Re: [PATCH v2 2/2] x86, refcount: Implement fast refcount overflow protection

From: Jann Horn
Date: Tue Apr 25 2017 - 20:27:37 EST

Next message: Joe Perches: "[PATCH] checkpatch: Improve k.alloc with multiplication and sizeof test"
Previous message: Frank Rowand: "Re: [PATCH v2 1/2] of: support dtc compiler flags for overlays"
In reply to: Kees Cook: "[PATCH v2 2/2] x86, refcount: Implement fast refcount overflow protection"
Next in thread: Kees Cook: "Re: [PATCH v2 2/2] x86, refcount: Implement fast refcount overflow protection"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Apr 26, 2017 at 12:56 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> This protection is a modified version of the x86 PAX_REFCOUNT
> implementation from PaX/grsecurity. This speeds up the refcount_t API by
> duplicating the existing atomic_t implementation with a single instruction
> added to detect if the refcount has wrapped past INT_MAX (or below 0)
> resulting in a signed value.
[...]
> +static __always_inline void refcount_dec(refcount_t *r)
> +{
> + asm volatile(LOCK_PREFIX "decl %0\n\t"
> + REFCOUNT_CHECK_UNDERFLOW(4)
> + : [counter] "+m" (r->refs.counter)
> + : : "cc", "cx");
> +}

What purpose do checks on decrement now have? The mitigation is only
intended to deal with (positive) overflows, right? AFAICS if you hit this code,
similar to the inc-from-0 case, you're already in a UAF situation?

Next message: Joe Perches: "[PATCH] checkpatch: Improve k.alloc with multiplication and sizeof test"
Previous message: Frank Rowand: "Re: [PATCH v2 1/2] of: support dtc compiler flags for overlays"
In reply to: Kees Cook: "[PATCH v2 2/2] x86, refcount: Implement fast refcount overflow protection"
Next in thread: Kees Cook: "Re: [PATCH v2 2/2] x86, refcount: Implement fast refcount overflow protection"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]