null pointer dereference in nfsd


Postby Carlos Carvalho » Tue May 10, 2016 10:17 pm

4.5.3 with 201605080858 patch gets a null pointer dereference:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000144
IP: [<ffffffffa717256b>] nfsd_proc_read+0x10/0x155
PGD 0
Oops: 0000 [#3] SMP
CPU: 19 PID: 4897 Comm: nfsd Tainted: G D 4.5.3 #1
task: ffff88085a704ec0 ti: ffff88085a705700 task.ti: ffff88085a705700
RIP: 0010:[<ffffffffa717256b>] [<ffffffffa717256b>] nfsd_proc_read+0x10/0x155
RSP: 0000:ffffc9001052bdb0 EFLAGS: 00010282
RAX: ffffffffa717255b RBX: ffff8800780ab468 RCX: 0000000000000014
RDX: ffff8800780ab468 RSI: ffff8800780ab060 RDI: ffff88084ee60000
RBP: ffff88084ee60000 R08: ffff881055aecc62 R09: 0000160000000000
R10: ffff880000000000 R11: 0000000000001000 R12: 8000000000000000
R13: 0000000000000018 R14: ffff88062566b000 R15: ffffffffa7480430
FS: 0000000000000000(0000) GS:ffff88107fce0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000144 CR3: 000000002742a000 CR4: 00000000000606f0
Stack:
0000000057312c74 000000002ada1f39 ffff881000000000 ffff88084ee60000
ffffffffa717870b ffff88085ba60000 ffffc900000003dd 00000006a73e2a6d
0000001100000002 ffffffff70c3c120 ffff88084ee60000 ffff88084ee60000
Call Trace:
[<ffffffffa717870b>] ? nfsd_cache_lookup+0x40/0x512
[<ffffffffa7170d64>] ? nfsd_dispatch+0xaa/0x17e
[<ffffffffa73df763>] ? svc_process+0x47c/0x736
[<ffffffffa71708f0>] ? nfsd+0xea/0x142
[<ffffffffa7170806>] ? nfsd_destroy+0x59/0x59
[<ffffffffa704d809>] ? kthread+0xd0/0xe2
[<ffffffffa704d739>] ? __kthread_parkme+0x68/0x68
[<ffffffffa73f8079>] ? ret_from_fork+0x39/0x60
[<ffffffffa704d739>] ? __kthread_parkme+0x68/0x68
Code: 5b 5d 41 5d e9 b4 fe ff ff 5a 5b 5d 41 5d 4c 09 24 24 c3 40 a6 78 53 00 00 00 00 41 56 41 55 55 48 89 fd 53 48 89 d3 48 83 ec 68 <44> 8b 2c 25 44 01 00 00 65 48 8b 04 25 28 00 00 00 48 89 44 24
RIP [<ffffffffa717256b>] nfsd_proc_read+0x10/0x155
RSP <ffffc9001052bdb0>
CR2: 0000000000000144

It happened after some hours of heavy nfs use. This is with RAP enabled. No idea if there's any relation to RAP or even grsec, since this is the first time I try this version. Up to 4.4.8 there were no problems at all.
Carlos Carvalho
 
Posts: 27
Joined: Thu Apr 21, 2011 4:48 pm

Re: null pointer dereference in nfsd

Postby PaX Team » Tue May 10, 2016 10:48 pm

it looks like a null data pointer dereference, argp/r13 was null (or rather, close to 0, must have been computed as a field offset of some structure). it doesn't look RAP related per se, but if you can somehow reproduce this, try it without RAP or even grsec altogether.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
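To make the reading of the oops given above reproducible for triage, here is an added Python example (not code from this thread or from the grsecurity project) that parses the oops text quoted in the first post and classifies the faulting address: a value below PAGE_SIZE is a field offset from a NULL struct base, a value in the top 4095 bytes of the address space is an ERR_PTR being dereferenced, anything else is a wild pointer. The oops excerpt is copied from the report; the address ranges, the x86 page-fault error-code bits and the ERR_PTR window are standard x86/Linux facts, and the classification goes beyond the single case in the thread.

```python
import re

# Oops lines copied from the first post in this thread (x86-64, 4.5.3 + grsecurity patch).
OOPS = """\
BUG: unable to handle kernel NULL pointer dereference at 0000000000000144
IP: [<ffffffffa717256b>] nfsd_proc_read+0x10/0x155
PGD 0
Oops: 0000 [#3] SMP
CPU: 19 PID: 4897 Comm: nfsd Tainted: G D 4.5.3 #1
Call Trace:
[<ffffffffa717870b>] ? nfsd_cache_lookup+0x40/0x512
[<ffffffffa7170d64>] ? nfsd_dispatch+0xaa/0x17e
[<ffffffffa73df763>] ? svc_process+0x47c/0x736
[<ffffffffa71708f0>] ? nfsd+0xea/0x142
[<ffffffffa704d809>] ? kthread+0xd0/0xe2
RIP [<ffffffffa717256b>] nfsd_proc_read+0x10/0x155
CR2: 0000000000000144
"""

PAGE_SIZE = 4096    # x86-64: nothing is ever mapped in the first page of kernel or user space
MAX_ERRNO = 4095    # Linux ERR_PTR() values live in [-MAX_ERRNO, -1] as unsigned addresses

FAULT_RE = re.compile(r"unable to handle kernel .+? at (?P<addr>[0-9a-fA-F]+)")
OOPS_RE = re.compile(r"Oops: (?P<code>[0-9a-f]{4}) \[#(?P<n>\d+)\]")
CPU_RE = re.compile(r"CPU: \d+ PID: (?P<pid>\d+) Comm: (?P<comm>\S+)")
SYM_RE = re.compile(r"\[<(?P<ip>[0-9a-f]+)>\]\s+\??\s*(?P<sym>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x[0-9a-f]+")


def parse_oops(text):
    """Extract the fields a triager looks at first from an x86-64 oops dump."""
    info = {"trace": []}
    for line in text.splitlines():
        m = FAULT_RE.search(line)
        if m:
            info["fault_addr"] = int(m.group("addr"), 16)
            continue
        m = OOPS_RE.search(line)
        if m:
            code = int(m.group("code"), 16)
            # x86 page-fault error code: bit0 = protection violation (0 = not present),
            # bit1 = write access, bit2 = fault taken in user mode.
            info["oops_count"] = int(m.group("n"))
            info["write"] = bool(code & 2)
            info["user_mode"] = bool(code & 4)
            continue
        m = CPU_RE.search(line)
        if m:
            info["pid"] = int(m.group("pid"))
            info["comm"] = m.group("comm")
            continue
        m = SYM_RE.search(line)
        if not m:
            continue
        if line.startswith(("IP:", "RIP")):
            # IP/RIP lines name the faulting function; keep the first one seen.
            info.setdefault("faulting_symbol", m.group("sym"))
            info.setdefault("faulting_offset", int(m.group("off"), 16))
        else:
            info["trace"].append(m.group("sym"))
    return info


def classify(info):
    """Say what kind of bad pointer produced the faulting address."""
    addr = info["fault_addr"]
    if addr < PAGE_SIZE:
        # Small absolute address: a field read through a NULL (or garbage-near-zero) base.
        return "null-base field access (offset 0x%x)" % addr
    if addr >= (1 << 64) - MAX_ERRNO:
        # An ERR_PTR() return value was used as a real pointer.
        return "ERR_PTR dereference (errno -%d)" % ((1 << 64) - addr)
    return "wild pointer 0x%x" % addr


if __name__ == "__main__":
    parsed = parse_oops(OOPS)
    print(parsed["faulting_symbol"], "+0x%x" % parsed["faulting_offset"], "->", classify(parsed))
    print("called via:", " <- ".join(parsed["trace"]))
```

On the quoted dump this reports a read (error code 0000, kernel mode, page not present) from `nfsd_proc_read+0x10` at offset 0x144 off a null base, i.e. a struct field access through an uninitialised or NULL `argp`, which is the same conclusion as the reply above; the `[#3]` shows two earlier oopses had already tainted the kernel, so the first dmesg entry, not the last, is the one to start from.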

Re: null pointer dereference in nfsd

Postby spender » Wed May 11, 2016 6:58 am

Spotted the problem, this will be fixed in the next patch, thanks!

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: null pointer dereference in nfsd

Postby PaX Team » Wed May 11, 2016 7:00 am

looks like spender's got a sharper eye than me :P, so here's the fix for the typo i made while fixing up all the bad function types for RAP:
--- a/fs/nfsd/nfsproc.c  2016-04-26 21:07:20.458670296 +0200
+++ b/fs/nfsd/nfsproc.c   2016-05-11 12:57:49.058234913 +0200
@@ -175,7 +175,7 @@
 nfsd_proc_read(struct svc_rqst *rqstp, void *_argp,
                                       void *_resp)
 {
-       struct nfsd_readargs *argp = argp;
+       struct nfsd_readargs *argp = _argp;
        struct nfsd_readres *resp = _resp;
        __be32  nfserr;
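Review bot: the single-character change from `struct nfsd_readargs *argp = argp;` to `struct nfsd_readargs *argp = _argp;` is the right fix, and it explains the report: the old line initializes the local from its own indeterminate value, so the first field read through `argp` faults at a small absolute address (CR2 0x144), which is the "offset of some structure from a near-null base" diagnosed earlier in the thread. Worth noting that GCC's -Wall does not enable -Winit-self for C, so this self-initialization compiles silently in a default kernel build; since the same RAP function-type conversion touched the other nfsd_proc_* handlers, a quick grep of that file for `= argp;` and `= resp;` without the leading underscore would confirm no sibling handler carries the same typo before the next patch ships.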

PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: null pointer dereference in nfsd

Postby Carlos Carvalho » Sat May 14, 2016 1:19 pm

Running 4.5.4-201605112030.patch for 2 days with heavy load and all is fine. Thanks a lot.
Carlos Carvalho
 
Posts: 27
Joined: Thu Apr 21, 2011 4:48 pm
