Grsec/PaX: 2.9.1-{2.6.32.59,3.2.28,3.5.2}-20120824194320120824

2 files changed, 76 insertions, 3 deletions

diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 24bc841..9c19fa1 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -30,7 +30,7 @@ Patch:	1058_linux-2.6.32.59.patch
 From:	http://www.kernel.org
 Desc:	Linux 2.6.32.59
 
-Patch:	4420_grsecurity-2.9.1-2.6.32.59-201208222030.patch
+Patch:	4420_grsecurity-2.9.1-2.6.32.59-201208232048.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208222030.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208232048.patch
index a4b7131..da02455 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208222030.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208232048.patch
@@ -55117,6 +55117,23 @@ index b38d3b7..b1cff23 100644
  	{ 				/* Sometime a Level-One switch card. */
  	  "Winbond W89c840",	CanHaveMII | HasBrokenTx | FDXOnNoMII},
  	{ "Winbond W89c840",	CanHaveMII | HasBrokenTx},
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 0f77aca..a69420d 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1121,9 +1121,11 @@ static long tun_chr_ioctl(struct file *file, unsigned int cmd,
+ 	int sndbuf;
+ 	int ret;
+ 
+-	if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89)
++	if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) {
+ 		if (copy_from_user(&ifr, argp, sizeof ifr))
+ 			return -EFAULT;
++	} else
++		memset(&ifr, 0, sizeof(ifr));
+ 
+ 	if (cmd == TUNGETFEATURES) {
+ 		/* Currently this just means: "what IFF flags are valid?".
 diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
 index f450bc9..2b747c8 100644
 --- a/drivers/net/usb/hso.c
@@ -72050,6 +72067,18 @@ index 6c75110..19d2c3c 100644
  		error = -EFAULT;
  
  	return error;
+diff --git a/fs/isofs/export.c b/fs/isofs/export.c
+index e81a305..caec670 100644
+--- a/fs/isofs/export.c
++++ b/fs/isofs/export.c
+@@ -131,6 +131,7 @@ isofs_export_encode_fh(struct dentry *dentry,
+ 	len = 3;
+ 	fh32[0] = ei->i_iget5_block;
+  	fh16[2] = (__u16)ei->i_iget5_offset;  /* fh16 [sic] */
++	fh16[3] = 0;  /* avoid leaking uninitialized data */
+ 	fh32[2] = inode->i_generation;
+ 	if (connectable && !S_ISDIR(inode->i_mode)) {
+ 		struct inode *parent;
 diff --git a/fs/jbd/checkpoint.c b/fs/jbd/checkpoint.c
 index b0435dd..81ee0be 100644
 --- a/fs/jbd/checkpoint.c
@@ -75925,6 +75954,18 @@ index 9215700..bf1f68e 100644
  	u8 checksum = 0;
  	int i;
  	for (i = 0; i < sizeof(struct tag); ++i)
+diff --git a/fs/udf/namei.c b/fs/udf/namei.c
+index 21dad8c..b754151 100644
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -1331,6 +1331,7 @@ static int udf_encode_fh(struct dentry *de, __u32 *fh, int *lenp,
+ 	*lenp = 3;
+ 	fid->udf.block = location.logicalBlockNum;
+ 	fid->udf.partref = location.partitionReferenceNum;
++	fid->udf.parent_partref = 0;
+ 	fid->udf.generation = inode->i_generation;
+ 
+ 	if (connectable && !S_ISDIR(inode->i_mode)) {
 diff --git a/fs/udf/super.c b/fs/udf/super.c
 index ee6b3af..ab17bcd 100644
 --- a/fs/udf/super.c
@@ -91431,6 +91472,18 @@ index 0000000..3891139
 +int do_syslog(int type, char __user *buf, int count, bool from_file);
 +
 +#endif /* _LINUX_SYSLOG_H */
+diff --git a/include/linux/tfrc.h b/include/linux/tfrc.h
+index 8a8462b..097fe78 100644
+--- a/include/linux/tfrc.h
++++ b/include/linux/tfrc.h
+@@ -50,6 +50,7 @@ struct tfrc_tx_info {
+ 	__u32 tfrctx_p;
+ 	__u32 tfrctx_rto;
+ 	__u32 tfrctx_ipi;
++	__u32 padding;
+ };
+ 
+ #endif /* _LINUX_TFRC_H_ */
 diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
 index a8cc4e1..98d3b85 100644
 --- a/include/linux/thread_info.h
@@ -103710,6 +103763,18 @@ index facedd2..ab260b0 100644
  		rc = ccid->ccid_ops->ccid_hc_tx_getsockopt(sk, optname, len,
  						 optval, optlen);
  	return rc;
+diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
+index 34dcc79..ca75875 100644
+--- a/net/dccp/ccids/ccid3.c
++++ b/net/dccp/ccids/ccid3.c
+@@ -618,6 +618,7 @@ static int ccid3_hc_tx_getsockopt(struct sock *sk, const int optname, int len,
+ 			return -EINVAL;
+ 		len = sizeof(hctx->ccid3hctx_tfrc);
+ 		val = &hctx->ccid3hctx_tfrc;
++		hctx->ccid3hctx_tfrc.padding = 0;
+ 		break;
+ 	default:
+ 		return -ENOPROTOOPT;
 diff --git a/net/decnet/sysctl_net_decnet.c b/net/decnet/sysctl_net_decnet.c
 index 2036568..c55883d 100644
 --- a/net/decnet/sysctl_net_decnet.c
@@ -107019,7 +107084,7 @@ index cb81ca3..e15d49a 100644
  					goto restart;
  				}
 diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
-index b95a2d6..85c4d78 100644
+index b95a2d6..53a422d 100644
 --- a/net/xfrm/xfrm_user.c
 +++ b/net/xfrm/xfrm_user.c
 @@ -1169,6 +1169,8 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
@@ -107031,7 +107096,15 @@ index b95a2d6..85c4d78 100644
  	if (xp->xfrm_nr == 0)
  		return 0;
  
-@@ -1784,6 +1786,8 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
+@@ -1176,6 +1178,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
+ 		struct xfrm_user_tmpl *up = &vec[i];
+ 		struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
+ 
++		memset(up, 0, sizeof(*up));
+ 		memcpy(&up->id, &kp->id, sizeof(up->id));
+ 		up->family = kp->encap_family;
+ 		memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));
+@@ -1784,6 +1787,8 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
  	int err;
  	int n = 0;