grsecurity forums

[kdave]

grsecurity-3.1-4.2.3-201510190716.patch

Code: Select all

PAX: size overflow detected in function scm_detach_fds ../net/core/scm.c:309 cicus.208_135 min, count: 4, decl: msg_controllen; num: 0; context: msghdr
;
[    9.824184] CPU: 0 PID: 634 Comm: dbus-daemon Not tainted 4.2.3-5-grsec-guest-kvm #1
[    9.826996] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20141110_125520-cloud137 04/01/2014
[    9.832067]  5ce08c9a23d488f9 ffffffff81f4769c 0000000000000000 ffffffff81f4769c
[    9.835002]  ffffffff81668e85 ffffffff81f4768d ffffffff81196925 0000040000000000
[    9.837980]  0000040000000000 ffff88007c3ba170 0000000000000001 00000388c93a3644
[    9.840944] Call Trace:
[    9.843047]  [<ffffffff81668e85>] ? dump_stack+0x40/0x56
[    9.845590]  [<ffffffff81196925>] ? report_size_overflow+0x35/0x40
[    9.848243]  [<ffffffff8154a2e1>] ? scm_detach_fds+0x2c1/0x2e0
[    9.850773]  [<ffffffff81606e91>] ? unix_stream_read_generic+0x5d1/0x900
[    9.853435]  [<ffffffff81607297>] ? unix_stream_recvmsg+0x47/0x60
[    9.855953]  [<ffffffff816034e0>] ? unix_set_peek_off+0x50/0x50
[    9.858418]  [<ffffffff81532f8e>] ? sock_recvmsg+0x4e/0x70
[    9.860842]  [<ffffffff81534fbf>] ? ___sys_recvmsg+0xef/0x230
[    9.863271]  [<ffffffff815366dd>] ? __sys_recvmsg+0x3d/0x70
[    9.865675]  [<ffffffff8166fe69>] ? entry_SYSCALL_64_fastpath+0x12/0x83


Source:

Code: Select all

300                 int cmlen = CMSG_LEN(i*sizeof(int));
301                 err = put_user(SOL_SOCKET, &cm->cmsg_level);
302                 if (!err)
303                         err = put_user(SCM_RIGHTS, &cm->cmsg_type);
304                 if (!err)
305                         err = put_user(cmlen, &cm->cmsg_len);
306                 if (!err) {
307                         cmlen = CMSG_SPACE(i*sizeof(int));
308                         msg->msg_control += cmlen;
309                         msg->msg_controllen -= cmlen;
310                 }


[ephox]

Hi,
Could you please apply this patch and send me the result from dmesg?

Code: Select all

--- net/core/scm.c.orig 2015-10-20 00:22:55.880116597 +0200
+++ net/core/scm.c      2015-10-20 00:23:02.724116292 +0200
@@ -306,6 +306,7 @@
                if (!err) {
                        cmlen = CMSG_SPACE(i*sizeof(int));
                        msg->msg_control += cmlen;
+                       printk(KERN_ERR "PAX overflow msg_controllen %lx cmlen: %x\n", msg->msg_controllen, cmlen);
                        msg->msg_controllen -= cmlen;
                }


[kdave]

Code: Select all

[   13.949116] PAX overflow msg_controllen 14 cmlen: 18

The values are same in all overflow reports.

[ephox]

This is a real underflow bug, could you please report it to the kernel mailing list?

[hackurx]

Hi,

Same problem on a physical machine:

Code: Select all

Oct 21 07:19:01 srv kernel: [39336.258900] PAX: size overflow detected in function scm_detach_fds net/core/scm.c:309 cicus.241_114 min, count: 22, decl: msg_controllen; num: 0; context: msghdr;
Oct 21 07:19:01 srv kernel: [39336.259613] CPU: 3 PID: 24802 Comm: sshd Tainted: G           OE   4.2.3-srv #1
Oct 21 07:19:01 srv kernel: [39336.259618] Hardware name: To be filled by O.E.M. To be filled by O.E.M./DXXXX-HD, BIOS X.X.X XX/XX/20XX
Oct 21 07:19:01 srv kernel: [39336.259622]  c6100399dde5e116 0000040000000000 0000000000000000 fffffffffffffffc
Oct 21 07:19:01 srv kernel: [39336.259630]  ffffffff817be387 0000000000000018 ffffffff81681c97 ffff880072bb8000
Oct 21 07:19:01 srv kernel: [39336.259636]  0000000100000001 000003f9bc846a80 ffffc9000658bc70 ffffea0002eba700
Oct 21 07:19:01 srv kernel: [39336.259642] Call Trace:
Oct 21 07:19:01 srv kernel: [39336.259655]  [<ffffffff817be387>] ? dump_stack+0x47/0x78
Oct 21 07:19:01 srv kernel: [39336.259663]  [<ffffffff81681c97>] ? scm_detach_fds+0x267/0x290
Oct 21 07:19:01 srv kernel: [39336.259670]  [<ffffffff8174a8fa>] ? unix_stream_read_generic+0x4aa/0x850
Oct 21 07:19:01 srv kernel: [39336.259678]  [<ffffffff8174ad77>] ? unix_stream_recvmsg+0x47/0x60
Oct 21 07:19:01 srv kernel: [39336.259683]  [<ffffffff81748de0>] ? unix_set_peek_off+0x50/0x50
Oct 21 07:19:01 srv kernel: [39336.259690]  [<ffffffff8166971f>] ? ___sys_recvmsg+0xef/0x230
Oct 21 07:19:01 srv kernel: [39336.259697]  [<ffffffff8166c55d>] ? __sys_recvmsg+0x3d/0x70
Oct 21 07:19:01 srv kernel: [39336.259704]  [<ffffffff817c4fad>] ? entry_SYSCALL_64_fastpath+0x16/0x87

[kdave]

I confirm that grsecurity-3.1-4.2.3-201510202025.patch fixes the problem.

[hackurx]

Thank you
For the curious, here are the changes:

Code: Select all

@@ -211,7 +211,7 @@
    struct cmsghdr __user *cm
       = (struct cmsghdr __force_user *)msg->msg_control;
    struct cmsghdr cmhdr;
-   int cmlen = CMSG_LEN(len);
+   size_t cmlen = CMSG_LEN(len);
    int err;
 
    if (MSG_CMSG_COMPAT & msg->msg_flags)
@@ -297,7 +297,7 @@
 
    if (i > 0)
    {
-      int cmlen = CMSG_LEN(i*sizeof(int));
+      size_t cmlen = CMSG_LEN(i*sizeof(int));
       err = put_user(SOL_SOCKET, &cm->cmsg_level);
       if (!err)
          err = put_user(SCM_RIGHTS, &cm->cmsg_type);
@@ -305,6 +305,8 @@
          err = put_user(cmlen, &cm->cmsg_len);
       if (!err) {
          cmlen = CMSG_SPACE(i*sizeof(int));
+         if (msg->msg_controllen < cmlen)
+            cmlen = msg->msg_controllen;
          msg->msg_control += cmlen;
          msg->msg_controllen -= cmlen;
       }