Grsec/PaX: 3.0-{3.2.58,3.14.3}-20140510194720140510

author: Anthony G. Basile <blueness@gentoo.org> 2014-05-11 07:55:06 -0400
committer: Anthony G. Basile <blueness@gentoo.org> 2014-05-11 07:55:06 -0400
commit: c93aa17d5126ba7c50c7e204d699491674712983 (patch)
tree: 3e000ab025c3dcbdee1354d3937a276510ebbcfd
parent: Grsec/PaX: 3.0-{3.2.58,3.14.3}-201405092337 (diff)
download: hardened-patchset-20140510.tar.gz
hardened-patchset-20140510.tar.bz2
hardened-patchset-20140510.zip
4 files changed, 368 insertions, 81 deletions
diff --git a/3.14.3/0000_README b/3.14.3/0000_README
index 108ad48..4ea0a4a 100644
--- a/3.14.3/0000_README
+++ b/3.14.3/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.0-3.14.3-201405092337.patch
+Patch:	4420_grsecurity-3.0-3.14.3-201405101947.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch b/3.14.3/4420_grsecurity-3.0-3.14.3-201405101947.patch
index 4e0c19f..d17eca9 100644
--- a/3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch
+++ b/3.14.3/4420_grsecurity-3.0-3.14.3-201405101947.patch
@@ -6784,7 +6784,7 @@ index 44a1f79..2bd6aa3 100644
  
  void __init gt641xx_irq_init(void)
 diff --git a/arch/mips/kernel/irq.c b/arch/mips/kernel/irq.c
-index d1fea7a..45602ea 100644
+index d1fea7a..2e591b0 100644
 --- a/arch/mips/kernel/irq.c
 +++ b/arch/mips/kernel/irq.c
 @@ -77,17 +77,17 @@ void ack_bad_irq(unsigned int irq)
@@ -6808,6 +6808,25 @@ index d1fea7a..45602ea 100644
  }
  
  void __init init_IRQ(void)
+@@ -110,7 +110,10 @@ void __init init_IRQ(void)
+ #endif
+ }
+ 
++
+ #ifdef DEBUG_STACKOVERFLOW
++extern void gr_handle_kernel_exploit(void);
++
+ static inline void check_stack_overflow(void)
+ {
+ 	unsigned long sp;
+@@ -126,6 +129,7 @@ static inline void check_stack_overflow(void)
+ 		printk("do_IRQ: stack overflow: %ld\n",
+ 		       sp - sizeof(struct thread_info));
+ 		dump_stack();
++		gr_handle_kernel_exploit();
+ 	}
+ }
+ #else
 diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
 index 6ae540e..b7396dc 100644
 --- a/arch/mips/kernel/process.c
@@ -8435,6 +8454,27 @@ index 38d5073..f00af8d 100644
  	mr	r5,r3
  	addi	r3,r1,STACK_FRAME_OVERHEAD
  	lwz	r4,_DAR(r1)
+diff --git a/arch/powerpc/kernel/irq.c b/arch/powerpc/kernel/irq.c
+index 1d0848b..d74685f 100644
+--- a/arch/powerpc/kernel/irq.c
++++ b/arch/powerpc/kernel/irq.c
+@@ -447,6 +447,8 @@ void migrate_irqs(void)
+ }
+ #endif
+ 
++extern void gr_handle_kernel_exploit(void);
++
+ static inline void check_stack_overflow(void)
+ {
+ #ifdef CONFIG_DEBUG_STACKOVERFLOW
+@@ -459,6 +461,7 @@ static inline void check_stack_overflow(void)
+ 		printk("do_IRQ: stack overflow: %ld\n",
+ 			sp - sizeof(struct thread_info));
+ 		dump_stack();
++		gr_handle_kernel_exploit();
+ 	}
+ #endif
+ }
 diff --git a/arch/powerpc/kernel/module_32.c b/arch/powerpc/kernel/module_32.c
 index 6cff040..74ac5d1 100644
 --- a/arch/powerpc/kernel/module_32.c
@@ -21668,7 +21708,7 @@ index d9c12d3..7858b62 100644
  
  	if (__die(str, regs, err))
 diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c
-index f2a1770..540657f 100644
+index f2a1770..10fa52d 100644
 --- a/arch/x86/kernel/dumpstack_32.c
 +++ b/arch/x86/kernel/dumpstack_32.c
 @@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
@@ -21746,7 +21786,7 @@ index f2a1770..540657f 100644
  	return ud2 == 0x0b0f;
  }
 +
-+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
++#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
 +void pax_check_alloca(unsigned long size)
 +{
 +	unsigned long sp = (unsigned long)&sp, stack_left;
@@ -21758,7 +21798,7 @@ index f2a1770..540657f 100644
 +EXPORT_SYMBOL(pax_check_alloca);
 +#endif
 diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
-index addb207..99635fa 100644
+index addb207..921706b 100644
 --- a/arch/x86/kernel/dumpstack_64.c
 +++ b/arch/x86/kernel/dumpstack_64.c
 @@ -119,9 +119,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
@@ -21827,7 +21867,7 @@ index addb207..99635fa 100644
  	return ud2 == 0x0b0f;
  }
 +
-+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
++#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
 +void pax_check_alloca(unsigned long size)
 +{
 +	unsigned long sp = (unsigned long)&sp, stack_start, stack_end;
@@ -24891,10 +24931,19 @@ index d99f31d..1c0f466 100644
  }
  
 diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c
-index d7fcbed..1f747f7 100644
+index d7fcbed..96e715a 100644
 --- a/arch/x86/kernel/irq_32.c
 +++ b/arch/x86/kernel/irq_32.c
-@@ -39,7 +39,7 @@ static int check_stack_overflow(void)
+@@ -29,6 +29,8 @@ EXPORT_PER_CPU_SYMBOL(irq_regs);
+ 
+ #ifdef CONFIG_DEBUG_STACKOVERFLOW
+ 
++extern void gr_handle_kernel_exploit(void);
++
+ int sysctl_panic_on_stackoverflow __read_mostly;
+ 
+ /* Debugging check for stack overflow: is there less than 1KB free? */
+@@ -39,13 +41,14 @@ static int check_stack_overflow(void)
  	__asm__ __volatile__("andl %%esp,%0" :
  			     "=r" (sp) : "0" (THREAD_SIZE - 1));
  
@@ -24903,7 +24952,14 @@ index d7fcbed..1f747f7 100644
  }
  
  static void print_stack_overflow(void)
-@@ -59,8 +59,8 @@ static inline void print_stack_overflow(void) { }
+ {
+ 	printk(KERN_WARNING "low stack detected by irq handler\n");
+ 	dump_stack();
++	gr_handle_kernel_exploit();
+ 	if (sysctl_panic_on_stackoverflow)
+ 		panic("low stack detected by irq handler - check messages\n");
+ }
+@@ -59,8 +62,8 @@ static inline void print_stack_overflow(void) { }
   * per-CPU IRQ handling contexts (thread information and stack)
   */
  union irq_ctx {
@@ -24914,7 +24970,7 @@ index d7fcbed..1f747f7 100644
  } __attribute__((aligned(THREAD_SIZE)));
  
  static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
-@@ -80,10 +80,9 @@ static void call_on_stack(void *func, void *stack)
+@@ -80,10 +83,9 @@ static void call_on_stack(void *func, void *stack)
  static inline int
  execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
  {
@@ -24926,7 +24982,7 @@ index d7fcbed..1f747f7 100644
  	irqctx = __this_cpu_read(hardirq_ctx);
  
  	/*
-@@ -92,13 +91,16 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
+@@ -92,13 +94,16 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
  	 * handler) we can't do that and just have to keep using the
  	 * current stack (which is the irq stack already after all)
  	 */
@@ -24947,7 +25003,7 @@ index d7fcbed..1f747f7 100644
  
  	if (unlikely(overflow))
  		call_on_stack(print_stack_overflow, isp);
-@@ -110,6 +112,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
+@@ -110,6 +115,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
  		     :  "0" (irq),   "1" (desc),  "2" (isp),
  			"D" (desc->handle_irq)
  		     : "memory", "cc", "ecx");
@@ -24959,7 +25015,7 @@ index d7fcbed..1f747f7 100644
  	return 1;
  }
  
-@@ -118,48 +125,34 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
+@@ -118,48 +128,34 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
   */
  void irq_ctx_init(int cpu)
  {
@@ -25021,7 +25077,7 @@ index d7fcbed..1f747f7 100644
  }
  
  bool handle_irq(unsigned irq, struct pt_regs *regs)
-@@ -173,7 +166,7 @@ bool handle_irq(unsigned irq, struct pt_regs *regs)
+@@ -173,7 +169,7 @@ bool handle_irq(unsigned irq, struct pt_regs *regs)
  	if (unlikely(!desc))
  		return false;
  
@@ -25031,10 +25087,19 @@ index d7fcbed..1f747f7 100644
  			print_stack_overflow();
  		desc->handle_irq(irq, desc);
 diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
-index 4d1c746..232961d 100644
+index 4d1c746..55a22d6 100644
 --- a/arch/x86/kernel/irq_64.c
 +++ b/arch/x86/kernel/irq_64.c
-@@ -44,7 +44,7 @@ static inline void stack_overflow_check(struct pt_regs *regs)
+@@ -26,6 +26,8 @@ EXPORT_PER_CPU_SYMBOL(irq_stat);
+ DEFINE_PER_CPU(struct pt_regs *, irq_regs);
+ EXPORT_PER_CPU_SYMBOL(irq_regs);
+ 
++extern void gr_handle_kernel_exploit(void);
++
+ int sysctl_panic_on_stackoverflow;
+ 
+ /*
+@@ -44,7 +46,7 @@ static inline void stack_overflow_check(struct pt_regs *regs)
  	u64 estack_top, estack_bottom;
  	u64 curbase = (u64)task_stack_page(current);
  
@@ -25043,6 +25108,15 @@ index 4d1c746..232961d 100644
  		return;
  
  	if (regs->sp >= curbase + sizeof(struct thread_info) +
+@@ -69,6 +71,8 @@ static inline void stack_overflow_check(struct pt_regs *regs)
+ 		irq_stack_top, irq_stack_bottom,
+ 		estack_top, estack_bottom);
+ 
++	gr_handle_kernel_exploit();
++
+ 	if (sysctl_panic_on_stackoverflow)
+ 		panic("low stack detected by irq handler - check messages\n");
+ #endif
 diff --git a/arch/x86/kernel/jump_label.c b/arch/x86/kernel/jump_label.c
 index 26d5a55..a01160a 100644
 --- a/arch/x86/kernel/jump_label.c
@@ -58399,7 +58473,7 @@ index e4141f2..d8263e8 100644
  		i += packet_length_size;
  		if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
 diff --git a/fs/exec.c b/fs/exec.c
-index 3d78fcc..5a38b6b 100644
+index 3d78fcc..460e2a0 100644
 --- a/fs/exec.c
 +++ b/fs/exec.c
 @@ -55,8 +55,20 @@
@@ -58882,7 +58956,7 @@ index 3d78fcc..5a38b6b 100644
  out:
  	if (bprm->mm) {
  		acct_arg_size(bprm, 0);
-@@ -1626,3 +1800,295 @@ asmlinkage long compat_sys_execve(const char __user * filename,
+@@ -1626,3 +1800,296 @@ asmlinkage long compat_sys_execve(const char __user * filename,
  	return compat_do_execve(getname(filename), argv, envp);
  }
  #endif
@@ -59099,6 +59173,7 @@ index 3d78fcc..5a38b6b 100644
 +#endif
 +
 +#ifdef CONFIG_PAX_USERCOPY
++
 +static inline bool check_kernel_text_object(unsigned long low, unsigned long high)
 +{
 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
@@ -64219,7 +64294,7 @@ index 87dbcbe..55e1b4d 100644
  }
  
 diff --git a/fs/proc/stat.c b/fs/proc/stat.c
-index 6f599c6..8f4644f 100644
+index 6f599c6..bd00271 100644
 --- a/fs/proc/stat.c
 +++ b/fs/proc/stat.c
 @@ -11,6 +11,7 @@
@@ -64249,34 +64324,63 @@ index 6f599c6..8f4644f 100644
  
  	user = nice = system = idle = iowait =
  		irq = softirq = steal = 0;
-@@ -94,6 +107,7 @@ static int show_stat(struct seq_file *p, void *v)
- 	getboottime(&boottime);
- 	jif = boottime.tv_sec;
- 
-+	if (unrestricted) {
- 	for_each_possible_cpu(i) {
- 		user += kcpustat_cpu(i).cpustat[CPUTIME_USER];
+@@ -99,23 +112,25 @@ static int show_stat(struct seq_file *p, void *v)
  		nice += kcpustat_cpu(i).cpustat[CPUTIME_NICE];
-@@ -116,6 +130,7 @@ static int show_stat(struct seq_file *p, void *v)
+ 		system += kcpustat_cpu(i).cpustat[CPUTIME_SYSTEM];
+ 		idle += get_idle_time(i);
+-		iowait += get_iowait_time(i);
+-		irq += kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
+-		softirq += kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
+-		steal += kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
+-		guest += kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
+-		guest_nice += kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
+-		sum += kstat_cpu_irqs_sum(i);
+-		sum += arch_irq_stat_cpu(i);
++		if (unrestricted) {
++			iowait += get_iowait_time(i);
++			irq += kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
++			softirq += kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
++			steal += kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
++			guest += kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
++			guest_nice += kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
++			sum += kstat_cpu_irqs_sum(i);
++			sum += arch_irq_stat_cpu(i);
++			for (j = 0; j < NR_SOFTIRQS; j++) {
++				unsigned int softirq_stat = kstat_softirqs_cpu(j, i);
+ 
+-		for (j = 0; j < NR_SOFTIRQS; j++) {
+-			unsigned int softirq_stat = kstat_softirqs_cpu(j, i);
+-
+-			per_softirq_sums[j] += softirq_stat;
+-			sum_softirq += softirq_stat;
++				per_softirq_sums[j] += softirq_stat;
++				sum_softirq += softirq_stat;
++			}
  		}
  	}
- 	sum += arch_irq_stat();
-+	}
+-	sum += arch_irq_stat();
++	if (unrestricted)
++		sum += arch_irq_stat();
  
  	seq_puts(p, "cpu ");
  	seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user));
-@@ -131,6 +146,7 @@ static int show_stat(struct seq_file *p, void *v)
- 	seq_putc(p, '\n');
- 
- 	for_each_online_cpu(i) {
-+		if (unrestricted) {
- 		/* Copy values here to work around gcc-2.95.3, gcc-2.96 */
- 		user = kcpustat_cpu(i).cpustat[CPUTIME_USER];
+@@ -136,12 +151,14 @@ static int show_stat(struct seq_file *p, void *v)
  		nice = kcpustat_cpu(i).cpustat[CPUTIME_NICE];
-@@ -142,6 +158,7 @@ static int show_stat(struct seq_file *p, void *v)
- 		steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
- 		guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
- 		guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
+ 		system = kcpustat_cpu(i).cpustat[CPUTIME_SYSTEM];
+ 		idle = get_idle_time(i);
+-		iowait = get_iowait_time(i);
+-		irq = kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
+-		softirq = kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
+-		steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
+-		guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
+-		guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
++		if (unrestricted) {
++			iowait = get_iowait_time(i);
++			irq = kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
++			softirq = kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
++			steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
++			guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
++			guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
 +		}
  		seq_printf(p, "cpu%d", i);
  		seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user));
@@ -82480,16 +82584,26 @@ index 387fa7d..3fcde6b 100644
  #ifdef CONFIG_MAGIC_SYSRQ
  
 diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
-index fddbe20..0312de8 100644
+index fddbe20..e4cce53 100644
 --- a/include/linux/thread_info.h
 +++ b/include/linux/thread_info.h
-@@ -161,6 +161,15 @@ static inline bool test_and_clear_restore_sigmask(void)
+@@ -161,6 +161,25 @@ static inline bool test_and_clear_restore_sigmask(void)
  #error "no set_restore_sigmask() provided and default one won't work"
  #endif
  
 +extern void __check_object_size(const void *ptr, unsigned long n, bool to_user);
++
++#if defined(CONFIG_X86) && defined(CONFIG_PAX_USERCOPY)
++extern void pax_check_alloca(unsigned long size);
++#endif
++
 +static inline void check_object_size(const void *ptr, unsigned long n, bool to_user)
 +{
++#if defined(CONFIG_X86) && defined(CONFIG_PAX_USERCOPY)
++	/* always check if we've overflowed the stack in a copy*user */
++	pax_check_alloca(sizeof(unsigned long));
++#endif
++
 +#ifndef CONFIG_PAX_USERCOPY_DEBUG
 +	if (!__builtin_constant_p(n))
 +#endif
@@ -103516,10 +103630,10 @@ index 8fac3fd..32ff38d 100644
  	unsigned int secindex_strings;
  
 diff --git a/security/Kconfig b/security/Kconfig
-index beb86b5..1ea5a01 100644
+index beb86b5..55198cd 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
-@@ -4,6 +4,960 @@
+@@ -4,6 +4,961 @@
  
  menu "Security options"
  
@@ -103556,6 +103670,7 @@ index beb86b5..1ea5a01 100644
 +	select TTY
 +	select DEBUG_KERNEL
 +	select DEBUG_LIST
++	select DEBUG_STACKOVERFLOW if HAVE_DEBUG_STACKOVERFLOW
 +	help
 +	  If you say Y here, you will be able to configure many features
 +	  that will enhance the security of your system.  It is highly
@@ -104480,7 +104595,7 @@ index beb86b5..1ea5a01 100644
  source security/keys/Kconfig
  
  config SECURITY_DMESG_RESTRICT
-@@ -103,7 +1057,7 @@ config INTEL_TXT
+@@ -103,7 +1058,7 @@ config INTEL_TXT
  config LSM_MMAP_MIN_ADDR
  	int "Low address space for LSM to protect from user allocation"
  	depends on SECURITY && SECURITY_SELINUX
diff --git a/3.2.58/0000_README b/3.2.58/0000_README
index df97a0f..ad7286d 100644
--- a/3.2.58/0000_README
+++ b/3.2.58/0000_README
@@ -150,7 +150,7 @@ Patch:	1057_linux-3.2.58.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.2.58
 
-Patch:	4420_grsecurity-3.0-3.2.58-201405092334.patch
+Patch:	4420_grsecurity-3.0-3.2.58-201405101946.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.2.58/4420_grsecurity-3.0-3.2.58-201405092334.patch b/3.2.58/4420_grsecurity-3.0-3.2.58-201405101946.patch
index 4f95c38..ed3fd8f 100644
--- a/3.2.58/4420_grsecurity-3.0-3.2.58-201405092334.patch
+++ b/3.2.58/4420_grsecurity-3.0-3.2.58-201405101946.patch
@@ -4059,6 +4059,29 @@ index 883fc6c..28c0acd 100644
  }
  
  void __init gt641xx_irq_init(void)
+diff --git a/arch/mips/kernel/irq.c b/arch/mips/kernel/irq.c
+index 7f50318..20685b9 100644
+--- a/arch/mips/kernel/irq.c
++++ b/arch/mips/kernel/irq.c
+@@ -111,7 +111,10 @@ void __init init_IRQ(void)
+ #endif
+ }
+ 
++
+ #ifdef DEBUG_STACKOVERFLOW
++extern void gr_handle_kernel_exploit(void);
++
+ static inline void check_stack_overflow(void)
+ {
+ 	unsigned long sp;
+@@ -127,6 +130,7 @@ static inline void check_stack_overflow(void)
+ 		printk("do_IRQ: stack overflow: %ld\n",
+ 		       sp - sizeof(struct thread_info));
+ 		dump_stack();
++		gr_handle_kernel_exploit();
+ 	}
+ }
+ #else
 diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
 index bf128d7..bc244d6 100644
 --- a/arch/mips/kernel/process.c
@@ -5731,10 +5754,27 @@ index 8c3baa0..4d8c6f1 100644
  	addi	r3,r1,STACK_FRAME_OVERHEAD
  	lwz	r4,_DAR(r1)
 diff --git a/arch/powerpc/kernel/irq.c b/arch/powerpc/kernel/irq.c
-index 745c1e7..59d97a6 100644
+index 745c1e7..d231072 100644
 --- a/arch/powerpc/kernel/irq.c
 +++ b/arch/powerpc/kernel/irq.c
-@@ -547,9 +547,6 @@ struct irq_host *irq_alloc_host(struct device_node *of_node,
+@@ -324,6 +324,8 @@ static inline void handle_one_irq(unsigned int irq)
+ 		set_bits(irqtp->flags, &curtp->flags);
+ }
+ 
++extern void gr_handle_kernel_exploit(void);
++
+ static inline void check_stack_overflow(void)
+ {
+ #ifdef CONFIG_DEBUG_STACKOVERFLOW
+@@ -336,6 +338,7 @@ static inline void check_stack_overflow(void)
+ 		printk("do_IRQ: stack overflow: %ld\n",
+ 			sp - sizeof(struct thread_info));
+ 		dump_stack();
++		gr_handle_kernel_exploit();
+ 	}
+ #endif
+ }
+@@ -547,9 +550,6 @@ struct irq_host *irq_alloc_host(struct device_node *of_node,
  	host->ops = ops;
  	host->of_node = of_node_get(of_node);
  
@@ -5744,7 +5784,7 @@ index 745c1e7..59d97a6 100644
  	raw_spin_lock_irqsave(&irq_big_lock, flags);
  
  	/* If it's a legacy controller, check for duplicates and
-@@ -622,7 +619,12 @@ struct irq_host *irq_find_host(struct device_node *node)
+@@ -622,7 +622,12 @@ struct irq_host *irq_find_host(struct device_node *node)
  	 */
  	raw_spin_lock_irqsave(&irq_big_lock, flags);
  	list_for_each_entry(h, &irq_hosts, link)
@@ -18092,7 +18132,7 @@ index 1aae78f..138ca1b 100644
  
  	if (__die(str, regs, err))
 diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c
-index c99f9ed..025ebd3 100644
+index c99f9ed..76cf602 100644
 --- a/arch/x86/kernel/dumpstack_32.c
 +++ b/arch/x86/kernel/dumpstack_32.c
 @@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
@@ -18163,7 +18203,7 @@ index c99f9ed..025ebd3 100644
  	return ud2 == 0x0b0f;
  }
 +
-+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
++#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
 +void pax_check_alloca(unsigned long size)
 +{
 +	unsigned long sp = (unsigned long)&sp, stack_left;
@@ -18175,7 +18215,7 @@ index c99f9ed..025ebd3 100644
 +EXPORT_SYMBOL(pax_check_alloca);
 +#endif
 diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
-index 6d728d9..80f1867 100644
+index 6d728d9..c4c40f5 100644
 --- a/arch/x86/kernel/dumpstack_64.c
 +++ b/arch/x86/kernel/dumpstack_64.c
 @@ -119,9 +119,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
@@ -18253,7 +18293,7 @@ index 6d728d9..80f1867 100644
  	return ud2 == 0x0b0f;
  }
 +
-+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
++#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
 +void pax_check_alloca(unsigned long size)
 +{
 +	unsigned long sp = (unsigned long)&sp, stack_start, stack_end;
@@ -21138,10 +21178,20 @@ index 687637b..3e626d9 100644
  }
  
 diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c
-index 7209070..cbcd71a 100644
+index 7209070..ada4d63 100644
 --- a/arch/x86/kernel/irq_32.c
 +++ b/arch/x86/kernel/irq_32.c
-@@ -36,7 +36,7 @@ static int check_stack_overflow(void)
+@@ -28,6 +28,9 @@ DEFINE_PER_CPU(struct pt_regs *, irq_regs);
+ EXPORT_PER_CPU_SYMBOL(irq_regs);
+ 
+ #ifdef CONFIG_DEBUG_STACKOVERFLOW
++
++extern void gr_handle_kernel_exploit(void);
++
+ /* Debugging check for stack overflow: is there less than 1KB free? */
+ static int check_stack_overflow(void)
+ {
+@@ -36,13 +39,14 @@ static int check_stack_overflow(void)
  	__asm__ __volatile__("andl %%esp,%0" :
  			     "=r" (sp) : "0" (THREAD_SIZE - 1));
  
@@ -21150,7 +21200,14 @@ index 7209070..cbcd71a 100644
  }
  
  static void print_stack_overflow(void)
-@@ -54,8 +54,8 @@ static inline void print_stack_overflow(void) { }
+ {
+ 	printk(KERN_WARNING "low stack detected by irq handler\n");
+ 	dump_stack();
++	gr_handle_kernel_exploit();
+ }
+ 
+ #else
+@@ -54,8 +58,8 @@ static inline void print_stack_overflow(void) { }
   * per-CPU IRQ handling contexts (thread information and stack)
   */
  union irq_ctx {
@@ -21161,7 +21218,7 @@ index 7209070..cbcd71a 100644
  } __attribute__((aligned(THREAD_SIZE)));
  
  static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
-@@ -75,10 +75,9 @@ static void call_on_stack(void *func, void *stack)
+@@ -75,10 +79,9 @@ static void call_on_stack(void *func, void *stack)
  static inline int
  execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
  {
@@ -21173,7 +21230,7 @@ index 7209070..cbcd71a 100644
  	irqctx = __this_cpu_read(hardirq_ctx);
  
