grsec: Apply grsecurity-3.1-4.9.24-201704252333.patch

commit bfebed58aa9c8a1f3196ce0bf19767a16d0bc835 Author: Brad Spengler <[email protected]> Date: Tue Apr 25 22:41:12 2017 -0400 16/34 time to blow out the candles Update size_overflow hash tables commit e0887f2ea8dabcf33f90286aa33c12a48a92dc17 Merge: 8ac6745 5e7a080 Author: Brad Spengler <[email protected]> Date: Tue Apr 25 22:08:55 2017 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/traps.c arch/x86/mm/init.c scripts/gcc-plugins/size_overflow_plugin/disable.data commit 5e7a080261fbc4b24d834505aee2680e8390cf20 Author: Brad Spengler <[email protected]> Date: Tue Apr 25 21:59:38 2017 -0400 Update to pax-linux-4.9.24-test7.patch: - fixed potential kmap or ioremap leaks when reading /dev/mem - fixed a regression in the 4.9 port of REFCOUNT error reporting on x86 that would cause unexpected code execution upon refcount errors, reported by Jann Horn <[email protected]> - fixed two false positive size overflow reports in binder, reported by alaviss (https://forums.grsecurity.net/viewtopic.php?f=3&t=4694) commit 8ac67450a6a11b974cb37940540fa194db9ff0b5 Author: Brad Spengler <[email protected]> Date: Tue Apr 25 17:36:00 2017 -0400 Fix the error message for an exec denied due to NNP disallowing a subject transition. Thanks to Andrew Flannery for the report! Signature-tree: 106a98a3f50a2f9648f5e69186fd4c4eb608c942
linux-scraping · Apr 26, 2017 · acb68e4 · acb68e4
1 parent 2821b0b
commit acb68e4
Show file tree

Hide file tree

Showing 8 changed files with 194 additions and 52 deletions.
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
@@ -209,9 +209,8 @@ do_trap_no_signal(struct task_struct *tsk, int trapnr, const char *str,
  }
 
 #ifdef CONFIG_PAX_REFCOUNT
- if (trapnr == X86_REFCOUNT_VECTOR) {
+ if (trapnr == X86_REFCOUNT_VECTOR)
  pax_report_refcount_error(regs, str);
- }
 #endif
 
  return 0;

diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
@@ -656,11 +656,13 @@ void __init init_mem_mapping(void)
  * devmem_is_allowed() checks to see if /dev/mem access to a certain address
  * is valid. The argument is a physical page number.
  *
- *
- * On x86, access has to be given to the first megabyte of ram because that area
- * contains BIOS code and data regions used by X and dosemu and similar apps.
- * Access has to be given to non-kernel-ram areas as well, these contain the PCI
- * mmio resources as well as potential bios/acpi data regions.
+ * On x86, access has to be given to the first megabyte of RAM because that
+ * area traditionally contains BIOS code and data regions used by X, dosemu,
+ * and similar apps. Since they map the entire memory range, the whole range
+ * must be allowed (for mapping), but any areas that would otherwise be
+ * disallowed are flagged as being "zero filled" instead of rejected.
+ * Access has to be given to non-kernel-ram areas as well, these contain the
+ * PCI mmio resources as well as potential bios/acpi data regions.
  */
 
 #ifdef CONFIG_GRKERNSEC_KMEM
@@ -686,15 +688,40 @@ int devmem_is_allowed(unsigned long pagenr)
  if (pagenr <= 256)
  return 0;
 #else
- if (pagenr < 256)
+ if (!pagenr)
+ return 1;
+#ifdef CONFIG_VM86
+ if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
  return 1;
 #endif
+ if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
+ return 1;
+#endif
+
+ if (page_is_ram(pagenr)) {
+ /*
+ * For disallowed memory regions in the low 1MB range,
+ * request that the page be shown as all zeros.
+ */
+ if (pagenr < 256)
+ return 2;
 
