* [gentoo-commits] proj/hardened-patchset:master commit in: 4.8.17/
@ 2017-01-14 10:13 Anthony G. Basile
From: Anthony G. Basile @ 2017-01-14 10:13 UTC (permalink / raw
  To: gentoo-commits

commit:     de1872a478846a6eff5d790c525296c1dde6ad5f
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sat Jan 14 10:12:23 2017 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Jan 14 10:12:23 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=de1872a4

grsecurity-3.1-4.8.17-201701121950

 4.8.17/0000_README                                 |  2 +-
 ... 4420_grsecurity-3.1-4.8.17-201701121950.patch} | 31 +++++++++++++++++++++-
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/4.8.17/0000_README b/4.8.17/0000_README
index c7c05dd..a2e828f 100644
--- a/4.8.17/0000_README
+++ b/4.8.17/0000_README
@@ -6,7 +6,7 @@ Patch:	1016_linux-4.8.17.patch
 From:	http://www.kernel.org
 Desc:	Linux 4.8.17
 
-Patch:	4420_grsecurity-3.1-4.8.17-201701090823.patch
+Patch:	4420_grsecurity-3.1-4.8.17-201701121950.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/4.8.17/4420_grsecurity-3.1-4.8.17-201701090823.patch b/4.8.17/4420_grsecurity-3.1-4.8.17-201701121950.patch
similarity index 99%
rename from 4.8.17/4420_grsecurity-3.1-4.8.17-201701090823.patch
rename to 4.8.17/4420_grsecurity-3.1-4.8.17-201701121950.patch
index 2dc50ac..07572d7 100644
--- a/4.8.17/4420_grsecurity-3.1-4.8.17-201701090823.patch
+++ b/4.8.17/4420_grsecurity-3.1-4.8.17-201701121950.patch
@@ -155668,7 +155668,7 @@ index 38aa5e0..9b3e13b 100644
  		return -ENOMEM;
  
 diff --git a/mm/slab.c b/mm/slab.c
-index 525a911..227387b 100644
+index 525a911..b6279c0 100644
 --- a/mm/slab.c
 +++ b/mm/slab.c
 @@ -116,6 +116,7 @@
@@ -155761,6 +155761,35 @@ index 525a911..227387b 100644
  	/*
  	 * Check that size is in terms of words.  This is needed to avoid
  	 * unaligned accesses for some archs when redzoning is used, and makes
+@@ -2482,7 +2489,6 @@ union freelist_init_state {
+ 		unsigned int pos;
+ 		unsigned int *list;
+ 		unsigned int count;
+-		unsigned int rand;
+ 	};
+ 	struct rnd_state rnd_state;
+ };
+@@ -2508,8 +2514,7 @@ static bool freelist_state_initialize(union freelist_init_state *state,
+ 	} else {
+ 		state->list = cachep->random_seq;
+ 		state->count = count;
+-		state->pos = 0;
+-		state->rand = rand;
++		state->pos = rand % count;
+ 		ret = true;
+ 	}
+ 	return ret;
+@@ -2518,7 +2523,9 @@ static bool freelist_state_initialize(union freelist_init_state *state,
+ /* Get the next entry on the list and randomize it using a random shift */
+ static freelist_idx_t next_random_slot(union freelist_init_state *state)
+ {
+-	return (state->list[state->pos++] + state->rand) % state->count;
++	if (state->pos >= state->count)
++		state->pos = 0;
++	return state->list[state->pos++];
+ }
+ 
+ /* Swap two freelist entries */
 @@ -3524,6 +3531,20 @@ void ___cache_free(struct kmem_cache *cachep, void *objp,
  	struct array_cache *ac = cpu_cache_get(cachep);
  
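Review bot: The comment kept above next_random_slot() ("randomize it using a random shift") no longer describes the body. After this change the function only walks the pre-computed list and wraps `pos` back to 0, while the random offset is applied once as `state->pos = rand % count` in freelist_state_initialize(). I would reword it to `/* Return the next entry of the pre-computed list, wrapping at count; the random start offset is set in freelist_state_initialize() */`. The `rand % count` line also relies on `count` being non-zero; the start of freelist_state_initialize() is outside the hunk, so that precondition cannot be confirmed here and is worth stating where `count` is checked.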



* [gentoo-commits] proj/hardened-patchset:master commit in: 4.8.17/
@ 2017-01-16 21:39 Anthony G. Basile
From: Anthony G. Basile @ 2017-01-16 21:39 UTC (permalink / raw
  To: gentoo-commits

commit:     c6ce1c33ba9c383aa31a43e5d473db494f3eb6f1
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Mon Jan 16 21:38:51 2017 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Jan 16 21:38:51 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=c6ce1c33

grsecurity-3.1-4.8.17-201701151620

 4.8.17/0000_README                                 |   2 +-
 ... 4420_grsecurity-3.1-4.8.17-201701151620.patch} | 198 ++++++++++++++-------
 4.8.17/4427_force_XATTR_PAX_tmpfs.patch            |   2 +-
 4.8.17/4475_emutramp_default_on.patch              |   4 +-
 4 files changed, 133 insertions(+), 73 deletions(-)

diff --git a/4.8.17/0000_README b/4.8.17/0000_README
index a2e828f..96fd06a 100644
--- a/4.8.17/0000_README
+++ b/4.8.17/0000_README
@@ -6,7 +6,7 @@ Patch:	1016_linux-4.8.17.patch
 From:	http://www.kernel.org
 Desc:	Linux 4.8.17
 
-Patch:	4420_grsecurity-3.1-4.8.17-201701121950.patch
+Patch:	4420_grsecurity-3.1-4.8.17-201701151620.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/4.8.17/4420_grsecurity-3.1-4.8.17-201701121950.patch b/4.8.17/4420_grsecurity-3.1-4.8.17-201701151620.patch
similarity index 99%
rename from 4.8.17/4420_grsecurity-3.1-4.8.17-201701121950.patch
rename to 4.8.17/4420_grsecurity-3.1-4.8.17-201701151620.patch
index 07572d7..147c250 100644
--- a/4.8.17/4420_grsecurity-3.1-4.8.17-201701121950.patch
+++ b/4.8.17/4420_grsecurity-3.1-4.8.17-201701151620.patch
@@ -152755,7 +152755,7 @@ index 19e796d..9c8fa80 100644
  	/*
  	 * free pages are specially detected outside this table:
 diff --git a/mm/memory.c b/mm/memory.c
-index 793fe0f..6e94a87 100644
+index 793fe0f..9e24e98 100644
 --- a/mm/memory.c
 +++ b/mm/memory.c
 @@ -427,6 +427,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
@@ -153209,7 +153209,32 @@ index 793fe0f..6e94a87 100644
  	/* no need to invalidate: a not-present page won't be cached */
  	update_mmu_cache(vma, fe->address, fe->pte);
  
-@@ -3552,6 +3763,11 @@ static int handle_pte_fault(struct fault_env *fe)
+@@ -3226,6 +3437,11 @@ static int do_cow_fault(struct fault_env *fe, pgoff_t pgoff)
+ 		copy_user_highpage(new_page, fault_page, fe->address, vma);
+ 	__SetPageUptodate(new_page);
+ 
++#ifdef CONFIG_PAX_SEGMEXEC
++	if (pax_find_mirror_vma(vma))
++		BUG_ON(!trylock_page(new_page));
++#endif
++
+ 	ret |= alloc_set_pte(fe, memcg, new_page);
+ 	if (fe->pte)
+ 		pte_unmap_unlock(fe->pte, fe->ptl);
+@@ -3235,6 +3451,12 @@ static int do_cow_fault(struct fault_env *fe, pgoff_t pgoff)
+ 	} else {
+ 		dax_unlock_mapping_entry(vma->vm_file->f_mapping, pgoff);
+ 	}
++
++#ifdef CONFIG_PAX_SEGMEXEC
++	if (pax_find_mirror_vma(vma))
++		unlock_page(new_page);
++#endif
++
+ 	if (unlikely(ret & (VM_FAULT_ERROR | VM_FAULT_NOPAGE | VM_FAULT_RETRY)))
+ 		goto uncharge_out;
+ 	return ret;
+@@ -3552,6 +3774,11 @@ static int handle_pte_fault(struct fault_env *fe)
  		if (fe->flags & FAULT_FLAG_WRITE)
  			flush_tlb_fix_spurious_fault(fe->vma, fe->address);
  	}
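Review bot: In do_cow_fault() the new `BUG_ON(!trylock_page(new_page));` performs the lock acquisition inside an assertion macro, and the matching `unlock_page(new_page)` is gated by a second, separate `pax_find_mirror_vma(vma)` call. Evaluating `pax_find_mirror_vma(vma)` once into a local and taking the lock in a plain statement, e.g. `if (mirror && !trylock_page(new_page)) BUG();` with `if (mirror) unlock_page(new_page);` later, keeps the side effect out of the assertion and makes the lock/unlock pairing depend on a single decision. A short comment saying why the freshly allocated page must stay locked across `alloc_set_pte()` for mirrored VMAs would also help, since the reason is not visible in this hunk. The function starts and ends outside the hunk.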
@@ -153221,7 +153246,7 @@ index 793fe0f..6e94a87 100644
  unlock:
  	pte_unmap_unlock(fe->pte, fe->ptl);
  	return 0;
-@@ -3575,14 +3791,49 @@ static int __handle_mm_fault(struct vm_area_struct *vma, unsigned long address,
+@@ -3575,14 +3802,49 @@ static int __handle_mm_fault(struct vm_area_struct *vma, unsigned long address,
  	pgd_t *pgd;
  	pud_t *pud;
  
@@ -153275,7 +153300,7 @@ index 793fe0f..6e94a87 100644
  		int ret = create_huge_pmd(&fe);
  		if (!(ret & VM_FAULT_FALLBACK))
  			return ret;
-@@ -3592,7 +3843,7 @@ static int __handle_mm_fault(struct vm_area_struct *vma, unsigned long address,
+@@ -3592,7 +3854,7 @@ static int __handle_mm_fault(struct vm_area_struct *vma, unsigned long address,
  
  		barrier();
  		if (pmd_trans_huge(orig_pmd) || pmd_devmap(orig_pmd)) {
@@ -153284,7 +153309,7 @@ index 793fe0f..6e94a87 100644
  				return do_huge_pmd_numa_page(&fe, orig_pmd);
  
  			if ((fe.flags & FAULT_FLAG_WRITE) &&
-@@ -3667,7 +3918,7 @@ EXPORT_SYMBOL_GPL(handle_mm_fault);
+@@ -3667,7 +3929,7 @@ EXPORT_SYMBOL_GPL(handle_mm_fault);
   * Allocate page upper directory.
   * We've already handled the fast-path in-line.
   */
@@ -153293,7 +153318,7 @@ index 793fe0f..6e94a87 100644
  {
  	pud_t *new = pud_alloc_one(mm, address);
  	if (!new)
-@@ -3678,11 +3929,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
+@@ -3678,11 +3940,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
  	spin_lock(&mm->page_table_lock);
  	if (pgd_present(*pgd))		/* Another has populated it */
  		pud_free(mm, new);
@@ -153317,7 +153342,7 @@ index 793fe0f..6e94a87 100644
  #endif /* __PAGETABLE_PUD_FOLDED */
  
  #ifndef __PAGETABLE_PMD_FOLDED
-@@ -3690,7 +3953,7 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
+@@ -3690,7 +3964,7 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
   * Allocate page middle directory.
   * We've already handled the fast-path in-line.
   */
@@ -153326,7 +153351,7 @@ index 793fe0f..6e94a87 100644
  {
  	pmd_t *new = pmd_alloc_one(mm, address);
  	if (!new)
-@@ -3702,19 +3965,35 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
+@@ -3702,19 +3976,35 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
  #ifndef __ARCH_HAS_4LEVEL_HACK
  	if (!pud_present(*pud)) {
  		mm_inc_nr_pmds(mm);
@@ -153364,7 +153389,7 @@ index 793fe0f..6e94a87 100644
  #endif /* __PAGETABLE_PMD_FOLDED */
  
  static int __follow_pte(struct mm_struct *mm, unsigned long address,
-@@ -3824,8 +4103,8 @@ out:
+@@ -3824,8 +4114,8 @@ out:
  	return ret;
  }
  
@@ -153375,7 +153400,7 @@ index 793fe0f..6e94a87 100644
  {
  	resource_size_t phys_addr;
  	unsigned long prot = 0;
-@@ -3851,8 +4130,8 @@ EXPORT_SYMBOL_GPL(generic_access_phys);
+@@ -3851,8 +4141,8 @@ EXPORT_SYMBOL_GPL(generic_access_phys);
   * Access another process' address space as given in mm.  If non-NULL, use the
   * given task for page fault accounting.
   */
@@ -153386,7 +153411,7 @@ index 793fe0f..6e94a87 100644
  {
  	struct vm_area_struct *vma;
  	void *old_buf = buf;
-@@ -3860,7 +4139,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
+@@ -3860,7 +4150,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
  	down_read(&mm->mmap_sem);
  	/* ignore errors, just check how much was successfully transferred */
  	while (len) {
@@ -153395,7 +153420,7 @@ index 793fe0f..6e94a87 100644
  		void *maddr;
  		struct page *page = NULL;
  
-@@ -3921,8 +4200,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
+@@ -3921,8 +4211,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
   *
   * The caller must hold a reference on @mm.
   */
@@ -153406,7 +153431,7 @@ index 793fe0f..6e94a87 100644
  {
  	return __access_remote_vm(NULL, mm, addr, buf, len, write);
  }
-@@ -3932,11 +4211,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
+@@ -3932,11 +4222,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
   * Source/target buffer must be kernel space,
   * Do not walk the page table directly, use get_user_pages
   */
@@ -168783,7 +168808,7 @@ index 8b29dc1..ec1516e 100644
  
 diff --git a/scripts/gcc-plugins/checker_plugin.c b/scripts/gcc-plugins/checker_plugin.c
 new file mode 100644
-index 0000000..0cd5656
+index 0000000..27fed8d
 --- /dev/null
 +++ b/scripts/gcc-plugins/checker_plugin.c
 @@ -0,0 +1,491 @@
@@ -169264,7 +169289,7 @@ index 0000000..0cd5656
 +			enable_context = true;
 +			continue;
 +		}
-+		error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
++		error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
 +	}
 +
 +	if (enable_user)
@@ -169280,7 +169305,7 @@ index 0000000..0cd5656
 +}
 diff --git a/scripts/gcc-plugins/colorize_plugin.c b/scripts/gcc-plugins/colorize_plugin.c
 new file mode 100644
-index 0000000..e6a0d72
+index 0000000..a229d00
 --- /dev/null
 +++ b/scripts/gcc-plugins/colorize_plugin.c
 @@ -0,0 +1,158 @@
@@ -169432,7 +169457,7 @@ index 0000000..e6a0d72
 +				error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
 +			continue;
 +		}
-+		error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
++		error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
 +	}
 +
 +	if (colorize) {
@@ -169444,7 +169469,7 @@ index 0000000..e6a0d72
 +}
 diff --git a/scripts/gcc-plugins/constify_plugin.c b/scripts/gcc-plugins/constify_plugin.c
 new file mode 100644
-index 0000000..e9051b5
+index 0000000..3cd0652
 --- /dev/null
 +++ b/scripts/gcc-plugins/constify_plugin.c
 @@ -0,0 +1,577 @@
@@ -170006,7 +170031,7 @@ index 0000000..e9051b5
 +			enabled = false;
 +			continue;
 +		}
-+		error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
++		error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
 +	}
 +
 +	if (strncmp(lang_hooks.name, "GNU C", 5) && !strncmp(lang_hooks.name, "GNU C+", 6)) {
@@ -170488,10 +170513,10 @@ index 0000000..7514850
 +fi
 diff --git a/scripts/gcc-plugins/initify_plugin.c b/scripts/gcc-plugins/initify_plugin.c
 new file mode 100644
-index 0000000..07af312
+index 0000000..0fa1d7f
 --- /dev/null
 +++ b/scripts/gcc-plugins/initify_plugin.c
-@@ -0,0 +1,1805 @@
+@@ -0,0 +1,1831 @@
 +/*
 + * Copyright 2015-2017 by Emese Revfy <re.emese@gmail.com>
 + * Licensed under the GPL v2
@@ -170541,7 +170566,7 @@ index 0000000..07af312
 +__visible int plugin_is_GPL_compatible;
 +
 +static struct plugin_info initify_plugin_info = {
-+	.version	=	"20161208",
++	.version	=	"20170112",
 +	.help		=	"disable\tturn off the initify plugin\n"
 +				"verbose\tprint all initified strings and all"
 +				" functions which should be __init/__exit\n"
@@ -172013,14 +172038,46 @@ index 0000000..07af312
 +	}
 +}
 +
++static bool has_non_init_caller(struct cgraph_node *callee)
++{
++	struct cgraph_edge *e = callee->callers;
++
++	if (!e)
++		return true;
++
++	for (; e; e = e->next_caller) {
++		enum section_type caller_section;
++		struct cgraph_node *caller = e->caller;
++
++		caller_section = get_init_exit_section(NODE_DECL(caller));
++		if (caller_section == NONE && NODE_SYMBOL(caller)->aux == (void *)NONE)
++			return true;
++	}
++
++	return false;
++}
++
++static void has_non_init_clone(struct cgraph_node *node, bool *has_non_init)
++{
++	if (*has_non_init)
++		return;
++
++	if (has_non_init_caller(node))
++		*has_non_init = true;
++
++	if (node->clones)
++		has_non_init_clone(node->clones, has_non_init);
++	if (node->clone_of)
++		has_non_init_clone(node->clone_of, has_non_init);
++}
++
 +/*
 + * If the function is called by only __init/__exit functions then it can become
 + * an __init/__exit function as well.
 + */
 +static bool should_init_exit(struct cgraph_node *callee)
 +{
-+	struct cgraph_edge *e;
-+	bool only_init_callers;
++	bool has_non_init;
 +	const_tree callee_decl = NODE_DECL(callee);
 +
 +	if (NODE_SYMBOL(callee)->aux != (void *)NONE)
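Review bot: has_non_init_clone() recurses into both `node->clones` and `node->clone_of` without recording visited nodes, so its only stop condition is `*has_non_init` becoming true. If a clone's `clone_of` points back at the node whose `clones` list holds it (which is how I understand GCC's cgraph clone links; confirm against the supported GCC versions), a function whose clone tree has only __init/__exit callers would bounce between the two nodes until the compiler's stack is exhausted. It also follows only the first entry of `clones`, so sibling clones appear to be skipped. One way to bound the walk is to climb to the root through `clone_of` once and then only descend, as sketched below. should_init_exit(), which calls this helper, is changed in the next hunk.

```c
/* … unchanged: has_non_init_caller() … */

/* Descend through a node and all of its clones; never follows clone_of. */
static bool clone_tree_has_non_init_caller(struct cgraph_node *node)
{
	struct cgraph_node *clone;

	if (has_non_init_caller(node))
		return true;

	for (clone = node->clones; clone; clone = clone->next_sibling_clone) {
		if (clone_tree_has_non_init_caller(clone))
			return true;
	}

	return false;
}

static void has_non_init_clone(struct cgraph_node *node, bool *has_non_init)
{
	if (*has_non_init)
		return;

	/* Climb to the root of the clone tree once, then only walk downwards. */
	while (node->clone_of)
		node = node->clone_of;

	*has_non_init = clone_tree_has_non_init_caller(node);
}
```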
@@ -172035,39 +172092,33 @@ index 0000000..07af312
 +	if (NODE_SYMBOL(callee)->address_taken)
 +		return false;
 +
-+	e = callee->callers;
-+	if (!e)
-+		return false;
-+
-+	only_init_callers = true;
-+	for (; e; e = e->next_caller) {
-+		enum section_type caller_section;
-+		struct cgraph_node *caller = e->caller;
-+
-+		caller_section = get_init_exit_section(NODE_DECL(caller));
-+		if (caller_section == NONE && NODE_SYMBOL(caller)->aux == (void *)NONE)
-+			only_init_callers = false;
-+	}
-+
-+	return only_init_callers;
++	has_non_init = false;
++	has_non_init_clone(callee, &has_non_init);
++	return !has_non_init;
 +}
 +
-+static bool inherit_section(struct cgraph_node *callee, struct cgraph_node *caller, enum section_type curfn_section)
++static bool inherit_section(struct cgraph_node *callee, struct cgraph_node *caller, enum section_type caller_section)
 +{
-+	if (curfn_section == NONE)
-+		curfn_section = (enum section_type)(unsigned long)NODE_SYMBOL(caller)->aux;
++	enum section_type callee_section;
++
++	if (caller_section == NONE)
++		caller_section = (enum section_type)(unsigned long)NODE_SYMBOL(caller)->aux;
++
++	callee_section = (enum section_type)(unsigned long)NODE_SYMBOL(callee)->aux;
++	if (caller_section == INIT && callee_section == EXIT)
++		goto both_section;
 +
-+	if (curfn_section == INIT && NODE_SYMBOL(callee)->aux == (void *)EXIT)
++	if (caller_section == EXIT && callee_section == INIT)
 +		goto both_section;
 +
-+	if (curfn_section == EXIT && NODE_SYMBOL(callee)->aux == (void *)INIT)
++	if (caller_section == BOTH && (callee_section == INIT || callee_section == EXIT))
 +		goto both_section;
 +
 +	if (!should_init_exit(callee))
 +		return false;
 +
-+	gcc_assert(NODE_SYMBOL(callee)->aux == (void *)NONE);
-+	NODE_SYMBOL(callee)->aux = (void *)curfn_section;
++	gcc_assert(callee_section == NONE);
++	NODE_SYMBOL(callee)->aux = (void *)caller_section;
 +	return true;
 +
 +both_section:
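Review bot: inherit_section() now decodes the `aux` pointer with the same `(enum section_type)(unsigned long)NODE_SYMBOL(...)->aux` double cast for both caller and callee, and writes it back with `(void *)caller_section`. A small accessor, e.g. `static inline enum section_type node_section(struct cgraph_node *n)`, with a matching setter would keep that encoding in one place. The three `goto both_section` tests also deserve a one-line comment stating the merge rule they implement. The body of `both_section:` is outside the hunk, so the wording of that comment should be checked against it.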
@@ -172285,7 +172336,7 @@ index 0000000..07af312
 +			continue;
 +		}
 +
-+		error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
++		error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
 +	}
 +
 +	register_callback(plugin_name, PLUGIN_INFO, NULL, &initify_plugin_info);
@@ -172436,7 +172487,7 @@ index 0000000..0a9214d
 +}
 diff --git a/scripts/gcc-plugins/kernexec_plugin.c b/scripts/gcc-plugins/kernexec_plugin.c
 new file mode 100644
-index 0000000..9ac2ebb
+index 0000000..1a35a0c
 --- /dev/null
 +++ b/scripts/gcc-plugins/kernexec_plugin.c
 @@ -0,0 +1,393 @@
@@ -172821,7 +172872,7 @@ index 0000000..9ac2ebb
 +				error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
 +			continue;
 +		}
-+		error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
++		error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
 +	}
 +	if (!kernexec_instrument_fptr || !kernexec_instrument_retaddr)
 +		error(G_("no instrumentation method was selected via '-fplugin-arg-%s-method'"), plugin_name);
@@ -172835,7 +172886,7 @@ index 0000000..9ac2ebb
 +}
 diff --git a/scripts/gcc-plugins/latent_entropy_plugin.c b/scripts/gcc-plugins/latent_entropy_plugin.c
 new file mode 100644
-index 0000000..56b1ece
+index 0000000..d5a37cb
 --- /dev/null
 +++ b/scripts/gcc-plugins/latent_entropy_plugin.c
 @@ -0,0 +1,609 @@
@@ -173435,7 +173486,7 @@ index 0000000..56b1ece
 +			enabled = false;
 +			continue;
 +		}
-+		error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
++		error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
 +	}
 +
 +	register_callback(plugin_name, PLUGIN_INFO, NULL, &latent_entropy_plugin_info);
@@ -173450,7 +173501,7 @@ index 0000000..56b1ece
 +}
 diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c
 new file mode 100644
-index 0000000..2ca34f1
+index 0000000..71911c82
 --- /dev/null
 +++ b/scripts/gcc-plugins/randomize_layout_plugin.c
 @@ -0,0 +1,940 @@
@@ -174369,7 +174420,7 @@ index 0000000..2ca34f1
 +			performance_mode = 1;
 +			continue;
 +		}
-+		error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
++		error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
 +	}
 +
 +	if (strlen(randstruct_seed) != 64) {
@@ -175062,7 +175113,7 @@ index 0000000..161102f
 +}
 diff --git a/scripts/gcc-plugins/rap_plugin/rap_plugin.c b/scripts/gcc-plugins/rap_plugin/rap_plugin.c
 new file mode 100644
-index 0000000..8359861
+index 0000000..998fc0f
 --- /dev/null
 +++ b/scripts/gcc-plugins/rap_plugin/rap_plugin.c
 @@ -0,0 +1,505 @@
@@ -175548,7 +175599,7 @@ index 0000000..8359861
 +			continue;
 +		}
 +
-+		error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
++		error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
 +	}
 +
 +	register_callback(plugin_name, PLUGIN_INFO, NULL, &rap_plugin_info);
@@ -175674,7 +175725,7 @@ index 0000000..65bc1cd
 +	U64TO8_LE(out, b);
 +}
 diff --git a/scripts/gcc-plugins/sancov_plugin.c b/scripts/gcc-plugins/sancov_plugin.c
-index aedd611..72265dd 100644
+index aedd611..f39cee3 100644
 --- a/scripts/gcc-plugins/sancov_plugin.c
 +++ b/scripts/gcc-plugins/sancov_plugin.c
 @@ -1,5 +1,5 @@
@@ -175732,6 +175783,15 @@ index aedd611..72265dd 100644
  
  	if (!plugin_default_version_check(version, &gcc_version)) {
  		error(G_("incompatible gcc/plugin versions"));
+@@ -126,7 +124,7 @@ int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version
+ 			enable = false;
+ 			continue;
+ 		}
+-		error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
++		error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
+ 	}
+ 
+ 	register_callback(plugin_name, PLUGIN_INFO, NULL, &sancov_plugin_info);
 @@ -137,7 +135,7 @@ int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version
  #if BUILDING_GCC_VERSION < 6000
  	register_callback(plugin_name, PLUGIN_START_UNIT, &sancov_start_unit, NULL);
@@ -175779,10 +175839,10 @@ index 0000000..a8039b2
 +clean-files += *.so
 diff --git a/scripts/gcc-plugins/size_overflow_plugin/disable.data b/scripts/gcc-plugins/size_overflow_plugin/disable.data
 new file mode 100644
-index 0000000..925b27a
+index 0000000..83975f2
 --- /dev/null
 +++ b/scripts/gcc-plugins/size_overflow_plugin/disable.data
-@@ -0,0 +1,12471 @@
+@@ -0,0 +1,12472 @@
 +disable_so_interrupt_pnode_gru_message_queue_desc_4 interrupt_pnode gru_message_queue_desc 0 4 NULL
 +disable_so_bch_btree_insert_fndecl_12 bch_btree_insert fndecl 0 12 NULL
 +disable_so_macvlan_sync_address_fndecl_22 macvlan_sync_address fndecl 0 22 NULL nohasharray
@@ -188254,6 +188314,7 @@ index 0000000..925b27a
 +btrfs_get_token_32_fndecl_7192_fns btrfs_get_token_32 fndecl 0 7192 NULL
 +btrfs_get_token_16_fndecl_46639_fns btrfs_get_token_16 fndecl 0 46639 NULL
 +btrfs_get_token_64_fndecl_54223_fns btrfs_get_token_64 fndecl 0 54223 NULL
++qdisc_tree_reduce_backlog_fndecl_3865_fields qdisc_tree_reduce_backlog fndecl 2 3865 NULL
 diff --git a/scripts/gcc-plugins/size_overflow_plugin/e_aux.data b/scripts/gcc-plugins/size_overflow_plugin/e_aux.data
 new file mode 100644
 index 0000000..74e91b2
@@ -188359,10 +188420,10 @@ index 0000000..74e91b2
 +enable_so_zpios_read_fndecl_64734 zpios_read fndecl 3 64734 NULL
 diff --git a/scripts/gcc-plugins/size_overflow_plugin/e_fields.data b/scripts/gcc-plugins/size_overflow_plugin/e_fields.data
 new file mode 100644
-index 0000000..4aabb55
+index 0000000..6b5367db
 --- /dev/null
 +++ b/scripts/gcc-plugins/size_overflow_plugin/e_fields.data
-@@ -0,0 +1,16262 @@
+@@ -0,0 +1,16261 @@
 +recv_ctrl_pipe_us_data_0_fields recv_ctrl_pipe us_data 0 0 NULL
 +__earlyonly_bootmem_alloc_fndecl_3_fields __earlyonly_bootmem_alloc fndecl 2-3-4 3 NULL
 +size_ttm_mem_reg_8_fields size ttm_mem_reg 0 8 NULL
@@ -189301,7 +189362,6 @@ index 0000000..4aabb55
 +find_end_of_node_fndecl_3843_fields find_end_of_node fndecl 0-3-1-2 3843 NULL
 +bg_inode_table_hi_ext4_group_desc_3844_fields bg_inode_table_hi ext4_group_desc 0 3844 NULL
 +btrfs_dirty_pages_fndecl_3848_fields btrfs_dirty_pages fndecl 6-5 3848 NULL
-+qdisc_tree_reduce_backlog_fndecl_3865_fields qdisc_tree_reduce_backlog fndecl 2 3865 NULL
 +ocfs2_free_clusters_fndecl_3866_fields ocfs2_free_clusters fndecl 4 3866 NULL
 +minlen_fstrim_range_3870_fields minlen fstrim_range 0 3870 NULL
 +size_of_priv_dvb_usb_adapter_fe_properties_3875_fields size_of_priv dvb_usb_adapter_fe_properties 0 3875 NULL
@@ -214621,7 +214681,7 @@ index 0000000..b5291e1
 +
 diff --git a/scripts/gcc-plugins/size_overflow_plugin/size_overflow_plugin.c b/scripts/gcc-plugins/size_overflow_plugin/size_overflow_plugin.c
 new file mode 100644
-index 0000000..4645a29
+index 0000000..4f667bad
 --- /dev/null
 +++ b/scripts/gcc-plugins/size_overflow_plugin/size_overflow_plugin.c
 @@ -0,0 +1,299 @@
@@ -214900,7 +214960,7 @@ index 0000000..4645a29
 +			continue;
 +		}
 +
-+		error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
++		error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
 +	}
 +
 +	register_callback(plugin_name, PLUGIN_INFO, NULL, &size_overflow_plugin_info);
@@ -217198,7 +217258,7 @@ index 0000000..7b24aea
 +}
 diff --git a/scripts/gcc-plugins/stackleak_plugin.c b/scripts/gcc-plugins/stackleak_plugin.c
 new file mode 100644
-index 0000000..b70f0bc
+index 0000000..75524f4
 --- /dev/null
 +++ b/scripts/gcc-plugins/stackleak_plugin.c
 @@ -0,0 +1,342 @@
@@ -217534,7 +217594,7 @@ index 0000000..b70f0bc
 +			init_locals = true;
 +			continue;
 +		}
-+		error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
++		error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
 +	}
 +
 +	register_callback(plugin_name, PLUGIN_START_UNIT, &stackleak_start_unit, NULL);
@@ -217546,7 +217606,7 @@ index 0000000..b70f0bc
 +}
 diff --git a/scripts/gcc-plugins/structleak_plugin.c b/scripts/gcc-plugins/structleak_plugin.c
 new file mode 100644
-index 0000000..0afee93
+index 0000000..7ff562f
 --- /dev/null
 +++ b/scripts/gcc-plugins/structleak_plugin.c
 @@ -0,0 +1,235 @@
@@ -217773,7 +217833,7 @@ index 0000000..0afee93
 +			enable = false;
 +			continue;
 +		}
-+		error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
++		error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
 +	}
 +
 +	register_callback(plugin_name, PLUGIN_INFO, NULL, &structleak_plugin_info);
@@ -218275,7 +218335,7 @@ index b3775a9..be6b9f9 100755
  # Find all available archs
  find_all_archs()
 diff --git a/security/Kconfig b/security/Kconfig
-index 118f454..5c61f40 100644
+index 118f454..288ab93 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
 @@ -4,6 +4,1065 @@
@@ -219383,7 +219443,7 @@ index 118f454..5c61f40 100644
 -	  separately allocates pages, are not on the process stack,
 -	  or are part of the kernel text. This kills entire classes
 -	  of heap overflow exploits and similar kernel memory exposures.
-+	def_bool y
++	bool
 +	select BUG if BROKEN_SECURITY
  
  config HARDENED_USERCOPY_PAGESPAN
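Review bot: Changing `def_bool y` to a bare `bool` leaves this symbol with no prompt and no default, so it stays off unless another option selects it. The `config` line is above the hunk (presumably HARDENED_USERCOPY, judging by the removed help text and the HARDENED_USERCOPY_PAGESPAN entry that follows), and the selecting option, if any, is not visible here. A comment such as `# no prompt or default on purpose: enabled only via select from <selecting option>` would tell readers whether the usercopy checks are still reachable in a default configuration.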

diff --git a/4.8.17/4427_force_XATTR_PAX_tmpfs.patch b/4.8.17/4427_force_XATTR_PAX_tmpfs.patch
index caecb91..ba7da66 100644
--- a/4.8.17/4427_force_XATTR_PAX_tmpfs.patch
+++ b/4.8.17/4427_force_XATTR_PAX_tmpfs.patch
@@ -6,7 +6,7 @@ namespace supported on tmpfs so that the PaX markings survive emerge.
 diff -Naur a/mm/shmem.c b/mm/shmem.c
 --- a/mm/shmem.c	2016-04-29 19:56:25.306101147 -0400
 +++ b/mm/shmem.c	2016-04-29 19:59:44.126104490 -0400
-@@ -3255,7 +3255,6 @@
+@@ -3257,7 +3257,6 @@
  	return simple_xattr_set(&info->xattrs, name, value, size, flags);
  }
  

diff --git a/4.8.17/4475_emutramp_default_on.patch b/4.8.17/4475_emutramp_default_on.patch
index 7b468ee..feb8c7b 100644
--- a/4.8.17/4475_emutramp_default_on.patch
+++ b/4.8.17/4475_emutramp_default_on.patch
@@ -10,7 +10,7 @@ See bug:
 diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
 --- linux-3.9.2-hardened.orig/security/Kconfig	2013-05-18 08:53:41.000000000 -0400
 +++ linux-3.9.2-hardened/security/Kconfig	2013-05-18 09:17:57.000000000 -0400
-@@ -434,7 +434,7 @@
+@@ -440,7 +440,7 @@
  
  config PAX_EMUTRAMP
  	bool "Emulate trampolines"
@@ -19,7 +19,7 @@ diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/secur
  	depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
  	help
  	  There are some programs and libraries that for one reason or
-@@ -457,6 +457,12 @@
+@@ -463,6 +463,12 @@
  	  utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
  	  for the affected files.
  

