commit: c93aa17d5126ba7c50c7e204d699491674712983
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun May 11 11:55:06 2014 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun May 11 11:55:06 2014 +0000
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=c93aa17d
Grsec/PaX: 3.0-{3.2.58,3.14.3}-201405101947
---
3.14.3/0000_README | 2 +-
... 4420_grsecurity-3.0-3.14.3-201405101947.patch} | 203 +++++++++++++----
3.2.58/0000_README | 2 +-
... 4420_grsecurity-3.0-3.2.58-201405101946.patch} | 242 ++++++++++++++++++---
4 files changed, 368 insertions(+), 81 deletions(-)
diff --git a/3.14.3/0000_README b/3.14.3/0000_README
index 108ad48..4ea0a4a 100644
--- a/3.14.3/0000_README
+++ b/3.14.3/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.14.3-201405092337.patch
+Patch: 4420_grsecurity-3.0-3.14.3-201405101947.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch
b/3.14.3/4420_grsecurity-3.0-3.14.3-201405101947.patch
similarity index 99%
rename from 3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch
rename to 3.14.3/4420_grsecurity-3.0-3.14.3-201405101947.patch
index 4e0c19f..d17eca9 100644
--- a/3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch
+++ b/3.14.3/4420_grsecurity-3.0-3.14.3-201405101947.patch
@@ -6784,7 +6784,7 @@ index 44a1f79..2bd6aa3 100644
void __init gt641xx_irq_init(void)
diff --git a/arch/mips/kernel/irq.c b/arch/mips/kernel/irq.c
-index d1fea7a..45602ea 100644
+index d1fea7a..2e591b0 100644
--- a/arch/mips/kernel/irq.c
+++ b/arch/mips/kernel/irq.c
@@ -77,17 +77,17 @@ void ack_bad_irq(unsigned int irq)
@@ -6808,6 +6808,25 @@ index d1fea7a..45602ea 100644
}
void __init init_IRQ(void)
+@@ -110,7 +110,10 @@ void __init init_IRQ(void)
+ #endif
+ }
+
++
+ #ifdef DEBUG_STACKOVERFLOW
++extern void gr_handle_kernel_exploit(void);
++
+ static inline void check_stack_overflow(void)
+ {
+ unsigned long sp;
+@@ -126,6 +129,7 @@ static inline void check_stack_overflow(void)
+ printk("do_IRQ: stack overflow: %ld\n",
+ sp - sizeof(struct thread_info));
+ dump_stack();
++ gr_handle_kernel_exploit();
+ }
+ }
+ #else
diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
index 6ae540e..b7396dc 100644
--- a/arch/mips/kernel/process.c
@@ -8435,6 +8454,27 @@ index 38d5073..f00af8d 100644
mr r5,r3
addi r3,r1,STACK_FRAME_OVERHEAD
lwz r4,_DAR(r1)
+diff --git a/arch/powerpc/kernel/irq.c b/arch/powerpc/kernel/irq.c
+index 1d0848b..d74685f 100644
+--- a/arch/powerpc/kernel/irq.c
++++ b/arch/powerpc/kernel/irq.c
+@@ -447,6 +447,8 @@ void migrate_irqs(void)
+ }
+ #endif
+
++extern void gr_handle_kernel_exploit(void);
++
+ static inline void check_stack_overflow(void)
+ {
+ #ifdef CONFIG_DEBUG_STACKOVERFLOW
+@@ -459,6 +461,7 @@ static inline void check_stack_overflow(void)
+ printk("do_IRQ: stack overflow: %ld\n",
+ sp - sizeof(struct thread_info));
+ dump_stack();
++ gr_handle_kernel_exploit();
+ }
+ #endif
+ }
diff --git a/arch/powerpc/kernel/module_32.c b/arch/powerpc/kernel/module_32.c
index 6cff040..74ac5d1 100644
--- a/arch/powerpc/kernel/module_32.c
@@ -21668,7 +21708,7 @@ index d9c12d3..7858b62 100644
if (__die(str, regs, err))
diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c
-index f2a1770..540657f 100644
+index f2a1770..10fa52d 100644
--- a/arch/x86/kernel/dumpstack_32.c
+++ b/arch/x86/kernel/dumpstack_32.c
@@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task, struct pt_regs
*regs,
@@ -21746,7 +21786,7 @@ index f2a1770..540657f 100644
return ud2 == 0x0b0f;
}
+
-+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
++#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
+void pax_check_alloca(unsigned long size)
+{
+ unsigned long sp = (unsigned long)&sp, stack_left;
@@ -21758,7 +21798,7 @@ index f2a1770..540657f 100644
+EXPORT_SYMBOL(pax_check_alloca);
+#endif
diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
-index addb207..99635fa 100644
+index addb207..921706b 100644
--- a/arch/x86/kernel/dumpstack_64.c
+++ b/arch/x86/kernel/dumpstack_64.c
@@ -119,9 +119,9 @@ void dump_trace(struct task_struct *task, struct pt_regs
*regs,
@@ -21827,7 +21867,7 @@ index addb207..99635fa 100644
