diff -puriN linux-4.9.74-unofficial_grsec/arch/arm/include/asm/domain.h linux-4.9.74-unofficial_grsec-nouderef/arch/arm/include/asm/domain.h --- linux-4.9.74-unofficial_grsec/arch/arm/include/asm/domain.h 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/arm/include/asm/domain.h 2018-08-22 13:37:34.784751529 -0500 @@ -61,14 +61,8 @@ #define DOMAIN_MANAGER 1 #endif -#ifdef CONFIG_PAX_MEMORY_UDEREF -#define DOMAIN_USERCLIENT 0 -#define DOMAIN_UDEREF 1 -#define DOMAIN_VECTORS DOMAIN_KERNEL -#else #define DOMAIN_USERCLIENT 1 #define DOMAIN_VECTORS DOMAIN_USER -#endif #endif #define DOMAIN_KERNELCLIENT 1 @@ -82,12 +76,6 @@ domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \ domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT) | \ domain_val(DOMAIN_VECTORS, DOMAIN_CLIENT)) -#elif defined(CONFIG_PAX_MEMORY_UDEREF) - /* DOMAIN_VECTORS is defined to DOMAIN_KERNEL */ -#define DACR_INIT \ - (domain_val(DOMAIN_USER, DOMAIN_USERCLIENT) | \ - domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \ - domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT)) #else #define DACR_INIT \ (domain_val(DOMAIN_USER, DOMAIN_USERCLIENT) | \ @@ -148,7 +136,7 @@ static inline void set_domain(unsigned v set_domain(domain); \ } while (0) -#elif defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#elif defined(CONFIG_PAX_KERNEXEC) #define modify_domain(dom,type) \ do { \ struct thread_info *thread = current_thread_info(); \ diff -puriN linux-4.9.74-unofficial_grsec/arch/arm/include/asm/pgtable.h linux-4.9.74-unofficial_grsec-nouderef/arch/arm/include/asm/pgtable.h --- linux-4.9.74-unofficial_grsec/arch/arm/include/asm/pgtable.h 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/arm/include/asm/pgtable.h 2018-08-22 13:35:41.282586358 -0500 
@@ -65,7 +65,7 @@ extern void __pgd_error(const char *file #define __HAVE_ARCH_PAX_OPEN_KERNEL #define __HAVE_ARCH_PAX_CLOSE_KERNEL -#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#ifdef CONFIG_PAX_KERNEXEC #include #include #include diff -puriN linux-4.9.74-unofficial_grsec/arch/arm/include/asm/uaccess.h linux-4.9.74-unofficial_grsec-nouderef/arch/arm/include/asm/uaccess.h --- linux-4.9.74-unofficial_grsec/arch/arm/include/asm/uaccess.h 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/arm/include/asm/uaccess.h 2018-08-22 13:34:52.717371464 -0500 @@ -82,25 +82,11 @@ static inline void set_fs(mm_segment_t f static inline void pax_open_userland(void) { -#ifdef CONFIG_PAX_MEMORY_UDEREF - if (segment_eq(get_fs(), USER_DS)) { - BUG_ON(test_domain(DOMAIN_USER, DOMAIN_UDEREF)); - modify_domain(DOMAIN_USER, DOMAIN_UDEREF); - } -#endif - } static inline void pax_close_userland(void) { -#ifdef CONFIG_PAX_MEMORY_UDEREF - if (segment_eq(get_fs(), USER_DS)) { - BUG_ON(test_domain(DOMAIN_USER, DOMAIN_NOACCESS)); - modify_domain(DOMAIN_USER, DOMAIN_NOACCESS); - } -#endif - } /* diff -puriN linux-4.9.74-unofficial_grsec/arch/arm/Kconfig linux-4.9.74-unofficial_grsec-nouderef/arch/arm/Kconfig --- linux-4.9.74-unofficial_grsec/arch/arm/Kconfig 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/arm/Kconfig 2018-08-22 13:42:07.676340031 -0500 @@ -1691,7 +1691,7 @@ config HIGHPTE config CPU_SW_DOMAIN_PAN bool "Enable use of CPU domains to implement privileged no-access" depends on MMU && !ARM_LPAE - depends on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF + depends on !PAX_KERNEXEC default y help Increase kernel security by ensuring that normal kernel accesses 
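Review bot: `pax_open_userland()` and `pax_close_userland()` in arch/arm/include/asm/uaccess.h are left as empty bodies with nothing saying why they still exist. A one-line comment in each, such as `/* no-op: UDEREF domain switching removed; kept so existing callers still build */`, would stop a reader from assuming the DACR is still toggled around user accesses. The same applies to the emptied `pax_open_userland`/`pax_close_userland` macros in entry-armv.S and to the x86 versions in smap.h, which now only `return 0`.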
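Review bot: `CPU_SW_DOMAIN_PAN` keeps `depends on !PAX_KERNEXEC`, so on an ARM kernel built with KERNEXEC this patch removes the UDEREF handling of DOMAIN_USER without making the stock software PAN selectable in its place. As far as the visible hunks show, such a build has no mechanism left that blocks stray kernel accesses to user memory. If that trade-off is intended, the help text should say so, for example `Not selectable together with PAX_KERNEXEC; such kernels have no user-access protection now that UDEREF is removed.` The help text of this entry continues outside the hunk.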
@@ -1768,7 +1768,7 @@ config ALIGNMENT_TRAP config UACCESS_WITH_MEMCPY bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()" - depends on MMU && !PAX_MEMORY_UDEREF + depends on MMU default y if CPU_FEROCEON help Implement faster copy_to_user and clear_user methods for CPU diff -puriN linux-4.9.74-unofficial_grsec/arch/arm/kernel/entry-armv.S linux-4.9.74-unofficial_grsec-nouderef/arch/arm/kernel/entry-armv.S --- linux-4.9.74-unofficial_grsec/arch/arm/kernel/entry-armv.S 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/arm/kernel/entry-armv.S 2018-08-22 14:57:35.756140241 -0500 @@ -51,7 +51,7 @@ .endm .macro pax_enter_kernel -#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#ifdef CONFIG_PAX_KERNEXEC @ make aligned space for saved DACR sub sp, sp, #8 @ save regs @@ -64,15 +64,9 @@ ldr r1, [r2, #TI_CPU_DOMAIN] @ store old DACR on stack str r1, [sp, #8] -#ifdef CONFIG_PAX_KERNEXEC @ set type of DOMAIN_KERNEL to DOMAIN_KERNELCLIENT bic r1, r1, #(domain_val(DOMAIN_KERNEL, 3)) orr r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT)) -#endif -#ifdef CONFIG_PAX_MEMORY_UDEREF - @ set current DOMAIN_USER to DOMAIN_NOACCESS - bic r1, r1, #(domain_val(DOMAIN_USER, 3)) -#endif @ write r1 to current_thread_info()->cpu_domain str r1, [r2, #TI_CPU_DOMAIN] @ write r1 to DACR 
@@ -85,50 +79,9 @@ .endm .macro pax_open_userland -#ifdef CONFIG_PAX_MEMORY_UDEREF - @ save regs - stmdb sp!, {r0, r1} - @ read DACR from cpu_domain into r1 - mov r0, sp - @ assume 8K pages, since we have to split the immediate in two - bic r0, r0, #(0x1fc0) - bic r0, r0, #(0x3f) - ldr r1, [r0, #TI_CPU_DOMAIN] - @ set current DOMAIN_USER to DOMAIN_CLIENT - bic r1, r1, #(domain_val(DOMAIN_USER, 3)) - orr r1, r1, #(domain_val(DOMAIN_USER, DOMAIN_UDEREF)) - @ write r1 to current_thread_info()->cpu_domain - str r1, [r0, #TI_CPU_DOMAIN] - @ write r1 to DACR - mcr p15, 0, r1, c3, c0, 0 - @ instruction sync - instr_sync - @ restore regs - ldmia sp!, {r0, r1} -#endif .endm .macro pax_close_userland -#ifdef CONFIG_PAX_MEMORY_UDEREF - @ save regs - stmdb sp!, {r0, r1} - @ read DACR from cpu_domain into r1 - mov r0, sp - @ assume 8K pages, since we have to split the immediate in two - bic r0, r0, #(0x1fc0) - bic r0, r0, #(0x3f) - ldr r1, [r0, #TI_CPU_DOMAIN] - @ set current DOMAIN_USER to DOMAIN_NOACCESS - bic r1, r1, #(domain_val(DOMAIN_USER, 3)) - @ write r1 to current_thread_info()->cpu_domain - str r1, [r0, #TI_CPU_DOMAIN] - @ write r1 to DACR - mcr p15, 0, r1, c3, c0, 0 - @ instruction sync - instr_sync - @ restore regs - ldmia sp!, {r0, r1} -#endif .endm .macro pabt_helper @@ -255,7 +208,7 @@ ENDPROC(__und_invalid) ldmia r0, {r3 - r5} add r7, sp, #S_SP - 4 @ here for interlock avoidance mov r6, #-1 @ "" "" "" "" -#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#ifdef CONFIG_PAX_KERNEXEC @ offset sp by 8 as done in pax_enter_kernel add r2, sp, #(SVC_REGS_SIZE + \stack_hole + 4) #else 
@@ -891,7 +844,7 @@ ENTRY(__switch_to) THUMB( str lr, [ip], #4 ) ldr r4, [r2, #TI_TP_VALUE] ldr r5, [r2, #TI_TP_VALUE + 4] -#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) mrc p15, 0, r6, c3, c0, 0 @ Get domain register str r6, [r1, #TI_CPU_DOMAIN] @ Save old domain register ldr r6, [r2, #TI_CPU_DOMAIN] @@ -902,7 +855,7 @@ ENTRY(__switch_to) ldr r8, =__stack_chk_guard ldr r7, [r7, #TSK_STACK_CANARY] #endif -#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) mcr p15, 0, r6, c3, c0, 0 @ Set domain register #endif mov r5, r0 diff -puriN linux-4.9.74-unofficial_grsec/arch/arm/kernel/entry-common.S linux-4.9.74-unofficial_grsec-nouderef/arch/arm/kernel/entry-common.S --- linux-4.9.74-unofficial_grsec/arch/arm/kernel/entry-common.S 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/arm/kernel/entry-common.S 2018-08-22 13:30:56.338192712 -0500 @@ -20,7 +20,7 @@ #include #else .macro arch_ret_to_user, tmp1, tmp2 -#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#ifdef CONFIG_PAX_KERNEXEC @ save regs stmdb sp!, {r1, r2} @ read DACR from cpu_domain into r1 
@@ -29,16 +29,9 @@ bic r2, r2, #(0x1fc0) bic r2, r2, #(0x3f) ldr r1, [r2, #TI_CPU_DOMAIN] -#ifdef CONFIG_PAX_KERNEXEC @ set type of DOMAIN_KERNEL to DOMAIN_KERNELCLIENT bic r1, r1, #(domain_val(DOMAIN_KERNEL, 3)) orr r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT)) -#endif -#ifdef CONFIG_PAX_MEMORY_UDEREF - @ set current DOMAIN_USER to DOMAIN_UDEREF - bic r1, r1, #(domain_val(DOMAIN_USER, 3)) - orr r1, r1, #(domain_val(DOMAIN_USER, DOMAIN_UDEREF)) -#endif @ write r1 to current_thread_info()->cpu_domain str r1, [r2, #TI_CPU_DOMAIN] @ write r1 to DACR diff -puriN linux-4.9.74-unofficial_grsec/arch/arm/kernel/entry-header.S linux-4.9.74-unofficial_grsec-nouderef/arch/arm/kernel/entry-header.S --- linux-4.9.74-unofficial_grsec/arch/arm/kernel/entry-header.S 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/arm/kernel/entry-header.S 2018-08-22 13:29:45.810332849 -0500 @@ -197,7 +197,7 @@ .endm .macro pax_enter_kernel_user -#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#ifdef CONFIG_PAX_KERNEXEC @ save regs stmdb sp!, {r0, r1} @ read DACR from cpu_domain into r1 @@ -206,15 +206,9 @@ bic r0, r0, #(0x1fc0) bic r0, r0, #(0x3f) ldr r1, [r0, #TI_CPU_DOMAIN] -#ifdef CONFIG_PAX_MEMORY_UDEREF - @ set current DOMAIN_USER to DOMAIN_NOACCESS - bic r1, r1, #(domain_val(DOMAIN_USER, 3)) -#endif -#ifdef CONFIG_PAX_KERNEXEC @ set current DOMAIN_KERNEL to DOMAIN_KERNELCLIENT bic r1, r1, #(domain_val(DOMAIN_KERNEL, 3)) orr r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT)) -#endif @ write r1 to current_thread_info()->cpu_domain str r1, [r0, #TI_CPU_DOMAIN] @ write r1 to DACR 
@@ -227,7 +221,7 @@ .endm .macro pax_exit_kernel -#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#if defined(CONFIG_PAX_KERNEXEC) @ save regs stmdb sp!, {r0, r1} @ read old DACR from stack into r1 diff -puriN linux-4.9.74-unofficial_grsec/arch/arm/kernel/process.c linux-4.9.74-unofficial_grsec-nouderef/arch/arm/kernel/process.c --- linux-4.9.74-unofficial_grsec/arch/arm/kernel/process.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/arm/kernel/process.c 2018-08-22 13:27:41.059349542 -0500 @@ -233,7 +233,7 @@ copy_thread(unsigned long clone_flags, u memset(&thread->cpu_context, 0, sizeof(struct cpu_context_save)); -#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) /* * Copy the initial value of the domain access control register * from the current thread: thread->addr_limit will have been diff -puriN linux-4.9.74-unofficial_grsec/arch/arm/mm/fault.c linux-4.9.74-unofficial_grsec-nouderef/arch/arm/mm/fault.c --- linux-4.9.74-unofficial_grsec/arch/arm/mm/fault.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/arm/mm/fault.c 2018-08-22 14:59:18.641477020 -0500 
@@ -139,17 +139,6 @@ __do_kernel_fault(struct mm_struct *mm, if (fixup_exception(regs)) return; -#ifdef CONFIG_PAX_MEMORY_UDEREF - if (addr < TASK_SIZE) { - if (current->signal->curr_ip) - printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", ¤t->signal->curr_ip, current->comm, task_pid_nr(current), - from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr); - else - printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", current->comm, task_pid_nr(current), - from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr); - } -#endif - #ifdef CONFIG_PAX_KERNEXEC if ((fsr & FSR_WRITE) && (((unsigned long)_stext <= addr && addr < init_mm.end_code) || @@ -610,18 +599,6 @@ do_DataAbort(unsigned long addr, unsigne const struct fsr_info *inf = fsr_info + fsr_fs(fsr); struct siginfo info; -#ifdef CONFIG_PAX_MEMORY_UDEREF - if (addr < TASK_SIZE && is_domain_fault(fsr)) { - if (current->signal->curr_ip) - printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", ¤t->signal->curr_ip, current->comm, task_pid_nr(current), - from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr); - else - printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", current->comm, task_pid_nr(current), - from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr); - goto die; - } -#endif - if (!inf->fn(addr, fsr & ~FSR_LNX_PF, regs)) return; 
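Review bot: Removing the KERN_EMERG message `PAX: ... attempted to access userland memory at %08lx` here and in the do_DataAbort hunk that follows drops the log line that identified a kernel-mode access to a user address together with the source IP, task, pid and uid/euid. Log monitoring or alert rules keyed on that string will go quiet without any error, so the removal should be recorded in the patch description or a changelog entry for whoever maintains those rules. After the change an `addr < TASK_SIZE` fault falls through to the KERNEXEC check and whatever generic reporting follows outside the hunk.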
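Review bot: The block removed from do_DataAbort contained a `goto die;`, and this hunk does not touch a `die:` label, which must sit further down the function outside the visible lines. If that jump was the label's only user, the label is now dead and the build gains an unused-label warning. Delete it in the same patch, or keep it with a comment if another path still jumps to it.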
@@ -724,7 +701,7 @@ do_PrefetchAbort(unsigned long addr, uns } } -#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#ifdef CONFIG_PAX_KERNEXEC else if (is_domain_fault(ifsr) || is_xn_fault(ifsr)) { if (current->signal->curr_ip) printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", ¤t->signal->curr_ip, current->comm, task_pid_nr(current), diff -puriN linux-4.9.74-unofficial_grsec/arch/arm/mm/Kconfig linux-4.9.74-unofficial_grsec-nouderef/arch/arm/mm/Kconfig --- linux-4.9.74-unofficial_grsec/arch/arm/mm/Kconfig 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/arm/mm/Kconfig 2018-08-22 13:41:27.141995298 -0500 @@ -446,7 +446,7 @@ config CPU_32v5 config CPU_32v6 bool - select CPU_USE_DOMAINS if CPU_V6 && MMU && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF + select CPU_USE_DOMAINS if CPU_V6 && MMU && !PAX_KERNEXEC select TLS_REG_EMUL if !CPU_32v6K && !MMU config CPU_32v6K @@ -604,7 +604,7 @@ config CPU_CP15_MPU config CPU_USE_DOMAINS bool - depends on !ARM_LPAE && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF + depends on !ARM_LPAE && !PAX_KERNEXEC help This option enables or disables the use of domain switching via the set_fs() function. @@ -844,7 +844,7 @@ config KUSER_HELPERS config VDSO bool "Enable VDSO for acceleration of some system calls" - depends on AEABI && MMU && CPU_V7 && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF + depends on AEABI && MMU && CPU_V7 && !PAX_KERNEXEC default y if ARM_ARCH_TIMER select GENERIC_TIME_VSYSCALL help diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/entry/entry_32.S linux-4.9.74-unofficial_grsec-nouderef/arch/x86/entry/entry_32.S --- linux-4.9.74-unofficial_grsec/arch/x86/entry/entry_32.S 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/entry/entry_32.S 2018-08-22 13:25:50.840131320 -0500 
@@ -152,11 +152,7 @@ #ifdef CONFIG_CC_STACKPROTECTOR movl $(__KERNEL_STACK_CANARY), \reg -#elif defined(CONFIG_PAX_MEMORY_UDEREF) - movl $(__USER_DS), \reg -#else xorl \reg, \reg -#endif movl \reg, %gs .endm @@ -321,7 +317,7 @@ ENDPROC(pax_erase_kstack) .endm .macro SAVE_ALL pt_regs_ax=%eax -#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) __SAVE_ALL \pt_regs_ax, __KERNEL_DS pax_enter_kernel #else diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/entry/entry_64_compat.S linux-4.9.74-unofficial_grsec-nouderef/arch/x86/entry/entry_64_compat.S --- linux-4.9.74-unofficial_grsec/arch/x86/entry/entry_64_compat.S 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/entry/entry_64_compat.S 2018-08-22 13:19:56.355861818 -0500 @@ -22,15 +22,9 @@ .macro pax_enter_kernel_user pax_set_fptr_mask -#ifdef CONFIG_PAX_MEMORY_UDEREF - pax_direct_call pax_enter_kernel_user -#endif .endm .macro pax_exit_kernel_user -#ifdef CONFIG_PAX_MEMORY_UDEREF - pax_direct_call pax_exit_kernel_user -#endif #ifdef CONFIG_PAX_RANDKSTACK pushq %rax pushq %r11 diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/entry/entry_64.S linux-4.9.74-unofficial_grsec-nouderef/arch/x86/entry/entry_64.S --- linux-4.9.74-unofficial_grsec/arch/x86/entry/entry_64.S 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/entry/entry_64.S 2018-08-22 15:01:52.109996091 -0500 
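Review bot: This hunk deletes `#else` and `#endif` along with the UDEREF `#elif` branch, so on the new side `#ifdef CONFIG_CC_STACKPROTECTOR` is no longer closed inside the macro and `xorl \reg, \reg` directly follows `movl $(__KERNEL_STACK_CANARY), \reg`. The header's 11-to-7 line count agrees with four removed lines, so this does not look like an extraction artefact. With the stack protector enabled the macro would load a zero selector into %gs instead of the canary segment, and the unbalanced conditional either fails to preprocess or pairs with a later `#endif`. Only `#elif defined(CONFIG_PAX_MEMORY_UDEREF)` and its `movl $(__USER_DS), \reg` should go; keep `#else`, `xorl \reg, \reg` and `#endif`. The macro's opening line is outside the hunk.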
@@ -73,18 +73,18 @@ ENDPROC(native_usergs_sysret64) .macro pax_enter_kernel pax_set_fptr_mask -#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#ifdef CONFIG_PAX_KERNEXEC pax_direct_call pax_enter_kernel #endif .endm .macro pax_exit_kernel -#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#ifdef CONFIG_PAX_KERNEXEC pax_direct_call pax_exit_kernel #endif .endm -#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#ifdef CONFIG_PAX_KERNEXEC ENTRY(pax_enter_kernel) pushq %rdi @@ -102,25 +102,6 @@ ENTRY(pax_enter_kernel) 1: #endif -#ifdef CONFIG_PAX_MEMORY_UDEREF - ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID - GET_CR3_INTO_RDI - cmp $0,%dil - jnz 112f - mov $__KERNEL_DS,%edi - mov %edi,%ss - jmp 111f -112: cmp $1,%dil - jz 113f - ud2 -113: sub $4097,%rdi - bts $63,%rdi - SET_RDI_INTO_CR3 - mov $__UDEREF_KERNEL_DS,%edi - mov %edi,%ss -111: -#endif - #ifdef CONFIG_PARAVIRT PV_RESTORE_REGS(CLBR_RDI) #endif @@ -153,23 +134,6 @@ ENTRY(pax_exit_kernel) 1: #endif -#ifdef CONFIG_PAX_MEMORY_UDEREF - ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID - mov %ss,%edi - cmp $__UDEREF_KERNEL_DS,%edi - jnz 111f - GET_CR3_INTO_RDI - cmp $0,%dil - jz 112f - ud2 -112: add $4097,%rdi - bts $63,%rdi - SET_RDI_INTO_CR3 - mov $__KERNEL_DS,%edi - mov %edi,%ss -111: -#endif - #ifdef CONFIG_PARAVIRT PV_RESTORE_REGS(CLBR_RDI); #endif @@ -192,15 +156,9 @@ ENDPROC(pax_exit_kernel) .macro pax_enter_kernel_user pax_set_fptr_mask -#ifdef CONFIG_PAX_MEMORY_UDEREF - pax_direct_call pax_enter_kernel_user -#endif .endm .macro pax_exit_kernel_user -#ifdef CONFIG_PAX_MEMORY_UDEREF - pax_direct_call pax_exit_kernel_user -#endif #ifdef CONFIG_PAX_RANDKSTACK pushq %rax pushq %r11 
@@ -210,131 +168,6 @@ ENDPROC(pax_exit_kernel) #endif .endm -#ifdef CONFIG_PAX_MEMORY_UDEREF -ENTRY(pax_enter_kernel_user) -GLOBAL(patch_pax_enter_kernel_user) - pushq %rdi - pushq %rbx - -#ifdef CONFIG_PARAVIRT - PV_SAVE_REGS(CLBR_RDI) -#endif - - ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID - GET_CR3_INTO_RDI - cmp $1,%dil - jnz 4f - sub $4097,%rdi - bts $63,%rdi - SET_RDI_INTO_CR3 - jmp 3f -111: - - GET_CR3_INTO_RDI - mov %rdi,%rbx - add $__START_KERNEL_map,%rbx - sub phys_base(%rip),%rbx - -#ifdef CONFIG_PARAVIRT - pushq %rdi - i = 0 - .rept USER_PGD_PTRS - mov i*8(%rbx),%rsi - mov $0,%sil - lea i*8(%rbx),%rdi - pax_indirect_call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched), pv_mmu_ops.set_pgd_batched - i = i + 1 - .endr - popq %rdi -#else - i = 0 - .rept USER_PGD_PTRS - movb $0,i*8(%rbx) - i = i + 1 - .endr -#endif - - SET_RDI_INTO_CR3 - -#ifdef CONFIG_PAX_KERNEXEC - GET_CR0_INTO_RDI - bts $X86_CR0_WP_BIT,%rdi - SET_RDI_INTO_CR0 -#endif - -3: - -#ifdef CONFIG_PARAVIRT - PV_RESTORE_REGS(CLBR_RDI) -#endif - - popq %rbx - popq %rdi - pax_ret pax_enter_kernel_user -4: ud2 -ENDPROC(pax_enter_kernel_user) - -ENTRY(pax_exit_kernel_user) -GLOBAL(patch_pax_exit_kernel_user) - pushq %rdi - pushq %rbx - -#ifdef CONFIG_PARAVIRT - PV_SAVE_REGS(CLBR_RDI) -#endif - - GET_CR3_INTO_RDI - ALTERNATIVE "jmp 1f", "", X86_FEATURE_PCID - cmp $0,%dil - jnz 3f - add $4097,%rdi - bts $63,%rdi - SET_RDI_INTO_CR3 - jmp 2f -1: - - mov %rdi,%rbx - -#ifdef CONFIG_PAX_KERNEXEC - GET_CR0_INTO_RDI - btr $X86_CR0_WP_BIT,%rdi - jnc 3f - SET_RDI_INTO_CR0 -#endif - - add $__START_KERNEL_map,%rbx - sub phys_base(%rip),%rbx - -#ifdef CONFIG_PARAVIRT - i = 0 - .rept USER_PGD_PTRS - mov i*8(%rbx),%rsi - mov $0x67,%sil - lea i*8(%rbx),%rdi - pax_indirect_call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched), pv_mmu_ops.set_pgd_batched - i = i + 1 - .endr -#else - i = 0 - .rept USER_PGD_PTRS - movb $0x67,i*8(%rbx) - i = i + 1 - .endr -#endif - -2: - -#ifdef CONFIG_PARAVIRT - 
PV_RESTORE_REGS(CLBR_RDI) -#endif - - popq %rbx - popq %rdi - pax_ret pax_exit_kernel_user -3: ud2 -ENDPROC(pax_exit_kernel_user) -#endif - .macro pax_enter_kernel_nmi pax_set_fptr_mask @@ -347,19 +180,6 @@ ENDPROC(pax_exit_kernel_user) 110: #endif -#ifdef CONFIG_PAX_MEMORY_UDEREF - ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID - GET_CR3_INTO_RDI - cmp $0,%dil - jz 111f - sub $4097,%rdi - or $4,%ebx - bts $63,%rdi - SET_RDI_INTO_CR3 - mov $__UDEREF_KERNEL_DS,%edi - mov %edi,%ss -111: -#endif .endm .macro pax_exit_kernel_nmi @@ -372,18 +192,6 @@ ENDPROC(pax_exit_kernel_user) 110: #endif -#ifdef CONFIG_PAX_MEMORY_UDEREF - ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID - btr $2,%ebx - jnc 111f - GET_CR3_INTO_RDI - add $4097,%rdi - bts $63,%rdi - SET_RDI_INTO_CR3 - mov $__KERNEL_DS,%edi - mov %edi,%ss -111: -#endif .endm .macro pax_erase_kstack @@ -900,11 +708,7 @@ ENDPROC(irq_entries_start) */ SWAPGS -#ifdef CONFIG_PAX_MEMORY_UDEREF - pax_enter_kernel_user -#else pax_enter_kernel -#endif /* * We need to tell lockdep that IRQs are off. We can't do this until @@ -1511,12 +1315,6 @@ ENTRY(paranoid_entry) SWAPGS xorl %ebx, %ebx 1: -#ifdef CONFIG_PAX_MEMORY_UDEREF - testb $3, CS+8(%rsp) - jz 1f - pax_enter_kernel_user - jmp 2f -#endif 1: pax_enter_kernel 2: pax_ret paranoid_entry @@ -1554,11 +1352,7 @@ ENTRY(paranoid_exit) TRACE_IRQS_OFF_DEBUG testl $1, %ebx /* swapgs needed? */ jnz paranoid_exit_no_swapgs -#ifdef CONFIG_PAX_MEMORY_UDEREF - pax_exit_kernel_user -#else pax_exit_kernel -#endif TRACE_IRQS_IRETQ SWAPGS_UNSAFE_STACK jmp paranoid_exit_restore @@ -1591,11 +1385,7 @@ ENTRY(error_entry) */ SWAPGS -#ifdef CONFIG_PAX_MEMORY_UDEREF - pax_enter_kernel_user -#else pax_enter_kernel -#endif .Lerror_entry_from_usermode_after_swapgs: /* @@ -1649,11 +1439,7 @@ ENTRY(error_entry) */ SWAPGS -#ifdef CONFIG_PAX_MEMORY_UDEREF - pax_enter_kernel_user -#else pax_enter_kernel -#endif /* * Pretend that the exception came from user mode: set up pt_regs 
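Review bot: In the paranoid_entry hunk the new side keeps a `1:` label in front of `pax_enter_kernel` directly after another `1:`, and a `2:` in front of `pax_ret paranoid_entry` that no visible instruction jumps to, since `jz 1f` and `jmp 2f` went away with the UDEREF block. The assembler accepts repeated numeric labels, but the leftovers make it look as if a branch target is still needed here. Drop the second `1:` and the `2:`, leaving plain `pax_enter_kernel` and `pax_ret paranoid_entry`; the first `1:` is context and may still be targeted from above the hunk.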
@@ -1779,7 +1565,7 @@ ENTRY(nmi) pushq %r14 /* pt_regs->r14 */ pushq %r15 /* pt_regs->r15 */ -#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#ifdef CONFIG_PAX_KERNEXEC xorl %ebx, %ebx #endif @@ -1804,7 +1590,7 @@ ENTRY(nmi) */ SWAPGS -#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#ifdef CONFIG_PAX_KERNEXEC movq RBX(%rsp), %rbx #endif diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/include/asm/cpufeatures.h linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/cpufeatures.h --- linux-4.9.74-unofficial_grsec/arch/x86/include/asm/cpufeatures.h 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/cpufeatures.h 2018-08-22 13:19:11.581585623 -0500 @@ -206,8 +206,6 @@ #define X86_FEATURE_VMMCALL ( 8*32+15) /* Prefer vmmcall to vmcall */ #define X86_FEATURE_XENPV ( 8*32+16) /* "" Xen paravirtual guest */ -#define X86_FEATURE_PCIDUDEREF ( 8*32+30) /* PaX PCID based UDEREF */ -#define X86_FEATURE_STRONGUDEREF (8*32+31) /* PaX PCID based strong UDEREF */ /* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */ #define X86_FEATURE_FSGSBASE ( 9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/ diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/include/asm/mmu_context.h linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/mmu_context.h --- linux-4.9.74-unofficial_grsec/arch/x86/include/asm/mmu_context.h 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/mmu_context.h 2018-08-22 13:18:01.211723202 -0500 
@@ -117,19 +117,6 @@ static inline void load_mm_ldt(struct mm static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk) { -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) - if (!(static_cpu_has(X86_FEATURE_PCIDUDEREF))) { - unsigned int i; - pgd_t *pgd; - - pax_open_kernel(); - pgd = get_cpu_pgd(smp_processor_id(), kernel); - for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i) - set_pgd_batched(pgd+i, native_make_pgd(0)); - pax_close_kernel(); - } -#endif - if (this_cpu_read(cpu_tlbstate.state) == TLBSTATE_OK) this_cpu_write(cpu_tlbstate.state, TLBSTATE_LAZY); } diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/include/asm/module.h linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/module.h --- linux-4.9.74-unofficial_grsec/arch/x86/include/asm/module.h 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/module.h 2018-08-22 13:16:28.920215159 -0500 @@ -66,18 +66,12 @@ #define MODULE_PAX_KERNEXEC "" #endif -#ifdef CONFIG_PAX_MEMORY_UDEREF -#define MODULE_PAX_UDEREF "UDEREF " -#else -#define MODULE_PAX_UDEREF "" -#endif - #ifdef CONFIG_PAX_RAP #define MODULE_PAX_RAP "RAP " #else #define MODULE_PAX_RAP "" #endif -#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF MODULE_PAX_RAP +#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_PAX_KERNEXEC MODULE_PAX_RAP #endif /* _ASM_X86_MODULE_H */ diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/include/asm/pgtable.h linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/pgtable.h --- linux-4.9.74-unofficial_grsec/arch/x86/include/asm/pgtable.h 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/pgtable.h 2018-08-22 14:20:47.237842586 -0500 
@@ -542,15 +542,6 @@ pte_t *populate_extra_pte(unsigned long #ifndef __ASSEMBLY__ -#ifdef CONFIG_PAX_PER_CPU_PGD -extern pgd_t cpu_pgd[NR_CPUS][2][PTRS_PER_PGD]; -enum cpu_pgd_type {kernel = 0, user = 1}; -static inline pgd_t *get_cpu_pgd(unsigned int cpu, enum cpu_pgd_type type) -{ - return cpu_pgd[cpu][type]; -} -#endif - #include #include #include @@ -798,10 +789,6 @@ static inline int pgd_none(pgd_t pgd) */ #define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address)) -#ifdef CONFIG_PAX_PER_CPU_PGD -#define pgd_offset_cpu(cpu, type, address) (get_cpu_pgd(cpu, type) + pgd_index(address)) -#endif - /* * a shortcut which implies the use of the kernel's pgd, instead * of a process's @@ -818,16 +805,7 @@ static inline int pgd_none(pgd_t pgd) #define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT #define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT)) -#ifdef CONFIG_PAX_MEMORY_UDEREF -#ifdef __ASSEMBLY__ -#define pax_user_shadow_base pax_user_shadow_base(%rip) -#else -extern unsigned long pax_user_shadow_base; -extern pgdval_t clone_pgd_mask; -#endif -#else #define pax_user_shadow_base (0UL) -#endif #endif 
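Review bot: The block removed here is guarded by `CONFIG_PAX_PER_CPU_PGD`, not by `CONFIG_PAX_MEMORY_UDEREF`, and none of the visible hunks removes that symbol or shows that nothing else can enable it. If another option still selects it, any remaining user of `cpu_pgd`, `get_cpu_pgd()`, `pgd_offset_cpu()` (second hunk of this file) or `__clone_user_pgds()` (last hunk of this file) will fail to compile. Either keep these declarations under their own guard, or remove the Kconfig symbol and every user in the same patch and say so in the description.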
@@ -1010,15 +988,7 @@ static inline void clone_pgd_range(pgd_t pax_close_kernel(); } -#ifdef CONFIG_PAX_PER_CPU_PGD -extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src); -#endif - -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src); -#else static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src) {} -#endif #define PTE_SHIFT ilog2(PTRS_PER_PTE) static inline int page_level_shift(enum pg_level level) Los ficheros binarios linux-4.9.74-unofficial_grsec/arch/x86/include/asm/.pgtable.h.swp y linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/.pgtable.h.swp son distintos diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/include/asm/segment.h linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/segment.h --- linux-4.9.74-unofficial_grsec/arch/x86/include/asm/segment.h 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/segment.h 2018-08-22 13:13:15.447342784 -0500 @@ -203,8 +203,6 @@ /* Abused to load per CPU data from limit */ #define GDT_ENTRY_PER_CPU 15 -#define GDT_ENTRY_UDEREF_KERNEL_DS 16 - /* * Number of entries in the GDT table: */ @@ -220,7 +218,6 @@ #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8) #define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8) #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8) -#define __UDEREF_KERNEL_DS (GDT_ENTRY_UDEREF_KERNEL_DS*8) #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS*8 + 3) #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8 + 3) #define __USER32_DS __USER_DS diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/include/asm/smap.h linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/smap.h --- linux-4.9.74-unofficial_grsec/arch/x86/include/asm/smap.h 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/smap.h 2018-08-22 13:12:23.643180233 -0500 
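Review bot: Directly after this hunk the diff reports that `arch/x86/include/asm/.pgtable.h.swp` differs between the two trees, so an editor swap file for this header was present when the patch was generated. That suggests pgtable.h was open in an editor at the time, in which case the on-disk content diffed here may not be the final edit. The swap file does not belong in the source tree either. Regenerate the patch from a clean tree, or exclude such files with diff's `-x '.*.swp'`.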
@@ -25,17 +25,8 @@ #include -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -#define ASM_PAX_OPEN_USERLAND \ - ALTERNATIVE "", "pax_direct_call __pax_open_userland", X86_FEATURE_STRONGUDEREF - -#define ASM_PAX_CLOSE_USERLAND \ - ALTERNATIVE "", "pax_direct_call __pax_close_userland", X86_FEATURE_STRONGUDEREF - -#else #define ASM_PAX_OPEN_USERLAND #define ASM_PAX_CLOSE_USERLAND -#endif #ifdef CONFIG_X86_SMAP @@ -66,13 +57,6 @@ extern void __pax_open_userland(void); static __always_inline unsigned long pax_open_userland(void) { -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) - asm volatile(ALTERNATIVE("", PAX_DIRECT_CALL("%P[open]"), X86_FEATURE_STRONGUDEREF) - : - : [open] "i" (__pax_open_userland) - : "memory", "rax"); -#endif - return 0; } @@ -80,13 +64,6 @@ extern void __pax_close_userland(void); static __always_inline unsigned long pax_close_userland(void) { -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) - asm volatile(ALTERNATIVE("", PAX_DIRECT_CALL("%P[close]"), X86_FEATURE_STRONGUDEREF) - : - : [close] "i" (__pax_close_userland) - : "memory", "rax"); -#endif - return 0; } diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/include/asm/stackprotector.h linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/stackprotector.h --- linux-4.9.74-unofficial_grsec/arch/x86/include/asm/stackprotector.h 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/stackprotector.h 2018-08-22 13:09:54.035598742 -0500 
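Review bot: `extern void __pax_open_userland(void);` and `extern void __pax_close_userland(void);` remain declared (they show up in the hunk headers above the two inline functions) although every visible reference to them is removed, namely the `ASM_PAX_OPEN_USERLAND`/`ASM_PAX_CLOSE_USERLAND` alternatives and the inline asm in `pax_open_userland()`/`pax_close_userland()`. If their definitions are deleted elsewhere in the patch, these prototypes are stale and should be dropped in the same change. If they are kept on purpose, a short comment next to them should name the remaining caller.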
@@ -114,7 +114,7 @@ static inline void setup_stack_canary_se static inline void load_stack_canary_segment(void) { -#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF) +#ifdef CONFIG_X86_32 asm volatile ("mov %0, %%gs" : : "r" (0)); #endif } diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/include/asm/tlbflush.h linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/tlbflush.h --- linux-4.9.74-unofficial_grsec/arch/x86/include/asm/tlbflush.h 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/tlbflush.h 2018-08-22 13:08:16.676172634 -0500 @@ -144,17 +144,6 @@ static inline void __native_flush_tlb(vo return; } -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) - if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) { - unsigned int cpu = raw_get_cpu(); - - native_write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER); - native_write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL); - raw_put_cpu_no_resched(); - return; - } -#endif - /* * If current->mm == NULL then we borrow a mm which may change during a * task switch and therefore we must not be preempted while we write CR3 
@@ -207,37 +196,10 @@ static inline void __native_flush_tlb_si if (static_cpu_has(X86_FEATURE_INVPCID)) { unsigned long pcid = PCID_KERNEL; -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) - if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) { - if (!static_cpu_has(X86_FEATURE_STRONGUDEREF) || addr >= TASK_SIZE_MAX) { - if (addr < TASK_SIZE_MAX) - invpcid_flush_one(pcid, addr + pax_user_shadow_base); - else - invpcid_flush_one(pcid, addr); - } - - pcid = PCID_USER; - } -#endif - invpcid_flush_one(pcid, addr); return; } -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) - if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) { - unsigned int cpu = raw_get_cpu(); - - native_write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH); - asm volatile("invlpg (%0)" ::"r" (addr) : "memory"); - native_write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH); - raw_put_cpu_no_resched(); - - if (!static_cpu_has(X86_FEATURE_STRONGUDEREF) && addr < TASK_SIZE_MAX) - addr += pax_user_shadow_base; - } -#endif - asm volatile("invlpg (%0)" ::"r" (addr) : "memory"); } diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/include/asm/uaccess_64.h linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/uaccess_64.h --- linux-4.9.74-unofficial_grsec/arch/x86/include/asm/uaccess_64.h 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/uaccess_64.h 2018-08-22 13:04:12.702116661 -0500 @@ -61,11 +61,6 @@ unsigned long __copy_from_user_nocheck(v check_object_size(dst, size, false); -#ifdef CONFIG_PAX_MEMORY_UDEREF - if (!access_ok_noprefault(VERIFY_READ, src, size)) - return size; -#endif - if (unlikely(sz != (size_t)-1 && sz < size)) { if(__builtin_constant_p(size)) __bad_copy_user(); 
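Review bot: With the `access_ok_noprefault()` check gone, `__copy_from_user_nocheck()` no longer validates `src` in the visible lines, and the same holds for the matching removals in `__copy_to_user_nocheck()`, `__copy_in_user()`, `__copy_from_user_nocache()` and `__copy_from_user_inatomic_nocache()` in the hunks that follow. That is only safe when every caller has already range-checked the pointer, and the new code says so nowhere. Add a short comment above each function, for example `/* caller must have validated the user pointer with access_ok() */`. The function bodies start and end outside the hunks.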
@@ -145,11 +140,6 @@ unsigned long __copy_to_user_nocheck(voi check_object_size(src, size, true); -#ifdef CONFIG_PAX_MEMORY_UDEREF - if (!access_ok_noprefault(VERIFY_WRITE, dst, size)) - return size; -#endif - if (unlikely(sz != (size_t)-1 && sz < size)) { if(__builtin_constant_p(size)) __bad_copy_user(); @@ -230,13 +220,6 @@ unsigned long __copy_in_user(void __user if (size > INT_MAX) return size; -#ifdef CONFIG_PAX_MEMORY_UDEREF - if (!access_ok_noprefault(VERIFY_READ, src, size)) - return size; - if (!access_ok_noprefault(VERIFY_WRITE, dst, size)) - return size; -#endif - if (!__builtin_constant_p(size)) return copy_user_generic((__force_kernel void *)____m(dst), (__force_kernel const void *)____m(src), size); @@ -320,11 +303,6 @@ __copy_from_user_nocache(void *dst, cons check_object_size(dst, size, false); -#ifdef CONFIG_PAX_MEMORY_UDEREF - if (!access_ok_noprefault(VERIFY_READ, src, size)) - return size; -#endif - return __copy_user_nocache(dst, src, size, 1); } @@ -339,11 +317,6 @@ __copy_from_user_inatomic_nocache(void * check_object_size(dst, size, false); -#ifdef CONFIG_PAX_MEMORY_UDEREF - if (!access_ok_noprefault(VERIFY_READ, src, size)) - return size; -#endif - return __copy_user_nocache(dst, src, size, 0); } diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/include/asm/uaccess.h linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/uaccess.h --- linux-4.9.74-unofficial_grsec/arch/x86/include/asm/uaccess.h 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/include/asm/uaccess.h 2018-08-22 13:06:18.300086277 -0500 @@ -33,12 +33,7 @@ #define get_ds() (KERNEL_DS) #define get_fs() (current->thread.addr_limit) -#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF) -void __set_fs(mm_segment_t x); -void set_fs(mm_segment_t x); -#else #define set_fs(x) (current->thread.addr_limit = (x)) -#endif #define segment_eq(a, b) ((a).seg == (b).seg) 
@@ -133,15 +128,9 @@ extern int __get_user_bad(void); #define __uaccess_begin() pax_open_userland(); stac() #define __uaccess_end() clac(); pax_close_userland() -#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF) -#define __copyuser_seg "gs;" -#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n" -#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n" -#else #define __copyuser_seg #define __COPYUSER_SET_ES #define __COPYUSER_RESTORE_ES -#endif /* * This is a type: either (un)signed int, if the argument fits into @@ -462,17 +451,7 @@ do { \ /* FIXME: this hack is definitely wrong -AK */ struct __large_struct { unsigned long buf[100]; }; -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -#define ____m(x) \ -({ \ - unsigned long ____x = (unsigned long)(x); \ - if (____x < pax_user_shadow_base) \ - ____x += pax_user_shadow_base; \ - (typeof(x))____x; \ -}) -#else #define ____m(x) (x) -#endif #define __m(x) (*(struct __large_struct __user *)____m(x)) /* @@ -535,12 +514,8 @@ do { \ * On error, the variable @x is set to zero. */ -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -#define __get_user(x, ptr) get_user((x), (ptr)) -#else #define __get_user(x, ptr) \ __get_user_nocheck((x), (ptr), sizeof(*(ptr))) -#endif /** * __put_user: - Write a simple value into user space, with less checking. 
@@ -563,12 +538,8 @@ do { \ * Returns zero on success, or -EFAULT on error. */ -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -#define __put_user(x, ptr) put_user((x), (ptr)) -#else #define __put_user(x, ptr) \ __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr))) -#endif #define __get_user_unaligned __get_user #define __put_user_unaligned __put_user diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/Kconfig linux-4.9.74-unofficial_grsec-nouderef/arch/x86/Kconfig --- linux-4.9.74-unofficial_grsec/arch/x86/Kconfig 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/Kconfig 2018-08-22 14:27:11.221635205 -0500 @@ -93,7 +93,7 @@ config X86 select HAVE_ARCH_WITHIN_STACK_FRAMES select HAVE_EBPF_JIT if X86_64 select HAVE_ARCH_VMAP_STACK if X86_64 - select HAVE_CC_STACKPROTECTOR if X86_64 || !PAX_MEMORY_UDEREF + select HAVE_CC_STACKPROTECTOR if X86_64 select HAVE_CMPXCHG_DOUBLE select HAVE_CMPXCHG_LOCAL select HAVE_CONTEXT_TRACKING if X86_64 @@ -190,13 +190,11 @@ config MMU def_bool y config ARCH_MMAP_RND_BITS_MIN - default 28 if 64BIT && !PAX_PER_CPU_PGD - default 27 if 64BIT && PAX_PER_CPU_PGD + default 28 if 64BIT default 8 config ARCH_MMAP_RND_BITS_MAX - default 32 if 64BIT && !PAX_PER_CPU_PGD - default 27 if 64BIT && PAX_PER_CPU_PGD + default 32 if 64BIT default 16 config ARCH_MMAP_RND_COMPAT_BITS_MIN @@ -298,7 +296,7 @@ config X86_64_SMP config X86_32_LAZY_GS def_bool y - depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF + depends on X86_32 && !CC_STACKPROTECTOR config ARCH_SUPPORTS_UPROBES def_bool y 
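Review bot: The new condition on `select HAVE_CC_STACKPROTECTOR` in the `config X86` hunk makes the stack protector unselectable on 32-bit builds. The old expression `X86_64 || !PAX_MEMORY_UDEREF` is always true once UDEREF is gone, so the equivalent line is the unconditional `select HAVE_CC_STACKPROTECTOR`, not `select HAVE_CC_STACKPROTECTOR if X86_64`. The 32-bit canary code is kept elsewhere in this patch (`load_stack_canary_segment` still loads `%gs` under `CONFIG_X86_32`, and `X86_32_LAZY_GS` still depends on `!CC_STACKPROTECTOR`), which suggests the restriction is unintended.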
@@ -2101,7 +2099,7 @@ config COMPAT_VDSO def_bool n prompt "Disable the 32-bit vDSO (needed for glibc 2.3.3)" depends on X86_32 || IA32_EMULATION - depends on !PAX_PAGEEXEC && !PAX_SEGMEXEC && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF + depends on !PAX_PAGEEXEC && !PAX_SEGMEXEC && !PAX_KERNEXEC ---help--- Certain buggy versions of glibc will crash if they are presented with a 32-bit vDSO that is not mapped at the address diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/kernel/asm-offsets.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/asm-offsets.c --- linux-4.9.74-unofficial_grsec/arch/x86/kernel/asm-offsets.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/asm-offsets.c 2018-08-22 13:00:38.745575410 -0500 @@ -81,14 +81,6 @@ void common(void) { OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0); #endif -#ifdef CONFIG_PAX_MEMORY_UDEREF - OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3); - OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3); -#ifdef CONFIG_X86_64 - OFFSET(PV_MMU_set_pgd_batched, pv_mmu_ops, set_pgd_batched); -#endif -#endif - #endif BLANK(); diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/kernel/cpu/common.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/cpu/common.c --- linux-4.9.74-unofficial_grsec/arch/x86/kernel/cpu/common.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/cpu/common.c 2018-08-22 13:02:47.578492748 -0500 
@@ -256,53 +256,6 @@ static __always_inline void setup_smap(s } } -#ifdef CONFIG_PAX_MEMORY_UDEREF -#ifdef CONFIG_X86_64 -static bool uderef_enabled __read_only = true; -unsigned long pax_user_shadow_base __read_only; -EXPORT_SYMBOL(pax_user_shadow_base); -extern char patch_pax_enter_kernel_user[]; -extern char patch_pax_exit_kernel_user[]; - -static int __init setup_pax_weakuderef(char *str) -{ - if (uderef_enabled) - pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT; - return 1; -} -__setup("pax_weakuderef", setup_pax_weakuderef); -#endif - -static int __init setup_pax_nouderef(char *str) -{ -#ifdef CONFIG_X86_32 - unsigned int cpu; - struct desc_struct *gdt; - - for (cpu = 0; cpu < nr_cpu_ids; cpu++) { - gdt = get_cpu_gdt_table(cpu); - gdt[GDT_ENTRY_KERNEL_DS].type = 3; - gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf; - gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf; - gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf; - } - loadsegment(ds, __KERNEL_DS); - loadsegment(es, __KERNEL_DS); - loadsegment(ss, __KERNEL_DS); -#else - memcpy(patch_pax_enter_kernel_user, (unsigned char []){0xc3}, 1); - memcpy(patch_pax_exit_kernel_user, (unsigned char []){0xc3}, 1); - clone_pgd_mask = ~(pgdval_t)0UL; - pax_user_shadow_base = 0UL; - setup_clear_cpu_cap(X86_FEATURE_PCIDUDEREF); - uderef_enabled = false; -#endif - - return 0; -} -early_param("pax_nouderef", setup_pax_nouderef); -#endif - #ifdef CONFIG_X86_64 static __init int setup_disable_pcid(char *arg) { @@ -317,11 +270,6 @@ static __init int setup_disable_pcid(cha setup_clear_cpu_cap(X86_FEATURE_PCID); setup_clear_cpu_cap(X86_FEATURE_INVPCID); -#ifdef CONFIG_PAX_MEMORY_UDEREF - if (uderef_enabled) - pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT; -#endif - pr_info("nopcid: PCID feature disabled\n"); return 1; } 
@@ -356,32 +304,6 @@ static void setup_pcid(struct cpuinfo_x8 if (cpu_has(c, X86_FEATURE_INVPCID)) printk("PAX: INVPCID detected\n"); -#ifdef CONFIG_PAX_MEMORY_UDEREF - if (!uderef_enabled) { - printk("PAX: UDEREF disabled\n"); - return; - } - - if (!cpu_has(c, X86_FEATURE_PCID)) { - pax_open_kernel(); - pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT; - pax_close_kernel(); - printk("PAX: slow and weak UDEREF enabled\n"); - return; - } - - set_cpu_cap(c, X86_FEATURE_PCIDUDEREF); - - pax_open_kernel(); - clone_pgd_mask = ~(pgdval_t)0UL; - pax_close_kernel(); - if (pax_user_shadow_base) - printk("PAX: weak UDEREF enabled\n"); - else { - set_cpu_cap(c, X86_FEATURE_STRONGUDEREF); - printk("PAX: strong UDEREF enabled\n"); - } -#endif #endif } @@ -1150,7 +1072,7 @@ static void identify_cpu(struct cpuinfo_ if (!(__supported_pte_mask & _PAGE_NX)) clear_cpu_cap(c, X86_FEATURE_PSE); #endif -#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) clear_cpu_cap(c, X86_FEATURE_SEP); #endif #endif diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/kernel/espfix_64.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/espfix_64.c --- linux-4.9.74-unofficial_grsec/arch/x86/kernel/espfix_64.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/espfix_64.c 2018-08-22 14:18:08.337411318 -0500 
@@ -134,11 +134,6 @@ void __init init_espfix_bsp(void) paravirt_alloc_pud(&init_mm, __pa(pud_p) >> PAGE_SHIFT); set_pgd(pgd_p, __pgd(PGTABLE_PROT | __pa(pud_p))); -#ifdef CONFIG_PAX_PER_CPU_PGD - clone_pgd_range(get_cpu_pgd(0, kernel) + index, swapper_pg_dir + index, 1); - clone_pgd_range(get_cpu_pgd(0, user) + index, swapper_pg_dir + index, 1); -#endif - /* Randomize the locations */ init_espfix_random(); diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/kernel/head_32.S linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/head_32.S --- linux-4.9.74-unofficial_grsec/arch/x86/kernel/head_32.S 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/head_32.S 2018-08-22 14:15:16.603187541 -0500 @@ -150,17 +150,6 @@ ENTRY(startup_32) orb %al,GDT_ENTRY_PERCPU * 8 + 6(%edi) #endif -#ifdef CONFIG_PAX_MEMORY_UDEREF - movl $NR_CPUS,%ecx - movl $pa(cpu_gdt_table),%edi -1: - movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi) - movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi) - movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi) - addl $PAGE_SIZE_asm,%edi - loop 1b -#endif - #ifdef CONFIG_PAX_KERNEXEC movl $pa(boot_gdt),%edi movl $__LOAD_PHYSICAL_ADDR,%eax @@ -550,11 +539,7 @@ is486: #ifdef CONFIG_CC_STACKPROTECTOR movl $(__KERNEL_STACK_CANARY),%eax -#elif defined(CONFIG_PAX_MEMORY_UDEREF) - movl $(__USER_DS),%eax -#else xorl %eax,%eax -#endif movl %eax,%gs xorl %eax,%eax # Clear LDT 
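Review bot: In the `is486` hunk of head_32.S the `#else` and `#endif` lines are removed together with the UDEREF `#elif` branch, which leaves `#ifdef CONFIG_CC_STACKPROTECTOR` unterminated in the visible lines. As the hunk reads, `xorl %eax,%eax` now also runs inside the stack-protector branch, so `%gs` would be loaded with 0 instead of `__KERNEL_STACK_CANARY`. Only the two UDEREF lines should go: keep `#else` before `xorl %eax,%eax` and `#endif` after it. This file is presumably built only for 32-bit kernels, so a 64-bit test build would not show the problem.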
@@ -798,14 +783,6 @@ ENTRY(initial_page_table) # endif .balign PAGE_SIZE /* needs to be page-sized too */ -# ifdef CONFIG_PAX_PER_CPU_PGD -ENTRY(cpu_pgd) - .rept 2*NR_CPUS - .fill PTRS_PER_PGD,8,0 - .endr -EXPORT_SYMBOL(cpu_pgd) -# endif - #endif .data diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/kernel/head_64.S linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/head_64.S --- linux-4.9.74-unofficial_grsec/arch/x86/kernel/head_64.S 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/head_64.S 2018-08-22 14:15:57.123532491 -0500 @@ -486,14 +486,6 @@ NEXT_PAGE(init_level4_pgt) /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */ .quad level3_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE -#ifdef CONFIG_PAX_PER_CPU_PGD -NEXT_PAGE(cpu_pgd) - .rept 2*NR_CPUS - .fill 512,8,0 - .endr -EXPORT_SYMBOL(cpu_pgd) -#endif - NEXT_PAGE(level3_ident_pgt) .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE #ifdef CONFIG_XEN @@ -593,11 +585,7 @@ ENTRY(cpu_gdt_table) .quad 0x0000f40000000000 /* node/CPU stored in limit */ /* asm/segment.h:GDT_ENTRIES must match this */ -#ifdef CONFIG_PAX_MEMORY_UDEREF - .quad 0x00cf93000000ffff /* __UDEREF_KERNEL_DS */ -#else .quad 0x0 /* unused */ -#endif /* zero the remaining page */ .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0 diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/kernel/irq_32.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/irq_32.c --- linux-4.9.74-unofficial_grsec/arch/x86/kernel/irq_32.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/irq_32.c 2018-08-22 12:57:16.210849543 -0500 @@ -92,10 +92,6 @@ static inline int execute_on_irq_stack(i prev_esp = (u32 *)irqstk; *prev_esp = current_stack_pointer(); -#ifdef CONFIG_PAX_MEMORY_UDEREF - __set_fs(MAKE_MM_SEG(0)); -#endif - if (unlikely(overflow)) call_on_stack(print_stack_overflow, isp); 
@@ -107,10 +103,6 @@ static inline int execute_on_irq_stack(i "D" (desc->handle_irq) : "memory", "cc", "ecx"); -#ifdef CONFIG_PAX_MEMORY_UDEREF - __set_fs(current->thread.addr_limit); -#endif - return 1; } @@ -140,16 +132,7 @@ void do_softirq_own_stack(void) prev_esp = (u32 *)irqstk; *prev_esp = current_stack_pointer(); -#ifdef CONFIG_PAX_MEMORY_UDEREF - __set_fs(MAKE_MM_SEG(0)); -#endif - call_on_stack(__do_softirq, isp); - -#ifdef CONFIG_PAX_MEMORY_UDEREF - __set_fs(current->thread.addr_limit); -#endif - } bool handle_irq(struct irq_desc *desc, struct pt_regs *regs) diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/kernel/paravirt_patch_64.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/paravirt_patch_64.c --- linux-4.9.74-unofficial_grsec/arch/x86/kernel/paravirt_patch_64.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/paravirt_patch_64.c 2018-08-22 18:47:53.911941577 -0500 @@ -10,9 +10,7 @@ DEF_NATIVE(pv_mmu_ops, read_cr2, "movq % DEF_NATIVE(pv_mmu_ops, read_cr3, "movq %cr3, %rax"); DEF_NATIVE(pv_mmu_ops, write_cr3, "movq %rdi, %cr3"); -#ifndef CONFIG_PAX_MEMORY_UDEREF DEF_NATIVE(pv_mmu_ops, flush_tlb_single, "invlpg (%rdi)"); -#endif DEF_NATIVE(pv_cpu_ops, clts, "clts"); DEF_NATIVE(pv_cpu_ops, wbinvd, "wbinvd"); @@ -64,9 +62,7 @@ unsigned native_patch(u8 type, u16 clobb PATCH_SITE(pv_mmu_ops, write_cr3); PATCH_SITE(pv_cpu_ops, clts); -#ifndef CONFIG_PAX_MEMORY_UDEREF PATCH_SITE(pv_mmu_ops, flush_tlb_single); -#endif PATCH_SITE(pv_cpu_ops, wbinvd); #if defined(CONFIG_PARAVIRT_SPINLOCKS) diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/kernel/process_32.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/process_32.c --- linux-4.9.74-unofficial_grsec/arch/x86/kernel/process_32.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/process_32.c 2018-08-22 12:52:19.286649539 -0500 
@@ -250,10 +250,6 @@ __switch_to(struct task_struct *prev_p, */ lazy_save_gs(prev->gs); -#ifdef CONFIG_PAX_MEMORY_UDEREF - __set_fs(next_p->thread.addr_limit); -#endif - /* * Load the per-thread Thread-Local Storage descriptor. */ diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/kernel/process_64.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/process_64.c --- linux-4.9.74-unofficial_grsec/arch/x86/kernel/process_64.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/process_64.c 2018-08-22 12:30:12.349100445 -0500 @@ -280,7 +280,6 @@ int copy_thread_tls(unsigned long clone_ savesegment(es, p->thread.es); savesegment(ds, p->thread.ds); savesegment(ss, p->thread.ss); - BUG_ON(p->thread.ss == __UDEREF_KERNEL_DS); memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps)); if (unlikely(p->flags & PF_KTHREAD)) { diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/kernel/process.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/process.c --- linux-4.9.74-unofficial_grsec/arch/x86/kernel/process.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/process.c 2018-08-22 12:53:28.725527006 -0500 @@ -150,7 +150,7 @@ void flush_thread(void) { struct task_struct *tsk = current; -#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF) +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) loadsegment(gs, 0); #endif flush_ptrace_hw_breakpoint(tsk); diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/kernel/reboot.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/reboot.c --- linux-4.9.74-unofficial_grsec/arch/x86/kernel/reboot.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/reboot.c 2018-08-22 12:25:54.706265424 -0500 
@@ -84,7 +84,7 @@ static int __init set_bios_reboot(const void __noreturn machine_real_restart(unsigned int type) { -#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)) +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) struct desc_struct *gdt; #endif @@ -120,24 +120,15 @@ void __noreturn machine_real_restart(uns /* Jump to the identity-mapped low memory code */ #ifdef CONFIG_X86_32 -#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) +#ifdef CONFIG_PAX_KERNEXEC gdt = get_cpu_gdt_table(smp_processor_id()); pax_open_kernel(); -#ifdef CONFIG_PAX_MEMORY_UDEREF - gdt[GDT_ENTRY_KERNEL_DS].type = 3; - gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf; - loadsegment(ds, __KERNEL_DS); - loadsegment(es, __KERNEL_DS); - loadsegment(ss, __KERNEL_DS); -#endif -#ifdef CONFIG_PAX_KERNEXEC gdt[GDT_ENTRY_KERNEL_CS].base0 = 0; gdt[GDT_ENTRY_KERNEL_CS].base1 = 0; gdt[GDT_ENTRY_KERNEL_CS].base2 = 0; gdt[GDT_ENTRY_KERNEL_CS].limit0 = 0xffff; gdt[GDT_ENTRY_KERNEL_CS].limit = 0xf; gdt[GDT_ENTRY_KERNEL_CS].g = 1; -#endif pax_close_kernel(); #endif diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/kernel/smpboot.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/smpboot.c --- linux-4.9.74-unofficial_grsec/arch/x86/kernel/smpboot.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kernel/smpboot.c 2018-08-22 14:16:58.375542307 -0500 @@ -220,11 +220,7 @@ static void notrace start_secondary(void barrier(); /* switch away from the initial page table */ -#ifdef CONFIG_PAX_PER_CPU_PGD - load_cr3(get_cpu_pgd(smp_processor_id(), kernel)); -#else load_cr3(swapper_pg_dir); -#endif __flush_tlb_all(); /* 
@@ -1103,15 +1099,6 @@ int native_cpu_up(unsigned int cpu, stru common_cpu_up(cpu, tidle); -#ifdef CONFIG_PAX_PER_CPU_PGD - clone_pgd_range(get_cpu_pgd(cpu, kernel) + KERNEL_PGD_BOUNDARY, - swapper_pg_dir + KERNEL_PGD_BOUNDARY, - KERNEL_PGD_PTRS); - clone_pgd_range(get_cpu_pgd(cpu, user) + KERNEL_PGD_BOUNDARY, - swapper_pg_dir + KERNEL_PGD_BOUNDARY, - KERNEL_PGD_PTRS); -#endif - err = do_boot_cpu(apicid, cpu, tidle); if (err) { pr_err("do_boot_cpu failed(%d) to wakeup CPU#%u\n", err, cpu); diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/kvm/svm.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kvm/svm.c --- linux-4.9.74-unofficial_grsec/arch/x86/kvm/svm.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kvm/svm.c 2018-08-22 12:20:10.995821754 -0500 @@ -4911,10 +4911,6 @@ static void svm_vcpu_run(struct kvm_vcpu #endif #endif -#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF) - __set_fs(current->thread.addr_limit); -#endif - reload_tss(vcpu); local_irq_disable(); diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/kvm/vmx.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kvm/vmx.c --- linux-4.9.74-unofficial_grsec/arch/x86/kvm/vmx.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/kvm/vmx.c 2018-08-22 14:14:29.584947628 -0500 @@ -2272,10 +2272,6 @@ static void vmx_vcpu_load(struct kvm_vcp vmcs_writel(HOST_TR_BASE, kvm_read_tr_base()); /* 22.2.4 */ vmcs_writel(HOST_GDTR_BASE, gdt->address); /* 22.2.4 */ -#ifdef CONFIG_PAX_PER_CPU_PGD - vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */ -#endif - rdmsrl(MSR_IA32_SYSENTER_ESP, sysenter_esp); vmcs_writel(HOST_IA32_SYSENTER_ESP, sysenter_esp); /* 22.2.3 */ 
@@ -4880,9 +4876,7 @@ static void vmx_set_constant_host_state( vmcs_writel(HOST_CR0, read_cr0() & ~X86_CR0_TS); /* 22.2.3 */ -#ifndef CONFIG_PAX_PER_CPU_PGD vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */ -#endif /* Save the most likely value for this task's CR4 in the VMCS. */ cr4 = cr4_read_shadow(); @@ -9057,10 +9051,6 @@ static void __noclone vmx_vcpu_run(struc loadsegment(fs, __KERNEL_PERCPU); #endif -#ifdef CONFIG_PAX_MEMORY_UDEREF - __set_fs(current->thread.addr_limit); -#endif - #endif vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP) diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/lib/checksum_32.S linux-4.9.74-unofficial_grsec-nouderef/arch/x86/lib/checksum_32.S --- linux-4.9.74-unofficial_grsec/arch/x86/lib/checksum_32.S 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/lib/checksum_32.S 2018-08-22 12:17:48.348127764 -0500 @@ -287,19 +287,8 @@ unsigned int csum_partial_copy_generic ( ENTRY(csum_partial_copy_generic_to_user) -#ifdef CONFIG_PAX_MEMORY_UDEREF - pushl %gs - popl %es - jmp csum_partial_copy_generic -#endif - ENTRY(csum_partial_copy_generic_from_user) -#ifdef CONFIG_PAX_MEMORY_UDEREF - pushl %gs - popl %ds -#endif - ENTRY(csum_partial_copy_generic) subl $4,%esp pushl %edi @@ -413,13 +402,6 @@ DST( movb %cl, %es:(%edi) ) .previous -#ifdef CONFIG_PAX_MEMORY_UDEREF - pushl %ss - popl %ds - pushl %ss - popl %es -#endif - popl %ebx popl %esi popl %edi @@ -447,19 +429,8 @@ ENDPROC(csum_partial_copy_generic_to_use ENTRY(csum_partial_copy_generic_to_user) -#ifdef CONFIG_PAX_MEMORY_UDEREF - pushl %gs - popl %es - jmp csum_partial_copy_generic -#endif - ENTRY(csum_partial_copy_generic_from_user) -#ifdef CONFIG_PAX_MEMORY_UDEREF - pushl %gs - popl %ds -#endif - ENTRY(csum_partial_copy_generic) pushl %ebx pushl %edi 
@@ -523,13 +494,6 @@ DST( movb %dl, %es:(%edi) ) jmp 7b .previous -#ifdef CONFIG_PAX_MEMORY_UDEREF - pushl %ss - popl %ds - pushl %ss - popl %es -#endif - popl %esi popl %edi popl %ebx diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/lib/copy_user_64.S linux-4.9.74-unofficial_grsec-nouderef/arch/x86/lib/copy_user_64.S --- linux-4.9.74-unofficial_grsec/arch/x86/lib/copy_user_64.S 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/lib/copy_user_64.S 2018-08-22 12:12:35.316188140 -0500 @@ -242,14 +242,6 @@ EXPORT_SYMBOL(copy_user_enhanced_fast_st ENTRY(__copy_user_nocache) FRAME_BEGIN -#ifdef CONFIG_PAX_MEMORY_UDEREF - mov pax_user_shadow_base,%rcx - cmp %rcx,%rsi - jae 1f - add %rcx,%rsi -1: -#endif - ASM_USER_ACCESS_BEGIN /* If size is less than 8 bytes, go to 4-byte copy */ diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/lib/getuser.S linux-4.9.74-unofficial_grsec-nouderef/arch/x86/lib/getuser.S --- linux-4.9.74-unofficial_grsec/arch/x86/lib/getuser.S 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/lib/getuser.S 2018-08-22 12:10:27.801249504 -0500 @@ -38,31 +38,16 @@ #include #include -#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF) -#define __copyuser_seg gs; -#else #define __copyuser_seg -#endif .text ENTRY(__get_user_1) FRAME_BEGIN -#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF) mov PER_CPU_VAR(current_task), %_ASM_DX cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) - mov pax_user_shadow_base,%_ASM_DX - cmp %_ASM_DX,%_ASM_AX - jae 1234f - add %_ASM_DX,%_ASM_AX -1234: -#endif - -#endif - ASM_USER_ACCESS_BEGIN 1: __copyuser_seg movzbl (%_ASM_AX),%edx ASM_USER_ACCESS_END 
@@ -76,22 +61,11 @@ ENTRY(__get_user_2) FRAME_BEGIN add $1,%_ASM_AX -#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF) jc bad_get_user mov PER_CPU_VAR(current_task), %_ASM_DX cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) - mov pax_user_shadow_base,%_ASM_DX - cmp %_ASM_DX,%_ASM_AX - jae 1234f - add %_ASM_DX,%_ASM_AX -1234: -#endif - -#endif - ASM_USER_ACCESS_BEGIN 2: __copyuser_seg movzwl -1(%_ASM_AX),%edx ASM_USER_ACCESS_END @@ -105,22 +79,11 @@ ENTRY(__get_user_4) FRAME_BEGIN add $3,%_ASM_AX -#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF) jc bad_get_user mov PER_CPU_VAR(current_task), %_ASM_DX cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) - mov pax_user_shadow_base,%_ASM_DX - cmp %_ASM_DX,%_ASM_AX - jae 1234f - add %_ASM_DX,%_ASM_AX -1234: -#endif - -#endif - ASM_USER_ACCESS_BEGIN 3: __copyuser_seg movl -3(%_ASM_AX),%edx ASM_USER_ACCESS_END @@ -140,14 +103,6 @@ ENTRY(__get_user_8) cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user -#ifdef CONFIG_PAX_MEMORY_UDEREF - mov pax_user_shadow_base,%_ASM_DX - cmp %_ASM_DX,%_ASM_AX - jae 1234f - add %_ASM_DX,%_ASM_AX -1234: -#endif - ASM_USER_ACCESS_BEGIN 4: movq -7(%_ASM_AX),%rdx ASM_USER_ACCESS_END Los ficheros binarios linux-4.9.74-unofficial_grsec/arch/x86/lib/.getuser.S.swp y linux-4.9.74-unofficial_grsec-nouderef/arch/x86/lib/.getuser.S.swp son distintos diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/lib/putuser.S linux-4.9.74-unofficial_grsec-nouderef/arch/x86/lib/putuser.S --- linux-4.9.74-unofficial_grsec/arch/x86/lib/putuser.S 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/lib/putuser.S 2018-08-22 12:06:18.935272602 -0500 
@@ -33,37 +33,17 @@ * as they get called from within inline assembly. */ -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -#define _DEST %_ASM_CX,%_ASM_BX -#else #define _DEST %_ASM_CX -#endif - -#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF) -#define __copyuser_seg gs; -#else #define __copyuser_seg -#endif .text ENTRY(__put_user_1) FRAME_BEGIN -#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF) mov PER_CPU_VAR(current_task), %_ASM_BX cmp TASK_addr_limit(%_ASM_BX),%_ASM_CX jae bad_put_user -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) - mov pax_user_shadow_base,%_ASM_BX - cmp %_ASM_BX,%_ASM_CX - jb 1234f - xor %ebx,%ebx -1234: -#endif - -#endif - ASM_USER_ACCESS_BEGIN 1: __copyuser_seg movb %al,(_DEST) ASM_USER_ACCESS_END @@ -76,22 +56,12 @@ EXPORT_SYMBOL(__put_user_1) ENTRY(__put_user_2) FRAME_BEGIN -#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF) mov PER_CPU_VAR(current_task), %_ASM_BX mov TASK_addr_limit(%_ASM_BX),%_ASM_BX sub $1,%_ASM_BX cmp %_ASM_BX,%_ASM_CX jae bad_put_user -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) - mov pax_user_shadow_base,%_ASM_BX - cmp %_ASM_BX,%_ASM_CX - jb 1234f - xor %ebx,%ebx -1234: -#endif - -#endif ASM_USER_ACCESS_BEGIN 2: __copyuser_seg movw %ax,(_DEST) @@ -105,23 +75,12 @@ EXPORT_SYMBOL(__put_user_2) ENTRY(__put_user_4) FRAME_BEGIN -#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF) mov PER_CPU_VAR(current_task), %_ASM_BX mov TASK_addr_limit(%_ASM_BX),%_ASM_BX sub $3,%_ASM_BX cmp %_ASM_BX,%_ASM_CX jae bad_put_user -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) - mov pax_user_shadow_base,%_ASM_BX - cmp %_ASM_BX,%_ASM_CX - jb 1234f - xor %ebx,%ebx -1234: -#endif - -#endif - ASM_USER_ACCESS_BEGIN 3: __copyuser_seg movl %eax,(_DEST) ASM_USER_ACCESS_END 
@@ -134,23 +93,12 @@ EXPORT_SYMBOL(__put_user_4) ENTRY(__put_user_8) FRAME_BEGIN -#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF) mov PER_CPU_VAR(current_task), %_ASM_BX mov TASK_addr_limit(%_ASM_BX),%_ASM_BX sub $7,%_ASM_BX cmp %_ASM_BX,%_ASM_CX jae bad_put_user -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) - mov pax_user_shadow_base,%_ASM_BX - cmp %_ASM_BX,%_ASM_CX - jb 1234f - xor %ebx,%ebx -1234: -#endif - -#endif - ASM_USER_ACCESS_BEGIN 4: __copyuser_seg mov %_ASM_AX,(_DEST) #ifdef CONFIG_X86_32 diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/lib/usercopy_32.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/lib/usercopy_32.c --- linux-4.9.74-unofficial_grsec/arch/x86/lib/usercopy_32.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/lib/usercopy_32.c 2018-08-22 11:58:24.131948152 -0500 @@ -752,29 +752,4 @@ unsigned long __copy_from_user_ll_nocach } EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero); -#ifdef CONFIG_PAX_MEMORY_UDEREF -void __set_fs(mm_segment_t x) -{ - switch (x.seg) { - case 0: - loadsegment(gs, 0); - break; - case TASK_SIZE_MAX: - loadsegment(gs, __USER_DS); - break; - case -1UL: - loadsegment(gs, __KERNEL_DS); - break; - default: - BUG(); - } -} -EXPORT_SYMBOL(__set_fs); -void set_fs(mm_segment_t x) -{ - current->thread.addr_limit = x; - __set_fs(x); -} -EXPORT_SYMBOL(set_fs); -#endif diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/mm/fault.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/mm/fault.c --- linux-4.9.74-unofficial_grsec/arch/x86/mm/fault.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/mm/fault.c 2018-08-22 18:58:49.874164784 -0500 @@ -27,10 +27,6 @@ #include /* vma_pkey() */ #include -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -#include -#endif - #define CREATE_TRACE_POINTS #include 
@@ -337,24 +333,10 @@ void vmalloc_sync_all(void) address >= TASK_SIZE_MAX && address < FIXADDR_TOP; address += PMD_SIZE) { -#ifdef CONFIG_PAX_PER_CPU_PGD - unsigned long cpu; -#else struct page *page; -#endif spin_lock(&pgd_lock); -#ifdef CONFIG_PAX_PER_CPU_PGD - for (cpu = 0; cpu < nr_cpu_ids; ++cpu) { - pgd_t *pgd = get_cpu_pgd(cpu, user); - pmd_t *ret; - - ret = vmalloc_sync_one(pgd, address); - if (!ret) - break; - pgd = get_cpu_pgd(cpu, kernel); -#else list_for_each_entry(page, &pgd_list, lru) { pgd_t *pgd; spinlock_t *pgt_lock; @@ -365,13 +347,10 @@ void vmalloc_sync_all(void) spin_lock(pgt_lock); pgd = page_address(page); -#endif ret = vmalloc_sync_one(pgd, address); -#ifndef CONFIG_PAX_PER_CPU_PGD spin_unlock(pgt_lock); -#endif if (!ret) break; @@ -405,12 +384,6 @@ static noinline int vmalloc_fault(unsign * an interrupt in the middle of a task switch.. */ pgd_paddr = read_cr3(); - -#ifdef CONFIG_PAX_PER_CPU_PGD - BUG_ON(__pa(get_cpu_pgd(smp_processor_id(), kernel)) != (pgd_paddr & __PHYSICAL_MASK)); - vmalloc_sync_one(__va(pgd_paddr + PTRS_PER_PGD * sizeof(pgd_t)), address); -#endif - pmd_k = vmalloc_sync_one(__va(pgd_paddr), address); if (!pmd_k) return -1; @@ -510,24 +483,11 @@ static noinline int vmalloc_fault(unsign * happen within a race in page table update. In the later * case just flush: */ + pgd = (pgd_t *)__va(read_cr3()) + pgd_index(address); pgd_ref = pgd_offset_k(address); if (pgd_none(*pgd_ref)) return -1; -#ifdef CONFIG_PAX_PER_CPU_PGD - BUG_ON(__pa(get_cpu_pgd(smp_processor_id(), kernel)) != (read_cr3() & __PHYSICAL_MASK)); - pgd = pgd_offset_cpu(smp_processor_id(), user, address); - if (pgd_none(*pgd)) { - set_pgd(pgd, *pgd_ref); - arch_flush_lazy_mmu_mode(); - } else { - BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref)); - } - pgd = pgd_offset_cpu(smp_processor_id(), kernel, address); -#else - pgd = (pgd_t *)__va(read_cr3()) + pgd_index(address); -#endif - if (pgd_none(*pgd)) { set_pgd(pgd, *pgd_ref); arch_flush_lazy_mmu_mode(); 
@@ -1440,22 +1400,6 @@ __do_page_fault(struct pt_regs *regs, un tsk = current; mm = tsk->mm; -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) - if (!user_mode(regs) && address < 2 * pax_user_shadow_base) { - if (!search_exception_tables(regs->ip)) { - printk(KERN_EMERG "PAX: please report this to pageexec@freemail.hu\n"); - bad_area_nosemaphore(regs, error_code, address, NULL); - return; - } - if (address < pax_user_shadow_base) { - printk(KERN_EMERG "PAX: please report this to pageexec@freemail.hu\n"); - printk(KERN_EMERG "PAX: faulting IP: %pS\n", (void *)regs->ip); - show_trace_log_lvl(current, regs, (void *)regs->sp, KERN_EMERG); - } else - address -= pax_user_shadow_base; - } -#endif - /* * Detect and handle instructions that would cause a page fault for * both a tracked kernel page and a userspace page. Los ficheros binarios linux-4.9.74-unofficial_grsec/arch/x86/mm/.fault.c.swp y linux-4.9.74-unofficial_grsec-nouderef/arch/x86/mm/.fault.c.swp son distintos diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/mm/init_64.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/mm/init_64.c --- linux-4.9.74-unofficial_grsec/arch/x86/mm/init_64.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/mm/init_64.c 2018-08-22 14:10:45.415571462 -0500 @@ -99,11 +99,7 @@ void sync_global_pgds(unsigned long star for (addr = start; addr <= end; addr = ALIGN(addr + 1, PGDIR_SIZE)) { const pgd_t *pgd_ref = pgd_offset_k(addr); -#ifdef CONFIG_PAX_PER_CPU_PGD - unsigned long cpu; -#else struct page *page; -#endif /* * When it is called after memory hot remove, pgd_none() 
@@ -114,25 +110,6 @@ void sync_global_pgds(unsigned long star continue; spin_lock(&pgd_lock); - -#ifdef CONFIG_PAX_PER_CPU_PGD - for (cpu = 0; cpu < nr_cpu_ids; ++cpu) { - pgd_t *pgd = pgd_offset_cpu(cpu, user, addr); - - if (!pgd_none(*pgd_ref) && !pgd_none(*pgd)) - BUG_ON(pgd_page_vaddr(*pgd) - != pgd_page_vaddr(*pgd_ref)); - - if (removed) { - if (pgd_none(*pgd_ref) && !pgd_none(*pgd)) - pgd_clear(pgd); - } else { - if (pgd_none(*pgd)) - set_pgd(pgd, *pgd_ref); - } - - pgd = pgd_offset_cpu(cpu, kernel, addr); -#else list_for_each_entry(page, &pgd_list, lru) { pgd_t *pgd; spinlock_t *pgt_lock; @@ -141,7 +118,6 @@ void sync_global_pgds(unsigned long star /* the pgt_lock only for Xen */ pgt_lock = &pgd_page_get_mm(page)->page_table_lock; spin_lock(pgt_lock); -#endif if (!pgd_none(*pgd_ref) && !pgd_none(*pgd)) BUG_ON(pgd_page_vaddr(*pgd) @@ -155,10 +131,7 @@ void sync_global_pgds(unsigned long star set_pgd(pgd, *pgd_ref); } -#ifndef CONFIG_PAX_PER_CPU_PGD spin_unlock(pgt_lock); -#endif - } spin_unlock(&pgd_lock); } diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/mm/init.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/mm/init.c --- linux-4.9.74-unofficial_grsec/arch/x86/mm/init.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/mm/init.c 2018-08-22 14:12:24.351972101 -0500 
@@ -635,17 +635,7 @@ void __init init_mem_mapping(void) early_ioremap_page_table_range_init(); #endif -#ifdef CONFIG_PAX_PER_CPU_PGD - clone_pgd_range(get_cpu_pgd(0, kernel) + KERNEL_PGD_BOUNDARY, - swapper_pg_dir + KERNEL_PGD_BOUNDARY, - KERNEL_PGD_PTRS); - clone_pgd_range(get_cpu_pgd(0, user) + KERNEL_PGD_BOUNDARY, - swapper_pg_dir + KERNEL_PGD_BOUNDARY, - KERNEL_PGD_PTRS); - load_cr3(get_cpu_pgd(0, kernel)); -#else load_cr3(swapper_pg_dir); -#endif __flush_tlb_all(); diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/mm/Makefile linux-4.9.74-unofficial_grsec-nouderef/arch/x86/mm/Makefile --- linux-4.9.74-unofficial_grsec/arch/x86/mm/Makefile 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/mm/Makefile 2018-08-22 14:30:57.325980058 -0500 @@ -40,6 +40,4 @@ obj-$(CONFIG_X86_INTEL_MEMORY_PROTECTION obj-$(CONFIG_RANDOMIZE_MEMORY) += kaslr.o quote:=" -obj-$(CONFIG_X86_64) += uderef_64.o -CFLAGS_uderef_64.o := -fcall-saved-rax -fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11 diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/mm/pageattr.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/mm/pageattr.c --- linux-4.9.74-unofficial_grsec/arch/x86/mm/pageattr.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/mm/pageattr.c 2018-08-22 14:07:27.840765409 -0500 
@@ -470,19 +470,10 @@ static void __set_pmd_pte(pte_t *kpte, u #ifdef CONFIG_X86_32 if (!SHARED_KERNEL_PMD) { -#ifdef CONFIG_PAX_PER_CPU_PGD - unsigned long cpu; -#else struct page *page; -#endif -#ifdef CONFIG_PAX_PER_CPU_PGD - for (cpu = 0; cpu < nr_cpu_ids; ++cpu) { - pgd_t *pgd = get_cpu_pgd(cpu, kernel); -#else list_for_each_entry(page, &pgd_list, lru) { pgd_t *pgd = (pgd_t *)page_address(page); -#endif pud_t *pud; pmd_t *pmd; diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/mm/pgtable.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/mm/pgtable.c --- linux-4.9.74-unofficial_grsec/arch/x86/mm/pgtable.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/mm/pgtable.c 2018-08-22 14:04:49.012332993 -0500 @@ -98,45 +98,6 @@ static inline void pgd_list_del(pgd_t *p list_del(&page->lru); } -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT; - -void __shadow_user_pgds(pgd_t *dst, const pgd_t *src) -{ - unsigned int count = USER_PGD_PTRS; - - if (!pax_user_shadow_base) - return; - - while (count--) - *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER); -} -#endif - -#ifdef CONFIG_PAX_PER_CPU_PGD -void __clone_user_pgds(pgd_t *dst, const pgd_t *src) -{ - unsigned int count = USER_PGD_PTRS; - - while (count--) { - pgd_t pgd; - -#ifdef CONFIG_X86_64 - pgd = __pgd(pgd_val(*src++) | _PAGE_USER); -#else - pgd = *src++; -#endif - -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) - pgd = __pgd(pgd_val(pgd) & clone_pgd_mask); -#endif - - *dst++ = pgd; - } - -} -#endif - #ifdef CONFIG_X86_64 #define pxd_t pud_t #define pyd_t pgd_t 
@@ -163,10 +124,6 @@ void __clone_user_pgds(pgd_t *dst, const #define mm_dec_nr_pxds(mm) mm_dec_nr_pmds(mm) #endif -#ifdef CONFIG_PAX_PER_CPU_PGD -static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {} -static inline void pgd_dtor(pgd_t *pgd) {} -#else static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm) { BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm)); @@ -207,7 +164,6 @@ static void pgd_dtor(pgd_t *pgd) pgd_list_del(pgd); spin_unlock(&pgd_lock); } -#endif /* * List of all pgd's needed for non-PAE so it can invalidate entries @@ -250,8 +206,6 @@ void pud_populate(struct mm_struct *mm, */ flush_tlb_mm(mm); } -#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD) -#define PREALLOCATED_PXDS USER_PGD_PTRS #else /* !CONFIG_X86_PAE */ /* No need to prepopulate any pagetable entries in non-PAE modes. */ @@ -621,18 +575,6 @@ static void fix_user_fixmap(enum fixed_a pgd = pgd_offset_k(address); if (!(pgd_val(*pgd) & _PAGE_USER)) { -#ifdef CONFIG_PAX_PER_CPU_PGD - unsigned int cpu; - pgd_t *pgd_cpu; - - for_each_possible_cpu(cpu) { - pgd_cpu = pgd_offset_cpu(cpu, kernel, address); - set_pgd(pgd_cpu, __pgd(pgd_val(*pgd_cpu) | _PAGE_USER)); - - pgd_cpu = pgd_offset_cpu(cpu, user, address); - set_pgd(pgd_cpu, __pgd(pgd_val(*pgd_cpu) | _PAGE_USER)); - } -#endif set_pgd(pgd, __pgd(pgd_val(*pgd) | _PAGE_USER)); } diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/mm/tlb.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/mm/tlb.c --- linux-4.9.74-unofficial_grsec/arch/x86/mm/tlb.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/mm/tlb.c 2018-08-22 18:39:40.268041462 -0500 @@ -46,9 +46,7 @@ void leave_mm(int cpu) if (cpumask_test_cpu(cpu, mm_cpumask(active_mm))) { cpumask_clear_cpu(cpu, mm_cpumask(active_mm)); -#ifndef CONFIG_PAX_PER_CPU_PGD load_cr3(swapper_pg_dir); -#endif /* * This gets called in the idle path where RCU 
@@ -64,42 +62,6 @@ EXPORT_SYMBOL_GPL(leave_mm); static void pax_switch_mm(struct mm_struct *next, unsigned int cpu) { -#ifdef CONFIG_PAX_PER_CPU_PGD - pax_open_kernel(); - -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) - if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) - __clone_user_pgds(get_cpu_pgd(cpu, user), next->pgd); - else -#endif - - __clone_user_pgds(get_cpu_pgd(cpu, kernel), next->pgd); - - __shadow_user_pgds(get_cpu_pgd(cpu, kernel) + USER_PGD_PTRS, next->pgd); - - pax_close_kernel(); - - BUG_ON((__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL) != (read_cr3() & __PHYSICAL_MASK) && (__pa(get_cpu_pgd(cpu, user)) | PCID_USER) != (read_cr3() & __PHYSICAL_MASK)); - -#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) - if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) { - if (static_cpu_has(X86_FEATURE_INVPCID)) { - invpcid_flush_single_context(PCID_USER); - if (!static_cpu_has(X86_FEATURE_STRONGUDEREF)) - invpcid_flush_single_context(PCID_KERNEL); - } else { - write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER); - if (static_cpu_has(X86_FEATURE_STRONGUDEREF)) - write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH); - else - write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL); - } - } else -#endif - - load_cr3(get_cpu_pgd(cpu, kernel)); -#endif - } void switch_mm(struct mm_struct *prev, struct mm_struct *next, @@ -173,11 +135,7 @@ void switch_mm_irqs_off(struct mm_struct * ordering guarantee we need. * */ -#ifdef CONFIG_PAX_PER_CPU_PGD - pax_switch_mm(next, cpu); -#else load_cr3(next->pgd); -#endif trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL); 
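Review bot: pax_switch_mm() is left as a static function with an empty body by the @@ -64 hunk, and the @@ -173 hunk on the same line removes the only call to it that this diff shows, in switch_mm_irqs_off(). If no other caller exists in the file (the rest of it is outside these hunks), the build will warn about an unused static function. Either way the name promises a page-table switch that no longer happens. Drop the stub together with any remaining call, or keep it only with a comment such as `/* intentionally empty: per-CPU PGD switching was removed together with UDEREF */`.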
@@ -245,10 +203,8 @@ void switch_mm_irqs_off(struct mm_struct * fills with respect to the mm_cpumask write. */ -#ifndef CONFIG_PAX_PER_CPU_PGD load_cr3(next->pgd); trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL); -#endif load_mm_cr4(next); load_mm_ldt(next); diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/mm/uderef_64.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/mm/uderef_64.c --- linux-4.9.74-unofficial_grsec/arch/x86/mm/uderef_64.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/mm/uderef_64.c 1969-12-31 18:00:00.000000000 -0600 @@ -1,38 +0,0 @@ -#include -#include -#include -#include - -#ifdef CONFIG_PAX_MEMORY_UDEREF -/* PaX: due to the special call convention these functions must - * - remain leaf functions under all configurations, - * - never be called directly, only dereferenced from the wrappers. - */ -void __used __pax_open_userland(void) -{ - unsigned int cpu; - - if (unlikely(!segment_eq(get_fs(), USER_DS))) - return; - - cpu = raw_get_cpu(); - BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_KERNEL); - write_cr3(__pa_nodebug(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH); - raw_put_cpu_no_resched(); -} -EXPORT_SYMBOL(__pax_open_userland); - -void __used __pax_close_userland(void) -{ - unsigned int cpu; - - if (unlikely(!segment_eq(get_fs(), USER_DS))) - return; - - cpu = raw_get_cpu(); - BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_USER); - write_cr3(__pa_nodebug(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH); - raw_put_cpu_no_resched(); -} -EXPORT_SYMBOL(__pax_close_userland); -#endif diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/platform/efi/efi_32.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/platform/efi/efi_32.c --- linux-4.9.74-unofficial_grsec/arch/x86/platform/efi/efi_32.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/platform/efi/efi_32.c 2018-08-22 13:55:24.952451449 -0500 
@@ -68,11 +68,7 @@ pgd_t * __init efi_call_phys_prolog(void #endif /* Current pgd is swapper_pg_dir, we'll restore it later: */ -#ifdef CONFIG_PAX_PER_CPU_PGD - save_pgd = get_cpu_pgd(smp_processor_id(), kernel); -#else save_pgd = swapper_pg_dir; -#endif load_cr3(initial_page_table); __flush_tlb_all(); diff -puriN linux-4.9.74-unofficial_grsec/arch/x86/platform/efi/efi_64.c linux-4.9.74-unofficial_grsec-nouderef/arch/x86/platform/efi/efi_64.c --- linux-4.9.74-unofficial_grsec/arch/x86/platform/efi/efi_64.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/arch/x86/platform/efi/efi_64.c 2018-08-22 13:54:41.161159377 -0500 @@ -94,10 +94,6 @@ pgd_t * __init efi_call_phys_prolog(void set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), *pgd_offset_k(vaddress)); } -#ifdef CONFIG_PAX_PER_CPU_PGD - load_cr3(swapper_pg_dir); -#endif - out: __flush_tlb_all(); @@ -125,10 +121,6 @@ void __init efi_call_phys_epilog(pgd_t * kfree(save_pgd); -#ifdef CONFIG_PAX_PER_CPU_PGD - load_cr3(get_cpu_pgd(smp_processor_id(), kernel)); -#endif - __flush_tlb_all(); early_code_mapping_set_exec(0); } @@ -266,9 +258,6 @@ int __init efi_setup_page_tables(unsigne pgd_t pe = __pgd(pgd_val(*pgd_offset_k(addr)) & ~_PAGE_NX); pr_alert("PAX: Disabling NX protection for low memory map. Try booting without \"efi=old_map\"\n"); -#ifdef CONFIG_PAX_PER_CPU_PGD - set_pgd(pgd_offset_cpu(0, kernel, addr), pe); -#endif set_pgd(pgd_offset_k(addr), pe); } diff -puriN linux-4.9.74-unofficial_grsec/Documentation/kernel-parameters.txt linux-4.9.74-unofficial_grsec-nouderef/Documentation/kernel-parameters.txt --- linux-4.9.74-unofficial_grsec/Documentation/kernel-parameters.txt 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/Documentation/kernel-parameters.txt 2018-08-22 13:39:41.557702149 -0500 
@@ -2983,11 +2983,6 @@ bytes respectively. Such letter suffixes the specified number of seconds. This is to be used if your oopses keep scrolling off the screen. - pax_nouderef [X86] disables UDEREF. Most likely needed under certain - virtualization environments that don't cope well with the - expand down segment used by UDEREF on X86-32 or the frequent - page table updates on X86-64. - pax_sanitize_slab= Format: { 0 | 1 | off | fast | full } Options '0' and '1' are only provided for backward @@ -3009,9 +3004,6 @@ bytes respectively. Such letter suffixes violations while disabling killing of the violating task. - pax_weakuderef [X86-64] enables the weaker but faster form of UDEREF - when the processor supports PCID. - pcbit= [HW,ISDN] pcd. [PARIDE] diff -puriN linux-4.9.74-unofficial_grsec/drivers/lguest/x86/core.c linux-4.9.74-unofficial_grsec-nouderef/drivers/lguest/x86/core.c --- linux-4.9.74-unofficial_grsec/drivers/lguest/x86/core.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/drivers/lguest/x86/core.c 2018-08-22 13:53:24.386400498 -0500 @@ -101,11 +101,7 @@ static void copy_in_guest_info(struct lg /* Save the current Host top-level page directory. */ -#ifdef CONFIG_PAX_PER_CPU_PGD - pages->state.host_cr3 = read_cr3(); -#else pages->state.host_cr3 = __pa(current->mm->pgd); -#endif /* * Set up the Guest's page tables to see this CPU's pages (and no diff -puriN linux-4.9.74-unofficial_grsec/grsecurity/Kconfig linux-4.9.74-unofficial_grsec-nouderef/grsecurity/Kconfig --- linux-4.9.74-unofficial_grsec/grsecurity/Kconfig 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/grsecurity/Kconfig 2018-08-22 13:48:08.656504511 -0500 
@@ -266,11 +266,10 @@ config GRKERNSEC_KERN_LOCKOUT depends on X86 || ARM || PPC || SPARC help If you say Y here, when a PaX alert is triggered due to suspicious - activity in the kernel (from KERNEXEC/UDEREF/USERCOPY) - or an OOPS occurs due to bad memory accesses, instead of just - terminating the offending process (and potentially allowing - a subsequent exploit from the same user), we will take one of two - actions: + activity in the kernel (from KERNEXEC/USERCOPY) or an OOPS occurs + due to bad memory accesses, instead of just terminating the offending + process (and potentially allowing a subsequent exploit from the same user), + we will take one of two actions: If the user was root, we will panic the system If the user was non-root, we will log the attempt, terminate all processes owned by the user, then prevent them from creating diff -puriN linux-4.9.74-unofficial_grsec/include/asm-generic/uaccess.h linux-4.9.74-unofficial_grsec-nouderef/include/asm-generic/uaccess.h --- linux-4.9.74-unofficial_grsec/include/asm-generic/uaccess.h 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/include/asm-generic/uaccess.h 2018-08-22 11:07:09.021659548 -0500 
@@ -349,19 +349,11 @@ clear_user(void __user *to, unsigned lon } #ifndef __HAVE_ARCH_PAX_OPEN_USERLAND -#ifdef CONFIG_PAX_MEMORY_UDEREF -#error UDEREF requires pax_open_userland -#else static inline unsigned long pax_open_userland(void) { return 0; } #endif -#endif #ifndef __HAVE_ARCH_PAX_CLOSE_USERLAND -#ifdef CONFIG_PAX_MEMORY_UDEREF -#error UDEREF requires pax_close_userland -#else static inline unsigned long pax_close_userland(void) { return 0; } #endif -#endif #endif /* __ASM_GENERIC_UACCESS_H */ diff -puriN linux-4.9.74-unofficial_grsec/localversion-unofficial_grsec linux-4.9.74-unofficial_grsec-nouderef/localversion-unofficial_grsec --- linux-4.9.74-unofficial_grsec/localversion-unofficial_grsec 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/localversion-unofficial_grsec 2018-08-22 14:34:01.590001305 -0500 @@ -1 +1 @@ --unofficial+grsec +-unofficial+grsec-nouderef diff -puriN linux-4.9.74-unofficial_grsec/mm/memory.c linux-4.9.74-unofficial_grsec-nouderef/mm/memory.c --- linux-4.9.74-unofficial_grsec/mm/memory.c 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/mm/memory.c 2018-08-22 13:51:10.768560518 -0500 @@ -427,7 +427,6 @@ static inline void free_pmd_range(struct free_pte_range(tlb, pmd, addr); } while (pmd++, addr = next, addr != end); -#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD) start &= PUD_MASK; if (start < floor) return; @@ -443,7 +442,6 @@ static inline void free_pmd_range(struct pud_clear(pud); pmd_free_tlb(tlb, pmd, start); mm_dec_nr_pmds(tlb->mm); -#endif } static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd, @@ -463,7 +461,6 @@ static inline void free_pud_range(struct free_pmd_range(tlb, pud, addr, next, floor, ceiling); } while (pud++, addr = next, addr != end); -#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD) start &= PGDIR_MASK; if (start < floor) return; 
@@ -478,7 +475,6 @@ static inline void free_pud_range(struct pud = pud_offset(pgd, start); pgd_clear(pgd); pud_free_tlb(tlb, pud, start); -#endif } diff -puriN linux-4.9.74-unofficial_grsec/security/Kconfig linux-4.9.74-unofficial_grsec-nouderef/security/Kconfig --- linux-4.9.74-unofficial_grsec/security/Kconfig 2018-01-03 03:50:22.000000000 -0600 +++ linux-4.9.74-unofficial_grsec-nouderef/security/Kconfig 2018-08-22 14:28:55.897943039 -0500 @@ -9,14 +9,10 @@ menu "Grsecurity" config ARCH_TRACK_EXEC_LIMIT bool -config PAX_PER_CPU_PGD - bool - config TASK_SIZE_MAX_SHIFT int depends on X86_64 - default 47 if !PAX_PER_CPU_PGD - default 42 if PAX_PER_CPU_PGD + default 47 config PAX_ENABLE_PAE bool @@ -182,18 +178,16 @@ config GRKERNSEC_CONFIG_PRIORITY_PERF bool "Performance" help Choose this option if performance is of highest priority for this deployment - of grsecurity. Features like UDEREF on a 64bit kernel, kernel stack clearing, - clearing of structures intended for userland, and freed memory sanitizing will - be disabled. + of grsecurity. Features like kernel stack clearing, clearing of structures + intended for userland, and freed memory sanitizing will be disabled. config GRKERNSEC_CONFIG_PRIORITY_SECURITY bool "Security" help Choose this option if security is of highest priority for this deployment of - grsecurity. UDEREF, kernel stack clearing, clearing of structures intended - for userland, and freed memory sanitizing will be enabled for this kernel. - In a worst-case scenario, these features can introduce a 20% performance hit - (UDEREF on x64 contributing half of this hit). + grsecurity. kernel stack clearing, clearing of structures intended for + userland, and freed memory sanitizing will be enabled for this kernel. + In a worst-case scenario, these features can introduce a 20% performance hit. endchoice 
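Review bot: The rewritten help for GRKERNSEC_CONFIG_PRIORITY_SECURITY in the @@ -182 hunk keeps the figure `20% performance hit`, but the removed sentence attributed half of that to UDEREF on x64, which this option no longer enables. The number should be re-measured or dropped rather than carried over, for example `In a worst-case scenario, these features can introduce a noticeable performance hit.`. The sentence `grsecurity. kernel stack clearing, ...` now also starts in lower case; `Kernel stack clearing` reads correctly. Neither help text says that the Security choice no longer covers kernel dereferences of userland pointers, which deserves one line because the option name stays the same.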
@@ -582,7 +576,6 @@ config PAX_KERNEXEC bool "Enforce non-executable kernel pages" default y if GRKERNSEC_CONFIG_AUTO && (!X86 || GRKERNSEC_CONFIG_VIRT_NONE || (GRKERNSEC_CONFIG_VIRT_EPT && GRKERNSEC_CONFIG_VIRT_GUEST) || (GRKERNSEC_CONFIG_VIRT_EPT && GRKERNSEC_CONFIG_VIRT_KVM)) depends on (X86 || (ARM && (CPU_V6 || CPU_V6K || CPU_V7) && !(ARM_LPAE && MODULES))) && !XEN - select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE) select ARM_KERNMEM_PERMS if ARM help This is the kernel land equivalent of PAGEEXEC and MPROTECT, @@ -612,7 +605,7 @@ choice kernel memory. This is achieved via compile time instrumentation of all code pointer dereferences (indirect calls and function returns). - While there are alternative mechanisms (SMEP, UDEREF) that can achieve + While there are alternative mechanisms (SMEP) that can achieve the same or even more, they also have their own drawbacks in terms of performance impact and/or being processor dependent so this feature offers a choice by having a low performance impact and being processor 
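Review bot: In the @@ -612 hunk the help sentence still reads as a plural after UDEREF was taken out of the list: `alternative mechanisms (SMEP) ... they also have their own drawbacks`. With one item left it should be singular, e.g. `While there is an alternative mechanism (SMEP) that can achieve the same or even more, it also has its own drawbacks`. The help text continues outside the hunk.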
@@ -845,31 +838,6 @@ config PAX_MEMORY_STRUCTLEAK i.e., gcc 4.5 or newer. You may need to install the supporting headers explicitly in addition to the normal gcc package. -config PAX_MEMORY_UDEREF - bool "Prevent invalid userland pointer dereference" - default y if GRKERNSEC_CONFIG_AUTO && !(X86_64 && GRKERNSEC_CONFIG_PRIORITY_PERF) && !(X86_64 && GRKERNSEC_CONFIG_VIRT_HOST && GRKERNSEC_CONFIG_VIRT_VIRTUALBOX) && (!X86 || GRKERNSEC_CONFIG_VIRT_NONE || GRKERNSEC_CONFIG_VIRT_EPT) - depends on (X86 || (ARM && (CPU_V6 || CPU_V6K || CPU_V7) && !ARM_LPAE)) && !UML_X86 && !XEN - select PAX_PER_CPU_PGD if X86_64 - help - By saying Y here the kernel will be prevented from dereferencing - userland pointers in contexts where the kernel expects only kernel - pointers. This is both a useful runtime debugging feature and a - security measure that prevents exploiting a class of kernel bugs. - - The tradeoff is that some virtualization solutions may experience - a huge slowdown and therefore you should not enable this feature - for kernels meant to run in such environments. Whether a given VM - solution is affected or not is best determined by simply trying it - out, the performance impact will be obvious right on boot as this - mechanism engages from very early on. A good rule of thumb is that - VMs running on CPUs without hardware virtualization support (i.e., - the majority of IA-32 CPUs) will likely experience the slowdown. - - On X86_64 the kernel will make use of PCID support when available - (Intel's Westmere, Sandy Bridge, etc) for better security (default) - or performance impact. Pass pax_weakuderef on the kernel command - line to choose the latter. - config PAX_REFCOUNT bool "Prevent various kernel object reference counter overflows" default y if GRKERNSEC_CONFIG_AUTO