Grsec/PaX: 3.0-{3.2.58,3.14.3}-20140509233720140509

2 files changed, 50 insertions, 4 deletions

diff --git a/3.2.58/0000_README b/3.2.58/0000_README
index f10476b..df97a0f 100644
--- a/3.2.58/0000_README
+++ b/3.2.58/0000_README
@@ -150,7 +150,7 @@ Patch:	1057_linux-3.2.58.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.2.58
 
-Patch:	4420_grsecurity-3.0-3.2.58-201405061705.patch
+Patch:	4420_grsecurity-3.0-3.2.58-201405092334.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.2.58/4420_grsecurity-3.0-3.2.58-201405061705.patch b/3.2.58/4420_grsecurity-3.0-3.2.58-201405092334.patch
index fab7860..4f95c38 100644
--- a/3.2.58/4420_grsecurity-3.0-3.2.58-201405061705.patch
+++ b/3.2.58/4420_grsecurity-3.0-3.2.58-201405092334.patch
@@ -34158,6 +34158,44 @@ index 13cbdd3..d374957 100644
  
  static struct asender_cmd *get_asender_cmd(int cmd)
  {
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 7a90d4a..6d0f3e1 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3060,7 +3060,10 @@ static int raw_cmd_copyout(int cmd, void __user *param,
+ 	int ret;
+ 
+ 	while (ptr) {
+-		ret = copy_to_user(param, ptr, sizeof(*ptr));
++		struct floppy_raw_cmd cmd = *ptr;
++		cmd.next = NULL;
++		cmd.kernel_data = NULL;
++		ret = copy_to_user(param, &cmd, sizeof(cmd));
+ 		if (ret)
+ 			return -EFAULT;
+ 		param += sizeof(struct floppy_raw_cmd);
+@@ -3114,10 +3117,11 @@ loop:
+ 		return -ENOMEM;
+ 	*rcmd = ptr;
+ 	ret = copy_from_user(ptr, param, sizeof(*ptr));
+-	if (ret)
+-		return -EFAULT;
+ 	ptr->next = NULL;
+ 	ptr->buffer_length = 0;
++	ptr->kernel_data = NULL;
++	if (ret)
++		return -EFAULT;
+ 	param += sizeof(struct floppy_raw_cmd);
+ 	if (ptr->cmd_count > 33)
+ 			/* the command may now also take up the space
+@@ -3133,7 +3137,6 @@ loop:
+ 	for (i = 0; i < 16; i++)
+ 		ptr->reply[i] = 0;
+ 	ptr->resultcode = 0;
+-	ptr->kernel_data = NULL;
+ 
+ 	if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
+ 		if (ptr->length <= 0)
 diff --git a/drivers/block/loop.c b/drivers/block/loop.c
 index d659135..45fe633 100644
 --- a/drivers/block/loop.c
@@ -34367,10 +34405,18 @@ index a48e05b..6bac831 100644
  			kfree(usegment);
  			kfree(ksegment);
 diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c
-index 2e04433..771f2cc 100644
+index 2e04433..3b8afe7 100644
 --- a/drivers/char/agp/frontend.c
 +++ b/drivers/char/agp/frontend.c
-@@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
+@@ -729,6 +729,7 @@ static int agpioc_info_wrap(struct agp_file_private *priv, void __user *arg)
+ 
+ 	agp_copy_info(agp_bridge, &kerninfo);
+ 
++	memset(&userinfo, 0, sizeof(userinfo));
+ 	userinfo.version.major = kerninfo.version.major;
+ 	userinfo.version.minor = kerninfo.version.minor;
+ 	userinfo.bridge_id = kerninfo.device->vendor |
+@@ -817,7 +818,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
  	if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
  		return -EFAULT;
  
@@ -34379,7 +34425,7 @@ index 2e04433..771f2cc 100644
  		return -EFAULT;
  
  	client = agp_find_client_by_pid(reserve.pid);
-@@ -847,7 +847,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
+@@ -847,7 +848,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
  		if (segment == NULL)
  			return -ENOMEM;