grsecurity forums

[quasar366]

It's me back again, now with ubuntu 16.04 desktop system.
Trying to use latest kernel 4.4.8 and latest grsecurity-3.1-4.4.8-201604252206.patch triggers a pax size overflow.
Nevertheless, the system is booting until I see a half desktop and then stops working. Without UDEREF the kernel is booting fine.
Tested a virtual machine with ubuntu 16.04 server release and latest grsec patch and it's running well! Also ubuntu 14.04 desktop system with gcc version 4.4.8 is running with latest grsec patch

gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2)

Code: Select all

kernel: [   15.701048] device enp4s0 entered promiscuous mode
kernel: [   15.717285] PAX: size overflow detected in function velocity_rx_refill drivers/net/ethernet/via/via-velocity.c:1547 cicus.1043_125 min, count: 20, decl: size; num: 0; context: rx_desc;
kernel: [   15.717289] CPU: 1 PID: 733 Comm: ip Not tainted 4.4.8 #2
kernel: [   15.717290] Hardware name: ASUS All Series/Z87M-PLUS, BIOS 1107 11/04/2014
kernel: [   15.717292]  0000000000000246 26f5f909cdc6de41 ffffc90003c1b560 ffffffffa43db2a4
kernel: [   15.717293]  000000000000060b 26f5f909cdc6de41 ffffffffc01366b8 000000000000060b
dbus[1866]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkitd.service'
kernel: [   15.717295]  ffffc90003c1b590 ffffffffa41d6a4c ffff88067f44c800 0000000000000000
kernel: [   15.717297] Call Trace:
kernel: [   15.717301]  [<ffffffffa43db2a4>] dump_stack+0x60/0x9c
kernel: [   15.717306]  [<ffffffffc01366b8>] ? velocity_ethtool_ops+0x7b8/0xb90 [via_velocity]
kernel: [   15.717309]  [<ffffffffa41d6a4c>] report_size_overflow+0x6c/0x80
kernel: [   15.717311]  [<ffffffffc013440d>] velocity_rx_refill+0x1fd/0x2d0 [via_velocity]
kernel: [   15.717314]  [<ffffffffa4412bd0>] ? swiotlb_alloc_coherent+0x160/0x160
systemd[1]: Reached target Bluetooth.
kernel: [   15.717317]  [<ffffffffc0134c2c>] velocity_init_rings+0x20c/0x410 [via_velocity]
kernel: [   15.717319]  [<ffffffffc01351e1>] velocity_open+0x21/0x115 [via_velocity]
kernel: [   15.717320]  [<ffffffffc01358e0>] ? velocity_pm_ops+0xc0/0xc0 [via_velocity]
kernel: [   15.717323]  [<ffffffffa470e493>] __dev_open+0xe3/0x160
kernel: [   15.717325]  [<ffffffffa470e7d2>] __dev_change_flags+0xb2/0x180
kernel: [   15.717326]  [<ffffffffa470e8c4>] dev_change_flags+0x24/0x70
kernel: [   15.717329]  [<ffffffffa471fba7>] do_setlink+0x6c7/0xc40
kernel: [   15.717332]  [<ffffffffa4395e9e>] ? generic_make_request+0x2e/0x200
kernel: [   15.717334]  [<ffffffffc01358e0>] ? velocity_pm_ops+0xc0/0xc0 [via_velocity]
kernel: [   15.717336]  [<ffffffffa4393a34>] ? alloc_request_struct+0x14/0x20
kernel: [   15.717343]  [<ffffffffc0589c40>] ? br_port_state_names+0x40/0x40 [bridge]
bluetoothd[1837]: Bluetooth management interface 1.10 initialized
kernel: [   15.717344]  [<ffffffffa4721484>] rtnl_newlink+0x5f4/0x900
kernel: [   15.717347]  [<ffffffffa405e4ab>] ? flush_tlb_page+0x4b/0x1f0
kernel: [   15.717350]  [<ffffffffa415b4e2>] ? lru_cache_add_active_or_unevictable+0x22/0xa0
kernel: [   15.717352]  [<ffffffffa4177c44>] ? wp_page_copy.isra.72+0x284/0x550
kernel: [   15.717355]  [<ffffffffa4413fc2>] ? nla_parse+0x32/0x100
kernel: [   15.717358]  [<ffffffffc0589c40>] ? br_port_state_names+0x40/0x40 [bridge]
kernel: [   15.717360]  [<ffffffffa4721299>] ? rtnl_newlink+0x409/0x900
kernel: [   15.717363]  [<ffffffffa43ca517>] ? gr_is_capable+0x17/0x30
kernel: [   15.717366]  [<ffffffffa4076131>] ? ns_capable+0x41/0x70
kernel: [   15.717367]  [<ffffffffa471e88f>] rtnetlink_rcv_msg+0x9f/0x250
kernel: [   15.717369]  [<ffffffffa41d708f>] ? __check_object_size.part.42+0x2f/0x1e0
bluetoothd[1837]: Failed to obtain handles for "Service Changed" characteristic
kernel: [   15.717371]  [<ffffffffa471e7f0>] ? rtnetlink_rcv+0x40/0x40
kernel: [   15.717373]  [<ffffffffa4747f58>] netlink_rcv_skb+0xe8/0x140
kernel: [   15.717374]  [<ffffffffa471e7d3>] rtnetlink_rcv+0x23/0x40
kernel: [   15.717375]  [<ffffffffa474739c>] netlink_unicast+0x13c/0x1e0
kernel: [   15.717376]  [<ffffffffa4747962>] netlink_sendmsg+0x522/0x820
kernel: [   15.717379]  [<ffffffffa46e387b>] sock_sendmsg+0x4b/0x60
kernel: [   15.717381]  [<ffffffffa46e4e41>] ___sys_sendmsg+0x291/0x2a0
kernel: [   15.717383]  [<ffffffffa415b4e2>] ? lru_cache_add_active_or_unevictable+0x22/0xa0
dbus[1866]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
kernel: [   15.717385]  [<ffffffffa41ebec6>] ? __dentry_kill+0x196/0x250
kernel: [   15.717387]  [<ffffffffa41f6a2f>] ? mntput+0x1f/0x40
kernel: [   15.717389]  [<ffffffffa41d1668>] ? __fput+0x1a8/0x260
kernel: [   15.717391]  [<ffffffffa46e68bc>] __sys_sendmsg+0x4c/0x90
kernel: [   15.717392]  [<ffffffffa46e690d>] SyS_sendmsg+0xd/0x30
kernel: [   15.717394]  [<ffffffffa48445a4>] entry_SYSCALL_64_fastpath+0x16/0x73

