Re: [PATCH v2] creds: Convert cred.usage to refcount_t

From: Kees Cook
Date: Fri Aug 18 2023 - 16:17:35 EST

Next message: Saravana Kannan: "Re: [PATCH 5.17 127/298] driver core: Fix wait_for_device_probe() & deferred_probe_timeout interaction"
Previous message: Mark Brown: "Re: [PATCH v4 19/36] arm64/gcs: Allocate a new GCS for threads with GCS enabled"
In reply to: David Laight: "RE: [PATCH v2] creds: Convert cred.usage to refcount_t"
Next in thread: Jann Horn: "Re: [PATCH v2] creds: Convert cred.usage to refcount_t"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Aug 18, 2023 at 12:31:48PM -0700, Andrew Morton wrote:
> On Fri, 18 Aug 2023 11:48:16 -0700 Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
> > On Fri, Aug 18, 2023 at 08:17:55PM +0200, Jann Horn wrote:
> > > On Fri, Aug 18, 2023 at 7:56 PM Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
> > > > On Thu, 17 Aug 2023 21:17:41 -0700 Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> > > >
> > > > > From: Elena Reshetova <elena.reshetova@xxxxxxxxx>
> > > > >
> > > > > atomic_t variables are currently used to implement reference counters
> > > > > with the following properties:
> > > > > - counter is initialized to 1 using atomic_set()
> > > > > - a resource is freed upon counter reaching zero
> > > > > - once counter reaches zero, its further
> > > > > increments aren't allowed
> > > > > - counter schema uses basic atomic operations
> > > > > (set, inc, inc_not_zero, dec_and_test, etc.)
> > > > >
> > > > > Such atomic variables should be converted to a newly provided
> > > > > refcount_t type and API that prevents accidental counter overflows and
> > > > > underflows. This is important since overflows and underflows can lead
> > > > > to use-after-free situation and be exploitable.
> > > >
> > > > ie, if we have bugs which we have no reason to believe presently exist,
> > > > let's bloat and slow down the kernel just in case we add some in the
> > > > future?
> > >
> > > Yeah. Or in case we currently have some that we missed.
> >
> > Right, or to protect us against the _introduction_ of flaws.
>
> We could cheerfully add vast amounts of code to the kernel to check for
> the future addition of bugs. But we don't do that, because it would be
> insane.

This is a slippery-slope fallacy and doesn't apply. Yes, we don't add vast
amounts of code for that and that isn't the case here. This is fixing a
known weakness of using atomic reference counts, with a long history of
exploitation, on a struct used for enforcing security boundaries, solved
with the kernel's standard reference counting type. As I mentioned in
the other arm[1] of this thread, I think the question is better "Why is
this NOT refcount_t? What is the benefit, and why does that make struct
cred special?"

> > > Though really we don't *just* need refcount_t to catch bugs; on a
> > > system with enough RAM you can also overflow many 32-bit refcounts by
> > > simply creating 2^32 actual references to an object. Depending on the
> > > structure of objects that hold such refcounts, that can start
> > > happening at around 2^32 * 8 bytes = 32 GiB memory usage, and it
> > > becomes increasingly practical to do this with more objects if you
> > > have significantly more RAM. I suppose you could avoid such issues by
> > > putting a hard limit of 32 GiB on the amount of slab memory and
> > > requiring that kernel object references are stored as pointers in slab
> > > memory, or by making all the refcounts 64-bit.
> >
> > These problems are a different issue, and yes, the path out of it would
> > be to crank the size of refcount_t, etc.
>
> Is it possible for such overflows to occur in the cred code? If so,
> that's a bug. Can we fix that cred bug without all this overhead?
> With a cc:stable backport. If not then, again, what is the non
> handwavy, non cargoculty justification for adding this overhead to
> the kernel?

The only overhead is on slow-path for the error conditions. There is no
_known_ bug in the cred code today, but there might be unknown flaws,
or new flaws or unexpected reachability may be introduced in the future.
That's the whole point of making kernel code defensive. I've talked about
this (with lots of data to support it) at length before[2], mainly around
the lifetime of exploitable flaws: average lifetime is more than 5 years
and we keep introducing them in code that uses fragile types or ambiguous
language features. But I _haven't_ had to talk much about reference
counting since 2016 when we grew a proper type for it. :)

Let's get the stragglers fixed.

-Kees

[1] https://lore.kernel.org/lkml/202308181131.045F806@keescook/
[2] https://outflux.net/slides/2021/lss/kspp.pdf (see slides 4, 5, 6)
https://outflux.net/slides/2019/lss/kspp.pdf (see slides 4, 5, 6)
https://outflux.net/slides/2018/lss/kspp.pdf (see slides 3, 4)
https://outflux.net/slides/2017/lss/kspp.pdf (see slides 5, 6, 13)
https://outflux.net/slides/2017/ks/kspp.pdf (see slides 3, 4, 12)
https://outflux.net/slides/2016/lss/kspp.pdf (see slides 5, 6, 12, 20)
https://outflux.net/slides/2016/ks/kspp.pdf (see slides 17, 21)
https://outflux.net/slides/2015/ks/security.pdf (see slides 4, 13)

--
Kees Cook

Next message: Saravana Kannan: "Re: [PATCH 5.17 127/298] driver core: Fix wait_for_device_probe() & deferred_probe_timeout interaction"
Previous message: Mark Brown: "Re: [PATCH v4 19/36] arm64/gcs: Allocate a new GCS for threads with GCS enabled"
In reply to: David Laight: "RE: [PATCH v2] creds: Convert cred.usage to refcount_t"
Next in thread: Jann Horn: "Re: [PATCH v2] creds: Convert cred.usage to refcount_t"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]