From: Kees Cook <keescook@chromium.org>
To: Mike Galbraith <efault@gmx.de>
Cc: "David S. Miller" <davem@davemloft.net>,
Peter Zijlstra <peterz@infradead.org>,
LKML <linux-kernel@vger.kernel.org>, Ingo Molnar <mingo@elte.hu>,
"Reshetova, Elena" <elena.reshetova@intel.com>,
Network Development <netdev@vger.kernel.org>
Subject: Re: tip -ENOBOOT - bisected to locking/refcounts, x86/asm: Implement fast refcount overflow protection
Date: Thu, 31 Aug 2017 11:45:17 -0700 [thread overview]
Message-ID: <CAGXu5j+RPDAP-dK+dizQV4prmWBhqU_G1PccWpME=924-2985w@mail.gmail.com> (raw)
In-Reply-To: <1504199967.666.16.camel@gmx.de>
On Thu, Aug 31, 2017 at 10:19 AM, Mike Galbraith <efault@gmx.de> wrote:
> On Thu, 2017-08-31 at 10:00 -0700, Kees Cook wrote:
>>
>> Oh! So it's gcc-version sensitive? That's alarming. Is this mapping correct:
>>
>> 4.8.5: WARN, eventual kernel hang
>> 6.3.1, 7.0.1: WARN, but continues working
>
> Yeah, that's correct. I find that troubling, simply because this gcc
> version has been through one hell of a lot of kernels with me. Yeah, I
> know, that doesn't exempt it from having bugs, but color me suspicious.
I still can't hit this with a 4.8.5 build. :(
With _RATELIMIT removed, this should, in theory, report whatever goes
negative first...
diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
index c076f710de4c..d4fc6b91c0e6 100644
--- a/arch/x86/mm/extable.c
+++ b/arch/x86/mm/extable.c
@@ -72,6 +72,10 @@ bool ex_handler_refcount(const struct
exception_table_entry *fixup,
bool zero = regs->flags & X86_EFLAGS_ZF;
refcount_error_report(regs, zero ? "hit zero" : "overflow");
+ } else if (regs->flags & X86_EFLAGS_SF) {
+ refcount_error_report(regs, "result was negative");
+ } else {
+ refcount_error_report(regs, "unknown state");
}
return true;
diff --git a/kernel/panic.c b/kernel/panic.c
index bdd18afa19a4..966ade491543 100644
--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -605,7 +605,7 @@ EXPORT_SYMBOL(__stack_chk_fail);
#ifdef CONFIG_ARCH_HAS_REFCOUNT
void refcount_error_report(struct pt_regs *regs, const char *err)
{
- WARN_RATELIMIT(1, "refcount_t %s at %pB in %s[%d], uid/euid: %u/%u\n",
+ WARN(1, "refcount_t %s at %pB in %s[%d], uid/euid: %u/%u\n",
err, (void *)instruction_pointer(regs),
current->comm, task_pid_nr(current),
from_kuid_munged(&init_user_ns, current_uid()),
And if it is still a refcount_inc(), and only on gcc 4.8.5, then I
think we need to study the resulting assembly...
-Kees
--
Kees Cook
Pixel Security
next prev parent reply other threads:[~2017-08-31 18:45 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1503996623.8323.20.camel@gmx.de>
[not found] ` <CAGXu5jLYHy6Damtg_Pc4=G76OUiMV3fcY9+Ru1-Lmiq6VWEgsw@mail.gmail.com>
[not found] ` <1504025721.6024.25.camel@gmx.de>
[not found] ` <1504030207.6560.0.camel@gmx.de>
[not found] ` <CAGXu5jKSWiZ8NkgUqO6G8fs5R06bMtdFBmZz9MMX-HAk8nXXNw@mail.gmail.com>
[not found] ` <1504069332.8352.3.camel@gmx.de>
[not found] ` <CAGXu5jJim=r8b+y1qQXtuzm9fPyv1tp9ANebxbCc9ic2c83_Mg@mail.gmail.com>
[not found] ` <1504113212.5852.6.camel@gmx.de>
[not found] ` <CAGXu5jJd80-0PJvB51x9ZDETPSoAtRVQ7dQ6HWwd0DYpKBgPFA@mail.gmail.com>
[not found] ` <1504115735.5852.11.camel@gmx.de>
[not found] ` <CAGXu5j+BLj6_LPfKs-vts-mbyJHu8D--WrmWbiT8Zbt-iD65KA@mail.gmail.com>
[not found] ` <CAGXu5j+neSYAqb8=r42=jQ0LsJTGjCSdpgc9Hv+ipyAFURbCdw@mail.gmail.com>
[not found] ` <1504145389.23109.4.camel@gmx.de>
[not found] ` <CAGXu5jLKXEDdSpxxVM5oHHUWKbSTozx4FZRn70bQm4tQAhMqUQ@mail.gmail.com>
[not found] ` <1504149176.23109.9.camel@gmx.de>
2017-08-31 4:01 ` tip -ENOBOOT - bisected to locking/refcounts, x86/asm: Implement fast refcount overflow protection Kees Cook
2017-08-31 4:10 ` Kees Cook
2017-08-31 4:38 ` Mike Galbraith
2017-08-31 13:58 ` Mike Galbraith
2017-08-31 17:00 ` Kees Cook
2017-08-31 17:19 ` Mike Galbraith
2017-08-31 18:45 ` Kees Cook [this message]
2017-09-01 6:57 ` Mike Galbraith
2017-09-01 13:09 ` Mike Galbraith
2017-09-01 17:12 ` Kees Cook
2017-09-01 17:52 ` Mike Galbraith
2017-09-01 18:58 ` Kees Cook
2017-09-01 19:24 ` Mike Galbraith
2017-09-01 19:40 ` Kees Cook
2017-08-31 19:28 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGXu5j+RPDAP-dK+dizQV4prmWBhqU_G1PccWpME=924-2985w@mail.gmail.com' \
--to=keescook@chromium.org \
--cc=davem@davemloft.net \
--cc=efault@gmx.de \
--cc=elena.reshetova@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=netdev@vger.kernel.org \
--cc=peterz@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).