return ud2 == 0x0b0f;
}
+
-+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
++#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
+void pax_check_alloca(unsigned long size)
+{
+ unsigned long sp = (unsigned long)&sp, stack_start, stack_end;
@@ -24891,10 +24931,19 @@ index d99f31d..1c0f466 100644
}
diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c
-index d7fcbed..1f747f7 100644
+index d7fcbed..96e715a 100644
--- a/arch/x86/kernel/irq_32.c
+++ b/arch/x86/kernel/irq_32.c
-@@ -39,7 +39,7 @@ static int check_stack_overflow(void)
+@@ -29,6 +29,8 @@ EXPORT_PER_CPU_SYMBOL(irq_regs);
+
+ #ifdef CONFIG_DEBUG_STACKOVERFLOW
+
++extern void gr_handle_kernel_exploit(void);
++
+ int sysctl_panic_on_stackoverflow __read_mostly;
+
+ /* Debugging check for stack overflow: is there less than 1KB free? */
+@@ -39,13 +41,14 @@ static int check_stack_overflow(void)
__asm__ __volatile__("andl %%esp,%0" :
"=r" (sp) : "0" (THREAD_SIZE - 1));
@@ -24903,7 +24952,14 @@ index d7fcbed..1f747f7 100644
}
static void print_stack_overflow(void)
-@@ -59,8 +59,8 @@ static inline void print_stack_overflow(void) { }
+ {
+ printk(KERN_WARNING "low stack detected by irq handler\n");
+ dump_stack();
++ gr_handle_kernel_exploit();
+ if (sysctl_panic_on_stackoverflow)
+ panic("low stack detected by irq handler - check messages\n");
+ }
+@@ -59,8 +62,8 @@ static inline void print_stack_overflow(void) { }
* per-CPU IRQ handling contexts (thread information and stack)
*/
union irq_ctx {
@@ -24914,7 +24970,7 @@ index d7fcbed..1f747f7 100644
} __attribute__((aligned(THREAD_SIZE)));
static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
-@@ -80,10 +80,9 @@ static void call_on_stack(void *func, void *stack)
+@@ -80,10 +83,9 @@ static void call_on_stack(void *func, void *stack)
static inline int
execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
{
@@ -24926,7 +24982,7 @@ index d7fcbed..1f747f7 100644
irqctx = __this_cpu_read(hardirq_ctx);
/*
-@@ -92,13 +91,16 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc,
int irq)
+@@ -92,13 +94,16 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc,
int irq)
* handler) we can't do that and just have to keep using the
* current stack (which is the irq stack already after all)
*/
@@ -24947,7 +25003,7 @@ index d7fcbed..1f747f7 100644
if (unlikely(overflow))
call_on_stack(print_stack_overflow, isp);
-@@ -110,6 +112,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc,
int irq)
+@@ -110,6 +115,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc,
int irq)
: "0" (irq), "1" (desc), "2" (isp),
"D" (desc->handle_irq)
: "memory", "cc", "ecx");
@@ -24959,7 +25015,7 @@ index d7fcbed..1f747f7 100644
return 1;
}
-@@ -118,48 +125,34 @@ execute_on_irq_stack(int overflow, struct irq_desc
*desc, int irq)
+@@ -118,48 +128,34 @@ execute_on_irq_stack(int overflow, struct irq_desc
*desc, int irq)
*/
void irq_ctx_init(int cpu)
{
@@ -25021,7 +25077,7 @@ index d7fcbed..1f747f7 100644
}
bool handle_irq(unsigned irq, struct pt_regs *regs)
-@@ -173,7 +166,7 @@ bool handle_irq(unsigned irq, struct pt_regs *regs)
+@@ -173,7 +169,7 @@ bool handle_irq(unsigned irq, struct pt_regs *regs)
if (unlikely(!desc))
return false;
@@ -25031,10 +25087,19 @@ index d7fcbed..1f747f7 100644
print_stack_overflow();
desc->handle_irq(irq, desc);
diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
-index 4d1c746..232961d 100644
+index 4d1c746..55a22d6 100644
--- a/arch/x86/kernel/irq_64.c
+++ b/arch/x86/kernel/irq_64.c
-@@ -44,7 +44,7 @@ static inline void stack_overflow_check(struct pt_regs *regs)
+@@ -26,6 +26,8 @@ EXPORT_PER_CPU_SYMBOL(irq_stat);
+ DEFINE_PER_CPU(struct pt_regs *, irq_regs);
+ EXPORT_PER_CPU_SYMBOL(irq_regs);
+
++extern void gr_handle_kernel_exploit(void);
++
+ int sysctl_panic_on_stackoverflow;
+
+ /*
+@@ -44,7 +46,7 @@ static inline void stack_overflow_check(struct pt_regs *regs)
u64 estack_top, estack_bottom;
u64 curbase = (u64)task_stack_page(current);
@@ -25043,6 +25108,15 @@ index 4d1c746..232961d 100644
return;
if (regs->sp >= curbase + sizeof(struct thread_info) +
