authorAnthony G. Basile <blueness@gentoo.org>2016-09-01 12:19:58 -0400
committerAnthony G. Basile <blueness@gentoo.org>2016-09-01 12:19:58 -0400
commite2a98b267048a5c634a9963b7910407d089cdc2f (patch)
treec676591d8d0038fc9000b01a19f0dddbda8d1afe
parentgrsecurity-3.1-4.7.2-201608211829 (diff)
grsecurity-3.1-4.7.2-20160831232620160831
-rw-r--r--4.7.2/0000_README2
-rw-r--r--4.7.2/4420_grsecurity-3.1-4.7.2-201608312326.patch (renamed from 4.7.2/4420_grsecurity-3.1-4.7.2-201608211829.patch)129
2 files changed, 96 insertions, 35 deletions
diff --git a/4.7.2/0000_README b/4.7.2/0000_README
index 0fbc43d..cfaeba4 100644
--- a/4.7.2/0000_README
+++ b/4.7.2/0000_README
@@ -10,7 +10,7 @@ Patch: 1001_linux-4.7.2.patch
From: http://www.kernel.org
Desc: Linux 4.7.2
-Patch: 4420_grsecurity-3.1-4.7.2-201608211829.patch
+Patch: 4420_grsecurity-3.1-4.7.2-201608312326.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.7.2/4420_grsecurity-3.1-4.7.2-201608211829.patch b/4.7.2/4420_grsecurity-3.1-4.7.2-201608312326.patch
index 6aabc5c..0653f29 100644
--- a/4.7.2/4420_grsecurity-3.1-4.7.2-201608211829.patch
+++ b/4.7.2/4420_grsecurity-3.1-4.7.2-201608312326.patch
@@ -23925,7 +23925,7 @@ index c3496619..3f3a7dc 100644
asmlinkage void smp_deferred_error_interrupt(void);
#endif
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
-index 2982387..a619e60c 100644
+index 2982387..8adcc96 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -8,6 +8,7 @@
@@ -24401,7 +24401,7 @@ index 2982387..a619e60c 100644
- copy_from_user_overflow();
- else
- __copy_from_user_overflow(sz, n);
-+ if (likely(sz != (size_t)-1 && sz < n)) {
++ if (unlikely(sz != (size_t)-1 && sz < n)) {
+ if(__builtin_constant_p(n))
+ copy_from_user_overflow();
+ else
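Review bot: The `sz != (size_t)-1` half of the corrected condition still has no comment, and it is the part a reader needs in order to see when the overflow report can fire. `sz` is declared outside this hunk; presumably `(size_t)-1` is the "object size unknown at compile time" value, in which case a one-line comment above the `if`, such as `/* (size_t)-1: destination size not known to the compiler, nothing to check */`, would make clear that the bound is only enforced when the size is known. The same applies to the matching copy_to_user hunk that follows. Swapping `likely` for `unlikely` changes only the branch hint, so whether the copy itself is skipped after the report depends on lines past the end of this hunk.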
@@ -24431,7 +24431,7 @@ index 2982387..a619e60c 100644
- copy_to_user_overflow();
- else
- __copy_to_user_overflow(sz, n);
-+ if (likely(sz != (size_t)-1 && sz < n)) {
++ if (unlikely(sz != (size_t)-1 && sz < n)) {
+ if(__builtin_constant_p(n))
+ copy_to_user_overflow();
+ else
@@ -36980,7 +36980,7 @@ index 9c086c5..421e25b 100644
unsigned long uninitialized_var(pfn_align);
int i, nid;
diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
-index 7a1f7bb..b245aea 100644
+index 7a1f7bb..62a6748 100644
--- a/arch/x86/mm/pageattr.c
+++ b/arch/x86/mm/pageattr.c
@@ -258,7 +258,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
@@ -37015,7 +37015,7 @@ index 7a1f7bb..b245aea 100644
#endif
+#ifdef CONFIG_PAX_KERNEXEC
-+ if (within(pfn, __pa(ktla_ktva((unsigned long)&_text)), __pa((unsigned long)&_sdata))) {
++ if (within(pfn, __pa(ktla_ktva((unsigned long)&_text)) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)) {
+ pgprot_val(forbidden) |= _PAGE_RW;
+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
+ }
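Review bot: The end bound `__pa((unsigned long)&_sdata) >> PAGE_SHIFT` rounds down, so if `_sdata` is not page-aligned the last, partial page of the range falls outside the KERNEXEC check; that depends on `within()` treating its end argument as exclusive and on the linker script, neither of which is visible here. A short comment stating that `pfn` is a page frame number and that both bounds are converted to frame numbers would keep the address/PFN mix-up this change fixes from coming back. The line is also well past the usual width; two locals would read better, for example `unsigned long kx_start = __pa(ktla_ktva((unsigned long)&_text)) >> PAGE_SHIFT;` and likewise for the end. static_protections() starts and ends outside this hunk.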
@@ -95993,7 +95993,7 @@ index ae1b540..15cfacf 100644
fd_offset + ex.a_text);
if (error != N_DATADDR(ex))
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index a7a28110..eddc1f5 100644
+index a7a28110..5e00fdb 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -36,6 +36,7 @@
@@ -96605,7 +96605,15 @@ index a7a28110..eddc1f5 100644
if (elf_read_implies_exec(loc->elf_ex, executable_stack))
current->personality |= READ_IMPLIES_EXEC;
-@@ -919,8 +1358,21 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -851,6 +1290,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ current->flags |= PF_RANDOMIZE;
+
+ setup_new_exec(bprm);
++ install_exec_creds(bprm);
+
+ /* Do this so that we can load the interpreter, if need be. We will
+ change some of these later */
+@@ -919,8 +1359,21 @@ static int load_elf_binary(struct linux_binprm *bprm)
if (current->flags & PF_RANDOMIZE)
load_bias += arch_mmap_rnd();
load_bias = ELF_PAGESTART(load_bias);
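Review bot: The new `install_exec_creds(bprm);` directly after `setup_new_exec(bprm);` carries no comment, although its position is the whole point of the change: everything load_elf_binary() does from here on now runs under the new credentials, where before the call sat just ahead of create_elf_tables() (the removal is in the later `@@ -1042,7 +1522,6 @@` hunk). I would add something like `/* switch creds before anything is mapped into the new mm */` above the call. It is also worth confirming that the failure paths between the new and the old call site (the `goto out_free_dentry` exits visible in the later hunks) behave correctly once the credentials are already committed, and, if install_exec_creds() also releases the exec credential lock as I believe it does, that nothing in between still relies on it being held. load_elf_binary() begins and ends outside this hunk.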
@@ -96629,7 +96637,7 @@ index a7a28110..eddc1f5 100644
if (!total_size) {
retval = -EINVAL;
goto out_free_dentry;
-@@ -956,9 +1408,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -956,9 +1409,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
* allowed task size. Note that p_filesz must always be
* <= p_memsz so it is only necessary to check p_memsz.
*/
@@ -96642,7 +96650,7 @@ index a7a28110..eddc1f5 100644
/* set_brk can never work. Avoid overflows. */
retval = -EINVAL;
goto out_free_dentry;
-@@ -994,16 +1446,43 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -994,16 +1447,43 @@ static int load_elf_binary(struct linux_binprm *bprm)
if (retval)
goto out_free_dentry;
if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
@@ -96691,6 +96699,14 @@ index a7a28110..eddc1f5 100644
load_bias, interp_elf_phdata);
if (!IS_ERR((void *)elf_entry)) {
/*
+@@ -1042,7 +1522,6 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ goto out;
+ #endif /* ARCH_HAS_SETUP_ADDITIONAL_PAGES */
+
+- install_exec_creds(bprm);
+ retval = create_elf_tables(bprm, &loc->elf_ex,
+ load_addr, interp_load_addr);
+ if (retval < 0)
@@ -1054,6 +1533,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
current->mm->end_data = end_data;
current->mm->start_stack = bprm->p;
@@ -98766,7 +98782,7 @@ index 281b768..f39dcdf 100644
return 0;
while (nr) {
diff --git a/fs/dcache.c b/fs/dcache.c
-index 1ed81bb..85b5276 100644
+index 1ed81bb..3d8fde8 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -339,8 +339,9 @@ static inline void dentry_rcuwalk_invalidate(struct dentry *dentry)
@@ -98850,7 +98866,16 @@ index 1ed81bb..85b5276 100644
return 0;
}
-@@ -824,7 +827,7 @@ repeat:
+@@ -795,8 +798,6 @@ void dput(struct dentry *dentry)
+ return;
+
+ repeat:
+- might_sleep();
+-
+ rcu_read_lock();
+ if (likely(fast_dput(dentry))) {
+ rcu_read_unlock();
+@@ -824,7 +825,7 @@ repeat:
dentry->d_flags |= DCACHE_REFERENCED;
dentry_lru_add(dentry);
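Review bot: Removing `might_sleep();` after the `repeat:` label in dput() drops the only annotation in this loop that flags callers in atomic context, and the change gives no reason for it. On kernels built with voluntary preemption that call is, as far as I know, also a reschedule point, so a long chain of parent dentries walked through `goto repeat` would no longer yield. If the removal is needed because the patch set reaches dput() from a context that must not sleep, a comment at the label saying so (for example `/* no might_sleep(): dput() is reached from <caller> with <lock> held */`, with the actual caller filled in) would let the next rebase judge whether it is still required. dput() continues outside this hunk.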
@@ -98859,7 +98884,7 @@ index 1ed81bb..85b5276 100644
spin_unlock(&dentry->d_lock);
return;
-@@ -841,7 +844,7 @@ EXPORT_SYMBOL(dput);
+@@ -841,7 +842,7 @@ EXPORT_SYMBOL(dput);
/* This must be called with d_lock held */
static inline void __dget_dlock(struct dentry *dentry)
{
@@ -98868,7 +98893,7 @@ index 1ed81bb..85b5276 100644
}
static inline void __dget(struct dentry *dentry)
-@@ -882,8 +885,8 @@ repeat:
+@@ -882,8 +883,8 @@ repeat:
goto repeat;
}
rcu_read_unlock();
@@ -98879,7 +98904,7 @@ index 1ed81bb..85b5276 100644
spin_unlock(&ret->d_lock);
return ret;
}
-@@ -961,9 +964,9 @@ restart:
+@@ -961,9 +962,9 @@ restart:
spin_lock(&inode->i_lock);
hlist_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias) {
spin_lock(&dentry->d_lock);
@@ -98891,7 +98916,7 @@ index 1ed81bb..85b5276 100644
__dentry_kill(dentry);
dput(parent);
goto restart;
-@@ -998,7 +1001,7 @@ static void shrink_dentry_list(struct list_head *list)
+@@ -998,7 +999,7 @@ static void shrink_dentry_list(struct list_head *list)
* We found an inuse dentry which was not removed from
* the LRU because of laziness during lookup. Do not free it.
*/
@@ -98900,7 +98925,7 @@ index 1ed81bb..85b5276 100644
spin_unlock(&dentry->d_lock);
if (parent)
spin_unlock(&parent->d_lock);
-@@ -1036,8 +1039,8 @@ static void shrink_dentry_list(struct list_head *list)
+@@ -1036,8 +1037,8 @@ static void shrink_dentry_list(struct list_head *list)
dentry = parent;
while (dentry && !lockref_put_or_lock(&dentry->d_lockref)) {
parent = lock_parent(dentry);
@@ -98911,7 +98936,7 @@ index 1ed81bb..85b5276 100644
spin_unlock(&dentry->d_lock);
if (parent)
spin_unlock(&parent->d_lock);
-@@ -1077,7 +1080,7 @@ static enum lru_status dentry_lru_isolate(struct list_head *item,
+@@ -1077,7 +1078,7 @@ static enum lru_status dentry_lru_isolate(struct list_head *item,
* counts, just remove them from the LRU. Otherwise give them
* another pass through the LRU.
*/
@@ -98920,7 +98945,7 @@ index 1ed81bb..85b5276 100644
d_lru_isolate(lru, dentry);
spin_unlock(&dentry->d_lock);
return LRU_REMOVED;
-@@ -1414,7 +1417,7 @@ static enum d_walk_ret select_collect(void *_data, struct dentry *dentry)
+@@ -1414,7 +1415,7 @@ static enum d_walk_ret select_collect(void *_data, struct dentry *dentry)
} else {
if (dentry->d_flags & DCACHE_LRU_LIST)
d_lru_del(dentry);
@@ -98929,7 +98954,7 @@ index 1ed81bb..85b5276 100644
d_shrink_add(dentry, &data->dispose);
data->found++;
}
-@@ -1462,7 +1465,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry)
+@@ -1462,7 +1463,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry)
return D_WALK_CONTINUE;
/* root with refcount 1 is fine */
@@ -98938,7 +98963,7 @@ index 1ed81bb..85b5276 100644
return D_WALK_CONTINUE;
printk(KERN_ERR "BUG: Dentry %p{i=%lx,n=%pd} "
-@@ -1471,7 +1474,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry)
+@@ -1471,7 +1472,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry)
dentry->d_inode ?
dentry->d_inode->i_ino : 0UL,
dentry,
@@ -98947,7 +98972,7 @@ index 1ed81bb..85b5276 100644
dentry->d_sb->s_type->name,
dentry->d_sb->s_id);
WARN_ON(1);
-@@ -1616,7 +1619,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
+@@ -1616,7 +1617,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
dname = dentry->d_iname;
} else if (name->len > DNAME_INLINE_LEN-1) {
size_t size = offsetof(struct external_name, name[1]);
@@ -98956,7 +98981,7 @@ index 1ed81bb..85b5276 100644
GFP_KERNEL_ACCOUNT);
if (!p) {
kmem_cache_free(dentry_cache, dentry);
-@@ -1640,7 +1643,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
+@@ -1640,7 +1641,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
smp_wmb();
dentry->d_name.name = dname;
@@ -98965,7 +98990,7 @@ index 1ed81bb..85b5276 100644
dentry->d_flags = 0;
spin_lock_init(&dentry->d_lock);
seqcount_init(&dentry->d_seq);
-@@ -1649,6 +1652,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
+@@ -1649,6 +1650,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
dentry->d_sb = sb;
dentry->d_op = NULL;
dentry->d_fsdata = NULL;
@@ -98975,7 +99000,7 @@ index 1ed81bb..85b5276 100644
INIT_HLIST_BL_NODE(&dentry->d_hash);
INIT_LIST_HEAD(&dentry->d_lru);
INIT_LIST_HEAD(&dentry->d_subdirs);
-@@ -2314,7 +2320,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name)
+@@ -2314,7 +2318,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name)
goto next;
}
@@ -98984,7 +99009,7 @@ index 1ed81bb..85b5276 100644
found = dentry;
spin_unlock(&dentry->d_lock);
break;
-@@ -2382,7 +2388,7 @@ again:
+@@ -2382,7 +2386,7 @@ again:
spin_lock(&dentry->d_lock);
inode = dentry->d_inode;
isdir = S_ISDIR(inode->i_mode);
@@ -98993,7 +99018,7 @@ index 1ed81bb..85b5276 100644
if (!spin_trylock(&inode->i_lock)) {
spin_unlock(&dentry->d_lock);
cpu_relax();
-@@ -3601,7 +3607,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
+@@ -3601,7 +3605,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
if (!(dentry->d_flags & DCACHE_GENOCIDE)) {
dentry->d_flags |= DCACHE_GENOCIDE;
@@ -99002,7 +99027,7 @@ index 1ed81bb..85b5276 100644
}
}
return D_WALK_CONTINUE;
-@@ -3709,7 +3715,8 @@ void __init vfs_caches_init_early(void)
+@@ -3709,7 +3713,8 @@ void __init vfs_caches_init_early(void)
void __init vfs_caches_init(void)
{
names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
@@ -158510,7 +158535,7 @@ index f2280f7..c0a006f 100644
struct irlap_cb *self = (struct irlap_cb *) data;
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
-index fc3598a..03a184e3 100644
+index fc3598a..6c1fb65 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -685,10 +685,10 @@ static void __iucv_auto_name(struct iucv_sock *iucv)
@@ -158526,6 +158551,27 @@ index fc3598a..03a184e3 100644
}
memcpy(iucv->src_name, name, 8);
}
+@@ -1326,7 +1326,7 @@ static int iucv_sock_recvmsg(struct socket *sock, struct msghdr *msg,
+ unsigned int copied, rlen;
+ struct sk_buff *skb, *rskb, *cskb;
+ int err = 0;
+- u32 offset;
++ u32 offset, class;
+
+ if ((sk->sk_state == IUCV_DISCONN) &&
+ skb_queue_empty(&iucv->backlog_skb_q) &&
+@@ -1370,9 +1370,8 @@ static int iucv_sock_recvmsg(struct socket *sock, struct msghdr *msg,
+ /* create control message to store iucv msg target class:
+ * get the trgcls from the control buffer of the skb due to
+ * fragmentation of original iucv message. */
+- err = put_cmsg(msg, SOL_IUCV, SCM_IUCV_TRGCLS,
+- sizeof(IUCV_SKB_CB(skb)->class),
+- (void *)&IUCV_SKB_CB(skb)->class);
++ class = IUCV_SKB_CB(skb)->class;
++ err = put_cmsg(msg, SOL_IUCV, SCM_IUCV_TRGCLS, sizeof(class), &class);
+ if (err) {
+ if (!(flags & MSG_PEEK))
+ skb_queue_head(&sk->sk_receive_queue, skb);
diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
index 7eaa000..2fa7f35 100644
--- a/net/iucv/iucv.c
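Review bot: The new local `class` is declared `u32`, while the replaced call took both the length and the address from `IUCV_SKB_CB(skb)->class` itself; the field's declaration is not in this hunk, so if it is not a 32-bit type the control message length seen by userspace changes. Keeping `sizeof(IUCV_SKB_CB(skb)->class)` as the length, or declaring the local with `typeof(IUCV_SKB_CB(skb)->class)`, removes that dependency. The reason for bouncing the value through the stack is not stated either; if it is to keep put_cmsg() from copying to userspace straight out of the skb control buffer, a comment such as `/* copy out of skb->cb first: put_cmsg() copies this to userspace */` would stop someone from folding it back. iucv_sock_recvmsg() starts and ends outside this hunk.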
@@ -160079,7 +160125,7 @@ index 11de55e..f25e448 100644
return 0;
}
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index 627f898c..13afbf6 100644
+index 627f898c..32d06cc 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -287,7 +287,7 @@ static void netlink_overrun(struct sock *sk)
@@ -160091,7 +160137,22 @@ index 627f898c..13afbf6 100644
}
static void netlink_rcv_wake(struct sock *sk)
-@@ -2150,7 +2150,9 @@ errout_skb:
+@@ -1703,11 +1703,12 @@ static void netlink_cmsg_recv_pktinfo(struct msghdr *msg, struct sk_buff *skb)
+ static void netlink_cmsg_listen_all_nsid(struct sock *sk, struct msghdr *msg,
+ struct sk_buff *skb)
+ {
++ int nsid = NETLINK_CB(skb).nsid;
++
+ if (!NETLINK_CB(skb).nsid_is_set)
+ return;
+
+- put_cmsg(msg, SOL_NETLINK, NETLINK_LISTEN_ALL_NSID, sizeof(int),
+- &NETLINK_CB(skb).nsid);
++ put_cmsg(msg, SOL_NETLINK, NETLINK_LISTEN_ALL_NSID, sizeof(nsid), &nsid);
+ }
+
+ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+@@ -2150,7 +2151,9 @@ errout_skb:
int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
const struct nlmsghdr *nlh,
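Review bot: `int nsid = NETLINK_CB(skb).nsid;` is read before the `nsid_is_set` guard, so the field is loaded even on the path where it is declared not to be meaningful. Declaring `int nsid;` and assigning `nsid = NETLINK_CB(skb).nsid;` after the early return keeps the read behind the check and costs nothing. The return value of put_cmsg() is still ignored here, which was already the case before the change. As in the af_iucv.c hunk, a one-line comment on why the value goes through a stack copy would help the next reader.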
@@ -160102,7 +160163,7 @@ index 627f898c..13afbf6 100644
{
struct netlink_callback *cb;
struct sock *sk;
-@@ -2173,7 +2175,7 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
+@@ -2173,7 +2176,7 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
goto error_unlock;
}
/* add reference of module which cb->dump belongs to */
@@ -160111,7 +160172,7 @@ index 627f898c..13afbf6 100644
ret = -EPROTONOSUPPORT;
goto error_unlock;
}
-@@ -2184,8 +2186,8 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
+@@ -2184,8 +2187,8 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
cb->dump = control->dump;
cb->done = control->done;
cb->nlh = nlh;
@@ -160122,7 +160183,7 @@ index 627f898c..13afbf6 100644
cb->min_dump_alloc = control->min_dump_alloc;
cb->skb = skb;
-@@ -2452,7 +2454,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
+@@ -2452,7 +2455,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
sk_wmem_alloc_get(s),
nlk->cb_running,
atomic_read(&s->sk_refcnt),
@@ -160131,7 +160192,7 @@ index 627f898c..13afbf6 100644
sock_i_ino(s)
);
-@@ -2559,7 +2561,7 @@ static void __init netlink_add_usersock_entry(void)
+@@ -2559,7 +2562,7 @@ static void __init netlink_add_usersock_entry(void)
netlink_table_ungrab();
}