grsecurity forums

Code: Select all

PAX: size overflow detected in function tcp_recvmsg net/ipv4/tcp.c:1696
Pid: 2447, comm: rtorrent Not tainted 3.4.4-grsec #1
Call Trace:
 [<000a5189>] ? 0x0a5189
 [<00217750>] ? 0x217750
 [<0023661f>] ? 0x23661f
 [<001c69ed>] ? 0x1c69ed
 [<001c8fed>] ? 0x1c8fed
 [<001c90b3>] ? 0x1c90b3
 [<001c9b2c>] ? 0x1c9b2c
 [<00265534>] ? 0x265534
 [<00265554>] ? 0x265554


This is with grsecurity-2.9.1-3.4.4-201207080925.patch and Linux 3.4.4.

Code: Select all

root@micro:/home/tim# cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 13
model name      : Intel(R) Celeron(R) M processor          900MHz
stepping        : 6
microcode       : 0x18
cpu MHz         : 630.088
cache size      : 512 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 2
wp              : yes
flags           : fpu vme de pse tsc msr mce cx8 apic mtrr pge mca cmov clflush dts acpi mmx fxsr sse sse2 ss tm pbe bts
bogomips        : 1260.17
clflush size    : 64
cache_alignment : 64
address sizes   : 32 bits physical, 32 bits virtual
power management:


What additional files should I provide to help debug this?

I think it is false positive, I will fix it in the next plugin version.

got a similar problem here with icecast:

Linux version 3.2.23-grsec (gcc version 4.6.2 (Ubuntu/Linaro 4.6.2-10ubuntu1~10.04.2) ) #1 SMP
grsecurity-2.9.1-3.2.23-201207211428.patch

Code: Select all

PAX: size overflow detected in function tcp_recvmsg net/ipv4/tcp.c:1690
Pid: 4171, comm: icecast2.3.3 Not tainted 3.2.23-grsec #1
Call Trace:
[<ffffffff8117ed24>] report_size_overflow+0x24/0x30
[<ffffffff815a0b01>] tcp_recvmsg+0x1041/0x1270
[<ffffffff8118e940>] ? __pollwait+0x100/0x100
[<ffffffff815c481c>] inet_recvmsg+0x6c/0x80
[<ffffffff815c481c>] ? inet_recvmsg+0x6c/0x80
[<ffffffff8153bf95>] sock_recvmsg+0x125/0x140
[<ffffffff81664ecd>] ? bad_area_nosemaphore+0x13/0x15
[<ffffffff81674ebe>] ? do_page_fault+0x44e/0x550
[<ffffffff81664ecd>] ? bad_area_nosemaphore+0x13/0x15
[<ffffffff8109831e>] ? ktime_get_ts+0xae/0xf0
[<ffffffff815400ff>] sys_recvfrom+0xef/0x170
[<ffffffff81679165>] ? sysret_check+0x1e/0x5a
[<ffffffff8101c606>] ? pax_randomize_kstack+0x56/0x70
[<ffffffff81679165>] ? sysret_check+0x1e/0x5a
[<ffffffff8167913d>] system_call_fastpath+0x18/0x1d


while waiting for a fix, is it possible to disable this feature without recompiling the kernel with "CONFIG_PAX_SIZE_OVERFLOW=n" ? maybe via pax flags or /proc ?

thanks,
Bernd

Flexx wrote:while waiting for a fix, is it possible to disable this feature without recompiling the kernel with "CONFIG_PAX_SIZE_OVERFLOW=n" ? maybe via pax flags or /proc ?

this feature, as everything gcc plugin based, instruments generated code (i.e., something at compile time), so there's no way to get rid of it later, you'll have to recompile.

Hello,

got similar problem:

