1 diff -urPX nopatch linux-2.4.22/Documentation/Configure.help linux-2.4.22-ow1/Documentation/Configure.help
2 --- linux-2.4.22/Documentation/Configure.help Mon Aug 25 15:44:39 2003
3 +++ linux-2.4.22-ow1/Documentation/Configure.help Thu Aug 28 06:23:03 2003
4 @@ -27486,6 +27490,31 @@
7 Quick & dirty crypto test module.
9 +Non-executable user stack area
11 + Most buffer overflow exploits are based on overwriting a function's
12 + return address on the stack to point to some arbitrary code, which is
13 + also put onto the stack. If the stack area is non-executable, buffer
14 + overflow vulnerabilities become harder to exploit. However, a few
15 + programs depend on the stack being executable, and might stop working
16 + unless you also enable GCC trampolines autodetection and emulation
17 + below, or enable the stack area execution permission for every such
18 + program separately using chstk.c. If you don't know what all this is
19 + about, or don't care about security that much, say N.
21 +Autodetect and emulate GCC trampolines
22 +CONFIG_HARDEN_STACK_SMART
23 + GCC generates trampolines on the stack to correctly pass control to
24 + nested functions when calling from outside. Normally, this requires
25 + the stack being executable. When this option is enabled, the kernel
26 + will trap faults resulting from trampoline calls, and will emulate the
27 + trampolines. However, in some cases this autodetection can be fooled
28 + in a buffer overflow exploit, so, if you've got no programs that use
29 + GCC trampolines, it is more secure to disable this option. If you're
30 + too lazy to find that out, answer Y. Note: if you're using glibc 2.0
31 + (and not libc 5 or glibc 2.1+), you have to say Y here, or the system
35 # A couple of things I keep forgetting:
36 diff -urPX nopatch linux-2.4.22/arch/i386/config.in linux-2.4.22-ow1/arch/i386/config.in
37 --- linux-2.4.22/arch/i386/config.in Mon Aug 25 15:44:39 2003
38 +++ linux-2.4.22-ow1/arch/i386/config.in Thu Aug 28 06:20:31 2003
40 source drivers/usb/Config.in
42 source net/bluetooth/Config.in
44 +mainmenu_option next_comment
45 +comment 'Security options'
47 +bool 'Non-executable user stack area' CONFIG_HARDEN_STACK
48 +if [ "$CONFIG_HARDEN_STACK" = "y" ]; then
49 + bool ' Autodetect and emulate GCC trampolines' CONFIG_HARDEN_STACK_SMART
54 mainmenu_option next_comment
55 comment 'Kernel hacking'
56 diff -urPX nopatch linux-2.4.22/arch/i386/kernel/head.S linux-2.4.22-ow1/arch/i386/kernel/head.S
57 --- linux-2.4.22/arch/i386/kernel/head.S Fri Jun 13 18:51:29 2003
58 +++ linux-2.4.22-ow1/arch/i386/kernel/head.S Thu Aug 28 06:20:31 2003
60 .quad 0x0000000000000000 /* not used */
61 .quad 0x00cf9a000000ffff /* 0x10 kernel 4GB code at 0x00000000 */
62 .quad 0x00cf92000000ffff /* 0x18 kernel 4GB data at 0x00000000 */
63 +#ifdef CONFIG_HARDEN_STACK
64 + .quad 0x00cbfa000000f7ff /* 0x23 user 3GB-8MB code at 0 */
66 .quad 0x00cffa000000ffff /* 0x23 user 4GB code at 0x00000000 */
68 .quad 0x00cff2000000ffff /* 0x2b user 4GB data at 0x00000000 */
69 .quad 0x0000000000000000 /* not used */
70 .quad 0x0000000000000000 /* not used */
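Review bot: The descriptor added at L47 hard-codes the user code-segment limit as 3GB-8MB (limit field 0xbf7ff in 4K pages), and that 8MB gap is the same quantity as _STK_LIM that this patch's STACK_TOP in asm-i386/a.out.h relies on to place a PF_STACKEXEC task's stack below the limit; nothing in the comment records the coupling. I'd extend it to `/* 0x23 user 3GB-8MB code at 0: the 8MB must equal _STK_LIM (see STACK_TOP) and stay below MAGIC_SIGRETURN */`, since the signal-return trap in traps.c also depends on the magic addresses lying above this limit. The `#else` branch that keeps the 4GB descriptor is not shown in the hunk.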
71 diff -urPX nopatch linux-2.4.22/arch/i386/kernel/signal.c linux-2.4.22-ow1/arch/i386/kernel/signal.c
72 --- linux-2.4.22/arch/i386/kernel/signal.c Sat Aug 3 04:39:42 2002
73 +++ linux-2.4.22-ow1/arch/i386/kernel/signal.c Thu Aug 28 06:20:31 2003
75 if (ka->sa.sa_flags & SA_RESTORER) {
76 err |= __put_user(ka->sa.sa_restorer, &frame->pretcode);
78 +#ifdef CONFIG_HARDEN_STACK
79 + err |= __put_user(MAGIC_SIGRETURN, &frame->pretcode);
81 err |= __put_user(frame->retcode, &frame->pretcode);
82 /* This is popl %eax ; movl $,%eax ; int $0x80 */
83 err |= __put_user(0xb858, (short *)(frame->retcode+0));
84 err |= __put_user(__NR_sigreturn, (int *)(frame->retcode+2));
85 err |= __put_user(0x80cd, (short *)(frame->retcode+6));
91 if (ka->sa.sa_flags & SA_RESTORER) {
92 err |= __put_user(ka->sa.sa_restorer, &frame->pretcode);
94 +#ifdef CONFIG_HARDEN_STACK
95 + err |= __put_user(MAGIC_RT_SIGRETURN, &frame->pretcode);
97 err |= __put_user(frame->retcode, &frame->pretcode);
98 /* This is movl $,%eax ; int $0x80 */
99 err |= __put_user(0xb8, (char *)(frame->retcode+0));
100 err |= __put_user(__NR_rt_sigreturn, (int *)(frame->retcode+1));
101 err |= __put_user(0x80cd, (short *)(frame->retcode+5));
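Review bot: The MAGIC_SIGRETURN and MAGIC_RT_SIGRETURN stores at L58 and L67 only work because a return to an address above the user code-segment limit raises a #GP that do_general_protection() in traps.c (same patch) turns into sys_sigreturn/sys_rt_sigreturn, and nothing here says so; I'd add above L58 `/* Address beyond the user CS limit: the #GP taken on return is handled in do_general_protection() */`. The two values are told apart only by their low bit, which traps.c masks with 0xFFFFFFFE, so the pair defined in processor.h must remain an even/odd adjacent pair — worth a cross-reference here as well. The `#else`/`#endif` lines of both blocks are not shown.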
106 diff -urPX nopatch linux-2.4.22/arch/i386/kernel/traps.c linux-2.4.22-ow1/arch/i386/kernel/traps.c
107 --- linux-2.4.22/arch/i386/kernel/traps.c Fri Nov 29 02:53:09 2002
108 +++ linux-2.4.22-ow1/arch/i386/kernel/traps.c Thu Aug 28 06:20:31 2003
109 @@ -397,13 +397,202 @@
110 DO_ERROR(12, SIGBUS, "stack segment", stack_segment)
111 DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, get_cr2())
113 +#if defined(CONFIG_HARDEN_STACK) && defined(CONFIG_HARDEN_STACK_SMART)
115 + * These two functions aren't performance critical (trampolines are
116 + * extremely rare and slow even without emulation).
118 +static unsigned long *get_reg(struct pt_regs *regs, unsigned char regnum)
121 + case 0: return ®s->eax;
122 + case 1: return ®s->ecx;
123 + case 2: return ®s->edx;
124 + case 3: return ®s->ebx;
125 + case 4: return ®s->esp;
126 + case 5: return ®s->ebp;
127 + case 6: return ®s->esi;
128 + case 7: return ®s->edi;
134 +static unsigned long get_modrm(struct pt_regs *regs, int *err)
136 + unsigned char modrm, sib;
138 + unsigned long rel32;
139 + int size, regnum, scale;
140 + unsigned long index, base, addr, value;
142 + *err |= __get_user(modrm, (unsigned char *)(regs->eip + 1));
144 + regnum = modrm & 7;
145 + addr = *get_reg(regs, regnum);
146 + if (regnum == 4 && (modrm & 0xC0) != 0xC0) {
147 + *err |= __get_user(sib, (unsigned char *)(regs->eip + 2));
150 + index = *get_reg(regs, (sib >> 3) & 7);
151 + base = *get_reg(regs, sib & 7);
152 + addr = base + (index << scale);
155 + switch (modrm & 0xC0) {
158 + *err |= __get_user(addr,
159 + (unsigned long *)(regs->eip + 2));
162 + *err |= get_user(value, (unsigned long *)addr);
166 + *err |= __get_user(rel8, (signed char *)(regs->eip + size));
169 + *err |= get_user(value, (unsigned long *)addr);
173 + *err |= __get_user(rel32, (unsigned long *)(regs->eip + size));
176 + *err |= get_user(value, (unsigned long *)addr);
184 + if (*err) return 0;
190 asmlinkage void do_general_protection(struct pt_regs * regs, long error_code)
192 +#ifdef CONFIG_HARDEN_STACK
193 + unsigned long addr;
194 + unsigned char insn;
195 +#ifdef CONFIG_HARDEN_STACK_SMART
200 if (regs->eflags & VM_MASK)
203 if (!(regs->xcs & 3))
206 +#ifdef CONFIG_HARDEN_STACK
207 + if ((regs->xcs & 0xFFFF) != __USER_CS ||
208 + __get_user(insn, (unsigned char *)regs->eip))
211 +/* Check if it was a return instruction */
212 + if (insn == 0xC3) {
213 + if (get_user(addr, (unsigned long *)regs->esp))
216 +/* Check if it was return from a signal handler */
217 + if ((addr & 0xFFFFFFFE) == MAGIC_SIGRETURN) {
218 +/* Call sys_sigreturn() or sys_rt_sigreturn() to restore the context */
220 + __asm__("movl %3,%%esi\n\t"
221 + "subl %1,%%esp\n\t"
222 + "movl %2,%%ecx\n\t"
223 + "movl %%esp,%%edi\n\t"
227 + "call sys_sigreturn\n\t"
228 + "leal %3,%%edi\n\t"
231 + "call sys_rt_sigreturn\n\t"
232 + "leal %3,%%edi\n\t"
234 + "addl %1,%%edi\n\t"
235 + "movl %%esp,%%esi\n\t"
236 + "movl %2,%%ecx\n\t"
237 + "movl (%%edi),%%edi\n\t"
241 +/* %eax is returned separately */
244 + "i" (sizeof(*regs)),
245 + "i" (sizeof(*regs) >> 2),
249 + "cx", "dx", "si", "di", "cc", "memory");
254 + * Check if we're returning to the stack area, which is only likely to happen
255 + * when attempting to exploit a buffer overflow.
257 + if (addr >= PAGE_OFFSET - _STK_LIM && addr < PAGE_OFFSET)
258 + security_alert("return onto stack running as "
259 + "UID %d, EUID %d, process %s:%d",
260 + "returns onto stack",
261 + current->uid, current->euid,
262 + current->comm, current->pid);
265 +#ifdef CONFIG_HARDEN_STACK_SMART
266 +/* Check if it could have been a trampoline call */
268 + if (insn == 0xFF &&
269 + !__get_user(insn, (unsigned char *)(regs->eip + 1)) &&
270 + (insn & 0x38) == 0x10 && insn != 0xD4) { /* call mod r/m */
271 +/* First, emulate the call */
273 + addr = get_modrm(regs, &err);
276 + err = put_user(regs->eip, (unsigned long *)regs->esp);
279 +/* Then, start emulating the trampoline itself */
281 + while (!err && !__get_user(insn, (unsigned char *)regs->eip++))
282 + if ((insn & 0xF8) == 0xB8) { /* movl imm32,%reg */
283 +/* We only have 8 GP registers, no reason to initialize one twice */
284 + if (count++ >= 8) break;
285 + err |= __get_user(addr, (unsigned long *)regs->eip);
287 + *get_reg(regs, insn & 7) = addr;
289 + if (insn == 0xFF) {
290 + err |= __get_user(insn, (unsigned char *)regs->eip);
291 + if ((insn & 0xF8) == 0xE0) { /* jmp *%reg */
292 + regs->eip = *get_reg(regs, insn & 7);
293 + if (err) break; else return;
297 + if (insn == 0xE9) { /* jmp rel32 */
298 + err |= __get_user(addr, (unsigned long *)regs->eip);
300 + regs->eip += 4 + addr;
310 current->thread.error_code = error_code;
311 current->thread.trap_no = 13;
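Review bot: In the trampoline emulation at L162–L175 the loop fetches opcodes and immediates from `regs->eip` with the unchecked `__get_user`, and after the emulated call (L159–L160) that eip is the user-supplied call target, which on this path normally lies above the user code-segment limit; the lines between L159 and L160 are not shown, so if they do not already reject targets at or above PAGE_OFFSET, a guard such as `if (err || addr >= PAGE_OFFSET) /* treat as a plain #GP */` should precede the loop, otherwise the `movl imm32,%reg` emulation at L166–L167 could load bytes read from a kernel address into a user-visible register. Separately, get_modrm() at L101–L103 takes SIB index 4 as %esp and base 5 under mod 00 as %ebp, whereas those encodings mean "no index" and "disp32 without base"; unless the elided lines 148–149 special-case them, such calls are mis-decoded (an emulation-correctness issue rather than a safety one). do_general_protection() continues past the end of the hunk and its SIGSEGV path is not visible.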
312 diff -urPX nopatch linux-2.4.22/arch/ia64/ia32/sys_ia32.c linux-2.4.22-ow1/arch/ia64/ia32/sys_ia32.c
313 --- linux-2.4.22/arch/ia64/ia32/sys_ia32.c Mon Aug 25 15:44:39 2003
314 +++ linux-2.4.22-ow1/arch/ia64/ia32/sys_ia32.c Thu Aug 28 06:20:31 2003
316 *ap++ = (char *) A(addr);
317 arg += sizeof(unsigned int);
319 + if (n >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *))
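Review bot: The bound check added at L183 comes after the store `*ap++` at L181, so unless the elided lines after it reorder things, the entry that reaches the limit is written before the comparison fires; that is only safe if `n` is already incremented before the check or the destination has a spare slot past the limit. Please confirm the ordering or move the check ahead of the store; the mips64 hunk at L187–L189 has the identical layout. Neither hunk shows the enclosing loop or what happens when the limit is hit.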
324 diff -urPX nopatch linux-2.4.22/arch/mips64/kernel/linux32.c linux-2.4.22-ow1/arch/mips64/kernel/linux32.c
325 --- linux-2.4.22/arch/mips64/kernel/linux32.c Mon Aug 25 15:44:40 2003
326 +++ linux-2.4.22-ow1/arch/mips64/kernel/linux32.c Thu Aug 28 06:32:24 2003
328 *ap++ = (char *) A(addr);
329 arg += sizeof(unsigned int);
331 + if (n >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *))
336 diff -urPX nopatch linux-2.4.22/arch/x86_64/ia32/sys_ia32.c linux-2.4.22-ow1/arch/x86_64/ia32/sys_ia32.c
337 --- linux-2.4.22/arch/x86_64/ia32/sys_ia32.c Mon Aug 25 15:44:40 2003
338 +++ linux-2.4.22-ow1/arch/x86_64/ia32/sys_ia32.c Thu Aug 28 06:20:31 2003
339 @@ -2135,7 +2135,7 @@
340 dst[cnt] = (char *)(u64)val;
343 - if (cnt >= (MAX_ARG_PAGES*PAGE_SIZE)/sizeof(void*))
344 + if (cnt >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *))
348 diff -urPX nopatch linux-2.4.22/drivers/scsi/st.c linux-2.4.22-ow1/drivers/scsi/st.c
349 --- linux-2.4.22/drivers/scsi/st.c Mon Aug 25 15:44:42 2003
350 +++ linux-2.4.22-ow1/drivers/scsi/st.c Thu Aug 28 06:44:05 2003
351 @@ -1639,7 +1639,7 @@
352 if (STps->drv_block >= 0)
353 STps->drv_block += 1;
354 (STp->buffer)->buffer_bytes = 0;
358 (STp->buffer)->buffer_bytes = bytes - transfer;
360 diff -urPX nopatch linux-2.4.22/fs/binfmt_aout.c linux-2.4.22-ow1/fs/binfmt_aout.c
361 --- linux-2.4.22/fs/binfmt_aout.c Sat Nov 3 04:39:20 2001
362 +++ linux-2.4.22-ow1/fs/binfmt_aout.c Thu Aug 28 06:20:52 2003
364 * Copyright (C) 1991, 1992, 1996 Linus Torvalds
367 +#include <linux/config.h>
368 #include <linux/module.h>
370 #include <linux/sched.h>
372 current->mm->mmap = NULL;
374 current->flags &= ~PF_FORKNOEXEC;
375 +#ifdef CONFIG_HARDEN_STACK
376 + if (N_FLAGS(ex) & F_STACKEXEC) current->flags |= PF_STACKEXEC;
379 if (N_MAGIC(ex) == NMAGIC) {
380 loff_t pos = fd_offset;
381 diff -urPX nopatch linux-2.4.22/fs/binfmt_elf.c linux-2.4.22-ow1/fs/binfmt_elf.c
382 --- linux-2.4.22/fs/binfmt_elf.c Mon Aug 25 15:44:43 2003
383 +++ linux-2.4.22-ow1/fs/binfmt_elf.c Thu Aug 28 06:46:34 2003
385 * Copyright 1993, 1994: Eric Youngdale (ericy@cais.com).
388 +#include <linux/config.h>
389 #include <linux/module.h>
391 #include <linux/fs.h>
393 #define ELF_PAGEOFFSET(_v) ((_v) & (ELF_MIN_ALIGN-1))
394 #define ELF_PAGEALIGN(_v) (((_v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1))
396 -static struct linux_binfmt elf_format = {
397 - NULL, THIS_MODULE, load_elf_binary, load_elf_library, elf_core_dump, ELF_EXEC_PAGESIZE
398 +#ifndef CONFIG_HARDEN_STACK
401 +struct linux_binfmt elf_format = {
402 + NULL, THIS_MODULE, load_elf_binary,
403 +#ifdef CONFIG_BINFMT_ELF_AOUT
408 + elf_core_dump, ELF_EXEC_PAGESIZE
411 #define BAD_ADDR(x) ((unsigned long)(x) > TASK_SIZE)
413 current->mm->end_code = 0;
414 current->mm->mmap = NULL;
415 current->flags &= ~PF_FORKNOEXEC;
416 +#ifdef CONFIG_HARDEN_STACK
417 + if (elf_ex.e_flags & EF_STACKEXEC) current->flags |= PF_STACKEXEC;
419 elf_entry = (unsigned long) elf_ex.e_entry;
421 /* Do this so that we can load the interpreter, if need be. We will
422 diff -urPX nopatch linux-2.4.22/fs/exec.c linux-2.4.22-ow1/fs/exec.c
423 --- linux-2.4.22/fs/exec.c Mon Aug 25 15:44:43 2003
424 +++ linux-2.4.22-ow1/fs/exec.c Thu Aug 28 06:20:52 2003
427 current->comm[i] = '\0';
429 +#ifdef CONFIG_HARDEN_STACK
430 + current->flags &= ~PF_STACKEXEC;
437 || atomic_read(¤t->fs->count) > 1
438 || atomic_read(¤t->files->count) > 1
439 || atomic_read(¤t->sig->count) > 1) {
440 + /* XXX: should fail rather than execute with no raised
441 + * effective privileges */
442 if(!capable(CAP_SETUID)) {
443 bprm->e_uid = current->uid;
444 bprm->e_gid = current->gid;
445 diff -urPX nopatch linux-2.4.22/include/asm-i386/a.out.h linux-2.4.22-ow1/include/asm-i386/a.out.h
446 --- linux-2.4.22/include/asm-i386/a.out.h Fri Jun 16 22:33:06 1995
447 +++ linux-2.4.22-ow1/include/asm-i386/a.out.h Thu Aug 28 06:20:52 2003
452 +#include <linux/config.h>
454 +#ifdef CONFIG_HARDEN_STACK
455 +#define STACK_TOP ( \
456 + (current->flags & PF_STACKEXEC) \
457 + ? TASK_SIZE - _STK_LIM \
460 #define STACK_TOP TASK_SIZE
465 diff -urPX nopatch linux-2.4.22/include/asm-i386/processor.h linux-2.4.22-ow1/include/asm-i386/processor.h
466 --- linux-2.4.22/include/asm-i386/processor.h Mon Aug 25 15:44:43 2003
467 +++ linux-2.4.22-ow1/include/asm-i386/processor.h Thu Aug 28 06:20:52 2003
468 @@ -261,10 +261,28 @@
470 #define TASK_SIZE (PAGE_OFFSET)
473 + * Magic addresses to return to the kernel from signal handlers. These two
474 + * should be beyond user code segment limit, adjacent, and MAGIC_SIGRETURN
477 +#define MAGIC_SIGRETURN (PAGE_OFFSET + 0xDE0000)
478 +#define MAGIC_RT_SIGRETURN (PAGE_OFFSET + 0xDE0001)
480 /* This decides where the kernel will search for a free chunk of vm
481 * space during mmap's.
483 +#if defined(CONFIG_HARDEN_STACK) && defined(CONFIG_BINFMT_ELF)
484 +extern struct linux_binfmt elf_format;
485 +#define TASK_UNMAPPED_BASE(size) ( \
486 + current->binfmt == &elf_format && \
487 + !(current->flags & PF_STACKEXEC) && \
488 + (size) < 0x00ef0000UL \
492 #define TASK_UNMAPPED_BASE (TASK_SIZE / 3)
496 * Size of io_bitmap in longwords: 32 is ports 0-0x3ff.
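Review bot: `TASK_UNMAPPED_BASE(size)` at L278–L281 gates its alternate mmap base on the bare constant `0x00ef0000UL` with no explanation of what the threshold represents or how it was derived, and it changes mapping placement for every non-PF_STACKEXEC ELF process; the result expression (lines 489–491) is not shown, but the condition at least should carry a comment naming the threshold's meaning. The `extern struct linux_binfmt elf_format;` at L277 reaches from an arch header into fs/binfmt_elf.c, which this patch makes non-static only under CONFIG_HARDEN_STACK; the `defined(CONFIG_BINFMT_ELF)` test appears to exclude the modular build where the symbol would not be linkable, and that too deserves a one-line comment.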
497 diff -urPX nopatch linux-2.4.22/include/linux/a.out.h linux-2.4.22-ow1/include/linux/a.out.h
498 --- linux-2.4.22/include/linux/a.out.h Thu Nov 22 22:46:18 2001
499 +++ linux-2.4.22-ow1/include/linux/a.out.h Thu Aug 28 06:20:52 2003
501 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
504 +/* Constants for the N_FLAGS field */
505 +#define F_STACKEXEC 1 /* Executable stack area forced */
507 #if !defined (N_MAGIC)
508 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
510 diff -urPX nopatch linux-2.4.22/include/linux/binfmts.h linux-2.4.22-ow1/include/linux/binfmts.h
511 --- linux-2.4.22/include/linux/binfmts.h Thu Nov 22 22:46:19 2001
512 +++ linux-2.4.22-ow1/include/linux/binfmts.h Thu Aug 28 06:20:52 2003
514 #ifndef _LINUX_BINFMTS_H
515 #define _LINUX_BINFMTS_H
517 +#include <linux/config.h>
518 #include <linux/ptrace.h>
519 #include <linux/capability.h>
521 diff -urPX nopatch linux-2.4.22/include/linux/elf.h linux-2.4.22-ow1/include/linux/elf.h
522 --- linux-2.4.22/include/linux/elf.h Fri Nov 29 02:53:15 2002
523 +++ linux-2.4.22-ow1/include/linux/elf.h Thu Aug 28 06:20:52 2003
525 #define R_MIPS_LOVENDOR 100
526 #define R_MIPS_HIVENDOR 127
528 +/* Constants for the e_flags field */
529 +#define EF_STACKEXEC 1 /* Executable stack area forced */
532 * Sparc ELF relocation types
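Review bot: `EF_STACKEXEC 1` at L306 claims bit 0 of the generic ELF `e_flags` field, but that field's bits are architecture-defined and bit 0 is already taken by other ABIs (MIPS's EF_MIPS_NOREORDER, for example), so the `elf_ex.e_flags & EF_STACKEXEC` test in binfmt_elf.c would misfire if CONFIG_HARDEN_STACK were ever offered outside arch/i386. A comment next to the define should make the scope explicit, e.g. `/* i386 only: e_flags bit 0 has ABI-specific meanings on other architectures */`.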
533 diff -urPX nopatch linux-2.4.22/include/linux/kernel.h linux-2.4.22-ow1/include/linux/kernel.h
534 --- linux-2.4.22/include/linux/kernel.h Fri Nov 29 02:53:15 2002
535 +++ linux-2.4.22-ow1/include/linux/kernel.h Thu Aug 28 06:20:52 2003
537 extern long long simple_strtoll(const char *,char **,unsigned int);
538 extern int sprintf(char * buf, const char * fmt, ...)
539 __attribute__ ((format (printf, 2, 3)));
540 -extern int vsprintf(char *buf, const char *, va_list);
541 +extern int vsprintf(char *buf, const char *, va_list)
542 + __attribute__ ((format (printf, 2, 0)));
543 extern int snprintf(char * buf, size_t size, const char * fmt, ...)
544 __attribute__ ((format (printf, 3, 4)));
545 -extern int vsnprintf(char *buf, size_t size, const char *fmt, va_list args);
546 +extern int vsnprintf(char *buf, size_t size, const char *fmt, va_list args)
547 + __attribute__ ((format (printf, 3, 0)));
549 extern int sscanf(const char *, const char *, ...)
550 - __attribute__ ((format (scanf,2,3)));
551 -extern int vsscanf(const char *, const char *, va_list);
552 + __attribute__ ((format (scanf, 2, 3)));
553 +extern int vsscanf(const char *, const char *, va_list)
554 + __attribute__ ((format (scanf, 2, 0)));
556 extern int get_option(char **str, int *pint);
557 extern char *get_options(char *str, int nints, int *ints);
559 ({ type __x = (x); type __y = (y); __x < __y ? __x: __y; })
560 #define max_t(type,x,y) \
561 ({ type __x = (x); type __y = (y); __x > __y ? __x: __y; })
563 +#define security_alert(normal_msg, flood_msg, args...) \
565 + static unsigned long warning_time = 0, no_flood_yet = 0; \
566 + static spinlock_t security_alert_lock = SPIN_LOCK_UNLOCKED; \
568 + spin_lock(&security_alert_lock); \
570 +/* Make sure at least one minute passed since the last warning logged */ \
571 + if (!warning_time || jiffies - warning_time > 60 * HZ) { \
572 + warning_time = jiffies; no_flood_yet = 1; \
573 + printk(KERN_ALERT "Security: " normal_msg "\n", ## args); \
574 + } else if (no_flood_yet) { \
575 + warning_time = jiffies; no_flood_yet = 0; \
576 + printk(KERN_ALERT "Security: more " flood_msg \
577 + ", logging disabled for a minute\n"); \
580 + spin_unlock(&security_alert_lock); \
583 extern void __out_of_line_bug(int line) ATTRIB_NORET;
584 #define out_of_line_bug() __out_of_line_bug(__LINE__)
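Review bot: security_alert() at L333–L345 takes `security_alert_lock` with plain spin_lock(), so it may only be expanded from process context (its one visible caller, do_general_protection in this patch, qualifies); a header comment should state that restriction and that the rate limit is per expansion site, since the `static` state at L334–L335 is created anew in every function that uses the macro. The flood printk at L343 passes none of `args`, so each caller's `flood_msg` must be a self-contained literal without conversion specifiers — worth saying in the same comment. Lines 564, 567 and 569 of the hunk are not shown.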
585 diff -urPX nopatch linux-2.4.22/include/linux/sched.h linux-2.4.22-ow1/include/linux/sched.h
586 --- linux-2.4.22/include/linux/sched.h Fri Jun 13 18:51:39 2003
587 +++ linux-2.4.22-ow1/include/linux/sched.h Thu Aug 28 06:20:52 2003
590 #define PF_USEDFPU 0x00100000 /* task used FPU this quantum (SMP) */
592 +#define PF_STACKEXEC 0x01000000 /* Executable stack area forced */
597 diff -urPX nopatch linux-2.4.22/kernel/sysctl.c linux-2.4.22-ow1/kernel/sysctl.c
598 --- linux-2.4.22/kernel/sysctl.c Mon Aug 25 15:44:44 2003
599 +++ linux-2.4.22-ow1/kernel/sysctl.c Thu Aug 28 06:20:52 2003
602 if (!oldlenp || get_user(old_len, oldlenp))
604 + /* XXX: insufficient for SMP, but should be redundant anyway */
605 + if ((ssize_t)old_len < 0)
608 tmp = &root_table_header.ctl_entry;
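Review bot: The check at L358 validates only the local copy `old_len` taken by get_user() at L356; the comment at L357 calls this "insufficient for SMP" without saying why, and the reason deserves spelling out: any later re-read of `*oldlenp` by a strategy handler sees a value the caller may have changed in the meantime, so this is a sanity filter, not a boundary. I'd reword it to `/* XXX: only checks our copy of *oldlenp; handlers that re-read it from user memory must validate again (racy on SMP) */`. The same comment is added in net/socket.c sys_getsockopt, where the same wording applies.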
610 diff -urPX nopatch linux-2.4.22/mm/mmap.c linux-2.4.22-ow1/mm/mmap.c
611 --- linux-2.4.22/mm/mmap.c Fri Jun 13 18:51:39 2003
612 +++ linux-2.4.22-ow1/mm/mmap.c Thu Aug 28 06:20:52 2003
617 +#include <linux/config.h>
618 #include <linux/slab.h>
619 #include <linux/shm.h>
620 #include <linux/mman.h>
622 (!vma || addr + len <= vma->vm_start))
625 +#if defined(CONFIG_HARDEN_STACK) && defined(CONFIG_BINFMT_ELF)
626 + addr = PAGE_ALIGN(TASK_UNMAPPED_BASE(len));
628 addr = PAGE_ALIGN(TASK_UNMAPPED_BASE);
631 for (vma = find_vma(current->mm, addr); ; vma = vma->vm_next) {
632 /* At this point: (!vma || addr < vma->vm_end). */
633 diff -urPX nopatch linux-2.4.22/mm/swapfile.c linux-2.4.22-ow1/mm/swapfile.c
634 --- linux-2.4.22/mm/swapfile.c Mon Aug 25 15:44:44 2003
635 +++ linux-2.4.22-ow1/mm/swapfile.c Thu Aug 28 06:20:52 2003
637 for (type = swap_list.head; type >= 0; type = swap_info[type].next) {
638 p = swap_info + type;
639 if ((p->flags & SWP_WRITEOK) == SWP_WRITEOK) {
640 - if (p->swap_file == nd.dentry)
642 + if (p->swap_file == nd.dentry ||
643 + (S_ISBLK(nd.dentry->d_inode->i_mode) &&
644 + p->swap_device == nd.dentry->d_inode->i_rdev))
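Review bot: The widened duplicate check at L380–L382 needs a comment explaining the rdev comparison, e.g. `/* the same block device reached through another device node must not be activated twice */`; without it the `S_ISBLK` clause reads like an unrelated special case. The `S_ISBLK` guard is right, since `i_rdev` is meaningless for a regular swap file. The loop's exit and the error path taken on a match are outside the shown lines.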
649 diff -urPX nopatch linux-2.4.22/net/socket.c linux-2.4.22-ow1/net/socket.c
650 --- linux-2.4.22/net/socket.c Mon Aug 25 15:44:44 2003
651 +++ linux-2.4.22-ow1/net/socket.c Thu Aug 28 06:20:52 2003
652 @@ -1305,10 +1305,18 @@
653 asmlinkage long sys_getsockopt(int fd, int level, int optname, char *optval, int *optlen)
659 if ((sock = sockfd_lookup(fd, &err))!=NULL)
661 + /* XXX: insufficient for SMP, but should be redundant anyway */
662 + if (get_user(len, optlen))
668 if (level == SOL_SOCKET)
669 err=sock_getsockopt(sock,level,optname,optval,optlen);