588624 – sys-kernel/hardened-sources-4.6.3-r2 - PAX: size overflow detected in function drbd_md_read drivers/block/drbd/drbd_main.c:3308

Bug 588624 - sys-kernel/hardened-sources-4.6.3-r2 - PAX: size overflow detected in function drbd_md_read drivers/block/drbd/drbd_main.c:3308

Summary: sys-kernel/hardened-sources-4.6.3-r2 - PAX: size overflow detected in functio...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Hardened (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	The Gentoo Linux Hardened Team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2016-07-11 20:50 UTC by Georg Weiss
Modified:	2016-08-04 21:35 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Georg Weiss 2016-07-11 20:50:20 UTC

i hit another size overflow error using current hardened-source:

--8<--
[   32.818724] PAX: size overflow detected in function drbd_md_read drivers/block/drbd/drbd_main.c:3308 cicus.1150_220 max, count: 141, decl: al_offset; num: 0; context: drbd_md;
[   32.863179] CPU: 2 PID: 5410 Comm: drbdsetup Not tainted 4.6.3-hardened-r2-dom0-kvm-at-gw24 #5
[   32.863181] Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./J1900N-D3V, BIOS F1 01/22/2014
[   32.863183]  0000000000000006 ffffffffb64d6f54 ffff88043fd0d050 ffffffffb6ca6eb2
[   32.863188]  0000000000000cec ffffffffb61e916e ffff88041fc32978 ffff88041fc32800
[   32.863192]  ffffc90000ffba80 ffff88041f805000 ffffffffb65f6a33 000000000000003c
[   32.863195] Call Trace:
[   32.863204]  [<ffffffffb64d6f54>] ? dump_stack+0x47/0x6f
[   32.863208]  [<ffffffffb61e916e>] ? report_size_overflow+0x35/0x7b
[   32.863213]  [<ffffffffb65f6a33>] ? drbd_md_read+0x26e/0x5c4
[   32.863217]  [<ffffffffb650c846>] ? lc_create+0x1d0/0x239
[   32.863220]  [<ffffffffb6602ae4>] ? drbd_adm_attach+0x39b/0xfd8
[   32.863223]  [<ffffffffb6602ae4>] ? drbd_adm_attach+0x39b/0xfd8
[   32.863226]  [<ffffffffb64cf0c5>] ? gr_task_acl_is_capable+0x1f/0x173
[   32.863231]  [<ffffffffb68603a6>] ? genl_family_rcv_msg+0x2a7/0x349
[   32.863234]  [<ffffffffb6860482>] ? genl_rcv_msg+0x3a/0x5f
[   32.863237]  [<ffffffffb6860482>] ? genl_rcv_msg+0x3a/0x5f
[   32.863240]  [<ffffffffb6860448>] ? genl_family_rcv_msg+0x349/0x349
[   32.863243]  [<ffffffffb685fc8c>] ? netlink_rcv_skb+0x60/0x10a
[   32.863246]  [<ffffffffb686003b>] ? genl_rcv+0x1f/0x34
[   32.863248]  [<ffffffffb685e23d>] ? netlink_unicast+0x132/0x1e3
[   32.863251]  [<ffffffffb685eb4b>] ? netlink_sendmsg+0x41f/0x440
[   32.863255]  [<ffffffffb67fad19>] ? sock_sendmsg+0x38/0x57
[   32.863257]  [<ffffffffb67fada9>] ? sock_write_iter+0x71/0x94
[   32.863260]  [<ffffffffb61e0139>] ? __vfs_write+0xc0/0xf9
[   32.863263]  [<ffffffffb61e0407>] ? vfs_write+0x17a/0x2b8
[   32.863266]  [<ffffffffb61e062a>] ? sys_write+0x4c/0x99
[   32.863269]  [<ffffffffb61e062a>] ? sys_write+0x4c/0x99
[   32.863273]  [<ffffffffb6990353>] ? entry_SYSCALL_64_fastpath+0x13/0xa3
--8<--

Comment 1 Georg Weiss 2016-07-11 20:57:26 UTC

FYI: hardened-sources-4.5.7-r7 works (not hit by size overflow in drbd).

Comment 2 PaX Team 2016-07-11 23:15:20 UTC

this is an integer conversion problem in drbd:

3308 »·······bdev->md.al_offset = be32_to_cpu(buffer->al_offset);
3309 »·······bdev->md.bm_offset = be32_to_cpu(buffer->bm_offset);

the left hand side fields are s32 whereas the right hand side ones are u32 so there can be runtime values that cannot be converted without a value loss. i'm not sure whether this code works as intended so feel free to take it up with the drbd maintainers and we'll disable tracking these fields in the size overflow plugin for now.

Comment 3 Anthony Basile gentoo-dev

2016-07-13 14:52:47 UTC

(In reply to PaX Team from comment #2)
> this is an integer conversion problem in drbd:
> 
> 3308 »·······bdev->md.al_offset = be32_to_cpu(buffer->al_offset);
> 3309 »·······bdev->md.bm_offset = be32_to_cpu(buffer->bm_offset);
> 
> the left hand side fields are s32 whereas the right hand side ones are u32
> so there can be runtime values that cannot be converted without a value
> loss. i'm not sure whether this code works as intended so feel free to take
> it up with the drbd maintainers and we'll disable tracking these fields in
> the size overflow plugin for now.

is this fixed in grsecurity-3.1-4.6.4-201607112205.patch ?

Comment 4 PaX Team 2016-07-14 19:27:23 UTC

(In reply to Anthony Basile from comment #3)
> is this fixed in grsecurity-3.1-4.6.4-201607112205.patch ?

it's 'fixed' in that we turned off size overflow instrumentation on assignments to these fields, so end users should be fine. the proper solution would be for upstream to figure out why they mix different integer types here and preferably stick to one type only so that we can reenable the instrumentation.

Comment 5 Anthony Basile gentoo-dev

2016-07-21 16:36:04 UTC

(In reply to PaX Team from comment #4)
> (In reply to Anthony Basile from comment #3)
> > is this fixed in grsecurity-3.1-4.6.4-201607112205.patch ?
> 
> it's 'fixed' in that we turned off size overflow instrumentation on
> assignments to these fields, so end users should be fine. the proper
> solution would be for upstream to figure out why they mix different integer
> types here and preferably stick to one type only so that we can reenable the
> instrumentation.

yeah not idea, but okay for a workaround until drbd people address this.  mixing types sometimes has its place, but i get the feeling they're just not being careful here.

Comment 6 Mark (voidzero) 2016-08-04 14:41:23 UTC

 Happened with me today, on kernel 4.6.5-hardened...

Comment 7 PaX Team 2016-08-04 21:35:29 UTC

(In reply to Mark (voidzero) from comment #6)
>  Happened with me today, on kernel 4.6.5-hardened...

can you post the kernel logs?