author | Anthony G. Basile <blueness@gentoo.org> | 2016-02-08 03:06:43 -0500 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2016-02-08 03:06:43 -0500 |
commit | 2ba70c31916532781f96e738155b5be997778910 (patch) | |
tree | a441d7358698b15edeb9c75698c2b2764eded49e | |
parent | grsecurity-3.1-4.3.5-201602032209 (diff) | |
grsecurity-3.1-4.3.5-20160207091020160207
-rw-r--r-- | 4.3.5/0000_README | 2 | ||||
-rw-r--r-- | 4.3.5/4420_grsecurity-3.1-4.3.5-201602070910.patch (renamed from 4.3.5/4420_grsecurity-3.1-4.3.5-201602032209.patch) | 429 |
2 files changed, 201 insertions, 230 deletions
diff --git a/4.3.5/0000_README b/4.3.5/0000_README index 3ec071f..40c470e 100644 --- a/4.3.5/0000_README +++ b/4.3.5/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.1-4.3.5-201602032209.patch +Patch: 4420_grsecurity-3.1-4.3.5-201602070910.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.3.5/4420_grsecurity-3.1-4.3.5-201602032209.patch b/4.3.5/4420_grsecurity-3.1-4.3.5-201602070910.patch index 562e55c..e639b69 100644 --- a/4.3.5/4420_grsecurity-3.1-4.3.5-201602032209.patch +++ b/4.3.5/4420_grsecurity-3.1-4.3.5-201602070910.patch @@ -1048,10 +1048,18 @@ index 78c0621..94cd626 100644 Counts number of I and D TLB Misses and exports them via Debugfs The counters can be cleared via Debugfs as well diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig -index 639411f..82e6320 100644 +index 639411f..d4b3233 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig -@@ -1785,7 +1785,7 @@ config ALIGNMENT_TRAP +@@ -1708,6 +1708,7 @@ config HIGHPTE + config CPU_SW_DOMAIN_PAN + bool "Enable use of CPU domains to implement privileged no-access" + depends on MMU && !ARM_LPAE ++ depends on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF + default y + help + Increase kernel security by ensuring that normal kernel accesses +@@ -1785,7 +1786,7 @@ config ALIGNMENT_TRAP config UACCESS_WITH_MEMCPY bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()" @@ -1060,7 +1068,7 @@ index 639411f..82e6320 100644 default y if CPU_FEROCEON help Implement faster copy_to_user and clear_user methods for CPU -@@ -2022,6 +2022,7 @@ config KEXEC +@@ -2022,6 +2023,7 @@ config KEXEC depends on (!SMP || PM_SLEEP_SMP) depends on !CPU_V7M select KEXEC_CORE @@ -1747,7 +1755,7 @@ index 0f84249..8e83c55 100644 struct of_cpuidle_method { const char *method; 
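Review bot: The new `depends on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF` on CPU_SW_DOMAIN_PAN (inner hunk @@ -1708 in arch/arm/Kconfig) silently hides the option for configurations that previously had it enabled, and neither help text says why. Together with the dropped `select CPU_SW_DOMAIN_PAN if ARM` under PAX_MEMORY_UDEREF in security/Kconfig (last file section of this diff), a kernel with UDEREF now builds without the mainline PAN emulation, which looks intended since the PaX branches added to asm/domain.h take over domain handling, but the exclusion is only discoverable from the dependency line. A sentence in the CPU_SW_DOMAIN_PAN help such as `This option is not available when PAX_KERNEXEC or PAX_MEMORY_UDEREF is enabled; those features provide their own domain-based user access control.` would make the choice explicit to anyone comparing old and new .config files.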
diff --git a/arch/arm/include/asm/domain.h b/arch/arm/include/asm/domain.h -index fc8ba16..8b84f53 100644 +index fc8ba16..0c20017 100644 --- a/arch/arm/include/asm/domain.h +++ b/arch/arm/include/asm/domain.h @@ -42,7 +42,6 @@ @@ -1786,15 +1794,47 @@ index fc8ba16..8b84f53 100644 #define domain_mask(dom) ((3) << (2 * (dom))) #define domain_val(dom,type) ((type) << (2 * (dom))) -@@ -62,7 +79,7 @@ +@@ -62,13 +79,19 @@ #define DACR_INIT \ (domain_val(DOMAIN_USER, DOMAIN_NOACCESS) | \ domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \ - domain_val(DOMAIN_IO, DOMAIN_CLIENT) | \ + domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT) | \ domain_val(DOMAIN_VECTORS, DOMAIN_CLIENT)) ++#elif CONFIG_PAX_MEMORY_UDEREF ++ /* DOMAIN_VECTORS is defined to DOMAIN_KERNEL */ ++#define DACR_INIT \ ++ (domain_val(DOMAIN_USER, DOMAIN_USERCLIENT) | \ ++ domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \ ++ domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT)) #else #define DACR_INIT \ +- (domain_val(DOMAIN_USER, DOMAIN_CLIENT) | \ ++ (domain_val(DOMAIN_USER, DOMAIN_USERCLIENT) | \ + domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \ +- domain_val(DOMAIN_IO, DOMAIN_CLIENT) | \ ++ domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT) | \ + domain_val(DOMAIN_VECTORS, DOMAIN_CLIENT)) + #endif + +@@ -113,6 +136,17 @@ static inline void set_domain(unsigned val) + set_domain(domain); \ + } while (0) + ++#elif defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) ++#define modify_domain(dom,type) \ ++ do { \ ++ struct thread_info *thread = current_thread_info(); \ ++ unsigned int domain = get_domain(); \ ++ domain &= ~domain_mask(dom); \ ++ domain = domain | domain_val(dom, type); \ ++ thread->cpu_domain = domain; \ ++ set_domain(domain); \ ++ } while (0) ++ + #else + static inline void modify_domain(unsigned dom, unsigned type) { } + #endif diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h index d2315ff..f60b47b 100644 --- a/arch/arm/include/asm/elf.h 
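Review bot: The new DACR_INIT branch tests `#elif CONFIG_PAX_MEMORY_UDEREF` while the modify_domain branch added in the same file uses `#elif defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)`; the bare form only works because Kconfig bools expand to 1 and it trips -Wundef when the symbol is unset. `#elif defined(CONFIG_PAX_MEMORY_UDEREF)` keeps both checks in one style. In the added modify_domain macro, `domain = domain | domain_val(dom, type);` can be `domain |= domain_val(dom, type);`, matching the `&=` on the line before it. The `/* DOMAIN_VECTORS is defined to DOMAIN_KERNEL */` comment would be clearer as a statement of why that initializer has no DOMAIN_VECTORS term, e.g. `/* no DOMAIN_VECTORS term: under UDEREF it is the same domain as DOMAIN_KERNEL */`, if that is indeed what it means.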
@@ -1830,61 +1870,17 @@ index de53547..52b9a28 100644 (unsigned long)(dest_buf) + (size)); \ \ diff --git a/arch/arm/include/asm/futex.h b/arch/arm/include/asm/futex.h -index 6795368..b784325 100644 +index 6795368..6c4d749 100644 --- a/arch/arm/include/asm/futex.h +++ b/arch/arm/include/asm/futex.h -@@ -52,6 +52,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) - return -EFAULT; - -+ pax_open_userland(); -+ - smp_mb(); - /* Prefetching cannot fault */ - prefetchw(uaddr); -@@ -71,6 +73,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, - uaccess_restore(__ua_flags); - smp_mb(); - -+ pax_close_userland(); -+ - *uval = val; - return ret; - } -@@ -107,6 +111,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, +@@ -107,6 +107,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, return -EFAULT; preempt_disable(); -+ pax_open_userland(); + __ua_flags = uaccess_save_and_enable(); __asm__ __volatile__("@futex_atomic_cmpxchg_inatomic\n" "1: " TUSER(ldr) " %1, [%4]\n" -@@ -119,6 +125,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, - : "cc", "memory"); - uaccess_restore(__ua_flags); - -+ pax_close_userland(); -+ - *uval = val; - preempt_enable(); - -@@ -146,6 +154,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) - preempt_disable(); - #endif - pagefault_disable(); -+ pax_open_userland(); - - switch (op) { - case FUTEX_OP_SET: -@@ -167,6 +176,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) - ret = -ENOSYS; - } - -+ pax_close_userland(); - pagefault_enable(); - #ifndef CONFIG_SMP - preempt_enable(); diff --git a/arch/arm/include/asm/kmap_types.h b/arch/arm/include/asm/kmap_types.h index 83eb2f7..ed77159 100644 --- a/arch/arm/include/asm/kmap_types.h @@ -2202,10 +2198,20 @@ index ef35665..d69146d 100644 struct of_cpu_method { const char *method; 
diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h -index 776757d..5a598df 100644 +index 776757d..a552c1d 100644 --- a/arch/arm/include/asm/thread_info.h +++ b/arch/arm/include/asm/thread_info.h -@@ -143,6 +143,10 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *, +@@ -73,6 +73,9 @@ struct thread_info { + .flags = 0, \ + .preempt_count = INIT_PREEMPT_COUNT, \ + .addr_limit = KERNEL_DS, \ ++ .cpu_domain = domain_val(DOMAIN_USER, DOMAIN_USERCLIENT) | \ ++ domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT) | \ ++ domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT), \ + } + + #define init_thread_info (init_thread_union.thread_info) +@@ -143,6 +146,10 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *, #define TIF_SYSCALL_AUDIT 5 /* syscall auditing active */ #define TIF_SYSCALL_TRACEPOINT 6 /* syscall tracepoint instrumentation */ #define TIF_SECCOMP 7 /* seccomp syscall filtering active */ @@ -2216,7 +2222,7 @@ index 776757d..5a598df 100644 #define TIF_NOHZ 12 /* in adaptive nohz mode */ #define TIF_USING_IWMMXT 17 -@@ -158,10 +162,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *, +@@ -158,10 +165,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *, #define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT) #define _TIF_SECCOMP (1 << TIF_SECCOMP) #define _TIF_USING_IWMMXT (1 << TIF_USING_IWMMXT) @@ -2252,7 +2258,7 @@ index 5f833f7..76e6644 100644 } diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h -index 8cc85a4..5f24fe2 100644 +index 8cc85a4..28c2880 100644 --- a/arch/arm/include/asm/uaccess.h +++ b/arch/arm/include/asm/uaccess.h @@ -18,6 +18,7 @@ 
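Review bot: The `.cpu_domain` initializer added to INIT_THREAD_INFO gives DOMAIN_KERNEL the value DOMAIN_KERNELCLIENT, while every DACR_INIT branch in asm/domain.h (changed in the same commit) keeps DOMAIN_KERNEL as DOMAIN_MANAGER, and nothing explains the difference. If the init task is meant to run with kernel-domain permission checks enforced from its first schedule onwards (presumably what KERNEXEC wants), a comment on the initializer such as `/* unlike DACR_INIT, the kernel domain starts as a client here so page permissions apply once the init task is scheduled */` would stop a later reader from "fixing" it back to MANAGER. The initializer is also unconditional, whereas copy_thread() in arch/arm/kernel/process.c only propagates cpu_domain under CONFIG_CPU_USE_DOMAINS, CONFIG_PAX_KERNEXEC or CONFIG_PAX_MEMORY_UDEREF; that is harmless as long as the field exists in every configuration, which this hunk does not show.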
@@ -2263,16 +2269,35 @@ index 8cc85a4..5f24fe2 100644 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS #include <asm-generic/uaccess-unaligned.h> -@@ -99,11 +100,38 @@ extern int __put_user_bad(void); - static inline void set_fs(mm_segment_t fs) - { - current_thread_info()->addr_limit = fs; -- modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER); -+ modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_KERNELCLIENT : DOMAIN_MANAGER); - } - - #define segment_eq(a, b) ((a) == (b)) +@@ -50,6 +51,59 @@ struct exception_table_entry + extern int fixup_exception(struct pt_regs *regs); + /* ++ * These two are intentionally not defined anywhere - if the kernel ++ * code generates any references to them, that's a bug. ++ */ ++extern int __get_user_bad(void); ++extern int __put_user_bad(void); ++ ++/* ++ * Note that this is actually 0x1,0000,0000 ++ */ ++#define KERNEL_DS 0x00000000 ++#define get_ds() (KERNEL_DS) ++ ++#ifdef CONFIG_MMU ++ ++#define USER_DS TASK_SIZE ++#define get_fs() (current_thread_info()->addr_limit) ++ ++static inline void set_fs(mm_segment_t fs) ++{ ++ current_thread_info()->addr_limit = fs; ++ modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_KERNELCLIENT : DOMAIN_MANAGER); ++} ++ ++#define segment_eq(a, b) ((a) == (b)) ++ +#define __HAVE_ARCH_PAX_OPEN_USERLAND +#define __HAVE_ARCH_PAX_CLOSE_USERLAND + 
@@ -2300,38 +2325,57 @@ index 8cc85a4..5f24fe2 100644 + +} + ++/* + * These two functions allow hooking accesses to userspace to increase + * system integrity by ensuring that the kernel can not inadvertantly + * perform such accesses (eg, via list poison values) which could then +@@ -66,6 +120,7 @@ static inline unsigned int uaccess_save_and_enable(void) + + return old_domain; + #else ++ pax_open_userland(); + return 0; + #endif + } +@@ -75,35 +130,11 @@ static inline void uaccess_restore(unsigned int flags) + #ifdef CONFIG_CPU_SW_DOMAIN_PAN + /* Restore the user access mask */ + set_domain(flags); ++#else ++ pax_close_userland(); + #endif + } + +-/* +- * These two are intentionally not defined anywhere - if the kernel +- * code generates any references to them, that's a bug. +- */ +-extern int __get_user_bad(void); +-extern int __put_user_bad(void); +- +-/* +- * Note that this is actually 0x1,0000,0000 +- */ +-#define KERNEL_DS 0x00000000 +-#define get_ds() (KERNEL_DS) +- +-#ifdef CONFIG_MMU +- +-#define USER_DS TASK_SIZE +-#define get_fs() (current_thread_info()->addr_limit) +- +-static inline void set_fs(mm_segment_t fs) +-{ +- current_thread_info()->addr_limit = fs; +- modify_domain(DOMAIN_KERNEL, fs ? 
DOMAIN_CLIENT : DOMAIN_MANAGER); +-} +- +-#define segment_eq(a, b) ((a) == (b)) +- #define __addr_ok(addr) ({ \ unsigned long flag; \ __asm__("cmp %2, %0; movlo %0, #0" \ -@@ -229,8 +257,12 @@ extern int __get_user_64t_4(void *); - - #define get_user(x, p) \ - ({ \ -+ int __e; \ - might_fault(); \ -- __get_user_check(x, p); \ -+ pax_open_userland(); \ -+ __e = __get_user_check((x), (p)); \ -+ pax_close_userland(); \ -+ __e; \ - }) - - extern int __put_user_1(void *, unsigned int); -@@ -277,8 +309,12 @@ extern int __put_user_8(void *, unsigned long long); - - #define put_user(x, p) \ - ({ \ -+ int __e; \ - might_fault(); \ -- __put_user_check(x, p); \ -+ pax_open_userland(); \ -+ __e = __put_user_check((x), (p)); \ -+ pax_close_userland(); \ -+ __e; \ - }) - - #else /* CONFIG_MMU */ -@@ -302,6 +338,7 @@ static inline void set_fs(mm_segment_t fs) +@@ -302,6 +333,7 @@ static inline void set_fs(mm_segment_t fs) #endif /* CONFIG_MMU */ @@ -2339,43 +2383,7 @@ index 8cc85a4..5f24fe2 100644 #define access_ok(type, addr, size) (__range_ok(addr, size) == 0) #define user_addr_max() \ -@@ -319,13 +356,17 @@ static inline void set_fs(mm_segment_t fs) - #define __get_user(x, ptr) \ - ({ \ - long __gu_err = 0; \ -+ pax_open_userland(); \ - __get_user_err((x), (ptr), __gu_err); \ -+ pax_close_userland(); \ - __gu_err; \ - }) - - #define __get_user_error(x, ptr, err) \ - ({ \ -+ pax_open_userland(); \ - __get_user_err((x), (ptr), err); \ -+ pax_close_userland(); \ - (void) 0; \ - }) - -@@ -392,13 +433,17 @@ do { \ - #define __put_user(x, ptr) \ - ({ \ - long __pu_err = 0; \ -+ pax_open_userland(); \ - __put_user_err((x), (ptr), __pu_err); \ -+ pax_close_userland(); \ - __pu_err; \ - }) - - #define __put_user_error(x, ptr, err) \ - ({ \ -+ pax_open_userland(); \ - __put_user_err((x), (ptr), err); \ -+ pax_close_userland(); \ - (void) 0; \ - }) - -@@ -490,35 +535,41 @@ do { \ +@@ -490,35 +522,41 @@ do { \ #ifdef CONFIG_MMU 
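Review bot: In the non-CONFIG_CPU_SW_DOMAIN_PAN branch, uaccess_save_and_enable() now calls pax_open_userland() and returns 0, and uaccess_restore() calls pax_close_userland() unconditionally, so unlike the PAN branch the returned token carries no record of whether userland was already open. If pax_open_userland()/pax_close_userland() are not reentrant (their definitions are outside this hunk), a nested save/restore pair, which the save-and-restore shape of the mainline API suggests is allowed, closes userland for the outer region at the inner restore and the outer access would then fault. Having pax_open_userland() return an indicator that is passed back to pax_close_userland() would mirror what the PAN branch does with the saved domain value. Note also that pax_open_userland() is now reached on every uaccess_save_and_enable() call in this branch, including configurations without PAX_MEMORY_UDEREF, so it must remain a no-op there, and the removal of the explicit pax_open_userland() calls in futex.h (outer hunk @@ -1830), get_user/put_user (outer hunk @@ -2339) and alignment.c (outer hunk @@ -3839) assumes every remaining user access passes through uaccess_save_and_enable(). Both function bodies start outside the hunk.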
@@ -2425,7 +2433,7 @@ index 8cc85a4..5f24fe2 100644 __clear_user_std(void __user *addr, unsigned long n); static inline unsigned long __must_check -@@ -538,6 +589,9 @@ __clear_user(void __user *addr, unsigned long n) +@@ -538,6 +576,9 @@ __clear_user(void __user *addr, unsigned long n) static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n) { @@ -2435,7 +2443,7 @@ index 8cc85a4..5f24fe2 100644 if (access_ok(VERIFY_READ, from, n)) n = __copy_from_user(to, from, n); else /* security hole - plug it */ -@@ -547,6 +601,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u +@@ -547,6 +588,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n) { @@ -2485,7 +2493,7 @@ index 318da33..373689f 100644 /** * arm_cpuidle_simple_enter() - a wrapper to cpu_do_idle() diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S -index 3e1c26e..9ea61e6 100644 +index 3e1c26e..97a5f9e 100644 --- a/arch/arm/kernel/entry-armv.S +++ b/arch/arm/kernel/entry-armv.S @@ -50,6 +50,87 @@ @@ -2608,7 +2616,7 @@ index 3e1c26e..9ea61e6 100644 mov r6, #-1 @ "" "" "" "" +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) + @ offset sp by 8 as done in pax_enter_kernel -+ add r2, sp, #(S_FRAME_SIZE + \stack_hole + 4) ++ add r2, sp, #(S_FRAME_SIZE + 8 + \stack_hole + 4) +#else add r2, sp, #(S_FRAME_SIZE + 8 + \stack_hole - 4) +#endif @@ -2956,7 +2964,7 @@ index 69bda1a..755113a 100644 if (waddr != addr) { flush_kernel_vmap_range(waddr, twopage ? size / 2 : size); diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c -index 7a7c4ce..bc91093 100644 +index 7a7c4ce..f0de3eb 100644 --- a/arch/arm/kernel/process.c +++ b/arch/arm/kernel/process.c @@ -98,8 +98,8 @@ void __show_regs(struct pt_regs *regs) 
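Review bot: The corrected operand `#(S_FRAME_SIZE + 8 + \stack_hole + 4)` in the PaX branch of entry-armv.S reads as if the `8` were the pax_enter_kernel offset named in the comment, but the mainline line below it is `S_FRAME_SIZE + 8 + \stack_hole - 4`, so the real difference is the sign of the final 4, i.e. +8 overall. Writing it as `add r2, sp, #(S_FRAME_SIZE + 8 + \stack_hole - 4 + 8) @ +8: sp offset by 8 in pax_enter_kernel` keeps the mainline expression intact and shows the PaX adjustment as its own term, which also makes it obvious in future diffs that the previous version evaluated to the same value as mainline and therefore applied no offset at all. The surrounding macro starts and ends outside the hunk.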
@@ -2970,6 +2978,15 @@ index 7a7c4ce..bc91093 100644 printk("pc : [<%08lx>] lr : [<%08lx>] psr: %08lx\n" "sp : %08lx ip : %08lx fp : %08lx\n", regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr, +@@ -226,7 +226,7 @@ copy_thread(unsigned long clone_flags, unsigned long stack_start, + + memset(&thread->cpu_context, 0, sizeof(struct cpu_context_save)); + +-#ifdef CONFIG_CPU_USE_DOMAINS ++#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) + /* + * Copy the initial value of the domain access control register + * from the current thread: thread->addr_limit will have been @@ -309,12 +309,6 @@ unsigned long get_wchan(struct task_struct *p) return 0; } 
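Review bot: The condition `#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)` in copy_thread() is the same three-way test that selects a non-stub modify_domain() in asm/domain.h, so any future option that needs per-thread domain state has to be added in both places. Exporting one macro from asm/domain.h under that condition (a name like `ARM_THREAD_HAS_CPU_DOMAIN` is only a suggestion) and testing it with `#ifdef` here would keep the two in step. The copied-domain comment that follows (`Copy the initial value of the domain access control register ...`) now also covers the PaX configurations; a short clause saying that thread->cpu_domain is what pax_enter_kernel/modify_domain maintain in those builds would tell a reader why the copy is needed without CPU_USE_DOMAINS. copy_thread() starts and ends outside the hunk.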
@@ -3839,71 +3856,6 @@ index df7537f..b931a5f 100644 exploits. If all of the binaries and libraries which run on your platform -diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c -index 00b7f7d..6fc28bc 100644 ---- a/arch/arm/mm/alignment.c -+++ b/arch/arm/mm/alignment.c -@@ -216,10 +216,12 @@ union offset_union { - #define __get16_unaligned_check(ins,val,addr) \ - do { \ - unsigned int err = 0, v, a = addr; \ -+ pax_open_userland(); \ - __get8_unaligned_check(ins,v,a,err); \ - val = v << ((BE) ? 8 : 0); \ - __get8_unaligned_check(ins,v,a,err); \ - val |= v << ((BE) ? 0 : 8); \ -+ pax_close_userland(); \ - if (err) \ - goto fault; \ - } while (0) -@@ -233,6 +235,7 @@ union offset_union { - #define __get32_unaligned_check(ins,val,addr) \ - do { \ - unsigned int err = 0, v, a = addr; \ -+ pax_open_userland(); \ - __get8_unaligned_check(ins,v,a,err); \ - val = v << ((BE) ? 24 : 0); \ - __get8_unaligned_check(ins,v,a,err); \ -@@ -241,6 +244,7 @@ union offset_union { - val |= v << ((BE) ? 8 : 16); \ - __get8_unaligned_check(ins,v,a,err); \ - val |= v << ((BE) ? 
0 : 24); \ -+ pax_close_userland(); \ - if (err) \ - goto fault; \ - } while (0) -@@ -254,6 +258,7 @@ union offset_union { - #define __put16_unaligned_check(ins,val,addr) \ - do { \ - unsigned int err = 0, v = val, a = addr; \ -+ pax_open_userland(); \ - __asm__( FIRST_BYTE_16 \ - ARM( "1: "ins" %1, [%2], #1\n" ) \ - THUMB( "1: "ins" %1, [%2]\n" ) \ -@@ -273,6 +278,7 @@ union offset_union { - " .popsection\n" \ - : "=r" (err), "=&r" (v), "=&r" (a) \ - : "0" (err), "1" (v), "2" (a)); \ -+ pax_close_userland(); \ - if (err) \ - goto fault; \ - } while (0) -@@ -286,6 +292,7 @@ union offset_union { - #define __put32_unaligned_check(ins,val,addr) \ - do { \ - unsigned int err = 0, v = val, a = addr; \ -+ pax_open_userland(); \ - __asm__( FIRST_BYTE_32 \ - ARM( "1: "ins" %1, [%2], #1\n" ) \ - THUMB( "1: "ins" %1, [%2]\n" ) \ -@@ -315,6 +322,7 @@ union offset_union { - " .popsection\n" \ - : "=r" (err), "=&r" (v), "=&r" (a) \ - : "0" (err), "1" (v), "2" (a)); \ -+ pax_close_userland(); \ - if (err) \ - goto fault; \ - } while (0) diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c index 493692d..42a4504 100644 --- a/arch/arm/mm/cache-l2x0.c @@ -113574,7 +113526,7 @@ index 04e91ff..2419384 100644 } EXPORT_SYMBOL(__stack_chk_fail); diff --git a/kernel/pid.c b/kernel/pid.c -index ca36879..1f6c7bd 100644 +index ca36879..1f368d5 100644 --- a/kernel/pid.c +++ b/kernel/pid.c @@ -33,6 +33,7 @@ 
@@ -113613,15 +113565,14 @@ index ca36879..1f6c7bd 100644 } struct task_struct *find_task_by_vpid(pid_t vnr) -@@ -461,13 +470,21 @@ struct task_struct *find_task_by_vpid(pid_t vnr) +@@ -461,13 +470,20 @@ struct task_struct *find_task_by_vpid(pid_t vnr) return find_task_by_pid_ns(vnr, task_active_pid_ns(current)); } +struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr) +{ -+ rcu_lockdep_assert(rcu_read_lock_held(), -+ "find_task_by_pid_ns() needs rcu_read_lock()" -+ " protection"); ++ RCU_LOCKDEP_WARN(!rcu_read_lock_held(), ++ "find_task_by_pid_ns() needs rcu_read_lock() protection"); + return pid_task(find_pid_ns(vnr, task_active_pid_ns(current)), PIDTYPE_PID); +} + @@ -113636,7 +113587,7 @@ index ca36879..1f6c7bd 100644 rcu_read_unlock(); return pid; } -@@ -528,7 +545,7 @@ pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type, +@@ -528,7 +544,7 @@ pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type, if (likely(pid_alive(task))) { if (type != PIDTYPE_PID) task = task->group_leader; @@ -113837,10 +113788,10 @@ index 99513e1..0caa643 100644 } diff --git a/kernel/ptrace.c b/kernel/ptrace.c -index 787320d..9873654 100644 +index 787320d..64d61aa 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c -@@ -207,18 +207,45 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state) +@@ -207,18 +207,46 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state) return ret; } @@ -113881,6 +113832,7 @@ index 787320d..9873654 100644 const struct cred *cred = current_cred(), *tcred; + kuid_t caller_uid; + kgid_t caller_gid; ++ int dumpable = 0; + + if (!(mode & PTRACE_MODE_FSCREDS) == !(mode & PTRACE_MODE_REALCREDS)) { + WARN(1, "denying ptrace access check without PTRACE_MODE_*CREDS\n"); 
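Review bot: The lockdep message in the added find_task_by_vpid_unrestricted() names the wrong function: `"find_task_by_pid_ns() needs rcu_read_lock() protection"` was copied from the mainline helper, so a splat would point a reader at the wrong call site. `RCU_LOCKDEP_WARN(!rcu_read_lock_held(), "find_task_by_vpid_unrestricted() needs rcu_read_lock() protection");` fixes it; the inverted condition relative to the old rcu_lockdep_assert() is right, since RCU_LOCKDEP_WARN() takes the condition to warn on. A one-line comment above the function stating what "unrestricted" means relative to find_task_by_vpid() (which check is bypassed and who is allowed to call it) would help, as the name is currently the only hint.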
@@ -113889,7 +113841,13 @@ index 787320d..9873654 100644 /* May we inspect the given task? * This check is used both for attaching with ptrace -@@ -233,15 +260,30 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) +@@ -228,20 +256,35 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + * because setting up the necessary parent/child relationship + * or halting the specified task is impossible. + */ +- int dumpable = 0; ++ + /* Don't let security modules deny introspection */ if (same_thread_group(task, current)) return 0; rcu_read_lock(); @@ -113927,7 +113885,7 @@ index 787320d..9873654 100644 goto ok; rcu_read_unlock(); return -EPERM; -@@ -252,7 +294,7 @@ ok: +@@ -252,7 +295,7 @@ ok: dumpable = get_dumpable(task->mm); rcu_read_lock(); if (dumpable != SUID_DUMP_USER && @@ -113936,7 +113894,7 @@ index 787320d..9873654 100644 rcu_read_unlock(); return -EPERM; } -@@ -306,7 +348,7 @@ static int ptrace_attach(struct task_struct *task, long request, +@@ -306,7 +349,7 @@ static int ptrace_attach(struct task_struct *task, long request, goto out; task_lock(task); @@ -113945,7 +113903,7 @@ index 787320d..9873654 100644 task_unlock(task); if (retval) goto unlock_creds; -@@ -321,7 +363,7 @@ static int ptrace_attach(struct task_struct *task, long request, +@@ -321,7 +364,7 @@ static int ptrace_attach(struct task_struct *task, long request, if (seize) flags |= PT_SEIZED; rcu_read_lock(); @@ -113954,7 +113912,7 @@ index 787320d..9873654 100644 flags |= PT_PTRACE_CAP; rcu_read_unlock(); task->ptrace = flags; -@@ -514,7 +556,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst +@@ -514,7 +557,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst break; return -EIO; } 
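Review bot: Moving `int dumpable = 0;` up into the declaration block of __ptrace_may_access() (outer hunk @@ -113837) is the right fix for the declaration-after-statement introduced by the PTRACE_MODE_*CREDS check, but the replacement `+` line left in this hunk is an empty line, so the comment block ending in `or halting the specified task is impossible.` is now separated by a blank line from the `/* Don't let security modules deny introspection */` comment and the same_thread_group() check that follow. Dropping that inner `+` line, turning the hunk into a plain removal, keeps the comment attached to the code. Everything else in the ptrace.c hunks is line-number shifting. __ptrace_may_access() starts before and ends after the hunk.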
@@ -113963,7 +113921,7 @@ index 787320d..9873654 100644 return -EFAULT; copied += retval; src += retval; -@@ -815,7 +857,7 @@ int ptrace_request(struct task_struct *child, long request, +@@ -815,7 +858,7 @@ int ptrace_request(struct task_struct *child, long request, bool seized = child->ptrace & PT_SEIZED; int ret = -EIO; siginfo_t siginfo, *si; @@ -113972,7 +113930,7 @@ index 787320d..9873654 100644 unsigned long __user *datalp = datavp; unsigned long flags; -@@ -1061,14 +1103,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr, +@@ -1061,14 +1104,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr, goto out; } @@ -113995,7 +113953,7 @@ index 787320d..9873654 100644 goto out_put_task_struct; } -@@ -1096,7 +1145,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr, +@@ -1096,7 +1146,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr, copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0); if (copied != sizeof(tmp)) return -EIO; @@ -114004,7 +113962,7 @@ index 787320d..9873654 100644 } int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr, -@@ -1189,7 +1238,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request, +@@ -1189,7 +1239,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request, } COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid, @@ -114013,7 +113971,7 @@ index 787320d..9873654 100644 { struct task_struct *child; long ret; -@@ -1205,14 +1254,21 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid, +@@ -1205,14 +1255,21 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid, goto out; } @@ -126058,10 +126016,24 @@ index ade7737..70ed9be 100644 goto err_reg; diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index 064f1a0..e6e7d27 100644 +index 064f1a0..47f24ef 100644 --- a/net/ipv4/tcp_input.c 
+++ b/net/ipv4/tcp_input.c -@@ -786,7 +786,7 @@ static void tcp_update_pacing_rate(struct sock *sk) +@@ -265,11 +265,13 @@ static void tcp_ecn_rcv_synack(struct tcp_sock *tp, const struct tcphdr *th) + tp->ecn_flags &= ~TCP_ECN_OK; + } + ++#ifndef CONFIG_GRKERNSEC_NO_SIMULT_CONNECT + static void tcp_ecn_rcv_syn(struct tcp_sock *tp, const struct tcphdr *th) + { + if ((tp->ecn_flags & TCP_ECN_OK) && (!th->ece || !th->cwr)) + tp->ecn_flags &= ~TCP_ECN_OK; + } ++#endif + + static bool tcp_ecn_rcv_ecn_echo(const struct tcp_sock *tp, const struct tcphdr *th) + { +@@ -786,7 +788,7 @@ static void tcp_update_pacing_rate(struct sock *sk) * without any lock. We want to make sure compiler wont store * intermediate values in this location. */ @@ -126070,7 +126042,7 @@ index 064f1a0..e6e7d27 100644 sk->sk_max_pacing_rate); } -@@ -4650,7 +4650,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb, +@@ -4650,7 +4652,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb, * simplifies code) */ static void @@ -126079,7 +126051,7 @@ index 064f1a0..e6e7d27 100644 struct sk_buff *head, struct sk_buff *tail, u32 start, u32 end) { -@@ -5645,6 +5645,7 @@ discard: +@@ -5645,6 +5647,7 @@ discard: tcp_paws_reject(&tp->rx_opt, 0)) goto discard_and_undo; @@ -126087,7 +126059,7 @@ index 064f1a0..e6e7d27 100644 if (th->syn) { /* We see SYN without ACK. It is attempt of * simultaneous connect with crossed SYNs. -@@ -5696,6 +5697,7 @@ discard: +@@ -5696,6 +5699,7 @@ discard: goto discard; #endif } @@ -126095,7 +126067,7 @@ index 064f1a0..e6e7d27 100644 /* "fifth, if neither of the SYN or RST bits is set then * drop the segment and return." */ -@@ -5742,7 +5744,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, +@@ -5742,7 +5746,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, goto discard; if (th->syn) { 
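Review bot: The `#ifndef CONFIG_GRKERNSEC_NO_SIMULT_CONNECT` guard around tcp_ecn_rcv_syn() is only correct while its sole caller stays inside the simultaneous-open path that the same option compiles out further down (outer hunks @@ -126087 and @@ -126095), and nothing at the definition records that coupling. Declaring it `static void __maybe_unused tcp_ecn_rcv_syn(struct tcp_sock *tp, const struct tcphdr *th)` would avoid an unused-function warning without a second preprocessor dependency; if the guard is preferred, `#endif /* CONFIG_GRKERNSEC_NO_SIMULT_CONNECT */` plus a one-line comment naming the guarded caller would document it. The lines adding the guard around the caller appear here only as outer context, so the motivation is inferred from the option name.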
@@ -126104,7 +126076,7 @@ index 064f1a0..e6e7d27 100644 goto discard; if (icsk->icsk_af_ops->conn_request(sk, skb) < 0) return 1; -@@ -6072,7 +6074,7 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops, +@@ -6072,7 +6076,7 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops, kmemcheck_annotate_bitfield(ireq, flags); ireq->opt = NULL; @@ -132090,10 +132062,10 @@ index 8e5aee6..445cf3d 100755 # Find all available archs find_all_archs() diff --git a/security/Kconfig b/security/Kconfig -index e452378..3e213c66 100644 +index e452378..16eb80f 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,981 @@ +@@ -4,6 +4,980 @@ menu "Security options" @@ -132928,7 +132900,6 @@ index e452378..3e213c66 100644 + default y if GRKERNSEC_CONFIG_AUTO && !(X86_64 && GRKERNSEC_CONFIG_PRIORITY_PERF) && !(X86_64 && GRKERNSEC_CONFIG_VIRT_HOST && GRKERNSEC_CONFIG_VIRT_VIRTUALBOX) && (!X86 || GRKERNSEC_CONFIG_VIRT_NONE || GRKERNSEC_CONFIG_VIRT_EPT) + depends on (X86 || (ARM && (CPU_V6 || CPU_V6K || CPU_V7) && !ARM_LPAE)) && !UML_X86 && !XEN + select PAX_PER_CPU_PGD if X86_64 -+ select CPU_SW_DOMAIN_PAN if ARM + help + By saying Y here the kernel will be prevented from dereferencing + userland pointers in contexts where the kernel expects only kernel @@ -133075,7 +133046,7 @@ index e452378..3e213c66 100644 source security/keys/Kconfig config SECURITY_DMESG_RESTRICT -@@ -104,7 +1079,7 @@ config INTEL_TXT +@@ -104,7 +1078,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX |