[Drbd-dev] integer signedness mixup problem in drbd_main.c

[Drbd-dev] integer signedness mixup problem in drbd_main.c

[Marc Schiffbauer]

[-- Attachment #1: Type: text/plain, Size: 993 bytes --]

hi all,

using a kernel hardened with grsecurity/PaX we discovered a problem 
where PaX detects a size overflow after a quite large uptime:

PAX: size overflow detected in function drbd_send_dblock 
drivers/block/drbd/drbd_main.c:1625 cicus.964_133 max, count: 1

this was in kernel 3.14.19, but 4.4.5 still seems to have that problem.  
The line triggering this is:

p->seq_num = cpu_to_be32(atomic_inc_return_unchecked(&mdev->packet_seq));

(line 1625 in linux 3.14.19 and 1637 in linux 4.4.5)

please see [1] for more details.

Please can you tell whether this should be fixed in drbd? Or might this 
be some false positive in PaX?

regards
-Marc

[1] https://forums.grsecurity.net/viewtopic.php?f=3&t=4425

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [Drbd-dev] integer signedness mixup problem in drbd_main.c

[Lars Ellenberg]

On Tue, Mar 22, 2016 at 12:18:17AM +0100, Marc Schiffbauer wrote:
> hi all,
> 
> using a kernel hardened with grsecurity/PaX we discovered a problem 
> where PaX detects a size overflow after a quite large uptime:
> 
> PAX: size overflow detected in function drbd_send_dblock 
> drivers/block/drbd/drbd_main.c:1625 cicus.964_133 max, count: 1
> 
> this was in kernel 3.14.19, but 4.4.5 still seems to have that problem.  
> The line triggering this is:
> 
> p->seq_num = cpu_to_be32(atomic_inc_return_unchecked(&mdev->packet_seq));

Boring.
seq_num should give it away: it is a sequence number.
it wraps. that's what sequence numbers do, eventually.

haven't we been here before?


-- 
: Lars Ellenberg
: LINBIT | Keeping the Digital World Running
: DRBD -- Heartbeat -- Corosync -- Pacemaker
: R&D, Integration, Ops, Consulting, Support

DRBD® and LINBIT® are registered trademarks of LINBIT

Re: [Drbd-dev] integer signedness mixup problem in drbd_main.c

[Marc Schiffbauer]

* Lars Ellenberg schrieb am 22.03.16 um 11:25 Uhr:
> On Tue, Mar 22, 2016 at 12:18:17AM +0100, Marc Schiffbauer wrote:
> > hi all,
> > 
> > using a kernel hardened with grsecurity/PaX we discovered a problem 
> > where PaX detects a size overflow after a quite large uptime:
> > 
> > PAX: size overflow detected in function drbd_send_dblock 
> > drivers/block/drbd/drbd_main.c:1625 cicus.964_133 max, count: 1
> > 
> > this was in kernel 3.14.19, but 4.4.5 still seems to have that problem.  
> > The line triggering this is:
> > 
> > p->seq_num = cpu_to_be32(atomic_inc_return_unchecked(&mdev->packet_seq));
> 
> Boring.
> seq_num should give it away: it is a sequence number.
> it wraps. that's what sequence numbers do, eventually.
> 
> haven't we been here before?

We had another case that had been fixed.

Thanks Lars for the Feedback.

-Marc

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein