
PAX: size overflow detected in function em_pop_sreg

PostPosted: Tue Jan 05, 2016 1:34 pm
by fx3
Hello,

I've got another crash on my Arch Linux with linux-grsec-4.2.7.201512092320-1-x86_64 when starting VMs with qemu:

Code:
Jan 05 15:20:25 x kernel: PAX: size overflow detected in function em_pop_sreg arch/x86/kvm/emulate.c:1896 cicus.1243_23 max, count: 143, decl: load_segment_descriptor; num: 2; context: fndecl;
Jan 05 15:20:26 x kernel: CPU: 5 PID: 1213 Comm: qemu-system-x86 Not tainted 4.2.7.201512092320-1-grsec #1
Jan 05 15:20:26 x kernel: Hardware name: Intel Corporation S5500HCV/S5500HCV, BIOS S5500.86B.01.00.0059.082320111421 08/23/2011
Jan 05 15:20:26 x kernel:  ffffffff92a04847 65cf2e176be23850 0000000000000000 ffffffffc02f53f2
Jan 05 15:20:26 x kernel:  ffffc90007023a68 ffffffff925d2621 00000000000000a6 ffffffffc02f5441
Jan 05 15:20:26 x kernel:  ffffc90007023a98 ffffffff921a6e34 ffff88064b801570 0000000000000003
Jan 05 15:20:26 x kernel: Call Trace:
Jan 05 15:20:26 x kernel:  [<ffffffff925d2621>] dump_stack+0x4c/0x7f
Jan 05 15:20:26 x kernel:  [<ffffffff921a6e34>] report_size_overflow+0x34/0x40
Jan 05 15:20:26 x kernel:  [<ffffffffc02187b5>] em_pop_sreg+0xd5/0xe0 [kvm]
Jan 05 15:20:26 x kernel:  [<ffffffffc021b91d>] x86_emulate_insn+0x2cd/0x1070 [kvm]
Jan 05 15:20:26 x kernel:  [<ffffffffc021a758>] ? x86_decode_insn+0x3d8/0x1250 [kvm]
Jan 05 15:20:26 x kernel:  [<ffffffffc01ff207>] x86_emulate_instruction+0x1a7/0x750 [kvm]
Jan 05 15:20:26 x kernel:  [<ffffffffc01cf600>] vmx_handle_exit+0x200/0x1370 [kvm_intel]
Jan 05 15:20:26 x kernel:  [<ffffffffc01ff5d2>] ? x86_emulate_instruction+0x572/0x750 [kvm]
Jan 05 15:20:26 x kernel:  [<ffffffffc01c5970>] ? vmx_get_exit_info+0x40/0x40 [kvm_intel]
Jan 05 15:20:26 x kernel:  [<ffffffffc01c5380>] ? vmx_invpcid_supported+0x30/0x30 [kvm_intel]
Jan 05 15:20:26 x kernel:  [<ffffffffc0203c3c>] kvm_arch_vcpu_ioctl_run+0x73c/0x1270 [kvm]
Jan 05 15:20:26 x kernel:  [<ffffffffc01fb7a1>] ? kvm_arch_vcpu_load+0x61/0x210 [kvm]
Jan 05 15:20:26 x kernel:  [<ffffffffc01ecbed>] kvm_vcpu_ioctl+0x52d/0xe10 [kvm]
Jan 05 15:20:26 x kernel:  [<ffffffff921b5f62>] do_vfs_ioctl+0x5c2/0x8a0
Jan 05 15:20:26 x kernel:  [<ffffffff921c2749>] ? __fget+0x79/0xa0
Jan 05 15:20:26 x kernel:  [<ffffffff921b62bd>] SyS_ioctl+0x7d/0x90
Jan 05 15:20:26 x kernel:  [<ffffffff925d8830>] entry_SYSCALL_64_fastpath+0x12/0x8a

Re: PAX: size overflow detected in function em_pop_sreg

PostPosted: Tue Jan 05, 2016 2:42 pm
by PaX Team
This looks like an upstream bug where an unsigned long variable is used when a u16 would do and which leaves the variable partially uninitialized that then fails the range check on the downcast. Can you try the following patch:
Code:
--- a/arch/x86/kvm/emulate.c       2015-12-10 05:03:06.264795946 +0100
+++ b/arch/x86/kvm/emulate.c      2016-01-05 19:37:35.543173264 +0100
@@ -1881,7 +1881,7 @@
 static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
 {
        int seg = ctxt->src2.val;
-       unsigned long selector;
+       u16 selector;
        int rc;

        rc = emulate_pop(ctxt, &selector, 2);
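Review bot: the declaration change is the whole fix, but the reason it works is in the trailing context line: emulate_pop(ctxt, &selector, 2) only knows a destination pointer and a byte count, so it writes two bytes and leaves the remaining six bytes of an unsigned long holding whatever the stack already contained; the later narrowing to u16 (argument 2 of load_segment_descriptor, per the "decl: load_segment_descriptor; num: 2" in the log above) then fails the size_overflow range check whenever that residue is non-zero, which also explains why the report is intermittent. With u16 selector the two-byte write covers the entire object. Since the rest of em_pop_sreg lies outside the hunk, confirm that every other use of selector in the function is fine with the narrower type (an existing (u16) cast becomes redundant but harmless) and that nothing relied on the wider variable.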
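To make the mechanism described in the reply above concrete, here is an added example; it is not code from this thread or from KVM. toy_pop() stands in for the emulate_pop() calling pattern (a void pointer plus a byte count), fits_u16() stands in for the range check the size_overflow plugin instruments at a u16 downcast, and the "stale" argument models the uninitialized stack contents a real variable would start with. All four function names, sample_stack and the stale value are constructed for illustration. It assumes a little-endian host with a 64-bit unsigned long, as on x86-64 Linux.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: two little-endian guest-stack bytes encoding selector 0x0023. */
static const uint8_t sample_stack[2] = { 0x23, 0x00 };

/* Hypothetical stand-in for the emulate_pop() pattern: the callee only sees a
 * destination pointer and a byte count, so it writes exactly len bytes and
 * leaves the rest of the caller's object untouched. */
static void toy_pop(const uint8_t *guest_stack, void *dest, size_t len)
{
    memcpy(dest, guest_stack, len);
}

/* Hypothetical stand-in for the check instrumented at a (u16) downcast:
 * the value must already fit the narrower type. */
static bool fits_u16(unsigned long v)
{
    return v <= 0xFFFFUL;
}

/* Buggy shape: a wide variable receives a 2-byte pop. 'stale' models the
 * uninitialized stack contents the variable would otherwise start with. */
unsigned long pop_sreg_wide(const uint8_t *guest_stack, unsigned long stale)
{
    unsigned long selector = stale;
    toy_pop(guest_stack, &selector, 2); /* only bytes 0..1 are written */
    return selector;                    /* bytes 2..7 still hold 'stale' */
}

/* Fixed shape, as in the patch above: with u16 the 2-byte pop covers the
 * entire object, so nothing survives from before the call. */
uint16_t pop_sreg_u16(const uint8_t *guest_stack, unsigned long stale)
{
    uint16_t selector = (uint16_t)stale;
    toy_pop(guest_stack, &selector, 2);
    return selector;
}

/* True when the downcast check would fire for the wide variant. */
bool wide_variant_trips_check(unsigned long stale)
{
    return !fits_u16(pop_sreg_wide(sample_stack, stale));
}

/* True when the downcast check would fire for the u16 variant (it never does). */
bool u16_variant_trips_check(unsigned long stale)
{
    return !fits_u16((unsigned long)pop_sreg_u16(sample_stack, stale));
}

int main(void)
{
    unsigned long stale = 0xDEADBEEFCAFE0000UL; /* constructed stack residue */

    printf("wide : 0x%016lx -> %s\n", pop_sreg_wide(sample_stack, stale),
           wide_variant_trips_check(stale) ? "size overflow detected" : "ok");
    printf("u16  : 0x%04x -> %s\n", pop_sreg_u16(sample_stack, stale),
           u16_variant_trips_check(stale) ? "size overflow detected" : "ok");
    return 0;
}
```

Running the wide variant with a stale value of zero passes the check, which is why the original code only trips the plugin some of the time: the outcome depends on what the previous stack frame left behind, not on the guest's selector value.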

Re: PAX: size overflow detected in function em_pop_sreg

PostPosted: Thu Jan 21, 2016 11:05 am
by fx3
Thanks! Tested with the 4.3.3-201601192226 patch and it works fine now.