Small CIFS problem


Post by specs » Thu Aug 16, 2012 12:14 pm

The problem:
Code:
CIFS VFS: default security mechanism requested.  The default security mechanism will be upgraded from ntlm to ntlmv2 in kernel release 3.3
PAX: size overflow detected in function blkcipher_next_slow crypto/blkcipher.c:164
Pid: 6185, comm: cryptomgr_test Not tainted 3.2.27-201208132029-2 #1
Call Trace:
 [<0008d49c>] ? report_size_overflow+0x1b/0x25
 [<0010606c>] ? blkcipher_walk_next+0x149/0x2b6
 [<002de0b3>] ? crypto_ecb_crypt+0x57/0x67 [ecb]
 [<002de13c>] ? crypto_ecb_encrypt+0x39/0x40 [ecb]
 [<003056eb>] ? des_ekey+0x6eb/0x6eb [des_generic]
 [<00105962>] ? async_encrypt+0x32/0x39
 [<00109098>] ? test_skcipher+0x42c/0x596
 [<00102b18>] ? crypto_alg_lookup+0x32/0x3a
 [<00102b45>] ? crypto_larval_lookup+0x25/0xff
 [<00102f00>] ? crypto_alg_mod_lookup+0x30/0x76
 [<0010568e>] ? crypto_lookup_skcipher+0x1e/0x1ed
 [<000025c0>] ? __show_regs+0x4/0x4
 [<00109b8d>] ? alg_test_skcipher+0x47/0x76
 [<00109f12>] ? alg_test+0x15d/0x1e8
 [<000246f5>] ? try_to_wake_up+0x199/0x1a4
 [<0001dd7e>] ? __wake_up_common+0x36/0x5d
 [<001083f4>] ? cryptomgr_probe+0xa2/0xa2
 [<00108413>] ? cryptomgr_test+0x1f/0x3c
 [<0003d641>] ? kthread+0x64/0x69
 [<0003d5dd>] ? kthread_worker_fn+0xf9/0xf9
 [<002ac842>] ? kernel_thread_helper+0x6/0xd
CIFS: Unknown mount option nodiratime
CIFS VFS: could not allocate des crypto API

CIFS VFS: Error -110 during NTLM authentication
CIFS VFS: Send error in SessSetup = -110
CIFS VFS: cifs_mount failed w/return code = -110
CIFS VFS: could not allocate des crypto API

The "cause" is a call to "mount -t cifs //homeserver/Sources /home/sources". (Actually with a few options, but it also fails with this command line.)
It still worked with grsecurity-2.9.1-3.2.27-201208112021.patch.
It failed with grsecurity-2.9.1-3.2.27-201208132029.patch.

The config has hardly changed since the last report, but you will find it in your email.

Re: Small CIFS problem

Post by ephox » Thu Aug 16, 2012 2:52 pm

Hi, can you reproduce it with the latest grsec (0815) version? I fixed some bugs in my overflow plugin since version 0813.

Re: Small CIFS problem

Post by specs » Thu Aug 16, 2012 4:17 pm

It seems the same to me.
From dmesg:
Code:
CIFS VFS: default security mechanism requested.  The default security mechanism will be upgraded from ntlm to ntlmv2 in kernel release 3.3
PAX: size overflow detected in function blkcipher_next_slow crypto/blkcipher.c:164 cicus.32_56 (max)
Pid: 5835, comm: cryptomgr_test Not tainted 3.2.27-201208151951-3 #1
Call Trace:
 [<0008d605>] ? report_size_overflow+0x1f/0x29
 [<00106774>] ? blkcipher_walk_next+0x149/0x2b6
 [<002e50b3>] ? crypto_ecb_crypt+0x57/0x67 [ecb]
 [<002e513c>] ? crypto_ecb_encrypt+0x39/0x40 [ecb]
 [<002e96eb>] ? des_ekey+0x6eb/0x6eb [des_generic]
 [<0010606a>] ? async_encrypt+0x32/0x39
 [<001097a0>] ? test_skcipher+0x42c/0x596
 [<00103220>] ? crypto_alg_lookup+0x32/0x3a
 [<0010324d>] ? crypto_larval_lookup+0x25/0xff
 [<00103608>] ? crypto_alg_mod_lookup+0x30/0x76
 [<00105d96>] ? crypto_lookup_skcipher+0x1e/0x1ed
 [<000025c0>] ? __show_regs+0x4/0x4
 [<0010a295>] ? alg_test_skcipher+0x47/0x76
 [<0010a45f>] ? alg_test+0x15d/0x1e8
 [<00024785>] ? try_to_wake_up+0x199/0x1a4
 [<0001de0e>] ? __wake_up_common+0x36/0x5d
 [<00108afc>] ? cryptomgr_probe+0xa2/0xa2
 [<00108b1b>] ? cryptomgr_test+0x1f/0x3c
 [<0003d779>] ? kthread+0x64/0x69
 [<0003d715>] ? kthread_worker_fn+0xf9/0xf9
 [<002ae2c2>] ? kernel_thread_helper+0x6/0xd

And I see this at the prompt.
Code:
# !mount
mount -t cifs //renchan/Sources test
Password:
mount error(110): Connection timed out
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)


Since it's grsecurity, spender should have the config by now.
Hope it helps a little.

Re: Small CIFS problem

Post by ephox » Thu Aug 16, 2012 6:18 pm

Which gcc version do you use? Can you patch your kernel with the following and send me the "SIZE_OVERFLOW: aligned_bsize" from dmesg, please? The patch is:
Code:
--- orig        2012-08-17 00:09:59.630534514 +0200
+++ crypto/blkcipher.c  2012-08-17 00:10:02.490536223 +0200
@@ -161,6 +161,7 @@ static inline int blkcipher_next_slow(st
        if (walk->buffer)
                goto ok;
 
+       printk(KERN_ERR "SIZE_OVERFLOW: aligned_bsize: %x alignmask: %x\n", aligned_bsize, alignmask);
        n = aligned_bsize * 3 - (alignmask + 1) +
            (alignmask & ~(crypto_tfm_ctx_alignment() - 1));
        walk->buffer = kmalloc(n, GFP_ATOMIC);
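
Review bot: the printk added ahead of the `n = ...` computation logs aligned_bsize and alignmask but leaves out crypto_tfm_ctx_alignment(), the third input to that expression, so the size handed to kmalloc cannot be recomputed from the dmesg line alone; consider passing it as a third argument. The bare %x prints without a 0x prefix, which makes the values easy to misread as decimal when they are pasted into a report; %#x avoids that. The message is at KERN_ERR with no rate limiting and is emitted every time walk->buffer is unset, so it should stay a local debugging aid and not be carried into a tree.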

Re: Small CIFS problem

Post by ephox » Thu Aug 16, 2012 6:43 pm

I found the bug; you can find the fix in the next plugin version (probably in the next PaX patch).

Re: Small CIFS problem

Post by specs » Tue Aug 21, 2012 1:59 pm

It works again with grsecurity-2.9.1-3.2.27-201208201521.patch.

Thanks for your effort.