* [gentoo-commits] proj/hardened-patchset:master commit in: 4.3.4/
@ 2016-01-28  5:23 Anthony G. Basile
From: Anthony G. Basile @ 2016-01-28  5:23 UTC (permalink / raw
  To: gentoo-commits

commit:     8f65a787591f7fdc93c18637c2d33210e0cd738d
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Jan 28 05:31:20 2016 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Jan 28 05:31:20 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=8f65a787

grsecurity-3.1-4.3.4-201601261954

 4.3.4/0000_README                                  |   2 +-
 ...> 4420_grsecurity-3.1-4.3.4-201601261954.patch} | 444 +++++++++++++++++++--
 4.3.4/4427_force_XATTR_PAX_tmpfs.patch             |   4 +-
 4.3.4/4450_grsec-kconfig-default-gids.patch        |  12 +-
 4.3.4/4465_selinux-avc_audit-log-curr_ip.patch     |   2 +-
 5 files changed, 411 insertions(+), 53 deletions(-)

diff --git a/4.3.4/0000_README b/4.3.4/0000_README
index f0bdee5..158f0b1 100644
--- a/4.3.4/0000_README
+++ b/4.3.4/0000_README
@@ -6,7 +6,7 @@ Patch:	1003_linux-4.3.4.patch
 From:	http://www.kernel.org
 Desc:	Linux 4.3.4
 
-Patch:	4420_grsecurity-3.1-4.3.4-201601231215.patch
+Patch:	4420_grsecurity-3.1-4.3.4-201601261954.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/4.3.4/4420_grsecurity-3.1-4.3.4-201601231215.patch b/4.3.4/4420_grsecurity-3.1-4.3.4-201601261954.patch
similarity index 99%
rename from 4.3.4/4420_grsecurity-3.1-4.3.4-201601231215.patch
rename to 4.3.4/4420_grsecurity-3.1-4.3.4-201601261954.patch
index db01d7f..f866bc7 100644
--- a/4.3.4/4420_grsecurity-3.1-4.3.4-201601231215.patch
+++ b/4.3.4/4420_grsecurity-3.1-4.3.4-201601261954.patch
@@ -12575,7 +12575,7 @@ index ad8f795..2c7eec6 100644
  /*
   * Memory returned by kmalloc() may be used for DMA, so we must make
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 96d058a..b581500 100644
+index 96d058a..92a8d5b 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
 @@ -36,14 +36,13 @@ config X86
@@ -12661,6 +12661,15 @@ index 96d058a..b581500 100644
  
  config ARCH_DMA_ADDR_T_64BIT
  	def_bool y
+@@ -1448,7 +1450,7 @@ config ARCH_PROC_KCORE_TEXT
+ 
+ config ILLEGAL_POINTER_VALUE
+        hex
+-       default 0 if X86_32
++       default 0xfffff000 if X86_32
+        default 0xdead000000000000 if X86_64
+ 
+ source "mm/Kconfig"
 @@ -1757,6 +1759,7 @@ source kernel/Kconfig.hz
  config KEXEC
  	bool "kexec system call"
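Review bot: The new `default 0xfffff000 if X86_32` under `config ILLEGAL_POINTER_VALUE` has no comment or help text saying why this address was chosen over the previous `0`. The value looks like the last page of the 32-bit address space, presumably so that poison pointers built on top of it fall outside anything userland can map; that should be confirmed against the x86_32 memory layout and then stated. A one-line Kconfig comment above the entry would do, for example `# X86_32: poison pointers point into the top page, which must never be mapped`.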
@@ -19780,7 +19789,7 @@ index 55234d5..7e3c4bf 100644
  	atomic_t perf_rdpmc_allowed;	/* nonzero if rdpmc is allowed */
  } mm_context_t;
 diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
-index 379cd36..25f4ba2 100644
+index 379cd36..8ef26be 100644
 --- a/arch/x86/include/asm/mmu_context.h
 +++ b/arch/x86/include/asm/mmu_context.h
 @@ -46,7 +46,7 @@ struct ldt_struct {
@@ -19792,7 +19801,31 @@ index 379cd36..25f4ba2 100644
  };
  
  /*
-@@ -98,26 +98,95 @@ static inline void load_mm_ldt(struct mm_struct *mm)
+@@ -58,6 +58,23 @@ void destroy_context(struct mm_struct *mm);
+ static inline int init_new_context(struct task_struct *tsk,
+ 				   struct mm_struct *mm)
+ {
++	if (tsk == current) {
++		mm->context.vdso = 0;
++
++#ifdef CONFIG_X86_32
++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
++		mm->context.user_cs_base = 0UL;
++		mm->context.user_cs_limit = ~0UL;
++
++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
++		cpumask_clear(&mm->context.cpu_user_cs_mask);
++#endif
++
++#endif
++#endif
++
++	}
++
+ 	return 0;
+ }
+ static inline void destroy_context(struct mm_struct *mm) {}
+@@ -98,26 +115,95 @@ static inline void load_mm_ldt(struct mm_struct *mm)
  
  static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
  {
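Review bot: The added block in `init_new_context()` nests three preprocessor conditionals and closes them with bare `#endif` lines, so it is hard to see which condition each one ends. Tagging them, e.g. `#endif /* CONFIG_PAX_PAGEEXEC && CONFIG_SMP */`, `#endif /* CONFIG_PAX_PAGEEXEC || CONFIG_PAX_SEGMEXEC */` and `#endif /* CONFIG_X86_32 */`, and dropping the blank line before the closing brace would make the block easier to audit. The `if (tsk == current)` guard also deserves a short comment saying why the context fields are reset only in that case; the reason is not visible in this hunk.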
@@ -19888,7 +19921,7 @@ index 379cd36..25f4ba2 100644
  		trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
  
  		/* Stop flush ipis for the previous mm */
-@@ -142,9 +211,31 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+@@ -142,9 +228,31 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
  		if (unlikely(prev->context.ldt != next->context.ldt))
  			load_mm_ldt(next);
  #endif
@@ -19921,7 +19954,7 @@ index 379cd36..25f4ba2 100644
  		this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
  		BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next);
  
-@@ -161,13 +252,30 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+@@ -161,13 +269,30 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
  			 * tlb flush IPI delivery. We must reload CR3
  			 * to make sure to use no freed page tables.
  			 */
@@ -52619,6 +52652,86 @@ index ed00446..943fe2c 100644
  			break;
  		err = 0;
  		break;
+diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
+index b910cae..f55670b 100644
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -129,24 +129,27 @@ static int lookup_chan_dst(u16 call_id, __be32 d_addr)
+ 	return i < MAX_CALLID;
+ }
+ 
+-static int add_chan(struct pppox_sock *sock)
++static int add_chan(struct pppox_sock *sock,
++		    struct pptp_addr *sa)
+ {
+ 	static int call_id;
+ 
+ 	spin_lock(&chan_lock);
+-	if (!sock->proto.pptp.src_addr.call_id)	{
++	if (!sa->call_id)	{
+ 		call_id = find_next_zero_bit(callid_bitmap, MAX_CALLID, call_id + 1);
+ 		if (call_id == MAX_CALLID) {
+ 			call_id = find_next_zero_bit(callid_bitmap, MAX_CALLID, 1);
+ 			if (call_id == MAX_CALLID)
+ 				goto out_err;
+ 		}
+-		sock->proto.pptp.src_addr.call_id = call_id;
+-	} else if (test_bit(sock->proto.pptp.src_addr.call_id, callid_bitmap))
++		sa->call_id = call_id;
++	} else if (test_bit(sa->call_id, callid_bitmap)) {
+ 		goto out_err;
++	}
+ 
+-	set_bit(sock->proto.pptp.src_addr.call_id, callid_bitmap);
+-	rcu_assign_pointer(callid_sock[sock->proto.pptp.src_addr.call_id], sock);
++	sock->proto.pptp.src_addr = *sa;
++	set_bit(sa->call_id, callid_bitmap);
++	rcu_assign_pointer(callid_sock[sa->call_id], sock);
+ 	spin_unlock(&chan_lock);
+ 
+ 	return 0;
+@@ -415,7 +418,6 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr,
+ 	struct sock *sk = sock->sk;
+ 	struct sockaddr_pppox *sp = (struct sockaddr_pppox *) uservaddr;
+ 	struct pppox_sock *po = pppox_sk(sk);
+-	struct pptp_opt *opt = &po->proto.pptp;
+ 	int error = 0;
+ 
+ 	if (sockaddr_len < sizeof(struct sockaddr_pppox))
+@@ -423,10 +425,22 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr,
+ 
+ 	lock_sock(sk);
+ 
+-	opt->src_addr = sp->sa_addr.pptp;
+-	if (add_chan(po))
++	if (sk->sk_state & PPPOX_DEAD) {
++		error = -EALREADY;
++		goto out;
++	}
++
++	if (sk->sk_state & PPPOX_BOUND) {
++		error = -EBUSY;
++		goto out;
++	}
++
++	if (add_chan(po, &sp->sa_addr.pptp))
+ 		error = -EBUSY;
++	else
++		sk->sk_state |= PPPOX_BOUND;
+ 
++out:
+ 	release_sock(sk);
+ 	return error;
+ }
+@@ -497,7 +511,7 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr,
+ 	}
+ 
+ 	opt->dst_addr = sp->sa_addr.pptp;
+-	sk->sk_state = PPPOX_CONNECTED;
++	sk->sk_state |= PPPOX_CONNECTED;
+ 
+  end:
+ 	release_sock(sk);
 diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
 index 079f7ad..7e59810 100644
 --- a/drivers/net/slip/slhc.c
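Review bot: `add_chan()` now treats `sa` as an in/out argument: it writes the allocated `call_id` back through `sa->call_id` and copies `*sa` into `sock->proto.pptp.src_addr` only once the id is known to be free, but nothing in the function says so. A comment above it such as `/* Reserves sa->call_id (allocating one if it is 0) and publishes sock; on failure sock's src_addr is left untouched. */` would record the contract the `pptp_bind()` state checks rely on. `sa->call_id` comes from the caller-supplied sockaddr and indexes `callid_bitmap` and `callid_sock` directly, so the comment should also state the assumption that the field's type cannot exceed those arrays' size, which is not visible here. In `pptp_bind()` the new `PPPOX_DEAD` and `PPPOX_BOUND` tests read `sk_state` as a bit mask, which matches the `|=` change in `pptp_connect()`; any plain assignment to `sk_state` left elsewhere in the file would silently drop the bound flag and is worth a grep.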
@@ -87041,10 +87154,10 @@ index 85f883d..db6eecc 100644
  
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..31f8fe4
+index 0000000..0841273
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,1182 @@
+@@ -0,0 +1,1185 @@
 +#
 +# grecurity configuration
 +#
@@ -87068,6 +87181,9 @@ index 0000000..31f8fe4
 +	  you use the RBAC system, as it is still possible for an attacker to
 +	  modify the running kernel through other more obscure methods.
 +
++	  Enabling this feature will prevent the "cpupower" and "powertop" tools
++	  from working and excludes debugfs from being compiled into the kernel.
++
 +	  It is highly recommended that you say Y here if you meet all the
 +	  conditions above.
 +
@@ -104592,6 +104708,22 @@ index 6fb8016..2cf60e7 100644
  
  /* shm_mode upper byte flags */
  #define	SHM_DEST	01000	/* segment will be destroyed on last detach */
+diff --git a/include/linux/shmem_fs.h b/include/linux/shmem_fs.h
+index 50777b5..92d112a 100644
+--- a/include/linux/shmem_fs.h
++++ b/include/linux/shmem_fs.h
+@@ -15,10 +15,7 @@ struct shmem_inode_info {
+ 	unsigned int		seals;		/* shmem seals */
+ 	unsigned long		flags;
+ 	unsigned long		alloced;	/* data pages alloced to file */
+-	union {
+-		unsigned long	swapped;	/* subtotal assigned to swap */
+-		char		*symlink;	/* unswappable short symlink */
+-	};
++	unsigned long		swapped;	/* subtotal assigned to swap */
+ 	struct shared_policy	policy;		/* NUMA memory alloc policy */
+ 	struct list_head	swaplist;	/* chain of maybes on swap */
+ 	struct simple_xattrs	xattrs;		/* list of xattrs */
 diff --git a/include/linux/signal.h b/include/linux/signal.h
 index ab1e039..ad4229e 100644
 --- a/include/linux/signal.h
@@ -106575,6 +106707,49 @@ index 495c87e..5b327ff 100644
  
  
  /* Structure to track chunk fragments that have been acked, but peer
+diff --git a/include/net/snmp.h b/include/net/snmp.h
+index 35512ac..edbd85b 100644
+--- a/include/net/snmp.h
++++ b/include/net/snmp.h
+@@ -67,7 +67,7 @@ struct icmp_mib {
+ 
+ #define ICMPMSG_MIB_MAX	__ICMPMSG_MIB_MAX
+ struct icmpmsg_mib {
+-	atomic_long_t	mibs[ICMPMSG_MIB_MAX];
++	atomic_long_unchecked_t	mibs[ICMPMSG_MIB_MAX];
+ };
+ 
+ /* ICMP6 (IPv6-ICMP) */
+@@ -78,17 +78,17 @@ struct icmpv6_mib {
+ };
+ /* per device counters, (shared on all cpus) */
+ struct icmpv6_mib_device {
+-	atomic_long_t	mibs[ICMP6_MIB_MAX];
++	atomic_long_unchecked_t	mibs[ICMP6_MIB_MAX];
+ };
+ 
+ #define ICMP6MSG_MIB_MAX  __ICMP6MSG_MIB_MAX
+ /* per network ns counters */
+ struct icmpv6msg_mib {
+-	atomic_long_t	mibs[ICMP6MSG_MIB_MAX];
++	atomic_long_unchecked_t	mibs[ICMP6MSG_MIB_MAX];
+ };
+ /* per device counters, (shared on all cpus) */
+ struct icmpv6msg_mib_device {
+-	atomic_long_t	mibs[ICMP6MSG_MIB_MAX];
++	atomic_long_unchecked_t	mibs[ICMP6MSG_MIB_MAX];
+ };
+ 
+ 
+@@ -130,7 +130,7 @@ struct linux_xfrm_mib {
+ 			this_cpu_inc(mib->mibs[field])
+ 
+ #define SNMP_INC_STATS_ATOMIC_LONG(mib, field)	\
+-			atomic_long_inc(&mib->mibs[field])
++			atomic_long_inc_unchecked(&mib->mibs[field])
+ 
+ #define SNMP_INC_STATS(mib, field)	\
+ 			this_cpu_inc(mib->mibs[field])
 diff --git a/include/net/sock.h b/include/net/sock.h
 index bca709a..75776c9 100644
 --- a/include/net/sock.h
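Review bot: The switch from `atomic_long_t` to `atomic_long_unchecked_t` in `struct icmpmsg_mib`, `icmpv6_mib_device`, `icmpv6msg_mib` and `icmpv6msg_mib_device` is not explained anywhere in the header. These arrays are MIB statistics, so wrapping is presumably harmless and the unchecked variant is used to keep them out of the reference-counter overflow checks; a one-line comment on the first struct, e.g. `/* statistics only: may wrap, so exempt from overflow detection */`, would tell the next reader not to convert them back. The same conversion is applied to the readers in net/ipv4/proc.c, net/ipv6/addrconf.c and net/ipv6/proc.c further down, and the note applies there too.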
@@ -109116,7 +109291,7 @@ index ea95ee1..27177a8 100644
  		if (wo->wo_flags & __WNOTHREAD)
  			break;
 diff --git a/kernel/fork.c b/kernel/fork.c
-index 2845623..4b46ab9 100644
+index 2845623..baaf316 100644
 --- a/kernel/fork.c
 +++ b/kernel/fork.c
 @@ -188,12 +188,54 @@ static void free_thread_info(struct thread_info *ti)
@@ -109398,7 +109573,7 @@ index 2845623..4b46ab9 100644
  		}
  
  		/*
-@@ -505,6 +584,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+@@ -505,6 +584,38 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
  		if (retval)
  			goto out;
  	}
@@ -109407,11 +109582,16 @@ index 2845623..4b46ab9 100644
 +	if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
 +		struct vm_area_struct *mpnt_m;
 +
-+		for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
++		for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next) {
++			if (mpnt->vm_flags & VM_DONTCOPY)
++				continue;
++
 +			BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
 +
-+			if (!mpnt->vm_mirror)
++			if (!mpnt->vm_mirror) {
++				mpnt_m = mpnt_m->vm_next;
 +				continue;
++			}
 +
 +			if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
 +				BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
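Review bot: After this change `mpnt_m` is advanced by hand in two places (the `!mpnt->vm_mirror` branch here and the loop tail added in the next hunk), so any future `continue` in the loop body can desynchronise the two lists. The invariant should be written down at the top of the loop, e.g. `/* mpnt_m is the copy of mpnt in mm; VM_DONTCOPY vmas have no copy, so mpnt_m only advances for copied vmas */`. A single `next:` label at the loop tail that both paths jump to would keep the advance in one place. The enclosing `dup_mmap()` starts and ends outside the hunk.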
@@ -109422,6 +109602,8 @@ index 2845623..4b46ab9 100644
 +				mpnt_m->vm_mirror->vm_mirror = mpnt_m;
 +				mpnt->vm_mirror->vm_mirror = mpnt;
 +			}
++
++			mpnt_m = mpnt_m->vm_next;
 +		}
 +		BUG_ON(mpnt_m);
 +	}
@@ -109430,7 +109612,7 @@ index 2845623..4b46ab9 100644
  	/* a new mm has just been created */
  	arch_dup_mmap(oldmm, mm);
  	retval = 0;
-@@ -514,14 +618,6 @@ out:
+@@ -514,14 +625,6 @@ out:
  	up_write(&oldmm->mmap_sem);
  	uprobe_end_dup_mmap();
  	return retval;
@@ -109445,7 +109627,7 @@ index 2845623..4b46ab9 100644
  }
  
  static inline int mm_alloc_pgd(struct mm_struct *mm)
-@@ -796,8 +892,8 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
+@@ -796,8 +899,8 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
  		return ERR_PTR(err);
  
  	mm = get_task_mm(task);
@@ -109456,7 +109638,7 @@ index 2845623..4b46ab9 100644
  		mmput(mm);
  		mm = ERR_PTR(-EACCES);
  	}
-@@ -998,13 +1094,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk)
+@@ -998,13 +1101,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk)
  			spin_unlock(&fs->lock);
  			return -EAGAIN;
  		}
@@ -109478,7 +109660,7 @@ index 2845623..4b46ab9 100644
  	return 0;
  }
  
-@@ -1241,7 +1344,7 @@ init_task_pid(struct task_struct *task, enum pid_type type, struct pid *pid)
+@@ -1241,7 +1351,7 @@ init_task_pid(struct task_struct *task, enum pid_type type, struct pid *pid)
   * parts of the process environment (as per the clone
   * flags). The actual kick-off is left to the caller.
   */
@@ -109487,7 +109669,7 @@ index 2845623..4b46ab9 100644
  					unsigned long stack_start,
  					unsigned long stack_size,
  					int __user *child_tidptr,
-@@ -1313,6 +1416,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+@@ -1313,6 +1423,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
  	DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
  #endif
  	retval = -EAGAIN;
@@ -109497,7 +109679,7 @@ index 2845623..4b46ab9 100644
  	if (atomic_read(&p->real_cred->user->processes) >=
  			task_rlimit(p, RLIMIT_NPROC)) {
  		if (p->real_cred->user != INIT_USER &&
-@@ -1572,6 +1678,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+@@ -1572,6 +1685,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
  		goto bad_fork_cancel_cgroup;
  	}
  
@@ -109509,7 +109691,7 @@ index 2845623..4b46ab9 100644
  	if (likely(p->pid)) {
  		ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace);
  
-@@ -1663,6 +1774,8 @@ bad_fork_cleanup_count:
+@@ -1663,6 +1781,8 @@ bad_fork_cleanup_count:
  bad_fork_free:
  	free_task(p);
  fork_out:
@@ -109518,7 +109700,7 @@ index 2845623..4b46ab9 100644
  	return ERR_PTR(retval);
  }
  
-@@ -1725,6 +1838,7 @@ long _do_fork(unsigned long clone_flags,
+@@ -1725,6 +1845,7 @@ long _do_fork(unsigned long clone_flags,
  
  	p = copy_process(clone_flags, stack_start, stack_size,
  			 child_tidptr, NULL, trace, tls);
@@ -109526,7 +109708,7 @@ index 2845623..4b46ab9 100644
  	/*
  	 * Do this prior waking up the new thread - the thread pointer
  	 * might get invalid after that point, if the thread exits quickly.
-@@ -1741,6 +1855,8 @@ long _do_fork(unsigned long clone_flags,
+@@ -1741,6 +1862,8 @@ long _do_fork(unsigned long clone_flags,
  		if (clone_flags & CLONE_PARENT_SETTID)
  			put_user(nr, parent_tidptr);
  
@@ -109535,7 +109717,7 @@ index 2845623..4b46ab9 100644
  		if (clone_flags & CLONE_VFORK) {
  			p->vfork_done = &vfork;
  			init_completion(&vfork);
-@@ -1873,7 +1989,7 @@ void __init proc_caches_init(void)
+@@ -1873,7 +1996,7 @@ void __init proc_caches_init(void)
  	mm_cachep = kmem_cache_create("mm_struct",
  			sizeof(struct mm_struct), ARCH_MIN_MMSTRUCT_ALIGN,
  			SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_NOTRACK, NULL);
@@ -109544,7 +109726,7 @@ index 2845623..4b46ab9 100644
  	mmap_init();
  	nsproxy_cache_init();
  }
-@@ -1921,7 +2037,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
+@@ -1921,7 +2044,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
  		return 0;
  
  	/* don't need lock here; in the worst case we'll do useless copy */
@@ -109553,7 +109735,7 @@ index 2845623..4b46ab9 100644
  		return 0;
  
  	*new_fsp = copy_fs_struct(fs);
-@@ -2034,7 +2150,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
+@@ -2034,7 +2157,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
  			fs = current->fs;
  			spin_lock(&fs->lock);
  			current->fs = new_fs;
@@ -109563,7 +109745,7 @@ index 2845623..4b46ab9 100644
  				new_fs = NULL;
  			else
  				new_fs = fs;
-@@ -2098,7 +2215,7 @@ int unshare_files(struct files_struct **displaced)
+@@ -2098,7 +2222,7 @@ int unshare_files(struct files_struct **displaced)
  int sysctl_max_threads(struct ctl_table *table, int write,
  		       void __user *buffer, size_t *lenp, loff_t *ppos)
  {
@@ -119093,7 +119275,7 @@ index f5b5c1f..289c3dcb 100644
  
  /*
 diff --git a/mm/shmem.c b/mm/shmem.c
-index 48ce829..4c30cd3 100644
+index 48ce829..a5a01a2 100644
 --- a/mm/shmem.c
 +++ b/mm/shmem.c
 @@ -33,7 +33,7 @@
@@ -119114,7 +119296,17 @@ index 48ce829..4c30cd3 100644
  
  /*
   * shmem_fallocate communicates with shmem_fault or shmem_writepage via
-@@ -835,14 +835,14 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc)
+@@ -612,8 +612,7 @@ static void shmem_evict_inode(struct inode *inode)
+ 			list_del_init(&info->swaplist);
+ 			mutex_unlock(&shmem_swaplist_mutex);
+ 		}
+-	} else
+-		kfree(info->symlink);
++	}
+ 
+ 	simple_xattrs_free(&info->xattrs);
+ 	WARN_ON(inode->i_blocks);
+@@ -835,14 +834,14 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc)
  		list_add_tail(&info->swaplist, &shmem_swaplist);
  
  	if (add_to_swap_cache(page, swap, GFP_ATOMIC) == 0) {
@@ -119134,7 +119326,7 @@ index 48ce829..4c30cd3 100644
  		mutex_unlock(&shmem_swaplist_mutex);
  		BUG_ON(page_mapped(page));
  		swap_writepage(page, wbc);
-@@ -1070,7 +1070,7 @@ repeat:
+@@ -1070,7 +1069,7 @@ repeat:
  	if (sgp != SGP_WRITE && sgp != SGP_FALLOC &&
  	    ((loff_t)index << PAGE_CACHE_SHIFT) >= i_size_read(inode)) {
  		error = -EINVAL;
@@ -119143,7 +119335,7 @@ index 48ce829..4c30cd3 100644
  	}
  
  	if (page && sgp == SGP_WRITE)
-@@ -1238,11 +1238,15 @@ clear:
+@@ -1238,11 +1237,15 @@ clear:
  	/* Perhaps the file has been truncated since we checked */
  	if (sgp != SGP_WRITE && sgp != SGP_FALLOC &&
  	    ((loff_t)index << PAGE_CACHE_SHIFT) >= i_size_read(inode)) {
@@ -119163,7 +119355,7 @@ index 48ce829..4c30cd3 100644
  	}
  	*pagep = page;
  	return 0;
-@@ -1250,23 +1254,13 @@ clear:
+@@ -1250,23 +1253,13 @@ clear:
  	/*
  	 * Error recovery.
  	 */
@@ -119188,7 +119380,23 @@ index 48ce829..4c30cd3 100644
  		error = -EEXIST;
  unlock:
  	if (page) {
-@@ -2564,6 +2558,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = {
+@@ -2460,13 +2453,12 @@ static int shmem_symlink(struct inode *dir, struct dentry *dentry, const char *s
+ 	info = SHMEM_I(inode);
+ 	inode->i_size = len-1;
+ 	if (len <= SHORT_SYMLINK_LEN) {
+-		info->symlink = kmemdup(symname, len, GFP_KERNEL);
+-		if (!info->symlink) {
++		inode->i_link = kmemdup(symname, len, GFP_KERNEL);
++		if (!inode->i_link) {
+ 			iput(inode);
+ 			return -ENOMEM;
+ 		}
+ 		inode->i_op = &shmem_short_symlink_operations;
+-		inode->i_link = info->symlink;
+ 	} else {
+ 		error = shmem_getpage(inode, 0, &page, SGP_WRITE, NULL);
+ 		if (error) {
+@@ -2564,6 +2556,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = {
  static int shmem_xattr_validate(const char *name)
  {
  	struct { const char *prefix; size_t len; } arr[] = {
@@ -119200,7 +119408,7 @@ index 48ce829..4c30cd3 100644
  		{ XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
  		{ XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
  	};
-@@ -2619,6 +2618,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name,
+@@ -2619,6 +2616,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name,
  	if (err)
  		return err;
  
@@ -119216,7 +119424,7 @@ index 48ce829..4c30cd3 100644
  	return simple_xattr_set(&info->xattrs, name, value, size, flags);
  }
  
-@@ -3002,8 +3010,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent)
+@@ -3002,8 +3008,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent)
  	int err = -ENOMEM;
  
  	/* Round up to L1_CACHE_BYTES to resist false sharing */
@@ -119226,6 +119434,14 @@ index 48ce829..4c30cd3 100644
  	if (!sbinfo)
  		return -ENOMEM;
  
+@@ -3081,6 +3086,7 @@ static struct inode *shmem_alloc_inode(struct super_block *sb)
+ static void shmem_destroy_callback(struct rcu_head *head)
+ {
+ 	struct inode *inode = container_of(head, struct inode, i_rcu);
++	kfree(inode->i_link);
+ 	kmem_cache_free(shmem_inode_cachep, SHMEM_I(inode));
+ }
+ 
 diff --git a/mm/slab.c b/mm/slab.c
 index 4fcc5dd..8fb1a86 100644
 --- a/mm/slab.c
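Review bot: `kfree(inode->i_link)` in `shmem_destroy_callback()` runs for every tmpfs inode, not only for short symlinks. That is safe only if `i_link` is NULL for all other inode types when the RCU callback fires; the definition of `struct inode` is not in this hunk, and if `i_link` shares storage with other per-type pointers this depends on each of them having been cleared earlier. Guarding the call, `if (S_ISLNK(inode->i_mode)) kfree(inode->i_link);`, would make the free independent of that assumption. The related hunks in include/linux/shmem_fs.h, `shmem_evict_inode()` and `shmem_symlink()` move ownership of the buffer to `inode->i_link`, which is what makes this the only place it is released.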
@@ -122824,6 +123040,18 @@ index 214d44a..dcb7f86 100644
  err_alloc:
  	return -ENOMEM;
  }
+diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
+index 416dfa0..6e41f17 100644
+--- a/net/ipv4/Kconfig
++++ b/net/ipv4/Kconfig
+@@ -353,6 +353,7 @@ config INET_ESP
+ 	select CRYPTO_CBC
+ 	select CRYPTO_SHA1
+ 	select CRYPTO_DES
++	select CRYPTO_ECHAINIV
+ 	---help---
+ 	  Support for IPsec ESP.
+ 
 diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
 index 4b16cf3..443b1d4 100644
 --- a/net/ipv4/af_inet.c
@@ -123430,6 +123658,44 @@ index e89094a..bd431045 100644
  }
  
  static int ping_v4_seq_show(struct seq_file *seq, void *v)
+diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
+index 3abd9d7..c5e4052 100644
+--- a/net/ipv4/proc.c
++++ b/net/ipv4/proc.c
+@@ -333,7 +333,7 @@ static void icmpmsg_put(struct seq_file *seq)
+ 
+ 	count = 0;
+ 	for (i = 0; i < ICMPMSG_MIB_MAX; i++) {
+-		val = atomic_long_read(&net->mib.icmpmsg_statistics->mibs[i]);
++		val = atomic_long_read_unchecked(&net->mib.icmpmsg_statistics->mibs[i]);
+ 		if (val) {
+ 			type[count] = i;
+ 			vals[count++] = val;
+@@ -352,7 +352,7 @@ static void icmp_put(struct seq_file *seq)
+ {
+ 	int i;
+ 	struct net *net = seq->private;
+-	atomic_long_t *ptr = net->mib.icmpmsg_statistics->mibs;
++	atomic_long_unchecked_t *ptr = net->mib.icmpmsg_statistics->mibs;
+ 
+ 	seq_puts(seq, "\nIcmp: InMsgs InErrors InCsumErrors");
+ 	for (i = 0; icmpmibmap[i].name != NULL; i++)
+@@ -366,13 +366,13 @@ static void icmp_put(struct seq_file *seq)
+ 		snmp_fold_field(net->mib.icmp_statistics, ICMP_MIB_CSUMERRORS));
+ 	for (i = 0; icmpmibmap[i].name != NULL; i++)
+ 		seq_printf(seq, " %lu",
+-			   atomic_long_read(ptr + icmpmibmap[i].index));
++			   atomic_long_read_unchecked(ptr + icmpmibmap[i].index));
+ 	seq_printf(seq, " %lu %lu",
+ 		snmp_fold_field(net->mib.icmp_statistics, ICMP_MIB_OUTMSGS),
+ 		snmp_fold_field(net->mib.icmp_statistics, ICMP_MIB_OUTERRORS));
+ 	for (i = 0; icmpmibmap[i].name != NULL; i++)
+ 		seq_printf(seq, " %lu",
+-			   atomic_long_read(ptr + (icmpmibmap[i].index | 0x100)));
++			   atomic_long_read_unchecked(ptr + (icmpmibmap[i].index | 0x100)));
+ }
+ 
+ /*
 diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
 index 561cd4b..a32a155 100644
 --- a/net/ipv4/raw.c
@@ -123697,7 +123963,7 @@ index ade7737..70ed9be 100644
  		goto err_reg;
  
 diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 0a2b61d..563a1d2 100644
+index 0a2b61d..e6e7d27 100644
 --- a/net/ipv4/tcp_input.c
 +++ b/net/ipv4/tcp_input.c
 @@ -786,7 +786,7 @@ static void tcp_update_pacing_rate(struct sock *sk)
@@ -123709,7 +123975,17 @@ index 0a2b61d..563a1d2 100644
  						sk->sk_max_pacing_rate);
  }
  
-@@ -4647,7 +4647,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
+@@ -2525,6 +2525,9 @@ static void tcp_cwnd_reduction(struct sock *sk, const int prior_unsacked,
+ 	int newly_acked_sacked = prior_unsacked -
+ 				 (tp->packets_out - tp->sacked_out);
+ 
++	if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd))
++		return;
++
+ 	tp->prr_delivered += newly_acked_sacked;
+ 	if (delta < 0) {
+ 		u64 dividend = (u64)tp->snd_ssthresh * tp->prr_delivered +
+@@ -4647,7 +4650,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
   * simplifies code)
   */
  static void
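Review bot: The new early return in `tcp_cwnd_reduction()` has no comment, and the two conditions guard different things. `newly_acked_sacked <= 0` means there is nothing new to account for, while `WARN_ON_ONCE(!tp->prior_cwnd)` presumably protects a later division by `tp->prior_cwnd` that lies outside this hunk. A comment such as `/* nothing newly delivered, or PRR state not set up: skip to avoid dividing by zero below */` would make that explicit. Returning here also skips whatever the rest of the function does with `tp->snd_cwnd`, which should be confirmed as intended.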
@@ -123718,7 +123994,7 @@ index 0a2b61d..563a1d2 100644
  	     struct sk_buff *head, struct sk_buff *tail,
  	     u32 start, u32 end)
  {
-@@ -5642,6 +5642,7 @@ discard:
+@@ -5642,6 +5645,7 @@ discard:
  	    tcp_paws_reject(&tp->rx_opt, 0))
  		goto discard_and_undo;
  
@@ -123726,7 +124002,7 @@ index 0a2b61d..563a1d2 100644
  	if (th->syn) {
  		/* We see SYN without ACK. It is attempt of
  		 * simultaneous connect with crossed SYNs.
-@@ -5693,6 +5694,7 @@ discard:
+@@ -5693,6 +5697,7 @@ discard:
  		goto discard;
  #endif
  	}
@@ -123734,7 +124010,7 @@ index 0a2b61d..563a1d2 100644
  	/* "fifth, if neither of the SYN or RST bits is set then
  	 * drop the segment and return."
  	 */
-@@ -5739,7 +5741,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+@@ -5739,7 +5744,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
  			goto discard;
  
  		if (th->syn) {
@@ -123743,7 +124019,7 @@ index 0a2b61d..563a1d2 100644
  				goto discard;
  			if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
  				return 1;
-@@ -6069,7 +6071,7 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops,
+@@ -6069,7 +6074,7 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops,
  
  		kmemcheck_annotate_bitfield(ireq, flags);
  		ireq->opt = NULL;
@@ -124064,8 +124340,20 @@ index c10a9ee..c621a01 100644
  err_alloc:
  	return -ENOMEM;
  }
+diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig
+index 983bb99..ebc39e1 100644
+--- a/net/ipv6/Kconfig
++++ b/net/ipv6/Kconfig
+@@ -69,6 +69,7 @@ config INET6_ESP
+ 	select CRYPTO_CBC
+ 	select CRYPTO_SHA1
+ 	select CRYPTO_DES
++	select CRYPTO_ECHAINIV
+ 	---help---
+ 	  Support for IPsec ESP.
+ 
 diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
-index ddd3511..9cad64b 100644
+index ddd3511..22c903e 100644
 --- a/net/ipv6/addrconf.c
 +++ b/net/ipv6/addrconf.c
 @@ -178,7 +178,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
@@ -124138,6 +124426,24 @@ index ddd3511..9cad64b 100644
  	for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
  		idx = 0;
  		head = &net->dev_index_head[h];
+@@ -4688,7 +4695,7 @@ static inline size_t inet6_if_nlmsg_size(void)
+ 	       + nla_total_size(inet6_ifla6_size()); /* IFLA_PROTINFO */
+ }
+ 
+-static inline void __snmp6_fill_statsdev(u64 *stats, atomic_long_t *mib,
++static inline void __snmp6_fill_statsdev(u64 *stats, atomic_long_unchecked_t *mib,
+ 				      int items, int bytes)
+ {
+ 	int i;
+@@ -4698,7 +4705,7 @@ static inline void __snmp6_fill_statsdev(u64 *stats, atomic_long_t *mib,
+ 	/* Use put_unaligned() because stats may not be aligned for u64. */
+ 	put_unaligned(items, &stats[0]);
+ 	for (i = 1; i < items; i++)
+-		put_unaligned(atomic_long_read(&mib[i]), &stats[i]);
++		put_unaligned(atomic_long_read_unchecked(&mib[i]), &stats[i]);
+ 
+ 	memset(&stats[items], 0, pad);
+ }
 @@ -5146,7 +5153,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
  		rt_genid_bump_ipv6(net);
  		break;
@@ -124514,9 +124820,53 @@ index 263a516..692f738 100644
  	inet6_unregister_protosw(&pingv6_protosw);
  }
 diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
-index 679253d0..70b653c 100644
+index 679253d0..d85dd97 100644
 --- a/net/ipv6/proc.c
 +++ b/net/ipv6/proc.c
+@@ -151,7 +151,7 @@ static const struct snmp_mib snmp6_udplite6_list[] = {
+ 	SNMP_MIB_SENTINEL
+ };
+ 
+-static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, atomic_long_t *smib)
++static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, atomic_long_unchecked_t *smib)
+ {
+ 	char name[32];
+ 	int i;
+@@ -168,14 +168,14 @@ static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, atomic_long_t *smib)
+ 		snprintf(name, sizeof(name), "Icmp6%s%s",
+ 			i & 0x100 ? "Out" : "In", p);
+ 		seq_printf(seq, "%-32s\t%lu\n", name,
+-			   atomic_long_read(smib + i));
++			   atomic_long_read_unchecked(smib + i));
+ 	}
+ 
+ 	/* print by number (nonzero only) - ICMPMsgStat format */
+ 	for (i = 0; i < ICMP6MSG_MIB_MAX; i++) {
+ 		unsigned long val;
+ 
+-		val = atomic_long_read(smib + i);
++		val = atomic_long_read_unchecked(smib + i);
+ 		if (!val)
+ 			continue;
+ 		snprintf(name, sizeof(name), "Icmp6%sType%u",
+@@ -188,7 +188,7 @@ static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, atomic_long_t *smib)
+  * or shared one (smib != NULL)
+  */
+ static void snmp6_seq_show_item(struct seq_file *seq, void __percpu *pcpumib,
+-				atomic_long_t *smib,
++				atomic_long_unchecked_t *smib,
+ 				const struct snmp_mib *itemlist)
+ {
+ 	int i;
+@@ -197,7 +197,7 @@ static void snmp6_seq_show_item(struct seq_file *seq, void __percpu *pcpumib,
+ 	for (i = 0; itemlist[i].name; i++) {
+ 		val = pcpumib ?
+ 			snmp_fold_field(pcpumib, itemlist[i].entry) :
+-			atomic_long_read(smib + itemlist[i].entry);
++			atomic_long_read_unchecked(smib + itemlist[i].entry);
+ 		seq_printf(seq, "%-32s\t%lu\n", itemlist[i].name, val);
+ 	}
+ }
 @@ -310,7 +310,7 @@ static int __net_init ipv6_proc_init_net(struct net *net)
  	if (!proc_create("snmp6", S_IRUGO, net->proc_net, &snmp6_seq_fops))
  		goto proc_snmp6_fail;
@@ -127806,7 +128156,7 @@ index 350cca3..a108fc5 100644
  	sub->evt.event = htohl(event, sub->swap);
  	sub->evt.found_lower = htohl(found_lower, sub->swap);
 diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 0fc6dba..adadbef 100644
+index 0fc6dba..8355d2c 100644
 --- a/net/unix/af_unix.c
 +++ b/net/unix/af_unix.c
 @@ -918,6 +918,12 @@ static struct sock *unix_find_other(struct net *net,
@@ -128015,7 +128365,15 @@ index 0fc6dba..adadbef 100644
  	return max_level;
  }
  
-@@ -2765,9 +2814,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2301,6 +2350,7 @@ again:
+ 
+ 			if (signal_pending(current)) {
+ 				err = sock_intr_errno(timeo);
++				scm_destroy(&scm);
+ 				goto out;
+ 			}
+ 
+@@ -2765,9 +2815,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
  		seq_puts(seq, "Num       RefCount Protocol Flags    Type St "
  			 "Inode Path\n");
  	else {
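Review bot: `scm_destroy(&scm)` is added only on the `signal_pending()` path, immediately before `goto out`. If other branches in the same function also reach `out` after `scm` has been filled in, they would need the same release; they are outside this hunk, so this cannot be checked here. Doing the cleanup once at a shared exit label, or adding a comment at `out:` saying which paths must call `scm_destroy()` themselves, would keep the next early exit from leaking.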
@@ -128030,7 +128388,7 @@ index 0fc6dba..adadbef 100644
  
  		seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
  			s,
-@@ -2792,10 +2845,29 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2792,10 +2846,29 @@ static int unix_seq_show(struct seq_file *seq, void *v)
  				seq_putc(seq, '@');
  				i++;
  			}

diff --git a/4.3.4/4427_force_XATTR_PAX_tmpfs.patch b/4.3.4/4427_force_XATTR_PAX_tmpfs.patch
index 22c9273..d03130d 100644
--- a/4.3.4/4427_force_XATTR_PAX_tmpfs.patch
+++ b/4.3.4/4427_force_XATTR_PAX_tmpfs.patch
@@ -6,7 +6,7 @@ namespace supported on tmpfs so that the PaX markings survive emerge.
 diff -Naur a/mm/shmem.c b/mm/shmem.c
 --- a/mm/shmem.c	2013-06-11 21:00:18.000000000 -0400
 +++ b/mm/shmem.c	2013-06-11 21:08:18.000000000 -0400
-@@ -2558,11 +2558,7 @@
+@@ -2556,11 +2556,7 @@
  static int shmem_xattr_validate(const char *name)
  {
  	struct { const char *prefix; size_t len; } arr[] = {
@@ -18,7 +18,7 @@ diff -Naur a/mm/shmem.c b/mm/shmem.c
  		{ XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
  		{ XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
  	};
-@@ -2618,14 +2614,12 @@
+@@ -2616,14 +2612,12 @@
  	if (err)
  		return err;
  

diff --git a/4.3.4/4450_grsec-kconfig-default-gids.patch b/4.3.4/4450_grsec-kconfig-default-gids.patch
index 9524b1f..c56ca90 100644
--- a/4.3.4/4450_grsec-kconfig-default-gids.patch
+++ b/4.3.4/4450_grsec-kconfig-default-gids.patch
@@ -16,7 +16,7 @@ from shooting themselves in the foot.
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2012-10-13 09:51:35.000000000 -0400
 +++ b/grsecurity/Kconfig	2012-10-13 09:52:32.000000000 -0400
-@@ -694,7 +694,7 @@
+@@ -697,7 +697,7 @@
  config GRKERNSEC_AUDIT_GID
  	int "GID for auditing"
  	depends on GRKERNSEC_AUDIT_GROUP
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  
  config GRKERNSEC_EXECLOG
  	bool "Exec logging"
-@@ -925,7 +925,7 @@
+@@ -928,7 +928,7 @@
  config GRKERNSEC_TPE_UNTRUSTED_GID
  	int "GID for TPE-untrusted users"
  	depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Setting this GID determines what group TPE restrictions will be
  	  *enabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -934,7 +934,7 @@
+@@ -937,7 +937,7 @@
  config GRKERNSEC_TPE_TRUSTED_GID
  	int "GID for TPE-trusted users"
  	depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Setting this GID determines what group TPE restrictions will be
  	  *disabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -1019,7 +1019,7 @@
+@@ -1022,7 +1022,7 @@
  config GRKERNSEC_SOCKET_ALL_GID
  	int "GID to deny all sockets for"
  	depends on GRKERNSEC_SOCKET_ALL
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Here you can choose the GID to disable socket access for. Remember to
  	  add the users you want socket access disabled for to the GID
-@@ -1040,7 +1040,7 @@
+@@ -1043,7 +1043,7 @@
  config GRKERNSEC_SOCKET_CLIENT_GID
  	int "GID to deny client sockets for"
  	depends on GRKERNSEC_SOCKET_CLIENT
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Here you can choose the GID to disable client socket access for.
  	  Remember to add the users you want client socket access disabled for to
-@@ -1058,7 +1058,7 @@
+@@ -1061,7 +1061,7 @@
  config GRKERNSEC_SOCKET_SERVER_GID
  	int "GID to deny server sockets for"
  	depends on GRKERNSEC_SOCKET_SERVER

diff --git a/4.3.4/4465_selinux-avc_audit-log-curr_ip.patch b/4.3.4/4465_selinux-avc_audit-log-curr_ip.patch
index 28f2163..d2e466f 100644
--- a/4.3.4/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/4.3.4/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2011-04-17 19:25:54.000000000 -0400
 +++ b/grsecurity/Kconfig	2011-04-17 19:32:53.000000000 -0400
-@@ -1153,6 +1153,27 @@
+@@ -1156,6 +1156,27 @@
  menu "Logging Options"
  depends on GRKERNSEC
  



* [gentoo-commits] proj/hardened-patchset:master commit in: 4.3.4/
@ 2016-01-30 12:29 Anthony G. Basile
  0 siblings, 0 replies; 2+ messages in thread
From: Anthony G. Basile @ 2016-01-30 12:29 UTC (permalink / raw
  To: gentoo-commits

commit:     92b230adb84942fe6bf8d05cc6012ce0f98050a7
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sat Jan 30 12:37:58 2016 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 12:37:58 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=92b230ad

grsecurity-3.1-4.3.4-201601292206

 4.3.4/0000_README                                  |   2 +-
 ...> 4420_grsecurity-3.1-4.3.4-201601292206.patch} | 204 ++++++++++++++++++---
 2 files changed, 179 insertions(+), 27 deletions(-)

diff --git a/4.3.4/0000_README b/4.3.4/0000_README
index 158f0b1..ce73e44 100644
--- a/4.3.4/0000_README
+++ b/4.3.4/0000_README
@@ -6,7 +6,7 @@ Patch:	1003_linux-4.3.4.patch
 From:	http://www.kernel.org
 Desc:	Linux 4.3.4
 
-Patch:	4420_grsecurity-3.1-4.3.4-201601261954.patch
+Patch:	4420_grsecurity-3.1-4.3.4-201601292206.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/4.3.4/4420_grsecurity-3.1-4.3.4-201601261954.patch b/4.3.4/4420_grsecurity-3.1-4.3.4-201601292206.patch
similarity index 99%
rename from 4.3.4/4420_grsecurity-3.1-4.3.4-201601261954.patch
rename to 4.3.4/4420_grsecurity-3.1-4.3.4-201601292206.patch
index f866bc7..92cf754 100644
--- a/4.3.4/4420_grsecurity-3.1-4.3.4-201601261954.patch
+++ b/4.3.4/4420_grsecurity-3.1-4.3.4-201601292206.patch
@@ -75860,14 +75860,17 @@ index 155f842..89922d8 100644
  
  	file = aio_private_file(ctx, nr_pages);
 diff --git a/fs/attr.c b/fs/attr.c
-index 6530ced..4a827e2 100644
+index 6530ced..559e5e6 100644
 --- a/fs/attr.c
 +++ b/fs/attr.c
-@@ -102,6 +102,7 @@ int inode_newsize_ok(const struct inode *inode, loff_t offset)
+@@ -102,6 +102,10 @@ int inode_newsize_ok(const struct inode *inode, loff_t offset)
  		unsigned long limit;
  
  		limit = rlimit(RLIMIT_FSIZE);
-+		gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
++		if (offset > ULONG_MAX)
++			gr_learn_resource(current, RLIMIT_FSIZE, ULONG_MAX, 1);
++		else if (offset > 0)
++			gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
  		if (limit != RLIM_INFINITY && offset > limit)
  			goto out_sig;
  		if (offset > inode->i_sb->s_maxbytes)
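Review bot: The clamp in front of `gr_learn_resource()` in inode_newsize_ok() is undocumented and duplicates the call, since the two branches differ only in the third argument. A comment such as `/* loff_t can be wider than unsigned long: report ULONG_MAX rather than a truncated value, and skip non-positive offsets */` would state the intent, which I am inferring from the `ULONG_MAX` comparison. Computing the clamped value once and making a single call would read more simply. The `offset > limit` test just below still compares the signed `offset` with the unsigned `limit` directly, so the two checks now treat the same value differently. The function body continues outside the hunk.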
@@ -77631,7 +77634,7 @@ index b406a32..243eb1c 100644
  GLOBAL_EXTERN atomic_t smBufAllocCount;
  GLOBAL_EXTERN atomic_t midCount;
 diff --git a/fs/cifs/file.c b/fs/cifs/file.c
-index 62203c3..93267bf 100644
+index 62203c3..fa2d9b3 100644
 --- a/fs/cifs/file.c
 +++ b/fs/cifs/file.c
 @@ -2054,10 +2054,14 @@ static int cifs_writepages(struct address_space *mapping,
@@ -77652,6 +77655,15 @@ index 62203c3..93267bf 100644
  		scanned = true;
  	}
  	server = cifs_sb_master_tcon(cifs_sb)->ses->server;
+@@ -2531,7 +2535,7 @@ cifs_write_from_iter(loff_t offset, size_t len, struct iov_iter *from,
+ 		wdata->pid = pid;
+ 		wdata->bytes = cur_len;
+ 		wdata->pagesz = PAGE_SIZE;
+-		wdata->tailsz = cur_len - ((nr_pages - 1) * PAGE_SIZE);
++		wdata->tailsz = cur_len - nr_pages * PAGE_SIZE + PAGE_SIZE;
+ 		wdata->credits = credits;
+ 
+ 		if (!wdata->cfile->invalidHandle ||
 diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
 index 8442b8b..ea6986f 100644
 --- a/fs/cifs/misc.c
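Review bot: The rewritten `wdata->tailsz = cur_len - nr_pages * PAGE_SIZE + PAGE_SIZE;` in cifs_write_from_iter() is harder to read than the line it replaces and has no comment explaining the reordering. Judging by the `uconst_neg_intentional_overflow()` comment added to the size_overflow plugin in this same commit, the aim is to avoid the form gcc generates for `(nr_pages - 1) * PAGE_SIZE`. Say so next to the expression, e.g. `/* written without (nr_pages - 1) for the size_overflow plugin; value is unchanged */`. If the operands are unsigned, as the `u32 = u64 - ...` line in that plugin comment suggests, the intermediate `cur_len - nr_pages * PAGE_SIZE` wraps whenever the last page is partial and the final addition wraps it back, which looks like a bug at first glance and deserves a mention. The same applies to the `max_data` initialiser in calc_max_reserv() in the fs/gfs2/file.c hunk that follows.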
@@ -82037,6 +82049,19 @@ index ebb5e37..beae05b 100644
  			do_wakeup = 1;
  	}
  
+diff --git a/fs/gfs2/file.c b/fs/gfs2/file.c
+index cf4ab89..5a00960 100644
+--- a/fs/gfs2/file.c
++++ b/fs/gfs2/file.c
+@@ -781,7 +781,7 @@ static void calc_max_reserv(struct gfs2_inode *ip, loff_t *len,
+ {
+ 	loff_t max = *len;
+ 	const struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode);
+-	unsigned int tmp, max_data = max_blocks - 3 * (sdp->sd_max_height - 1);
++	unsigned int tmp, max_data = max_blocks - 3 * sdp->sd_max_height + 3;
+ 
+ 	for (tmp = max_data; tmp > sdp->sd_diptrs;) {
+ 		tmp = DIV_ROUND_UP(tmp, sdp->sd_inptrs);
 diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
 index 9bd1244..b8c82d9 100644
 --- a/fs/gfs2/glock.c
@@ -112918,6 +112943,46 @@ index 6d2a119..ac24f34 100644
  
  static inline void put_prev_task(struct rq *rq, struct task_struct *prev)
  {
+diff --git a/kernel/seccomp.c b/kernel/seccomp.c
+index 5bd4779..6bf906d 100644
+--- a/kernel/seccomp.c
++++ b/kernel/seccomp.c
+@@ -316,24 +316,24 @@ static inline void seccomp_sync_threads(void)
+ 		put_seccomp_filter(thread);
+ 		smp_store_release(&thread->seccomp.filter,
+ 				  caller->seccomp.filter);
++
++		/*
++		 * Don't let an unprivileged task work around
++		 * the no_new_privs restriction by creating
++		 * a thread that sets it up, enters seccomp,
++		 * then dies.
++		 */
++		if (task_no_new_privs(caller))
++			task_set_no_new_privs(thread);
++
+ 		/*
+ 		 * Opt the other thread into seccomp if needed.
+ 		 * As threads are considered to be trust-realm
+ 		 * equivalent (see ptrace_may_access), it is safe to
+ 		 * allow one thread to transition the other.
+ 		 */
+-		if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) {
+-			/*
+-			 * Don't let an unprivileged task work around
+-			 * the no_new_privs restriction by creating
+-			 * a thread that sets it up, enters seccomp,
+-			 * then dies.
+-			 */
+-			if (task_no_new_privs(caller))
+-				task_set_no_new_privs(thread);
+-
++		if (thread->seccomp.mode == SECCOMP_MODE_DISABLED)
+ 			seccomp_assign_mode(thread, SECCOMP_MODE_FILTER);
+-		}
+ 	}
+ }
+ 
 diff --git a/kernel/signal.c b/kernel/signal.c
 index 0f6bbbe..4791c7d 100644
 --- a/kernel/signal.c
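Review bot: The relocated comment in seccomp_sync_threads() still only describes the thread-that-dies scenario and does not say why the `task_no_new_privs(caller)` check now sits outside the `SECCOMP_MODE_DISABLED` test. With the new placement, every sibling that receives the caller's filter also gets no_new_privs, including threads that were already in filter mode, which the old placement skipped. Adding a line such as `* Propagate it to every thread, not only those entering seccomp here.` to the comment would record that. The start of the function and the loop header are outside the hunk.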
@@ -150284,10 +150349,10 @@ index 0000000..cc20d48
 +#endif
 diff --git a/tools/gcc/size_overflow_plugin/intentional_overflow.c b/tools/gcc/size_overflow_plugin/intentional_overflow.c
 new file mode 100644
-index 0000000..7d9135d
+index 0000000..bd18a67
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/intentional_overflow.c
-@@ -0,0 +1,1032 @@
+@@ -0,0 +1,1116 @@
 +/*
 + * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
 + * Licensed under the GPL v2, or (at your option) v3
@@ -150495,9 +150560,6 @@ index 0000000..7d9135d
 +	switch (TREE_CODE(node)) {
 +	case COMPONENT_REF:
 +		cur_decl = search_field_decl(node);
-+		// !!! temporarily ignore bitfield types
-+		if (DECL_BIT_FIELD_TYPE(cur_decl))
-+			return MARK_YES;
 +		if (is_turn_off_intentional_attr(cur_decl))
 +			return MARK_TURN_OFF;
 +		if (is_end_intentional_intentional_attr(cur_decl))
@@ -150526,9 +150588,6 @@ index 0000000..7d9135d
 +		break;
 +	}
 +	case FIELD_DECL:
-+		// !!! temporarily ignore bitfield types
-+		if (DECL_BIT_FIELD_TYPE(node))
-+			return MARK_YES;
 +	case VAR_DECL:
 +		if (is_end_intentional_intentional_attr(node))
 +			return MARK_END_INTENTIONAL;
@@ -151320,6 +151379,96 @@ index 0000000..7d9135d
 +	add_rhs2 = gimple_assign_rhs2(add_stmt);
 +	return check_add_stmt(add_rhs2);
 +}
++
++/* True:
++ * _25 = (<unnamed-unsigned:1>) _24;
++ * r_5(D)->stereo = _25;
++ */
++bool is_bitfield_unnamed_cast(const_tree decl, gassign *assign)
++{
++	const_tree rhs, type;
++	gimple def_stmt;
++
++	if (TREE_CODE(decl) != FIELD_DECL)
++		return false;
++	if (!DECL_BIT_FIELD_TYPE(decl))
++		return false;
++	if (gimple_num_ops(assign) != 2)
++		return false;
++
++	rhs = gimple_assign_rhs1(assign);
++	if (is_gimple_constant(rhs))
++		return false;
++	type = TREE_TYPE(rhs);
++	if (TREE_CODE(type) == BOOLEAN_TYPE)
++		return false;
++
++	def_stmt = get_def_stmt(rhs);
++	if (!gimple_assign_cast_p(def_stmt))
++		return false;
++	return TYPE_PRECISION(type) < CHAR_TYPE_SIZE;
++}
++
++static bool is_mult_const(const_tree lhs)
++{
++	const_gimple def_stmt;
++	const_tree rhs1, rhs2;
++
++	def_stmt = get_def_stmt(lhs);
++	if (!def_stmt || gimple_assign_rhs_code(def_stmt) != MULT_EXPR)
++		return false;
++
++	rhs1 = gimple_assign_rhs1(def_stmt);
++	rhs2 = gimple_assign_rhs2(def_stmt);
++	if (is_gimple_constant(rhs1))
++		return !is_lt_signed_type_max(rhs1);
++	else if (is_gimple_constant(rhs2))
++		return !is_lt_signed_type_max(rhs2);
++	return false;
++}
++
++/* True:
++ * fs/cifs/file.c cifs_write_from_iter()
++ * u32 = u64 - (u64 - constant) * constant
++ * wdata->tailsz = cur_len - (nr_pages - 1) * PAGE_SIZE;
++ *
++ * _51 = _50 * 4294963200;
++ * _52 = _49 + _51;
++ * _53 = _52 + 4096;
++ */
++
++bool uconst_neg_intentional_overflow(struct visited *visited, const gassign *stmt)
++{
++	const_gimple def_stmt;
++	const_tree noconst_rhs;
++	tree rhs1, rhs2;
++
++	// _53 = _52 + const;
++	if (gimple_assign_rhs_code(stmt) != PLUS_EXPR)
++		return false;
++	rhs1 = gimple_assign_rhs1(stmt);
++	rhs2 = gimple_assign_rhs2(stmt);
++	if (is_gimple_constant(rhs1))
++		noconst_rhs = rhs2;
++	else if (is_gimple_constant(rhs2))
++		noconst_rhs = rhs1;
++	else
++		return false;
++	def_stmt = get_def_stmt(noconst_rhs);
++
++	// _52 = _49 + _51;
++	if (!def_stmt)
++		return false;
++	if (gimple_assign_rhs_code(def_stmt) != PLUS_EXPR)
++		return false;
++	rhs1 = gimple_assign_rhs1(def_stmt);
++	rhs2 = gimple_assign_rhs2(def_stmt);
++	if (is_gimple_constant(rhs1) || is_gimple_constant(rhs2))
++		return false;
++
++	// _51 = _50 * gt signed type max;
++	return is_mult_const(rhs1) || is_mult_const(rhs2);
++}
 diff --git a/tools/gcc/size_overflow_plugin/remove_unnecessary_dup.c b/tools/gcc/size_overflow_plugin/remove_unnecessary_dup.c
 new file mode 100644
 index 0000000..5622b51
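Review bot: `is_bitfield_unnamed_cast()` passes the result of `get_def_stmt(rhs)` straight to `gimple_assign_cast_p()` without a NULL test, while the two functions added below it both check `!def_stmt` first, which suggests `get_def_stmt()` can return NULL. Suggest `if (!def_stmt || !gimple_assign_cast_p(def_stmt)) return false;`. `is_mult_const()` and `uconst_neg_intentional_overflow()` also call `gimple_assign_rhs_code()` on the definition without first confirming it is an assignment; whether `get_def_stmt()` guarantees that is not visible here. The `visited` parameter of `uconst_neg_intentional_overflow()` is unused.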
@@ -151465,10 +151614,10 @@ index 0000000..5622b51
 +
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow.h b/tools/gcc/size_overflow_plugin/size_overflow.h
 new file mode 100644
-index 0000000..5fd6c28
+index 0000000..ee57a00
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow.h
-@@ -0,0 +1,323 @@
+@@ -0,0 +1,325 @@
 +#ifndef SIZE_OVERFLOW_H
 +#define SIZE_OVERFLOW_H
 +
@@ -151673,6 +151822,8 @@ index 0000000..5fd6c28
 +extern enum intentional_overflow_type add_mul_intentional_overflow(const gassign *stmt);
 +extern void unsigned_signed_cast_intentional_overflow(struct visited *visited, gassign *stmt);
 +extern bool neg_short_add_intentional_overflow(gassign *stmt);
++extern bool is_bitfield_unnamed_cast(const_tree decl, gassign *assign);
++extern bool uconst_neg_intentional_overflow(struct visited *visited, const gassign *stmt);
 +
 +
 +// insert_size_overflow_asm.c
@@ -175586,12 +175737,12 @@ index 0000000..6075e8f
 +
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin/size_overflow_plugin.c
 new file mode 100644
-index 0000000..f1cc040
+index 0000000..f50c635
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_plugin.c
 @@ -0,0 +1,318 @@
 +/*
-+ * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
++ * Copyright 2011-2016 by Emese Revfy <re.emese@gmail.com>
 + * Licensed under the GPL v2, or (at your option) v3
 + *
 + * Homepage:
@@ -175621,7 +175772,7 @@ index 0000000..f1cc040
 +tree size_overflow_type_TI;
 +
 +static struct plugin_info size_overflow_plugin_info = {
-+	.version	= "20151201",
++	.version	= "20160128",
 +	.help		= "no-size-overflow\tturn off size overflow checking\n",
 +};
 +
@@ -176268,10 +176419,10 @@ index 0000000..317cd6c
 +
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_transform.c b/tools/gcc/size_overflow_plugin/size_overflow_transform.c
 new file mode 100644
-index 0000000..8f42c7e
+index 0000000..f9de78e
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_transform.c
-@@ -0,0 +1,749 @@
+@@ -0,0 +1,745 @@
 +/*
 + * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
 + * Licensed under the GPL v2, or (at your option) v3
@@ -176457,9 +176608,6 @@ index 0000000..8f42c7e
 +
 +	if (skip_types(orig_node))
 +		return head;
-+	// !!! temporarily ignore bitfield types
-+	if (orig_code == FIELD_DECL && DECL_BIT_FIELD_TYPE(orig_node))
-+		return head;
 +
 +	// find a defining marked caller argument or struct field for arg
 +	if (check_intentional_size_overflow_asm_and_attribute(orig_node) != MARK_NO)
@@ -176818,8 +176966,7 @@ index 0000000..8f42c7e
 +	if (DECL_NAME(decl) == NULL_TREE)
 +		return head;
 +
-+	// !!! temporarily ignore bitfield types
-+	if (TREE_CODE(decl) == FIELD_DECL && DECL_BIT_FIELD_TYPE(decl))
++	if (is_bitfield_unnamed_cast(decl, assign))
 +		return head;
 +
 +	next_node = get_interesting_function_next_node(decl, 0);
@@ -177023,10 +177170,10 @@ index 0000000..8f42c7e
 +}
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_transform_core.c b/tools/gcc/size_overflow_plugin/size_overflow_transform_core.c
 new file mode 100644
-index 0000000..8a30b3b
+index 0000000..2ab3b9e
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_transform_core.c
-@@ -0,0 +1,1010 @@
+@@ -0,0 +1,1015 @@
 +/*
 + * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
 + * Licensed under the GPL v2, or (at your option) v3
@@ -177945,6 +178092,11 @@ index 0000000..8a30b3b
 +	if (TREE_CODE_CLASS(gimple_assign_rhs_code(def_stmt)) == tcc_comparison)
 +		return handle_comparison_code_class(visited, expand_from, def_stmt, new_rhs1, new_rhs2);
 +
++	if (uconst_neg_intentional_overflow(visited, def_stmt)) {
++		inform(gimple_location(def_stmt), "%s: gcc intentional overflow", __func__);
++		gcc_unreachable();
++	}
++
 +	return dup_assign(visited, def_stmt, lhs, new_rhs1, new_rhs2, NULL_TREE);
 +}
 +
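Review bot: A match from `uconst_neg_intentional_overflow()` ends the compile with `gcc_unreachable()`, i.e. an internal compiler error, preceded only by an `inform()` note. Anyone building code that happens to match the pattern gets an ICE rather than a diagnostic that says what to change. If stopping the build is intended, `error_at(gimple_location(def_stmt), ...)` with a message naming the expression form to rewrite would be clearer. A comment pointing at the cifs_write_from_iter() and calc_max_reserv() rewrites in this commit as examples would also help. The enclosing function starts outside the hunk.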

