
pax overflow in android binder

Posted: Fri Apr 21, 2017 3:34 am
by alaviss
Kernel version: 4.9.22.r201704120836-1-grsec

[  874.806063] PAX: size overflow detected in function binder_mmap drivers/android/binder.c:2911 cicus.568_197 min, count: 24, decl: user_buffer_offset; num: 0; context: binder_proc;
[  874.806068] CPU: 2 PID: 30397 Comm: servicemanager Tainted: G           O    4.9.22.r201704120836-1-grsec #2
[  874.806069] Hardware name: Dell Inc. Inspiron 5548/0FFJC4, BIOS A07 06/23/2016
[  874.806071]  0000000000000000 ffffffff81360aa2 ffffffff8197faf8 03875e56d266529e
[  874.806075]  ffffffff81951800 0000000000000b5f ffffffff811f7410 ffff88016d4a4000
[  874.806078]  ffffc90005e93d48 ffff8801bca5cac8 0000a0916bf61000 ffffffff8159858f
[  874.806081] Call Trace:
[  874.806087]  [<ffffffff81360aa2>] ? dump_stack+0x69/0xa7
[  874.806091]  [<ffffffff811f7410>] ? report_size_overflow+0x70/0x80
[  874.806094]  [<ffffffff8159858f>] ? binder_mmap+0x28f/0x3f0
[  874.806097]  [<ffffffff811ca375>] ? kmem_cache_alloc+0xe5/0x140
[  874.806100]  [<ffffffff8119dfb0>] ? mmap_region+0x620/0x930
[  874.806102]  [<ffffffff8119e883>] ? do_mmap+0x5c3/0x6d0
[  874.806104]  [<ffffffff81176d58>] ? vm_mmap_pgoff+0xc8/0x100
[  874.806106]  [<ffffffff8119ac80>] ? sys_mmap_pgoff+0x1b0/0x260
[  874.806109]  [<ffffffff816fa224>] ? entry_SYSCALL_64_fastpath+0x17/0x98


This happened when running Anbox, causing its session manager to continuously respawn.

Re: pax overflow in android binder

Posted: Fri Apr 21, 2017 7:21 pm
by spender
Thanks, this will be fixed in the next patch.

-Brad

Re: pax overflow in android binder

Posted: Sun Apr 23, 2017 5:56 am
by alaviss
Another overflow in version 4.9.24.r201704220732-1-grsec

[  682.208193] PAX: size overflow detected in function binder_thread_write drivers/android/binder.c:1562 cicus.762_568 max, count: 55, decl: min_priority; num: 0; context: binder_node;
[  682.208198] CPU: 0 PID: 10619 Comm: anboxd Not tainted 4.9.24.r201704220732-1-grsec #1
[  682.208200] Hardware name: Dell Inc. Inspiron 5548/0FFJC4, BIOS A07 06/23/2016
[  682.208201]  0000000000000000 ffffffff81360e12 ffffffff819812a0 b67a41f10ce9a2c8
[  682.208205]  ffffffff81951ce8 000000000000061a ffffffff811f7540 0000000000000078
[  682.208208]  ffffc90005b800c8 ffff88020aca6200 ffff88020ac80600 ffffffff8159ed7c
[  682.208211] Call Trace:
[  682.208216]  [<ffffffff81360e12>] ? dump_stack+0x69/0xa7
[  682.208219]  [<ffffffff811f7540>] ? report_size_overflow+0x70/0x80
[  682.208223]  [<ffffffff8159ed7c>] ? binder_thread_write+0x1b7c/0x2a00
[  682.208225]  [<ffffffff815998eb>] ? binder_thread_read+0x64b/0xea0
[  682.208228]  [<ffffffff8159fd3f>] ? binder_ioctl_write_read.isra.16+0x13f/0x220
[  682.208230]  [<ffffffff815a00ec>] ? binder_ioctl+0x2cc/0x446
[  682.208232]  [<ffffffff81193730>] ? handle_mm_fault+0x2f0/0xfc0
[  682.208235]  [<ffffffff8120a03c>] ? do_vfs_ioctl+0xac/0x6e0
[  682.208237]  [<ffffffff8120a6ee>] ? sys_ioctl+0x7e/0x90
[  682.208240]  [<ffffffff816fb464>] ? entry_SYSCALL_64_fastpath+0x17/0x98
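
A small triage helper for the two PaX size-overflow reports in this thread (an added example, not code from the thread or from grsecurity): it pulls the report line, the task line and the call trace out of dmesg text, checks that the frame directly above report_size_overflow is the function the report names, and records the sys_* frame the trace entered through. The embedded sample is a constructed, trimmed copy of the two traces above.

```python
import re

# PaX size-overflow report header, as printed by report_size_overflow()
REPORT_RE = re.compile(
    r"PAX: size overflow detected in function (?P<func>\w+) (?P<file>\S+):(?P<line>\d+) \S+ "
    r"(?P<bound>min|max), count: (?P<count>\d+), decl: (?P<decl>\w+); num: \d+; context: (?P<context>\w+);")
# task line that follows it: PID, comm, taint state, kernel release
TASK_RE = re.compile(
    r"CPU: \d+ PID: (?P<pid>\d+) Comm: (?P<comm>\S+) (?P<taint>Tainted: .+?|Not tainted)"
    r"\s+(?P<kernel>\d+\.\d+\.\S+) #\d+")
# one call-trace frame: [<addr>] ? symbol+0xoff/0xsize
FRAME_RE = re.compile(r"\[<[0-9a-f]+>\] \? (?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_dmesg(text):
    """Group each PaX size-overflow report with its task line and call trace."""
    events = []
    for raw in text.splitlines():
        line = re.sub(r"^\[\s*[\d.]+\]\s*", "", raw)  # strip the dmesg timestamp
        if m := REPORT_RE.search(line):
            ev = m.groupdict()
            ev["line"], ev["count"], ev["frames"] = int(ev["line"]), int(ev["count"]), []
            events.append(ev)
        elif events and (m := TASK_RE.search(line)):
            events[-1].update(pid=int(m["pid"]), comm=m["comm"], kernel=m["kernel"],
                              tainted=m["taint"].startswith("Tainted"))
        elif events and (m := FRAME_RE.search(line)):
            events[-1]["frames"].append(m["sym"])
    return events

def instrumented_frame(ev):
    """Frame just above report_size_overflow; should equal the reported function."""
    return ev["frames"][ev["frames"].index("report_size_overflow") + 1]

def syscall_entry(ev):
    """First sys_* frame: the syscall through which userspace reached the check."""
    return next((f for f in ev["frames"] if f.startswith("sys_")), None)

# Constructed sample: the two reports from this thread, trimmed to three frames each.
SAMPLE = """\
[  874.806063] PAX: size overflow detected in function binder_mmap drivers/android/binder.c:2911 cicus.568_197 min, count: 24, decl: user_buffer_offset; num: 0; context: binder_proc;
[  874.806068] CPU: 2 PID: 30397 Comm: servicemanager Tainted: G           O    4.9.22.r201704120836-1-grsec #2
[  874.806091]  [<ffffffff811f7410>] ? report_size_overflow+0x70/0x80
[  874.806094]  [<ffffffff8159858f>] ? binder_mmap+0x28f/0x3f0
[  874.806106]  [<ffffffff8119ac80>] ? sys_mmap_pgoff+0x1b0/0x260
[  682.208193] PAX: size overflow detected in function binder_thread_write drivers/android/binder.c:1562 cicus.762_568 max, count: 55, decl: min_priority; num: 0; context: binder_node;
[  682.208198] CPU: 0 PID: 10619 Comm: anboxd Not tainted 4.9.24.r201704220732-1-grsec #1
[  682.208219]  [<ffffffff811f7540>] ? report_size_overflow+0x70/0x80
[  682.208223]  [<ffffffff8159ed7c>] ? binder_thread_write+0x1b7c/0x2a00
[  682.208237]  [<ffffffff8120a6ee>] ? sys_ioctl+0x7e/0x90
"""
```

Running parse_dmesg(SAMPLE) yields one record per report, which is enough to group repeated detections by function, decl and originating comm before reporting them.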

Re: pax overflow in android binder

Posted: Tue Apr 25, 2017 10:27 pm
by spender
Thanks, it'll be fixed in the patch being released shortly.

-Brad