Secure-linux patch

From: Ernst Jan Plugge (rmcat_private)
Date: Thu Nov 05 1998 - 00:55:42 PST

Next message: Ambrose Feinstein: "Re: Quake problem?"

Previous message: WatchGuard Rapid Response: "Regarding the reported DOS against the internal interface of a"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Now that Red Hat 5.2 is out, with a pre-2.0.36 kernel, people will find
that Solar Designer's secure-linux patch doesn't apply cleanly to the new
source tree. The following patch against the 2.0.35 version of the patch
will make it apply cleanly with the -p 1 option. The changes are trivial.

Please note that this is a patch against the patch -- it is NOT a full
version of the secure-linux patch. Solar Designer's patch can be found at
<http://www.false.com/security/linux/>.

The new patch will probably not apply cleanly to a stock pre-2.0.36
kernel, because of Red Hat's own kernel patches, although the difference
should be no more than a few line offsets.

Whether or not the new patch will apply cleanly to 2.0.36 when it is
officially released is not known. This small patch is just intended for
Red Hat 5.2 users wishing to do a quick upgrade or install new machines
without missing out on secure-linux's features.


Y.T.,

Ernst Jan Plugge - rmcat_private
Network Security Consultant
--

--- secure-linux-2.0.35.diff    Thu Jul 30 01:54:40 1998
+++ secure-linux-2.0.36.diff    Thu Nov  5 09:22:06 1998
@@ -1,9 +1,9 @@
 diff -urPX nopatch linux-2.0.35/Documentation/Configure.help linux/Documentation/Configure.help
 --- linux-2.0.35/Documentation/Configure.help  Sat Jul 18 22:46:27 1998
 +++ linux/Documentation/Configure.help Sat Jul 18 23:42:07 1998
-@@ -4593,6 +4593,75 @@
-   removed from the running kernel whenever you want), say M and read
-   Documentation/modules.txt. If unsure, say Y.
+@@ -4702,6 +4702,75 @@
+   rules require. If you have a PPro or later SMP and one or more CPU's
+   report a value of about 2-3 bogomips enable this.

 +Non-executable user stack area
 +CONFIG_SECURE_STACK
@@ -109,7 +109,7 @@
 diff -urPX nopatch linux-2.0.35/arch/i386/config.in linux/arch/i386/config.in
 --- linux-2.0.35/arch/i386/config.in   Mon May 13 08:17:23 1996
 +++ linux/arch/i386/config.in  Sat Jul 18 23:42:07 1998
-@@ -104,6 +104,21 @@
+@@ -110,6 +110,21 @@
  endmenu

  mainmenu_option next_comment
@@ -134,8 +134,8 @@
 diff -urPX nopatch linux-2.0.35/arch/i386/defconfig linux/arch/i386/defconfig
 --- linux-2.0.35/arch/i386/defconfig   Sat Jul 18 22:46:29 1998
 +++ linux/arch/i386/defconfig  Sat Jul 18 23:42:07 1998
-@@ -204,6 +204,16 @@
- # CONFIG_SOUND is not set
+@@ -501,6 +501,16 @@
+ # CONFIG_AEDSP16_MPU401 is not set

  #
 +# Security
@@ -300,15 +300,7 @@
                return;
        if (regs->cs & 3) {
                esp = regs->esp;
-@@ -192,12 +192,19 @@
- DO_ERROR(17, SIGSEGV, "alignment check", alignment_check, current)
- DO_ERROR(18, SIGSEGV, "reserved", reserved, current)
-
--/* signal_return is directly after ret_from_sys_call in entry.S */
-+/* divide_error is after ret_from_sys_call in entry.S */
- asmlinkage void ret_from_sys_call(void)       __asm__("ret_from_sys_call");
--asmlinkage void signal_return(void)   __asm__("signal_return");
-+asmlinkage void divide_error(void)    __asm__("divide_error");
+@@ -198,6 +198,13 @@

  asmlinkage void do_general_protection(struct pt_regs * regs, long error_code)
  {
@@ -322,18 +314,15 @@
        if (regs->eflags & VM_MASK) {
                handle_vm86_fault((struct vm86_regs *) regs, error_code);
                return;
-@@ -208,9 +215,9 @@
+@@ -208,7 +215,7 @@
         * barfage for 2.0 has been put into the too-hard basket but having
         * a user producing endless GPFs is unacceptable as well. - Paul G.
         */
 -      if ((regs->cs & 3) != 3) {
 +      if ((regs->cs & 3) < 2) {
                if (regs->eip >= (unsigned long)ret_from_sys_call &&
--                  regs->eip < (unsigned long)signal_return) {
-+                  regs->eip < (unsigned long)divide_error) {
+                   regs->eip < (unsigned long)divide_error) {
                        static int moancount = 0;
-                       if (moancount < 5) {
-                               printk(KERN_INFO "Ignoring GPF attempt from program \"%s\" (pid %d).\n",
 @@ -219,9 +226,111 @@
                        }
                        do_exit(SIGSEGV);
@@ -895,7 +884,7 @@

  /*
   * System setup and hardware bug flags..
-@@ -41,7 +43,17 @@
+@@ -88,7 +90,17 @@
   */
  #define TASK_SIZE     (0xC0000000UL)
  #define MAX_USER_ADDR TASK_SIZE
@@ -913,7 +902,7 @@

  /*
   * Size of io_bitmap in longwords: 32 is ports 0-0x3ff.
-@@ -136,14 +148,6 @@
+@@ -183,14 +195,6 @@
  #define alloc_kernel_stack()    __get_free_page(GFP_KERNEL)
  #define free_kernel_stack(page) free_page((page))

@@ -928,7 +917,7 @@
  /*
   * Return saved PC of a blocked thread.
   */
-@@ -153,3 +157,25 @@
+@@ -200,3 +204,25 @@
  }

  #endif /* __ASM_I386_PROCESSOR_H */

Next message: Ambrose Feinstein: "Re: Quake problem?"
Previous message: WatchGuard Rapid Response: "Regarding the reported DOS against the internal interface of a"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:22:13 PDT