summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2014-05-29 17:54:31 -0400
committerAnthony G. Basile <blueness@gentoo.org>2014-05-29 17:54:31 -0400
commit42f2ed22cb151c6a136a4d39d9e973d36ec5d99b (patch)
treed60e2c8a4caaeda39584e91ffef1e3f66952bea3
parentGrsec/PaX: 3.0-3.14.4-201405271114 (diff)
downloadhardened-patchset-42f2ed22cb151c6a136a4d39d9e973d36ec5d99b.tar.gz
hardened-patchset-42f2ed22cb151c6a136a4d39d9e973d36ec5d99b.tar.bz2
hardened-patchset-42f2ed22cb151c6a136a4d39d9e973d36ec5d99b.zip
Grsec/PaX: 3.0-{3.2.59,3.14.4}-20140528192220140528
-rw-r--r--3.14.4/0000_README2
-rw-r--r--3.14.4/4420_grsecurity-3.0-3.14.4-201405281922.patch (renamed from 3.14.4/4420_grsecurity-3.0-3.14.4-201405271114.patch)13
-rw-r--r--3.14.4/4425_grsec_remove_EI_PAX.patch2
-rw-r--r--3.14.4/4450_grsec-kconfig-default-gids.patch8
-rw-r--r--3.14.4/4475_emutramp_default_on.patch2
-rw-r--r--3.2.59/0000_README2
-rw-r--r--3.2.59/4420_grsecurity-3.0-3.2.59-201405281920.patch (renamed from 3.2.59/4420_grsecurity-3.0-3.2.59-201405252042.patch)55
7 files changed, 47 insertions, 37 deletions
diff --git a/3.14.4/0000_README b/3.14.4/0000_README
index 4203555..275b0d1 100644
--- a/3.14.4/0000_README
+++ b/3.14.4/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.14.4-201405271114.patch
+Patch: 4420_grsecurity-3.0-3.14.4-201405281922.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.14.4/4420_grsecurity-3.0-3.14.4-201405271114.patch b/3.14.4/4420_grsecurity-3.0-3.14.4-201405281922.patch
index 3537db8..c9100d1 100644
--- a/3.14.4/4420_grsecurity-3.0-3.14.4-201405271114.patch
+++ b/3.14.4/4420_grsecurity-3.0-3.14.4-201405281922.patch
@@ -58838,7 +58838,7 @@ index e4141f2..d8263e8 100644
i += packet_length_size;
if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
diff --git a/fs/exec.c b/fs/exec.c
-index 3d78fcc..cd4f983 100644
+index 3d78fcc..122929d 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,8 +55,20 @@
@@ -59329,7 +59329,7 @@ index 3d78fcc..cd4f983 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1626,3 +1801,296 @@ asmlinkage long compat_sys_execve(const char __user * filename,
+@@ -1626,3 +1801,298 @@ asmlinkage long compat_sys_execve(const char __user * filename,
return compat_do_execve(getname(filename), argv, envp);
}
#endif
@@ -59613,6 +59613,8 @@ index 3d78fcc..cd4f983 100644
+ if (sp < current_thread_info()->lowest_stack &&
+ sp > (unsigned long)task_stack_page(current))
+ current_thread_info()->lowest_stack = sp;
++ if (unlikely((sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16)))
++ BUG();
+}
+EXPORT_SYMBOL(pax_track_stack);
+#endif
@@ -104215,10 +104217,10 @@ index 8fac3fd..32ff38d 100644
unsigned int secindex_strings;
diff --git a/security/Kconfig b/security/Kconfig
-index beb86b5..55198cd 100644
+index beb86b5..1ea5a01 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,961 @@
+@@ -4,6 +4,960 @@
menu "Security options"
@@ -104255,7 +104257,6 @@ index beb86b5..55198cd 100644
+ select TTY
+ select DEBUG_KERNEL
+ select DEBUG_LIST
-+ select DEBUG_STACKOVERFLOW if HAVE_DEBUG_STACKOVERFLOW
+ help
+ If you say Y here, you will be able to configure many features
+ that will enhance the security of your system. It is highly
@@ -105180,7 +105181,7 @@ index beb86b5..55198cd 100644
source security/keys/Kconfig
config SECURITY_DMESG_RESTRICT
-@@ -103,7 +1058,7 @@ config INTEL_TXT
+@@ -103,7 +1057,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
diff --git a/3.14.4/4425_grsec_remove_EI_PAX.patch b/3.14.4/4425_grsec_remove_EI_PAX.patch
index 23631d1..fc51f79 100644
--- a/3.14.4/4425_grsec_remove_EI_PAX.patch
+++ b/3.14.4/4425_grsec_remove_EI_PAX.patch
@@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600
diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig
--- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500
+++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500
-@@ -269,7 +269,7 @@
+@@ -268,7 +268,7 @@
config PAX_EI_PAX
bool 'Use legacy ELF header marking'
diff --git a/3.14.4/4450_grsec-kconfig-default-gids.patch b/3.14.4/4450_grsec-kconfig-default-gids.patch
index a965a27..19a4285 100644
--- a/3.14.4/4450_grsec-kconfig-default-gids.patch
+++ b/3.14.4/4450_grsec-kconfig-default-gids.patch
@@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
diff -Nuar a/security/Kconfig b/security/Kconfig
--- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400
+++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400
-@@ -197,7 +197,7 @@
+@@ -196,7 +196,7 @@
config GRKERNSEC_PROC_GID
int "GID exempted from /proc restrictions"
@@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines which group will be exempted from
grsecurity's /proc restrictions, allowing users of the specified
-@@ -208,7 +208,7 @@
+@@ -207,7 +207,7 @@
config GRKERNSEC_TPE_UNTRUSTED_GID
int "GID for TPE-untrusted users"
depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines which group untrusted users should
be added to. These users will be placed under grsecurity's Trusted Path
-@@ -220,7 +220,7 @@
+@@ -219,7 +219,7 @@
config GRKERNSEC_TPE_TRUSTED_GID
int "GID for TPE-trusted users"
depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -229,7 +229,7 @@
+@@ -228,7 +228,7 @@
config GRKERNSEC_SYMLINKOWN_GID
int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
depends on GRKERNSEC_CONFIG_SERVER
diff --git a/3.14.4/4475_emutramp_default_on.patch b/3.14.4/4475_emutramp_default_on.patch
index 2c704b9..a453a5b 100644
--- a/3.14.4/4475_emutramp_default_on.patch
+++ b/3.14.4/4475_emutramp_default_on.patch
@@ -10,7 +10,7 @@ See bug:
diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
--- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400
+++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400
-@@ -429,7 +429,7 @@
+@@ -428,7 +428,7 @@
config PAX_EMUTRAMP
bool "Emulate trampolines"
diff --git a/3.2.59/0000_README b/3.2.59/0000_README
index e328e8d..4d1e516 100644
--- a/3.2.59/0000_README
+++ b/3.2.59/0000_README
@@ -154,7 +154,7 @@ Patch: 1058_linux-3.2.59.patch
From: http://www.kernel.org
Desc: Linux 3.2.59
-Patch: 4420_grsecurity-3.0-3.2.59-201405252042.patch
+Patch: 4420_grsecurity-3.0-3.2.59-201405281920.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.59/4420_grsecurity-3.0-3.2.59-201405252042.patch b/3.2.59/4420_grsecurity-3.0-3.2.59-201405281920.patch
index a27bb43..ae61f08 100644
--- a/3.2.59/4420_grsecurity-3.0-3.2.59-201405252042.patch
+++ b/3.2.59/4420_grsecurity-3.0-3.2.59-201405281920.patch
@@ -21377,7 +21377,7 @@ index 7209070..ada4d63 100644
* Shouldn't happen, we returned above if in_interrupt():
*/
diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
-index 69bca46..fe78277 100644
+index 69bca46..1ac9a15 100644
--- a/arch/x86/kernel/irq_64.c
+++ b/arch/x86/kernel/irq_64.c
@@ -26,6 +26,8 @@ EXPORT_PER_CPU_SYMBOL(irq_stat);
@@ -21389,7 +21389,7 @@ index 69bca46..fe78277 100644
/*
* Probabilistic stack overflow check:
*
-@@ -38,7 +40,7 @@ static inline void stack_overflow_check(struct pt_regs *regs)
+@@ -38,16 +40,16 @@ static inline void stack_overflow_check(struct pt_regs *regs)
#ifdef CONFIG_DEBUG_STACKOVERFLOW
u64 curbase = (u64)task_stack_page(current);
@@ -21397,11 +21397,19 @@ index 69bca46..fe78277 100644
+ if (user_mode(regs))
return;
- WARN_ONCE(regs->sp >= curbase &&
-@@ -48,6 +50,7 @@ static inline void stack_overflow_check(struct pt_regs *regs)
-
- "do_IRQ: %s near stack overflow (cur:%Lx,sp:%lx)\n",
- current->comm, curbase, regs->sp);
+- WARN_ONCE(regs->sp >= curbase &&
+- regs->sp <= curbase + THREAD_SIZE &&
+- regs->sp < curbase + sizeof(struct thread_info) +
+- sizeof(struct pt_regs) + 128,
+-
+- "do_IRQ: %s near stack overflow (cur:%Lx,sp:%lx)\n",
+- current->comm, curbase, regs->sp);
++ if (regs->sp >= curbase + sizeof(struct thread_info) +
++ sizeof(struct pt_regs) + 128 &&
++ regs->sp <= curbase + THREAD_SIZE)
++ return;
++ WARN_ONCE(1, "do_IRQ: %s near stack overflow (cur:%Lx,sp:%lx)\n",
++ current->comm, curbase, regs->sp);
+ gr_handle_kernel_exploit();
#endif
}
@@ -56716,7 +56724,7 @@ index 451b9b8..12e5a03 100644
out_free_fd:
diff --git a/fs/exec.c b/fs/exec.c
-index 78199eb..80dac79 100644
+index 78199eb..125722f 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,12 +55,35 @@
@@ -57329,7 +57337,7 @@ index 78199eb..80dac79 100644
cn->corename = kmalloc(cn->size, GFP_KERNEL);
cn->used = 0;
-@@ -1833,6 +2016,293 @@ out:
+@@ -1833,6 +2016,295 @@ out:
return ispipe;
}
@@ -57606,6 +57614,8 @@ index 78199eb..80dac79 100644
+ if (sp < current_thread_info()->lowest_stack &&
+ sp > (unsigned long)task_stack_page(current))
+ current_thread_info()->lowest_stack = sp;
++ if (unlikely((sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16)))
++ BUG();
+}
+EXPORT_SYMBOL(pax_track_stack);
+#endif
@@ -57623,7 +57633,7 @@ index 78199eb..80dac79 100644
static int zap_process(struct task_struct *start, int exit_code)
{
struct task_struct *t;
-@@ -2006,17 +2476,17 @@ static void coredump_finish(struct mm_struct *mm)
+@@ -2006,17 +2478,17 @@ static void coredump_finish(struct mm_struct *mm)
void set_dumpable(struct mm_struct *mm, int value)
{
switch (value) {
@@ -57644,7 +57654,7 @@ index 78199eb..80dac79 100644
set_bit(MMF_DUMP_SECURELY, &mm->flags);
smp_wmb();
set_bit(MMF_DUMPABLE, &mm->flags);
-@@ -2029,7 +2499,7 @@ static int __get_dumpable(unsigned long mm_flags)
+@@ -2029,7 +2501,7 @@ static int __get_dumpable(unsigned long mm_flags)
int ret;
ret = mm_flags & MMF_DUMPABLE_MASK;
@@ -57653,7 +57663,7 @@ index 78199eb..80dac79 100644
}
/*
-@@ -2050,17 +2520,17 @@ static void wait_for_dump_helpers(struct file *file)
+@@ -2050,17 +2522,17 @@ static void wait_for_dump_helpers(struct file *file)
pipe = file->f_path.dentry->d_inode->i_pipe;
pipe_lock(pipe);
@@ -57676,7 +57686,7 @@ index 78199eb..80dac79 100644
pipe_unlock(pipe);
}
-@@ -2121,7 +2591,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2121,7 +2593,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
int retval = 0;
int flag = 0;
int ispipe;
@@ -57686,7 +57696,7 @@ index 78199eb..80dac79 100644
struct coredump_params cprm = {
.signr = signr,
.regs = regs,
-@@ -2136,6 +2607,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2136,6 +2609,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
audit_core_dumps(signr);
@@ -57696,7 +57706,7 @@ index 78199eb..80dac79 100644
binfmt = mm->binfmt;
if (!binfmt || !binfmt->core_dump)
goto fail;
-@@ -2146,14 +2620,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2146,14 +2622,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
if (!cred)
goto fail;
/*
@@ -57717,7 +57727,7 @@ index 78199eb..80dac79 100644
}
retval = coredump_wait(exit_code, &core_state);
-@@ -2203,7 +2679,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2203,7 +2681,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
}
cprm.limit = RLIM_INFINITY;
@@ -57726,7 +57736,7 @@ index 78199eb..80dac79 100644
if (core_pipe_limit && (core_pipe_limit < dump_count)) {
printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
task_tgid_vnr(current), current->comm);
-@@ -2230,9 +2706,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2230,9 +2708,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
} else {
struct inode *inode;
@@ -57746,7 +57756,7 @@ index 78199eb..80dac79 100644
cprm.file = filp_open(cn.corename,
O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
0600);
-@@ -2273,7 +2759,7 @@ close_fail:
+@@ -2273,7 +2761,7 @@ close_fail:
filp_close(cprm.file, NULL);
fail_dropcount:
if (ispipe)
@@ -57755,7 +57765,7 @@ index 78199eb..80dac79 100644
fail_unlock:
kfree(cn.corename);
fail_corename:
-@@ -2292,7 +2778,7 @@ fail:
+@@ -2292,7 +2780,7 @@ fail:
*/
int dump_write(struct file *file, const void *addr, int nr)
{
@@ -106824,10 +106834,10 @@ index 38f6617..e70b72b 100755
exuberant()
diff --git a/security/Kconfig b/security/Kconfig
-index 51bd5a0..f75fbf0 100644
+index 51bd5a0..d4191c5 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,956 @@
+@@ -4,6 +4,955 @@
menu "Security options"
@@ -106863,7 +106873,6 @@ index 51bd5a0..f75fbf0 100644
+ select STOP_MACHINE
+ select DEBUG_KERNEL
+ select DEBUG_LIST
-+ select DEBUG_STACKOVERFLOW if HAVE_DEBUG_STACKOVERFLOW
+ help
+ If you say Y here, you will be able to configure many features
+ that will enhance the security of your system. It is highly
@@ -107784,7 +107793,7 @@ index 51bd5a0..f75fbf0 100644
config KEYS
bool "Enable access key retention support"
help
-@@ -169,7 +1119,7 @@ config INTEL_TXT
+@@ -169,7 +1118,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX