refcount overflow at ip_idents_reserve with linux-grsec 3.14.15-0
With edge and a clean installation, “ping” and maybe some other network-related tools get killed by PaX sometimes (on first execution after boot, for example).
This seems to be very related to this forum post: https://forums.grsecurity.net/viewtopic.php?t=4022&p=14298
In main/linux-grsec net/ipv4/route.c:ip_idents_reserve(), change the atomic_add_return to an atomic_add_return_unchecked and it should work. I haven’t tested this yet but will report back once I have.
kernel:
Linux alpine-linux 3.14.15-0-grsec #1-Alpine SMP Fri Aug 1 10:07:42 GMT 2014 x86_64 Linux
dmesg output:
[3441049.782467] PAX: refcount overflow detected in: busybox:1028, uid/euid: 0/0
[3441049.782475] PAX: refcount overflow occured at: ip_idents_reserve+0x5e/0x6a
[3441049.782479] CPU: 0 PID: 1028 Comm: busybox Not tainted 3.14.15-0-grsec #1-Alpine
[3441049.782482] task: ffff88007bce8000 ti: ffff88007bce8640 task.ti: ffff88007bce8640
[3441049.782484] RIP: e030:[<ffffffff812cbe3a>] [<ffffffff812cbe3a>] ip_idents_reserve+0x5e/0x6a
[3441049.782488] RSP: e02b:ffffc90001973ac8 EFLAGS: 00000a03
[3441049.782489] RAX: 00000000c8a1bddd RBX: ffff88007c4b89e0 RCX: 00000000f7389f8e
[3441049.782491] RDX: 0000000085cf5f02 RSI: 00000000d93b3add RDI: ffff88007fa0de80
[3441049.782492] RBP: ffffc90001973ae0 R08: 00000000c1900000 R09: ffff8800026f9600
[3441049.782494] R10: 0000000000000000 R11: 0000000000000014 R12: 0000000000000001
[3441049.782495] R13: 00000000ed5c6dae R14: ffff88007c1a0000 R15: ffff880002742810
[3441049.782499] FS: 0000784b34846188(0000) GS:ffff88007fa00000(0000) knlGS:0000000000000000
[3441049.782501] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033
[3441049.782502] CR2: 0000784b345f6c0c CR3: 000000000224e000 CR4: 0000000000042660
[3441049.782504] Stack:
[3441049.782505] 0000000000000001 ffff880002742810 ffffc90001973ba0 ffffc90001973b00
[3441049.782508] ffffffff812cbedc ffff8800026f9600 ffff88007c1b4000 ffffc90001973b50
[3441049.782510] ffffffff812d5581 0000000000000000 0000000000000000 ffffffff815bc040
[3441049.782512] Call Trace:
[3441049.782517] [<ffffffff812cbedc>] __ip_select_ident+0x96/0xa3
[3441049.782521] [<ffffffff812d5581>] __ip_make_skb+0x294/0x358
[3441049.782524] [<ffffffff812d3cae>] ? ip_reply_glue_bits+0x5a/0x5a
[3441049.782527] [<ffffffff812d57a3>] ip_make_skb+0xde/0xf1
[3441049.782532] [<ffffffff812f64c0>] udp_sendmsg+0x51a/0x755
[3441049.782535] [<ffffffff812d3cae>] ? ip_reply_glue_bits+0x5a/0x5a
[3441049.782539] [<ffffffff81005746>] ? pte_mfn_to_pfn+0x5e/0xcf
[3441049.782542] [<ffffffff81004adc>] ? xen_batched_set_pte+0x18/0xd3
[3441049.782546] [<ffffffff812fe572>] inet_sendmsg+0x58/0x8f
[3441049.782549] [<ffffffff8128bc69>] sock_sendmsg+0x69/0x7a
[3441049.782554] [<ffffffff810e2b3c>] ? check_heap_object+0x2a/0xec
[3441049.782557] [<ffffffff8128d0d1>] ? move_addr_to_kernel+0xa0/0xcd
[3441049.782560] [<ffffffff8128da69>] SyS_sendto+0x12e/0x173
[3441049.782567] [<ffffffff81006a8f>] ? xen_clocksource_read+0x20/0x22
[3441049.782572] [<ffffffff81006a9a>] ? xen_clocksource_get_cycles+0x9/0xb
[3441049.782579] [<ffffffff81083e11>] ? __getnstimeofday+0x35/0xa1
[3441049.782584] [<ffffffff813393b5>] system_call_fastpath+0x16/0x1b
[3441049.782586] Code: b1 53 04 39 c8 75 f1 41 89 d5 41 29 c5 e8 e8 f3 ec ff 89 c0 49 0f af c5 48 c1 e8 20 44 01 e0 89 c2 f0 0f c1 13 71 04 89 13 cd 04 <5b> 01 d0 44 29 e0 41 5c 41 5d 5d c3 55 48 89 e5 41 54 49 89 fc
(from redmine: issue id 3277, created on 2014-08-02, closed on 2017-04-07)
- Changesets:
- Revision 2a8ec5c8 by Natanael Copa on 2014-08-04T14:11:46Z:
main/linux-grsec: upgrade to grsecurity-3.0-3.14.15-201408032014
fixes #3277
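As an added illustration (not code from the report, from Alpine, or from the grsecurity patch), this user-space C model shows why the instrumented atomic_add_return() fires in ip_idents_reserve(): the IP-ID bucket is a counter that is meant to wrap modulo 2^32, so a legitimate step past INT32_MAX looks like a reference-count overflow to PaX REFCOUNT, while the unchecked variant the reporter proposes simply wraps. The add / jno / restore / int $4 pattern is taken from the Code: line in the oops; the struct, function names and starting values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed user-space model of the report above; it is not kernel code.
 * One IP-ID bucket is a 32-bit atomic counter that is expected to wrap
 * modulo 2^32, which is how ip_idents_reserve() uses it. */
typedef struct { int32_t counter; } atomic_model_t;

/* atomic_add_return_unchecked(): plain two's-complement add, no overflow
 * check. This is the semantics the proposed fix restores. */
static int32_t add_return_unchecked(atomic_model_t *v, int32_t delta)
{
    v->counter = (int32_t)((uint32_t)v->counter + (uint32_t)delta);
    return v->counter;
}

/* atomic_add_return() as PaX REFCOUNT instruments it. The Code: line in the
 * oops (lock xadd; jno; mov; int $4) shows the pattern: do the add, and on
 * signed overflow write the old value back and trap into the PaX report. */
static int32_t add_return_checked(atomic_model_t *v, int32_t delta, bool *trapped)
{
    int32_t old = v->counter, result;
    *trapped = __builtin_add_overflow(old, delta, &result);
    if (*trapped)
        return old;   /* counter restored, report raised, nothing reserved */
    v->counter = result;
    return result;
}

/* Simplified ip_idents_reserve(): reserve `segs` IDs after a random skip
 * `delta` and return the first of them. `checked` selects the primitive. */
static uint32_t reserve_ids(atomic_model_t *b, int32_t segs, int32_t delta,
                            bool checked, bool *trapped)
{
    *trapped = false;
    int32_t r = checked ? add_return_checked(b, segs + delta, trapped)
                        : add_return_unchecked(b, segs + delta);
    return (uint32_t)r - (uint32_t)segs;
}
int main(void)
{
    atomic_model_t a = { INT32_MAX - 15 }, b = { INT32_MAX - 15 };
    bool t;
    uint32_t id = reserve_ids(&a, 1, 100, false, &t);
    printf("unchecked: id=0x%08x trapped=%d\n", id, t);
    id = reserve_ids(&b, 1, 100, true, &t);
    printf("checked:   id=0x%08x trapped=%d (false positive)\n", id, t);
    return 0;
}
```

Below the 2^31 boundary both primitives return the same IDs; only the wrap differs, which is why the report appears intermittently rather than on every send.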