-rw-r--r-- | 2.6.32/0000_README | 8 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305162326.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305142032.patch) | 19 | ||||
-rw-r--r-- | 2.6.32/4475_emutramp_default_on.patch | 21 | ||||
-rw-r--r-- | 2.6.32/4480_check_ssp_fix.patch (renamed from 2.6.32/4475_check_ssp_fix.patch) | 0 | ||||
-rw-r--r-- | 3.2.45/0000_README | 6 | ||||
-rw-r--r-- | 3.2.45/4420_grsecurity-2.9.1-3.2.45-201305162326.patch (renamed from 3.2.45/4420_grsecurity-2.9.1-3.2.45-201305142033.patch) | 32 | ||||
-rw-r--r-- | 3.2.45/4475_emutramp_default_on.patch | 21 | ||||
-rw-r--r-- | 3.9.2/0000_README | 6 | ||||
-rw-r--r-- | 3.9.2/4420_grsecurity-2.9.1-3.9.2-201305172333.patch (renamed from 3.9.2/4420_grsecurity-2.9.1-3.9.2-201305142035.patch) | 294 | ||||
-rw-r--r-- | 3.9.2/4425_grsec_remove_EI_PAX.patch | 2 | ||||
-rw-r--r-- | 3.9.2/4450_grsec-kconfig-default-gids.patch | 8 | ||||
-rw-r--r-- | 3.9.2/4475_emutramp_default_on.patch | 21 |
12 files changed, 381 insertions, 57 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index 64c91d5..755285c 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch From: http://www.kernel.org Desc: Linux 2.6.32.59 -Patch: 4420_grsecurity-2.9.1-2.6.32.60-201305142032.patch +Patch: 4420_grsecurity-2.9.1-2.6.32.60-201305162326.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity @@ -67,6 +67,10 @@ From: Gordon Malm <gengor@gentoo.org> Kerin Millar <kerframil@gmail.com> Desc: Disables VDSO_COMPAT operation completely -Patch: 4475_check_ssp_fix.patch +Patch: 4475_emutramp_default_on.patch +From: Anthony G. Basile <blueness@gentoo.org> +Desc: Set PAX_EMUTRAMP default on for libffi, bugs #329499 and #457194 + +Patch: 4480_check_ssp_fix.patch From: Magnus Granberg <zorry@gentoo.org> Desc: Fixes kernel check script for ssp diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305142032.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305162326.patch index f34ed36..3482354 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305142032.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305162326.patch @@ -22024,7 +22024,7 @@ index d559af9..524c6ad 100644 * Up to this point, the boot CPU has been using .data.init * area. Reload any changed state for the boot CPU. diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c -index 6a44a76..a9287a1 100644 +index 6a44a76..3cab8c7 100644 --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c @@ -197,7 +197,7 @@ static unsigned long align_sigframe(unsigned long sp) 
@@ -22110,6 +22110,23 @@ index 6a44a76..a9287a1 100644 return; if (current_thread_info()->status & TS_RESTORE_SIGMASK) +@@ -799,6 +804,7 @@ static void do_signal(struct pt_regs *regs) + + signr = get_signal_to_deliver(&info, &ka, regs, NULL); + if (signr > 0) { ++ sigset_t sigcopy = *oldset; + /* + * Re-enable any watchpoints before delivering the + * signal to user space. The processor register will +@@ -809,7 +815,7 @@ static void do_signal(struct pt_regs *regs) + set_debugreg(current->thread.debugreg7, 7); + + /* Whee! Actually deliver the signal. */ +- if (handle_signal(signr, &info, &ka, oldset, regs) == 0) { ++ if (handle_signal(signr, &info, &ka, &sigcopy, regs) == 0) { + /* + * A signal was successfully delivered; the saved + * sigmask will have been stored in the signal frame, diff --git a/arch/x86/kernel/smp.c b/arch/x86/kernel/smp.c index 29f0a78..374912c 100644 --- a/arch/x86/kernel/smp.c diff --git a/2.6.32/4475_emutramp_default_on.patch b/2.6.32/4475_emutramp_default_on.patch new file mode 100644 index 0000000..2d7124b --- /dev/null +++ b/2.6.32/4475_emutramp_default_on.patch 
@@ -0,0 +1,21 @@ +From: Anthony G. Basile <blueness@gentoo.org> + +PAX_EMUTRAMP is needed for libffi to avoid RWX mmap-ings using PaX emulation of trampolines. +We default PAX_EMUTRAMP='y' since almost all hardened users will want this. + +See bug: + http://bugs.gentoo.org/show_bug.cgi?id=329499 + http://bugs.gentoo.org/show_bug.cgi?id=457194 + +diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig +--- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400 ++++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400 +@@ -424,7 +424,7 @@ + + config PAX_EMUTRAMP + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86) +- default y if PARISC ++ default y + help + There are some programs and libraries that for one reason or + another attempt to execute special small code snippets from diff --git a/2.6.32/4475_check_ssp_fix.patch b/2.6.32/4480_check_ssp_fix.patch index 40e0467..40e0467 100644 --- a/2.6.32/4475_check_ssp_fix.patch +++ b/2.6.32/4480_check_ssp_fix.patch diff --git a/3.2.45/0000_README b/3.2.45/0000_README index 931a45e..8925c1f 100644 --- a/3.2.45/0000_README +++ b/3.2.45/0000_README @@ -98,7 +98,7 @@ Patch: 1044_linux-3.2.45.patch From: http://www.kernel.org Desc: Linux 3.2.45 -Patch: 4420_grsecurity-2.9.1-3.2.45-201305142033.patch +Patch: 4420_grsecurity-2.9.1-3.2.45-201305162326.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity @@ -134,3 +134,7 @@ Patch: 4470_disable-compat_vdso.patch From: Gordon Malm <gengor@gentoo.org> Kerin Millar <kerframil@gmail.com> Desc: Disables VDSO_COMPAT operation completely + +Patch: 4475_emutramp_default_on.patch +From: Anthony G. Basile <blueness@gentoo.org> +Desc: Set PAX_EMUTRAMP default on for libffi, bugs #329499 and #457194 
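Review bot: In 2.6.32/4475_emutramp_default_on.patch the new `default y` is unconditional, while the `if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)` on the `bool` line only controls whether the prompt is shown. Unless a dependency outside the hunk prevents it, the symbol would therefore also be set to y in configurations where the prompt is hidden; `default y if PARISC || X86` would keep the default within the architectures the prompt names. The description gives the libffi compatibility reason but not the cost: trampoline emulation is an exception to non-executable page enforcement, so it should say whether enabling the option changes anything for binaries that are not marked for it. The same patch is added under 3.2.45 and 3.9.2 and the same points apply there. The 2.6.32 and 3.2.45 copies also keep `linux-3.9.2-hardened` paths in their `diff -Naur` header, which deserves a line in the description.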
diff --git a/3.2.45/4420_grsecurity-2.9.1-3.2.45-201305142033.patch b/3.2.45/4420_grsecurity-2.9.1-3.2.45-201305162326.patch index d1995bd..3625b94 100644 --- a/3.2.45/4420_grsecurity-2.9.1-3.2.45-201305142033.patch +++ b/3.2.45/4420_grsecurity-2.9.1-3.2.45-201305162326.patch @@ -20806,7 +20806,7 @@ index 5a98aa2..5aa4ffc 100644 * Up to this point, the boot CPU has been using .init.data * area. Reload any changed state for the boot CPU. diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c -index 54ddaeb2..22c3bdc 100644 +index 54ddaeb2..158e022 100644 --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsigned long sp) @@ -20874,7 +20874,33 @@ index 54ddaeb2..22c3bdc 100644 } put_user_catch(err); if (err) -@@ -769,7 +772,7 @@ static void do_signal(struct pt_regs *regs) +@@ -655,19 +658,22 @@ setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info, + { + int usig = signr_convert(sig); + sigset_t *set = ¤t->blocked; ++ sigset_t sigcopy; + int ret; + + if (current_thread_info()->status & TS_RESTORE_SIGMASK) + set = ¤t->saved_sigmask; + ++ sigcopy = *set; ++ + /* Set up the stack frame */ + if (is_ia32) { + if (ka->sa.sa_flags & SA_SIGINFO) +- ret = ia32_setup_rt_frame(usig, ka, info, set, regs); ++ ret = ia32_setup_rt_frame(usig, ka, info, &sigcopy, regs); + else +- ret = ia32_setup_frame(usig, ka, set, regs); ++ ret = ia32_setup_frame(usig, ka, &sigcopy, regs); + } else +- ret = __setup_rt_frame(sig, ka, info, set, regs); ++ ret = __setup_rt_frame(sig, ka, info, &sigcopy, regs); + + if (ret) { + force_sigsegv(sig, current); +@@ -769,7 +775,7 @@ static void do_signal(struct pt_regs *regs) * X86_32: vm86 regs switched out by assembly code before reaching * here, so testing against kernel CS suffices. */ @@ -34972,7 +34998,7 @@ index cabc95f..14b3d77 100644 for (;;) { 
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c b/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c -index 8a8725c..afed796 100644 +index 8a8725c2..afed796 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c @@ -151,7 +151,7 @@ int vmw_wait_lag(struct vmw_private *dev_priv, diff --git a/3.2.45/4475_emutramp_default_on.patch b/3.2.45/4475_emutramp_default_on.patch new file mode 100644 index 0000000..30f6978 --- /dev/null +++ b/3.2.45/4475_emutramp_default_on.patch @@ -0,0 +1,21 @@ +From: Anthony G. Basile <blueness@gentoo.org> + +PAX_EMUTRAMP is needed for libffi to avoid RWX mmap-ings using PaX emulation of trampolines. +We default PAX_EMUTRAMP='y' since almost all hardened users will want this. + +See bug: + http://bugs.gentoo.org/show_bug.cgi?id=329499 + http://bugs.gentoo.org/show_bug.cgi?id=457194 + +diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig +--- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400 ++++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400 +@@ -428,7 +428,7 @@ + + config PAX_EMUTRAMP + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86) +- default y if PARISC ++ default y + help + There are some programs and libraries that for one reason or + another attempt to execute special small code snippets from diff --git a/3.9.2/0000_README b/3.9.2/0000_README index 8bbbbef..5853027 100644 --- a/3.9.2/0000_README +++ b/3.9.2/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.9.1-3.9.2-201305142035.patch +Patch: 4420_grsecurity-2.9.1-3.9.2-201305172333.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity @@ -38,3 +38,7 @@ Patch: 4470_disable-compat_vdso.patch 
From: Gordon Malm <gengor@gentoo.org> Kerin Millar <kerframil@gmail.com> Desc: Disables VDSO_COMPAT operation completely + +Patch: 4475_emutramp_default_on.patch +From: Anthony G. Basile <blueness@gentoo.org> +Desc: Set PAX_EMUTRAMP default on for libffi, bugs #329499 and #457194 diff --git a/3.9.2/4420_grsecurity-2.9.1-3.9.2-201305142035.patch b/3.9.2/4420_grsecurity-2.9.1-3.9.2-201305172333.patch index 7808b27..e39d39f 100644 --- a/3.9.2/4420_grsecurity-2.9.1-3.9.2-201305142035.patch +++ b/3.9.2/4420_grsecurity-2.9.1-3.9.2-201305172333.patch @@ -2028,6 +2028,19 @@ index 06e7d50..8a8e251 100644 nommu_start_thread(regs); \ }) +diff --git a/arch/arm/include/asm/psci.h b/arch/arm/include/asm/psci.h +index ce0dbe7..c085b6f 100644 +--- a/arch/arm/include/asm/psci.h ++++ b/arch/arm/include/asm/psci.h +@@ -29,7 +29,7 @@ struct psci_operations { + int (*cpu_off)(struct psci_power_state state); + int (*cpu_on)(unsigned long cpuid, unsigned long entry_point); + int (*migrate)(unsigned long cpuid); +-}; ++} __no_const; + + extern struct psci_operations psci_ops; + diff --git a/arch/arm/include/asm/smp.h b/arch/arm/include/asm/smp.h index d3a22be..3a69ad5 100644 --- a/arch/arm/include/asm/smp.h @@ -2824,6 +2837,19 @@ index 047d3e4..7e96107 100644 return 0; } arch_initcall(gate_vma_init); +diff --git a/arch/arm/kernel/psci.c b/arch/arm/kernel/psci.c +index 3653164..d83e55d 100644 +--- a/arch/arm/kernel/psci.c ++++ b/arch/arm/kernel/psci.c +@@ -24,7 +24,7 @@ + #include <asm/opcodes-virt.h> + #include <asm/psci.h> + +-struct psci_operations psci_ops; ++struct psci_operations psci_ops __read_only; + + static int (*invoke_psci_fn)(u32, u32, u32, u32); + diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index 03deeff..741ce88 100644 --- a/arch/arm/kernel/ptrace.c @@ -14276,7 +14302,7 @@ index 4cc9f2b..5fd9226 100644 /* diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h -index 1e67223..9183226 100644 +index 1e67223..dd6e7ea 100644 
--- a/arch/x86/include/asm/pgtable.h +++ b/arch/x86/include/asm/pgtable.h @@ -44,6 +44,7 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page); @@ -14339,7 +14365,19 @@ index 1e67223..9183226 100644 static inline int pte_dirty(pte_t pte) { return pte_flags(pte) & _PAGE_DIRTY; -@@ -200,9 +240,29 @@ static inline pte_t pte_wrprotect(pte_t pte) +@@ -147,6 +187,11 @@ static inline unsigned long pud_pfn(pud_t pud) + return (pud_val(pud) & PTE_PFN_MASK) >> PAGE_SHIFT; + } + ++static inline unsigned long pgd_pfn(pgd_t pgd) ++{ ++ return (pgd_val(pgd) & PTE_PFN_MASK) >> PAGE_SHIFT; ++} ++ + #define pte_page(pte) pfn_to_page(pte_pfn(pte)) + + static inline int pmd_large(pmd_t pte) +@@ -200,9 +245,29 @@ static inline pte_t pte_wrprotect(pte_t pte) return pte_clear_flags(pte, _PAGE_RW); } @@ -14370,7 +14408,7 @@ index 1e67223..9183226 100644 } static inline pte_t pte_mkdirty(pte_t pte) -@@ -394,6 +454,15 @@ pte_t *populate_extra_pte(unsigned long vaddr); +@@ -394,6 +459,15 @@ pte_t *populate_extra_pte(unsigned long vaddr); #endif #ifndef __ASSEMBLY__ 
@@ -14386,7 +14424,25 @@ index 1e67223..9183226 100644 #include <linux/mm_types.h> #include <linux/log2.h> -@@ -584,7 +653,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address) +@@ -529,7 +603,7 @@ static inline unsigned long pud_page_vaddr(pud_t pud) + * Currently stuck as a macro due to indirect forward reference to + * linux/mmzone.h's __section_mem_map_addr() definition: + */ +-#define pud_page(pud) pfn_to_page(pud_val(pud) >> PAGE_SHIFT) ++#define pud_page(pud) pfn_to_page((pud_val(pud) & PTE_PFN_MASK) >> PAGE_SHIFT) + + /* Find an entry in the second-level page table.. */ + static inline pmd_t *pmd_offset(pud_t *pud, unsigned long address) +@@ -569,7 +643,7 @@ static inline unsigned long pgd_page_vaddr(pgd_t pgd) + * Currently stuck as a macro due to indirect forward reference to + * linux/mmzone.h's __section_mem_map_addr() definition: + */ +-#define pgd_page(pgd) pfn_to_page(pgd_val(pgd) >> PAGE_SHIFT) ++#define pgd_page(pgd) pfn_to_page((pgd_val(pgd) & PTE_PFN_MASK) >> PAGE_SHIFT) + + /* to find an entry in a page-table-directory. */ + static inline unsigned long pud_index(unsigned long address) +@@ -584,7 +658,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address) static inline int pgd_bad(pgd_t pgd) { @@ -14395,7 +14451,7 @@ index 1e67223..9183226 100644 } static inline int pgd_none(pgd_t pgd) -@@ -607,7 +676,12 @@ static inline int pgd_none(pgd_t pgd) +@@ -607,7 +681,12 @@ static inline int pgd_none(pgd_t pgd) * pgd_offset() returns a (pgd_t *) * pgd_index() is used get the offset into the pgd page's array of pgd_t's; */ @@ -14409,7 +14465,7 @@ index 1e67223..9183226 100644 /* * a shortcut which implies the use of the kernel's pgd, instead * of a process's -@@ -618,6 +692,22 @@ static inline int pgd_none(pgd_t pgd) +@@ -618,6 +697,22 @@ static inline int pgd_none(pgd_t pgd) #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET) #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY) 
@@ -14432,7 +14488,7 @@ index 1e67223..9183226 100644 #ifndef __ASSEMBLY__ extern int direct_gbpages; -@@ -784,11 +874,24 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm, +@@ -784,11 +879,24 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm, * dst and src can be on the same page, but the range must not overlap, * and must not cross a page boundary. */ @@ -22547,7 +22603,7 @@ index 5cdff03..80fa283 100644 * Up to this point, the boot CPU has been using .init.data * area. Reload any changed state for the boot CPU. diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c -index 6956299..6797253 100644 +index 6956299..f20beae 100644 --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c @@ -196,7 +196,7 @@ static unsigned long align_sigframe(unsigned long sp) @@ -22601,6 +22657,29 @@ index 6956299..6797253 100644 } put_user_catch(err); err |= copy_siginfo_to_user(&frame->info, &ksig->info); +@@ -615,7 +618,12 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs) + { + int usig = signr_convert(ksig->sig); + sigset_t *set = sigmask_to_save(); +- compat_sigset_t *cset = (compat_sigset_t *) set; ++ sigset_t sigcopy; ++ compat_sigset_t *cset; ++ ++ sigcopy = *set; ++ ++ cset = (compat_sigset_t *) &sigcopy; + + /* Set up the stack frame */ + if (is_ia32_frame()) { +@@ -626,7 +634,7 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs) + } else if (is_x32_frame()) { + return x32_setup_rt_frame(ksig, cset, regs); + } else { +- return __setup_rt_frame(ksig->sig, ksig, set, regs); ++ return __setup_rt_frame(ksig->sig, ksig, &sigcopy, regs); + } + } + diff --git a/arch/x86/kernel/smp.c b/arch/x86/kernel/smp.c index 48d2b7d..90d328a 100644 --- a/arch/x86/kernel/smp.c @@ -22953,7 +23032,7 @@ index 0000000..207bec6 + return addr; +} diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c -index dbded5a..7916f74 100644 +index dbded5a..ace2781 100644 --- a/arch/x86/kernel/sys_x86_64.c 
+++ b/arch/x86/kernel/sys_x86_64.c @@ -81,8 +81,8 @@ out: @@ -23020,7 +23099,7 @@ index dbded5a..7916f74 100644 /* requested length too big for entire address space */ if (len > TASK_SIZE) -@@ -161,6 +167,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -161,12 +167,15 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (!test_thread_flag(TIF_ADDR32) && (flags & MAP_32BIT)) goto bottomup; @@ -23031,7 +23110,14 @@ index dbded5a..7916f74 100644 /* requesting a specific address */ if (addr) { addr = PAGE_ALIGN(addr); -@@ -176,6 +186,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + vma = find_vma(mm, addr); +- if (TASK_SIZE - len >= addr && +- (!vma || addr + len <= vma->vm_start)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } + +@@ -176,6 +185,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, info.high_limit = mm->mmap_base; info.align_mask = filp ? get_align_mask() : 0; info.align_offset = pgoff << PAGE_SHIFT; @@ -35917,7 +36003,7 @@ index 4640adb..e1384ed 100644 for (;;) { diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c b/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c -index 8a8725c..afed796 100644 +index 8a8725c2..afed796 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c @@ -151,7 +151,7 @@ int vmw_wait_lag(struct vmw_private *dev_priv, 
@@ -36111,6 +36197,55 @@ index a14f634..2916ee2 100644 int err; /* Set up read-only sensors */ +diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c +index 9add6092..ee7ba3f 100644 +--- a/drivers/hwmon/pmbus/pmbus_core.c ++++ b/drivers/hwmon/pmbus/pmbus_core.c +@@ -781,7 +781,7 @@ static int pmbus_add_attribute(struct pmbus_data *data, struct attribute *attr) + return 0; + } + +-static void pmbus_dev_attr_init(struct device_attribute *dev_attr, ++static void pmbus_dev_attr_init(device_attribute_no_const *dev_attr, + const char *name, + umode_t mode, + ssize_t (*show)(struct device *dev, +@@ -798,7 +798,7 @@ static void pmbus_dev_attr_init(struct device_attribute *dev_attr, + dev_attr->store = store; + } + +-static void pmbus_attr_init(struct sensor_device_attribute *a, ++static void pmbus_attr_init(sensor_device_attribute_no_const *a, + const char *name, + umode_t mode, + ssize_t (*show)(struct device *dev, +@@ -820,7 +820,7 @@ static int pmbus_add_boolean(struct pmbus_data *data, + u16 reg, u8 mask) + { + struct pmbus_boolean *boolean; +- struct sensor_device_attribute *a; ++ sensor_device_attribute_no_const *a; + + boolean = devm_kzalloc(data->dev, sizeof(*boolean), GFP_KERNEL); + if (!boolean) +@@ -845,7 +845,7 @@ static struct pmbus_sensor *pmbus_add_sensor(struct pmbus_data *data, + bool update, bool readonly) + { + struct pmbus_sensor *sensor; +- struct device_attribute *a; ++ device_attribute_no_const *a; + + sensor = devm_kzalloc(data->dev, sizeof(*sensor), GFP_KERNEL); + if (!sensor) +@@ -876,7 +876,7 @@ static int pmbus_add_label(struct pmbus_data *data, + const char *lstring, int index) + { + struct pmbus_label *label; +- struct device_attribute *a; ++ device_attribute_no_const *a; + + label = devm_kzalloc(data->dev, sizeof(*label), GFP_KERNEL); + if (!label) diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c index 2507f90..1645765 100644 --- a/drivers/hwmon/sht15.c 
@@ -37129,7 +37264,7 @@ index 7c11ff3..5b2d7a7 100644 bool setup_remapped_irq(int irq, struct irq_cfg *cfg, struct irq_chip *chip) diff --git a/drivers/irqchip/irq-gic.c b/drivers/irqchip/irq-gic.c -index fc6aebf..94d5248 100644 +index fc6aebf..762c5f5 100644 --- a/drivers/irqchip/irq-gic.c +++ b/drivers/irqchip/irq-gic.c @@ -83,7 +83,7 @@ static u8 gic_cpu_map[NR_GIC_CPU_IF] __read_mostly; @@ -37137,7 +37272,7 @@ index fc6aebf..94d5248 100644 * Default make them NULL. */ -struct irq_chip gic_arch_extn = { -+irq_chip_no_const gic_arch_extn __read_only = { ++irq_chip_no_const gic_arch_extn = { .irq_eoi = NULL, .irq_mask = NULL, .irq_unmask = NULL, 
@@ -39318,6 +39453,50 @@ index fbe5363..266b4e3 100644 fifo->mempool = __vxge_hw_mempool_create(vpath->hldev, fifo->config->memblock_size, +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c +index 5c033f2..7bbb0d8 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c +@@ -1894,7 +1894,9 @@ int qlcnic_83xx_config_default_opmode(struct qlcnic_adapter *adapter) + op_mode = QLCRDX(ahw, QLC_83XX_DRV_OP_MODE); + + if (op_mode == QLC_83XX_DEFAULT_OPMODE) { +- adapter->nic_ops->init_driver = qlcnic_83xx_init_default_driver; ++ pax_open_kernel(); ++ *(void **)&adapter->nic_ops->init_driver = qlcnic_83xx_init_default_driver; ++ pax_close_kernel(); + ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry; + } else { + return -EIO; +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c +index b0c3de9..fc5857e 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c +@@ -200,15 +200,21 @@ int qlcnic_83xx_config_vnic_opmode(struct qlcnic_adapter *adapter) + if (priv_level == QLCNIC_NON_PRIV_FUNC) { + ahw->op_mode = QLCNIC_NON_PRIV_FUNC; + ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry; +- nic_ops->init_driver = qlcnic_83xx_init_non_privileged_vnic; ++ pax_open_kernel(); ++ *(void **)&nic_ops->init_driver = qlcnic_83xx_init_non_privileged_vnic; ++ pax_close_kernel(); + } else if (priv_level == QLCNIC_PRIV_FUNC) { + ahw->op_mode = QLCNIC_PRIV_FUNC; + ahw->idc.state_entry = qlcnic_83xx_idc_vnic_pf_entry; +- nic_ops->init_driver = qlcnic_83xx_init_privileged_vnic; ++ pax_open_kernel(); ++ *(void **)&nic_ops->init_driver = qlcnic_83xx_init_privileged_vnic; ++ pax_close_kernel(); + } else if (priv_level == QLCNIC_MGMT_FUNC) { + ahw->op_mode = QLCNIC_MGMT_FUNC; + ahw->idc.state_entry = 
qlcnic_83xx_idc_ready_state_entry; +- nic_ops->init_driver = qlcnic_83xx_init_mgmt_vnic; ++ pax_open_kernel(); ++ *(void **)&nic_ops->init_driver = qlcnic_83xx_init_mgmt_vnic; ++ pax_close_kernel(); + } else { + return -EIO; + } diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c index 15ba8c4..3f56838 100644 --- a/drivers/net/ethernet/realtek/r8169.c @@ -40628,6 +40807,19 @@ index 0b00947..64f7c0a 100644 proc_create("devices", 0, proc_bus_pci_dir, &proc_bus_pci_dev_operations); proc_initialized = 1; +diff --git a/drivers/platform/x86/chromeos_laptop.c b/drivers/platform/x86/chromeos_laptop.c +index 3e5b4497..dcdfb70 100644 +--- a/drivers/platform/x86/chromeos_laptop.c ++++ b/drivers/platform/x86/chromeos_laptop.c +@@ -301,7 +301,7 @@ static int __init setup_tsl2563_als(const struct dmi_system_id *id) + return 0; + } + +-static struct dmi_system_id __initdata chromeos_laptop_dmi_table[] = { ++static struct dmi_system_id __initconst chromeos_laptop_dmi_table[] = { + { + .ident = "Samsung Series 5 550 - Touchpad", + .matches = { diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c index 6b22938..bc9700e 100644 --- a/drivers/platform/x86/msi-laptop.c @@ -52386,27 +52578,9 @@ index a6597d6..41b30ec 100644 /* diff --git a/fs/jfs/super.c b/fs/jfs/super.c -index 2003e83..5e1975d 100644 +index 2003e83..40db287 100644 --- a/fs/jfs/super.c 
+++ b/fs/jfs/super.c -@@ -225,7 +225,7 @@ static const match_table_t tokens = { - static int parse_options(char *options, struct super_block *sb, s64 *newLVSize, - int *flag) - { -- void *nls_map = (void *)-1; /* -1: no change; NULL: none */ -+ const void *nls_map = (const void *)-1; /* -1: no change; NULL: none */ - char *p; - struct jfs_sb_info *sbi = JFS_SBI(sb); - -@@ -253,7 +253,7 @@ static int parse_options(char *options, struct super_block *sb, s64 *newLVSize, - /* Don't do anything ;-) */ - break; - case Opt_iocharset: -- if (nls_map && nls_map != (void *) -1) -+ if (nls_map && nls_map != (const void *) -1) - unload_nls(nls_map); - if (!strcmp(args[0].from, "none")) - nls_map = NULL; @@ -856,7 +856,7 @@ static int __init init_jfs_fs(void) jfs_inode_cachep = @@ -68845,11 +69019,15 @@ index bc4e066..50468a9 100644 /* * irq_chip specific flags diff --git a/include/linux/irqchip/arm-gic.h b/include/linux/irqchip/arm-gic.h -index 3fd8e42..d5403e1 100644 +index 3fd8e42..a73e966 100644 --- a/include/linux/irqchip/arm-gic.h +++ b/include/linux/irqchip/arm-gic.h -@@ -61,7 +61,7 @@ +@@ -59,9 +59,11 @@ + #ifndef __ASSEMBLY__ + ++#include <linux/irq.h> ++ struct device_node; -extern struct irq_chip gic_arch_extn; @@ -72219,6 +72397,19 @@ index b797e8f..8e2c3aa 100644 /** +diff --git a/include/sound/compress_driver.h b/include/sound/compress_driver.h +index ff6c741..393815f 100644 +--- a/include/sound/compress_driver.h ++++ b/include/sound/compress_driver.h +@@ -130,7 +130,7 @@ struct snd_compr_ops { + struct snd_compr_caps *caps); + int (*get_codec_caps) (struct snd_compr_stream *stream, + struct snd_compr_codec_caps *codec); +-}; ++} __no_const; + + /** + * struct snd_compr: Compressed device diff --git a/include/sound/soc.h b/include/sound/soc.h index a6a059c..2243336 100644 --- a/include/sound/soc.h @@ -87228,7 +87419,7 @@ index 5b1e5af..2358147 100644 return res; } 
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c -index 843d8c4..6e0a0ff 100644 +index 843d8c4..cb04fa1 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -799,7 +799,7 @@ static int ieee80211_set_monitor_channel(struct wiphy *wiphy, @@ -87255,8 +87446,8 @@ index 843d8c4..6e0a0ff 100644 ret = 0; - } else if (local->open_count > 0 && - local->open_count == local->monitors && -+ } else if (atomic_read(&local->open_count) > 0 && -+ atomic_read(&local->open_count) == local->monitors && ++ } else if (local_read(&local->open_count) > 0 && ++ local_read(&local->open_count) == local->monitors && sdata->vif.type == NL80211_IFTYPE_MONITOR) { if (local->use_chanctx) *chandef = local->monitor_chandef; @@ -90177,10 +90368,10 @@ index f5eb43d..1814de8 100644 shdr = (Elf_Shdr *)((char *)ehdr + _r(&ehdr->e_shoff)); shstrtab_sec = shdr + r2(&ehdr->e_shstrndx); diff --git a/security/Kconfig b/security/Kconfig -index e9c6ac7..eef8ada 100644 +index e9c6ac7..e6254cf 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,943 @@ +@@ -4,6 +4,944 @@ menu "Security options" @@ -90214,6 +90405,7 @@ index e9c6ac7..eef8ada 100644 + select CRYPTO_SHA256 + select PROC_FS + select STOP_MACHINE ++ select TTY + help + If you say Y here, you will be able to configure many features + that will enhance the security of your system. It is highly @@ -91124,7 +91316,7 @@ index e9c6ac7..eef8ada 100644 source security/keys/Kconfig config SECURITY_DMESG_RESTRICT -@@ -103,7 +1040,7 @@ config INTEL_TXT +@@ -103,7 +1041,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX 
@@ -92082,6 +92274,19 @@ index 22056c5..25d3244 100644 chip->card = card; chip->pci = pci; chip->irq = -1; +diff --git a/sound/soc/fsl/fsl_ssi.c b/sound/soc/fsl/fsl_ssi.c +index 7decbd9..d17d9d0 100644 +--- a/sound/soc/fsl/fsl_ssi.c ++++ b/sound/soc/fsl/fsl_ssi.c +@@ -643,7 +643,7 @@ static int fsl_ssi_probe(struct platform_device *pdev) + { + struct fsl_ssi_private *ssi_private; + int ret = 0; +- struct device_attribute *dev_attr = NULL; ++ device_attribute_no_const *dev_attr = NULL; + struct device_node *np = pdev->dev.of_node; + const char *p, *sprop; + const uint32_t *iprop; diff --git a/tools/gcc/.gitignore b/tools/gcc/.gitignore new file mode 100644 index 0000000..50f2f2f @@ -102415,10 +102620,10 @@ index 0000000..ac2901e +} diff --git a/tools/gcc/structleak_plugin.c b/tools/gcc/structleak_plugin.c new file mode 100644 -index 0000000..b07fe22 +index 0000000..4fae911 --- /dev/null +++ b/tools/gcc/structleak_plugin.c -@@ -0,0 +1,276 @@ +@@ -0,0 +1,277 @@ +/* + * Copyright 2013 by PaX Team <pageexec@freemail.hu> + * Licensed under the GPL v2 @@ -102559,11 +102764,12 @@ index 0000000..b07fe22 + // first check if the variable is already initialized, warn otherwise + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) { + gimple stmt = gsi_stmt(gsi); -+ tree rhs1 = gimple_assign_rhs1(stmt); ++ tree rhs1; + + // we're looking for an assignment of a single rhs... + if (!gimple_assign_single_p(stmt)) + continue; ++ rhs1 = gimple_assign_rhs1(stmt); +#if BUILDING_GCC_VERSION >= 4007 + // ... of a non-clobbering expression... + if (TREE_CLOBBER_P(rhs1)) diff --git a/3.9.2/4425_grsec_remove_EI_PAX.patch b/3.9.2/4425_grsec_remove_EI_PAX.patch index 7d06ac2..415fda5 100644 --- a/3.9.2/4425_grsec_remove_EI_PAX.patch +++ b/3.9.2/4425_grsec_remove_EI_PAX.patch 
@@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600 diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig --- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500 +++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500 -@@ -265,7 +265,7 @@ +@@ -266,7 +266,7 @@ config PAX_EI_PAX bool 'Use legacy ELF header marking' diff --git a/3.9.2/4450_grsec-kconfig-default-gids.patch b/3.9.2/4450_grsec-kconfig-default-gids.patch index 6f5b79b..190e85d 100644 --- a/3.9.2/4450_grsec-kconfig-default-gids.patch +++ b/3.9.2/4450_grsec-kconfig-default-gids.patch @@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig diff -Nuar a/security/Kconfig b/security/Kconfig --- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400 +++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400 -@@ -193,7 +193,7 @@ +@@ -194,7 +194,7 @@ config GRKERNSEC_PROC_GID int "GID exempted from /proc restrictions" @@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig help Setting this GID determines which group will be exempted from grsecurity's /proc restrictions, allowing users of the specified -@@ -204,7 +204,7 @@ +@@ -205,7 +205,7 @@ config GRKERNSEC_TPE_UNTRUSTED_GID int "GID for TPE-untrusted users" depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT @@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig help Setting this GID determines which group untrusted users should be added to. These users will be placed under grsecurity's Trusted Path -@@ -216,7 +216,7 @@ +@@ -217,7 +217,7 @@ config GRKERNSEC_TPE_TRUSTED_GID int "GID for TPE-trusted users" depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT 
@@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -225,7 +225,7 @@ +@@ -226,7 +226,7 @@ config GRKERNSEC_SYMLINKOWN_GID int "GID for users with kernel-enforced SymlinksIfOwnerMatch" depends on GRKERNSEC_CONFIG_SERVER diff --git a/3.9.2/4475_emutramp_default_on.patch b/3.9.2/4475_emutramp_default_on.patch new file mode 100644 index 0000000..27bfc2d --- /dev/null +++ b/3.9.2/4475_emutramp_default_on.patch @@ -0,0 +1,21 @@ +From: Anthony G. Basile <blueness@gentoo.org> + +PAX_EMUTRAMP is needed for libffi to avoid RWX mmap-ings using PaX emulation of trampolines. +We default PAX_EMUTRAMP='y' since almost all hardened users will want this. + +See bug: + http://bugs.gentoo.org/show_bug.cgi?id=329499 + http://bugs.gentoo.org/show_bug.cgi?id=457194 + +diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig +--- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400 ++++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400 +@@ -429,7 +429,7 @@ + + config PAX_EMUTRAMP + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86) +- default y if PARISC ++ default y + help + There are some programs and libraries that for one reason or + another attempt to execute special small code snippets from |