Attempts at squashing a (squashfs + overlayfs) directory randomly fail with ~hardened-sources-3.19.6 and =hardened-sources-4.0.1: The kernel spits the error:

PAX: size overflow detected in function squashfs_listxattr /usr/src/linux-4.0.1-hardened/fs/squashfs/xattr.c:39 cicus.188_138 min, count: 40

(reproducible; always the same cicus and count for both kernel versions) and then gives a call trace like (numbers vary):

? dump_stack+0x40/0x56
? exit_squashfs_fs+0x1b22/0x2b33 [squashfs]
? report_size_overflow+0x37/0x41
? exit_squashfs_fs+0x1b8f/0x2b33 [squashfs]
? squashfs_listxattr+0x1cf/0x368 [squashfs]
? vfs_listxattr+0x47/0x52
? ovl_listxattr+0x46/0xe7 [overlay]
? vfs_listxattr+0x47/0x52
? listxattr+0x68/0xfc
? path_listxattr+0x52/0x9a
? system_call_fastpath+0x12/0x17
? retint_swapgs+0xe/0x11
In case it is important: The original data is compressed with mksquashfs ... -comp lz4 -Xhc, but omitting these options after the crash does not change anything.
I'm getting 4.0.2 ready now. Upstream will want you to test that version once it hits the tree.
1. can you post a backtrace with frame pointers enabled?
2. what's your gcc version?
3. can you post the resulting files (fs/squashfs/xattr.*) of 'make fs/squashfs/xattr.o EXTRA_CFLAGS=-fdump-tree-all'?
The problem occurs also with hardened-sources-4.0.2.

It occurs if (and only if) squashing a filesystem which contains xattrs (paxmarks) and which is mounted as squashfs (i.e. overlayfs is not necessary to trigger the problem). Thus, a way to reproduce the problem is here:

mkdir x
cp -p /bin/bash x
paxctl-ng -lm x/bash
mksquashfs x x.sfs -comp xz
mount -t squashfs x.sfs x
mksquashfs x y.sfs -comp xz

The last command will get killed, leaving the reported syslog error. Surprisingly, e.g. tar'ing or zip'ing does not cause such problems.

To your other questions:

2. gcc-5.1.0, but the problem occurred also when the kernel was compiled with gcc-4.9.2

1. I don't know how to get a backtrace for a "killed" program:

$ gdb --args mksquashfs x y.sfs
[...]
Reading symbols from mksquashfs...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/bin/mksquashfs x y.sfs
warning: Cannot call inferior functions, Linux kernel PaX protection forbids return to non-executable pages!
Parallel mksquashfs: Using 2 processors
Creating 4.0 filesystem on y.sfs, block size 131072.
[LWP 16509 exited]

Program terminated with signal SIGKILL, Killed.
The program no longer exists.
(gdb) bt
No stack.

3. The files are compressed 548K. Are you sure that I should post them on bugzilla?
(In reply to Martin Väth from comment #4)
> 1. I don't know how to get a backtrace for a "killed" program:

I meant the kernel backtrace, and you should enable frame pointers in the kernel config for that.

> 3. The files are compressed 548K.
> Are you sure that I should post them on bugzilla?

You can just email them to Emese and me.
Hi, Could you please try this patch and send me the results from dmesg? --- fs/squashfs/xattr.c.orig 2015-05-10 21:54:49.762914343 +0200 +++ fs/squashfs/xattr.c 2015-05-10 21:56:36.134920516 +0200 @@ -107,6 +107,7 @@ ssize_t squashfs_listxattr(struct dentry if (err < 0) goto failed; } + printk(KERN_ERR "buffer_size: %lx rest: %lx\n", buffer_size, rest); err = buffer_size - rest; failed:
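Review bot: the format string uses `%lx` for `buffer_size` and `rest`, but both are `size_t` (the driver declares `size_t rest = buffer_size;`), so `%zx` is the matching specifier and avoids a format warning on 32-bit builds. Printing at KERN_ERR on every listxattr() call is fine for a one-off diagnostic but should not survive into the eventual fix.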
buffer_size: 0 rest: fffffffffffffff1
(In reply to Martin Väth from comment #7)
> buffer_size: 0 rest: fffffffffffffff1

this means that the code relies on (unsigned) integer overflow which is well defined by C per se but for size calculation purposes we explicitly want to avoid it (at least that's the point of the size overflow plugin ;). so we'll have to patch this code to avoid the overflow, we'll keep you posted.
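The wraparound described in the comment above, reproduced in user-space C as an added example (this is not code from the thread or from the squashfs driver). The xattr names in `sample_names` are constructed stand-ins for the entries squashfs_listxattr() reads from the xattr table; `list_with_rest` mirrors the original "remaining space" accounting and `list_with_used` the "bytes consumed" accounting. In the size-query call (NULL buffer, size 0) the `rest` counter goes below zero and wraps, and the final `buffer_size - rest` only yields the right total by wrapping back, which is what the size overflow plugin flags; the `used` counter never needs to wrap.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample xattr names; they stand in for the entries that the
 * real squashfs_listxattr() reads from the on-disk xattr table. */
static const char *const sample_names[] = {
    "user.pax.flags",      /* 14 chars + NUL = 15 bytes */
    "security.selinux",    /* 16 chars + NUL = 17 bytes */
    "user.comment",        /* 12 chars + NUL = 13 bytes */
};
#define NUM_NAMES (sizeof(sample_names) / sizeof(sample_names[0]))

/* Original accounting: 'rest' starts at buffer_size and is decremented for
 * every name, including in the size-query call (buffer == NULL, size 0).
 * There it wraps below zero, and the final buffer_size - rest only produces
 * the right answer by wrapping back. *rest_out exposes the raw counter. */
ssize_t list_with_rest(char *buffer, size_t buffer_size, size_t *rest_out)
{
    size_t rest = buffer_size;

    for (size_t i = 0; i < NUM_NAMES; i++) {
        size_t len = strlen(sample_names[i]) + 1;   /* name plus NUL */

        if (buffer) {
            if (len > rest)
                return -ERANGE;
            memcpy(buffer, sample_names[i], len);
            buffer += len;
        }
        rest -= len;   /* unsigned wrap when buffer_size == 0 */
    }
    if (rest_out)
        *rest_out = rest;
    return (ssize_t)(buffer_size - rest);   /* wraps back to the total */
}

/* Fixed accounting: count bytes consumed in 'used'. The only subtraction,
 * buffer_size - used, is evaluated inside 'if (buffer)', where the range
 * check keeps used <= buffer_size, so it can never wrap. */
ssize_t list_with_used(char *buffer, size_t buffer_size)
{
    size_t used = 0;

    for (size_t i = 0; i < NUM_NAMES; i++) {
        size_t len = strlen(sample_names[i]) + 1;

        if (buffer) {
            if (len > buffer_size - used)
                return -ERANGE;
            memcpy(buffer, sample_names[i], len);
            buffer += len;
        }
        used += len;
    }
    return (ssize_t)used;
}

/* Helpers that drive both variants through the listxattr call pattern. */
size_t rest_after_query(void)
{
    size_t rest = 0;
    list_with_rest(NULL, 0, &rest);   /* size query: NULL buffer, size 0 */
    return rest;
}

static char out[64];

/* Fill 'out' with the fixed variant, pretending the buffer is 'size' bytes. */
ssize_t fill_with_used(size_t size)
{
    memset(out, 0, sizeof out);
    return list_with_used(out, size < sizeof out ? size : sizeof out);
}

/* Check that a large enough buffer receives the NUL-separated name list. */
int output_is_packed(void)
{
    static const char expect[] = "user.pax.flags\0security.selinux\0user.comment";
    return fill_with_used(sizeof out) == (ssize_t)sizeof expect &&
           memcmp(out, expect, sizeof expect) == 0;
}

int main(void)
{
    printf("query (rest): %zd, raw rest counter: 0x%zx\n",
           list_with_rest(NULL, 0, NULL), rest_after_query());
    printf("query (used): %zd\n", list_with_used(NULL, 0));
    printf("16-byte buffer: %zd (-ERANGE is %d)\n", fill_with_used(16), -ERANGE);
    printf("64-byte buffer packed correctly: %d\n", output_is_packed());
    return 0;
}
```

With the three constructed names the query returns 45 in both variants, but only because `rest` has wrapped to 0 minus 45 in the first one; a 16-byte buffer holds the first name and then fails with -ERANGE in both.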
can you try the following patch (whitespace damaged)? --- a/fs/squashfs/xattr.c 2012-12-11 04:30:57.000000000 +0100 +++ b/fs/squashfs/xattr.c 2015-05-11 01:18:49.494609079 +0200 @@ -46,8 +46,8 @@ + msblk->xattr_table; int offset = SQUASHFS_XATTR_OFFSET(squashfs_i(inode)->xattr); int count = squashfs_i(inode)->xattr_count; - size_t rest = buffer_size; - int err; + size_t used = 0; + ssize_t err; /* check that the file system has xattrs */ if (msblk->xattr_id_table == NULL) @@ -68,11 +68,11 @@ name_size = le16_to_cpu(entry.size); handler = squashfs_xattr_handler(le16_to_cpu(entry.type)); if (handler) - prefix_size = handler->list(d, buffer, rest, NULL, + prefix_size = handler->list(d, buffer, buffer ? buffer_size - used : 0, NULL, name_size, handler->flags); if (prefix_size) { if (buffer) { - if (prefix_size + name_size + 1 > rest) { + if (prefix_size + name_size + 1 > buffer_size - used) { err = -ERANGE; goto failed; } @@ -86,7 +86,7 @@ buffer[name_size] = '\0'; buffer += name_size + 1; } - rest -= prefix_size + name_size + 1; + used += prefix_size + name_size + 1; } else { /* no handler or insuffficient privileges, so skip */ err = squashfs_read_metadata(sb, NULL, &start, @@ -107,7 +107,7 @@ if (err < 0) goto failed; } - err = buffer_size - rest; + err = used; failed: return err;
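Review bot: the guard `buffer ? buffer_size - used : 0` in the `handler->list()` call deserves a code comment, since it is the core of the fix: in the size-query path (`buffer == NULL`, `buffer_size == 0`) `used` keeps growing past `buffer_size`, so an unguarded subtraction would underflow exactly as the old `rest -= ...` did (the `rest: fffffffffffffff1` report). The other subtraction, `prefix_size + name_size + 1 > buffer_size - used`, is only reached inside `if (buffer)`, after which the range check maintains `used <= buffer_size`, so it is safe as written. Changing `err` from `int` to `ssize_t` matches the function's declared return type; the final `err = used` assigns a `size_t` to it, which is the intended non-negative result.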
The patch works
(In reply to Martin Väth from comment #10) > The patch works I tested and this is fixed in hardened-sources-4.0.4.ebuild which I just added to the tree. Reopen if this is still an issue.