summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2011-06-29 10:37:32 -0400
committerAnthony G. Basile <blueness@gentoo.org>2011-06-29 10:37:43 -0400
commit7013e899f6294835d95a1c3e309412c990bad2aa (patch)
treeea974b12f1218046c7e3c3658ef426f8338b8860
parentUpdate Grsec/PaX (diff)
downloadhardened-patchset-7013e899f6294835d95a1c3e309412c990bad2aa.tar.gz
hardened-patchset-7013e899f6294835d95a1c3e309412c990bad2aa.tar.bz2
hardened-patchset-7013e899f6294835d95a1c3e309412c990bad2aa.zip
Update Grsec/PaX and address bug #36601920110628
2.2.2-2.6.32.42-201106281648 2.2.2-2.6.39.2-201106281648
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106281648.patch (renamed from 2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106251302.patch)32
-rw-r--r--2.6.32/4437-grsec-kconfig-proc-user.patch26
-rw-r--r--2.6.39/0000_README2
-rw-r--r--2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106281648.patch (renamed from 2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106251302.patch)33
-rw-r--r--2.6.39/4437-grsec-kconfig-proc-user.patch26
6 files changed, 76 insertions, 45 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 35d3570..03320de 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -3,7 +3,7 @@ README
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.2.2-2.6.32.42-201106251302.patch
+Patch: 4420_grsecurity-2.2.2-2.6.32.42-201106281648.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106251302.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106281648.patch
index 12c6656..d0d2a83 100644
--- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106251302.patch
+++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106281648.patch
@@ -27407,27 +27407,6 @@ diff -urNp linux-2.6.32.42/drivers/char/vt_ioctl.c linux-2.6.32.42/drivers/char/
if (!perm) {
ret = -EPERM;
goto reterr;
-diff -urNp linux-2.6.32.42/drivers/connector/Kconfig linux-2.6.32.42/drivers/connector/Kconfig
---- linux-2.6.32.42/drivers/connector/Kconfig 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.42/drivers/connector/Kconfig 2011-06-20 17:54:56.000000000 -0400
-@@ -1,7 +1,7 @@
-
- menuconfig CONNECTOR
- tristate "Connector - unified userspace <-> kernelspace linker"
-- depends on NET
-+ depends on NET && !GRKERNSEC
- ---help---
- This is unified userspace <-> kernelspace connector working on top
- of the netlink socket protocol.
-@@ -13,7 +13,7 @@ if CONNECTOR
-
- config PROC_EVENTS
- boolean "Report process events to userspace"
-- depends on CONNECTOR=y
-+ depends on CONNECTOR=y && !GRKERNSEC
- default y
- ---help---
- Provide a connector that reports process events to userspace. Send
diff -urNp linux-2.6.32.42/drivers/cpufreq/cpufreq.c linux-2.6.32.42/drivers/cpufreq/cpufreq.c
--- linux-2.6.32.42/drivers/cpufreq/cpufreq.c 2011-06-25 12:55:34.000000000 -0400
+++ linux-2.6.32.42/drivers/cpufreq/cpufreq.c 2011-06-25 12:56:37.000000000 -0400
@@ -67135,7 +67114,7 @@ diff -urNp linux-2.6.32.42/net/atm/resources.c linux-2.6.32.42/net/atm/resources
}
diff -urNp linux-2.6.32.42/net/bluetooth/l2cap.c linux-2.6.32.42/net/bluetooth/l2cap.c
--- linux-2.6.32.42/net/bluetooth/l2cap.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.42/net/bluetooth/l2cap.c 2011-06-12 06:34:08.000000000 -0400
++++ linux-2.6.32.42/net/bluetooth/l2cap.c 2011-06-25 14:36:21.000000000 -0400
@@ -1885,7 +1885,7 @@ static int l2cap_sock_getsockopt_old(str
err = -ENOTCONN;
break;
@@ -67145,6 +67124,15 @@ diff -urNp linux-2.6.32.42/net/bluetooth/l2cap.c linux-2.6.32.42/net/bluetooth/l
cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
+@@ -2719,7 +2719,7 @@ static inline int l2cap_config_req(struc
+
+ /* Reject if config buffer is too small. */
+ len = cmd_len - sizeof(*req);
+- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
++ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ l2cap_build_conf_rsp(sk, rsp,
+ L2CAP_CONF_REJECT, flags), rsp);
diff -urNp linux-2.6.32.42/net/bluetooth/rfcomm/sock.c linux-2.6.32.42/net/bluetooth/rfcomm/sock.c
--- linux-2.6.32.42/net/bluetooth/rfcomm/sock.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.42/net/bluetooth/rfcomm/sock.c 2011-06-12 06:35:00.000000000 -0400
diff --git a/2.6.32/4437-grsec-kconfig-proc-user.patch b/2.6.32/4437-grsec-kconfig-proc-user.patch
new file mode 100644
index 0000000..de044fb
--- /dev/null
+++ b/2.6.32/4437-grsec-kconfig-proc-user.patch
@@ -0,0 +1,26 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP
+in a different way to avoid bug #366019. This patch should eventually go upstream.
