It seems that env_end ends up being 0 at the location of this printout: --- fs/proc/base.c.orig 2016-01-19 22:01:14.699210722 +0100 +++ fs/proc/base.c 2016-01-19 22:05:22.467199676 +0100 
@@ -1061,6 +1061,7 @@ this_len = mm->env_end - (mm->env_start + src); max_len = min_t(size_t, PAGE_SIZE, count); + printk(KERN_ERR "PAX environ_read: env_end: %lx, mm->env_start: %lx, src: %lx, count: %lx\n", mm->env_end, mm->env_start, src, count); this_len = min(max_len, this_len); retval = access_remote_vm(mm, (mm->env_start + src), Example dmesg output: ... [37315.188078] PAX environ_read: env_end: 38b2728fbf8, mm->env_start: 38b2728f4ed, src: 0, count: 7ff [37315.188218] PAX environ_read: env_end: 382858f104b, mm->env_start: 382858f0929, src: 0, count: 7ff [37315.188715] PAX environ_read: env_end: 0, mm->env_start: 39cf59b19ca, src: 0, count: 7ff [37315.188717] PAX: size overflow detected in function environ_read fs/proc/base.c:1065 cicus.479_290 min, count: 54, decl: access_remote_vm; num: 4; context: fndecl; [37315.189082] CPU: 5 PID: 20991 Comm: ps Not tainted 4.4.6-hardened-r1 #2 [37315.189083] 28c16bdf00000002 28c16bdf5c6fdc95 0000000000000286 0000000000000000 [37315.189085] ffffc90003aa3c80 ffffffff812c9e2a 0000039cf59b19ca 28c16bdf5c6fdc95 [37315.189087] ffffffff816a08ef 0000000000000429 ffffc90003aa3cb0 ffffffff8114a47e [37315.189088] Call Trace: [37315.189092] [<ffffffff812c9e2a>] dump_stack+0x76/0xbc [37315.189095] [<ffffffff8114a47e>] report_size_overflow+0x6e/0x80 [37315.189097] [<ffffffff811a6dac>] environ_read+0x38c/0x5b0 [37315.189100] [<ffffffff81140a07>] __vfs_read+0x57/0x130 [37315.189102] [<ffffffff8127d4db>] ? security_file_permission+0xbb/0xd0 [37315.189104] [<ffffffff81140ba3>] vfs_read+0xc3/0x240 [37315.189108] [<ffffffff81141279>] SyS_read+0x59/0xd0 [37315.189111] [<ffffffff8155c670>] entry_SYSCALL_64_fastpath+0x12/0x8a [45519.802369] PAX environ_read: env_end: 39b3e125fd5, mm->env_start: 39b3e1258ca, src: 0, count: 7ff [45519.802531] PAX environ_read: env_end: 3ae9efb655f, mm->env_start: 3ae9efb5e3d, src: 0, count: 7ff [45519.802722] PAX environ_read: env_end: 3cdd8d85f12, mm->env_start: 3cdd8d857ef, src: 0, count: 7ff ... 
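Review bot: the printk added in this hunk fires unconditionally on every read of /proc/<PID>/environ and logs env_start/env_end, i.e. user-space addresses of the target process, at KERN_ERR; that is fine for a one-off debugging build but should not be carried further, since it floods the log (several lines per `ps` invocation in the output shown) and exposes another process's address layout to anyone who can read dmesg. If the instrumentation is kept, gate it on the suspicious condition (`if (!mm->env_end)`) and use `printk_ratelimited` or `pr_debug` instead of a bare KERN_ERR line.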
PAX team thinks this is an upstream bug. Originally reported here: https://forums.grsecurity.net/viewtopic.php?f=3&t=4363
commit 8148a73c9901a8794a50f950083c00ccf97d43b3
Author: Mathias Krause <minipli@googlemail.com>
Date:   Thu May 5 16:22:26 2016 -0700

    proc: prevent accessing /proc/<PID>/environ until it's ready
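A user-space C model of the length computation from the hunk in the report, added here as an example (it is not code from the report, the kernel tree or the fix commit): it reproduces the wrap with the env_start/env_end values from the dmesg lines and contrasts it with a readiness check of the kind the commit subject above describes. Assumptions: the `src >= env_end - env_start` guard preceding the hunk is reproduced from memory, and addresses and environment contents are constructed offsets into a byte array rather than real user addresses.

```c
#include <stddef.h>
#include <string.h>
#ifndef PAGE_SIZE
#define PAGE_SIZE 4096UL
#endif
/* Stand-in for the mm_struct fields environ_read() consults (constructed offsets, not real addresses). */
struct mm_env { unsigned long env_start, env_end; };
static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }
/* Length computation of the unpatched environ_read() in the report, plus the
 * `src >= env_end - env_start` guard that precedes the hunk (from memory).
 * With env_start set but env_end still 0, both subtractions wrap: the guard
 * passes, this_len is huge, min() keeps max_len, and `count` bytes would be
 * read from env_start, i.e. past the real end of the environment. */
size_t environ_len_unchecked(const struct mm_env *mm, unsigned long src, size_t count) {
	if (src >= mm->env_end - mm->env_start)
		return 0;
	size_t this_len = mm->env_end - (mm->env_start + src);
	return min_sz(min_sz(PAGE_SIZE, count), this_len);
}
/* Readiness check in the spirit of the commit subject (this example's own, not the patch text). */
size_t environ_len_checked(const struct mm_env *mm, unsigned long src, size_t count) {
	return mm->env_end ? environ_len_unchecked(mm, src, count) : 0;
}
/* Simulated environ_read() page loop over `mem` (the target's address space); returns bytes copied to buf. */
size_t environ_read_sim(const unsigned char *mem, size_t memsz, const struct mm_env *mm,
			unsigned char *buf, size_t count, int checked) {
	size_t src = 0, copied = 0;
	while (count > 0) {
		size_t len = checked ? environ_len_checked(mm, src, count)
				     : environ_len_unchecked(mm, src, count);
		unsigned long addr = mm->env_start + src;
		if (len == 0 || addr >= memsz)
			break;
		len = min_sz(len, memsz - addr);	/* keep the simulation in bounds */
		memcpy(buf + copied, mem + addr, len);
		copied += len; src += len; count -= len;
	}
	return copied;
}
/* Constructed target: 22-byte environment at offset 64, unrelated data around it.
 * Returns what a 32-byte read gets with env_end set (ready=1) or still 0 (mid-exec). */
size_t demo(int ready, int checked) {
	unsigned char mem[128], buf[128];
	memset(mem, 'X', sizeof mem);
	memcpy(mem + 64, "PATH=/bin\0HOME=/root\0", 22);
	struct mm_env mm = { 64, ready ? 86 : 0 };
	return environ_read_sim(mem, sizeof mem, &mm, buf, 32, checked);
}
```

With the page's values, the unchecked computation returns the full 0x7ff requested once env_end is 0, while the checked version returns 0 and the reader simply sees an empty environ until exec() has finished.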