Hi folks, I have made another rsbac fixation patch to rsbac kernel 3.8
http://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-3.8.y.git;a=summary
and with PaX 3.8.13
http://grsecurity.net/test/pax-linux-3.8.13-test24.patch
I'm not sure if the stuff related with namei.c file is correct
#ifdef CONFIG_RSBAC_SYM_REDIR
rsbac_name = rsbac_symlink_redirect(dentry-
>d_inode, link, buflen);
if (rsbac_name) {
len = strlen(rsbac_name);
if (copy_to_user(buffer, rsbac_name, len))
len = -EFAULT;
kfree(rsbac_name);
}
else
#endif
if (len < sizeof(tmpbuf)) {
memcpy(tmpbuf, link, len);
newlink = tmpbuf;
} else
newlink = link;
if (copy_to_user(buffer, newlink, len))
len = -EFAULT;
out:
return len;
}
/*
PaX tries to do this modification to rsbac git code:
--- fs/namei.c 2013-03-19 01:53:21.091281869 +0100
+++ fs/namei.c 2013-03-19 01:53:31.251281326 +0100
@@ -3954,7 +3956,14 @@
len = strlen(link);
if (len > (unsigned) buflen)
len = buflen;
- if (copy_to_user(buffer, link, len))
+
+ if (len < sizeof(tmpbuf)) {
+ memcpy(tmpbuf, link, len);
+ newlink = tmpbuf;
+ } else
+ newlink = link;
+
+ if (copy_to_user(buffer, newlink, len))
len = -EFAULT;
out:
return len;
In fixation patch if CONFIG_RSBAC_SYM_REDIR is defined then test is:
if (copy_to_user(buffer, rsbac_name, len))
len = -EFAULT;
if you don't think this is correct any stuff is highly appreciated.
diff -rupN '--exclude=*.rej' '--exclude=*.orig' linux-3.8.y-c37ee4f_paxbroken/fs/namei.c linux-3.8.y-c37ee4f/fs/namei.c
--- linux-3.8.y-c37ee4f_paxbroken/fs/namei.c 2013-07-29 05:38:17.000000000 +0200
+++ linux-3.8.y-c37ee4f/fs/namei.c 2013-07-29 05:55:39.000000000 +0200
@@ -4806,7 +4806,13 @@ int vfs_readlink(struct dentry *dentry,
}
else
#endif
- if (copy_to_user(buffer, link, len))
+ if (len < sizeof(tmpbuf)) {
+ memcpy(tmpbuf, link, len);
+ newlink = tmpbuf;
+ } else
+ newlink = link;
+
+ if (copy_to_user(buffer, newlink, len))
len = -EFAULT;
out:
return len;
diff -rupN '--exclude=*.rej' '--exclude=*.orig' linux-3.8.y-c37ee4f_paxbroken/fs/pipe.c linux-3.8.y-c37ee4f/fs/pipe.c
--- linux-3.8.y-c37ee4f_paxbroken/fs/pipe.c 2013-07-29 05:38:17.000000000 +0200
+++ linux-3.8.y-c37ee4f/fs/pipe.c 2013-07-29 05:52:33.000000000 +0200
@@ -821,10 +821,10 @@ pipe_release(struct inode *inode, int de
mutex_lock(&inode->i_mutex);
pipe = inode->i_pipe;
- pipe->readers -= decr;
- pipe->writers -= decw;
+ atomic_sub(decr, &pipe->readers);
+ atomic_sub(decw, &pipe->writers);
- if (!pipe->readers && !pipe->writers) {
+ if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
#ifdef CONFIG_RSBAC
union rsbac_target_id_t rsbac_target_id;
diff -rupN '--exclude=*.rej' '--exclude=*.orig' linux-3.8.y-c37ee4f_paxbroken/init/do_mounts.c linux-3.8.y-c37ee4f/init/do_mounts.c
--- linux-3.8.y-c37ee4f_paxbroken/init/do_mounts.c 2013-07-29 05:38:17.000000000 +0200
+++ linux-3.8.y-c37ee4f/init/do_mounts.c 2013-07-29 05:49:05.000000000 +0200
@@ -593,8 +593,8 @@ void __init prepare_namespace(void)
mount_root();
out:
devtmpfs_mount("dev");
- sys_mount(".", "/", NULL, MS_MOVE, NULL);
- sys_chroot(".");
+ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
+ sys_chroot((const char __force_user *)".");
#ifdef CONFIG_RSBAC
#ifdef CONFIG_RSBAC_INIT_DELAY
diff -rupN '--exclude=*.rej' '--exclude=*.orig' linux-3.8.y-c37ee4f_paxbroken/mm/mprotect.c linux-3.8.y-c37ee4f/mm/mprotect.c
--- linux-3.8.y-c37ee4f_paxbroken/mm/mprotect.c 2013-07-29 05:38:17.000000000 +0200
+++ linux-3.8.y-c37ee4f/mm/mprotect.c 2013-07-29 05:57:07.000000000 +0200
@@ -23,10 +23,17 @@
#include <linux/mmu_notifier.h>
#include <linux/migrate.h>
#include <linux/perf_event.h>
+
+#ifdef CONFIG_PAX_MPROTECT
+#include <linux/elf.h>
+#include <linux/binfmts.h>
+#endif
+
#include <asm/uaccess.h>
#include <asm/pgtable.h>
#include <asm/cacheflush.h>
#include <asm/tlbflush.h>
+#include <asm/mmu_context.h>
#include <rsbac/hooks.h>
#ifndef pgprot_modify