+@@ -69,6 +71,8 @@ static inline void stack_overflow_check(struct pt_regs *regs)
+ irq_stack_top, irq_stack_bottom,
+ estack_top, estack_bottom);
+
++ gr_handle_kernel_exploit();
++
+ if (sysctl_panic_on_stackoverflow)
+ panic("low stack detected by irq handler - check messages\n");
+ #endif
diff --git a/arch/x86/kernel/jump_label.c b/arch/x86/kernel/jump_label.c
index 26d5a55..a01160a 100644
--- a/arch/x86/kernel/jump_label.c
@@ -58399,7 +58473,7 @@ index e4141f2..d8263e8 100644
i += packet_length_size;
if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
diff --git a/fs/exec.c b/fs/exec.c
-index 3d78fcc..5a38b6b 100644
+index 3d78fcc..460e2a0 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,8 +55,20 @@
@@ -58882,7 +58956,7 @@ index 3d78fcc..5a38b6b 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1626,3 +1800,295 @@ asmlinkage long compat_sys_execve(const char __user *
filename,
+@@ -1626,3 +1800,296 @@ asmlinkage long compat_sys_execve(const char __user *
filename,
return compat_do_execve(getname(filename), argv, envp);
}
#endif
@@ -59099,6 +59173,7 @@ index 3d78fcc..5a38b6b 100644
+#endif
+
+#ifdef CONFIG_PAX_USERCOPY
++
+static inline bool check_kernel_text_object(unsigned long low, unsigned long
high)
+{
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
@@ -64219,7 +64294,7 @@ index 87dbcbe..55e1b4d 100644
}
diff --git a/fs/proc/stat.c b/fs/proc/stat.c
-index 6f599c6..8f4644f 100644
+index 6f599c6..bd00271 100644
--- a/fs/proc/stat.c
+++ b/fs/proc/stat.c
@@ -11,6 +11,7 @@
@@ -64249,34 +64324,63 @@ index 6f599c6..8f4644f 100644
user = nice = system = idle = iowait =
irq = softirq = steal = 0;
-@@ -94,6 +107,7 @@ static int show_stat(struct seq_file *p, void *v)
- getboottime(&boottime);
- jif = boottime.tv_sec;
-
-+ if (unrestricted) {
- for_each_possible_cpu(i) {
- user += kcpustat_cpu(i).cpustat[CPUTIME_USER];
+@@ -99,23 +112,25 @@ static int show_stat(struct seq_file *p, void *v)
nice += kcpustat_cpu(i).cpustat[CPUTIME_NICE];
-@@ -116,6 +130,7 @@ static int show_stat(struct seq_file *p, void *v)
+ system += kcpustat_cpu(i).cpustat[CPUTIME_SYSTEM];
+ idle += get_idle_time(i);
+- iowait += get_iowait_time(i);
+- irq += kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
+- softirq += kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
+- steal += kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
+- guest += kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
+- guest_nice += kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
+- sum += kstat_cpu_irqs_sum(i);
+- sum += arch_irq_stat_cpu(i);
++ if (unrestricted) {
++ iowait += get_iowait_time(i);
++ irq += kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
++ softirq += kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
++ steal += kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
++ guest += kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
++ guest_nice +=
kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
++ sum += kstat_cpu_irqs_sum(i);
++ sum += arch_irq_stat_cpu(i);
++ for (j = 0; j < NR_SOFTIRQS; j++) {
++ unsigned int softirq_stat =
kstat_softirqs_cpu(j, i);
+
+- for (j = 0; j < NR_SOFTIRQS; j++) {
+- unsigned int softirq_stat = kstat_softirqs_cpu(j, i);
+-
+- per_softirq_sums[j] += softirq_stat;
+- sum_softirq += softirq_stat;
++ per_softirq_sums[j] += softirq_stat;
++ sum_softirq += softirq_stat;
++ }
}
}
- sum += arch_irq_stat();
-+ }
+- sum += arch_irq_stat();
++ if (unrestricted)
++ sum += arch_irq_stat();
seq_puts(p, "cpu ");
seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user));
-@@ -131,6 +146,7 @@ static int show_stat(struct seq_file *p, void *v)
- seq_putc(p, '\n');
-
- for_each_online_cpu(i) {
-+ if (unrestricted) {
- /* Copy values here to work around gcc-2.95.3, gcc-2.96 */
- user = kcpustat_cpu(i).cpustat[CPUTIME_USER];
+@@ -136,12 +151,14 @@ static int show_stat(struct seq_file *p, void *v)
nice = kcpustat_cpu(i).cpustat[CPUTIME_NICE];
-@@ -142,6 +158,7 @@ static int show_stat(struct seq_file *p, void *v)
- steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
- guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
- guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
+ system = kcpustat_cpu(i).cpustat[CPUTIME_SYSTEM];
+ idle = get_idle_time(i);
+- iowait = get_iowait_time(i);
+- irq = kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
+- softirq = kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
+- steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
+- guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
+- guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
++ if (unrestricted) {
++ iowait = get_iowait_time(i);
++ irq = kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
++ softirq = kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
++ steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
++ guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
++ guest_nice =
kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
+ }
seq_printf(p, "cpu%d", i);
seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user));
@@ -82480,16 +82584,26 @@ index 387fa7d..3fcde6b 100644
#ifdef CONFIG_MAGIC_SYSRQ
diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
-index fddbe20..0312de8 100644
+index fddbe20..e4cce53 100644
--- a/include/linux/thread_info.h
+++ b/include/linux/thread_info.h
-@@ -161,6 +161,15 @@ static inline bool test_and_clear_restore_sigmask(void)
+@@ -161,6 +161,25 @@ static inline bool test_and_clear_restore_sigmask(void)
#error "no set_restore_sigmask() provided and default one won't work"
#endif
+extern void __check_object_size(const void *ptr, unsigned long n, bool
to_user);
++
++#if defined(CONFIG_X86) && defined(CONFIG_PAX_USERCOPY)
++extern void pax_check_alloca(unsigned long size);
++#endif
++
+static inline void check_object_size(const void *ptr, unsigned long n, bool
to_user)
+{
++#if defined(CONFIG_X86) && defined(CONFIG_PAX_USERCOPY)
++ /* always check if we've overflowed the stack in a copy*user */
++ pax_check_alloca(sizeof(unsigned long));
++#endif
++
+#ifndef CONFIG_PAX_USERCOPY_DEBUG
+ if (!__builtin_constant_p(n))
+#endif
@@ -103516,10 +103630,10 @@ index 8fac3fd..32ff38d 100644
unsigned int secindex_strings;
diff --git a/security/Kconfig b/security/Kconfig
-index beb86b5..1ea5a01 100644
+index beb86b5..55198cd 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,960 @@
+@@ -4,6 +4,961 @@
menu "Security options"
@@ -103556,6 +103670,7 @@ index beb86b5..1ea5a01 100644
+ select TTY
+ select DEBUG_KERNEL
+ select DEBUG_LIST
++ select DEBUG_STACKOVERFLOW if HAVE_DEBUG_STACKOVERFLOW
+ help
+ If you say Y here, you will be able to configure many features
+ that will enhance the security of your system. It is highly
@@ -104480,7 +104595,7 @@ index beb86b5..1ea5a01 100644
source security/keys/Kconfig
config SECURITY_DMESG_RESTRICT
-@@ -103,7 +1057,7 @@ config INTEL_TXT
+@@ -103,7 +1058,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
diff --git a/3.2.58/0000_README b/3.2.58/0000_README
index df97a0f..ad7286d 100644
--- a/3.2.58/0000_README
+++ b/3.2.58/0000_README
@@ -150,7 +150,7 @@ Patch: 1057_linux-3.2.58.patch
From: http://www.kernel.org
Desc: Linux 3.2.58
-Patch: 4420_grsecurity-3.0-3.2.58-201405092334.patch
+Patch: 4420_grsecurity-3.0-3.2.58-201405101946.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.58/4420_grsecurity-3.0-3.2.58-201405092334.patch
b/3.2.58/4420_grsecurity-3.0-3.2.58-201405101946.patch
similarity index 99%
rename from 3.2.58/4420_grsecurity-3.0-3.2.58-201405092334.patch
rename to 3.2.58/4420_grsecurity-3.0-3.2.58-201405101946.patch
index 4f95c38..ed3fd8f 100644
--- a/3.2.58/4420_grsecurity-3.0-3.2.58-201405092334.patch
+++ b/3.2.58/4420_grsecurity-3.0-3.2.58-201405101946.patch
@@ -4059,6 +4059,29 @@ index 883fc6c..28c0acd 100644
}
void __init gt641xx_irq_init(void)
+diff --git a/arch/mips/kernel/irq.c b/arch/mips/kernel/irq.c
+index 7f50318..20685b9 100644
+--- a/arch/mips/kernel/irq.c
++++ b/arch/mips/kernel/irq.c
+@@ -111,7 +111,10 @@ void __init init_IRQ(void)
+ #endif
+ }
+
++
+ #ifdef DEBUG_STACKOVERFLOW
++extern void gr_handle_kernel_exploit(void);
++
+ static inline void check_stack_overflow(void)
+ {
+ unsigned long sp;
+@@ -127,6 +130,7 @@ static inline void check_stack_overflow(void)
+ printk("do_IRQ: stack overflow: %ld\n",
+ sp - sizeof(struct thread_info));
+ dump_stack();
++ gr_handle_kernel_exploit();
+ }
+ }
+ #else
diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
index bf128d7..bc244d6 100644
--- a/arch/mips/kernel/process.c
@@ -5731,10 +5754,27 @@ index 8c3baa0..4d8c6f1 100644
addi r3,r1,STACK_FRAME_OVERHEAD
lwz r4,_DAR(r1)
diff --git a/arch/powerpc/kernel/irq.c b/arch/powerpc/kernel/irq.c
-index 745c1e7..59d97a6 100644
+index 745c1e7..d231072 100644
--- a/arch/powerpc/kernel/irq.c
+++ b/arch/powerpc/kernel/irq.c
-@@ -547,9 +547,6 @@ struct irq_host *irq_alloc_host(struct device_node
*of_node,
+@@ -324,6 +324,8 @@ static inline void handle_one_irq(unsigned int irq)
+ set_bits(irqtp->flags, &curtp->flags);
+ }
+
++extern void gr_handle_kernel_exploit(void);
++
+ static inline void check_stack_overflow(void)
+ {
+ #ifdef CONFIG_DEBUG_STACKOVERFLOW
+@@ -336,6 +338,7 @@ static inline void check_stack_overflow(void)
+ printk("do_IRQ: stack overflow: %ld\n",
+ sp - sizeof(struct thread_info));
+ dump_stack();
++ gr_handle_kernel_exploit();
+ }
+ #endif
+ }
+@@ -547,9 +550,6 @@ struct irq_host *irq_alloc_host(struct device_node
*of_node,
host->ops = ops;
host->of_node = of_node_get(of_node);
@@ -5744,7 +5784,7 @@ index 745c1e7..59d97a6 100644
raw_spin_lock_irqsave(&irq_big_lock, flags);
/* If it's a legacy controller, check for duplicates and
-@@ -622,7 +619,12 @@ struct irq_host *irq_find_host(struct device_node *node)
+@@ -622,7 +622,12 @@ struct irq_host *irq_find_host(struct device_node *node)
*/
raw_spin_lock_irqsave(&irq_big_lock, flags);
list_for_each_entry(h, &irq_hosts, link)
@@ -18092,7 +18132,7 @@ index 1aae78f..138ca1b 100644
if (__die(str, regs, err))
diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c
-index c99f9ed..025ebd3 100644
+index c99f9ed..76cf602 100644
--- a/arch/x86/kernel/dumpstack_32.c
+++ b/arch/x86/kernel/dumpstack_32.c
@@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task, struct pt_regs
*regs,
@@ -18163,7 +18203,7 @@ index c99f9ed..025ebd3 100644
return ud2 == 0x0b0f;
}
+
-+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
++#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
+void pax_check_alloca(unsigned long size)
+{
+ unsigned long sp = (unsigned long)&sp, stack_left;
@@ -18175,7 +18215,7 @@ index c99f9ed..025ebd3 100644
+EXPORT_SYMBOL(pax_check_alloca);
+#endif
diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
-index 6d728d9..80f1867 100644
+index 6d728d9..c4c40f5 100644
--- a/arch/x86/kernel/dumpstack_64.c
+++ b/arch/x86/kernel/dumpstack_64.c
@@ -119,9 +119,9 @@ void dump_trace(struct task_struct *task, struct pt_regs
*regs,
@@ -18253,7 +18293,7 @@ index 6d728d9..80f1867 100644
return ud2 == 0x0b0f;
}
+
-+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
++#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
+void pax_check_alloca(unsigned long size)
+{
+ unsigned long sp = (unsigned long)&sp, stack_start, stack_end;
@@ -21138,10 +21178,20 @@ index 687637b..3e626d9 100644
}
diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c
-index 7209070..cbcd71a 100644
+index 7209070..ada4d63 100644
--- a/arch/x86/kernel/irq_32.c
+++ b/arch/x86/kernel/irq_32.c
-@@ -36,7 +36,7 @@ static int check_stack_overflow(void)
+@@ -28,6 +28,9 @@ DEFINE_PER_CPU(struct pt_regs *, irq_regs);
+ EXPORT_PER_CPU_SYMBOL(irq_regs);
+
+ #ifdef CONFIG_DEBUG_STACKOVERFLOW
++
++extern void gr_handle_kernel_exploit(void);
++
+ /* Debugging check for stack overflow: is there less than 1KB free? */
+ static int check_stack_overflow(void)
+ {
+@@ -36,13 +39,14 @@ static int check_stack_overflow(void)
__asm__ __volatile__("andl %%esp,%0" :
"=r" (sp) : "0" (THREAD_SIZE - 1));
@@ -21150,7 +21200,14 @@ index 7209070..cbcd71a 100644
}
static void print_stack_overflow(void)
-@@ -54,8 +54,8 @@ static inline void print_stack_overflow(void) { }
+ {
+ printk(KERN_WARNING "low stack detected by irq handler\n");
+ dump_stack();
++ gr_handle_kernel_exploit();
+ }
+
+ #else
