grsecurity forums

[rfnx]

Hello,

With the latest grsec patch - grsecurity-3.1-4.2.6-201511211841.patch - my two computers freeze after a few minutes, with no message. They are both running Archlinux (updated). Ask me more info if you need.

Bye.

[PaX Team]

what gcc did you compile the kernel with? and if sysrq works, can you get a task list?

[rfnx]

Thanks for your reply, I compiled it with latest gcc version from Archlinux, 5.2.0 (https://www.archlinux.org/packages/core/x86_64/gcc/).

What is a task list ?

EDIT : Also, since this patch I have a lot of new warnings at the beginning of the kernel compilation, before configuring the kernel when there are lines like "HOSTCXX -fPIC tools/gcc/colorize_plugin.o". It's only warnings, but it is new.

[PaX Team]

ok, that's a new enough gcc without a particular problem i was thinking of. so the next task would be to get the kernel logs, either by taking a screenshot (you should stay in console mode if possible) or getting it via netconsole or a serial console. also do you have SIZE__OVERFLOW enabled? if so, can you disable it and see if the kernel works then?

[rfnx]

I can't give you logs because when it happens, the system is completly frozen, I can only reset the computer. The system logs stop here and I have nothing interesting.

I'll recompile without SIZE_OVERFLOW and post results later.

[rfnx]

Same problem with latest patch grsecurity-3.1-4.2.6-201511232037.patch .

The problem happens every time on my server, a few minutes after the boot. But I can't use this computer to debug because 1. it's not its role and 2. it's headless.
On my desktop computer, the bug occurs randomly, and sometimes it happens after a long time. And I don't have time this week to debug.

I'm sure other people have this problem, I can't be alone. So please help.

[PaX Team]

did you try it without SIZE_OVERFLOW?

[rfnx]

It works without SIZE_OVERFLOW.

As a side note, 99% of the time I had issues with grsec patches, it was caused by this option. So, is it really worth it ? Also, there was an option a few weeks ago (SIZE_OVERFLOW_DISABLE_KILL) to avoid crashes (again, it was done since this option caused a lot of problems), maybe you could consider adding it permanently for people who don't want to spend hours on this forum .

[PaX Team]

yes, it's worth it given this is probably the feature in grsec that found the most real bugs so far (not to mention the protection against 0-day bugs such as CVE-2013-0913). as for bringing back the DISABLE_KILL option, we added it temporarily exactly so that users still experiencing size overflow reports would have a chance to report them back to us and since the reports stopped coming in, spender reverted it. my guess is that you'll find such reports in your kernel logs for this period so you should dig them out and report them here.

[rfnx]

I checked all the logs I could find, and I have no size_overflow error. I reported some errors a few weeks ago, but after that everything was working correctly, until the 3 latest patch (4.2.6.201511182042 is the last working version for me).

[nail]

The same issue with Linux version 4.2.6.201511211841-1-grsec.
Here last journalctl messages before system freezing:
http://pastebin.com/gR71Vay2

[rfnx]

For me the biggest issue here is to see that the Archlinux package has been updated, even if I reported issue before.

Archlinux official repo isn't a play ground.

[ephox]

Could you please apply this patch and send me the result from dmesg?

Code: Select all

--- fs/exec.c.orig      2015-11-26 00:58:28.080278749 +0100
+++ fs/exec.c   2015-11-26 00:58:56.152280378 +0100
@@ -2224,7 +2224,7 @@
 {
        printk(KERN_EMERG "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
        dump_stack();
-       do_group_exit(SIGKILL);
+//     do_group_exit(SIGKILL);
 }
 EXPORT_SYMBOL(report_size_overflow);
 #endif


[rfnx]

I patched and now I have a lot of these errors : PAX: size overflow detected in function ipv6_gro_receive include/linux/skbuff.h:1969 cicus.141_209 min, count: 38, decl: len; num: 0; context: sk_buff;

Log :

