Re: [PATCH v2] creds: Convert cred.usage to refcount_t

From: Kees Cook
Date: Fri Aug 18 2023 - 14:49:10 EST

Next message: Leon Romanovsky: "Re: [net-next PATCH v3] octeontx2-pf: Use PTP HW timestamp counter atomic update feature"
Previous message: Waiman Long: "Re: [PATCH v3] sched/core: Use empty mask to reset cpumasks in sched_setaffinity()"
In reply to: Jann Horn: "Re: [PATCH v2] creds: Convert cred.usage to refcount_t"
Next in thread: Andrew Morton: "Re: [PATCH v2] creds: Convert cred.usage to refcount_t"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Aug 18, 2023 at 08:17:55PM +0200, Jann Horn wrote:
> On Fri, Aug 18, 2023 at 7:56 PM Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
> > On Thu, 17 Aug 2023 21:17:41 -0700 Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> >
> > > From: Elena Reshetova <elena.reshetova@xxxxxxxxx>
> > >
> > > atomic_t variables are currently used to implement reference counters
> > > with the following properties:
> > > - counter is initialized to 1 using atomic_set()
> > > - a resource is freed upon counter reaching zero
> > > - once counter reaches zero, its further
> > > increments aren't allowed
> > > - counter schema uses basic atomic operations
> > > (set, inc, inc_not_zero, dec_and_test, etc.)
> > >
> > > Such atomic variables should be converted to a newly provided
> > > refcount_t type and API that prevents accidental counter overflows and
> > > underflows. This is important since overflows and underflows can lead
> > > to use-after-free situation and be exploitable.
> >
> > ie, if we have bugs which we have no reason to believe presently exist,
> > let's bloat and slow down the kernel just in case we add some in the
> > future?
>
> Yeah. Or in case we currently have some that we missed.

Right, or to protect us against the _introduction_ of flaws.

> Though really we don't *just* need refcount_t to catch bugs; on a
> system with enough RAM you can also overflow many 32-bit refcounts by
> simply creating 2^32 actual references to an object. Depending on the
> structure of objects that hold such refcounts, that can start
> happening at around 2^32 * 8 bytes = 32 GiB memory usage, and it
> becomes increasingly practical to do this with more objects if you
> have significantly more RAM. I suppose you could avoid such issues by
> putting a hard limit of 32 GiB on the amount of slab memory and
> requiring that kernel object references are stored as pointers in slab
> memory, or by making all the refcounts 64-bit.

These problems are a different issue, and yes, the path out of it would
be to crank the size of refcount_t, etc.

--
Kees Cook

Next message: Leon Romanovsky: "Re: [net-next PATCH v3] octeontx2-pf: Use PTP HW timestamp counter atomic update feature"
Previous message: Waiman Long: "Re: [PATCH v3] sched/core: Use empty mask to reset cpumasks in sched_setaffinity()"
In reply to: Jann Horn: "Re: [PATCH v2] creds: Convert cred.usage to refcount_t"
Next in thread: Andrew Morton: "Re: [PATCH v2] creds: Convert cred.usage to refcount_t"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]