PAX: size overflow detected in function acpi_ex_do_math_op

Re: PAX: size overflow detected in function acpi_ex_do_math_

Postby ephox » Sat Oct 24, 2015 3:30 pm

rfnx wrote:
2) Constantly: every 2 minutes and 5 seconds (it's accurate) 3 new lines like the one below are logged:
PAX: size overflow detected in function ipv6_gro_receive include/linux/skbuff.h:1969 cicus.147_213 min, count: 36, decl: len; num: 0; context: sk_buff;

Could you please apply this patch and send me the result from dmesg?
--- net/ipv6/ip6_offload.c.orig 2015-10-24 20:58:18.121414889 +0200
+++ net/ipv6/ip6_offload.c      2015-10-24 21:02:04.338536639 +0200
@@ -197,6 +197,7 @@
        if (!ops || !ops->callbacks.gro_receive) {
                __pskb_pull(skb, skb_gro_offset(skb));
                proto = ipv6_gso_pull_exthdrs(skb, proto);
+               printk(KERN_ERR "PAX overflow head: %p, transport_header: %hx, data: %p\n", skb->head, skb->transport_header, skb->data);
                skb_gro_pull(skb, -skb_transport_offset(skb));
                skb_reset_transport_header(skb);
                __skb_push(skb, skb_gro_offset(skb));
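Review bot: the diagnostic printk in this hunk prints the raw pointers and the transport_header offset but not the two values the following calls actually consume, skb_gro_offset(skb) and skb_transport_offset(skb); since the next line negates the latter before passing it to skb_gro_pull, adding both to the format (e.g. ", gro_offset: %u, transport_offset: %d\n", ..., skb_gro_offset(skb), skb_transport_offset(skb)) would show directly which value the size-overflow check trips on. The message also has no rate limit in a receive path, so on a busy interface printk_ratelimited or a net_ratelimit() guard would keep dmesg readable while the report is being gathered.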
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm

Re: PAX: size overflow detected in function acpi_ex_do_math_

Postby rfnx » Sat Oct 24, 2015 4:37 pm

Hello,

ephox wrote:
rfnx wrote:
Hello,

Since the latest patch (grsecurity-3.1-4.2.4-201510222059.patch), the 2 errors I have are still here:

1) At boot only (I have an LSI megaraid card):
PAX: size overflow detected in function megasas_init_adapter_mfi drivers/scsi/megaraid/megaraid_sas_base.c:4297 cicus.1087_105 max, count: 21, decl: max_mfi_cmds; num: 0; context: megasas_instance;


Could you please send me the results (drivers/scsi/megaraid/megaraid_sas_base.c.*) of make drivers/scsi/megaraid/megaraid_sas_base.o EXTRA_CFLAGS="-fdump-tree-all -fdump-ipa-all"? Which gcc version did you use?


GCC version: 5.2.0
Results:
  CHK     include/config/kernel.release
  CHK     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
  CC      kernel/bounds.s
  CHK     include/generated/bounds.h
  CHK     include/generated/timeconst.h
  CC      arch/x86/kernel/asm-offsets.s
  CHK     include/generated/asm-offsets.h
  CALL    scripts/checksyscalls.sh
  HOSTCC  scripts/genksyms/genksyms.o
  SHIPPED scripts/genksyms/parse.tab.c
  HOSTCC  scripts/genksyms/parse.tab.o
  SHIPPED scripts/genksyms/lex.lex.c
  SHIPPED scripts/genksyms/keywords.hash.c
  SHIPPED scripts/genksyms/parse.tab.h
  HOSTCC  scripts/genksyms/lex.lex.o
scripts/genksyms/lex.lex.c_shipped: In function ‘yy_get_next_buffer’:
scripts/genksyms/lex.lex.c_shipped:675:18: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
   for ( n = 0; n < max_size && \
                  ^
scripts/genksyms/lex.lex.c_shipped:1135:3: note: in expansion of macro ‘YY_INPUT’
   YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
   ^
  HOSTLD  scripts/genksyms/genksyms
  CC      scripts/mod/empty.o
  HOSTCC  scripts/mod/mk_elfconfig
  MKELF   scripts/mod/elfconfig.h
  HOSTCC  scripts/mod/modpost.o
  CC      scripts/mod/devicetable-offsets.s
  GEN     scripts/mod/devicetable-offsets.h
  HOSTCC  scripts/mod/file2alias.o
scripts/mod/file2alias.c: In function ‘do_pci_entry’:
scripts/mod/file2alias.c:432:25: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  ADD(alias, "v", vendor != PCI_ANY_ID, vendor);
                         ^
scripts/mod/file2alias.c:118:13: note: in definition of macro ‘ADD’
         if (cond)                                               \
             ^
scripts/mod/file2alias.c:433:25: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  ADD(alias, "d", device != PCI_ANY_ID, device);
                         ^
scripts/mod/file2alias.c:118:13: note: in definition of macro ‘ADD’
         if (cond)                                               \
             ^
scripts/mod/file2alias.c:434:29: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  ADD(alias, "sv", subvendor != PCI_ANY_ID, subvendor);
                             ^
scripts/mod/file2alias.c:118:13: note: in definition of macro ‘ADD’
         if (cond)                                               \
             ^
scripts/mod/file2alias.c:435:29: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  ADD(alias, "sd", subdevice != PCI_ANY_ID, subdevice);
                             ^
scripts/mod/file2alias.c:118:13: note: in definition of macro ‘ADD’
         if (cond)                                               \
             ^
scripts/mod/file2alias.c: In function ‘do_vmbus_entry’:
scripts/mod/file2alias.c:917:16: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  for (i = 0; i < (sizeof(*guid) * 2); i += 2)
                ^
scripts/mod/file2alias.c: In function ‘do_ipack_entry’:
scripts/mod/file2alias.c:1074:25: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  ADD(alias, "v", vendor != IPACK_ANY_ID, vendor);
                         ^
scripts/mod/file2alias.c:118:13: note: in definition of macro ‘ADD’
         if (cond)                                               \
             ^
scripts/mod/file2alias.c:1075:25: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  ADD(alias, "d", device != IPACK_ANY_ID, device);
                         ^
scripts/mod/file2alias.c:118:13: note: in definition of macro ‘ADD’
         if (cond)                                               \
             ^
  HOSTCC  scripts/mod/sumversion.o
  HOSTLD  scripts/mod/modpost
  HOSTCC  scripts/kallsyms
  HOSTCC  scripts/conmakehash
  HOSTCC  scripts/sortextable
  HOSTCC  scripts/asn1_compiler
  CC [M]  drivers/scsi/megaraid/megaraid_sas_base.o




ephox wrote:
rfnx wrote:
2) Constantly: every 2 minutes and 5 seconds (it's accurate) 3 new lines like the one below are logged:
PAX: size overflow detected in function ipv6_gro_receive include/linux/skbuff.h:1969 cicus.147_213 min, count: 36, decl: len; num: 0; context: sk_buff;

Could you please apply this patch and send me the result from dmesg?
--- net/ipv6/ip6_offload.c.orig 2015-10-24 20:58:18.121414889 +0200
+++ net/ipv6/ip6_offload.c      2015-10-24 21:02:04.338536639 +0200
@@ -197,6 +197,7 @@
        if (!ops || !ops->callbacks.gro_receive) {
                __pskb_pull(skb, skb_gro_offset(skb));
                proto = ipv6_gso_pull_exthdrs(skb, proto);
+               printk(KERN_ERR "PAX overflow head: %p, transport_header: %hx, data: %p\n", skb->head, skb->transport_header, skb->data);
                skb_gro_pull(skb, -skb_transport_offset(skb));
                skb_reset_transport_header(skb);
                __skb_push(skb, skb_gro_offset(skb));

I already did that in the previous posts of this thread. See viewtopic.php?f=3&t=4287#p15632 and viewtopic.php?f=3&t=4287#p15638
rfnx
 
Posts: 30
Joined: Sat Dec 20, 2014 8:06 am

Re: PAX: size overflow detected in function acpi_ex_do_math_

Postby ephox » Sun Oct 25, 2015 11:22 am

ephox wrote:
rfnx wrote:
Hello,

Since the latest patch (grsecurity-3.1-4.2.4-201510222059.patch), the 2 errors I have are still here:

1) At boot only (I have an LSI megaraid card):
PAX: size overflow detected in function megasas_init_adapter_mfi drivers/scsi/megaraid/megaraid_sas_base.c:4297 cicus.1087_105 max, count: 21, decl: max_mfi_cmds; num: 0; context: megasas_instance;


Could you please send me the results (drivers/scsi/megaraid/megaraid_sas_base.c.*) of make drivers/scsi/megaraid/megaraid_sas_base.o EXTRA_CFLAGS="-fdump-tree-all -fdump-ipa-all"? Which gcc version did you use?


Thanks but I need the actual files (drivers/scsi/megaraid/megaraid_sas_base.c.*) :)
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm

Re: PAX: size overflow detected in function acpi_ex_do_math_

Postby rfnx » Sun Oct 25, 2015 11:56 am

Ok, sorry! I sent you a link to download all the files in your PM.
rfnx
 
Posts: 30
Joined: Sat Dec 20, 2014 8:06 am

Re: PAX: size overflow detected in function acpi_ex_do_math_

Postby ephox » Sun Oct 25, 2015 4:54 pm

rfnx wrote:
PAX: size overflow detected in function megasas_init_adapter_mfi drivers/scsi/megaraid/megaraid_sas_base.c:4297 cicus.1087_105 max, count: 21, decl: max_mfi_cmds; num: 0; context: megasas_instance;


Thanks for the report, the bug will be fixed in the next patch after grsecurity-3.1-4.2.4-201510251544.patch.
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm

Re: PAX: size overflow detected in function acpi_ex_do_math_

Postby rfnx » Sun Oct 25, 2015 8:21 pm

Thanks! :)

EDIT: both issues are fixed! Thanks a lot!
rfnx
 
Posts: 30
Joined: Sat Dec 20, 2014 8:06 am

Re: PAX: size overflow detected in function acpi_ex_do_math_

Postby kdave » Wed Nov 25, 2015 7:15 pm

Mixed reports in one topic might have confused me about the status, but I still see the report from ipv6_gro_receive with grsecurity-3.1-4.2.6-201511232037.patch:

 PAX: size overflow detected in function ipv6_gro_receive ../include/linux/skbuff.h:1969 cicus.138_216 min, count: 20, decl: data_offset; num: 0; context: napi_gro_cb;
 CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.2.6-0-grsec-kvm-custom #1
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS by qemu-project.org 04/01/2014
  6d032d5a13d67f97 ffffffff81ecc67b 0000000000000000 ffffffff81ecc67b
  ffffffff8166c6c9 ffffffff81f4b08d ffffffff8119ba53 0000000000000020
  000000000000003a fffffffffffffff8 0000000000000000 0000000000000001
 Call Trace:
  <IRQ>  [<ffffffff8166c6c9>] ? dump_stack+0x40/0x56
  [<ffffffff8119ba53>] ? report_size_overflow+0x33/0x40
  [<ffffffff81650460>] ? ipv6_gro_receive+0x990/0x9f0
  [<ffffffff81570bfc>] ? dev_gro_receive+0x24c/0x5e0
  [<ffffffff81560321>] ? __build_skb+0xc1/0x1f0
  [<ffffffff8157123f>] ? napi_gro_receive+0x1f/0x90
  [<ffffffffa002c8c5>] ? e1000_clean_rx_irq+0x195/0x570 [e1000]
  [<ffffffffa002dc1b>] ? e1000_clean+0x26b/0x8a0 [e1000]
  [<ffffffff810a12b2>] ? __wake_up+0x32/0x50
  [<ffffffff8145a895>] ? credit_entropy_bits+0x1f5/0x2d0
  [<ffffffff815707f4>] ? net_rx_action+0x274/0x430
  [<ffffffff8106427e>] ? __do_softirq+0xee/0x200
  [<ffffffff810644fc>] ? irq_exit+0x9c/0xa0
  [<ffffffff810051fa>] ? do_IRQ+0x4a/0xe0
  [<ffffffff81672fd7>] ? common_interrupt+0x97/0x97
  <EOI>  [<ffffffff8100d260>] ? arch_remove_reservations+0xf0/0xf0
  [<ffffffff8100d266>] ? default_idle+0x6/0x20
  [<ffffffff810a1f82>] ? cpu_startup_entry+0x1e2/0x230
  [<ffffffff81671da2>] ? _raw_spin_unlock_irqrestore+0x12/0x20
  [<ffffffff8103a790>] ? lapic_get_maxlvt+0x40/0x40
  [<ffffffff810386d7>] ? start_secondary+0x1e7/0x2b0
kdave
 
Posts: 11
Joined: Mon Oct 19, 2015 5:35 pm

Re: PAX: size overflow detected in function acpi_ex_do_math_

Postby rfnx » Wed Nov 25, 2015 10:06 pm

Me too, I thought it was fixed.

See this new thread: viewtopic.php?f=3&t=4322
rfnx
 
Posts: 30
Joined: Sat Dec 20, 2014 8:06 am

Re: PAX: size overflow detected in function acpi_ex_do_math_

Postby ephox » Fri Nov 27, 2015 2:44 pm

kdave wrote:
 PAX: size overflow detected in function ipv6_gro_receive ../include/linux/skbuff.h:1969 cicus.138_216 min, count: 20, decl: data_offset; num: 0; context: napi_gro_cb

Thanks for the report, it will be fixed in the next grsec patch.
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm
