| Summary: | sys-kernel/hardened-sources-4.4.2 PAX size overflow detected in super_1_sync | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Étienne Buira <etienne.buira> |
| Component: | Hardened | Assignee: | The Gentoo Linux Hardened Team <hardened> |
| Status: | RESOLVED OBSOLETE | | |
| Severity: | normal | CC: | etienne.buira, pageexec, re.emese, spender |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://marc.info/?t=145916111500005&r=1&w=2 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Étienne Buira
2016-03-29 10:48:03 UTC
Comment #1 (Anthony Basile)

(In reply to Étienne Buira from comment #0)
> Hi,
>
> When trying to reshape an array, i got a PAX size overflow that reads:
> PAX: size overflow detected in function super_1_sync drivers/md/md.c:1683 cicus.1522_314 min, count: 158, decl: new_offset; num: 0; context mdp_superblock_1;
>
> I initially reported the bug upstream (you can find more details on the bug's URL), but was told it's a normal case.
>
> Regards

thanks. i'll pass it by the pax folks.

Comment #2

(In reply to Anthony Basile from comment #1)
> (In reply to Étienne Buira from comment #0)
> >
> > Regards
>
> thanks. i'll pass it by the pax folks.

linux-raid@vger suggested testing on a vanilla kernel. did you do so? i always ask people to do that since it's a good first step to decide if this is a grsec/pax issue or vanilla.

Comment #3

Hi,

i did some testing with vanilla 4.4.6 on a dummy array, but could not enter the 'if' in which sb->new_offset was set.

Comment #4

the problem is that mdp_superblock_1.new_offset is defined as an unsigned int even though its own comment says it holds a signed value (which in turn is because the kernel doesn't have signed versions of the endian-specific types). the overflow plugin merely catches the u64->u32 conversion where the u64 value would really have to be s64, which then would be converted to s32 without loss. i guess we'll just have to disable tracking this field in the overflow plugin. something like the following:

a/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data --- b/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data 2016-03-24 00:48:23.981420686 +0100 +++ tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data 2016-03-29 13:36:49.217021709 +0200
@@ -12437,3 +12437,4 @@ enable_so_dsack_tcp_options_received_277 enable_so_inbufBits_bunzip_data_13788 inbufBits bunzip_data 0 13788 NULL enable_so_i_ino_inode_8428 i_ino inode 0 8428 NULL enable_so_squashfs_iget_fndecl_37485 squashfs_iget fndecl 3 37485 NULL +enable_so_new_offset_mdp_superblock_1_6501 new_offset mdp_superblock_1 0 6501 NULL --- a/tools/gcc/size_overflow_plugin/size_overflow_hash.data 2016-03-24 00:48:23.997453111 +0100 +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data 2016-03-29 13:36:52.624798122 +0200 @@ -2084,7 +2084,6 @@ enable_so_datasize_vub300_mmc_host_6490 enable_so_beep_amp_ad198x_spec_6490 beep_amp ad198x_spec 0 6490 &enable_so_datasize_vub300_mmc_host_6490 nohasharray enable_so_probe_kernel_write_fndecl_6490 probe_kernel_write fndecl 3 6490 &enable_so_beep_amp_ad198x_spec_6490 enable_so_curr_dma_words_tegra_spi_data_6500 curr_dma_words tegra_spi_data 0 6500 NULL -enable_so_new_offset_mdp_superblock_1_6501 new_offset mdp_superblock_1 0 6501 NULL enable_so_f_read_cntrs_qib_devdata_6502 f_read_cntrs qib_devdata 0 6502 NULL enable_so_inc_remap_and_issue_cell_fndecl_6505 inc_remap_and_issue_cell fndecl 3 6505 NULL enable_so_hugetlb_file_setup_fndecl_6506 hugetlb_file_setup fndecl 2 6506 NULL

Comment #5 (Anthony Basile)

@pageexec did you guys apply your fix?

Comment #6

(In reply to Anthony Basile from comment #5)
> @pageexec did you guys apply your fix?

sure, at the time i answered.
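Review bot: as pasted, the first file header will not apply with `patch -p1`: the `---` marker of the disable_size_overflow_hash.data header is missing and its `+++` path reads `+++ tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data` without the `b/` prefix that the second header (`+++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data`) has; regenerate the header so both files use the same `a/`/`b/` prefixes. On substance, moving `enable_so_new_offset_mdp_superblock_1_6501 new_offset mdp_superblock_1 0 6501 NULL` from size_overflow_hash.data to the disable list removes the field from instrumentation entirely, so a genuine u64-to-u32 truncation of new_offset in super_1_sync would no longer be reported; since the data files carry no comments, the reason (the field is declared unsigned but holds a signed value, per comment #4 and the bug URL) belongs in the commit message so the exclusion is not later mistaken for an unexplained false positive. The removed and added entries are otherwise consistent (same hash 6501, same field index 0).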
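Comment #4's explanation, as a constructed C model added here; this is not the kernel's md code nor anything posted in the thread. It assumes a struct `model_superblock` whose `new_offset` slot is a 32-bit unsigned field carrying a signed sector delta, and compares the unsigned u64-to-u32 narrowing check that the plugin applies with the s64-to-s32 check that the field's real meaning calls for, then round-trips each delta through the field to show which ones are actually lost. Field, function and sample values are assumptions for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the situation in comment #4: the on-disk slot is a
 * 32-bit unsigned field, but the value stored in it is a signed delta
 * between two offsets. Names here are assumptions, not the kernel's code. */
struct model_superblock {
    uint32_t new_offset;   /* declared unsigned, holds a signed value */
};

/* What an unsigned size-overflow check sees: narrowing a u64 to u32 loses
 * information whenever the value does not fit in 32 bits. A negative s64
 * reinterpreted as u64 never fits, so it is always flagged. */
static bool unsigned_narrowing_loses(uint64_t v)
{
    return v > UINT32_MAX;
}

/* What the check would have to do if the types were honest (s64 -> s32):
 * only values outside INT32_MIN..INT32_MAX are actually truncated. */
static bool signed_narrowing_loses(int64_t v)
{
    return v < INT32_MIN || v > INT32_MAX;
}

/* Store the delta the way the unsigned field forces: keep the low 32 bits. */
static void store_new_offset(struct model_superblock *sb, int64_t delta)
{
    sb->new_offset = (uint32_t)delta;
}

/* Read it back the way a consumer of a signed field must: reinterpret the
 * 32 bits as signed before widening. */
static int64_t load_new_offset(const struct model_superblock *sb)
{
    return (int64_t)(int32_t)sb->new_offset;
}

/* Round-trip a delta through the field and report whether it survived. */
static bool round_trip_is_lossless(int64_t delta)
{
    struct model_superblock sb = {0};
    store_new_offset(&sb, delta);
    return load_new_offset(&sb) == delta;
}

int main(void)
{
    /* Constructed inputs: a reshape moving the data offset down by 2048
     * sectors (negative delta), one moving it up, and one that genuinely
     * does not fit in 32 bits either way. */
    const int64_t deltas[] = { -2048, 2048, INT64_C(1) << 33 };
    for (size_t i = 0; i < sizeof deltas / sizeof deltas[0]; i++) {
        int64_t d = deltas[i];
        printf("delta %lld: unsigned-check=%s signed-check=%s round-trip=%s\n",
               (long long)d,
               unsigned_narrowing_loses((uint64_t)d) ? "FLAG" : "ok",
               signed_narrowing_loses(d) ? "FLAG" : "ok",
               round_trip_is_lossless(d) ? "lossless" : "LOST");
    }
    return 0;
}
```

The negative delta is the case from the report: the unsigned check flags it, yet the value round-trips without loss once the reader applies the signed cast, which is why the thread concludes the report is a false positive of the declared type rather than of the data. The 2^33 case shows what excluding the field from tracking gives up: that truncation is real and would now go unreported.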