commit:     de0f65da3cbe9d37cb7b2e5ece46152fd8274ed7
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 15 01:42:23 2015 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Oct 15 01:42:23 2015 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=de0f65da

grsecurity-3.1-4.2.3-201510130858

 4.2.3/0000_README                                  |   2 +-
 ...> 4420_grsecurity-3.1-4.2.3-201510130858.patch} | 205 ++++++++++++++++++++-
 2 files changed, 200 insertions(+), 7 deletions(-)

diff --git a/4.2.3/0000_README b/4.2.3/0000_README
index f4ca83e..4b76bbf 100644
--- a/4.2.3/0000_README
+++ b/4.2.3/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.2.3-201510111839.patch
+Patch: 4420_grsecurity-3.1-4.2.3-201510130858.patch
 From:  http://www.grsecurity.net
 Desc:  hardened-sources base patch from upstream grsecurity
 

diff --git a/4.2.3/4420_grsecurity-3.1-4.2.3-201510111839.patch 
b/4.2.3/4420_grsecurity-3.1-4.2.3-201510130858.patch
similarity index 99%
rename from 4.2.3/4420_grsecurity-3.1-4.2.3-201510111839.patch
rename to 4.2.3/4420_grsecurity-3.1-4.2.3-201510130858.patch
index 3eeb3c5..28448c3 100644
--- a/4.2.3/4420_grsecurity-3.1-4.2.3-201510111839.patch
+++ b/4.2.3/4420_grsecurity-3.1-4.2.3-201510130858.patch
@@ -37144,6 +37144,20 @@ index d6e5ba3..2bb142c 100644
                        return ERR_PTR(-EINVAL);
  
                nr_pages += end - start;
+diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
+index d6283b3..9cc48d1d 100644
+--- a/block/blk-cgroup.c
++++ b/block/blk-cgroup.c
+@@ -387,6 +387,9 @@ static void blkg_destroy_all(struct request_queue *q)
+               blkg_destroy(blkg);
+               spin_unlock(&blkcg->lock);
+       }
++
++      q->root_blkg = NULL;
++      q->root_rl.blkg = NULL;
+ }
+ 
+ /*
 diff --git a/block/blk-iopoll.c b/block/blk-iopoll.c
 index 0736729..2ec3b48 100644
 --- a/block/blk-iopoll.c
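Review bot: The two assignments added at the end of blkg_destroy_all(), `q->root_blkg = NULL;` and `q->root_rl.blkg = NULL;`, carry no comment saying why they are needed. The loop above them destroys each blkg, so these cached pointers would presumably otherwise keep referring to a destroyed object. A one-line comment such as `/* every blkg is destroyed above; drop the cached root pointers so nothing dereferences a stale one */` would record that. The function body starts outside the hunk, so it is not visible whether the stores rely on a lock held at this point; if they do, the comment should say which one.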
@@ -56284,7 +56298,7 @@ index 382d3fc..b16d625 100644
  
        dlci->modem_rx = 0;
 diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index ee8bfac..9e4ed6f 100644
+index ee8bfac..95461a3 100644
 --- a/drivers/tty/n_tty.c
 +++ b/drivers/tty/n_tty.c
 @@ -116,7 +116,7 @@ struct n_tty_data {
@@ -56296,7 +56310,50 @@ index ee8bfac..9e4ed6f 100644
        size_t line_start;
  
        /* protected by output lock */
-@@ -2579,6 +2579,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
+@@ -343,8 +343,7 @@ static void n_tty_packet_mode_flush(struct tty_struct *tty)
+               spin_lock_irqsave(&tty->ctrl_lock, flags);
+               tty->ctrl_status |= TIOCPKT_FLUSHREAD;
+               spin_unlock_irqrestore(&tty->ctrl_lock, flags);
+-              if (waitqueue_active(&tty->link->read_wait))
+-                      wake_up_interruptible(&tty->link->read_wait);
++              wake_up_interruptible(&tty->link->read_wait);
+       }
+ }
+ 
+@@ -1382,8 +1381,7 @@ handle_newline:
+                       put_tty_queue(c, ldata);
+                       smp_store_release(&ldata->canon_head, ldata->read_head);
+                       kill_fasync(&tty->fasync, SIGIO, POLL_IN);
+-                      if (waitqueue_active(&tty->read_wait))
+-                              wake_up_interruptible_poll(&tty->read_wait, 
POLLIN);
++                      wake_up_interruptible_poll(&tty->read_wait, POLLIN);
+                       return 0;
+               }
+       }
+@@ -1667,8 +1665,7 @@ static void __receive_buf(struct tty_struct *tty, const 
unsigned char *cp,
+ 
+       if ((read_cnt(ldata) >= ldata->minimum_to_wake) || L_EXTPROC(tty)) {
+               kill_fasync(&tty->fasync, SIGIO, POLL_IN);
+-              if (waitqueue_active(&tty->read_wait))
+-                      wake_up_interruptible_poll(&tty->read_wait, POLLIN);
++              wake_up_interruptible_poll(&tty->read_wait, POLLIN);
+       }
+ }
+ 
+@@ -1887,10 +1884,8 @@ static void n_tty_set_termios(struct tty_struct *tty, 
struct ktermios *old)
+       }
+ 
+       /* The termios change make the tty ready for I/O */
+-      if (waitqueue_active(&tty->write_wait))
+-              wake_up_interruptible(&tty->write_wait);
+-      if (waitqueue_active(&tty->read_wait))
+-              wake_up_interruptible(&tty->read_wait);
++      wake_up_interruptible(&tty->write_wait);
++      wake_up_interruptible(&tty->read_wait);
+ }
+ 
+ /**
+@@ -2579,6 +2574,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
  {
        *ops = tty_ldisc_N_TTY;
        ops->owner = NULL;
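Review bot: The `waitqueue_active()` guards are dropped at five wake-up sites in n_tty.c (n_tty_packet_mode_flush, the handle_newline path, __receive_buf, and both calls in n_tty_set_termios), and nothing says why the calls are now unconditional. An unbarriered `waitqueue_active()` test can miss a waiter that is just being queued, which is presumably the reason. A short comment at one site, e.g. `/* no waitqueue_active() shortcut: without a barrier it can miss a sleeper being queued */`, would keep the check from being re-added later as an optimisation. All of these functions start outside their hunks.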
@@ -57058,11 +57115,147 @@ index b5b4278..bb9c7b0 100644
                char c;
  
                if (get_user(c, buf))
+diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
+index 4cf263d..fd011fa 100644
+--- a/drivers/tty/tty_buffer.c
++++ b/drivers/tty/tty_buffer.c
+@@ -242,7 +242,10 @@ void tty_buffer_flush(struct tty_struct *tty, struct 
tty_ldisc *ld)
+       atomic_inc(&buf->priority);
+ 
+       mutex_lock(&buf->lock);
+-      while ((next = buf->head->next) != NULL) {
++      /* paired w/ release in __tty_buffer_request_room; ensures there are
++       * no pending memory accesses to the freed buffer
++       */
++      while ((next = smp_load_acquire(&buf->head->next)) != NULL) {
+               tty_buffer_free(port, buf->head);
+               buf->head = next;
+       }
+@@ -290,13 +293,15 @@ static int __tty_buffer_request_room(struct tty_port 
*port, size_t size,
+               if (n != NULL) {
+                       n->flags = flags;
+                       buf->tail = n;
+-                      b->commit = b->used;
+-                      /* paired w/ barrier in flush_to_ldisc(); ensures the
++                      /* paired w/ acquire in flush_to_ldisc(); ensures
++                       * flush_to_ldisc() sees buffer data.
++                       */
++                      smp_store_release(&b->commit, b->used);
++                      /* paired w/ acquire in flush_to_ldisc(); ensures the
+                        * latest commit value can be read before the head is
+                        * advanced to the next buffer
+                        */
+-                      smp_wmb();
+-                      b->next = n;
++                      smp_store_release(&b->next, n);
+               } else if (change)
+                       size = 0;
+               else
+@@ -394,7 +399,10 @@ void tty_schedule_flip(struct tty_port *port)
+ {
+       struct tty_bufhead *buf = &port->buf;
+ 
+-      buf->tail->commit = buf->tail->used;
++      /* paired w/ acquire in flush_to_ldisc(); ensures
++       * flush_to_ldisc() sees buffer data.
++       */
++      smp_store_release(&buf->tail->commit, buf->tail->used);
+       schedule_work(&buf->work);
+ }
+ EXPORT_SYMBOL(tty_schedule_flip);
+@@ -469,7 +477,7 @@ static void flush_to_ldisc(struct work_struct *work)
+       struct tty_struct *tty;
+       struct tty_ldisc *disc;
+ 
+-      tty = port->itty;
++      tty = READ_ONCE(port->itty);
+       if (tty == NULL)
+               return;
+ 
+@@ -488,13 +496,15 @@ static void flush_to_ldisc(struct work_struct *work)
+               if (atomic_read(&buf->priority))
+                       break;
+ 
+-              next = head->next;
+-              /* paired w/ barrier in __tty_buffer_request_room();
++              /* paired w/ release in __tty_buffer_request_room();
+                * ensures commit value read is not stale if the head
+                * is advancing to the next buffer
+                */
+-              smp_rmb();
+-              count = head->commit - head->read;
++              next = smp_load_acquire(&head->next);
++              /* paired w/ release in __tty_buffer_request_room() or in
++               * tty_buffer_flush(); ensures we see the committed buffer data
++               */
++              count = smp_load_acquire(&head->commit) - head->read;
+               if (!count) {
+                       if (next == NULL) {
+                               check_other_closed(tty);
 diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
-index 57fc6ee..b83cc81 100644
+index 57fc6ee..62fa290 100644
 --- a/drivers/tty/tty_io.c
 +++ b/drivers/tty/tty_io.c
-@@ -3501,7 +3501,7 @@ EXPORT_SYMBOL(tty_devnum);
+@@ -2136,8 +2136,24 @@ retry_open:
+       if (!noctty &&
+           current->signal->leader &&
+           !current->signal->tty &&
+-          tty->session == NULL)
+-              __proc_set_tty(tty);
++          tty->session == NULL) {
++              /*
++               * Don't let a process that only has write access to the tty
++               * obtain the privileges associated with having a tty as
++               * controlling terminal (being able to reopen it with full
++               * access through /dev/tty, being able to perform pushback).
++               * Many distributions set the group of all ttys to "tty" and
++               * grant write-only access to all terminals for setgid tty
++               * binaries, which should not imply full privileges on all ttys.
++               *
++               * This could theoretically break old code that performs open()
++               * on a write-only file descriptor. In that case, it might be
++               * necessary to also permit this if
++               * inode_permission(inode, MAY_READ) == 0.
++               */
++              if (filp->f_mode & FMODE_READ)
++                      __proc_set_tty(tty);
++      }
+       spin_unlock_irq(&current->sighand->siglock);
+       read_unlock(&tasklist_lock);
+       tty_unlock(tty);
+@@ -2426,7 +2442,7 @@ static int fionbio(struct file *file, int __user *p)
+  *            Takes ->siglock() when updating signal->tty
+  */
+ 
+-static int tiocsctty(struct tty_struct *tty, int arg)
++static int tiocsctty(struct tty_struct *tty, struct file *file, int arg)
+ {
+       int ret = 0;
+ 
+@@ -2460,6 +2476,13 @@ static int tiocsctty(struct tty_struct *tty, int arg)
+                       goto unlock;
+               }
+       }
++
++      /* See the comment in tty_open(). */
++      if ((file->f_mode & FMODE_READ) == 0 && !capable(CAP_SYS_ADMIN)) {
++              ret = -EPERM;
++              goto unlock;
++      }
++
+       proc_set_tty(tty);
+ unlock:
+       read_unlock(&tasklist_lock);
+@@ -2852,7 +2875,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, 
unsigned long arg)
+               no_tty();
+               return 0;
+       case TIOCSCTTY:
+-              return tiocsctty(tty, arg);
++              return tiocsctty(tty, file, arg);
+       case TIOCGPGRP:
+               return tiocgpgrp(tty, real_tty, p);
+       case TIOCSPGRP:
+@@ -3501,7 +3524,7 @@ EXPORT_SYMBOL(tty_devnum);
  
  void tty_default_fops(struct file_operations *fops)
  {
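Review bot: In the tty_io.c part, tiocsctty() gains a `struct file *file` parameter and a new `-EPERM` path, but the doc comment whose tail is visible just above the signature is not touched, so neither is described. If that block is kernel-doc, as the `Takes ->siglock()` line suggests, add ` *	@file: file the ioctl was issued on` and a sentence that the call fails with -EPERM when the file is not open for reading and the caller lacks CAP_SYS_ADMIN. The tty_open() comment should also state that this path skips `__proc_set_tty()` silently and has no CAP_SYS_ADMIN exception, unlike the ioctl path, so the asymmetry reads as intended rather than overlooked. Both functions start and end outside their hunks.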
@@ -125541,7 +125734,7 @@ index c0a932d..817c587 100755
  # Find all available archs
  find_all_archs()
 diff --git a/security/Kconfig b/security/Kconfig
-index bf4ec46..20e8f1f 100644
+index bf4ec46..3303bc0 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
 @@ -4,6 +4,981 @@
@@ -126376,7 +126569,7 @@ index bf4ec46..20e8f1f 100644
 +
 +config PAX_MEMORY_UDEREF
 +      bool "Prevent invalid userland pointer dereference"
-+      default y if GRKERNSEC_CONFIG_AUTO && !(X86_64 && 
GRKERNSEC_CONFIG_PRIORITY_PERF) && (!X86 || GRKERNSEC_CONFIG_VIRT_NONE || 
GRKERNSEC_CONFIG_VIRT_EPT)
++      default y if GRKERNSEC_CONFIG_AUTO && !(X86_64 && 
GRKERNSEC_CONFIG_PRIORITY_PERF) && !(X86_64 && GRKERNSEC_CONFIG_VIRT_HOST && 
GRKERNSEC_CONFIG_VIRT_VIRTUALBOX) && (!X86 || GRKERNSEC_CONFIG_VIRT_NONE || 
GRKERNSEC_CONFIG_VIRT_EPT)
 +      depends on (X86 || (ARM && (CPU_V6 || CPU_V6K || CPU_V7) && !ARM_LPAE)) 
&& !UML_X86 && !XEN
 +      select PAX_PER_CPU_PGD if X86_64
 +      help
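Review bot: The new `!(X86_64 && GRKERNSEC_CONFIG_VIRT_HOST && GRKERNSEC_CONFIG_VIRT_VIRTUALBOX)` term in the `default y` line leaves PAX_MEMORY_UDEREF off by default for that configuration, and nothing visible in the entry says so. The help text starts at the last line of the hunk and is not shown; it may need a sentence noting that automatic configuration does not enable this protection on x86_64 VirtualBox hosts. The condition is also long enough that a reader has to untangle several negations. A separate line ahead of it, `default n if X86_64 && GRKERNSEC_CONFIG_VIRT_HOST && GRKERNSEC_CONFIG_VIRT_VIRTUALBOX`, would express the same exclusion more readably.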
