PAX size overflow false positive in usbdev_read?


Post by quasar366 » Mon Dec 02, 2013 3:28 pm

Hello there,

I have the same problems reported by @jorgus and other strange kernel hung tasks.
I'm using Ubuntu 12.04 / 64 bit - gcc 4.6.3 and had the same problem described in this post: viewtopic.php?f=3&t=3878
but I solved it by removing some related kernel modules. If you are interested in the kernel config, I can send it to you.

Code:
INFO: task khubd:30 blocked for
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables
khubd D 0000000000000000 0 30
ffff88028c947d00 0000000000000046 ffff88028c947c10 ffffffff00000000
ffff88028cf64410 ffff88028cf64860 ffff88028cf64860 ffff88028cf64860
ffff88028cead330 ffff88028cf64410 ffff88028c947c50 ffff88029dc8f240
Call Trace:   
[<ffffffff81040c14>] ? finish_task_switch+0x44/0xf0 
[<ffffffff81618b5f>] ? __schedule+0x2ff/0x8f0 
[<ffffffff8161943a>] schedule+0x3a/0x50   
[<ffffffff8161a207>] __mutex_lock_slowpath+0xc7/0x140   
[<ffffffff812d3022>] ? __list_add+0x22/0x50 
[<ffffffff81619fc5>] mutex_lock+0x25/0x40   
[<ffffffff8144150e>] hub_thread+0x10e/0x1370   
[<ffffffff810728b0>] ? remove_wait_queue+0x50/0x50 
[<ffffffff81441400>] ? usb_remote_wakeup+0x40/0x40 
[<ffffffff810720c7>] kthread+0x87/0x90   
[<ffffffff81623804>] kernel_thread_helper+0x4/0x10   
[<ffffffff81072040>] ? kthread_worker_fn+0x180/0x180 
[<ffffffff81623800>] ? gs_change+0x13/0x13 
INFO: task colord:2761 blocked for
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables
colord D 0000000000000000 0 2761
ffff880287bd9b28 0000000000000082 ffff880287bd9b08 ffffffff810d8b48
ffff8802898ccba0 ffff8802898ccff0 ffff8802898ccff0 ffff8802898ccff0
ffff880287dc8790 ffff8802898ccba0 ffffffff00000072 0000000000000000
Call Trace:   
[<ffffffff810d8b48>] ? get_page_from_freelist+0x2f8/0x7c0 
[<ffffffff8161943a>] schedule+0x3a/0x50   
[<ffffffff8161a207>] __mutex_lock_slowpath+0xc7/0x140   
[<ffffffff8144de50>] ? driver_resume+0x10/0x10 
[<ffffffff81619fc5>] mutex_lock+0x25/0x40   
[<ffffffff8144e406>] usbdev_open+0xf6/0x240   
[<ffffffff811300aa>] chrdev_open+0xea/0x1b0   
[<ffffffff8112ffc0>] ? cdev_put+0x30/0x30 
[<ffffffff8112970e>] __dentry_open+0x26e/0x340   
[<ffffffff811394a1>] ? generic_permission+0x131/0x290 
[<ffffffff8112aa11>] nameidata_to_filp+0x71/0x80   
[<ffffffff8113c1f7>] do_last+0x397/0xb50   
[<ffffffff8113dbae>] path_openat+0xce/0x420   
[<ffffffff812bc4b9>] ? gr_log_resource+0x29/0x100 
[<ffffffff81141368>] ? filldir+0x178/0x210 
[<ffffffff812af9cc>] ? gr_learn_resource+0x3c/0x1d0 
[<ffffffff8113e00d>] do_filp_open+0x3d/0xa0   
[<ffffffff8114bca9>] ? alloc_fd+0x169/0x1d0 
[<ffffffff8112ab21>] do_sys_open+0x101/0x1e0   
[<ffffffff8112ac1b>] sys_open+0x1b/0x20   
[<ffffffff8162194d>] system_call_fastpath+0x18/0x1d   
INFO: task libvirtd:3395 blocked for
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables
libvirtd D 0000000000000000 0 3395
ffff880287a29d68 0000000000000086 000280d000000000 ffffea000a2c93c0
ffff88028aa896b0 ffff88028aa89b00 ffff88028aa89b00 ffff88028aa89b00

and most USB devices do not work, except the mouse and keyboard

Code:
PAX: size overflow detected in
Pid: 2660, comm: colord Tainted:
Call Trace:   
[<ffffffff81131034>] report_size_overflow+0x24/0x30   
[<ffffffff81453785>] usbdev_read+0x1085/0x10b0   
[<ffffffff8112bc07>] vfs_read+0xd7/0x220   
[<ffffffff8112bd95>] sys_read+0x45/0x90   
[<ffffffff8162194d>] system_call_fastpath+0x18/0x1d   
activated service 'org.freedesktop.ColorManager'


On an Ubuntu 10.04 / i386 system with gcc 4.4.3 it's running well.

thank you for the project grsecurity!
best regards
quasar366
 
Posts: 36
Joined: Mon Dec 02, 2013 2:26 pm

Re: PAX size overflow false positive in usbdev_read?

