diff options
author | Tim Yamin <plasmaroo@gentoo.org> | 2004-12-25 13:15:40 +0000 |
---|---|---|
committer | Tim Yamin <plasmaroo@gentoo.org> | 2004-12-25 13:15:40 +0000 |
commit | 26118403f03d5df6f4c4ac33f78979972cdebe34 (patch) | |
tree | 5a13382d34b9de980f6445a772bcc068648986d5 /sys-kernel | |
parent | excluding speakup as the patch doesn't quite work on 2.6.10. It will be back... (diff) | |
download | historical-26118403f03d5df6f4c4ac33f78979972cdebe34.tar.gz historical-26118403f03d5df6f4c4ac33f78979972cdebe34.tar.bz2 historical-26118403f03d5df6f4c4ac33f78979972cdebe34.zip |
Security bump for bugs #72452 and #74464; please thank tocharian for the ebuild.
Diffstat (limited to 'sys-kernel')
5 files changed, 721 insertions, 1 deletions
diff --git a/sys-kernel/grsec-sources/ChangeLog b/sys-kernel/grsec-sources/ChangeLog index 0bc594da810a..f62a6e030091 100644 --- a/sys-kernel/grsec-sources/ChangeLog +++ b/sys-kernel/grsec-sources/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for sys-kernel/grsec-sources # Copyright 2000-2004 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-kernel/grsec-sources/ChangeLog,v 1.39 2004/12/15 06:59:46 solar Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/grsec-sources/ChangeLog,v 1.40 2004/12/25 13:15:40 plasmaroo Exp $ + +*grsec-sources-2.4.28.2.0.2-r3 (25 Dec 2004) + + 25 Dec 2004; <plasmaroo@gentoo.org> +grsec-sources-2.4.28.2.0.2-r3.ebuild, + +files/CAN-2004-1056.patch, +files/CAN-2004-1074.patch: + Security bump for bugs #72452 and #74464; please thank tocharian for the + ebuild. *grsec-sources-2.4.28.2.0.2-r2 (15 Dec 2004) diff --git a/sys-kernel/grsec-sources/files/CAN-2004-1056.patch b/sys-kernel/grsec-sources/files/CAN-2004-1056.patch new file mode 100644 index 000000000000..53b777acaac5 --- /dev/null +++ b/sys-kernel/grsec-sources/files/CAN-2004-1056.patch @@ -0,0 +1,321 @@ +diff -ur linux-2.4.28/drivers/char/drm/i810.h linux-2.4.28.plasmaroo/drivers/char/drm/i810.h +--- linux-2.4.28/drivers/char/drm/i810.h 2003-11-28 18:26:20.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm/i810.h 2004-12-23 16:26:31.000000000 +0000 +@@ -114,4 +114,14 @@ + #define DRIVER_AGP_BUFFERS_MAP( dev ) \ + ((drm_i810_private_t *)((dev)->dev_private))->buffer_map + ++#define LOCK_TEST_WITH_RETURN( dev ) \ ++do { \ ++ if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) || \ ++ dev->lock.pid != current->pid ) { \ ++ DRM_ERROR( "%s called without lock held\n", \ ++ __FUNCTION__ ); \ ++ return -EINVAL; \ ++ } \ ++} while (0) ++ + #endif +diff -ur linux-2.4.28/drivers/char/drm/i810_dma.c linux-2.4.28.plasmaroo/drivers/char/drm/i810_dma.c +--- linux-2.4.28/drivers/char/drm/i810_dma.c 2004-02-18 13:36:31.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm/i810_dma.c 2004-12-23 16:27:16.000000000 +0000 +@@ -948,10 +948,7 @@ + drm_file_t *priv = filp->private_data; + drm_device_t *dev = priv->dev; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_flush_ioctl called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i810_flush_queue(dev); + return 0; +@@ -973,10 +970,7 @@ + if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma_vertex called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL; + +@@ -1004,10 +998,7 @@ + if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_clear_bufs