  	/*
-@@ -87,21 +86,16 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
+@@ -87,21 +90,16 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
  	 * handler) we can't do that and just have to keep using the
  	 * current stack (which is the irq stack already after all)
  	 */
@@ -21201,7 +21258,7 @@ index 7209070..cbcd71a 100644
  
  	if (unlikely(overflow))
  		call_on_stack(print_stack_overflow, isp);
-@@ -113,6 +107,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
+@@ -113,6 +111,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
  		     :  "0" (irq),   "1" (desc),  "2" (isp),
  			"D" (desc->handle_irq)
  		     : "memory", "cc", "ecx");
@@ -21213,7 +21270,7 @@ index 7209070..cbcd71a 100644
  	return 1;
  }
  
-@@ -121,29 +120,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
+@@ -121,29 +124,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
   */
  void __cpuinit irq_ctx_init(int cpu)
  {
@@ -21245,7 +21302,7 @@ index 7209070..cbcd71a 100644
  
  	printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
  	       cpu, per_cpu(hardirq_ctx, cpu),  per_cpu(softirq_ctx, cpu));
-@@ -152,7 +133,6 @@ void __cpuinit irq_ctx_init(int cpu)
+@@ -152,7 +137,6 @@ void __cpuinit irq_ctx_init(int cpu)
  asmlinkage void do_softirq(void)
  {
  	unsigned long flags;
@@ -21253,7 +21310,7 @@ index 7209070..cbcd71a 100644
  	union irq_ctx *irqctx;
  	u32 *isp;
  
-@@ -162,15 +142,22 @@ asmlinkage void do_softirq(void)
+@@ -162,15 +146,22 @@ asmlinkage void do_softirq(void)
  	local_irq_save(flags);
  
  	if (local_softirq_pending()) {
@@ -21281,10 +21338,19 @@ index 7209070..cbcd71a 100644
  		 * Shouldn't happen, we returned above if in_interrupt():
  		 */
 diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
-index 69bca46..0bac999 100644
+index 69bca46..fe78277 100644
 --- a/arch/x86/kernel/irq_64.c
 +++ b/arch/x86/kernel/irq_64.c
-@@ -38,7 +38,7 @@ static inline void stack_overflow_check(struct pt_regs *regs)
+@@ -26,6 +26,8 @@ EXPORT_PER_CPU_SYMBOL(irq_stat);
+ DEFINE_PER_CPU(struct pt_regs *, irq_regs);
+ EXPORT_PER_CPU_SYMBOL(irq_regs);
+ 
++extern void gr_handle_kernel_exploit(void);
++
+ /*
+  * Probabilistic stack overflow check:
+  *
+@@ -38,7 +40,7 @@ static inline void stack_overflow_check(struct pt_regs *regs)
  #ifdef CONFIG_DEBUG_STACKOVERFLOW
  	u64 curbase = (u64)task_stack_page(current);
  
@@ -21293,6 +21359,14 @@ index 69bca46..0bac999 100644
  		return;
  
  	WARN_ONCE(regs->sp >= curbase &&
+@@ -48,6 +50,7 @@ static inline void stack_overflow_check(struct pt_regs *regs)
+ 
+ 		  "do_IRQ: %s near stack overflow (cur:%Lx,sp:%lx)\n",
+ 			current->comm, curbase, regs->sp);
++	gr_handle_kernel_exploit();
+ #endif
+ }
+ 
 diff --git a/arch/x86/kernel/kgdb.c b/arch/x86/kernel/kgdb.c
 index 2f45c4c..3f51a0c 100644
 --- a/arch/x86/kernel/kgdb.c
@@ -56597,7 +56671,7 @@ index 451b9b8..12e5a03 100644
  
  out_free_fd:
 diff --git a/fs/exec.c b/fs/exec.c
-index 78199eb..1781a561 100644
+index 78199eb..80dac79 100644
 --- a/fs/exec.c
 +++ b/fs/exec.c
 @@ -55,12 +55,35 @@
@@ -57210,7 +57284,7 @@ index 78199eb..1781a561 100644
  	cn->corename = kmalloc(cn->size, GFP_KERNEL);
  	cn->used = 0;
  
-@@ -1833,6 +2016,292 @@ out:
+@@ -1833,6 +2016,293 @@ out:
  	return ispipe;
  }
  
@@ -57420,6 +57494,7 @@ index 78199eb..1781a561 100644
 +#endif
 +
 +#ifdef CONFIG_PAX_USERCOPY
++
 +static inline bool check_kernel_text_object(unsigned long low, unsigned long high)
 +{
 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
@@ -57503,7 +57578,7 @@ index 78199eb..1781a561 100644
  static int zap_process(struct task_struct *start, int exit_code)
  {
  	struct task_struct *t;
-@@ -2006,17 +2475,17 @@ static void coredump_finish(struct mm_struct *mm)
+@@ -2006,17 +2476,17 @@ static void coredump_finish(struct mm_struct *mm)
  void set_dumpable(struct mm_struct *mm, int value)
  {
  	switch (value) {
@@ -57524,7 +57599,7 @@ index 78199eb..1781a561 100644
  		set_bit(MMF_DUMP_SECURELY, &mm->flags);
  		smp_wmb();
  		set_bit(MMF_DUMPABLE, &mm->flags);
-@@ -2029,7 +2498,7 @@ static int __get_dumpable(unsigned long mm_flags)
+@@ -2029,7 +2499,7 @@ static int __get_dumpable(unsigned long mm_flags)
  	int ret;
  
  	ret = mm_flags & MMF_DUMPABLE_MASK;
@@ -57533,7 +57608,7 @@ index 78199eb..1781a561 100644
  }
  
