Some more size overflows

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Some more size overflows

Postby alan.d » Thu Oct 22, 2015 4:02 pm

Hi, I also got a (yet unreported?) size overflow using the 201510222059 patch:

Code: Select all
[   10.041789] PAX: size overflow detected in function acm_probe drivers/usb/class/cdc-acm.c:1381 cicus.583_677 min, count: 64, decl: pipe; num: 0; context: urb;
[   10.041794] CPU: 4 PID: 581 Comm: systemd-udevd Not tainted 4.2.4-grsec-3.1-201510222059 #1
[   10.041795] Hardware name: Dell Inc. Precision M4600/      , BIOS A14 03/10/2013
[   10.041797]  bf3e15c1071bf6ad ffff8800c9f52000 0000000000000000 ffff8800c9f524d0
[   10.041800]  ffffffff8158bcd0 ffff8800c9f52000 ffffffffa076e3fb 0000000000000001
[   10.041801]  0000000000000400 ffff88041640b800 ffff880416406c00 ffff880416406800
[   10.041803] Call Trace:
[   10.041809]  [<ffffffff8158bcd0>] ? dump_stack+0x40/0x56
[   10.041813]  [<ffffffffa076e3fb>] ? acm_probe+0x109b/0x1530 [cdc_acm]
[   10.041816]  [<ffffffffa076fee0>] ? acm_ids+0xba0/0xc80 [cdc_acm]
[   10.041824]  [<ffffffffa00e3b32>] ? usb_probe_interface+0x192/0x270 [usbcore]
[   10.041827]  [<ffffffff813e4ee4>] ? driver_probe_device+0x1b4/0x310
[   10.041829]  [<ffffffff813e50ca>] ? __driver_attach+0x8a/0x90
[   10.041830]  [<ffffffff813e5040>] ? driver_probe_device+0x310/0x310
[   10.041833]  [<ffffffff813e2ef6>] ? bus_for_each_dev+0x66/0xa0
[   10.041835]  [<ffffffff813e4452>] ? bus_add_driver+0x1a2/0x220
[   10.041837]  [<ffffffff813e57e6>] ? driver_register+0x56/0xd0
[   10.041843]  [<ffffffffa00e24bc>] ? usb_register_driver+0x7c/0x130 [usbcore]
[   10.041844]  [<ffffffffa0773000>] ? 0xffffffffa0773000
[   10.041846]  [<ffffffffa077310f>] ? acm_init+0x10f/0x180 [cdc_acm]
[   10.041850]  [<ffffffff8100038c>] ? do_one_initcall+0x8c/0x1a0
[   10.041852]  [<ffffffff81589e71>] ? do_init_module+0x5d/0x1ee
[   10.041854]  [<ffffffff810d3cea>] ? load_module+0x216a/0x2400
[   10.041856]  [<ffffffff810d07b0>] ? __symbol_put+0x50/0x50
[   10.041858]  [<ffffffff810d0b39>] ? copy_module_from_fd.isra.61+0x159/0x300
[   10.041860]  [<ffffffffa07731d0>] ? cicus.734.33792+0x50/0x2d68 [cdc_acm]
[   10.041862]  [<ffffffff810d4326>] ? SyS_finit_module+0x86/0x90
[   10.041864]  [<ffffffff815917ad>] ? entry_SYSCALL_64_fastpath+0x16/0x87
[   10.041866]  [<ffffffff815917dd>] ? entry_SYSCALL_64_fastpath+0x46/0x87                                                           


How could I help?

gcc version 5.2.1 20151010 (Debian 5.2.1-22)
full kernel config: http://pastebin.com/uJvg9HH3
Last edited by alan.d on Sat Oct 24, 2015 4:43 am, edited 1 time in total.
alan.d
 
Posts: 34
Joined: Mon Jul 07, 2014 8:20 am

Re: Some more size overflows

Postby alan.d » Sat Oct 24, 2015 4:38 am

Still using 201510222059 patch:

