From: "Reshetova, Elena" <elena.reshetova@intel.com>
To: David Windsor <dwindsor@gmail.com>, Kees Cook <keescook@chromium.org>
Cc: "kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
Hans Liljestrand <ishkamiel@gmail.com>
Subject: [kernel-hardening] RE: [RFC PATCH 01/13] Add architecture independent hardened atomic base
Date: Tue, 4 Oct 2016 06:54:02 +0000 [thread overview]
Message-ID: <2236FBA76BA1254E88B949DDB74E612B41BDAC0E@IRSMSX102.ger.corp.intel.com> (raw)
In-Reply-To: <CAEXv5_h55L8UyYpFy6qQUPBqGfxOOR+DEXywbNVkBb89a336UQ@mail.gmail.com>
> config HARDENED_ATOMIC
> ...
> This option catches counter wrapping in atomic_t, which
> can turn refcounting over/underflow bugs into resource
> consumption bugs instead of exploitable user-after-free flaws.
>
>Sorry to be pedantic, but this feature doesn't actually protect against underflowing atomic_t, and you actually meant "use-after-free"
>flaws.
Actually I am looking into this now since at least on x86 it seems to catch the underflow in some form. This was the output from tests that Hans run:
> ...
> lkdtm: Performing direct entry ATOMIC_UNDERFLOW
> lkdtm: attempting good atomic increment
> lkdtm: attempting bad atomic underflow
> HARDENED_ATOMIC: refcount overflow detected in: cat:3015, uid/euid:
> 0/0
> HARDENED_ATOMIC: refcount overflow occurred at:
> ldtm_ATOMIC_UNDEFLOW+0x5f/0x80
> ---------[ cut here ]--------
> ...
This is the description of X86_TRAP_OF trap for x86:
"Interrupt 4—Overflow Exception (#OF)
Exception Class
Trap.
Description
Indicates that an overflow trap occurred when an INTO
instruction was executed. The INTO instruction checks the
state of the OF flag in the EFLAGS register. If the OF flag is set, an overflow trap is generated.
Some arithmetic instructions (such as the ADD and SU
B) perform both signed and unsigned arithmetic. These
instructions set the OF and CF flags in the EFLAGS register to indicate signed overflow and unsigned overflow,
respectively. When performing arithmetic on signed operands, the OF flag can be tested directly or the INTO
instruction can be used. The benefit of using the INTO instruction is that if the overflow exception is detected, an
exception handler can be called automatically to handle the overflow condition."
I start to believe that we have a mismatch of terms here.
Strictly speaking underflow is not defined for non-floating point numbers, so since we are dealing here with ints and longs,
when both of them approach zero and then wrap around, it is treated as overflow (just in a different direction than when it approaches LONG_MAX or LONG_MIN).
Does this makes sense for people?
Best Regards,
Elena.
next prev parent reply other threads:[~2016-10-04 6:54 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-03 6:41 [kernel-hardening] [RFC PATCH 00/13] HARDENING_ATOMIC feature Elena Reshetova
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 01/13] Add architecture independent hardened atomic base Elena Reshetova
2016-10-03 21:10 ` [kernel-hardening] " Kees Cook
2016-10-03 21:26 ` David Windsor
2016-10-03 21:38 ` Kees Cook
2016-10-04 7:05 ` [kernel-hardening] " Reshetova, Elena
2016-10-05 15:37 ` [kernel-hardening] " Dave Hansen
2016-10-04 7:07 ` [kernel-hardening] " Reshetova, Elena
2016-10-04 6:54 ` Reshetova, Elena [this message]
2016-10-04 7:23 ` Reshetova, Elena
2016-10-12 8:26 ` [kernel-hardening] " AKASHI Takahiro
2016-10-12 17:25 ` Reshetova, Elena
2016-10-12 22:50 ` Kees Cook
2016-10-13 14:31 ` Hans Liljestrand
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 02/13] percpu-refcount: leave atomic counter unprotected Elena Reshetova
2016-10-03 21:12 ` [kernel-hardening] " Kees Cook
2016-10-04 6:24 ` [kernel-hardening] " Reshetova, Elena
2016-10-04 13:06 ` [kernel-hardening] " Hans Liljestrand
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 03/13] kernel: identify wrapping atomic usage Elena Reshetova
2016-10-03 21:13 ` [kernel-hardening] " Kees Cook
2016-10-04 6:28 ` [kernel-hardening] " Reshetova, Elena
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 04/13] mm: " Elena Reshetova
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 05/13] fs: " Elena Reshetova
2016-10-03 21:57 ` Jann Horn
2016-10-03 22:21 ` Kees Cook
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 06/13] net: " Elena Reshetova
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 07/13] net: atm: " Elena Reshetova
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 08/13] security: " Elena Reshetova
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 09/13] drivers: identify wrapping atomic usage (part 1/2) Elena Reshetova
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 10/13] drivers: identify wrapping atomic usage (part 2/2) Elena Reshetova
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 11/13] x86: identify wrapping atomic usage Elena Reshetova
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 12/13] x86: x86 implementation for HARDENED_ATOMIC Elena Reshetova
2016-10-03 9:47 ` Jann Horn
2016-10-04 7:15 ` Reshetova, Elena
2016-10-04 12:46 ` Jann Horn
2016-10-03 19:27 ` Dave Hansen
2016-10-03 22:49 ` David Windsor
2016-10-04 12:41 ` Jann Horn
2016-10-04 18:51 ` Kees Cook
2016-10-04 19:48 ` Jann Horn
2016-10-05 15:39 ` Dave Hansen
2016-10-05 16:18 ` Jann Horn
2016-10-05 16:32 ` Dave Hansen
2016-10-03 21:29 ` [kernel-hardening] " Kees Cook
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 13/13] lkdtm: add tests for atomic over-/underflow Elena Reshetova
2016-10-03 21:35 ` [kernel-hardening] " Kees Cook
2016-10-04 6:27 ` [kernel-hardening] " Reshetova, Elena
2016-10-04 6:40 ` [kernel-hardening] " Hans Liljestrand
2016-10-03 8:14 ` [kernel-hardening] [RFC PATCH 00/13] HARDENING_ATOMIC feature AKASHI Takahiro
2016-10-03 8:13 ` Reshetova, Elena
2016-10-03 21:01 ` [kernel-hardening] " Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2236FBA76BA1254E88B949DDB74E612B41BDAC0E@IRSMSX102.ger.corp.intel.com \
--to=elena.reshetova@intel.com \
--cc=dwindsor@gmail.com \
--cc=ishkamiel@gmail.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.