diff options
Diffstat (limited to '3.1.3/4425_grsec-pax-without-grsec.patch')
| -rw-r--r-- | 3.1.3/4425_grsec-pax-without-grsec.patch | 88 |
1 files changed, 88 insertions, 0 deletions
diff --git a/3.1.3/4425_grsec-pax-without-grsec.patch b/3.1.3/4425_grsec-pax-without-grsec.patch new file mode 100644 index 0000000..8304192 --- /dev/null +++ b/3.1.3/4425_grsec-pax-without-grsec.patch @@ -0,0 +1,88 @@ +From: Anthony G. Basile <blueness@gentoo.org> + +With grsecurity-2.2.2-2.6.32.38-201104171745, the functions pax_report_leak_to_user and +pax_report_overflow_from_user in fs/exec.c were consolidated into pax_report_usercopy. +This patch has been updated to reflect that change. +-- +From: Jory Pratt <anarchy@gentoo.org> +Updated patch for kernel 2.6.32 + +The credits/description from the original version of this patch remain accurate +and are included below. +-- +From: Gordon Malm <gengor@gentoo.org> + +Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC. + +This patch has been updated to keep current with newer kernel versions. +The original version of this patch contained no credits/description. + +diff -Naur a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c +--- a/arch/x86/mm/fault.c 2011-04-17 19:05:03.000000000 -0400 ++++ a/arch/x86/mm/fault.c 2011-04-17 19:20:30.000000000 -0400 +@@ -651,10 +651,12 @@ + + #ifdef CONFIG_PAX_KERNEXEC + if (init_mm.start_code <= address && address < init_mm.end_code) { ++#ifdef CONFIG_GRKERNSEC + if (current->signal->curr_ip) + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid()); + else ++#endif + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", + current->comm, task_pid_nr(current), current_uid(), current_euid()); + } +diff -Naur a/fs/exec.c b/fs/exec.c +--- a/fs/exec.c 2011-04-17 19:05:03.000000000 -0400 ++++ b/fs/exec.c 2011-04-17 19:20:30.000000000 -0400 +@@ -1999,9 +1999,11 @@ + } + up_read(&mm->mmap_sem); + } ++#ifdef CONFIG_GRKERNSEC + if (tsk->signal->curr_ip) + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset); + else ++#endif + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset); + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, " + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk), +@@ -2016,10 +2018,12 @@ + #ifdef CONFIG_PAX_REFCOUNT + void pax_report_refcount_overflow(struct pt_regs *regs) + { ++#ifdef CONFIG_GRKERNSEC + if (current->signal->curr_ip) + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid()); + else ++#endif + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", + current->comm, task_pid_nr(current), current_uid(), current_euid()); + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs)); +@@ -2079,10 +2083,12 @@ + + NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) + { ++#ifdef CONFIG_GRKERNSEC + if (current->signal->curr_ip) + printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n", + ¤t->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len); + else ++#endif + printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n", + to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len); + dump_stack(); +diff -Naur a/security/Kconfig b/security/Kconfig +--- a/security/Kconfig 2011-04-17 19:05:03.000000000 -0400 ++++ b/security/Kconfig 2011-04-17 19:20:30.000000000 -0400 +@@ -29,7 +29,7 @@ + + config PAX + bool "Enable various PaX features" +- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86) ++ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86) + help + This allows you to enable various PaX features. PaX adds + intrusion prevention mechanisms to the kernel that reduce |