FS#52461 - [linux-grsec] 4.8.18 kernel build may not include patch from grsecurity, causing PAX size overflow
Attached to Project: Community Packages
Opened by Clayton Craft (craftyguy) - Tuesday, 10 January 2017, 03:26 GMT
Last edited by Daniel Micay (thestinger) - Wednesday, 25 January 2017, 17:21 GMT
Details
Description:
I reported a kernel panic I receive quite reliably when I enable tc qdisc on a network interface and then proceed to generate traffic over that interface. Grsecurity folks suggest that this kernel (linux-grsec) might be compiled with GCC 6 with the forwprop option, which effectively undoes a patch they included to resolve this issue I am encountering. See this thread for more information: http://forums.grsecurity.net/viewtopic.php?f=3&t=4640
Additional info: linux-grsec-4.8.17.r201701090823-1-grsec
Steps to reproduce: Enable tc qdisc on interface, generate traffic, receive kernel panic due to PAX overflow
Comment by Daniel Micay (thestinger) - Tuesday, 10 January 2017, 17:23 GMT
You can pass pax_size_overflow_report_only for now. I'll disable
PAX_SIZE_OVERFLOW_EXTRA until they work out more fixes for these
issues, but hopefully nothing comes up blocking the feature as a
whole. They told you that the problem comes up with GCC 6.x
optimizations. I could build with an older GCC but that just means
opting into a separate set of problems since the regular Arch
kernels are tested only with the current GCC. It doesn't make
sense to disable core optimizations to work around the known
limitations of the SIZE_OVERFLOW plugin either. It has false
positives, and there's little that can be done about it beyond
working to improve GCC to provide what it needs.
Comment by Clayton Craft (craftyguy) - Tuesday, 10 January 2017, 17:33 GMT
Excuse the ignorance, but where do I set
'pax_size_overflow_report_only'? I don't see it in
/proc/sys/kernel/grsecurity. Can it be set at runtime (or boot)?
Comment by Daniel Micay (thestinger) - Tuesday, 10 January 2017, 17:35 GMT
On the kernel line, likely in your bootloader configuration.
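
Added example, not part of the thread or of the linux-grsec package: one way to put pax_size_overflow_report_only on the kernel line and confirm it after reboot. It assumes GRUB with a double-quoted GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the bootloader is GRUB and the kernel line is
# built from GRUB_CMDLINE_LINUX_DEFAULT="..." (double-quoted form only).

PARAM=pax_size_overflow_report_only

# Succeeds if the kernel command line in $1 contains PARAM as a whole,
# space-separated token (a longer name that merely contains it does not count).
has_param() {
    case " $1 " in
        *" $PARAM "*) return 0 ;;
    esac
    return 1
}

# Filter: reads an /etc/default/grub-style file on stdin and writes it to
# stdout with PARAM appended to GRUB_CMDLINE_LINUX_DEFAULT. Running it twice
# gives the same result. Lines in any other form pass through unchanged.
add_param() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            GRUB_CMDLINE_LINUX_DEFAULT=\"*\")
                val=${line#GRUB_CMDLINE_LINUX_DEFAULT=\"}
                val=${val%\"}
                if ! has_param "$val"; then
                    val="${val:+$val }$PARAM"
                fi
                printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$val"
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
}

# Constructed sample input, not taken from a real system.
sample='GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="quiet"'
printf '%s\n' "$sample" | add_param

# After a reboot, check what the running kernel was actually given.
if [ -r /proc/cmdline ] && has_param "$(cat /proc/cmdline)"; then
    echo "running kernel: $PARAM is on the kernel line"
fi
```

On a real system, review the filtered output before replacing /etc/default/grub, then regenerate the GRUB configuration (on Arch, `grub-mkconfig -o /boot/grub/grub.cfg`) and reboot.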