Re: [RFC] Warn the user when they could overflow mapcount

From: valdis . kletnieks
Date: Thu Feb 08 2018 - 12:58:57 EST

Next message: sean.wang: "[PATCH v4 0/5] add support for Mediatek High-Speed DMA controller on MT7622 and MT7623 SoC"
Previous message: Mark Salter: "Re: [PATCH] perf: arm_pmu_acpi: Fix armpmu_alloc call from invalid context"
Next in thread: Daniel Micay: "Re: [RFC] Warn the user when they could overflow mapcount"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 08 Feb 2018 03:56:26 +0100, Jann Horn said:

> I wouldn't be too surprised if there are more 32-bit overflows that
> start being realistic once you put something on the order of terabytes
> of memory into one machine, given that refcount_t is 32 bits wide -
> for example, the i_count. See
> https://bugs.chromium.org/p/project-zero/issues/detail?id=809 for an
> example where, given a sufficiently high RLIMIT_MEMLOCK, it was
> possible to overflow a 32-bit refcounter on a system with just ~32GiB
> of free memory (minimum required to store 2^32 64-bit pointers).
>
> On systems with RAM on the order of terabytes, it's probably a good
> idea to turn on refcount hardening to make issues like that
> non-exploitable for now.

I have at least 10 systems across the hall that have 3T of RAM on them
across our various HPC clusters. So this is indeed no longer a hypothetical
issue.

Attachment: pgpceFdoGDpTJ.pgp
Description: PGP signature

Next message: sean.wang: "[PATCH v4 0/5] add support for Mediatek High-Speed DMA controller on MT7622 and MT7623 SoC"
Previous message: Mark Salter: "Re: [PATCH] perf: arm_pmu_acpi: Fix armpmu_alloc call from invalid context"
Next in thread: Daniel Micay: "Re: [RFC] Warn the user when they could overflow mapcount"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]