grsecurity-3.1-4.4.6-20160322174820160322

author: Anthony G. Basile <blueness@gentoo.org> 2016-03-23 09:33:42 -0400
committer: Anthony G. Basile <blueness@gentoo.org> 2016-03-23 09:33:42 -0400
commit: d25ba7fcc3a74ea61aee8447d872e1595c267eaa (patch)
tree: ee875c476fca550a44b2d3a4e98e8da9f69b8f4c
parent: grsecurity-3.1-4.4.5-201603142220 (diff)
download: hardened-patchset-d25ba7fcc3a74ea61aee8447d872e1595c267eaa.tar.gz
hardened-patchset-d25ba7fcc3a74ea61aee8447d872e1595c267eaa.tar.bz2
hardened-patchset-d25ba7fcc3a74ea61aee8447d872e1595c267eaa.zip
11 files changed, 67 insertions, 170 deletions
diff --git a/4.4.5/0000_README b/4.4.6/0000_README
index 6d51814..3c1a08c 100644
--- a/4.4.5/0000_README
+++ b/4.4.6/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.1-4.4.5-201603142220.patch
+Patch:	4420_grsecurity-3.1-4.4.6-201603221748.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/4.4.5/4420_grsecurity-3.1-4.4.5-201603142220.patch b/4.4.6/4420_grsecurity-3.1-4.4.6-201603221748.patch
index dac56bb..a0d7af9 100644
--- a/4.4.5/4420_grsecurity-3.1-4.4.5-201603142220.patch
+++ b/4.4.6/4420_grsecurity-3.1-4.4.6-201603221748.patch
@@ -448,22 +448,8 @@ index af70d15..ccd3786 100644
  modules_disabled:
  
  A toggle value indicating if modules are allowed to be loaded
-diff --git a/Documentation/virtual/kvm/mmu.txt b/Documentation/virtual/kvm/mmu.txt
-index 3a4d681..b653641 100644
---- a/Documentation/virtual/kvm/mmu.txt
-+++ b/Documentation/virtual/kvm/mmu.txt
-@@ -358,7 +358,8 @@ In the first case there are two additional complications:
- - if CR4.SMEP is enabled: since we've turned the page into a kernel page,
-   the kernel may now execute it.  We handle this by also setting spte.nx.
-   If we get a user fetch or read fault, we'll change spte.u=1 and
--  spte.nx=gpte.nx back.
-+  spte.nx=gpte.nx back.  For this to work, KVM forces EFER.NX to 1 when
-+  shadow paging is in use.
- - if CR4.SMAP is disabled: since the page has been changed to a kernel
-   page, it can not be reused when CR4.SMAP is enabled. We set
-   CR4.SMAP && !CR0.WP into shadow page's role to avoid this case. Note,
 diff --git a/Makefile b/Makefile
-index d13322a..6eaab55 100644
+index 87d12b4..b9e0477 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -3514,7 +3500,7 @@ index 78c02b3..c94109a 100644
  struct omap_device *omap_device_alloc(struct platform_device *pdev,
  				      struct omap_hwmod **ohs, int oh_cnt);
 diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
-index 48495ad8..9502fdd 100644
+index 8e0bd59..1d0b85e 100644
 --- a/arch/arm/mach-omap2/omap_hwmod.c
 +++ b/arch/arm/mach-omap2/omap_hwmod.c
 @@ -200,10 +200,10 @@ struct omap_hwmod_soc_ops {
@@ -5594,10 +5580,10 @@ index 4efe96a..60e8699 100644
  #define SMP_CACHE_BYTES	L1_CACHE_BYTES
  
 diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
-index 71683a8..54062ef 100644
+index db45961..6932668 100644
 --- a/arch/mips/Kconfig
 +++ b/arch/mips/Kconfig
-@@ -2641,6 +2641,7 @@ source "kernel/Kconfig.preempt"
+@@ -2642,6 +2642,7 @@ source "kernel/Kconfig.preempt"
  config KEXEC
  	bool "Kexec system call"
  	select KEXEC_CORE
@@ -29629,27 +29615,6 @@ index 4d30b86..94115f0 100644
  
