authorAnthony G. Basile <blueness@gentoo.org>2011-05-10 07:32:43 -0400
committerAnthony G. Basile <blueness@gentoo.org>2011-05-10 07:32:43 -0400
commit5b1c73031dad23abc700be2f806b6c1d89c478ed (patch)
tree1394ba38671feda919af73a81e3b741a651cc645 /2.6.32
parentAdded script to automatically retrieve patches (diff)
Update Grsec/PaX20110502
2.2.2-2.6.32.39-201104301754 2.2.2-2.6.38.4-201105021909
Diffstat (limited to '2.6.32')
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.2.2-2.6.32.39-201104301754.patch (renamed from 2.6.32/4420_grsecurity-2.2.2-2.6.32.39-201104232142.patch)95
2 files changed, 52 insertions, 45 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index a39c8e4..c7284cd 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -15,7 +15,7 @@ Patch: 1038_linux-2.6.32.39.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.39
-Patch: 4420_grsecurity-2.2.2-2.6.32.39-201104232142.patch
+Patch: 4420_grsecurity-2.2.2-2.6.32.39-201104301754.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.39-201104232142.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.39-201104301754.patch
index b39bf4e..ab225e0 100644
--- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.39-201104232142.patch
+++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.39-201104301754.patch
@@ -48363,21 +48363,32 @@ diff -urNp linux-2.6.32.39/include/linux/highmem.h linux-2.6.32.39/include/linux
unsigned start2, unsigned end2)
diff -urNp linux-2.6.32.39/include/linux/init_task.h linux-2.6.32.39/include/linux/init_task.h
--- linux-2.6.32.39/include/linux/init_task.h 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.39/include/linux/init_task.h 2011-04-18 18:02:57.000000000 -0400
-@@ -83,6 +83,12 @@ extern struct group_info init_groups;
++++ linux-2.6.32.39/include/linux/init_task.h 2011-04-30 17:52:14.000000000 -0400
+@@ -83,6 +83,14 @@ extern struct group_info init_groups;
#define INIT_IDS
#endif
+#ifdef CONFIG_X86
+#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
++#define INIT_TASK_STACK .stack = &init_thread_union,
+#else
+#define INIT_TASK_THREAD_INFO
++#define INIT_TASK_STACK .stack = &init_thread_info,
+#endif
+
#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
/*
* Because of the reduced scope of CAP_SETPCAP when filesystem
-@@ -156,6 +162,7 @@ extern struct cred init_cred;
+@@ -122,7 +130,7 @@ extern struct cred init_cred;
+ #define INIT_TASK(tsk) \
+ { \
+ .state = 0, \
+- .stack = &init_thread_info, \
++ INIT_TASK_STACK \
+ .usage = ATOMIC_INIT(2), \
+ .flags = PF_KTHREAD, \
+ .lock_depth = -1, \
+@@ -156,6 +164,7 @@ extern struct cred init_cred;
__MUTEX_INITIALIZER(tsk.cred_guard_mutex), \
.comm = "swapper", \
.thread = INIT_THREAD, \
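Review bot: The `INIT_TASK_STACK` definitions added under `#ifdef CONFIG_X86` carry no comment saying why x86 points `.stack` at `init_thread_union` while every other architecture keeps `init_thread_info`. Judging from the `.tinfo = INIT_THREAD_INFO` line beside it, x86 presumably keeps thread_info inside the task struct in this patch, so a one-line comment such as `/* x86: thread_info lives in task_struct (.tinfo), so .stack must name the stack union itself */` would record the reason; confirm the wording against the x86 thread_info changes elsewhere in the patch. The `INIT_TASK_STACK \` line in `INIT_TASK` also relies on the macro supplying its own trailing comma, which deserves a short remark next to the definitions. The `INIT_TASK` initializer continues outside the hunk.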
@@ -51772,7 +51783,7 @@ diff -urNp linux-2.6.32.39/kernel/lockdep_proc.c linux-2.6.32.39/kernel/lockdep_
if (!name) {
diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
--- linux-2.6.32.39/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.39/kernel/module.c 2011-04-19 06:33:26.000000000 -0400
++++ linux-2.6.32.39/kernel/module.c 2011-04-29 18:52:40.000000000 -0400
@@ -55,6 +55,7 @@
#include <linux/async.h>
#include <linux/percpu.h>
@@ -51852,16 +51863,23 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
#ifdef CONFIG_MPU
update_protections(current->mm);
-@@ -1628,8 +1633,25 @@ static int simplify_symbols(Elf_Shdr *se
+@@ -1628,8 +1633,32 @@ static int simplify_symbols(Elf_Shdr *se
unsigned int i, n = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
int ret = 0;
const struct kernel_symbol *ksym;
+#ifdef CONFIG_GRKERNSEC_MODHARDEN
+ int is_fs_load = 0;
+ int register_filesystem_found = 0;
++ char *p;
++
++ p = strstr(mod->args, "grsec_modharden_fs");
+
-+ if (strstr(mod->args, "grsec_modharden_fs"))
++ if (p) {
++ char *endptr = p + strlen("grsec_modharden_fs");
++ /* copy \0 as well */
++ memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
+ is_fs_load = 1;
++ }
+#endif
+
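Review bot: The marker lookup in the new `if (p)` block is a plain `strstr` over all of `mod->args`, so it also matches when `grsec_modharden_fs` appears inside another parameter's value. The `memmove` would then cut that text out of the argument string the module parses later. Checking that the match starts at the beginning of the string or after whitespace, and ends at whitespace or the terminator, would keep the strip to the marker token itself. The length expression can be written more directly as `memmove(p, endptr, strlen(endptr) + 1);`, which drops the pointer-difference cast and makes the "copy \0 as well" intent obvious. The body of simplify_symbols continues outside the hunk.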
@@ -51878,7 +51896,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
switch (sym[i].st_shndx) {
case SHN_COMMON:
/* We compiled with -fno-common. These are not
-@@ -1651,7 +1673,9 @@ static int simplify_symbols(Elf_Shdr *se
+@@ -1651,7 +1680,9 @@ static int simplify_symbols(Elf_Shdr *se
strtab + sym[i].st_name, mod);
/* Ok if resolved. */
if (ksym) {
@@ -51888,7 +51906,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
break;
}
-@@ -1670,11 +1694,20 @@ static int simplify_symbols(Elf_Shdr *se
+@@ -1670,11 +1701,20 @@ static int simplify_symbols(Elf_Shdr *se
secbase = (unsigned long)mod->percpu;
else
secbase = sechdrs[sym[i].st_shndx].sh_addr;
@@ -51909,7 +51927,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
return ret;
}
-@@ -1731,11 +1764,12 @@ static void layout_sections(struct modul
+@@ -1731,11 +1771,12 @@ static void layout_sections(struct modul
|| s->sh_entsize != ~0UL
|| strstarts(secstrings + s->sh_name, ".init"))
continue;
@@ -51925,7 +51943,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
}
DEBUGP("Init section allocation order:\n");
-@@ -1748,12 +1782,13 @@ static void layout_sections(struct modul
+@@ -1748,12 +1789,13 @@ static void layout_sections(struct modul
|| s->sh_entsize != ~0UL
|| !strstarts(secstrings + s->sh_name, ".init"))
continue;
@@ -51943,7 +51961,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
}
}
-@@ -1857,9 +1892,8 @@ static int is_exported(const char *name,
+@@ -1857,9 +1899,8 @@ static int is_exported(const char *name,
/* As per nm */
static char elf_type(const Elf_Sym *sym,
@@ -51955,7 +51973,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
{
if (ELF_ST_BIND(sym->st_info) == STB_WEAK) {
if (ELF_ST_TYPE(sym->st_info) == STT_OBJECT)
-@@ -1934,7 +1968,7 @@ static unsigned long layout_symtab(struc
+@@ -1934,7 +1975,7 @@ static unsigned long layout_symtab(struc
/* Put symbol section at end of init part of module. */
symsect->sh_flags |= SHF_ALLOC;
@@ -51964,7 +51982,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
symindex) | INIT_OFFSET_MASK;
DEBUGP("\t%s\n", secstrings + symsect->sh_name);
-@@ -1951,19 +1985,19 @@ static unsigned long layout_symtab(struc
+@@ -1951,19 +1992,19 @@ static unsigned long layout_symtab(struc
}
/* Append room for core symbols at end of core part. */
@@ -51989,7 +52007,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
return symoffs;
}
-@@ -1987,12 +2021,14 @@ static void add_kallsyms(struct module *
+@@ -1987,12 +2028,14 @@ static void add_kallsyms(struct module *
mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
mod->strtab = (void *)sechdrs[strindex].sh_addr;
@@ -52006,7 +52024,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
src = mod->symtab;
*dst = *src;
for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
-@@ -2004,10 +2040,12 @@ static void add_kallsyms(struct module *
+@@ -2004,10 +2047,12 @@ static void add_kallsyms(struct module *
}
mod->core_num_syms = ndst;
@@ -52020,7 +52038,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
}
#else
static inline unsigned long layout_symtab(struct module *mod,
-@@ -2044,16 +2082,30 @@ static void dynamic_debug_setup(struct _
+@@ -2044,16 +2089,30 @@ static void dynamic_debug_setup(struct _
#endif
}
@@ -52056,7 +52074,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
}
return ret;
}
-@@ -2065,8 +2117,8 @@ static void kmemleak_load_module(struct
+@@ -2065,8 +2124,8 @@ static void kmemleak_load_module(struct
unsigned int i;
/* only scan the sections containing data */
@@ -52067,7 +52085,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
sizeof(struct module), GFP_KERNEL);
for (i = 1; i < hdr->e_shnum; i++) {
-@@ -2076,8 +2128,8 @@ static void kmemleak_load_module(struct
+@@ -2076,8 +2135,8 @@ static void kmemleak_load_module(struct
&& strncmp(secstrings + sechdrs[i].sh_name, ".bss", 4) != 0)
continue;
@@ -52078,7 +52096,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
sechdrs[i].sh_size, GFP_KERNEL);
}
}
-@@ -2263,7 +2315,7 @@ static noinline struct module *load_modu
+@@ -2263,7 +2322,7 @@ static noinline struct module *load_modu
secstrings, &stroffs, strmap);
/* Do the allocs. */
@@ -52087,7 +52105,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
/*
* The pointer to this block is stored in the module structure
* which is inside the block. Just mark it as not being a
-@@ -2274,23 +2326,47 @@ static noinline struct module *load_modu
+@@ -2274,23 +2333,47 @@ static noinline struct module *load_modu
err = -ENOMEM;
goto free_percpu;
}
@@ -52143,7 +52161,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
/* Transfer each section which specifies SHF_ALLOC */
DEBUGP("final section addresses:\n");
-@@ -2300,17 +2376,45 @@ static noinline struct module *load_modu
+@@ -2300,17 +2383,45 @@ static noinline struct module *load_modu
if (!(sechdrs[i].sh_flags & SHF_ALLOC))
continue;
@@ -52198,7 +52216,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
}
/* Module has been moved. */
-@@ -2322,7 +2426,7 @@ static noinline struct module *load_modu
+@@ -2322,7 +2433,7 @@ static noinline struct module *load_modu
mod->name);
if (!mod->refptr) {
err = -ENOMEM;
@@ -52207,7 +52225,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
}
#endif
/* Now we've moved module, initialize linked lists, etc. */
-@@ -2351,6 +2455,31 @@ static noinline struct module *load_modu
+@@ -2351,6 +2462,31 @@ static noinline struct module *load_modu
/* Set up MODINFO_ATTR fields */
setup_modinfo(mod, sechdrs, infoindex);
@@ -52239,7 +52257,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
/* Fix up syms, so that st_value is a pointer to location. */
err = simplify_symbols(sechdrs, symindex, strtab, versindex, pcpuindex,
mod);
-@@ -2431,8 +2560,8 @@ static noinline struct module *load_modu
+@@ -2431,8 +2567,8 @@ static noinline struct module *load_modu
/* Now do relocations. */
for (i = 1; i < hdr->e_shnum; i++) {
@@ -52249,7 +52267,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
/* Not a valid relocation section? */
if (info >= hdr->e_shnum)
-@@ -2493,16 +2622,15 @@ static noinline struct module *load_modu
+@@ -2493,16 +2629,15 @@ static noinline struct module *load_modu
* Do it before processing of module parameters, so the module
* can provide parameter accessor functions of its own.
*/
@@ -52272,7 +52290,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
if (section_addr(hdr, sechdrs, secstrings, "__obsparm"))
printk(KERN_WARNING "%s: Ignoring obsolete parameters\n",
mod->name);
-@@ -2546,12 +2674,16 @@ static noinline struct module *load_modu
+@@ -2546,12 +2681,16 @@ static noinline struct module *load_modu
free_unload:
module_unload_free(mod);
#if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP)
@@ -52293,7 +52311,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
/* mod will be freed with core. Don't access it beyond this line! */
free_percpu:
if (percpu)
-@@ -2653,10 +2785,12 @@ SYSCALL_DEFINE3(init_module, void __user
+@@ -2653,10 +2792,12 @@ SYSCALL_DEFINE3(init_module, void __user
mod->symtab = mod->core_symtab;
mod->strtab = mod->core_strtab;
#endif
@@ -52310,7 +52328,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
mutex_unlock(&module_mutex);
return 0;
-@@ -2687,10 +2821,16 @@ static const char *get_ksymbol(struct mo
+@@ -2687,10 +2828,16 @@ static const char *get_ksymbol(struct mo
unsigned long nextval;
/* At worse, next value is at end of module */
@@ -52330,7 +52348,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
/* Scan for closest preceeding symbol, and next symbol. (ELF
starts real symbols at 1). */
-@@ -2936,7 +3076,7 @@ static int m_show(struct seq_file *m, vo
+@@ -2936,7 +3083,7 @@ static int m_show(struct seq_file *m, vo
char buf[8];
seq_printf(m, "%s %u",
@@ -52339,7 +52357,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
print_unload_info(m, mod);
/* Informative for users. */
-@@ -2945,7 +3085,7 @@ static int m_show(struct seq_file *m, vo
+@@ -2945,7 +3092,7 @@ static int m_show(struct seq_file *m, vo
mod->state == MODULE_STATE_COMING ? "Loading":
"Live");
/* Used by oprofile and other similar tools. */
@@ -52348,7 +52366,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
/* Taints info */
if (mod->taints)
-@@ -2981,7 +3121,17 @@ static const struct file_operations proc
+@@ -2981,7 +3128,17 @@ static const struct file_operations proc
static int __init proc_modules_init(void)
{
@@ -52366,7 +52384,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
return 0;
}
module_init(proc_modules_init);
-@@ -3040,12 +3190,12 @@ struct module *__module_address(unsigned
+@@ -3040,12 +3197,12 @@ struct module *__module_address(unsigned
{
struct module *mod;
@@ -52382,7 +52400,7 @@ diff -urNp linux-2.6.32.39/kernel/module.c linux-2.6.32.39/kernel/module.c
return mod;
return NULL;
}
-@@ -3079,11 +3229,20 @@ bool is_module_text_address(unsigned lon
+@@ -3079,11 +3236,20 @@ bool is_module_text_address(unsigned lon
*/
struct module *__module_text_address(unsigned long addr)
{
@@ -58097,17 +58115,6 @@ diff -urNp linux-2.6.32.39/net/atm/resources.c linux-2.6.32.39/net/atm/resources
__AAL_STAT_ITEMS
#undef __HANDLE_ITEM
}
-diff -urNp linux-2.6.32.39/net/ax25/af_ax25.c linux-2.6.32.39/net/ax25/af_ax25.c
---- linux-2.6.32.39/net/ax25/af_ax25.c 2011-04-22 19:16:29.000000000 -0400
-+++ linux-2.6.32.39/net/ax25/af_ax25.c 2011-04-17 17:03:58.000000000 -0400
-@@ -1445,6 +1445,7 @@ static int ax25_sendmsg(struct kiocb *io
- if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_EOR|MSG_CMSG_COMPAT))
- return -EINVAL;
-
-+ memset(fsa, 0, sizeof(fsa));
- lock_sock(sk);
- ax25 = ax25_sk(sk);
-
diff -urNp linux-2.6.32.39/net/bridge/br_private.h linux-2.6.32.39/net/bridge/br_private.h
--- linux-2.6.32.39/net/bridge/br_private.h 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.39/net/bridge/br_private.h 2011-04-17 15:56:46.000000000 -0400