
PAX: size overflow detected in function get_array_info

Posted: Tue Dec 01, 2015 5:47 pm
by BeiKed9o
here's another size overflow detected

grsec patch grsecurity-3.1-4.2.6-201511282239.patch

Nov 29 15:59:37 noShoh8e kernel: usb 1-2: new high-speed USB device number 8 using xhci_hcd
Nov 29 15:59:37 noShoh8e kernel: usb 1-2: New USB device found, idVendor=152d, idProduct=0567
Nov 29 15:59:37 noShoh8e kernel: usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Nov 29 15:59:37 noShoh8e kernel: usb 1-2: Product: USB to ATA/ATAPI Bridge
Nov 29 15:59:37 noShoh8e kernel: usb 1-2: Manufacturer: JMicron
Nov 29 15:59:37 noShoh8e kernel: usb 1-2: SerialNumber: 0123456789ABCDEF
Nov 29 15:59:37 noShoh8e kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Nov 29 15:59:37 noShoh8e kernel: scsi host6: usb-storage 1-2:1.0
Nov 29 15:59:33 noShoh8e mtp-probe[19732]: checking bus 1, device 8: "/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2"
Nov 29 15:59:33 noShoh8e mtp-probe[19732]: bus: 1, device: 8 was not an MTP device
Nov 29 15:59:33 noShoh8e laptop-mode[19809]: Laptop mode
Nov 29 15:59:33 noShoh8e laptop-mode[19810]: enabled, not active
Nov 29 15:59:33 noShoh8e laptop-mode[19842]: Laptop mode
Nov 29 15:59:33 noShoh8e laptop-mode[19843]: enabled, not active
Nov 29 15:59:38 noShoh8e kernel: scsi 6:0:0:0: Direct-Access     JMicron  Generic DISK00   0103 PQ: 0 ANSI: 6
Nov 29 15:59:38 noShoh8e kernel: sd 6:0:0:0: Attached scsi generic sg3 type 0
Nov 29 15:59:38 noShoh8e kernel: scsi 6:0:0:1: Direct-Access     JMicron  Generic DISK01   0103 PQ: 0 ANSI: 6
Nov 29 15:59:38 noShoh8e kernel: sd 6:0:0:1: Attached scsi generic sg4 type 0
Nov 29 15:59:38 noShoh8e kernel: scsi 6:0:0:2: Direct-Access     JMicron  Generic DISK02   0103 PQ: 0 ANSI: 6
Nov 29 15:59:38 noShoh8e kernel: sd 6:0:0:2: Attached scsi generic sg5 type 0
Nov 29 15:59:38 noShoh8e kernel: sd 6:0:0:0: [sdc] Spinning up disk...
Nov 29 15:59:38 noShoh8e kernel: scsi 6:0:0:3: Direct-Access     JMicron  Generic DISK03   0103 PQ: 0 ANSI: 6
Nov 29 15:59:38 noShoh8e kernel: sd 6:0:0:3: Attached scsi generic sg6 type 0
Nov 29 15:59:38 noShoh8e kernel: sd 6:0:0:1: [sdd] Spinning up disk...
Nov 29 15:59:38 noShoh8e kernel: sd 6:0:0:2: [sde] Spinning up disk...
Nov 29 15:59:38 noShoh8e kernel: sd 6:0:0:3: [sdf] Spinning up disk...
Nov 29 15:59:39 noShoh8e kernel: .
Nov 29 15:59:39 noShoh8e kernel: .
Nov 29 15:59:39 noShoh8e kernel: .
Nov 29 15:59:39 noShoh8e kernel: .
Nov 29 15:59:39 noShoh8e kernel: ready
Nov 29 15:59:39 noShoh8e kernel: ready
Nov 29 15:59:39 noShoh8e kernel: ready
Nov 29 15:59:39 noShoh8e kernel: ready
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:2: [sde] Very big device. Trying to use READ CAPACITY(16).
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:0: [sdc] Very big device. Trying to use READ CAPACITY(16).
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:3: [sdf] Very big device. Trying to use READ CAPACITY(16).
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:1: [sdd] Very big device. Trying to use READ CAPACITY(16).
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:2: [sde] 11721045168 512-byte logical blocks: (6.00 TB/5.45 TiB)
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:2: [sde] 4096-byte physical blocks
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:0: [sdc] 7814037168 512-byte logical blocks: (4.00 TB/3.63 TiB)
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:0: [sdc] 4096-byte physical blocks
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:3: [sdf] 11721045168 512-byte logical blocks: (6.00 TB/5.45 TiB)
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:3: [sdf] 4096-byte physical blocks
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:1: [sdd] 7814037168 512-byte logical blocks: (4.00 TB/3.63 TiB)
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:1: [sdd] 4096-byte physical blocks
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:2: [sde] Write Protect is off
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:2: [sde] Mode Sense: 33 00 00 08
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:0: [sdc] Write Protect is off
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:0: [sdc] Mode Sense: 33 00 00 08
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:3: [sdf] Write Protect is off
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:3: [sdf] Mode Sense: 33 00 00 08
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:1: [sdd] Write Protect is off
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:1: [sdd] Mode Sense: 33 00 00 08
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:2: [sde] No Caching mode page found
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:2: [sde] Assuming drive cache: write through
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:0: [sdc] No Caching mode page found
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:0: [sdc] Assuming drive cache: write through
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:3: [sdf] No Caching mode page found
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:3: [sdf] Assuming drive cache: write through
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:1: [sdd] No Caching mode page found
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:1: [sdd] Assuming drive cache: write through
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:2: [sde] Very big device. Trying to use READ CAPACITY(16).
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:0: [sdc] Very big device. Trying to use READ CAPACITY(16).
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:3: [sdf] Very big device. Trying to use READ CAPACITY(16).
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:1: [sdd] Very big device. Trying to use READ CAPACITY(16).
Nov 29 15:59:39 noShoh8e kernel:  sde: sde1
Nov 29 15:59:39 noShoh8e kernel:  sdc: sdc1
Nov 29 15:59:39 noShoh8e kernel:  sdf: sdf1
Nov 29 15:59:39 noShoh8e kernel:  sdd: sdd1
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:2: [sde] Very big device. Trying to use READ CAPACITY(16).
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:0: [sdc] Very big device. Trying to use READ CAPACITY(16).
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:3: [sdf] Very big device. Trying to use READ CAPACITY(16).
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:1: [sdd] Very big device. Trying to use READ CAPACITY(16).
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:2: [sde] Attached SCSI disk
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:0: [sdc] Attached SCSI disk
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:3: [sdf] Attached SCSI disk
Nov 29 15:59:39 noShoh8e kernel: sd 6:0:0:1: [sdd] Attached SCSI disk
Nov 29 15:59:40 noShoh8e kernel: md: bind<sdc1>
Nov 29 15:59:40 noShoh8e kernel: md: bind<sdd1>
Nov 29 15:59:40 noShoh8e kernel: md/raid1:md0: active with 2 out of 2 mirrors
Nov 29 15:59:40 noShoh8e kernel: created bitmap (30 pages) for device md0
Nov 29 15:59:40 noShoh8e kernel: PAX: size overflow detected in function get_array_info drivers/md/md.c:5726 cicus.1454_133 max, count: 189, decl: size; num: 0; context: mdu_array_info_s;
Nov 29 15:59:40 noShoh8e kernel: CPU: 5 PID: 19901 Comm: mdadm Tainted: G           O    4.2.6-grsec #1
Nov 29 15:59:40 noShoh8e kernel: Hardware name: Dell Inc. Latitude E6440/XXXXXX, BIOS A10 02/02/2015
Nov 29 15:59:40 noShoh8e kernel:  ef65aad4727f13a4 ffffffff81f30cfd 0000000000000000 ffffffff81f30cfd
Nov 29 15:59:40 noShoh8e kernel:  ffffffff81a9d5f5 ffffffff81f30f1d ffffffff81170125 ffffffffffff4111
Nov 29 15:59:40 noShoh8e kernel:  0000000000000002 ffff8801f6a74040 0000000000000002 0000000000000000
Nov 29 15:59:40 noShoh8e kernel: Call Trace:
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff81a9d5f5>] ? dump_stack+0x40/0x50
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff81170125>] ? report_size_overflow+0x35/0x40
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff817ce050>] ? get_array_info+0x2d0/0x330
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff817d6e1e>] ? md_ioctl+0x73e/0x2060
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff8143132c>] ? blkdev_ioctl+0x17c/0x8f0
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff811a2a3a>] ? block_ioctl+0x3a/0x50
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff8117e2d3>] ? do_vfs_ioctl+0x453/0x760
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff8117e654>] ? SyS_ioctl+0x74/0x80
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff81aa62cb>] ? entry_SYSCALL_64_fastpath+0x12/0x73
Nov 29 15:59:40 noShoh8e kernel: md0: bitmap initialized from disk: read 2 pages, set 0 of 59615 bits
Nov 29 15:59:40 noShoh8e kernel: md0: detected capacity change from 0 to 4000650887168
Nov 29 15:59:40 noShoh8e kernel: PAX: size overflow detected in function get_array_info drivers/md/md.c:5726 cicus.1454_133 max, count: 189, decl: size; num: 0; context: mdu_array_info_s;
Nov 29 15:59:40 noShoh8e kernel: CPU: 7 PID: 19905 Comm: mdadm Tainted: G           O    4.2.6-grsec #1
Nov 29 15:59:40 noShoh8e kernel: Hardware name: Dell Inc. Latitude E6440/XXXXXX, BIOS A10 02/02/2015
Nov 29 15:59:40 noShoh8e kernel:  2bf0bcea7e51117e ffffffff81f30cfd 0000000000000000 ffffffff81f30cfd
Nov 29 15:59:40 noShoh8e kernel:  ffffffff81a9d5f5 ffffffff81f30f1d ffffffff81170125 ffffffffffff4111
Nov 29 15:59:40 noShoh8e kernel:  0000000000000002 ffff8801f6a74040 0000000000000002 0000000000000000
Nov 29 15:59:40 noShoh8e kernel: Call Trace:
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff81a9d5f5>] ? dump_stack+0x40/0x50
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff81170125>] ? report_size_overflow+0x35/0x40
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff817ce050>] ? get_array_info+0x2d0/0x330
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff817d6e1e>] ? md_ioctl+0x73e/0x2060
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff8143132c>] ? blkdev_ioctl+0x17c/0x8f0
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff811a2a3a>] ? block_ioctl+0x3a/0x50
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff8117e2d3>] ? do_vfs_ioctl+0x453/0x760
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff8117e654>] ? SyS_ioctl+0x74/0x80
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff81aa62cb>] ? entry_SYSCALL_64_fastpath+0x12/0x73
Nov 29 15:59:40 noShoh8e kernel: systemd-udevd[19874]: Process '/sbin/mdadm --detail --export /dev/md0' terminated by signal KILL.
Nov 29 15:59:40 noShoh8e kernel: PAX: size overflow detected in function get_array_info drivers/md/md.c:5726 cicus.1454_133 max, count: 189, decl: size; num: 0; context: mdu_array_info_s;
Nov 29 15:59:40 noShoh8e kernel: CPU: 4 PID: 19911 Comm: mdadm Tainted: G           O    4.2.6-grsec #1
Nov 29 15:59:40 noShoh8e kernel: Hardware name: Dell Inc. Latitude E6440/XXXXXX, BIOS A10 02/02/2015
Nov 29 15:59:40 noShoh8e kernel:  23b90f3e90e4f8aa ffffffff81f30cfd 0000000000000000 ffffffff81f30cfd
Nov 29 15:59:40 noShoh8e kernel:  ffffffff81a9d5f5 ffffffff81f30f1d ffffffff81170125 ffffffffffff4111
Nov 29 15:59:40 noShoh8e kernel:  0000000000000002 ffff8801f6a74040 0000000000000002 0000000000000000
Nov 29 15:59:40 noShoh8e kernel: Call Trace:
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff81a9d5f5>] ? dump_stack+0x40/0x50
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff81170125>] ? report_size_overflow+0x35/0x40
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff817ce050>] ? get_array_info+0x2d0/0x330
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff817d6e1e>] ? md_ioctl+0x73e/0x2060
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff8143132c>] ? blkdev_ioctl+0x17c/0x8f0
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff811a2a3a>] ? block_ioctl+0x3a/0x50
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff8117e2d3>] ? do_vfs_ioctl+0x453/0x760
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff8117e654>] ? SyS_ioctl+0x74/0x80
Nov 29 15:59:40 noShoh8e kernel:  [<ffffffff81aa62cb>] ? entry_SYSCALL_64_fastpath+0x12/0x73

Re: PAX: size overflow detected in function get_array_info

Posted: Tue Dec 01, 2015 7:25 pm
by PaX Team
it's a real integer overflow that the code is trying to check for but in a wrong way, the following patch should fix it:
--- a/drivers/md/md.c      2015-11-10 01:38:00.170813912 +0100
+++ b/drivers/md/md.c     2015-12-02 00:20:22.042872936 +0100
@@ -5723,9 +5723,10 @@
        info.patch_version = MD_PATCHLEVEL_VERSION;
        info.ctime         = mddev->ctime;
        info.level         = mddev->level;
-       info.size          = mddev->dev_sectors / 2;
-       if (info.size != mddev->dev_sectors / 2) /* overflow */
+       if (2 * (sector_t)INT_MAX < mddev->dev_sectors) /* overflow */
                info.size = -1;
+       else
+               info.size = mddev->dev_sectors / 2;
        info.nr_disks      = nr;
        info.raid_disks    = mddev->raid_disks;
        info.md_minor      = mddev->md_minor;
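Review bot: the new guard `+       if (2 * (sector_t)INT_MAX < mddev->dev_sectors)` is conservative by one sector: a device with exactly 2*INT_MAX+1 sectors has dev_sectors/2 == INT_MAX, which fits in the int `info.size`, yet is reported as -1. That is harmless, but `mddev->dev_sectors / 2 > INT_MAX` would be exact and reads closer to the intent. Moving the assignment under `else` is the substantive part: the removed lines narrowed the 64-bit value into `info.size` before comparing, and that narrowing is the truncation the size-overflow plugin flags in the trace above, so the old after-the-fact comparison never got a chance to run.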

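Both versions of the check side by side as plain user-space C, fed the md0 capacity from the log above (4000650887168 bytes, i.e. 7813771264 sectors). This is an added illustration, not md.c and not PaX Team's patch; it assumes sector_t is a 64-bit count and that mdu_array_info_s.size is a plain int, and it models the pre-patch logic as truncate-then-compare, which is the narrowing the size-overflow plugin reports before the comparison ever runs.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: sector_t is the kernel's 64-bit sector count (u64 here);
 * mdu_array_info_s.size, the field named in the PaX report, is a plain int. */
typedef uint64_t sector_t;

/* Pre-patch logic (illustration, not a copy of md.c): the division result is
 * narrowed into an int first, and only afterwards compared with the 64-bit
 * value. The narrowing is exactly what the size-overflow plugin instruments,
 * so it reports the overflow before this "check" ever runs. */
static int size_old(sector_t dev_sectors, int *truncated)
{
    int size = dev_sectors / 2;              /* 64 -> 32 bit narrowing */
    int bad = (size != dev_sectors / 2);     /* detected only after the fact */
    if (truncated)
        *truncated = bad;
    return bad ? -1 : size;
}

/* Patched logic: decide in 64-bit arithmetic whether dev_sectors / 2 fits an
 * int, and perform the narrowing only when it does. */
static int size_new(sector_t dev_sectors)
{
    if (2 * (sector_t)INT_MAX < dev_sectors) /* overflow: report -1 */
        return -1;
    return dev_sectors / 2;                  /* known to fit, no truncation */
}

/* Sector count from the "detected capacity change" line (bytes / 512). */
static sector_t sectors_from_bytes(uint64_t bytes)
{
    return bytes / 512;
}

int main(void)
{
    sector_t md0 = sectors_from_bytes(4000650887168ULL); /* value from the log */
    int truncated;
    int old = size_old(md0, &truncated);
    printf("md0: %llu sectors, dev_sectors/2 = %llu, INT_MAX = %d\n",
           (unsigned long long)md0, (unsigned long long)(md0 / 2), INT_MAX);
    printf("old check: size=%d (truncation seen after narrowing: %d)\n", old, truncated);
    printf("new check: size=%d\n", size_new(md0));
    /* Boundary: 2*INT_MAX sectors still fits; the patch treats 2*INT_MAX+1
     * (whose half is INT_MAX) as overflow too, which is conservative. */
    printf("2*INT_MAX   -> %d\n", size_new(2 * (sector_t)INT_MAX));
    printf("2*INT_MAX+1 -> %d\n", size_new(2 * (sector_t)INT_MAX + 1));
    return 0;
}
```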
Re: PAX: size overflow detected in function get_array_info

Posted: Sun Dec 06, 2015 7:15 am
by BeiKed9o
fixed in grsecurity-3.1-4.2.6-201512051918.patch, thx