authorAnthony G. Basile <blueness@gentoo.org>2013-05-18 10:27:08 -0400
committerAnthony G. Basile <blueness@gentoo.org>2013-05-18 10:27:08 -0400
commitdd5cadb3a57775c892a1f648f9f16ad4696f2f44 (patch)
tree8fa67c57dd8c2dff22ac3ea39f1dc59f4181bd7b
parent Grsec/PaX: 2.9.1-{2.6.32.60,3.2.45,3.9.2}-20130514 (diff)
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.45,3.9.2}-201305172333emutramp_default_on20130517
-rw-r--r--2.6.32/0000_README8
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305162326.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305142032.patch)19
-rw-r--r--2.6.32/4475_emutramp_default_on.patch21
-rw-r--r--2.6.32/4480_check_ssp_fix.patch (renamed from 2.6.32/4475_check_ssp_fix.patch)0
-rw-r--r--3.2.45/0000_README6
-rw-r--r--3.2.45/4420_grsecurity-2.9.1-3.2.45-201305162326.patch (renamed from 3.2.45/4420_grsecurity-2.9.1-3.2.45-201305142033.patch)32
-rw-r--r--3.2.45/4475_emutramp_default_on.patch21
-rw-r--r--3.9.2/0000_README6
-rw-r--r--3.9.2/4420_grsecurity-2.9.1-3.9.2-201305172333.patch (renamed from 3.9.2/4420_grsecurity-2.9.1-3.9.2-201305142035.patch)294
-rw-r--r--3.9.2/4425_grsec_remove_EI_PAX.patch2
-rw-r--r--3.9.2/4450_grsec-kconfig-default-gids.patch8
-rw-r--r--3.9.2/4475_emutramp_default_on.patch21
12 files changed, 381 insertions, 57 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 64c91d5..755285c 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.59
-Patch: 4420_grsecurity-2.9.1-2.6.32.60-201305142032.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.60-201305162326.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
@@ -67,6 +67,10 @@ From: Gordon Malm <gengor@gentoo.org>
Kerin Millar <kerframil@gmail.com>
Desc: Disables VDSO_COMPAT operation completely
-Patch: 4475_check_ssp_fix.patch
+Patch: 4475_emutramp_default_on.patch
+From: Anthony G. Basile <blueness@gentoo.org>
+Desc: Set PAX_EMUTRAMP default on for libffi, bugs #329499 and #457194
+
+Patch: 4480_check_ssp_fix.patch
From: Magnus Granberg <zorry@gentoo.org>
Desc: Fixes kernel check script for ssp
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305142032.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305162326.patch
index f34ed36..3482354 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305142032.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305162326.patch
@@ -22024,7 +22024,7 @@ index d559af9..524c6ad 100644
* Up to this point, the boot CPU has been using .data.init
* area. Reload any changed state for the boot CPU.
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
-index 6a44a76..a9287a1 100644
+index 6a44a76..3cab8c7 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -197,7 +197,7 @@ static unsigned long align_sigframe(unsigned long sp)
@@ -22110,6 +22110,23 @@ index 6a44a76..a9287a1 100644
return;
if (current_thread_info()->status & TS_RESTORE_SIGMASK)
+@@ -799,6 +804,7 @@ static void do_signal(struct pt_regs *regs)
+
+ signr = get_signal_to_deliver(&info, &ka, regs, NULL);
+ if (signr > 0) {
++ sigset_t sigcopy = *oldset;
+ /*
+ * Re-enable any watchpoints before delivering the
+ * signal to user space. The processor register will
+@@ -809,7 +815,7 @@ static void do_signal(struct pt_regs *regs)
+ set_debugreg(current->thread.debugreg7, 7);
+
+ /* Whee! Actually deliver the signal. */
+- if (handle_signal(signr, &info, &ka, oldset, regs) == 0) {
++ if (handle_signal(signr, &info, &ka, &sigcopy, regs) == 0) {
+ /*
+ * A signal was successfully delivered; the saved
+ * sigmask will have been stored in the signal frame,
diff --git a/arch/x86/kernel/smp.c b/arch/x86/kernel/smp.c
index 29f0a78..374912c 100644
--- a/arch/x86/kernel/smp.c
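Review bot: The `sigcopy` local added to do_signal() carries no comment saying why handle_signal() now receives a stack snapshot instead of `oldset`, so a later cleanup could easily fold it back. A one-line comment above the declaration would protect it, for example `/* hand the frame code a stack copy, not a pointer into task_struct */`; that reading is inferred from the 3.2.45 hunk, where `set` points at `current->blocked` or `current->saved_sigmask`, and should be confirmed against the upstream changelog. The same applies to the `sigcopy` added to setup_rt_frame() in the 3.2.45 and 3.9.2 patches. do_signal() starts and ends outside this hunk.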
diff --git a/2.6.32/4475_emutramp_default_on.patch b/2.6.32/4475_emutramp_default_on.patch
new file mode 100644
index 0000000..2d7124b
--- /dev/null
+++ b/2.6.32/4475_emutramp_default_on.patch
@@ -0,0 +1,21 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+PAX_EMUTRAMP is needed for libffi to avoid RWX mmap-ings using PaX emulation of trampolines.
+We default PAX_EMUTRAMP='y' since almost all hardened users will want this.
+
+See bug:
+ http://bugs.gentoo.org/show_bug.cgi?id=329499
+ http://bugs.gentoo.org/show_bug.cgi?id=457194
+
+diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
+--- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400
++++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400
+@@ -424,7 +424,7 @@
+
+ config PAX_EMUTRAMP
+ bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
+- default y if PARISC
++ default y
+ help
+ There are some programs and libraries that for one reason or
+ another attempt to execute special small code snippets from
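Review bot: The new `default y` on PAX_EMUTRAMP is unconditional, while the prompt on the line above is still limited to `(PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)`. Kconfig applies a default even when the prompt is hidden, so unless a `depends on` outside this hunk restricts the symbol, it would be set on configurations where the user can neither see nor clear it. Mirroring the prompt condition keeps the stated intent: `default y if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)`. The same line appears in the 3.2.45 and 3.9.2 copies of this patch. The 2.6.32 and 3.2.45 copies also keep `linux-3.9.2-hardened` paths in their inner diff header, which is misleading when reading them.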
diff --git a/2.6.32/4475_check_ssp_fix.patch b/2.6.32/4480_check_ssp_fix.patch
index 40e0467..40e0467 100644
--- a/2.6.32/4475_check_ssp_fix.patch
+++ b/2.6.32/4480_check_ssp_fix.patch
diff --git a/3.2.45/0000_README b/3.2.45/0000_README
index 931a45e..8925c1f 100644
--- a/3.2.45/0000_README
+++ b/3.2.45/0000_README
@@ -98,7 +98,7 @@ Patch: 1044_linux-3.2.45.patch
From: http://www.kernel.org
Desc: Linux 3.2.45
-Patch: 4420_grsecurity-2.9.1-3.2.45-201305142033.patch
+Patch: 4420_grsecurity-2.9.1-3.2.45-201305162326.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
@@ -134,3 +134,7 @@ Patch: 4470_disable-compat_vdso.patch
From: Gordon Malm <gengor@gentoo.org>
Kerin Millar <kerframil@gmail.com>
Desc: Disables VDSO_COMPAT operation completely
+
+Patch: 4475_emutramp_default_on.patch
+From: Anthony G. Basile <blueness@gentoo.org>
+Desc: Set PAX_EMUTRAMP default on for libffi, bugs #329499 and #457194
diff --git a/3.2.45/4420_grsecurity-2.9.1-3.2.45-201305142033.patch b/3.2.45/4420_grsecurity-2.9.1-3.2.45-201305162326.patch
index d1995bd..3625b94 100644
--- a/3.2.45/4420_grsecurity-2.9.1-3.2.45-201305142033.patch
+++ b/3.2.45/4420_grsecurity-2.9.1-3.2.45-201305162326.patch
@@ -20806,7 +20806,7 @@ index 5a98aa2..5aa4ffc 100644
* Up to this point, the boot CPU has been using .init.data
* area. Reload any changed state for the boot CPU.
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
-index 54ddaeb2..22c3bdc 100644
+index 54ddaeb2..158e022 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsigned long sp)
@@ -20874,7 +20874,33 @@ index 54ddaeb2..22c3bdc 100644
} put_user_catch(err);
if (err)
-@@ -769,7 +772,7 @@ static void do_signal(struct pt_regs *regs)
+@@ -655,19 +658,22 @@ setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
+ {
+ int usig = signr_convert(sig);
+ sigset_t *set = &current->blocked;
++ sigset_t sigcopy;
+ int ret;
+
+ if (current_thread_info()->status & TS_RESTORE_SIGMASK)
+ set = &current->saved_sigmask;
+
++ sigcopy = *set;
++
+ /* Set up the stack frame */
+ if (is_ia32) {
+ if (ka->sa.sa_flags & SA_SIGINFO)
+- ret = ia32_setup_rt_frame(usig, ka, info, set, regs);
++ ret = ia32_setup_rt_frame(usig, ka, info, &sigcopy, regs);
+ else
+- ret = ia32_setup_frame(usig, ka, set, regs);
++ ret = ia32_setup_frame(usig, ka, &sigcopy, regs);
+ } else
+- ret = __setup_rt_frame(sig, ka, info, set, regs);
++ ret = __setup_rt_frame(sig, ka, info, &sigcopy, regs);
+
+ if (ret) {
+ force_sigsegv(sig, current);
+@@ -769,7 +775,7 @@ static void do_signal(struct pt_regs *regs)
* X86_32: vm86 regs switched out by assembly code before reaching
* here, so testing against kernel CS suffices.
*/
@@ -34972,7 +34998,7 @@ index cabc95f..14b3d77 100644
for (;;) {
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c b/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c
-index 8a8725c..afed796 100644
+index 8a8725c2..afed796 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c
@@ -151,7 +151,7 @@ int vmw_wait_lag(struct vmw_private *dev_priv,
diff --git a/3.2.45/4475_emutramp_default_on.patch b/3.2.45/4475_emutramp_default_on.patch
new file mode 100644
index 0000000..30f6978
--- /dev/null
+++ b/3.2.45/4475_emutramp_default_on.patch
@@ -0,0 +1,21 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+PAX_EMUTRAMP is needed for libffi to avoid RWX mmap-ings using PaX emulation of trampolines.
+We default PAX_EMUTRAMP='y' since almost all hardened users will want this.
+
+See bug:
+ http://bugs.gentoo.org/show_bug.cgi?id=329499
+ http://bugs.gentoo.org/show_bug.cgi?id=457194
+
+diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
+--- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400
++++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400
+@@ -428,7 +428,7 @@
+
+ config PAX_EMUTRAMP
+ bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
+- default y if PARISC
++ default y
+ help
+ There are some programs and libraries that for one reason or
+ another attempt to execute special small code snippets from
diff --git a/3.9.2/0000_README b/3.9.2/0000_README
index 8bbbbef..5853027 100644
--- a/3.9.2/0000_README
+++ b/3.9.2/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.9.2-201305142035.patch
+Patch: 4420_grsecurity-2.9.1-3.9.2-201305172333.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
@@ -38,3 +38,7 @@ Patch: 4470_disable-compat_vdso.patch
From: Gordon Malm <gengor@gentoo.org>
Kerin Millar <kerframil@gmail.com>
Desc: Disables VDSO_COMPAT operation completely
+
+Patch: 4475_emutramp_default_on.patch
+From: Anthony G. Basile <blueness@gentoo.org>
+Desc: Set PAX_EMUTRAMP default on for libffi, bugs #329499 and #457194
diff --git a/3.9.2/4420_grsecurity-2.9.1-3.9.2-201305142035.patch b/3.9.2/4420_grsecurity-2.9.1-3.9.2-201305172333.patch
index 7808b27..e39d39f 100644
--- a/3.9.2/4420_grsecurity-2.9.1-3.9.2-201305142035.patch
+++ b/3.9.2/4420_grsecurity-2.9.1-3.9.2-201305172333.patch
@@ -2028,6 +2028,19 @@ index 06e7d50..8a8e251 100644
nommu_start_thread(regs); \
})
+diff --git a/arch/arm/include/asm/psci.h b/arch/arm/include/asm/psci.h
+index ce0dbe7..c085b6f 100644
+--- a/arch/arm/include/asm/psci.h
++++ b/arch/arm/include/asm/psci.h
+@@ -29,7 +29,7 @@ struct psci_operations {
+ int (*cpu_off)(struct psci_power_state state);
+ int (*cpu_on)(unsigned long cpuid, unsigned long entry_point);
+ int (*migrate)(unsigned long cpuid);
+-};
++} __no_const;
+
+ extern struct psci_operations psci_ops;
+
diff --git a/arch/arm/include/asm/smp.h b/arch/arm/include/asm/smp.h
index d3a22be..3a69ad5 100644
--- a/arch/arm/include/asm/smp.h
@@ -2824,6 +2837,19 @@ index 047d3e4..7e96107 100644
return 0;
}
arch_initcall(gate_vma_init);
+diff --git a/arch/arm/kernel/psci.c b/arch/arm/kernel/psci.c
+index 3653164..d83e55d 100644
+--- a/arch/arm/kernel/psci.c
++++ b/arch/arm/kernel/psci.c
+@@ -24,7 +24,7 @@
+ #include <asm/opcodes-virt.h>
+ #include <asm/psci.h>
+
+-struct psci_operations psci_ops;
++struct psci_operations psci_ops __read_only;
+
+ static int (*invoke_psci_fn)(u32, u32, u32, u32);
+
diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
index 03deeff..741ce88 100644
--- a/arch/arm/kernel/ptrace.c
@@ -14276,7 +14302,7 @@ index 4cc9f2b..5fd9226 100644
/*
diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
-index 1e67223..9183226 100644
+index 1e67223..dd6e7ea 100644
--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -44,6 +44,7 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page);
@@ -14339,7 +14365,19 @@ index 1e67223..9183226 100644
static inline int pte_dirty(pte_t pte)
{
return pte_flags(pte) & _PAGE_DIRTY;
-@@ -200,9 +240,29 @@ static inline pte_t pte_wrprotect(pte_t pte)
+@@ -147,6 +187,11 @@ static inline unsigned long pud_pfn(pud_t pud)
+ return (pud_val(pud) & PTE_PFN_MASK) >> PAGE_SHIFT;
+ }
+
++static inline unsigned long pgd_pfn(pgd_t pgd)
++{
++ return (pgd_val(pgd) & PTE_PFN_MASK) >> PAGE_SHIFT;
++}
++
+ #define pte_page(pte) pfn_to_page(pte_pfn(pte))
+
+ static inline int pmd_large(pmd_t pte)
+@@ -200,9 +245,29 @@ static inline pte_t pte_wrprotect(pte_t pte)
return pte_clear_flags(pte, _PAGE_RW);
}
@@ -14370,7 +14408,7 @@ index 1e67223..9183226 100644
}
static inline pte_t pte_mkdirty(pte_t pte)
-@@ -394,6 +454,15 @@ pte_t *populate_extra_pte(unsigned long vaddr);
+@@ -394,6 +459,15 @@ pte_t *populate_extra_pte(unsigned long vaddr);
#endif
#ifndef __ASSEMBLY__
@@ -14386,7 +14424,25 @@ index 1e67223..9183226 100644
#include <linux/mm_types.h>
#include <linux/log2.h>
-@@ -584,7 +653,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address)
+@@ -529,7 +603,7 @@ static inline unsigned long pud_page_vaddr(pud_t pud)
+ * Currently stuck as a macro due to indirect forward reference to
+ * linux/mmzone.h's __section_mem_map_addr() definition:
+ */
+-#define pud_page(pud) pfn_to_page(pud_val(pud) >> PAGE_SHIFT)
++#define pud_page(pud) pfn_to_page((pud_val(pud) & PTE_PFN_MASK) >> PAGE_SHIFT)
+
+ /* Find an entry in the second-level page table.. */
+ static inline pmd_t *pmd_offset(pud_t *pud, unsigned long address)
+@@ -569,7 +643,7 @@ static inline unsigned long pgd_page_vaddr(pgd_t pgd)
+ * Currently stuck as a macro due to indirect forward reference to
+ * linux/mmzone.h's __section_mem_map_addr() definition:
+ */
+-#define pgd_page(pgd) pfn_to_page(pgd_val(pgd) >> PAGE_SHIFT)
++#define pgd_page(pgd) pfn_to_page((pgd_val(pgd) & PTE_PFN_MASK) >> PAGE_SHIFT)
+
+ /* to find an entry in a page-table-directory. */
+ static inline unsigned long pud_index(unsigned long address)
+@@ -584,7 +658,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address)
static inline int pgd_bad(pgd_t pgd)
{
@@ -14395,7 +14451,7 @@ index 1e67223..9183226 100644
}
static inline int pgd_none(pgd_t pgd)
-@@ -607,7 +676,12 @@ static inline int pgd_none(pgd_t pgd)
+@@ -607,7 +681,12 @@ static inline int pgd_none(pgd_t pgd)
* pgd_offset() returns a (pgd_t *)
* pgd_index() is used get the offset into the pgd page's array of pgd_t's;
*/
@@ -14409,7 +14465,7 @@ index 1e67223..9183226 100644
/*
* a shortcut which implies the use of the kernel's pgd, instead
* of a process's
-@@ -618,6 +692,22 @@ static inline int pgd_none(pgd_t pgd)
+@@ -618,6 +697,22 @@ static inline int pgd_none(pgd_t pgd)
#define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
#define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
@@ -14432,7 +14488,7 @@ index 1e67223..9183226 100644
#ifndef __ASSEMBLY__
extern int direct_gbpages;
-@@ -784,11 +874,24 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm,
+@@ -784,11 +879,24 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm,
* dst and src can be on the same page, but the range must not overlap,
* and must not cross a page boundary.
*/
@@ -22547,7 +22603,7 @@ index 5cdff03..80fa283 100644
* Up to this point, the boot CPU has been using .init.data
* area. Reload any changed state for the boot CPU.
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
-index 6956299..6797253 100644
+index 6956299..f20beae 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -196,7 +196,7 @@ static unsigned long align_sigframe(unsigned long sp)
@@ -22601,6 +22657,29 @@ index 6956299..6797253 100644
} put_user_catch(err);
err |= copy_siginfo_to_user(&frame->info, &ksig->info);
+@@ -615,7 +618,12 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs)
+ {
+ int usig = signr_convert(ksig->sig);
+ sigset_t *set = sigmask_to_save();
+- compat_sigset_t *cset = (compat_sigset_t *) set;
++ sigset_t sigcopy;
++ compat_sigset_t *cset;
++
++ sigcopy = *set;
++
++ cset = (compat_sigset_t *) &sigcopy;
+
+ /* Set up the stack frame */
+ if (is_ia32_frame()) {
+@@ -626,7 +634,7 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs)
+ } else if (is_x32_frame()) {
+ return x32_setup_rt_frame(ksig, cset, regs);
+ } else {
+- return __setup_rt_frame(ksig->sig, ksig, set, regs);
++ return __setup_rt_frame(ksig->sig, ksig, &sigcopy, regs);
+ }
+ }
+
diff --git a/arch/x86/kernel/smp.c b/arch/x86/kernel/smp.c
index 48d2b7d..90d328a 100644
--- a/arch/x86/kernel/smp.c
@@ -22953,7 +23032,7 @@ index 0000000..207bec6
+ return addr;
+}
diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
-index dbded5a..7916f74 100644
+index dbded5a..ace2781 100644
--- a/arch/x86/kernel/sys_x86_64.c
+++ b/arch/x86/kernel/sys_x86_64.c
@@ -81,8 +81,8 @@ out:
@@ -23020,7 +23099,7 @@ index dbded5a..7916f74 100644
/* requested length too big for entire address space */
if (len > TASK_SIZE)
-@@ -161,6 +167,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -161,12 +167,15 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
if (!test_thread_flag(TIF_ADDR32) && (flags & MAP_32BIT))
goto bottomup;
@@ -23031,7 +23110,14 @@ index dbded5a..7916f74 100644
/* requesting a specific address */
if (addr) {
addr = PAGE_ALIGN(addr);
-@@ -176,6 +186,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+ vma = find_vma(mm, addr);
+- if (TASK_SIZE - len >= addr &&
+- (!vma || addr + len <= vma->vm_start))
++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
+ return addr;
+ }
+
+@@ -176,6 +185,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
info.high_limit = mm->mmap_base;
info.align_mask = filp ? get_align_mask() : 0;
info.align_offset = pgoff << PAGE_SHIFT;
@@ -35917,7 +36003,7 @@ index 4640adb..e1384ed 100644
for (;;) {
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c b/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c
-index 8a8725c..afed796 100644
+index 8a8725c2..afed796 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c
@@ -151,7 +151,7 @@ int vmw_wait_lag(struct vmw_private *dev_priv,
@@ -36111,6 +36197,55 @@ index a14f634..2916ee2 100644
int err;
/* Set up read-only sensors */
+diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c
+index 9add6092..ee7ba3f 100644
+--- a/drivers/hwmon/pmbus/pmbus_core.c
++++ b/drivers/hwmon/pmbus/pmbus_core.c
+@@ -781,7 +781,7 @@ static int pmbus_add_attribute(struct pmbus_data *data, struct attribute *attr)
+ return 0;
+ }
+
+-static void pmbus_dev_attr_init(struct device_attribute *dev_attr,
++static void pmbus_dev_attr_init(device_attribute_no_const *dev_attr,
+ const char *name,
+ umode_t mode,
+ ssize_t (*show)(struct device *dev,
+@@ -798,7 +798,7 @@ static void pmbus_dev_attr_init(struct device_attribute *dev_attr,
+ dev_attr->store = store;
+ }
+
+-static void pmbus_attr_init(struct sensor_device_attribute *a,
++static void pmbus_attr_init(sensor_device_attribute_no_const *a,
+ const char *name,
+ umode_t mode,
+ ssize_t (*show)(struct device *dev,
+@@ -820,7 +820,7 @@ static int pmbus_add_boolean(struct pmbus_data *data,
+ u16 reg, u8 mask)
+ {
+ struct pmbus_boolean *boolean;
+- struct sensor_device_attribute *a;
++ sensor_device_attribute_no_const *a;
+
+ boolean = devm_kzalloc(data->dev, sizeof(*boolean), GFP_KERNEL);
+ if (!boolean)
+@@ -845,7 +845,7 @@ static struct pmbus_sensor *pmbus_add_sensor(struct pmbus_data *data,
+ bool update, bool readonly)
+ {
+ struct pmbus_sensor *sensor;
+- struct device_attribute *a;
++ device_attribute_no_const *a;
+
+ sensor = devm_kzalloc(data->dev, sizeof(*sensor), GFP_KERNEL);
+ if (!sensor)
+@@ -876,7 +876,7 @@ static int pmbus_add_label(struct pmbus_data *data,
+ const char *lstring, int index)
+ {
+ struct pmbus_label *label;
+- struct device_attribute *a;
++ device_attribute_no_const *a;
+
+ label = devm_kzalloc(data->dev, sizeof(*label), GFP_KERNEL);
+ if (!label)
diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c
index 2507f90..1645765 100644
--- a/drivers/hwmon/sht15.c
@@ -37129,7 +37264,7 @@ index 7c11ff3..5b2d7a7 100644
bool setup_remapped_irq(int irq, struct irq_cfg *cfg, struct irq_chip *chip)
diff --git a/drivers/irqchip/irq-gic.c b/drivers/irqchip/irq-gic.c
-index fc6aebf..94d5248 100644
+index fc6aebf..762c5f5 100644
--- a/drivers/irqchip/irq-gic.c
+++ b/drivers/irqchip/irq-gic.c
@@ -83,7 +83,7 @@ static u8 gic_cpu_map[NR_GIC_CPU_IF] __read_mostly;
@@ -37137,7 +37272,7 @@ index fc6aebf..94d5248 100644
* Default make them NULL.
*/
-struct irq_chip gic_arch_extn = {
-+irq_chip_no_const gic_arch_extn __read_only = {
++irq_chip_no_const gic_arch_extn = {
.irq_eoi = NULL,
.irq_mask = NULL,
.irq_unmask = NULL,
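Review bot: Dropping `__read_only` from `gic_arch_extn` leaves a table of irq_chip callbacks in ordinary writable data, and nothing in the hunk records why the protection was removed. The surrounding comment ("Default make them NULL.") suggests platform code fills these slots in later, which is presumably the reason. A short comment on the definition would stop someone re-adding the attribute and would make the exposure explicit, for example `/* not __read_only: platform code assigns these callbacks at run time */`. The initializer continues outside the hunk.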
@@ -39318,6 +39453,50 @@ index fbe5363..266b4e3 100644
fifo->mempool =
__vxge_hw_mempool_create(vpath->hldev,
fifo->config->memblock_size,
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
+index 5c033f2..7bbb0d8 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
+@@ -1894,7 +1894,9 @@ int qlcnic_83xx_config_default_opmode(struct qlcnic_adapter *adapter)
+ op_mode = QLCRDX(ahw, QLC_83XX_DRV_OP_MODE);
+
+ if (op_mode == QLC_83XX_DEFAULT_OPMODE) {
+- adapter->nic_ops->init_driver = qlcnic_83xx_init_default_driver;
++ pax_open_kernel();
++ *(void **)&adapter->nic_ops->init_driver = qlcnic_83xx_init_default_driver;
++ pax_close_kernel();
+ ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry;
+ } else {
+ return -EIO;
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c
+index b0c3de9..fc5857e 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c
+@@ -200,15 +200,21 @@ int qlcnic_83xx_config_vnic_opmode(struct qlcnic_adapter *adapter)
+ if (priv_level == QLCNIC_NON_PRIV_FUNC) {
+ ahw->op_mode = QLCNIC_NON_PRIV_FUNC;
+ ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry;
+- nic_ops->init_driver = qlcnic_83xx_init_non_privileged_vnic;
++ pax_open_kernel();
++ *(void **)&nic_ops->init_driver = qlcnic_83xx_init_non_privileged_vnic;
++ pax_close_kernel();
+ } else if (priv_level == QLCNIC_PRIV_FUNC) {
+ ahw->op_mode = QLCNIC_PRIV_FUNC;
+ ahw->idc.state_entry = qlcnic_83xx_idc_vnic_pf_entry;
+- nic_ops->init_driver = qlcnic_83xx_init_privileged_vnic;
++ pax_open_kernel();
++ *(void **)&nic_ops->init_driver = qlcnic_83xx_init_privileged_vnic;
++ pax_close_kernel();
+ } else if (priv_level == QLCNIC_MGMT_FUNC) {
+ ahw->op_mode = QLCNIC_MGMT_FUNC;
+ ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry;
+- nic_ops->init_driver = qlcnic_83xx_init_mgmt_vnic;
++ pax_open_kernel();
++ *(void **)&nic_ops->init_driver = qlcnic_83xx_init_mgmt_vnic;
++ pax_close_kernel();
+ } else {
+ return -EIO;
+ }
diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
index 15ba8c4..3f56838 100644
--- a/drivers/net/ethernet/realtek/r8169.c
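Review bot: The `*(void **)&nic_ops->init_driver = ...` stores discard the function-pointer type, so the compiler no longer checks the handler against init_driver's signature. This affects the three stores in qlcnic_83xx_config_vnic_opmode() and the one in qlcnic_83xx_config_default_opmode(). None of the four `pax_open_kernel()` / `pax_close_kernel()` windows says why the write needs one. A comment at the first site would help, for example `/* nic_ops is constified; write the slot inside a pax_open_kernel() window */`. Keeping each window to the single store, as done here, is the right shape. Both functions start and end outside the hunk.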
@@ -40628,6 +40807,19 @@ index 0b00947..64f7c0a 100644
proc_create("devices", 0, proc_bus_pci_dir,
&proc_bus_pci_dev_operations);
proc_initialized = 1;
+diff --git a/drivers/platform/x86/chromeos_laptop.c b/drivers/platform/x86/chromeos_laptop.c
+index 3e5b4497..dcdfb70 100644
+--- a/drivers/platform/x86/chromeos_laptop.c
++++ b/drivers/platform/x86/chromeos_laptop.c
+@@ -301,7 +301,7 @@ static int __init setup_tsl2563_als(const struct dmi_system_id *id)
+ return 0;
+ }
+
+-static struct dmi_system_id __initdata chromeos_laptop_dmi_table[] = {
++static struct dmi_system_id __initconst chromeos_laptop_dmi_table[] = {
+ {
+ .ident = "Samsung Series 5 550 - Touchpad",
+ .matches = {
diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
index 6b22938..bc9700e 100644
--- a/drivers/platform/x86/msi-laptop.c
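Review bot: `chromeos_laptop_dmi_table` is moved to `__initconst` without being declared `const`, so the declaration is only consistent if something else (presumably the constify plugin) makes `struct dmi_system_id` const. Built without that, a non-const object in the init read-only section can trigger a section type conflict. Spelling the qualifier out works either way: `static const struct dmi_system_id chromeos_laptop_dmi_table[] __initconst = {`. The table body continues outside the hunk.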
@@ -52386,27 +52578,9 @@ index a6597d6..41b30ec 100644
/*
diff --git a/fs/jfs/super.c b/fs/jfs/super.c
-index 2003e83..5e1975d 100644
+index 2003e83..40db287 100644
--- a/fs/jfs/super.c
+++ b/fs/jfs/super.c
-@@ -225,7 +225,7 @@ static const match_table_t tokens = {
- static int parse_options(char *options, struct super_block *sb, s64 *newLVSize,
- int *flag)
- {
-- void *nls_map = (void *)-1; /* -1: no change; NULL: none */
-+ const void *nls_map = (const void *)-1; /* -1: no change; NULL: none */
- char *p;
- struct jfs_sb_info *sbi = JFS_SBI(sb);
-
-@@ -253,7 +253,7 @@ static int parse_options(char *options, struct super_block *sb, s64 *newLVSize,
- /* Don't do anything ;-) */
- break;
- case Opt_iocharset:
-- if (nls_map && nls_map != (void *) -1)
-+ if (nls_map && nls_map != (const void *) -1)
- unload_nls(nls_map);
- if (!strcmp(args[0].from, "none"))
- nls_map = NULL;
@@ -856,7 +856,7 @@ static int __init init_jfs_fs(void)
jfs_inode_cachep =
@@ -68845,11 +69019,15 @@ index bc4e066..50468a9 100644
/*
* irq_chip specific flags
diff --git a/include/linux/irqchip/arm-gic.h b/include/linux/irqchip/arm-gic.h
-index 3fd8e42..d5403e1 100644
+index 3fd8e42..a73e966 100644
--- a/include/linux/irqchip/arm-gic.h
+++ b/include/linux/irqchip/arm-gic.h
-@@ -61,7 +61,7 @@
+@@ -59,9 +59,11 @@
+ #ifndef __ASSEMBLY__
+
++#include <linux/irq.h>
++
struct device_node;
-extern struct irq_chip gic_arch_extn;
@@ -72219,6 +72397,19 @@ index b797e8f..8e2c3aa 100644
/**
+diff --git a/include/sound/compress_driver.h b/include/sound/compress_driver.h
+index ff6c741..393815f 100644
+--- a/include/sound/compress_driver.h
++++ b/include/sound/compress_driver.h
+@@ -130,7 +130,7 @@ struct snd_compr_ops {
+ struct snd_compr_caps *caps);
+ int (*get_codec_caps) (struct snd_compr_stream *stream,
+ struct snd_compr_codec_caps *codec);
+-};
++} __no_const;
+
+ /**
+ * struct snd_compr: Compressed device
diff --git a/include/sound/soc.h b/include/sound/soc.h
index a6a059c..2243336 100644
--- a/include/sound/soc.h
@@ -87228,7 +87419,7 @@ index 5b1e5af..2358147 100644
return res;
}
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
-index 843d8c4..6e0a0ff 100644
+index 843d8c4..cb04fa1 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -799,7 +799,7 @@ static int ieee80211_set_monitor_channel(struct wiphy *wiphy,
@@ -87255,8 +87446,8 @@ index 843d8c4..6e0a0ff 100644
ret = 0;
- } else if (local->open_count > 0 &&
- local->open_count == local->monitors &&
-+ } else if (atomic_read(&local->open_count) > 0 &&
-+ atomic_read(&local->open_count) == local->monitors &&
++ } else if (local_read(&local->open_count) > 0 &&
++ local_read(&local->open_count) == local->monitors &&
sdata->vif.type == NL80211_IFTYPE_MONITOR) {
if (local->use_chanctx)
*chandef = local->monitor_chandef;
@@ -90177,10 +90368,10 @@ index f5eb43d..1814de8 100644
shdr = (Elf_Shdr *)((char *)ehdr + _r(&ehdr->e_shoff));
shstrtab_sec = shdr + r2(&ehdr->e_shstrndx);
diff --git a/security/Kconfig b/security/Kconfig
-index e9c6ac7..eef8ada 100644
+index e9c6ac7..e6254cf 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,943 @@
+@@ -4,6 +4,944 @@
menu "Security options"
@@ -90214,6 +90405,7 @@ index e9c6ac7..eef8ada 100644
+ select CRYPTO_SHA256
+ select PROC_FS
+ select STOP_MACHINE
++ select TTY
+ help
+ If you say Y here, you will be able to configure many features
+ that will enhance the security of your system. It is highly
@@ -91124,7 +91316,7 @@ index e9c6ac7..eef8ada 100644
source security/keys/Kconfig
config SECURITY_DMESG_RESTRICT
-@@ -103,7 +1040,7 @@ config INTEL_TXT
+@@ -103,7 +1041,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
@@ -92082,6 +92274,19 @@ index 22056c5..25d3244 100644
chip->card = card;
chip->pci = pci;
chip->irq = -1;
+diff --git a/sound/soc/fsl/fsl_ssi.c b/sound/soc/fsl/fsl_ssi.c
+index 7decbd9..d17d9d0 100644
+--- a/sound/soc/fsl/fsl_ssi.c
++++ b/sound/soc/fsl/fsl_ssi.c
+@@ -643,7 +643,7 @@ static int fsl_ssi_probe(struct platform_device *pdev)
+ {
+ struct fsl_ssi_private *ssi_private;
+ int ret = 0;
+- struct device_attribute *dev_attr = NULL;
++ device_attribute_no_const *dev_attr = NULL;
+ struct device_node *np = pdev->dev.of_node;
+ const char *p, *sprop;
+ const uint32_t *iprop;
diff --git a/tools/gcc/.gitignore b/tools/gcc/.gitignore
new file mode 100644
index 0000000..50f2f2f
@@ -102415,10 +102620,10 @@ index 0000000..ac2901e
+}
diff --git a/tools/gcc/structleak_plugin.c b/tools/gcc/structleak_plugin.c
new file mode 100644
-index 0000000..b07fe22
+index 0000000..4fae911
--- /dev/null
+++ b/tools/gcc/structleak_plugin.c
-@@ -0,0 +1,276 @@
+@@ -0,0 +1,277 @@
+/*
+ * Copyright 2013 by PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -102559,11 +102764,12 @@ index 0000000..b07fe22
+ // first check if the variable is already initialized, warn otherwise
+ for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
+ gimple stmt = gsi_stmt(gsi);
-+ tree rhs1 = gimple_assign_rhs1(stmt);
++ tree rhs1;
+
+ // we're looking for an assignment of a single rhs...
+ if (!gimple_assign_single_p(stmt))
+ continue;
++ rhs1 = gimple_assign_rhs1(stmt);
+#if BUILDING_GCC_VERSION >= 4007
+ // ... of a non-clobbering expression...
+ if (TREE_CLOBBER_P(rhs1))
diff --git a/3.9.2/4425_grsec_remove_EI_PAX.patch b/3.9.2/4425_grsec_remove_EI_PAX.patch
index 7d06ac2..415fda5 100644
--- a/3.9.2/4425_grsec_remove_EI_PAX.patch
+++ b/3.9.2/4425_grsec_remove_EI_PAX.patch
@@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600
diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig
--- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500
+++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500
-@@ -265,7 +265,7 @@
+@@ -266,7 +266,7 @@
config PAX_EI_PAX
bool 'Use legacy ELF header marking'
diff --git a/3.9.2/4450_grsec-kconfig-default-gids.patch b/3.9.2/4450_grsec-kconfig-default-gids.patch
index 6f5b79b..190e85d 100644
--- a/3.9.2/4450_grsec-kconfig-default-gids.patch
+++ b/3.9.2/4450_grsec-kconfig-default-gids.patch
@@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
diff -Nuar a/security/Kconfig b/security/Kconfig
--- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400
+++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400
-@@ -193,7 +193,7 @@
+@@ -194,7 +194,7 @@
config GRKERNSEC_PROC_GID
int "GID exempted from /proc restrictions"
@@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines which group will be exempted from
grsecurity's /proc restrictions, allowing users of the specified
-@@ -204,7 +204,7 @@
+@@ -205,7 +205,7 @@
config GRKERNSEC_TPE_UNTRUSTED_GID
int "GID for TPE-untrusted users"
depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines which group untrusted users should
be added to. These users will be placed under grsecurity's Trusted Path
-@@ -216,7 +216,7 @@
+@@ -217,7 +217,7 @@
config GRKERNSEC_TPE_TRUSTED_GID
int "GID for TPE-trusted users"
depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -225,7 +225,7 @@
+@@ -226,7 +226,7 @@
config GRKERNSEC_SYMLINKOWN_GID
int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
depends on GRKERNSEC_CONFIG_SERVER
diff --git a/3.9.2/4475_emutramp_default_on.patch b/3.9.2/4475_emutramp_default_on.patch
new file mode 100644
index 0000000..27bfc2d
--- /dev/null
+++ b/3.9.2/4475_emutramp_default_on.patch
@@ -0,0 +1,21 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+PAX_EMUTRAMP is needed for libffi to avoid RWX mmap-ings using PaX emulation of trampolines.
+We default PAX_EMUTRAMP='y' since almost all hardened users will want this.
+
+See bug:
+ http://bugs.gentoo.org/show_bug.cgi?id=329499
+ http://bugs.gentoo.org/show_bug.cgi?id=457194
+
+diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
+--- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400
++++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400
+@@ -429,7 +429,7 @@
+
+ config PAX_EMUTRAMP
+ bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
+- default y if PARISC
++ default y
+ help
+ There are some programs and libraries that for one reason or
+ another attempt to execute special small code snippets from