grsecurity forums

[nail]

System: Archlinux 64-bit.
DE: XFCE4.12
DM: LightDM
Kernel log at boot with linux-grsec 4.2.3.201510171833:
http://pastebin.com/YtEVKi2M

After that me downgraded to previous version 4.2.3.201510130858. That's working. Kernel log:
http://pastebin.com/46weFK8p

Threads about similar bugs with freezes:
https://bbs.archlinux.org/viewtopic.php?id=203973
http://www.wilderssecurity.com/threads/ ... ng.380789/

[ephox]

it is same as this bug: https://bugs.archlinux.org/task/46794

[nail]

LightDM is OFF.
http://i.imgur.com/wFUPHum.jpg

[nail]

Another shot with size overflow...
http://i.imgur.com/FpG4ybS.jpg

[ephox]

Hi,
Could you please apply this patch and send me the result from dmesg?

Code: Select all

--- net/core/skbuff.c.orig      2015-10-20 00:32:27.592091107 +0200
+++ net/core/skbuff.c   2015-10-20 00:34:03.536086830 +0200
@@ -970,6 +970,7 @@
                skb->csum_start += off;
        /* {transport,network,mac}_header and tail are relative to skb->head */
        skb->transport_header += off;
+       printk(KERN_ERR "PAX overflow skb->network_header: %hx off: %x\n", skb->network_header, off);
        skb->network_header   += off;
        if (skb_mac_header_was_set(skb))
                skb->mac_header += off;


[nail]

Code: Select all

can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- net/core/skbuff.c.orig      2015-10-20 00:32:27.592091107 +0200
|+++ net/core/skbuff.c   2015-10-20 00:34:03.536086830 +0200
--------------------------
File to patch:



[spender]

What patch command did you use? You should use -p0 for this one if done inside the root of the kernel source tree.

-Brad

[nail]

Do I have to patch the original kernel from kernel.org or is this additional patch to kernel with grsecurity?

Tried to patch additionally after grsecurity main patch:

Code: Select all

patching file net/core/skbuff.c
patch: **** malformed patch at line 8: skb->network_header, off);

==> ERROR: A failure occurred in prepare().
    Aborting..


[nail]

Second try to apply:

Code: Select all

patching file net/core/skbuff.c
Hunk #1 FAILED at 970.
1 out of 1 hunk FAILED -- saving rejects to file net/core/skbuff.c.rej

==> ERROR: A failure occurred in prepare().
    Aborting..


[nail]

Hi,
Could you please apply this patch and send me the result from dmesg?

Code: Select all

--- net/core/skbuff.c.orig      2015-10-20 00:32:27.592091107 +0200
+++ net/core/skbuff.c   2015-10-20 00:34:03.536086830 +0200
@@ -970,6 +970,7 @@
                skb->csum_start += off;
        /* {transport,network,mac}_header and tail are relative to skb->head */
        skb->transport_header += off;
+       printk(KERN_ERR "PAX overflow skb->network_header: %hx off: %x\n", skb->network_header, off);
        skb->network_header   += off;
        if (skb_mac_header_was_set(skb))
                skb->mac_header += off;


i had compare "net/core/skbuff.c" file near 970-980 lines with your patch. Me edited your patch. Instead of spaces before each line there are tabs now. And new kernel compilation started succesfully...
Later i will send it...

[nail]

Hi,
Could you please apply this patch and send me the result from dmesg?

Code: Select all

--- net/core/skbuff.c.orig      2015-10-20 00:32:27.592091107 +0200
+++ net/core/skbuff.c   2015-10-20 00:34:03.536086830 +0200
@@ -970,6 +970,7 @@
                skb->csum_start += off;
        /* {transport,network,mac}_header and tail are relative to skb->head */
        skb->transport_header += off;
+       printk(KERN_ERR "PAX overflow skb->network_header: %hx off: %x\n", skb->network_header, off);
        skb->network_header   += off;
        if (skb_mac_header_was_set(skb))
                skb->mac_header += off;


2 shots :
http://i.imgur.com/R6HqBYY.jpg
http://i.imgur.com/dsJBiq9.jpg
Will be it helpfull?

[ephox]

It looks like a real bug, could you please report it to the kernel (netdev) mailing list (send them the printed values and the backtrace)?

[nail]

It looks like a real bug, could you please report it to the kernel (netdev) mailing list (send them the printed values and the backtrace)?

Ok. Thanks. I will send it them...
But there are no freezes when kernel loaded without last grsecurity patches and kernel loaded with grsecurity patch including until 4.2.3.201510130858 versions?

[PaX Team]

But there are no freezes when kernel loaded without last grsecurity patches and kernel loaded with grsecurity patch including until 4.2.3.201510130858 versions?

that's when spender re-enabled the size overflow plugin for 4.2 that grew some new features since 4.1 such as tracking and instrumenting global variables and structure fields. we did expect this new coverage to find new issues (both true and false positives) but not this amount, so we're trying our best to handle the fallout, please don't be discouraged and keep reporting them .

[strcat]

Did this get reported upstream? It doesn't seem like it has been addressed yet.