PAX: size overflow detected in function rs_get_adjacent_rat

PostPosted: Wed Oct 21, 2015 12:48 am
by andyj
kernel 4.2.3
grsecurity-3.1-4.2.3-201510202025

[ 356.184628] iwlwifi 0000:04:00.0: Invalid HT rate index 2825
[ 356.184630] PAX: size overflow detected in function rs_get_adjacent_rate drivers/net/wireless/iwlwifi/mvm/rs.c:904 cicus.271_125 min, count: 16, decl: rs_get_adjacent_rate; num: 0; context: fndecl;
[ 356.184633] CPU: 1 PID: 225 Comm: irq/32-iwlwifi Tainted: G W 4.2.3-grsec #2
[ 356.184634] Hardware name: ASUSTeK COMPUTER INC. G551JM/G551JM, BIOS G551JM.204 10/13/2014
[ 356.184635] 0000000000000001 868bedae7786324f 0000000000000000 ffffffff94c3c22a
[ 356.184638] 00000000ffff8700 ffffffff9487a5e9 ffff88041b89f308 ffffc90000abbba8
[ 356.184640] ffff88041b89f308 ffff88041b89f308 0000000000000003 ffffffff9487a913
[ 356.184642] Call Trace:
[ 356.184649] [<ffffffff94c3c22a>] ? dump_stack+0x40/0x56
[ 356.184653] [<ffffffff9487a5e9>] ? rs_get_adjacent_rate+0xe0/0xf0
[ 356.184656] [<ffffffff9487a913>] ? rs_get_lower_rate_in_column+0x34/0x50
[ 356.184658] [<ffffffff9487af0e>] ? rs_fill_lq_cmd+0x130/0x35d
[ 356.184660] [<ffffffff9487c324>] ? iwl_mvm_rs_tx_status+0x9a7/0x1360
[ 356.184663] [<ffffffff94beae84>] ? ieee80211_tx_status+0x8de/0xa7a
[ 356.184665] [<ffffffff94873f58>] ? iwl_mvm_rx_ba_notif+0x3ba/0x422
[ 356.184667] [<ffffffff948739ba>] ? iwl_mvm_rx_tx_cmd+0x303/0x4e7
[ 356.184670] [<ffffffff9484d8b1>] ? iwl_pcie_irq_handler+0x93c/0xae7
[ 356.184673] [<ffffffff9413c221>] ? irq_finalize_oneshot+0xe1/0xe1
[ 356.184675] [<ffffffff9413c244>] ? irq_thread_fn+0x23/0x43
[ 356.184676] [<ffffffff9413c221>] ? irq_finalize_oneshot+0xe1/0xe1
[ 356.184677] [<ffffffff9413c551>] ? irq_thread+0x13c/0x169
[ 356.184679] [<ffffffff9413c37f>] ? wake_threads_waitq+0x39/0x39
[ 356.184680] [<ffffffff9413c415>] ? irq_thread_dtor+0x96/0x96
[ 356.184682] [<ffffffff9411c5e6>] ? kthread+0xe1/0xe9
[ 356.184684] [<ffffffff9411c505>] ? __kthread_parkme+0x68/0x68
[ 356.184686] [<ffffffff94c4707e>] ? ret_from_fork+0x3e/0x70
[ 356.184687] [<ffffffff9411c505>] ? __kthread_parkme+0x68/0x68
[ 356.287895] iwlwifi 0000:04:00.0: Invalid HT rate index 2825
[ 356.287898] iwlwifi 0000:04:00.0: Invalid HT rate index 2825
[ 356.287899] iwlwifi 0000:04:00.0: Invalid HT rate index 2568
[ 356.287900] iwlwifi 0000:04:00.0: Invalid HT rate index 2568
[ 356.307100] iwlwifi 0000:04:00.0: Invalid HT rate index 2568

Is this something I should report upstream to kernel developers?

This popped up when I moved from 4.1.7 to 4.2.3; everything still seems to be working correctly, just the extra messages in dmesg on my laptop.

Thanks for all the awesome work on grsecurity/PAX.

