Bug 567012 - sys-kernel/hardened-sources-4.2.6-r6 - PAX: size overflow detected in function __make_request drivers/md/raid10.c:1436
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Kernel Team (OBSOLETE)
Reported: 2015-11-28 08:08 UTC by Alexander Tsoy
Modified: 2015-12-01 11:46 UTC
Description Alexander Tsoy 2015-11-28 08:08:27 UTC
I added debug output as requested in bug #566316 (so line number changed to 1444).

...
[  424.618912] md/raid10:md127: r10_bio->sector: 88989696, max_sectors: 1024, bio->bi_iter.bi_sector: 88989696
[  424.628676] md/raid10:md127: r10_bio->sector: 88990720, max_sectors: 1024, bio->bi_iter.bi_sector: 88990720
[  424.638436] md/raid10:md127: r10_bio->sector: 88991744, max_sectors: 1024, bio->bi_iter.bi_sector: 88991744
[  424.648202] md/raid10:md127: r10_bio->sector: 88992768, max_sectors: 16, bio->bi_iter.bi_sector: 88992768
[  424.657779] md/raid10:md127: r10_bio->sector: 141560208, max_sectors: 32, bio->bi_iter.bi_sector: 141560208
[  424.667546] md/raid10:md127: r10_bio->sector: 1107097904, max_sectors: 8, bio->bi_iter.bi_sector: 1107097904
[  424.677391] md/raid10:md127: r10_bio->sector: 1159597040, max_sectors: 8, bio->bi_iter.bi_sector: 1159597040
[  424.687243] md/raid10:md127: r10_bio->sector: -615032288, max_sectors: 96, bio->bi_iter.bi_sector: -615032288
[  424.697178] md/raid10:md127: r10_bio->sector: 1243388224, max_sectors: 8, bio->bi_iter.bi_sector: 1243388224
[  424.707027] PAX: size overflow detected in function __make_request drivers/md/raid10.c:1444 cicus.695_560 max, count: 79, decl: sector; num: 0; context: r10bio;
[  424.721416] CPU: 5 PID: 574 Comm: dmcrypt_write Not tainted 4.2.6-hardened-r6 #2
[  424.728828] Hardware name: Supermicro H8SCM/H8SCM, BIOS 3.5        11/25/2013
[  424.735963]  ffffc9000274bad8 0000000000000000 0000000000000000 ffffc9000274bb08
[  424.743445]  ffffffff81a49123 ffff880436d4ecb0 ffffffff81e3ab11 ffffc9000274bb38
[  424.750952]  ffffffff81202396 0000000000000000 0000000000000001 000000014a1c9940
[  424.758435] Call Trace:
[  424.760904]  [<ffffffff81a49123>] dump_stack+0x45/0x5d
[  424.766043]  [<ffffffff81202396>] report_size_overflow+0x36/0x40
[  424.772058]  [<ffffffff81712d81>] __make_request+0xbb1/0x1750
[  424.777813]  [<ffffffff8148aad0>] ? blk_start_plug+0x60/0x60
[  424.783475]  [<ffffffff814df5dc>] ? list_sort+0x17c/0x290
[  424.788894]  [<ffffffff81733909>] ? md_write_start+0x79/0x180
[  424.794643]  [<ffffffff810e2e39>] ? __wake_up+0x49/0x60
[  424.799863]  [<ffffffff8171399d>] make_request+0x7d/0x1f0
[  424.805266]  [<ffffffff81731049>] md_make_request+0xe9/0x210
[  424.810939]  [<ffffffff8148d503>] generic_make_request+0xd3/0x110
[  424.817027]  [<ffffffff81757cb2>] dmcrypt_write+0x1a2/0x1c0
[  424.822621]  [<ffffffff810ce180>] ? wake_up_q+0x80/0x80
[  424.827848]  [<ffffffff81757b10>] ? crypt_iv_lmk_dtr+0x60/0x60
[  424.833693]  [<ffffffff810c3e75>] kthread+0xd5/0xf0
[  424.838574]  [<ffffffff810c3da0>] ? kthread_create_on_node+0x190/0x190
[  424.845099]  [<ffffffff81a522ce>] ret_from_fork+0x3e/0x70
[  424.850502]  [<ffffffff810c3da0>] ? kthread_create_on_node+0x190/0x190
[  424.857037] ------------[ cut here ]------------
[  424.861670] WARNING: CPU: 5 PID: 574 at kernel/exit.c:667 do_exit+0x62/0xb90()
[  424.868925] Modules linked in: xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 bridge stp llc ebtable_filter ebtables bnep bluetooth xt_limit xt_comment xt_recent xt_multiport iptable_raw xt_nat iptable_nat nf_nat_ipv4 nf_nat w83795 jc42 pcspkr sp5100_tco e1000e shpchp sch_fq_codel tcp_yeah tcp_vegas mgag200 syscopyarea sysfillrect sysimgblt radeon drm_kms_helper ttm vhost_scsi target_core_mod vhost_net tun vhost macvtap macvlan nf_conntrack_netbios_ns nf_conntrack_broadcast kvm_amd kvm ipmi_si ipmi_devintf ipmi_msghandler fuse eeprom
[  424.917908] CPU: 5 PID: 574 Comm: dmcrypt_write Not tainted 4.2.6-hardened-r6 #2
[  424.925295] Hardware name: Supermicro H8SCM/H8SCM, BIOS 3.5        11/25/2013
[  424.932443]  0000000000000007 0000000000000000 0000000000000000 ffffc9000274b9f8
[  424.939960]  ffffffff81a49123 ffff880436d4ecb0 0000000000000000 ffffc9000274ba38
[  424.947473]  ffffffff8109f680 ffffc9000274ba38 ffff88041e94c7c0 0000000000000009
[  424.955008] Call Trace:
[  424.957461]  [<ffffffff81a49123>] dump_stack+0x45/0x5d
[  424.962604]  [<ffffffff8109f680>] warn_slowpath_common+0x90/0xe0
[  424.968612]  [<ffffffff8109f7c7>] warn_slowpath_null+0x27/0x30
[  424.974448]  [<ffffffff810a1da2>] do_exit+0x62/0xb90
[  424.979420]  [<ffffffff810a2968>] do_group_exit+0x48/0xc0
[  424.984830]  [<ffffffff812023a0>] report_size_overflow+0x40/0x40
[  424.990841]  [<ffffffff81712d81>] __make_request+0xbb1/0x1750
[  424.996592]  [<ffffffff8148aad0>] ? blk_start_plug+0x60/0x60
[  425.002264]  [<ffffffff814df5dc>] ? list_sort+0x17c/0x290
[  425.007673]  [<ffffffff81733909>] ? md_write_start+0x79/0x180
[  425.013424]  [<ffffffff810e2e39>] ? __wake_up+0x49/0x60
[  425.018658]  [<ffffffff8171399d>] make_request+0x7d/0x1f0
[  425.024058]  [<ffffffff81731049>] md_make_request+0xe9/0x210
[  425.029725]  [<ffffffff8148d503>] generic_make_request+0xd3/0x110
[  425.035827]  [<ffffffff81757cb2>] dmcrypt_write+0x1a2/0x1c0
[  425.041398]  [<ffffffff810ce180>] ? wake_up_q+0x80/0x80
[  425.046629]  [<ffffffff81757b10>] ? crypt_iv_lmk_dtr+0x60/0x60
[  425.052472]  [<ffffffff810c3e75>] kthread+0xd5/0xf0
[  425.057348]  [<ffffffff810c3da0>] ? kthread_create_on_node+0x190/0x190
[  425.063887]  [<ffffffff81a522ce>] ret_from_fork+0x3e/0x70
[  425.069297]  [<ffffffff810c3da0>] ? kthread_create_on_node+0x190/0x190
[  425.075824] ---[ end trace 6f392e8be0ae1bf6 ]---
Comment 1 PaX Team 2015-11-28 12:23:54 UTC
what was the format string you used? should be %lx to get the full 64 bit values.
Comment 2 Alexander Tsoy 2015-11-28 13:01:48 UTC
(In reply to PaX Team from comment #1)
> what was the format string you used? should be %lx to get the full 64 bit
> values.

Oops. It was %d. :) Shouldn't it be %llu or %llx instead?
Comment 3 PaX Team 2015-11-28 14:19:49 UTC
(In reply to Alexander Tsoy from comment #2)
> (In reply to PaX Team from comment #1)
> > what was the format string you used? should be %lx to get the full 64 bit
> > values.
> 
> Oops. It was %d. :) Shouldn't it be %llu or %llx instead?

%lx is fine for 64 bit archs, these types have the same size.
Comment 4 Alexander Tsoy 2015-11-28 21:10:49 UTC
Now it should be better:

...
[  125.671100] md/raid10:md127: r10_bio->sector: ffb80300, max_sectors: 18, bio->bi_iter.bi_sector: ffb80300
[  125.680682] md/raid10:md127: r10_bio->sector: ffb80318, max_sectors: 10, bio->bi_iter.bi_sector: ffb80318
[  125.690277] md/raid10:md127: r10_bio->sector: ffb80328, max_sectors: 18, bio->bi_iter.bi_sector: ffb80328
[  125.699861] md/raid10:md127: r10_bio->sector: ffb80340, max_sectors: 8, bio->bi_iter.bi_sector: ffb80340
[  125.709369] md/raid10:md127: r10_bio->sector: 10d176a30, max_sectors: 8, bio->bi_iter.bi_sector: 10d176a30
[  125.719045] PAX: size overflow detected in function __make_request drivers/md/raid10.c:1444 cicus.695_560 max, count: 79, decl: sector; num: 0; context: r10bio;
[  125.733421] CPU: 2 PID: 590 Comm: dmcrypt_write Not tainted 4.2.6-hardened-r6 #3
[  125.740830] Hardware name: Supermicro H8SCM/H8SCM, BIOS 3.5        11/25/2013
[  125.747974]  ffffc9000241bad8 0000000000000000 0000000000000000 ffffc9000241bb08
[  125.755494]  ffffffff81a49103 ffff880436c8ecb0 ffffffff81e3ab11 ffffc9000241bb38
[  125.763010]  ffffffff81202376 0000000000000000 0000000000000001 000000010d176a30
[  125.770535] Call Trace:
[  125.773003]  [<ffffffff81a49103>] dump_stack+0x45/0x5d
[  125.778152]  [<ffffffff81202376>] report_size_overflow+0x36/0x40
[  125.784160]  [<ffffffff81712d61>] __make_request+0xbb1/0x1750
[  125.789908]  [<ffffffff817338e9>] ? md_write_start+0x79/0x180
[  125.795667]  [<ffffffff810e2e19>] ? __wake_up+0x49/0x60
[  125.800887]  [<ffffffff8171397d>] make_request+0x7d/0x1f0
[  125.806298]  [<ffffffff81a4dff2>] ? preempt_schedule_common+0x22/0x50
[  125.812749]  [<ffffffff81731029>] md_make_request+0xe9/0x210
[  125.818414]  [<ffffffff8148d4e3>] generic_make_request+0xd3/0x110
[  125.824508]  [<ffffffff81757c92>] dmcrypt_write+0x1a2/0x1c0
[  125.830093]  [<ffffffff810ce170>] ? wake_up_q+0x80/0x80
[  125.835315]  [<ffffffff81757af0>] ? crypt_iv_lmk_dtr+0x60/0x60
[  125.841160]  [<ffffffff810c3e65>] kthread+0xd5/0xf0
[  125.846033]  [<ffffffff810c3d90>] ? kthread_create_on_node+0x190/0x190
[  125.852582]  [<ffffffff81a522ce>] ret_from_fork+0x3e/0x70
[  125.857983]  [<ffffffff810c3d90>] ? kthread_create_on_node+0x190/0x190
[  125.864518] ------------[ cut here ]------------
[  125.869147] WARNING: CPU: 2 PID: 590 at kernel/exit.c:667 do_exit+0x62/0xb90()
[  125.876381] Modules linked in: xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 bridge stp llc ebtable_filter ebtables bnep bluetooth xt_limit xt_comment xt_recent iptable_raw xt_nat xt_multiport iptable_nat nf_nat_ipv4 nf_nat w83795 jc42 pcspkr e1000e sp5100_tco shpchp sch_fq_codel tcp_yeah tcp_vegas mgag200 syscopyarea sysfillrect sysimgblt radeon drm_kms_helper ttm vhost_scsi target_core_mod vhost_net tun vhost macvtap macvlan nf_conntrack_netbios_ns nf_conntrack_broadcast kvm_amd kvm ipmi_si ipmi_devintf ipmi_msghandler fuse eeprom
[  125.925379] CPU: 2 PID: 590 Comm: dmcrypt_write Not tainted 4.2.6-hardened-r6 #3
[  125.932766] Hardware name: Supermicro H8SCM/H8SCM, BIOS 3.5        11/25/2013
[  125.939910]  0000000000000007 0000000000000000 0000000000000000 ffffc9000241b9f8
[  125.947406]  ffffffff81a49103 ffff880436c8ecb0 0000000000000000 ffffc9000241ba38
[  125.954887]  ffffffff8109f670 ffffc9000241ba38 ffff880420848000 0000000000000009
[  125.962386] Call Trace:
[  125.964842]  [<ffffffff81a49103>] dump_stack+0x45/0x5d
[  125.969993]  [<ffffffff8109f670>] warn_slowpath_common+0x90/0xe0
[  125.976002]  [<ffffffff8109f7b7>] warn_slowpath_null+0x27/0x30
[  125.981836]  [<ffffffff810a1d92>] do_exit+0x62/0xb90
[  125.986808]  [<ffffffff810a2958>] do_group_exit+0x48/0xc0
[  125.992219]  [<ffffffff81202380>] report_size_overflow+0x40/0x40
[  125.998228]  [<ffffffff81712d61>] __make_request+0xbb1/0x1750
[  126.003979]  [<ffffffff817338e9>] ? md_write_start+0x79/0x180
[  126.009737]  [<ffffffff810e2e19>] ? __wake_up+0x49/0x60
[  126.014965]  [<ffffffff8171397d>] make_request+0x7d/0x1f0
[  126.020378]  [<ffffffff81a4dff2>] ? preempt_schedule_common+0x22/0x50
[  126.026819]  [<ffffffff81731029>] md_make_request+0xe9/0x210
[  126.032491]  [<ffffffff8148d4e3>] generic_make_request+0xd3/0x110
[  126.038588]  [<ffffffff81757c92>] dmcrypt_write+0x1a2/0x1c0
[  126.044163]  [<ffffffff810ce170>] ? wake_up_q+0x80/0x80
[  126.049393]  [<ffffffff81757af0>] ? crypt_iv_lmk_dtr+0x60/0x60
[  126.055237]  [<ffffffff810c3e65>] kthread+0xd5/0xf0
[  126.060113]  [<ffffffff810c3d90>] ? kthread_create_on_node+0x190/0x190
[  126.066658]  [<ffffffff81a522ce>] ret_from_fork+0x3e/0x70
[  126.072062]  [<ffffffff810c3d90>] ? kthread_create_on_node+0x190/0x190
[  126.078591] ---[ end trace a1edf65d89c761ac ]---
Comment 5 PaX Team 2015-11-28 22:19:18 UTC
thanks, so the plugin triggers on a sector value above 4G (is it a block device over 2TB?) as that doesn't fit the int type of the resulting expression (and which gcc internally optimizes down to compute on the int type). in any case, this should be fixed now by using a wider type for the result.
Comment 6 Alexander Tsoy 2015-11-28 22:28:08 UTC
(In reply to PaX Team from comment #5)
> (is it a block device over 2TB?)
Yes.
Comment 7 Alexander Tsoy 2015-12-01 11:46:17 UTC
Fixed in -r7. Thanks!
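
Added example, not part of the original bug report or of the PaX or kernel sources: a small C program that reproduces the arithmetic discussed in comments 1 to 5, using the sector values from the logs above. The helper names are hypothetical, the 512-byte sector size is an assumption, and `exceeds_32bit` is a simplified model of the reported condition, not the size overflow plugin's logic.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512u /* assumed bytes per sector */

/* What "%d" shows in practice for a 64-bit sector: low 32 bits, signed. */
static int32_t as_percent_d(uint64_t sector)
{
    uint32_t low = (uint32_t)sector;
    int32_t shown;
    memcpy(&shown, &low, sizeof shown);
    return shown;
}

/* Recover the low 32 bits from a "%d" log value; the high bits are lost. */
static uint32_t low32_of_percent_d(int32_t shown)
{
    return (uint32_t)shown;
}

/* Simplified model of the reported condition: value needs more than 32 bits. */
static int exceeds_32bit(uint64_t sector)
{
    return sector > UINT32_MAX;
}

/* Byte offset on the block device that a sector number refers to. */
static uint64_t byte_offset(uint64_t sector)
{
    return sector * SECTOR_SIZE;
}

int main(void)
{
    /* Last two sectors logged in comment 4 before the PAX report. */
    const uint64_t logged[] = { 0xffb80340ULL, 0x10d176a30ULL };
    for (size_t i = 0; i < sizeof logged / sizeof logged[0]; i++) {
        uint64_t s = logged[i];
        printf("%#" PRIx64 ": %%d=%" PRId32 " offset=%" PRIu64 " >32bit=%d\n",
               s, as_percent_d(s), byte_offset(s), exceeds_32bit(s));
    }
    /* The negative sector in the description's log, printed with %d. */
    printf("-615032288 -> low 32 bits %#" PRIx32 "\n",
           low32_of_percent_d(-615032288));
    return 0;
}
```

The first sector that needs more than 32 bits corresponds to a byte offset of 2 TiB, which matches the "block device over 2TB" question in comment 5.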