PAX: size overflow detected in function __vhost_add_used_n

Post by jotik » Fri Oct 23, 2015 6:52 am

Using Gentoo's hardened-sources: Linux version 4.2.3-hardened-r5 (gcc version 4.9.3 (Gentoo Hardened 4.9.3 p1.0, pie-0.6.2) ) #1 SMP PREEMPT

Code:
[ 1891.545512] PAX: size overflow detected in function __vhost_add_used_n drivers/vhost/vhost.c:1517 cicus.394_113 max, count: 3, decl: last_used_idx; num: 0; context: vhost_virtqueue;
[ 1891.545517] CPU: 5 PID: 3728 Comm: vhost-3726 Not tainted 4.2.3-hardened-r5 #1
[ 1891.545518] Hardware name: LENOVO 20AN006VMS/20AN006VMS, BIOS GLET78WW (2.32 ) 03/03/2015
[ 1891.545520]  ffffffffa2fcfc6b 1635b2bb646ff805 0000000000000000 ffffffffa2f42695
[ 1891.545522]  ffffc9000401bb98 ffffffffa2a83730 0000000000000000 ffffffffa2f426ab
[ 1891.545524]  ffffc9000401bbc8 ffffffffa21a10c3 ffff8803a8d50078 0000000000000001
[ 1891.545525] Call Trace:
[ 1891.545532]  [<ffffffffa2a83730>] dump_stack+0x4c/0x79
[ 1891.545535]  [<ffffffffa21a10c3>] report_size_overflow+0x33/0x60
[ 1891.545539]  [<ffffffffa28487ba>] __vhost_add_used_n+0x15a/0x160
[ 1891.545540]  [<ffffffffa284b0ad>] vhost_add_used_n+0x8d/0x190
[ 1891.545542]  [<ffffffffa284b385>] vhost_add_used_and_signal_n+0x25/0x40
[ 1891.545544]  [<ffffffffa2843a7e>] handle_rx+0x61e/0x920
[ 1891.545546]  [<ffffffffa284b1fb>] ? vhost_add_used+0x4b/0x70
[ 1891.545547]  [<ffffffffa2843d98>] handle_rx_net+0x18/0x20
[ 1891.545549]  [<ffffffffa2847edd>] vhost_worker+0xdd/0x180
[ 1891.545551]  [<ffffffffa2847e00>] ? vhost_poll_func+0x30/0x30
[ 1891.545555]  [<ffffffffa20dc847>] kthread+0xd7/0xf0
[ 1891.545556]  [<ffffffffa20dc770>] ? __kthread_parkme+0x80/0x80
[ 1891.545559]  [<ffffffffa2a8cc4e>] ret_from_fork+0x3e/0x70
[ 1891.545561]  [<ffffffffa20dc770>] ? __kthread_parkme+0x80/0x80


Same .config as in https://forums.grsecurity.net/viewtopic.php?f=3&t=4283, but for some reason the EXTRA_CFLAGS trick doesn't generate any extra files any more.
jotik
 
Posts: 22
Joined: Mon Oct 19, 2015 5:11 am

Re: PAX: size overflow detected in function __vhost_add_used

Post by quasar366 » Fri Oct 23, 2015 12:32 pm

Same issue with grsecurity-3.1-4.2.4-201510222059.patch
Code:
[16424.310293] PAX: size overflow detected in function __vhost_add_used_n drivers/vhost/vhost.c:1517 cicus.511_199 max, count: 7, decl: last_used_idx; num: 0; context: vhost_virtqueue;
[16424.317367] CPU: 0 PID: 11382 Comm: vhost-11378 Tainted: P           OE   4.2.4 #1
[16424.317374]  ffffffffa07ca90c ffffc9000d42bbb8 ffffffff81761361 0000000000000001
[16424.317380]  ffffffffa07ca971 ffffc9000d42bbe8 ffffffff8119b6fc 000000000000ffff
[16424.317384]  ffff88038a9b0078 0000000000000001 0000000000010000 ffffc9000d42bc38
[16424.317388] Call Trace:
[16424.317402]  [<ffffffffa07ca90c>] ? __param_str_max_mem_regions+0x1c/0xad0 [vhost]
[16424.317408]  [<ffffffff81761361>] dump_stack+0x45/0x5d
[16424.317414]  [<ffffffffa07ca971>] ? __param_str_max_mem_regions+0x81/0xad0 [vhost]
[16424.317419]  [<ffffffff8119b6fc>] report_size_overflow+0x5c/0x60
[16424.317425]  [<ffffffffa07c8785>] __vhost_add_used_n+0x1d5/0x1e0 [vhost]
[16424.317431]  [<ffffffff813522d6>] ? copy_user_enhanced_fast_string+0x16/0x20
[16424.317435]  [<ffffffff8135b759>] ? copy_to_iter+0x229/0x780
[16424.317441]  [<ffffffffa07c8d4c>] vhost_add_used_n+0x8c/0x1c0 [vhost]
[16424.317446]  [<ffffffffa07c8e9a>] vhost_add_used_and_signal_n+0x1a/0x30 [vhost]
[16424.317451]  [<ffffffffa07d6c9b>] handle_rx+0x60b/0x8e0 [vhost_net]
[16424.317457]  [<ffffffffa07d6f80>] handle_rx_net+0x10/0x20 [vhost_net]
[16424.317462]  [<ffffffffa07c8530>] vhost_worker+0xe0/0x160 [vhost]
[16424.317467]  [<ffffffffa07c8450>] ? vhost_log_write+0xa0/0xa0 [vhost]
[16424.317473]  [<ffffffff8107faf0>] kthread+0xd0/0xf0
[16424.317477]  [<ffffffff8107fa20>] ? kthread_create_on_node+0x170/0x170
[16424.317482]  [<ffffffff8176901e>] ret_from_fork+0x3e/0x70
[16424.317486]  [<ffffffff8107fa20>] ? kthread_create_on_node+0x170/0x170
quasar366
 
Posts: 36
Joined: Mon Dec 02, 2013 2:26 pm

Re: PAX: size overflow detected in function __vhost_add_used

Post by ephox » Sun Oct 25, 2015 12:46 pm

Thanks for the report, it will be fixed in the next grsec patch.
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm

Re: PAX: size overflow detected in function __vhost_add_used

Post by jotik » Sun Oct 25, 2015 1:33 pm

quasar366 wrote: Same issue with grsecurity-3.1-4.2.4-201510222059.patch


Weird. I'm unable to reproduce this with Gentoo's hardened-sources-4.2.4 (vanilla-4.2.4 + genpatches-4.2-6 + grsecurity-3.1-4.2.4-201510222059).
jotik
 
Posts: 22
Joined: Mon Oct 19, 2015 5:11 am

Re: PAX: size overflow detected in function __vhost_add_used

Post by quasar366 » Mon Oct 26, 2015 6:15 am

This was after the machine had been running for a while and, I think, after high load on the VM guest. I have this issue on 2 machines. But I have not tested with the latest grsec from 25 Oct because of disabled PAX.

On one machine it took one day until the message appeared, and after that the log file was flooded with these messages every 8 minutes.

regards

Edit: happened again with grsecurity-3.1-4.2.4-201510251836.patch
Code:
[ 9714.246024] PAX: size overflow detected in function __vhost_add_used_n drivers/vhost/vhost.c:1517 cicus.503_199 max, count: 1, decl: last_used_idx; num: 0; context: vhost_virtqueue;
[ 9714.255418] CPU: 3 PID: 5850 Comm: vhost-5845 Tainted: P           OE   4.2.4 #1
[ 9714.255423] Hardware name: Gigabyte Technology Co., Ltd. H97-HD3/H97-HD3, BIOS F7 04/22/2015
[ 9714.255427]  ffffffffa07725ec ffffc900051b3c08 ffffffff816c55d0 0000000000000001
[ 9714.255434]  ffffffffa077263a ffffc900051b3c38 ffffffff8118893c 000000000000ffff
[ 9714.255439]  ffff8806e5740078 0000000000000001 0000000000010000 ffffc900051b3c78
[ 9714.255445] Call Trace:
[ 9714.255462]  [<ffffffffa07725ec>] ? __param_str_max_mem_regions+0x1c/0x918 [vhost]
[ 9714.255471]  [<ffffffff816c55d0>] dump_stack+0x45/0x5d
[ 9714.255478]  [<ffffffffa077263a>] ? __param_str_max_mem_regions+0x6a/0x918 [vhost]
[ 9714.255485]  [<ffffffff8118893c>] report_size_overflow+0x5c/0x60
[ 9714.255492]  [<ffffffffa0770551>] __vhost_add_used_n+0x1c1/0x1d0 [vhost]
[ 9714.255500]  [<ffffffffa0770ae0>] vhost_add_used_n+0x50/0x110 [vhost]
[ 9714.255506]  [<ffffffffa0770bba>] vhost_add_used_and_signal_n+0x1a/0x30 [vhost]
[ 9714.255514]  [<ffffffffa0788bd7>] handle_rx+0x547/0x740 [vhost_net]
[ 9714.255520]  [<ffffffffa0770b1a>] ? vhost_add_used_n+0x8a/0x110 [vhost]
[ 9714.255526]  [<ffffffffa0788de0>] handle_rx_net+0x10/0x20 [vhost_net]
[ 9714.255533]  [<ffffffffa0770310>] vhost_worker+0xe0/0x160 [vhost]
[ 9714.255539]  [<ffffffffa0770230>] ? vhost_log_write+0xa0/0xa0 [vhost]
[ 9714.255547]  [<ffffffff8107bf80>] kthread+0xd0/0xf0
[ 9714.255554]  [<ffffffff8107beb0>] ? kthread_create_on_node+0x170/0x170
[ 9714.255560]  [<ffffffff816ccd9e>] ret_from_fork+0x3e/0x70
[ 9714.255566]  [<ffffffff8107beb0>] ? kthread_create_on_node+0x170/0x170
quasar366
 
Posts: 36
Joined: Mon Dec 02, 2013 2:26 pm
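
Added example, not part of any post in this thread and not grsecurity code: a small triage script for the log flooding described above. It groups size_overflow reports by function, source location and `decl`, and measures how often each site recurs. The sample lines are constructed from the report layout quoted in the thread, with made-up timestamps.

```python
import re
from collections import defaultdict

# Header line of a size_overflow report, in the layout quoted in this thread.
REPORT_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\] PAX: size overflow detected in function "
    r"(?P<func>\S+) (?P<file>[^\s:]+):(?P<line>\d+) (?P<rest>.*)"
)
# The "CPU: ... Comm: ..." line that follows names the reporting task.
COMM_RE = re.compile(r"\[\s*\d+\.\d+\] CPU: \d+ PID: \d+ Comm: (?P<comm>\S+)")
FIELD_RE = re.compile(r"(\w+): ([^;,]+)")  # "decl: last_used_idx;" style pairs

def summarize(lines):
    """Group reports by (function, file:line, decl) and measure recurrence."""
    sites = defaultdict(lambda: {"times": [], "comms": set()})
    current = None
    for raw in lines:
        m = REPORT_RE.search(raw)
        if m:
            fields = dict(FIELD_RE.findall(m["rest"]))
            key = (m["func"], f'{m["file"]}:{m["line"]}', fields.get("decl"))
            current = sites[key]
            current["times"].append(float(m["ts"]))
            continue
        c = COMM_RE.search(raw)
        if c and current is not None:
            current["comms"].add(c["comm"])
            current = None  # only the first CPU line after a header counts
    out = {}
    for key, s in sites.items():
        t = sorted(s["times"])
        gaps = [b - a for a, b in zip(t, t[1:])]
        out[key] = {
            "hits": len(t),
            "mean_gap_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
            "comms": sorted(s["comms"]),
        }
    return out

# Constructed sample: the thread's report layout with made-up timestamps
# 480 s apart, mirroring the "every 8 minutes" recurrence reported above.
HDR = ("[%12.6f] PAX: size overflow detected in function __vhost_add_used_n "
       "drivers/vhost/vhost.c:1517 cicus.503_199 max, count: 1, "
       "decl: last_used_idx; num: 0; context: vhost_virtqueue;")
CPU = "[%12.6f] CPU: 3 PID: 5850 Comm: vhost-5845 Tainted: P OE 4.2.4 #1"
SAMPLE = [fmt % (9714.246024 + 480 * i) for i in range(3) for fmt in (HDR, CPU)]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Feeding it the saved output of `dmesg` from each affected host gives one row per overflow site, which makes it easy to confirm whether a new patch version still triggers the same report.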

