
Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

PostPosted: Tue Jul 10, 2012 4:38 pm
by tjh
PAX: size overflow detected in function tcp_recvmsg net/ipv4/tcp.c:1696
Pid: 2447, comm: rtorrent Not tainted 3.4.4-grsec #1
Call Trace:
 [<000a5189>] ? 0x0a5189
 [<00217750>] ? 0x217750
 [<0023661f>] ? 0x23661f
 [<001c69ed>] ? 0x1c69ed
 [<001c8fed>] ? 0x1c8fed
 [<001c90b3>] ? 0x1c90b3
 [<001c9b2c>] ? 0x1c9b2c
 [<00265534>] ? 0x265534
 [<00265554>] ? 0x265554


This is with grsecurity-2.9.1-3.4.4-201207080925.patch and Linux 3.4.4.

root@micro:/home/tim# cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 13
model name      : Intel(R) Celeron(R) M processor          900MHz
stepping        : 6
microcode       : 0x18
cpu MHz         : 630.088
cache size      : 512 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 2
wp              : yes
flags           : fpu vme de pse tsc msr mce cx8 apic mtrr pge mca cmov clflush dts acpi mmx fxsr sse sse2 ss tm pbe bts
bogomips        : 1260.17
clflush size    : 64
cache_alignment : 64
address sizes   : 32 bits physical, 32 bits virtual
power management:


What additional files should I provide to help debug this?

Re: Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

PostPosted: Tue Jul 10, 2012 5:31 pm
by ephox
I think it is a false positive; I will fix it in the next plugin version.

Re: Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

PostPosted: Mon Jul 23, 2012 4:46 am
by Flexx
Got a similar problem here with icecast:

Linux version 3.2.23-grsec (gcc version 4.6.2 (Ubuntu/Linaro 4.6.2-10ubuntu1~10.04.2) ) #1 SMP
grsecurity-2.9.1-3.2.23-201207211428.patch

PAX: size overflow detected in function tcp_recvmsg net/ipv4/tcp.c:1690
Pid: 4171, comm: icecast2.3.3 Not tainted 3.2.23-grsec #1
Call Trace:
[<ffffffff8117ed24>] report_size_overflow+0x24/0x30
[<ffffffff815a0b01>] tcp_recvmsg+0x1041/0x1270
[<ffffffff8118e940>] ? __pollwait+0x100/0x100
[<ffffffff815c481c>] inet_recvmsg+0x6c/0x80
[<ffffffff815c481c>] ? inet_recvmsg+0x6c/0x80
[<ffffffff8153bf95>] sock_recvmsg+0x125/0x140
[<ffffffff81664ecd>] ? bad_area_nosemaphore+0x13/0x15
[<ffffffff81674ebe>] ? do_page_fault+0x44e/0x550
[<ffffffff81664ecd>] ? bad_area_nosemaphore+0x13/0x15
[<ffffffff8109831e>] ? ktime_get_ts+0xae/0xf0
[<ffffffff815400ff>] sys_recvfrom+0xef/0x170
[<ffffffff81679165>] ? sysret_check+0x1e/0x5a
[<ffffffff8101c606>] ? pax_randomize_kstack+0x56/0x70
[<ffffffff81679165>] ? sysret_check+0x1e/0x5a
[<ffffffff8167913d>] system_call_fastpath+0x18/0x1d


While waiting for a fix, is it possible to disable this feature without recompiling the kernel with "CONFIG_PAX_SIZE_OVERFLOW=n"? Maybe via pax flags or /proc?

thanks,
Bernd

Re: Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

PostPosted: Mon Jul 23, 2012 11:13 am
by PaX Team
Flexx wrote: While waiting for a fix, is it possible to disable this feature without recompiling the kernel with "CONFIG_PAX_SIZE_OVERFLOW=n"? Maybe via pax flags or /proc?

This feature, like everything gcc-plugin based, instruments generated code (i.e., at compile time), so there's no way to get rid of it later; you'll have to recompile.
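A constructed C sketch, added here and not PaX or kernel code, of the kind of check the size overflow plugin compiles into each instrumented function: arithmetic on a size value is redone in a wider type and compared against the original type's range, which is why the check cannot be switched off at runtime, and why an intended wraparound (a counter that is meant to roll over) is reported exactly like a bug unless annotated, the usual shape of the false positive ephox mentions above. All function and variable names are hypothetical stand-ins; this report_size_overflow only counts reports instead of halting the task.

```c
#include <limits.h>
#include <stdint.h>

/* Stand-in for the kernel's report_size_overflow(), which the plugin calls
 * when a widened computation no longer fits the original type. The real one
 * halts the task; this one only counts, so results can be inspected. */
static int overflow_reports;

static void report_size_overflow(const char *func, const char *var)
{
    (void)func; (void)var;
    overflow_reports++;
}

/* Add two int-typed size values the way instrumented code does: compute in
 * a wider type, check the range, then truncate as the original code would. */
static int checked_add_int(int a, int b)
{
    int64_t wide = (int64_t)a + (int64_t)b;
    if (wide > INT_MAX || wide < INT_MIN)
        report_size_overflow(__func__, "copied");
    return (int)wide;
}

/* Same check on a 16-bit counter. A counter that is meant to wrap (such as
 * an IP ID) trips this too unless annotated as intentional, which is the
 * usual shape of a false positive. */
static uint16_t checked_inc_u16(uint16_t id)
{
    uint32_t wide = (uint32_t)id + 1u;
    if (wide > UINT16_MAX)
        report_size_overflow(__func__, "id");
    return (uint16_t)wide;
}

/* recvmsg-style accounting step: how many reports does it raise? */
static int reports_for_copy(int copied, int chunk)
{
    overflow_reports = 0;
    (void)checked_add_int(copied, chunk);
    return overflow_reports;
}

/* IP ID increment: how many reports does it raise? */
static int reports_for_ident(uint16_t id)
{
    overflow_reports = 0;
    (void)checked_inc_u16(id);
    return overflow_reports;
}
```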

Re: Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

PostPosted: Fri Apr 04, 2014 7:15 am
by kolargol
Hello,

Got a similar problem:
[1911768.723141] PAX: size overflow detected in function __ip_select_ident net/ipv4/route.c:1379 cicus.645_79 max, count: 3
[1911768.723161] Pid: 2401, comm: openvpn Not tainted 3.2.55-grsec-processone-R11 #1
[1911768.723170] Call Trace:
[1911768.723178]  [<ffffffff81104b34>] ? report_size_overflow+0x24/0x30
[1911768.723184]  [<ffffffff8147afa1>] ? __ip_select_ident+0x1e1/0x1f0
[1911768.723188]  [<ffffffff81484f74>] ? __ip_make_skb+0x1f4/0x450
[1911768.723192]  [<ffffffff814853a1>] ? ip_make_skb+0x131/0x160
[1911768.723198]  [<ffffffff812fb439>] ? __list_del_entry+0x9/0x20
[1911768.723202]  [<ffffffff81484580>] ? ip_output+0xa0/0xa0
[1911768.723205]  [<ffffffff81484580>] ? ip_output+0xa0/0xa0
[1911768.723210]  [<ffffffff814a9ced>] ? udp_sendmsg+0x2ad/0x940
[1911768.723215]  [<ffffffff810ed3b4>] ? kmem_cache_free+0x14/0xa0
[1911768.723219]  [<ffffffff814a8b62>] ? udp_recvmsg+0x1e2/0x420
[1911768.723223]  [<ffffffff81413f48>] ? sock_sendmsg+0xe8/0x120
[1911768.723228]  [<ffffffff81111e30>] ? __pollwait+0x120/0x120
[1911768.723231]  [<ffffffff810eda60>] ? check_heap_object+0x50/0x100
[1911768.723235]  [<ffffffff81103f03>] ? __check_object_size+0x63/0x1a0
[1911768.723240]  [<ffffffff81413cc8>] ? move_addr_to_kernel+0x98/0xf0
[1911768.723244]  [<ffffffff814155f7>] ? sys_sendto+0x117/0x190
[1911768.723248]  [<ffffffff81002812>] ? xen_load_sp0+0x72/0x90
[1911768.723253]  [<ffffffff81011c8d>] ? pax_randomize_kstack+0x4d/0x70
[1911768.723259]  [<ffffffff81574170>] ? retint_swapgs+0xe/0x11
[1911768.723263]  [<ffffffff81573c02>] ? system_call_fastpath+0x16/0x1b


Patch version 3.0-3.2.55-201402241936; is this a known issue?

thanks,

Re: Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

PostPosted: Fri Apr 04, 2014 8:46 am
by ephox
kolargol wrote:
[1911768.723141] PAX: size overflow detected in function __ip_select_ident net/ipv4/route.c:1379 cicus.645_79 max, count: 3

...
Patch version 3.0-3.2.55-201402241936; is this a known issue?


Hi,

Could you try the latest grsec version, please?

Re: Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

PostPosted: Thu Apr 10, 2014 4:41 am
by kolargol
I will reply with test results once I prepare a new kernel; this is production, so the next test can take a while...

Re: Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

PostPosted: Tue May 13, 2014 4:56 am
by jorgus
Hi,

I got the overflow reported by kolargol (not the original one reported in this topic) in grsecurity-3.0-3.2.58-201405051840.patch, which is fairly recent. It looks like the overflow is still there.

PAX: size overflow detected in function __ip_select_ident net/ipv4/route.c:1379 cicus.605_79 max, count: 3
Pid: 1081, comm: webalizer Not tainted 3.2.58-2-amd64 #1
Call Trace:
[<ffffffff810e1624>] ? report_size_overflow+0x24/0x30
[<ffffffff8133f431>] ? __ip_select_ident+0x1d1/0x1e0
[<ffffffff813479c1>] ? __ip_make_skb+0x1f1/0x470
[<ffffffff81347e0a>] ? ip_make_skb+0x12a/0x150
[<ffffffff81345740>] ? __ip_append_data.isra.31+0xba0/0xba0
[<ffffffff8136d417>] ? udp_sendmsg+0x2a7/0x970
[<ffffffff81305897>] ? memcpy_toiovec+0x157/0x290
[<ffffffff8136c942>] ? udp_recvmsg+0x1f2/0x420
[<ffffffff812f3f63>] ? sock_sendmsg+0xc3/0xf0
[<ffffffff8137547e>] ? inet_recvmsg+0x4e/0x90
[<ffffffff812f3e1a>] ? sock_recvmsg+0xca/0x100
[<ffffffff810f21a0>] ? poll_schedule_timeout+0x70/0x70
[<ffffffff8133dd18>] ? __ip_route_output_key+0x4e8/0x9e0
[<ffffffff8133dd18>] ? __ip_route_output_key+0x4e8/0x9e0
[<ffffffff812f4002>] ? sockfd_lookup_light+0x22/0x80
[<ffffffff812f7933>] ? sys_sendto+0x113/0x180
[<ffffffff8136ab00>] ? udplite_getfrag+0x10/0x10
[<ffffffff812f7622>] ? sys_connect+0x102/0x110
[<ffffffff81397c6f>] ? system_call_fastpath+0x16/0x1b
[<ffffffff810f43ac>] ? sys_poll+0x6c/0xe0
[<ffffffff81397c97>] ? sysret_check+0x1e/0x65

Re: Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

PostPosted: Tue May 13, 2014 7:00 am
by PaX Team
I'll backport the recent overflow plugin changes to 3.2 as well once they've baked a bit in 3.14; in the meantime you should turn it off if this keeps triggering for you.