Post by ephox » Wed Dec 04, 2013 11:24 am

Hi,
Which grsec patch version did you use? Could you send me the whole dmesg and your kernel .config?
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm

Re: PAX size overflow false positive in usbdev_read?

Post by quasar366 » Fri Dec 06, 2013 12:37 pm

I used the latest patch, grsecurity-3.0-3.2.53-201312021727.patch. I want to update the thread. My described running system (gcc 4.4.3) is a server system, without a graphical interface. The gcc 4.6.3 system is a desktop system and I have it running now by disabling the physical protection on "new USB connections after toggle" in the kernel config (which was disabled anyway in the sysctl.conf).

http://pastebin.com/bubuLDk0 dmesg (I have only the syslog but with all kernel messages)
I have only the new kernel config, but the only difference is the disabled "new USB connections after toggle"
http://pastebin.com/fEb2KEe2
quasar366
 
Posts: 36
Joined: Mon Dec 02, 2013 2:26 pm

Re: PAX size overflow false positive in usbdev_read?

Post by PaX Team » Fri Dec 06, 2013 4:32 pm

the config you posted doesn't have the SIZE_OVERFLOW plugin enabled either, so i guess you disabled more than just that USB protection feature, so no wonder it no longer triggers ;). in any case, can you do a 'make drivers/usb/core/devio.o EXTRA_CFLAGS=-fdump-tree-all' and post the resulting drivers/usb/core/devio.* files?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: PAX size overflow false positive in usbdev_read?

Post by quasar366 » Fri Dec 06, 2013 7:11 pm

PaX Team wrote: so i guess you disabled more than just that USB protection feature, so no wonder it no longer triggers ;)

Oops, now that you mention it, I remember there were some more options.

I prepared the original kernel config file I used: http://pastebin.com/nDC6wi3Q

and here is the output of 'make drivers/usb/core/devio.o EXTRA_CFLAGS=-fdump-tree-all':
Code:
-rw-rw-r-- 1 root root   53K Nov 28 15:02 drivers/usb/core/devio.c
-rw-r--r-- 1 root root  8,5M Dez  6 23:53 drivers/usb/core/devio.c.001t.tu
-rw-r--r-- 1 root root  769K Dez  6 23:53 drivers/usb/core/devio.c.003t.original
-rw-r--r-- 1 root root  241K Dez  6 23:53 drivers/usb/core/devio.c.004t.gimple
-rw-r--r-- 1 root root  294K Dez  6 23:53 drivers/usb/core/devio.c.006t.vcg
-rw-r--r-- 1 root root  248K Dez  6 23:53 drivers/usb/core/devio.c.009t.omplower
-rw-r--r-- 1 root root  238K Dez  6 23:53 drivers/usb/core/devio.c.010t.lower
-rw-r--r-- 1 root root  238K Dez  6 23:53 drivers/usb/core/devio.c.012t.eh
-rw-r--r-- 1 root root  186K Dez  6 23:53 drivers/usb/core/devio.c.013t.cfg
-rw-r--r-- 1 root root  223K Dez  6 23:53 drivers/usb/core/devio.c.017t.ssa
-rw-r--r-- 1 root root  203K Dez  6 23:53 drivers/usb/core/devio.c.018t.veclower
-rw-r--r-- 1 root root   26K Dez  6 23:53 drivers/usb/core/devio.c.019t.inline_param1
-rw-r--r-- 1 root root  540K Dez  6 23:53 drivers/usb/core/devio.c.020t.einline
-rw-r--r-- 1 root root  6,5K Dez  6 23:53 drivers/usb/core/devio.c.021t.early_optimizations
-rw-r--r-- 1 root root  447K Dez  6 23:53 drivers/usb/core/devio.c.022t.copyrename1
-rw-r--r-- 1 root root  424K Dez  6 23:53 drivers/usb/core/devio.c.023t.ccp1
-rw-r--r-- 1 root root  415K Dez  6 23:53 drivers/usb/core/devio.c.024t.forwprop1
-rw-r--r-- 1 root root 1018K Dez  6 23:53 drivers/usb/core/devio.c.025t.ealias
-rw-r--r-- 1 root root  414K Dez  6 23:53 drivers/usb/core/devio.c.026t.esra
-rw-r--r-- 1 root root  399K Dez  6 23:53 drivers/usb/core/devio.c.027t.copyprop1
-rw-r--r-- 1 root root  396K Dez  6 23:53 drivers/usb/core/devio.c.028t.mergephi1
-rw-r--r-- 1 root root  452K Dez  6 23:53 drivers/usb/core/devio.c.029t.cddce1
-rw-r--r-- 1 root root  433K Dez  6 23:53 drivers/usb/core/devio.c.030t.eipa_sra
-rw-r--r-- 1 root root  400K Dez  6 23:53 drivers/usb/core/devio.c.032t.switchconv
-rw-r--r-- 1 root root  229K Dez  6 23:53 drivers/usb/core/devio.c.034t.profile
-rw-r--r-- 1 root root  945K Dez  6 23:53 drivers/usb/core/devio.c.035t.local-pure-const1
-rw-r--r-- 1 root root  402K Dez  6 23:53 drivers/usb/core/devio.c.036t.fnsplit
-rw-r--r-- 1 root root  396K Dez  6 23:53 drivers/usb/core/devio.c.037t.release_ssa
-rw-r--r-- 1 root root   27K Dez  6 23:53 drivers/usb/core/devio.c.038t.inline_param2
-rw-r--r-- 1 root root  305K Dez  6 23:53 drivers/usb/core/devio.c.057t.copyrename2
-rw-r--r-- 1 root root  344K Dez  6 23:53 drivers/usb/core/devio.c.058t.cunrolli
-rw-r--r-- 1 root root  305K Dez  6 23:53 drivers/usb/core/devio.c.059t.ccp2
-rw-r--r-- 1 root root  304K Dez  6 23:53 drivers/usb/core/devio.c.060t.forwprop2
-rw-r--r-- 1 root root  299K Dez  6 23:53 drivers/usb/core/devio.c.061t.cdce
-rw-r--r-- 1 root root  662K Dez  6 23:53 drivers/usb/core/devio.c.062t.alias
-rw-r--r-- 1 root root  1,7K Dez  6 23:53 drivers/usb/core/devio.c.063t.retslot
-rw-r--r-- 1 root root  300K Dez  6 23:53 drivers/usb/core/devio.c.064t.phiprop
-rw-r--r-- 1 root root  297K Dez  6 23:53 drivers/usb/core/devio.c.065t.fre
-rw-r--r-- 1 root root  289K Dez  6 23:53 drivers/usb/core/devio.c.066t.copyprop2
-rw-r--r-- 1 root root  289K Dez  6 23:53 drivers/usb/core/devio.c.067t.mergephi2
-rw-r--r-- 1 root root  489K Dez  6 23:53 drivers/usb/core/devio.c.068t.vrp1
-rw-r--r-- 1 root root  280K Dez  6 23:53 drivers/usb/core/devio.c.069t.dce1
-rw-r--r-- 1 root root  278K Dez  6 23:53 drivers/usb/core/devio.c.070t.cselim
-rw-r--r-- 1 root root  278K Dez  6 23:53 drivers/usb/core/devio.c.071t.ifcombine
-rw-r--r-- 1 root root  278K Dez  6 23:53 drivers/usb/core/devio.c.072t.phiopt1
-rw-r--r-- 1 root root  333K Dez  6 23:53 drivers/usb/core/devio.c.074t.ch
-rw-r--r-- 1 root root  285K Dez  6 23:53 drivers/usb/core/devio.c.076t.cplxlower
-rw-r--r-- 1 root root  285K Dez  6 23:53 drivers/usb/core/devio.c.077t.sra
-rw-r--r-- 1 root root  285K Dez  6 23:53 drivers/usb/core/devio.c.078t.copyrename3
