From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id EA3E7138A2F for ; Sun, 24 Aug 2014 14:46:42 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 660B8E0817; Sun, 24 Aug 2014 14:46:42 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id F1C09E0817 for ; Sun, 24 Aug 2014 14:46:41 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 5961F34004F for ; Sun, 24 Aug 2014 14:46:38 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 7B98D3CDB for ; Sun, 24 Aug 2014 14:46:34 +0000 (UTC) 
From: "Anthony G. Basile" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Anthony G. Basile" Message-ID: <1408891715.afb00ac527c9a3d645742ea4bf120f2d3bd2b23b.blueness@gentoo> Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 3.14.17/, 3.15.10/, 3.2.62/ X-VCS-Repository: proj/hardened-patchset X-VCS-Files: 3.14.17/0000_README 3.14.17/4420_grsecurity-3.0-3.14.17-201408192019.patch 3.14.17/4420_grsecurity-3.0-3.14.17-201408212334.patch 3.14.17/4450_grsec-kconfig-default-gids.patch 3.15.10/0000_README 3.15.10/4420_grsecurity-3.0-3.15.10-201408192020.patch 3.15.10/4420_grsecurity-3.0-3.15.10-201408212335.patch 3.15.10/4450_grsec-kconfig-default-gids.patch 3.2.62/0000_README 3.2.62/4420_grsecurity-3.0-3.2.62-201408191950.patch 3.2.62/4420_grsecurity-3.0-3.2.62-201408212331.patch 3.2.62/4450_grsec-kconfig-default-gids.patch 3.2.62/4465_selinux-avc_audit-log-curr_ip.patch X-VCS-Directories: 3.14.17/ 3.15.10/ 3.2.62/ X-VCS-Committer: blueness X-VCS-Committer-Name: Anthony G. Basile X-VCS-Revision: afb00ac527c9a3d645742ea4bf120f2d3bd2b23b X-VCS-Branch: master Date: Sun, 24 Aug 2014 14:46:34 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: e75aec94-81dd-4ba6-9e22-e7548dcc209e X-Archives-Hash: caebe7bfbf39be3bd01cb158a0691d2a commit: afb00ac527c9a3d645742ea4bf120f2d3bd2b23b Author: Anthony G. Basile gentoo org> AuthorDate: Sun Aug 24 14:48:35 2014 +0000 Commit: Anthony G. 
Basile gentoo org> CommitDate: Sun Aug 24 14:48:35 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=afb00ac5 Grsec/PaX: 3.0-{3.2.62,3.14.17,3.15.10}-201408212335 --- 3.14.17/0000_README | 2 +- ...4420_grsecurity-3.0-3.14.17-201408212334.patch} | 426 ++++++++++++++++--- 3.14.17/4450_grsec-kconfig-default-gids.patch | 6 +- 3.15.10/0000_README | 2 +- ...4420_grsecurity-3.0-3.15.10-201408212335.patch} | 433 ++++++++++++++++--- 3.15.10/4450_grsec-kconfig-default-gids.patch | 6 +- 3.2.62/0000_README | 2 +- ... 4420_grsecurity-3.0-3.2.62-201408212331.patch} | 465 +++++++++++++++++---- 3.2.62/4450_grsec-kconfig-default-gids.patch | 6 +- 3.2.62/4465_selinux-avc_audit-log-curr_ip.patch | 2 +- 10 files changed, 1134 insertions(+), 216 deletions(-) diff --git a/3.14.17/0000_README b/3.14.17/0000_README index ce3685e..2ab1642 100644 --- a/3.14.17/0000_README +++ b/3.14.17/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.14.17-201408192019.patch +Patch: 4420_grsecurity-3.0-3.14.17-201408212334.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.17/4420_grsecurity-3.0-3.14.17-201408192019.patch b/3.14.17/4420_grsecurity-3.0-3.14.17-201408212334.patch similarity index 99% rename from 3.14.17/4420_grsecurity-3.0-3.14.17-201408192019.patch rename to 3.14.17/4420_grsecurity-3.0-3.14.17-201408212334.patch index 73749ef..bf6a578 100644 --- a/3.14.17/4420_grsecurity-3.0-3.14.17-201408192019.patch +++ b/3.14.17/4420_grsecurity-3.0-3.14.17-201408212334.patch @@ -38844,28 +38844,10 @@ index 8320abd..ec48108 100644 if (cmd != SIOCWANDEV) diff --git a/drivers/char/random.c b/drivers/char/random.c -index 429b75b..a7f4145 100644 +index 429b75b..de805d0 100644 --- a/drivers/char/random.c 
+++ b/drivers/char/random.c -@@ -270,10 +270,17 @@ - /* - * Configuration information - */ -+#ifdef CONFIG_GRKERNSEC_RANDNET -+#define INPUT_POOL_SHIFT 14 -+#define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5)) -+#define OUTPUT_POOL_SHIFT 12 -+#define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5)) -+#else - #define INPUT_POOL_SHIFT 12 - #define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5)) - #define OUTPUT_POOL_SHIFT 10 - #define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5)) -+#endif - #define SEC_XFER_SIZE 512 - #define EXTRACT_SIZE 10 - -@@ -284,9 +291,6 @@ +@@ -284,9 +284,6 @@ /* * To allow fractional bits to be tracked, the entropy_count field is * denominated in units of 1/8th bits. @@ -38875,27 +38857,7 @@ index 429b75b..a7f4145 100644 */ #define ENTROPY_SHIFT 3 #define ENTROPY_BITS(r) ((r)->entropy_count >> ENTROPY_SHIFT) -@@ -361,12 +365,19 @@ static struct poolinfo { - #define S(x) ilog2(x)+5, (x), (x)*4, (x)*32, (x) << (ENTROPY_SHIFT+5) - int tap1, tap2, tap3, tap4, tap5; - } poolinfo_table[] = { -+#ifdef CONFIG_GRKERNSEC_RANDNET -+ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */ -+ { S(512), 411, 308, 208, 104, 1 }, -+ /* x^128 + x^104 + x^76 + x^51 + x^25 + x + 1 -- 105 */ -+ { S(128), 104, 76, 51, 25, 1 }, -+#else - /* was: x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 */ - /* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */ - { S(128), 104, 76, 51, 25, 1 }, - /* was: x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 */ - /* x^32 + x^26 + x^19 + x^14 + x^7 + x + 1 */ - { S(32), 26, 19, 14, 7, 1 }, -+#endif - #if 0 - /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */ - { S(2048), 1638, 1231, 819, 411, 1 }, -@@ -433,9 +444,9 @@ struct entropy_store { +@@ -433,9 +430,9 @@ struct entropy_store { }; static void push_to_pool(struct work_struct *work); 
@@ -38908,7 +38870,7 @@ index 429b75b..a7f4145 100644 static struct entropy_store input_pool = { .poolinfo = &poolinfo_table[0], -@@ -524,8 +535,8 @@ static void _mix_pool_bytes(struct entropy_store *r, const void *in, +@@ -524,8 +521,8 @@ static void _mix_pool_bytes(struct entropy_store *r, const void *in, input_rotate = (input_rotate + (i ? 7 : 14)) & 31; } @@ -38919,7 +38881,7 @@ index 429b75b..a7f4145 100644 smp_wmb(); if (out) -@@ -632,7 +643,7 @@ retry: +@@ -632,7 +629,7 @@ retry: /* The +2 corresponds to the /4 in the denominator */ do { @@ -38928,7 +38890,7 @@ index 429b75b..a7f4145 100644 unsigned int add = ((pool_size - entropy_count)*anfrac*3) >> s; -@@ -1151,7 +1162,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, +@@ -1151,7 +1148,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, extract_buf(r, tmp); i = min_t(int, nbytes, EXTRACT_SIZE); @@ -38937,7 +38899,7 @@ index 429b75b..a7f4145 100644 ret = -EFAULT; break; } -@@ -1507,7 +1518,7 @@ EXPORT_SYMBOL(generate_random_uuid); +@@ -1507,7 +1504,7 @@ EXPORT_SYMBOL(generate_random_uuid); #include static int min_read_thresh = 8, min_write_thresh; @@ -38946,7 +38908,7 @@ index 429b75b..a7f4145 100644 static int max_write_thresh = INPUT_POOL_WORDS * 32; static char sysctl_bootid[16]; -@@ -1523,7 +1534,7 @@ static char sysctl_bootid[16]; +@@ -1523,7 +1520,7 @@ static char sysctl_bootid[16]; static int proc_do_uuid(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -38955,7 +38917,7 @@ index 429b75b..a7f4145 100644 unsigned char buf[64], tmp_uuid[16], *uuid; uuid = table->data; -@@ -1553,7 +1564,7 @@ static int proc_do_uuid(struct ctl_table *table, int write, +@@ -1553,7 +1550,7 @@ static int proc_do_uuid(struct ctl_table *table, int write, static int proc_do_entropy(ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { 
@@ -41703,6 +41665,19 @@ index 6866448..2ad2b34 100644 { /* copy over all the bus versions */ if (dev->bus && dev->bus->pm) { +diff --git a/drivers/hid/hid-cherry.c b/drivers/hid/hid-cherry.c +index 1bdcccc..f745d2c 100644 +--- a/drivers/hid/hid-cherry.c ++++ b/drivers/hid/hid-cherry.c +@@ -28,7 +28,7 @@ + static __u8 *ch_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) { ++ if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) { + hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n"); + rdesc[11] = rdesc[16] = 0xff; + rdesc[12] = rdesc[17] = 0x03; diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 7cd42ea..a367c48 100644 --- a/drivers/hid/hid-core.c 
@@ -41725,6 +41700,110 @@ index 7cd42ea..a367c48 100644 hid_debug_register(hdev, dev_name(&hdev->dev)); ret = device_add(&hdev->dev); +diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c +index e776963..b92bf01 100644 +--- a/drivers/hid/hid-kye.c ++++ b/drivers/hid/hid-kye.c +@@ -300,7 +300,7 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc, + * - change the button usage range to 4-7 for the extra + * buttons + */ +- if (*rsize >= 74 && ++ if (*rsize >= 75 && + rdesc[61] == 0x05 && rdesc[62] == 0x08 && + rdesc[63] == 0x19 && rdesc[64] == 0x08 && + rdesc[65] == 0x29 && rdesc[66] == 0x0f && +diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c +index 9fe9d4a..b8207e0 100644 +--- a/drivers/hid/hid-lg.c ++++ b/drivers/hid/hid-lg.c +@@ -345,14 +345,14 @@ static __u8 *lg_report_fixup(struct hid_device *hdev, __u8 *rdesc, + struct usb_device_descriptor *udesc; + __u16 bcdDevice, rev_maj, rev_min; + +- if ((drv_data->quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 && ++ if ((drv_data->quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 && + rdesc[84] == 0x8c && rdesc[85] == 0x02) { + hid_info(hdev, + "fixing up Logitech keyboard report descriptor\n"); + rdesc[84] = rdesc[89] = 0x4d; + rdesc[85] = rdesc[90] = 0x10; + } +- if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 50 && ++ if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 51 && + rdesc[32] == 0x81 && rdesc[33] == 0x06 && + rdesc[49] == 0x81 && rdesc[50] == 0x06) { + hid_info(hdev, +diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c +index f45279c..0b14d32 100644 +--- a/drivers/hid/hid-logitech-dj.c ++++ b/drivers/hid/hid-logitech-dj.c +@@ -237,13 +237,6 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev, + return; + } + +- if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) || +- (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) { +- dev_err(&djrcv_hdev->dev, "%s: invalid device index:%d\n", +- __func__, 
dj_report->device_index); +- return; +- } +- + if (djrcv_dev->paired_dj_devices[dj_report->device_index]) { + /* The device is already known. No need to reallocate it. */ + dbg_hid("%s: device is already known\n", __func__); +@@ -721,6 +714,12 @@ static int logi_dj_raw_event(struct hid_device *hdev, + * device (via hid_input_report() ) and return 1 so hid-core does not do + * anything else with it. + */ ++ if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) || ++ (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) { ++ dev_err(&hdev->dev, "%s: invalid device index:%d\n", ++ __func__, dj_report->device_index); ++ return false; ++ } + + spin_lock_irqsave(&djrcv_dev->lock, flags); + if (dj_report->report_id == REPORT_ID_DJ_SHORT) { +diff --git a/drivers/hid/hid-monterey.c b/drivers/hid/hid-monterey.c +index 9e14c00..25daf28 100644 +--- a/drivers/hid/hid-monterey.c ++++ b/drivers/hid/hid-monterey.c +@@ -24,7 +24,7 @@ + static __u8 *mr_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) { ++ if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) { + hid_info(hdev, "fixing up button/consumer in HID report descriptor\n"); + rdesc[30] = 0x0c; + } +diff --git a/drivers/hid/hid-petalynx.c b/drivers/hid/hid-petalynx.c +index 736b250..6aca4f2 100644 +--- a/drivers/hid/hid-petalynx.c ++++ b/drivers/hid/hid-petalynx.c +@@ -25,7 +25,7 @@ + static __u8 *pl_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 && ++ if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 && + rdesc[41] == 0x00 && rdesc[59] == 0x26 && + rdesc[60] == 0xf9 && rdesc[61] == 0x00) { + hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n"); +diff --git a/drivers/hid/hid-sunplus.c b/drivers/hid/hid-sunplus.c +index 87fc91e..91072fa 100644 +--- a/drivers/hid/hid-sunplus.c ++++ b/drivers/hid/hid-sunplus.c +@@ -24,7 
+24,7 @@ + static __u8 *sp_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 && ++ if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 && + rdesc[106] == 0x03) { + hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n"); + rdesc[105] = rdesc[110] = 0x03; diff --git a/drivers/hid/hid-wiimote-debug.c b/drivers/hid/hid-wiimote-debug.c index c13fb5b..55a3802 100644 --- a/drivers/hid/hid-wiimote-debug.c 
@@ -61813,6 +61892,185 @@ index e846a32..bb06bd0 100644 put_cpu_var(last_ino); return res; } +diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c +index 4a9e10e..a9daccb 100644 +--- a/fs/isofs/inode.c ++++ b/fs/isofs/inode.c +@@ -61,7 +61,7 @@ static void isofs_put_super(struct super_block *sb) + return; + } + +-static int isofs_read_inode(struct inode *); ++static int isofs_read_inode(struct inode *, int relocated); + static int isofs_statfs (struct dentry *, struct kstatfs *); + + static struct kmem_cache *isofs_inode_cachep; +@@ -1258,7 +1258,7 @@ out_toomany: + goto out; + } + +-static int isofs_read_inode(struct inode *inode) ++static int isofs_read_inode(struct inode *inode, int relocated) + { + struct super_block *sb = inode->i_sb; + struct isofs_sb_info *sbi = ISOFS_SB(sb); +@@ -1403,7 +1403,7 @@ static int isofs_read_inode(struct inode *inode) + */ + + if (!high_sierra) { +- parse_rock_ridge_inode(de, inode); ++ parse_rock_ridge_inode(de, inode, relocated); + /* if we want uid/gid set, override the rock ridge setting */ + if (sbi->s_uid_set) + inode->i_uid = sbi->s_uid; +@@ -1482,9 +1482,10 @@ static int isofs_iget5_set(struct inode *ino, void *data) + * offset that point to the underlying meta-data for the inode. 
The + * code below is otherwise similar to the iget() code in + * include/linux/fs.h */ +-struct inode *isofs_iget(struct super_block *sb, +- unsigned long block, +- unsigned long offset) ++struct inode *__isofs_iget(struct super_block *sb, ++ unsigned long block, ++ unsigned long offset, ++ int relocated) + { + unsigned long hashval; + struct inode *inode; +@@ -1506,7 +1507,7 @@ struct inode *isofs_iget(struct super_block *sb, + return ERR_PTR(-ENOMEM); + + if (inode->i_state & I_NEW) { +- ret = isofs_read_inode(inode); ++ ret = isofs_read_inode(inode, relocated); + if (ret < 0) { + iget_failed(inode); + inode = ERR_PTR(ret); +diff --git a/fs/isofs/isofs.h b/fs/isofs/isofs.h +index 9916723..0ac4c1f 100644 +--- a/fs/isofs/isofs.h ++++ b/fs/isofs/isofs.h +@@ -107,7 +107,7 @@ extern int iso_date(char *, int); + + struct inode; /* To make gcc happy */ + +-extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *); ++extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *, int relocated); + extern int get_rock_ridge_filename(struct iso_directory_record *, char *, struct inode *); + extern int isofs_name_translate(struct iso_directory_record *, char *, struct inode *); + +@@ -118,9 +118,24 @@ extern struct dentry *isofs_lookup(struct inode *, struct dentry *, unsigned int + extern struct buffer_head *isofs_bread(struct inode *, sector_t); + extern int isofs_get_blocks(struct inode *, sector_t, struct buffer_head **, unsigned long); + +-extern struct inode *isofs_iget(struct super_block *sb, +- unsigned long block, +- unsigned long offset); ++struct inode *__isofs_iget(struct super_block *sb, ++ unsigned long block, ++ unsigned long offset, ++ int relocated); ++ ++static inline struct inode *isofs_iget(struct super_block *sb, ++ unsigned long block, ++ unsigned long offset) ++{ ++ return __isofs_iget(sb, block, offset, 0); ++} ++ ++static inline struct inode *isofs_iget_reloc(struct super_block *sb, ++ unsigned long block, ++ 
unsigned long offset) ++{ ++ return __isofs_iget(sb, block, offset, 1); ++} + + /* Because the inode number is no longer relevant to finding the + * underlying meta-data for an inode, we are free to choose a more +diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c +index c0bf424..f488bba 100644 +--- a/fs/isofs/rock.c ++++ b/fs/isofs/rock.c +@@ -288,12 +288,16 @@ eio: + goto out; + } + ++#define RR_REGARD_XA 1 ++#define RR_RELOC_DE 2 ++ + static int + parse_rock_ridge_inode_internal(struct iso_directory_record *de, +- struct inode *inode, int regard_xa) ++ struct inode *inode, int flags) + { + int symlink_len = 0; + int cnt, sig; ++ unsigned int reloc_block; + struct inode *reloc; + struct rock_ridge *rr; + int rootflag; +@@ -305,7 +309,7 @@ parse_rock_ridge_inode_internal(struct iso_directory_record *de, + + init_rock_state(&rs, inode); + setup_rock_ridge(de, inode, &rs); +- if (regard_xa) { ++ if (flags & RR_REGARD_XA) { + rs.chr += 14; + rs.len -= 14; + if (rs.len < 0) +@@ -485,12 +489,22 @@ repeat: + "relocated directory\n"); + goto out; + case SIG('C', 'L'): +- ISOFS_I(inode)->i_first_extent = +- isonum_733(rr->u.CL.location); +- reloc = +- isofs_iget(inode->i_sb, +- ISOFS_I(inode)->i_first_extent, +- 0); ++ if (flags & RR_RELOC_DE) { ++ printk(KERN_ERR ++ "ISOFS: Recursive directory relocation " ++ "is not supported\n"); ++ goto eio; ++ } ++ reloc_block = isonum_733(rr->u.CL.location); ++ if (reloc_block == ISOFS_I(inode)->i_iget5_block && ++ ISOFS_I(inode)->i_iget5_offset == 0) { ++ printk(KERN_ERR ++ "ISOFS: Directory relocation points to " ++ "itself\n"); ++ goto eio; ++ } ++ ISOFS_I(inode)->i_first_extent = reloc_block; ++ reloc = isofs_iget_reloc(inode->i_sb, reloc_block, 0); + if (IS_ERR(reloc)) { + ret = PTR_ERR(reloc); + goto out; +@@ -637,9 +651,11 @@ static char *get_symlink_chunk(char *rpnt, struct rock_ridge *rr, char *plimit) + return rpnt; + } + +-int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode) ++int 
parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode, ++ int relocated) + { +- int result = parse_rock_ridge_inode_internal(de, inode, 0); ++ int flags = relocated ? RR_RELOC_DE : 0; ++ int result = parse_rock_ridge_inode_internal(de, inode, flags); + + /* + * if rockridge flag was reset and we didn't look for attributes +@@ -647,7 +663,8 @@ int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode) + */ + if ((ISOFS_SB(inode->i_sb)->s_rock_offset == -1) + && (ISOFS_SB(inode->i_sb)->s_rock == 2)) { +- result = parse_rock_ridge_inode_internal(de, inode, 14); ++ result = parse_rock_ridge_inode_internal(de, inode, ++ flags | RR_REGARD_XA); + } + return result; + } diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c index 4a6cf28..d3a29d3 100644 --- a/fs/jffs2/erase.c @@ -66162,10 +66420,10 @@ index 78e62cc..eec3706 100644 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..bfd482c +index 0000000..27cec32 --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,1176 @@ +@@ -0,0 +1,1166 @@ +# +# grecurity configuration +# @@ -67098,16 +67356,6 @@ index 0000000..bfd482c +menu "Network Protections" +depends on GRKERNSEC + -+config GRKERNSEC_RANDNET -+ bool "Larger entropy pools" -+ default y if GRKERNSEC_CONFIG_AUTO -+ help -+ If you say Y here, the entropy pools used for many features of Linux -+ and grsecurity will be doubled in size. Since several grsecurity -+ features use additional randomness, it is recommended that you say Y -+ here. Saying Y here has a similar effect as modifying -+ /proc/sys/kernel/random/poolsize. -+ +config GRKERNSEC_BLACKHOLE + bool "TCP/UDP blackhole and LAST_ACK DoS prevention" + default y if GRKERNSEC_CONFIG_AUTO @@ -102180,10 +102428,18 @@ index b74aa07..d41926e 100644 *uaddr_len = sizeof(struct sockaddr_ax25); } diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 48a6a93..0b0496e 100644 +index 48a6a93..d2c096b 100644 --- a/net/packet/af_packet.c 
+++ b/net/packet/af_packet.c -@@ -1845,7 +1845,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -635,6 +635,7 @@ static void init_prb_bdqc(struct packet_sock *po, + p1->tov_in_jiffies = msecs_to_jiffies(p1->retire_blk_tov); + p1->blk_sizeof_priv = req_u->req3.tp_sizeof_priv; + ++ p1->max_frame_len = p1->kblk_size - BLK_PLUS_PRIV(p1->blk_sizeof_priv); + prb_init_ft_ops(p1, req_u); + prb_setup_retire_blk_timer(po, tx_ring); + prb_open_block(p1, pbd); +@@ -1845,7 +1846,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, spin_lock(&sk->sk_receive_queue.lock); po->stats.stats1.tp_packets++; @@ -102192,7 +102448,7 @@ index 48a6a93..0b0496e 100644 __skb_queue_tail(&sk->sk_receive_queue, skb); spin_unlock(&sk->sk_receive_queue.lock); sk->sk_data_ready(sk, skb->len); -@@ -1854,7 +1854,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -1854,7 +1855,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, drop_n_acct: spin_lock(&sk->sk_receive_queue.lock); po->stats.stats1.tp_drops++; 
@@ -102201,7 +102457,26 @@ index 48a6a93..0b0496e 100644 spin_unlock(&sk->sk_receive_queue.lock); drop_n_restore: -@@ -3449,7 +3449,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -1946,6 +1947,18 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + if ((int)snaplen < 0) + snaplen = 0; + } ++ } else if (unlikely(macoff + snaplen > ++ GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) { ++ u32 nval; ++ ++ nval = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len - macoff; ++ pr_err_once("tpacket_rcv: packet too big, clamped from %u to %u. macoff=%u\n", ++ snaplen, nval, macoff); ++ snaplen = nval; ++ if (unlikely((int)snaplen < 0)) { ++ snaplen = 0; ++ macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len; ++ } + } + spin_lock(&sk->sk_receive_queue.lock); + h.raw = packet_current_rx_frame(po, skb, +@@ -3449,7 +3462,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, case PACKET_HDRLEN: if (len > sizeof(int)) len = sizeof(int); @@ -102210,7 +102485,7 @@ index 48a6a93..0b0496e 100644 return -EFAULT; switch (val) { case TPACKET_V1: -@@ -3495,7 +3495,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3495,7 +3508,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, len = lv; if (put_user(len, optlen)) return -EFAULT; 
@@ -102219,6 +102494,29 @@ index 48a6a93..0b0496e 100644 return -EFAULT; return 0; } +@@ -3779,6 +3792,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + goto out; + if (unlikely(req->tp_block_size & (PAGE_SIZE - 1))) + goto out; ++ if (po->tp_version >= TPACKET_V3 && ++ (int)(req->tp_block_size - ++ BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0) ++ goto out; + if (unlikely(req->tp_frame_size < po->tp_hdrlen + + po->tp_reserve)) + goto out; +diff --git a/net/packet/internal.h b/net/packet/internal.h +index eb9580a..cdddf6a 100644 +--- a/net/packet/internal.h ++++ b/net/packet/internal.h +@@ -29,6 +29,7 @@ struct tpacket_kbdq_core { + char *pkblk_start; + char *pkblk_end; + int kblk_size; ++ unsigned int max_frame_len; + unsigned int knum_blocks; + uint64_t knxt_seq_num; + char *prev; diff --git a/net/phonet/pep.c b/net/phonet/pep.c index e774117..900b8b7 100644 --- a/net/phonet/pep.c diff --git a/3.14.17/4450_grsec-kconfig-default-gids.patch b/3.14.17/4450_grsec-kconfig-default-gids.patch index af218a8..0451e5a 100644 --- a/3.14.17/4450_grsec-kconfig-default-gids.patch +++ b/3.14.17/4450_grsec-kconfig-default-gids.patch @@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -1013,7 +1013,7 @@ +@@ -1003,7 +1003,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL @@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -1034,7 +1034,7 @@ +@@ -1024,7 +1024,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT 
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -1052,7 +1052,7 @@ +@@ -1042,7 +1042,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER diff --git a/3.15.10/0000_README b/3.15.10/0000_README index 70556f5..53bdf83 100644 --- a/3.15.10/0000_README +++ b/3.15.10/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.15.10-201408192020.patch +Patch: 4420_grsecurity-3.0-3.15.10-201408212335.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.15.10/4420_grsecurity-3.0-3.15.10-201408192020.patch b/3.15.10/4420_grsecurity-3.0-3.15.10-201408212335.patch similarity index 99% rename from 3.15.10/4420_grsecurity-3.0-3.15.10-201408192020.patch rename to 3.15.10/4420_grsecurity-3.0-3.15.10-201408212335.patch index 08568e5..a41c140 100644 --- a/3.15.10/4420_grsecurity-3.0-3.15.10-201408192020.patch +++ b/3.15.10/4420_grsecurity-3.0-3.15.10-201408212335.patch @@ -38749,28 +38749,10 @@ index 8320abd..ec48108 100644 if (cmd != SIOCWANDEV) diff --git a/drivers/char/random.c b/drivers/char/random.c -index 18ec404..32033f3 100644 +index 18ec404..f2438cb 100644 --- a/drivers/char/random.c 
+++ b/drivers/char/random.c -@@ -270,10 +270,17 @@ - /* - * Configuration information - */ -+#ifdef CONFIG_GRKERNSEC_RANDNET -+#define INPUT_POOL_SHIFT 14 -+#define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5)) -+#define OUTPUT_POOL_SHIFT 12 -+#define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5)) -+#else - #define INPUT_POOL_SHIFT 12 - #define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5)) - #define OUTPUT_POOL_SHIFT 10 - #define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5)) -+#endif - #define SEC_XFER_SIZE 512 - #define EXTRACT_SIZE 10 - -@@ -284,9 +291,6 @@ +@@ -284,9 +284,6 @@ /* * To allow fractional bits to be tracked, the entropy_count field is * denominated in units of 1/8th bits. @@ -38780,27 +38762,7 @@ index 18ec404..32033f3 100644 */ #define ENTROPY_SHIFT 3 #define ENTROPY_BITS(r) ((r)->entropy_count >> ENTROPY_SHIFT) -@@ -361,12 +365,19 @@ static struct poolinfo { - #define S(x) ilog2(x)+5, (x), (x)*4, (x)*32, (x) << (ENTROPY_SHIFT+5) - int tap1, tap2, tap3, tap4, tap5; - } poolinfo_table[] = { -+#ifdef CONFIG_GRKERNSEC_RANDNET -+ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */ -+ { S(512), 411, 308, 208, 104, 1 }, -+ /* x^128 + x^104 + x^76 + x^51 + x^25 + x + 1 -- 105 */ -+ { S(128), 104, 76, 51, 25, 1 }, -+#else - /* was: x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 */ - /* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */ - { S(128), 104, 76, 51, 25, 1 }, - /* was: x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 */ - /* x^32 + x^26 + x^19 + x^14 + x^7 + x + 1 */ - { S(32), 26, 19, 14, 7, 1 }, -+#endif - #if 0 - /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */ - { S(2048), 1638, 1231, 819, 411, 1 }, -@@ -433,9 +444,9 @@ struct entropy_store { +@@ -433,9 +430,9 @@ struct entropy_store { }; static void push_to_pool(struct work_struct *work); 
@@ -38813,7 +38775,7 @@ index 18ec404..32033f3 100644 static struct entropy_store input_pool = { .poolinfo = &poolinfo_table[0], -@@ -524,8 +535,8 @@ static void _mix_pool_bytes(struct entropy_store *r, const void *in, +@@ -524,8 +521,8 @@ static void _mix_pool_bytes(struct entropy_store *r, const void *in, input_rotate = (input_rotate + (i ? 7 : 14)) & 31; } @@ -38824,7 +38786,7 @@ index 18ec404..32033f3 100644 smp_wmb(); if (out) -@@ -632,7 +643,7 @@ retry: +@@ -632,7 +629,7 @@ retry: /* The +2 corresponds to the /4 in the denominator */ do { @@ -38833,7 +38795,7 @@ index 18ec404..32033f3 100644 unsigned int add = ((pool_size - entropy_count)*anfrac*3) >> s; -@@ -1176,7 +1187,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, +@@ -1176,7 +1173,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, extract_buf(r, tmp); i = min_t(int, nbytes, EXTRACT_SIZE); @@ -38842,7 +38804,7 @@ index 18ec404..32033f3 100644 ret = -EFAULT; break; } -@@ -1566,7 +1577,7 @@ static char sysctl_bootid[16]; +@@ -1566,7 +1563,7 @@ static char sysctl_bootid[16]; static int proc_do_uuid(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -38851,7 +38813,7 @@ index 18ec404..32033f3 100644 unsigned char buf[64], tmp_uuid[16], *uuid; uuid = table->data; -@@ -1596,7 +1607,7 @@ static int proc_do_uuid(struct ctl_table *table, int write, +@@ -1596,7 +1593,7 @@ static int proc_do_uuid(struct ctl_table *table, int write, static int proc_do_entropy(ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { 
@@ -41503,6 +41465,19 @@ index 6866448..2ad2b34 100644 { /* copy over all the bus versions */ if (dev->bus && dev->bus->pm) { +diff --git a/drivers/hid/hid-cherry.c b/drivers/hid/hid-cherry.c +index 1bdcccc..f745d2c 100644 +--- a/drivers/hid/hid-cherry.c ++++ b/drivers/hid/hid-cherry.c +@@ -28,7 +28,7 @@ + static __u8 *ch_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) { ++ if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) { + hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n"); + rdesc[11] = rdesc[16] = 0xff; + rdesc[12] = rdesc[17] = 0x03; diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index a5c7927..025a2b4 100644 --- a/drivers/hid/hid-core.c 
@@ -41525,6 +41500,119 @@ index a5c7927..025a2b4 100644 hid_debug_register(hdev, dev_name(&hdev->dev)); ret = device_add(&hdev->dev); +diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c +index e776963..b92bf01 100644 +--- a/drivers/hid/hid-kye.c ++++ b/drivers/hid/hid-kye.c +@@ -300,7 +300,7 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc, + * - change the button usage range to 4-7 for the extra + * buttons + */ +- if (*rsize >= 74 && ++ if (*rsize >= 75 && + rdesc[61] == 0x05 && rdesc[62] == 0x08 && + rdesc[63] == 0x19 && rdesc[64] == 0x08 && + rdesc[65] == 0x29 && rdesc[66] == 0x0f && +diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c +index a976f48..f91ff14 100644 +--- a/drivers/hid/hid-lg.c ++++ b/drivers/hid/hid-lg.c +@@ -345,14 +345,14 @@ static __u8 *lg_report_fixup(struct hid_device *hdev, __u8 *rdesc, + struct usb_device_descriptor *udesc; + __u16 bcdDevice, rev_maj, rev_min; + +- if ((drv_data->quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 && ++ if ((drv_data->quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 && + rdesc[84] == 0x8c && rdesc[85] == 0x02) { + hid_info(hdev, + "fixing up Logitech keyboard report descriptor\n"); + rdesc[84] = rdesc[89] = 0x4d; + rdesc[85] = rdesc[90] = 0x10; + } +- if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 50 && ++ if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 51 && + rdesc[32] == 0x81 && rdesc[33] == 0x06 && + rdesc[49] == 0x81 && rdesc[50] == 0x06) { + hid_info(hdev, +diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c +index 486dbde..b7ba829 100644 +--- a/drivers/hid/hid-logitech-dj.c ++++ b/drivers/hid/hid-logitech-dj.c +@@ -238,13 +238,6 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev, + return; + } + +- if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) || +- (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) { +- dev_err(&djrcv_hdev->dev, "%s: invalid device index:%d\n", +- __func__, 
dj_report->device_index); +- return; +- } +- + if (djrcv_dev->paired_dj_devices[dj_report->device_index]) { + /* The device is already known. No need to reallocate it. */ + dbg_hid("%s: device is already known\n", __func__); +@@ -557,7 +550,7 @@ static int logi_dj_ll_raw_request(struct hid_device *hid, + if (!out_buf) + return -ENOMEM; + +- if (count < DJREPORT_SHORT_LENGTH - 2) ++ if (count > DJREPORT_SHORT_LENGTH - 2) + count = DJREPORT_SHORT_LENGTH - 2; + + out_buf[0] = REPORT_ID_DJ_SHORT; +@@ -690,6 +683,12 @@ static int logi_dj_raw_event(struct hid_device *hdev, + * device (via hid_input_report() ) and return 1 so hid-core does not do + * anything else with it. + */ ++ if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) || ++ (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) { ++ dev_err(&hdev->dev, "%s: invalid device index:%d\n", ++ __func__, dj_report->device_index); ++ return false; ++ } + + spin_lock_irqsave(&djrcv_dev->lock, flags); + if (dj_report->report_id == REPORT_ID_DJ_SHORT) { +diff --git a/drivers/hid/hid-monterey.c b/drivers/hid/hid-monterey.c +index 9e14c00..25daf28 100644 +--- a/drivers/hid/hid-monterey.c ++++ b/drivers/hid/hid-monterey.c +@@ -24,7 +24,7 @@ + static __u8 *mr_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) { ++ if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) { + hid_info(hdev, "fixing up button/consumer in HID report descriptor\n"); + rdesc[30] = 0x0c; + } +diff --git a/drivers/hid/hid-petalynx.c b/drivers/hid/hid-petalynx.c +index 736b250..6aca4f2 100644 +--- a/drivers/hid/hid-petalynx.c ++++ b/drivers/hid/hid-petalynx.c +@@ -25,7 +25,7 @@ + static __u8 *pl_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 && ++ if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 && + rdesc[41] == 0x00 && rdesc[59] == 0x26 && + rdesc[60] == 0xf9 
&& rdesc[61] == 0x00) { + hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n"); +diff --git a/drivers/hid/hid-sunplus.c b/drivers/hid/hid-sunplus.c +index 87fc91e..91072fa 100644 +--- a/drivers/hid/hid-sunplus.c ++++ b/drivers/hid/hid-sunplus.c +@@ -24,7 +24,7 @@ + static __u8 *sp_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 && ++ if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 && + rdesc[106] == 0x03) { + hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n"); + rdesc[105] = rdesc[110] = 0x03; diff --git a/drivers/hid/hid-wiimote-debug.c b/drivers/hid/hid-wiimote-debug.c index c13fb5b..55a3802 100644 --- a/drivers/hid/hid-wiimote-debug.c 
@@ -61657,6 +61745,185 @@ index d2fb2f2..a6444b0 100644 put_cpu_var(last_ino); return res; } +diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c +index 4556ce1..5ddaf86 100644 +--- a/fs/isofs/inode.c ++++ b/fs/isofs/inode.c +@@ -61,7 +61,7 @@ static void isofs_put_super(struct super_block *sb) + return; + } + +-static int isofs_read_inode(struct inode *); ++static int isofs_read_inode(struct inode *, int relocated); + static int isofs_statfs (struct dentry *, struct kstatfs *); + + static struct kmem_cache *isofs_inode_cachep; +@@ -1259,7 +1259,7 @@ out_toomany: + goto out; + } + +-static int isofs_read_inode(struct inode *inode) ++static int isofs_read_inode(struct inode *inode, int relocated) + { + struct super_block *sb = inode->i_sb; + struct isofs_sb_info *sbi = ISOFS_SB(sb); +@@ -1404,7 +1404,7 @@ static int isofs_read_inode(struct inode *inode) + */ + + if (!high_sierra) { +- parse_rock_ridge_inode(de, inode); ++ parse_rock_ridge_inode(de, inode, relocated); + /* if we want uid/gid set, override the rock ridge setting */ + if (sbi->s_uid_set) + inode->i_uid = sbi->s_uid; +@@ -1483,9 +1483,10 @@ static int isofs_iget5_set(struct inode *ino, void *data) + * offset that point to the underlying meta-data for the inode. 
The + * code below is otherwise similar to the iget() code in + * include/linux/fs.h */ +-struct inode *isofs_iget(struct super_block *sb, +- unsigned long block, +- unsigned long offset) ++struct inode *__isofs_iget(struct super_block *sb, ++ unsigned long block, ++ unsigned long offset, ++ int relocated) + { + unsigned long hashval; + struct inode *inode; +@@ -1507,7 +1508,7 @@ struct inode *isofs_iget(struct super_block *sb, + return ERR_PTR(-ENOMEM); + + if (inode->i_state & I_NEW) { +- ret = isofs_read_inode(inode); ++ ret = isofs_read_inode(inode, relocated); + if (ret < 0) { + iget_failed(inode); + inode = ERR_PTR(ret); +diff --git a/fs/isofs/isofs.h b/fs/isofs/isofs.h +index 9916723..0ac4c1f 100644 +--- a/fs/isofs/isofs.h ++++ b/fs/isofs/isofs.h +@@ -107,7 +107,7 @@ extern int iso_date(char *, int); + + struct inode; /* To make gcc happy */ + +-extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *); ++extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *, int relocated); + extern int get_rock_ridge_filename(struct iso_directory_record *, char *, struct inode *); + extern int isofs_name_translate(struct iso_directory_record *, char *, struct inode *); + +@@ -118,9 +118,24 @@ extern struct dentry *isofs_lookup(struct inode *, struct dentry *, unsigned int + extern struct buffer_head *isofs_bread(struct inode *, sector_t); + extern int isofs_get_blocks(struct inode *, sector_t, struct buffer_head **, unsigned long); + +-extern struct inode *isofs_iget(struct super_block *sb, +- unsigned long block, +- unsigned long offset); ++struct inode *__isofs_iget(struct super_block *sb, ++ unsigned long block, ++ unsigned long offset, ++ int relocated); ++ ++static inline struct inode *isofs_iget(struct super_block *sb, ++ unsigned long block, ++ unsigned long offset) ++{ ++ return __isofs_iget(sb, block, offset, 0); ++} ++ ++static inline struct inode *isofs_iget_reloc(struct super_block *sb, ++ unsigned long block, ++ 
unsigned long offset) ++{ ++ return __isofs_iget(sb, block, offset, 1); ++} + + /* Because the inode number is no longer relevant to finding the + * underlying meta-data for an inode, we are free to choose a more +diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c +index c0bf424..f488bba 100644 +--- a/fs/isofs/rock.c ++++ b/fs/isofs/rock.c +@@ -288,12 +288,16 @@ eio: + goto out; + } + ++#define RR_REGARD_XA 1 ++#define RR_RELOC_DE 2 ++ + static int + parse_rock_ridge_inode_internal(struct iso_directory_record *de, +- struct inode *inode, int regard_xa) ++ struct inode *inode, int flags) + { + int symlink_len = 0; + int cnt, sig; ++ unsigned int reloc_block; + struct inode *reloc; + struct rock_ridge *rr; + int rootflag; +@@ -305,7 +309,7 @@ parse_rock_ridge_inode_internal(struct iso_directory_record *de, + + init_rock_state(&rs, inode); + setup_rock_ridge(de, inode, &rs); +- if (regard_xa) { ++ if (flags & RR_REGARD_XA) { + rs.chr += 14; + rs.len -= 14; + if (rs.len < 0) +@@ -485,12 +489,22 @@ repeat: + "relocated directory\n"); + goto out; + case SIG('C', 'L'): +- ISOFS_I(inode)->i_first_extent = +- isonum_733(rr->u.CL.location); +- reloc = +- isofs_iget(inode->i_sb, +- ISOFS_I(inode)->i_first_extent, +- 0); ++ if (flags & RR_RELOC_DE) { ++ printk(KERN_ERR ++ "ISOFS: Recursive directory relocation " ++ "is not supported\n"); ++ goto eio; ++ } ++ reloc_block = isonum_733(rr->u.CL.location); ++ if (reloc_block == ISOFS_I(inode)->i_iget5_block && ++ ISOFS_I(inode)->i_iget5_offset == 0) { ++ printk(KERN_ERR ++ "ISOFS: Directory relocation points to " ++ "itself\n"); ++ goto eio; ++ } ++ ISOFS_I(inode)->i_first_extent = reloc_block; ++ reloc = isofs_iget_reloc(inode->i_sb, reloc_block, 0); + if (IS_ERR(reloc)) { + ret = PTR_ERR(reloc); + goto out; +@@ -637,9 +651,11 @@ static char *get_symlink_chunk(char *rpnt, struct rock_ridge *rr, char *plimit) + return rpnt; + } + +-int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode) ++int 
parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode, ++ int relocated) + { +- int result = parse_rock_ridge_inode_internal(de, inode, 0); ++ int flags = relocated ? RR_RELOC_DE : 0; ++ int result = parse_rock_ridge_inode_internal(de, inode, flags); + + /* + * if rockridge flag was reset and we didn't look for attributes +@@ -647,7 +663,8 @@ int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode) + */ + if ((ISOFS_SB(inode->i_sb)->s_rock_offset == -1) + && (ISOFS_SB(inode->i_sb)->s_rock == 2)) { +- result = parse_rock_ridge_inode_internal(de, inode, 14); ++ result = parse_rock_ridge_inode_internal(de, inode, ++ flags | RR_REGARD_XA); + } + return result; + } diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c index 4a6cf28..d3a29d3 100644 --- a/fs/jffs2/erase.c @@ -65987,10 +66254,10 @@ index 6152cbe..f0f9eaa 100644 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..bfd482c +index 0000000..27cec32 --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,1176 @@ +@@ -0,0 +1,1166 @@ +# +# grecurity configuration +# @@ -66923,16 +67190,6 @@ index 0000000..bfd482c +menu "Network Protections" +depends on GRKERNSEC + -+config GRKERNSEC_RANDNET -+ bool "Larger entropy pools" -+ default y if GRKERNSEC_CONFIG_AUTO -+ help -+ If you say Y here, the entropy pools used for many features of Linux -+ and grsecurity will be doubled in size. Since several grsecurity -+ features use additional randomness, it is recommended that you say Y -+ here. Saying Y here has a similar effect as modifying -+ /proc/sys/kernel/random/poolsize. -+ +config GRKERNSEC_BLACKHOLE + bool "TCP/UDP blackhole and LAST_ACK DoS prevention" + default y if GRKERNSEC_CONFIG_AUTO @@ -102378,7 +102635,7 @@ index ede50d1..d2468e6 100644 *uaddr_len = sizeof(struct sockaddr_ax25); } diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index b85c67c..27c3368 100644 +index b85c67c..09705b7 100644 --- a/net/packet/af_packet.c 
+++ b/net/packet/af_packet.c @@ -275,7 +275,7 @@ static int packet_direct_xmit(struct sk_buff *skb) @@ -102390,7 +102647,15 @@ index b85c67c..27c3368 100644 kfree_skb(skb); return NET_XMIT_DROP; } -@@ -1845,7 +1845,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -636,6 +636,7 @@ static void init_prb_bdqc(struct packet_sock *po, + p1->tov_in_jiffies = msecs_to_jiffies(p1->retire_blk_tov); + p1->blk_sizeof_priv = req_u->req3.tp_sizeof_priv; + ++ p1->max_frame_len = p1->kblk_size - BLK_PLUS_PRIV(p1->blk_sizeof_priv); + prb_init_ft_ops(p1, req_u); + prb_setup_retire_blk_timer(po, tx_ring); + prb_open_block(p1, pbd); +@@ -1845,7 +1846,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, spin_lock(&sk->sk_receive_queue.lock); po->stats.stats1.tp_packets++; @@ -102399,7 +102664,7 @@ index b85c67c..27c3368 100644 __skb_queue_tail(&sk->sk_receive_queue, skb); spin_unlock(&sk->sk_receive_queue.lock); sk->sk_data_ready(sk); -@@ -1854,7 +1854,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -1854,7 +1855,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, drop_n_acct: spin_lock(&sk->sk_receive_queue.lock); po->stats.stats1.tp_drops++; 
@@ -102408,7 +102673,26 @@ index b85c67c..27c3368 100644 spin_unlock(&sk->sk_receive_queue.lock); drop_n_restore: -@@ -3459,7 +3459,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -1946,6 +1947,18 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + if ((int)snaplen < 0) + snaplen = 0; + } ++ } else if (unlikely(macoff + snaplen > ++ GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) { ++ u32 nval; ++ ++ nval = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len - macoff; ++ pr_err_once("tpacket_rcv: packet too big, clamped from %u to %u. macoff=%u\n", ++ snaplen, nval, macoff); ++ snaplen = nval; ++ if (unlikely((int)snaplen < 0)) { ++ snaplen = 0; ++ macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len; ++ } + } + spin_lock(&sk->sk_receive_queue.lock); + h.raw = packet_current_rx_frame(po, skb, +@@ -3459,7 +3472,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, case PACKET_HDRLEN: if (len > sizeof(int)) len = sizeof(int); @@ -102417,7 +102701,7 @@ index b85c67c..27c3368 100644 return -EFAULT; switch (val) { case TPACKET_V1: -@@ -3505,7 +3505,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3505,7 +3518,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, len = lv; if (put_user(len, optlen)) return -EFAULT; 
@@ -102426,6 +102710,29 @@ index b85c67c..27c3368 100644 return -EFAULT; return 0; } +@@ -3789,6 +3802,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + goto out; + if (unlikely(req->tp_block_size & (PAGE_SIZE - 1))) + goto out; ++ if (po->tp_version >= TPACKET_V3 && ++ (int)(req->tp_block_size - ++ BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0) ++ goto out; + if (unlikely(req->tp_frame_size < po->tp_hdrlen + + po->tp_reserve)) + goto out; +diff --git a/net/packet/internal.h b/net/packet/internal.h +index eb9580a..cdddf6a 100644 +--- a/net/packet/internal.h ++++ b/net/packet/internal.h +@@ -29,6 +29,7 @@ struct tpacket_kbdq_core { + char *pkblk_start; + char *pkblk_end; + int kblk_size; ++ unsigned int max_frame_len; + unsigned int knum_blocks; + uint64_t knxt_seq_num; + char *prev; diff --git a/net/phonet/pep.c b/net/phonet/pep.c index 70a547e..23477fe 100644 --- a/net/phonet/pep.c diff --git a/3.15.10/4450_grsec-kconfig-default-gids.patch b/3.15.10/4450_grsec-kconfig-default-gids.patch index af218a8..0451e5a 100644 --- a/3.15.10/4450_grsec-kconfig-default-gids.patch +++ b/3.15.10/4450_grsec-kconfig-default-gids.patch @@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -1013,7 +1013,7 @@ +@@ -1003,7 +1003,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL @@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -1034,7 +1034,7 @@ +@@ -1024,7 +1024,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT 
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -1052,7 +1052,7 @@ +@@ -1042,7 +1042,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER diff --git a/3.2.62/0000_README b/3.2.62/0000_README index 9bf751a..67a218f 100644 --- a/3.2.62/0000_README +++ b/3.2.62/0000_README @@ -166,7 +166,7 @@ Patch: 1061_linux-3.2.62.patch From: http://www.kernel.org Desc: Linux 3.2.62 -Patch: 4420_grsecurity-3.0-3.2.62-201408191950.patch +Patch: 4420_grsecurity-3.0-3.2.62-201408212331.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.62/4420_grsecurity-3.0-3.2.62-201408191950.patch b/3.2.62/4420_grsecurity-3.0-3.2.62-201408212331.patch similarity index 99% rename from 3.2.62/4420_grsecurity-3.0-3.2.62-201408191950.patch rename to 3.2.62/4420_grsecurity-3.0-3.2.62-201408212331.patch index 0e00b6a..0039dfe 100644 --- a/3.2.62/4420_grsecurity-3.0-3.2.62-201408191950.patch +++ b/3.2.62/4420_grsecurity-3.0-3.2.62-201408212331.patch @@ -34960,7 +34960,7 @@ index da3cfee..a5a6606 100644 *ppos = i; diff --git a/drivers/char/random.c b/drivers/char/random.c -index c244f0e..59b5e6c 100644 +index c244f0e..a86bc96 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -255,10 +255,8 @@ @@ -34976,7 +34976,7 @@ index c244f0e..59b5e6c 100644 #include #include -@@ -266,129 +264,150 @@ +@@ -266,129 +264,135 @@ #include #include 
@@ -34990,17 +34990,10 @@ index c244f0e..59b5e6c 100644 -#define OUTPUT_POOL_WORDS 32 -#define SEC_XFER_SIZE 512 -#define EXTRACT_SIZE 10 -+#ifdef CONFIG_GRKERNSEC_RANDNET -+#define INPUT_POOL_SHIFT 14 -+#define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5)) -+#define OUTPUT_POOL_SHIFT 12 -+#define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5)) -+#else +#define INPUT_POOL_SHIFT 12 +#define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5)) +#define OUTPUT_POOL_SHIFT 10 +#define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5)) -+#endif +#define SEC_XFER_SIZE 512 +#define EXTRACT_SIZE 10 + @@ -35104,20 +35097,12 @@ index c244f0e..59b5e6c 100644 - { 128, 103, 76, 51, 25, 1 }, - /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */ - { 32, 26, 20, 14, 7, 1 }, -+#ifdef CONFIG_GRKERNSEC_RANDNET -+ /* x^512 + x^411 + x^308 + x^208 + x^104 + x + 1 -- 225 */ -+ { S(512), 411, 308, 208, 104, 1 }, -+ /* was: x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 */ -+ /* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */ -+ { S(128), 104, 76, 51, 25, 1 }, -+#else + /* was: x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 */ + /* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */ + { S(128), 104, 76, 51, 25, 1 }, + /* was: x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 */ + /* x^32 + x^26 + x^19 + x^14 + x^7 + x + 1 */ + { S(32), 26, 19, 14, 7, 1 }, -+#endif #if 0 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */ - { 2048, 1638, 1231, 819, 411, 1 }, @@ -35205,7 +35190,7 @@ index c244f0e..59b5e6c 100644 /* * Static global variables */ -@@ -396,21 +415,6 @@ static DECLARE_WAIT_QUEUE_HEAD(random_read_wait); +@@ -396,21 +400,6 @@ static DECLARE_WAIT_QUEUE_HEAD(random_read_wait); static DECLARE_WAIT_QUEUE_HEAD(random_write_wait); static struct fasync_struct *fasync; 
@@ -35227,7 +35212,7 @@ index c244f0e..59b5e6c 100644 /********************************************************************** * * OS independent entropy store. Here are the functions which handle -@@ -421,31 +425,35 @@ module_param(debug, bool, 0644); +@@ -421,31 +410,35 @@ module_param(debug, bool, 0644); struct entropy_store; struct entropy_store { /* read-only data: */ @@ -35271,7 +35256,7 @@ index c244f0e..59b5e6c 100644 .pool = input_pool_data }; -@@ -454,16 +462,20 @@ static struct entropy_store blocking_pool = { +@@ -454,16 +447,20 @@ static struct entropy_store blocking_pool = { .name = "blocking", .limit = 1, .pull = &input_pool, @@ -35296,7 +35281,7 @@ index c244f0e..59b5e6c 100644 }; static __u32 const twist_table[8] = { -@@ -480,8 +492,8 @@ static __u32 const twist_table[8] = { +@@ -480,8 +477,8 @@ static __u32 const twist_table[8] = { * it's cheap to do so and helps slightly in the expected case where * the entropy is concentrated in the low-order bits. */ @@ -35307,7 +35292,7 @@ index c244f0e..59b5e6c 100644 { unsigned long i, j, tap1, tap2, tap3, tap4, tap5; int input_rotate; -@@ -501,7 +513,7 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in, +@@ -501,7 +498,7 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in, /* mix one byte at a time to simplify size handling and churn faster */ while (nbytes--) { @@ -35316,7 +35301,7 @@ index c244f0e..59b5e6c 100644 i = (i - 1) & wordmask; /* XOR in the various taps */ -@@ -521,11 +533,11 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in, +@@ -521,11 +518,11 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in, * rotation, so that successive passes spread the * input bits across the pool evenly. */ 
@@ -35331,7 +35316,7 @@ index c244f0e..59b5e6c 100644 smp_wmb(); if (out) -@@ -533,13 +545,21 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in, +@@ -533,13 +530,21 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in, ((__u32 *)out)[j] = r->pool[(i - j) & wordmask]; } @@ -35355,7 +35340,7 @@ index c244f0e..59b5e6c 100644 spin_unlock_irqrestore(&r->lock, flags); } -@@ -556,58 +576,151 @@ struct fast_pool { +@@ -556,58 +561,151 @@ struct fast_pool { * collector. It's hardcoded for an 128 bit pool and assumes that any * locks that might be needed are taken by the caller. */ @@ -35532,7 +35517,7 @@ index c244f0e..59b5e6c 100644 /********************************************************************* * * Entropy input management -@@ -621,42 +734,7 @@ struct timer_rand_state { +@@ -621,42 +719,7 @@ struct timer_rand_state { unsigned dont_count_entropy:1; }; @@ -35576,7 +35561,7 @@ index c244f0e..59b5e6c 100644 /* * Add device- or boot-specific data to the input and nonblocking -@@ -669,15 +747,22 @@ static void set_timer_rand_state(unsigned int irq, +@@ -669,15 +732,22 @@ static void set_timer_rand_state(unsigned int irq, void add_device_randomness(const void *buf, unsigned int size) { unsigned long time = random_get_entropy() ^ jiffies; @@ -35604,7 +35589,7 @@ index c244f0e..59b5e6c 100644 /* * This function adds entropy to the entropy "pool" by using timing -@@ -691,6 +776,7 @@ static struct timer_rand_state input_timer_state; +@@ -691,6 +761,7 @@ static struct timer_rand_state input_timer_state; */ static void add_timer_randomness(struct timer_rand_state *state, unsigned num) { @@ -35612,7 +35597,7 @@ index c244f0e..59b5e6c 100644 struct { long jiffies; unsigned cycles; -@@ -699,15 +785,12 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num) +@@ -699,15 +770,12 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num) long delta, delta2, delta3; preempt_disable(); 
@@ -35630,7 +35615,7 @@ index c244f0e..59b5e6c 100644 /* * Calculate number of bits of randomness we probably added. -@@ -741,10 +824,8 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num) +@@ -741,10 +809,8 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num) * Round down by 1 bit on general principles, * and limit entropy entimate to 12 bits. */ @@ -35642,7 +35627,7 @@ index c244f0e..59b5e6c 100644 preempt_enable(); } -@@ -757,10 +838,10 @@ void add_input_randomness(unsigned int type, unsigned int code, +@@ -757,10 +823,10 @@ void add_input_randomness(unsigned int type, unsigned int code, if (value == last_value) return; @@ -35654,7 +35639,7 @@ index c244f0e..59b5e6c 100644 } EXPORT_SYMBOL_GPL(add_input_randomness); -@@ -772,20 +853,21 @@ void add_interrupt_randomness(int irq, int irq_flags) +@@ -772,20 +838,21 @@ void add_interrupt_randomness(int irq, int irq_flags) struct fast_pool *fast_pool = &__get_cpu_var(irq_randomness); struct pt_regs *regs = get_irq_regs(); unsigned long now = jiffies; @@ -35687,7 +35672,7 @@ index c244f0e..59b5e6c 100644 return; fast_pool->last = now; -@@ -814,10 +896,8 @@ void add_disk_randomness(struct gendisk *disk) +@@ -814,10 +881,8 @@ void add_disk_randomness(struct gendisk *disk) if (!disk || !disk->random) return; /* first major is 1, so we get >= 0x200 here */ @@ -35699,7 +35684,7 @@ index c244f0e..59b5e6c 100644 } #endif -@@ -835,104 +915,141 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, +@@ -835,104 +900,141 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, * from the primary pool to the secondary extraction pool. We make * sure we pull enough for a 'catastrophic reseed'. */ 
@@ -35904,7 +35889,7 @@ index c244f0e..59b5e6c 100644 spin_lock_irqsave(&r->lock, flags); for (i = 0; i < r->poolinfo->poolwords; i += 16) sha_transform(hash.w, (__u8 *)(r->pool + i), workspace); -@@ -966,27 +1083,43 @@ static void extract_buf(struct entropy_store *r, __u8 *out) +@@ -966,27 +1068,43 @@ static void extract_buf(struct entropy_store *r, __u8 *out) hash.w[1] ^= hash.w[4]; hash.w[2] ^= rol32(hash.w[2], 16); @@ -35959,7 +35944,7 @@ index c244f0e..59b5e6c 100644 xfer_secondary_pool(r, nbytes); nbytes = account(r, nbytes, min, reserved); -@@ -994,8 +1127,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, +@@ -994,8 +1112,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, extract_buf(r, tmp); if (fips_enabled) { @@ -35968,7 +35953,7 @@ index c244f0e..59b5e6c 100644 spin_lock_irqsave(&r->lock, flags); if (!memcmp(tmp, r->last_data, EXTRACT_SIZE)) panic("Hardware RNG duplicated output!\n"); -@@ -1015,12 +1146,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, +@@ -1015,12 +1131,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, return ret; } @@ -35986,7 +35971,7 @@ index c244f0e..59b5e6c 100644 xfer_secondary_pool(r, nbytes); nbytes = account(r, nbytes, 0, 0); -@@ -1036,7 +1172,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, +@@ -1036,7 +1157,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, extract_buf(r, tmp); i = min_t(int, nbytes, EXTRACT_SIZE); @@ -35995,7 +35980,7 @@ index c244f0e..59b5e6c 100644 ret = -EFAULT; break; } -@@ -1055,11 +1191,20 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, +@@ -1055,11 +1176,20 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, /* * This function is the exported kernel interface. It returns some * number of good random numbers, suitable for key generation, seeding 
@@ -36018,7 +36003,7 @@ index c244f0e..59b5e6c 100644 extract_entropy(&nonblocking_pool, buf, nbytes, 0, 0); } EXPORT_SYMBOL(get_random_bytes); -@@ -1078,6 +1223,7 @@ void get_random_bytes_arch(void *buf, int nbytes) +@@ -1078,6 +1208,7 @@ void get_random_bytes_arch(void *buf, int nbytes) { char *p = buf; @@ -36026,7 +36011,7 @@ index c244f0e..59b5e6c 100644 while (nbytes) { unsigned long v; int chunk = min(nbytes, (int)sizeof(unsigned long)); -@@ -1111,12 +1257,11 @@ static void init_std_data(struct entropy_store *r) +@@ -1111,12 +1242,11 @@ static void init_std_data(struct entropy_store *r) ktime_t now = ktime_get_real(); unsigned long rv; @@ -36042,7 +36027,7 @@ index c244f0e..59b5e6c 100644 mix_pool_bytes(r, &rv, sizeof(rv), NULL); } mix_pool_bytes(r, utsname(), sizeof(*(utsname())), NULL); -@@ -1139,25 +1284,7 @@ static int rand_initialize(void) +@@ -1139,25 +1269,7 @@ static int rand_initialize(void) init_std_data(&nonblocking_pool); return 0; } @@ -36069,7 +36054,7 @@ index c244f0e..59b5e6c 100644 #ifdef CONFIG_BLOCK void rand_initialize_disk(struct gendisk *disk) -@@ -1169,71 +1296,60 @@ void rand_initialize_disk(struct gendisk *disk) +@@ -1169,71 +1281,60 @@ void rand_initialize_disk(struct gendisk *disk) * source. */ state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL); @@ -36178,7 +36163,7 @@ index c244f0e..59b5e6c 100644 } static unsigned int -@@ -1244,9 +1360,9 @@ random_poll(struct file *file, poll_table * wait) +@@ -1244,9 +1345,9 @@ random_poll(struct file *file, poll_table * wait) poll_wait(file, &random_read_wait, wait); poll_wait(file, &random_write_wait, wait); mask = 0; 
@@ -36190,7 +36175,7 @@ index c244f0e..59b5e6c 100644 mask |= POLLOUT | POLLWRNORM; return mask; } -@@ -1297,7 +1413,8 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) +@@ -1297,7 +1398,8 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) switch (cmd) { case RNDGETENTCNT: /* inherently racy, no point locking */ @@ -36200,7 +36185,7 @@ index c244f0e..59b5e6c 100644 return -EFAULT; return 0; case RNDADDTOENTCNT: -@@ -1305,7 +1422,7 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) +@@ -1305,7 +1407,7 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) return -EPERM; if (get_user(ent_count, p)) return -EFAULT; @@ -36209,7 +36194,7 @@ index c244f0e..59b5e6c 100644 return 0; case RNDADDENTROPY: if (!capable(CAP_SYS_ADMIN)) -@@ -1320,14 +1437,19 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) +@@ -1320,14 +1422,19 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) size); if (retval < 0) return retval; @@ -36232,7 +36217,7 @@ index c244f0e..59b5e6c 100644 return 0; default: return -EINVAL; -@@ -1387,23 +1509,23 @@ EXPORT_SYMBOL(generate_random_uuid); +@@ -1387,23 +1494,23 @@ EXPORT_SYMBOL(generate_random_uuid); #include static int min_read_thresh = 8, min_write_thresh; @@ -36263,7 +36248,7 @@ index c244f0e..59b5e6c 100644 unsigned char buf[64], tmp_uuid[16], *uuid; uuid = table->data; -@@ -1427,8 +1549,26 @@ static int proc_do_uuid(ctl_table *table, int write, +@@ -1427,8 +1534,26 @@ static int proc_do_uuid(ctl_table *table, int write, return proc_dostring(&fake_table, write, buffer, lenp, ppos); } @@ -36291,7 +36276,7 @@ index c244f0e..59b5e6c 100644 { .procname = "poolsize", .data = &sysctl_poolsize, -@@ -1440,12 +1580,12 @@ ctl_table random_table[] = { +@@ -1440,12 +1565,12 @@ ctl_table random_table[] = { .procname = "entropy_avail", .maxlen = sizeof(int), .mode = 0444, 
@@ -36306,7 +36291,7 @@ index c244f0e..59b5e6c 100644 .maxlen = sizeof(int), .mode = 0644, .proc_handler = proc_dointvec_minmax, -@@ -1454,7 +1594,7 @@ ctl_table random_table[] = { +@@ -1454,7 +1579,7 @@ ctl_table random_table[] = { }, { .procname = "write_wakeup_threshold", @@ -36315,7 +36300,7 @@ index c244f0e..59b5e6c 100644 .maxlen = sizeof(int), .mode = 0644, .proc_handler = proc_dointvec_minmax, -@@ -1462,6 +1602,13 @@ ctl_table random_table[] = { +@@ -1462,6 +1587,13 @@ ctl_table random_table[] = { .extra2 = &max_write_thresh, }, { @@ -36329,7 +36314,7 @@ index c244f0e..59b5e6c 100644 .procname = "boot_id", .data = &sysctl_bootid, .maxlen = 16, -@@ -1492,7 +1639,7 @@ int random_int_secret_init(void) +@@ -1492,7 +1624,7 @@ int random_int_secret_init(void) * value is not cryptographically secure but for several uses the cost of * depleting entropy is too high */ @@ -36338,7 +36323,7 @@ index c244f0e..59b5e6c 100644 unsigned int get_random_int(void) { __u32 *hash; -@@ -1510,6 +1657,7 @@ unsigned int get_random_int(void) +@@ -1510,6 +1642,7 @@ unsigned int get_random_int(void) return ret; } @@ -39126,6 +39111,19 @@ index 8a8725c2..afed796 100644 else { marker = list_first_entry(&queue->head, struct vmw_marker, head); +diff --git a/drivers/hid/hid-cherry.c b/drivers/hid/hid-cherry.c +index 888ece6..f870bb3 100644 +--- a/drivers/hid/hid-cherry.c ++++ b/drivers/hid/hid-cherry.c +@@ -29,7 +29,7 @@ + static __u8 *ch_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) { ++ if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) { + hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n"); + rdesc[11] = rdesc[16] = 0xff; + rdesc[12] = rdesc[17] = 0x03; diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 64d79d2..6c83020 100644 --- a/drivers/hid/hid-core.c 
@@ -39148,6 +39146,84 @@ index 64d79d2..6c83020 100644 hid_debug_register(hdev, dev_name(&hdev->dev)); ret = device_add(&hdev->dev); +diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c +index f2ba9ef..25dfb5f 100644 +--- a/drivers/hid/hid-kye.c ++++ b/drivers/hid/hid-kye.c +@@ -26,7 +26,7 @@ + static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (*rsize >= 74 && ++ if (*rsize >= 75 && + rdesc[61] == 0x05 && rdesc[62] == 0x08 && + rdesc[63] == 0x19 && rdesc[64] == 0x08 && + rdesc[65] == 0x29 && rdesc[66] == 0x0f && +diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c +index e7a7bd1..3ad6cd4 100644 +--- a/drivers/hid/hid-lg.c ++++ b/drivers/hid/hid-lg.c +@@ -111,14 +111,14 @@ static __u8 *lg_report_fixup(struct hid_device *hdev, __u8 *rdesc, + { + unsigned long quirks = (unsigned long)hid_get_drvdata(hdev); + +- if ((quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 && ++ if ((quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 && + rdesc[84] == 0x8c && rdesc[85] == 0x02) { + hid_info(hdev, + "fixing up Logitech keyboard report descriptor\n"); + rdesc[84] = rdesc[89] = 0x4d; + rdesc[85] = rdesc[90] = 0x10; + } +- if ((quirks & LG_RDESC_REL_ABS) && *rsize >= 50 && ++ if ((quirks & LG_RDESC_REL_ABS) && *rsize >= 51 && + rdesc[32] == 0x81 && rdesc[33] == 0x06 && + rdesc[49] == 0x81 && rdesc[50] == 0x06) { + hid_info(hdev, +diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c +index 828a0dd..6efc0ea 100644 +--- a/drivers/hid/hid-logitech-dj.c ++++ b/drivers/hid/hid-logitech-dj.c +@@ -230,13 +230,6 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev, + return; + } + +- if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) || +- (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) { +- dev_err(&djrcv_hdev->dev, "%s: invalid device index:%d\n", +- __func__, dj_report->device_index); +- return; +- } +- + if (djrcv_dev->paired_dj_devices[dj_report->device_index]) 
{ + /* The device is already known. No need to reallocate it. */ + dbg_hid("%s: device is already known\n", __func__); +@@ -713,6 +706,12 @@ static int logi_dj_raw_event(struct hid_device *hdev, + * device (via hid_input_report() ) and return 1 so hid-core does not do + * anything else with it. + */ ++ if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) || ++ (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) { ++ dev_err(&hdev->dev, "%s: invalid device index:%d\n", ++ __func__, dj_report->device_index); ++ return false; ++ } + + spin_lock_irqsave(&djrcv_dev->lock, flags); + if (dj_report->report_id == REPORT_ID_DJ_SHORT) { +diff --git a/drivers/hid/hid-monterey.c b/drivers/hid/hid-monterey.c +index dedf757..eb0271e 100644 +--- a/drivers/hid/hid-monterey.c ++++ b/drivers/hid/hid-monterey.c +@@ -25,7 +25,7 @@ + static __u8 *mr_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) { ++ if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) { + hid_info(hdev, "fixing up button/consumer in HID report descriptor\n"); + rdesc[30] = 0x0c; + } diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c index a605ba1..fb91952 100644 --- a/drivers/hid/hid-multitouch.c 
@@ -39170,6 +39246,32 @@ index a605ba1..fb91952 100644 } /* we have handled the hidinput part, now remains hiddev */ +diff --git a/drivers/hid/hid-petalynx.c b/drivers/hid/hid-petalynx.c +index f1ea3ff..99f317a 100644 +--- a/drivers/hid/hid-petalynx.c ++++ b/drivers/hid/hid-petalynx.c +@@ -26,7 +26,7 @@ + static __u8 *pl_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 && ++ if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 && + rdesc[41] == 0x00 && rdesc[59] == 0x26 && + rdesc[60] == 0xf9 && rdesc[61] == 0x00) { + hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n"); +diff --git a/drivers/hid/hid-sunplus.c b/drivers/hid/hid-sunplus.c +index d484a00..3d6ae7b 100644 +--- a/drivers/hid/hid-sunplus.c ++++ b/drivers/hid/hid-sunplus.c +@@ -25,7 +25,7 @@ + static __u8 *sp_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 && ++ if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 && + rdesc[106] == 0x03) { + hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n"); + rdesc[105] = rdesc[110] = 0x03; diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c index 4ef02b2..8a96831 100644 --- a/drivers/hid/usbhid/hiddev.c @@ -60322,10 +60424,60 @@ index e2d3633..da449b7 100644 spin_unlock(&inode->i_lock); } diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c -index a5f25a7..8ac9cc8 100644 +index a5f25a7..e2f03bf 100644 --- a/fs/isofs/inode.c 
+++ b/fs/isofs/inode.c -@@ -1539,6 +1539,8 @@ static struct file_system_type iso9660_fs_type = { +@@ -68,7 +68,7 @@ static void isofs_put_super(struct super_block *sb) + return; + } + +-static int isofs_read_inode(struct inode *); ++static int isofs_read_inode(struct inode *, int relocated); + static int isofs_statfs (struct dentry *, struct kstatfs *); + + static struct kmem_cache *isofs_inode_cachep; +@@ -1263,7 +1263,7 @@ out_toomany: + goto out; + } + +-static int isofs_read_inode(struct inode *inode) ++static int isofs_read_inode(struct inode *inode, int relocated) + { + struct super_block *sb = inode->i_sb; + struct isofs_sb_info *sbi = ISOFS_SB(sb); +@@ -1408,7 +1408,7 @@ static int isofs_read_inode(struct inode *inode) + */ + + if (!high_sierra) { +- parse_rock_ridge_inode(de, inode); ++ parse_rock_ridge_inode(de, inode, relocated); + /* if we want uid/gid set, override the rock ridge setting */ + if (sbi->s_uid_set) + inode->i_uid = sbi->s_uid; +@@ -1487,9 +1487,10 @@ static int isofs_iget5_set(struct inode *ino, void *data) + * offset that point to the underlying meta-data for the inode. The + * code below is otherwise similar to the iget() code in + * include/linux/fs.h */ +-struct inode *isofs_iget(struct super_block *sb, +- unsigned long block, +- unsigned long offset) ++struct inode *__isofs_iget(struct super_block *sb, ++ unsigned long block, ++ unsigned long offset, ++ int relocated) + { + unsigned long hashval; + struct inode *inode; +@@ -1511,7 +1512,7 @@ struct inode *isofs_iget(struct super_block *sb, + return ERR_PTR(-ENOMEM); + + if (inode->i_state & I_NEW) { +- ret = isofs_read_inode(inode); ++ ret = isofs_read_inode(inode, relocated); + if (ret < 0) { + iget_failed(inode); + inode = ERR_PTR(ret); +@@ -1539,6 +1540,8 @@ static struct file_system_type iso9660_fs_type = { .kill_sb = kill_block_super, .fs_flags = FS_REQUIRES_DEV, }; 
@@ -60334,12 +60486,137 @@ index a5f25a7..8ac9cc8 100644 static int __init init_iso9660_fs(void) { -@@ -1576,5 +1578,3 @@ static void __exit exit_iso9660_fs(void) +@@ -1576,5 +1579,3 @@ static void __exit exit_iso9660_fs(void) module_init(init_iso9660_fs) module_exit(exit_iso9660_fs) MODULE_LICENSE("GPL"); -/* Actual filesystem name is iso9660, as requested in filesystems.c */ -MODULE_ALIAS("iso9660"); +diff --git a/fs/isofs/isofs.h b/fs/isofs/isofs.h +index 7d33de8..f9c9793 100644 +--- a/fs/isofs/isofs.h ++++ b/fs/isofs/isofs.h +@@ -107,7 +107,7 @@ extern int iso_date(char *, int); + + struct inode; /* To make gcc happy */ + +-extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *); ++extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *, int relocated); + extern int get_rock_ridge_filename(struct iso_directory_record *, char *, struct inode *); + extern int isofs_name_translate(struct iso_directory_record *, char *, struct inode *); + +@@ -118,9 +118,24 @@ extern struct dentry *isofs_lookup(struct inode *, struct dentry *, struct namei + extern struct buffer_head *isofs_bread(struct inode *, sector_t); + extern int isofs_get_blocks(struct inode *, sector_t, struct buffer_head **, unsigned long); + +-extern struct inode *isofs_iget(struct super_block *sb, +- unsigned long block, +- unsigned long offset); ++struct inode *__isofs_iget(struct super_block *sb, ++ unsigned long block, ++ unsigned long offset, ++ int relocated); ++ ++static inline struct inode *isofs_iget(struct super_block *sb, ++ unsigned long block, ++ unsigned long offset) ++{ ++ return __isofs_iget(sb, block, offset, 0); ++} ++ ++static inline struct inode *isofs_iget_reloc(struct super_block *sb, ++ unsigned long block, ++ unsigned long offset) ++{ ++ return __isofs_iget(sb, block, offset, 1); ++} + + /* Because the inode number is no longer relevant to finding the + * underlying meta-data for an inode, we are free to choose a more +diff --git 
a/fs/isofs/rock.c b/fs/isofs/rock.c +index 70e79d0..ee62cc0 100644 +--- a/fs/isofs/rock.c ++++ b/fs/isofs/rock.c +@@ -288,12 +288,16 @@ eio: + goto out; + } + ++#define RR_REGARD_XA 1 ++#define RR_RELOC_DE 2 ++ + static int + parse_rock_ridge_inode_internal(struct iso_directory_record *de, +- struct inode *inode, int regard_xa) ++ struct inode *inode, int flags) + { + int symlink_len = 0; + int cnt, sig; ++ unsigned int reloc_block; + struct inode *reloc; + struct rock_ridge *rr; + int rootflag; +@@ -305,7 +309,7 @@ parse_rock_ridge_inode_internal(struct iso_directory_record *de, + + init_rock_state(&rs, inode); + setup_rock_ridge(de, inode, &rs); +- if (regard_xa) { ++ if (flags & RR_REGARD_XA) { + rs.chr += 14; + rs.len -= 14; + if (rs.len < 0) +@@ -485,12 +489,22 @@ repeat: + "relocated directory\n"); + goto out; + case SIG('C', 'L'): +- ISOFS_I(inode)->i_first_extent = +- isonum_733(rr->u.CL.location); +- reloc = +- isofs_iget(inode->i_sb, +- ISOFS_I(inode)->i_first_extent, +- 0); ++ if (flags & RR_RELOC_DE) { ++ printk(KERN_ERR ++ "ISOFS: Recursive directory relocation " ++ "is not supported\n"); ++ goto eio; ++ } ++ reloc_block = isonum_733(rr->u.CL.location); ++ if (reloc_block == ISOFS_I(inode)->i_iget5_block && ++ ISOFS_I(inode)->i_iget5_offset == 0) { ++ printk(KERN_ERR ++ "ISOFS: Directory relocation points to " ++ "itself\n"); ++ goto eio; ++ } ++ ISOFS_I(inode)->i_first_extent = reloc_block; ++ reloc = isofs_iget_reloc(inode->i_sb, reloc_block, 0); + if (IS_ERR(reloc)) { + ret = PTR_ERR(reloc); + goto out; +@@ -637,9 +651,11 @@ static char *get_symlink_chunk(char *rpnt, struct rock_ridge *rr, char *plimit) + return rpnt; + } + +-int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode) ++int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode, ++ int relocated) + { +- int result = parse_rock_ridge_inode_internal(de, inode, 0); ++ int flags = relocated ? 
RR_RELOC_DE : 0; ++ int result = parse_rock_ridge_inode_internal(de, inode, flags); + + /* + * if rockridge flag was reset and we didn't look for attributes +@@ -647,7 +663,8 @@ int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode) + */ + if ((ISOFS_SB(inode->i_sb)->s_rock_offset == -1) + && (ISOFS_SB(inode->i_sb)->s_rock == 2)) { +- result = parse_rock_ridge_inode_internal(de, inode, 14); ++ result = parse_rock_ridge_inode_internal(de, inode, ++ flags | RR_REGARD_XA); + } + return result; + } diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c index e513f19..2ab1351 100644 --- a/fs/jffs2/erase.c @@ -65123,10 +65400,10 @@ index 8a89949..6776861 100644 xfs_init_zones(void) diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..155d9f5 +index 0000000..5200d7b --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,1162 @@ +@@ -0,0 +1,1152 @@ +# +# grecurity configuration +# @@ -66045,16 +66322,6 @@ index 0000000..155d9f5 +menu "Network Protections" +depends on GRKERNSEC + -+config GRKERNSEC_RANDNET -+ bool "Larger entropy pools" -+ default y if GRKERNSEC_CONFIG_AUTO -+ help -+ If you say Y here, the entropy pools used for many features of Linux -+ and grsecurity will be doubled in size. Since several grsecurity -+ features use additional randomness, it is recommended that you say Y -+ here. Saying Y here has a similar effect as modifying -+ /proc/sys/kernel/random/poolsize. -+ +config GRKERNSEC_BLACKHOLE + bool "TCP/UDP blackhole and LAST_ACK DoS prevention" + default y if GRKERNSEC_CONFIG_AUTO @@ -104538,10 +104805,26 @@ index b4d889b..bb33240 100644 *uaddr_len = sizeof(struct sockaddr_ax25); } diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 4f19bf2..5770069 100644 +index 4f19bf2..e3a2b51 100644 --- a/net/packet/af_packet.c 
+++ b/net/packet/af_packet.c -@@ -1678,7 +1678,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -195,6 +195,7 @@ struct tpacket_kbdq_core { + char *pkblk_start; + char *pkblk_end; + int kblk_size; ++ unsigned int max_frame_len; + unsigned int knum_blocks; + uint64_t knxt_seq_num; + char *prev; +@@ -616,6 +617,7 @@ static void init_prb_bdqc(struct packet_sock *po, + p1->tov_in_jiffies = msecs_to_jiffies(p1->retire_blk_tov); + p1->blk_sizeof_priv = req_u->req3.tp_sizeof_priv; + ++ p1->max_frame_len = p1->kblk_size - BLK_PLUS_PRIV(p1->blk_sizeof_priv); + prb_init_ft_ops(p1, req_u); + prb_setup_retire_blk_timer(po, tx_ring); + prb_open_block(p1, pbd); +@@ -1678,7 +1680,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, spin_lock(&sk->sk_receive_queue.lock); po->stats.tp_packets++; @@ -104550,7 +104833,7 @@ index 4f19bf2..5770069 100644 __skb_queue_tail(&sk->sk_receive_queue, skb); spin_unlock(&sk->sk_receive_queue.lock); sk->sk_data_ready(sk, skb->len); -@@ -1687,7 +1687,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -1687,7 +1689,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, drop_n_acct: spin_lock(&sk->sk_receive_queue.lock); po->stats.tp_drops++; 
@@ -104559,7 +104842,26 @@ index 4f19bf2..5770069 100644 spin_unlock(&sk->sk_receive_queue.lock); drop_n_restore: -@@ -2623,6 +2623,7 @@ out: +@@ -1778,6 +1780,18 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + if ((int)snaplen < 0) + snaplen = 0; + } ++ } else if (unlikely(macoff + snaplen > ++ GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) { ++ u32 nval; ++ ++ nval = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len - macoff; ++ pr_err_once("tpacket_rcv: packet too big, clamped from %u to %u. macoff=%u\n", ++ snaplen, nval, macoff); ++ snaplen = nval; ++ if (unlikely((int)snaplen < 0)) { ++ snaplen = 0; ++ macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len; ++ } + } + spin_lock(&sk->sk_receive_queue.lock); + h.raw = packet_current_rx_frame(po, skb, +@@ -2623,6 +2637,7 @@ out: static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len) { @@ -104567,7 +104869,7 @@ index 4f19bf2..5770069 100644 struct sock_exterr_skb *serr; struct sk_buff *skb, *skb2; int copied, err; -@@ -2644,8 +2645,9 @@ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len) +@@ -2644,8 +2659,9 @@ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len) sock_recv_timestamp(msg, sk, skb); serr = SKB_EXT_ERR(skb); @@ -104578,7 +104880,7 @@ index 4f19bf2..5770069 100644 msg->msg_flags |= MSG_ERRQUEUE; err = copied; -@@ -3273,7 +3275,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3273,7 +3289,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, case PACKET_HDRLEN: if (len > sizeof(int)) len = sizeof(int); @@ -104587,7 +104889,7 @@ index 4f19bf2..5770069 100644 return -EFAULT; switch (val) { case TPACKET_V1: -@@ -3323,7 +3325,11 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3323,7 +3339,11 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, if (put_user(len, optlen)) return -EFAULT; 
@@ -104600,6 +104902,17 @@ index 4f19bf2..5770069 100644 return -EFAULT; return 0; } +@@ -3614,6 +3634,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + goto out; + if (unlikely(req->tp_block_size & (PAGE_SIZE - 1))) + goto out; ++ if (po->tp_version >= TPACKET_V3 && ++ (int)(req->tp_block_size - ++ BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0) ++ goto out; + if (unlikely(req->tp_frame_size < po->tp_hdrlen + + po->tp_reserve)) + goto out; diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c index d65f699..855d175 100644 --- a/net/phonet/af_phonet.c diff --git a/3.2.62/4450_grsec-kconfig-default-gids.patch b/3.2.62/4450_grsec-kconfig-default-gids.patch index e3c7c72..363dc64 100644 --- a/3.2.62/4450_grsec-kconfig-default-gids.patch +++ b/3.2.62/4450_grsec-kconfig-default-gids.patch @@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -999,7 +999,7 @@ +@@ -989,7 +989,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL @@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -1020,7 +1020,7 @@ +@@ -1010,7 +1010,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT @@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -1038,7 +1038,7 @@ +@@ -1028,7 +1028,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER 
diff --git a/3.2.62/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.62/4465_selinux-avc_audit-log-curr_ip.patch index 035fe2d..3b873e1 100644 --- a/3.2.62/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.2.62/4465_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 +++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 -@@ -1133,6 +1133,27 @@ +@@ -1123,6 +1123,27 @@ menu "Logging Options" depends on GRKERNSEC
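Review bot: In drivers/hid/hid-logitech-dj.c, the range check moved into logi_dj_raw_event() ends with `return false;` although the function is declared `static int`, and the comment directly above it talks about returning 1 so that hid-core does nothing else with the report. Return an explicit integer and state in that comment what an out-of-range device_index is meant to do (let hid-core continue, or reject the report). The dev_err() call now runs once per incoming report, so rate-limited logging would keep a misbehaving receiver from flooding the kernel log.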
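Review bot: In drivers/hid/hid-sunplus.c, sp_report_fixup() now requires `*rsize >= 112`, but the highest index the visible lines touch is rdesc[110], so the new bound cannot be confirmed from this hunk alone; the same holds for hid-kye.c, where the bound is 75 and the visible reads stop at rdesc[66]. A short comment naming the highest descriptor index each fixup touches would make these bare numbers checkable. The other fixups do line up with what is shown (hid-lg.c 91 and 51 against rdesc[90] and rdesc[50], hid-monterey.c 31 against rdesc[30], hid-petalynx.c 62 against rdesc[61]).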
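Review bot: In fs/isofs/isofs.h, the new `int relocated` argument of __isofs_iget() and parse_rock_ridge_inode() only ever carries 0 or 1, and the isofs_iget() and isofs_iget_reloc() wrappers have no comment saying when each one applies. Add a line above the wrappers stating that isofs_iget_reloc() is for the target of a Rock Ridge CL entry only, so a future caller does not pick the wrong one and silently drop the recursion guard.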
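Review bot: In fs/isofs/rock.c, the two new error paths under `case SIG('C', 'L'):` log through plain printk(KERN_ERR ...) with no identifying detail, and both are driven by the contents of the mounted image. Include reloc_block in the messages so a corrupt image can be traced, and consider rate limiting them. The self-reference test only matches `i_iget5_offset == 0`; a one-line comment noting that longer relocation chains are stopped by RR_RELOC_DE, because the target is read through isofs_iget_reloc(), would make the reasoning explicit for the next reader.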
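Review bot: In net/packet/af_packet.c, the new TPACKET_V3 branch in tpacket_rcv() calls pr_err_once() before the `(int)snaplen < 0` test, so when macoff exceeds max_frame_len the one message that is ever printed reports a wrapped u32 in nval as the clamped length. Move the log after the negative check, or test `macoff > max_frame_len` first and handle that case separately. `GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len` is also evaluated three times in this branch; a local variable would make the clamp easier to follow.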
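Review bot: In net/packet/af_packet.c, the check added to packet_set_ring() casts an unsigned subtraction to int, `(int)(req->tp_block_size - BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0`, which only rejects the request when the wrapped difference happens to land in the negative int range. A tp_sizeof_priv that exceeds tp_block_size by a large enough amount yields a difference that is positive as an int and passes, and init_prb_bdqc() then derives max_frame_len from the same subtraction. Compare the two unsigned quantities before subtracting (reject when the private area plus block header is greater than or equal to tp_block_size), and bound tp_sizeof_priv itself if BLK_PLUS_PRIV() can wrap.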