author | Anthony G. Basile <blueness@gentoo.org> | 2011-06-15 12:41:51 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2011-06-15 12:41:51 -0400 |
commit | f7b78ff5181a2af72e7265fbfc9268ce65a8a259 (patch) | |
tree | 7c9c8df8f1f50b425d1ce7d06c22c791399f51f6 | |
parent | Update Grsec/PaX (diff) | |
Update Grsec/PaX
2.2.2-2.6.32.41-201106132135
2.2.2-2.6.39.1-201106132135
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.2.2-2.6.32.41-201106132135.patch (renamed from 2.6.32/4420_grsecurity-2.2.2-2.6.32.41-201106071941.patch) | 247 | ||||
-rw-r--r-- | 2.6.39/0000_README | 2 | ||||
-rw-r--r-- | 2.6.39/4420_grsecurity-2.2.2-2.6.39.1-201106132135.patch (renamed from 2.6.39/4420_grsecurity-2.2.2-2.6.39.1-201106071941.patch) | 220 |
4 files changed, 423 insertions, 48 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index 3c6c9f7..1b0ab21 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -3,7 +3,7 @@ README Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.2.2-2.6.32.41-201106071941.patch +Patch: 4420_grsecurity-2.2.2-2.6.32.41-201106132135.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.41-201106071941.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.41-201106132135.patch index 3d01c9c..69e5b91 100644 --- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.41-201106071941.patch +++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.41-201106132135.patch 
@@ -50,8 +50,60 @@ diff -urNp linux-2.6.32.41/arch/alpha/kernel/module.c linux-2.6.32.41/arch/alpha for (i = 0; i < n; i++) { diff -urNp linux-2.6.32.41/arch/alpha/kernel/osf_sys.c linux-2.6.32.41/arch/alpha/kernel/osf_sys.c --- linux-2.6.32.41/arch/alpha/kernel/osf_sys.c 2011-03-27 14:31:47.000000000 -0400 -+++ linux-2.6.32.41/arch/alpha/kernel/osf_sys.c 2011-04-17 15:56:45.000000000 -0400 -@@ -1169,7 +1169,7 @@ arch_get_unmapped_area_1(unsigned long a ++++ linux-2.6.32.41/arch/alpha/kernel/osf_sys.c 2011-06-13 17:19:47.000000000 -0400 +@@ -431,7 +431,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char + return -EFAULT; + + len = namelen; +- if (namelen > 32) ++ if (len > 32) + len = 32; + + down_read(&uts_sem); +@@ -618,7 +618,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman + down_read(&uts_sem); + res = sysinfo_table[offset]; + len = strlen(res)+1; +- if (len > count) ++ if ((unsigned long)len > (unsigned long)count) + len = count; + if (copy_to_user(buf, res, len)) + err = -EFAULT; +@@ -673,7 +673,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned + return 1; + + case GSI_GET_HWRPB: +- if (nbytes < sizeof(*hwrpb)) ++ if (nbytes > sizeof(*hwrpb)) + return -EINVAL; + if (copy_to_user(buffer, hwrpb, nbytes) != 0) + return -EFAULT; +@@ -1035,6 +1035,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i + { + struct rusage r; + long ret, err; ++ unsigned int status = 0; + mm_segment_t old_fs; + + if (!ur) +@@ -1043,13 +1044,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i + old_fs = get_fs(); + + set_fs (KERNEL_DS); +- ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r); ++ ret = sys_wait4(pid, (unsigned int __user *) &status, options, ++ (struct rusage __user *) &r); + set_fs (old_fs); + + if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur))) + return -EFAULT; + + err = 0; ++ err |= put_user(status, ustatus); + err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec); + err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec); + err |= __put_user(r.ru_stime.tv_sec, 
&ur->ru_stime.tv_sec); +@@ -1169,7 +1172,7 @@ arch_get_unmapped_area_1(unsigned long a /* At this point: (!vma || addr < vma->vm_end). */ if (limit - len < addr) return -ENOMEM; @@ -60,7 +112,7 @@ diff -urNp linux-2.6.32.41/arch/alpha/kernel/osf_sys.c linux-2.6.32.41/arch/alph return addr; addr = vma->vm_end; vma = vma->vm_next; -@@ -1205,6 +1205,10 @@ arch_get_unmapped_area(struct file *filp +@@ -1205,6 +1208,10 @@ arch_get_unmapped_area(struct file *filp merely specific addresses, but regions of memory -- perhaps this feature should be incorporated into all ports? */ @@ -71,7 +123,7 @@ diff -urNp linux-2.6.32.41/arch/alpha/kernel/osf_sys.c linux-2.6.32.41/arch/alph if (addr) { addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit); if (addr != (unsigned long) -ENOMEM) -@@ -1212,8 +1216,8 @@ arch_get_unmapped_area(struct file *filp +@@ -1212,8 +1219,8 @@ arch_get_unmapped_area(struct file *filp } /* Next, try allocating at TASK_UNMAPPED_BASE. */ 
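Review bot: In the osf_wait4 hunk for arch/alpha/kernel/osf_sys.c, the added `err |= put_user(status, ustatus);` runs unconditionally, whereas the old code passed ustatus straight to sys_wait4(). If a caller may pass a NULL ustatus together with a non-NULL ur, which wait4 semantics normally permit, this copy-out would now fault and set err. It also stores the zero-initialised status when sys_wait4() itself failed. Guarding the store would keep the old behaviour for that case: `if (ustatus) err |= put_user(status, ustatus);`. How err is folded into the return value lies outside the hunk, and the same lines recur in the 2.6.39.1 osf_sys.c hunk further down.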
@@ -306,6 +358,27 @@ diff -urNp linux-2.6.32.41/arch/arm/kernel/kgdb.c linux-2.6.32.41/arch/arm/kerne #ifndef __ARMEB__ .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7} #else /* ! __ARMEB__ */ +diff -urNp linux-2.6.32.41/arch/arm/kernel/traps.c linux-2.6.32.41/arch/arm/kernel/traps.c +--- linux-2.6.32.41/arch/arm/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400 ++++ linux-2.6.32.41/arch/arm/kernel/traps.c 2011-06-13 21:31:18.000000000 -0400 +@@ -247,6 +247,8 @@ static void __die(const char *str, int e + + DEFINE_SPINLOCK(die_lock); + ++extern void gr_handle_kernel_exploit(void); ++ + /* + * This function is protected against re-entrancy. + */ +@@ -271,6 +273,8 @@ NORET_TYPE void die(const char *str, str + if (panic_on_oops) + panic("Fatal exception"); + ++ gr_handle_kernel_exploit(); ++ + do_exit(SIGSEGV); + } + diff -urNp linux-2.6.32.41/arch/arm/mach-at91/pm.c linux-2.6.32.41/arch/arm/mach-at91/pm.c --- linux-2.6.32.41/arch/arm/mach-at91/pm.c 2011-03-27 14:31:47.000000000 -0400 +++ linux-2.6.32.41/arch/arm/mach-at91/pm.c 2011-04-17 15:56:45.000000000 -0400 
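Review bot: The prototype `extern void gr_handle_kernel_exploit(void);` is written by hand inside arch/arm/kernel/traps.c instead of coming from a header, so the compiler cannot check it against the definition if the signature ever changes. The same local declaration is repeated in the powerpc traps.c and the sparc traps_32.c and traps_64.c hunks, for both 2.6.32.41 and 2.6.39.1. Declaring it once in a shared grsecurity header that these files include would keep all the call sites consistent. The definition is not visible in this diff, so whether the call compiles to nothing when GRKERNSEC_KERN_LOCKOUT is disabled cannot be confirmed from here.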
@@ -2577,6 +2650,27 @@ diff -urNp linux-2.6.32.41/arch/powerpc/kernel/sys_ppc32.c linux-2.6.32.41/arch/ } return error; } +diff -urNp linux-2.6.32.41/arch/powerpc/kernel/traps.c linux-2.6.32.41/arch/powerpc/kernel/traps.c +--- linux-2.6.32.41/arch/powerpc/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400 ++++ linux-2.6.32.41/arch/powerpc/kernel/traps.c 2011-06-13 21:33:37.000000000 -0400 +@@ -99,6 +99,8 @@ static void pmac_backlight_unblank(void) + static inline void pmac_backlight_unblank(void) { } + #endif + ++extern void gr_handle_kernel_exploit(void); ++ + int die(const char *str, struct pt_regs *regs, long err) + { + static struct { +@@ -168,6 +170,8 @@ int die(const char *str, struct pt_regs + if (panic_on_oops) + panic("Fatal exception"); + ++ gr_handle_kernel_exploit(); ++ + oops_exit(); + do_exit(err); + diff -urNp linux-2.6.32.41/arch/powerpc/kernel/vdso.c linux-2.6.32.41/arch/powerpc/kernel/vdso.c --- linux-2.6.32.41/arch/powerpc/kernel/vdso.c 2011-03-27 14:31:47.000000000 -0400 +++ linux-2.6.32.41/arch/powerpc/kernel/vdso.c 2011-04-17 15:56:45.000000000 -0400 
@@ -4257,8 +4351,17 @@ diff -urNp linux-2.6.32.41/arch/sparc/kernel/sys_sparc_64.c linux-2.6.32.41/arch } diff -urNp linux-2.6.32.41/arch/sparc/kernel/traps_32.c linux-2.6.32.41/arch/sparc/kernel/traps_32.c --- linux-2.6.32.41/arch/sparc/kernel/traps_32.c 2011-03-27 14:31:47.000000000 -0400 -+++ linux-2.6.32.41/arch/sparc/kernel/traps_32.c 2011-04-17 15:56:46.000000000 -0400 -@@ -76,7 +76,7 @@ void die_if_kernel(char *str, struct pt_ ++++ linux-2.6.32.41/arch/sparc/kernel/traps_32.c 2011-06-13 21:25:39.000000000 -0400 +@@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo + #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t") + #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t") + ++extern void gr_handle_kernel_exploit(void); ++ + void die_if_kernel(char *str, struct pt_regs *regs) + { + static int die_counter; +@@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_ count++ < 30 && (((unsigned long) rw) >= PAGE_OFFSET) && !(((unsigned long) rw) & 0x7)) { @@ -4267,9 +4370,20 @@ diff -urNp linux-2.6.32.41/arch/sparc/kernel/traps_32.c linux-2.6.32.41/arch/spa (void *) rw->ins[7]); rw = (struct reg_window32 *)rw->ins[6]; } + } + printk("Instruction DUMP:"); + instruction_dump ((unsigned long *) regs->pc); +- if(regs->psr & PSR_PS) ++ if(regs->psr & PSR_PS) { ++ gr_handle_kernel_exploit(); + do_exit(SIGKILL); ++ } + do_exit(SIGSEGV); + } + diff -urNp linux-2.6.32.41/arch/sparc/kernel/traps_64.c linux-2.6.32.41/arch/sparc/kernel/traps_64.c --- linux-2.6.32.41/arch/sparc/kernel/traps_64.c 2011-03-27 14:31:47.000000000 -0400 -+++ linux-2.6.32.41/arch/sparc/kernel/traps_64.c 2011-04-17 15:56:46.000000000 -0400 ++++ linux-2.6.32.41/arch/sparc/kernel/traps_64.c 2011-06-13 21:24:11.000000000 -0400 @@ -73,7 +73,7 @@ static void dump_tl1_traplog(struct tl1_ i + 1, p->trapstack[i].tstate, p->trapstack[i].tpc, 
@@ -4370,7 +4484,16 @@ diff -urNp linux-2.6.32.41/arch/sparc/kernel/traps_64.c linux-2.6.32.41/arch/spa } while (++count < 16); } -@@ -2260,7 +2271,7 @@ void die_if_kernel(char *str, struct pt_ +@@ -2233,6 +2244,8 @@ static inline struct reg_window *kernel_ + return (struct reg_window *) (fp + STACK_BIAS); + } + ++extern void gr_handle_kernel_exploit(void); ++ + void die_if_kernel(char *str, struct pt_regs *regs) + { + static int die_counter; +@@ -2260,7 +2273,7 @@ void die_if_kernel(char *str, struct pt_ while (rw && count++ < 30&& is_kernel_stack(current, rw)) { @@ -4379,6 +4502,19 @@ diff -urNp linux-2.6.32.41/arch/sparc/kernel/traps_64.c linux-2.6.32.41/arch/spa (void *) rw->ins[7]); rw = kernel_stack_up(rw); +@@ -2273,8 +2286,11 @@ void die_if_kernel(char *str, struct pt_ + } + user_instruction_dump ((unsigned int __user *) regs->tpc); + } +- if (regs->tstate & TSTATE_PRIV) ++ if (regs->tstate & TSTATE_PRIV) { ++ gr_handle_kernel_exploit(); + do_exit(SIGKILL); ++ } ++ + do_exit(SIGSEGV); + } + EXPORT_SYMBOL(die_if_kernel); diff -urNp linux-2.6.32.41/arch/sparc/kernel/unaligned_64.c linux-2.6.32.41/arch/sparc/kernel/unaligned_64.c --- linux-2.6.32.41/arch/sparc/kernel/unaligned_64.c 2011-03-27 14:31:47.000000000 -0400 +++ linux-2.6.32.41/arch/sparc/kernel/unaligned_64.c 2011-04-17 15:56:46.000000000 -0400 
@@ -36760,6 +36896,20 @@ diff -urNp linux-2.6.32.41/fs/btrfs/extent_io.h linux-2.6.32.41/fs/btrfs/extent_ }; struct extent_state { +diff -urNp linux-2.6.32.41/fs/btrfs/extent-tree.c linux-2.6.32.41/fs/btrfs/extent-tree.c +--- linux-2.6.32.41/fs/btrfs/extent-tree.c 2011-03-27 14:31:47.000000000 -0400 ++++ linux-2.6.32.41/fs/btrfs/extent-tree.c 2011-06-12 06:39:08.000000000 -0400 +@@ -7141,6 +7141,10 @@ static noinline int relocate_one_extent( + u64 group_start = group->key.objectid; + new_extents = kmalloc(sizeof(*new_extents), + GFP_NOFS); ++ if (!new_extents) { ++ ret = -ENOMEM; ++ goto out; ++ } + nr_extents = 1; + ret = get_new_locations(reloc_inode, + extent_key, diff -urNp linux-2.6.32.41/fs/btrfs/free-space-cache.c linux-2.6.32.41/fs/btrfs/free-space-cache.c --- linux-2.6.32.41/fs/btrfs/free-space-cache.c 2011-03-27 14:31:47.000000000 -0400 +++ linux-2.6.32.41/fs/btrfs/free-space-cache.c 2011-04-17 15:56:46.000000000 -0400 @@ -36783,7 +36933,7 @@ diff -urNp linux-2.6.32.41/fs/btrfs/free-space-cache.c linux-2.6.32.41/fs/btrfs/ ret = btrfs_bitmap_cluster(block_group, entry, cluster, diff -urNp linux-2.6.32.41/fs/btrfs/inode.c linux-2.6.32.41/fs/btrfs/inode.c --- linux-2.6.32.41/fs/btrfs/inode.c 2011-03-27 14:31:47.000000000 -0400 -+++ linux-2.6.32.41/fs/btrfs/inode.c 2011-04-17 15:56:46.000000000 -0400 ++++ linux-2.6.32.41/fs/btrfs/inode.c 2011-06-12 06:39:58.000000000 -0400 @@ -63,7 +63,7 @@ static const struct inode_operations btr static const struct address_space_operations btrfs_aops; static const struct address_space_operations btrfs_symlink_aops; 
@@ -36793,7 +36943,24 @@ diff -urNp linux-2.6.32.41/fs/btrfs/inode.c linux-2.6.32.41/fs/btrfs/inode.c static struct kmem_cache *btrfs_inode_cachep; struct kmem_cache *btrfs_trans_handle_cachep; -@@ -5410,7 +5410,7 @@ fail: +@@ -925,6 +925,7 @@ static int cow_file_range_async(struct i + 1, 0, NULL, GFP_NOFS); + while (start < end) { + async_cow = kmalloc(sizeof(*async_cow), GFP_NOFS); ++ BUG_ON(!async_cow); + async_cow->inode = inode; + async_cow->root = root; + async_cow->locked_page = locked_page; +@@ -4591,6 +4592,8 @@ static noinline int uncompress_inline(st + inline_size = btrfs_file_extent_inline_item_len(leaf, + btrfs_item_nr(leaf, path->slots[0])); + tmp = kmalloc(inline_size, GFP_NOFS); ++ if (!tmp) ++ return -ENOMEM; + ptr = btrfs_file_extent_inline_start(item); + + read_extent_buffer(leaf, tmp, ptr, inline_size); +@@ -5410,7 +5413,7 @@ fail: return -ENOMEM; } @@ -36802,7 +36969,7 @@ diff -urNp linux-2.6.32.41/fs/btrfs/inode.c linux-2.6.32.41/fs/btrfs/inode.c struct dentry *dentry, struct kstat *stat) { struct inode *inode = dentry->d_inode; -@@ -5422,6 +5422,14 @@ static int btrfs_getattr(struct vfsmount +@@ -5422,6 +5425,14 @@ static int btrfs_getattr(struct vfsmount return 0; } @@ -36817,7 +36984,7 @@ diff -urNp linux-2.6.32.41/fs/btrfs/inode.c linux-2.6.32.41/fs/btrfs/inode.c static int btrfs_rename(struct inode *old_dir, struct dentry *old_dentry, struct inode *new_dir, struct dentry *new_dentry) { -@@ -5972,7 +5980,7 @@ static const struct file_operations btrf +@@ -5972,7 +5983,7 @@ static const struct file_operations btrf .fsync = btrfs_sync_file, }; 
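Review bot: `BUG_ON(!async_cow);` in cow_file_range_async turns a failed GFP_NOFS allocation into a kernel BUG, while the uncompress_inline hunk directly below handles the same condition with `return -ENOMEM;`. The check does stop the NULL dereference at `async_cow->inode`, but memory pressure is an ordinary runtime event and the function already returns int. The rest of the while loop is outside the hunk, so it is not clear whether earlier iterations leave state that needs unwinding; if they do not, propagating -ENOMEM would be preferable. If the BUG is accepted on purpose, a comment such as `/* no safe unwind once earlier chunks are queued */` would record why.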
@@ -43625,8 +43792,8 @@ diff -urNp linux-2.6.32.41/grsecurity/gracl_alloc.c linux-2.6.32.41/grsecurity/g +} diff -urNp linux-2.6.32.41/grsecurity/gracl.c linux-2.6.32.41/grsecurity/gracl.c --- linux-2.6.32.41/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.41/grsecurity/gracl.c 2011-05-24 20:26:07.000000000 -0400 -@@ -0,0 +1,4079 @@ ++++ linux-2.6.32.41/grsecurity/gracl.c 2011-06-11 16:24:26.000000000 -0400 +@@ -0,0 +1,4085 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -43711,7 +43878,8 @@ diff -urNp linux-2.6.32.41/grsecurity/gracl.c linux-2.6.32.41/grsecurity/gracl.c +extern struct vfsmount *hugetlbfs_vfsmount; +#endif + -+static struct acl_object_label *fakefs_obj; ++static struct acl_object_label *fakefs_obj_rw; ++static struct acl_object_label *fakefs_obj_rwx; + +extern int gr_init_uidset(void); +extern void gr_free_uidset(void); @@ -44443,10 +44611,15 @@ diff -urNp linux-2.6.32.41/grsecurity/gracl.c linux-2.6.32.41/grsecurity/gracl.c + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root), real_root->d_inode->i_ino); +#endif + -+ fakefs_obj = acl_alloc(sizeof(struct acl_object_label)); -+ if (fakefs_obj == NULL) ++ fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label)); ++ if (fakefs_obj_rw == NULL) ++ return 1; ++ fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE; ++ ++ fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label)); ++ if (fakefs_obj_rwx == NULL) + return 1; -+ fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC; ++ fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC; + + subj_map_set.s_hash = + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *)); 
@@ -45454,7 +45627,7 @@ diff -urNp linux-2.6.32.41/grsecurity/gracl.c linux-2.6.32.41/grsecurity/gracl.c +#endif + /* ignore Eric Biederman */ + IS_PRIVATE(l_dentry->d_inode))) { -+ retval = fakefs_obj; ++ retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw; + goto out; + } + @@ -52261,7 +52434,7 @@ diff -urNp linux-2.6.32.41/grsecurity/grsum.c linux-2.6.32.41/grsecurity/grsum.c +} diff -urNp linux-2.6.32.41/grsecurity/Kconfig linux-2.6.32.41/grsecurity/Kconfig --- linux-2.6.32.41/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.41/grsecurity/Kconfig 2011-04-17 15:56:46.000000000 -0400 ++++ linux-2.6.32.41/grsecurity/Kconfig 2011-06-13 21:34:09.000000000 -0400 @@ -0,0 +1,1045 @@ +# +# grecurity configuration @@ -52405,7 +52578,7 @@ diff -urNp linux-2.6.32.41/grsecurity/Kconfig linux-2.6.32.41/grsecurity/Kconfig + select GRKERNSEC_MODHARDEN if (MODULES) + select GRKERNSEC_HARDEN_PTRACE + select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_KERN_LOCKOUT if (X86) ++ select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC32 || SPARC64) + select PAX + select PAX_RANDUSTACK + select PAX_ASLR @@ -52605,7 +52778,7 @@ diff -urNp linux-2.6.32.41/grsecurity/Kconfig linux-2.6.32.41/grsecurity/Kconfig + +config GRKERNSEC_KERN_LOCKOUT + bool "Active kernel exploit response" -+ depends on X86 ++ depends on X86 || ARM || PPC || SPARC32 || SPARC64 + help + If you say Y here, when a PaX alert is triggered due to suspicious + activity in the kernel (from KERNEXEC/UDEREF/USERCOPY) 
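Review bot: The new `retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;` changes the default label for objects matched by this branch from one that includes GR_EXEC to one that does not, and nothing at the use site records that. A one-line comment would make the policy change reviewable, for example `/* exec on these objects only for subjects flagged GR_SHMEXEC */`. GR_SHMEXEC is likewise added to the enum in grdefs.h without a comment; how a subject acquires the bit is not visible in this diff, so saying so next to the enum value would help keep policy tooling in step. The enclosing function starts and ends outside the hunk, and the same change appears in the 2.6.39.1 gracl.c hunk.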
@@ -55028,8 +55201,8 @@ diff -urNp linux-2.6.32.41/include/linux/gralloc.h linux-2.6.32.41/include/linux +#endif diff -urNp linux-2.6.32.41/include/linux/grdefs.h linux-2.6.32.41/include/linux/grdefs.h --- linux-2.6.32.41/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.41/include/linux/grdefs.h 2011-04-17 15:56:46.000000000 -0400 -@@ -0,0 +1,139 @@ ++++ linux-2.6.32.41/include/linux/grdefs.h 2011-06-11 16:20:26.000000000 -0400 +@@ -0,0 +1,140 @@ +#ifndef GRDEFS_H +#define GRDEFS_H + @@ -55119,7 +55292,8 @@ diff -urNp linux-2.6.32.41/include/linux/grdefs.h linux-2.6.32.41/include/linux/ + GR_PROCFIND = 0x00008000, + GR_POVERRIDE = 0x00010000, + GR_KERNELAUTH = 0x00020000, -+ GR_ATSECURE = 0x00040000 ++ GR_ATSECURE = 0x00040000, ++ GR_SHMEXEC = 0x00080000 +}; + +enum { 
@@ -66922,6 +67096,29 @@ diff -urNp linux-2.6.32.41/net/atm/resources.c linux-2.6.32.41/net/atm/resources __AAL_STAT_ITEMS #undef __HANDLE_ITEM } +diff -urNp linux-2.6.32.41/net/bluetooth/l2cap.c linux-2.6.32.41/net/bluetooth/l2cap.c +--- linux-2.6.32.41/net/bluetooth/l2cap.c 2011-03-27 14:31:47.000000000 -0400 ++++ linux-2.6.32.41/net/bluetooth/l2cap.c 2011-06-12 06:34:08.000000000 -0400 +@@ -1885,7 +1885,7 @@ static int l2cap_sock_getsockopt_old(str + err = -ENOTCONN; + break; + } +- ++ memset(&cinfo, 0, sizeof(cinfo)); + cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle; + memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3); + +diff -urNp linux-2.6.32.41/net/bluetooth/rfcomm/sock.c linux-2.6.32.41/net/bluetooth/rfcomm/sock.c +--- linux-2.6.32.41/net/bluetooth/rfcomm/sock.c 2011-03-27 14:31:47.000000000 -0400 ++++ linux-2.6.32.41/net/bluetooth/rfcomm/sock.c 2011-06-12 06:35:00.000000000 -0400 +@@ -878,6 +878,7 @@ static int rfcomm_sock_getsockopt_old(st + + l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk; + ++ memset(&cinfo, 0, sizeof(cinfo)); + cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle; + memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3); + diff -urNp linux-2.6.32.41/net/bridge/br_private.h linux-2.6.32.41/net/bridge/br_private.h --- linux-2.6.32.41/net/bridge/br_private.h 2011-03-27 14:31:47.000000000 -0400 +++ linux-2.6.32.41/net/bridge/br_private.h 2011-04-17 15:56:46.000000000 -0400 diff --git a/2.6.39/0000_README b/2.6.39/0000_README index e431fc5..f82a66c 100644 --- a/2.6.39/0000_README +++ b/2.6.39/0000_README @@ -3,7 +3,7 @@ README Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.2.2-2.6.39.1-201106071941.patch +Patch: 4420_grsecurity-2.2.2-2.6.39.1-201106132135.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity 
diff --git a/2.6.39/4420_grsecurity-2.2.2-2.6.39.1-201106071941.patch b/2.6.39/4420_grsecurity-2.2.2-2.6.39.1-201106132135.patch
index 3621970..9d35972 100644
--- a/2.6.39/4420_grsecurity-2.2.2-2.6.39.1-201106071941.patch
+++ b/2.6.39/4420_grsecurity-2.2.2-2.6.39.1-201106132135.patch
@@ -197,8 +197,60 @@ diff -urNp linux-2.6.39.1/arch/alpha/kernel/module.c linux-2.6.39.1/arch/alpha/k for (i = 0; i < n; i++) { diff -urNp linux-2.6.39.1/arch/alpha/kernel/osf_sys.c linux-2.6.39.1/arch/alpha/kernel/osf_sys.c --- linux-2.6.39.1/arch/alpha/kernel/osf_sys.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.1/arch/alpha/kernel/osf_sys.c 2011-05-22 19:36:30.000000000 -0400 -@@ -1142,7 +1142,7 @@ arch_get_unmapped_area_1(unsigned long a ++++ linux-2.6.39.1/arch/alpha/kernel/osf_sys.c 2011-06-13 17:19:07.000000000 -0400 +@@ -409,7 +409,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char + return -EFAULT; + + len = namelen; +- if (namelen > 32) ++ if (len > 32) + len = 32; + + down_read(&uts_sem); +@@ -594,7 +594,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman + down_read(&uts_sem); + res = sysinfo_table[offset]; + len = strlen(res)+1; +- if (len > count) ++ if ((unsigned long)len > (unsigned long)count) + len = count; + if (copy_to_user(buf, res, len)) + err = -EFAULT; +@@ -649,7 +649,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned + return 1; + + case GSI_GET_HWRPB: +- if (nbytes < sizeof(*hwrpb)) ++ if (nbytes > sizeof(*hwrpb)) + return -EINVAL; + if (copy_to_user(buffer, hwrpb, nbytes) != 0) + return -EFAULT; +@@ -1008,6 +1008,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i + { + struct rusage r; + long ret, err; ++ unsigned int status = 0; + mm_segment_t old_fs; + + if (!ur) +@@ -1016,13 +1017,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i + old_fs = get_fs(); + + set_fs (KERNEL_DS); +- ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r); ++ ret = sys_wait4(pid, (unsigned int __user *) &status, options, ++ (struct rusage __user *) &r); + set_fs (old_fs); + + if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur))) + return -EFAULT; + + err = 0; ++ err |= put_user(status, ustatus); + err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec); + err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec); + err |= __put_user(r.ru_stime.tv_sec, 
&ur->ru_stime.tv_sec); +@@ -1142,7 +1145,7 @@ arch_get_unmapped_area_1(unsigned long a /* At this point: (!vma || addr < vma->vm_end). */ if (limit - len < addr) return -ENOMEM; @@ -207,7 +259,7 @@ diff -urNp linux-2.6.39.1/arch/alpha/kernel/osf_sys.c linux-2.6.39.1/arch/alpha/ return addr; addr = vma->vm_end; vma = vma->vm_next; -@@ -1178,6 +1178,10 @@ arch_get_unmapped_area(struct file *filp +@@ -1178,6 +1181,10 @@ arch_get_unmapped_area(struct file *filp merely specific addresses, but regions of memory -- perhaps this feature should be incorporated into all ports? */ @@ -218,7 +270,7 @@ diff -urNp linux-2.6.39.1/arch/alpha/kernel/osf_sys.c linux-2.6.39.1/arch/alpha/ if (addr) { addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit); if (addr != (unsigned long) -ENOMEM) -@@ -1185,8 +1189,8 @@ arch_get_unmapped_area(struct file *filp +@@ -1185,8 +1192,8 @@ arch_get_unmapped_area(struct file *filp } /* Next, try allocating at TASK_UNMAPPED_BASE. */ 
@@ -682,6 +734,28 @@ diff -urNp linux-2.6.39.1/arch/arm/kernel/process.c linux-2.6.39.1/arch/arm/kern #ifdef CONFIG_MMU /* * The vectors page is always readable from user space for the +diff -urNp linux-2.6.39.1/arch/arm/kernel/traps.c linux-2.6.39.1/arch/arm/kernel/traps.c +--- linux-2.6.39.1/arch/arm/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400 ++++ linux-2.6.39.1/arch/arm/kernel/traps.c 2011-06-13 21:30:34.000000000 -0400 +@@ -258,6 +258,8 @@ static int __die(const char *str, int er + + static DEFINE_SPINLOCK(die_lock); + ++extern void gr_handle_kernel_exploit(void); ++ + /* + * This function is protected against re-entrancy. + */ +@@ -285,6 +287,9 @@ void die(const char *str, struct pt_regs + panic("Fatal exception in interrupt"); + if (panic_on_oops) + panic("Fatal exception"); ++ ++ gr_handle_kernel_exploit(); ++ + if (ret != NOTIFY_STOP) + do_exit(SIGSEGV); + } diff -urNp linux-2.6.39.1/arch/arm/mach-cns3xxx/pcie.c linux-2.6.39.1/arch/arm/mach-cns3xxx/pcie.c --- linux-2.6.39.1/arch/arm/mach-cns3xxx/pcie.c 2011-05-19 00:06:34.000000000 -0400 +++ linux-2.6.39.1/arch/arm/mach-cns3xxx/pcie.c 2011-05-22 19:36:30.000000000 -0400 
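Review bot: In the 2.6.39.1 ARM die() hunk, gr_handle_kernel_exploit() is placed ahead of the `if (ret != NOTIFY_STOP)` test, so it also runs on the path where die() returns instead of calling do_exit(). ret is assigned outside the hunk; if NOTIFY_STOP there means a notifier has already claimed the event, the lockout response would still fire for it. The 2.6.32.41 ARM hunk has no such test, so this only affects the newer tree. If the response is meant to accompany the task being killed, gate it on the same condition: `if (ret != NOTIFY_STOP) { gr_handle_kernel_exploit(); do_exit(SIGSEGV); }`.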
@@ -3959,6 +4033,27 @@ diff -urNp linux-2.6.39.1/arch/powerpc/kernel/signal_64.c linux-2.6.39.1/arch/po regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp; } else { err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]); +diff -urNp linux-2.6.39.1/arch/powerpc/kernel/traps.c linux-2.6.39.1/arch/powerpc/kernel/traps.c +--- linux-2.6.39.1/arch/powerpc/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400 ++++ linux-2.6.39.1/arch/powerpc/kernel/traps.c 2011-06-13 21:33:04.000000000 -0400 +@@ -96,6 +96,8 @@ static void pmac_backlight_unblank(void) + static inline void pmac_backlight_unblank(void) { } + #endif + ++extern void gr_handle_kernel_exploit(void); ++ + int die(const char *str, struct pt_regs *regs, long err) + { + static struct { +@@ -170,6 +172,8 @@ int die(const char *str, struct pt_regs + if (panic_on_oops) + panic("Fatal exception"); + ++ gr_handle_kernel_exploit(); ++ + oops_exit(); + do_exit(err); + diff -urNp linux-2.6.39.1/arch/powerpc/kernel/vdso.c linux-2.6.39.1/arch/powerpc/kernel/vdso.c --- linux-2.6.39.1/arch/powerpc/kernel/vdso.c 2011-05-19 00:06:34.000000000 -0400 +++ linux-2.6.39.1/arch/powerpc/kernel/vdso.c 2011-05-22 19:36:30.000000000 -0400 
@@ -5999,8 +6094,17 @@ diff -urNp linux-2.6.39.1/arch/sparc/kernel/sys_sparc_64.c linux-2.6.39.1/arch/s } diff -urNp linux-2.6.39.1/arch/sparc/kernel/traps_32.c linux-2.6.39.1/arch/sparc/kernel/traps_32.c --- linux-2.6.39.1/arch/sparc/kernel/traps_32.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.1/arch/sparc/kernel/traps_32.c 2011-05-22 19:41:32.000000000 -0400 -@@ -76,7 +76,7 @@ void die_if_kernel(char *str, struct pt_ ++++ linux-2.6.39.1/arch/sparc/kernel/traps_32.c 2011-06-13 21:29:23.000000000 -0400 +@@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo + #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t") + #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t") + ++extern void gr_handle_kernel_exploit(void); ++ + void die_if_kernel(char *str, struct pt_regs *regs) + { + static int die_counter; +@@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_ count++ < 30 && (((unsigned long) rw) >= PAGE_OFFSET) && !(((unsigned long) rw) & 0x7)) { @@ -6009,9 +6113,20 @@ diff -urNp linux-2.6.39.1/arch/sparc/kernel/traps_32.c linux-2.6.39.1/arch/sparc (void *) rw->ins[7]); rw = (struct reg_window32 *)rw->ins[6]; } + } + printk("Instruction DUMP:"); + instruction_dump ((unsigned long *) regs->pc); +- if(regs->psr & PSR_PS) ++ if(regs->psr & PSR_PS) { ++ gr_handle_kernel_exploit(); + do_exit(SIGKILL); ++ } + do_exit(SIGSEGV); + } + diff -urNp linux-2.6.39.1/arch/sparc/kernel/traps_64.c linux-2.6.39.1/arch/sparc/kernel/traps_64.c --- linux-2.6.39.1/arch/sparc/kernel/traps_64.c 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.1/arch/sparc/kernel/traps_64.c 2011-05-22 19:41:32.000000000 -0400 ++++ linux-2.6.39.1/arch/sparc/kernel/traps_64.c 2011-06-13 21:28:54.000000000 -0400 @@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_ i + 1, p->trapstack[i].tstate, p->trapstack[i].tpc, 
@@ -6119,7 +6234,16 @@ diff -urNp linux-2.6.39.1/arch/sparc/kernel/traps_64.c linux-2.6.39.1/arch/sparc graph++; } } -@@ -2254,7 +2265,7 @@ void die_if_kernel(char *str, struct pt_ +@@ -2226,6 +2237,8 @@ static inline struct reg_window *kernel_ + return (struct reg_window *) (fp + STACK_BIAS); + } + ++extern void gr_handle_kernel_exploit(void); ++ + void die_if_kernel(char *str, struct pt_regs *regs) + { + static int die_counter; +@@ -2254,7 +2267,7 @@ void die_if_kernel(char *str, struct pt_ while (rw && count++ < 30 && kstack_valid(tp, (unsigned long) rw)) { @@ -6128,6 +6252,18 @@ diff -urNp linux-2.6.39.1/arch/sparc/kernel/traps_64.c linux-2.6.39.1/arch/sparc (void *) rw->ins[7]); rw = kernel_stack_up(rw); +@@ -2267,8 +2280,10 @@ void die_if_kernel(char *str, struct pt_ + } + user_instruction_dump ((unsigned int __user *) regs->tpc); + } +- if (regs->tstate & TSTATE_PRIV) ++ if (regs->tstate & TSTATE_PRIV) { ++ gr_handle_kernel_exploit(); + do_exit(SIGKILL); ++ } + do_exit(SIGSEGV); + } + EXPORT_SYMBOL(die_if_kernel); diff -urNp linux-2.6.39.1/arch/sparc/kernel/unaligned_64.c linux-2.6.39.1/arch/sparc/kernel/unaligned_64.c --- linux-2.6.39.1/arch/sparc/kernel/unaligned_64.c 2011-05-19 00:06:34.000000000 -0400 +++ linux-2.6.39.1/arch/sparc/kernel/unaligned_64.c 2011-05-22 19:41:32.000000000 -0400 @@ -51282,8 +51418,8 @@ diff -urNp linux-2.6.39.1/grsecurity/gracl_alloc.c linux-2.6.39.1/grsecurity/gra +} diff -urNp linux-2.6.39.1/grsecurity/gracl.c linux-2.6.39.1/grsecurity/gracl.c --- linux-2.6.39.1/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.39.1/grsecurity/gracl.c 2011-05-24 20:27:30.000000000 -0400 -@@ -0,0 +1,4103 @@ ++++ linux-2.6.39.1/grsecurity/gracl.c 2011-06-11 16:26:18.000000000 -0400 +@@ -0,0 +1,4109 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> 
@@ -51368,7 +51504,8 @@ diff -urNp linux-2.6.39.1/grsecurity/gracl.c linux-2.6.39.1/grsecurity/gracl.c +extern struct vfsmount *hugetlbfs_vfsmount; +#endif + -+static struct acl_object_label *fakefs_obj; ++static struct acl_object_label *fakefs_obj_rw; ++static struct acl_object_label *fakefs_obj_rwx; + +extern int gr_init_uidset(void); +extern void gr_free_uidset(void); @@ -52112,10 +52249,15 @@ diff -urNp linux-2.6.39.1/grsecurity/gracl.c linux-2.6.39.1/grsecurity/gracl.c + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root.dentry), real_root.dentry->d_inode->i_ino); +#endif + -+ fakefs_obj = acl_alloc(sizeof(struct acl_object_label)); -+ if (fakefs_obj == NULL) ++ fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label)); ++ if (fakefs_obj_rw == NULL) ++ return 1; ++ fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE; ++ ++ fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label)); ++ if (fakefs_obj_rwx == NULL) + return 1; -+ fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC; ++ fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC; + + subj_map_set.s_hash = + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *)); @@ -53124,7 +53266,7 @@ diff -urNp linux-2.6.39.1/grsecurity/gracl.c linux-2.6.39.1/grsecurity/gracl.c +#endif + /* ignore Eric Biederman */ + IS_PRIVATE(l_dentry->d_inode))) { -+ retval = fakefs_obj; ++ retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw; + goto out; + } + @@ -59838,7 +59980,7 @@ diff -urNp linux-2.6.39.1/grsecurity/grsum.c linux-2.6.39.1/grsecurity/grsum.c +} diff -urNp linux-2.6.39.1/grsecurity/Kconfig linux-2.6.39.1/grsecurity/Kconfig --- linux-2.6.39.1/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.39.1/grsecurity/Kconfig 2011-05-22 19:41:42.000000000 -0400 ++++ linux-2.6.39.1/grsecurity/Kconfig 2011-06-13 21:34:34.000000000 -0400 @@ -0,0 +1,1045 @@ +# +# grecurity configuration 
@@ -59982,7 +60124,7 @@ diff -urNp linux-2.6.39.1/grsecurity/Kconfig linux-2.6.39.1/grsecurity/Kconfig + select GRKERNSEC_MODHARDEN if (MODULES) + select GRKERNSEC_HARDEN_PTRACE + select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_KERN_LOCKOUT if (X86) ++ select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC32 || SPARC64) + select PAX + select PAX_RANDUSTACK + select PAX_ASLR @@ -60182,7 +60324,7 @@ diff -urNp linux-2.6.39.1/grsecurity/Kconfig linux-2.6.39.1/grsecurity/Kconfig + +config GRKERNSEC_KERN_LOCKOUT + bool "Active kernel exploit response" -+ depends on X86 ++ depends on X86 || ARM || PPC || SPARC32 || SPARC64 + help + If you say Y here, when a PaX alert is triggered due to suspicious + activity in the kernel (from KERNEXEC/UDEREF/USERCOPY) @@ -62590,8 +62732,8 @@ diff -urNp linux-2.6.39.1/include/linux/gralloc.h linux-2.6.39.1/include/linux/g +#endif diff -urNp linux-2.6.39.1/include/linux/grdefs.h linux-2.6.39.1/include/linux/grdefs.h --- linux-2.6.39.1/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.39.1/include/linux/grdefs.h 2011-05-22 19:41:42.000000000 -0400 -@@ -0,0 +1,139 @@ ++++ linux-2.6.39.1/include/linux/grdefs.h 2011-06-11 16:24:51.000000000 -0400 +@@ -0,0 +1,140 @@ +#ifndef GRDEFS_H +#define GRDEFS_H + @@ -62681,7 +62823,8 @@ diff -urNp linux-2.6.39.1/include/linux/grdefs.h linux-2.6.39.1/include/linux/gr + GR_PROCFIND = 0x00008000, + GR_POVERRIDE = 0x00010000, + GR_KERNELAUTH = 0x00020000, -+ GR_ATSECURE = 0x00040000 ++ GR_ATSECURE = 0x00040000, ++ GR_SHMEXEC = 0x00080000 +}; + +enum { 
@@ -67640,6 +67783,19 @@ diff -urNp linux-2.6.39.1/kernel/hrtimer.c linux-2.6.39.1/kernel/hrtimer.c { hrtimer_peek_ahead_timers(); } +diff -urNp linux-2.6.39.1/kernel/irq/manage.c linux-2.6.39.1/kernel/irq/manage.c +--- linux-2.6.39.1/kernel/irq/manage.c 2011-05-19 00:06:34.000000000 -0400 ++++ linux-2.6.39.1/kernel/irq/manage.c 2011-06-13 17:09:06.000000000 -0400 +@@ -491,6 +491,9 @@ int irq_set_irq_wake(unsigned int irq, u + struct irq_desc *desc = irq_get_desc_buslock(irq, &flags); + int ret = 0; + ++ if (!desc) ++ return -EINVAL; ++ + /* wakeup-capable irqs can be shared between drivers that + * don't need to have the same sleep mode behaviors. + */ diff -urNp linux-2.6.39.1/kernel/jump_label.c linux-2.6.39.1/kernel/jump_label.c --- linux-2.6.39.1/kernel/jump_label.c 2011-05-19 00:06:34.000000000 -0400 +++ linux-2.6.39.1/kernel/jump_label.c 2011-05-22 19:36:33.000000000 -0400 
@@ -75604,6 +75760,28 @@ diff -urNp linux-2.6.39.1/net/batman-adv/unicast.c linux-2.6.39.1/net/batman-adv frag1->seqno = htons(seqno - 1); frag2->seqno = htons(seqno); +diff -urNp linux-2.6.39.1/net/bluetooth/l2cap_sock.c linux-2.6.39.1/net/bluetooth/l2cap_sock.c +--- linux-2.6.39.1/net/bluetooth/l2cap_sock.c 2011-05-19 00:06:34.000000000 -0400 ++++ linux-2.6.39.1/net/bluetooth/l2cap_sock.c 2011-06-12 06:36:08.000000000 -0400 +@@ -446,6 +446,7 @@ static int l2cap_sock_getsockopt_old(str + break; + } + ++ memset(&cinfo, 0, sizeof(cinfo)); + cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle; + memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3); + +diff -urNp linux-2.6.39.1/net/bluetooth/rfcomm/sock.c linux-2.6.39.1/net/bluetooth/rfcomm/sock.c +--- linux-2.6.39.1/net/bluetooth/rfcomm/sock.c 2011-05-19 00:06:34.000000000 -0400 ++++ linux-2.6.39.1/net/bluetooth/rfcomm/sock.c 2011-06-12 06:36:42.000000000 -0400 +@@ -787,6 +787,7 @@ static int rfcomm_sock_getsockopt_old(st + + l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk; + ++ memset(&cinfo, 0, sizeof(cinfo)); + cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle; + memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3); + diff -urNp linux-2.6.39.1/net/bridge/br_multicast.c linux-2.6.39.1/net/bridge/br_multicast.c --- linux-2.6.39.1/net/bridge/br_multicast.c 2011-05-19 00:06:34.000000000 -0400 +++ linux-2.6.39.1/net/bridge/br_multicast.c 2011-05-22 19:36:33.000000000 -0400 |