- Code: Select all
[ 144.640965] PAX: size overflow detected in function xdr_init_decode net/sunrpc/xdr.c:801 cicus.282_43 min, count: 18, decl: nwords; num: 0; context: xdr_stream;
[ 144.640993] CPU: 4 PID: 1130 Comm: rpc.nfsd Tainted: G E 4.5.7-grsec-201606142010 #1
[ 144.640996] Hardware name: Supermicro X10SRA/X10SRA, BIOS 1.0a 11/27/2014
[ 144.640999] 0000000000000000 6b1fb93e4b0e2c71 0000000000000286 0000000000000000
[ 144.641004] ffffffffb2351409 ffffffffc08e9e8a 6b1fb93e4b0e2c71 ffffffffc08e9e8a
[ 144.641008] 0000000000000321 ffffffffb21e3375 ffffc9000413b958 fffffffffffffffa
[ 144.641013] Call Trace:
[ 144.641023] [<ffffffffb2351409>] ? dump_stack+0x5a/0xb1
[ 144.641061] [<ffffffffc08e9e8a>] ? rpc_proc_fops+0x88a/0x7680 [sunrpc]
[ 144.641082] [<ffffffffc08e9e8a>] ? rpc_proc_fops+0x88a/0x7680 [sunrpc]
[ 144.641089] [<ffffffffb21e3375>] ? report_size_overflow+0x65/0x90
[ 144.641112] [<ffffffffc08d838c>] ? xdr_init_decode+0x13c/0x180 [sunrpc]
[ 144.641130] [<ffffffffc08c1290>] ? rpcproc_encode_null+0x20/0x20 [sunrpc]
[ 144.641150] [<ffffffffc08ce64d>] ? rpcauth_unwrap_resp+0x9d/0xe0 [sunrpc]
[ 144.641167] [<ffffffffc08c1290>] ? rpcproc_encode_null+0x20/0x20 [sunrpc]
[ 144.641184] [<ffffffffc08c1de6>] ? call_decode+0x186/0x3e0 [sunrpc]
[ 144.641203] [<ffffffffc08cbfd8>] ? __rpc_execute+0x78/0x2b0 [sunrpc]
[ 144.641220] [<ffffffffc08c3cb6>] ? rpc_run_task+0x76/0xa0 [sunrpc]
[ 144.641236] [<ffffffffc08c3d32>] ? rpc_call_sync+0x52/0xe0 [sunrpc]
[ 144.641259] [<ffffffffc08e7800>] ? rpc_inaddr_loopback+0x20/0x20 [sunrpc]
[ 144.641275] [<ffffffffc08c3e33>] ? rpc_ping+0x73/0xc0 [sunrpc]
[ 144.641295] [<ffffffffc08e7780>] ? __func__.59028+0x20/0x20 [sunrpc]
[ 144.641312] [<ffffffffc08c3f0f>] ? rpc_create_xprt+0x8f/0xc0 [sunrpc]
[ 144.641328] [<ffffffffc08c3ffc>] ? rpc_create+0xbc/0x190 [sunrpc]
[ 144.641348] [<ffffffffc08e8480>] ? rpcb_inaddr_loopback.56988+0x40/0x40 [sunrpc]
[ 144.641370] [<ffffffffc08e9e4b>] ? rpc_proc_fops+0x84b/0x7680 [sunrpc]
[ 144.641376] [<ffffffffb21b9fb0>] ? __kmalloc+0x300/0x470
[ 144.641399] [<ffffffffc08d798d>] ? rpcb_create_local+0xdd/0x230 [sunrpc]
[ 144.641423] [<ffffffffc08e8480>] ? rpcb_inaddr_loopback.56988+0x40/0x40 [sunrpc]
[ 144.641445] [<ffffffffc08e9e4b>] ? rpc_proc_fops+0x84b/0x7680 [sunrpc]
[ 144.641468] [<ffffffffc08e8880>] ? rpcb_getport_ops+0x20/0x20 [sunrpc]
[ 144.641491] [<ffffffffc08cfef4>] ? svc_rpcb_setup+0x14/0x50 [sunrpc]
[ 144.641509] [<ffffffffc098e578>] ? nfsd_create_serv+0xe8/0x240 [nfsd]
[ 144.641531] [<ffffffffc08d1e00>] ? svc_alien_sock+0x40/0x80 [sunrpc]
[ 144.641546] [<ffffffffc098fed3>] ? write_ports+0x243/0x2e0 [nfsd]
[ 144.641553] [<ffffffffb22101b3>] ? simple_transaction_get+0xd3/0x100
