
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 3.2.45/, 2.6.32/, 3.9.4/
Date: Wed, 05 Jun 2013 20:08:19
Message-Id: 1370462899.7613b2514cbb5fd2e7956f2facabe3204b4449bc.blueness@gentoo
1 commit: 7613b2514cbb5fd2e7956f2facabe3204b4449bc
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Wed Jun 5 20:08:19 2013 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Wed Jun 5 20:08:19 2013 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=7613b251
7
8 Grsec/PaX: 2.9.1-{2.6.32.60,3.2.45,3.9.4}-201306041949
9
10 ---
11 2.6.32/0000_README | 2 +-
12 ..._grsecurity-2.9.1-2.6.32.60-201306041946.patch} | 137 ++++++-
13 3.2.45/0000_README | 2 +-
14 ...420_grsecurity-2.9.1-3.2.46-201306041947.patch} | 390 ++++++++++++++++++--
15 3.9.4/0000_README | 2 +-
16 ...4420_grsecurity-2.9.1-3.9.4-201306041949.patch} | 396 +++++++++++++++++++--
17 6 files changed, 857 insertions(+), 72 deletions(-)
18
19 diff --git a/2.6.32/0000_README b/2.6.32/0000_README
20 index 4edfd58..797feaa 100644
21 --- a/2.6.32/0000_README
22 +++ b/2.6.32/0000_README
23 @@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch
24 From: http://www.kernel.org
25 Desc: Linux 2.6.32.59
26
27 -Patch: 4420_grsecurity-2.9.1-2.6.32.60-201306011535.patch
28 +Patch: 4420_grsecurity-2.9.1-2.6.32.60-201306041946.patch
29 From: http://www.grsecurity.net
30 Desc: hardened-sources base patch from upstream grsecurity
31
32
33 diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201306011535.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201306041946.patch
34 similarity index 99%
35 rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201306011535.patch
36 rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201306041946.patch
37 index eb29409..8e09bd0 100644
38 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201306011535.patch
39 +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201306041946.patch
40 @@ -3605,6 +3605,19 @@ index a27d2e2..18fd845 100644
41 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
42 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
43 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
44 +diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c
45 +index 994bcd9..f25247a 100644
46 +--- a/arch/parisc/kernel/drivers.c
47 ++++ b/arch/parisc/kernel/drivers.c
48 +@@ -393,7 +393,7 @@ EXPORT_SYMBOL(print_pci_hwpath);
49 + static void setup_bus_id(struct parisc_device *padev)
50 + {
51 + struct hardware_path path;
52 +- char name[20];
53 ++ char name[28];
54 + char *output = name;
55 + int i;
56 +
57 diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c
58 index 2120746..8d70a5e 100644
59 --- a/arch/parisc/kernel/module.c
60 @@ -3708,6 +3721,20 @@ index 2120746..8d70a5e 100644
61
62 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
63 me->arch.unwind_section, table, end, gp);
64 +diff --git a/arch/parisc/kernel/setup.c b/arch/parisc/kernel/setup.c
65 +index cb71f3d..306f0c0 100644
66 +--- a/arch/parisc/kernel/setup.c
67 ++++ b/arch/parisc/kernel/setup.c
68 +@@ -68,7 +68,8 @@ void __init setup_cmdline(char **cmdline_p)
69 + /* called from hpux boot loader */
70 + boot_command_line[0] = '\0';
71 + } else {
72 +- strcpy(boot_command_line, (char *)__va(boot_args[1]));
73 ++ strlcpy(boot_command_line, (char *)__va(boot_args[1]),
74 ++ COMMAND_LINE_SIZE);
75 +
76 + #ifdef CONFIG_BLK_DEV_INITRD
77 + if (boot_args[2] != 0) /* did palo pass us a ramdisk? */
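Review bot: The strlcpy replacement at the top of this hunk truncates a boot command line longer than COMMAND_LINE_SIZE without any trace of it, which makes a silently shortened command line hard to diagnose later. strlcpy returns the source length, so `if (strlcpy(boot_command_line, (char *)__va(boot_args[1]), COMMAND_LINE_SIZE) >= COMMAND_LINE_SIZE)` followed by a `printk(KERN_WARNING ...)` would surface the truncation in the boot log; at minimum a comment `/* bounded copy: anything past COMMAND_LINE_SIZE is dropped silently */` should mark it. The body of setup_cmdline continues outside the hunk on both sides. The identical change appears in the 3.2.45 patch's setup.c hunk.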
78 diff --git a/arch/parisc/kernel/signal32.c b/arch/parisc/kernel/signal32.c
79 index fb59852..32d43e7 100644
80 --- a/arch/parisc/kernel/signal32.c
81 @@ -47545,6 +47572,28 @@ index 0236f0d..c7327f1 100644
82 serio->dev.bus = &serio_bus;
83 serio->dev.release = serio_release_port;
84 if (serio->parent) {
85 +diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c
86 +index dc506ab..af04b54 100644
87 +--- a/drivers/isdn/capi/kcapi.c
88 ++++ b/drivers/isdn/capi/kcapi.c
89 +@@ -95,7 +95,7 @@ capi_ctr_put(struct capi_ctr *card)
90 +
91 + static inline struct capi_ctr *get_capi_ctr_by_nr(u16 contr)
92 + {
93 +- if (contr - 1 >= CAPI_MAXCONTR)
94 ++ if (contr < 1 || contr - 1 >= CAPI_MAXCONTR)
95 + return NULL;
96 +
97 + return capi_cards[contr - 1];
98 +@@ -103,7 +103,7 @@ static inline struct capi_ctr *get_capi_ctr_by_nr(u16 contr)
99 +
100 + static inline struct capi20_appl *get_capi_appl_by_nr(u16 applid)
101 + {
102 +- if (applid - 1 >= CAPI_MAXAPPL)
103 ++ if (applid < 1 || applid - 1 >= CAPI_MAXAPPL)
104 + return NULL;
105 +
106 + return capi_applications[applid - 1];
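Review bot: The added `contr < 1` clause in get_capi_ctr_by_nr needs a one-line comment, because a reader who sees that `contr` is `u16` will take the clause for a redundant check on an unsigned value. In `contr - 1 >= CAPI_MAXCONTR` the operand is promoted to int, so `contr == 0` produces -1, which the old test let through to index `capi_cards[-1]`; the same holds for `applid` in get_capi_appl_by_nr. I would add `/* contr is u16: contr - 1 is int-promoted, so 0 gives -1 and would pass the upper-bound check; reject it explicitly */` above the guard. Both functions end outside the hunk, and the same point applies to the three guards in the 3.2.45 patch's kcapi.c hunk.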
107 diff --git a/drivers/isdn/gigaset/common.c b/drivers/isdn/gigaset/common.c
108 index 33dcd8d..2783d25 100644
109 --- a/drivers/isdn/gigaset/common.c
110 @@ -82186,6 +82235,19 @@ index bfaef7b..e9d03ca 100644
111 }
112
113 void nfs_fattr_init(struct nfs_fattr *fattr)
114 +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
115 +index 21c7190..22688d5 100644
116 +--- a/fs/nfs/nfs4proc.c
117 ++++ b/fs/nfs/nfs4proc.c
118 +@@ -915,7 +915,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata)
119 + struct nfs4_state *state = opendata->state;
120 + struct nfs_inode *nfsi = NFS_I(state->inode);
121 + struct nfs_delegation *delegation;
122 +- int open_mode = opendata->o_arg.open_flags & O_EXCL;
123 ++ int open_mode = opendata->o_arg.open_flags;
124 + fmode_t fmode = opendata->o_arg.fmode;
125 + nfs4_stateid stateid;
126 + int ret = -EAGAIN;
127 diff --git a/fs/nfsd/lockd.c b/fs/nfsd/lockd.c
128 index cc2f505..f6a236f 100644
129 --- a/fs/nfsd/lockd.c
130 @@ -84523,7 +84585,7 @@ index 7723401..30059a6 100644
131 error = -EFAULT;
132 else
133 diff --git a/fs/reiserfs/dir.c b/fs/reiserfs/dir.c
134 -index d42c30c..4fd8718 100644
135 +index d42c30c..153b170 100644
136 --- a/fs/reiserfs/dir.c
137 +++ b/fs/reiserfs/dir.c
138 @@ -66,6 +66,8 @@ int reiserfs_readdir_dentry(struct dentry *dentry, void *dirent,
139 @@ -84535,6 +84597,15 @@ index d42c30c..4fd8718 100644
140 reiserfs_write_lock(inode->i_sb);
141
142 reiserfs_check_lock_depth(inode->i_sb, "readdir");
143 +@@ -187,6 +189,8 @@ int reiserfs_readdir_dentry(struct dentry *dentry, void *dirent,
144 + next_pos = deh_offset(deh) + 1;
145 +
146 + if (item_moved(&tmp_ih, &path_to_entry)) {
147 ++ set_cpu_key_k_offset(&pos_key,
148 ++ next_pos);
149 + goto research;
150 + }
151 + } /* for */
152 diff --git a/fs/reiserfs/do_balan.c b/fs/reiserfs/do_balan.c
153 index 128d3f7c..8840d44 100644
154 --- a/fs/reiserfs/do_balan.c
155 @@ -84548,6 +84619,29 @@ index 128d3f7c..8840d44 100644
156 do_balance_starts(tb);
157
158 /* balance leaf returns 0 except if combining L R and S into
159 +diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c
160 +index d240c15..c38a41a 100644
161 +--- a/fs/reiserfs/inode.c
162 ++++ b/fs/reiserfs/inode.c
163 +@@ -1786,11 +1786,16 @@ int reiserfs_new_inode(struct reiserfs_transaction_handle *th,
164 + TYPE_STAT_DATA, SD_SIZE, MAX_US_INT);
165 + memcpy(INODE_PKEY(inode), &(ih.ih_key), KEY_SIZE);
166 + args.dirid = le32_to_cpu(ih.ih_key.k_dir_id);
167 +- if (insert_inode_locked4(inode, args.objectid,
168 +- reiserfs_find_actor, &args) < 0) {
169 ++
170 ++ reiserfs_write_unlock(inode->i_sb);
171 ++ err = insert_inode_locked4(inode, args.objectid,
172 ++ reiserfs_find_actor, &args);
173 ++ reiserfs_write_lock(inode->i_sb);
174 ++ if (err) {
175 + err = -EINVAL;
176 + goto out_bad_inode;
177 + }
178 ++
179 + if (old_format_only(sb))
180 + /* not a perfect generation count, as object ids can be reused, but
181 + ** this is as good as reiserfs can do right now.
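Review bot: `err` receives the return value of insert_inode_locked4 and is then immediately overwritten with -EINVAL on the failure path, so the value is only ever used as a boolean and the caller still cannot distinguish a collision or lock failure from a bad argument. If keeping -EINVAL is deliberate (it matches the replaced `< 0` branch), a comment such as `/* any insert failure is reported as -EINVAL, as before */` will stop the next reader from "fixing" it; otherwise drop the `err = -EINVAL;` line and propagate the error. The hunk also gives no reason for releasing the write lock around the call, which is worth a why-comment since it changes the locking contract of this section. reiserfs_new_inode continues outside the hunk on both sides, and the 3.2.45 patch carries the identical hunk.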
182 diff --git a/fs/reiserfs/item_ops.c b/fs/reiserfs/item_ops.c
183 index 72cb1cc..d0e3181 100644
184 --- a/fs/reiserfs/item_ops.c
185 @@ -115872,7 +115966,7 @@ index 2dcf04d..4656638 100644
186 {
187 .ctl_name = NET_TCP_DMA_COPYBREAK,
188 diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
189 -index b9644d8..537313b 100644
190 +index b9644d8..8e66b8e 100644
191 --- a/net/ipv4/tcp.c
192 +++ b/net/ipv4/tcp.c
193 @@ -2084,6 +2084,8 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
194 @@ -115893,6 +115987,19 @@ index b9644d8..537313b 100644
195 if (get_user(len, optlen))
196 return -EFAULT;
197
198 +@@ -2826,7 +2830,11 @@ int tcp_md5_hash_skb_data(struct tcp_md5sig_pool *hp,
199 +
200 + for (i = 0; i < shi->nr_frags; ++i) {
201 + const struct skb_frag_struct *f = &shi->frags[i];
202 +- sg_set_page(&sg, f->page, f->size, f->page_offset);
203 ++ unsigned int offset = f->page_offset;
204 ++ struct page *page = f->page + (offset >> PAGE_SHIFT);
205 ++
206 ++ sg_set_page(&sg, page, f->size,
207 ++ offset_in_page(offset));
208 + if (crypto_hash_update(desc, &sg, f->size))
209 + return 1;
210 + }
211 diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c
212 index 1eba160b..c35d91f 100644
213 --- a/net/ipv4/tcp_illinois.c
214 @@ -116507,6 +116614,19 @@ index 093e9b2..f72cddb 100644
215 const unsigned short hnum,
216 const struct in6_addr *daddr,
217 const int dif)
218 +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
219 +index 9ad5792..fa406b9 100644
220 +--- a/net/ipv6/ip6_output.c
221 ++++ b/net/ipv6/ip6_output.c
222 +@@ -1138,7 +1138,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
223 + if (WARN_ON(np->cork.opt))
224 + return -EINVAL;
225 +
226 +- np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation);
227 ++ np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation);
228 + if (unlikely(np->cork.opt == NULL))
229 + return -ENOBUFS;
230 +
231 diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
232 index 4f7aaf6..f7acf45 100644
233 --- a/net/ipv6/ipv6_sockglue.c
234 @@ -117047,6 +117167,19 @@ index 35a338b..62102d6 100644
235
236 /* Aborting, close connection! */
237 iriap_disconnect_request(self);
238 +diff --git a/net/irda/irlap_frame.c b/net/irda/irlap_frame.c
239 +index 7af2e74..143ae58 100644
240 +--- a/net/irda/irlap_frame.c
241 ++++ b/net/irda/irlap_frame.c
242 +@@ -543,7 +543,7 @@ static void irlap_recv_discovery_xid_cmd(struct irlap_cb *self,
243 + /*
244 + * We now have some discovery info to deliver!
245 + */
246 +- discovery = kmalloc(sizeof(discovery_t), GFP_ATOMIC);
247 ++ discovery = kzalloc(sizeof(discovery_t), GFP_ATOMIC);
248 + if (!discovery) {
249 + IRDA_WARNING("%s: unable to malloc!\n", __func__);
250 + return;
251 diff --git a/net/irda/irttp.c b/net/irda/irttp.c
252 index 9cb79f9..d35d057 100644
253 --- a/net/irda/irttp.c
254
255 diff --git a/3.2.45/0000_README b/3.2.45/0000_README
256 index 00f8a3a..4a59301 100644
257 --- a/3.2.45/0000_README
258 +++ b/3.2.45/0000_README
259 @@ -98,7 +98,7 @@ Patch: 1044_linux-3.2.45.patch
260 From: http://www.kernel.org
261 Desc: Linux 3.2.45
262
263 -Patch: 4420_grsecurity-2.9.1-3.2.46-201306011535.patch
264 +Patch: 4420_grsecurity-2.9.1-3.2.46-201306041947.patch
265 From: http://www.grsecurity.net
266 Desc: hardened-sources base patch from upstream grsecurity
267
268
269 diff --git a/3.2.45/4420_grsecurity-2.9.1-3.2.46-201306011535.patch b/3.2.45/4420_grsecurity-2.9.1-3.2.46-201306041947.patch
270 similarity index 99%
271 rename from 3.2.45/4420_grsecurity-2.9.1-3.2.46-201306011535.patch
272 rename to 3.2.45/4420_grsecurity-2.9.1-3.2.46-201306041947.patch
273 index 6555c18..bf3ae8a 100644
274 --- a/3.2.45/4420_grsecurity-2.9.1-3.2.46-201306011535.patch
275 +++ b/3.2.45/4420_grsecurity-2.9.1-3.2.46-201306041947.patch
276 @@ -3860,6 +3860,19 @@ index 5241698..91dcb12 100644
277 }
278 EXPORT_SYMBOL(purge_tlb_entries);
279
280 +diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c
281 +index 5709c5e..14285ca 100644
282 +--- a/arch/parisc/kernel/drivers.c
283 ++++ b/arch/parisc/kernel/drivers.c
284 +@@ -394,7 +394,7 @@ EXPORT_SYMBOL(print_pci_hwpath);
285 + static void setup_bus_id(struct parisc_device *padev)
286 + {
287 + struct hardware_path path;
288 +- char name[20];
289 ++ char name[28];
290 + char *output = name;
291 + int i;
292 +
293 diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c
294 index 5e34ccf..672bc9c 100644
295 --- a/arch/parisc/kernel/module.c
296 @@ -3963,6 +3976,20 @@ index 5e34ccf..672bc9c 100644
297
298 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
299 me->arch.unwind_section, table, end, gp);
300 +diff --git a/arch/parisc/kernel/setup.c b/arch/parisc/kernel/setup.c
301 +index a3328c2..3b812eb 100644
302 +--- a/arch/parisc/kernel/setup.c
303 ++++ b/arch/parisc/kernel/setup.c
304 +@@ -69,7 +69,8 @@ void __init setup_cmdline(char **cmdline_p)
305 + /* called from hpux boot loader */
306 + boot_command_line[0] = '\0';
307 + } else {
308 +- strcpy(boot_command_line, (char *)__va(boot_args[1]));
309 ++ strlcpy(boot_command_line, (char *)__va(boot_args[1]),
310 ++ COMMAND_LINE_SIZE);
311 +
312 + #ifdef CONFIG_BLK_DEV_INITRD
313 + if (boot_args[2] != 0) /* did palo pass us a ramdisk? */
314 diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c
315 index 7ea75d1..38ca97d 100644
316 --- a/arch/parisc/kernel/sys_parisc.c
317 @@ -36879,6 +36906,37 @@ index e44933d..9ba484a 100644
318 capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */
319 capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */
320 capimsg_setu16(skb->data, 16, len); /* Data length */
321 +diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c
322 +index 2b33b26..a9c638b 100644
323 +--- a/drivers/isdn/capi/kcapi.c
324 ++++ b/drivers/isdn/capi/kcapi.c
325 +@@ -93,7 +93,7 @@ capi_ctr_put(struct capi_ctr *ctr)
326 +
327 + static inline struct capi_ctr *get_capi_ctr_by_nr(u16 contr)
328 + {
329 +- if (contr - 1 >= CAPI_MAXCONTR)
330 ++ if (contr < 1 || contr - 1 >= CAPI_MAXCONTR)
331 + return NULL;
332 +
333 + return capi_controller[contr - 1];
334 +@@ -103,7 +103,7 @@ static inline struct capi20_appl *__get_capi_appl_by_nr(u16 applid)
335 + {
336 + lockdep_assert_held(&capi_controller_lock);
337 +
338 +- if (applid - 1 >= CAPI_MAXAPPL)
339 ++ if (applid < 1 || applid - 1 >= CAPI_MAXAPPL)
340 + return NULL;
341 +
342 + return capi_applications[applid - 1];
343 +@@ -111,7 +111,7 @@ static inline struct capi20_appl *__get_capi_appl_by_nr(u16 applid)
344 +
345 + static inline struct capi20_appl *get_capi_appl_by_nr(u16 applid)
346 + {
347 +- if (applid - 1 >= CAPI_MAXAPPL)
348 ++ if (applid < 1 || applid - 1 >= CAPI_MAXAPPL)
349 + return NULL;
350 +
351 + return rcu_dereference(capi_applications[applid - 1]);
352 diff --git a/drivers/isdn/gigaset/common.c b/drivers/isdn/gigaset/common.c
353 index db621db..825ea1a 100644
354 --- a/drivers/isdn/gigaset/common.c
355 @@ -53660,6 +53718,19 @@ index b78b5b6..c64d84f 100644
356 }
357
358 void nfs_fattr_init(struct nfs_fattr *fattr)
359 +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
360 +index 5639efd..4531174 100644
361 +--- a/fs/nfs/nfs4proc.c
362 ++++ b/fs/nfs/nfs4proc.c
363 +@@ -1037,7 +1037,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata)
364 + struct nfs4_state *state = opendata->state;
365 + struct nfs_inode *nfsi = NFS_I(state->inode);
366 + struct nfs_delegation *delegation;
367 +- int open_mode = opendata->o_arg.open_flags & O_EXCL;
368 ++ int open_mode = opendata->o_arg.open_flags;
369 + fmode_t fmode = opendata->o_arg.fmode;
370 + nfs4_stateid stateid;
371 + int ret = -EAGAIN;
372 diff --git a/fs/nfs/super.c b/fs/nfs/super.c
373 index 1943898..396c460 100644
374 --- a/fs/nfs/super.c
375 @@ -55971,6 +56042,19 @@ index 356f715..c918d38 100644
376 if (__put_user(d_off, &lastdirent->d_off))
377 error = -EFAULT;
378 else
379 +diff --git a/fs/reiserfs/dir.c b/fs/reiserfs/dir.c
380 +index 133e935..77359db 100644
381 +--- a/fs/reiserfs/dir.c
382 ++++ b/fs/reiserfs/dir.c
383 +@@ -204,6 +204,8 @@ int reiserfs_readdir_dentry(struct dentry *dentry, void *dirent,
384 + next_pos = deh_offset(deh) + 1;
385 +
386 + if (item_moved(&tmp_ih, &path_to_entry)) {
387 ++ set_cpu_key_k_offset(&pos_key,
388 ++ next_pos);
389 + goto research;
390 + }
391 + } /* for */
392 diff --git a/fs/reiserfs/do_balan.c b/fs/reiserfs/do_balan.c
393 index 60c0804..d814f98 100644
394 --- a/fs/reiserfs/do_balan.c
395 @@ -55984,6 +56068,29 @@ index 60c0804..d814f98 100644
396 do_balance_starts(tb);
397
398 /* balance leaf returns 0 except if combining L R and S into
399 +diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c
400 +index fe677c0..2a15fb2 100644
401 +--- a/fs/reiserfs/inode.c
402 ++++ b/fs/reiserfs/inode.c
403 +@@ -1816,11 +1816,16 @@ int reiserfs_new_inode(struct reiserfs_transaction_handle *th,
404 + TYPE_STAT_DATA, SD_SIZE, MAX_US_INT);
405 + memcpy(INODE_PKEY(inode), &(ih.ih_key), KEY_SIZE);
406 + args.dirid = le32_to_cpu(ih.ih_key.k_dir_id);
407 +- if (insert_inode_locked4(inode, args.objectid,
408 +- reiserfs_find_actor, &args) < 0) {
409 ++
410 ++ reiserfs_write_unlock(inode->i_sb);
411 ++ err = insert_inode_locked4(inode, args.objectid,
412 ++ reiserfs_find_actor, &args);
413 ++ reiserfs_write_lock(inode->i_sb);
414 ++ if (err) {
415 + err = -EINVAL;
416 + goto out_bad_inode;
417 + }
418 ++
419 + if (old_format_only(sb))
420 + /* not a perfect generation count, as object ids can be reused, but
421 + ** this is as good as reiserfs can do right now.
422 diff --git a/fs/reiserfs/procfs.c b/fs/reiserfs/procfs.c
423 index 7a99811..a7c96c4 100644
424 --- a/fs/reiserfs/procfs.c
425 @@ -56009,6 +56116,45 @@ index 569498a..0886e50f 100644
426
427 MODULE_DESCRIPTION("ReiserFS journaled filesystem");
428 MODULE_AUTHOR("Hans Reiser <reiser@×××××××.com>");
429 +diff --git a/fs/reiserfs/xattr.c b/fs/reiserfs/xattr.c
430 +index 04eecc4..33f74d0 100644
431 +--- a/fs/reiserfs/xattr.c
432 ++++ b/fs/reiserfs/xattr.c
433 +@@ -318,7 +318,19 @@ static int delete_one_xattr(struct dentry *dentry, void *data)
434 + static int chown_one_xattr(struct dentry *dentry, void *data)
435 + {
436 + struct iattr *attrs = data;
437 +- return reiserfs_setattr(dentry, attrs);
438 ++ int ia_valid = attrs->ia_valid;
439 ++ int err;
440 ++
441 ++ /*
442 ++ * We only want the ownership bits. Otherwise, we'll do
443 ++ * things like change a directory to a regular file if
444 ++ * ATTR_MODE is set.
445 ++ */
446 ++ attrs->ia_valid &= (ATTR_UID|ATTR_GID);
447 ++ err = reiserfs_setattr(dentry, attrs);
448 ++ attrs->ia_valid = ia_valid;
449 ++
450 ++ return err;
451 + }
452 +
453 + /* No i_mutex, but the inode is unconnected. */
454 +diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c
455 +index 6da0396..fc338f3 100644
456 +--- a/fs/reiserfs/xattr_acl.c
457 ++++ b/fs/reiserfs/xattr_acl.c
458 +@@ -429,6 +429,9 @@ int reiserfs_acl_chmod(struct inode *inode)
459 + int depth;
460 + int error;
461 +
462 ++ if (IS_PRIVATE(inode))
463 ++ return 0;
464 ++
465 + if (S_ISLNK(inode->i_mode))
466 + return -EOPNOTSUPP;
467 +
468 diff --git a/fs/romfs/super.c b/fs/romfs/super.c
469 index 8b4089f..2575128 100644
470 --- a/fs/romfs/super.c
471 @@ -56723,7 +56869,7 @@ index d99a905..9f88202 100644
472 goto out_put;
473
474 diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
475 -index 23ce927..e274cc1 100644
476 +index 23ce927..86fd3e8d 100644
477 --- a/fs/xfs/xfs_iops.c
478 +++ b/fs/xfs/xfs_iops.c
479 @@ -447,7 +447,7 @@ xfs_vn_put_link(
480 @@ -56735,6 +56881,81 @@ index 23ce927..e274cc1 100644
481
482 if (!IS_ERR(s))
483 kfree(s);
484 +@@ -507,6 +507,28 @@ xfs_vn_getattr(
485 + return 0;
486 + }
487 +
488 ++static void
489 ++xfs_setattr_mode(
490 ++ struct xfs_trans *tp,
491 ++ struct xfs_inode *ip,
492 ++ struct iattr *iattr)
493 ++{
494 ++ struct inode *inode = VFS_I(ip);
495 ++ umode_t mode = iattr->ia_mode;
496 ++
497 ++ ASSERT(tp);
498 ++ ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL));
499 ++
500 ++ if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
501 ++ mode &= ~S_ISGID;
502 ++
503 ++ ip->i_d.di_mode &= S_IFMT;
504 ++ ip->i_d.di_mode |= mode & ~S_IFMT;
505 ++
506 ++ inode->i_mode &= S_IFMT;
507 ++ inode->i_mode |= mode & ~S_IFMT;
508 ++}
509 ++
510 + int
511 + xfs_setattr_nonsize(
512 + struct xfs_inode *ip,
513 +@@ -658,18 +680,8 @@ xfs_setattr_nonsize(
514 + /*
515 + * Change file access modes.
516 + */
517 +- if (mask & ATTR_MODE) {
518 +- umode_t mode = iattr->ia_mode;
519 +-
520 +- if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
521 +- mode &= ~S_ISGID;
522 +-
523 +- ip->i_d.di_mode &= S_IFMT;
524 +- ip->i_d.di_mode |= mode & ~S_IFMT;
525 +-
526 +- inode->i_mode &= S_IFMT;
527 +- inode->i_mode |= mode & ~S_IFMT;
528 +- }
529 ++ if (mask & ATTR_MODE)
530 ++ xfs_setattr_mode(tp, ip, iattr);
531 +
532 + /*
533 + * Change file access or modified times.
534 +@@ -768,9 +780,8 @@ xfs_setattr_size(
535 + return XFS_ERROR(error);
536 +
537 + ASSERT(S_ISREG(ip->i_d.di_mode));
538 +- ASSERT((mask & (ATTR_MODE|ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET|
539 +- ATTR_MTIME_SET|ATTR_KILL_SUID|ATTR_KILL_SGID|
540 +- ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0);
541 ++ ASSERT((mask & (ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET|
542 ++ ATTR_MTIME_SET|ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0);
543 +
544 + lock_flags = XFS_ILOCK_EXCL;
545 + if (!(flags & XFS_ATTR_NOLOCK))
546 +@@ -902,6 +913,12 @@ xfs_setattr_size(
547 + xfs_iflags_set(ip, XFS_ITRUNCATED);
548 + }
549 +
550 ++ /*
551 ++ * Change file access modes.
552 ++ */
553 ++ if (mask & ATTR_MODE)
554 ++ xfs_setattr_mode(tp, ip, iattr);
555 ++
556 + if (mask & ATTR_CTIME) {
557 + inode->i_ctime = iattr->ia_ctime;
558 + ip->i_d.di_ctime.t_sec = iattr->ia_ctime.tv_sec;
559 diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c
560 index 87323f1..dab9d00 100644
561 --- a/fs/xfs/xfs_rtalloc.c
562 @@ -56762,10 +56983,10 @@ index 8a89949..6776861 100644
563 xfs_init_zones(void)
564 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
565 new file mode 100644
566 -index 0000000..aef8e91
567 +index 0000000..15aaf25
568 --- /dev/null
569 +++ b/grsecurity/Kconfig
570 -@@ -0,0 +1,1031 @@
571 +@@ -0,0 +1,1053 @@
572 +#
573 +# grecurity configuration
574 +#
575 @@ -56851,6 +57072,25 @@ index 0000000..aef8e91
576 + If you're using KERNEXEC, it's recommended that you enable this option
577 + to supplement the hardening of the kernel.
578 +
579 ++config GRKERNSEC_PERF_HARDEN
580 ++ bool "Disable unprivileged PERF_EVENTS usage by default"
581 ++ default y if GRKERNSEC_CONFIG_AUTO
582 ++ depends on PERF_EVENTS
583 ++ help
584 ++ If you say Y here, the range of acceptable values for the
585 ++ /proc/sys/kernel/perf_event_paranoid sysctl will be expanded to allow and
586 ++ default to a new value: 3. When the sysctl is set to this value, no
587 ++ unprivileged use of the PERF_EVENTS syscall interface will be permitted.
588 ++
589 ++ Though PERF_EVENTS can be used legitimately for performance monitoring
590 ++ and low-level application profiling, it is forced on regardless of
591 ++ configuration, has been at fault for several vulnerabilities, and
592 ++ creates new opportunities for side channels and other information leaks.
593 ++
594 ++ This feature puts PERF_EVENTS into a secure default state and permits
595 ++ the administrator to change out of it temporarily if unprivileged
596 ++ application profiling is needed.
597 ++
598 +config GRKERNSEC_RAND_THREADSTACK
599 + bool "Insert random gaps between thread stacks"
600 + default y if GRKERNSEC_CONFIG_AUTO
601 @@ -56961,6 +57201,9 @@ index 0000000..aef8e91
602 + useful protection against local kernel exploitation of overflows
603 + and arbitrary read/write vulnerabilities.
604 +
605 ++ It is highly recommended that you enable GRKERNSEC_PERF_HARDEN
606 ++ in addition to this feature.
607 ++
608 +config GRKERNSEC_KERN_LOCKOUT
609 + bool "Active kernel exploit response"
610 + default y if GRKERNSEC_CONFIG_AUTO
611 @@ -70897,7 +71140,7 @@ index 45fc162..01a4068 100644
612 /**
613 * struct hotplug_slot_info - used to notify the hotplug pci core of the state of the slot
614 diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
615 -index 9b9b2aa..22f09dc 100644
616 +index 9b9b2aa..df3199e 100644
617 --- a/include/linux/perf_event.h
618 +++ b/include/linux/perf_event.h
619 @@ -748,8 +748,8 @@ struct perf_event {
620 @@ -70931,8 +71174,15 @@ index 9b9b2aa..22f09dc 100644
621 extern int sysctl_perf_event_mlock;
622 extern int sysctl_perf_event_sample_rate;
623
624 -@@ -1111,17 +1111,17 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write,
625 +@@ -1109,19 +1109,24 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write,
626 + void __user *buffer, size_t *lenp,
627 + loff_t *ppos);
628
629 ++static inline bool perf_paranoid_any(void)
630 ++{
631 ++ return sysctl_perf_event_legitimately_concerned > 2;
632 ++}
633 ++
634 static inline bool perf_paranoid_tracepoint_raw(void)
635 {
636 - return sysctl_perf_event_paranoid > -1;
637 @@ -70952,7 +71202,7 @@ index 9b9b2aa..22f09dc 100644
638 }
639
640 extern void perf_event_init(void);
641 -@@ -1199,7 +1199,7 @@ static inline void perf_restore_debug_store(void) { }
642 +@@ -1199,7 +1204,7 @@ static inline void perf_restore_debug_store(void) { }
643 */
644 #define perf_cpu_notifier(fn) \
645 do { \
646 @@ -74914,15 +75164,19 @@ index 63786e7..0780cac 100644
647 #ifdef CONFIG_MODULE_UNLOAD
648 {
649 diff --git a/kernel/events/core.c b/kernel/events/core.c
650 -index 9f21915..08e25b4 100644
651 +index 9f21915..840113c 100644
652 --- a/kernel/events/core.c
653 +++ b/kernel/events/core.c
654 -@@ -146,7 +146,11 @@ static struct srcu_struct pmus_srcu;
655 +@@ -145,8 +145,15 @@ static struct srcu_struct pmus_srcu;
656 + * 0 - disallow raw tracepoint access for unpriv
657 * 1 - disallow cpu events for unpriv
658 * 2 - disallow kernel profiling for unpriv
659 ++ * 3 - disallow all unpriv perf event use
660 */
661 -int sysctl_perf_event_paranoid __read_mostly = 1;
662 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
663 ++#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
664 ++int sysctl_perf_event_legitimately_concerned __read_mostly = 3;
665 ++#elif CONFIG_GRKERNSEC_HIDESYM
666 +int sysctl_perf_event_legitimately_concerned __read_mostly = 2;
667 +#else
668 +int sysctl_perf_event_legitimately_concerned __read_mostly = 1;
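Review bot: `#elif CONFIG_GRKERNSEC_HIDESYM` tests the macro's value rather than its definedness, unlike the `#ifdef CONFIG_GRKERNSEC_PERF_HARDEN` two lines above it. Kconfig bools expand to 1 so the branch behaves, but when the option is unset the bare identifier is only treated as 0 by the preprocessor's undefined-identifier rule and `-Wundef` will flag it. `#elif defined(CONFIG_GRKERNSEC_HIDESYM)` keeps the two tests consistent. The new `3 - disallow all unpriv perf event use` line in the level comment matches the upper bound this commit adds in kernel/sysctl.c.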
669 @@ -74930,7 +75184,7 @@ index 9f21915..08e25b4 100644
670
671 /* Minimum for 512 kiB + 1 user control page */
672 int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
673 -@@ -173,7 +177,7 @@ int perf_proc_update_handler(struct ctl_table *table, int write,
674 +@@ -173,7 +180,7 @@ int perf_proc_update_handler(struct ctl_table *table, int write,
675 return 0;
676 }
677
678 @@ -74939,7 +75193,7 @@ index 9f21915..08e25b4 100644
679
680 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
681 enum event_type_t event_type);
682 -@@ -2540,7 +2544,7 @@ static void __perf_event_read(void *info)
683 +@@ -2540,7 +2547,7 @@ static void __perf_event_read(void *info)
684
685 static inline u64 perf_event_count(struct perf_event *event)
686 {
687 @@ -74948,7 +75202,7 @@ index 9f21915..08e25b4 100644
688 }
689
690 static u64 perf_event_read(struct perf_event *event)
691 -@@ -3071,9 +3075,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
692 +@@ -3071,9 +3078,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
693 mutex_lock(&event->child_mutex);
694 total += perf_event_read(event);
695 *enabled += event->total_time_enabled +
696 @@ -74960,7 +75214,7 @@ index 9f21915..08e25b4 100644
697
698 list_for_each_entry(child, &event->child_list, child_list) {
699 total += perf_event_read(child);
700 -@@ -3482,10 +3486,10 @@ void perf_event_update_userpage(struct perf_event *event)
701 +@@ -3482,10 +3489,10 @@ void perf_event_update_userpage(struct perf_event *event)
702 userpg->offset -= local64_read(&event->hw.prev_count);
703
704 userpg->time_enabled = enabled +
705 @@ -74973,7 +75227,7 @@ index 9f21915..08e25b4 100644
706
707 barrier();
708 ++userpg->lock;
709 -@@ -3914,11 +3918,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
710 +@@ -3914,11 +3921,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
711 values[n++] = perf_event_count(event);
712 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
713 values[n++] = enabled +
714 @@ -74987,7 +75241,7 @@ index 9f21915..08e25b4 100644
715 }
716 if (read_format & PERF_FORMAT_ID)
717 values[n++] = primary_event_id(event);
718 -@@ -4569,12 +4573,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
719 +@@ -4569,12 +4576,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
720 * need to add enough zero bytes after the string to handle
721 * the 64bit alignment we do later.
722 */
723 @@ -75002,7 +75256,7 @@ index 9f21915..08e25b4 100644
724 if (IS_ERR(name)) {
725 name = strncpy(tmp, "//toolong", sizeof(tmp));
726 goto got_name;
727 -@@ -5931,7 +5935,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
728 +@@ -5931,7 +5938,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
729 event->parent = parent_event;
730
731 event->ns = get_pid_ns(current->nsproxy->pid_ns);
732 @@ -75011,7 +75265,19 @@ index 9f21915..08e25b4 100644
733
734 event->state = PERF_EVENT_STATE_INACTIVE;
735
736 -@@ -6451,10 +6455,10 @@ static void sync_child_event(struct perf_event *child_event,
737 +@@ -6164,6 +6171,11 @@ SYSCALL_DEFINE5(perf_event_open,
738 + if (flags & ~PERF_FLAG_ALL)
739 + return -EINVAL;
740 +
741 ++#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
742 ++ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
743 ++ return -EACCES;
744 ++#endif
745 ++
746 + err = perf_copy_attr(attr_uptr, &attr);
747 + if (err)
748 + return err;
749 +@@ -6451,10 +6463,10 @@ static void sync_child_event(struct perf_event *child_event,
750 /*
751 * Add back the child's count to the parent's count:
752 */
753 @@ -78654,7 +78920,7 @@ index be5fa8b..a8c2090 100644
754 break;
755 }
756 diff --git a/kernel/sysctl.c b/kernel/sysctl.c
757 -index ea7ec7f..b1c7c88 100644
758 +index ea7ec7f..a823e62 100644
759 --- a/kernel/sysctl.c
760 +++ b/kernel/sysctl.c
761 @@ -86,6 +86,13 @@
762 @@ -78779,7 +79045,7 @@ index ea7ec7f..b1c7c88 100644
763 {
764 .procname = "ngroups_max",
765 .data = &ngroups_max,
766 -@@ -957,8 +1002,8 @@ static struct ctl_table kern_table[] = {
767 +@@ -957,10 +1002,17 @@ static struct ctl_table kern_table[] = {
768 */
769 {
770 .procname = "perf_event_paranoid",
771 @@ -78788,9 +79054,19 @@ index ea7ec7f..b1c7c88 100644
772 + .data = &sysctl_perf_event_legitimately_concerned,
773 + .maxlen = sizeof(sysctl_perf_event_legitimately_concerned),
774 .mode = 0644,
775 - .proc_handler = proc_dointvec,
776 +- .proc_handler = proc_dointvec,
777 ++ /* go ahead, be a hero */
778 ++ .proc_handler = proc_dointvec_minmax_sysadmin,
779 ++ .extra1 = &zero,
780 ++#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
781 ++ .extra2 = &three,
782 ++#else
783 ++ .extra2 = &two,
784 ++#endif
785 },
786 -@@ -1216,6 +1261,13 @@ static struct ctl_table vm_table[] = {
787 + {
788 + .procname = "perf_event_mlock_kb",
789 +@@ -1216,6 +1268,13 @@ static struct ctl_table vm_table[] = {
790 .proc_handler = proc_dointvec_minmax,
791 .extra1 = &zero,
792 },
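Review bot: `.extra2 = &three` depends on a `three` limit variable existing in kernel/sysctl.c, and this hunk does not declare one; if the base tree at this level does not already define `static int three = 3;` alongside `zero` and `two`, the build only breaks when CONFIG_GRKERNSEC_PERF_HARDEN is set, so it is worth confirming against the 3.2 tree. The new comment `/* go ahead, be a hero */` does not tell a maintainer what the entry enforces; `/* 0..2 are the upstream paranoia levels; 3 (CONFIG_GRKERNSEC_PERF_HARDEN) rejects all unprivileged perf_event_open */` would document the range and why it differs per config. proc_dointvec_minmax_sysadmin is added elsewhere in this patch but its body is not shown here, so its write restriction is not something this hunk can be checked against. kern_table continues outside the hunk on both sides.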
793 @@ -78804,7 +79080,7 @@ index ea7ec7f..b1c7c88 100644
794 #else
795 {
796 .procname = "nr_trim_pages",
797 -@@ -1499,7 +1551,7 @@ static struct ctl_table fs_table[] = {
798 +@@ -1499,7 +1558,7 @@ static struct ctl_table fs_table[] = {
799 .data = &suid_dumpable,
800 .maxlen = sizeof(int),
801 .mode = 0644,
802 @@ -78813,7 +79089,7 @@ index ea7ec7f..b1c7c88 100644
803 .extra1 = &zero,
804 .extra2 = &two,
805 },
806 -@@ -1720,6 +1772,17 @@ static int test_perm(int mode, int op)
807 +@@ -1720,6 +1779,17 @@ static int test_perm(int mode, int op)
808 int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op)
809 {
810 int mode;
811 @@ -78831,7 +79107,7 @@ index ea7ec7f..b1c7c88 100644
812
813 if (root->permissions)
814 mode = root->permissions(root, current->nsproxy, table);
815 -@@ -1732,7 +1795,9 @@ int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op)
816 +@@ -1732,7 +1802,9 @@ int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op)
817 static void sysctl_set_parent(struct ctl_table *parent, struct ctl_table *table)
818 {
819 for (; table->procname; table++) {
820 @@ -78842,7 +79118,7 @@ index ea7ec7f..b1c7c88 100644
821 if (table->child)
822 sysctl_set_parent(table, table->child);
823 }
824 -@@ -1856,7 +1921,8 @@ struct ctl_table_header *__register_sysctl_paths(
825 +@@ -1856,7 +1928,8 @@ struct ctl_table_header *__register_sysctl_paths(
826 const struct ctl_path *path, struct ctl_table *table)
827 {
828 struct ctl_table_header *header;
829 @@ -78852,7 +79128,7 @@ index ea7ec7f..b1c7c88 100644
830 unsigned int n, npath;
831 struct ctl_table_set *set;
832
833 -@@ -1877,7 +1943,7 @@ struct ctl_table_header *__register_sysctl_paths(
834 +@@ -1877,7 +1950,7 @@ struct ctl_table_header *__register_sysctl_paths(
835 if (!header)
836 return NULL;
837
838 @@ -78861,7 +79137,7 @@ index ea7ec7f..b1c7c88 100644
839
840 /* Now connect the dots */
841 prevp = &header->ctl_table;
842 -@@ -2124,6 +2190,16 @@ int proc_dostring(struct ctl_table *table, int write,
843 +@@ -2124,6 +2197,16 @@ int proc_dostring(struct ctl_table *table, int write,
844 buffer, lenp, ppos);
845 }
846
847 @@ -78878,7 +79154,7 @@ index ea7ec7f..b1c7c88 100644
848 static size_t proc_skip_spaces(char **buf)
849 {
850 size_t ret;
851 -@@ -2229,6 +2305,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
852 +@@ -2229,6 +2312,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
853 len = strlen(tmp);
854 if (len > *size)
855 len = *size;
856 @@ -78887,7 +79163,7 @@ index ea7ec7f..b1c7c88 100644
857 if (copy_to_user(*buf, tmp, len))
858 return -EFAULT;
859 *size -= len;
860 -@@ -2393,7 +2471,7 @@ int proc_dointvec(struct ctl_table *table, int write,
861 +@@ -2393,7 +2478,7 @@ int proc_dointvec(struct ctl_table *table, int write,
862 static int proc_taint(struct ctl_table *table, int write,
863 void __user *buffer, size_t *lenp, loff_t *ppos)
864 {
865 @@ -78896,7 +79172,7 @@ index ea7ec7f..b1c7c88 100644
866 unsigned long tmptaint = get_taint();
867 int err;
868
869 -@@ -2421,7 +2499,6 @@ static int proc_taint(struct ctl_table *table, int write,
870 +@@ -2421,7 +2506,6 @@ static int proc_taint(struct ctl_table *table, int write,
871 return err;
872 }
873
874 @@ -78904,7 +79180,7 @@ index ea7ec7f..b1c7c88 100644
875 static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
876 void __user *buffer, size_t *lenp, loff_t *ppos)
877 {
878 -@@ -2430,7 +2507,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
879 +@@ -2430,7 +2514,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
880
881 return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
882 }
883 @@ -78912,7 +79188,7 @@ index ea7ec7f..b1c7c88 100644
884
885 struct do_proc_dointvec_minmax_conv_param {
886 int *min;
887 -@@ -2488,6 +2564,34 @@ int proc_dointvec_minmax(struct ctl_table *table, int write,
888 +@@ -2488,6 +2571,34 @@ int proc_dointvec_minmax(struct ctl_table *table, int write,
889 do_proc_dointvec_minmax_conv, &param);
890 }
891
892 @@ -78947,7 +79223,7 @@ index ea7ec7f..b1c7c88 100644
893 static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int write,
894 void __user *buffer,
895 size_t *lenp, loff_t *ppos,
896 -@@ -2545,8 +2649,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
897 +@@ -2545,8 +2656,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
898 *i = val;
899 } else {
900 val = convdiv * (*i) / convmul;
901 @@ -78960,7 +79236,7 @@ index ea7ec7f..b1c7c88 100644
902 err = proc_put_long(&buffer, &left, val, false);
903 if (err)
904 break;
905 -@@ -2941,6 +3048,12 @@ int proc_dostring(struct ctl_table *table, int write,
906 +@@ -2941,6 +3055,12 @@ int proc_dostring(struct ctl_table *table, int write,
907 return -ENOSYS;
908 }
909
910 @@ -78973,7 +79249,7 @@ index ea7ec7f..b1c7c88 100644
911 int proc_dointvec(struct ctl_table *table, int write,
912 void __user *buffer, size_t *lenp, loff_t *ppos)
913 {
914 -@@ -2997,6 +3110,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
915 +@@ -2997,6 +3117,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
916 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
917 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
918 EXPORT_SYMBOL(proc_dostring);
919 @@ -87943,6 +88219,24 @@ index 5485077..7e37374 100644
920
921 hdr = register_sysctl_paths(net_ipv4_ctl_path, ipv4_table);
922 if (hdr == NULL)
923 +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
924 +index fe381c2..ec8b4b7e 100644
925 +--- a/net/ipv4/tcp.c
926 ++++ b/net/ipv4/tcp.c
927 +@@ -3037,8 +3037,11 @@ int tcp_md5_hash_skb_data(struct tcp_md5sig_pool *hp,
928 +
929 + for (i = 0; i < shi->nr_frags; ++i) {
930 + const struct skb_frag_struct *f = &shi->frags[i];
931 +- struct page *page = skb_frag_page(f);
932 +- sg_set_page(&sg, page, skb_frag_size(f), f->page_offset);
933 ++ unsigned int offset = f->page_offset;
934 ++ struct page *page = skb_frag_page(f) + (offset >> PAGE_SHIFT);
935 ++
936 ++ sg_set_page(&sg, page, skb_frag_size(f),
937 ++ offset_in_page(offset));
938 + if (crypto_hash_update(desc, &sg, skb_frag_size(f)))
939 + return 1;
940 + }
941 diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
942 index 872b41d..54a02f1 100644
943 --- a/net/ipv4/tcp_input.c
944 @@ -88392,6 +88686,19 @@ index 1567fb1..29af910 100644
945 __sk_dst_reset(sk);
946 dst = NULL;
947 }
948 +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
949 +index 3ccd9b2..6aadaa8 100644
950 +--- a/net/ipv6/ip6_output.c
951 ++++ b/net/ipv6/ip6_output.c
952 +@@ -1233,7 +1233,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
953 + if (WARN_ON(np->cork.opt))
954 + return -EINVAL;
955 +
956 +- np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation);
957 ++ np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation);
958 + if (unlikely(np->cork.opt == NULL))
959 + return -ENOBUFS;
960 +
961 diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
962 index b204df8..8f274f4 100644
963 --- a/net/ipv6/ipv6_sockglue.c
964 @@ -88926,6 +89233,19 @@ index e71e85b..29340a9 100644
965
966 /* Aborting, close connection! */
967 iriap_disconnect_request(self);
968 +diff --git a/net/irda/irlap_frame.c b/net/irda/irlap_frame.c
969 +index 8c00416..9ea0c93 100644
970 +--- a/net/irda/irlap_frame.c
971 ++++ b/net/irda/irlap_frame.c
972 +@@ -544,7 +544,7 @@ static void irlap_recv_discovery_xid_cmd(struct irlap_cb *self,
973 + /*
974 + * We now have some discovery info to deliver!
975 + */
976 +- discovery = kmalloc(sizeof(discovery_t), GFP_ATOMIC);
977 ++ discovery = kzalloc(sizeof(discovery_t), GFP_ATOMIC);
978 + if (!discovery) {
979 + IRDA_WARNING("%s: unable to malloc!\n", __func__);
980 + return;
981 diff --git a/net/irda/irttp.c b/net/irda/irttp.c
982 index 32e3bb0..a4e5eb8 100644
983 --- a/net/irda/irttp.c
984
985 diff --git a/3.9.4/0000_README b/3.9.4/0000_README
986 index 1cbe9a3..517433d 100644
987 --- a/3.9.4/0000_README
988 +++ b/3.9.4/0000_README
989 @@ -2,7 +2,7 @@ README
990 -----------------------------------------------------------------------------
991 Individual Patch Descriptions:
992 -----------------------------------------------------------------------------
993 -Patch: 4420_grsecurity-2.9.1-3.9.4-201306011536.patch
994 +Patch: 4420_grsecurity-2.9.1-3.9.4-201306041949.patch
995 From: http://www.grsecurity.net
996 Desc: hardened-sources base patch from upstream grsecurity
997
998
999 diff --git a/3.9.4/4420_grsecurity-2.9.1-3.9.4-201306011536.patch b/3.9.4/4420_grsecurity-2.9.1-3.9.4-201306041949.patch
1000 similarity index 99%
1001 rename from 3.9.4/4420_grsecurity-2.9.1-3.9.4-201306011536.patch
1002 rename to 3.9.4/4420_grsecurity-2.9.1-3.9.4-201306041949.patch
1003 index 9a1a55c..55d122a 100644
1004 --- a/3.9.4/4420_grsecurity-2.9.1-3.9.4-201306011536.patch
1005 +++ b/3.9.4/4420_grsecurity-2.9.1-3.9.4-201306041949.patch
1006 @@ -5763,6 +5763,19 @@ index e0a8235..ce2f1e1 100644
1007 ret = __copy_from_user(to, from, n);
1008 else
1009 copy_from_user_overflow();
1010 +diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c
1011 +index 5709c5e..14285ca 100644
1012 +--- a/arch/parisc/kernel/drivers.c
1013 ++++ b/arch/parisc/kernel/drivers.c
1014 +@@ -394,7 +394,7 @@ EXPORT_SYMBOL(print_pci_hwpath);
1015 + static void setup_bus_id(struct parisc_device *padev)
1016 + {
1017 + struct hardware_path path;
1018 +- char name[20];
1019 ++ char name[28];
1020 + char *output = name;
1021 + int i;
1022 +
1023 diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c
1024 index 2a625fb..9908930 100644
1025 --- a/arch/parisc/kernel/module.c
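Review bot: Growing `name` from 20 to 28 bytes in setup_bus_id() changes the bound without showing why 28 is sufficient; the code that writes through `output` is outside the hunk, so the new size cannot be checked here against the longest `struct hardware_path` rendering. A comment deriving the constant, e.g. `char name[28]; /* longest hardware_path rendered below, incl. NUL — see the writes through output */`, or a bounded write (`snprintf` against the space remaining in `name`) would make the fix verifiable in place. setup_bus_id's body continues outside the hunk.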
1026 @@ -5866,6 +5879,20 @@ index 2a625fb..9908930 100644
1027
1028 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1029 me->arch.unwind_section, table, end, gp);
1030 +diff --git a/arch/parisc/kernel/setup.c b/arch/parisc/kernel/setup.c
1031 +index a3328c2..3b812eb 100644
1032 +--- a/arch/parisc/kernel/setup.c
1033 ++++ b/arch/parisc/kernel/setup.c
1034 +@@ -69,7 +69,8 @@ void __init setup_cmdline(char **cmdline_p)
1035 + /* called from hpux boot loader */
1036 + boot_command_line[0] = '\0';
1037 + } else {
1038 +- strcpy(boot_command_line, (char *)__va(boot_args[1]));
1039 ++ strlcpy(boot_command_line, (char *)__va(boot_args[1]),
1040 ++ COMMAND_LINE_SIZE);
1041 +
1042 + #ifdef CONFIG_BLK_DEV_INITRD
1043 + if (boot_args[2] != 0) /* did palo pass us a ramdisk? */
1044 diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c
1045 index 5dfd248..64914ac 100644
1046 --- a/arch/parisc/kernel/sys_parisc.c
1047 @@ -31951,7 +31978,7 @@ index f9b983a..887b9d8 100644
1048 return 0;
1049 }
1050 diff --git a/drivers/atm/ambassador.c b/drivers/atm/ambassador.c
1051 -index 77a7480..05cde58 100644
1052 +index 77a7480d..05cde58 100644
1053 --- a/drivers/atm/ambassador.c
1054 +++ b/drivers/atm/ambassador.c
1055 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev, tx_out * tx) {
1056 @@ -37505,6 +37532,37 @@ index 89562a8..218999b 100644
1057 capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */
1058 capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */
1059 capimsg_setu16(skb->data, 16, len); /* Data length */
1060 +diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c
1061 +index 9b1b274..c123709 100644
1062 +--- a/drivers/isdn/capi/kcapi.c
1063 ++++ b/drivers/isdn/capi/kcapi.c
1064 +@@ -93,7 +93,7 @@ capi_ctr_put(struct capi_ctr *ctr)
1065 +
1066 + static inline struct capi_ctr *get_capi_ctr_by_nr(u16 contr)
1067 + {
1068 +- if (contr - 1 >= CAPI_MAXCONTR)
1069 ++ if (contr < 1 || contr - 1 >= CAPI_MAXCONTR)
1070 + return NULL;
1071 +
1072 + return capi_controller[contr - 1];
1073 +@@ -103,7 +103,7 @@ static inline struct capi20_appl *__get_capi_appl_by_nr(u16 applid)
1074 + {
1075 + lockdep_assert_held(&capi_controller_lock);
1076 +
1077 +- if (applid - 1 >= CAPI_MAXAPPL)
1078 ++ if (applid < 1 || applid - 1 >= CAPI_MAXAPPL)
1079 + return NULL;
1080 +
1081 + return capi_applications[applid - 1];
1082 +@@ -111,7 +111,7 @@ static inline struct capi20_appl *__get_capi_appl_by_nr(u16 applid)
1083 +
1084 + static inline struct capi20_appl *get_capi_appl_by_nr(u16 applid)
1085 + {
1086 +- if (applid - 1 >= CAPI_MAXAPPL)
1087 ++ if (applid < 1 || applid - 1 >= CAPI_MAXAPPL)
1088 + return NULL;
1089 +
1090 + return rcu_dereference(capi_applications[applid - 1]);
1091 diff --git a/drivers/isdn/gigaset/interface.c b/drivers/isdn/gigaset/interface.c
1092 index e2b5396..c5486dc 100644
1093 --- a/drivers/isdn/gigaset/interface.c
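Review bot: The three new guards of the form `applid < 1 || applid - 1 >= CAPI_MAXAPPL` are correct (the `< 1` test removes the case where the u16 promotes to a negative int and the subtraction goes below zero), but the arithmetic form still reads as if the underflow were live. Once `applid >= 1` holds, `applid - 1 >= CAPI_MAXAPPL` is the same as `applid > CAPI_MAXAPPL`, so `if (applid < 1 || applid > CAPI_MAXAPPL)` in both appl lookups, and `if (contr < 1 || contr > CAPI_MAXCONTR)` in get_capi_ctr_by_nr, states the valid range 1..MAX directly and matches the `[applid - 1]` index that follows.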
1094 @@ -53758,6 +53816,19 @@ index 1f94167..79c4ce4 100644
1095 }
1096
1097 void nfs_fattr_init(struct nfs_fattr *fattr)
1098 +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
1099 +index 0086401..261e9b9 100644
1100 +--- a/fs/nfs/nfs4proc.c
1101 ++++ b/fs/nfs/nfs4proc.c
1102 +@@ -1022,7 +1022,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata)
1103 + struct nfs4_state *state = opendata->state;
1104 + struct nfs_inode *nfsi = NFS_I(state->inode);
1105 + struct nfs_delegation *delegation;
1106 +- int open_mode = opendata->o_arg.open_flags & (O_EXCL|O_TRUNC);
1107 ++ int open_mode = opendata->o_arg.open_flags;
1108 + fmode_t fmode = opendata->o_arg.fmode;
1109 + nfs4_stateid stateid;
1110 + int ret = -EAGAIN;
1111 diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
1112 index d401d01..10b3e62 100644
1113 --- a/fs/nfsd/nfs4proc.c
1114 @@ -55856,6 +55927,19 @@ index fee38e0..12fdf47 100644
1115 if (__put_user(d_off, &lastdirent->d_off))
1116 error = -EFAULT;
1117 else
1118 +diff --git a/fs/reiserfs/dir.c b/fs/reiserfs/dir.c
1119 +index 66c53b6..6c2d136 100644
1120 +--- a/fs/reiserfs/dir.c
1121 ++++ b/fs/reiserfs/dir.c
1122 +@@ -204,6 +204,8 @@ int reiserfs_readdir_dentry(struct dentry *dentry, void *dirent,
1123 + next_pos = deh_offset(deh) + 1;
1124 +
1125 + if (item_moved(&tmp_ih, &path_to_entry)) {
1126 ++ set_cpu_key_k_offset(&pos_key,
1127 ++ next_pos);
1128 + goto research;
1129 + }
1130 + } /* for */
1131 diff --git a/fs/reiserfs/do_balan.c b/fs/reiserfs/do_balan.c
1132 index 2b7882b..1c5ef48 100644
1133 --- a/fs/reiserfs/do_balan.c
1134 @@ -55869,6 +55953,29 @@ index 2b7882b..1c5ef48 100644
1135 do_balance_starts(tb);
1136
1137 /* balance leaf returns 0 except if combining L R and S into
1138 +diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c
1139 +index ea5061f..c3a9de6 100644
1140 +--- a/fs/reiserfs/inode.c
1141 ++++ b/fs/reiserfs/inode.c
1142 +@@ -1810,11 +1810,16 @@ int reiserfs_new_inode(struct reiserfs_transaction_handle *th,
1143 + TYPE_STAT_DATA, SD_SIZE, MAX_US_INT);
1144 + memcpy(INODE_PKEY(inode), &(ih.ih_key), KEY_SIZE);
1145 + args.dirid = le32_to_cpu(ih.ih_key.k_dir_id);
1146 +- if (insert_inode_locked4(inode, args.objectid,
1147 +- reiserfs_find_actor, &args) < 0) {
1148 ++
1149 ++ reiserfs_write_unlock(inode->i_sb);
1150 ++ err = insert_inode_locked4(inode, args.objectid,
1151 ++ reiserfs_find_actor, &args);
1152 ++ reiserfs_write_lock(inode->i_sb);
1153 ++ if (err) {
1154 + err = -EINVAL;
1155 + goto out_bad_inode;
1156 + }
1157 ++
1158 + if (old_format_only(sb))
1159 + /* not a perfect generation count, as object ids can be reused, but
1160 + ** this is as good as reiserfs can do right now.
1161 diff --git a/fs/reiserfs/procfs.c b/fs/reiserfs/procfs.c
1162 index 9cc0740a..46bf953 100644
1163 --- a/fs/reiserfs/procfs.c
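Review bot: `err = insert_inode_locked4(...)` now captures the callee's return value, but the next line overwrites it with `err = -EINVAL;` before `goto out_bad_inode`, so the captured value is never propagated. Either drop the `err = -EINVAL;` line to report what insert_inode_locked4 returned, or keep it and add a one-line comment saying the callee's code is deliberately mapped to -EINVAL. The lock is also released around the call (`reiserfs_write_unlock` / `reiserfs_write_lock`) with no explanation; a comment such as `/* drop the write lock: insert_inode_locked4 may block on a concurrent lookup — confirm the ordering this avoids */` would help the next reader. reiserfs_new_inode continues outside the hunk.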
1164 @@ -55904,6 +56011,45 @@ index 157e474..65a6114 100644
1165 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
1166 #define __fs_changed(gen,s) (gen != get_generation (s))
1167 #define fs_changed(gen,s) \
1168 +diff --git a/fs/reiserfs/xattr.c b/fs/reiserfs/xattr.c
1169 +index 4cce1d9..821bcf7 100644
1170 +--- a/fs/reiserfs/xattr.c
1171 ++++ b/fs/reiserfs/xattr.c
1172 +@@ -318,7 +318,19 @@ static int delete_one_xattr(struct dentry *dentry, void *data)
1173 + static int chown_one_xattr(struct dentry *dentry, void *data)
1174 + {
1175 + struct iattr *attrs = data;
1176 +- return reiserfs_setattr(dentry, attrs);
1177 ++ int ia_valid = attrs->ia_valid;
1178 ++ int err;
1179 ++
1180 ++ /*
1181 ++ * We only want the ownership bits. Otherwise, we'll do
1182 ++ * things like change a directory to a regular file if
1183 ++ * ATTR_MODE is set.
1184 ++ */
1185 ++ attrs->ia_valid &= (ATTR_UID|ATTR_GID);
1186 ++ err = reiserfs_setattr(dentry, attrs);
1187 ++ attrs->ia_valid = ia_valid;
1188 ++
1189 ++ return err;
1190 + }
1191 +
1192 + /* No i_mutex, but the inode is unconnected. */
1193 +diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c
1194 +index d7c01ef..6c8767f 100644
1195 +--- a/fs/reiserfs/xattr_acl.c
1196 ++++ b/fs/reiserfs/xattr_acl.c
1197 +@@ -443,6 +443,9 @@ int reiserfs_acl_chmod(struct inode *inode)
1198 + int depth;
1199 + int error;
1200 +
1201 ++ if (IS_PRIVATE(inode))
1202 ++ return 0;
1203 ++
1204 + if (S_ISLNK(inode->i_mode))
1205 + return -EOPNOTSUPP;
1206 +
1207 diff --git a/fs/select.c b/fs/select.c
1208 index 8c1c96c..a0f9b6d 100644
1209 --- a/fs/select.c
1210 @@ -56526,7 +56672,7 @@ index d681e34..2a3f5ab 100644
1211 goto out_put;
1212
1213 diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
1214 -index d82efaa..0904a8e 100644
1215 +index d82efaa..60100c7 100644
1216 --- a/fs/xfs/xfs_iops.c
1217 +++ b/fs/xfs/xfs_iops.c
1218 @@ -395,7 +395,7 @@ xfs_vn_put_link(
1219 @@ -56538,12 +56684,87 @@ index d82efaa..0904a8e 100644
1220
1221 if (!IS_ERR(s))
1222 kfree(s);
1223 +@@ -455,6 +455,28 @@ xfs_vn_getattr(
1224 + return 0;
1225 + }
1226 +
1227 ++static void
1228 ++xfs_setattr_mode(
1229 ++ struct xfs_trans *tp,
1230 ++ struct xfs_inode *ip,
1231 ++ struct iattr *iattr)
1232 ++{
1233 ++ struct inode *inode = VFS_I(ip);
1234 ++ umode_t mode = iattr->ia_mode;
1235 ++
1236 ++ ASSERT(tp);
1237 ++ ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL));
1238 ++
1239 ++ if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
1240 ++ mode &= ~S_ISGID;
1241 ++
1242 ++ ip->i_d.di_mode &= S_IFMT;
1243 ++ ip->i_d.di_mode |= mode & ~S_IFMT;
1244 ++
1245 ++ inode->i_mode &= S_IFMT;
1246 ++ inode->i_mode |= mode & ~S_IFMT;
1247 ++}
1248 ++
1249 + int
1250 + xfs_setattr_nonsize(
1251 + struct xfs_inode *ip,
1252 +@@ -606,18 +628,8 @@ xfs_setattr_nonsize(
1253 + /*
1254 + * Change file access modes.
1255 + */
1256 +- if (mask & ATTR_MODE) {
1257 +- umode_t mode = iattr->ia_mode;
1258 +-
1259 +- if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
1260 +- mode &= ~S_ISGID;
1261 +-
1262 +- ip->i_d.di_mode &= S_IFMT;
1263 +- ip->i_d.di_mode |= mode & ~S_IFMT;
1264 +-
1265 +- inode->i_mode &= S_IFMT;
1266 +- inode->i_mode |= mode & ~S_IFMT;
1267 +- }
1268 ++ if (mask & ATTR_MODE)
1269 ++ xfs_setattr_mode(tp, ip, iattr);
1270 +
1271 + /*
1272 + * Change file access or modified times.
1273 +@@ -714,9 +726,8 @@ xfs_setattr_size(
1274 + return XFS_ERROR(error);
1275 +
1276 + ASSERT(S_ISREG(ip->i_d.di_mode));
1277 +- ASSERT((mask & (ATTR_MODE|ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET|
1278 +- ATTR_MTIME_SET|ATTR_KILL_SUID|ATTR_KILL_SGID|
1279 +- ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0);
1280 ++ ASSERT((mask & (ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET|
1281 ++ ATTR_MTIME_SET|ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0);
1282 +
1283 + if (!(flags & XFS_ATTR_NOLOCK)) {
1284 + lock_flags |= XFS_IOLOCK_EXCL;
1285 +@@ -860,6 +871,12 @@ xfs_setattr_size(
1286 + xfs_inode_clear_eofblocks_tag(ip);
1287 + }
1288 +
1289 ++ /*
1290 ++ * Change file access modes.
1291 ++ */
1292 ++ if (mask & ATTR_MODE)
1293 ++ xfs_setattr_mode(tp, ip, iattr);
1294 ++
1295 + if (mask & ATTR_CTIME) {
1296 + inode->i_ctime = iattr->ia_ctime;
1297 + ip->i_d.di_ctime.t_sec = iattr->ia_ctime.tv_sec;
1298 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
1299 new file mode 100644
1300 -index 0000000..7174794
1301 +index 0000000..ba9c5e3
1302 --- /dev/null
1303 +++ b/grsecurity/Kconfig
1304 -@@ -0,0 +1,1031 @@
1305 +@@ -0,0 +1,1053 @@
1306 +#
1307 +# grecurity configuration
1308 +#
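Review bot: The new `xfs_setattr_mode()` helper carries no header comment, and its second call site in `xfs_setattr_size()` is justified only by the relaxed `ASSERT` (ATTR_MODE, ATTR_KILL_SUID and ATTR_KILL_SGID dropped from the forbidden mask), which a reader cannot connect to a reason. Add above the helper something like `/* Apply iattr->ia_mode to both the on-disk and VFS inode; S_ISGID is stripped unless the caller is in the file's group or has CAP_FSETID. Caller holds tp and ILOCK_EXCL. */`, and above the new call in xfs_setattr_size a line such as `/* a truncate may carry a mode change (the VFS expresses ATTR_KILL_SUID/SGID as ATTR_MODE) */` — the VFS part is from memory of notify_change(), confirm before quoting. Both xfs_setattr_nonsize and xfs_setattr_size extend beyond the hunk.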
1309 @@ -56629,6 +56850,25 @@ index 0000000..7174794
1310 + If you're using KERNEXEC, it's recommended that you enable this option
1311 + to supplement the hardening of the kernel.
1312 +
1313 ++config GRKERNSEC_PERF_HARDEN
1314 ++ bool "Disable unprivileged PERF_EVENTS usage by default"
1315 ++ default y if GRKERNSEC_CONFIG_AUTO
1316 ++ depends on PERF_EVENTS
1317 ++ help
1318 ++ If you say Y here, the range of acceptable values for the
1319 ++ /proc/sys/kernel/perf_event_paranoid sysctl will be expanded to allow and
1320 ++ default to a new value: 3. When the sysctl is set to this value, no
1321 ++ unprivileged use of the PERF_EVENTS syscall interface will be permitted.
1322 ++
1323 ++ Though PERF_EVENTS can be used legitimately for performance monitoring
1324 ++ and low-level application profiling, it is forced on regardless of
1325 ++ configuration, has been at fault for several vulnerabilities, and
1326 ++ creates new opportunities for side channels and other information leaks.
1327 ++
1328 ++ This feature puts PERF_EVENTS into a secure default state and permits
1329 ++ the administrator to change out of it temporarily if unprivileged
1330 ++ application profiling is needed.
1331 ++
1332 +config GRKERNSEC_RAND_THREADSTACK
1333 + bool "Insert random gaps between thread stacks"
1334 + default y if GRKERNSEC_CONFIG_AUTO
1335 @@ -56739,6 +56979,9 @@ index 0000000..7174794
1336 + useful protection against local kernel exploitation of overflows
1337 + and arbitrary read/write vulnerabilities.
1338 +
1339 ++ It is highly recommended that you enable GRKERNSEC_PERF_HARDEN
1340 ++ in addition to this feature.
1341 ++
1342 +config GRKERNSEC_KERN_LOCKOUT
1343 + bool "Active kernel exploit response"
1344 + default y if GRKERNSEC_CONFIG_AUTO
1345 @@ -70441,7 +70684,7 @@ index 45fc162..01a4068 100644
1346 /**
1347 * struct hotplug_slot_info - used to notify the hotplug pci core of the state of the slot
1348 diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
1349 -index 1d795df..727aa7b 100644
1350 +index 1d795df..b0a6449 100644
1351 --- a/include/linux/perf_event.h
1352 +++ b/include/linux/perf_event.h
1353 @@ -333,8 +333,8 @@ struct perf_event {
1354 @@ -70475,8 +70718,15 @@ index 1d795df..727aa7b 100644
1355 extern int sysctl_perf_event_mlock;
1356 extern int sysctl_perf_event_sample_rate;
1357
1358 -@@ -714,17 +714,17 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write,
1359 +@@ -712,19 +712,24 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write,
1360 + void __user *buffer, size_t *lenp,
1361 + loff_t *ppos);
1362
1363 ++static inline bool perf_paranoid_any(void)
1364 ++{
1365 ++ return sysctl_perf_event_legitimately_concerned > 2;
1366 ++}
1367 ++
1368 static inline bool perf_paranoid_tracepoint_raw(void)
1369 {
1370 - return sysctl_perf_event_paranoid > -1;
1371 @@ -70496,7 +70746,7 @@ index 1d795df..727aa7b 100644
1372 }
1373
1374 extern void perf_event_init(void);
1375 -@@ -812,7 +812,7 @@ static inline void perf_restore_debug_store(void) { }
1376 +@@ -812,7 +817,7 @@ static inline void perf_restore_debug_store(void) { }
1377 */
1378 #define perf_cpu_notifier(fn) \
1379 do { \
1380 @@ -70505,7 +70755,7 @@ index 1d795df..727aa7b 100644
1381 { .notifier_call = fn, .priority = CPU_PRI_PERF }; \
1382 unsigned long cpu = smp_processor_id(); \
1383 unsigned long flags; \
1384 -@@ -831,7 +831,7 @@ do { \
1385 +@@ -831,7 +836,7 @@ do { \
1386 struct perf_pmu_events_attr {
1387 struct device_attribute attr;
1388 u64 id;
1389 @@ -74632,15 +74882,19 @@ index 00eb8f7..d7e3244 100644
1390 #ifdef CONFIG_MODULE_UNLOAD
1391 {
1392 diff --git a/kernel/events/core.c b/kernel/events/core.c
1393 -index 9fcb094..fd68c54 100644
1394 +index 9fcb094..8370228 100644
1395 --- a/kernel/events/core.c
1396 +++ b/kernel/events/core.c
1397 -@@ -155,7 +155,11 @@ static struct srcu_struct pmus_srcu;
1398 +@@ -154,8 +154,15 @@ static struct srcu_struct pmus_srcu;
1399 + * 0 - disallow raw tracepoint access for unpriv
1400 * 1 - disallow cpu events for unpriv
1401 * 2 - disallow kernel profiling for unpriv
1402 ++ * 3 - disallow all unpriv perf event use
1403 */
1404 -int sysctl_perf_event_paranoid __read_mostly = 1;
1405 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
1406 ++#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
1407 ++int sysctl_perf_event_legitimately_concerned __read_mostly = 3;
1408 ++#elif CONFIG_GRKERNSEC_HIDESYM
1409 +int sysctl_perf_event_legitimately_concerned __read_mostly = 2;
1410 +#else
1411 +int sysctl_perf_event_legitimately_concerned __read_mostly = 1;
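Review bot: `#elif CONFIG_GRKERNSEC_HIDESYM` tests the macro's value rather than its definedness, which is inconsistent with the `#ifdef CONFIG_GRKERNSEC_PERF_HARDEN` branch just above it: it relies on Kconfig defining the symbol as `1`, evaluates an undefined identifier as 0 when the option is off (a `-Wundef` warning), and would silently pick the wrong default if the symbol were ever defined empty. Write `#elif defined(CONFIG_GRKERNSEC_HIDESYM)` so the three-way default (3 / 2 / 1) for `sysctl_perf_event_legitimately_concerned` depends only on which options are enabled.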
1412 @@ -74648,7 +74902,7 @@ index 9fcb094..fd68c54 100644
1413
1414 /* Minimum for 512 kiB + 1 user control page */
1415 int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
1416 -@@ -182,7 +186,7 @@ int perf_proc_update_handler(struct ctl_table *table, int write,
1417 +@@ -182,7 +189,7 @@ int perf_proc_update_handler(struct ctl_table *table, int write,
1418 return 0;
1419 }
1420
1421 @@ -74657,7 +74911,7 @@ index 9fcb094..fd68c54 100644
1422
1423 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
1424 enum event_type_t event_type);
1425 -@@ -2677,7 +2681,7 @@ static void __perf_event_read(void *info)
1426 +@@ -2677,7 +2684,7 @@ static void __perf_event_read(void *info)
1427
1428 static inline u64 perf_event_count(struct perf_event *event)
1429 {
1430 @@ -74666,7 +74920,7 @@ index 9fcb094..fd68c54 100644
1431 }
1432
1433 static u64 perf_event_read(struct perf_event *event)
1434 -@@ -3007,9 +3011,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
1435 +@@ -3007,9 +3014,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
1436 mutex_lock(&event->child_mutex);
1437 total += perf_event_read(event);
1438 *enabled += event->total_time_enabled +
1439 @@ -74678,7 +74932,7 @@ index 9fcb094..fd68c54 100644
1440
1441 list_for_each_entry(child, &event->child_list, child_list) {
1442 total += perf_event_read(child);
1443 -@@ -3412,10 +3416,10 @@ void perf_event_update_userpage(struct perf_event *event)
1444 +@@ -3412,10 +3419,10 @@ void perf_event_update_userpage(struct perf_event *event)
1445 userpg->offset -= local64_read(&event->hw.prev_count);
1446
1447 userpg->time_enabled = enabled +
1448 @@ -74691,7 +74945,7 @@ index 9fcb094..fd68c54 100644
1449
1450 arch_perf_update_userpage(userpg, now);
1451
1452 -@@ -3886,7 +3890,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size,
1453 +@@ -3886,7 +3893,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size,
1454
1455 /* Data. */
1456 sp = perf_user_stack_pointer(regs);
1457 @@ -74700,7 +74954,7 @@ index 9fcb094..fd68c54 100644
1458 dyn_size = dump_size - rem;
1459
1460 perf_output_skip(handle, rem);
1461 -@@ -3974,11 +3978,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
1462 +@@ -3974,11 +3981,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
1463 values[n++] = perf_event_count(event);
1464 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
1465 values[n++] = enabled +
1466 @@ -74714,7 +74968,7 @@ index 9fcb094..fd68c54 100644
1467 }
1468 if (read_format & PERF_FORMAT_ID)
1469 values[n++] = primary_event_id(event);
1470 -@@ -4726,12 +4730,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
1471 +@@ -4726,12 +4733,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
1472 * need to add enough zero bytes after the string to handle
1473 * the 64bit alignment we do later.
1474 */
1475 @@ -74729,7 +74983,7 @@ index 9fcb094..fd68c54 100644
1476 if (IS_ERR(name)) {
1477 name = strncpy(tmp, "//toolong", sizeof(tmp));
1478 goto got_name;
1479 -@@ -6167,7 +6171,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
1480 +@@ -6167,7 +6174,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
1481 event->parent = parent_event;
1482
1483 event->ns = get_pid_ns(task_active_pid_ns(current));
1484 @@ -74738,7 +74992,19 @@ index 9fcb094..fd68c54 100644
1485
1486 event->state = PERF_EVENT_STATE_INACTIVE;
1487
1488 -@@ -6795,10 +6799,10 @@ static void sync_child_event(struct perf_event *child_event,
1489 +@@ -6463,6 +6470,11 @@ SYSCALL_DEFINE5(perf_event_open,
1490 + if (flags & ~PERF_FLAG_ALL)
1491 + return -EINVAL;
1492 +
1493 ++#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
1494 ++ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
1495 ++ return -EACCES;
1496 ++#endif
1497 ++
1498 + err = perf_copy_attr(attr_uptr, &attr);
1499 + if (err)
1500 + return err;
1501 +@@ -6795,10 +6807,10 @@ static void sync_child_event(struct perf_event *child_event,
1502 /*
1503 * Add back the child's count to the parent's count:
1504 */
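Review bot: The new gate in perf_event_open returns `-EACCES` based on `perf_paranoid_any()`, whose meaning (`> 2`, i.e. level 3 from the table in the earlier core.c hunk) is not visible at this call site, and the `#ifdef CONFIG_GRKERNSEC_PERF_HARDEN` wrapper leaves it unstated that level 3 is only reachable when that option is on. A one-line comment would tie the pieces together: `/* GRKERNSEC_PERF_HARDEN: paranoid level 3 denies perf_event_open to anyone without CAP_SYS_ADMIN */`. SYSCALL_DEFINE5(perf_event_open) continues outside the hunk.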
1505 @@ -78585,7 +78851,7 @@ index 0da73cf..5c2af3c 100644
1506 if (!retval) {
1507 if (old_rlim)
1508 diff --git a/kernel/sysctl.c b/kernel/sysctl.c
1509 -index afc1dc6..5e28bbf 100644
1510 +index afc1dc6..fb0671d 100644
1511 --- a/kernel/sysctl.c
1512 +++ b/kernel/sysctl.c
1513 @@ -93,7 +93,6 @@
1514 @@ -78691,7 +78957,7 @@ index afc1dc6..5e28bbf 100644
1515 {
1516 .procname = "ngroups_max",
1517 .data = &ngroups_max,
1518 -@@ -1026,8 +1059,8 @@ static struct ctl_table kern_table[] = {
1519 +@@ -1026,10 +1059,17 @@ static struct ctl_table kern_table[] = {
1520 */
1521 {
1522 .procname = "perf_event_paranoid",
1523 @@ -78700,9 +78966,19 @@ index afc1dc6..5e28bbf 100644
1524 + .data = &sysctl_perf_event_legitimately_concerned,
1525 + .maxlen = sizeof(sysctl_perf_event_legitimately_concerned),
1526 .mode = 0644,
1527 - .proc_handler = proc_dointvec,
1528 +- .proc_handler = proc_dointvec,
1529 ++ /* go ahead, be a hero */
1530 ++ .proc_handler = proc_dointvec_minmax_sysadmin,
1531 ++ .extra1 = &zero,
1532 ++#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
1533 ++ .extra2 = &three,
1534 ++#else
1535 ++ .extra2 = &two,
1536 ++#endif
1537 },
1538 -@@ -1283,6 +1316,13 @@ static struct ctl_table vm_table[] = {
1539 + {
1540 + .procname = "perf_event_mlock_kb",
1541 +@@ -1283,6 +1323,13 @@ static struct ctl_table vm_table[] = {
1542 .proc_handler = proc_dointvec_minmax,
1543 .extra1 = &zero,
1544 },
1545 @@ -78716,7 +78992,7 @@ index afc1dc6..5e28bbf 100644
1546 #else
1547 {
1548 .procname = "nr_trim_pages",
1549 -@@ -1733,6 +1773,16 @@ int proc_dostring(struct ctl_table *table, int write,
1550 +@@ -1733,6 +1780,16 @@ int proc_dostring(struct ctl_table *table, int write,
1551 buffer, lenp, ppos);
1552 }
1553
1554 @@ -78733,7 +79009,7 @@ index afc1dc6..5e28bbf 100644
1555 static size_t proc_skip_spaces(char **buf)
1556 {
1557 size_t ret;
1558 -@@ -1838,6 +1888,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
1559 +@@ -1838,6 +1895,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
1560 len = strlen(tmp);
1561 if (len > *size)
1562 len = *size;
1563 @@ -78742,7 +79018,7 @@ index afc1dc6..5e28bbf 100644
1564 if (copy_to_user(*buf, tmp, len))
1565 return -EFAULT;
1566 *size -= len;
1567 -@@ -2002,7 +2054,7 @@ int proc_dointvec(struct ctl_table *table, int write,
1568 +@@ -2002,7 +2061,7 @@ int proc_dointvec(struct ctl_table *table, int write,
1569 static int proc_taint(struct ctl_table *table, int write,
1570 void __user *buffer, size_t *lenp, loff_t *ppos)
1571 {
1572 @@ -78751,7 +79027,7 @@ index afc1dc6..5e28bbf 100644
1573 unsigned long tmptaint = get_taint();
1574 int err;
1575
1576 -@@ -2030,7 +2082,6 @@ static int proc_taint(struct ctl_table *table, int write,
1577 +@@ -2030,7 +2089,6 @@ static int proc_taint(struct ctl_table *table, int write,
1578 return err;
1579 }
1580
1581 @@ -78759,7 +79035,7 @@ index afc1dc6..5e28bbf 100644
1582 static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
1583 void __user *buffer, size_t *lenp, loff_t *ppos)
1584 {
1585 -@@ -2039,7 +2090,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
1586 +@@ -2039,7 +2097,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
1587
1588 return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
1589 }
1590 @@ -78767,7 +79043,7 @@ index afc1dc6..5e28bbf 100644
1591
1592 struct do_proc_dointvec_minmax_conv_param {
1593 int *min;
1594 -@@ -2186,8 +2236,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
1595 +@@ -2186,8 +2243,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
1596 *i = val;
1597 } else {
1598 val = convdiv * (*i) / convmul;
1599 @@ -78780,7 +79056,7 @@ index afc1dc6..5e28bbf 100644
1600 err = proc_put_long(&buffer, &left, val, false);
1601 if (err)
1602 break;
1603 -@@ -2579,6 +2632,12 @@ int proc_dostring(struct ctl_table *table, int write,
1604 +@@ -2579,6 +2639,12 @@ int proc_dostring(struct ctl_table *table, int write,
1605 return -ENOSYS;
1606 }
1607
1608 @@ -78793,7 +79069,7 @@ index afc1dc6..5e28bbf 100644
1609 int proc_dointvec(struct ctl_table *table, int write,
1610 void __user *buffer, size_t *lenp, loff_t *ppos)
1611 {
1612 -@@ -2635,5 +2694,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
1613 +@@ -2635,5 +2701,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
1614 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
1615 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
1616 EXPORT_SYMBOL(proc_dostring);
1617 @@ -87120,6 +87396,24 @@ index 960fd29..d55bf64 100644
1618
1619 hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table);
1620 if (hdr == NULL)
1621 +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
1622 +index e220207..cdeb839 100644
1623 +--- a/net/ipv4/tcp.c
1624 ++++ b/net/ipv4/tcp.c
1625 +@@ -3383,8 +3383,11 @@ int tcp_md5_hash_skb_data(struct tcp_md5sig_pool *hp,
1626 +
1627 + for (i = 0; i < shi->nr_frags; ++i) {
1628 + const struct skb_frag_struct *f = &shi->frags[i];
1629 +- struct page *page = skb_frag_page(f);
1630 +- sg_set_page(&sg, page, skb_frag_size(f), f->page_offset);
1631 ++ unsigned int offset = f->page_offset;
1632 ++ struct page *page = skb_frag_page(f) + (offset >> PAGE_SHIFT);
1633 ++
1634 ++ sg_set_page(&sg, page, skb_frag_size(f),
1635 ++ offset_in_page(offset));
1636 + if (crypto_hash_update(desc, &sg, skb_frag_size(f)))
1637 + return 1;
1638 + }
1639 diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
1640 index 13b9c08..d33a8d0 100644
1641 --- a/net/ipv4/tcp_input.c
1642 @@ -87527,6 +87821,19 @@ index 95d13c7..791fe2f 100644
1643 .kind = "ip6gretap",
1644 .maxtype = IFLA_GRE_MAX,
1645 .policy = ip6gre_policy,
1646 +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
1647 +index 155eccf..851fdae 100644
1648 +--- a/net/ipv6/ip6_output.c
1649 ++++ b/net/ipv6/ip6_output.c
1650 +@@ -1147,7 +1147,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
1651 + if (WARN_ON(np->cork.opt))
1652 + return -EINVAL;
1653 +
1654 +- np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation);
1655 ++ np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation);
1656 + if (unlikely(np->cork.opt == NULL))
1657 + return -ENOBUFS;
1658 +
1659 diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
1660 index fff83cb..82d49dd 100644
1661 --- a/net/ipv6/ip6_tunnel.c
1662 @@ -88061,6 +88368,19 @@ index 362ba47..66196f4 100644
1663 seq_printf(m, "Max data size: %d\n", self->max_data_size);
1664 seq_printf(m, "Max header size: %d\n", self->max_header_size);
1665
1666 +diff --git a/net/irda/irlap_frame.c b/net/irda/irlap_frame.c
1667 +index 8c00416..9ea0c93 100644
1668 +--- a/net/irda/irlap_frame.c
1669 ++++ b/net/irda/irlap_frame.c
1670 +@@ -544,7 +544,7 @@ static void irlap_recv_discovery_xid_cmd(struct irlap_cb *self,
1671 + /*
1672 + * We now have some discovery info to deliver!
1673 + */
1674 +- discovery = kmalloc(sizeof(discovery_t), GFP_ATOMIC);
1675 ++ discovery = kzalloc(sizeof(discovery_t), GFP_ATOMIC);
1676 + if (!discovery) {
1677 + IRDA_WARNING("%s: unable to malloc!\n", __func__);
1678 + return;
1679 diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
1680 index 206ce6d..cfb27cd 100644
1681 --- a/net/iucv/af_iucv.c
1682 @@ -90413,6 +90733,18 @@ index c8717c1..08539f5 100644
1683 err = handler(dev, info, (union iwreq_data *) iwp, extra);
1684
1685 iwp->length += essid_compat;
1686 +diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
1687 +index bcfda89..0cf003d 100644
1688 +--- a/net/xfrm/xfrm_output.c
1689 ++++ b/net/xfrm/xfrm_output.c
1690 +@@ -64,6 +64,7 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
1691 +
1692 + if (unlikely(x->km.state != XFRM_STATE_VALID)) {
1693 + XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEINVALID);
1694 ++ err = -EINVAL;
1695 + goto error;
1696 + }
1697 +
1698 diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
1699 index 167c67d..3f2ae427 100644
1700 --- a/net/xfrm/xfrm_policy.c
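Review bot: The added `err = -EINVAL;` closes a path in xfrm_output_one where the invalid-state check jumped to `error` with err still holding its incoming value (err is a parameter of this function, per the hunk header), so a dropped packet could be reported upward as success; the fix is right, but a comment would stop it being mistaken for a redundant assignment next to the statistics bump: `/* set err explicitly: it may still hold the caller's value here */`. The other `goto error` sites in this function are outside the hunk and should each be checked for the same missing assignment. The body of xfrm_output_one, including the error label, lies outside the hunk.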