size overflow in skb

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Moderators: spender, PaX Team

size overflow in skb

Postby neeo » Mon Aug 01, 2016 12:21 pm

hi,

when I try to set link up for my wifi card in monitor mode I get kernel panic:
Image

it's usb wifi wl-wn722n
Code: Select all
kernel: usbcore: registered new interface driver ath9k_htc
kernel: usb 3-3: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
kernel: ath9k_htc 3-3:1.0: ath9k_htc: HTC initialized with 33 credits
kernel: ath9k_htc 3-3:1.0: ath9k_htc: FW Version: 1.4
kernel: ath9k_htc 3-3:1.0: FW RMW support: On


the pax config part:
Code: Select all
CONFIG_PAX_USERCOPY_SLABS=y
# PaX
CONFIG_PAX=y
# PaX Control
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
# CONFIG_PAX_PT_PAX_FLAGS is not set
CONFIG_PAX_XATTR_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
# CONFIG_PAX_KERNEXEC is not set
CONFIG_PAX_ASLR=y
# CONFIG_PAX_RANDKSTACK is not set
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_STACKLEAK is not set
CONFIG_PAX_MEMORY_STRUCTLEAK=y
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_LATENT_ENTROPY=y
# CONFIG_PAX_RAP is not set
neeo
 
Posts: 2
Joined: Mon Aug 01, 2016 12:11 pm

Re: size overflow in skb

Postby PaX Team » Mon Aug 01, 2016 1:01 pm

this seems very similar to https://bugs.gentoo.org/show_bug.cgi?id=584378#c1, can you also apply that patch and report back the results? if it turns out to be the same issue, you should work it out with upstream. last but not least, you can boot with pax_size_overflow_report_only to disable the reaction logic.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: size overflow in skb

Postby neeo » Mon Aug 01, 2016 2:33 pm

I've applied the patch and recompiled with frame pointers:
Code: Select all
[  186.900355] PAX: network_header:0 off:ffffff94
[  186.915205] PAX: network_header:0 off:ffffff94
[  186.918303] PAX: network_header:0 off:ffffff95
[  186.918752] PAX: network_header:0 off:ffffff95
[  186.919504] PAX: network_header:0 off:ffffff95
[  186.920692] PAX: network_header:0 off:ffffff95
[  186.937342] PAX: network_header:0 off:ffffff95
[  186.937358] report_size_overflow: 1585 callbacks suppressed
[  186.937363] PAX: size overflow detected in function skb_headers_offset_update net/core/skbuff.c:1052 cicus.674_41 min, count: 22, decl: network_header; num: 0; context: sk_buff;
[  186.937370] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.6.5-grsec #1
[  186.937372] Hardware name: ASUSTeK COMPUTER INC.
[  186.937375]  0000000000000000 ffff88027ee03ca0 ffffffff812a0bb7 0000000000000000
[  186.937380]  ffffffff819f29cd 000000000000041c ffff88027ee03cd0 ffffffff8114db06
[  186.937384]  ffff88026f1b8a00 00000000ffffff95 00000000ffffff95 00000000ffffff95
[  186.937389] Call Trace:
[  186.937391]  <IRQ>  [<ffffffff812a0bb7>] dump_stack+0x4e/0x77
[  186.937409]  [<ffffffff8114db06>] report_size_overflow+0x66/0x80
[  186.937417]  [<ffffffff815497b9>] skb_headers_offset_update+0x149/0x1c0
[  186.937421]  [<ffffffff8154c140>] skb_copy_expand+0x110/0x1d0
[  186.937441]  [<ffffffffa0505450>] ieee80211_rx_napi+0x750/0xbe0 [mac80211]
[  186.937449]  [<ffffffff81625459>] ? _raw_spin_unlock_irqrestore+0x9/0x10
[  186.937455]  [<ffffffffa06a53b9>] ? ath9k_cmn_rx_skb_postprocess+0x119/0x130 [ath9k_common]
[  186.937462]  [<ffffffffa06b4039>] ath9k_rx_tasklet+0x3b9/0x470 [ath9k_htc]
[  186.937468]  [<ffffffff8105455b>] tasklet_action+0x10b/0x150
[  186.937473]  [<ffffffff81054a7b>] __do_softirq+0xdb/0x1e0
[  186.937478]  [<ffffffff81054cb4>] irq_exit+0x94/0xa0
[  186.937482]  [<ffffffff8101a14f>] do_IRQ+0x4f/0xd0
[  186.937487]  [<ffffffff81626181>] common_interrupt+0x81/0x81
[  186.937489]  <EOI>  [<ffffffff8151af8c>] ? cpuidle_enter_state+0x13c/0x200
[  186.937496]  [<ffffffff8151b072>] cpuidle_enter+0x12/0x20
[  186.937500]  [<ffffffff8108c5be>] call_cpuidle+0x1e/0x30
[  186.937503]  [<ffffffff8108c851>] cpu_startup_entry+0x191/0x220
[  186.937506]  [<ffffffff8162032d>] rest_init+0x6d/0x70
[  186.937509]  [<ffffffff81cc1896>] 0xffffffff81cc1896
[  186.937511]  [<ffffffff81cc0120>] ? 0xffffffff81cc0120
[  186.937514]  [<ffffffff81cc03a0>] 0xffffffff81cc03a0
[  186.937516]  [<ffffffff81cc03a0>] ? 0xffffffff81cc03a0
[  186.937518]  [<ffffffff81cc04bc>] 0xffffffff81cc04bc
[  186.937735] PAX: network_header:0 off:ffffff95


I didn't experience any problems with the card when running on vanilla kernel - so I'm not sure upstream is the best place to report to.
neeo
 
Posts: 2
Joined: Mon Aug 01, 2016 12:11 pm

Re: size overflow in skb

Postby careta » Thu Mar 16, 2017 8:24 pm

I had this problem in 4.4, and it seems to have disappeared in 4.9.14.
careta
 
Posts: 11
Joined: Sun May 18, 2014 6:43 pm


Return to grsecurity support