kernel BUG at arch/x86/mm/uderef_64.c

PostPosted: Sun Apr 05, 2015 6:05 pm
by gabh
Dear All,

I'm facing the following problem. Whenever I try to play dota2 online, my system crashes.
I hope you can help me to solve this issue. I'm using 3.19.3 with grsecurity-3.1-3.19.3-201504021826 patch.

Thank you!

ápr 05 11:49:01 host kernel: PAX: size overflow detected in function move_addr_to_user net/socket.c:227 cicus.872_183 max, count: 49
ápr 05 11:49:01 host kernel: CPU: 1 PID: 8272 Comm: dota_linux Not tainted 3.19.3-grsec-grsec #1
ápr 05 11:49:01 host kernel: Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z77 Pro3, BIOS P2.10 07/12/2013
ápr 05 11:49:01 host kernel: ffffffff89a10907 de07edeadbb1eaa7 0000000000000000 ffffffff89910efb
ápr 05 11:49:01 host kernel: ffffc90009bbbcf8 ffffffff895ebf2d ffff88022f24dc78 ffffffff899110c7
ápr 05 11:49:01 host kernel: ffffc90009bbbd28 ffffffff891f497b ffff8801ace6ed00 0000000000000010
ápr 05 11:49:01 host kernel: Call Trace:
ápr 05 11:49:01 host kernel: [<ffffffff895ebf2d>] dump_stack+0x4c/0x7f
ápr 05 11:49:01 host kernel: [<ffffffff891f497b>] report_size_overflow+0x3b/0x50
ápr 05 11:49:01 host kernel: [<ffffffff894b7099>] move_addr_to_user+0x1a9/0x2c0
ápr 05 11:49:01 host kernel: [<ffffffff89211562>] ? __fget_light+0x32/0x80
ápr 05 11:49:01 host kernel: [<ffffffff892115cc>] ? __fdget+0x1c/0x30
ápr 05 11:49:01 host kernel: [<ffffffff894b9718>] SyS_getsockname+0xe8/0x100
ápr 05 11:49:01 host kernel: [<ffffffff891cfea0>] ? check_heap_object+0x40/0x120
ápr 05 11:49:01 host kernel: [<ffffffff891f5b11>] ? __check_object_size+0x51/0x230
ápr 05 11:49:01 host kernel: [<ffffffff89506428>] compat_SyS_socketcall+0x318/0x3f0
ápr 05 11:49:01 host kernel: [<ffffffff895f4cc2>] sysenter_dispatch+0x7/0x24
ápr 05 11:49:01 host kernel: ------------[ cut here ]------------
ápr 05 11:49:01 host kernel: kernel BUG at arch/x86/mm/uderef_64.c:18!
ápr 05 11:49:02 host kernel: invalid opcode: 0000 [#1] PREEMPT SMP
ápr 05 11:49:02 host kernel: Modules linked in: xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun bnep bluetooth rfkill nf_conntrack_netbios_ns nf_conntrack_broadcast xt_tcpudp ip
ápr 05 11:49:02 host kernel: iTCO_wdt iTCO_vendor_support snd_hwdep snd_pcm coretemp snd_timer mii mac_hid hwmon intel_rapl serio_raw snd i2c_i801 i2c_core shpchp iosf_mbi psmouse ba
ápr 05 11:49:02 host kernel: CPU: 1 PID: 8272 Comm: dota_linux Not tainted 3.19.3-grsec-grsec #1
ápr 05 11:49:02 host kernel: Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z77 Pro3, BIOS P2.10 07/12/2013
ápr 05 11:49:02 host kernel: task: ffff8801a665eae0 ti: ffff8801a665f198 task.ti: ffff8801a665f198
ápr 05 11:49:02 host kernel: RIP: 0010:[<ffffffff89060d40>] [<ffffffff89060d40>] __pax_open_userland+0x90/0xa0
ápr 05 11:49:02 host kernel: RSP: 0018:ffffc90009bbbbb8 EFLAGS: 00210202
ápr 05 11:49:02 host kernel: RAX: 0000000000000001 RBX: ffff880223d192c0 RCX: 00000000000002b0
ápr 05 11:49:02 host kernel: RDX: 0000000009605001 RSI: ffff880223d192c0 RDI: ffff8801a665eae0
ápr 05 11:49:02 host kernel: RBP: ffffc90009bbbbc8 R08: 0000000000000000 R09: ffff8801d9a2cad0
ápr 05 11:49:02 host kernel: R10: 0000000000000002 R11: ffff8800ae268000 R12: ffff8801a665eae0
ápr 05 11:49:02 host kernel: R13: 00000000f7049770 R14: ffff8801f4d63148 R15: ffff8801a665eae0
ápr 05 11:49:02 host kernel: FS: 0000000000000000(0000) GS:ffff88022f240000(0063) knlGS:00000000f7049700
ápr 05 11:49:02 host kernel: CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
ápr 05 11:49:02 host kernel: CR2: 00000000f2164000 CR3: 0000000009604000 CR4: 00000000000607f0
ápr 05 11:49:02 host kernel: Stack:
ápr 05 11:49:02 host kernel: ffffc90009bbbbe8 00000000000000ff ffffc90009bbbc28 ffffffff890f42df
ápr 05 11:49:02 host kernel: ffff8801a665eae0 0000000000000000 ffffc90009bbbc48 ffffffff89119536
ápr 05 11:49:02 host kernel: 0000000000000000 ffff880223d192c0 ffff8801a665eae0 0000000000000000
ápr 05 11:49:02 host kernel: Call Trace:
ápr 05 11:49:02 host kernel: [<ffffffff890f42df>] compat_exit_robust_list+0x2f/0x170
ápr 05 11:49:02 host kernel: [<ffffffff89119536>] ? taskstats_exit+0xd6/0x3e0
ápr 05 11:49:02 host kernel: [<ffffffff89068b08>] mm_release+0x158/0x170
ápr 05 11:49:02 host kernel: [<ffffffff8906e3bb>] do_exit+0x17b/0xb70
ápr 05 11:49:02 host kernel: [<ffffffff8907a628>] ? signal_wake_up_state+0x28/0x40
ápr 05 11:49:02 host kernel: [<ffffffff8906ee54>] do_group_exit+0x44/0xb0
ápr 05 11:49:02 host kernel: [<ffffffff891f4985>] report_size_overflow+0x45/0x50
ápr 05 11:49:02 host kernel: [<ffffffff894b7099>] move_addr_to_user+0x1a9/0x2c0
ápr 05 11:49:02 host kernel: [<ffffffff89211562>] ? __fget_light+0x32/0x80
ápr 05 11:49:02 host kernel: [<ffffffff892115cc>] ? __fdget+0x1c/0x30
ápr 05 11:49:02 host kernel: [<ffffffff894b9718>] SyS_getsockname+0xe8/0x100
ápr 05 11:49:02 host kernel: [<ffffffff891cfea0>] ? check_heap_object+0x40/0x120
ápr 05 11:49:02 host kernel: [<ffffffff891f5b11>] ? __check_object_size+0x51/0x230
ápr 05 11:49:02 host kernel: [<ffffffff89506428>] compat_SyS_socketcall+0x318/0x3f0
ápr 05 11:49:02 host kernel: [<ffffffff895f4cc2>] sysenter_dispatch+0x7/0x24
ápr 05 11:49:02 host kernel: Code: 00 48 01 d0 48 ba 01 00 00 00 00 00 00 80 48 09 d0 0f 22 d8 65 ff 0d 70 8c fa 76 48 83 c4 08 5a 5d 48 0f ba 2c 24 3f c3 0f 1f 00 <0f> 0b 66 66 66 66
ápr 05 11:49:02 host kernel: RIP [<ffffffff89060d40>] __pax_open_userland+0x90/0xa0
ápr 05 11:49:02 host kernel: RSP <ffffc90009bbbbb8>
ápr 05 11:49:03 host kernel: ---[ end trace ce2e324256a1f90c ]---
ápr 05 11:49:03 host kernel: grsec: banning user with uid 1000 until system restart for suspicious kernel crash
ápr 05 11:49:03 host kernel: Fixing recursive fault but reboot is needed!
ápr 05 11:49:03 host kernel: BUG: scheduling while atomic: dota_linux/8272/0x00000002
ápr 05 11:49:03 host kernel: Modules linked in: xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun bnep bluetooth rfkill nf_conntrack_netbios_ns nf_conntrack_broadcast xt_tcpudp ip
ápr 05 11:49:03 host kernel: iTCO_wdt iTCO_vendor_support snd_hwdep snd_pcm coretemp snd_timer mii mac_hid hwmon intel_rapl serio_raw snd i2c_i801 i2c_core shpchp iosf_mbi psmouse ba
ápr 05 11:49:03 host kernel: CPU: 1 PID: 8272 Comm: dota_linux Tainted: G D 3.19.3-grsec-grsec #1
ápr 05 11:49:03 host kernel: Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z77 Pro3, BIOS P2.10 07/12/2013
ápr 05 11:49:03 host kernel: ffffffff89a10907 de07edeadbb1eaa7 0000000000000000 ffff88022f24f880
ápr 05 11:49:03 host kernel: ffffc90009bbb758 ffffffff895ebf2d 0000000000000007 ffff8801a665eae0
ápr 05 11:49:03 host kernel: ffffc90009bbb778 ffffffff890997cc 0000000000000000 0000000000000001
ápr 05 11:49:03 host kernel: Call Trace:
ápr 05 11:49:03 host kernel: [<ffffffff895ebf2d>] dump_stack+0x4c/0x7f
ápr 05 11:49:03 host kernel: [<ffffffff890997cc>] __schedule_bug+0x5c/0x70
ápr 05 11:49:03 host kernel: [<ffffffff895eda08>] __schedule+0xa98/0xfe0
ápr 05 11:49:03 host kernel: [<ffffffff890b11d0>] ? run_rebalance_domains+0x1a0/0x1a0
ápr 05 11:49:03 host kernel: [<ffffffff890c8623>] ? vprintk_emit+0x273/0x520
ápr 05 11:49:03 host kernel: [<ffffffff890c8b18>] ? vprintk_default+0x28/0x40
ápr 05 11:49:03 host kernel: [<ffffffff895e9f35>] ? printk+0x69/0x8a
ápr 05 11:49:03 host kernel: [<ffffffff895edf79>] schedule+0x29/0x70
ápr 05 11:49:03 host kernel: [<ffffffff8906ec02>] do_exit+0x9c2/0xb70
ápr 05 11:49:03 host kernel: [<ffffffff8906ee54>] do_group_exit+0x44/0xb0
ápr 05 11:49:03 host kernel: [<ffffffff89007d41>] oops_end+0x71/0xa0
ápr 05 11:49:03 host kernel: [<ffffffff8900804b>] die+0x4b/0x80
ápr 05 11:49:03 host kernel: [<ffffffff89003790>] do_trap+0x160/0x170
ápr 05 11:49:03 host kernel: [<ffffffff890039a3>] do_error_trap+0xa3/0x140
ápr 05 11:49:03 host kernel: [<ffffffff89060d40>] ? __pax_open_userland+0x90/0xa0
ápr 05 11:49:03 host kernel: [<ffffffff890043ff>] do_invalid_op+0x2f/0x40
ápr 05 11:49:03 host kernel: [<ffffffff895f4188>] invalid_op+0x18/0x20
ápr 05 11:49:03 host kernel: [<ffffffff89060d40>] ? __pax_open_userland+0x90/0xa0
ápr 05 11:49:03 host kernel: [<ffffffff890f42df>] compat_exit_robust_list+0x2f/0x170
ápr 05 11:49:03 host kernel: [<ffffffff89119536>] ? taskstats_exit+0xd6/0x3e0
ápr 05 11:49:03 host kernel: [<ffffffff89068b08>] mm_release+0x158/0x170
ápr 05 11:49:03 host kernel: [<ffffffff8906e3bb>] do_exit+0x17b/0xb70
ápr 05 11:49:03 host kernel: [<ffffffff8907a628>] ? signal_wake_up_state+0x28/0x40
ápr 05 11:49:03 host kernel: [<ffffffff8906ee54>] do_group_exit+0x44/0xb0
ápr 05 11:49:03 host kernel: [<ffffffff891f4985>] report_size_overflow+0x45/0x50
ápr 05 11:49:03 host kernel: [<ffffffff894b7099>] move_addr_to_user+0x1a9/0x2c0
ápr 05 11:49:03 host kernel: [<ffffffff89211562>] ? __fget_light+0x32/0x80
ápr 05 11:49:03 host kernel: [<ffffffff892115cc>] ? __fdget+0x1c/0x30
ápr 05 11:49:03 host kernel: [<ffffffff894b9718>] SyS_getsockname+0xe8/0x100
ápr 05 11:49:03 host kernel: [<ffffffff891cfea0>] ? check_heap_object+0x40/0x120
ápr 05 11:49:03 host kernel: [<ffffffff891f5b11>] ? __check_object_size+0x51/0x230
ápr 05 11:49:03 host kernel: [<ffffffff89506428>] compat_SyS_socketcall+0x318/0x3f0
ápr 05 11:49:03 host kernel: [<ffffffff895f4cc2>] sysenter_dispatch+0x7/0x24


Best regards,
Gabor

Re: kernel BUG at arch/x86/mm/uderef_64.c

PostPosted: Mon Apr 06, 2015 3:58 pm
by ephox
Hi,
Could you please send me the results (net/socket.*) of make net/socket.o EXTRA_CFLAGS="-fdump-tree-all -fdump-ipa-all" and your kernel .config?
Which gcc version did you use?

Re: kernel BUG at arch/x86/mm/uderef_64.c

PostPosted: Tue Apr 07, 2015 10:06 am
by PaX Team
this seems to be a generic issue with get_user on x86 as it mixes signed/unsigned variables for no reason. can you try the following patch and let us know if it fixes the problem:
diff -u linux-3.19.3-pax/arch/x86/include/asm/uaccess.h linux-3.19.3-pax/arch/x86/include/asm/uaccess.h
--- linux-3.19.3-pax/arch/x86/include/asm/uaccess.h     2015-02-09 21:15:08.069605856 +0100
+++ linux-3.19.3-pax/arch/x86/include/asm/uaccess.h     2015-04-07 02:19:08.006926598 +0200
@@ -168,11 +168,13 @@
 extern int __get_user_bad(void);

 /*
- * This is a type: either unsigned long, if the argument fits into
- * that type, or otherwise unsigned long long.
+ * This is a type: either (un)signed long, if the argument fits into
+ * that type, or otherwise (un)signed long long.
  */
 #define __inttype(x) \
-__typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
+__typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL),              \
+       __builtin_choose_expr(__type_is_unsigned(__typeof__(x)), 0ULL, 0LL),\
+       __builtin_choose_expr(__type_is_unsigned(__typeof__(x)), 0UL, 0L)))

 /**
  * get_user: - Get a simple variable from user space.
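Review bot: the selection threshold in the new __inttype() is still sizeof(0UL), so on x86_64 every argument narrower than long (int, short, char and their unsigned forms) is still widened into an 8-byte temporary and then narrowed back to the variable's own type; the patch fixes the signedness of that temporary but not its width, which is the other half of what a conversion check sees on the way back. Comparing against sizeof(0U) and using 0U/0 in the small branch (as the follow-up later in this thread does) keeps int-sized and smaller arguments at their own width; the header comment above the macro should then be reworded, since it would no longer be true that the type is always "(un)signed long" or "(un)signed long long".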
diff -u linux-3.19.3-pax/include/linux/compiler.h linux-3.19.3-pax/include/linux/compiler.h
--- linux-3.19.3-pax/include/linux/compiler.h   2015-03-08 00:39:11.589763828 +0100
+++ linux-3.19.3-pax/include/linux/compiler.h   2015-04-07 02:07:58.366890228 +0200
@@ -441,6 +441,8 @@
 # define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b))
 #endif

+#define __type_is_unsigned(t) (__same_type((t)0, 0UL) || __same_type((t)0, 0U) || __same_type((t)0, (unsigned short)0) || __same_type((t)0, (unsigned char)0))
+
 /* Is this type a native word size -- useful for atomic operations */
 #ifndef __native_word
 # define __native_word(t) (sizeof(t) == sizeof(int) || sizeof(t) == sizeof(long))
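Review bot: __type_is_unsigned() enumerates unsigned long, unsigned int, unsigned short and unsigned char but not unsigned long long, so an `unsigned long long` argument fails the test and __inttype() sends it down the signed 0LL/0L branch; add `__same_type((t)0, 0ULL)` to the disjunction. The neighbouring `__native_word` is wrapped in `#ifndef` and carries a one-line comment; the new macro would be easier to maintain with the same treatment.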
diff -u linux-3.19.3-pax/include/linux/syscalls.h linux-3.19.3-pax/include/linux/syscalls.h
--- linux-3.19.3-pax/include/linux/syscalls.h   2015-02-09 21:34:08.813269600 +0100
+++ linux-3.19.3-pax/include/linux/syscalls.h   2015-04-07 02:18:35.834924851 +0200
@@ -99,15 +99,14 @@
 #define __MAP(n,...) __MAP##n(__VA_ARGS__)

 #define __SC_DECL(t, a)        t a
-#define __TYPE_IS_U(t) (__same_type((t)0, 0UL) || __same_type((t)0, 0U) || __same_type((t)0, (unsigned short)0) || __same_type((t)0, (unsigned char)0))
 #define __TYPE_IS_L(t) (__same_type((t)0, 0L))
 #define __TYPE_IS_UL(t)        (__same_type((t)0, 0UL))
 #define __TYPE_IS_LL(t) (__same_type((t)0, 0LL) || __same_type((t)0, 0ULL))
-#define __SC_LONG(t, a)        __typeof(                               \
+#define __SC_LONG(t, a)        __typeof__(                             \
        __builtin_choose_expr(                                  \
                sizeof(t) > sizeof(int),                        \
                (t) 0,                                          \
-               __builtin_choose_expr(__TYPE_IS_U(t), 0UL, 0L)  \
+               __builtin_choose_expr(__type_is_unsigned(t), 0UL, 0L)   \
        )) a
 #define __SC_CAST(t, a)        (t) a
 #define __SC_ARGS(t, a)        a
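Review bot: this hunk removes __TYPE_IS_U() and makes __SC_LONG() depend on __type_is_unsigned() from include/linux/compiler.h, so that header must be reachable from every inclusion of syscalls.h or __SC_LONG() stops expanding; a short comment next to __SC_LONG() pointing at the new home of the helper would help the next reader. The leading whitespace in this hunk also appears to have been converted to spaces in transit (the reporter later needed `patch -l` for this file), so anyone applying the patch from this page should use -l or re-tab the lines first.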

Re: kernel BUG at arch/x86/mm/uderef_64.c

PostPosted: Tue Apr 07, 2015 3:08 pm
by gabh
ephox wrote:
Hi,
Could you please send me the results (net/socket.*) of make net/socket.o EXTRA_CFLAGS="-fdump-tree-all -fdump-ipa-all" and your kernel .config?
Which gcc version did you use?


Dear ephox,

https://drive.google.com/open?id=0B5Aio ... authuser=0
https://drive.google.com/open?id=0B5Aio ... authuser=0

gcc version 4.9.2 20150304 (prerelease) (GCC)

Thanks!

Re: kernel BUG at arch/x86/mm/uderef_64.c

PostPosted: Tue Apr 07, 2015 3:09 pm
by gabh
Dear PaX Team,

Will check.

Re: kernel BUG at arch/x86/mm/uderef_64.c

PostPosted: Tue Apr 07, 2015 5:10 pm
by gabh
Dear PaX Team,

Your patch solved the bug, so now my machine doesn't crash.
But I still have the size overflow problem:

ápr 07 23:07:20 breath kernel: PAX: size overflow detected in function move_addr_to_user net/socket.c:227 cicus.872_183 max, count: 49
ápr 07 23:07:20 breath kernel: CPU: 1 PID: 2071 Comm: dota_linux Not tainted 3.19.3-grsec-grsec #2
ápr 07 23:07:20 breath kernel: Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z77 Pro3, BIOS P2.10 07/12/2013
ápr 07 23:07:20 breath kernel: ffffffffa5a10907 a7a8925c0489f5c0 0000000000000000 ffffffffa5910f1b
ápr 07 23:07:20 breath kernel: ffffc900059bbcd8 ffffffffa55ec3bd ffff88022f24dc78 ffffffffa59110e7
ápr 07 23:07:20 breath kernel: ffffc900059bbd08 ffffffffa51f497b ffff8801e13ed900 0000000000000010
ápr 07 23:07:20 breath kernel: Call Trace:
ápr 07 23:07:20 breath kernel: [<ffffffffa55ec3bd>] dump_stack+0x4c/0x7f
ápr 07 23:07:20 breath kernel: [<ffffffffa51f497b>] report_size_overflow+0x3b/0x50
ápr 07 23:07:20 breath kernel: [<ffffffffa54b7131>] move_addr_to_user+0x1f1/0x310
ápr 07 23:07:20 breath kernel: [<ffffffffa5211562>] ? __fget_light+0x32/0x80
ápr 07 23:07:20 breath kernel: [<ffffffffa52115cc>] ? __fdget+0x1c/0x30
ápr 07 23:07:20 breath kernel: [<ffffffffa54b97b8>] SyS_getsockname+0xe8/0x100
ápr 07 23:07:20 breath kernel: [<ffffffffa51cfea0>] ? check_heap_object+0x40/0x120
ápr 07 23:07:20 breath kernel: [<ffffffffa51f5b11>] ? __check_object_size+0x51/0x230
ápr 07 23:07:20 breath kernel: [<ffffffffa55064f8>] compat_SyS_socketcall+0x318/0x3f0
ápr 07 23:07:20 breath kernel: [<ffffffffa55f5182>] sysenter_dispatch+0x7/0x24
ápr 07 23:07:20 breath kernel: [<ffffffffa55f51b4>] ? sysexit_from_sys_call+0x15/0x51


Thanks!

Re: kernel BUG at arch/x86/mm/uderef_64.c

PostPosted: Tue Apr 07, 2015 5:40 pm
by PaX Team
that's weird, you should not have seen any size overflow detection at all ;). can you upload a new set of socket.c.* files with my patch above applied?

Re: kernel BUG at arch/x86/mm/uderef_64.c

PostPosted: Fri Apr 10, 2015 6:28 pm
by gabh
Hi,

Sorry for the delay, but I haven't had any time :(.
I've uploaded it.
Also, maybe this could be a problem, but I had to apply your patch with option -l because syscall.h rejected patching without it.

patching file arch/x86/include/asm/uaccess.h
patching file include/linux/compiler.h
Hunk #1 succeeded at 449 (offset 8 lines).
patching file include/linux/syscalls.h


Here are the files:

https://drive.google.com/open?id=0B5Aio ... authuser=0

Maybe I've committed something wrong, but I hope you will find it quicker than me :).

Thanks!

Brgds,
Gabor

Re: kernel BUG at arch/x86/mm/uderef_64.c

PostPosted: Fri Apr 10, 2015 7:03 pm
by PaX Team
thanks, i see what's still wrong. can you modify this hunk of the previous patch:
+__typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL),              \
+       __builtin_choose_expr(__type_is_unsigned(__typeof__(x)), 0ULL, 0LL),\
+       __builtin_choose_expr(__type_is_unsigned(__typeof__(x)), 0UL, 0L)))
to look like this instead (you can just edit the source code directly, it's a trivial change to remove three L suffixes):
+__typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0U),              \
+       __builtin_choose_expr(__type_is_unsigned(__typeof__(x)), 0ULL, 0LL),\
+       __builtin_choose_expr(__type_is_unsigned(__typeof__(x)), 0U, 0)))
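Review bot: with the threshold now sizeof(0U), the small branch yields (un)signed int, so the comment in the first hunk ("either (un)signed long, if the argument fits into that type, or otherwise (un)signed long long") no longer describes what __inttype() produces and should be reworded. On x86_64, `long` and pointer-sized arguments now fall into the 0ULL/0LL branch instead of 0UL/0L; both are 8 bytes wide, so that change is width-neutral, but it is worth a sentence in the changelog.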

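The type-selection logic of the first patch and of this revised hunk, modelled in userland so the two can be compared side by side. This is an added example, not the kernel's or PaX Team's code; it assumes an LP64 target (8-byte long, as on the x86_64 kernel in this thread), and the two narrow_overflows_* helpers are a modelling assumption about why the temporary's signedness matters, not a reproduction of the plugin's check.

```c
/* Userland model of the __inttype() selection from the two patches above.
 * Example added for illustration; it is not the kernel's or PaX Team's code.
 * It reuses the GCC builtins the patches use and assumes an LP64 target
 * (8-byte long), as on the x86_64 kernel in this thread. */
#include <limits.h>
#include <stdio.h>

#define __same_type(a, b) __builtin_types_compatible_p(__typeof__(a), __typeof__(b))
/* __type_is_unsigned as added in the compiler.h hunk (note: no 0ULL case). */
#define __type_is_unsigned(t) (__same_type((t)0, 0UL) || __same_type((t)0, 0U) || \
        __same_type((t)0, (unsigned short)0) || __same_type((t)0, (unsigned char)0))
/* First patch: anything up to long wide becomes (un)signed long. */
#define inttype_v1(x) __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), \
        __builtin_choose_expr(__type_is_unsigned(__typeof__(x)), 0ULL, 0LL),   \
        __builtin_choose_expr(__type_is_unsigned(__typeof__(x)), 0UL, 0L)))
/* Second (final) patch: int-sized and smaller stay (un)signed int. */
#define inttype_v2(x) __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0U), \
        __builtin_choose_expr(__type_is_unsigned(__typeof__(x)), 0ULL, 0LL),  \
        __builtin_choose_expr(__type_is_unsigned(__typeof__(x)), 0U, 0)))

/* Encode a chosen type as size_in_bytes * 2 + (1 if unsigned), per variant. */
#define DESCRIBE(T) ((int)sizeof(T) * 2 + ((T)-1 > (T)0))
struct pick { int v1, v2; };
#define PICK(T) ((struct pick){ DESCRIBE(inttype_v1(*(T *)0)), DESCRIBE(inttype_v2(*(T *)0)) })
struct pick pick_int(void)   { return PICK(int); }
struct pick pick_uint(void)  { return PICK(unsigned int); }
struct pick pick_short(void) { return PICK(short); }
struct pick pick_uchar(void) { return PICK(unsigned char); }
struct pick pick_ulong(void) { return PICK(unsigned long); }
struct pick pick_ull(void)   { return PICK(unsigned long long); } /* lands in the signed branch */

/* Why signedness matters (modelling assumption): a negative int zero-extended
 * into an unsigned long temporary no longer fits an int when narrowed back,
 * the kind of conversion the size-overflow plugin reports; a signed temporary
 * round-trips the same bits cleanly. Return 1 when the narrowing overflows. */
int narrow_overflows_unsigned_temp(int v) { unsigned long t = (unsigned int)v; return t > INT_MAX; }
int narrow_overflows_signed_temp(int v)   { long t = v; return t > INT_MAX || t < INT_MIN; }

int main(void)
{
    struct pick p = pick_int();
    printf("int argument: v1 temp is %d-byte %s, v2 temp is %d-byte %s\n", p.v1 / 2,
           p.v1 & 1 ? "unsigned" : "signed", p.v2 / 2, p.v2 & 1 ? "unsigned" : "signed");
    printf("-1 overflows via unsigned temp: %d, via signed temp: %d\n",
           narrow_overflows_unsigned_temp(-1), narrow_overflows_signed_temp(-1));
    return 0;
}
```
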
Re: kernel BUG at arch/x86/mm/uderef_64.c

PostPosted: Sat Apr 11, 2015 1:06 pm
by gabh
Hi PaX Team,

I can confirm that this modification fixed the issue.

Thank you very much!

Best regards,
Gabor