rpms/kernel/F-9 kernel.spec, 1.895, 1.896 linux-2.6-execshield.patch, 1.91, 1.92

Kyle McMartin kyle at fedoraproject.org
Mon Jan 19 06:23:07 UTC 2009 

Author: kyle

Update of /cvs/pkgs/rpms/kernel/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3530

Modified Files:
	kernel.spec linux-2.6-execshield.patch 
Log Message:
* Mon Jan 19 2009 Kyle McMartin <kyle at redhat.com>
- execshield fixes: should no longer generate spurious handled GPFs,
  fixes randomization of executables. also some clean ups.



Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-9/kernel.spec,v
retrieving revision 1.895
retrieving revision 1.896
diff -u -r1.895 -r1.896
--- kernel.spec	14 Jan 2009 16:03:04 -0000	1.895
+++ kernel.spec	19 Jan 2009 06:22:36 -0000	1.896
@@ -1779,6 +1779,10 @@
 %kernel_variant_files -k vmlinux %{with_kdump} kdump
 
 %changelog
+* Mon Jan 19 2009 Kyle McMartin <kyle at redhat.com>
+- execshield fixes: should no longer generate spurious handled GPFs,
+  fixes randomization of executables. also some clean ups.
+
 * Wed Jan 14 2009 Hans de Goede <hdegoede at redhat.com>
 - Rebase gspca git patch and re-enable
 - Add gscpa-stv06xx (qc-usb replacement) driver from its own git tree

linux-2.6-execshield.patch:

Index: linux-2.6-execshield.patch
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-9/linux-2.6-execshield.patch,v
retrieving revision 1.91
retrieving revision 1.92
diff -u -r1.91 -r1.92
--- linux-2.6-execshield.patch	12 Jan 2009 19:54:17 -0000	1.91
+++ linux-2.6-execshield.patch	19 Jan 2009 06:22:37 -0000	1.92
@@ -1,5 +1,5 @@
 diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
-index e6b82b1..c314884 100644
+index e6b82b1..aea00b6 100644
 --- a/arch/x86/include/asm/desc.h
 +++ b/arch/x86/include/asm/desc.h
 @@ -6,6 +6,7 @@
@@ -20,7 +20,7 @@
  
  #define write_ldt_entry(dt, entry, desc)	\
  	native_write_ldt_entry(dt, entry, desc)
-@@ -381,6 +385,24 @@ static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
+@@ -381,6 +385,27 @@ static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
  	_set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
  }
  
@@ -37,8 +37,11 @@
 +	get_cpu_gdt_table(cpu)[GDT_ENTRY_DEFAULT_USER_CS] = (mm)->context.user_cs;
 +}
 +
++#define arch_add_exec_range	arch_add_exec_range
 +extern void arch_add_exec_range(struct mm_struct *mm, unsigned long limit);
++#define arch_remove_exec_range	arch_remove_exec_range
 +extern void arch_remove_exec_range(struct mm_struct *mm, unsigned long limit);
++#define arch_flush_exec_range	arch_flush_exec_range
 +extern void arch_flush_exec_range(struct mm_struct *mm);
 +#endif /* CONFIG_X86_32 */
 +
@@ -151,21 +154,31 @@
  	.load_idt = native_load_idt,
  	.store_gdt = native_store_gdt,
 diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c
-index 0a1302f..ab96a10 100644
+index 0a1302f..7d5927e 100644
 --- a/arch/x86/kernel/process_32.c
 +++ b/arch/x86/kernel/process_32.c
-@@ -354,6 +354,10 @@ start_thread(struct pt_regs *regs, unsigned long new_ip, unsigned long new_sp)
+@@ -345,6 +345,8 @@ int copy_thread(int nr, unsigned long clone_flags, unsigned long sp,
+ void
+ start_thread(struct pt_regs *regs, unsigned long new_ip, unsigned long new_sp)
+ {
++	int cpu;
++
+ 	__asm__("movl %0, %%gs" :: "r"(0));
+ 	regs->fs		= 0;
+ 	set_fs(USER_DS);
+@@ -354,6 +356,11 @@ start_thread(struct pt_regs *regs, unsigned long new_ip, unsigned long new_sp)
  	regs->cs		= __USER_CS;
  	regs->ip		= new_ip;
  	regs->sp		= new_sp;
-+	preempt_disable();
-+	load_user_cs_desc(smp_processor_id(), current->mm);
-+	preempt_enable();
++
++	cpu = get_cpu();
++	load_user_cs_desc(cpu, current->mm);
++	put_cpu();
 +
  	/*
  	 * Free the old FP and other extended state
  	 */
-@@ -558,7 +562,8 @@ struct task_struct * __switch_to(struct task_struct *prev_p, struct task_struct
+@@ -558,7 +565,8 @@ struct task_struct * __switch_to(struct task_struct *prev_p, struct task_struct
  	/* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
  
  	__unlazy_fpu(prev_p);
@@ -175,7 +188,7 @@
  
  	/* we're going to use this soon, after a few expensive things */
  	if (next_p->fpu_counter > 5)
-@@ -731,3 +736,39 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
+@@ -731,3 +739,39 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
  	unsigned long range_end = mm->brk + 0x02000000;
  	return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
  }
@@ -185,9 +198,9 @@
 +	mm->context.exec_limit = limit;
 +	set_user_cs(&mm->context.user_cs, limit);
 +	if (mm == current->mm) {
-+		preempt_disable();
-+		load_user_cs_desc(smp_processor_id(), mm);
-+		preempt_enable();
++		int cpu = get_cpu();
++		load_user_cs_desc(cpu, mm);
++		put_cpu();
 +	}
 +}
 +
@@ -237,14 +250,25 @@
  	if (!cpu_isset(cpu, flush_cpumask))
  		goto out;
 diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
-index 04d242a..bb52785 100644
+index 04d242a..e478f3b 100644
 --- a/arch/x86/kernel/traps.c
 +++ b/arch/x86/kernel/traps.c
-@@ -159,6 +159,63 @@ static int lazy_iobitmap_copy(void)
+@@ -159,6 +159,74 @@ static int lazy_iobitmap_copy(void)
  
  	return 0;
  }
 +
++static inline int
++__compare_user_cs_desc(const struct desc_struct * const desc1,
++	const struct desc_struct * const desc2)
++{
++	return ((desc1->limit0 != desc2->limit0) ||
++		(desc1->limit != desc2->limit) ||
++		(desc1->base0 != desc2->base0) ||
++		(desc1->base1 != desc2->base1) ||
++		(desc1->base2 != desc2->base2));
++}
++
 +/*
 + * lazy-check for CS validity on exec-shield binaries:
 + *
@@ -281,8 +305,7 @@
 +	desc1 = &current->mm->context.user_cs;
 +	desc2 = get_cpu_gdt_table(cpu) + GDT_ENTRY_DEFAULT_USER_CS;
 +
-+	if ((desc1->a & 0xff0000ff) != (desc2->a & 0xff0000ff) ||
-+	    desc1->b != desc2->b) {
++	if (__compare_user_cs_desc(desc1, desc2)) {
 +		/*
 +		 * The CS was not in sync - reload it and retry the
 +		 * instruction. If the instruction still faults then
@@ -290,9 +313,10 @@
 +		 */
 +		if (print_fatal_signals >= 2) {
 +			printk(KERN_ERR "#GPF fixup (%ld[seg:%lx]) at %08lx, CPU#%d.\n",
-+				error_code, error_code/8, regs->ip, smp_processor_id());
++				error_code, error_code/8, regs->ip, cpu);
 +			printk(KERN_ERR "exec_limit: %08lx, user_cs: %08x/%08x, CPU_cs: %08x/%08x.\n",
-+				current->mm->context.exec_limit, desc1->a, desc1->b, desc2->a, desc2->b);
++				current->mm->context.exec_limit,
++				desc1->a, desc1->b, desc2->a, desc2->b);
 +		}
 +		load_user_cs_desc(cpu, current->mm);
 +
@@ -304,7 +328,7 @@
  #endif
  
  static void __kprobes
-@@ -320,6 +377,29 @@ do_general_protection(struct pt_regs *regs, long error_code)
+@@ -320,6 +388,29 @@ do_general_protection(struct pt_regs *regs, long error_code)
  	if (!user_mode(regs))
  		goto gp_in_kernel;
  
@@ -322,7 +346,7 @@
 +
 +	if (print_fatal_signals) {
 +		printk(KERN_ERR "#GPF(%ld[seg:%lx]) at %08lx, CPU#%d.\n",
-+			error_code, error_code/8, regs->ip, smp_processor_id());
++			error_code, error_code/8, regs->ip, cpu);
 +		printk(KERN_ERR "exec_limit: %08lx, user_cs: %08x/%08x.\n",
 +			current->mm->context.exec_limit,
 +			current->mm->context.user_cs.a,
@@ -334,7 +358,7 @@
  	tsk->thread.error_code = error_code;
  	tsk->thread.trap_no = 13;
  
-@@ -931,19 +1011,37 @@ do_device_not_available(struct pt_regs *regs, long error)
+@@ -931,19 +1022,37 @@ do_device_not_available(struct pt_regs *regs, long error)
  }
  
