/[linux-patches]/hardened/2.6/trunk/2.6.22/4450_grsec-2.1.11-2.6.22.4-200708211800.patch

Diff of /hardened/2.6/trunk/2.6.22/4450_grsec-2.1.11-2.6.22.4-200708211800.patch


1737 #define DOUBLEFAULT_STACKSIZE (1024) 1737 #define DOUBLEFAULT_STACKSIZE (1024)
1738 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE]; 1738 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
1739-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE) 1739-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
1740+#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2) 1740+#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
1741 1741
1742 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + 0x1000000) 1742 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
1743 1743
1744 static void doublefault_fn(void) 1744 static void doublefault_fn(void)
1745 { 1745 {
1746- struct Xgt_desc_struct gdt_desc = {0, 0}; 1746- struct Xgt_desc_struct gdt_desc = {0, 0};
1747+ struct Xgt_desc_struct gdt_desc = {0, NULL, 0}; 1747+ struct Xgt_desc_struct gdt_desc = {0, NULL, 0};
1748 unsigned long gdt, tss; 1748 unsigned long gdt, tss;
1749 1749
1750 store_gdt(&gdt_desc); 1750 store_gdt(&gdt_desc);
1751- gdt = gdt_desc.address; 1751- gdt = gdt_desc.address;
1752+ gdt = (unsigned long)gdt_desc.address; 1752+ gdt = (unsigned long)gdt_desc.address;
1753 1753
1754 printk("double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size); 1754 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
1755 1755
1756@@ -59,10 +59,10 @@ struct tss_struct doublefault_tss __cach 1756@@ -59,10 +59,10 @@ struct tss_struct doublefault_tss __cach
1757 /* 0x2 bit is always set */ 1757 /* 0x2 bit is always set */
1758 .eflags = X86_EFLAGS_SF | 0x2, 1758 .eflags = X86_EFLAGS_SF | 0x2,
1759 .esp = STACK_START, 1759 .esp = STACK_START,
1760- .es = __USER_DS, 1760- .es = __USER_DS,
1761+ .es = __KERNEL_DS, 1761+ .es = __KERNEL_DS,
1762 .cs = __KERNEL_CS, 1762 .cs = __KERNEL_CS,
1763 .ss = __KERNEL_DS, 1763 .ss = __KERNEL_DS,
1764- .ds = __USER_DS, 1764- .ds = __USER_DS,
1765+ .ds = __KERNEL_DS, 1765+ .ds = __KERNEL_DS,
1766 .fs = __KERNEL_PERCPU,
1766 1767
1767 .__cr3 = __pa(swapper_pg_dir) 1768 .__cr3 = __pa(swapper_pg_dir)
1768 }
1769--- a/arch/i386/kernel/efi.c 1769--- a/arch/i386/kernel/efi.c
1770+++ b/arch/i386/kernel/efi.c 1770+++ b/arch/i386/kernel/efi.c
1771@@ -63,45 +63,23 @@ extern void * boot_ioremap(unsigned long 1771@@ -63,45 +63,23 @@ extern void * boot_ioremap(unsigned long
1772 1772
1773 static unsigned long efi_rt_eflags; 1773 static unsigned long efi_rt_eflags;
6495+#endif 6495+#endif
6496+ 6496+
6497 static inline pmd_t *vmalloc_sync_one(pgd_t *pgd, unsigned long address) 6497 static inline pmd_t *vmalloc_sync_one(pgd_t *pgd, unsigned long address)
6498 { 6498 {
6499 unsigned index = pgd_index(address); 6499 unsigned index = pgd_index(address);
6500@@ -301,13 +333,20 @@ fastcall void __kprobes do_page_fault(st 6500@@ -302,13 +334,20 @@ fastcall void __kprobes do_page_fault(st
6501 struct task_struct *tsk; 6501 struct task_struct *tsk;
6502 struct mm_struct *mm; 6502 struct mm_struct *mm;
6503 struct vm_area_struct * vma; 6503 struct vm_area_struct * vma;
6504- unsigned long address; 6504- unsigned long address;
6505 int write, si_code; 6505 int write, si_code;
6518 tsk = current; 6518 tsk = current;
6519+ mm = tsk->mm; 6519+ mm = tsk->mm;
6520 6520
6521 si_code = SEGV_MAPERR; 6521 si_code = SEGV_MAPERR;
6522 6522
6523@@ -344,14 +383,12 @@ fastcall void __kprobes do_page_fault(st 6523@@ -345,14 +384,12 @@ fastcall void __kprobes do_page_fault(st
6524 if (regs->eflags & (X86_EFLAGS_IF|VM_MASK)) 6524 if (regs->eflags & (X86_EFLAGS_IF|VM_MASK))
6525 local_irq_enable(); 6525 local_irq_enable();
6526 6526
6527- mm = tsk->mm; 6527- mm = tsk->mm;
6528- 6528-
6534- goto bad_area_nosemaphore; 6534- goto bad_area_nosemaphore;
6535+ goto bad_area_nopax; 6535+ goto bad_area_nopax;
6536 6536
6537 /* When running in the kernel we expect faults to occur only to 6537 /* When running in the kernel we expect faults to occur only to
6538 * addresses in user space. All other faults represent errors in the 6538 * addresses in user space. All other faults represent errors in the
6539@@ -371,10 +408,104 @@ fastcall void __kprobes do_page_fault(st 6539@@ -372,10 +409,104 @@ fastcall void __kprobes do_page_fault(st
6540 if (!down_read_trylock(&mm->mmap_sem)) { 6540 if (!down_read_trylock(&mm->mmap_sem)) {
6541 if ((error_code & 4) == 0 && 6541 if ((error_code & 4) == 0 &&
6542 !search_exception_tables(regs->eip)) 6542 !search_exception_tables(regs->eip))
6543- goto bad_area_nosemaphore; 6543- goto bad_area_nosemaphore;
6544+ goto bad_area_nopax; 6544+ goto bad_area_nopax;
6640+#endif 6640+#endif
6641+ 6641+
6642 vma = find_vma(mm, address); 6642 vma = find_vma(mm, address);
6643 if (!vma) 6643 if (!vma)
6644 goto bad_area; 6644 goto bad_area;
6645@@ -392,6 +523,12 @@ fastcall void __kprobes do_page_fault(st 6645@@ -393,6 +524,12 @@ fastcall void __kprobes do_page_fault(st
6646 if (address + 65536 + 32 * sizeof(unsigned long) < regs->esp) 6646 if (address + 65536 + 32 * sizeof(unsigned long) < regs->esp)
6647 goto bad_area; 6647 goto bad_area;
6648 } 6648 }
6649+ 6649+
6650+#ifdef CONFIG_PAX_SEGMEXEC 6650+#ifdef CONFIG_PAX_SEGMEXEC
6653+#endif 6653+#endif
6654+ 6654+
6655 if (expand_stack(vma, address)) 6655 if (expand_stack(vma, address))
6656 goto bad_area; 6656 goto bad_area;
6657 /* 6657 /*
6658@@ -401,6 +538,8 @@ fastcall void __kprobes do_page_fault(st 6658@@ -402,6 +539,8 @@ fastcall void __kprobes do_page_fault(st
6659 good_area: 6659 good_area:
6660 si_code = SEGV_ACCERR; 6660 si_code = SEGV_ACCERR;
6661 write = 0; 6661 write = 0;
6662+ if (nx_enabled && (error_code & 16) && !(vma->vm_flags & VM_EXEC)) 6662+ if (nx_enabled && (error_code & 16) && !(vma->vm_flags & VM_EXEC))
6663+ goto bad_area; 6663+ goto bad_area;
6664 switch (error_code & 3) { 6664 switch (error_code & 3) {
6665 default: /* 3: write, present */ 6665 default: /* 3: write, present */
6666 /* fall through */ 6666 /* fall through */
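Review bot: The instruction-fetch check at 6662 tests the bare literal `error_code & 16` with nothing saying what the bit is, while the rest of the function already reads `error_code & 4` and `& 3` the same way; this new line at least deserves a comment. Bit 4 of the x86 page-fault error code is the I/D flag, which the CPU reports only when NX is in effect, which is presumably why the test is gated on nx_enabled — say so: `/* error_code bit 4 (I/D) = instruction fetch; the CPU only reports it with NX enabled, so skip the test otherwise */`. Since this rejects a fetch from a mapping that the switch below would otherwise accept as a plain read, a one-line note that it must stay ahead of the switch would keep a future reorder from silently disabling it. do_page_fault starts and ends outside this hunk.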
6667@@ -456,6 +595,41 @@ bad_area: 6667@@ -457,6 +596,41 @@ bad_area:
6668 up_read(&mm->mmap_sem); 6668 up_read(&mm->mmap_sem);
6669 6669
6670 bad_area_nosemaphore: 6670 bad_area_nosemaphore:
6671+ 6671+
6672+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) 6672+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
6704+ 6704+
6705+bad_area_nopax: 6705+bad_area_nopax:
6706 /* User mode accesses just cause a SIGSEGV */ 6706 /* User mode accesses just cause a SIGSEGV */
6707 if (error_code & 4) { 6707 if (error_code & 4) {
6708 /* 6708 /*
6709@@ -485,7 +659,7 @@ bad_area_nosemaphore: 6709@@ -486,7 +660,7 @@ bad_area_nosemaphore:
6710 if (boot_cpu_data.f00f_bug) { 6710 if (boot_cpu_data.f00f_bug) {
6711 unsigned long nr; 6711 unsigned long nr;
6712 6712
6713- nr = (address - idt_descr.address) >> 3; 6713- nr = (address - idt_descr.address) >> 3;
6714+ nr = (address - (unsigned long)idt_descr.address) >> 3; 6714+ nr = (address - (unsigned long)idt_descr.address) >> 3;
6715 6715
6716 if (nr == 6) { 6716 if (nr == 6) {
6717 do_invalid_op(regs, 0); 6717 do_invalid_op(regs, 0);
6718@@ -518,18 +692,34 @@ no_context: 6718@@ -519,18 +693,34 @@ no_context:
6719 __typeof__(pte_val(__pte(0))) page; 6719 __typeof__(pte_val(__pte(0))) page;
6720 6720
6721 #ifdef CONFIG_X86_PAE 6721 #ifdef CONFIG_X86_PAE
6722- if (error_code & 16) { 6722- if (error_code & 16) {
6723- pte_t *pte = lookup_address(address); 6723- pte_t *pte = lookup_address(address);
6751+#endif 6751+#endif
6752+ 6752+
6753 else 6753 else
6754 printk(KERN_ALERT "BUG: unable to handle kernel paging" 6754 printk(KERN_ALERT "BUG: unable to handle kernel paging"
6755 " request"); 6755 " request");
6756@@ -560,7 +750,7 @@ no_context: 6756@@ -561,7 +751,7 @@ no_context:
6757 * it's allocated already. 6757 * it's allocated already.
6758 */ 6758 */
6759 if ((page >> PAGE_SHIFT) < max_low_pfn 6759 if ((page >> PAGE_SHIFT) < max_low_pfn
6760- && (page & _PAGE_PRESENT)) { 6760- && (page & _PAGE_PRESENT)) {
6761+ && (page & (_PAGE_PRESENT | _PAGE_PSE)) == _PAGE_PRESENT) { 6761+ && (page & (_PAGE_PRESENT | _PAGE_PSE)) == _PAGE_PRESENT) {
6762 page &= PAGE_MASK; 6762 page &= PAGE_MASK;
6763 page = ((__typeof__(page) *) __va(page))[(address >> PAGE_SHIFT) 6763 page = ((__typeof__(page) *) __va(page))[(address >> PAGE_SHIFT)
6764 & (PTRS_PER_PTE - 1)]; 6764 & (PTRS_PER_PTE - 1)];
6765@@ -645,3 +835,110 @@ void vmalloc_sync_all(void) 6765@@ -646,3 +836,110 @@ void vmalloc_sync_all(void)
6766 start = address + PGDIR_SIZE; 6766 start = address + PGDIR_SIZE;
6767 } 6767 }
6768 } 6768 }
6769+ 6769+
6770+#ifdef CONFIG_PAX_EMUTRAMP 6770+#ifdef CONFIG_PAX_EMUTRAMP
10235+#include <linux/compiler.h> 10235+#include <linux/compiler.h>
10236+#include <linux/binfmts.h> 10236+#include <linux/binfmts.h>
10237 10237
10238 #include <asm/page.h> 10238 #include <asm/page.h>
10239 #include <asm/pgtable.h> 10239 #include <asm/pgtable.h>
10240@@ -273,6 +277,369 @@ cannot_handle: 10240@@ -270,6 +274,369 @@ cannot_handle:
10241 unhandled_fault (address, current, regs); 10241 unhandled_fault (address, current, regs);
10242 } 10242 }
10243 10243
10244+#ifdef CONFIG_PAX_PAGEEXEC 10244+#ifdef CONFIG_PAX_PAGEEXEC
10245+#ifdef CONFIG_PAX_EMUPLT 10245+#ifdef CONFIG_PAX_EMUPLT
10605+#endif 10605+#endif
10606+ 10606+
10607 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs) 10607 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
10608 { 10608 {
10609 struct mm_struct *mm = current->mm; 10609 struct mm_struct *mm = current->mm;
10610@@ -314,8 +681,10 @@ asmlinkage void __kprobes do_sparc64_fau 10610@@ -311,8 +678,10 @@ asmlinkage void __kprobes do_sparc64_fau
10611 goto intr_or_no_mm; 10611 goto intr_or_no_mm;
10612 10612
10613 if (test_thread_flag(TIF_32BIT)) { 10613 if (test_thread_flag(TIF_32BIT)) {
10614- if (!(regs->tstate & TSTATE_PRIV)) 10614- if (!(regs->tstate & TSTATE_PRIV))
10615+ if (!(regs->tstate & TSTATE_PRIV)) { 10615+ if (!(regs->tstate & TSTATE_PRIV)) {
10617+ regs->tnpc &= 0xffffffff; 10617+ regs->tnpc &= 0xffffffff;
10618+ } 10618+ }
10619 address &= 0xffffffff; 10619 address &= 0xffffffff;
10620 } 10620 }
10621 10621
10622@@ -332,6 +701,29 @@ asmlinkage void __kprobes do_sparc64_fau 10622@@ -329,6 +698,29 @@ asmlinkage void __kprobes do_sparc64_fau
10623 if (!vma) 10623 if (!vma)
10624 goto bad_area; 10624 goto bad_area;
10625 10625
10626+#ifdef CONFIG_PAX_PAGEEXEC 10626+#ifdef CONFIG_PAX_PAGEEXEC
10627+ /* PaX: detect ITLB misses on non-exec pages */ 10627+ /* PaX: detect ITLB misses on non-exec pages */
13948- int err = vfs_permission(&nd, MAY_EXEC); 13948- int err = vfs_permission(&nd, MAY_EXEC);
13949+ err = vfs_permission(&nd, MAY_EXEC); 13949+ err = vfs_permission(&nd, MAY_EXEC);
13950 file = ERR_PTR(err); 13950 file = ERR_PTR(err);
13951 if (!err) { 13951 if (!err) {
13952 file = nameidata_to_filp(&nd, O_RDONLY); 13952 file = nameidata_to_filp(&nd, O_RDONLY);
13953@@ -1161,6 +1240,11 @@ int do_execve(char * filename, 13953@@ -1156,6 +1235,11 @@ int do_execve(char * filename,
13954 struct file *file; 13954 struct file *file;
13955 int retval; 13955 int retval;
13956 int i; 13956 int i;
13957+#ifdef CONFIG_GRKERNSEC 13957+#ifdef CONFIG_GRKERNSEC
13958+ struct file *old_exec_file; 13958+ struct file *old_exec_file;
13960+ struct rlimit old_rlim[RLIM_NLIMITS]; 13960+ struct rlimit old_rlim[RLIM_NLIMITS];
13961+#endif 13961+#endif
13962 13962
13963 retval = -ENOMEM; 13963 retval = -ENOMEM;
13964 bprm = kzalloc(sizeof(*bprm), GFP_KERNEL); 13964 bprm = kzalloc(sizeof(*bprm), GFP_KERNEL);
13965@@ -1172,10 +1256,29 @@ int do_execve(char * filename, 13965@@ -1167,10 +1251,29 @@ int do_execve(char * filename,
13966 if (IS_ERR(file)) 13966 if (IS_ERR(file))
13967 goto out_kfree; 13967 goto out_kfree;
13968 13968
13969+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes), 1); 13969+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes), 1);
13970+ 13970+
13990+#endif 13990+#endif
13991+ 13991+
13992 bprm->file = file; 13992 bprm->file = file;
13993 bprm->filename = filename; 13993 bprm->filename = filename;
13994 bprm->interp = filename; 13994 bprm->interp = filename;
13995@@ -1217,8 +1320,38 @@ int do_execve(char * filename, 13995@@ -1212,8 +1315,38 @@ int do_execve(char * filename,
13996 if (retval < 0) 13996 if (retval < 0)
13997 goto out; 13997 goto out;
13998 13998
13999+ if (!gr_tpe_allow(file)) { 13999+ if (!gr_tpe_allow(file)) {
14000+ retval = -EACCES; 14000+ retval = -EACCES;
14029+ fput(old_exec_file); 14029+ fput(old_exec_file);
14030+#endif 14030+#endif
14031 free_arg_pages(bprm); 14031 free_arg_pages(bprm);
14032 14032
14033 /* execve success */ 14033 /* execve success */
14034@@ -1228,6 +1361,14 @@ int do_execve(char * filename, 14034@@ -1223,6 +1356,14 @@ int do_execve(char * filename,
14035 return retval; 14035 return retval;
14036 } 14036 }
14037 14037
14038+out_fail: 14038+out_fail:
14039+#ifdef CONFIG_GRKERNSEC 14039+#ifdef CONFIG_GRKERNSEC
14044+#endif 14044+#endif
14045+ 14045+
14046 out: 14046 out:
14047 /* Something went wrong, return the inode and free the argument pages*/ 14047 /* Something went wrong, return the inode and free the argument pages*/
14048 for (i = 0 ; i < MAX_ARG_PAGES ; i++) { 14048 for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
14049@@ -1391,6 +1532,114 @@ out: 14049@@ -1386,6 +1527,114 @@ out:
14050 return ispipe; 14050 return ispipe;
14051 } 14051 }
14052 14052
14053+int pax_check_flags(unsigned long *flags) 14053+int pax_check_flags(unsigned long *flags)
14054+{ 14054+{
14159+#endif 14159+#endif
14160+ 14160+
14161 static void zap_process(struct task_struct *start) 14161 static void zap_process(struct task_struct *start)
14162 { 14162 {
14163 struct task_struct *t; 14163 struct task_struct *t;
14164@@ -1533,6 +1782,10 @@ int do_coredump(long signr, int exit_cod 14164@@ -1528,6 +1777,10 @@ int do_coredump(long signr, int exit_cod
14165 */ 14165 */
14166 clear_thread_flag(TIF_SIGPENDING); 14166 clear_thread_flag(TIF_SIGPENDING);
14167 14167
14168+ if (signr == SIGKILL || signr == SIGILL) 14168+ if (signr == SIGKILL || signr == SIGILL)
14169+ gr_handle_brute_attach(current); 14169+ gr_handle_brute_attach(current);
30246 if (entry) 30246 if (entry)
30247 entry->proc_fops = &proc_iomem_operations; 30247 entry->proc_fops = &proc_iomem_operations;
30248 return 0; 30248 return 0;
30249--- a/kernel/sched.c 30249--- a/kernel/sched.c
30250+++ b/kernel/sched.c 30250+++ b/kernel/sched.c
30251@@ -54,6 +54,7 @@ 30251@@ -53,6 +53,7 @@
30252 #include <linux/kprobes.h>
30252 #include <linux/delayacct.h> 30253 #include <linux/delayacct.h>
30253 #include <linux/reciprocal_div.h> 30254 #include <linux/reciprocal_div.h>
30254 #include <linux/slab.h>
30255+#include <linux/grsecurity.h> 30255+#include <linux/grsecurity.h>
30256 30256
30257 #include <asm/tlb.h> 30257 #include <asm/tlb.h>
30258 #include <asm/unistd.h> 30258 #include <asm/unistd.h>
30259@@ -3572,7 +3573,7 @@ asmlinkage void __sched schedule(void) 30259@@ -3571,7 +3572,7 @@ asmlinkage void __sched schedule(void)
30260 unsigned long long now; 30260 unsigned long long now;
30261 unsigned long run_time; 30261 unsigned long run_time;
30262 int cpu, idx, new_prio; 30262 int cpu, idx, new_prio;
30263- long *switch_count; 30263- long *switch_count;
30264+ unsigned long *switch_count; 30264+ unsigned long *switch_count;
30265 struct rq *rq; 30265 struct rq *rq;
30266 30266
30267 /* 30267 /*
30268@@ -4263,7 +4264,8 @@ asmlinkage long sys_nice(int increment) 30268@@ -4262,7 +4263,8 @@ asmlinkage long sys_nice(int increment)
30269 if (nice > 19) 30269 if (nice > 19)
30270 nice = 19; 30270 nice = 19;
30271 30271
30272- if (increment < 0 && !can_nice(current, nice)) 30272- if (increment < 0 && !can_nice(current, nice))
30273+ if (increment < 0 && (!can_nice(current, nice) || 30273+ if (increment < 0 && (!can_nice(current, nice) ||
33478- { -1, } 33478- { -1, }
33479+ { -1, NULL } 33479+ { -1, NULL }
33480 }; 33480 };
33481 33481
33482 int ipv6_parse_hopopts(struct sk_buff **skbp) 33482 int ipv6_parse_hopopts(struct sk_buff **skbp)
33483--- a/net/ipv6/ipv6_sockglue.c
33484+++ b/net/ipv6/ipv6_sockglue.c
33485@@ -825,7 +825,7 @@ static int ipv6_getsockopt_sticky(struct
33486 return 0;
33487
33488 len = min_t(unsigned int, len, ipv6_optlen(hdr));
33489- if (copy_to_user(optval, hdr, len));
33490+ if (copy_to_user(optval, hdr, len))
33491 return -EFAULT;
33492 return ipv6_optlen(hdr);
33493 }
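Review bot: Revision 1109 drops the entire net/ipv6/ipv6_sockglue.c hunk that removed the stray semicolon in `if (copy_to_user(optval, hdr, len));`, under which ipv6_getsockopt_sticky copies the option data and then returns -EFAULT unconditionally. Nothing on this page says why; presumably the rebased base kernel (2.6.22.4 per the patch name) now carries the upstream fix, but that should be confirmed against the base tree rather than assumed, because dropping a fix hunk silently regresses if the base does not have it. A line in the revision log naming the base-kernel change that makes the hunk redundant would make the drop auditable. ipv6_getsockopt_sticky starts outside the hunk.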
33494--- a/net/ipv6/raw.c 33483--- a/net/ipv6/raw.c
33495+++ b/net/ipv6/raw.c 33484+++ b/net/ipv6/raw.c
33496@@ -549,7 +549,7 @@ out: 33485@@ -549,7 +549,7 @@ out:
33497 return err; 33486 return err;
33498 } 33487 }
