From: Kees Cook <keescook@chromium.org>
To: Ingo Molnar <mingo@kernel.org>
Cc: Kees Cook <keescook@chromium.org>,
Peter Zijlstra <peterz@infradead.org>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
Kalle Valo <kvalo@codeaurora.org>,
Andrew Morton <akpm@linux-foundation.org>,
Rik van Riel <riel@redhat.com>,
Jakub Kicinski <jakub.kicinski@netronome.com>,
Viresh Kumar <viresh.kumar@linaro.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Geert Uytterhoeven <geert@linux-m68k.org>,
Olof Johansson <olof@lixom.net>,
Chris Wilson <chris@chris-wilson.co.uk>,
George Spelvin <linux@sciencehorizons.net>,
Thomas Gleixner <tglx@linutronix.de>,
Josh Poimboeuf <jpoimboe@redhat.com>,
David Windsor <dwindsor@gmail.com>,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com
Subject: [PATCH v2 7/7] refcount: Check bad states with CHECK_DATA_CORRUPTION()
Date: Tue, 4 Apr 2017 15:12:18 -0700 [thread overview]
Message-ID: <1491343938-75336-8-git-send-email-keescook@chromium.org> (raw)
In-Reply-To: <1491343938-75336-1-git-send-email-keescook@chromium.org>
This converts from WARN_ONCE() to CHECK_DATA_CORRUPTION() (so that system
builders can choose between WARN and BUG). Additionally moves refcount_t
sanity-check conditionals into regular function flow.
Now when built with CONFIG_BUG_ON_DATA_CORRUPTION, the LKDTM REFCOUNT_*
tests correctly kill offending processes.
Signed-off-by: Kees Cook <keescook@chromium.org>
---
lib/refcount.c | 33 +++++++++++++++++++++------------
1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/lib/refcount.c b/lib/refcount.c
index f42124ccf295..88289210d9fd 100644
--- a/lib/refcount.c
+++ b/lib/refcount.c
@@ -37,6 +37,13 @@
#include <linux/refcount.h>
#include <linux/bug.h>
+/*
+ * CHECK_DATA_CORRUPTION() is defined with __must_check, but we have a
+ * couple places where we want to report a condition that has already
+ * been checked, so this lets us cheat __must_check.
+ */
+#define REFCOUNT_CHECK(cond, str) unlikely(CHECK_DATA_CORRUPTION(cond, str))
+
/**
* refcount_add_not_zero - add a value to a refcount unless it is 0
* @i: the value to add to the refcount
@@ -72,7 +79,8 @@ bool refcount_add_not_zero(unsigned int i, refcount_t *r)
} while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new));
- WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n");
+ REFCOUNT_CHECK(new == UINT_MAX,
+ "refcount_t: add saturated; leaking memory.\n");
return true;
}
@@ -96,7 +104,8 @@ EXPORT_SYMBOL_GPL(refcount_add_not_zero);
*/
void refcount_add(unsigned int i, refcount_t *r)
{
- WARN_ONCE(!refcount_add_not_zero(i, r), "refcount_t: addition on 0; use-after-free.\n");
+ REFCOUNT_CHECK(!refcount_add_not_zero(i, r),
+ "refcount_t: addition on 0; use-after-free.\n");
}
EXPORT_SYMBOL_GPL(refcount_add);
@@ -127,7 +136,8 @@ bool refcount_inc_not_zero(refcount_t *r)
} while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new));
- WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n");
+ REFCOUNT_CHECK(new == UINT_MAX,
+ "refcount_t: inc saturated; leaking memory.\n");
return true;
}
@@ -147,7 +157,8 @@ EXPORT_SYMBOL_GPL(refcount_inc_not_zero);
*/
void refcount_inc(refcount_t *r)
{
- WARN_ONCE(!refcount_inc_not_zero(r), "refcount_t: increment on 0; use-after-free.\n");
+ REFCOUNT_CHECK(!refcount_inc_not_zero(r),
+ "refcount_t: increment on 0; use-after-free.\n");
}
EXPORT_SYMBOL_GPL(refcount_inc);
@@ -180,10 +191,9 @@ bool refcount_sub_and_test(unsigned int i, refcount_t *r)
return false;
new = val - i;
- if (new > val) {
- WARN_ONCE(new > val, "refcount_t: underflow; use-after-free.\n");
+ if (REFCOUNT_CHECK(new > val,
+ "refcount_t: sub underflow; use-after-free.\n"))
return false;
- }
} while (!atomic_try_cmpxchg_release(&r->refs, &val, new));
