- [2.4.2x, 2.6.x] don't recursively crash in die() on CHRP/PReP machines

[packages/kernel.git] / linux-2.4.21-ow1-stack.patch

diff -urPX nopatch linux-2.4.21/Documentation/Configure.help linux/Documentation/Configure.help
--- linux-2.4.21/Documentation/Configure.help   Fri Jun 13 14:51:29 2003
+++ linux/Documentation/Configure.help  Sun Jun 15 15:56:24 2003
@@ -26648,6 +26652,31 @@
 IPMI Watchdog Timer
 CONFIG_IPMI_WATCHDOG
   This enables the IPMI watchdog timer.
+
+Non-executable user stack area
+CONFIG_HARDEN_STACK
+  Most buffer overflow exploits are based on overwriting a function's
+  return address on the stack to point to some arbitrary code, which is
+  also put onto the stack. If the stack area is non-executable, buffer
+  overflow vulnerabilities become harder to exploit. However, a few
+  programs depend on the stack being executable, and might stop working
+  unless you also enable GCC trampolines autodetection and emulation
+  below, or enable the stack area execution permission for every such
+  program separately using chstk.c. If you don't know what all this is
+  about, or don't care about security that much, say N.
+
+Autodetect and emulate GCC trampolines
+CONFIG_HARDEN_STACK_SMART
+  GCC generates trampolines on the stack to correctly pass control to
+  nested functions when calling from outside. Normally, this requires
+  the stack being executable. When this option is enabled, the kernel
+  will trap faults resulting from trampoline calls, and will emulate the
+  trampolines. However, in some cases this autodetection can be fooled
+  in a buffer overflow exploit, so, if you've got no programs that use
+  GCC trampolines, it is more secure to disable this option. If you're
+  too lazy to find that out, answer Y. Note: if you're using glibc 2.0
+  (and not libc 5 or glibc 2.1+), you have to say Y here, or the system
+  won't even boot.
 
 #
 # A couple of things I keep forgetting:
diff -urPX nopatch linux-2.4.21/arch/i386/config.in linux/arch/i386/config.in
--- linux-2.4.21/arch/i386/config.in    Fri Jun 13 14:51:29 2003
+++ linux/arch/i386/config.in   Sun Jun 15 15:51:12 2003
@@ -467,6 +470,16 @@
 source drivers/usb/Config.in
 
 source net/bluetooth/Config.in
+
+mainmenu_option next_comment
+comment 'Security options'
+
+bool 'Non-executable user stack area' CONFIG_HARDEN_STACK
+if [ "$CONFIG_HARDEN_STACK" = "y" ]; then
+   bool '  Autodetect and emulate GCC trampolines' CONFIG_HARDEN_STACK_SMART
+fi
+
+endmenu
 
 mainmenu_option next_comment
 comment 'Kernel hacking'
diff -urPX nopatch linux-2.4.21/arch/i386/kernel/head.S linux/arch/i386/kernel/head.S
--- linux-2.4.21/arch/i386/kernel/head.S        Fri Jun 13 14:51:29 2003
+++ linux/arch/i386/kernel/head.S       Sun Jun 15 15:51:12 2003
@@ -433,7 +433,11 @@
        .quad 0x0000000000000000        /* not used */
        .quad 0x00cf9a000000ffff        /* 0x10 kernel 4GB code at 0x00000000 */
        .quad 0x00cf92000000ffff        /* 0x18 kernel 4GB data at 0x00000000 */
+#ifdef CONFIG_HARDEN_STACK
+       .quad 0x00cbfa000000f7ff        /* 0x23 user   3GB-8MB code at 0 */
+#else
        .quad 0x00cffa000000ffff        /* 0x23 user   4GB code at 0x00000000 */
+#endif
        .quad 0x00cff2000000ffff        /* 0x2b user   4GB data at 0x00000000 */
        .quad 0x0000000000000000        /* not used */
        .quad 0x0000000000000000        /* not used */
diff -urPX nopatch linux-2.4.21/arch/i386/kernel/signal.c linux/arch/i386/kernel/signal.c
--- linux-2.4.21/arch/i386/kernel/signal.c      Sat Aug  3 00:39:42 2002
+++ linux/arch/i386/kernel/signal.c     Sun Jun 15 15:51:12 2003
@@ -421,11 +421,15 @@
        if (ka->sa.sa_flags & SA_RESTORER) {
                err |= __put_user(ka->sa.sa_restorer, &frame->pretcode);
        } else {
+#ifdef CONFIG_HARDEN_STACK
+               err |= __put_user(MAGIC_SIGRETURN, &frame->pretcode);
+#else
                err |= __put_user(frame->retcode, &frame->pretcode);
                /* This is popl %eax ; movl $,%eax ; int $0x80 */
                err |= __put_user(0xb858, (short *)(frame->retcode+0));
                err |= __put_user(__NR_sigreturn, (int *)(frame->retcode+2));
                err |= __put_user(0x80cd, (short *)(frame->retcode+6));
+#endif
        }
 
