Free kernel stack inpage error software for linux

The Kernel-Machine Library is a freely available (released under the GPL) C++ library to promote the use and progress of kernel machines. It is both for academic use and for developing real world applications.
The Kernel-Machine Library draws heavily from features of modern C++ such as template meta-programming to achieve high performance while at the same time offering a comfortable interface.
It enables compile-time selection of specialised algorithms on the basis of data types: for example, the specific case of a SVM in combination with a linear kernel can be computed by a specialised efficient algorithm.
The Kernel-Machine Library has implementations for the following kernel machines and their cited algorithms:
- Support Vector Machine [1, 2, 3]
- Relevance Vector Machine [4]
- Kernel Recursive Least Squares [5]
- Adaptive Sparseness using Jeffreys Prior [6]
- Smooth Relevance Vector Machine [7]
Up till now, the focus has been on regression. The handling of classification and ranking problems is being added.

The Linux SMP kernel uses spinlocks to protect data structures from concurrent, potentially conflicting accesses. Linux Kernel Spinlock Metering is a kernel patch that allows you to build an i386, ia64, Alpha, Sparc64, or mips64 kernel that can perform simple "metering" (record-keeping) of spinlock usage. Also available is source for an associated new command, lockstat, that is used to instruct the kernel to turn this lock metering on or off, and to retrieve the metering data from the kernel and display it in a human-readable format.

Data displayed includes the number of lock attempts, per-spinlock per-caller, the number of those attempts that were immediately successful vs. those that required the attempting locker to wait for the current lock-holder to release; the mean and max hold-time, and the mean, max, and cumulative wait-time. Whenever possible, the locking caller and the spinlocks are identified by their symbolic names, not by their virtual addresses.

Various patch sets are available. Version 1.1.4 patches the 2.2.14 kernel and reflects a relatively old flavor of Lockmeter. Version 1.4.11 patches the 2.4.16, 2.4.17, 2.5.3, and 2.5.5 kernels, and the previous release v1.4.9 patches various other releases of the 2.4.x kernel. This version 1.4 supports i386, alpha, ia64, mips64, and sparc64. The most recent version 1.5 is available as a patch against the 2.4.18 and various 2.5.x kernels, and it additionally supports mips (32-bit mips). Each is approximately 22 KB in gziped size. (Patches against a few older kernel versions are also available in the old subdirectory.) After applying the appropriate patch, make oldconfig presents a new Kernel lock metering option in the Kernel hacking subsection -- although only if CONFIG_SMP (Symmetric multi-processing support) has been enabled. The spinlock metering code is compiled into the kernel only when this new option is turned on.

Compiling the spinlock metering code into the kernel does not materially affect the kernel size because the additional code is roughly compensated for by the shrinking effect of the normally in-line locking routines now becoming procedure calls. A metering-capable kernel (i.e., with the patch applied, but data collection turned off) is negligibly slower than a non-metering-capable kernel, though a metering-capable kernel does slow when the metering data collection is turned on using the lockstat command (typically 8% for a systime==25% workload). Care has been taken to minimize performance degradation, and further improvements are in progress.

The lockstat command must also be downloaded, compiled, and installed. lockstat is a privileged command that requires root access. It reads and writes to the node /proc/lockmeter to control the kernels metering as follows:

lockstat on enables the kernels metering data collection,
lockstat options displays the collected data, and
lockstat off disables the metering data collection.

Run lockstat with no arguments to see a verbose description of the command arguments and options.

When metering is enabled, count and time data is collected in malloced arrays that are private to each CPU, thereby avoiding costly cacheblock coherency operations that would otherwise be required if all CPUs updated the same count and time fields. The lockstat command accumulates and sorts the per-cpu data at display time.

Lockmetering attempts to provide both "cause" and "effect" information about spinlock usage. The "hold time" metering exposes which spinlocks are being held and for how long, identified by where they are held inside the kernel. The "wait-time" metering exposes the effects of these hold-times when multiple CPUs concurrently contend for the same lock.

Kernel Version Monitor is a Superkaramba theme that creates a widget displaying the current version information of the Linux kernel as put forth by the kernel.org RSS feed here: http://kernel.org/kdist/rss.xml . Kernel Version Monitor uses the Tux icon from the nuoveXT icon theme found at http://nuovext.pwsp.net

Kudos and thanks to Richard "Ricardo" Szlachta for his advice on refining the aesthetics of this theme.

