On Mon, 2017-04-24 at 15:37 -0700, Kees Cook wrote: > On Mon, Apr 24, 2017 at 3:01 PM, Peter Zijlstra <peterz@xxxxxxxxxxxxx > > wrote: > > On Mon, Apr 24, 2017 at 01:40:56PM -0700, Kees Cook wrote: > > > I think we're way off in the weeds here. The "cannot inc from 0" > > > check > > > is about general sanity checks on refcounts. > > > > I disagree, although sanity check are good too. > > > > > It should never happen, and if it does, there's a bug. > > > > The very same is true of the overflow thing. > > > > > However, what the refcount hardening protection is trying to do > > > is > > > protect again the exploitable condition: overflow. > > > > Sure.. > > > > > Inc-from-0 isn't an exploitable condition since in theory > > > the memory suddenly becomes correctly managed again. > > > > It does not. It just got free'ed. Nothing will stop the free from > > happening (or already having happened). > > Well, yes, but that's kind of my point. Detecting inc-from-0 is "too > late" to offer a protection. It offers notification of a bug, rather > than stopping an exploit from happening. inc-from-0 could allow the attacker to gain access to an object which gets allocated to a new user afterwards. Certainly much less useful as an exploit, but still a potential privilege escalation.
