Bug 472274 - sys-kernel/hardened-sources-3.8.6 pax size nfs overflow
Summary: sys-kernel/hardened-sources-3.8.6 pax size nfs overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-06-04 12:11 UTC by Steffen
Modified: 2013-06-26 07:01 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
whole kernel log (kern.log,252.37 KB, text/x-log)
2013-06-07 08:14 UTC, Steffen

Description Steffen 2013-06-04 12:11:59 UTC
When PAX is used and a nfs-client connects to the server, nfs gets killed with the following message:
PAX: size overflow detected in function nfsd_cache_update fs/nfsd/nfscache.c
A patch is proposed here (for the same problem), but does not work:
https://forums.grsecurity.net/viewtopic.php?f=3&t=3438



Reproducible: Always

Steps to Reproduce:
1. Compile hardened-sources-3.8.6 with pax support and nfs4
2. Connect a (linux) nfs-client to the server

Actual Results:  
PAX: size overflow detected in function nfsd_cache_update fs/nfsd/nfscache.c
NFS gets cancelled on the server.

Expected Results:  
NFS should still work.

emerge --info

Portage 2.1.11.62 (hardened/linux/amd64, gcc-4.6.3, glibc-2.15-r3, 3.8.6-hardened x86_64)
=================================================================
System uname: Linux-3.8.6-hardened-x86_64-Dual_Core_AMD_Opteron-tm-_Processor_280-with-gentoo-2.2
KiB Mem:     8181064 total,   1096512 free
KiB Swap:   16787920 total,  16787324 free
Timestamp of tree: Fri, 31 May 2013 06:45:01 +0000
ld GNU ld (GNU Binutils) 2.22
app-shells/bash:          4.2_p45
dev-java/java-config:     2.1.12-r1
dev-lang/python:          2.6.8-r1, 2.7.3-r3, 3.1.5-r1, 3.2.3-r2
dev-util/cmake:           2.8.10.2-r2
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.7 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo
Comment 1 Anthony Basile gentoo-dev 2013-06-06 13:12:49 UTC
Another user has reported a similar problem.
Comment 2 Anthony Basile gentoo-dev 2013-06-06 13:42:04 UTC
(In reply to Anthony Basile from comment #1)
> Another user has reported a similar problem.

s/similar/same
Comment 3 PaX Team 2013-06-06 13:49:08 UTC
1. can you try something newer, from the 3.9 series?
2. what's the exact kernel log (with backtrace, etc)?
Comment 4 Steffen 2013-06-07 08:10:00 UTC
1.)
I used the 3.8.6 hardened kernel, because it is the latest kernel marked stable. As the server is used by about 30 people, it is difficult for me to test different kernels, i.e. I can only test it on weekends.

2.)
Kernel log as requested (without the patch):

Jun  2 18:52:19 ihesamoa kernel: NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
Jun  2 18:52:19 ihesamoa kernel: NFSD: starting 90-second grace period (net ffffffff81a4a640)
Jun  2 18:53:33 ihesamoa kernel: PAX: size overflow detected in function nfsd_cache_update fs/nfsd/nfscache.c:267 cicus.113_58 min, count: 28
Jun  2 18:53:33 ihesamoa kernel: Pid: 2431, comm: nfsd Not tainted 3.8.6-hardened #2
Jun  2 18:53:33 ihesamoa kernel: Call Trace:
Jun  2 18:53:33 ihesamoa kernel: [<ffffffff81108c55>] ? report_size_overflow+0x35/0x40
Jun  2 18:53:33 ihesamoa kernel: [<ffffffff8124a47b>] ? nfsd_cache_update+0x24b/0x280
Jun  2 18:53:33 ihesamoa kernel: [<ffffffff8123f2d5>] ? nfsd_dispatch+0x175/0x1f0
Jun  2 18:53:33 ihesamoa kernel: [<ffffffff816591aa>] ? svc_process+0x4ea/0x810
Jun  2 18:53:33 ihesamoa kernel: [<ffffffff8123ec77>] ? nfsd+0xb7/0x120
Jun  2 18:53:33 ihesamoa kernel: [<ffffffff8123ebc0>] ? nfsd_destroy+0xa0/0xa0
Jun  2 18:53:33 ihesamoa kernel: [<ffffffff810636ff>] ? kthread+0xbf/0xd0
Jun  2 18:53:33 ihesamoa kernel: [<ffffffff81063640>] ? kthread_freezable_should_stop+0x60/0x60
Jun  2 18:53:33 ihesamoa kernel: [<ffffffff8167ed72>] ? ret_from_fork+0x72/0xa0
Jun  2 18:53:33 ihesamoa kernel: [<ffffffff81063640>] ? kthread_freezable_should_stop+0x60/0x60
Comment 5 Steffen 2013-06-07 08:14:51 UTC
Created attachment 350324
whole kernel log
Comment 6 PaX Team 2013-06-07 19:52:14 UTC
(In reply to Steffen from comment #4)
> 1.)
> I used the 3.8.6 hardened kernel, because it is the latest kernel marked
> stable. As the server is used by about 30 people, it is difficult for me to
> test different kernels, i.e. I can only test it on weekend.

can you at least try 3.8.12? this particular problem should already be fixed there as well.
Comment 7 Martin Kolleck 2013-06-09 15:21:28 UTC
Having the same problem, I tried 3.8.12, but without success. Upgrading to 3.9.4-r1 fixed the problem. (See also #467510)
Comment 8 PaX Team 2013-06-10 13:30:02 UTC
(In reply to Martin Kolleck from comment #7)
> Having the same problem, I tried 3.8.12, but without success. Upgrading to
> 3.9.4-r1 fixed the problem. (See also #467510)

that's interesting because we have the same fix in both 3.8.12 and 3.9.4 ;). can you post the overflow log for 3.8.12 (we no longer support it but maybe there's another issue there that needs a further look)?
Comment 9 Steffen 2013-06-12 16:53:54 UTC
Not fixed in 3.8.12...

[  935.895342] PAX: size overflow detected in function nfsd_cache_update fs/nfsd/nfscache.c:268 cicus.114_63 min, count: 26
[  935.895347] Pid: 2443, comm: nfsd Not tainted 3.8.12-hardened #1
[  935.895348] Call Trace:
[  935.895357]  [<ffffffff81108d25>] ? report_size_overflow+0x35/0x40
[  935.895361]  [<ffffffff8124a40b>] ? nfsd_cache_update+0x25b/0x290
[  935.895363]  [<ffffffff8123f255>] ? nfsd_dispatch+0x175/0x1f0
[  935.895366]  [<ffffffff8165845a>] ? svc_process+0x4ea/0x810
[  935.895368]  [<ffffffff8123ebf7>] ? nfsd+0xb7/0x120
[  935.895369]  [<ffffffff8123eb40>] ? nfsd_destroy+0x80/0x80
[  935.895372]  [<ffffffff8106369f>] ? kthread+0xbf/0xd0
[  935.895375]  [<ffffffff810635e0>] ? kthread_freezable_should_stop+0x60/0x60
[  935.895377]  [<ffffffff8167df42>] ? ret_from_fork+0x72/0xa0
[  935.895380]  [<ffffffff810635e0>] ? kthread_freezable_should_stop+0x60/0x60
[  957.532248] PAX: size overflow detected in function nfsd_cache_update fs/nfsd/nfscache.c:268 cicus.114_63 min, count: 26
[  957.532254] Pid: 2445, comm: nfsd Not tainted 3.8.12-hardened #1
[  957.532255] Call Trace:
[  957.532263]  [<ffffffff81108d25>] ? report_size_overflow+0x35/0x40
[  957.532267]  [<ffffffff8124a40b>] ? nfsd_cache_update+0x25b/0x290
[  957.532269]  [<ffffffff8123f255>] ? nfsd_dispatch+0x175/0x1f0
[  957.532272]  [<ffffffff8165845a>] ? svc_process+0x4ea/0x810
[  957.532274]  [<ffffffff8123ebf7>] ? nfsd+0xb7/0x120
[  957.532276]  [<ffffffff8123eb40>] ? nfsd_destroy+0x80/0x80
[  957.532279]  [<ffffffff8106369f>] ? kthread+0xbf/0xd0
[  957.532281]  [<ffffffff810635e0>] ? kthread_freezable_should_stop+0x60/0x60
[  957.532284]  [<ffffffff8167df42>] ? ret_from_fork+0x72/0xa0
[  957.532286]  [<ffffffff810635e0>] ? kthread_freezable_should_stop+0x60/0x60
[  974.102541] PAX: size overflow detected in function nfsd_cache_update fs/nfsd/nfscache.c:268 cicus.114_63 min, count: 26
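The PaX Team asked for the overflow log on each kernel so the reports in comment 4 (3.8.6) and comment 9 (3.8.12) could be compared. The following is an added example, not code from the bug or from the PaX/grsecurity project: it parses "PAX: size overflow detected" reports out of both log formats quoted above (syslog-prefixed kern.log and dmesg-style timestamps) and groups them by function, file:line and kernel version, so an admin triaging a hardened kernel can see at a glance whether repeated kills are the same instrumentation site. The sample log is constructed from lines quoted in this bug.

```python
import re

# Constructed sample, modelled on the two log formats quoted in this bug.
SAMPLE_LOG = """\
Jun  2 18:52:19 ihesamoa kernel: NFSD: starting 90-second grace period (net ffffffff81a4a640)
Jun  2 18:53:33 ihesamoa kernel: PAX: size overflow detected in function nfsd_cache_update fs/nfsd/nfscache.c:267 cicus.113_58 min, count: 28
Jun  2 18:53:33 ihesamoa kernel: Pid: 2431, comm: nfsd Not tainted 3.8.6-hardened #2
Jun  2 18:53:33 ihesamoa kernel: [<ffffffff81108c55>] ? report_size_overflow+0x35/0x40
Jun  2 18:53:33 ihesamoa kernel: [<ffffffff8124a47b>] ? nfsd_cache_update+0x24b/0x280
[  935.895342] PAX: size overflow detected in function nfsd_cache_update fs/nfsd/nfscache.c:268 cicus.114_63 min, count: 26
[  935.895347] Pid: 2443, comm: nfsd Not tainted 3.8.12-hardened #1
[  935.895357]  [<ffffffff81108d25>] ? report_size_overflow+0x35/0x40
[  935.895361]  [<ffffffff8124a40b>] ? nfsd_cache_update+0x25b/0x290
"""

# A message is preceded by either "Mon DD HH:MM:SS host kernel: " or "[ seconds.micros] ".
PREFIX = r"^(?:\w{3}\s+\d+ [\d:]+ \S+ kernel: |\[\s*[\d.]+\]\s*)"
OVERFLOW_RE = re.compile(PREFIX + r"PAX: size overflow detected in function (?P<func>\S+) (?P<file>[^:\s]+):(?P<line>\d+)")
PID_RE = re.compile(PREFIX + r"Pid: (?P<pid>\d+), comm: (?P<comm>\S+) .*?(?P<kernel>\d[\w.-]*) #\d+")
FRAME_RE = re.compile(PREFIX + r"\[<[0-9a-f]+>\] \? (?P<sym>\w+)\+0x")

def parse_pax_reports(log_text):
    """Return one dict per 'PAX: size overflow' report, with the frames that follow it."""
    reports = []
    for line in log_text.splitlines():
        m = OVERFLOW_RE.match(line)
        if m:  # a new report starts; following Pid/frame lines belong to it
            reports.append({"func": m["func"], "site": f"{m['file']}:{m['line']}",
                            "pid": None, "comm": None, "kernel": None, "frames": []})
            continue
        if not reports:  # lines before the first report (e.g. NFSD startup) are unrelated
            continue
        current = reports[-1]
        m = PID_RE.match(line)
        if m:
            current.update(pid=int(m["pid"]), comm=m["comm"], kernel=m["kernel"])
            continue
        m = FRAME_RE.match(line)
        if m:
            current["frames"].append(m["sym"])
    return reports

def group_by_site(reports):
    """Count reports per (function, file:line, kernel) so repeats of one site stand out."""
    counts = {}
    for r in reports:
        key = (r["func"], r["site"], r["kernel"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Run `group_by_site(parse_pax_reports(open("/var/log/kern.log").read()))` against a real log to get the per-site counts; the `frames` list on each report is what the PaX Team asked for as the backtrace.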
Comment 10 Anthony Basile gentoo-dev 2013-06-12 19:09:53 UTC
(In reply to Steffen from comment #9)
> Not fixed in 3.8.12...
> 

Give me a bit and 3.9.5 will be up.  I'm testing now.  (A bit = a few hours).
Comment 11 PaX Team 2013-06-13 20:03:29 UTC
(In reply to Steffen from comment #9)
> Not fixed in 3.8.12...
> 
> [  935.895342] PAX: size overflow detected in function nfsd_cache_update
> fs/nfsd/nfscache.c:268 cicus.114_63 min, count: 26

thanks, this is a false positive, we'll fix it in the next patches (but not for 3.8).

blueness, a request: in the future can you also CC re.emese@gmail.com for size overflow related bugs please?
Comment 12 Anthony Basile gentoo-dev 2013-06-24 21:00:05 UTC
(In reply to PaX Team from comment #11)
> 
> blueness, a request: in the future can you also CC re.emese@gmail.com for
> size overflow related bugs please?

I can't cc people who are not registered in bugzilla.  I'll try but it may spit back at me.
Comment 13 Anthony Basile gentoo-dev 2013-06-24 21:00:44 UTC
I just marked 2.6.32-r170, 3.2.46-r1, 3.9.5.  Please test and if this is still an issue reopen.
Comment 14 Steffen 2013-06-26 07:01:14 UTC
(In reply to Anthony Basile from comment #13)
> I just marked 2.6.32-r170, 3.2.46-r1, 3.9.5.  Please test and if this is
> still an issue reopen.

The bug is fixed in 3.9.5. Thank you.