From: Kees Cook <keescook@chromium.org>
To: Jann Horn <jannh@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
linux-hardening@vger.kernel.org,
Elena Reshetova <elena.reshetova@intel.com>,
David Windsor <dwindsor@gmail.com>,
Hans Liljestrand <ishkamiel@gmail.com>,
Trond Myklebust <trond.myklebust@hammerspace.com>,
Anna Schumaker <anna@kernel.org>,
Chuck Lever <chuck.lever@oracle.com>,
Jeff Layton <jlayton@kernel.org>, Neil Brown <neilb@suse.de>,
Olga Kornievskaia <kolga@netapp.com>,
Dai Ngo <Dai.Ngo@oracle.com>, Tom Talpey <tom@talpey.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Sergey Senozhatsky <senozhatsky@chromium.org>,
Alexey Gladkov <legion@kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Yu Zhao <yuzhao@google.com>,
linux-kernel@vger.kernel.org, linux-nfs@vger.kernel.org,
netdev@vger.kernel.org
Subject: Re: [PATCH v2] creds: Convert cred.usage to refcount_t
Date: Fri, 18 Aug 2023 11:48:16 -0700 [thread overview]
Message-ID: <202308181146.465B4F85@keescook> (raw)
In-Reply-To: <CAG48ez3mNk8yryV3XHdWZBHC_4vFswJPx1yww+uDi68J=Lepdg@mail.gmail.com>
On Fri, Aug 18, 2023 at 08:17:55PM +0200, Jann Horn wrote:
> On Fri, Aug 18, 2023 at 7:56 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> > On Thu, 17 Aug 2023 21:17:41 -0700 Kees Cook <keescook@chromium.org> wrote:
> >
> > > From: Elena Reshetova <elena.reshetova@intel.com>
> > >
> > > atomic_t variables are currently used to implement reference counters
> > > with the following properties:
> > > - counter is initialized to 1 using atomic_set()
> > > - a resource is freed upon counter reaching zero
> > > - once counter reaches zero, its further
> > > increments aren't allowed
> > > - counter schema uses basic atomic operations
> > > (set, inc, inc_not_zero, dec_and_test, etc.)
> > >
> > > Such atomic variables should be converted to a newly provided
> > > refcount_t type and API that prevents accidental counter overflows and
> > > underflows. This is important since overflows and underflows can lead
> > > to use-after-free situation and be exploitable.
> >
> > ie, if we have bugs which we have no reason to believe presently exist,
> > let's bloat and slow down the kernel just in case we add some in the
> > future?
>
> Yeah. Or in case we currently have some that we missed.
Right, or to protect us against the _introduction_ of flaws.
> Though really we don't *just* need refcount_t to catch bugs; on a
> system with enough RAM you can also overflow many 32-bit refcounts by
> simply creating 2^32 actual references to an object. Depending on the
> structure of objects that hold such refcounts, that can start
> happening at around 2^32 * 8 bytes = 32 GiB memory usage, and it
> becomes increasingly practical to do this with more objects if you
> have significantly more RAM. I suppose you could avoid such issues by
> putting a hard limit of 32 GiB on the amount of slab memory and
> requiring that kernel object references are stored as pointers in slab
> memory, or by making all the refcounts 64-bit.
These problems are a different issue, and yes, the path out of it would
be to crank the size of refcount_t, etc.
--
Kees Cook
next prev parent reply other threads:[~2023-08-18 18:49 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-18 4:17 [PATCH v2] creds: Convert cred.usage to refcount_t Kees Cook
2023-08-18 17:55 ` Andrew Morton
2023-08-18 18:17 ` Jann Horn
2023-08-18 18:48 ` Kees Cook [this message]
2023-08-18 19:31 ` Andrew Morton
2023-08-18 20:10 ` Jeff Layton
2023-08-18 20:24 ` Kees Cook
2023-08-18 21:07 ` Eric W. Biederman
2023-08-21 10:18 ` David Laight
2023-08-18 20:16 ` Kees Cook
2023-08-18 20:54 ` Jann Horn
2023-08-18 18:46 ` Kees Cook
2023-08-18 20:21 ` David Windsor
2023-08-18 20:12 ` Jeff Layton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202308181146.465B4F85@keescook \
--to=keescook@chromium.org \
--cc=Dai.Ngo@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=anna@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=davem@davemloft.net \
--cc=dwindsor@gmail.com \
--cc=ebiederm@xmission.com \
--cc=edumazet@google.com \
--cc=elena.reshetova@intel.com \
--cc=ishkamiel@gmail.com \
--cc=jannh@google.com \
--cc=jlayton@kernel.org \
--cc=kolga@netapp.com \
--cc=kuba@kernel.org \
--cc=legion@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=neilb@suse.de \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=senozhatsky@chromium.org \
--cc=tom@talpey.com \
--cc=trond.myklebust@hammerspace.com \
--cc=yuzhao@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).