Code: Select all
[ 2707.962599] PAX: size overflow detected in function ipv6_gro_receive include/linux/skbuff.h:1969 cicus.144_220 min, count: 18, decl: data_offset; num: 0; context: napi_gro_cb;
[ 2707.962611] CPU: 3 PID: 631 Comm: irq/38-iwlwifi Not tainted 4.2.4-grsec-3.1-201510222059 #1
[ 2707.962615] Hardware name: Dell Inc. Precision M4600/      , BIOS A14 03/10/2013
[ 2707.962619]  adf4af5915f59b8f 0000000000000024 0000000000000000 fffffffffffffff8
[ 2707.962627]  ffffffff8158bcd0 000000000000003a ffffffff8156cdc8 ffff880418d48000
[ 2707.962633]  ffff880416f0bb20 0000000000000000 ffff8800c9f74a00 ffff8800c9f74a58
[ 2707.962639] Call Trace:
[ 2707.962651]  [<ffffffff8158bcd0>] ? dump_stack+0x40/0x56
[ 2707.962657]  [<ffffffff8156cdc8>] ? ipv6_gro_receive+0x9a8/0xa10
[ 2707.962664]  [<ffffffff8146d7ab>] ? dev_gro_receive+0x25b/0x5f0
[ 2707.962670]  [<ffffffff8146ddff>] ? napi_gro_receive+0x1f/0x90
[ 2707.962702]  [<ffffffffa0a11839>] ? ieee80211_deliver_skb+0xa9/0x2e0 [mac80211]
[ 2707.962726]  [<ffffffffa0a13dde>] ? ieee80211_rx_handlers+0xd2e/0x2540 [mac80211]
[ 2707.962734]  [<ffffffff81096041>] ? find_busiest_group+0x31/0x4e0
[ 2707.962752]  [<ffffffffa0a1578d>] ? ieee80211_prepare_and_rx_handle+0x19d/0xa40 [mac80211]
[ 2707.962768]  [<ffffffffa0a162fb>] ? ieee80211_rx+0x2cb/0xa90 [mac80211]
[ 2707.962774]  [<ffffffff814522d6>] ? __kmalloc_reserve.isra.34+0x36/0x90
[ 2707.962788]  [<ffffffffa090e950>] ? iwlagn_rx_reply_rx+0x490/0x640 [iwldvm]
[ 2707.962802]  [<ffffffffa081c301>] ? iwl_pcie_irq_handler+0x601/0xd40 [iwlwifi]
[ 2707.962809]  [<ffffffff810aa950>] ? irq_finalize_oneshot.part.32+0xf0/0xf0
[ 2707.962814]  [<ffffffff810aa973>] ? irq_thread_fn+0x23/0x50
[ 2707.962820]  [<ffffffff810aa950>] ? irq_finalize_oneshot.part.32+0xf0/0xf0
[ 2707.962826]  [<ffffffff810aac93>] ? irq_thread+0x123/0x140
[ 2707.962832]  [<ffffffff810aaac0>] ? wake_threads_waitq+0x40/0x40
[ 2707.962837]  [<ffffffff810aab70>] ? irq_thread_dtor+0xb0/0xb0
[ 2707.962842]  [<ffffffff8107eedd>] ? kthread+0xcd/0xf0
[ 2707.962848]  [<ffffffff8107ee10>] ? kthread_worker_fn+0x170/0x170
[ 2707.962854]  [<ffffffff81591bce>] ? ret_from_fork+0x3e/0x70
[ 2707.962858]  [<ffffffff8107ee10>] ? kthread_worker_fn+0x170/0x170


I do not know: It seems creating a new topic for every overflow will flood the forums, so I thought it would be better to just post all of mine in one thread.
Any better place to report those?

EDIT: This one seems identical to number 2 here: http://forums.grsecurity.net/viewtopic. ... 641#p15627 with a few minor differences.
alan.d
 
Posts: 34
Joined: Mon Jul 07, 2014 8:20 am

Re: Some more size overflows

Postby alan.d » Sat Oct 24, 2015 5:01 am

BTW: the overflow messages flood my console ... even when setting the loglevel to the lowest level (using dmesg -D or dmesg -d 1)
Anyway I could disable the messages? I guess they all have panic priority?
alan.d
 
Posts: 34
Joined: Mon Jul 07, 2014 8:20 am

Re: Some more size overflows

Postby ephox » Sat Oct 24, 2015 8:24 am

alan.d wrote:
Code: Select all
[   10.041789] PAX: size overflow detected in function acm_probe drivers/usb/class/cdc-acm.c:1381 cicus.583_677 min, count: 64, decl: pipe; num: 0; context: urb;



Thanks for the report, it is an upstream bug, it will be fixed in the next grsec patch.
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm


Return to grsecurity support