PAX: size overflow detected in function ttm_bo_handle_move_mem drivers/gpu/drm/ttm/ttm_bo.c

Postby foxxx0 » Mon Feb 13, 2017 7:41 am

Hey,

As we've got a working 4.9 grsec release now, I wanted to try out the experimental amdgpu support for my Radeon SI card.

Unfortunately, there seems to be a size overflow somewhere which doesn't let me boot grsec with amdgpu.

GPU: Radeon HD7850 Eyfinity6
Kernel: 4.9.9
Grsec: 201702122044

I'm happy to test any patches :)


Code:
Feb 13 12:26:40 utgard kernel: PAX: size overflow detected in function ttm_bo_handle_move_mem drivers/gpu/drm/ttm/ttm_bo.c:388 cicus.459_185 max, count: 5, decl: offset; num: 0; context: ttm_buffer_object;


Code:
Feb 13 12:26:40 utgard kernel: [drm] amdgpu kernel modesetting enabled.
Feb 13 12:26:40 utgard kernel: AMD IOMMUv2 driver by Joerg Roedel <jroedel@suse.de>
Feb 13 12:26:40 utgard kernel: AMD IOMMUv2 functionality not available on this system
Feb 13 12:26:40 utgard kernel: CRAT table not found
Feb 13 12:26:40 utgard kernel: Finished initializing topology ret=0
Feb 13 12:26:40 utgard kernel: kfd kfd: Initialized module
Feb 13 12:26:40 utgard kernel: checking generic (e0000000 300000) vs hw (e0000000 10000000)
Feb 13 12:26:40 utgard kernel: fb: switching to amdgpudrmfb from EFI VGA
Feb 13 12:26:40 utgard kernel: Console: switching to colour dummy device 80x25
Feb 13 12:26:40 utgard kernel: [drm] initializing kernel modesetting (PITCAIRN 0x1002:0x6819 0x1787:0x2320 0x00).
Feb 13 12:26:40 utgard kernel: [drm] register mmio base: 0xF0000000
Feb 13 12:26:40 utgard kernel: [drm] register mmio size: 262144
Feb 13 12:26:40 utgard kernel: ATOM BIOS: PITCAIRN
Feb 13 12:26:40 utgard kernel: [drm] GPU post is not needed
Feb 13 12:26:40 utgard systemd[1]: Started udev Kernel Device Manager.
Feb 13 12:26:40 utgard kernel: [TTM] Zone  kernel: Available graphics memory: 8156542 kiB
Feb 13 12:26:40 utgard kernel: [TTM] Zone   dma32: Available graphics memory: 2097152 kiB
Feb 13 12:26:40 utgard kernel: [TTM] Initializing pool allocator
Feb 13 12:26:40 utgard kernel: [TTM] Initializing DMA pool allocator
Feb 13 12:26:40 utgard kernel: amdgpu 0000:01:00.0: VRAM: 2048M 0x0000000000000000 - 0x000000007FFFFFFF (2048M used)
Feb 13 12:26:40 utgard kernel: amdgpu 0000:01:00.0: GTT: 7965M 0x0000000080000000 - 0x0000000271D5F7FF
Feb 13 12:26:40 utgard kernel: [drm] Detected VRAM RAM=2048M, BAR=256M
Feb 13 12:26:40 utgard kernel: [drm] RAM width 256bits GDDR5
Feb 13 12:26:40 utgard kernel: [drm] amdgpu: 2048M of VRAM memory ready
Feb 13 12:26:40 utgard kernel: [drm] amdgpu: 7965M of GTT memory ready.
Feb 13 12:26:40 utgard kernel: [drm] GART: num cpu pages 2039135, num gpu pages 2039135
Feb 13 12:26:40 utgard kernel: amdgpu 0000:01:00.0: PCIE GART of 7965M enabled (table at 0x0000000000040000).
Feb 13 12:26:40 utgard kernel: PAX: size overflow detected in function ttm_bo_handle_move_mem drivers/gpu/drm/ttm/ttm_bo.c:388 cicus.459_185 max, count: 5, decl: offset; num: 0; context: ttm_buffer_object;
Feb 13 12:26:40 utgard kernel: CPU: 2 PID: 332 Comm: systemd-modules Not tainted 4.9.9.r201702122044-1-grsec #1
Feb 13 12:26:40 utgard kernel: Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z87E-ITX, BIOS P2.50 07/11/2014
Feb 13 12:26:40 utgard kernel:  ffffc90002567470 ffffffff8147f3a8 ffff88041c5ae0a8 ccf608c88f91db2d
Feb 13 12:26:40 utgard kernel:  ffffffffa04a6d56 0000000000000184 ffffc900025674a0 ffffffff812c5713
Feb 13 12:26:40 utgard kernel:  ffff8804181b6058 000000007ffff000 ffffc90002567568 0000000000000001
Feb 13 12:26:40 utgard kernel: Call Trace:
Feb 13 12:26:40 utgard kernel:  [<ffffffff8147f3a8>] dump_stack+0xc3/0x13b
Feb 13 12:26:40 utgard kernel:  [<ffffffffa04a6d56>] ? ttm_exit+0x1ef1/0x587c [ttm]
Feb 13 12:26:40 utgard kernel:  [<ffffffff812c5713>] report_size_overflow+0xb3/0xe0
Feb 13 12:26:40 utgard kernel:  [<ffffffffa0496fcf>] ttm_bo_handle_move_mem+0x26f/0x7b0 [ttm]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa049812f>] ? ttm_bo_mem_space+0x46f/0x5a0 [ttm]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa0498b19>] ttm_bo_validate+0x219/0x240 [ttm]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa04927d8>] ? ttm_check_swapping+0x78/0xe0 [ttm]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa04931c4>] ? ttm_mem_global_alloc+0x54/0xc0 [ttm]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa0498ff9>] ttm_bo_init+0x4b9/0x690 [ttm]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa04e3839>] amdgpu_bo_create_restricted+0x249/0x700 [amdgpu]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa04e3140>] ? amdgpu_update_memory_usage+0x160/0x160 [amdgpu]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa04e421e>] amdgpu_bo_create+0x11e/0x220 [amdgpu]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa04c9b02>] amdgpu_device_init+0x1882/0x1f90 [amdgpu]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa05ff3c0>] ? amdgpu_pm_ops+0xc0/0xc0 [amdgpu]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa05ff8a0>] ? pciidlist+0x300/0x17e0 [amdgpu]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa04cd912>] amdgpu_driver_load_kms+0x82/0x2e0 [amdgpu]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa03f1ce3>] drm_dev_register+0x163/0x1b0 [drm]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa03f4985>] drm_get_pci_dev+0x165/0x2e0 [drm]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa05ff8a0>] ? pciidlist+0x300/0x17e0 [amdgpu]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa04c59ee>] amdgpu_pci_probe+0x10e/0x180 [amdgpu]
Feb 13 12:26:40 utgard kernel:  [<ffffffff815081cb>] local_pci_probe+0x8b/0x120
Feb 13 12:26:40 utgard kernel:  [<ffffffff81508089>] ? pci_match_device+0x149/0x180
Feb 13 12:26:40 utgard kernel:  [<ffffffff81509792>] pci_device_probe+0x1a2/0x230
Feb 13 12:26:40 utgard kernel:  [<ffffffffa05ff8a0>] ? pciidlist+0x300/0x17e0 [amdgpu]
Feb 13 12:26:40 utgard kernel:  [<ffffffff8167fe69>] driver_probe_device+0x189/0x510
Feb 13 12:26:40 utgard kernel:  [<ffffffff8168034c>] __driver_attach+0x15c/0x180
Feb 13 12:26:40 utgard kernel:  [<ffffffff816801f0>] ? driver_probe_device+0x510/0x510
Feb 13 12:26:40 utgard kernel:  [<ffffffff8167be77>] bus_for_each_dev+0xc7/0x160
Feb 13 12:26:40 utgard kernel:  [<ffffffff8167effc>] driver_attach+0x3c/0x70
Feb 13 12:26:40 utgard kernel:  [<ffffffff8167e713>] bus_add_driver+0x1c3/0x350
Feb 13 12:26:40 utgard kernel:  [<ffffffffa042c9c8>] ? drm_legacy_agp_clear+0xd6e8/0x22341 [drm]
Feb 13 12:26:40 utgard kernel:  [<ffffffff816811c7>] driver_register+0x97/0x170
Feb 13 12:26:40 utgard kernel:  [<ffffffffa042c9c8>] ? drm_legacy_agp_clear+0xd6e8/0x22341 [drm]
Feb 13 12:26:40 utgard kernel:  [<ffffffff8150761f>] __pci_register_driver+0x8f/0xe0
Feb 13 12:26:40 utgard kernel:  [<ffffffffa05ff3c0>] ? amdgpu_pm_ops+0xc0/0xc0 [amdgpu]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa03f4ca9>] drm_pci_init+0x1a9/0x1d0 [drm]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa0697186>] amdgpu_init+0x17e/0x1f8 [amdgpu]
Feb 13 12:26:40 utgard kernel:  [<ffffffffa0697008>] ? __param_vramlimit+0x24830/0x24830 [amdgpu]
Feb 13 12:26:40 utgard kernel:  [<ffffffff810006a4>] do_one_initcall+0x84/0x230
Feb 13 12:26:40 utgard kernel:  [<ffffffff811dbb67>] do_init_module+0x9f/0x358
Feb 13 12:26:40 utgard kernel:  [<ffffffff81175132>] load_module+0x2ff2/0x3580
Feb 13 12:26:40 utgard kernel:  [<ffffffff811708c0>] ? show_taint+0x80/0x80
Feb 13 12:26:40 utgard kernel:  [<ffffffffa0697270>] ? initify.186.50030+0x30/0x5f550 [amdgpu]
Feb 13 12:26:40 utgard kernel:  [<ffffffff811759f9>] sys_init_module+0x339/0x370
Feb 13 12:26:40 utgard kernel:  [<ffffffff81175a6f>] rap_sys_init_module+0x3f/0x70
Feb 13 12:26:40 utgard kernel:  [<ffffffff819541f2>] entry_SYSCALL_64_fastpath+0x31/0x121



Vanilla 4.9.8 boots just fine with amdgpu, dmesg:
Code:
[Mon Feb 13 12:27:29 2017] [drm] amdgpu kernel modesetting enabled.
[Mon Feb 13 12:27:29 2017] fb: switching to amdgpudrmfb from EFI VGA
[Mon Feb 13 12:27:29 2017] amdgpu 0000:01:00.0: VRAM: 2048M 0x0000000000000000 - 0x000000007FFFFFFF (2048M used)
[Mon Feb 13 12:27:29 2017] amdgpu 0000:01:00.0: GTT: 7968M 0x0000000080000000 - 0x00000002720E77FF
[Mon Feb 13 12:27:29 2017] [drm] amdgpu: 2048M of VRAM memory ready
[Mon Feb 13 12:27:29 2017] [drm] amdgpu: 7968M of GTT memory ready.
[Mon Feb 13 12:27:29 2017] amdgpu 0000:01:00.0: PCIE GART of 7968M enabled (table at 0x0000000000040000).
[Mon Feb 13 12:27:29 2017] amdgpu 0000:01:00.0: amdgpu: using MSI.
[Mon Feb 13 12:27:29 2017] [drm] amdgpu: irq initialized.
[Mon Feb 13 12:27:29 2017] [drm] amdgpu: dpm initialized
[Mon Feb 13 12:27:29 2017] [drm] AMDGPU Display Connectors
[Mon Feb 13 12:27:29 2017] amdgpu 0000:01:00.0: fence driver on ring 0 use gpu addr 0x0000000080000010, cpu addr 0xffff8804170af010
[Mon Feb 13 12:27:29 2017] amdgpu 0000:01:00.0: fence driver on ring 1 use gpu addr 0x0000000080000020, cpu addr 0xffff8804170af020
[Mon Feb 13 12:27:29 2017] amdgpu 0000:01:00.0: fence driver on ring 2 use gpu addr 0x0000000080000030, cpu addr 0xffff8804170af030
[Mon Feb 13 12:27:29 2017] amdgpu 0000:01:00.0: fence driver on ring 3 use gpu addr 0x0000000080000040, cpu addr 0xffff8804170af040
[Mon Feb 13 12:27:29 2017] amdgpu 0000:01:00.0: fence driver on ring 4 use gpu addr 0x0000000080000050, cpu addr 0xffff8804170af050
[Mon Feb 13 12:27:30 2017] fbcon: amdgpudrmfb (fb0) is primary device
[Mon Feb 13 12:27:30 2017] amdgpu 0000:01:00.0: fb0: amdgpudrmfb frame buffer device
[Mon Feb 13 12:27:30 2017] [drm] Initialized amdgpu 3.8.0 20150101 for 0000:01:00.0 on minor 0

Re: PAX: size overflow detected in function ttm_bo_handle_move_mem drivers/gpu/drm/ttm/ttm_bo.c

Postby foxxx0 » Mon Feb 13, 2017 12:47 pm

Adding the following patch from pipacs:

Code:
--- a/drivers/gpu/drm/ttm/ttm_bo.c       2016-12-13 12:11:19.867579755 +0100
+++ b/drivers/gpu/drm/ttm/ttm_bo.c        2017-02-13 16:18:24.346406456 +0100
@@ -385,6 +385,7 @@
        }

        if (bo->mem.mm_node) {
+               printk("PAX start:%lx type:%x offset:%lx\n", bo->mem.start, bo->mem.mem_type, bdev->man[bo->mem.mem_type].gpu_offset);
                bo->offset = (bo->mem.start << PAGE_SHIFT) +
                    bdev->man[bo->mem.mem_type].gpu_offset;
                bo->cur_placement = bo->mem.placement;
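Review bot: the printk inserted just before the bo->offset assignment has no log level and prints gpu_offset with %lx, which only matches if that field is an unsigned long on the build target; for a one-off diagnostic that is acceptable, but if it stays it should be pr_debug()/KERN_DEBUG with a format that matches the field's declared width (e.g. %llx with an (unsigned long long) cast), and it would be more informative to also print the value actually stored in bo->offset on the following line, so the wrap is visible directly instead of being inferred from the inputs.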


yielded the following:

Code:
Feb 13 17:39:04 utgard kernel: PAX start:7fffffffffffffff type:1 offset:80000000


Which indeed seems to be an overflow.

I'll continue to be in contact with pipacs but also keep this thread updated.

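Added example (not code from the thread, from pipacs, or from the kernel): this small C program redoes the arithmetic that ttm_bo_handle_move_mem performs for bo->offset, `(bo->mem.start << PAGE_SHIFT) + gpu_offset`, with the values the debug printk reported, next to a checked form that refuses the computation instead of wrapping. It assumes PAGE_SHIFT is 12 (x86-64, 4 KiB pages) and uses uint64_t for `start` where the kernel uses unsigned long; both helper names are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption for this example: x86-64 with 4 KiB pages. */
#define PAGE_SHIFT 12

/* The same expression ttm_bo_handle_move_mem stores into bo->offset. Unsigned
 * arithmetic wraps silently here; the PaX size-overflow plugin instruments
 * this store and reports at run time when the value does not fit. 'start' is
 * a page number, 'gpu_offset' the byte base of the placement domain. */
static uint64_t ttm_offset_unchecked(uint64_t start, uint64_t gpu_offset)
{
    return (start << PAGE_SHIFT) + gpu_offset;
}

/* Checked variant (hypothetical helper, not a TTM function): returns 1 and
 * stores the byte offset in *out, or returns 0 when the shift or the addition
 * would not fit in 64 bits (the value left in *out is then not meaningful). */
static int ttm_offset_checked(uint64_t start, uint64_t gpu_offset, uint64_t *out)
{
    uint64_t shifted;

    /* Any page number above this bound would lose bits when shifted. */
    if (start > (UINT64_MAX >> PAGE_SHIFT))
        return 0;
    shifted = start << PAGE_SHIFT;

    /* GCC/Clang builtin: returns true if the sum wrapped. */
    if (__builtin_add_overflow(shifted, gpu_offset, out))
        return 0;
    return 1;
}

int main(void)
{
    /* Values taken from the "PAX start:7fffffffffffffff type:1 offset:80000000"
     * line above: type 1 is TTM_PL_TT, and 0x80000000 is the GTT base that
     * amdgpu printed at probe time. */
    const uint64_t start = 0x7fffffffffffffffULL;
    const uint64_t gpu_offset = 0x80000000ULL;
    uint64_t out = 0;

    printf("unchecked bo->offset = %#llx\n",
           (unsigned long long)ttm_offset_unchecked(start, gpu_offset));

    if (!ttm_offset_checked(start, gpu_offset, &out))
        printf("checked: overflow, offset not stored\n");

    /* A plausible page number in the same domain goes through unchanged. */
    if (ttm_offset_checked(0x100, gpu_offset, &out))
        printf("checked: page 0x100 -> %#llx\n", (unsigned long long)out);

    return 0;
}
```

With the reported inputs the unchecked form yields 0x7ffff000: shifting 2^63-1 left by 12 drops its high bits, and adding the GTT base wraps the 64-bit sum a second time. That truncation is what the plugin flags on the store to `offset` (the same value can be seen among the words in the stack dump of the first post). A start page that fits below UINT64_MAX >> PAGE_SHIFT, such as 0x100, gives 0x80100000 as expected, so a check of this shape distinguishes a real placement from a sentinel-like page number without rejecting normal traffic.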