diff options
author | Anthony G. Basile <blueness@gentoo.org> | 2014-05-29 17:54:31 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2014-05-29 17:54:31 -0400 |
commit | 42f2ed22cb151c6a136a4d39d9e973d36ec5d99b (patch) | |
tree | d60e2c8a4caaeda39584e91ffef1e3f66952bea3 | |
parent | Grsec/PaX: 3.0-3.14.4-201405271114 (diff) | |
download | hardened-patchset-42f2ed22cb151c6a136a4d39d9e973d36ec5d99b.tar.gz hardened-patchset-42f2ed22cb151c6a136a4d39d9e973d36ec5d99b.tar.bz2 hardened-patchset-42f2ed22cb151c6a136a4d39d9e973d36ec5d99b.zip |
Grsec/PaX: 3.0-{3.2.59,3.14.4}-20140528192220140528
-rw-r--r-- | 3.14.4/0000_README | 2 | ||||
-rw-r--r-- | 3.14.4/4420_grsecurity-3.0-3.14.4-201405281922.patch (renamed from 3.14.4/4420_grsecurity-3.0-3.14.4-201405271114.patch) | 13 | ||||
-rw-r--r-- | 3.14.4/4425_grsec_remove_EI_PAX.patch | 2 | ||||
-rw-r--r-- | 3.14.4/4450_grsec-kconfig-default-gids.patch | 8 | ||||
-rw-r--r-- | 3.14.4/4475_emutramp_default_on.patch | 2 | ||||
-rw-r--r-- | 3.2.59/0000_README | 2 | ||||
-rw-r--r-- | 3.2.59/4420_grsecurity-3.0-3.2.59-201405281920.patch (renamed from 3.2.59/4420_grsecurity-3.0-3.2.59-201405252042.patch) | 55 |
7 files changed, 47 insertions, 37 deletions
diff --git a/3.14.4/0000_README b/3.14.4/0000_README index 4203555..275b0d1 100644 --- a/3.14.4/0000_README +++ b/3.14.4/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.14.4-201405271114.patch +Patch: 4420_grsecurity-3.0-3.14.4-201405281922.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.4/4420_grsecurity-3.0-3.14.4-201405271114.patch b/3.14.4/4420_grsecurity-3.0-3.14.4-201405281922.patch index 3537db8..c9100d1 100644 --- a/3.14.4/4420_grsecurity-3.0-3.14.4-201405271114.patch +++ b/3.14.4/4420_grsecurity-3.0-3.14.4-201405281922.patch @@ -58838,7 +58838,7 @@ index e4141f2..d8263e8 100644 i += packet_length_size; if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) diff --git a/fs/exec.c b/fs/exec.c -index 3d78fcc..cd4f983 100644 +index 3d78fcc..122929d 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,8 +55,20 @@ @@ -59329,7 +59329,7 @@ index 3d78fcc..cd4f983 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1626,3 +1801,296 @@ asmlinkage long compat_sys_execve(const char __user * filename, +@@ -1626,3 +1801,298 @@ asmlinkage long compat_sys_execve(const char __user * filename, return compat_do_execve(getname(filename), argv, envp); } #endif @@ -59613,6 +59613,8 @@ index 3d78fcc..cd4f983 100644 + if (sp < current_thread_info()->lowest_stack && + sp > (unsigned long)task_stack_page(current)) + current_thread_info()->lowest_stack = sp; ++ if (unlikely((sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16))) ++ BUG(); +} +EXPORT_SYMBOL(pax_track_stack); +#endif @@ -104215,10 +104217,10 @@ index 8fac3fd..32ff38d 100644 unsigned int secindex_strings; diff --git a/security/Kconfig b/security/Kconfig -index beb86b5..55198cd 100644 +index beb86b5..1ea5a01 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,961 @@ +@@ -4,6 +4,960 @@ menu "Security options" @@ -104255,7 +104257,6 @@ index beb86b5..55198cd 100644 + select TTY + select DEBUG_KERNEL + select DEBUG_LIST -+ select DEBUG_STACKOVERFLOW if HAVE_DEBUG_STACKOVERFLOW + help + If you say Y here, you will be able to configure many features + that will enhance the security of your system. It is highly @@ -105180,7 +105181,7 @@ index beb86b5..55198cd 100644 source security/keys/Kconfig config SECURITY_DMESG_RESTRICT -@@ -103,7 +1058,7 @@ config INTEL_TXT +@@ -103,7 +1057,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX diff --git a/3.14.4/4425_grsec_remove_EI_PAX.patch b/3.14.4/4425_grsec_remove_EI_PAX.patch index 23631d1..fc51f79 100644 --- a/3.14.4/4425_grsec_remove_EI_PAX.patch +++ b/3.14.4/4425_grsec_remove_EI_PAX.patch @@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600 diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig --- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500 +++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500 -@@ -269,7 +269,7 @@ +@@ -268,7 +268,7 @@ config PAX_EI_PAX bool 'Use legacy ELF header marking' diff --git a/3.14.4/4450_grsec-kconfig-default-gids.patch b/3.14.4/4450_grsec-kconfig-default-gids.patch index a965a27..19a4285 100644 --- a/3.14.4/4450_grsec-kconfig-default-gids.patch +++ b/3.14.4/4450_grsec-kconfig-default-gids.patch @@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig diff -Nuar a/security/Kconfig b/security/Kconfig --- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400 +++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400 -@@ -197,7 +197,7 @@ +@@ -196,7 +196,7 @@ config GRKERNSEC_PROC_GID int "GID exempted from /proc restrictions" @@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig help Setting this GID determines which group will be exempted from grsecurity's /proc restrictions, allowing users of the specified -@@ -208,7 +208,7 @@ +@@ -207,7 +207,7 @@ config GRKERNSEC_TPE_UNTRUSTED_GID int "GID for TPE-untrusted users" depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT @@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig help Setting this GID determines which group untrusted users should be added to. These users will be placed under grsecurity's Trusted Path -@@ -220,7 +220,7 @@ +@@ -219,7 +219,7 @@ config GRKERNSEC_TPE_TRUSTED_GID int "GID for TPE-trusted users" depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT @@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -229,7 +229,7 @@ +@@ -228,7 +228,7 @@ config GRKERNSEC_SYMLINKOWN_GID int "GID for users with kernel-enforced SymlinksIfOwnerMatch" depends on GRKERNSEC_CONFIG_SERVER diff --git a/3.14.4/4475_emutramp_default_on.patch b/3.14.4/4475_emutramp_default_on.patch index 2c704b9..a453a5b 100644 --- a/3.14.4/4475_emutramp_default_on.patch +++ b/3.14.4/4475_emutramp_default_on.patch @@ -10,7 +10,7 @@ See bug: diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig --- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400 +++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400 -@@ -429,7 +429,7 @@ +@@ -428,7 +428,7 @@ config PAX_EMUTRAMP bool "Emulate trampolines" diff --git a/3.2.59/0000_README b/3.2.59/0000_README index e328e8d..4d1e516 100644 --- a/3.2.59/0000_README +++ b/3.2.59/0000_README @@ -154,7 +154,7 @@ Patch: 1058_linux-3.2.59.patch From: http://www.kernel.org Desc: Linux 3.2.59 -Patch: 4420_grsecurity-3.0-3.2.59-201405252042.patch +Patch: 4420_grsecurity-3.0-3.2.59-201405281920.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.59/4420_grsecurity-3.0-3.2.59-201405252042.patch b/3.2.59/4420_grsecurity-3.0-3.2.59-201405281920.patch index a27bb43..ae61f08 100644 --- a/3.2.59/4420_grsecurity-3.0-3.2.59-201405252042.patch +++ b/3.2.59/4420_grsecurity-3.0-3.2.59-201405281920.patch @@ -21377,7 +21377,7 @@ index 7209070..ada4d63 100644 * Shouldn't happen, we returned above if in_interrupt(): */ diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c -index 69bca46..fe78277 100644 +index 69bca46..1ac9a15 100644 --- a/arch/x86/kernel/irq_64.c +++ b/arch/x86/kernel/irq_64.c @@ -26,6 +26,8 @@ EXPORT_PER_CPU_SYMBOL(irq_stat); @@ -21389,7 +21389,7 @@ index 69bca46..fe78277 100644 /* * Probabilistic stack overflow check: * -@@ -38,7 +40,7 @@ static inline void stack_overflow_check(struct pt_regs *regs) +@@ -38,16 +40,16 @@ static inline void stack_overflow_check(struct pt_regs *regs) #ifdef CONFIG_DEBUG_STACKOVERFLOW u64 curbase = (u64)task_stack_page(current); @@ -21397,11 +21397,19 @@ index 69bca46..fe78277 100644 + if (user_mode(regs)) return; - WARN_ONCE(regs->sp >= curbase && -@@ -48,6 +50,7 @@ static inline void stack_overflow_check(struct pt_regs *regs) - - "do_IRQ: %s near stack overflow (cur:%Lx,sp:%lx)\n", - current->comm, curbase, regs->sp); +- WARN_ONCE(regs->sp >= curbase && +- regs->sp <= curbase + THREAD_SIZE && +- regs->sp < curbase + sizeof(struct thread_info) + +- sizeof(struct pt_regs) + 128, +- +- "do_IRQ: %s near stack overflow (cur:%Lx,sp:%lx)\n", +- current->comm, curbase, regs->sp); ++ if (regs->sp >= curbase + sizeof(struct thread_info) + ++ sizeof(struct pt_regs) + 128 && ++ regs->sp <= curbase + THREAD_SIZE) ++ return; ++ WARN_ONCE(1, "do_IRQ: %s near stack overflow (cur:%Lx,sp:%lx)\n", ++ current->comm, curbase, regs->sp); + gr_handle_kernel_exploit(); #endif } @@ -56716,7 +56724,7 @@ index 451b9b8..12e5a03 100644 out_free_fd: diff --git a/fs/exec.c b/fs/exec.c -index 78199eb..80dac79 100644 +index 78199eb..125722f 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,12 +55,35 @@ @@ -57329,7 +57337,7 @@ index 78199eb..80dac79 100644 cn->corename = kmalloc(cn->size, GFP_KERNEL); cn->used = 0; -@@ -1833,6 +2016,293 @@ out: +@@ -1833,6 +2016,295 @@ out: return ispipe; } @@ -57606,6 +57614,8 @@ index 78199eb..80dac79 100644 + if (sp < current_thread_info()->lowest_stack && + sp > (unsigned long)task_stack_page(current)) + current_thread_info()->lowest_stack = sp; ++ if (unlikely((sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16))) ++ BUG(); +} +EXPORT_SYMBOL(pax_track_stack); +#endif @@ -57623,7 +57633,7 @@ index 78199eb..80dac79 100644 static int zap_process(struct task_struct *start, int exit_code) { struct task_struct *t; -@@ -2006,17 +2476,17 @@ static void coredump_finish(struct mm_struct *mm) +@@ -2006,17 +2478,17 @@ static void coredump_finish(struct mm_struct *mm) void set_dumpable(struct mm_struct *mm, int value) { switch (value) { @@ -57644,7 +57654,7 @@ index 78199eb..80dac79 100644 set_bit(MMF_DUMP_SECURELY, &mm->flags); smp_wmb(); set_bit(MMF_DUMPABLE, &mm->flags); -@@ -2029,7 +2499,7 @@ static int __get_dumpable(unsigned long mm_flags) +@@ -2029,7 +2501,7 @@ static int __get_dumpable(unsigned long mm_flags) int ret; ret = mm_flags & MMF_DUMPABLE_MASK; @@ -57653,7 +57663,7 @@ index 78199eb..80dac79 100644 } /* -@@ -2050,17 +2520,17 @@ static void wait_for_dump_helpers(struct file *file) +@@ -2050,17 +2522,17 @@ static void wait_for_dump_helpers(struct file *file) pipe = file->f_path.dentry->d_inode->i_pipe; pipe_lock(pipe); @@ -57676,7 +57686,7 @@ index 78199eb..80dac79 100644 pipe_unlock(pipe); } -@@ -2121,7 +2591,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2121,7 +2593,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) int retval = 0; int flag = 0; int ispipe; @@ -57686,7 +57696,7 @@ index 78199eb..80dac79 100644 struct coredump_params cprm = { .signr = signr, .regs = regs, -@@ -2136,6 +2607,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2136,6 +2609,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) audit_core_dumps(signr); @@ -57696,7 +57706,7 @@ index 78199eb..80dac79 100644 binfmt = mm->binfmt; if (!binfmt || !binfmt->core_dump) goto fail; -@@ -2146,14 +2620,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2146,14 +2622,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) if (!cred) goto fail; /* @@ -57717,7 +57727,7 @@ index 78199eb..80dac79 100644 } retval = coredump_wait(exit_code, &core_state); -@@ -2203,7 +2679,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2203,7 +2681,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) } cprm.limit = RLIM_INFINITY; @@ -57726,7 +57736,7 @@ index 78199eb..80dac79 100644 if (core_pipe_limit && (core_pipe_limit < dump_count)) { printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", task_tgid_vnr(current), current->comm); -@@ -2230,9 +2706,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2230,9 +2708,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) } else { struct inode *inode; @@ -57746,7 +57756,7 @@ index 78199eb..80dac79 100644 cprm.file = filp_open(cn.corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, 0600); -@@ -2273,7 +2759,7 @@ close_fail: +@@ -2273,7 +2761,7 @@ close_fail: filp_close(cprm.file, NULL); fail_dropcount: if (ispipe) @@ -57755,7 +57765,7 @@ index 78199eb..80dac79 100644 fail_unlock: kfree(cn.corename); fail_corename: -@@ -2292,7 +2778,7 @@ fail: +@@ -2292,7 +2780,7 @@ fail: */ int dump_write(struct file *file, const void *addr, int nr) { @@ -106824,10 +106834,10 @@ index 38f6617..e70b72b 100755 exuberant() diff --git a/security/Kconfig b/security/Kconfig -index 51bd5a0..f75fbf0 100644 +index 51bd5a0..d4191c5 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,956 @@ +@@ -4,6 +4,955 @@ menu "Security options" @@ -106863,7 +106873,6 @@ index 51bd5a0..f75fbf0 100644 + select STOP_MACHINE + select DEBUG_KERNEL + select DEBUG_LIST -+ select DEBUG_STACKOVERFLOW if HAVE_DEBUG_STACKOVERFLOW + help + If you say Y here, you will be able to configure many features + that will enhance the security of your system. It is highly @@ -107784,7 +107793,7 @@ index 51bd5a0..f75fbf0 100644 config KEYS bool "Enable access key retention support" help -@@ -169,7 +1119,7 @@ config INTEL_TXT +@@ -169,7 +1118,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX |