[ubuntu-hardened] [kernel-hardening] Re: Add overflow protection to kref
segoon at openwall.com
Fri Feb 17 07:59:45 UTC 2012
> And in all that time, I've never seen an instance where you can overflow
> the reference count,
Do you mean that the overflow is theoretically impossible or that this
type of programmer error is rare?
If the former, it is only 2**32 incs - if you can find open() implementation
with a missing atomic_dec() in error path and you can call open() faster than
10000 times per second, you can overflow the counter in ~4 days.
If the latter, it is just a question of finding missing put() in some triggerable
error path. Kees has already posted a link to a bug with a missing fput().
BTW, moving from atomic_t to 64 bit refcounter would kill the possibility of
overflow. Unfortunately, AFAIU, 64 bit operations are not atomic on some 64 bit
More information about the ubuntu-hardened