        if (err)
@@ -496,11 +500,15 @@
        if (ka->sa.sa_flags & SA_RESTORER) {
                err |= __put_user(ka->sa.sa_restorer, &frame->pretcode);
        } else {
+#ifdef CONFIG_HARDEN_STACK
+               err |= __put_user(MAGIC_RT_SIGRETURN, &frame->pretcode);
+#else
                err |= __put_user(frame->retcode, &frame->pretcode);
                /* This is movl $,%eax ; int $0x80 */
                err |= __put_user(0xb8, (char *)(frame->retcode+0));
                err |= __put_user(__NR_rt_sigreturn, (int *)(frame->retcode+1));
                err |= __put_user(0x80cd, (short *)(frame->retcode+5));
+#endif
        }
 
        if (err)
diff -urPX nopatch linux-2.4.21/arch/i386/kernel/traps.c linux/arch/i386/kernel/traps.c
--- linux-2.4.21/arch/i386/kernel/traps.c       Thu Nov 28 23:53:09 2002
+++ linux/arch/i386/kernel/traps.c      Sun Jun 15 16:29:52 2003
@@ -397,13 +397,202 @@
 DO_ERROR(12, SIGBUS,  "stack segment", stack_segment)
 DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, get_cr2())
 
+#if defined(CONFIG_HARDEN_STACK) && defined(CONFIG_HARDEN_STACK_SMART)
+/*
+ * These two functions aren't performance critical (trampolines are
+ * extremely rare and slow even without emulation).
+ */
+static unsigned long *get_reg(struct pt_regs *regs, unsigned char regnum)
+{
+       switch (regnum) {
+               case 0: return &regs->eax;
+               case 1: return &regs->ecx;
+               case 2: return &regs->edx;
+               case 3: return &regs->ebx;
+               case 4: return &regs->esp;
+               case 5: return &regs->ebp;
+               case 6: return &regs->esi;
+               case 7: return &regs->edi;
+       }
+
+       return NULL;
+}
+
+static unsigned long get_modrm(struct pt_regs *regs, int *err)
+{
+       unsigned char modrm, sib;
+       signed char rel8;
+       unsigned long rel32;
+       int size, regnum, scale;
+       unsigned long index, base, addr, value;
+
+       *err |= __get_user(modrm, (unsigned char *)(regs->eip + 1));
+       size = 2;
+       regnum = modrm & 7;
+       addr = *get_reg(regs, regnum);
+       if (regnum == 4 && (modrm & 0xC0) != 0xC0) {
+               *err |= __get_user(sib, (unsigned char *)(regs->eip + 2));
+               size = 3;
+               scale = sib >> 6;
+               index = *get_reg(regs, (sib >> 3) & 7);
+               base = *get_reg(regs, sib & 7);
+               addr = base + (index << scale);
+       }
+
+       switch (modrm & 0xC0) {
+       case 0x00:
+               if (regnum == 5) {
+                       *err |= __get_user(addr,
+                               (unsigned long *)(regs->eip + 2));
+                       size = 6;
+               }
+               *err |= get_user(value, (unsigned long *)addr);
+               break;
+
+       case 0x40:
+               *err |= __get_user(rel8, (signed char *)(regs->eip + size));
+               size++;
+               addr += rel8;
+               *err |= get_user(value, (unsigned long *)addr);
+               break;
+
+       case 0x80:
+               *err |= __get_user(rel32, (unsigned long *)(regs->eip + size));
+               size += 4;
+               addr += rel32;
+               *err |= get_user(value, (unsigned long *)addr);
+               break;
+
+       case 0xC0:
+       default:
+               value = addr;
+       }
+
+       if (*err) return 0;
+       regs->eip += size;
+       return value;
+}
+#endif
+
 asmlinkage void do_general_protection(struct pt_regs * regs, long error_code)
 {
+#ifdef CONFIG_HARDEN_STACK
+       unsigned long addr;
+       unsigned char insn;
+#ifdef CONFIG_HARDEN_STACK_SMART
+       int err, count;
+#endif
+#endif
+
        if (regs->eflags & VM_MASK)
                goto gp_in_vm86;
 
