATCH v5 0/3] " Davidlohr Bueso
2017-05-31 12:27 ` Davidlohr Bueso
2017-05-31 13:20 ` Kees Cook
2017-05-31 13:20 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=afcc7ab0-c1ca-e89d-169c-66be444274e4@huawei.com \
--to=hw.likun@huawei.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=arozansk@redhat.com \
--cc=axboe@kernel.dk \
--cc=dave@stgolabs.net \
--cc=dwindsor@gmail.com \
--cc=ebiederm@xmission.com \
--cc=ebiggers3@gmail.com \
--cc=elena.reshetova@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@infradead.org \
--cc=ishkamiel@gmail.com \
--cc=jannh@google.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=manfred@colorfullife.com \
--cc=mingo@redhat.com \
--cc=pageexec@freemail.hu \
--cc=peterz@infradead.org \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox