diff options
author | Anthony G. Basile <blueness@gentoo.org> | 2013-05-18 10:27:08 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2013-05-18 10:27:08 -0400 |
commit | dd5cadb3a57775c892a1f648f9f16ad4696f2f44 (patch) | |
tree | 8fa67c57dd8c2dff22ac3ea39f1dc59f4181bd7b /2.6.32 | |
parent | Grsec/PaX: 2.9.1-{2.6.32.60,3.2.45,3.9.2}-20130514 (diff) | |
download | hardened-patchset-dd5cadb3a57775c892a1f648f9f16ad4696f2f44.tar.gz hardened-patchset-dd5cadb3a57775c892a1f648f9f16ad4696f2f44.tar.bz2 hardened-patchset-dd5cadb3a57775c892a1f648f9f16ad4696f2f44.zip |
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.45,3.9.2}-201305172333emutramp_default_on20130517
Diffstat (limited to '2.6.32')
-rw-r--r-- | 2.6.32/0000_README | 8 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305162326.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305142032.patch) | 19 | ||||
-rw-r--r-- | 2.6.32/4475_emutramp_default_on.patch | 21 | ||||
-rw-r--r-- | 2.6.32/4480_check_ssp_fix.patch (renamed from 2.6.32/4475_check_ssp_fix.patch) | 0 |
4 files changed, 45 insertions, 3 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index 64c91d5..755285c 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch From: http://www.kernel.org Desc: Linux 2.6.32.59 -Patch: 4420_grsecurity-2.9.1-2.6.32.60-201305142032.patch +Patch: 4420_grsecurity-2.9.1-2.6.32.60-201305162326.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity @@ -67,6 +67,10 @@ From: Gordon Malm <gengor@gentoo.org> Kerin Millar <kerframil@gmail.com> Desc: Disables VDSO_COMPAT operation completely -Patch: 4475_check_ssp_fix.patch +Patch: 4475_emutramp_default_on.patch +From: Anthony G. Basile <blueness@gentoo.org> +Desc: Set PAX_EMUTRAMP default on for libffi, bugs #329499 and #457194 + +Patch: 4480_check_ssp_fix.patch From: Magnus Granberg <zorry@gentoo.org> Desc: Fixes kernel check script for ssp diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305142032.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305162326.patch index f34ed36..3482354 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305142032.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305162326.patch @@ -22024,7 +22024,7 @@ index d559af9..524c6ad 100644 * Up to this point, the boot CPU has been using .data.init * area. Reload any changed state for the boot CPU. diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c -index 6a44a76..a9287a1 100644 +index 6a44a76..3cab8c7 100644 --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c @@ -197,7 +197,7 @@ static unsigned long align_sigframe(unsigned long sp) @@ -22110,6 +22110,23 @@ index 6a44a76..a9287a1 100644 return; if (current_thread_info()->status & TS_RESTORE_SIGMASK) +@@ -799,6 +804,7 @@ static void do_signal(struct pt_regs *regs) + + signr = get_signal_to_deliver(&info, &ka, regs, NULL); + if (signr > 0) { ++ sigset_t sigcopy = *oldset; + /* + * Re-enable any watchpoints before delivering the + * signal to user space. The processor register will +@@ -809,7 +815,7 @@ static void do_signal(struct pt_regs *regs) + set_debugreg(current->thread.debugreg7, 7); + + /* Whee! Actually deliver the signal. */ +- if (handle_signal(signr, &info, &ka, oldset, regs) == 0) { ++ if (handle_signal(signr, &info, &ka, &sigcopy, regs) == 0) { + /* + * A signal was successfully delivered; the saved + * sigmask will have been stored in the signal frame, diff --git a/arch/x86/kernel/smp.c b/arch/x86/kernel/smp.c index 29f0a78..374912c 100644 --- a/arch/x86/kernel/smp.c diff --git a/2.6.32/4475_emutramp_default_on.patch b/2.6.32/4475_emutramp_default_on.patch new file mode 100644 index 0000000..2d7124b --- /dev/null +++ b/2.6.32/4475_emutramp_default_on.patch @@ -0,0 +1,21 @@ +From: Anthony G. Basile <blueness@gentoo.org> + +PAX_EMUTRAMP is needed for libffi to avoid RWX mmap-ings using PaX emulation of trampolines. +We default PAX_EMUTRAMP='y' since almost all hardened users will want this. + +See bug: + http://bugs.gentoo.org/show_bug.cgi?id=329499 + http://bugs.gentoo.org/show_bug.cgi?id=457194 + +diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig +--- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400 ++++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400 +@@ -424,7 +424,7 @@ + + config PAX_EMUTRAMP + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86) +- default y if PARISC ++ default y + help + There are some programs and libraries that for one reason or + another attempt to execute special small code snippets from diff --git a/2.6.32/4475_check_ssp_fix.patch b/2.6.32/4480_check_ssp_fix.patch index 40e0467..40e0467 100644 --- a/2.6.32/4475_check_ssp_fix.patch +++ b/2.6.32/4480_check_ssp_fix.patch |