* [gentoo-commits] proj/hardened-dev:master commit in: dev-libs/libffi/files/
@ 2013-04-05 18:27 Magnus Granberg
From: Magnus Granberg @ 2013-04-05 18:27 UTC (permalink / raw
To: gentoo-commits
commit: 7225131f06c91c81c66a719b6d5e023c91a052c7
Author: Magnus Granberg <zorry <AT> gentoo <DOT> org>
AuthorDate: Fri Apr 5 18:26:34 2013 +0000
Commit: Magnus Granberg <zorry <AT> gentoo <DOT> org>
CommitDate: Fri Apr 5 18:26:34 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=7225131f
add some check in the libffi patch
---
.../files/libffi-3.0.13-emutramp_pax_log.patch | 18 ++++++++++++++----
1 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/dev-libs/libffi/files/libffi-3.0.13-emutramp_pax_log.patch b/dev-libs/libffi/files/libffi-3.0.13-emutramp_pax_log.patch
index 0a7a37e..c309e3f 100644
--- a/dev-libs/libffi/files/libffi-3.0.13-emutramp_pax_log.patch
+++ b/dev-libs/libffi/files/libffi-3.0.13-emutramp_pax_log.patch
@@ -1,6 +1,6 @@
--- a/src/closures.c 2013-03-17 23:27:11.000000000 +0100
-+++ b/src/closures.c 2013-04-01 21:59:24.967540184 +0200
-@@ -175,12 +175,32 @@ selinux_enabled_check (void)
++++ b/src/closures.c 2013-04-05 20:15:43.733507862 +0200
+@@ -175,12 +175,31 @@ selinux_enabled_check (void)
/* On PaX enable kernels that have MPROTECT enable we can't use PROT_EXEC. */
#ifdef FFI_MMAP_EXEC_EMUTRAMP_PAX
#include <stdlib.h>
@@ -24,8 +24,7 @@
+ if( !strcmp( first, "PaX:" ) )
+ {
+ if( second[1] != 'E' )
-+ /* Will log if the binary don't have the E mark on pax enable kernels. */
-+ syslog( LOG_INFO, "PAX: emutramp in not enable on the binary." );
++ syslog( LOG_INFO, "Emutramp in not enable." );
+ }
+ }
+ fclose(f);
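Review bot: The replacement message `"Emutramp in not enable."` drops the `PAX:` prefix, and the hunk also removes the comment that said when the branch fires, so the syslog line no longer identifies the subsystem or the condition that produced it. Keeping a prefix and fixing the wording, for example `syslog( LOG_INFO, "PaX: EMUTRAMP is not enabled for this binary." );`, would keep the entry searchable in logs. A one-line comment such as `/* Log when the binary lacks the E flag on a PaX kernel. */` would restore the lost explanation. The enclosing function starts and ends outside this hunk.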
@@ -41,3 +40,14 @@
#endif /* !defined(X86_WIN32) && !defined(X86_WIN64) */
+@@ -484,7 +504,9 @@ dlmmap (void *start, size_t length, int
+ if (execfd == -1 && is_emutramp_enabled ())
+ {
+ ptr = mmap (start, length, prot & ~PROT_EXEC, flags, fd, offset);
+- return ptr;
++ if (ptr != MFAIL || (errno != EPERM && errno != EACCES))
++ /* Cool, no need to mess with separate segments. */
++ return ptr;
+ }
+
+ if (execfd == -1 && !is_selinux_enabled ())
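Review bot: The new condition in the emutramp branch of dlmmap replaces an unconditional `return ptr;` with a fall-through whenever the non-executable mmap fails with EPERM or EACCES, so that case now continues into the `!is_selinux_enabled ()` branch below instead of reporting the failure. Whether falling back to the later mapping paths is intended for a process that has emutramp enabled is not stated anywhere in the hunk. The comment `/* Cool, no need to mess with separate segments. */` does not explain it and appears to be copied from elsewhere. A comment naming the intended fallback, for example `/* Non-exec mapping was refused; try the paths below. */`, or keeping the plain `return ptr;`, would make the behaviour explicit. dlmmap's body starts and ends outside the hunk.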
* [gentoo-commits] proj/hardened-dev:master commit in: dev-libs/libffi/files/
@ 2013-04-10 0:59 Magnus Granberg
From: Magnus Granberg @ 2013-04-10 0:59 UTC (permalink / raw
To: gentoo-commits
commit: 0162b178746027fb9cb09618fc910592e79a91f9
Author: Magnus Granberg <zorry <AT> gentoo <DOT> org>
AuthorDate: Wed Apr 10 00:58:21 2013 +0000
Commit: Magnus Granberg <zorry <AT> gentoo <DOT> org>
CommitDate: Wed Apr 10 00:58:21 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=0162b178
new version of the pax patch for libffi
---
.../files/libffi-3.0.13-emutramp_pax_log.patch | 47 ++++++++++++++------
1 files changed, 33 insertions(+), 14 deletions(-)
diff --git a/dev-libs/libffi/files/libffi-3.0.13-emutramp_pax_log.patch b/dev-libs/libffi/files/libffi-3.0.13-emutramp_pax_log.patch
index c309e3f..48690b8 100644
--- a/dev-libs/libffi/files/libffi-3.0.13-emutramp_pax_log.patch
+++ b/dev-libs/libffi/files/libffi-3.0.13-emutramp_pax_log.patch
@@ -1,6 +1,6 @@
--- a/src/closures.c 2013-03-17 23:27:11.000000000 +0100
-+++ b/src/closures.c 2013-04-05 20:15:43.733507862 +0200
-@@ -175,12 +175,31 @@ selinux_enabled_check (void)
++++ b/src/closures.c 2013-04-10 02:46:58.918297707 +0200
+@@ -175,16 +175,43 @@ selinux_enabled_check (void)
/* On PaX enable kernels that have MPROTECT enable we can't use PROT_EXEC. */
#ifdef FFI_MMAP_EXEC_EMUTRAMP_PAX
#include <stdlib.h>
@@ -12,27 +12,42 @@
static int
emutramp_enabled_check (void)
{
+- if (getenv ("FFI_DISABLE_EMUTRAMP") == NULL)
+- return 1;
+- else
++ if (getenv ("FFI_DISABLE_EMUTRAMP") != NULL)
+ return 0;
+ FILE *f;
+ char first[LINE_BUFFER], second[LINE_BUFFER];
+ char conf_line[LINE_BUFFER];
+ f = fopen("/proc/self/status", "r");
-+ if (f != NULL)
++ if (f != NULL)
+ {
-+ while( fgets(conf_line, LINE_BUFFER, f) )
++ while (fgets (conf_line, LINE_BUFFER, f) )
+ {
-+ sscanf(conf_line, "%s %s", first, second );
-+ if( !strcmp( first, "PaX:" ) )
++ sscanf (conf_line, "%s %s", first, second );
++ if( !strcmp (first, "PaX:" ) )
+ {
+ if( second[1] != 'E' )
-+ syslog( LOG_INFO, "Emutramp in not enable." );
++ syslog (LOG_INFO, "Emutramp in not enable.");
++ fclose (f);
++ return 1;
+ }
+ }
-+ fclose(f);
++ fclose (f);
+ }
- if (getenv ("FFI_DISABLE_EMUTRAMP") == NULL)
- return 1;
- else
-@@ -197,6 +216,7 @@ emutramp_enabled_check (void)
++ else if (f == NULL && !is_selinux_enabled ())
++ {
++ size_t *m;
++ m = mmap (NULL, 1024, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0 );
++ if (m == MAP_FAILED )
++ return 1;
++ }
++ return 0;
+ }
+
+ #define is_emutramp_enabled() (emutramp_enabled >= 0 ? emutramp_enabled \
+@@ -197,6 +224,7 @@ emutramp_enabled_check (void)
/* Cygwin is Linux-like, but not quite that Linux-like. */
#define is_selinux_enabled() 0
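Review bot: In the new `else if` branch of emutramp_enabled_check, a successful probe `mmap (NULL, 1024, PROT_READ | PROT_WRITE | PROT_EXEC, ...)` is never unmapped, so the process keeps a writable and executable anonymous mapping after the check; adding `else munmap (m, 1024);` after the `MAP_FAILED` test releases it. The loop also reads `second[1]` without checking that `sscanf` converted both fields, and `if (sscanf (conf_line, "%s %s", first, second) != 2) continue;` would avoid inspecting an unset buffer. When the `PaX:` line lacks the `E` flag the function logs and still returns 1; if that is intended, a short comment saying so would help the next reader. The `f == NULL` test in the `else if` is redundant, since that branch is reached only when `f` is NULL.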
@@ -40,7 +55,7 @@
#endif /* !defined(X86_WIN32) && !defined(X86_WIN64) */
-@@ -484,7 +504,9 @@ dlmmap (void *start, size_t length, int
+@@ -484,10 +512,12 @@ dlmmap (void *start, size_t length, int
if (execfd == -1 && is_emutramp_enabled ())
{
ptr = mmap (start, length, prot & ~PROT_EXEC, flags, fd, offset);
@@ -50,4 +65,8 @@
+ return ptr;
}
- if (execfd == -1 && !is_selinux_enabled ())
+- if (execfd == -1 && !is_selinux_enabled ())
++ if (execfd == -1 && !is_selinux_enabled ())
+ {
+ ptr = mmap (start, length, prot | PROT_EXEC, flags, fd, offset);
+