Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAGXu5j+1irA8SK_XgbP9qRKLUckEzdPQ=YjopWJm+On_0RhumA@mail.gmail.com>
Date: Thu, 29 Jun 2017 20:58:10 -0700
From: Kees Cook <keescook@...omium.org>
To: Li Kun <hw.likun@...wei.com>
Cc: LKML <linux-kernel@...r.kernel.org>, Christoph Hellwig <hch@...radead.org>, 
	Peter Zijlstra <peterz@...radead.org>, "Eric W. Biederman" <ebiederm@...ssion.com>, 
	Andrew Morton <akpm@...ux-foundation.org>, Josh Poimboeuf <jpoimboe@...hat.com>, 
	PaX Team <pageexec@...email.hu>, Jann Horn <jannh@...gle.com>, 
	Eric Biggers <ebiggers3@...il.com>, Elena Reshetova <elena.reshetova@...el.com>, 
	Hans Liljestrand <ishkamiel@...il.com>, David Windsor <dwindsor@...il.com>, 
	Greg KH <gregkh@...uxfoundation.org>, Ingo Molnar <mingo@...hat.com>, 
	Alexey Dobriyan <adobriyan@...il.com>, "Serge E. Hallyn" <serge@...lyn.com>, arozansk@...hat.com, 
	Davidlohr Bueso <dave@...olabs.net>, Manfred Spraul <manfred@...orfullife.com>, 
	"axboe@...nel.dk" <axboe@...nel.dk>, James Bottomley <James.Bottomley@...senpartnership.com>, 
	"x86@...nel.org" <x86@...nel.org>, Ingo Molnar <mingo@...nel.org>, Arnd Bergmann <arnd@...db.de>, 
	"David S. Miller" <davem@...emloft.net>, Rik van Riel <riel@...hat.com>, 
	linux-arch <linux-arch@...r.kernel.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, 
	"Wangkai (Morgan, Euler)" <morgan.wang@...wei.com>
Subject: Re: [PATCH v5 3/3] x86/refcount: Implement fast
 refcount overflow protection

On Thu, Jun 29, 2017 at 7:42 PM, Li Kun <hw.likun@...wei.com> wrote:
>
>
> on 2017/6/30 6:05, Kees Cook wrote:
>>
>> On Wed, Jun 28, 2017 at 9:13 PM, Li Kun <hw.likun@...wei.com> wrote:
>>>
>>> 在 2017/5/31 5:39, Kees Cook 写道:
>>>>
>>>> +bool ex_handler_refcount(const struct exception_table_entry *fixup,
>>>> +                        struct pt_regs *regs, int trapnr)
>>>> +{
>>>> +       int reset;
>>>> +
>>>> +       /*
>>>> +        * If we crossed from INT_MAX to INT_MIN, the OF flag (result
>>>> +        * wrapped around) and the SF flag (result is negative) will be
>>>> +        * set. In this case, reset to INT_MAX in an attempt to leave
>>>> the
>>>> +        * refcount usable. Otherwise, we've landed here due to
>>>> producing
>>>> +        * a negative result from either decrementing zero or operating
>>>> on
>>>> +        * a negative value. In this case things are badly broken, so we
>>>> +        * we saturate to INT_MIN / 2.
>>>> +        */
>>>> +       if (regs->flags & (X86_EFLAGS_OF | X86_EFLAGS_SF))
>>>> +               reset = INT_MAX;
>>>
>>>      Should it be like this to indicate that the refcount is wapped from
>>> INT_MAX to INT_MIN ?
>>>          if (regs->flags & (X86_EFLAGS_OF | X86_EFLAGS_SF)
>>>                  == (X86_EFLAGS_OF | X86_EFLAGS_SF))
>>>
>>>                  reset = INT_MAX;
>>
>> Ah yes, thanks for the catch. Yeah, that test is expecting both
>> condition flags to be set.
>>
>> I'm still on the fence about the best way to deal with the bad states.
>> I've been pondering just strictly using a saturation value (INT_MIN /
>> 2), which should offer the same system state protection (except for
>> the inherent resource leak), but that means there isn't really a good
>> way to kill an offending process (since after saturation ALL processes
>> will look like violators). It can be argued that killing the process
>> doesn't actually provide any benefit since the system is still safe,
>> though.
>
> An immature idea,can we set the count to INT_MAX/2 when we detect and kill
> the offending process,
> and wait to see if there will be another offender touching the fence. Er,not
> very acurate,but better than
> killing all the processes doing refcount_add ,i think.
>>>>
>>>> +       else
>>>> +               reset = INT_MIN / 2;
>>>> +       *(int *)regs->cx = reset;

I suppose we could kill a process if it did the wrap from INT_MAX to
INT_MIN, and then ignore (though maintain saturation of) the rest.
i.e. if X86_EFLAGS_OF, kill and saturate. If X86_EFLAGS_SF, saturate.
I'm still curious about catching refcount_dec() (not
refcount_dec_and_test()) hitting zero.

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.