Summary: | sys-kernel/hardened-sources-4.6.3-r2 - PAX: size overflow detected in function drbd_md_read drivers/block/drbd/drbd_main.c:3308 | |
---|---|---|---
Product: | Gentoo Linux | Reporter: | Georg Weiss <gentoo>
Component: | Hardened | Assignee: | The Gentoo Linux Hardened Team <hardened>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | pageexec, re.emese, spender
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Package list: | | Runtime testing required: | ---
Description
Georg Weiss
2016-07-11 20:50:20 UTC
FYI: hardened-sources-4.5.7-r7 works (not hit by size overflow in drbd).

this is an integer conversion problem in drbd:

    3308 	bdev->md.al_offset = be32_to_cpu(buffer->al_offset);
    3309 	bdev->md.bm_offset = be32_to_cpu(buffer->bm_offset);

the left hand side fields are s32 whereas the right hand side ones are u32 so there can be runtime values that cannot be converted without a value loss. i'm not sure whether this code works as intended so feel free to take it up with the drbd maintainers and we'll disable tracking these fields in the size overflow plugin for now.

(In reply to PaX Team from comment #2)
> this is an integer conversion problem in drbd:
>
>     3308 	bdev->md.al_offset = be32_to_cpu(buffer->al_offset);
>     3309 	bdev->md.bm_offset = be32_to_cpu(buffer->bm_offset);
>
> the left hand side fields are s32 whereas the right hand side ones are u32
> so there can be runtime values that cannot be converted without a value
> loss. i'm not sure whether this code works as intended so feel free to take
> it up with the drbd maintainers and we'll disable tracking these fields in
> the size overflow plugin for now.

is this fixed in grsecurity-3.1-4.6.4-201607112205.patch ?

(In reply to Anthony Basile from comment #3)
> is this fixed in grsecurity-3.1-4.6.4-201607112205.patch ?

it's 'fixed' in that we turned off size overflow instrumentation on assignments to these fields, so end users should be fine. the proper solution would be for upstream to figure out why they mix different integer types here and preferably stick to one type only so that we can reenable the instrumentation.

(In reply to PaX Team from comment #4)
> (In reply to Anthony Basile from comment #3)
> > is this fixed in grsecurity-3.1-4.6.4-201607112205.patch ?
>
> it's 'fixed' in that we turned off size overflow instrumentation on
> assignments to these fields, so end users should be fine. the proper
> solution would be for upstream to figure out why they mix different integer
> types here and preferably stick to one type only so that we can reenable the
> instrumentation.

yeah not ideal, but okay for a workaround until drbd people address this. mixing types sometimes has its place, but i get the feeling they're just not being careful here.

Happened with me today, on kernel 4.6.5-hardened...

(In reply to Mark (voidzero) from comment #6)
> Happened with me today, on kernel 4.6.5-hardened...

can you post the kernel logs?
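An added example (not code from drbd, the kernel or the PaX size overflow plugin) of the u32 to s32 conversion PaX Team describes in comment #2: `be32_to_host`, the two sample fields and the `md_offset_*` functions are stand-ins written for this illustration, and the "fits" check is the kind of range test the plugin performs at runtime before reporting an overflow.

```c
#include <stdint.h>
#include <limits.h>
#include <errno.h>
#include <stdio.h>

/* Stand-in for the kernel's be32_to_cpu(): decode one big-endian 32-bit
 * on-disk field. Like the kernel helper it yields an unsigned value. */
static uint32_t be32_to_host(const uint8_t f[4])
{
    return ((uint32_t)f[0] << 24) | ((uint32_t)f[1] << 16) |
           ((uint32_t)f[2] << 8)  |  (uint32_t)f[3];
}

/* Constructed sample fields (not real drbd metadata): one that fits an
 * s32 and one whose top bit is set. */
static const uint8_t SAMPLE_FITS[4]  = { 0x00, 0x00, 0x00, 0x40 }; /* 64 */
static const uint8_t SAMPLE_WRAPS[4] = { 0xff, 0xff, 0xff, 0xf8 }; /* 4294967288 */

/* Mirrors the assignment at drbd_main.c:3308: a u32 result stored into an
 * s32 field with no check. Values above INT32_MAX change meaning (on gcc's
 * two's-complement targets they come out negative). */
int32_t md_offset_unchecked(const uint8_t f[4])
{
    int32_t al_offset = be32_to_host(f);   /* implicit u32 -> s32 */
    return al_offset;
}

/* Explicit range check: reject any value an s32 cannot hold instead of
 * letting it silently wrap. This is the condition the plugin instruments. */
int md_offset_checked(const uint8_t f[4], int32_t *out)
{
    uint32_t raw = be32_to_host(f);
    if (raw > (uint32_t)INT32_MAX)
        return -ERANGE;                    /* would not survive the conversion */
    *out = (int32_t)raw;
    return 0;
}

/* Predicate form: 1 if the field converts losslessly, else 0. */
int md_offset_fits(const uint8_t f[4])
{
    int32_t v;
    return md_offset_checked(f, &v) == 0;
}

int main(void)
{
    int32_t v;
    printf("unchecked: %d\n", md_offset_unchecked(SAMPLE_WRAPS));
    printf("checked: %s\n", md_offset_checked(SAMPLE_WRAPS, &v) ? "rejected" : "ok");
    return 0;
}
```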