PAX: size overflow detected in function zlib_decompress_setu

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

PAX: size overflow detected in function zlib_decompress_setu

Postby audiocricket » Thu Nov 26, 2015 6:53 am

Hello there,

using latest patch - grsecurity-3.1-4.2.6-201511232037.patch

I got two size overflows and were not able to boot. After manually commenting out do_group_exit(SIGKILL) in fs/exec.c related to SIZE_OVERFLOW, I am at least able to boot and give out full details:

1st one:

Code: Select all
[    0.248790] PAX: size overflow detected in function zlib_decompress_setup crypto/zlib.c:226 cicus.89_58 max, count: 43, decl: decomp_windowBits; num: 0; context: zlib_ctx;
[    0.249132] CPU: 0 PID: 72 Comm: cryptomgr_test Not tainted 4.2.6 #5
[    0.249133] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[    0.249138]  ffff88002df46e38 00000000fffffff5 ffff88002df46e38 00000000fffffff5
[    0.249140]  ffffffff81283f62 0000000000000000 ffffffff81618028 ffff88002df46e38
[    0.249142]  8000000000000000 ffffffff8183b1c0 ffffffff81254573 0000000000000000
[    0.249143] Call Trace:
[    0.249155]  [<ffffffff81283f62>] ? zlib_decompress_setup+0x122/0x130
[    0.249162]  [<ffffffff81254573>] ? test_pcomp+0x343/0x630
[    0.249164]  [<ffffffff81254b12>] ? alg_test_pcomp+0x52/0xa0
[    0.249166]  [<ffffffff81258b79>] ? alg_test+0xc9/0x290
[    0.249171]  [<ffffffff8152ae73>] ? __schedule+0x363/0x98d
[    0.249172]  [<ffffffff81254170>] ? cryptomgr_probe+0xf0/0xf0
[    0.249174]  [<ffffffff812541a9>] ? cryptomgr_test+0x39/0x40
[    0.249182]  [<ffffffff8106b09b>] ? kthread+0xcb/0xf0
[    0.249183]  [<ffffffff8106afd0>] ? __kthread_parkme+0x70/0x70
[    0.249186]  [<ffffffff8152e3ce>] ? ret_from_fork+0x3e/0x70
[    0.249187]  [<ffffffff8106afd0>] ? __kthread_parkme+0x70/0x70


2nd one:

Code: Select all
[    0.249214] PAX: size overflow detected in function zlib_decompress_setup crypto/zlib.c:226 cicus.89_58 max, count: 43, decl: decomp_windowBits; num: 0; context: zlib_ctx;
[    0.249540] CPU: 0 PID: 72 Comm: cryptomgr_test Not tainted 4.2.6 #5
[    0.249541] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[    0.249542]  ffff88002df46e38 00000000fffffff5 ffff88002df46e38 00000000fffffff5
[    0.249543]  ffffffff81283f62 0000000000000000 ffffffff81618028 ffff88002df46e38
[    0.249545]  8000000000000000 ffffffff8183b5d8 ffffffff81254573 0000000000000000
[    0.249546] Call Trace:
[    0.249549]  [<ffffffff81283f62>] ? zlib_decompress_setup+0x122/0x130
[    0.249553]  [<ffffffff81254573>] ? test_pcomp+0x343/0x630
[    0.249556]  [<ffffffff81254b12>] ? alg_test_pcomp+0x52/0xa0
[    0.249557]  [<ffffffff81258b79>] ? alg_test+0xc9/0x290
[    0.249559]  [<ffffffff8152ae73>] ? __schedule+0x363/0x98d
[    0.249562]  [<ffffffff81254170>] ? cryptomgr_probe+0xf0/0xf0
[    0.249564]  [<ffffffff812541a9>] ? cryptomgr_test+0x39/0x40
[    0.249566]  [<ffffffff8106b09b>] ? kthread+0xcb/0xf0
[    0.249568]  [<ffffffff8106afd0>] ? __kthread_parkme+0x70/0x70
[    0.249571]  [<ffffffff8152e3ce>] ? ret_from_fork+0x3e/0x70
[    0.249573]  [<ffffffff8106afd0>] ? __kthread_parkme+0x70/0x70