regards

[PaX Team]

the code in question is in drivers/net/ethernet/via/via-velocity.c:velocity_alloc_rx_buf

Code: Select all

rd->size = cpu_to_le16(vptr->rx.buf_sz) | RX_INTEN;

which is basically a u16=int assignment so it's a potential integer truncation and chances are that this is a bug and not a false positive. can you print out the value of vptr->rx.buf_sz just before this assignment? something like this:

Code: Select all

--- a/drivers/net/ethernet/via/via-velocity.c      2016-01-11 01:27:48.511056076 +0100
+++ b/drivers/net/ethernet/via/via-velocity.c     2016-04-28 13:20:30.169684334 +0200
@@ -1544,6 +1544,7 @@
         */

        *((u32 *) & (rd->rdesc0)) = 0;
+       printk("PAX: vptr->rx.buf_sz: %x\n", vptr->rx.buf_sz);
        rd->size = cpu_to_le16(vptr->rx.buf_sz) | RX_INTEN;
        rd->pa_low = cpu_to_le32(rd_info->skb_dma);
        rd->pa_high = 0;


[quasar366]

O.k., at least I was able to find out, why my desktop stopped with a task bar and black screen. It was triggered by lcd4linux ...

the value of vptr->rx.buf_sz is:

Code: Select all

[  100.067625] PAX: vptr->rx.buf_sz: 604

[PaX Team]

is that the last message before the size overflow report? can you post a bit more context?

[quasar366]

The output before size overflow is different and I have to complete, it has nothing to do with uderef enabled or not. I'm able to boot the complete system, but I'm not able to get a root session, because systemd is waiting for eth link coming up and the cpu load get's higher and higher.

Here is the complete output:

