Grsec/PaX: 2.2.2-2.6.32.45-201108211939 2.2.2-2.6.39.4-20110821193920110821

author: Anthony G. Basile <blueness@gentoo.org> 2011-08-24 05:02:02 -0400
committer: Anthony G. Basile <blueness@gentoo.org> 2011-08-24 05:02:02 -0400
commit: 22102caf72a2ba344bc84da64f789414179259fa (patch)
tree: ffcf21e5b7d594dcfdac60956108b18ae9d756cb
parent: Grsec/PaX: 2.2.2-2.6.32.45-201108192305 + 2.2.2-2.6.39.4-201108192305 (diff)
download: hardened-patchset-22102caf72a2ba344bc84da64f789414179259fa.tar.gz
hardened-patchset-22102caf72a2ba344bc84da64f789414179259fa.tar.bz2
hardened-patchset-22102caf72a2ba344bc84da64f789414179259fa.zip
4 files changed, 272 insertions, 36 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index f4bf114..e5ee171 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -11,7 +11,7 @@ Patch:	1044_linux-2.6.32.45.patch
 From:	http://www.kernel.org
 Desc:	Linux 2.6.39.45
 
-Patch:	4420_grsecurity-2.2.2-2.6.32.45-201108192305.patch
+Patch:	4420_grsecurity-2.2.2-2.6.32.45-201108211939.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.45-201108192305.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.45-201108211939.patch
index 26eb4f1..78cefe3 100644
--- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.45-201108192305.patch
+++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.45-201108211939.patch
@@ -1484,6 +1484,19 @@ diff -urNp linux-2.6.32.45/arch/mips/include/asm/page.h linux-2.6.32.45/arch/mip
    #else
       typedef struct { unsigned long long pte; } pte_t;
       #define pte_val(x)	((x).pte)
+diff -urNp linux-2.6.32.45/arch/mips/include/asm/reboot.h linux-2.6.32.45/arch/mips/include/asm/reboot.h
+--- linux-2.6.32.45/arch/mips/include/asm/reboot.h	2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.45/arch/mips/include/asm/reboot.h	2011-08-21 17:35:02.000000000 -0400
+@@ -9,7 +9,7 @@
+ #ifndef _ASM_REBOOT_H
+ #define _ASM_REBOOT_H
+ 
+-extern void (*_machine_restart)(char *command);
+-extern void (*_machine_halt)(void);
++extern void (*__noreturn _machine_restart)(char *command);
++extern void (*__noreturn _machine_halt)(void);
+ 
+ #endif /* _ASM_REBOOT_H */
 diff -urNp linux-2.6.32.45/arch/mips/include/asm/system.h linux-2.6.32.45/arch/mips/include/asm/system.h
 --- linux-2.6.32.45/arch/mips/include/asm/system.h	2011-03-27 14:31:47.000000000 -0400
 +++ linux-2.6.32.45/arch/mips/include/asm/system.h	2011-04-17 15:56:45.000000000 -0400
@@ -1559,6 +1572,40 @@ diff -urNp linux-2.6.32.45/arch/mips/kernel/process.c linux-2.6.32.45/arch/mips/
 -
 -	return sp & ALMASK;
 -}
+diff -urNp linux-2.6.32.45/arch/mips/kernel/reset.c linux-2.6.32.45/arch/mips/kernel/reset.c
+--- linux-2.6.32.45/arch/mips/kernel/reset.c	2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.45/arch/mips/kernel/reset.c	2011-08-21 17:35:26.000000000 -0400
+@@ -19,8 +19,8 @@
+  * So handle all using function pointers to machine specific
+  * functions.
+  */
+-void (*_machine_restart)(char *command);
+-void (*_machine_halt)(void);
++void (*__noreturn _machine_restart)(char *command);
++void (*__noreturn _machine_halt)(void);
+ void (*pm_power_off)(void);
+ 
+ EXPORT_SYMBOL(pm_power_off);
+@@ -29,16 +29,19 @@ void machine_restart(char *command)
+ {
+ 	if (_machine_restart)
+ 		_machine_restart(command);
++	BUG();
+ }
+ 
+ void machine_halt(void)
+ {
+ 	if (_machine_halt)
+ 		_machine_halt();
++	BUG();
+ }
+ 
+ void machine_power_off(void)
+ {
+ 	if (pm_power_off)
+ 		pm_power_off();
++	BUG();
+ }
 diff -urNp linux-2.6.32.45/arch/mips/kernel/syscall.c linux-2.6.32.45/arch/mips/kernel/syscall.c
 --- linux-2.6.32.45/arch/mips/kernel/syscall.c	2011-03-27 14:31:47.000000000 -0400
 +++ linux-2.6.32.45/arch/mips/kernel/syscall.c	2011-04-17 15:56:45.000000000 -0400
@@ -1596,6 +1643,18 @@ diff -urNp linux-2.6.32.45/arch/mips/kernel/syscall.c linux-2.6.32.45/arch/mips/
  			return addr;
  		addr = vmm->vm_end;
  		if (do_color_align)
+diff -urNp linux-2.6.32.45/arch/mips/Makefile linux-2.6.32.45/arch/mips/Makefile
+--- linux-2.6.32.45/arch/mips/Makefile	2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.45/arch/mips/Makefile	2011-08-21 19:26:52.000000000 -0400
+@@ -51,6 +51,8 @@ endif
+ cflags-y := -ffunction-sections
+ cflags-y += $(call cc-option, -mno-check-zero-division)
+ 
++cflags-y += -Wno-sign-compare -Wno-extra
++
+ ifdef CONFIG_32BIT
+ ld-emul			= $(32bit-emul)
+ vmlinux-32		= vmlinux
 diff -urNp linux-2.6.32.45/arch/mips/mm/fault.c linux-2.6.32.45/arch/mips/mm/fault.c
 --- linux-2.6.32.45/arch/mips/mm/fault.c	2011-03-27 14:31:47.000000000 -0400
 +++ linux-2.6.32.45/arch/mips/mm/fault.c	2011-04-17 15:56:45.000000000 -0400
@@ -2146,7 +2205,7 @@ diff -urNp linux-2.6.32.45/arch/powerpc/include/asm/page_64.h linux-2.6.32.45/ar
  