        if (!(regs->xcs & 3))
                goto gp_in_kernel;
+
+#ifdef CONFIG_HARDEN_STACK
+       if ((regs->xcs & 0xFFFF) != __USER_CS ||
+           __get_user(insn, (unsigned char *)regs->eip))
+               goto gp_in_user;
+
+/* Check if it was a return instruction */
+       if (insn == 0xC3) {
+               if (get_user(addr, (unsigned long *)regs->esp))
+                       goto gp_in_user;
+
+/* Check if it was return from a signal handler */
+               if ((addr & 0xFFFFFFFE) == MAGIC_SIGRETURN) {
+/* Call sys_sigreturn() or sys_rt_sigreturn() to restore the context */
+                       regs->esp += 8;
+                       __asm__("movl %3,%%esi\n\t"
+                               "subl %1,%%esp\n\t"
+                               "movl %2,%%ecx\n\t"
+                               "movl %%esp,%%edi\n\t"
+                               "rep; movsl\n\t"
+                               "testl $1,%4\n\t"
+                               "jnz 1f\n\t"
+                               "call sys_sigreturn\n\t"
+                               "leal %3,%%edi\n\t"
+                               "jmp 2f\n\t"
+                               "1:\n\t"
+                               "call sys_rt_sigreturn\n\t"
+                               "leal %3,%%edi\n\t"
+                               "2:\n\t"
+                               "addl %1,%%edi\n\t"
+                               "movl %%esp,%%esi\n\t"
+                               "movl %2,%%ecx\n\t"
+                               "movl (%%edi),%%edi\n\t"
+                               "rep; movsl\n\t"
+                               "movl %%esi,%%esp"
+                       :
+/* %eax is returned separately */
+                       "=a" (regs->eax)
+                       :
+                       "i" (sizeof(*regs)),
+                       "i" (sizeof(*regs) >> 2),
+                       "m" (regs),
+                       "r" (addr)
+                       :
+                       "cx", "dx", "si", "di", "cc", "memory");
+                       return;
+               }
+
+/*
+ * Check if we're returning to the stack area, which is only likely to happen
+ * when attempting to exploit a buffer overflow.
+ */
+               if (addr >= PAGE_OFFSET - _STK_LIM && addr < PAGE_OFFSET)
+                       security_alert("return onto stack running as "
+                               "UID %d, EUID %d, process %s:%d",
+                               "returns onto stack",
+                               current->uid, current->euid,
+                               current->comm, current->pid);
+       }
+
+#ifdef CONFIG_HARDEN_STACK_SMART
+/* Check if it could have been a trampoline call */
+       else
+       if (insn == 0xFF &&
+           !__get_user(insn, (unsigned char *)(regs->eip + 1)) &&
+           (insn & 0x38) == 0x10 && insn != 0xD4) {    /* call mod r/m */
+/* First, emulate the call */
+               err = 0;
+               addr = get_modrm(regs, &err);
+               if (!err) {
+                       regs->esp -= 4;
+                       err = put_user(regs->eip, (unsigned long *)regs->esp);
+                       regs->eip = addr;
+               }
+/* Then, start emulating the trampoline itself */
+               count = 0;
+               while (!err && !__get_user(insn, (unsigned char *)regs->eip++))
+               if ((insn & 0xF8) == 0xB8) {            /* movl imm32,%reg */
+/* We only have 8 GP registers, no reason to initialize one twice */
+                       if (count++ >= 8) break;
+                       err |= __get_user(addr, (unsigned long *)regs->eip);
+                       regs->eip += 4;
+                       *get_reg(regs, insn & 7) = addr;
+               } else
+               if (insn == 0xFF) {
+                       err |= __get_user(insn, (unsigned char *)regs->eip);
+                       if ((insn & 0xF8) == 0xE0) {    /* jmp *%reg */
+                               regs->eip = *get_reg(regs, insn & 7);
+                               if (err) break; else return;
+                       }
+                       break;
+               } else
+               if (insn == 0xE9) {                     /* jmp rel32 */
+                       err |= __get_user(addr, (unsigned long *)regs->eip);
+                       if (err) break;
+                       regs->eip += 4 + addr;
+                       return;
+               } else
+                       break;
+       }
+#endif
+
+gp_in_user:
+#endif
 
