On Sat, Sep 2, 2017 at 3:29 AM, Ingo Molnar <mingo@xxxxxxxxxx> wrote:
>
> * Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
>> Using .text.unlikely for refcount exceptions isn't safe because gcc may
>> move entire functions into .text.unlikely (e.g. in6_dev_get()), which
>> would cause any uses of a protected refcount_t function to stay inline
>> with the function, triggering the protection unconditionally:
>>
>> .section .text.unlikely,"ax",@progbits
>> .type in6_dev_get, @function
>> in6_dev_getx:
>> .LFB4673:
>> .loc 2 4128 0
>> .cfi_startproc
>> ...
>> lock; incl 480(%rbx)
>> js 111f
>> .pushsection .text.unlikely
>> 111: lea 480(%rbx), %rcx
>> 112: .byte 0x0f, 0xff
>> .popsection
>> 113:
>>
>> This creates a unique .text section and adds an additional test to the
>> exception handler to WARN in the case of having none of OF, SF, nor ZF
>> set so we can see things like this more easily in the future.
>>
>> Reported-by: Mike Galbraith <efault@xxxxxx>
>> Fixes: 7a46ec0e2f48 ("locking/refcounts, x86/asm: Implement fast refcount overflow protection")
>> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
>> ---
>> arch/x86/Kconfig | 2 +-
>> arch/x86/include/asm/refcount.h | 2 +-
>> arch/x86/mm/extable.c | 7 ++++++-
>> include/asm-generic/vmlinux.lds.h | 1 +
>> 4 files changed, 9 insertions(+), 3 deletions(-)
>
> Could you please split this into two patches: one that fixes the .unlikely bug,
> the other that re-enables the optimized version?
>
> Should there be any other problem with refcounts this would make any bisection
> result more clear-cut.
Certainly!
-Kees
--
Kees Cook
Pixel Security
