diff options
Diffstat (limited to '3.14.3')
-rw-r--r-- | 3.14.3/0000_README | 2 | ||||
-rw-r--r-- | 3.14.3/4420_grsecurity-3.0-3.14.3-201405101947.patch (renamed from 3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch) | 203 |
2 files changed, 160 insertions, 45 deletions
diff --git a/3.14.3/0000_README b/3.14.3/0000_README index 108ad48..4ea0a4a 100644 --- a/3.14.3/0000_README +++ b/3.14.3/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.14.3-201405092337.patch +Patch: 4420_grsecurity-3.0-3.14.3-201405101947.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch b/3.14.3/4420_grsecurity-3.0-3.14.3-201405101947.patch index 4e0c19f..d17eca9 100644 --- a/3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch +++ b/3.14.3/4420_grsecurity-3.0-3.14.3-201405101947.patch @@ -6784,7 +6784,7 @@ index 44a1f79..2bd6aa3 100644 void __init gt641xx_irq_init(void) diff --git a/arch/mips/kernel/irq.c b/arch/mips/kernel/irq.c -index d1fea7a..45602ea 100644 +index d1fea7a..2e591b0 100644 --- a/arch/mips/kernel/irq.c +++ b/arch/mips/kernel/irq.c @@ -77,17 +77,17 @@ void ack_bad_irq(unsigned int irq) @@ -6808,6 +6808,25 @@ index d1fea7a..45602ea 100644 } void __init init_IRQ(void) +@@ -110,7 +110,10 @@ void __init init_IRQ(void) + #endif + } + ++ + #ifdef DEBUG_STACKOVERFLOW ++extern void gr_handle_kernel_exploit(void); ++ + static inline void check_stack_overflow(void) + { + unsigned long sp; +@@ -126,6 +129,7 @@ static inline void check_stack_overflow(void) + printk("do_IRQ: stack overflow: %ld\n", + sp - sizeof(struct thread_info)); + dump_stack(); ++ gr_handle_kernel_exploit(); + } + } + #else diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c index 6ae540e..b7396dc 100644 --- a/arch/mips/kernel/process.c @@ -8435,6 +8454,27 @@ index 38d5073..f00af8d 100644 mr r5,r3 addi r3,r1,STACK_FRAME_OVERHEAD lwz r4,_DAR(r1) +diff --git a/arch/powerpc/kernel/irq.c b/arch/powerpc/kernel/irq.c +index 1d0848b..d74685f 100644 +--- a/arch/powerpc/kernel/irq.c ++++ b/arch/powerpc/kernel/irq.c +@@ -447,6 +447,8 @@ void migrate_irqs(void) + } + #endif + ++extern void gr_handle_kernel_exploit(void); ++ + static inline void check_stack_overflow(void) + { + #ifdef CONFIG_DEBUG_STACKOVERFLOW +@@ -459,6 +461,7 @@ static inline void check_stack_overflow(void) + printk("do_IRQ: stack overflow: %ld\n", + sp - sizeof(struct thread_info)); + dump_stack(); ++ gr_handle_kernel_exploit(); + } + #endif + } diff --git a/arch/powerpc/kernel/module_32.c b/arch/powerpc/kernel/module_32.c index 6cff040..74ac5d1 100644 --- a/arch/powerpc/kernel/module_32.c @@ -21668,7 +21708,7 @@ index d9c12d3..7858b62 100644 if (__die(str, regs, err)) diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c -index f2a1770..540657f 100644 +index f2a1770..10fa52d 100644 --- a/arch/x86/kernel/dumpstack_32.c +++ b/arch/x86/kernel/dumpstack_32.c @@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs, @@ -21746,7 +21786,7 @@ index f2a1770..540657f 100644 return ud2 == 0x0b0f; } + -+#ifdef CONFIG_PAX_MEMORY_STACKLEAK ++#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY) +void pax_check_alloca(unsigned long size) +{ + unsigned long sp = (unsigned long)&sp, stack_left; @@ -21758,7 +21798,7 @@ index f2a1770..540657f 100644 +EXPORT_SYMBOL(pax_check_alloca); +#endif diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c -index addb207..99635fa 100644 +index addb207..921706b 100644 --- a/arch/x86/kernel/dumpstack_64.c +++ b/arch/x86/kernel/dumpstack_64.c @@ -119,9 +119,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs, @@ -21827,7 +21867,7 @@ index addb207..99635fa 100644 return ud2 == 0x0b0f; } + -+#ifdef CONFIG_PAX_MEMORY_STACKLEAK ++#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY) +void pax_check_alloca(unsigned long size) +{ + unsigned long sp = (unsigned long)&sp, stack_start, stack_end; @@ -24891,10 +24931,19 @@ index d99f31d..1c0f466 100644 } diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c -index d7fcbed..1f747f7 100644 +index d7fcbed..96e715a 100644 --- a/arch/x86/kernel/irq_32.c +++ b/arch/x86/kernel/irq_32.c -@@ -39,7 +39,7 @@ static int check_stack_overflow(void) +@@ -29,6 +29,8 @@ EXPORT_PER_CPU_SYMBOL(irq_regs); + + #ifdef CONFIG_DEBUG_STACKOVERFLOW + ++extern void gr_handle_kernel_exploit(void); ++ + int sysctl_panic_on_stackoverflow __read_mostly; + + /* Debugging check for stack overflow: is there less than 1KB free? */ +@@ -39,13 +41,14 @@ static int check_stack_overflow(void) __asm__ __volatile__("andl %%esp,%0" : "=r" (sp) : "0" (THREAD_SIZE - 1)); @@ -24903,7 +24952,14 @@ index d7fcbed..1f747f7 100644 } static void print_stack_overflow(void) -@@ -59,8 +59,8 @@ static inline void print_stack_overflow(void) { } + { + printk(KERN_WARNING "low stack detected by irq handler\n"); + dump_stack(); ++ gr_handle_kernel_exploit(); + if (sysctl_panic_on_stackoverflow) + panic("low stack detected by irq handler - check messages\n"); + } +@@ -59,8 +62,8 @@ static inline void print_stack_overflow(void) { } * per-CPU IRQ handling contexts (thread information and stack) */ union irq_ctx { @@ -24914,7 +24970,7 @@ index d7fcbed..1f747f7 100644 } __attribute__((aligned(THREAD_SIZE))); static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx); -@@ -80,10 +80,9 @@ static void call_on_stack(void *func, void *stack) +@@ -80,10 +83,9 @@ static void call_on_stack(void *func, void *stack) static inline int execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq) { @@ -24926,7 +24982,7 @@ index d7fcbed..1f747f7 100644 irqctx = __this_cpu_read(hardirq_ctx); /* -@@ -92,13 +91,16 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq) +@@ -92,13 +94,16 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq) * handler) we can't do that and just have to keep using the * current stack (which is the irq stack already after all) */ @@ -24947,7 +25003,7 @@ index d7fcbed..1f747f7 100644 if (unlikely(overflow)) call_on_stack(print_stack_overflow, isp); -@@ -110,6 +112,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq) +@@ -110,6 +115,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq) : "0" (irq), "1" (desc), "2" (isp), "D" (desc->handle_irq) : "memory", "cc", "ecx"); @@ -24959,7 +25015,7 @@ index d7fcbed..1f747f7 100644 return 1; } -@@ -118,48 +125,34 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq) +@@ -118,48 +128,34 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq) */ void irq_ctx_init(int cpu) { @@ -25021,7 +25077,7 @@ index d7fcbed..1f747f7 100644 } bool handle_irq(unsigned irq, struct pt_regs *regs) -@@ -173,7 +166,7 @@ bool handle_irq(unsigned irq, struct pt_regs *regs) +@@ -173,7 +169,7 @@ bool handle_irq(unsigned irq, struct pt_regs *regs) if (unlikely(!desc)) return false; @@ -25031,10 +25087,19 @@ index d7fcbed..1f747f7 100644 print_stack_overflow(); desc->handle_irq(irq, desc); diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c -index 4d1c746..232961d 100644 +index 4d1c746..55a22d6 100644 --- a/arch/x86/kernel/irq_64.c +++ b/arch/x86/kernel/irq_64.c -@@ -44,7 +44,7 @@ static inline void stack_overflow_check(struct pt_regs *regs) +@@ -26,6 +26,8 @@ EXPORT_PER_CPU_SYMBOL(irq_stat); + DEFINE_PER_CPU(struct pt_regs *, irq_regs); + EXPORT_PER_CPU_SYMBOL(irq_regs); + ++extern void