Re: tip -ENOBOOT - bisected to locking/refcounts, x86/asm: Implement fast refcount overflow protection
From: Kees Cook
Date: Thu Aug 31 2017 - 14:45:23 EST
On Thu, Aug 31, 2017 at 10:19 AM, Mike Galbraith <efault@xxxxxx> wrote:
> On Thu, 2017-08-31 at 10:00 -0700, Kees Cook wrote:
>>
>> Oh! So it's gcc-version sensitive? That's alarming. Is this mapping correct:
>>
>> 4.8.5: WARN, eventual kernel hang
>> 6.3.1, 7.0.1: WARN, but continues working
>
> Yeah, that's correct. I find that troubling, simply because this gcc
> version has been through one hell of a lot of kernels with me. Yeah, I
> know, that doesn't exempt it from having bugs, but color me suspicious.
I still can't hit this with a 4.8.5 build. :(
With _RATELIMIT removed, this should, in theory, report whatever goes
negative first...
diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
index c076f710de4c..d4fc6b91c0e6 100644
--- a/arch/x86/mm/extable.c
+++ b/arch/x86/mm/extable.c
@@ -72,6 +72,10 @@ bool ex_handler_refcount(const struct
exception_table_entry *fixup,
bool zero = regs->flags & X86_EFLAGS_ZF;
refcount_error_report(regs, zero ? "hit zero" : "overflow");
+ } else if (regs->flags & X86_EFLAGS_SF) {
+ refcount_error_report(regs, "result was negative");
+ } else {
+ refcount_error_report(regs, "unknown state");
}
return true;
diff --git a/kernel/panic.c b/kernel/panic.c
index bdd18afa19a4..966ade491543 100644
--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -605,7 +605,7 @@ EXPORT_SYMBOL(__stack_chk_fail);
#ifdef CONFIG_ARCH_HAS_REFCOUNT
void refcount_error_report(struct pt_regs *regs, const char *err)
{
- WARN_RATELIMIT(1, "refcount_t %s at %pB in %s[%d], uid/euid: %u/%u\n",
+ WARN(1, "refcount_t %s at %pB in %s[%d], uid/euid: %u/%u\n",
err, (void *)instruction_pointer(regs),
current->comm, task_pid_nr(current),
from_kuid_munged(&init_user_ns, current_uid()),
And if it is still a refcount_inc(), and only on gcc 4.8.5, then I
think we need to study the resulting assembly...
-Kees
--
Kees Cook
Pixel Security