This is my first Superkaramba theme and a work in progress. I would love to hear comments, opinions and suggestions in order to improve this theme.

libgpg-error package contains common error codes and error handling functions used by GnuPG, Libgcrypt, GPGME and more packages.

Installation:

Please read the file INSTALL!

Here is a quick summary:

1) Check that you have unmodified sources. You can find instructions how to verify the sources below. Dont skip this - it is an important step!

2) Unpack the archive. With GNU tar you can do it this way:

"tar xzvf libgpg-error-x.y.tar.gz"

3) "cd libgpg-error-x.y"

4) "./configure"

5) "make"

6) "make install"

Openwall Linux kernel patch is a collection of security-related features for the Linux kernel, all configurable via the new Security options configuration section. In addition to the new features, some versions of the patch contain various security fixes.
The number of such fixes changes from version to version, as some are becoming obsolete (such as because of the same problem getting fixed with a new kernel release), while other security issues are discovered.
Non-executable user stack area.
Most buffer overflow exploits are based on overwriting a functions return address on the stack to point to some arbitrary code, which is also put onto the stack. If the stack area is non-executable, buffer overflow vulnerabilities become harder to exploit.
Another way to exploit a buffer overflow is to point the return address to a function in libc, usually system(). This patch also changes the default address that shared libraries are mmap()ed at to make it always contain a zero byte. This makes it impossible to specify any more data (parameters to the function, or more copies of the return address when filling with a pattern), -- in many exploits that have to do with ASCIIZ strings.
However, note that this patch is by no means a complete solution, it just adds an extra layer of security. Many buffer overflow vulnerabilities will remain exploitable a more complicated way, and some will even remain unaffected by the patch. The reason for using such a patch is to protect against some of the buffer overflow vulnerabilities that are yet unknown.
Also, note that some buffer overflows can be used for denial of service attacks (usually in non-respawning daemons and network clients). A patch like this cannot do anything against that.
It is important that you fix vulnerabilities as soon as they become known, even if youre using the patch. The same applies to other features of the patch (discussed below) and their corresponding vulnerabilities.
Restricted links in /tmp.
Ive also added a link-in-+t restriction, originally for Linux 2.0 only, by Andrew Tridgell. Ive updated it to prevent from using a hard link in an attack instead, by not allowing regular users to create hard links to files they dont own, unless they could read and write the file (due to group permissions). This is usually the desired behavior anyway, since otherwise users couldnt remove such links theyve just created in a +t directory (unfortunately, this is still possible for group-writable files) and because of disk quotas.
Unfortunately, this may break existing applications.
Restricted FIFOs in /tmp.
In addition to restricting links, you might also want to restrict writes into untrusted FIFOs (named pipes), to make data spoofing attacks harder. Enabling this option disallows writing into FIFOs not owned by the user in +t directories, unless the owner is the same as that of the directory or the FIFO is opened without the O_CREAT flag.
Restricted /proc.
This was originally a patch by route that only changed the permissions on some directories in /proc, so you had to be root to access them. Then there were similar patches by others. I found them all quite unusable for my purposes, on a system where I wanted several admins to be able to see all the processes, etc, without having to su root (or use sudo) each time. So I had to create my own patch that I include here.
This option restricts the permissions on /proc so that non-root users can see their own processes only, and nothing about active network connections, unless theyre in a special group. This groups id is specified via the gid= mount option, and is 0 by default. (Note: if youre using identd, you will need to edit the inetd.conf line to run identd as this special group.) Also, this disables dmesg(8) for the users. You might want to use this on an ISP shell server where privacy is an issue. Note that these extra restrictions can be trivially bypassed with physical access (without having to reboot).
When using this part of the patch, most programs (ps, top, who) work as desired -- they only show the processes of this user (unless root or in the special group, or running with the relevant capabilities on 2.2+), and dont complain they cant access others. However, theres a known problem with w(1) in recent versions of procps, so you should apply the included patch to procps if this applies to you.
Enhancements:
- This revision adds a fix for the "parent process death signal" vulnerability in the Linux kernel.
- It also adds two security hardening features, both enabled by default: restricted access to VM86 mode (specific to 32-bit x86) and restricted zero page mappings (generic).