 diff -urNp linux-2.6.32.45/arch/powerpc/include/asm/page.h linux-2.6.32.45/arch/powerpc/include/asm/page.h
 --- linux-2.6.32.45/arch/powerpc/include/asm/page.h	2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.45/arch/powerpc/include/asm/page.h	2011-04-17 15:56:45.000000000 -0400
++++ linux-2.6.32.45/arch/powerpc/include/asm/page.h	2011-08-21 16:07:39.000000000 -0400
 @@ -116,8 +116,9 @@ extern phys_addr_t kernstart_addr;
   * and needs to be executable.  This means the whole heap ends
   * up being executable.
@@ -2205,6 +2264,18 @@ diff -urNp linux-2.6.32.45/arch/powerpc/include/asm/pte-hash32.h linux-2.6.32.45
  #define _PAGE_COHERENT	0x010	/* M: enforce memory coherence (SMP systems) */
  #define _PAGE_NO_CACHE	0x020	/* I: cache inhibit */
  #define _PAGE_WRITETHRU	0x040	/* W: cache write-through */
+diff -urNp linux-2.6.32.45/arch/powerpc/include/asm/ptrace.h linux-2.6.32.45/arch/powerpc/include/asm/ptrace.h
+--- linux-2.6.32.45/arch/powerpc/include/asm/ptrace.h	2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.45/arch/powerpc/include/asm/ptrace.h	2011-08-21 15:53:58.000000000 -0400
+@@ -103,7 +103,7 @@ extern unsigned long profile_pc(struct p
+ 	} while(0)
+ 
+ struct task_struct;
+-extern unsigned long ptrace_get_reg(struct task_struct *task, int regno);
++extern unsigned long ptrace_get_reg(struct task_struct *task, unsigned int regno);
+ extern int ptrace_put_reg(struct task_struct *task, int regno,
+ 			  unsigned long data);
+ 
 diff -urNp linux-2.6.32.45/arch/powerpc/include/asm/reg.h linux-2.6.32.45/arch/powerpc/include/asm/reg.h
 --- linux-2.6.32.45/arch/powerpc/include/asm/reg.h	2011-03-27 14:31:47.000000000 -0400
 +++ linux-2.6.32.45/arch/powerpc/include/asm/reg.h	2011-04-17 15:56:45.000000000 -0400
@@ -2727,6 +2798,27 @@ diff -urNp linux-2.6.32.45/arch/powerpc/kernel/process.c linux-2.6.32.45/arch/po
 -
 -	return ret;
 -}
+diff -urNp linux-2.6.32.45/arch/powerpc/kernel/ptrace.c linux-2.6.32.45/arch/powerpc/kernel/ptrace.c
+--- linux-2.6.32.45/arch/powerpc/kernel/ptrace.c	2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.45/arch/powerpc/kernel/ptrace.c	2011-08-21 15:53:39.000000000 -0400
+@@ -86,7 +86,7 @@ static int set_user_trap(struct task_str
+ /*
+  * Get contents of register REGNO in task TASK.
+  */
+-unsigned long ptrace_get_reg(struct task_struct *task, int regno)
++unsigned long ptrace_get_reg(struct task_struct *task, unsigned int regno)
+ {
+ 	if (task->thread.regs == NULL)
+ 		return -EIO;
+@@ -894,7 +894,7 @@ long arch_ptrace(struct task_struct *chi
+ 
+ 		CHECK_FULL_REGS(child->thread.regs);
+ 		if (index < PT_FPR0) {
+-			tmp = ptrace_get_reg(child, (int) index);
++			tmp = ptrace_get_reg(child, index);
+ 		} else {
+ 			flush_fp_to_thread(child);
+ 			tmp = ((unsigned long *)child->thread.fpr)
 diff -urNp linux-2.6.32.45/arch/powerpc/kernel/signal_32.c linux-2.6.32.45/arch/powerpc/kernel/signal_32.c
 --- linux-2.6.32.45/arch/powerpc/kernel/signal_32.c	2011-03-27 14:31:47.000000000 -0400
 +++ linux-2.6.32.45/arch/powerpc/kernel/signal_32.c	2011-04-17 15:56:45.000000000 -0400
@@ -2876,6 +2968,18 @@ diff -urNp linux-2.6.32.45/arch/powerpc/lib/usercopy_64.c linux-2.6.32.45/arch/p
 -EXPORT_SYMBOL(copy_to_user);
  EXPORT_SYMBOL(copy_in_user);
  
+diff -urNp linux-2.6.32.45/arch/powerpc/Makefile linux-2.6.32.45/arch/powerpc/Makefile
+--- linux-2.6.32.45/arch/powerpc/Makefile	2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.45/arch/powerpc/Makefile	2011-08-21 19:27:08.000000000 -0400
+@@ -74,6 +74,8 @@ KBUILD_AFLAGS	+= -Iarch/$(ARCH)
+ KBUILD_CFLAGS	+= -msoft-float -pipe -Iarch/$(ARCH) $(CFLAGS-y)
+ CPP		= $(CC) -E $(KBUILD_CFLAGS)
+ 
++cflags-y += -Wno-sign-compare -Wno-extra
++
+ CHECKFLAGS	+= -m$(CONFIG_WORD_SIZE) -D__powerpc__ -D__powerpc$(CONFIG_WORD_SIZE)__
+ 
+ ifeq ($(CONFIG_PPC64),y)
 diff -urNp linux-2.6.32.45/arch/powerpc/mm/fault.c linux-2.6.32.45/arch/powerpc/mm/fault.c
 --- linux-2.6.32.45/arch/powerpc/mm/fault.c	2011-03-27 14:31:47.000000000 -0400
 +++ linux-2.6.32.45/arch/powerpc/mm/fault.c	2011-04-17 15:56:45.000000000 -0400
@@ -2983,6 +3087,18 @@ diff -urNp linux-2.6.32.45/arch/powerpc/mm/fault.c linux-2.6.32.45/arch/powerpc/
  		_exception(SIGSEGV, regs, code, address);
  		return 0;
  	}
+diff -urNp linux-2.6.32.45/arch/powerpc/mm/mem.c linux-2.6.32.45/arch/powerpc/mm/mem.c
+--- linux-2.6.32.45/arch/powerpc/mm/mem.c	2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.45/arch/powerpc/mm/mem.c	2011-08-21 15:50:39.000000000 -0400
+@@ -250,7 +250,7 @@ static int __init mark_nonram_nosave(voi
+ {
+ 	unsigned long lmb_next_region_start_pfn,
+ 		      lmb_region_max_pfn;
+-	int i;
++	unsigned int i;
+ 
+ 	for (i = 0; i < lmb.memory.cnt - 1; i++) {
+ 		lmb_region_max_pfn =
 diff -urNp linux-2.6.32.45/arch/powerpc/mm/mmap_64.c linux-2.6.32.45/arch/powerpc/mm/mmap_64.c
 --- linux-2.6.32.45/arch/powerpc/mm/mmap_64.c	2011-03-27 14:31:47.000000000 -0400
 +++ linux-2.6.32.45/arch/powerpc/mm/mmap_64.c	2011-04-17 15:56:45.000000000 -0400
@@ -24064,7 +24180,7 @@ diff -urNp linux-2.6.32.45/crypto/serpent.c linux-2.6.32.45/crypto/serpent.c
  	for (i = 0; i < keylen; ++i)
 diff -urNp linux-2.6.32.45/Documentation/dontdiff linux-2.6.32.45/Documentation/dontdiff
 --- linux-2.6.32.45/Documentation/dontdiff	2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.45/Documentation/dontdiff	2011-05-18 20:09:36.000000000 -0400
++++ linux-2.6.32.45/Documentation/dontdiff	2011-08-21 18:59:02.000000000 -0400
 @@ -1,13 +1,16 @@
  *.a
  *.aux
@@ -24122,7 +24238,14 @@ diff -urNp linux-2.6.32.45/Documentation/dontdiff linux-2.6.32.45/Documentation/
  comp*.log
  compile.h*
  conf
-@@ -103,13 +117,14 @@ gen_crc32table
+@@ -97,19 +111,21 @@ elfconfig.h*
+ fixdep
+ fore200e_mkfirm
+ fore200e_pca_fw.c*
++gate.lds
+ gconf
+ gen-devlist
+ gen_crc32table
  gen_init_cpio
  genksyms
  *_gray256.c
@@ -24138,7 +24261,7 @@ diff -urNp linux-2.6.32.45/Documentation/dontdiff linux-2.6.32.45/Documentation/
  keywords.c
  ksym.c*
  ksym.h*
-@@ -133,7 +148,9 @@ mkboot
+@@ -133,7 +149,9 @@ mkboot
  mkbugboot
  mkcpustr
  mkdep
@@ -24148,7 +24271,7 @@ diff -urNp linux-2.6.32.45/Documentation/dontdiff linux-2.6.32.45/Documentation/
  mktables
  mktree
  modpost
-@@ -149,6 +166,7 @@ patches*
+@@ -149,6 +167,7 @@ patches*
  pca200e.bin
  pca200e_ecd.bin2
  piggy.gz
@@ -24156,7 +24279,7 @@ diff -urNp linux-2.6.32.45/Documentation/dontdiff linux-2.6.32.45/Documentation/
  piggyback
  pnmtologo
  ppc_defs.h*
-@@ -157,12 +175,15 @@ qconf
+@@ -157,12 +176,15 @@ qconf
  raid6altivec*.c
  raid6int*.c
  raid6tables.c
@@ -24172,7 +24295,7 @@ diff -urNp linux-2.6.32.45/Documentation/dontdiff linux-2.6.32.45/Documentation/
  sm_tbl*
  split-include
  syscalltab.h
-@@ -186,14 +207,20 @@ version.h*
+@@ -186,14 +208,20 @@ version.h*
  vmlinux
  vmlinux-*
  vmlinux.aout
@@ -56645,8 +56768,8 @@ diff -urNp linux-2.6.32.45/grsecurity/Kconfig linux-2.6.32.45/grsecurity/Kconfig
 +endmenu
 diff -urNp linux-2.6.32.45/grsecurity/Makefile linux-2.6.32.45/grsecurity/Makefile
 --- linux-2.6.32.45/grsecurity/Makefile	1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.45/grsecurity/Makefile	2011-08-17 19:02:41.000000000 -0400
-@@ -0,0 +1,33 @@
++++ linux-2.6.32.45/grsecurity/Makefile	2011-08-21 18:54:34.000000000 -0400
+@@ -0,0 +1,34 @@
 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
 +# during 2001-2009 it has been completely redesigned by Brad Spengler
 +# into an RBAC system
@@ -56665,7 +56788,8 @@ diff -urNp linux-2.6.32.45/grsecurity/Makefile linux-2.6.32.45/grsecurity/Makefi
 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
 +
 +ifdef CONFIG_NET
-+obj-$(CONFIG_GRKERNSEC) += gracl_ip.o grsec_sock.o
++obj-y += grsec_sock.o
++obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
 +endif
 +
 +ifndef CONFIG_GRKERNSEC
@@ -56993,6 +57117,23 @@ diff -urNp linux-2.6.32.45/include/asm-generic/atomic-long.h linux-2.6.32.45/inc
 +#endif
 +
  #endif  /*  _ASM_GENERIC_ATOMIC_LONG_H  */
+diff -urNp linux-2.6.32.45/include/asm-generic/bug.h linux-2.6.32.45/include/asm-generic/bug.h
+--- linux-2.6.32.45/include/asm-generic/bug.h	2011-07-13 17:23:04.000000000 -0400
++++ linux-2.6.32.45/include/asm-generic/bug.h	2011-08-21 17:56:07.000000000 -0400
+@@ -105,11 +105,11 @@ extern void warn_slowpath_null(const cha
+ 
+ #else /* !CONFIG_BUG */
+ #ifndef HAVE_ARCH_BUG
+-#define BUG() do {} while(0)
++#define BUG() do { for (;;) ; } while(0)
+ #endif
+ 
+ #ifndef HAVE_ARCH_BUG_ON
+-#define BUG_ON(condition) do { if (condition) ; } while(0)
++#define BUG_ON(condition) do { if (condition) for (;;) ; } while(0)
+ #endif
+ 
+ #ifndef HAVE_ARCH_WARN_ON
 diff -urNp linux-2.6.32.45/include/asm-generic/cache.h linux-2.6.32.45/include/asm-generic/cache.h
 --- linux-2.6.32.45/include/asm-generic/cache.h	2011-03-27 14:31:47.000000000 -0400
 +++ linux-2.6.32.45/include/asm-generic/cache.h	2011-07-06 19:53:33.000000000 -0400
@@ -57117,6 +57258,18 @@ diff -urNp linux-2.6.32.45/include/asm-generic/dma-mapping-common.h linux-2.6.32
  
  	BUG_ON(!valid_dma_direction(dir));
  	if (ops->sync_sg_for_device)
+diff -urNp linux-2.6.32.45/include/asm-generic/emergency-restart.h linux-2.6.32.45/include/asm-generic/emergency-restart.h
+--- linux-2.6.32.45/include/asm-generic/emergency-restart.h	2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.45/include/asm-generic/emergency-restart.h	2011-08-21 19:17:17.000000000 -0400
+@@ -1,7 +1,7 @@
+ #ifndef _ASM_GENERIC_EMERGENCY_RESTART_H
+ #define _ASM_GENERIC_EMERGENCY_RESTART_H
+ 
+-static inline void machine_emergency_restart(void)
++static inline __noreturn void machine_emergency_restart(void)
+ {
+ 	machine_restart(NULL);
+ }
 diff -urNp linux-2.6.32.45/include/asm-generic/futex.h linux-2.6.32.45/include/asm-generic/futex.h
 --- linux-2.6.32.45/include/asm-generic/futex.h	2011-03-27 14:31:47.000000000 -0400
 +++ linux-2.6.32.45/include/asm-generic/futex.h	2011-04-17 15:56:46.000000000 -0400
@@ -60528,8 +60681,16 @@ diff -urNp linux-2.6.32.45/include/linux/shm.h linux-2.6.32.45/include/linux/shm
  /* shm_mode upper byte flags */
 diff -urNp linux-2.6.32.45/include/linux/skbuff.h linux-2.6.32.45/include/linux/skbuff.h
 --- linux-2.6.32.45/include/linux/skbuff.h	2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.45/include/linux/skbuff.h	2011-07-06 19:53:33.000000000 -0400
-@@ -544,7 +544,7 @@ static inline union skb_shared_tx *skb_t
++++ linux-2.6.32.45/include/linux/skbuff.h	2011-08-21 15:27:56.000000000 -0400
+@@ -14,6 +14,7 @@
+ #ifndef _LINUX_SKBUFF_H
+ #define _LINUX_SKBUFF_H
+ 
++#include <linux/const.h>
+ #include <linux/kernel.h>
+ #include <linux/kmemcheck.h>
+ #include <linux/compiler.h>
+@@ -544,7 +545,7 @@ static inline union skb_shared_tx *skb_t
   */
  static inline int skb_queue_empty(const struct sk_buff_head *list)
  {
@@ -60538,7 +60699,7 @@ diff -urNp linux-2.6.32.45/include/linux/skbuff.h linux-2.6.32.45/include/linux/
  }
  
