Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

Discuss and suggest new grsecurity features

Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

Postby tjh » Tue Jul 10, 2012 4:38 pm

Code: Select all
PAX: size overflow detected in function tcp_recvmsg net/ipv4/tcp.c:1696
Pid: 2447, comm: rtorrent Not tainted 3.4.4-grsec #1
Call Trace:
 [<000a5189>] ? 0x0a5189
 [<00217750>] ? 0x217750
 [<0023661f>] ? 0x23661f
 [<001c69ed>] ? 0x1c69ed
 [<001c8fed>] ? 0x1c8fed
 [<001c90b3>] ? 0x1c90b3
 [<001c9b2c>] ? 0x1c9b2c
 [<00265534>] ? 0x265534
 [<00265554>] ? 0x265554


This is with grsecurity-2.9.1-3.4.4-201207080925.patch and Linux 3.4.4.

Code: Select all
root@micro:/home/tim# cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 13
model name      : Intel(R) Celeron(R) M processor          900MHz
stepping        : 6
microcode       : 0x18
cpu MHz         : 630.088
cache size      : 512 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 2
wp              : yes
flags           : fpu vme de pse tsc msr mce cx8 apic mtrr pge mca cmov clflush dts acpi mmx fxsr sse sse2 ss tm pbe bts
bogomips        : 1260.17
clflush size    : 64
cache_alignment : 64
address sizes   : 32 bits physical, 32 bits virtual
power management:


What additional files should I provide to help debug this?
tjh
 
Posts: 102
Joined: Sat Oct 16, 2004 8:19 pm

Re: Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

Postby ephox » Tue Jul 10, 2012 5:31 pm

I think it is false positive, I will fix it in the next plugin version.
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm

Re: Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

Postby Flexx » Mon Jul 23, 2012 4:46 am

got a similar problem here with icecast:

Linux version 3.2.23-grsec (gcc version 4.6.2 (Ubuntu/Linaro 4.6.2-10ubuntu1~10.04.2) ) #1 SMP
grsecurity-2.9.1-3.2.23-201207211428.patch

Code: Select all
PAX: size overflow detected in function tcp_recvmsg net/ipv4/tcp.c:1690
Pid: 4171, comm: icecast2.3.3 Not tainted 3.2.23-grsec #1
Call Trace:
[<ffffffff8117ed24>] report_size_overflow+0x24/0x30
[<ffffffff815a0b01>] tcp_recvmsg+0x1041/0x1270
[<ffffffff8118e940>] ? __pollwait+0x100/0x100
[<ffffffff815c481c>] inet_recvmsg+0x6c/0x80
[<ffffffff815c481c>] ? inet_recvmsg+0x6c/0x80
[<ffffffff8153bf95>] sock_recvmsg+0x125/0x140
[<ffffffff81664ecd>] ? bad_area_nosemaphore+0x13/0x15
[<ffffffff81674ebe>] ? do_page_fault+0x44e/0x550
[<ffffffff81664ecd>] ? bad_area_nosemaphore+0x13/0x15
[<ffffffff8109831e>] ? ktime_get_ts+0xae/0xf0
[<ffffffff815400ff>] sys_recvfrom+0xef/0x170
[<ffffffff81679165>] ? sysret_check+0x1e/0x5a
[<ffffffff8101c606>] ? pax_randomize_kstack+0x56/0x70
[<ffffffff81679165>] ? sysret_check+0x1e/0x5a
[<ffffffff8167913d>] system_call_fastpath+0x18/0x1d


while waiting for a fix, is it possible to disable this feature without recompiling the kernel with "CONFIG_PAX_SIZE_OVERFLOW=n" ? maybe via pax flags or /proc ?

thanks,
Bernd
Flexx
 
Posts: 1
Joined: Mon Jul 23, 2012 4:26 am

Re: Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

Postby PaX Team » Mon Jul 23, 2012 11:13 am

Flexx wrote:while waiting for a fix, is it possible to disable this feature without recompiling the kernel with "CONFIG_PAX_SIZE_OVERFLOW=n" ? maybe via pax flags or /proc ?
this feature, as everything gcc plugin based, instruments generated code (i.e., something at compile time), so there's no way to get rid of it later, you'll have to recompile.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

