Size Overflow in _decode_session6 net/ipv6/xfrm6_policy.c

Discuss and suggest new grsecurity features

Moderators: spender, PaX Team

Size Overflow in _decode_session6 net/ipv6/xfrm6_policy.c

Postby cscmeu » Tue Aug 19, 2014 3:39 am

Hi girls,

[ 3461.196172] PAX: size overflow detected in function _decode_session6 net/ipv6/xfrm6_policy.c:133 cicus.116_244 min, count: 20
[ 3461.278561] CPU: 0 PID: 4648 Comm: java Not tainted 3.14.17-dsl0-grsec #3
[ 3459.591512] Kernel Offset: 0x3f000000 from 0xc1000000 (relocation range: 0xc0000000-0xf83fdfff)


With 3.0-3.14.17-201408140021 on Linux 3.14.17 running on Soekris net6501 (Intel 32 bits) with GCC :

# gcc --version
gcc (Debian 4.7.2-5) 4.7.2


Code: Select all
static inline void
_decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
{
        struct flowi6 *fl6 = &fl->u.ip6;
        int onlyproto = 0;
        u16 offset = skb_network_header_len(skb);
                        ^ kaboum


What additional files should I provide to help debug this?

Thanks!

Best Regards,
cscmeu
 
Posts: 2
Joined: Tue Aug 19, 2014 3:19 am

Re: Size Overflow in _decode_session6 net/ipv6/xfrm6_policy.

Postby ephox » Fri Aug 22, 2014 11:49 pm

Hi,

Sorry for the late response, could you apply this patch, please and send me the results?
Code: Select all
--- net/ipv6/xfrm6_policy.c.orig        2014-08-20 10:11:56.859999741 +0200
+++ net/ipv6/xfrm6_policy.c     2014-08-20 10:15:47.907999732 +0200
@@ -130,13 +130,16 @@
 {
        struct flowi6 *fl6 = &fl->u.ip6;
        int onlyproto = 0;
-       u16 offset = skb_network_header_len(skb);
+       u16 offset;
        const struct ipv6hdr *hdr = ipv6_hdr(skb);
        struct ipv6_opt_hdr *exthdr;
        const unsigned char *nh = skb_network_header(skb);
        u8 nexthdr = nh[IP6CB(skb)->nhoff];
        int oif = 0;
 
+       printk(KERN_ERR "PAX _decode_session6: transport_header: %x, network_header: %x\n", skb->transport_header, skb->network_header);
+       offset = skb_network_header_len(skb);
+
        if (skb_dst(skb))
                oif = skb_dst(skb)->dev->ifindex;


Could you also send me the results of the following command (net/ipv6/xfrm6_policy.*) as well as your kernel .config?

Code: Select all
rm -f net/ipv6/xfrm6_policy.o ; make net/ipv6/xfrm6_policy.o EXTRA_CFLAGS="-fdump-tree-all -fdump-ipa-all"


Thanks, Emese
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm

Re: Size Overflow in _decode_session6 net/ipv6/xfrm6_policy.

Postby cscmeu » Mon Aug 25, 2014 2:53 pm

Hi Emese,

ephox wrote:Could you also send me the results of the following command (net/ipv6/xfrm6_policy.*) as well as your kernel .config?


Thanks !
cscmeu
 
Posts: 2
Joined: Tue Aug 19, 2014 3:19 am

Re: Size Overflow in _decode_session6 net/ipv6/xfrm6_policy.

Postby ephox » Thu Aug 28, 2014 11:15 am

Hi,
Could you please send me the dmesg (the printk logs there from the patch) too when the overflow message is triggered?
Thanks, Emese
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm


Return to grsecurity development