diff options
| -rw-r--r-- | 4.8.17/0000_README | 2 | ||||
| -rw-r--r-- | 4.8.17/4420_grsecurity-3.1-4.8.17-201701151620.patch (renamed from 4.8.17/4420_grsecurity-3.1-4.8.17-201701121950.patch) | 198 | ||||
| -rw-r--r-- | 4.8.17/4427_force_XATTR_PAX_tmpfs.patch | 2 | ||||
| -rw-r--r-- | 4.8.17/4475_emutramp_default_on.patch | 4 |
4 files changed, 133 insertions, 73 deletions
diff --git a/4.8.17/0000_README b/4.8.17/0000_README index a2e828f..96fd06a 100644 --- a/4.8.17/0000_README +++ b/4.8.17/0000_README @@ -6,7 +6,7 @@ Patch: 1016_linux-4.8.17.patch From: http://www.kernel.org Desc: Linux 4.8.17 -Patch: 4420_grsecurity-3.1-4.8.17-201701121950.patch +Patch: 4420_grsecurity-3.1-4.8.17-201701151620.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.8.17/4420_grsecurity-3.1-4.8.17-201701121950.patch b/4.8.17/4420_grsecurity-3.1-4.8.17-201701151620.patch index 07572d7..147c250 100644 --- a/4.8.17/4420_grsecurity-3.1-4.8.17-201701121950.patch +++ b/4.8.17/4420_grsecurity-3.1-4.8.17-201701151620.patch @@ -152755,7 +152755,7 @@ index 19e796d..9c8fa80 100644 /* * free pages are specially detected outside this table: diff --git a/mm/memory.c b/mm/memory.c -index 793fe0f..6e94a87 100644 +index 793fe0f..9e24e98 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -427,6 +427,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, @@ -153209,7 +153209,32 @@ index 793fe0f..6e94a87 100644 /* no need to invalidate: a not-present page won't be cached */ update_mmu_cache(vma, fe->address, fe->pte); -@@ -3552,6 +3763,11 @@ static int handle_pte_fault(struct fault_env *fe) +@@ -3226,6 +3437,11 @@ static int do_cow_fault(struct fault_env *fe, pgoff_t pgoff) + copy_user_highpage(new_page, fault_page, fe->address, vma); + __SetPageUptodate(new_page); + ++#ifdef CONFIG_PAX_SEGMEXEC ++ if (pax_find_mirror_vma(vma)) ++ BUG_ON(!trylock_page(new_page)); ++#endif ++ + ret |= alloc_set_pte(fe, memcg, new_page); + if (fe->pte) + pte_unmap_unlock(fe->pte, fe->ptl); +@@ -3235,6 +3451,12 @@ static int do_cow_fault(struct fault_env *fe, pgoff_t pgoff) + } else { + dax_unlock_mapping_entry(vma->vm_file->f_mapping, pgoff); + } ++ ++#ifdef CONFIG_PAX_SEGMEXEC ++ if (pax_find_mirror_vma(vma)) ++ unlock_page(new_page); ++#endif ++ + if (unlikely(ret & (VM_FAULT_ERROR | VM_FAULT_NOPAGE | VM_FAULT_RETRY))) + goto uncharge_out; + return ret; +@@ -3552,6 +3774,11 @@ static int handle_pte_fault(struct fault_env *fe) if (fe->flags & FAULT_FLAG_WRITE) flush_tlb_fix_spurious_fault(fe->vma, fe->address); } @@ -153221,7 +153246,7 @@ index 793fe0f..6e94a87 100644 unlock: pte_unmap_unlock(fe->pte, fe->ptl); return 0; -@@ -3575,14 +3791,49 @@ static int __handle_mm_fault(struct vm_area_struct *vma, unsigned long address, +@@ -3575,14 +3802,49 @@ static int __handle_mm_fault(struct vm_area_struct *vma, unsigned long address, pgd_t *pgd; pud_t *pud; @@ -153275,7 +153300,7 @@ index 793fe0f..6e94a87 100644 int ret = create_huge_pmd(&fe); if (!(ret & VM_FAULT_FALLBACK)) return ret; -@@ -3592,7 +3843,7 @@ static int __handle_mm_fault(struct vm_area_struct *vma, unsigned long address, +@@ -3592,7 +3854,7 @@ static int __handle_mm_fault(struct vm_area_struct *vma, unsigned long address, barrier(); if (pmd_trans_huge(orig_pmd) || pmd_devmap(orig_pmd)) { @@ -153284,7 +153309,7 @@ index 793fe0f..6e94a87 100644 return do_huge_pmd_numa_page(&fe, orig_pmd); if ((fe.flags & FAULT_FLAG_WRITE) && -@@ -3667,7 +3918,7 @@ EXPORT_SYMBOL_GPL(handle_mm_fault); +@@ -3667,7 +3929,7 @@ EXPORT_SYMBOL_GPL(handle_mm_fault); * Allocate page upper directory. * We've already handled the fast-path in-line. */ @@ -153293,7 +153318,7 @@ index 793fe0f..6e94a87 100644 { pud_t *new = pud_alloc_one(mm, address); if (!new) -@@ -3678,11 +3929,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) +@@ -3678,11 +3940,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) spin_lock(&mm->page_table_lock); if (pgd_present(*pgd)) /* Another has populated it */ pud_free(mm, new); @@ -153317,7 +153342,7 @@ index 793fe0f..6e94a87 100644 #endif /* __PAGETABLE_PUD_FOLDED */ #ifndef __PAGETABLE_PMD_FOLDED -@@ -3690,7 +3953,7 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) +@@ -3690,7 +3964,7 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) * Allocate page middle directory. * We've already handled the fast-path in-line. */ @@ -153326,7 +153351,7 @@ index 793fe0f..6e94a87 100644 { pmd_t *new = pmd_alloc_one(mm, address); if (!new) -@@ -3702,19 +3965,35 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) +@@ -3702,19 +3976,35 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) #ifndef __ARCH_HAS_4LEVEL_HACK if (!pud_present(*pud)) { mm_inc_nr_pmds(mm); @@ -153364,7 +153389,7 @@ index 793fe0f..6e94a87 100644 #endif /* __PAGETABLE_PMD_FOLDED */ static int __follow_pte(struct mm_struct *mm, unsigned long address, -@@ -3824,8 +4103,8 @@ out: +@@ -3824,8 +4114,8 @@ out: return ret; } @@ -153375,7 +153400,7 @@ index 793fe0f..6e94a87 100644 { resource_size_t phys_addr; unsigned long prot = 0; -@@ -3851,8 +4130,8 @@ EXPORT_SYMBOL_GPL(generic_access_phys); +@@ -3851,8 +4141,8 @@ EXPORT_SYMBOL_GPL(generic_access_phys); * Access another process' address space as given in mm. If non-NULL, use the * given task for page fault accounting. */ @@ -153386,7 +153411,7 @@ index 793fe0f..6e94a87 100644 { struct vm_area_struct *vma; void *old_buf = buf; -@@ -3860,7 +4139,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, +@@ -3860,7 +4150,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, down_read(&mm->mmap_sem); /* ignore errors, just check how much was successfully transferred */ while (len) { @@ -153395,7 +153420,7 @@ index 793fe0f..6e94a87 100644 void *maddr; struct page *page = NULL; -@@ -3921,8 +4200,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, +@@ -3921,8 +4211,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, * * The caller must hold a reference on @mm. */ @@ -153406,7 +153431,7 @@ index 793fe0f..6e94a87 100644 { return __access_remote_vm(NULL, mm, addr, buf, len, write); } -@@ -3932,11 +4211,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr, +@@ -3932,11 +4222,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr, * Source/target buffer must be kernel space, * Do not walk the page table directly, use get_user_pages */ @@ -168783,7 +168808,7 @@ index 8b29dc1..ec1516e 100644 diff --git a/scripts/gcc-plugins/checker_plugin.c b/scripts/gcc-plugins/checker_plugin.c new file mode 100644 -index 0000000..0cd5656 +index 0000000..27fed8d --- /dev/null +++ b/scripts/gcc-plugins/checker_plugin.c @@ -0,0 +1,491 @@ @@ -169264,7 +169289,7 @@ index 0000000..0cd5656 + enable_context = true; + continue; + } -+ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); ++ error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); + } + + if (enable_user) @@ -169280,7 +169305,7 @@ index 0000000..0cd5656 +} diff --git a/scripts/gcc-plugins/colorize_plugin.c b/scripts/gcc-plugins/colorize_plugin.c new file mode 100644 -index 0000000..e6a0d72 +index 0000000..a229d00 --- /dev/null +++ b/scripts/gcc-plugins/colorize_plugin.c @@ -0,0 +1,158 @@ @@ -169432,7 +169457,7 @@ index 0000000..e6a0d72 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value); + continue; + } -+ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); ++ error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); + } + + if (colorize) { @@ -169444,7 +169469,7 @@ index 0000000..e6a0d72 +} diff --git a/scripts/gcc-plugins/constify_plugin.c b/scripts/gcc-plugins/constify_plugin.c new file mode 100644 -index 0000000..e9051b5 +index 0000000..3cd0652 --- /dev/null +++ b/scripts/gcc-plugins/constify_plugin.c @@ -0,0 +1,577 @@ @@ -170006,7 +170031,7 @@ index 0000000..e9051b5 + enabled = false; + continue; + } -+ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); ++ error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); + } + + if (strncmp(lang_hooks.name, "GNU C", 5) && !strncmp(lang_hooks.name, "GNU C+", 6)) { @@ -170488,10 +170513,10 @@ index 0000000..7514850 +fi diff --git a/scripts/gcc-plugins/initify_plugin.c b/scripts/gcc-plugins/initify_plugin.c new file mode 100644 -index 0000000..07af312 +index 0000000..0fa1d7f --- /dev/null +++ b/scripts/gcc-plugins/initify_plugin.c -@@ -0,0 +1,1805 @@ +@@ -0,0 +1,1831 @@ +/* + * Copyright 2015-2017 by Emese Revfy <re.emese@gmail.com> + * Licensed under the GPL v2 @@ -170541,7 +170566,7 @@ index 0000000..07af312 +__visible int plugin_is_GPL_compatible; + +static struct plugin_info initify_plugin_info = { -+ .version = "20161208", ++ .version = "20170112", + .help = "disable\tturn off the initify plugin\n" + "verbose\tprint all initified strings and all" + " functions which should be __init/__exit\n" @@ -172013,14 +172038,46 @@ index 0000000..07af312 + } +} + ++static bool has_non_init_caller(struct cgraph_node *callee) ++{ ++ struct cgraph_edge *e = callee->callers; ++ ++ if (!e) ++ return true; ++ ++ for (; e; e = e->next_caller) { ++ enum section_type caller_section; ++ struct cgraph_node *caller = e->caller; ++ ++ caller_section = get_init_exit_section(NODE_DECL(caller)); ++ if (caller_section == NONE && NODE_SYMBOL(caller)->aux == (void *)NONE) ++ return true; ++ } ++ ++ return false; ++} ++ ++static void has_non_init_clone(struct cgraph_node *node, bool *has_non_init) ++{ ++ if (*has_non_init) ++ return; ++ ++ if (has_non_init_caller(node)) ++ *has_non_init = true; ++ ++ if (node->clones) ++ has_non_init_clone(node->clones, has_non_init); ++ if (node->clone_of) ++ has_non_init_clone(node->clone_of, has_non_init); ++} ++ +/* + * If the function is called by only __init/__exit functions then it can become + * an __init/__exit function as well. + */ +static bool should_init_exit(struct cgraph_node *callee) +{ -+ struct cgraph_edge *e; -+ bool only_init_callers; ++ bool has_non_init; + const_tree callee_decl = NODE_DECL(callee); + + if (NODE_SYMBOL(callee)->aux != (void *)NONE) @@ -172035,39 +172092,33 @@ index 0000000..07af312 + if (NODE_SYMBOL(callee)->address_taken) + return false; + -+ e = callee->callers; -+ if (!e) -+ return false; -+ -+ only_init_callers = true; -+ for (; e; e = e->next_caller) { -+ enum section_type caller_section; -+ struct cgraph_node *caller = e->caller; -+ -+ caller_section = get_init_exit_section(NODE_DECL(caller)); -+ if (caller_section == NONE && NODE_SYMBOL(caller)->aux == (void *)NONE) -+ only_init_callers = false; -+ } -+ -+ return only_init_callers; ++ has_non_init = false; ++ has_non_init_clone(callee, &has_non_init); ++ return !has_non_init; +} + -+static bool inherit_section(struct cgraph_node *callee, struct cgraph_node *caller, enum section_type curfn_section) ++static bool inherit_section(struct cgraph_node *callee, struct cgraph_node *caller, enum section_type caller_section) +{ -+ if (curfn_section == NONE) -+ curfn_section = (enum section_type)(unsigned long)NODE_SYMBOL(caller)->aux; ++ enum