
size overflow detected in function __disk_conf_from_attrs

PostPosted: Sat Jan 23, 2016 12:25 pm
by iamb
Greetings. I ran into a size overflow with the latest grsecurity-3.1-4.3.3-201601192226.patch and DRBD. It's a bit tricky: __disk_conf_from_attrs is generated by a macro in include/linux/drbd_genl.h. I haven't gotten much farther than that. Here's a stack trace:

2016-01-22 08:03:28.328172500 kern.notice: Jan 22 08:03:28 : <6>[ 79.891295] drbd r1: Starting worker thread (from drbdsetup-84 [1916])
2016-01-22 08:03:28.328173500 kern.notice: Jan 22 08:03:28 : <0>[ 79.891371] PAX: size overflow detected in function __disk_conf_from_attrs /mnt/scratch/linux-4.3.3/include/linux/drbd_genl.h:104 cicus.705_132 max, count: 161, decl: meta_dev_idx; num: 0; context: disk_conf;
2016-01-22 08:03:28.328175500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891954] CPU: 0 PID: 1916 Comm: drbdsetup-84 Not tainted 4.3.3-grsec #6
2016-01-22 08:03:28.328194500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891956] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
2016-01-22 08:03:28.328195500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891958] ffffffff00000002 f59b92516f169996 0000000000000000 ffffffff8bb280a8
2016-01-22 08:03:28.328196500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891961] ffffc9000285b9c0 ffffffff8b47756b ffffffff8bb5aa52 ffffc9000285b9f0
2016-01-22 08:03:28.328199500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891962] ffffffff8b205084 ffff88001cc56aa8 00000000fffffffd ffffc9000285bb70
2016-01-22 08:03:28.328200500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891965] Call Trace:
2016-01-22 08:03:28.328208500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891971] [<ffffffff8b47756b>] dump_stack+0x44/0x69
2016-01-22 08:03:28.328208500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891974] [<ffffffff8b205084>] report_size_overflow+0x34/0x40
2016-01-22 08:03:28.328209500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891977] [<ffffffff8b5910a3>] __disk_conf_from_attrs+0x5d3/0x5e0
2016-01-22 08:03:28.328304500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891982] [<ffffffff8b1eae17>] ? kmem_cache_alloc+0x147/0x170
2016-01-22 08:03:28.328305500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891985] [<ffffffff8b59814b>] drbd_adm_attach+0x2eb/0x1440
2016-01-22 08:03:28.328305500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891988] [<ffffffff8b4676c9>] ? gr_is_capable+0x19/0x30
2016-01-22 08:03:28.328306500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891994] [<ffffffff8b6c642f>] genl_family_rcv_msg+0x23f/0x430
2016-01-22 08:03:28.328306500 kern.notice: Jan 22 08:03:28 : <4>[ 79.891999] [<ffffffff8b6c66a2>] genl_rcv_msg+0x82/0xb0
2016-01-22 08:03:28.328312500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892027] [<ffffffff8b6c6620>] ? genl_family_rcv_msg+0x430/0x430
2016-01-22 08:03:28.328313500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892029] [<ffffffff8b6c5d6c>] netlink_rcv_skb+0xec/0x130
2016-01-22 08:03:28.328314500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892031] [<ffffffff8b6c61d3>] genl_rcv+0x23/0x40
2016-01-22 08:03:28.328323500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892033] [<ffffffff8b6c3e6a>] netlink_unicast+0x19a/0x250
2016-01-22 08:03:28.328324500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892035] [<ffffffff8b6c4761>] netlink_sendmsg+0x391/0x500
2016-01-22 08:03:28.328324500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892038] [<ffffffff8b66b55e>] sock_sendmsg+0x4e/0x60
2016-01-22 08:03:28.328441500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892046] [<ffffffff8b66b5f5>] sock_write_iter+0x85/0x100
2016-01-22 08:03:28.328442500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892054] [<ffffffff8b1fba3c>] __vfs_write+0x10c/0x140
2016-01-22 08:03:28.328442500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892055] [<ffffffff8b1fbca5>] vfs_write+0xf5/0x2a0
2016-01-22 08:03:28.328443500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892056] [<ffffffff8b1fbf79>] SyS_write+0x59/0xd0
2016-01-22 08:03:28.328443500 kern.notice: Jan 22 08:03:28 : <4>[ 79.892059] [<ffffffff8b8329b0>] entry_SYSCALL_64_fastpath+0x12/0x8a

This would then kill the drbd worker process. I tried booting with pax_size_overflow_report_only; I see the same overflow reported and the worker doesn't get killed, but DRBD still fails to function. After disabling CONFIG_PAX_SIZE_OVERFLOW entirely, it functions normally. That seems really odd to me, but I haven't looked into it further yet.

Let me know if there are other details that would be helpful. Thanks!

Re: size overflow detected in function __disk_conf_from_attr

PostPosted: Sun Jan 24, 2016 4:08 pm
by ephox
Hi,
Could you please send me the results (drivers/block/drbd/drbd_nl.*) of make drivers/block/drbd/drbd_nl.o EXTRA_CFLAGS="-fdump-tree-all -fdump-ipa-all" and your kernel .config?
Which gcc version did you use?

Re: size overflow detected in function __disk_conf_from_attr

PostPosted: Mon Feb 15, 2016 11:54 am
by gaima
ephox wrote:Hi,
Could you please send me the results (drivers/block/drbd/drbd_nl.*) of make drivers/block/drbd/drbd_nl.o EXTRA_CFLAGS="-fdump-tree-all -fdump-ipa-all" and your kernel .config?
Which gcc version did you use?


Hi,

I just hit this with Gentoo's hardened-sources-4.3.5-r2 (4.2.7 and 4.3.3-r1 were both fine).
Here are my drbd.nl.* files and .config
https://www.dropbox.com/s/fs6mrft2jbwcm ... ar.gz?dl=0


Thanks
Mike

Re: size overflow detected in function __disk_conf_from_attr

PostPosted: Mon Feb 15, 2016 12:17 pm
by PaX Team
can you also post the corresponding kernel logs please?

Re: size overflow detected in function __disk_conf_from_attr

PostPosted: Mon Feb 15, 2016 6:18 pm
by gaima
PaX Team wrote:can you also post the corresponding kernel logs please?


Sure, here it is;

[Mon Feb 15 22:16:40 2016] drbd drbd0: Starting worker thread (from drbdsetup-84 [3979])
[Mon Feb 15 22:16:40 2016] PAX: size overflow detected in function __disk_conf_from_attrs include/linux/drbd_genl.h:104 cicus.725_132 max, count: 161, decl: meta_dev_idx; num: 0; context: disk_conf;
[Mon Feb 15 22:16:40 2016] CPU: 4 PID: 3979 Comm: drbdsetup-84 Not tainted 4.3.5-hardened-r2 #1
[Mon Feb 15 22:16:40 2016]  0000000000000068 ffffffff813bd89b ffffffffa085da4f ffffffff8116908f
[Mon Feb 15 22:16:40 2016]  ffff8800ffe6f000 ffffc9004959bb50 00000000fffffffd ffff8800ff738000
[Mon Feb 15 22:16:40 2016]  ffffffffa0841e4b ffff8801f0b9c000 ffffc9004959bc48 ffff8801f0b9c000
[Mon Feb 15 22:16:40 2016] Call Trace:
[Mon Feb 15 22:16:40 2016]  [<ffffffff813bd89b>] ? dump_stack+0x40/0x55
[Mon Feb 15 22:16:40 2016]  [<ffffffffa085da4f>] ? drbd_nla_find_nested+0xd28f/0x1550d [drbd]
[Mon Feb 15 22:16:40 2016]  [<ffffffff8116908f>] ? report_size_overflow+0x5f/0x70
[Mon Feb 15 22:16:40 2016]  [<ffffffffa0841e4b>] ? __disk_conf_from_attrs+0x54b/0x590 [drbd]
[Mon Feb 15 22:16:40 2016]  [<ffffffffa084860b>] ? drbd_adm_attach+0x29b/0x1360 [drbd]
[Mon Feb 15 22:16:40 2016]  [<ffffffff8119bd1d>] ? bd_set_size+0xed/0x150
[Mon Feb 15 22:16:40 2016]  [<ffffffff8119d4bd>] ? __blkdev_get+0x1fd/0x430
[Mon Feb 15 22:16:40 2016]  [<ffffffff813b3b42>] ? gr_task_acl_is_capable+0x22/0x160
[Mon Feb 15 22:16:40 2016]  [<ffffffff8162b7a8>] ? genl_family_rcv_msg+0x218/0x3b0
[Mon Feb 15 22:16:40 2016]  [<ffffffff8162b940>] ? genl_family_rcv_msg+0x3b0/0x3b0
[Mon Feb 15 22:16:40 2016]  [<ffffffff8162b9ab>] ? genl_rcv_msg+0x6b/0xb0
[Mon Feb 15 22:16:40 2016]  [<ffffffff8162a57a>] ? netlink_rcv_skb+0xda/0x120
[Mon Feb 15 22:16:40 2016]  [<ffffffff8162b57f>] ? genl_rcv+0x1f/0x30
[Mon Feb 15 22:16:40 2016]  [<ffffffff81629c89>] ? netlink_unicast+0x149/0x1f0
[Mon Feb 15 22:16:40 2016]  [<ffffffff8162a169>] ? netlink_sendmsg+0x389/0x4b0
[Mon Feb 15 22:16:40 2016]  [<ffffffff815d384e>] ? sock_sendmsg+0xe/0x20
[Mon Feb 15 22:16:40 2016]  [<ffffffff815d38d7>] ? sock_write_iter+0x77/0xd0
[Mon Feb 15 22:16:40 2016]  [<ffffffff81161d73>] ? __vfs_write+0xb3/0xf0
[Mon Feb 15 22:16:40 2016]  [<ffffffff81162857>] ? vfs_write+0xf7/0x2b0
[Mon Feb 15 22:16:40 2016]  [<ffffffff81005305>] ? xen_mc_flush+0xf5/0x130
[Mon Feb 15 22:16:40 2016]  [<ffffffff8116393d>] ? SyS_write+0x3d/0xa0
[Mon Feb 15 22:16:40 2016]  [<ffffffff81704436>] ? entry_SYSCALL_64_fastpath+0x12/0x80

Re: size overflow detected in function __disk_conf_from_attr

PostPosted: Mon Feb 15, 2016 6:49 pm
by PaX Team
Thanks, it's a drbd/kernel bug: __s32_field uses u32 nla accessors, which the size overflow plugin catches. The following should fix it; can you test it?
--- a/include/linux/genl_magic_struct.h    2013-02-19 01:13:20.461768211 +0100
+++ b/include/linux/genl_magic_struct.h   2016-02-15 23:43:53.821115928 +0100
@@ -76,8 +76,8 @@
        __field(attr_nr, attr_flag, name, NLA_U32, __u32, \
                        nla_get_u32, nla_put_u32, false)
 #define __s32_field(attr_nr, attr_flag, name)  \
-       __field(attr_nr, attr_flag, name, NLA_U32, __s32, \
-                       nla_get_u32, nla_put_u32, true)
+       __field(attr_nr, attr_flag, name, NLA_S32, __s32, \
+                       nla_get_s32, nla_put_s32, true)
 #define __u64_field(attr_nr, attr_flag, name)  \
        __field(attr_nr, attr_flag, name, NLA_U64, __u64, \
                        nla_get_u64, nla_put_u64, false)
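Review bot: the fix should spell out in its description that the wire format is unchanged, since the hunk touches a header shared by every __s32_field user in drbd_genl.h, not only meta_dev_idx: nla_put_u32 and nla_put_s32 both emit a 4-byte payload, and NLA_S32 validates to the same minimum length as NLA_U32, so an existing drbdsetup that sends the attribute as before keeps working. The visible context also shows that __s32_field already passed `true` as the final (is-signed) argument while __u32_field passes `false`, so the old `nla_get_u32, nla_put_u32` pair was the inconsistent part and the new `NLA_S32, __s32, nla_get_s32, nla_put_s32` makes the policy type, C type and accessors agree. One thing to verify before merging on other kernel branches is that nla_get_s32/nla_put_s32 exist in include/net/netlink.h for the target version.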

Re: size overflow detected in function __disk_conf_from_attr

PostPosted: Tue Feb 16, 2016 6:49 am
by gaima
PaX Team wrote:Thanks, it's a drbd/kernel bug: __s32_field uses u32 nla accessors, which the size overflow plugin catches. The following should fix it; can you test it?


Marvellous, that got it.
Thanks!
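As an added illustration of the diagnosis in the thread (editorial example code, not DRBD's code, the genl_magic_struct.h macros, or the size overflow plugin itself): a model of the __s32_field conversion before and after the patch. It assumes a 4-byte attribute payload in host byte order; the put/get helpers and the range check standing in for the plugin's instrumentation are constructed here. The negative index values are the ones DRBD defines for internal metadata in include/linux/drbd.h. The 00000000fffffffd in both posted register dumps is the zero-extended 32-bit form of -3, which is consistent with the metadata index being the value that failed the check, although the dump alone does not prove that.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for a 4-byte netlink attribute payload.  In the kernel
 * nla_put_u32() and nla_put_s32() both write exactly four bytes, so the two
 * "put" helpers below produce identical bytes on the wire; only the accessor
 * type on the receiving side differs.
 */
struct attr4 { unsigned char payload[4]; };

static void     put_u32(struct attr4 *a, uint32_t v) { memcpy(a->payload, &v, 4); }
static void     put_s32(struct attr4 *a, int32_t v)  { memcpy(a->payload, &v, 4); }
static uint32_t get_u32(const struct attr4 *a) { uint32_t v; memcpy(&v, a->payload, 4); return v; }
static int32_t  get_s32(const struct attr4 *a) { int32_t v;  memcpy(&v, a->payload, 4); return v; }

/* Negative meta_dev_idx values DRBD uses for internal metadata (include/linux/drbd.h). */
enum { MD_INDEX_INTERNAL = -1, MD_INDEX_FLEX_EXT = -2, MD_INDEX_FLEX_INT = -3 };

struct disk_conf { int32_t meta_dev_idx; };

/*
 * Simplified model (an assumption of this example) of the check the size
 * overflow plugin inserts: the intermediate value is compared against the
 * range of the assignment target's type, here __s32, and a value above
 * INT32_MAX is reported ("max" in the posted log line).
 */
static bool exceeds_s32_max(uint64_t intermediate) { return intermediate > (uint64_t)INT32_MAX; }

/* Before the fix: an unsigned accessor feeds a signed field. */
static bool disk_conf_from_attrs_u32(struct disk_conf *dc, const struct attr4 *a)
{
    uint32_t tmp = get_u32(a);
    if (exceeds_s32_max(tmp))
        return false;               /* report_size_overflow() would fire here */
    dc->meta_dev_idx = (int32_t)tmp;
    return true;
}

/* After the fix: the accessor's type matches the field's type. */
static bool disk_conf_from_attrs_s32(struct disk_conf *dc, const struct attr4 *a)
{
    dc->meta_dev_idx = get_s32(a);  /* already signed: no narrowing, nothing to flag */
    return true;
}

/* Raw 32-bit value a u32 accessor sees for a given (possibly negative) index. */
static uint32_t wire_u32(int32_t idx) { struct attr4 a; put_s32(&a, idx); return get_u32(&a); }

/* 1 if the pre-fix path would be flagged for this index, 0 if it passes. */
static int u32_path_flagged(int32_t idx)
{
    struct attr4 a; struct disk_conf dc = { 0 };
    put_s32(&a, idx);
    return disk_conf_from_attrs_u32(&dc, &a) ? 0 : 1;
}

/* Value recovered through the fixed path. */
static int32_t s32_path_value(int32_t idx)
{
    struct attr4 a; struct disk_conf dc = { 0 };
    put_s32(&a, idx);
    disk_conf_from_attrs_s32(&dc, &a);
    return dc.meta_dev_idx;
}

/* 1 if put_u32 and put_s32 emit the same bytes for the same index (wire format unchanged). */
static int wire_bytes_identical(int32_t idx)
{
    struct attr4 a, b;
    put_u32(&a, (uint32_t)idx);
    put_s32(&b, idx);
    return memcmp(a.payload, b.payload, 4) == 0;
}

int main(void)
{
    const int32_t idx[] = { MD_INDEX_INTERNAL, MD_INDEX_FLEX_EXT, MD_INDEX_FLEX_INT, 0, 7 };
    for (size_t i = 0; i < sizeof idx / sizeof idx[0]; i++)
        printf("meta_dev_idx=%d wire=0x%08x u32-path flagged=%d s32-path value=%d same bytes=%d\n",
               idx[i], wire_u32(idx[i]), u32_path_flagged(idx[i]),
               s32_path_value(idx[i]), wire_bytes_identical(idx[i]));
    return 0;
}
```

The point the model makes is the one in the fix: every negative index, which is exactly the case DRBD relies on for internal metadata, trips the check on the u32 path and passes unchanged on the s32 path, while the bytes sent by the userspace side are the same either way.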