[gentoo-commits] proj/hardened-patchset:master commit in: 4.5.7/
commit: d32dd7f3f7697ee461fd2faa0fd051877e411bc1 Author: Anthony G. Basile gentoo org> AuthorDate: Sat Jul 2 08:59:46 2016 + Commit: Anthony G. Basile gentoo org> CommitDate: Sat Jul 2 08:59:46 2016 + URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=d32dd7f3 grsecurity-3.1-4.5.7-201606302132 4.5.7/_README | 2 +- ...> 4420_grsecurity-3.1-4.5.7-201606302132.patch} | 416 - 4.5.7/4425_grsec_remove_EI_PAX.patch | 2 +- 4.5.7/4450_grsec-kconfig-default-gids.patch| 8 +- 4.5.7/4470_disable-compat_vdso.patch | 2 +- 4.5.7/4475_emutramp_default_on.patch | 4 +- 6 files changed, 252 insertions(+), 182 deletions(-) diff --git a/4.5.7/_README b/4.5.7/_README index 6531b4d..cd47bdd 100644 --- a/4.5.7/_README +++ b/4.5.7/_README @@ -2,7 +2,7 @@ README - Individual Patch Descriptions: - -Patch: 4420_grsecurity-3.1-4.5.7-201606292300.patch +Patch: 4420_grsecurity-3.1-4.5.7-201606302132.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606292300.patch b/4.5.7/4420_grsecurity-3.1-4.5.7-201606302132.patch similarity index 99% rename from 4.5.7/4420_grsecurity-3.1-4.5.7-201606292300.patch rename to 4.5.7/4420_grsecurity-3.1-4.5.7-201606302132.patch index 4f4d48f..6f9feec 100644 --- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606292300.patch +++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606302132.patch @@ -12658,7 +12658,7 @@ index 3ba5ff2..44bdacc 100644 config X86_MINIMUM_CPU_FAMILY int diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug -index 9b18ed9..9528749 100644 +index 9b18ed9..0fb0660 100644 --- a/arch/x86/Kconfig.debug +++ b/arch/x86/Kconfig.debug @@ -55,6 +55,7 @@ config X86_PTDUMP @@ -12669,16 +12669,15 @@ index 9b18ed9..9528749 100644 select X86_PTDUMP_CORE ---help--- Say Y here if you want to show the kernel pagetable layout in a -@@ -77,7 +78,7 @@ config EFI_PGT_DUMP +@@ -77,7 +78,6 @@ config EFI_PGT_DUMP config DEBUG_RODATA bool "Write protect kernel read-only data structures" default y - depends on DEBUG_KERNEL -+ depends on DEBUG_KERNEL && BROKEN ---help--- Mark the kernel read-only data as write-protected in the pagetables, in order to catch accidental (and incorrect) writes to such const -@@ -123,7 +124,7 @@ config DEBUG_WX +@@ -123,7 +123,7 @@ config DEBUG_WX config DEBUG_SET_MODULE_RONX bool "Set loadable kernel module data as NX and text as RO" @@ -12687,7 +12686,7 @@ index 9b18ed9..9528749 100644 ---help--- This option helps catch unintended modifications to loadable kernel module's text and read-only data. It also prevents execution -@@ -375,6 +376,7 @@ config X86_DEBUG_FPU +@@ -375,6 +375,7 @@ config X86_DEBUG_FPU config PUNIT_ATOM_DEBUG tristate "ATOM Punit debug driver" select DEBUG_FS @@ -27194,7 +27193,7 @@ index 2c0f340..76c1d24 100644 for (i = 0; i < NUM_EXCEPTION_VECTORS; i++) diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S -index 6bc9ae2..33997fe 100644 +index 6bc9ae2..51f7c58 100644 --- a/arch/x86/kernel/head_32.S +++ b/arch/x86/kernel/head_32.S @@ -27,6 +27,12 @@ @@ -27466,28 +27465,23 @@ index 6bc9ae2..33997fe 100644 pushl 16(%esp) pushl 24(%esp) pushl 32(%esp) -@@ -663,29 +755,34 @@ ENTRY(setup_once_ref) - /* - * BSS section - */ +@@ -660,11 +752,8 @@ ENTRY(initial_code) + ENTRY(setup_once_ref) + .long setup_once + +-/* +- * BSS section +- */ -__PAGE_ALIGNED_BSS - .align PAGE_SIZE ++__READ_ONLY ++ .balign PAGE_SIZE #ifdef CONFIG_X86_PAE -+.section .initial_pg_pmd,"a",@progbits initial_pg_pmd: .fill 1024*KPMDS,4,0 - #else -+.section .initial_page_table,"a",@progbits - ENTRY(initial_page_table) - .fill 1024,4,0 - #endif -+.section .initial_pg_fixmap,"a",@progbits - initial_pg_fixmap: - .fill 1024,4,0 -+.section .empty_zero_page,"a",@progbits +@@ -677,15 +766,18 @@ initial_pg_fixmap: ENTRY(empty_zero_page) .fill 4096,1,0 -+.section .swapper_pg_dir,"a",@progbits ENTRY(swapper_pg_dir) - .fill 1024,4,0 +#ifdef CONFIG_X86_PAE @@ -27503,21 +27497,24 @@ index 6bc9ae2..33997fe 100644 -__PAGE_ALIGNED_DATA - /* Page-aligned for the benefit of paravirt? */ - .align PAGE_SIZE -+.section .initial_page_table,"a",@progbits ++__READ_ONLY ++ .balign PAGE_SIZE ENTRY(initial_page_table) .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */ # if KPMDS == 3 -@@ -704,12 +801,20 @@ ENTRY(initial_page_table) +@@ -703,13 +795,21 @@ ENTRY(initial_page_table)
[gentoo-commits] proj/hardened-patchset:master commit in: 4.5.7/
commit: 69430df88d9fcc4b3ad98e37688ac7d1dd4e7c6e
Author: Anthony G. Basile gentoo org>
AuthorDate: Thu Jun 30 13:21:52 2016 +
Commit: Anthony G. Basile gentoo org>
CommitDate: Thu Jun 30 13:21:52 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=69430df8
grsecurity-3.1-4.5.7-201606292300
4.5.7/_README | 2 +-
...> 4420_grsecurity-3.1-4.5.7-201606292300.patch} | 322 +++--
2 files changed, 295 insertions(+), 29 deletions(-)
diff --git a/4.5.7/_README b/4.5.7/_README
index b74e534..6531b4d 100644
--- a/4.5.7/_README
+++ b/4.5.7/_README
@@ -2,7 +2,7 @@ README
-
Individual Patch Descriptions:
-
-Patch: 4420_grsecurity-3.1-4.5.7-201606282216.patch
+Patch: 4420_grsecurity-3.1-4.5.7-201606292300.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606282216.patch
b/4.5.7/4420_grsecurity-3.1-4.5.7-201606292300.patch
similarity index 99%
rename from 4.5.7/4420_grsecurity-3.1-4.5.7-201606282216.patch
rename to 4.5.7/4420_grsecurity-3.1-4.5.7-201606292300.patch
index 01f7898..4f4d48f 100644
--- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606282216.patch
+++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606292300.patch
@@ -49321,7 +49321,7 @@ index 6a27eb2..349ed23 100644
};
diff --git a/drivers/hwmon/dell-smm-hwmon.c b/drivers/hwmon/dell-smm-hwmon.c
-index c43318d..2574fc5 100644
+index c43318d..24bfd03 100644
--- a/drivers/hwmon/dell-smm-hwmon.c
+++ b/drivers/hwmon/dell-smm-hwmon.c
@@ -819,7 +819,7 @@ static const struct i8k_config_data i8k_config_data[] = {
@@ -49329,7 +49329,7 @@ index c43318d..2574fc5 100644
};
-static struct dmi_system_id i8k_dmi_table[] __initdata = {
-+static struct dmi_system_id i8k_dmi_table[] __initconst = {
++static const struct dmi_system_id i8k_dmi_table[] __initconst = {
{
.ident = "Dell Inspiron",
.matches = {
@@ -49338,7 +49338,7 @@ index c43318d..2574fc5 100644
MODULE_DEVICE_TABLE(dmi, i8k_dmi_table);
-static struct dmi_system_id i8k_blacklist_dmi_table[] __initdata = {
-+static struct dmi_system_id i8k_blacklist_dmi_table[] __initconst = {
++static const struct dmi_system_id i8k_blacklist_dmi_table[] __initconst = {
{
/*
* CPU fan speed going up and down on Dell Studio XPS 8000
@@ -58553,6 +58553,19 @@ index 556a2df..e771329 100644
{
spin_lock(_gxx_spin);
sbc_gxx_page(map, adr);
+diff --git a/drivers/mtd/nand/brcmnand/brcmnand.h
b/drivers/mtd/nand/brcmnand/brcmnand.h
+index ef5eabb..2b61d03 100644
+--- a/drivers/mtd/nand/brcmnand/brcmnand.h
b/drivers/mtd/nand/brcmnand/brcmnand.h
