author | Anthony G. Basile <basile@opensource.dyc.edu> | 2010-12-06 16:38:40 -0500 |
---|---|---|
committer | Anthony G. Basile <basile@opensource.dyc.edu> | 2010-12-06 16:38:40 -0500 |
commit | 0b1485dae5c19fb86c11b2669f1e80858bf18708 (patch) | |
tree | 2cd43e497b43ef82040a70d99290f3d53f588205 /2.6.32 | |
parent | Update Grsec/PaX (diff) | |
Update Grsec/PaX 20101204
2.2.1-2.6.32.26-201012040057 against 2.6.32.26
2.2.1-2.6.36.1-201012040057 against 2.6.36.1
Diffstat (limited to '2.6.32')
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.2.1-2.6.32.26-201012040057.patch (renamed from 2.6.32/4420_grsecurity-2.2.1-2.6.32.26-201011280939.patch) | 390 | ||||
-rw-r--r-- | 2.6.32/4425_grsec-pax-without-grsec.patch | 8 |
3 files changed, 298 insertions, 102 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index e3e4d2b..4fd61af 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -3,7 +3,7 @@ README Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.2.1-2.6.32.26-201011280939.patch +Patch: 4420_grsecurity-2.2.1-2.6.32.26-201012040057.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.2.1-2.6.32.26-201011280939.patch b/2.6.32/4420_grsecurity-2.2.1-2.6.32.26-201012040057.patch index 32c1449..fa46077 100644 --- a/2.6.32/4420_grsecurity-2.2.1-2.6.32.26-201011280939.patch +++ b/2.6.32/4420_grsecurity-2.2.1-2.6.32.26-201012040057.patch @@ -20899,7 +20899,7 @@ diff -urNp linux-2.6.32.26/block/blk-iopoll.c linux-2.6.32.26/block/blk-iopoll.c int rearm = 0, budget = blk_iopoll_budget; diff -urNp linux-2.6.32.26/block/blk-map.c linux-2.6.32.26/block/blk-map.c --- linux-2.6.32.26/block/blk-map.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.26/block/blk-map.c 2010-11-11 18:23:36.000000000 -0500 ++++ linux-2.6.32.26/block/blk-map.c 2010-12-04 00:12:35.000000000 -0500 @@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ * direct dma. else, set up kernel bounce buffers */ 
@@ -20909,16 +20909,17 @@ diff -urNp linux-2.6.32.26/block/blk-map.c linux-2.6.32.26/block/blk-map.c bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask); else bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask); -@@ -205,6 +205,8 @@ int blk_rq_map_user_iov(struct request_q - unaligned = 1; - break; - } +@@ -201,6 +201,9 @@ int blk_rq_map_user_iov(struct request_q + for (i = 0; i < iov_count; i++) { + unsigned long uaddr = (unsigned long)iov[i].iov_base; + + if (!iov[i].iov_len) + return -EINVAL; - } - - if (unaligned || (q->dma_pad_mask & len) || map_data) -@@ -297,7 +299,7 @@ int blk_rq_map_kern(struct request_queue ++ + if (uaddr & queue_dma_alignment(q)) { + unaligned = 1; + break; +@@ -297,7 +300,7 @@ int blk_rq_map_kern(struct request_queue if (!len || !kbuf) return -EINVAL; 
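Review bot: In the blk_rq_map_user_iov() loop the zero-length test now runs before the alignment test, but the `break` kept inside `if (uaddr & queue_dma_alignment(q)) {` still ends the loop at the first unaligned entry, so every later `iov[i].iov_len` goes unchecked. If the intent is to reject any zero-length segment, the loop should keep iterating and only record the flag: `if (uaddr & queue_dma_alignment(q)) unaligned = 1;`. Whether the copy path taken for unaligned requests tolerates empty segments is not visible in this hunk, and the function starts and ends outside it.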
@@ -26430,6 +26431,39 @@ diff -urNp linux-2.6.32.26/drivers/infiniband/core/sysfs.c linux-2.6.32.26/drive .show = port_attr_show }; +diff -urNp linux-2.6.32.26/drivers/infiniband/core/uverbs_marshall.c linux-2.6.32.26/drivers/infiniband/core/uverbs_marshall.c +--- linux-2.6.32.26/drivers/infiniband/core/uverbs_marshall.c 2010-08-13 16:24:37.000000000 -0400 ++++ linux-2.6.32.26/drivers/infiniband/core/uverbs_marshall.c 2010-12-04 00:09:12.000000000 -0500 +@@ -40,18 +40,21 @@ void ib_copy_ah_attr_to_user(struct ib_u + dst->grh.sgid_index = src->grh.sgid_index; + dst->grh.hop_limit = src->grh.hop_limit; + dst->grh.traffic_class = src->grh.traffic_class; ++ memset(&dst->grh.reserved, 0, sizeof(dst->grh.reserved)); + dst->dlid = src->dlid; + dst->sl = src->sl; + dst->src_path_bits = src->src_path_bits; + dst->static_rate = src->static_rate; + dst->is_global = src->ah_flags & IB_AH_GRH ? 1 : 0; + dst->port_num = src->port_num; ++ dst->reserved = 0; + } + EXPORT_SYMBOL(ib_copy_ah_attr_to_user); + + void ib_copy_qp_attr_to_user(struct ib_uverbs_qp_attr *dst, + struct ib_qp_attr *src) + { ++ dst->qp_state = src->qp_state; + dst->cur_qp_state = src->cur_qp_state; + dst->path_mtu = src->path_mtu; + dst->path_mig_state = src->path_mig_state; +@@ -83,6 +86,7 @@ void ib_copy_qp_attr_to_user(struct ib_u + dst->rnr_retry = src->rnr_retry; + dst->alt_port_num = src->alt_port_num; + dst->alt_timeout = src->alt_timeout; ++ memset(dst->reserved, 0, sizeof(dst->reserved)); + } + EXPORT_SYMBOL(ib_copy_qp_attr_to_user); + diff -urNp linux-2.6.32.26/drivers/input/keyboard/atkbd.c linux-2.6.32.26/drivers/input/keyboard/atkbd.c --- linux-2.6.32.26/drivers/input/keyboard/atkbd.c 2010-08-13 16:24:37.000000000 -0400 +++ linux-2.6.32.26/drivers/input/keyboard/atkbd.c 2010-10-23 19:59:20.000000000 -0400 
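Review bot: ib_copy_ah_attr_to_user() and ib_copy_qp_attr_to_user() now clear `grh.reserved` and `reserved` and fill `qp_state` one member at a time, which leaves any compiler padding, and any member added to these structs later, holding whatever `dst` contained before. These structs appear to be handed to user space, so if the callers do not already zero `dst` (not visible here), starting each function with `memset(dst, 0, sizeof(*dst));` would make the result independent of the struct layout. Both function bodies extend beyond the lines shown in the hunk.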
@@ -31934,7 +31968,7 @@ diff -urNp linux-2.6.32.26/fs/compat_binfmt_elf.c linux-2.6.32.26/fs/compat_binf /* diff -urNp linux-2.6.32.26/fs/compat.c linux-2.6.32.26/fs/compat.c --- linux-2.6.32.26/fs/compat.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.26/fs/compat.c 2010-11-06 18:27:12.000000000 -0400 ++++ linux-2.6.32.26/fs/compat.c 2010-12-04 00:28:11.000000000 -0500 @@ -1098,7 +1098,7 @@ static ssize_t compat_do_readv_writev(in * verify all the pointers */ 
@@ -31944,22 +31978,51 @@ diff -urNp linux-2.6.32.26/fs/compat.c linux-2.6.32.26/fs/compat.c goto out; if (!file->f_op) goto out; -@@ -1410,14 +1410,12 @@ static int compat_copy_strings(int argc, +@@ -1353,6 +1353,10 @@ static int compat_count(compat_uptr_t __ + argv++; + if (i++ >= max) + return -E2BIG; ++ ++ if (fatal_signal_pending(current)) ++ return -ERESTARTNOHAND; ++ cond_resched(); + } + } + return i; +@@ -1394,6 +1398,12 @@ static int compat_copy_strings(int argc, + while (len > 0) { + int offset, bytes_to_copy; + ++ if (fatal_signal_pending(current)) { ++ ret = -ERESTARTNOHAND; ++ goto out; ++ } ++ cond_resched(); ++ + offset = pos % PAGE_SIZE; + if (offset == 0) + offset = PAGE_SIZE; +@@ -1410,17 +1420,8 @@ static int compat_copy_strings(int argc, if (!kmapped_page || kpos != (pos & PAGE_MASK)) { struct page *page; -#ifdef CONFIG_STACK_GROWSUP - ret = expand_stack_downwards(bprm->vma, pos); - if (ret < 0) { +- ret = expand_stack_downwards(bprm->vma, pos); +- if (ret < 0) { +- /* We've exceed the stack rlimit. */ +- ret = -E2BIG; +- goto out; +- } +-#endif +- ret = get_user_pages(current, bprm->mm, pos, +- 1, 1, 1, &page, NULL); +- if (ret <= 0) { ++ page = get_arg_page(bprm, pos, 1); ++ if (!page) { /* We've exceed the stack rlimit. */ ret = -E2BIG; goto out; - } --#endif - ret = get_user_pages(current, bprm->mm, pos, - 1, 1, 1, &page, NULL); - if (ret <= 0) { -@@ -1463,6 +1461,11 @@ int compat_do_execve(char * filename, +@@ -1463,6 +1464,11 @@ int compat_do_execve(char * filename, compat_uptr_t __user *envp, struct pt_regs * regs) { @@ -31971,7 +32034,7 @@ diff -urNp linux-2.6.32.26/fs/compat.c linux-2.6.32.26/fs/compat.c struct linux_binprm *bprm; struct file *file; struct files_struct *displaced; -@@ -1499,6 +1502,14 @@ int compat_do_execve(char * filename, +@@ -1499,6 +1505,14 @@ int compat_do_execve(char * filename, bprm->filename = filename; bprm->interp = filename; 
@@ -31986,7 +32049,7 @@ diff -urNp linux-2.6.32.26/fs/compat.c linux-2.6.32.26/fs/compat.c retval = bprm_mm_init(bprm); if (retval) goto out_file; -@@ -1528,9 +1539,40 @@ int compat_do_execve(char * filename, +@@ -1528,9 +1542,40 @@ int compat_do_execve(char * filename, if (retval < 0) goto out; @@ -32028,7 +32091,7 @@ diff -urNp linux-2.6.32.26/fs/compat.c linux-2.6.32.26/fs/compat.c /* execve succeeded */ current->fs->in_exec = 0; -@@ -1541,6 +1583,14 @@ int compat_do_execve(char * filename, +@@ -1541,9 +1586,19 @@ int compat_do_execve(char * filename, put_files_struct(displaced); return retval; @@ -32041,8 +32104,14 @@ diff -urNp linux-2.6.32.26/fs/compat.c linux-2.6.32.26/fs/compat.c +#endif + out: - if (bprm->mm) +- if (bprm->mm) ++ if (bprm->mm) { ++ acct_arg_size(bprm, 0); mmput(bprm->mm); ++ } + + out_file: + if (bprm->file) { diff -urNp linux-2.6.32.26/fs/compat_ioctl.c linux-2.6.32.26/fs/compat_ioctl.c --- linux-2.6.32.26/fs/compat_ioctl.c 2010-08-13 16:24:37.000000000 -0400 +++ linux-2.6.32.26/fs/compat_ioctl.c 2010-10-23 19:59:24.000000000 -0400 @@ -32121,7 +32190,7 @@ diff -urNp linux-2.6.32.26/fs/ecryptfs/inode.c linux-2.6.32.26/fs/ecryptfs/inode goto out_free; diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c --- linux-2.6.32.26/fs/exec.c 2010-10-31 16:44:11.000000000 -0400 -+++ linux-2.6.32.26/fs/exec.c 2010-10-23 19:59:20.000000000 -0400 ++++ linux-2.6.32.26/fs/exec.c 2010-12-04 00:51:17.000000000 -0500 @@ -56,12 +56,24 @@ #include <linux/fsnotify.h> #include <linux/fs_struct.h> 
@@ -32156,7 +32225,25 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c MAY_READ | MAY_EXEC | MAY_OPEN); putname(tmp); error = PTR_ERR(file); -@@ -163,18 +175,10 @@ static struct page *get_arg_page(struct +@@ -159,28 +171,35 @@ out: + + #ifdef CONFIG_MMU + +-static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, ++void acct_arg_size(struct linux_binprm *bprm, unsigned long pages) ++{ ++ struct mm_struct *mm = current->mm; ++ long diff = (long)(pages - bprm->vma_pages); ++ ++ if (!mm || !diff) ++ return; ++ ++ bprm->vma_pages = pages; ++ ++ add_mm_counter(mm, anon_rss, diff); ++} ++ ++struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, int write) { struct page *page; @@ -32178,7 +32265,15 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c return NULL; if (write) { -@@ -246,6 +250,11 @@ static int __bprm_mm_init(struct linux_b + unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start; + struct rlimit *rlim; + ++ acct_arg_size(bprm, size / PAGE_SIZE); ++ + /* + * We've historically supported up to 32 pages (ARG_MAX) + * of argument strings even with small stacks +@@ -246,6 +265,11 @@ static int __bprm_mm_init(struct linux_b vma->vm_end = STACK_TOP_MAX; vma->vm_start = vma->vm_end - PAGE_SIZE; vma->vm_flags = VM_STACK_FLAGS; @@ -32190,7 +32285,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); err = insert_vm_struct(mm, vma); if (err) -@@ -254,6 +263,12 @@ static int __bprm_mm_init(struct linux_b +@@ -254,6 +278,12 @@ static int __bprm_mm_init(struct linux_b mm->stack_vm = mm->total_vm = 1; up_write(&mm->mmap_sem); bprm->p = vma->vm_end - sizeof(void *); 
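Review bot: acct_arg_size() is added without any comment, yet its contract is easy to get wrong: it charges `current->mm` rather than `bprm->mm`, remembers the last charged count in `bprm->vma_pages`, and relies on the later `acct_arg_size(bprm, 0)` calls (before `exec_mmap()` and on the `out:` paths elsewhere in this patch) to take the charge back. A header comment stating that would help, for example `/* Charge the argument pages of bprm->vma to current->mm's anon_rss; must be reset with acct_arg_size(bprm, 0) before bprm->mm is installed or released. */`. The same hunk drops `static` from get_arg_page(), so both helpers become global symbols with fairly generic names; a line in binfmts.h saying they are exposed for fs/compat.c, which is the only other user visible in this patch, would make that intent explicit.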
@@ -32203,7 +32298,20 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c return 0; err: up_write(&mm->mmap_sem); -@@ -484,7 +499,7 @@ int copy_strings_kernel(int argc,char ** +@@ -269,7 +299,11 @@ static bool valid_arg_len(struct linux_b + + #else + +-static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, ++void acct_arg_size(struct linux_binprm *bprm, unsigned long pages) ++{ ++} ++ ++struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, + int write) + { + struct page *page; +@@ -484,7 +518,7 @@ int copy_strings_kernel(int argc,char ** int r; mm_segment_t oldfs = get_fs(); set_fs(KERNEL_DS); @@ -32212,7 +32320,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c set_fs(oldfs); return r; } -@@ -514,7 +529,8 @@ static int shift_arg_pages(struct vm_are +@@ -514,7 +548,8 @@ static int shift_arg_pages(struct vm_are unsigned long new_end = old_end - shift; struct mmu_gather *tlb; @@ -32222,7 +32330,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c /* * ensure there are no vmas between where we want to go -@@ -523,6 +539,10 @@ static int shift_arg_pages(struct vm_are +@@ -523,6 +558,10 @@ static int shift_arg_pages(struct vm_are if (vma != find_vma(mm, new_start)) return -EFAULT; @@ -32233,7 +32341,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c /* * cover the whole range: [new_start, old_end) */ -@@ -603,11 +623,6 @@ int setup_arg_pages(struct linux_binprm +@@ -603,11 +642,6 @@ int setup_arg_pages(struct linux_binprm #else stack_top = arch_align_stack(stack_top); stack_top = PAGE_ALIGN(stack_top); @@ -32245,7 +32353,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c stack_shift = vma->vm_end - stack_top; bprm->p -= stack_shift; -@@ -619,6 +634,14 @@ int setup_arg_pages(struct linux_binprm +@@ -619,6 +653,14 @@ int setup_arg_pages(struct linux_binprm bprm->exec -= stack_shift; down_write(&mm->mmap_sem); 
@@ -32260,7 +32368,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c vm_flags = VM_STACK_FLAGS; /* -@@ -632,19 +655,24 @@ int setup_arg_pages(struct linux_binprm +@@ -632,19 +674,24 @@ int setup_arg_pages(struct linux_binprm vm_flags &= ~VM_EXEC; vm_flags |= mm->def_flags; @@ -32292,7 +32400,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c stack_expand = EXTRA_STACK_VM_PAGES * PAGE_SIZE; stack_size = vma->vm_end - vma->vm_start; /* -@@ -681,7 +709,7 @@ struct file *open_exec(const char *name) +@@ -681,7 +728,7 @@ struct file *open_exec(const char *name) int err; file = do_filp_open(AT_FDCWD, name, @@ -32301,7 +32409,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c MAY_EXEC | MAY_OPEN); if (IS_ERR(file)) goto out; -@@ -718,7 +746,7 @@ int kernel_read(struct file *file, loff_ +@@ -718,7 +765,7 @@ int kernel_read(struct file *file, loff_ old_fs = get_fs(); set_fs(get_ds()); /* The cast to a user pointer is valid due to the set_fs() */ @@ -32310,7 +32418,15 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c set_fs(old_fs); return result; } -@@ -1124,7 +1152,7 @@ int check_unsafe_exec(struct linux_binpr +@@ -976,6 +1023,7 @@ int flush_old_exec(struct linux_binprm * + /* + * Release all of the old mmap stuff + */ ++ acct_arg_size(bprm, 0); + retval = exec_mmap(bprm->mm); + if (retval) + goto out; +@@ -1124,7 +1172,7 @@ int check_unsafe_exec(struct linux_binpr } rcu_read_unlock(); @@ -32319,7 +32435,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c bprm->unsafe |= LSM_UNSAFE_SHARE; } else { res = -EAGAIN; -@@ -1323,6 +1351,11 @@ int do_execve(char * filename, +@@ -1323,6 +1371,11 @@ int do_execve(char * filename, char __user *__user *envp, struct pt_regs * regs) { 
@@ -32331,7 +32447,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c struct linux_binprm *bprm; struct file *file; struct files_struct *displaced; -@@ -1359,6 +1392,18 @@ int do_execve(char * filename, +@@ -1359,6 +1412,18 @@ int do_execve(char * filename, bprm->filename = filename; bprm->interp = filename; @@ -32350,7 +32466,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c retval = bprm_mm_init(bprm); if (retval) goto out_file; -@@ -1388,10 +1433,41 @@ int do_execve(char * filename, +@@ -1388,10 +1453,41 @@ int do_execve(char * filename, if (retval < 0) goto out; @@ -32393,7 +32509,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c /* execve succeeded */ current->fs->in_exec = 0; -@@ -1402,6 +1478,14 @@ int do_execve(char * filename, +@@ -1402,9 +1498,19 @@ int do_execve(char * filename, put_files_struct(displaced); return retval; @@ -32406,9 +32522,15 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c +#endif + out: - if (bprm->mm) +- if (bprm->mm) ++ if (bprm->mm) { ++ acct_arg_size(bprm, 0); mmput (bprm->mm); -@@ -1565,6 +1649,217 @@ out: ++ } + + out_file: + if (bprm->file) { +@@ -1565,6 +1671,217 @@ out: return ispipe; } @@ -32626,7 +32748,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c static int zap_process(struct task_struct *start) { struct task_struct *t; -@@ -1767,17 +2062,17 @@ static void wait_for_dump_helpers(struct +@@ -1767,17 +2084,17 @@ static void wait_for_dump_helpers(struct pipe = file->f_path.dentry->d_inode->i_pipe; pipe_lock(pipe); @@ -32649,7 +32771,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c pipe_unlock(pipe); } -@@ -1848,6 +2143,10 @@ void do_coredump(long signr, int exit_co +@@ -1848,6 +2165,10 @@ void do_coredump(long signr, int exit_co */ clear_thread_flag(TIF_SIGPENDING); 
@@ -33495,7 +33617,7 @@ diff -urNp linux-2.6.32.26/fs/locks.c linux-2.6.32.26/fs/locks.c lock_kernel(); diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c --- linux-2.6.32.26/fs/namei.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.26/fs/namei.c 2010-11-20 13:52:05.000000000 -0500 ++++ linux-2.6.32.26/fs/namei.c 2010-12-04 00:54:11.000000000 -0500 @@ -224,14 +224,6 @@ int generic_permission(struct inode *ino return ret; @@ -33578,7 +33700,28 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c path_put(&nd->path); return_err: return err; -@@ -1621,12 +1636,19 @@ static int __open_namei_create(struct na +@@ -1576,6 +1591,20 @@ int may_open(struct path *path, int acc_ + if (error) + goto err_out; + ++ ++ if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) { ++ error = -EPERM; ++ goto err_out; ++ } ++ if (gr_handle_rawio(inode)) { ++ error = -EPERM; ++ goto err_out; ++ } ++ if (!gr_acl_handle_open(dentry, path->mnt, flag)) { ++ error = -EACCES; ++ goto err_out; ++ } ++ + if (flag & O_TRUNC) { + error = get_write_access(inode); + if (error) +@@ -1621,12 +1650,19 @@ static int __open_namei_create(struct na int error; struct dentry *dir = nd->path.dentry; @@ -33598,7 +33741,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c out_unlock: mutex_unlock(&dir->d_inode->i_mutex); dput(nd->path.dentry); -@@ -1709,6 +1731,22 @@ struct file *do_filp_open(int dfd, const +@@ -1709,6 +1745,22 @@ struct file *do_filp_open(int dfd, const &nd, flag); if (error) return ERR_PTR(error); 
@@ -33621,24 +33764,14 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c goto ok; } -@@ -1795,6 +1833,24 @@ do_last: +@@ -1795,6 +1847,14 @@ do_last: /* * It already exists. */ + -+ if (gr_handle_rofs_blockwrite(path.dentry, nd.path.mnt, acc_mode)) { -+ error = -EPERM; -+ goto exit_mutex_unlock; -+ } -+ if (gr_handle_rawio(path.dentry->d_inode)) { -+ error = -EPERM; -+ goto exit_mutex_unlock; -+ } -+ if (!gr_acl_handle_open(path.dentry, nd.path.mnt, flag)) { -+ error = -EACCES; -+ goto exit_mutex_unlock; -+ } -+ if (gr_handle_fifo(path.dentry, nd.path.mnt, dir, flag, acc_mode)) { ++ /* only check if O_CREAT is specified, all other checks need ++ to go into may_open */ ++ if (gr_handle_fifo(path.dentry, path.mnt, dir, flag, acc_mode)) { + error = -EACCES; + goto exit_mutex_unlock; + } @@ -33646,7 +33779,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c mutex_unlock(&dir->d_inode->i_mutex); audit_inode(pathname, path.dentry); -@@ -1887,6 +1943,13 @@ do_link: +@@ -1887,6 +1947,13 @@ do_link: error = security_inode_follow_link(path.dentry, &nd); if (error) goto exit_dput; @@ -33660,7 +33793,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c error = __do_follow_link(&path, &nd); if (error) { /* Does someone understand code flow here? Or it is only -@@ -2061,6 +2124,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const +@@ -2061,6 +2128,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const error = may_mknod(mode); if (error) goto out_dput; @@ -33678,7 +33811,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c error = mnt_want_write(nd.path.mnt); if (error) goto out_dput; -@@ -2081,6 +2155,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const +@@ -2081,6 +2159,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const } out_drop_write: mnt_drop_write(nd.path.mnt); 
@@ -33688,7 +33821,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c out_dput: dput(dentry); out_unlock: -@@ -2134,6 +2211,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const +@@ -2134,6 +2215,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const if (IS_ERR(dentry)) goto out_unlock; @@ -33700,7 +33833,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c if (!IS_POSIXACL(nd.path.dentry->d_inode)) mode &= ~current_umask(); error = mnt_want_write(nd.path.mnt); -@@ -2145,6 +2227,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const +@@ -2145,6 +2231,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode); out_drop_write: mnt_drop_write(nd.path.mnt); @@ -33711,7 +33844,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c out_dput: dput(dentry); out_unlock: -@@ -2226,6 +2312,8 @@ static long do_rmdir(int dfd, const char +@@ -2226,6 +2316,8 @@ static long do_rmdir(int dfd, const char char * name; struct dentry *dentry; struct nameidata nd; @@ -33720,7 +33853,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -2250,6 +2338,19 @@ static long do_rmdir(int dfd, const char +@@ -2250,6 +2342,19 @@ static long do_rmdir(int dfd, const char error = PTR_ERR(dentry); if (IS_ERR(dentry)) goto exit2; @@ -33740,7 +33873,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c error = mnt_want_write(nd.path.mnt); if (error) goto exit3; -@@ -2257,6 +2358,8 @@ static long do_rmdir(int dfd, const char +@@ -2257,6 +2362,8 @@ static long do_rmdir(int dfd, const char if (error) goto exit4; error = vfs_rmdir(nd.path.dentry->d_inode, dentry); 
@@ -33749,7 +33882,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c exit4: mnt_drop_write(nd.path.mnt); exit3: -@@ -2318,6 +2421,8 @@ static long do_unlinkat(int dfd, const c +@@ -2318,6 +2425,8 @@ static long do_unlinkat(int dfd, const c struct dentry *dentry; struct nameidata nd; struct inode *inode = NULL; @@ -33758,7 +33891,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -2337,8 +2442,19 @@ static long do_unlinkat(int dfd, const c +@@ -2337,8 +2446,19 @@ static long do_unlinkat(int dfd, const c if (nd.last.name[nd.last.len]) goto slashes; inode = dentry->d_inode; @@ -33779,7 +33912,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c error = mnt_want_write(nd.path.mnt); if (error) goto exit2; -@@ -2346,6 +2462,8 @@ static long do_unlinkat(int dfd, const c +@@ -2346,6 +2466,8 @@ static long do_unlinkat(int dfd, const c if (error) goto exit3; error = vfs_unlink(nd.path.dentry->d_inode, dentry); @@ -33788,7 +33921,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c exit3: mnt_drop_write(nd.path.mnt); exit2: -@@ -2424,6 +2542,11 @@ SYSCALL_DEFINE3(symlinkat, const char __ +@@ -2424,6 +2546,11 @@ SYSCALL_DEFINE3(symlinkat, const char __ if (IS_ERR(dentry)) goto out_unlock; @@ -33800,7 +33933,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c error = mnt_want_write(nd.path.mnt); if (error) goto out_dput; -@@ -2431,6 +2554,8 @@ SYSCALL_DEFINE3(symlinkat, const char __ +@@ -2431,6 +2558,8 @@ SYSCALL_DEFINE3(symlinkat, const char __ if (error) goto out_drop_write; error = vfs_symlink(nd.path.dentry->d_inode, dentry, from); 
@@ -33809,7 +33942,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c out_drop_write: mnt_drop_write(nd.path.mnt); out_dput: -@@ -2524,6 +2649,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con +@@ -2524,6 +2653,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) goto out_unlock; @@ -33830,7 +33963,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c error = mnt_want_write(nd.path.mnt); if (error) goto out_dput; -@@ -2531,6 +2670,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con +@@ -2531,6 +2674,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con if (error) goto out_drop_write; error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry); @@ -33839,7 +33972,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c out_drop_write: mnt_drop_write(nd.path.mnt); out_dput: -@@ -2764,6 +2905,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c +@@ -2764,6 +2909,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c if (new_dentry == trap) goto exit5; @@ -33852,7 +33985,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c error = mnt_want_write(oldnd.path.mnt); if (error) goto exit5; -@@ -2773,6 +2920,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c +@@ -2773,6 +2924,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c goto exit6; error = vfs_rename(old_dir->d_inode, old_dentry, new_dir->d_inode, new_dentry); @@ -36137,7 +36270,7 @@ diff -urNp linux-2.6.32.26/fs/utimes.c linux-2.6.32.26/fs/utimes.c mutex_unlock(&inode->i_mutex); diff -urNp linux-2.6.32.26/fs/xattr.c linux-2.6.32.26/fs/xattr.c --- linux-2.6.32.26/fs/xattr.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.26/fs/xattr.c 2010-11-28 09:38:51.000000000 -0500 ++++ linux-2.6.32.26/fs/xattr.c 2010-12-02 18:29:05.000000000 -0500 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr); * Extended attribute SET operations */ 
@@ -36147,21 +36280,22 @@ diff -urNp linux-2.6.32.26/fs/xattr.c linux-2.6.32.26/fs/xattr.c size_t size, int flags) { int error; -@@ -271,7 +271,12 @@ setxattr(struct dentry *d, const char __ +@@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __ return PTR_ERR(kvalue); } - error = vfs_setxattr(d, kname, kvalue, size, flags); -+ error = 0; -+ if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) ++ if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) { + error = -EACCES; ++ goto out; ++ } + -+ if (!error) -+ error = vfs_setxattr(path->dentry, kname, kvalue, size, flags); ++ error = vfs_setxattr(path->dentry, kname, kvalue, size, flags); ++out: kfree(kvalue); return error; } -@@ -288,7 +293,7 @@ SYSCALL_DEFINE5(setxattr, const char __u +@@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u return error; error = mnt_want_write(path.mnt); if (!error) { @@ -36170,7 +36304,7 @@ diff -urNp linux-2.6.32.26/fs/xattr.c linux-2.6.32.26/fs/xattr.c mnt_drop_write(path.mnt); } path_put(&path); -@@ -307,7 +312,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __ +@@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __ return error; error = mnt_want_write(path.mnt); if (!error) { @@ -36179,7 +36313,7 @@ diff -urNp linux-2.6.32.26/fs/xattr.c linux-2.6.32.26/fs/xattr.c mnt_drop_write(path.mnt); } path_put(&path); -@@ -318,17 +323,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons +@@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons const void __user *,value, size_t, size, int, flags) { struct file *f; 
@@ -46585,8 +46719,27 @@ diff -urNp linux-2.6.32.26/include/linux/backlight.h linux-2.6.32.26/include/lin enum backlight_update_reason reason); diff -urNp linux-2.6.32.26/include/linux/binfmts.h linux-2.6.32.26/include/linux/binfmts.h --- linux-2.6.32.26/include/linux/binfmts.h 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.26/include/linux/binfmts.h 2010-10-23 19:59:20.000000000 -0400 -@@ -78,6 +78,7 @@ struct linux_binfmt { ++++ linux-2.6.32.26/include/linux/binfmts.h 2010-12-04 00:29:58.000000000 -0500 +@@ -29,6 +29,7 @@ struct linux_binprm{ + char buf[BINPRM_BUF_SIZE]; + #ifdef CONFIG_MMU + struct vm_area_struct *vma; ++ unsigned long vma_pages; + #else + # define MAX_ARG_PAGES 32 + struct page *page[MAX_ARG_PAGES]; +@@ -59,6 +60,10 @@ struct linux_binprm{ + unsigned long loader, exec; + }; + ++extern void acct_arg_size(struct linux_binprm *bprm, unsigned long pages); ++extern struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, ++ int write); ++ + #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0 + #define BINPRM_FLAGS_ENFORCE_NONDUMP (1 << BINPRM_FLAGS_ENFORCE_NONDUMP_BIT) + +@@ -78,6 +83,7 @@ struct linux_binfmt { int (*load_binary)(struct linux_binprm *, struct pt_regs * regs); int (*load_shlib)(struct file *); int (*core_dump)(long signr, struct pt_regs *regs, struct file *file, unsigned long limit); @@ -50545,7 +50698,7 @@ diff -urNp linux-2.6.32.26/kernel/cred.c linux-2.6.32.26/kernel/cred.c old->egid != new->egid || diff -urNp linux-2.6.32.26/kernel/exit.c linux-2.6.32.26/kernel/exit.c --- linux-2.6.32.26/kernel/exit.c 2010-09-26 17:26:05.000000000 -0400 -+++ linux-2.6.32.26/kernel/exit.c 2010-10-23 19:59:20.000000000 -0400 ++++ linux-2.6.32.26/kernel/exit.c 2010-12-04 00:19:54.000000000 -0500 @@ -56,6 +56,10 @@ #include <asm/mmu_context.h> #include "cred-internals.h" 
@@ -50557,7 +50710,22 @@ diff -urNp linux-2.6.32.26/kernel/exit.c linux-2.6.32.26/kernel/exit.c static void exit_mm(struct task_struct * tsk); static void __unhash_process(struct task_struct *p) -@@ -167,6 +171,8 @@ void release_task(struct task_struct * p +@@ -92,6 +96,14 @@ static void __exit_signal(struct task_st + posix_cpu_timers_exit_group(tsk); + else { + /* ++ * This can only happen if the caller is de_thread(). ++ * FIXME: this is the temporary hack, we should teach ++ * posix-cpu-timers to handle this case correctly. ++ */ ++ if (unlikely(has_group_leader_pid(tsk))) ++ posix_cpu_timers_exit_group(tsk); ++ ++ /* + * If there is any task waiting for the group exit + * then notify it: + */ +@@ -167,6 +179,8 @@ void release_task(struct task_struct * p struct task_struct *leader; int zap_leader; repeat: @@ -50566,7 +50734,7 @@ diff -urNp linux-2.6.32.26/kernel/exit.c linux-2.6.32.26/kernel/exit.c tracehook_prepare_release_task(p); /* don't need to get the RCU readlock here - the process is dead and * can't be modifying its own credentials */ -@@ -334,11 +340,22 @@ static void reparent_to_kthreadd(void) +@@ -334,11 +348,22 @@ static void reparent_to_kthreadd(void) { write_lock_irq(&tasklist_lock); @@ -50589,7 +50757,7 @@ diff -urNp linux-2.6.32.26/kernel/exit.c linux-2.6.32.26/kernel/exit.c /* Set the exit signal to SIGCHLD so we signal init on exit */ current->exit_signal = SIGCHLD; -@@ -390,7 +407,7 @@ int allow_signal(int sig) +@@ -390,7 +415,7 @@ int allow_signal(int sig) * know it'll be handled, so that they don't get converted to * SIGKILL or just silently dropped. */ @@ -50598,7 +50766,7 @@ diff -urNp linux-2.6.32.26/kernel/exit.c linux-2.6.32.26/kernel/exit.c recalc_sigpending(); spin_unlock_irq(¤t->sighand->siglock); return 0; -@@ -426,6 +443,17 @@ void daemonize(const char *name, ...) +@@ -426,6 +451,17 @@ void daemonize(const char *name, ...) vsnprintf(current->comm, sizeof(current->comm), name, args); va_end(args); 
@@ -50616,7 +50784,23 @@ diff -urNp linux-2.6.32.26/kernel/exit.c linux-2.6.32.26/kernel/exit.c /* * If we were started as result of loading a module, close all of the * user space pages. We don't need them, and if we didn't close them -@@ -957,6 +985,9 @@ NORET_TYPE void do_exit(long code) +@@ -899,6 +935,15 @@ NORET_TYPE void do_exit(long code) + if (unlikely(!tsk->pid)) + panic("Attempted to kill the idle task!"); + ++ /* ++ * If do_exit is called because this processes oopsed, it's possible ++ * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before ++ * continuing. Amongst other possible reasons, this is to prevent ++ * mm_release()->clear_child_tid() from writing to a user-controlled ++ * kernel address. ++ */ ++ set_fs(USER_DS); ++ + tracehook_report_exit(&code); + + validate_creds_for_do_exit(tsk); +@@ -957,6 +1002,9 @@ NORET_TYPE void do_exit(long code) tsk->exit_code = code; taskstats_exit(tsk, group_dead); @@ -50626,7 +50810,7 @@ diff -urNp linux-2.6.32.26/kernel/exit.c linux-2.6.32.26/kernel/exit.c exit_mm(tsk); if (group_dead) -@@ -1172,7 +1203,7 @@ static int wait_task_zombie(struct wait_ +@@ -1172,7 +1220,7 @@ static int wait_task_zombie(struct wait_ if (unlikely(wo->wo_flags & WNOWAIT)) { int exit_code = p->exit_code; 
@@ -57051,6 +57235,18 @@ diff -urNp linux-2.6.32.26/net/decnet/sysctl_net_decnet.c linux-2.6.32.26/net/de return -EFAULT; *lenp = len; +diff -urNp linux-2.6.32.26/net/econet/Kconfig linux-2.6.32.26/net/econet/Kconfig +--- linux-2.6.32.26/net/econet/Kconfig 2010-08-13 16:24:37.000000000 -0400 ++++ linux-2.6.32.26/net/econet/Kconfig 2010-12-04 00:12:01.000000000 -0500 +@@ -4,7 +4,7 @@ + + config ECONET + tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)" +- depends on EXPERIMENTAL && INET ++ depends on EXPERIMENTAL && INET && BROKEN + ---help--- + Econet is a fairly old and slow networking protocol mainly used by + Acorn computers to access file and print servers. It uses native diff -urNp linux-2.6.32.26/net/ipv4/inet_diag.c linux-2.6.32.26/net/ipv4/inet_diag.c --- linux-2.6.32.26/net/ipv4/inet_diag.c 2010-08-13 16:24:37.000000000 -0400 +++ linux-2.6.32.26/net/ipv4/inet_diag.c 2010-11-13 14:53:02.000000000 -0500 @@ -58475,7 +58671,7 @@ diff -urNp linux-2.6.32.26/net/tipc/socket.c linux-2.6.32.26/net/tipc/socket.c diff -urNp linux-2.6.32.26/net/unix/af_unix.c linux-2.6.32.26/net/unix/af_unix.c --- linux-2.6.32.26/net/unix/af_unix.c 2010-09-26 17:26:06.000000000 -0400 -+++ linux-2.6.32.26/net/unix/af_unix.c 2010-10-23 19:59:20.000000000 -0400 ++++ linux-2.6.32.26/net/unix/af_unix.c 2010-12-04 00:41:07.000000000 -0500 @@ -743,6 +743,12 @@ static struct sock *unix_find_other(stru err = -ECONNREFUSED; if (!S_ISSOCK(inode->i_mode)) diff --git a/2.6.32/4425_grsec-pax-without-grsec.patch b/2.6.32/4425_grsec-pax-without-grsec.patch index 438148a..8bf0dc4 100644 --- a/2.6.32/4425_grsec-pax-without-grsec.patch +++ b/2.6.32/4425_grsec-pax-without-grsec.patch @@ -28,7 +28,7 @@ The original version of this patch contained no credits/description. } --- a/fs/exec.c +++ b/fs/exec.c -@@ -1759,9 +1759,11 @@ +@@ -1781,9 +1781,11 @@ } up_read(&mm->mmap_sem); } 
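Review bot: The `config ECONET` entry gains `&& BROKEN` with no comment, and the help text below it still describes the option as usable, so nothing in the tree records why it was disabled or when the dependency can be dropped. A comment line above `depends on`, such as `# BROKEN: see <UPSTREAM-REFERENCE> for the reason and the condition for re-enabling`, would keep that with the change. The reason itself is not stated on this page, so the reference has to come from the upstream grsecurity changelog.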
@@ -40,7 +40,7 @@ The original version of this patch contained no credits/description. printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset); printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, " "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk), -@@ -1776,10 +1778,12 @@ +@@ -1798,10 +1800,12 @@ #ifdef CONFIG_PAX_REFCOUNT void pax_report_refcount_overflow(struct pt_regs *regs) { @@ -53,7 +53,7 @@ The original version of this patch contained no credits/description. printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", current->comm, task_pid_nr(current), current_uid(), current_euid()); print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs)); -@@ -1839,10 +1843,12 @@ +@@ -1861,10 +1865,12 @@ void pax_report_leak_to_user(const void *ptr, unsigned long len) { @@ -66,7 +66,7 @@ The original version of this patch contained no credits/description. printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len); dump_stack(); do_group_exit(SIGKILL); -@@ -1850,10 +1856,12 @@ +@@ -1872,10 +1878,12 @@ void pax_report_overflow_from_user(const void *ptr, unsigned long len) { |