Bug 116461

Summary: PAX: size overflow in function environ_read fs/proc/base.c
Product: File System
Reporter: jaak+bugzilla.kernel.org
Component: Other
Assignee: fs_other
Status: NEW
Severity: normal
CC: adobriyan, pageexec
Priority: P1
Hardware: x86-64
OS: Linux
URL: https://forums.grsecurity.net/viewtopic.php?f=3&t=4363
Kernel Version: 4.4.6
Regression: No

Description jaak+bugzilla.kernel.org 2016-04-15 18:37:57 UTC
It seems that env_end ends up being 0 at the location of this printout:

--- fs/proc/base.c.orig 2016-01-19 22:01:14.699210722 +0100
+++ fs/proc/base.c      2016-01-19 22:05:22.467199676 +0100
@@ -1061,6 +1061,7 @@
                this_len = mm->env_end - (mm->env_start + src);
 
                max_len = min_t(size_t, PAGE_SIZE, count);
+               printk(KERN_ERR "PAX environ_read: env_end: %lx, mm->env_start: %lx, src: %lx, count: %lx\n", mm->env_end, mm->env_start, src, count);
                this_len = min(max_len, this_len);
 
                retval = access_remote_vm(mm, (mm->env_start + src),
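Review bot: the added printk records the symptom but leaves the defect in place: when mm->env_end is 0 (third dmesg line), `this_len = mm->env_end - (mm->env_start + src)` wraps to a huge unsigned value, which is what the size_overflow plugin then reports at the following min(). A guard that returns 0 when mm->env_end is still unset, placed before that subtraction, would prevent the read from proceeding at all, which is the direction of the upstream fix quoted in Comment 1. Also, a KERN_ERR printk on every /proc/<PID>/environ read is noisy on a hot path; if the diagnostic is kept, pr_debug or a ratelimited print would be preferable.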

Example dmesg output:

...
[37315.188078] PAX environ_read: env_end: 38b2728fbf8, mm->env_start: 38b2728f4ed, src: 0, count: 7ff
[37315.188218] PAX environ_read: env_end: 382858f104b, mm->env_start: 382858f0929, src: 0, count: 7ff
[37315.188715] PAX environ_read: env_end: 0, mm->env_start: 39cf59b19ca, src: 0, count: 7ff
[37315.188717] PAX: size overflow detected in function environ_read fs/proc/base.c:1065 cicus.479_290 min, count: 54, decl: access_remote_vm; num: 4; context: fndecl;
[37315.189082] CPU: 5 PID: 20991 Comm: ps Not tainted 4.4.6-hardened-r1 #2
[37315.189083]  28c16bdf00000002 28c16bdf5c6fdc95 0000000000000286 0000000000000000
[37315.189085]  ffffc90003aa3c80 ffffffff812c9e2a 0000039cf59b19ca 28c16bdf5c6fdc95
[37315.189087]  ffffffff816a08ef 0000000000000429 ffffc90003aa3cb0 ffffffff8114a47e
[37315.189088] Call Trace:
[37315.189092]  [<ffffffff812c9e2a>] dump_stack+0x76/0xbc
[37315.189095]  [<ffffffff8114a47e>] report_size_overflow+0x6e/0x80
[37315.189097]  [<ffffffff811a6dac>] environ_read+0x38c/0x5b0
[37315.189100]  [<ffffffff81140a07>] __vfs_read+0x57/0x130
[37315.189102]  [<ffffffff8127d4db>] ? security_file_permission+0xbb/0xd0
[37315.189104]  [<ffffffff81140ba3>] vfs_read+0xc3/0x240
[37315.189108]  [<ffffffff81141279>] SyS_read+0x59/0xd0
[37315.189111]  [<ffffffff8155c670>] entry_SYSCALL_64_fastpath+0x12/0x8a
[45519.802369] PAX environ_read: env_end: 39b3e125fd5, mm->env_start: 39b3e1258ca, src: 0, count: 7ff
[45519.802531] PAX environ_read: env_end: 3ae9efb655f, mm->env_start: 3ae9efb5e3d, src: 0, count: 7ff
[45519.802722] PAX environ_read: env_end: 3cdd8d85f12, mm->env_start: 3cdd8d857ef, src: 0, count: 7ff
...


PAX team thinks this is an upstream bug. Originally reported here:
  https://forums.grsecurity.net/viewtopic.php?f=3&t=4363
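The following is an added example written for this page, not the reporter's patch nor kernel code: it models the length computation from environ_read() in plain C so the failure mode in the dmesg lines above can be seen without a hardened kernel. `struct fake_mm` is a constructed stand-in for the two mm_struct fields involved, the sample values are taken from the log lines quoted above, and the guard in `guarded_this_len()` is an assumption modelled on the title of the upstream fix ("prevent accessing /proc/<PID>/environ until it's ready"), not a copy of that commit's diff.

```c
#include <stdio.h>
#include <stddef.h>
#include <limits.h>

#define PAGE_SIZE 4096UL

/* Constructed stand-in for the mm_struct fields used by environ_read(). */
struct fake_mm {
    unsigned long env_start;
    unsigned long env_end;
};

static size_t min_size(size_t a, size_t b)
{
    return a < b ? a : b;
}

/* Mirrors the unpatched computation: this_len = env_end - (env_start + src)
 * with no check that env_end has been populated. Returns the raw difference
 * so the wrap-around is visible. */
static unsigned long unguarded_this_len(const struct fake_mm *mm, unsigned long src)
{
    return mm->env_end - (mm->env_start + src);
}

/* Hardened variant (assumed guard, see lead-in): refuse to compute a length
 * until env_end is set and sane, and refuse offsets past the environment.
 * Returns the number of bytes that may be copied, 0 meaning nothing to read. */
static size_t guarded_this_len(const struct fake_mm *mm, unsigned long src, size_t count)
{
    if (!mm->env_end || mm->env_end < mm->env_start)
        return 0;                       /* environment not ready yet */

    unsigned long env_len = mm->env_end - mm->env_start;
    if (src >= env_len)
        return 0;                       /* past the end: EOF */

    size_t max_len = min_size(PAGE_SIZE, count);
    return min_size(max_len, env_len - src);
}

/* 1 if the unguarded subtraction wrapped (the value is far larger than any
 * real environment), i.e. the condition the size_overflow plugin reported. */
static int wrapped(const struct fake_mm *mm, unsigned long src)
{
    return unguarded_this_len(mm, src) > (unsigned long)LONG_MAX;
}

int main(void)
{
    /* Constructed from the third log line: env_end still 0. */
    struct fake_mm not_ready = { .env_start = 0x39cf59b19caUL, .env_end = 0 };
    /* Constructed from the first log line: a fully set-up environment. */
    struct fake_mm ready = { .env_start = 0x38b2728f4edUL, .env_end = 0x38b2728fbf8UL };

    printf("not ready: unguarded this_len=0x%lx wrapped=%d guarded=%zu\n",
           unguarded_this_len(&not_ready, 0), wrapped(&not_ready, 0),
           guarded_this_len(&not_ready, 0, 0x7ff));
    printf("ready:     unguarded this_len=0x%lx guarded=%zu\n",
           unguarded_this_len(&ready, 0), guarded_this_len(&ready, 0, 0x7ff));
    return 0;
}
```

With env_end == 0 the unguarded difference wraps to nearly 2^64, which is what the plugin flags; the guarded version returns 0 before any subtraction takes place. For the ready case both agree on 0x70b bytes (env_end minus env_start), clamped by the 0x7ff byte request and PAGE_SIZE.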
Comment 1 Alexey Dobriyan 2016-07-17 22:35:09 UTC
commit 8148a73c9901a8794a50f950083c00ccf97d43b3
Author: Mathias Krause <minipli@googlemail.com>
Date:   Thu May 5 16:22:26 2016 -0700

    proc: prevent accessing /proc/<PID>/environ until it's ready