gr_handle_kernel_exploit(void); ++ + int sysctl_panic_on_stackoverflow; + + /* +@@ -44,7 +46,7 @@ static inline void stack_overflow_check(struct pt_regs *regs) u64 estack_top, estack_bottom; u64 curbase = (u64)task_stack_page(current); @@ -25043,6 +25108,15 @@ index 4d1c746..232961d 100644 return; if (regs->sp >= curbase + sizeof(struct thread_info) + +@@ -69,6 +71,8 @@ static inline void stack_overflow_check(struct pt_regs *regs) + irq_stack_top, irq_stack_bottom, + estack_top, estack_bottom); + ++ gr_handle_kernel_exploit(); ++ + if (sysctl_panic_on_stackoverflow) + panic("low stack detected by irq handler - check messages\n"); + #endif diff --git a/arch/x86/kernel/jump_label.c b/arch/x86/kernel/jump_label.c index 26d5a55..a01160a 100644 --- a/arch/x86/kernel/jump_label.c @@ -58399,7 +58473,7 @@ index e4141f2..d8263e8 100644 i += packet_length_size; if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) diff --git a/fs/exec.c b/fs/exec.c -index 3d78fcc..5a38b6b 100644 +index 3d78fcc..460e2a0 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,8 +55,20 @@ @@ -58882,7 +58956,7 @@ index 3d78fcc..5a38b6b 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1626,3 +1800,295 @@ asmlinkage long compat_sys_execve(const char __user * filename, +@@ -1626,3 +1800,296 @@ asmlinkage long compat_sys_execve(const char __user * filename, return compat_do_execve(getname(filename), argv, envp); } #endif @@ -59099,6 +59173,7 @@ index 3d78fcc..5a38b6b 100644 +#endif + +#ifdef CONFIG_PAX_USERCOPY ++ +static inline bool check_kernel_text_object(unsigned long low, unsigned long high) +{ +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) @@ -64219,7 +64294,7 @@ index 87dbcbe..55e1b4d 100644 } diff --git a/fs/proc/stat.c b/fs/proc/stat.c -index 6f599c6..8f4644f 100644 +index 6f599c6..bd00271 100644 --- a/fs/proc/stat.c +++ b/fs/proc/stat.c @@ -11,6 +11,7 @@ @@ -64249,34 +64324,63 @@ index 6f599c6..8f4644f 100644 user = nice = system = idle = iowait = irq = softirq = steal = 0; -@@ -94,6 +107,7 @@ static int show_stat(struct seq_file *p, void *v) - getboottime(&boottime); - jif = boottime.tv_sec; - -+ if (unrestricted) { - for_each_possible_cpu(i) { - user += kcpustat_cpu(i).cpustat[CPUTIME_USER]; +@@ -99,23 +112,25 @@ static int show_stat(struct seq_file *p, void *v) nice += kcpustat_cpu(i).cpustat[CPUTIME_NICE]; -@@ -116,6 +130,7 @@ static int show_stat(struct seq_file *p, void *v) + system += kcpustat_cpu(i).cpustat[CPUTIME_SYSTEM]; + idle += get_idle_time(i); +- iowait += get_iowait_time(i); +- irq += kcpustat_cpu(i).cpustat[CPUTIME_IRQ]; +- softirq += kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ]; +- steal += kcpustat_cpu(i).cpustat[CPUTIME_STEAL]; +- guest += kcpustat_cpu(i).cpustat[CPUTIME_GUEST]; +- guest_nice += kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE]; +- sum += kstat_cpu_irqs_sum(i); +- sum += arch_irq_stat_cpu(i); ++ if (unrestricted) { ++ iowait += get_iowait_time(i); ++ irq += kcpustat_cpu(i).cpustat[CPUTIME_IRQ]; ++ softirq += kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ]; ++ steal += kcpustat_cpu(i).cpustat[CPUTIME_STEAL]; ++ guest += kcpustat_cpu(i).cpustat[CPUTIME_GUEST]; ++ guest_nice += kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE]; ++ sum += kstat_cpu_irqs_sum(i); ++ sum += arch_irq_stat_cpu(i); ++ for (j = 0; j < NR_SOFTIRQS; j++) { ++ unsigned int softirq_stat = kstat_softirqs_cpu(j, i); + +- for (j = 0; j < NR_SOFTIRQS; j++) { +- unsigned int softirq_stat = kstat_softirqs_cpu(j, i); +- +- per_softirq_sums[j] += softirq_stat; +- sum_softirq += softirq_stat; ++ per_softirq_sums[j] += softirq_stat; ++ sum_softirq += softirq_stat; ++ } } } - sum += arch_irq_stat(); -+ } +- sum += arch_irq_stat(); ++ if (unrestricted) ++ sum += arch_irq_stat(); seq_puts(p, "cpu "); seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user)); -@@ -131,6 +146,7 @@ static int show_stat(struct seq_file *p, void *v) - seq_putc(p, '\n'); - - for_each_online_cpu(i) { -+ if (unrestricted) { - /* Copy values here to work around gcc-2.95.3, gcc-2.96 */ - user = kcpustat_cpu(i).cpustat[CPUTIME_USER]; +@@ -136,12 +151,14 @@ static int show_stat(struct seq_file *p, void *v) nice = kcpustat_cpu(i).cpustat[CPUTIME_NICE]; -@@ -142,6 +158,7 @@ static int show_stat(struct seq_file *p, void *v) - steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL]; - guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST]; - guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE]; + system = kcpustat_cpu(i).cpustat[CPUTIME_SYSTEM]; + idle = get_idle_time(i); +- iowait = get_iowait_time(i); +- irq = kcpustat_cpu(i).cpustat[CPUTIME_IRQ]; +- softirq = kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ]; +- steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL]; +- guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST]; +- guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE]; ++ if (unrestricted) { ++ iowait = get_iowait_time(i); ++ irq = kcpustat_cpu(i).cpustat[CPUTIME_IRQ]; ++ softirq = kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ]; ++ steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL]; ++ guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST]; ++ guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE]; + } seq_printf(p, "cpu%d", i); seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user)); @@ -82480,16 +82584,26 @@ index 387fa7d..3fcde6b 100644 #ifdef CONFIG_MAGIC_SYSRQ diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h -index fddbe20..0312de8 100644 +index fddbe20..e4cce53 100644 --- a/include/linux/thread_info.h +++ b/include/linux/thread_info.h -@@ -161,6 +161,15 @@ static inline bool test_and_clear_restore_sigmask(void) +@@ -161,6 +161,25 @@ static inline bool test_and_clear_restore_sigmask(void) #error "no set_restore_sigmask() provided and default one won't work" #endif +extern void __check_object_size(const void *ptr, unsigned long n, bool to_user); ++ ++#if defined(CONFIG_X86) && defined(CONFIG_PAX_USERCOPY) ++extern void pax_check_alloca(unsigned long size); ++#endif ++ +static inline void check_object_size(const void *ptr, unsigned long n, bool to_user) +{ ++#if defined(CONFIG_X86) && defined(CONFIG_PAX_USERCOPY) ++ /* always check if we've overflowed the stack in a copy*user */ ++ pax_check_alloca(sizeof(unsigned long)); ++#endif ++ +#ifndef CONFIG_PAX_USERCOPY_DEBUG + if (!__builtin_constant_p(n)) +#endif @@ -103516,10 +103630,10 @@ index 8fac3fd..32ff38d 100644 unsigned int secindex_strings; diff --git a/security/Kconfig b/security/Kconfig -index beb86b5..1ea5a01 100644 +index beb86b5..55198cd 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,960 @@ +@@ -4,6 +4,961 @@ menu "Security options" @@ -103556,6 +103670,7 @@ index beb86b5..1ea5a01 100644 + select TTY + select DEBUG_KERNEL + select DEBUG_LIST ++ select DEBUG_STACKOVERFLOW if HAVE_DEBUG_STACKOVERFLOW + help + If you say Y here, you will be able to configure many features + that will enhance the security of your system. It is highly @@ -104480,7 +104595,7 @@ index beb86b5..1ea5a01 100644 source security/keys/Kconfig config SECURITY_DMESG_RESTRICT -@@ -103,7 +1057,7 @@ config INTEL_TXT +@@ -103,7 +1058,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX |