authorAnthony G. Basile <blueness@gentoo.org>2015-10-21 04:30:27 -0400
committerAnthony G. Basile <blueness@gentoo.org>2015-10-21 04:30:27 -0400
commit5897e96e7aaecac005baec1bc0770d24f41df0d9 (patch)
treee5b5a0ec7efb1b956226e0be81a117c7274eb59a
parentgrsecurity-3.1-4.2.3-201510200858 (diff)
downloadhardened-patchset-5897e96e7aaecac005baec1bc0770d24f41df0d9.tar.gz
hardened-patchset-5897e96e7aaecac005baec1bc0770d24f41df0d9.tar.bz2
hardened-patchset-5897e96e7aaecac005baec1bc0770d24f41df0d9.zip
grsecurity-3.1-4.2.3-201510202025
-rw-r--r--4.2.3/0000_README2
-rw-r--r--4.2.3/4420_grsecurity-3.1-4.2.3-201510202025.patch (renamed from 4.2.3/4420_grsecurity-3.1-4.2.3-201510200858.patch)169
2 files changed, 96 insertions, 75 deletions
diff --git a/4.2.3/0000_README b/4.2.3/0000_README
index d0e396e..08cde44 100644
--- a/4.2.3/0000_README
+++ b/4.2.3/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.2.3-201510200858.patch
+Patch: 4420_grsecurity-3.1-4.2.3-201510202025.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.2.3/4420_grsecurity-3.1-4.2.3-201510200858.patch b/4.2.3/4420_grsecurity-3.1-4.2.3-201510202025.patch
index 0d6eb57..87c4cb1 100644
--- a/4.2.3/4420_grsecurity-3.1-4.2.3-201510200858.patch
+++ b/4.2.3/4420_grsecurity-3.1-4.2.3-201510202025.patch
@@ -51934,6 +51934,19 @@ index dab2513..4c4b65d 100644
{
return msecs_to_jiffies((s->poll_timeout[2] << 16)
| (s->poll_timeout[1] << 8)
+diff --git a/drivers/net/wireless/ath/ath10k/ce.c b/drivers/net/wireless/ath/ath10k/ce.c
+index e508c65..fb0dbae 100644
+--- a/drivers/net/wireless/ath/ath10k/ce.c
++++ b/drivers/net/wireless/ath/ath10k/ce.c
+@@ -896,7 +896,7 @@ static int ath10k_ce_init_dest_ring(struct ath10k *ar,
+ return 0;
+ }
+
+-static struct ath10k_ce_ring *
++static struct ath10k_ce_ring * __intentional_overflow(-1)
+ ath10k_ce_alloc_src_ring(struct ath10k *ar, unsigned int ce_id,
+ const struct ce_attr *attr)
+ {
diff --git a/drivers/net/wireless/ath/ath10k/htc.c b/drivers/net/wireless/ath/ath10k/htc.c
index 85bfa2a..3f6e72c 100644
--- a/drivers/net/wireless/ath/ath10k/htc.c
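Review bot: The `__intentional_overflow(-1)` annotation added to `ath10k_ce_alloc_src_ring` carries no explanation of which computation in the function trips the size_overflow plugin. The function body lies outside the hunk, so the expression being exempted cannot be checked from here. An allocator for a ring is exactly where size arithmetic matters, so the exemption should be as narrow and as well justified as possible. I would add a comment above the declaration naming the expression and why its wrap is benign, e.g. `/* size_overflow: <expression> wraps by design because <reason> */`, and confirm that no sizing multiplication in the body loses coverage as a side effect.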
@@ -57769,7 +57782,7 @@ index 2a3bbdf..91d72cf 100644
file->f_version = event_count;
return POLLIN | POLLRDNORM;
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
-index 986abde..80e8279 100644
+index 986abde..2af59b11 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -187,7 +187,7 @@ static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
@@ -57808,6 +57821,15 @@ index 986abde..80e8279 100644
if (copy_to_user(buf,
dev->rawdescriptors[i] + (*ppos - pos),
min(len, alloclen))) {
+@@ -1499,7 +1499,7 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
+ }
+ }
+ as->urb->dev = ps->dev;
+- as->urb->pipe = (uurb->type << 30) |
++ as->urb->pipe = ((unsigned int)uurb->type << 30) |
+ __create_pipe(ps->dev, uurb->endpoint & 0xf) |
+ (uurb->endpoint & USB_DIR_IN);
+
diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
index cbcd092..e783f87 100644
--- a/drivers/usb/core/hcd.c
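Review bot: The cast in `as->urb->pipe = ((unsigned int)uurb->type << 30) |` has no comment saying why it is needed, so a later cleanup could drop it as redundant. If `uurb->type` is a narrow integer (its declaration is not in the hunk), it is promoted to signed `int` before the shift, and a value of 2 or 3 shifted left by 30 reaches the sign bit, which is undefined for a signed operand. I would add `/* shift as unsigned: type values >= 2 would land in the sign bit of a promoted int */` on the line above. `proc_do_submiturb` starts and ends outside the hunk, so whether `uurb->type` is range-checked before this point cannot be confirmed here.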
@@ -77013,6 +77035,19 @@ index c711be8..23b8df9 100644
inode->i_op = &simple_dir_inode_operations;
inode->i_fop = &simple_dir_operations;
+diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c
+index 754fd6c..ed6acbe 100644
+--- a/fs/dlm/lowcomms.c
++++ b/fs/dlm/lowcomms.c
+@@ -538,7 +538,7 @@ static void close_connection(struct connection *con, bool and_other)
+ /* We only send shutdown messages to nodes that are not part of the cluster */
+ static void sctp_send_shutdown(sctp_assoc_t associd)
+ {
+- static char outcmsg[CMSG_SPACE(sizeof(struct sctp_sndrcvinfo))];
++ char outcmsg[CMSG_SPACE(sizeof(struct sctp_sndrcvinfo))];
+ struct msghdr outmessage;
+ struct cmsghdr *cmsg;
+ struct sctp_sndrcvinfo *sinfo;
diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
index 3c4db11..a43976f 100644
--- a/fs/ecryptfs/inode.c
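Review bot: Dropping `static` from `outcmsg` in `sctp_send_shutdown` also drops the implicit zero-initialisation, so the buffer now starts with whatever was on the stack. The change itself is sound, since a function-local static buffer is shared by every caller, but `CMSG_SPACE()` includes alignment padding that per-field assignments would not cover. The rest of the function is outside the hunk, so I cannot see whether every byte handed to the send path is written first. Initialising at the declaration removes the question: `char outcmsg[CMSG_SPACE(sizeof(struct sctp_sndrcvinfo))] = {0};`.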
@@ -77040,7 +77075,7 @@ index e4141f2..d8263e8 100644
i += packet_length_size;
if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
diff --git a/fs/exec.c b/fs/exec.c
-index 1977c2a..6371905 100644
+index 1977c2a..b6b953a 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -56,8 +56,20 @@
@@ -77536,7 +77571,7 @@ index 1977c2a..6371905 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1743,3 +1918,317 @@ COMPAT_SYSCALL_DEFINE5(execveat, int, fd,
+@@ -1743,3 +1918,324 @@ COMPAT_SYSCALL_DEFINE5(execveat, int, fd,
argv, envp, flags);
}
#endif
@@ -77841,11 +77876,18 @@ index 1977c2a..6371905 100644
+#endif
+
+#ifdef CONFIG_PAX_SIZE_OVERFLOW
++
++#ifdef CONFIG_PAX_SIZE_OVERFLOW_DISABLE_KILL
++static DEFINE_RATELIMIT_STATE(size_overflow_ratelimit, 15 * HZ, 3);
++#endif
++
+void __nocapture(1, 3, 4) __used report_size_overflow(const char *file, unsigned int line, const char *func, const char *ssa_name)
+{
+#ifdef CONFIG_PAX_SIZE_OVERFLOW_DISABLE_KILL
-+ printk_ratelimited(KERN_EMERG "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
-+ dump_stack();
++ if (__ratelimit(&size_overflow_ratelimit)) {
++ printk(KERN_EMERG "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
++ dump_stack();
++ }
+#else
+ printk(KERN_EMERG "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
+ dump_stack();
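Review bot: The `15 * HZ, 3` arguments to `DEFINE_RATELIMIT_STATE(size_overflow_ratelimit, ...)` are undocumented, and under `CONFIG_PAX_SIZE_OVERFLOW_DISABLE_KILL` the new `if (__ratelimit(&size_overflow_ratelimit))` now gates `dump_stack()` as well as the message. Detections beyond the burst in a window therefore leave neither a log line nor a stack trace, which anyone triaging overflow reports from logs needs to know. I would add above the definition `/* at most 3 reports (message + stack) per 15 s; further detections in the window are not logged */`. Separately, the format string `"PAX: size overflow detected in function %s %s:%u %s"` has no trailing `\n` in either branch. `report_size_overflow` continues past the end of the hunk.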
@@ -119212,18 +119254,21 @@ index 0861018..1fd388b 100644
if (1) {
diff --git a/net/core/scm.c b/net/core/scm.c
-index 3b6899b..cf36238 100644
+index 3b6899b..20d20e7 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
-@@ -209,7 +209,7 @@ EXPORT_SYMBOL(__scm_send);
+@@ -209,9 +209,9 @@ EXPORT_SYMBOL(__scm_send);
int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
{
struct cmsghdr __user *cm
- = (__force struct cmsghdr __user *)msg->msg_control;
+ = (struct cmsghdr __force_user *)msg->msg_control;
struct cmsghdr cmhdr;
- int cmlen = CMSG_LEN(len);
+- int cmlen = CMSG_LEN(len);
++ size_t cmlen = CMSG_LEN(len);
int err;
+
+ if (MSG_CMSG_COMPAT & msg->msg_flags)
@@ -232,7 +232,7 @@ int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
err = -EFAULT;
if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
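Review bot: At `size_t cmlen = CMSG_LEN(len);` the length becomes unsigned while the `len` parameter of `put_cmsg` stays `int`, so a negative `len` would now convert to a very large `cmlen` instead of a negative one. The comparison against `msg->msg_controllen` and the later copy are outside the hunk, so I cannot confirm that such a value is clamped before it is used as a copy size. Since `put_cmsg` takes `len` from many callers, I would either reject it up front with `if (len < 0) return -EINVAL;` or add a comment stating that callers must pass a non-negative `len`.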
@@ -119251,6 +119296,24 @@ index 3b6899b..cf36238 100644
i++, cmfptr++)
{
struct socket *sock;
+@@ -297,7 +297,7 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
+
+ if (i > 0)
+ {
+- int cmlen = CMSG_LEN(i*sizeof(int));
++ size_t cmlen = CMSG_LEN(i*sizeof(int));
+ err = put_user(SOL_SOCKET, &cm->cmsg_level);
+ if (!err)
+ err = put_user(SCM_RIGHTS, &cm->cmsg_type);
+@@ -305,6 +305,8 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
+ err = put_user(cmlen, &cm->cmsg_len);
+ if (!err) {
+ cmlen = CMSG_SPACE(i*sizeof(int));
++ if (msg->msg_controllen < cmlen)
++ cmlen = msg->msg_controllen;
+ msg->msg_control += cmlen;
+ msg->msg_controllen -= cmlen;
+ }
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 7b84330..e0f5a86 100644
--- a/net/core/skbuff.c
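Review bot: The new clamp `if (msg->msg_controllen < cmlen) cmlen = msg->msg_controllen;` in `scm_detach_fds` has no comment, and its purpose is not obvious from the surrounding lines. By that point `cmlen` has been reassigned to `CMSG_SPACE(i*sizeof(int))`, which is presumably padded beyond the `CMSG_LEN()` value written to `cmsg_len`, so without the clamp `msg->msg_controllen -= cmlen` could wrap below zero now that `cmlen` is a `size_t`. I would add `/* CMSG_SPACE() pads past CMSG_LEN(); never advance beyond the caller's control buffer */` above the check. The function begins and ends outside the hunk, so whether `MSG_CTRUNC` is set on this path cannot be seen here.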
@@ -132439,10 +132502,10 @@ index 0000000..4c7f7c6
+targets += size_overflow_hash.h size_overflow_hash_aux.h disable_size_overflow_hash.h
diff --git a/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data b/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data
new file mode 100644
-index 0000000..675f934
+index 0000000..3baef37
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data
-@@ -0,0 +1,12396 @@
+@@ -0,0 +1,12398 @@
+disable_so_interrupt_pnode_gru_message_queue_desc_4 interrupt_pnode gru_message_queue_desc 0 4 NULL
+disable_so_bch_btree_insert_fndecl_12 bch_btree_insert fndecl 0 12 NULL
+disable_so_macvlan_sync_address_fndecl_22 macvlan_sync_address fndecl 0 22 NULL nohasharray
@@ -143960,7 +144023,8 @@ index 0000000..675f934
+disable_so_time_to_send_netem_skb_cb_60711 time_to_send netem_skb_cb 0 60711 NULL nohasharray
+disable_so_ref_div_atom_clock_dividers_60711 ref_div atom_clock_dividers 0 60711 &disable_so_time_to_send_netem_skb_cb_60711
+disable_so_dev_sof_uvc_clock_sample_60716 dev_sof uvc_clock_sample 0 60716 NULL
-+disable_so_addr_reg_musb_qh_60718 addr_reg musb_qh 0 60718 NULL
++disable_so_addr_reg_musb_qh_60718 addr_reg musb_qh 0 60718 NULL nohasharray
++enable_so_acpi_ex_do_math_op_fndecl_60718 acpi_ex_do_math_op fndecl 0-3-2 60718 &disable_so_addr_reg_musb_qh_60718
+disable_so_reg_clock_sx150x_789_pri_60721 reg_clock sx150x_789_pri 0 60721 NULL
+disable_so___parse_nl_addr_fndecl_60734 __parse_nl_addr fndecl 0 60734 NULL
+disable_so_frequency_zl10036_state_60737 frequency zl10036_state 0 60737 NULL
@@ -144839,6 +144903,7 @@ index 0000000..675f934
+disable_so_si_pt_regs_65527 si pt_regs 0 65527 NULL
+enable_so_rts_threshold_wiphy_15170 rts_threshold wiphy 0 15170 NULL
+enable_so_value_iw_param_65472 value iw_param 0 65472 NULL
++enable_so_value_acpi_object_integer_44755 value acpi_object_integer 0 44755 NULL
diff --git a/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh b/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh
new file mode 100644
index 0000000..be9724d
@@ -145372,10 +145437,10 @@ index 0000000..37e2e91
+#endif
diff --git a/tools/gcc/size_overflow_plugin/intentional_overflow.c b/tools/gcc/size_overflow_plugin/intentional_overflow.c
new file mode 100644
-index 0000000..72d6a8f
+index 0000000..3f67add
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/intentional_overflow.c
-@@ -0,0 +1,985 @@
+@@ -0,0 +1,941 @@
+/*
+ * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
+ * Licensed under the GPL v2, or (at your option) v3
@@ -146317,50 +146382,6 @@ index 0000000..72d6a8f
+ so_stmt = get_dup_stmt(visited, stmt);
+ create_up_and_down_cast(visited, so_stmt, lhs_type, gimple_assign_rhs1(so_stmt));
+}
-+
-+bool is_intentional_truncation(gassign *assign)
-+{
-+ enum machine_mode lhs_mode, def_rhs_mode;
-+ gimple def_stmt;
-+ const_tree decl, rhs, def_rhs, def_def_rhs, lhs;
-+
-+ if (gimple_num_ops(assign) != 2)
-+ return false;
-+
-+ lhs = gimple_assign_lhs(assign);
-+ if (VAR_P(lhs))
-+ return false;
-+
-+ // structure field write
-+ decl = get_ref_field(lhs);
-+ if (TREE_CODE(decl) != FIELD_DECL)
-+ return false;
-+
-+ rhs = gimple_assign_rhs1(assign);
-+ def_stmt = get_def_stmt(rhs);
-+ if (!def_stmt || !gimple_assign_cast_p(def_stmt))
-+ return false;
-+
-+ lhs_mode = TYPE_MODE(TREE_TYPE(rhs));
-+ def_rhs = gimple_assign_rhs1(def_stmt);
-+ def_rhs_mode = TYPE_MODE(TREE_TYPE(def_rhs));
-+ // cast from 16 to 8
-+ if (def_rhs_mode != HImode || lhs_mode != QImode)
-+ return false;
-+
-+ def_stmt = get_def_stmt(def_rhs);
-+ if (!def_stmt || !is_gimple_assign(def_stmt) || gimple_num_ops(def_stmt) != 2)
-+ return false;
-+
-+ def_def_rhs = gimple_assign_rhs1(def_stmt);
-+ // structure field read
-+#if BUILDING_GCC_VERSION == 4005
-+ return TREE_CODE(def_def_rhs) == INDIRECT_REF;
-+#else
-+ return TREE_CODE(def_def_rhs) == MEM_REF;
-+#endif
-+}
-+
diff --git a/tools/gcc/size_overflow_plugin/remove_unnecessary_dup.c b/tools/gcc/size_overflow_plugin/remove_unnecessary_dup.c
new file mode 100644
index 0000000..5622b51
@@ -146506,10 +146527,10 @@ index 0000000..5622b51
+
diff --git a/tools/gcc/size_overflow_plugin/size_overflow.h b/tools/gcc/size_overflow_plugin/size_overflow.h
new file mode 100644
-index 0000000..1efcc60
+index 0000000..2d733e1
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow.h
-@@ -0,0 +1,323 @@
+@@ -0,0 +1,322 @@
+#ifndef SIZE_OVERFLOW_H
+#define SIZE_OVERFLOW_H
+
@@ -146713,7 +146734,6 @@ index 0000000..1efcc60
+extern bool is_a_neg_overflow(const gassign *stmt, const_tree rhs);
+extern enum intentional_overflow_type add_mul_intentional_overflow(const gassign *stmt);
+extern void unsigned_signed_cast_intentional_overflow(struct visited *visited, gassign *stmt);
-+extern bool is_intentional_truncation(gassign *assign);
+
+
+// insert_size_overflow_asm.c
@@ -147035,10 +147055,10 @@ index 0000000..ab2d25a
+}
diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
new file mode 100644
-index 0000000..ba470a6
+index 0000000..d372a51
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
-@@ -0,0 +1,20761 @@
+@@ -0,0 +1,20759 @@
+enable_so_recv_ctrl_pipe_us_data_0 recv_ctrl_pipe us_data 0 0 NULL
+enable_so___earlyonly_bootmem_alloc_fndecl_3 __earlyonly_bootmem_alloc fndecl 2-3-4 3 NULL
+enable_so_size_ttm_mem_reg_8 size ttm_mem_reg 0 8 NULL
@@ -161256,7 +161276,6 @@ index 0000000..ba470a6
+enable_so_ext4_journalled_write_end_fndecl_44742 ext4_journalled_write_end fndecl 5-3 44742 NULL
+enable_so_erst_clearer_fndecl_44743 erst_clearer fndecl 2 44743 NULL
+enable_so_max_phy_id_vardecl_x86_pkg_temp_thermal_c_44750 max_phy_id vardecl_x86_pkg_temp_thermal.c 0 44750 NULL
-+enable_so_value_acpi_object_integer_44755 value acpi_object_integer 0 44755 NULL
+enable_so_dev_sectors_mddev_44756 dev_sectors mddev 0 44756 NULL
+enable_so_brd_probe_fndecl_44758 brd_probe fndecl 1 44758 NULL
+enable_so_set_ssp_fndecl_44760 set_ssp fndecl 4 44760 NULL
@@ -166285,8 +166304,7 @@ index 0000000..ba470a6
+enable_so_usbdev_read_fndecl_60713 usbdev_read fndecl 3 60713 NULL
+enable_so_pwr_missing_bcns_cnt_read_fndecl_60714 pwr_missing_bcns_cnt_read fndecl 3 60714 NULL
+enable_so_sock_sendmsg_fndecl_60718 sock_sendmsg fndecl 0 60718 NULL nohasharray
-+enable_so_v9fs_xattr_user_set_fndecl_60718 v9fs_xattr_user_set fndecl 4 60718 &enable_so_sock_sendmsg_fndecl_60718 nohasharray
-+enable_so_acpi_ex_do_math_op_fndecl_60718 acpi_ex_do_math_op fndecl 0-3-2 60718 &enable_so_v9fs_xattr_user_set_fndecl_60718
++enable_so_v9fs_xattr_user_set_fndecl_60718 v9fs_xattr_user_set fndecl 4 60718 &enable_so_sock_sendmsg_fndecl_60718
+enable_so_HighPriorityCredit_mpt3sas_facts_60721 HighPriorityCredit mpt3sas_facts 0 60721 NULL
+enable_so_reserved_pebs_ubi_volume_60725 reserved_pebs ubi_volume 0 60725 NULL
+enable_so_c2_pseudo_change_mtu_fndecl_60734 c2_pseudo_change_mtu fndecl 2 60734 NULL
@@ -169642,7 +169660,7 @@ index 0000000..6075e8f
+
diff --git a/tools/gcc/size_overflow_plugin/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin/size_overflow_plugin.c
new file mode 100644
-index 0000000..8838f04
+index 0000000..2fef709
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow_plugin.c
@@ -0,0 +1,318 @@
@@ -169677,7 +169695,7 @@ index 0000000..8838f04
+tree size_overflow_type_TI;
+
+static struct plugin_info size_overflow_plugin_info = {
-+ .version = "20151020",
++ .version = "20151021",
+ .help = "no-size-overflow\tturn off size overflow checking\n",
+};
+
@@ -170324,10 +170342,10 @@ index 0000000..317cd6c
+
diff --git a/tools/gcc/size_overflow_plugin/size_overflow_transform.c b/tools/gcc/size_overflow_plugin/size_overflow_transform.c
new file mode 100644
-index 0000000..ee7633e
+index 0000000..0395a48
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow_transform.c
-@@ -0,0 +1,742 @@
+@@ -0,0 +1,739 @@
+/*
+ * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
+ * Licensed under the GPL v2, or (at your option) v3
@@ -170876,9 +170894,6 @@ index 0000000..ee7633e
+ if (mark != MARK_NO)
+ return head;
+
-+ if (is_intentional_truncation(assign))
-+ return head;
-+
+ rhs1 = gimple_assign_rhs1(assign);
+ head = search_interesting_stmt(head, next_node, assign, rhs1, 0);
+
@@ -171072,10 +171087,10 @@ index 0000000..ee7633e
+}
diff --git a/tools/gcc/size_overflow_plugin/size_overflow_transform_core.c b/tools/gcc/size_overflow_plugin/size_overflow_transform_core.c
new file mode 100644
-index 0000000..e7a17f5
+index 0000000..4ac2d6e
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow_transform_core.c
-@@ -0,0 +1,1004 @@
+@@ -0,0 +1,1010 @@
+/*
+ * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
+ * Licensed under the GPL v2, or (at your option) v3
@@ -171747,6 +171762,12 @@ index 0000000..e7a17f5
+ if (handle_unsigned_neg_or_bit_not(visited, expand_from, stmt))
+ return dup_assign(visited, stmt, lhs, new_rhs1, NULL_TREE, NULL_TREE);
+
++ // skip lhs check on HI -> QI cast
++ if (rhs_mode == HImode && lhs_mode == QImode) {
++ pointer_set_insert(visited->no_cast_check, stmt);
++ return dup_assign(visited, stmt, lhs, new_rhs1, NULL_TREE, NULL_TREE);
++ }
++
+ // skip lhs check on signed SI -> HI cast or signed SI -> QI cast
+ if (rhs_mode == SImode && !TYPE_UNSIGNED(rhs_type) && (lhs_mode == HImode || lhs_mode == QImode))
+ return create_assign(visited, stmt, lhs, AFTER_STMT);
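Review bot: The added branch `if (rhs_mode == HImode && lhs_mode == QImode)` skips the lhs check for every 16-bit to 8-bit cast, which is a wider exemption than the `is_intentional_truncation()` helper this commit removes. That helper, visible in the `intentional_overflow.c` hunk, also required a structure-field write fed by a memory read before treating the truncation as intentional. The comment `// skip lhs check on HI -> QI cast` says what is skipped but not why it is safe to skip it everywhere. I would extend it to state the justification and the known cost, e.g. `// skip lhs check on HI -> QI cast: <reason>; unintended 16->8 truncations are no longer reported`, or keep the structural conditions if the broadening was not intended. The enclosing function starts and ends outside the hunk.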