Re: [RFC] Disable lockref on arm64

From: Ard Biesheuvel
Date: Sat Jun 15 2019 - 10:23:25 EST


On Sat, 15 Jun 2019 at 15:59, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
> On Sat, Jun 15, 2019 at 10:47:19AM +0200, Ard Biesheuvel wrote:
> > remaining question Will had was whether it makes sense to do the
> > condition checks before doing the actual store, to avoid having a time
> > window where the refcount assumes its illegal value. Since arm64 does
> > not have memory operands, the instruction count wouldn't change, but
> > it will definitely result in a performance hit on out-of-order CPUs.
>
> What do the races end up looking like? Is it possible to have two
> threads ordered in a way that a second thread could _un_saturate a
> counter?
>
> CPU 1                      CPU 2
> inc()
> load INT_MAX-1
> about to overflow?
> yes
>                            dec()
>                            load INT_MAX-1
> set to INT_MAX
>                            set to INT_MAX-2
>
> Or would you use the same INT_MIN/2 saturation point done on x86?
>

Yes, I am using the same saturation point as x86. In this example, I
am not entirely sure I understand why it matters, though: the atomics
guarantee that the write by CPU2 fails if CPU1 changed the value in
the meantime, regardless of which value it wrote.

I think the concern is more related to the likelihood of another CPU
doing something nasty between the moment that the refcount overflows
and the moment that the handler pins it at INT_MIN/2, e.g.,

> CPU 1 CPU 2
> inc()
> load INT_MAX
> about to overflow?
> yes
>
> set to 0
> <insert exploit here>
> set to INT_MIN/2


> As for performance, it should be easy to measure with the LKDTM test
> to find out exactly the differences.
>

Yes, I intend to look into this on Monday.
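Added illustration of the two points above, written for this page; it is a userspace model in C11 atomics, not Ard's arm64 patch and not the kernel's refcount_t. It assumes the x86 saturation value INT_MIN/2 named in the thread. Variant A does the condition check before the store (the order Will asked about), so a concurrent decrement that loaded the old value has its compare-and-swap rejected once the first CPU has pinned the counter, whatever value that CPU wrote. Variant B is the store-then-fix order split into its two steps, so the window in which the counter holds an illegal value can be observed directly. The function names and the model_* helpers are hypothetical.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>

/* Saturation point, same as x86 refcount_t (assumed from the thread). */
#define REFCOUNT_SATURATED (INT_MIN / 2)

typedef struct { atomic_int refs; } refcount_t;

static void refcount_set(refcount_t *r, int v) { atomic_store(&r->refs, v); }
static int  refcount_read(refcount_t *r)       { return atomic_load(&r->refs); }

/* Variant A: check-before-store, one compare-and-swap attempt at an increment.
 * `*expected` is the value this CPU loaded. The new value is computed from it
 * and the counter is pinned instead of being allowed to overflow, so no illegal
 * value is ever stored. Returns true if the store landed. Returns false if
 * another CPU changed the counter in the meantime: the CAS fails regardless of
 * what that CPU wrote, and `*expected` now holds the value actually in memory
 * so the caller can retry against it. */
static bool refcount_inc_try(refcount_t *r, int *expected)
{
    int nv;
    if (*expected < 0)                    /* already saturated: stay pinned */
        return true;
    nv = (*expected == INT_MAX) ? REFCOUNT_SATURATED : *expected + 1;
    return atomic_compare_exchange_strong(&r->refs, expected, nv);
}

static bool refcount_dec_try(refcount_t *r, int *expected)
{
    int nv;
    if (*expected < 0)                    /* saturated counters are never released */
        return true;
    nv = (*expected == 0) ? REFCOUNT_SATURATED : *expected - 1; /* underflow pins too */
    return atomic_compare_exchange_strong(&r->refs, expected, nv);
}

/* Full operations: retry until the CAS lands; return the resulting value. */
static int refcount_inc(refcount_t *r)
{
    int old = refcount_read(r);
    while (!refcount_inc_try(r, &old)) { }
    return refcount_read(r);
}

static int refcount_dec(refcount_t *r)
{
    int old = refcount_read(r);
    while (!refcount_dec_try(r, &old)) { }
    return refcount_read(r);
}

/* Variant B: store-then-fix, split into its two steps. Step 1 performs the add
 * unconditionally (the counter wraps to INT_MIN); step 2 is the handler that
 * pins it afterwards. Between the two, other CPUs observe the illegal value. */
static int refcount_inc_unchecked_step(refcount_t *r)
{
    int old = atomic_fetch_add(&r->refs, 1);    /* atomic add wraps, no UB */
    return (int)((unsigned int)old + 1u);       /* value now in memory */
}

static void refcount_overflow_handler_step(refcount_t *r, int seen)
{
    if (seen < 0 && seen != REFCOUNT_SATURATED)
        atomic_store(&r->refs, REFCOUNT_SATURATED);
}

/* Kees's interleaving: both CPUs load INT_MAX, CPU 1's saturating increment
 * lands first, then CPU 2 tries its decrement. Returns the final counter value
 * and reports in *dec_cas_failed whether CPU 2's first CAS was rejected. */
static int model_unsaturate_race(bool *dec_cas_failed)
{
    refcount_t r;
    int cpu1 = INT_MAX, cpu2 = INT_MAX;
    refcount_set(&r, INT_MAX);
    refcount_inc_try(&r, &cpu1);                  /* lands: counter pinned */
    *dec_cas_failed = !refcount_dec_try(&r, &cpu2);
    while (!refcount_dec_try(&r, &cpu2)) { }      /* retry sees pinned value */
    return refcount_read(&r);
}

/* Store-then-fix window: returns the value visible between the two steps via
 * *intermediate, and the final value after the handler runs. */
static int model_overflow_window(int *intermediate)
{
    refcount_t r;
    refcount_set(&r, INT_MAX);
    *intermediate = refcount_inc_unchecked_step(&r);
    refcount_overflow_handler_step(&r, *intermediate);
    return refcount_read(&r);
}
```

In the model, variant A never lets a decrement un-saturate the counter: the decrement's CAS is rejected as soon as the increment's store has landed, and the retry then sees the pinned value and leaves it alone. Variant B shows why the store order was raised at all: INT_MIN is visible to every other CPU until the handler runs.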