  /*
-@@ -2050,17 +2519,17 @@ static void wait_for_dump_helpers(struct file *file)
+@@ -2050,17 +2520,17 @@ static void wait_for_dump_helpers(struct file *file)
  	pipe = file->f_path.dentry->d_inode->i_pipe;
  
  	pipe_lock(pipe);
@@ -57556,7 +57631,7 @@ index 78199eb..1781a561 100644
  	pipe_unlock(pipe);
  
  }
-@@ -2121,7 +2590,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2121,7 +2591,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  	int retval = 0;
  	int flag = 0;
  	int ispipe;
@@ -57566,7 +57641,7 @@ index 78199eb..1781a561 100644
  	struct coredump_params cprm = {
  		.signr = signr,
  		.regs = regs,
-@@ -2136,6 +2606,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2136,6 +2607,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  
  	audit_core_dumps(signr);
  
@@ -57576,7 +57651,7 @@ index 78199eb..1781a561 100644
  	binfmt = mm->binfmt;
  	if (!binfmt || !binfmt->core_dump)
  		goto fail;
-@@ -2146,14 +2619,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2146,14 +2620,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  	if (!cred)
  		goto fail;
  	/*
@@ -57597,7 +57672,7 @@ index 78199eb..1781a561 100644
  	}
  
  	retval = coredump_wait(exit_code, &core_state);
-@@ -2203,7 +2678,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2203,7 +2679,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  		}
  		cprm.limit = RLIM_INFINITY;
  
@@ -57606,7 +57681,7 @@ index 78199eb..1781a561 100644
  		if (core_pipe_limit && (core_pipe_limit < dump_count)) {
  			printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
  			       task_tgid_vnr(current), current->comm);
-@@ -2230,9 +2705,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2230,9 +2706,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  	} else {
  		struct inode *inode;
  
@@ -57626,7 +57701,7 @@ index 78199eb..1781a561 100644
  		cprm.file = filp_open(cn.corename,
  				 O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
  				 0600);
-@@ -2273,7 +2758,7 @@ close_fail:
+@@ -2273,7 +2759,7 @@ close_fail:
  		filp_close(cprm.file, NULL);
  fail_dropcount:
  	if (ispipe)
@@ -57635,7 +57710,7 @@ index 78199eb..1781a561 100644
  fail_unlock:
  	kfree(cn.corename);
  fail_corename:
-@@ -2292,7 +2777,7 @@ fail:
+@@ -2292,7 +2778,7 @@ fail:
   */
  int dump_write(struct file *file, const void *addr, int nr)
  {
@@ -63098,6 +63173,92 @@ index 03102d9..4ae347e 100644
  	proc_sys_init();
  }
  
+diff --git a/fs/proc/stat.c b/fs/proc/stat.c
+index 4c9a859..0b51e6b 100644
+--- a/fs/proc/stat.c
++++ b/fs/proc/stat.c
+@@ -67,6 +67,18 @@ static int show_stat(struct seq_file *p, void *v)
+ 	u64 sum_softirq = 0;
+ 	unsigned int per_softirq_sums[NR_SOFTIRQS] = {0};
+ 	struct timespec boottime;
++	int unrestricted = 1;
++
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	if (current_uid()
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++	    && !in_group_p(grsec_proc_gid)
++#endif
++	)
++		unrestricted = 0;
++#endif
++#endif
+ 
+ 	user = nice = system = idle = iowait =
+ 		irq = softirq = steal = cputime64_zero;
+@@ -79,24 +91,27 @@ static int show_stat(struct seq_file *p, void *v)
+ 		nice = cputime64_add(nice, kstat_cpu(i).cpustat.nice);
+ 		system = cputime64_add(system, kstat_cpu(i).cpustat.system);
+ 		idle = cputime64_add(idle, get_idle_time(i));
+-		iowait = cputime64_add(iowait, get_iowait_time(i));
+-		irq = cputime64_add(irq, kstat_cpu(i).cpustat.irq);
+-		softirq = cputime64_add(softirq, kstat_cpu(i).cpustat.softirq);
+-		steal = cputime64_add(steal, kstat_cpu(i).cpustat.steal);
+-		guest = cputime64_add(guest, kstat_cpu(i).cpustat.guest);
+-		guest_nice = cputime64_add(guest_nice,
+-			kstat_cpu(i).cpustat.guest_nice);
+-		sum += kstat_cpu_irqs_sum(i);
+-		sum += arch_irq_stat_cpu(i);
++		if (unrestricted) {
++			iowait = cputime64_add(iowait, get_iowait_time(i));
++			irq = cputime64_add(irq, kstat_cpu(i).cpustat.irq);
++			softirq = cputime64_add(softirq, kstat_cpu(i).cpustat.softirq);
++			steal = cputime64_add(steal, kstat_cpu(i).cpustat.steal);
++			guest = cputime64_add(guest, kstat_cpu(i).cpustat.guest);
++			guest_nice = cputime64_add(guest_nice,
++				kstat_cpu(i).cpustat.guest_nice);
++			sum += kstat_cpu_irqs_sum(i);
++			sum += arch_irq_stat_cpu(i);
+ 
+-		for (j = 0; j < NR_SOFTIRQS; j++) {
+-			unsigned int softirq_stat = kstat_softirqs_cpu(j, i);
++			for (j = 0; j < NR_SOFTIRQS; j++) {
++				unsigned int softirq_stat = kstat_softirqs_cpu(j, i);
+ 
+-			per_softirq_sums[j] += softirq_stat;
+-			sum_softirq += softirq_stat;
++				per_softirq_sums[j] += softirq_stat;
++				sum_softirq += softirq_stat;
++			}
+ 		}
+ 	}
+-	sum += arch_irq_stat();
++	if (unrestricted)
++		sum += arch_irq_stat();
+ 
+ 	seq_printf(p, "cpu  %llu %llu %llu %llu %llu %llu %llu %llu %llu "
+ 		"%llu\n",
+@@ -116,12 +131,14 @@ static int show_stat(struct seq_file *p, void *v)
+ 		nice = kstat_cpu(i).cpustat.nice;
+ 		system = kstat_cpu(i).cpustat.system;
+ 		idle = get_idle_time(i);
+-		iowait = get_iowait_time(i);
+-		irq = kstat_cpu(i).cpustat.irq;
+-		softirq = kstat_cpu(i).cpustat.softirq;
+-		steal = kstat_cpu(i).cpustat.steal;
+-		guest = kstat_cpu(i).cpustat.guest;
+-		guest_nice = kstat_cpu(i).cpustat.guest_nice;
++		if (unrestricted) {
++			iowait = get_iowait_time(i);
++			irq = kstat_cpu(i).cpustat.irq;
++			softirq = kstat_cpu(i).cpustat.softirq;
++			steal = kstat_cpu(i).cpustat.steal;
++			guest = kstat_cpu(i).cpustat.guest;
++			guest_nice = kstat_cpu(i).cpustat.guest_nice;
++		}
+ 		seq_printf(p,
+ 			"cpu%d %llu %llu %llu %llu %llu %llu %llu %llu %llu "
+ 			"%llu\n",
 diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
 index ef1740d..9a18b87 100644
 --- a/fs/proc/task_mmu.c
@@ -82409,16 +82570,26 @@ index 7faf933..9b85a0c 100644
  #ifdef CONFIG_MAGIC_SYSRQ
  
 diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
-index 8d03f07..e723aa8 100644
+index 8d03f07..66b3cf6 100644
 --- a/include/linux/thread_info.h
 +++ b/include/linux/thread_info.h
-@@ -123,6 +123,13 @@ static inline void set_restore_sigmask(void)
+@@ -123,6 +123,23 @@ static inline void set_restore_sigmask(void)
  }
  #endif	/* TIF_RESTORE_SIGMASK && !HAVE_SET_RESTORE_SIGMASK */
  
 +extern void __check_object_size(const void *ptr, unsigned long n, bool to);
++
++#if defined(CONFIG_X86) && defined(CONFIG_PAX_USERCOPY)
++extern void pax_check_alloca(unsigned long size);
++#endif
++
 +static inline void check_object_size(const void *ptr, unsigned long n, bool to)
 +{
++#if defined(CONFIG_X86) && defined(CONFIG_PAX_USERCOPY)
++	/* always check if we've overflowed the stack in a copy*user */
++	pax_check_alloca(sizeof(unsigned long));
++#endif
++
 +	if (!__builtin_constant_p(n))
 +		__check_object_size(ptr, n, to);
 +}
@@ -106618,10 +106789,10 @@ index 38f6617..e70b72b 100755
  
  exuberant()
 diff --git a/security/Kconfig b/security/Kconfig
-index 51bd5a0..d4191c5 100644
+index 51bd5a0..f75fbf0 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
-@@ -4,6 +4,955 @@
+@@ -4,6 +4,956 @@
  
  menu "Security options"
  
@@ -106657,6 +106828,7 @@ index 51bd5a0..d4191c5 100644
 +	select STOP_MACHINE
 +	select DEBUG_KERNEL
 +	select DEBUG_LIST
++	select DEBUG_STACKOVERFLOW if HAVE_DEBUG_STACKOVERFLOW
 +	help
 +	  If you say Y here, you will be able to configure many features
 +	  that will enhance the security of your system.  It is highly
@@ -107577,7 +107749,7 @@ index 51bd5a0..d4191c5 100644
  config KEYS
  	bool "Enable access key retention support"
  	help
-@@ -169,7 +1118,7 @@ config INTEL_TXT
+@@ -169,7 +1119,7 @@ config INTEL_TXT
  config LSM_MMAP_MIN_ADDR
  	int "Low address space for LSM to protect from user allocation"
  	depends on SECURITY && SECURITY_SELINUX
author	Anthony G. Basile <blueness@gentoo.org>	2014-05-11 07:55:06 -0400
committer	Anthony G. Basile <blueness@gentoo.org>	2014-05-11 07:55:06 -0400
commit	c93aa17d5126ba7c50c7e204d699491674712983 (patch)
tree	3e000ab025c3dcbdee1354d3937a276510ebbcfd
parent	Grsec/PaX: 3.0-{3.2.58,3.14.3}-201405092337 (diff)
download	hardened-patchset-20140510.tar.gz hardened-patchset-20140510.tar.bz2 hardened-patchset-20140510.zip