  /**
-@@ -557,7 +557,7 @@ static inline int skb_queue_empty(const 
+@@ -557,7 +558,7 @@ static inline int skb_queue_empty(const 
  static inline bool skb_queue_is_last(const struct sk_buff_head *list,
  				     const struct sk_buff *skb)
  {
@@ -60547,7 +60708,7 @@ diff -urNp linux-2.6.32.45/include/linux/skbuff.h linux-2.6.32.45/include/linux/
  }
  
  /**
-@@ -570,7 +570,7 @@ static inline bool skb_queue_is_last(con
+@@ -570,7 +571,7 @@ static inline bool skb_queue_is_last(con
  static inline bool skb_queue_is_first(const struct sk_buff_head *list,
  				      const struct sk_buff *skb)
  {
@@ -60556,7 +60717,7 @@ diff -urNp linux-2.6.32.45/include/linux/skbuff.h linux-2.6.32.45/include/linux/
  }
  
  /**
-@@ -1367,7 +1367,7 @@ static inline int skb_network_offset(con
+@@ -1367,7 +1368,7 @@ static inline int skb_network_offset(con
   * headroom, you should not reduce this.
   */
  #ifndef NET_SKB_PAD
@@ -61369,7 +61530,16 @@ diff -urNp linux-2.6.32.45/include/net/neighbour.h linux-2.6.32.45/include/net/n
  struct pneigh_entry
 diff -urNp linux-2.6.32.45/include/net/netlink.h linux-2.6.32.45/include/net/netlink.h
 --- linux-2.6.32.45/include/net/netlink.h	2011-07-13 17:23:04.000000000 -0400
-+++ linux-2.6.32.45/include/net/netlink.h	2011-07-13 17:23:19.000000000 -0400
++++ linux-2.6.32.45/include/net/netlink.h	2011-08-21 18:08:11.000000000 -0400
+@@ -335,7 +335,7 @@ static inline int nlmsg_ok(const struct 
+ {
+ 	return (remaining >= (int) sizeof(struct nlmsghdr) &&
+ 		nlh->nlmsg_len >= sizeof(struct nlmsghdr) &&
+-		nlh->nlmsg_len <= remaining);
++		nlh->nlmsg_len <= (unsigned int)remaining);
+ }
+ 
+ /**
 @@ -558,7 +558,7 @@ static inline void *nlmsg_get_pos(struct
  static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
  {
@@ -61429,7 +61599,7 @@ diff -urNp linux-2.6.32.45/include/net/secure_seq.h linux-2.6.32.45/include/net/
  #endif /* _NET_SECURE_SEQ */
 diff -urNp linux-2.6.32.45/include/net/sock.h linux-2.6.32.45/include/net/sock.h
 --- linux-2.6.32.45/include/net/sock.h	2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.45/include/net/sock.h	2011-05-04 17:56:28.000000000 -0400
++++ linux-2.6.32.45/include/net/sock.h	2011-08-21 17:24:37.000000000 -0400
 @@ -272,7 +272,7 @@ struct sock {
  	rwlock_t		sk_callback_lock;
  	int			sk_err,
@@ -61439,6 +61609,15 @@ diff -urNp linux-2.6.32.45/include/net/sock.h linux-2.6.32.45/include/net/sock.h
  	unsigned short		sk_ack_backlog;
  	unsigned short		sk_max_ack_backlog;
  	__u32			sk_priority;
+@@ -737,7 +737,7 @@ static inline void sk_refcnt_debug_relea
+ extern void sock_prot_inuse_add(struct net *net, struct proto *prot, int inc);
+ extern int sock_prot_inuse_get(struct net *net, struct proto *proto);
+ #else
+-static void inline sock_prot_inuse_add(struct net *net, struct proto *prot,
++static inline void sock_prot_inuse_add(struct net *net, struct proto *prot,
+ 		int inc)
+ {
+ }
 diff -urNp linux-2.6.32.45/include/net/tcp.h linux-2.6.32.45/include/net/tcp.h
 --- linux-2.6.32.45/include/net/tcp.h	2011-03-27 14:31:47.000000000 -0400
 +++ linux-2.6.32.45/include/net/tcp.h	2011-04-17 15:56:46.000000000 -0400
@@ -64600,7 +64779,7 @@ diff -urNp linux-2.6.32.45/kernel/perf_event.c linux-2.6.32.45/kernel/perf_event
  	/*
 diff -urNp linux-2.6.32.45/kernel/pid.c linux-2.6.32.45/kernel/pid.c
 --- linux-2.6.32.45/kernel/pid.c	2011-04-22 19:16:29.000000000 -0400
-+++ linux-2.6.32.45/kernel/pid.c	2011-07-14 19:15:33.000000000 -0400
++++ linux-2.6.32.45/kernel/pid.c	2011-08-21 19:11:29.000000000 -0400
 @@ -33,6 +33,7 @@
  #include <linux/rculist.h>
  #include <linux/bootmem.h>
@@ -64634,14 +64813,12 @@ diff -urNp linux-2.6.32.45/kernel/pid.c linux-2.6.32.45/kernel/pid.c
  }
  
  struct task_struct *find_task_by_vpid(pid_t vnr)
-@@ -391,6 +399,13 @@ struct task_struct *find_task_by_vpid(pi
+@@ -391,6 +399,11 @@ struct task_struct *find_task_by_vpid(pi
  	return find_task_by_pid_ns(vnr, current->nsproxy->pid_ns);
  }
  
 +struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr)
 +{
-+	struct task_struct *task;
-+	
 +	return pid_task(find_pid_ns(vnr, current->nsproxy->pid_ns), PIDTYPE_PID);
 +}
 +
@@ -65486,8 +65663,20 @@ diff -urNp linux-2.6.32.45/kernel/rtmutex-tester.c linux-2.6.32.45/kernel/rtmute
  	case RTTEST_LOCKBKL:
 diff -urNp linux-2.6.32.45/kernel/sched.c linux-2.6.32.45/kernel/sched.c
 --- linux-2.6.32.45/kernel/sched.c	2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.45/kernel/sched.c	2011-05-22 23:02:06.000000000 -0400
-@@ -5043,7 +5043,7 @@ out:
++++ linux-2.6.32.45/kernel/sched.c	2011-08-21 19:29:25.000000000 -0400
+@@ -2764,9 +2764,10 @@ void wake_up_new_task(struct task_struct
+ {
+ 	unsigned long flags;
+ 	struct rq *rq;
+-	int cpu = get_cpu();
+ 
+ #ifdef CONFIG_SMP
++	int cpu = get_cpu();
++
+ 	rq = task_rq_lock(p, &flags);
+ 	p->state = TASK_WAKING;
+ 
+@@ -5043,7 +5044,7 @@ out:
   * In CONFIG_NO_HZ case, the idle load balance owner will do the
   * rebalancing for all the cpus for whom scheduler ticks are stopped.
   */
@@ -65496,7 +65685,7 @@ diff -urNp linux-2.6.32.45/kernel/sched.c linux-2.6.32.45/kernel/sched.c
  {
  	int this_cpu = smp_processor_id();
  	struct rq *this_rq = cpu_rq(this_cpu);
-@@ -5700,6 +5700,8 @@ asmlinkage void __sched schedule(void)
+@@ -5700,6 +5701,8 @@ asmlinkage void __sched schedule(void)
  	struct rq *rq;
  	int cpu;
  
@@ -65505,7 +65694,7 @@ diff -urNp linux-2.6.32.45/kernel/sched.c linux-2.6.32.45/kernel/sched.c
  need_resched:
  	preempt_disable();
  	cpu = smp_processor_id();
-@@ -5770,7 +5772,7 @@ EXPORT_SYMBOL(schedule);
+@@ -5770,7 +5773,7 @@ EXPORT_SYMBOL(schedule);
   * Look out! "owner" is an entirely speculative pointer
   * access and not reliable.
   */
@@ -65514,7 +65703,7 @@ diff -urNp linux-2.6.32.45/kernel/sched.c linux-2.6.32.45/kernel/sched.c
  {
  	unsigned int cpu;
  	struct rq *rq;
-@@ -5784,10 +5786,10 @@ int mutex_spin_on_owner(struct mutex *lo
+@@ -5784,10 +5787,10 @@ int mutex_spin_on_owner(struct mutex *lo
  	 * DEBUG_PAGEALLOC could have unmapped it if
  	 * the mutex owner just released it and exited.
  	 */
@@ -65527,7 +65716,7 @@ diff -urNp linux-2.6.32.45/kernel/sched.c linux-2.6.32.45/kernel/sched.c
  #endif
  
  	/*
-@@ -5816,7 +5818,7 @@ int mutex_spin_on_owner(struct mutex *lo
+@@ -5816,7 +5819,7 @@ int mutex_spin_on_owner(struct mutex *lo
  		/*
  		 * Is that owner really running on that cpu?
  		 */
@@ -65536,7 +65725,7 @@ diff -urNp linux-2.6.32.45/kernel/sched.c linux-2.6.32.45/kernel/sched.c
  			return 0;
  
  		cpu_relax();
-@@ -6359,6 +6361,8 @@ int can_nice(const struct task_struct *p
+@@ -6359,6 +6362,8 @@ int can_nice(const struct task_struct *p
  	/* convert nice value [19,-20] to rlimit style value [1,40] */
  	int nice_rlim = 20 - nice;
  
@@ -65545,7 +65734,7 @@ diff -urNp linux-2.6.32.45/kernel/sched.c linux-2.6.32.45/kernel/sched.c
  	return (nice_rlim <= p->signal->rlim[RLIMIT_NICE].rlim_cur ||
  		capable(CAP_SYS_NICE));
  }
-@@ -6392,7 +6396,8 @@ SYSCALL_DEFINE1(nice, int, increment)
+@@ -6392,7 +6397,8 @@ SYSCALL_DEFINE1(nice, int, increment)
  	if (nice > 19)
  		nice = 19;
  
@@ -65555,7 +65744,7 @@ diff -urNp linux-2.6.32.45/kernel/sched.c linux-2.6.32.45/kernel/sched.c
  		return -EPERM;
  
  	retval = security_task_setnice(current, nice);
-@@ -8774,7 +8779,7 @@ static void init_sched_groups_power(int 
+@@ -8774,7 +8780,7 @@ static void init_sched_groups_power(int 
  	long power;
  	int weight;
  
@@ -66970,7 +67159,7 @@ diff -urNp linux-2.6.32.45/localversion-grsec linux-2.6.32.45/localversion-grsec
 +-grsec
 diff -urNp linux-2.6.32.45/Makefile linux-2.6.32.45/Makefile
 --- linux-2.6.32.45/Makefile	2011-08-16 20:37:25.000000000 -0400
-+++ linux-2.6.32.45/Makefile	2011-08-16 20:42:28.000000000 -0400
++++ linux-2.6.32.45/Makefile	2011-08-21 19:35:55.000000000 -0400
 @@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
  
  HOSTCC       = gcc
@@ -71623,6 +71812,29 @@ diff -urNp linux-2.6.32.45/net/ipv4/netfilter/arp_tables.c linux-2.6.32.45/net/i
  		info.valid_hooks = t->valid_hooks;
  		memcpy(info.hook_entry, private->hook_entry,
  		       sizeof(info.hook_entry));
+diff -urNp linux-2.6.32.45/net/ipv4/netfilter/ip_queue.c linux-2.6.32.45/net/ipv4/netfilter/ip_queue.c
+--- linux-2.6.32.45/net/ipv4/netfilter/ip_queue.c	2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.45/net/ipv4/netfilter/ip_queue.c	2011-08-21 18:42:53.000000000 -0400
+@@ -286,6 +286,9 @@ ipq_mangle_ipv4(ipq_verdict_msg_t *v, st
+ 
+ 	if (v->data_len < sizeof(*user_iph))
+ 		return 0;
++	if (v->data_len > 65535)
++		return -EMSGSIZE;
++
+ 	diff = v->data_len - e->skb->len;
+ 	if (diff < 0) {
+ 		if (pskb_trim(e->skb, v->data_len))
+@@ -409,7 +412,8 @@ ipq_dev_drop(int ifindex)
+ static inline void
+ __ipq_rcv_skb(struct sk_buff *skb)
+ {
+-	int status, type, pid, flags, nlmsglen, skblen;
++	int status, type, pid, flags;
++	unsigned int nlmsglen, skblen;
+ 	struct nlmsghdr *nlh;
+ 
+ 	skblen = skb->len;
 diff -urNp linux-2.6.32.45/net/ipv4/netfilter/ip_tables.c linux-2.6.32.45/net/ipv4/netfilter/ip_tables.c
 --- linux-2.6.32.45/net/ipv4/netfilter/ip_tables.c	2011-04-17 17:00:52.000000000 -0400
 +++ linux-2.6.32.45/net/ipv4/netfilter/ip_tables.c	2011-04-17 17:04:18.000000000 -0400
@@ -72142,6 +72354,29 @@ diff -urNp linux-2.6.32.45/net/ipv6/ipv6_sockglue.c linux-2.6.32.45/net/ipv6/ipv
  	if (ip6_mroute_opt(optname))
  		return ip6_mroute_getsockopt(sk, optname, optval, optlen);
  
