PAX: size overflow detected in function pptp_rcv_core

Postby Pinkbyte » Wed Mar 23, 2016 6:03 am

Using the Hardened Gentoo kernel 4.4.2. When the first PPTP connection happens, the kernel panics:

PAX: size overflow detected in function pptp_rcv_core drivers/net/ppp/pptp.c:371 cicus.190_166 min, count: 14, decl: network_header; num: 0; context: sk_buff;

Kernel panic - not syncing: Aiee, killing interrupt handler!
CPU: 1 PID: 1434 Comm: accel-pppd Not tainted 4.4.2-hardened-VIRTUAL #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 ffff88017fc83ae0 ffffffff8148bb27 0000000000000007 ffffffff81ae9570
 ffffffff8112fda1 0000000000000008 ffff88017fc83af0 ffff88017fc83a80
 ffff88005cd00900 0000000000200046 0000000000000000 000003fffffff000
Call Trace:
 <IRQ>  [<ffffffff8148bb27>] ? dump_stack+0x41/0x6a
 [<ffffffff8112fda1>] ? panic+0xbd/0x221
 [<ffffffff8109c8d7>] ? do_exit+0x817/0xa80
 [<ffffffff810a6dd4>] ? signal_wake_up_state+0x14/0x30
 [<ffffffff8109d9d4>] ? do_group_exit+0x44/0xc0
 [<ffffffff8118b6a1>] ? report_size_overflow+0x71/0x80
 [<ffffffff815b9493>] ? pptp_rcv_core+0x363/0x480
 [<ffffffff8168622f>] ? sk_receive_skb+0x12f/0x1d0
 [<ffffffff81794450>] ? ip_local_deliver_finish+0xb0/0x240
 [<ffffffff81794763>] ? ip_local_deliver+0x63/0xd0
 [<ffffffff817943a0>] ? ip_rcv_finish+0x320/0x320
 [<ffffffff81794a6e>] ? ip_rcv+0x29e/0x580
 [<ffffffff81794080>] ? inet_del_offload+0x40/0x40
 [<ffffffff816a0f31>] ? __netif_receive_skb_core+0x351/0xc40
 [<ffffffff817d6400>] ? inet_gro_receive+0x1c0/0x6d0
 [<ffffffff816a188a>] ? netif_receive_skb_internal+0x1a/0x80
 [<ffffffff816a2844>] ? napi_gro_receive+0x64/0x90
 [<ffffffff815ac6b9>] ? virtnet_receive+0x4c9/0xa10
 [<ffffffff81177e6a>] ? kmem_cache_free+0x2a/0x140
 [<ffffffff81177e6a>] ? kmem_cache_free+0x2a/0x140
 [<ffffffff815acce3>] ? virtnet_poll+0x13/0x70
 [<ffffffff816a1d2a>] ? net_rx_action+0x27a/0x430
 [<ffffffff8109e4fd>] ? __do_softirq+0xed/0x220
 [<ffffffff8109e787>] ? irq_exit+0x97/0xa0
 [<ffffffff810071aa>] ? do_IRQ+0x4a/0xe0
 [<ffffffff818ca090>] ? common_interrupt+0x90/0x90
 <EOI>
Kernel Offset: disabled
Rebooting in 5 seconds..


Looking at the suggested file, drivers/net/ppp/pptp.c:

                if ((*skb->data) & 1) {
                        /* protocol is compressed */
                        skb_push(skb, 1)[0] = 0;
                }

                skb->ip_summed = CHECKSUM_NONE;
                skb_set_network_header(skb, skb->head-skb->data);
                ppp_input(&po->chan, skb);

                return NET_RX_SUCCESS;


Line 371 is 'skb_set_network_header(skb, skb->head-skb->data);'

I do not know what voodoo magic happens here :-)
But I would be glad to provide any additional information that will help resolve it.
Pinkbyte
 
Posts: 4
Joined: Wed Mar 23, 2016 5:54 am

Re: PAX: size overflow detected in function pptp_rcv_core

Postby PaX Team » Wed Mar 23, 2016 7:34 pm

Can you try the following patch:
--- a/drivers/net/ppp/pptp.c       2016-03-05 03:01:17.649565558 +0100
+++ b/drivers/net/ppp/pptp.c      2016-03-24 00:23:26.519041444 +0100
@@ -368,7 +368,7 @@
                }

                skb->ip_summed = CHECKSUM_NONE;
-               skb_set_network_header(skb, skb->head-skb->data);
+               skb->network_header = 0;
                ppp_input(&po->chan, skb);

                return NET_RX_SUCCESS;
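Review bot: the new `skb->network_header = 0;` is the value the removed line ended up with, but writing the field directly invites confusion with skb_reset_network_header(), which sets the offset to data minus head and so points the header at skb->data rather than skb->head. Consider a one-line comment above the assignment stating that the network header is deliberately placed at skb->head (offset 0) and why the accessor form was dropped: the original passes head minus data as the offset, a negative intermediate that the size-overflow instrumentation rejects before it reaches the network_header field, even though the final result is the same 0.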
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: PAX: size overflow detected in function pptp_rcv_core

Postby Pinkbyte » Fri Mar 25, 2016 5:19 am

Yep, that helps: the kernel does not panic. Does this fix break netfilter marks? I am not sure whether they are kept in skb headers or not. And as I see it, the fix sets skb_header to zero.

Re: PAX: size overflow detected in function pptp_rcv_core

Postby PaX Team » Fri Mar 25, 2016 11:35 am

The fix in theory just does what the original code did in a somewhat convoluted way. It was basically doing "field=a-b; field+=b-a", which zeroes it out, modulo some integer casts and potentially undefined behaviour.
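The "field=a-b; field+=b-a" explanation above, made concrete as an added example. This is not kernel code and not something either poster wrote: it is a user-space model that keeps only the sk_buff fields the question needs (assumed reduced layout of the 4.4-era struct, where network_header is a __u16 offset from head and the netfilter mark is its own field), with reset/set helpers shaped like the kernel inlines. The 64-byte buffer and the 16-byte advance of data are constructed inputs, and the fits_u16() range check is a simplification of what the size_overflow plugin enforces, not a reimplementation of its instrumentation.

```c
/* Added example, not kernel code: user-space model of the sk_buff offset
 * arithmetic behind pptp_rcv_core line 371 and PaX Team's replacement.
 * Assumptions: reduced struct layout below, constructed sample buffer,
 * fits_u16() as a stand-in for the size_overflow plugin's range check. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t __u16;
typedef uint32_t __u32;

struct sk_buff {
    unsigned char *head;   /* start of the allocated buffer */
    unsigned char *data;   /* current start of payload */
    __u16 network_header;  /* offset from head, not a pointer */
    __u32 mark;            /* netfilter mark: separate field, untouched here */
};

/* Same shape as the kernel inlines: reset points the header at data,
 * set() resets and then adds the caller's offset. */
static void skb_reset_network_header(struct sk_buff *skb)
{
    skb->network_header = skb->data - skb->head;
}

static void skb_set_network_header(struct sk_buff *skb, const int offset)
{
    skb_reset_network_header(skb);
    skb->network_header += offset;
}

/* Constructed sample: 64-byte buffer, payload pointer advanced `pulled`
 * bytes as if encapsulation headers had already been stripped. */
static unsigned char sample_buf[64];

static struct sk_buff make_sample_skb(unsigned pulled, __u32 mark)
{
    struct sk_buff skb = { sample_buf, sample_buf + pulled, 0, mark };
    return skb;
}

/* Does a signed intermediate fit a __u16? Simplified model (assumption)
 * of the range the size_overflow plugin checks, not its real logic. */
static bool fits_u16(long v)
{
    return v >= 0 && v <= 0xFFFF;
}

/* Original line 371: the offset argument is head - data, negative whenever
 * data has advanced past head. Final field value is still 0. */
static __u16 original_line371_value(void)
{
    struct sk_buff skb = make_sample_skb(16, 0);
    skb_set_network_header(&skb, skb.head - skb.data);
    return skb.network_header;
}

/* The intermediate the original line feeds toward the __u16 field:
 * with data == head + 16 it is -16, outside the type's range. */
static bool original_line371_intermediate_fits(void)
{
    struct sk_buff skb = make_sample_skb(16, 0);
    return fits_u16(skb.head - skb.data);
}

/* PaX Team's replacement: write the final value, no intermediate at all. */
static __u16 patched_line371_value(void)
{
    struct sk_buff skb = make_sample_skb(16, 0);
    skb.network_header = 0;
    return skb.network_header;
}

/* The netfilter mark lives in its own field; the fix never touches it. */
static __u32 mark_after_patch(void)
{
    struct sk_buff skb = make_sample_skb(16, 0x1234);
    skb.network_header = 0;
    return skb.mark;
}

/* Contrast: skb_reset_network_header() alone points at data (offset 16),
 * not head (offset 0), so it is not a substitute for the original line. */
static __u16 reset_only_value(void)
{
    struct sk_buff skb = make_sample_skb(16, 0);
    skb_reset_network_header(&skb);
    return skb.network_header;
}

int main(void)
{
    printf("original:   network_header = %u, intermediate fits __u16: %s\n",
           (unsigned)original_line371_value(),
           original_line371_intermediate_fits() ? "yes" : "no");
    printf("patched:    network_header = %u, mark = 0x%x (untouched)\n",
           (unsigned)patched_line371_value(), (unsigned)mark_after_patch());
    printf("reset-only: network_header = %u (points at data, differs)\n",
           (unsigned)reset_only_value());
    return 0;
}
```

Both the original expression and the patched assignment leave network_header at 0, i.e. pointing at skb->head; the difference is that the original routes a negative value through the field's arithmetic on the way there, which is what the instrumented kernel refuses. The mark field is untouched by either form, which is the substance of the answer to the netfilter question above.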

Re: PAX: size overflow detected in function pptp_rcv_core

Postby Pinkbyte » Fri Apr 01, 2016 7:25 am

So, your fix is working great for me now. Any chance it would be included in next grsecurity patchset release?

Re: PAX: size overflow detected in function pptp_rcv_core

Postby PaX Team » Fri Apr 01, 2016 1:29 pm

Sure, it's already in PaX and will be in grsec whenever spender makes a new release.

