Author: hawk                         Date: Fri Dec  5 23:42:52 2008 GMT
Module: SOURCES                       Tag: Titanium
---- Log message:
- 
http://www.grsecurity.net/~spender/grsecurity-2.1.12-2.6.27.7-200811291903.patch
  with localversion killed

---- Files affected:
SOURCES:
   linux-2.6-grsecurity.patch (1.1.2.29 -> 1.1.2.30) 

---- Diffs:

================================================================
Index: SOURCES/linux-2.6-grsecurity.patch
diff -u SOURCES/linux-2.6-grsecurity.patch:1.1.2.29 
SOURCES/linux-2.6-grsecurity.patch:1.1.2.30
--- SOURCES/linux-2.6-grsecurity.patch:1.1.2.29 Sat Nov 22 12:13:39 2008
+++ SOURCES/linux-2.6-grsecurity.patch  Sat Dec  6 00:42:46 2008
@@ -9718,7 +9718,7 @@
                pnp_bios_is_utter_crap = 1;
 diff -urNp linux-2.6.27.7/arch/x86/mm/fault.c 
linux-2.6.27.7/arch/x86/mm/fault.c
 --- linux-2.6.27.7/arch/x86/mm/fault.c 2008-11-07 12:55:34.000000000 -0500
-+++ linux-2.6.27.7/arch/x86/mm/fault.c 2008-11-18 03:38:44.000000000 -0500
++++ linux-2.6.27.7/arch/x86/mm/fault.c 2008-11-29 19:01:27.000000000 -0500
 @@ -26,6 +26,8 @@
  #include <linux/kprobes.h>
  #include <linux/uaccess.h>
@@ -9984,10 +9984,28 @@
        vma = find_vma(mm, address);
        if (!vma)
                goto bad_area;
-@@ -719,6 +863,12 @@ again:
-               if (address + 65536 + 32 * sizeof(unsigned long) < regs->sp)
-                       goto bad_area;
-       }
+@@ -709,16 +853,20 @@ again:
+               goto good_area;
+       if (!(vma->vm_flags & VM_GROWSDOWN))
+               goto bad_area;
+-      if (error_code & PF_USER) {
+-              /*
+-               * Accessing the stack below %sp is always a bug.
+-               * The large cushion allows instructions like enter
+-               * and pusha to work.  ("enter $65535,$31" pushes
+-               * 32 pointers and then decrements %sp by 65535.)
+-               */
+-              if (address + 65536 + 32 * sizeof(unsigned long) < regs->sp)
+-                      goto bad_area;
+-      }
++      /*
++       * Accessing the stack below %sp is always a bug.
++       * The large cushion allows instructions like enter
++       * and pusha to work.  ("enter $65535,$31" pushes
++       * 32 pointers and then decrements %sp by 65535.)
++       */
++      if (address + 65536 + 32 * sizeof(unsigned long) < regs->sp)
++              goto bad_area;
 +
 +#ifdef CONFIG_PAX_SEGMEXEC
 +      if ((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - 
SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)
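Review bot: With the `if (error_code & PF_USER)` wrapper dropped in the rewritten `@@ -709,16 +853,20 @@` inner hunk, the below-%sp test `address + 65536 + 32 * sizeof(unsigned long) < regs->sp` now also runs for faults taken in kernel mode, where `regs` describes the kernel context that faulted rather than the user stack pointer. A kernel-mode access that legitimately needs to grow a user stack would then be measured against the wrong value and could be routed to `bad_area`. If the cushion is meant to apply to every fault, comparing against the task's saved user-mode stack pointer would keep the check meaningful, e.g. `task_pt_regs(tsk)->sp`, assuming `tsk` is the faulting task as it is elsewhere in this file. The enclosing function starts and ends outside this hunk, so any earlier filtering of kernel-mode faults is not visible here.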
@@ -9997,7 +10015,7 @@
        if (expand_stack(vma, address))
                goto bad_area;
  /*
-@@ -728,6 +878,8 @@ again:
+@@ -728,6 +876,8 @@ again:
  good_area:
        si_code = SEGV_ACCERR;
        write = 0;
@@ -10006,7 +10024,7 @@
        switch (error_code & (PF_PROT|PF_WRITE)) {
        default:        /* 3: write, present */
                /* fall through */
-@@ -785,6 +937,54 @@ bad_area:
+@@ -785,6 +935,54 @@ bad_area:
        up_read(&mm->mmap_sem);
  
  bad_area_nosemaphore:
@@ -10061,7 +10079,7 @@
        /* User mode accesses just cause a SIGSEGV */
        if (error_code & PF_USER) {
                /*
-@@ -863,7 +1063,7 @@ no_context:
+@@ -863,7 +1061,7 @@ no_context:
  #ifdef CONFIG_X86_32
        die("Oops", regs, error_code);
        bust_spinlocks(0);
@@ -10070,7 +10088,7 @@
  #else
        if (__die("Oops", regs, error_code))
                regs = NULL;
-@@ -877,17 +1077,17 @@ no_context:
+@@ -877,17 +1075,17 @@ no_context:
   * us unable to handle the page fault gracefully.
   */
  out_of_memory:
@@ -10090,7 +10108,7 @@
        printk("VM: killing process %s\n", tsk->comm);
        if (error_code & PF_USER)
                do_group_exit(SIGKILL);
-@@ -959,3 +1159,174 @@ void vmalloc_sync_all(void)
+@@ -959,3 +1157,174 @@ void vmalloc_sync_all(void)
        }
  #endif
  }
@@ -31417,8 +31435,15 @@
   * Should always be manipulated under cpu_add_remove_lock
 diff -urNp linux-2.6.27.7/kernel/exit.c linux-2.6.27.7/kernel/exit.c
 --- linux-2.6.27.7/kernel/exit.c       2008-11-07 12:55:34.000000000 -0500
-+++ linux-2.6.27.7/kernel/exit.c       2008-11-18 11:34:28.000000000 -0500
-@@ -47,6 +47,11 @@
++++ linux-2.6.27.7/kernel/exit.c       2008-11-29 19:01:27.000000000 -0500
+@@ -40,13 +40,17 @@
+ #include <linux/cn_proc.h>
+ #include <linux/mutex.h>
+ #include <linux/futex.h>
+-#include <linux/compat.h>
+ #include <linux/pipe_fs_i.h>
+ #include <linux/audit.h> /* for audit_free() */
+ #include <linux/resource.h>
  #include <linux/blkdev.h>
  #include <linux/task_io_accounting_ops.h>
  #include <linux/tracehook.h>
@@ -31430,7 +31455,7 @@
  
  #include <asm/uaccess.h>
  #include <asm/unistd.h>
-@@ -133,7 +138,6 @@ static void __exit_signal(struct task_st
+@@ -133,7 +137,6 @@ static void __exit_signal(struct task_st
         * doing sigqueue_free() if we have SIGQUEUE_PREALLOC signals.
         */
        flush_sigqueue(&tsk->pending);
@@ -31438,7 +31463,7 @@
        tsk->signal = NULL;
        tsk->sighand = NULL;
        spin_unlock(&sighand->siglock);
-@@ -158,6 +162,8 @@ void release_task(struct task_struct * p
+@@ -158,6 +161,8 @@ void release_task(struct task_struct * p
        struct task_struct *leader;
        int zap_leader;
  repeat:
@@ -31447,7 +31472,7 @@
        tracehook_prepare_release_task(p);
        atomic_dec(&p->user->processes);
        proc_flush_task(p);
-@@ -321,11 +327,22 @@ static void reparent_to_kthreadd(void)
+@@ -321,11 +326,22 @@ static void reparent_to_kthreadd(void)
  {
        write_lock_irq(&tasklist_lock);
  
@@ -31470,7 +31495,7 @@
        /* Set the exit signal to SIGCHLD so we signal init on exit */
        current->exit_signal = SIGCHLD;
  
-@@ -419,6 +436,17 @@ void daemonize(const char *name, ...)
+@@ -419,6 +435,17 @@ void daemonize(const char *name, ...)
        vsnprintf(current->comm, sizeof(current->comm), name, args);
        va_end(args);
  
@@ -31488,7 +31513,22 @@
        /*
         * If we were started as result of loading a module, close all of the
         * user space pages.  We don't need them, and if we didn't close them
-@@ -1070,6 +1098,9 @@ NORET_TYPE void do_exit(long code)
+@@ -1054,14 +1081,6 @@ NORET_TYPE void do_exit(long code)
+               exit_itimers(tsk->signal);
+       }
+       acct_collect(code, group_dead);
+-#ifdef CONFIG_FUTEX
+-      if (unlikely(tsk->robust_list))
+-              exit_robust_list(tsk);
+-#ifdef CONFIG_COMPAT
+-      if (unlikely(tsk->compat_robust_list))
+-              compat_exit_robust_list(tsk);
+-#endif
+-#endif
+       if (group_dead)
+               tty_audit_exit();
+       if (unlikely(tsk->audit_context))
+@@ -1070,6 +1089,9 @@ NORET_TYPE void do_exit(long code)
        tsk->exit_code = code;
        taskstats_exit(tsk, group_dead);
  
@@ -31498,7 +31538,7 @@
        exit_mm(tsk);
  
        if (group_dead)
-@@ -1272,7 +1303,7 @@ static int wait_task_zombie(struct task_
+@@ -1272,7 +1294,7 @@ static int wait_task_zombie(struct task_
        if (unlikely(options & WNOWAIT)) {
                uid_t uid = p->uid;
                int exit_code = p->exit_code;
@@ -31509,8 +31549,16 @@
                read_unlock(&tasklist_lock);
 diff -urNp linux-2.6.27.7/kernel/fork.c linux-2.6.27.7/kernel/fork.c
 --- linux-2.6.27.7/kernel/fork.c       2008-11-07 12:55:34.000000000 -0500
-+++ linux-2.6.27.7/kernel/fork.c       2008-11-18 03:38:45.000000000 -0500
-@@ -58,6 +58,7 @@
++++ linux-2.6.27.7/kernel/fork.c       2008-11-29 19:01:27.000000000 -0500
+@@ -40,6 +40,7 @@
+ #include <linux/jiffies.h>
+ #include <linux/tracehook.h>
+ #include <linux/futex.h>
++#include <linux/compat.h>
+ #include <linux/task_io_accounting_ops.h>
+ #include <linux/rcupdate.h>
+ #include <linux/ptrace.h>
+@@ -58,6 +59,7 @@
  #include <linux/tty.h>
  #include <linux/proc_fs.h>
  #include <linux/blkdev.h>
@@ -31518,7 +31566,7 @@
  
  #include <asm/pgtable.h>
  #include <asm/pgalloc.h>
-@@ -234,7 +235,7 @@ static struct task_struct *dup_task_stru
+@@ -234,7 +236,7 @@ static struct task_struct *dup_task_stru
        setup_thread_stack(tsk, orig);
  
  #ifdef CONFIG_CC_STACKPROTECTOR
@@ -31527,7 +31575,7 @@
  #endif
  
        /* One for us, one for whoever does the "release_task()" (usually 
parent) */
-@@ -271,8 +272,8 @@ static int dup_mmap(struct mm_struct *mm
+@@ -271,8 +273,8 @@ static int dup_mmap(struct mm_struct *mm
        mm->locked_vm = 0;
        mm->mmap = NULL;
        mm->mmap_cache = NULL;
@@ -31538,7 +31586,7 @@
        mm->map_count = 0;
        cpus_clear(mm->cpu_vm_mask);
        mm->mm_rb = RB_ROOT;
-@@ -309,6 +310,7 @@ static int dup_mmap(struct mm_struct *mm
+@@ -309,6 +311,7 @@ static int dup_mmap(struct mm_struct *mm
                tmp->vm_flags &= ~VM_LOCKED;
                tmp->vm_mm = mm;
                tmp->vm_next = NULL;
@@ -31546,7 +31594,7 @@
                anon_vma_link(tmp);
                file = tmp->vm_file;
                if (file) {
-@@ -353,6 +355,31 @@ static int dup_mmap(struct mm_struct *mm
+@@ -353,6 +356,31 @@ static int dup_mmap(struct mm_struct *mm
                if (retval)
                        goto out;
        }
@@ -31578,7 +31626,24 @@
        /* a new mm has just been created */
        arch_dup_mmap(oldmm, mm);
        retval = 0;
-@@ -536,7 +563,7 @@ void mm_release(struct task_struct *tsk,
+@@ -518,6 +546,16 @@ void mm_release(struct task_struct *tsk,
+ {
+       struct completion *vfork_done = tsk->vfork_done;
+ 
++      /* Get rid of any futexes when releasing the mm */
++#ifdef CONFIG_FUTEX
++      if (unlikely(tsk->robust_list))
++              exit_robust_list(tsk);
++#ifdef CONFIG_COMPAT
++      if (unlikely(tsk->compat_robust_list))
++              compat_exit_robust_list(tsk);
++#endif
++#endif
++
+       /* Get rid of any cached register state */
+       deactivate_mm(tsk, mm);
+ 
+@@ -536,7 +574,7 @@ void mm_release(struct task_struct *tsk,
        if (tsk->clear_child_tid
            && !(tsk->flags & PF_SIGNALED)
            && atomic_read(&mm->mm_users) > 1) {
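Review bot: In the block added to `mm_release()`, `tsk->robust_list` and `tsk->compat_robust_list` still point into the address space being released after `exit_robust_list(tsk)` and `compat_exit_robust_list(tsk)` have run. If `mm_release()` is also reached on a path where the task carries on with a new mm (exec would be one; the callers are not visible in this hunk), the stale user pointer would be walked again at the next release, against unrelated memory. Clearing the pointer after each walk closes that: `if (unlikely(tsk->robust_list)) { exit_robust_list(tsk); tsk->robust_list = NULL; }`, and the same for the compat list. The matching removal from `do_exit()` is in the kernel/exit.c section, and `mm_release()` continues past this hunk.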
@@ -31587,7 +31652,7 @@
                tsk->clear_child_tid = NULL;
  
                /*
-@@ -544,7 +571,7 @@ void mm_release(struct task_struct *tsk,
+@@ -544,7 +582,7 @@ void mm_release(struct task_struct *tsk,
                 * not set up a proper pointer then tough luck.
                 */
                put_user(0, tidptr);
@@ -31596,7 +31661,7 @@
        }
  }
  
-@@ -939,6 +966,9 @@ static struct task_struct *copy_process(
+@@ -939,6 +977,9 @@ static struct task_struct *copy_process(
        DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
  #endif
        retval = -EAGAIN;
@@ -31606,7 +31671,7 @@
        if (atomic_read(&p->user->processes) >=
                        p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
                if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
-@@ -1105,6 +1135,8 @@ static struct task_struct *copy_process(
+@@ -1105,6 +1146,8 @@ static struct task_struct *copy_process(
                        goto bad_fork_free_pid;
        }
  
@@ -31615,7 +31680,7 @@
        p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : 
NULL;
        /*
         * Clear TID on mm_release()?
-@@ -1290,6 +1322,8 @@ bad_fork_cleanup_count:
+@@ -1290,6 +1333,8 @@ bad_fork_cleanup_count:
  bad_fork_free:
        free_task(p);
  fork_out:
@@ -31624,7 +31689,7 @@
        return ERR_PTR(retval);
  }
  
-@@ -1366,6 +1400,8 @@ long do_fork(unsigned long clone_flags,
+@@ -1366,6 +1411,8 @@ long do_fork(unsigned long clone_flags,
                if (clone_flags & CLONE_PARENT_SETTID)
                        put_user(nr, parent_tidptr);
  
@@ -33912,7 +33977,7 @@
                ret = do_mlockall(flags);
 diff -urNp linux-2.6.27.7/mm/mmap.c linux-2.6.27.7/mm/mmap.c
 --- linux-2.6.27.7/mm/mmap.c   2008-11-07 12:55:34.000000000 -0500
-+++ linux-2.6.27.7/mm/mmap.c   2008-11-18 03:38:45.000000000 -0500
++++ linux-2.6.27.7/mm/mmap.c   2008-11-29 19:01:27.000000000 -0500
 @@ -27,6 +27,7 @@
  #include <linux/mempolicy.h>
  #include <linux/rmap.h>
@@ -34466,7 +34531,7 @@
 +              BUG_ON(vma->vm_mirror);
 +              return NULL;
 +      }
-+      BUG_ON(vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < vma->vm_start - 
SEGMEXEC_TASK_SIZE - 1);
++      BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < 
vma->vm_end);
 +      vma_m = vma->vm_mirror;
 +      BUG_ON(!vma_m || vma_m->vm_mirror != vma);
 +      BUG_ON(vma->vm_file != vma_m->vm_file);
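Review bot: The rewritten `BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end)` is not equivalent to the unsigned-wraparound form it replaces. With `vma->vm_start == SEGMEXEC_TASK_SIZE` the old expression fired and the new one does not. That may well be intended if the early `return NULL` branch just above already handles vmas at or above the split, but that condition lies outside this hunk and should be confirmed. A one-line comment would record the invariant now being asserted, for example `/* a mirrored vma must not straddle SEGMEXEC_TASK_SIZE */`. The enclosing function starts before and ends after the lines shown.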
================================================================

---- CVS-web:
    
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/linux-2.6-grsecurity.patch?r1=1.1.2.29&r2=1.1.2.30&f=u