+diff -urNp linux-2.6.32.45/net/ipv6/netfilter/ip6_queue.c linux-2.6.32.45/net/ipv6/netfilter/ip6_queue.c
+--- linux-2.6.32.45/net/ipv6/netfilter/ip6_queue.c	2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.45/net/ipv6/netfilter/ip6_queue.c	2011-08-21 18:43:32.000000000 -0400
+@@ -287,6 +287,9 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, st
+ 
+ 	if (v->data_len < sizeof(*user_iph))
+ 		return 0;
++	if (v->data_len > 65535)
++		return -EMSGSIZE;
++
+ 	diff = v->data_len - e->skb->len;
+ 	if (diff < 0) {
+ 		if (pskb_trim(e->skb, v->data_len))
+@@ -411,7 +414,8 @@ ipq_dev_drop(int ifindex)
+ static inline void
+ __ipq_rcv_skb(struct sk_buff *skb)
+ {
+-	int status, type, pid, flags, nlmsglen, skblen;
++	int status, type, pid, flags;
++	unsigned int nlmsglen, skblen;
+ 	struct nlmsghdr *nlh;
+ 
+ 	skblen = skb->len;
 diff -urNp linux-2.6.32.45/net/ipv6/netfilter/ip6_tables.c linux-2.6.32.45/net/ipv6/netfilter/ip6_tables.c
 --- linux-2.6.32.45/net/ipv6/netfilter/ip6_tables.c	2011-04-17 17:00:52.000000000 -0400
 +++ linux-2.6.32.45/net/ipv6/netfilter/ip6_tables.c	2011-04-17 17:04:18.000000000 -0400
diff --git a/2.6.39/0000_README b/2.6.39/0000_README
index 38058ed..3af2064 100644
--- a/2.6.39/0000_README
+++ b/2.6.39/0000_README
@@ -3,7 +3,7 @@ README
 
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-2.2.2-2.6.39.4-201108192305.patch
+Patch:	4420_grsecurity-2.2.2-2.6.39.4-201108211939.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/2.6.39/4420_grsecurity-2.2.2-2.6.39.4-201108192305.patch b/2.6.39/4420_grsecurity-2.2.2-2.6.39.4-201108211939.patch
index 6d92b4a..9fd74be 100644
--- a/2.6.39/4420_grsecurity-2.2.2-2.6.39.4-201108192305.patch
+++ b/2.6.39/4420_grsecurity-2.2.2-2.6.39.4-201108211939.patch
@@ -51118,8 +51118,8 @@ diff -urNp linux-2.6.39.4/grsecurity/Kconfig linux-2.6.39.4/grsecurity/Kconfig
 +endmenu
 diff -urNp linux-2.6.39.4/grsecurity/Makefile linux-2.6.39.4/grsecurity/Makefile
 --- linux-2.6.39.4/grsecurity/Makefile	1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.39.4/grsecurity/Makefile	2011-08-17 19:03:10.000000000 -0400
-@@ -0,0 +1,33 @@
++++ linux-2.6.39.4/grsecurity/Makefile	2011-08-21 18:54:57.000000000 -0400
+@@ -0,0 +1,34 @@
 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
 +# during 2001-2009 it has been completely redesigned by Brad Spengler
 +# into an RBAC system
@@ -51138,7 +51138,8 @@ diff -urNp linux-2.6.39.4/grsecurity/Makefile linux-2.6.39.4/grsecurity/Makefile
 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
 +
 +ifdef CONFIG_NET
-+obj-$(CONFIG_GRKERNSEC) += gracl_ip.o grsec_sock.o
++obj-y += grsec_sock.o
++obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
 +endif
 +
 +ifndef CONFIG_GRKERNSEC
author	Anthony G. Basile <blueness@gentoo.org>	2011-08-24 05:02:02 -0400
committer	Anthony G. Basile <blueness@gentoo.org>	2011-08-24 05:02:02 -0400
commit	22102caf72a2ba344bc84da64f789414179259fa (patch)
tree	ffcf21e5b7d594dcfdac60956108b18ae9d756cb
parent	Grsec/PaX: 2.2.2-2.6.32.45-201108192305 + 2.2.2-2.6.39.4-201108192305 (diff)
download	hardened-patchset-22102caf72a2ba344bc84da64f789414179259fa.tar.gz hardened-patchset-22102caf72a2ba344bc84da64f789414179259fa.tar.bz2 hardened-patchset-22102caf72a2ba344bc84da64f789414179259fa.zip