+@@ -24,7 +24,7 @@ struct brcmnand_soc {
+ bool (*ctlrdy_ack)(struct brcmnand_soc *soc);
+ void (*ctlrdy_set_enabled)(struct brcmnand_soc *soc, bool en);
+ void (*prepare_data_bus)(struct brcmnand_soc *soc, bool prepare);
+-};
++} __no_const;
+
+ static inline void brcmnand_soc_data_bus_prepare(struct brcmnand_soc *soc)
+ {
diff --git a/drivers/mtd/nand/cafe_nand.c b/drivers/mtd/nand/cafe_nand.c
index aa1a616..a47a33d 100644
--- a/drivers/mtd/nand/cafe_nand.c
@@ -62716,6 +62729,18 @@ index f9db2ce..6cd460c 100644
return ring_first(r);
}
+diff --git a/drivers/net/loopback.c b/drivers/net/loopback.c
+index a400288..0c59bcd 100644
+--- a/drivers/net/loopback.c
b/drivers/net/loopback.c
+@@ -217,6 +217,6 @@ out:
+ }
+
+ /* Registered in net/core/dev.c */
+-struct pernet_operations __net_initdata loopback_net_ops = {
++struct pernet_operations __net_initconst loopback_net_ops = {
+.init = loopback_net_init,
+ };
diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index 94e6888..c5c3f55 100644
--- a/drivers/net/macvlan.c
@@ -114042,7 +114067,7 @@ index f8595e8..e0d13cbd 100644
seq_putc(m, '\n');
diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c
-index 350984a..0fb02a9 100644
+index 350984a..a78a18c 100644
--- a/fs/proc/proc_net.c
+++ b/fs/proc/proc_net.c
@@ -23,9 +23,27 @@
@@ -114107,6 +114132,15 @@ index 350984a..0fb02a9 100644
err = -ENXIO;
net = get_proc_net(inode);
if (net == NULL)
+@@ -220,7 +251,7 @@ static __net_exit void proc_net_ns_exit(struct net *net)
+ kfree(net->proc_net);
+ }
+
+-static struct pernet_operations __net_initdata proc_net_ns_ops = {
++static struct pernet_operations __net_initconst proc_net_ns_ops = {
+ .init = proc_net_ns_init,
+ .exit = proc_net_ns_exit,
+ };
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index fe5b6e6..cd2913c 100644
--- a/fs/proc/proc_sysctl.c
@@ -132854,7 +132888,7 @@ index 25ef630..fc83c44 100644
struct iovec;
struct kvec;
diff --git
[gentoo-commits] proj/hardened-patchset:master commit in: 4.5.7/
commit: 9efc134b4d978753db4dd108ac3fb9e5b8f0a52b Author: Anthony G. Basile gentoo org> AuthorDate: Thu Jun 30 13:12:16 2016 + Commit: Anthony G. Basile gentoo org> CommitDate: Thu Jun 30 13:12:16 2016 + URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=9efc134b grsecurity-3.1-4.5.7-201606282216 4.5.7/_README | 2 +- ...> 4420_grsecurity-3.1-4.5.7-201606282216.patch} | 680 - 2 files changed, 524 insertions(+), 158 deletions(-) diff --git a/4.5.7/_README b/4.5.7/_README index bdf9f5e..b74e534 100644 --- a/4.5.7/_README +++ b/4.5.7/_README @@ -2,7 +2,7 @@ README - Individual Patch Descriptions: - -Patch: 4420_grsecurity-3.1-4.5.7-201606280009.patch +Patch: 4420_grsecurity-3.1-4.5.7-201606282216.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606280009.patch b/4.5.7/4420_grsecurity-3.1-4.5.7-201606282216.patch similarity index 99% rename from 4.5.7/4420_grsecurity-3.1-4.5.7-201606280009.patch rename to 4.5.7/4420_grsecurity-3.1-4.5.7-201606282216.patch index f3179f6..01f7898 100644 --- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606280009.patch +++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606282216.patch @@ -8554,6 +8554,37 @@ index 523673d..4aeef3b 100644 : "="(tmp) : "r"(>lock) : "cr0", "xer", "memory"); +diff --git a/arch/powerpc/include/asm/string.h b/arch/powerpc/include/asm/string.h +index e40010a..d3c3d6b 100644 +--- a/arch/powerpc/include/asm/string.h