PAX: size overflow detected in function xfs_bmbt_to_iomap fs/xfs/xfs_iomap.c:972


Postby brainatwork » Wed Nov 23, 2016 9:56 am

Hi

One triggered xfs-related size overflow. Happens since 4.8.6-4.8.9...

--8<--
[ 48.428822] PAX: size overflow detected in function xfs_bmbt_to_iomap fs/xfs/xfs_iomap.c:972 cicus.404_40 max, count: 87, decl: length; num: 0; context: iomap;
[ 48.428824] CPU: 0 PID: 4267 Comm: systemd-readahe Not tainted 4.8.6-hardened-canicula-gw22 #2
[ 48.428825] Hardware name: Hewlett-Packard HP EliteDesk 800 G1 TWR/18E4, BIOS L01 v02.21 12/17/2013
[ 48.428826] 0000000000000246 6a8683674785bc87 ffffffff8159dfe3 ffffffff820eabd1
[ 48.428827] 6a8683674785bc87 ffffffff820ea03d 00000000000003cc ffffffff8120fa9e
[ 48.428829] ffffc90006d3bc48 ffffc90006d3bcc0 ffffc90006d3bbc0 8000000000000000
[ 48.428830] Call Trace:
[ 48.428834] [<ffffffff8159dfe3>] ? dump_stack+0x64/0xa4
[ 48.428837] [<ffffffff8120fa9e>] ? report_size_overflow+0x35/0x7b
[ 48.428840] [<ffffffff81400a99>] ? xfs_bmbt_to_iomap+0x194/0x203
[ 48.428841] [<ffffffff81400e11>] ? xfs_file_iomap_begin+0x309/0x33e
[ 48.428842] [<ffffffff81400e11>] ? xfs_file_iomap_begin+0x309/0x33e
[ 48.428844] [<ffffffff815093e0>] ? avc_has_perm_noaudit+0x68/0xc0
[ 48.428847] [<ffffffff81263e30>] ? iomap_apply+0x77/0x165
[ 48.428848] [<ffffffff81263e30>] ? iomap_apply+0x77/0x165
[ 48.428850] [<ffffffff81263fbf>] ? iomap_to_fiemap+0x63/0x63
[ 48.428851] [<ffffffff81264e64>] ? iomap_fiemap+0x93/0x10b
[ 48.428852] [<ffffffff81264e64>] ? iomap_fiemap+0x93/0x10b
[ 48.428853] [<ffffffff81263fbf>] ? iomap_to_fiemap+0x63/0x63
[ 48.428854] [<ffffffff81401547>] ? xfs_vn_fiemap+0x58/0x80
[ 48.428856] [<ffffffff8121b064>] ? do_vfs_ioctl+0x882/0x97c
[ 48.428857] [<ffffffff8126f50b>] ? proc_pid_readlink+0x1b6/0x30c
[ 48.428858] [<ffffffff8121b1ab>] ? sys_ioctl+0x4d/0x7b
[ 48.428861] [<ffffffff81c04053>] ? entry_SYSCALL_64_fastpath+0x13/0xa3
[ 48.428862] [<ffffffff81c04077>] ? entry_SYSCALL_64_fastpath+0x37/0xa3


[ 23.628162] PAX: size overflow detected in function xfs_bmbt_to_iomap fs/xfs/xfs_iomap.c:972 cicus.404_40 max, count: 87, decl: length; num: 0; context: iomap;
[ 23.628165] CPU: 6 PID: 3078 Comm: systemd-readahe Not tainted 4.8.9-hardened-canicula-gw22 #2
[ 23.628165] Hardware name: Hewlett-Packard HP EliteDesk 800 G1 TWR/18E4, BIOS L01 v02.21 12/17/2013
[ 23.628166] 0000000000000246 4205dd92a5ad4db5 ffffffff8159f791 ffffffff820eabea
[ 23.628168] 4205dd92a5ad4db5 ffffffff820ea056 00000000000003cc ffffffff8120fdc7
[ 23.628170] ffffc90004853bd8 ffffc90004853c50 ffffc90004853b50 8000000000000000
[ 23.628180] Call Trace:
[ 23.628184] [<ffffffff8159f791>] ? dump_stack+0x64/0xa4
[ 23.628186] [<ffffffff8120fdc7>] ? report_size_overflow+0x35/0x7b
[ 23.628189] [<ffffffff8140236f>] ? xfs_bmbt_to_iomap+0x194/0x203
[ 23.628190] [<ffffffff814026e7>] ? xfs_file_iomap_begin+0x309/0x33e
[ 23.628191] [<ffffffff814026e7>] ? xfs_file_iomap_begin+0x309/0x33e
[ 23.628203] [<ffffffff81264724>] ? iomap_apply+0x76/0x165
[ 23.628204] [<ffffffff81264724>] ? iomap_apply+0x76/0x165
[ 23.628206] [<ffffffff812648b4>] ? iomap_to_fiemap+0x63/0x63
[ 23.628207] [<ffffffff8126575e>] ? iomap_fiemap+0x93/0x10b
[ 23.628208] [<ffffffff8126575e>] ? iomap_fiemap+0x93/0x10b
[ 23.628209] [<ffffffff812648b4>] ? iomap_to_fiemap+0x63/0x63
[ 23.628210] [<ffffffff81402e26>] ? xfs_vn_fiemap+0x58/0x80
[ 23.628212] [<ffffffff8121b3d2>] ? do_vfs_ioctl+0x887/0x981
[ 23.628213] [<ffffffff8121b519>] ? sys_ioctl+0x4d/0x7b
[ 23.628216] [<ffffffff81c060d3>] ? entry_SYSCALL_64_fastpath+0x13/0xa3
--8<--

Re: PAX: size overflow detected in function xfs_bmbt_to_iomap fs/xfs/xfs_iomap.c:972

Postby PaX Team » Wed Nov 23, 2016 12:39 pm

can you print out the values of imap->br_blockcount and mp->m_sb.sb_blocklog before that line?

Re: PAX: size overflow detected in function xfs_bmbt_to_iomap fs/xfs/xfs_iomap.c:972

Postby brainatwork » Thu Nov 24, 2016 4:35 am

Can you please be more specific? Before which line? There is no imap->br_blockcount or mp->m_sb.sb_blocklog in the dmesg output.
Am I missing debug settings in the kernel config?

I have multiple systems hitting that. However, no KVM domUs, just kernels running on hardware.

--8<--
Nov 13 15:46:22 callisto dhclient[3682]: DHCPDISCOVER on enp2s0 to 255.255.255.255 port 67 interval 8 (xid=0x1eb733a2)
Nov 13 15:46:22 callisto dhclient[3682]: DHCPREQUEST on enp2s0 to 255.255.255.255 port 67 (xid=0x1eb733a2)
Nov 13 15:46:22 callisto dhclient[3682]: DHCPOFFER from 192.168.3.254
Nov 13 15:46:22 callisto dhclient[3682]: DHCPACK from 192.168.3.254 (xid=0x1eb733a2)
Nov 13 15:46:24 callisto NET[3733]: /usr/sbin/dhclient-script : updated /etc/resolv.conf
Nov 13 15:46:24 callisto kernel: PAX: size overflow detected in function xfs_bmbt_to_iomap fs/xfs/xfs_iomap.c:972 cicus.404_40 max, count: 87, decl: length; num: 0; context: iomap;
Nov 13 15:46:24 callisto kernel: CPU: 2 PID: 2558 Comm: systemd-readahe Not tainted 4.8.7-hardened-callisto-gw21 #1
Nov 13 15:46:24 callisto kernel: Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./870 Extreme3, BIOS P1.60 09/14/2010
Nov 13 15:46:24 callisto kernel: 0000000000000246 50e4328eb9de0be0 ffffffff81578b91 ffffffff82111f77
Nov 13 15:46:24 callisto systemd[1]: systemd-readahead-collect.service: main process exited, code=killed, status=9/KILL
Nov 13 15:46:24 callisto kernel: 50e4328eb9de0be0 ffffffff821113e3 00000000000003cc ffffffff811e1de3
Nov 13 15:46:24 callisto kernel: ffffc90004d6bc08 ffffc90004d6bc80 ffffc90004d6bb80 8000000000000000
Nov 13 15:46:24 callisto kernel: Call Trace:
Nov 13 15:46:24 callisto kernel: [<ffffffff81578b91>] ? dump_stack+0x64/0xa4
Nov 13 15:46:24 callisto kernel: [<ffffffff811e1de3>] ? report_size_overflow+0x35/0x7b
Nov 13 15:46:24 callisto kernel: [<ffffffff813d7fac>] ? xfs_bmbt_to_iomap+0x194/0x203
Nov 13 15:46:24 callisto kernel: [<ffffffff813d8324>] ? xfs_file_iomap_begin+0x309/0x33e
Nov 13 15:46:24 callisto kernel: [<ffffffff813d8324>] ? xfs_file_iomap_begin+0x309/0x33e
Nov 13 15:46:24 callisto kernel: [<ffffffff8123f036>] ? iomap_apply+0x76/0x165
Nov 13 15:46:24 callisto kernel: [<ffffffff8123f036>] ? iomap_apply+0x76/0x165
Nov 13 15:46:24 callisto kernel: [<ffffffff8123f1c6>] ? iomap_to_fiemap+0x63/0x63
Nov 13 15:46:24 callisto kernel: [<ffffffff81240060>] ? iomap_fiemap+0x90/0x108
Nov 13 15:46:24 callisto kernel: [<ffffffff81240060>] ? iomap_fiemap+0x90/0x108
Nov 13 15:46:24 callisto kernel: [<ffffffff8123f1c6>] ? iomap_to_fiemap+0x63/0x63
Nov 13 15:46:24 callisto kernel: [<ffffffff813d8a5a>] ? xfs_vn_fiemap+0x58/0x80
Nov 13 15:46:24 callisto kernel: [<ffffffff811ed1f5>] ? do_vfs_ioctl+0x87b/0x975
Nov 13 15:46:24 callisto kernel: [<ffffffff811ed33c>] ? sys_ioctl+0x4d/0x7b
Nov 13 15:46:24 callisto kernel: [<ffffffff81cc0e77>] ? entry_SYSCALL_64_fastpath+0x17/0xa7
--8<--

Re: PAX: size overflow detected in function xfs_bmbt_to_iomap fs/xfs/xfs_iomap.c:972

Postby PaX Team » Thu Nov 24, 2016 6:07 am

i meant something like this:
--- fs/xfs/xfs_iomap.c.orig     2016-11-23 20:41:56.670433347 +0100
+++ fs/xfs/xfs_iomap.c  2016-11-23 20:45:49.518422966 +0100
@@ -969,6 +969,7 @@
                        iomap->type = IOMAP_MAPPED;
        }
        iomap->offset = XFS_FSB_TO_B(mp, imap->br_startoff);
+       printk(KERN_ERR "PAX br_blockcount: %llx, blocklog: %x\n", imap->br_blockcount, mp->m_sb.sb_blocklog);
        iomap->length = XFS_FSB_TO_B(mp, imap->br_blockcount);
        iomap->bdev = xfs_find_bdev_for_inode(VFS_I(ip));
 }
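Review bot: the printk added above the `iomap->length` assignment reports only the two operands, with nothing to say which inode or extent they belong to; `ip` and `imap->br_startoff` are both in scope at this point, so including them would let the reporter tie the reading to a specific file. The `%llx` and `%x` specifiers also depend on the field types matching them exactly, so explicit casts such as `(unsigned long long)imap->br_blockcount` and `(unsigned int)mp->m_sb.sb_blocklog` would keep the output correct whatever those fields are typedef'd to. Because the print is unconditional, the line to read is the one immediately preceding the "PAX: size overflow detected" report in dmesg, and the printk should be dropped again once the values are captured.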