Size overflow detected in function ext4_mb_new_group_pa

Discuss and suggest new grsecurity features

Size overflow detected in function ext4_mb_new_group_pa

Postby Active2 » Tue Feb 21, 2017 10:32 am

Hello all,

Grsecurity patch: 3.1-4.9.10-201702162016

I got a kernel panic with:

size overflow detected in function ext4_mb_new_group_pa /usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/fs/ext4/mballoc.h:199 cicus.979_194 max, count: 103, decl: pa_lstart; num: 0; context: ext4_prealloc_space;


After booting with: pax_size_overflow_report_only I got a backtrace:

[ 13.900697] PAX: size overflow detected in function ext4_mb_new_group_pa /usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/fs/ext4/mballoc.h:199 cicus.979_194 max, count: 103, decl: pa_lstart; num: 0; context: ext4_prealloc_space;
[ 13.903750] CPU: 10 PID: 1209 Comm: cp Not tainted 4.9.0-2-grsec-amd64 #1 Debian 4.9.10-1+grsec201702162016+1
[ 13.904828] Hardware name: Supermicro Super Server/X10SRL-F, BIOS 2.0a 08/01/2016
[ 13.905920] 0000000000000000 ffffffff814d215c ffffffffa02eeb08 8340c9803a45308c
[ 13.907024] ffffffffa02eeb08 00000000000000c7 ffffffff812d142b ffff881031b00c80
[ 13.908141] ffffc9000716b8c0 ffff88102b7d2750 000000015790ac00 ffffffffa02b3cd0
[ 13.909261] Call Trace:
[ 13.910378] [<ffffffff814d215c>] ? dump_stack+0xbd/0x131
[ 13.911536] [<ffffffffa02eeb08>] ? ext4_xattr_security_handler+0x13088/0x2a6f0 [ext4]
[ 13.912680] [<ffffffffa02eeb08>] ? ext4_xattr_security_handler+0x13088/0x2a6f0 [ext4]
[ 13.913804] [<ffffffff812d142b>] ? report_size_overflow+0xab/0xd0
[ 13.914931] [<ffffffffa02b3cd0>] ? ext4_mb_new_group_pa+0x480/0x690 [ext4]
[ 13.916055] [<ffffffffa02bc5b3>] ? ext4_mb_new_blocks+0xd33/0xfe0 [ext4]
[ 13.917169] [<ffffffffa02a0c4c>] ? ext4_find_extent+0x27c/0x390 [ext4]
[ 13.918275] [<ffffffffa02a75dd>] ? ext4_ext_map_blocks+0xecd/0x2bd0 [ext4]
[ 13.919378] [<ffffffff8120a766>] ? __pagevec_lru_add_fn+0x186/0x260
[ 13.920473] [<ffffffff8120b77e>] ? release_pages+0x39e/0x480
[ 13.921573] [<ffffffff8120a5e0>] ? pagevec_move_tail_fn+0x120/0x120
[ 13.922652] [<ffffffff81200001>] ? gfp_pfmemalloc_allowed+0x11/0xb0
[ 13.923728] [<ffffffffa026b6b2>] ? ext4_map_blocks+0x252/0xaf0 [ext4]
[ 13.924795] [<ffffffffa0145013>] ? jbd2__journal_start+0x133/0x200 [jbd2]
[ 13.925849] [<ffffffffa027188b>] ? ext4_writepages+0x87b/0x1180 [ext4]
[ 13.926888] [<ffffffff812088cb>] ? do_writepages+0x5b/0xb0
[ 13.927905] [<ffffffff811f3fb3>] ? __filemap_fdatawrite_range+0x133/0x1c0
[ 13.928904] [<ffffffff811f41d9>] ? filemap_flush+0x39/0x70
[ 13.929901] [<ffffffffa026db22>] ? ext4_alloc_da_blocks+0x52/0x70 [ext4]
[ 13.930900] [<ffffffffa025f973>] ? ext4_release_file+0xb3/0x130 [ext4]
[ 13.931906] [<ffffffff812c8316>] ? __fput+0x146/0x360
[ 13.932901] [<ffffffff812c85cc>] ? ____fput+0x2c/0x60
[ 13.933893] [<ffffffff810d36ef>] ? task_work_run+0xbf/0x120
[ 13.934879] [<ffffffff81002131>] ? exit_to_usermode_loop+0x121/0x140
[ 13.935864] [<ffffffff81002827>] ? syscall_return_slowpath+0xd7/0xf0
[ 13.936848] [<ffffffff81963028>] ? entry_SYSCALL_64_fastpath+0x123/0x125


There are more of those messages in my dmesg. I have the dmesg available if that is needed to research what is going on here.

