* [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.32/, 3.9.8/, 3.2.47/
@ 2013-07-02 13:21 Anthony G. Basile
From: Anthony G. Basile @ 2013-07-02 13:21 UTC (permalink / raw
To: gentoo-commits
commit: 137d5284fb9ae3dfe988065ede8881bbf11876f7
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Tue Jul 2 13:22:47 2013 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Tue Jul 2 13:22:47 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=137d5284
Grsec/PaX: 2.9.1-{2.6.32.61,3.2.47,3.9.8}-201306302052
---
2.6.32/0000_README | 2 +-
..._grsecurity-2.9.1-2.6.32.61-201306302051.patch} | 125 +++++++--
3.2.47/0000_README | 2 +-
...420_grsecurity-2.9.1-3.2.48-201306302051.patch} | 292 +++++++++++----------
3.9.8/0000_README | 2 +-
...4420_grsecurity-2.9.1-3.9.8-201306302052.patch} | 115 +++++++-
6 files changed, 367 insertions(+), 171 deletions(-)
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 133e8f6..7480e7a 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -38,7 +38,7 @@ Patch: 1060_linux-2.6.32.61.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.61
-Patch: 4420_grsecurity-2.9.1-2.6.32.61-201306272055.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.61-201306302051.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306272055.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306302051.patch
similarity index 99%
rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306272055.patch
rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306302051.patch
index c67f417..d3ad7ec 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306272055.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306302051.patch
@@ -78102,7 +78102,7 @@ index 83fbd64..8353dce 100644
out_free_fd:
diff --git a/fs/exec.c b/fs/exec.c
-index feb2435..4f60348 100644
+index feb2435..04123c5 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -56,12 +56,34 @@
@@ -78411,7 +78411,21 @@ index feb2435..4f60348 100644
/* Set the new mm task size. We have to do that late because it may
* depend on TIF_32BIT which is only updated in flush_thread() on
-@@ -1090,14 +1165,14 @@ EXPORT_SYMBOL(setup_new_exec);
+@@ -1065,13 +1140,6 @@ void setup_new_exec(struct linux_binprm * bprm)
+ set_dumpable(current->mm, suid_dumpable);
+ }
+
+- /*
+- * Flush performance counters when crossing a
+- * security domain:
+- */
+- if (!get_dumpable(current->mm))
+- perf_event_exit_task(current);
+-
+ /* An exec changes our domain. We are no longer part of the thread
+ group */
+
+@@ -1090,14 +1158,14 @@ EXPORT_SYMBOL(setup_new_exec);
*/
int prepare_bprm_creds(struct linux_binprm *bprm)
{
@@ -78428,7 +78442,7 @@ index feb2435..4f60348 100644
return -ENOMEM;
}
-@@ -1105,7 +1180,7 @@ void free_bprm(struct linux_binprm *bprm)
+@@ -1105,7 +1173,7 @@ void free_bprm(struct linux_binprm *bprm)
{
free_arg_pages(bprm);
if (bprm->cred) {
@@ -78437,7 +78451,22 @@ index feb2435..4f60348 100644
abort_creds(bprm->cred);
}
/* If a binfmt changed the interp, free it. */
-@@ -1141,13 +1216,13 @@ void install_exec_creds(struct linux_binprm *bprm)
+@@ -1135,19 +1203,28 @@ void install_exec_creds(struct linux_binprm *bprm)
+
+ commit_creds(bprm->cred);
+ bprm->cred = NULL;
++
++ /*
++ * Disable monitoring for regular users
++ * when executing setuid binaries. Must
++ * wait until new credentials are committed
++ * by commit_creds() above
++ */
++ if (get_dumpable(current->mm) != SUID_DUMP_USER)
++ perf_event_exit_task(current);
+ /*
+ * cred_guard_mutex must be held at least to this point to prevent
+ * ptrace_attach() from altering our determination of the task's
* credentials; any time after this it may be unlocked.
*/
security_bprm_committed_creds(bprm);
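Review bot: The added test at L93, `if (get_dumpable(current->mm) != SUID_DUMP_USER)`, relies on a SUID_DUMP_USER constant whose definition for the 2.6.32 tree is not visible anywhere in this chunk; confirm the backported patch also carries that define (or that the 2.6.32 tree already has it), otherwise fs/exec.c will not build once the patch is applied. Note also that the moved check is stricter than the one removed at L59-L60: it now calls perf_event_exit_task() whenever the mm is anything other than user-dumpable, not only when dumping is disabled, and it runs after commit_creds() so the decision is taken against the newly committed credentials — that matches the intent of the added comment at L87-L92, but it is a behaviour change relative to the previous grsec patch and worth a line in the commit description. The same pair of hunks is carried for 3.2.47 at L387-L416. install_exec_creds() begins and ends outside this hunk.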
@@ -78453,7 +78482,7 @@ index feb2435..4f60348 100644
* PTRACE_ATTACH
*/
int check_unsafe_exec(struct linux_binprm *bprm)
-@@ -1167,7 +1242,7 @@ int check_unsafe_exec(struct linux_binprm *bprm)
+@@ -1167,7 +1244,7 @@ int check_unsafe_exec(struct linux_binprm *bprm)
}
rcu_read_unlock();
@@ -78462,7 +78491,7 @@ index feb2435..4f60348 100644
bprm->unsafe |= LSM_UNSAFE_SHARE;
} else {
res = -EAGAIN;
-@@ -1354,6 +1429,21 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
+@@ -1354,6 +1431,21 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
EXPORT_SYMBOL(search_binary_handler);
@@ -78484,7 +78513,7 @@ index feb2435..4f60348 100644
/*
* sys_execve() executes a new program.
*/
-@@ -1362,11 +1452,35 @@ int do_execve(char * filename,
+@@ -1362,11 +1454,35 @@ int do_execve(char * filename,
char __user *__user *envp,
struct pt_regs * regs)
{
@@ -78520,7 +78549,7 @@ index feb2435..4f60348 100644
retval = unshare_files(&displaced);
if (retval)
-@@ -1392,12 +1506,27 @@ int do_execve(char * filename,
+@@ -1392,12 +1508,27 @@ int do_execve(char * filename,
if (IS_ERR(file))
goto out_unmark;
@@ -78548,7 +78577,7 @@ index feb2435..4f60348 100644
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;
-@@ -1414,25 +1543,66 @@ int do_execve(char * filename,
+@@ -1414,25 +1545,66 @@ int do_execve(char * filename,
if (retval < 0)
goto out;
@@ -78619,7 +78648,7 @@ index feb2435..4f60348 100644
current->fs->in_exec = 0;
current->in_execve = 0;
acct_update_integrals(current);
-@@ -1441,6 +1611,14 @@ int do_execve(char * filename,
+@@ -1441,6 +1613,14 @@ int do_execve(char * filename,
put_files_struct(displaced);
return retval;
@@ -78634,7 +78663,7 @@ index feb2435..4f60348 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1606,6 +1784,251 @@ out:
+@@ -1606,6 +1786,251 @@ out:
return ispipe;
}
@@ -78886,7 +78915,7 @@ index feb2435..4f60348 100644
static int zap_process(struct task_struct *start)
{
struct task_struct *t;
-@@ -1808,17 +2231,17 @@ static void wait_for_dump_helpers(struct file *file)
+@@ -1808,17 +2233,17 @@ static void wait_for_dump_helpers(struct file *file)
pipe = file->f_path.dentry->d_inode->i_pipe;
pipe_lock(pipe);
@@ -78909,7 +78938,7 @@ index feb2435..4f60348 100644
pipe_unlock(pipe);
}
-@@ -1841,10 +2264,13 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -1841,10 +2266,13 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
char **helper_argv = NULL;
int helper_argc = 0;
int dump_count = 0;
@@ -78924,7 +78953,7 @@ index feb2435..4f60348 100644
binfmt = mm->binfmt;
if (!binfmt || !binfmt->core_dump)
goto fail;
-@@ -1889,6 +2315,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -1889,6 +2317,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
*/
clear_thread_flag(TIF_SIGPENDING);
@@ -78933,7 +78962,7 @@ index feb2435..4f60348 100644
/*
* lock_kernel() because format_corename() is controlled by sysctl, which
* uses lock_kernel()
-@@ -1923,7 +2351,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -1923,7 +2353,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
goto fail_unlock;
}
@@ -78942,7 +78971,7 @@ index feb2435..4f60348 100644
if (core_pipe_limit && (core_pipe_limit < dump_count)) {
printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
task_tgid_vnr(current), current->comm);
-@@ -1987,7 +2415,7 @@ close_fail:
+@@ -1987,7 +2417,7 @@ close_fail:
filp_close(file, NULL);
fail_dropcount:
if (dump_count)
@@ -85081,6 +85110,70 @@ index c5081ad..342ea86 100644
if (!IS_ERR(page))
free_page((unsigned long)page);
}
+diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
+index 552fb01..2cff69a 100644
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -377,6 +377,24 @@ static int ubifs_readdir(struct file *file, void *dirent, filldir_t filldir)
+ */
+ return 0;
+
++ if (file->f_version == 0) {
++ /*
++ * The file was seek'ed, which means that @file->private_data
++ * is now invalid. This may also be just the first
++ * 'ubifs_readdir()' invocation, in which case
++ * @file->private_data is NULL, and the below code is
++ * basically a no-op.
++ */
++ kfree(file->private_data);
++ file->private_data = NULL;
++ }
++
++ /*
++ * 'generic_file_llseek()' unconditionally sets @file->f_version to
++ * zero, and we use this for detecting whether the file was seek'ed.
++ */
++ file->f_version = 1;
++
+ /* File positions 0 and 1 correspond to "." and ".." */
+ if (file->f_pos == 0) {
+ ubifs_assert(!file->private_data);
+@@ -451,6 +469,14 @@ static int ubifs_readdir(struct file *file, void *dirent, filldir_t filldir)
+ file->f_pos = key_hash_flash(c, &dent->key);
+ file->private_data = dent;
+ cond_resched();
++
++ if (file->f_version == 0)
++ /*
++ * The file was seek'ed meanwhile, lets return and start
++ * reading direntries from the new position on the next
++ * invocation.
++ */
++ return 0;
+ }
+
+ out:
+@@ -461,16 +487,14 @@ out:
+
+ kfree(file->private_data);
+ file->private_data = NULL;
++ /* 2 is a special value indicating that there are no more direntries */
+ file->f_pos = 2;
+ return 0;
+ }
+
+-/* If a directory is seeked, we have to free saved readdir() state */
+-static loff_t ubifs_dir_llseek(struct file *file, loff_t offset, int origin)
++static loff_t ubifs_dir_llseek(struct file *file, loff_t offset, int whence)
+ {
+- kfree(file->private_data);
+- file->private_data = NULL;
+- return generic_file_llseek(file, offset, origin);
++ return generic_file_llseek(file, offset, whence);
+ }
+
+ /* Free saved readdir() state when the directory is closed */
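Review bot: The check added at L235-L241 puts a multi-line comment and a bare `return 0;` under an unbraced `if`, which is the shape that invites a misplaced-statement bug later; brace it as `if (file->f_version == 0) { /* seeked meanwhile */ return 0; }`. More substantively, with ubifs_dir_llseek() no longer freeing the saved dirent (L258-L259 removed), file->private_data is now released only by the f_version == 0 test at L209, so the fix depends on the directory llseek path clearing f_version whenever the position changes, as the comment at L222-L224 asserts for generic_file_llseek(); for the 2.6.32 backport it is worth confirming that tree's generic_file_llseek() does the same, since a seek that left f_version non-zero would make ubifs_readdir() resume from the saved entry rather than the new position. The `kfree(file->private_data); file->private_data = NULL;` pair now appears at L217-L218 and L247-L248 and could become a small static helper. ubifs_readdir() begins and ends outside the hunk; the identical hunk is repeated for 3.2.47 at L575-L638.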
diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c
index 1e06853..b06d325 100644
--- a/fs/udf/balloc.c
diff --git a/3.2.47/0000_README b/3.2.47/0000_README
index 0779b50..94e84cf 100644
--- a/3.2.47/0000_README
+++ b/3.2.47/0000_README
@@ -106,7 +106,7 @@ Patch: 1046_linux-3.2.47.patch
From: http://www.kernel.org
Desc: Linux 3.2.47
-Patch: 4420_grsecurity-2.9.1-3.2.47-201306272056.patch
+Patch: 4420_grsecurity-2.9.1-3.2.48-201306302051.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
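Review bot: The new Patch line at L276 points at a grsecurity patch built for 3.2.48, while the unchanged context at L272-L274 still lists 1046_linux-3.2.47.patch as the base kernel and the diffstat at L14-L20 shows no 3.2.48 base patch being added in this commit. The renamed grsecurity patch drops several hunks that 3.2.48 carries upstream — net/ipv4/tcp.c at L670-L687, net/ipv6/ip6_output.c at L712-L720, net/l2tp/l2tp_ppp.c at L727-L753, net/packet/af_packet.c at L769-L783 and net/sctp/socket.c at L809-L821 — so if the tree is still assembled on the 3.2.47 base, those fixes (among them the bounded `strlcpy(uaddr->sa_data, ...)` copy and the NULL endpoint check in sctp_destroy_sock()) silently disappear from the built kernel. Unless the base bump lands in a separate commit, either add the 3.2.48 base patch and change L274 to `Desc: Linux 3.2.48`, or keep those hunks in the grsecurity patch.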
diff --git a/3.2.47/4420_grsecurity-2.9.1-3.2.47-201306272056.patch b/3.2.47/4420_grsecurity-2.9.1-3.2.48-201306302051.patch
similarity index 99%
rename from 3.2.47/4420_grsecurity-2.9.1-3.2.47-201306272056.patch
rename to 3.2.47/4420_grsecurity-2.9.1-3.2.48-201306302051.patch
index 81b695e..6eccde6 100644
--- a/3.2.47/4420_grsecurity-2.9.1-3.2.47-201306272056.patch
+++ b/3.2.47/4420_grsecurity-2.9.1-3.2.48-201306302051.patch
@@ -266,7 +266,7 @@ index 88fd7f5..b318a78 100644
==============================================================
diff --git a/Makefile b/Makefile
-index 40e2a11..8c31286 100644
+index 299e2eb..cb3e698 100644
--- a/Makefile
+++ b/Makefile
@@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -1448,7 +1448,7 @@ index 75fe66b..2255c86 100644
/*
* Memory returned by kmalloc() may be used for DMA, so we must make
diff --git a/arch/arm/include/asm/cacheflush.h b/arch/arm/include/asm/cacheflush.h
-index 1252a26..9dc17b5 100644
+index 1397408..c4f6969 100644
--- a/arch/arm/include/asm/cacheflush.h
+++ b/arch/arm/include/asm/cacheflush.h
@@ -108,7 +108,7 @@ struct cpu_cache_fns {
@@ -8673,7 +8673,7 @@ index ad8f795..2c7eec6 100644
/*
* Memory returned by kmalloc() may be used for DMA, so we must make
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 9a42703..79a673e 100644
+index fb2e69d..9cd4eea 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -235,7 +235,7 @@ config X86_HT
@@ -22535,10 +22535,10 @@ index aac5ea7..266eda9 100644
vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index e82a53a..6b38ed8 100644
+index 57867e4..1d5ff81 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
-@@ -1342,8 +1342,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
+@@ -1341,8 +1341,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
{
struct kvm *kvm = vcpu->kvm;
int lm = is_long_mode(vcpu);
@@ -22549,7 +22549,7 @@ index e82a53a..6b38ed8 100644
u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
: kvm->arch.xen_hvm_config.blob_size_32;
u32 page_num = data & ~PAGE_MASK;
-@@ -2160,6 +2160,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
+@@ -2159,6 +2159,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
if (n < msr_list.nmsrs)
goto out;
r = -EFAULT;
@@ -22558,7 +22558,7 @@ index e82a53a..6b38ed8 100644
if (copy_to_user(user_msr_list->indices, &msrs_to_save,
num_msrs_to_save * sizeof(u32)))
goto out;
-@@ -2335,15 +2337,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu,
+@@ -2334,15 +2336,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu,
struct kvm_cpuid2 *cpuid,
struct kvm_cpuid_entry2 __user *entries)
{
@@ -22582,7 +22582,7 @@ index e82a53a..6b38ed8 100644
vcpu->arch.cpuid_nent = cpuid->nent;
kvm_apic_set_version(vcpu);
kvm_x86_ops->cpuid_update(vcpu);
-@@ -2358,15 +2365,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
+@@ -2357,15 +2364,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
struct kvm_cpuid2 *cpuid,
struct kvm_cpuid_entry2 __user *entries)
{
@@ -22605,7 +22605,7 @@ index e82a53a..6b38ed8 100644
return 0;
out:
-@@ -2741,7 +2752,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu,
+@@ -2740,7 +2751,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu,
static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
struct kvm_interrupt *irq)
{
@@ -22614,7 +22614,7 @@ index e82a53a..6b38ed8 100644
return -EINVAL;
if (irqchip_in_kernel(vcpu->kvm))
return -ENXIO;
-@@ -5183,7 +5194,7 @@ static void kvm_set_mmio_spte_mask(void)
+@@ -5182,7 +5193,7 @@ static void kvm_set_mmio_spte_mask(void)
kvm_mmu_set_mmio_spte_mask(mask);
}
@@ -39831,7 +39831,7 @@ index 49b549f..13d648c 100644
mac->phydev = phydev;
diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
-index f698183..d08df42 100644
+index ed7a5a6..606fc45 100644
--- a/drivers/net/ethernet/realtek/r8169.c
+++ b/drivers/net/ethernet/realtek/r8169.c
@@ -704,17 +704,17 @@ struct rtl8169_private {
@@ -50146,7 +50146,7 @@ index 451b9b8..12e5a03 100644
out_free_fd:
diff --git a/fs/exec.c b/fs/exec.c
-index 312e297..699f362 100644
+index 312e297..6367442 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,12 +55,35 @@
@@ -50526,7 +50526,37 @@ index 312e297..699f362 100644
/* Set the new mm task size. We have to do that late because it may
* depend on TIF_32BIT which is only updated in flush_thread() on
-@@ -1266,7 +1342,7 @@ int check_unsafe_exec(struct linux_binprm *bprm)
+@@ -1159,13 +1235,6 @@ void setup_new_exec(struct linux_binprm * bprm)
+ set_dumpable(current->mm, suid_dumpable);
+ }
+
+- /*
+- * Flush performance counters when crossing a
+- * security domain:
+- */
+- if (!get_dumpable(current->mm))
+- perf_event_exit_task(current);
+-
+ /* An exec changes our domain. We are no longer part of the thread
+ group */
+
+@@ -1229,6 +1298,15 @@ void install_exec_creds(struct linux_binprm *bprm)
+
+ commit_creds(bprm->cred);
+ bprm->cred = NULL;
++
++ /*
++ * Disable monitoring for regular users
++ * when executing setuid binaries. Must
++ * wait until new credentials are committed
++ * by commit_creds() above
++ */
++ if (get_dumpable(current->mm) != SUID_DUMP_USER)
++ perf_event_exit_task(current);
+ /*
+ * cred_guard_mutex must be held at least to this point to prevent
+ * ptrace_attach() from altering our determination of the task's
+@@ -1266,7 +1344,7 @@ int check_unsafe_exec(struct linux_binprm *bprm)
}
rcu_read_unlock();
@@ -50535,7 +50565,7 @@ index 312e297..699f362 100644
bprm->unsafe |= LSM_UNSAFE_SHARE;
} else {
res = -EAGAIN;
-@@ -1461,6 +1537,31 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
+@@ -1461,6 +1539,31 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
EXPORT_SYMBOL(search_binary_handler);
@@ -50567,7 +50597,7 @@ index 312e297..699f362 100644
/*
* sys_execve() executes a new program.
*/
-@@ -1469,6 +1570,11 @@ static int do_execve_common(const char *filename,
+@@ -1469,6 +1572,11 @@ static int do_execve_common(const char *filename,
struct user_arg_ptr envp,
struct pt_regs *regs)
{
@@ -50579,7 +50609,7 @@ index 312e297..699f362 100644
struct linux_binprm *bprm;
struct file *file;
struct files_struct *displaced;
-@@ -1476,6 +1582,8 @@ static int do_execve_common(const char *filename,
+@@ -1476,6 +1584,8 @@ static int do_execve_common(const char *filename,
int retval;
const struct cred *cred = current_cred();
@@ -50588,7 +50618,7 @@ index 312e297..699f362 100644
/*
* We move the actual failure in case of RLIMIT_NPROC excess from
* set*uid() to execve() because too many poorly written programs
-@@ -1516,12 +1624,27 @@ static int do_execve_common(const char *filename,
+@@ -1516,12 +1626,27 @@ static int do_execve_common(const char *filename,
if (IS_ERR(file))
goto out_unmark;
@@ -50616,7 +50646,7 @@ index 312e297..699f362 100644
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;
-@@ -1538,24 +1661,65 @@ static int do_execve_common(const char *filename,
+@@ -1538,24 +1663,65 @@ static int do_execve_common(const char *filename,
if (retval < 0)
goto out;
@@ -50686,7 +50716,7 @@ index 312e297..699f362 100644
current->fs->in_exec = 0;
current->in_execve = 0;
acct_update_integrals(current);
-@@ -1564,6 +1728,14 @@ static int do_execve_common(const char *filename,
+@@ -1564,6 +1730,14 @@ static int do_execve_common(const char *filename,
put_files_struct(displaced);
return retval;
@@ -50701,7 +50731,7 @@ index 312e297..699f362 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1637,7 +1809,7 @@ static int expand_corename(struct core_name *cn)
+@@ -1637,7 +1811,7 @@ static int expand_corename(struct core_name *cn)
{
char *old_corename = cn->corename;
@@ -50710,7 +50740,7 @@ index 312e297..699f362 100644
cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
if (!cn->corename) {
-@@ -1734,7 +1906,7 @@ static int format_corename(struct core_name *cn, long signr)
+@@ -1734,7 +1908,7 @@ static int format_corename(struct core_name *cn, long signr)
int pid_in_pattern = 0;
int err = 0;
@@ -50719,7 +50749,7 @@ index 312e297..699f362 100644
cn->corename = kmalloc(cn->size, GFP_KERNEL);
cn->used = 0;
-@@ -1831,6 +2003,280 @@ out:
+@@ -1831,6 +2005,280 @@ out:
return ispipe;
}
@@ -51000,7 +51030,7 @@ index 312e297..699f362 100644
static int zap_process(struct task_struct *start, int exit_code)
{
struct task_struct *t;
-@@ -2004,17 +2450,17 @@ static void coredump_finish(struct mm_struct *mm)
+@@ -2004,17 +2452,17 @@ static void coredump_finish(struct mm_struct *mm)
void set_dumpable(struct mm_struct *mm, int value)
{
switch (value) {
@@ -51021,7 +51051,7 @@ index 312e297..699f362 100644
set_bit(MMF_DUMP_SECURELY, &mm->flags);
smp_wmb();
set_bit(MMF_DUMPABLE, &mm->flags);
-@@ -2027,7 +2473,7 @@ static int __get_dumpable(unsigned long mm_flags)
+@@ -2027,7 +2475,7 @@ static int __get_dumpable(unsigned long mm_flags)
int ret;
ret = mm_flags & MMF_DUMPABLE_MASK;
@@ -51030,7 +51060,7 @@ index 312e297..699f362 100644
}
int get_dumpable(struct mm_struct *mm)
-@@ -2042,17 +2488,17 @@ static void wait_for_dump_helpers(struct file *file)
+@@ -2042,17 +2490,17 @@ static void wait_for_dump_helpers(struct file *file)
pipe = file->f_path.dentry->d_inode->i_pipe;
pipe_lock(pipe);
@@ -51053,7 +51083,7 @@ index 312e297..699f362 100644
pipe_unlock(pipe);
}
-@@ -2113,7 +2559,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2113,7 +2561,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
int retval = 0;
int flag = 0;
int ispipe;
@@ -51063,7 +51093,7 @@ index 312e297..699f362 100644
struct coredump_params cprm = {
.signr = signr,
.regs = regs,
-@@ -2128,6 +2575,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2128,6 +2577,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
audit_core_dumps(signr);
@@ -51073,7 +51103,7 @@ index 312e297..699f362 100644
binfmt = mm->binfmt;
if (!binfmt || !binfmt->core_dump)
goto fail;
-@@ -2138,14 +2588,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2138,14 +2590,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
if (!cred)
goto fail;
/*
@@ -51094,7 +51124,7 @@ index 312e297..699f362 100644
}
retval = coredump_wait(exit_code, &core_state);
-@@ -2195,7 +2647,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2195,7 +2649,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
}
cprm.limit = RLIM_INFINITY;
@@ -51103,7 +51133,7 @@ index 312e297..699f362 100644
if (core_pipe_limit && (core_pipe_limit < dump_count)) {
printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
task_tgid_vnr(current), current->comm);
-@@ -2222,9 +2674,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2222,9 +2676,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
} else {
struct inode *inode;
@@ -51123,7 +51153,7 @@ index 312e297..699f362 100644
cprm.file = filp_open(cn.corename,
O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
0600);
-@@ -2265,7 +2727,7 @@ close_fail:
+@@ -2265,7 +2729,7 @@ close_fail:
filp_close(cprm.file, NULL);
fail_dropcount:
if (ispipe)
@@ -51132,7 +51162,7 @@ index 312e297..699f362 100644
fail_unlock:
kfree(cn.corename);
fail_corename:
-@@ -2284,7 +2746,7 @@ fail:
+@@ -2284,7 +2748,7 @@ fail:
*/
int dump_write(struct file *file, const void *addr, int nr)
{
@@ -57248,6 +57278,70 @@ index bb55cdb..e9ebb8a 100644
{
if (sbi->s_bytesex == BYTESEX_PDP)
return PDP_swab((__force __u32)n);
+diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
+index 6834920..6b0cc3e 100644
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -372,6 +372,24 @@ static int ubifs_readdir(struct file *file, void *dirent, filldir_t filldir)
+ */
+ return 0;
+
++ if (file->f_version == 0) {
++ /*
++ * The file was seek'ed, which means that @file->private_data
++ * is now invalid. This may also be just the first
++ * 'ubifs_readdir()' invocation, in which case
++ * @file->private_data is NULL, and the below code is
++ * basically a no-op.
++ */
++ kfree(file->private_data);
++ file->private_data = NULL;
++ }
++
++ /*
++ * 'generic_file_llseek()' unconditionally sets @file->f_version to
++ * zero, and we use this for detecting whether the file was seek'ed.
++ */
++ file->f_version = 1;
++
+ /* File positions 0 and 1 correspond to "." and ".." */
+ if (file->f_pos == 0) {
+ ubifs_assert(!file->private_data);
+@@ -446,6 +464,14 @@ static int ubifs_readdir(struct file *file, void *dirent, filldir_t filldir)
+ file->f_pos = key_hash_flash(c, &dent->key);
+ file->private_data = dent;
+ cond_resched();
++
++ if (file->f_version == 0)
++ /*
++ * The file was seek'ed meanwhile, lets return and start
++ * reading direntries from the new position on the next
++ * invocation.
++ */
++ return 0;
+ }
+
+ out:
+@@ -456,16 +482,14 @@ out:
+
+ kfree(file->private_data);
+ file->private_data = NULL;
++ /* 2 is a special value indicating that there are no more direntries */
+ file->f_pos = 2;
+ return 0;
+ }
+
+-/* If a directory is seeked, we have to free saved readdir() state */
+-static loff_t ubifs_dir_llseek(struct file *file, loff_t offset, int origin)
++static loff_t ubifs_dir_llseek(struct file *file, loff_t offset, int whence)
+ {
+- kfree(file->private_data);
+- file->private_data = NULL;
+- return generic_file_llseek(file, offset, origin);
++ return generic_file_llseek(file, offset, whence);
+ }
+
+ /* Free saved readdir() state when the directory is closed */
diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c
index 9228950..bbad895 100644
--- a/fs/ubifs/io.c
@@ -87232,7 +87326,7 @@ index f78f898..d7aa843 100644
if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) {
diff --git a/net/compat.c b/net/compat.c
-index 6def90e..ffd9b82 100644
+index 8c979cc..5800e81 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
@@ -87362,7 +87456,7 @@ index 6def90e..ffd9b82 100644
struct group_filter __user *kgf;
int __user *koptlen;
u32 interface, fmode, numsrc;
-@@ -790,7 +790,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
+@@ -799,7 +799,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
if (call < SYS_SOCKET || call > SYS_SENDMMSG)
return -EINVAL;
@@ -88377,7 +88471,7 @@ index 8f441b2..a56d38e 100644
return -ENOMEM;
}
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
-index d55110e..7e0739d 100644
+index 5f28fab..ebd7a97 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -118,7 +118,7 @@
@@ -88898,24 +88992,6 @@ index 5485077..7e37374 100644
hdr = register_sysctl_paths(net_ipv4_ctl_path, ipv4_table);
if (hdr == NULL)
-diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
-index fe381c2..ec8b4b7e 100644
---- a/net/ipv4/tcp.c
-+++ b/net/ipv4/tcp.c
-@@ -3037,8 +3037,11 @@ int tcp_md5_hash_skb_data(struct tcp_md5sig_pool *hp,
-
- for (i = 0; i < shi->nr_frags; ++i) {
- const struct skb_frag_struct *f = &shi->frags[i];
-- struct page *page = skb_frag_page(f);
-- sg_set_page(&sg, page, skb_frag_size(f), f->page_offset);
-+ unsigned int offset = f->page_offset;
-+ struct page *page = skb_frag_page(f) + (offset >> PAGE_SHIFT);
-+
-+ sg_set_page(&sg, page, skb_frag_size(f),
-+ offset_in_page(offset));
- if (crypto_hash_update(desc, &sg, skb_frag_size(f)))
- return 1;
- }
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 872b41d..54a02f1 100644
--- a/net/ipv4/tcp_input.c
@@ -89293,7 +89369,7 @@ index 5a65eea..bd913a1 100644
int udp4_seq_show(struct seq_file *seq, void *v)
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
-index d84033b..a15645a 100644
+index d603caa..dca1994 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -2151,7 +2151,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
@@ -89366,7 +89442,7 @@ index 1567fb1..29af910 100644
dst = NULL;
}
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
-index 3ccd9b2..7a0f168 100644
+index 6aadaa8..7a0f168 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -909,11 +909,17 @@ static struct dst_entry *ip6_sk_dst_check(struct sock *sk,
@@ -89388,15 +89464,6 @@ index 3ccd9b2..7a0f168 100644
/* Yes, checking route validity in not connected
* case is not very simple. Take into account,
* that we do not support routing by source, TOS,
-@@ -1233,7 +1239,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
- if (WARN_ON(np->cork.opt))
- return -EINVAL;
-
-- np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation);
-+ np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation);
- if (unlikely(np->cork.opt == NULL))
- return -ENOBUFS;
-
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index b204df8..8f274f4 100644
--- a/net/ipv6/ipv6_sockglue.c
@@ -90056,33 +90123,6 @@ index 93a41a0..d4b4edb 100644
NLA_PUT_U32(skb, L2TP_ATTR_CONN_ID, tunnel->tunnel_id);
NLA_PUT_U32(skb, L2TP_ATTR_SESSION_ID, session->session_id);
-diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
-index 6f60175..74410e6 100644
---- a/net/l2tp/l2tp_ppp.c
-+++ b/net/l2tp/l2tp_ppp.c
-@@ -350,19 +350,19 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
- skb_put(skb, 2);
-
- /* Copy user data into skb */
-- error = memcpy_fromiovec(skb->data, m->msg_iov, total_len);
-+ error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov,
-+ total_len);
- if (error < 0) {
- kfree_skb(skb);
- goto error_put_sess_tun;
- }
-- skb_put(skb, total_len);
-
- l2tp_xmit_skb(session, skb, session->hdr_len);
-
- sock_put(ps->tunnel_sock);
- sock_put(sk);
-
-- return error;
-+ return total_len;
-
- error_put_sess_tun:
- sock_put(ps->tunnel_sock);
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 73495f1..ad51356 100644
--- a/net/mac80211/ieee80211_i.h
@@ -90873,7 +90913,7 @@ index 3df7c5a..8f324b0 100644
*uaddr_len = sizeof(struct sockaddr_ax25);
}
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index 5a70215..070be35 100644
+index a2ac2c3..070be35 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1670,7 +1670,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
@@ -90913,22 +90953,7 @@ index 5a70215..070be35 100644
msg->msg_flags |= MSG_ERRQUEUE;
err = copied;
-@@ -2820,12 +2822,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
- return -EOPNOTSUPP;
-
- uaddr->sa_family = AF_PACKET;
-+ memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
- rcu_read_lock();
- dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
- if (dev)
-- strncpy(uaddr->sa_data, dev->name, 14);
-- else
-- memset(uaddr->sa_data, 0, 14);
-+ strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
- rcu_read_unlock();
- *uaddr_len = sizeof(*uaddr);
-
-@@ -3262,7 +3263,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3261,7 +3263,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
case PACKET_HDRLEN:
if (len > sizeof(int))
len = sizeof(int);
@@ -90937,7 +90962,7 @@ index 5a70215..070be35 100644
return -EFAULT;
switch (val) {
case TPACKET_V1:
-@@ -3312,7 +3313,11 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3311,7 +3313,11 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
if (put_user(len, optlen))
return -EFAULT;
@@ -91617,7 +91642,7 @@ index 9032d50..49eb875 100644
sctp_generate_t1_cookie_event,
sctp_generate_t1_init_event,
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 5e0d86e..f09fd13 100644
+index ba0108f..f09fd13 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -2157,11 +2157,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
@@ -91635,20 +91660,7 @@ index 5e0d86e..f09fd13 100644
/*
* At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,
-@@ -3929,6 +3931,12 @@ SCTP_STATIC void sctp_destroy_sock(struct sock *sk)
-
- /* Release our hold on the endpoint. */
- sp = sctp_sk(sk);
-+ /* This could happen during socket init, thus we bail out
-+ * early, since the rest of the below is not setup either.
-+ */
-+ if (sp->ep == NULL)
-+ return;
-+
- if (sp->do_auto_asconf) {
- sp->do_auto_asconf = 0;
- list_del(&sp->auto_asconf_list);
-@@ -4141,13 +4149,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
+@@ -4147,13 +4149,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
int __user *optlen)
{
@@ -91666,7 +91678,7 @@ index 5e0d86e..f09fd13 100644
return -EFAULT;
return 0;
}
-@@ -4165,6 +4176,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
+@@ -4171,6 +4176,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
*/
static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen)
{
@@ -91675,7 +91687,7 @@ index 5e0d86e..f09fd13 100644
/* Applicable to UDP-style socket only */
if (sctp_style(sk, TCP))
return -EOPNOTSUPP;
-@@ -4173,7 +4186,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
+@@ -4179,7 +4186,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
len = sizeof(int);
if (put_user(len, optlen))
return -EFAULT;
@@ -91685,7 +91697,7 @@ index 5e0d86e..f09fd13 100644
return -EFAULT;
return 0;
}
-@@ -4537,12 +4551,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
+@@ -4543,12 +4551,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
*/
static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen)
{
@@ -91702,7 +91714,7 @@ index 5e0d86e..f09fd13 100644
return -EFAULT;
return 0;
}
-@@ -4583,6 +4600,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
+@@ -4589,6 +4600,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
if (space_left < addrlen)
return -ENOMEM;
@@ -91765,7 +91777,7 @@ index 8da4481..d02565e 100644
+ (rtt >> sctp_rto_alpha);
} else {
diff --git a/net/socket.c b/net/socket.c
-index 68879db..a5288e9 100644
+index cf546a3..f7c6c75 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -88,6 +88,7 @@
@@ -91936,7 +91948,7 @@ index 68879db..a5288e9 100644
int err, err2;
int fput_needed;
-@@ -1950,7 +2012,7 @@ static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -1950,7 +2012,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
* checking falls down on this.
*/
if (copy_from_user(ctl_buf,
@@ -91945,7 +91957,7 @@ index 68879db..a5288e9 100644
ctl_len))
goto out_freectl;
msg_sys->msg_control = ctl_buf;
-@@ -2090,7 +2152,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2101,7 +2163,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
int err, iov_size, total_len, len;
/* kernel mode address */
@@ -91954,7 +91966,7 @@ index 68879db..a5288e9 100644
/* user mode address pointers */
struct sockaddr __user *uaddr;
-@@ -2120,7 +2182,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2131,7 +2193,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
* kernel msghdr to use the kernel address space)
*/
@@ -91963,7 +91975,7 @@ index 68879db..a5288e9 100644
uaddr_len = COMPAT_NAMELEN(msg);
if (MSG_CMSG_COMPAT & flags) {
err = verify_compat_iovec(msg_sys, iov,
-@@ -2749,7 +2811,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
+@@ -2772,7 +2834,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
}
ifr = compat_alloc_user_space(buf_size);
@@ -91972,7 +91984,7 @@ index 68879db..a5288e9 100644
if (copy_in_user(&ifr->ifr_name, &ifr32->ifr_name, IFNAMSIZ))
return -EFAULT;
-@@ -2773,12 +2835,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
+@@ -2796,12 +2858,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
offsetof(struct ethtool_rxnfc, fs.ring_cookie));
if (copy_in_user(rxnfc, compat_rxnfc,
@@ -91989,7 +92001,7 @@ index 68879db..a5288e9 100644
copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt,
sizeof(rxnfc->rule_cnt)))
return -EFAULT;
-@@ -2790,12 +2852,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
+@@ -2813,12 +2875,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
if (convert_out) {
if (copy_in_user(compat_rxnfc, rxnfc,
@@ -92006,7 +92018,7 @@ index 68879db..a5288e9 100644
copy_in_user(&compat_rxnfc->rule_cnt, &rxnfc->rule_cnt,
sizeof(rxnfc->rule_cnt)))
return -EFAULT;
-@@ -2865,7 +2927,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
+@@ -2888,7 +2950,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
err = dev_ioctl(net, cmd,
@@ -92015,7 +92027,7 @@ index 68879db..a5288e9 100644
set_fs(old_fs);
return err;
-@@ -2974,7 +3036,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
+@@ -2997,7 +3059,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -92024,7 +92036,7 @@ index 68879db..a5288e9 100644
set_fs(old_fs);
if (cmd == SIOCGIFMAP && !err) {
-@@ -3079,7 +3141,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
+@@ -3102,7 +3164,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
ret |= __get_user(rtdev, &(ur4->rt_dev));
if (rtdev) {
ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
@@ -92033,7 +92045,7 @@ index 68879db..a5288e9 100644
devname[15] = 0;
} else
r4.rt_dev = NULL;
-@@ -3319,8 +3381,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
+@@ -3342,8 +3404,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
int __user *uoptlen;
int err;
@@ -92044,7 +92056,7 @@ index 68879db..a5288e9 100644
set_fs(KERNEL_DS);
if (level == SOL_SOCKET)
-@@ -3340,7 +3402,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
+@@ -3363,7 +3425,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
char __user *uoptval;
int err;
diff --git a/3.9.8/0000_README b/3.9.8/0000_README
index 8c126eb..1e4e620 100644
--- a/3.9.8/0000_README
+++ b/3.9.8/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.9.8-201306272057.patch
+Patch: 4420_grsecurity-2.9.1-3.9.8-201306302052.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.9.8/4420_grsecurity-2.9.1-3.9.8-201306272057.patch b/3.9.8/4420_grsecurity-2.9.1-3.9.8-201306302052.patch
similarity index 99%
rename from 3.9.8/4420_grsecurity-2.9.1-3.9.8-201306272057.patch
rename to 3.9.8/4420_grsecurity-2.9.1-3.9.8-201306302052.patch
index 3efd0e4..9c80933 100644
--- a/3.9.8/4420_grsecurity-2.9.1-3.9.8-201306272057.patch
+++ b/3.9.8/4420_grsecurity-2.9.1-3.9.8-201306302052.patch
@@ -2312,7 +2312,7 @@ index 60d3b73..d27ee09 100644
EXPORT_SYMBOL(__get_user_1);
EXPORT_SYMBOL(__get_user_2);
diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
-index 0f82098..3dbd3ee 100644
+index 0f82098..fb3d3d5 100644
--- a/arch/arm/kernel/entry-armv.S
+++ b/arch/arm/kernel/entry-armv.S
@@ -47,6 +47,87 @@
@@ -2484,7 +2484,7 @@ index 0f82098..3dbd3ee 100644
THUMB( str sp, [ip], #4 )
THUMB( str lr, [ip], #4 )
-#ifdef CONFIG_CPU_USE_DOMAINS
-+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC)
++#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
ldr r6, [r2, #TI_CPU_DOMAIN]
#endif
set_tls r3, r4, r5
@@ -2493,7 +2493,7 @@ index 0f82098..3dbd3ee 100644
ldr r7, [r7, #TSK_STACK_CANARY]
#endif
-#ifdef CONFIG_CPU_USE_DOMAINS
-+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC)
++#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
mcr p15, 0, r6, c3, c0, 0 @ Set domain register
#endif
mov r5, r0
@@ -50560,7 +50560,7 @@ index 6a16053..2155147 100644
return rc;
}
diff --git a/fs/exec.c b/fs/exec.c
-index 6d56ff2..3bc6638 100644
+index 6d56ff2..f65b4ca 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,8 +55,20 @@
@@ -50862,7 +50862,37 @@ index 6d56ff2..3bc6638 100644
set_fs(old_fs);
return result;
}
-@@ -1250,7 +1325,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
+@@ -1136,13 +1211,6 @@ void setup_new_exec(struct linux_binprm * bprm)
+ set_dumpable(current->mm, suid_dumpable);
+ }
+
+- /*
+- * Flush performance counters when crossing a
+- * security domain:
+- */
+- if (!get_dumpable(current->mm))
+- perf_event_exit_task(current);
+-
+ /* An exec changes our domain. We are no longer part of the thread
+ group */
+
+@@ -1206,6 +1274,15 @@ void install_exec_creds(struct linux_binprm *bprm)
+
+ commit_creds(bprm->cred);
+ bprm->cred = NULL;
++
++ /*
++ * Disable monitoring for regular users
++ * when executing setuid binaries. Must
++ * wait until new credentials are committed
++ * by commit_creds() above
++ */
++ if (get_dumpable(current->mm) != SUID_DUMP_USER)
++ perf_event_exit_task(current);
+ /*
+ * cred_guard_mutex must be held at least to this point to prevent
+ * ptrace_attach() from altering our determination of the task's
+@@ -1250,7 +1327,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
}
rcu_read_unlock();
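Review bot: The new check in install_exec_creds(), `if (get_dumpable(current->mm) != SUID_DUMP_USER)`, is broader than the `if (!get_dumpable(current->mm))` it replaces in setup_new_exec(): it now also tears down perf events when dumpable is SUID_DUMP_ROOT (suid_dumpable=2), yet the added comment only speaks of "regular users" executing setuid binaries. That widening looks intentional but should be stated so nobody narrows it back, e.g. `/* Any dumpable mode other than SUID_DUMP_USER (DISABLE or ROOT) marks a privilege transition: drop inherited perf events. */`. The comment should also say why the placement after commit_creds() matters — presumably so that a concurrent perf_event_open()/attach is access-checked against the new credentials rather than the old ones, which the previous location in setup_new_exec() did not guarantee; confirm against the upstream change this mirrors. Both setup_new_exec() and install_exec_creds() begin and end outside this hunk.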
@@ -50871,7 +50901,7 @@ index 6d56ff2..3bc6638 100644
bprm->unsafe |= LSM_UNSAFE_SHARE;
} else {
res = -EAGAIN;
-@@ -1450,6 +1525,31 @@ int search_binary_handler(struct linux_binprm *bprm)
+@@ -1450,6 +1527,31 @@ int search_binary_handler(struct linux_binprm *bprm)
EXPORT_SYMBOL(search_binary_handler);
@@ -50903,7 +50933,7 @@ index 6d56ff2..3bc6638 100644
/*
* sys_execve() executes a new program.
*/
-@@ -1457,6 +1557,11 @@ static int do_execve_common(const char *filename,
+@@ -1457,6 +1559,11 @@ static int do_execve_common(const char *filename,
struct user_arg_ptr argv,
struct user_arg_ptr envp)
{
@@ -50915,7 +50945,7 @@ index 6d56ff2..3bc6638 100644
struct linux_binprm *bprm;
struct file *file;
struct files_struct *displaced;
-@@ -1464,6 +1569,8 @@ static int do_execve_common(const char *filename,
+@@ -1464,6 +1571,8 @@ static int do_execve_common(const char *filename,
int retval;
const struct cred *cred = current_cred();
@@ -50924,7 +50954,7 @@ index 6d56ff2..3bc6638 100644
/*
* We move the actual failure in case of RLIMIT_NPROC excess from
* set*uid() to execve() because too many poorly written programs
-@@ -1504,12 +1611,27 @@ static int do_execve_common(const char *filename,
+@@ -1504,12 +1613,27 @@ static int do_execve_common(const char *filename,
if (IS_ERR(file))
goto out_unmark;
@@ -50952,7 +50982,7 @@ index 6d56ff2..3bc6638 100644
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;
-@@ -1526,24 +1648,65 @@ static int do_execve_common(const char *filename,
+@@ -1526,24 +1650,65 @@ static int do_execve_common(const char *filename,
if (retval < 0)
goto out;
@@ -51022,7 +51052,7 @@ index 6d56ff2..3bc6638 100644
current->fs->in_exec = 0;
current->in_execve = 0;
acct_update_integrals(current);
-@@ -1552,6 +1715,14 @@ static int do_execve_common(const char *filename,
+@@ -1552,6 +1717,14 @@ static int do_execve_common(const char *filename,
put_files_struct(displaced);
return retval;
@@ -51037,7 +51067,7 @@ index 6d56ff2..3bc6638 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1700,3 +1871,283 @@ asmlinkage long compat_sys_execve(const char __user * filename,
+@@ -1700,3 +1873,283 @@ asmlinkage long compat_sys_execve(const char __user * filename,
return error;
}
#endif
@@ -56758,6 +56788,67 @@ index 69d4889..a810bd4 100644
{
if (sbi->s_bytesex == BYTESEX_PDP)
return PDP_swab((__force __u32)n);
+diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
+index de08c92f..732cd63 100644
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -364,6 +364,24 @@ static int ubifs_readdir(struct file *file, void *dirent, filldir_t filldir)
+ */
+ return 0;
+
++ if (file->f_version == 0) {
++ /*
++ * The file was seek'ed, which means that @file->private_data
++ * is now invalid. This may also be just the first
++ * 'ubifs_readdir()' invocation, in which case
++ * @file->private_data is NULL, and the below code is
++ * basically a no-op.
++ */
++ kfree(file->private_data);
++ file->private_data = NULL;
++ }
++
++ /*
++ * 'generic_file_llseek()' unconditionally sets @file->f_version to
++ * zero, and we use this for detecting whether the file was seek'ed.
++ */
++ file->f_version = 1;
++
+ /* File positions 0 and 1 correspond to "." and ".." */
+ if (file->f_pos == 0) {
+ ubifs_assert(!file->private_data);
+@@ -438,6 +456,14 @@ static int ubifs_readdir(struct file *file, void *dirent, filldir_t filldir)
+ file->f_pos = key_hash_flash(c, &dent->key);
+ file->private_data = dent;
+ cond_resched();
++
++ if (file->f_version == 0)
++ /*
++ * The file was seek'ed meanwhile, lets return and start
++ * reading direntries from the new position on the next
++ * invocation.
++ */
++ return 0;
+ }
+
+ out:
+@@ -448,15 +474,13 @@ out:
+
+ kfree(file->private_data);
+ file->private_data = NULL;
++ /* 2 is a special value indicating that there are no more direntries */
+ file->f_pos = 2;
+ return 0;
+ }
+
+-/* If a directory is seeked, we have to free saved readdir() state */
+ static loff_t ubifs_dir_llseek(struct file *file, loff_t offset, int whence)
+ {
+- kfree(file->private_data);
+- file->private_data = NULL;
+ return generic_file_llseek(file, offset, whence);
+ }
+
diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c
index e18b988..f1d4ad0f 100644
--- a/fs/ubifs/io.c
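Review bot: ubifs_dir_llseek() loses its explanatory comment together with the kfree(), leaving a bare wrapper whose reason for existing is no longer visible; the intent — that stale readdir state must not be freed here because readdir() may still be using file->private_data, and that generic_file_llseek() zeroing f_version is what readdir() relies on to notice the seek — belongs above it, e.g. `/* Do not free file->private_data here: readdir() may still be using it. generic_file_llseek() resets f_version, which readdir() uses to detect the seek and drop the stale state itself. */`. The readdir() comment's claim that generic_file_llseek() "unconditionally" zeroes f_version is slightly too strong — presumably a pure position query such as lseek(fd, 0, SEEK_CUR) returns without touching it, which is harmless since the position is unchanged, so "whenever the position changes" would be the accurate wording. The in-loop `if (file->f_version == 0)` check after cond_resched() reads a field that the seek path apparently writes without the lock readdir() holds; if tolerating that window is the design (a seek that lands after the check is caught at the top of the next readdir() call), a one-line comment saying so would spare the next reader from re-deriving it.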