  #define APIC_LVT_NUM			6
  /* 14 is the version for Xeon and Pentium 8.4.8*/
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index e7c2c14..8eb8a93 100644
---- a/arch/x86/kvm/mmu.c
-+++ b/arch/x86/kvm/mmu.c
-@@ -3754,13 +3754,15 @@ static void reset_rsvds_bits_mask_ept(struct kvm_vcpu *vcpu,
- void
- reset_shadow_zero_bits_mask(struct kvm_vcpu *vcpu, struct kvm_mmu *context)
- {
-+	bool uses_nx = context->nx || context->base_role.smep_andnot_wp;
-+
- 	/*
- 	 * Passing "true" to the last argument is okay; it adds a check
- 	 * on bit 8 of the SPTEs which KVM doesn't use anyway.
- 	 */
- 	__reset_rsvds_bits_mask(vcpu, &context->shadow_zero_check,
- 				boot_cpu_data.x86_phys_bits,
--				context->shadow_root_level, context->nx,
-+				context->shadow_root_level, uses_nx,
- 				guest_cpuid_has_gbpages(vcpu), is_pse(vcpu),
- 				true);
- }
 diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
 index 7be8a25..7d71250 100644
 --- a/arch/x86/kvm/paging_tmpl.h
@@ -29700,7 +29665,7 @@ index 899c40f..a114588 100644
  	.disabled_by_bios = is_disabled,
  	.hardware_setup = svm_hardware_setup,
 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 5fd846c..405597f 100644
+index 0958fa2..9fe3f1d 100644
 --- a/arch/x86/kvm/vmx.c
 +++ b/arch/x86/kvm/vmx.c
 @@ -1514,12 +1514,12 @@ static void vmcs_write64(unsigned long field, u64 value)
@@ -29718,7 +29683,7 @@ index 5fd846c..405597f 100644
  {
  	vmcs_writel(field, vmcs_readl(field) | mask);
  }
-@@ -1779,32 +1779,41 @@ static void reload_tss(void)
+@@ -1786,7 +1786,11 @@ static void reload_tss(void)
  	struct desc_struct *descs;
  
  	descs = (void *)gdt->address;
@@ -29730,72 +29695,7 @@ index 5fd846c..405597f 100644
  	load_TR_desc();
  }
  
- static bool update_transition_efer(struct vcpu_vmx *vmx, int efer_offset)
- {
--	u64 guest_efer;
--	u64 ignore_bits;
-+	u64 guest_efer = vmx->vcpu.arch.efer;
-+	u64 ignore_bits = 0;
- 
--	guest_efer = vmx->vcpu.arch.efer;
-+	if (!enable_ept) {
-+		/*
-+		 * NX is needed to handle CR0.WP=1, CR4.SMEP=1.  Testing
-+		 * host CPUID is more efficient than testing guest CPUID
-+		 * or CR4.  Host SMEP is anyway a requirement for guest SMEP.
-+		 */
-+		if (boot_cpu_has(X86_FEATURE_SMEP))
-+			guest_efer |= EFER_NX;
-+		else if (!(guest_efer & EFER_NX))
-+			ignore_bits |= EFER_NX;
-+	}
- 
- 	/*
--	 * NX is emulated; LMA and LME handled by hardware; SCE meaningless
--	 * outside long mode
-+	 * LMA and LME handled by hardware; SCE meaningless outside long mode.
- 	 */
--	ignore_bits = EFER_NX | EFER_SCE;
-+	ignore_bits |= EFER_SCE;
- #ifdef CONFIG_X86_64
- 	ignore_bits |= EFER_LMA | EFER_LME;
- 	/* SCE is meaningful only in long mode on Intel */
- 	if (guest_efer & EFER_LMA)
- 		ignore_bits &= ~(u64)EFER_SCE;
- #endif
--	guest_efer &= ~ignore_bits;
--	guest_efer |= host_efer & ignore_bits;
--	vmx->guest_msrs[efer_offset].data = guest_efer;
--	vmx->guest_msrs[efer_offset].mask = ~ignore_bits;
- 
- 	clear_atomic_switch_msr(vmx, MSR_EFER);
- 
-@@ -1815,16 +1824,21 @@ static bool update_transition_efer(struct vcpu_vmx *vmx, int efer_offset)
- 	 */
- 	if (cpu_has_load_ia32_efer ||
- 	    (enable_ept && ((vmx->vcpu.arch.efer ^ host_efer) & EFER_NX))) {
--		guest_efer = vmx->vcpu.arch.efer;
- 		if (!(guest_efer & EFER_LMA))
- 			guest_efer &= ~EFER_LME;
- 		if (guest_efer != host_efer)
- 			add_atomic_switch_msr(vmx, MSR_EFER,
- 					      guest_efer, host_efer);
- 		return false;
-+	} else {
-+		guest_efer &= ~ignore_bits;
-+		guest_efer |= host_efer & ignore_bits;
-+
-+		vmx->guest_msrs[efer_offset].data = guest_efer;
-+		vmx->guest_msrs[efer_offset].mask = ~ignore_bits;
-+
-+		return true;
- 	}
--
--	return true;
- }
- 
- static unsigned long segment_base(u16 selector)
-@@ -2061,6 +2075,10 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
+@@ -2078,6 +2082,10 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
  		vmcs_writel(HOST_TR_BASE, kvm_read_tr_base()); /* 22.2.4 */
  		vmcs_writel(HOST_GDTR_BASE, gdt->address);   /* 22.2.4 */
  
@@ -29806,7 +29706,7 @@ index 5fd846c..405597f 100644
  		rdmsrl(MSR_IA32_SYSENTER_ESP, sysenter_esp);
  		vmcs_writel(HOST_IA32_SYSENTER_ESP, sysenter_esp); /* 22.2.3 */
  
-@@ -2378,7 +2396,7 @@ static void setup_msrs(struct vcpu_vmx *vmx)
+@@ -2395,7 +2403,7 @@ static void setup_msrs(struct vcpu_vmx *vmx)
   * guest_tsc = (host_tsc * tsc multiplier) >> 48 + tsc_offset
   * -- Intel TSC Scaling for Virtualization White Paper, sec 1.3
   */
@@ -29815,7 +29715,7 @@ index 5fd846c..405597f 100644
  {
  	u64 host_tsc, tsc_offset;
  
-@@ -4609,7 +4627,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
+@@ -4626,7 +4634,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
  	unsigned long cr4;
  
  	vmcs_writel(HOST_CR0, read_cr0() & ~X86_CR0_TS);  /* 22.2.3 */
@@ -29826,7 +29726,7 @@ index 5fd846c..405597f 100644
  
  	/* Save the most likely value for this task's CR4 in the VMCS. */
  	cr4 = cr4_read_shadow();
-@@ -4636,7 +4657,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
+@@ -4653,7 +4664,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
  	vmcs_writel(HOST_IDTR_BASE, dt.address);   /* 22.2.4 */
  	vmx->host_idt_base = dt.address;
  
@@ -29835,7 +29735,7 @@ index 5fd846c..405597f 100644
  
  	rdmsr(MSR_IA32_SYSENTER_CS, low32, high32);
  	vmcs_write32(HOST_IA32_SYSENTER_CS, low32);
-@@ -6186,11 +6207,17 @@ static __init int hardware_setup(void)
+@@ -6203,11 +6214,17 @@ static __init int hardware_setup(void)
  	 * page upon invalidation.  No need to do anything if not
  	 * using the APIC_ACCESS_ADDR VMCS field.
  	 */
@@ -29855,7 +29755,7 @@ index 5fd846c..405597f 100644
  
  	if (enable_ept && !cpu_has_vmx_ept_2m_page())
  		kvm_disable_largepages();
-@@ -6207,6 +6234,7 @@ static __init int hardware_setup(void)
+@@ -6224,6 +6241,7 @@ static __init int hardware_setup(void)
  		kvm_tsc_scaling_ratio_frac_bits = 48;
  	}
  
@@ -29863,7 +29763,7 @@ index 5fd846c..405597f 100644
  	if (enable_apicv)
  		kvm_x86_ops->update_cr8_intercept = NULL;
  	else {
-@@ -6215,6 +6243,7 @@ static __init int hardware_setup(void)
+@@ -6232,6 +6250,7 @@ static __init int hardware_setup(void)
  		kvm_x86_ops->deliver_posted_interrupt = NULL;
  		kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy;
  	}
@@ -29871,7 +29771,7 @@ index 5fd846c..405597f 100644
  
  	vmx_disable_intercept_for_msr(MSR_FS_BASE, false);
  	vmx_disable_intercept_for_msr(MSR_GS_BASE, false);
-@@ -6269,10 +6298,12 @@ static __init int hardware_setup(void)
+@@ -6286,10 +6305,12 @@ static __init int hardware_setup(void)
  		enable_pml = 0;
  
  	if (!enable_pml) {
@@ -29884,7 +29784,7 @@ index 5fd846c..405597f 100644
  	}
  
  	kvm_set_posted_intr_wakeup_handler(wakeup_handler);
-@@ -8584,6 +8615,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8601,6 +8622,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  		"jmp 2f \n\t"
  		"1: " __ex(ASM_VMX_VMRESUME) "\n\t"
  		"2: "
@@ -29897,7 +29797,7 @@ index 5fd846c..405597f 100644
  		/* Save guest registers, load host registers, keep flags */
  		"mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
  		"pop %0 \n\t"
-@@ -8636,6 +8673,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8653,6 +8680,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  #endif
  		[cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
  		[wordsize]"i"(sizeof(ulong))
@@ -29909,7 +29809,7 @@ index 5fd846c..405597f 100644
  	      : "cc", "memory"
  #ifdef CONFIG_X86_64
  		, "rax", "rbx", "rdi", "rsi"
-@@ -8649,7 +8691,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8666,7 +8698,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  	if (debugctlmsr)
  		update_debugctlmsr(debugctlmsr);
  
@@ -29918,7 +29818,7 @@ index 5fd846c..405597f 100644
  	/*
  	 * The sysexit path does not restore ds/es, so we must set them to
  	 * a reasonable value ourselves.
-@@ -8658,8 +8700,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8675,8 +8707,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  	 * may be executed in interrupt context, which saves and restore segments
  	 * around it, nullifying its effect.
  	 */
@@ -29939,7 +29839,7 @@ index 5fd846c..405597f 100644
  #endif
  
  	vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
-@@ -10741,7 +10793,7 @@ out:
+@@ -10758,7 +10800,7 @@ out:
  	return ret;
  }
  
@@ -34577,7 +34477,7 @@ index c3b3f65..5bfe5dc 100644
  	unsigned long uninitialized_var(pfn_align);
  	int i, nid;
 diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
-index db20ee9..a2bb098 100644
+index b599a78..4ac899d 100644
 --- a/arch/x86/mm/pageattr.c
 +++ b/arch/x86/mm/pageattr.c
 @@ -259,7 +259,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
@@ -34624,7 +34524,7 @@ index db20ee9..a2bb098 100644
  	prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
  
  	return prot;
-@@ -445,23 +454,37 @@ EXPORT_SYMBOL_GPL(slow_virt_to_phys);
+@@ -451,23 +460,37 @@ EXPORT_SYMBOL_GPL(slow_virt_to_phys);
  static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
  {
  	/* change init_mm */
@@ -34664,7 +34564,7 @@ index db20ee9..a2bb098 100644
  }
  
  static int
-@@ -698,6 +721,10 @@ __split_large_page(struct cpa_data *cpa, pte_t *kpte, unsigned long address,
+@@ -704,6 +727,10 @@ __split_large_page(struct cpa_data *cpa, pte_t *kpte, unsigned long address,
  	return 0;
  }
  
@@ -34675,7 +34575,7 @@ index db20ee9..a2bb098 100644
  static int split_large_page(struct cpa_data *cpa, pte_t *kpte,
  			    unsigned long address)
  {
-@@ -1141,6 +1168,9 @@ static int __cpa_process_fault(struct cpa_data *cpa, unsigned long vaddr,
+@@ -1147,6 +1174,9 @@ static int __cpa_process_fault(struct cpa_data *cpa, unsigned long vaddr,
  	}
  }
  
@@ -34685,7 +34585,7 @@ index db20ee9..a2bb098 100644
  static int __change_page_attr(struct cpa_data *cpa, int primary)
  {
  	unsigned long address;
-@@ -1199,7 +1229,9 @@ repeat:
+@@ -1205,7 +1235,9 @@ repeat:
  		 * Do we really change anything ?
  		 */
  		if (pte_val(old_pte) != pte_val(new_pte)) {
@@ -44054,7 +43954,7 @@ index b928c17..e5d9400 100644
  	if (regcomp
  	    (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
 diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
-index d690df5..4aaaead 100644
+index c566993..0bf8fae 100644
 --- a/drivers/gpu/drm/radeon/radeon_device.c
 +++ b/drivers/gpu/drm/radeon/radeon_device.c
 @@ -1253,7 +1253,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev)
@@ -54128,7 +54028,7 @@ index 29ae58e..305baa0 100644
  		case WLAN_CIPHER_SUITE_TKIP:
  			iwl_mvm_tkip_sc_to_seq(&sc->tkip.tsc, &seq);
 diff --git a/drivers/net/wireless/iwlwifi/mvm/tx.c b/drivers/net/wireless/iwlwifi/mvm/tx.c
-index c652a66..1f75da8 100644
+index 6743edf..22a86c5 100644
 --- a/drivers/net/wireless/iwlwifi/mvm/tx.c
 +++ b/drivers/net/wireless/iwlwifi/mvm/tx.c
 @@ -284,7 +284,7 @@ static void iwl_mvm_set_tx_cmd_crypto(struct iwl_mvm *mvm,
@@ -84903,10 +84803,10 @@ index eff6319..d8a12987 100644
  	if (res < 0) {
  		free_page((unsigned long) buf);
 diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
-index b29036a..dcce79c 100644
+index 05ac9a9..c60faca 100644
 --- a/fs/overlayfs/inode.c
 +++ b/fs/overlayfs/inode.c
-@@ -356,6 +356,9 @@ struct inode *ovl_d_select_inode(struct dentry *dentry, unsigned file_flags)
+@@ -358,6 +358,9 @@ struct inode *ovl_d_select_inode(struct dentry *dentry, unsigned file_flags)
  	if (d_is_dir(dentry))
  		return d_backing_inode(dentry);
  
@@ -84917,10 +84817,10 @@ index b29036a..dcce79c 100644
  	if (ovl_open_need_copy_up(file_flags, type, realpath.dentry)) {
  		err = ovl_want_write(dentry);
 diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
-index f42c940..e5ae48a 100644
+index 000b2ed..0be081d 100644
 --- a/fs/overlayfs/super.c
 +++ b/fs/overlayfs/super.c
-@@ -173,7 +173,7 @@ void ovl_path_lower(struct dentry *dentry, struct path *path)
+@@ -175,7 +175,7 @@ void ovl_path_lower(struct dentry *dentry, struct path *path)
  {
  	struct ovl_entry *oe = dentry->d_fsdata;
  
@@ -84929,7 +84829,7 @@ index f42c940..e5ae48a 100644
  }
  
  int ovl_want_write(struct dentry *dentry)
-@@ -881,8 +881,8 @@ static unsigned int ovl_split_lowerdirs(char *str)
+@@ -884,8 +884,8 @@ static unsigned int ovl_split_lowerdirs(char *str)
  
  static int ovl_fill_super(struct super_block *sb, void *data, int silent)
  {
@@ -87858,10 +87758,10 @@ index 8d974c4..b82f6ec 100644
  {
  	if (UFS_SB(sbp)->s_bytesex == BYTESEX_LE)
 diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
-index 5031170..472208c 100644
+index 66cdb44..2eb05e1 100644
 --- a/fs/userfaultfd.c
 +++ b/fs/userfaultfd.c
-@@ -426,7 +426,7 @@ static int userfaultfd_release(struct inode *inode, struct file *file)
+@@ -432,7 +432,7 @@ static int userfaultfd_release(struct inode *inode, struct file *file)
  	struct userfaultfd_wake_range range = { .len = 0, };
  	unsigned long new_flags;
  