@@ -222,7 +232,8 @@ EXPORT_SYMBOL_GPL(refcount_dec_and_test);
*/
void refcount_dec(refcount_t *r)
{
- WARN_ONCE(refcount_dec_and_test(r), "refcount_t: decrement hit 0; leaking memory.\n");
+ REFCOUNT_CHECK(refcount_dec_and_test(r),
+ "refcount_t: decrement hit 0; leaking memory.\n");
}
EXPORT_SYMBOL_GPL(refcount_dec);
@@ -273,10 +284,9 @@ bool refcount_dec_not_one(refcount_t *r)
return false;
new = val - 1;
- if (new > val) {
- WARN_ONCE(new > val, "refcount_t: underflow; use-after-free.\n");
+ if (REFCOUNT_CHECK(new > val,
+ "refcount_t: dec underflow; use-after-free.\n"))
return true;
- }
} while (!atomic_try_cmpxchg_release(&r->refs, &val, new));
@@ -345,4 +355,3 @@ bool refcount_dec_and_lock(refcount_t *r, spinlock_t *lock)
return true;
}
EXPORT_SYMBOL_GPL(refcount_dec_and_lock);
-
--
2.7.4
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Ingo Molnar <mingo@kernel.org>
Cc: Kees Cook <keescook@chromium.org>,
Peter Zijlstra <peterz@infradead.org>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
Kalle Valo <kvalo@codeaurora.org>,
Andrew Morton <akpm@linux-foundation.org>,
Rik van Riel <riel@redhat.com>,
Jakub Kicinski <jakub.kicinski@netronome.com>,
Viresh Kumar <viresh.kumar@linaro.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Geert Uytterhoeven <geert@linux-m68k.org>,
Olof Johansson <olof@lixom.net>,
Chris Wilson <chris@chris-wilson.co.uk>,
George Spelvin <linux@sciencehorizons.net>,
Thomas Gleixner <tglx@linutronix.de>,
Josh Poimboeuf <jpoimboe@redhat.com>,
David Windsor <dwindsor@gmail.com>,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] [PATCH v2 7/7] refcount: Check bad states with CHECK_DATA_CORRUPTION()
Date: Tue, 4 Apr 2017 15:12:18 -0700 [thread overview]
Message-ID: <1491343938-75336-8-git-send-email-keescook@chromium.org> (raw)
In-Reply-To: <1491343938-75336-1-git-send-email-keescook@chromium.org>
This converts from WARN_ONCE() to CHECK_DATA_CORRUPTION() (so that system
builders can choose between WARN and BUG). Additionally moves refcount_t
sanity-check conditionals into regular function flow.
Now when built with CONFIG_BUG_ON_DATA_CORRUPTION, the LKDTM REFCOUNT_*
tests correctly kill offending processes.
Signed-off-by: Kees Cook <keescook@chromium.org>
---
lib/refcount.c | 33 +++++++++++++++++++++------------
1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/lib/refcount.c b/lib/refcount.c
index f42124ccf295..88289210d9fd 100644
--- a/lib/refcount.c
+++ b/lib/refcount.c
@@ -37,6 +37,13 @@
#include <linux/refcount.h>
#include <linux/bug.h>
+/*
+ * CHECK_DATA_CORRUPTION() is defined with __must_check, but we have a
+ * couple places where we want to report a condition that has already
+ * been checked, so this lets us cheat __must_check.
+ */
+#define REFCOUNT_CHECK(cond, str) unlikely(CHECK_DATA_CORRUPTION(cond, str))
+
/**
* refcount_add_not_zero - add a value to a refcount unless it is 0
* @i: the value to add to the refcount
@@ -72,7 +79,8 @@ bool refcount_add_not_zero(unsigned int i, refcount_t *r)
} while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new));
- WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n");
+ REFCOUNT_CHECK(new == UINT_MAX,
+ "refcount_t: add saturated; leaking memory.\n");
return true;
}
@@ -96,7 +104,8 @@ EXPORT_SYMBOL_GPL(refcount_add_not_zero);
*/
void refcount_add(unsigned int i, refcount_t *r)
{
- WARN_ONCE(!refcount_add_not_zero(i, r), "refcount_t: addition on 0; use-after-free.\n");
+ REFCOUNT_CHECK(!refcount_add_not_zero(i, r),
+ "refcount_t: addition on 0; use-after-free.\n");
}
EXPORT_SYMBOL_GPL(refcount_add);
@@ -127,7 +136,8 @@ bool refcount_inc_not_zero(refcount_t *r)
} while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new));
- WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n");
+ REFCOUNT_CHECK(new == UINT_MAX,
+ "refcount_t: inc saturated; leaking memory.\n");
return true;
}
@@ -147,7 +157,8 @@ EXPORT_SYMBOL_GPL(refcount_inc_not_zero);
*/
void refcount_inc(refcount_t *r)
{
- WARN_ONCE(!refcount_inc_not_zero(r), "refcount_t: increment on 0; use-after-free.\n");
+ REFCOUNT_CHECK(!refcount_inc_not_zero(r),
+ "refcount_t: increment on 0; use-after-free.\n");
}
EXPORT_SYMBOL_GPL(refcount_inc);
@@ -180,10 +191,9 @@ bool refcount_sub_and_test(unsigned int i, refcount_t *r)
return false;
new = val - i;
- if (new > val) {
- WARN_ONCE(new > val, "refcount_t: underflow; use-after-free.\n");
+ if (REFCOUNT_CHECK(new > val,
+ "refcount_t: sub underflow; use-after-free.\n"))
return false;
- }
} while (!atomic_try_cmpxchg_release(&r->refs, &val, new));
@@ -222,7 +232,8 @@ EXPORT_SYMBOL_GPL(refcount_dec_and_test);
*/
void refcount_dec(refcount_t *r)
{
- WARN_ONCE(refcount_dec_and_test(r), "refcount_t: decrement hit 0; leaking memory.\n");
+ REFCOUNT_CHECK(refcount_dec_and_test(r),
+ "refcount_t: decrement hit 0; leaking memory.\n");
}
EXPORT_SYMBOL_GPL(refcount_dec);
@@ -273,10 +284,9 @@ bool refcount_dec_not_one(refcount_t *r)
return false;
new = val - 1;
- if (new > val) {
- WARN_ONCE(new > val, "refcount_t: underflow; use-after-free.\n");
+ if (REFCOUNT_CHECK(new > val,
+ "refcount_t: dec underflow; use-after-free.\n"))
return true;
- }
} while (!atomic_try_cmpxchg_release(&r->refs, &val, new));
@@ -345,4 +355,3 @@ bool refcount_dec_and_lock(refcount_t *r, spinlock_t *lock)
return true;
}
EXPORT_SYMBOL_GPL(refcount_dec_and_lock);
-
--
2.7.4
next prev parent reply other threads:[~2017-04-04 22:13 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-04 22:12 [PATCH v2] bug: further enhance use of CHECK_DATA_CORRUPTION Kees Cook
2017-04-04 22:12 ` [kernel-hardening] " Kees Cook
2017-04-04 22:12 ` [PATCH v2 1/7] bug: Clarify help text for BUG_ON_DATA_CORRUPTION Kees Cook
2017-04-04 22:12 ` [kernel-hardening] " Kees Cook
2017-04-05 5:47 ` Ian Campbell
2017-04-05 19:32 ` Kees Cook
2017-04-05 19:32 ` Kees Cook
2017-04-04 22:12 ` [PATCH v2 2/7] bug: Improve unlikely() in data corruption check Kees Cook
2017-04-04 22:12 ` [kernel-hardening] " Kees Cook
2017-04-04 22:12 ` [PATCH v2 3/7] bug: Use WARN_ONCE() for CHECK_DATA_CORRUPTION() Kees Cook
2017-04-04 22:12 ` [kernel-hardening] " Kees Cook
2017-04-04 22:12 ` [PATCH v2 4/7] bug: Enable DEBUG_CREDENTIALS under BUG_ON_DATA_CORRUPTION Kees Cook
2017-04-04 22:12 ` [kernel-hardening] " Kees Cook
2017-04-04 22:12 ` [PATCH v2 5/7] bug: Enable DEBUG_SG " Kees Cook
2017-04-04 22:12 ` [kernel-hardening] " Kees Cook
2017-04-04 22:12 ` [PATCH v2 6/7] notifiers: Use CHECK_DATA_CORRUPTION() on checks Kees Cook
2017-04-04 22:12 ` [kernel-hardening] " Kees Cook
2017-04-04 22:12 ` Kees Cook [this message]
2017-04-04 22:12 ` [kernel-hardening] [PATCH v2 7/7] refcount: Check bad states with CHECK_DATA_CORRUPTION() Kees Cook
2021-01-04 23:07 ` [PATCH v2] bug: further enhance use of CHECK_DATA_CORRUPTION Josh Poimboeuf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1491343938-75336-8-git-send-email-keescook@chromium.org \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=chris@chris-wilson.co.uk \
--cc=dwindsor@gmail.com \
--cc=geert@linux-m68k.org \
--cc=jakub.kicinski@netronome.com \
--cc=jpoimboe@redhat.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@sciencehorizons.net \
--cc=mingo@kernel.org \
--cc=olof@lixom.net \
--cc=paulmck@linux.vnet.ibm.com \
--cc=peterz@infradead.org \
--cc=riel@redhat.com \
--cc=tglx@linutronix.de \
--cc=viresh.kumar@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.