size overflow in bio_split block/bio.c:1800


Postby jotik » Fri Oct 07, 2016 10:49 pm

With Gentoo's hardened-sources on a Raspberry Pi 2, when running `blkdiscard /dev/mmcblk0p2`:

[  123.353876] PAX: size overflow detected in function bio_split block/bio.c:1800 cicus.904_41 max, count: 139, decl: bi_size; num: 0; context: bvec_iter;
[  123.361433] CPU: 0 PID: 1723 Comm: blkdiscard Not tainted 4.7.6-v7 #1
[  123.361449] Hardware name: BCM2835
[  123.361462] Backtrace:
[  123.361509] [<8010d710>] (dump_backtrace+0x0/0x118) from [<8010d8b8>] (show_stack+0x18/0x1c)
[  123.361522]  r7:600f0013 r6:80b20714 r5:80b03788 r4:00000000
[  123.361568] [<8010d8a0>] (show_stack+0x0/0x1c) from [<8047658c>] (dump_stack+0xac/0xe0)
[  123.361597] [<804764e0>] (dump_stack+0x0/0xe0) from [<80221600>] (report_size_overflow+0x80/0x90)
[  123.361608]  r7:809269d0 r6:00000708 r5:80925af0 r4:8099f898
[  123.361648] [<80221580>] (report_size_overflow+0x0/0x90) from [<80435280>] (bio_split+0xe4/0x114)
[  123.361659]  r8:9d300000 r7:004e9800 r6:bd161b40 r5:00000000 r4:9d300000
[  123.361704] [<8043519c>] (bio_split+0x0/0x114) from [<80440804>] (blk_queue_split+0x408/0x844)
[  123.361716]  r10:bd161a80 r9:00000000 r8:00500000 r7:00000000 r6:bd385500 r5:00000000
[  123.361749]  r4:004e9800 r3:bd385500
[  123.361781] [<804403fc>] (blk_queue_split+0x0/0x844) from [<8043b970>] (blk_queue_bio+0x44/0x2ec)
[  123.361793]  r10:bd161a80 r9:00000000 r8:bcab0010 r7:bd398000 r6:00000000 r5:80b03788
[  123.361826]  r4:bd398000
[  123.361853] [<8043b92c>] (blk_queue_bio+0x0/0x2ec) from [<804392b4>] (generic_make_request+0xe8/0x1a4)
[  123.361864]  r7:bd398000 r6:ffffffff r5:bd161a80 r4:80b03788
[  123.361905] [<804391cc>] (generic_make_request+0x0/0x1a4) from [<8043940c>] (submit_bio+0x9c/0x1c8)
[  123.361916]  r8:00000081 r7:bd15c880 r6:024000c0 r5:80b03788 r4:bd161a80
[  123.361961] [<80439370>] (submit_bio+0x0/0x1c8) from [<804431b8>] (next_bio+0x6c/0x98)
[  123.361972]  r10:bd161a80 r9:00000000 r8:00000081 r7:bd15c880 r6:024000c0 r5:bd1619c0
[  123.362006]  r4:bd161a80
[  123.362030] [<8044314c>] (next_bio+0x0/0x98) from [<804432b8>] (__blkdev_issue_discard+0xd4/0x364)
[  123.362041]  r9:00000000 r8:fd300000 r7:00000000 r6:007e0000 r5:007e0000 r4:007e9800
[  123.362089] [<804431e4>] (__blkdev_issue_discard+0x0/0x364) from [<804435c0>] (blkdev_issue_discard+0x78/0xd8)
[  123.362100]  r10:00000081 r9:00000000 r8:00000000 r7:00000000 r6:073f1800 r5:80b03788
[  123.362133]  r4:bcd0a200
[  123.362159] [<80443548>] (blkdev_issue_discard+0x0/0xd8) from [<8044a290>] (blk_ioctl_discard+0x194/0x200)
[  123.362170]  r10:00000000 r9:bcd0a200 r8:80b03788 r7:00000000 r6:073f1800 r5:00000000
[  123.362203]  r4:00000000
[  123.362225] [<8044a0fc>] (blk_ioctl_discard+0x0/0x200) from [<8044b1fc>] (blkdev_ioctl+0x774/0xfb8)
[  123.362236]  r10:00000000 r9:00000003 r8:0004001e r7:7e417ed0 r6:00001277 r5:bcd0a200
[  123.362270]  r4:80b03788
[  123.362297] [<8044aa88>] (blkdev_ioctl+0x0/0xfb8) from [<80258660>] (block_ioctl+0x3c/0x40)
[  123.362308]  r10:00000000 r9:00000003 r8:bd2cf598 r7:00001277 r6:bd0f9f00 r5:7e417ed0
[  123.362341]  r4:80b03788
[  123.362368] [<80258624>] (block_ioctl+0x0/0x40) from [<8022ca5c>] (do_vfs_ioctl+0xb8/0xd54)
[  123.362394] [<8022c9a4>] (do_vfs_ioctl+0x0/0xd54) from [<8022d734>] (sys_ioctl+0x3c/0x64)
[  123.362405]  r10:00000000 r9:bcab0000 r8:7e417ed0 r7:00001277 r6:bd0f9f00 r5:00000003
[  123.362438]  r4:bd0f9f00
[  123.362464] [<8022d6f8>] (sys_ioctl+0x0/0x64) from [<801084a0>] (ret_fast_syscall+0x0/0x70)
[  123.362475]  r9:bcab0000 r8:80108704 r7:00000036 r6:7e300000 r5:00000003 r4:7e417ed0
jotik
 
Posts: 22
Joined: Mon Oct 19, 2015 5:11 am

Re: size overflow in bio_split block/bio.c:1800

Postby ephox » Sat Oct 08, 2016 8:03 am

Hi,

Could you please apply this patch and send me the results from dmesg?
--- block/bio.c.orig    2016-10-08 14:01:28.477164927 +0200
+++ block/bio.c 2016-10-08 14:02:32.013168614 +0200
@@ -1797,6 +1797,7 @@
        if (!split)
                return NULL;
 
+       printk(KERN_ERR "PAX: %x\n", sectors);
        split->bi_iter.bi_size = sectors << 9;
 
        if (bio_integrity(split))
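Review bot: The added printk fires on every call to bio_split() at KERN_ERR, so a run of ordinary small splits will push many identical lines into dmesg before the interesting value appears; printing only when `sectors` exceeds `INT_MAX >> 9`, or using printk_ratelimited(), would keep the value that matters from being buried. Since the assignment on the next line, `split->bi_iter.bi_size = sectors << 9;`, performs the shift in the type of `sectors` rather than in the type of `bi_size`, it would also help to log `(unsigned long long)sectors << 9` next to the `%x` so the output shows directly whether the 32-bit intermediate is what overflows.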
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm

Re: size overflow in bio_split block/bio.c:1800

Postby jotik » Sat Oct 08, 2016 3:29 pm

This added a number of

PAX: f0

lines to dmesg. All with value f0, except the ones right before the crash, which are all

PAX: 4e9800
jotik
 
Posts: 22
Joined: Mon Oct 19, 2015 5:11 am

Re: size overflow in bio_split block/bio.c:1800

Postby jotik » Sat Nov 05, 2016 12:56 pm

Any progress on this?
jotik
 
Posts: 22
Joined: Mon Oct 19, 2015 5:11 am

Re: size overflow in bio_split block/bio.c:1800

Postby PaX Team » Sat Nov 05, 2016 3:46 pm

It should be fixed already (the kernel code triggered undefined behaviour); do you still have the problem?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
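As an added illustration of the undefined behaviour mentioned above (not code from this thread or from the kernel): in bio_split() the assignment `split->bi_iter.bi_size = sectors << 9` shifts an `int`, so the 0x4e9800 sectors seen in the debug output produce 0x9d300000 (the r8 value in the bio_split frame of the backtrace), which exceeds INT_MAX before the value ever reaches the unsigned `bi_size` field. The checked helper below assumes those types (`int sectors`, `unsigned int bi_size`) and reports the same condition the size-overflow plugin instruments.

```c
#include <limits.h>
#include <stdio.h>

/* Error codes returned instead of a byte count. */
#define SECTORS_ERR_NEGATIVE        (-1LL)
#define SECTORS_ERR_SIGNED_OVERFLOW (-2LL)

/* Largest sector count whose byte length still fits in a signed int. */
#define MAX_INT_SECTORS (INT_MAX >> 9)   /* 0x3fffff */

/*
 * Checked stand-in for `split->bi_iter.bi_size = sectors << 9` in bio_split().
 * Assumes the kernel's types: `sectors` is an int, bi_size is an unsigned int.
 * The shift is evaluated in int, so once the result exceeds INT_MAX the
 * operation is undefined behaviour, even though the unsigned destination
 * could still represent the value; that is the condition the PaX
 * size-overflow plugin instruments and reports.
 *
 * Returns the byte length (>= 0) or a negative SECTORS_ERR_* code.
 */
long long sectors_to_bytes_checked(int sectors)
{
    if (sectors < 0)
        return SECTORS_ERR_NEGATIVE;
    if (sectors > MAX_INT_SECTORS)
        return SECTORS_ERR_SIGNED_OVERFLOW;
    /* Widen before shifting so the arithmetic itself is always defined. */
    return (long long)sectors << 9;
}

int main(void)
{
    /* Sector counts taken from the thread's debug output. */
    const int samples[] = { 0xf0, 0x4e9800 };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long long r = sectors_to_bytes_checked(samples[i]);
        if (r == SECTORS_ERR_SIGNED_OVERFLOW)
            printf("sectors=0x%x: 0x%x << 9 overflows int (limit 0x%x sectors)\n",
                   samples[i], samples[i], MAX_INT_SECTORS);
        else if (r < 0)
            printf("sectors=0x%x: invalid (negative)\n", samples[i]);
        else
            printf("sectors=0x%x: bi_size=0x%llx\n", samples[i], r);
    }
    return 0;
}
```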

Re: size overflow in bio_split block/bio.c:1800

Postby jotik » Sat Nov 05, 2016 5:03 pm

PaX Team wrote: It should be fixed already (the kernel code triggered undefined behaviour); do you still have the problem?

I was not notified that it was fixed, so I didn't know to test.
jotik
 
Posts: 22
Joined: Mon Oct 19, 2015 5:11 am