+@@ -54,8 +58,8 @@ static inline void print_stack_overflow(void) { }
* per-CPU IRQ handling contexts (thread information and stack)
*/
union irq_ctx {
@@ -21161,7 +21218,7 @@ index 7209070..cbcd71a 100644
} __attribute__((aligned(THREAD_SIZE)));
static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
-@@ -75,10 +75,9 @@ static void call_on_stack(void *func, void *stack)
+@@ -75,10 +79,9 @@ static void call_on_stack(void *func, void *stack)
static inline int
execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
{
@@ -21173,7 +21230,7 @@ index 7209070..cbcd71a 100644
irqctx = __this_cpu_read(hardirq_ctx);
/*
-@@ -87,21 +86,16 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc,
int irq)
+@@ -87,21 +90,16 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc,
int irq)
* handler) we can't do that and just have to keep using the
* current stack (which is the irq stack already after all)
*/
@@ -21201,7 +21258,7 @@ index 7209070..cbcd71a 100644
if (unlikely(overflow))
call_on_stack(print_stack_overflow, isp);
-@@ -113,6 +107,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc,
int irq)
+@@ -113,6 +111,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc,
int irq)
: "0" (irq), "1" (desc), "2" (isp),
"D" (desc->handle_irq)
: "memory", "cc", "ecx");
@@ -21213,7 +21270,7 @@ index 7209070..cbcd71a 100644
return 1;
}
-@@ -121,29 +120,11 @@ execute_on_irq_stack(int overflow, struct irq_desc
*desc, int irq)
+@@ -121,29 +124,11 @@ execute_on_irq_stack(int overflow, struct irq_desc
*desc, int irq)
*/
void __cpuinit irq_ctx_init(int cpu)
{
@@ -21245,7 +21302,7 @@ index 7209070..cbcd71a 100644
printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
-@@ -152,7 +133,6 @@ void __cpuinit irq_ctx_init(int cpu)
+@@ -152,7 +137,6 @@ void __cpuinit irq_ctx_init(int cpu)
asmlinkage void do_softirq(void)
{
unsigned long flags;
@@ -21253,7 +21310,7 @@ index 7209070..cbcd71a 100644
union irq_ctx *irqctx;
u32 *isp;
-@@ -162,15 +142,22 @@ asmlinkage void do_softirq(void)
+@@ -162,15 +146,22 @@ asmlinkage void do_softirq(void)
local_irq_save(flags);
if (local_softirq_pending()) {
@@ -21281,10 +21338,19 @@ index 7209070..cbcd71a 100644
* Shouldn't happen, we returned above if in_interrupt():
*/
diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
-index 69bca46..0bac999 100644
+index 69bca46..fe78277 100644
--- a/arch/x86/kernel/irq_64.c
+++ b/arch/x86/kernel/irq_64.c
-@@ -38,7 +38,7 @@ static inline void stack_overflow_check(struct pt_regs *regs)
+@@ -26,6 +26,8 @@ EXPORT_PER_CPU_SYMBOL(irq_stat);
+ DEFINE_PER_CPU(struct pt_regs *, irq_regs);
+ EXPORT_PER_CPU_SYMBOL(irq_regs);
+
++extern void gr_handle_kernel_exploit(void);
++
+ /*
+ * Probabilistic stack overflow check:
+ *
+@@ -38,7 +40,7 @@ static inline void stack_overflow_check(struct pt_regs *regs)
#ifdef CONFIG_DEBUG_STACKOVERFLOW
u64 curbase = (u64)task_stack_page(current);
@@ -21293,6 +21359,14 @@ index 69bca46..0bac999 100644
return;
WARN_ONCE(regs->sp >= curbase &&
+@@ -48,6 +50,7 @@ static inline void stack_overflow_check(struct pt_regs *regs)
+
+ "do_IRQ: %s near stack overflow (cur:%Lx,sp:%lx)\n",
+ current->comm, curbase, regs->sp);
++ gr_handle_kernel_exploit();
+ #endif
+ }
+
diff --git a/arch/x86/kernel/kgdb.c b/arch/x86/kernel/kgdb.c
index 2f45c4c..3f51a0c 100644
--- a/arch/x86/kernel/kgdb.c
@@ -56597,7 +56671,7 @@ index 451b9b8..12e5a03 100644
out_free_fd:
diff --git a/fs/exec.c b/fs/exec.c
-index 78199eb..1781a561 100644
+index 78199eb..80dac79 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,12 +55,35 @@
@@ -57210,7 +57284,7 @@ index 78199eb..1781a561 100644
cn->corename = kmalloc(cn->size, GFP_KERNEL);
cn->used = 0;
-@@ -1833,6 +2016,292 @@ out:
+@@ -1833,6 +2016,293 @@ out:
return ispipe;
}
@@ -57420,6 +57494,7 @@ index 78199eb..1781a561 100644
+#endif
+
+#ifdef CONFIG_PAX_USERCOPY
++
+static inline bool check_kernel_text_object(unsigned long low, unsigned long
high)
+{
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
@@ -57503,7 +57578,7 @@ index 78199eb..1781a561 100644
static int zap_process(struct task_struct *start, int exit_code)
{