        current->thread.error_code = error_code;
        current->thread.trap_no = 13;
diff -urPX nopatch linux-2.4.21/arch/ia64/ia32/sys_ia32.c linux/arch/ia64/ia32/sys_ia32.c
--- linux-2.4.21/arch/ia64/ia32/sys_ia32.c      Fri Jun 13 14:51:29 2003
+++ linux/arch/ia64/ia32/sys_ia32.c     Sun Jun 15 17:21:08 2003
@@ -109,6 +109,8 @@
                        *ap++ = (char *) A(addr);
                arg += sizeof(unsigned int);
                n++;
+               if (n >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *))
+                       return -E2BIG;
        } while (addr);
        return n - 1;
 }
diff -urPX nopatch linux-2.4.21/arch/mips64/kernel/linux32.c linux/arch/mips64/kernel/linux32.c
--- linux-2.4.21/arch/mips64/kernel/linux32.c   Thu Nov 28 23:53:10 2002
+++ linux/arch/mips64/kernel/linux32.c  Sun Jun 15 17:23:00 2003
@@ -434,6 +450,8 @@
                                return ret;
                arg += sizeof(unsigned int);
                n++;
+               if (n >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *))
+                       return -E2BIG;
        } while (ptr);
 
        return n - 1;
diff -urPX nopatch linux-2.4.21/arch/x86_64/ia32/sys_ia32.c linux/arch/x86_64/ia32/sys_ia32.c
--- linux-2.4.21/arch/x86_64/ia32/sys_ia32.c    Fri Jun 13 14:51:32 2003
+++ linux/arch/x86_64/ia32/sys_ia32.c   Sun Jun 15 17:23:47 2003
@@ -2120,7 +2120,7 @@
                        dst[cnt] = (char *)(u64)val; 
                cnt++;
                src += 4;
-               if (cnt >= (MAX_ARG_PAGES*PAGE_SIZE)/sizeof(void*))
+               if (cnt >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *))
                        return -E2BIG; 
        } while(val); 
        if (dst)
diff -urPX nopatch linux-2.4.21/drivers/char/agp/agpgart_be.c linux/drivers/char/agp/agpgart_be.c
--- linux-2.4.21/drivers/char/agp/agpgart_be.c  Fri Jun 13 14:51:32 2003
+++ linux/drivers/char/agp/agpgart_be.c Sun Jun 15 15:51:12 2003
@@ -577,7 +577,7 @@
        for (page = virt_to_page(table); page <= virt_to_page(table_end); page++)
                SetPageReserved(page);
 