-rw-r--r-- 1 root root  272K Dez  6 23:53 drivers/usb/core/devio.c.079t.dom1
-rw-r--r-- 1 root root  221K Dez  6 23:53 drivers/usb/core/devio.c.080t.phicprop1
-rw-r--r-- 1 root root  220K Dez  6 23:53 drivers/usb/core/devio.c.081t.dse1
-rw-r--r-- 1 root root  246K Dez  6 23:53 drivers/usb/core/devio.c.082t.reassoc1
-rw-r--r-- 1 root root  218K Dez  6 23:53 drivers/usb/core/devio.c.083t.dce2
-rw-r--r-- 1 root root  219K Dez  6 23:53 drivers/usb/core/devio.c.084t.forwprop3
-rw-r--r-- 1 root root  216K Dez  6 23:53 drivers/usb/core/devio.c.085t.phiopt2
-rw-r--r-- 1 root root  217K Dez  6 23:53 drivers/usb/core/devio.c.086t.objsz
-rw-r--r-- 1 root root  212K Dez  6 23:53 drivers/usb/core/devio.c.087t.ccp3
-rw-r--r-- 1 root root  211K Dez  6 23:53 drivers/usb/core/devio.c.088t.copyprop3
-rw-r--r-- 1 root root  211K Dez  6 23:53 drivers/usb/core/devio.c.089t.sincos
-rw-r--r-- 1 root root  1,7K Dez  6 23:53 drivers/usb/core/devio.c.090t.bswap
-rw-r--r-- 1 root root  223K Dez  6 23:53 drivers/usb/core/devio.c.091t.crited
-rw-r--r-- 1 root root  586K Dez  6 23:53 drivers/usb/core/devio.c.092t.pre
-rw-r--r-- 1 root root  281K Dez  6 23:53 drivers/usb/core/devio.c.093t.sink
-rw-r--r-- 1 root root  234K Dez  6 23:53 drivers/usb/core/devio.c.094t.loop
-rw-r--r-- 1 root root  275K Dez  6 23:53 drivers/usb/core/devio.c.095t.loopinit
-rw-r--r-- 1 root root  234K Dez  6 23:53 drivers/usb/core/devio.c.096t.lim1
-rw-r--r-- 1 root root  230K Dez  6 23:53 drivers/usb/core/devio.c.097t.copyprop4
-rw-r--r-- 1 root root  218K Dez  6 23:53 drivers/usb/core/devio.c.098t.dceloop1
-rw-r--r-- 1 root root  218K Dez  6 23:53 drivers/usb/core/devio.c.100t.sccp
-rw-r--r-- 1 root root  218K Dez  6 23:53 drivers/usb/core/devio.c.103t.copyprop5
-rw-r--r-- 1 root root  218K Dez  6 23:53 drivers/usb/core/devio.c.109t.ivcanon
-rw-r--r-- 1 root root  218K Dez  6 23:53 drivers/usb/core/devio.c.115t.cunroll
-rw-r--r-- 1 root root  219K Dez  6 23:53 drivers/usb/core/devio.c.119t.ivopts
-rw-r--r-- 1 root root  219K Dez  6 23:53 drivers/usb/core/devio.c.120t.loopdone
-rw-r--r-- 1 root root  245K Dez  6 23:53 drivers/usb/core/devio.c.122t.reassoc2
-rw-r--r-- 1 root root  338K Dez  6 23:53 drivers/usb/core/devio.c.123t.vrp2
-rw-r--r-- 1 root root  250K Dez  6 23:53 drivers/usb/core/devio.c.124t.dom2
-rw-r--r-- 1 root root  218K Dez  6 23:53 drivers/usb/core/devio.c.125t.phicprop2
-rw-r--r-- 1 root root  251K Dez  6 23:53 drivers/usb/core/devio.c.126t.cddce2
-rw-r--r-- 1 root root  1,7K Dez  6 23:53 drivers/usb/core/devio.c.128t.uninit
-rw-r--r-- 1 root root  220K Dez  6 23:53 drivers/usb/core/devio.c.129t.dse2
-rw-r--r-- 1 root root  220K Dez  6 23:53 drivers/usb/core/devio.c.130t.forwprop4
-rw-r--r-- 1 root root  220K Dez  6 23:53 drivers/usb/core/devio.c.131t.phiopt3
-rw-r--r-- 1 root root  220K Dez  6 23:53 drivers/usb/core/devio.c.132t.fab
-rw-r--r-- 1 root root  220K Dez  6 23:53 drivers/usb/core/devio.c.133t.widening_mul
-rw-r--r-- 1 root root  220K Dez  6 23:53 drivers/usb/core/devio.c.135t.copyrename4
-rw-r--r-- 1 root root  220K Dez  6 23:53 drivers/usb/core/devio.c.136t.uncprop
-rw-r--r-- 1 root root  187K Dez  6 23:53 drivers/usb/core/devio.c.137t.local-pure-const2
-rw-r--r-- 1 root root  220K Dez  6 23:53 drivers/usb/core/devio.c.141t.nrv
-rw-r--r-- 1 root root  221K Dez  6 23:53 drivers/usb/core/devio.c.143t.optimized
-rw-r--r-- 1 root root   53K Dez  6 23:53 drivers/usb/core/devio.c.224t.statistics
-rw-r--r-- 1 root root  1,9K Dez  6 23:53 drivers/usb/core/devio.c.226t.latent_entropy
-rw-r--r-- 1 root root   51K Dez  6 23:53 drivers/usb/core/devio.o


thanks for your support!
quasar366
 
Posts: 36
Joined: Mon Dec 02, 2013 2:26 pm

Re: PAX size overflow false positive in usbdev_read?

Post by PaX Team » Fri Dec 06, 2013 8:16 pm

thanks but we'll need the actual files ;).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: PAX size overflow false positive in usbdev_read?

Post by ephox » Sat Dec 07, 2013 2:27 pm

Thanks for the report. This bug will be fixed in the next pax version.
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm