diff options
author | 2013-03-26 08:20:28 -0400 | |
---|---|---|
committer | 2013-03-26 08:20:28 -0400 | |
commit | eb7ca051b5fb2f7e3cb0d6af38eff0a1a83d391f (patch) | |
tree | 4fc9e5e0e4756ae939d212ace3a7ddc8140eee74 /2.6.32 | |
parent | Grsec/PaX: 2.9.1-{2.6.32.60,3.2.40,3.8.4}-201303231310 (diff) | |
download | hardened-patchset-eb7ca051b5fb2f7e3cb0d6af38eff0a1a83d391f.tar.gz hardened-patchset-eb7ca051b5fb2f7e3cb0d6af38eff0a1a83d391f.tar.bz2 hardened-patchset-eb7ca051b5fb2f7e3cb0d6af38eff0a1a83d391f.zip |
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.41,3.8.4}-20130325203120130325
Diffstat (limited to '2.6.32')
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303252031.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303231306.patch) | 214 |
2 files changed, 211 insertions, 5 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index aebc8a8..ad0b750 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch From: http://www.kernel.org Desc: Linux 2.6.32.59 -Patch: 4420_ +Patch: 4420_grsecurity-2.9.1-2.6.32.60-201303252031.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303231306.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303252031.patch index 27c8ee1..0b5fc75 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303231306.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303252031.patch @@ -76861,6 +76861,123 @@ index a6c8c6f..5cf8517 100644 set_fs(old_fs); kunmap(page); if (ret != len) +diff --git a/fs/cifs/asn1.c b/fs/cifs/asn1.c +index 20692fb..3b41113 100644 +--- a/fs/cifs/asn1.c ++++ b/fs/cifs/asn1.c +@@ -492,17 +492,13 @@ compare_oid(unsigned long *oid1, unsigned int oid1len, + + int + decode_negTokenInit(unsigned char *security_blob, int length, +- enum securityEnum *secType) ++ struct TCP_Server_Info *server) + { + struct asn1_ctx ctx; + unsigned char *end; + unsigned char *sequence_end; + unsigned long *oid = NULL; + unsigned int cls, con, tag, oidlen, rc; +- bool use_ntlmssp = false; +- bool use_kerberos = false; +- bool use_kerberosu2u = false; +- bool use_mskerberos = false; + + /* cifs_dump_mem(" Received SecBlob ", security_blob, length); */ + +@@ -604,20 +600,17 @@ decode_negTokenInit(unsigned char *security_blob, int length, + *(oid + 1), *(oid + 2), *(oid + 3))); + + if (compare_oid(oid, oidlen, MSKRB5_OID, +- MSKRB5_OID_LEN) && +- !use_mskerberos) +- use_mskerberos = true; ++ MSKRB5_OID_LEN)) ++ server->sec_mskerberos = true; + else if (compare_oid(oid, oidlen, KRB5U2U_OID, +- KRB5U2U_OID_LEN) && +- !use_kerberosu2u) +- use_kerberosu2u = true; ++ KRB5U2U_OID_LEN)) ++ server->sec_kerberosu2u = true; + else if (compare_oid(oid, oidlen, KRB5_OID, +- KRB5_OID_LEN) && +- !use_kerberos) +- use_kerberos = true; ++ KRB5_OID_LEN)) ++ server->sec_kerberos = true; + else if (compare_oid(oid, oidlen, NTLMSSP_OID, + NTLMSSP_OID_LEN)) +- use_ntlmssp = true; ++ server->sec_ntlmssp = true; + + kfree(oid); + } +@@ -626,60 +619,10 @@ decode_negTokenInit(unsigned char *security_blob, int length, + } + } + +- /* mechlistMIC */ +- if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) { +- /* Check if we have reached the end of the blob, but with +- no mechListMic (e.g. NTLMSSP instead of KRB5) */ +- if (ctx.error == ASN1_ERR_DEC_EMPTY) +- goto decode_negtoken_exit; +- cFYI(1, ("Error decoding last part negTokenInit exit3")); +- return 0; +- } else if ((cls != ASN1_CTX) || (con != ASN1_CON)) { +- /* tag = 3 indicating mechListMIC */ +- cFYI(1, ("Exit 4 cls = %d con = %d tag = %d end = %p (%d)", +- cls, con, tag, end, *end)); +- return 0; +- } +- +- /* sequence */ +- if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) { +- cFYI(1, ("Error decoding last part negTokenInit exit5")); +- return 0; +- } else if ((cls != ASN1_UNI) || (con != ASN1_CON) +- || (tag != ASN1_SEQ)) { +- cFYI(1, ("cls = %d con = %d tag = %d end = %p (%d)", +- cls, con, tag, end, *end)); +- } +- +- /* sequence of */ +- if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) { +- cFYI(1, ("Error decoding last part negTokenInit exit 7")); +- return 0; +- } else if ((cls != ASN1_CTX) || (con != ASN1_CON)) { +- cFYI(1, ("Exit 8 cls = %d con = %d tag = %d end = %p (%d)", +- cls, con, tag, end, *end)); +- return 0; +- } +- +- /* general string */ +- if (asn1_header_decode(&ctx, &end, &cls, &con, &tag) == 0) { +- cFYI(1, ("Error decoding last part negTokenInit exit9")); +- return 0; +- } else if ((cls != ASN1_UNI) || (con != ASN1_PRI) +- || (tag != ASN1_GENSTR)) { +- cFYI(1, ("Exit10 cls = %d con = %d tag = %d end = %p (%d)", +- cls, con, tag, end, *end)); +- return 0; +- } +- cFYI(1, ("Need to call asn1_octets_decode() function for %s", +- ctx.pointer)); /* is this UTF-8 or ASCII? */ +-decode_negtoken_exit: +- if (use_kerberos) +- *secType = Kerberos; +- else if (use_mskerberos) +- *secType = MSKerberos; +- else if (use_ntlmssp) +- *secType = RawNTLMSSP; +- ++ /* ++ * We currently ignore anything at the end of the SPNEGO blob after ++ * the mechTypes have been parsed, since none of that info is ++ * used at the moment. ++ */ + return 1; + } diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c index 42cec2a..2aba466 100644 --- a/fs/cifs/cifs_debug.c @@ -76972,6 +77089,22 @@ index 42cec2a..2aba466 100644 } } } +diff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c +index 8ec7736..691f70a 100644 +--- a/fs/cifs/cifs_spnego.c ++++ b/fs/cifs/cifs_spnego.c +@@ -132,9 +132,9 @@ cifs_get_spnego_key(struct cifsSesInfo *sesInfo) + dp = description + strlen(description); + + /* for now, only sec=krb5 and sec=mskrb5 are valid */ +- if (server->secType == Kerberos) ++ if (server->sec_kerberos) + sprintf(dp, ";sec=krb5"); +- else if (server->secType == MSKerberos) ++ else if (server->sec_mskerberos) + sprintf(dp, ";sec=mskrb5"); + else + goto out; diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c index 1445407..68cb0dc 100644 --- a/fs/cifs/cifsfs.c @@ -77006,10 +77139,30 @@ index 1445407..68cb0dc 100644 atomic_set(&midCount, 0); diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h -index e29581e..1c22bab 100644 +index e29581e..cb1cb71 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h -@@ -252,28 +252,28 @@ struct cifsTconInfo { +@@ -86,7 +86,6 @@ enum securityEnum { + RawNTLMSSP, /* NTLMSSP without SPNEGO, NTLMv2 hash */ + /* NTLMSSP, */ /* can use rawNTLMSSP instead of NTLMSSP via SPNEGO */ + Kerberos, /* Kerberos via SPNEGO */ +- MSKerberos, /* MS Kerberos via SPNEGO */ + }; + + enum protocolEnum { +@@ -183,6 +182,11 @@ struct TCP_Server_Info { + struct mac_key mac_signing_key; + char ntlmv2_hash[16]; + unsigned long lstrp; /* when we got last response from this server */ ++ /* extended security flavors that server supports */ ++ bool sec_kerberos; /* supports plain Kerberos */ ++ bool sec_mskerberos; /* supports legacy MS Kerberos */ ++ bool sec_kerberosu2u; /* supports U2U Kerberos */ ++ bool sec_ntlmssp; /* supports NTLMSSP */ + }; + + /* +@@ -252,28 +256,28 @@ struct cifsTconInfo { __u16 Flags; /* optional support bits */ enum statusEnum tidStatus; #ifdef CONFIG_CIFS_STATS @@ -77060,7 +77213,7 @@ index e29581e..1c22bab 100644 #ifdef CONFIG_CIFS_STATS2 unsigned long long time_writes; unsigned long long time_reads; -@@ -414,7 +414,7 @@ static inline char CIFS_DIR_SEP(const struct cifs_sb_info *cifs_sb) +@@ -414,7 +418,7 @@ static inline char CIFS_DIR_SEP(const struct cifs_sb_info *cifs_sb) } #ifdef CONFIG_CIFS_STATS @@ -77069,7 +77222,7 @@ index e29581e..1c22bab 100644 static inline void cifs_stats_bytes_written(struct cifsTconInfo *tcon, unsigned int bytes) -@@ -701,8 +701,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnectCount; +@@ -701,8 +705,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnectCount; /* Various Debug counters */ GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */ #ifdef CONFIG_CIFS_STATS2 @@ -77080,6 +77233,46 @@ index e29581e..1c22bab 100644 #endif GLOBAL_EXTERN atomic_t smBufAllocCount; GLOBAL_EXTERN atomic_t midCount; +diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h +index 76d9f64..ff7f42f 100644 +--- a/fs/cifs/cifsproto.h ++++ b/fs/cifs/cifsproto.h +@@ -73,7 +73,7 @@ extern struct cifsFileInfo *find_readable_file(struct cifsInodeInfo *); + extern unsigned int smbCalcSize(struct smb_hdr *ptr); + extern unsigned int smbCalcSize_LE(struct smb_hdr *ptr); + extern int decode_negTokenInit(unsigned char *security_blob, int length, +- enum securityEnum *secType); ++ struct TCP_Server_Info *server); + extern int cifs_convert_address(char *src, void *dst); + extern int map_smb_to_linux_error(struct smb_hdr *smb, int logErr); + extern void header_assemble(struct smb_hdr *, char /* command */ , +diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c +index 665b128..a8642cb 100644 +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -596,13 +596,19 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses) + server->secType = RawNTLMSSP; + } else { + rc = decode_negTokenInit(pSMBr->u.extended_response. +- SecurityBlob, +- count - 16, +- &server->secType); ++ SecurityBlob, count - 16, ++ server); + if (rc == 1) + rc = 0; + else + rc = -EINVAL; ++ ++ if (server->sec_kerberos || server->sec_mskerberos) ++ server->secType = Kerberos; ++ else if (server->sec_ntlmssp) ++ server->secType = RawNTLMSSP; ++ else ++ rc = -EOPNOTSUPP; + } + } else + server->capabilities &= ~CAP_EXTENDED_SECURITY; diff --git a/fs/cifs/link.c b/fs/cifs/link.c index fc1e048..28b3441 100644 --- a/fs/cifs/link.c @@ -77140,6 +77333,19 @@ index f5618f8..fd7b4d0 100644 } dentry = d_alloc(parent, name); +diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c +index 20ae71b..77b3c35 100644 +--- a/fs/cifs/sess.c ++++ b/fs/cifs/sess.c +@@ -736,7 +736,7 @@ ssetup_ntlmssp_authenticate: + unicode_ssetup_strings(&bcc_ptr, ses, nls_cp); + } else + ascii_ssetup_strings(&bcc_ptr, ses, nls_cp); +- } else if (type == Kerberos || type == MSKerberos) { ++ } else if (type == Kerberos) { + #ifdef CONFIG_CIFS_UPCALL + struct cifs_spnego_msg *msg; + spnego_key = cifs_get_spnego_key(ses); diff --git a/fs/coda/cache.c b/fs/coda/cache.c index a5bf577..6d19845 100644 --- a/fs/coda/cache.c |