
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 3.4.6/, 3.2.24/, 2.6.32/
Date: Wed, 01 Aug 2012 23:19:12
Message-Id: 1343863080.aa9317219e543d3f6f95d00619ba2af268edced9.blueness@gentoo
1 commit: aa9317219e543d3f6f95d00619ba2af268edced9
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Wed Aug 1 23:18:00 2012 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Wed Aug 1 23:18:00 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=aa931721
7
8 Grsec/PaX: 2.9.1-{2.6.32.59,3.2.24,3.4.6}-201207311908
9
10 ---
11 2.6.32/0000_README | 2 +-
12 ..._grsecurity-2.9.1-2.6.32.59-201207311908.patch} | 168 +++++-
13 3.2.24/0000_README | 2 +-
14 ...420_grsecurity-2.9.1-3.2.24-201207311909.patch} | 463 +++++++++++++---
15 3.4.6/0000_README | 2 +-
16 ...4420_grsecurity-2.9.1-3.4.7-201207311909.patch} | 618 +++++++++++---------
17 6 files changed, 863 insertions(+), 392 deletions(-)
18
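--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -30,7 +30,7 @@ Patch: 1058_linux-2.6.32.59.patch
 From: http://www.kernel.org
 Desc: Linux 2.6.32.59
 
-Patch: 4420_grsecurity-2.9.1-2.6.32.59-201207281944.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.59-201207311908.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 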
33 diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207281944.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207311908.patch
34 similarity index 99%
35 rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207281944.patch
36 rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207311908.patch
37 index 227df5e..a17194d 100644
38 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207281944.patch
39 +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207311908.patch
40 @@ -8939,7 +8939,7 @@ index bcbd36c..b1754af 100644
41
42 printf(".section \".rodata.compressed\",\"a\",@progbits\n");
43 diff --git a/arch/x86/boot/compressed/relocs.c b/arch/x86/boot/compressed/relocs.c
44 -index bbeb0c3..f5167ab 100644
45 +index bbeb0c3..1eb0571 100644
46 --- a/arch/x86/boot/compressed/relocs.c
47 +++ b/arch/x86/boot/compressed/relocs.c
48 @@ -10,8 +10,11 @@
49 @@ -9113,7 +9113,7 @@ index bbeb0c3..f5167ab 100644
50 +
51 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
52 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
53 -+ if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
54 ++ if (!strcmp(sec_name(sym->st_shndx), ".text.end") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
55 + continue;
56 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
57 + continue;
58 @@ -23007,7 +23007,7 @@ index d430e4c..831f817 100644
59
60 local_irq_save(flags);
61 diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
62 -index 3c68fe2..12c8280 100644
63 +index 3c68fe2..7a8c35b 100644
64 --- a/arch/x86/kernel/vmlinux.lds.S
65 +++ b/arch/x86/kernel/vmlinux.lds.S
66 @@ -26,6 +26,13 @@
67 @@ -23088,7 +23088,7 @@ index 3c68fe2..12c8280 100644
68 HEAD_TEXT
69 #ifdef CONFIG_X86_32
70 . = ALIGN(PAGE_SIZE);
71 -@@ -82,28 +102,71 @@ SECTIONS
72 +@@ -82,28 +102,72 @@ SECTIONS
73 IRQENTRY_TEXT
74 *(.fixup)
75 *(.gnu.warning)
76 @@ -23113,8 +23113,8 @@ index 3c68fe2..12c8280 100644
77 + MODULES_EXEC_VADDR = .;
78 + BYTE(0)
79 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
80 -+ . = ALIGN(HPAGE_SIZE);
81 -+ MODULES_EXEC_END = . - 1;
82 ++ . = ALIGN(HPAGE_SIZE) - 1;
83 ++ MODULES_EXEC_END = .;
84 +#endif
85 +
86 + } :module
87 @@ -23122,6 +23122,7 @@ index 3c68fe2..12c8280 100644
88 +
89 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
90 + /* End of text section */
91 ++ BYTE(0)
92 + _etext = . - __KERNEL_TEXT_OFFSET;
93 + }
94 +
95 @@ -23167,7 +23168,7 @@ index 3c68fe2..12c8280 100644
96
97 PAGE_ALIGNED_DATA(PAGE_SIZE)
98
99 -@@ -112,6 +175,8 @@ SECTIONS
100 +@@ -112,6 +176,8 @@ SECTIONS
101 DATA_DATA
102 CONSTRUCTORS
103
104 @@ -23176,7 +23177,7 @@ index 3c68fe2..12c8280 100644
105 /* rarely changed data like cpu maps */
106 READ_MOSTLY_DATA(CONFIG_X86_INTERNODE_CACHE_BYTES)
107
108 -@@ -166,12 +231,6 @@ SECTIONS
109 +@@ -166,12 +232,6 @@ SECTIONS
110 }
111 vgetcpu_mode = VVIRT(.vgetcpu_mode);
112
113 @@ -23189,7 +23190,7 @@ index 3c68fe2..12c8280 100644
114 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
115 *(.vsyscall_3)
116 }
117 -@@ -187,12 +246,19 @@ SECTIONS
118 +@@ -187,12 +247,19 @@ SECTIONS
119 #endif /* CONFIG_X86_64 */
120
121 /* Init code and data - will be freed after init */
122 @@ -23212,7 +23213,7 @@ index 3c68fe2..12c8280 100644
123 /*
124 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
125 * output PHDR, so the next output section - .init.text - should
126 -@@ -201,12 +267,27 @@ SECTIONS
127 +@@ -201,12 +268,27 @@ SECTIONS
128 PERCPU_VADDR(0, :percpu)
129 #endif
130
131 @@ -23245,7 +23246,7 @@ index 3c68fe2..12c8280 100644
132
133 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
134 __x86_cpu_dev_start = .;
135 -@@ -232,19 +313,11 @@ SECTIONS
136 +@@ -232,19 +314,11 @@ SECTIONS
137 *(.altinstr_replacement)
138 }
139
140 @@ -23266,7 +23267,7 @@ index 3c68fe2..12c8280 100644
141 PERCPU(PAGE_SIZE)
142 #endif
143
144 -@@ -267,12 +340,6 @@ SECTIONS
145 +@@ -267,12 +341,6 @@ SECTIONS
146 . = ALIGN(PAGE_SIZE);
147 }
148
149 @@ -23279,7 +23280,7 @@ index 3c68fe2..12c8280 100644
150 /* BSS */
151 . = ALIGN(PAGE_SIZE);
152 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
153 -@@ -288,6 +355,7 @@ SECTIONS
154 +@@ -288,6 +356,7 @@ SECTIONS
155 __brk_base = .;
156 . += 64 * 1024; /* 64k alignment slop space */
157 *(.brk_reservation) /* areas brk users have reserved */
158 @@ -23287,7 +23288,7 @@ index 3c68fe2..12c8280 100644
159 __brk_limit = .;
160 }
161
162 -@@ -316,13 +384,12 @@ SECTIONS
163 +@@ -316,13 +385,12 @@ SECTIONS
164 * for the boot processor.
165 */
166 #define INIT_PER_CPU(x) init_per_cpu__##x = per_cpu__##x + __per_cpu_load
167 @@ -75400,7 +75401,7 @@ index fd38ce2..f5381b8 100644
168 return -EINVAL;
169
170 diff --git a/fs/seq_file.c b/fs/seq_file.c
171 -index eae7d9d..b7613c6 100644
172 +index eae7d9d..c6bba46 100644
173 --- a/fs/seq_file.c
174 +++ b/fs/seq_file.c
175 @@ -9,6 +9,7 @@
176 @@ -75421,7 +75422,55 @@ index eae7d9d..b7613c6 100644
177
178 /*
179 * Wrappers around seq_open(e.g. swaps_open) need to be
180 -@@ -551,7 +555,7 @@ static void single_stop(struct seq_file *p, void *v)
181 +@@ -76,7 +80,11 @@ static int traverse(struct seq_file *m, loff_t offset)
182 + return 0;
183 + }
184 + if (!m->buf) {
185 ++#ifdef CONFIG_GRKERNSEC_HIDESYM
186 ++ m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL | GFP_USERCOPY);
187 ++#else
188 + m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
189 ++#endif
190 + if (!m->buf)
191 + return -ENOMEM;
192 + }
193 +@@ -116,7 +124,11 @@ static int traverse(struct seq_file *m, loff_t offset)
194 + Eoverflow:
195 + m->op->stop(m, p);
196 + kfree(m->buf);
197 ++#ifdef CONFIG_GRKERNSEC_HIDESYM
198 ++ m->buf = kmalloc(m->size <<= 1, GFP_KERNEL | GFP_USERCOPY);
199 ++#else
200 + m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
201 ++#endif
202 + return !m->buf ? -ENOMEM : -EAGAIN;
203 + }
204 +
205 +@@ -169,7 +181,11 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
206 + m->version = file->f_version;
207 + /* grab buffer if we didn't have one */
208 + if (!m->buf) {
209 ++#ifdef CONFIG_GRKERNSEC_HIDESYM
210 ++ m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL | GFP_USERCOPY);
211 ++#else
212 + m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
213 ++#endif
214 + if (!m->buf)
215 + goto Enomem;
216 + }
217 +@@ -210,7 +226,11 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
218 + goto Fill;
219 + m->op->stop(m, p);
220 + kfree(m->buf);
221 ++#ifdef CONFIG_GRKERNSEC_HIDESYM
222 ++ m->buf = kmalloc(m->size <<= 1, GFP_KERNEL | GFP_USERCOPY);
223 ++#else
224 + m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
225 ++#endif
226 + if (!m->buf)
227 + goto Enomem;
228 + m->count = 0;
229 +@@ -551,7 +571,7 @@ static void single_stop(struct seq_file *p, void *v)
230 int single_open(struct file *file, int (*show)(struct seq_file *, void *),
231 void *data)
232 {
233 @@ -76190,10 +76239,10 @@ index 8f32f50..b6a41e8 100644
234 link[pathlen] = '\0';
235 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
236 new file mode 100644
237 -index 0000000..c20c1db
238 +index 0000000..bbbfa1c
239 --- /dev/null
240 +++ b/grsecurity/Kconfig
241 -@@ -0,0 +1,939 @@
242 +@@ -0,0 +1,940 @@
243 +#
244 +# grecurity configuration
245 +#
246 @@ -76320,6 +76369,7 @@ index 0000000..c20c1db
247 +
248 +config GRKERNSEC_HIDESYM
249 + bool "Hide kernel symbols"
250 ++ select PAX_USERCOPY_SLABS
251 + default y if GRKERNSEC_CONFIG_AUTO
252 + help
253 + If you say Y here, getting information on loaded modules, and
254 @@ -95468,10 +95518,25 @@ index 67578ca..4115fbf 100644
255
256 static inline void mutex_clear_owner(struct mutex *lock)
257 diff --git a/kernel/panic.c b/kernel/panic.c
258 -index 96b45d0..7677a03 100644
259 +index 96b45d0..98fb1c3 100644
260 --- a/kernel/panic.c
261 +++ b/kernel/panic.c
262 -@@ -71,7 +71,11 @@ NORET_TYPE void panic(const char * fmt, ...)
263 +@@ -59,6 +59,14 @@ NORET_TYPE void panic(const char * fmt, ...)
264 + long i;
265 +
266 + /*
267 ++ * Disable local interrupts. This will prevent panic_smp_self_stop
268 ++ * from deadlocking the first cpu that invokes the panic, since
269 ++ * there is nothing to prevent an interrupt handler (that runs
270 ++ * after the panic_lock is acquired) from invoking panic again.
271 ++ */
272 ++ local_irq_disable();
273 ++
274 ++ /*
275 + * It's possible to come here directly from a panic-assertion and
276 + * not have preempt disabled. Some functions called from here want
277 + * preempt to be disabled. No point enabling it later though...
278 +@@ -71,7 +79,11 @@ NORET_TYPE void panic(const char * fmt, ...)
279 va_end(args);
280 printk(KERN_EMERG "Kernel panic - not syncing: %s\n",buf);
281 #ifdef CONFIG_DEBUG_BUGVERBOSE
282 @@ -95484,7 +95549,7 @@ index 96b45d0..7677a03 100644
283 #endif
284
285 /*
286 -@@ -352,7 +356,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller, struc
287 +@@ -352,7 +364,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller, struc
288 const char *board;
289
290 printk(KERN_WARNING "------------[ cut here ]------------\n");
291 @@ -95493,7 +95558,7 @@ index 96b45d0..7677a03 100644
292 board = dmi_get_system_info(DMI_PRODUCT_NAME);
293 if (board)
294 printk(KERN_WARNING "Hardware name: %s\n", board);
295 -@@ -392,7 +396,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
296 +@@ -392,7 +404,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
297 */
298 void __stack_chk_fail(void)
299 {
300 @@ -98299,7 +98364,7 @@ index 217d5c4..45aba8a 100644
301
302 /**
303 diff --git a/lib/vsprintf.c b/lib/vsprintf.c
304 -index 33bed5e..1477e46 100644
305 +index 33bed5e..ab4e52f 100644
306 --- a/lib/vsprintf.c
307 +++ b/lib/vsprintf.c
308 @@ -16,6 +16,9 @@
309 @@ -98369,7 +98434,30 @@ index 33bed5e..1477e46 100644
310 return symbol_string(buf, end, ptr, spec, *fmt);
311 case 'R':
312 return resource_string(buf, end, ptr, spec);
313 -@@ -1445,7 +1458,7 @@ do { \
314 +@@ -853,7 +866,22 @@ static char *pointer(const char *fmt, char *buf, char *end, void *ptr,
315 + return ip4_addr_string(buf, end, ptr, spec, fmt);
316 + }
317 + break;
318 ++ case 'P':
319 ++ break;
320 + }
321 ++
322 ++#ifdef CONFIG_GRKERNSEC_HIDESYM
323 ++ /* 'P' = approved pointers to copy to userland,
324 ++ as in the /proc/kallsyms case, as we make it display nothing
325 ++ for non-root users, and the real contents for root users
326 ++ */
327 ++ if (ptr > TASK_SIZE && *fmt != 'P' && is_usercopy_object(buf)) {
328 ++ printk(KERN_ALERT "grsec: kernel infoleak detected! Please report this log to spender@××××××××××.net.\n");
329 ++ dump_stack();
330 ++ ptr = NULL;
331 ++ }
332 ++#endif
333 ++
334 + spec.flags |= SMALL;
335 + if (spec.field_width == -1) {
336 + spec.field_width = 2*sizeof(void *);
337 +@@ -1445,7 +1473,7 @@ do { \
338 size_t len;
339 if ((unsigned long)save_str > (unsigned long)-PAGE_SIZE
340 || (unsigned long)save_str < PAGE_SIZE)
341 @@ -98378,7 +98466,7 @@ index 33bed5e..1477e46 100644
342 len = strlen(save_str);
343 if (str + len + 1 < end)
344 memcpy(str, save_str, len + 1);
345 -@@ -1555,11 +1568,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
346 +@@ -1555,11 +1583,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
347 typeof(type) value; \
348 if (sizeof(type) == 8) { \
349 args = PTR_ALIGN(args, sizeof(u32)); \
350 @@ -98393,7 +98481,7 @@ index 33bed5e..1477e46 100644
351 } \
352 args += sizeof(type); \
353 value; \
354 -@@ -1622,7 +1635,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
355 +@@ -1622,7 +1650,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
356 const char *str_arg = args;
357 size_t len = strlen(str_arg);
358 args += len + 1;
359 @@ -105574,6 +105662,27 @@ index de4a1b1..94ec861 100644
360 src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
361 dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
362
363 +diff --git a/net/rds/recv.c b/net/rds/recv.c
364 +index 6a2654a..c45a881c 100644
365 +--- a/net/rds/recv.c
366 ++++ b/net/rds/recv.c
367 +@@ -410,6 +410,8 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
368 +
369 + rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo);
370 +
371 ++ msg->msg_namelen = 0;
372 ++
373 + if (msg_flags & MSG_OOB)
374 + goto out;
375 +
376 +@@ -486,6 +488,7 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
377 + sin->sin_port = inc->i_hdr.h_sport;
378 + sin->sin_addr.s_addr = inc->i_saddr;
379 + memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
380 ++ msg->msg_namelen = sizeof(*sin);
381 + }
382 + break;
383 + }
384 diff --git a/net/rds/tcp.c b/net/rds/tcp.c
385 index b5198ae..8b9fb90 100644
386 --- a/net/rds/tcp.c
387 @@ -107155,10 +107264,10 @@ index d52f7a0..b66cdd9 100755
388 rm -f tags
389 xtags ctags
390 diff --git a/security/Kconfig b/security/Kconfig
391 -index fb363cd..6426142 100644
392 +index fb363cd..124d914 100644
393 --- a/security/Kconfig
394 +++ b/security/Kconfig
395 -@@ -4,6 +4,869 @@
396 +@@ -4,6 +4,870 @@
397
398 menu "Security options"
399
400 @@ -107190,6 +107299,7 @@ index fb363cd..6426142 100644
401 + bool "Grsecurity"
402 + select CRYPTO
403 + select CRYPTO_SHA256
404 ++ select PROC_FS
405 + select STOP_MACHINE
406 + help
407 + If you say Y here, you will be able to configure many features
408 @@ -108028,7 +108138,7 @@ index fb363cd..6426142 100644
409 config KEYS
410 bool "Enable access key retention support"
411 help
412 -@@ -146,7 +1009,7 @@ config INTEL_TXT
413 +@@ -146,7 +1010,7 @@ config INTEL_TXT
414 config LSM_MMAP_MIN_ADDR
415 int "Low address space for LSM to protect from user allocation"
416 depends on SECURITY && SECURITY_SELINUX
417
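Review bot: In the lib/vsprintf.c hunk the new HIDESYM check compares the `void *ptr` parameter of pointer() directly with TASK_SIZE, `if (ptr > TASK_SIZE && *fmt != 'P' && is_usercopy_object(buf))`; a relational comparison between a pointer and an integer is a constraint violation in ISO C and GCC diagnoses it, so the operand should be cast, `if ((unsigned long)ptr > TASK_SIZE && *fmt != 'P' && is_usercopy_object(buf)) {`. The check is only reached for plain `%p` (the typed cases above return from the switch and 'P' is exempted explicitly), which looks intentional but deserves a comment such as `/* only plain %p reaches here; the typed formats above return */`. What is_usercopy_object(buf) asserts about the destination buffer is not visible here, so whether replacing ptr with NULL covers every output path that lands in a usercopy slab cannot be judged from this hunk. The matching HIDESYM change in fs/seq_file.c repeats the same `#ifdef CONFIG_GRKERNSEC_HIDESYM`/`#else`/`#endif` block at four kmalloc sites; defining the flag mask once (a `GFP_KERNEL | GFP_USERCOPY` macro that degrades to `GFP_KERNEL`) would keep the call sites identical and harder to get out of sync. pointer() starts and ends outside the hunk.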
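--- a/3.2.24/0000_README
+++ b/3.2.24/0000_README
@@ -14,7 +14,7 @@ Patch: 1023_linux-3.2.24.patch
 From: http://www.kernel.org
 Desc: Linux 3.2.24
 
-Patch: 4420_grsecurity-2.9.1-3.2.24-201207281946.patch
+Patch: 4420_grsecurity-2.9.1-3.2.24-201207311909.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 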
432 diff --git a/3.2.24/4420_grsecurity-2.9.1-3.2.24-201207281946.patch b/3.2.24/4420_grsecurity-2.9.1-3.2.24-201207311909.patch
433 similarity index 99%
434 rename from 3.2.24/4420_grsecurity-2.9.1-3.2.24-201207281946.patch
435 rename to 3.2.24/4420_grsecurity-2.9.1-3.2.24-201207311909.patch
436 index d960312..4c10305 100644
437 --- a/3.2.24/4420_grsecurity-2.9.1-3.2.24-201207281946.patch
438 +++ b/3.2.24/4420_grsecurity-2.9.1-3.2.24-201207311909.patch
439 @@ -211,6 +211,39 @@ index 81c287f..d456d02 100644
440 pcbit= [HW,ISDN]
441
442 pcd. [PARIDE]
443 +diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt
444 +index 88fd7f5..b318a78 100644
445 +--- a/Documentation/sysctl/fs.txt
446 ++++ b/Documentation/sysctl/fs.txt
447 +@@ -163,16 +163,22 @@ This value can be used to query and set the core dump mode for setuid
448 + or otherwise protected/tainted binaries. The modes are
449 +
450 + 0 - (default) - traditional behaviour. Any process which has changed
451 +- privilege levels or is execute only will not be dumped
452 ++ privilege levels or is execute only will not be dumped.
453 + 1 - (debug) - all processes dump core when possible. The core dump is
454 + owned by the current user and no security is applied. This is
455 + intended for system debugging situations only. Ptrace is unchecked.
456 ++ This is insecure as it allows regular users to examine the memory
457 ++ contents of privileged processes.
458 + 2 - (suidsafe) - any binary which normally would not be dumped is dumped
459 +- readable by root only. This allows the end user to remove
460 +- such a dump but not access it directly. For security reasons
461 +- core dumps in this mode will not overwrite one another or
462 +- other files. This mode is appropriate when administrators are
463 +- attempting to debug problems in a normal environment.
464 ++ anyway, but only if the "core_pattern" kernel sysctl is set to
465 ++ either a pipe handler or a fully qualified path. (For more details
466 ++ on this limitation, see CVE-2006-2451.) This mode is appropriate
467 ++ when administrators are attempting to debug problems in a normal
468 ++ environment, and either have a core dump pipe handler that knows
469 ++ to treat privileged core dumps with care, or specific directory
470 ++ defined for catching core dumps. If a core dump happens without
471 ++ a pipe handler or fully qualifid path, a message will be emitted
472 ++ to syslog warning about the lack of a correct setting.
473 +
474 + ==============================================================
475 +
476 diff --git a/Makefile b/Makefile
477 index 80bb4fd..964ea28 100644
478 --- a/Makefile
479 @@ -20032,7 +20065,7 @@ index 04b8726..0c35b29 100644
480 goto cannot_handle;
481 if ((segoffs >> 16) == BIOSSEG)
482 diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
483 -index 0f703f1..9e15f64 100644
484 +index 0f703f1..3b426f3 100644
485 --- a/arch/x86/kernel/vmlinux.lds.S
486 +++ b/arch/x86/kernel/vmlinux.lds.S
487 @@ -26,6 +26,13 @@
488 @@ -20101,7 +20134,7 @@ index 0f703f1..9e15f64 100644
489 HEAD_TEXT
490 #ifdef CONFIG_X86_32
491 . = ALIGN(PAGE_SIZE);
492 -@@ -108,13 +128,47 @@ SECTIONS
493 +@@ -108,13 +128,48 @@ SECTIONS
494 IRQENTRY_TEXT
495 *(.fixup)
496 *(.gnu.warning)
497 @@ -20121,8 +20154,8 @@ index 0f703f1..9e15f64 100644
498 + MODULES_EXEC_VADDR = .;
499 + BYTE(0)
500 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
501 -+ . = ALIGN(HPAGE_SIZE);
502 -+ MODULES_EXEC_END = . - 1;
503 ++ . = ALIGN(HPAGE_SIZE) - 1;
504 ++ MODULES_EXEC_END = .;
505 +#endif
506 +
507 + } :module
508 @@ -20130,6 +20163,7 @@ index 0f703f1..9e15f64 100644
509 +
510 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
511 + /* End of text section */
512 ++ BYTE(0)
513 + _etext = . - __KERNEL_TEXT_OFFSET;
514 + }
515 +
516 @@ -20153,7 +20187,7 @@ index 0f703f1..9e15f64 100644
517
518 #if defined(CONFIG_DEBUG_RODATA)
519 /* .text should occupy whole number of pages */
520 -@@ -126,16 +180,20 @@ SECTIONS
521 +@@ -126,16 +181,20 @@ SECTIONS
522
523 /* Data */
524 .data : AT(ADDR(.data) - LOAD_OFFSET) {
525 @@ -20177,7 +20211,7 @@ index 0f703f1..9e15f64 100644
526
527 PAGE_ALIGNED_DATA(PAGE_SIZE)
528
529 -@@ -176,12 +234,19 @@ SECTIONS
530 +@@ -176,12 +235,19 @@ SECTIONS
531 #endif /* CONFIG_X86_64 */
532
533 /* Init code and data - will be freed after init */
534 @@ -20200,7 +20234,7 @@ index 0f703f1..9e15f64 100644
535 /*
536 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
537 * output PHDR, so the next output section - .init.text - should
538 -@@ -190,12 +255,27 @@ SECTIONS
539 +@@ -190,12 +256,27 @@ SECTIONS
540 PERCPU_VADDR(INTERNODE_CACHE_BYTES, 0, :percpu)
541 #endif
542
543 @@ -20233,7 +20267,7 @@ index 0f703f1..9e15f64 100644
544
545 /*
546 * Code and data for a variety of lowlevel trampolines, to be
547 -@@ -269,19 +349,12 @@ SECTIONS
548 +@@ -269,19 +350,12 @@ SECTIONS
549 }
550
551 . = ALIGN(8);
552 @@ -20254,7 +20288,7 @@ index 0f703f1..9e15f64 100644
553 PERCPU_SECTION(INTERNODE_CACHE_BYTES)
554 #endif
555
556 -@@ -300,16 +373,10 @@ SECTIONS
557 +@@ -300,16 +374,10 @@ SECTIONS
558 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
559 __smp_locks = .;
560 *(.smp_locks)
561 @@ -20272,7 +20306,7 @@ index 0f703f1..9e15f64 100644
562 /* BSS */
563 . = ALIGN(PAGE_SIZE);
564 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
565 -@@ -325,6 +392,7 @@ SECTIONS
566 +@@ -325,6 +393,7 @@ SECTIONS
567 __brk_base = .;
568 . += 64 * 1024; /* 64k alignment slop space */
569 *(.brk_reservation) /* areas brk users have reserved */
570 @@ -20280,7 +20314,7 @@ index 0f703f1..9e15f64 100644
571 __brk_limit = .;
572 }
573
574 -@@ -351,13 +419,12 @@ SECTIONS
575 +@@ -351,13 +420,12 @@ SECTIONS
576 * for the boot processor.
577 */
578 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
579 @@ -26837,7 +26871,7 @@ index f10c0af..3ec1f95 100644
580 syscall_init(); /* This sets MSR_*STAR and related */
581 #endif
582 diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c
583 -index e529730..574ed56 100644
584 +index e529730..8d08690 100644
585 --- a/arch/x86/tools/relocs.c
586 +++ b/arch/x86/tools/relocs.c
587 @@ -11,10 +11,13 @@
588 @@ -26930,7 +26964,7 @@ index e529730..574ed56 100644
589 }
590 + base = 0;
591 +
592 -+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
593 ++#ifdef CONFIG_X86_32
594 + for (j = 0; j < ehdr.e_phnum; j++) {
595 + if (phdr[j].p_type != PT_LOAD )
596 + continue;
597 @@ -27007,7 +27041,7 @@ index e529730..574ed56 100644
598 +
599 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
600 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
601 -+ if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
602 ++ if (!strcmp(sec_name(sym->st_shndx), ".text.end") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
603 + continue;
604 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
605 + continue;
606 @@ -34820,6 +34854,19 @@ index 2b1482a..5d33616 100644
607 union axis_conversion ac; /* hw -> logical axis */
608 int mapped_btns[3];
609
610 +diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
611 +index 150cd70..1d5d99b 100644
612 +--- a/drivers/misc/lkdtm.c
613 ++++ b/drivers/misc/lkdtm.c
614 +@@ -473,6 +473,8 @@ static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf,
615 + int i, n, out;
616 +
617 + buf = (char *)__get_free_page(GFP_KERNEL);
618 ++ if (buf == NULL)
619 ++ return -ENOMEM;
620 +
621 + n = snprintf(buf, PAGE_SIZE, "Available crash types:\n");
622 + for (i = 0; i < ARRAY_SIZE(cp_type); i++)
623 diff --git a/drivers/misc/sgi-gru/gruhandles.c b/drivers/misc/sgi-gru/gruhandles.c
624 index 2f30bad..c4c13d0 100644
625 --- a/drivers/misc/sgi-gru/gruhandles.c
626 @@ -35090,6 +35137,22 @@ index 8d082b4..aa749ae 100644
627
628 /*
629 * Timer function to enforce the timelimit on the partition disengage.
630 +diff --git a/drivers/misc/ti-st/st_core.c b/drivers/misc/ti-st/st_core.c
631 +index ba168a7..399925d 100644
632 +--- a/drivers/misc/ti-st/st_core.c
633 ++++ b/drivers/misc/ti-st/st_core.c
634 +@@ -347,6 +347,11 @@ void st_int_recv(void *disc_data,
635 + st_gdata->rx_skb = alloc_skb(
636 + st_gdata->list[type]->max_frame_size,
637 + GFP_ATOMIC);
638 ++ if (st_gdata->rx_skb == NULL) {
639 ++ pr_err("out of memory: dropping\n");
640 ++ goto done;
641 ++ }
642 ++
643 + skb_reserve(st_gdata->rx_skb,
644 + st_gdata->list[type]->reserve);
645 + /* next 2 required for BT only */
646 diff --git a/drivers/mmc/host/sdhci-pci.c b/drivers/mmc/host/sdhci-pci.c
647 index 6878a94..fe5c5f1 100644
648 --- a/drivers/mmc/host/sdhci-pci.c
649 @@ -44481,7 +44544,7 @@ index 608c1c3..7d040a8 100644
650 return rc;
651 }
652 diff --git a/fs/exec.c b/fs/exec.c
653 -index 160cd2f..5cc2091 100644
654 +index 160cd2f..78b8d86 100644
655 --- a/fs/exec.c
656 +++ b/fs/exec.c
657 @@ -55,12 +55,33 @@
658 @@ -45252,6 +45315,36 @@ index 160cd2f..5cc2091 100644
659 static int zap_process(struct task_struct *start, int exit_code)
660 {
661 struct task_struct *t;
662 +@@ -1988,17 +2365,17 @@ static void coredump_finish(struct mm_struct *mm)
663 + void set_dumpable(struct mm_struct *mm, int value)
664 + {
665 + switch (value) {
666 +- case 0:
667 ++ case SUID_DUMPABLE_DISABLED:
668 + clear_bit(MMF_DUMPABLE, &mm->flags);
669 + smp_wmb();
670 + clear_bit(MMF_DUMP_SECURELY, &mm->flags);
671 + break;
672 +- case 1:
673 ++ case SUID_DUMPABLE_ENABLED:
674 + set_bit(MMF_DUMPABLE, &mm->flags);
675 + smp_wmb();
676 + clear_bit(MMF_DUMP_SECURELY, &mm->flags);
677 + break;
678 +- case 2:
679 ++ case SUID_DUMPABLE_SAFE:
680 + set_bit(MMF_DUMP_SECURELY, &mm->flags);
681 + smp_wmb();
682 + set_bit(MMF_DUMPABLE, &mm->flags);
683 +@@ -2011,7 +2388,7 @@ static int __get_dumpable(unsigned long mm_flags)
684 + int ret;
685 +
686 + ret = mm_flags & MMF_DUMPABLE_MASK;
687 +- return (ret >= 2) ? 2 : ret;
688 ++ return (ret > SUID_DUMPABLE_ENABLED) ? SUID_DUMPABLE_SAFE : ret;
689 + }
690 +
691 + int get_dumpable(struct mm_struct *mm)
692 @@ -2026,17 +2403,17 @@ static void wait_for_dump_helpers(struct file *file)
693 pipe = file->f_path.dentry->d_inode->i_pipe;
694
695 @@ -45275,16 +45368,17 @@ index 160cd2f..5cc2091 100644
696 pipe_unlock(pipe);
697
698 }
699 -@@ -2097,7 +2474,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
700 +@@ -2097,7 +2474,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
701 int retval = 0;
702 int flag = 0;
703 int ispipe;
704 - static atomic_t core_dump_count = ATOMIC_INIT(0);
705 ++ bool need_nonrelative = false;
706 + static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
707 struct coredump_params cprm = {
708 .signr = signr,
709 .regs = regs,
710 -@@ -2112,6 +2489,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
711 +@@ -2112,6 +2490,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
712
713 audit_core_dumps(signr);
714
715 @@ -45294,7 +45388,28 @@ index 160cd2f..5cc2091 100644
716 binfmt = mm->binfmt;
717 if (!binfmt || !binfmt->core_dump)
718 goto fail;
719 -@@ -2179,7 +2559,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
720 +@@ -2122,14 +2503,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
721 + if (!cred)
722 + goto fail;
723 + /*
724 +- * We cannot trust fsuid as being the "true" uid of the
725 +- * process nor do we know its entire history. We only know it
726 +- * was tainted so we dump it as root in mode 2.
727 ++ * We cannot trust fsuid as being the "true" uid of the process
728 ++ * nor do we know its entire history. We only know it was tainted
729 ++ * so we dump it as root in mode 2, and only into a controlled
730 ++ * environment (pipe handler or fully qualified path).
731 + */
732 +- if (__get_dumpable(cprm.mm_flags) == 2) {
733 ++ if (__get_dumpable(cprm.mm_flags) == SUID_DUMPABLE_SAFE) {
734 + /* Setuid core dump mode */
735 + flag = O_EXCL; /* Stop rewrite attacks */
736 + cred->fsuid = 0; /* Dump root private */
737 ++ need_nonrelative = true;
738 + }
739 +
740 + retval = coredump_wait(exit_code, &core_state);
741 +@@ -2179,7 +2562,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
742 }
743 cprm.limit = RLIM_INFINITY;
744
745 @@ -45303,7 +45418,7 @@ index 160cd2f..5cc2091 100644
746 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
747 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
748 task_tgid_vnr(current), current->comm);
749 -@@ -2206,6 +2586,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
750 +@@ -2206,9 +2589,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
751 } else {
752 struct inode *inode;
753
754 @@ -45312,7 +45427,18 @@ index 160cd2f..5cc2091 100644
755 if (cprm.limit < binfmt->min_coredump)
756 goto fail_unlock;
757
758 -@@ -2249,7 +2631,7 @@ close_fail:
759 ++ if (need_nonrelative && cn.corename[0] != '/') {
760 ++ printk(KERN_WARNING "Pid %d(%s) can only dump core "\
761 ++ "to fully qualified path!\n",
762 ++ task_tgid_vnr(current), current->comm);
763 ++ printk(KERN_WARNING "Skipping core dump\n");
764 ++ goto fail_unlock;
765 ++ }
766 ++
767 + cprm.file = filp_open(cn.corename,
768 + O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
769 + 0600);
770 +@@ -2249,7 +2642,7 @@ close_fail:
771 filp_close(cprm.file, NULL);
772 fail_dropcount:
773 if (ispipe)
774 @@ -45321,7 +45447,7 @@ index 160cd2f..5cc2091 100644
775 fail_unlock:
776 kfree(cn.corename);
777 fail_corename:
778 -@@ -2268,7 +2650,7 @@ fail:
779 +@@ -2268,7 +2661,7 @@ fail:
780 */
781 int dump_write(struct file *file, const void *addr, int nr)
782 {
783 @@ -50014,7 +50140,7 @@ index d33418f..2a5345e 100644
784 return -EINVAL;
785
786 diff --git a/fs/seq_file.c b/fs/seq_file.c
787 -index dba43c3..4b3f701 100644
788 +index dba43c3..9ae2292 100644
789 --- a/fs/seq_file.c
790 +++ b/fs/seq_file.c
791 @@ -9,6 +9,7 @@
792 @@ -50035,7 +50161,55 @@ index dba43c3..4b3f701 100644
793
794 /*
795 * Wrappers around seq_open(e.g. swaps_open) need to be
796 -@@ -549,7 +553,7 @@ static void single_stop(struct seq_file *p, void *v)
797 +@@ -76,7 +80,11 @@ static int traverse(struct seq_file *m, loff_t offset)
798 + return 0;
799 + }
800 + if (!m->buf) {
801 ++#ifdef CONFIG_GRKERNSEC_HIDESYM
802 ++ m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL | GFP_USERCOPY);
803 ++#else
804 + m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
805 ++#endif
806 + if (!m->buf)
807 + return -ENOMEM;
808 + }
809 +@@ -116,7 +124,11 @@ static int traverse(struct seq_file *m, loff_t offset)
810 + Eoverflow:
811 + m->op->stop(m, p);
812 + kfree(m->buf);
813 ++#ifdef CONFIG_GRKERNSEC_HIDESYM
814 ++ m->buf = kmalloc(m->size <<= 1, GFP_KERNEL | GFP_USERCOPY);
815 ++#else
816 + m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
817 ++#endif
818 + return !m->buf ? -ENOMEM : -EAGAIN;
819 + }
820 +
821 +@@ -169,7 +181,11 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
822 + m->version = file->f_version;
823 + /* grab buffer if we didn't have one */
824 + if (!m->buf) {
825 ++#ifdef CONFIG_GRKERNSEC_HIDESYM
826 ++ m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL | GFP_USERCOPY);
827 ++#else
828 + m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
829 ++#endif
830 + if (!m->buf)
831 + goto Enomem;
832 + }
833 +@@ -210,7 +226,11 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
834 + goto Fill;
835 + m->op->stop(m, p);
836 + kfree(m->buf);
837 ++#ifdef CONFIG_GRKERNSEC_HIDESYM
838 ++ m->buf = kmalloc(m->size <<= 1, GFP_KERNEL | GFP_USERCOPY);
839 ++#else
840 + m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
841 ++#endif
842 + if (!m->buf)
843 + goto Enomem;
844 + m->count = 0;
845 +@@ -549,7 +569,7 @@ static void single_stop(struct seq_file *p, void *v)
846 int single_open(struct file *file, int (*show)(struct seq_file *, void *),
847 void *data)
848 {
849 @@ -50452,10 +50626,10 @@ index 23ce927..e274cc1 100644
850 kfree(s);
851 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
852 new file mode 100644
853 -index 0000000..b9e7d6f
854 +index 0000000..cb7b8ea
855 --- /dev/null
856 +++ b/grsecurity/Kconfig
857 -@@ -0,0 +1,940 @@
858 +@@ -0,0 +1,941 @@
859 +#
860 +# grecurity configuration
861 +#
862 @@ -50583,6 +50757,7 @@ index 0000000..b9e7d6f
863 +
864 +config GRKERNSEC_HIDESYM
865 + bool "Hide kernel symbols"
866 ++ select PAX_USERCOPY_SLABS
867 + default y if GRKERNSEC_CONFIG_AUTO
868 + help
869 + If you say Y here, getting information on loaded modules, and
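Review bot: `select PAX_USERCOPY_SLABS` is a hard select from a GRKERNSEC symbol, and Kconfig's select ignores any `depends on` of the selected symbol, so if PAX_USERCOPY_SLABS carries dependencies this can yield a .config with the symbol set but its prerequisites unmet; whether it has any is not visible from this hunk. The reason for the select is also undocumented: judging by the lib/vsprintf.c change elsewhere in this patch, HIDESYM now relies on is_usercopy_object() to detect kernel pointers being formatted into user-copyable buffers, and that needs the slab-side tracking. Suggest adding a sentence to the help text, e.g. `This option also selects PAX_USERCOPY_SLABS, which the kernel-pointer infoleak check in vsprintf depends on.` The help text continues outside the hunk.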
870 @@ -64045,7 +64220,7 @@ index 2148b12..519b820 100644
871
872 static inline void anon_vma_merge(struct vm_area_struct *vma,
873 diff --git a/include/linux/sched.h b/include/linux/sched.h
874 -index 5afa2a3..98df553 100644
875 +index 5afa2a3..d74a9b4 100644
876 --- a/include/linux/sched.h
877 +++ b/include/linux/sched.h
878 @@ -101,6 +101,7 @@ struct bio_list;
879 @@ -64070,7 +64245,19 @@ index 5afa2a3..98df553 100644
880 extern void arch_pick_mmap_layout(struct mm_struct *mm);
881 extern unsigned long
882 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
883 -@@ -629,6 +633,17 @@ struct signal_struct {
884 +@@ -402,6 +406,11 @@ static inline void arch_pick_mmap_layout(struct mm_struct *mm) {}
885 + extern void set_dumpable(struct mm_struct *mm, int value);
886 + extern int get_dumpable(struct mm_struct *mm);
887 +
888 ++/* get/set_dumpable() values */
889 ++#define SUID_DUMPABLE_DISABLED 0
890 ++#define SUID_DUMPABLE_ENABLED 1
891 ++#define SUID_DUMPABLE_SAFE 2
892 ++
893 + /* mm flags */
894 + /* dumpable bits */
895 + #define MMF_DUMPABLE 0 /* core dump is permitted */
896 +@@ -629,6 +638,17 @@ struct signal_struct {
897 #ifdef CONFIG_TASKSTATS
898 struct taskstats *stats;
899 #endif
900 @@ -64088,7 +64275,7 @@ index 5afa2a3..98df553 100644
901 #ifdef CONFIG_AUDIT
902 unsigned audit_tty;
903 struct tty_audit_buf *tty_audit_buf;
904 -@@ -710,6 +725,11 @@ struct user_struct {
905 +@@ -710,6 +730,11 @@ struct user_struct {
906 struct key *session_keyring; /* UID's default session keyring */
907 #endif
908
909 @@ -64100,7 +64287,7 @@ index 5afa2a3..98df553 100644
910 /* Hash table maintenance information */
911 struct hlist_node uidhash_node;
912 uid_t uid;
913 -@@ -1337,8 +1357,8 @@ struct task_struct {
914 +@@ -1337,8 +1362,8 @@ struct task_struct {
915 struct list_head thread_group;
916
917 struct completion *vfork_done; /* for vfork() */
918 @@ -64111,7 +64298,7 @@ index 5afa2a3..98df553 100644
919
920 cputime_t utime, stime, utimescaled, stimescaled;
921 cputime_t gtime;
922 -@@ -1354,13 +1374,6 @@ struct task_struct {
923 +@@ -1354,13 +1379,6 @@ struct task_struct {
924 struct task_cputime cputime_expires;
925 struct list_head cpu_timers[3];
926
927 @@ -64125,7 +64312,7 @@ index 5afa2a3..98df553 100644
928 char comm[TASK_COMM_LEN]; /* executable name excluding path
929 - access with [gs]et_task_comm (which lock
930 it with task_lock())
931 -@@ -1377,8 +1390,16 @@ struct task_struct {
932 +@@ -1377,8 +1395,16 @@ struct task_struct {
933 #endif
934 /* CPU-specific state of this task */
935 struct thread_struct thread;
936 @@ -64142,7 +64329,7 @@ index 5afa2a3..98df553 100644
937 /* open file information */
938 struct files_struct *files;
939 /* namespaces */
940 -@@ -1425,6 +1446,11 @@ struct task_struct {
941 +@@ -1425,6 +1451,11 @@ struct task_struct {
942 struct rt_mutex_waiter *pi_blocked_on;
943 #endif
944
945 @@ -64154,7 +64341,7 @@ index 5afa2a3..98df553 100644
946 #ifdef CONFIG_DEBUG_MUTEXES
947 /* mutex deadlock detection */
948 struct mutex_waiter *blocked_on;
949 -@@ -1540,6 +1566,27 @@ struct task_struct {
950 +@@ -1540,6 +1571,27 @@ struct task_struct {
951 unsigned long default_timer_slack_ns;
952
953 struct list_head *scm_work_list;
954 @@ -64182,7 +64369,7 @@ index 5afa2a3..98df553 100644
955 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
956 /* Index of current stored address in ret_stack */
957 int curr_ret_stack;
958 -@@ -1574,6 +1621,51 @@ struct task_struct {
959 +@@ -1574,6 +1626,51 @@ struct task_struct {
960 #endif
961 };
962
963 @@ -64234,7 +64421,7 @@ index 5afa2a3..98df553 100644
964 /* Future-safe accessor for struct task_struct's cpus_allowed. */
965 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
966
967 -@@ -2089,7 +2181,9 @@ void yield(void);
968 +@@ -2089,7 +2186,9 @@ void yield(void);
969 extern struct exec_domain default_exec_domain;
970
971 union thread_union {
972 @@ -64244,7 +64431,7 @@ index 5afa2a3..98df553 100644
973 unsigned long stack[THREAD_SIZE/sizeof(long)];
974 };
975
976 -@@ -2122,6 +2216,7 @@ extern struct pid_namespace init_pid_ns;
977 +@@ -2122,6 +2221,7 @@ extern struct pid_namespace init_pid_ns;
978 */
979
980 extern struct task_struct *find_task_by_vpid(pid_t nr);
981 @@ -64252,7 +64439,7 @@ index 5afa2a3..98df553 100644
982 extern struct task_struct *find_task_by_pid_ns(pid_t nr,
983 struct pid_namespace *ns);
984
985 -@@ -2243,6 +2338,12 @@ static inline void mmdrop(struct mm_struct * mm)
986 +@@ -2243,6 +2343,12 @@ static inline void mmdrop(struct mm_struct * mm)
987 extern void mmput(struct mm_struct *);
988 /* Grab a reference to a task's mm, if it is not already going away */
989 extern struct mm_struct *get_task_mm(struct task_struct *task);
990 @@ -64265,7 +64452,7 @@ index 5afa2a3..98df553 100644
991 /* Remove the current tasks stale references to the old mm_struct */
992 extern void mm_release(struct task_struct *, struct mm_struct *);
993 /* Allocate a new mm structure and copy contents from tsk->mm */
994 -@@ -2259,7 +2360,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
995 +@@ -2259,7 +2365,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
996 extern void exit_itimers(struct signal_struct *);
997 extern void flush_itimer_signals(void);
998
999 @@ -64274,7 +64461,7 @@ index 5afa2a3..98df553 100644
1000
1001 extern void daemonize(const char *, ...);
1002 extern int allow_signal(int);
1003 -@@ -2424,9 +2525,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
1004 +@@ -2424,9 +2530,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
1005
1006 #endif
1007
1008 @@ -67642,7 +67829,7 @@ index 66ff710..794bc5a 100644
1009
1010 static int
1011 diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
1012 -index 079f1d3..a407562 100644
1013 +index 079f1d3..5299c80 100644
1014 --- a/kernel/kallsyms.c
1015 +++ b/kernel/kallsyms.c
1016 @@ -11,6 +11,9 @@
1017 @@ -67738,7 +67925,22 @@ index 079f1d3..a407562 100644
1018 /* Some debugging symbols have no name. Ignore them. */
1019 if (!iter->name[0])
1020 return 0;
1021 -@@ -540,7 +583,7 @@ static int kallsyms_open(struct inode *inode, struct file *file)
1022 +@@ -515,8 +558,14 @@ static int s_show(struct seq_file *m, void *p)
1023 + */
1024 + type = iter->exported ? toupper(iter->type) :
1025 + tolower(iter->type);
1026 ++
1027 ++#ifdef CONFIG_GRKERNSEC_HIDESYM
1028 ++ seq_printf(m, "%pP %c %s\t[%s]\n", (void *)iter->value,
1029 ++ type, iter->name, iter->module_name);
1030 ++#else
1031 + seq_printf(m, "%pK %c %s\t[%s]\n", (void *)iter->value,
1032 + type, iter->name, iter->module_name);
1033 ++#endif
1034 + } else
1035 + seq_printf(m, "%pK %c %s\n", (void *)iter->value,
1036 + iter->type, iter->name);
1037 +@@ -540,7 +589,7 @@ static int kallsyms_open(struct inode *inode, struct file *file)
1038 struct kallsym_iter *iter;
1039 int ret;
1040
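Review bot: The else branch at the bottom of the hunk still formats with `%pK`, so under CONFIG_GRKERNSEC_HIDESYM a symbol without a module name takes the unapproved-pointer path while the module case takes `%pP`. The seq_file buffer is allocated with GFP_USERCOPY under the same option (seq_file hunk earlier in this patch), so if the vsprintf check later in this patch lands as shown, a privileged reader for whom %pK yields the real address would trip the "kernel infoleak detected" alert and get a NULL printed for every core-kernel symbol. Mirror the #ifdef in the else branch with `seq_printf(m, "%pP %c %s\n", (void *)iter->value, iter->type, iter->name);` under HIDESYM, keeping the `%pK` form in the #else arm. The enclosing s_show() body starts outside the hunk.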
1041 @@ -68832,10 +69034,25 @@ index b452599..5d68f4e 100644
1042 atomic_set(&pd->refcnt, 0);
1043 pd->pinst = pinst;
1044 diff --git a/kernel/panic.c b/kernel/panic.c
1045 -index 3458469..3492363 100644
1046 +index 3458469..3ed0694 100644
1047 --- a/kernel/panic.c
1048 +++ b/kernel/panic.c
1049 -@@ -78,7 +78,11 @@ NORET_TYPE void panic(const char * fmt, ...)
1050 +@@ -65,6 +65,14 @@ NORET_TYPE void panic(const char * fmt, ...)
1051 + int state = 0;
1052 +
1053 + /*
1054 ++ * Disable local interrupts. This will prevent panic_smp_self_stop
1055 ++ * from deadlocking the first cpu that invokes the panic, since
1056 ++ * there is nothing to prevent an interrupt handler (that runs
1057 ++ * after the panic_lock is acquired) from invoking panic again.
1058 ++ */
1059 ++ local_irq_disable();
1060 ++
1061 ++ /*
1062 + * It's possible to come here directly from a panic-assertion and
1063 + * not have preempt disabled. Some functions called from here want
1064 + * preempt to be disabled. No point enabling it later though...
1065 +@@ -78,7 +86,11 @@ NORET_TYPE void panic(const char * fmt, ...)
1066 va_end(args);
1067 printk(KERN_EMERG "Kernel panic - not syncing: %s\n",buf);
1068 #ifdef CONFIG_DEBUG_BUGVERBOSE
1069 @@ -68848,7 +69065,7 @@ index 3458469..3492363 100644
1070 #endif
1071
1072 /*
1073 -@@ -382,7 +386,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller,
1074 +@@ -382,7 +394,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller,
1075 const char *board;
1076
1077 printk(KERN_WARNING "------------[ cut here ]------------\n");
1078 @@ -68857,7 +69074,7 @@ index 3458469..3492363 100644
1079 board = dmi_get_system_info(DMI_PRODUCT_NAME);
1080 if (board)
1081 printk(KERN_WARNING "Hardware name: %s\n", board);
1082 -@@ -437,7 +441,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
1083 +@@ -437,7 +449,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
1084 */
1085 void __stack_chk_fail(void)
1086 {
1087 @@ -70297,7 +70514,7 @@ index 481611f..0754d86 100644
1088 break;
1089 }
1090 diff --git a/kernel/sysctl.c b/kernel/sysctl.c
1091 -index ea7ec7f..5b76fb9 100644
1092 +index ea7ec7f..23d4094 100644
1093 --- a/kernel/sysctl.c
1094 +++ b/kernel/sysctl.c
1095 @@ -86,6 +86,13 @@
1096 @@ -70314,7 +70531,7 @@ index ea7ec7f..5b76fb9 100644
1097
1098 /* External variables not in a header file. */
1099 extern int sysctl_overcommit_memory;
1100 -@@ -165,10 +172,8 @@ static int proc_taint(struct ctl_table *table, int write,
1101 +@@ -165,10 +172,13 @@ static int proc_taint(struct ctl_table *table, int write,
1102 void __user *buffer, size_t *lenp, loff_t *ppos);
1103 #endif
1104
1105 @@ -70322,10 +70539,15 @@ index ea7ec7f..5b76fb9 100644
1106 static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
1107 void __user *buffer, size_t *lenp, loff_t *ppos);
1108 -#endif
1109 ++
1110 ++static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write,
1111 ++ void __user *buffer, size_t *lenp, loff_t *ppos);
1112 ++static int proc_dostring_coredump(struct ctl_table *table, int write,
1113 ++ void __user *buffer, size_t *lenp, loff_t *ppos);
1114
1115 #ifdef CONFIG_MAGIC_SYSRQ
1116 /* Note: sysrq code uses it's own private copy */
1117 -@@ -191,6 +196,7 @@ static int sysrq_sysctl_handler(ctl_table *table, int write,
1118 +@@ -191,6 +201,7 @@ static int sysrq_sysctl_handler(ctl_table *table, int write,
1119 }
1120
1121 #endif
1122 @@ -70333,7 +70555,7 @@ index ea7ec7f..5b76fb9 100644
1123
1124 static struct ctl_table root_table[];
1125 static struct ctl_table_root sysctl_table_root;
1126 -@@ -220,6 +226,20 @@ extern struct ctl_table epoll_table[];
1127 +@@ -220,6 +231,20 @@ extern struct ctl_table epoll_table[];
1128 int sysctl_legacy_va_layout;
1129 #endif
1130
1131 @@ -70354,7 +70576,7 @@ index ea7ec7f..5b76fb9 100644
1132 /* The default sysctl tables: */
1133
1134 static struct ctl_table root_table[] = {
1135 -@@ -266,6 +286,22 @@ static int max_extfrag_threshold = 1000;
1136 +@@ -266,6 +291,22 @@ static int max_extfrag_threshold = 1000;
1137 #endif
1138
1139 static struct ctl_table kern_table[] = {
1140 @@ -70377,7 +70599,16 @@ index ea7ec7f..5b76fb9 100644
1141 {
1142 .procname = "sched_child_runs_first",
1143 .data = &sysctl_sched_child_runs_first,
1144 -@@ -550,7 +586,7 @@ static struct ctl_table kern_table[] = {
1145 +@@ -420,7 +461,7 @@ static struct ctl_table kern_table[] = {
1146 + .data = core_pattern,
1147 + .maxlen = CORENAME_MAX_SIZE,
1148 + .mode = 0644,
1149 +- .proc_handler = proc_dostring,
1150 ++ .proc_handler = proc_dostring_coredump,
1151 + },
1152 + {
1153 + .procname = "core_pipe_limit",
1154 +@@ -550,7 +591,7 @@ static struct ctl_table kern_table[] = {
1155 .data = &modprobe_path,
1156 .maxlen = KMOD_PATH_LEN,
1157 .mode = 0644,
1158 @@ -70386,7 +70617,7 @@ index ea7ec7f..5b76fb9 100644
1159 },
1160 {
1161 .procname = "modules_disabled",
1162 -@@ -717,16 +753,20 @@ static struct ctl_table kern_table[] = {
1163 +@@ -717,16 +758,20 @@ static struct ctl_table kern_table[] = {
1164 .extra1 = &zero,
1165 .extra2 = &one,
1166 },
1167 @@ -70408,7 +70639,7 @@ index ea7ec7f..5b76fb9 100644
1168 {
1169 .procname = "ngroups_max",
1170 .data = &ngroups_max,
1171 -@@ -1216,6 +1256,13 @@ static struct ctl_table vm_table[] = {
1172 +@@ -1216,6 +1261,13 @@ static struct ctl_table vm_table[] = {
1173 .proc_handler = proc_dointvec_minmax,
1174 .extra1 = &zero,
1175 },
1176 @@ -70422,7 +70653,16 @@ index ea7ec7f..5b76fb9 100644
1177 #else
1178 {
1179 .procname = "nr_trim_pages",
1180 -@@ -1720,6 +1767,17 @@ static int test_perm(int mode, int op)
1181 +@@ -1499,7 +1551,7 @@ static struct ctl_table fs_table[] = {
1182 + .data = &suid_dumpable,
1183 + .maxlen = sizeof(int),
1184 + .mode = 0644,
1185 +- .proc_handler = proc_dointvec_minmax,
1186 ++ .proc_handler = proc_dointvec_minmax_coredump,
1187 + .extra1 = &zero,
1188 + .extra2 = &two,
1189 + },
1190 +@@ -1720,6 +1772,17 @@ static int test_perm(int mode, int op)
1191 int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op)
1192 {
1193 int mode;
1194 @@ -70440,7 +70680,7 @@ index ea7ec7f..5b76fb9 100644
1195
1196 if (root->permissions)
1197 mode = root->permissions(root, current->nsproxy, table);
1198 -@@ -2124,6 +2182,16 @@ int proc_dostring(struct ctl_table *table, int write,
1199 +@@ -2124,6 +2187,16 @@ int proc_dostring(struct ctl_table *table, int write,
1200 buffer, lenp, ppos);
1201 }
1202
1203 @@ -70457,7 +70697,7 @@ index ea7ec7f..5b76fb9 100644
1204 static size_t proc_skip_spaces(char **buf)
1205 {
1206 size_t ret;
1207 -@@ -2229,6 +2297,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
1208 +@@ -2229,6 +2302,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
1209 len = strlen(tmp);
1210 if (len > *size)
1211 len = *size;
1212 @@ -70466,7 +70706,7 @@ index ea7ec7f..5b76fb9 100644
1213 if (copy_to_user(*buf, tmp, len))
1214 return -EFAULT;
1215 *size -= len;
1216 -@@ -2421,7 +2491,6 @@ static int proc_taint(struct ctl_table *table, int write,
1217 +@@ -2421,7 +2496,6 @@ static int proc_taint(struct ctl_table *table, int write,
1218 return err;
1219 }
1220
1221 @@ -70474,7 +70714,7 @@ index ea7ec7f..5b76fb9 100644
1222 static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
1223 void __user *buffer, size_t *lenp, loff_t *ppos)
1224 {
1225 -@@ -2430,7 +2499,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
1226 +@@ -2430,7 +2504,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
1227
1228 return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
1229 }
1230 @@ -70482,7 +70722,42 @@ index ea7ec7f..5b76fb9 100644
1231
1232 struct do_proc_dointvec_minmax_conv_param {
1233 int *min;
1234 -@@ -2545,8 +2613,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
1235 +@@ -2488,6 +2561,34 @@ int proc_dointvec_minmax(struct ctl_table *table, int write,
1236 + do_proc_dointvec_minmax_conv, &param);
1237 + }
1238 +
1239 ++static void validate_coredump_safety(void)
1240 ++{
1241 ++ if (suid_dumpable == SUID_DUMPABLE_SAFE &&
1242 ++ core_pattern[0] != '/' && core_pattern[0] != '|') {
1243 ++ printk(KERN_WARNING "Unsafe core_pattern used with "\
1244 ++ "suid_dumpable=2. Pipe handler or fully qualified "\
1245 ++ "core dump path required.\n");
1246 ++ }
1247 ++}
1248 ++
1249 ++static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write,
1250 ++ void __user *buffer, size_t *lenp, loff_t *ppos)
1251 ++{
1252 ++ int error = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
1253 ++ if (!error)
1254 ++ validate_coredump_safety();
1255 ++ return error;
1256 ++}
1257 ++
1258 ++static int proc_dostring_coredump(struct ctl_table *table, int write,
1259 ++ void __user *buffer, size_t *lenp, loff_t *ppos)
1260 ++{
1261 ++ int error = proc_dostring(table, write, buffer, lenp, ppos);
1262 ++ if (!error)
1263 ++ validate_coredump_safety();
1264 ++ return error;
1265 ++}
1266 ++
1267 + static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int write,
1268 + void __user *buffer,
1269 + size_t *lenp, loff_t *ppos,
1270 +@@ -2545,8 +2646,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
1271 *i = val;
1272 } else {
1273 val = convdiv * (*i) / convmul;
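Review bot: validate_coredump_safety() runs after every successful proc_dointvec_minmax()/proc_dostring() call, including reads, because neither wrapper consults `write`; both sysctls are mode 0644 (see the core_pattern and suid_dumpable table entries earlier in this patch), so any local user can emit the KERN_WARNING line on demand by reading /proc/sys/fs/suid_dumpable, a cheap dmesg flood when the unsafe combination is configured. Gate the check on writes in both wrappers: `if (!error && write)`. The check is also advisory only, the unsafe combination is still applied, which matches the intent of the upstream change this appears to backport but deserves a comment above validate_coredump_safety(), e.g. `/* Warns only; the unsafe core_pattern/suid_dumpable pair is still applied. */`.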
1274 @@ -70495,7 +70770,7 @@ index ea7ec7f..5b76fb9 100644
1275 err = proc_put_long(&buffer, &left, val, false);
1276 if (err)
1277 break;
1278 -@@ -2941,6 +3012,12 @@ int proc_dostring(struct ctl_table *table, int write,
1279 +@@ -2941,6 +3045,12 @@ int proc_dostring(struct ctl_table *table, int write,
1280 return -ENOSYS;
1281 }
1282
1283 @@ -70508,7 +70783,7 @@ index ea7ec7f..5b76fb9 100644
1284 int proc_dointvec(struct ctl_table *table, int write,
1285 void __user *buffer, size_t *lenp, loff_t *ppos)
1286 {
1287 -@@ -2997,6 +3074,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
1288 +@@ -2997,6 +3107,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
1289 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
1290 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
1291 EXPORT_SYMBOL(proc_dostring);
1292 @@ -71306,7 +71581,7 @@ index d9df745..e73c2fe 100644
1293 static inline void *ptr_to_indirect(void *ptr)
1294 {
1295 diff --git a/lib/vsprintf.c b/lib/vsprintf.c
1296 -index 993599e..f1dbc14 100644
1297 +index 993599e..9b1cb1f 100644
1298 --- a/lib/vsprintf.c
1299 +++ b/lib/vsprintf.c
1300 @@ -16,6 +16,9 @@
1301 @@ -71378,7 +71653,7 @@ index 993599e..f1dbc14 100644
1302 case 'B':
1303 return symbol_string(buf, end, ptr, spec, *fmt);
1304 case 'R':
1305 -@@ -878,9 +894,15 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
1306 +@@ -878,15 +894,24 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
1307 case 'U':
1308 return uuid_string(buf, end, ptr, spec, fmt);
1309 case 'V':
1310 @@ -71394,10 +71669,40 @@ index 993599e..f1dbc14 100644
1311 + va_end(va);
1312 + return buf;
1313 + }
1314 ++ case 'P':
1315 ++ break;
1316 case 'K':
1317 /*
1318 * %pK cannot be used in IRQ context because its test
1319 -@@ -1608,11 +1630,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
1320 + * for CAP_SYSLOG would be meaningless.
1321 + */
1322 +- if (in_irq() || in_serving_softirq() || in_nmi()) {
1323 ++ if (kptr_restrict && (in_irq() || in_serving_softirq() ||
1324 ++ in_nmi())) {
1325 + if (spec.field_width == -1)
1326 + spec.field_width = 2 * sizeof(void *);
1327 + return string(buf, end, "pK-error", spec);
1328 +@@ -897,6 +922,19 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
1329 + ptr = NULL;
1330 + break;
1331 + }
1332 ++
1333 ++#ifdef CONFIG_GRKERNSEC_HIDESYM
1334 ++ /* 'P' = approved pointers to copy to userland,
1335 ++ as in the /proc/kallsyms case, as we make it display nothing
1336 ++ for non-root users, and the real contents for root users
1337 ++ */
1338 ++ if (ptr > TASK_SIZE && *fmt != 'P' && is_usercopy_object(buf)) {
1339 ++ printk(KERN_ALERT "grsec: kernel infoleak detected! Please report this log to spender@××××××××××.net.\n");
1340 ++ dump_stack();
1341 ++ ptr = NULL;
1342 ++ }
1343 ++#endif
1344 ++
1345 + spec.flags |= SMALL;
1346 + if (spec.field_width == -1) {
1347 + spec.field_width = 2 * sizeof(void *);
1348 +@@ -1608,11 +1646,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
1349 typeof(type) value; \
1350 if (sizeof(type) == 8) { \
1351 args = PTR_ALIGN(args, sizeof(u32)); \
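Review bot: `ptr > TASK_SIZE` compares a `void *` (pointer() takes `void *ptr`, per the hunk header) with an integer, since TASK_SIZE is an unsigned long expression on the architectures I know; gcc diagnoses this as a pointer/integer comparison and it is a constraint violation in C, so it should read `if ((unsigned long)ptr > TASK_SIZE && *fmt != 'P' && is_usercopy_object(buf)) {`. The new comment also claims 'P' pointers "display nothing for non-root users", but the visible `case 'P': break;` prints the address unconditionally and never consults kptr_restrict or any capability; if that restriction is enforced by the caller (the kallsyms open path), the comment should say so rather than attribute it to the format handler, e.g. `'P' = pointers the caller has already deemed safe to expose (e.g. /proc/kallsyms, which is root-only under HIDESYM)`. Note too that this check, unlike the %pK branch just above it, will call printk()+dump_stack() from IRQ/NMI context. The enclosing pointer() function starts and ends outside the hunk.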
1352 @@ -71412,7 +71717,7 @@ index 993599e..f1dbc14 100644
1353 } \
1354 args += sizeof(type); \
1355 value; \
1356 -@@ -1675,7 +1697,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
1357 +@@ -1675,7 +1713,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
1358 case FORMAT_TYPE_STR: {
1359 const char *str_arg = args;
1360 args += strlen(str_arg) + 1;
1361 @@ -78727,6 +79032,27 @@ index 5e57347..3916042 100644
1362 }
1363 #endif
1364
1365 +diff --git a/net/rds/recv.c b/net/rds/recv.c
1366 +index bc3f8cd..fc57d31 100644
1367 +--- a/net/rds/recv.c
1368 ++++ b/net/rds/recv.c
1369 +@@ -410,6 +410,8 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
1370 +
1371 + rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo);
1372 +
1373 ++ msg->msg_namelen = 0;
1374 ++
1375 + if (msg_flags & MSG_OOB)
1376 + goto out;
1377 +
1378 +@@ -485,6 +487,7 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
1379 + sin->sin_port = inc->i_hdr.h_sport;
1380 + sin->sin_addr.s_addr = inc->i_saddr;
1381 + memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
1382 ++ msg->msg_namelen = sizeof(*sin);
1383 + }
1384 + break;
1385 + }
1386 diff --git a/net/rds/tcp.c b/net/rds/tcp.c
1387 index edac9ef..16bcb98 100644
1388 --- a/net/rds/tcp.c
1389 @@ -80276,10 +80602,10 @@ index 38f6617..e70b72b 100755
1390
1391 exuberant()
1392 diff --git a/security/Kconfig b/security/Kconfig
1393 -index 51bd5a0..f94ba7f 100644
1394 +index 51bd5a0..7963a07 100644
1395 --- a/security/Kconfig
1396 +++ b/security/Kconfig
1397 -@@ -4,6 +4,875 @@
1398 +@@ -4,6 +4,876 @@
1399
1400 menu "Security options"
1401
1402 @@ -80311,6 +80637,7 @@ index 51bd5a0..f94ba7f 100644
1403 + bool "Grsecurity"
1404 + select CRYPTO
1405 + select CRYPTO_SHA256
1406 ++ select PROC_FS
1407 + select STOP_MACHINE
1408 + help
1409 + If you say Y here, you will be able to configure many features
1410 @@ -81155,7 +81482,7 @@ index 51bd5a0..f94ba7f 100644
1411 config KEYS
1412 bool "Enable access key retention support"
1413 help
1414 -@@ -169,7 +1038,7 @@ config INTEL_TXT
1415 +@@ -169,7 +1039,7 @@ config INTEL_TXT
1416 config LSM_MMAP_MIN_ADDR
1417 int "Low address space for LSM to protect from user allocation"
1418 depends on SECURITY && SECURITY_SELINUX
1419
1420 diff --git a/3.4.6/0000_README b/3.4.6/0000_README
1421 index 0a9e8d9..14b45fc 100644
1422 --- a/3.4.6/0000_README
1423 +++ b/3.4.6/0000_README
1424 @@ -6,7 +6,7 @@ Patch: 1005_linux-3.4.6.patch
1425 From: http://www.kernel.org
1426 Desc: Linux 3.4.6
1427
1428 -Patch: 4420_grsecurity-2.9.1-3.4.6-201207281946.patch
1429 +Patch: 4420_grsecurity-2.9.1-3.4.7-201207311909.patch
1430 From: http://www.grsecurity.net
1431 Desc: hardened-sources base patch from upstream grsecurity
1432
1433
1434 diff --git a/3.4.6/4420_grsecurity-2.9.1-3.4.6-201207281946.patch b/3.4.6/4420_grsecurity-2.9.1-3.4.7-201207311909.patch
1435 similarity index 99%
1436 rename from 3.4.6/4420_grsecurity-2.9.1-3.4.6-201207281946.patch
1437 rename to 3.4.6/4420_grsecurity-2.9.1-3.4.7-201207311909.patch
1438 index 357f472..9da1ccd 100644
1439 --- a/3.4.6/4420_grsecurity-2.9.1-3.4.6-201207281946.patch
1440 +++ b/3.4.6/4420_grsecurity-2.9.1-3.4.7-201207311909.patch
1441 @@ -235,8 +235,41 @@ index c1601e5..08557ce 100644
1442 pcbit= [HW,ISDN]
1443
1444 pcd. [PARIDE]
1445 +diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt
1446 +index 88fd7f5..b318a78 100644
1447 +--- a/Documentation/sysctl/fs.txt
1448 ++++ b/Documentation/sysctl/fs.txt
1449 +@@ -163,16 +163,22 @@ This value can be used to query and set the core dump mode for setuid
1450 + or otherwise protected/tainted binaries. The modes are
1451 +
1452 + 0 - (default) - traditional behaviour. Any process which has changed
1453 +- privilege levels or is execute only will not be dumped
1454 ++ privilege levels or is execute only will not be dumped.
1455 + 1 - (debug) - all processes dump core when possible. The core dump is
1456 + owned by the current user and no security is applied. This is
1457 + intended for system debugging situations only. Ptrace is unchecked.
1458 ++ This is insecure as it allows regular users to examine the memory
1459 ++ contents of privileged processes.
1460 + 2 - (suidsafe) - any binary which normally would not be dumped is dumped
1461 +- readable by root only. This allows the end user to remove
1462 +- such a dump but not access it directly. For security reasons
1463 +- core dumps in this mode will not overwrite one another or
1464 +- other files. This mode is appropriate when administrators are
1465 +- attempting to debug problems in a normal environment.
1466 ++ anyway, but only if the "core_pattern" kernel sysctl is set to
1467 ++ either a pipe handler or a fully qualified path. (For more details
1468 ++ on this limitation, see CVE-2006-2451.) This mode is appropriate
1469 ++ when administrators are attempting to debug problems in a normal
1470 ++ environment, and either have a core dump pipe handler that knows
1471 ++ to treat privileged core dumps with care, or specific directory
1472 ++ defined for catching core dumps. If a core dump happens without
1473 ++ a pipe handler or fully qualifid path, a message will be emitted
1474 ++ to syslog warning about the lack of a correct setting.
1475 +
1476 + ==============================================================
1477 +
1478 diff --git a/Makefile b/Makefile
1479 -index 5d0edcb..f69ee4c 100644
1480 +index e17a98c..e3197fa 100644
1481 --- a/Makefile
1482 +++ b/Makefile
1483 @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
1484 @@ -2907,7 +2940,7 @@ index 881d18b..cea38bc 100644
1485
1486 /*
1487 diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h
1488 -index 0d85d8e..ec71487 100644
1489 +index abb13e8..cd2d702 100644
1490 --- a/arch/mips/include/asm/thread_info.h
1491 +++ b/arch/mips/include/asm/thread_info.h
1492 @@ -123,6 +123,8 @@ register struct thread_info *__current_thread_info __asm__("$28");
1493 @@ -20079,7 +20112,7 @@ index 255f58a..5e91150 100644
1494 goto cannot_handle;
1495 if ((segoffs >> 16) == BIOSSEG)
1496 diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
1497 -index 0f703f1..9e15f64 100644
1498 +index 0f703f1..3b426f3 100644
1499 --- a/arch/x86/kernel/vmlinux.lds.S
1500 +++ b/arch/x86/kernel/vmlinux.lds.S
1501 @@ -26,6 +26,13 @@
1502 @@ -20148,7 +20181,7 @@ index 0f703f1..9e15f64 100644
1503 HEAD_TEXT
1504 #ifdef CONFIG_X86_32
1505 . = ALIGN(PAGE_SIZE);
1506 -@@ -108,13 +128,47 @@ SECTIONS
1507 +@@ -108,13 +128,48 @@ SECTIONS
1508 IRQENTRY_TEXT
1509 *(.fixup)
1510 *(.gnu.warning)
1511 @@ -20168,8 +20201,8 @@ index 0f703f1..9e15f64 100644
1512 + MODULES_EXEC_VADDR = .;
1513 + BYTE(0)
1514 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
1515 -+ . = ALIGN(HPAGE_SIZE);
1516 -+ MODULES_EXEC_END = . - 1;
1517 ++ . = ALIGN(HPAGE_SIZE) - 1;
1518 ++ MODULES_EXEC_END = .;
1519 +#endif
1520 +
1521 + } :module
1522 @@ -20177,6 +20210,7 @@ index 0f703f1..9e15f64 100644
1523 +
1524 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
1525 + /* End of text section */
1526 ++ BYTE(0)
1527 + _etext = . - __KERNEL_TEXT_OFFSET;
1528 + }
1529 +
1530 @@ -20200,7 +20234,7 @@ index 0f703f1..9e15f64 100644
1531
1532 #if defined(CONFIG_DEBUG_RODATA)
1533 /* .text should occupy whole number of pages */
1534 -@@ -126,16 +180,20 @@ SECTIONS
1535 +@@ -126,16 +181,20 @@ SECTIONS
1536
1537 /* Data */
1538 .data : AT(ADDR(.data) - LOAD_OFFSET) {
1539 @@ -20224,7 +20258,7 @@ index 0f703f1..9e15f64 100644
1540
1541 PAGE_ALIGNED_DATA(PAGE_SIZE)
1542
1543 -@@ -176,12 +234,19 @@ SECTIONS
1544 +@@ -176,12 +235,19 @@ SECTIONS
1545 #endif /* CONFIG_X86_64 */
1546
1547 /* Init code and data - will be freed after init */
1548 @@ -20247,7 +20281,7 @@ index 0f703f1..9e15f64 100644
1549 /*
1550 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
1551 * output PHDR, so the next output section - .init.text - should
1552 -@@ -190,12 +255,27 @@ SECTIONS
1553 +@@ -190,12 +256,27 @@ SECTIONS
1554 PERCPU_VADDR(INTERNODE_CACHE_BYTES, 0, :percpu)
1555 #endif
1556
1557 @@ -20280,7 +20314,7 @@ index 0f703f1..9e15f64 100644
1558
1559 /*
1560 * Code and data for a variety of lowlevel trampolines, to be
1561 -@@ -269,19 +349,12 @@ SECTIONS
1562 +@@ -269,19 +350,12 @@ SECTIONS
1563 }
1564
1565 . = ALIGN(8);
1566 @@ -20301,7 +20335,7 @@ index 0f703f1..9e15f64 100644
1567 PERCPU_SECTION(INTERNODE_CACHE_BYTES)
1568 #endif
1569
1570 -@@ -300,16 +373,10 @@ SECTIONS
1571 +@@ -300,16 +374,10 @@ SECTIONS
1572 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
1573 __smp_locks = .;
1574 *(.smp_locks)
1575 @@ -20319,7 +20353,7 @@ index 0f703f1..9e15f64 100644
1576 /* BSS */
1577 . = ALIGN(PAGE_SIZE);
1578 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
1579 -@@ -325,6 +392,7 @@ SECTIONS
1580 +@@ -325,6 +393,7 @@ SECTIONS
1581 __brk_base = .;
1582 . += 64 * 1024; /* 64k alignment slop space */
1583 *(.brk_reservation) /* areas brk users have reserved */
1584 @@ -20327,7 +20361,7 @@ index 0f703f1..9e15f64 100644
1585 __brk_limit = .;
1586 }
1587
1588 -@@ -351,13 +419,12 @@ SECTIONS
1589 +@@ -351,13 +420,12 @@ SECTIONS
1590 * for the boot processor.
1591 */
1592 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
1593 @@ -26764,7 +26798,7 @@ index 218cdb1..fd55c08 100644
1594 syscall_init(); /* This sets MSR_*STAR and related */
1595 #endif
1596 diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c
1597 -index b685296..e00eb65 100644
1598 +index b685296..4ac6aaa 100644
1599 --- a/arch/x86/tools/relocs.c
1600 +++ b/arch/x86/tools/relocs.c
1601 @@ -12,10 +12,13 @@
1602 @@ -26857,7 +26891,7 @@ index b685296..e00eb65 100644
1603 }
1604 + base = 0;
1605 +
1606 -+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
1607 ++#ifdef CONFIG_X86_32
1608 + for (j = 0; j < ehdr.e_phnum; j++) {
1609 + if (phdr[j].p_type != PT_LOAD )
1610 + continue;
1611 @@ -26934,7 +26968,7 @@ index b685296..e00eb65 100644
1612 +
1613 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
1614 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
1615 -+ if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
1616 ++ if (!strcmp(sec_name(sym->st_shndx), ".text.end") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
1617 + continue;
1618 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
1619 + continue;
1620 @@ -31272,10 +31306,10 @@ index 8a8725c..afed796 100644
1621 marker = list_first_entry(&queue->head,
1622 struct vmw_marker, head);
1623 diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
1624 -index 054677b..741672a 100644
1625 +index 973c238..981f5ed 100644
1626 --- a/drivers/hid/hid-core.c
1627 +++ b/drivers/hid/hid-core.c
1628 -@@ -2070,7 +2070,7 @@ static bool hid_ignore(struct hid_device *hdev)
1629 +@@ -2071,7 +2071,7 @@ static bool hid_ignore(struct hid_device *hdev)
1630
1631 int hid_add_device(struct hid_device *hdev)
1632 {
1633 @@ -31284,7 +31318,7 @@ index 054677b..741672a 100644
1634 int ret;
1635
1636 if (WARN_ON(hdev->status & HID_STAT_ADDED))
1637 -@@ -2085,7 +2085,7 @@ int hid_add_device(struct hid_device *hdev)
1638 +@@ -2086,7 +2086,7 @@ int hid_add_device(struct hid_device *hdev)
1639 /* XXX hack, any other cleaner solution after the driver core
1640 * is converted to allow more than 20 bytes as the device name? */
1641 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
1642 @@ -33142,7 +33176,7 @@ index a1a3e6d..1918bfc 100644
1643 DMWARN("name not supplied when creating device");
1644 return -EINVAL;
1645 diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c
1646 -index d039de8..0cf5b87 100644
1647 +index b58b7a3..8018b19 100644
1648 --- a/drivers/md/dm-raid1.c
1649 +++ b/drivers/md/dm-raid1.c
1650 @@ -40,7 +40,7 @@ enum dm_raid1_error {
1651 @@ -33208,7 +33242,7 @@ index d039de8..0cf5b87 100644
1652 ms->mirror[mirror].error_type = 0;
1653 ms->mirror[mirror].offset = offset;
1654
1655 -@@ -1351,7 +1351,7 @@ static void mirror_resume(struct dm_target *ti)
1656 +@@ -1352,7 +1352,7 @@ static void mirror_resume(struct dm_target *ti)
1657 */
1658 static char device_status_char(struct mirror *m)
1659 {
1660 @@ -33353,7 +33387,7 @@ index e24143c..ce2f21a1 100644
1661
1662 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
1663 diff --git a/drivers/md/md.c b/drivers/md/md.c
1664 -index 2b30ffd..362b519 100644
1665 +index 9ee8ce3..362b519 100644
1666 --- a/drivers/md/md.c
1667 +++ b/drivers/md/md.c
1668 @@ -277,10 +277,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio);
1669 @@ -33425,125 +33459,7 @@ index 2b30ffd..362b519 100644
1670
1671 INIT_LIST_HEAD(&rdev->same_set);
1672 init_waitqueue_head(&rdev->blocked_wait);
1673 -@@ -3744,8 +3744,8 @@ array_state_show(struct mddev *mddev, char *page)
1674 - return sprintf(page, "%s\n", array_states[st]);
1675 - }
1676 -
1677 --static int do_md_stop(struct mddev * mddev, int ro, int is_open);
1678 --static int md_set_readonly(struct mddev * mddev, int is_open);
1679 -+static int do_md_stop(struct mddev * mddev, int ro, struct block_device *bdev);
1680 -+static int md_set_readonly(struct mddev * mddev, struct block_device *bdev);
1681 - static int do_md_run(struct mddev * mddev);
1682 - static int restart_array(struct mddev *mddev);
1683 -
1684 -@@ -3761,14 +3761,14 @@ array_state_store(struct mddev *mddev, const char *buf, size_t len)
1685 - /* stopping an active array */
1686 - if (atomic_read(&mddev->openers) > 0)
1687 - return -EBUSY;
1688 -- err = do_md_stop(mddev, 0, 0);
1689 -+ err = do_md_stop(mddev, 0, NULL);
1690 - break;
1691 - case inactive:
1692 - /* stopping an active array */
1693 - if (mddev->pers) {
1694 - if (atomic_read(&mddev->openers) > 0)
1695 - return -EBUSY;
1696 -- err = do_md_stop(mddev, 2, 0);
1697 -+ err = do_md_stop(mddev, 2, NULL);
1698 - } else
1699 - err = 0; /* already inactive */
1700 - break;
1701 -@@ -3776,7 +3776,7 @@ array_state_store(struct mddev *mddev, const char *buf, size_t len)
1702 - break; /* not supported yet */
1703 - case readonly:
1704 - if (mddev->pers)
1705 -- err = md_set_readonly(mddev, 0);
1706 -+ err = md_set_readonly(mddev, NULL);
1707 - else {
1708 - mddev->ro = 1;
1709 - set_disk_ro(mddev->gendisk, 1);
1710 -@@ -3786,7 +3786,7 @@ array_state_store(struct mddev *mddev, const char *buf, size_t len)
1711 - case read_auto:
1712 - if (mddev->pers) {
1713 - if (mddev->ro == 0)
1714 -- err = md_set_readonly(mddev, 0);
1715 -+ err = md_set_readonly(mddev, NULL);
1716 - else if (mddev->ro == 1)
1717 - err = restart_array(mddev);
1718 - if (err == 0) {
1719 -@@ -5124,15 +5124,17 @@ void md_stop(struct mddev *mddev)
1720 - }
1721 - EXPORT_SYMBOL_GPL(md_stop);
1722 -
1723 --static int md_set_readonly(struct mddev *mddev, int is_open)
1724 -+static int md_set_readonly(struct mddev *mddev, struct block_device *bdev)
1725 - {
1726 - int err = 0;
1727 - mutex_lock(&mddev->open_mutex);
1728 -- if (atomic_read(&mddev->openers) > is_open) {
1729 -+ if (atomic_read(&mddev->openers) > !!bdev) {
1730 - printk("md: %s still in use.\n",mdname(mddev));
1731 - err = -EBUSY;
1732 - goto out;
1733 - }
1734 -+ if (bdev)
1735 -+ sync_blockdev(bdev);
1736 - if (mddev->pers) {
1737 - __md_stop_writes(mddev);
1738 -
1739 -@@ -5154,18 +5156,26 @@ out:
1740 - * 0 - completely stop and dis-assemble array
1741 - * 2 - stop but do not disassemble array
1742 - */
1743 --static int do_md_stop(struct mddev * mddev, int mode, int is_open)
1744 -+static int do_md_stop(struct mddev * mddev, int mode,
1745 -+ struct block_device *bdev)
1746 - {
1747 - struct gendisk *disk = mddev->gendisk;
1748 - struct md_rdev *rdev;
1749 -
1750 - mutex_lock(&mddev->open_mutex);
1751 -- if (atomic_read(&mddev->openers) > is_open ||
1752 -+ if (atomic_read(&mddev->openers) > !!bdev ||
1753 - mddev->sysfs_active) {
1754 - printk("md: %s still in use.\n",mdname(mddev));
1755 - mutex_unlock(&mddev->open_mutex);
1756 - return -EBUSY;
1757 - }
1758 -+ if (bdev)
1759 -+ /* It is possible IO was issued on some other
1760 -+ * open file which was closed before we took ->open_mutex.
1761 -+ * As that was not the last close __blkdev_put will not
1762 -+ * have called sync_blockdev, so we must.
1763 -+ */
1764 -+ sync_blockdev(bdev);
1765 -
1766 - if (mddev->pers) {
1767 - if (mddev->ro)
1768 -@@ -5239,7 +5249,7 @@ static void autorun_array(struct mddev *mddev)
1769 - err = do_md_run(mddev);
1770 - if (err) {
1771 - printk(KERN_WARNING "md: do_md_run() returned %d\n", err);
1772 -- do_md_stop(mddev, 0, 0);
1773 -+ do_md_stop(mddev, 0, NULL);
1774 - }
1775 - }
1776 -
1777 -@@ -6237,11 +6247,11 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode,
1778 - goto done_unlock;
1779 -
1780 - case STOP_ARRAY:
1781 -- err = do_md_stop(mddev, 0, 1);
1782 -+ err = do_md_stop(mddev, 0, bdev);
1783 - goto done_unlock;
1784 -
1785 - case STOP_ARRAY_RO:
1786 -- err = md_set_readonly(mddev, 1);
1787 -+ err = md_set_readonly(mddev, bdev);
1788 - goto done_unlock;
1789 -
1790 - case BLKROSET:
1791 -@@ -6738,7 +6748,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
1792 +@@ -6748,7 +6748,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
1793
1794 spin_unlock(&pers_lock);
1795 seq_printf(seq, "\n");
1796 @@ -33552,7 +33468,7 @@ index 2b30ffd..362b519 100644
1797 return 0;
1798 }
1799 if (v == (void*)2) {
1800 -@@ -6841,7 +6851,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
1801 +@@ -6851,7 +6851,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
1802 return error;
1803
1804 seq = file->private_data;
1805 @@ -33561,7 +33477,7 @@ index 2b30ffd..362b519 100644
1806 return error;
1807 }
1808
1809 -@@ -6855,7 +6865,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
1810 +@@ -6865,7 +6865,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
1811 /* always allow read */
1812 mask = POLLIN | POLLRDNORM;
1813
1814 @@ -33570,7 +33486,7 @@ index 2b30ffd..362b519 100644
1815 mask |= POLLERR | POLLPRI;
1816 return mask;
1817 }
1818 -@@ -6899,7 +6909,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
1819 +@@ -6909,7 +6909,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
1820 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
1821 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
1822 (int)part_stat_read(&disk->part0, sectors[1]) -
1823 @@ -33660,7 +33576,7 @@ index 1cbfc6b..56e1dbb 100644
1824 /*----------------------------------------------------------------*/
1825
1826 diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
1827 -index d1f74ab..d1b24fd 100644
1828 +index d7add9d..68e3dde 100644
1829 --- a/drivers/md/raid1.c
1830 +++ b/drivers/md/raid1.c
1831 @@ -1688,7 +1688,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
1832 @@ -33672,7 +33588,7 @@ index d1f74ab..d1b24fd 100644
1833 }
1834 sectors -= s;
1835 sect += s;
1836 -@@ -1902,7 +1902,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
1837 +@@ -1908,7 +1908,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
1838 test_bit(In_sync, &rdev->flags)) {
1839 if (r1_sync_page_io(rdev, sect, s,
1840 conf->tmppage, READ)) {
1841 @@ -34311,6 +34227,19 @@ index 2b1482a..5d33616 100644
1842 union axis_conversion ac; /* hw -> logical axis */
1843 int mapped_btns[3];
1844
1845 +diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
1846 +index 28adefe..08aad69 100644
1847 +--- a/drivers/misc/lkdtm.c
1848 ++++ b/drivers/misc/lkdtm.c
1849 +@@ -477,6 +477,8 @@ static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf,
1850 + int i, n, out;
1851 +
1852 + buf = (char *)__get_free_page(GFP_KERNEL);
1853 ++ if (buf == NULL)
1854 ++ return -ENOMEM;
1855 +
1856 + n = snprintf(buf, PAGE_SIZE, "Available crash types:\n");
1857 + for (i = 0; i < ARRAY_SIZE(cp_type); i++)
1858 diff --git a/drivers/misc/sgi-gru/gruhandles.c b/drivers/misc/sgi-gru/gruhandles.c
1859 index 2f30bad..c4c13d0 100644
1860 --- a/drivers/misc/sgi-gru/gruhandles.c
1861 @@ -34581,6 +34510,22 @@ index 8d082b4..aa749ae 100644
1862
1863 /*
1864 * Timer function to enforce the timelimit on the partition disengage.
1865 +diff --git a/drivers/misc/ti-st/st_core.c b/drivers/misc/ti-st/st_core.c
1866 +index 2b62232..acfaeeb 100644
1867 +--- a/drivers/misc/ti-st/st_core.c
1868 ++++ b/drivers/misc/ti-st/st_core.c
1869 +@@ -349,6 +349,11 @@ void st_int_recv(void *disc_data,
1870 + st_gdata->rx_skb = alloc_skb(
1871 + st_gdata->list[type]->max_frame_size,
1872 + GFP_ATOMIC);
1873 ++ if (st_gdata->rx_skb == NULL) {
1874 ++ pr_err("out of memory: dropping\n");
1875 ++ goto done;
1876 ++ }
1877 ++
1878 + skb_reserve(st_gdata->rx_skb,
1879 + st_gdata->list[type]->reserve);
1880 + /* next 2 required for BT only */
1881 diff --git a/drivers/mmc/host/sdhci-pci.c b/drivers/mmc/host/sdhci-pci.c
1882 index 69ef0be..f3ef91e 100644
1883 --- a/drivers/mmc/host/sdhci-pci.c
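Review bot: The new allocation-failure branch in st_int_recv logs with an unconditional `pr_err` on a path that allocates with `GFP_ATOMIC` (the `alloc_skb` directly above it), so a burst of failures under memory pressure will repeat the message for every dropped frame; `pr_err_ratelimited("out of memory: dropping\n");` keeps the diagnostic without letting it flood the log. The `done` label and the rest of st_int_recv are outside the hunk, so whether the receive-state machine is reset after the drop cannot be confirmed from here.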
1884 @@ -37585,51 +37530,6 @@ index 0d4aa82..f7832d4 100644
1885 extern void tmem_register_hostops(struct tmem_hostops *m);
1886
1887 /* core tmem accessor functions */
1888 -diff --git a/drivers/target/target_core_cdb.c b/drivers/target/target_core_cdb.c
1889 -index 30a6770..fa323f8 100644
1890 ---- a/drivers/target/target_core_cdb.c
1891 -+++ b/drivers/target/target_core_cdb.c
1892 -@@ -1107,7 +1107,7 @@ int target_emulate_write_same(struct se_task *task)
1893 - if (num_blocks != 0)
1894 - range = num_blocks;
1895 - else
1896 -- range = (dev->transport->get_blocks(dev) - lba);
1897 -+ range = (dev->transport->get_blocks(dev) - lba) + 1;
1898 -
1899 - pr_debug("WRITE_SAME UNMAP: LBA: %llu Range: %llu\n",
1900 - (unsigned long long)lba, (unsigned long long)range);
1901 -diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c
1902 -index c3148b1..89d10e6 100644
1903 ---- a/drivers/target/target_core_pr.c
1904 -+++ b/drivers/target/target_core_pr.c
1905 -@@ -2038,7 +2038,7 @@ static int __core_scsi3_write_aptpl_to_file(
1906 - if (IS_ERR(file) || !file || !file->f_dentry) {
1907 - pr_err("filp_open(%s) for APTPL metadata"
1908 - " failed\n", path);
1909 -- return (PTR_ERR(file) < 0 ? PTR_ERR(file) : -ENOENT);
1910 -+ return IS_ERR(file) ? PTR_ERR(file) : -ENOENT;
1911 - }
1912 -
1913 - iov[0].iov_base = &buf[0];
1914 -@@ -3826,7 +3826,7 @@ int target_scsi3_emulate_pr_out(struct se_task *task)
1915 - " SPC-2 reservation is held, returning"
1916 - " RESERVATION_CONFLICT\n");
1917 - cmd->scsi_sense_reason = TCM_RESERVATION_CONFLICT;
1918 -- ret = EINVAL;
1919 -+ ret = -EINVAL;
1920 - goto out;
1921 - }
1922 -
1923 -@@ -3836,7 +3836,8 @@ int target_scsi3_emulate_pr_out(struct se_task *task)
1924 - */
1925 - if (!cmd->se_sess) {
1926 - cmd->scsi_sense_reason = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
1927 -- return -EINVAL;
1928 -+ ret = -EINVAL;
1929 -+ goto out;
1930 - }
1931 -
1932 - if (cmd->data_length < 24) {
1933 diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c
1934 index f015839..b15dfc4 100644
1935 --- a/drivers/target/target_core_tmr.c
1936 @@ -37686,19 +37586,6 @@ index 443704f..92d3517 100644
1937 cmd->t_task_list_num)
1938 cmd->transport_state |= CMD_T_SENT;
1939
1940 -diff --git a/drivers/target/tcm_fc/tfc_cmd.c b/drivers/target/tcm_fc/tfc_cmd.c
1941 -index a375f25..da90f64 100644
1942 ---- a/drivers/target/tcm_fc/tfc_cmd.c
1943 -+++ b/drivers/target/tcm_fc/tfc_cmd.c
1944 -@@ -240,6 +240,8 @@ u32 ft_get_task_tag(struct se_cmd *se_cmd)
1945 - {
1946 - struct ft_cmd *cmd = container_of(se_cmd, struct ft_cmd, se_cmd);
1947 -
1948 -+ if (cmd->aborted)
1949 -+ return ~0;
1950 - return fc_seq_exch(cmd->seq)->rxid;
1951 - }
1952 -
1953 diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c
1954 index 3436436..772237b 100644
1955 --- a/drivers/tty/hvc/hvcs.c
1956 @@ -43719,7 +43606,7 @@ index b2a34a1..162fa69 100644
1957 return rc;
1958 }
1959 diff --git a/fs/exec.c b/fs/exec.c
1960 -index 29e5f84..8bfc7cb 100644
1961 +index 29e5f84..7acfbdb 100644
1962 --- a/fs/exec.c
1963 +++ b/fs/exec.c
1964 @@ -55,6 +55,15 @@
1965 @@ -44430,6 +44317,36 @@ index 29e5f84..8bfc7cb 100644
1966 static int zap_process(struct task_struct *start, int exit_code)
1967 {
1968 struct task_struct *t;
1969 +@@ -1980,17 +2356,17 @@ static void coredump_finish(struct mm_struct *mm)
1970 + void set_dumpable(struct mm_struct *mm, int value)
1971 + {
1972 + switch (value) {
1973 +- case 0:
1974 ++ case SUID_DUMPABLE_DISABLED:
1975 + clear_bit(MMF_DUMPABLE, &mm->flags);
1976 + smp_wmb();
1977 + clear_bit(MMF_DUMP_SECURELY, &mm->flags);
1978 + break;
1979 +- case 1:
1980 ++ case SUID_DUMPABLE_ENABLED:
1981 + set_bit(MMF_DUMPABLE, &mm->flags);
1982 + smp_wmb();
1983 + clear_bit(MMF_DUMP_SECURELY, &mm->flags);
1984 + break;
1985 +- case 2:
1986 ++ case SUID_DUMPABLE_SAFE:
1987 + set_bit(MMF_DUMP_SECURELY, &mm->flags);
1988 + smp_wmb();
1989 + set_bit(MMF_DUMPABLE, &mm->flags);
1990 +@@ -2003,7 +2379,7 @@ static int __get_dumpable(unsigned long mm_flags)
1991 + int ret;
1992 +
1993 + ret = mm_flags & MMF_DUMPABLE_MASK;
1994 +- return (ret >= 2) ? 2 : ret;
1995 ++ return (ret > SUID_DUMPABLE_ENABLED) ? SUID_DUMPABLE_SAFE : ret;
1996 + }
1997 +
1998 + int get_dumpable(struct mm_struct *mm)
1999 @@ -2018,17 +2394,17 @@ static void wait_for_dump_helpers(struct file *file)
2000 pipe = file->f_path.dentry->d_inode->i_pipe;
2001
2002 @@ -44453,16 +44370,17 @@ index 29e5f84..8bfc7cb 100644
2003 pipe_unlock(pipe);
2004
2005 }
2006 -@@ -2089,7 +2465,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
2007 +@@ -2089,7 +2465,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
2008 int retval = 0;
2009 int flag = 0;
2010 int ispipe;
2011 - static atomic_t core_dump_count = ATOMIC_INIT(0);
2012 ++ bool need_nonrelative = false;
2013 + static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
2014 struct coredump_params cprm = {
2015 .signr = signr,
2016 .regs = regs,
2017 -@@ -2104,6 +2480,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
2018 +@@ -2104,6 +2481,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
2019
2020 audit_core_dumps(signr);
2021
2022 @@ -44472,7 +44390,28 @@ index 29e5f84..8bfc7cb 100644
2023 binfmt = mm->binfmt;
2024 if (!binfmt || !binfmt->core_dump)
2025 goto fail;
2026 -@@ -2171,7 +2550,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
2027 +@@ -2114,14 +2494,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
2028 + if (!cred)
2029 + goto fail;
2030 + /*
2031 +- * We cannot trust fsuid as being the "true" uid of the
2032 +- * process nor do we know its entire history. We only know it
2033 +- * was tainted so we dump it as root in mode 2.
2034 ++ * We cannot trust fsuid as being the "true" uid of the process
2035 ++ * nor do we know its entire history. We only know it was tainted
2036 ++ * so we dump it as root in mode 2, and only into a controlled
2037 ++ * environment (pipe handler or fully qualified path).
2038 + */
2039 +- if (__get_dumpable(cprm.mm_flags) == 2) {
2040 ++ if (__get_dumpable(cprm.mm_flags) == SUID_DUMPABLE_SAFE) {
2041 + /* Setuid core dump mode */
2042 + flag = O_EXCL; /* Stop rewrite attacks */
2043 + cred->fsuid = 0; /* Dump root private */
2044 ++ need_nonrelative = true;
2045 + }
2046 +
2047 + retval = coredump_wait(exit_code, &core_state);
2048 +@@ -2171,7 +2553,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
2049 }
2050 cprm.limit = RLIM_INFINITY;
2051
2052 @@ -44481,7 +44420,7 @@ index 29e5f84..8bfc7cb 100644
2053 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
2054 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
2055 task_tgid_vnr(current), current->comm);
2056 -@@ -2198,6 +2577,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
2057 +@@ -2198,9 +2580,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
2058 } else {
2059 struct inode *inode;
2060
2061 @@ -44490,7 +44429,18 @@ index 29e5f84..8bfc7cb 100644
2062 if (cprm.limit < binfmt->min_coredump)
2063 goto fail_unlock;
2064
2065 -@@ -2241,7 +2622,7 @@ close_fail:
2066 ++ if (need_nonrelative && cn.corename[0] != '/') {
2067 ++ printk(KERN_WARNING "Pid %d(%s) can only dump core "\
2068 ++ "to fully qualified path!\n",
2069 ++ task_tgid_vnr(current), current->comm);
2070 ++ printk(KERN_WARNING "Skipping core dump\n");
2071 ++ goto fail_unlock;
2072 ++ }
2073 ++
2074 + cprm.file = filp_open(cn.corename,
2075 + O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
2076 + 0600);
2077 +@@ -2241,7 +2633,7 @@ close_fail:
2078 filp_close(cprm.file, NULL);
2079 fail_dropcount:
2080 if (ispipe)
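Review bot: The trailing backslash inside the added `printk` string (`"Pid %d(%s) can only dump core "\`) is a preprocessor line continuation, not part of the literal; adjacent string literals concatenate on their own, so the `\` is noise and should be dropped (the same construction recurs in `validate_coredump_safety` in the kernel/sysctl.c hunk of this commit). The added check is the actual enforcement for `SUID_DUMPABLE_SAFE` and deserves a why-comment above it, e.g. `/* mode 2 dumps as root: refuse a relative corename, since it would resolve against the dumping process's cwd rather than a controlled location */`. The guard sits only in the non-pipe branch, leaving the pipe-helper path trusted, which matches the comment added in the earlier do_coredump hunk. do_coredump starts and ends outside this hunk.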
2081 @@ -44499,7 +44449,7 @@ index 29e5f84..8bfc7cb 100644
2082 fail_unlock:
2083 kfree(cn.corename);
2084 fail_corename:
2085 -@@ -2260,7 +2641,7 @@ fail:
2086 +@@ -2260,7 +2652,7 @@ fail:
2087 */
2088 int dump_write(struct file *file, const void *addr, int nr)
2089 {
2090 @@ -44587,18 +44537,6 @@ index 0e01e90..ae2bd5e 100644
2091 atomic_t s_lock_busy;
2092
2093 /* locality groups */
2094 -diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
2095 -index 1365903..9727522 100644
2096 ---- a/fs/ext4/ioctl.c
2097 -+++ b/fs/ext4/ioctl.c
2098 -@@ -261,7 +261,6 @@ group_extend_out:
2099 - err = ext4_move_extents(filp, donor_filp, me.orig_start,
2100 - me.donor_start, me.len, &me.moved_len);
2101 - mnt_drop_write_file(filp);
2102 -- mnt_drop_write(filp->f_path.mnt);
2103 -
2104 - if (copy_to_user((struct move_extent __user *)arg,
2105 - &me, sizeof(me)))
2106 diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
2107 index 6b0a57e..1955a44 100644
2108 --- a/fs/ext4/mballoc.c
2109 @@ -63021,7 +62959,7 @@ index fd07c45..4676b8e 100644
2110 static inline void anon_vma_merge(struct vm_area_struct *vma,
2111 struct vm_area_struct *next)
2112 diff --git a/include/linux/sched.h b/include/linux/sched.h
2113 -index 7b06169..c92adbe 100644
2114 +index 7b06169..eb46ae3 100644
2115 --- a/include/linux/sched.h
2116 +++ b/include/linux/sched.h
2117 @@ -100,6 +100,7 @@ struct bio_list;
2118 @@ -63046,7 +62984,19 @@ index 7b06169..c92adbe 100644
2119 extern void arch_pick_mmap_layout(struct mm_struct *mm);
2120 extern unsigned long
2121 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
2122 -@@ -643,6 +647,17 @@ struct signal_struct {
2123 +@@ -404,6 +408,11 @@ static inline void arch_pick_mmap_layout(struct mm_struct *mm) {}
2124 + extern void set_dumpable(struct mm_struct *mm, int value);
2125 + extern int get_dumpable(struct mm_struct *mm);
2126 +
2127 ++/* get/set_dumpable() values */
2128 ++#define SUID_DUMPABLE_DISABLED 0
2129 ++#define SUID_DUMPABLE_ENABLED 1
2130 ++#define SUID_DUMPABLE_SAFE 2
2131 ++
2132 + /* mm flags */
2133 + /* dumpable bits */
2134 + #define MMF_DUMPABLE 0 /* core dump is permitted */
2135 +@@ -643,6 +652,17 @@ struct signal_struct {
2136 #ifdef CONFIG_TASKSTATS
2137 struct taskstats *stats;
2138 #endif
2139 @@ -63064,7 +63014,7 @@ index 7b06169..c92adbe 100644
2140 #ifdef CONFIG_AUDIT
2141 unsigned audit_tty;
2142 struct tty_audit_buf *tty_audit_buf;
2143 -@@ -726,6 +741,11 @@ struct user_struct {
2144 +@@ -726,6 +746,11 @@ struct user_struct {
2145 struct key *session_keyring; /* UID's default session keyring */
2146 #endif
2147
2148 @@ -63076,7 +63026,7 @@ index 7b06169..c92adbe 100644
2149 /* Hash table maintenance information */
2150 struct hlist_node uidhash_node;
2151 uid_t uid;
2152 -@@ -1386,8 +1406,8 @@ struct task_struct {
2153 +@@ -1386,8 +1411,8 @@ struct task_struct {
2154 struct list_head thread_group;
2155
2156 struct completion *vfork_done; /* for vfork() */
2157 @@ -63087,7 +63037,7 @@ index 7b06169..c92adbe 100644
2158
2159 cputime_t utime, stime, utimescaled, stimescaled;
2160 cputime_t gtime;
2161 -@@ -1403,13 +1423,6 @@ struct task_struct {
2162 +@@ -1403,13 +1428,6 @@ struct task_struct {
2163 struct task_cputime cputime_expires;
2164 struct list_head cpu_timers[3];
2165
2166 @@ -63101,7 +63051,7 @@ index 7b06169..c92adbe 100644
2167 char comm[TASK_COMM_LEN]; /* executable name excluding path
2168 - access with [gs]et_task_comm (which lock
2169 it with task_lock())
2170 -@@ -1426,8 +1439,16 @@ struct task_struct {
2171 +@@ -1426,8 +1444,16 @@ struct task_struct {
2172 #endif
2173 /* CPU-specific state of this task */
2174 struct thread_struct thread;
2175 @@ -63118,7 +63068,7 @@ index 7b06169..c92adbe 100644
2176 /* open file information */
2177 struct files_struct *files;
2178 /* namespaces */
2179 -@@ -1469,6 +1490,11 @@ struct task_struct {
2180 +@@ -1469,6 +1495,11 @@ struct task_struct {
2181 struct rt_mutex_waiter *pi_blocked_on;
2182 #endif
2183
2184 @@ -63130,7 +63080,7 @@ index 7b06169..c92adbe 100644
2185 #ifdef CONFIG_DEBUG_MUTEXES
2186 /* mutex deadlock detection */
2187 struct mutex_waiter *blocked_on;
2188 -@@ -1585,6 +1611,27 @@ struct task_struct {
2189 +@@ -1585,6 +1616,27 @@ struct task_struct {
2190 unsigned long default_timer_slack_ns;
2191
2192 struct list_head *scm_work_list;
2193 @@ -63158,7 +63108,7 @@ index 7b06169..c92adbe 100644
2194 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2195 /* Index of current stored address in ret_stack */
2196 int curr_ret_stack;
2197 -@@ -1619,6 +1666,51 @@ struct task_struct {
2198 +@@ -1619,6 +1671,51 @@ struct task_struct {
2199 #endif
2200 };
2201
2202 @@ -63210,7 +63160,7 @@ index 7b06169..c92adbe 100644
2203 /* Future-safe accessor for struct task_struct's cpus_allowed. */
2204 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
2205
2206 -@@ -2146,7 +2238,9 @@ void yield(void);
2207 +@@ -2146,7 +2243,9 @@ void yield(void);
2208 extern struct exec_domain default_exec_domain;
2209
2210 union thread_union {
2211 @@ -63220,7 +63170,7 @@ index 7b06169..c92adbe 100644
2212 unsigned long stack[THREAD_SIZE/sizeof(long)];
2213 };
2214
2215 -@@ -2179,6 +2273,7 @@ extern struct pid_namespace init_pid_ns;
2216 +@@ -2179,6 +2278,7 @@ extern struct pid_namespace init_pid_ns;
2217 */
2218
2219 extern struct task_struct *find_task_by_vpid(pid_t nr);
2220 @@ -63228,7 +63178,7 @@ index 7b06169..c92adbe 100644
2221 extern struct task_struct *find_task_by_pid_ns(pid_t nr,
2222 struct pid_namespace *ns);
2223
2224 -@@ -2322,7 +2417,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
2225 +@@ -2322,7 +2422,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
2226 extern void exit_itimers(struct signal_struct *);
2227 extern void flush_itimer_signals(void);
2228
2229 @@ -63237,7 +63187,7 @@ index 7b06169..c92adbe 100644
2230
2231 extern void daemonize(const char *, ...);
2232 extern int allow_signal(int);
2233 -@@ -2523,9 +2618,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
2234 +@@ -2523,9 +2623,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
2235
2236 #endif
2237
2238 @@ -67683,10 +67633,25 @@ index a307cc9..27fd2e9 100644
2239
2240 /* set it to 0 if there are no waiters left: */
2241 diff --git a/kernel/panic.c b/kernel/panic.c
2242 -index 9ed023b..e49543e 100644
2243 +index 9ed023b..4846159 100644
2244 --- a/kernel/panic.c
2245 +++ b/kernel/panic.c
2246 -@@ -402,7 +402,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller,
2247 +@@ -75,6 +75,14 @@ void panic(const char *fmt, ...)
2248 + int state = 0;
2249 +
2250 + /*
2251 ++ * Disable local interrupts. This will prevent panic_smp_self_stop
2252 ++ * from deadlocking the first cpu that invokes the panic, since
2253 ++ * there is nothing to prevent an interrupt handler (that runs
2254 ++ * after the panic_lock is acquired) from invoking panic again.
2255 ++ */
2256 ++ local_irq_disable();
2257 ++
2258 ++ /*
2259 + * It's possible to come here directly from a panic-assertion and
2260 + * not have preempt disabled. Some functions called from here want
2261 + * preempt to be disabled. No point enabling it later though...
2262 +@@ -402,7 +410,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller,
2263 const char *board;
2264
2265 printk(KERN_WARNING "------------[ cut here ]------------\n");
2266 @@ -67695,7 +67660,7 @@ index 9ed023b..e49543e 100644
2267 board = dmi_get_system_info(DMI_PRODUCT_NAME);
2268 if (board)
2269 printk(KERN_WARNING "Hardware name: %s\n", board);
2270 -@@ -457,7 +457,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
2271 +@@ -457,7 +465,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
2272 */
2273 void __stack_chk_fail(void)
2274 {
2275 @@ -69107,7 +69072,7 @@ index e7006eb..8fb7c51 100644
2276 break;
2277 }
2278 diff --git a/kernel/sysctl.c b/kernel/sysctl.c
2279 -index 4ab1187..0b75ced 100644
2280 +index 4ab1187..33f4f2b 100644
2281 --- a/kernel/sysctl.c
2282 +++ b/kernel/sysctl.c
2283 @@ -91,7 +91,6 @@
2284 @@ -69118,7 +69083,7 @@ index 4ab1187..0b75ced 100644
2285 /* External variables not in a header file. */
2286 extern int sysctl_overcommit_memory;
2287 extern int sysctl_overcommit_ratio;
2288 -@@ -169,10 +168,8 @@ static int proc_taint(struct ctl_table *table, int write,
2289 +@@ -169,10 +168,13 @@ static int proc_taint(struct ctl_table *table, int write,
2290 void __user *buffer, size_t *lenp, loff_t *ppos);
2291 #endif
2292
2293 @@ -69126,10 +69091,15 @@ index 4ab1187..0b75ced 100644
2294 static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
2295 void __user *buffer, size_t *lenp, loff_t *ppos);
2296 -#endif
2297 ++
2298 ++static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write,
2299 ++ void __user *buffer, size_t *lenp, loff_t *ppos);
2300 ++static int proc_dostring_coredump(struct ctl_table *table, int write,
2301 ++ void __user *buffer, size_t *lenp, loff_t *ppos);
2302
2303 #ifdef CONFIG_MAGIC_SYSRQ
2304 /* Note: sysrq code uses it's own private copy */
2305 -@@ -196,6 +193,8 @@ static int sysrq_sysctl_handler(ctl_table *table, int write,
2306 +@@ -196,6 +198,8 @@ static int sysrq_sysctl_handler(ctl_table *table, int write,
2307
2308 #endif
2309
2310 @@ -69138,7 +69108,7 @@ index 4ab1187..0b75ced 100644
2311 static struct ctl_table kern_table[];
2312 static struct ctl_table vm_table[];
2313 static struct ctl_table fs_table[];
2314 -@@ -210,6 +209,20 @@ extern struct ctl_table epoll_table[];
2315 +@@ -210,6 +214,20 @@ extern struct ctl_table epoll_table[];
2316 int sysctl_legacy_va_layout;
2317 #endif
2318
2319 @@ -69159,7 +69129,7 @@ index 4ab1187..0b75ced 100644
2320 /* The default sysctl tables: */
2321
2322 static struct ctl_table sysctl_base_table[] = {
2323 -@@ -256,6 +269,22 @@ static int max_extfrag_threshold = 1000;
2324 +@@ -256,6 +274,22 @@ static int max_extfrag_threshold = 1000;
2325 #endif
2326
2327 static struct ctl_table kern_table[] = {
2328 @@ -69182,7 +69152,16 @@ index 4ab1187..0b75ced 100644
2329 {
2330 .procname = "sched_child_runs_first",
2331 .data = &sysctl_sched_child_runs_first,
2332 -@@ -540,7 +569,7 @@ static struct ctl_table kern_table[] = {
2333 +@@ -410,7 +444,7 @@ static struct ctl_table kern_table[] = {
2334 + .data = core_pattern,
2335 + .maxlen = CORENAME_MAX_SIZE,
2336 + .mode = 0644,
2337 +- .proc_handler = proc_dostring,
2338 ++ .proc_handler = proc_dostring_coredump,
2339 + },
2340 + {
2341 + .procname = "core_pipe_limit",
2342 +@@ -540,7 +574,7 @@ static struct ctl_table kern_table[] = {
2343 .data = &modprobe_path,
2344 .maxlen = KMOD_PATH_LEN,
2345 .mode = 0644,
2346 @@ -69191,7 +69170,7 @@ index 4ab1187..0b75ced 100644
2347 },
2348 {
2349 .procname = "modules_disabled",
2350 -@@ -707,16 +736,20 @@ static struct ctl_table kern_table[] = {
2351 +@@ -707,16 +741,20 @@ static struct ctl_table kern_table[] = {
2352 .extra1 = &zero,
2353 .extra2 = &one,
2354 },
2355 @@ -69213,7 +69192,7 @@ index 4ab1187..0b75ced 100644
2356 {
2357 .procname = "ngroups_max",
2358 .data = &ngroups_max,
2359 -@@ -1215,6 +1248,13 @@ static struct ctl_table vm_table[] = {
2360 +@@ -1215,6 +1253,13 @@ static struct ctl_table vm_table[] = {
2361 .proc_handler = proc_dointvec_minmax,
2362 .extra1 = &zero,
2363 },
2364 @@ -69227,7 +69206,16 @@ index 4ab1187..0b75ced 100644
2365 #else
2366 {
2367 .procname = "nr_trim_pages",
2368 -@@ -1645,6 +1685,16 @@ int proc_dostring(struct ctl_table *table, int write,
2369 +@@ -1498,7 +1543,7 @@ static struct ctl_table fs_table[] = {
2370 + .data = &suid_dumpable,
2371 + .maxlen = sizeof(int),
2372 + .mode = 0644,
2373 +- .proc_handler = proc_dointvec_minmax,
2374 ++ .proc_handler = proc_dointvec_minmax_coredump,
2375 + .extra1 = &zero,
2376 + .extra2 = &two,
2377 + },
2378 +@@ -1645,6 +1690,16 @@ int proc_dostring(struct ctl_table *table, int write,
2379 buffer, lenp, ppos);
2380 }
2381
2382 @@ -69244,7 +69232,7 @@ index 4ab1187..0b75ced 100644
2383 static size_t proc_skip_spaces(char **buf)
2384 {
2385 size_t ret;
2386 -@@ -1750,6 +1800,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
2387 +@@ -1750,6 +1805,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
2388 len = strlen(tmp);
2389 if (len > *size)
2390 len = *size;
2391 @@ -69253,7 +69241,7 @@ index 4ab1187..0b75ced 100644
2392 if (copy_to_user(*buf, tmp, len))
2393 return -EFAULT;
2394 *size -= len;
2395 -@@ -1942,7 +1994,6 @@ static int proc_taint(struct ctl_table *table, int write,
2396 +@@ -1942,7 +1999,6 @@ static int proc_taint(struct ctl_table *table, int write,
2397 return err;
2398 }
2399
2400 @@ -69261,7 +69249,7 @@ index 4ab1187..0b75ced 100644
2401 static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
2402 void __user *buffer, size_t *lenp, loff_t *ppos)
2403 {
2404 -@@ -1951,7 +2002,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
2405 +@@ -1951,7 +2007,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
2406
2407 return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
2408 }
2409 @@ -69269,7 +69257,42 @@ index 4ab1187..0b75ced 100644
2410
2411 struct do_proc_dointvec_minmax_conv_param {
2412 int *min;
2413 -@@ -2066,8 +2116,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
2414 +@@ -2009,6 +2064,34 @@ int proc_dointvec_minmax(struct ctl_table *table, int write,
2415 + do_proc_dointvec_minmax_conv, &param);
2416 + }
2417 +
2418 ++static void validate_coredump_safety(void)
2419 ++{
2420 ++ if (suid_dumpable == SUID_DUMPABLE_SAFE &&
2421 ++ core_pattern[0] != '/' && core_pattern[0] != '|') {
2422 ++ printk(KERN_WARNING "Unsafe core_pattern used with "\
2423 ++ "suid_dumpable=2. Pipe handler or fully qualified "\
2424 ++ "core dump path required.\n");
2425 ++ }
2426 ++}
2427 ++
2428 ++static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write,
2429 ++ void __user *buffer, size_t *lenp, loff_t *ppos)
2430 ++{
2431 ++ int error = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
2432 ++ if (!error)
2433 ++ validate_coredump_safety();
2434 ++ return error;
2435 ++}
2436 ++
2437 ++static int proc_dostring_coredump(struct ctl_table *table, int write,
2438 ++ void __user *buffer, size_t *lenp, loff_t *ppos)
2439 ++{
2440 ++ int error = proc_dostring(table, write, buffer, lenp, ppos);
2441 ++ if (!error)
2442 ++ validate_coredump_safety();
2443 ++ return error;
2444 ++}
2445 ++
2446 + static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int write,
2447 + void __user *buffer,
2448 + size_t *lenp, loff_t *ppos,
2449 +@@ -2066,8 +2149,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
2450 *i = val;
2451 } else {
2452 val = convdiv * (*i) / convmul;
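Review bot: `proc_dointvec_minmax_coredump` and `proc_dostring_coredump` call `validate_coredump_safety()` whenever the wrapped handler succeeds, and sysctl proc handlers run for reads as well as writes, so every read of /proc/sys/fs/suid_dumpable or /proc/sys/kernel/core_pattern re-emits the warning for as long as the unsafe combination persists. Gating on the write flag, `if (!error && write)` in both wrappers, limits the warning to the moment the configuration is changed. The warning is advisory only; the refusal of relative core paths under suid_dumpable=2 lives in the fs/exec.c hunk of this commit, and a one-line comment on `validate_coredump_safety` saying so would save the next reader from looking for enforcement here.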
2453 @@ -69282,7 +69305,7 @@ index 4ab1187..0b75ced 100644
2454 err = proc_put_long(&buffer, &left, val, false);
2455 if (err)
2456 break;
2457 -@@ -2459,6 +2512,12 @@ int proc_dostring(struct ctl_table *table, int write,
2458 +@@ -2459,6 +2545,12 @@ int proc_dostring(struct ctl_table *table, int write,
2459 return -ENOSYS;
2460 }
2461
2462 @@ -69295,7 +69318,7 @@ index 4ab1187..0b75ced 100644
2463 int proc_dointvec(struct ctl_table *table, int write,
2464 void __user *buffer, size_t *lenp, loff_t *ppos)
2465 {
2466 -@@ -2515,5 +2574,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
2467 +@@ -2515,5 +2607,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
2468 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
2469 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
2470 EXPORT_SYMBOL(proc_dostring);
2471 @@ -70067,7 +70090,7 @@ index 3ac50dc..240bb7e 100644
2472 static inline void *ptr_to_indirect(void *ptr)
2473 {
2474 diff --git a/lib/vsprintf.c b/lib/vsprintf.c
2475 -index abbabec..d5eba6c 100644
2476 +index abbabec..6779788 100644
2477 --- a/lib/vsprintf.c
2478 +++ b/lib/vsprintf.c
2479 @@ -16,6 +16,9 @@
2480 @@ -70110,21 +70133,8 @@ index abbabec..d5eba6c 100644
2481 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
2482 * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
2483 * - 'M' For a 6-byte MAC address, it prints the address in the
2484 -@@ -866,14 +875,25 @@ static noinline_for_stack
2485 - char *pointer(const char *fmt, char *buf, char *end, void *ptr,
2486 - struct printf_spec spec)
2487 +@@ -868,12 +877,12 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
2488 {
2489 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
2490 -+ /* 'P' = approved pointers to copy to userland,
2491 -+ as in the /proc/kallsyms case, as we make it display nothing
2492 -+ for non-root users, and the real contents for root users
2493 -+ */
2494 -+ if (ptr > TASK_SIZE && *fmt != 'P' && is_usercopy_object(buf)) {
2495 -+ ptr = NULL;
2496 -+ goto simple;
2497 -+ }
2498 -+#endif
2499 -+
2500 if (!ptr && *fmt != 'K') {
2501 /*
2502 - * Print (null) with the same width as a pointer so it makes
2503 @@ -70138,7 +70148,7 @@ index abbabec..d5eba6c 100644
2504 }
2505
2506 switch (*fmt) {
2507 -@@ -883,6 +903,13 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
2508 +@@ -883,6 +892,13 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
2509 /* Fallthrough */
2510 case 'S':
2511 case 's':
2512 @@ -70152,7 +70162,7 @@ index abbabec..d5eba6c 100644
2513 case 'B':
2514 return symbol_string(buf, end, ptr, spec, *fmt);
2515 case 'R':
2516 -@@ -920,6 +947,8 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
2517 +@@ -920,12 +936,15 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
2518 va_end(va);
2519 return buf;
2520 }
2521 @@ -70161,13 +70171,31 @@ index abbabec..d5eba6c 100644
2522 case 'K':
2523 /*
2524 * %pK cannot be used in IRQ context because its test
2525 -@@ -942,6 +971,9 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
2526 + * for CAP_SYSLOG would be meaningless.
2527 + */
2528 +- if (in_irq() || in_serving_softirq() || in_nmi()) {
2529 ++ if (kptr_restrict && (in_irq() || in_serving_softirq() ||
2530 ++ in_nmi())) {
2531 + if (spec.field_width == -1)
2532 + spec.field_width = 2 * sizeof(void *);
2533 + return string(buf, end, "pK-error", spec);
2534 +@@ -942,6 +961,19 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
2535 }
2536 break;
2537 }
2538 ++
2539 +#ifdef CONFIG_GRKERNSEC_HIDESYM
2540 -+simple:
2541 ++ /* 'P' = approved pointers to copy to userland,
2542 ++ as in the /proc/kallsyms case, as we make it display nothing
2543 ++ for non-root users, and the real contents for root users
2544 ++ */
2545 ++ if (ptr > TASK_SIZE && *fmt != 'P' && is_usercopy_object(buf)) {
2546 ++ printk(KERN_ALERT "grsec: kernel infoleak detected! Please report this log to spender@××××××××××.net.\n");
2547 ++ dump_stack();
2548 ++ ptr = NULL;
2549 ++ }
2550 +#endif
2551 ++
2552 spec.flags |= SMALL;
2553 if (spec.field_width == -1) {
2554 spec.field_width = 2 * sizeof(void *);
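Review bot: The relocated CONFIG_GRKERNSEC_HIDESYM block now emits a KERN_ALERT line and a full `dump_stack()` on every hit with no rate limiting, so a call site that repeatedly formats a raw kernel pointer into a buffer that is_usercopy_object() flags will fill the log with one backtrace per call rather than one per leaking site. Wrapping the two reporting lines in the `printk_ratelimit()` helper this kernel already provides, `if (printk_ratelimit()) { printk(KERN_ALERT "grsec: kernel infoleak detected! ..."); dump_stack(); }`, keeps the report actionable while bounding the amplification; the `ptr = NULL` masking should stay outside that guard so the leak is always suppressed. Moving the check from the top of pointer() (removed in the hunk at L2487) to after the `switch` also means formats that `return` from inside the switch (`%pS`/`%pF`/`%pB` via symbol_string, `%pR`, and similar) are no longer screened — presumably intentional because they do not print a raw address, but a one-line comment stating that would save the next reader the same analysis. The relaxed `%pK` condition, `kptr_restrict && (in_irq() || ...)`, now lets `%pK` print normally from IRQ context when kptr_restrict is 0, which looks consistent with the capability test only mattering when the knob is set. pointer() begins and ends outside the hunk.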
2555 @@ -74470,22 +74498,6 @@ index 1196c77..2e608e8 100644
2556 if (!vas || !vms)
2557 goto err_free2;
2558
2559 -diff --git a/mm/vmscan.c b/mm/vmscan.c
2560 -index 4607cc6..be5bc0a 100644
2561 ---- a/mm/vmscan.c
2562 -+++ b/mm/vmscan.c
2563 -@@ -3013,7 +3013,10 @@ static void kswapd_try_to_sleep(pg_data_t *pgdat, int order, int classzone_idx)
2564 - * them before going back to sleep.
2565 - */
2566 - set_pgdat_percpu_threshold(pgdat, calculate_normal_threshold);
2567 -- schedule();
2568 -+
2569 -+ if (!kthread_should_stop())
2570 -+ schedule();
2571 -+
2572 - set_pgdat_percpu_threshold(pgdat, calculate_pressure_threshold);
2573 - } else {
2574 - if (remaining)
2575 diff --git a/mm/vmstat.c b/mm/vmstat.c
2576 index 7db1b9b..e9f6b07 100644
2577 --- a/mm/vmstat.c
2578 @@ -77207,6 +77219,27 @@ index 4503335..db566b4 100644
2579 }
2580 #endif
2581
2582 +diff --git a/net/rds/recv.c b/net/rds/recv.c
2583 +index 5c6e9f1..9f0f17c 100644
2584 +--- a/net/rds/recv.c
2585 ++++ b/net/rds/recv.c
2586 +@@ -410,6 +410,8 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
2587 +
2588 + rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo);
2589 +
2590 ++ msg->msg_namelen = 0;
2591 ++
2592 + if (msg_flags & MSG_OOB)
2593 + goto out;
2594 +
2595 +@@ -485,6 +487,7 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
2596 + sin->sin_port = inc->i_hdr.h_sport;
2597 + sin->sin_addr.s_addr = inc->i_saddr;
2598 + memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
2599 ++ msg->msg_namelen = sizeof(*sin);
2600 + }
2601 + break;
2602 + }
2603 diff --git a/net/rds/tcp.c b/net/rds/tcp.c
2604 index edac9ef..16bcb98 100644
2605 --- a/net/rds/tcp.c
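Review bot: The defensive `msg->msg_namelen = 0;` is placed after the `rdsdebug()` call rather than at the top of rds_recvmsg(), so any return path between function entry and this point (the beginning of the function is outside the hunk) would still hand back the caller-supplied, unset length; moving the assignment to the first line of the body, ahead of any possible `goto out`, makes the guarantee hold for every exit. The `msg->msg_namelen = sizeof(*sin);` line correctly pairs the reported length with the `struct sockaddr_in` filled in just above it. A short comment on the early zeroing, `/* the socket layer reports msg_namelen back to the caller; never leave it unset */`, would record why the line exists so it is not dropped in a later rebase.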
2606 @@ -78688,10 +78721,10 @@ index 5c11312..72742b5 100644
2607 write_hex_cnt = 0;
2608 for (i = 0; i < logo_clutsize; i++) {
2609 diff --git a/security/Kconfig b/security/Kconfig
2610 -index ccc61f8..5e68d73 100644
2611 +index ccc61f8..0759500 100644
2612 --- a/security/Kconfig
2613 +++ b/security/Kconfig
2614 -@@ -4,6 +4,875 @@
2615 +@@ -4,6 +4,876 @@
2616
2617 menu "Security options"
2618
2619 @@ -78723,6 +78756,7 @@ index ccc61f8..5e68d73 100644
2620 + bool "Grsecurity"
2621 + select CRYPTO
2622 + select CRYPTO_SHA256
2623 ++ select PROC_FS
2624 + select STOP_MACHINE
2625 + help
2626 + If you say Y here, you will be able to configure many features
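Review bot: `select PROC_FS` forces a user-visible symbol on without evaluating its own dependencies or prompt, which is the pattern the Kconfig documentation advises against for anything other than non-visible library symbols; `depends on PROC_FS` expresses the same requirement and lets normal dependency resolution apply. If the intent is that GRKERNSEC cannot be built without procfs (plausible given its /proc interfaces, though not shown in this hunk), a `depends on PROC_FS` line plus a sentence in the help text saying so would make the constraint explicit and visible in menuconfig. The surrounding `config` block begins and ends outside the hunk.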
2627 @@ -79567,7 +79601,7 @@ index ccc61f8..5e68d73 100644
2628 config KEYS
2629 bool "Enable access key retention support"
2630 help
2631 -@@ -169,7 +1038,7 @@ config INTEL_TXT
2632 +@@ -169,7 +1039,7 @@ config INTEL_TXT
2633 config LSM_MMAP_MIN_ADDR
2634 int "Low address space for LSM to protect from user allocation"
2635 depends on SECURITY && SECURITY_SELINUX