author | Anthony G. Basile <blueness@gentoo.org> | 2014-05-10 12:28:55 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2014-05-10 12:28:55 -0400 |
commit | 080fcb7ea019d5794996859a1e45a83006b6bf41 (patch) | |
tree | 27fc5fee0a13347f0631b8bd65357472852d87b0 | |
parent | Grsec/PaX: 3.0-{3.2.58,3.14.3}-201405071928 (diff) | |
Grsec/PaX: 3.0-{3.2.58,3.14.3}-201405092337 20140509
-rw-r--r-- | 3.14.3/0000_README | 2 | ||||
-rw-r--r-- | 3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch (renamed from 3.14.3/4420_grsecurity-3.0-3.14.3-201405071928.patch) | 116 | ||||
-rw-r--r-- | 3.2.58/0000_README | 2 | ||||
-rw-r--r-- | 3.2.58/4420_grsecurity-3.0-3.2.58-201405092334.patch (renamed from 3.2.58/4420_grsecurity-3.0-3.2.58-201405061705.patch) | 52 |
4 files changed, 162 insertions, 10 deletions
diff --git a/3.14.3/0000_README b/3.14.3/0000_README index 51d9a7e..108ad48 100644 --- a/3.14.3/0000_README +++ b/3.14.3/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.14.3-201405071928.patch +Patch: 4420_grsecurity-3.0-3.14.3-201405092337.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.3/4420_grsecurity-3.0-3.14.3-201405071928.patch b/3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch index b5d0cff..4e0c19f 100644 --- a/3.14.3/4420_grsecurity-3.0-3.14.3-201405071928.patch +++ b/3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch @@ -7487,6 +7487,18 @@ index 4006964..fcb3cc2 100644 ret = __copy_from_user(to, from, n); else copy_from_user_overflow(); +diff --git a/arch/parisc/include/uapi/asm/resource.h b/arch/parisc/include/uapi/asm/resource.h +index 8b06343..090483c 100644 +--- a/arch/parisc/include/uapi/asm/resource.h ++++ b/arch/parisc/include/uapi/asm/resource.h +@@ -1,7 +1,6 @@ + #ifndef _ASM_PARISC_RESOURCE_H + #define _ASM_PARISC_RESOURCE_H + +-#define _STK_LIM_MAX 10 * _STK_LIM + #include <asm-generic/resource.h> + + #endif diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c index 50dfafc..b9fc230 100644 --- a/arch/parisc/kernel/module.c 
@@ -37847,6 +37859,44 @@ index d073305..4998fea 100644 static struct asender_cmd asender_tbl[] = { [P_PING] = { 0, got_Ping }, +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index 2023043..dab515c 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void __user *param, + int ret; + + while (ptr) { +- ret = copy_to_user(param, ptr, sizeof(*ptr)); ++ struct floppy_raw_cmd cmd = *ptr; ++ cmd.next = NULL; ++ cmd.kernel_data = NULL; ++ ret = copy_to_user(param, &cmd, sizeof(cmd)); + if (ret) + return -EFAULT; + param += sizeof(struct floppy_raw_cmd); +@@ -3107,10 +3110,11 @@ loop: + return -ENOMEM; + *rcmd = ptr; + ret = copy_from_user(ptr, param, sizeof(*ptr)); +- if (ret) +- return -EFAULT; + ptr->next = NULL; + ptr->buffer_length = 0; ++ ptr->kernel_data = NULL; ++ if (ret) ++ return -EFAULT; + param += sizeof(struct floppy_raw_cmd); + if (ptr->cmd_count > 33) + /* the command may now also take up the space +@@ -3126,7 +3130,6 @@ loop: + for (i = 0; i < 16; i++) + ptr->reply[i] = 0; + ptr->resultcode = 0; +- ptr->kernel_data = NULL; + + if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) { + if (ptr->length <= 0) diff --git a/drivers/block/loop.c b/drivers/block/loop.c index 66e8c3b..9b68dd9 100644 --- a/drivers/block/loop.c @@ -38115,10 +38165,18 @@ index a48e05b..6bac831 100644 kfree(usegment); kfree(ksegment); diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c -index 1b19239..b87b143 100644 +index 1b19239..963967b 100644 --- a/drivers/char/agp/frontend.c 
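Review bot: In raw_cmd_copyout the new local `struct floppy_raw_cmd cmd = *ptr;` shadows the function's own `int cmd` parameter (visible in the inner hunk header), so any use of `cmd` later in the loop would silently refer to the scrubbed copy; a distinct name such as `struct floppy_raw_cmd out = *ptr;` avoids that and keeps -Wshadow quiet. The copy exists so that `next` and `kernel_data`, which hold kernel addresses, never reach `copy_to_user`, and it should say so with a comment like `/* never hand kernel pointers back to user space */`. In raw_cmd_copyin the moved `if (ret) return -EFAULT;` now runs after the pointer fields are reset, which matters because `*rcmd = ptr` has already published the allocation to the caller; a comment such as `/* reset pointers before bailing out: the caller's cleanup must not see user-supplied values */` would record why the order is deliberate (the cleanup path is outside the hunk, so that part is inferred). Both functions continue beyond the quoted hunks. The identical change appears in the 3.2.58 patch (outer hunk at -34158) and the same remarks apply there.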
+++ b/drivers/char/agp/frontend.c -@@ -819,7 +819,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg) +@@ -731,6 +731,7 @@ static int agpioc_info_wrap(struct agp_file_private *priv, void __user *arg) + + agp_copy_info(agp_bridge, &kerninfo); + ++ memset(&userinfo, 0, sizeof(userinfo)); + userinfo.version.major = kerninfo.version.major; + userinfo.version.minor = kerninfo.version.minor; + userinfo.bridge_id = kerninfo.device->vendor | +@@ -819,7 +820,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg) if (copy_from_user(&reserve, arg, sizeof(struct agp_region))) return -EFAULT; @@ -38127,7 +38185,7 @@ index 1b19239..b87b143 100644 return -EFAULT; client = agp_find_client_by_pid(reserve.pid); -@@ -849,7 +849,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg) +@@ -849,7 +850,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg) if (segment == NULL) return -ENOMEM; @@ -46235,6 +46293,19 @@ index 26f8635..c237839 100644 if (cmd == TUNSETIFF || cmd == TUNSETQUEUE || _IOC_TYPE(cmd) == 0x89) { if (copy_from_user(&ifr, argp, ifreq_len)) return -EFAULT; +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index d350d27..75d7d9d 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -768,7 +768,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev, struct sk_buff *skb, __le32 sign) + skb_out->len > CDC_NCM_MIN_TX_PKT) + memset(skb_put(skb_out, ctx->tx_max - skb_out->len), 0, + ctx->tx_max - skb_out->len); +- else if ((skb_out->len % dev->maxpacket) == 0) ++ else if (skb_out->len < ctx->tx_max && (skb_out->len % dev->maxpacket) == 0) + *skb_put(skb_out, 1) = 0; /* force short packet */ + + /* set final frame length */ diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c index 660bd5e..ac59452 100644 --- a/drivers/net/usb/hso.c 
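Review bot: The added `memset(&userinfo, 0, sizeof(userinfo));` in agpioc_info_wrap has no comment explaining why it is needed, and because the fields are assigned immediately below it is exactly the line a later cleanup removes as redundant. A comment such as `/* userinfo goes to user space: clear padding and any field not set below */` would record the intent; the copy-out itself is past the end of the hunk, so this is inferred from the `void __user *arg` parameter. Separately, the visible context calls `agp_copy_info(agp_bridge, &kerninfo);` without using a result and then dereferences `kerninfo.device->vendor`; if that helper can fail or leave `device` unset, a check belongs before the dereference. The same hunk appears in the 3.2.58 patch (outer hunk at -34367).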
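Review bot: The reason for the added `skb_out->len < ctx->tx_max` test in cdc_ncm_fill_tx_frame is not stated, yet it is what stops `*skb_put(skb_out, 1) = 0` from appending a byte to a frame that already fills the buffer (assuming skb_out is allocated with tx_max bytes, which is outside the hunk). I would put `/* pad only when there is tailroom: a frame of exactly tx_max bytes cannot take the extra zero byte */` above the `else if`. The same expression computes `skb_out->len % dev->maxpacket`, which is undefined for a zero `maxpacket`; whether that value is validated when the device is bound cannot be seen here and is worth confirming. The function starts and ends outside the hunk.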
@@ -55838,6 +55909,19 @@ index 370b24c..ff0be7b 100644 ---help--- A.out (Assembler.OUTput) is a set of formats for libraries and executables used in the earliest versions of UNIX. Linux used +diff --git a/fs/affs/super.c b/fs/affs/super.c +index d098731..9a5b19d 100644 +--- a/fs/affs/super.c ++++ b/fs/affs/super.c +@@ -336,8 +336,6 @@ static int affs_fill_super(struct super_block *sb, void *data, int silent) + &blocksize,&sbi->s_prefix, + sbi->s_volume, &mount_flags)) { + printk(KERN_ERR "AFFS: Error parsing options\n"); +- kfree(sbi->s_prefix); +- kfree(sbi); + return -EINVAL; + } + /* N.B. after this point s_prefix must be released */ diff --git a/fs/afs/inode.c b/fs/afs/inode.c index ce25d75..dc09eeb 100644 --- a/fs/afs/inode.c @@ -55861,7 +55945,7 @@ index ce25d75..dc09eeb 100644 &data); if (!inode) { diff --git a/fs/aio.c b/fs/aio.c -index 062a5f6..e5618e0 100644 +index 062a5f6..6ecefa2 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -374,7 +374,7 @@ static int aio_setup_ring(struct kioctx *ctx) @@ -55873,6 +55957,19 @@ index 062a5f6..e5618e0 100644 return -EINVAL; file = aio_private_file(ctx, nr_pages); +@@ -1285,10 +1285,8 @@ rw_common: + &iovec, compat) + : aio_setup_single_vector(req, rw, buf, &nr_segs, + iovec); +- if (ret) +- return ret; +- +- ret = rw_verify_area(rw, file, &req->ki_pos, req->ki_nbytes); ++ if (!ret) ++ ret = rw_verify_area(rw, file, &req->ki_pos, req->ki_nbytes); + if (ret < 0) { + if (iovec != &inline_vec) + kfree(iovec); diff --git a/fs/attr.c b/fs/attr.c index 5d4e59d..fd02418 100644 --- a/fs/attr.c @@ -62228,7 +62325,7 @@ index a80a741..7b96e1b 100644 } diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c -index 287a22c..a2a043a 100644 +index 287a22c..4e56e4e 100644 --- a/fs/notify/fanotify/fanotify_user.c +++ b/fs/notify/fanotify/fanotify_user.c @@ -251,8 +251,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group, 
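Review bot: With the two `kfree` calls removed from the option-parsing error path in affs_fill_super, the comment that follows, `/* N.B. after this point s_prefix must be released */`, no longer describes the ownership rule: the early `return -EINVAL` now also leaves `sbi` and any prefix the parser allocated for someone else to free. The removal is only safe if the superblock teardown releases both, and that path is not in the hunk, so this is inferred. The error return should state it, e.g. `/* sbi and s_prefix are released by the superblock teardown, not here */`, and the N.B. comment should be reworded to match. Without that, the next reader will see an apparent leak and restore the frees, which would release the memory twice if the teardown does free it.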
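Review bot: After this change a failed vector setup in the rw_common path of fs/aio.c is cleaned up only when `ret < 0`, whereas the removed lines returned on any non-zero `ret`. If either setup helper can return a positive value, `if (!ret)` skips `rw_verify_area` and `if (ret < 0)` skips the `kfree(iovec)` branch, so execution would continue with a range that was never verified; the helpers are outside the hunk, so this needs confirming rather than assuming. Stating the contract next to the test, `/* setup helpers return 0 or -errno, never a positive count */`, would make the dependency explicit. The enclosing function begins and ends outside the hunk.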
@@ -62242,6 +62339,15 @@ index 287a22c..a2a043a 100644 goto out_close_fd; ret = prepare_for_access_response(group, event, fd); +@@ -742,6 +742,8 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags) + oevent->path.mnt = NULL; + oevent->path.dentry = NULL; + ++ if (force_o_largefile()) ++ event_f_flags |= O_LARGEFILE; + group->fanotify_data.f_flags = event_f_flags; + #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS + oevent->response = 0; diff --git a/fs/notify/notification.c b/fs/notify/notification.c index 1e58402..bb2d6f4 100644 --- a/fs/notify/notification.c diff --git a/3.2.58/0000_README b/3.2.58/0000_README index f10476b..df97a0f 100644 --- a/3.2.58/0000_README +++ b/3.2.58/0000_README @@ -150,7 +150,7 @@ Patch: 1057_linux-3.2.58.patch From: http://www.kernel.org Desc: Linux 3.2.58 -Patch: 4420_grsecurity-3.0-3.2.58-201405061705.patch +Patch: 4420_grsecurity-3.0-3.2.58-201405092334.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.58/4420_grsecurity-3.0-3.2.58-201405061705.patch b/3.2.58/4420_grsecurity-3.0-3.2.58-201405092334.patch index fab7860..4f95c38 100644 --- a/3.2.58/4420_grsecurity-3.0-3.2.58-201405061705.patch +++ b/3.2.58/4420_grsecurity-3.0-3.2.58-201405092334.patch 
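Review bot: The added `force_o_largefile()` block in fanotify_init changes the caller-supplied `event_f_flags` just before it is stored in `group->fanotify_data.f_flags`, with no comment on why a flag the caller did not pass is being set. A line such as `/* as open(2) does: where large files are forced, event fds get O_LARGEFILE implicitly */` would make the intent clear. It is also worth confirming that whatever validation of `event_f_flags` happens earlier in the syscall (outside the hunk) accepts O_LARGEFILE when it is passed explicitly, so that the implicit and explicit routes end in the same state.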
@@ -34158,6 +34158,44 @@ index 13cbdd3..d374957 100644 static struct asender_cmd *get_asender_cmd(int cmd) { +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index 7a90d4a..6d0f3e1 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -3060,7 +3060,10 @@ static int raw_cmd_copyout(int cmd, void __user *param, + int ret; + + while (ptr) { +- ret = copy_to_user(param, ptr, sizeof(*ptr)); ++ struct floppy_raw_cmd cmd = *ptr; ++ cmd.next = NULL; ++ cmd.kernel_data = NULL; ++ ret = copy_to_user(param, &cmd, sizeof(cmd)); + if (ret) + return -EFAULT; + param += sizeof(struct floppy_raw_cmd); +@@ -3114,10 +3117,11 @@ loop: + return -ENOMEM; + *rcmd = ptr; + ret = copy_from_user(ptr, param, sizeof(*ptr)); +- if (ret) +- return -EFAULT; + ptr->next = NULL; + ptr->buffer_length = 0; ++ ptr->kernel_data = NULL; ++ if (ret) ++ return -EFAULT; + param += sizeof(struct floppy_raw_cmd); + if (ptr->cmd_count > 33) + /* the command may now also take up the space +@@ -3133,7 +3137,6 @@ loop: + for (i = 0; i < 16; i++) + ptr->reply[i] = 0; + ptr->resultcode = 0; +- ptr->kernel_data = NULL; + + if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) { + if (ptr->length <= 0) diff --git a/drivers/block/loop.c b/drivers/block/loop.c index d659135..45fe633 100644 --- a/drivers/block/loop.c @@ -34367,10 +34405,18 @@ index a48e05b..6bac831 100644 kfree(usegment); kfree(ksegment); diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c -index 2e04433..771f2cc 100644 +index 2e04433..3b8afe7 100644 --- a/drivers/char/agp/frontend.c 
+++ b/drivers/char/agp/frontend.c -@@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg) +@@ -729,6 +729,7 @@ static int agpioc_info_wrap(struct agp_file_private *priv, void __user *arg) + + agp_copy_info(agp_bridge, &kerninfo); + ++ memset(&userinfo, 0, sizeof(userinfo)); + userinfo.version.major = kerninfo.version.major; + userinfo.version.minor = kerninfo.version.minor; + userinfo.bridge_id = kerninfo.device->vendor | +@@ -817,7 +818,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg) if (copy_from_user(&reserve, arg, sizeof(struct agp_region))) return -EFAULT; @@ -34379,7 +34425,7 @@ index 2e04433..771f2cc 100644 return -EFAULT; client = agp_find_client_by_pid(reserve.pid); -@@ -847,7 +847,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg) +@@ -847,7 +848,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg) if (segment == NULL) return -ENOMEM; |