Page 1 of 1

PAX: size overflow detected in function pptp_rcv_core

PostPosted: Thu May 12, 2016 4:15 am
by Pinkbyte
This is similar report that i posted earlier(viewtopic.php?f=3&t=4437) - symptoms are very similar

Using Hardened Gentoo kernel 4.5.3-r1. When first PPTP connection happens, kernel panicked:

Code: Select all
PAX: size overflow detected in function pptp_rcv_core include/linux/skbuff.h:2132 cicus.195_168 max, count: 9, decl: network_header; num: 0; context: sk_buff;
Kernel panic - not syncing: Aiee, killing interrupt handler!
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.5.3-hardened-r1-VIRTUAL #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 00000000 003ed97f 00200046 c2406580 00000009 000d0904 c2406580 00000009
 c2406580 00000001 00044eae c213b7d0 00000000 f540fd7c 00005996 00000000
 c219d367 00000024 00000000 f540fd1c 00200286 00000000 c24070c0 00000009
Call Trace:
 [<003ed97f>] ? dump_stack+0x45/0x66
 [<00200046>] ? ext4_xattr_set_entry+0x1a6/0x590
 [<000d0904>] ? panic+0x81/0x174
 [<00044eae>] ? do_exit+0x7be/0xa10
 [<00005996>] ? runqueues+0x56/0xa0
 [<00200286>] ? ext4_xattr_set_entry+0x3e6/0x590
 [<00045fa0>] ? do_group_exit+0x30/0x90
 [<0012b689>] ? report_size_overflow+0x69/0x70
 [<004fde86>] ? pptp_rcv_core+0x316/0x320
 [<00200246>] ? ext4_xattr_set_entry+0x3a6/0x590
 [<005bf8df>] ? sk_receive_skb+0x10f/0x1b0
 [<000017c9>] ? pt_ctx+0x21/0x58
 [<006ff188>] ? gre_rcv+0x58/0x100
 [<006ae07f>] ? ip_local_deliver_finish+0xaf/0x2b0
 [<006ae3ec>] ? ip_local_deliver+0x4c/0xb0
 [<006adfd0>] ? ip_rcv_finish+0x370/0x370
 [<006adcd7>] ? ip_rcv_finish+0x77/0x370
 [<006ae773>] ? ip_rcv+0x323/0x510
 [<006adc60>] ? inet_del_offload+0x30/0x30
 [<005d726a>] ? __netif_receive_skb_core+0x28a/0x990
 [<00080000>] ? print_cfs_rq+0xdf0/0xf40
 [<005d8703>] ? dev_gro_receive+0x2d3/0x5f0
 [<0006bb1f>] ? sched_clock_cpu+0xff/0x130
 [<00002a00>] ? lru_add_pvec+0x40/0x40
 [<005d79d7>] ? netif_receive_skb_internal+0x17/0x70
 [<005d8c77>] ? napi_gro_receive+0x77/0xc0
 [<004f1e34>] ? virtnet_receive+0x474/0xa00
 [<00002a00>] ? lru_add_pvec+0x40/0x40
 [<004f248f>] ? virtnet_poll+0xf/0x70
 [<005d8213>] ? net_rx_action+0x3e3/0x600
 [<00046b18>] ? __do_softirq+0xb8/0x1a0
 [<00200000>] ? ext4_xattr_set_entry+0x160/0x590
 [<00046a60>] ? cpu_callback+0xf0/0xf0
 [<0000568a>] ? do_softirq_own_stack+0x1a/0x20
 <IRQ>  [<00046d1d>] ? irq_exit+0x7d/0x80
 [<0000500a>] ? menu_devices+0xa/0x80
 [<00200006>] ? ext4_xattr_set_entry+0x166/0x590
 [<007c89f8>] ? common_interrupt+0x38/0x40
 [<0000bc52>] ? default_idle+0x2/0x10
 [<00200246>] ? ext4_xattr_set_entry+0x3a6/0x590
 [<0000c0a6>] ? arch_cpu_idle+0x6/0x10
 [<0007d36c>] ? cpu_startup_entry+0x16c/0x210
 [<016084f2>] ? 0x16084f2
 [<00020800>] ? intel_pt_interrupt+0x30/0x130
Kernel Offset: disabled
Rebooting in 5 seconds..


skbuff.h around line 2132:

Code: Select all
static inline void skb_set_network_header(struct sk_buff *skb, const int offset)
{
        skb_reset_network_header(skb);
        skb->network_header += offset;
}


Line 2132 in include/linux/skbuff.h is: skb->network_header += offset;

Line 371 in drivers/net/ppp/pptp.c is: skb_set_network_header(skb, skb->head-skb->data);

So this line(371) WAS not removed as suggested at previous thread, thus - panic is still here!

Re: PAX: size overflow detected in function pptp_rcv_core

PostPosted: Thu May 12, 2016 4:50 am
by PaX Team
hmm, i don't know how i managed to pull this one off, the fixed line's there but so is the old one. thanks for the report, will be *really* fixed in the next patch.