Grsec/PaX: 2.9.1-{2.6.32.60,3.2.38,3.7.6}-20130207193820130207

2 files changed, 63 insertions, 33 deletions

diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index ff482d8..b9830e4 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -34,7 +34,7 @@ Patch:	1059_linux-2.6.32.60.patch
 From:	http://www.kernel.org
 Desc:	Linux 2.6.32.59
 
-Patch:	4420_grsecurity-2.9.1-2.6.32.60-201301311809.patch
+Patch:	4420_grsecurity-2.9.1-2.6.32.60-201302071937.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301311809.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201302071937.patch
index c356f5e..ffae5a9 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301311809.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201302071937.patch
@@ -1417,7 +1417,7 @@ index ba8ccfe..2dc34dc 100644
  	.gdb_bpt_instr		= {0xfe, 0xde, 0xff, 0xe7}
  #else /* ! __ARMEB__ */
 diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
-index 61f90d3..771ab27 100644
+index 61f90d3..b1b8ab9 100644
 --- a/arch/arm/kernel/process.c
 +++ b/arch/arm/kernel/process.c
 @@ -83,7 +83,7 @@ static int __init hlt_setup(char *__unused)
@@ -1454,6 +1454,17 @@ index 61f90d3..771ab27 100644
  }
  
  void machine_restart(char *cmd)
+@@ -218,8 +220,8 @@ void __show_regs(struct pt_regs *regs)
+ 		smp_processor_id(), print_tainted(), init_utsname()->release,
+ 		(int)strcspn(init_utsname()->version, " "),
+ 		init_utsname()->version);
+-	print_symbol("PC is at %s\n", instruction_pointer(regs));
+-	print_symbol("LR is at %s\n", regs->ARM_lr);
++	printk("PC is at %pA\n", instruction_pointer(regs));
++	printk("LR is at %pA\n", regs->ARM_lr);
+ 	printk("pc : [<%08lx>]    lr : [<%08lx>]    psr: %08lx\n"
+ 	       "sp : %08lx  ip : %08lx  fp : %08lx\n",
+ 		regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr,
 diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
 index a2ea385..4783488 100644
 --- a/arch/arm/kernel/ptrace.c
@@ -1504,10 +1515,22 @@ index c6c57b6..8ec5c3f 100644
  
  struct stack {
 diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
-index 3f361a7..6e806e1 100644
+index 3f361a7..aa0d108 100644
 --- a/arch/arm/kernel/traps.c
 +++ b/arch/arm/kernel/traps.c
-@@ -247,6 +247,8 @@ static void __die(const char *str, int err, struct thread_info *thread, struct p
+@@ -50,10 +50,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long);
+ void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame)
+ {
+ #ifdef CONFIG_KALLSYMS
+-	char sym1[KSYM_SYMBOL_LEN], sym2[KSYM_SYMBOL_LEN];
+-	sprint_symbol(sym1, where);
+-	sprint_symbol(sym2, from);
+-	printk("[<%08lx>] (%s) from [<%08lx>] (%s)\n", where, sym1, from, sym2);
++	printk("[<%08lx>] (%pA) from [<%08lx>] (%pA)\n", where, (void *)where, from, (void *)from);
+ #else
+ 	printk("Function entered at [<%08lx>] from [<%08lx>]\n", where, from);
+ #endif
+@@ -247,6 +244,8 @@ static void __die(const char *str, int err, struct thread_info *thread, struct p
  
  DEFINE_SPINLOCK(die_lock);
  
@@ -1516,7 +1539,7 @@ index 3f361a7..6e806e1 100644
  /*
   * This function is protected against re-entrancy.
   */
-@@ -271,6 +273,8 @@ NORET_TYPE void die(const char *str, struct pt_regs *regs, int err)
+@@ -271,6 +270,8 @@ NORET_TYPE void die(const char *str, struct pt_regs *regs, int err)
  	if (panic_on_oops)
  		panic("Fatal exception");
  
@@ -26634,7 +26657,7 @@ index 61b41ca..5fef66a 100644
  		extern u32 pnp_bios_is_utter_crap;
  		pnp_bios_is_utter_crap = 1;
 diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
-index 249ad57..bbe82fd 100644
+index 249ad57..8d4b579 100644
 --- a/arch/x86/mm/fault.c
 +++ b/arch/x86/mm/fault.c
 @@ -11,10 +11,19 @@
@@ -26876,10 +26899,12 @@ index 249ad57..bbe82fd 100644
  	/* User mode accesses just cause a SIGSEGV */
  	if (error_code & PF_USER) {
  		/*
-@@ -720,6 +827,21 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
+@@ -720,12 +827,30 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
  		if (is_errata100(regs, address))
  			return;
  
+-		if (unlikely(show_unhandled_signals))
+-			show_signal_msg(regs, error_code, address, tsk);
 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
 +		if (pax_is_fetch_fault(regs, error_code, address)) {
 +
@@ -26894,11 +26919,21 @@ index 249ad57..bbe82fd 100644
 +			do_group_exit(SIGKILL);
 +		}
 +#endif
+ 
+ 		/* Kernel addresses are always protection faults: */
++		if (address >= TASK_SIZE)
++			error_code |= PF_PROT;
++
++		if (show_unhandled_signals)
++			show_signal_msg(regs, error_code, address, tsk);
 +
- 		if (unlikely(show_unhandled_signals))
- 			show_signal_msg(regs, error_code, address, tsk);
+ 		tsk->thread.cr2		= address;
+-		tsk->thread.error_code	= error_code | (address >= TASK_SIZE);
++		tsk->thread.error_code	= error_code;
+ 		tsk->thread.trap_no	= 14;
  
