grsecurity forums

I'm having a testing series kernel and I'm getting the following refcount overflow:

Code: Select all

[  437.367010] [<c053b148>] (__pabt_svc+0x68/0xc0) from [<c04cb8f0>] (ip_idents_reserve+0x8c/0xb0)
[  437.367028] [<c04cb8f0>] (ip_idents_reserve+0x8c/0xb0) from [<c04cba74>] (__ip_select_ident+0x84/0xbc)
[  437.367045] [<c04cba74>] (__ip_select_ident+0x84/0xbc) from [<c04d6874>] (__ip_make_skb+0x308/0x3c8)
[  437.367061] [<c04d6874>] (__ip_make_skb+0x308/0x3c8) from [<c04d69e0>] (ip_push_pending_frames+0x14/0x28)
[  437.367074] [<c04d69e0>] (ip_push_pending_frames+0x14/0x28) from [<c04d6ce4>] (ip_send_unicast_reply+0


Now I checked and id_idents_reserve is using the _unchecked variant. And the same kernel is not having any problems on x86_64. This so far seems to affect only ARM.

While this is not the latest 3.19 test kernel, I did not see any relevant changes in arm atomic unchecked. Has anyone else seen similar?

I'm slightly suspicious about:

Code: Select all

diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h
...
+#define ATOMIC_OP(op, c_op, asm_op) __ATOMIC_OP(op, , c_op, asm_op, , )\
+                                   __ATOMIC_OP(op, _unchecked, c_op, asm_op##s, __OVERFLOW_POST, __OVERFLOW_EXTABLE)
...
+#define ATOMIC_OP_RETURN(op, c_op, asm_op) __ATOMIC_OP_RETURN(op, , c_op, asm_op, , )\
+                                          __ATOMIC_OP_RETURN(op, _unchecked, c_op, asm_op##s, __OVERFLOW_POST_RETURN, __OVERFLOW_EXTABLE)


Is this correct? Isn't it the _unchecked variant that should not add any overflow checking? Or did I miss something?

oops, i goofed up indeed when porting REFCOUNT to the new unified atomic code back in 3.19 or so, the _unchecked variant is indeed the one that doesn't need the overflow check. can you try this patch:

Code: Select all

diff -u linux-4.0-pax/arch/arm/include/asm/atomic.h linux-4.0-pax/arch/arm/include/asm/atomic.h
--- linux-4.0-pax/arch/arm/include/asm/atomic.h 2015-04-15 12:13:52.846318626 +0200
+++ linux-4.0-pax/arch/arm/include/asm/atomic.h 2015-04-20 21:58:29.247698219 +0200
@@ -101,8 +101,8 @@
        : "cc");                                                        \
 }                                                                      \

-#define ATOMIC_OP(op, c_op, asm_op) __ATOMIC_OP(op, , c_op, asm_op, , )\
-                                   __ATOMIC_OP(op, _unchecked, c_op, asm_op##s, __OVERFLOW_POST, __OVERFLOW_EXTABLE)
+#define ATOMIC_OP(op, c_op, asm_op) __ATOMIC_OP(op, _unchecked, c_op, asm_op, , )\
+                                   __ATOMIC_OP(op, , c_op, asm_op##s, __OVERFLOW_POST, __OVERFLOW_EXTABLE)

 #define __ATOMIC_OP_RETURN(op, suffix, c_op, asm_op, post_op, extable) \
 static inline int atomic_##op##_return##suffix(int i, atomic##suffix##_t *v)\
@@ -130,8 +130,8 @@
        return result;                                                  \
 }

-#define ATOMIC_OP_RETURN(op, c_op, asm_op) __ATOMIC_OP_RETURN(op, , c_op, asm_op, , )\
-                                          __ATOMIC_OP_RETURN(op, _unchecked, c_op, asm_op##s, __OVERFLOW_POST_RETURN, __OVERFLOW_EXTABLE)
+#define ATOMIC_OP_RETURN(op, c_op, asm_op) __ATOMIC_OP_RETURN(op, _unchecked, c_op, asm_op, , )\
+                                          __ATOMIC_OP_RETURN(op, , c_op, asm_op##s, __OVERFLOW_POST_RETURN, __OVERFLOW_EXTABLE)

 static inline int atomic_cmpxchg(atomic_t *ptr, int old, int new)
 {
@@ -477,8 +477,8 @@
        : "cc");                                                        \
 }                                                                      \

-#define ATOMIC64_OP(op, op1, op2) __ATOMIC64_OP(op, , op1, op2, , ) \
-                                 __ATOMIC64_OP(op, _unchecked, op1, op2##s, __OVERFLOW_POST, __OVERFLOW_EXTABLE)
+#define ATOMIC64_OP(op, op1, op2) __ATOMIC64_OP(op, _unchecked, op1, op2, , ) \
+                                 __ATOMIC64_OP(op, , op1, op2##s, __OVERFLOW_POST, __OVERFLOW_EXTABLE)

 #define __ATOMIC64_OP_RETURN(op, suffix, op1, op2, post_op, extable)   \
 static inline long long atomic64_##op##_return##suffix(long long i, atomic64##suffix##_t *v) \
@@ -507,8 +507,8 @@
        return result;                                                  \
 }

-#define ATOMIC64_OP_RETURN(op, op1, op2) __ATOMIC64_OP_RETURN(op, , op1, op2, , ) \
-                                        __ATOMIC64_OP_RETURN(op, _unchecked, op1, op2##s, __OVERFLOW_POST_RETURN, __OVERFLOW_EXTABLE)
+#define ATOMIC64_OP_RETURN(op, op1, op2) __ATOMIC64_OP_RETURN(op, _unchecked, op1, op2, , ) \
+                                        __ATOMIC64_OP_RETURN(op, , op1, op2##s, __OVERFLOW_POST_RETURN, __OVERFLOW_EXTABLE)

 #define ATOMIC64_OPS(op, op1, op2)                                     \
        ATOMIC64_OP(op, op1, op2)                                       \


Thanks! The fix seems to work good. I have now kernel with that applied and it's been up for a day without any hiccups.