PAX: size overflow detected in function tbf_enqueue net/sche


Postby audiocricket » Thu Mar 24, 2016 3:59 am

Hello PAX/grsec,

when trying to rate limit bridged veth interface with tc qdisc and when generating some traffic from that interface, I'm always getting this size overflow:

Code:
[ 1963.536160] PAX: size overflow detected in function tbf_enqueue net/sched/sch_tbf.c:186 cicus.188_148 min, count: 36, decl: qdisc_tree_decrease_qlen; num: 2; context: fndecl;
[ 1963.537414] CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: P           O    4.4.5 #7
[ 1963.538013] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1963.538348]  0000000000000000 3c9dca40a898b545 0000000000000286 0000000000000000
[ 1963.538994]  ffffffff9b4956a0 ffffffff9bdbd8e3 3c9dca40a898b545 ffffffff9bdbd8e3
[ 1963.540058]  00000000000000ba ffffffff9b1eb295 ffff880032ebd040 ffff8800296af200
[ 1963.540058] Call Trace:
[ 1963.540058]  [<ffffffff9b4956a0>] ? dump_stack+0x70/0xc0
[ 1963.540058]  [<ffffffff9b1eb295>] ? report_size_overflow+0x65/0x80
[ 1963.540058]  [<ffffffff9b795dfd>] ? tbf_enqueue+0x2cd/0x300
[ 1963.540058]  [<ffffffff9b7489a0>] ? __dev_queue_xmit+0x300/0x620
[ 1963.540058]  [<ffffffff9b9574a3>] ? br_dev_queue_push_xmit+0x93/0x2f0
[ 1963.540058]  [<ffffffff9b957978>] ? br_forward_finish+0x38/0xb0
[ 1963.540058]  [<ffffffff9b957410>] ? br_fdb_external_learn_del+0xf0/0xf0
[ 1963.540058]  [<ffffffff9b957779>] ? __br_deliver+0x79/0x160
[ 1963.540058]  [<ffffffff9b957940>] ? br_forward_finish.part.8+0x30/0x30
[ 1963.540058]  [<ffffffff9b9549e7>] ? br_dev_xmit+0x227/0x310
[ 1963.540058]  [<ffffffff9b748355>] ? dev_hard_start_xmit+0x315/0x520
[ 1963.540058]  [<ffffffff9b747bbc>] ? validate_xmit_skb.isra.117.part.118+0x1c/0x4a0
[ 1963.540058]  [<ffffffff9b748be9>] ? __dev_queue_xmit+0x549/0x620
[ 1963.540058]  [<ffffffff9b7593bc>] ? neigh_resolve_output+0xfc/0x1d0
[ 1963.540058]  [<ffffffff9b856200>] ? ip_forward_options+0x1d0/0x1d0
[ 1963.540058]  [<ffffffff9b8564a6>] ? ip_finish_output2+0x1d6/0x340
[ 1963.540058]  [<ffffffff9b8596ca>] ? ip_output+0x7a/0x100
[ 1963.540058]  [<ffffffff9b858920>] ? ip_fragment.constprop.40+0xa0/0xa0
[ 1963.540058]  [<ffffffff9b854963>] ? ip_forward+0x3e3/0x4e0
[ 1963.540058]  [<ffffffff9b854510>] ? ip_frag_mem+0x50/0x50
[ 1963.540058]  [<ffffffff9b852614>] ? ip_rcv+0x284/0x5c0
[ 1963.540058]  [<ffffffff9b851e40>] ? ip_local_deliver_finish+0x260/0x260
[ 1963.540058]  [<ffffffff9b741e00>] ? __netif_receive_skb_core+0x360/0xc40
[ 1963.540058]  [<ffffffff9b745ce4>] ? napi_gro_receive+0x94/0xb0
[ 1963.540058]  [<ffffffff9b611101>] ? virtnet_receive+0x701/0x9e0
[ 1963.540058]  [<ffffffff9b74504a>] ? netif_receive_skb_internal+0x2a/0xa0
[ 1963.540058]  [<ffffffff9b7451d0>] ? napi_gro_flush+0x50/0x70
[ 1963.540058]  [<ffffffff9b745253>] ? napi_complete_done+0x63/0xb0
[ 1963.540058]  [<ffffffff9b6114f0>] ? virtnet_poll+0x40/0x80
[ 1963.540058]  [<ffffffff9b746962>] ? net_rx_action+0x332/0x500
[ 1963.540058]  [<ffffffff9b0e3d8d>] ? __do_softirq+0xfd/0x200
[ 1963.540058]  [<ffffffff9b0e3eb5>] ? run_ksoftirqd+0x25/0x40
[ 1963.540058]  [<ffffffff9b104a01>] ? smpboot_thread_fn+0x161/0x1e0
[ 1963.540058]  [<ffffffff9b1048a0>] ? sort_range+0x30/0x30
[ 1963.540058]  [<ffffffff9b1018a7>] ? kthread+0xe7/0x100
[ 1963.540058]  [<ffffffff9b1017c0>] ? kthread_create_on_node+0x1a0/0x1a0
[ 1963.540058]  [<ffffffff9b98817e>] ? ret_from_fork+0x3e/0x70
[ 1963.540058]  [<ffffffff9b1017c0>] ? kthread_create_on_node+0x1a0/0x1a0


Kernel is 4.4.5, with only pax-linux-4.4.5-test10.patch applied and with ported pax_size_overflow_report functionality from mainstream grsec patch.
It's a VPS machine running under KVM. If you need more info, please let me know.

Many thanks for helping me solve this!

Regards,
A.
audiocricket
 
Posts: 7
Joined: Thu Nov 26, 2015 6:43 am

Re: PAX: size overflow detected in function tbf_enqueue net/

Postby PaX Team » Thu Mar 24, 2016 9:08 am

this is an intentional non-value preserving type conversion because there's no qdisc_tree_increase_qlen kernel API that this code really wants and (ab)uses qdisc_tree_decrease_qlen for. so we'll probably go with this workaround if you can confirm that it fixes the overflow reports:
Code:
--- a/net/sched/sch_tbf.c  2014-12-08 21:50:34.032965627 +0100
+++ b/net/sched/sch_tbf.c 2016-03-24 14:00:59.498550475 +0100
@@ -160,7 +160,8 @@
        struct tbf_sched_data *q = qdisc_priv(sch);
        struct sk_buff *segs, *nskb;
        netdev_features_t features = netif_skb_features(skb);
-       int ret, nb;
+       int ret;
+       unsigned int nb;

        segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);

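Review bot: the new `unsigned int nb` declaration has no comment saying why the counter must be unsigned, and nothing else in this hunk shows the reason. A one-line comment next to the declaration, noting that nb is later negated and handed to qdisc_tree_decrease_qlen() as a wrapping unsigned value, would keep a later cleanup from folding it back into `int ret, nb;`.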
@@ -182,8 +183,10 @@
                segs = nskb;
        }
        sch->q.qlen += nb;
-       if (nb > 1)
-               qdisc_tree_decrease_qlen(sch, 1 - nb);
+       if (nb > 1) {
+               nb--;
+               qdisc_tree_decrease_qlen(sch, -nb);
+       }
        consume_skb(skb);
        return nb > 0 ? NET_XMIT_SUCCESS : NET_XMIT_DROP;
 }
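Review bot: `nb--` inside the `if (nb > 1)` block changes the value that `return nb > 0 ? NET_XMIT_SUCCESS : NET_XMIT_DROP;` reads a few lines later. The return value is unaffected only because the guard leaves nb at 1 or more after the decrement; passing `-(nb - 1)` directly, or using a separate local for the adjustment, would keep nb meaning the segment count through to the return. The unary minus on an unsigned value is a deliberate wraparound, so a short comment saying that the wrap is intended would help the next reader.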
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
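
The conversion described in the reply above, as an added example that is not part of the original posts and not kernel code: a user-space model in which a "decrease" helper takes an unsigned count, so a negative int argument reaches it as a large wrapped value that increases the counter. The names toy_qdisc, toy_tree_decrease_qlen, adjust_signed and adjust_unsigned are hypothetical, and the unsigned parameter type is an assumption of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for a parent qdisc's queue length counter (constructed). */
struct toy_qdisc { uint32_t qlen; };

/* Models a "decrease" helper whose count is unsigned (assumed shape). */
static void toy_tree_decrease_qlen(struct toy_qdisc *parent, unsigned int n)
{
    parent->qlen -= n;            /* unsigned arithmetic wraps modulo 2^32 */
}

/* True when converting v to unsigned int keeps its mathematical value. */
static bool int_to_uint_preserves_value(int v)
{
    return v >= 0;
}

/* Old call shape: signed 1 - nb is converted to unsigned at the call.
 * *flagged reports whether that conversion changed the value. */
static uint32_t adjust_signed(uint32_t parent_qlen, int nb, bool *flagged)
{
    struct toy_qdisc p = { parent_qlen };
    int delta = 1 - nb;

    *flagged = !int_to_uint_preserves_value(delta);
    toy_tree_decrease_qlen(&p, (unsigned int)delta);
    return p.qlen;
}

/* Workaround shape: unsigned arithmetic only, with an explicit wrapping
 * negation, so no signed value is converted on the way in. */
static uint32_t adjust_unsigned(uint32_t parent_qlen, unsigned int nb)
{
    struct toy_qdisc p = { parent_qlen };

    nb--;
    toy_tree_decrease_qlen(&p, -nb);
    return p.qlen;
}

int main(void)
{
    bool flagged;
    uint32_t a = adjust_signed(10, 4, &flagged);   /* 4 segments replace 1 skb */
    uint32_t b = adjust_unsigned(10, 4);

    printf("signed: qlen=%u flagged=%d, unsigned: qlen=%u\n",
           (unsigned)a, (int)flagged, (unsigned)b);
    return 0;
}
```

Both shapes leave the counter at the same value; only the first passes a negative signed value through an unsigned parameter.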

Re: PAX: size overflow detected in function tbf_enqueue net/

Postby audiocricket » Sat Apr 23, 2016 4:04 pm

Hello,

it's been a month since I've last checked into this.

I can confirm it's working fine with current grsecurity-3.1-4.4.8-201604201957.patch

Many thanks!
audiocricket
 
Posts: 7
Joined: Thu Nov 26, 2015 6:43 am

