PAX: size overflow detected in function xfs_da_grow_inode_in


Post by jdkbx » Fri Dec 18, 2015 9:23 pm

[   73.179198] PAX: size overflow detected in function xfs_da_grow_inode_int fs/xfs/libxfs/xfs_da_btree.c:2001 cicus.555_105 min, count: 36, decl: total; num: 0; context: xfs_da_args;
[   73.179266] CPU: 2 PID: 6049 Comm: cp Not tainted 4.3.3-hardened-r1 #1
[   73.179292] Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./Z170-HD3P-CF, BIOS F2 07/27/2015
[   73.179332]  ffffffffa4162511 666c28bdd20ecae3 0000000000000000 ffffc90006383670
[   73.179368]  ffffffffa466dc45 ffffffffab314b88 ffffc900063836a0 ffffffffa4224e74
[   73.179403]  ffffffffab314e11 ffffc90006383748 ffff880459d8bed8 0000000000000023
[   73.179439] Call Trace:
[   73.179451]  [<ffffffffa4162511>] ? 0xffffffffa4162511
[   73.179473]  [<ffffffffa466dc45>] 0xffffffffa466dc45
[   73.179493]  [<ffffffffa4224e74>] 0xffffffffa4224e74
[   73.179514]  [<ffffffffa4481a93>] 0xffffffffa4481a93
[   73.179534]  [<ffffffffa42079b6>] ? 0xffffffffa42079b6
[   73.179554]  [<ffffffffa45b294e>] ? 0xffffffffa45b294e
[   73.179588]  [<ffffffffa4484ebb>] 0xffffffffa4484ebb
[   73.179615]  [<ffffffffa4484ebb>] ? 0xffffffffa4484ebb
[   73.179639]  [<ffffffffa4486ced>] 0xffffffffa4486ced
[   73.179660]  [<ffffffffa4486ced>] ? 0xffffffffa4486ced
[   73.179681]  [<ffffffffa44b4dc4>] ? 0xffffffffa44b4dc4
[   73.179702]  [<ffffffffa44b6cea>] ? 0xffffffffa44b6cea
[   73.179723]  [<ffffffffa448e469>] 0xffffffffa448e469
[   73.179743]  [<ffffffffa44851d7>] 0xffffffffa44851d7
[   73.179763]  [<ffffffffa44851d7>] ? 0xffffffffa44851d7
[   73.179784]  [<ffffffffa44b7544>] 0xffffffffa44b7544
[   73.179805]  [<ffffffffa44b38d9>] 0xffffffffa44b38d9
[   73.179826]  [<ffffffffa44b3abe>] 0xffffffffa44b3abe
[   73.179846]  [<ffffffffa44b3af0>] 0xffffffffa44b3af0
[   73.182183]  [<ffffffffa422db55>] 0xffffffffa422db55
[   73.184552]  [<ffffffffa422e42d>] 0xffffffffa422e42d
[   73.186873]  [<ffffffffa4230302>] 0xffffffffa4230302
[   73.189175]  [<ffffffffa423e608>] ? 0xffffffffa423e608
[   73.191473]  [<ffffffffa4fb7492>] ? 0xffffffffa4fb7492
[   73.193758]  [<ffffffffa423e6c8>] ? 0xffffffffa423e6c8
[   73.195782]  [<ffffffffa422f48e>] ? 0xffffffffa422f48e
[   73.197741]  [<ffffffffa421d0c3>] 0xffffffffa421d0c3
[   73.199588]  [<ffffffffa421d198>] 0xffffffffa421d198
[   73.201292]  [<ffffffffa4fb7dd9>] 0xffffffffa4fb7dd9


gentoo-4.3.3-hardened-r1, grsecurity-3.1-4.3.3-201512162141
jdkbx
 

Re: PAX: size overflow detected in function xfs_da_grow_inod

Post by ephox » Sat Dec 19, 2015 9:10 am

There are two problems. I fixed the gcc intentional overflow but there is an integer truncation in fs/xfs/libxfs/xfs_da_btree.c +2079:

args->total -= dp->i_d.di_nblocks - nblks;
The types are:
uint32 -= uint64 - uint64

Could you please ask the upstream developers whether the truncation is intentional and safe?
ephox
 

Re: PAX: size overflow detected in function xfs_da_grow_inod

Post by jdkbx » Sun Dec 20, 2015 3:33 pm

> Yes and yes. We can be, at most, asking for 128 blocks to be
> allocated in this function, so that "uint64 - uint64" will
> typically have a value of 1 or 2. The worst case is about 130 in the
> most extreme, never-used-but-still-possible filesystem
> configuration.
>
> Cheers,
>
> Dave.
>

http://thread.gmane.org/gmane.comp.file-systems.xfs.general/71941/focus=71949
jdkbx
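
Added example, not part of any post in this thread and not XFS code: the `uint32 -= uint64 - uint64` shape discussed above, next to a checked variant that refuses a difference that does not fit the 32-bit destination. The function names and all values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same shape as the statement quoted in the thread. The subtraction is
 * carried out in 64 bits and the result is reduced modulo 2^32 when it
 * is stored back into the 32-bit counter. */
static uint32_t sub_unchecked(uint32_t total, uint64_t after, uint64_t before)
{
    total -= after - before;
    return total;
}

/* Checked variant (hypothetical helper): fails instead of truncating.
 * Rejects a negative difference, a difference wider than 32 bits, and
 * a difference larger than the remaining counter. */
static bool sub_checked(uint32_t *total, uint64_t after, uint64_t before)
{
    uint64_t delta;

    if (after < before)
        return false;
    delta = after - before;
    if (delta > UINT32_MAX || delta > *total)
        return false;
    *total -= (uint32_t)delta;
    return true;
}

int main(void)
{
    /* Constructed values. A small difference, like the ones described
     * in the quoted reply, loses nothing in the narrowing. */
    uint32_t t = 200;
    printf("small delta: %u\n", sub_unchecked(200, 1002, 1000));

    /* A difference of 2^32 + 2 truncates to 2, so the unchecked form
     * returns a plausible but wrong counter. */
    uint64_t huge = 1000 + 0x100000002ULL;
    printf("huge delta, unchecked: %u\n", sub_unchecked(200, huge, 1000));
    printf("huge delta, checked ok: %d\n", sub_checked(&t, huge, 1000));
    return 0;
}
```

The size overflow report in the first post comes from instrumentation that flags this kind of narrowing at run time; the checked helper expresses the same bound explicitly in the source.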
 