Change Details

``` This sorts out worries about mitigating bugs which overflow the counter without pessimizng anything, most notably it avoids whacking per-thread operation in favor of refcount(9) API. The struct already had two instances of 4 byte padding with 256 bytes in size, cr_flags gets moved around to avoid growing it. 32-bit platforms could also get the extended counter, but I did not do it as one day(tm) the mutex protecting centralized operation should be replaced with atomics and 64-bit ops on 32-bit platforms remain quite penalizing. While worries of counter overflow are addressed, the following is not: - counter *underflows* - buffer overruns from adjacent allocations - UAF due to stale cred pointer As such, while lipstick was placed, the pig should not be participating in any beauty pageants. ```

``` commit 998a1c313a986dc7c7457d0b5369381f65fa1330 Author: Mateusz Guzik <mjg@FreeBSD.org> Date: Wed Mar 22 20:42:04 2023 +0000 cred: convert the refcount from int to long On 64-bit platforms this sorts out worries about mitigating bugs which overflow the counter without pessimizng anything, most notably it avoids whacking per-thread operation in favor of refcount(9) API. The struct already had two instances of 4 byte padding with 256 bytes in size, cr_flags gets moved around to avoid growing it. 32-bit platforms could also get the extended counter, but I did not do it as one day(tm) the mutex protecting centralized operation should be replaced with atomics and 64-bit ops on 32-bit platforms remain quite penalizing. While worries of counter overflow are addressed, the following is not: - counter *underflows* - buffer overruns from adjacent allocations - UAF due to stale cred pointer As such, while lipstick was placed, the pig should not be participating in any beauty pageants. Reviewed by: Differential Revision: commit ceb8f401fcc5d956b9b92cff6aa6946a932f48bf Author: Mateusz Guzik <mjg@FreeBSD.org> Date: Wed Mar 22 21:44:55 2023 +0000 cred: make ref signed There are asserts on the count being > 0, but they are less useful than they can be because the type itself is unsigned. The kernel is compiled with -frapv, making wraparound perfectly defined. ```

``` commit 998a1c313a986dc7c7457d0b5369381f65fa1330 Author: Mateusz Guzik <mjg@FreeBSD.org> Date: Wed Mar 22 20:42:04 2023 +0000 This sorts out worries about mitigating bugs which overflow the countercred: convert the refcount from int to long without pessimizng anything, most notably it avoids whackOn 64-bit platforms this sorts out worries about mitigating per-threadbugs which operation in favor of refcount(9) API.overflow the counter without pessimizng anything, most notably it avoids whacking per-thread operation in favor of refcount(9) API. The struct already had two instances of 4 byte padding with 256 bytes in size, cr_flags gets moved around to avoid growing it. 32-bit platforms could also get the extended counter, but I did not do it as one day(tm) the mutex protecting centralized operation should be replaced with atomics and 64-bit ops on 32-bit platforms remain quite penalizing. While worries of counter overflow are addressed, the following is not: - counter *underflows* - buffer overruns from adjacent allocations - UAF due to stale cred pointer As such, while lipstick was placed, the pig should not be participating in any beauty pageants. Reviewed by: Differential Revision: commit ceb8f401fcc5d956b9b92cff6aa6946a932f48bf Author: Mateusz Guzik <mjg@FreeBSD.org> Date: Wed Mar 22 21:44:55 2023 +0000 cred: make ref signed There are asserts on the count being > 0, but they are less useful than they can be because the type itself is unsigned. The kernel is compiled with -frapv, making wraparound perfectly defined. ```