-       agp_bridge.gatt_table_real = (unsigned long *) table;
+       agp_bridge.gatt_table_real = (u32 *) table;
        agp_gatt_table = (void *)table;
 #ifdef CONFIG_X86
        err = change_page_attr(virt_to_page(table), 1<<page_order, PAGE_KERNEL_NOCACHE);
diff -urPX nopatch linux-2.4.21/drivers/scsi/st.c linux/drivers/scsi/st.c
--- linux-2.4.21/drivers/scsi/st.c      Thu Nov 28 23:53:14 2002
+++ linux/drivers/scsi/st.c     Sun Jun 15 15:51:12 2003
@@ -1628,7 +1628,7 @@
                                                if (transfer < 0) {
                                                        if (STps->drv_block >= 0)
                                                                STps->drv_block += 1;
-                                                       return (-ENOMEM);
+                                                       return (-EIO);
                                                }
                                                (STp->buffer)->buffer_bytes = bytes - transfer;
                                        } else {
diff -urPX nopatch linux-2.4.21/fs/binfmt_aout.c linux/fs/binfmt_aout.c
--- linux-2.4.21/fs/binfmt_aout.c       Sat Nov  3 01:39:20 2001
+++ linux/fs/binfmt_aout.c      Sun Jun 15 15:51:12 2003
@@ -4,6 +4,7 @@
  *  Copyright (C) 1991, 1992, 1996  Linus Torvalds
  */
 
+#include <linux/config.h>
 #include <linux/module.h>
 
 #include <linux/sched.h>
@@ -307,6 +308,9 @@
        current->mm->mmap = NULL;
        compute_creds(bprm);
        current->flags &= ~PF_FORKNOEXEC;
+#ifdef CONFIG_HARDEN_STACK
+       if (N_FLAGS(ex) & F_STACKEXEC) current->flags |= PF_STACKEXEC;
+#endif
 #ifdef __sparc__
        if (N_MAGIC(ex) == NMAGIC) {
                loff_t pos = fd_offset;
diff -urPX nopatch linux-2.4.21/fs/binfmt_elf.c linux/fs/binfmt_elf.c
--- linux-2.4.21/fs/binfmt_elf.c        Sat Aug  3 00:39:45 2002
+++ linux/fs/binfmt_elf.c       Sun Jun 15 15:51:12 2003
@@ -9,6 +9,7 @@
  * Copyright 1993, 1994: Eric Youngdale (ericy@cais.com).
  */
 
+#include <linux/config.h>
 #include <linux/module.h>
 
 #include <linux/fs.h>
@@ -73,7 +76,10 @@
 #define ELF_PAGEOFFSET(_v) ((_v) & (ELF_MIN_ALIGN-1))
 #define ELF_PAGEALIGN(_v) (((_v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1))
 
+#ifndef CONFIG_HARDEN_STACK
+static
+#endif
-static struct linux_binfmt elf_format = {
+struct linux_binfmt elf_format = {
        NULL, THIS_MODULE, load_elf_binary, load_elf_library, elf_core_dump, ELF_EXEC_PAGESIZE
 };
 
@@ -599,6 +625,9 @@
        current->mm->end_code = 0;
        current->mm->mmap = NULL;
        current->flags &= ~PF_FORKNOEXEC;
+#ifdef CONFIG_HARDEN_STACK
+       if (elf_ex.e_flags & EF_STACKEXEC) current->flags |= PF_STACKEXEC;
+#endif
        elf_entry = (unsigned long) elf_ex.e_entry;
 
        /* Do this so that we can load the interpreter, if need be.  We will
diff -urPX nopatch linux-2.4.21/fs/exec.c linux/fs/exec.c
--- linux-2.4.21/fs/exec.c      Fri Jun 13 14:51:37 2003
+++ linux/fs/exec.c     Sun Jun 15 16:48:25 2003
@@ -590,6 +594,10 @@
        }
        current->comm[i] = '\0';
 
+#ifdef CONFIG_HARDEN_STACK
+       current->flags &= ~PF_STACKEXEC;
+#endif
+
        flush_thread();
 
        de_thread(current);
@@ -725,6 +733,8 @@
                    || atomic_read(&current->fs->count) > 1
                    || atomic_read(&current->files->count) > 1
                    || atomic_read(&current->sig->count) > 1) {
+                       /* XXX: should fail rather than execute with no raised
+                        * effective privileges */
                        if(!capable(CAP_SETUID)) {
                                bprm->e_uid = current->uid;
                                bprm->e_gid = current->gid;
diff -urPX nopatch linux-2.4.21/include/asm-i386/a.out.h linux/include/asm-i386/a.out.h
--- linux-2.4.21/include/asm-i386/a.out.h       Fri Jun 16 18:33:06 1995
+++ linux/include/asm-i386/a.out.h      Sun Jun 15 15:51:12 2003
@@ -19,7 +19,16 @@
 
 #ifdef __KERNEL__
 
+#include <linux/config.h>
+
+#ifdef CONFIG_HARDEN_STACK
+#define STACK_TOP ( \
+       (current->flags & PF_STACKEXEC) \
+       ? TASK_SIZE - _STK_LIM \
+       : TASK_SIZE )
+#else
 #define STACK_TOP      TASK_SIZE
+#endif
 
 #endif
 
diff -urPX nopatch linux-2.4.21/include/asm-i386/processor.h linux/include/asm-i386/processor.h
--- linux-2.4.21/include/asm-i386/processor.h   Fri Jun 13 14:51:38 2003
+++ linux/include/asm-i386/processor.h  Sun Jun 15 15:51:12 2003
@@ -272,10 +272,28 @@
  */
 #define TASK_SIZE      (PAGE_OFFSET)
 
+/*
+ * Magic addresses to return to the kernel from signal handlers. These two
+ * should be beyond user code segment limit, adjacent, and MAGIC_SIGRETURN
+ * should be even.
+ */
+#define MAGIC_SIGRETURN                (PAGE_OFFSET + 0xDE0000)
+#define MAGIC_RT_SIGRETURN     (PAGE_OFFSET + 0xDE0001)
+
 /* This decides where the kernel will search for a free chunk of vm
  * space during mmap's.
  */
+#if defined(CONFIG_HARDEN_STACK) && defined(CONFIG_BINFMT_ELF)
+extern struct linux_binfmt elf_format;
+#define TASK_UNMAPPED_BASE(size) ( \
+       current->binfmt == &elf_format && \
+       !(current->flags & PF_STACKEXEC) && \
+       (size) < 0x00ef0000UL \
+       ? 0x00110000UL \
+       : TASK_SIZE / 3 )
+#else
 #define TASK_UNMAPPED_BASE     (TASK_SIZE / 3)
+#endif
 
 /*
  * Size of io_bitmap in longwords: 32 is ports 0-0x3ff.
diff -urPX nopatch linux-2.4.21/include/linux/a.out.h linux/include/linux/a.out.h
--- linux-2.4.21/include/linux/a.out.h  Thu Nov 22 19:46:18 2001
+++ linux/include/linux/a.out.h Sun Jun 15 15:51:12 2003
@@ -37,6 +37,9 @@
   M_MIPS2 = 152                /* MIPS R6000/R4000 binary */
 };
 
+/* Constants for the N_FLAGS field */
+#define F_STACKEXEC    1       /* Executable stack area forced */
+
 #if !defined (N_MAGIC)
 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
 #endif
diff -urPX nopatch linux-2.4.21/include/linux/binfmts.h linux/include/linux/binfmts.h
--- linux-2.4.21/include/linux/binfmts.h        Thu Nov 22 19:46:19 2001
+++ linux/include/linux/binfmts.h       Sun Jun 15 15:51:12 2003
@@ -1,6 +1,7 @@
 #ifndef _LINUX_BINFMTS_H
 #define _LINUX_BINFMTS_H
 
