commit:     116b95f1a7590519be254e3128fefd92d8eaaefd
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Oct 11 22:56:14 2015 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 22:56:14 2015 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=116b95f1

grsecurity-3.1-4.2.3-201510092347

 4.2.3/0000_README                                  |   2 +-
 ...> 4420_grsecurity-3.1-4.2.3-201510092347.patch} | 252 +++++++++++++++++++--
 2 files changed, 235 insertions(+), 19 deletions(-)

diff --git a/4.2.3/0000_README b/4.2.3/0000_README
index 08d9f55..1d05b9f 100644
--- a/4.2.3/0000_README
+++ b/4.2.3/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.2.3-201510072230.patch
+Patch: 4420_grsecurity-3.1-4.2.3-201510092347.patch
 From:  http://www.grsecurity.net
 Desc:  hardened-sources base patch from upstream grsecurity
 

diff --git a/4.2.3/4420_grsecurity-3.1-4.2.3-201510072230.patch 
b/4.2.3/4420_grsecurity-3.1-4.2.3-201510092347.patch
similarity index 99%
rename from 4.2.3/4420_grsecurity-3.1-4.2.3-201510072230.patch
rename to 4.2.3/4420_grsecurity-3.1-4.2.3-201510092347.patch
index b4b589d..5075ca5 100644
--- a/4.2.3/4420_grsecurity-3.1-4.2.3-201510072230.patch
+++ b/4.2.3/4420_grsecurity-3.1-4.2.3-201510092347.patch
@@ -24915,7 +24915,7 @@ index eec40f5..4fee808 100644
  #include <asm/processor.h>
  #include <asm/fcntl.h>
 diff --git a/arch/x86/kernel/espfix_64.c b/arch/x86/kernel/espfix_64.c
-index ce95676..da8c6ff 100644
+index ce95676..af5c012 100644
 --- a/arch/x86/kernel/espfix_64.c
 +++ b/arch/x86/kernel/espfix_64.c
 @@ -41,6 +41,7 @@
@@ -24939,12 +24939,12 @@ index ce95676..da8c6ff 100644
  
  static unsigned int page_random, slot_random;
  
-@@ -122,14 +125,25 @@ static void init_espfix_random(void)
+@@ -122,10 +125,19 @@ static void init_espfix_random(void)
  void __init init_espfix_bsp(void)
  {
        pgd_t *pgd_p;
 +      pud_t *pud_p;
-+      unsigned long addr, index = pgd_index(ESPFIX_BASE_ADDR);
++      unsigned long index = pgd_index(ESPFIX_BASE_ADDR);
  
        /* Install the espfix pud into the kernel page directory */
 -      pgd_p = &init_level4_pgt[pgd_index(ESPFIX_BASE_ADDR)];
@@ -24961,13 +24961,7 @@ index ce95676..da8c6ff 100644
  
        /* Randomize the locations */
        init_espfix_random();
- 
-+      addr = espfix_base_addr(0);
-+
-       /* The rest is the same as for any other processor */
-       init_espfix_ap(0);
- }
-@@ -170,35 +184,39 @@ void init_espfix_ap(int cpu)
+@@ -170,35 +182,39 @@ void init_espfix_ap(int cpu)
        pud_p = &espfix_pud_page[pud_index(addr)];
        pud = *pud_p;
        if (!pud_present(pud)) {
@@ -26887,6 +26881,80 @@ index c2bedae..25e7ab60 100644
        .attr = {
                .name = "data",
                .mode = S_IRUGO,
+diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c
+index 49487b4..a94a0d3 100644
+--- a/arch/x86/kernel/kvmclock.c
++++ b/arch/x86/kernel/kvmclock.c
+@@ -29,7 +29,7 @@
+ #include <asm/x86_init.h>
+ #include <asm/reboot.h>
+ 
+-static int kvmclock = 1;
++static int kvmclock __read_only = 1;
+ static int msr_kvm_system_time = MSR_KVM_SYSTEM_TIME;
+ static int msr_kvm_wall_clock = MSR_KVM_WALL_CLOCK;
+ 
+@@ -41,7 +41,7 @@ static int parse_no_kvmclock(char *arg)
+ early_param("no-kvmclock", parse_no_kvmclock);
+ 
+ /* The hypervisor will put information about time periodically here */
+-static struct pvclock_vsyscall_time_info *hv_clock;
++static struct pvclock_vsyscall_time_info hv_clock[NR_CPUS] __page_aligned_bss;
+ static struct pvclock_wall_clock wall_clock;
+ 
+ /*
+@@ -132,7 +132,7 @@ bool kvm_check_and_clear_guest_paused(void)
+       struct pvclock_vcpu_time_info *src;
+       int cpu = smp_processor_id();
+ 
+-      if (!hv_clock)
++      if (!kvmclock)
+               return ret;
+ 
+       src = &hv_clock[cpu].pvti;
+@@ -159,7 +159,7 @@ int kvm_register_clock(char *txt)
+       int low, high, ret;
+       struct pvclock_vcpu_time_info *src;
+ 
+-      if (!hv_clock)
++      if (!kvmclock)
+               return 0;
+ 
+       src = &hv_clock[cpu].pvti;
+@@ -219,7 +219,6 @@ static void kvm_shutdown(void)
+ void __init kvmclock_init(void)
+ {
+       struct pvclock_vcpu_time_info *vcpu_time;
+-      unsigned long mem;
+       int size, cpu;
+       u8 flags;
+ 
+@@ -237,15 +236,8 @@ void __init kvmclock_init(void)
+       printk(KERN_INFO "kvm-clock: Using msrs %x and %x",
+               msr_kvm_system_time, msr_kvm_wall_clock);
+ 
+-      mem = memblock_alloc(size, PAGE_SIZE);
+-      if (!mem)
+-              return;
+-      hv_clock = __va(mem);
+-      memset(hv_clock, 0, size);
+-
+       if (kvm_register_clock("primary cpu clock")) {
+-              hv_clock = NULL;
+-              memblock_free(mem, size);
++              kvmclock = 0;
+               return;
+       }
+       pv_time_ops.sched_clock = kvm_clock_read;
+@@ -286,7 +278,7 @@ int __init kvm_setup_vsyscall_timeinfo(void)
+       struct pvclock_vcpu_time_info *vcpu_time;
+       unsigned int size;
+ 
+-      if (!hv_clock)
++      if (!kvmclock)
+               return 0;
+ 
+       size = PAGE_ALIGN(sizeof(struct pvclock_vsyscall_time_info)*NR_CPUS);
 diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
 index 2bcc052..864eb84 100644
 --- a/arch/x86/kernel/ldt.c
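Review bot: The new `static struct pvclock_vsyscall_time_info hv_clock[NR_CPUS] __page_aligned_bss;` is page-aligned at its start but not padded at its end, while `kvm_setup_vsyscall_timeinfo` still computes `size = PAGE_ALIGN(sizeof(struct pvclock_vsyscall_time_info)*NR_CPUS)`; if that size is used to map the array into the user-visible pvclock fixmap (the mapping itself is outside the hunk), any ordinary .bss objects placed after the array in its last page become readable from userspace, which the removed `memblock_alloc(size, PAGE_SIZE)` avoided by handing out whole pages. Unless `sizeof(struct pvclock_vsyscall_time_info) * NR_CPUS` is guaranteed to be a page multiple, size the array in whole pages, e.g. `static struct pvclock_vsyscall_time_info hv_clock[PAGE_ALIGN(sizeof(struct pvclock_vsyscall_time_info) * NR_CPUS) / sizeof(struct pvclock_vsyscall_time_info)] __page_aligned_bss;`. Separately, `kvmclock` is now `__read_only` yet `kvmclock_init` stores `kvmclock = 0` on registration failure; that is presumably legal only because the function is `__init` and runs before read-only data is sealed, which deserves a comment such as `/* kvmclock is __read_only: this store is valid only because we are still in __init, before the section is sealed */`. The bodies of kvmclock_init and kvm_setup_vsyscall_timeinfo extend beyond the hunk.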
@@ -33514,10 +33582,19 @@ index 81bf3d2..7ef25c2 100644
         * XXX: batch / limit 'nr', to avoid large irq off latency
         * needs some instrumenting to determine the common sizes used by
 diff --git a/arch/x86/mm/highmem_32.c b/arch/x86/mm/highmem_32.c
-index eecb207a..ad42a30 100644
+index eecb207a..808343a 100644
 --- a/arch/x86/mm/highmem_32.c
 +++ b/arch/x86/mm/highmem_32.c
-@@ -45,7 +45,9 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot)
+@@ -35,6 +35,8 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot)
+       unsigned long vaddr;
+       int idx, type;
+ 
++      BUG_ON(pgprot_val(prot) & _PAGE_USER);
++
+       preempt_disable();
+       pagefault_disable();
+ 
+@@ -45,7 +47,9 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot)
        idx = type + KM_TYPE_NR*smp_processor_id();
        vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
        BUG_ON(!pte_none(*(kmap_pte-idx)));
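Review bot: The added `BUG_ON(pgprot_val(prot) & _PAGE_USER);` in kmap_atomic_prot has no comment stating which invariant it enforces or why a violation is fatal rather than corrected, so a reader hitting the panic has to guess. Suggest placing `/* kmap slots live in the kernel-only fixmap; a prot carrying _PAGE_USER could expose the mapped page to userspace, so treat it as a bug instead of silently masking the bit */` above it. It is correctly placed before `preempt_disable()`/`pagefault_disable()`, so a trip does not leave those counters unbalanced. kmap_atomic_prot's body continues beyond the hunk.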
@@ -34682,7 +34759,7 @@ index 9f0614d..92ae64a 100644
        p += get_opcode(p, &opcode);
        for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
 diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
-index fb0a9dd..72a6e6f 100644
+index fb0a9dd..6fc86ab 100644
 --- a/arch/x86/mm/pgtable.c
 +++ b/arch/x86/mm/pgtable.c
 @@ -98,10 +98,75 @@ static inline void pgd_list_del(pgd_t *pgd)
@@ -34970,6 +35047,55 @@ index fb0a9dd..72a6e6f 100644
        pgd_dtor(pgd);
        paravirt_pgd_free(mm, pgd);
        _pgd_free(pgd);
+@@ -544,6 +616,40 @@ void __init reserve_top_address(unsigned long reserve)
+ 
+ int fixmaps_set;
+ 
++static void fix_user_fixmap(enum fixed_addresses idx, unsigned long address)
++{
++#ifdef CONFIG_X86_64
++      pgd_t *pgd;
++      pud_t *pud;
++      pmd_t *pmd;
++
++      switch (idx) {
++      default:
++              return;
++
++#ifdef CONFIG_X86_VSYSCALL_EMULATION
++      case VSYSCALL_PAGE:
++#endif
++#ifdef CONFIG_PARAVIRT_CLOCK
++      case PVCLOCK_FIXMAP_BEGIN ... PVCLOCK_FIXMAP_END:
++#endif
++              break;
++      }
++
++      pgd = pgd_offset_k(address);
++      if (!(pgd_val(*pgd) & _PAGE_USER))
++              set_pgd(pgd, __pgd(pgd_val(*pgd) | _PAGE_USER));
++
++      pud = pud_offset(pgd, address);
++      if (!(pud_val(*pud) & _PAGE_USER))
++              set_pud(pud, __pud(pud_val(*pud) | _PAGE_USER));
++
++      pmd = pmd_offset(pud, address);
++      if (!(pmd_val(*pmd) & _PAGE_USER))
++              set_pmd(pmd, __pmd(pmd_val(*pmd) | _PAGE_USER));
++#endif
++}
++
+ void __native_set_fixmap(enum fixed_addresses idx, pte_t pte)
+ {
+       unsigned long address = __fix_to_virt(idx);
+@@ -554,6 +660,7 @@ void __native_set_fixmap(enum fixed_addresses idx, pte_t 
pte)
+       }
+       set_pte_vaddr(address, pte);
+       fixmaps_set++;
++      fix_user_fixmap(idx, address);
+ }
+ 
+ void native_set_fixmap(enum fixed_addresses idx, phys_addr_t phys,
 diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c
 index 90555bf..f5f1828 100644
 --- a/arch/x86/mm/setup_nx.c
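Review bot: fix_user_fixmap rewrites the pgd, pud and pmd entries covering `address` with `_PAGE_USER` but carries no comment on why the upper levels need the bit, what else those entries cover, or why only VSYSCALL_PAGE and the PVCLOCK range qualify, and that reasoning is the function's entire security argument. Suggest a header comment saying that these fixmap pages are meant to be user-readable, that the kernel page-table hierarchy above the fixmap area presumably lacks `_PAGE_USER` in this tree so every level must carry it for the access to succeed, and that sibling fixmap slots under the same pmd stay kernel-only because their PTEs lack the bit and `default: return;` skips every other index. The comment should also record two assumptions worth confirming: `set_pte_vaddr()` has already flushed `address` before the upper-level bits change, so a stale paging-structure entry can at most cause a spurious fault until the next flush, and the edit lands in the kernel master pgd only, so it must run before any user pgd is cloned from it. The `pud_offset`/`pmd_offset` walks assume each level is present, which holds only because `set_pte_vaddr()` populated them a moment earlier. `__native_set_fixmap` starts outside the hunk.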
@@ -37079,6 +37205,33 @@ index 45e7d51..2967121 100644
        if (!ret)
                kobject_uevent(&pinst->kobj, KOBJ_ADD);
  
+diff --git a/crypto/scatterwalk.c b/crypto/scatterwalk.c
+index ea5815c..5880da6 100644
+--- a/crypto/scatterwalk.c
++++ b/crypto/scatterwalk.c
+@@ -109,14 +109,20 @@ void scatterwalk_map_and_copy(void *buf, struct 
scatterlist *sg,
+ {
+       struct scatter_walk walk;
+       struct scatterlist tmp[2];
++      void *realbuf = buf;
+ 
+       if (!nbytes)
+               return;
+ 
+       sg = scatterwalk_ffwd(tmp, sg, start);
+ 
+-      if (sg_page(sg) == virt_to_page(buf) &&
+-          sg->offset == offset_in_page(buf))
++#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
++      if (object_starts_on_stack(buf))
++              realbuf = buf - current->stack + current->lowmem_stack;
++#endif
++
++      if (sg_page(sg) == virt_to_page(realbuf) &&
++          sg->offset == offset_in_page(realbuf))
+               return;
+ 
+       scatterwalk_start(&walk, sg);
 diff --git a/crypto/zlib.c b/crypto/zlib.c
 index d51a30a..fb1f8af 100644
 --- a/crypto/zlib.c
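Review bot: The `object_starts_on_stack(buf)` translation lacks a comment explaining that under CONFIG_GRKERNSEC_KSTACKOVERFLOW the thread stack is presumably not in the direct map, where `virt_to_page()` yields garbage, and that `realbuf` serves only the page-identity test while the copy that follows keeps using `buf`; suggest `/* KSTACKOVERFLOW stacks are outside the direct map: compare against the lowmem alias, but keep copying through buf */`. Only the start of `buf` is tested, so a buffer that straddles the stack boundary, or one living on an interrupt stack rather than `current->stack`, would still reach `virt_to_page()` on a non-lowmem address; worth confirming that scatterwalk callers cannot produce either. The rest of scatterwalk_map_and_copy is outside the hunk.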
@@ -50874,10 +51027,20 @@ index 487be20..f4c87bc 100644
                err = 0;
                break;
 diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
-index 079f7ad..b2a2bfa7 100644
+index 079f7ad..7e59810 100644
 --- a/drivers/net/slip/slhc.c
 +++ b/drivers/net/slip/slhc.c
-@@ -487,7 +487,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char 
*icp, int isize)
+@@ -94,6 +94,9 @@ slhc_init(int rslots, int tslots)
+       register struct cstate *ts;
+       struct slcompress *comp;
+ 
++      if (rslots <= 0 || tslots <= 0 || rslots >= 256 || tslots >= 256)
++              goto out_fail;
++
+       comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
+       if (! comp)
+               goto out_fail;
+@@ -487,7 +490,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char 
*icp, int isize)
        register struct tcphdr *thp;
        register struct iphdr *ip;
        register struct cstate *cs;
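Review bot: The new guard in slhc_init rejects `rslots`/`tslots` of 0 or ≥256 without saying why those bounds matter, and it routes the rejection through `out_fail` exactly like an allocation failure, so a caller cannot distinguish bad parameters from ENOMEM; if `out_fail` returns NULL (the label is outside the hunk) that is still the safe outcome, but a comment is due: `/* slot ids are carried in a single byte on the wire and presumably index the per-slot state arrays; 0 or >255 slots would make those indices unusable */`. If these counts can come from userspace (ioctl-configured slot counts), an explicit -EINVAL would be the better signal than a bare failure. slhc_init's body continues beyond the hunk.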
@@ -102842,6 +103005,18 @@ index e951453..0685f5b 100644
  }
  
  #endif /* __NET_NET_NAMESPACE_H */
+diff --git a/include/net/netfilter/nf_conntrack.h 
b/include/net/netfilter/nf_conntrack.h
+index 37cd391..4023c4c 100644
+--- a/include/net/netfilter/nf_conntrack.h
++++ b/include/net/netfilter/nf_conntrack.h
+@@ -292,6 +292,7 @@ extern unsigned int nf_conntrack_hash_rnd;
+ void init_nf_conntrack_hash_rnd(void);
+ 
+ struct nf_conn *nf_ct_tmpl_alloc(struct net *net, u16 zone, gfp_t flags);
++void nf_ct_tmpl_free(struct nf_conn *tmpl);
+ 
+ #define NF_CT_STAT_INC(net, count)      __this_cpu_inc((net)->ct.stat->count)
+ #define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)
 diff --git a/include/net/netlink.h b/include/net/netlink.h
 index 2a5dbcc..8243656 100644
 --- a/include/net/netlink.h
@@ -121709,10 +121884,25 @@ index 45da11a..ef3e5dc 100644
        table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table),
                        GFP_KERNEL);
 diff --git a/net/netfilter/nf_conntrack_core.c 
b/net/netfilter/nf_conntrack_core.c
-index 3c20d02..b7e071a 100644
+index 3c20d02..b2c15f4 100644
 --- a/net/netfilter/nf_conntrack_core.c
 +++ b/net/netfilter/nf_conntrack_core.c
-@@ -1753,6 +1753,10 @@ void nf_conntrack_init_end(void)
+@@ -320,12 +320,13 @@ out_free:
+ }
+ EXPORT_SYMBOL_GPL(nf_ct_tmpl_alloc);
+ 
+-static void nf_ct_tmpl_free(struct nf_conn *tmpl)
++void nf_ct_tmpl_free(struct nf_conn *tmpl)
+ {
+       nf_ct_ext_destroy(tmpl);
+       nf_ct_ext_free(tmpl);
+       kfree(tmpl);
+ }
++EXPORT_SYMBOL_GPL(nf_ct_tmpl_free);
+ 
+ static void
+ destroy_conntrack(struct nf_conntrack *nfct)
+@@ -1753,6 +1754,10 @@ void nf_conntrack_init_end(void)
  #define DYING_NULLS_VAL               ((1<<30)+1)
  #define TEMPLATE_NULLS_VAL    ((1<<30)+2)
  
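Review bot: `nf_ct_tmpl_free` becomes a GPL-exported API without a comment stating its contract: it is the only correct way to release a template obtained from `nf_ct_tmpl_alloc`, since the template is released with `kfree` after `nf_ct_ext_free` (`nf_ct_ext_free(tmpl); kfree(tmpl);`) and presumably does not come from the conntrack slab that `nf_conntrack_free` returns objects to. Suggest `/* Release a template from nf_ct_tmpl_alloc(); never hand it to nf_conntrack_free(), which assumes a slab object */` above the definition, mirrored on the header declaration. It would also be worth grepping the tree for any other `nf_ct_tmpl_alloc` user still calling `nf_conntrack_free`, since this patch converts only synproxy and xt_CT.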
@@ -121723,7 +121913,7 @@ index 3c20d02..b7e071a 100644
  int nf_conntrack_init_net(struct net *net)
  {
        int ret = -ENOMEM;
-@@ -1777,7 +1781,11 @@ int nf_conntrack_init_net(struct net *net)
+@@ -1777,7 +1782,11 @@ int nf_conntrack_init_net(struct net *net)
        if (!net->ct.stat)
                goto err_pcpu_lists;
  
@@ -121854,6 +122044,19 @@ index c68c1e5..8b5d670 100644
        mutex_unlock(&nf_sockopt_mutex);
  }
  EXPORT_SYMBOL(nf_unregister_sockopt);
+diff --git a/net/netfilter/nf_synproxy_core.c 
b/net/netfilter/nf_synproxy_core.c
+index d7f1685..d6ee8f8 100644
+--- a/net/netfilter/nf_synproxy_core.c
++++ b/net/netfilter/nf_synproxy_core.c
+@@ -378,7 +378,7 @@ static int __net_init synproxy_net_init(struct net *net)
+ err3:
+       free_percpu(snet->stats);
+ err2:
+-      nf_conntrack_free(ct);
++      nf_ct_tmpl_free(ct);
+ err1:
+       return err;
+ }
 diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
 index 4670821..a6c3c47d 100644
 --- a/net/netfilter/nfnetlink_log.c
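Review bot: The `err3` path now frees the template with `nf_ct_tmpl_free`, but the allocation in `synproxy_net_init` and the matching release on the net-exit path are outside the hunk; confirm the exit path releases the template through a route that also ends in `nf_ct_tmpl_free`, otherwise the same allocator mismatch survives on the non-error path. A one-line comment at `err3`, `/* template came from nf_ct_tmpl_alloc, not the conntrack slab */`, would stop the next reader from "fixing" it back to `nf_conntrack_free`.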
@@ -121896,6 +122099,19 @@ index 66def31..d64a66d 100644
  }
  
  static const struct nla_policy nft_match_policy[NFTA_MATCH_MAX + 1] = {
+diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
+index 43ddeee..f3377ce 100644
+--- a/net/netfilter/xt_CT.c
++++ b/net/netfilter/xt_CT.c
+@@ -233,7 +233,7 @@ out:
+       return 0;
+ 
+ err3:
+-      nf_conntrack_free(ct);
++      nf_ct_tmpl_free(ct);
+ err2:
+       nf_ct_l3proto_module_put(par->family);
+ err1:
 diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c
 new file mode 100644
 index 0000000..c566332
