Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAGXu5jJG0LUxLPtqr79PG=RmWgV96sy2j7dQKr9yvjadzrc3Ag@mail.gmail.com>
Date: Mon, 14 Nov 2016 12:31:32 -0800
From: Kees Cook <keescook@...omium.org>
To: Peter Zijlstra <peterz@...radead.org>
Cc: Will Deacon <will.deacon@....com>, Greg KH <gregkh@...uxfoundation.org>, 
	David Windsor <dave@...gbits.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, 
	Elena Reshetova <elena.reshetova@...el.com>, Arnd Bergmann <arnd@...db.de>, 
	Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, 
	"H. Peter Anvin" <h.peter.anvin@...el.com>
Subject: Re: Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

On Fri, Nov 11, 2016 at 12:17 PM, Peter Zijlstra <peterz@...radead.org> wrote:
> On Fri, Nov 11, 2016 at 10:04:42AM -0800, Kees Cook wrote:
>
>> I'm totally open about how to get there, but things can't just be opt-in.
>
> There really is no alternative.

I realize you feel that way, but if we can find a way to squeeze
mistakes down to impossible or very small, that has a strong effect on
the future of avoiding exploitation of these kinds of things.

> refcount_t; should only have: inc, inc_not_zero, dec_and_test

Sounds good. Two questions remain:

- how to deal with existing refcounting atomic_t users that want _add and _sub?
- keeping this fast enough that it can be used even in very sensitive
places (net, fs, etc).

> stats_t; should only have: add,sub

Seems right, though why not inc/dec? And shouldn't it have a _read of some kind?

Keeping the implementation details of refcount_t and stats_t opaque to
the users should discourage misuse...

> atomic_t; has:
>
>         {add,inc,sub,dec} + {and,or,xor,notand}
>
>         {add,inc,sub,dec}_return * {,relaxed,release,acquire}
>
>         (fetch_{add,inc,sub,dec} + {and,or,xor,notand}) * {,relaxed,release,acquire}
>
>         {sub,add,inc,dec}_and_test
>
>         {cmpxchg,xchg}
>
>         add_unless,inc_not_zero,{inc,dec}_unless_negative,dec_if_positive
>
> That is so much more than either refcount_t or stats_t should have, and
> the whole wrap/nowrap thing only matters to part of the ops.
>
> Like said, atomic_cmpxchg_wrap() is utter crap, that's a function name
> that doesn't make sense, and you guys should have realized that the
> moment you typed it.
>
> Its fantasy to think you can 'implement' atomic_t with refcount_t or
> anything else. You're chasing unicorns.

So, here's another suggestion on how to avoid this being opt-in: we
change atomic_t's name along with adding refcount_t and stats_t. We
need some way to distinguish "true" atomic users from the refcount_t
and stats_t, without needing to hope we can educate future driver
writers. Then, after transition to refcount_t, stats_t, and
bikeshed_atomic_t, we can catch misuse by having a CONFIG that forces
new/remaining atomic_t into refcount_t (which will blow up the build
if a driver uses anything besides inc, inc_not_zero, dec_and_test,
etc).

Regardless, adding refcount_t and stats_t will already make the audit
work of finding misused atomic_t SO much better, so since this is a
precondition to any other crazier ideas, it looks like we can all
agree on doing those pieces first.

-Kees

-- 
Kees Cook
Nexus Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.