Bug 545776 - =sys-kernel/hardened-sources-3.19.3: crash: PAX: size overflow detected in function zlib_compress_setup crypto/zlib:104 cicus.54_63 max, count: 7
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2015-04-06 21:36 UTC by Attila Tóth
Modified: 2015-09-11 04:01 UTC
Description Attila Tóth 2015-04-06 21:36:18 UTC
I'd like to join the crash party. This size_overflow is not related to the other two reported crashes. It happens quite early during boot. It was the same for 3.19.1-hardened and 3.19.2-hardened. During Easter I had a bit of time to slow down printk to observe the culprit function.

Reproducible: Always
Comment 1 PaX Team 2015-04-06 22:45:06 UTC
can you post your .config? also for the future, enable frame pointers for better backtraces ;).
Comment 2 PaX Team 2015-04-06 22:47:46 UTC
can you try this patch:

--- a/crypto/zlib.c       2015-02-09 21:11:58.221574279 +0100
+++ b/crypto/zlib.c       2015-04-07 00:47:00.694626395 +0200
@@ -95,10 +95,10 @@
        zlib_comp_exit(ctx);

        window_bits = tb[ZLIB_COMP_WINDOWBITS]
-                                       ? nla_get_u32(tb[ZLIB_COMP_WINDOWBITS])
+                                       ? nla_get_s32(tb[ZLIB_COMP_WINDOWBITS])
                                        : MAX_WBITS;
        mem_level = tb[ZLIB_COMP_MEMLEVEL]
-                                       ? nla_get_u32(tb[ZLIB_COMP_MEMLEVEL])
+                                       ? nla_get_s32(tb[ZLIB_COMP_MEMLEVEL])
                                        : DEF_MEM_LEVEL;

        workspacesize = zlib_deflate_workspacesize(window_bits, mem_level);
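Review bot: in both changed assignments the value read with nla_get_s32() is passed to zlib_deflate_workspacesize(window_bits, mem_level) with no range check visible in this hunk, and reading the attributes as signed means negative values now arrive there as negative numbers rather than as large unsigned ones. I would validate window_bits and mem_level against the range the deflate code accepts before computing workspacesize, and return an error for anything outside it. The change also needs a short description saying why ZLIB_COMP_WINDOWBITS and ZLIB_COMP_MEMLEVEL are treated as signed, since the hunk alone does not show which values callers are expected to send.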
Comment 3 Attila Tóth 2015-04-08 23:04:59 UTC
(In reply to PaX Team from comment #2)
> can you try this patch:
> 
> --- a/crypto/zlib.c       2015-02-09 21:11:58.221574279 +0100
> +++ b/crypto/zlib.c       2015-04-07 00:47:00.694626395 +0200
> @@ -95,10 +95,10 @@
>         zlib_comp_exit(ctx);
> 
>         window_bits = tb[ZLIB_COMP_WINDOWBITS]
> -                                       ?
> nla_get_u32(tb[ZLIB_COMP_WINDOWBITS])
> +                                       ?
> nla_get_s32(tb[ZLIB_COMP_WINDOWBITS])
>                                         : MAX_WBITS;
>         mem_level = tb[ZLIB_COMP_MEMLEVEL]
> -                                       ? nla_get_u32(tb[ZLIB_COMP_MEMLEVEL])
> +                                       ? nla_get_s32(tb[ZLIB_COMP_MEMLEVEL])
>                                         : DEF_MEM_LEVEL;
> 
>         workspacesize = zlib_deflate_workspacesize(window_bits, mem_level);

This modification solves the size overflow problem!
Comment 4 Attila Tóth 2015-04-08 23:06:22 UTC
(In reply to PaX Team from comment #1)
> can you post your .config? also for the future, enable frame pointers for
> better backtraces ;).

I've enabled frame pointers and reverted the modification to make the kernel crash again during boot. Please find the config and the screen captures at the same place I put those previously.

Many thanks: Dw
Comment 5 PaX Team 2015-09-11 00:07:39 UTC
this should have been fixed a while ago, is there still a problem?
Comment 6 Attila Tóth 2015-09-11 04:01:34 UTC
I can confirm that this bug no longer occurs using the current version.