grsecurity forums

[linkfanel]

I got this reproducible error on a corrupted filesystem...

[ 591.140714] PAX: suspicious general protection fault: 0000 [#1]
[ 591.140869] Modules linked in: tcp_diag inet_diag af_packet ts_bm xt_tcpudp xt_string tun dummy sit tunnel4 ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 ip_tables x_tables dm_mod pata_ali 3c59x mii ipv6 unix
[ 591.143030]
[ 591.143111] Pid: 1831, comm: rm Not tainted 3.0.8-grsec #1
[ 591.143280] EIP: 0060:[<000e4052>] EFLAGS: 00010286 CPU: 0
[ 591.143383] EAX: 00000000 EBX: c204d94b ECX: 00000000 EDX: c49afd78
[ 591.143491] ESI: ffffffff EDI: c204d55e EBP: c49afd78 ESP: c49afce8
[ 591.143594] DS: 0068 ES: 0068 FS: 0000 GS: 007b SS: 0068
[ 591.143696] Process rm (pid: 1831, ti=c076faac task=c076f880 task.ti=c076faac)
[ 591.143811] Stack:
[ 591.143881] c744a460 c204d95e c49afda0 c7ad3800 c04e0a58 000ea66a 00000001 00000000
[ 591.144273] 00000000 00000000 00000000 c76d41f8 00000001 c746e460 00000088 c76d4310
[ 591.144662] 00000074 000f4c6b c7ad3800 c8c2c000 000f19e9 00000000 c7ad3800 c186998c
[ 591.145054] Call Trace:
[ 591.145168] [<000ea66a>] ? search_for_position_by_key+0x1a/0x2b0
[ 591.145300] [<000f4c6b>] ? reiserfs_write_lock+0x1b/0x30
[ 591.145410] [<000f19e9>] ? do_journal_end.clone.38+0x209/0xc60
[ 591.145543] [<000e431c>] ? __reiserfs_error+0x1c/0xb0
[ 591.145649] [<000ec2de>] ? reiserfs_do_truncate+0x47e/0x580
[ 591.145764] [<000f482f>] ? reiserfs_for_each_xattr+0x23f/0x3c0
[ 591.145896] [<00076dfe>] ? mprotect_fixup+0x6e/0x4d0
[ 591.146004] [<00076dff>] ? mprotect_fixup+0x6f/0x4d0
[ 591.146116] [<006b113b>] ? 0x6b113a
[ 591.146212] [<000ec405>] ? reiserfs_delete_object+0x25/0x60
[ 591.146325] [<000d8e8b>] ? reiserfs_evict_inode+0xab/0xe0
[ 591.146434] [<006b113b>] ? 0x6b113a
[ 591.146542] [<0009f026>] ? evict+0x46/0x110
[ 591.146643] [<00096118>] ? do_unlinkat+0xe8/0x1c0
[ 591.146750] [<00076dff>] ? mprotect_fixup+0x6f/0x4d0
[ 591.146876] [<0020decb>] ? restore_all_pax+0x7/0x7
[ 591.146981] [<0020deb0>] ? syscall_call+0x7/0xb
[ 591.147097] [<00010246>] ? hw_perf_event_destroy+0x6/0xb0
[ 591.147219] [<00008000>] ? arch_validate_hwbkpt_settings+0xb0/0xe0
[ 591.147348] [<000889e3>] ? filp_close+0x43/0x60
[ 591.147453] [<00088a5e>] ? sys_close+0x5e/0x80
[ 591.147558] [<0020decb>] ? restore_all_pax+0x7/0x7
[ 591.147652] Code: ff 00 00 52 8b 48 08 51 8b 50 04 52 8b 00 50 68 60 5e 86 c1 57 e8 3f 51 04 00 83 c4 1c e9 e7 fd ff ff 8d 6e 04 8b 36 85 f6 74 75 <8a> 46 10 ba 85 02 87 c1 84 c0 74 1b 3c 03 74 79 ba 3d 94 86 c1
[ 591.150067] EIP: [<000e4052>] prepare_error_buf+0x3b2/0x4b0 SS:ESP 0068:c49afce8
[ 591.150373] ---[ end trace c51ba557ad60cc16 ]---
[ 591.150472] ------------[ cut here ]------------

Is this related to PaX in any way, or just a typical kernel bug?

[PaX Team]

Is this related to PaX in any way, or just a typical kernel bug?

this looks like a problem in reiserfs (dereferencing an invalid pointer, looks like 'NULL -1'). if you send me your .config and vmlinux, i can maybe pinpoint the failing code. on the other hand, if you can't reproduce the oops, we probably won't know what really went wrong and can't fix this properly.