Code: Select all

[   38.131937] PAX: size overflow detected in function ipv6_gro_receive include/linux/skbuff.h:1969 cicus.141_209 min, count: 38, decl: len; num: 0; context: sk_buff;
[   38.131989] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 4.2.6.201511232037-3-grsec-custom #1
[   38.131990] Hardware name: System manufacturer System Product Name/P8Z77, BIOS 1225 12/07/2012
[   38.131991]  ffffffff98a0485f 46c8725b4eb91ffe 0000000000000000 ffffffff988ffa19
[   38.131993]  ffff88081fb03cc8 ffffffff985e828d 0000000000000097 ffffffff989306da
[   38.131995]  ffff88081fb03cf8 ffffffff9819f4e4 000000000000003a 0000000000000028
[   38.131996] Call Trace:
[   38.131997]  <IRQ>  [<ffffffff985e828d>] dump_stack+0x45/0x5d
[   38.132003]  [<ffffffff9819f4e4>] report_size_overflow+0x34/0x50
[   38.132005]  [<ffffffff985c3e4e>] ipv6_gro_receive+0xa0e/0xb10
[   38.132007]  [<ffffffff984b2f5c>] dev_gro_receive+0x29c/0x670
[   38.132009]  [<ffffffff982f59dc>] ? swiotlb_sync_single+0x4c/0x70
[   38.132010]  [<ffffffff984b3650>] napi_gro_receive+0x20/0x90
[   38.132014]  [<ffffffffc032926f>] rtl8169_poll+0x2cf/0x680 [r8169]
[   38.132015]  [<ffffffff984b47d3>] net_rx_action+0x1f3/0x300
[   38.132018]  [<ffffffff98068a67>] __do_softirq+0xf7/0x210
[   38.132019]  [<ffffffff98068cba>] irq_exit+0x6a/0x70
[   38.132021]  [<ffffffff980056f5>] do_IRQ+0x55/0xf0
[   38.132023]  [<ffffffff985eea9a>] common_interrupt+0x9a/0x9a
[   38.132024]  <EOI>  [<ffffffff98464536>] ? cpuidle_enter_state+0x156/0x210
[   38.132027]  [<ffffffff9846452f>] ? cpuidle_enter_state+0x14f/0x210
[   38.132029]  [<ffffffff98464654>] cpuidle_enter+0x24/0x40
[   38.132031]  [<ffffffff980a935b>] call_cpuidle+0x3b/0x70
[   38.132032]  [<ffffffff980a9531>] cpu_startup_entry+0x1a1/0x260
[   38.132034]  [<ffffffff980403b0>] ? lapic_get_maxlvt+0x40/0x40
[   38.132036]  [<ffffffff98046f10>] ? x2apic_apic_id_registered+0x20/0x20
[   38.132038]  [<ffffffff9803e372>] start_secondary+0x1f2/0x230
[   38.165143] PAX: size overflow detected in function ipv6_gro_receive include/linux/skbuff.h:1969 cicus.141_209 min, count: 38, decl: len; num: 0; context: sk_buff;
[   38.165195] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 4.2.6.201511232037-3-grsec-custom #1
[   38.165196] Hardware name: System manufacturer System Product Name/P8Z77, BIOS 1225 12/07/2012
[   38.165197]  ffffffff98a0485f 46c8725b4eb91ffe 0000000000000000 ffffffff988ffa19
[   38.165198]  ffff88081fb03cc8 ffffffff985e828d 0000000000000097 ffffffff989306da
[   38.165200]  ffff88081fb03cf8 ffffffff9819f4e4 000000000000003a 0000000000000028
[   38.165201] Call Trace:
[   38.165202]  <IRQ>  [<ffffffff985e828d>] dump_stack+0x45/0x5d
[   38.165206]  [<ffffffff9819f4e4>] report_size_overflow+0x34/0x50
[   38.165208]  [<ffffffff985c3e4e>] ipv6_gro_receive+0xa0e/0xb10
[   38.165209]  [<ffffffff984b2f5c>] dev_gro_receive+0x29c/0x670
[   38.165211]  [<ffffffff982f59dc>] ? swiotlb_sync_single+0x4c/0x70
[   38.165212]  [<ffffffff984b3650>] napi_gro_receive+0x20/0x90
[   38.165215]  [<ffffffffc032926f>] rtl8169_poll+0x2cf/0x680 [r8169]
[   38.165216]  [<ffffffff984b47d3>] net_rx_action+0x1f3/0x300
[   38.165218]  [<ffffffff98068a67>] __do_softirq+0xf7/0x210
[   38.165220]  [<ffffffff98068cba>] irq_exit+0x6a/0x70
[   38.165221]  [<ffffffff980056f5>] do_IRQ+0x55/0xf0
[   38.165222]  [<ffffffff985eea9a>] common_interrupt+0x9a/0x9a
[   38.165223]  <EOI>  [<ffffffff98464536>] ? cpuidle_enter_state+0x156/0x210
[   38.165226]  [<ffffffff9846452f>] ? cpuidle_enter_state+0x14f/0x210
[   38.165227]  [<ffffffff98464654>] cpuidle_enter+0x24/0x40
[   38.165229]  [<ffffffff980a935b>] call_cpuidle+0x3b/0x70
[   38.165230]  [<ffffffff980a9531>] cpu_startup_entry+0x1a1/0x260
[   38.165231]  [<ffffffff980403b0>] ? lapic_get_maxlvt+0x40/0x40
[   38.165233]  [<ffffffff98046f10>] ? x2apic_apic_id_registered+0x20/0x20
[   38.165235]  [<ffffffff9803e372>] start_secondary+0x1f2/0x230

This problem was previously fixed (see viewtopic.php?f=3&t=4287) but it's happening again.

[ephox]

Code: Select all

[   38.165143] PAX: size overflow detected in function ipv6_gro_receive include/linux/skbuff.h:1969 cicus.141_209 min, count: 38, decl: len; num: 0; context: sk_buff;

Thanks for the report, it will be fixed in the next grsec patch.