From: "Anthony G. Basile" <blueness@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 4.2.3/
Date: Thu, 15 Oct 2015 01:36:53 +0000 (UTC) [thread overview]
Message-ID: <1444873343.de0f65da3cbe9d37cb7b2e5ece46152fd8274ed7.blueness@gentoo> (raw)
commit: de0f65da3cbe9d37cb7b2e5ece46152fd8274ed7
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 15 01:42:23 2015 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Oct 15 01:42:23 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=de0f65da
grsecurity-3.1-4.2.3-201510130858
4.2.3/0000_README | 2 +-
...> 4420_grsecurity-3.1-4.2.3-201510130858.patch} | 205 ++++++++++++++++++++-
2 files changed, 200 insertions(+), 7 deletions(-)
diff --git a/4.2.3/0000_README b/4.2.3/0000_README
index f4ca83e..4b76bbf 100644
--- a/4.2.3/0000_README
+++ b/4.2.3/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.2.3-201510111839.patch
+Patch: 4420_grsecurity-3.1-4.2.3-201510130858.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.2.3/4420_grsecurity-3.1-4.2.3-201510111839.patch b/4.2.3/4420_grsecurity-3.1-4.2.3-201510130858.patch
similarity index 99%
rename from 4.2.3/4420_grsecurity-3.1-4.2.3-201510111839.patch
rename to 4.2.3/4420_grsecurity-3.1-4.2.3-201510130858.patch
index 3eeb3c5..28448c3 100644
--- a/4.2.3/4420_grsecurity-3.1-4.2.3-201510111839.patch
+++ b/4.2.3/4420_grsecurity-3.1-4.2.3-201510130858.patch
@@ -37144,6 +37144,20 @@ index d6e5ba3..2bb142c 100644
return ERR_PTR(-EINVAL);
nr_pages += end - start;
+diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
+index d6283b3..9cc48d1d 100644
+--- a/block/blk-cgroup.c
++++ b/block/blk-cgroup.c
+@@ -387,6 +387,9 @@ static void blkg_destroy_all(struct request_queue *q)
+ blkg_destroy(blkg);
+ spin_unlock(&blkcg->lock);
+ }
++
++ q->root_blkg = NULL;
++ q->root_rl.blkg = NULL;
+ }
+
+ /*
diff --git a/block/blk-iopoll.c b/block/blk-iopoll.c
index 0736729..2ec3b48 100644
--- a/block/blk-iopoll.c
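Review bot: The two stores added at the end of blkg_destroy_all(), `q->root_blkg = NULL;` and `q->root_rl.blkg = NULL;`, have no comment saying why they are there. Since the loop above them destroys every blkg on the queue, they presumably keep the queue from holding pointers to a freed root blkg; a line such as `/* every blkg is destroyed above; clear the cached root pointers so nothing dereferences a freed blkg */` would record that. Code that reads these fields after teardown then has to tolerate NULL. The locking that orders these stores is not visible here, because the function starts outside the hunk.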
@@ -56284,7 +56298,7 @@ index 382d3fc..b16d625 100644
dlci->modem_rx = 0;
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index ee8bfac..9e4ed6f 100644
+index ee8bfac..95461a3 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -116,7 +116,7 @@ struct n_tty_data {
@@ -56296,7 +56310,50 @@ index ee8bfac..9e4ed6f 100644
size_t line_start;
/* protected by output lock */
-@@ -2579,6 +2579,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
+@@ -343,8 +343,7 @@ static void n_tty_packet_mode_flush(struct tty_struct *tty)
+ spin_lock_irqsave(&tty->ctrl_lock, flags);
+ tty->ctrl_status |= TIOCPKT_FLUSHREAD;
+ spin_unlock_irqrestore(&tty->ctrl_lock, flags);
+- if (waitqueue_active(&tty->link->read_wait))
+- wake_up_interruptible(&tty->link->read_wait);
++ wake_up_interruptible(&tty->link->read_wait);
+ }
+ }
+
+@@ -1382,8 +1381,7 @@ handle_newline:
+ put_tty_queue(c, ldata);
+ smp_store_release(&ldata->canon_head, ldata->read_head);
+ kill_fasync(&tty->fasync, SIGIO, POLL_IN);
+- if (waitqueue_active(&tty->read_wait))
+- wake_up_interruptible_poll(&tty->read_wait, POLLIN);
++ wake_up_interruptible_poll(&tty->read_wait, POLLIN);
+ return 0;
+ }
+ }
+@@ -1667,8 +1665,7 @@ static void __receive_buf(struct tty_struct *tty, const unsigned char *cp,
+
+ if ((read_cnt(ldata) >= ldata->minimum_to_wake) || L_EXTPROC(tty)) {
+ kill_fasync(&tty->fasync, SIGIO, POLL_IN);
+- if (waitqueue_active(&tty->read_wait))
+- wake_up_interruptible_poll(&tty->read_wait, POLLIN);
++ wake_up_interruptible_poll(&tty->read_wait, POLLIN);
+ }
+ }
+
+@@ -1887,10 +1884,8 @@ static void n_tty_set_termios(struct tty_struct *tty, struct ktermios *old)
+ }
+
+ /* The termios change make the tty ready for I/O */
+- if (waitqueue_active(&tty->write_wait))
+- wake_up_interruptible(&tty->write_wait);
+- if (waitqueue_active(&tty->read_wait))
+- wake_up_interruptible(&tty->read_wait);
++ wake_up_interruptible(&tty->write_wait);
++ wake_up_interruptible(&tty->read_wait);
+ }
+
+ /**
+@@ -2579,6 +2574,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
{
*ops = tty_ldisc_N_TTY;
ops->owner = NULL;
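Review bot: None of the four call sites that drop the `waitqueue_active()` guard (n_tty_packet_mode_flush, the handle_newline path, __receive_buf and n_tty_set_termios) says why the wake-up is now unconditional. The likely reason is that `waitqueue_active()` without a preceding memory barrier can race with a reader that is just queuing itself, so the wake-up is lost, but the patch leaves that to be guessed. A short comment at the first site, e.g. `/* no waitqueue_active() check: unordered, it can miss a sleeper being queued */`, would stop a later cleanup from restoring the check as an optimisation. All four functions begin outside their hunks.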
@@ -57058,11 +57115,147 @@ index b5b4278..bb9c7b0 100644
char c;
if (get_user(c, buf))
+diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
+index 4cf263d..fd011fa 100644
+--- a/drivers/tty/tty_buffer.c
++++ b/drivers/tty/tty_buffer.c
+@@ -242,7 +242,10 @@ void tty_buffer_flush(struct tty_struct *tty, struct tty_ldisc *ld)
+ atomic_inc(&buf->priority);
+
+ mutex_lock(&buf->lock);
+- while ((next = buf->head->next) != NULL) {
++ /* paired w/ release in __tty_buffer_request_room; ensures there are
++ * no pending memory accesses to the freed buffer
++ */
++ while ((next = smp_load_acquire(&buf->head->next)) != NULL) {
+ tty_buffer_free(port, buf->head);
+ buf->head = next;
+ }
+@@ -290,13 +293,15 @@ static int __tty_buffer_request_room(struct tty_port *port, size_t size,
+ if (n != NULL) {
+ n->flags = flags;
+ buf->tail = n;
+- b->commit = b->used;
+- /* paired w/ barrier in flush_to_ldisc(); ensures the
++ /* paired w/ acquire in flush_to_ldisc(); ensures
++ * flush_to_ldisc() sees buffer data.
++ */
++ smp_store_release(&b->commit, b->used);
++ /* paired w/ acquire in flush_to_ldisc(); ensures the
+ * latest commit value can be read before the head is
+ * advanced to the next buffer
+ */
+- smp_wmb();
+- b->next = n;
++ smp_store_release(&b->next, n);
+ } else if (change)
+ size = 0;
+ else
+@@ -394,7 +399,10 @@ void tty_schedule_flip(struct tty_port *port)
+ {
+ struct tty_bufhead *buf = &port->buf;
+
+- buf->tail->commit = buf->tail->used;
++ /* paired w/ acquire in flush_to_ldisc(); ensures
++ * flush_to_ldisc() sees buffer data.
++ */
++ smp_store_release(&buf->tail->commit, buf->tail->used);
+ schedule_work(&buf->work);
+ }
+ EXPORT_SYMBOL(tty_schedule_flip);
+@@ -469,7 +477,7 @@ static void flush_to_ldisc(struct work_struct *work)
+ struct tty_struct *tty;
+ struct tty_ldisc *disc;
+
+- tty = port->itty;
++ tty = READ_ONCE(port->itty);
+ if (tty == NULL)
+ return;
+
+@@ -488,13 +496,15 @@ static void flush_to_ldisc(struct work_struct *work)
+ if (atomic_read(&buf->priority))
+ break;
+
+- next = head->next;
+- /* paired w/ barrier in __tty_buffer_request_room();
++ /* paired w/ release in __tty_buffer_request_room();
+ * ensures commit value read is not stale if the head
+ * is advancing to the next buffer
+ */
+- smp_rmb();
+- count = head->commit - head->read;
++ next = smp_load_acquire(&head->next);
++ /* paired w/ release in __tty_buffer_request_room() or in
++ * tty_buffer_flush(); ensures we see the committed buffer data
++ */
++ count = smp_load_acquire(&head->commit) - head->read;
+ if (!count) {
+ if (next == NULL) {
+ check_other_closed(tty);
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
-index 57fc6ee..b83cc81 100644
+index 57fc6ee..62fa290 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
-@@ -3501,7 +3501,7 @@ EXPORT_SYMBOL(tty_devnum);
+@@ -2136,8 +2136,24 @@ retry_open:
+ if (!noctty &&
+ current->signal->leader &&
+ !current->signal->tty &&
+- tty->session == NULL)
+- __proc_set_tty(tty);
++ tty->session == NULL) {
++ /*
++ * Don't let a process that only has write access to the tty
++ * obtain the privileges associated with having a tty as
++ * controlling terminal (being able to reopen it with full
++ * access through /dev/tty, being able to perform pushback).
++ * Many distributions set the group of all ttys to "tty" and
++ * grant write-only access to all terminals for setgid tty
++ * binaries, which should not imply full privileges on all ttys.
++ *
++ * This could theoretically break old code that performs open()
++ * on a write-only file descriptor. In that case, it might be
++ * necessary to also permit this if
++ * inode_permission(inode, MAY_READ) == 0.
++ */
++ if (filp->f_mode & FMODE_READ)
++ __proc_set_tty(tty);
++ }
+ spin_unlock_irq(¤t->sighand->siglock);
+ read_unlock(&tasklist_lock);
+ tty_unlock(tty);
+@@ -2426,7 +2442,7 @@ static int fionbio(struct file *file, int __user *p)
+ * Takes ->siglock() when updating signal->tty
+ */
+
+-static int tiocsctty(struct tty_struct *tty, int arg)
++static int tiocsctty(struct tty_struct *tty, struct file *file, int arg)
+ {
+ int ret = 0;
+
+@@ -2460,6 +2476,13 @@ static int tiocsctty(struct tty_struct *tty, int arg)
+ goto unlock;
+ }
+ }
++
++ /* See the comment in tty_open(). */
++ if ((file->f_mode & FMODE_READ) == 0 && !capable(CAP_SYS_ADMIN)) {
++ ret = -EPERM;
++ goto unlock;
++ }
++
+ proc_set_tty(tty);
+ unlock:
+ read_unlock(&tasklist_lock);
+@@ -2852,7 +2875,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ no_tty();
+ return 0;
+ case TIOCSCTTY:
+- return tiocsctty(tty, arg);
++ return tiocsctty(tty, file, arg);
+ case TIOCGPGRP:
+ return tiocgpgrp(tty, real_tty, p);
+ case TIOCSPGRP:
+@@ -3501,7 +3524,7 @@ EXPORT_SYMBOL(tty_devnum);
void tty_default_fops(struct file_operations *fops)
{
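Review bot: The new check in tiocsctty() lets a write-only opener through when `capable(CAP_SYS_ADMIN)` holds, while the tty_open() path tests only `filp->f_mode & FMODE_READ` and has no capability exception, and the pointer comment `/* See the comment in tty_open(). */` does not mention the difference. If the asymmetry is intended, the ioctl comment should say so, for example `/* write-only fd: refuse unless CAP_SYS_ADMIN; open() has no such override, see tty_open() */`. tty_open() also skips `__proc_set_tty()` silently, so the open succeeds without a controlling terminal, whereas the ioctl returns `-EPERM`; stating that in the tty_open() comment would help callers and auditors. Both functions extend beyond the hunks shown.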
@@ -125541,7 +125734,7 @@ index c0a932d..817c587 100755
# Find all available archs
find_all_archs()
diff --git a/security/Kconfig b/security/Kconfig
-index bf4ec46..20e8f1f 100644
+index bf4ec46..3303bc0 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -4,6 +4,981 @@
@@ -126376,7 +126569,7 @@ index bf4ec46..20e8f1f 100644
+
+config PAX_MEMORY_UDEREF
+ bool "Prevent invalid userland pointer dereference"
-+ default y if GRKERNSEC_CONFIG_AUTO && !(X86_64 && GRKERNSEC_CONFIG_PRIORITY_PERF) && (!X86 || GRKERNSEC_CONFIG_VIRT_NONE || GRKERNSEC_CONFIG_VIRT_EPT)
++ default y if GRKERNSEC_CONFIG_AUTO && !(X86_64 && GRKERNSEC_CONFIG_PRIORITY_PERF) && !(X86_64 && GRKERNSEC_CONFIG_VIRT_HOST && GRKERNSEC_CONFIG_VIRT_VIRTUALBOX) && (!X86 || GRKERNSEC_CONFIG_VIRT_NONE || GRKERNSEC_CONFIG_VIRT_EPT)
+ depends on (X86 || (ARM && (CPU_V6 || CPU_V6K || CPU_V7) && !ARM_LPAE)) && !UML_X86 && !XEN
+ select PAX_PER_CPU_PGD if X86_64
+ help
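Review bot: The added `!(X86_64 && GRKERNSEC_CONFIG_VIRT_HOST && GRKERNSEC_CONFIG_VIRT_VIRTUALBOX)` term on the `default y` line turns PAX_MEMORY_UDEREF off by default for that automatic configuration, and nothing in the visible lines tells the user that this protection is no longer selected. The help text begins on the last line of the hunk and continues outside it, so it may already cover this. If it does not, a sentence such as `Automatic configuration leaves this option off on x86_64 VirtualBox hosts.` would make the weaker default visible to anyone auditing the resulting .config.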