@@ -100351,22 +100251,6 @@ index 576e463..28fd926 100644
  
  extern void __register_binfmt(struct linux_binfmt *fmt, int insert);
  
-diff --git a/include/linux/bio.h b/include/linux/bio.h
-index 79cfaee..fbe47bc 100644
---- a/include/linux/bio.h
-+++ b/include/linux/bio.h
-@@ -320,11 +320,6 @@ static inline void bio_get_last_bvec(struct bio *bio, struct bio_vec *bv)
- 	struct bvec_iter iter = bio->bi_iter;
- 	int idx;
- 
--	if (!bio_flagged(bio, BIO_CLONED)) {
--		*bv = bio->bi_io_vec[bio->bi_vcnt - 1];
--		return;
--	}
--
- 	if (unlikely(!bio_multiple_segments(bio))) {
- 		*bv = bio_iovec(bio);
- 		return;
 diff --git a/include/linux/bitmap.h b/include/linux/bitmap.h
 index 9653fdb..b3d3a17 100644
 --- a/include/linux/bitmap.h
@@ -126560,6 +126444,19 @@ index 9da3287..87089a6 100644
  	icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
  
  	kfree_skb(skb);
+diff --git a/net/ipv6/xfrm6_mode_transport.c b/net/ipv6/xfrm6_mode_transport.c
+index 4e34410..232827a 100644
+--- a/net/ipv6/xfrm6_mode_transport.c
++++ b/net/ipv6/xfrm6_mode_transport.c
+@@ -19,7 +19,7 @@
+  * The IP header and mutable extension headers will be moved forward to make
+  * space for the encapsulation header.
+  */
+-static int xfrm6_transport_output(struct xfrm_state *x, struct sk_buff *skb)
++static int __intentional_overflow(0) xfrm6_transport_output(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ 	struct ipv6hdr *iph;
+ 	u8 *prevhdr;
 diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
 index c074771..45ded9b 100644
 --- a/net/ipv6/xfrm6_policy.c
@@ -126940,7 +126837,7 @@ index 7961e7d..eea148f 100644
  				(u8)(pn >> 40), (u8)(pn >> 32), (u8)(pn >> 24),
  				(u8)(pn >> 16), (u8)(pn >> 8), (u8)pn);
 diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
-index 5322b4c..ed9ecbe 100644
+index 6837a46..f8aaf7d 100644
 --- a/net/mac80211/ieee80211_i.h
 +++ b/net/mac80211/ieee80211_i.h
 @@ -30,6 +30,7 @@
@@ -130211,10 +130108,10 @@ index dc9c792..3089de0 100644
 +	.process_negotiate = vmci_transport_notify_pkt_process_negotiate,
  };
 diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
-index c8717c1..08539f5 100644
+index b50ee5d..ccf70ab 100644
 --- a/net/wireless/wext-core.c
 +++ b/net/wireless/wext-core.c
-@@ -748,8 +748,7 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
+@@ -778,8 +778,7 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
  		 */
  
  		/* Support for very large requests */
@@ -130224,7 +130121,7 @@ index c8717c1..08539f5 100644
  			/* Allow userspace to GET more than max so
  			 * we can support any size GET requests.
  			 * There is still a limit : -ENOMEM.
-@@ -788,22 +787,6 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
+@@ -818,22 +817,6 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
  		}
  	}
  
@@ -180450,7 +180347,7 @@ index 0a578fe..b81f62d 100644
  })
  
 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 484079e..70365d0 100644
+index 7338e30..5adab9c 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
 @@ -90,12 +90,17 @@ LIST_HEAD(vm_list);
@@ -180502,7 +180399,7 @@ index 484079e..70365d0 100644
  }
  EXPORT_SYMBOL_GPL(kvm_clear_guest_page);
  
-@@ -2233,7 +2246,7 @@ static int kvm_vcpu_release(struct inode *inode, struct file *filp)
+@@ -2236,7 +2249,7 @@ static int kvm_vcpu_release(struct inode *inode, struct file *filp)
  	return 0;
  }
  
