
PAX: overwritten function pointer or return address detected

PostPosted: Thu Jun 16, 2016 11:36 pm
by sth0R
Platform: Linux kernel 4.5.7 + PaX/Grsecurity( grsecurity-3.1-4.5.7-201606110914.patch)

It panicked while trinity-fuzzer was starting. trinity-fuzzer doesn't generate much info, only a few lines:
[main] shm is at 0x7ac074bfc000
[main] 32-bit syscalls: 380 enabled. 64-bit syscalls: 329 enabled.


Kernel info:
Jun 17 10:50:45 sth0R kernel: [ 807.767544] PAX: overwritten function pointer or return address detected: 0000 [#1] SMP
Jun 17 10:50:45 sth0R kernel: [ 807.767660] Modules linked in: ctr ccm rfcomm vmw_vsock_vmci_transport vsock vmw_vmci xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat bridge stp llc arc4 ebtable_filter ebtables bnep xt_recent xt_tcpudp xt_multiport nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack ipt_REJECT nf_reject_ipv4 nf_log_ipv4 nf_log_common xt_LOG xt_limit ip6table_mangle ip6table_filter ip6_tables iptable_mangle iptable_filter ip_tables x_tables nf_conntrack_irc nf_conntrack_ftp nf_conntrack binfmt_misc nls_iso8859_1 i2c_designware_platform i2c_designware_core snd_hda_codec_hdmi dell_wmi sparse_keymap snd_hda_codec_realtek snd_hda_codec_generic snd_soc_skl snd_soc_skl_ipc snd_soc_sst_ipc snd_soc_sst_dsp snd_hda_ext_core snd_soc_sst_match snd_soc_core snd_compress ac97_bus snd_pcm_dmaengine dw_dmac_core snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi intel_rapl x86_pkg_temp_thermal intel_powerclamp snd_seq coretemp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 snd_seq_device snd_timer videodev media videobuf2_core input_leds serio_raw joydev snd btusb btrtl soundcore ath10k_pci ath10k_core ath mac80211 idma64 virt_dma cfg80211 mei_me intel_lpss_pci processor_thermal_device shpchp mei intel_soc_dts_iosf int3403_thermal int340x_thermal_zone hci_uart btbcm btqca btintel bluetooth tpm_crb intel_lpss_acpi intel_lpss acpi_pad int3400_thermal acpi_thermal_rel dell_rbtn mac_hid acpi_als kfifo_buf industrialio kvm_intel kvm irqbypass parport_pc ppdev lp parport autofs4 btrfs xor raid6_pq jitterentropy_rng drbg ansi_cprng algif_skcipher af_alg dm_crypt dm_mirror dm_region_hash dm_log hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel nouveau aes_x86_64 lrw gf128mul i915 glue_helper ablk_helper cryptd psmouse mxm_wmi ttm i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm alx nvme mdio wmi video pinctrl_sunrisepoint pinctrl_intel fjes
Jun 17 10:50:45 sth0R kernel: [ 807.769754] CPU: 1 PID: 16564 Comm: trinity Not tainted 4.5.7-grsec #1
Jun 17 10:50:45 sth0R kernel: [ 807.769817] Hardware name: Alienware Alienware 13 R2/Alienware 13 R2, BIOS 1.2.8 01/29/2016
Jun 17 10:50:45 sth0R kernel: [ 807.769895] task: ffff880480eb0b00 ti: ffff880480eb1588 task.ti: ffff880480eb1588
Jun 17 10:50:45 sth0R kernel: [ 807.769963] RIP: 0010:[<ffffffff8459b852>] [<ffffffff8459b852>] dev_attr_show+0x42/0x60
Jun 17 10:50:45 sth0R kernel: [ 807.770047] RSP: 0018:ffffc9000bdebc28 EFLAGS: 00010287
Jun 17 10:50:45 sth0R kernel: [ 807.770098] RAX: ffffffff8402c260 RBX: ffff8804b1762c68 RCX: ffffffff84a6a7e0
Jun 17 10:50:45 sth0R kernel: [ 807.770163] RDX: ffff8804aab74020 RSI: ffffffff850587e0 RDI: ffff8804b1762c68
Jun 17 10:50:45 sth0R kernel: [ 807.770228] RBP: ffffc9000bdebc40 R08: ffff8804c4094a00 R09: ffff8804aab74020
Jun 17 10:50:45 sth0R kernel: [ 807.770293] R10: 00007ac0745f22c8 R11: 0000000000000246 R12: ffffffff850587e0
Jun 17 10:50:45 sth0R kernel: [ 807.770357] R13: ffff8804aab74020 R14: ffff8803a669ec38 R15: ffff8804aab74020
Jun 17 10:50:45 sth0R kernel: [ 807.770424] FS: 00007ac074bf8700(0000) GS:ffff8804c4080000(0000) knlGS:0000000000000000
Jun 17 10:50:45 sth0R kernel: [ 807.770497] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 17 10:50:45 sth0R kernel: [ 807.770550] CR2: 00000000034f66c8 CR3: 000000037b38d000 CR4: 00000000003606f0
Jun 17 10:50:45 sth0R kernel: [ 807.770615] Stack:
Jun 17 10:50:45 sth0R kernel: [ 807.770636] ffff8804b0293898 0000000000001000 ffff8804b1762c68 ffffc9000bdebc80
Jun 17 10:50:45 sth0R kernel: [ 807.770716] ffffffff8428cd71 ffffffff84a6a7e0 ffff8804b0293898 0000000000000001
Jun 17 10:50:45 sth0R kernel: [ 807.770795] ffff8803e4c02f00 ffffc9000bdebec8 ffff8803e4c02f00 ffffc9000bdebca0
Jun 17 10:50:45 sth0R kernel: [ 807.770874] Call Trace:
Jun 17 10:50:45 sth0R kernel: [ 807.770905] [<ffffffff8428cd71>] sysfs_kf_seq_show+0xc1/0x140
Jun 17 10:50:45 sth0R kernel: [ 807.770962] [<ffffffff8428acba>] kernfs_seq_show+0x3a/0x60
Jun 17 10:50:45 sth0R kernel: [ 807.771016] [<ffffffff8421e901>] seq_read+0x171/0x7d0
Jun 17 10:50:45 sth0R kernel: [ 807.771068] [<ffffffff8428c1c4>] kernfs_fop_read+0x134/0x290
Jun 17 10:50:45 sth0R kernel: [ 807.771125] [<ffffffff841ed6c8>] __vfs_read+0x58/0x160
Jun 17 10:50:45 sth0R kernel: [ 807.771179] [<ffffffff8435b2f8>] ? security_file_permission+0xa8/0xe0
Jun 17 10:50:45 sth0R kernel: [ 807.771242] [<ffffffff841eecf5>] vfs_read+0xc5/0x250
Jun 17 10:50:45 sth0R kernel: [ 807.771292] [<ffffffff841f0354>] sys_read+0x54/0xd0
Jun 17 10:50:45 sth0R kernel: [ 807.771343] [<ffffffff848d1918>] entry_SYSCALL_64_fastpath+0x16/0x7e
Jun 17 10:50:45 sth0R kernel: [ 807.771402] Code: 48 85 c0 74 1d 48 81 78 f8 83 a8 70 56 75 1c 48 8d 7b f0 4c 89 ea 4c 89 e6 ff d0 5b 41 5c 41 5d 5d c3 48 c7 c0 fb ff ff ff eb f0 <0f> 0b 66 90 66 2e 0f 1f 84 00 00 00 00 00 cc cc cc cc cc cc cc
Jun 17 10:50:45 sth0R kernel: [ 807.771795] RIP [<ffffffff8459b852>] dev_attr_show+0x42/0x60
Jun 17 10:50:45 sth0R kernel: [ 807.771854] RSP <ffffc9000bdebc28>
Jun 17 10:50:45 sth0R kernel: [ 807.787614] ---[ end trace fc56c0989f28ce15 ]---
Jun 17 10:50:45 sth0R kernel: [ 807.787625] grsec: banning user with uid 1000 until system restart for suspicious kernel crash

Re: PAX: overwritten function pointer or return address detected

PostPosted: Thu Jun 16, 2016 11:47 pm
by PaX Team
can you please send me your vmlinux (from the build root dir which has debug symbols)?

Re: PAX: overwritten function pointer or return address detected

PostPosted: Sat Jun 18, 2016 2:02 pm
by minipli
In case you want to accelerate this a little for further trinity runs, you can apply the following patch: http://r00tworld.net/~minipli/grsec/pax ... ction.diff

It'll extend the kernel log with an additional line, decoding the function pointer that violated the RAP type hash. E.g., you'll get something like the following (yeah, dma-buf has/had a type mixup, too :wink:):

bbox:~# cat /sys/kernel/debug/dma_buf/bufinfo
[ 382.604304] PAX: RAP hash violation for dma_buf_describe+0x0/0x1c0
[ 382.621490] PAX: overwritten function pointer or return address detected: 0000 [#1] SMP
[ 382.621490] Modules linked in: ipv6 pcspkr serio_raw virtio_net virtio_pci virtio_ring virtio sr_mod cdrom
[ 382.621490] CPU: 0 PID: 332 Comm: cat Not tainted 4.5.7-grsec+ #241
[ 382.621490] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 382.621490] task: ffff88001f689580 ti: ffff88001f689e70 task.ti: ffff88001f689e70
[ 382.621490] RIP: 0010:[<ffffffff814c23d0>] [<ffffffff814c23d0>] dma_buf_show+0x30/0x50
[ 382.621490] RSP: 0018:ffff88001f753d58 EFLAGS: 00010206
[ 382.621490] RAX: ffffffff814c36f0 RBX: ffff88001f66b900 RCX: ffffffff814c23a0
[ 382.621490] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff88001ee91450
[ 382.621490] RBP: ffff88001f753e20 R08: 0000000000000001 R09: ffff88001f465668
[ 382.621490] R10: ffff88001d40fc00 R11: 0000000000000001 R12: 8000000000000000
[ 382.621490] R13: 0000000000000001 R14: ffff88001ee91450 R15: ffff88001f753f10
[ 382.621490] FS: 00000000025952d0(0063) GS:ffff88001e600000(0000) knlGS:0000000000000000
[ 382.621490] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 382.621490] CR2: 000000000042fae0 CR3: 00000000016b2000 CR4: 00000000001606f0
[ 382.621490] Stack:
[ 382.621490] ffffffff811e3f7a 0000000000000000 0000000000000206 ffff88001f753d88
[ 382.621490] 0000000000000206 ffff88001cf1b480 ffff88001f753e78 000003a70fc61130
[ 382.621490] ffff88001f753dc8 0000000000001000 0000000000000000 00ff880000000001
[ 382.621490] Call Trace:
[ 382.621490] [<ffffffff811e3f7a>] ? seq_read+0x11a/0xad0
[ 382.621490] [<ffffffff811b6983>] __vfs_read+0x43/0x120
[ 382.621490] [<ffffffff811cb40a>] ? putname+0x5a/0x70
[ 382.621490] [<ffffffff811a685c>] ? kmem_cache_free+0x1fc/0x2a0
[ 382.621490] [<ffffffff811b7b33>] vfs_read+0xc3/0x200
[ 382.621490] [<ffffffff811cb40a>] ? putname+0x5a/0x70
[ 382.621490] [<ffffffff811b6156>] ? do_sys_open+0x1c6/0x2a0
[ 382.621490] [<ffffffff811b8ec9>] sys_read+0x49/0xc0
[ 382.621490] [<ffffffff8169aacb>] entry_SYSCALL_64_fastpath+0x12/0x6e
[ 382.621490] Code: 48 b8 00 00 00 00 00 00 00 80 48 0b 87 98 00 00 00 48 81 78 f8 18 85 4a 61 75 10 55 48 89 e5 ff d0 31 c0 5d 48 0f ba 2c 24 3f c3 <0f> 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 cc cc cc cc cc
[ 382.621490] RIP [<ffffffff814c23d0>] dma_buf_show+0x30/0x50
[ 382.621490] RSP <ffff88001f753d58>
[ 383.194084] ---[ end trace 4b61e05b515a79d5 ]---


Notice the additional first line telling us that dma_buf_describe(), which should have been called from dma_buf_show(), would be called through a function pointer with the wrong type.

But please, use this patch only for testing, not for production use. It's a hack only, but does the trick for such use cases ;)
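The mechanism behind both traces can be read straight out of the `Code:` bytes in the first one. Decoding the instructions before the faulting `<0f> 0b`: `48 85 c0` / `74 1d` is `test %rax,%rax` / `je` (the NULL check on `dev_attr->show`), `48 81 78 f8 83 a8 70 56` is `cmpq $0x5670a883,-0x8(%rax)`, `75 1c` is `jne` to the `ud2`, and after loading the arguments `ff d0` is `call *%rax`. So RAP's forward-edge check reads the 8 bytes immediately in front of the target function, compares them with the type hash the call site expects, and only then calls; on a mismatch it hits `ud2`, which is the RIP the oops reports. The RAX value in the register dump is the pointer that failed the check, which is the value minipli's patch resolves to a symbol.

The following C program is an added example, not PaX/grsecurity code, that emulates this check in userland so the "type mixup" failure mode can be reproduced without a kernel. Everything in it is an assumption made for illustration: the hash lives in a descriptor next to the code pointer rather than in the bytes before the function, the hash function (FNV-1a over a textual signature) is not RAP's real hash, and the `seq_file`, `good_show` and `describe_only` names are stand-ins for the kernel functions in the traces.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Emulated RAP-style forward-edge type check (added example, not PaX code).
 * RAP proper is a GCC plugin that stores a type hash in the bytes just before
 * each function's entry and, at every indirect call site, emits
 *   cmpq $hash, -8(%reg); jne <ud2>; call *%reg
 * Here the hash is kept in a descriptor next to the code pointer instead, and
 * the hash (FNV-1a over a textual signature) is an assumption, not RAP's.
 */

typedef uint64_t rap_hash_t;

/* Derive a type hash from a textual function signature (assumed scheme). */
static rap_hash_t rap_hash(const char *sig)
{
    rap_hash_t h = 0xcbf29ce484222325ULL;           /* FNV-1a offset basis */
    for (const unsigned char *p = (const unsigned char *)sig; *p; p++) {
        h ^= *p;
        h *= 0x100000001b3ULL;                      /* FNV prime */
    }
    return h;
}

/* Minimal stand-in for the kernel type seen in the traces (hypothetical). */
struct seq_file { const char *buf; };

/* The pointer type the call site expects, like a seq_file show() hook. */
typedef int (*seq_show_t)(struct seq_file *m, void *v);
#define SEQ_SHOW_SIG "int(struct seq_file*,void*)"

/* A function as RAP sees it: its type hash sits in front of the entry. */
struct rap_fn {
    rap_hash_t hash;
    void (*code)(void);
};

static struct rap_fn rap_make(void (*code)(void), const char *sig)
{
    struct rap_fn f;
    f.hash = rap_hash(sig);
    f.code = code;
    return f;
}

/*
 * Emulated indirect call site for a seq_show_t pointer. Returns 0 when the
 * hash matches and the callee ran (its result in *ret), or -1 on a mismatch,
 * which is where the real kernel executes ud2 and logs
 * "PAX: overwritten function pointer or return address detected".
 */
static int rap_call_seq_show(const struct rap_fn *f, struct seq_file *m,
                             void *v, int *ret)
{
    if (f->hash != rap_hash(SEQ_SHOW_SIG))
        return -1;
    *ret = ((seq_show_t)f->code)(m, v);
    return 0;
}

/* Correctly typed show() implementation. */
static int good_show(struct seq_file *m, void *v)
{
    (void)v;
    return (int)strlen(m->buf);
}

/* A function of a different type (one parameter) that got cast into the
 * seq_show_t slot: the kind of type mixup described in the thread. */
static int describe_only(struct seq_file *m)
{
    return m->buf[0] == 'x';
}

/* Matching hash: the check passes and good_show runs (returns 12 here). */
static int demo_matching(void)
{
    struct seq_file m = { "dma-buf info" };   /* constructed sample input */
    struct rap_fn f = rap_make((void (*)(void))good_show, SEQ_SHOW_SIG);
    int ret = 0;
    return rap_call_seq_show(&f, &m, NULL, &ret) == 0 ? ret : -1;
}

/* Mismatched hash: the cast compiles, but the call site sees the wrong hash
 * in front of the target and refuses to call it (returns -1). */
static int demo_mismatch(void)
{
    struct seq_file m = { "dma-buf info" };
    struct rap_fn f = rap_make((void (*)(void))describe_only,
                               "int(struct seq_file*)");
    int ret = 0;
    return rap_call_seq_show(&f, &m, NULL, &ret);
}

int main(void)
{
    printf("matching type:   show() returned %d\n", demo_matching());
    printf("mismatched type: call site returned %d (RAP hash violation)\n",
           demo_mismatch());
    return 0;
}
```

The point the emulation makes is the one in the thread: the compiler accepts the cast, so nothing is "overwritten" in the exploit sense, yet the hash in front of `describe_only` is not the hash the `seq_show_t` call site was compiled with, and RAP treats that exactly like a corrupted pointer. Fixing such a report means changing the callee to the type the pointer slot declares (or the slot to the callee's type), not weakening the check.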