b/arch/powerpc/include/asm/string.h +@@ -15,17 +15,17 @@ + #define __HAVE_ARCH_MEMCMP + #define __HAVE_ARCH_MEMCHR + +-extern char * strcpy(char *,const char *); +-extern char * strncpy(char *,const char *, __kernel_size_t); ++extern char * strcpy(char *,const char *) __nocapture(2); ++extern char * strncpy(char *,const char *, __kernel_size_t) __nocapture(2); + extern __kernel_size_t strlen(const char *); +-extern int strcmp(const char *,const char *); +-extern int strncmp(const char *, const char *, __kernel_size_t); +-extern char * strcat(char *, const char *); ++extern int strcmp(const char *,const char *) __nocapture(1, 2); ++extern int strncmp(const char *, const char *, __kernel_size_t) __nocapture(1, 2); ++extern char * strcat(char *, const char *) __nocapture(2); + extern void * memset(void *,int,__kernel_size_t); +-extern void * memcpy(void *,const void *,__kernel_size_t); +-extern void * memmove(void *,const void *,__kernel_size_t); +-extern int memcmp(const void *,const void *,__kernel_size_t); +-extern void * memchr(const void *,int,__kernel_size_t); ++extern void * memcpy(void *,const void *,__kernel_size_t) __nocapture(2); ++extern void * memmove(void *,const void *,__kernel_size_t) __nocapture(2); ++extern int memcmp(const void *,const void *,__kernel_size_t) __nocapture(1, 2); ++extern void * memchr(const void *,int,__kernel_size_t) __nocapture(1); + + #endif /* __KERNEL__ */ + diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h index 7efee4a..48d47cc 100644 --- a/arch/powerpc/include/asm/thread_info.h @@ -12410,7 +12441,7 @@ index ad8f795..2c7eec6 100644 /* * Memory returned by kmalloc() may be used for DMA, so we must make diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 3bf45a0..25ca7da 100644 +index 3bf45a0..b08241b 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -38,14 +38,13 @@ config X86 @@ -12446,7 +12477,23 @@ index 3bf45a0..25ca7da 100644 select HAVE_GENERIC_DMA_COHERENTif X86_32 select HAVE_HW_BREAKPOINT select HAVE_IDE -@@ -290,7 +290,7 @@ config X86_64_SMP +@@ -184,11 +184,13 @@ config MMU + def_bool y + + config ARCH_MMAP_RND_BITS_MIN +- default 28 if 64BIT ++ default 28 if 64BIT && !PAX_PER_CPU_PGD ++ default 27 if 64BIT && PAX_PER_CPU_PGD + default 8 + + config ARCH_MMAP_RND_BITS_MAX +- default 32 if 64BIT ++ default 32 if 64BIT && !PAX_PER_CPU_PGD ++ default 27 if 64BIT && PAX_PER_CPU_PGD + default 16 + + config ARCH_MMAP_RND_COMPAT_BITS_MIN +@@ -290,7 +292,7 @@ config X86_64_SMP config X86_32_LAZY_GS def_bool y @@ -12455,7 +12502,7 @@ index 3bf45a0..25ca7da 100644 config ARCH_HWEIGHT_CFLAGS string -@@ -674,6 +674,7 @@ config SCHED_OMIT_FRAME_POINTER +@@ -674,6 +676,7 @@ config SCHED_OMIT_FRAME_POINTER menuconfig HYPERVISOR_GUEST bool "Linux guest support" @@ -12463,7 +12510,7 @@ index 3bf45a0..25ca7da 100644 ---help--- Say Y here to enable options for running Linux under various hyper- visors. This option enables basic hypervisor detection and platform -@@ -1073,6 +1074,7 @@ config VM86 +@@ -1073,6
[gentoo-commits] proj/hardened-patchset:master commit in: 4.5.7/
commit: fe9cd0792773d512df74e504d2ef92946d02f6da
Author: Anthony G. Basile gentoo org>
AuthorDate: Tue Jun 28 11:24:47 2016 +
Commit: Anthony G. Basile gentoo org>
CommitDate: Tue Jun 28 11:24:47 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=fe9cd079
grsecurity-3.1-4.5.7-201606280009
4.5.7/_README | 2 +-
...> 4420_grsecurity-3.1-4.5.7-201606280009.patch} | 32 --