- if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
  return 0;
- if (!page_is_ram(pagenr))
- return 1;
- return 0;
+ }
+
+ /*
+ * This must follow RAM test, since System RAM is considered a
+ * restricted resource under CONFIG_STRICT_IOMEM.
+ */
+ if (iomem_is_exclusive(pagenr << PAGE_SHIFT)) {
+ /* Low 1MB bypasses iomem restrictions. */
+ if (pagenr < 256)
+ return 1;
+
+ return 0;
+ }
+
+ return 1;
 }
 
 void free_init_pages(char *what, unsigned long begin, unsigned long end)

diff --git a/drivers/char/mem.c b/drivers/char/mem.c
@@ -65,6 +65,10 @@ static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t size)
 #endif
 
 #ifdef CONFIG_STRICT_DEVMEM
+static inline int page_is_allowed(unsigned long pfn)
+{
+ return devmem_is_allowed(pfn);
+}
 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
 {
  u64 from = ((u64)pfn) << PAGE_SHIFT;
@@ -89,6 +93,10 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size)
  return 0;
 }
 #else
+static inline int page_is_allowed(unsigned long pfn)
+{
+ return 1;
+}
 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
 {
  return 1;
@@ -141,27 +149,36 @@ static ssize_t read_mem(struct file *file, char __user *buf,
 
  while (count > 0) {
  unsigned long remaining;
+ int allowed;
 
  sz = size_inside_page(p, count);
 
- if (!range_is_allowed(p >> PAGE_SHIFT, count)) {
+ allowed = page_is_allowed(p >> PAGE_SHIFT);
+ if (!allowed) {
  kfree(temp);
  return -EPERM;
  }
+ if (allowed == 2) {
+ /* Show zeros for restricted memory. */
+ remaining = clear_user(buf, sz);
+ } else {
+ /*
+ * On ia64 if a page has been mapped somewhere as
+ * uncached, then it must also be accessed uncached
+ * by the kernel or data corruption may occur.
+ */
+ ptr = xlate_dev_mem_ptr(p);
+ if (!ptr || probe_kernel_read(temp, ptr, sz)) {
+ if (ptr)
+ unxlate_dev_mem_ptr(p, ptr);
+ kfree(temp);
+ return -EFAULT;
+ }
 
- /*
- * On ia64 if a page has been mapped somewhere as uncached, then
- * it must also be accessed uncached by the kernel or data
- * corruption may occur.
- */
- ptr = xlate_dev_mem_ptr(p);
- if (!ptr || probe_kernel_read(temp, ptr, sz)) {
- kfree(temp);
- return -EFAULT;
+ remaining = copy_to_user(buf, temp, sz);
+ unxlate_dev_mem_ptr(p, ptr);
  }
 
- remaining = copy_to_user(buf, temp, sz);
- unxlate_dev_mem_ptr(p, ptr);
  if (remaining) {
  kfree(temp);
  return -EFAULT;
@@ -208,30 +225,36 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
 #endif
 
  while (count > 0) {
+ int allowed;
+
  sz = size_inside_page(p, count);
 
- if (!range_is_allowed(p >> PAGE_SHIFT, sz))
+ allowed = page_is_allowed(p >> PAGE_SHIFT);
+ if (!allowed)
  return -EPERM;
 
- /*
- * On ia64 if a page has been mapped somewhere as uncached, then
- * it must also be accessed uncached by the kernel or data
- * corruption may occur.
- */
- ptr = xlate_dev_mem_ptr(p);
- if (!ptr) {
- if (written)
- break;
- return -EFAULT;
- }
+ /* Skip actual writing when a page is marked as restricted. */
+ if (allowed == 1) {
+ /*
+ * On ia64 if a page has been mapped somewhere as
+ * uncached, then it must also be accessed uncached
+ * by the kernel or data corruption may occur.
+ */
+ ptr = xlate_dev_mem_ptr(p);
+ if (!ptr) {
+ if (written)
+ break;
+ return -EFAULT;
+ }
 
