grsecurity forums

[kreutzm]

Hello,
I run a current Debian (testing/Wheezy) system with a custom compiled kernel (stock source + grsecurity patch). When I enabled the option CONFIG_PAX_SIZE_OVERFLOW last year most of the system (as far as I tested) kept working without problem, the notable exception was tvtime, which got killed on startup with the following in the system log:

Mar 25 22:05:21 sneo kernel: Pid: 18699, comm: tvtime Not tainted 3.2.12sneo.01-grsec #1
Mar 25 22:05:21 sneo kernel: Call Trace:
Mar 25 22:05:21 sneo kernel: [<ffffffffa0098ba0>] ? __videobuf_iolock+0xa90/0x1268 [videobuf_dma_sg]
Mar 25 22:05:21 sneo kernel: [<ffffffff810dae49>] ? report_size_overflow+0x29/0x40
Mar 25 22:05:21 sneo kernel: [<ffffffffa009823a>] ? __videobuf_iolock+0x12a/0x1268 [videobuf_dma_sg]
Mar 25 22:05:21 sneo kernel: [<ffffffffa014ff12>] ? buffer_prepare+0x1d2/0x300 [bttv]
Mar 25 22:05:21 sneo kernel: [<ffffffffa015d4a0>] ? init_bttv_i2c_ir+0x1415/0x86f9 [bttv]
Mar 25 22:05:21 sneo kernel: [<ffffffffa007ad8c>] ? videobuf_qbuf+0x2fc/0x4e0 [videobuf_core]
Mar 25 22:05:21 sneo kernel: [<ffffffff8131829e>] ? __video_do_ioctl+0x24de/0x5760
Mar 25 22:05:21 sneo kernel: [<ffffffffa0150d90>] ? bttv_dqbuf+0x50/0x50 [bttv]
Mar 25 22:05:21 sneo kernel: [<ffffffff81315331>] ? video_usercopy+0x121/0xa90
Mar 25 22:05:21 sneo kernel: [<ffffffff81315dc0>] ? v4l_printk_ioctl+0x70/0x70
Mar 25 22:05:21 sneo kernel: [<ffffffff81314547>] ? v4l2_ioctl+0xc7/0x160
Mar 25 22:05:21 sneo kernel: [<ffffffff810e8d0c>] ? do_vfs_ioctl+0xbc/0x8e0
Mar 25 22:05:21 sneo kernel: [<ffffffff810e95c8>] ? sys_ioctl+0x98/0xa0
Mar 25 22:05:21 sneo kernel: [<ffffffff81417fab>] ? system_call_fastpath+0x18/0x1d

To track down the problem, I reported the issue to the Debian maintainer, who asked for more input but did not state which kind of input he required. Eventually he closed the bug, stating that grsecurity on Debian is not a supported combination. Unfortunately he did not react on my suggestion, that this fault might reveal an security issue in tvtime on a "stock" kernel. (For reference, the bug is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665868).

I'm not a programmer per se (though involved in the IT security field) and was unable to understand the kernel help (including the referenced link) for CONFIG_PAX_SIZE_OVERFLOW.

Is this crash revealing a problematic issue within tvtime (i.e. something a user on an ordinary kernel should worry about) or just a minor hassle? (Or is there a longer description for the CONFIG_PAX_SIZE_OVERFLOW overflow option available, I'm perfectly fine reading a FAQ (first)).

Thanks

Helge

[PaX Team]

yours is a very old kernel (and associated overflow plugin) that has since seen several fixes for false positives, so you should first try the latest grsec patch from the 3.2 series and see if you can still reproduce the problem then we can investigate (we'll also need the line reported by the overflow plugin, "PAX: size overflow detected in function....").

[PaX Team]

I'm not a programmer per se (though involved in the IT security field) and was unable to understand the kernel help (including the referenced link) for CONFIG_PAX_SIZE_OVERFLOW.

Is this crash revealing a problematic issue within tvtime (i.e. something a user on an ordinary kernel should worry about) or just a minor hassle? (Or is there a longer description for the CONFIG_PAX_SIZE_OVERFLOW overflow option available, I'm perfectly fine reading a FAQ (first)).

see the blog about it perhaps and if you have more questions, you can always just ask Emese .

[kreutzm]

I recompiled my kernel (reenabling CONFIG_PAX_SIZE_OVERFLOW) using version 3.2.36 and now tvtime works.

Sorry for the false alarm and thanks for the prompt help.