struct task_struct *t;
-@@ -2006,17 +2475,17 @@ static void coredump_finish(struct mm_struct *mm)
+@@ -2006,17 +2476,17 @@ static void coredump_finish(struct mm_struct *mm)
void set_dumpable(struct mm_struct *mm, int value)
{
switch (value) {
@@ -57524,7 +57599,7 @@ index 78199eb..1781a561 100644
set_bit(MMF_DUMP_SECURELY, &mm->flags);
smp_wmb();
set_bit(MMF_DUMPABLE, &mm->flags);
-@@ -2029,7 +2498,7 @@ static int __get_dumpable(unsigned long mm_flags)
+@@ -2029,7 +2499,7 @@ static int __get_dumpable(unsigned long mm_flags)
int ret;
ret = mm_flags & MMF_DUMPABLE_MASK;
@@ -57533,7 +57608,7 @@ index 78199eb..1781a561 100644
}
/*
-@@ -2050,17 +2519,17 @@ static void wait_for_dump_helpers(struct file *file)
+@@ -2050,17 +2520,17 @@ static void wait_for_dump_helpers(struct file *file)
pipe = file->f_path.dentry->d_inode->i_pipe;
pipe_lock(pipe);
@@ -57556,7 +57631,7 @@ index 78199eb..1781a561 100644
pipe_unlock(pipe);
}
-@@ -2121,7 +2590,8 @@ void do_coredump(long signr, int exit_code, struct
pt_regs *regs)
+@@ -2121,7 +2591,8 @@ void do_coredump(long signr, int exit_code, struct
pt_regs *regs)
int retval = 0;
int flag = 0;
int ispipe;
@@ -57566,7 +57641,7 @@ index 78199eb..1781a561 100644
struct coredump_params cprm = {
.signr = signr,
.regs = regs,
-@@ -2136,6 +2606,9 @@ void do_coredump(long signr, int exit_code, struct
pt_regs *regs)
+@@ -2136,6 +2607,9 @@ void do_coredump(long signr, int exit_code, struct
pt_regs *regs)
audit_core_dumps(signr);
@@ -57576,7 +57651,7 @@ index 78199eb..1781a561 100644
binfmt = mm->binfmt;
if (!binfmt || !binfmt->core_dump)
goto fail;
-@@ -2146,14 +2619,16 @@ void do_coredump(long signr, int exit_code, struct
pt_regs *regs)
+@@ -2146,14 +2620,16 @@ void do_coredump(long signr, int exit_code, struct
pt_regs *regs)
if (!cred)
goto fail;
/*
@@ -57597,7 +57672,7 @@ index 78199eb..1781a561 100644
}
retval = coredump_wait(exit_code, &core_state);
-@@ -2203,7 +2678,7 @@ void do_coredump(long signr, int exit_code, struct
pt_regs *regs)
+@@ -2203,7 +2679,7 @@ void do_coredump(long signr, int exit_code, struct
pt_regs *regs)
}
cprm.limit = RLIM_INFINITY;
@@ -57606,7 +57681,7 @@ index 78199eb..1781a561 100644
if (core_pipe_limit && (core_pipe_limit < dump_count)) {
printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
task_tgid_vnr(current), current->comm);
-@@ -2230,9 +2705,19 @@ void do_coredump(long signr, int exit_code, struct
pt_regs *regs)
+@@ -2230,9 +2706,19 @@ void do_coredump(long signr, int exit_code, struct
pt_regs *regs)
} else {
struct inode *inode;
@@ -57626,7 +57701,7 @@ index 78199eb..1781a561 100644
cprm.file = filp_open(cn.corename,
O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
0600);
-@@ -2273,7 +2758,7 @@ close_fail:
+@@ -2273,7 +2759,7 @@ close_fail:
filp_close(cprm.file, NULL);
fail_dropcount:
if (ispipe)
@@ -57635,7 +57710,7 @@ index 78199eb..1781a561 100644
fail_unlock:
kfree(cn.corename);
fail_corename:
-@@ -2292,7 +2777,7 @@ fail:
+@@ -2292,7 +2778,7 @@ fail:
*/
int dump_write(struct file *file, const void *addr, int nr)
{
@@ -63098,6 +63173,92 @@ index 03102d9..4ae347e 100644
proc_sys_init();
}
+diff --git a/fs/proc/stat.c b/fs/proc/stat.c
+index 4c9a859..0b51e6b 100644
+--- a/fs/proc/stat.c
++++ b/fs/proc/stat.c
+@@ -67,6 +67,18 @@ static int show_stat(struct seq_file *p, void *v)
+ u64 sum_softirq = 0;
+ unsigned int per_softirq_sums[NR_SOFTIRQS] = {0};
+ struct timespec boottime;
++ int unrestricted = 1;
++
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#if defined(CONFIG_GRKERNSEC_PROC_USER) ||
defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ if (current_uid()
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ && !in_group_p(grsec_proc_gid)
++#endif
++ )
++ unrestricted = 0;
++#endif
++#endif
+
+ user = nice = system = idle = iowait =
+ irq = softirq = steal = cputime64_zero;
+@@ -79,24 +91,27 @@ static int show_stat(struct seq_file *p, void *v)
+ nice = cputime64_add(nice, kstat_cpu(i).cpustat.nice);
+ system = cputime64_add(system, kstat_cpu(i).cpustat.system);
+ idle = cputime64_add(idle, get_idle_time(i));
