Two size overflow reports in grsecurity-3.1-4.6.4-201607182211


Postby debrouxl » Tue Jul 19, 2016 8:00 am

Quoting from IRC earlier today, on spender's request:
With the latest test patch, I've just seen a size overflow panic in tcp_rtt_estimator() <- tcp_ack() <- csum_partial() <- (IPv6 stuff) <- (SCSI + cfq + netif stuff) <- atl1c driver, upon IPv6 traffic. Seemingly not IPv4 traffic, though.
The machine now has two NICs, so I guess I'll try to use the other interface to get a full stack trace.
Not better on the other NIC using IPv4 traffic. As soon as I try to ssh into the machine, I get that size overflow panic in tcp_rtt_estimator() <- tcp_ack() <- csum_partial() <- (TCP / IPv4 stuff) <- netif <- 8139too driver.
I can't really set up netconsole for the time being, the box needs to be back up soon...
I got a different stack trace which can fit on the screen.
PAX: size overflow detected in function tcp_rtt_estimator net/ipv4/tcp_input.c:714 cicus.1543_212 min, count: 78, decl: srtt_us; num:0; context tcp_sock;


Heh. Got another size overflow report, but not fatal because it isn't in an interrupt handler.
PAX: size overflow detected in function bictcp_cwnd_event net/ipv4/tcp_cubic.c:158 cicus.156_16 max count: 33, decl: epoch_start; num: 0; context: bictcp;
It's a byproduct of sys_write.
And it hangs the offending task, namely sshd, which I use as a trigger.


All three size overflow reports are reproducible. I'm building the kernel by myself, under Debian sid amd64, and nearly all PaX+grsec config options are enabled: I'm not using the special uid + gid for users allowed to fork tasks at the moment.

For now, I reverted to an older version :)
debrouxl
 

Re: Two size overflow reports in grsecurity-3.1-4.6.4-201607182211

Postby PaX Team » Tue Jul 19, 2016 9:40 am

Thanks, I'll fix these in the next patch. As for getting the size overflow reports, you can always boot with pax_size_overflow_report_only on the kernel command line, which disables the actual reaction mechanism (though your logs may be spammed, so beware).
PaX Team
 
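The two reports above come from the PaX size_overflow GCC plugin, which re-evaluates integer arithmetic in a wider type and checks, at each store, that the result fits the declared destination type; "min" means the result fell below the type's minimum (a negative value narrowed into an unsigned field), "max" that it exceeded the maximum. The user-space model below is an added illustration, not code from the original posts, from the kernel, or from the plugin itself. The functions model_rtt_estimator and model_epoch_bump are hypothetical stand-ins shaped like a smoothed-RTT update and a jiffies-style timestamp bump; the report_only flag models the pax_size_overflow_report_only boot option mentioned in the reply. All inputs are constructed.

```c
/* Added illustration of the size_overflow check: a 64-bit intermediate is
 * range-checked before being narrowed to the u32 field it is stored into.
 * Hypothetical model, not the kernel's or the plugin's code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int report_only = 0;             /* models pax_size_overflow_report_only */
static const char *last_report = NULL;  /* "min", "max", or NULL */
static int reports = 0;                 /* number of reports emitted so far */

static void size_overflow_report(const char *func, const char *decl, const char *kind)
{
    last_report = kind;
    reports++;
    fprintf(stderr, "size overflow detected in function %s %s, decl: %s\n",
            func, kind, decl);
    if (!report_only)
        abort();  /* models the reaction: kill the task, or panic in interrupt context */
}

/* The instrumented store: check that a signed 64-bit result fits a u32. */
static uint32_t check_store_u32(int64_t v, const char *func, const char *decl)
{
    if (v < 0)
        size_overflow_report(func, decl, "min");
    else if (v > (int64_t)UINT32_MAX)
        size_overflow_report(func, decl, "max");
    return (uint32_t)v;  /* the narrowing the plugin is guarding */
}

/* Hypothetical fixed-point smoothed-RTT update (srtt kept as 8x the estimate).
 * Assumed shape, not copied from net/ipv4/tcp_input.c. */
struct model_sock { uint32_t srtt_us; };

static void model_rtt_estimator(struct model_sock *tp, int64_t mrtt_us)
{
    int64_t m = mrtt_us;                       /* RTT sample, signed */
    if (tp->srtt_us == 0) {                    /* first sample: srtt = 8 * sample */
        tp->srtt_us = check_store_u32(m * 8, "model_rtt_estimator", "srtt_us");
        return;
    }
    m -= (int64_t)(tp->srtt_us >> 3);          /* error term, may be negative */
    /* srtt + m is formed in 64 bits and range-checked before narrowing. */
    tp->srtt_us = check_store_u32((int64_t)tp->srtt_us + m,
                                  "model_rtt_estimator", "srtt_us");
}

/* Hypothetical timestamp bump where u32 wraparound is intended (jiffies-style
 * counters wrap by design); the checker still flags the wrap as "max". */
static uint32_t model_epoch_bump(uint32_t epoch_start, uint32_t delta)
{
    return check_store_u32((int64_t)epoch_start + delta,
                           "model_epoch_bump", "epoch_start");
}

/* Run the constructed scenarios in report-only mode; returns the number of
 * reports seen (expected 2), or -1 if the non-overflowing stores went wrong. */
static int demo_report_only(void)
{
    struct model_sock tp = { 0 }, neg = { 0 };
    report_only = 1;
    reports = 0;
    model_rtt_estimator(&tp, 100);   /* 8 * 100 = 800, fits */
    model_rtt_estimator(&tp, 200);   /* m = 200 - 100 = 100; 800 + 100 = 900, fits */
    if (tp.srtt_us != 800 + 100)
        return -1;
    model_rtt_estimator(&neg, -1);   /* constructed negative sample: -8 -> "min" */
    (void)model_epoch_bump(UINT32_MAX - 5, 10);  /* wraps past UINT32_MAX -> "max" */
    return reports;
}

int main(void)
{
    int n = demo_report_only();
    printf("report-only mode: %d reports, last kind: %s\n", n, last_report);
    /* With report_only = 0 the first violation would abort() instead. */
    return n == 2 ? 0 : 1;
}
```

The second scenario is the interesting one for a kernel: arithmetic that is meant to wrap (time counters compared with after()-style helpers) is indistinguishable from a genuine overflow at the store, so the plugin needs to be told which functions or fields may legitimately overflow; "fixing" such a report means adjusting the plugin's knowledge of the function, not the TCP code.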

