commit:     2ba70c31916532781f96e738155b5be997778910
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Mon Feb  8 08:06:43 2016 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Feb  8 08:06:43 2016 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=2ba70c31

grsecurity-3.1-4.3.5-201602070910

 4.3.5/0000_README                                  |   2 +-
 ...> 4420_grsecurity-3.1-4.3.5-201602070910.patch} | 429 ++++++++++-----------
 2 files changed, 201 insertions(+), 230 deletions(-)

diff --git a/4.3.5/0000_README b/4.3.5/0000_README
index 3ec071f..40c470e 100644
--- a/4.3.5/0000_README
+++ b/4.3.5/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.3.5-201602032209.patch
+Patch: 4420_grsecurity-3.1-4.3.5-201602070910.patch
 From:  http://www.grsecurity.net
 Desc:  hardened-sources base patch from upstream grsecurity
 

diff --git a/4.3.5/4420_grsecurity-3.1-4.3.5-201602032209.patch 
b/4.3.5/4420_grsecurity-3.1-4.3.5-201602070910.patch
similarity index 99%
rename from 4.3.5/4420_grsecurity-3.1-4.3.5-201602032209.patch
rename to 4.3.5/4420_grsecurity-3.1-4.3.5-201602070910.patch
index 562e55c..e639b69 100644
--- a/4.3.5/4420_grsecurity-3.1-4.3.5-201602032209.patch
+++ b/4.3.5/4420_grsecurity-3.1-4.3.5-201602070910.patch
@@ -1048,10 +1048,18 @@ index 78c0621..94cd626 100644
          Counts number of I and D TLB Misses and exports them via Debugfs
          The counters can be cleared via Debugfs as well
 diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
-index 639411f..82e6320 100644
+index 639411f..d4b3233 100644
 --- a/arch/arm/Kconfig
 +++ b/arch/arm/Kconfig
-@@ -1785,7 +1785,7 @@ config ALIGNMENT_TRAP
+@@ -1708,6 +1708,7 @@ config HIGHPTE
+ config CPU_SW_DOMAIN_PAN
+       bool "Enable use of CPU domains to implement privileged no-access"
+       depends on MMU && !ARM_LPAE
++      depends on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
+       default y
+       help
+         Increase kernel security by ensuring that normal kernel accesses
+@@ -1785,7 +1786,7 @@ config ALIGNMENT_TRAP
  
  config UACCESS_WITH_MEMCPY
        bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()"
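Review bot: The new `depends on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF` on CPU_SW_DOMAIN_PAN gives no reason for the exclusion, and nothing in this file lets a reader work it out. The reason is visible elsewhere in the commit: asm/domain.h gives KERNEXEC/UDEREF their own `modify_domain()` that writes `thread->cpu_domain` and DACR, and asm/uaccess.h's `uaccess_save_and_enable()` takes the PAN path only when CPU_SW_DOMAIN_PAN is set, so the two schemes would otherwise fight over the same register. I would put `# PaX KERNEXEC/UDEREF drive the domain register themselves (asm/domain.h); the two schemes cannot coexist` directly above the new line. This only works cleanly because the `select CPU_SW_DOMAIN_PAN if ARM` is dropped from PAX_MEMORY_UDEREF in the same commit; a surviving select would override this `depends on` and merely warn.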
@@ -1060,7 +1068,7 @@ index 639411f..82e6320 100644
        default y if CPU_FEROCEON
        help
          Implement faster copy_to_user and clear_user methods for CPU
-@@ -2022,6 +2022,7 @@ config KEXEC
+@@ -2022,6 +2023,7 @@ config KEXEC
        depends on (!SMP || PM_SLEEP_SMP)
        depends on !CPU_V7M
        select KEXEC_CORE
@@ -1747,7 +1755,7 @@ index 0f84249..8e83c55 100644
  struct of_cpuidle_method {
        const char *method;
 diff --git a/arch/arm/include/asm/domain.h b/arch/arm/include/asm/domain.h
-index fc8ba16..8b84f53 100644
+index fc8ba16..0c20017 100644
 --- a/arch/arm/include/asm/domain.h
 +++ b/arch/arm/include/asm/domain.h
 @@ -42,7 +42,6 @@
@@ -1786,15 +1794,47 @@ index fc8ba16..8b84f53 100644
  
  #define domain_mask(dom)      ((3) << (2 * (dom)))
  #define domain_val(dom,type)  ((type) << (2 * (dom)))
-@@ -62,7 +79,7 @@
+@@ -62,13 +79,19 @@
  #define DACR_INIT \
        (domain_val(DOMAIN_USER, DOMAIN_NOACCESS) | \
         domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \
 -       domain_val(DOMAIN_IO, DOMAIN_CLIENT) | \
 +       domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT) | \
         domain_val(DOMAIN_VECTORS, DOMAIN_CLIENT))
++#elif CONFIG_PAX_MEMORY_UDEREF
++      /* DOMAIN_VECTORS is defined to DOMAIN_KERNEL */
++#define DACR_INIT \
++      (domain_val(DOMAIN_USER, DOMAIN_USERCLIENT) | \
++       domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \
++       domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT))
  #else
  #define DACR_INIT \
+-      (domain_val(DOMAIN_USER, DOMAIN_CLIENT) | \
++      (domain_val(DOMAIN_USER, DOMAIN_USERCLIENT) | \
+        domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \
+-       domain_val(DOMAIN_IO, DOMAIN_CLIENT) | \
++       domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT) | \
+        domain_val(DOMAIN_VECTORS, DOMAIN_CLIENT))
+ #endif
+ 
+@@ -113,6 +136,17 @@ static inline void set_domain(unsigned val)
+               set_domain(domain);                             \
+       } while (0)
+ 
++#elif defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
++#define modify_domain(dom,type)                                       \
++      do {                                                    \
++              struct thread_info *thread = current_thread_info(); \
++              unsigned int domain = get_domain();             \
++              domain &= ~domain_mask(dom);                    \
++              domain = domain | domain_val(dom, type);        \
++              thread->cpu_domain = domain;                    \
++              set_domain(domain);                             \
++      } while (0)
++
+ #else
+ static inline void modify_domain(unsigned dom, unsigned type) { }
+ #endif
 diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h
 index d2315ff..f60b47b 100644
 --- a/arch/arm/include/asm/elf.h
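Review bot: `#elif CONFIG_PAX_MEMORY_UDEREF` in the DACR_INIT chain tests a bare symbol, while the `modify_domain` branch added later in the same hunk writes `#elif defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)`; an undefined symbol evaluates to 0 so it happens to work, but it is exactly what `-Wundef` flags and it reads as if a value were being compared, so change it to `#elif defined(CONFIG_PAX_MEMORY_UDEREF)`. The `/* DOMAIN_VECTORS is defined to DOMAIN_KERNEL */` comment should also say what follows from it, e.g. `/* DOMAIN_VECTORS aliases DOMAIN_KERNEL under UDEREF, so it needs no separate domain_val() entry here */`, otherwise the reader wonders why this DACR_INIT has one term fewer than its neighbours. The new `modify_domain` macro stores to `thread->cpu_domain` before `set_domain()`; if that ordering is relied on by whatever reloads DACR from `cpu_domain` on a context switch (not visible here), a one-line comment saying so would save the next reader a trip into entry-armv.S.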
@@ -1830,61 +1870,17 @@ index de53547..52b9a28 100644
                (unsigned long)(dest_buf) + (size));                    \
                                                                        \
 diff --git a/arch/arm/include/asm/futex.h b/arch/arm/include/asm/futex.h
-index 6795368..b784325 100644
+index 6795368..6c4d749 100644
 --- a/arch/arm/include/asm/futex.h
 +++ b/arch/arm/include/asm/futex.h
-@@ -52,6 +52,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
-       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
-               return -EFAULT;
- 
-+      pax_open_userland();
-+
-       smp_mb();
-       /* Prefetching cannot fault */
-       prefetchw(uaddr);
-@@ -71,6 +73,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
-       uaccess_restore(__ua_flags);
-       smp_mb();
- 
-+      pax_close_userland();
-+
-       *uval = val;
-       return ret;
- }
-@@ -107,6 +111,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
+@@ -107,6 +107,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
                return -EFAULT;
  
        preempt_disable();
-+      pax_open_userland();
 +
        __ua_flags = uaccess_save_and_enable();
        __asm__ __volatile__("@futex_atomic_cmpxchg_inatomic\n"
        "1:     " TUSER(ldr) "  %1, [%4]\n"
-@@ -119,6 +125,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
-       : "cc", "memory");
-       uaccess_restore(__ua_flags);
- 
-+      pax_close_userland();
-+
-       *uval = val;
-       preempt_enable();
- 
-@@ -146,6 +154,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
-       preempt_disable();
- #endif
-       pagefault_disable();
-+      pax_open_userland();
- 
-       switch (op) {
-       case FUTEX_OP_SET:
-@@ -167,6 +176,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
-               ret = -ENOSYS;
-       }
- 
-+      pax_close_userland();
-       pagefault_enable();
- #ifndef CONFIG_SMP
-       preempt_enable();
 diff --git a/arch/arm/include/asm/kmap_types.h 
b/arch/arm/include/asm/kmap_types.h
 index 83eb2f7..ed77159 100644
 --- a/arch/arm/include/asm/kmap_types.h
@@ -2202,10 +2198,20 @@ index ef35665..d69146d 100644
  struct of_cpu_method {
        const char *method;
 diff --git a/arch/arm/include/asm/thread_info.h 
b/arch/arm/include/asm/thread_info.h
-index 776757d..5a598df 100644
+index 776757d..a552c1d 100644
 --- a/arch/arm/include/asm/thread_info.h
 +++ b/arch/arm/include/asm/thread_info.h
-@@ -143,6 +143,10 @@ extern int vfp_restore_user_hwstate(struct user_vfp 
__user *,
+@@ -73,6 +73,9 @@ struct thread_info {
+       .flags          = 0,                                            \
+       .preempt_count  = INIT_PREEMPT_COUNT,                           \
+       .addr_limit     = KERNEL_DS,                                    \
++      .cpu_domain     = domain_val(DOMAIN_USER, DOMAIN_USERCLIENT) |  \
++                        domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT) | \
++                        domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT),   \
+ }
+ 
+ #define init_thread_info      (init_thread_union.thread_info)
+@@ -143,6 +146,10 @@ extern int vfp_restore_user_hwstate(struct user_vfp 
__user *,
  #define TIF_SYSCALL_AUDIT     5       /* syscall auditing active */
  #define TIF_SYSCALL_TRACEPOINT        6       /* syscall tracepoint 
instrumentation */
  #define TIF_SECCOMP           7       /* seccomp syscall filtering active */
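Review bot: The new `.cpu_domain` initializer for the init thread pairs `.addr_limit = KERNEL_DS` with `domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT)`, whereas `set_fs()` in asm/uaccess.h maps KERNEL_DS (0) to `DOMAIN_MANAGER` and only a non-zero USER_DS to `DOMAIN_KERNELCLIENT`, and every DACR_INIT variant in asm/domain.h also starts DOMAIN_KERNEL as MANAGER. If the boot thread is deliberately kept in client mode until something calls `set_fs()` — plausible if KERNEXEC wants kernel text protected from the start — that intent should be written down; if not, this is the one place where the addr_limit/domain pairing disagrees with `set_fs()`. I would add above the initializer `/* Kernel domain starts as a client here, not MANAGER as DACR_INIT/set_fs(KERNEL_DS) give; KERNEXEC relies on this — TODO confirm */`, or align the value with `set_fs()`. As far as the hunk shows the initializer is unconditional, so it also applies to builds without KERNEXEC/UDEREF; say whether that is intended.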
@@ -2216,7 +2222,7 @@ index 776757d..5a598df 100644
  
  #define TIF_NOHZ              12      /* in adaptive nohz mode */
  #define TIF_USING_IWMMXT      17
-@@ -158,10 +162,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp 
__user *,
+@@ -158,10 +165,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp 
__user *,
  #define _TIF_SYSCALL_TRACEPOINT       (1 << TIF_SYSCALL_TRACEPOINT)
  #define _TIF_SECCOMP          (1 << TIF_SECCOMP)
  #define _TIF_USING_IWMMXT     (1 << TIF_USING_IWMMXT)
@@ -2252,7 +2258,7 @@ index 5f833f7..76e6644 100644
                }
  
 diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
-index 8cc85a4..5f24fe2 100644
+index 8cc85a4..28c2880 100644
 --- a/arch/arm/include/asm/uaccess.h
 +++ b/arch/arm/include/asm/uaccess.h
 @@ -18,6 +18,7 @@
@@ -2263,16 +2269,35 @@ index 8cc85a4..5f24fe2 100644
  
  #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
  #include <asm-generic/uaccess-unaligned.h>
-@@ -99,11 +100,38 @@ extern int __put_user_bad(void);
- static inline void set_fs(mm_segment_t fs)
- {
-       current_thread_info()->addr_limit = fs;
--      modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER);
-+      modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_KERNELCLIENT : DOMAIN_MANAGER);
- }
- 
- #define segment_eq(a, b)      ((a) == (b))
+@@ -50,6 +51,59 @@ struct exception_table_entry
+ extern int fixup_exception(struct pt_regs *regs);
  
+ /*
++ * These two are intentionally not defined anywhere - if the kernel
++ * code generates any references to them, that's a bug.
++ */
++extern int __get_user_bad(void);
++extern int __put_user_bad(void);
++
++/*
++ * Note that this is actually 0x1,0000,0000
++ */
++#define KERNEL_DS     0x00000000
++#define get_ds()      (KERNEL_DS)
++
++#ifdef CONFIG_MMU
++
++#define USER_DS               TASK_SIZE
++#define get_fs()      (current_thread_info()->addr_limit)
++
++static inline void set_fs(mm_segment_t fs)
++{
++      current_thread_info()->addr_limit = fs;
++      modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_KERNELCLIENT : DOMAIN_MANAGER);
++}
++
++#define segment_eq(a, b)      ((a) == (b))
++
 +#define __HAVE_ARCH_PAX_OPEN_USERLAND
 +#define __HAVE_ARCH_PAX_CLOSE_USERLAND
 +
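Review bot: Moving `KERNEL_DS`/`set_fs()`/`segment_eq()` ahead of `pax_open_userland()` is needed because those helpers use them, but the `#ifdef CONFIG_MMU` that opens the moved block now also sits above `uaccess_save_and_enable()` and `uaccess_restore()`, while the matching `#endif /* CONFIG_MMU */` stays where it was (new line ~333, visible as context in the next hunk). Unless the `#else /* CONFIG_MMU */` branch, which is outside this hunk, supplies stand-ins, those two helpers are no longer defined for !MMU builds, and callers such as the `__ua_flags = uaccess_save_and_enable();` seen in the futex.h hunk would fail to compile there; upstream keeps them unconditional for exactly that reason. I would close the moved block's `#ifdef CONFIG_MMU` right after `pax_close_userland()`, add an `#else` arm that defines the two pax helpers as empty inlines, and let the original `#ifdef CONFIG_MMU` reopen before `__addr_ok()`; at minimum, a comment above `uaccess_save_and_enable()` stating that MMU is assumed. A diff of the generated header against upstream uaccess.h is the quickest way to confirm the final `#if` nesting.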
@@ -2300,38 +2325,57 @@ index 8cc85a4..5f24fe2 100644
 +
 +}
 +
++/*
+  * These two functions allow hooking accesses to userspace to increase
+  * system integrity by ensuring that the kernel can not inadvertantly
+  * perform such accesses (eg, via list poison values) which could then
+@@ -66,6 +120,7 @@ static inline unsigned int uaccess_save_and_enable(void)
+ 
+       return old_domain;
+ #else
++      pax_open_userland();
+       return 0;
+ #endif
+ }
+@@ -75,35 +130,11 @@ static inline void uaccess_restore(unsigned int flags)
+ #ifdef CONFIG_CPU_SW_DOMAIN_PAN
+       /* Restore the user access mask */
+       set_domain(flags);
++#else
++      pax_close_userland();
+ #endif
+ }
+ 
+-/*
+- * These two are intentionally not defined anywhere - if the kernel
+- * code generates any references to them, that's a bug.
+- */
+-extern int __get_user_bad(void);
+-extern int __put_user_bad(void);
+-
+-/*
+- * Note that this is actually 0x1,0000,0000
+- */
+-#define KERNEL_DS     0x00000000
+-#define get_ds()      (KERNEL_DS)
+-
+-#ifdef CONFIG_MMU
+-
+-#define USER_DS               TASK_SIZE
+-#define get_fs()      (current_thread_info()->addr_limit)
+-
+-static inline void set_fs(mm_segment_t fs)
+-{
+-      current_thread_info()->addr_limit = fs;
+-      modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER);
+-}
+-
+-#define segment_eq(a, b)      ((a) == (b))
+-
  #define __addr_ok(addr) ({ \
        unsigned long flag; \
        __asm__("cmp %2, %0; movlo %0, #0" \
-@@ -229,8 +257,12 @@ extern int __get_user_64t_4(void *);
- 
- #define get_user(x, p)                                                        
\
-       ({                                                              \
-+              int __e;                                                \
-               might_fault();                                          \
--              __get_user_check(x, p);                                 \
-+              pax_open_userland();                                    \
-+              __e = __get_user_check((x), (p));                       \
-+              pax_close_userland();                                   \
-+              __e;                                                    \
-        })
- 
- extern int __put_user_1(void *, unsigned int);
-@@ -277,8 +309,12 @@ extern int __put_user_8(void *, unsigned long long);
- 
- #define put_user(x, p)                                                        
\
-       ({                                                              \
-+              int __e;                                                \
-               might_fault();                                          \
--              __put_user_check(x, p);                                 \
-+              pax_open_userland();                                    \
-+              __e = __put_user_check((x), (p));                       \
-+              pax_close_userland();                                   \
-+              __e;                                                    \
-        })
- 
- #else /* CONFIG_MMU */
-@@ -302,6 +338,7 @@ static inline void set_fs(mm_segment_t fs)
+@@ -302,6 +333,7 @@ static inline void set_fs(mm_segment_t fs)
  
  #endif /* CONFIG_MMU */
  
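Review bot: The `#else` arms that now call `pax_open_userland()` / `pax_close_userland()` in `uaccess_save_and_enable()` and `uaccess_restore()` run for every non-CPU_SW_DOMAIN_PAN build, not just UDEREF ones, and nothing at the call site says that they are empty unless UDEREF is on or that the arch/arm/Kconfig change in this commit is what makes PAN and the PaX hooks mutually exclusive. Add `/* !CPU_SW_DOMAIN_PAN: KERNEXEC/UDEREF exclude PAN in Kconfig, so this is the UDEREF path (empty when UDEREF is off) */` above the `pax_open_userland();` call. Note also that `uaccess_restore()` ignores `flags` on this path, so the pair is not nest-safe in the way the PAN arm's save/restore of the old DACR is: if an outer region were already open when the inner `uaccess_restore()` runs, the inner close would shut userland access for the outer region too. Whether any caller nests these helpers I cannot tell from here, but a `/* not nestable on the UDEREF path */` remark on the function would make the contract explicit.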
@@ -2339,43 +2383,7 @@ index 8cc85a4..5f24fe2 100644
  #define access_ok(type, addr, size)   (__range_ok(addr, size) == 0)
  
  #define user_addr_max() \
-@@ -319,13 +356,17 @@ static inline void set_fs(mm_segment_t fs)
- #define __get_user(x, ptr)                                            \
- ({                                                                    \
-       long __gu_err = 0;                                              \
-+      pax_open_userland();                                            \
-       __get_user_err((x), (ptr), __gu_err);                           \
-+      pax_close_userland();                                           \
-       __gu_err;                                                       \
- })
- 
- #define __get_user_error(x, ptr, err)                                 \
- ({                                                                    \
-+      pax_open_userland();                                            \
-       __get_user_err((x), (ptr), err);                                \
-+      pax_close_userland();                                           \
-       (void) 0;                                                       \
- })
- 
-@@ -392,13 +433,17 @@ do {                                                     
                \
- #define __put_user(x, ptr)                                            \
- ({                                                                    \
-       long __pu_err = 0;                                              \
-+      pax_open_userland();                                            \
-       __put_user_err((x), (ptr), __pu_err);                           \
-+      pax_close_userland();                                           \
-       __pu_err;                                                       \
- })
- 
- #define __put_user_error(x, ptr, err)                                 \
- ({                                                                    \
-+      pax_open_userland();                                            \
-       __put_user_err((x), (ptr), err);                                \
-+      pax_close_userland();                                           \
-       (void) 0;                                                       \
- })
- 
-@@ -490,35 +535,41 @@ do {                                                     
                \
+@@ -490,35 +522,41 @@ do {                                                     
                \
  
  
  #ifdef CONFIG_MMU
@@ -2425,7 +2433,7 @@ index 8cc85a4..5f24fe2 100644
  __clear_user_std(void __user *addr, unsigned long n);
  
  static inline unsigned long __must_check
-@@ -538,6 +589,9 @@ __clear_user(void __user *addr, unsigned long n)
+@@ -538,6 +576,9 @@ __clear_user(void __user *addr, unsigned long n)
  
  static inline unsigned long __must_check copy_from_user(void *to, const void 
__user *from, unsigned long n)
  {
@@ -2435,7 +2443,7 @@ index 8cc85a4..5f24fe2 100644
        if (access_ok(VERIFY_READ, from, n))
                n = __copy_from_user(to, from, n);
        else /* security hole - plug it */
-@@ -547,6 +601,9 @@ static inline unsigned long __must_check 
copy_from_user(void *to, const void __u
+@@ -547,6 +588,9 @@ static inline unsigned long __must_check 
copy_from_user(void *to, const void __u
  
  static inline unsigned long __must_check copy_to_user(void __user *to, const 
void *from, unsigned long n)
  {
@@ -2485,7 +2493,7 @@ index 318da33..373689f 100644
  /**
   * arm_cpuidle_simple_enter() - a wrapper to cpu_do_idle()
 diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
-index 3e1c26e..9ea61e6 100644
+index 3e1c26e..97a5f9e 100644
 --- a/arch/arm/kernel/entry-armv.S
 +++ b/arch/arm/kernel/entry-armv.S
 @@ -50,6 +50,87 @@
@@ -2608,7 +2616,7 @@ index 3e1c26e..9ea61e6 100644
        mov     r6, #-1                 @  ""  ""      ""       ""
 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
 +      @ offset sp by 8 as done in pax_enter_kernel
-+      add     r2, sp, #(S_FRAME_SIZE + \stack_hole + 4)
++      add     r2, sp, #(S_FRAME_SIZE + 8 + \stack_hole + 4)
 +#else
        add     r2, sp, #(S_FRAME_SIZE + 8 + \stack_hole - 4)
 +#endif
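Review bot: The corrected `add r2, sp, #(S_FRAME_SIZE + 8 + \stack_hole + 4)` is exactly 8 more than the non-PaX expression on the `#else` arm, and `@ offset sp by 8 as done in pax_enter_kernel` is the only hint why; a reader has to subtract the two arms to see that it means "the PaX entry frame is 8 bytes deeper, so the pre-exception sp is 8 bytes higher". I would tie the comment to the other arm explicitly: `@ pax_enter_kernel pushed 8 extra bytes below the frame, so the pre-exception sp is (S_FRAME_SIZE + 8 + \stack_hole - 4) + 8`. Since r2 here appears to be the value later stored as the exception-time sp in pt_regs (the `svc_entry` macro this sits in starts and ends outside the hunk), an off-by-8 corrupts the saved stack pointer silently rather than crashing, which is why the previous value went unnoticed and why this arithmetic deserves a line that makes it checkable.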
@@ -2956,7 +2964,7 @@ index 69bda1a..755113a 100644
        if (waddr != addr) {
                flush_kernel_vmap_range(waddr, twopage ? size / 2 : size);
 diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
-index 7a7c4ce..bc91093 100644
+index 7a7c4ce..f0de3eb 100644
 --- a/arch/arm/kernel/process.c
 +++ b/arch/arm/kernel/process.c
 @@ -98,8 +98,8 @@ void __show_regs(struct pt_regs *regs)
@@ -2970,6 +2978,15 @@ index 7a7c4ce..bc91093 100644
        printk("pc : [<%08lx>]    lr : [<%08lx>]    psr: %08lx\n"
               "sp : %08lx  ip : %08lx  fp : %08lx\n",
                regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr,
+@@ -226,7 +226,7 @@ copy_thread(unsigned long clone_flags, unsigned long 
stack_start,
+ 
+       memset(&thread->cpu_context, 0, sizeof(struct cpu_context_save));
+ 
+-#ifdef CONFIG_CPU_USE_DOMAINS
++#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || 
defined(CONFIG_PAX_MEMORY_UDEREF)
+       /*
+        * Copy the initial value of the domain access control register
+        * from the current thread: thread->addr_limit will have been
 @@ -309,12 +309,6 @@ unsigned long get_wchan(struct task_struct *p)
        return 0;
  }
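Review bot: The `#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)` guard in `copy_thread()` repeats a predicate that now also appears in asm/domain.h (`modify_domain`) and must stay in step with the `depends on` added to CPU_SW_DOMAIN_PAN in arch/arm/Kconfig; three copies of the same three-way condition are how one site gets missed on the next change. Introduce a single Kconfig symbol selected by the three options (or one `#define` in asm/domain.h) and test that here, so the rule "which configs keep a per-thread DACR copy" lives in one place. The comment that follows still only explains the CPU_USE_DOMAINS case; extend it with `/* KERNEXEC/UDEREF also track DACR per thread, so the child must inherit the parent's value */`. `copy_thread()` starts and ends outside the hunk.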
@@ -3839,71 +3856,6 @@ index df7537f..b931a5f 100644
          exploits.
  
          If all of the binaries and libraries which run on your platform
-diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c
-index 00b7f7d..6fc28bc 100644
---- a/arch/arm/mm/alignment.c
-+++ b/arch/arm/mm/alignment.c
-@@ -216,10 +216,12 @@ union offset_union {
- #define __get16_unaligned_check(ins,val,addr)                 \
-       do {                                                    \
-               unsigned int err = 0, v, a = addr;              \
-+              pax_open_userland();                            \
-               __get8_unaligned_check(ins,v,a,err);            \
-               val =  v << ((BE) ? 8 : 0);                     \
-               __get8_unaligned_check(ins,v,a,err);            \
-               val |= v << ((BE) ? 0 : 8);                     \
-+              pax_close_userland();                           \
-               if (err)                                        \
-                       goto fault;                             \
-       } while (0)
-@@ -233,6 +235,7 @@ union offset_union {
- #define __get32_unaligned_check(ins,val,addr)                 \
-       do {                                                    \
-               unsigned int err = 0, v, a = addr;              \
-+              pax_open_userland();                            \
-               __get8_unaligned_check(ins,v,a,err);            \
-               val =  v << ((BE) ? 24 :  0);                   \
-               __get8_unaligned_check(ins,v,a,err);            \
-@@ -241,6 +244,7 @@ union offset_union {
-               val |= v << ((BE) ?  8 : 16);                   \
-               __get8_unaligned_check(ins,v,a,err);            \
-               val |= v << ((BE) ?  0 : 24);                   \
-+              pax_close_userland();                           \
-               if (err)                                        \
-                       goto fault;                             \
-       } while (0)
-@@ -254,6 +258,7 @@ union offset_union {
- #define __put16_unaligned_check(ins,val,addr)                 \
-       do {                                                    \
-               unsigned int err = 0, v = val, a = addr;        \
-+              pax_open_userland();                            \
-               __asm__( FIRST_BYTE_16                          \
-        ARM(   "1:     "ins"   %1, [%2], #1\n" )               \
-        THUMB( "1:     "ins"   %1, [%2]\n"     )               \
-@@ -273,6 +278,7 @@ union offset_union {
-               "       .popsection\n"                          \
-               : "=r" (err), "=&r" (v), "=&r" (a)              \
-               : "0" (err), "1" (v), "2" (a));                 \
-+              pax_close_userland();                           \
-               if (err)                                        \
-                       goto fault;                             \
-       } while (0)
-@@ -286,6 +292,7 @@ union offset_union {
- #define __put32_unaligned_check(ins,val,addr)                 \
-       do {                                                    \
-               unsigned int err = 0, v = val, a = addr;        \
-+              pax_open_userland();                            \
-               __asm__( FIRST_BYTE_32                          \
-        ARM(   "1:     "ins"   %1, [%2], #1\n" )               \
-        THUMB( "1:     "ins"   %1, [%2]\n"     )               \
-@@ -315,6 +322,7 @@ union offset_union {
-               "       .popsection\n"                          \
-               : "=r" (err), "=&r" (v), "=&r" (a)              \
-               : "0" (err), "1" (v), "2" (a));                 \
-+              pax_close_userland();                           \
-               if (err)                                        \
-                       goto fault;                             \
-       } while (0)
 diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c
 index 493692d..42a4504 100644
 --- a/arch/arm/mm/cache-l2x0.c
@@ -113574,7 +113526,7 @@ index 04e91ff..2419384 100644
  }
  EXPORT_SYMBOL(__stack_chk_fail);
 diff --git a/kernel/pid.c b/kernel/pid.c
-index ca36879..1f6c7bd 100644
+index ca36879..1f368d5 100644
 --- a/kernel/pid.c
 +++ b/kernel/pid.c
 @@ -33,6 +33,7 @@
@@ -113613,15 +113565,14 @@ index ca36879..1f6c7bd 100644
  }
  
  struct task_struct *find_task_by_vpid(pid_t vnr)
-@@ -461,13 +470,21 @@ struct task_struct *find_task_by_vpid(pid_t vnr)
+@@ -461,13 +470,20 @@ struct task_struct *find_task_by_vpid(pid_t vnr)
        return find_task_by_pid_ns(vnr, task_active_pid_ns(current));
  }
  
 +struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr)
 +{
-+      rcu_lockdep_assert(rcu_read_lock_held(),
-+                         "find_task_by_pid_ns() needs rcu_read_lock()"
-+                         " protection");
++      RCU_LOCKDEP_WARN(!rcu_read_lock_held(),
++                       "find_task_by_pid_ns() needs rcu_read_lock() 
protection");
 +      return pid_task(find_pid_ns(vnr, task_active_pid_ns(current)), 
PIDTYPE_PID);
 +}
 +
@@ -113636,7 +113587,7 @@ index ca36879..1f6c7bd 100644
        rcu_read_unlock();
        return pid;
  }
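Review bot: The message in the new `RCU_LOCKDEP_WARN(!rcu_read_lock_held(), "find_task_by_pid_ns() needs rcu_read_lock() protection")` names the wrong function — this is `find_task_by_vpid_unrestricted()`, and the string was evidently carried over from upstream's helper — so a lockdep splat would point a responder at the wrong place; change it to `"find_task_by_vpid_unrestricted() needs rcu_read_lock() protection"`. The function also carries no comment explaining what "unrestricted" means; since it sits next to a `find_task_by_vpid()` that this patch set evidently restricts (those changes are above this hunk and not visible), its contract — that it bypasses that restriction and must only be called where the caller performs its own access check — belongs in a kernel-doc block above it, or it will be picked up by future code as a convenient lookup. The ptrace caller is presumably where that check lives, but it is outside this hunk.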
-@@ -528,7 +545,7 @@ pid_t __task_pid_nr_ns(struct task_struct *task, enum 
pid_type type,
+@@ -528,7 +544,7 @@ pid_t __task_pid_nr_ns(struct task_struct *task, enum 
pid_type type,
        if (likely(pid_alive(task))) {
                if (type != PIDTYPE_PID)
                        task = task->group_leader;
@@ -113837,10 +113788,10 @@ index 99513e1..0caa643 100644
  }
  
 diff --git a/kernel/ptrace.c b/kernel/ptrace.c
-index 787320d..9873654 100644
+index 787320d..64d61aa 100644
 --- a/kernel/ptrace.c
 +++ b/kernel/ptrace.c
-@@ -207,18 +207,45 @@ static int ptrace_check_attach(struct task_struct 
*child, bool ignore_state)
+@@ -207,18 +207,46 @@ static int ptrace_check_attach(struct task_struct 
*child, bool ignore_state)
        return ret;
  }
  
@@ -113881,6 +113832,7 @@ index 787320d..9873654 100644
        const struct cred *cred = current_cred(), *tcred;
 +      kuid_t caller_uid;
 +      kgid_t caller_gid;
++      int dumpable = 0;
 +
 +      if (!(mode & PTRACE_MODE_FSCREDS) == !(mode & PTRACE_MODE_REALCREDS)) {
 +              WARN(1, "denying ptrace access check without 
PTRACE_MODE_*CREDS\n");
@@ -113889,7 +113841,13 @@ index 787320d..9873654 100644
  
        /* May we inspect the given task?
         * This check is used both for attaching with ptrace
-@@ -233,15 +260,30 @@ static int __ptrace_may_access(struct task_struct *task, 
unsigned int mode)
+@@ -228,20 +256,35 @@ static int __ptrace_may_access(struct task_struct *task, 
unsigned int mode)
+        * because setting up the necessary parent/child relationship
+        * or halting the specified task is impossible.
+        */
+-      int dumpable = 0;
++
+       /* Don't let security modules deny introspection */
        if (same_thread_group(task, current))
                return 0;
        rcu_read_lock();
@@ -113927,7 +113885,7 @@ index 787320d..9873654 100644
                goto ok;
        rcu_read_unlock();
        return -EPERM;
-@@ -252,7 +294,7 @@ ok:
+@@ -252,7 +295,7 @@ ok:
                dumpable = get_dumpable(task->mm);
        rcu_read_lock();
        if (dumpable != SUID_DUMP_USER &&
@@ -113936,7 +113894,7 @@ index 787320d..9873654 100644
                rcu_read_unlock();
                return -EPERM;
        }
-@@ -306,7 +348,7 @@ static int ptrace_attach(struct task_struct *task, long 
request,
+@@ -306,7 +349,7 @@ static int ptrace_attach(struct task_struct *task, long 
request,
                goto out;
  
        task_lock(task);
@@ -113945,7 +113903,7 @@ index 787320d..9873654 100644
        task_unlock(task);
        if (retval)
                goto unlock_creds;
-@@ -321,7 +363,7 @@ static int ptrace_attach(struct task_struct *task, long 
request,
+@@ -321,7 +364,7 @@ static int ptrace_attach(struct task_struct *task, long 
request,
        if (seize)
                flags |= PT_SEIZED;
        rcu_read_lock();
@@ -113954,7 +113912,7 @@ index 787320d..9873654 100644
                flags |= PT_PTRACE_CAP;
        rcu_read_unlock();
        task->ptrace = flags;
-@@ -514,7 +556,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long 
src, char __user *dst
+@@ -514,7 +557,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long 
src, char __user *dst
                                break;
                        return -EIO;
                }
@@ -113963,7 +113921,7 @@ index 787320d..9873654 100644
                        return -EFAULT;
                copied += retval;
                src += retval;
-@@ -815,7 +857,7 @@ int ptrace_request(struct task_struct *child, long request,
+@@ -815,7 +858,7 @@ int ptrace_request(struct task_struct *child, long request,
        bool seized = child->ptrace & PT_SEIZED;
        int ret = -EIO;
        siginfo_t siginfo, *si;
@@ -113972,7 +113930,7 @@ index 787320d..9873654 100644
        unsigned long __user *datalp = datavp;
        unsigned long flags;
  
-@@ -1061,14 +1103,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, 
unsigned long, addr,
+@@ -1061,14 +1104,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, 
unsigned long, addr,
                goto out;
        }
  
@@ -113995,7 +113953,7 @@ index 787320d..9873654 100644
                goto out_put_task_struct;
        }
  
-@@ -1096,7 +1145,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, 
unsigned long addr,
+@@ -1096,7 +1146,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, 
unsigned long addr,
        copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
        if (copied != sizeof(tmp))
                return -EIO;
@@ -114004,7 +113962,7 @@ index 787320d..9873654 100644
  }
  
  int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
-@@ -1189,7 +1238,7 @@ int compat_ptrace_request(struct task_struct *child, 
compat_long_t request,
+@@ -1189,7 +1239,7 @@ int compat_ptrace_request(struct task_struct *child, 
compat_long_t request,
  }
  
  COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
@@ -114013,7 +113971,7 @@ index 787320d..9873654 100644
  {
        struct task_struct *child;
        long ret;
-@@ -1205,14 +1254,21 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, 
compat_long_t, pid,
+@@ -1205,14 +1255,21 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, 
compat_long_t, pid,
                goto out;
        }
  
@@ -126058,10 +126016,24 @@ index ade7737..70ed9be 100644
                goto err_reg;
  
 diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 064f1a0..e6e7d27 100644
+index 064f1a0..47f24ef 100644
 --- a/net/ipv4/tcp_input.c
 +++ b/net/ipv4/tcp_input.c
-@@ -786,7 +786,7 @@ static void tcp_update_pacing_rate(struct sock *sk)
+@@ -265,11 +265,13 @@ static void tcp_ecn_rcv_synack(struct tcp_sock *tp, 
const struct tcphdr *th)
+               tp->ecn_flags &= ~TCP_ECN_OK;
+ }
+ 
++#ifndef CONFIG_GRKERNSEC_NO_SIMULT_CONNECT
+ static void tcp_ecn_rcv_syn(struct tcp_sock *tp, const struct tcphdr *th)
+ {
+       if ((tp->ecn_flags & TCP_ECN_OK) && (!th->ece || !th->cwr))
+               tp->ecn_flags &= ~TCP_ECN_OK;
+ }
++#endif
+ 
+ static bool tcp_ecn_rcv_ecn_echo(const struct tcp_sock *tp, const struct 
tcphdr *th)
+ {
+@@ -786,7 +788,7 @@ static void tcp_update_pacing_rate(struct sock *sk)
         * without any lock. We want to make sure compiler wont store
         * intermediate values in this location.
         */
@@ -126070,7 +126042,7 @@ index 064f1a0..e6e7d27 100644
                                                sk->sk_max_pacing_rate);
  }
  
-@@ -4650,7 +4650,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, 
struct sk_buff *skb,
+@@ -4650,7 +4652,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, 
struct sk_buff *skb,
   * simplifies code)
   */
  static void
@@ -126079,7 +126051,7 @@ index 064f1a0..e6e7d27 100644
             struct sk_buff *head, struct sk_buff *tail,
             u32 start, u32 end)
  {
-@@ -5645,6 +5645,7 @@ discard:
+@@ -5645,6 +5647,7 @@ discard:
            tcp_paws_reject(&tp->rx_opt, 0))
                goto discard_and_undo;
  
@@ -126087,7 +126059,7 @@ index 064f1a0..e6e7d27 100644
        if (th->syn) {
                /* We see SYN without ACK. It is attempt of
                 * simultaneous connect with crossed SYNs.
-@@ -5696,6 +5697,7 @@ discard:
+@@ -5696,6 +5699,7 @@ discard:
                goto discard;
  #endif
        }
@@ -126095,7 +126067,7 @@ index 064f1a0..e6e7d27 100644
        /* "fifth, if neither of the SYN or RST bits is set then
         * drop the segment and return."
         */
-@@ -5742,7 +5744,7 @@ int tcp_rcv_state_process(struct sock *sk, struct 
sk_buff *skb,
+@@ -5742,7 +5746,7 @@ int tcp_rcv_state_process(struct sock *sk, struct 
sk_buff *skb,
                        goto discard;
  
                if (th->syn) {
@@ -126104,7 +126076,7 @@ index 064f1a0..e6e7d27 100644
                                goto discard;
                        if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
                                return 1;
-@@ -6072,7 +6074,7 @@ struct request_sock *inet_reqsk_alloc(const struct 
request_sock_ops *ops,
+@@ -6072,7 +6076,7 @@ struct request_sock *inet_reqsk_alloc(const struct 
request_sock_ops *ops,
  
                kmemcheck_annotate_bitfield(ireq, flags);
                ireq->opt = NULL;
@@ -132090,10 +132062,10 @@ index 8e5aee6..445cf3d 100755
  # Find all available archs
  find_all_archs()
 diff --git a/security/Kconfig b/security/Kconfig
-index e452378..3e213c66 100644
+index e452378..16eb80f 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
-@@ -4,6 +4,981 @@
+@@ -4,6 +4,980 @@
  
  menu "Security options"
  
@@ -132928,7 +132900,6 @@ index e452378..3e213c66 100644
 +      default y if GRKERNSEC_CONFIG_AUTO && !(X86_64 && 
GRKERNSEC_CONFIG_PRIORITY_PERF) && !(X86_64 && GRKERNSEC_CONFIG_VIRT_HOST && 
GRKERNSEC_CONFIG_VIRT_VIRTUALBOX) && (!X86 || GRKERNSEC_CONFIG_VIRT_NONE || 
GRKERNSEC_CONFIG_VIRT_EPT)
 +      depends on (X86 || (ARM && (CPU_V6 || CPU_V6K || CPU_V7) && !ARM_LPAE)) 
&& !UML_X86 && !XEN
 +      select PAX_PER_CPU_PGD if X86_64
-+      select CPU_SW_DOMAIN_PAN if ARM
 +      help
 +        By saying Y here the kernel will be prevented from dereferencing
 +        userland pointers in contexts where the kernel expects only kernel
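Review bot: Dropping `select CPU_SW_DOMAIN_PAN if ARM` from PAX_MEMORY_UDEREF is required now that arch/arm/Kconfig makes CPU_SW_DOMAIN_PAN depend on `!PAX_MEMORY_UDEREF` (a select would override that and only emit an unmet-dependency warning), but the help text still leaves an ARM user with no hint that saying Y here turns off upstream's own privileged-no-access implementation. Add to the help text: `On ARM this option replaces the upstream CPU_SW_DOMAIN_PAN implementation, which is forced off when UDEREF is enabled; both use the CPU domain register.` Without it, enabling UDEREF flips CPU_SW_DOMAIN_PAN from y to n without comment, and a hardening checklist that looks for CPU_SW_DOMAIN_PAN=y would wrongly report a regression.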
@@ -133075,7 +133046,7 @@ index e452378..3e213c66 100644
  source security/keys/Kconfig
  
  config SECURITY_DMESG_RESTRICT
-@@ -104,7 +1079,7 @@ config INTEL_TXT
+@@ -104,7 +1078,7 @@ config INTEL_TXT
  config LSM_MMAP_MIN_ADDR
        int "Low address space for LSM to protect from user allocation"
        depends on SECURITY && SECURITY_SELINUX