+- iowait = cputime64_add(iowait, get_iowait_time(i));
+- irq = cputime64_add(irq, kstat_cpu(i).cpustat.irq);
+- softirq = cputime64_add(softirq, kstat_cpu(i).cpustat.softirq);
+- steal = cputime64_add(steal, kstat_cpu(i).cpustat.steal);
+- guest = cputime64_add(guest, kstat_cpu(i).cpustat.guest);
+- guest_nice = cputime64_add(guest_nice,
+- kstat_cpu(i).cpustat.guest_nice);
+- sum += kstat_cpu_irqs_sum(i);
+- sum += arch_irq_stat_cpu(i);
++ if (unrestricted) {
++ iowait = cputime64_add(iowait, get_iowait_time(i));
++ irq = cputime64_add(irq, kstat_cpu(i).cpustat.irq);
++ softirq = cputime64_add(softirq,
kstat_cpu(i).cpustat.softirq);
++ steal = cputime64_add(steal,
kstat_cpu(i).cpustat.steal);
++ guest = cputime64_add(guest,
kstat_cpu(i).cpustat.guest);
++ guest_nice = cputime64_add(guest_nice,
++ kstat_cpu(i).cpustat.guest_nice);
++ sum += kstat_cpu_irqs_sum(i);
++ sum += arch_irq_stat_cpu(i);
+
+- for (j = 0; j < NR_SOFTIRQS; j++) {
+- unsigned int softirq_stat = kstat_softirqs_cpu(j, i);
++ for (j = 0; j < NR_SOFTIRQS; j++) {
++ unsigned int softirq_stat =
kstat_softirqs_cpu(j, i);
+
+- per_softirq_sums[j] += softirq_stat;
+- sum_softirq += softirq_stat;
++ per_softirq_sums[j] += softirq_stat;
++ sum_softirq += softirq_stat;
++ }
+ }
+ }
+- sum += arch_irq_stat();
++ if (unrestricted)
++ sum += arch_irq_stat();
+
+ seq_printf(p, "cpu %llu %llu %llu %llu %llu %llu %llu %llu %llu "
+ "%llu\n",
+@@ -116,12 +131,14 @@ static int show_stat(struct seq_file *p, void *v)
+ nice = kstat_cpu(i).cpustat.nice;
+ system = kstat_cpu(i).cpustat.system;
+ idle = get_idle_time(i);
+- iowait = get_iowait_time(i);
+- irq = kstat_cpu(i).cpustat.irq;
+- softirq = kstat_cpu(i).cpustat.softirq;
+- steal = kstat_cpu(i).cpustat.steal;
+- guest = kstat_cpu(i).cpustat.guest;
+- guest_nice = kstat_cpu(i).cpustat.guest_nice;
++ if (unrestricted) {
++ iowait = get_iowait_time(i);
++ irq = kstat_cpu(i).cpustat.irq;
++ softirq = kstat_cpu(i).cpustat.softirq;
++ steal = kstat_cpu(i).cpustat.steal;
++ guest = kstat_cpu(i).cpustat.guest;
++ guest_nice = kstat_cpu(i).cpustat.guest_nice;
++ }
+ seq_printf(p,
+ "cpu%d %llu %llu %llu %llu %llu %llu %llu %llu %llu "
+ "%llu\n",
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index ef1740d..9a18b87 100644
--- a/fs/proc/task_mmu.c
@@ -82409,16 +82570,26 @@ index 7faf933..9b85a0c 100644
#ifdef CONFIG_MAGIC_SYSRQ
diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
-index 8d03f07..e723aa8 100644
+index 8d03f07..66b3cf6 100644
--- a/include/linux/thread_info.h
+++ b/include/linux/thread_info.h
-@@ -123,6 +123,13 @@ static inline void set_restore_sigmask(void)
+@@ -123,6 +123,23 @@ static inline void set_restore_sigmask(void)
}
#endif /* TIF_RESTORE_SIGMASK && !HAVE_SET_RESTORE_SIGMASK */
+extern void __check_object_size(const void *ptr, unsigned long n, bool to);
++
++#if defined(CONFIG_X86) && defined(CONFIG_PAX_USERCOPY)
++extern void pax_check_alloca(unsigned long size);
++#endif
++
+static inline void check_object_size(const void *ptr, unsigned long n, bool
to)
+{
++#if defined(CONFIG_X86) && defined(CONFIG_PAX_USERCOPY)
++ /* always check if we've overflowed the stack in a copy*user */
++ pax_check_alloca(sizeof(unsigned long));
++#endif
++
+ if (!__builtin_constant_p(n))
+ __check_object_size(ptr, n, to);
+}
@@ -106618,10 +106789,10 @@ index 38f6617..e70b72b 100755
exuberant()
diff --git a/security/Kconfig b/security/Kconfig
-index 51bd5a0..d4191c5 100644
+index 51bd5a0..f75fbf0 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,955 @@
+@@ -4,6 +4,956 @@
menu "Security options"
@@ -106657,6 +106828,7 @@ index 51bd5a0..d4191c5 100644
+ select STOP_MACHINE
+ select DEBUG_KERNEL
+ select DEBUG_LIST
++ select DEBUG_STACKOVERFLOW if HAVE_DEBUG_STACKOVERFLOW
+ help
+ If you say Y here, you will be able to configure many features
+ that will enhance the security of your system. It is highly
@@ -107577,7 +107749,7 @@ index 51bd5a0..d4191c5 100644
config KEYS
bool "Enable access key retention support"
help
-@@ -169,7 +1118,7 @@ config INTEL_TXT
+@@ -169,7 +1119,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
