On Tue, Mar 21, 2017 at 7:03 PM, Eric Dumazet <eric.dumazet@xxxxxxxxx> wrote:
> On Tue, 2017-03-21 at 16:51 -0700, Kees Cook wrote:
>
>> Am I understanding you correctly that you'd want something like:
>>
>> refcount.h:
>> #ifdef UNPROTECTED_REFCOUNT
>> #define refcount_inc(x) atomic_inc(x)
>> ...
>> #else
>> void refcount_inc(...
>> ...
>> #endif
>>
>> some/net.c:
>> #define UNPROTECTED_REFCOUNT
>> #include <refcount.h>
>>
>> or similar?
>
> At first, it could be something simple like that yes.
>
> Note that we might define two refcount_inc() : One that does whole
> tests, and refcount_inc_relaxed() that might translate to atomic_inc()
> on non debug kernels.
>
> Then later, maybe provide a dynamic infrastructure so that we can
> dynamically force the full checks even for refcount_inc_relaxed() on say
> 1% of the hosts, to get better debug coverage ?

Well, this isn't about finding bugs in normal workflows. This is about
catching bugs that attackers have found and start exploiting to gain a
use-after-free primitive. The intention is for it to be always enabled.

-Kees

--
Kees Cook
Pixel Security
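The two flavours the thread is weighing, as an added userspace C11 model that is not code from the thread and not the kernel's own refcount.h: refcount_inc() with the full checks, and a refcount_inc_relaxed() that is what the UNPROTECTED_REFCOUNT build turns the call into, a bare atomic increment. The saturation value, the refcount_warn() hook, the outcome struct and the two constructed bug scenarios are assumptions made for this illustration. The scenarios show the point Kees makes: with the checked flavour a double put followed by a stale get is refused and reported, and an overflow pins the counter instead of wrapping to zero, so the object leaks rather than becoming a use-after-free primitive; with the relaxed flavour both bugs pass silently.

```c
/* Added example, not code from the thread or from the kernel's refcount.h.
 * Saturation value, warning hook and scenarios are assumptions. */
#include <stdatomic.h>
#include <stdbool.h>
#include <limits.h>
#include <stdio.h>

typedef struct { atomic_uint refs; } refcount_t;

#define REFCOUNT_SATURATED UINT_MAX        /* sticky value, assumed: never freed again */
#define REFCOUNT_MAX       (UINT_MAX - 1)  /* last count that may still be incremented */

static int refcount_warnings;              /* a kernel would WARN_ONCE() here */

static void refcount_warn(const char *what)
{
    refcount_warnings++;
    fprintf(stderr, "refcount: %s\n", what);
}

/* Checked increment: refuses to resurrect an object whose count already hit
 * zero (the use-after-free primitive) and saturates instead of wrapping. */
static void refcount_inc(refcount_t *r)
{
    unsigned int old = atomic_load(&r->refs), new;

    do {
        if (old == 0) {
            refcount_warn("increment from zero: object is already freed");
            return;
        }
        if (old == REFCOUNT_SATURATED)
            return;                        /* already pinned; stays leaked */
        new = old + 1;
    } while (!atomic_compare_exchange_weak(&r->refs, &old, new));

    if (new == REFCOUNT_SATURATED)
        refcount_warn("overflow: counter saturated");
}

/* Relaxed flavour: what refcount_inc() becomes under UNPROTECTED_REFCOUNT. */
static void refcount_inc_relaxed(refcount_t *r)
{
    atomic_fetch_add(&r->refs, 1);         /* plain atomic_inc(), wraps on overflow */
}

/* Checked decrement; true means the caller must free the object. A saturated
 * counter never reaches zero, so a corrupted object leaks instead of freeing. */
static bool refcount_dec_and_test(refcount_t *r)
{
    unsigned int old = atomic_load(&r->refs), new;

    do {
        if (old == 0) {
            refcount_warn("underflow: decrement on zero");
            return false;
        }
        if (old == REFCOUNT_SATURATED)
            return false;
        new = old - 1;
    } while (!atomic_compare_exchange_weak(&r->refs, &old, new));

    return new == 0;
}

struct outcome { unsigned int refs; int warnings; };

/* Constructed bug: the owner puts twice, freeing the object while holder B
 * still has a pointer; B's next get is the attacker's use-after-free window. */
static struct outcome double_put_then_get(bool checked)
{
    void (*get)(refcount_t *) = checked ? refcount_inc : refcount_inc_relaxed;
    refcount_t r;
    int before = refcount_warnings;

    atomic_init(&r.refs, 1);               /* owner's reference */
    get(&r);                               /* holder A takes one: 2 */
    refcount_dec_and_test(&r);             /* A drops it: 1 */
    refcount_dec_and_test(&r);             /* bug: owner's second put: 0, freed */
    get(&r);                               /* stale holder B grabs "its" reference */
    return (struct outcome){ atomic_load(&r.refs), refcount_warnings - before };
}

/* Constructed bug: leaked gets have driven the count up to the wrap point. */
static struct outcome increment_past_max(bool checked)
{
    void (*get)(refcount_t *) = checked ? refcount_inc : refcount_inc_relaxed;
    refcount_t r;
    int before = refcount_warnings;

    atomic_init(&r.refs, REFCOUNT_MAX);
    get(&r);                               /* checked: saturates; relaxed: UINT_MAX */
    get(&r);                               /* checked: no-op;     relaxed: wraps to 0 */
    return (struct outcome){ atomic_load(&r.refs), refcount_warnings - before };
}

int main(void)
{
    struct outcome a = double_put_then_get(false), b = double_put_then_get(true);
    struct outcome c = increment_past_max(false), d = increment_past_max(true);

    printf("double put, relaxed: refs=%u warnings=%d\n", a.refs, a.warnings);
    printf("double put, checked: refs=%u warnings=%d\n", b.refs, b.warnings);
    printf("overflow,   relaxed: refs=%u warnings=%d\n", c.refs, c.warnings);
    printf("overflow,   checked: refs=%u warnings=%d\n", d.refs, d.warnings);
    return 0;
}
```

The relaxed run of double_put_then_get() ends with refs == 1 and no warning: the freed object looks alive again, which is exactly the primitive the checked flavour exists to deny. The checked run leaves refs at 0 and reports once. For the overflow case the relaxed counter wraps to 0 while the checked counter sticks at the saturation value, so a later put can never free the object. This is why the check has to be in the fast path rather than sampled onto a fraction of hosts: the bug it guards against is the one an attacker triggers on purpose, on the machine of their choosing.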