Debian Wheezy version:

Code: Select all
root@xxx:~/bin/kernel_autocompile/linux-4.2.6# cat /etc/debian_version
7.9


GCC version:

Code: Select all
root@xxx:~/bin/kernel_autocompile/linux-4.2.6# gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.7/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 4.7.2-5' --with-bugurl=file:///usr/share/doc/gcc-4.7/README.Bugs --enable-languages=c,c++,go,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.7 --enable-shared --enable-linker-build-id --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.7 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --enable-plugin --enable-objc-gc --with-arch-32=i586 --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.7.2 (Debian 4.7.2-5)


It's running as a VM under KVM on Vultr Cloud. I can also attach my .config, if needed.

There were also some compilation messages about some functions not being present in hash table, I will post these later when I try to recompile again.

If you need anything else, just let me know. Thanks in advance for resolving this!

With best regards,
AudioCricket
audiocricket
 
Posts: 7
Joined: Thu Nov 26, 2015 6:43 am

Re: PAX: size overflow detected in function zlib_decompress_

Postby audiocricket » Thu Nov 26, 2015 7:47 am

And the missing hashes:

Code: Select all
root@xxx:~/bin/kernel_autocompile# grep missing build.log
Function wp_page_copy is missing from the size_overflow hash table +wp_page_copy+fndecl+0+16450+
Function reqsize is missing from the size_overflow hash table +reqsize+akcipher_alg+0+22792+
Function dst_len is missing from the size_overflow hash table +dst_len+akcipher_request+0+40899+
Function expectedlen is missing from the size_overflow hash table +expectedlen+drbg_testvec+0+8283+
Function seedsize is missing from the size_overflow hash table +seedsize+rng_alg+0+59748+
audiocricket
 
Posts: 7
Joined: Thu Nov 26, 2015 6:43 am

Re: PAX: size overflow detected in function zlib_decompress_

Postby PaX Team » Thu Nov 26, 2015 9:15 am

thanks for the report, it's the zlib code mixing up signed/unsigned ints. the next patch will have the following fix in case you want to test it now:
Code: Select all
--- a/crypto/zlib.c      2015-11-03 01:52:36.483459928 +0100
+++ b/crypto/zlib.c       2015-11-26 14:08:49.548972473 +0100
@@ -108,15 +108,15 @@

        ret = zlib_deflateInit2(stream,
                                tb[ZLIB_COMP_LEVEL]
-                                       ? nla_get_u32(tb[ZLIB_COMP_LEVEL])
+                                       ? nla_get_s32(tb[ZLIB_COMP_LEVEL])
                                        : Z_DEFAULT_COMPRESSION,
                                tb[ZLIB_COMP_METHOD]
-                                       ? nla_get_u32(tb[ZLIB_COMP_METHOD])
+                                       ? nla_get_s32(tb[ZLIB_COMP_METHOD])
                                        : Z_DEFLATED,
                                window_bits,
                                mem_level,
                                tb[ZLIB_COMP_STRATEGY]
-                                       ? nla_get_u32(tb[ZLIB_COMP_STRATEGY])
+                                       ? nla_get_s32(tb[ZLIB_COMP_STRATEGY])
                                        : Z_DEFAULT_STRATEGY);
        if (ret != Z_OK) {
                vfree(stream->workspace);
@@ -224,7 +224,7 @@
        zlib_decomp_exit(ctx);

        ctx->decomp_windowBits = tb[ZLIB_DECOMP_WINDOWBITS]
-                                ? nla_get_u32(tb[ZLIB_DECOMP_WINDOWBITS])
+                                ? nla_get_s32(tb[ZLIB_DECOMP_WINDOWBITS])
                                 : DEF_WBITS;

        stream->workspace = vzalloc(zlib_inflate_workspacesize());
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: PAX: size overflow detected in function zlib_decompress_

Postby audiocricket » Tue Dec 29, 2015 7:45 am

Sorry for the late reply. I can confirm it's okay in current version (4.3.3) ...
audiocricket
 
Posts: 7
Joined: Thu Nov 26, 2015 6:43 am


Return to grsecurity support