More than happy to debug however I can be helpful. I took a look at the code pointed to in the message but I am unable to identify the overflow myself. I suspect the 2 for loops with bitwise shifts in that function but don't feel brave enough to tinker with it atm. :D

Re: PAX: size overflow detected in function rs_get_adjacent_

PostPosted: Fri Oct 23, 2015 1:07 pm
by ephox
Thanks for the report, it will be fixed in the next grsec patch.

Re: PAX: size overflow detected in function rs_get_adjacent_

PostPosted: Fri Oct 23, 2015 4:46 pm
by jotik
Is the following a duplicate of this or a separate issue?

PAX: size overflow detected in function rs_get_lower_rate_in_column drivers/net/wireless/iwlwifi/mvm/rs.c:976 cicus.364_19 max, count: 17, decl: index; num: 0; context: rs_rate;
CPU: 1 PID: 60 Comm: kworker/u16:1 Not tainted 4.2.3-hardened-r5 #1
Hardware name: LENOVO 20AN006VMS/20AN006VMS, BIOS GLET78WW (2.32 ) 03/03/2015
Workqueue: phy0 ffffffffaba46200
 ffffffffabfcfc6b 32478aba075a3790 0000000000000000 ffffffffabede0b8
 ffffc90000243438 ffffffffaba83730 0000000000000000 ffffffffabf34604
 ffffc90000243468 ffffffffab1a10c3 ffffc90000243578 ffff88040a1f09d0
Call Trace:
 [<ffffffffaba83730>] dump_stack+0x4c/0x79
 [<ffffffffab1a10c3>] report_size_overflow+0x33/0x60
 [<ffffffffab700c98>] rs_get_lower_rate_in_column+0x88/0x90
 [<ffffffffab70110a>] rs_fill_rates_for_column+0x1aa/0x3c0
 [<ffffffffab70140d>] rs_fill_lq_cmd+0xed/0x3c0
 [<ffffffffab6f5999>] ? iwl_mvm_send_cmd_pdu_status+0x59/0x80
 [<ffffffffab701c1b>] iwl_mvm_rs_rate_init+0x4eb/0x820
 [<ffffffffab6ebddb>] iwl_mvm_mac_sta_state+0x2eb/0x3c0
 [<ffffffffaba374bb>] sta_info_move_state+0x13b/0x440
 [<ffffffffaba87abc>] ieee80211_assoc_success+0x5aa/0xb5e
 [<ffffffffab0fb6cc>] ? vprintk_emit+0x27c/0x730
 [<ffffffffab6cfb42>] ? iwl_trans_pcie_tx+0x462/0x660
 [<ffffffffab380bc0>] ? swiotlb_free_coherent+0x90/0x90
 [<ffffffffaba62482>] ? ieee802_11_parse_elems_crc+0x62/0x580
 [<ffffffffab0fbd53>] ? vprintk_default+0x23/0x30
 [<ffffffffaba6ec3a>] ieee80211_rx_mgmt_assoc_resp+0x1ba/0x3a0
 [<ffffffffaba6fa12>] ieee80211_sta_rx_queued_mgmt+0x1a2/0x680
 [<ffffffffaba6a5a4>] ? run_again+0x34/0x40
 [<ffffffffaba70150>] ? ieee80211_sta_work+0x210/0x17c0
 [<ffffffffab0f3480>] ? __wake_up_common+0x50/0x90
 [<ffffffffab371084>] ? __list_del_entry+0x14/0x30
 [<ffffffffab0eb7f2>] ? dequeue_task_fair+0x352/0x450
 [<ffffffffaba46520>] ieee80211_iface_work+0x320/0x3c0
 [<ffffffffab0d645f>] process_one_work+0x12f/0x330
 [<ffffffffab0d66ac>] worker_thread+0x4c/0x460
 [<ffffffffab0d6660>] ? process_one_work+0x330/0x330
 [<ffffffffab0dc847>] kthread+0xd7/0xf0
 [<ffffffffab0dc770>] ? __kthread_parkme+0x80/0x80
 [<ffffffffaba8cc4e>] ret_from_fork+0x3e/0x70
 [<ffffffffab0dc770>] ? __kthread_parkme+0x80/0x80

Re: PAX: size overflow detected in function rs_get_adjacent_

PostPosted: Sat Oct 24, 2015 3:14 pm
by ephox
Thanks for the report, it will be fixed in the next grsec patch.