-@@ -816,7 +938,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
+ 		force_sig_info_fault(SIGSEGV, si_code, address, tsk);
+@@ -816,7 +941,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
  	if (fault & VM_FAULT_HWPOISON) {
  		printk(KERN_ERR
  	"MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
@@ -26907,7 +26942,7 @@ index 249ad57..bbe82fd 100644
  		code = BUS_MCEERR_AR;
  	}
  #endif
-@@ -855,6 +977,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte)
+@@ -855,6 +980,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte)
  	return 1;
  }
  
@@ -27007,7 +27042,7 @@ index 249ad57..bbe82fd 100644
  /*
   * Handle a spurious fault caused by a stale TLB entry.
   *
-@@ -921,6 +1136,9 @@ int show_unhandled_signals = 1;
+@@ -921,6 +1139,9 @@ int show_unhandled_signals = 1;
  static inline int
  access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
  {
@@ -27017,7 +27052,7 @@ index 249ad57..bbe82fd 100644
  	if (write) {
  		/* write, present and write, not present: */
  		if (unlikely(!(vma->vm_flags & VM_WRITE)))
-@@ -954,16 +1172,30 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
+@@ -954,16 +1175,30 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
  {
  	struct vm_area_struct *vma;
  	struct task_struct *tsk;
@@ -27053,7 +27088,7 @@ index 249ad57..bbe82fd 100644
  
  	/*
  	 * Detect and handle instructions that would cause a page fault for
-@@ -1024,7 +1256,7 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
+@@ -1024,7 +1259,7 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
  	 * User-mode registers count as a user access even for any
  	 * potential system fault or CPU buglet:
  	 */
@@ -27062,7 +27097,7 @@ index 249ad57..bbe82fd 100644
  		local_irq_enable();
  		error_code |= PF_USER;
  	} else {
-@@ -1078,6 +1310,11 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
+@@ -1078,6 +1313,11 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
  		might_sleep();
  	}
  
@@ -27074,7 +27109,7 @@ index 249ad57..bbe82fd 100644
  	vma = find_vma(mm, address);
  	if (unlikely(!vma)) {
  		bad_area(regs, error_code, address);
-@@ -1089,18 +1326,24 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
+@@ -1089,18 +1329,24 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
  		bad_area(regs, error_code, address);
  		return;
  	}
@@ -27110,7 +27145,7 @@ index 249ad57..bbe82fd 100644
  	if (unlikely(expand_stack(vma, address))) {
  		bad_area(regs, error_code, address);
  		return;
-@@ -1144,3 +1387,292 @@ good_area:
+@@ -1144,3 +1390,292 @@ good_area:
  
  	up_read(&mm->mmap_sem);
  }
@@ -91633,10 +91668,10 @@ index 0000000..bc0be01
 +}
 diff --git a/grsecurity/grsec_chroot.c b/grsecurity/grsec_chroot.c
 new file mode 100644
-index 0000000..197bdd5
+index 0000000..80a3a4b
 --- /dev/null
 +++ b/grsecurity/grsec_chroot.c
-@@ -0,0 +1,386 @@
+@@ -0,0 +1,375 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
@@ -91725,17 +91760,6 @@ index 0000000..197bdd5
 +}
 +
 +int
-+gr_handle_chroot_rawio(const struct inode *inode)
-+{
-+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
-+	if (grsec_enable_chroot_caps && proc_is_chrooted(current) && 
-+	    inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
-+		return 1;
-+#endif
-+	return 0;
-+}
-+
-+int
 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
 +{
 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
@@ -118094,10 +118118,10 @@ index d52f7a0..b66cdd9 100755
  		rm -f tags
  		xtags ctags
 diff --git a/security/Kconfig b/security/Kconfig
-index fb363cd..4cf6d28 100644
+index fb363cd..9fc4cfa 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
-@@ -4,6 +4,890 @@
+@@ -4,6 +4,896 @@
  
  menu "Security options"
  
@@ -118940,6 +118964,12 @@ index fb363cd..4cf6d28 100644
 +	  Since this has a negligible performance impact, you should enable
 +	  this feature.
 +
++
++config PAX_USERCOPY_DEBUG
++	bool
++	depends on X86 && PAX_USERCOPY
++	default n
++
 +config PAX_SIZE_OVERFLOW
 +	bool "Prevent various integer overflows in function size parameters"
 +	default y if GRKERNSEC_CONFIG_AUTO
@@ -118988,7 +119018,7 @@ index fb363cd..4cf6d28 100644
  config KEYS
  	bool "Enable access key retention support"
  	help
-@@ -146,7 +1030,7 @@ config INTEL_TXT
+@@ -146,7 +1036,7 @@ config INTEL_TXT
  config LSM_MMAP_MIN_ADDR
  	int "Low address space for LSM to protect from user allocation"
  	depends on SECURITY && SECURITY_SELINUX