authorAnthony G. Basile <blueness@gentoo.org>2014-05-10 12:28:55 -0400
committerAnthony G. Basile <blueness@gentoo.org>2014-05-10 12:28:55 -0400
commit080fcb7ea019d5794996859a1e45a83006b6bf41 (patch)
tree27fc5fee0a13347f0631b8bd65357472852d87b0
parentGrsec/PaX: 3.0-{3.2.58,3.14.3}-201405071928 (diff)
Grsec/PaX: 3.0-{3.2.58,3.14.3}-20140509233720140509
-rw-r--r--3.14.3/0000_README2
-rw-r--r--3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch (renamed from 3.14.3/4420_grsecurity-3.0-3.14.3-201405071928.patch)116
-rw-r--r--3.2.58/0000_README2
-rw-r--r--3.2.58/4420_grsecurity-3.0-3.2.58-201405092334.patch (renamed from 3.2.58/4420_grsecurity-3.0-3.2.58-201405061705.patch)52
4 files changed, 162 insertions, 10 deletions
diff --git a/3.14.3/0000_README b/3.14.3/0000_README
index 51d9a7e..108ad48 100644
--- a/3.14.3/0000_README
+++ b/3.14.3/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.14.3-201405071928.patch
+Patch: 4420_grsecurity-3.0-3.14.3-201405092337.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.14.3/4420_grsecurity-3.0-3.14.3-201405071928.patch b/3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch
index b5d0cff..4e0c19f 100644
--- a/3.14.3/4420_grsecurity-3.0-3.14.3-201405071928.patch
+++ b/3.14.3/4420_grsecurity-3.0-3.14.3-201405092337.patch
@@ -7487,6 +7487,18 @@ index 4006964..fcb3cc2 100644
ret = __copy_from_user(to, from, n);
else
copy_from_user_overflow();
+diff --git a/arch/parisc/include/uapi/asm/resource.h b/arch/parisc/include/uapi/asm/resource.h
+index 8b06343..090483c 100644
+--- a/arch/parisc/include/uapi/asm/resource.h
++++ b/arch/parisc/include/uapi/asm/resource.h
+@@ -1,7 +1,6 @@
+ #ifndef _ASM_PARISC_RESOURCE_H
+ #define _ASM_PARISC_RESOURCE_H
+
+-#define _STK_LIM_MAX 10 * _STK_LIM
+ #include <asm-generic/resource.h>
+
+ #endif
diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c
index 50dfafc..b9fc230 100644
--- a/arch/parisc/kernel/module.c
@@ -37847,6 +37859,44 @@ index d073305..4998fea 100644
static struct asender_cmd asender_tbl[] = {
[P_PING] = { 0, got_Ping },
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 2023043..dab515c 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void __user *param,
+ int ret;
+
+ while (ptr) {
+- ret = copy_to_user(param, ptr, sizeof(*ptr));
++ struct floppy_raw_cmd cmd = *ptr;
++ cmd.next = NULL;
++ cmd.kernel_data = NULL;
++ ret = copy_to_user(param, &cmd, sizeof(cmd));
+ if (ret)
+ return -EFAULT;
+ param += sizeof(struct floppy_raw_cmd);
+@@ -3107,10 +3110,11 @@ loop:
+ return -ENOMEM;
+ *rcmd = ptr;
+ ret = copy_from_user(ptr, param, sizeof(*ptr));
+- if (ret)
+- return -EFAULT;
+ ptr->next = NULL;
+ ptr->buffer_length = 0;
++ ptr->kernel_data = NULL;
++ if (ret)
++ return -EFAULT;
+ param += sizeof(struct floppy_raw_cmd);
+ if (ptr->cmd_count > 33)
+ /* the command may now also take up the space
+@@ -3126,7 +3130,6 @@ loop:
+ for (i = 0; i < 16; i++)
+ ptr->reply[i] = 0;
+ ptr->resultcode = 0;
+- ptr->kernel_data = NULL;
+
+ if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
+ if (ptr->length <= 0)
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 66e8c3b..9b68dd9 100644
--- a/drivers/block/loop.c
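Review bot: In the raw_cmd_copyout change, the new local `struct floppy_raw_cmd cmd` shadows the function's own `int cmd` parameter, which is visible in the signature quoted by the hunk header. None of the lines shown use the parameter after the declaration, but the loop body continues outside the hunk, so any later reference to `cmd` inside the loop would silently resolve to the struct. Naming the copy differently, e.g. `struct floppy_raw_cmd out = *ptr;` with `copy_to_user(param, &out, sizeof(out))`, avoids that and keeps -Wshadow quiet. A one-line comment such as `/* never hand kernel pointers (next, kernel_data) back to userspace */` would also record why the scrubbed copy exists. The identical floppy.c hunk in the 3.2.58 patch has the same shadowing.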
@@ -38115,10 +38165,18 @@ index a48e05b..6bac831 100644
kfree(usegment);
kfree(ksegment);
diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c
-index 1b19239..b87b143 100644
+index 1b19239..963967b 100644
--- a/drivers/char/agp/frontend.c
+++ b/drivers/char/agp/frontend.c
-@@ -819,7 +819,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
+@@ -731,6 +731,7 @@ static int agpioc_info_wrap(struct agp_file_private *priv, void __user *arg)
+
+ agp_copy_info(agp_bridge, &kerninfo);
+
++ memset(&userinfo, 0, sizeof(userinfo));
+ userinfo.version.major = kerninfo.version.major;
+ userinfo.version.minor = kerninfo.version.minor;
+ userinfo.bridge_id = kerninfo.device->vendor |
+@@ -819,7 +820,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
return -EFAULT;
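Review bot: The added `memset(&userinfo, 0, sizeof(userinfo));` in agpioc_info_wrap has no comment explaining why a struct that is then filled field by field needs zeroing first. The copy to userspace is outside the hunk, but presumably the whole struct is copied out, in which case padding and any unassigned field would otherwise carry stale kernel stack bytes. A comment like `/* clear padding and unassigned fields before the struct is copied to userspace */` would keep a later cleanup from dropping the call as redundant. The same line in the 3.2.58 patch would take the same comment.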
@@ -38127,7 +38185,7 @@ index 1b19239..b87b143 100644
return -EFAULT;
client = agp_find_client_by_pid(reserve.pid);
-@@ -849,7 +849,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
+@@ -849,7 +850,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
if (segment == NULL)
return -ENOMEM;
@@ -46235,6 +46293,19 @@ index 26f8635..c237839 100644
if (cmd == TUNSETIFF || cmd == TUNSETQUEUE || _IOC_TYPE(cmd) == 0x89) {
if (copy_from_user(&ifr, argp, ifreq_len))
return -EFAULT;
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index d350d27..75d7d9d 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -768,7 +768,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev, struct sk_buff *skb, __le32 sign)
+ skb_out->len > CDC_NCM_MIN_TX_PKT)
+ memset(skb_put(skb_out, ctx->tx_max - skb_out->len), 0,
+ ctx->tx_max - skb_out->len);
+- else if ((skb_out->len % dev->maxpacket) == 0)
++ else if (skb_out->len < ctx->tx_max && (skb_out->len % dev->maxpacket) == 0)
+ *skb_put(skb_out, 1) = 0; /* force short packet */
+
+ /* set final frame length */
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index 660bd5e..ac59452 100644
--- a/drivers/net/usb/hso.c
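Review bot: The new `skb_out->len < ctx->tx_max` guard in cdc_ncm_fill_tx_frame leaves one case undocumented: a frame that is exactly tx_max long and a multiple of dev->maxpacket now gets no pad byte at all. Refusing the `skb_put(skb_out, 1)` there looks right, since the lines shown only ever pad up to tx_max, which suggests the buffer has no room beyond it. The short-packet termination for that case must then come from somewhere outside this hunk. A comment on the branch, e.g. `/* no room for a pad byte at tx_max; transfer termination is left to the USB layer */`, would make that dependency explicit once it is confirmed where it is handled.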
@@ -55838,6 +55909,19 @@ index 370b24c..ff0be7b 100644
---help---
A.out (Assembler.OUTput) is a set of formats for libraries and
executables used in the earliest versions of UNIX. Linux used
+diff --git a/fs/affs/super.c b/fs/affs/super.c
+index d098731..9a5b19d 100644
+--- a/fs/affs/super.c
++++ b/fs/affs/super.c
+@@ -336,8 +336,6 @@ static int affs_fill_super(struct super_block *sb, void *data, int silent)
+ &blocksize,&sbi->s_prefix,
+ sbi->s_volume, &mount_flags)) {
+ printk(KERN_ERR "AFFS: Error parsing options\n");
+- kfree(sbi->s_prefix);
+- kfree(sbi);
+ return -EINVAL;
+ }
+ /* N.B. after this point s_prefix must be released */
diff --git a/fs/afs/inode.c b/fs/afs/inode.c
index ce25d75..dc09eeb 100644
--- a/fs/afs/inode.c
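Review bot: With the two kfree() calls removed, the option-parsing error path in affs_fill_super returns -EINVAL while sbi and sbi->s_prefix are still allocated, and nothing in the hunk says who releases them. Presumably the superblock teardown frees both once sbi is attached to sb, which would have made the removed calls a double free, but that code is outside the hunk. A comment before the return, e.g. `/* sbi and s_prefix are released by superblock teardown; freeing here would double free */`, would document the ownership. The retained `N.B. after this point s_prefix must be released` comment now reads as if release only matters later, so it may need rewording.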
@@ -55861,7 +55945,7 @@ index ce25d75..dc09eeb 100644
&data);
if (!inode) {
diff --git a/fs/aio.c b/fs/aio.c
-index 062a5f6..e5618e0 100644
+index 062a5f6..6ecefa2 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -374,7 +374,7 @@ static int aio_setup_ring(struct kioctx *ctx)
@@ -55873,6 +55957,19 @@ index 062a5f6..e5618e0 100644
return -EINVAL;
file = aio_private_file(ctx, nr_pages);
+@@ -1285,10 +1285,8 @@ rw_common:
+ &iovec, compat)
+ : aio_setup_single_vector(req, rw, buf, &nr_segs,
+ iovec);
+- if (ret)
+- return ret;
+-
+- ret = rw_verify_area(rw, file, &req->ki_pos, req->ki_nbytes);
++ if (!ret)
++ ret = rw_verify_area(rw, file, &req->ki_pos, req->ki_nbytes);
+ if (ret < 0) {
+ if (iovec != &inline_vec)
+ kfree(iovec);
diff --git a/fs/attr.c b/fs/attr.c
index 5d4e59d..fd02418 100644
--- a/fs/attr.c
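Review bot: The merged check in rw_common now treats only negative values as failure, where the removed `if (ret) return ret;` bailed out on any non-zero result from the setup helpers. That holds as long as aio_setup_single_vector and its vectored counterpart return only 0 or a negative errno, but their bodies are not in the hunk. A positive return would skip rw_verify_area() and fall through to whatever follows the error block. A comment above the new test, e.g. `/* setup helpers return 0 or -errno; on either failure a heap-allocated iovec must still be freed */`, would state the assumption that makes the shared cleanup path safe.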
@@ -62228,7 +62325,7 @@ index a80a741..7b96e1b 100644
}
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
-index 287a22c..a2a043a 100644
+index 287a22c..4e56e4e 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -251,8 +251,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
@@ -62242,6 +62339,15 @@ index 287a22c..a2a043a 100644
goto out_close_fd;
ret = prepare_for_access_response(group, event, fd);
+@@ -742,6 +742,8 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)
+ oevent->path.mnt = NULL;
+ oevent->path.dentry = NULL;
+
++ if (force_o_largefile())
++ event_f_flags |= O_LARGEFILE;
+ group->fanotify_data.f_flags = event_f_flags;
+ #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
+ oevent->response = 0;
diff --git a/fs/notify/notification.c b/fs/notify/notification.c
index 1e58402..bb2d6f4 100644
--- a/fs/notify/notification.c
diff --git a/3.2.58/0000_README b/3.2.58/0000_README
index f10476b..df97a0f 100644
--- a/3.2.58/0000_README
+++ b/3.2.58/0000_README
@@ -150,7 +150,7 @@ Patch: 1057_linux-3.2.58.patch
From: http://www.kernel.org
Desc: Linux 3.2.58
-Patch: 4420_grsecurity-3.0-3.2.58-201405061705.patch
+Patch: 4420_grsecurity-3.0-3.2.58-201405092334.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.58/4420_grsecurity-3.0-3.2.58-201405061705.patch b/3.2.58/4420_grsecurity-3.0-3.2.58-201405092334.patch
index fab7860..4f95c38 100644
--- a/3.2.58/4420_grsecurity-3.0-3.2.58-201405061705.patch
+++ b/3.2.58/4420_grsecurity-3.0-3.2.58-201405092334.patch
@@ -34158,6 +34158,44 @@ index 13cbdd3..d374957 100644
static struct asender_cmd *get_asender_cmd(int cmd)
{
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 7a90d4a..6d0f3e1 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3060,7 +3060,10 @@ static int raw_cmd_copyout(int cmd, void __user *param,
+ int ret;
+
+ while (ptr) {
+- ret = copy_to_user(param, ptr, sizeof(*ptr));
++ struct floppy_raw_cmd cmd = *ptr;
++ cmd.next = NULL;
++ cmd.kernel_data = NULL;
++ ret = copy_to_user(param, &cmd, sizeof(cmd));
+ if (ret)
+ return -EFAULT;
+ param += sizeof(struct floppy_raw_cmd);
+@@ -3114,10 +3117,11 @@ loop:
+ return -ENOMEM;
+ *rcmd = ptr;
+ ret = copy_from_user(ptr, param, sizeof(*ptr));
+- if (ret)
+- return -EFAULT;
+ ptr->next = NULL;
+ ptr->buffer_length = 0;
++ ptr->kernel_data = NULL;
++ if (ret)
++ return -EFAULT;
+ param += sizeof(struct floppy_raw_cmd);
+ if (ptr->cmd_count > 33)
+ /* the command may now also take up the space
+@@ -3133,7 +3137,6 @@ loop:
+ for (i = 0; i < 16; i++)
+ ptr->reply[i] = 0;
+ ptr->resultcode = 0;
+- ptr->kernel_data = NULL;
+
+ if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
+ if (ptr->length <= 0)
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index d659135..45fe633 100644
--- a/drivers/block/loop.c
@@ -34367,10 +34405,18 @@ index a48e05b..6bac831 100644
kfree(usegment);
kfree(ksegment);
diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c
-index 2e04433..771f2cc 100644
+index 2e04433..3b8afe7 100644
--- a/drivers/char/agp/frontend.c
+++ b/drivers/char/agp/frontend.c
-@@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
+@@ -729,6 +729,7 @@ static int agpioc_info_wrap(struct agp_file_private *priv, void __user *arg)
+
+ agp_copy_info(agp_bridge, &kerninfo);
+
++ memset(&userinfo, 0, sizeof(userinfo));
+ userinfo.version.major = kerninfo.version.major;
+ userinfo.version.minor = kerninfo.version.minor;
+ userinfo.bridge_id = kerninfo.device->vendor |
+@@ -817,7 +818,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
return -EFAULT;
@@ -34379,7 +34425,7 @@ index 2e04433..771f2cc 100644
return -EFAULT;
client = agp_find_client_by_pid(reserve.pid);
-@@ -847,7 +847,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
+@@ -847,7 +848,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
if (segment == NULL)
return -ENOMEM;