diff -u linux-2.4.37/Documentation/Configure.help linux-2.4.37-new/Documentation/Configure.help --- linux-2.4.37/Documentation/Configure.help 2009-03-29 01:28:36.000000000 -0400 +++ linux-2.4.37-new/Documentation/Configure.help 2009-03-29 12:26:51.000000000 -0400 @@ -24027,6 +24027,14 @@ kernel and symbol information. This option is useful if you want to run identd as a non-root user. +Harden kernel heap management +CONFIG_GRKERNSEC_KHEAP + If you say Y here, the kernel heap management routines will be + modified to provide greater resilience against kernel heap + exploitation. Specifically, this option prevents allocated + shared memory IPC structures from being targeted by the only public + technique for reliable kernel heap exploitation. + Remove addresses from /proc/pid/[maps|stat] CONFIG_GRKERNSEC_PROC_MEMMAP If you say Y here, the /proc//maps and /proc//stat files will diff -u linux-2.4.37/grsecurity/Config.in linux-2.4.37-new/grsecurity/Config.in --- linux-2.4.37/grsecurity/Config.in 2009-03-29 01:28:36.000000000 -0400 +++ linux-2.4.37-new/grsecurity/Config.in 2009-03-29 12:21:22.000000000 -0400 @@ -63,6 +63,7 @@ define_bool CONFIG_GRKERNSEC_RANDNET y define_bool CONFIG_GRKERNSEC_DMESG y define_bool CONFIG_GRKERNSEC_CHROOT_CHDIR y +define_bool CONFIG_GRKERNSEC_KHEAP y if [ "$CONFIG_MODULES" != "n" ]; then define_bool CONFIG_GRKERNSEC_MODSTOP y fi @@ -101,6 +102,7 @@ define_int CONFIG_GRKERNSEC_FLOODTIME 10 define_int CONFIG_GRKERNSEC_FLOODBURST 4 +define_bool CONFIG_GRKERNSEC_KHEAP y define_bool CONFIG_GRKERNSEC_PROC_MEMMAP y define_bool CONFIG_GRKERNSEC_CHROOT_SYSCTL y define_bool CONFIG_GRKERNSEC_LINK y @@ -139,6 +141,7 @@ if [ "$CONFIG_MODULES" != "n" ]; then define_bool CONFIG_GRKERNSEC_MODSTOP y fi +define_bool CONFIG_GRKERNSEC_KHEAP y define_bool CONFIG_GRKERNSEC_LINK y define_bool CONFIG_GRKERNSEC_FIFO y define_bool CONFIG_GRKERNSEC_EXECVE y @@ -307,6 +310,7 @@ if [ "$CONFIG_X86" = "y" -a "$CONFIG_X86_64" != "y" ]; then bool 'Prevent invalid userland pointer dereference' CONFIG_PAX_MEMORY_UDEREF fi +bool 'Harden kernel heap management' CONFIG_GRKERNSEC_KHEAP bool 'Deny writing to /dev/kmem, /dev/mem, and /dev/port' CONFIG_GRKERNSEC_KMEM if [ "$CONFIG_X86" = "y" ]; then bool 'Disable privileged I/O' CONFIG_GRKERNSEC_IO diff -u linux-2.4.37/ipc/shm.c linux-2.4.37-new/ipc/shm.c --- linux-2.4.37/ipc/shm.c 2009-03-29 01:28:36.000000000 -0400 +++ linux-2.4.37-new/ipc/shm.c 2009-03-29 12:00:02.000000000 -0400 @@ -82,8 +82,19 @@ static int shm_tot; /* total number of shared memory pages */ +#ifdef CONFIG_GRKERNSEC_KHEAP +static kmem_cache_t *shm_cachep; +#endif + void __init shm_init (void) { +#ifdef CONFIG_GRKERNSEC_KHEAP + shm_cachep = kmem_cache_create("shm_cache", sizeof(struct shmid_kernel), + 0, 0, NULL, NULL); + if (!shm_cachep) + panic("cannot create shm slab cache"); +#endif + ipc_init_ids(&shm_ids, 1); #ifdef CONFIG_PROC_FS create_proc_read_entry("sysvipc/shm", 0, 0, sysvipc_shm_read_proc, NULL); @@ -94,6 +105,7 @@ { if (ipc_checkid(&shm_ids,&s->shm_perm,id)) return -EIDRM; + return 0; } @@ -141,7 +153,13 @@ shm_unlock(shp->id); shmem_lock(shp->shm_file, 0); fput (shp->shm_file); + +#ifdef CONFIG_GRKERNSEC_KHEAP + kmem_cache_free(shm_cachep, shp); +#else kfree (shp); +#endif + } /* @@ -217,7 +235,12 @@ if (shm_tot + numpages >= shm_ctlall) return -ENOSPC; +#ifdef CONFIG_GRKERNSEC_KHEAP + shp = (struct shmid_kernel *) kmem_cache_alloc(shm_cachep, SLAB_USER); +#else shp = (struct shmid_kernel *) kmalloc (sizeof (*shp), GFP_USER); +#endif + if (!shp) return -ENOMEM; sprintf (name, "SYSV%08x", key); @@ -252,7 +275,11 @@ no_id: fput(file); no_file: +#ifdef CONFIG_GRKERNSEC_KHEAP + kmem_cache_free(shm_cachep, shp); +#else kfree(shp); +#endif return error; }