commit:     5aca1e28bedeb8f51a52cfc922e0749f75809504
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Tue Jan 19 00:20:58 2016 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Tue Jan 19 00:20:58 2016 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=5aca1e28

grsecurity-3.1-4.3.3-201601171913

 4.3.3/0000_README                                  |   2 +-
 ...> 4420_grsecurity-3.1-4.3.3-201601171913.patch} | 211 +++++++++++++--------
 2 files changed, 135 insertions(+), 78 deletions(-)

diff --git a/4.3.3/0000_README b/4.3.3/0000_README
index 8ff755f..737c59b 100644
--- a/4.3.3/0000_README
+++ b/4.3.3/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.3.3-201601161757.patch
+Patch: 4420_grsecurity-3.1-4.3.3-201601171913.patch
 From:  http://www.grsecurity.net
 Desc:  hardened-sources base patch from upstream grsecurity
 

diff --git a/4.3.3/4420_grsecurity-3.1-4.3.3-201601161757.patch 
b/4.3.3/4420_grsecurity-3.1-4.3.3-201601171913.patch
similarity index 99%
rename from 4.3.3/4420_grsecurity-3.1-4.3.3-201601161757.patch
rename to 4.3.3/4420_grsecurity-3.1-4.3.3-201601171913.patch
index 15482a1..c47605c 100644
--- a/4.3.3/4420_grsecurity-3.1-4.3.3-201601161757.patch
+++ b/4.3.3/4420_grsecurity-3.1-4.3.3-201601171913.patch
@@ -42417,24 +42417,58 @@ index 6068d82..7ecd87c 100644
  
  static const struct vga_switcheroo_client_ops amdgpu_switcheroo_ops = {
 diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c 
b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
-index b190c2a..d1b18c2 100644
+index b190c2a..67a7707 100644
 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
 +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
-@@ -544,8 +544,12 @@ static int __init amdgpu_init(void)
+@@ -471,7 +471,7 @@ static struct drm_driver kms_driver = {
+       .driver_features =
+           DRIVER_USE_AGP |
+           DRIVER_HAVE_IRQ | DRIVER_IRQ_SHARED | DRIVER_GEM |
+-          DRIVER_PRIME | DRIVER_RENDER,
++          DRIVER_PRIME | DRIVER_RENDER | DRIVER_MODESET,
+       .dev_priv_size = 0,
+       .load = amdgpu_driver_load_kms,
+       .open = amdgpu_driver_open_kms,
+@@ -522,9 +522,6 @@ static struct drm_driver kms_driver = {
+       .patchlevel = KMS_DRIVER_PATCHLEVEL,
+ };
+ 
+-static struct drm_driver *driver;
+-static struct pci_driver *pdriver;
+-
+ static struct pci_driver amdgpu_kms_pci_driver = {
+       .name = DRIVER_NAME,
+       .id_table = pciidlist,
+@@ -542,22 +539,23 @@ static int __init amdgpu_init(void)
+       }
+ #endif
        DRM_INFO("amdgpu kernel modesetting enabled.\n");
-       driver = &kms_driver;
-       pdriver = &amdgpu_kms_pci_driver;
+-      driver = &kms_driver;
+-      pdriver = &amdgpu_kms_pci_driver;
 -      driver->driver_features |= DRIVER_MODESET;
 -      driver->num_ioctls = amdgpu_max_kms_ioctl;
 +
 +      pax_open_kernel();
-+      *(u32 *)&driver->driver_features |= DRIVER_MODESET;
-+      *(int *)&driver->num_ioctls = amdgpu_max_kms_ioctl;
++      *(int *)&kms_driver.num_ioctls = amdgpu_max_kms_ioctl;
 +      pax_close_kernel();
 +
        amdgpu_register_atpx_handler();
  
        amdgpu_amdkfd_init();
+ 
+       /* let modprobe override vga console setting */
+-      return drm_pci_init(driver, pdriver);
++      return drm_pci_init(&kms_driver, &amdgpu_kms_pci_driver);
+ }
+ 
+ static void __exit amdgpu_exit(void)
+ {
+       amdgpu_amdkfd_fini();
+-      drm_pci_exit(driver, pdriver);
++      drm_pci_exit(&kms_driver, &amdgpu_kms_pci_driver);
+       amdgpu_unregister_atpx_handler();
+ }
+ 
 diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c 
b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
 index 5d11e79..04cc53e 100644
 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
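Review bot: In amdgpu_init the remaining write is still spelled `*(int *)&kms_driver.num_ioctls = amdgpu_max_kms_ioctl;`, casting away the const that the `__do_const` struct drm_driver carries, while the i915 hunk of this same update removes every such cast by declaring its driver as `drm_driver_no_const driver __read_only`. Using the typedef for kms_driver as well would let the line read `kms_driver.num_ioctls = amdgpu_max_kms_ioctl;` inside the same pax_open_kernel()/pax_close_kernel() pair, so the compiler keeps checking the field type instead of trusting the cast. The same cast form is left in both radeon_init hunks further down.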
@@ -43160,7 +43194,7 @@ index d93e737..edb8a4a 100644
        int retcode = -EINVAL;
        char stack_kdata[128];
 diff --git a/drivers/gpu/drm/drm_pci.c b/drivers/gpu/drm/drm_pci.c
-index 1b1bd42..0e49027 100644
+index 1b1bd42..2d28e80 100644
 --- a/drivers/gpu/drm/drm_pci.c
 +++ b/drivers/gpu/drm/drm_pci.c
 @@ -305,7 +305,7 @@ int drm_get_pci_dev(struct pci_dev *pdev, const struct 
pci_device_id *ent,
@@ -43172,16 +43206,19 @@ index 1b1bd42..0e49027 100644
  
        return 0;
  
-@@ -340,7 +340,7 @@ int drm_pci_init(struct drm_driver *driver, struct 
pci_driver *pdriver)
+@@ -340,7 +340,10 @@ int drm_pci_init(struct drm_driver *driver, struct 
pci_driver *pdriver)
                return pci_register_driver(pdriver);
  
        /* If not using KMS, fall back to stealth mode manual scanning. */
 -      INIT_LIST_HEAD(&driver->legacy_dev_list);
++      pax_open_kernel();
 +      INIT_LIST_HEAD((struct list_head *)&driver->legacy_dev_list);
++      pax_close_kernel();
++
        for (i = 0; pdriver->id_table[i].vendor != 0; i++) {
                pid = &pdriver->id_table[i];
  
-@@ -446,7 +446,7 @@ void drm_pci_exit(struct drm_driver *driver, struct 
pci_driver *pdriver)
+@@ -446,7 +449,7 @@ void drm_pci_exit(struct drm_driver *driver, struct 
pci_driver *pdriver)
        } else {
                list_for_each_entry_safe(dev, tmp, &driver->legacy_dev_list,
                                         legacy_dev_list) {
@@ -43226,18 +43263,14 @@ index d4813e0..6c1ab4d 100644
                pipeconf_reg = PIPECCONF;
                dspcntr_reg = DSPCCNTR;
 diff --git a/drivers/gpu/drm/gma500/psb_drv.c 
b/drivers/gpu/drm/gma500/psb_drv.c
-index 92e7e57..f59f5d3 100644
+index 92e7e57..5d74ff5 100644
 --- a/drivers/gpu/drm/gma500/psb_drv.c
 +++ b/drivers/gpu/drm/gma500/psb_drv.c
-@@ -376,7 +376,10 @@ static int psb_driver_load(struct drm_device *dev, 
unsigned long flags)
+@@ -376,7 +376,6 @@ static int psb_driver_load(struct drm_device *dev, 
unsigned long flags)
  
        dev->vblank_disable_allowed = true;
        dev->max_vblank_count = 0xffffff; /* only 24 bits of frame count */
 -      dev->driver->get_vblank_counter = psb_get_vblank_counter;
-+
-+      pax_open_kernel();
-+      *(void **)&dev->driver->get_vblank_counter = psb_get_vblank_counter;
-+      pax_close_kernel();
  
        psb_modeset_init(dev);
        psb_fbdev_init(dev);
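Review bot: The psb_driver_load hunk now drops the `get_vblank_counter` assignment outright instead of wrapping it in pax_open_kernel()/pax_close_kernel(), and nothing visible here shows where the hook is set instead. That is only safe if the driver's static struct drm_driver initializer already carries `.get_vblank_counter = psb_get_vblank_counter`; the initializer is outside this hunk, so that should be confirmed. A one-line comment where the assignment used to be would record the reason, e.g. `/* get_vblank_counter is set in the static drm_driver initializer */`. psb_driver_load's body continues outside the hunk.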
@@ -43315,48 +43348,47 @@ index ab37d11..5cbacc7 100644
 -int i915_max_ioctl = ARRAY_SIZE(i915_ioctls);
 +const int i915_max_ioctl = ARRAY_SIZE(i915_ioctls);
 diff --git a/drivers/gpu/drm/i915/i915_drv.c b/drivers/gpu/drm/i915/i915_drv.c
-index ab64d68..e6be8e5 100644
+index ab64d68..b74a68e 100644
 --- a/drivers/gpu/drm/i915/i915_drv.c
 +++ b/drivers/gpu/drm/i915/i915_drv.c
-@@ -1697,25 +1697,27 @@ static struct pci_driver i915_pci_driver = {
+@@ -40,7 +40,7 @@
+ #include <linux/pm_runtime.h>
+ #include <drm/drm_crtc_helper.h>
+ 
+-static struct drm_driver driver;
++static drm_driver_no_const driver;
+ 
+ #define GEN_DEFAULT_PIPEOFFSETS \
+       .pipe_offsets = { PIPE_A_OFFSET, PIPE_B_OFFSET, \
+@@ -1643,7 +1643,7 @@ static const struct file_operations i915_driver_fops = {
+       .llseek = noop_llseek,
+ };
+ 
+-static struct drm_driver driver = {
++static drm_driver_no_const driver __read_only = {
+       /* Don't use MTRRs here; the Xserver or userspace app should
+        * deal with them for Intel hardware.
+        */
+@@ -1697,6 +1697,7 @@ static struct pci_driver i915_pci_driver = {
  
  static int __init i915_init(void)
  {
--      driver.num_ioctls = i915_max_ioctl;
 +      pax_open_kernel();
-+      *(int *)&driver.num_ioctls = i915_max_ioctl;
+       driver.num_ioctls = i915_max_ioctl;
  
        /*
-        * Enable KMS by default, unless explicitly overriden by
-        * either the i915.modeset prarameter or by the
-        * vga_text_mode_force boot option.
-        */
--      driver.driver_features |= DRIVER_MODESET;
-+      *(u32 *)&driver.driver_features |= DRIVER_MODESET;
- 
-       if (i915.modeset == 0)
--              driver.driver_features &= ~DRIVER_MODESET;
-+              *(u32 *)&driver.driver_features &= ~DRIVER_MODESET;
- 
- #ifdef CONFIG_VGA_CONSOLE
-       if (vgacon_text_force() && i915.modeset == -1)
--              driver.driver_features &= ~DRIVER_MODESET;
-+              *(u32 *)&driver.driver_features &= ~DRIVER_MODESET;
- #endif
+@@ -1716,6 +1717,7 @@ static int __init i915_init(void)
  
        if (!(driver.driver_features & DRIVER_MODESET)) {
--              driver.get_vblank_timestamp = NULL;
-+              *(void **)&driver.get_vblank_timestamp = NULL;
+               driver.get_vblank_timestamp = NULL;
 +              pax_close_kernel();
                /* Silently fail loading to not upset userspace. */
                DRM_DEBUG_DRIVER("KMS and UMS disabled.\n");
                return 0;
-@@ -1727,7 +1729,8 @@ static int __init i915_init(void)
-        * a single CRTC will actually work.
+@@ -1728,6 +1730,7 @@ static int __init i915_init(void)
         */
        if (driver.driver_features & DRIVER_MODESET)
--              driver.driver_features |= DRIVER_ATOMIC;
-+              *(u32 *)&driver.driver_features |= DRIVER_ATOMIC;
+               driver.driver_features |= DRIVER_ATOMIC;
 +      pax_close_kernel();
  
        return drm_pci_init(&driver, &i915_pci_driver);
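Review bot: In i915_init the write-enabled window opened by `pax_open_kernel()` spans everything from the num_ioctls write to the final DRIVER_ATOMIC update, including an early `return 0`, and relies on `pax_close_kernel()` being repeated on each exit. Any return added later between the two calls would leave write protection of read-only kernel data disabled for the rest of module init. A comment directly after the open call would make that invariant explicit, e.g. `/* driver is __read_only: every exit below must call pax_close_kernel() first */`. The function is split across three hunks here and the lines between them are not shown, so other exits in that range should be checked as well.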
@@ -43833,17 +43865,20 @@ index 4dca65a..3486961 100644
  #define BIT_TABLE(id, funcid) ((struct bit_table){ id, 
parse_bit_##funcid##_tbl_entry })
  
 diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c 
b/drivers/gpu/drm/nouveau/nouveau_drm.c
-index ccefb64..a19593d 100644
+index ccefb64..10c4d33 100644
 --- a/drivers/gpu/drm/nouveau/nouveau_drm.c
 +++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
-@@ -76,7 +76,6 @@ MODULE_PARM_DESC(runpm, "disable (0), force enable (1), 
optimus only default (-1
+@@ -76,9 +76,8 @@ MODULE_PARM_DESC(runpm, "disable (0), force enable (1), 
optimus only default (-1
  int nouveau_runtime_pm = -1;
  module_param_named(runpm, nouveau_runtime_pm, int, 0400);
  
 -static struct drm_driver driver_stub;
  static struct drm_driver driver_pci;
- static struct drm_driver driver_platform;
+-static struct drm_driver driver_platform;
++static drm_driver_no_const driver_platform __read_only;
  
+ static u64
+ nouveau_pci_name(struct pci_dev *pdev)
 @@ -917,7 +916,7 @@ nouveau_driver_fops = {
  };
  
@@ -43869,10 +43904,9 @@ index ccefb64..a19593d 100644
 -      driver_pci = driver_stub;
 -      driver_pci.set_busid = drm_pci_set_busid;
 -      driver_platform = driver_stub;
--      driver_platform.set_busid = drm_platform_set_busid;
 +      pax_open_kernel();
-+      memcpy((void *)&driver_platform, &driver_pci, sizeof driver_pci);
-+      *(void **)&driver_platform.set_busid = drm_platform_set_busid;
++      driver_platform = driver_pci;
+       driver_platform.set_busid = drm_platform_set_busid;
 +      pax_close_kernel();
  
        nouveau_display_options();
@@ -44404,7 +44438,7 @@ index f3f562f..0c099bb 100644
  
  static const struct vga_switcheroo_client_ops radeon_switcheroo_ops = {
 diff --git a/drivers/gpu/drm/radeon/radeon_drv.c 
b/drivers/gpu/drm/radeon/radeon_drv.c
-index 5751446..f39a861 100644
+index 5751446..2ec7c5d 100644
 --- a/drivers/gpu/drm/radeon/radeon_drv.c
 +++ b/drivers/gpu/drm/radeon/radeon_drv.c
 @@ -130,7 +130,7 @@ extern int radeon_get_crtc_scanoutpos(struct drm_device 
*dev, int crtc,
@@ -44416,7 +44450,16 @@ index 5751446..f39a861 100644
  int radeon_mmap(struct file *filp, struct vm_area_struct *vma);
  int radeon_mode_dumb_mmap(struct drm_file *filp,
                          struct drm_device *dev,
-@@ -650,8 +650,12 @@ static int __init radeon_init(void)
+@@ -566,7 +566,7 @@ static struct drm_driver kms_driver = {
+       .driver_features =
+           DRIVER_USE_AGP |
+           DRIVER_HAVE_IRQ | DRIVER_IRQ_SHARED | DRIVER_GEM |
+-          DRIVER_PRIME | DRIVER_RENDER,
++          DRIVER_PRIME | DRIVER_RENDER | DRIVER_MODESET,
+       .load = radeon_driver_load_kms,
+       .open = radeon_driver_open_kms,
+       .preclose = radeon_driver_preclose_kms,
+@@ -650,8 +650,11 @@ static int __init radeon_init(void)
                DRM_INFO("radeon kernel modesetting enabled.\n");
                driver = &kms_driver;
                pdriver = &radeon_kms_pci_driver;
@@ -44424,14 +44467,13 @@ index 5751446..f39a861 100644
 -              driver->num_ioctls = radeon_max_kms_ioctl;
 +
 +              pax_open_kernel();
-+              *(u32 *)&driver->driver_features |= DRIVER_MODESET;
 +              *(int *)&driver->num_ioctls = radeon_max_kms_ioctl;
 +              pax_close_kernel();
 +
                radeon_register_atpx_handler();
  
        } else {
-@@ -659,8 +663,11 @@ static int __init radeon_init(void)
+@@ -659,8 +662,10 @@ static int __init radeon_init(void)
                DRM_INFO("radeon userspace modesetting enabled.\n");
                driver = &driver_old;
                pdriver = &radeon_pci_driver;
@@ -44439,7 +44481,6 @@ index 5751446..f39a861 100644
 -              driver->num_ioctls = radeon_max_ioctl;
 +
 +              pax_open_kernel();
-+              *(u32 *)&driver->driver_features &= ~DRIVER_MODESET;
 +              *(int *)&driver->num_ioctls = radeon_max_ioctl;
 +              pax_close_kernel();
  #else
@@ -52677,6 +52718,20 @@ index 976aa97..c1efed2 100644
        if (cmd == TUNSETIFF || cmd == TUNSETQUEUE || _IOC_TYPE(cmd) == 0x89) {
                if (copy_from_user(&ifr, argp, ifreq_len))
                        return -EFAULT;
+diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
+index 079069a..a11e690 100644
+--- a/drivers/net/usb/asix_common.c
++++ b/drivers/net/usb/asix_common.c
+@@ -108,7 +108,8 @@ int asix_rx_fixup_internal(struct usbnet *dev, struct 
sk_buff *skb,
+               }
+ 
+               if (rx->size > skb->len - offset) {
+-                      remaining = rx->size - (skb->len - offset);
++                      remaining = skb->len - offset;
++                      remaining = rx->size - remaining;
+                       rx->size = skb->len - offset;
+               }
+ 
 diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
 index 111d907..1ee643e 100644
 --- a/drivers/net/usb/hso.c
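Review bot: The asix_rx_fixup_internal change splits `remaining = rx->size - (skb->len - offset);` into two assignments that are arithmetically equivalent on their face, and nothing says why. If the split exists to keep the intermediate `skb->len - offset` in the type of `remaining` (for instance to satisfy overflow instrumentation; this is an inference, the declarations are outside the hunk), a comment such as `/* two steps on purpose: keep the intermediate in remaining's type */` would stop a later cleanup from folding it back. Separately, both the guard and the new first assignment rely on `offset <= skb->len`; that bound is not visible here and is worth confirming, since this is the receive path for frames supplied by the device.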
@@ -78448,7 +78503,7 @@ index e4141f2..d8263e8 100644
                i += packet_length_size;
                if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
 diff --git a/fs/exec.c b/fs/exec.c
-index b06623a..122301f 100644
+index b06623a..10a5c14 100644
 --- a/fs/exec.c
 +++ b/fs/exec.c
 @@ -56,8 +56,20 @@
@@ -78494,7 +78549,7 @@ index b06623a..122301f 100644
  static DEFINE_RWLOCK(binfmt_lock);
  
 +extern int gr_process_kernel_exec_ban(void);
-+extern int gr_process_suid_exec_ban(const struct linux_binprm *bprm);
++extern int gr_process_sugid_exec_ban(const struct linux_binprm *bprm);
 +
  void __register_binfmt(struct linux_binfmt * fmt, int insert)
  {
@@ -78874,7 +78929,7 @@ index b06623a..122301f 100644
 +              current->signal->rlim[RLIMIT_STACK].rlim_cur = 8 * 1024 * 1024;
 +#endif
 +
-+      if (gr_process_kernel_exec_ban() || gr_process_suid_exec_ban(bprm)) {
++      if (gr_process_kernel_exec_ban() || gr_process_sugid_exec_ban(bprm)) {
 +              retval = -EPERM;
 +              goto out_fail;
 +      }
@@ -96383,10 +96438,10 @@ index 0000000..304c518
 +}
 diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c
 new file mode 100644
-index 0000000..1e6f893
+index 0000000..528fd00
 --- /dev/null
 +++ b/grsecurity/grsec_sig.c
-@@ -0,0 +1,243 @@
+@@ -0,0 +1,244 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/fs.h>
@@ -96496,10 +96551,10 @@ index 0000000..1e6f893
 +                      user = find_user(uid);
 +                      if (user == NULL)
 +                              goto unlock;
-+                      user->suid_banned = 1;
-+                      user->suid_ban_expires = get_seconds() + 
GR_USER_BAN_TIME;
-+                      if (user->suid_ban_expires == ~0UL)
-+                              user->suid_ban_expires--;
++                      user->sugid_banned = 1;
++                      user->sugid_ban_expires = get_seconds() + 
GR_USER_BAN_TIME;
++                      if (user->sugid_ban_expires == ~0UL)
++                              user->sugid_ban_expires--;
 +
 +                      /* only kill other threads of the same binary, from the 
same user */
 +                      do_each_thread(tsk2, tsk) {
@@ -96585,11 +96640,11 @@ index 0000000..1e6f893
 +}
 +
 +#ifdef CONFIG_GRKERNSEC_BRUTE
-+static bool suid_ban_expired(struct user_struct *user)
++static bool sugid_ban_expired(struct user_struct *user)
 +{
-+      if (user->suid_ban_expires != ~0UL && time_after_eq(get_seconds(), 
user->suid_ban_expires)) {
-+              user->suid_banned = 0;
-+              user->suid_ban_expires = 0;
++      if (user->sugid_ban_expires != ~0UL && time_after_eq(get_seconds(), 
user->sugid_ban_expires)) {
++              user->sugid_banned = 0;
++              user->sugid_ban_expires = 0;
 +              free_uid(user);
 +              return true;
 +      }
@@ -96616,15 +96671,16 @@ index 0000000..1e6f893
 +      return 0;
 +}
 +
-+int gr_process_suid_exec_ban(const struct linux_binprm *bprm)
++int gr_process_sugid_exec_ban(const struct linux_binprm *bprm)
 +{
 +#ifdef CONFIG_GRKERNSEC_BRUTE
 +      struct user_struct *user = current->cred->user;
-+      if (unlikely(user->suid_banned)) {
-+              if (suid_ban_expired(user))
++      if (unlikely(user->sugid_banned)) {
++              if (sugid_ban_expired(user))
 +                      return 0;
-+              /* disallow execution of suid binaries only */
-+              else if (!uid_eq(bprm->cred->euid, current->cred->uid))
++              /* disallow execution of suid/sgid binaries only */
++              else if (!uid_eq(bprm->cred->euid, current->cred->uid) ||
++                       !gid_eq(bprm->cred->egid, current->cred->gid))
 +                      return -EPERM;
 +      }
 +#endif
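Review bot: The new sgid test in gr_process_sugid_exec_ban compares `bprm->cred->egid` with the caller's real gid (`current->cred->gid`), mirroring the existing euid-versus-uid test. As far as the visible condition goes, a banned user's process whose effective id already differs from its real id is therefore refused every exec, not only set-id binaries. If that stricter behaviour is intended, the comment should say so, e.g. `/* deny any exec that would run with euid/egid different from the caller's real ids */`, because "suid/sgid binaries only" is narrower than what the condition enforces. The check also assumes bprm->cred has already been filled in from the file's mode bits at the call site in fs/exec.c, which this hunk does not show.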
@@ -98230,7 +98286,7 @@ index c9fe145..9fb2337 100644
  struct crypto_instance {
        struct crypto_alg alg;
 diff --git a/include/drm/drmP.h b/include/drm/drmP.h
-index 8b5ce7c..a0ee191 100644
+index 8b5ce7c..89c5676 100644
 --- a/include/drm/drmP.h
 +++ b/include/drm/drmP.h
 @@ -59,6 +59,7 @@
@@ -98268,16 +98324,17 @@ index 8b5ce7c..a0ee191 100644
  
  /**
   * Creates a driver or general drm_ioctl_desc array entry for the given
-@@ -630,7 +633,7 @@ struct drm_driver {
+@@ -630,7 +633,8 @@ struct drm_driver {
  
        /* List of devices hanging off this driver with stealth attach. */
        struct list_head legacy_dev_list;
 -};
 +} __do_const;
++typedef struct drm_driver __no_const drm_driver_no_const;
  
  enum drm_minor_type {
        DRM_MINOR_LEGACY,
-@@ -648,7 +651,8 @@ struct drm_info_list {
+@@ -648,7 +652,8 @@ struct drm_info_list {
        int (*show)(struct seq_file*, void*); /** show callback */
        u32 driver_features; /**< Required driver features for this entry */
        void *data;
@@ -98287,7 +98344,7 @@ index 8b5ce7c..a0ee191 100644
  
  /**
   * debugfs node structure. This structure represents a debugfs file.
-@@ -735,7 +739,7 @@ struct drm_device {
+@@ -735,7 +740,7 @@ struct drm_device {
  
        /** \name Usage Counters */
        /*@{ */
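Review bot: The new `typedef struct drm_driver __no_const drm_driver_no_const;` in the drmP.h hunk has no comment telling driver authors when it may be used. It opts an instance out of the `__do_const` treatment applied to struct drm_driver one line above, so a short note would help keep the exemption narrow, e.g. `/* only for drivers that must patch their drm_driver at init: declare the instance __read_only and write it only between pax_open_kernel() and pax_close_kernel() */`. Both definitions that use it in this update (i915's `driver` and nouveau's `driver_platform`) follow that pattern.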
@@ -103310,7 +103367,7 @@ index 556ec1e..38c19c9 100644
  
  /*
 diff --git a/include/linux/sched.h b/include/linux/sched.h
-index b7b9501..46d7e52 100644
+index b7b9501..ab1a134 100644
 --- a/include/linux/sched.h
 +++ b/include/linux/sched.h
 @@ -7,7 +7,7 @@
@@ -103392,8 +103449,8 @@ index b7b9501..46d7e52 100644
 +      unsigned char kernel_banned;
 +#endif
 +#ifdef CONFIG_GRKERNSEC_BRUTE
-+      unsigned char suid_banned;
-+      unsigned long suid_ban_expires;
++      unsigned char sugid_banned;
++      unsigned long sugid_ban_expires;
 +#endif
 +
        /* Hash table maintenance information */
