Bug 210022 (PAX_khelper_crash) - hardened-sources-2.6.23-r7: PAX khelper crash / Overcommit vm memory
Summary: hardened-sources-2.6.23-r7: PAX khelper crash / Overcommit vm memory
Status: RESOLVED FIXED
Alias: PAX_khelper_crash
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
Importance: High critical
Assignee: The Gentoo Linux Hardened Team
URL: http://forums.grsecurity.net/viewtopi...
Whiteboard:
Keywords:
Depends on:
Blocks: 210026
Reported: 2008-02-13 16:20 UTC by cilly
Modified: 2008-02-27 16:33 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description cilly 2008-02-13 16:20:25 UTC
This is the log entry:

Feb 13 03:49:46 host PAX: suspicious general protection fault: 0000 [#3]
Feb 13 03:49:46 host PREEMPT
Feb 13 03:49:46 host Modules linked in:
Feb 13 03:49:46 host CPU:    0
Feb 13 03:49:46 host EIP:    0060:[<00046ca1>]    Tainted: G      D VLI
Feb 13 03:49:46 host EFLAGS: 00010202   (2.6.23-hardened-r7 #3)
Feb 13 03:49:46 host eax: 00000000   ebx: 00000001   ecx: 00000000   edx: 00000000
Feb 13 03:49:46 host esi: 00000001   edi: 00000000   ebp: 00000064   esp: d1563e30
Feb 13 03:49:46 host ds: 0068   es: 0068   fs: 0000  gs: 0000  ss: 0068
Feb 13 03:49:46 host Process khelper (pid: 9435, ti=d1562000 task=f2896550 task.ti=d1562000)
Feb 13 03:49:46 host Stack: f2889f24 00002000 c5c3b040 00000001 00044d3e 00000001 d38aa0cc 00000001
Feb 13 03:49:46 host d38aa0cc 00000000 bfffe000 00044f2a 00000000 bfffe000 00000001 00000000
Feb 13 03:49:46 host cc262c60 bfffefff 00000001 00000001 00056ee2 00000000 00000001 00000001
Feb 13 03:49:46 host Call Trace:
Feb 13 03:49:46 host [<00002000>] <0> [<00044d3e>] <0> [<00044f2a>] <0> [<00056ee2>] <0> [<0005702f>] <0> [<0005889b>] <0> [<0000f205>] <0> [<0000f5eb>] <0> [<0000f1c3>] <0> [<0005b3ef>] <0> [<00001d50>] <0> [<000038f2>] <0> [<00006d20>] <0> [<0001fb91>] <0> [<0001fc86>] <0> [<0001fb91>] <0> [<00003cd7>] <0> =======================
Feb 13 03:49:46 host Code: 8d 04 11 39 d8 76 3a eb 47 a1 d4 34 03 c1 ba 64 00 00 00 0f af 05 dc 6b 00 c1 89 d5 31 d2 f7 f5 85 f6 89 c1 75 05 c1 e8 05 29 c1 <8b> 47 58 03 0d 44 d0 04 c1 c1 e8 05 29 c1 39 0d f4 cf 04 c1 7c
Feb 13 03:49:46 host EIP: [<00046ca1>]  SS:ESP 0068:d1563e30
Feb 13 03:49:46 host note: khelper[9435] exited with preempt_count 1

Here is the code from the maintainer to fix it:

--- linux-2.6.24-pax/mm/mmap.c  2008-01-25 15:28:01.000000000 +0100
+++ linux-2.6.24-pax/mm/mmap.c  2008-01-28 18:59:27.000000000 +0100
@@ -1736,7 +1736,7 @@
         * Overcommit..  This must be the final test, as it will
         * update security statistics.
         */
-       if (security_vm_enough_memory(grow))
+       if (security_vm_enough_memory_mm(mm, grow))
                return -ENOMEM;
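Review bot: the file header targets linux-2.6.24-pax, so the "@@ -1736,7 +1736,7 @@" offsets will not apply to the 2.6.23 hardened tree this bug is filed against, and the hunk is also truncated: the header promises seven old and seven new lines but only five are shown, with the two trailing context lines (the blank line and the "/* Ok, everything looks good - let it rip */" comment) missing, so patch will reject it as-is. The one-line substitution itself is the right change to carry over: the surrounding function already has "mm" in scope (the "+" line uses it), and charging the overcommit accounting to the VMA's owning mm instead of current->mm is what keeps a kernel thread such as the khelper process in the oops above, which has no mm of its own, from faulting in this path. A rebased hunk against 2.6.23 with full context should be posted.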



See:

http://forums.grsecurity.net/viewtopic.php?f=3&t=1873
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.23.y.git;a=commitdiff;h=34b4e4aa3c470ce8fa2bd78abb1741b4b58baad7
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-02-13 17:17:18 UTC
Reassigning to hardened.
Comment 2 Gordon Malm (RETIRED) gentoo-dev 2008-02-18 09:21:54 UTC
Another pair of eyes here... I have reviewed this issue and the proposed fix is accurate.  I would like to see this go into -r8.
Comment 3 Guillaume Destuynder (RETIRED) gentoo-dev 2008-02-20 17:34:26 UTC
Fixed in rsbac-sources-2.6.23-r1

2.6.23 patch with correct offsets:

--- mm/mmap.c.ori       2008-02-20 16:23:25.000000000 +0100
+++ mm/mmap.c   2008-02-20 16:23:43.000000000 +0100
@@ -1773,7 +1773,7 @@ static int acct_stack_growth(struct vm_a
         * Overcommit..  This must be the final test, as it will
         * update security statistics.
         */
-       if (security_vm_enough_memory(grow))
+       if (security_vm_enough_memory_mm(mm, grow))
                return -ENOMEM;

        /* Ok, everything looks good - let it rip */
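Review bot: this rebased hunk is complete (all seven old and new lines present, matching the "@@ -1773,7 +1773,7 @@" header), but the paths "mm/mmap.c.ori" and "mm/mmap.c" carry no a/ b/ prefixes, so it has to be applied with -p0 from the kernel source root rather than the -p1 most kernel patches expect; that is worth stating in the ebuild or patch header. Since the change mirrors the upstream stable commit 34b4e4aa3c470ce8fa2bd78abb1741b4b58baad7 linked in the description, recording that commit id alongside the patch would make the backport easy to drop once 2.6.23.y is bumped to a release that already contains it.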
Comment 4 kfm 2008-02-27 16:33:33 UTC
Fixed in 2.6.23-r8.