Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 588624

Summary: sys-kernel/hardened-sources-4.6.3-r2 - PAX: size overflow detected in function drbd_md_read drivers/block/drbd/drbd_main.c:3308
Product: Gentoo Linux Reporter: Georg Weiss <gentoo>
Component: HardenedAssignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED FIXED    
Severity: normal CC: pageexec, re.emese, spender
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Georg Weiss 2016-07-11 20:50:20 UTC 
i hit another size overflow error using current hardened-source:

--8<--
[   32.818724] PAX: size overflow detected in function drbd_md_read drivers/block/drbd/drbd_main.c:3308 cicus.1150_220 max, count: 141, decl: al_offset; num: 0; context: drbd_md;
[   32.863179] CPU: 2 PID: 5410 Comm: drbdsetup Not tainted 4.6.3-hardened-r2-dom0-kvm-at-gw24 #5
[   32.863181] Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./J1900N-D3V, BIOS F1 01/22/2014
[   32.863183]  0000000000000006 ffffffffb64d6f54 ffff88043fd0d050 ffffffffb6ca6eb2
[   32.863188]  0000000000000cec ffffffffb61e916e ffff88041fc32978 ffff88041fc32800
[   32.863192]  ffffc90000ffba80 ffff88041f805000 ffffffffb65f6a33 000000000000003c
[   32.863195] Call Trace:
[   32.863204]  [<ffffffffb64d6f54>] ? dump_stack+0x47/0x6f
[   32.863208]  [<ffffffffb61e916e>] ? report_size_overflow+0x35/0x7b
[   32.863213]  [<ffffffffb65f6a33>] ? drbd_md_read+0x26e/0x5c4
[   32.863217]  [<ffffffffb650c846>] ? lc_create+0x1d0/0x239
[   32.863220]  [<ffffffffb6602ae4>] ? drbd_adm_attach+0x39b/0xfd8
[   32.863223]  [<ffffffffb6602ae4>] ? drbd_adm_attach+0x39b/0xfd8
[   32.863226]  [<ffffffffb64cf0c5>] ? gr_task_acl_is_capable+0x1f/0x173
[   32.863231]  [<ffffffffb68603a6>] ? genl_family_rcv_msg+0x2a7/0x349
[   32.863234]  [<ffffffffb6860482>] ? genl_rcv_msg+0x3a/0x5f
[   32.863237]  [<ffffffffb6860482>] ? genl_rcv_msg+0x3a/0x5f
[   32.863240]  [<ffffffffb6860448>] ? genl_family_rcv_msg+0x349/0x349
[   32.863243]  [<ffffffffb685fc8c>] ? netlink_rcv_skb+0x60/0x10a
[   32.863246]  [<ffffffffb686003b>] ? genl_rcv+0x1f/0x34
[   32.863248]  [<ffffffffb685e23d>] ? netlink_unicast+0x132/0x1e3
[   32.863251]  [<ffffffffb685eb4b>] ? netlink_sendmsg+0x41f/0x440
[   32.863255]  [<ffffffffb67fad19>] ? sock_sendmsg+0x38/0x57
[   32.863257]  [<ffffffffb67fada9>] ? sock_write_iter+0x71/0x94
[   32.863260]  [<ffffffffb61e0139>] ? __vfs_write+0xc0/0xf9
[   32.863263]  [<ffffffffb61e0407>] ? vfs_write+0x17a/0x2b8
[   32.863266]  [<ffffffffb61e062a>] ? sys_write+0x4c/0x99
[   32.863269]  [<ffffffffb61e062a>] ? sys_write+0x4c/0x99
[   32.863273]  [<ffffffffb6990353>] ? entry_SYSCALL_64_fastpath+0x13/0xa3
--8<--
Comment 1 Georg Weiss 2016-07-11 20:57:26 UTC 
FYI: hardened-sources-4.5.7-r7 works (not hit by size overflow in drbd).
Comment 2 PaX Team 2016-07-11 23:15:20 UTC 
this is an integer conversion problem in drbd:

3308 »·······bdev->md.al_offset = be32_to_cpu(buffer->al_offset);
3309 »·······bdev->md.bm_offset = be32_to_cpu(buffer->bm_offset);

the left hand side fields are s32 whereas the right hand side ones are u32 so there can be runtime values that cannot be converted without a value loss. i'm not sure whether this code works as intended so feel free to take it up with the drbd maintainers and we'll disable tracking these fields in the size overflow plugin for now.
Comment 3 Anthony Basile gentoo-dev 2016-07-13 14:52:47 UTC 
(In reply to PaX Team from comment #2)
> this is an integer conversion problem in drbd:
> 
> 3308 »·······bdev->md.al_offset = be32_to_cpu(buffer->al_offset);
> 3309 »·······bdev->md.bm_offset = be32_to_cpu(buffer->bm_offset);
> 
> the left hand side fields are s32 whereas the right hand side ones are u32
> so there can be runtime values that cannot be converted without a value
> loss. i'm not sure whether this code works as intended so feel free to take
> it up with the drbd maintainers and we'll disable tracking these fields in
> the size overflow plugin for now.

is this fixed in grsecurity-3.1-4.6.4-201607112205.patch ?
Comment 4 PaX Team 2016-07-14 19:27:23 UTC 
(In reply to Anthony Basile from comment #3)
> is this fixed in grsecurity-3.1-4.6.4-201607112205.patch ?

it's 'fixed' in that we turned off size overflow instrumentation on assignments to these fields, so end users should be fine. the proper solution would be for upstream to figure out why they mix different integer types here and preferably stick to one type only so that we can reenable the instrumentation.
Comment 5 Anthony Basile gentoo-dev 2016-07-21 16:36:04 UTC 
(In reply to PaX Team from comment #4)
> (In reply to Anthony Basile from comment #3)
> > is this fixed in grsecurity-3.1-4.6.4-201607112205.patch ?
> 
> it's 'fixed' in that we turned off size overflow instrumentation on
> assignments to these fields, so end users should be fine. the proper
> solution would be for upstream to figure out why they mix different integer
> types here and preferably stick to one type only so that we can reenable the
> instrumentation.

yeah not idea, but okay for a workaround until drbd people address this.  mixing types sometimes has its place, but i get the feeling they're just not being careful here.
Comment 6 Mark (voidzero) 2016-08-04 14:41:23 UTC 
 Happened with me today, on kernel 4.6.5-hardened...
Comment 7 PaX Team 2016-08-04 21:35:29 UTC 
(In reply to Mark (voidzero) from comment #6)
>  Happened with me today, on kernel 4.6.5-hardened...

can you post the kernel logs?