@@ -180511,7 +180408,7 @@ index 484079e..70365d0 100644
  	.release        = kvm_vcpu_release,
  	.unlocked_ioctl = kvm_vcpu_ioctl,
  #ifdef CONFIG_KVM_COMPAT
-@@ -2949,7 +2962,7 @@ out:
+@@ -2952,7 +2965,7 @@ out:
  }
  #endif
  
@@ -180520,7 +180417,7 @@ index 484079e..70365d0 100644
  	.release        = kvm_vm_release,
  	.unlocked_ioctl = kvm_vm_ioctl,
  #ifdef CONFIG_KVM_COMPAT
-@@ -3020,7 +3033,7 @@ out:
+@@ -3023,7 +3036,7 @@ out:
  	return r;
  }
  
@@ -180529,7 +180426,7 @@ index 484079e..70365d0 100644
  	.unlocked_ioctl = kvm_dev_ioctl,
  	.compat_ioctl   = kvm_dev_ioctl,
  	.llseek		= noop_llseek,
-@@ -3046,7 +3059,7 @@ static void hardware_enable_nolock(void *junk)
+@@ -3049,7 +3062,7 @@ static void hardware_enable_nolock(void *junk)
  
  	if (r) {
  		cpumask_clear_cpu(cpu, cpus_hardware_enabled);
@@ -180538,7 +180435,7 @@ index 484079e..70365d0 100644
  		pr_info("kvm: enabling virtualization on CPU%d failed\n", cpu);
  	}
  }
-@@ -3101,10 +3114,10 @@ static int hardware_enable_all(void)
+@@ -3104,10 +3117,10 @@ static int hardware_enable_all(void)
  
  	kvm_usage_count++;
  	if (kvm_usage_count == 1) {
@@ -180551,7 +180448,7 @@ index 484079e..70365d0 100644
  			hardware_disable_all_nolock();
  			r = -EBUSY;
  		}
-@@ -3568,7 +3581,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -3571,7 +3584,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
  	if (!vcpu_align)
  		vcpu_align = __alignof__(struct kvm_vcpu);
  	kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align,
@@ -180560,7 +180457,7 @@ index 484079e..70365d0 100644
  	if (!kvm_vcpu_cache) {
  		r = -ENOMEM;
  		goto out_free_3;
-@@ -3578,9 +3591,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -3581,9 +3594,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
  	if (r)
  		goto out_free;
  
@@ -180572,7 +180469,7 @@ index 484079e..70365d0 100644
  
  	r = misc_register(&kvm_dev);
  	if (r) {
-@@ -3590,9 +3605,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -3593,9 +3608,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
  
  	register_syscore_ops(&kvm_syscore_ops);
  
