commit:     ef4e6b9ae3aaf03c60f72e1e507df27fe3dce242
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 13 11:55:00 2015 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Fri Nov 13 11:55:00 2015 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=ef4e6b9a

grsecurity-3.1-4.2.6-201511122040

 4.2.6/0000_README                                  |   2 +-
 ...> 4420_grsecurity-3.1-4.2.6-201511122040.patch} | 247 ++++++++++++++++-----
 2 files changed, 188 insertions(+), 61 deletions(-)

diff --git a/4.2.6/0000_README b/4.2.6/0000_README
index 235ce67..9993992 100644
--- a/4.2.6/0000_README
+++ b/4.2.6/0000_README
@@ -6,7 +6,7 @@ Patch:  1005_linux-4.2.6.patch
 From:  http://www.kernel.org
 Desc:  Linux 4.2.6
 
-Patch: 4420_grsecurity-3.1-4.2.6-201511092040.patch
+Patch: 4420_grsecurity-3.1-4.2.6-201511122040.patch
 From:  http://www.grsecurity.net
 Desc:  hardened-sources base patch from upstream grsecurity
 

diff --git a/4.2.6/4420_grsecurity-3.1-4.2.6-201511092040.patch 
b/4.2.6/4420_grsecurity-3.1-4.2.6-201511122040.patch
similarity index 99%
rename from 4.2.6/4420_grsecurity-3.1-4.2.6-201511092040.patch
rename to 4.2.6/4420_grsecurity-3.1-4.2.6-201511122040.patch
index e91c83d..2f80639 100644
--- a/4.2.6/4420_grsecurity-3.1-4.2.6-201511092040.patch
+++ b/4.2.6/4420_grsecurity-3.1-4.2.6-201511122040.patch
@@ -23000,6 +23000,18 @@ index 0f457e6..5970c0a 100644
  #define BIOS_END              0x00100000
  
  #define BIOS_ROM_BASE         0xffe00000
+diff --git a/arch/x86/include/uapi/asm/svm.h b/arch/x86/include/uapi/asm/svm.h
+index b5d7640..8a4add8 100644
+--- a/arch/x86/include/uapi/asm/svm.h
++++ b/arch/x86/include/uapi/asm/svm.h
+@@ -100,6 +100,7 @@
+       { SVM_EXIT_EXCP_BASE + UD_VECTOR,       "UD excp" }, \
+       { SVM_EXIT_EXCP_BASE + PF_VECTOR,       "PF excp" }, \
+       { SVM_EXIT_EXCP_BASE + NM_VECTOR,       "NM excp" }, \
++      { SVM_EXIT_EXCP_BASE + AC_VECTOR,       "AC excp" }, \
+       { SVM_EXIT_EXCP_BASE + MC_VECTOR,       "MC excp" }, \
+       { SVM_EXIT_INTR,        "interrupt" }, \
+       { SVM_EXIT_NMI,         "nmi" }, \
 diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
 index 0f15af4..501a76a 100644
 --- a/arch/x86/kernel/Makefile
@@ -29920,10 +29932,70 @@ index 0f67d7e..4b9fa11 100644
                        goto error;
                walker->ptep_user[walker->level - 1] = ptep_user;
 diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 2d32b67..2cd298b 100644
+index 2d32b67..06cac10 100644
 --- a/arch/x86/kvm/svm.c
 +++ b/arch/x86/kvm/svm.c
-@@ -3586,7 +3586,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
+@@ -1106,6 +1106,8 @@ static void init_vmcb(struct vcpu_svm *svm, bool 
init_event)
+       set_exception_intercept(svm, PF_VECTOR);
+       set_exception_intercept(svm, UD_VECTOR);
+       set_exception_intercept(svm, MC_VECTOR);
++      set_exception_intercept(svm, AC_VECTOR);
++      set_exception_intercept(svm, DB_VECTOR);
+ 
+       set_intercept(svm, INTERCEPT_INTR);
+       set_intercept(svm, INTERCEPT_NMI);
+@@ -1641,20 +1643,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
+       mark_dirty(svm->vmcb, VMCB_SEG);
+ }
+ 
+-static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
++static void update_bp_intercept(struct kvm_vcpu *vcpu)
+ {
+       struct vcpu_svm *svm = to_svm(vcpu);
+ 
+-      clr_exception_intercept(svm, DB_VECTOR);
+       clr_exception_intercept(svm, BP_VECTOR);
+ 
+-      if (svm->nmi_singlestep)
+-              set_exception_intercept(svm, DB_VECTOR);
+-
+       if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
+-              if (vcpu->guest_debug &
+-                  (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
+-                      set_exception_intercept(svm, DB_VECTOR);
+               if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
+                       set_exception_intercept(svm, BP_VECTOR);
+       } else
+@@ -1760,7 +1755,6 @@ static int db_interception(struct vcpu_svm *svm)
+               if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
+                       svm->vmcb->save.rflags &=
+                               ~(X86_EFLAGS_TF | X86_EFLAGS_RF);
+-              update_db_bp_intercept(&svm->vcpu);
+       }
+ 
+       if (svm->vcpu.guest_debug &
+@@ -1795,6 +1789,12 @@ static int ud_interception(struct vcpu_svm *svm)
+       return 1;
+ }
+ 
++static int ac_interception(struct vcpu_svm *svm)
++{
++      kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0);
++      return 1;
++}
++
+ static void svm_fpu_activate(struct kvm_vcpu *vcpu)
+ {
+       struct vcpu_svm *svm = to_svm(vcpu);
+@@ -3369,6 +3369,7 @@ static int (*const svm_exit_handlers[])(struct vcpu_svm 
*svm) = {
+       [SVM_EXIT_EXCP_BASE + PF_VECTOR]        = pf_interception,
+       [SVM_EXIT_EXCP_BASE + NM_VECTOR]        = nm_interception,
+       [SVM_EXIT_EXCP_BASE + MC_VECTOR]        = mc_interception,
++      [SVM_EXIT_EXCP_BASE + AC_VECTOR]        = ac_interception,
+       [SVM_EXIT_INTR]                         = intr_interception,
+       [SVM_EXIT_NMI]                          = nmi_interception,
+       [SVM_EXIT_SMI]                          = nop_on_interception,
+@@ -3586,7 +3587,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
        int cpu = raw_smp_processor_id();
  
        struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
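Review bot: `ac_interception()` and the two `set_exception_intercept()` lines added to `init_vmcb()` carry no comment saying why #AC and #DB are now always intercepted, and since the #AC handler only reinjects the exception a later cleanup could plausibly remove it as redundant. From the visible lines the intent appears to be that every delivery of these exceptions forces a VM exit so the host regains control; I would state that above the handler, e.g. `/* Intercept #AC only to force a VM exit per delivery; reinject it to the guest unchanged. */`. The same comment is missing at `case AC_VECTOR:` in the `handle_exception()` hunk for vmx.c, which passes the VMCS `error_code` where this handler hard-codes 0; a word on why the two differ would help. With `DB_VECTOR` intercepted unconditionally, please confirm that `db_interception()` (its body starts outside this hunk) reinjects #DB when neither `nmi_singlestep` nor guest debugging is active.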
@@ -29935,6 +30007,14 @@ index 2d32b67..2cd298b 100644
        load_TR_desc();
  }
  
+@@ -3752,7 +3757,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
+        */
+       svm->nmi_singlestep = true;
+       svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
+-      update_db_bp_intercept(vcpu);
+ }
+ 
+ static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
 @@ -3982,6 +3986,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
  #endif
  #endif
@@ -29946,8 +30026,17 @@ index 2d32b67..2cd298b 100644
        reload_tss(vcpu);
  
        local_irq_disable();
+@@ -4374,7 +4382,7 @@ static struct kvm_x86_ops svm_x86_ops = {
+       .vcpu_load = svm_vcpu_load,
+       .vcpu_put = svm_vcpu_put,
+ 
+-      .update_db_bp_intercept = update_db_bp_intercept,
++      .update_db_bp_intercept = update_bp_intercept,
+       .get_msr = svm_get_msr,
+       .set_msr = svm_set_msr,
+       .get_segment_base = svm_get_segment_base,
 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index aa9e8229..ab09cc4 100644
+index aa9e8229..6223041 100644
 --- a/arch/x86/kvm/vmx.c
 +++ b/arch/x86/kvm/vmx.c
 @@ -1440,12 +1440,12 @@ static void vmcs_write64(unsigned long field, u64 
value)
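Review bot: The ops member in `.update_db_bp_intercept = update_bp_intercept` keeps a name that no longer matches what the SVM callback does, since the renamed function only toggles the `BP_VECTOR` intercept. Someone auditing who controls the #DB intercept will be led to this hook; either rename the member in `struct kvm_x86_ops` as well or add `/* #DB is always intercepted (see init_vmcb); this hook now manages #BP only */` above the assignment. The struct definition is outside this hunk, so a rename would touch other files.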
@@ -29965,6 +30054,15 @@ index aa9e8229..ab09cc4 100644
  {
        vmcs_writel(field, vmcs_readl(field) | mask);
  }
+@@ -1567,7 +1567,7 @@ static void update_exception_bitmap(struct kvm_vcpu 
*vcpu)
+       u32 eb;
+ 
+       eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) |
+-           (1u << NM_VECTOR) | (1u << DB_VECTOR);
++           (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR);
+       if ((vcpu->guest_debug &
+            (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) ==
+           (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP))
 @@ -1705,7 +1705,11 @@ static void reload_tss(void)
        struct desc_struct *descs;
  
@@ -30017,7 +30115,17 @@ index aa9e8229..ab09cc4 100644
  
        rdmsr(MSR_IA32_SYSENTER_CS, low32, high32);
        vmcs_write32(HOST_IA32_SYSENTER_CS, low32);
-@@ -6097,11 +6108,17 @@ static __init int hardware_setup(void)
+@@ -5118,6 +5129,9 @@ static int handle_exception(struct kvm_vcpu *vcpu)
+               return handle_rmode_exception(vcpu, ex_no, error_code);
+ 
+       switch (ex_no) {
++      case AC_VECTOR:
++              kvm_queue_exception_e(vcpu, AC_VECTOR, error_code);
++              return 1;
+       case DB_VECTOR:
+               dr6 = vmcs_readl(EXIT_QUALIFICATION);
+               if (!(vcpu->guest_debug &
+@@ -6097,11 +6111,17 @@ static __init int hardware_setup(void)
         * page upon invalidation.  No need to do anything if not
         * using the APIC_ACCESS_ADDR VMCS field.
         */
@@ -30039,7 +30147,7 @@ index aa9e8229..ab09cc4 100644
  
        if (enable_ept && !cpu_has_vmx_ept_2m_page())
                kvm_disable_largepages();
-@@ -6112,14 +6129,16 @@ static __init int hardware_setup(void)
+@@ -6112,14 +6132,16 @@ static __init int hardware_setup(void)
        if (!cpu_has_vmx_apicv())
                enable_apicv = 0;
  
@@ -30061,7 +30169,7 @@ index aa9e8229..ab09cc4 100644
  
        vmx_disable_intercept_for_msr(MSR_FS_BASE, false);
        vmx_disable_intercept_for_msr(MSR_GS_BASE, false);
-@@ -6174,10 +6193,12 @@ static __init int hardware_setup(void)
+@@ -6174,10 +6196,12 @@ static __init int hardware_setup(void)
                enable_pml = 0;
  
        if (!enable_pml) {
@@ -30078,7 +30186,7 @@ index aa9e8229..ab09cc4 100644
        }
  
        return alloc_kvm_area();
-@@ -8380,6 +8401,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu 
*vcpu)
+@@ -8380,6 +8404,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu 
*vcpu)
                "jmp 2f \n\t"
                "1: " __ex(ASM_VMX_VMRESUME) "\n\t"
                "2: "
@@ -30091,7 +30199,7 @@ index aa9e8229..ab09cc4 100644
                /* Save guest registers, load host registers, keep flags */
                "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
                "pop %0 \n\t"
-@@ -8432,6 +8459,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu 
*vcpu)
+@@ -8432,6 +8462,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu 
*vcpu)
  #endif
                [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
                [wordsize]"i"(sizeof(ulong))
@@ -30103,7 +30211,7 @@ index aa9e8229..ab09cc4 100644
              : "cc", "memory"
  #ifdef CONFIG_X86_64
                , "rax", "rbx", "rdi", "rsi"
-@@ -8445,7 +8477,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -8445,7 +8480,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
        if (debugctlmsr)
                update_debugctlmsr(debugctlmsr);
  
@@ -30112,7 +30220,7 @@ index aa9e8229..ab09cc4 100644
        /*
         * The sysexit path does not restore ds/es, so we must set them to
         * a reasonable value ourselves.
-@@ -8454,8 +8486,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu 
*vcpu)
+@@ -8454,8 +8489,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu 
*vcpu)
         * may be executed in interrupt context, which saves and restore 
segments
         * around it, nullifying its effect.
         */
@@ -51133,7 +51241,7 @@ index 332bb8a..e6adcd1 100644
        u32 entry_offset, dump, no_entries, buf_offset = 0;
        int i, k, ops_cnt, ops_index, dump_size = 0;
 diff --git a/drivers/net/ethernet/realtek/r8169.c 
b/drivers/net/ethernet/realtek/r8169.c
-index f790f61..f1faafe 100644
+index f790f61..cb663ef8 100644
 --- a/drivers/net/ethernet/realtek/r8169.c
 +++ b/drivers/net/ethernet/realtek/r8169.c
 @@ -788,22 +788,22 @@ struct rtl8169_private {
@@ -51163,6 +51271,16 @@ index f790f61..f1faafe 100644
  
        int (*set_speed)(struct net_device *, u8 aneg, u16 sp, u8 dpx, u32 adv);
        int (*get_settings)(struct net_device *, struct ethtool_cmd *);
+@@ -7361,6 +7361,9 @@ process_pkt:
+ 
+                       rtl8169_rx_vlan_tag(desc, skb);
+ 
++                      if (skb->pkt_type == PACKET_MULTICAST)
++                              dev->stats.multicast++;
++
+                       napi_gro_receive(&tp->napi, skb);
+ 
+                       u64_stats_update_begin(&tp->rx_stats.syncp);
 diff --git a/drivers/net/ethernet/sfc/ptp.c b/drivers/net/ethernet/sfc/ptp.c
 index ad62615..a4c124d 100644
 --- a/drivers/net/ethernet/sfc/ptp.c
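Review bot: The new `skb->pkt_type` test is only safe because it sits before `napi_gro_receive()`, which hands the skb to the stack, and nothing in the hunk records that ordering. If the counter were later moved next to the `u64_stats_update_begin()` block below, it would read a buffer that may already have been freed; a one-line comment such as `/* must read skb before handing it to GRO */` would pin it. `dev->stats.multicast++` is also a plain increment outside the `rx_stats.syncp` section, which is fine if this path runs only from the device's NAPI poll, but that is not visible here.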
@@ -74473,7 +74591,7 @@ index 4c55668..eeae150 100644
                                fd_offset + ex.a_text);
                if (error != N_DATADDR(ex))
 diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 6b65996..17bd3c4 100644
+index 6b65996..be797cf 100644
 --- a/fs/binfmt_elf.c
 +++ b/fs/binfmt_elf.c
 @@ -35,6 +35,7 @@
@@ -75007,6 +75125,32 @@ index 6b65996..17bd3c4 100644
  
        loc = kmalloc(sizeof(*loc), GFP_KERNEL);
        if (!loc) {
+@@ -759,16 +1127,16 @@ static int load_elf_binary(struct linux_binprm *bprm)
+                        */
+                       would_dump(bprm, interpreter);
+ 
+-                      retval = kernel_read(interpreter, 0, bprm->buf,
+-                                           BINPRM_BUF_SIZE);
+-                      if (retval != BINPRM_BUF_SIZE) {
+-                              if (retval >= 0)
+-                                      retval = -EIO;
+-                              goto out_free_dentry;
+-                      }
+-
+                       /* Get the exec headers */
+-                      loc->interp_elf_ex = *((struct elfhdr *)bprm->buf);
++                      retval = kernel_read(interpreter, 0,
++                                           (void *)&loc->interp_elf_ex,
++                                           sizeof(loc->interp_elf_ex));
++                      if (retval != sizeof(loc->interp_elf_ex)) {
++                              if (retval >= 0)
++                                      retval = -EIO;
++                              goto out_free_dentry;
++                      }
++
+                       break;
+               }
+               elf_ppnt++;
 @@ -840,6 +1208,77 @@ static int load_elf_binary(struct linux_binprm *bprm)
        /* Do this immediately, since STACK_TOP as used in setup_arg_pages
           may depend on the personality.  */
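Review bot: The `kernel_read()` into `loc->interp_elf_ex` has no comment explaining why the read no longer goes through `bprm->buf`, and the moved `/* Get the exec headers */` line does not say it either. Presumably the point is that `bprm->buf` still holds the header of the executable being loaded and must survive this read; I would say so, e.g. `/* Read directly into interp_elf_ex so bprm->buf keeps the main binary's header. */`. The header bytes come from the interpreter file and are untrusted, and their validation lies outside this hunk, as does the rest of `load_elf_binary()`.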
@@ -75549,50 +75693,6 @@ index b823fac..c5155de 100644
                        if (ret) {
                                btrfs_end_transaction(trans, root);
                                goto out;
-diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
-index b54e630..a1c76da 100644
---- a/fs/btrfs/inode.c
-+++ b/fs/btrfs/inode.c
-@@ -5632,6 +5632,7 @@ static int btrfs_real_readdir(struct file *file, struct 
dir_context *ctx)
-       char *name_ptr;
-       int name_len;
-       int is_curr = 0;        /* ctx->pos points to the current index? */
-+      bool emitted;
- 
-       /* FIXME, use a real flag for deciding about the key type */
-       if (root->fs_info->tree_root == root)
-@@ -5660,6 +5661,7 @@ static int btrfs_real_readdir(struct file *file, struct 
dir_context *ctx)
-       if (ret < 0)
-               goto err;
- 
-+      emitted = false;
-       while (1) {
-               leaf = path->nodes[0];
-               slot = path->slots[0];
-@@ -5739,6 +5741,7 @@ skip:
- 
-                       if (over)
-                               goto nopos;
-+                      emitted = true;
-                       di_len = btrfs_dir_name_len(leaf, di) +
-                                btrfs_dir_data_len(leaf, di) + sizeof(*di);
-                       di_cur += di_len;
-@@ -5756,6 +5759,15 @@ next:
-                       goto nopos;
-       }
- 
-+      /*
-+       * If we haven't emitted any dir entry, we must not touch ctx->pos as
-+       * it was was set to the termination value in previous call. We assume
-+       * that "." and ".." were emitted if we reach this point and set the
-+       * termination value as well for an empty directory.
-+       */
-+      if (ctx->pos > 2 && !emitted)
-+              goto nopos;
-+
-       /* Reached end of directory/root. Bump pos past the last item. */
-       ctx->pos++;
- 
 diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
 index cd7ef34..1e31ae3 100644
 --- a/fs/btrfs/super.c
@@ -76886,10 +76986,24 @@ index e3b44ca..e0d94f1 100644
        dcache_init();
        inode_init();
 diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
-index c711be8..23b8df9 100644
+index c711be8..79cf56b 100644
 --- a/fs/debugfs/inode.c
 +++ b/fs/debugfs/inode.c
-@@ -402,6 +402,10 @@ EXPORT_SYMBOL_GPL(debugfs_create_file_size);
+@@ -271,8 +271,12 @@ static struct dentry *start_creating(const char *name, 
struct dentry *parent)
+               dput(dentry);
+               dentry = ERR_PTR(-EEXIST);
+       }
+-      if (IS_ERR(dentry))
++
++      if (IS_ERR(dentry)) {
+               mutex_unlock(&d_inode(parent)->i_mutex);
++              simple_release_fs(&debugfs_mount, &debugfs_mount_count);
++      }
++
+       return dentry;
+ }
+ 
+@@ -402,6 +406,10 @@ EXPORT_SYMBOL_GPL(debugfs_create_file_size);
   * If debugfs is not enabled in the kernel, the value -%ENODEV will be
   * returned.
   */
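Review bot: After the change to `start_creating()`, an error return has already dropped both the parent's `i_mutex` and the `debugfs_mount` pin, but no comment records that contract for callers. A caller that reacts to `IS_ERR(dentry)` by invoking a cleanup helper that releases the pin again would unbalance `debugfs_mount_count`; the callers are outside this hunk, so I cannot confirm they all simply return. I would add above the function `/* On error the parent's i_mutex and the debugfs mount pin are already released; callers must not release them again. */`. The top of `start_creating()`, where the pin is presumably taken, is also outside the hunk.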
@@ -76900,7 +77014,7 @@ index c711be8..23b8df9 100644
  struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
  {
        struct dentry *dentry = start_creating(name, parent);
-@@ -414,7 +418,12 @@ struct dentry *debugfs_create_dir(const char *name, 
struct dentry *parent)
+@@ -414,7 +422,12 @@ struct dentry *debugfs_create_dir(const char *name, 
struct dentry *parent)
        if (unlikely(!inode))
                return failed_creating(dentry);
  
@@ -120073,6 +120187,19 @@ index 45cb16a..cef4ecd 100644
        if (!cn->procdir) {
                pr_err("Unable to proc dir entry\n");
                return -ENOMEM;
+diff --git a/net/ipv4/netfilter/nf_nat_pptp.c 
b/net/ipv4/netfilter/nf_nat_pptp.c
+index 657d230..b3ca21b 100644
+--- a/net/ipv4/netfilter/nf_nat_pptp.c
++++ b/net/ipv4/netfilter/nf_nat_pptp.c
+@@ -45,7 +45,7 @@ static void pptp_nat_expected(struct nf_conn *ct,
+       struct net *net = nf_ct_net(ct);
+       const struct nf_conn *master = ct->master;
+       struct nf_conntrack_expect *other_exp;
+-      struct nf_conntrack_tuple t;
++      struct nf_conntrack_tuple t = {};
+       const struct nf_ct_pptp_master *ct_pptp_info;
+       const struct nf_nat_pptp *nat_pptp_info;
+       struct nf_nat_range range;
 diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
 index 05ff44b..da00000 100644
 --- a/net/ipv4/ping.c
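Review bot: `struct nf_conntrack_tuple t = {};` zeroes the named members, but the C standard does not promise that padding bytes are cleared, so if `t` is later hashed or compared bytewise (its use is outside this hunk) stale stack bytes could still influence the result. `memset(&t, 0, sizeof(t));` before the fields are filled gives the stronger guarantee and is the form I would use for a tuple that serves as a lookup key. Either way, a short comment naming the later use that needs the unset fields to be zero would explain why the initialiser is there. `pptp_nat_expected()` continues beyond the hunk.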
@@ -124844,7 +124971,7 @@ index b304068..462d24e 100644
        if (*p != INT_CONF) {
                fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianness? 
%#x\n",
 diff --git a/scripts/dtc/checks.c b/scripts/dtc/checks.c
-index e81a8c7..a615ad7 100644
+index e81a8c74..a615ad7 100644
 --- a/scripts/dtc/checks.c
 +++ b/scripts/dtc/checks.c
 @@ -277,7 +277,7 @@ NODE_ERROR(duplicate_property_names, NULL);