+#include <linux/config.h>
 #include <linux/ptrace.h>
 #include <linux/capability.h>
 
diff -urPX nopatch linux-2.4.21/include/linux/elf.h linux/include/linux/elf.h
--- linux-2.4.21/include/linux/elf.h    Thu Nov 28 23:53:15 2002
+++ linux/include/linux/elf.h   Sun Jun 15 15:51:12 2003
@@ -255,6 +255,8 @@
 #define R_MIPS_LOVENDOR                100
 #define R_MIPS_HIVENDOR                127
 
+/* Constants for the e_flags field */
+#define EF_STACKEXEC   1       /* Executable stack area forced */
 
 /*
  * Sparc ELF relocation types
diff -urPX nopatch linux-2.4.21/include/linux/kernel.h linux/include/linux/kernel.h
--- linux-2.4.21/include/linux/kernel.h Thu Nov 28 23:53:15 2002
+++ linux/include/linux/kernel.h        Sun Jun 15 15:51:12 2003
@@ -71,14 +71,17 @@
 extern long long simple_strtoll(const char *,char **,unsigned int);
 extern int sprintf(char * buf, const char * fmt, ...)
        __attribute__ ((format (printf, 2, 3)));
-extern int vsprintf(char *buf, const char *, va_list);
+extern int vsprintf(char *buf, const char *, va_list)
+       __attribute__ ((format (printf, 2, 0)));
 extern int snprintf(char * buf, size_t size, const char * fmt, ...)
        __attribute__ ((format (printf, 3, 4)));
-extern int vsnprintf(char *buf, size_t size, const char *fmt, va_list args);
+extern int vsnprintf(char *buf, size_t size, const char *fmt, va_list args)
+       __attribute__ ((format (printf, 3, 0)));
 
 extern int sscanf(const char *, const char *, ...)
-       __attribute__ ((format (scanf,2,3)));
-extern int vsscanf(const char *, const char *, va_list);
+       __attribute__ ((format (scanf, 2, 3)));
+extern int vsscanf(const char *, const char *, va_list)
+       __attribute__ ((format (scanf, 2, 0)));
 
 extern int get_option(char **str, int *pint);
 extern char *get_options(char *str, int nints, int *ints);
@@ -170,6 +173,26 @@
        ({ type __x = (x); type __y = (y); __x < __y ? __x: __y; })
 #define max_t(type,x,y) \
        ({ type __x = (x); type __y = (y); __x > __y ? __x: __y; })
+
+#define security_alert(normal_msg, flood_msg, args...) \
+({ \
+       static unsigned long warning_time = 0, no_flood_yet = 0; \
+       static spinlock_t security_alert_lock = SPIN_LOCK_UNLOCKED; \
+\
+       spin_lock(&security_alert_lock); \
+\
+/* Make sure at least one minute passed since the last warning logged */ \
+       if (!warning_time || jiffies - warning_time > 60 * HZ) { \
+               warning_time = jiffies; no_flood_yet = 1; \
+               printk(KERN_ALERT "Security: " normal_msg "\n", ## args); \
+       } else if (no_flood_yet) { \
+               warning_time = jiffies; no_flood_yet = 0; \
+               printk(KERN_ALERT "Security: more " flood_msg \
+                       ", logging disabled for a minute\n"); \
+       } \
+\
+       spin_unlock(&security_alert_lock); \
+})
 
 extern void __out_of_line_bug(int line) ATTRIB_NORET;
 #define out_of_line_bug() __out_of_line_bug(__LINE__)
diff -urPX nopatch linux-2.4.21/include/linux/sched.h linux/include/linux/sched.h
--- linux-2.4.21/include/linux/sched.h  Fri Jun 13 14:51:39 2003
+++ linux/include/linux/sched.h Sun Jun 15 15:51:12 2003
@@ -435,6 +435,8 @@
 
