commit:     8faf11a689dd695f6cf54cabb0705ee146b7f878
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Fri Apr  4 15:23:14 2014 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Fri Apr  4 15:23:14 2014 +0000
URL:        
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=8faf11a6

Grsec/PaX: 3.0-{3.2.56,3.13.8}-201404031157

---
 3.13.8/0000_README                                 |  2 +-
 ... 4420_grsecurity-3.0-3.13.8-201404031157.patch} | 69 +++++++++++++++-
 3.2.56/0000_README                                 |  2 +-
 ... 4420_grsecurity-3.0-3.2.56-201404031155.patch} | 95 ++++++++++++++++++++--
 4 files changed, 157 insertions(+), 11 deletions(-)

diff --git a/3.13.8/0000_README b/3.13.8/0000_README
index c7f2d48..261bc85 100644
--- a/3.13.8/0000_README
+++ b/3.13.8/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.13.8-201404011912.patch
+Patch: 4420_grsecurity-3.0-3.13.8-201404031157.patch
 From:  http://www.grsecurity.net
 Desc:  hardened-sources base patch from upstream grsecurity
 

diff --git a/3.13.8/4420_grsecurity-3.0-3.13.8-201404011912.patch 
b/3.13.8/4420_grsecurity-3.0-3.13.8-201404031157.patch
similarity index 99%
rename from 3.13.8/4420_grsecurity-3.0-3.13.8-201404011912.patch
rename to 3.13.8/4420_grsecurity-3.0-3.13.8-201404031157.patch
index 9c4aaac..1ca327a 100644
--- a/3.13.8/4420_grsecurity-3.0-3.13.8-201404011912.patch
+++ b/3.13.8/4420_grsecurity-3.0-3.13.8-201404031157.patch
@@ -65163,10 +65163,10 @@ index 104455b..764c512 100644
                kfree(s);
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..13b7885
+index 0000000..81a6826
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,1155 @@
+@@ -0,0 +1,1160 @@
 +#
 +# grecurity configuration
 +#
@@ -65647,6 +65647,11 @@ index 0000000..13b7885
 +        encounter no software incompatibilities with the following options, it
 +        is recommended that you enable each one.
 +
++        Note that the chroot restrictions are not intended to apply to 
"chroots"
++        to directories that are simple bind mounts of the global root 
filesystem.
++        For several other reasons, a user shouldn't expect any significant
++        security by performing such a chroot.
++
 +config GRKERNSEC_CHROOT_MOUNT
 +      bool "Deny mounts"
 +      default y if GRKERNSEC_CONFIG_AUTO
@@ -96923,10 +96928,66 @@ index 5b7d0e1..cb960fc 100644
  }
  EXPORT_SYMBOL(dev_load);
 diff --git a/net/core/filter.c b/net/core/filter.c
-index ad30d62..c2757df 100644
+index ad30d62..821081f 100644
 --- a/net/core/filter.c
 +++ b/net/core/filter.c
-@@ -679,7 +679,7 @@ int sk_unattached_filter_create(struct sk_filter **pfp,
+@@ -126,7 +126,7 @@ unsigned int sk_run_filter(const struct sk_buff *skb,
+       void *ptr;
+       u32 A = 0;                      /* Accumulator */
+       u32 X = 0;                      /* Index Register */
+-      u32 mem[BPF_MEMWORDS];          /* Scratch Memory Store */
++      u32 mem[BPF_MEMWORDS] = {};     /* Scratch Memory Store */
+       u32 tmp;
+       int k;
+ 
+@@ -292,10 +292,10 @@ load_b:
+                       X = K;
+                       continue;
+               case BPF_S_LD_MEM:
+-                      A = mem[K];
++                      A = mem[K&15];
+                       continue;
+               case BPF_S_LDX_MEM:
+-                      X = mem[K];
++                      X = mem[K&15];
+                       continue;
+               case BPF_S_MISC_TAX:
+                       X = A;
+@@ -308,10 +308,10 @@ load_b:
+               case BPF_S_RET_A:
+                       return A;
+               case BPF_S_ST:
+-                      mem[K] = A;
++                      mem[K&15] = A;
+                       continue;
+               case BPF_S_STX:
+-                      mem[K] = X;
++                      mem[K&15] = X;
+                       continue;
+               case BPF_S_ANC_PROTOCOL:
+                       A = ntohs(skb->protocol);
+@@ -391,9 +391,10 @@ load_b:
+                       continue;
+ #endif
+               default:
+-                      WARN_RATELIMIT(1, "Unknown code:%u jt:%u tf:%u k:%u\n",
++                      WARN(1, KERN_ALERT "Unknown sock filter code:%u jt:%u 
tf:%u k:%u\n",
+                                      fentry->code, fentry->jt,
+                                      fentry->jf, fentry->k);
++                      BUG();
+                       return 0;
+               }
+       }
+@@ -416,7 +417,7 @@ static int check_load_and_stores(struct sock_filter 
*filter, int flen)
+       u16 *masks, memvalid = 0; /* one bit per cell, 16 cells */
+       int pc, ret = 0;
+ 
+-      BUILD_BUG_ON(BPF_MEMWORDS > 16);
++      BUILD_BUG_ON(BPF_MEMWORDS != 16);
+       masks = kmalloc(flen * sizeof(*masks), GFP_KERNEL);
+       if (!masks)
+               return -ENOMEM;
+@@ -679,7 +680,7 @@ int sk_unattached_filter_create(struct sk_filter **pfp,
        fp = kmalloc(sk_filter_size(fprog->len), GFP_KERNEL);
        if (!fp)
                return -ENOMEM;
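Review bot: The scratch-memory mask on the `A = mem[K&15];`, `X = mem[K&15];`, `mem[K&15] = A;` and `mem[K&15] = X;` lines hard-codes 15 while the invariant that makes it correct, `BUILD_BUG_ON(BPF_MEMWORDS != 16);`, lives in check_load_and_stores() further down the hunk; writing the mask as `K & (BPF_MEMWORDS - 1)` ties the two together and keeps it valid for any power-of-two resize. Because check_load_and_stores() already rejects out-of-range K when the filter is attached, the mask is a defence-in-depth bound, and a one-line comment on the first masked access saying so (`/* K already validated by check_load_and_stores(); mask is belt-and-braces */`) would stop a later maintainer from dropping either check on the assumption that the other suffices. In the default arm, `BUG();` after the unconditional `WARN(1, KERN_ALERT ...)` turns an opcode that should be unreachable once the program passed sk_chk_filter into a fail-closed oops; the `return 0;` that follows is still needed for CONFIG_BUG=n builds, so it must not be removed as dead code, and a short comment above the BUG() noting that with panic_on_oops this halts the machine rather than dropping the packet would make the trade-off explicit. The `u32 mem[BPF_MEMWORDS] = {};` zero-initialisation closes the uninitialised-read case but relies on the GNU empty-initialiser extension, so `= { 0 }` is the portable spelling if this is ever compiled outside gcc. The same four masked accesses and the same default arm appear again in the two 3.2.56 net/core/filter.c hunks of this commit, and all of these points apply there as well.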

diff --git a/3.2.56/0000_README b/3.2.56/0000_README
index ce219c9..b2a75bc 100644
--- a/3.2.56/0000_README
+++ b/3.2.56/0000_README
@@ -142,7 +142,7 @@ Patch:      1055_linux-3.2.56.patch
 From:  http://www.kernel.org
 Desc:  Linux 3.2.56
 
-Patch: 4420_grsecurity-3.0-3.2.56-201404012135.patch
+Patch: 4420_grsecurity-3.0-3.2.56-201404031155.patch
 From:  http://www.grsecurity.net
 Desc:  hardened-sources base patch from upstream grsecurity
 

diff --git a/3.2.56/4420_grsecurity-3.0-3.2.56-201404012135.patch 
b/3.2.56/4420_grsecurity-3.0-3.2.56-201404031155.patch
similarity index 99%
rename from 3.2.56/4420_grsecurity-3.0-3.2.56-201404012135.patch
rename to 3.2.56/4420_grsecurity-3.0-3.2.56-201404031155.patch
index 4f4f0f9..a7d359a 100644
--- a/3.2.56/4420_grsecurity-3.0-3.2.56-201404012135.patch
+++ b/3.2.56/4420_grsecurity-3.0-3.2.56-201404031155.patch
@@ -63410,10 +63410,10 @@ index 8a89949..6776861 100644
  xfs_init_zones(void)
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..3dd4ae7
+index 0000000..d913d1e
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,1141 @@
+@@ -0,0 +1,1146 @@
 +#
 +# grecurity configuration
 +#
@@ -63880,6 +63880,11 @@ index 0000000..3dd4ae7
 +        encounter no software incompatibilities with the following options, it
 +        is recommended that you enable each one.
 +
++        Note that the chroot restrictions are not intended to apply to 
"chroots"
++        to directories that are simple bind mounts of the global root 
filesystem.
++        For several other reasons, a user shouldn't expect any significant
++        security by performing such a chroot.
++
 +config GRKERNSEC_CHROOT_MOUNT
 +      bool "Deny mounts"
 +      default y if GRKERNSEC_CONFIG_AUTO
@@ -97863,7 +97868,7 @@ index 2367246..4a0a677 100644
                ret = -EFAULT;
                goto out;
 diff --git a/net/core/filter.c b/net/core/filter.c
-index 5dea452..d775edc 100644
+index 5dea452..e17caac 100644
 --- a/net/core/filter.c
 +++ b/net/core/filter.c
 @@ -39,6 +39,7 @@
@@ -97874,7 +97879,42 @@ index 5dea452..d775edc 100644
  
  /* No hurry in this branch */
  static void *__load_pointer(const struct sk_buff *skb, int k, unsigned int 
size)
-@@ -350,6 +351,11 @@ load_b:
+@@ -115,7 +116,7 @@ unsigned int sk_run_filter(const struct sk_buff *skb,
+       void *ptr;
+       u32 A = 0;                      /* Accumulator */
+       u32 X = 0;                      /* Index Register */
+-      u32 mem[BPF_MEMWORDS];          /* Scratch Memory Store */
++      u32 mem[BPF_MEMWORDS] = {};     /* Scratch Memory Store */
+       u32 tmp;
+       int k;
+ 
+@@ -266,10 +267,10 @@ load_b:
+                       X = K;
+                       continue;
+               case BPF_S_LD_MEM:
+-                      A = mem[K];
++                      A = mem[K&15];
+                       continue;
+               case BPF_S_LDX_MEM:
+-                      X = mem[K];
++                      X = mem[K&15];
+                       continue;
+               case BPF_S_MISC_TAX:
+                       X = A;
+@@ -282,10 +283,10 @@ load_b:
+               case BPF_S_RET_A:
+                       return A;
+               case BPF_S_ST:
+-                      mem[K] = A;
++                      mem[K&15] = A;
+                       continue;
+               case BPF_S_STX:
+-                      mem[K] = X;
++                      mem[K&15] = X;
+                       continue;
+               case BPF_S_ANC_PROTOCOL:
+                       A = ntohs(skb->protocol);
+@@ -350,10 +351,16 @@ load_b:
                                A = 0;
                        continue;
                }
@@ -97884,8 +97924,53 @@ index 5dea452..d775edc 100644
 +                      continue;
 +#endif
                default:
-                       WARN_RATELIMIT(1, "Unknown code:%u jt:%u tf:%u k:%u\n",
+-                      WARN_RATELIMIT(1, "Unknown code:%u jt:%u tf:%u k:%u\n",
++                      WARN(1, KERN_ALERT "Unknown sock filter code:%u jt:%u 
tf:%u k:%u\n",
                                       fentry->code, fentry->jt,
+                                      fentry->jf, fentry->k);
++                      BUG();
+                       return 0;
+               }
+       }
+@@ -376,7 +383,7 @@ static int check_load_and_stores(struct sock_filter 
*filter, int flen)
+       u16 *masks, memvalid = 0; /* one bit per cell, 16 cells */
+       int pc, ret = 0;
+ 
+-      BUILD_BUG_ON(BPF_MEMWORDS > 16);
++      BUILD_BUG_ON(BPF_MEMWORDS != 16);
+       masks = kmalloc(flen * sizeof(*masks), GFP_KERNEL);
+       if (!masks)
+               return -ENOMEM;
+@@ -490,6 +497,7 @@ int sk_chk_filter(struct sock_filter *filter, unsigned int 
flen)
+               [BPF_JMP|BPF_JSET|BPF_X] = BPF_S_JMP_JSET_X,
+       };
+       int pc;
++      bool anc_found;
+ 
+       if (flen == 0 || flen > BPF_MAXINSNS)
+               return -EINVAL;
+@@ -545,8 +553,10 @@ int sk_chk_filter(struct sock_filter *filter, unsigned 
int flen)
+               case BPF_S_LD_W_ABS:
+               case BPF_S_LD_H_ABS:
+               case BPF_S_LD_B_ABS:
++                      anc_found = false;
+ #define ANCILLARY(CODE) case SKF_AD_OFF + SKF_AD_##CODE:      \
+                               code = BPF_S_ANC_##CODE;        \
++                              anc_found = true;               \
+                               break
+                       switch (ftest->k) {
+                       ANCILLARY(PROTOCOL);
+@@ -560,6 +570,10 @@ int sk_chk_filter(struct sock_filter *filter, unsigned 
int flen)
+                       ANCILLARY(RXHASH);
+                       ANCILLARY(CPU);
+                       }
++
++                      /* ancillary operation unknown or unsupported */
++                      if (anc_found == false && ftest->k >= SKF_AD_OFF)
++                              return -EINVAL;
+               }
+               ftest->code = code;
+       }
 diff --git a/net/core/flow.c b/net/core/flow.c
 index e318c7e..168b1d0 100644
 --- a/net/core/flow.c
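Review bot: In the sk_chk_filter part of this hunk, `if (anc_found == false && ftest->k >= SKF_AD_OFF)` compares a bool against a constant; kernel style is `if (!anc_found && ftest->k >= SKF_AD_OFF)`. The rejection itself is the right fail-closed choice: an offset at or above SKF_AD_OFF that matches no `ANCILLARY()` case leaves `code` as the plain absolute-load value, so without this check such a program appears to have reached the interpreter as an ordinary load with an ancillary-range k, and refusing it with -EINVAL at attach time is safer than letting the runtime path interpret it. Since `anc_found` is declared at function scope but only assigned inside the `BPF_S_LD_*_ABS` arm, declaring it inside that arm (or initialising it at the declaration, `bool anc_found = false;`) makes the scope obvious and keeps -Wmaybe-uninitialized quiet. sk_chk_filter begins and ends outside this hunk.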