Code: Select all

kernel: [   22.573569] asus_wmi: ASUS WMI generic driver loaded
kernel: [   22.575450] asus_wmi: Initialization: 0x0
kernel: [   22.575466] asus_wmi: BIOS WMI version: 0.9
kernel: [   22.575494] asus_wmi: SFUN value: 0x0
kernel: [   22.575723] input: Eee PC WMI hotkeys as /devices/platform/eeepc-wmi/input/input18
kernel: [   22.576006] asus_wmi: Number of fans: 1
kernel: [   22.724264] EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null)
kernel: [   27.188097] Adding 5853608k swap on /dev/mapper/swap.  Priority:-1 extents:1 across:5853608k SSFS
kernel: [   27.205829] EXT4-fs (dm-54): mounted filesystem with ordered data mode. Opts: (null)
kernel: [   28.398383] EXT4-fs (dm-31): mounted filesystem with ordered data mode. Opts: (null)
kernel: [   28.647795] EXT4-fs (dm-52): mounted filesystem with ordered data mode. Opts: (null)
kernel: [   29.019819] EXT4-fs (dm-50): mounted filesystem with ordered data mode. Opts: (null)
kernel: [   29.111045] r8169 0000:03:00.0 enp3s0: link down
kernel: [   29.111062] r8169 0000:03:00.0 enp3s0: link down
kernel: [   29.111099] IPv6: ADDRCONF(NETDEV_UP): enp3s0: link is not ready
kernel: [   29.111218] PAX: vptr->rx.buf_sz: 604
kernel: [   29.111221] PAX: size overflow detected in function velocity_rx_refill drivers/net/ethernet/via/via-velocity.c:1548 cicus.871_127 min, count: 18, decl: size; num: 0; context: rx_desc;
kernel: [   29.111224] CPU: 0 PID: 1844 Comm: ip Not tainted 4.4.8-generic #1
kernel: [   29.111225] Hardware name: ASUS All Series/Z87M-PLUS, BIOS 1107 11/04/2014
kernel: [   29.111226]  0000000000000246 ed65636c5523bcd7 ffffc9000375b620 ffffffff92422824
kernel: [   29.111228]  000000000000060c ed65636c5523bcd7 ffffffffc011e668 000000000000060c
kernel: [   29.111230]  ffffc9000375b650 ffffffff92205ecc ffff88067f713400 0000000000000000
kernel: [   29.111231] Call Trace:
kernel: [   29.111237]  [<ffffffff92422824>] dump_stack+0x60/0x9c
kernel: [   29.111241]  [<ffffffffc011e668>] ? velocity_ethtool_ops+0x788/0xbb8 [via_velocity]
kernel: [   29.111244]  [<ffffffff92205ecc>] report_size_overflow+0x6c/0x80
kernel: [   29.111246]  [<ffffffffc011add4>] velocity_rx_refill+0x254/0x2c0 [via_velocity]
kernel: [   29.111248]  [<ffffffffc011bedc>] velocity_init_rings+0x20c/0x410 [via_velocity]
kernel: [   29.111250]  [<ffffffffc011cd31>] velocity_open+0x21/0x120 [via_velocity]
kernel: [   29.111253]  [<ffffffffc011d8c0>] ? velocity_pm_ops+0xc0/0xc0 [via_velocity]
kernel: [   29.111256]  [<ffffffff9276f1e3>] __dev_open+0xe3/0x160
kernel: [   29.111258]  [<ffffffff9276f522>] __dev_change_flags+0xb2/0x180
kernel: [   29.111259]  [<ffffffff9276f614>] dev_change_flags+0x24/0x70
kernel: [   29.111261]  [<ffffffff927806d7>] do_setlink+0x6c7/0xc40
kernel: [   29.111263]  [<ffffffffc011d8c0>] ? velocity_pm_ops+0xc0/0xc0 [via_velocity]
kernel: [   29.111266]  [<ffffffff92174eb5>] ? mempool_alloc+0x75/0x180
kernel: [   29.111268]  [<ffffffff9243d7d5>] ? find_next_bit+0x15/0x30
kernel: [   29.111270]  [<ffffffff9242270c>] ? cpumask_any_but+0x2c/0x50
kernel: [   29.111273]  [<ffffffff9205f62b>] ? flush_tlb_page+0x4b/0xd0
kernel: [   29.111275]  [<ffffffff9245b812>] ? nla_parse+0x32/0x100
kernel: [   29.111277]  [<ffffffff92781fb4>] rtnl_newlink+0x5f4/0x900
kernel: [   29.111280]  [<ffffffff92412047>] ? gr_is_capable+0x17/0x30
kernel: [   29.111282]  [<ffffffff920781d1>] ? ns_capable+0x41/0x70
kernel: [   29.111284]  [<ffffffff9277f3bf>] rtnetlink_rcv_msg+0x9f/0x250
kernel: [   29.111286]  [<ffffffff921ddc4d>] ? check_heap_object+0x3d/0xf0
kernel: [   29.111287]  [<ffffffff9220650f>] ? __check_object_size.part.37+0x2f/0x1e0
kernel: [   29.111289]  [<ffffffff9277f320>] ? rtnetlink_rcv+0x40/0x40
kernel: [   29.111291]  [<ffffffff927aae58>] netlink_rcv_skb+0xe8/0x140
kernel: [   29.111292]  [<ffffffff9277f303>] rtnetlink_rcv+0x23/0x40
kernel: [   29.111294]  [<ffffffff927aa29c>] netlink_unicast+0x13c/0x1e0
kernel: [   29.111295]  [<ffffffff927aa862>] netlink_sendmsg+0x522/0x820
kernel: [   29.111297]  [<ffffffff927440fb>] sock_sendmsg+0x4b/0x60
kernel: [   29.111299]  [<ffffffff927454fb>] ___sys_sendmsg+0x32b/0x3c0
kernel: [   29.111302]  [<ffffffff921aaf9f>] ? handle_mm_fault+0x16cf/0x1a40
kernel: [   29.111304]  [<ffffffff9221bdb0>] ? dput+0x220/0x260
kernel: [   29.111306]  [<ffffffff92200a00>] ? __fput+0xb0/0x260
kernel: [   29.111308]  [<ffffffff92746f7c>] __sys_sendmsg+0x4c/0x90
kernel: [   29.111310]  [<ffffffff92746fcd>] SyS_sendmsg+0xd/0x30
kernel: [   29.111312]  [<ffffffff928a609f>] entry_SYSCALL_64_fastpath+0x16/0x6e

I'm not sure, if this may be a hardware problem of my second ethernet card, because there is always burning a led, which should not. But it was working the last ~8 month and had no issues so far. Why is the same kernel working with a lower gcc version and using upstart on ubuntu 14.04?
regards

[ephox]

Thanks for the report, it will be fixed in the next grsec patch.

[quasar366]

Thanks, the latest grsecurity-3.1-4.5.3-201605060852.patch fixed the PAX size overflow!