diff --git a/4.4.5/4425_grsec_remove_EI_PAX.patch b/4.4.6/4425_grsec_remove_EI_PAX.patch
index 2a1aa6c..2a1aa6c 100644
--- a/4.4.5/4425_grsec_remove_EI_PAX.patch
+++ b/4.4.6/4425_grsec_remove_EI_PAX.patch
diff --git a/4.4.5/4427_force_XATTR_PAX_tmpfs.patch b/4.4.6/4427_force_XATTR_PAX_tmpfs.patch
index f6aea64..f6aea64 100644
--- a/4.4.5/4427_force_XATTR_PAX_tmpfs.patch
+++ b/4.4.6/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/4.4.5/4430_grsec-remove-localversion-grsec.patch b/4.4.6/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/4.4.5/4430_grsec-remove-localversion-grsec.patch
+++ b/4.4.6/4430_grsec-remove-localversion-grsec.patch
diff --git a/4.4.5/4435_grsec-mute-warnings.patch b/4.4.6/4435_grsec-mute-warnings.patch
index b7564e4..b7564e4 100644
--- a/4.4.5/4435_grsec-mute-warnings.patch
+++ b/4.4.6/4435_grsec-mute-warnings.patch
diff --git a/4.4.5/4440_grsec-remove-protected-paths.patch b/4.4.6/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/4.4.5/4440_grsec-remove-protected-paths.patch
+++ b/4.4.6/4440_grsec-remove-protected-paths.patch
diff --git a/4.4.5/4450_grsec-kconfig-default-gids.patch b/4.4.6/4450_grsec-kconfig-default-gids.patch
index 77f9706..79a866b 100644
--- a/4.4.5/4450_grsec-kconfig-default-gids.patch
+++ b/4.4.6/4450_grsec-kconfig-default-gids.patch
@@ -16,7 +16,7 @@ from shooting themselves in the foot.
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2012-10-13 09:51:35.000000000 -0400
 +++ b/grsecurity/Kconfig	2012-10-13 09:52:32.000000000 -0400
-@@ -697,7 +697,7 @@
+@@ -699,7 +699,7 @@
  config GRKERNSEC_AUDIT_GID
  	int "GID for auditing"
  	depends on GRKERNSEC_AUDIT_GROUP
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  
  config GRKERNSEC_EXECLOG
  	bool "Exec logging"
-@@ -946,7 +946,7 @@
+@@ -948,7 +948,7 @@
  config GRKERNSEC_TPE_UNTRUSTED_GID
  	int "GID for TPE-untrusted users"
  	depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Setting this GID determines what group TPE restrictions will be
  	  *enabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -955,7 +955,7 @@
+@@ -957,7 +957,7 @@
  config GRKERNSEC_TPE_TRUSTED_GID
  	int "GID for TPE-trusted users"
  	depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Setting this GID determines what group TPE restrictions will be
  	  *disabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -1040,7 +1040,7 @@
+@@ -1042,7 +1042,7 @@
  config GRKERNSEC_SOCKET_ALL_GID
  	int "GID to deny all sockets for"
  	depends on GRKERNSEC_SOCKET_ALL
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Here you can choose the GID to disable socket access for. Remember to
  	  add the users you want socket access disabled for to the GID
-@@ -1061,7 +1061,7 @@
+@@ -1063,7 +1063,7 @@
  config GRKERNSEC_SOCKET_CLIENT_GID
  	int "GID to deny client sockets for"
  	depends on GRKERNSEC_SOCKET_CLIENT
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Here you can choose the GID to disable client socket access for.
  	  Remember to add the users you want client socket access disabled for to
-@@ -1079,7 +1079,7 @@
+@@ -1081,7 +1081,7 @@
  config GRKERNSEC_SOCKET_SERVER_GID
  	int "GID to deny server sockets for"
  	depends on GRKERNSEC_SOCKET_SERVER
diff --git a/4.4.5/4465_selinux-avc_audit-log-curr_ip.patch b/4.4.6/4465_selinux-avc_audit-log-curr_ip.patch
index f1c4923..7248385 100644
--- a/4.4.5/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/4.4.6/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2011-04-17 19:25:54.000000000 -0400
 +++ b/grsecurity/Kconfig	2011-04-17 19:32:53.000000000 -0400
-@@ -1174,6 +1174,27 @@
+@@ -1176,6 +1176,27 @@
  menu "Logging Options"
  depends on GRKERNSEC
  
diff --git a/4.4.5/4470_disable-compat_vdso.patch b/4.4.6/4470_disable-compat_vdso.patch
index 281aad9..281aad9 100644
--- a/4.4.5/4470_disable-compat_vdso.patch
+++ b/4.4.6/4470_disable-compat_vdso.patch
diff --git a/4.4.5/4475_emutramp_default_on.patch b/4.4.6/4475_emutramp_default_on.patch
index afd6019..afd6019 100644
--- a/4.4.5/4475_emutramp_default_on.patch
+++ b/4.4.6/4475_emutramp_default_on.patch
author	Anthony G. Basile <blueness@gentoo.org>	2016-03-23 09:33:42 -0400
committer	Anthony G. Basile <blueness@gentoo.org>	2016-03-23 09:33:42 -0400
commit	d25ba7fcc3a74ea61aee8447d872e1595c267eaa (patch)
tree	ee875c476fca550a44b2d3a4e98e8da9f69b8f4c
parent	grsecurity-3.1-4.4.5-201603142220 (diff)
download	hardened-patchset-d25ba7fcc3a74ea61aee8447d872e1595c267eaa.tar.gz hardened-patchset-d25ba7fcc3a74ea61aee8447d872e1595c267eaa.tar.bz2 hardened-patchset-d25ba7fcc3a74ea61aee8447d872e1595c267eaa.zip