From: "Anthony G. Basile" <blueness@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 4.2.3/
Date: Sun, 11 Oct 2015 22:50:55 +0000 (UTC)	[thread overview]
Message-ID: <1444604174.116b95f1a7590519be254e3128fefd92d8eaaefd.blueness@gentoo> (raw)

commit:     116b95f1a7590519be254e3128fefd92d8eaaefd
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Oct 11 22:56:14 2015 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 22:56:14 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=116b95f1

grsecurity-3.1-4.2.3-201510092347

 4.2.3/0000_README                                  |   2 +-
 ...> 4420_grsecurity-3.1-4.2.3-201510092347.patch} | 252 +++++++++++++++++++--
 2 files changed, 235 insertions(+), 19 deletions(-)

diff --git a/4.2.3/0000_README b/4.2.3/0000_README
index 08d9f55..1d05b9f 100644
--- a/4.2.3/0000_README
+++ b/4.2.3/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.1-4.2.3-201510072230.patch
+Patch:	4420_grsecurity-3.1-4.2.3-201510092347.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/4.2.3/4420_grsecurity-3.1-4.2.3-201510072230.patch b/4.2.3/4420_grsecurity-3.1-4.2.3-201510092347.patch
similarity index 99%
rename from 4.2.3/4420_grsecurity-3.1-4.2.3-201510072230.patch
rename to 4.2.3/4420_grsecurity-3.1-4.2.3-201510092347.patch
index b4b589d..5075ca5 100644
--- a/4.2.3/4420_grsecurity-3.1-4.2.3-201510072230.patch
+++ b/4.2.3/4420_grsecurity-3.1-4.2.3-201510092347.patch
@@ -24915,7 +24915,7 @@ index eec40f5..4fee808 100644
  #include <asm/processor.h>
  #include <asm/fcntl.h>
 diff --git a/arch/x86/kernel/espfix_64.c b/arch/x86/kernel/espfix_64.c
-index ce95676..da8c6ff 100644
+index ce95676..af5c012 100644
 --- a/arch/x86/kernel/espfix_64.c
 +++ b/arch/x86/kernel/espfix_64.c
 @@ -41,6 +41,7 @@
@@ -24939,12 +24939,12 @@ index ce95676..da8c6ff 100644
  
  static unsigned int page_random, slot_random;
  
-@@ -122,14 +125,25 @@ static void init_espfix_random(void)
+@@ -122,10 +125,19 @@ static void init_espfix_random(void)
  void __init init_espfix_bsp(void)
  {
  	pgd_t *pgd_p;
 +	pud_t *pud_p;
-+	unsigned long addr, index = pgd_index(ESPFIX_BASE_ADDR);
++	unsigned long index = pgd_index(ESPFIX_BASE_ADDR);
  
  	/* Install the espfix pud into the kernel page directory */
 -	pgd_p = &init_level4_pgt[pgd_index(ESPFIX_BASE_ADDR)];
@@ -24961,13 +24961,7 @@ index ce95676..da8c6ff 100644
  
  	/* Randomize the locations */
  	init_espfix_random();
- 
-+	addr = espfix_base_addr(0);
-+
- 	/* The rest is the same as for any other processor */
- 	init_espfix_ap(0);
- }
-@@ -170,35 +184,39 @@ void init_espfix_ap(int cpu)
+@@ -170,35 +182,39 @@ void init_espfix_ap(int cpu)
  	pud_p = &espfix_pud_page[pud_index(addr)];
  	pud = *pud_p;
  	if (!pud_present(pud)) {
@@ -26887,6 +26881,80 @@ index c2bedae..25e7ab60 100644
  	.attr = {
  		.name = "data",
  		.mode = S_IRUGO,
+diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c
+index 49487b4..a94a0d3 100644
+--- a/arch/x86/kernel/kvmclock.c
++++ b/arch/x86/kernel/kvmclock.c
+@@ -29,7 +29,7 @@
+ #include <asm/x86_init.h>
+ #include <asm/reboot.h>
+ 
+-static int kvmclock = 1;
++static int kvmclock __read_only = 1;
+ static int msr_kvm_system_time = MSR_KVM_SYSTEM_TIME;
+ static int msr_kvm_wall_clock = MSR_KVM_WALL_CLOCK;
+ 
+@@ -41,7 +41,7 @@ static int parse_no_kvmclock(char *arg)
+ early_param("no-kvmclock", parse_no_kvmclock);
+ 
+ /* The hypervisor will put information about time periodically here */
+-static struct pvclock_vsyscall_time_info *hv_clock;
++static struct pvclock_vsyscall_time_info hv_clock[NR_CPUS] __page_aligned_bss;
+ static struct pvclock_wall_clock wall_clock;
+ 
+ /*
+@@ -132,7 +132,7 @@ bool kvm_check_and_clear_guest_paused(void)
+ 	struct pvclock_vcpu_time_info *src;
+ 	int cpu = smp_processor_id();
+ 
+-	if (!hv_clock)
++	if (!kvmclock)
+ 		return ret;
+ 
+ 	src = &hv_clock[cpu].pvti;
+@@ -159,7 +159,7 @@ int kvm_register_clock(char *txt)
+ 	int low, high, ret;
+ 	struct pvclock_vcpu_time_info *src;
+ 
+-	if (!hv_clock)
++	if (!kvmclock)
+ 		return 0;
+ 
+ 	src = &hv_clock[cpu].pvti;
+@@ -219,7 +219,6 @@ static void kvm_shutdown(void)
+ void __init kvmclock_init(void)
+ {
+ 	struct pvclock_vcpu_time_info *vcpu_time;
+-	unsigned long mem;
+ 	int size, cpu;
+ 	u8 flags;
+ 
+@@ -237,15 +236,8 @@ void __init kvmclock_init(void)
+ 	printk(KERN_INFO "kvm-clock: Using msrs %x and %x",
+ 		msr_kvm_system_time, msr_kvm_wall_clock);
+ 
+-	mem = memblock_alloc(size, PAGE_SIZE);
+-	if (!mem)
+-		return;
+-	hv_clock = __va(mem);
+-	memset(hv_clock, 0, size);
+-
+ 	if (kvm_register_clock("primary cpu clock")) {
+-		hv_clock = NULL;
+-		memblock_free(mem, size);
++		kvmclock = 0;
+ 		return;
+ 	}
+ 	pv_time_ops.sched_clock = kvm_clock_read;
+@@ -286,7 +278,7 @@ int __init kvm_setup_vsyscall_timeinfo(void)
+ 	struct pvclock_vcpu_time_info *vcpu_time;
+ 	unsigned int size;
+ 
+-	if (!hv_clock)
++	if (!kvmclock)
+ 		return 0;
+ 
+ 	size = PAGE_ALIGN(sizeof(struct pvclock_vsyscall_time_info)*NR_CPUS);
 diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
 index 2bcc052..864eb84 100644
 --- a/arch/x86/kernel/ldt.c
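Review bot: The guards in kvm_check_and_clear_guest_paused(), kvm_register_clock() and kvm_setup_vsyscall_timeinfo() now test `kvmclock` instead of `hv_clock`, but the only place in this hunk that clears the flag is the kvm_register_clock() failure path in kvmclock_init(). If kvmclock_init() has earlier return paths (its start is outside the hunk) that leave `kvmclock` at 1, those guards would treat the zero-filled static `hv_clock[]` as a live clock area, where the old NULL check bailed out. Consider clearing the flag on every path that does not complete registration, or tracking it separately, e.g. `static bool kvmclock_registered __read_only;` set only after kvm_register_clock() succeeds. A one-line comment on `hv_clock[NR_CPUS]` saying why it is now a static, page-aligned array rather than a memblock allocation would also help.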
@@ -33514,10 +33582,19 @@ index 81bf3d2..7ef25c2 100644
  	 * XXX: batch / limit 'nr', to avoid large irq off latency
  	 * needs some instrumenting to determine the common sizes used by
 diff --git a/arch/x86/mm/highmem_32.c b/arch/x86/mm/highmem_32.c
-index eecb207a..ad42a30 100644
+index eecb207a..808343a 100644
 --- a/arch/x86/mm/highmem_32.c
 +++ b/arch/x86/mm/highmem_32.c
-@@ -45,7 +45,9 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot)
+@@ -35,6 +35,8 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot)
+ 	unsigned long vaddr;
+ 	int idx, type;
+ 
++	BUG_ON(pgprot_val(prot) & _PAGE_USER);
++
+ 	preempt_disable();
+ 	pagefault_disable();
+ 
+@@ -45,7 +47,9 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot)
  	idx = type + KM_TYPE_NR*smp_processor_id();
  	vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
  	BUG_ON(!pte_none(*(kmap_pte-idx)));
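Review bot: The new `BUG_ON(pgprot_val(prot) & _PAGE_USER);` at the top of kmap_atomic_prot() carries no comment saying why a user-accessible protection is fatal here. If the intent is that atomic kmap slots must never be reachable from userland, a line such as `/* atomic kmap slots are kernel-only; refuse a user-accessible prot */` above it would record that. Placing the check before preempt_disable() and pagefault_disable() is the right order, since it fires without those counters raised. The function body continues outside the hunk.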
@@ -34682,7 +34759,7 @@ index 9f0614d..92ae64a 100644
  	p += get_opcode(p, &opcode);
  	for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
 diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
-index fb0a9dd..72a6e6f 100644
+index fb0a9dd..6fc86ab 100644
 --- a/arch/x86/mm/pgtable.c
 +++ b/arch/x86/mm/pgtable.c
 @@ -98,10 +98,75 @@ static inline void pgd_list_del(pgd_t *pgd)
@@ -34970,6 +35047,55 @@ index fb0a9dd..72a6e6f 100644
  	pgd_dtor(pgd);
  	paravirt_pgd_free(mm, pgd);
  	_pgd_free(pgd);
+@@ -544,6 +616,40 @@ void __init reserve_top_address(unsigned long reserve)
+ 
+ int fixmaps_set;
+ 
++static void fix_user_fixmap(enum fixed_addresses idx, unsigned long address)
++{
++#ifdef CONFIG_X86_64
++	pgd_t *pgd;
++	pud_t *pud;
++	pmd_t *pmd;
++
++	switch (idx) {
++	default:
++		return;
++
++#ifdef CONFIG_X86_VSYSCALL_EMULATION
++	case VSYSCALL_PAGE:
++#endif
++#ifdef CONFIG_PARAVIRT_CLOCK
++	case PVCLOCK_FIXMAP_BEGIN ... PVCLOCK_FIXMAP_END:
++#endif
++		break;
++	}
++
++	pgd = pgd_offset_k(address);
++	if (!(pgd_val(*pgd) & _PAGE_USER))
++		set_pgd(pgd, __pgd(pgd_val(*pgd) | _PAGE_USER));
++
++	pud = pud_offset(pgd, address);
++	if (!(pud_val(*pud) & _PAGE_USER))
++		set_pud(pud, __pud(pud_val(*pud) | _PAGE_USER));
++
++	pmd = pmd_offset(pud, address);
++	if (!(pmd_val(*pmd) & _PAGE_USER))
++		set_pmd(pmd, __pmd(pmd_val(*pmd) | _PAGE_USER));
++#endif
++}
++
+ void __native_set_fixmap(enum fixed_addresses idx, pte_t pte)
+ {
+ 	unsigned long address = __fix_to_virt(idx);
+@@ -554,6 +660,7 @@ void __native_set_fixmap(enum fixed_addresses idx, pte_t pte)
+ 	}
+ 	set_pte_vaddr(address, pte);
+ 	fixmaps_set++;
++	fix_user_fixmap(idx, address);
+ }
+ 
+ void native_set_fixmap(enum fixed_addresses idx, phys_addr_t phys,
 diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c
 index 90555bf..f5f1828 100644
 --- a/arch/x86/mm/setup_nx.c
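Review bot: fix_user_fixmap() ORs `_PAGE_USER` into the pgd, pud and pmd entries covering the fixmap address, and nothing in the function states that every other mapping under those entries then depends on its own PTE lacking `_PAGE_USER` to stay kernel-only. A header comment saying so, and that only VSYSCALL_PAGE and the PVCLOCK_FIXMAP range are meant to qualify, would make that security assumption explicit. The walk also does not check for a large-page pmd before setting the bit; if a huge mapping can ever sit there, the whole range would become user-visible, so `BUG_ON(pmd_large(*pmd));` before the last `set_pmd()` is worth considering. Putting `default: return;` ahead of the conditionally compiled case labels works, but listing the cases first and the default last is the more usual order.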
@@ -37079,6 +37205,33 @@ index 45e7d51..2967121 100644
  	if (!ret)
  		kobject_uevent(&pinst->kobj, KOBJ_ADD);
  
+diff --git a/crypto/scatterwalk.c b/crypto/scatterwalk.c
+index ea5815c..5880da6 100644
+--- a/crypto/scatterwalk.c
++++ b/crypto/scatterwalk.c
+@@ -109,14 +109,20 @@ void scatterwalk_map_and_copy(void *buf, struct scatterlist *sg,
+ {
+ 	struct scatter_walk walk;
+ 	struct scatterlist tmp[2];
++	void *realbuf = buf;
+ 
+ 	if (!nbytes)
+ 		return;
+ 
+ 	sg = scatterwalk_ffwd(tmp, sg, start);
+ 
+-	if (sg_page(sg) == virt_to_page(buf) &&
+-	    sg->offset == offset_in_page(buf))
++#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
++	if (object_starts_on_stack(buf))
++		realbuf = buf - current->stack + current->lowmem_stack;
++#endif
++
++	if (sg_page(sg) == virt_to_page(realbuf) &&
++	    sg->offset == offset_in_page(realbuf))
+ 		return;
+ 
+ 	scatterwalk_start(&walk, sg);
 diff --git a/crypto/zlib.c b/crypto/zlib.c
 index d51a30a..fb1f8af 100644
 --- a/crypto/zlib.c
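Review bot: The translation `realbuf = buf - current->stack + current->lowmem_stack;` is unexplained, and `realbuf` feeds only the aliasing comparison while the rest of scatterwalk_map_and_copy() (outside this hunk) still receives `buf`. A comment such as `/* virt_to_page() needs the lowmem alias of an on-stack buffer under CONFIG_GRKERNSEC_KSTACKOVERFLOW */` would say why, assuming that is the reason. The expression also relies on pointer arithmetic whose operand types are not visible here; computing the offset through `unsigned long` would make it explicit.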
@@ -50874,10 +51027,20 @@ index 487be20..f4c87bc 100644
  		err = 0;
  		break;
 diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
-index 079f7ad..b2a2bfa7 100644
+index 079f7ad..7e59810 100644
 --- a/drivers/net/slip/slhc.c
 +++ b/drivers/net/slip/slhc.c
-@@ -487,7 +487,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
+@@ -94,6 +94,9 @@ slhc_init(int rslots, int tslots)
+ 	register struct cstate *ts;
+ 	struct slcompress *comp;
+ 
++	if (rslots <= 0 || tslots <= 0 || rslots >= 256 || tslots >= 256)
++		goto out_fail;
++
+ 	comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
+ 	if (! comp)
+ 		goto out_fail;
+@@ -487,7 +490,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
  	register struct tcphdr *thp;
  	register struct iphdr *ip;
  	register struct cstate *cs;
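Review bot: The new range check in slhc_init() rejects `rslots == 0` and `tslots == 0` as well as negative and over-255 values, which is stricter than bounding the slot count requires. If any caller passes zero to disable one direction (callers are not visible here), it would now take the `out_fail` path; `if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255)` keeps the bound without that behaviour change. The jump also happens before `comp` is assigned, so `out_fail` (outside the hunk) must not touch `comp`. A short comment naming why 255 is the limit would help.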
@@ -102842,6 +103005,18 @@ index e951453..0685f5b 100644
  }
  
  #endif /* __NET_NET_NAMESPACE_H */
+diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
+index 37cd391..4023c4c 100644
+--- a/include/net/netfilter/nf_conntrack.h
++++ b/include/net/netfilter/nf_conntrack.h
+@@ -292,6 +292,7 @@ extern unsigned int nf_conntrack_hash_rnd;
+ void init_nf_conntrack_hash_rnd(void);
+ 
+ struct nf_conn *nf_ct_tmpl_alloc(struct net *net, u16 zone, gfp_t flags);
++void nf_ct_tmpl_free(struct nf_conn *tmpl);
+ 
+ #define NF_CT_STAT_INC(net, count)	  __this_cpu_inc((net)->ct.stat->count)
+ #define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)
 diff --git a/include/net/netlink.h b/include/net/netlink.h
 index 2a5dbcc..8243656 100644
 --- a/include/net/netlink.h
@@ -121709,10 +121884,25 @@ index 45da11a..ef3e5dc 100644
  	table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table),
  			GFP_KERNEL);
 diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
-index 3c20d02..b7e071a 100644
+index 3c20d02..b2c15f4 100644
 --- a/net/netfilter/nf_conntrack_core.c
 +++ b/net/netfilter/nf_conntrack_core.c
-@@ -1753,6 +1753,10 @@ void nf_conntrack_init_end(void)
+@@ -320,12 +320,13 @@ out_free:
+ }
+ EXPORT_SYMBOL_GPL(nf_ct_tmpl_alloc);
+ 
+-static void nf_ct_tmpl_free(struct nf_conn *tmpl)
++void nf_ct_tmpl_free(struct nf_conn *tmpl)
+ {
+ 	nf_ct_ext_destroy(tmpl);
+ 	nf_ct_ext_free(tmpl);
+ 	kfree(tmpl);
+ }
++EXPORT_SYMBOL_GPL(nf_ct_tmpl_free);
+ 
+ static void
+ destroy_conntrack(struct nf_conntrack *nfct)
+@@ -1753,6 +1754,10 @@ void nf_conntrack_init_end(void)
  #define DYING_NULLS_VAL		((1<<30)+1)
  #define TEMPLATE_NULLS_VAL	((1<<30)+2)
  
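Review bot: nf_ct_tmpl_free() becomes an exported symbol here with no comment on its contract. Because it ends in `kfree(tmpl)`, it is only correct for objects obtained from nf_ct_tmpl_alloc(); the nf_synproxy_core.c and xt_CT.c hunks later in this patch switch their error paths from nf_conntrack_free() to it, apparently for that reason. A comment such as `/* Free a template allocated by nf_ct_tmpl_alloc(); never pass templates to nf_conntrack_free() */` above the definition would keep future callers from mixing the two.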
@@ -121723,7 +121913,7 @@ index 3c20d02..b7e071a 100644
  int nf_conntrack_init_net(struct net *net)
  {
  	int ret = -ENOMEM;
-@@ -1777,7 +1781,11 @@ int nf_conntrack_init_net(struct net *net)
+@@ -1777,7 +1782,11 @@ int nf_conntrack_init_net(struct net *net)
  	if (!net->ct.stat)
  		goto err_pcpu_lists;
  
@@ -121854,6 +122044,19 @@ index c68c1e5..8b5d670 100644
  	mutex_unlock(&nf_sockopt_mutex);
  }
  EXPORT_SYMBOL(nf_unregister_sockopt);
+diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
+index d7f1685..d6ee8f8 100644
+--- a/net/netfilter/nf_synproxy_core.c
++++ b/net/netfilter/nf_synproxy_core.c
+@@ -378,7 +378,7 @@ static int __net_init synproxy_net_init(struct net *net)
+ err3:
+ 	free_percpu(snet->stats);
+ err2:
+-	nf_conntrack_free(ct);
++	nf_ct_tmpl_free(ct);
+ err1:
+ 	return err;
+ }
 diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
 index 4670821..a6c3c47d 100644
 --- a/net/netfilter/nfnetlink_log.c
@@ -121896,6 +122099,19 @@ index 66def31..d64a66d 100644
  }
  
  static const struct nla_policy nft_match_policy[NFTA_MATCH_MAX + 1] = {
+diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
+index 43ddeee..f3377ce 100644
+--- a/net/netfilter/xt_CT.c
++++ b/net/netfilter/xt_CT.c
+@@ -233,7 +233,7 @@ out:
+ 	return 0;
+ 
+ err3:
+-	nf_conntrack_free(ct);
++	nf_ct_tmpl_free(ct);
+ err2:
+ 	nf_ct_l3proto_module_put(par->family);
+ err1:
 diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c
 new file mode 100644
 index 0000000..c566332