called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + /* GH: Someone's doing nasty things... */ + if (!dev->dev_private) { +@@ -1026,10 +1017,7 @@ + drm_file_t *priv = filp->private_data; + drm_device_t *dev = priv->dev; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_swap_buf called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i810_dma_dispatch_swap( dev ); + return 0; +@@ -1064,10 +1052,7 @@ + if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + d.granted = 0; + +@@ -1174,11 +1159,7 @@ + if (copy_from_user(&mc, (drm_i810_mc_t *)arg, sizeof(mc))) + return -EFAULT; + +- +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma_mc called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i810_dma_dispatch_mc(dev, dma->buflist[mc.idx], mc.used, + mc.last_render ); +@@ -1223,10 +1204,7 @@ + drm_device_t *dev = priv->dev; + drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_fstatus called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + return I810_READ(0x30008); + } + +@@ -1237,10 +1215,7 @@ + drm_device_t *dev = priv->dev; + drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_ov0_flip called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + //Tell the overlay to update + I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000); +diff -ur linux-2.4.28/drivers/char/drm/i830.h linux-2.4.28.plasmaroo/drivers/char/drm/i830.h +--- linux-2.4.28/drivers/char/drm/i830.h 2003-11-28 18:26:20.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm/i830.h 2004-12-23 16:31:33.000000000 +0000 +@@ -154,4 +154,14 @@ + #define DRIVER_AGP_BUFFERS_MAP( dev ) \ + ((drm_i830_private_t *)((dev)->dev_private))->buffer_map + ++#define LOCK_TEST_WITH_RETURN( dev ) \ ++do { \ ++ if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) || \ ++ dev->lock.pid != current->pid ) { \ ++ DRM_ERROR( "%s called without lock held\n", \ ++ __FUNCTION__ ); \ ++ return -EINVAL; \ ++ } \ ++} while (0) ++ + #endif +diff -ur linux-2.4.28/drivers/char/drm/i830_dma.c linux-2.4.28.plasmaroo/drivers/char/drm/i830_dma.c +--- linux-2.4.28/drivers/char/drm/i830_dma.c 2004-02-18 13:36:31.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm/i830_dma.c 2004-12-23 16:32:08.000000000 +0000 +@@ -1330,10 +1330,7 @@ + drm_file_t *priv = filp->private_data; + drm_device_t *dev = priv->dev; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_flush_ioctl called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i830_flush_queue(dev); + return 0; +@@ -1354,10 +1351,7 @@ + if (copy_from_user(&vertex, (drm_i830_vertex_t *)arg, sizeof(vertex))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_dma_vertex called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n", + vertex.idx, vertex.used, vertex.discard); +@@ -1384,10 +1378,7 @@ + if (copy_from_user(&clear, (drm_i830_clear_t *)arg, sizeof(clear))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_clear_bufs called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + /* GH: Someone's doing nasty things... */ + if (!dev->dev_private) { +@@ -1409,10 +1400,7 @@ + + DRM_DEBUG("i830_swap_bufs\n"); + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_swap_buf called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i830_dma_dispatch_swap( dev ); + return 