grsecurity forums

[schiffi]

Hi,

I discovered a problem with PaX and DRBD (kernel 3.14.19, gento hardened) which looks like this:

Code: Select all

PAX: size overflow detected in function drbd_send_dblock drivers/block/drbd/drbd_main.c:1625 cicus.964_133 max, count: 1
CPU: 2 PID: 4072 Comm: drbd_w_vg01 Not tainted 3.14.19-hardened-r1 #9
Hardware name: Supermicro X9DRT-HF+/X9DRT-HF+, BIOS 3.0b 01/21/2014
 ffff882f876fa000 ffffffff8162e8c7 ffff882f876fa000 ffffffff81130980
 ffffffffa1b19358 0000000000000000 ffff882f7d85ce00 ffff882f870b7800
 ffff88201e673b18 ffffffff815b0ba0 00000001813a26b2 ffff882f86267010
Call Trace:
 [<ffffffff8162e8c7>] ? dump_stack+0x41/0x55
 [<ffffffff81130980>] ? report_size_overflow+0x20/0x30
 [<ffffffffa1b19358>] ? drbd_send_dblock+0x5b8/0x5c0 [drbd]
 [<ffffffff815b0ba0>] ? do_tcp_setsockopt.isra.29+0x130/0x890
 [<ffffffffa1b01678>] ? wait_for_work+0x1e8/0x2d0 [drbd]
 [<ffffffffa1b007b2>] ? w_send_dblock+0x62/0x160 [drbd]
 [<ffffffffa1b017ef>] ? drbd_worker+0x8f/0x260 [drbd]
 [<ffffffffa1b16880>] ? drbd_notify_sys+0x10/0x10 [drbd]
 [<ffffffffa1b168ca>] ? drbd_thread_setup+0x4a/0x120 [drbd]
 [<ffffffffa1b16880>] ? drbd_notify_sys+0x10/0x10 [drbd]
 [<ffffffff8108cc3c>] ? kthread+0xbc/0xe0
 [<ffffffff8108cb80>] ? kthread_create_on_node+0x170/0x170
 [<ffffffff816343df>] ? ret_from_fork+0x6f/0xa0
 [<ffffffff8108cb80>] ? kthread_create_on_node+0x170/0x170
block drbd0: Remote failed to finish a request within ko-count * timeout
block drbd0: peer( Primary -> Unknown ) conn( Connected -> Timeout ) pdsk( UpToDate -> DUnknown )
d-con vg01: asender terminated
d-con vg01: Terminating drbd_a_vg01


Is this some bug in DRBD or a false positive in PaX?

Do you need more information?

Thanks in advance.

-Marc

[PaX Team]

it's a rather old kernel, is this what you have at line 1625:

Code: Select all

p->seq_num = cpu_to_be32(atomic_inc_return_unchecked(&mdev->packet_seq));

if yes then it's an integer signedness mixup problem (atomic_t is a signed int, seq_num is unsigned) and only the drbd developers can tell whether it's harmless or a bug to be fixed.

[schiffi]

According to the answer on drbd-dev ML this sequence number is supposed to wrap. So can this be fixed in PaX?

> seq_num should give it away: it is a sequence number.
> it wraps. that's what sequence numbers do, eventually.

TIA

[PaX Team]

the problem isn't that the sequence number can wrap (that's already taken care of by using the _unchecked type and accessors) but that its value goes through a sign conversion which can't preserve all possible values. now whether that conversion is a problem or not is what the maintainers can tell best though i guess it isn't and we'll just disable the size overflow instrumentation on it.

[schiffi]

ok, thank you