author | Anthony G. Basile <blueness@gentoo.org> | 2012-08-25 17:32:30 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2012-08-25 17:32:30 -0400 |
commit | 7a1d378a94319f2dd5b0a6e0e60bc22cb4110be7 (patch) | |
tree | 5fe4853db7f07dfa2a4651ace6b3f102de88248a | |
parent | Grsec/PaX: 2.9.1-{2.6.32.59,3.2.28,3.5.2}-201208222031 (diff) | |
Grsec/PaX: 2.9.1-{2.6.32.59,3.2.28,3.5.2}-20120824194320120824
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208232048.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208222030.patch) | 77 | ||||
-rw-r--r-- | 3.2.28/0000_README | 2 | ||||
-rw-r--r-- | 3.2.28/4420_grsecurity-2.9.1-3.2.28-201208232048.patch (renamed from 3.2.28/4420_grsecurity-2.9.1-3.2.28-201208222030.patch) | 36 | ||||
-rw-r--r-- | 3.5.2/0000_README | 2 | ||||
-rw-r--r-- | 3.5.2/4420_grsecurity-2.9.1-3.5.2-201208241943.patch (renamed from 3.5.2/4420_grsecurity-2.9.1-3.5.2-201208222031.patch) | 404 |
6 files changed, 351 insertions, 172 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index 24bc841..9c19fa1 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -30,7 +30,7 @@ Patch: 1058_linux-2.6.32.59.patch From: http://www.kernel.org Desc: Linux 2.6.32.59 -Patch: 4420_grsecurity-2.9.1-2.6.32.59-201208222030.patch +Patch: 4420_grsecurity-2.9.1-2.6.32.59-201208232048.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208222030.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208232048.patch index a4b7131..da02455 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208222030.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208232048.patch @@ -55117,6 +55117,23 @@ index b38d3b7..b1cff23 100644 { /* Sometime a Level-One switch card. */ "Winbond W89c840", CanHaveMII | HasBrokenTx | FDXOnNoMII}, { "Winbond W89c840", CanHaveMII | HasBrokenTx}, +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 0f77aca..a69420d 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1121,9 +1121,11 @@ static long tun_chr_ioctl(struct file *file, unsigned int cmd, + int sndbuf; + int ret; + +- if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) ++ if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) { + if (copy_from_user(&ifr, argp, sizeof ifr)) + return -EFAULT; ++ } else ++ memset(&ifr, 0, sizeof(ifr)); + + if (cmd == TUNGETFEATURES) { + /* Currently this just means: "what IFF flags are valid?". diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c index f450bc9..2b747c8 100644 --- a/drivers/net/usb/hso.c 
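Review bot: The new `} else` arm in tun_chr_ioctl is unbraced while the `if` arm it pairs with now carries braces; kernel CodingStyle keeps both arms braced once one needs them, i.e. `} else {` / `memset(&ifr, 0, sizeof(ifr));` / `}`, and the neighbouring `sizeof ifr` versus the new `sizeof(ifr)` is worth settling one way. The zeroing itself is the right shape of fix: `ifr` is only filled from userspace for TUNSETIFF and the 0x89 ioctl family, so for any other command that later copies `ifr` back out (this hunk does not show which) stale stack bytes would otherwise reach userspace. A one-line comment above the `else`, `/* some commands copy ifr back to userspace: never hand out uninitialized stack */`, would record why the memset is there. The body of tun_chr_ioctl begins and ends outside this hunk, so the copy-out paths themselves cannot be checked here.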
@@ -72050,6 +72067,18 @@ index 6c75110..19d2c3c 100644 error = -EFAULT; return error; +diff --git a/fs/isofs/export.c b/fs/isofs/export.c +index e81a305..caec670 100644 +--- a/fs/isofs/export.c ++++ b/fs/isofs/export.c +@@ -131,6 +131,7 @@ isofs_export_encode_fh(struct dentry *dentry, + len = 3; + fh32[0] = ei->i_iget5_block; + fh16[2] = (__u16)ei->i_iget5_offset; /* fh16 [sic] */ ++ fh16[3] = 0; /* avoid leaking uninitialized data */ + fh32[2] = inode->i_generation; + if (connectable && !S_ISDIR(inode->i_mode)) { + struct inode *parent; diff --git a/fs/jbd/checkpoint.c b/fs/jbd/checkpoint.c index b0435dd..81ee0be 100644 --- a/fs/jbd/checkpoint.c @@ -75925,6 +75954,18 @@ index 9215700..bf1f68e 100644 u8 checksum = 0; int i; for (i = 0; i < sizeof(struct tag); ++i) +diff --git a/fs/udf/namei.c b/fs/udf/namei.c +index 21dad8c..b754151 100644 +--- a/fs/udf/namei.c ++++ b/fs/udf/namei.c +@@ -1331,6 +1331,7 @@ static int udf_encode_fh(struct dentry *de, __u32 *fh, int *lenp, + *lenp = 3; + fid->udf.block = location.logicalBlockNum; + fid->udf.partref = location.partitionReferenceNum; ++ fid->udf.parent_partref = 0; + fid->udf.generation = inode->i_generation; + + if (connectable && !S_ISDIR(inode->i_mode)) { diff --git a/fs/udf/super.c b/fs/udf/super.c index ee6b3af..ab17bcd 100644 --- a/fs/udf/super.c @@ -91431,6 +91472,18 @@ index 0000000..3891139 +int do_syslog(int type, char __user *buf, int count, bool from_file); + +#endif /* _LINUX_SYSLOG_H */ +diff --git a/include/linux/tfrc.h b/include/linux/tfrc.h +index 8a8462b..097fe78 100644 +--- a/include/linux/tfrc.h ++++ b/include/linux/tfrc.h +@@ -50,6 +50,7 @@ struct tfrc_tx_info { + __u32 tfrctx_p; + __u32 tfrctx_rto; + __u32 tfrctx_ipi; ++ __u32 padding; + }; + + #endif /* _LINUX_TFRC_H_ */ diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h index a8cc4e1..98d3b85 100644 --- a/include/linux/thread_info.h 
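Review bot: `fh16[3] = 0;` in isofs_export_encode_fh closes the 16-bit gap between `fh16[2]` and `fh32[2]`, but a single spot-zero is fragile against future layout changes; zeroing the whole three-word handle once it is sized, `memset(fh32, 0, len * sizeof(*fh32));` right after `len = 3;`, removes the need to know where the padding sits. The `connectable` branch that opens at the end of this hunk writes further parent fields into the same handle and continues outside it, so whether it has an equivalent half-word that also needs clearing cannot be seen here. The added comment could also name the mechanism rather than the effect, e.g. `/* 16-bit pad between fh16[2] and fh32[2]: zero it so the exported handle has no uninitialized bytes */`.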
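Review bot: `fid->udf.parent_partref = 0;` in udf_encode_fh sets a parent field on the non-`connectable` path, which has no parent, and the line gives no reason; a comment such as `/* parent_partref presumably shares a 32-bit word with partref: clear it so the 3-word handle has no uninitialized bytes */` would tell the next reader why it is there. The `connectable` branch that starts at the end of this hunk presumably assigns the real value later (the function continues outside the hunk), so please confirm that assignment still comes after, not before, this zeroing. Whether the remaining handle words are fully written on every path cannot be judged from these lines.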
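Review bot: `__u32 padding;` is being added to `struct tfrc_tx_info` in include/linux/tfrc.h, a header exported to userspace, so the ABI consequence needs to be stated: if an earlier member of the struct is 64-bit (not visible in this hunk) the new field merely names tail padding that already existed and `sizeof` is unchanged, otherwise it grows the struct and shifts the `len < sizeof` check that DCCP_SOCKOPT_CCID_TX_INFO callers hit — please confirm which. The field should carry a comment saying it is explicit, must-stay-zero padding: `__u32 padding; /* explicit tail padding; kept zero so getsockopt() copies no uninitialized bytes */`. A name like `__pad` would also follow the usual convention for reserved UAPI fields.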
@@ -103710,6 +103763,18 @@ index facedd2..ab260b0 100644 rc = ccid->ccid_ops->ccid_hc_tx_getsockopt(sk, optname, len, optval, optlen); return rc; +diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c +index 34dcc79..ca75875 100644 +--- a/net/dccp/ccids/ccid3.c ++++ b/net/dccp/ccids/ccid3.c +@@ -618,6 +618,7 @@ static int ccid3_hc_tx_getsockopt(struct sock *sk, const int optname, int len, + return -EINVAL; + len = sizeof(hctx->ccid3hctx_tfrc); + val = &hctx->ccid3hctx_tfrc; ++ hctx->ccid3hctx_tfrc.padding = 0; + break; + default: + return -ENOPROTOOPT; diff --git a/net/decnet/sysctl_net_decnet.c b/net/decnet/sysctl_net_decnet.c index 2036568..c55883d 100644 --- a/net/decnet/sysctl_net_decnet.c @@ -107019,7 +107084,7 @@ index cb81ca3..e15d49a 100644 goto restart; } diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c -index b95a2d6..85c4d78 100644 +index b95a2d6..53a422d 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1169,6 +1169,8 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb) @@ -107031,7 +107096,15 @@ index b95a2d6..85c4d78 100644 if (xp->xfrm_nr == 0) return 0; -@@ -1784,6 +1786,8 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, +@@ -1176,6 +1178,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb) + struct xfrm_user_tmpl *up = &vec[i]; + struct xfrm_tmpl *kp = &xp->xfrm_vec[i]; + ++ memset(up, 0, sizeof(*up)); + memcpy(&up->id, &kp->id, sizeof(up->id)); + up->family = kp->encap_family; + memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr)); +@@ -1784,6 +1787,8 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, int err; int n = 0; diff --git a/3.2.28/0000_README b/3.2.28/0000_README index c88942b..af762d4 100644 --- a/3.2.28/0000_README +++ b/3.2.28/0000_README @@ -30,7 +30,7 @@ Patch: 1027_linux-3.2.28.patch 
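Review bot: `hctx->ccid3hctx_tfrc.padding = 0;` in ccid3_hc_tx_getsockopt clears the pad word on every getsockopt rather than once when the structure is set up, and it does so on a structure the transmit path also updates; if `ccid3hctx_tfrc` is not zero-allocated elsewhere, zeroing it at CCID init or copying it into a zeroed local before the copy-out would be the more robust shape. The surrounding switch and the copy-out that follows it are outside this hunk, so whether the remaining tfrc fields are always assigned before this point cannot be confirmed here. At minimum a comment, `/* padding is never written by the tx path: clear it so it is not copied out uninitialized */`, would explain the unusual store.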
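Review bot: The `memset(up, 0, sizeof(*up));` in copy_to_user_tmpl runs once per template inside the loop; if `vec` is the on-stack array its name suggests and is presumably copied out as a whole afterwards, zeroing it once before the loop, `memset(vec, 0, sizeof(vec));` (or `sizeof(*vec) * xp->xfrm_nr`), states the intent in one place and also covers any entry the loop does not reach. The declaration of `vec` and the put that exports it are outside this hunk, so the right size to use must be checked there. The per-entry form is correct as written; this is about where the zeroing is clearest.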
From: http://www.kernel.org Desc: Linux 3.2.28 -Patch: 4420_grsecurity-2.9.1-3.2.28-201208222030.patch +Patch: 4420_grsecurity-2.9.1-3.2.28-201208232048.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.28/4420_grsecurity-2.9.1-3.2.28-201208222030.patch b/3.2.28/4420_grsecurity-2.9.1-3.2.28-201208232048.patch index 0f3c55e..3457f14 100644 --- a/3.2.28/4420_grsecurity-2.9.1-3.2.28-201208222030.patch +++ b/3.2.28/4420_grsecurity-2.9.1-3.2.28-201208232048.patch @@ -47355,6 +47355,18 @@ index ee4e66b..9a39f9c 100644 wake_up_bit(&inode->i_state, __I_NEW); spin_unlock(&inode->i_lock); } +diff --git a/fs/isofs/export.c b/fs/isofs/export.c +index dd4687f..e9b81e0 100644 +--- a/fs/isofs/export.c ++++ b/fs/isofs/export.c +@@ -135,6 +135,7 @@ isofs_export_encode_fh(struct dentry *dentry, + len = 3; + fh32[0] = ei->i_iget5_block; + fh16[2] = (__u16)ei->i_iget5_offset; /* fh16 [sic] */ ++ fh16[3] = 0; /* avoid leaking uninitialized data */ + fh32[2] = inode->i_generation; + if (connectable && !S_ISDIR(inode->i_mode)) { + struct inode *parent; diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c index e513f19..2ab1351 100644 --- a/fs/jffs2/erase.c @@ -50547,6 +50559,18 @@ index c175b4d..8f36a16 100644 u8 checksum = 0; int i; for (i = 0; i < sizeof(struct tag); ++i) +diff --git a/fs/udf/namei.c b/fs/udf/namei.c +index 4639e13..71c97fb 100644 +--- a/fs/udf/namei.c ++++ b/fs/udf/namei.c +@@ -1293,6 +1293,7 @@ static int udf_encode_fh(struct dentry *de, __u32 *fh, int *lenp, + *lenp = 3; + fid->udf.block = location.logicalBlockNum; + fid->udf.partref = location.partitionReferenceNum; ++ fid->udf.parent_partref = 0; + fid->udf.generation = inode->i_generation; + + if (connectable && !S_ISDIR(inode->i_mode)) { diff --git a/fs/utimes.c b/fs/utimes.c index ba653f3..06ea4b1 100644 --- a/fs/utimes.c 
@@ -80463,6 +80487,18 @@ index 0174034..65eaf78 100644 } } +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 7cae73e..fe80421 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1401,6 +1401,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb) + struct xfrm_user_tmpl *up = &vec[i]; + struct xfrm_tmpl *kp = &xp->xfrm_vec[i]; + ++ memset(up, 0, sizeof(*up)); + memcpy(&up->id, &kp->id, sizeof(up->id)); + up->family = kp->encap_family; + memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr)); diff --git a/scripts/Makefile.build b/scripts/Makefile.build index d2b366c..2d5a6f8 100644 --- a/scripts/Makefile.build diff --git a/3.5.2/0000_README b/3.5.2/0000_README index 268fe76..1900e0a 100644 --- a/3.5.2/0000_README +++ b/3.5.2/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.9.1-3.5.2-201208222031.patch +Patch: 4420_grsecurity-2.9.1-3.5.2-201208241943.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.5.2/4420_grsecurity-2.9.1-3.5.2-201208222031.patch b/3.5.2/4420_grsecurity-2.9.1-3.5.2-201208241943.patch index f04a5aa..8f28b61 100644 --- a/3.5.2/4420_grsecurity-2.9.1-3.5.2-201208222031.patch +++ b/3.5.2/4420_grsecurity-2.9.1-3.5.2-201208241943.patch @@ -8606,7 +8606,7 @@ index 673ac9b..7a8c5df 100644 if (err) diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S -index 20e5f7b..eab8751 100644 +index 20e5f7b..f33c779 100644 --- a/arch/x86/ia32/ia32entry.S +++ b/arch/x86/ia32/ia32entry.S @@ -14,8 +14,10 @@ 
@@ -8666,7 +8666,7 @@ index 20e5f7b..eab8751 100644 movl %ebp,%ebp /* zero extension */ pushq_cfi $__USER32_DS /*CFI_REL_OFFSET ss,0*/ -@@ -134,22 +156,37 @@ ENTRY(ia32_sysenter_target) +@@ -134,22 +156,42 @@ ENTRY(ia32_sysenter_target) CFI_REL_OFFSET rsp,0 pushfq_cfi /*CFI_REL_OFFSET rflags,0*/ @@ -8686,6 +8686,11 @@ index 20e5f7b..eab8751 100644 cld SAVE_ARGS 0,1,0 + pax_enter_kernel_user ++ ++#ifdef CONFIG_PAX_RANDKSTACK ++ pax_erase_kstack ++#endif ++ + /* + * No need to follow this irqs on/off section: the syscall + * disabled irqs, here we enable it straight after entry: @@ -8709,7 +8714,7 @@ index 20e5f7b..eab8751 100644 CFI_REMEMBER_STATE jnz sysenter_tracesys cmpq $(IA32_NR_syscalls-1),%rax -@@ -159,12 +196,15 @@ sysenter_do_call: +@@ -159,12 +201,15 @@ sysenter_do_call: sysenter_dispatch: call *ia32_sys_call_table(,%rax,8) movq %rax,RAX-ARGOFFSET(%rsp) @@ -8727,7 +8732,7 @@ index 20e5f7b..eab8751 100644 /* clear IF, that popfq doesn't enable interrupts early */ andl $~0x200,EFLAGS-R11(%rsp) movl RIP-R11(%rsp),%edx /* User %eip */ -@@ -190,6 +230,9 @@ sysexit_from_sys_call: +@@ -190,6 +235,9 @@ sysexit_from_sys_call: movl %eax,%esi /* 2nd arg: syscall number */ movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */ call __audit_syscall_entry @@ -8737,7 +8742,7 @@ index 20e5f7b..eab8751 100644 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */ cmpq $(IA32_NR_syscalls-1),%rax ja ia32_badsys -@@ -201,7 +244,7 @@ sysexit_from_sys_call: +@@ -201,7 +249,7 @@ sysexit_from_sys_call: .endm .macro auditsys_exit exit @@ -8746,7 +8751,7 @@ index 20e5f7b..eab8751 100644 jnz ia32_ret_from_sys_call TRACE_IRQS_ON sti -@@ -212,11 +255,12 @@ sysexit_from_sys_call: +@@ -212,11 +260,12 @@ sysexit_from_sys_call: 1: setbe %al /* 1 if error, 0 if not */ movzbl %al,%edi /* zero-extend that into %edi */ call __audit_syscall_exit 
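Review bot: The new `pax_erase_kstack` under `#ifdef CONFIG_PAX_RANDKSTACK` in ia32_sysenter_target is guarded by RANDKSTACK alone, while the routine itself is defined under `CONFIG_PAX_MEMORY_STACKLEAK` in the entry_32.S/entry_64.S hunks of this same commit; unless the `pax_erase_kstack` macro expands to nothing when STACKLEAK is off, a RANDKSTACK-without-STACKLEAK build references an undefined symbol — worth confirming against the macro definition, which is not in this hunk. The hunk also gives no rationale for erasing at entry as well as at exit; a comment above the `#ifdef`, e.g. `/* RANDKSTACK moved the stack at the last exit: erase before this frame grows over stale data */` (if that is indeed the reason), would help. The call appears to run right after `pax_enter_kernel_user` and before any thread_info lookup, so it relies on the routine locating thread_info itself. ia32_sysenter_target continues outside this hunk.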
@@ -8760,7 +8765,7 @@ index 20e5f7b..eab8751 100644 jz \exit CLEAR_RREGS -ARGOFFSET jmp int_with_check -@@ -234,7 +278,7 @@ sysexit_audit: +@@ -234,7 +283,7 @@ sysexit_audit: sysenter_tracesys: #ifdef CONFIG_AUDITSYSCALL @@ -8769,17 +8774,17 @@ index 20e5f7b..eab8751 100644 jz sysenter_auditsys #endif SAVE_REST -@@ -242,6 +286,9 @@ sysenter_tracesys: - movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */ - movq %rsp,%rdi /* &pt_regs -> arg1 */ - call syscall_trace_enter +@@ -246,6 +295,9 @@ sysenter_tracesys: + RESTORE_REST + cmpq $(IA32_NR_syscalls-1),%rax + ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */ + + pax_erase_kstack + - LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ - RESTORE_REST - cmpq $(IA32_NR_syscalls-1),%rax -@@ -273,19 +320,20 @@ ENDPROC(ia32_sysenter_target) + jmp sysenter_do_call + CFI_ENDPROC + ENDPROC(ia32_sysenter_target) +@@ -273,19 +325,25 @@ ENDPROC(ia32_sysenter_target) ENTRY(ia32_cstar_target) CFI_STARTPROC32 simple CFI_SIGNAL_FRAME @@ -8793,6 +8798,11 @@ index 20e5f7b..eab8751 100644 movq PER_CPU_VAR(kernel_stack),%rsp + SAVE_ARGS 8*6,0,0 + pax_enter_kernel_user ++ ++#ifdef CONFIG_PAX_RANDKSTACK ++ pax_erase_kstack ++#endif ++ /* * No need to follow this irqs on/off section: the syscall * disabled irqs and here we enable it straight after entry: @@ -8802,7 +8812,7 @@ index 20e5f7b..eab8751 100644 movl %eax,%eax /* zero extension */ movq %rax,ORIG_RAX-ARGOFFSET(%rsp) movq %rcx,RIP-ARGOFFSET(%rsp) -@@ -301,10 +349,17 @@ ENTRY(ia32_cstar_target) +@@ -301,10 +359,17 @@ ENTRY(ia32_cstar_target) /* no need to do an access_ok check here because r8 has been 32bit zero extended */ /* hardware stack frame is complete now */ 
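Review bot: Moving `pax_erase_kstack` from just after `call syscall_trace_enter` to after `RESTORE_REST` and the `ja int_ret_from_sys_call` check in sysenter_tracesys and cstar_tracesys means it now runs with the (possibly ptrace-modified) syscall arguments already loaded into registers for the `jmp *_do_call` that follows, so the routine must preserve every one of them. The `pushq %rcx`/`popq %rcx` added to the 64-bit routine elsewhere in this commit is consistent with that, but whether `%rdx`, `%rsi` and `%r8`-`%r10` are untouched depends on the body of pax_erase_kstack, which is only partly visible in this diff. A comment at the new call site, `/* args are live in registers here: pax_erase_kstack must clobber nothing */`, would pin the contract. The same relocation for the int 0x80 path appears later in this diff.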
@@ -8822,7 +8832,7 @@ index 20e5f7b..eab8751 100644 CFI_REMEMBER_STATE jnz cstar_tracesys cmpq $IA32_NR_syscalls-1,%rax -@@ -314,12 +369,15 @@ cstar_do_call: +@@ -314,12 +379,15 @@ cstar_do_call: cstar_dispatch: call *ia32_sys_call_table(,%rax,8) movq %rax,RAX-ARGOFFSET(%rsp) @@ -8840,7 +8850,7 @@ index 20e5f7b..eab8751 100644 RESTORE_ARGS 0,-ARG_SKIP,0,0,0 movl RIP-ARGOFFSET(%rsp),%ecx CFI_REGISTER rip,rcx -@@ -347,7 +405,7 @@ sysretl_audit: +@@ -347,7 +415,7 @@ sysretl_audit: cstar_tracesys: #ifdef CONFIG_AUDITSYSCALL @@ -8849,17 +8859,17 @@ index 20e5f7b..eab8751 100644 jz cstar_auditsys #endif xchgl %r9d,%ebp -@@ -356,6 +414,9 @@ cstar_tracesys: - movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */ - movq %rsp,%rdi /* &pt_regs -> arg1 */ - call syscall_trace_enter +@@ -361,6 +429,9 @@ cstar_tracesys: + xchgl %ebp,%r9d + cmpq $(IA32_NR_syscalls-1),%rax + ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */ + + pax_erase_kstack + - LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */ - RESTORE_REST - xchgl %ebp,%r9d -@@ -401,19 +462,21 @@ ENTRY(ia32_syscall) + jmp cstar_do_call + END(ia32_cstar_target) + +@@ -401,19 +472,26 @@ ENTRY(ia32_syscall) CFI_REL_OFFSET rip,RIP-RIP PARAVIRT_ADJUST_EXCEPTION_FRAME SWAPGS @@ -8877,6 +8887,11 @@ index 20e5f7b..eab8751 100644 - orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET) - testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) + pax_enter_kernel_user ++ ++#ifdef CONFIG_PAX_RANDKSTACK ++ pax_erase_kstack ++#endif ++ + /* + * No need to follow this irqs on/off section: the syscall + * disabled irqs and here we enable it straight after entry: 
@@ -8888,16 +8903,16 @@ index 20e5f7b..eab8751 100644 jnz ia32_tracesys cmpq $(IA32_NR_syscalls-1),%rax ja ia32_badsys -@@ -432,6 +495,9 @@ ia32_tracesys: - movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */ - movq %rsp,%rdi /* &pt_regs -> arg1 */ - call syscall_trace_enter +@@ -436,6 +514,9 @@ ia32_tracesys: + RESTORE_REST + cmpq $(IA32_NR_syscalls-1),%rax + ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */ + + pax_erase_kstack + - LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ - RESTORE_REST - cmpq $(IA32_NR_syscalls-1),%rax + jmp ia32_do_call + END(ia32_syscall) + diff --git a/arch/x86/ia32/sys_ia32.c b/arch/x86/ia32/sys_ia32.c index 4540bec..714d913 100644 --- a/arch/x86/ia32/sys_ia32.c @@ -14825,10 +14840,10 @@ index 9b9f18b..9fcaa04 100644 #include <asm/processor.h> #include <asm/fcntl.h> diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S -index 623f288..0683156 100644 +index 623f288..8bdd78a 100644 --- a/arch/x86/kernel/entry_32.S +++ b/arch/x86/kernel/entry_32.S -@@ -176,13 +176,146 @@ +@@ -176,13 +176,153 @@ /*CFI_REL_OFFSET gs, PT_GS*/ .endm .macro SET_KERNEL_GS reg @@ -14932,10 +14947,10 @@ index 623f288..0683156 100644 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK +/* + * ebp: thread_info -+ * ecx, edx: can be clobbered + */ +ENTRY(pax_erase_kstack) + pushl %edi ++ pushl %ecx + pushl %eax + + mov TI_lowest_stack(%ebp), %edi @@ -14959,6 +14974,12 @@ index 623f288..0683156 100644 +2: cld + mov %esp, %ecx + sub %edi, %ecx ++ ++ cmp $THREAD_SIZE_asm, %ecx ++ jb 3f ++ ud2 ++3: ++ + shr $2, %ecx + rep stosl + @@ -14967,6 +14988,7 @@ index 623f288..0683156 100644 + mov %edi, TI_lowest_stack(%ebp) + + popl %eax ++ popl %ecx + popl %edi + ret +ENDPROC(pax_erase_kstack) @@ -14976,7 +14998,7 @@ index 623f288..0683156 100644 cld PUSH_GS pushl_cfi %fs -@@ -205,7 +338,7 @@ +@@ -205,7 +345,7 @@ CFI_REL_OFFSET ecx, 0 pushl_cfi %ebx CFI_REL_OFFSET ebx, 0 
@@ -14985,7 +15007,7 @@ index 623f288..0683156 100644 movl %edx, %ds movl %edx, %es movl $(__KERNEL_PERCPU), %edx -@@ -213,6 +346,15 @@ +@@ -213,6 +353,15 @@ SET_KERNEL_GS %edx .endm @@ -15001,7 +15023,7 @@ index 623f288..0683156 100644 .macro RESTORE_INT_REGS popl_cfi %ebx CFI_RESTORE ebx -@@ -296,7 +438,7 @@ ENTRY(ret_from_fork) +@@ -296,7 +445,7 @@ ENTRY(ret_from_fork) popfl_cfi jmp syscall_exit CFI_ENDPROC @@ -15010,7 +15032,7 @@ index 623f288..0683156 100644 /* * Interrupt exit functions should be protected against kprobes -@@ -329,7 +471,15 @@ ret_from_intr: +@@ -329,7 +478,15 @@ ret_from_intr: andl $SEGMENT_RPL_MASK, %eax #endif cmpl $USER_RPL, %eax @@ -15026,7 +15048,7 @@ index 623f288..0683156 100644 ENTRY(resume_userspace) LOCKDEP_SYS_EXIT -@@ -341,8 +491,8 @@ ENTRY(resume_userspace) +@@ -341,8 +498,8 @@ ENTRY(resume_userspace) andl $_TIF_WORK_MASK, %ecx # is there any work to be done on # int/exception return? jne work_pending @@ -15037,7 +15059,7 @@ index 623f288..0683156 100644 #ifdef CONFIG_PREEMPT ENTRY(resume_kernel) -@@ -357,7 +507,7 @@ need_resched: +@@ -357,7 +514,7 @@ need_resched: jz restore_all call preempt_schedule_irq jmp need_resched @@ -15046,7 +15068,7 @@ index 623f288..0683156 100644 #endif CFI_ENDPROC /* -@@ -391,23 +541,34 @@ sysenter_past_esp: +@@ -391,28 +548,43 @@ sysenter_past_esp: /*CFI_REL_OFFSET cs, 0*/ /* * Push current_thread_info()->sysenter_return to the stack. @@ -15084,7 +15106,16 @@ index 623f288..0683156 100644 movl %ebp,PT_EBP(%esp) _ASM_EXTABLE(1b,syscall_fault) -@@ -427,12 +588,24 @@ sysenter_do_call: + GET_THREAD_INFO(%ebp) + ++#ifdef CONFIG_PAX_RANDKSTACK ++ pax_erase_kstack ++#endif ++ + testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp) + jnz sysenter_audit + sysenter_do_call: +@@ -427,12 +599,24 @@ sysenter_do_call: testl $_TIF_ALLWORK_MASK, %ecx jne sysexit_audit sysenter_exit: 
@@ -15109,7 +15140,7 @@ index 623f288..0683156 100644 PTGS_TO_GS ENABLE_INTERRUPTS_SYSEXIT -@@ -449,6 +622,9 @@ sysenter_audit: +@@ -449,6 +633,9 @@ sysenter_audit: movl %eax,%edx /* 2nd arg: syscall number */ movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */ call __audit_syscall_entry @@ -15119,7 +15150,7 @@ index 623f288..0683156 100644 pushl_cfi %ebx movl PT_EAX(%esp),%eax /* reload syscall number */ jmp sysenter_do_call -@@ -474,10 +650,16 @@ sysexit_audit: +@@ -474,10 +661,16 @@ sysexit_audit: CFI_ENDPROC .pushsection .fixup,"ax" @@ -15138,7 +15169,19 @@ index 623f288..0683156 100644 PTGS_TO_GS_EX ENDPROC(ia32_sysenter_target) -@@ -509,6 +691,15 @@ syscall_exit: +@@ -491,6 +684,11 @@ ENTRY(system_call) + pushl_cfi %eax # save orig_eax + SAVE_ALL + GET_THREAD_INFO(%ebp) ++ ++#ifdef CONFIG_PAX_RANDKSTACK ++ pax_erase_kstack ++#endif ++ + # system call tracing in operation / emulation + testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp) + jnz syscall_trace_entry +@@ -509,6 +707,15 @@ syscall_exit: testl $_TIF_ALLWORK_MASK, %ecx # current->work jne syscall_exit_work @@ -15154,7 +15197,7 @@ index 623f288..0683156 100644 restore_all: TRACE_IRQS_IRET restore_all_notrace: -@@ -565,14 +756,34 @@ ldt_ss: +@@ -565,14 +772,34 @@ ldt_ss: * compensating for the offset by changing to the ESPFIX segment with * a base address that matches for the difference. */ @@ -15192,7 +15235,7 @@ index 623f288..0683156 100644 pushl_cfi $__ESPFIX_SS pushl_cfi %eax /* new kernel esp */ /* Disable interrupts, but do not irqtrace this section: we -@@ -601,35 +812,23 @@ work_resched: +@@ -601,35 +828,23 @@ work_resched: movl TI_flags(%ebp), %ecx andl $_TIF_WORK_MASK, %ecx # is there any work to be done other # than syscall tracing? @@ -15232,7 +15275,7 @@ index 623f288..0683156 100644 #endif TRACE_IRQS_ON ENABLE_INTERRUPTS(CLBR_NONE) -@@ -640,7 +839,7 @@ work_notifysig_v86: +@@ -640,7 +855,7 @@ work_notifysig_v86: xorl %edx, %edx call do_notify_resume jmp resume_userspace 
@@ -15241,7 +15284,7 @@ index 623f288..0683156 100644 # perform syscall exit tracing ALIGN -@@ -648,11 +847,14 @@ syscall_trace_entry: +@@ -648,11 +863,14 @@ syscall_trace_entry: movl $-ENOSYS,PT_EAX(%esp) movl %esp, %eax call syscall_trace_enter @@ -15257,7 +15300,7 @@ index 623f288..0683156 100644 # perform syscall exit tracing ALIGN -@@ -665,20 +867,24 @@ syscall_exit_work: +@@ -665,20 +883,24 @@ syscall_exit_work: movl %esp, %eax call syscall_trace_leave jmp resume_userspace @@ -15285,7 +15328,7 @@ index 623f288..0683156 100644 CFI_ENDPROC /* * End of kprobes section -@@ -750,6 +956,36 @@ ENTRY(ptregs_clone) +@@ -750,6 +972,36 @@ ENTRY(ptregs_clone) CFI_ENDPROC ENDPROC(ptregs_clone) @@ -15322,7 +15365,7 @@ index 623f288..0683156 100644 .macro FIXUP_ESPFIX_STACK /* * Switch back for ESPFIX stack to the normal zerobased stack -@@ -759,8 +995,15 @@ ENDPROC(ptregs_clone) +@@ -759,8 +1011,15 @@ ENDPROC(ptregs_clone) * normal stack and adjusts ESP with the matching offset. */ /* fixup the stack */ @@ -15340,7 +15383,7 @@ index 623f288..0683156 100644 shl $16, %eax addl %esp, %eax /* the adjusted stack pointer */ pushl_cfi $__KERNEL_DS -@@ -813,7 +1056,7 @@ vector=vector+1 +@@ -813,7 +1072,7 @@ vector=vector+1 .endr 2: jmp common_interrupt .endr @@ -15349,7 +15392,7 @@ index 623f288..0683156 100644 .previous END(interrupt) -@@ -861,7 +1104,7 @@ ENTRY(coprocessor_error) +@@ -861,7 +1120,7 @@ ENTRY(coprocessor_error) pushl_cfi $do_coprocessor_error jmp error_code CFI_ENDPROC @@ -15358,7 +15401,7 @@ index 623f288..0683156 100644 ENTRY(simd_coprocessor_error) RING0_INT_FRAME -@@ -882,7 +1125,7 @@ ENTRY(simd_coprocessor_error) +@@ -882,7 +1141,7 @@ ENTRY(simd_coprocessor_error) #endif jmp error_code CFI_ENDPROC @@ -15367,7 +15410,7 @@ index 623f288..0683156 100644 ENTRY(device_not_available) RING0_INT_FRAME -@@ -890,18 +1133,18 @@ ENTRY(device_not_available) +@@ -890,18 +1149,18 @@ ENTRY(device_not_available) pushl_cfi $do_device_not_available jmp error_code CFI_ENDPROC 
@@ -15389,7 +15432,7 @@ index 623f288..0683156 100644 #endif ENTRY(overflow) -@@ -910,7 +1153,7 @@ ENTRY(overflow) +@@ -910,7 +1169,7 @@ ENTRY(overflow) pushl_cfi $do_overflow jmp error_code CFI_ENDPROC @@ -15398,7 +15441,7 @@ index 623f288..0683156 100644 ENTRY(bounds) RING0_INT_FRAME -@@ -918,7 +1161,7 @@ ENTRY(bounds) +@@ -918,7 +1177,7 @@ ENTRY(bounds) pushl_cfi $do_bounds jmp error_code CFI_ENDPROC @@ -15407,7 +15450,7 @@ index 623f288..0683156 100644 ENTRY(invalid_op) RING0_INT_FRAME -@@ -926,7 +1169,7 @@ ENTRY(invalid_op) +@@ -926,7 +1185,7 @@ ENTRY(invalid_op) pushl_cfi $do_invalid_op jmp error_code CFI_ENDPROC @@ -15416,7 +15459,7 @@ index 623f288..0683156 100644 ENTRY(coprocessor_segment_overrun) RING0_INT_FRAME -@@ -934,35 +1177,35 @@ ENTRY(coprocessor_segment_overrun) +@@ -934,35 +1193,35 @@ ENTRY(coprocessor_segment_overrun) pushl_cfi $do_coprocessor_segment_overrun jmp error_code CFI_ENDPROC @@ -15457,7 +15500,7 @@ index 623f288..0683156 100644 ENTRY(divide_error) RING0_INT_FRAME -@@ -970,7 +1213,7 @@ ENTRY(divide_error) +@@ -970,7 +1229,7 @@ ENTRY(divide_error) pushl_cfi $do_divide_error jmp error_code CFI_ENDPROC @@ -15466,7 +15509,7 @@ index 623f288..0683156 100644 #ifdef CONFIG_X86_MCE ENTRY(machine_check) -@@ -979,7 +1222,7 @@ ENTRY(machine_check) +@@ -979,7 +1238,7 @@ ENTRY(machine_check) pushl_cfi machine_check_vector jmp error_code CFI_ENDPROC @@ -15475,7 +15518,7 @@ index 623f288..0683156 100644 #endif ENTRY(spurious_interrupt_bug) -@@ -988,7 +1231,7 @@ ENTRY(spurious_interrupt_bug) +@@ -988,7 +1247,7 @@ ENTRY(spurious_interrupt_bug) pushl_cfi $do_spurious_interrupt_bug jmp error_code CFI_ENDPROC @@ -15484,7 +15527,7 @@ index 623f288..0683156 100644 /* * End of kprobes section */ -@@ -1100,7 +1343,7 @@ BUILD_INTERRUPT3(xen_hvm_callback_vector, XEN_HVM_EVTCHN_CALLBACK, +@@ -1100,7 +1359,7 @@ BUILD_INTERRUPT3(xen_hvm_callback_vector, XEN_HVM_EVTCHN_CALLBACK, ENTRY(mcount) ret 
@@ -15493,7 +15536,7 @@ index 623f288..0683156 100644 ENTRY(ftrace_caller) cmpl $0, function_trace_stop -@@ -1129,7 +1372,7 @@ ftrace_graph_call: +@@ -1129,7 +1388,7 @@ ftrace_graph_call: .globl ftrace_stub ftrace_stub: ret @@ -15502,7 +15545,7 @@ index 623f288..0683156 100644 #else /* ! CONFIG_DYNAMIC_FTRACE */ -@@ -1165,7 +1408,7 @@ trace: +@@ -1165,7 +1424,7 @@ trace: popl %ecx popl %eax jmp ftrace_stub @@ -15511,7 +15554,7 @@ index 623f288..0683156 100644 #endif /* CONFIG_DYNAMIC_FTRACE */ #endif /* CONFIG_FUNCTION_TRACER */ -@@ -1186,7 +1429,7 @@ ENTRY(ftrace_graph_caller) +@@ -1186,7 +1445,7 @@ ENTRY(ftrace_graph_caller) popl %ecx popl %eax ret @@ -15520,7 +15563,7 @@ index 623f288..0683156 100644 .globl return_to_handler return_to_handler: -@@ -1241,15 +1484,18 @@ error_code: +@@ -1241,15 +1500,18 @@ error_code: movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart REG_TO_PTGS %ecx SET_KERNEL_GS %ecx @@ -15541,7 +15584,7 @@ index 623f288..0683156 100644 /* * Debug traps and NMI can happen at the one SYSENTER instruction -@@ -1291,7 +1537,7 @@ debug_stack_correct: +@@ -1291,7 +1553,7 @@ debug_stack_correct: call do_debug jmp ret_from_exception CFI_ENDPROC @@ -15550,7 +15593,7 @@ index 623f288..0683156 100644 /* * NMI is doubly nasty. It can happen _while_ we're handling -@@ -1328,6 +1574,9 @@ nmi_stack_correct: +@@ -1328,6 +1590,9 @@ nmi_stack_correct: xorl %edx,%edx # zero error code movl %esp,%eax # pt_regs pointer call do_nmi @@ -15560,7 +15603,7 @@ index 623f288..0683156 100644 jmp restore_all_notrace CFI_ENDPROC -@@ -1364,12 +1613,15 @@ nmi_espfix_stack: +@@ -1364,12 +1629,15 @@ nmi_espfix_stack: FIXUP_ESPFIX_STACK # %eax == %esp xorl %edx,%edx # zero error code call do_nmi @@ -15577,7 +15620,7 @@ index 623f288..0683156 100644 ENTRY(int3) RING0_INT_FRAME -@@ -1381,14 +1633,14 @@ ENTRY(int3) +@@ -1381,14 +1649,14 @@ ENTRY(int3) call do_int3 jmp ret_from_exception CFI_ENDPROC 
@@ -15594,7 +15637,7 @@ index 623f288..0683156 100644 #ifdef CONFIG_KVM_GUEST ENTRY(async_page_fault) -@@ -1396,7 +1648,7 @@ ENTRY(async_page_fault) +@@ -1396,7 +1664,7 @@ ENTRY(async_page_fault) pushl_cfi $do_async_page_fault jmp error_code CFI_ENDPROC @@ -15604,7 +15647,7 @@ index 623f288..0683156 100644 /* diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index 7d65133..27bce5b 100644 +index 7d65133..c888d5f 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -57,6 +57,8 @@ @@ -15680,7 +15723,7 @@ index 7d65133..27bce5b 100644 jmp *%rdi #endif -@@ -180,6 +188,282 @@ ENTRY(native_usergs_sysret64) +@@ -180,6 +188,280 @@ ENTRY(native_usergs_sysret64) ENDPROC(native_usergs_sysret64) #endif /* CONFIG_PARAVIRT */ @@ -15909,12 +15952,9 @@ index 7d65133..27bce5b 100644 +.endm + +#ifdef CONFIG_PAX_MEMORY_STACKLEAK -+/* -+ * r11: thread_info -+ * rcx, rdx: can be clobbered -+ */ +ENTRY(pax_erase_kstack) + pushq %rdi ++ pushq %rcx + pushq %rax + pushq %r11 + @@ -15955,6 +15995,7 @@ index 7d65133..27bce5b 100644 + + popq %r11 + popq %rax ++ popq %rcx + popq %rdi + pax_force_retaddr + ret @@ -15963,7 +16004,7 @@ index 7d65133..27bce5b 100644 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET #ifdef CONFIG_TRACE_IRQFLAGS -@@ -271,8 +555,8 @@ ENDPROC(native_usergs_sysret64) +@@ -271,8 +553,8 @@ ENDPROC(native_usergs_sysret64) .endm .macro UNFAKE_STACK_FRAME @@ -15974,7 +16015,7 @@ index 7d65133..27bce5b 100644 .endm /* -@@ -359,7 +643,7 @@ ENDPROC(native_usergs_sysret64) +@@ -359,7 +641,7 @@ ENDPROC(native_usergs_sysret64) movq %rsp, %rsi leaq -RBP(%rsp),%rdi /* arg1 for handler */ @@ -15983,7 +16024,7 @@ index 7d65133..27bce5b 100644 je 1f SWAPGS /* -@@ -394,9 +678,10 @@ ENTRY(save_rest) +@@ -394,9 +676,10 @@ ENTRY(save_rest) movq_cfi r15, R15+16 movq %r11, 8(%rsp) /* return address */ FIXUP_TOP_OF_STACK %r11, 16 
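Review bot: The header comment on the 64-bit pax_erase_kstack (`r11: thread_info`, `rcx, rdx: can be clobbered`) is deleted rather than updated, so the routine loses its stated register contract at the very moment the contract changes (`%rcx` is now pushed and popped). Please restore an accurate header — e.g. `/* preserves all general-purpose registers */` if that is now true — and state the thread_info requirement explicitly: the new entry-time call sites in this commit run before any `GET_THREAD_INFO`, so if the routine still expects `%r11` to hold thread_info those calls are wrong, and if it now derives it itself (which the `pushq %r11` scratch save suggests) the comment should say so. The body between `pushq %r11` and `popq %r11` is not in these hunks, so neither `%rdx` nor the thread_info handling can be verified here.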
@@ -15995,7 +16036,7 @@ index 7d65133..27bce5b 100644 /* save complete stack frame */ .pushsection .kprobes.text, "ax" -@@ -425,9 +710,10 @@ ENTRY(save_paranoid) +@@ -425,9 +708,10 @@ ENTRY(save_paranoid) js 1f /* negative -> in kernel */ SWAPGS xorl %ebx,%ebx @@ -16008,7 +16049,7 @@ index 7d65133..27bce5b 100644 .popsection /* -@@ -449,7 +735,7 @@ ENTRY(ret_from_fork) +@@ -449,7 +733,7 @@ ENTRY(ret_from_fork) RESTORE_REST @@ -16017,7 +16058,7 @@ index 7d65133..27bce5b 100644 jz retint_restore_args testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET -@@ -459,7 +745,7 @@ ENTRY(ret_from_fork) +@@ -459,7 +743,7 @@ ENTRY(ret_from_fork) jmp ret_from_sys_call # go to the SYSRET fastpath CFI_ENDPROC @@ -16026,7 +16067,7 @@ index 7d65133..27bce5b 100644 /* * System call entry. Up to 6 arguments in registers are supported. -@@ -495,7 +781,7 @@ END(ret_from_fork) +@@ -495,7 +779,7 @@ END(ret_from_fork) ENTRY(system_call) CFI_STARTPROC simple CFI_SIGNAL_FRAME @@ -16035,12 +16076,17 @@ index 7d65133..27bce5b 100644 CFI_REGISTER rip,rcx /*CFI_REGISTER rflags,r11*/ SWAPGS_UNSAFE_STACK -@@ -508,16 +794,18 @@ GLOBAL(system_call_after_swapgs) +@@ -508,16 +792,23 @@ GLOBAL(system_call_after_swapgs) movq %rsp,PER_CPU_VAR(old_rsp) movq PER_CPU_VAR(kernel_stack),%rsp + SAVE_ARGS 8*6,0 + pax_enter_kernel_user ++ ++#ifdef CONFIG_PAX_RANDKSTACK ++ pax_erase_kstack ++#endif ++ /* * No need to follow this irqs off/on section - it's straight * and short: @@ -16056,7 +16102,7 @@ index 7d65133..27bce5b 100644 jnz tracesys system_call_fastpath: #if __SYSCALL_MASK == ~0 -@@ -527,7 +815,7 @@ system_call_fastpath: +@@ -527,7 +818,7 @@ system_call_fastpath: cmpl $__NR_syscall_max,%eax #endif ja badsys @@ -16065,7 +16111,7 @@ index 7d65133..27bce5b 100644 call *sys_call_table(,%rax,8) # XXX: rip relative movq %rax,RAX-ARGOFFSET(%rsp) /* -@@ -541,10 +829,13 @@ sysret_check: +@@ -541,10 +832,13 @@ sysret_check: LOCKDEP_SYS_EXIT DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF 
@@ -16080,7 +16126,7 @@ index 7d65133..27bce5b 100644 /* * sysretq will re-enable interrupts: */ -@@ -596,14 +887,18 @@ badsys: +@@ -596,14 +890,18 @@ badsys: * jump back to the normal fast path. */ auditsys: @@ -16100,7 +16146,7 @@ index 7d65133..27bce5b 100644 jmp system_call_fastpath /* -@@ -624,7 +919,7 @@ sysret_audit: +@@ -624,7 +922,7 @@ sysret_audit: /* Do syscall tracing */ tracesys: #ifdef CONFIG_AUDITSYSCALL @@ -16109,7 +16155,7 @@ index 7d65133..27bce5b 100644 jz auditsys #endif SAVE_REST -@@ -632,12 +927,16 @@ tracesys: +@@ -632,12 +930,16 @@ tracesys: FIXUP_TOP_OF_STACK %rdi movq %rsp,%rdi call syscall_trace_enter @@ -16126,7 +16172,7 @@ index 7d65133..27bce5b 100644 RESTORE_REST #if __SYSCALL_MASK == ~0 cmpq $__NR_syscall_max,%rax -@@ -646,7 +945,7 @@ tracesys: +@@ -646,7 +948,7 @@ tracesys: cmpl $__NR_syscall_max,%eax #endif ja int_ret_from_sys_call /* RAX(%rsp) set to -ENOSYS above */ @@ -16135,15 +16181,18 @@ index 7d65133..27bce5b 100644 call *sys_call_table(,%rax,8) movq %rax,RAX-ARGOFFSET(%rsp) /* Use IRET because user could have changed frame */ -@@ -667,6 +966,7 @@ GLOBAL(int_with_check) +@@ -667,7 +969,9 @@ GLOBAL(int_with_check) andl %edi,%edx jnz int_careful andl $~TS_COMPAT,TI_status(%rcx) +- jmp retint_swapgs ++ pax_exit_kernel_user + pax_erase_kstack - jmp retint_swapgs ++ jmp retint_swapgs_pax /* Either reschedule or signal or syscall exit tracking needed. */ -@@ -713,7 +1013,7 @@ int_restore_rest: + /* First do a reschedule test. */ +@@ -713,7 +1017,7 @@ int_restore_rest: TRACE_IRQS_OFF jmp int_with_check CFI_ENDPROC @@ -16152,7 +16201,7 @@ index 7d65133..27bce5b 100644 /* * Certain special system calls that need to save a complete full stack frame. -@@ -729,7 +1029,7 @@ ENTRY(\label) +@@ -729,7 +1033,7 @@ ENTRY(\label) call \func jmp ptregscall_common CFI_ENDPROC 
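Review bot: The int_with_check exit path now runs `pax_exit_kernel_user` and `pax_erase_kstack` itself and jumps to the new `retint_swapgs_pax` label, skipping the `pax_exit_kernel_user` that retint_swapgs performs after its own `DISABLE_INTERRUPTS(CLBR_ANY)`; that is only safe if interrupts are already off at int_with_check, which this hunk does not show and which should be confirmed from the surrounding exit code. A comment at the jump, `/* irqs off here; pax_exit_kernel_user already done, so skip retint_swapgs' own */`, would make the invariant explicit for anyone adding a third caller. Note also that the erase now runs after `pax_exit_kernel_user` on this path, so whatever state that hook switches must still allow the erase to touch the kernel stack — worth a word in the same comment. The function continues outside this hunk.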
@@ -16161,7 +16210,7 @@ index 7d65133..27bce5b 100644 .endm PTREGSCALL stub_clone, sys_clone, %r8 -@@ -747,9 +1047,10 @@ ENTRY(ptregscall_common) +@@ -747,9 +1051,10 @@ ENTRY(ptregscall_common) movq_cfi_restore R12+8, r12 movq_cfi_restore RBP+8, rbp movq_cfi_restore RBX+8, rbx @@ -16173,7 +16222,7 @@ index 7d65133..27bce5b 100644 ENTRY(stub_execve) CFI_STARTPROC -@@ -764,7 +1065,7 @@ ENTRY(stub_execve) +@@ -764,7 +1069,7 @@ ENTRY(stub_execve) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -16182,7 +16231,7 @@ index 7d65133..27bce5b 100644 /* * sigreturn is special because it needs to restore all registers on return. -@@ -782,7 +1083,7 @@ ENTRY(stub_rt_sigreturn) +@@ -782,7 +1087,7 @@ ENTRY(stub_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -16191,7 +16240,7 @@ index 7d65133..27bce5b 100644 #ifdef CONFIG_X86_X32_ABI PTREGSCALL stub_x32_sigaltstack, sys32_sigaltstack, %rdx -@@ -851,7 +1152,7 @@ vector=vector+1 +@@ -851,7 +1156,7 @@ vector=vector+1 2: jmp common_interrupt .endr CFI_ENDPROC @@ -16200,7 +16249,7 @@ index 7d65133..27bce5b 100644 .previous END(interrupt) -@@ -871,6 +1172,16 @@ END(interrupt) +@@ -871,6 +1176,16 @@ END(interrupt) subq $ORIG_RAX-RBP, %rsp CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP SAVE_ARGS_IRQ @@ -16217,7 +16266,7 @@ index 7d65133..27bce5b 100644 call \func .endm -@@ -902,7 +1213,7 @@ ret_from_intr: +@@ -902,7 +1217,7 @@ ret_from_intr: exit_intr: GET_THREAD_INFO(%rcx) @@ -16226,11 +16275,12 @@ index 7d65133..27bce5b 100644 je retint_kernel /* Interrupt came from user space */ -@@ -924,12 +1235,15 @@ retint_swapgs: /* return to user-space */ +@@ -924,12 +1239,16 @@ retint_swapgs: /* return to user-space */ * The iretq could re-enable interrupts: */ DISABLE_INTERRUPTS(CLBR_ANY) + pax_exit_kernel_user ++retint_swapgs_pax: TRACE_IRQS_IRETQ SWAPGS jmp restore_args 
@@ -16242,7 +16292,7 @@ index 7d65133..27bce5b 100644 /* * The iretq could re-enable interrupts: */ -@@ -1012,7 +1326,7 @@ ENTRY(retint_kernel) +@@ -1012,7 +1331,7 @@ ENTRY(retint_kernel) #endif CFI_ENDPROC @@ -16251,7 +16301,7 @@ index 7d65133..27bce5b 100644 /* * End of kprobes section */ -@@ -1029,7 +1343,7 @@ ENTRY(\sym) +@@ -1029,7 +1348,7 @@ ENTRY(\sym) interrupt \do_sym jmp ret_from_intr CFI_ENDPROC @@ -16260,7 +16310,7 @@ index 7d65133..27bce5b 100644 .endm #ifdef CONFIG_SMP -@@ -1102,12 +1416,22 @@ ENTRY(\sym) +@@ -1102,12 +1421,22 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call error_entry DEFAULT_FRAME 0 @@ -16284,7 +16334,7 @@ index 7d65133..27bce5b 100644 .endm .macro paranoidzeroentry sym do_sym -@@ -1119,15 +1443,25 @@ ENTRY(\sym) +@@ -1119,15 +1448,25 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call save_paranoid TRACE_IRQS_OFF @@ -16312,7 +16362,7 @@ index 7d65133..27bce5b 100644 .macro paranoidzeroentry_ist sym do_sym ist ENTRY(\sym) INTR_FRAME -@@ -1137,14 +1471,30 @@ ENTRY(\sym) +@@ -1137,14 +1476,30 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call save_paranoid TRACE_IRQS_OFF_DEBUG @@ -16344,7 +16394,7 @@ index 7d65133..27bce5b 100644 .endm .macro errorentry sym do_sym -@@ -1155,13 +1505,23 @@ ENTRY(\sym) +@@ -1155,13 +1510,23 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call error_entry DEFAULT_FRAME 0 @@ -16369,7 +16419,7 @@ index 7d65133..27bce5b 100644 .endm /* error code is on the stack already */ -@@ -1174,13 +1534,23 @@ ENTRY(\sym) +@@ -1174,13 +1539,23 @@ ENTRY(\sym) call save_paranoid DEFAULT_FRAME 0 TRACE_IRQS_OFF @@ -16394,7 +16444,7 @@ index 7d65133..27bce5b 100644 .endm zeroentry divide_error do_divide_error -@@ -1210,9 +1580,10 @@ gs_change: +@@ -1210,9 +1585,10 @@ gs_change: 2: mfence /* workaround */ SWAPGS popfq_cfi 
@@ -16406,7 +16456,7 @@ index 7d65133..27bce5b 100644 _ASM_EXTABLE(gs_change,bad_gs) .section .fixup,"ax" -@@ -1231,13 +1602,14 @@ ENTRY(kernel_thread_helper) +@@ -1231,13 +1607,14 @@ ENTRY(kernel_thread_helper) * Here we are in the child and the registers are set as they were * at kernel_thread() invocation in the parent. */ @@ -16422,7 +16472,7 @@ index 7d65133..27bce5b 100644 /* * execve(). This function needs to use IRET, not SYSRET, to set up all state properly. -@@ -1264,11 +1636,11 @@ ENTRY(kernel_execve) +@@ -1264,11 +1641,11 @@ ENTRY(kernel_execve) RESTORE_REST testq %rax,%rax je int_ret_from_sys_call @@ -16436,7 +16486,7 @@ index 7d65133..27bce5b 100644 /* Call softirq on interrupt stack. Interrupts are off. */ ENTRY(call_softirq) -@@ -1286,9 +1658,10 @@ ENTRY(call_softirq) +@@ -1286,9 +1663,10 @@ ENTRY(call_softirq) CFI_DEF_CFA_REGISTER rsp CFI_ADJUST_CFA_OFFSET -8 decl PER_CPU_VAR(irq_count) @@ -16448,7 +16498,7 @@ index 7d65133..27bce5b 100644 #ifdef CONFIG_XEN zeroentry xen_hypervisor_callback xen_do_hypervisor_callback -@@ -1326,7 +1699,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) +@@ -1326,7 +1704,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) decl PER_CPU_VAR(irq_count) jmp error_exit CFI_ENDPROC @@ -16457,7 +16507,7 @@ index 7d65133..27bce5b 100644 /* * Hypervisor uses this for application faults while it executes. -@@ -1385,7 +1758,7 @@ ENTRY(xen_failsafe_callback) +@@ -1385,7 +1763,7 @@ ENTRY(xen_failsafe_callback) SAVE_ALL jmp error_exit CFI_ENDPROC @@ -16466,7 +16516,7 @@ index 7d65133..27bce5b 100644 apicinterrupt XEN_HVM_EVTCHN_CALLBACK \ xen_hvm_callback_vector xen_evtchn_do_upcall -@@ -1434,16 +1807,31 @@ ENTRY(paranoid_exit) +@@ -1434,16 +1812,31 @@ ENTRY(paranoid_exit) TRACE_IRQS_OFF_DEBUG testl %ebx,%ebx /* swapgs needed? */ jnz paranoid_restore 
@@ -16499,7 +16549,7 @@ index 7d65133..27bce5b 100644 jmp irq_return paranoid_userspace: GET_THREAD_INFO(%rcx) -@@ -1472,7 +1860,7 @@ paranoid_schedule: +@@ -1472,7 +1865,7 @@ paranoid_schedule: TRACE_IRQS_OFF jmp paranoid_userspace CFI_ENDPROC @@ -16508,7 +16558,7 @@ index 7d65133..27bce5b 100644 /* * Exception entry point. This expects an error code/orig_rax on the stack. -@@ -1499,12 +1887,13 @@ ENTRY(error_entry) +@@ -1499,12 +1892,13 @@ ENTRY(error_entry) movq_cfi r14, R14+8 movq_cfi r15, R15+8 xorl %ebx,%ebx @@ -16523,7 +16573,7 @@ index 7d65133..27bce5b 100644 ret /* -@@ -1531,7 +1920,7 @@ bstep_iret: +@@ -1531,7 +1925,7 @@ bstep_iret: movq %rcx,RIP+8(%rsp) jmp error_swapgs CFI_ENDPROC @@ -16532,7 +16582,7 @@ index 7d65133..27bce5b 100644 /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */ -@@ -1551,7 +1940,7 @@ ENTRY(error_exit) +@@ -1551,7 +1945,7 @@ ENTRY(error_exit) jnz retint_careful jmp retint_swapgs CFI_ENDPROC @@ -16541,7 +16591,7 @@ index 7d65133..27bce5b 100644 /* * Test if a given stack is an NMI stack or not. -@@ -1609,9 +1998,11 @@ ENTRY(nmi) +@@ -1609,9 +2003,11 @@ ENTRY(nmi) * If %cs was not the kernel segment, then the NMI triggered in user * space, which means it is definitely not nested. */ @@ -16554,7 +16604,7 @@ index 7d65133..27bce5b 100644 /* * Check the special variable on the stack to see if NMIs are * executing. -@@ -1758,6 +2149,16 @@ end_repeat_nmi: +@@ -1758,6 +2154,16 @@ end_repeat_nmi: */ call save_paranoid DEFAULT_FRAME 0 @@ -16571,7 +16621,7 @@ index 7d65133..27bce5b 100644 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */ movq %rsp,%rdi movq $-1,%rsi -@@ -1765,21 +2166,32 @@ end_repeat_nmi: +@@ -1765,21 +2171,32 @@ end_repeat_nmi: testl %ebx,%ebx /* swapgs needed? */ jnz nmi_restore nmi_swapgs: 
@@ -46919,6 +46969,18 @@ index c99163b..a11ad40 100644 res = next - LAST_INO_BATCH; } +diff --git a/fs/isofs/export.c b/fs/isofs/export.c +index aa4356d..1d38044 100644 +--- a/fs/isofs/export.c ++++ b/fs/isofs/export.c +@@ -134,6 +134,7 @@ isofs_export_encode_fh(struct inode *inode, + len = 3; + fh32[0] = ei->i_iget5_block; + fh16[2] = (__u16)ei->i_iget5_offset; /* fh16 [sic] */ ++ fh16[3] = 0; /* avoid leaking uninitialized data */ + fh32[2] = inode->i_generation; + if (parent) { + struct iso_inode_info *eparent; diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c index 4a6cf28..d3a29d3 100644 --- a/fs/jffs2/erase.c @@ -49908,6 +49970,18 @@ index c175b4d..8f36a16 100644 u8 checksum = 0; int i; for (i = 0; i < sizeof(struct tag); ++i) +diff --git a/fs/udf/namei.c b/fs/udf/namei.c +index 1802417..c31deb3 100644 +--- a/fs/udf/namei.c ++++ b/fs/udf/namei.c +@@ -1279,6 +1279,7 @@ static int udf_encode_fh(struct inode *inode, __u32 *fh, int *lenp, + *lenp = 3; + fid->udf.block = location.logicalBlockNum; + fid->udf.partref = location.partitionReferenceNum; ++ fid->udf.parent_partref = 0; + fid->udf.generation = inode->i_generation; + + if (parent) { diff --git a/fs/utimes.c b/fs/utimes.c index fa4dbe4..e12d1b9 100644 --- a/fs/utimes.c @@ -62371,7 +62445,7 @@ index 8185f57..7b2d222 100644 }; diff --git a/include/linux/init.h b/include/linux/init.h -index 6b95109..bcbdd68 100644 +index 6b95109..7616d09 100644 --- a/include/linux/init.h +++ b/include/linux/init.h @@ -39,9 +39,15 @@ 
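Review bot: Both backported file-handle fixes on this line, `fh16[3] = 0` in `isofs_export_encode_fh` and `fid->udf.parent_partref = 0` in `udf_encode_fh` (later hunk on the same line), close the uninitialised-word leak by zeroing a single field rather than the exported buffer, so any future change to the handle layout that adds or moves padding would silently reopen the gap; clearing the whole region reported by `len`/`*lenp` before the field assignments would be the more robust shape. The isofs line explains itself with `/* avoid leaking uninitialized data */`; the udf assignment has no comment and would benefit from the same one, since a later reader may otherwise remove an apparently pointless store. Both enclosing functions start outside their hunks, so the size needed for a blanket clear is not visible here.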
@@ -62418,22 +62492,6 @@ index 6b95109..bcbdd68 100644 #define __meminitdata __section(.meminit.data) #define __meminitconst __section(.meminit.rodata) #define __memexit __section(.memexit.text) __exitused __cold notrace -@@ -294,13 +300,13 @@ void __init parse_early_options(char *cmdline); - - /* Each module must use one module_init(). */ - #define module_init(initfn) \ -- static inline initcall_t __inittest(void) \ -+ static inline __used initcall_t __inittest(void) \ - { return initfn; } \ - int init_module(void) __attribute__((alias(#initfn))); - - /* This is only required if you want to be unloadable. */ - #define module_exit(exitfn) \ -- static inline exitcall_t __exittest(void) \ -+ static inline __used exitcall_t __exittest(void) \ - { return exitfn; } \ - void cleanup_module(void) __attribute__((alias(#exitfn))); - diff --git a/include/linux/init_task.h b/include/linux/init_task.h index 9e65eff..b131e8b 100644 --- a/include/linux/init_task.h @@ -70525,18 +70583,6 @@ index 66ce414..6f0a0dd 100644 err_printk(dev, NULL, "DMA-API: device driver maps memory from" "stack [addr=%p]\n", addr); } -diff --git a/lib/extable.c b/lib/extable.c -index 4cac81e..4d66cfc 100644 ---- a/lib/extable.c -+++ b/lib/extable.c -@@ -13,6 +13,7 @@ - #include <linux/init.h> - #include <linux/sort.h> - #include <asm/uaccess.h> -+#include <asm/pgtable.h> - - #ifndef ARCH_HAS_SORT_EXTABLE - /* diff --git a/lib/inflate.c b/lib/inflate.c index 013a761..c28f3fc 100644 --- a/lib/inflate.c 
@@ -78991,6 +79037,18 @@ index ccfbd32..9b61cf9f 100644 } } +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 44293b3..be1d3e58 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1413,6 +1413,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb) + struct xfrm_user_tmpl *up = &vec[i]; + struct xfrm_tmpl *kp = &xp->xfrm_vec[i]; + ++ memset(up, 0, sizeof(*up)); + memcpy(&up->id, &kp->id, sizeof(up->id)); + up->family = kp->encap_family; + memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr)); diff --git a/scripts/Makefile.build b/scripts/Makefile.build index ff1720d..ed8475e 100644 --- a/scripts/Makefile.build @@ -79386,10 +79444,10 @@ index 5c11312..72742b5 100644 write_hex_cnt = 0; for (i = 0; i < logo_clutsize; i++) { diff --git a/security/Kconfig b/security/Kconfig -index e9c6ac7..4349785 100644 +index e9c6ac7..58348f4 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,876 @@ +@@ -4,6 +4,888 @@ menu "Security options" @@ -79975,6 +80033,10 @@ index e9c6ac7..4349785 100644 + Select the method used to instrument function pointer dereferences. + Note that binary modules cannot be instrumented by this approach. + ++ Note that the implementation requires a gcc with plugin support, ++ i.e., gcc 4.5 or newer. You may need to install the supporting ++ headers explicitly in addition to the normal gcc package. ++ + config PAX_KERNEXEC_PLUGIN_METHOD_BTS + bool "bts" + help 
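Review bot: The `memset(up, 0, sizeof(*up))` added in `copy_to_user_tmpl` has no comment on why a struct that is then assigned field by field needs clearing; presumably `struct xfrm_user_tmpl` carries padding or unassigned bytes that would otherwise reach userspace through the netlink reply, and that reason should be recorded so a later cleanup does not drop the call as redundant. Suggest `/* clear padding and any unassigned bytes before this reaches userspace */` above it. Since `up` is `&vec[i]` inside the loop, a single clear of `vec` before the loop would cover all entries in one call if `vec` is a local array, but its declaration is outside the hunk. The enclosing function starts outside the hunk.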
@@ -80148,11 +80210,12 @@ index e9c6ac7..4349785 100644 + and you are advised to test this feature on your expected workload + before deploying it. + -+ Note: full support for this feature requires gcc with plugin support -+ so make sure your compiler is at least gcc 4.5.0. Using older gcc -+ versions means that functions with large enough stack frames may -+ leave uninitialized memory behind that may be exposed to a later -+ syscall leaking the stack. ++ Note that the full feature requires a gcc with plugin support, ++ i.e., gcc 4.5 or newer. You may need to install the supporting ++ headers explicitly in addition to the normal gcc package. Using ++ older gcc versions means that functions with large enough stack ++ frames may leave uninitialized memory behind that may be exposed ++ to a later syscall leaking the stack. + +config PAX_MEMORY_UDEREF + bool "Prevent invalid userland pointer dereference" @@ -80234,11 +80297,14 @@ index e9c6ac7..4349785 100644 + arguments marked by a size_overflow attribute with double integer + precision (DImode/TImode for 32/64 bit integer types). + -+ The recomputed argument is checked against INT_MAX and an event ++ The recomputed argument is checked against TYPE_MAX and an event + is logged on overflow and the triggering process is killed. + -+ Homepage: -+ http://www.grsecurity.net/~ephox/overflow_plugin/ ++ Homepage: http://www.grsecurity.net/~ephox/overflow_plugin/ ++ ++ Note that the implementation requires a gcc with plugin support, ++ i.e., gcc 4.5 or newer. You may need to install the supporting ++ headers explicitly in addition to the normal gcc package. + +config PAX_LATENT_ENTROPY + bool "Generate some entropy during boot" 
@@ -80250,6 +80316,10 @@ index e9c6ac7..4349785 100644 + there is little 'natural' source of entropy normally. The cost + is some slowdown of the boot process. + ++ Note that the implementation requires a gcc with plugin support, ++ i.e., gcc 4.5 or newer. You may need to install the supporting ++ headers explicitly in addition to the normal gcc package. ++ + Note that entropy extracted this way is not cryptographically + secure! + @@ -80266,7 +80336,7 @@ index e9c6ac7..4349785 100644 source security/keys/Kconfig config SECURITY_DMESG_RESTRICT -@@ -103,7 +973,7 @@ config INTEL_TXT +@@ -103,7 +985,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX |