Grsec/PaX: 3.0-{3.2.60,3.14.10,3.15.3}-20140705203220140705

5 files changed, 175 insertions, 6 deletions

diff --git a/3.14.10/0000_README b/3.14.10/0000_README
index f6fde5b..7edf2bb 100644
--- a/3.14.10/0000_README
+++ b/3.14.10/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.0-3.14.10-201407012152.patch
+Patch:	4420_grsecurity-3.0-3.14.10-201407052031.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.14.10/4420_grsecurity-3.0-3.14.10-201407012152.patch b/3.14.10/4420_grsecurity-3.0-3.14.10-201407052031.patch
index ba8d0dd..5cd674b 100644
--- a/3.14.10/4420_grsecurity-3.0-3.14.10-201407012152.patch
+++ b/3.14.10/4420_grsecurity-3.0-3.14.10-201407052031.patch
@@ -18734,7 +18734,7 @@ index fdedd38..95c02c2 100644
  void df_debug(struct pt_regs *regs, long error_code);
  #endif /* _ASM_X86_PROCESSOR_H */
 diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
-index 14fd6fd..6740420 100644
+index 14fd6fd..b31a4a4 100644
 --- a/arch/x86/include/asm/ptrace.h
 +++ b/arch/x86/include/asm/ptrace.h
 @@ -84,28 +84,29 @@ static inline unsigned long regs_return_value(struct pt_regs *regs)
@@ -18807,6 +18807,29 @@ index 14fd6fd..6740420 100644
  #endif
  	return *(unsigned long *)((unsigned long)regs + offset);
  }
+@@ -231,6 +235,22 @@ static inline unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs,
+ 
+ #define ARCH_HAS_USER_SINGLE_STEP_INFO
+ 
++/*
++ * When hitting ptrace_stop(), we cannot return using SYSRET because
++ * that does not restore the full CPU state, only a minimal set.  The
++ * ptracer can change arbitrary register values, which is usually okay
++ * because the usual ptrace stops run off the signal delivery path which
++ * forces IRET; however, ptrace_event() stops happen in arbitrary places
++ * in the kernel and don't force IRET path.
++ *
++ * So force IRET path after a ptrace stop.
++ */
++#define arch_ptrace_stop_needed(code, info)				\
++({									\
++	set_thread_flag(TIF_NOTIFY_RESUME);				\
++	false;								\
++})
++
+ struct user_desc;
+ extern int do_get_thread_area(struct task_struct *p, int idx,
+ 			      struct user_desc __user *info);
 diff --git a/arch/x86/include/asm/realmode.h b/arch/x86/include/asm/realmode.h
 index 9c6b890..5305f53 100644
 --- a/arch/x86/include/asm/realmode.h
@@ -82077,6 +82100,20 @@ index 34a1e10..70f6bde 100644
  
  struct proc_ns {
  	void *ns;
+diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h
+index 077904c..cc79eff 100644
+--- a/include/linux/ptrace.h
++++ b/include/linux/ptrace.h
+@@ -334,6 +334,9 @@ static inline void user_single_step_siginfo(struct task_struct *tsk,
+  * calling arch_ptrace_stop() when it would be superfluous.  For example,
+  * if the thread has not been back to user mode since the last stop, the
+  * thread state might indicate that nothing needs to be done.
++ *
++ * This is guaranteed to be invoked once before a task stops for ptrace and
++ * may include arch-specific operations necessary prior to a ptrace stop.
+  */
+ #define arch_ptrace_stop_needed(code, info)	(0)
+ #endif
 diff --git a/include/linux/quota.h b/include/linux/quota.h
 index cc7494a..1e27036 100644
 --- a/include/linux/quota.h
@@ -92405,6 +92442,37 @@ index c24c2f7..f0296f4 100644
 +	pax_close_kernel();
 +}
 +EXPORT_SYMBOL(pax_list_del_rcu);
+diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
+index b74da44..7a85967 100644
+--- a/lib/lz4/lz4_decompress.c
++++ b/lib/lz4/lz4_decompress.c
+@@ -192,6 +192,8 @@ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,
+ 			int s = 255;
+ 			while ((ip < iend) && (s == 255)) {
+ 				s = *ip++;
++				if (unlikely(length > (size_t)(length + s)))
++					goto _output_error;
+ 				length += s;
+ 			}
+ 		}
+@@ -232,6 +234,8 @@ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,
+ 		if (length == ML_MASK) {
+ 			while (ip < iend) {
+ 				int s = *ip++;
++				if (unlikely(length > (size_t)(length + s)))
++					goto _output_error;
+ 				length += s;
+ 				if (s == 255)
+ 					continue;
+@@ -284,7 +288,7 @@ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,
+ 
+ 	/* write overflow error detected */
+ _output_error:
+-	return (int) (-(((char *) ip) - source));
++	return -1;
+ }
+ 
+ int lz4_decompress(const unsigned char *src, size_t *src_len,
 diff --git a/lib/percpu-refcount.c b/lib/percpu-refcount.c
 index 963b703..438bc51 100644
 --- a/lib/percpu-refcount.c
diff --git a/3.15.3/4420_grsecurity-3.0-3.15.3-201407012153.patch b/3.15.3/4420_grsecurity-3.0-3.15.3-201407052032.patch
index 962e272..34bb183 100644
--- a/3.15.3/4420_grsecurity-3.0-3.15.3-201407012153.patch
+++ b/3.15.3/4420_grsecurity-3.0-3.15.3-201407052032.patch
@@ -18365,7 +18365,7 @@ index a4ea023..33aa874 100644
  void df_debug(struct pt_regs *regs, long error_code);
  #endif /* _ASM_X86_PROCESSOR_H */
 diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
-index 14fd6fd..6740420 100644
+index 14fd6fd..b31a4a4 100644
 --- a/arch/x86/include/asm/ptrace.h
 +++ b/arch/x86/include/asm/ptrace.h
 @@ -84,28 +84,29 @@ static inline unsigned long regs_return_value(struct pt_regs *regs)
@@ -18438,6 +18438,29 @@ index 14fd6fd..6740420 100644
  #endif
  	return *(unsigned long *)((unsigned long)regs + offset);
  }
+@@ -231,6 +235,22 @@ static inline unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs,
+ 
+ #define ARCH_HAS_USER_SINGLE_STEP_INFO
+ 
++/*
++ * When hitting ptrace_stop(), we cannot return using SYSRET because
++ * that does not restore the full CPU state, only a minimal set.  The
++ * ptracer can change arbitrary register values, which is usually okay
++ * because the usual ptrace stops run off the signal delivery path which
++ * forces IRET; however, ptrace_event() stops happen in arbitrary places
++ * in the kernel and don't force IRET path.
++ *
++ * So force IRET path after a ptrace stop.
++ */
++#define arch_ptrace_stop_needed(code, info)				\
++({									\
++	set_thread_flag(TIF_NOTIFY_RESUME);				\
++	false;								\
++})
++
+ struct user_desc;
+ extern int do_get_thread_area(struct task_struct *p, int idx,
+ 			      struct user_desc __user *info);
 diff --git a/arch/x86/include/asm/realmode.h b/arch/x86/include/asm/realmode.h
 index 9c6b890..5305f53 100644
 --- a/arch/x86/include/asm/realmode.h
@@ -81526,6 +81549,20 @@ index 34a1e10..70f6bde 100644
  
  struct proc_ns {
  	void *ns;
+diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h
+index 077904c..cc79eff 100644
+--- a/include/linux/ptrace.h
++++ b/include/linux/ptrace.h
+@@ -334,6 +334,9 @@ static inline void user_single_step_siginfo(struct task_struct *tsk,
+  * calling arch_ptrace_stop() when it would be superfluous.  For example,
+  * if the thread has not been back to user mode since the last stop, the
+  * thread state might indicate that nothing needs to be done.
++ *
++ * This is guaranteed to be invoked once before a task stops for ptrace and
++ * may include arch-specific operations necessary prior to a ptrace stop.
+  */
+ #define arch_ptrace_stop_needed(code, info)	(0)
+ #endif
 diff --git a/include/linux/quota.h b/include/linux/quota.h
 index cc7494a..1e27036 100644
 --- a/include/linux/quota.h
@@ -91912,6 +91949,37 @@ index c24c2f7..f0296f4 100644
 +	pax_close_kernel();
 +}
 +EXPORT_SYMBOL(pax_list_del_rcu);
+diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
+index b74da44..7a85967 100644
+--- a/lib/lz4/lz4_decompress.c
++++ b/lib/lz4/lz4_decompress.c
+@@ -192,6 +192,8 @@ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,
+ 			int s = 255;
+ 			while ((ip < iend) && (s == 255)) {
+ 				s = *ip++;
++				if (unlikely(length > (size_t)(length + s)))
++					goto _output_error;
+ 				length += s;
+ 			}
+ 		}
+@@ -232,6 +234,8 @@ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,
+ 		if (length == ML_MASK) {
+ 			while (ip < iend) {
+ 				int s = *ip++;
++				if (unlikely(length > (size_t)(length + s)))
++					goto _output_error;
+ 				length += s;
+ 				if (s == 255)
+ 					continue;
+@@ -284,7 +288,7 @@ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,
+ 
+ 	/* write overflow error detected */
+ _output_error:
+-	return (int) (-(((char *) ip) - source));
++	return -1;
+ }
+ 
+ int lz4_decompress(const unsigned char *src, size_t *src_len,
 diff --git a/lib/percpu-refcount.c b/lib/percpu-refcount.c
 index 963b703..438bc51 100644
 --- a/lib/percpu-refcount.c
diff --git a/3.2.60/0000_README b/3.2.60/0000_README
index 9604a91..ee22cb5 100644
--- a/3.2.60/0000_README
+++ b/3.2.60/0000_README
@@ -158,7 +158,7 @@ Patch:	1059_linux-3.2.60.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.2.60
 
-Patch:	4420_grsecurity-3.0-3.2.60-201407012149.patch
+Patch:	4420_grsecurity-3.0-3.2.60-201407052028.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.2.60/4420_grsecurity-3.0-3.2.60-201407012149.patch b/3.2.60/4420_grsecurity-3.0-3.2.60-201407052028.patch
index 2be45b2..2ddb90d 100644
--- a/3.2.60/4420_grsecurity-3.0-3.2.60-201407012149.patch
+++ b/3.2.60/4420_grsecurity-3.0-3.2.60-201407052028.patch
@@ -15196,7 +15196,7 @@ index 7b0a55a..ad115bf 100644
  
  /* top of stack page */
 diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
-index 3b96fd4..8790004 100644
+index 3b96fd4..d8c7f13 100644
 --- a/arch/x86/include/asm/ptrace.h
 +++ b/arch/x86/include/asm/ptrace.h
 @@ -156,28 +156,29 @@ static inline unsigned long regs_return_value(struct pt_regs *regs)
@@ -15254,6 +15254,29 @@ index 3b96fd4..8790004 100644
  #endif
  }
  #endif
+@@ -287,6 +289,22 @@ static inline unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs,
+ 
+ #define ARCH_HAS_USER_SINGLE_STEP_INFO
+ 
++/*
++ * When hitting ptrace_stop(), we cannot return using SYSRET because
++ * that does not restore the full CPU state, only a minimal set.  The
++ * ptracer can change arbitrary register values, which is usually okay
++ * because the usual ptrace stops run off the signal delivery path which
++ * forces IRET; however, ptrace_event() stops happen in arbitrary places
++ * in the kernel and don't force IRET path.
++ *
++ * So force IRET path after a ptrace stop.
++ */
++#define arch_ptrace_stop_needed(code, info)				\
++({									\
++	set_thread_flag(TIF_NOTIFY_RESUME);				\
++	false;								\
++})
++
+ struct user_desc;
+ extern int do_get_thread_area(struct task_struct *p, int idx,
+ 			      struct user_desc __user *info);
 diff --git a/arch/x86/include/asm/reboot.h b/arch/x86/include/asm/reboot.h
 index 92f29706..d0a1a53 100644
 --- a/arch/x86/include/asm/reboot.h
@@ -81186,7 +81209,7 @@ index 643b96c..c9bfc32 100644
  static inline struct proc_inode *PROC_I(const struct inode *inode)
  {
 diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h
-index 800f113..13b3715 100644
+index 800f113..635a20c 100644
 --- a/include/linux/ptrace.h
 +++ b/include/linux/ptrace.h
 @@ -62,8 +62,9 @@
@@ -81247,6 +81270,16 @@ index 800f113..13b3715 100644
  	}
  }
  
+@@ -371,6 +377,9 @@ static inline void user_single_step_siginfo(struct task_struct *tsk,
+  * calling arch_ptrace_stop() when it would be superfluous.  For example,
+  * if the thread has not been back to user mode since the last stop, the
+  * thread state might indicate that nothing needs to be done.
++ *
++ * This is guaranteed to be invoked once before a task stops for ptrace and
++ * may include arch-specific operations necessary prior to a ptrace stop.
+  */
+ #define arch_ptrace_stop_needed(code, info)	(0)
+ #endif
 diff --git a/include/linux/random.h b/include/linux/random.h
 index f5e1311..d51eec7 100644
 --- a/include/linux/random.h