Page 1 of 1

PAX: size overflow detected in function xdr_init_decode

PostPosted: Thu Jun 16, 2016 4:02 pm
by mathias
Running Linux 4.5.7 and grsecurity-3.1-4.5.7-201606142010.patch. This error does not occur when running Linux 4.5.5 with grsecurity-3.1-4.5.5-201605211442.patch applied. After boot I see this in dmesg:

Code: Select all
[  144.640965] PAX: size overflow detected in function xdr_init_decode net/sunrpc/xdr.c:801 cicus.282_43 min, count: 18, decl: nwords; num: 0; context: xdr_stream;
[  144.640993] CPU: 4 PID: 1130 Comm: rpc.nfsd Tainted: G            E   4.5.7-grsec-201606142010 #1
[  144.640996] Hardware name: Supermicro X10SRA/X10SRA, BIOS 1.0a 11/27/2014
[  144.640999]  0000000000000000 6b1fb93e4b0e2c71 0000000000000286 0000000000000000
[  144.641004]  ffffffffb2351409 ffffffffc08e9e8a 6b1fb93e4b0e2c71 ffffffffc08e9e8a
[  144.641008]  0000000000000321 ffffffffb21e3375 ffffc9000413b958 fffffffffffffffa
[  144.641013] Call Trace:
[  144.641023]  [<ffffffffb2351409>] ? dump_stack+0x5a/0xb1
[  144.641061]  [<ffffffffc08e9e8a>] ? rpc_proc_fops+0x88a/0x7680 [sunrpc]
[  144.641082]  [<ffffffffc08e9e8a>] ? rpc_proc_fops+0x88a/0x7680 [sunrpc]
[  144.641089]  [<ffffffffb21e3375>] ? report_size_overflow+0x65/0x90
[  144.641112]  [<ffffffffc08d838c>] ? xdr_init_decode+0x13c/0x180 [sunrpc]
[  144.641130]  [<ffffffffc08c1290>] ? rpcproc_encode_null+0x20/0x20 [sunrpc]
[  144.641150]  [<ffffffffc08ce64d>] ? rpcauth_unwrap_resp+0x9d/0xe0 [sunrpc]
[  144.641167]  [<ffffffffc08c1290>] ? rpcproc_encode_null+0x20/0x20 [sunrpc]
[  144.641184]  [<ffffffffc08c1de6>] ? call_decode+0x186/0x3e0 [sunrpc]
[  144.641203]  [<ffffffffc08cbfd8>] ? __rpc_execute+0x78/0x2b0 [sunrpc]
[  144.641220]  [<ffffffffc08c3cb6>] ? rpc_run_task+0x76/0xa0 [sunrpc]
[  144.641236]  [<ffffffffc08c3d32>] ? rpc_call_sync+0x52/0xe0 [sunrpc]
[  144.641259]  [<ffffffffc08e7800>] ? rpc_inaddr_loopback+0x20/0x20 [sunrpc]
[  144.641275]  [<ffffffffc08c3e33>] ? rpc_ping+0x73/0xc0 [sunrpc]
[  144.641295]  [<ffffffffc08e7780>] ? __func__.59028+0x20/0x20 [sunrpc]
[  144.641312]  [<ffffffffc08c3f0f>] ? rpc_create_xprt+0x8f/0xc0 [sunrpc]
[  144.641328]  [<ffffffffc08c3ffc>] ? rpc_create+0xbc/0x190 [sunrpc]
[  144.641348]  [<ffffffffc08e8480>] ? rpcb_inaddr_loopback.56988+0x40/0x40 [sunrpc]
[  144.641370]  [<ffffffffc08e9e4b>] ? rpc_proc_fops+0x84b/0x7680 [sunrpc]
[  144.641376]  [<ffffffffb21b9fb0>] ? __kmalloc+0x300/0x470
[  144.641399]  [<ffffffffc08d798d>] ? rpcb_create_local+0xdd/0x230 [sunrpc]
[  144.641423]  [<ffffffffc08e8480>] ? rpcb_inaddr_loopback.56988+0x40/0x40 [sunrpc]
[  144.641445]  [<ffffffffc08e9e4b>] ? rpc_proc_fops+0x84b/0x7680 [sunrpc]
[  144.641468]  [<ffffffffc08e8880>] ? rpcb_getport_ops+0x20/0x20 [sunrpc]
[  144.641491]  [<ffffffffc08cfef4>] ? svc_rpcb_setup+0x14/0x50 [sunrpc]
[  144.641509]  [<ffffffffc098e578>] ? nfsd_create_serv+0xe8/0x240 [nfsd]
[  144.641531]  [<ffffffffc08d1e00>] ? svc_alien_sock+0x40/0x80 [sunrpc]
[  144.641546]  [<ffffffffc098fed3>] ? write_ports+0x243/0x2e0 [nfsd]
[  144.641553]  [<ffffffffb22101b3>] ? simple_transaction_get+0xd3/0x100
[  144.641567]  [<ffffffffc098fc90>] ? write_recoverydir+0x120/0x120 [nfsd]
[  144.641582]  [<ffffffffc098f992>] ? nfsctl_transaction_write+0x62/0xa0 [nfsd]
[  144.641587]  [<ffffffffb21d99e1>] ? __vfs_write+0x61/0x180
[  144.641592]  [<ffffffffb22a20dd>] ? security_file_permission+0x4d/0xe0
[  144.641597]  [<ffffffffb20bf279>] ? percpu_down_read+0x9/0x80
[  144.641602]  [<ffffffffb21da6a6>] ? vfs_write+0xe6/0x2a0
[  144.641606]  [<ffffffffb21dbc81>] ? sys_write+0x51/0xd0
[  144.641613]  [<ffffffffb2685a2d>] ? entry_SYSCALL_64_fastpath+0x16/0x87

Re: PAX: size overflow detected in function xdr_init_decode

PostPosted: Thu Jun 16, 2016 5:30 pm
by PaX Team
assuming you can reproduce this at will, can you apply the following patch and report back the results please:
Code: Select all
--- a/net/sunrpc/xdr.c 2015-02-09 21:13:14.377587210 +0100
+++ b/net/sunrpc/xdr.c    2016-06-16 23:28:52.031875300 +0200
@@ -798,6 +798,7 @@
        else if (buf->page_len != 0)
                xdr_set_page_base(xdr, 0, buf->len);
        if (p != NULL && p > xdr->p && xdr->end >= p) {
+printk("PAX: xdr->nwords:%x p:%p xdr->p:%p\n", xdr->nwords, p, xdr->p);
                xdr->nwords -= p - xdr->p;
                xdr->p = p;
        }
also enable frame pointers for a better backtrace.

Re: PAX: size overflow detected in function xdr_init_decode

PostPosted: Sat Jun 18, 2016 1:08 am
by mathias
I've not found a way to reliably reproduce this issue. I have recompiled the kernel with the requested printk patch and frame pointers. If I see the problem again I'll update this thread.

Re: PAX: size overflow detected in function xdr_init_decode

PostPosted: Wed Jun 22, 2016 7:21 am
by spender
Have you been able to reproduce it yet? We'd like to make sure it's fixed before releasing a 4.6 patch.

Thanks,
-Brad

Re: PAX: size overflow detected in function xdr_init_decode

PostPosted: Fri Jun 24, 2016 5:22 pm
by mathias
spender wrote:Have you been able to reproduce it yet? We'd like to make sure it's fixed before releasing a 4.6 patch.

Thanks,
-Brad


No, I haven't been able to get the overflow to trigger again. I guess I happened to hit a weird edge case. I will continue to watch for this issue to crop up again -- sorry for the noise.