1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
|
From: Jory Pratt <anarchy@gentoo.org>
Updated patch for kernel 2.6.32
The credits/description from the original version of this patch remain accurate
and are included below.
--
From: Gordon Malm <gengor@gentoo.org>
Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC.
This patch has been updated to keep current with newer kernel versions.
The original version of this patch contained no credits/description.
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -652,10 +652,12 @@
#ifdef CONFIG_PAX_KERNEXEC
if (init_mm.start_code <= address && address < init_mm.end_code) {
+#ifdef CONFIG_GRKERNSEC
if (current->signal->curr_ip)
printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
else
+#endif
printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
current->comm, task_pid_nr(current), current_uid(), current_euid());
}
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1750,9 +1750,11 @@
}
up_read(&mm->mmap_sem);
}
+#ifdef CONFIG_GRKERNSEC
if (tsk->signal->curr_ip)
printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
else
+#endif
printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
"PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
@@ -1767,10 +1769,12 @@
#ifdef CONFIG_PAX_REFCOUNT
void pax_report_refcount_overflow(struct pt_regs *regs)
{
+#ifdef CONFIG_GRKERNSEC
if (current->signal->curr_ip)
printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
else
+#endif
printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
current->comm, task_pid_nr(current), current_uid(), current_euid());
print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
@@ -1782,10 +1786,12 @@
#ifdef CONFIG_PAX_USERCOPY
void pax_report_leak_to_user(const void *ptr, unsigned long len)
{
+#ifdef CONFIG_GRKERNSEC
if (current->signal->curr_ip)
printk(KERN_ERR "PAX: From %pI4: kernel memory leak attempt detected from %p (%lu bytes)\n",
¤t->signal->curr_ip, ptr, len);
else
+#endif
printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
dump_stack();
do_group_exit(SIGKILL);
@@ -1793,10 +1799,12 @@
void pax_report_overflow_from_user(const void *ptr, unsigned long len)
{
+#ifdef CONFIG_GRKERNSEC
if (current->signal->curr_ip)
printk(KERN_ERR "PAX: From %pI4: kernel memory overflow attempt detected to %p (%lu bytes)\n",
¤t->signal->curr_ip, ptr, len);
else
+#endif
printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
dump_stack();
do_group_exit(SIGKILL);
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -19,7 +19,7 @@ menu "PaX"
config PAX
bool "Enable various PaX features"
- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC || SPARC || X86)
+ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC || SPARC || X86)
help
This allows you to enable various PaX features. PaX adds
intrusion prevention mechanisms to the kernel that reduce
|
GitWeb