[ 144.641567] [<ffffffffc098fc90>] ? write_recoverydir+0x120/0x120 [nfsd]
[ 144.641582] [<ffffffffc098f992>] ? nfsctl_transaction_write+0x62/0xa0 [nfsd]
[ 144.641587] [<ffffffffb21d99e1>] ? __vfs_write+0x61/0x180
[ 144.641592] [<ffffffffb22a20dd>] ? security_file_permission+0x4d/0xe0
[ 144.641597] [<ffffffffb20bf279>] ? percpu_down_read+0x9/0x80
[ 144.641602] [<ffffffffb21da6a6>] ? vfs_write+0xe6/0x2a0
[ 144.641606] [<ffffffffb21dbc81>] ? sys_write+0x51/0xd0
[ 144.641613] [<ffffffffb2685a2d>] ? entry_SYSCALL_64_fastpath+0x16/0x87
PAX: size overflow detected in function xdr_init_decode
5 posts
• Page 1 of 1
PAX: size overflow detected in function xdr_init_decode
by mathias » Thu Jun 16, 2016 4:02 pm
Running Linux 4.5.7 and grsecurity-3.1-4.5.7-201606142010.patch. This error does not occur when running Linux 4.5.5 with grsecurity-3.1-4.5.5-201605211442.patch applied. After boot I see this in dmesg:
- mathias
- Posts: 14
- Joined: Mon May 11, 2015 6:25 pm
Re: PAX: size overflow detected in function xdr_init_decode
by PaX Team » Thu Jun 16, 2016 5:30 pm
assuming you can reproduce this at will, can you apply the following patch and report back the results please:
- Code: Select all
--- a/net/sunrpc/xdr.c 2015-02-09 21:13:14.377587210 +0100
+++ b/net/sunrpc/xdr.c 2016-06-16 23:28:52.031875300 +0200
@@ -798,6 +798,7 @@
else if (buf->page_len != 0)
xdr_set_page_base(xdr, 0, buf->len);
if (p != NULL && p > xdr->p && xdr->end >= p) {
+printk("PAX: xdr->nwords:%x p:%p xdr->p:%p\n", xdr->nwords, p, xdr->p);
xdr->nwords -= p - xdr->p;
xdr->p = p;
}
- PaX Team
- Posts: 2310
- Joined: Mon Mar 18, 2002 4:35 pm
Re: PAX: size overflow detected in function xdr_init_decode
by mathias » Sat Jun 18, 2016 1:08 am
I've not found a way to reliably reproduce this issue. I have recompiled the kernel with the requested printk patch and frame pointers. If I see the problem again I'll update this thread.
- mathias
- Posts: 14
- Joined: Mon May 11, 2015 6:25 pm
Re: PAX: size overflow detected in function xdr_init_decode
by spender » Wed Jun 22, 2016 7:21 am
Have you been able to reproduce it yet? We'd like to make sure it's fixed before releasing a 4.6 patch.
Thanks,
-Brad
Thanks,
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
Re: PAX: size overflow detected in function xdr_init_decode
by mathias » Fri Jun 24, 2016 5:22 pm
spender wrote:Have you been able to reproduce it yet? We'd like to make sure it's fixed before releasing a 4.6 patch.
Thanks,
-Brad
No, I haven't been able to get the overflow to trigger again. I guess I happened to hit a weird edge case. I will continue to watch for this issue to crop up again -- sorry for the noise.
- mathias
- Posts: 14
- Joined: Mon May 11, 2015 6:25 pm
5 posts
• Page 1 of 1