
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 3.2.59/, 3.14.4/
Date: Thu, 29 May 2014 21:52:38
Message-Id: 1401400471.42f2ed22cb151c6a136a4d39d9e973d36ec5d99b.blueness@gentoo
1 commit: 42f2ed22cb151c6a136a4d39d9e973d36ec5d99b
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Thu May 29 21:54:31 2014 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Thu May 29 21:54:31 2014 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=42f2ed22
7
8 Grsec/PaX: 3.0-{3.2.59,3.14.4}-201405281922
9
10 ---
11 3.14.4/0000_README | 2 +-
12 ... 4420_grsecurity-3.0-3.14.4-201405281922.patch} | 13 ++---
13 3.14.4/4425_grsec_remove_EI_PAX.patch | 2 +-
14 3.14.4/4450_grsec-kconfig-default-gids.patch | 8 ++--
15 3.14.4/4475_emutramp_default_on.patch | 2 +-
16 3.2.59/0000_README | 2 +-
17 ... 4420_grsecurity-3.0-3.2.59-201405281920.patch} | 55 +++++++++++++---------
18 7 files changed, 47 insertions(+), 37 deletions(-)
19
20 diff --git a/3.14.4/0000_README b/3.14.4/0000_README
21 index 4203555..275b0d1 100644
22 --- a/3.14.4/0000_README
23 +++ b/3.14.4/0000_README
24 @@ -2,7 +2,7 @@ README
25 -----------------------------------------------------------------------------
26 Individual Patch Descriptions:
27 -----------------------------------------------------------------------------
28 -Patch: 4420_grsecurity-3.0-3.14.4-201405271114.patch
29 +Patch: 4420_grsecurity-3.0-3.14.4-201405281922.patch
30 From: http://www.grsecurity.net
31 Desc: hardened-sources base patch from upstream grsecurity
32
33
34 diff --git a/3.14.4/4420_grsecurity-3.0-3.14.4-201405271114.patch b/3.14.4/4420_grsecurity-3.0-3.14.4-201405281922.patch
35 similarity index 99%
36 rename from 3.14.4/4420_grsecurity-3.0-3.14.4-201405271114.patch
37 rename to 3.14.4/4420_grsecurity-3.0-3.14.4-201405281922.patch
38 index 3537db8..c9100d1 100644
39 --- a/3.14.4/4420_grsecurity-3.0-3.14.4-201405271114.patch
40 +++ b/3.14.4/4420_grsecurity-3.0-3.14.4-201405281922.patch
41 @@ -58838,7 +58838,7 @@ index e4141f2..d8263e8 100644
42 i += packet_length_size;
43 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
44 diff --git a/fs/exec.c b/fs/exec.c
45 -index 3d78fcc..cd4f983 100644
46 +index 3d78fcc..122929d 100644
47 --- a/fs/exec.c
48 +++ b/fs/exec.c
49 @@ -55,8 +55,20 @@
50 @@ -59329,7 +59329,7 @@ index 3d78fcc..cd4f983 100644
51 out:
52 if (bprm->mm) {
53 acct_arg_size(bprm, 0);
54 -@@ -1626,3 +1801,296 @@ asmlinkage long compat_sys_execve(const char __user * filename,
55 +@@ -1626,3 +1801,298 @@ asmlinkage long compat_sys_execve(const char __user * filename,
56 return compat_do_execve(getname(filename), argv, envp);
57 }
58 #endif
59 @@ -59613,6 +59613,8 @@ index 3d78fcc..cd4f983 100644
60 + if (sp < current_thread_info()->lowest_stack &&
61 + sp > (unsigned long)task_stack_page(current))
62 + current_thread_info()->lowest_stack = sp;
63 ++ if (unlikely((sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16)))
64 ++ BUG();
65 +}
66 +EXPORT_SYMBOL(pax_track_stack);
67 +#endif
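Review bot: The new guard `if (unlikely((sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16)))` cannot fire as written: masking `sp` with the complement of `THREAD_SIZE - 1` yields the THREAD_SIZE-aligned base of the current stack, a kernel virtual address that is never smaller than `THREAD_SIZE/16`, so the `BUG()` is unreachable. If the intent is to trap when fewer than THREAD_SIZE/16 bytes of stack remain (the stack grows down toward `task_stack_page()`, which the `lowest_stack` comparison just above also assumes), the offset within the stack is what must be tested: `if (unlikely((sp & (THREAD_SIZE - 1)) < (THREAD_SIZE/16)))`. That form presumes THREAD_SIZE-aligned stacks with thread_info at the bottom — as far as I can tell the layout this kernel series uses — and deserves a one-line comment saying so next to the check. The start of pax_track_stack, including where `sp` is taken, lies outside this hunk.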
68 @@ -104215,10 +104217,10 @@ index 8fac3fd..32ff38d 100644
69 unsigned int secindex_strings;
70
71 diff --git a/security/Kconfig b/security/Kconfig
72 -index beb86b5..55198cd 100644
73 +index beb86b5..1ea5a01 100644
74 --- a/security/Kconfig
75 +++ b/security/Kconfig
76 -@@ -4,6 +4,961 @@
77 +@@ -4,6 +4,960 @@
78
79 menu "Security options"
80
81 @@ -104255,7 +104257,6 @@ index beb86b5..55198cd 100644
82 + select TTY
83 + select DEBUG_KERNEL
84 + select DEBUG_LIST
85 -+ select DEBUG_STACKOVERFLOW if HAVE_DEBUG_STACKOVERFLOW
86 + help
87 + If you say Y here, you will be able to configure many features
88 + that will enhance the security of your system. It is highly
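Review bot: Removing `select DEBUG_STACKOVERFLOW if HAVE_DEBUG_STACKOVERFLOW` from GRKERNSEC silently changes what a fresh GRKERNSEC=y configuration gets: the IRQ-time near-overflow check that this patchset couples to gr_handle_kernel_exploit() under CONFIG_DEBUG_STACKOVERFLOW (visible in the 3.2.59 half of this commit) is now compiled only when the option is enabled by hand. If the intent is that the check added to pax_track_stack in this same update supersedes it, that only covers kernels built with PAX_MEMORY_STACKLEAK, so the two are not equivalent. A short Kconfig comment at the removal point would save the next reader a bisect, e.g. `# DEBUG_STACKOVERFLOW is no longer selected; enable it explicitly for the do_IRQ near-overflow check`. The GRKERNSEC entry extends above and below this hunk.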
89 @@ -105180,7 +105181,7 @@ index beb86b5..55198cd 100644
90 source security/keys/Kconfig
91
92 config SECURITY_DMESG_RESTRICT
93 -@@ -103,7 +1058,7 @@ config INTEL_TXT
94 +@@ -103,7 +1057,7 @@ config INTEL_TXT
95 config LSM_MMAP_MIN_ADDR
96 int "Low address space for LSM to protect from user allocation"
97 depends on SECURITY && SECURITY_SELINUX
98
99 diff --git a/3.14.4/4425_grsec_remove_EI_PAX.patch b/3.14.4/4425_grsec_remove_EI_PAX.patch
100 index 23631d1..fc51f79 100644
101 --- a/3.14.4/4425_grsec_remove_EI_PAX.patch
102 +++ b/3.14.4/4425_grsec_remove_EI_PAX.patch
103 @@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600
104 diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig
105 --- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500
106 +++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500
107 -@@ -269,7 +269,7 @@
108 +@@ -268,7 +268,7 @@
109
110 config PAX_EI_PAX
111 bool 'Use legacy ELF header marking'
112
113 diff --git a/3.14.4/4450_grsec-kconfig-default-gids.patch b/3.14.4/4450_grsec-kconfig-default-gids.patch
114 index a965a27..19a4285 100644
115 --- a/3.14.4/4450_grsec-kconfig-default-gids.patch
116 +++ b/3.14.4/4450_grsec-kconfig-default-gids.patch
117 @@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
118 diff -Nuar a/security/Kconfig b/security/Kconfig
119 --- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400
120 +++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400
121 -@@ -197,7 +197,7 @@
122 +@@ -196,7 +196,7 @@
123
124 config GRKERNSEC_PROC_GID
125 int "GID exempted from /proc restrictions"
126 @@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
127 help
128 Setting this GID determines which group will be exempted from
129 grsecurity's /proc restrictions, allowing users of the specified
130 -@@ -208,7 +208,7 @@
131 +@@ -207,7 +207,7 @@
132 config GRKERNSEC_TPE_UNTRUSTED_GID
133 int "GID for TPE-untrusted users"
134 depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
135 @@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
136 help
137 Setting this GID determines which group untrusted users should
138 be added to. These users will be placed under grsecurity's Trusted Path
139 -@@ -220,7 +220,7 @@
140 +@@ -219,7 +219,7 @@
141 config GRKERNSEC_TPE_TRUSTED_GID
142 int "GID for TPE-trusted users"
143 depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
144 @@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
145 help
146 Setting this GID determines what group TPE restrictions will be
147 *disabled* for. If the sysctl option is enabled, a sysctl option
148 -@@ -229,7 +229,7 @@
149 +@@ -228,7 +228,7 @@
150 config GRKERNSEC_SYMLINKOWN_GID
151 int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
152 depends on GRKERNSEC_CONFIG_SERVER
153
154 diff --git a/3.14.4/4475_emutramp_default_on.patch b/3.14.4/4475_emutramp_default_on.patch
155 index 2c704b9..a453a5b 100644
156 --- a/3.14.4/4475_emutramp_default_on.patch
157 +++ b/3.14.4/4475_emutramp_default_on.patch
158 @@ -10,7 +10,7 @@ See bug:
159 diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
160 --- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400
161 +++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400
162 -@@ -429,7 +429,7 @@
163 +@@ -428,7 +428,7 @@
164
165 config PAX_EMUTRAMP
166 bool "Emulate trampolines"
167
168 diff --git a/3.2.59/0000_README b/3.2.59/0000_README
169 index e328e8d..4d1e516 100644
170 --- a/3.2.59/0000_README
171 +++ b/3.2.59/0000_README
172 @@ -154,7 +154,7 @@ Patch: 1058_linux-3.2.59.patch
173 From: http://www.kernel.org
174 Desc: Linux 3.2.59
175
176 -Patch: 4420_grsecurity-3.0-3.2.59-201405252042.patch
177 +Patch: 4420_grsecurity-3.0-3.2.59-201405281920.patch
178 From: http://www.grsecurity.net
179 Desc: hardened-sources base patch from upstream grsecurity
180
181
182 diff --git a/3.2.59/4420_grsecurity-3.0-3.2.59-201405252042.patch b/3.2.59/4420_grsecurity-3.0-3.2.59-201405281920.patch
183 similarity index 99%
184 rename from 3.2.59/4420_grsecurity-3.0-3.2.59-201405252042.patch
185 rename to 3.2.59/4420_grsecurity-3.0-3.2.59-201405281920.patch
186 index a27bb43..ae61f08 100644
187 --- a/3.2.59/4420_grsecurity-3.0-3.2.59-201405252042.patch
188 +++ b/3.2.59/4420_grsecurity-3.0-3.2.59-201405281920.patch
189 @@ -21377,7 +21377,7 @@ index 7209070..ada4d63 100644
190 * Shouldn't happen, we returned above if in_interrupt():
191 */
192 diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
193 -index 69bca46..fe78277 100644
194 +index 69bca46..1ac9a15 100644
195 --- a/arch/x86/kernel/irq_64.c
196 +++ b/arch/x86/kernel/irq_64.c
197 @@ -26,6 +26,8 @@ EXPORT_PER_CPU_SYMBOL(irq_stat);
198 @@ -21389,7 +21389,7 @@ index 69bca46..fe78277 100644
199 /*
200 * Probabilistic stack overflow check:
201 *
202 -@@ -38,7 +40,7 @@ static inline void stack_overflow_check(struct pt_regs *regs)
203 +@@ -38,16 +40,16 @@ static inline void stack_overflow_check(struct pt_regs *regs)
204 #ifdef CONFIG_DEBUG_STACKOVERFLOW
205 u64 curbase = (u64)task_stack_page(current);
206
207 @@ -21397,11 +21397,19 @@ index 69bca46..fe78277 100644
208 + if (user_mode(regs))
209 return;
210
211 - WARN_ONCE(regs->sp >= curbase &&
212 -@@ -48,6 +50,7 @@ static inline void stack_overflow_check(struct pt_regs *regs)
213 -
214 - "do_IRQ: %s near stack overflow (cur:%Lx,sp:%lx)\n",
215 - current->comm, curbase, regs->sp);
216 +- WARN_ONCE(regs->sp >= curbase &&
217 +- regs->sp <= curbase + THREAD_SIZE &&
218 +- regs->sp < curbase + sizeof(struct thread_info) +
219 +- sizeof(struct pt_regs) + 128,
220 +-
221 +- "do_IRQ: %s near stack overflow (cur:%Lx,sp:%lx)\n",
222 +- current->comm, curbase, regs->sp);
223 ++ if (regs->sp >= curbase + sizeof(struct thread_info) +
224 ++ sizeof(struct pt_regs) + 128 &&
225 ++ regs->sp <= curbase + THREAD_SIZE)
226 ++ return;
227 ++ WARN_ONCE(1, "do_IRQ: %s near stack overflow (cur:%Lx,sp:%lx)\n",
228 ++ current->comm, curbase, regs->sp);
229 + gr_handle_kernel_exploit();
230 #endif
231 }
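Review bot: The rewritten test on the new side drops the `regs->sp >= curbase` lower bound that the removed WARN_ONCE condition had, so any interrupted kernel context whose sp is not on the current task's stack now warns and calls gr_handle_kernel_exploit(); on x86-64 that, as far as I can tell, includes an IRQ arriving while softirqs run on the per-cpu IRQ stack (interrupts are enabled there) and contexts on the IST exception stacks. The old condition fired only for sp inside the task stack but below the margin; the new one fires for everything outside the safe window, and if I recall the later upstream form of this function correctly it follows this same first test with explicit exemptions for the IRQ stack and the exception stacks, which this backport omits. Because gr_handle_kernel_exploit() treats the event as an exploit attempt rather than a mere warning, a false positive here is costly, so at least the IRQ-stack exemption should land with this change (sketch below; the exception-stack range via `orig_ist` would need the same treatment). Note that the security/Kconfig hunk in this same commit stops selecting DEBUG_STACKOVERFLOW, so this code is built only when a user enables that option explicitly, but it remains wrong when built.
```c
	u64 curbase = (u64)task_stack_page(current);
	u64 irq_stack_top, irq_stack_bottom;
	/* … unchanged: user_mode() early return and task-stack window test … */
	/* interrupted context may be on the per-cpu IRQ stack (e.g. softirqs) */
	irq_stack_top = (u64)__get_cpu_var(irq_stack_union.irq_stack) + 128;
	irq_stack_bottom = (u64)__get_cpu_var(irq_stack_ptr);
	if (regs->sp >= irq_stack_top && regs->sp <= irq_stack_bottom)
		return;
	/* … unchanged: WARN_ONCE(1, ...) and gr_handle_kernel_exploit() … */
```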
232 @@ -56716,7 +56724,7 @@ index 451b9b8..12e5a03 100644
233
234 out_free_fd:
235 diff --git a/fs/exec.c b/fs/exec.c
236 -index 78199eb..80dac79 100644
237 +index 78199eb..125722f 100644
238 --- a/fs/exec.c
239 +++ b/fs/exec.c
240 @@ -55,12 +55,35 @@
241 @@ -57329,7 +57337,7 @@ index 78199eb..80dac79 100644
242 cn->corename = kmalloc(cn->size, GFP_KERNEL);
243 cn->used = 0;
244
245 -@@ -1833,6 +2016,293 @@ out:
246 +@@ -1833,6 +2016,295 @@ out:
247 return ispipe;
248 }
249
250 @@ -57606,6 +57614,8 @@ index 78199eb..80dac79 100644
251 + if (sp < current_thread_info()->lowest_stack &&
252 + sp > (unsigned long)task_stack_page(current))
253 + current_thread_info()->lowest_stack = sp;
254 ++ if (unlikely((sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16)))
255 ++ BUG();
256 +}
257 +EXPORT_SYMBOL(pax_track_stack);
258 +#endif
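Review bot: The added `(sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16)` comparison is dead code: `~(THREAD_SIZE - 1)` keeps the high bits of `sp`, producing the aligned stack base, and a kernel address is never below `THREAD_SIZE/16`, so `BUG()` never runs. To detect "less than THREAD_SIZE/16 bytes left" on a stack that grows down toward `task_stack_page()` (the assumption the preceding `lowest_stack` update already makes), test the in-stack offset instead: `if (unlikely((sp & (THREAD_SIZE - 1)) < (THREAD_SIZE/16)))`. A comment stating that the check assumes THREAD_SIZE-aligned stacks with thread_info at the bottom would make the intent auditable. The function's opening lines, where `sp` is obtained, are outside this hunk.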
259 @@ -57623,7 +57633,7 @@ index 78199eb..80dac79 100644
260 static int zap_process(struct task_struct *start, int exit_code)
261 {
262 struct task_struct *t;
263 -@@ -2006,17 +2476,17 @@ static void coredump_finish(struct mm_struct *mm)
264 +@@ -2006,17 +2478,17 @@ static void coredump_finish(struct mm_struct *mm)
265 void set_dumpable(struct mm_struct *mm, int value)
266 {
267 switch (value) {
268 @@ -57644,7 +57654,7 @@ index 78199eb..80dac79 100644
269 set_bit(MMF_DUMP_SECURELY, &mm->flags);
270 smp_wmb();
271 set_bit(MMF_DUMPABLE, &mm->flags);
272 -@@ -2029,7 +2499,7 @@ static int __get_dumpable(unsigned long mm_flags)
273 +@@ -2029,7 +2501,7 @@ static int __get_dumpable(unsigned long mm_flags)
274 int ret;
275
276 ret = mm_flags & MMF_DUMPABLE_MASK;
277 @@ -57653,7 +57663,7 @@ index 78199eb..80dac79 100644
278 }
279
280 /*
281 -@@ -2050,17 +2520,17 @@ static void wait_for_dump_helpers(struct file *file)
282 +@@ -2050,17 +2522,17 @@ static void wait_for_dump_helpers(struct file *file)
283 pipe = file->f_path.dentry->d_inode->i_pipe;
284
285 pipe_lock(pipe);
286 @@ -57676,7 +57686,7 @@ index 78199eb..80dac79 100644
287 pipe_unlock(pipe);
288
289 }
290 -@@ -2121,7 +2591,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
291 +@@ -2121,7 +2593,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
292 int retval = 0;
293 int flag = 0;
294 int ispipe;
295 @@ -57686,7 +57696,7 @@ index 78199eb..80dac79 100644
296 struct coredump_params cprm = {
297 .signr = signr,
298 .regs = regs,
299 -@@ -2136,6 +2607,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
300 +@@ -2136,6 +2609,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
301
302 audit_core_dumps(signr);
303
304 @@ -57696,7 +57706,7 @@ index 78199eb..80dac79 100644
305 binfmt = mm->binfmt;
306 if (!binfmt || !binfmt->core_dump)
307 goto fail;
308 -@@ -2146,14 +2620,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
309 +@@ -2146,14 +2622,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
310 if (!cred)
311 goto fail;
312 /*
313 @@ -57717,7 +57727,7 @@ index 78199eb..80dac79 100644
314 }
315
316 retval = coredump_wait(exit_code, &core_state);
317 -@@ -2203,7 +2679,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
318 +@@ -2203,7 +2681,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
319 }
320 cprm.limit = RLIM_INFINITY;
321
322 @@ -57726,7 +57736,7 @@ index 78199eb..80dac79 100644
323 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
324 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
325 task_tgid_vnr(current), current->comm);
326 -@@ -2230,9 +2706,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
327 +@@ -2230,9 +2708,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
328 } else {
329 struct inode *inode;
330
331 @@ -57746,7 +57756,7 @@ index 78199eb..80dac79 100644
332 cprm.file = filp_open(cn.corename,
333 O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
334 0600);
335 -@@ -2273,7 +2759,7 @@ close_fail:
336 +@@ -2273,7 +2761,7 @@ close_fail:
337 filp_close(cprm.file, NULL);
338 fail_dropcount:
339 if (ispipe)
340 @@ -57755,7 +57765,7 @@ index 78199eb..80dac79 100644
341 fail_unlock:
342 kfree(cn.corename);
343 fail_corename:
344 -@@ -2292,7 +2778,7 @@ fail:
345 +@@ -2292,7 +2780,7 @@ fail:
346 */
347 int dump_write(struct file *file, const void *addr, int nr)
348 {
349 @@ -106824,10 +106834,10 @@ index 38f6617..e70b72b 100755
350
351 exuberant()
352 diff --git a/security/Kconfig b/security/Kconfig
353 -index 51bd5a0..f75fbf0 100644
354 +index 51bd5a0..d4191c5 100644
355 --- a/security/Kconfig
356 +++ b/security/Kconfig
357 -@@ -4,6 +4,956 @@
358 +@@ -4,6 +4,955 @@
359
360 menu "Security options"
361
362 @@ -106863,7 +106873,6 @@ index 51bd5a0..f75fbf0 100644
363 + select STOP_MACHINE
364 + select DEBUG_KERNEL
365 + select DEBUG_LIST
366 -+ select DEBUG_STACKOVERFLOW if HAVE_DEBUG_STACKOVERFLOW
367 + help
368 + If you say Y here, you will be able to configure many features
369 + that will enhance the security of your system. It is highly
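Review bot: Dropping `select DEBUG_STACKOVERFLOW if HAVE_DEBUG_STACKOVERFLOW` here interacts with the arch/x86/kernel/irq_64.c hunk earlier in this same file: that reworked near-overflow check and its gr_handle_kernel_exploit() call live under CONFIG_DEBUG_STACKOVERFLOW, so new GRKERNSEC configurations will no longer build it unless the option is chosen by hand, and nothing in the hunk records that this is intentional. If the pax_track_stack check added in this update is meant to replace it, that replacement is only present with PAX_MEMORY_STACKLEAK. A one-line note at the removal point, e.g. `# DEBUG_STACKOVERFLOW is intentionally not selected; enable it to get the do_IRQ near-overflow check`, would document the decision. The GRKERNSEC entry continues above and below this hunk.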
370 @@ -107784,7 +107793,7 @@ index 51bd5a0..f75fbf0 100644
371 config KEYS
372 bool "Enable access key retention support"
373 help
374 -@@ -169,7 +1119,7 @@ config INTEL_TXT
375 +@@ -169,7 +1118,7 @@ config INTEL_TXT
376 config LSM_MMAP_MIN_ADDR
377 int "Low address space for LSM to protect from user allocation"
378 depends on SECURITY && SECURITY_SELINUX