  #ifdef CONFIG_X86_32
@@ -702,7 +726,7 @@
  		.procname	= "core_uses_pid",
  		.data		= &core_uses_pid,
 diff --git a/mm/mmap.c b/mm/mmap.c
-index d4855a6..0850042 100644
+index d4855a6..ac07ab7 100644
 --- a/mm/mmap.c
 +++ b/mm/mmap.c
 @@ -27,6 +27,7 @@
@@ -790,7 +814,7 @@
  	if (file && file->f_op && file->f_op->get_unmapped_area)
  		get_area = file->f_op->get_unmapped_area;
  	addr = get_area(file, addr, len, pgoff, flags);
-@@ -1460,8 +1484,74 @@ get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
+@@ -1460,8 +1484,76 @@ get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
  
  	return arch_rebalance_pgtables(addr, len);
  }
@@ -798,7 +822,8 @@
 +
 +#define SHLIB_BASE	0x00110000
 +
-+unsigned long arch_get_unmapped_exec_area(struct file *filp, unsigned long addr0,
++unsigned long
++arch_get_unmapped_exec_area(struct file *filp, unsigned long addr0,
 +		unsigned long len0, unsigned long pgoff, unsigned long flags)
 +{
 +	unsigned long addr = addr0, len = len0;
@@ -812,9 +837,10 @@
 +	if (flags & MAP_FIXED)
 +		return addr;
 +
-+	if (!addr) {
++	if (!addr)
 +		addr = randomize_range(SHLIB_BASE, 0x01000000, len);
-+	} else {
++
++	if (addr) {
 +		addr = PAGE_ALIGN(addr);
 +		vma = find_vma(mm, addr);
 +		if (TASK_SIZE - len >= addr &&
@@ -866,7 +892,7 @@
  
  /* Look up the first VMA which satisfies  addr < vm_end,  NULL if none. */
  struct vm_area_struct * find_vma(struct mm_struct * mm, unsigned long addr)
-@@ -1536,6 +1626,14 @@ out:
+@@ -1536,6 +1628,14 @@ out:
  	return prev ? prev->vm_next : vma;
  }
  
@@ -881,7 +907,7 @@
  /*
   * Verify that the stack growth is acceptable and
   * update accounting. This is shared with both the
-@@ -1552,7 +1650,7 @@ static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, un
+@@ -1552,7 +1652,7 @@ static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, un
  		return -ENOMEM;
  
  	/* Stack limit test */
@@ -890,7 +916,7 @@
  		return -ENOMEM;
  
  	/* mlock limit tests */
-@@ -1862,10 +1960,14 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1862,10 +1962,14 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
  	if (new->vm_ops && new->vm_ops->open)
  		new->vm_ops->open(new);
  
@@ -907,7 +933,7 @@
  		vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
  
  	return 0;
-@@ -2109,6 +2211,7 @@ void exit_mmap(struct mm_struct *mm)
+@@ -2109,6 +2213,7 @@ void exit_mmap(struct mm_struct *mm)
  	vm_unacct_memory(nr_accounted);
  	free_pgtables(tlb, vma, FIRST_USER_ADDRESS, 0);
  	tlb_finish_mmu(tlb, 0, end);
@@ -916,26 +942,25 @@
  	/*
  	 * Walk the list again, actually closing and freeing it,
 diff --git a/mm/mprotect.c b/mm/mprotect.c
-index fded06f..cdfcbd2 100644
+index fded06f..a2cf942 100644
 --- a/mm/mprotect.c
 +++ b/mm/mprotect.c
-@@ -24,8 +24,15 @@
+@@ -24,9 +24,14 @@
  #include <linux/mmu_notifier.h>
  #include <asm/uaccess.h>
  #include <asm/pgtable.h>
 +#include <asm/pgalloc.h>
  #include <asm/cacheflush.h>
  #include <asm/tlbflush.h>
-+#ifdef CONFIG_X86
-+#include <asm/desc.h>
-+#endif
+ 
 +#ifndef arch_remove_exec_range
 +#define arch_remove_exec_range(mm, limit)      do { ; } while (0)
 +#endif
- 
++
  #ifndef pgprot_modify
  static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
-@@ -140,7 +147,7 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
+ {
+@@ -140,7 +145,7 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
  	struct mm_struct *mm = vma->vm_mm;
  	unsigned long oldflags = vma->vm_flags;
  	long nrpages = (end - start) >> PAGE_SHIFT;
@@ -944,7 +969,7 @@
  	pgoff_t pgoff;
  	int error;
  	int dirty_accountable = 0;
-@@ -204,6 +211,9 @@ success:
+@@ -204,6 +209,9 @@ success:
  		dirty_accountable = 1;
  	}

More information about the fedora-extras-commits mailing list