Diffstat (limited to '3.14.3')
-rw-r--r--3.14.3/0000_README2
-rw-r--r--3.14.3/4420_grsecurity-3.0-3.14.3-201405101947.patch (renamed from 3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch)203
2 files changed, 160 insertions, 45 deletions
diff --git a/3.14.3/0000_README b/3.14.3/0000_README
index 108ad48..4ea0a4a 100644
--- a/3.14.3/0000_README
+++ b/3.14.3/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.14.3-201405092337.patch
+Patch: 4420_grsecurity-3.0-3.14.3-201405101947.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch b/3.14.3/4420_grsecurity-3.0-3.14.3-201405101947.patch
index 4e0c19f..d17eca9 100644
--- a/3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch
+++ b/3.14.3/4420_grsecurity-3.0-3.14.3-201405101947.patch
@@ -6784,7 +6784,7 @@ index 44a1f79..2bd6aa3 100644
void __init gt641xx_irq_init(void)
diff --git a/arch/mips/kernel/irq.c b/arch/mips/kernel/irq.c
-index d1fea7a..45602ea 100644
+index d1fea7a..2e591b0 100644
--- a/arch/mips/kernel/irq.c
+++ b/arch/mips/kernel/irq.c
@@ -77,17 +77,17 @@ void ack_bad_irq(unsigned int irq)
@@ -6808,6 +6808,25 @@ index d1fea7a..45602ea 100644
}
void __init init_IRQ(void)
+@@ -110,7 +110,10 @@ void __init init_IRQ(void)
+ #endif
+ }
+
++
+ #ifdef DEBUG_STACKOVERFLOW
++extern void gr_handle_kernel_exploit(void);
++
+ static inline void check_stack_overflow(void)
+ {
+ unsigned long sp;
+@@ -126,6 +129,7 @@ static inline void check_stack_overflow(void)
+ printk("do_IRQ: stack overflow: %ld\n",
+ sp - sizeof(struct thread_info));
+ dump_stack();
++ gr_handle_kernel_exploit();
+ }
+ }
+ #else
diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
index 6ae540e..b7396dc 100644
--- a/arch/mips/kernel/process.c
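Review bot: The added `gr_handle_kernel_exploit();` call in arch/mips/kernel/irq.c sits under `#ifdef DEBUG_STACKOVERFLOW`, without the `CONFIG_` prefix that the powerpc and x86 hunks use. The `select DEBUG_STACKOVERFLOW if HAVE_DEBUG_STACKOVERFLOW` added to security/Kconfig would therefore not enable it on MIPS unless that macro is defined somewhere not shown on this page. If it is not, the MIPS stack-overflow response is never compiled in, and the guard should read `#ifdef CONFIG_DEBUG_STACKOVERFLOW`. The `#else` branch of this block continues outside the hunk, so any matching guard there would need the same check.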
@@ -8435,6 +8454,27 @@ index 38d5073..f00af8d 100644
mr r5,r3
addi r3,r1,STACK_FRAME_OVERHEAD
lwz r4,_DAR(r1)
+diff --git a/arch/powerpc/kernel/irq.c b/arch/powerpc/kernel/irq.c
+index 1d0848b..d74685f 100644
+--- a/arch/powerpc/kernel/irq.c
++++ b/arch/powerpc/kernel/irq.c
+@@ -447,6 +447,8 @@ void migrate_irqs(void)
+ }
+ #endif
+
++extern void gr_handle_kernel_exploit(void);
++
+ static inline void check_stack_overflow(void)
+ {
+ #ifdef CONFIG_DEBUG_STACKOVERFLOW
+@@ -459,6 +461,7 @@ static inline void check_stack_overflow(void)
+ printk("do_IRQ: stack overflow: %ld\n",
+ sp - sizeof(struct thread_info));
+ dump_stack();
++ gr_handle_kernel_exploit();
+ }
+ #endif
+ }
diff --git a/arch/powerpc/kernel/module_32.c b/arch/powerpc/kernel/module_32.c
index 6cff040..74ac5d1 100644
--- a/arch/powerpc/kernel/module_32.c
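Review bot: `extern void gr_handle_kernel_exploit(void);` is declared locally in this .c file, and the same line is repeated in the arch/mips/kernel/irq.c, arch/x86/kernel/irq_32.c and arch/x86/kernel/irq_64.c hunks. Four private prototypes can drift from the definition without the compiler noticing. A single declaration in a shared header included by all four files would keep every caller checked against it. Here the prototype is also placed outside `#ifdef CONFIG_DEBUG_STACKOVERFLOW` while its only visible use is inside that guard, which is harmless but inconsistent with the mips and irq_32.c placement.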
@@ -21668,7 +21708,7 @@ index d9c12d3..7858b62 100644
if (__die(str, regs, err))
diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c
-index f2a1770..540657f 100644
+index f2a1770..10fa52d 100644
--- a/arch/x86/kernel/dumpstack_32.c
+++ b/arch/x86/kernel/dumpstack_32.c
@@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
@@ -21746,7 +21786,7 @@ index f2a1770..540657f 100644
return ud2 == 0x0b0f;
}
+
-+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
++#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
+void pax_check_alloca(unsigned long size)
+{
+ unsigned long sp = (unsigned long)&sp, stack_left;
@@ -21758,7 +21798,7 @@ index f2a1770..540657f 100644
+EXPORT_SYMBOL(pax_check_alloca);
+#endif
diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
-index addb207..99635fa 100644
+index addb207..921706b 100644
--- a/arch/x86/kernel/dumpstack_64.c
+++ b/arch/x86/kernel/dumpstack_64.c
@@ -119,9 +119,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
@@ -21827,7 +21867,7 @@ index addb207..99635fa 100644
return ud2 == 0x0b0f;
}
+
-+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
++#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
+void pax_check_alloca(unsigned long size)
+{
+ unsigned long sp = (unsigned long)&sp, stack_start, stack_end;
@@ -24891,10 +24931,19 @@ index d99f31d..1c0f466 100644
}
diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c
-index d7fcbed..1f747f7 100644
+index d7fcbed..96e715a 100644
--- a/arch/x86/kernel/irq_32.c
+++ b/arch/x86/kernel/irq_32.c
-@@ -39,7 +39,7 @@ static int check_stack_overflow(void)
+@@ -29,6 +29,8 @@ EXPORT_PER_CPU_SYMBOL(irq_regs);
+
+ #ifdef CONFIG_DEBUG_STACKOVERFLOW
+
++extern void gr_handle_kernel_exploit(void);
++
+ int sysctl_panic_on_stackoverflow __read_mostly;
+
+ /* Debugging check for stack overflow: is there less than 1KB free? */
+@@ -39,13 +41,14 @@ static int check_stack_overflow(void)
__asm__ __volatile__("andl %%esp,%0" :
"=r" (sp) : "0" (THREAD_SIZE - 1));
@@ -24903,7 +24952,14 @@ index d7fcbed..1f747f7 100644
}
static void print_stack_overflow(void)
-@@ -59,8 +59,8 @@ static inline void print_stack_overflow(void) { }
+ {
+ printk(KERN_WARNING "low stack detected by irq handler\n");
+ dump_stack();
++ gr_handle_kernel_exploit();
+ if (sysctl_panic_on_stackoverflow)
+ panic("low stack detected by irq handler - check messages\n");
+ }
+@@ -59,8 +62,8 @@ static inline void print_stack_overflow(void) { }
* per-CPU IRQ handling contexts (thread information and stack)
*/
union irq_ctx {
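Review bot: In print_stack_overflow() the new `gr_handle_kernel_exploit();` fires on what the comment above check_stack_overflow() calls a debugging check ("is there less than 1KB free?"), so a deep but legitimate call chain interrupted at the wrong moment would be treated like an exploit attempt. The handler's body is not on this page; if it can terminate tasks or fail to return, that is an availability risk, and the `sysctl_panic_on_stackoverflow` panic right after it may never be reached. A comment above the call should state what it does to the interrupted task and why it precedes the panic, for example `/* treat low stack as a possible overflow attack; may not return */` once that is confirmed. The same ordering appears in the stack_overflow_check() hunk of arch/x86/kernel/irq_64.c.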
@@ -24914,7 +24970,7 @@ index d7fcbed..1f747f7 100644
} __attribute__((aligned(THREAD_SIZE)));
static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
-@@ -80,10 +80,9 @@ static void call_on_stack(void *func, void *stack)
+@@ -80,10 +83,9 @@ static void call_on_stack(void *func, void *stack)
static inline int
execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
{
@@ -24926,7 +24982,7 @@ index d7fcbed..1f747f7 100644
irqctx = __this_cpu_read(hardirq_ctx);
/*
-@@ -92,13 +91,16 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
+@@ -92,13 +94,16 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
* handler) we can't do that and just have to keep using the
* current stack (which is the irq stack already after all)
*/
@@ -24947,7 +25003,7 @@ index d7fcbed..1f747f7 100644
if (unlikely(overflow))
call_on_stack(print_stack_overflow, isp);
-@@ -110,6 +112,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
+@@ -110,6 +115,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
: "0" (irq), "1" (desc), "2" (isp),
"D" (desc->handle_irq)
: "memory", "cc", "ecx");
@@ -24959,7 +25015,7 @@ index d7fcbed..1f747f7 100644
return 1;
}
-@@ -118,48 +125,34 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
+@@ -118,48 +128,34 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
*/
void irq_ctx_init(int cpu)
{
@@ -25021,7 +25077,7 @@ index d7fcbed..1f747f7 100644
}
bool handle_irq(unsigned irq, struct pt_regs *regs)
-@@ -173,7 +166,7 @@ bool handle_irq(unsigned irq, struct pt_regs *regs)
+@@ -173,7 +169,7 @@ bool handle_irq(unsigned irq, struct pt_regs *regs)
if (unlikely(!desc))
return false;
@@ -25031,10 +25087,19 @@ index d7fcbed..1f747f7 100644
print_stack_overflow();
desc->handle_irq(irq, desc);
diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
-index 4d1c746..232961d 100644
+index 4d1c746..55a22d6 100644
--- a/arch/x86/kernel/irq_64.c
+++ b/arch/x86/kernel/irq_64.c
-@@ -44,7 +44,7 @@ static inline void stack_overflow_check(struct pt_regs *regs)
+@@ -26,6 +26,8 @@ EXPORT_PER_CPU_SYMBOL(irq_stat);
+ DEFINE_PER_CPU(struct pt_regs *, irq_regs);
+ EXPORT_PER_CPU_SYMBOL(irq_regs);
+
++extern void gr_handle_kernel_exploit(void);
++
+ int sysctl_panic_on_stackoverflow;
+
+ /*
+@@ -44,7 +46,7 @@ static inline void stack_overflow_check(struct pt_regs *regs)
u64 estack_top, estack_bottom;
u64 curbase = (u64)task_stack_page(current);
@@ -25043,6 +25108,15 @@ index 4d1c746..232961d 100644
return;
if (regs->sp >= curbase + sizeof(struct thread_info) +
+@@ -69,6 +71,8 @@ static inline void stack_overflow_check(struct pt_regs *regs)
+ irq_stack_top, irq_stack_bottom,
+ estack_top, estack_bottom);
+
++ gr_handle_kernel_exploit();
++
+ if (sysctl_panic_on_stackoverflow)
+ panic("low stack detected by irq handler - check messages\n");
+ #endif
diff --git a/arch/x86/kernel/jump_label.c b/arch/x86/kernel/jump_label.c
index 26d5a55..a01160a 100644
--- a/arch/x86/kernel/jump_label.c
@@ -58399,7 +58473,7 @@ index e4141f2..d8263e8 100644
i += packet_length_size;
if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
diff --git a/fs/exec.c b/fs/exec.c
-index 3d78fcc..5a38b6b 100644
+index 3d78fcc..460e2a0 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,8 +55,20 @@
@@ -58882,7 +58956,7 @@ index 3d78fcc..5a38b6b 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1626,3 +1800,295 @@ asmlinkage long compat_sys_execve(const char __user * filename,
+@@ -1626,3 +1800,296 @@ asmlinkage long compat_sys_execve(const char __user * filename,
return compat_do_execve(getname(filename), argv, envp);
}
#endif
@@ -59099,6 +59173,7 @@ index 3d78fcc..5a38b6b 100644
+#endif
+
+#ifdef CONFIG_PAX_USERCOPY
++
+static inline bool check_kernel_text_object(unsigned long low, unsigned long high)
+{
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
@@ -64219,7 +64294,7 @@ index 87dbcbe..55e1b4d 100644
}
diff --git a/fs/proc/stat.c b/fs/proc/stat.c
-index 6f599c6..8f4644f 100644
+index 6f599c6..bd00271 100644
--- a/fs/proc/stat.c
+++ b/fs/proc/stat.c
@@ -11,6 +11,7 @@
@@ -64249,34 +64324,63 @@ index 6f599c6..8f4644f 100644
user = nice = system = idle = iowait =
irq = softirq = steal = 0;
-@@ -94,6 +107,7 @@ static int show_stat(struct seq_file *p, void *v)
- getboottime(&boottime);
- jif = boottime.tv_sec;
-
-+ if (unrestricted) {
- for_each_possible_cpu(i) {
- user += kcpustat_cpu(i).cpustat[CPUTIME_USER];
+@@ -99,23 +112,25 @@ static int show_stat(struct seq_file *p, void *v)
nice += kcpustat_cpu(i).cpustat[CPUTIME_NICE];
-@@ -116,6 +130,7 @@ static int show_stat(struct seq_file *p, void *v)
+ system += kcpustat_cpu(i).cpustat[CPUTIME_SYSTEM];
+ idle += get_idle_time(i);
+- iowait += get_iowait_time(i);
+- irq += kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
+- softirq += kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
+- steal += kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
+- guest += kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
+- guest_nice += kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
+- sum += kstat_cpu_irqs_sum(i);
+- sum += arch_irq_stat_cpu(i);
++ if (unrestricted) {
++ iowait += get_iowait_time(i);
++ irq += kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
++ softirq += kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
++ steal += kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
++ guest += kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
++ guest_nice += kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
++ sum += kstat_cpu_irqs_sum(i);
++ sum += arch_irq_stat_cpu(i);
++ for (j = 0; j < NR_SOFTIRQS; j++) {
++ unsigned int softirq_stat = kstat_softirqs_cpu(j, i);
+
+- for (j = 0; j < NR_SOFTIRQS; j++) {
+- unsigned int softirq_stat = kstat_softirqs_cpu(j, i);
+-
+- per_softirq_sums[j] += softirq_stat;
+- sum_softirq += softirq_stat;
++ per_softirq_sums[j] += softirq_stat;
++ sum_softirq += softirq_stat;
++ }
}
}
- sum += arch_irq_stat();
-+ }
+- sum += arch_irq_stat();
++ if (unrestricted)
++ sum += arch_irq_stat();
seq_puts(p, "cpu ");
seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user));
-@@ -131,6 +146,7 @@ static int show_stat(struct seq_file *p, void *v)
- seq_putc(p, '\n');
-
- for_each_online_cpu(i) {
-+ if (unrestricted) {
- /* Copy values here to work around gcc-2.95.3, gcc-2.96 */
- user = kcpustat_cpu(i).cpustat[CPUTIME_USER];
+@@ -136,12 +151,14 @@ static int show_stat(struct seq_file *p, void *v)
nice = kcpustat_cpu(i).cpustat[CPUTIME_NICE];
-@@ -142,6 +158,7 @@ static int show_stat(struct seq_file *p, void *v)
- steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
- guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
- guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
+ system = kcpustat_cpu(i).cpustat[CPUTIME_SYSTEM];
+ idle = get_idle_time(i);
+- iowait = get_iowait_time(i);
+- irq = kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
+- softirq = kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
+- steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
+- guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
+- guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
++ if (unrestricted) {
++ iowait = get_iowait_time(i);
++ irq = kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
++ softirq = kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
++ steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
++ guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
++ guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
+ }
seq_printf(p, "cpu%d", i);
seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user));
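Review bot: Nothing in this hunk explains why user, nice, system and idle are now accumulated for every reader while iowait, irq, softirq, steal, guest, guest_nice and the interrupt sums are filled only under `if (unrestricted)`. I would add a comment at each guard, such as `/* I/O- and interrupt-derived counters are reported only to unrestricted readers */`. In the per-CPU loop the guarded fields are simply not assigned for a restricted reader, so the output depends on the values they held before the loop. The zero initialisation visible above covers iowait, irq, softirq and steal, but the one for guest and guest_nice is not visible here and should be confirmed. show_stat() starts and ends outside the hunk.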
@@ -82480,16 +82584,26 @@ index 387fa7d..3fcde6b 100644
#ifdef CONFIG_MAGIC_SYSRQ
diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
-index fddbe20..0312de8 100644
+index fddbe20..e4cce53 100644
--- a/include/linux/thread_info.h
+++ b/include/linux/thread_info.h
-@@ -161,6 +161,15 @@ static inline bool test_and_clear_restore_sigmask(void)
+@@ -161,6 +161,25 @@ static inline bool test_and_clear_restore_sigmask(void)
#error "no set_restore_sigmask() provided and default one won't work"
#endif
+extern void __check_object_size(const void *ptr, unsigned long n, bool to_user);
++
++#if defined(CONFIG_X86) && defined(CONFIG_PAX_USERCOPY)
++extern void pax_check_alloca(unsigned long size);
++#endif
++
+static inline void check_object_size(const void *ptr, unsigned long n, bool to_user)
+{
++#if defined(CONFIG_X86) && defined(CONFIG_PAX_USERCOPY)
++ /* always check if we've overflowed the stack in a copy*user */
++ pax_check_alloca(sizeof(unsigned long));
++#endif
++
+#ifndef CONFIG_PAX_USERCOPY_DEBUG
+ if (!__builtin_constant_p(n))
+#endif
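Review bot: The comment `/* always check if we've overflowed the stack in a copy*user */` overstates the coverage, because the `pax_check_alloca(sizeof(unsigned long));` call is compiled only under `defined(CONFIG_X86) && defined(CONFIG_PAX_USERCOPY)`. Other architectures get no stack check from check_object_size(). The comment also does not say why the argument is `sizeof(unsigned long)` rather than `n`. I would reword it to something like `/* x86 only: probe the remaining kernel stack before every copy*user, independent of n */`, assuming that is the intent. The rest of check_object_size() lies outside the hunk.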
@@ -103516,10 +103630,10 @@ index 8fac3fd..32ff38d 100644
unsigned int secindex_strings;
diff --git a/security/Kconfig b/security/Kconfig
-index beb86b5..1ea5a01 100644
+index beb86b5..55198cd 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,960 @@
+@@ -4,6 +4,961 @@
menu "Security options"
@@ -103556,6 +103670,7 @@ index beb86b5..1ea5a01 100644
+ select TTY
+ select DEBUG_KERNEL
+ select DEBUG_LIST
++ select DEBUG_STACKOVERFLOW if HAVE_DEBUG_STACKOVERFLOW
+ help
+ If you say Y here, you will be able to configure many features
+ that will enhance the security of your system. It is highly
@@ -104480,7 +104595,7 @@ index beb86b5..1ea5a01 100644
source security/keys/Kconfig
config SECURITY_DMESG_RESTRICT
-@@ -103,7 +1057,7 @@ config INTEL_TXT
+@@ -103,7 +1058,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX