authorAnthony G. Basile <blueness@gentoo.org>2012-12-28 14:52:06 -0500
committerAnthony G. Basile <blueness@gentoo.org>2012-12-28 14:52:06 -0500
commit1e65ecc2a2356479967ba18ffb5adddd6b948cd7 (patch)
tree32b0d8abfddf52106f560b497302b7a0876b3cfe
parentGrsec/PaX: 2.9.1-3.7.1-201212171734 (diff)
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.35,3.7.1}-20121227195320121227
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212271948.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212151417.patch)440
-rw-r--r--3.2.35/0000_README6
-rw-r--r--3.2.35/4420_grsecurity-2.9.1-3.2.35-201212271951.patch (renamed from 3.2.35/4420_grsecurity-2.9.1-3.2.35-201212151420.patch)425
-rw-r--r--3.2.35/4425_grsec_remove_EI_PAX.patch19
-rw-r--r--3.7.1/0000_README6
-rw-r--r--3.7.1/4420_grsecurity-2.9.1-3.7.1-201212271953.patch (renamed from 3.7.1/4420_grsecurity-2.9.1-3.7.1-201212171734.patch)284
7 files changed, 1104 insertions, 78 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 118ed93..bfc0147 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.59
-Patch: 4420_grsecurity-2.9.1-2.6.32.60-201212151417.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.60-201212271948.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212151417.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212271948.patch
index 182c7b6..ebf3a53 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212151417.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212271948.patch
@@ -229,6 +229,22 @@ index 14c7fb0..0f7d099 100644
pcbit= [HW,ISDN]
pcd. [PARIDE]
+diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
+index fbe427a..195ff43 100644
+--- a/Documentation/networking/ip-sysctl.txt
++++ b/Documentation/networking/ip-sysctl.txt
+@@ -479,6 +479,11 @@ tcp_dma_copybreak - INTEGER
+ and CONFIG_NET_DMA is enabled.
+ Default: 4096
+
++tcp_challenge_ack_limit - INTEGER
++ Limits number of Challenge ACK sent per second, as recommended
++ in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks)
++ Default: 100
++
+ UDP variables:
+
+ udp_mem - vector of 3 INTEGERs: min, pressure, max
diff --git a/MAINTAINERS b/MAINTAINERS
index 334258c..1e8f4ff 100644
--- a/MAINTAINERS
@@ -42636,7 +42652,7 @@ index 62f282e..e45c45c 100644
cdev_init(&ptmx_cdev, &ptmx_fops);
if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
diff --git a/drivers/char/random.c b/drivers/char/random.c
-index 446b20a..8657325 100644
+index 446b20a..d0e60f5 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -269,8 +269,13 @@
@@ -42671,7 +42687,15 @@ index 446b20a..8657325 100644
#if 0
/* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
{ 2048, 1638, 1231, 819, 411, 1 },
-@@ -524,8 +536,8 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
+@@ -434,6 +446,7 @@ struct entropy_store {
+ int entropy_count;
+ int entropy_total;
+ unsigned int initialized:1;
++ bool last_data_init;
+ __u8 last_data[EXTRACT_SIZE];
+ };
+
+@@ -524,8 +537,8 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
input_rotate += i ? 7 : 14;
}
@@ -42682,7 +42706,7 @@ index 446b20a..8657325 100644
smp_wmb();
if (out)
-@@ -784,6 +796,17 @@ void add_disk_randomness(struct gendisk *disk)
+@@ -784,6 +797,17 @@ void add_disk_randomness(struct gendisk *disk)
}
#endif
@@ -42700,7 +42724,36 @@ index 446b20a..8657325 100644
/*********************************************************************
*
* Entropy extraction routines
-@@ -1015,7 +1038,21 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+@@ -942,6 +966,10 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ ssize_t ret = 0, i;
+ __u8 tmp[EXTRACT_SIZE];
+
++ /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
++ if (fips_enabled && !r->last_data_init)
++ nbytes += EXTRACT_SIZE;
++
+ xfer_secondary_pool(r, nbytes);
+ nbytes = account(r, nbytes, min, reserved);
+
+@@ -951,6 +979,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ if (fips_enabled) {
+ unsigned long flags;
+
++
++ /* prime last_data value if need be, per fips 140-2 */
++ if (!r->last_data_init) {
++ spin_lock_irqsave(&r->lock, flags);
++ memcpy(r->last_data, tmp, EXTRACT_SIZE);
++ r->last_data_init = true;
++ nbytes -= EXTRACT_SIZE;
++ spin_unlock_irqrestore(&r->lock, flags);
++ extract_buf(r, tmp);
++ }
++
+ spin_lock_irqsave(&r->lock, flags);
+ if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
+ panic("Hardware RNG duplicated output!\n");
+@@ -1015,7 +1054,21 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
*/
void get_random_bytes(void *buf, int nbytes)
{
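Review bot: The priming block added at L114–L121 subtracts EXTRACT_SIZE from `nbytes` after `account()` at L106 has already had its chance to shrink the request, so if account() can hand back fewer than EXTRACT_SIZE bytes (its body and the surrounding extraction loop are not in the hunk) the size_t subtraction wraps and the loop would then write far past the caller's buffer. A guarded form, `nbytes = nbytes >= EXTRACT_SIZE ? nbytes - EXTRACT_SIZE : 0;`, or priming before the request is accounted, closes that. Separately, `r->last_data_init` is tested at L102 and L114 without `r->lock`, so two concurrent extractors can both prime and both have added EXTRACT_SIZE to their request; that only skews the accounting, but the comment at L113 should say the race is accepted. The identical block recurs in the 3.2.35 patch at L789–L796. extract_entropy's body continues outside the hunk.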
@@ -42723,7 +42776,15 @@ index 446b20a..8657325 100644
}
EXPORT_SYMBOL(get_random_bytes);
-@@ -1322,7 +1359,7 @@ EXPORT_SYMBOL(generate_random_uuid);
+@@ -1068,6 +1121,7 @@ static void init_std_data(struct entropy_store *r)
+
+ r->entropy_count = 0;
+ r->entropy_total = 0;
++ r->last_data_init = false;
+ mix_pool_bytes(r, &now, sizeof(now), NULL);
+ for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) {
+ if (!arch_get_random_long(&rv))
+@@ -1322,7 +1376,7 @@ EXPORT_SYMBOL(generate_random_uuid);
#include <linux/sysctl.h>
static int min_read_thresh = 8, min_write_thresh;
@@ -42732,7 +42793,7 @@ index 446b20a..8657325 100644
static int max_write_thresh = INPUT_POOL_WORDS * 32;
static char sysctl_bootid[16];
-@@ -1397,6 +1434,7 @@ static int uuid_strategy(ctl_table *table,
+@@ -1397,6 +1451,7 @@ static int uuid_strategy(ctl_table *table,
}
static int sysctl_poolsize = INPUT_POOL_WORDS * 32;
@@ -42740,7 +42801,7 @@ index 446b20a..8657325 100644
ctl_table random_table[] = {
{
.ctl_name = RANDOM_POOLSIZE,
-@@ -1472,7 +1510,7 @@ late_initcall(random_int_secret_init);
+@@ -1472,7 +1527,7 @@ late_initcall(random_int_secret_init);
* value is not cryptographically secure but for several uses the cost of
* depleting entropy is too high
*/
@@ -74396,7 +74457,7 @@ index b4ea829..e63ef18 100644
}
diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c
-index 136a0d6..cdff021 100644
+index 136a0d6..3330341 100644
--- a/fs/autofs4/waitq.c
+++ b/fs/autofs4/waitq.c
@@ -60,7 +60,7 @@ static int autofs4_write(struct file *file, const void *addr, int bytes)
@@ -74425,7 +74486,7 @@ index 136a0d6..cdff021 100644
if (IS_ROOT(dentry) && autofs_type_trigger(sbi->type))
+#ifdef CONFIG_GRKERNSEC_HIDESYM
+ /* this name does get written to userland via autofs4_write() */
-+ qstr.len = sprintf(name, "%08lx", atomic_inc_return_unchecked(&autofs_dummy_name_id));
++ qstr.len = sprintf(name, "%08x", atomic_inc_return_unchecked(&autofs_dummy_name_id));
+#else
qstr.len = sprintf(name, "%p", dentry);
+#endif
@@ -77839,6 +77900,18 @@ index 2a60541..7439d61 100644
sb->s_dirt = 1;
}
}
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index efe6363..f9e1b6e 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -2179,6 +2179,7 @@ static void ext4_da_block_invalidatepages(struct mpage_da_data *mpd,
+ index = logical >> (PAGE_CACHE_SHIFT - inode->i_blkbits);
+ end = (logical + blk_cnt - 1) >>
+ (PAGE_CACHE_SHIFT - inode->i_blkbits);
++ pagevec_init(&pvec, 0);
+ while (index <= end) {
+ nr_pages = pagevec_lookup(&pvec, mapping, index, PAGEVEC_SIZE);
+ if (nr_pages == 0)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 42bac1b..0aab9d8 100644
--- a/fs/ext4/mballoc.c
@@ -80110,7 +80183,7 @@ index ec88ff3..b843a82 100644
cache->c_bucket_bits = bucket_bits;
#ifdef MB_CACHE_INDEXES_COUNT
diff --git a/fs/namei.c b/fs/namei.c
-index b0afbd4..78b0f63 100644
+index b0afbd4..2b96439 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -224,6 +224,14 @@ int generic_permission(struct inode *inode, int mask,
@@ -80240,7 +80313,7 @@ index b0afbd4..78b0f63 100644
+ if (unlikely(name[0] == '.')) {
+ if (len < 2 || (len == 2 && name[1] == '.'))
-+ return ERR_PTR(-EACCES);
++ return -EACCES;
+ }
+
hash = init_name_hash();
@@ -82917,6 +82990,19 @@ index 8f5c05d..c99c76d 100644
}
seq_putc(m, '\n');
+diff --git a/fs/read_write.c b/fs/read_write.c
+index b7f4a1f..d40066d 100644
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -860,6 +860,8 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
+ if (retval > 0) {
+ add_rchar(current, retval);
+ add_wchar(current, retval);
++ fsnotify_access(in_file->f_path.dentry);
++ fsnotify_modify(out_file->f_path.dentry);
+ }
+
+ inc_syscr(current);
diff --git a/fs/readdir.c b/fs/readdir.c
index 7723401..30059a6 100644
--- a/fs/readdir.c
@@ -83952,7 +84038,7 @@ index e89734e..5e84d8d 100644
return 0;
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..5012f34
+index 0000000..7efd211
--- /dev/null
+++ b/grsecurity/Kconfig
@@ -0,0 +1,946 @@
@@ -84603,7 +84689,7 @@ index 0000000..5012f34
+ default y if GRKERNSEC_CONFIG_AUTO
+ help
+ If you say Y here, non-root users will not be able to use dmesg(8)
-+ to view up to the last 4kb of messages in the kernel's log buffer.
++ to view the contents of the kernel's circular log buffer.
+ The kernel's log buffer often contains kernel addresses and other
+ identifying information useful to an attacker in fingerprinting a
+ system for a targeted exploit.
@@ -98283,6 +98369,34 @@ index 5171639..7cf4235 100644
/** create a directory */
struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
+diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h
+index 6b202b1..f451772 100644
+--- a/include/linux/page-flags.h
++++ b/include/linux/page-flags.h
+@@ -362,7 +362,7 @@ static inline int PageCompound(struct page *page)
+ * pages on the LRU and/or pagecache.
+ */
+ TESTPAGEFLAG(Compound, compound)
+-__PAGEFLAG(Head, compound)
++__SETPAGEFLAG(Head, compound) __CLEARPAGEFLAG(Head, compound)
+
+ /*
+ * PG_reclaim is used in combination with PG_compound to mark the
+@@ -374,8 +374,14 @@ __PAGEFLAG(Head, compound)
+ * PG_compound & PG_reclaim => Tail page
+ * PG_compound & ~PG_reclaim => Head page
+ */
++#define PG_head_mask ((1L << PG_compound))
+ #define PG_head_tail_mask ((1L << PG_compound) | (1L << PG_reclaim))
+
++static inline int PageHead(struct page *page)
++{
++ return ((page->flags & PG_head_tail_mask) == PG_head_mask);
++}
++
+ static inline int PageTail(struct page *page)
+ {
+ return ((page->flags & PG_head_tail_mask) == PG_head_tail_mask);
diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
index 3c62ed4..8924c7c 100644
--- a/include/linux/pagemap.h
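Review bot: `#define PG_head_mask ((1L << PG_compound))` at L271 has a redundant outer pair of parentheses; `#define PG_head_mask (1L << PG_compound)` matches the adjacent PG_head_tail_mask definition. The hand-written PageHead() at L274–L277 replaces the generated `__PAGEFLAG(Head, compound)` test so that a page with both PG_compound and PG_reclaim set is no longer reported as a head page, which is the mapping the comment at L268–L270 spells out; a one-line comment above the function, `/* a head page is PG_compound without PG_reclaim, so the generated test cannot be used */`, would save the next reader the cross-check. The same hunk recurs in the 3.2.35 patch at L916–L943.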
@@ -98464,7 +98578,7 @@ index 7456d7d..6c1cfc9 100644
static inline int ptrace_reparented(struct task_struct *child)
{
diff --git a/include/linux/random.h b/include/linux/random.h
-index 1864957..e98160a 100644
+index 1864957..b2ba8bf 100644
--- a/include/linux/random.h
+++ b/include/linux/random.h
@@ -49,6 +49,10 @@ extern void add_input_randomness(unsigned int type, unsigned int code,
@@ -98478,7 +98592,7 @@ index 1864957..e98160a 100644
extern void get_random_bytes(void *buf, int nbytes);
extern void get_random_bytes_arch(void *buf, int nbytes);
void generate_random_uuid(unsigned char uuid_out[16]);
-@@ -76,6 +80,24 @@ static inline int arch_get_random_int(unsigned int *v)
+@@ -76,6 +80,11 @@ static inline int arch_get_random_int(unsigned int *v)
}
#endif
@@ -98487,19 +98601,6 @@ index 1864957..e98160a 100644
+ return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
+}
+
-+#ifdef CONFIG_ARCH_RANDOM
-+# include <asm/archrandom.h>
-+#else
-+static inline int arch_get_random_long(unsigned long *v)
-+{
-+ return 0;
-+}
-+static inline int arch_get_random_int(unsigned int *v)
-+{
-+ return 0;
-+}
-+#endif
-+
#endif /* __KERNEL___ */
#endif /* _LINUX_RANDOM_H */
@@ -99331,6 +99432,27 @@ index 5ad70a6..108e1dc 100644
void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node);
#ifdef CONFIG_KMEMTRACE
+diff --git a/include/linux/snmp.h b/include/linux/snmp.h
+index 0f953fe..05d45da 100644
+--- a/include/linux/snmp.h
++++ b/include/linux/snmp.h
+@@ -208,7 +208,6 @@ enum
+ LINUX_MIB_TCPDSACKOFOSENT, /* TCPDSACKOfoSent */
+ LINUX_MIB_TCPDSACKRECV, /* TCPDSACKRecv */
+ LINUX_MIB_TCPDSACKOFORECV, /* TCPDSACKOfoRecv */
+- LINUX_MIB_TCPABORTONSYN, /* TCPAbortOnSyn */
+ LINUX_MIB_TCPABORTONDATA, /* TCPAbortOnData */
+ LINUX_MIB_TCPABORTONCLOSE, /* TCPAbortOnClose */
+ LINUX_MIB_TCPABORTONMEMORY, /* TCPAbortOnMemory */
+@@ -225,6 +224,8 @@ enum
+ LINUX_MIB_SACKSHIFTED,
+ LINUX_MIB_SACKMERGED,
+ LINUX_MIB_SACKSHIFTFALLBACK,
++ LINUX_MIB_TCPCHALLENGEACK, /* TCPChallengeACK */
++ LINUX_MIB_TCPSYNCHALLENGE, /* TCPSYNChallenge */
+ __LINUX_MIB_MAX
+ };
+
diff --git a/include/linux/sonet.h b/include/linux/sonet.h
index 67ad11f..0bbd8af 100644
--- a/include/linux/sonet.h
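Review bot: Dropping LINUX_MIB_TCPABORTONSYN at L332 also drops the `TCPAbortOnSyn` column from the `snmp4_net_list` table (L446 in the net/ipv4/proc.c hunk), which is a user-visible change to /proc/net/netstat output for a longterm tree; monitoring that reads that counter will see it vanish rather than read zero. Keeping the enum value and its SNMP_MIB_ITEM row, never incremented, would preserve the output format, and if the removal is intentional it deserves a sentence in the commit message. The new TCPCHALLENGEACK/TCPSYNCHALLENGE entries at L340–L341 and L454–L455 are consistent with each other and must stay in lockstep, since the table rows are presumably looked up by the enum value.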
@@ -100299,10 +100421,18 @@ index 78adf52..32bb160 100644
static inline struct page *sk_stream_alloc_page(struct sock *sk)
{
diff --git a/include/net/tcp.h b/include/net/tcp.h
-index 6cfe18b..a0d06df 100644
+index 6cfe18b..24c05d6 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
-@@ -483,7 +483,7 @@ extern void tcp_retransmit_timer(struct sock *sk);
+@@ -237,6 +237,7 @@ extern int sysctl_tcp_base_mss;
+ extern int sysctl_tcp_workaround_signed_windows;
+ extern int sysctl_tcp_slow_start_after_idle;
+ extern int sysctl_tcp_max_ssthresh;
++extern int sysctl_tcp_challenge_ack_limit;
+
+ extern atomic_t tcp_memory_allocated;
+ extern struct percpu_counter tcp_sockets_allocated;
+@@ -483,7 +484,7 @@ extern void tcp_retransmit_timer(struct sock *sk);
extern void tcp_xmit_retransmit_queue(struct sock *);
extern void tcp_simple_retransmit(struct sock *);
extern int tcp_trim_head(struct sock *, struct sk_buff *, u32);
@@ -100311,7 +100441,7 @@ index 6cfe18b..a0d06df 100644
extern void tcp_send_probe0(struct sock *);
extern void tcp_send_partial(struct sock *);
-@@ -632,8 +632,8 @@ struct tcp_skb_cb {
+@@ -632,8 +633,8 @@ struct tcp_skb_cb {
struct inet6_skb_parm h6;
#endif
} header; /* For incoming frames */
@@ -100322,7 +100452,7 @@ index 6cfe18b..a0d06df 100644
__u32 when; /* used to compute rtt's */
__u8 flags; /* TCP header flags. */
-@@ -658,7 +658,7 @@ struct tcp_skb_cb {
+@@ -658,7 +659,7 @@ struct tcp_skb_cb {
#define TCPCB_EVER_RETRANS 0x80 /* Ever retransmitted frame */
#define TCPCB_RETRANS (TCPCB_SACKED_RETRANS|TCPCB_EVER_RETRANS)
@@ -100331,7 +100461,7 @@ index 6cfe18b..a0d06df 100644
};
#define TCP_SKB_CB(__skb) ((struct tcp_skb_cb *)&((__skb)->cb[0]))
-@@ -1444,8 +1444,8 @@ enum tcp_seq_states {
+@@ -1444,8 +1445,8 @@ enum tcp_seq_states {
struct tcp_seq_afinfo {
char *name;
sa_family_t family;
@@ -104383,10 +104513,10 @@ index fce7198..4f23a7e 100644
{
struct pid *pid;
diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c
-index 5c9dc22..d271117 100644
+index 5c9dc22..7652dca 100644
--- a/kernel/posix-cpu-timers.c
+++ b/kernel/posix-cpu-timers.c
-@@ -6,6 +6,7 @@
+@@ -6,9 +6,11 @@
#include <linux/posix-timers.h>
#include <linux/errno.h>
#include <linux/math64.h>
@@ -104394,7 +104524,20 @@ index 5c9dc22..d271117 100644
#include <asm/uaccess.h>
#include <linux/kernel_stat.h>
#include <trace/events/timer.h>
-@@ -1697,7 +1698,7 @@ static long thread_cpu_nsleep_restart(struct restart_block *restart_block)
++#include <linux/random.h>
+
+ /*
+ * Called after updating RLIMIT_CPU to set timer expiration if necessary.
+@@ -516,6 +518,8 @@ static void cleanup_timers(struct list_head *head,
+ */
+ void posix_cpu_timers_exit(struct task_struct *tsk)
+ {
++ add_device_randomness((const void*) &tsk->se.sum_exec_runtime,
++ sizeof(unsigned long long));
+ cleanup_timers(tsk->cpu_timers,
+ tsk->utime, tsk->stime, tsk->se.sum_exec_runtime);
+
+@@ -1697,7 +1701,7 @@ static long thread_cpu_nsleep_restart(struct restart_block *restart_block)
static __init int init_posix_cpu_timers(void)
{
@@ -104403,7 +104546,7 @@ index 5c9dc22..d271117 100644
.clock_getres = process_cpu_clock_getres,
.clock_get = process_cpu_clock_get,
.clock_set = do_posix_clock_nosettime,
-@@ -1705,7 +1706,7 @@ static __init int init_posix_cpu_timers(void)
+@@ -1705,7 +1709,7 @@ static __init int init_posix_cpu_timers(void)
.nsleep = process_cpu_nsleep,
.nsleep_restart = process_cpu_nsleep_restart,
};
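Review bot: The add_device_randomness() call added at L418–L419 spells the length as `sizeof(unsigned long long)` and casts the argument to `(const void*)`; tying both to the object, `add_device_randomness(&tsk->se.sum_exec_runtime, sizeof(tsk->se.sum_exec_runtime));`, keeps the length correct if the field's type ever changes, and the cast is implicit for a `const void *` parameter. `#include <linux/random.h>` at L410 lands after the <asm/...> and <trace/events/...> includes, whereas the file groups its <linux/...> headers together at L402–L404. A short comment on the call, noting that the exit-time runtime is mixed in as a low-quality source (presumably without entropy credit; confirm against add_device_randomness), would explain why it is done here.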
@@ -112912,6 +113055,27 @@ index 0606db1..2f32531 100644
break;
case IPT_SO_GET_ENTRIES:
+diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
+index f25542c..5a0b902 100644
+--- a/net/ipv4/proc.c
++++ b/net/ipv4/proc.c
+@@ -232,7 +232,6 @@ static const struct snmp_mib snmp4_net_list[] = {
+ SNMP_MIB_ITEM("TCPDSACKOfoSent", LINUX_MIB_TCPDSACKOFOSENT),
+ SNMP_MIB_ITEM("TCPDSACKRecv", LINUX_MIB_TCPDSACKRECV),
+ SNMP_MIB_ITEM("TCPDSACKOfoRecv", LINUX_MIB_TCPDSACKOFORECV),
+- SNMP_MIB_ITEM("TCPAbortOnSyn", LINUX_MIB_TCPABORTONSYN),
+ SNMP_MIB_ITEM("TCPAbortOnData", LINUX_MIB_TCPABORTONDATA),
+ SNMP_MIB_ITEM("TCPAbortOnClose", LINUX_MIB_TCPABORTONCLOSE),
+ SNMP_MIB_ITEM("TCPAbortOnMemory", LINUX_MIB_TCPABORTONMEMORY),
+@@ -249,6 +248,8 @@ static const struct snmp_mib snmp4_net_list[] = {
+ SNMP_MIB_ITEM("TCPSackShifted", LINUX_MIB_SACKSHIFTED),
+ SNMP_MIB_ITEM("TCPSackMerged", LINUX_MIB_SACKMERGED),
+ SNMP_MIB_ITEM("TCPSackShiftFallback", LINUX_MIB_SACKSHIFTFALLBACK),
++ SNMP_MIB_ITEM("TCPChallengeACK", LINUX_MIB_TCPCHALLENGEACK),
++ SNMP_MIB_ITEM("TCPSYNChallenge", LINUX_MIB_TCPSYNCHALLENGE),
+ SNMP_MIB_SENTINEL
+ };
+
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index ab996f9..3da5f96 100644
--- a/net/ipv4/raw.c
@@ -113017,6 +113181,24 @@ index 58f141b..b759702 100644
(int) ((num_physpages ^ (num_physpages>>8)) ^
(jiffies ^ (jiffies >> 7))));
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 2dcf04d..4656638 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -638,6 +638,13 @@ static struct ctl_table ipv4_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_dointvec
+ },
++ {
++ .procname = "tcp_challenge_ack_limit",
++ .data = &sysctl_tcp_challenge_ack_limit,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec
++ },
+ #ifdef CONFIG_NET_DMA
+ {
+ .ctl_name = NET_TCP_DMA_COPYBREAK,
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index b9644d8..537313b 100644
--- a/net/ipv4/tcp.c
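Review bot: The `tcp_challenge_ack_limit` entry at L473–L479 is registered with `proc_dointvec`, so any int including a negative value can be written; its consumer in tcp_input.c (`++challenge_count <= sysctl_tcp_challenge_ack_limit`, L521) compares an `unsigned int` against it, and a negative limit converts to a huge unsigned value that switches the throttle off. `.proc_handler = proc_dointvec_minmax` with `.extra1 = &zero` (the file's existing zero bound if it has one, otherwise a local `static int zero;`) pins the range to non-negative. The neighbouring entry at L482 also carries a `.ctl_name`; whether this tree's sysctl table checks accept an entry without one is not visible here and worth confirming.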
@@ -113061,10 +113243,61 @@ index 1eba160b..c35d91f 100644
}
}
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index db755c4..04481e4 100644
+index db755c4..fbca78e 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
-@@ -4528,7 +4528,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
+@@ -82,6 +82,9 @@ int sysctl_tcp_dsack __read_mostly = 1;
+ int sysctl_tcp_app_win __read_mostly = 31;
+ int sysctl_tcp_adv_win_scale __read_mostly = 2;
+
++/* rfc5961 challenge ack rate limiting */
++int sysctl_tcp_challenge_ack_limit = 100;
++
+ int sysctl_tcp_stdurg __read_mostly;
+ int sysctl_tcp_rfc1337 __read_mostly;
+ int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
+@@ -3564,6 +3567,24 @@ static int tcp_process_frto(struct sock *sk, int flag)
+ return 0;
+ }
+
++/* RFC 5961 7 [ACK Throttling] */
++static void tcp_send_challenge_ack(struct sock *sk)
++{
++ /* unprotected vars, we dont care of overwrites */
++ static u32 challenge_timestamp;
++ static unsigned int challenge_count;
++ u32 now = jiffies / HZ;
++
++ if (now != challenge_timestamp) {
++ challenge_timestamp = now;
++ challenge_count = 0;
++ }
++ if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
++ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
++ tcp_send_ack(sk);
++ }
++}
++
+ /* This routine deals with incoming acks, but not outgoing ones. */
+ static int tcp_ack(struct sock *sk, struct sk_buff *skb, int flag)
+ {
+@@ -3580,8 +3601,14 @@ static int tcp_ack(struct sock *sk, struct sk_buff *skb, int flag)
+ /* If the ack is older than previous acks
+ * then we can probably ignore it.
+ */
+- if (before(ack, prior_snd_una))
++ if (before(ack, prior_snd_una)) {
++ /* RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation] */
++ if (before(ack, prior_snd_una - tp->max_window)) {
++ tcp_send_challenge_ack(sk);
++ return -1;
++ }
+ goto old_ack;
++ }
+
+ /* If the ack includes data we haven't sent yet, discard
+ * this segment (RFC793 Section 3.9).
+@@ -4528,7 +4555,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
* simplifies code)
*/
static void
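Review bot: tcp_send_challenge_ack() at L510–L525 throttles with a single `static` timestamp and counter shared by every socket, and the comment at L512 only says the races on them are tolerated; the property worth documenting is that the budget is global, so whether one connection gets a challenge ACK depends on traffic on unrelated connections, which makes the limit observable shared state rather than a per-connection one (upstream later made this counter less predictable for that reason). A comment such as `/* global per-second budget shared by all sockets; intentionally lossy */` above the statics would state that. `++challenge_count <= sysctl_tcp_challenge_ack_limit` at L521 mixes unsigned and int, so a negative sysctl value disables throttling altogether; see the sysctl hunk at L462–L485 for the range fix. The new early return in tcp_ack at L537–L540 is consistent with RFC 5961 5.2 as cited.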
@@ -113073,7 +113306,105 @@ index db755c4..04481e4 100644
struct sk_buff *head, struct sk_buff *tail,
u32 start, u32 end)
{
-@@ -5634,7 +5634,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+@@ -5069,8 +5096,8 @@ out:
+ /* Does PAWS and seqno based validation of an incoming segment, flags will
+ * play significant role here.
+ */
+-static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
+- struct tcphdr *th, int syn_inerr)
++static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
++ const struct tcphdr *th, int syn_inerr)
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
+
+@@ -5100,7 +5127,16 @@ static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
+
+ /* Step 2: check RST bit */
+ if (th->rst) {
+- tcp_reset(sk);
++ /* RFC 5961 3.2 :
++ * If sequence number exactly matches RCV.NXT, then
++ * RESET the connection
++ * else
++ * Send a challenge ACK
++ */
++ if (TCP_SKB_CB(skb)->seq == tp->rcv_nxt)
++ tcp_reset(sk);
++ else
++ tcp_send_challenge_ack(sk);
+ goto discard;
+ }
+
+@@ -5111,20 +5147,22 @@ static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
+
+ /* step 3: check security and precedence [ignored] */
+
+- /* step 4: Check for a SYN in window. */
+- if (th->syn && !before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt)) {
++ /* step 4: Check for a SYN
++ * RFC 5691 4.2 : Send a challenge ack
++ */
++ if (th->syn) {
+ if (syn_inerr)
+ TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_INERRS);
+- NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPABORTONSYN);
+- tcp_reset(sk);
+- return -1;
++ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPSYNCHALLENGE);
++ tcp_send_challenge_ack(sk);
++ goto discard;
+ }
+
+- return 1;
++ return true;
+
+ discard:
+ __kfree_skb(skb);
+- return 0;
++ return false;
+ }
+
+ /*
+@@ -5154,7 +5192,6 @@ int tcp_rcv_established(struct sock *sk, struct sk_buff *skb,
+ struct tcphdr *th, unsigned len)
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
+- int res;
+
+ /*
+ * Header prediction.
+@@ -5330,16 +5367,18 @@ slow_path:
+ if (len < (th->doff << 2) || tcp_checksum_complete_user(sk, skb))
+ goto csum_error;
+
++ if (!th->ack)
++ goto discard;
++
+ /*
+ * Standard slow path.
+ */
+
+- res = tcp_validate_incoming(sk, skb, th, 1);
+- if (res <= 0)
+- return -res;
++ if (!tcp_validate_incoming(sk, skb, th, 1))
++ return 0;
+
+ step5:
+- if (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
++ if (tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
+ goto discard;
+
+ tcp_rcv_rtt_measure_ts(sk, skb);
+@@ -5618,7 +5657,6 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ int queued = 0;
+- int res;
+
+ tp->rx_opt.saw_tstamp = 0;
+
+@@ -5634,7 +5672,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
goto discard;
if (th->syn) {
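Review bot: The `if (!th->ack) goto discard;` added at L626–L627 runs before tcp_validate_incoming() and so before the RST check at L569, which means a RST segment carrying no ACK flag is now silently dropped instead of resetting the connection; a reset sent in reply to a segment that itself had ACK set carries only SEQ and RST (RFC 793 section 3.4), which is the usual shape in ESTABLISHED, so peers could lose the ability to tear a connection down. Exempting resets, `if (!th->ack && !th->rst) goto discard;`, restores the old behaviour, and the copy at L667–L668 in tcp_rcv_state_process (next hunk) needs the same. This follows from the visible order of checks; if this tree handles ACK-less resets somewhere earlier in the receive path, disregard. tcp_rcv_established and tcp_validate_incoming both continue outside the hunk.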
@@ -113082,6 +113413,35 @@ index db755c4..04481e4 100644
goto discard;
if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
return 1;
+@@ -5673,12 +5711,14 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ return 0;
+ }
+
+- res = tcp_validate_incoming(sk, skb, th, 0);
+- if (res <= 0)
+- return -res;
++ if (!th->ack)
++ goto discard;
++
++ if (!tcp_validate_incoming(sk, skb, th, 0))
++ return 0;
+
+ /* step 5: check the ACK field */
+- if (th->ack) {
++ if (true) {
+ int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH) > 0;
+
+ switch (sk->sk_state) {
+@@ -5789,8 +5829,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ }
+ break;
+ }
+- } else
+- goto discard;
++ }
+
+ /* step 6: check the URG bit */
+ tcp_urg(sk, skb, th);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 6a4e832..7eb316b 100644
--- a/net/ipv4/tcp_ipv4.c
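Review bot: `if (true) {` at L675 is what is left after `if (th->ack)` was replaced; an always-true conditional wrapping a large block is a style wart that every later reader has to reason about. Either remove the conditional and de-indent the block, or keep the braces with a comment explaining why, `/* step 5: check the ACK field -- always set here, see the !th->ack test above */`. The removed `else goto discard` at L683–L684 is the matching half of that edit. tcp_rcv_state_process's body runs on both sides of the hunk.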
diff --git a/3.2.35/0000_README b/3.2.35/0000_README
index 293283e..a99f868 100644
--- a/3.2.35/0000_README
+++ b/3.2.35/0000_README
@@ -58,10 +58,14 @@ Patch: 1034_linux-3.2.35.patch
From: http://www.kernel.org
Desc: Linux 3.2.35
-Patch: 4420_grsecurity-2.9.1-3.2.35-201212151420.patch
+Patch: 4420_grsecurity-2.9.1-3.2.35-201212271951.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
+Patch: 4425_grsec_remove_EI_PAX.patch
+From: Anthony G. Basile <blueness@gentoo.org>
+Desc: Remove EI_PAX option and force off
+
Patch: 4430_grsec-remove-localversion-grsec.patch
From: Kerin Millar <kerframil@gmail.com>
Desc: Removes grsecurity's localversion-grsec file
diff --git a/3.2.35/4420_grsecurity-2.9.1-3.2.35-201212151420.patch b/3.2.35/4420_grsecurity-2.9.1-3.2.35-201212271951.patch
index 865521c..7f795bd 100644
--- a/3.2.35/4420_grsecurity-2.9.1-3.2.35-201212151420.patch
+++ b/3.2.35/4420_grsecurity-2.9.1-3.2.35-201212271951.patch
@@ -221,6 +221,22 @@ index 81c287f..8c5ad74 100644
pcbit= [HW,ISDN]
pcd. [PARIDE]
+diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
+index a4399f5..3b979c6 100644
+--- a/Documentation/networking/ip-sysctl.txt
++++ b/Documentation/networking/ip-sysctl.txt
+@@ -524,6 +524,11 @@ tcp_thin_dupack - BOOLEAN
+ Documentation/networking/tcp-thin.txt
+ Default: 0
+
++tcp_challenge_ack_limit - INTEGER
++ Limits number of Challenge ACK sent per second, as recommended
++ in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks)
++ Default: 100
++
+ UDP variables:
+
+ udp_mem - vector of 3 INTEGERs: min, pressure, max
diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt
index 88fd7f5..b318a78 100644
--- a/Documentation/sysctl/fs.txt
@@ -30430,7 +30446,7 @@ index da3cfee..a5a6606 100644
*ppos = i;
diff --git a/drivers/char/random.c b/drivers/char/random.c
-index 8ae9235..1f76227 100644
+index 8ae9235..0cbaf55 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -269,8 +269,13 @@
@@ -30465,7 +30481,15 @@ index 8ae9235..1f76227 100644
#if 0
/* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
{ 2048, 1638, 1231, 819, 411, 1 },
-@@ -524,8 +536,8 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
+@@ -434,6 +446,7 @@ struct entropy_store {
+ int entropy_count;
+ int entropy_total;
+ unsigned int initialized:1;
++ bool last_data_init;
+ __u8 last_data[EXTRACT_SIZE];
+ };
+
+@@ -524,8 +537,8 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
input_rotate += i ? 7 : 14;
}
@@ -30476,7 +30500,7 @@ index 8ae9235..1f76227 100644
smp_wmb();
if (out)
-@@ -821,6 +833,17 @@ void add_disk_randomness(struct gendisk *disk)
+@@ -821,6 +834,17 @@ void add_disk_randomness(struct gendisk *disk)
}
#endif
@@ -30494,7 +30518,36 @@ index 8ae9235..1f76227 100644
/*********************************************************************
*
* Entropy extraction routines
-@@ -1028,7 +1051,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+@@ -979,6 +1003,10 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ ssize_t ret = 0, i;
+ __u8 tmp[EXTRACT_SIZE];
+
++ /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
++ if (fips_enabled && !r->last_data_init)
++ nbytes += EXTRACT_SIZE;
++
+ xfer_secondary_pool(r, nbytes);
+ nbytes = account(r, nbytes, min, reserved);
+
+@@ -988,6 +1016,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ if (fips_enabled) {
+ unsigned long flags;
+
++
++ /* prime last_data value if need be, per fips 140-2 */
++ if (!r->last_data_init) {
++ spin_lock_irqsave(&r->lock, flags);
++ memcpy(r->last_data, tmp, EXTRACT_SIZE);
++ r->last_data_init = true;
++ nbytes -= EXTRACT_SIZE;
++ spin_unlock_irqrestore(&r->lock, flags);
++ extract_buf(r, tmp);
++ }
++
+ spin_lock_irqsave(&r->lock, flags);
+ if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
+ panic("Hardware RNG duplicated output!\n");
+@@ -1028,7 +1067,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
extract_buf(r, tmp);
i = min_t(int, nbytes, EXTRACT_SIZE);
@@ -30503,7 +30556,15 @@ index 8ae9235..1f76227 100644
ret = -EFAULT;
break;
}
-@@ -1379,7 +1402,7 @@ EXPORT_SYMBOL(generate_random_uuid);
+@@ -1105,6 +1144,7 @@ static void init_std_data(struct entropy_store *r)
+
+ r->entropy_count = 0;
+ r->entropy_total = 0;
++ r->last_data_init = false;
+ mix_pool_bytes(r, &now, sizeof(now), NULL);
+ for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) {
+ if (!arch_get_random_long(&rv))
+@@ -1379,7 +1419,7 @@ EXPORT_SYMBOL(generate_random_uuid);
#include <linux/sysctl.h>
static int min_read_thresh = 8, min_write_thresh;
@@ -43589,7 +43650,7 @@ index b8f55c4..4c2b80c 100644
goto out_sig;
if (offset > inode->i_sb->s_maxbytes)
diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c
-index e1fbdee..87eb5fc 100644
+index e1fbdee..69291a4 100644
--- a/fs/autofs4/waitq.c
+++ b/fs/autofs4/waitq.c
@@ -60,7 +60,7 @@ static int autofs4_write(struct file *file, const void *addr, int bytes)
@@ -43618,7 +43679,7 @@ index e1fbdee..87eb5fc 100644
if (IS_ROOT(dentry) && autofs_type_trigger(sbi->type))
+#ifdef CONFIG_GRKERNSEC_HIDESYM
+ /* this name does get written to userland via autofs4_write() */
-+ qstr.len = sprintf(name, "%08lx", atomic_inc_return_unchecked(&autofs_dummy_name_id));
++ qstr.len = sprintf(name, "%08x", atomic_inc_return_unchecked(&autofs_dummy_name_id));
+#else
qstr.len = sprintf(name, "%p", dentry);
+#endif
@@ -46631,6 +46692,18 @@ index 8cb184c..09ff6c4 100644
atomic_t s_lock_busy;
/* locality groups */
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index bac2330..8424dda 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1422,6 +1422,7 @@ static void ext4_da_block_invalidatepages(struct mpage_da_data *mpd)
+
+ index = mpd->first_page;
+ end = mpd->next_page - 1;
++ pagevec_init(&pvec, 0);
+ while (index <= end) {
+ nr_pages = pagevec_lookup(&pvec, mapping, index, PAGEVEC_SIZE);
+ if (nr_pages == 0)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 1d07c12..9965aec 100644
--- a/fs/ext4/mballoc.c
@@ -46748,6 +46821,18 @@ index 1d07c12..9965aec 100644
trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
return 0;
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index f8d5fce..c411c11 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3163,7 +3163,6 @@ int ext4_calculate_overhead(struct super_block *sb)
+ ext4_fsblk_t overhead = 0;
+ char *buf = (char *) get_zeroed_page(GFP_KERNEL);
+
+- memset(buf, 0, PAGE_SIZE);
+ if (!buf)
+ return -ENOMEM;
+
diff --git a/fs/fcntl.c b/fs/fcntl.c
index 22764c7..86372c9 100644
--- a/fs/fcntl.c
@@ -51213,6 +51298,19 @@ index d67908b..d13f6a6 100644
&quota_genl_family, 0, QUOTA_NL_C_WARNING);
if (!msg_head) {
printk(KERN_ERR
+diff --git a/fs/read_write.c b/fs/read_write.c
+index 5ad4248..492b277 100644
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -956,6 +956,8 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
+ if (retval > 0) {
+ add_rchar(current, retval);
+ add_wchar(current, retval);
++ fsnotify_access(in_file);
++ fsnotify_modify(out_file);
+ }
+
+ inc_syscr(current);
diff --git a/fs/readdir.c b/fs/readdir.c
index 356f715..c918d38 100644
--- a/fs/readdir.c
@@ -51873,7 +51971,7 @@ index 87323f1..dab9d00 100644
ip = issum ? mp->m_rsumip : mp->m_rbmip;
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..b0d5e22
+index 0000000..70183d8
--- /dev/null
+++ b/grsecurity/Kconfig
@@ -0,0 +1,964 @@
@@ -52542,7 +52640,7 @@ index 0000000..b0d5e22
+ default y if GRKERNSEC_CONFIG_AUTO
+ help
+ If you say Y here, non-root users will not be able to use dmesg(8)
-+ to view up to the last 4kb of messages in the kernel's log buffer.
++ to view the contents of the kernel's circular log buffer.
+ The kernel's log buffer often contains kernel addresses and other
+ identifying information useful to an attacker in fingerprinting a
+ system for a targeted exploit.
@@ -65365,6 +65463,34 @@ index 4633b2f..988bc08 100644
atomic_t reorder_objects;
atomic_t refcnt;
unsigned int max_seq_nr;
+diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h
+index e90a673..8d9b903 100644
+--- a/include/linux/page-flags.h
++++ b/include/linux/page-flags.h
+@@ -360,7 +360,7 @@ static inline void ClearPageCompound(struct page *page)
+ * pages on the LRU and/or pagecache.
+ */
+ TESTPAGEFLAG(Compound, compound)
+-__PAGEFLAG(Head, compound)
++__SETPAGEFLAG(Head, compound) __CLEARPAGEFLAG(Head, compound)
+
+ /*
+ * PG_reclaim is used in combination with PG_compound to mark the
+@@ -372,8 +372,14 @@ __PAGEFLAG(Head, compound)
+ * PG_compound & PG_reclaim => Tail page
+ * PG_compound & ~PG_reclaim => Head page
+ */
++#define PG_head_mask ((1L << PG_compound))
+ #define PG_head_tail_mask ((1L << PG_compound) | (1L << PG_reclaim))
+
++static inline int PageHead(struct page *page)
++{
++ return ((page->flags & PG_head_tail_mask) == PG_head_mask);
++}
++
+ static inline int PageTail(struct page *page)
+ {
+ return ((page->flags & PG_head_tail_mask) == PG_head_tail_mask);
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
index b669be6..8335421 100644
--- a/include/linux/perf_event.h
@@ -66329,6 +66455,27 @@ index a32bcfd..c3991fb 100644
static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
{
if (__builtin_constant_p(size) &&
+diff --git a/include/linux/snmp.h b/include/linux/snmp.h
+index e16557a..64f5ca7 100644
+--- a/include/linux/snmp.h
++++ b/include/linux/snmp.h
+@@ -209,7 +209,6 @@ enum
+ LINUX_MIB_TCPDSACKOFOSENT, /* TCPDSACKOfoSent */
+ LINUX_MIB_TCPDSACKRECV, /* TCPDSACKRecv */
+ LINUX_MIB_TCPDSACKOFORECV, /* TCPDSACKOfoRecv */
+- LINUX_MIB_TCPABORTONSYN, /* TCPAbortOnSyn */
+ LINUX_MIB_TCPABORTONDATA, /* TCPAbortOnData */
+ LINUX_MIB_TCPABORTONCLOSE, /* TCPAbortOnClose */
+ LINUX_MIB_TCPABORTONMEMORY, /* TCPAbortOnMemory */
+@@ -233,6 +232,8 @@ enum
+ LINUX_MIB_TCPTIMEWAITOVERFLOW, /* TCPTimeWaitOverflow */
+ LINUX_MIB_TCPREQQFULLDOCOOKIES, /* TCPReqQFullDoCookies */
+ LINUX_MIB_TCPREQQFULLDROP, /* TCPReqQFullDrop */
++ LINUX_MIB_TCPCHALLENGEACK, /* TCPChallengeACK */
++ LINUX_MIB_TCPSYNCHALLENGE, /* TCPSYNChallenge */
+ __LINUX_MIB_MAX
+ };
+
diff --git a/include/linux/sonet.h b/include/linux/sonet.h
index de8832d..0147b46 100644
--- a/include/linux/sonet.h
@@ -67144,10 +67291,18 @@ index ddf523c..1f06685 100644
static inline struct page *sk_stream_alloc_page(struct sock *sk)
{
diff --git a/include/net/tcp.h b/include/net/tcp.h
-index bb18c4d..27c458f 100644
+index bb18c4d..3a158c4 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
-@@ -469,7 +469,7 @@ extern void tcp_retransmit_timer(struct sock *sk);
+@@ -251,6 +251,7 @@ extern int sysctl_tcp_max_ssthresh;
+ extern int sysctl_tcp_cookie_size;
+ extern int sysctl_tcp_thin_linear_timeouts;
+ extern int sysctl_tcp_thin_dupack;
++extern int sysctl_tcp_challenge_ack_limit;
+
+ extern atomic_long_t tcp_memory_allocated;
+ extern struct percpu_counter tcp_sockets_allocated;
+@@ -469,7 +470,7 @@ extern void tcp_retransmit_timer(struct sock *sk);
extern void tcp_xmit_retransmit_queue(struct sock *);
extern void tcp_simple_retransmit(struct sock *);
extern int tcp_trim_head(struct sock *, struct sk_buff *, u32);
@@ -67156,7 +67311,7 @@ index bb18c4d..27c458f 100644
extern void tcp_send_probe0(struct sock *);
extern void tcp_send_partial(struct sock *);
-@@ -632,8 +632,8 @@ struct tcp_skb_cb {
+@@ -632,8 +633,8 @@ struct tcp_skb_cb {
struct inet6_skb_parm h6;
#endif
} header; /* For incoming frames */
@@ -67167,7 +67322,7 @@ index bb18c4d..27c458f 100644
__u32 when; /* used to compute rtt's */
__u8 tcp_flags; /* TCP header flags. (tcp[13]) */
__u8 sacked; /* State flags for SACK/FACK. */
-@@ -646,7 +646,7 @@ struct tcp_skb_cb {
+@@ -646,7 +647,7 @@ struct tcp_skb_cb {
#define TCPCB_EVER_RETRANS 0x80 /* Ever retransmitted frame */
#define TCPCB_RETRANS (TCPCB_SACKED_RETRANS|TCPCB_EVER_RETRANS)
@@ -67176,7 +67331,7 @@ index bb18c4d..27c458f 100644
};
#define TCP_SKB_CB(__skb) ((struct tcp_skb_cb *)&((__skb)->cb[0]))
-@@ -1409,7 +1409,7 @@ struct tcp_seq_afinfo {
+@@ -1409,7 +1410,7 @@ struct tcp_seq_afinfo {
char *name;
sa_family_t family;
const struct file_operations *seq_fops;
@@ -70752,10 +70907,10 @@ index fa5f722..0c93e57 100644
{
struct pid *pid;
diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c
-index e7cb76d..75eceb3 100644
+index e7cb76d..f396a93 100644
--- a/kernel/posix-cpu-timers.c
+++ b/kernel/posix-cpu-timers.c
-@@ -6,6 +6,7 @@
+@@ -6,9 +6,11 @@
#include <linux/posix-timers.h>
#include <linux/errno.h>
#include <linux/math64.h>
@@ -70763,7 +70918,20 @@ index e7cb76d..75eceb3 100644
#include <asm/uaccess.h>
#include <linux/kernel_stat.h>
#include <trace/events/timer.h>
-@@ -1606,14 +1607,14 @@ struct k_clock clock_posix_cpu = {
++#include <linux/random.h>
+
+ /*
+ * Called after updating RLIMIT_CPU to run cpu timer and update
+@@ -511,6 +513,8 @@ static void cleanup_timers(struct list_head *head,
+ */
+ void posix_cpu_timers_exit(struct task_struct *tsk)
+ {
++ add_device_randomness((const void*) &tsk->se.sum_exec_runtime,
++ sizeof(unsigned long long));
+ cleanup_timers(tsk->cpu_timers,
+ tsk->utime, tsk->stime, tsk->se.sum_exec_runtime);
+
+@@ -1606,14 +1610,14 @@ struct k_clock clock_posix_cpu = {
static __init int init_posix_cpu_timers(void)
{
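Review bot: The length argument of the added `add_device_randomness()` call is spelled `sizeof(unsigned long long)` and the address is cast to `const void*`; tying the size to the field keeps the two from drifting apart if `se.sum_exec_runtime` ever changes type, and the cast is implicit for a `const void *` parameter, so `add_device_randomness(&tsk->se.sum_exec_runtime, sizeof(tsk->se.sum_exec_runtime));` says the same thing more robustly. The identical call is added in the 3.7.1 patch's kernel/posix-cpu-timers.c hunk. The rest of posix_cpu_timers_exit() lies outside the hunk.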
@@ -79824,6 +79992,27 @@ index 43d4c3b..1914409 100644
}
static int ping_seq_show(struct seq_file *seq, void *v)
+diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
+index 466ea8b..f7fdbe9 100644
+--- a/net/ipv4/proc.c
++++ b/net/ipv4/proc.c
+@@ -233,7 +233,6 @@ static const struct snmp_mib snmp4_net_list[] = {
+ SNMP_MIB_ITEM("TCPDSACKOfoSent", LINUX_MIB_TCPDSACKOFOSENT),
+ SNMP_MIB_ITEM("TCPDSACKRecv", LINUX_MIB_TCPDSACKRECV),
+ SNMP_MIB_ITEM("TCPDSACKOfoRecv", LINUX_MIB_TCPDSACKOFORECV),
+- SNMP_MIB_ITEM("TCPAbortOnSyn", LINUX_MIB_TCPABORTONSYN),
+ SNMP_MIB_ITEM("TCPAbortOnData", LINUX_MIB_TCPABORTONDATA),
+ SNMP_MIB_ITEM("TCPAbortOnClose", LINUX_MIB_TCPABORTONCLOSE),
+ SNMP_MIB_ITEM("TCPAbortOnMemory", LINUX_MIB_TCPABORTONMEMORY),
+@@ -257,6 +256,8 @@ static const struct snmp_mib snmp4_net_list[] = {
+ SNMP_MIB_ITEM("TCPTimeWaitOverflow", LINUX_MIB_TCPTIMEWAITOVERFLOW),
+ SNMP_MIB_ITEM("TCPReqQFullDoCookies", LINUX_MIB_TCPREQQFULLDOCOOKIES),
+ SNMP_MIB_ITEM("TCPReqQFullDrop", LINUX_MIB_TCPREQQFULLDROP),
++ SNMP_MIB_ITEM("TCPChallengeACK", LINUX_MIB_TCPCHALLENGEACK),
++ SNMP_MIB_ITEM("TCPSYNChallenge", LINUX_MIB_TCPSYNCHALLENGE),
+ SNMP_MIB_SENTINEL
+ };
+
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index e1d4f30..d7a97b3 100644
--- a/net/ipv4/raw.c
@@ -79916,11 +80105,80 @@ index 94cdbc5..0cb0063 100644
if (peer->tcp_ts_stamp) {
ts = peer->tcp_ts;
tsage = get_seconds() - peer->tcp_ts_stamp;
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 69fd720..5485077 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -552,6 +552,13 @@ static struct ctl_table ipv4_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_dointvec
+ },
++ {
++ .procname = "tcp_challenge_ack_limit",
++ .data = &sysctl_tcp_challenge_ack_limit,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec
++ },
+ #ifdef CONFIG_NET_DMA
+ {
+ .procname = "tcp_dma_copybreak",
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index a08a621..a1ca37e 100644
+index a08a621..92b6be7 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
-@@ -4700,7 +4700,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
+@@ -86,6 +86,9 @@ int sysctl_tcp_app_win __read_mostly = 31;
+ int sysctl_tcp_adv_win_scale __read_mostly = 1;
+ EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
+
++/* rfc5961 challenge ack rate limiting */
++int sysctl_tcp_challenge_ack_limit = 100;
++
+ int sysctl_tcp_stdurg __read_mostly;
+ int sysctl_tcp_rfc1337 __read_mostly;
+ int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
+@@ -3700,6 +3703,24 @@ static int tcp_process_frto(struct sock *sk, int flag)
+ return 0;
+ }
+
++/* RFC 5961 7 [ACK Throttling] */
++static void tcp_send_challenge_ack(struct sock *sk)
++{
++ /* unprotected vars, we dont care of overwrites */
++ static u32 challenge_timestamp;
++ static unsigned int challenge_count;
++ u32 now = jiffies / HZ;
++
++ if (now != challenge_timestamp) {
++ challenge_timestamp = now;
++ challenge_count = 0;
++ }
++ if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
++ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
++ tcp_send_ack(sk);
++ }
++}
++
+ /* This routine deals with incoming acks, but not outgoing ones. */
+ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
+ {
+@@ -3718,8 +3739,14 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
+ /* If the ack is older than previous acks
+ * then we can probably ignore it.
+ */
+- if (before(ack, prior_snd_una))
++ if (before(ack, prior_snd_una)) {
++ /* RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation] */
++ if (before(ack, prior_snd_una - tp->max_window)) {
++ tcp_send_challenge_ack(sk);
++ return -1;
++ }
+ goto old_ack;
++ }
+
+ /* If the ack includes data we haven't sent yet, discard
+ * this segment (RFC793 Section 3.9).
+@@ -4700,7 +4727,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
* simplifies code)
*/
static void
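Review bot: `tcp_send_challenge_ack()` keeps a single static `challenge_count`/`challenge_timestamp` pair for the whole host, so the per-second budget set by `tcp_challenge_ack_limit` is host-wide state shared by every connection rather than a per-flow limit, and its exact value is fixed by the sysctl; a defensive option is to jitter the per-second budget when `challenge_timestamp` rolls over (for instance half the sysctl value plus a random share of it, drawn with the random32() this kernel provides — verify availability) or to account per socket. Separately, the new `ipv4_table` entry uses `proc_dointvec` with no range while the comparison `++challenge_count <= sysctl_tcp_challenge_ack_limit` mixes `unsigned int` with `int`, so a negative limit is promoted to a large unsigned value and disables the throttle instead of forbidding challenge ACKs; `proc_dointvec_minmax` with a zero lower bound would pin that down. The comment `/* unprotected vars, we dont care of overwrites */` documents only the race on the counter, not that the counter is shared across sockets, and could say so.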
@@ -79929,7 +80187,105 @@ index a08a621..a1ca37e 100644
struct sk_buff *head, struct sk_buff *tail,
u32 start, u32 end)
{
-@@ -5838,7 +5838,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+@@ -5243,8 +5270,8 @@ out:
+ /* Does PAWS and seqno based validation of an incoming segment, flags will
+ * play significant role here.
+ */
+-static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
+- const struct tcphdr *th, int syn_inerr)
++static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
++ const struct tcphdr *th, int syn_inerr)
+ {
+ const u8 *hash_location;
+ struct tcp_sock *tp = tcp_sk(sk);
+@@ -5276,7 +5303,16 @@ static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
+
+ /* Step 2: check RST bit */
+ if (th->rst) {
+- tcp_reset(sk);
++ /* RFC 5961 3.2 :
++ * If sequence number exactly matches RCV.NXT, then
++ * RESET the connection
++ * else
++ * Send a challenge ACK
++ */
++ if (TCP_SKB_CB(skb)->seq == tp->rcv_nxt)
++ tcp_reset(sk);
++ else
++ tcp_send_challenge_ack(sk);
+ goto discard;
+ }
+
+@@ -5287,20 +5323,22 @@ static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
+
+ /* step 3: check security and precedence [ignored] */
+
+- /* step 4: Check for a SYN in window. */
+- if (th->syn && !before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt)) {
++ /* step 4: Check for a SYN
++ * RFC 5691 4.2 : Send a challenge ack
++ */
++ if (th->syn) {
+ if (syn_inerr)
+ TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_INERRS);
+- NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPABORTONSYN);
+- tcp_reset(sk);
+- return -1;
++ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPSYNCHALLENGE);
++ tcp_send_challenge_ack(sk);
++ goto discard;
+ }
+
+- return 1;
++ return true;
+
+ discard:
+ __kfree_skb(skb);
+- return 0;
++ return false;
+ }
+
+ /*
+@@ -5330,7 +5368,6 @@ int tcp_rcv_established(struct sock *sk, struct sk_buff *skb,
+ const struct tcphdr *th, unsigned int len)
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
+- int res;
+
+ /*
+ * Header prediction.
+@@ -5506,16 +5543,18 @@ slow_path:
+ if (len < (th->doff << 2) || tcp_checksum_complete_user(sk, skb))
+ goto csum_error;
+
++ if (!th->ack)
++ goto discard;
++
+ /*
+ * Standard slow path.
+ */
+
+- res = tcp_validate_incoming(sk, skb, th, 1);
+- if (res <= 0)
+- return -res;
++ if (!tcp_validate_incoming(sk, skb, th, 1))
++ return 0;
+
+ step5:
+- if (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
++ if (tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
+ goto discard;
+
+ tcp_rcv_rtt_measure_ts(sk, skb);
+@@ -5822,7 +5861,6 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ int queued = 0;
+- int res;
+
+ tp->rx_opt.saw_tstamp = 0;
+
+@@ -5838,7 +5876,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
goto discard;
if (th->syn) {
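Review bot: The added `if (!th->ack) goto discard;` in the slow path of tcp_rcv_established() now runs before tcp_validate_incoming(), whose step 2 is where the RST bit (and the new RFC 5961 3.2 sequence check) is handled; a RST that carries no ACK flag — which RFC 793 permits, and is what a peer that has lost its state sends in reply to an ACK-bearing segment — is therefore discarded and the connection is never reset. The guard should let RSTs through, `if (!th->ack && !th->rst) goto discard;`, and the same applies to the copy added in tcp_rcv_state_process() in the next hunk and to the two copies in the 3.7.1 patch's net/ipv4/tcp_input.c hunk. Both enclosing functions begin and end outside the hunk.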
@@ -79938,6 +80294,35 @@ index a08a621..a1ca37e 100644
goto discard;
if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
return 1;
+@@ -5877,12 +5915,14 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ return 0;
+ }
+
+- res = tcp_validate_incoming(sk, skb, th, 0);
+- if (res <= 0)
+- return -res;
++ if (!th->ack)
++ goto discard;
++
++ if (!tcp_validate_incoming(sk, skb, th, 0))
++ return 0;
+
+ /* step 5: check the ACK field */
+- if (th->ack) {
++ if (true) {
+ int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH) > 0;
+
+ switch (sk->sk_state) {
+@@ -5987,8 +6027,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ }
+ break;
+ }
+- } else
+- goto discard;
++ }
+
+ /* step 6: check the URG bit */
+ tcp_urg(sk, skb, th);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 58c09a0..b62df0b 100644
--- a/net/ipv4/tcp_ipv4.c
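Review bot: `if (th->ack) {` is rewritten as `if (true) {` with its `} else goto discard;` removed, leaving a conditional that can never be false around the whole step-5 block; since the ACK flag is now guaranteed by the `if (!th->ack) goto discard;` added just above, the block could be dedented and the `if (true)` dropped, or at least carry a comment such as `/* th->ack is guaranteed by the check above tcp_validate_incoming() */`. The 3.7.1 patch's tcp_input.c hunk makes the same change. tcp_rcv_state_process() begins and ends outside the hunk.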
diff --git a/3.2.35/4425_grsec_remove_EI_PAX.patch b/3.2.35/4425_grsec_remove_EI_PAX.patch
new file mode 100644
index 0000000..97e6951
--- /dev/null
+++ b/3.2.35/4425_grsec_remove_EI_PAX.patch
@@ -0,0 +1,19 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+Deprecate EI_PAX.
+
+X-Gentoo-Bug: 445600
+X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600
+
+diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig
+--- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500
++++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500
+@@ -263,7 +263,7 @@
+
+ config PAX_EI_PAX
+ bool 'Use legacy ELF header marking'
+- default y if GRKERNSEC_CONFIG_AUTO
++ depends on BROKEN
+ help
+ Enabling this option will allow you to control PaX features on
+ a per executable basis via the 'chpax' utility available at
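Review bot: The diff header inside this new patch names a `linux-3.7.1-hardened` tree although the file is added under `3.2.35/`; with `-p1` the prefix is stripped so it will still apply, but the `@@ -263,7 +263,7 @@` offset and the context lines should be verified against 3.2.35's security/Kconfig rather than the 3.7.1 one. The description line `Deprecate EI_PAX.` understates the effect: `depends on BROKEN` removes the prompt entirely and forces PAX_EI_PAX off, which is what the 3.7.1 README entry in this commit says (`Remove EI_PAX option and force off`); aligning the two wordings would help whoever next reads the patch.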
diff --git a/3.7.1/0000_README b/3.7.1/0000_README
index 84caa16..a6b83fa 100644
--- a/3.7.1/0000_README
+++ b/3.7.1/0000_README
@@ -2,10 +2,14 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.7.1-201212171734.patch
+Patch: 4420_grsecurity-2.9.1-3.7.1-201212271953.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
+Patch: 4425_grsec_remove_EI_PAX.patch
+From: Anthony G. Basile <blueness@gentoo.org>
+Desc: Remove EI_PAX option and force off
+
Patch: 4430_grsec-remove-localversion-grsec.patch
From: Kerin Millar <kerframil@gmail.com>
Desc: Removes grsecurity's localversion-grsec file
diff --git a/3.7.1/4420_grsecurity-2.9.1-3.7.1-201212171734.patch b/3.7.1/4420_grsecurity-2.9.1-3.7.1-201212271953.patch
index 18a4557..269fc82 100644
--- a/3.7.1/4420_grsecurity-2.9.1-3.7.1-201212171734.patch
+++ b/3.7.1/4420_grsecurity-2.9.1-3.7.1-201212271953.patch
@@ -1535,7 +1535,7 @@ index 943504f..bf8d667 100644
#endif /* CONFIG_ARM_LPAE */
diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
-index 8477b4c..c651b08 100644
+index 8477b4c..801a6a9 100644
--- a/arch/arm/include/asm/thread_info.h
+++ b/arch/arm/include/asm/thread_info.h
@@ -151,6 +151,12 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
@@ -1559,7 +1559,7 @@ index 8477b4c..c651b08 100644
/* Checks for any syscall work in entry-common.S */
-#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SYSCALL_TRACEPOINT)
-+#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SYSCALL_TRACEPOINT \
++#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SYSCALL_TRACEPOINT | \
+ _TIF_GRSEC_SETXID)
/*
@@ -5056,6 +5056,62 @@ index afeb710..d1d1289 100644
bottomup:
/*
+diff --git a/arch/sparc/crypto/aes_asm.S b/arch/sparc/crypto/aes_asm.S
+index 23f6cbb..1cda8aa 100644
+--- a/arch/sparc/crypto/aes_asm.S
++++ b/arch/sparc/crypto/aes_asm.S
+@@ -1024,7 +1024,11 @@ ENTRY(aes_sparc64_ecb_encrypt_256)
+ add %o2, 0x20, %o2
+ brlz,pt %o3, 11f
+ nop
+-10: ldx [%o1 + 0x00], %g3
++10: ldd [%o0 + 0xd0], %f56
++ ldd [%o0 + 0xd8], %f58
++ ldd [%o0 + 0xe0], %f60
++ ldd [%o0 + 0xe8], %f62
++ ldx [%o1 + 0x00], %g3
+ ldx [%o1 + 0x08], %g7
+ xor %g1, %g3, %g3
+ xor %g2, %g7, %g7
+@@ -1128,9 +1132,9 @@ ENTRY(aes_sparc64_ecb_decrypt_256)
+ /* %o0=&key[key_len], %o1=input, %o2=output, %o3=len */
+ ldx [%o0 - 0x10], %g1
+ subcc %o3, 0x10, %o3
++ ldx [%o0 - 0x08], %g2
+ be 10f
+- ldx [%o0 - 0x08], %g2
+- sub %o0, 0xf0, %o0
++ sub %o0, 0xf0, %o0
+ 1: ldx [%o1 + 0x00], %g3
+ ldx [%o1 + 0x08], %g7
+ ldx [%o1 + 0x10], %o4
+@@ -1154,7 +1158,11 @@ ENTRY(aes_sparc64_ecb_decrypt_256)
+ add %o2, 0x20, %o2
+ brlz,pt %o3, 11f
+ nop
+-10: ldx [%o1 + 0x00], %g3
++10: ldd [%o0 + 0x18], %f56
++ ldd [%o0 + 0x10], %f58
++ ldd [%o0 + 0x08], %f60
++ ldd [%o0 + 0x00], %f62
++ ldx [%o1 + 0x00], %g3
+ ldx [%o1 + 0x08], %g7
+ xor %g1, %g3, %g3
+ xor %g2, %g7, %g7
+@@ -1511,11 +1519,11 @@ ENTRY(aes_sparc64_ctr_crypt_256)
+ add %o2, 0x20, %o2
+ brlz,pt %o3, 11f
+ nop
+- ldd [%o0 + 0xd0], %f56
++10: ldd [%o0 + 0xd0], %f56
+ ldd [%o0 + 0xd8], %f58
+ ldd [%o0 + 0xe0], %f60
+ ldd [%o0 + 0xe8], %f62
+-10: xor %g1, %g3, %o5
++ xor %g1, %g3, %o5
+ MOVXTOD_O5_F0
+ xor %g2, %g7, %o5
+ MOVXTOD_O5_F2
diff --git a/arch/sparc/include/asm/atomic_64.h b/arch/sparc/include/asm/atomic_64.h
index be56a24..443328f 100644
--- a/arch/sparc/include/asm/atomic_64.h
@@ -30260,7 +30316,7 @@ index 21721d2..4e98777 100644
if (cmd != SIOCWANDEV)
diff --git a/drivers/char/random.c b/drivers/char/random.c
-index b86eae9..4192a7a 100644
+index b86eae9..3f539ae 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -272,8 +272,13 @@
@@ -30295,7 +30351,15 @@ index b86eae9..4192a7a 100644
#if 0
/* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
{ 2048, 1638, 1231, 819, 411, 1 },
-@@ -527,8 +539,8 @@ static void _mix_pool_bytes(struct entropy_store *r, const void *in,
+@@ -437,6 +449,7 @@ struct entropy_store {
+ int entropy_count;
+ int entropy_total;
+ unsigned int initialized:1;
++ bool last_data_init;
+ __u8 last_data[EXTRACT_SIZE];
+ };
+
+@@ -527,8 +540,8 @@ static void _mix_pool_bytes(struct entropy_store *r, const void *in,
input_rotate += i ? 7 : 14;
}
@@ -30306,7 +30370,7 @@ index b86eae9..4192a7a 100644
smp_wmb();
if (out)
-@@ -799,6 +811,17 @@ void add_disk_randomness(struct gendisk *disk)
+@@ -799,6 +812,17 @@ void add_disk_randomness(struct gendisk *disk)
}
#endif
@@ -30324,7 +30388,36 @@ index b86eae9..4192a7a 100644
/*********************************************************************
*
* Entropy extraction routines
-@@ -1008,7 +1031,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+@@ -957,6 +981,10 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ ssize_t ret = 0, i;
+ __u8 tmp[EXTRACT_SIZE];
+
++ /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
++ if (fips_enabled && !r->last_data_init)
++ nbytes += EXTRACT_SIZE;
++
+ trace_extract_entropy(r->name, nbytes, r->entropy_count, _RET_IP_);
+ xfer_secondary_pool(r, nbytes);
+ nbytes = account(r, nbytes, min, reserved);
+@@ -967,6 +995,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ if (fips_enabled) {
+ unsigned long flags;
+
++
++ /* prime last_data value if need be, per fips 140-2 */
++ if (!r->last_data_init) {
++ spin_lock_irqsave(&r->lock, flags);
++ memcpy(r->last_data, tmp, EXTRACT_SIZE);
++ r->last_data_init = true;
++ nbytes -= EXTRACT_SIZE;
++ spin_unlock_irqrestore(&r->lock, flags);
++ extract_buf(r, tmp);
++ }
++
+ spin_lock_irqsave(&r->lock, flags);
+ if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
+ panic("Hardware RNG duplicated output!\n");
+@@ -1008,7 +1047,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
extract_buf(r, tmp);
i = min_t(int, nbytes, EXTRACT_SIZE);
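Review bot: The priming added to extract_entropy() reads `r->last_data_init` twice without `r->lock` — once at `if (fips_enabled && !r->last_data_init) nbytes += EXTRACT_SIZE;` before account(), and again inside the loop before the block that sets it under the lock and does `nbytes -= EXTRACT_SIZE`. Two extractors that both pass the first test but only one of which passes the second leave the other with `nbytes` still inflated by EXTRACT_SIZE, so it copies EXTRACT_SIZE bytes beyond what its caller asked for; and if account() clamps `nbytes` below EXTRACT_SIZE (its body is outside the hunk — verify), the unsigned `nbytes -= EXTRACT_SIZE` wraps as well. Prime `last_data` as a separate step that claims `last_data_init` under the lock and never touches `nbytes`, as below; the `nbytes += EXTRACT_SIZE` line and the in-loop priming block then go away. The declarations at the top of extract_entropy() lie partly outside the hunk and `flags` would move to function scope.
```c
	/* prime last_data once, per fips 140-2, without inflating nbytes */
	if (fips_enabled) {
		spin_lock_irqsave(&r->lock, flags);
		if (!r->last_data_init) {
			r->last_data_init = true;
			spin_unlock_irqrestore(&r->lock, flags);
			xfer_secondary_pool(r, EXTRACT_SIZE);
			extract_buf(r, tmp);
			spin_lock_irqsave(&r->lock, flags);
			memcpy(r->last_data, tmp, EXTRACT_SIZE);
		}
		spin_unlock_irqrestore(&r->lock, flags);
	}

	trace_extract_entropy(r->name, nbytes, r->entropy_count, _RET_IP_);
	/* … unchanged: xfer_secondary_pool(r, nbytes), account(), and the
	 * extraction loop, minus the in-loop priming block … */
```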
@@ -30333,7 +30426,15 @@ index b86eae9..4192a7a 100644
ret = -EFAULT;
break;
}
-@@ -1342,7 +1365,7 @@ EXPORT_SYMBOL(generate_random_uuid);
+@@ -1086,6 +1125,7 @@ static void init_std_data(struct entropy_store *r)
+
+ r->entropy_count = 0;
+ r->entropy_total = 0;
++ r->last_data_init = false;
+ mix_pool_bytes(r, &now, sizeof(now), NULL);
+ for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) {
+ if (!arch_get_random_long(&rv))
+@@ -1342,7 +1382,7 @@ EXPORT_SYMBOL(generate_random_uuid);
#include <linux/sysctl.h>
static int min_read_thresh = 8, min_write_thresh;
@@ -42680,7 +42781,7 @@ index cce7df5..eaa2731 100644
goto out_sig;
if (offset > inode->i_sb->s_maxbytes)
diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c
-index dce436e..378404b 100644
+index dce436e..55e670d 100644
--- a/fs/autofs4/waitq.c
+++ b/fs/autofs4/waitq.c
@@ -61,7 +61,7 @@ static int autofs4_write(struct autofs_sb_info *sbi,
@@ -42709,7 +42810,7 @@ index dce436e..378404b 100644
if (IS_ROOT(dentry) && autofs_type_trigger(sbi->type))
+#ifdef CONFIG_GRKERNSEC_HIDESYM
+ /* this name does get written to userland via autofs4_write() */
-+ qstr.len = sprintf(name, "%08lx", atomic_inc_return_unchecked(&autofs_dummy_name_id));
++ qstr.len = sprintf(name, "%08x", atomic_inc_return_unchecked(&autofs_dummy_name_id));
+#else
qstr.len = sprintf(name, "%p", dentry);
+#endif
@@ -45676,6 +45777,38 @@ index 3c20de1..6ff2460 100644
atomic_t s_lock_busy;
/* locality groups */
+diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
+index 3a100e7..c7efa88 100644
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -762,7 +762,6 @@ got:
+
+ BUFFER_TRACE(block_bitmap_bh, "dirty block bitmap");
+ err = ext4_handle_dirty_metadata(handle, NULL, block_bitmap_bh);
+- brelse(block_bitmap_bh);
+
+ /* recheck and clear flag under lock if we still need to */
+ ext4_lock_group(sb, group);
+@@ -775,6 +774,7 @@ got:
+ ext4_group_desc_csum_set(sb, group, gdp);
+ }
+ ext4_unlock_group(sb, group);
++ brelse(block_bitmap_bh);
+
+ if (err)
+ goto fail;
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index b3c243b..772c318 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1503,6 +1503,7 @@ static void ext4_da_block_invalidatepages(struct mpage_da_data *mpd)
+
+ index = mpd->first_page;
+ end = mpd->next_page - 1;
++ pagevec_init(&pvec, 0);
+ while (index <= end) {
+ nr_pages = pagevec_lookup(&pvec, mapping, index, PAGEVEC_SIZE);
+ if (nr_pages == 0)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 526e553..3f2de85 100644
--- a/fs/ext4/mballoc.c
@@ -45793,6 +45926,18 @@ index 526e553..3f2de85 100644
trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
return 0;
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 80928f7..c3f2b1f 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3202,7 +3202,6 @@ int ext4_calculate_overhead(struct super_block *sb)
+ ext4_fsblk_t overhead = 0;
+ char *buf = (char *) get_zeroed_page(GFP_KERNEL);
+
+- memset(buf, 0, PAGE_SIZE);
+ if (!buf)
+ return -ENOMEM;
+
diff --git a/fs/fcntl.c b/fs/fcntl.c
index 71a600a..20d87b1 100644
--- a/fs/fcntl.c
@@ -49958,6 +50103,19 @@ index 16e8abb..2dcf914 100644
&quota_genl_family, 0, QUOTA_NL_C_WARNING);
if (!msg_head) {
printk(KERN_ERR
+diff --git a/fs/read_write.c b/fs/read_write.c
+index d065348..8e2b43d 100644
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -935,6 +935,8 @@ ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos, size_t count,
+ if (retval > 0) {
+ add_rchar(current, retval);
+ add_wchar(current, retval);
++ fsnotify_access(in.file);
++ fsnotify_modify(out.file);
+ }
+
+ inc_syscr(current);
diff --git a/fs/readdir.c b/fs/readdir.c
index 5e69ef5..e5d9099 100644
--- a/fs/readdir.c
@@ -50601,7 +50759,7 @@ index 4e00cf0..3374374 100644
kfree(s);
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..10c36fb
+index 0000000..3900064
--- /dev/null
+++ b/grsecurity/Kconfig
@@ -0,0 +1,964 @@
@@ -51270,7 +51428,7 @@ index 0000000..10c36fb
+ default y if GRKERNSEC_CONFIG_AUTO
+ help
+ If you say Y here, non-root users will not be able to use dmesg(8)
-+ to view up to the last 4kb of messages in the kernel's log buffer.
++ to view the contents of the kernel's circular log buffer.
+ The kernel's log buffer often contains kernel addresses and other
+ identifying information useful to an attacker in fingerprinting a
+ system for a targeted exploit.
@@ -63738,6 +63896,34 @@ index a4c5624..79d6d88 100644
/** create a directory */
struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
+diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h
+index b5d1384..70473da 100644
+--- a/include/linux/page-flags.h
++++ b/include/linux/page-flags.h
+@@ -362,7 +362,7 @@ static inline void ClearPageCompound(struct page *page)
+ * pages on the LRU and/or pagecache.
+ */
+ TESTPAGEFLAG(Compound, compound)
+-__PAGEFLAG(Head, compound)
++__SETPAGEFLAG(Head, compound) __CLEARPAGEFLAG(Head, compound)
+
+ /*
+ * PG_reclaim is used in combination with PG_compound to mark the
+@@ -374,8 +374,14 @@ __PAGEFLAG(Head, compound)
+ * PG_compound & PG_reclaim => Tail page
+ * PG_compound & ~PG_reclaim => Head page
+ */
++#define PG_head_mask ((1L << PG_compound))
+ #define PG_head_tail_mask ((1L << PG_compound) | (1L << PG_reclaim))
+
++static inline int PageHead(struct page *page)
++{
++ return ((page->flags & PG_head_tail_mask) == PG_head_mask);
++}
++
+ static inline int PageTail(struct page *page)
+ {
+ return ((page->flags & PG_head_tail_mask) == PG_head_tail_mask);
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
index 6bfb2faa..1204767 100644
--- a/include/linux/perf_event.h
@@ -69147,10 +69333,10 @@ index aebd4f5..1693c13 100644
{
struct pid *pid;
diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c
-index 125cb67..a4d1c30 100644
+index 125cb67..2e5c8ad 100644
--- a/kernel/posix-cpu-timers.c
+++ b/kernel/posix-cpu-timers.c
-@@ -6,6 +6,7 @@
+@@ -6,9 +6,11 @@
#include <linux/posix-timers.h>
#include <linux/errno.h>
#include <linux/math64.h>
@@ -69158,7 +69344,20 @@ index 125cb67..a4d1c30 100644
#include <asm/uaccess.h>
#include <linux/kernel_stat.h>
#include <trace/events/timer.h>
-@@ -1578,14 +1579,14 @@ struct k_clock clock_posix_cpu = {
++#include <linux/random.h>
+
+ /*
+ * Called after updating RLIMIT_CPU to run cpu timer and update
+@@ -494,6 +496,8 @@ static void cleanup_timers(struct list_head *head,
+ */
+ void posix_cpu_timers_exit(struct task_struct *tsk)
+ {
++ add_device_randomness((const void*) &tsk->se.sum_exec_runtime,
++ sizeof(unsigned long long));
+ cleanup_timers(tsk->cpu_timers,
+ tsk->utime, tsk->stime, tsk->se.sum_exec_runtime);
+
+@@ -1578,14 +1582,14 @@ struct k_clock clock_posix_cpu = {
static __init int init_posix_cpu_timers(void)
{
@@ -77590,7 +77789,7 @@ index df25142..e92a82a 100644
sizeof(net->ipv4.dev_addr_genid));
return 0;
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 181fc82..57da08d 100644
+index 181fc82..f211869 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4704,7 +4704,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
@@ -77602,6 +77801,61 @@ index 181fc82..57da08d 100644
struct sk_buff *head, struct sk_buff *tail,
u32 start, u32 end)
{
+@@ -5536,6 +5536,9 @@ slow_path:
+ if (len < (th->doff << 2) || tcp_checksum_complete_user(sk, skb))
+ goto csum_error;
+
++ if (!th->ack)
++ goto discard;
++
+ /*
+ * Standard slow path.
+ */
+@@ -5544,7 +5547,7 @@ slow_path:
+ return 0;
+
+ step5:
+- if (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
++ if (tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
+ goto discard;
+
+ /* ts_recent update must be made after we are sure that the packet
+@@ -5930,7 +5933,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ goto discard;
+
+ if (th->syn) {
+- if (th->fin)
++ if (th->fin || th->urg || th->psh)
+ goto discard;
+ if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
+ return 1;
+@@ -5977,11 +5980,15 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ if (tcp_check_req(sk, skb, req, NULL, true) == NULL)
+ goto discard;
+ }
++
++ if (!th->ack)
++ goto discard;
++
+ if (!tcp_validate_incoming(sk, skb, th, 0))
+ return 0;
+
+ /* step 5: check the ACK field */
+- if (th->ack) {
++ if (true) {
+ int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH) > 0;
+
+ switch (sk->sk_state) {
+@@ -6131,8 +6138,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ }
+ break;
+ }
+- } else
+- goto discard;
++ }
+
+ /* ts_recent update must be made after we are sure that the packet
+ * is in window.
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 0c4a643..e584990 100644
--- a/net/ipv4/tcp_ipv4.c