Bug 597792 - PAX: size overflow detected in function ipv6_frag_rcv net/ipv6/reassembly.c:223
Summary: PAX: size overflow detected in function ipv6_frag_rcv net/ipv6/reassembly.c:223
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal with 1 vote
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-22 15:13 UTC by Alexander Wetzel
Modified: 2022-05-28 07:53 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
Kernel panic captured on serial (panic-serial,2.05 KB, text/plain)
2016-10-22 15:13 UTC, Alexander Wetzel
Details
hack.diff (hack.diff,1.13 KB, patch)
2016-10-23 12:39 UTC, Alexander Wetzel
Details | Diff
panic4-suspect2-capture (panic4-suspect2-capture,5.98 KB, text/plain)
2016-10-23 12:41 UTC, Alexander Wetzel
Details
suspect_2.pcap.gz (suspect_2.pcap.gz,2.75 KB, application/x-gzip)
2016-10-23 12:41 UTC, Alexander Wetzel
Details
Proposed/Tested patch by Pax team (pax-overflow2.patch,514 bytes, patch)
2016-10-23 16:46 UTC, Alexander Wetzel
Details | Diff

Description Alexander Wetzel 2016-10-22 15:13:53 UTC
Created attachment 451036 [details]
Kernel panic captured on serial

sys-kernel/hardened-sources-4.7.6 and sys-kernel/hardened-sources-4.7.9 panic, probably on some specific ipv6 packets. (The system is running within libvirt/kvm.)

I only have a full crash log for sys-kernel/hardened-sources-4.7.9, since the crashes did not fit on the screen. (They looked basically the same, only most of the backtrace was visible there.)

The system crashed multiple times today after updating to 4.7.*, normally in the first minute, but so far I have not found out which packet(s) is triggering the crash.

I captured one crash via the serial console and another in the logs after setting pax_size_overflow_report_only.

I plan to find out more and provide more details here.

Speculation:
I also had crashes for another VM running on the same host when using 4.7.7-hardened. Reverting back to 4.7.6-hardened fixed the issue there.
Comment 1 Alexander Wetzel 2016-10-23 12:38:21 UTC
I have captured the packets triggering the pax overflow panic. (I have captured two different occurrences but I'll stick to the latter one here.)

panic4-suspect2-capture shows the log messages and suspect_2.pcap.gz has the packets triggering those messages (frame 16+17).

The logfile also prints out the values of the variables used in the calculation.
See the uploaded diff (hack.diff) for how the printk was constructed.
For these logs only the first printk line from the diff was added to the kernel; the other changes in the patch were not yet present. (The calculation was not touched at all.)

With the full changes in the patch pax no longer detects an overrun, but I suspect the patch is wrong and will sometimes calculate wrong values for temp. (I have now removed the line "temp &= 0xff;" and suspect that will also fix the issue.)

With the full patch I no longer get the Pax Overruns, but here is the debug output of the added printk line for today:

Oct 23 09:33:01 gandalf kernel: DDD ip6_frag_queue  offset=0; payload_len=4d8; fhdr1=cf35ac7e; ipv6_hdr=cf35ac76
Oct 23 09:33:01 gandalf kernel: DDD ip6_frag_queue2 end=4d0
Oct 23 09:33:01 gandalf kernel: DDD ip6_frag_queue  offset=4d0; payload_len=e4; fhdr1=cf35aa7e; ipv6_hdr=cf35aa76
Oct 23 09:33:01 gandalf kernel: DDD ip6_frag_queue2 end=5ac
Oct 23 10:02:34 gandalf kernel: DDD ip6_frag_queue  offset=0; payload_len=4d8; fhdr1=ccf8ea7e; ipv6_hdr=ccf8ea76
Oct 23 10:02:34 gandalf kernel: DDD ip6_frag_queue2 end=4d0
Oct 23 10:02:34 gandalf kernel: DDD ip6_frag_queue  offset=4d0; payload_len=8e; fhdr1=ccf8e87e; ipv6_hdr=ccf8e876
Oct 23 10:02:34 gandalf kernel: DDD ip6_frag_queue2 end=556
Oct 23 11:33:00 gandalf kernel: DDD ip6_frag_queue  offset=0; payload_len=4d8; fhdr1=b7cf87e; ipv6_hdr=b7cf876
Oct 23 11:33:00 gandalf kernel: DDD ip6_frag_queue2 end=4d0
Oct 23 11:33:00 gandalf kernel: DDD ip6_frag_queue  offset=4d0; payload_len=e4; fhdr1=b7cf67e; ipv6_hdr=b7cf676
Oct 23 11:33:00 gandalf kernel: DDD ip6_frag_queue2 end=5ac
Oct 23 13:14:12 gandalf kernel: DDD ip6_frag_queue  offset=0; payload_len=4d8; fhdr1=bd115e7e; ipv6_hdr=bd115e76
Oct 23 13:14:12 gandalf kernel: DDD ip6_frag_queue2 end=4d0
Oct 23 13:14:12 gandalf kernel: DDD ip6_frag_queue  offset=4d0; payload_len=199; fhdr1=bd115c7e; ipv6_hdr=bd115c76
Oct 23 13:14:12 gandalf kernel: DDD ip6_frag_queue2 end=661
Oct 23 13:21:59 gandalf kernel: DDD ip6_frag_queue  offset=0; payload_len=4d8; fhdr1=bde3887e; ipv6_hdr=bde38876
Oct 23 13:21:59 gandalf kernel: DDD ip6_frag_queue2 end=4d0
Oct 23 13:21:59 gandalf kernel: DDD ip6_frag_queue  offset=4d0; payload_len=e4; fhdr1=bde3867e; ipv6_hdr=bde38676
Oct 23 13:21:59 gandalf kernel: DDD ip6_frag_queue2 end=5ac
Oct 23 14:33:02 gandalf kernel: DDD ip6_frag_queue  offset=0; payload_len=4d8; fhdr1=b0ffa47e; ipv6_hdr=b0ffa476
Oct 23 14:33:02 gandalf kernel: DDD ip6_frag_queue2 end=4d0
Oct 23 14:33:02 gandalf kernel: DDD ip6_frag_queue  offset=4d0; payload_len=e4; fhdr1=b0ffa27e; ipv6_hdr=b0ffa276
Oct 23 14:33:02 gandalf kernel: DDD ip6_frag_queue2 end=5ac
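An added example, not part of the bug report or the kernel sources: a Python check that parses the DDD printk lines quoted above, recomputes end from the logged variables and applies the range check that follows it. It assumes the printk logged the two pointer terms of the kernel expression `end = offset + (payload_len - ((u8 *)(fhdr + 1) - (u8 *)(ipv6_hdr + 1)))` as fhdr1 and ipv6_hdr, and that the kernel refuses the fragment when `(unsigned int)end > IPV6_MAXPLEN`.

```python
import re

# Constructed sample: the two DDD printk pairs of the 09:33:01 occurrence quoted
# in comment 1 of Gentoo bug 597792 (all values are hex, as printed by %x).
SAMPLE_LOG = """\
Oct 23 09:33:01 gandalf kernel: DDD ip6_frag_queue  offset=0; payload_len=4d8; fhdr1=cf35ac7e; ipv6_hdr=cf35ac76
Oct 23 09:33:01 gandalf kernel: DDD ip6_frag_queue2 end=4d0
Oct 23 09:33:01 gandalf kernel: DDD ip6_frag_queue  offset=4d0; payload_len=e4; fhdr1=cf35aa7e; ipv6_hdr=cf35aa76
Oct 23 09:33:01 gandalf kernel: DDD ip6_frag_queue2 end=5ac
"""

IPV6_MAXPLEN = 0xFFFF  # largest value the 16-bit IPv6 payload_len field can hold
VARS_RE = re.compile(r"ip6_frag_queue\s+offset=([0-9a-f]+); payload_len=([0-9a-f]+);"
                     r" fhdr1=([0-9a-f]+); ipv6_hdr=([0-9a-f]+)")
END_RE = re.compile(r"ip6_frag_queue2 end=([0-9a-f]+)")

def compute_end(offset, payload_len, fhdr1, ipv6_hdr):
    """Recompute 'end' with unbounded Python ints (no silent wrap).
    Assumed to mirror the kernel's ip6_frag_queue() expression
        end = offset + (payload_len - ((u8 *)(fhdr + 1) - (u8 *)(ipv6_hdr + 1)))
    with the printk logging the two pointer terms as fhdr1 and ipv6_hdr."""
    ext_hdr_len = fhdr1 - ipv6_hdr  # extension-header bytes before the fragment payload
    return offset + (payload_len - ext_hdr_len)

def end_accepted(end):
    """Mirror the kernel's `(unsigned int)end > IPV6_MAXPLEN` check: a negative end
    (payload_len shorter than its extension headers) wraps to a huge unsigned value."""
    return (end & 0xFFFFFFFF) <= IPV6_MAXPLEN

def check_log(text):
    """Pair each variables line with the following end= line; return (offset, end, status)."""
    results, pending = [], None
    for line in text.splitlines():
        m = VARS_RE.search(line)
        if m:
            pending = tuple(int(x, 16) for x in m.groups())
            continue
        m = END_RE.search(line)
        if m and pending is not None:
            end = compute_end(*pending)
            if (end & 0xFFFFFFFF) != int(m.group(1), 16):
                status = "mismatch"   # recomputation disagrees with what the kernel logged
            elif not end_accepted(end):
                status = "rejected"   # the kernel's range check would drop this fragment
            else:
                status = "ok"
            results.append((pending[0], end, status))
            pending = None
    return results
```

For both logged pairs the recomputed end equals the logged value and stays within the 16-bit payload range; a constructed fragment whose payload_len is shorter than its extension headers yields a negative end that end_accepted refuses.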
Comment 2 Alexander Wetzel 2016-10-23 12:39:37 UTC
Created attachment 451094 [details, diff]
hack.diff
Comment 3 Alexander Wetzel 2016-10-23 12:41:23 UTC
Created attachment 451096 [details]
panic4-suspect2-capture
Comment 4 Alexander Wetzel 2016-10-23 12:41:57 UTC
Created attachment 451098 [details]
suspect_2.pcap.gz
Comment 5 Alexander Wetzel 2016-10-23 13:56:59 UTC
Asked for support from the PAX team:
https://forums.grsecurity.net/viewtopic.php?f=3&t=4594
Comment 6 Anthony Basile gentoo-dev 2016-10-23 14:30:23 UTC
I'm passing this upstream.  Unfortunately I'm going to have to stabilize 4.7.9 for CVE-2016-5195
Comment 7 Alexander Wetzel 2016-10-23 16:46:01 UTC
Created attachment 451160 [details, diff]
Proposed/Tested patch by Pax team

The patch proposed on the PAX mailing list works for me.

Guess it's too late to get that added to sys-kernel/hardened-sources-4.7.9 prior to stabilizing it? 

Without this patch sys-kernel/hardened-sources-4.7.6 and 
sys-kernel/hardened-sources-4.7.9 are just waiting to crash if they have an ipv6 connection...
Comment 8 PaX Team 2016-10-23 17:28:04 UTC
(In reply to alexander.wetzel from comment #7)
> Without this patch sys-kernel/hardened-sources-4.7.6 and 
> sys-kernel/hardened-sources-4.7.9 are just waiting to crash if they have an
> ipv6 connection...
only if they enable PAX_SIZE_OVERFLOW_EXTRA.