2 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/4.5.7/_README b/4.5.7/_README
index b74a9dd..bdf9f5e 100644
--- a/4.5.7/_README
+++ b/4.5.7/_README
@@ -2,7 +2,7 @@ README
-
Individual Patch Descriptions:
-
-Patch: 4420_grsecurity-3.1-4.5.7-201606262019.patch
+Patch: 4420_grsecurity-3.1-4.5.7-201606280009.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606262019.patch
b/4.5.7/4420_grsecurity-3.1-4.5.7-201606280009.patch
similarity index 99%
rename from 4.5.7/4420_grsecurity-3.1-4.5.7-201606262019.patch
rename to 4.5.7/4420_grsecurity-3.1-4.5.7-201606280009.patch
index 3d3b9d3..f3179f6 100644
--- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606262019.patch
+++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606280009.patch
@@ -98058,7 +98058,7 @@ index e4141f2..d8263e8 100644
i += packet_length_size;
if (copy_to_user([i], msg_ctx->msg, msg_ctx->msg_size))
diff --git a/fs/exec.c b/fs/exec.c
-index dcd4ac7..f651515 100644
+index dcd4ac7..7a1a7dc 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -56,8 +56,20 @@
@@ -98572,7 +98572,7 @@ index dcd4ac7..f651515 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1749,3 +1930,319 @@ COMPAT_SYSCALL_DEFINE5(execveat, int, fd,
+@@ -1749,3 +1930,316 @@ COMPAT_SYSCALL_DEFINE5(execveat, int, fd,
argv, envp, flags);
}
#endif
@@ -98719,10 +98719,7 @@ index dcd4ac7..f651515 100644
+ printk(KERN_EMERG "PAX: refcount overflow detected in: %s:%d,
uid/euid: %u/%u\n", current->comm, task_pid_nr(current),
+ from_kuid_munged(_user_ns, current_uid()),
from_kuid_munged(_user_ns, current_euid()));
+ print_symbol(KERN_EMERG "PAX: refcount overflow occured at: %s\n",
instruction_pointer(regs));
-+ preempt_disable();
-+ show_regs(regs);
-+ preempt_enable();
-+ force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
++ BUG();
+}
+#endif
+
@@ -139266,7 +139263,7 @@ index c112abb..49d919f 100644
if (wo->wo_flags & __WNOTHREAD)
break;
diff --git a/kernel/fork.c b/kernel/fork.c
-index 2e391c7..4af22a9 100644
+index 2e391c7..87a5bfe 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -188,12 +188,55 @@ static void free_thread_info(struct thread_info *ti)
@@ -139655,7 +139652,7 @@ index 2e391c7..4af22a9 100644
if (atomic_read(>real_cred->user->processes) >=
task_rlimit(p, RLIMIT_NPROC)) {
if (p->real_cred->user != INIT_USER &&
-@@ -1568,6 +1681,11 @@ static struct task_struct *copy_process(unsigned long
clone_flags,
+@@ -1568,6 +1681,16 @@ static struct task_struct *copy_process(unsigned long
clone_flags,
goto bad_fork_cancel_cgroup;
}
@@ -139664,10 +139661,15 @@ index 2e391c7..4af22a9 100644
+ */
+ gr_copy_label(p);
+
++#ifdef CONFIG_GRKERNSEC_SETXID
++ if (p->delayed_cred)
++ get_cred(p->delayed_cred);
++#endif
++
if (likely(p->pid)) {
ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace);
-@@ -1657,6 +1775,8 @@ bad_fork_cleanup_count:
+@@ -1657,6 +1780,8 @@ bad_fork_cleanup_count:
bad_fork_free:
free_task(p);
fork_out:
@@ -139676,7 +139678,7 @@ index 2e391c7..4af22a9 100644
return ERR_PTR(retval);
}
-@@ -1719,6 +1839,7 @@ long _do_fork(unsigned long clone_flags,
+@@ -1719,6 +1844,7 @@ long _do_fork(unsigned long clone_flags,
p = copy_process(clone_flags, stack_start, stack_size,
child_tidptr, NULL, trace, tls);
@@ -139684,7 +139686,7 @@ index 2e391c7..4af22a9 100644
/*
* Do this prior waking up the new thread - the thread pointer
* might get invalid after that point, if the thread exits quickly.
-@@ -1735,6 +1856,8 @@ long _do_fork(unsigned long clone_flags,
+@@ -1735,6 +1861,8 @@ long _do_fork(unsigned long clone_flags,
if (clone_flags & CLONE_PARENT_SETTID)
put_user(nr, parent_tidptr);
@@ -139693,7 +139695,7 @@ index 2e391c7..4af22a9 100644
if (clone_flags & CLONE_VFORK) {
p->vfork_done =
[gentoo-commits] proj/hardened-patchset:master commit in: 4.5.7/
commit: 8bf1f839085fc6cb7cde16cc44895e8203618936 Author: Anthony G. Basile gentoo org> AuthorDate: Mon Jun 27 10:28:23 2016 + Commit: Anthony G. Basile gentoo org> CommitDate: Mon Jun 27 10:28:23 2016 + URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=8bf1f839 grsecurity-3.1-4.5.7-201606262019 4.5.7/_README |2 +- ...> 4420_grsecurity-3.1-4.5.7-201606262019.patch} | 1079 +++- 2 files changed, 848 insertions(+), 233 deletions(-) diff --git a/4.5.7/_README b/4.5.7/_README index 068b4c9..b74a9dd 100644 --- a/4.5.7/_README +++ b/4.5.7/_README @@ -2,7 +2,7 @@ README - Individual Patch Descriptions: - -Patch: 4420_grsecurity-3.1-4.5.7-201606202152.patch +Patch: 4420_grsecurity-3.1-4.5.7-201606262019.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606202152.patch b/4.5.7/4420_grsecurity-3.1-4.5.7-201606262019.patch similarity index 99% rename from 4.5.7/4420_grsecurity-3.1-4.5.7-201606202152.patch rename to 4.5.7/4420_grsecurity-3.1-4.5.7-201606262019.patch index 5ac1e8a..3d3b9d3 100644 --- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606202152.patch +++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606262019.patch @@ -1,3 +1,15 @@ +diff --git a/.gitignore b/.gitignore +index fd3a355..c47e86a 100644 +--- a/.gitignore b/.gitignore +@@ -37,6 +37,7 @@ modules.builtin + Module.symvers + *.dwo + *.su ++*.c.[012]*.* + + # + # Top-level generic files diff --git a/Documentation/dontdiff b/Documentation/dontdiff index 8ea834f..1462492 100644 --- a/Documentation/dontdiff @@ -408,7 +420,7 @@ index a93b414..f50a50b 100644 A toggle value indicating if modules are allowed to be loaded diff --git a/Makefile b/Makefile -index 90e4bd9..44d0d41 100644 +index 90e4bd9..66ce952 100644 --- a/Makefile +++ b/Makefile @@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -422,16 +434,7 @@ index 90e4bd9..44d0d41 100644 ifeq ($(shell $(HOSTCC) -v 2>&1 | grep -c "clang version"), 1) HOSTCFLAGS += -Wno-unused-value -Wno-unused-parameter \ -@@ -417,6 +419,8 @@ export KBUILD_AFLAGS_MODULE KBUILD_CFLAGS_MODULE KBUILD_LDFLAGS_MODULE - export KBUILD_AFLAGS_KERNEL KBUILD_CFLAGS_KERNEL - export KBUILD_ARFLAGS - -+export PLUGINCC GCC_PLUGINS_CFLAGS GCC_PLUGINS_AFLAGS -+ - # When compiling out-of-tree modules, put MODVERDIR in the module - # tree rather than in the kernel tree. The kernel tree might - # even be read-only. -@@ -547,7 +551,7 @@ ifeq ($(KBUILD_EXTMOD),) +@@ -547,7 +549,7 @@ ifeq ($(KBUILD_EXTMOD),) # in parallel PHONY += scripts scripts: scripts_basic include/config/auto.conf include/config/tristate.conf \ @@ -440,23 +443,16 @@ index 90e4bd9..44d0d41 100644 $(Q)$(MAKE) $(build)=$(@) # Objects we will link into vmlinux / subdirs we need to visit -@@ -622,6 +626,15 @@ endif +@@ -622,6 +624,8 @@ endif # Tell gcc to never replace conditional load with a non-conditional one KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0) -+PHONY += gcc-plugins -+gcc-plugins: scripts_basic -+ifdef CONFIG_GCC_PLUGINS -+ $(Q)$(MAKE) $(build)=scripts/gcc-plugins -+endif -+ @: -+ +include scripts/Makefile.gcc-plugins + ifdef CONFIG_READABLE_ASM # Disable optimizations that make assembler listings hard to read. # reorder blocks reorders the control in the function -@@ -715,7 +728,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g) +@@ -715,7 +719,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g) else KBUILD_CFLAGS += -g endif @@ -465,7 +461,7 @@ index 90e4bd9..44d0d41 100644 endif ifdef CONFIG_DEBUG_INFO_DWARF4 KBUILD_CFLAGS += $(call cc-option, -gdwarf-4,) -@@ -887,7 +900,7 @@ export mod_sign_cmd +@@ -887,7 +891,7 @@ export mod_sign_cmd ifeq ($(KBUILD_EXTMOD),) @@ -474,7 +470,7 @@ index 90e4bd9..44d0d41 100644 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ -@@ -990,7 +1003,7 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ +@@ -990,7 +994,7 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ archprepare: archheaders archscripts prepare1 scripts_basic @@ -483,7 +479,7 @@ index 90e4bd9..44d0d41 100644 $(Q)$(MAKE) $(build)=. # All the preparing.. -@@ -1185,7 +1198,11 @@ MRPROPER_FILES += .config .config.old .version .old_version \ +@@ -1185,7 +1189,11 @@ MRPROPER_FILES += .config .config.old .version .old_version \ Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \ signing_key.pem signing_key.priv signing_key.x509 \
[gentoo-commits] proj/hardened-patchset:master commit in: 4.5.7/
commit: 4bff175b49380f941e6d1434a6ab0fb250b2e280 Author: Anthony G. Basile gentoo org> AuthorDate: Tue Jun 21 10:21:03 2016 + Commit: Anthony G. Basile gentoo org> CommitDate: Tue Jun 21 10:21:03 2016 + URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=4bff175b grsecurity-3.1-4.5.7-201606202152 4.5.7/_README | 2 +- ...> 4420_grsecurity-3.1-4.5.7-201606202152.patch} | 23 +++--- 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/4.5.7/_README b/4.5.7/_README index 7dd453b..068b4c9 100644 --- a/4.5.7/_README +++ b/4.5.7/_README @@ -2,7 +2,7 @@ README - Individual Patch Descriptions: - -Patch: 4420_grsecurity-3.1-4.5.7-201606142010.patch +Patch: 4420_grsecurity-3.1-4.5.7-201606202152.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606142010.patch b/4.5.7/4420_grsecurity-3.1-4.5.7-201606202152.patch similarity index 99% rename from 4.5.7/4420_grsecurity-3.1-4.5.7-201606142010.patch rename to 4.5.7/4420_grsecurity-3.1-4.5.7-201606202152.patch index b46e7cf..5ac1e8a 100644 --- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606142010.patch +++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606202152.patch @@ -115435,7 +115435,7 @@ index ec0e239..ab85b22 100644 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 000..f172760 +index 000..821601d --- /dev/null +++ b/grsecurity/Kconfig @@ -0,0 +1,1205 @@ @@ -115582,14 +115582,14 @@ index 000..f172760 +config GRKERNSEC_KSTACKOVERFLOW + bool "Prevent kernel stack overflows" + default y if GRKERNSEC_CONFIG_AUTO -+ depends on !IA64 && 64BIT ++ depends on X86_64 + help +If you say Y here, the kernel's process stacks will be allocated +with vmalloc instead of the kernel's default allocator. This +introduces guard pages that in combination with the alloca checking -+of the STACKLEAK feature prevents all forms of kernel process stack -+overflow abuse. Note that this is different from kernel stack -+buffer overflows. ++of the STACKLEAK feature and removal of thread_info from the kernel ++stack prevents all forms of kernel process stack overflow abuse. ++ Note that this is different from kernel stack buffer overflows. + +config GRKERNSEC_BRUTE + bool "Deter exploit bruteforcing" @@ -156888,7 +156888,7 @@ index f2280f7..c0a006f 100644 struct irlap_cb *self = (struct irlap_cb *) data; diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c -index fc3598a..03a184e 100644 +index fc3598a..03a184e3 100644 --- a/net/iucv/af_iucv.c +++ b/net/iucv/af_iucv.c @@ -685,10 +685,10 @@ static void __iucv_auto_name(struct iucv_sock *iucv) @@ -211999,7 +211999,7 @@ index 5105c2c..a5010e6 100644 extern struct key_type key_type_request_key_auth; extern struct key *request_key_auth_new(struct key *target, diff --git a/security/keys/key.c b/security/keys/key.c -index 09ef276..ab2894f 100644 +index 09ef276..357db79 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -283,7 +283,7 @@ struct key *key_alloc(struct key_type *type, const char *desc, @@ -212011,6 +212011,15 @@ index 09ef276..ab2894f 100644 key->index_key.type = type; key->user = user; key->quotalen = quotalen; +@@ -582,7 +582,7 @@ int key_reject_and_link(struct key *key, + + mutex_unlock(_construction_mutex); + +- if (keyring) ++ if (keyring && link_ret == 0) + __key_link_end(keyring, >index_key, edit); + + /* wake up anyone waiting for a key to be constructed */ @@ -1077,7 +1077,9 @@ int register_key_type(struct key_type *ktype) struct key_type *p; int ret;
