commit: aa9317219e543d3f6f95d00619ba2af268edced9 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Wed Aug 1 23:18:00 2012 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Wed Aug 1 23:18:00 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=aa931721 |
|
Grsec/PaX: 2.9.1-{2.6.32.59,3.2.24,3.4.6}-201207311908 |
|
--- |
2.6.32/0000_README | 2 +- |
..._grsecurity-2.9.1-2.6.32.59-201207311908.patch} | 168 +++++- |
3.2.24/0000_README | 2 +- |
...420_grsecurity-2.9.1-3.2.24-201207311909.patch} | 463 +++++++++++++--- |
3.4.6/0000_README | 2 +- |
...4420_grsecurity-2.9.1-3.4.7-201207311909.patch} | 618 +++++++++++--------- |
6 files changed, 863 insertions(+), 392 deletions(-) |
|
19 |
diff --git a/2.6.32/0000_README b/2.6.32/0000_README |
20 |
index d4f6601..3010d85 100644 |
21 |
--- a/2.6.32/0000_README |
22 |
+++ b/2.6.32/0000_README |
23 |
@@ -30,7 +30,7 @@ Patch: 1058_linux-2.6.32.59.patch |
24 |
From: http://www.kernel.org |
25 |
Desc: Linux 2.6.32.59 |
26 |
|
27 |
-Patch: 4420_grsecurity-2.9.1-2.6.32.59-201207281944.patch |
28 |
+Patch: 4420_grsecurity-2.9.1-2.6.32.59-201207311908.patch |
29 |
From: http://www.grsecurity.net |
30 |
Desc: hardened-sources base patch from upstream grsecurity |
31 |
|
32 |
|
33 |
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207281944.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207311908.patch |
34 |
similarity index 99% |
35 |
rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207281944.patch |
36 |
rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207311908.patch |
37 |
index 227df5e..a17194d 100644 |
38 |
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207281944.patch |
39 |
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207311908.patch |
40 |
@@ -8939,7 +8939,7 @@ index bcbd36c..b1754af 100644 |
41 |
|
42 |
printf(".section \".rodata.compressed\",\"a\",@progbits\n"); |
43 |
diff --git a/arch/x86/boot/compressed/relocs.c b/arch/x86/boot/compressed/relocs.c |
44 |
-index bbeb0c3..f5167ab 100644 |
45 |
+index bbeb0c3..1eb0571 100644 |
46 |
--- a/arch/x86/boot/compressed/relocs.c |
47 |
+++ b/arch/x86/boot/compressed/relocs.c |
48 |
@@ -10,8 +10,11 @@ |
49 |
@@ -9113,7 +9113,7 @@ index bbeb0c3..f5167ab 100644 |
50 |
+ |
51 |
+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32) |
52 |
+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */ |
53 |
-+ if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext")) |
54 |
++ if (!strcmp(sec_name(sym->st_shndx), ".text.end") && !strcmp(sym_name(sym_strtab, sym), "_etext")) |
55 |
+ continue; |
56 |
+ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) |
57 |
+ continue; |
58 |
@@ -23007,7 +23007,7 @@ index d430e4c..831f817 100644 |
59 |
|
60 |
local_irq_save(flags); |
61 |
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S |
62 |
-index 3c68fe2..12c8280 100644 |
63 |
+index 3c68fe2..7a8c35b 100644 |
64 |
--- a/arch/x86/kernel/vmlinux.lds.S |
65 |
+++ b/arch/x86/kernel/vmlinux.lds.S |
66 |
@@ -26,6 +26,13 @@ |
67 |
@@ -23088,7 +23088,7 @@ index 3c68fe2..12c8280 100644 |
68 |
HEAD_TEXT |
69 |
#ifdef CONFIG_X86_32 |
70 |
. = ALIGN(PAGE_SIZE); |
71 |
-@@ -82,28 +102,71 @@ SECTIONS |
72 |
+@@ -82,28 +102,72 @@ SECTIONS |
73 |
IRQENTRY_TEXT |
74 |
*(.fixup) |
75 |
*(.gnu.warning) |
76 |
@@ -23113,8 +23113,8 @@ index 3c68fe2..12c8280 100644 |
77 |
+ MODULES_EXEC_VADDR = .; |
78 |
+ BYTE(0) |
79 |
+ . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024); |
80 |
-+ . = ALIGN(HPAGE_SIZE); |
81 |
-+ MODULES_EXEC_END = . - 1; |
82 |
++ . = ALIGN(HPAGE_SIZE) - 1; |
83 |
++ MODULES_EXEC_END = .; |
84 |
+#endif |
85 |
+ |
86 |
+ } :module |
87 |
@@ -23122,6 +23122,7 @@ index 3c68fe2..12c8280 100644 |
88 |
+ |
89 |
+ .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) { |
90 |
+ /* End of text section */ |
91 |
++ BYTE(0) |
92 |
+ _etext = . - __KERNEL_TEXT_OFFSET; |
93 |
+ } |
94 |
+ |
95 |
@@ -23167,7 +23168,7 @@ index 3c68fe2..12c8280 100644 |
96 |
|
97 |
PAGE_ALIGNED_DATA(PAGE_SIZE) |
98 |
|
99 |
-@@ -112,6 +175,8 @@ SECTIONS |
100 |
+@@ -112,6 +176,8 @@ SECTIONS |
101 |
DATA_DATA |
102 |
CONSTRUCTORS |
103 |
|
104 |
@@ -23176,7 +23177,7 @@ index 3c68fe2..12c8280 100644 |
105 |
/* rarely changed data like cpu maps */ |
106 |
READ_MOSTLY_DATA(CONFIG_X86_INTERNODE_CACHE_BYTES) |
107 |
|
108 |
-@@ -166,12 +231,6 @@ SECTIONS |
109 |
+@@ -166,12 +232,6 @@ SECTIONS |
110 |
} |
111 |
vgetcpu_mode = VVIRT(.vgetcpu_mode); |
112 |
|
113 |
@@ -23189,7 +23190,7 @@ index 3c68fe2..12c8280 100644 |
114 |
.vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) { |
115 |
*(.vsyscall_3) |
116 |
} |
117 |
-@@ -187,12 +246,19 @@ SECTIONS |
118 |
+@@ -187,12 +247,19 @@ SECTIONS |
119 |
#endif /* CONFIG_X86_64 */ |
120 |
|
121 |
/* Init code and data - will be freed after init */ |
122 |
@@ -23212,7 +23213,7 @@ index 3c68fe2..12c8280 100644 |
123 |
/* |
124 |
* percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the |
125 |
* output PHDR, so the next output section - .init.text - should |
126 |
-@@ -201,12 +267,27 @@ SECTIONS |
127 |
+@@ -201,12 +268,27 @@ SECTIONS |
128 |
PERCPU_VADDR(0, :percpu) |
129 |
#endif |
130 |
|
131 |
@@ -23245,7 +23246,7 @@ index 3c68fe2..12c8280 100644 |
132 |
|
133 |
.x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) { |
134 |
__x86_cpu_dev_start = .; |
135 |
-@@ -232,19 +313,11 @@ SECTIONS |
136 |
+@@ -232,19 +314,11 @@ SECTIONS |
137 |
*(.altinstr_replacement) |
138 |
} |
139 |
|
140 |
@@ -23266,7 +23267,7 @@ index 3c68fe2..12c8280 100644 |
141 |
PERCPU(PAGE_SIZE) |
142 |
#endif |
143 |
|
144 |
-@@ -267,12 +340,6 @@ SECTIONS |
145 |
+@@ -267,12 +341,6 @@ SECTIONS |
146 |
. = ALIGN(PAGE_SIZE); |
147 |
} |
148 |
|
149 |
@@ -23279,7 +23280,7 @@ index 3c68fe2..12c8280 100644 |
150 |
/* BSS */ |
151 |
. = ALIGN(PAGE_SIZE); |
152 |
.bss : AT(ADDR(.bss) - LOAD_OFFSET) { |
153 |
-@@ -288,6 +355,7 @@ SECTIONS |
154 |
+@@ -288,6 +356,7 @@ SECTIONS |
155 |
__brk_base = .; |
156 |
. += 64 * 1024; /* 64k alignment slop space */ |
157 |
*(.brk_reservation) /* areas brk users have reserved */ |
158 |
@@ -23287,7 +23288,7 @@ index 3c68fe2..12c8280 100644 |
159 |
__brk_limit = .; |
160 |
} |
161 |
|
162 |
-@@ -316,13 +384,12 @@ SECTIONS |
163 |
+@@ -316,13 +385,12 @@ SECTIONS |
164 |
* for the boot processor. |
165 |
*/ |
166 |
#define INIT_PER_CPU(x) init_per_cpu__##x = per_cpu__##x + __per_cpu_load |
167 |
@@ -75400,7 +75401,7 @@ index fd38ce2..f5381b8 100644 |
168 |
return -EINVAL; |
169 |
|
170 |
diff --git a/fs/seq_file.c b/fs/seq_file.c |
171 |
-index eae7d9d..b7613c6 100644 |
172 |
+index eae7d9d..c6bba46 100644 |
173 |
--- a/fs/seq_file.c |
174 |
+++ b/fs/seq_file.c |
175 |
@@ -9,6 +9,7 @@ |
176 |
@@ -75421,7 +75422,55 @@ index eae7d9d..b7613c6 100644 |
177 |
|
178 |
/* |
179 |
* Wrappers around seq_open(e.g. swaps_open) need to be |
180 |
-@@ -551,7 +555,7 @@ static void single_stop(struct seq_file *p, void *v) |
181 |
+@@ -76,7 +80,11 @@ static int traverse(struct seq_file *m, loff_t offset) |
182 |
+ return 0; |
183 |
+ } |
184 |
+ if (!m->buf) { |
185 |
++#ifdef CONFIG_GRKERNSEC_HIDESYM |
186 |
++ m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL | GFP_USERCOPY); |
187 |
++#else |
188 |
+ m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL); |
189 |
++#endif |
190 |
+ if (!m->buf) |
191 |
+ return -ENOMEM; |
192 |
+ } |
193 |
+@@ -116,7 +124,11 @@ static int traverse(struct seq_file *m, loff_t offset) |
194 |
+ Eoverflow: |
195 |
+ m->op->stop(m, p); |
196 |
+ kfree(m->buf); |
197 |
++#ifdef CONFIG_GRKERNSEC_HIDESYM |
198 |
++ m->buf = kmalloc(m->size <<= 1, GFP_KERNEL | GFP_USERCOPY); |
199 |
++#else |
200 |
+ m->buf = kmalloc(m->size <<= 1, GFP_KERNEL); |
201 |
++#endif |
202 |
+ return !m->buf ? -ENOMEM : -EAGAIN; |
203 |
+ } |
204 |
+ |
205 |
+@@ -169,7 +181,11 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) |
206 |
+ m->version = file->f_version; |
207 |
+ /* grab buffer if we didn't have one */ |
208 |
+ if (!m->buf) { |
209 |
++#ifdef CONFIG_GRKERNSEC_HIDESYM |
210 |
++ m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL | GFP_USERCOPY); |
211 |
++#else |
212 |
+ m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL); |
213 |
++#endif |
214 |
+ if (!m->buf) |
215 |
+ goto Enomem; |
216 |
+ } |
217 |
+@@ -210,7 +226,11 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) |
218 |
+ goto Fill; |
219 |
+ m->op->stop(m, p); |
220 |
+ kfree(m->buf); |
221 |
++#ifdef CONFIG_GRKERNSEC_HIDESYM |
222 |
++ m->buf = kmalloc(m->size <<= 1, GFP_KERNEL | GFP_USERCOPY); |
223 |
++#else |
224 |
+ m->buf = kmalloc(m->size <<= 1, GFP_KERNEL); |
225 |
++#endif |
226 |
+ if (!m->buf) |
227 |
+ goto Enomem; |
228 |
+ m->count = 0; |
229 |
+@@ -551,7 +571,7 @@ static void single_stop(struct seq_file *p, void *v) |
230 |
int single_open(struct file *file, int (*show)(struct seq_file *, void *), |
231 |
void *data) |
232 |
{ |
233 |
@@ -76190,10 +76239,10 @@ index 8f32f50..b6a41e8 100644 |
234 |
link[pathlen] = '\0'; |
235 |
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig |
236 |
new file mode 100644 |
237 |
-index 0000000..c20c1db |
238 |
+index 0000000..bbbfa1c |
239 |
--- /dev/null |
240 |
+++ b/grsecurity/Kconfig |
241 |
-@@ -0,0 +1,939 @@ |
242 |
+@@ -0,0 +1,940 @@ |
243 |
+# |
244 |
+# grecurity configuration |
245 |
+# |
246 |
@@ -76320,6 +76369,7 @@ index 0000000..c20c1db |
247 |
+ |
248 |
+config GRKERNSEC_HIDESYM |
249 |
+ bool "Hide kernel symbols" |
250 |
++ select PAX_USERCOPY_SLABS |
251 |
+ default y if GRKERNSEC_CONFIG_AUTO |
252 |
+ help |
253 |
+ If you say Y here, getting information on loaded modules, and |
254 |
@@ -95468,10 +95518,25 @@ index 67578ca..4115fbf 100644 |
255 |
|
256 |
static inline void mutex_clear_owner(struct mutex *lock) |
257 |
diff --git a/kernel/panic.c b/kernel/panic.c |
258 |
-index 96b45d0..7677a03 100644 |
259 |
+index 96b45d0..98fb1c3 100644 |
260 |
--- a/kernel/panic.c |
261 |
+++ b/kernel/panic.c |
262 |
-@@ -71,7 +71,11 @@ NORET_TYPE void panic(const char * fmt, ...) |
263 |
+@@ -59,6 +59,14 @@ NORET_TYPE void panic(const char * fmt, ...) |
264 |
+ long i; |
265 |
+ |
266 |
+ /* |
267 |
++ * Disable local interrupts. This will prevent panic_smp_self_stop |
268 |
++ * from deadlocking the first cpu that invokes the panic, since |
269 |
++ * there is nothing to prevent an interrupt handler (that runs |
270 |
++ * after the panic_lock is acquired) from invoking panic again. |
271 |
++ */ |
272 |
++ local_irq_disable(); |
273 |
++ |
274 |
++ /* |
275 |
+ * It's possible to come here directly from a panic-assertion and |
276 |
+ * not have preempt disabled. Some functions called from here want |
277 |
+ * preempt to be disabled. No point enabling it later though... |
278 |
+@@ -71,7 +79,11 @@ NORET_TYPE void panic(const char * fmt, ...) |
279 |
va_end(args); |
280 |
printk(KERN_EMERG "Kernel panic - not syncing: %s\n",buf); |
281 |
#ifdef CONFIG_DEBUG_BUGVERBOSE |
282 |
@@ -95484,7 +95549,7 @@ index 96b45d0..7677a03 100644 |
283 |
#endif |
284 |
|
285 |
/* |
286 |
-@@ -352,7 +356,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller, struc |
287 |
+@@ -352,7 +364,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller, struc |
288 |
const char *board; |
289 |
|
290 |
printk(KERN_WARNING "------------[ cut here ]------------\n"); |
291 |
@@ -95493,7 +95558,7 @@ index 96b45d0..7677a03 100644 |
292 |
board = dmi_get_system_info(DMI_PRODUCT_NAME); |
293 |
if (board) |
294 |
printk(KERN_WARNING "Hardware name: %s\n", board); |
295 |
-@@ -392,7 +396,8 @@ EXPORT_SYMBOL(warn_slowpath_null); |
296 |
+@@ -392,7 +404,8 @@ EXPORT_SYMBOL(warn_slowpath_null); |
297 |
*/ |
298 |
void __stack_chk_fail(void) |
299 |
{ |
300 |
@@ -98299,7 +98364,7 @@ index 217d5c4..45aba8a 100644 |
301 |
|
302 |
/** |
303 |
diff --git a/lib/vsprintf.c b/lib/vsprintf.c |
304 |
-index 33bed5e..1477e46 100644 |
305 |
+index 33bed5e..ab4e52f 100644 |
306 |
--- a/lib/vsprintf.c |
307 |
+++ b/lib/vsprintf.c |
308 |
@@ -16,6 +16,9 @@ |
309 |
@@ -98369,7 +98434,30 @@ index 33bed5e..1477e46 100644 |
310 |
return symbol_string(buf, end, ptr, spec, *fmt); |
311 |
case 'R': |
312 |
return resource_string(buf, end, ptr, spec); |
313 |
-@@ -1445,7 +1458,7 @@ do { \ |
314 |
+@@ -853,7 +866,22 @@ static char *pointer(const char *fmt, char *buf, char *end, void *ptr, |
315 |
+ return ip4_addr_string(buf, end, ptr, spec, fmt); |
316 |
+ } |
317 |
+ break; |
318 |
++ case 'P': |
319 |
++ break; |
320 |
+ } |
321 |
++ |
322 |
++#ifdef CONFIG_GRKERNSEC_HIDESYM |
323 |
++ /* 'P' = approved pointers to copy to userland, |
324 |
++ as in the /proc/kallsyms case, as we make it display nothing |
325 |
++ for non-root users, and the real contents for root users |
326 |
++ */ |
327 |
++ if (ptr > TASK_SIZE && *fmt != 'P' && is_usercopy_object(buf)) { |
328 |
++ printk(KERN_ALERT "grsec: kernel infoleak detected! Please report this log to spender@××××××××××.net.\n"); |
329 |
++ dump_stack(); |
330 |
++ ptr = NULL; |
331 |
++ } |
332 |
++#endif |
333 |
++ |
334 |
+ spec.flags |= SMALL; |
335 |
+ if (spec.field_width == -1) { |
336 |
+ spec.field_width = 2*sizeof(void *); |
337 |
+@@ -1445,7 +1473,7 @@ do { \ |
338 |
size_t len; |
339 |
if ((unsigned long)save_str > (unsigned long)-PAGE_SIZE |
340 |
|| (unsigned long)save_str < PAGE_SIZE) |
341 |
@@ -98378,7 +98466,7 @@ index 33bed5e..1477e46 100644 |
342 |
len = strlen(save_str); |
343 |
if (str + len + 1 < end) |
344 |
memcpy(str, save_str, len + 1); |
345 |
-@@ -1555,11 +1568,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) |
346 |
+@@ -1555,11 +1583,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) |
347 |
typeof(type) value; \ |
348 |
if (sizeof(type) == 8) { \ |
349 |
args = PTR_ALIGN(args, sizeof(u32)); \ |
350 |
@@ -98393,7 +98481,7 @@ index 33bed5e..1477e46 100644 |
351 |
} \ |
352 |
args += sizeof(type); \ |
353 |
value; \ |
354 |
-@@ -1622,7 +1635,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) |
355 |
+@@ -1622,7 +1650,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) |
356 |
const char *str_arg = args; |
357 |
size_t len = strlen(str_arg); |
358 |
args += len + 1; |
359 |
@@ -105574,6 +105662,27 @@ index de4a1b1..94ec861 100644 |
360 |
src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr; |
361 |
dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr; |
362 |
|
363 |
+diff --git a/net/rds/recv.c b/net/rds/recv.c |
364 |
+index 6a2654a..c45a881c 100644 |
365 |
+--- a/net/rds/recv.c |
366 |
++++ b/net/rds/recv.c |
367 |
+@@ -410,6 +410,8 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, |
368 |
+ |
369 |
+ rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo); |
370 |
+ |
371 |
++ msg->msg_namelen = 0; |
372 |
++ |
373 |
+ if (msg_flags & MSG_OOB) |
374 |
+ goto out; |
375 |
+ |
376 |
+@@ -486,6 +488,7 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, |
377 |
+ sin->sin_port = inc->i_hdr.h_sport; |
378 |
+ sin->sin_addr.s_addr = inc->i_saddr; |
379 |
+ memset(sin->sin_zero, 0, sizeof(sin->sin_zero)); |
380 |
++ msg->msg_namelen = sizeof(*sin); |
381 |
+ } |
382 |
+ break; |
383 |
+ } |
384 |
diff --git a/net/rds/tcp.c b/net/rds/tcp.c |
385 |
index b5198ae..8b9fb90 100644 |
386 |
--- a/net/rds/tcp.c |
387 |
@@ -107155,10 +107264,10 @@ index d52f7a0..b66cdd9 100755 |
388 |
rm -f tags |
389 |
xtags ctags |
390 |
diff --git a/security/Kconfig b/security/Kconfig |
391 |
-index fb363cd..6426142 100644 |
392 |
+index fb363cd..124d914 100644 |
393 |
--- a/security/Kconfig |
394 |
+++ b/security/Kconfig |
395 |
-@@ -4,6 +4,869 @@ |
396 |
+@@ -4,6 +4,870 @@ |
397 |
|
398 |
menu "Security options" |
399 |
|
400 |
@@ -107190,6 +107299,7 @@ index fb363cd..6426142 100644 |
401 |
+ bool "Grsecurity" |
402 |
+ select CRYPTO |
403 |
+ select CRYPTO_SHA256 |
404 |
++ select PROC_FS |
405 |
+ select STOP_MACHINE |
406 |
+ help |
407 |
+ If you say Y here, you will be able to configure many features |
408 |
@@ -108028,7 +108138,7 @@ index fb363cd..6426142 100644 |
409 |
config KEYS |
410 |
bool "Enable access key retention support" |
411 |
help |
412 |
-@@ -146,7 +1009,7 @@ config INTEL_TXT |
413 |
+@@ -146,7 +1010,7 @@ config INTEL_TXT |
414 |
config LSM_MMAP_MIN_ADDR |
415 |
int "Low address space for LSM to protect from user allocation" |
416 |
depends on SECURITY && SECURITY_SELINUX |
417 |
|
418 |
diff --git a/3.2.24/0000_README b/3.2.24/0000_README |
419 |
index 51bc4a5..e45dbd8 100644 |
420 |
--- a/3.2.24/0000_README |
421 |
+++ b/3.2.24/0000_README |
422 |
@@ -14,7 +14,7 @@ Patch: 1023_linux-3.2.24.patch |
423 |
From: http://www.kernel.org |
424 |
Desc: Linux 3.2.24 |
425 |
|
426 |
-Patch: 4420_grsecurity-2.9.1-3.2.24-201207281946.patch |
427 |
+Patch: 4420_grsecurity-2.9.1-3.2.24-201207311909.patch |
428 |
From: http://www.grsecurity.net |
429 |
Desc: hardened-sources base patch from upstream grsecurity |
430 |
|
431 |
|
432 |
diff --git a/3.2.24/4420_grsecurity-2.9.1-3.2.24-201207281946.patch b/3.2.24/4420_grsecurity-2.9.1-3.2.24-201207311909.patch |
433 |
similarity index 99% |
434 |
rename from 3.2.24/4420_grsecurity-2.9.1-3.2.24-201207281946.patch |
435 |
rename to 3.2.24/4420_grsecurity-2.9.1-3.2.24-201207311909.patch |
436 |
index d960312..4c10305 100644 |
437 |
--- a/3.2.24/4420_grsecurity-2.9.1-3.2.24-201207281946.patch |
438 |
+++ b/3.2.24/4420_grsecurity-2.9.1-3.2.24-201207311909.patch |
439 |
@@ -211,6 +211,39 @@ index 81c287f..d456d02 100644 |
440 |
pcbit= [HW,ISDN] |
441 |
|
442 |
pcd. [PARIDE] |
443 |
+diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt |
444 |
+index 88fd7f5..b318a78 100644 |
445 |
+--- a/Documentation/sysctl/fs.txt |
446 |
++++ b/Documentation/sysctl/fs.txt |
447 |
+@@ -163,16 +163,22 @@ This value can be used to query and set the core dump mode for setuid |
448 |
+ or otherwise protected/tainted binaries. The modes are |
449 |
+ |
450 |
+ 0 - (default) - traditional behaviour. Any process which has changed |
451 |
+- privilege levels or is execute only will not be dumped |
452 |
++ privilege levels or is execute only will not be dumped. |
453 |
+ 1 - (debug) - all processes dump core when possible. The core dump is |
454 |
+ owned by the current user and no security is applied. This is |
455 |
+ intended for system debugging situations only. Ptrace is unchecked. |
456 |
++ This is insecure as it allows regular users to examine the memory |
457 |
++ contents of privileged processes. |
458 |
+ 2 - (suidsafe) - any binary which normally would not be dumped is dumped |
459 |
+- readable by root only. This allows the end user to remove |
460 |
+- such a dump but not access it directly. For security reasons |
461 |
+- core dumps in this mode will not overwrite one another or |
462 |
+- other files. This mode is appropriate when administrators are |
463 |
+- attempting to debug problems in a normal environment. |
464 |
++ anyway, but only if the "core_pattern" kernel sysctl is set to |
465 |
++ either a pipe handler or a fully qualified path. (For more details |
466 |
++ on this limitation, see CVE-2006-2451.) This mode is appropriate |
467 |
++ when administrators are attempting to debug problems in a normal |
468 |
++ environment, and either have a core dump pipe handler that knows |
469 |
++ to treat privileged core dumps with care, or specific directory |
470 |
++ defined for catching core dumps. If a core dump happens without |
471 |
++ a pipe handler or fully qualifid path, a message will be emitted |
472 |
++ to syslog warning about the lack of a correct setting. |
473 |
+ |
474 |
+ ============================================================== |
475 |
+ |
476 |
diff --git a/Makefile b/Makefile |
477 |
index 80bb4fd..964ea28 100644 |
478 |
--- a/Makefile |
479 |
@@ -20032,7 +20065,7 @@ index 04b8726..0c35b29 100644 |
480 |
goto cannot_handle; |
481 |
if ((segoffs >> 16) == BIOSSEG) |
482 |
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S |
483 |
-index 0f703f1..9e15f64 100644 |
484 |
+index 0f703f1..3b426f3 100644 |
485 |
--- a/arch/x86/kernel/vmlinux.lds.S |
486 |
+++ b/arch/x86/kernel/vmlinux.lds.S |
487 |
@@ -26,6 +26,13 @@ |
488 |
@@ -20101,7 +20134,7 @@ index 0f703f1..9e15f64 100644 |
489 |
HEAD_TEXT |
490 |
#ifdef CONFIG_X86_32 |
491 |
. = ALIGN(PAGE_SIZE); |
492 |
-@@ -108,13 +128,47 @@ SECTIONS |
493 |
+@@ -108,13 +128,48 @@ SECTIONS |
494 |
IRQENTRY_TEXT |
495 |
*(.fixup) |
496 |
*(.gnu.warning) |
497 |
@@ -20121,8 +20154,8 @@ index 0f703f1..9e15f64 100644 |
498 |
+ MODULES_EXEC_VADDR = .; |
499 |
+ BYTE(0) |
500 |
+ . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024); |
501 |
-+ . = ALIGN(HPAGE_SIZE); |
502 |
-+ MODULES_EXEC_END = . - 1; |
503 |
++ . = ALIGN(HPAGE_SIZE) - 1; |
504 |
++ MODULES_EXEC_END = .; |
505 |
+#endif |
506 |
+ |
507 |
+ } :module |
508 |
@@ -20130,6 +20163,7 @@ index 0f703f1..9e15f64 100644 |
509 |
+ |
510 |
+ .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) { |
511 |
+ /* End of text section */ |
512 |
++ BYTE(0) |
513 |
+ _etext = . - __KERNEL_TEXT_OFFSET; |
514 |
+ } |
515 |
+ |
516 |
@@ -20153,7 +20187,7 @@ index 0f703f1..9e15f64 100644 |
517 |
|
518 |
#if defined(CONFIG_DEBUG_RODATA) |
519 |
/* .text should occupy whole number of pages */ |
520 |
-@@ -126,16 +180,20 @@ SECTIONS |
521 |
+@@ -126,16 +181,20 @@ SECTIONS |
522 |
|
523 |
/* Data */ |
524 |
.data : AT(ADDR(.data) - LOAD_OFFSET) { |
525 |
@@ -20177,7 +20211,7 @@ index 0f703f1..9e15f64 100644 |
526 |
|
527 |
PAGE_ALIGNED_DATA(PAGE_SIZE) |
528 |
|
529 |
-@@ -176,12 +234,19 @@ SECTIONS |
530 |
+@@ -176,12 +235,19 @@ SECTIONS |
531 |
#endif /* CONFIG_X86_64 */ |
532 |
|
533 |
/* Init code and data - will be freed after init */ |
534 |
@@ -20200,7 +20234,7 @@ index 0f703f1..9e15f64 100644 |
535 |
/* |
536 |
* percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the |
537 |
* output PHDR, so the next output section - .init.text - should |
538 |
-@@ -190,12 +255,27 @@ SECTIONS |
539 |
+@@ -190,12 +256,27 @@ SECTIONS |
540 |
PERCPU_VADDR(INTERNODE_CACHE_BYTES, 0, :percpu) |
541 |
#endif |
542 |
|
543 |
@@ -20233,7 +20267,7 @@ index 0f703f1..9e15f64 100644 |
544 |
|
545 |
/* |
546 |
* Code and data for a variety of lowlevel trampolines, to be |
547 |
-@@ -269,19 +349,12 @@ SECTIONS |
548 |
+@@ -269,19 +350,12 @@ SECTIONS |
549 |
} |
550 |
|
551 |
. = ALIGN(8); |
552 |
@@ -20254,7 +20288,7 @@ index 0f703f1..9e15f64 100644 |
553 |
PERCPU_SECTION(INTERNODE_CACHE_BYTES) |
554 |
#endif |
555 |
|
556 |
-@@ -300,16 +373,10 @@ SECTIONS |
557 |
+@@ -300,16 +374,10 @@ SECTIONS |
558 |
.smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) { |
559 |
__smp_locks = .; |
560 |
*(.smp_locks) |
561 |
@@ -20272,7 +20306,7 @@ index 0f703f1..9e15f64 100644 |
562 |
/* BSS */ |
563 |
. = ALIGN(PAGE_SIZE); |
564 |
.bss : AT(ADDR(.bss) - LOAD_OFFSET) { |
565 |
-@@ -325,6 +392,7 @@ SECTIONS |
566 |
+@@ -325,6 +393,7 @@ SECTIONS |
567 |
__brk_base = .; |
568 |
. += 64 * 1024; /* 64k alignment slop space */ |
569 |
*(.brk_reservation) /* areas brk users have reserved */ |
570 |
@@ -20280,7 +20314,7 @@ index 0f703f1..9e15f64 100644 |
571 |
__brk_limit = .; |
572 |
} |
573 |
|
574 |
-@@ -351,13 +419,12 @@ SECTIONS |
575 |
+@@ -351,13 +420,12 @@ SECTIONS |
576 |
* for the boot processor. |
577 |
*/ |
578 |
#define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load |
579 |
@@ -26837,7 +26871,7 @@ index f10c0af..3ec1f95 100644 |
580 |
syscall_init(); /* This sets MSR_*STAR and related */ |
581 |
#endif |
582 |
diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c |
583 |
-index e529730..574ed56 100644 |
584 |
+index e529730..8d08690 100644 |
585 |
--- a/arch/x86/tools/relocs.c |
586 |
+++ b/arch/x86/tools/relocs.c |
587 |
@@ -11,10 +11,13 @@ |
588 |
@@ -26930,7 +26964,7 @@ index e529730..574ed56 100644 |
589 |
} |
590 |
+ base = 0; |
591 |
+ |
592 |
-+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32) |
593 |
++#ifdef CONFIG_X86_32 |
594 |
+ for (j = 0; j < ehdr.e_phnum; j++) { |
595 |
+ if (phdr[j].p_type != PT_LOAD ) |
596 |
+ continue; |
597 |
@@ -27007,7 +27041,7 @@ index e529730..574ed56 100644 |
598 |
+ |
599 |
+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32) |
600 |
+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */ |
601 |
-+ if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext")) |
602 |
++ if (!strcmp(sec_name(sym->st_shndx), ".text.end") && !strcmp(sym_name(sym_strtab, sym), "_etext")) |
603 |
+ continue; |
604 |
+ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) |
605 |
+ continue; |
606 |
@@ -34820,6 +34854,19 @@ index 2b1482a..5d33616 100644 |
607 |
union axis_conversion ac; /* hw -> logical axis */ |
608 |
int mapped_btns[3]; |
609 |
|
610 |
+diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c |
611 |
+index 150cd70..1d5d99b 100644 |
612 |
+--- a/drivers/misc/lkdtm.c |
613 |
++++ b/drivers/misc/lkdtm.c |
614 |
+@@ -473,6 +473,8 @@ static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf, |
615 |
+ int i, n, out; |
616 |
+ |
617 |
+ buf = (char *)__get_free_page(GFP_KERNEL); |
618 |
++ if (buf == NULL) |
619 |
++ return -ENOMEM; |
620 |
+ |
621 |
+ n = snprintf(buf, PAGE_SIZE, "Available crash types:\n"); |
622 |
+ for (i = 0; i < ARRAY_SIZE(cp_type); i++) |
623 |
diff --git a/drivers/misc/sgi-gru/gruhandles.c b/drivers/misc/sgi-gru/gruhandles.c |
624 |
index 2f30bad..c4c13d0 100644 |
625 |
--- a/drivers/misc/sgi-gru/gruhandles.c |
626 |
@@ -35090,6 +35137,22 @@ index 8d082b4..aa749ae 100644 |
627 |
|
628 |
/* |
629 |
* Timer function to enforce the timelimit on the partition disengage. |
630 |
+diff --git a/drivers/misc/ti-st/st_core.c b/drivers/misc/ti-st/st_core.c |
631 |
+index ba168a7..399925d 100644 |
632 |
+--- a/drivers/misc/ti-st/st_core.c |
633 |
++++ b/drivers/misc/ti-st/st_core.c |
634 |
+@@ -347,6 +347,11 @@ void st_int_recv(void *disc_data, |
635 |
+ st_gdata->rx_skb = alloc_skb( |
636 |
+ st_gdata->list[type]->max_frame_size, |
637 |
+ GFP_ATOMIC); |
638 |
++ if (st_gdata->rx_skb == NULL) { |
639 |
++ pr_err("out of memory: dropping\n"); |
640 |
++ goto done; |
641 |
++ } |
642 |
++ |
643 |
+ skb_reserve(st_gdata->rx_skb, |
644 |
+ st_gdata->list[type]->reserve); |
645 |
+ /* next 2 required for BT only */ |
646 |
diff --git a/drivers/mmc/host/sdhci-pci.c b/drivers/mmc/host/sdhci-pci.c |
647 |
index 6878a94..fe5c5f1 100644 |
648 |
--- a/drivers/mmc/host/sdhci-pci.c |
649 |
@@ -44481,7 +44544,7 @@ index 608c1c3..7d040a8 100644 |
650 |
return rc; |
651 |
} |
652 |
diff --git a/fs/exec.c b/fs/exec.c |
653 |
-index 160cd2f..5cc2091 100644 |
654 |
+index 160cd2f..78b8d86 100644 |
655 |
--- a/fs/exec.c |
656 |
+++ b/fs/exec.c |
657 |
@@ -55,12 +55,33 @@ |
658 |
@@ -45252,6 +45315,36 @@ index 160cd2f..5cc2091 100644 |
659 |
static int zap_process(struct task_struct *start, int exit_code) |
660 |
{ |
661 |
struct task_struct *t; |
662 |
+@@ -1988,17 +2365,17 @@ static void coredump_finish(struct mm_struct *mm) |
663 |
+ void set_dumpable(struct mm_struct *mm, int value) |
664 |
+ { |
665 |
+ switch (value) { |
666 |
+- case 0: |
667 |
++ case SUID_DUMPABLE_DISABLED: |
668 |
+ clear_bit(MMF_DUMPABLE, &mm->flags); |
669 |
+ smp_wmb(); |
670 |
+ clear_bit(MMF_DUMP_SECURELY, &mm->flags); |
671 |
+ break; |
672 |
+- case 1: |
673 |
++ case SUID_DUMPABLE_ENABLED: |
674 |
+ set_bit(MMF_DUMPABLE, &mm->flags); |
675 |
+ smp_wmb(); |
676 |
+ clear_bit(MMF_DUMP_SECURELY, &mm->flags); |
677 |
+ break; |
678 |
+- case 2: |
679 |
++ case SUID_DUMPABLE_SAFE: |
680 |
+ set_bit(MMF_DUMP_SECURELY, &mm->flags); |
681 |
+ smp_wmb(); |
682 |
+ set_bit(MMF_DUMPABLE, &mm->flags); |
683 |
+@@ -2011,7 +2388,7 @@ static int __get_dumpable(unsigned long mm_flags) |
684 |
+ int ret; |
685 |
+ |
686 |
+ ret = mm_flags & MMF_DUMPABLE_MASK; |
687 |
+- return (ret >= 2) ? 2 : ret; |
688 |
++ return (ret > SUID_DUMPABLE_ENABLED) ? SUID_DUMPABLE_SAFE : ret; |
689 |
+ } |
690 |
+ |
691 |
+ int get_dumpable(struct mm_struct *mm) |
692 |
@@ -2026,17 +2403,17 @@ static void wait_for_dump_helpers(struct file *file) |
693 |
pipe = file->f_path.dentry->d_inode->i_pipe; |
694 |
|
695 |
@@ -45275,16 +45368,17 @@ index 160cd2f..5cc2091 100644 |
696 |
pipe_unlock(pipe); |
697 |
|
698 |
} |
699 |
-@@ -2097,7 +2474,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
700 |
+@@ -2097,7 +2474,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
701 |
int retval = 0; |
702 |
int flag = 0; |
703 |
int ispipe; |
704 |
- static atomic_t core_dump_count = ATOMIC_INIT(0); |
705 |
++ bool need_nonrelative = false; |
706 |
+ static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0); |
707 |
struct coredump_params cprm = { |
708 |
.signr = signr, |
709 |
.regs = regs, |
710 |
-@@ -2112,6 +2489,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
711 |
+@@ -2112,6 +2490,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
712 |
|
713 |
audit_core_dumps(signr); |
714 |
|
715 |
@@ -45294,7 +45388,28 @@ index 160cd2f..5cc2091 100644 |
716 |
binfmt = mm->binfmt; |
717 |
if (!binfmt || !binfmt->core_dump) |
718 |
goto fail; |
719 |
-@@ -2179,7 +2559,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
720 |
+@@ -2122,14 +2503,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
721 |
+ if (!cred) |
722 |
+ goto fail; |
723 |
+ /* |
724 |
+- * We cannot trust fsuid as being the "true" uid of the |
725 |
+- * process nor do we know its entire history. We only know it |
726 |
+- * was tainted so we dump it as root in mode 2. |
727 |
++ * We cannot trust fsuid as being the "true" uid of the process |
728 |
++ * nor do we know its entire history. We only know it was tainted |
729 |
++ * so we dump it as root in mode 2, and only into a controlled |
730 |
++ * environment (pipe handler or fully qualified path). |
731 |
+ */ |
732 |
+- if (__get_dumpable(cprm.mm_flags) == 2) { |
733 |
++ if (__get_dumpable(cprm.mm_flags) == SUID_DUMPABLE_SAFE) { |
734 |
+ /* Setuid core dump mode */ |
735 |
+ flag = O_EXCL; /* Stop rewrite attacks */ |
736 |
+ cred->fsuid = 0; /* Dump root private */ |
737 |
++ need_nonrelative = true; |
738 |
+ } |
739 |
+ |
740 |
+ retval = coredump_wait(exit_code, &core_state); |
741 |
+@@ -2179,7 +2562,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
742 |
} |
743 |
cprm.limit = RLIM_INFINITY; |
744 |
|
745 |
@@ -45303,7 +45418,7 @@ index 160cd2f..5cc2091 100644 |
746 |
if (core_pipe_limit && (core_pipe_limit < dump_count)) { |
747 |
printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", |
748 |
task_tgid_vnr(current), current->comm); |
749 |
-@@ -2206,6 +2586,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
750 |
+@@ -2206,9 +2589,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
751 |
} else { |
752 |
struct inode *inode; |
753 |
|
754 |
@@ -45312,7 +45427,18 @@ index 160cd2f..5cc2091 100644 |
755 |
if (cprm.limit < binfmt->min_coredump) |
756 |
goto fail_unlock; |
757 |
|
758 |
-@@ -2249,7 +2631,7 @@ close_fail: |
759 |
++ if (need_nonrelative && cn.corename[0] != '/') { |
760 |
++ printk(KERN_WARNING "Pid %d(%s) can only dump core "\ |
761 |
++ "to fully qualified path!\n", |
762 |
++ task_tgid_vnr(current), current->comm); |
763 |
++ printk(KERN_WARNING "Skipping core dump\n"); |
764 |
++ goto fail_unlock; |
765 |
++ } |
766 |
++ |
767 |
+ cprm.file = filp_open(cn.corename, |
768 |
+ O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, |
769 |
+ 0600); |
770 |
+@@ -2249,7 +2642,7 @@ close_fail: |
771 |
filp_close(cprm.file, NULL); |
772 |
fail_dropcount: |
773 |
if (ispipe) |
774 |
@@ -45321,7 +45447,7 @@ index 160cd2f..5cc2091 100644 |
775 |
fail_unlock: |
776 |
kfree(cn.corename); |
777 |
fail_corename: |
778 |
-@@ -2268,7 +2650,7 @@ fail: |
779 |
+@@ -2268,7 +2661,7 @@ fail: |
780 |
*/ |
781 |
int dump_write(struct file *file, const void *addr, int nr) |
782 |
{ |
783 |
@@ -50014,7 +50140,7 @@ index d33418f..2a5345e 100644 |
784 |
return -EINVAL; |
785 |
|
786 |
diff --git a/fs/seq_file.c b/fs/seq_file.c |
787 |
-index dba43c3..4b3f701 100644 |
788 |
+index dba43c3..9ae2292 100644 |
789 |
--- a/fs/seq_file.c |
790 |
+++ b/fs/seq_file.c |
791 |
@@ -9,6 +9,7 @@ |
792 |
@@ -50035,7 +50161,55 @@ index dba43c3..4b3f701 100644 |
793 |
|
794 |
/* |
795 |
* Wrappers around seq_open(e.g. swaps_open) need to be |
796 |
-@@ -549,7 +553,7 @@ static void single_stop(struct seq_file *p, void *v) |
797 |
+@@ -76,7 +80,11 @@ static int traverse(struct seq_file *m, loff_t offset) |
798 |
+ return 0; |
799 |
+ } |
800 |
+ if (!m->buf) { |
801 |
++#ifdef CONFIG_GRKERNSEC_HIDESYM |
802 |
++ m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL | GFP_USERCOPY); |
803 |
++#else |
804 |
+ m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL); |
805 |
++#endif |
806 |
+ if (!m->buf) |
807 |
+ return -ENOMEM; |
808 |
+ } |
809 |
+@@ -116,7 +124,11 @@ static int traverse(struct seq_file *m, loff_t offset) |
810 |
+ Eoverflow: |
811 |
+ m->op->stop(m, p); |
812 |
+ kfree(m->buf); |
813 |
++#ifdef CONFIG_GRKERNSEC_HIDESYM |
814 |
++ m->buf = kmalloc(m->size <<= 1, GFP_KERNEL | GFP_USERCOPY); |
815 |
++#else |
816 |
+ m->buf = kmalloc(m->size <<= 1, GFP_KERNEL); |
817 |
++#endif |
818 |
+ return !m->buf ? -ENOMEM : -EAGAIN; |
819 |
+ } |
820 |
+ |
821 |
+@@ -169,7 +181,11 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) |
822 |
+ m->version = file->f_version; |
823 |
+ /* grab buffer if we didn't have one */ |
824 |
+ if (!m->buf) { |
825 |
++#ifdef CONFIG_GRKERNSEC_HIDESYM |
826 |
++ m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL | GFP_USERCOPY); |
827 |
++#else |
828 |
+ m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL); |
829 |
++#endif |
830 |
+ if (!m->buf) |
831 |
+ goto Enomem; |
832 |
+ } |
833 |
+@@ -210,7 +226,11 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) |
834 |
+ goto Fill; |
835 |
+ m->op->stop(m, p); |
836 |
+ kfree(m->buf); |
837 |
++#ifdef CONFIG_GRKERNSEC_HIDESYM |
838 |
++ m->buf = kmalloc(m->size <<= 1, GFP_KERNEL | GFP_USERCOPY); |
839 |
++#else |
840 |
+ m->buf = kmalloc(m->size <<= 1, GFP_KERNEL); |
841 |
++#endif |
842 |
+ if (!m->buf) |
843 |
+ goto Enomem; |
844 |
+ m->count = 0; |
845 |
+@@ -549,7 +569,7 @@ static void single_stop(struct seq_file *p, void *v) |
846 |
int single_open(struct file *file, int (*show)(struct seq_file *, void *), |
847 |
void *data) |
848 |
{ |
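Review bot: The same `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `kmalloc(..., GFP_KERNEL | GFP_USERCOPY)` / `#else` / `#endif` block is pasted four times across traverse() and seq_read(), and none of the copies says why the seq_file buffer needs the extra flag. Judging from the lib/vsprintf.c hunk of this same patch, the flag is presumably what lets `is_usercopy_object(buf)` recognise a buffer bound for userland; that should be confirmed and written down once. Defining the allocation flags in one place keeps the four call sites from drifting apart. Both functions extend outside the inner hunks shown.

```c
/*
 * Under HIDESYM, seq_file buffers are allocated with GFP_USERCOPY;
 * NOTE(review): confirm this is what the pointer check in
 * lib/vsprintf.c relies on.
 */
#ifdef CONFIG_GRKERNSEC_HIDESYM
#define SEQ_BUF_GFP (GFP_KERNEL | GFP_USERCOPY)
#else
#define SEQ_BUF_GFP GFP_KERNEL
#endif

/* … unchanged: traverse() up to the first allocation … */
		m->buf = kmalloc(m->size = PAGE_SIZE, SEQ_BUF_GFP);
/* … unchanged: the other three kmalloc() calls take SEQ_BUF_GFP the same way … */
```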
849 |
@@ -50452,10 +50626,10 @@ index 23ce927..e274cc1 100644 |
850 |
kfree(s); |
851 |
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig |
852 |
new file mode 100644 |
853 |
-index 0000000..b9e7d6f |
854 |
+index 0000000..cb7b8ea |
855 |
--- /dev/null |
856 |
+++ b/grsecurity/Kconfig |
857 |
-@@ -0,0 +1,940 @@ |
858 |
+@@ -0,0 +1,941 @@ |
859 |
+# |
860 |
+# grecurity configuration |
861 |
+# |
862 |
@@ -50583,6 +50757,7 @@ index 0000000..b9e7d6f |
863 |
+ |
864 |
+config GRKERNSEC_HIDESYM |
865 |
+ bool "Hide kernel symbols" |
866 |
++ select PAX_USERCOPY_SLABS |
867 |
+ default y if GRKERNSEC_CONFIG_AUTO |
868 |
+ help |
869 |
+ If you say Y here, getting information on loaded modules, and |
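Review bot: `select PAX_USERCOPY_SLABS` forces that symbol on whenever GRKERNSEC_HIDESYM is enabled, and Kconfig's `select` does not check the selected symbol's own `depends on`. PAX_USERCOPY_SLABS is defined outside this hunk, so confirm it has no architecture or allocator dependency that HIDESYM would now bypass; if it has one, mirror it here with a `depends on` line. The help text could also say in one sentence that enabling HIDESYM now pulls in the usercopy slab caches.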
870 |
@@ -64045,7 +64220,7 @@ index 2148b12..519b820 100644 |
871 |
|
872 |
static inline void anon_vma_merge(struct vm_area_struct *vma, |
873 |
diff --git a/include/linux/sched.h b/include/linux/sched.h |
874 |
-index 5afa2a3..98df553 100644 |
875 |
+index 5afa2a3..d74a9b4 100644 |
876 |
--- a/include/linux/sched.h |
877 |
+++ b/include/linux/sched.h |
878 |
@@ -101,6 +101,7 @@ struct bio_list; |
879 |
@@ -64070,7 +64245,19 @@ index 5afa2a3..98df553 100644 |
880 |
extern void arch_pick_mmap_layout(struct mm_struct *mm); |
881 |
extern unsigned long |
882 |
arch_get_unmapped_area(struct file *, unsigned long, unsigned long, |
883 |
-@@ -629,6 +633,17 @@ struct signal_struct { |
884 |
+@@ -402,6 +406,11 @@ static inline void arch_pick_mmap_layout(struct mm_struct *mm) {} |
885 |
+ extern void set_dumpable(struct mm_struct *mm, int value); |
886 |
+ extern int get_dumpable(struct mm_struct *mm); |
887 |
+ |
888 |
++/* get/set_dumpable() values */ |
889 |
++#define SUID_DUMPABLE_DISABLED 0 |
890 |
++#define SUID_DUMPABLE_ENABLED 1 |
891 |
++#define SUID_DUMPABLE_SAFE 2 |
892 |
++ |
893 |
+ /* mm flags */ |
894 |
+ /* dumpable bits */ |
895 |
+ #define MMF_DUMPABLE 0 /* core dump is permitted */ |
896 |
+@@ -629,6 +638,17 @@ struct signal_struct { |
897 |
#ifdef CONFIG_TASKSTATS |
898 |
struct taskstats *stats; |
899 |
#endif |
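Review bot: The three `SUID_DUMPABLE_*` defines carry only the heading `/* get/set_dumpable() values */`, so a reader has to go to fs/exec.c or Documentation/sysctl/fs.txt to learn what each mode permits. A trailing comment per value would make the header self-explanatory, for example `#define SUID_DUMPABLE_SAFE 2 /* dumped as root, only to a pipe handler or fully qualified path */`, with matching one-liners for DISABLED (no dump after a privilege change) and ENABLED (debug only, dump owned by the current user). Elsewhere in this patch the sysctl table still bounds the value with `&two` and the warning string hard-codes `suid_dumpable=2`, so the constant and the literal can drift apart.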
900 |
@@ -64088,7 +64275,7 @@ index 5afa2a3..98df553 100644 |
901 |
#ifdef CONFIG_AUDIT |
902 |
unsigned audit_tty; |
903 |
struct tty_audit_buf *tty_audit_buf; |
904 |
-@@ -710,6 +725,11 @@ struct user_struct { |
905 |
+@@ -710,6 +730,11 @@ struct user_struct { |
906 |
struct key *session_keyring; /* UID's default session keyring */ |
907 |
#endif |
908 |
|
909 |
@@ -64100,7 +64287,7 @@ index 5afa2a3..98df553 100644 |
910 |
/* Hash table maintenance information */ |
911 |
struct hlist_node uidhash_node; |
912 |
uid_t uid; |
913 |
-@@ -1337,8 +1357,8 @@ struct task_struct { |
914 |
+@@ -1337,8 +1362,8 @@ struct task_struct { |
915 |
struct list_head thread_group; |
916 |
|
917 |
struct completion *vfork_done; /* for vfork() */ |
918 |
@@ -64111,7 +64298,7 @@ index 5afa2a3..98df553 100644 |
919 |
|
920 |
cputime_t utime, stime, utimescaled, stimescaled; |
921 |
cputime_t gtime; |
922 |
-@@ -1354,13 +1374,6 @@ struct task_struct { |
923 |
+@@ -1354,13 +1379,6 @@ struct task_struct { |
924 |
struct task_cputime cputime_expires; |
925 |
struct list_head cpu_timers[3]; |
926 |
|
927 |
@@ -64125,7 +64312,7 @@ index 5afa2a3..98df553 100644 |
928 |
char comm[TASK_COMM_LEN]; /* executable name excluding path |
929 |
- access with [gs]et_task_comm (which lock |
930 |
it with task_lock()) |
931 |
-@@ -1377,8 +1390,16 @@ struct task_struct { |
932 |
+@@ -1377,8 +1395,16 @@ struct task_struct { |
933 |
#endif |
934 |
/* CPU-specific state of this task */ |
935 |
struct thread_struct thread; |
936 |
@@ -64142,7 +64329,7 @@ index 5afa2a3..98df553 100644 |
937 |
/* open file information */ |
938 |
struct files_struct *files; |
939 |
/* namespaces */ |
940 |
-@@ -1425,6 +1446,11 @@ struct task_struct { |
941 |
+@@ -1425,6 +1451,11 @@ struct task_struct { |
942 |
struct rt_mutex_waiter *pi_blocked_on; |
943 |
#endif |
944 |
|
945 |
@@ -64154,7 +64341,7 @@ index 5afa2a3..98df553 100644 |
946 |
#ifdef CONFIG_DEBUG_MUTEXES |
947 |
/* mutex deadlock detection */ |
948 |
struct mutex_waiter *blocked_on; |
949 |
-@@ -1540,6 +1566,27 @@ struct task_struct { |
950 |
+@@ -1540,6 +1571,27 @@ struct task_struct { |
951 |
unsigned long default_timer_slack_ns; |
952 |
|
953 |
struct list_head *scm_work_list; |
954 |
@@ -64182,7 +64369,7 @@ index 5afa2a3..98df553 100644 |
955 |
#ifdef CONFIG_FUNCTION_GRAPH_TRACER |
956 |
/* Index of current stored address in ret_stack */ |
957 |
int curr_ret_stack; |
958 |
-@@ -1574,6 +1621,51 @@ struct task_struct { |
959 |
+@@ -1574,6 +1626,51 @@ struct task_struct { |
960 |
#endif |
961 |
}; |
962 |
|
963 |
@@ -64234,7 +64421,7 @@ index 5afa2a3..98df553 100644 |
964 |
/* Future-safe accessor for struct task_struct's cpus_allowed. */ |
965 |
#define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed) |
966 |
|
967 |
-@@ -2089,7 +2181,9 @@ void yield(void); |
968 |
+@@ -2089,7 +2186,9 @@ void yield(void); |
969 |
extern struct exec_domain default_exec_domain; |
970 |
|
971 |
union thread_union { |
972 |
@@ -64244,7 +64431,7 @@ index 5afa2a3..98df553 100644 |
973 |
unsigned long stack[THREAD_SIZE/sizeof(long)]; |
974 |
}; |
975 |
|
976 |
-@@ -2122,6 +2216,7 @@ extern struct pid_namespace init_pid_ns; |
977 |
+@@ -2122,6 +2221,7 @@ extern struct pid_namespace init_pid_ns; |
978 |
*/ |
979 |
|
980 |
extern struct task_struct *find_task_by_vpid(pid_t nr); |
981 |
@@ -64252,7 +64439,7 @@ index 5afa2a3..98df553 100644 |
982 |
extern struct task_struct *find_task_by_pid_ns(pid_t nr, |
983 |
struct pid_namespace *ns); |
984 |
|
985 |
-@@ -2243,6 +2338,12 @@ static inline void mmdrop(struct mm_struct * mm) |
986 |
+@@ -2243,6 +2343,12 @@ static inline void mmdrop(struct mm_struct * mm) |
987 |
extern void mmput(struct mm_struct *); |
988 |
/* Grab a reference to a task's mm, if it is not already going away */ |
989 |
extern struct mm_struct *get_task_mm(struct task_struct *task); |
990 |
@@ -64265,7 +64452,7 @@ index 5afa2a3..98df553 100644 |
991 |
/* Remove the current tasks stale references to the old mm_struct */ |
992 |
extern void mm_release(struct task_struct *, struct mm_struct *); |
993 |
/* Allocate a new mm structure and copy contents from tsk->mm */ |
994 |
-@@ -2259,7 +2360,7 @@ extern void __cleanup_sighand(struct sighand_struct *); |
995 |
+@@ -2259,7 +2365,7 @@ extern void __cleanup_sighand(struct sighand_struct *); |
996 |
extern void exit_itimers(struct signal_struct *); |
997 |
extern void flush_itimer_signals(void); |
998 |
|
999 |
@@ -64274,7 +64461,7 @@ index 5afa2a3..98df553 100644 |
1000 |
|
1001 |
extern void daemonize(const char *, ...); |
1002 |
extern int allow_signal(int); |
1003 |
-@@ -2424,9 +2525,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) |
1004 |
+@@ -2424,9 +2530,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) |
1005 |
|
1006 |
#endif |
1007 |
|
1008 |
@@ -67642,7 +67829,7 @@ index 66ff710..794bc5a 100644 |
1009 |
|
1010 |
static int |
1011 |
diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c |
1012 |
-index 079f1d3..a407562 100644 |
1013 |
+index 079f1d3..5299c80 100644 |
1014 |
--- a/kernel/kallsyms.c |
1015 |
+++ b/kernel/kallsyms.c |
1016 |
@@ -11,6 +11,9 @@ |
1017 |
@@ -67738,7 +67925,22 @@ index 079f1d3..a407562 100644 |
1018 |
/* Some debugging symbols have no name. Ignore them. */ |
1019 |
if (!iter->name[0]) |
1020 |
return 0; |
1021 |
-@@ -540,7 +583,7 @@ static int kallsyms_open(struct inode *inode, struct file *file) |
1022 |
+@@ -515,8 +558,14 @@ static int s_show(struct seq_file *m, void *p) |
1023 |
+ */ |
1024 |
+ type = iter->exported ? toupper(iter->type) : |
1025 |
+ tolower(iter->type); |
1026 |
++ |
1027 |
++#ifdef CONFIG_GRKERNSEC_HIDESYM |
1028 |
++ seq_printf(m, "%pP %c %s\t[%s]\n", (void *)iter->value, |
1029 |
++ type, iter->name, iter->module_name); |
1030 |
++#else |
1031 |
+ seq_printf(m, "%pK %c %s\t[%s]\n", (void *)iter->value, |
1032 |
+ type, iter->name, iter->module_name); |
1033 |
++#endif |
1034 |
+ } else |
1035 |
+ seq_printf(m, "%pK %c %s\n", (void *)iter->value, |
1036 |
+ iter->type, iter->name); |
1037 |
+@@ -540,7 +589,7 @@ static int kallsyms_open(struct inode *inode, struct file *file) |
1038 |
struct kallsym_iter *iter; |
1039 |
int ret; |
1040 |
|
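Review bot: Only the module branch of s_show switches to `%pP` under CONFIG_GRKERNSEC_HIDESYM; the `else` branch for core-kernel symbols still formats with `%pK`. Going by the lib/vsprintf.c hunk in this same patch, any non-'P' pointer above TASK_SIZE formatted into a usercopy buffer is logged as an infoleak and printed as null, so core symbols would appear to trip that check whenever `%pK` yields a real address. If that is not intended, give the else branch the same `#ifdef` with `seq_printf(m, "%pP %c %s\n", (void *)iter->value, iter->type, iter->name);`. The rest of s_show is outside the hunk, so confirm no earlier return makes this path unreachable.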
1041 |
@@ -68832,10 +69034,25 @@ index b452599..5d68f4e 100644 |
1042 |
atomic_set(&pd->refcnt, 0); |
1043 |
pd->pinst = pinst; |
1044 |
diff --git a/kernel/panic.c b/kernel/panic.c |
1045 |
-index 3458469..3492363 100644 |
1046 |
+index 3458469..3ed0694 100644 |
1047 |
--- a/kernel/panic.c |
1048 |
+++ b/kernel/panic.c |
1049 |
-@@ -78,7 +78,11 @@ NORET_TYPE void panic(const char * fmt, ...) |
1050 |
+@@ -65,6 +65,14 @@ NORET_TYPE void panic(const char * fmt, ...) |
1051 |
+ int state = 0; |
1052 |
+ |
1053 |
+ /* |
1054 |
++ * Disable local interrupts. This will prevent panic_smp_self_stop |
1055 |
++ * from deadlocking the first cpu that invokes the panic, since |
1056 |
++ * there is nothing to prevent an interrupt handler (that runs |
1057 |
++ * after the panic_lock is acquired) from invoking panic again. |
1058 |
++ */ |
1059 |
++ local_irq_disable(); |
1060 |
++ |
1061 |
++ /* |
1062 |
+ * It's possible to come here directly from a panic-assertion and |
1063 |
+ * not have preempt disabled. Some functions called from here want |
1064 |
+ * preempt to be disabled. No point enabling it later though... |
1065 |
+@@ -78,7 +86,11 @@ NORET_TYPE void panic(const char * fmt, ...) |
1066 |
va_end(args); |
1067 |
printk(KERN_EMERG "Kernel panic - not syncing: %s\n",buf); |
1068 |
#ifdef CONFIG_DEBUG_BUGVERBOSE |
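Review bot: The comment added above `local_irq_disable()` justifies the call in terms of `panic_smp_self_stop` and `panic_lock`, but neither name appears in the visible context of this panic(). That suggests the comment was carried over from a tree that has them. If this kernel has neither, reword it to what the call does here, for example `/* Disable local interrupts so an interrupt handler cannot re-enter panic() on this CPU. */`. panic() continues outside the hunk, so check the rest of the body before changing the wording.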
1069 |
@@ -68848,7 +69065,7 @@ index 3458469..3492363 100644 |
1070 |
#endif |
1071 |
|
1072 |
/* |
1073 |
-@@ -382,7 +386,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller, |
1074 |
+@@ -382,7 +394,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller, |
1075 |
const char *board; |
1076 |
|
1077 |
printk(KERN_WARNING "------------[ cut here ]------------\n"); |
1078 |
@@ -68857,7 +69074,7 @@ index 3458469..3492363 100644 |
1079 |
board = dmi_get_system_info(DMI_PRODUCT_NAME); |
1080 |
if (board) |
1081 |
printk(KERN_WARNING "Hardware name: %s\n", board); |
1082 |
-@@ -437,7 +441,8 @@ EXPORT_SYMBOL(warn_slowpath_null); |
1083 |
+@@ -437,7 +449,8 @@ EXPORT_SYMBOL(warn_slowpath_null); |
1084 |
*/ |
1085 |
void __stack_chk_fail(void) |
1086 |
{ |
1087 |
@@ -70297,7 +70514,7 @@ index 481611f..0754d86 100644 |
1088 |
break; |
1089 |
} |
1090 |
diff --git a/kernel/sysctl.c b/kernel/sysctl.c |
1091 |
-index ea7ec7f..5b76fb9 100644 |
1092 |
+index ea7ec7f..23d4094 100644 |
1093 |
--- a/kernel/sysctl.c |
1094 |
+++ b/kernel/sysctl.c |
1095 |
@@ -86,6 +86,13 @@ |
1096 |
@@ -70314,7 +70531,7 @@ index ea7ec7f..5b76fb9 100644 |
1097 |
|
1098 |
/* External variables not in a header file. */ |
1099 |
extern int sysctl_overcommit_memory; |
1100 |
-@@ -165,10 +172,8 @@ static int proc_taint(struct ctl_table *table, int write, |
1101 |
+@@ -165,10 +172,13 @@ static int proc_taint(struct ctl_table *table, int write, |
1102 |
void __user *buffer, size_t *lenp, loff_t *ppos); |
1103 |
#endif |
1104 |
|
1105 |
@@ -70322,10 +70539,15 @@ index ea7ec7f..5b76fb9 100644 |
1106 |
static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, |
1107 |
void __user *buffer, size_t *lenp, loff_t *ppos); |
1108 |
-#endif |
1109 |
++ |
1110 |
++static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write, |
1111 |
++ void __user *buffer, size_t *lenp, loff_t *ppos); |
1112 |
++static int proc_dostring_coredump(struct ctl_table *table, int write, |
1113 |
++ void __user *buffer, size_t *lenp, loff_t *ppos); |
1114 |
|
1115 |
#ifdef CONFIG_MAGIC_SYSRQ |
1116 |
/* Note: sysrq code uses it's own private copy */ |
1117 |
-@@ -191,6 +196,7 @@ static int sysrq_sysctl_handler(ctl_table *table, int write, |
1118 |
+@@ -191,6 +201,7 @@ static int sysrq_sysctl_handler(ctl_table *table, int write, |
1119 |
} |
1120 |
|
1121 |
#endif |
1122 |
@@ -70333,7 +70555,7 @@ index ea7ec7f..5b76fb9 100644 |
1123 |
|
1124 |
static struct ctl_table root_table[]; |
1125 |
static struct ctl_table_root sysctl_table_root; |
1126 |
-@@ -220,6 +226,20 @@ extern struct ctl_table epoll_table[]; |
1127 |
+@@ -220,6 +231,20 @@ extern struct ctl_table epoll_table[]; |
1128 |
int sysctl_legacy_va_layout; |
1129 |
#endif |
1130 |
|
1131 |
@@ -70354,7 +70576,7 @@ index ea7ec7f..5b76fb9 100644 |
1132 |
/* The default sysctl tables: */ |
1133 |
|
1134 |
static struct ctl_table root_table[] = { |
1135 |
-@@ -266,6 +286,22 @@ static int max_extfrag_threshold = 1000; |
1136 |
+@@ -266,6 +291,22 @@ static int max_extfrag_threshold = 1000; |
1137 |
#endif |
1138 |
|
1139 |
static struct ctl_table kern_table[] = { |
1140 |
@@ -70377,7 +70599,16 @@ index ea7ec7f..5b76fb9 100644 |
1141 |
{ |
1142 |
.procname = "sched_child_runs_first", |
1143 |
.data = &sysctl_sched_child_runs_first, |
1144 |
-@@ -550,7 +586,7 @@ static struct ctl_table kern_table[] = { |
1145 |
+@@ -420,7 +461,7 @@ static struct ctl_table kern_table[] = { |
1146 |
+ .data = core_pattern, |
1147 |
+ .maxlen = CORENAME_MAX_SIZE, |
1148 |
+ .mode = 0644, |
1149 |
+- .proc_handler = proc_dostring, |
1150 |
++ .proc_handler = proc_dostring_coredump, |
1151 |
+ }, |
1152 |
+ { |
1153 |
+ .procname = "core_pipe_limit", |
1154 |
+@@ -550,7 +591,7 @@ static struct ctl_table kern_table[] = { |
1155 |
.data = &modprobe_path, |
1156 |
.maxlen = KMOD_PATH_LEN, |
1157 |
.mode = 0644, |
1158 |
@@ -70386,7 +70617,7 @@ index ea7ec7f..5b76fb9 100644 |
1159 |
}, |
1160 |
{ |
1161 |
.procname = "modules_disabled", |
1162 |
-@@ -717,16 +753,20 @@ static struct ctl_table kern_table[] = { |
1163 |
+@@ -717,16 +758,20 @@ static struct ctl_table kern_table[] = { |
1164 |
.extra1 = &zero, |
1165 |
.extra2 = &one, |
1166 |
}, |
1167 |
@@ -70408,7 +70639,7 @@ index ea7ec7f..5b76fb9 100644 |
1168 |
{ |
1169 |
.procname = "ngroups_max", |
1170 |
.data = &ngroups_max, |
1171 |
-@@ -1216,6 +1256,13 @@ static struct ctl_table vm_table[] = { |
1172 |
+@@ -1216,6 +1261,13 @@ static struct ctl_table vm_table[] = { |
1173 |
.proc_handler = proc_dointvec_minmax, |
1174 |
.extra1 = &zero, |
1175 |
}, |
1176 |
@@ -70422,7 +70653,16 @@ index ea7ec7f..5b76fb9 100644 |
1177 |
#else |
1178 |
{ |
1179 |
.procname = "nr_trim_pages", |
1180 |
-@@ -1720,6 +1767,17 @@ static int test_perm(int mode, int op) |
1181 |
+@@ -1499,7 +1551,7 @@ static struct ctl_table fs_table[] = { |
1182 |
+ .data = &suid_dumpable, |
1183 |
+ .maxlen = sizeof(int), |
1184 |
+ .mode = 0644, |
1185 |
+- .proc_handler = proc_dointvec_minmax, |
1186 |
++ .proc_handler = proc_dointvec_minmax_coredump, |
1187 |
+ .extra1 = &zero, |
1188 |
+ .extra2 = &two, |
1189 |
+ }, |
1190 |
+@@ -1720,6 +1772,17 @@ static int test_perm(int mode, int op) |
1191 |
int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op) |
1192 |
{ |
1193 |
int mode; |
1194 |
@@ -70440,7 +70680,7 @@ index ea7ec7f..5b76fb9 100644 |
1195 |
|
1196 |
if (root->permissions) |
1197 |
mode = root->permissions(root, current->nsproxy, table); |
1198 |
-@@ -2124,6 +2182,16 @@ int proc_dostring(struct ctl_table *table, int write, |
1199 |
+@@ -2124,6 +2187,16 @@ int proc_dostring(struct ctl_table *table, int write, |
1200 |
buffer, lenp, ppos); |
1201 |
} |
1202 |
|
1203 |
@@ -70457,7 +70697,7 @@ index ea7ec7f..5b76fb9 100644 |
1204 |
static size_t proc_skip_spaces(char **buf) |
1205 |
{ |
1206 |
size_t ret; |
1207 |
-@@ -2229,6 +2297,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val, |
1208 |
+@@ -2229,6 +2302,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val, |
1209 |
len = strlen(tmp); |
1210 |
if (len > *size) |
1211 |
len = *size; |
1212 |
@@ -70466,7 +70706,7 @@ index ea7ec7f..5b76fb9 100644 |
1213 |
if (copy_to_user(*buf, tmp, len)) |
1214 |
return -EFAULT; |
1215 |
*size -= len; |
1216 |
-@@ -2421,7 +2491,6 @@ static int proc_taint(struct ctl_table *table, int write, |
1217 |
+@@ -2421,7 +2496,6 @@ static int proc_taint(struct ctl_table *table, int write, |
1218 |
return err; |
1219 |
} |
1220 |
|
1221 |
@@ -70474,7 +70714,7 @@ index ea7ec7f..5b76fb9 100644 |
1222 |
static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, |
1223 |
void __user *buffer, size_t *lenp, loff_t *ppos) |
1224 |
{ |
1225 |
-@@ -2430,7 +2499,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, |
1226 |
+@@ -2430,7 +2504,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, |
1227 |
|
1228 |
return proc_dointvec_minmax(table, write, buffer, lenp, ppos); |
1229 |
} |
1230 |
@@ -70482,7 +70722,42 @@ index ea7ec7f..5b76fb9 100644 |
1231 |
|
1232 |
struct do_proc_dointvec_minmax_conv_param { |
1233 |
int *min; |
1234 |
-@@ -2545,8 +2613,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int |
1235 |
+@@ -2488,6 +2561,34 @@ int proc_dointvec_minmax(struct ctl_table *table, int write, |
1236 |
+ do_proc_dointvec_minmax_conv, ¶m); |
1237 |
+ } |
1238 |
+ |
1239 |
++static void validate_coredump_safety(void) |
1240 |
++{ |
1241 |
++ if (suid_dumpable == SUID_DUMPABLE_SAFE && |
1242 |
++ core_pattern[0] != '/' && core_pattern[0] != '|') { |
1243 |
++ printk(KERN_WARNING "Unsafe core_pattern used with "\ |
1244 |
++ "suid_dumpable=2. Pipe handler or fully qualified "\ |
1245 |
++ "core dump path required.\n"); |
1246 |
++ } |
1247 |
++} |
1248 |
++ |
1249 |
++static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write, |
1250 |
++ void __user *buffer, size_t *lenp, loff_t *ppos) |
1251 |
++{ |
1252 |
++ int error = proc_dointvec_minmax(table, write, buffer, lenp, ppos); |
1253 |
++ if (!error) |
1254 |
++ validate_coredump_safety(); |
1255 |
++ return error; |
1256 |
++} |
1257 |
++ |
1258 |
++static int proc_dostring_coredump(struct ctl_table *table, int write, |
1259 |
++ void __user *buffer, size_t *lenp, loff_t *ppos) |
1260 |
++{ |
1261 |
++ int error = proc_dostring(table, write, buffer, lenp, ppos); |
1262 |
++ if (!error) |
1263 |
++ validate_coredump_safety(); |
1264 |
++ return error; |
1265 |
++} |
1266 |
++ |
1267 |
+ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int write, |
1268 |
+ void __user *buffer, |
1269 |
+ size_t *lenp, loff_t *ppos, |
1270 |
+@@ -2545,8 +2646,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int |
1271 |
*i = val; |
1272 |
} else { |
1273 |
val = convdiv * (*i) / convmul; |
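Review bot: `proc_dointvec_minmax_coredump` and `proc_dostring_coredump` call `validate_coredump_safety()` after every successful handler call, reads included. Both table entries are mode 0644, so with an unsafe combination every read of either sysctl repeats the KERN_WARNING. Gate the call on the write path with `if (!error && write)` in both wrappers. The check only warns and leaves the unsafe value in place; the refusal happens at dump time in the fs/exec.c hunk, which deserves a one-line comment above `validate_coredump_safety`.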
1274 |
@@ -70495,7 +70770,7 @@ index ea7ec7f..5b76fb9 100644 |
1275 |
err = proc_put_long(&buffer, &left, val, false); |
1276 |
if (err) |
1277 |
break; |
1278 |
-@@ -2941,6 +3012,12 @@ int proc_dostring(struct ctl_table *table, int write, |
1279 |
+@@ -2941,6 +3045,12 @@ int proc_dostring(struct ctl_table *table, int write, |
1280 |
return -ENOSYS; |
1281 |
} |
1282 |
|
1283 |
@@ -70508,7 +70783,7 @@ index ea7ec7f..5b76fb9 100644 |
1284 |
int proc_dointvec(struct ctl_table *table, int write, |
1285 |
void __user *buffer, size_t *lenp, loff_t *ppos) |
1286 |
{ |
1287 |
-@@ -2997,6 +3074,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax); |
1288 |
+@@ -2997,6 +3107,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax); |
1289 |
EXPORT_SYMBOL(proc_dointvec_userhz_jiffies); |
1290 |
EXPORT_SYMBOL(proc_dointvec_ms_jiffies); |
1291 |
EXPORT_SYMBOL(proc_dostring); |
1292 |
@@ -71306,7 +71581,7 @@ index d9df745..e73c2fe 100644 |
1293 |
static inline void *ptr_to_indirect(void *ptr) |
1294 |
{ |
1295 |
diff --git a/lib/vsprintf.c b/lib/vsprintf.c |
1296 |
-index 993599e..f1dbc14 100644 |
1297 |
+index 993599e..9b1cb1f 100644 |
1298 |
--- a/lib/vsprintf.c |
1299 |
+++ b/lib/vsprintf.c |
1300 |
@@ -16,6 +16,9 @@ |
1301 |
@@ -71378,7 +71653,7 @@ index 993599e..f1dbc14 100644 |
1302 |
case 'B': |
1303 |
return symbol_string(buf, end, ptr, spec, *fmt); |
1304 |
case 'R': |
1305 |
-@@ -878,9 +894,15 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, |
1306 |
+@@ -878,15 +894,24 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, |
1307 |
case 'U': |
1308 |
return uuid_string(buf, end, ptr, spec, fmt); |
1309 |
case 'V': |
1310 |
@@ -71394,10 +71669,40 @@ index 993599e..f1dbc14 100644 |
1311 |
+ va_end(va); |
1312 |
+ return buf; |
1313 |
+ } |
1314 |
++ case 'P': |
1315 |
++ break; |
1316 |
case 'K': |
1317 |
/* |
1318 |
* %pK cannot be used in IRQ context because its test |
1319 |
-@@ -1608,11 +1630,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) |
1320 |
+ * for CAP_SYSLOG would be meaningless. |
1321 |
+ */ |
1322 |
+- if (in_irq() || in_serving_softirq() || in_nmi()) { |
1323 |
++ if (kptr_restrict && (in_irq() || in_serving_softirq() || |
1324 |
++ in_nmi())) { |
1325 |
+ if (spec.field_width == -1) |
1326 |
+ spec.field_width = 2 * sizeof(void *); |
1327 |
+ return string(buf, end, "pK-error", spec); |
1328 |
+@@ -897,6 +922,19 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, |
1329 |
+ ptr = NULL; |
1330 |
+ break; |
1331 |
+ } |
1332 |
++ |
1333 |
++#ifdef CONFIG_GRKERNSEC_HIDESYM |
1334 |
++ /* 'P' = approved pointers to copy to userland, |
1335 |
++ as in the /proc/kallsyms case, as we make it display nothing |
1336 |
++ for non-root users, and the real contents for root users |
1337 |
++ */ |
1338 |
++ if (ptr > TASK_SIZE && *fmt != 'P' && is_usercopy_object(buf)) { |
1339 |
++ printk(KERN_ALERT "grsec: kernel infoleak detected! Please report this log to spender@××××××××××.net.\n"); |
1340 |
++ dump_stack(); |
1341 |
++ ptr = NULL; |
1342 |
++ } |
1343 |
++#endif |
1344 |
++ |
1345 |
+ spec.flags |= SMALL; |
1346 |
+ if (spec.field_width == -1) { |
1347 |
+ spec.field_width = 2 * sizeof(void *); |
1348 |
+@@ -1608,11 +1646,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) |
1349 |
typeof(type) value; \ |
1350 |
if (sizeof(type) == 8) { \ |
1351 |
args = PTR_ALIGN(args, sizeof(u32)); \ |
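Review bot: In the new HIDESYM block of pointer(), `ptr > TASK_SIZE` compares a `void *` directly with an integer expression, which C does not allow without a cast and which compilers flag as a pointer/integer comparison. Make the intent explicit with `if ((unsigned long)ptr > TASK_SIZE && *fmt != 'P' && is_usercopy_object(buf)) {`. The alert and `dump_stack()` are also unthrottled, so a single offending format string reached repeatedly will fill the log; a once-only or rate-limited report would keep the first trace readable. pointer() begins and ends outside this hunk.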
1352 |
@@ -71412,7 +71717,7 @@ index 993599e..f1dbc14 100644 |
1353 |
} \ |
1354 |
args += sizeof(type); \ |
1355 |
value; \ |
1356 |
-@@ -1675,7 +1697,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) |
1357 |
+@@ -1675,7 +1713,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) |
1358 |
case FORMAT_TYPE_STR: { |
1359 |
const char *str_arg = args; |
1360 |
args += strlen(str_arg) + 1; |
1361 |
@@ -78727,6 +79032,27 @@ index 5e57347..3916042 100644 |
1362 |
} |
1363 |
#endif |
1364 |
|
1365 |
+diff --git a/net/rds/recv.c b/net/rds/recv.c |
1366 |
+index bc3f8cd..fc57d31 100644 |
1367 |
+--- a/net/rds/recv.c |
1368 |
++++ b/net/rds/recv.c |
1369 |
+@@ -410,6 +410,8 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, |
1370 |
+ |
1371 |
+ rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo); |
1372 |
+ |
1373 |
++ msg->msg_namelen = 0; |
1374 |
++ |
1375 |
+ if (msg_flags & MSG_OOB) |
1376 |
+ goto out; |
1377 |
+ |
1378 |
+@@ -485,6 +487,7 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, |
1379 |
+ sin->sin_port = inc->i_hdr.h_sport; |
1380 |
+ sin->sin_addr.s_addr = inc->i_saddr; |
1381 |
+ memset(sin->sin_zero, 0, sizeof(sin->sin_zero)); |
1382 |
++ msg->msg_namelen = sizeof(*sin); |
1383 |
+ } |
1384 |
+ break; |
1385 |
+ } |
1386 |
diff --git a/net/rds/tcp.c b/net/rds/tcp.c |
1387 |
index edac9ef..16bcb98 100644 |
1388 |
--- a/net/rds/tcp.c |
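Review bot: Both `msg->msg_namelen` assignments in rds_recvmsg go in without a comment, and the reason for zeroing the length before the `MSG_OOB` early exit is not obvious from the code. A short comment above the first assignment, such as `/* no source address yet; set to sizeof(*sin) only once sin is filled in below */`, would keep a later cleanup from removing it as redundant. Presumably the socket layer copies `msg_namelen` bytes of the address buffer back to the caller, which is why a stale length matters; confirm against the recvmsg caller. rds_recvmsg starts and ends outside the hunk.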
1389 |
@@ -80276,10 +80602,10 @@ index 38f6617..e70b72b 100755 |
1390 |
|
1391 |
exuberant() |
1392 |
diff --git a/security/Kconfig b/security/Kconfig |
1393 |
-index 51bd5a0..f94ba7f 100644 |
1394 |
+index 51bd5a0..7963a07 100644 |
1395 |
--- a/security/Kconfig |
1396 |
+++ b/security/Kconfig |
1397 |
-@@ -4,6 +4,875 @@ |
1398 |
+@@ -4,6 +4,876 @@ |
1399 |
|
1400 |
menu "Security options" |
1401 |
|
1402 |
@@ -80311,6 +80637,7 @@ index 51bd5a0..f94ba7f 100644 |
1403 |
+ bool "Grsecurity" |
1404 |
+ select CRYPTO |
1405 |
+ select CRYPTO_SHA256 |
1406 |
++ select PROC_FS |
1407 |
+ select STOP_MACHINE |
1408 |
+ help |
1409 |
+ If you say Y here, you will be able to configure many features |
1410 |
@@ -81155,7 +81482,7 @@ index 51bd5a0..f94ba7f 100644 |
1411 |
config KEYS |
1412 |
bool "Enable access key retention support" |
1413 |
help |
1414 |
-@@ -169,7 +1038,7 @@ config INTEL_TXT |
1415 |
+@@ -169,7 +1039,7 @@ config INTEL_TXT |
1416 |
config LSM_MMAP_MIN_ADDR |
1417 |
int "Low address space for LSM to protect from user allocation" |
1418 |
depends on SECURITY && SECURITY_SELINUX |
1419 |
|
1420 |
diff --git a/3.4.6/0000_README b/3.4.6/0000_README |
1421 |
index 0a9e8d9..14b45fc 100644 |
1422 |
--- a/3.4.6/0000_README |
1423 |
+++ b/3.4.6/0000_README |
1424 |
@@ -6,7 +6,7 @@ Patch: 1005_linux-3.4.6.patch |
1425 |
From: http://www.kernel.org |
1426 |
Desc: Linux 3.4.6 |
1427 |
|
1428 |
-Patch: 4420_grsecurity-2.9.1-3.4.6-201207281946.patch |
1429 |
+Patch: 4420_grsecurity-2.9.1-3.4.7-201207311909.patch |
1430 |
From: http://www.grsecurity.net |
1431 |
Desc: hardened-sources base patch from upstream grsecurity |
1432 |
|
1433 |
|
1434 |
diff --git a/3.4.6/4420_grsecurity-2.9.1-3.4.6-201207281946.patch b/3.4.6/4420_grsecurity-2.9.1-3.4.7-201207311909.patch |
1435 |
similarity index 99% |
1436 |
rename from 3.4.6/4420_grsecurity-2.9.1-3.4.6-201207281946.patch |
1437 |
rename to 3.4.6/4420_grsecurity-2.9.1-3.4.7-201207311909.patch |
1438 |
index 357f472..9da1ccd 100644 |
1439 |
--- a/3.4.6/4420_grsecurity-2.9.1-3.4.6-201207281946.patch |
1440 |
+++ b/3.4.6/4420_grsecurity-2.9.1-3.4.7-201207311909.patch |
1441 |
@@ -235,8 +235,41 @@ index c1601e5..08557ce 100644 |
1442 |
pcbit= [HW,ISDN] |
1443 |
|
1444 |
pcd. [PARIDE] |
1445 |
+diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt |
1446 |
+index 88fd7f5..b318a78 100644 |
1447 |
+--- a/Documentation/sysctl/fs.txt |
1448 |
++++ b/Documentation/sysctl/fs.txt |
1449 |
+@@ -163,16 +163,22 @@ This value can be used to query and set the core dump mode for setuid |
1450 |
+ or otherwise protected/tainted binaries. The modes are |
1451 |
+ |
1452 |
+ 0 - (default) - traditional behaviour. Any process which has changed |
1453 |
+- privilege levels or is execute only will not be dumped |
1454 |
++ privilege levels or is execute only will not be dumped. |
1455 |
+ 1 - (debug) - all processes dump core when possible. The core dump is |
1456 |
+ owned by the current user and no security is applied. This is |
1457 |
+ intended for system debugging situations only. Ptrace is unchecked. |
1458 |
++ This is insecure as it allows regular users to examine the memory |
1459 |
++ contents of privileged processes. |
1460 |
+ 2 - (suidsafe) - any binary which normally would not be dumped is dumped |
1461 |
+- readable by root only. This allows the end user to remove |
1462 |
+- such a dump but not access it directly. For security reasons |
1463 |
+- core dumps in this mode will not overwrite one another or |
1464 |
+- other files. This mode is appropriate when administrators are |
1465 |
+- attempting to debug problems in a normal environment. |
1466 |
++ anyway, but only if the "core_pattern" kernel sysctl is set to |
1467 |
++ either a pipe handler or a fully qualified path. (For more details |
1468 |
++ on this limitation, see CVE-2006-2451.) This mode is appropriate |
1469 |
++ when administrators are attempting to debug problems in a normal |
1470 |
++ environment, and either have a core dump pipe handler that knows |
1471 |
++ to treat privileged core dumps with care, or specific directory |
1472 |
++ defined for catching core dumps. If a core dump happens without |
1473 |
++ a pipe handler or fully qualifid path, a message will be emitted |
1474 |
++ to syslog warning about the lack of a correct setting. |
1475 |
+ |
1476 |
+ ============================================================== |
1477 |
+ |
1478 |
diff --git a/Makefile b/Makefile |
1479 |
-index 5d0edcb..f69ee4c 100644 |
1480 |
+index e17a98c..e3197fa 100644 |
1481 |
--- a/Makefile |
1482 |
+++ b/Makefile |
1483 |
@@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ |
1484 |
@@ -2907,7 +2940,7 @@ index 881d18b..cea38bc 100644 |
1485 |
|
1486 |
/* |
1487 |
diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h |
1488 |
-index 0d85d8e..ec71487 100644 |
1489 |
+index abb13e8..cd2d702 100644 |
1490 |
--- a/arch/mips/include/asm/thread_info.h |
1491 |
+++ b/arch/mips/include/asm/thread_info.h |
1492 |
@@ -123,6 +123,8 @@ register struct thread_info *__current_thread_info __asm__("$28"); |
1493 |
@@ -20079,7 +20112,7 @@ index 255f58a..5e91150 100644 |
1494 |
goto cannot_handle; |
1495 |
if ((segoffs >> 16) == BIOSSEG) |
1496 |
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S |
1497 |
-index 0f703f1..9e15f64 100644 |
1498 |
+index 0f703f1..3b426f3 100644 |
1499 |
--- a/arch/x86/kernel/vmlinux.lds.S |
1500 |
+++ b/arch/x86/kernel/vmlinux.lds.S |
1501 |
@@ -26,6 +26,13 @@ |
1502 |
@@ -20148,7 +20181,7 @@ index 0f703f1..9e15f64 100644 |
1503 |
HEAD_TEXT |
1504 |
#ifdef CONFIG_X86_32 |
1505 |
. = ALIGN(PAGE_SIZE); |
1506 |
-@@ -108,13 +128,47 @@ SECTIONS |
1507 |
+@@ -108,13 +128,48 @@ SECTIONS |
1508 |
IRQENTRY_TEXT |
1509 |
*(.fixup) |
1510 |
*(.gnu.warning) |
1511 |
@@ -20168,8 +20201,8 @@ index 0f703f1..9e15f64 100644 |
1512 |
+ MODULES_EXEC_VADDR = .; |
1513 |
+ BYTE(0) |
1514 |
+ . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024); |
1515 |
-+ . = ALIGN(HPAGE_SIZE); |
1516 |
-+ MODULES_EXEC_END = . - 1; |
1517 |
++ . = ALIGN(HPAGE_SIZE) - 1; |
1518 |
++ MODULES_EXEC_END = .; |
1519 |
+#endif |
1520 |
+ |
1521 |
+ } :module |
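Review bot: The `- 1` moves from `MODULES_EXEC_END = . - 1;` to `. = ALIGN(HPAGE_SIZE) - 1;` without a comment, so a reader cannot tell that the location counter is now deliberately left one byte short of the huge-page boundary. The symbol keeps the same value, but the layout after `.module.text` changes. The `BYTE(0)` added to `.text.end` in the following hunk looks like the byte that fills that gap and keeps the section non-empty, which would also explain why the relocs.c hunk now matches `_etext` against `.text.end` instead of `.module.text`. If that reading is right, a comment such as `/* stop one byte short; the BYTE(0) in .text.end completes the huge page */` above the `ALIGN` line would record it. The SECTIONS block starts and ends outside the hunk.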
1522 |
@@ -20177,6 +20210,7 @@ index 0f703f1..9e15f64 100644 |
1523 |
+ |
1524 |
+ .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) { |
1525 |
+ /* End of text section */ |
1526 |
++ BYTE(0) |
1527 |
+ _etext = . - __KERNEL_TEXT_OFFSET; |
1528 |
+ } |
1529 |
+ |
1530 |
@@ -20200,7 +20234,7 @@ index 0f703f1..9e15f64 100644 |
1531 |
|
1532 |
#if defined(CONFIG_DEBUG_RODATA) |
1533 |
/* .text should occupy whole number of pages */ |
1534 |
-@@ -126,16 +180,20 @@ SECTIONS |
1535 |
+@@ -126,16 +181,20 @@ SECTIONS |
1536 |
|
1537 |
/* Data */ |
1538 |
.data : AT(ADDR(.data) - LOAD_OFFSET) { |
1539 |
@@ -20224,7 +20258,7 @@ index 0f703f1..9e15f64 100644 |
1540 |
|
1541 |
PAGE_ALIGNED_DATA(PAGE_SIZE) |
1542 |
|
1543 |
-@@ -176,12 +234,19 @@ SECTIONS |
1544 |
+@@ -176,12 +235,19 @@ SECTIONS |
1545 |
#endif /* CONFIG_X86_64 */ |
1546 |
|
1547 |
/* Init code and data - will be freed after init */ |
1548 |
@@ -20247,7 +20281,7 @@ index 0f703f1..9e15f64 100644 |
1549 |
/* |
1550 |
* percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the |
1551 |
* output PHDR, so the next output section - .init.text - should |
1552 |
-@@ -190,12 +255,27 @@ SECTIONS |
1553 |
+@@ -190,12 +256,27 @@ SECTIONS |
1554 |
PERCPU_VADDR(INTERNODE_CACHE_BYTES, 0, :percpu) |
1555 |
#endif |
1556 |
|
1557 |
@@ -20280,7 +20314,7 @@ index 0f703f1..9e15f64 100644 |
1558 |
|
1559 |
/* |
1560 |
* Code and data for a variety of lowlevel trampolines, to be |
1561 |
-@@ -269,19 +349,12 @@ SECTIONS |
1562 |
+@@ -269,19 +350,12 @@ SECTIONS |
1563 |
} |
1564 |
|
1565 |
. = ALIGN(8); |
1566 |
@@ -20301,7 +20335,7 @@ index 0f703f1..9e15f64 100644 |
1567 |
PERCPU_SECTION(INTERNODE_CACHE_BYTES) |
1568 |
#endif |
1569 |
|
1570 |
-@@ -300,16 +373,10 @@ SECTIONS |
1571 |
+@@ -300,16 +374,10 @@ SECTIONS |
1572 |
.smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) { |
1573 |
__smp_locks = .; |
1574 |
*(.smp_locks) |
1575 |
@@ -20319,7 +20353,7 @@ index 0f703f1..9e15f64 100644 |
1576 |
/* BSS */ |
1577 |
. = ALIGN(PAGE_SIZE); |
1578 |
.bss : AT(ADDR(.bss) - LOAD_OFFSET) { |
1579 |
-@@ -325,6 +392,7 @@ SECTIONS |
1580 |
+@@ -325,6 +393,7 @@ SECTIONS |
1581 |
__brk_base = .; |
1582 |
. += 64 * 1024; /* 64k alignment slop space */ |
1583 |
*(.brk_reservation) /* areas brk users have reserved */ |
1584 |
@@ -20327,7 +20361,7 @@ index 0f703f1..9e15f64 100644 |
1585 |
__brk_limit = .; |
1586 |
} |
1587 |
|
1588 |
-@@ -351,13 +419,12 @@ SECTIONS |
1589 |
+@@ -351,13 +420,12 @@ SECTIONS |
1590 |
* for the boot processor. |
1591 |
*/ |
1592 |
#define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load |
1593 |
@@ -26764,7 +26798,7 @@ index 218cdb1..fd55c08 100644 |
1594 |
syscall_init(); /* This sets MSR_*STAR and related */ |
1595 |
#endif |
1596 |
diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c |
1597 |
-index b685296..e00eb65 100644 |
1598 |
+index b685296..4ac6aaa 100644 |
1599 |
--- a/arch/x86/tools/relocs.c |
1600 |
+++ b/arch/x86/tools/relocs.c |
1601 |
@@ -12,10 +12,13 @@ |
1602 |
@@ -26857,7 +26891,7 @@ index b685296..e00eb65 100644 |
1603 |
} |
1604 |
+ base = 0; |
1605 |
+ |
1606 |
-+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32) |
1607 |
++#ifdef CONFIG_X86_32 |
1608 |
+ for (j = 0; j < ehdr.e_phnum; j++) { |
1609 |
+ if (phdr[j].p_type != PT_LOAD ) |
1610 |
+ continue; |
1611 |
@@ -26934,7 +26968,7 @@ index b685296..e00eb65 100644 |
1612 |
+ |
1613 |
+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32) |
1614 |
+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */ |
1615 |
-+ if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext")) |
1616 |
++ if (!strcmp(sec_name(sym->st_shndx), ".text.end") && !strcmp(sym_name(sym_strtab, sym), "_etext")) |
1617 |
+ continue; |
1618 |
+ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) |
1619 |
+ continue; |
1620 |
@@ -31272,10 +31306,10 @@ index 8a8725c..afed796 100644 |
1621 |
marker = list_first_entry(&queue->head, |
1622 |
struct vmw_marker, head); |
1623 |
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c |
1624 |
-index 054677b..741672a 100644 |
1625 |
+index 973c238..981f5ed 100644 |
1626 |
--- a/drivers/hid/hid-core.c |
1627 |
+++ b/drivers/hid/hid-core.c |
1628 |
-@@ -2070,7 +2070,7 @@ static bool hid_ignore(struct hid_device *hdev) |
1629 |
+@@ -2071,7 +2071,7 @@ static bool hid_ignore(struct hid_device *hdev) |
1630 |
|
1631 |
int hid_add_device(struct hid_device *hdev) |
1632 |
{ |
1633 |
@@ -31284,7 +31318,7 @@ index 054677b..741672a 100644 |
1634 |
int ret; |
1635 |
|
1636 |
if (WARN_ON(hdev->status & HID_STAT_ADDED)) |
1637 |
-@@ -2085,7 +2085,7 @@ int hid_add_device(struct hid_device *hdev) |
1638 |
+@@ -2086,7 +2086,7 @@ int hid_add_device(struct hid_device *hdev) |
1639 |
/* XXX hack, any other cleaner solution after the driver core |
1640 |
* is converted to allow more than 20 bytes as the device name? */ |
1641 |
dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus, |
1642 |
@@ -33142,7 +33176,7 @@ index a1a3e6d..1918bfc 100644 |
1643 |
DMWARN("name not supplied when creating device"); |
1644 |
return -EINVAL; |
1645 |
diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c |
1646 |
-index d039de8..0cf5b87 100644 |
1647 |
+index b58b7a3..8018b19 100644 |
1648 |
--- a/drivers/md/dm-raid1.c |
1649 |
+++ b/drivers/md/dm-raid1.c |
1650 |
@@ -40,7 +40,7 @@ enum dm_raid1_error { |
1651 |
@@ -33208,7 +33242,7 @@ index d039de8..0cf5b87 100644 |
1652 |
ms->mirror[mirror].error_type = 0; |
1653 |
ms->mirror[mirror].offset = offset; |
1654 |
|
1655 |
-@@ -1351,7 +1351,7 @@ static void mirror_resume(struct dm_target *ti) |
1656 |
+@@ -1352,7 +1352,7 @@ static void mirror_resume(struct dm_target *ti) |
1657 |
*/ |
1658 |
static char device_status_char(struct mirror *m) |
1659 |
{ |
1660 |
@@ -33353,7 +33387,7 @@ index e24143c..ce2f21a1 100644 |
1661 |
|
1662 |
void dm_uevent_add(struct mapped_device *md, struct list_head *elist) |
1663 |
diff --git a/drivers/md/md.c b/drivers/md/md.c |
1664 |
-index 2b30ffd..362b519 100644 |
1665 |
+index 9ee8ce3..362b519 100644 |
1666 |
--- a/drivers/md/md.c |
1667 |
+++ b/drivers/md/md.c |
1668 |
@@ -277,10 +277,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio); |
1669 |
@@ -33425,125 +33459,7 @@ index 2b30ffd..362b519 100644 |
1670 |
|
1671 |
INIT_LIST_HEAD(&rdev->same_set); |
1672 |
init_waitqueue_head(&rdev->blocked_wait); |
1673 |
-@@ -3744,8 +3744,8 @@ array_state_show(struct mddev *mddev, char *page) |
1674 |
- return sprintf(page, "%s\n", array_states[st]); |
1675 |
- } |
1676 |
- |
1677 |
--static int do_md_stop(struct mddev * mddev, int ro, int is_open); |
1678 |
--static int md_set_readonly(struct mddev * mddev, int is_open); |
1679 |
-+static int do_md_stop(struct mddev * mddev, int ro, struct block_device *bdev); |
1680 |
-+static int md_set_readonly(struct mddev * mddev, struct block_device *bdev); |
1681 |
- static int do_md_run(struct mddev * mddev); |
1682 |
- static int restart_array(struct mddev *mddev); |
1683 |
- |
1684 |
-@@ -3761,14 +3761,14 @@ array_state_store(struct mddev *mddev, const char *buf, size_t len) |
1685 |
- /* stopping an active array */ |
1686 |
- if (atomic_read(&mddev->openers) > 0) |
1687 |
- return -EBUSY; |
1688 |
-- err = do_md_stop(mddev, 0, 0); |
1689 |
-+ err = do_md_stop(mddev, 0, NULL); |
1690 |
- break; |
1691 |
- case inactive: |
1692 |
- /* stopping an active array */ |
1693 |
- if (mddev->pers) { |
1694 |
- if (atomic_read(&mddev->openers) > 0) |
1695 |
- return -EBUSY; |
1696 |
-- err = do_md_stop(mddev, 2, 0); |
1697 |
-+ err = do_md_stop(mddev, 2, NULL); |
1698 |
- } else |
1699 |
- err = 0; /* already inactive */ |
1700 |
- break; |
1701 |
-@@ -3776,7 +3776,7 @@ array_state_store(struct mddev *mddev, const char *buf, size_t len) |
1702 |
- break; /* not supported yet */ |
1703 |
- case readonly: |
1704 |
- if (mddev->pers) |
1705 |
-- err = md_set_readonly(mddev, 0); |
1706 |
-+ err = md_set_readonly(mddev, NULL); |
1707 |
- else { |
1708 |
- mddev->ro = 1; |
1709 |
- set_disk_ro(mddev->gendisk, 1); |
1710 |
-@@ -3786,7 +3786,7 @@ array_state_store(struct mddev *mddev, const char *buf, size_t len) |
1711 |
- case read_auto: |
1712 |
- if (mddev->pers) { |
1713 |
- if (mddev->ro == 0) |
1714 |
-- err = md_set_readonly(mddev, 0); |
1715 |
-+ err = md_set_readonly(mddev, NULL); |
1716 |
- else if (mddev->ro == 1) |
1717 |
- err = restart_array(mddev); |
1718 |
- if (err == 0) { |
1719 |
-@@ -5124,15 +5124,17 @@ void md_stop(struct mddev *mddev) |
1720 |
- } |
1721 |
- EXPORT_SYMBOL_GPL(md_stop); |
1722 |
- |
1723 |
--static int md_set_readonly(struct mddev *mddev, int is_open) |
1724 |
-+static int md_set_readonly(struct mddev *mddev, struct block_device *bdev) |
1725 |
- { |
1726 |
- int err = 0; |
1727 |
- mutex_lock(&mddev->open_mutex); |
1728 |
-- if (atomic_read(&mddev->openers) > is_open) { |
1729 |
-+ if (atomic_read(&mddev->openers) > !!bdev) { |
1730 |
- printk("md: %s still in use.\n",mdname(mddev)); |
1731 |
- err = -EBUSY; |
1732 |
- goto out; |
1733 |
- } |
1734 |
-+ if (bdev) |
1735 |
-+ sync_blockdev(bdev); |
1736 |
- if (mddev->pers) { |
1737 |
- __md_stop_writes(mddev); |
1738 |
- |
1739 |
-@@ -5154,18 +5156,26 @@ out: |
1740 |
- * 0 - completely stop and dis-assemble array |
1741 |
- * 2 - stop but do not disassemble array |
1742 |
- */ |
1743 |
--static int do_md_stop(struct mddev * mddev, int mode, int is_open) |
1744 |
-+static int do_md_stop(struct mddev * mddev, int mode, |
1745 |
-+ struct block_device *bdev) |
1746 |
- { |
1747 |
- struct gendisk *disk = mddev->gendisk; |
1748 |
- struct md_rdev *rdev; |
1749 |
- |
1750 |
- mutex_lock(&mddev->open_mutex); |
1751 |
-- if (atomic_read(&mddev->openers) > is_open || |
1752 |
-+ if (atomic_read(&mddev->openers) > !!bdev || |
1753 |
- mddev->sysfs_active) { |
1754 |
- printk("md: %s still in use.\n",mdname(mddev)); |
1755 |
- mutex_unlock(&mddev->open_mutex); |
1756 |
- return -EBUSY; |
1757 |
- } |
1758 |
-+ if (bdev) |
1759 |
-+ /* It is possible IO was issued on some other |
1760 |
-+ * open file which was closed before we took ->open_mutex. |
1761 |
-+ * As that was not the last close __blkdev_put will not |
1762 |
-+ * have called sync_blockdev, so we must. |
1763 |
-+ */ |
1764 |
-+ sync_blockdev(bdev); |
1765 |
- |
1766 |
- if (mddev->pers) { |
1767 |
- if (mddev->ro) |
1768 |
-@@ -5239,7 +5249,7 @@ static void autorun_array(struct mddev *mddev) |
1769 |
- err = do_md_run(mddev); |
1770 |
- if (err) { |
1771 |
- printk(KERN_WARNING "md: do_md_run() returned %d\n", err); |
1772 |
-- do_md_stop(mddev, 0, 0); |
1773 |
-+ do_md_stop(mddev, 0, NULL); |
1774 |
- } |
1775 |
- } |
1776 |
- |
1777 |
-@@ -6237,11 +6247,11 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, |
1778 |
- goto done_unlock; |
1779 |
- |
1780 |
- case STOP_ARRAY: |
1781 |
-- err = do_md_stop(mddev, 0, 1); |
1782 |
-+ err = do_md_stop(mddev, 0, bdev); |
1783 |
- goto done_unlock; |
1784 |
- |
1785 |
- case STOP_ARRAY_RO: |
1786 |
-- err = md_set_readonly(mddev, 1); |
1787 |
-+ err = md_set_readonly(mddev, bdev); |
1788 |
- goto done_unlock; |
1789 |
- |
1790 |
- case BLKROSET: |
1791 |
-@@ -6738,7 +6748,7 @@ static int md_seq_show(struct seq_file *seq, void *v) |
1792 |
+@@ -6748,7 +6748,7 @@ static int md_seq_show(struct seq_file *seq, void *v) |
1793 |
|
1794 |
spin_unlock(&pers_lock); |
1795 |
seq_printf(seq, "\n"); |
1796 |
@@ -33552,7 +33468,7 @@ index 2b30ffd..362b519 100644 |
1797 |
return 0; |
1798 |
} |
1799 |
if (v == (void*)2) { |
1800 |
-@@ -6841,7 +6851,7 @@ static int md_seq_open(struct inode *inode, struct file *file) |
1801 |
+@@ -6851,7 +6851,7 @@ static int md_seq_open(struct inode *inode, struct file *file) |
1802 |
return error; |
1803 |
|
1804 |
seq = file->private_data; |
1805 |
@@ -33561,7 +33477,7 @@ index 2b30ffd..362b519 100644 |
1806 |
return error; |
1807 |
} |
1808 |
|
1809 |
-@@ -6855,7 +6865,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait) |
1810 |
+@@ -6865,7 +6865,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait) |
1811 |
/* always allow read */ |
1812 |
mask = POLLIN | POLLRDNORM; |
1813 |
|
1814 |
@@ -33570,7 +33486,7 @@ index 2b30ffd..362b519 100644 |
1815 |
mask |= POLLERR | POLLPRI; |
1816 |
return mask; |
1817 |
} |
1818 |
-@@ -6899,7 +6909,7 @@ static int is_mddev_idle(struct mddev *mddev, int init) |
1819 |
+@@ -6909,7 +6909,7 @@ static int is_mddev_idle(struct mddev *mddev, int init) |
1820 |
struct gendisk *disk = rdev->bdev->bd_contains->bd_disk; |
1821 |
curr_events = (int)part_stat_read(&disk->part0, sectors[0]) + |
1822 |
(int)part_stat_read(&disk->part0, sectors[1]) - |
1823 |
@@ -33660,7 +33576,7 @@ index 1cbfc6b..56e1dbb 100644 |
1824 |
/*----------------------------------------------------------------*/ |
1825 |
|
1826 |
diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c |
1827 |
-index d1f74ab..d1b24fd 100644 |
1828 |
+index d7add9d..68e3dde 100644 |
1829 |
--- a/drivers/md/raid1.c |
1830 |
+++ b/drivers/md/raid1.c |
1831 |
@@ -1688,7 +1688,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio) |
1832 |
@@ -33672,7 +33588,7 @@ index d1f74ab..d1b24fd 100644 |
1833 |
} |
1834 |
sectors -= s; |
1835 |
sect += s; |
1836 |
-@@ -1902,7 +1902,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk, |
1837 |
+@@ -1908,7 +1908,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk, |
1838 |
test_bit(In_sync, &rdev->flags)) { |
1839 |
if (r1_sync_page_io(rdev, sect, s, |
1840 |
conf->tmppage, READ)) { |
1841 |
@@ -34311,6 +34227,19 @@ index 2b1482a..5d33616 100644 |
1842 |
union axis_conversion ac; /* hw -> logical axis */ |
1843 |
int mapped_btns[3]; |
1844 |
|
1845 |
+diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c |
1846 |
+index 28adefe..08aad69 100644 |
1847 |
+--- a/drivers/misc/lkdtm.c |
1848 |
++++ b/drivers/misc/lkdtm.c |
1849 |
+@@ -477,6 +477,8 @@ static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf, |
1850 |
+ int i, n, out; |
1851 |
+ |
1852 |
+ buf = (char *)__get_free_page(GFP_KERNEL); |
1853 |
++ if (buf == NULL) |
1854 |
++ return -ENOMEM; |
1855 |
+ |
1856 |
+ n = snprintf(buf, PAGE_SIZE, "Available crash types:\n"); |
1857 |
+ for (i = 0; i < ARRAY_SIZE(cp_type); i++) |
1858 |
diff --git a/drivers/misc/sgi-gru/gruhandles.c b/drivers/misc/sgi-gru/gruhandles.c |
1859 |
index 2f30bad..c4c13d0 100644 |
1860 |
--- a/drivers/misc/sgi-gru/gruhandles.c |
1861 |
@@ -34581,6 +34510,22 @@ index 8d082b4..aa749ae 100644 |
1862 |
|
1863 |
/* |
1864 |
* Timer function to enforce the timelimit on the partition disengage. |
1865 |
+diff --git a/drivers/misc/ti-st/st_core.c b/drivers/misc/ti-st/st_core.c |
1866 |
+index 2b62232..acfaeeb 100644 |
1867 |
+--- a/drivers/misc/ti-st/st_core.c |
1868 |
++++ b/drivers/misc/ti-st/st_core.c |
1869 |
+@@ -349,6 +349,11 @@ void st_int_recv(void *disc_data, |
1870 |
+ st_gdata->rx_skb = alloc_skb( |
1871 |
+ st_gdata->list[type]->max_frame_size, |
1872 |
+ GFP_ATOMIC); |
1873 |
++ if (st_gdata->rx_skb == NULL) { |
1874 |
++ pr_err("out of memory: dropping\n"); |
1875 |
++ goto done; |
1876 |
++ } |
1877 |
++ |
1878 |
+ skb_reserve(st_gdata->rx_skb, |
1879 |
+ st_gdata->list[type]->reserve); |
1880 |
+ /* next 2 required for BT only */ |
1881 |
diff --git a/drivers/mmc/host/sdhci-pci.c b/drivers/mmc/host/sdhci-pci.c |
1882 |
index 69ef0be..f3ef91e 100644 |
1883 |
--- a/drivers/mmc/host/sdhci-pci.c |
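Review bot: The `pr_err("out of memory: dropping\n")` added after the `alloc_skb(..., GFP_ATOMIC)` check in the st_core.c section is not rate limited, so sustained memory pressure on the receive path would log one line per dropped frame. `pr_err_ratelimited("out of memory: dropping\n");` keeps the signal without flooding the log. The `done` label is not visible here, so it is worth confirming there that the receive state is reset before the next frame is parsed. st_int_recv starts and ends outside the hunk.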
1884 |
@@ -37585,51 +37530,6 @@ index 0d4aa82..f7832d4 100644 |
1885 |
extern void tmem_register_hostops(struct tmem_hostops *m); |
1886 |
|
1887 |
/* core tmem accessor functions */ |
1888 |
-diff --git a/drivers/target/target_core_cdb.c b/drivers/target/target_core_cdb.c |
1889 |
-index 30a6770..fa323f8 100644 |
1890 |
---- a/drivers/target/target_core_cdb.c |
1891 |
-+++ b/drivers/target/target_core_cdb.c |
1892 |
-@@ -1107,7 +1107,7 @@ int target_emulate_write_same(struct se_task *task) |
1893 |
- if (num_blocks != 0) |
1894 |
- range = num_blocks; |
1895 |
- else |
1896 |
-- range = (dev->transport->get_blocks(dev) - lba); |
1897 |
-+ range = (dev->transport->get_blocks(dev) - lba) + 1; |
1898 |
- |
1899 |
- pr_debug("WRITE_SAME UNMAP: LBA: %llu Range: %llu\n", |
1900 |
- (unsigned long long)lba, (unsigned long long)range); |
1901 |
-diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c |
1902 |
-index c3148b1..89d10e6 100644 |
1903 |
---- a/drivers/target/target_core_pr.c |
1904 |
-+++ b/drivers/target/target_core_pr.c |
1905 |
-@@ -2038,7 +2038,7 @@ static int __core_scsi3_write_aptpl_to_file( |
1906 |
- if (IS_ERR(file) || !file || !file->f_dentry) { |
1907 |
- pr_err("filp_open(%s) for APTPL metadata" |
1908 |
- " failed\n", path); |
1909 |
-- return (PTR_ERR(file) < 0 ? PTR_ERR(file) : -ENOENT); |
1910 |
-+ return IS_ERR(file) ? PTR_ERR(file) : -ENOENT; |
1911 |
- } |
1912 |
- |
1913 |
- iov[0].iov_base = &buf[0]; |
1914 |
-@@ -3826,7 +3826,7 @@ int target_scsi3_emulate_pr_out(struct se_task *task) |
1915 |
- " SPC-2 reservation is held, returning" |
1916 |
- " RESERVATION_CONFLICT\n"); |
1917 |
- cmd->scsi_sense_reason = TCM_RESERVATION_CONFLICT; |
1918 |
-- ret = EINVAL; |
1919 |
-+ ret = -EINVAL; |
1920 |
- goto out; |
1921 |
- } |
1922 |
- |
1923 |
-@@ -3836,7 +3836,8 @@ int target_scsi3_emulate_pr_out(struct se_task *task) |
1924 |
- */ |
1925 |
- if (!cmd->se_sess) { |
1926 |
- cmd->scsi_sense_reason = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; |
1927 |
-- return -EINVAL; |
1928 |
-+ ret = -EINVAL; |
1929 |
-+ goto out; |
1930 |
- } |
1931 |
- |
1932 |
- if (cmd->data_length < 24) { |
1933 |
diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c |
1934 |
index f015839..b15dfc4 100644 |
1935 |
--- a/drivers/target/target_core_tmr.c |
1936 |
@@ -37686,19 +37586,6 @@ index 443704f..92d3517 100644 |
1937 |
cmd->t_task_list_num) |
1938 |
cmd->transport_state |= CMD_T_SENT; |
1939 |
|
1940 |
-diff --git a/drivers/target/tcm_fc/tfc_cmd.c b/drivers/target/tcm_fc/tfc_cmd.c |
1941 |
-index a375f25..da90f64 100644 |
1942 |
---- a/drivers/target/tcm_fc/tfc_cmd.c |
1943 |
-+++ b/drivers/target/tcm_fc/tfc_cmd.c |
1944 |
-@@ -240,6 +240,8 @@ u32 ft_get_task_tag(struct se_cmd *se_cmd) |
1945 |
- { |
1946 |
- struct ft_cmd *cmd = container_of(se_cmd, struct ft_cmd, se_cmd); |
1947 |
- |
1948 |
-+ if (cmd->aborted) |
1949 |
-+ return ~0; |
1950 |
- return fc_seq_exch(cmd->seq)->rxid; |
1951 |
- } |
1952 |
- |
1953 |
diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c |
1954 |
index 3436436..772237b 100644 |
1955 |
--- a/drivers/tty/hvc/hvcs.c |
1956 |
@@ -43719,7 +43606,7 @@ index b2a34a1..162fa69 100644 |
1957 |
return rc; |
1958 |
} |
1959 |
diff --git a/fs/exec.c b/fs/exec.c |
1960 |
-index 29e5f84..8bfc7cb 100644 |
1961 |
+index 29e5f84..7acfbdb 100644 |
1962 |
--- a/fs/exec.c |
1963 |
+++ b/fs/exec.c |
1964 |
@@ -55,6 +55,15 @@ |
1965 |
@@ -44430,6 +44317,36 @@ index 29e5f84..8bfc7cb 100644 |
1966 |
static int zap_process(struct task_struct *start, int exit_code) |
1967 |
{ |
1968 |
struct task_struct *t; |
1969 |
+@@ -1980,17 +2356,17 @@ static void coredump_finish(struct mm_struct *mm) |
1970 |
+ void set_dumpable(struct mm_struct *mm, int value) |
1971 |
+ { |
1972 |
+ switch (value) { |
1973 |
+- case 0: |
1974 |
++ case SUID_DUMPABLE_DISABLED: |
1975 |
+ clear_bit(MMF_DUMPABLE, &mm->flags); |
1976 |
+ smp_wmb(); |
1977 |
+ clear_bit(MMF_DUMP_SECURELY, &mm->flags); |
1978 |
+ break; |
1979 |
+- case 1: |
1980 |
++ case SUID_DUMPABLE_ENABLED: |
1981 |
+ set_bit(MMF_DUMPABLE, &mm->flags); |
1982 |
+ smp_wmb(); |
1983 |
+ clear_bit(MMF_DUMP_SECURELY, &mm->flags); |
1984 |
+ break; |
1985 |
+- case 2: |
1986 |
++ case SUID_DUMPABLE_SAFE: |
1987 |
+ set_bit(MMF_DUMP_SECURELY, &mm->flags); |
1988 |
+ smp_wmb(); |
1989 |
+ set_bit(MMF_DUMPABLE, &mm->flags); |
1990 |
+@@ -2003,7 +2379,7 @@ static int __get_dumpable(unsigned long mm_flags) |
1991 |
+ int ret; |
1992 |
+ |
1993 |
+ ret = mm_flags & MMF_DUMPABLE_MASK; |
1994 |
+- return (ret >= 2) ? 2 : ret; |
1995 |
++ return (ret > SUID_DUMPABLE_ENABLED) ? SUID_DUMPABLE_SAFE : ret; |
1996 |
+ } |
1997 |
+ |
1998 |
+ int get_dumpable(struct mm_struct *mm) |
1999 |
@@ -2018,17 +2394,17 @@ static void wait_for_dump_helpers(struct file *file) |
2000 |
pipe = file->f_path.dentry->d_inode->i_pipe; |
2001 |
|
2002 |
@@ -44453,16 +44370,17 @@ index 29e5f84..8bfc7cb 100644 |
2003 |
pipe_unlock(pipe); |
2004 |
|
2005 |
} |
2006 |
-@@ -2089,7 +2465,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
2007 |
+@@ -2089,7 +2465,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
2008 |
int retval = 0; |
2009 |
int flag = 0; |
2010 |
int ispipe; |
2011 |
- static atomic_t core_dump_count = ATOMIC_INIT(0); |
2012 |
++ bool need_nonrelative = false; |
2013 |
+ static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0); |
2014 |
struct coredump_params cprm = { |
2015 |
.signr = signr, |
2016 |
.regs = regs, |
2017 |
-@@ -2104,6 +2480,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
2018 |
+@@ -2104,6 +2481,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
2019 |
|
2020 |
audit_core_dumps(signr); |
2021 |
|
2022 |
@@ -44472,7 +44390,28 @@ index 29e5f84..8bfc7cb 100644 |
2023 |
binfmt = mm->binfmt; |
2024 |
if (!binfmt || !binfmt->core_dump) |
2025 |
goto fail; |
2026 |
-@@ -2171,7 +2550,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
2027 |
+@@ -2114,14 +2494,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
2028 |
+ if (!cred) |
2029 |
+ goto fail; |
2030 |
+ /* |
2031 |
+- * We cannot trust fsuid as being the "true" uid of the |
2032 |
+- * process nor do we know its entire history. We only know it |
2033 |
+- * was tainted so we dump it as root in mode 2. |
2034 |
++ * We cannot trust fsuid as being the "true" uid of the process |
2035 |
++ * nor do we know its entire history. We only know it was tainted |
2036 |
++ * so we dump it as root in mode 2, and only into a controlled |
2037 |
++ * environment (pipe handler or fully qualified path). |
2038 |
+ */ |
2039 |
+- if (__get_dumpable(cprm.mm_flags) == 2) { |
2040 |
++ if (__get_dumpable(cprm.mm_flags) == SUID_DUMPABLE_SAFE) { |
2041 |
+ /* Setuid core dump mode */ |
2042 |
+ flag = O_EXCL; /* Stop rewrite attacks */ |
2043 |
+ cred->fsuid = 0; /* Dump root private */ |
2044 |
++ need_nonrelative = true; |
2045 |
+ } |
2046 |
+ |
2047 |
+ retval = coredump_wait(exit_code, &core_state); |
2048 |
+@@ -2171,7 +2553,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
2049 |
} |
2050 |
cprm.limit = RLIM_INFINITY; |
2051 |
|
2052 |
@@ -44481,7 +44420,7 @@ index 29e5f84..8bfc7cb 100644 |
2053 |
if (core_pipe_limit && (core_pipe_limit < dump_count)) { |
2054 |
printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", |
2055 |
task_tgid_vnr(current), current->comm); |
2056 |
-@@ -2198,6 +2577,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
2057 |
+@@ -2198,9 +2580,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
2058 |
} else { |
2059 |
struct inode *inode; |
2060 |
|
2061 |
@@ -44490,7 +44429,18 @@ index 29e5f84..8bfc7cb 100644 |
2062 |
if (cprm.limit < binfmt->min_coredump) |
2063 |
goto fail_unlock; |
2064 |
|
2065 |
-@@ -2241,7 +2622,7 @@ close_fail: |
2066 |
++ if (need_nonrelative && cn.corename[0] != '/') { |
2067 |
++ printk(KERN_WARNING "Pid %d(%s) can only dump core "\ |
2068 |
++ "to fully qualified path!\n", |
2069 |
++ task_tgid_vnr(current), current->comm); |
2070 |
++ printk(KERN_WARNING "Skipping core dump\n"); |
2071 |
++ goto fail_unlock; |
2072 |
++ } |
2073 |
++ |
2074 |
+ cprm.file = filp_open(cn.corename, |
2075 |
+ O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, |
2076 |
+ 0600); |
2077 |
+@@ -2241,7 +2633,7 @@ close_fail: |
2078 |
filp_close(cprm.file, NULL); |
2079 |
fail_dropcount: |
2080 |
if (ispipe) |
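Review bot: The two `printk(KERN_WARNING ...)` calls added under `if (need_nonrelative && cn.corename[0] != '/')` report one event as two log records, which output from other CPUs can separate. The `\` after the first string literal is also a leftover line continuation that does nothing outside a macro. One call is easier to match in log monitoring: `printk(KERN_WARNING "Pid %d(%s) can only dump core to fully qualified path, skipping core dump\n", task_tgid_vnr(current), current->comm);`. Because this branch is reached whenever a mode-2 process dumps under a relative `core_pattern`, a rate-limited printk may be worth considering so that repeated crashes cannot crowd out other warnings. do_coredump's body continues outside the hunk.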
2081 |
@@ -44499,7 +44449,7 @@ index 29e5f84..8bfc7cb 100644 |
2082 |
fail_unlock: |
2083 |
kfree(cn.corename); |
2084 |
fail_corename: |
2085 |
-@@ -2260,7 +2641,7 @@ fail: |
2086 |
+@@ -2260,7 +2652,7 @@ fail: |
2087 |
*/ |
2088 |
int dump_write(struct file *file, const void *addr, int nr) |
2089 |
{ |
2090 |
@@ -44587,18 +44537,6 @@ index 0e01e90..ae2bd5e 100644 |
2091 |
atomic_t s_lock_busy; |
2092 |
|
2093 |
/* locality groups */ |
2094 |
-diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c |
2095 |
-index 1365903..9727522 100644 |
2096 |
---- a/fs/ext4/ioctl.c |
2097 |
-+++ b/fs/ext4/ioctl.c |
2098 |
-@@ -261,7 +261,6 @@ group_extend_out: |
2099 |
- err = ext4_move_extents(filp, donor_filp, me.orig_start, |
2100 |
- me.donor_start, me.len, &me.moved_len); |
2101 |
- mnt_drop_write_file(filp); |
2102 |
-- mnt_drop_write(filp->f_path.mnt); |
2103 |
- |
2104 |
- if (copy_to_user((struct move_extent __user *)arg, |
2105 |
- &me, sizeof(me))) |
2106 |
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c |
2107 |
index 6b0a57e..1955a44 100644 |
2108 |
--- a/fs/ext4/mballoc.c |
2109 |
@@ -63021,7 +62959,7 @@ index fd07c45..4676b8e 100644 |
2110 |
static inline void anon_vma_merge(struct vm_area_struct *vma, |
2111 |
struct vm_area_struct *next) |
2112 |
diff --git a/include/linux/sched.h b/include/linux/sched.h |
2113 |
-index 7b06169..c92adbe 100644 |
2114 |
+index 7b06169..eb46ae3 100644 |
2115 |
--- a/include/linux/sched.h |
2116 |
+++ b/include/linux/sched.h |
2117 |
@@ -100,6 +100,7 @@ struct bio_list; |
2118 |
@@ -63046,7 +62984,19 @@ index 7b06169..c92adbe 100644 |
2119 |
extern void arch_pick_mmap_layout(struct mm_struct *mm); |
2120 |
extern unsigned long |
2121 |
arch_get_unmapped_area(struct file *, unsigned long, unsigned long, |
2122 |
-@@ -643,6 +647,17 @@ struct signal_struct { |
2123 |
+@@ -404,6 +408,11 @@ static inline void arch_pick_mmap_layout(struct mm_struct *mm) {} |
2124 |
+ extern void set_dumpable(struct mm_struct *mm, int value); |
2125 |
+ extern int get_dumpable(struct mm_struct *mm); |
2126 |
+ |
2127 |
++/* get/set_dumpable() values */ |
2128 |
++#define SUID_DUMPABLE_DISABLED 0 |
2129 |
++#define SUID_DUMPABLE_ENABLED 1 |
2130 |
++#define SUID_DUMPABLE_SAFE 2 |
2131 |
++ |
2132 |
+ /* mm flags */ |
2133 |
+ /* dumpable bits */ |
2134 |
+ #define MMF_DUMPABLE 0 /* core dump is permitted */ |
2135 |
+@@ -643,6 +652,17 @@ struct signal_struct { |
2136 |
#ifdef CONFIG_TASKSTATS |
2137 |
struct taskstats *stats; |
2138 |
#endif |
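Review bot: The three `SUID_DUMPABLE_*` constants added to sched.h are documented only as "get/set_dumpable() values", which leaves the security meaning of each mode to be looked up elsewhere. A short comment per value would help, for example `#define SUID_DUMPABLE_SAFE 2 /* dump as root; only to a pipe handler or fully qualified path */`, matching the comment this patch adds in do_coredump. An `enum` would also make the values visible to a debugger. `set_dumpable()` takes an `int`, so the macros work as written.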
2139 |
@@ -63064,7 +63014,7 @@ index 7b06169..c92adbe 100644 |
2140 |
#ifdef CONFIG_AUDIT |
2141 |
unsigned audit_tty; |
2142 |
struct tty_audit_buf *tty_audit_buf; |
2143 |
-@@ -726,6 +741,11 @@ struct user_struct { |
2144 |
+@@ -726,6 +746,11 @@ struct user_struct { |
2145 |
struct key *session_keyring; /* UID's default session keyring */ |
2146 |
#endif |
2147 |
|
2148 |
@@ -63076,7 +63026,7 @@ index 7b06169..c92adbe 100644 |
2149 |
/* Hash table maintenance information */ |
2150 |
struct hlist_node uidhash_node; |
2151 |
uid_t uid; |
2152 |
-@@ -1386,8 +1406,8 @@ struct task_struct { |
2153 |
+@@ -1386,8 +1411,8 @@ struct task_struct { |
2154 |
struct list_head thread_group; |
2155 |
|
2156 |
struct completion *vfork_done; /* for vfork() */ |
2157 |
@@ -63087,7 +63037,7 @@ index 7b06169..c92adbe 100644 |
2158 |
|
2159 |
cputime_t utime, stime, utimescaled, stimescaled; |
2160 |
cputime_t gtime; |
2161 |
-@@ -1403,13 +1423,6 @@ struct task_struct { |
2162 |
+@@ -1403,13 +1428,6 @@ struct task_struct { |
2163 |
struct task_cputime cputime_expires; |
2164 |
struct list_head cpu_timers[3]; |
2165 |
|
2166 |
@@ -63101,7 +63051,7 @@ index 7b06169..c92adbe 100644 |
2167 |
char comm[TASK_COMM_LEN]; /* executable name excluding path |
2168 |
- access with [gs]et_task_comm (which lock |
2169 |
it with task_lock()) |
2170 |
-@@ -1426,8 +1439,16 @@ struct task_struct { |
2171 |
+@@ -1426,8 +1444,16 @@ struct task_struct { |
2172 |
#endif |
2173 |
/* CPU-specific state of this task */ |
2174 |
struct thread_struct thread; |
2175 |
@@ -63118,7 +63068,7 @@ index 7b06169..c92adbe 100644 |
2176 |
/* open file information */ |
2177 |
struct files_struct *files; |
2178 |
/* namespaces */ |
2179 |
-@@ -1469,6 +1490,11 @@ struct task_struct { |
2180 |
+@@ -1469,6 +1495,11 @@ struct task_struct { |
2181 |
struct rt_mutex_waiter *pi_blocked_on; |
2182 |
#endif |
2183 |
|
2184 |
@@ -63130,7 +63080,7 @@ index 7b06169..c92adbe 100644 |
2185 |
#ifdef CONFIG_DEBUG_MUTEXES |
2186 |
/* mutex deadlock detection */ |
2187 |
struct mutex_waiter *blocked_on; |
2188 |
-@@ -1585,6 +1611,27 @@ struct task_struct { |
2189 |
+@@ -1585,6 +1616,27 @@ struct task_struct { |
2190 |
unsigned long default_timer_slack_ns; |
2191 |
|
2192 |
struct list_head *scm_work_list; |
2193 |
@@ -63158,7 +63108,7 @@ index 7b06169..c92adbe 100644 |
2194 |
#ifdef CONFIG_FUNCTION_GRAPH_TRACER |
2195 |
/* Index of current stored address in ret_stack */ |
2196 |
int curr_ret_stack; |
2197 |
-@@ -1619,6 +1666,51 @@ struct task_struct { |
2198 |
+@@ -1619,6 +1671,51 @@ struct task_struct { |
2199 |
#endif |
2200 |
}; |
2201 |
|
2202 |
@@ -63210,7 +63160,7 @@ index 7b06169..c92adbe 100644 |
2203 |
/* Future-safe accessor for struct task_struct's cpus_allowed. */ |
2204 |
#define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed) |
2205 |
|
2206 |
-@@ -2146,7 +2238,9 @@ void yield(void); |
2207 |
+@@ -2146,7 +2243,9 @@ void yield(void); |
2208 |
extern struct exec_domain default_exec_domain; |
2209 |
|
2210 |
union thread_union { |
2211 |
@@ -63220,7 +63170,7 @@ index 7b06169..c92adbe 100644 |
2212 |
unsigned long stack[THREAD_SIZE/sizeof(long)]; |
2213 |
}; |
2214 |
|
2215 |
-@@ -2179,6 +2273,7 @@ extern struct pid_namespace init_pid_ns; |
2216 |
+@@ -2179,6 +2278,7 @@ extern struct pid_namespace init_pid_ns; |
2217 |
*/ |
2218 |
|
2219 |
extern struct task_struct *find_task_by_vpid(pid_t nr); |
2220 |
@@ -63228,7 +63178,7 @@ index 7b06169..c92adbe 100644 |
2221 |
extern struct task_struct *find_task_by_pid_ns(pid_t nr, |
2222 |
struct pid_namespace *ns); |
2223 |
|
2224 |
-@@ -2322,7 +2417,7 @@ extern void __cleanup_sighand(struct sighand_struct *); |
2225 |
+@@ -2322,7 +2422,7 @@ extern void __cleanup_sighand(struct sighand_struct *); |
2226 |
extern void exit_itimers(struct signal_struct *); |
2227 |
extern void flush_itimer_signals(void); |
2228 |
|
2229 |
@@ -63237,7 +63187,7 @@ index 7b06169..c92adbe 100644 |
2230 |
|
2231 |
extern void daemonize(const char *, ...); |
2232 |
extern int allow_signal(int); |
2233 |
-@@ -2523,9 +2618,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) |
2234 |
+@@ -2523,9 +2623,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) |
2235 |
|
2236 |
#endif |
2237 |
|
2238 |
@@ -67683,10 +67633,25 @@ index a307cc9..27fd2e9 100644 |
2239 |
|
2240 |
/* set it to 0 if there are no waiters left: */ |
2241 |
diff --git a/kernel/panic.c b/kernel/panic.c |
2242 |
-index 9ed023b..e49543e 100644 |
2243 |
+index 9ed023b..4846159 100644 |
2244 |
--- a/kernel/panic.c |
2245 |
+++ b/kernel/panic.c |
2246 |
-@@ -402,7 +402,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller, |
2247 |
+@@ -75,6 +75,14 @@ void panic(const char *fmt, ...) |
2248 |
+ int state = 0; |
2249 |
+ |
2250 |
+ /* |
2251 |
++ * Disable local interrupts. This will prevent panic_smp_self_stop |
2252 |
++ * from deadlocking the first cpu that invokes the panic, since |
2253 |
++ * there is nothing to prevent an interrupt handler (that runs |
2254 |
++ * after the panic_lock is acquired) from invoking panic again. |
2255 |
++ */ |
2256 |
++ local_irq_disable(); |
2257 |
++ |
2258 |
++ /* |
2259 |
+ * It's possible to come here directly from a panic-assertion and |
2260 |
+ * not have preempt disabled. Some functions called from here want |
2261 |
+ * preempt to be disabled. No point enabling it later though... |
2262 |
+@@ -402,7 +410,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller, |
2263 |
const char *board; |
2264 |
|
2265 |
printk(KERN_WARNING "------------[ cut here ]------------\n"); |
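Review bot: Nothing in this hunk turns interrupts back on after the new `local_irq_disable();` at the top of panic(), so everything that follows in the function now runs with local interrupts off. The rest of panic() lies outside the hunk, so this is inferred rather than visible: any later step that depends on interrupt delivery on the panicking CPU (a delay or blink loop, keyboard-driven SysRq during the final wait) would stop working unless interrupts are re-enabled before it. I would extend the added comment with one sentence stating whether that is intended, for example `* Interrupts stay off for the rest of panic(); nothing below may rely on them.`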
2266 |
@@ -67695,7 +67660,7 @@ index 9ed023b..e49543e 100644 |
2267 |
board = dmi_get_system_info(DMI_PRODUCT_NAME); |
2268 |
if (board) |
2269 |
printk(KERN_WARNING "Hardware name: %s\n", board); |
2270 |
-@@ -457,7 +457,8 @@ EXPORT_SYMBOL(warn_slowpath_null); |
2271 |
+@@ -457,7 +465,8 @@ EXPORT_SYMBOL(warn_slowpath_null); |
2272 |
*/ |
2273 |
void __stack_chk_fail(void) |
2274 |
{ |
2275 |
@@ -69107,7 +69072,7 @@ index e7006eb..8fb7c51 100644 |
2276 |
break; |
2277 |
} |
2278 |
diff --git a/kernel/sysctl.c b/kernel/sysctl.c |
2279 |
-index 4ab1187..0b75ced 100644 |
2280 |
+index 4ab1187..33f4f2b 100644 |
2281 |
--- a/kernel/sysctl.c |
2282 |
+++ b/kernel/sysctl.c |
2283 |
@@ -91,7 +91,6 @@ |
2284 |
@@ -69118,7 +69083,7 @@ index 4ab1187..0b75ced 100644 |
2285 |
/* External variables not in a header file. */ |
2286 |
extern int sysctl_overcommit_memory; |
2287 |
extern int sysctl_overcommit_ratio; |
2288 |
-@@ -169,10 +168,8 @@ static int proc_taint(struct ctl_table *table, int write, |
2289 |
+@@ -169,10 +168,13 @@ static int proc_taint(struct ctl_table *table, int write, |
2290 |
void __user *buffer, size_t *lenp, loff_t *ppos); |
2291 |
#endif |
2292 |
|
2293 |
@@ -69126,10 +69091,15 @@ index 4ab1187..0b75ced 100644 |
2294 |
static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, |
2295 |
void __user *buffer, size_t *lenp, loff_t *ppos); |
2296 |
-#endif |
2297 |
++ |
2298 |
++static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write, |
2299 |
++ void __user *buffer, size_t *lenp, loff_t *ppos); |
2300 |
++static int proc_dostring_coredump(struct ctl_table *table, int write, |
2301 |
++ void __user *buffer, size_t *lenp, loff_t *ppos); |
2302 |
|
2303 |
#ifdef CONFIG_MAGIC_SYSRQ |
2304 |
/* Note: sysrq code uses it's own private copy */ |
2305 |
-@@ -196,6 +193,8 @@ static int sysrq_sysctl_handler(ctl_table *table, int write, |
2306 |
+@@ -196,6 +198,8 @@ static int sysrq_sysctl_handler(ctl_table *table, int write, |
2307 |
|
2308 |
#endif |
2309 |
|
2310 |
@@ -69138,7 +69108,7 @@ index 4ab1187..0b75ced 100644 |
2311 |
static struct ctl_table kern_table[]; |
2312 |
static struct ctl_table vm_table[]; |
2313 |
static struct ctl_table fs_table[]; |
2314 |
-@@ -210,6 +209,20 @@ extern struct ctl_table epoll_table[]; |
2315 |
+@@ -210,6 +214,20 @@ extern struct ctl_table epoll_table[]; |
2316 |
int sysctl_legacy_va_layout; |
2317 |
#endif |
2318 |
|
2319 |
@@ -69159,7 +69129,7 @@ index 4ab1187..0b75ced 100644 |
2320 |
/* The default sysctl tables: */ |
2321 |
|
2322 |
static struct ctl_table sysctl_base_table[] = { |
2323 |
-@@ -256,6 +269,22 @@ static int max_extfrag_threshold = 1000; |
2324 |
+@@ -256,6 +274,22 @@ static int max_extfrag_threshold = 1000; |
2325 |
#endif |
2326 |
|
2327 |
static struct ctl_table kern_table[] = { |
2328 |
@@ -69182,7 +69152,16 @@ index 4ab1187..0b75ced 100644 |
2329 |
{ |
2330 |
.procname = "sched_child_runs_first", |
2331 |
.data = &sysctl_sched_child_runs_first, |
2332 |
-@@ -540,7 +569,7 @@ static struct ctl_table kern_table[] = { |
2333 |
+@@ -410,7 +444,7 @@ static struct ctl_table kern_table[] = { |
2334 |
+ .data = core_pattern, |
2335 |
+ .maxlen = CORENAME_MAX_SIZE, |
2336 |
+ .mode = 0644, |
2337 |
+- .proc_handler = proc_dostring, |
2338 |
++ .proc_handler = proc_dostring_coredump, |
2339 |
+ }, |
2340 |
+ { |
2341 |
+ .procname = "core_pipe_limit", |
2342 |
+@@ -540,7 +574,7 @@ static struct ctl_table kern_table[] = { |
2343 |
.data = &modprobe_path, |
2344 |
.maxlen = KMOD_PATH_LEN, |
2345 |
.mode = 0644, |
2346 |
@@ -69191,7 +69170,7 @@ index 4ab1187..0b75ced 100644 |
2347 |
}, |
2348 |
{ |
2349 |
.procname = "modules_disabled", |
2350 |
-@@ -707,16 +736,20 @@ static struct ctl_table kern_table[] = { |
2351 |
+@@ -707,16 +741,20 @@ static struct ctl_table kern_table[] = { |
2352 |
.extra1 = &zero, |
2353 |
.extra2 = &one, |
2354 |
}, |
2355 |
@@ -69213,7 +69192,7 @@ index 4ab1187..0b75ced 100644 |
2356 |
{ |
2357 |
.procname = "ngroups_max", |
2358 |
.data = &ngroups_max, |
2359 |
-@@ -1215,6 +1248,13 @@ static struct ctl_table vm_table[] = { |
2360 |
+@@ -1215,6 +1253,13 @@ static struct ctl_table vm_table[] = { |
2361 |
.proc_handler = proc_dointvec_minmax, |
2362 |
.extra1 = &zero, |
2363 |
}, |
2364 |
@@ -69227,7 +69206,16 @@ index 4ab1187..0b75ced 100644 |
2365 |
#else |
2366 |
{ |
2367 |
.procname = "nr_trim_pages", |
2368 |
-@@ -1645,6 +1685,16 @@ int proc_dostring(struct ctl_table *table, int write, |
2369 |
+@@ -1498,7 +1543,7 @@ static struct ctl_table fs_table[] = { |
2370 |
+ .data = &suid_dumpable, |
2371 |
+ .maxlen = sizeof(int), |
2372 |
+ .mode = 0644, |
2373 |
+- .proc_handler = proc_dointvec_minmax, |
2374 |
++ .proc_handler = proc_dointvec_minmax_coredump, |
2375 |
+ .extra1 = &zero, |
2376 |
+ .extra2 = &two, |
2377 |
+ }, |
2378 |
+@@ -1645,6 +1690,16 @@ int proc_dostring(struct ctl_table *table, int write, |
2379 |
buffer, lenp, ppos); |
2380 |
} |
2381 |
|
2382 |
@@ -69244,7 +69232,7 @@ index 4ab1187..0b75ced 100644 |
2383 |
static size_t proc_skip_spaces(char **buf) |
2384 |
{ |
2385 |
size_t ret; |
2386 |
-@@ -1750,6 +1800,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val, |
2387 |
+@@ -1750,6 +1805,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val, |
2388 |
len = strlen(tmp); |
2389 |
if (len > *size) |
2390 |
len = *size; |
2391 |
@@ -69253,7 +69241,7 @@ index 4ab1187..0b75ced 100644 |
2392 |
if (copy_to_user(*buf, tmp, len)) |
2393 |
return -EFAULT; |
2394 |
*size -= len; |
2395 |
-@@ -1942,7 +1994,6 @@ static int proc_taint(struct ctl_table *table, int write, |
2396 |
+@@ -1942,7 +1999,6 @@ static int proc_taint(struct ctl_table *table, int write, |
2397 |
return err; |
2398 |
} |
2399 |
|
2400 |
@@ -69261,7 +69249,7 @@ index 4ab1187..0b75ced 100644 |
2401 |
static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, |
2402 |
void __user *buffer, size_t *lenp, loff_t *ppos) |
2403 |
{ |
2404 |
-@@ -1951,7 +2002,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, |
2405 |
+@@ -1951,7 +2007,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, |
2406 |
|
2407 |
return proc_dointvec_minmax(table, write, buffer, lenp, ppos); |
2408 |
} |
2409 |
@@ -69269,7 +69257,42 @@ index 4ab1187..0b75ced 100644 |
2410 |
|
2411 |
struct do_proc_dointvec_minmax_conv_param { |
2412 |
int *min; |
2413 |
-@@ -2066,8 +2116,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int |
2414 |
+@@ -2009,6 +2064,34 @@ int proc_dointvec_minmax(struct ctl_table *table, int write, |
2415 |
+ do_proc_dointvec_minmax_conv, ¶m); |
2416 |
+ } |
2417 |
+ |
2418 |
++static void validate_coredump_safety(void) |
2419 |
++{ |
2420 |
++ if (suid_dumpable == SUID_DUMPABLE_SAFE && |
2421 |
++ core_pattern[0] != '/' && core_pattern[0] != '|') { |
2422 |
++ printk(KERN_WARNING "Unsafe core_pattern used with "\ |
2423 |
++ "suid_dumpable=2. Pipe handler or fully qualified "\ |
2424 |
++ "core dump path required.\n"); |
2425 |
++ } |
2426 |
++} |
2427 |
++ |
2428 |
++static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write, |
2429 |
++ void __user *buffer, size_t *lenp, loff_t *ppos) |
2430 |
++{ |
2431 |
++ int error = proc_dointvec_minmax(table, write, buffer, lenp, ppos); |
2432 |
++ if (!error) |
2433 |
++ validate_coredump_safety(); |
2434 |
++ return error; |
2435 |
++} |
2436 |
++ |
2437 |
++static int proc_dostring_coredump(struct ctl_table *table, int write, |
2438 |
++ void __user *buffer, size_t *lenp, loff_t *ppos) |
2439 |
++{ |
2440 |
++ int error = proc_dostring(table, write, buffer, lenp, ppos); |
2441 |
++ if (!error) |
2442 |
++ validate_coredump_safety(); |
2443 |
++ return error; |
2444 |
++} |
2445 |
++ |
2446 |
+ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int write, |
2447 |
+ void __user *buffer, |
2448 |
+ size_t *lenp, loff_t *ppos, |
2449 |
+@@ -2066,8 +2149,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int |
2450 |
*i = val; |
2451 |
} else { |
2452 |
val = convdiv * (*i) / convmul; |
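Review bot: `proc_dointvec_minmax_coredump()` and `proc_dostring_coredump()` call `validate_coredump_safety()` whenever the underlying handler succeeds, without looking at `write`, so a plain read of either sysctl re-emits the KERN_WARNING for as long as the unsafe combination is configured. The two table entries wired to these handlers in the earlier hunks are `.mode = 0644`, so if they are world-readable under /proc/sys as that mode suggests, any local user can fill the kernel log this way. Gating the check on writes fixes it: `if (!error && write)` in both wrappers. The check also only warns and the unsafe value is still accepted, which may be intended but deserves a comment above `validate_coredump_safety()` saying so. The line-continuation backslashes after the string fragments in the printk are unnecessary.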
2453 |
@@ -69282,7 +69305,7 @@ index 4ab1187..0b75ced 100644 |
2454 |
err = proc_put_long(&buffer, &left, val, false); |
2455 |
if (err) |
2456 |
break; |
2457 |
-@@ -2459,6 +2512,12 @@ int proc_dostring(struct ctl_table *table, int write, |
2458 |
+@@ -2459,6 +2545,12 @@ int proc_dostring(struct ctl_table *table, int write, |
2459 |
return -ENOSYS; |
2460 |
} |
2461 |
|
2462 |
@@ -69295,7 +69318,7 @@ index 4ab1187..0b75ced 100644 |
2463 |
int proc_dointvec(struct ctl_table *table, int write, |
2464 |
void __user *buffer, size_t *lenp, loff_t *ppos) |
2465 |
{ |
2466 |
-@@ -2515,5 +2574,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax); |
2467 |
+@@ -2515,5 +2607,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax); |
2468 |
EXPORT_SYMBOL(proc_dointvec_userhz_jiffies); |
2469 |
EXPORT_SYMBOL(proc_dointvec_ms_jiffies); |
2470 |
EXPORT_SYMBOL(proc_dostring); |
2471 |
@@ -70067,7 +70090,7 @@ index 3ac50dc..240bb7e 100644 |
2472 |
static inline void *ptr_to_indirect(void *ptr) |
2473 |
{ |
2474 |
diff --git a/lib/vsprintf.c b/lib/vsprintf.c |
2475 |
-index abbabec..d5eba6c 100644 |
2476 |
+index abbabec..6779788 100644 |
2477 |
--- a/lib/vsprintf.c |
2478 |
+++ b/lib/vsprintf.c |
2479 |
@@ -16,6 +16,9 @@ |
2480 |
@@ -70110,21 +70133,8 @@ index abbabec..d5eba6c 100644 |
2481 |
* - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref] |
2482 |
* - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201] |
2483 |
* - 'M' For a 6-byte MAC address, it prints the address in the |
2484 |
-@@ -866,14 +875,25 @@ static noinline_for_stack |
2485 |
- char *pointer(const char *fmt, char *buf, char *end, void *ptr, |
2486 |
- struct printf_spec spec) |
2487 |
+@@ -868,12 +877,12 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, |
2488 |
{ |
2489 |
-+#ifdef CONFIG_GRKERNSEC_HIDESYM |
2490 |
-+ /* 'P' = approved pointers to copy to userland, |
2491 |
-+ as in the /proc/kallsyms case, as we make it display nothing |
2492 |
-+ for non-root users, and the real contents for root users |
2493 |
-+ */ |
2494 |
-+ if (ptr > TASK_SIZE && *fmt != 'P' && is_usercopy_object(buf)) { |
2495 |
-+ ptr = NULL; |
2496 |
-+ goto simple; |
2497 |
-+ } |
2498 |
-+#endif |
2499 |
-+ |
2500 |
if (!ptr && *fmt != 'K') { |
2501 |
/* |
2502 |
- * Print (null) with the same width as a pointer so it makes |
2503 |
@@ -70138,7 +70148,7 @@ index abbabec..d5eba6c 100644 |
2504 |
} |
2505 |
|
2506 |
switch (*fmt) { |
2507 |
-@@ -883,6 +903,13 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, |
2508 |
+@@ -883,6 +892,13 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, |
2509 |
/* Fallthrough */ |
2510 |
case 'S': |
2511 |
case 's': |
2512 |
@@ -70152,7 +70162,7 @@ index abbabec..d5eba6c 100644 |
2513 |
case 'B': |
2514 |
return symbol_string(buf, end, ptr, spec, *fmt); |
2515 |
case 'R': |
2516 |
-@@ -920,6 +947,8 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, |
2517 |
+@@ -920,12 +936,15 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, |
2518 |
va_end(va); |
2519 |
return buf; |
2520 |
} |
2521 |
@@ -70161,13 +70171,31 @@ index abbabec..d5eba6c 100644 |
2522 |
case 'K': |
2523 |
/* |
2524 |
* %pK cannot be used in IRQ context because its test |
2525 |
-@@ -942,6 +971,9 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, |
2526 |
+ * for CAP_SYSLOG would be meaningless. |
2527 |
+ */ |
2528 |
+- if (in_irq() || in_serving_softirq() || in_nmi()) { |
2529 |
++ if (kptr_restrict && (in_irq() || in_serving_softirq() || |
2530 |
++ in_nmi())) { |
2531 |
+ if (spec.field_width == -1) |
2532 |
+ spec.field_width = 2 * sizeof(void *); |
2533 |
+ return string(buf, end, "pK-error", spec); |
2534 |
+@@ -942,6 +961,19 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, |
2535 |
} |
2536 |
break; |
2537 |
} |
2538 |
++ |
2539 |
+#ifdef CONFIG_GRKERNSEC_HIDESYM |
2540 |
-+simple: |
2541 |
++ /* 'P' = approved pointers to copy to userland, |
2542 |
++ as in the /proc/kallsyms case, as we make it display nothing |
2543 |
++ for non-root users, and the real contents for root users |
2544 |
++ */ |
2545 |
++ if (ptr > TASK_SIZE && *fmt != 'P' && is_usercopy_object(buf)) { |
2546 |
++ printk(KERN_ALERT "grsec: kernel infoleak detected! Please report this log to spender@××××××××××.net.\n"); |
2547 |
++ dump_stack(); |
2548 |
++ ptr = NULL; |
2549 |
++ } |
2550 |
+#endif |
2551 |
++ |
2552 |
spec.flags |= SMALL; |
2553 |
if (spec.field_width == -1) { |
2554 |
spec.field_width = 2 * sizeof(void *); |
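Review bot: The relocated CONFIG_GRKERNSEC_HIDESYM block calls `printk(KERN_ALERT ...)` and `dump_stack()` every time it fires, with no rate limit, so one leaking format call that can be reached repeatedly would flood the log with alerts and stack traces. Guarding only the report with `if (printk_ratelimit()) { ... }` while still setting `ptr = NULL` unconditionally keeps the protection and bounds the noise. The test `ptr > TASK_SIZE` compares a `void *` with what is normally an integer expression; `(unsigned long)ptr > TASK_SIZE` states the intent and avoids a pointer/integer comparison warning. Because the block now sits after the `switch`, it is reached only by cases that `break`; whether the cases that return from inside the switch are covered cannot be seen from this hunk.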
2555 |
@@ -74470,22 +74498,6 @@ index 1196c77..2e608e8 100644 |
2556 |
if (!vas || !vms) |
2557 |
goto err_free2; |
2558 |
|
2559 |
-diff --git a/mm/vmscan.c b/mm/vmscan.c |
2560 |
-index 4607cc6..be5bc0a 100644 |
2561 |
---- a/mm/vmscan.c |
2562 |
-+++ b/mm/vmscan.c |
2563 |
-@@ -3013,7 +3013,10 @@ static void kswapd_try_to_sleep(pg_data_t *pgdat, int order, int classzone_idx) |
2564 |
- * them before going back to sleep. |
2565 |
- */ |
2566 |
- set_pgdat_percpu_threshold(pgdat, calculate_normal_threshold); |
2567 |
-- schedule(); |
2568 |
-+ |
2569 |
-+ if (!kthread_should_stop()) |
2570 |
-+ schedule(); |
2571 |
-+ |
2572 |
- set_pgdat_percpu_threshold(pgdat, calculate_pressure_threshold); |
2573 |
- } else { |
2574 |
- if (remaining) |
2575 |
diff --git a/mm/vmstat.c b/mm/vmstat.c |
2576 |
index 7db1b9b..e9f6b07 100644 |
2577 |
--- a/mm/vmstat.c |
2578 |
@@ -77207,6 +77219,27 @@ index 4503335..db566b4 100644 |
2579 |
} |
2580 |
#endif |
2581 |
|
2582 |
+diff --git a/net/rds/recv.c b/net/rds/recv.c |
2583 |
+index 5c6e9f1..9f0f17c 100644 |
2584 |
+--- a/net/rds/recv.c |
2585 |
++++ b/net/rds/recv.c |
2586 |
+@@ -410,6 +410,8 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, |
2587 |
+ |
2588 |
+ rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo); |
2589 |
+ |
2590 |
++ msg->msg_namelen = 0; |
2591 |
++ |
2592 |
+ if (msg_flags & MSG_OOB) |
2593 |
+ goto out; |
2594 |
+ |
2595 |
+@@ -485,6 +487,7 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, |
2596 |
+ sin->sin_port = inc->i_hdr.h_sport; |
2597 |
+ sin->sin_addr.s_addr = inc->i_saddr; |
2598 |
+ memset(sin->sin_zero, 0, sizeof(sin->sin_zero)); |
2599 |
++ msg->msg_namelen = sizeof(*sin); |
2600 |
+ } |
2601 |
+ break; |
2602 |
+ } |
2603 |
diff --git a/net/rds/tcp.c b/net/rds/tcp.c |
2604 |
index edac9ef..16bcb98 100644 |
2605 |
--- a/net/rds/tcp.c |
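Review bot: Neither of the two added `msg->msg_namelen` assignments in rds_recvmsg() carries a comment, and the reason for the early `msg->msg_namelen = 0;` is not obvious at the call site. Presumably it makes the paths that leave without filling `sin` (the `MSG_OOB` `goto out` directly below it, for one) report a zero-length address, so the caller does not hand address storage that was never written back to userspace. A one-line comment such as `/* no source address yet; set again once sin is filled in */` would keep a later cleanup from removing it. The function body starts and ends outside the hunk, so its other exit paths could not be checked.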
2606 |
@@ -78688,10 +78721,10 @@ index 5c11312..72742b5 100644 |
2607 |
write_hex_cnt = 0; |
2608 |
for (i = 0; i < logo_clutsize; i++) { |
2609 |
diff --git a/security/Kconfig b/security/Kconfig |
2610 |
-index ccc61f8..5e68d73 100644 |
2611 |
+index ccc61f8..0759500 100644 |
2612 |
--- a/security/Kconfig |
2613 |
+++ b/security/Kconfig |
2614 |
-@@ -4,6 +4,875 @@ |
2615 |
+@@ -4,6 +4,876 @@ |
2616 |
|
2617 |
menu "Security options" |
2618 |
|
2619 |
@@ -78723,6 +78756,7 @@ index ccc61f8..5e68d73 100644 |
2620 |
+ bool "Grsecurity" |
2621 |
+ select CRYPTO |
2622 |
+ select CRYPTO_SHA256 |
2623 |
++ select PROC_FS |
2624 |
+ select STOP_MACHINE |
2625 |
+ help |
2626 |
+ If you say Y here, you will be able to configure many features |
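Review bot: `select PROC_FS` forces procfs on without regard to that symbol's own prompt or dependencies, which the Kconfig language documentation discourages for symbols that have a prompt (assuming PROC_FS has one in this tree). If the intent is only that grsecurity needs /proc, `depends on PROC_FS` expresses it without overriding a choice made elsewhere; if forcing it is deliberate, a short comment next to the select, e.g. `# grsecurity interfaces are exposed through /proc`, would say why. The rest of the GRKERNSEC entry is outside the hunk.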
2627 |
@@ -79567,7 +79601,7 @@ index ccc61f8..5e68d73 100644 |
2628 |
config KEYS |
2629 |
bool "Enable access key retention support" |
2630 |
help |
2631 |
-@@ -169,7 +1038,7 @@ config INTEL_TXT |
2632 |
+@@ -169,7 +1039,7 @@ config INTEL_TXT |
2633 |
config LSM_MMAP_MIN_ADDR |
2634 |
int "Low address space for LSM to protect from user allocation" |
2635 |
depends on SECURITY && SECURITY_SELINUX |