
nfs overflow

PostPosted: Sat Apr 27, 2013 8:39 am
by forsaken
Hi,

With grsecurity-2.9.1-3.8.10-201304262208 I got this when logging onto an already running nfs client after having rebooted the server:

Apr 27 14:33:47 [kernel] PAX: size overflow detected in function nfsd_cache_update fs/nfsd/nfscache.c:267 cicus.155_59 min, count: 26
Apr 27 14:33:47 [kernel] Pid: 2832, comm: nfsd Not tainted 3.8.10-grsec #1
Apr 27 14:33:47 [kernel] Call Trace:
Apr 27 14:33:47 [kernel] [<ffffffff810f91de>] report_size_overflow+0x3a/0x44
Apr 27 14:33:47 [kernel] [<ffffffff811d1311>] nfsd_cache_update+0xac/0x1db
Apr 27 14:33:47 [kernel] [<ffffffff811c86ec>] nfsd_dispatch+0x171/0x188
Apr 27 14:33:47 [kernel] [<ffffffff81722964>] svc_process+0x485/0x73b
Apr 27 14:33:47 [kernel] [<ffffffff811c816b>] nfsd+0xc6/0x116
Apr 27 14:33:47 [kernel] [<ffffffff811c80a5>] ? nfsd_destroy+0x7d/0x7d
- Last output repeated twice -
Apr 27 14:33:47 [kernel] [<ffffffff8106d887>] kthread+0xc1/0xc9
Apr 27 14:33:47 [kernel] [<ffffffff8106d7c6>] ? __kthread_parkme+0x66/0x66
Apr 27 14:33:47 [kernel] [<ffffffff817c1462>] ret_from_fork+0x72/0xa0
Apr 27 14:33:47 [kernel] [<ffffffff8106d7c6>] ? __kthread_parkme+0x66/0x66

Edit: rebooting the client did not help.

Re: nfs overflow

PostPosted: Sat Apr 27, 2013 8:58 am
by PaX Team

Re: nfs overflow

PostPosted: Sat Apr 27, 2013 9:26 am
by forsaken
Thanks, unfortunately Jason's patch does not seem to solve the problem:

Apr 27 15:18:46 [kernel] PAX: size overflow detected in function nfsd_cache_update fs/nfsd/nfscache.c:269 cicus.156_64 min, count: 26
Apr 27 15:18:46 [kernel] Pid: 2826, comm: nfsd Not tainted 3.8.10-grsec #2
Apr 27 15:18:46 [kernel] Call Trace:
Apr 27 15:18:46 [kernel] [<ffffffff810f91de>] report_size_overflow+0x3a/0x44
Apr 27 15:18:46 [kernel] [<ffffffff811d131b>] nfsd_cache_update+0xb6/0x1f3
Apr 27 15:18:46 [kernel] [<ffffffff811c86ec>] nfsd_dispatch+0x171/0x188
Apr 27 15:18:46 [kernel] [<ffffffff81722964>] svc_process+0x485/0x73b
Apr 27 15:18:46 [kernel] [<ffffffff811c816b>] nfsd+0xc6/0x116
Apr 27 15:18:46 [kernel] [<ffffffff811c80a5>] ? nfsd_destroy+0x7d/0x7d
- Last output repeated twice -
Apr 27 15:18:46 [kernel] [<ffffffff8106d887>] kthread+0xc1/0xc9
Apr 27 15:18:46 [kernel] [<ffffffff8106d7c6>] ? __kthread_parkme+0x66/0x66
Apr 27 15:18:46 [kernel] [<ffffffff817c1462>] ret_from_fork+0x72/0xa0
Apr 27 15:18:46 [kernel] [<ffffffff8106d7c6>] ? __kthread_parkme+0x66/0x66

Re: nfs overflow

PostPosted: Sat Apr 27, 2013 10:06 am
by forsaken
I added a printk before the overflow:

printk(KERN_ERR "resv: %zu, statp: %p, iov_base: %p\n", resv->iov_len, statp, resv->iov_base); /* %zu for size_t, %p for pointers: %d/%X truncate 64-bit values */
Apr 27 16:00:55 [kernel] resv: 148, statp: E7F401C, iov_base: E7F4000

Don't see why that would overflow.

Re: nfs overflow

PostPosted: Sun Apr 28, 2013 2:37 am
by PaX Team
Thanks for the info, that's a new/different issue. I believe it's the usual false positive due to gcc's canonicalization of the expression, which introduces an intentional overflow that the overflow plugin will have to recognize and not trigger on.
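To make the mechanism concrete, here is an added illustration; it is not code from this thread, from the kernel or from the plugin. It assumes the subtraction at the reported nfscache.c line has the shape iov_len - (statp - iov_base) (my recollection of the 3.8 source, so treat the exact form as an assumption) and uses the three values from forsaken's printk as constructed input. It evaluates that expression once in source order and once in a reassociated order of the kind a compiler may canonicalize to, checking every intermediate step for leaving the range of its unsigned type with the gcc/clang __builtin_*_overflow helpers (assumed available on the compiler you build with).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the three values the printk in this thread reported
 * (the two addresses were truncated to 32 bits by the %X specifier there;
 * that does not matter for the arithmetic below). */
struct reply_vec {
    size_t    iov_len;   /* resv->iov_len */
    uintptr_t iov_base;  /* resv->iov_base as an integer */
    uintptr_t statp;     /* statp as an integer */
};

const struct reply_vec thread_sample = { 148, 0xE7F4000u, 0xE7F401Cu };

/* The computed length plus a flag saying whether any intermediate value
 * left the range of its (unsigned) type.  A checker that instruments every
 * step of the expression trips on exactly that flag. */
struct checked_len {
    long len;
    bool intermediate_wrapped;
};

/* Evaluation in the order the expression is written (assumed shape of the
 * kernel line: iov_len - (statp - iov_base)).  The inner difference is the
 * number of bytes already consumed, so for a sane reply buffer the outer
 * subtraction never goes below zero. */
struct checked_len len_as_written(struct reply_vec v)
{
    struct checked_len r = { 0, false };
    size_t consumed = (size_t)(v.statp - v.iov_base);
    size_t out;
    if (__builtin_sub_overflow(v.iov_len, consumed, &out))
        r.intermediate_wrapped = true;
    r.len = (long)out;
    return r;
}

/* Mathematically identical reassociation, (iov_len - statp) + iov_base, the
 * kind of canonical form a compiler may settle on.  The final value is the
 * same, but the first step subtracts a large address from a small length
 * and wraps below zero, and the second step wraps back. */
struct checked_len len_reassociated(struct reply_vec v)
{
    struct checked_len r = { 0, false };
    size_t tmp, out;
    if (__builtin_sub_overflow(v.iov_len, (size_t)v.statp, &tmp))
        r.intermediate_wrapped = true;
    if (__builtin_add_overflow(tmp, (size_t)v.iov_base, &out))
        r.intermediate_wrapped = true;
    r.len = (long)out;
    return r;
}

int main(void)
{
    struct checked_len a = len_as_written(thread_sample);
    struct checked_len b = len_reassociated(thread_sample);
    printf("as written:   len=%ld wrapped=%d\n", a.len, a.intermediate_wrapped);
    printf("reassociated: len=%ld wrapped=%d\n", b.len, b.intermediate_wrapped);
    return 0;
}
```

Both orderings yield 120 bytes of reply data, matching what forsaken computed by hand, and only the reassociated form has a wrapping intermediate. That is the situation PaX Team describes: the source is fine, the instrumented intermediate is not, and the right place for the fix is the plugin's recognition of such compiler-introduced wraps rather than the nfsd code.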

Re: nfs overflow

PostPosted: Mon Apr 29, 2013 5:10 pm
by gaima
PaX Team wrote: Thanks for the info, that's a new/different issue. I believe it's the usual false positive due to gcc's canonicalization of the expression, which introduces an intentional overflow that the overflow plugin will have to recognize and not trigger on.

Hi

I've got a very similar problem with 3.2.43.

[685687.851952] PAX: size overflow detected in function nfsd_cache_update fs/nfsd/nfscache.c:267 cicus.32_58 min, count: 8
[685687.851958] Pid: 8887, comm: nfsd Not tainted 3.2.43-hardened-r1 #1
[685687.851961] Call Trace:
[685687.851970]  [<ffffffff810c685f>] ? report_size_overflow+0x22/0x2c
[685687.851982]  [<ffffffffa05a7f57>] ? nfsd_cache_update+0xa8/0x1d1 [nfsd]
[685687.851989]  [<ffffffffa05bfcb8>] ? nfs_cb_stat_to_errno+0x19ed/0xb8a1 [nfsd]
[685687.851996]  [<ffffffffa059f8bc>] ? nfsd_dispatch+0x1d4/0x1ea [nfsd]
[685687.852002]  [<ffffffffa05bfcb8>] ? nfs_cb_stat_to_errno+0x19ed/0xb8a1 [nfsd]
[685687.852019]  [<ffffffffa034e1a9>] ? svc_process+0x4b1/0x7b8 [sunrpc]
[685687.852023]  [<ffffffff8102c8d7>] ? try_to_wake_up+0x21a/0x21a
[685687.852028]  [<ffffffffa059f0e3>] ? nfsd+0xe3/0x127 [nfsd]
[685687.852041]  [<ffffffffa059f000>] ? 0xffffffffa059efff
[685687.852045]  [<ffffffff8104d8c1>] ? kthread+0x82/0x8a
[685687.852049]  [<ffffffff81441eb9>] ? kernel_thread_helper+0x9/0x20
[685687.852052]  [<ffffffff8143f72a>] ? retint_restore_args+0x6/0xd
[685687.852055]  [<ffffffff8104d83f>] ? kthread_worker_fn+0x13f/0x13f
[685687.852058]  [<ffffffff81441eb0>] ? gs_change+0x1b/0x1b

As you can see from the dmesg timestamp, it took nearly 8 days for the problem to occur.

Thanks