Two size overflow reports in grsecurity-3.1-4.6.4-201607182211
Posted: Tue Jul 19, 2016 8:00 am
Quoting from IRC earlier today, on spender's request:
All three size overflow reports are reproducible. I'm building the kernel by myself, under Debian sid amd64, and nearly all PaX+grsec config options are enabled: I'm not using the special uid + gid for users allowed to fork tasks at the moment.
For now, I reverted to an older version.
With the latest test patch, I've just seen a size overflow panic in tcp_rtt_estimator() <- tcp_ack() <- csum_partial() <- (IPv6 stuff) <- (SCSI + cfq + netif stuff) <- atl1c driver, upon IPv6 traffic. Seemingly not IPv4 traffic, though.
The machine now has two NICs, so I guess I'll try to use the other interface to get a full stack trace.
Not better on the other NIC using IPv4 traffic. As soon as I try to ssh into the machine, I get that size overflow panic in tcp_rtt_estimator() <- tcp_ack() <- csum_partial() <- (TCP / IPv4 stuff) <- netif <- 8139too driver.
I can't really set up netconsole for the time being; the box needs to be back up soon...
I got a different stack trace which can fit on the screen.
PAX: size overflow detected in function tcp_rtt_estimator net/ipv4/tcp_input.c:714 cicus.1543_212 min, count: 78, decl: srtt_us; num:0; context tcp_sock;
Heh. Got another size overflow report, but not fatal because it isn't in an interrupt handler.
PAX: size overflow detected in function bictcp_cwnd_event net/ipv4/tcp_cubic.c:158 cicus.156_16 max count: 33, decl: epoch_start; num: 0; context: bictcp;
It's a byproduct of sys_write.
And it hangs the offending task, namely sshd, which I use as a trigger.
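For readers unfamiliar with what a line like "size overflow detected ... decl: srtt_us" means, here is a userland model of the kind of check behind it. This is an added illustration, not the kernel's tcp_rtt_estimator() or bictcp_cwnd_event() code and not the PaX size_overflow plugin itself: the field names (a u32 smoothed value, a u32 start timestamp), the EWMA shape and the delta computation are assumptions chosen to resemble the two reported sites. The idea shown is that an expression feeding a narrower declared field is evaluated in a wider type and compared against that field's range before the store, so a value that would wrap is reported instead of silently truncated, with "min" and "max" naming which bound was crossed.

```c
/*
 * Added illustration of a size-overflow style check (not kernel code and
 * not the PaX plugin): compute in a wider type, check that the result fits
 * the declared destination type, refuse the store and report otherwise.
 */
#include <stdint.h>
#include <stdio.h>

/* Which bound of the declared type the intermediate crossed, if any. */
enum so_result { SO_OK = 0, SO_MIN = 1, SO_MAX = 2 };

/* Hypothetical u32 field updated through an exponential moving average
 * with 1/8 gain, loosely shaped like a smoothed RTT estimator. */
struct ewma_u32 { uint32_t value; };

/* Can a signed 64-bit intermediate be stored in a u32 field? */
enum so_result check_u32(int64_t v)
{
    if (v < 0)
        return SO_MIN;
    if (v > (int64_t)UINT32_MAX)
        return SO_MAX;
    return SO_OK;
}

/* One update step: m = sample - value/8, value += m.
 * The arithmetic is done in int64_t; the result is only narrowed to u32
 * if it fits. On overflow the field is left untouched and the bound
 * crossed is returned (a kernel instrumentation would report or panic). */
enum so_result ewma_update(struct ewma_u32 *s, uint32_t sample)
{
    int64_t m = (int64_t)sample - (int64_t)(s->value >> 3);
    int64_t next = (int64_t)s->value + m;
    enum so_result r = check_u32(next);

    if (r == SO_OK)
        s->value = (uint32_t)next;
    return r;
}

/* Hypothetical elapsed-time computation: now - start stored into a u32.
 * A start timestamp later than now would wrap to a huge value in plain
 * u32 arithmetic; the widened check reports it as crossing the minimum. */
enum so_result delta_u32(uint32_t now, uint32_t start, uint32_t *out)
{
    int64_t d = (int64_t)now - (int64_t)start;
    enum so_result r = check_u32(d);

    if (r == SO_OK)
        *out = (uint32_t)d;
    return r;
}

static const char *so_name(enum so_result r)
{
    return r == SO_OK ? "ok" : r == SO_MIN ? "min" : "max";
}

int main(void)
{
    /* Constructed sample values, not measurements. */
    struct ewma_u32 s = { .value = 0 };
    struct ewma_u32 big = { .value = UINT32_MAX };
    uint32_t d = 0;

    printf("ewma_update(0, 800):             %s\n", so_name(ewma_update(&s, 800)));
    printf("ewma_update(UINT32_MAX, same):   %s\n", so_name(ewma_update(&big, UINT32_MAX)));
    printf("delta_u32(1000, 400):            %s\n", so_name(delta_u32(1000, 400, &d)));
    printf("delta_u32(400, 1000):            %s\n", so_name(delta_u32(400, 1000, &d)));
    return 0;
}
```

The second ewma_update call trips the "max" side because the widened intermediate exceeds UINT32_MAX; the last delta_u32 call trips the "min" side because the widened difference is negative. Whether the real reports above are genuine wraps or instrumentation false positives is not something this model can tell; it only shows what the two words in the message refer to.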