Code: Select all

[1911768.723141] PAX: size overflow detected in function __ip_select_ident net/ipv4/route.c:1379 cicus.645_79 max, count: 3
[1911768.723161] Pid: 2401, comm: openvpn Not tainted 3.2.55-grsec-processone-R11 #1
[1911768.723170] Call Trace:
[1911768.723178]  [<ffffffff81104b34>] ? report_size_overflow+0x24/0x30
[1911768.723184]  [<ffffffff8147afa1>] ? __ip_select_ident+0x1e1/0x1f0
[1911768.723188]  [<ffffffff81484f74>] ? __ip_make_skb+0x1f4/0x450
[1911768.723192]  [<ffffffff814853a1>] ? ip_make_skb+0x131/0x160
[1911768.723198]  [<ffffffff812fb439>] ? __list_del_entry+0x9/0x20
[1911768.723202]  [<ffffffff81484580>] ? ip_output+0xa0/0xa0
[1911768.723205]  [<ffffffff81484580>] ? ip_output+0xa0/0xa0
[1911768.723210]  [<ffffffff814a9ced>] ? udp_sendmsg+0x2ad/0x940
[1911768.723215]  [<ffffffff810ed3b4>] ? kmem_cache_free+0x14/0xa0
[1911768.723219]  [<ffffffff814a8b62>] ? udp_recvmsg+0x1e2/0x420
[1911768.723223]  [<ffffffff81413f48>] ? sock_sendmsg+0xe8/0x120
[1911768.723228]  [<ffffffff81111e30>] ? __pollwait+0x120/0x120
[1911768.723231]  [<ffffffff810eda60>] ? check_heap_object+0x50/0x100
[1911768.723235]  [<ffffffff81103f03>] ? __check_object_size+0x63/0x1a0
[1911768.723240]  [<ffffffff81413cc8>] ? move_addr_to_kernel+0x98/0xf0
[1911768.723244]  [<ffffffff814155f7>] ? sys_sendto+0x117/0x190
[1911768.723248]  [<ffffffff81002812>] ? xen_load_sp0+0x72/0x90
[1911768.723253]  [<ffffffff81011c8d>] ? pax_randomize_kstack+0x4d/0x70
[1911768.723259]  [<ffffffff81574170>] ? retint_swapgs+0xe/0x11
[1911768.723263]  [<ffffffff81573c02>] ? system_call_fastpath+0x16/0x1b

patch version 3.0-3.2.55-201402241936 , is this known issue ?

thanks,

kolargol wrote:

Code: Select all

[1911768.723141] PAX: size overflow detected in function __ip_select_ident net/ipv4/route.c:1379 cicus.645_79 max, count: 3

...
patch version 3.0-3.2.55-201402241936 , is this known issue ?

Hi,

Could you try the latest grsec version, please?

i will reply tests once i prepare new kernel, this is production, so next test can take a while ...

Hi,

I got the overflow reported by kolargol (not the original one reported in this topic) in grsecurity-3.0-3.2.58-201405051840.patch, which is fairly recent. It looks like the overflow is still there.

Code: Select all

PAX: size overflow detected in function __ip_select_ident net/ipv4/route.c:1379 cicus.605_79 max, count: 3
Pid: 1081, comm: webalizer Not tainted 3.2.58-2-amd64 #1
Call Trace:
[<ffffffff810e1624>] ? report_size_overflow+0x24/0x30
[<ffffffff8133f431>] ? __ip_select_ident+0x1d1/0x1e0
[<ffffffff813479c1>] ? __ip_make_skb+0x1f1/0x470
[<ffffffff81347e0a>] ? ip_make_skb+0x12a/0x150
[<ffffffff81345740>] ? __ip_append_data.isra.31+0xba0/0xba0
[<ffffffff8136d417>] ? udp_sendmsg+0x2a7/0x970
[<ffffffff81305897>] ? memcpy_toiovec+0x157/0x290
[<ffffffff8136c942>] ? udp_recvmsg+0x1f2/0x420
[<ffffffff812f3f63>] ? sock_sendmsg+0xc3/0xf0
[<ffffffff8137547e>] ? inet_recvmsg+0x4e/0x90
[<ffffffff812f3e1a>] ? sock_recvmsg+0xca/0x100
[<ffffffff810f21a0>] ? poll_schedule_timeout+0x70/0x70
[<ffffffff8133dd18>] ? __ip_route_output_key+0x4e8/0x9e0
[<ffffffff8133dd18>] ? __ip_route_output_key+0x4e8/0x9e0
[<ffffffff812f4002>] ? sockfd_lookup_light+0x22/0x80
[<ffffffff812f7933>] ? sys_sendto+0x113/0x180
[<ffffffff8136ab00>] ? udplite_getfrag+0x10/0x10
[<ffffffff812f7622>] ? sys_connect+0x102/0x110
[<ffffffff81397c6f>] ? system_call_fastpath+0x16/0x1b
[<ffffffff810f43ac>] ? sys_poll+0x6c/0xe0
[<ffffffff81397c97>] ? sysret_check+0x1e/0x65


i'll backport the recent overflow plugin changes to 3.2 as well once it's baked a bit in 3.14, in the meantime you should turn it off if this keeps triggering for you.