# rmmod cifs
# modprobe cifs CIFSMaxBufSize=130048
# mount -t cifs //10.0.0.2/G$ /media/cifs -o username=Administrator,rsize=32768,wsize=32768
Password:
# file /media/cifs/Thumbs.db
/media/cifs/Thumbs.db: CDF V2 Document, No summary info
# umount /media/cifs
# mount -t cifs //10.0.0.2/G$ /media/cifs -o username=Administrator,rsize=32768,wsize=32768,directio
Password:
# file /media/cifs/Thumbs.db
Killed
# dmesg | tail -15
[ 4366.494392] PAX: From 10.0.0.17: kernel memory leak attempt detected from ec34803f (cifs_request) (16384 bytes)
[ 4366.494407] Pid: 4292, comm: file Not tainted 3.0.3-grsec #1
[ 4366.494414] Call Trace:
[ 4366.494429] [<c1568b97>] ? printk+0x30/0x39
[ 4366.494441] [<c113d761>] pax_report_usercopy+0x91/0xf0
[ 4366.494452] [<c1128072>] check_object_size+0xb2/0xe0
[ 4366.494463] [<c147ab68>] memcpy_toiovecend+0x98/0x110
[ 4366.494488] [<fa9f2d5c>] cifs_user_readv+0x17c/0x300 [cifs]
[ 4366.494508] [<faa02a00>] ? cifs_file_strict_ops+0x80/0x80 [cifs]
[ 4366.494518] [<c1136234>] do_sync_read+0xa4/0xe0
[ 4366.494529] [<c113660c>] ? rw_verify_area+0x6c/0x130
[ 4366.494538] [<c156ec57>] ? do_page_fault+0x237/0x4c0
[ 4366.494548] [<c1136b6f>] vfs_read+0xbf/0x1c0
[ 4366.494558] [<c156b62d>] ? _raw_spin_lock+0xd/0x10
[ 4366.494567] [<c1136190>] ? do_sync_write+0xe0/0xe0
[ 4366.494576] [<c1136cb2>] sys_read+0x42/0x70
[ 4366.494585] [<c1572530>] sysenter_do_call+0x12/0x28
# echo test > /media/cifs/test
# cat /media/cifs/test
Killed
# rm /media/cifs/test
# dmesg | tail -15
[ 4809.959744] PAX: From 10.0.0.17: kernel memory leak attempt detected from ec1416ff (cifs_small_rq) (5 bytes)
[ 4809.959764] Pid: 4355, comm: cat Not tainted 3.0.3-grsec #1
[ 4809.959772] Call Trace:
[ 4809.959791] [<c1568b97>] ? printk+0x30/0x39
[ 4809.959806] [<c113d761>] pax_report_usercopy+0x91/0xf0
[ 4809.959821] [<c1128072>] check_object_size+0xb2/0xe0
[ 4809.959835] [<c147ab68>] memcpy_toiovecend+0x98/0x110
[ 4809.959867] [<fa9f2d5c>] cifs_user_readv+0x17c/0x300 [cifs]
[ 4809.959894] [<faa02a00>] ? cifs_file_strict_ops+0x80/0x80 [cifs]
[ 4809.959908] [<c1136234>] do_sync_read+0xa4/0xe0
[ 4809.959922] [<c113660c>] ? rw_verify_area+0x6c/0x130
[ 4809.959935] [<c1136b6f>] vfs_read+0xbf/0x1c0
[ 4809.959947] [<c1136190>] ? do_sync_write+0xe0/0xe0
[ 4809.959959] [<c1136cb2>] sys_read+0x42/0x70
[ 4809.959973] [<c1572530>] sysenter_do_call+0x12/0x28
Tested on 2.6.39.4 and 3.0.3; both have the same issue.