Re: [PATCH] x86/refcount: Implement fast refcount_t handling

From: PaX Team
Date: Tue Apr 25 2017 - 07:28:38 EST


On 25 Apr 2017 at 12:23, Peter Zijlstra wrote:

> So what avoids this:

simple, you noted it yourself in your previous mail:

> Well, your setup (panic_on_warn et al) would have it panic the box. That
> will effectively stop the exploit by virtue of stopping everything.

with that in mind the actual code looks like this:

> CPU0                              CPU1
>
>
> lock inc %[val]; # 0x7fffffff
> jo 2f
>1: ...
>
>                                   lock dec %[val]; # 0x80000000
>                                   jo 2f
>                                 1: ...
>
>
>
>
>2: mov $0x7fffffff, %[val]

panic()

> jmp 1b
>
>                                 2: mov $0x80000000, %[val]

                                  panic()

>                                   jmp 1b
>

... and we never get this far.
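The interleaving above, played out in a small userspace model as an added example (this is not code from the thread, the patch, or the kernel's refcount_t): the counter is kept unsigned so the wrap is well defined in C, `model_inc`/`model_dec` return true exactly where the x86 `jo` branch would be taken, and `run_scenario` replays CPU0's increment from 0x7fffffff racing CPU1's decrement, once with the handler falling through to its saturating `mov` and once with it stopping the machine first. The names `model_ref_t`, `model_inc`, `model_dec`, `run_scenario` and the `race_result` fields are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the counter: stored as uint32_t so 0x7fffffff + 1
 * and 0x80000000 - 1 wrap without undefined behaviour. "Overflow" means
 * what the thread's 'jo' tests: the signed result crossed between
 * 0x7fffffff and 0x80000000. */
typedef struct { uint32_t val; } model_ref_t;

#define REF_SAT_POS 0x7fffffffu   /* value CPU0's 2: handler stores */
#define REF_SAT_NEG 0x80000000u   /* value CPU1's 2: handler stores */

/* 'lock inc %[val]; jo 2f' : true when the branch to 2: is taken. */
static bool model_inc(model_ref_t *r)
{
    uint32_t old = __atomic_fetch_add(&r->val, 1u, __ATOMIC_SEQ_CST);
    return old == REF_SAT_POS;   /* 0x7fffffff -> 0x80000000 sets OF */
}

/* 'lock dec %[val]; jo 2f' : true when the branch to 2: is taken. */
static bool model_dec(model_ref_t *r)
{
    uint32_t old = __atomic_fetch_sub(&r->val, 1u, __ATOMIC_SEQ_CST);
    return old == REF_SAT_NEG;   /* 0x80000000 -> 0x7fffffff sets OF */
}

struct race_result {
    uint32_t final;      /* counter value when the scenario ends */
    int handler_runs;    /* how many 2: handlers were entered */
    bool cpu1_ran;       /* whether CPU1's dec executed at all */
};

/* Replays the thread's diagram: CPU0 increments a counter sitting at
 * 0x7fffffff and takes its jo; CPU1 decrements before CPU0's handler has
 * stored anything, so CPU1 sees 0x80000000 and takes its jo too. With
 * panic_on_warn the first handler stores its value and stops the box, so
 * CPU1's dec is never reached. */
static struct race_result run_scenario(bool panic_on_warn)
{
    model_ref_t r = { REF_SAT_POS };           /* constructed start value */
    struct race_result res = { 0, 0, false };

    bool cpu0_ovf = model_inc(&r);             /* CPU0: jo 2f taken */
    if (cpu0_ovf && panic_on_warn) {
        res.handler_runs++;
        __atomic_store_n(&r.val, REF_SAT_POS, __ATOMIC_SEQ_CST);
        res.final = r.val;                     /* panic(): nothing else runs */
        return res;
    }

    res.cpu1_ran = true;                       /* CPU1 runs in the window */
    bool cpu1_ovf = model_dec(&r);             /* CPU1: jo 2f taken as well */

    /* Both out-of-line handlers now execute their saturating stores. */
    if (cpu0_ovf) { res.handler_runs++; __atomic_store_n(&r.val, REF_SAT_POS, __ATOMIC_SEQ_CST); }
    if (cpu1_ovf) { res.handler_runs++; __atomic_store_n(&r.val, REF_SAT_NEG, __ATOMIC_SEQ_CST); }

    res.final = r.val;
    return res;
}

int main(void)
{
    struct race_result a = run_scenario(false), b = run_scenario(true);
    printf("no panic : final=0x%08x handlers=%d cpu1_ran=%d\n", a.final, a.handler_runs, a.cpu1_ran);
    printf("panic    : final=0x%08x handlers=%d cpu1_ran=%d\n", b.final, b.handler_runs, b.cpu1_ran);
    return 0;
}
```

Without the panic, both handlers fire and the last store wins, so the counter ends at whichever saturation value the second CPU chose; with the panic, the first detection is terminal and the second CPU's operation never happens, which is the point made above.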