It seems to be related to this bug: https://bugs.gentoo.org/show_bug.cgi?id=585638

Regards,
Active2
 
Posts: 14
Joined: Fri Feb 27, 2004 5:51 am

Re: Size overflow detected in function ext4_mb_new_group_pa

Postby ephox » Tue Feb 21, 2017 1:10 pm

Hi,

Could you please apply this patch and send me the result from dmesg?
Code: Select all
--- fs/ext4/mballoc.c.orig      2017-02-21 17:35:58.283793248 +0100
+++ fs/ext4/mballoc.c   2017-02-21 18:06:38.471818061 +0100
@@ -3677,6 +3677,17 @@
        return 0;
 }
 
+static void pr_2(struct super_block *sb, ext4_group_t group_no)
+{
+       printk(KERN_ERR "PAX pr_2: group_no: %x, EXT4_BLOCKS_PER_GROUP(sb): %lx, EXT4_SB(sb)->s_es->s_first_data_block: %x\n", group_no, EXT4_BLOCKS_PER_GROUP(sb), EXT4_SB(sb)->s_es->s_first_data_block);
+}
+
+static void pr_1(struct super_block *sb, struct ext4_free_extent *fex)
+{
+       printk(KERN_ERR "PAX pr_1: fex->fe_start: %x, EXT4_SB(sb)->s_cluster_bits: %x\n", fex->fe_start, EXT4_SB(sb)->s_cluster_bits);
+       pr_2(sb, fex->fe_group);
+}
+
 /*
  * creates new preallocated space for locality group inodes belongs to
  */
@@ -3702,6 +3713,7 @@
         * allocated blocks for history */
        ac->ac_f_ex = ac->ac_b_ex;
 
+       pr_1(sb, &ac->ac_b_ex);
        pa->pa_pstart = ext4_grp_offs_to_block(sb, &ac->ac_b_ex);
        pa->pa_lstart = pa->pa_pstart;
        pa->pa_len = ac->ac_b_ex.fe_len;


Which gcc version did you use? Could you please send me your kernel .config?
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm

Re: Size overflow detected in function ext4_mb_new_group_pa

Postby Active2 » Wed Feb 22, 2017 1:26 pm

Compiler version (gcc-6 -v)
Code: Select all
Using built-in specs.
COLLECT_GCC=gcc-6
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/6/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 6.3.0-7' --with-bugurl=file:///usr/share/doc/gcc-6/README.Bugs --enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-6 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-6-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-6-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-6-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --with-target-system-zlib --enable-objc-gc=auto --enable-multiarch --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 6.3.0 20170218 (Debian 6.3.0-7)


The .config: http://pastebin.com/sr8M9bP0

The complete dmesg output http://pastebin.com/wr3UGLS9

Regards,
Active2
 
Posts: 14
Joined: Fri Feb 27, 2004 5:51 am

Re: Size overflow detected in function ext4_mb_new_group_pa

Postby ephox » Wed Feb 22, 2017 4:16 pm

Hi,

Could you please send me the results (fs/ext4/mballoc.*) of make fs/ext4/mballoc.o EXTRA_CFLAGS="-fdump-tree-all -fdump-ipa-all"?
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm

Re: Size overflow detected in function ext4_mb_new_group_pa

Postby Active2 » Wed Feb 22, 2017 5:21 pm

I'm not sure if this helps:

Code: Select all
root@hammer:/usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/build_amd64_grsec_amd64# make fs/ext4/mballoc.o EXTRA_CFLAGS="-fdump-tree-all -fdump-ipa-all"
  CHK     include/config/kernel.release
  Using /usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec as source for kernel
  GEN     ./Makefile
  CHK     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
  CHK     include/generated/package.h
  UPD     include/generated/package.h
  CC      arch/x86/purgatory/purgatory.o
  CC      arch/x86/purgatory/sha256.o
  CC      arch/x86/purgatory/string.o
  LD      arch/x86/purgatory/purgatory.ro
  BIN2C   arch/x86/purgatory/kexec-purgatory.c
  CC      kernel/bounds.s
  CHK     include/generated/bounds.h
  CHK     include/generated/timeconst.h
  CC      arch/x86/kernel/asm-offsets.s
  CHK     include/generated/asm-offsets.h
  CALL    /usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/scripts/checksyscalls.sh
  CC      scripts/mod/empty.o
  MKELF   scripts/mod/elfconfig.h
  HOSTCC  scripts/mod/modpost.o
  CC      scripts/mod/devicetable-offsets.s
  GEN     scripts/mod/devicetable-offsets.h
  HOSTCC  scripts/mod/file2alias.o
/usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/scripts/mod/file2alias.c: In function ‘do_pci_entry’:
/usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/scripts/mod/file2alias.c:477:25: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  ADD(alias, "v", vendor != PCI_ANY_ID, vendor);
                         ^
/usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/scripts/mod/file2alias.c:118:13: note: in definition of macro ‘ADD’
         if (cond)                                               \
             ^
/usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/scripts/mod/file2alias.c:478:25: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  ADD(alias, "d", device != PCI_ANY_ID, device);
                         ^
/usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/scripts/mod/file2alias.c:118:13: note: in definition of macro ‘ADD’
         if (cond)                                               \
             ^
/usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/scripts/mod/file2alias.c:479:29: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  ADD(alias, "sv", subvendor != PCI_ANY_ID, subvendor);
                             ^
/usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/scripts/mod/file2alias.c:118:13: note: in definition of macro ‘ADD’
         if (cond)                                               \
             ^
/usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/scripts/mod/file2alias.c:480:29: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  ADD(alias, "sd", subdevice != PCI_ANY_ID, subdevice);
                             ^
/usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/scripts/mod/file2alias.c:118:13: note: in definition of macro ‘ADD’
         if (cond)                                               \
             ^
/usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/scripts/mod/file2alias.c: In function ‘do_vmbus_entry’:
/usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/scripts/mod/file2alias.c:937:16: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  for (i = 0; i < (sizeof(*guid) * 2); i += 2)
                ^
/usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/scripts/mod/file2alias.c: In function ‘do_ipack_entry’:
/usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/scripts/mod/file2alias.c:1094:25: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  ADD(alias, "v", vendor != IPACK_ANY_ID, vendor);
                         ^
/usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/scripts/mod/file2alias.c:118:13: note: in definition of macro ‘ADD’
         if (cond)                                               \
             ^
/usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/scripts/mod/file2alias.c:1095:25: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  ADD(alias, "d", device != IPACK_ANY_ID, device);
                         ^
/usr/src/kernel/grsec-kernel-4.9/linux-grsec-4.9.10/debian/build/source_grsec/scripts/mod/file2alias.c:118:13: note: in definition of macro ‘ADD’
         if (cond)                                               \
             ^
  HOSTCC  scripts/mod/sumversion.o
  HOSTLD  scripts/mod/modpost
  CC [M]  fs/ext4/mballoc.o
Active2
 
Posts: 14
Joined: Fri Feb 27, 2004 5:51 am

Re: Size overflow detected in function ext4_mb_new_group_pa

Postby PaX Team » Wed Feb 22, 2017 5:52 pm

that's only the compile log, check your build tree for files matching fs/ext4/mballoc.* and send those to her ;).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Size overflow detected in function ext4_mb_new_group_pa

Postby Active2 » Thu Feb 23, 2017 3:27 am

Excuse moi!

Hereby a link to download the files: http://filebin.ca/3DMIChVw9lQM/mballoc.tgz
Active2
 
Posts: 14
Joined: Fri Feb 27, 2004 5:51 am

Re: Size overflow detected in function ext4_mb_new_group_pa

Postby ephox » Thu Feb 23, 2017 6:51 pm

Thanks for the report. I think this is an upstream bug. Based on the runtime values provided by you, ext4_mb_new_group_pa() tries to store a value into pa->pa_lstart which larger than UINT_MAX which comes from ext4_group_first_block_no().
Could you please report it to the ext4 developers?
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm

Re: Size overflow detected in function ext4_mb_new_group_pa

Postby Active2 » Fri Feb 24, 2017 6:55 am

Active2
 
Posts: 14
Joined: Fri Feb 27, 2004 5:51 am

Re: Size overflow detected in function ext4_mb_new_group_pa

Postby Active2 » Fri Feb 24, 2017 9:12 am

Active2 wrote:Hopefully correctly reported:
http://marc.info/?l=linux-ext4&m=148793330609643&w=2


And now correctly reported it: https://bugzilla.kernel.org/show_bug.cgi?id=194695
Active2
 
Posts: 14
Joined: Fri Feb 27, 2004 5:51 am


Return to grsecurity development

cron