- copied = copy_from_user(ptr, buf, sz);
- unxlate_dev_mem_ptr(p, ptr);
- if (copied) {
- written += sz - copied;
- if (written)
- break;
- return -EFAULT;
+ copied = copy_from_user(ptr, buf, sz);
+ unxlate_dev_mem_ptr(p, ptr);
+ if (copied) {
+ written += sz - copied;
+ if (written)
+ break;
+ return -EFAULT;
+ }
  }
 
  buf += sz;

diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
@@ -1851,8 +1851,10 @@ gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
  !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN))) {
  if (unsafe_flags & LSM_UNSAFE_SHARE)
  gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
- else
+ else if (unsafe_flags & (LSM_UNSAFE_PTRACE_CAP | LSM_UNSAFE_PTRACE))
  gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
+ else
+ gr_log_fs_generic(GR_DONT_AUDIT, GR_NNP_EXEC_ACL_MSG, dentry, mnt);
  return -EACCES;
  }
 

diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
@@ -31,6 +31,7 @@
 #define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
 #define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
 #define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
+#define GR_NNP_EXEC_ACL_MSG "denied exec of %.950s due to NNP by "
 #define GR_EXEC_ACL_MSG "%s execution of %.950s by "
 #define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.70s) of %.950s by "
 #define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"

diff --git a/scripts/gcc-plugins/size_overflow_plugin/disable.data b/scripts/gcc-plugins/size_overflow_plugin/disable.data
@@ -12471,3 +12471,4 @@ btrfs_get_token_16_fndecl_46639_fns btrfs_get_token_16 fndecl 0 46639 NULL
 btrfs_get_token_64_fndecl_54223_fns btrfs_get_token_64 fndecl 0 54223 NULL
 qdisc_tree_reduce_backlog_fndecl_3865_fields qdisc_tree_reduce_backlog fndecl 2 3865 NULL
 user_buffer_offset_binder_proc_17508_fields user_buffer_offset binder_proc 0 17508 NULL
+min_priority_binder_node_54207_fields min_priority binder_node 0 54207 NULL
diff --git a/scripts/gcc-plugins/size_overflow_plugin/e_fields.data b/scripts/gcc-plugins/size_overflow_plugin/e_fields.data
@@ -1607,6 +1607,7 @@ jffs2_security_setxattr_fndecl_6550_fields jffs2_security_setxattr fndecl 6 6550
 xlog_do_log_recovery_fndecl_6557_fields xlog_do_log_recovery fndecl 3 6557 NULL
 cxgbit_xmit_pdu_fndecl_6562_fields cxgbit_xmit_pdu fndecl 5 6562 NULL
 verity_verify_io_fndecl_6564_fields verity_verify_io fndecl 0 6564 NULL
+num_x_edt_ft5x06_ts_data_6566_fields num_x edt_ft5x06_ts_data 0 6566 NULL
 i915_gem_object_ggtt_pin_fndecl_6569_fields i915_gem_object_ggtt_pin fndecl 3-5 6569 NULL
 ath6kl_wmi_connect_cmd_fndecl_6571_fields ath6kl_wmi_connect_cmd fndecl 2 6571 NULL
 rts51x_write_mem_fndecl_6573_fields rts51x_write_mem fndecl 4 6573 NULL
@@ -3384,7 +3385,7 @@ retrans_out_tcp_sock_13559_fields retrans_out tcp_sock 0 13559 NULL nohasharray
 __devcgroup_inode_permission_fndecl_13559_fields __devcgroup_inode_permission fndecl 0 13559 &retrans_out_tcp_sock_13559_fields nohasharray
 iomap_apply_fndecl_13559_fields iomap_apply fndecl 0 13559 &__devcgroup_inode_permission_fndecl_13559_fields
 capture_periodsize_rme96_13564_fields capture_periodsize rme96 0 13564 NULL
-edt_ft5x06_ts_readwrite_fndecl_13570_fields edt_ft5x06_ts_readwrite fndecl 2-4 13570 NULL
+edt_ft5x06_ts_readwrite_fndecl_13570_fields edt_ft5x06_ts_readwrite fndecl 2-4-0 13570 NULL
 avc_tuner_dsd_dvb_t_fndecl_13571_fields avc_tuner_dsd_dvb_t fndecl 0 13571 NULL
 pitch_drm_mode_create_dumb_13574_fields pitch drm_mode_create_dumb 0 13574 NULL
 fd_do_prot_fill_fndecl_13583_fields fd_do_prot_fill fndecl 5-3 13583 NULL
@@ -5700,6 +5701,7 @@ snap_names_len_rbd_image_header_ondisk_22898_fields snap_names_len rbd_image_hea
 ima_post_read_file_fndecl_22903_fields ima_post_read_file fndecl 3 22903 NULL nohasharray
 lpfc_fcp_io_channel_init_fndecl_22903_fields lpfc_fcp_io_channel_init fndecl 2 22903 &ima_post_read_file_fndecl_22903_fields
 count_ioctl_gntdev_map_grant_ref_22904_fields count ioctl_gntdev_map_grant_ref 0 22904 NULL
+num_y_edt_ft5x06_ts_data_22905_fields num_y edt_ft5x06_ts_data 0 22905 NULL
 membase_phys_efx_nic_22907_fields membase_phys efx_nic 0 22907 NULL
 vmalloc_32_fndecl_22908_fields vmalloc_32 fndecl 1 22908 NULL
 cfg80211_report_obss_beacon_fndecl_22910_fields cfg80211_report_obss_beacon fndecl 3 22910 NULL
@@ -8488,6 +8490,7 @@ sis190_try_rx_copy_fndecl_33790_fields sis190_try_rx_copy fndecl 3 33790 NULL
 sd_write_data_fndecl_33792_fields sd_write_data fndecl 5 33792 NULL
 icv_truncbits_xfrm_algo_auth_info_33798_fields icv_truncbits xfrm_algo_auth_info 0 33798 NULL
 __ip_tun_to_nlattr_fndecl_33801_fields __ip_tun_to_nlattr fndecl 4 33801 NULL
+edt_ft5x06_register_read_fndecl_33803_fields edt_ft5x06_register_read fndecl 0 33803 NULL
 page_size_vmw_cmdbuf_alloc_info_33815_fields page_size vmw_cmdbuf_alloc_info 0 33815 NULL
 custom_length_iscsi_stats_33819_fields custom_length iscsi_stats 0 33819 NULL
 mult_usb_ep_33831_fields mult usb_ep 0 33831 NULL
@@ -13091,6 +13094,7 @@ rh_string_fndecl_52376_fields rh_string fndecl 0-4 52376 NULL
 bMaxBurst_usb_ss_ep_comp_descriptor_52382_fields bMaxBurst usb_ss_ep_comp_descriptor 0 52382 NULL
 ath6kl_wmi_set_ie_cmd_fndecl_52383_fields ath6kl_wmi_set_ie_cmd fndecl 6-2 52383 NULL nohasharray
 sg_pgoffset_sg_page_iter_52383_fields sg_pgoffset sg_page_iter 0 52383 &ath6kl_wmi_set_ie_cmd_fndecl_52383_fields
+raw_bufsize_edt_ft5x06_ts_data_52390_fields raw_bufsize edt_ft5x06_ts_data 0 52390 NULL
 jffs2_write_dirent_fndecl_52396_fields jffs2_write_dirent fndecl 5 52396 NULL
 u132_hcd_initial_input_recv_fndecl_52397_fields u132_hcd_initial_input_recv fndecl 4 52397 NULL
 srp_map_idb_fndecl_52402_fields srp_map_idb fndecl 0-5 52402 NULL
@@ -13549,8 +13553,7 @@ ipw2100_set_essid_fndecl_54200_fields ipw2100_set_essid fndecl 3 54200 NULL
 contexts_nouveau_fence_priv_54204_fields contexts nouveau_fence_priv 0 54204 NULL nohasharray
 ath6kl_interface_add_fndecl_54204_fields ath6kl_interface_add fndecl 5 54204 &contexts_nouveau_fence_priv_54204_fields
 ___ieee80211_stop_tx_ba_session_fndecl_54205_fields ___ieee80211_stop_tx_ba_session fndecl 2 54205 NULL
-min_priority_binder_node_54207_fields min_priority binder_node 0 54207 NULL nohasharray
-nframes_bcm_msg_head_54207_fields nframes bcm_msg_head 0 54207 &min_priority_binder_node_54207_fields
+nframes_bcm_msg_head_54207_fields nframes bcm_msg_head 0 54207 NULL
 alloced_ctxt_eager_bufs_54208_fields alloced ctxt_eager_bufs 0 54208 NULL
 __lock_page_killable_fndecl_54210_fields __lock_page_killable fndecl 0 54210 NULL nohasharray
 mxt_bootloader_write_fndecl_54210_fields mxt_bootloader_write fndecl 3 54210 &__lock_page_killable_fndecl_54210_fields