[gentoo-commits] proj/hardened-patchset:master commit in: 4.5.7/
commit: df5765ccf2fcc59e11b068e559e0528356afe44f
Author: Anthony G. Basile gentoo org>
AuthorDate: Wed Jun 15 18:56:10 2016 +
Commit: Anthony G. Basile gentoo org>
CommitDate: Wed Jun 15 18:56:10 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=df5765cc
grsecurity-3.1-4.5.7-201606142010
4.5.7/_README |2 +-
...> 4420_grsecurity-3.1-4.5.7-201606142010.patch} | 1324
2 files changed, 1056 insertions(+), 270 deletions(-)
diff --git a/4.5.7/_README b/4.5.7/_README
index 67f12a7..7dd453b 100644
--- a/4.5.7/_README
+++ b/4.5.7/_README
@@ -2,7 +2,7 @@ README
-
Individual Patch Descriptions:
-
-Patch: 4420_grsecurity-3.1-4.5.7-201606080852.patch
+Patch: 4420_grsecurity-3.1-4.5.7-201606142010.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606080852.patch
b/4.5.7/4420_grsecurity-3.1-4.5.7-201606142010.patch
similarity index 99%
rename from 4.5.7/4420_grsecurity-3.1-4.5.7-201606080852.patch
rename to 4.5.7/4420_grsecurity-3.1-4.5.7-201606142010.patch
index 65f5e28..b46e7cf 100644
--- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606080852.patch
+++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606142010.patch
@@ -3631,6 +3631,68 @@ index 549f6d3..909a9dc 100644
default y if ARM_ARCH_TIMER
select GENERIC_TIME_VSYSCALL
help
+diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c
+index 7d5f4c7..c6a0816 100644
+--- a/arch/arm/mm/alignment.c
b/arch/arm/mm/alignment.c
+@@ -778,6 +778,7 @@ do_alignment(unsigned long addr, unsigned int fsr, struct
pt_regs *regs)
+ u16 tinstr = 0;
+ int isize = 4;
+ int thumb2_32b = 0;
++ bool is_user_mode = user_mode(regs);
+
+ if (interrupts_enabled(regs))
+ local_irq_enable();
+@@ -786,14 +787,24 @@ do_alignment(unsigned long addr, unsigned int fsr,
struct pt_regs *regs)
+
+ if (thumb_mode(regs)) {
+ u16 *ptr = (u16 *)(instrptr & ~1);
+- fault = probe_kernel_address(ptr, tinstr);
++ if (is_user_mode) {
++ pax_open_userland();
++ fault = probe_kernel_address(ptr, tinstr);
++ pax_close_userland();
++ } else
++ fault = probe_kernel_address(ptr, tinstr);
+ tinstr = __mem_to_opcode_thumb16(tinstr);
+ if (!fault) {
+ if (cpu_architecture() >= CPU_ARCH_ARMv7 &&
+ IS_T32(tinstr)) {
+ /* Thumb-2 32-bit */
+ u16 tinst2 = 0;
+- fault = probe_kernel_address(ptr + 1, tinst2);
++ if (is_user_mode) {
++ pax_open_userland();
++ fault = probe_kernel_address(ptr + 1,
tinst2);
++ pax_close_userland();
++ } else
++ fault = probe_kernel_address(ptr + 1,
tinst2);
+ tinst2 = __mem_to_opcode_thumb16(tinst2);
+ instr = __opcode_thumb32_compose(tinstr,
tinst2);
+ thumb2_32b = 1;
+@@ -803,7 +814,12 @@ do_alignment(unsigned long addr, unsigned int fsr, struct
pt_regs *regs)
+ }
+ }
+ } else {
+- fault = probe_kernel_address((void *)instrptr, instr);
++ if (is_user_mode) {
++ pax_open_userland();
++ fault = probe_kernel_address((void *)instrptr, instr);
++ pax_close_userland();
++ } else
++ fault = probe_kernel_address((void *)instrptr, instr);
+ instr = __mem_to_opcode_arm(instr);
+ }
+
+@@ -812,7 +828,7 @@ do_alignment(unsigned long addr, unsigned int fsr, struct
pt_regs *regs)
+ goto bad_or_fault;
+ }
+
+- if (user_mode(regs))
++ if (is_user_mode)
+ goto user;
+
+ ai_sys += 1;
diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c
index 9f9d542..5189649 100644
--- a/arch/arm/mm/cache-l2x0.c
@@ -97446,6 +97508,123 @@ index 8580831..36166e5 100644
retval = sysfs_create_mount_point(kernel_kobj, "debug");
if (retval)
return retval;
+diff --git a/fs/ecryptfs/file.c b/fs/ecryptfs/file.c
+index feef8a9..f024040 100644
+--- a/fs/ecryptfs/file.c
b/fs/ecryptfs/file.c
+@@ -112,7 +112,6 @@ static int ecryptfs_readdir(struct file *file, struct
dir_context *ctx)
+ .sb =
