[gentoo-commits] proj/hardened-patchset:master commit in: 4.5.7/
commit: d32dd7f3f7697ee461fd2faa0fd051877e411bc1 Author: Anthony G. Basile gentoo org> AuthorDate: Sat Jul 2 08:59:46 2016 + Commit: Anthony G. Basile gentoo org> CommitDate: Sat Jul 2 08:59:46 2016 + URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=d32dd7f3 grsecurity-3.1-4.5.7-201606302132 4.5.7/_README | 2 +- ...> 4420_grsecurity-3.1-4.5.7-201606302132.patch} | 416 - 4.5.7/4425_grsec_remove_EI_PAX.patch | 2 +- 4.5.7/4450_grsec-kconfig-default-gids.patch| 8 +- 4.5.7/4470_disable-compat_vdso.patch | 2 +- 4.5.7/4475_emutramp_default_on.patch | 4 +- 6 files changed, 252 insertions(+), 182 deletions(-) diff --git a/4.5.7/_README b/4.5.7/_README index 6531b4d..cd47bdd 100644 --- a/4.5.7/_README +++ b/4.5.7/_README @@ -2,7 +2,7 @@ README - Individual Patch Descriptions: - -Patch: 4420_grsecurity-3.1-4.5.7-201606292300.patch +Patch: 4420_grsecurity-3.1-4.5.7-201606302132.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606292300.patch b/4.5.7/4420_grsecurity-3.1-4.5.7-201606302132.patch similarity index 99% rename from 4.5.7/4420_grsecurity-3.1-4.5.7-201606292300.patch rename to 4.5.7/4420_grsecurity-3.1-4.5.7-201606302132.patch index 4f4d48f..6f9feec 100644 --- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606292300.patch +++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606302132.patch @@ -12658,7 +12658,7 @@ index 3ba5ff2..44bdacc 100644 config X86_MINIMUM_CPU_FAMILY int diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug -index 9b18ed9..9528749 100644 +index 9b18ed9..0fb0660 100644 --- a/arch/x86/Kconfig.debug +++ b/arch/x86/Kconfig.debug @@ -55,6 +55,7 @@ config X86_PTDUMP 
@@ -12669,16 +12669,15 @@ index 9b18ed9..9528749 100644 select X86_PTDUMP_CORE ---help--- Say Y here if you want to show the kernel pagetable layout in a -@@ -77,7 +78,7 @@ config EFI_PGT_DUMP +@@ -77,7 +78,6 @@ config EFI_PGT_DUMP config DEBUG_RODATA bool "Write protect kernel read-only data structures" default y - depends on DEBUG_KERNEL -+ depends on DEBUG_KERNEL && BROKEN ---help--- Mark the kernel read-only data as write-protected in the pagetables, in order to catch accidental (and incorrect) writes to such const -@@ -123,7 +124,7 @@ config DEBUG_WX +@@ -123,7 +123,7 @@ config DEBUG_WX config DEBUG_SET_MODULE_RONX bool "Set loadable kernel module data as NX and text as RO" @@ -12687,7 +12686,7 @@ index 9b18ed9..9528749 100644 ---help--- This option helps catch unintended modifications to loadable kernel module's text and read-only data. It also prevents execution -@@ -375,6 +376,7 @@ config X86_DEBUG_FPU +@@ -375,6 +375,7 @@ config X86_DEBUG_FPU config PUNIT_ATOM_DEBUG tristate "ATOM Punit debug driver" select DEBUG_FS @@ -27194,7 +27193,7 @@ index 2c0f340..76c1d24 100644 for (i = 0; i < NUM_EXCEPTION_VECTORS; i++) diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S -index 6bc9ae2..33997fe 100644 +index 6bc9ae2..51f7c58 100644 --- a/arch/x86/kernel/head_32.S +++ b/arch/x86/kernel/head_32.S @@ -27,6 +27,12 @@ 
@@ -27466,28 +27465,23 @@ index 6bc9ae2..33997fe 100644 pushl 16(%esp) pushl 24(%esp) pushl 32(%esp) -@@ -663,29 +755,34 @@ ENTRY(setup_once_ref) - /* - * BSS section - */ +@@ -660,11 +752,8 @@ ENTRY(initial_code) + ENTRY(setup_once_ref) + .long setup_once + +-/* +- * BSS section +- */ -__PAGE_ALIGNED_BSS - .align PAGE_SIZE ++__READ_ONLY ++ .balign PAGE_SIZE #ifdef CONFIG_X86_PAE -+.section .initial_pg_pmd,"a",@progbits initial_pg_pmd: .fill 1024*KPMDS,4,0 - #else -+.section .initial_page_table,"a",@progbits - ENTRY(initial_page_table) - .fill 1024,4,0 - #endif -+.section .initial_pg_fixmap,"a",@progbits - initial_pg_fixmap: - .fill 1024,4,0 -+.section .empty_zero_page,"a",@progbits +@@ -677,15 +766,18 @@ initial_pg_fixmap: ENTRY(empty_zero_page) .fill 4096,1,0 -+.section .swapper_pg_dir,"a",@progbits ENTRY(swapper_pg_dir) - .fill 1024,4,0 +#ifdef CONFIG_X86_PAE @@ -27503,21 +27497,24 @@ index 6bc9ae2..33997fe 100644 -__PAGE_ALIGNED_DATA - /* Page-aligned for the benefit of paravirt? */ - .align PAGE_SIZE -+.section .initial_page_table,"a",@progbits ++__READ_ONLY ++ .balign PAGE_SIZE ENTRY(initial_page_table) .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */ # if KPMDS == 3 -@@ -704,12 +801,20 @@ ENTRY(initial_page_table) +@@ -703,13 +795,21 @@ ENTRY(initial_page_table)
[gentoo-commits] proj/hardened-patchset:master commit in: 4.5.7/
commit: 69430df88d9fcc4b3ad98e37688ac7d1dd4e7c6e Author: Anthony G. Basile gentoo org> AuthorDate: Thu Jun 30 13:21:52 2016 + Commit: Anthony G. Basile gentoo org> CommitDate: Thu Jun 30 13:21:52 2016 + URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=69430df8 grsecurity-3.1-4.5.7-201606292300 4.5.7/_README | 2 +- ...> 4420_grsecurity-3.1-4.5.7-201606292300.patch} | 322 +++-- 2 files changed, 295 insertions(+), 29 deletions(-) diff --git a/4.5.7/_README b/4.5.7/_README index b74e534..6531b4d 100644 --- a/4.5.7/_README +++ b/4.5.7/_README @@ -2,7 +2,7 @@ README - Individual Patch Descriptions: - -Patch: 4420_grsecurity-3.1-4.5.7-201606282216.patch +Patch: 4420_grsecurity-3.1-4.5.7-201606292300.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606282216.patch b/4.5.7/4420_grsecurity-3.1-4.5.7-201606292300.patch similarity index 99% rename from 4.5.7/4420_grsecurity-3.1-4.5.7-201606282216.patch rename to 4.5.7/4420_grsecurity-3.1-4.5.7-201606292300.patch index 01f7898..4f4d48f 100644 --- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606282216.patch +++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606292300.patch @@ -49321,7 +49321,7 @@ index 6a27eb2..349ed23 100644 }; diff --git a/drivers/hwmon/dell-smm-hwmon.c b/drivers/hwmon/dell-smm-hwmon.c -index c43318d..2574fc5 100644 +index c43318d..24bfd03 100644 --- a/drivers/hwmon/dell-smm-hwmon.c +++ b/drivers/hwmon/dell-smm-hwmon.c @@ -819,7 +819,7 @@ static const struct i8k_config_data i8k_config_data[] = { @@ -49329,7 +49329,7 @@ index c43318d..2574fc5 100644 }; -static struct dmi_system_id i8k_dmi_table[] __initdata = { -+static struct dmi_system_id i8k_dmi_table[] __initconst = { ++static const struct dmi_system_id i8k_dmi_table[] __initconst = { { .ident = "Dell Inspiron", .matches = { 
@@ -49338,7 +49338,7 @@ index c43318d..2574fc5 100644 MODULE_DEVICE_TABLE(dmi, i8k_dmi_table); -static struct dmi_system_id i8k_blacklist_dmi_table[] __initdata = { -+static struct dmi_system_id i8k_blacklist_dmi_table[] __initconst = { ++static const struct dmi_system_id i8k_blacklist_dmi_table[] __initconst = { { /* * CPU fan speed going up and down on Dell Studio XPS 8000 @@ -58553,6 +58553,19 @@ index 556a2df..e771329 100644 { spin_lock(_gxx_spin); sbc_gxx_page(map, adr); +diff --git a/drivers/mtd/nand/brcmnand/brcmnand.h b/drivers/mtd/nand/brcmnand/brcmnand.h +index ef5eabb..2b61d03 100644 +--- a/drivers/mtd/nand/brcmnand/brcmnand.h b/drivers/mtd/nand/brcmnand/brcmnand.h +@@ -24,7 +24,7 @@ struct brcmnand_soc { + bool (*ctlrdy_ack)(struct brcmnand_soc *soc); + void (*ctlrdy_set_enabled)(struct brcmnand_soc *soc, bool en); + void (*prepare_data_bus)(struct brcmnand_soc *soc, bool prepare); +-}; ++} __no_const; + + static inline void brcmnand_soc_data_bus_prepare(struct brcmnand_soc *soc) + { diff --git a/drivers/mtd/nand/cafe_nand.c b/drivers/mtd/nand/cafe_nand.c index aa1a616..a47a33d 100644 --- a/drivers/mtd/nand/cafe_nand.c @@ -62716,6 +62729,18 @@ index f9db2ce..6cd460c 100644 return ring_first(r); } +diff --git a/drivers/net/loopback.c b/drivers/net/loopback.c +index a400288..0c59bcd 100644 +--- a/drivers/net/loopback.c b/drivers/net/loopback.c +@@ -217,6 +217,6 @@ out: + } + + /* Registered in net/core/dev.c */ +-struct pernet_operations __net_initdata loopback_net_ops = { ++struct pernet_operations __net_initconst loopback_net_ops = { +.init = loopback_net_init, + }; diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c index 94e6888..c5c3f55 100644 --- a/drivers/net/macvlan.c @@ -114042,7 +114067,7 @@ index f8595e8..e0d13cbd 100644 seq_putc(m, '\n'); diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c -index 350984a..0fb02a9 100644 +index 350984a..a78a18c 100644 --- a/fs/proc/proc_net.c +++ b/fs/proc/proc_net.c @@ -23,9 +23,27 @@ 
@@ -114107,6 +114132,15 @@ index 350984a..0fb02a9 100644 err = -ENXIO; net = get_proc_net(inode); if (net == NULL) +@@ -220,7 +251,7 @@ static __net_exit void proc_net_ns_exit(struct net *net) + kfree(net->proc_net); + } + +-static struct pernet_operations __net_initdata proc_net_ns_ops = { ++static struct pernet_operations __net_initconst proc_net_ns_ops = { + .init = proc_net_ns_init, + .exit = proc_net_ns_exit, + }; diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c index fe5b6e6..cd2913c 100644 --- a/fs/proc/proc_sysctl.c @@ -132854,7 +132888,7 @@ index 25ef630..fc83c44 100644 struct iovec; struct kvec; diff --git
[gentoo-commits] proj/hardened-patchset:master commit in: 4.5.7/
commit: 9efc134b4d978753db4dd108ac3fb9e5b8f0a52b Author: Anthony G. Basile gentoo org> AuthorDate: Thu Jun 30 13:12:16 2016 + Commit: Anthony G. Basile gentoo org> CommitDate: Thu Jun 30 13:12:16 2016 + URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=9efc134b grsecurity-3.1-4.5.7-201606282216 4.5.7/_README | 2 +- ...> 4420_grsecurity-3.1-4.5.7-201606282216.patch} | 680 - 2 files changed, 524 insertions(+), 158 deletions(-) diff --git a/4.5.7/_README b/4.5.7/_README index bdf9f5e..b74e534 100644 --- a/4.5.7/_README +++ b/4.5.7/_README @@ -2,7 +2,7 @@ README - Individual Patch Descriptions: - -Patch: 4420_grsecurity-3.1-4.5.7-201606280009.patch +Patch: 4420_grsecurity-3.1-4.5.7-201606282216.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606280009.patch b/4.5.7/4420_grsecurity-3.1-4.5.7-201606282216.patch similarity index 99% rename from 4.5.7/4420_grsecurity-3.1-4.5.7-201606280009.patch rename to 4.5.7/4420_grsecurity-3.1-4.5.7-201606282216.patch index f3179f6..01f7898 100644 --- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606280009.patch +++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606282216.patch 
@@ -8554,6 +8554,37 @@ index 523673d..4aeef3b 100644 : "="(tmp) : "r"(>lock) : "cr0", "xer", "memory"); +diff --git a/arch/powerpc/include/asm/string.h b/arch/powerpc/include/asm/string.h +index e40010a..d3c3d6b 100644 +--- a/arch/powerpc/include/asm/string.h b/arch/powerpc/include/asm/string.h +@@ -15,17 +15,17 @@ + #define __HAVE_ARCH_MEMCMP + #define __HAVE_ARCH_MEMCHR + +-extern char * strcpy(char *,const char *); +-extern char * strncpy(char *,const char *, __kernel_size_t); ++extern char * strcpy(char *,const char *) __nocapture(2); ++extern char * strncpy(char *,const char *, __kernel_size_t) __nocapture(2); + extern __kernel_size_t strlen(const char *); +-extern int strcmp(const char *,const char *); +-extern int strncmp(const char *, const char *, __kernel_size_t); +-extern char * strcat(char *, const char *); ++extern int strcmp(const char *,const char *) __nocapture(1, 2); ++extern int strncmp(const char *, const char *, __kernel_size_t) __nocapture(1, 2); ++extern char * strcat(char *, const char *) __nocapture(2); + extern void * memset(void *,int,__kernel_size_t); +-extern void * memcpy(void *,const void *,__kernel_size_t); +-extern void * memmove(void *,const void *,__kernel_size_t); +-extern int memcmp(const void *,const void *,__kernel_size_t); +-extern void * memchr(const void *,int,__kernel_size_t); ++extern void * memcpy(void *,const void *,__kernel_size_t) __nocapture(2); ++extern void * memmove(void *,const void *,__kernel_size_t) __nocapture(2); ++extern int memcmp(const void *,const void *,__kernel_size_t) __nocapture(1, 2); ++extern void * memchr(const void *,int,__kernel_size_t) __nocapture(1); + + #endif /* __KERNEL__ */ + diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h index 7efee4a..48d47cc 100644 --- a/arch/powerpc/include/asm/thread_info.h @@ -12410,7 +12441,7 @@ index ad8f795..2c7eec6 100644 /* * Memory returned by kmalloc() may be used for DMA, so we must make 
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 3bf45a0..25ca7da 100644 +index 3bf45a0..b08241b 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -38,14 +38,13 @@ config X86 @@ -12446,7 +12477,23 @@ index 3bf45a0..25ca7da 100644 select HAVE_GENERIC_DMA_COHERENTif X86_32 select HAVE_HW_BREAKPOINT select HAVE_IDE -@@ -290,7 +290,7 @@ config X86_64_SMP +@@ -184,11 +184,13 @@ config MMU + def_bool y + + config ARCH_MMAP_RND_BITS_MIN +- default 28 if 64BIT ++ default 28 if 64BIT && !PAX_PER_CPU_PGD ++ default 27 if 64BIT && PAX_PER_CPU_PGD + default 8 + + config ARCH_MMAP_RND_BITS_MAX +- default 32 if 64BIT ++ default 32 if 64BIT && !PAX_PER_CPU_PGD ++ default 27 if 64BIT && PAX_PER_CPU_PGD + default 16 + + config ARCH_MMAP_RND_COMPAT_BITS_MIN +@@ -290,7 +292,7 @@ config X86_64_SMP config X86_32_LAZY_GS def_bool y @@ -12455,7 +12502,7 @@ index 3bf45a0..25ca7da 100644 config ARCH_HWEIGHT_CFLAGS string -@@ -674,6 +674,7 @@ config SCHED_OMIT_FRAME_POINTER +@@ -674,6 +676,7 @@ config SCHED_OMIT_FRAME_POINTER menuconfig HYPERVISOR_GUEST bool "Linux guest support" @@ -12463,7 +12510,7 @@ index 3bf45a0..25ca7da 100644 ---help--- Say Y here to enable options for running Linux under various hyper- visors. This option enables basic hypervisor detection and platform -@@ -1073,6 +1074,7 @@ config VM86 +@@ -1073,6
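Review bot: The two added `default 27 if 64BIT && PAX_PER_CPU_PGD` lines in ARCH_MMAP_RND_BITS_MIN and ARCH_MMAP_RND_BITS_MAX set the minimum equal to the maximum, so with PAX_PER_CPU_PGD enabled mmap randomization is pinned at 27 bits. That is one bit below the stock 64-bit minimum of 28 and leaves no range to tune upward. The hunk gives no reason for the value; presumably the option reduces the usable user address space, but that is not visible here. A Kconfig comment next to both entries would record the trade-off, e.g. `# PAX_PER_CPU_PGD: min == max == 27, mmap randomization is fixed and not tunable`. The ARCH_MMAP_RND_COMPAT_BITS_MIN entry appears only as context, so whether the compat limits need a matching change cannot be judged from this hunk.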
[gentoo-commits] proj/hardened-patchset:master commit in: 4.5.7/
commit: fe9cd0792773d512df74e504d2ef92946d02f6da Author: Anthony G. Basile gentoo org> AuthorDate: Tue Jun 28 11:24:47 2016 + Commit: Anthony G. Basile gentoo org> CommitDate: Tue Jun 28 11:24:47 2016 + URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=fe9cd079 grsecurity-3.1-4.5.7-201606280009 4.5.7/_README | 2 +- ...> 4420_grsecurity-3.1-4.5.7-201606280009.patch} | 32 -- 2 files changed, 18 insertions(+), 16 deletions(-) diff --git a/4.5.7/_README b/4.5.7/_README index b74a9dd..bdf9f5e 100644 --- a/4.5.7/_README +++ b/4.5.7/_README @@ -2,7 +2,7 @@ README - Individual Patch Descriptions: - -Patch: 4420_grsecurity-3.1-4.5.7-201606262019.patch +Patch: 4420_grsecurity-3.1-4.5.7-201606280009.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606262019.patch b/4.5.7/4420_grsecurity-3.1-4.5.7-201606280009.patch similarity index 99% rename from 4.5.7/4420_grsecurity-3.1-4.5.7-201606262019.patch rename to 4.5.7/4420_grsecurity-3.1-4.5.7-201606280009.patch index 3d3b9d3..f3179f6 100644 --- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606262019.patch +++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606280009.patch @@ -98058,7 +98058,7 @@ index e4141f2..d8263e8 100644 i += packet_length_size; if (copy_to_user([i], msg_ctx->msg, msg_ctx->msg_size)) diff --git a/fs/exec.c b/fs/exec.c -index dcd4ac7..f651515 100644 +index dcd4ac7..7a1a7dc 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -56,8 +56,20 @@ @@ -98572,7 +98572,7 @@ index dcd4ac7..f651515 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1749,3 +1930,319 @@ COMPAT_SYSCALL_DEFINE5(execveat, int, fd, +@@ -1749,3 +1930,316 @@ COMPAT_SYSCALL_DEFINE5(execveat, int, fd, argv, envp, flags); } #endif 
@@ -98719,10 +98719,7 @@ index dcd4ac7..f651515 100644 + printk(KERN_EMERG "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", current->comm, task_pid_nr(current), + from_kuid_munged(_user_ns, current_uid()), from_kuid_munged(_user_ns, current_euid())); + print_symbol(KERN_EMERG "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs)); -+ preempt_disable(); -+ show_regs(regs); -+ preempt_enable(); -+ force_sig_info(SIGKILL, SEND_SIG_FORCED, current); ++ BUG(); +} +#endif + @@ -139266,7 +139263,7 @@ index c112abb..49d919f 100644 if (wo->wo_flags & __WNOTHREAD) break; diff --git a/kernel/fork.c b/kernel/fork.c -index 2e391c7..4af22a9 100644 +index 2e391c7..87a5bfe 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -188,12 +188,55 @@ static void free_thread_info(struct thread_info *ti) @@ -139655,7 +139652,7 @@ index 2e391c7..4af22a9 100644 if (atomic_read(>real_cred->user->processes) >= task_rlimit(p, RLIMIT_NPROC)) { if (p->real_cred->user != INIT_USER && -@@ -1568,6 +1681,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1568,6 +1681,16 @@ static struct task_struct *copy_process(unsigned long clone_flags, goto bad_fork_cancel_cgroup; } @@ -139664,10 +139661,15 @@ index 2e391c7..4af22a9 100644 + */ + gr_copy_label(p); + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (p->delayed_cred) ++ get_cred(p->delayed_cred); ++#endif ++ if (likely(p->pid)) { ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace); -@@ -1657,6 +1775,8 @@ bad_fork_cleanup_count: +@@ -1657,6 +1780,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: @@ -139676,7 +139678,7 @@ index 2e391c7..4af22a9 100644 return ERR_PTR(retval); } -@@ -1719,6 +1839,7 @@ long _do_fork(unsigned long clone_flags, +@@ -1719,6 +1844,7 @@ long _do_fork(unsigned long clone_flags, p = copy_process(clone_flags, stack_start, stack_size, child_tidptr, NULL, trace, tls); 
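Review bot: Replacing the register dump and `force_sig_info(SIGKILL, SEND_SIG_FORCED, current)` with a bare `BUG()` in the refcount-overflow report path of fs/exec.c changes the failure mode from killing one task to raising a kernel oops, and the hunk does not document that. What happens next then follows the system's oops policy, so on hosts configured to panic on oops a single overflow report can take the machine down. A short comment above the call would make the intent explicit, e.g. `/* BUG() instead of SIGKILL: the oops path dumps registers; outcome follows the oops/panic policy */`. The two `KERN_EMERG` lines starting with "PAX: refcount overflow" are unchanged, so existing log alerts keyed on them (including the "occured" spelling) keep matching. The function's signature and opening lines are outside the hunk.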
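Review bot: The `get_cred(p->delayed_cred)` added under `CONFIG_GRKERNSEC_SETXID` in copy_process() has no matching release visible in this hunk, and the reference is taken late, after the last `goto bad_fork_cancel_cgroup`. If the task free path reached from `bad_fork_free` releases `delayed_cred`, a failure earlier in copy_process() would drop a reference the child never took. That should be confirmed against the free path, which is outside the hunk. A comment would also help the next reader, e.g. `/* child inherited the parent's delayed_cred pointer; take its own reference */`. That wording assumes `p` was duplicated from the parent, which this hunk does not show.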
@@ -139684,7 +139686,7 @@ index 2e391c7..4af22a9 100644 /* * Do this prior waking up the new thread - the thread pointer * might get invalid after that point, if the thread exits quickly. -@@ -1735,6 +1856,8 @@ long _do_fork(unsigned long clone_flags, +@@ -1735,6 +1861,8 @@ long _do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); @@ -139693,7 +139695,7 @@ index 2e391c7..4af22a9 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done =
[gentoo-commits] proj/hardened-patchset:master commit in: 4.5.7/
commit: 8bf1f839085fc6cb7cde16cc44895e8203618936 Author: Anthony G. Basile gentoo org> AuthorDate: Mon Jun 27 10:28:23 2016 + Commit: Anthony G. Basile gentoo org> CommitDate: Mon Jun 27 10:28:23 2016 + URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=8bf1f839 grsecurity-3.1-4.5.7-201606262019 4.5.7/_README |2 +- ...> 4420_grsecurity-3.1-4.5.7-201606262019.patch} | 1079 +++- 2 files changed, 848 insertions(+), 233 deletions(-) diff --git a/4.5.7/_README b/4.5.7/_README index 068b4c9..b74a9dd 100644 --- a/4.5.7/_README +++ b/4.5.7/_README @@ -2,7 +2,7 @@ README - Individual Patch Descriptions: - -Patch: 4420_grsecurity-3.1-4.5.7-201606202152.patch +Patch: 4420_grsecurity-3.1-4.5.7-201606262019.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606202152.patch b/4.5.7/4420_grsecurity-3.1-4.5.7-201606262019.patch similarity index 99% rename from 4.5.7/4420_grsecurity-3.1-4.5.7-201606202152.patch rename to 4.5.7/4420_grsecurity-3.1-4.5.7-201606262019.patch index 5ac1e8a..3d3b9d3 100644 --- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606202152.patch +++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606262019.patch @@ -1,3 +1,15 @@ +diff --git a/.gitignore b/.gitignore +index fd3a355..c47e86a 100644 +--- a/.gitignore b/.gitignore +@@ -37,6 +37,7 @@ modules.builtin + Module.symvers + *.dwo + *.su ++*.c.[012]*.* + + # + # Top-level generic files diff --git a/Documentation/dontdiff b/Documentation/dontdiff index 8ea834f..1462492 100644 --- a/Documentation/dontdiff @@ -408,7 +420,7 @@ index a93b414..f50a50b 100644 A toggle value indicating if modules are allowed to be loaded diff --git a/Makefile b/Makefile -index 90e4bd9..44d0d41 100644 +index 90e4bd9..66ce952 100644 --- a/Makefile +++ b/Makefile @@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ 
@@ -422,16 +434,7 @@ index 90e4bd9..44d0d41 100644 ifeq ($(shell $(HOSTCC) -v 2>&1 | grep -c "clang version"), 1) HOSTCFLAGS += -Wno-unused-value -Wno-unused-parameter \ -@@ -417,6 +419,8 @@ export KBUILD_AFLAGS_MODULE KBUILD_CFLAGS_MODULE KBUILD_LDFLAGS_MODULE - export KBUILD_AFLAGS_KERNEL KBUILD_CFLAGS_KERNEL - export KBUILD_ARFLAGS - -+export PLUGINCC GCC_PLUGINS_CFLAGS GCC_PLUGINS_AFLAGS -+ - # When compiling out-of-tree modules, put MODVERDIR in the module - # tree rather than in the kernel tree. The kernel tree might - # even be read-only. -@@ -547,7 +551,7 @@ ifeq ($(KBUILD_EXTMOD),) +@@ -547,7 +549,7 @@ ifeq ($(KBUILD_EXTMOD),) # in parallel PHONY += scripts scripts: scripts_basic include/config/auto.conf include/config/tristate.conf \ @@ -440,23 +443,16 @@ index 90e4bd9..44d0d41 100644 $(Q)$(MAKE) $(build)=$(@) # Objects we will link into vmlinux / subdirs we need to visit -@@ -622,6 +626,15 @@ endif +@@ -622,6 +624,8 @@ endif # Tell gcc to never replace conditional load with a non-conditional one KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0) -+PHONY += gcc-plugins -+gcc-plugins: scripts_basic -+ifdef CONFIG_GCC_PLUGINS -+ $(Q)$(MAKE) $(build)=scripts/gcc-plugins -+endif -+ @: -+ +include scripts/Makefile.gcc-plugins + ifdef CONFIG_READABLE_ASM # Disable optimizations that make assembler listings hard to read. # reorder blocks reorders the control in the function -@@ -715,7 +728,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g) +@@ -715,7 +719,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g) else KBUILD_CFLAGS += -g endif @@ -465,7 +461,7 @@ index 90e4bd9..44d0d41 100644 endif ifdef CONFIG_DEBUG_INFO_DWARF4 KBUILD_CFLAGS += $(call cc-option, -gdwarf-4,) -@@ -887,7 +900,7 @@ export mod_sign_cmd +@@ -887,7 +891,7 @@ export mod_sign_cmd ifeq ($(KBUILD_EXTMOD),) 
@@ -474,7 +470,7 @@ index 90e4bd9..44d0d41 100644 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ -@@ -990,7 +1003,7 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ +@@ -990,7 +994,7 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ archprepare: archheaders archscripts prepare1 scripts_basic @@ -483,7 +479,7 @@ index 90e4bd9..44d0d41 100644 $(Q)$(MAKE) $(build)=. # All the preparing.. -@@ -1185,7 +1198,11 @@ MRPROPER_FILES += .config .config.old .version .old_version \ +@@ -1185,7 +1189,11 @@ MRPROPER_FILES += .config .config.old .version .old_version \ Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \ signing_key.pem signing_key.priv signing_key.x509 \
[gentoo-commits] proj/hardened-patchset:master commit in: 4.5.7/
commit: 4bff175b49380f941e6d1434a6ab0fb250b2e280 Author: Anthony G. Basile gentoo org> AuthorDate: Tue Jun 21 10:21:03 2016 + Commit: Anthony G. Basile gentoo org> CommitDate: Tue Jun 21 10:21:03 2016 + URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=4bff175b grsecurity-3.1-4.5.7-201606202152 4.5.7/_README | 2 +- ...> 4420_grsecurity-3.1-4.5.7-201606202152.patch} | 23 +++--- 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/4.5.7/_README b/4.5.7/_README index 7dd453b..068b4c9 100644 --- a/4.5.7/_README +++ b/4.5.7/_README @@ -2,7 +2,7 @@ README - Individual Patch Descriptions: - -Patch: 4420_grsecurity-3.1-4.5.7-201606142010.patch +Patch: 4420_grsecurity-3.1-4.5.7-201606202152.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606142010.patch b/4.5.7/4420_grsecurity-3.1-4.5.7-201606202152.patch similarity index 99% rename from 4.5.7/4420_grsecurity-3.1-4.5.7-201606142010.patch rename to 4.5.7/4420_grsecurity-3.1-4.5.7-201606202152.patch index b46e7cf..5ac1e8a 100644 --- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606142010.patch +++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606202152.patch @@ -115435,7 +115435,7 @@ index ec0e239..ab85b22 100644 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 000..f172760 +index 000..821601d --- /dev/null +++ b/grsecurity/Kconfig @@ -0,0 +1,1205 @@ 
@@ -115582,14 +115582,14 @@ index 000..f172760 +config GRKERNSEC_KSTACKOVERFLOW + bool "Prevent kernel stack overflows" + default y if GRKERNSEC_CONFIG_AUTO -+ depends on !IA64 && 64BIT ++ depends on X86_64 + help +If you say Y here, the kernel's process stacks will be allocated +with vmalloc instead of the kernel's default allocator. This +introduces guard pages that in combination with the alloca checking -+of the STACKLEAK feature prevents all forms of kernel process stack -+overflow abuse. Note that this is different from kernel stack -+buffer overflows. ++of the STACKLEAK feature and removal of thread_info from the kernel ++stack prevents all forms of kernel process stack overflow abuse. ++ Note that this is different from kernel stack buffer overflows. + +config GRKERNSEC_BRUTE + bool "Deter exploit bruteforcing" @@ -156888,7 +156888,7 @@ index f2280f7..c0a006f 100644 struct irlap_cb *self = (struct irlap_cb *) data; diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c -index fc3598a..03a184e 100644 +index fc3598a..03a184e3 100644 --- a/net/iucv/af_iucv.c +++ b/net/iucv/af_iucv.c @@ -685,10 +685,10 @@ static void __iucv_auto_name(struct iucv_sock *iucv) @@ -211999,7 +211999,7 @@ index 5105c2c..a5010e6 100644 extern struct key_type key_type_request_key_auth; extern struct key *request_key_auth_new(struct key *target, diff --git a/security/keys/key.c b/security/keys/key.c -index 09ef276..ab2894f 100644 +index 09ef276..357db79 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -283,7 +283,7 @@ struct key *key_alloc(struct key_type *type, const char *desc, @@ -212011,6 +212011,15 @@ index 09ef276..ab2894f 100644 key->index_key.type = type; key->user = user; key->quotalen = quotalen; +@@ -582,7 +582,7 @@ int key_reject_and_link(struct key *key, + + mutex_unlock(_construction_mutex); + +- if (keyring) ++ if (keyring && link_ret == 0) + __key_link_end(keyring, >index_key, edit); + + /* wake up anyone waiting for a key to be constructed */ 
@@ -1077,7 +1077,9 @@ int register_key_type(struct key_type *ktype) struct key_type *p; int ret;
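Review bot: The new `link_ret == 0` condition in key_reject_and_link() needs a comment, because nothing at the call site says why a non-NULL `keyring` is no longer sufficient to call `__key_link_end()`. As far as the hunk shows, the end-of-link step must run only when the earlier link setup succeeded, since `edit` would presumably not be valid otherwise. Suggested: `/* only finish the link if __key_link_begin() succeeded; edit is not valid otherwise */`. The assignment of `link_ret` and the declaration of `edit` are outside the hunk, so it is worth confirming that `edit` is also initialised at its declaration as a second line of defence.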
[gentoo-commits] proj/hardened-patchset:master commit in: 4.5.7/
commit: df5765ccf2fcc59e11b068e559e0528356afe44f Author: Anthony G. Basile gentoo org> AuthorDate: Wed Jun 15 18:56:10 2016 + Commit: Anthony G. Basile gentoo org> CommitDate: Wed Jun 15 18:56:10 2016 + URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=df5765cc grsecurity-3.1-4.5.7-201606142010 4.5.7/_README |2 +- ...> 4420_grsecurity-3.1-4.5.7-201606142010.patch} | 1324 2 files changed, 1056 insertions(+), 270 deletions(-) diff --git a/4.5.7/_README b/4.5.7/_README index 67f12a7..7dd453b 100644 --- a/4.5.7/_README +++ b/4.5.7/_README @@ -2,7 +2,7 @@ README - Individual Patch Descriptions: - -Patch: 4420_grsecurity-3.1-4.5.7-201606080852.patch +Patch: 4420_grsecurity-3.1-4.5.7-201606142010.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606080852.patch b/4.5.7/4420_grsecurity-3.1-4.5.7-201606142010.patch similarity index 99% rename from 4.5.7/4420_grsecurity-3.1-4.5.7-201606080852.patch rename to 4.5.7/4420_grsecurity-3.1-4.5.7-201606142010.patch index 65f5e28..b46e7cf 100644 --- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606080852.patch +++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606142010.patch 
@@ -3631,6 +3631,68 @@ index 549f6d3..909a9dc 100644 default y if ARM_ARCH_TIMER select GENERIC_TIME_VSYSCALL help +diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c +index 7d5f4c7..c6a0816 100644 +--- a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c +@@ -778,6 +778,7 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs) + u16 tinstr = 0; + int isize = 4; + int thumb2_32b = 0; ++ bool is_user_mode = user_mode(regs); + + if (interrupts_enabled(regs)) + local_irq_enable(); +@@ -786,14 +787,24 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs) + + if (thumb_mode(regs)) { + u16 *ptr = (u16 *)(instrptr & ~1); +- fault = probe_kernel_address(ptr, tinstr); ++ if (is_user_mode) { ++ pax_open_userland(); ++ fault = probe_kernel_address(ptr, tinstr); ++ pax_close_userland(); ++ } else ++ fault = probe_kernel_address(ptr, tinstr); + tinstr = __mem_to_opcode_thumb16(tinstr); + if (!fault) { + if (cpu_architecture() >= CPU_ARCH_ARMv7 && + IS_T32(tinstr)) { + /* Thumb-2 32-bit */ + u16 tinst2 = 0; +- fault = probe_kernel_address(ptr + 1, tinst2); ++ if (is_user_mode) { ++ pax_open_userland(); ++ fault = probe_kernel_address(ptr + 1, tinst2); ++ pax_close_userland(); ++ } else ++ fault = probe_kernel_address(ptr + 1, tinst2); + tinst2 = __mem_to_opcode_thumb16(tinst2); + instr = __opcode_thumb32_compose(tinstr, tinst2); + thumb2_32b = 1; +@@ -803,7 +814,12 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs) + } + } + } else { +- fault = probe_kernel_address((void *)instrptr, instr); ++ if (is_user_mode) { ++ pax_open_userland(); ++ fault = probe_kernel_address((void *)instrptr, instr); ++ pax_close_userland(); ++ } else ++ fault = probe_kernel_address((void *)instrptr, instr); + instr = __mem_to_opcode_arm(instr); + } + +@@ -812,7 +828,7 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs) + goto bad_or_fault; + } + +- if (user_mode(regs)) ++ if (is_user_mode) + goto 
user; + + ai_sys += 1; diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c index 9f9d542..5189649 100644 --- a/arch/arm/mm/cache-l2x0.c @@ -97446,6 +97508,123 @@ index 8580831..36166e5 100644 retval = sysfs_create_mount_point(kernel_kobj, "debug"); if (retval) return retval; +diff --git a/fs/ecryptfs/file.c b/fs/ecryptfs/file.c +index feef8a9..f024040 100644 +--- a/fs/ecryptfs/file.c b/fs/ecryptfs/file.c +@@ -112,7 +112,6 @@ static int ecryptfs_readdir(struct file *file, struct dir_context *ctx) + .sb =
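Review bot: The open/probe/close sequence around `probe_kernel_address()` is written out three times in do_alignment(), each with a duplicated, unbraced `else` branch, so every copy has to keep `pax_open_userland()` and `pax_close_userland()` balanced by hand. A single wrapper that opens the userland window only for user-mode faults would keep that pairing in one place and reduce each call site to one line. do_alignment() starts and ends outside the hunk, so the sketch shows only the wrapper and the three changed calls; the wrapper name is a suggestion.

```c
/* Fetch one instruction word; the userland window is opened only for user-mode faults. */
#define probe_insn(user, ptr, val)			\
({							\
	long __ret;					\
	if (user)					\
		pax_open_userland();			\
	__ret = probe_kernel_address(ptr, val);		\
	if (user)					\
		pax_close_userland();			\
	__ret;						\
})

	/* … unchanged: locals, irq enable, thumb_mode() check … */
		fault = probe_insn(is_user_mode, ptr, tinstr);
	/* … unchanged: Thumb-2 detection … */
			fault = probe_insn(is_user_mode, ptr + 1, tinst2);
	/* … unchanged: ARM-mode branch … */
		fault = probe_insn(is_user_mode, (void *)instrptr, instr);
```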