0; +@@ -1453,10 +1441,7 @@ + + DRM_DEBUG("%s\n", __FUNCTION__); + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_flip_buf called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + if (!dev_priv->page_flipping) + i830_do_init_pageflip( dev ); +@@ -1495,10 +1480,7 @@ + if (copy_from_user(&d, (drm_i830_dma_t *)arg, sizeof(d))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_dma called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + d.granted = 0; + +diff -ur linux-2.4.28/drivers/char/drm/i830_irq.c linux-2.4.28.plasmaroo/drivers/char/drm/i830_irq.c +--- linux-2.4.28/drivers/char/drm/i830_irq.c 2003-11-28 18:26:20.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm/i830_irq.c 2004-12-23 16:39:47.000000000 +0000 +@@ -130,10 +130,7 @@ + drm_i830_irq_emit_t emit; + int result; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_irq_emit called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + if ( !dev_priv ) { + DRM_ERROR( "%s called with no initialization\n", __FUNCTION__ ); +diff -ur linux-2.4.28/drivers/char/drm-4.0/drmP.h linux-2.4.28.plasmaroo/drivers/char/drm-4.0/drmP.h +--- linux-2.4.28/drivers/char/drm-4.0/drmP.h 2004-02-18 13:36:31.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm-4.0/drmP.h 2004-12-23 16:21:30.000000000 +0000 +@@ -294,6 +294,16 @@ + #define DRM_BUFCOUNT(x) ((x)->count - DRM_LEFTCOUNT(x)) + #define DRM_WAITCOUNT(dev,idx) DRM_BUFCOUNT(&dev->queuelist[idx]->waitlist) + ++#define LOCK_TEST_WITH_RETURN( dev ) \ ++do { \ ++ if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) || \ ++ dev->lock.pid != current->pid ) { \ ++ DRM_ERROR( "%s called without lock held\n", \ ++ __FUNCTION__ ); \ ++ return -EINVAL; \ ++ } \ ++} while (0) ++ + typedef int drm_ioctl_t(struct inode *inode, struct file *filp, + unsigned int cmd, unsigned long arg); + +diff -ur linux-2.4.28/drivers/char/drm-4.0/i810_dma.c linux-2.4.28.plasmaroo/drivers/char/drm-4.0/i810_dma.c +--- linux-2.4.28/drivers/char/drm-4.0/i810_dma.c 2004-02-18 13:36:31.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm-4.0/i810_dma.c 2004-12-23 16:21:30.000000000 +0000 +@@ -1249,10 +1249,7 @@ + drm_device_t *dev = priv->dev; + + DRM_DEBUG("i810_flush_ioctl\n"); +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_flush_ioctl called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i810_flush_queue(dev); + return 0; +@@ -1274,10 +1271,7 @@ + if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma_vertex called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n", + vertex.idx, vertex.used, vertex.discard); +@@ -1308,10 +1302,7 @@ + if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_clear_bufs called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i810_dma_dispatch_clear( dev, clear.flags, + clear.clear_color, +@@ -1327,10 +1318,7 @@ + + DRM_DEBUG("i810_swap_bufs\n"); + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_swap_buf called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i810_dma_dispatch_swap( dev ); + return 0; +@@ -1366,10 +1354,7 @@ + if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + d.granted = 0; + +@@ -1399,10 +1384,7 @@ + drm_i810_buf_priv_t *buf_priv; + drm_device_dma_t *dma = dev->dma; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d))) + return -EFAULT; diff --git a/sys-kernel/grsec-sources/files/CAN-2004-1074.patch b/sys-kernel/grsec-sources/files/CAN-2004-1074.patch new file mode 100644 index 000000000000..57fe2f42bfc0 --- /dev/null +++ b/sys-kernel/grsec-sources/files/CAN-2004-1074.patch @@ -0,0 +1,352 @@ +diff -Nru linux-2.4.28/arch/ia64/ia32/binfmt_elf32.c linux-2.4.28-hardened/arch/ia64/ia32/binfmt_elf32.c +--- linux-2.4.28/arch/ia64/ia32/binfmt_elf32.c 2004-12-21 20:59:35.000000000 -0500 ++++ linux-2.4.28-hardened/arch/ia64/ia32/binfmt_elf32.c 2004-12-21 21:07:11.095515536 -0500 +@@ -105,7 +105,11 @@ + vma->vm_private_data = NULL; + down_write(¤t->mm->mmap_sem); + { +- insert_vm_struct(current->mm, vma); ++ if (insert_vm_struct(current->mm, vma)) { ++ kmem_cache_free(vm_area_cachep, vma); ++ up_write(¤t->mm->mmap_sem); ++ return; ++ } + } + up_write(¤t->mm->mmap_sem); + } +@@ -127,7 +131,11 @@ + vma->vm_private_data = NULL; + down_write(¤t->mm->mmap_sem); + { +- insert_vm_struct(current->mm, vma); ++ if (insert_vm_struct(current->mm, vma)) { ++ kmem_cache_free(vm_area_cachep, vma); ++ up_write(¤t->mm->mmap_sem); ++ return; ++ } + } + up_write(¤t->mm->mmap_sem); + } +@@ -174,7 +182,7 @@ + { + unsigned long stack_base; + struct vm_area_struct *mpnt; +- int i; ++ int i, ret; + + stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE; + +@@ -205,7 +213,11 @@ + mpnt->vm_pgoff = 0; + mpnt->vm_file = NULL; + mpnt->vm_private_data = 0; +- insert_vm_struct(current->mm, mpnt); ++ if ((ret = insert_vm_struct(current->mm, mpnt))) { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, mpnt); ++ return ret; ++ } + current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT; + } + +diff -Nru linux-2.4.28/arch/ia64/kernel/perfmon.c linux-2.4.28-hardened/arch/ia64/kernel/perfmon.c +--- linux-2.4.28/arch/ia64/kernel/perfmon.c 2004-12-21 20:47:22.000000000 -0500 ++++ linux-2.4.28-hardened/arch/ia64/kernel/perfmon.c 2004-12-21 21:07:11.102514472 -0500 +@@ -967,7 +967,8 @@ + * now insert the vma in the vm list for the process, must be + * done with mmap lock held + */ +- insert_vm_struct(mm, vma); ++ if(insert_vm_struct(mm, vma)) /* Handle -ENOMEM et al. */ ++ goto error; + + mm->total_vm += size >> PAGE_SHIFT; + +diff -Nru linux-2.4.28/arch/ia64/mm/init.c linux-2.4.28-hardened/arch/ia64/mm/init.c +--- linux-2.4.28/arch/ia64/mm/init.c 2004-12-21 20:59:35.000000000 -0500 ++++ linux-2.4.28-hardened/arch/ia64/mm/init.c 2004-12-21 21:07:11.104514168 -0500 +@@ -105,7 +105,13 @@ + vma->vm_pgoff = 0; + vma->vm_file = NULL; + vma->vm_private_data = NULL; +- insert_vm_struct(current->mm, vma); ++ down_write(¤t->mm->mmap_sem); ++ if (insert_vm_struct(current->mm, vma)) { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, vma); ++ return; ++ } ++ up_write(¤t->mm->mmap_sem); + } + + /* map NaT-page at address zero to speed up speculative dereferencing of NULL: */ +@@ -117,7 +123,13 @@ + vma->vm_end = PAGE_SIZE; + vma->vm_page_prot = __pgprot(pgprot_val(PAGE_READONLY) | _PAGE_MA_NAT); + vma->vm_flags = VM_READ | VM_MAYREAD | VM_IO | VM_RESERVED; +- insert_vm_struct(current->mm, vma); ++ down_write(¤t->mm->mmap_sem); ++ if (insert_vm_struct(current->mm, vma)) { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, vma); ++ return; ++ } ++ up_write(¤t->mm->mmap_sem); + } + } + } +diff -Nru linux-2.4.28/arch/ppc/mm/fault.c linux-2.4.28-hardened/arch/ppc/mm/fault.c +--- linux-2.4.28/arch/ppc/mm/fault.c 2004-12-21 20:57:02.000000000 -0500 ++++ linux-2.4.28-hardened/arch/ppc/mm/fault.c 2004-12-21 21:07:11.107513712 -0500 +@@ -83,8 +83,10 @@ + nopage: pax_syscall_nopage, + }; + +-static void pax_insert_vma(struct vm_area_struct *vma, unsigned long addr) ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr) + { ++ int ret; ++ + vma->vm_mm = current->mm; + vma->vm_start = addr; + vma->vm_end = addr + PAGE_SIZE; +@@ -94,8 +96,15 @@ + vma->vm_pgoff = 0UL; + vma->vm_file = NULL; + vma->vm_private_data = NULL; +- insert_vm_struct(current->mm, vma); ++ ret = insert_vm_struct(current->mm, vma); ++ if(ret != 0) ++ { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, vma); ++ return ret; ++ } + ++current->mm->total_vm; ++ return 0; + } + #endif + +@@ -333,7 +342,8 @@ + return 1; + } + +- pax_insert_vma(vma, call_syscall); ++ if(pax_insert_vma(vma, call_syscall)) ++ return 1; /* VMA overlapping attempt; bye bye! */ + current->mm->call_syscall = call_syscall; + up_write(¤t->mm->mmap_sem); + +@@ -377,7 +387,8 @@ + return 1; + } + +- pax_insert_vma(vma, call_syscall); ++ if(pax_insert_vma(vma, call_syscall)) ++ return 1; /* VMA overlapping attempt; bye bye! */ + current->mm->call_syscall = call_syscall; + up_write(¤t->mm->mmap_sem); + +diff -Nru linux-2.4.28/arch/s390x/kernel/exec32.c linux-2.4.28-hardened/arch/s390x/kernel/exec32.c +--- linux-2.4.28/arch/s390x/kernel/exec32.c 2004-12-21 20:59:35.000000000 -0500 ++++ linux-2.4.28-hardened/arch/s390x/kernel/exec32.c 2004-12-21 21:07:11.109513408 -0500 +@@ -41,7 +41,7 @@ + { + unsigned long stack_base; + struct vm_area_struct *mpnt; +- int i; ++ int i, ret; + + stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE; + +@@ -65,7 +65,11 @@ + mpnt->vm_pgoff = 0; + mpnt->vm_file = NULL; + mpnt->vm_private_data = (void *) 0; +- insert_vm_struct(current->mm, mpnt); ++ if ((ret = insert_vm_struct(current->mm, mpnt))) { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, mpnt); ++ return ret; ++ } + current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT; + } + +diff -Nru linux-2.4.28/arch/sparc/mm/fault.c linux-2.4.28-hardened/arch/sparc/mm/fault.c +--- linux-2.4.28/arch/sparc/mm/fault.c 2004-12-21 20:57:02.000000000 -0500 ++++ linux-2.4.28-hardened/arch/sparc/mm/fault.c 2004-12-21 21:07:11.111513104 -0500 +@@ -250,8 +250,10 @@ + nopage: pax_emuplt_nopage, + }; + +-static void pax_insert_vma(struct vm_area_struct *vma, unsigned long addr) ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr) + { ++ int ret; ++ + vma->vm_mm = current->mm; + vma->vm_start = addr; + vma->vm_end = addr + PAGE_SIZE; +@@ -261,8 +263,15 @@ + vma->vm_pgoff = 0UL; + vma->vm_file = NULL; + vma->vm_private_data = NULL; +- insert_vm_struct(current->mm, vma); ++ ret = insert_vm_struct(current->mm, vma); ++ if(ret != 0) ++ { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, vma); ++ return ret; ++ } + ++current->mm->total_vm; ++ return 0; + } + + /* +@@ -423,7 +432,8 @@ + return 1; + } + +- pax_insert_vma(vma, call_dl_resolve); ++ if(pax_insert_vma(vma, call_dl_resolve)) ++ return 1; /* VMA overlapping attempt; bye bye! */ + current->mm->call_dl_resolve = call_dl_resolve; + up_write(¤t->mm->mmap_sem); + +diff -Nru linux-2.4.28/arch/sparc64/mm/fault.c linux-2.4.28-hardened/arch/sparc64/mm/fault.c +--- linux-2.4.28/arch/sparc64/mm/fault.c 2004-12-21 20:57:02.000000000 -0500 ++++ linux-2.4.28-hardened/arch/sparc64/mm/fault.c 2004-12-21 21:07:11.117512192 -0500 +@@ -338,8 +338,10 @@ + nopage: pax_emuplt_nopage, + }; + +-static void pax_insert_vma(struct vm_area_struct *vma, unsigned long addr) ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr) + { ++ int ret; ++ + vma->vm_mm = current->mm; + vma->vm_start = addr; + vma->vm_end = addr + PAGE_SIZE; +@@ -349,8 +351,15 @@ + vma->vm_pgoff = 0UL; + vma->vm_file = NULL; + vma->vm_private_data = NULL; +- insert_vm_struct(current->mm, vma); ++ ret = insert_vm_struct(current->mm, vma); ++ if(ret != 0) ++ { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, vma); ++ return ret; ++ } + ++current->mm->total_vm; ++ return 0; + } + #endif + +@@ -633,7 +642,8 @@ + return 1; + } + +- pax_insert_vma(vma, call_dl_resolve); ++ if(pax_insert_vma(vma, call_dl_resolve)) ++ return 1; /* VMA overlapping attempt; bye bye! */ + current->mm->call_dl_resolve = call_dl_resolve; + up_write(¤t->mm->mmap_sem); + +diff -Nru linux-2.4.28/arch/x86_64/ia32/ia32_binfmt.c linux-2.4.28-hardened/arch/x86_64/ia32/ia32_binfmt.c +--- linux-2.4.28/arch/x86_64/ia32/ia32_binfmt.c 2004-12-21 20:59:35.000000000 -0500 ++++ linux-2.4.28-hardened/arch/x86_64/ia32/ia32_binfmt.c 2004-12-21 21:07:11.122511432 -0500 +@@ -243,7 +243,7 @@ + { + unsigned long stack_base; + struct vm_area_struct *mpnt; +- int i; ++ int i, ret; + + stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE; + +@@ -274,7 +274,11 @@ + mpnt->vm_pgoff = 0; + mpnt->vm_file = NULL; + mpnt->vm_private_data = (void *) 0; +- insert_vm_struct(current->mm, mpnt); ++ if ((ret = insert_vm_struct(current->mm, mpnt))) { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, mpnt); ++ return ret; ++ } + current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT; + } + +diff -Nru linux-2.4.28/include/linux/mm.h linux-2.4.28-hardened/include/linux/mm.h +--- linux-2.4.28/include/linux/mm.h 2004-12-21 20:59:35.000000000 -0500 ++++ linux-2.4.28-hardened/include/linux/mm.h 2004-12-21 21:07:11.000000000 -0500 +@@ -568,7 +568,7 @@ + /* mmap.c */ + extern void lock_vma_mappings(struct vm_area_struct *); + extern void unlock_vma_mappings(struct vm_area_struct *); +-extern void insert_vm_struct(struct mm_struct *, struct vm_area_struct *); ++extern int insert_vm_struct(struct mm_struct *, struct vm_area_struct *); + extern void __insert_vm_struct(struct mm_struct *, struct vm_area_struct *); + extern void build_mmap_rb(struct mm_struct *); + extern void exit_mmap(struct mm_struct *); +diff -Nru linux-2.4.28/mm/mmap.c linux-2.4.28-hardened/mm/mmap.c +--- linux-2.4.28/mm/mmap.c 2004-12-21 20:59:35.000000000 -0500 ++++ linux-2.4.28-hardened/mm/mmap.c 2004-12-21 21:07:11.000000000 -0500 +@@ -1478,14 +1478,15 @@ + validate_mm(mm); + } + +-void insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) ++int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) + { + struct vm_area_struct * __vma, * prev; + rb_node_t ** rb_link, * rb_parent; + + __vma = find_vma_prepare(mm, vma->vm_start, &prev, &rb_link, &rb_parent); + if (__vma && __vma->vm_start < vma->vm_end) +- BUG(); ++ return -ENOMEM; + vma_link(mm, vma, prev, rb_link, rb_parent); + validate_mm(mm); ++ return 0; + } +--- linux-2.4.28-grsec/fs/exec.c 2004-12-24 15:27:42.000000000 -0500 ++++ linux-2.4.28-grsec-2.0.2/fs/exec.c 2004-12-24 15:47:07.208307624 -0500 +@@ -358,7 +358,7 @@ + { + unsigned long stack_base; + struct vm_area_struct *mpnt; +- int i; ++ int i, ret; + + #ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + struct vm_area_struct *mpnt_m = NULL; +@@ -387,7 +387,6 @@ + + down_write(¤t->mm->mmap_sem); + { +- struct vm_area_struct *vma; + mpnt->vm_mm = current->mm; + mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p; + mpnt->vm_end = STACK_TOP; +@@ -402,13 +401,11 @@ + mpnt->vm_pgoff = 0; + mpnt->vm_file = NULL; + mpnt->vm_private_data = (void *) 0; +- vma = find_vma(current->mm, mpnt->vm_start); +- if (vma) { +- up_write(¤t->mm->mmap_sem); ++ if ((ret = insert_vm_struct(current->mm, mpnt))) { ++ up_write(¤t->mm->mmap_sem); + kmem_cache_free(vm_area_cachep, mpnt); +- return -ENOMEM; ++ return ret; + } +- insert_vm_struct(current->mm, mpnt); + current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT; + + #ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC diff --git a/sys-kernel/grsec-sources/files/digest-grsec-sources-2.4.28.2.0.2-r3 b/sys-kernel/grsec-sources/files/digest-grsec-sources-2.4.28.2.0.2-r3 new file mode 100644 index 000000000000..04b30398565d --- /dev/null +++ b/sys-kernel/grsec-sources/files/digest-grsec-sources-2.4.28.2.0.2-r3 @@ -0,0 +1,2 @@ +MD5 2f2e5e29772fdacd04129ba16a24afcf grsecurity-2.0.2-2.4.28.patch.gz 141933 +MD5 ac7735000d185bc7778c08288760a8a3 linux-2.4.28.tar.bz2 31064046 diff --git a/sys-kernel/grsec-sources/grsec-sources-2.4.28.2.0.2-r3.ebuild b/sys-kernel/grsec-sources/grsec-sources-2.4.28.2.0.2-r3.ebuild new file mode 100644 index 000000000000..8b087bc76f21 --- /dev/null +++ b/sys-kernel/grsec-sources/grsec-sources-2.4.28.2.0.2-r3.ebuild @@ -0,0 +1,38 @@ +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/grsec-sources/grsec-sources-2.4.28.2.0.2-r3.ebuild,v 1.1 2004/12/25 13:15:40 plasmaroo Exp $ + +ETYPE="sources" +UNIPATCH_STRICTORDER="yes" +inherit kernel-2 +detect_version + +OKV="${KV_MAJOR}.${KV_MINOR}.${KV_PATCH/.*/}" +PATCH_BASE="${PV/${OKV}./}" +PATCH_BASE="${PATCH_BASE/_/-}" +EXTRAVERSION="-grsec-${PATCH_BASE}" +KV_FULL="${OKV}${EXTRAVERSION}" + +PATCH_SRC_BASE="grsecurity-${PATCH_BASE}-${OKV}.patch.gz" +DESCRIPTION="Vanilla sources of the linux kernel with the grsecurity ${PATCH_BASE} patch" +SRC_URI="http://grsecurity.net/grsecurity-${PATCH_BASE}-${OKV}.patch.gz \ + http://www.kernel.org/pub/linux/kernel/v2.4/linux-${OKV}.tar.bz2" + +HOMEPAGE="http://www.kernel.org/ http://www.grsecurity.net" +KEYWORDS="x86 sparc ppc alpha amd64 -hppa" +RESTRICT="buildpkg" +IUSE="" + +UNIPATCH_LIST="${DISTDIR}/${PATCH_SRC_BASE} \ + ${FILESDIR}/2.4.28-binfmt_a.out.patch \ + ${FILESDIR}/CAN-2004-1016.patch \ + ${FILESDIR}/CAN-2004-1074.patch \ + ${FILESDIR}/CAN-2004-1056.patch" + +src_unpack() { + kernel-2_src_unpack + + # users are often confused by what settings should be set. + # so we provide an example of what a P4 desktop would look like. + cp ${FILESDIR}/2.4.24-x86.config gentoo-grsec-custom-example-2.4.2x-x86.config +} |