From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753437AbdF0TWu (ORCPT <rfc822;w@1wt.eu>);
        Tue, 27 Jun 2017 15:22:50 -0400
Received: from mga09.intel.com ([134.134.136.24]:10554 "EHLO mga09.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752311AbdF0TWo (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 27 Jun 2017 15:22:44 -0400
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.40,271,1496127600"; 
   d="scan'208";a="102029577"
Date: Tue, 27 Jun 2017 12:22:42 -0700
From: Andi Kleen <ak@linux.intel.com>
To: Kees Cook <keescook@chromium.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Ingo Molnar <mingo@kernel.org>, Peter Zijlstra <peterz@infradead.org>,
        "Jason A. Donenfeld" <Jason@zx2c4.com>,
        Thomas Hellstrom <thellstrom@vmware.com>,
        Daniel Micay <danielmicay@gmail.com>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] kref: Avoid null pointer dereference after WARN
Message-ID: <20170627192242.GI23705@tassilo.jf.intel.com>
References: <20170627190001.GA7811@beast>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20170627190001.GA7811@beast>
User-Agent: Mutt/1.8.0 (2017-02-23)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jun 27, 2017 at 12:00:02PM -0700, Kees Cook wrote:
> From: Daniel Micay <danielmicay@gmail.com>
> 
> The WARN_ON() checking for a NULL release pointer was (sensibly)
> removed in commit ec48c940da6c ("kref: remove WARN_ON for NULL release
> functions") since it offered no protection at all about calling a NULL
> release pointer. However, it should instead be a BUG() since continuing
> with a NULL release pointer will lead to a NULL pointer execution
> anyway. Systems with an incorrectly set mmap_min_addr and no PXN/SMEP
> protection would be left open to executing userspace memory.

There's still no evidence that actually would prevented anything
exploitable?

Who would actually set mman_min_addr incorrectly?
And of course near all modern systems have SMEP/SMAP.

Surviving minor problems is actually a feature, not a bug.
Linux was always better than other Unixes here, which
are typically far too panic happy.

If you really want it, I would rather add bug/panic_on_warn sysctl
that does this for every warning but make it default to off. 

That would actually cover more cases.

I could see panic_on_warn being moderately useful for debugging
when crash dumps are enabled.

-Andi