Re: [kernel-hardening] Re: [PATCH] x86/refcount: Implement fast refcount_t handling

From: Rik van Riel
Date: Mon Apr 24 2017 - 21:11:43 EST


On Mon, 2017-04-24 at 15:37 -0700, Kees Cook wrote:
> On Mon, Apr 24, 2017 at 3:01 PM, Peter Zijlstra <peterz@xxxxxxxxxxxxx
> > wrote:
> > On Mon, Apr 24, 2017 at 01:40:56PM -0700, Kees Cook wrote:
> > > I think we're way off in the weeds here. The "cannot inc from 0"
> > > check
> > > is about general sanity checks on refcounts.
> >
> > I disagree, although sanity check are good too.
> >
> > > It should never happen, and if it does, there's a bug.
> >
> > The very same is true of the overflow thing.
> >
> > > However, what the refcount hardening protection is trying to do
> > > is
> > > protect again the exploitable condition: overflow.
> >
> > Sure..
> >
> > > Inc-from-0 isn't an exploitable condition since in theory
> > > the memory suddenly becomes correctly managed again.
> >
> > It does not. It just got free'ed. Nothing will stop the free from
> > happening (or already having happened).
>
> Well, yes, but that's kind of my point. Detecting inc-from-0 is "too
> late" to offer a protection. It offers notification of a bug, rather
> than stopping an exploit from happening.

inc-from-0 could allow the attacker to gain access to
an object which gets allocated to a new user afterwards.

Certainly much less useful as an exploit, but still a
potential privilege escalation.