grsecurity-2.9-3.3.7-201205271953 kills smartd size overflow

Postby Dwokfur » Fri Jun 01, 2012 6:38 pm

After upgrading from hardened-sources-3.3.6-r1 (grsecurity-2.9-3.3.6-201205191125) to hardened-sources-3.3.7 (grsecurity-2.9-3.3.7-201205271953), smartd gets killed by PaX upon booting:

Jun 2 00:47:50 kernel: PAX: size overflow detected in function ata_cmd_ioctl drivers/ata/libata-scsi.c:488
Jun 2 00:47:50 kernel: Pid: 4767, comm: smartd Not tainted 3.3.7-hardened #1
Jun 2 00:47:50 kernel: Call Trace:
Jun 2 00:47:50 kernel: [<ffffffff8114bf87>] ? report_size_overflow+0x37/0x50
Jun 2 00:47:50 kernel: [<ffffffff81477162>] ? ata_cmd_ioctl+0x1d2/0x6b0
Jun 2 00:47:50 kernel: [<ffffffff81477ca0>] ? ata_sas_scsi_ioctl+0x210/0x720
Jun 2 00:47:50 kernel: [<ffffffff8143db97>] ? scsi_ioctl+0x107/0x6b0
Jun 2 00:47:50 kernel: [<ffffffff812ebd24>] ? blkdev_ioctl+0x104/0x910
Jun 2 00:47:50 kernel: [<ffffffff81181357>] ? block_ioctl+0x47/0x70
Jun 2 00:47:50 kernel: [<ffffffff8115b377>] ? do_vfs_ioctl+0xc7/0x8d0
Jun 2 00:47:50 kernel: [<ffffffff8115bc28>] ? sys_ioctl+0xa8/0xb0
Jun 2 00:47:50 kernel: [<ffffffff818f9b5e>] ? system_call_fastpath+0x18/0x1d

Something happened between these two versions of grsecurity. Please let me know if there's anything else I should report to help resolve this problem.

Thanks:
Dw.
Dwokfur
 
Posts: 99
Joined: Tue Jun 08, 2004 10:07 am

Re: grsecurity-2.9-3.3.7-201205271953 kills smartd size over

Postby PaX Team » Fri Jun 01, 2012 7:53 pm

Dwokfur wrote:After upgrading from hardened-sources-3.3.6-r1 (grsecurity-2.9-3.3.6-201205191125) to hardened-sources-3.3.7 (grsecurity-2.9-3.3.7-201205271953), smartd gets killed by PaX upon booting:

Jun 2 00:47:50 kernel: PAX: size overflow detected in function ata_cmd_ioctl drivers/ata/libata-scsi.c:488
Jun 2 00:47:50 kernel: Pid: 4767, comm: smartd Not tainted 3.3.7-hardened #1
Jun 2 00:47:50 kernel: Call Trace:
Jun 2 00:47:50 kernel: [<ffffffff8114bf87>] ? report_size_overflow+0x37/0x50
Jun 2 00:47:50 kernel: [<ffffffff81477162>] ? ata_cmd_ioctl+0x1d2/0x6b0
can you stick in a printk before the kmalloc and print out args[3]?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: grsecurity-2.9-3.3.7-201205271953 kills smartd size over

Postby Dwokfur » Sun Jun 10, 2012 8:58 am

The problem persists in hardened-sources-3.3.8. So I inserted the requested printk like this:

printk("args[3] 4 PaxTeam: %d.\n", args[3]);

That's why it reports line 490 instead of 488.

args[3] 4 PaxTeam: 1.
PAX: size overflow detected in function ata_cmd_ioctl drivers/ata/libata-scsi.c:490
Pid: 4794, comm: smartd Not tainted 3.3.8-hardened #2
Call Trace:
[<ffffffff81147a59>] ? report_size_overflow+0x29/0x40
[<ffffffff81467b6b>] ? ata_cmd_ioctl+0x1fb/0x630
[<ffffffff81468635>] ? ata_sas_scsi_ioctl+0x235/0x740
[<ffffffff8142ec48>] ? scsi_ioctl+0xd8/0x6e0
[<ffffffff812e22f4>] ? blkdev_ioctl+0x104/0x9e0
[<ffffffff8117bf99>] ? block_ioctl+0x49/0x70
PAX: size overflow detected in function ata_cmd_ioctl drivers/ata/libata-scsi.c:490
[<ffffffff81156aa9>] ? do_vfs_ioctl+0xc9/0x940
[<ffffffff811573c8>] ? sys_ioctl+0xa8/0xb0
[<ffffffff818eff4a>] ? sysret_check+0x22/0x5d
[<ffffffff818eff1e>] ? system_call_fastpath+0x18/0x1d

Please let me know what else I should do.

Thanks: Dw.
Dwokfur
 
Posts: 99
Joined: Tue Jun 08, 2004 10:07 am

Re: grsecurity-2.9-3.3.7-201205271953 kills smartd size over

Postby Dwokfur » Sun Jun 10, 2012 3:41 pm

Second run:

modified code:
487        if (args[3]) {
488                printk("4 PaxTeam - args[3]: %d, ATA_SECT_SIZE: %d, ", args[3], ATA_SECT_SIZE);
489                printk("ATA_SECT_SIZE * args[3]: %d.\n", (ATA_SECT_SIZE * args[3]));
490                argsize = ATA_SECT_SIZE * args[3];
491                argbuf = kmalloc(argsize, GFP_KERNEL);


output:
4 PaxTeam - args[3]: 1, ATA_SECT_SIZE: 512, ATA_SECT_SIZE * args[3]: 512.
PAX: size overflow detected in function ata_cmd_ioctl drivers/ata/libata-scsi.c:490
Pid: 4789, comm: smartd Not tainted 3.3.8-hardened #5
Call Trace:
[<ffffffff81147a59>] ? report_size_overflow+0x29/0x40
[<ffffffff81467eae>] ? ata_cmd_ioctl+0x53e/0x6b0
[<ffffffff8130502b>] ? gr_task_acl_is_capable+0x3b/0x250
[<ffffffff814686b5>] ? ata_sas_scsi_ioctl+0x235/0x740
[<ffffffff8142ec48>] ? scsi_ioctl+0xd8/0x6e0
[<ffffffff812e22f4>] ? blkdev_ioctl+0x104/0x9e0
[<ffffffff8117bf99>] ? block_ioctl+0x49/0x70
[<ffffffff81156aa9>] ? do_vfs_ioctl+0xc9/0x940
[<ffffffff811573c8>] ? sys_ioctl+0xa8/0xb0
[<ffffffff818eff9e>] ? system_call_fastpath+0x18/0x1d

Architecture: corei7-avx (2630QM), 64bit-only Gentoo install.

Thanks: Dw.
Dwokfur
 
Posts: 99
Joined: Tue Jun 08, 2004 10:07 am

Re: grsecurity-2.9-3.3.7-201205271953 kills smartd size over

Postby PaX Team » Sun Jun 10, 2012 7:08 pm

Dwokfur wrote:4 PaxTeam - args[3]: 1
ok, this looks like a plugin bug/false positive, we'll look into it.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
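The arithmetic behind the report, as an added example that is not code from this thread or from the PaX size_overflow plugin: a userspace model of the kind of check that size-overflow instrumentation wraps around a size expression before it reaches kmalloc(). It assumes, as in the kernel's ata_cmd_ioctl, that args[3] is a u8 sector count and argsize an int; with those declarations the product can never exceed INT_MAX, so a report on args[3] == 1 cannot be a genuine overflow. The 32-bit count variant is included only to show what the check looks like when it fires for a real reason.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ATA_SECT_SIZE 512   /* same value as the kernel's ATA_SECT_SIZE */

/* Model of the check size-overflow instrumentation inserts around a size
 * expression: evaluate the product in a wider type and flag it if the
 * result does not fit the declared int. Returns true when the value fits,
 * false where an instrumented kernel would call report_size_overflow(). */
static bool mul_fits_int(long long a, long long b, int *out)
{
    long long wide = a * b;            /* both operands are < 2^32, so no 64-bit overflow */
    if (wide < 0 || wide > INT_MAX)
        return false;
    *out = (int)wide;
    return true;
}

/* The ioctl path as the thread shows it: argsize = ATA_SECT_SIZE * args[3],
 * with args[3] declared u8 (assumed from the kernel's ata_cmd_ioctl).
 * Returns the size to allocate, or -1 if the check fires. */
int argsize_u8(uint8_t nsect)
{
    int argsize = 0;
    return mul_fits_int(ATA_SECT_SIZE, nsect, &argsize) ? argsize : -1;
}

/* Same expression with a 32-bit count, for contrast: here the check can
 * legitimately fire. */
int argsize_u32(uint32_t nsect)
{
    int argsize = 0;
    return mul_fits_int(ATA_SECT_SIZE, nsect, &argsize) ? argsize : -1;
}

/* Largest product a u8 count can produce (512 * 255 = 130560). */
long long max_u8_product(void)
{
    return (long long)ATA_SECT_SIZE * UINT8_MAX;
}

/* True only if some u8 count could push the product past int range. */
bool u8_count_can_overflow(void)
{
    return max_u8_product() > INT_MAX;
}

int main(void)
{
    printf("args[3]=1   -> argsize %d\n", argsize_u8(1));
    printf("args[3]=255 -> argsize %d\n", argsize_u8(255));
    printf("u8 count can overflow int: %s\n", u8_count_can_overflow() ? "yes" : "no");
    printf("u32 count 0x400000 -> %d (-1 means the check fired)\n",
           argsize_u32(0x400000));
    return 0;
}
```

The point of the u8 case is that the checker's verdict should depend on the declared type of the operands: a correct instrumentation of this multiplication has nothing to report, whatever value smartd passes in args[3].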

Re: grsecurity-2.9-3.3.7-201205271953 kills smartd size over

Postby ephox » Wed Jun 13, 2012 3:27 pm

It was fixed in this grsecurity version:
https://grsecurity.net/~spender/grsecur ... 2153.patch
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm

Re: grsecurity-2.9-3.3.7-201205271953 kills smartd size over

Postby Dwokfur » Fri Jun 15, 2012 8:51 am

I compiled a custom kernel with your linked patch.
Smartd fails the same way with size overflow.
Additionally gradm reports incompatible versions.
In the meantime iptables has problems with this kernel as well, but that seems to be unrelated to this problem. I could see no other size overflow messages apart from the one triggered by smartd.

I've also read the plugin's README. The last time I compiled a kernel I logged these missing size_overflow hash table messages:
mm/slab.c:4435:16: note: Function slabinfo_write is missing from the size_overflow hash table +slabinfo_write+3+18600+
fs/proc/base.c:840:16: note: Function mem_write is missing from the size_overflow hash table +mem_write+3+22232+
fs/proc/base.c:834:16: note: Function mem_read is missing from the size_overflo hash table +mem_read+3+57631+
fs/binfmt_elf.c:110:12: note: Function padzero is missing from the size_overflo hash table +padzero+1+55+
grsecurity/gracl.c:832:1: note: Function create_table is missing from the size_overflow hash table +create_table+2+16213+
grsecurity/gracl.c:832:1: note: Function create_table is missing from the size_overflow hash table +create_table+2+16213+
grsecurity/gracl.c:832:1: note: Function create_table is missing from the size_overflow hash table +create_table+2+16213+
grsecurity/gracl.c:832:1: note: Function create_table is missing from the size_overflow hash table +create_table+2+16213+
grsecurity/gracl_alloc.c:39:1: note: Function acl_alloc is missing from the size_overflow hash table +acl_alloc+1+35979+
grsecurity/gracl_alloc.c:91:1: note: Function acl_alloc_stack_init is missing from the size_overflow hash table +acl_alloc_stack_init+1+60630+
grsecurity/gracl_alloc.c:91:1: note: Function acl_alloc_stack_init is missing from the size_overflow hash table +acl_alloc_stack_init+1+60630+
grsecurity/gracl_alloc.c:91:1: note: Function acl_alloc_stack_init is missing from the size_overflow hash table +acl_alloc_stack_init+1+60630+
grsecurity/gracl_alloc.c:91:1: note: Function acl_alloc_stack_init is missing from the size_overflow hash table +acl_alloc_stack_init+1+60630+
grsecurity/gracl_alloc.c:91:1: note: Function acl_alloc_stack_init is missing from the size_overflow hash table +acl_alloc_stack_init+1+60630+
grsecurity/gracl_alloc.c:91:1: note: Function acl_alloc_stack_init is missing from the size_overflow hash table +acl_alloc_stack_init+1+60630+
drivers/acpi/acpica/exnames.c:75:14: note: Function acpi_ex_allocate_name_string is missing from the size_overflow hash table +acpi_ex_allocate_name_string+1+7685+
drivers/acpi/acpica/exnames.c:75:14: note: Function acpi_ex_allocate_name_string is missing from the size_overflow hash table +acpi_ex_allocate_name_string+1+7685+
drivers/char/kcopy/kcopy.c:303:22: note: Function kcopy_copy_pages_from_user is missing from the size_overflow hash table +kcopy_copy_pages_from_user+3+59866+
drivers/char/kcopy/kcopy.c:303:22: note: Function kcopy_copy_pages_from_user is missing from the size_overflow hash table +kcopy_copy_pages_from_user+4+59866+
drivers/char/kcopy/kcopy.c:344:22: note: Function kcopy_copy_pages_to_user is missing from the size_overflow hash table +kcopy_copy_pages_to_user+3+49823+
drivers/char/kcopy/kcopy.c:344:22: note: Function kcopy_copy_pages_to_user is missing from the size_overflow hash table +kcopy_copy_pages_to_user+4+49823+
drivers/char/kcopy/kcopy.c:524:9: note: Function kcopy_write is missing from the size_overflow hash table +kcopy_write+3+43683+

Please let me know the next target for test.

Regards:
Dw.
Dwokfur
 
Posts: 99
Joined: Tue Jun 08, 2004 10:07 am
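The compiler notes quoted above all end in a token of the same shape. As an added example that is not from this thread or from the PaX project, here is a small C parser that pulls the trailing +name+N+hash+ token out of each note and drops exact repeats, so that a long build log reduces to the distinct entries; the meaning of the three fields (function name, parameter number, hash) is assumed from the note layout rather than taken from the plugin's README. The sample lines are copied from the post above, plus one constructed line that is not such a note.

```c
#include <stdio.h>
#include <string.h>

/* One entry recovered from a "missing from the size_overflow hash table"
 * note. Field meaning is assumed from the note layout: +name+param+hash+. */
struct so_entry {
    char name[64];
    int param;
    unsigned hash;
};

/* Parse a single compiler note. Returns 1 and fills *e on success, 0 if the
 * line is not such a note. Anchoring on "hash table +" also accepts the
 * truncated "size_overflo" spelling seen in the pasted output. */
int parse_so_note(const char *line, struct so_entry *e)
{
    const char *p = strstr(line, "hash table +");
    if (!p)
        return 0;
    p += strlen("hash table ");               /* now at "+name+param+hash+" */
    return sscanf(p, "+%63[^+]+%d+%u+", e->name, &e->param, &e->hash) == 3;
}

/* Collect the distinct (name, param, hash) triples from a set of lines.
 * The same function can legitimately appear with different param numbers
 * (kcopy_copy_pages_from_user +3 and +4 above), so all three fields decide
 * identity. Returns the number of unique entries stored in out[]. */
int collect_unique(const char *const *lines, int n, struct so_entry *out, int max)
{
    int count = 0;
    for (int i = 0; i < n; i++) {
        struct so_entry e;
        if (!parse_so_note(lines[i], &e))
            continue;
        int dup = 0;
        for (int j = 0; j < count; j++) {
            if (out[j].param == e.param && out[j].hash == e.hash &&
                strcmp(out[j].name, e.name) == 0) {
                dup = 1;
                break;
            }
        }
        if (!dup && count < max)
            out[count++] = e;
    }
    return count;
}

/* Sample input: lines copied from the post above, plus one constructed line
 * that carries no hash-table note. */
static const char *const SAMPLE[] = {
    "mm/slab.c:4435:16: note: Function slabinfo_write is missing from the size_overflow hash table +slabinfo_write+3+18600+",
    "fs/proc/base.c:834:16: note: Function mem_read is missing from the size_overflo hash table +mem_read+3+57631+",
    "grsecurity/gracl.c:832:1: note: Function create_table is missing from the size_overflow hash table +create_table+2+16213+",
    "grsecurity/gracl.c:832:1: note: Function create_table is missing from the size_overflow hash table +create_table+2+16213+",
    "drivers/char/kcopy/kcopy.c:303:22: note: Function kcopy_copy_pages_from_user is missing from the size_overflow hash table +kcopy_copy_pages_from_user+3+59866+",
    "drivers/char/kcopy/kcopy.c:303:22: note: Function kcopy_copy_pages_from_user is missing from the size_overflow hash table +kcopy_copy_pages_from_user+4+59866+",
    "drivers/ata/libata-scsi.c:490:1: warning: constructed line with no hash-table note",
};
#define SAMPLE_N (int)(sizeof SAMPLE / sizeof SAMPLE[0])

/* Distinct entries in the sample: 5 (one repeat and one non-note dropped). */
int sample_unique_count(void)
{
    struct so_entry out[16];
    return collect_unique(SAMPLE, SAMPLE_N, out, 16);
}

/* Parameter number and hash of one line, for checking the parser alone. */
int parsed_param(const char *line)
{
    struct so_entry e;
    return parse_so_note(line, &e) ? e.param : -1;
}

unsigned parsed_hash(const char *line)
{
    struct so_entry e;
    return parse_so_note(line, &e) ? e.hash : 0;
}

int main(void)
{
    struct so_entry out[16];
    int n = collect_unique(SAMPLE, SAMPLE_N, out, 16);
    for (int i = 0; i < n; i++)
        printf("+%s+%d+%u+\n", out[i].name, out[i].param, out[i].hash);
    return 0;
}
```

Piping a full build log through this instead of reading it by eye makes it easy to spot which notes are new after a plugin or kernel upgrade.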

Re: grsecurity-2.9-3.3.7-201205271953 kills smartd size over

Postby Dwokfur » Wed Jun 20, 2012 12:54 pm

May I expect grsecurity-2.9.1-3.4.3-201206171836 to provide a remedy, or should I test another version of the patch?
I'll test it anyways.

Regards:
Dw.
Dwokfur
 
Posts: 99
Joined: Tue Jun 08, 2004 10:07 am

Re: grsecurity-2.9-3.3.7-201205271953 kills smartd size over

Postby PaX Team » Wed Jun 20, 2012 1:12 pm

Dwokfur wrote:May I expect grsecurity-2.9.1-3.4.3-201206171836 to provide a remedy, or should I test another version of the patch?
you're slow ;), there's a new one since yesterday. but yes, Emese fixed the plugin that should avoid this problem but we also ran into other issues since that require more extensive changes, so only real testing will tell whether your particular issue is fixed or not.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: grsecurity-2.9-3.3.7-201205271953 kills smartd size over

Postby Dwokfur » Wed Jun 20, 2012 9:05 pm

It seems my particular problem has been solved as of grsecurity-2.9.1-3.4.3-201206171836.
I have to compile a new gradm for this version. The Netfilter log config option was moved in kernel 3.4.x; that was the cause of my iptables problem. BTW: is there a way to make the gradm utility backwards compatible?
Emese. Hmm. So you've got a novice? Does she like pipacs? Pass my greetings to her. ;->
Dwokfur
 
Posts: 99
Joined: Tue Jun 08, 2004 10:07 am

Re: grsecurity-2.9-3.3.7-201205271953 kills smartd size over

Postby spender » Thu Jun 21, 2012 7:23 am

It would be possible but it's not worth the effort (and would introduce additional pain every time a new feature was added). It also makes sure everyone's on the same page with using the latest policy analysis. The versions don't change that often (and I only change versions when required by the protocol between gradm and the kernel), so I don't think it's a big inconvenience.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
