commit:     080fcb7ea019d5794996859a1e45a83006b6bf41
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sat May 10 16:28:55 2014 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat May 10 16:28:55 2014 +0000
URL:        
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=080fcb7e

Grsec/PaX: 3.0-{3.2.58,3.14.3}-201405092337

---
 3.14.3/0000_README                                 |   2 +-
 ... 4420_grsecurity-3.0-3.14.3-201405092337.patch} | 116 ++++++++++++++++++++-
 3.2.58/0000_README                                 |   2 +-
 ... 4420_grsecurity-3.0-3.2.58-201405092334.patch} |  52 ++++++++-
 4 files changed, 162 insertions(+), 10 deletions(-)

diff --git a/3.14.3/0000_README b/3.14.3/0000_README
index 51d9a7e..108ad48 100644
--- a/3.14.3/0000_README
+++ b/3.14.3/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.14.3-201405071928.patch
+Patch: 4420_grsecurity-3.0-3.14.3-201405092337.patch
 From:  http://www.grsecurity.net
 Desc:  hardened-sources base patch from upstream grsecurity
 

diff --git a/3.14.3/4420_grsecurity-3.0-3.14.3-201405071928.patch 
b/3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch
similarity index 99%
rename from 3.14.3/4420_grsecurity-3.0-3.14.3-201405071928.patch
rename to 3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch
index b5d0cff..4e0c19f 100644
--- a/3.14.3/4420_grsecurity-3.0-3.14.3-201405071928.patch
+++ b/3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch
@@ -7487,6 +7487,18 @@ index 4006964..fcb3cc2 100644
                  ret = __copy_from_user(to, from, n);
          else
                  copy_from_user_overflow();
+diff --git a/arch/parisc/include/uapi/asm/resource.h 
b/arch/parisc/include/uapi/asm/resource.h
+index 8b06343..090483c 100644
+--- a/arch/parisc/include/uapi/asm/resource.h
++++ b/arch/parisc/include/uapi/asm/resource.h
+@@ -1,7 +1,6 @@
+ #ifndef _ASM_PARISC_RESOURCE_H
+ #define _ASM_PARISC_RESOURCE_H
+ 
+-#define _STK_LIM_MAX  10 * _STK_LIM
+ #include <asm-generic/resource.h>
+ 
+ #endif
 diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c
 index 50dfafc..b9fc230 100644
 --- a/arch/parisc/kernel/module.c
@@ -37847,6 +37859,44 @@ index d073305..4998fea 100644
  
  static struct asender_cmd asender_tbl[] = {
        [P_PING]            = { 0, got_Ping },
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 2023043..dab515c 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void __user *param,
+       int ret;
+ 
+       while (ptr) {
+-              ret = copy_to_user(param, ptr, sizeof(*ptr));
++              struct floppy_raw_cmd cmd = *ptr;
++              cmd.next = NULL;
++              cmd.kernel_data = NULL;
++              ret = copy_to_user(param, &cmd, sizeof(cmd));
+               if (ret)
+                       return -EFAULT;
+               param += sizeof(struct floppy_raw_cmd);
+@@ -3107,10 +3110,11 @@ loop:
+               return -ENOMEM;
+       *rcmd = ptr;
+       ret = copy_from_user(ptr, param, sizeof(*ptr));
+-      if (ret)
+-              return -EFAULT;
+       ptr->next = NULL;
+       ptr->buffer_length = 0;
++      ptr->kernel_data = NULL;
++      if (ret)
++              return -EFAULT;
+       param += sizeof(struct floppy_raw_cmd);
+       if (ptr->cmd_count > 33)
+                       /* the command may now also take up the space
+@@ -3126,7 +3130,6 @@ loop:
+       for (i = 0; i < 16; i++)
+               ptr->reply[i] = 0;
+       ptr->resultcode = 0;
+-      ptr->kernel_data = NULL;
+ 
+       if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
+               if (ptr->length <= 0)
 diff --git a/drivers/block/loop.c b/drivers/block/loop.c
 index 66e8c3b..9b68dd9 100644
 --- a/drivers/block/loop.c
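Review bot: In the raw_cmd_copyout part of this floppy.c change, the new local `struct floppy_raw_cmd cmd = *ptr;` shadows the function's own `int cmd` parameter, which is visible in the inner hunk header. Renaming the copy (`struct floppy_raw_cmd out = *ptr;` and `copy_to_user(param, &out, sizeof(out))`) keeps -Wshadow quiet and avoids confusion if the loop ever needs the ioctl number. In the second part, `next`, `buffer_length` and `kernel_data` are now cleared before the `if (ret)` check, which matters because a failed copy_from_user can leave user-supplied bytes in `*ptr` after it has been stored in `*rcmd`. A comment such as `/* scrub kernel-only fields before any error return; *rcmd already points here */` would stop a later cleanup from moving the check back up. Both functions continue outside the hunks shown, and the same change and the same shadowing appear in the 3.2.58 patch further down.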
@@ -38115,10 +38165,18 @@ index a48e05b..6bac831 100644
                        kfree(usegment);
                        kfree(ksegment);
 diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c
-index 1b19239..b87b143 100644
+index 1b19239..963967b 100644
 --- a/drivers/char/agp/frontend.c
 +++ b/drivers/char/agp/frontend.c
-@@ -819,7 +819,7 @@ static int agpioc_reserve_wrap(struct agp_file_private 
*priv, void __user *arg)
+@@ -731,6 +731,7 @@ static int agpioc_info_wrap(struct agp_file_private *priv, 
void __user *arg)
+ 
+       agp_copy_info(agp_bridge, &kerninfo);
+ 
++      memset(&userinfo, 0, sizeof(userinfo));
+       userinfo.version.major = kerninfo.version.major;
+       userinfo.version.minor = kerninfo.version.minor;
+       userinfo.bridge_id = kerninfo.device->vendor |
+@@ -819,7 +820,7 @@ static int agpioc_reserve_wrap(struct agp_file_private 
*priv, void __user *arg)
        if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
                return -EFAULT;
  
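Review bot: The added `memset(&userinfo, 0, sizeof(userinfo));` in agpioc_info_wrap should carry a one-line comment saying why it is there, because the field-by-field assignments that follow make it look redundant and easy to remove. Something like `/* clear padding and unset fields: this struct is copied out to user space */` would do. The copy-out itself is outside the hunk, so that purpose is inferred from the `void __user *arg` parameter. If a compat variant of this ioctl fills a separate struct the same way, it is worth checking that it is zeroed as well. The same line is added in the 3.2.58 patch.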
@@ -38127,7 +38185,7 @@ index 1b19239..b87b143 100644
                return -EFAULT;
  
        client = agp_find_client_by_pid(reserve.pid);
-@@ -849,7 +849,7 @@ static int agpioc_reserve_wrap(struct agp_file_private 
*priv, void __user *arg)
+@@ -849,7 +850,7 @@ static int agpioc_reserve_wrap(struct agp_file_private 
*priv, void __user *arg)
                if (segment == NULL)
                        return -ENOMEM;
  
@@ -46235,6 +46293,19 @@ index 26f8635..c237839 100644
        if (cmd == TUNSETIFF || cmd == TUNSETQUEUE || _IOC_TYPE(cmd) == 0x89) {
                if (copy_from_user(&ifr, argp, ifreq_len))
                        return -EFAULT;
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index d350d27..75d7d9d 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -768,7 +768,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev, struct sk_buff 
*skb, __le32 sign)
+           skb_out->len > CDC_NCM_MIN_TX_PKT)
+               memset(skb_put(skb_out, ctx->tx_max - skb_out->len), 0,
+                      ctx->tx_max - skb_out->len);
+-      else if ((skb_out->len % dev->maxpacket) == 0)
++      else if (skb_out->len < ctx->tx_max && (skb_out->len % dev->maxpacket) 
== 0)
+               *skb_put(skb_out, 1) = 0;       /* force short packet */
+ 
+       /* set final frame length */
 diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
 index 660bd5e..ac59452 100644
 --- a/drivers/net/usb/hso.c
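Review bot: The new `skb_out->len < ctx->tx_max` guard in cdc_ncm_fill_tx_frame prevents the one-byte `skb_put` when the frame already fills tx_max, but the branch does not say what happens to a frame that is exactly tx_max long and also a multiple of `dev->maxpacket`. In that case no short packet is forced any more. A comment on the `else if` should state that the pad byte is skipped because there is no room left in the buffer, and name what terminates the transfer instead. The rest of the function is outside the hunk, so whether that case is handled elsewhere cannot be confirmed from here.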
@@ -55838,6 +55909,19 @@ index 370b24c..ff0be7b 100644
        ---help---
          A.out (Assembler.OUTput) is a set of formats for libraries and
          executables used in the earliest versions of UNIX.  Linux used
+diff --git a/fs/affs/super.c b/fs/affs/super.c
+index d098731..9a5b19d 100644
+--- a/fs/affs/super.c
++++ b/fs/affs/super.c
+@@ -336,8 +336,6 @@ static int affs_fill_super(struct super_block *sb, void 
*data, int silent)
+                               &blocksize,&sbi->s_prefix,
+                               sbi->s_volume, &mount_flags)) {
+               printk(KERN_ERR "AFFS: Error parsing options\n");
+-              kfree(sbi->s_prefix);
+-              kfree(sbi);
+               return -EINVAL;
+       }
+       /* N.B. after this point s_prefix must be released */
 diff --git a/fs/afs/inode.c b/fs/afs/inode.c
 index ce25d75..dc09eeb 100644
 --- a/fs/afs/inode.c
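Review bot: With the two `kfree` calls dropped from the option-parsing error path in affs_fill_super, the retained comment `/* N.B. after this point s_prefix must be released */` is now misleading, since it implies that nothing needs releasing before that point. Presumably `sbi` is already attached to the superblock and the teardown path frees both `sbi` and `s_prefix`, which would have made the removed calls a double free; that code is not visible in the hunk. The comment should be reworded to say who releases these on failure, for example `/* sbi and s_prefix are freed by the superblock teardown path; do not kfree them here */`.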
@@ -55861,7 +55945,7 @@ index ce25d75..dc09eeb 100644
                             &data);
        if (!inode) {
 diff --git a/fs/aio.c b/fs/aio.c
-index 062a5f6..e5618e0 100644
+index 062a5f6..6ecefa2 100644
 --- a/fs/aio.c
 +++ b/fs/aio.c
 @@ -374,7 +374,7 @@ static int aio_setup_ring(struct kioctx *ctx)
@@ -55873,6 +55957,19 @@ index 062a5f6..e5618e0 100644
                return -EINVAL;
  
        file = aio_private_file(ctx, nr_pages);
+@@ -1285,10 +1285,8 @@ rw_common:
+                                               &iovec, compat)
+                       : aio_setup_single_vector(req, rw, buf, &nr_segs,
+                                                 iovec);
+-              if (ret)
+-                      return ret;
+-
+-              ret = rw_verify_area(rw, file, &req->ki_pos, req->ki_nbytes);
++              if (!ret)
++                      ret = rw_verify_area(rw, file, &req->ki_pos, 
req->ki_nbytes);
+               if (ret < 0) {
+                       if (iovec != &inline_vec)
+                               kfree(iovec);
 diff --git a/fs/attr.c b/fs/attr.c
 index 5d4e59d..fd02418 100644
 --- a/fs/attr.c
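Review bot: The rewritten check under `rw_common:` handles a positive return from the vector setup helpers differently from the old code. Before, `if (ret) return ret;` bailed out on any non-zero value; now a positive `ret` skips rw_verify_area through `if (!ret)` and also passes `if (ret < 0)`, so execution continues without the area check. This is only safe if both setup helpers return 0 or a negative errno, which cannot be confirmed from the hunk. If that holds, a short comment such as `/* setup helpers return 0 or -errno; on failure fall through so iovec is freed */` would record the assumption and the reason for the restructuring.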
@@ -62228,7 +62325,7 @@ index a80a741..7b96e1b 100644
        }
  
 diff --git a/fs/notify/fanotify/fanotify_user.c 
b/fs/notify/fanotify/fanotify_user.c
-index 287a22c..a2a043a 100644
+index 287a22c..4e56e4e 100644
 --- a/fs/notify/fanotify/fanotify_user.c
 +++ b/fs/notify/fanotify/fanotify_user.c
 @@ -251,8 +251,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group 
*group,
@@ -62242,6 +62339,15 @@ index 287a22c..a2a043a 100644
                goto out_close_fd;
  
        ret = prepare_for_access_response(group, event, fd);
+@@ -742,6 +742,8 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, 
unsigned int, event_f_flags)
+       oevent->path.mnt = NULL;
+       oevent->path.dentry = NULL;
+ 
++      if (force_o_largefile())
++              event_f_flags |= O_LARGEFILE;
+       group->fanotify_data.f_flags = event_f_flags;
+ #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
+       oevent->response = 0;
 diff --git a/fs/notify/notification.c b/fs/notify/notification.c
 index 1e58402..bb2d6f4 100644
 --- a/fs/notify/notification.c

diff --git a/3.2.58/0000_README b/3.2.58/0000_README
index f10476b..df97a0f 100644
--- a/3.2.58/0000_README
+++ b/3.2.58/0000_README
@@ -150,7 +150,7 @@ Patch:      1057_linux-3.2.58.patch
 From:  http://www.kernel.org
 Desc:  Linux 3.2.58
 
-Patch: 4420_grsecurity-3.0-3.2.58-201405061705.patch
+Patch: 4420_grsecurity-3.0-3.2.58-201405092334.patch
 From:  http://www.grsecurity.net
 Desc:  hardened-sources base patch from upstream grsecurity
 

diff --git a/3.2.58/4420_grsecurity-3.0-3.2.58-201405061705.patch 
b/3.2.58/4420_grsecurity-3.0-3.2.58-201405092334.patch
similarity index 99%
rename from 3.2.58/4420_grsecurity-3.0-3.2.58-201405061705.patch
rename to 3.2.58/4420_grsecurity-3.0-3.2.58-201405092334.patch
index fab7860..4f95c38 100644
--- a/3.2.58/4420_grsecurity-3.0-3.2.58-201405061705.patch
+++ b/3.2.58/4420_grsecurity-3.0-3.2.58-201405092334.patch
@@ -34158,6 +34158,44 @@ index 13cbdd3..d374957 100644
  
  static struct asender_cmd *get_asender_cmd(int cmd)
  {
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 7a90d4a..6d0f3e1 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3060,7 +3060,10 @@ static int raw_cmd_copyout(int cmd, void __user *param,
+       int ret;
+ 
+       while (ptr) {
+-              ret = copy_to_user(param, ptr, sizeof(*ptr));
++              struct floppy_raw_cmd cmd = *ptr;
++              cmd.next = NULL;
++              cmd.kernel_data = NULL;
++              ret = copy_to_user(param, &cmd, sizeof(cmd));
+               if (ret)
+                       return -EFAULT;
+               param += sizeof(struct floppy_raw_cmd);
+@@ -3114,10 +3117,11 @@ loop:
+               return -ENOMEM;
+       *rcmd = ptr;
+       ret = copy_from_user(ptr, param, sizeof(*ptr));
+-      if (ret)
+-              return -EFAULT;
+       ptr->next = NULL;
+       ptr->buffer_length = 0;
++      ptr->kernel_data = NULL;
++      if (ret)
++              return -EFAULT;
+       param += sizeof(struct floppy_raw_cmd);
+       if (ptr->cmd_count > 33)
+                       /* the command may now also take up the space
+@@ -3133,7 +3137,6 @@ loop:
+       for (i = 0; i < 16; i++)
+               ptr->reply[i] = 0;
+       ptr->resultcode = 0;
+-      ptr->kernel_data = NULL;
+ 
+       if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
+               if (ptr->length <= 0)
 diff --git a/drivers/block/loop.c b/drivers/block/loop.c
 index d659135..45fe633 100644
 --- a/drivers/block/loop.c
@@ -34367,10 +34405,18 @@ index a48e05b..6bac831 100644
                        kfree(usegment);
                        kfree(ksegment);
 diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c
-index 2e04433..771f2cc 100644
+index 2e04433..3b8afe7 100644
 --- a/drivers/char/agp/frontend.c
 +++ b/drivers/char/agp/frontend.c
-@@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct agp_file_private 
*priv, void __user *arg)
+@@ -729,6 +729,7 @@ static int agpioc_info_wrap(struct agp_file_private *priv, 
void __user *arg)
+ 
+       agp_copy_info(agp_bridge, &kerninfo);
+ 
++      memset(&userinfo, 0, sizeof(userinfo));
+       userinfo.version.major = kerninfo.version.major;
+       userinfo.version.minor = kerninfo.version.minor;
+       userinfo.bridge_id = kerninfo.device->vendor |
+@@ -817,7 +818,7 @@ static int agpioc_reserve_wrap(struct agp_file_private 
*priv, void __user *arg)
        if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
                return -EFAULT;
  
@@ -34379,7 +34425,7 @@ index 2e04433..771f2cc 100644
                return -EFAULT;
  
        client = agp_find_client_by_pid(reserve.pid);
-@@ -847,7 +847,7 @@ static int agpioc_reserve_wrap(struct agp_file_private 
*priv, void __user *arg)
+@@ -847,7 +848,7 @@ static int agpioc_reserve_wrap(struct agp_file_private 
*priv, void __user *arg)
                if (segment == NULL)
                        return -ENOMEM;
  
