nfs overflow

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

nfs overflow

Postby forsaken » Sat Apr 27, 2013 8:39 am

Hi,

With grsecurity-2.9.1-3.8.10-201304262208 I got this when logging onto an already running nfs client after having rebooted the server:

Apr 27 14:33:47 [kernel] PAX: size overflow detected in function nfsd_cache_update fs/nfsd/nfscache.c:267 cicus.155_59 min, count: 26
Apr 27 14:33:47 [kernel] Pid: 2832, comm: nfsd Not tainted 3.8.10-grsec #1
Apr 27 14:33:47 [kernel] Call Trace:
Apr 27 14:33:47 [kernel] [<ffffffff810f91de>] report_size_overflow+0x3a/0x44
Apr 27 14:33:47 [kernel] [<ffffffff811d1311>] nfsd_cache_update+0xac/0x1db
Apr 27 14:33:47 [kernel] [<ffffffff811c86ec>] nfsd_dispatch+0x171/0x188
Apr 27 14:33:47 [kernel] [<ffffffff81722964>] svc_process+0x485/0x73b
Apr 27 14:33:47 [kernel] [<ffffffff811c816b>] nfsd+0xc6/0x116
Apr 27 14:33:47 [kernel] [<ffffffff811c80a5>] ? nfsd_destroy+0x7d/0x7d
- Last output repeated twice -
Apr 27 14:33:47 [kernel] [<ffffffff8106d887>] kthread+0xc1/0xc9
Apr 27 14:33:47 [kernel] [<ffffffff8106d7c6>] ? __kthread_parkme+0x66/0x66
Apr 27 14:33:47 [kernel] [<ffffffff817c1462>] ret_from_fork+0x72/0xa0
Apr 27 14:33:47 [kernel] [<ffffffff8106d7c6>] ? __kthread_parkme+0x66/0x66

Edit: rebooting the client did not help.
forsaken
 
Posts: 74
Joined: Tue May 18, 2004 3:04 am

Re: nfs overflow

Postby PaX Team » Sat Apr 27, 2013 8:58 am

PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: nfs overflow

Postby forsaken » Sat Apr 27, 2013 9:26 am

Thanks, unfortunately Jason's patch does not seem to solve the problem:

Apr 27 15:18:46 [kernel] PAX: size overflow detected in function nfsd_cache_update fs/nfsd/nfscache.c:269 cicus.156_64 min, count: 26
Apr 27 15:18:46 [kernel] Pid: 2826, comm: nfsd Not tainted 3.8.10-grsec #2
Apr 27 15:18:46 [kernel] Call Trace:
Apr 27 15:18:46 [kernel] [<ffffffff810f91de>] report_size_overflow+0x3a/0x44
Apr 27 15:18:46 [kernel] [<ffffffff811d131b>] nfsd_cache_update+0xb6/0x1f3
Apr 27 15:18:46 [kernel] [<ffffffff811c86ec>] nfsd_dispatch+0x171/0x188
Apr 27 15:18:46 [kernel] [<ffffffff81722964>] svc_process+0x485/0x73b
Apr 27 15:18:46 [kernel] [<ffffffff811c816b>] nfsd+0xc6/0x116
Apr 27 15:18:46 [kernel] [<ffffffff811c80a5>] ? nfsd_destroy+0x7d/0x7d
- Last output repeated twice -
Apr 27 15:18:46 [kernel] [<ffffffff8106d887>] kthread+0xc1/0xc9
Apr 27 15:18:46 [kernel] [<ffffffff8106d7c6>] ? __kthread_parkme+0x66/0x66
Apr 27 15:18:46 [kernel] [<ffffffff817c1462>] ret_from_fork+0x72/0xa0
Apr 27 15:18:46 [kernel] [<ffffffff8106d7c6>] ? __kthread_parkme+0x66/0x66
forsaken
 
Posts: 74
Joined: Tue May 18, 2004 3:04 am

Re: nfs overflow

Postby forsaken » Sat Apr 27, 2013 10:06 am

I added a printk before the overflow:

printk(KERN_ERR "resv: %d, statp: %X, iov_base: %X", resv->iov_len, statp, resv->iov_base);
Apr 27 16:00:55 [kernel] resv: 148, statp: E7F401C, iov_base: E7F4000

Don't see why that would overflow.
forsaken
 
Posts: 74
Joined: Tue May 18, 2004 3:04 am

Re: nfs overflow

Postby PaX Team » Sun Apr 28, 2013 2:37 am

thanks for the info, that's a new/different issue, i believe it's the usual false positive due to gcc's canonicalization of the expression that introduces an intentional overflow and that the overflow plugin will have to recognize and not trigger on.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: nfs overflow

Postby gaima » Mon Apr 29, 2013 5:10 pm

PaX Team wrote:thanks for the info, that's a new/different issue, i believe it's the usual false positive due to gcc's canonicalization of the expression that introduces an intentional overflow and that the overflow plugin will have to recognize and not trigger on.


Hi

I've got a very similar problem with 3.2.43.

Code: Select all
[685687.851952] PAX: size overflow detected in function nfsd_cache_update fs/nfsd/nfscache.c:267 cicus.32_58 min, count: 8
[685687.851958] Pid: 8887, comm: nfsd Not tainted 3.2.43-hardened-r1 #1
[685687.851961] Call Trace:
[685687.851970]  [<ffffffff810c685f>] ? report_size_overflow+0x22/0x2c
[685687.851982]  [<ffffffffa05a7f57>] ? nfsd_cache_update+0xa8/0x1d1 [nfsd]
[685687.851989]  [<ffffffffa05bfcb8>] ? nfs_cb_stat_to_errno+0x19ed/0xb8a1 [nfsd]
[685687.851996]  [<ffffffffa059f8bc>] ? nfsd_dispatch+0x1d4/0x1ea [nfsd]
[685687.852002]  [<ffffffffa05bfcb8>] ? nfs_cb_stat_to_errno+0x19ed/0xb8a1 [nfsd]
[685687.852019]  [<ffffffffa034e1a9>] ? svc_process+0x4b1/0x7b8 [sunrpc]
[685687.852023]  [<ffffffff8102c8d7>] ? try_to_wake_up+0x21a/0x21a
[685687.852028]  [<ffffffffa059f0e3>] ? nfsd+0xe3/0x127 [nfsd]
[685687.852041]  [<ffffffffa059f000>] ? 0xffffffffa059efff
[685687.852045]  [<ffffffff8104d8c1>] ? kthread+0x82/0x8a
[685687.852049]  [<ffffffff81441eb9>] ? kernel_thread_helper+0x9/0x20
[685687.852052]  [<ffffffff8143f72a>] ? retint_restore_args+0x6/0xd
[685687.852055]  [<ffffffff8104d83f>] ? kthread_worker_fn+0x13f/0x13f
[685687.852058]  [<ffffffff81441eb0>] ? gs_change+0x1b/0x1b


As you can see from the dmesg timestamp it took nearly 8 days for the problem to occur.

Thanks
gaima
 
Posts: 27
Joined: Fri Feb 12, 2010 12:17 pm


Return to grsecurity support

cron