Discuss and suggest new grsecurity features
by kdave » Mon Oct 19, 2015 5:44 pm
grsecurity-3.1-4.2.3-201510190716.patch
Code:
PAX: size overflow detected in function scm_detach_fds ../net/core/scm.c:309 cicus.208_135 min, count: 4, decl: msg_controllen; num: 0; context: msghdr;
[ 9.824184] CPU: 0 PID: 634 Comm: dbus-daemon Not tainted 4.2.3-5-grsec-guest-kvm #1
[ 9.826996] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20141110_125520-cloud137 04/01/2014
[ 9.832067] 5ce08c9a23d488f9 ffffffff81f4769c 0000000000000000 ffffffff81f4769c
[ 9.835002] ffffffff81668e85 ffffffff81f4768d ffffffff81196925 0000040000000000
[ 9.837980] 0000040000000000 ffff88007c3ba170 0000000000000001 00000388c93a3644
[ 9.840944] Call Trace:
[ 9.843047] [<ffffffff81668e85>] ? dump_stack+0x40/0x56
[ 9.845590] [<ffffffff81196925>] ? report_size_overflow+0x35/0x40
[ 9.848243] [<ffffffff8154a2e1>] ? scm_detach_fds+0x2c1/0x2e0
[ 9.850773] [<ffffffff81606e91>] ? unix_stream_read_generic+0x5d1/0x900
[ 9.853435] [<ffffffff81607297>] ? unix_stream_recvmsg+0x47/0x60
[ 9.855953] [<ffffffff816034e0>] ? unix_set_peek_off+0x50/0x50
[ 9.858418] [<ffffffff81532f8e>] ? sock_recvmsg+0x4e/0x70
[ 9.860842] [<ffffffff81534fbf>] ? ___sys_recvmsg+0xef/0x230
[ 9.863271] [<ffffffff815366dd>] ? __sys_recvmsg+0x3d/0x70
[ 9.865675] [<ffffffff8166fe69>] ? entry_SYSCALL_64_fastpath+0x12/0x83
Source:
Code:
300         int cmlen = CMSG_LEN(i*sizeof(int));
301         err = put_user(SOL_SOCKET, &cm->cmsg_level);
302         if (!err)
303                 err = put_user(SCM_RIGHTS, &cm->cmsg_type);
304         if (!err)
305                 err = put_user(cmlen, &cm->cmsg_len);
306         if (!err) {
307                 cmlen = CMSG_SPACE(i*sizeof(int));
308                 msg->msg_control += cmlen;
309                 msg->msg_controllen -= cmlen;
310         }
by ephox » Mon Oct 19, 2015 5:58 pm
Hi,
Could you please apply this patch and send me the result from dmesg?
Code:
--- net/core/scm.c.orig 2015-10-20 00:22:55.880116597 +0200
+++ net/core/scm.c 2015-10-20 00:23:02.724116292 +0200
@@ -306,6 +306,7 @@
if (!err) {
cmlen = CMSG_SPACE(i*sizeof(int));
msg->msg_control += cmlen;
+ printk(KERN_ERR "PAX overflow msg_controllen %lx cmlen: %x\n", msg->msg_controllen, cmlen);
msg->msg_controllen -= cmlen;
}
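Review bot: `msg->msg_controllen` is a `size_t`, so the `%lx` in the added printk should be `%zx` (it only works here because `unsigned long` and `size_t` have the same width on x86-64), and both values come out in hex, which matters when reading the reply below: `14` and `18` are 0x14 and 0x18, i.e. 20 and 24 bytes, which is exactly CMSG_LEN(sizeof(int)) versus CMSG_SPACE(sizeof(int)) on a 64-bit kernel. For a throwaway diagnostic that is fine, but `%zu`/`%u` would have made the report self-explanatory.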
by kdave » Tue Oct 20, 2015 12:46 pm
Code:
[ 13.949116] PAX overflow msg_controllen 14 cmlen: 18
The values are the same in all overflow reports.
by ephox » Tue Oct 20, 2015 2:50 pm
This is a real underflow bug; could you please report it to the kernel mailing list?
by hackurx » Wed Oct 21, 2015 4:22 am
Hi,
Same problem on a physical machine:
Code:
Oct 21 07:19:01 srv kernel: [39336.258900] PAX: size overflow detected in function scm_detach_fds net/core/scm.c:309 cicus.241_114 min, count: 22, decl: msg_controllen; num: 0; context: msghdr;
Oct 21 07:19:01 srv kernel: [39336.259613] CPU: 3 PID: 24802 Comm: sshd Tainted: G OE 4.2.3-srv #1
Oct 21 07:19:01 srv kernel: [39336.259618] Hardware name: To be filled by O.E.M. To be filled by O.E.M./DXXXX-HD, BIOS X.X.X XX/XX/20XX
Oct 21 07:19:01 srv kernel: [39336.259622] c6100399dde5e116 0000040000000000 0000000000000000 fffffffffffffffc
Oct 21 07:19:01 srv kernel: [39336.259630] ffffffff817be387 0000000000000018 ffffffff81681c97 ffff880072bb8000
Oct 21 07:19:01 srv kernel: [39336.259636] 0000000100000001 000003f9bc846a80 ffffc9000658bc70 ffffea0002eba700
Oct 21 07:19:01 srv kernel: [39336.259642] Call Trace:
Oct 21 07:19:01 srv kernel: [39336.259655] [<ffffffff817be387>] ? dump_stack+0x47/0x78
Oct 21 07:19:01 srv kernel: [39336.259663] [<ffffffff81681c97>] ? scm_detach_fds+0x267/0x290
Oct 21 07:19:01 srv kernel: [39336.259670] [<ffffffff8174a8fa>] ? unix_stream_read_generic+0x4aa/0x850
Oct 21 07:19:01 srv kernel: [39336.259678] [<ffffffff8174ad77>] ? unix_stream_recvmsg+0x47/0x60
Oct 21 07:19:01 srv kernel: [39336.259683] [<ffffffff81748de0>] ? unix_set_peek_off+0x50/0x50
Oct 21 07:19:01 srv kernel: [39336.259690] [<ffffffff8166971f>] ? ___sys_recvmsg+0xef/0x230
Oct 21 07:19:01 srv kernel: [39336.259697] [<ffffffff8166c55d>] ? __sys_recvmsg+0x3d/0x70
Oct 21 07:19:01 srv kernel: [39336.259704] [<ffffffff817c4fad>] ? entry_SYSCALL_64_fastpath+0x16/0x87
by kdave » Wed Oct 21, 2015 10:46 am
I confirm that grsecurity-3.1-4.2.3-201510202025.patch fixes the problem.
by hackurx » Wed Oct 21, 2015 2:14 pm
Thank you

For the curious, here are the changes:
Code:
@@ -211,7 +211,7 @@
struct cmsghdr __user *cm
= (struct cmsghdr __force_user *)msg->msg_control;
struct cmsghdr cmhdr;
- int cmlen = CMSG_LEN(len);
+ size_t cmlen = CMSG_LEN(len);
int err;
if (MSG_CMSG_COMPAT & msg->msg_flags)
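Review bot: the `int` to `size_t` change in put_cmsg() here (and the identical one in scm_detach_fds() in the next hunk) is type hygiene rather than the fix: `cmlen` is compared with and subtracted from `msg_controllen`, which is a `size_t`, and written into `cmsg_len`, a `__kernel_size_t`, so the `int` only introduced mixed signed/unsigned arithmetic without changing any result. The commit message should state that the behavioural change is the clamp in the last hunk, so that nobody backports the type changes alone and expects the underflow to be gone.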
@@ -297,7 +297,7 @@
if (i > 0)
{
- int cmlen = CMSG_LEN(i*sizeof(int));
+ size_t cmlen = CMSG_LEN(i*sizeof(int));
err = put_user(SOL_SOCKET, &cm->cmsg_level);
if (!err)
err = put_user(SCM_RIGHTS, &cm->cmsg_type);
@@ -305,6 +305,8 @@
err = put_user(cmlen, &cm->cmsg_len);
if (!err) {
cmlen = CMSG_SPACE(i*sizeof(int));
+ if (msg->msg_controllen < cmlen)
+ cmlen = msg->msg_controllen;
msg->msg_control += cmlen;
msg->msg_controllen -= cmlen;
}
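Review bot: this clamp is the actual fix, and it is right not to set MSG_CTRUNC: `cmsg_len` was written as CMSG_LEN(i*sizeof(int)) a few lines up, so the header and all i descriptors already fit in the buffer; only the alignment padding that CMSG_SPACE adds on top of CMSG_LEN (4 bytes on 64-bit for an odd fd count, the 20 versus 24 seen in the debug output earlier in the thread) can exceed `msg_controllen`. A one-line comment above the `if` saying that the trailing padding may legitimately be cut off would keep the next reader from "fixing" it by flagging truncation.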
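To make the arithmetic behind the reports and the fix concrete, here is an added example that is not code from the thread, grsecurity or the kernel: it models the msg_controllen bookkeeping of scm_detach_fds() before and after the clamp, using the real CMSG_LEN/CMSG_SPACE macros from <sys/socket.h>. The struct and function names are mine, and no socket or kernel interface is touched; the numbers match the 64-bit values printed in the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>   /* real CMSG_LEN / CMSG_SPACE macros */
/* Added example, not code from the thread: the two struct msghdr fields the
 * scm.c snippet touches, with msg_control kept as an offset (no memory access). */
struct ctl_state { size_t control; size_t controllen; };

/* Bookkeeping as reported (scm.c:307-309): subtract CMSG_SPACE even when the
 * user supplied only CMSG_LEN bytes, so controllen can wrap below zero. */
static void detach_unfixed(struct ctl_state *m, int nfds)
{
	size_t cmlen = CMSG_SPACE(nfds * sizeof(int));
	m->control += cmlen;
	m->controllen -= cmlen;
}
/* Same bookkeeping with the clamp added by the third hunk of the fix. */
static void detach_fixed(struct ctl_state *m, int nfds)
{
	size_t cmlen = CMSG_SPACE(nfds * sizeof(int));
	if (m->controllen < cmlen)
		cmlen = m->controllen;
	m->control += cmlen;
	m->controllen -= cmlen;
}
/* A buffer of exactly CMSG_LEN(nfds ints) holds the header and every fd, so
 * it is a legal size. Returns 1 if the unfixed code still wraps controllen. */
int unfixed_wraps(int nfds)
{
	struct ctl_state m = { 0, CMSG_LEN(nfds * sizeof(int)) };
	detach_unfixed(&m, nfds);
	return m.controllen > CMSG_SPACE(nfds * sizeof(int));
}
/* Bytes the fixed code leaves unconsumed in that buffer (expected: 0). */
size_t fixed_remaining(int nfds)
{
	struct ctl_state m = { 0, CMSG_LEN(nfds * sizeof(int)) };
	detach_fixed(&m, nfds);
	return m.controllen;
}

int main(void)
{
	/* On 64-bit only counts whose 4-byte payload is not 8-byte aligned
	 * (the odd ones) hit the bug; nfds=1 gives the 20 vs 24 seen in the thread. */
	for (int n = 1; n <= 4; n++)
		printf("nfds=%d CMSG_LEN=%zu CMSG_SPACE=%zu wraps=%d fixed_left=%zu\n", n,
		       (size_t)CMSG_LEN(n * sizeof(int)), (size_t)CMSG_SPACE(n * sizeof(int)),
		       unfixed_wraps(n), fixed_remaining(n));
	return 0;
}
```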