 #define PF_USEDFPU     0x00100000      /* task used FPU this quantum (SMP) */
 
+#define PF_STACKEXEC   0x01000000      /* Executable stack area forced */
+
 /*
  * Ptrace flags
  */
diff -urPX nopatch linux-2.4.21/kernel/sysctl.c linux/kernel/sysctl.c
--- linux-2.4.21/kernel/sysctl.c        Fri Jun 13 14:51:39 2003
+++ linux/kernel/sysctl.c       Sun Jun 15 15:51:12 2003
@@ -344,6 +344,9 @@
                int old_len;
                if (!oldlenp || get_user(old_len, oldlenp))
                        return -EFAULT;
+               /* XXX: insufficient for SMP, but should be redundant anyway */
+               if ((ssize_t)old_len < 0)
+                       return -EINVAL;
        }
        tmp = &root_table_header.ctl_entry;
        do {
@@ -466,7 +469,8 @@
         * zero, proceed with automatic r/w */
        if (table->data && table->maxlen) {
                if (oldval && oldlenp) {
-                       get_user(len, oldlenp);
+                       if (get_user(len, oldlenp))
+                               return -EFAULT;
                        if (len) {
                                if (len > table->maxlen)
                                        len = table->maxlen;
@@ -1368,7 +1372,8 @@
 
                for (i = 0; i < length; i++) {
                        int value;
-                       get_user(value, vec + i);
+                       if (get_user(value, vec + i))
+                               return -EFAULT;
                        if (min && value < min[i])
                                return -EINVAL;
                        if (max && value > max[i])
diff -urPX nopatch linux-2.4.21/mm/mmap.c linux/mm/mmap.c
--- linux-2.4.21/mm/mmap.c      Fri Jun 13 14:51:39 2003
+++ linux/mm/mmap.c     Sun Jun 15 15:51:12 2003
@@ -3,6 +3,7 @@
  *
  * Written by obz.
  */
+#include <linux/config.h>
 #include <linux/slab.h>
 #include <linux/shm.h>
 #include <linux/mman.h>
@@ -626,7 +627,11 @@
                    (!vma || addr + len <= vma->vm_start))
                        return addr;
        }
+#if defined(CONFIG_HARDEN_STACK) && defined(CONFIG_BINFMT_ELF)
+       addr = PAGE_ALIGN(TASK_UNMAPPED_BASE(len));
+#else
        addr = PAGE_ALIGN(TASK_UNMAPPED_BASE);
+#endif
 
        for (vma = find_vma(current->mm, addr); ; vma = vma->vm_next) {
                /* At this point:  (!vma || addr < vma->vm_end). */
diff -urPX nopatch linux-2.4.21/mm/swapfile.c linux/mm/swapfile.c
--- linux-2.4.21/mm/swapfile.c  Fri Jun 13 14:51:39 2003
+++ linux/mm/swapfile.c Sun Jun 15 15:51:12 2003
@@ -725,8 +725,10 @@
        for (type = swap_list.head; type >= 0; type = swap_info[type].next) {
                p = swap_info + type;
                if ((p->flags & SWP_WRITEOK) == SWP_WRITEOK) {
-                       if (p->swap_file == nd.dentry)
-                         break;
+                       if (p->swap_file == nd.dentry ||
+                           (S_ISBLK(nd.dentry->d_inode->i_mode) &&
+                           p->swap_device == nd.dentry->d_inode->i_rdev))
+                               break;
                }
                prev = type;
        }
diff -urPX nopatch linux-2.4.21/net/socket.c linux/net/socket.c
--- linux-2.4.21/net/socket.c   Fri Jun 13 14:51:39 2003
+++ linux/net/socket.c  Sun Jun 15 15:51:12 2003
@@ -1305,10 +1305,18 @@
 asmlinkage long sys_getsockopt(int fd, int level, int optname, char *optval, int *optlen)
 {
        int err;
+       int len;
        struct socket *sock;
 
        if ((sock = sockfd_lookup(fd, &err))!=NULL)
        {
+               /* XXX: insufficient for SMP, but should be redundant anyway */
+               if (get_user(len, optlen))
+                       err = -EFAULT;
+               else
+               if (len < 0)
+                       err = -EINVAL;
+               else
                if (level == SOL_SOCKET)
                        err=sock_getsockopt(sock,level,optname,optval,optlen);
                else