From patchwork Sat Oct 29 16:19:54 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Windsor X-Patchwork-Id: 9403967 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 5415160588 for ; Sat, 29 Oct 2016 16:20:50 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 44FF929012 for ; Sat, 29 Oct 2016 16:20:50 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 37B64290CD; Sat, 29 Oct 2016 16:20:50 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 661E529012 for ; Sat, 29 Oct 2016 16:20:49 +0000 (UTC) Received: (qmail 26014 invoked by uid 550); 29 Oct 2016 16:20:35 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: kernel-hardening@lists.openwall.com Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 25900 invoked from network); 29 Oct 2016 16:20:34 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=M0H05iUVzA5JR0O2IsL5WDaWXUIdIiQJOiJpKUvKAr4=; b=FRMyJbN+DdIGTFZpbx1kqdsY8J/AtEsYwFZjEgckjWrD4GUlUTNSwteegKfAQtOp2+ dYipkvemFkQJZvvye1k8yXByhH24nQ5YvbkI5qp0rmmgclPWyvj6r5OLLZqbL+7COM/k PlM/KFQ4FIzTAfLKRponZwtTJ/1t7ED0hR6TYw7Rqq0owka5pBcZZdaU+culs4PJrhDq EMz3oDmM21eaYNny7XTTSIKGYXqmlvQE8dA13fhFkMYOiP1PJ5mLSJD6rqsB6C9hUmj2 sYIbaH22H4YJHjDzoM6kbgNM3MNZRgC2IQbC7BgB2aeL7CcsLpmeCtq9U0AH5YRa1Cmz hr4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=M0H05iUVzA5JR0O2IsL5WDaWXUIdIiQJOiJpKUvKAr4=; b=C6FRJ2uOccRgAWbRPZfreFuiGUSX6zMjM3V0A6c6eKR33nB2nSPn6sLtuG1ab0CRPz H/4rVNYQGREwQjxKukUT62z23ZBfUQqJnmR/1POaBmaiJCbTqVPdkGjLtYZ11SmDC6Ow fo2HKByGl7UWVZzVmkI6eTXgbBji+InoX10ubrvUPznb+Fw+nkmfJAyy92eOKBD4SaAn qJ1sUywsBhfWe8Xr1BgTINafLyaoiJkDE3feoke/UzCMy2nGUZ0Rxxktg1hF400NOGQw yB9bHw1tZRQHChjzn6zKxyINNTufolYXim4Evjh9eGvmpKGX4GnVvuPO7eKQBa1ANj+L IEpg== X-Gm-Message-State: ABUngvfTVJ/pyZYotZiDsVTIWKc0o+ACoRx6NogYEFKotK0bhe4F0aPOzc0qrfDXjATiKA== X-Received: by 10.55.47.198 with SMTP id v189mr14868939qkh.250.1477758022982; Sat, 29 Oct 2016 09:20:22 -0700 (PDT) From: David Windsor To: kernel-hardening@lists.openwall.com Cc: keescook@chromium.org, elena.reshetova@intel.com, ishkamiel@gmail.com, takahiro.akashi@linaro.org, colin@cvidal.org, dwindsor@gmail.com Date: Sat, 29 Oct 2016 12:19:54 -0400 Message-Id: <1477757996-22468-4-git-send-email-dwindsor@gmail.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1477757996-22468-1-git-send-email-dwindsor@gmail.com> References: <1477757996-22468-1-git-send-email-dwindsor@gmail.com> Subject: [kernel-hardening][RFC PATCH 3/5] tty: add overflow protection to struct tty_ldisc_ops.refcount X-Virus-Scanned: ClamAV using ClamSMTP Change type of struct tty_ldisc_ops.refcount to atomic_t. This enables overflow protection: when CONFIG_HARDENED_ATOMIC is enabled, atomic_t variables cannot be overflowed. The copyright for the original PAX_REFCOUNT code: - all REFCOUNT code in general: PaX Team - various false positive fixes: Mathias Krause --- drivers/tty/n_tty.c | 3 ++- drivers/tty/tty_ldisc.c | 8 ++++---- include/linux/tty_ldisc.h | 2 +- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c index bdf0e6e..a640ce5 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c @@ -2465,7 +2465,8 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) { *ops = n_tty_ops; ops->owner = NULL; - ops->refcount = ops->flags = 0; + atomic_set(&ops->refcount, 0); + ops->flags = 0; } EXPORT_SYMBOL_GPL(n_tty_inherit_ops); diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c index 68947f6..1f85fef2 100644 --- a/drivers/tty/tty_ldisc.c +++ b/drivers/tty/tty_ldisc.c @@ -68,7 +68,7 @@ int tty_register_ldisc(int disc, struct tty_ldisc_ops *new_ldisc) raw_spin_lock_irqsave(&tty_ldiscs_lock, flags); tty_ldiscs[disc] = new_ldisc; new_ldisc->num = disc; - new_ldisc->refcount = 0; + atomic_set(&new_ldisc->refcount, 0); raw_spin_unlock_irqrestore(&tty_ldiscs_lock, flags); return ret; @@ -96,7 +96,7 @@ int tty_unregister_ldisc(int disc) return -EINVAL; raw_spin_lock_irqsave(&tty_ldiscs_lock, flags); - if (tty_ldiscs[disc]->refcount) + if (atomic_read(&tty_ldiscs[disc]->refcount)) ret = -EBUSY; else tty_ldiscs[disc] = NULL; @@ -117,7 +117,7 @@ static struct tty_ldisc_ops *get_ldops(int disc) if (ldops) { ret = ERR_PTR(-EAGAIN); if (try_module_get(ldops->owner)) { - ldops->refcount++; + atomic_inc(&ldops->refcount); ret = ldops; } } @@ -130,7 +130,7 @@ static void put_ldops(struct tty_ldisc_ops *ldops) unsigned long flags; raw_spin_lock_irqsave(&tty_ldiscs_lock, flags); - ldops->refcount--; + atomic_dec(&ldops->refcount); module_put(ldops->owner); raw_spin_unlock_irqrestore(&tty_ldiscs_lock, flags); } diff --git a/include/linux/tty_ldisc.h b/include/linux/tty_ldisc.h index 3971cf0..7704c48 100644 --- a/include/linux/tty_ldisc.h +++ b/include/linux/tty_ldisc.h @@ -202,7 +202,7 @@ struct tty_ldisc_ops { struct module *owner; - int refcount; + atomic_t refcount; }; struct tty_ldisc {