size overflow detected in function __disk_conf_from_attrs
Posted: Sat Jan 23, 2016 12:25 pm
Greetings. I ran into a size overflow with the latest grsecurity-3.1-4.3.3-201601192226.patch and DRBD. It's a bit tricky, __disk_conf_from_attrs is generated by a macro in include/linux/drbd_genl.h. I haven't gotten much farther than that. Here's a stack trace:
2016-01-22 08:03:28.328172500 kern.notice: Jan 22 08:03:28 : <6>[ 79.891295] drbd r1: Starting worker thread (from drbdsetup-84 [1916])
2016-01-22 08:03:28.328173500 kern.notice: Jan 22 08:03:28 : <0>[ 79.891371] PAX: size overflow detected in function __disk_conf_from_attrs /mnt/scratch/linux-4.3.3/include/linux/drbd_genl.h:104 cicus.705_132 max, count: 161, decl: meta_dev_idx; num: 0; context: disk_conf;
2016-01-22 08:03:28.328175500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891954] CPU: 0 PID: 1916 Comm: drbdsetup-84 Not tainted 4.3.3-grsec #6
2016-01-22 08:03:28.328194500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891956] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
2016-01-22 08:03:28.328195500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891958] ffffffff00000002 f59b92516f169996 0000000000000000 ffffffff8bb280a8
2016-01-22 08:03:28.328196500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891961] ffffc9000285b9c0 ffffffff8b47756b ffffffff8bb5aa52 ffffc9000285b9f0
2016-01-22 08:03:28.328199500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891962] ffffffff8b205084 ffff88001cc56aa8 00000000fffffffd ffffc9000285bb70
2016-01-22 08:03:28.328200500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891965] Call Trace:
2016-01-22 08:03:28.328208500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891971] [<ffffffff8b47756b>] dump_stack+0x44/0x69
2016-01-22 08:03:28.328208500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891974] [<ffffffff8b205084>] report_size_overflow+0x34/0x40
2016-01-22 08:03:28.328209500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891977] [<ffffffff8b5910a3>] __disk_conf_from_attrs+0x5d3/0x5e0
2016-01-22 08:03:28.328304500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891982] [<ffffffff8b1eae17>] ? kmem_cache_alloc+0x147/0x170
2016-01-22 08:03:28.328305500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891985] [<ffffffff8b59814b>] drbd_adm_attach+0x2eb/0x1440
2016-01-22 08:03:28.328305500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891988] [<ffffffff8b4676c9>] ? gr_is_capable+0x19/0x30
2016-01-22 08:03:28.328306500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891994] [<ffffffff8b6c642f>] genl_family_rcv_msg+0x23f/0x430
2016-01-22 08:03:28.328306500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891999] [<ffffffff8b6c66a2>] genl_rcv_msg+0x82/0xb0
2016-01-22 08:03:28.328312500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892027] [<ffffffff8b6c6620>] ? genl_family_rcv_msg+0x430/0x430
2016-01-22 08:03:28.328313500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892029] [<ffffffff8b6c5d6c>] netlink_rcv_skb+0xec/0x130
2016-01-22 08:03:28.328314500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892031] [<ffffffff8b6c61d3>] genl_rcv+0x23/0x40
2016-01-22 08:03:28.328323500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892033] [<ffffffff8b6c3e6a>] netlink_unicast+0x19a/0x250
2016-01-22 08:03:28.328324500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892035] [<ffffffff8b6c4761>] netlink_sendmsg+0x391/0x500
2016-01-22 08:03:28.328324500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892038] [<ffffffff8b66b55e>] sock_sendmsg+0x4e/0x60
2016-01-22 08:03:28.328441500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892046] [<ffffffff8b66b5f5>] sock_write_iter+0x85/0x100
2016-01-22 08:03:28.328442500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892054] [<ffffffff8b1fba3c>] __vfs_write+0x10c/0x140
2016-01-22 08:03:28.328442500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892055] [<ffffffff8b1fbca5>] vfs_write+0xf5/0x2a0
2016-01-22 08:03:28.328443500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892056] [<ffffffff8b1fbf79>] SyS_write+0x59/0xd0
2016-01-22 08:03:28.328443500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892059] [<ffffffff8b8329b0>] entry_SYSCALL_64_fastpath+0x12/0x8a
This would then kill the drbd worker process. I tried booting with pax_size_overflow_report_only; I see the same overflow reported and the worker doesn't get killed, but DRBD still fails to function. After disabling CONFIG_PAX_SIZE_OVERFLOW entirely, it functions normally. That seems really odd to me, but I haven't looked into it further yet.
Let me know if there are other details that would be helpful. Thanks!
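The fields on the PaX report line (function, file:line, decl, num, context) together with the fact that the call trace enters from a write() syscall through generic netlink are what a defender would group alerts by or put in a bug report. The helper below is an added example, not code from the post, from grsecurity or from PaX: it strips the syslog prefixes from an excerpt like the one above, parses the report line, the "CPU:/Comm:" line and the call-trace frames into a dict, and checks that the frame directly below report_size_overflow names the same function the report line does. The sample log is the post's own output trimmed to a few frames; the field names, the SYSCALL_PREFIXES/NETLINK_PREFIXES lists and the triage wording are my own assumptions.

```python
"""Triage helper for PaX size-overflow kernel log reports (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the report from the post above, trimmed to a few trace frames
# but with the syslog prefix left in place so the parser has to strip it.
SAMPLE_LOG = """\
2016-01-22 08:03:28.328172500 kern.notice: Jan 22 08:03:28 : <6>[ 79.891295] drbd r1: Starting worker thread (from drbdsetup-84 [1916])
2016-01-22 08:03:28.328173500 kern.notice: Jan 22 08:03:28 : <0>[ 79.891371] PAX: size overflow detected in function __disk_conf_from_attrs /mnt/scratch/linux-4.3.3/include/linux/drbd_genl.h:104 cicus.705_132 max, count: 161, decl: meta_dev_idx; num: 0; context: disk_conf;
2016-01-22 08:03:28.328175500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891954] CPU: 0 PID: 1916 Comm: drbdsetup-84 Not tainted 4.3.3-grsec #6
2016-01-22 08:03:28.328200500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891965] Call Trace:
2016-01-22 08:03:28.328208500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891971] [<ffffffff8b47756b>] dump_stack+0x44/0x69
2016-01-22 08:03:28.328208500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891974] [<ffffffff8b205084>] report_size_overflow+0x34/0x40
2016-01-22 08:03:28.328209500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891977] [<ffffffff8b5910a3>] __disk_conf_from_attrs+0x5d3/0x5e0
2016-01-22 08:03:28.328304500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891982] [<ffffffff8b1eae17>] ? kmem_cache_alloc+0x147/0x170
2016-01-22 08:03:28.328305500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891985] [<ffffffff8b59814b>] drbd_adm_attach+0x2eb/0x1440
2016-01-22 08:03:28.328306500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891994] [<ffffffff8b6c642f>] genl_family_rcv_msg+0x23f/0x430
2016-01-22 08:03:28.328443500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892059] [<ffffffff8b8329b0>] entry_SYSCALL_64_fastpath+0x12/0x8a
"""

# Kernel message body after the printk level and timestamp: "<4>[  79.8] body".
KMSG_RE = re.compile(r"<\d>\[\s*\d+\.\d+\]\s(?P<body>.*)$")

# Layout of the PaX report line exactly as it appears in the excerpt.
PAX_RE = re.compile(
    r"PAX: size overflow detected in function (?P<func>\S+) "
    r"(?P<file>\S+?):(?P<line>\d+) (?P<id>\S+) (?P<kind>\w+), "
    r"count: (?P<count>\d+), decl: (?P<decl>[^;]+); "
    r"num: (?P<num>[^;]+); context: (?P<ctx>[^;]+);"
)
CPU_RE = re.compile(
    r"CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) Comm: (?P<comm>\S+) "
    r"(?:Not tainted|Tainted: .*?)\s+(?P<kernel>\S+)\s+#(?P<build>\d+)"
)
# One call-trace frame; a leading "? " marks a frame the unwinder is unsure of.
FRAME_RE = re.compile(
    r"\[<[0-9a-f]+>\]\s+(?P<unreliable>\?\s+)?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"
)
# Assumed symbol prefixes: a syscall entry frame, and the (generic) netlink path.
SYSCALL_PREFIXES = ("SyS_", "sys_", "__x64_sys_", "entry_SYSCALL")
NETLINK_PREFIXES = ("genl_", "netlink_")


def kmsg_bodies(log: str) -> List[str]:
    """Strip syslog and printk prefixes, keeping only the message bodies."""
    return [m.group("body") for line in log.splitlines()
            if (m := KMSG_RE.search(line))]


def parse_pax_report(log: str) -> Optional[Dict]:
    """Return a structured report, or None if the excerpt has no PaX report line."""
    report: Dict = {}
    frames: List[Tuple[str, bool]] = []   # (symbol, unreliable?)
    for body in kmsg_bodies(log):
        if (m := PAX_RE.search(body)):
            report.update(func=m["func"], file=m["file"], line=int(m["line"]),
                          id=m["id"], kind=m["kind"], count=int(m["count"]),
                          decl=m["decl"].strip(), num=m["num"].strip(),
                          context=m["ctx"].strip())
        elif (m := CPU_RE.search(body)):
            report.update(pid=int(m["pid"]), comm=m["comm"], kernel=m["kernel"])
        elif (m := FRAME_RE.search(body)):
            frames.append((m["sym"], m["unreliable"] is not None))
    if "func" not in report:
        return None
    report["frames"] = frames
    syms = [s for s, _ in frames]
    # The frame directly below report_size_overflow is where the check fired;
    # it should name the same function as the report line.
    try:
        below = syms[syms.index("report_size_overflow") + 1]
    except (ValueError, IndexError):
        below = None
    report["frame_matches_report"] = below == report["func"]
    report["via_netlink"] = any(s.startswith(NETLINK_PREFIXES) for s in syms)
    report["entered_via_syscall"] = any(s.startswith(SYSCALL_PREFIXES) for s in syms)
    return report


def triage_summary(report: Dict) -> str:
    """One-line summary suitable for an alert title or a bug-tracker subject."""
    path = "syscall" if report["entered_via_syscall"] else "kernel-internal"
    via = " via netlink" if report["via_netlink"] else ""
    return (f"PaX size overflow in {report['func']} ({report['file']}:{report['line']}, "
            f"decl {report['decl']}, context {report['context']}) from {report['comm']} "
            f"pid {report['pid']} on {report['kernel']}, reached from {path}{via}")


if __name__ == "__main__":
    print(triage_summary(parse_pax_report(SAMPLE_LOG)))
```

The syscall/netlink classification is what turns the trace into an actionable fact: here the check fires inside a configuration request sent by drbdsetup, so with enforcement on it is that sending process that gets killed, which matches the worker-thread failure described in the post.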