grsecurity forums

[cscmeu]

Hi girls,

[ 3461.196172] PAX: size overflow detected in function _decode_session6 net/ipv6/xfrm6_policy.c:133 cicus.116_244 min, count: 20
[ 3461.278561] CPU: 0 PID: 4648 Comm: java Not tainted 3.14.17-dsl0-grsec #3
[ 3459.591512] Kernel Offset: 0x3f000000 from 0xc1000000 (relocation range: 0xc0000000-0xf83fdfff)

With 3.0-3.14.17-201408140021 on Linux 3.14.17 running on Soekris net6501 (Intel 32 bits) with GCC :

# gcc --version
gcc (Debian 4.7.2-5) 4.7.2

Code: Select all

static inline void
_decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
{
        struct flowi6 *fl6 = &fl->u.ip6;
        int onlyproto = 0;
        u16 offset = skb_network_header_len(skb);
                        ^ kaboum


What additional files should I provide to help debug this?

Thanks!

Best Regards,

[ephox]

Hi,

Sorry for the late response, could you apply this patch, please and send me the results?

Code: Select all

--- net/ipv6/xfrm6_policy.c.orig        2014-08-20 10:11:56.859999741 +0200
+++ net/ipv6/xfrm6_policy.c     2014-08-20 10:15:47.907999732 +0200
@@ -130,13 +130,16 @@
 {
        struct flowi6 *fl6 = &fl->u.ip6;
        int onlyproto = 0;
-       u16 offset = skb_network_header_len(skb);
+       u16 offset;
        const struct ipv6hdr *hdr = ipv6_hdr(skb);
        struct ipv6_opt_hdr *exthdr;
        const unsigned char *nh = skb_network_header(skb);
        u8 nexthdr = nh[IP6CB(skb)->nhoff];
        int oif = 0;
 
+       printk(KERN_ERR "PAX _decode_session6: transport_header: %x, network_header: %x\n", skb->transport_header, skb->network_header);
+       offset = skb_network_header_len(skb);
+
        if (skb_dst(skb))
                oif = skb_dst(skb)->dev->ifindex;



Could you also send me the results of the following command (net/ipv6/xfrm6_policy.*) as well as your kernel .config?

Code: Select all

rm -f net/ipv6/xfrm6_policy.o ; make net/ipv6/xfrm6_policy.o EXTRA_CFLAGS="-fdump-tree-all -fdump-ipa-all"


Thanks, Emese

[cscmeu]

Hi Emese,

Could you also send me the results of the following command (net/ipv6/xfrm6_policy.*) as well as your kernel .config?

• Kernel config https://csquad.org/wp-content/xfrm6_policy.config
• net/ipv6/xfrm6_policy.* https://csquad.org/wp-content/xfrm6_policy.tar.bz2

Thanks !

[ephox]

Hi,
Could you please send me the dmesg (the printk logs there from the patch) too when the overflow message is triggered?
Thanks, Emese