Bug 609500 - sys-kernel/hardened-sources-4.8.17-r2: PAX: size overflow detected in function mwifiex_alloc_dma_align_buf ./include/linux/skbuff.h:2009
Summary: sys-kernel/hardened-sources-4.8.17-r2: PAX: size overflow detected in functio...
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-16 10:26 UTC by René Korthaus
Modified: 2018-10-12 00:29 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
dmesg output (dmesg, 54.85 KB, text/plain)
2017-02-16 10:30 UTC, René Korthaus
kernel config (kernel.config, 106.70 KB, text/plain)
2017-02-16 10:30 UTC, René Korthaus

Description René Korthaus 2017-02-16 10:26:47 UTC
4.8.17-hardened-r2 with CONFIG_PAX_SIZE_OVERFLOW errors when the Marvell WiFi PCIe driver is enabled as a kernel module (CONFIG_MWIFIEX_PCIE=m).

Booting with pax_size_overflow_report only reported:

[    6.565840] mwifiex_pcie 0000:02:00.0: enabling device (0000 -> 0002)
[    6.566101] mwifiex_pcie: try set_consistent_dma_mask(32)
[    6.566124] mwifiex_pcie: PCI memory map Virt0: ffffc90001200000 PCI memory map Virt2: ffffc90001400000
[    6.566185] PAX: size overflow detected in function mwifiex_alloc_dma_align_buf drivers/net/wireless/marvell/mwifiex/util.c:764 cicus.149_30 min, count: 2, decl: tail; num: 0; context: sk_buff;
[    6.566215] CPU: 2 PID: 3818 Comm: systemd-udevd Tainted: G     U          4.8.17-hardened-r2 #1
[    6.566217] Hardware name: Microsoft Corporation Surface Pro 4/Surface Pro 4, BIOS 106.1281.768 08/01/2016
[    6.566218]  0000000000000286 0000000000000286 ffffc9000531b9f0 ffffffff813ba6e9
[    6.566221]  0000000000000001 ffffffffa002d91a 00000000000002fc ffffc9000531ba20
[    6.566223]  ffffffff811d0924 0000000000000080 ffff88045a1e4100 ffff88045a470080
[    6.566225] Call Trace:
[    6.566231]  [<ffffffff813ba6e9>] dump_stack+0x4e/0x71
[    6.566236]  [<ffffffffa002d91a>] ? bss_modes+0x1e5a/0xadcc [mwifiex]
[    6.566240]  [<ffffffff811d0924>] report_size_overflow+0x3f/0x7a
[    6.566244]  [<ffffffffa000a592>] mwifiex_alloc_dma_align_buf+0x117/0x189 [mwifiex]
[    6.566247]  [<ffffffffa004e391>] mwifiex_pcie_init+0x55c/0xac1 [mwifiex_pcie]
[    6.566249]  [<ffffffffa004e391>] ? mwifiex_pcie_init+0x55c/0xac1 [mwifiex_pcie]
[    6.566251]  [<ffffffffa0051740>] ? mwifiex_reg_8997+0x80/0x80 [mwifiex_pcie]
[    6.566252]  [<ffffffffa0051740>] ? mwifiex_reg_8997+0x80/0x80 [mwifiex_pcie]
[    6.566255]  [<ffffffff811b2797>] ? kmem_cache_alloc+0xb1/0xd6
[    6.566258]  [<ffffffffa0005115>] mwifiex_add_card+0x9b/0x44a [mwifiex]
[    6.566260]  [<ffffffffa0051580>] ? mwifiex_ids+0xc0/0xc0 [mwifiex_pcie]
[    6.566261]  [<ffffffff811b2797>] ? kmem_cache_alloc+0xb1/0xd6
[    6.566263]  [<ffffffffa00514e0>] ? mwifiex_ids+0x20/0xc0 [mwifiex_pcie]
[    6.566265]  [<ffffffffa00514e0>] ? mwifiex_ids+0x20/0xc0 [mwifiex_pcie]
[    6.566267]  [<ffffffffa004d676>] mwifiex_pcie_probe+0x7f/0xa6 [mwifiex_pcie]
[    6.566269]  [<ffffffff81401336>] pci_device_probe+0x8f/0xfd
[    6.566272]  [<ffffffff816a5879>] driver_probe_device+0x145/0x2be
[    6.566273]  [<ffffffff816a5a70>] __driver_attach+0x7e/0xa6
[    6.566275]  [<ffffffff816a59f2>] ? driver_probe_device+0x2be/0x2be
[    6.566276]  [<ffffffff816a3be0>] bus_for_each_dev+0x7c/0x9c
[    6.566277]  [<ffffffff816a52d8>] driver_attach+0x1d/0x26
[    6.566279]  [<ffffffff816a4e9a>] bus_add_driver+0xe7/0x1f0
[    6.566281]  [<ffffffffa0052bd6>] ? mwifiex_reg_8766+0x1416/0x226d [mwifiex_pcie]
[    6.566282]  [<ffffffff816a6300>] driver_register+0x89/0xcb
[    6.566284]  [<ffffffffa0052bd6>] ? mwifiex_reg_8766+0x1416/0x226d [mwifiex_pcie]
[    6.566286]  [<ffffffff813ffbea>] __pci_register_driver+0x5e/0x6c
[    6.566288]  [<ffffffffa005121a>] ? mwifiex_pcie_work+0x44e/0x44e [mwifiex_pcie]
[    6.566290]  [<ffffffffa005126a>] mwifiex_pcie_init_module+0x50/0x6f [mwifiex_pcie]
[    6.566292]  [<ffffffff8100058c>] do_one_initcall+0xa5/0x133
[    6.566295]  [<ffffffff811646ed>] do_init_module+0x61/0x1d5
[    6.566297]  [<ffffffff8112fb0e>] load_module+0x208b/0x20b0
[    6.566298]  [<ffffffff811d02e5>] ? kernel_read_file+0x1c5/0x272
[    6.566300]  [<ffffffffa00560b0>] ? mwifiex_reg_8766+0x48f0/0x5530 [mwifiex_pcie]
[    6.566301]  [<ffffffffa0055000>] ? 0xffffffffa0055000
[    6.566303]  [<ffffffffa0052cb8>] ? mwifiex_reg_8766+0x14f8/0x226d [mwifiex_pcie]
[    6.566305]  [<ffffffff8112fe97>] sys_finit_module+0xac/0xbf
[    6.566307]  [<ffffffff8112fe97>] ? sys_finit_module+0xac/0xbf
[    6.566309]  [<ffffffff810014fa>] do_syscall_64+0xac/0x156
[    6.566311]  [<ffffffff81b2e9f9>] entry_SYSCALL64_slow_path+0x25/0x25
[    6.566313] PAX: size overflow detected in function mwifiex_alloc_dma_align_buf ./include/linux/skbuff.h:2009 cicus.152_33 max, count: 5, decl: tail; num: 0; context: sk_buff;
[    6.566314] CPU: 2 PID: 3818 Comm: systemd-udevd Tainted: G     U          4.8.17-hardened-r2 #1
[    6.566314] Hardware name: Microsoft Corporation Surface Pro 4/Surface Pro 4, BIOS 106.1281.768 08/01/2016
[    6.566315]  0000000000000286 0000000000000286 ffffc9000531b9f0 ffffffff813ba6e9
[    6.566317]  0000000000000001 ffffffffa002d9da 00000000000007d9 ffffc9000531ba20
[    6.566318]  ffffffff811d0924 000077fc00000080 ffff88045a1e4100 ffff88045a470080
[    6.566320] Call Trace:
[    6.566322]  [<ffffffff813ba6e9>] dump_stack+0x4e/0x71
[    6.566326]  [<ffffffffa002d9da>] ? bss_modes+0x1f1a/0xadcc [mwifiex]
[    6.566327]  [<ffffffff811d0924>] report_size_overflow+0x3f/0x7a
[    6.566331]  [<ffffffffa000a5e6>] mwifiex_alloc_dma_align_buf+0x16b/0x189 [mwifiex]
[    6.566333]  [<ffffffffa004e391>] mwifiex_pcie_init+0x55c/0xac1 [mwifiex_pcie]
[    6.566335]  [<ffffffffa004e391>] ? mwifiex_pcie_init+0x55c/0xac1 [mwifiex_pcie]
[    6.566337]  [<ffffffffa0051740>] ? mwifiex_reg_8997+0x80/0x80 [mwifiex_pcie]
[    6.566338]  [<ffffffffa0051740>] ? mwifiex_reg_8997+0x80/0x80 [mwifiex_pcie]
[    6.566340]  [<ffffffff811b2797>] ? kmem_cache_alloc+0xb1/0xd6
[    6.566343]  [<ffffffffa0005115>] mwifiex_add_card+0x9b/0x44a [mwifiex]
[    6.566345]  [<ffffffffa0051580>] ? mwifiex_ids+0xc0/0xc0 [mwifiex_pcie]
[    6.566346]  [<ffffffff811b2797>] ? kmem_cache_alloc+0xb1/0xd6
[    6.566348]  [<ffffffffa00514e0>] ? mwifiex_ids+0x20/0xc0 [mwifiex_pcie]
[    6.566349]  [<ffffffffa00514e0>] ? mwifiex_ids+0x20/0xc0 [mwifiex_pcie]
[    6.566351]  [<ffffffffa004d676>] mwifiex_pcie_probe+0x7f/0xa6 [mwifiex_pcie]
[    6.566353]  [<ffffffff81401336>] pci_device_probe+0x8f/0xfd
[    6.566354]  [<ffffffff816a5879>] driver_probe_device+0x145/0x2be
[    6.566356]  [<ffffffff816a5a70>] __driver_attach+0x7e/0xa6
[    6.566357]  [<ffffffff816a59f2>] ? driver_probe_device+0x2be/0x2be
[    6.566358]  [<ffffffff816a3be0>] bus_for_each_dev+0x7c/0x9c
[    6.566359]  [<ffffffff816a52d8>] driver_attach+0x1d/0x26
[    6.566361]  [<ffffffff816a4e9a>] bus_add_driver+0xe7/0x1f0
[    6.566362]  [<ffffffffa0052bd6>] ? mwifiex_reg_8766+0x1416/0x226d [mwifiex_pcie]
[    6.566364]  [<ffffffff816a6300>] driver_register+0x89/0xcb
[    6.566366]  [<ffffffffa0052bd6>] ? mwifiex_reg_8766+0x1416/0x226d [mwifiex_pcie]
[    6.566367]  [<ffffffff813ffbea>] __pci_register_driver+0x5e/0x6c
[    6.566369]  [<ffffffffa005121a>] ? mwifiex_pcie_work+0x44e/0x44e [mwifiex_pcie]
[    6.566371]  [<ffffffffa005126a>] mwifiex_pcie_init_module+0x50/0x6f [mwifiex_pcie]
[    6.566373]  [<ffffffff8100058c>] do_one_initcall+0xa5/0x133
[    6.566374]  [<ffffffff811646ed>] do_init_module+0x61/0x1d5
[    6.566376]  [<ffffffff8112fb0e>] load_module+0x208b/0x20b0
[    6.566377]  [<ffffffff811d02e5>] ? kernel_read_file+0x1c5/0x272
[    6.566379]  [<ffffffffa00560b0>] ? mwifiex_reg_8766+0x48f0/0x5530 [mwifiex_pcie]
[    6.566380]  [<ffffffffa0055000>] ? 0xffffffffa0055000
[    6.566381]  [<ffffffffa0052cb8>] ? mwifiex_reg_8766+0x14f8/0x226d [mwifiex_pcie]
[    6.566383]  [<ffffffff8112fe97>] sys_finit_module+0xac/0xbf
[    6.566385]  [<ffffffff8112fe97>] ? sys_finit_module+0xac/0xbf
[    6.566387]  [<ffffffff810014fa>] do_syscall_64+0xac/0x156
[    6.566388]  [<ffffffff81b2e9f9>] entry_SYSCALL64_slow_path+0x25/0x25
[    6.566391] PAX: size overflow detected in function mwifiex_alloc_dma_align_buf drivers/net/wireless/marvell/mwifiex/util.c:764 cicus.149_30 min, count: 2, decl: tail; num: 0; context: sk_buff;
[    6.566392] CPU: 2 PID: 3818 Comm: systemd-udevd Tainted: G     U          4.8.17-hardened-r2 #1
[    6.566393] Hardware name: Microsoft Corporation Surface Pro 4/Surface Pro 4, BIOS 106.1281.768 08/01/2016
[    6.566393]  0000000000000286 0000000000000286 ffffc9000531b9f0 ffffffff813ba6e9
[    6.566395]  0000000000000001 ffffffffa002d91a 00000000000002fc ffffc9000531ba20
[    6.566397]  ffffffff811d0924 0000000000000080 ffff880459e21700 ffff88045a442080
[    6.566399] Call Trace:
[    6.566400]  [<ffffffff813ba6e9>] dump_stack+0x4e/0x71
[    6.566404]  [<ffffffffa002d91a>] ? bss_modes+0x1e5a/0xadcc [mwifiex]
[    6.566406]  [<ffffffff811d0924>] report_size_overflow+0x3f/0x7a
[    6.566410]  [<ffffffffa000a592>] mwifiex_alloc_dma_align_buf+0x117/0x189 [mwifiex]
[    6.566411]  [<ffffffffa004e391>] mwifiex_pcie_init+0x55c/0xac1 [mwifiex_pcie]
[    6.566413]  [<ffffffffa004e391>] ? mwifiex_pcie_init+0x55c/0xac1 [mwifiex_pcie]
[    6.566415]  [<ffffffffa0051740>] ? mwifiex_reg_8997+0x80/0x80 [mwifiex_pcie]
[    6.566417]  [<ffffffffa0051740>] ? mwifiex_reg_8997+0x80/0x80 [mwifiex_pcie]
[    6.566420]  [<ffffffffa0005115>] mwifiex_add_card+0x9b/0x44a [mwifiex]
[    6.566422]  [<ffffffffa0051580>] ? mwifiex_ids+0xc0/0xc0 [mwifiex_pcie]
[    6.566423]  [<ffffffff811b2797>] ? kmem_cache_alloc+0xb1/0xd6
[    6.566425]  [<ffffffffa00514e0>] ? mwifiex_ids+0x20/0xc0 [mwifiex_pcie]
[    6.566427]  [<ffffffffa00514e0>] ? mwifiex_ids+0x20/0xc0 [mwifiex_pcie]
[    6.566429]  [<ffffffffa004d676>] mwifiex_pcie_probe+0x7f/0xa6 [mwifiex_pcie]
[    6.566430]  [<ffffffff81401336>] pci_device_probe+0x8f/0xfd
[    6.566432]  [<ffffffff816a5879>] driver_probe_device+0x145/0x2be
[    6.566433]  [<ffffffff816a5a70>] __driver_attach+0x7e/0xa6
[    6.566434]  [<ffffffff816a59f2>] ? driver_probe_device+0x2be/0x2be
[    6.566435]  [<ffffffff816a3be0>] bus_for_each_dev+0x7c/0x9c
[    6.566437]  [<ffffffff816a52d8>] driver_attach+0x1d/0x26
[    6.566438]  [<ffffffff816a4e9a>] bus_add_driver+0xe7/0x1f0
[    6.566440]  [<ffffffffa0052bd6>] ? mwifiex_reg_8766+0x1416/0x226d [mwifiex_pcie]
[    6.566441]  [<ffffffff816a6300>] driver_register+0x89/0xcb
[    6.566443]  [<ffffffffa0052bd6>] ? mwifiex_reg_8766+0x1416/0x226d [mwifiex_pcie]
[    6.566444]  [<ffffffff813ffbea>] __pci_register_driver+0x5e/0x6c
[    6.566446]  [<ffffffffa005121a>] ? mwifiex_pcie_work+0x44e/0x44e [mwifiex_pcie]
[    6.566448]  [<ffffffffa005126a>] mwifiex_pcie_init_module+0x50/0x6f [mwifiex_pcie]
[    6.566450]  [<ffffffff8100058c>] do_one_initcall+0xa5/0x133
[    6.566452]  [<ffffffff811646ed>] do_init_module+0x61/0x1d5
[    6.566453]  [<ffffffff8112fb0e>] load_module+0x208b/0x20b0
[    6.566455]  [<ffffffff811d02e5>] ? kernel_read_file+0x1c5/0x272
[    6.566456]  [<ffffffffa00560b0>] ? mwifiex_reg_8766+0x48f0/0x5530 [mwifiex_pcie]
[    6.566457]  [<ffffffffa0055000>] ? 0xffffffffa0055000
[    6.566459]  [<ffffffffa0052cb8>] ? mwifiex_reg_8766+0x14f8/0x226d [mwifiex_pcie]
[    6.566461]  [<ffffffff8112fe97>] sys_finit_module+0xac/0xbf
[    6.566462]  [<ffffffff8112fe97>] ? sys_finit_module+0xac/0xbf
[    6.566464]  [<ffffffff810014fa>] do_syscall_64+0xac/0x156
[    6.566466]  [<ffffffff81b2e9f9>] entry_SYSCALL64_slow_path+0x25/0x25
[    6.566509] mwifiex: rx work enabled, cpus 8
[    7.596127] mwifiex_pcie 0000:02:00.0: info: FW download over, size 803884 bytes

Reproducible: Always
Comment 1 René Korthaus 2017-02-16 10:30:13 UTC
Created attachment 463914 [details]
dmesg output
Comment 2 René Korthaus 2017-02-16 10:30:36 UTC
Created attachment 463916 [details]
kernel config
Comment 3 Anthony Basile gentoo-dev 2017-02-16 12:01:53 UTC
Okay, passing this upstream.
Comment 4 PaX Team 2017-02-16 15:49:18 UTC
Note: we've moved to 4.9 in the meantime; however, the following workaround should apply to 4.8 too. Can you test it, please?

--- a/drivers/net/wireless/marvell/mwifiex/util.c       2016-12-13 12:11:36.927700689 +0100
+++ b/drivers/net/wireless/marvell/mwifiex/util.c 2017-02-16 16:47:48.362832854 +0100
@@ -751,7 +751,7 @@
 void *mwifiex_alloc_dma_align_buf(int rx_len, gfp_t flags)
 {
        struct sk_buff *skb;
-       int buf_len, pad;
+       long buf_len, pad;

        buf_len = rx_len + MWIFIEX_RX_HEADROOM + MWIFIEX_DMA_ALIGN_SZ;
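Review bot: the declaration change in this hunk (`int buf_len, pad;` to `long buf_len, pad;`) only widens the type in which `rx_len + MWIFIEX_RX_HEADROOM + MWIFIEX_DMA_ALIGN_SZ` is evaluated; `rx_len` is still an `int` parameter and nothing visible bounds it, so please add a comment saying that this silences the size-overflow plugin's check on the sum rather than validating the requested length, and consider rejecting negative or oversized `rx_len` before the addition. The reports quoted in the description point at the `sk_buff` tail arithmetic in `./include/linux/skbuff.h:2009` as well as `util.c:764`, so any caller that narrows `buf_len` back to an `int`-sized skb helper still depends on that bound.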
Comment 5 René Korthaus 2017-02-16 21:57:34 UTC
Patch works fine on 4.8.17-hardened-r2. Thank you.
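The following is an added illustration, not code from the bug report, from the mwifiex driver or from the PaX Team's patch. It shows what the size-overflow instrumentation quoted in the description is checking at util.c:764 (the sum `rx_len + MWIFIEX_RX_HEADROOM + MWIFIEX_DMA_ALIGN_SZ` built in an int) and why the workaround in Comment 4 of widening the variable to long makes the report disappear on x86_64. The two constants are assumed values for the illustration, not the driver's real definitions; the inputs fed through main() are constructed.

```c
#include <limits.h>
#include <stdio.h>

/* Assumed values for the illustration; the driver's real constants live
 * under drivers/net/wireless/marvell/mwifiex/ and may differ. */
#define MWIFIEX_RX_HEADROOM   64
#define MWIFIEX_DMA_ALIGN_SZ  64

/* The sum that util.c:764 builds in an int, with the checks the PaX
 * size-overflow plugin performs at run time made explicit.  Returns the
 * buffer length, or -1 where the plugin would print
 * "size overflow detected" (and where a caller should refuse the request). */
long dma_align_buf_len_checked(int rx_len)
{
    int buf_len;

    if (rx_len < 0)
        return -1;                /* a negative length is never a valid request */
    if (__builtin_add_overflow(rx_len, MWIFIEX_RX_HEADROOM, &buf_len))
        return -1;                /* int sum wrapped: report instead of allocating */
    if (__builtin_add_overflow(buf_len, MWIFIEX_DMA_ALIGN_SZ, &buf_len))
        return -1;
    return buf_len;
}

/* The same sum in the wider type of the workaround.  On LP64 targets
 * (x86_64, as in the report) long is 64-bit, so no int rx_len can overflow
 * it and the plugin has nothing to flag.  Note that rx_len itself is no
 * better validated than before; the range check above is what a caller
 * still needs. */
long dma_align_buf_len_long(int rx_len)
{
    long buf_len = (long)rx_len + MWIFIEX_RX_HEADROOM + MWIFIEX_DMA_ALIGN_SZ;

    return buf_len;
}

int main(void)
{
    /* Constructed inputs: a normal frame size, the largest value that still
     * fits, and one that wraps the int sum. */
    const int samples[] = { 1500, INT_MAX - 128, INT_MAX };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long checked = dma_align_buf_len_checked(samples[i]);

        if (checked >= 0)
            printf("rx_len=%d: buf_len=%ld\n", samples[i], checked);
        else
            printf("rx_len=%d: int sum overflows (PaX would report); long sum=%ld\n",
                   samples[i], dma_align_buf_len_long(samples[i]));
    }
    return 0;
}
```

Compile with gcc or clang (both provide `__builtin_add_overflow`). The checked variant is the behaviour a hardened kernel gives you for free through the plugin; the long variant shows that widening the intermediate removes the overflow rather than the need to bound the length.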