On Wed, Apr 26, 2017 at 12:56 AM, Kees Cook <keesc...@chromium.org> wrote:
> This protection is a modified version of the x86 PAX_REFCOUNT
> implementation from PaX/grsecurity. This speeds up the refcount_t API by
> duplicating the existing atomic_t implementation with a single instruction
> added to detect if the refcount has wrapped past INT_MAX (or below 0)
> resulting in a signed value.
[...]
> +static __always_inline void refcount_dec(refcount_t *r)
> +{
> + asm volatile(LOCK_PREFIX "decl %0\n\t"
> + REFCOUNT_CHECK_UNDERFLOW(4)
> + : [counter] "+m" (r->refs.counter)
> + : : "cc", "cx");
> +}
What purpose do checks on decrement now have? The mitigation is only
intended to deal with (positive) overflows, right? AFAICS if you hit this code,
similar to the inc-from-0 case, you're already in a UAF situation?
