authorAnthony G. Basile <blueness@gentoo.org>2012-08-01 19:41:42 -0400
committerAnthony G. Basile <blueness@gentoo.org>2012-08-01 19:41:42 -0400
commit514be5c53d9181c227ebe4371a4ac0f1bdfcbcf1 (patch)
tree22ac72ecd01526e38247cef82b4d3665d4e2a5f2
parentGrsec/PaX: 2.9.1-{2.6.32.59,3.2.24,3.4.6}-201207311908 (diff)
Grsec/PaX: 2.9.1-{2.6.32.59,3.2.24,3.4.6}-201208011848
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208011848.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207311908.patch)27
-rw-r--r--3.2.24/0000_README2
-rw-r--r--3.2.24/4420_grsecurity-2.9.1-3.2.24-201208011849.patch (renamed from 3.2.24/4420_grsecurity-2.9.1-3.2.24-201207311909.patch)27
-rw-r--r--3.4.6/0000_README2
-rw-r--r--3.4.6/4420_grsecurity-2.9.1-3.4.7-201208011850.patch (renamed from 3.4.6/4420_grsecurity-2.9.1-3.4.7-201207311909.patch)27
6 files changed, 84 insertions, 3 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 3010d85..ae80b1d 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -30,7 +30,7 @@ Patch: 1058_linux-2.6.32.59.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.59
-Patch: 4420_grsecurity-2.9.1-2.6.32.59-201207311908.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.59-201208011848.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207311908.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208011848.patch
index a17194d..4d11792 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207311908.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208011848.patch
@@ -105356,6 +105356,33 @@ index 30b3189..e2e4b55 100644
goto out;
}
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index 8df3477..797ae6d 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1298,6 +1298,10 @@ err_proto:
+ #define UNCONFIRMED_NULLS_VAL ((1<<30)+0)
+ #define DYING_NULLS_VAL ((1<<30)+1)
+
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++static atomic_unchecked_t conntrack_cache_id = ATOMIC_INIT(0);
++#endif
++
+ static int nf_conntrack_init_net(struct net *net)
+ {
+ int ret;
+@@ -1311,7 +1315,11 @@ static int nf_conntrack_init_net(struct net *net)
+ goto err_stat;
+ }
+
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%08lx", atomic_inc_return(&conntrack_cache_id));
++#else
+ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
++#endif
+ if (!net->ct.slabname) {
+ ret = -ENOMEM;
+ goto err_slabname;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index d521718..d0fd7a1 100644
--- a/net/netfilter/nf_conntrack_netlink.c
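Review bot: In the added CONFIG_GRKERNSEC_HIDESYM branch of nf_conntrack_init_net, the conversion `%08lx` expects an unsigned long while atomic_inc_return() yields an int, so the variadic argument does not match its specifier; that is undefined behaviour and on 64-bit builds may print stray upper bits in the slab name. Matching the two would fix it, e.g. `kasprintf(GFP_KERNEL, "nf_conntrack_%08x", (unsigned int)atomic_inc_return(&conntrack_cache_id));`. The counter is declared `atomic_unchecked_t` but incremented through the plain atomic_inc_return(); if the two atomic types are distinct in a given configuration, the `_unchecked` accessor would presumably be the matching call, which is worth confirming. A short comment above `conntrack_cache_id`, such as `/* per-netns slab name suffix; replaces %p of net so the cache name does not expose a kernel address */`, would record why the branch exists. The same lines recur in the 3.2.24 and 3.4.7 patch hunks further down, and the function body continues outside the hunk.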
diff --git a/3.2.24/0000_README b/3.2.24/0000_README
index e45dbd8..5b9308c 100644
--- a/3.2.24/0000_README
+++ b/3.2.24/0000_README
@@ -14,7 +14,7 @@ Patch: 1023_linux-3.2.24.patch
From: http://www.kernel.org
Desc: Linux 3.2.24
-Patch: 4420_grsecurity-2.9.1-3.2.24-201207311909.patch
+Patch: 4420_grsecurity-2.9.1-3.2.24-201208011849.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.24/4420_grsecurity-2.9.1-3.2.24-201207311909.patch b/3.2.24/4420_grsecurity-2.9.1-3.2.24-201208011849.patch
index 4c10305..c4edc06 100644
--- a/3.2.24/4420_grsecurity-2.9.1-3.2.24-201207311909.patch
+++ b/3.2.24/4420_grsecurity-2.9.1-3.2.24-201208011849.patch
@@ -78633,6 +78633,33 @@ index aa2d720..d8aa111 100644
goto out;
}
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index 1d15193..1062656 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1485,6 +1485,10 @@ err_proto:
+ #define UNCONFIRMED_NULLS_VAL ((1<<30)+0)
+ #define DYING_NULLS_VAL ((1<<30)+1)
+
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++static atomic_unchecked_t conntrack_cache_id = ATOMIC_INIT(0);
++#endif
++
+ static int nf_conntrack_init_net(struct net *net)
+ {
+ int ret;
+@@ -1498,7 +1502,11 @@ static int nf_conntrack_init_net(struct net *net)
+ goto err_stat;
+ }
+
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%08lx", atomic_inc_return(&conntrack_cache_id));
++#else
+ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
++#endif
+ if (!net->ct.slabname) {
+ ret = -ENOMEM;
+ goto err_slabname;
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 66b2c54..c7884e3 100644
--- a/net/netfilter/nfnetlink_log.c
diff --git a/3.4.6/0000_README b/3.4.6/0000_README
index 14b45fc..2236f0c 100644
--- a/3.4.6/0000_README
+++ b/3.4.6/0000_README
@@ -6,7 +6,7 @@ Patch: 1005_linux-3.4.6.patch
From: http://www.kernel.org
Desc: Linux 3.4.6
-Patch: 4420_grsecurity-2.9.1-3.4.7-201207311909.patch
+Patch: 4420_grsecurity-2.9.1-3.4.7-201208011850.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.4.6/4420_grsecurity-2.9.1-3.4.7-201207311909.patch b/3.4.6/4420_grsecurity-2.9.1-3.4.7-201208011850.patch
index 9da1ccd..23880cf 100644
--- a/3.4.6/4420_grsecurity-2.9.1-3.4.7-201207311909.patch
+++ b/3.4.6/4420_grsecurity-2.9.1-3.4.7-201208011850.patch
@@ -76824,6 +76824,33 @@ index 7fd66de..e6fb361 100644
goto out;
}
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index 729f157..08edc6c 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1538,6 +1538,10 @@ err_proto:
+ #define UNCONFIRMED_NULLS_VAL ((1<<30)+0)
+ #define DYING_NULLS_VAL ((1<<30)+1)
+
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++static atomic_unchecked_t conntrack_cache_id = ATOMIC_INIT(0);
++#endif
++
+ static int nf_conntrack_init_net(struct net *net)
+ {
+ int ret;
+@@ -1551,7 +1555,11 @@ static int nf_conntrack_init_net(struct net *net)
+ goto err_stat;
+ }
+
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%08lx", atomic_inc_return(&conntrack_cache_id));
++#else
+ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
++#endif
+ if (!net->ct.slabname) {
+ ret = -ENOMEM;
+ goto err_slabname;
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 66b2c54..c7884e3 100644
--- a/net/netfilter/nfnetlink_log.c