+
+diff -Naur linux-2.6.32-hardened-r54.orig//grsecurity/Kconfig linux-2.6.32-hardened-r54/grsecurity/Kconfig
+--- a/grsecurity/Kconfig 2011-06-29 07:46:02.000000000 -0400
++++ b/grsecurity/Kconfig 2011-06-29 07:47:20.000000000 -0400
+@@ -670,7 +670,7 @@
+
+ config GRKERNSEC_PROC_USER
+ bool "Restrict /proc to user only"
+- depends on GRKERNSEC_PROC
++ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP
+ help
+ If you say Y here, non-root users will only be able to view their own
+ processes, and restricts them from viewing network-related information,
+@@ -678,7 +678,7 @@
+
+ config GRKERNSEC_PROC_USERGROUP
+ bool "Allow special group"
+- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
++ depends on GRKERNSEC_PROC
+ help
+ If you say Y here, you will be able to select a group that will be
+ able to view all processes and network-related information. If you've
diff --git a/2.6.39/0000_README b/2.6.39/0000_README
index 339b393..b6b1a96 100644
--- a/2.6.39/0000_README
+++ b/2.6.39/0000_README
@@ -3,7 +3,7 @@ README
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.2.2-2.6.39.2-201106251302.patch
+Patch: 4420_grsecurity-2.2.2-2.6.39.2-201106281648.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106251302.patch b/2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106281648.patch
index 9451ea7..8495f8b 100644
--- a/2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106251302.patch
+++ b/2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106281648.patch
@@ -28599,27 +28599,6 @@ diff -urNp linux-2.6.39.2/drivers/char/xilinx_hwicap/xilinx_hwicap.c linux-2.6.3
.get_configuration = fifo_icap_get_configuration,
.set_configuration = fifo_icap_set_configuration,
.get_status = fifo_icap_get_status,
-diff -urNp linux-2.6.39.2/drivers/connector/Kconfig linux-2.6.39.2/drivers/connector/Kconfig
---- linux-2.6.39.2/drivers/connector/Kconfig 2011-05-19 00:06:34.000000000 -0400
-+++ linux-2.6.39.2/drivers/connector/Kconfig 2011-06-20 17:54:16.000000000 -0400
-@@ -1,7 +1,7 @@
-
- menuconfig CONNECTOR
- tristate "Connector - unified userspace <-> kernelspace linker"
-- depends on NET
-+ depends on NET && !GRKERNSEC
- ---help---
- This is unified userspace <-> kernelspace connector working on top
- of the netlink socket protocol.
-@@ -13,7 +13,7 @@ if CONNECTOR
-
- config PROC_EVENTS
- boolean "Report process events to userspace"
-- depends on CONNECTOR=y
-+ depends on CONNECTOR=y && !GRKERNSEC
- default y
- ---help---
- Provide a connector that reports process events to userspace. Send
diff -urNp linux-2.6.39.2/drivers/crypto/hifn_795x.c linux-2.6.39.2/drivers/crypto/hifn_795x.c
--- linux-2.6.39.2/drivers/crypto/hifn_795x.c 2011-05-19 00:06:34.000000000 -0400
+++ linux-2.6.39.2/drivers/crypto/hifn_795x.c 2011-05-22 19:36:31.000000000 -0400
@@ -75786,6 +75765,18 @@ diff -urNp linux-2.6.39.2/net/batman-adv/unicast.c linux-2.6.39.2/net/batman-adv
frag1->seqno = htons(seqno - 1);
frag2->seqno = htons(seqno);
+diff -urNp linux-2.6.39.2/net/bluetooth/l2cap_core.c linux-2.6.39.2/net/bluetooth/l2cap_core.c
+--- linux-2.6.39.2/net/bluetooth/l2cap_core.c 2011-05-19 00:06:34.000000000 -0400
++++ linux-2.6.39.2/net/bluetooth/l2cap_core.c 2011-06-25 14:32:21.000000000 -0400
+@@ -2202,7 +2202,7 @@ static inline int l2cap_config_req(struc
+
+ /* Reject if config buffer is too small. */
+ len = cmd_len - sizeof(*req);
+- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
++ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ l2cap_build_conf_rsp(sk, rsp,
+ L2CAP_CONF_REJECT, flags), rsp);
diff -urNp linux-2.6.39.2/net/bluetooth/l2cap_sock.c linux-2.6.39.2/net/bluetooth/l2cap_sock.c
--- linux-2.6.39.2/net/bluetooth/l2cap_sock.c 2011-05-19 00:06:34.000000000 -0400
+++ linux-2.6.39.2/net/bluetooth/l2cap_sock.c 2011-06-12 06:36:08.000000000 -0400
diff --git a/2.6.39/4437-grsec-kconfig-proc-user.patch b/2.6.39/4437-grsec-kconfig-proc-user.patch
new file mode 100644
index 0000000..372507c
--- /dev/null
+++ b/2.6.39/4437-grsec-kconfig-proc-user.patch
@@ -0,0 +1,26 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP
+in a different way to avoid bug #366019. This patch should eventually go upstream.
+
+diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-hardened-r4/grsecurity/Kconfig
+--- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400
++++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400
+@@ -670,7 +670,7 @@
+
+ config GRKERNSEC_PROC_USER
+ bool "Restrict /proc to user only"
+- depends on GRKERNSEC_PROC
++ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP
+ help
+ If you say Y here, non-root users will only be able to view their own
+ processes, and restricts them from viewing network-related information,
+@@ -678,7 +678,7 @@
+
+ config GRKERNSEC_PROC_USERGROUP
+ bool "Allow special group"
+- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
++ depends on GRKERNSEC_PROC
+ help
+ If you say Y here, you will be able to select a group that will be
+ able to view all processes and network-related information. If you've