Postby kolargol » Fri Apr 04, 2014 7:15 am

Hello,

got similar problem:
Code: Select all
[1911768.723141] PAX: size overflow detected in function __ip_select_ident net/ipv4/route.c:1379 cicus.645_79 max, count: 3
[1911768.723161] Pid: 2401, comm: openvpn Not tainted 3.2.55-grsec-processone-R11 #1
[1911768.723170] Call Trace:
[1911768.723178]  [<ffffffff81104b34>] ? report_size_overflow+0x24/0x30
[1911768.723184]  [<ffffffff8147afa1>] ? __ip_select_ident+0x1e1/0x1f0
[1911768.723188]  [<ffffffff81484f74>] ? __ip_make_skb+0x1f4/0x450
[1911768.723192]  [<ffffffff814853a1>] ? ip_make_skb+0x131/0x160
[1911768.723198]  [<ffffffff812fb439>] ? __list_del_entry+0x9/0x20
[1911768.723202]  [<ffffffff81484580>] ? ip_output+0xa0/0xa0
[1911768.723205]  [<ffffffff81484580>] ? ip_output+0xa0/0xa0
[1911768.723210]  [<ffffffff814a9ced>] ? udp_sendmsg+0x2ad/0x940
[1911768.723215]  [<ffffffff810ed3b4>] ? kmem_cache_free+0x14/0xa0
[1911768.723219]  [<ffffffff814a8b62>] ? udp_recvmsg+0x1e2/0x420
[1911768.723223]  [<ffffffff81413f48>] ? sock_sendmsg+0xe8/0x120
[1911768.723228]  [<ffffffff81111e30>] ? __pollwait+0x120/0x120
[1911768.723231]  [<ffffffff810eda60>] ? check_heap_object+0x50/0x100
[1911768.723235]  [<ffffffff81103f03>] ? __check_object_size+0x63/0x1a0
[1911768.723240]  [<ffffffff81413cc8>] ? move_addr_to_kernel+0x98/0xf0
[1911768.723244]  [<ffffffff814155f7>] ? sys_sendto+0x117/0x190
[1911768.723248]  [<ffffffff81002812>] ? xen_load_sp0+0x72/0x90
[1911768.723253]  [<ffffffff81011c8d>] ? pax_randomize_kstack+0x4d/0x70
[1911768.723259]  [<ffffffff81574170>] ? retint_swapgs+0xe/0x11
[1911768.723263]  [<ffffffff81573c02>] ? system_call_fastpath+0x16/0x1b


patch version 3.0-3.2.55-201402241936 , is this known issue ?

thanks,
kolargol
 
Posts: 36
Joined: Thu Sep 23, 2004 5:19 am

Re: Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

Postby ephox » Fri Apr 04, 2014 8:46 am

kolargol wrote:
Code: Select all
[1911768.723141] PAX: size overflow detected in function __ip_select_ident net/ipv4/route.c:1379 cicus.645_79 max, count: 3

...
patch version 3.0-3.2.55-201402241936 , is this known issue ?


Hi,

Could you try the latest grsec version, please?
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm

Re: Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

Postby kolargol » Thu Apr 10, 2014 4:41 am

i will reply tests once i prepare new kernel, this is production, so next test can take a while ...
kolargol
 
Posts: 36
Joined: Thu Sep 23, 2004 5:19 am

Re: Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

Postby jorgus » Tue May 13, 2014 4:56 am

Hi,

I got the overflow reported by kolargol (not the original one reported in this topic) in grsecurity-3.0-3.2.58-201405051840.patch, which is fairly recent. It looks like the overflow is still there.

Code: Select all
PAX: size overflow detected in function __ip_select_ident net/ipv4/route.c:1379 cicus.605_79 max, count: 3
Pid: 1081, comm: webalizer Not tainted 3.2.58-2-amd64 #1
Call Trace:
[<ffffffff810e1624>] ? report_size_overflow+0x24/0x30
[<ffffffff8133f431>] ? __ip_select_ident+0x1d1/0x1e0
[<ffffffff813479c1>] ? __ip_make_skb+0x1f1/0x470
[<ffffffff81347e0a>] ? ip_make_skb+0x12a/0x150
[<ffffffff81345740>] ? __ip_append_data.isra.31+0xba0/0xba0
[<ffffffff8136d417>] ? udp_sendmsg+0x2a7/0x970
[<ffffffff81305897>] ? memcpy_toiovec+0x157/0x290
[<ffffffff8136c942>] ? udp_recvmsg+0x1f2/0x420
[<ffffffff812f3f63>] ? sock_sendmsg+0xc3/0xf0
[<ffffffff8137547e>] ? inet_recvmsg+0x4e/0x90
[<ffffffff812f3e1a>] ? sock_recvmsg+0xca/0x100
[<ffffffff810f21a0>] ? poll_schedule_timeout+0x70/0x70
[<ffffffff8133dd18>] ? __ip_route_output_key+0x4e8/0x9e0
[<ffffffff8133dd18>] ? __ip_route_output_key+0x4e8/0x9e0
[<ffffffff812f4002>] ? sockfd_lookup_light+0x22/0x80
[<ffffffff812f7933>] ? sys_sendto+0x113/0x180
[<ffffffff8136ab00>] ? udplite_getfrag+0x10/0x10
[<ffffffff812f7622>] ? sys_connect+0x102/0x110
[<ffffffff81397c6f>] ? system_call_fastpath+0x16/0x1b
[<ffffffff810f43ac>] ? sys_poll+0x6c/0xe0
[<ffffffff81397c97>] ? sysret_check+0x1e/0x65
jorgus
 
Posts: 65
Joined: Wed Feb 20, 2008 9:50 pm

Re: Size Overflow in tcp_recvmsg net/ipv4/tcp.c:1696

Postby PaX Team » Tue May 13, 2014 7:00 am

i'll backport the recent overflow plugin changes to 3.2 as well once it's baked a bit in 3.14, in the meantime you should turn it off if this keeps triggering for you.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm


Return to grsecurity development