Grsec/PaX: 2.9.1-{2.6.32.60,3.2.45,3.9.2}-201305172333emutramp_default_on20130517

4 files changed, 45 insertions, 3 deletions

diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 64c91d5..755285c 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -34,7 +34,7 @@ Patch:	1059_linux-2.6.32.60.patch
 From:	http://www.kernel.org
 Desc:	Linux 2.6.32.59
 
-Patch:	4420_grsecurity-2.9.1-2.6.32.60-201305142032.patch
+Patch:	4420_grsecurity-2.9.1-2.6.32.60-201305162326.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
@@ -67,6 +67,10 @@ From:	Gordon Malm <gengor@gentoo.org>
 	Kerin Millar <kerframil@gmail.com>
 Desc:	Disables VDSO_COMPAT operation completely
 
-Patch:	4475_check_ssp_fix.patch
+Patch:	4475_emutramp_default_on.patch
+From:	Anthony G. Basile <blueness@gentoo.org>
+Desc:	Set PAX_EMUTRAMP default on for libffi, bugs #329499 and #457194
+
+Patch:	4480_check_ssp_fix.patch
 From:	Magnus Granberg <zorry@gentoo.org>
 Desc:	Fixes kernel check script for ssp
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305142032.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305162326.patch
index f34ed36..3482354 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305142032.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305162326.patch
@@ -22024,7 +22024,7 @@ index d559af9..524c6ad 100644
  		 * Up to this point, the boot CPU has been using .data.init
  		 * area.  Reload any changed state for the boot CPU.
 diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
-index 6a44a76..a9287a1 100644
+index 6a44a76..3cab8c7 100644
 --- a/arch/x86/kernel/signal.c
 +++ b/arch/x86/kernel/signal.c
 @@ -197,7 +197,7 @@ static unsigned long align_sigframe(unsigned long sp)
@@ -22110,6 +22110,23 @@ index 6a44a76..a9287a1 100644
  		return;
  
  	if (current_thread_info()->status & TS_RESTORE_SIGMASK)
+@@ -799,6 +804,7 @@ static void do_signal(struct pt_regs *regs)
+ 
+ 	signr = get_signal_to_deliver(&info, &ka, regs, NULL);
+ 	if (signr > 0) {
++		sigset_t sigcopy = *oldset;
+ 		/*
+ 		 * Re-enable any watchpoints before delivering the
+ 		 * signal to user space. The processor register will
+@@ -809,7 +815,7 @@ static void do_signal(struct pt_regs *regs)
+ 			set_debugreg(current->thread.debugreg7, 7);
+ 
+ 		/* Whee! Actually deliver the signal.  */
+-		if (handle_signal(signr, &info, &ka, oldset, regs) == 0) {
++		if (handle_signal(signr, &info, &ka, &sigcopy, regs) == 0) {
+ 			/*
+ 			 * A signal was successfully delivered; the saved
+ 			 * sigmask will have been stored in the signal frame,
 diff --git a/arch/x86/kernel/smp.c b/arch/x86/kernel/smp.c
 index 29f0a78..374912c 100644
 --- a/arch/x86/kernel/smp.c
diff --git a/2.6.32/4475_emutramp_default_on.patch b/2.6.32/4475_emutramp_default_on.patch
new file mode 100644
index 0000000..2d7124b
--- /dev/null
+++ b/2.6.32/4475_emutramp_default_on.patch
@@ -0,0 +1,21 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+PAX_EMUTRAMP is needed for libffi to avoid RWX mmap-ings using PaX emulation of trampolines.
+We default PAX_EMUTRAMP='y' since almost all hardened users will want this.
+
+See bug:
+ http://bugs.gentoo.org/show_bug.cgi?id=329499
+ http://bugs.gentoo.org/show_bug.cgi?id=457194
+
+diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
+--- linux-3.9.2-hardened.orig/security/Kconfig	2013-05-18 08:53:41.000000000 -0400
++++ linux-3.9.2-hardened/security/Kconfig	2013-05-18 09:17:57.000000000 -0400
+@@ -424,7 +424,7 @@
+ 
+ config PAX_EMUTRAMP
+ 	bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
+-	default y if PARISC
++	default y
+ 	help
+ 	  There are some programs and libraries that for one reason or
+ 	  another attempt to execute special small code snippets from
diff --git a/2.6.32/4475_check_ssp_fix.patch b/2.6.32/4480_check_ssp_fix.patch
index 40e0467..40e0467 100644
--- a/2.6.32/4475_check_ssp_fix.patch
+++ b/2.6.32/4480_check_ssp_fix.patch