
PAX: size overflow in xfrm4_transport_output

Posted: Fri Dec 04, 2015 1:19 pm
by saironiq
Code:
[427905.464831] PAX: size overflow detected in function xfrm4_transport_output net/ipv4/xfrm4_mode_transport.c:27 cicus.35_50 max, count: 15, decl: mac_header; num: 0; context: sk_buff;
[427905.465007] CPU: 2 PID: 8220 Comm: xl2tpd Not tainted 4.2.6.201511282239-1-grsec #1
[427905.465011] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Q1900DC-ITX, BIOS P1.20 07/08/2014
[427905.465015]  ffffffff85a04847 46f9994cb2fbe0b0 0000000000000000 ffffffffc088c700
[427905.465021]  ffffc90004d43838 ffffffff855d2198 00000000000000a9 ffffffffc088c796
[427905.465027]  ffffc90004d43868 ffffffff851a6e24 0000000000010019 ffff8800ab075000
[427905.465032] Call Trace:
[427905.465044]  [<ffffffffc088c700>] ? xfrm4_transport_exit+0x35e/0x4f0 [xfrm4_mode_transport]
[427905.465051]  [<ffffffff855d2198>] dump_stack+0x4c/0x7f
[427905.465057]  [<ffffffffc088c796>] ? xfrm4_transport_exit+0x3f4/0x4f0 [xfrm4_mode_transport]
[427905.465063]  [<ffffffff851a6e24>] report_size_overflow+0x34/0x40
[427905.465068]  [<ffffffffc088c2dd>] xfrm4_transport_output+0x1ad/0x272 [xfrm4_mode_transport]
[427905.465075]  [<ffffffff8555c073>] xfrm_output_resume+0x173/0x530
[427905.465079]  [<ffffffff8555c523>] xfrm_output+0x43/0xe0
[427905.465084]  [<ffffffff8554fb9c>] xfrm4_output_finish+0x2c/0x40
[427905.465088]  [<ffffffff8554fa22>] __xfrm4_output+0x42/0x70
[427905.465092]  [<ffffffff8554fbf3>] xfrm4_output+0x43/0xc0
[427905.465097]  [<ffffffff8554f9e0>] ? xfrm4_udp_encap_rcv+0x330/0x330
[427905.465102]  [<ffffffff854ebc5c>] ip_local_out_sk+0x3c/0x50
[427905.465107]  [<ffffffff854efeb9>] ip_send_skb+0x19/0x50
[427905.465112]  [<ffffffff85520a8b>] udp_send_skb+0x15b/0x270
[427905.465116]  [<ffffffff85522501>] udp_sendmsg+0x4b1/0x9c0
[427905.465122]  [<ffffffff852e114c>] ? import_iovec+0x4c/0xf0
[427905.465128]  [<ffffffff8552f42a>] inet_sendmsg+0x8a/0xc0
[427905.465133]  [<ffffffff85475f81>] sock_sendmsg+0x51/0x60
[427905.465138]  [<ffffffff85476cb7>] ___sys_sendmsg+0x377/0x420
[427905.465144]  [<ffffffff854782eb>] __sys_sendmsg+0x5b/0xb0
[427905.465149]  [<ffffffff85478367>] SyS_sendmsg+0x27/0x50
[427905.465155]  [<ffffffff855d83b0>] entry_SYSCALL_64_fastpath+0x12/0x8a


On Arch Linux running linux-grsec-4.2.6.201511282239-1, the above happens when running xl2tpd-1.3.6-1:

Code:
Dec 04 18:10:26 wardrobe systemd[1]: Started Level 2 Tunnel Protocol Daemon (L2TP).
Dec 04 18:10:26 wardrobe xl2tpd[8220]: xl2tpd[8220]: setsockopt recvref[30]: Protocol not available
Dec 04 18:10:26 wardrobe xl2tpd[8220]: xl2tpd[8220]: Using l2tp kernel support.
Dec 04 18:10:26 wardrobe xl2tpd[8220]: xl2tpd[8220]: xl2tpd version xl2tpd-1.3.6 started on wardrobe PID:8220
Dec 04 18:10:26 wardrobe xl2tpd[8220]: xl2tpd[8220]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Dec 04 18:10:26 wardrobe xl2tpd[8220]: xl2tpd[8220]: Forked by Scott Balmos and David Stipp, (C) 2001
Dec 04 18:10:26 wardrobe xl2tpd[8220]: xl2tpd[8220]: Inherited by Jeff McAdams, (C) 2002
Dec 04 18:10:26 wardrobe xl2tpd[8220]: xl2tpd[8220]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Dec 04 18:10:26 wardrobe xl2tpd[8220]: xl2tpd[8220]: Listening on IP address 0.0.0.0, port 1701
Dec 04 18:10:28 wardrobe xl2tpd[8220]: xl2tpd[8220]: network_thread: recv packet from XX.XX.XX.XX, size = 69, tunnel = 0, call = 0 ref=0 refhim=0
Dec 04 18:10:28 wardrobe xl2tpd[8220]: xl2tpd[8220]: get_call: allocating new tunnel for host XX.XX.XX.XX, port 40288.
Dec 04 18:10:28 wardrobe xl2tpd[8220]: xl2tpd[8220]: handle_avps: handling avp's for tunnel 6537, call 0
Dec 04 18:10:28 wardrobe xl2tpd[8220]: xl2tpd[8220]: message_type_avp: message type 1 (Start-Control-Connection-Request)
Dec 04 18:10:28 wardrobe xl2tpd[8220]: xl2tpd[8220]: protocol_version_avp: peer is using version 1, revision 0.
Dec 04 18:10:28 wardrobe systemd[1]: xl2tpd.service: Main process exited, code=killed, status=9/KILL

Re: PAX: size overflow in xfrm4_transport_output

Posted: Fri Dec 04, 2015 8:53 pm
by ephox
Could you please apply this patch and send me the result from dmesg?
Code:
--- net/ipv4/xfrm4_mode_transport.c.orig        2015-12-04 22:00:52.950714809 +0100
+++ net/ipv4/xfrm4_mode_transport.c     2015-12-05 01:52:59.282093913 +0100
@@ -23,7 +23,9 @@
        struct iphdr *iph = ip_hdr(skb);
        int ihl = iph->ihl * 4;
 
+       printk(KERN_ERR "PAX data: %p head: %p offset %x\n", skb->data,  skb->head, -x->props.header_len);
        skb_set_network_header(skb, -x->props.header_len);
+       printk(KERN_ERR "PAX network_header: %hx\n", skb->network_header);
        skb->mac_header = skb->network_header +
                          offsetof(struct iphdr, protocol);
        skb->transport_header = skb->network_header + ihl;
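Review bot: the second printk sits between skb_set_network_header() and the mac_header assignment, so it changes the expression gcc optimises across those two statements; the value it prints may therefore not correspond to the computation that triggered the report, and logging skb->network_header once after the transport_header line would leave the original statement sequence intact. The formats themselves are consistent with the types (network_header is a u16 printed with %hx; -x->props.header_len is an int after promotion, printed with %x, which is why 0xffffffe8 is expected for a 24-byte header), but the raw skb->data/skb->head addresses printed with %p go to dmesg unhashed, so this should remain a throwaway debugging patch and not be carried into a package.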

Re: PAX: size overflow in xfrm4_transport_output

Posted: Sat Dec 05, 2015 7:12 pm
by saironiq
Not sure if I built the kernel properly as it's not killing xl2tpd anymore... reverting to the prebuilt linux-grsec pkg from community repo still crashes it. But anyway, here's dmesg:

Code:
[  263.183958] PAX data: ffff8800b5111450 head: ffff8800b5111428 offset ffffffe8
[  263.184061] PAX network_header: 10
[  263.198814] PAX data: ffff880139dbaee0 head: ffff880139dbaeb8 offset ffffffe8
[  263.198910] PAX network_header: 10
[  263.212977] PAX data: ffff8800379de2b0 head: ffff8800379de288 offset ffffffe8
[  263.213065] PAX network_header: 10
[  263.213153] PAX data: ffff8800379dc848 head: ffff8800379dc820 offset ffffffe8
[  263.213239] PAX network_header: 10
[  263.228037] PAX data: ffff88013a139270 head: ffff88013a139248 offset ffffffe8
[  263.228114] PAX network_header: 10
[  263.266893] PAX data: ffff8800379dc438 head: ffff8800379dc410 offset ffffffe8
[  263.266973] PAX network_header: 10
[  263.283852] PAX data: ffff88013a13aee0 head: ffff88013a13aeb8 offset ffffffe8
[  263.283929] PAX network_header: 10
[  263.284067] PAX data: ffff88013a13acd8 head: ffff88013a13acb0 offset ffffffe8
[  263.284135] PAX network_header: 10
[  264.287375] PAX data: ffff88013a13a6c0 head: ffff88013a13a698 offset ffffffe8
[  264.287501] PAX network_header: 10
[  265.290620] PAX data: ffff88013a13a4b8 head: ffff88013a13a490 offset ffffffe8
[  265.290747] PAX network_header: 10
[  266.293917] PAX data: ffff88013a138438 head: ffff88013a138410 offset ffffffe8
[  266.294043] PAX network_header: 10
[  267.297201] PAX data: ffff88013a138c58 head: ffff88013a138c30 offset ffffffe8
[  267.297328] PAX network_header: 10


For the record, this is what I changed in PKGBUILD:

Code:
sairon@wardrobe ~/c/l/r/community-x86_64> git diff
diff --git a/linux-grsec/repos/community-x86_64/PKGBUILD b/linux-grsec/repos/community-x86_64/PKGBUILD
index e94add1..edb54b2 100644
--- a/linux-grsec/repos/community-x86_64/PKGBUILD
+++ b/linux-grsec/repos/community-x86_64/PKGBUILD
@@ -31,7 +31,8 @@ source=("https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz"
         'change-default-console-loglevel.patch'
         'btrfs-overflow.patch'
         '0001-e1000e-Fix-tight-loop-implementation-of-systime-read.patch'
-        '0001-netfilter-conntrack-use-nf_ct_tmpl_free-in-CT-synpro.patch')
+        '0001-netfilter-conntrack-use-nf_ct_tmpl_free-in-CT-synpro.patch'
+        '0001-xfrm4-mode-transport-debug.patch')
 
 sha256sums=('cf20e044f17588d2a42c8f2a450b0fd84dfdbd579b489d93e9ab7d0e8b45dbeb'
             'SKIP'
@@ -45,7 +46,8 @@ sha256sums=('cf20e044f17588d2a42c8f2a450b0fd84dfdbd579b489d93e9ab7d0e8b45dbeb'
             '1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99'
             '82efb1d533b579e8ea6103456e76ace1f749c9f055b0eaf95b980dc9ae544e5f'
             '0b1e41ba59ae45f5929963aa22fdc53bc8ffb4534e976cec046269d1a462197b'
-            '6ed9e31ae5614c289c4884620e45698e764c03670ebc45bab9319d741238cbd3')
+            '6ed9e31ae5614c289c4884620e45698e764c03670ebc45bab9319d741238cbd3'
+            '9fa6ebe8e59d1c63c204bfafc422a234f2e4b9928b709a2d96ac28c98062e3b7')
 validpgpkeys=(
               'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
               '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
@@ -70,6 +72,8 @@ prepare() {
 
   patch -p1 -i "$srcdir/btrfs-overflow.patch"
 
+  patch -p1 -i "$srcdir/0001-xfrm4-mode-transport-debug.patch"
+
   # Add grsecurity patches
   patch -Np1 -i "$srcdir/$_grsec_patch"
   rm localversion-grsec
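Review bot: the debug patch is applied before the grsecurity patch (`patch -Np1 -i "$srcdir/$_grsec_patch"`), so the grsecurity hunks, not the debug hunks, are the ones that have to apply on top of the other file's changes; if the grsecurity patch touches net/ipv4/xfrm4_mode_transport.c at all, an offset or reject there would be the first thing to check given the doubt expressed above about whether the rebuilt kernel really carries the change, and moving the line after the grsecurity patch avoids the question. Also, the new line drops the `-N` that the grsecurity line uses; `patch -Np1 -i ...` would make an already-applied patch fail instead of being offered in reverse.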

Re: PAX: size overflow in xfrm4_transport_output

Posted: Sat Dec 05, 2015 7:41 pm
by PaX Team
can you remove the second printk (network_header) and try it again? this is a tricky situation where that printk between two interesting statements can apparently affect how gcc transforms some computations and hide the actual issue (it's probably a false positive but we need the numbers to confirm ;)).
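The arithmetic behind the report, as an added C illustration that is not part of the thread or of the kernel: a small model of the sk_buff header offsets (16-bit values measured from skb->head in Linux 4.2), a replay of the three assignments from xfrm4_transport_output(), and a range check standing in for what the size-overflow plugin asserts on the u16 mac_header field. The struct and function names (skb_model, iphdr_model, network_header_from_dmesg, transport_output_headers, replay_thread_values) are this example's own; the data/head/offset values are taken from the debug lines above, and an IPv4 header length of 20 is assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the sk_buff fields used by xfrm4_transport_output()
 * in Linux 4.2: head/data are pointers, the header offsets are __u16 values
 * measured from skb->head. This is an illustration, not the kernel struct. */
struct skb_model {
    unsigned char *head;
    unsigned char *data;
    uint16_t network_header;
    uint16_t mac_header;
    uint16_t transport_header;
};

/* Same field order as the kernel's struct iphdr, so that
 * offsetof(..., protocol) is 9 as in the real header. */
struct iphdr_model {
    uint8_t  version_ihl;
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  protocol;
    uint16_t check;
    uint32_t saddr;
    uint32_t daddr;
};

/* Turns the three values of one "PAX data: ... head: ... offset ..." line
 * into the network_header value that skb_set_network_header() stores:
 * (data - head) + offset, where the offset is the signed int that was
 * printed with %x, and the result is truncated to the 16-bit field. */
static uint16_t network_header_from_dmesg(uint64_t data, uint64_t head,
                                          uint32_t raw_offset)
{
    int32_t offset = (int32_t)raw_offset;            /* 0xffffffe8 -> -24 */
    return (uint16_t)((int64_t)(data - head) + offset);
}

/* Mirrors skb_set_network_header(skb, offset): the offset is relative to
 * skb->data, the stored value is relative to skb->head. */
static void set_network_header(struct skb_model *skb, int offset)
{
    skb->network_header = (uint16_t)((skb->data - skb->head) + offset);
}

/* Stands in for the check the size-overflow plugin inserts around the
 * mac_header assignment: the value computed in a wider type must fit the
 * declared u16 field. A false result is what a "size overflow detected ...
 * decl: mac_header" report corresponds to. */
static bool fits_u16(int64_t value)
{
    return value >= 0 && value <= 0xffff;
}

/* Replays the three header assignments from xfrm4_transport_output() on the
 * model. Returns false if the mac_header computation leaves the u16 range. */
static bool transport_output_headers(struct skb_model *skb, int header_len,
                                     int ihl, uint16_t *net, uint16_t *mac)
{
    set_network_header(skb, -header_len);
    int64_t mac_wide = (int64_t)skb->network_header
                     + (int64_t)offsetof(struct iphdr_model, protocol);
    if (!fits_u16(mac_wide))
        return false;
    skb->mac_header = (uint16_t)mac_wide;
    skb->transport_header = (uint16_t)(skb->network_header + ihl);
    *net = skb->network_header;
    *mac = skb->mac_header;
    return true;
}

/* Rebuilds the skb state behind the first debug line of the thread:
 * data - head = 0x28, offset 0xffffffe8 (header_len 24); ihl 20 is assumed. */
static bool replay_thread_values(uint16_t *net, uint16_t *mac)
{
    static unsigned char buf[64];
    struct skb_model skb = { buf, buf + 0x28, 0, 0, 0 };
    return transport_output_headers(&skb, 24, 20, net, mac);
}

int main(void)
{
    uint16_t net, mac;
    printf("network_header from dmesg line: %#x\n",
           network_header_from_dmesg(0xffff8800b5111450ULL,
                                     0xffff8800b5111428ULL, 0xffffffe8u));
    if (replay_thread_values(&net, &mac))
        printf("network_header=%#x mac_header=%#x (fits u16)\n", net, mac);
    else
        printf("mac_header computation would overflow u16\n");
    return 0;
}
```

Run as is, the model reproduces the 0x10 that the debug printk showed and a mac_header of 0x19, both comfortably inside the u16 range; this is the sense in which the report is a probable false positive, with the plugin tripping on an intermediate form of the expression rather than on the stored values.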

Re: PAX: size overflow in xfrm4_transport_output

Posted: Sat Dec 05, 2015 8:21 pm
by saironiq
You're right!

Code:
[  582.578383] PAX data: ffff8800ab0cac80 head: ffff8800ab0cac58 offset ffffffe8
[  582.584467] PAX: size overflow detected in function xfrm4_transport_output net/ipv4/xfrm4_mode_transport.c:28 cicus.28_55 max, count: 7, decl: mac_header; num: 0; context: sk_buff;
[  582.595277] CPU: 0 PID: 1351 Comm: xl2tpd Not tainted 4.2.6.201511282239-1-grsec #1
[  582.595284] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Q1900DC-ITX, BIOS P1.20 07/08/2014
[  582.595289]  ffffffffbca04847 187b95b995000a42 0000000000000000 ffffffffc085e5f8
[  582.595299]  ffffc90000eab8b8 ffffffffbc5d2198 00000000000000a8 ffffffffc085e79f
[  582.595307]  ffffc90000eab8e8 ffffffffbc1a6e24 ffff88013a0c1c00 0000000000010019
[  582.595314] Call Trace:
[  582.595333]  [<ffffffffc085e5f8>] ? xfrm4_transport_exit+0x22b/0x4fd [xfrm4_mode_transport]
[  582.595343]  [<ffffffffbc5d2198>] dump_stack+0x4c/0x7f
[  582.595351]  [<ffffffffc085e79f>] ? xfrm4_transport_exit+0x3d2/0x4fd [xfrm4_mode_transport]
[  582.595360]  [<ffffffffbc1a6e24>] report_size_overflow+0x34/0x40
[  582.595368]  [<ffffffffc085e1d1>] xfrm4_transport_output+0x1d1/0x2a0 [xfrm4_mode_transport]
[  582.595377]  [<ffffffffbc55c073>] xfrm_output_resume+0x173/0x530
[  582.595384]  [<ffffffffbc55c523>] xfrm_output+0x43/0xe0
[  582.595391]  [<ffffffffbc54fb9c>] xfrm4_output_finish+0x2c/0x40
[  582.595397]  [<ffffffffbc54fa22>] __xfrm4_output+0x42/0x70
[  582.595404]  [<ffffffffbc54fbf3>] xfrm4_output+0x43/0xc0
[  582.595410]  [<ffffffffbc54f9e0>] ? xfrm4_udp_encap_rcv+0x330/0x330
[  582.595418]  [<ffffffffbc4ebc5c>] ip_local_out_sk+0x3c/0x50
[  582.595425]  [<ffffffffbc4efeb9>] ip_send_skb+0x19/0x50
[  582.595432]  [<ffffffffbc520a8b>] udp_send_skb+0x15b/0x270
[  582.595439]  [<ffffffffbc522501>] udp_sendmsg+0x4b1/0x9c0
[  582.595448]  [<ffffffffbc2e114c>] ? import_iovec+0x4c/0xf0
[  582.595455]  [<ffffffffbc52f42a>] inet_sendmsg+0x8a/0xc0
[  582.595463]  [<ffffffffbc475f81>] sock_sendmsg+0x51/0x60
[  582.595470]  [<ffffffffbc476cb7>] ___sys_sendmsg+0x377/0x420
[  582.595479]  [<ffffffffbc4782eb>] __sys_sendmsg+0x5b/0xb0
[  582.595487]  [<ffffffffbc478367>] SyS_sendmsg+0x27/0x50
[  582.595495]  [<ffffffffbc5d83b0>] entry_SYSCALL_64_fastpath+0x12/0x8a

Re: PAX: size overflow in xfrm4_transport_output

Posted: Mon Dec 07, 2015 5:34 pm
by ephox
Thanks for the report, it will be fixed in the next grsec patch.