section_type callee_section; ++ ++ if (caller_section == NONE) ++ caller_section = (enum section_type)(unsigned long)NODE_SYMBOL(caller)->aux; ++ ++ callee_section = (enum section_type)(unsigned long)NODE_SYMBOL(callee)->aux; ++ if (caller_section == INIT && callee_section == EXIT) ++ goto both_section; + -+ if (curfn_section == INIT && NODE_SYMBOL(callee)->aux == (void *)EXIT) ++ if (caller_section == EXIT && callee_section == INIT) + goto both_section; + -+ if (curfn_section == EXIT && NODE_SYMBOL(callee)->aux == (void *)INIT) ++ if (caller_section == BOTH && (callee_section == INIT || callee_section == EXIT)) + goto both_section; + + if (!should_init_exit(callee)) + return false; + -+ gcc_assert(NODE_SYMBOL(callee)->aux == (void *)NONE); -+ NODE_SYMBOL(callee)->aux = (void *)curfn_section; ++ gcc_assert(callee_section == NONE); ++ NODE_SYMBOL(callee)->aux = (void *)caller_section; + return true; + +both_section: @@ -172285,7 +172336,7 @@ index 0000000..07af312 + continue; + } + -+ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); ++ error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); + } + + register_callback(plugin_name, PLUGIN_INFO, NULL, &initify_plugin_info); @@ -172436,7 +172487,7 @@ index 0000000..0a9214d +} diff --git a/scripts/gcc-plugins/kernexec_plugin.c b/scripts/gcc-plugins/kernexec_plugin.c new file mode 100644 -index 0000000..9ac2ebb +index 0000000..1a35a0c --- /dev/null +++ b/scripts/gcc-plugins/kernexec_plugin.c @@ -0,0 +1,393 @@ @@ -172821,7 +172872,7 @@ index 0000000..9ac2ebb + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value); + continue; + } -+ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); ++ error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); + } + if (!kernexec_instrument_fptr || !kernexec_instrument_retaddr) + error(G_("no instrumentation method was selected via '-fplugin-arg-%s-method'"), plugin_name); @@ -172835,7 +172886,7 @@ index 0000000..9ac2ebb +} diff --git a/scripts/gcc-plugins/latent_entropy_plugin.c b/scripts/gcc-plugins/latent_entropy_plugin.c new file mode 100644 -index 0000000..56b1ece +index 0000000..d5a37cb --- /dev/null +++ b/scripts/gcc-plugins/latent_entropy_plugin.c @@ -0,0 +1,609 @@ @@ -173435,7 +173486,7 @@ index 0000000..56b1ece + enabled = false; + continue; + } -+ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); ++ error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); + } + + register_callback(plugin_name, PLUGIN_INFO, NULL, &latent_entropy_plugin_info); @@ -173450,7 +173501,7 @@ index 0000000..56b1ece +} diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c new file mode 100644 -index 0000000..2ca34f1 +index 0000000..71911c82 --- /dev/null +++ b/scripts/gcc-plugins/randomize_layout_plugin.c @@ -0,0 +1,940 @@ @@ -174369,7 +174420,7 @@ index 0000000..2ca34f1 + performance_mode = 1; + continue; + } -+ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); ++ error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); + } + + if (strlen(randstruct_seed) != 64) { @@ -175062,7 +175113,7 @@ index 0000000..161102f +} diff --git a/scripts/gcc-plugins/rap_plugin/rap_plugin.c b/scripts/gcc-plugins/rap_plugin/rap_plugin.c new file mode 100644 -index 0000000..8359861 +index 0000000..998fc0f --- /dev/null +++ b/scripts/gcc-plugins/rap_plugin/rap_plugin.c @@ -0,0 +1,505 @@ @@ -175548,7 +175599,7 @@ index 0000000..8359861 + continue; + } + -+ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); ++ error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); + } + + register_callback(plugin_name, PLUGIN_INFO, NULL, &rap_plugin_info); @@ -175674,7 +175725,7 @@ index 0000000..65bc1cd + U64TO8_LE(out, b); +} diff --git a/scripts/gcc-plugins/sancov_plugin.c b/scripts/gcc-plugins/sancov_plugin.c -index aedd611..72265dd 100644 +index aedd611..f39cee3 100644 --- a/scripts/gcc-plugins/sancov_plugin.c +++ b/scripts/gcc-plugins/sancov_plugin.c @@ -1,5 +1,5 @@ @@ -175732,6 +175783,15 @@ index aedd611..72265dd 100644 if (!plugin_default_version_check(version, &gcc_version)) { error(G_("incompatible gcc/plugin versions")); +@@ -126,7 +124,7 @@ int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version + enable = false; + continue; + } +- error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); ++ error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); + } + + register_callback(plugin_name, PLUGIN_INFO, NULL, &sancov_plugin_info); @@ -137,7 +135,7 @@ int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version #if BUILDING_GCC_VERSION < 6000 register_callback(plugin_name, PLUGIN_START_UNIT, &sancov_start_unit, NULL); @@ -175779,10 +175839,10 @@ index 0000000..a8039b2 +clean-files += *.so diff --git a/scripts/gcc-plugins/size_overflow_plugin/disable.data b/scripts/gcc-plugins/size_overflow_plugin/disable.data new file mode 100644 -index 0000000..925b27a +index 0000000..83975f2 --- /dev/null +++ b/scripts/gcc-plugins/size_overflow_plugin/disable.data -@@ -0,0 +1,12471 @@ +@@ -0,0 +1,12472 @@ +disable_so_interrupt_pnode_gru_message_queue_desc_4 interrupt_pnode gru_message_queue_desc 0 4 NULL +disable_so_bch_btree_insert_fndecl_12 bch_btree_insert fndecl 0 12 NULL +disable_so_macvlan_sync_address_fndecl_22 macvlan_sync_address fndecl 0 22 NULL nohasharray @@ -188254,6 +188314,7 @@ index 0000000..925b27a +btrfs_get_token_32_fndecl_7192_fns btrfs_get_token_32 fndecl 0 7192 NULL +btrfs_get_token_16_fndecl_46639_fns btrfs_get_token_16 fndecl 0 46639 NULL +btrfs_get_token_64_fndecl_54223_fns btrfs_get_token_64 fndecl 0 54223 NULL ++qdisc_tree_reduce_backlog_fndecl_3865_fields qdisc_tree_reduce_backlog fndecl 2 3865 NULL diff --git a/scripts/gcc-plugins/size_overflow_plugin/e_aux.data b/scripts/gcc-plugins/size_overflow_plugin/e_aux.data new file mode 100644 index 0000000..74e91b2 @@ -188359,10 +188420,10 @@ index 0000000..74e91b2 +enable_so_zpios_read_fndecl_64734 zpios_read fndecl 3 64734 NULL diff --git a/scripts/gcc-plugins/size_overflow_plugin/e_fields.data b/scripts/gcc-plugins/size_overflow_plugin/e_fields.data new file mode 100644 -index 0000000..4aabb55 +index 0000000..6b5367db --- /dev/null +++ b/scripts/gcc-plugins/size_overflow_plugin/e_fields.data -@@ -0,0 +1,16262 @@ +@@ -0,0 +1,16261 @@ +recv_ctrl_pipe_us_data_0_fields recv_ctrl_pipe us_data 0 0 NULL +__earlyonly_bootmem_alloc_fndecl_3_fields __earlyonly_bootmem_alloc fndecl 2-3-4 3 NULL +size_ttm_mem_reg_8_fields size ttm_mem_reg 0 8 NULL @@ -189301,7 +189362,6 @@ index 0000000..4aabb55 +find_end_of_node_fndecl_3843_fields find_end_of_node fndecl 0-3-1-2 3843 NULL +bg_inode_table_hi_ext4_group_desc_3844_fields bg_inode_table_hi ext4_group_desc 0 3844 NULL +btrfs_dirty_pages_fndecl_3848_fields btrfs_dirty_pages fndecl 6-5 3848 NULL -+qdisc_tree_reduce_backlog_fndecl_3865_fields qdisc_tree_reduce_backlog fndecl 2 3865 NULL +ocfs2_free_clusters_fndecl_3866_fields ocfs2_free_clusters fndecl 4 3866 NULL +minlen_fstrim_range_3870_fields minlen fstrim_range 0 3870 NULL +size_of_priv_dvb_usb_adapter_fe_properties_3875_fields size_of_priv dvb_usb_adapter_fe_properties 0 3875 NULL @@ -214621,7 +214681,7 @@ index 0000000..b5291e1 + diff --git a/scripts/gcc-plugins/size_overflow_plugin/size_overflow_plugin.c b/scripts/gcc-plugins/size_overflow_plugin/size_overflow_plugin.c new file mode 100644 -index 0000000..4645a29 +index 0000000..4f667bad --- /dev/null +++ b/scripts/gcc-plugins/size_overflow_plugin/size_overflow_plugin.c @@ -0,0 +1,299 @@ @@ -214900,7 +214960,7 @@ index 0000000..4645a29 + continue; + } + -+ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); ++ error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); + } + + register_callback(plugin_name, PLUGIN_INFO, NULL, &size_overflow_plugin_info); @@ -217198,7 +217258,7 @@ index 0000000..7b24aea +} diff --git a/scripts/gcc-plugins/stackleak_plugin.c b/scripts/gcc-plugins/stackleak_plugin.c new file mode 100644 -index 0000000..b70f0bc +index 0000000..75524f4 --- /dev/null +++ b/scripts/gcc-plugins/stackleak_plugin.c @@ -0,0 +1,342 @@ @@ -217534,7 +217594,7 @@ index 0000000..b70f0bc + init_locals = true; + continue; + } -+ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); ++ error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); + } + + register_callback(plugin_name, PLUGIN_START_UNIT, &stackleak_start_unit, NULL); @@ -217546,7 +217606,7 @@ index 0000000..b70f0bc +} diff --git a/scripts/gcc-plugins/structleak_plugin.c b/scripts/gcc-plugins/structleak_plugin.c new file mode 100644 -index 0000000..0afee93 +index 0000000..7ff562f --- /dev/null +++ b/scripts/gcc-plugins/structleak_plugin.c @@ -0,0 +1,235 @@ @@ -217773,7 +217833,7 @@ index 0000000..0afee93 + enable = false; + continue; + } -+ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); ++ error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); + } + + register_callback(plugin_name, PLUGIN_INFO, NULL, &structleak_plugin_info); @@ -218275,7 +218335,7 @@ index b3775a9..be6b9f9 100755 # Find all available archs find_all_archs() diff --git a/security/Kconfig b/security/Kconfig -index 118f454..5c61f40 100644 +index 118f454..288ab93 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -4,6 +4,1065 @@ @@ -219383,7 +219443,7 @@ index 118f454..5c61f40 100644 - separately allocates pages, are not on the process stack, - or are part of the kernel text. This kills entire classes - of heap overflow exploits and similar kernel memory exposures. -+ def_bool y ++ bool + select BUG if BROKEN_SECURITY config HARDENED_USERCOPY_PAGESPAN diff --git a/4.8.17/4427_force_XATTR_PAX_tmpfs.patch b/4.8.17/4427_force_XATTR_PAX_tmpfs.patch index caecb91..ba7da66 100644 --- a/4.8.17/4427_force_XATTR_PAX_tmpfs.patch +++ b/4.8.17/4427_force_XATTR_PAX_tmpfs.patch @@ -6,7 +6,7 @@ namespace supported on tmpfs so that the PaX markings survive emerge. diff -Naur a/mm/shmem.c b/mm/shmem.c --- a/mm/shmem.c 2016-04-29 19:56:25.306101147 -0400 +++ b/mm/shmem.c 2016-04-29 19:59:44.126104490 -0400 -@@ -3255,7 +3255,6 @@ +@@ -3257,7 +3257,6 @@ return simple_xattr_set(&info->xattrs, name, value, size, flags); } diff --git a/4.8.17/4475_emutramp_default_on.patch b/4.8.17/4475_emutramp_default_on.patch index 7b468ee..feb8c7b 100644 --- a/4.8.17/4475_emutramp_default_on.patch +++ b/4.8.17/4475_emutramp_default_on.patch @@ -10,7 +10,7 @@ See bug: diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig --- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400 +++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400 -@@ -434,7 +434,7 @@ +@@ -440,7 +440,7 @@ config PAX_EMUTRAMP bool "Emulate trampolines" @@ -19,7 +19,7 @@ diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/secur depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86) help There are some programs and libraries that for one reason or -@@ -457,6 +457,12 @@ +@@ -463,6 +463,12 @@ utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC for the affected files. |