1 |
commit: 7613b2514cbb5fd2e7956f2facabe3204b4449bc |
2 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
3 |
AuthorDate: Wed Jun 5 20:08:19 2013 +0000 |
4 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
5 |
CommitDate: Wed Jun 5 20:08:19 2013 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=7613b251 |
7 |
|
8 |
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.45,3.9.4}-201306041949 |
9 |
|
10 |
--- |
11 |
2.6.32/0000_README | 2 +- |
12 |
..._grsecurity-2.9.1-2.6.32.60-201306041946.patch} | 137 ++++++- |
13 |
3.2.45/0000_README | 2 +- |
14 |
...420_grsecurity-2.9.1-3.2.46-201306041947.patch} | 390 ++++++++++++++++++-- |
15 |
3.9.4/0000_README | 2 +- |
16 |
...4420_grsecurity-2.9.1-3.9.4-201306041949.patch} | 396 +++++++++++++++++++-- |
17 |
6 files changed, 857 insertions(+), 72 deletions(-) |
18 |
|
19 |
diff --git a/2.6.32/0000_README b/2.6.32/0000_README |
20 |
index 4edfd58..797feaa 100644 |
21 |
--- a/2.6.32/0000_README |
22 |
+++ b/2.6.32/0000_README |
23 |
@@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch |
24 |
From: http://www.kernel.org |
25 |
Desc: Linux 2.6.32.59 |
26 |
|
27 |
-Patch: 4420_grsecurity-2.9.1-2.6.32.60-201306011535.patch |
28 |
+Patch: 4420_grsecurity-2.9.1-2.6.32.60-201306041946.patch |
29 |
From: http://www.grsecurity.net |
30 |
Desc: hardened-sources base patch from upstream grsecurity |
31 |
|
32 |
|
33 |
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201306011535.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201306041946.patch |
34 |
similarity index 99% |
35 |
rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201306011535.patch |
36 |
rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201306041946.patch |
37 |
index eb29409..8e09bd0 100644 |
38 |
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201306011535.patch |
39 |
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201306041946.patch |
40 |
@@ -3605,6 +3605,19 @@ index a27d2e2..18fd845 100644 |
41 |
#define PAGE_KERNEL __pgprot(_PAGE_KERNEL) |
42 |
#define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE) |
43 |
#define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE) |
44 |
+diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c |
45 |
+index 994bcd9..f25247a 100644 |
46 |
+--- a/arch/parisc/kernel/drivers.c |
47 |
++++ b/arch/parisc/kernel/drivers.c |
48 |
+@@ -393,7 +393,7 @@ EXPORT_SYMBOL(print_pci_hwpath); |
49 |
+ static void setup_bus_id(struct parisc_device *padev) |
50 |
+ { |
51 |
+ struct hardware_path path; |
52 |
+- char name[20]; |
53 |
++ char name[28]; |
54 |
+ char *output = name; |
55 |
+ int i; |
56 |
+ |
57 |
diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c |
58 |
index 2120746..8d70a5e 100644 |
59 |
--- a/arch/parisc/kernel/module.c |
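Review bot: The new size in `char name[28];` in setup_bus_id() is still a bare constant, and nothing visible ties 28 to the longest string the function can build. The writes through `output` happen outside this hunk, so the bound cannot be checked from here. I would add a comment on the declaration recording how the worst case was derived, for example `/* longest formatted hardware path plus NUL; keep in sync with the formatting below */`. Bounding the writes against `sizeof(name)` would also stop a later format change from overrunning the stack buffer again. The 3.2.45 patch further down this page carries the same one-line change.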
60 |
@@ -3708,6 +3721,20 @@ index 2120746..8d70a5e 100644 |
61 |
|
62 |
DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n", |
63 |
me->arch.unwind_section, table, end, gp); |
64 |
+diff --git a/arch/parisc/kernel/setup.c b/arch/parisc/kernel/setup.c |
65 |
+index cb71f3d..306f0c0 100644 |
66 |
+--- a/arch/parisc/kernel/setup.c |
67 |
++++ b/arch/parisc/kernel/setup.c |
68 |
+@@ -68,7 +68,8 @@ void __init setup_cmdline(char **cmdline_p) |
69 |
+ /* called from hpux boot loader */ |
70 |
+ boot_command_line[0] = '\0'; |
71 |
+ } else { |
72 |
+- strcpy(boot_command_line, (char *)__va(boot_args[1])); |
73 |
++ strlcpy(boot_command_line, (char *)__va(boot_args[1]), |
74 |
++ COMMAND_LINE_SIZE); |
75 |
+ |
76 |
+ #ifdef CONFIG_BLK_DEV_INITRD |
77 |
+ if (boot_args[2] != 0) /* did palo pass us a ramdisk? */ |
78 |
diff --git a/arch/parisc/kernel/signal32.c b/arch/parisc/kernel/signal32.c |
79 |
index fb59852..32d43e7 100644 |
80 |
--- a/arch/parisc/kernel/signal32.c |
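Review bot: Truncation is silent after the switch to `strlcpy(boot_command_line, ..., COMMAND_LINE_SIZE)` in setup_cmdline(): an over-long loader-supplied command line is cut and boot continues with whichever options survived. strlcpy() returns the length of the source, so the result can be checked, e.g. `if (strlcpy(...) >= COMMAND_LINE_SIZE) printk(KERN_WARNING "boot command line truncated\n");`, assuming logging is usable this early. strlcpy() also still walks the whole source to compute that length, so it bounds the write but not the read of `boot_args[1]`. The function continues outside this hunk, and the same change is repeated in the 3.2.45 patch below.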
81 |
@@ -47545,6 +47572,28 @@ index 0236f0d..c7327f1 100644 |
82 |
serio->dev.bus = &serio_bus; |
83 |
serio->dev.release = serio_release_port; |
84 |
if (serio->parent) { |
85 |
+diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c |
86 |
+index dc506ab..af04b54 100644 |
87 |
+--- a/drivers/isdn/capi/kcapi.c |
88 |
++++ b/drivers/isdn/capi/kcapi.c |
89 |
+@@ -95,7 +95,7 @@ capi_ctr_put(struct capi_ctr *card) |
90 |
+ |
91 |
+ static inline struct capi_ctr *get_capi_ctr_by_nr(u16 contr) |
92 |
+ { |
93 |
+- if (contr - 1 >= CAPI_MAXCONTR) |
94 |
++ if (contr < 1 || contr - 1 >= CAPI_MAXCONTR) |
95 |
+ return NULL; |
96 |
+ |
97 |
+ return capi_cards[contr - 1]; |
98 |
+@@ -103,7 +103,7 @@ static inline struct capi_ctr *get_capi_ctr_by_nr(u16 contr) |
99 |
+ |
100 |
+ static inline struct capi20_appl *get_capi_appl_by_nr(u16 applid) |
101 |
+ { |
102 |
+- if (applid - 1 >= CAPI_MAXAPPL) |
103 |
++ if (applid < 1 || applid - 1 >= CAPI_MAXAPPL) |
104 |
+ return NULL; |
105 |
+ |
106 |
+ return capi_applications[applid - 1]; |
107 |
diff --git a/drivers/isdn/gigaset/common.c b/drivers/isdn/gigaset/common.c |
108 |
index 33dcd8d..2783d25 100644 |
109 |
--- a/drivers/isdn/gigaset/common.c |
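Review bot: The added `contr < 1 ||` guard in get_capi_ctr_by_nr(), and `applid < 1 ||` in get_capi_appl_by_nr(), needs a short comment because the reason the old test was insufficient is easy to miss. The `u16` argument is promoted to `int`, so for 0 the expression `contr - 1` is -1 rather than a large unsigned value. If `CAPI_MAXCONTR` is a plain integer constant, as it appears to be, the old range test did not reject it and index -1 was used. Writing the check without the subtraction, `if (contr == 0 || contr > CAPI_MAXCONTR)`, states the valid range directly and is harder to simplify back into the broken form. The 3.2.45 patch below makes the same change in three lookup helpers.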
110 |
@@ -82186,6 +82235,19 @@ index bfaef7b..e9d03ca 100644 |
111 |
} |
112 |
|
113 |
void nfs_fattr_init(struct nfs_fattr *fattr) |
114 |
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c |
115 |
+index 21c7190..22688d5 100644 |
116 |
+--- a/fs/nfs/nfs4proc.c |
117 |
++++ b/fs/nfs/nfs4proc.c |
118 |
+@@ -915,7 +915,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata) |
119 |
+ struct nfs4_state *state = opendata->state; |
120 |
+ struct nfs_inode *nfsi = NFS_I(state->inode); |
121 |
+ struct nfs_delegation *delegation; |
122 |
+- int open_mode = opendata->o_arg.open_flags & O_EXCL; |
123 |
++ int open_mode = opendata->o_arg.open_flags; |
124 |
+ fmode_t fmode = opendata->o_arg.fmode; |
125 |
+ nfs4_stateid stateid; |
126 |
+ int ret = -EAGAIN; |
127 |
diff --git a/fs/nfsd/lockd.c b/fs/nfsd/lockd.c |
128 |
index cc2f505..f6a236f 100644 |
129 |
--- a/fs/nfsd/lockd.c |
130 |
@@ -84523,7 +84585,7 @@ index 7723401..30059a6 100644 |
131 |
error = -EFAULT; |
132 |
else |
133 |
diff --git a/fs/reiserfs/dir.c b/fs/reiserfs/dir.c |
134 |
-index d42c30c..4fd8718 100644 |
135 |
+index d42c30c..153b170 100644 |
136 |
--- a/fs/reiserfs/dir.c |
137 |
+++ b/fs/reiserfs/dir.c |
138 |
@@ -66,6 +66,8 @@ int reiserfs_readdir_dentry(struct dentry *dentry, void *dirent, |
139 |
@@ -84535,6 +84597,15 @@ index d42c30c..4fd8718 100644 |
140 |
reiserfs_write_lock(inode->i_sb); |
141 |
|
142 |
reiserfs_check_lock_depth(inode->i_sb, "readdir"); |
143 |
+@@ -187,6 +189,8 @@ int reiserfs_readdir_dentry(struct dentry *dentry, void *dirent, |
144 |
+ next_pos = deh_offset(deh) + 1; |
145 |
+ |
146 |
+ if (item_moved(&tmp_ih, &path_to_entry)) { |
147 |
++ set_cpu_key_k_offset(&pos_key, |
148 |
++ next_pos); |
149 |
+ goto research; |
150 |
+ } |
151 |
+ } /* for */ |
152 |
diff --git a/fs/reiserfs/do_balan.c b/fs/reiserfs/do_balan.c |
153 |
index 128d3f7c..8840d44 100644 |
154 |
--- a/fs/reiserfs/do_balan.c |
155 |
@@ -84548,6 +84619,29 @@ index 128d3f7c..8840d44 100644 |
156 |
do_balance_starts(tb); |
157 |
|
158 |
/* balance leaf returns 0 except if combining L R and S into |
159 |
+diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c |
160 |
+index d240c15..c38a41a 100644 |
161 |
+--- a/fs/reiserfs/inode.c |
162 |
++++ b/fs/reiserfs/inode.c |
163 |
+@@ -1786,11 +1786,16 @@ int reiserfs_new_inode(struct reiserfs_transaction_handle *th, |
164 |
+ TYPE_STAT_DATA, SD_SIZE, MAX_US_INT); |
165 |
+ memcpy(INODE_PKEY(inode), &(ih.ih_key), KEY_SIZE); |
166 |
+ args.dirid = le32_to_cpu(ih.ih_key.k_dir_id); |
167 |
+- if (insert_inode_locked4(inode, args.objectid, |
168 |
+- reiserfs_find_actor, &args) < 0) { |
169 |
++ |
170 |
++ reiserfs_write_unlock(inode->i_sb); |
171 |
++ err = insert_inode_locked4(inode, args.objectid, |
172 |
++ reiserfs_find_actor, &args); |
173 |
++ reiserfs_write_lock(inode->i_sb); |
174 |
++ if (err) { |
175 |
+ err = -EINVAL; |
176 |
+ goto out_bad_inode; |
177 |
+ } |
178 |
++ |
179 |
+ if (old_format_only(sb)) |
180 |
+ /* not a perfect generation count, as object ids can be reused, but |
181 |
+ ** this is as good as reiserfs can do right now. |
182 |
diff --git a/fs/reiserfs/item_ops.c b/fs/reiserfs/item_ops.c |
183 |
index 72cb1cc..d0e3181 100644 |
184 |
--- a/fs/reiserfs/item_ops.c |
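Review bot: The write lock is now dropped and retaken around `insert_inode_locked4()` in reiserfs_new_inode() with no comment saying why that is necessary or safe. A reader cannot tell from the hunk which state prepared before the unlock may be touched by another task during the window. I would add a comment above `reiserfs_write_unlock(inode->i_sb);` naming the lock-ordering problem being avoided and what must not be assumed across the gap. The function starts and ends outside this hunk, and the 3.2.45 patch below repeats the change.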
185 |
@@ -115872,7 +115966,7 @@ index 2dcf04d..4656638 100644 |
186 |
{ |
187 |
.ctl_name = NET_TCP_DMA_COPYBREAK, |
188 |
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c |
189 |
-index b9644d8..537313b 100644 |
190 |
+index b9644d8..8e66b8e 100644 |
191 |
--- a/net/ipv4/tcp.c |
192 |
+++ b/net/ipv4/tcp.c |
193 |
@@ -2084,6 +2084,8 @@ static int do_tcp_setsockopt(struct sock *sk, int level, |
194 |
@@ -115893,6 +115987,19 @@ index b9644d8..537313b 100644 |
195 |
if (get_user(len, optlen)) |
196 |
return -EFAULT; |
197 |
|
198 |
+@@ -2826,7 +2830,11 @@ int tcp_md5_hash_skb_data(struct tcp_md5sig_pool *hp, |
199 |
+ |
200 |
+ for (i = 0; i < shi->nr_frags; ++i) { |
201 |
+ const struct skb_frag_struct *f = &shi->frags[i]; |
202 |
+- sg_set_page(&sg, f->page, f->size, f->page_offset); |
203 |
++ unsigned int offset = f->page_offset; |
204 |
++ struct page *page = f->page + (offset >> PAGE_SHIFT); |
205 |
++ |
206 |
++ sg_set_page(&sg, page, f->size, |
207 |
++ offset_in_page(offset)); |
208 |
+ if (crypto_hash_update(desc, &sg, f->size)) |
209 |
+ return 1; |
210 |
+ } |
211 |
diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c |
212 |
index 1eba160b..c35d91f 100644 |
213 |
--- a/net/ipv4/tcp_illinois.c |
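Review bot: The page and offset normalisation added to the frag loop of tcp_md5_hash_skb_data() has no comment, and without one `f->page + (offset >> PAGE_SHIFT)` reads like an arbitrary pointer adjustment. It presumably exists because a fragment can live inside a multi-page allocation, so `page_offset` may be PAGE_SIZE or more while the scatterlist setup expects an in-page offset. A line such as `/* page_offset may exceed PAGE_SIZE for frags in high-order pages; sg needs an in-page offset */` would record that. The loop is only partly visible in this hunk.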
214 |
@@ -116507,6 +116614,19 @@ index 093e9b2..f72cddb 100644 |
215 |
const unsigned short hnum, |
216 |
const struct in6_addr *daddr, |
217 |
const int dif) |
218 |
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c |
219 |
+index 9ad5792..fa406b9 100644 |
220 |
+--- a/net/ipv6/ip6_output.c |
221 |
++++ b/net/ipv6/ip6_output.c |
222 |
+@@ -1138,7 +1138,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, |
223 |
+ if (WARN_ON(np->cork.opt)) |
224 |
+ return -EINVAL; |
225 |
+ |
226 |
+- np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation); |
227 |
++ np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation); |
228 |
+ if (unlikely(np->cork.opt == NULL)) |
229 |
+ return -ENOBUFS; |
230 |
+ |
231 |
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c |
232 |
index 4f7aaf6..f7acf45 100644 |
233 |
--- a/net/ipv6/ipv6_sockglue.c |
234 |
@@ -117047,6 +117167,19 @@ index 35a338b..62102d6 100644 |
235 |
|
236 |
/* Aborting, close connection! */ |
237 |
iriap_disconnect_request(self); |
238 |
+diff --git a/net/irda/irlap_frame.c b/net/irda/irlap_frame.c |
239 |
+index 7af2e74..143ae58 100644 |
240 |
+--- a/net/irda/irlap_frame.c |
241 |
++++ b/net/irda/irlap_frame.c |
242 |
+@@ -543,7 +543,7 @@ static void irlap_recv_discovery_xid_cmd(struct irlap_cb *self, |
243 |
+ /* |
244 |
+ * We now have some discovery info to deliver! |
245 |
+ */ |
246 |
+- discovery = kmalloc(sizeof(discovery_t), GFP_ATOMIC); |
247 |
++ discovery = kzalloc(sizeof(discovery_t), GFP_ATOMIC); |
248 |
+ if (!discovery) { |
249 |
+ IRDA_WARNING("%s: unable to malloc!\n", __func__); |
250 |
+ return; |
251 |
diff --git a/net/irda/irttp.c b/net/irda/irttp.c |
252 |
index 9cb79f9..d35d057 100644 |
253 |
--- a/net/irda/irttp.c |
254 |
|
255 |
diff --git a/3.2.45/0000_README b/3.2.45/0000_README |
256 |
index 00f8a3a..4a59301 100644 |
257 |
--- a/3.2.45/0000_README |
258 |
+++ b/3.2.45/0000_README |
259 |
@@ -98,7 +98,7 @@ Patch: 1044_linux-3.2.45.patch |
260 |
From: http://www.kernel.org |
261 |
Desc: Linux 3.2.45 |
262 |
|
263 |
-Patch: 4420_grsecurity-2.9.1-3.2.46-201306011535.patch |
264 |
+Patch: 4420_grsecurity-2.9.1-3.2.46-201306041947.patch |
265 |
From: http://www.grsecurity.net |
266 |
Desc: hardened-sources base patch from upstream grsecurity |
267 |
|
268 |
|
269 |
diff --git a/3.2.45/4420_grsecurity-2.9.1-3.2.46-201306011535.patch b/3.2.45/4420_grsecurity-2.9.1-3.2.46-201306041947.patch |
270 |
similarity index 99% |
271 |
rename from 3.2.45/4420_grsecurity-2.9.1-3.2.46-201306011535.patch |
272 |
rename to 3.2.45/4420_grsecurity-2.9.1-3.2.46-201306041947.patch |
273 |
index 6555c18..bf3ae8a 100644 |
274 |
--- a/3.2.45/4420_grsecurity-2.9.1-3.2.46-201306011535.patch |
275 |
+++ b/3.2.45/4420_grsecurity-2.9.1-3.2.46-201306041947.patch |
276 |
@@ -3860,6 +3860,19 @@ index 5241698..91dcb12 100644 |
277 |
} |
278 |
EXPORT_SYMBOL(purge_tlb_entries); |
279 |
|
280 |
+diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c |
281 |
+index 5709c5e..14285ca 100644 |
282 |
+--- a/arch/parisc/kernel/drivers.c |
283 |
++++ b/arch/parisc/kernel/drivers.c |
284 |
+@@ -394,7 +394,7 @@ EXPORT_SYMBOL(print_pci_hwpath); |
285 |
+ static void setup_bus_id(struct parisc_device *padev) |
286 |
+ { |
287 |
+ struct hardware_path path; |
288 |
+- char name[20]; |
289 |
++ char name[28]; |
290 |
+ char *output = name; |
291 |
+ int i; |
292 |
+ |
293 |
diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c |
294 |
index 5e34ccf..672bc9c 100644 |
295 |
--- a/arch/parisc/kernel/module.c |
296 |
@@ -3963,6 +3976,20 @@ index 5e34ccf..672bc9c 100644 |
297 |
|
298 |
DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n", |
299 |
me->arch.unwind_section, table, end, gp); |
300 |
+diff --git a/arch/parisc/kernel/setup.c b/arch/parisc/kernel/setup.c |
301 |
+index a3328c2..3b812eb 100644 |
302 |
+--- a/arch/parisc/kernel/setup.c |
303 |
++++ b/arch/parisc/kernel/setup.c |
304 |
+@@ -69,7 +69,8 @@ void __init setup_cmdline(char **cmdline_p) |
305 |
+ /* called from hpux boot loader */ |
306 |
+ boot_command_line[0] = '\0'; |
307 |
+ } else { |
308 |
+- strcpy(boot_command_line, (char *)__va(boot_args[1])); |
309 |
++ strlcpy(boot_command_line, (char *)__va(boot_args[1]), |
310 |
++ COMMAND_LINE_SIZE); |
311 |
+ |
312 |
+ #ifdef CONFIG_BLK_DEV_INITRD |
313 |
+ if (boot_args[2] != 0) /* did palo pass us a ramdisk? */ |
314 |
diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c |
315 |
index 7ea75d1..38ca97d 100644 |
316 |
--- a/arch/parisc/kernel/sys_parisc.c |
317 |
@@ -36879,6 +36906,37 @@ index e44933d..9ba484a 100644 |
318 |
capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */ |
319 |
capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */ |
320 |
capimsg_setu16(skb->data, 16, len); /* Data length */ |
321 |
+diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c |
322 |
+index 2b33b26..a9c638b 100644 |
323 |
+--- a/drivers/isdn/capi/kcapi.c |
324 |
++++ b/drivers/isdn/capi/kcapi.c |
325 |
+@@ -93,7 +93,7 @@ capi_ctr_put(struct capi_ctr *ctr) |
326 |
+ |
327 |
+ static inline struct capi_ctr *get_capi_ctr_by_nr(u16 contr) |
328 |
+ { |
329 |
+- if (contr - 1 >= CAPI_MAXCONTR) |
330 |
++ if (contr < 1 || contr - 1 >= CAPI_MAXCONTR) |
331 |
+ return NULL; |
332 |
+ |
333 |
+ return capi_controller[contr - 1]; |
334 |
+@@ -103,7 +103,7 @@ static inline struct capi20_appl *__get_capi_appl_by_nr(u16 applid) |
335 |
+ { |
336 |
+ lockdep_assert_held(&capi_controller_lock); |
337 |
+ |
338 |
+- if (applid - 1 >= CAPI_MAXAPPL) |
339 |
++ if (applid < 1 || applid - 1 >= CAPI_MAXAPPL) |
340 |
+ return NULL; |
341 |
+ |
342 |
+ return capi_applications[applid - 1]; |
343 |
+@@ -111,7 +111,7 @@ static inline struct capi20_appl *__get_capi_appl_by_nr(u16 applid) |
344 |
+ |
345 |
+ static inline struct capi20_appl *get_capi_appl_by_nr(u16 applid) |
346 |
+ { |
347 |
+- if (applid - 1 >= CAPI_MAXAPPL) |
348 |
++ if (applid < 1 || applid - 1 >= CAPI_MAXAPPL) |
349 |
+ return NULL; |
350 |
+ |
351 |
+ return rcu_dereference(capi_applications[applid - 1]); |
352 |
diff --git a/drivers/isdn/gigaset/common.c b/drivers/isdn/gigaset/common.c |
353 |
index db621db..825ea1a 100644 |
354 |
--- a/drivers/isdn/gigaset/common.c |
355 |
@@ -53660,6 +53718,19 @@ index b78b5b6..c64d84f 100644 |
356 |
} |
357 |
|
358 |
void nfs_fattr_init(struct nfs_fattr *fattr) |
359 |
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c |
360 |
+index 5639efd..4531174 100644 |
361 |
+--- a/fs/nfs/nfs4proc.c |
362 |
++++ b/fs/nfs/nfs4proc.c |
363 |
+@@ -1037,7 +1037,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata) |
364 |
+ struct nfs4_state *state = opendata->state; |
365 |
+ struct nfs_inode *nfsi = NFS_I(state->inode); |
366 |
+ struct nfs_delegation *delegation; |
367 |
+- int open_mode = opendata->o_arg.open_flags & O_EXCL; |
368 |
++ int open_mode = opendata->o_arg.open_flags; |
369 |
+ fmode_t fmode = opendata->o_arg.fmode; |
370 |
+ nfs4_stateid stateid; |
371 |
+ int ret = -EAGAIN; |
372 |
diff --git a/fs/nfs/super.c b/fs/nfs/super.c |
373 |
index 1943898..396c460 100644 |
374 |
--- a/fs/nfs/super.c |
375 |
@@ -55971,6 +56042,19 @@ index 356f715..c918d38 100644 |
376 |
if (__put_user(d_off, &lastdirent->d_off)) |
377 |
error = -EFAULT; |
378 |
else |
379 |
+diff --git a/fs/reiserfs/dir.c b/fs/reiserfs/dir.c |
380 |
+index 133e935..77359db 100644 |
381 |
+--- a/fs/reiserfs/dir.c |
382 |
++++ b/fs/reiserfs/dir.c |
383 |
+@@ -204,6 +204,8 @@ int reiserfs_readdir_dentry(struct dentry *dentry, void *dirent, |
384 |
+ next_pos = deh_offset(deh) + 1; |
385 |
+ |
386 |
+ if (item_moved(&tmp_ih, &path_to_entry)) { |
387 |
++ set_cpu_key_k_offset(&pos_key, |
388 |
++ next_pos); |
389 |
+ goto research; |
390 |
+ } |
391 |
+ } /* for */ |
392 |
diff --git a/fs/reiserfs/do_balan.c b/fs/reiserfs/do_balan.c |
393 |
index 60c0804..d814f98 100644 |
394 |
--- a/fs/reiserfs/do_balan.c |
395 |
@@ -55984,6 +56068,29 @@ index 60c0804..d814f98 100644 |
396 |
do_balance_starts(tb); |
397 |
|
398 |
/* balance leaf returns 0 except if combining L R and S into |
399 |
+diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c |
400 |
+index fe677c0..2a15fb2 100644 |
401 |
+--- a/fs/reiserfs/inode.c |
402 |
++++ b/fs/reiserfs/inode.c |
403 |
+@@ -1816,11 +1816,16 @@ int reiserfs_new_inode(struct reiserfs_transaction_handle *th, |
404 |
+ TYPE_STAT_DATA, SD_SIZE, MAX_US_INT); |
405 |
+ memcpy(INODE_PKEY(inode), &(ih.ih_key), KEY_SIZE); |
406 |
+ args.dirid = le32_to_cpu(ih.ih_key.k_dir_id); |
407 |
+- if (insert_inode_locked4(inode, args.objectid, |
408 |
+- reiserfs_find_actor, &args) < 0) { |
409 |
++ |
410 |
++ reiserfs_write_unlock(inode->i_sb); |
411 |
++ err = insert_inode_locked4(inode, args.objectid, |
412 |
++ reiserfs_find_actor, &args); |
413 |
++ reiserfs_write_lock(inode->i_sb); |
414 |
++ if (err) { |
415 |
+ err = -EINVAL; |
416 |
+ goto out_bad_inode; |
417 |
+ } |
418 |
++ |
419 |
+ if (old_format_only(sb)) |
420 |
+ /* not a perfect generation count, as object ids can be reused, but |
421 |
+ ** this is as good as reiserfs can do right now. |
422 |
diff --git a/fs/reiserfs/procfs.c b/fs/reiserfs/procfs.c |
423 |
index 7a99811..a7c96c4 100644 |
424 |
--- a/fs/reiserfs/procfs.c |
425 |
@@ -56009,6 +56116,45 @@ index 569498a..0886e50f 100644 |
426 |
|
427 |
MODULE_DESCRIPTION("ReiserFS journaled filesystem"); |
428 |
MODULE_AUTHOR("Hans Reiser <reiser@×××××××.com>"); |
429 |
+diff --git a/fs/reiserfs/xattr.c b/fs/reiserfs/xattr.c |
430 |
+index 04eecc4..33f74d0 100644 |
431 |
+--- a/fs/reiserfs/xattr.c |
432 |
++++ b/fs/reiserfs/xattr.c |
433 |
+@@ -318,7 +318,19 @@ static int delete_one_xattr(struct dentry *dentry, void *data) |
434 |
+ static int chown_one_xattr(struct dentry *dentry, void *data) |
435 |
+ { |
436 |
+ struct iattr *attrs = data; |
437 |
+- return reiserfs_setattr(dentry, attrs); |
438 |
++ int ia_valid = attrs->ia_valid; |
439 |
++ int err; |
440 |
++ |
441 |
++ /* |
442 |
++ * We only want the ownership bits. Otherwise, we'll do |
443 |
++ * things like change a directory to a regular file if |
444 |
++ * ATTR_MODE is set. |
445 |
++ */ |
446 |
++ attrs->ia_valid &= (ATTR_UID|ATTR_GID); |
447 |
++ err = reiserfs_setattr(dentry, attrs); |
448 |
++ attrs->ia_valid = ia_valid; |
449 |
++ |
450 |
++ return err; |
451 |
+ } |
452 |
+ |
453 |
+ /* No i_mutex, but the inode is unconnected. */ |
454 |
+diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c |
455 |
+index 6da0396..fc338f3 100644 |
456 |
+--- a/fs/reiserfs/xattr_acl.c |
457 |
++++ b/fs/reiserfs/xattr_acl.c |
458 |
+@@ -429,6 +429,9 @@ int reiserfs_acl_chmod(struct inode *inode) |
459 |
+ int depth; |
460 |
+ int error; |
461 |
+ |
462 |
++ if (IS_PRIVATE(inode)) |
463 |
++ return 0; |
464 |
++ |
465 |
+ if (S_ISLNK(inode->i_mode)) |
466 |
+ return -EOPNOTSUPP; |
467 |
+ |
468 |
diff --git a/fs/romfs/super.c b/fs/romfs/super.c |
469 |
index 8b4089f..2575128 100644 |
470 |
--- a/fs/romfs/super.c |
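Review bot: In chown_one_xattr() the saved mask is declared `int ia_valid`, while `struct iattr` holds `ia_valid` as an unsigned int, so the save and restore pass through a signed type; `unsigned int ia_valid = attrs->ia_valid;` matches the field. The function also edits the caller's `struct iattr` in place and restores it afterwards, which is only safe if nothing else reads `attrs` during the call. That assumption is worth a sentence in the new comment. The `IS_PRIVATE(inode)` early return added to reiserfs_acl_chmod() in the same hunk is uncommented; something like `/* internal xattr inodes carry no ACLs of their own */` would explain it, if that is the intent.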
471 |
@@ -56723,7 +56869,7 @@ index d99a905..9f88202 100644 |
472 |
goto out_put; |
473 |
|
474 |
diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c |
475 |
-index 23ce927..e274cc1 100644 |
476 |
+index 23ce927..86fd3e8d 100644 |
477 |
--- a/fs/xfs/xfs_iops.c |
478 |
+++ b/fs/xfs/xfs_iops.c |
479 |
@@ -447,7 +447,7 @@ xfs_vn_put_link( |
480 |
@@ -56735,6 +56881,81 @@ index 23ce927..e274cc1 100644 |
481 |
|
482 |
if (!IS_ERR(s)) |
483 |
kfree(s); |
484 |
+@@ -507,6 +507,28 @@ xfs_vn_getattr( |
485 |
+ return 0; |
486 |
+ } |
487 |
+ |
488 |
++static void |
489 |
++xfs_setattr_mode( |
490 |
++ struct xfs_trans *tp, |
491 |
++ struct xfs_inode *ip, |
492 |
++ struct iattr *iattr) |
493 |
++{ |
494 |
++ struct inode *inode = VFS_I(ip); |
495 |
++ umode_t mode = iattr->ia_mode; |
496 |
++ |
497 |
++ ASSERT(tp); |
498 |
++ ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL)); |
499 |
++ |
500 |
++ if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID)) |
501 |
++ mode &= ~S_ISGID; |
502 |
++ |
503 |
++ ip->i_d.di_mode &= S_IFMT; |
504 |
++ ip->i_d.di_mode |= mode & ~S_IFMT; |
505 |
++ |
506 |
++ inode->i_mode &= S_IFMT; |
507 |
++ inode->i_mode |= mode & ~S_IFMT; |
508 |
++} |
509 |
++ |
510 |
+ int |
511 |
+ xfs_setattr_nonsize( |
512 |
+ struct xfs_inode *ip, |
513 |
+@@ -658,18 +680,8 @@ xfs_setattr_nonsize( |
514 |
+ /* |
515 |
+ * Change file access modes. |
516 |
+ */ |
517 |
+- if (mask & ATTR_MODE) { |
518 |
+- umode_t mode = iattr->ia_mode; |
519 |
+- |
520 |
+- if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID)) |
521 |
+- mode &= ~S_ISGID; |
522 |
+- |
523 |
+- ip->i_d.di_mode &= S_IFMT; |
524 |
+- ip->i_d.di_mode |= mode & ~S_IFMT; |
525 |
+- |
526 |
+- inode->i_mode &= S_IFMT; |
527 |
+- inode->i_mode |= mode & ~S_IFMT; |
528 |
+- } |
529 |
++ if (mask & ATTR_MODE) |
530 |
++ xfs_setattr_mode(tp, ip, iattr); |
531 |
+ |
532 |
+ /* |
533 |
+ * Change file access or modified times. |
534 |
+@@ -768,9 +780,8 @@ xfs_setattr_size( |
535 |
+ return XFS_ERROR(error); |
536 |
+ |
537 |
+ ASSERT(S_ISREG(ip->i_d.di_mode)); |
538 |
+- ASSERT((mask & (ATTR_MODE|ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET| |
539 |
+- ATTR_MTIME_SET|ATTR_KILL_SUID|ATTR_KILL_SGID| |
540 |
+- ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0); |
541 |
++ ASSERT((mask & (ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET| |
542 |
++ ATTR_MTIME_SET|ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0); |
543 |
+ |
544 |
+ lock_flags = XFS_ILOCK_EXCL; |
545 |
+ if (!(flags & XFS_ATTR_NOLOCK)) |
546 |
+@@ -902,6 +913,12 @@ xfs_setattr_size( |
547 |
+ xfs_iflags_set(ip, XFS_ITRUNCATED); |
548 |
+ } |
549 |
+ |
550 |
++ /* |
551 |
++ * Change file access modes. |
552 |
++ */ |
553 |
++ if (mask & ATTR_MODE) |
554 |
++ xfs_setattr_mode(tp, ip, iattr); |
555 |
++ |
556 |
+ if (mask & ATTR_CTIME) { |
557 |
+ inode->i_ctime = iattr->ia_ctime; |
558 |
+ ip->i_d.di_ctime.t_sec = iattr->ia_ctime.tv_sec; |
559 |
diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c |
560 |
index 87323f1..dab9d00 100644 |
561 |
--- a/fs/xfs/xfs_rtalloc.c |
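Review bot: The new helper xfs_setattr_mode() has no header comment, and its contract is only implied by its two ASSERTs: a transaction must be in progress and the inode's ILOCK must be held exclusively. A short comment should state that, and that S_ISGID is dropped when the caller is neither in the file's group nor holds CAP_FSETID, since the helper is now reached from the size-change path as well. In xfs_setattr_size() the relaxed ASSERT also stops rejecting ATTR_KILL_SUID and ATTR_KILL_SGID, yet the only new handling visible is for ATTR_MODE. Presumably the VFS has already folded the kill bits into ATTR_MODE before this point; a comment next to the ASSERT would make that dependency explicit.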
562 |
@@ -56762,10 +56983,10 @@ index 8a89949..6776861 100644 |
563 |
xfs_init_zones(void) |
564 |
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig |
565 |
new file mode 100644 |
566 |
-index 0000000..aef8e91 |
567 |
+index 0000000..15aaf25 |
568 |
--- /dev/null |
569 |
+++ b/grsecurity/Kconfig |
570 |
-@@ -0,0 +1,1031 @@ |
571 |
+@@ -0,0 +1,1053 @@ |
572 |
+# |
573 |
+# grecurity configuration |
574 |
+# |
575 |
@@ -56851,6 +57072,25 @@ index 0000000..aef8e91 |
576 |
+ If you're using KERNEXEC, it's recommended that you enable this option |
577 |
+ to supplement the hardening of the kernel. |
578 |
+ |
579 |
++config GRKERNSEC_PERF_HARDEN |
580 |
++ bool "Disable unprivileged PERF_EVENTS usage by default" |
581 |
++ default y if GRKERNSEC_CONFIG_AUTO |
582 |
++ depends on PERF_EVENTS |
583 |
++ help |
584 |
++ If you say Y here, the range of acceptable values for the |
585 |
++ /proc/sys/kernel/perf_event_paranoid sysctl will be expanded to allow and |
586 |
++ default to a new value: 3. When the sysctl is set to this value, no |
587 |
++ unprivileged use of the PERF_EVENTS syscall interface will be permitted. |
588 |
++ |
589 |
++ Though PERF_EVENTS can be used legitimately for performance monitoring |
590 |
++ and low-level application profiling, it is forced on regardless of |
591 |
++ configuration, has been at fault for several vulnerabilities, and |
592 |
++ creates new opportunities for side channels and other information leaks. |
593 |
++ |
594 |
++ This feature puts PERF_EVENTS into a secure default state and permits |
595 |
++ the administrator to change out of it temporarily if unprivileged |
596 |
++ application profiling is needed. |
597 |
++ |
598 |
+config GRKERNSEC_RAND_THREADSTACK |
599 |
+ bool "Insert random gaps between thread stacks" |
600 |
+ default y if GRKERNSEC_CONFIG_AUTO |
601 |
@@ -56961,6 +57201,9 @@ index 0000000..aef8e91 |
602 |
+ useful protection against local kernel exploitation of overflows |
603 |
+ and arbitrary read/write vulnerabilities. |
604 |
+ |
605 |
++ It is highly recommended that you enable GRKERNSEC_PERF_HARDEN |
606 |
++ in addition to this feature. |
607 |
++ |
608 |
+config GRKERNSEC_KERN_LOCKOUT |
609 |
+ bool "Active kernel exploit response" |
610 |
+ default y if GRKERNSEC_CONFIG_AUTO |
611 |
@@ -70897,7 +71140,7 @@ index 45fc162..01a4068 100644 |
612 |
/** |
613 |
* struct hotplug_slot_info - used to notify the hotplug pci core of the state of the slot |
614 |
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h |
615 |
-index 9b9b2aa..22f09dc 100644 |
616 |
+index 9b9b2aa..df3199e 100644 |
617 |
--- a/include/linux/perf_event.h |
618 |
+++ b/include/linux/perf_event.h |
619 |
@@ -748,8 +748,8 @@ struct perf_event { |
620 |
@@ -70931,8 +71174,15 @@ index 9b9b2aa..22f09dc 100644 |
621 |
extern int sysctl_perf_event_mlock; |
622 |
extern int sysctl_perf_event_sample_rate; |
623 |
|
624 |
-@@ -1111,17 +1111,17 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write, |
625 |
+@@ -1109,19 +1109,24 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write, |
626 |
+ void __user *buffer, size_t *lenp, |
627 |
+ loff_t *ppos); |
628 |
|
629 |
++static inline bool perf_paranoid_any(void) |
630 |
++{ |
631 |
++ return sysctl_perf_event_legitimately_concerned > 2; |
632 |
++} |
633 |
++ |
634 |
static inline bool perf_paranoid_tracepoint_raw(void) |
635 |
{ |
636 |
- return sysctl_perf_event_paranoid > -1; |
637 |
@@ -70952,7 +71202,7 @@ index 9b9b2aa..22f09dc 100644 |
638 |
} |
639 |
|
640 |
extern void perf_event_init(void); |
641 |
-@@ -1199,7 +1199,7 @@ static inline void perf_restore_debug_store(void) { } |
642 |
+@@ -1199,7 +1204,7 @@ static inline void perf_restore_debug_store(void) { } |
643 |
*/ |
644 |
#define perf_cpu_notifier(fn) \ |
645 |
do { \ |
646 |
@@ -74914,15 +75164,19 @@ index 63786e7..0780cac 100644 |
647 |
#ifdef CONFIG_MODULE_UNLOAD |
648 |
{ |
649 |
diff --git a/kernel/events/core.c b/kernel/events/core.c |
650 |
-index 9f21915..08e25b4 100644 |
651 |
+index 9f21915..840113c 100644 |
652 |
--- a/kernel/events/core.c |
653 |
+++ b/kernel/events/core.c |
654 |
-@@ -146,7 +146,11 @@ static struct srcu_struct pmus_srcu; |
655 |
+@@ -145,8 +145,15 @@ static struct srcu_struct pmus_srcu; |
656 |
+ * 0 - disallow raw tracepoint access for unpriv |
657 |
* 1 - disallow cpu events for unpriv |
658 |
* 2 - disallow kernel profiling for unpriv |
659 |
++ * 3 - disallow all unpriv perf event use |
660 |
*/ |
661 |
-int sysctl_perf_event_paranoid __read_mostly = 1; |
662 |
-+#ifdef CONFIG_GRKERNSEC_HIDESYM |
663 |
++#ifdef CONFIG_GRKERNSEC_PERF_HARDEN |
664 |
++int sysctl_perf_event_legitimately_concerned __read_mostly = 3; |
665 |
++#elif CONFIG_GRKERNSEC_HIDESYM |
666 |
+int sysctl_perf_event_legitimately_concerned __read_mostly = 2; |
667 |
+#else |
668 |
+int sysctl_perf_event_legitimately_concerned __read_mostly = 1; |
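Review bot: The second branch is written `#elif CONFIG_GRKERNSEC_HIDESYM`, which evaluates the macro's value instead of testing whether it is defined, unlike the `#ifdef` it replaces. With the option off, the identifier is undefined and silently treated as 0, so the selected default is the same, but the form trips `-Wundef` and is inconsistent with the line above it. `#elif defined(CONFIG_GRKERNSEC_HIDESYM)` says what is meant. The comment table above the variable now lists level 3 unconditionally, although 3 is only the default when CONFIG_GRKERNSEC_PERF_HARDEN is set; a note there such as `(default with GRKERNSEC_PERF_HARDEN)` would keep the two in step.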
669 |
@@ -74930,7 +75184,7 @@ index 9f21915..08e25b4 100644 |
670 |
|
671 |
/* Minimum for 512 kiB + 1 user control page */ |
672 |
int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */ |
673 |
-@@ -173,7 +177,7 @@ int perf_proc_update_handler(struct ctl_table *table, int write, |
674 |
+@@ -173,7 +180,7 @@ int perf_proc_update_handler(struct ctl_table *table, int write, |
675 |
return 0; |
676 |
} |
677 |
|
678 |
@@ -74939,7 +75193,7 @@ index 9f21915..08e25b4 100644 |
679 |
|
680 |
static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx, |
681 |
enum event_type_t event_type); |
682 |
-@@ -2540,7 +2544,7 @@ static void __perf_event_read(void *info) |
683 |
+@@ -2540,7 +2547,7 @@ static void __perf_event_read(void *info) |
684 |
|
685 |
static inline u64 perf_event_count(struct perf_event *event) |
686 |
{ |
687 |
@@ -74948,7 +75202,7 @@ index 9f21915..08e25b4 100644 |
688 |
} |
689 |
|
690 |
static u64 perf_event_read(struct perf_event *event) |
691 |
-@@ -3071,9 +3075,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running) |
692 |
+@@ -3071,9 +3078,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running) |
693 |
mutex_lock(&event->child_mutex); |
694 |
total += perf_event_read(event); |
695 |
*enabled += event->total_time_enabled + |
696 |
@@ -74960,7 +75214,7 @@ index 9f21915..08e25b4 100644 |
697 |
|
698 |
list_for_each_entry(child, &event->child_list, child_list) { |
699 |
total += perf_event_read(child); |
700 |
-@@ -3482,10 +3486,10 @@ void perf_event_update_userpage(struct perf_event *event) |
701 |
+@@ -3482,10 +3489,10 @@ void perf_event_update_userpage(struct perf_event *event) |
702 |
userpg->offset -= local64_read(&event->hw.prev_count); |
703 |
|
704 |
userpg->time_enabled = enabled + |
705 |
@@ -74973,7 +75227,7 @@ index 9f21915..08e25b4 100644 |
706 |
|
707 |
barrier(); |
708 |
++userpg->lock; |
709 |
-@@ -3914,11 +3918,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, |
710 |
+@@ -3914,11 +3921,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, |
711 |
values[n++] = perf_event_count(event); |
712 |
if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) { |
713 |
values[n++] = enabled + |
714 |
@@ -74987,7 +75241,7 @@ index 9f21915..08e25b4 100644 |
715 |
} |
716 |
if (read_format & PERF_FORMAT_ID) |
717 |
values[n++] = primary_event_id(event); |
718 |
-@@ -4569,12 +4573,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) |
719 |
+@@ -4569,12 +4576,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) |
720 |
* need to add enough zero bytes after the string to handle |
721 |
* the 64bit alignment we do later. |
722 |
*/ |
723 |
@@ -75002,7 +75256,7 @@ index 9f21915..08e25b4 100644 |
724 |
if (IS_ERR(name)) { |
725 |
name = strncpy(tmp, "//toolong", sizeof(tmp)); |
726 |
goto got_name; |
727 |
-@@ -5931,7 +5935,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, |
728 |
+@@ -5931,7 +5938,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, |
729 |
event->parent = parent_event; |
730 |
|
731 |
event->ns = get_pid_ns(current->nsproxy->pid_ns); |
732 |
@@ -75011,7 +75265,19 @@ index 9f21915..08e25b4 100644 |
733 |
|
734 |
event->state = PERF_EVENT_STATE_INACTIVE; |
735 |
|
736 |
-@@ -6451,10 +6455,10 @@ static void sync_child_event(struct perf_event *child_event, |
737 |
+@@ -6164,6 +6171,11 @@ SYSCALL_DEFINE5(perf_event_open, |
738 |
+ if (flags & ~PERF_FLAG_ALL) |
739 |
+ return -EINVAL; |
740 |
+ |
741 |
++#ifdef CONFIG_GRKERNSEC_PERF_HARDEN |
742 |
++ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) |
743 |
++ return -EACCES; |
744 |
++#endif |
745 |
++ |
746 |
+ err = perf_copy_attr(attr_uptr, &attr); |
747 |
+ if (err) |
748 |
+ return err; |
749 |
+@@ -6451,10 +6463,10 @@ static void sync_child_event(struct perf_event *child_event, |
750 |
/* |
751 |
* Add back the child's count to the parent's count: |
752 |
*/ |
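Review bot: The CAP_SYS_ADMIN gate added to perf_event_open has no comment saying why it sits ahead of perf_copy_attr(). Placed there, an unprivileged caller is refused before any user-supplied attribute structure is copied or parsed, and a later reordering would silently lose that property. I would add `/* refuse unprivileged callers before any user-controlled attr is copied or parsed */` above the `#ifdef`. The same lines are added to the 3.9.4 patch later in this commit (`@@ -6463,6 +6470,11 @@`), and the rest of the syscall body is outside both hunks.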
753 |
@@ -78654,7 +78920,7 @@ index be5fa8b..a8c2090 100644 |
754 |
break; |
755 |
} |
756 |
diff --git a/kernel/sysctl.c b/kernel/sysctl.c |
757 |
-index ea7ec7f..b1c7c88 100644 |
758 |
+index ea7ec7f..a823e62 100644 |
759 |
--- a/kernel/sysctl.c |
760 |
+++ b/kernel/sysctl.c |
761 |
@@ -86,6 +86,13 @@ |
762 |
@@ -78779,7 +79045,7 @@ index ea7ec7f..b1c7c88 100644 |
763 |
{ |
764 |
.procname = "ngroups_max", |
765 |
.data = &ngroups_max, |
766 |
-@@ -957,8 +1002,8 @@ static struct ctl_table kern_table[] = { |
767 |
+@@ -957,10 +1002,17 @@ static struct ctl_table kern_table[] = { |
768 |
*/ |
769 |
{ |
770 |
.procname = "perf_event_paranoid", |
771 |
@@ -78788,9 +79054,19 @@ index ea7ec7f..b1c7c88 100644 |
772 |
+ .data = &sysctl_perf_event_legitimately_concerned, |
773 |
+ .maxlen = sizeof(sysctl_perf_event_legitimately_concerned), |
774 |
.mode = 0644, |
775 |
- .proc_handler = proc_dointvec, |
776 |
+- .proc_handler = proc_dointvec, |
777 |
++ /* go ahead, be a hero */ |
778 |
++ .proc_handler = proc_dointvec_minmax_sysadmin, |
779 |
++ .extra1 = &zero, |
780 |
++#ifdef CONFIG_GRKERNSEC_PERF_HARDEN |
781 |
++ .extra2 = &three, |
782 |
++#else |
783 |
++ .extra2 = &two, |
784 |
++#endif |
785 |
}, |
786 |
-@@ -1216,6 +1261,13 @@ static struct ctl_table vm_table[] = { |
787 |
+ { |
788 |
+ .procname = "perf_event_mlock_kb", |
789 |
+@@ -1216,6 +1268,13 @@ static struct ctl_table vm_table[] = { |
790 |
.proc_handler = proc_dointvec_minmax, |
791 |
.extra1 = &zero, |
792 |
}, |
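Review bot: The comment `/* go ahead, be a hero */` on the perf_event_paranoid entry does not describe the two things the entry now enforces: writes go through proc_dointvec_minmax_sysadmin, and the accepted range is bounded by `.extra1`/`.extra2`. I would replace it with `/* privileged writes only; range 0..3 with GRKERNSEC_PERF_HARDEN, otherwise 0..2 */`. With `.extra1 = &zero` a value of -1 can presumably no longer be written, which belongs in the same comment if it is intended. The definition of `three` and the capability check inside the handler are outside this hunk, so neither can be confirmed from here.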
793 |
@@ -78804,7 +79080,7 @@ index ea7ec7f..b1c7c88 100644 |
794 |
#else |
795 |
{ |
796 |
.procname = "nr_trim_pages", |
797 |
-@@ -1499,7 +1551,7 @@ static struct ctl_table fs_table[] = { |
798 |
+@@ -1499,7 +1558,7 @@ static struct ctl_table fs_table[] = { |
799 |
.data = &suid_dumpable, |
800 |
.maxlen = sizeof(int), |
801 |
.mode = 0644, |
802 |
@@ -78813,7 +79089,7 @@ index ea7ec7f..b1c7c88 100644 |
803 |
.extra1 = &zero, |
804 |
.extra2 = &two, |
805 |
}, |
806 |
-@@ -1720,6 +1772,17 @@ static int test_perm(int mode, int op) |
807 |
+@@ -1720,6 +1779,17 @@ static int test_perm(int mode, int op) |
808 |
int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op) |
809 |
{ |
810 |
int mode; |
811 |
@@ -78831,7 +79107,7 @@ index ea7ec7f..b1c7c88 100644 |
812 |
|
813 |
if (root->permissions) |
814 |
mode = root->permissions(root, current->nsproxy, table); |
815 |
-@@ -1732,7 +1795,9 @@ int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op) |
816 |
+@@ -1732,7 +1802,9 @@ int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op) |
817 |
static void sysctl_set_parent(struct ctl_table *parent, struct ctl_table *table) |
818 |
{ |
819 |
for (; table->procname; table++) { |
820 |
@@ -78842,7 +79118,7 @@ index ea7ec7f..b1c7c88 100644 |
821 |
if (table->child) |
822 |
sysctl_set_parent(table, table->child); |
823 |
} |
824 |
-@@ -1856,7 +1921,8 @@ struct ctl_table_header *__register_sysctl_paths( |
825 |
+@@ -1856,7 +1928,8 @@ struct ctl_table_header *__register_sysctl_paths( |
826 |
const struct ctl_path *path, struct ctl_table *table) |
827 |
{ |
828 |
struct ctl_table_header *header; |
829 |
@@ -78852,7 +79128,7 @@ index ea7ec7f..b1c7c88 100644 |
830 |
unsigned int n, npath; |
831 |
struct ctl_table_set *set; |
832 |
|
833 |
-@@ -1877,7 +1943,7 @@ struct ctl_table_header *__register_sysctl_paths( |
834 |
+@@ -1877,7 +1950,7 @@ struct ctl_table_header *__register_sysctl_paths( |
835 |
if (!header) |
836 |
return NULL; |
837 |
|
838 |
@@ -78861,7 +79137,7 @@ index ea7ec7f..b1c7c88 100644 |
839 |
|
840 |
/* Now connect the dots */ |
841 |
prevp = &header->ctl_table; |
842 |
-@@ -2124,6 +2190,16 @@ int proc_dostring(struct ctl_table *table, int write, |
843 |
+@@ -2124,6 +2197,16 @@ int proc_dostring(struct ctl_table *table, int write, |
844 |
buffer, lenp, ppos); |
845 |
} |
846 |
|
847 |
@@ -78878,7 +79154,7 @@ index ea7ec7f..b1c7c88 100644 |
848 |
static size_t proc_skip_spaces(char **buf) |
849 |
{ |
850 |
size_t ret; |
851 |
-@@ -2229,6 +2305,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val, |
852 |
+@@ -2229,6 +2312,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val, |
853 |
len = strlen(tmp); |
854 |
if (len > *size) |
855 |
len = *size; |
856 |
@@ -78887,7 +79163,7 @@ index ea7ec7f..b1c7c88 100644 |
857 |
if (copy_to_user(*buf, tmp, len)) |
858 |
return -EFAULT; |
859 |
*size -= len; |
860 |
-@@ -2393,7 +2471,7 @@ int proc_dointvec(struct ctl_table *table, int write, |
861 |
+@@ -2393,7 +2478,7 @@ int proc_dointvec(struct ctl_table *table, int write, |
862 |
static int proc_taint(struct ctl_table *table, int write, |
863 |
void __user *buffer, size_t *lenp, loff_t *ppos) |
864 |
{ |
865 |
@@ -78896,7 +79172,7 @@ index ea7ec7f..b1c7c88 100644 |
866 |
unsigned long tmptaint = get_taint(); |
867 |
int err; |
868 |
|
869 |
-@@ -2421,7 +2499,6 @@ static int proc_taint(struct ctl_table *table, int write, |
870 |
+@@ -2421,7 +2506,6 @@ static int proc_taint(struct ctl_table *table, int write, |
871 |
return err; |
872 |
} |
873 |
|
874 |
@@ -78904,7 +79180,7 @@ index ea7ec7f..b1c7c88 100644 |
875 |
static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, |
876 |
void __user *buffer, size_t *lenp, loff_t *ppos) |
877 |
{ |
878 |
-@@ -2430,7 +2507,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, |
879 |
+@@ -2430,7 +2514,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, |
880 |
|
881 |
return proc_dointvec_minmax(table, write, buffer, lenp, ppos); |
882 |
} |
883 |
@@ -78912,7 +79188,7 @@ index ea7ec7f..b1c7c88 100644 |
884 |
|
885 |
struct do_proc_dointvec_minmax_conv_param { |
886 |
int *min; |
887 |
-@@ -2488,6 +2564,34 @@ int proc_dointvec_minmax(struct ctl_table *table, int write, |
888 |
+@@ -2488,6 +2571,34 @@ int proc_dointvec_minmax(struct ctl_table *table, int write, |
889 |
do_proc_dointvec_minmax_conv, ¶m); |
890 |
} |
891 |
|
892 |
@@ -78947,7 +79223,7 @@ index ea7ec7f..b1c7c88 100644 |
893 |
static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int write, |
894 |
void __user *buffer, |
895 |
size_t *lenp, loff_t *ppos, |
896 |
-@@ -2545,8 +2649,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int |
897 |
+@@ -2545,8 +2656,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int |
898 |
*i = val; |
899 |
} else { |
900 |
val = convdiv * (*i) / convmul; |
901 |
@@ -78960,7 +79236,7 @@ index ea7ec7f..b1c7c88 100644 |
902 |
err = proc_put_long(&buffer, &left, val, false); |
903 |
if (err) |
904 |
break; |
905 |
-@@ -2941,6 +3048,12 @@ int proc_dostring(struct ctl_table *table, int write, |
906 |
+@@ -2941,6 +3055,12 @@ int proc_dostring(struct ctl_table *table, int write, |
907 |
return -ENOSYS; |
908 |
} |
909 |
|
910 |
@@ -78973,7 +79249,7 @@ index ea7ec7f..b1c7c88 100644 |
911 |
int proc_dointvec(struct ctl_table *table, int write, |
912 |
void __user *buffer, size_t *lenp, loff_t *ppos) |
913 |
{ |
914 |
-@@ -2997,6 +3110,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax); |
915 |
+@@ -2997,6 +3117,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax); |
916 |
EXPORT_SYMBOL(proc_dointvec_userhz_jiffies); |
917 |
EXPORT_SYMBOL(proc_dointvec_ms_jiffies); |
918 |
EXPORT_SYMBOL(proc_dostring); |
919 |
@@ -87943,6 +88219,24 @@ index 5485077..7e37374 100644 |
920 |
|
921 |
hdr = register_sysctl_paths(net_ipv4_ctl_path, ipv4_table); |
922 |
if (hdr == NULL) |
923 |
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c |
924 |
+index fe381c2..ec8b4b7e 100644 |
925 |
+--- a/net/ipv4/tcp.c |
926 |
++++ b/net/ipv4/tcp.c |
927 |
+@@ -3037,8 +3037,11 @@ int tcp_md5_hash_skb_data(struct tcp_md5sig_pool *hp, |
928 |
+ |
929 |
+ for (i = 0; i < shi->nr_frags; ++i) { |
930 |
+ const struct skb_frag_struct *f = &shi->frags[i]; |
931 |
+- struct page *page = skb_frag_page(f); |
932 |
+- sg_set_page(&sg, page, skb_frag_size(f), f->page_offset); |
933 |
++ unsigned int offset = f->page_offset; |
934 |
++ struct page *page = skb_frag_page(f) + (offset >> PAGE_SHIFT); |
935 |
++ |
936 |
++ sg_set_page(&sg, page, skb_frag_size(f), |
937 |
++ offset_in_page(offset)); |
938 |
+ if (crypto_hash_update(desc, &sg, skb_frag_size(f))) |
939 |
+ return 1; |
940 |
+ } |
941 |
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c |
942 |
index 872b41d..54a02f1 100644 |
943 |
--- a/net/ipv4/tcp_input.c |
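Review bot: The page/offset normalisation added to the frag loop of tcp_md5_hash_skb_data has no comment, and the reason for it is not obvious from the arithmetic. `f->page_offset` can evidently be larger than a page (presumably when the fragment lives in a compound page), so the scatterlist entry has to name the page that holds the first byte together with an in-page offset. I would add `/* page_offset may exceed PAGE_SIZE; point sg at the page that actually holds the data */` above the `offset` declaration. The function starts and ends outside the hunk.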
944 |
@@ -88392,6 +88686,19 @@ index 1567fb1..29af910 100644 |
945 |
__sk_dst_reset(sk); |
946 |
dst = NULL; |
947 |
} |
948 |
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c |
949 |
+index 3ccd9b2..6aadaa8 100644 |
950 |
+--- a/net/ipv6/ip6_output.c |
951 |
++++ b/net/ipv6/ip6_output.c |
952 |
+@@ -1233,7 +1233,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, |
953 |
+ if (WARN_ON(np->cork.opt)) |
954 |
+ return -EINVAL; |
955 |
+ |
956 |
+- np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation); |
957 |
++ np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation); |
958 |
+ if (unlikely(np->cork.opt == NULL)) |
959 |
+ return -ENOBUFS; |
960 |
+ |
961 |
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c |
962 |
index b204df8..8f274f4 100644 |
963 |
--- a/net/ipv6/ipv6_sockglue.c |
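Review bot: The kmalloc-to-kzalloc switch for `np->cork.opt` in ip6_append_data is not explained, so a later cleanup could turn it back into kmalloc as a micro-optimisation. The code that fills and later releases the option block is outside the hunk, so the dependency on the zero fill (fields expected to be NULL until set, or bytes that are never written) cannot be read off here. I would add a one-line comment naming it, along the lines of `/* must start zeroed: fields not set below are relied on to be 0/NULL */`, adjusted to the actual reason. The same applies to the kzalloc change for `discovery` in irlap_recv_discovery_xid_cmd in the following hunk.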
964 |
@@ -88926,6 +89233,19 @@ index e71e85b..29340a9 100644 |
965 |
|
966 |
/* Aborting, close connection! */ |
967 |
iriap_disconnect_request(self); |
968 |
+diff --git a/net/irda/irlap_frame.c b/net/irda/irlap_frame.c |
969 |
+index 8c00416..9ea0c93 100644 |
970 |
+--- a/net/irda/irlap_frame.c |
971 |
++++ b/net/irda/irlap_frame.c |
972 |
+@@ -544,7 +544,7 @@ static void irlap_recv_discovery_xid_cmd(struct irlap_cb *self, |
973 |
+ /* |
974 |
+ * We now have some discovery info to deliver! |
975 |
+ */ |
976 |
+- discovery = kmalloc(sizeof(discovery_t), GFP_ATOMIC); |
977 |
++ discovery = kzalloc(sizeof(discovery_t), GFP_ATOMIC); |
978 |
+ if (!discovery) { |
979 |
+ IRDA_WARNING("%s: unable to malloc!\n", __func__); |
980 |
+ return; |
981 |
diff --git a/net/irda/irttp.c b/net/irda/irttp.c |
982 |
index 32e3bb0..a4e5eb8 100644 |
983 |
--- a/net/irda/irttp.c |
984 |
|
985 |
diff --git a/3.9.4/0000_README b/3.9.4/0000_README |
986 |
index 1cbe9a3..517433d 100644 |
987 |
--- a/3.9.4/0000_README |
988 |
+++ b/3.9.4/0000_README |
989 |
@@ -2,7 +2,7 @@ README |
990 |
----------------------------------------------------------------------------- |
991 |
Individual Patch Descriptions: |
992 |
----------------------------------------------------------------------------- |
993 |
-Patch: 4420_grsecurity-2.9.1-3.9.4-201306011536.patch |
994 |
+Patch: 4420_grsecurity-2.9.1-3.9.4-201306041949.patch |
995 |
From: http://www.grsecurity.net |
996 |
Desc: hardened-sources base patch from upstream grsecurity |
997 |
|
998 |
|
999 |
diff --git a/3.9.4/4420_grsecurity-2.9.1-3.9.4-201306011536.patch b/3.9.4/4420_grsecurity-2.9.1-3.9.4-201306041949.patch |
1000 |
similarity index 99% |
1001 |
rename from 3.9.4/4420_grsecurity-2.9.1-3.9.4-201306011536.patch |
1002 |
rename to 3.9.4/4420_grsecurity-2.9.1-3.9.4-201306041949.patch |
1003 |
index 9a1a55c..55d122a 100644 |
1004 |
--- a/3.9.4/4420_grsecurity-2.9.1-3.9.4-201306011536.patch |
1005 |
+++ b/3.9.4/4420_grsecurity-2.9.1-3.9.4-201306041949.patch |
1006 |
@@ -5763,6 +5763,19 @@ index e0a8235..ce2f1e1 100644 |
1007 |
ret = __copy_from_user(to, from, n); |
1008 |
else |
1009 |
copy_from_user_overflow(); |
1010 |
+diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c |
1011 |
+index 5709c5e..14285ca 100644 |
1012 |
+--- a/arch/parisc/kernel/drivers.c |
1013 |
++++ b/arch/parisc/kernel/drivers.c |
1014 |
+@@ -394,7 +394,7 @@ EXPORT_SYMBOL(print_pci_hwpath); |
1015 |
+ static void setup_bus_id(struct parisc_device *padev) |
1016 |
+ { |
1017 |
+ struct hardware_path path; |
1018 |
+- char name[20]; |
1019 |
++ char name[28]; |
1020 |
+ char *output = name; |
1021 |
+ int i; |
1022 |
+ |
1023 |
diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c |
1024 |
index 2a625fb..9908930 100644 |
1025 |
--- a/arch/parisc/kernel/module.c |
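Review bot: `char name[28]` in setup_bus_id replaces one bare constant with another, and nothing in the hunk shows how 28 was derived or that the writes through `output` stay inside it. The formatting code is outside the hunk, so the bound cannot be checked from here. I would at least record the derivation next to the declaration, e.g. `char name[28]; /* longest formatted hardware path plus NUL; keep in sync with the formatting below */`, and preferably bound the formatting calls by `sizeof(name)` so that a future change to the path format cannot overrun the array.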
1026 |
@@ -5866,6 +5879,20 @@ index 2a625fb..9908930 100644 |
1027 |
|
1028 |
DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n", |
1029 |
me->arch.unwind_section, table, end, gp); |
1030 |
+diff --git a/arch/parisc/kernel/setup.c b/arch/parisc/kernel/setup.c |
1031 |
+index a3328c2..3b812eb 100644 |
1032 |
+--- a/arch/parisc/kernel/setup.c |
1033 |
++++ b/arch/parisc/kernel/setup.c |
1034 |
+@@ -69,7 +69,8 @@ void __init setup_cmdline(char **cmdline_p) |
1035 |
+ /* called from hpux boot loader */ |
1036 |
+ boot_command_line[0] = '\0'; |
1037 |
+ } else { |
1038 |
+- strcpy(boot_command_line, (char *)__va(boot_args[1])); |
1039 |
++ strlcpy(boot_command_line, (char *)__va(boot_args[1]), |
1040 |
++ COMMAND_LINE_SIZE); |
1041 |
+ |
1042 |
+ #ifdef CONFIG_BLK_DEV_INITRD |
1043 |
+ if (boot_args[2] != 0) /* did palo pass us a ramdisk? */ |
1044 |
diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c |
1045 |
index 5dfd248..64914ac 100644 |
1046 |
--- a/arch/parisc/kernel/sys_parisc.c |
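Review bot: The strlcpy() call in setup_cmdline now bounds the copy, but it discards the return value, so an over-long boot loader command line is truncated without any trace. strlcpy() returns the length of the source string, so comparing the result with COMMAND_LINE_SIZE and logging once when it is greater or equal would make a truncated command line (and any dropped security-relevant boot options) visible. The surrounding function continues outside the hunk.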
1047 |
@@ -31951,7 +31978,7 @@ index f9b983a..887b9d8 100644 |
1048 |
return 0; |
1049 |
} |
1050 |
diff --git a/drivers/atm/ambassador.c b/drivers/atm/ambassador.c |
1051 |
-index 77a7480..05cde58 100644 |
1052 |
+index 77a7480d..05cde58 100644 |
1053 |
--- a/drivers/atm/ambassador.c |
1054 |
+++ b/drivers/atm/ambassador.c |
1055 |
@@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev, tx_out * tx) { |
1056 |
@@ -37505,6 +37532,37 @@ index 89562a8..218999b 100644 |
1057 |
capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */ |
1058 |
capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */ |
1059 |
capimsg_setu16(skb->data, 16, len); /* Data length */ |
1060 |
+diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c |
1061 |
+index 9b1b274..c123709 100644 |
1062 |
+--- a/drivers/isdn/capi/kcapi.c |
1063 |
++++ b/drivers/isdn/capi/kcapi.c |
1064 |
+@@ -93,7 +93,7 @@ capi_ctr_put(struct capi_ctr *ctr) |
1065 |
+ |
1066 |
+ static inline struct capi_ctr *get_capi_ctr_by_nr(u16 contr) |
1067 |
+ { |
1068 |
+- if (contr - 1 >= CAPI_MAXCONTR) |
1069 |
++ if (contr < 1 || contr - 1 >= CAPI_MAXCONTR) |
1070 |
+ return NULL; |
1071 |
+ |
1072 |
+ return capi_controller[contr - 1]; |
1073 |
+@@ -103,7 +103,7 @@ static inline struct capi20_appl *__get_capi_appl_by_nr(u16 applid) |
1074 |
+ { |
1075 |
+ lockdep_assert_held(&capi_controller_lock); |
1076 |
+ |
1077 |
+- if (applid - 1 >= CAPI_MAXAPPL) |
1078 |
++ if (applid < 1 || applid - 1 >= CAPI_MAXAPPL) |
1079 |
+ return NULL; |
1080 |
+ |
1081 |
+ return capi_applications[applid - 1]; |
1082 |
+@@ -111,7 +111,7 @@ static inline struct capi20_appl *__get_capi_appl_by_nr(u16 applid) |
1083 |
+ |
1084 |
+ static inline struct capi20_appl *get_capi_appl_by_nr(u16 applid) |
1085 |
+ { |
1086 |
+- if (applid - 1 >= CAPI_MAXAPPL) |
1087 |
++ if (applid < 1 || applid - 1 >= CAPI_MAXAPPL) |
1088 |
+ return NULL; |
1089 |
+ |
1090 |
+ return rcu_dereference(capi_applications[applid - 1]); |
1091 |
diff --git a/drivers/isdn/gigaset/interface.c b/drivers/isdn/gigaset/interface.c |
1092 |
index e2b5396..c5486dc 100644 |
1093 |
--- a/drivers/isdn/gigaset/interface.c |
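Review bot: The three lookups in kcapi.c now repeat `x < 1 || x - 1 >= LIMIT` without saying why the first half is needed. The u16 argument is promoted to int, so for 0 the subtraction yields -1, which passes the upper-bound test and then indexes the array at -1. A comment on the first check such as `/* u16 promotes to int: 0 - 1 is -1, not 0xffff, so reject 0 explicitly */` would stop the test from being simplified away later. `contr == 0` and `applid == 0` would also read more naturally than `< 1` for an unsigned value.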
1094 |
@@ -53758,6 +53816,19 @@ index 1f94167..79c4ce4 100644 |
1095 |
} |
1096 |
|
1097 |
void nfs_fattr_init(struct nfs_fattr *fattr) |
1098 |
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c |
1099 |
+index 0086401..261e9b9 100644 |
1100 |
+--- a/fs/nfs/nfs4proc.c |
1101 |
++++ b/fs/nfs/nfs4proc.c |
1102 |
+@@ -1022,7 +1022,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata) |
1103 |
+ struct nfs4_state *state = opendata->state; |
1104 |
+ struct nfs_inode *nfsi = NFS_I(state->inode); |
1105 |
+ struct nfs_delegation *delegation; |
1106 |
+- int open_mode = opendata->o_arg.open_flags & (O_EXCL|O_TRUNC); |
1107 |
++ int open_mode = opendata->o_arg.open_flags; |
1108 |
+ fmode_t fmode = opendata->o_arg.fmode; |
1109 |
+ nfs4_stateid stateid; |
1110 |
+ int ret = -EAGAIN; |
1111 |
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c |
1112 |
index d401d01..10b3e62 100644 |
1113 |
--- a/fs/nfsd/nfs4proc.c |
1114 |
@@ -55856,6 +55927,19 @@ index fee38e0..12fdf47 100644 |
1115 |
if (__put_user(d_off, &lastdirent->d_off)) |
1116 |
error = -EFAULT; |
1117 |
else |
1118 |
+diff --git a/fs/reiserfs/dir.c b/fs/reiserfs/dir.c |
1119 |
+index 66c53b6..6c2d136 100644 |
1120 |
+--- a/fs/reiserfs/dir.c |
1121 |
++++ b/fs/reiserfs/dir.c |
1122 |
+@@ -204,6 +204,8 @@ int reiserfs_readdir_dentry(struct dentry *dentry, void *dirent, |
1123 |
+ next_pos = deh_offset(deh) + 1; |
1124 |
+ |
1125 |
+ if (item_moved(&tmp_ih, &path_to_entry)) { |
1126 |
++ set_cpu_key_k_offset(&pos_key, |
1127 |
++ next_pos); |
1128 |
+ goto research; |
1129 |
+ } |
1130 |
+ } /* for */ |
1131 |
diff --git a/fs/reiserfs/do_balan.c b/fs/reiserfs/do_balan.c |
1132 |
index 2b7882b..1c5ef48 100644 |
1133 |
--- a/fs/reiserfs/do_balan.c |
1134 |
@@ -55869,6 +55953,29 @@ index 2b7882b..1c5ef48 100644 |
1135 |
do_balance_starts(tb); |
1136 |
|
1137 |
/* balance leaf returns 0 except if combining L R and S into |
1138 |
+diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c |
1139 |
+index ea5061f..c3a9de6 100644 |
1140 |
+--- a/fs/reiserfs/inode.c |
1141 |
++++ b/fs/reiserfs/inode.c |
1142 |
+@@ -1810,11 +1810,16 @@ int reiserfs_new_inode(struct reiserfs_transaction_handle *th, |
1143 |
+ TYPE_STAT_DATA, SD_SIZE, MAX_US_INT); |
1144 |
+ memcpy(INODE_PKEY(inode), &(ih.ih_key), KEY_SIZE); |
1145 |
+ args.dirid = le32_to_cpu(ih.ih_key.k_dir_id); |
1146 |
+- if (insert_inode_locked4(inode, args.objectid, |
1147 |
+- reiserfs_find_actor, &args) < 0) { |
1148 |
++ |
1149 |
++ reiserfs_write_unlock(inode->i_sb); |
1150 |
++ err = insert_inode_locked4(inode, args.objectid, |
1151 |
++ reiserfs_find_actor, &args); |
1152 |
++ reiserfs_write_lock(inode->i_sb); |
1153 |
++ if (err) { |
1154 |
+ err = -EINVAL; |
1155 |
+ goto out_bad_inode; |
1156 |
+ } |
1157 |
++ |
1158 |
+ if (old_format_only(sb)) |
1159 |
+ /* not a perfect generation count, as object ids can be reused, but |
1160 |
+ ** this is as good as reiserfs can do right now. |
1161 |
diff --git a/fs/reiserfs/procfs.c b/fs/reiserfs/procfs.c |
1162 |
index 9cc0740a..46bf953 100644 |
1163 |
--- a/fs/reiserfs/procfs.c |
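Review bot: The reiserfs_write_unlock()/reiserfs_write_lock() pair around insert_inode_locked4() in reiserfs_new_inode has no comment explaining why the write lock may be dropped here, or what has to be treated as possibly changed once it is retaken. I would add `/* write lock dropped across insert_inode_locked4(); anything cached from before this point may be stale */`, adjusted to the actual reason, which is not visible in the hunk. The test also changed from `< 0` to `if (err)`, so any non-zero return now takes the error path, which is worth confirming as intended. The function starts and ends outside the hunk.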
1164 |
@@ -55904,6 +56011,45 @@ index 157e474..65a6114 100644 |
1165 |
#define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen) |
1166 |
#define __fs_changed(gen,s) (gen != get_generation (s)) |
1167 |
#define fs_changed(gen,s) \ |
1168 |
+diff --git a/fs/reiserfs/xattr.c b/fs/reiserfs/xattr.c |
1169 |
+index 4cce1d9..821bcf7 100644 |
1170 |
+--- a/fs/reiserfs/xattr.c |
1171 |
++++ b/fs/reiserfs/xattr.c |
1172 |
+@@ -318,7 +318,19 @@ static int delete_one_xattr(struct dentry *dentry, void *data) |
1173 |
+ static int chown_one_xattr(struct dentry *dentry, void *data) |
1174 |
+ { |
1175 |
+ struct iattr *attrs = data; |
1176 |
+- return reiserfs_setattr(dentry, attrs); |
1177 |
++ int ia_valid = attrs->ia_valid; |
1178 |
++ int err; |
1179 |
++ |
1180 |
++ /* |
1181 |
++ * We only want the ownership bits. Otherwise, we'll do |
1182 |
++ * things like change a directory to a regular file if |
1183 |
++ * ATTR_MODE is set. |
1184 |
++ */ |
1185 |
++ attrs->ia_valid &= (ATTR_UID|ATTR_GID); |
1186 |
++ err = reiserfs_setattr(dentry, attrs); |
1187 |
++ attrs->ia_valid = ia_valid; |
1188 |
++ |
1189 |
++ return err; |
1190 |
+ } |
1191 |
+ |
1192 |
+ /* No i_mutex, but the inode is unconnected. */ |
1193 |
+diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c |
1194 |
+index d7c01ef..6c8767f 100644 |
1195 |
+--- a/fs/reiserfs/xattr_acl.c |
1196 |
++++ b/fs/reiserfs/xattr_acl.c |
1197 |
+@@ -443,6 +443,9 @@ int reiserfs_acl_chmod(struct inode *inode) |
1198 |
+ int depth; |
1199 |
+ int error; |
1200 |
+ |
1201 |
++ if (IS_PRIVATE(inode)) |
1202 |
++ return 0; |
1203 |
++ |
1204 |
+ if (S_ISLNK(inode->i_mode)) |
1205 |
+ return -EOPNOTSUPP; |
1206 |
+ |
1207 |
diff --git a/fs/select.c b/fs/select.c |
1208 |
index 8c1c96c..a0f9b6d 100644 |
1209 |
--- a/fs/select.c |
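Review bot: chown_one_xattr now narrows `attrs->ia_valid` in the caller's own iattr and restores it afterwards, which leaves the shared structure in a modified state for the whole reiserfs_setattr() call and relies on the save/restore staying paired. Working on a local copy avoids both: `struct iattr owner_only = *attrs;`, `owner_only.ia_valid &= (ATTR_UID|ATTR_GID);`, `return reiserfs_setattr(dentry, &owner_only);`. If the in-place form is kept, the saved value should be `unsigned int` to match the field rather than `int`. Whether any caller depends on changes reiserfs_setattr() makes to the structure is not visible in the hunk.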
1210 |
@@ -56526,7 +56672,7 @@ index d681e34..2a3f5ab 100644 |
1211 |
goto out_put; |
1212 |
|
1213 |
diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c |
1214 |
-index d82efaa..0904a8e 100644 |
1215 |
+index d82efaa..60100c7 100644 |
1216 |
--- a/fs/xfs/xfs_iops.c |
1217 |
+++ b/fs/xfs/xfs_iops.c |
1218 |
@@ -395,7 +395,7 @@ xfs_vn_put_link( |
1219 |
@@ -56538,12 +56684,87 @@ index d82efaa..0904a8e 100644 |
1220 |
|
1221 |
if (!IS_ERR(s)) |
1222 |
kfree(s); |
1223 |
+@@ -455,6 +455,28 @@ xfs_vn_getattr( |
1224 |
+ return 0; |
1225 |
+ } |
1226 |
+ |
1227 |
++static void |
1228 |
++xfs_setattr_mode( |
1229 |
++ struct xfs_trans *tp, |
1230 |
++ struct xfs_inode *ip, |
1231 |
++ struct iattr *iattr) |
1232 |
++{ |
1233 |
++ struct inode *inode = VFS_I(ip); |
1234 |
++ umode_t mode = iattr->ia_mode; |
1235 |
++ |
1236 |
++ ASSERT(tp); |
1237 |
++ ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL)); |
1238 |
++ |
1239 |
++ if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID)) |
1240 |
++ mode &= ~S_ISGID; |
1241 |
++ |
1242 |
++ ip->i_d.di_mode &= S_IFMT; |
1243 |
++ ip->i_d.di_mode |= mode & ~S_IFMT; |
1244 |
++ |
1245 |
++ inode->i_mode &= S_IFMT; |
1246 |
++ inode->i_mode |= mode & ~S_IFMT; |
1247 |
++} |
1248 |
++ |
1249 |
+ int |
1250 |
+ xfs_setattr_nonsize( |
1251 |
+ struct xfs_inode *ip, |
1252 |
+@@ -606,18 +628,8 @@ xfs_setattr_nonsize( |
1253 |
+ /* |
1254 |
+ * Change file access modes. |
1255 |
+ */ |
1256 |
+- if (mask & ATTR_MODE) { |
1257 |
+- umode_t mode = iattr->ia_mode; |
1258 |
+- |
1259 |
+- if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID)) |
1260 |
+- mode &= ~S_ISGID; |
1261 |
+- |
1262 |
+- ip->i_d.di_mode &= S_IFMT; |
1263 |
+- ip->i_d.di_mode |= mode & ~S_IFMT; |
1264 |
+- |
1265 |
+- inode->i_mode &= S_IFMT; |
1266 |
+- inode->i_mode |= mode & ~S_IFMT; |
1267 |
+- } |
1268 |
++ if (mask & ATTR_MODE) |
1269 |
++ xfs_setattr_mode(tp, ip, iattr); |
1270 |
+ |
1271 |
+ /* |
1272 |
+ * Change file access or modified times. |
1273 |
+@@ -714,9 +726,8 @@ xfs_setattr_size( |
1274 |
+ return XFS_ERROR(error); |
1275 |
+ |
1276 |
+ ASSERT(S_ISREG(ip->i_d.di_mode)); |
1277 |
+- ASSERT((mask & (ATTR_MODE|ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET| |
1278 |
+- ATTR_MTIME_SET|ATTR_KILL_SUID|ATTR_KILL_SGID| |
1279 |
+- ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0); |
1280 |
++ ASSERT((mask & (ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET| |
1281 |
++ ATTR_MTIME_SET|ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0); |
1282 |
+ |
1283 |
+ if (!(flags & XFS_ATTR_NOLOCK)) { |
1284 |
+ lock_flags |= XFS_IOLOCK_EXCL; |
1285 |
+@@ -860,6 +871,12 @@ xfs_setattr_size( |
1286 |
+ xfs_inode_clear_eofblocks_tag(ip); |
1287 |
+ } |
1288 |
+ |
1289 |
++ /* |
1290 |
++ * Change file access modes. |
1291 |
++ */ |
1292 |
++ if (mask & ATTR_MODE) |
1293 |
++ xfs_setattr_mode(tp, ip, iattr); |
1294 |
++ |
1295 |
+ if (mask & ATTR_CTIME) { |
1296 |
+ inode->i_ctime = iattr->ia_ctime; |
1297 |
+ ip->i_d.di_ctime.t_sec = iattr->ia_ctime.tv_sec; |
1298 |
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig |
1299 |
new file mode 100644 |
1300 |
-index 0000000..7174794 |
1301 |
+index 0000000..ba9c5e3 |
1302 |
--- /dev/null |
1303 |
+++ b/grsecurity/Kconfig |
1304 |
-@@ -0,0 +1,1031 @@ |
1305 |
+@@ -0,0 +1,1053 @@ |
1306 |
+# |
1307 |
+# grecurity configuration |
1308 |
+# |
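Review bot: The new helper xfs_setattr_mode in the fs/xfs/xfs_iops.c part of this hunk has no header comment, although it carries a contract: the two ASSERTs require a transaction and XFS_ILOCK_EXCL, and it is the place where S_ISGID is dropped for callers that are neither in the file's group nor hold CAP_FSETID. I would add a short block comment above it stating those preconditions and that both the on-disk `di_mode` and the VFS `i_mode` are updated. `tp` is used only in `ASSERT(tp)`, so in a build where ASSERT compiles away the parameter is unused. Since xfs_setattr_size now accepts ATTR_MODE, the setgid stripping is reached from the truncate path as well, which the comment should mention.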
1309 |
@@ -56629,6 +56850,25 @@ index 0000000..7174794 |
1310 |
+ If you're using KERNEXEC, it's recommended that you enable this option |
1311 |
+ to supplement the hardening of the kernel. |
1312 |
+ |
1313 |
++config GRKERNSEC_PERF_HARDEN |
1314 |
++ bool "Disable unprivileged PERF_EVENTS usage by default" |
1315 |
++ default y if GRKERNSEC_CONFIG_AUTO |
1316 |
++ depends on PERF_EVENTS |
1317 |
++ help |
1318 |
++ If you say Y here, the range of acceptable values for the |
1319 |
++ /proc/sys/kernel/perf_event_paranoid sysctl will be expanded to allow and |
1320 |
++ default to a new value: 3. When the sysctl is set to this value, no |
1321 |
++ unprivileged use of the PERF_EVENTS syscall interface will be permitted. |
1322 |
++ |
1323 |
++ Though PERF_EVENTS can be used legitimately for performance monitoring |
1324 |
++ and low-level application profiling, it is forced on regardless of |
1325 |
++ configuration, has been at fault for several vulnerabilities, and |
1326 |
++ creates new opportunities for side channels and other information leaks. |
1327 |
++ |
1328 |
++ This feature puts PERF_EVENTS into a secure default state and permits |
1329 |
++ the administrator to change out of it temporarily if unprivileged |
1330 |
++ application profiling is needed. |
1331 |
++ |
1332 |
+config GRKERNSEC_RAND_THREADSTACK |
1333 |
+ bool "Insert random gaps between thread stacks" |
1334 |
+ default y if GRKERNSEC_CONFIG_AUTO |
1335 |
@@ -56739,6 +56979,9 @@ index 0000000..7174794 |
1336 |
+ useful protection against local kernel exploitation of overflows |
1337 |
+ and arbitrary read/write vulnerabilities. |
1338 |
+ |
1339 |
++ It is highly recommended that you enable GRKERNSEC_PERF_HARDEN |
1340 |
++ in addition to this feature. |
1341 |
++ |
1342 |
+config GRKERNSEC_KERN_LOCKOUT |
1343 |
+ bool "Active kernel exploit response" |
1344 |
+ default y if GRKERNSEC_CONFIG_AUTO |
1345 |
@@ -70441,7 +70684,7 @@ index 45fc162..01a4068 100644 |
1346 |
/** |
1347 |
* struct hotplug_slot_info - used to notify the hotplug pci core of the state of the slot |
1348 |
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h |
1349 |
-index 1d795df..727aa7b 100644 |
1350 |
+index 1d795df..b0a6449 100644 |
1351 |
--- a/include/linux/perf_event.h |
1352 |
+++ b/include/linux/perf_event.h |
1353 |
@@ -333,8 +333,8 @@ struct perf_event { |
1354 |
@@ -70475,8 +70718,15 @@ index 1d795df..727aa7b 100644 |
1355 |
extern int sysctl_perf_event_mlock; |
1356 |
extern int sysctl_perf_event_sample_rate; |
1357 |
|
1358 |
-@@ -714,17 +714,17 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write, |
1359 |
+@@ -712,19 +712,24 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write, |
1360 |
+ void __user *buffer, size_t *lenp, |
1361 |
+ loff_t *ppos); |
1362 |
|
1363 |
++static inline bool perf_paranoid_any(void) |
1364 |
++{ |
1365 |
++ return sysctl_perf_event_legitimately_concerned > 2; |
1366 |
++} |
1367 |
++ |
1368 |
static inline bool perf_paranoid_tracepoint_raw(void) |
1369 |
{ |
1370 |
- return sysctl_perf_event_paranoid > -1; |
1371 |
@@ -70496,7 +70746,7 @@ index 1d795df..727aa7b 100644 |
1372 |
} |
1373 |
|
1374 |
extern void perf_event_init(void); |
1375 |
-@@ -812,7 +812,7 @@ static inline void perf_restore_debug_store(void) { } |
1376 |
+@@ -812,7 +817,7 @@ static inline void perf_restore_debug_store(void) { } |
1377 |
*/ |
1378 |
#define perf_cpu_notifier(fn) \ |
1379 |
do { \ |
1380 |
@@ -70505,7 +70755,7 @@ index 1d795df..727aa7b 100644 |
1381 |
{ .notifier_call = fn, .priority = CPU_PRI_PERF }; \ |
1382 |
unsigned long cpu = smp_processor_id(); \ |
1383 |
unsigned long flags; \ |
1384 |
-@@ -831,7 +831,7 @@ do { \ |
1385 |
+@@ -831,7 +836,7 @@ do { \ |
1386 |
struct perf_pmu_events_attr { |
1387 |
struct device_attribute attr; |
1388 |
u64 id; |
1389 |
@@ -74632,15 +74882,19 @@ index 00eb8f7..d7e3244 100644 |
1390 |
#ifdef CONFIG_MODULE_UNLOAD |
1391 |
{ |
1392 |
diff --git a/kernel/events/core.c b/kernel/events/core.c |
1393 |
-index 9fcb094..fd68c54 100644 |
1394 |
+index 9fcb094..8370228 100644 |
1395 |
--- a/kernel/events/core.c |
1396 |
+++ b/kernel/events/core.c |
1397 |
-@@ -155,7 +155,11 @@ static struct srcu_struct pmus_srcu; |
1398 |
+@@ -154,8 +154,15 @@ static struct srcu_struct pmus_srcu; |
1399 |
+ * 0 - disallow raw tracepoint access for unpriv |
1400 |
* 1 - disallow cpu events for unpriv |
1401 |
* 2 - disallow kernel profiling for unpriv |
1402 |
++ * 3 - disallow all unpriv perf event use |
1403 |
*/ |
1404 |
-int sysctl_perf_event_paranoid __read_mostly = 1; |
1405 |
-+#ifdef CONFIG_GRKERNSEC_HIDESYM |
1406 |
++#ifdef CONFIG_GRKERNSEC_PERF_HARDEN |
1407 |
++int sysctl_perf_event_legitimately_concerned __read_mostly = 3; |
1408 |
++#elif CONFIG_GRKERNSEC_HIDESYM |
1409 |
+int sysctl_perf_event_legitimately_concerned __read_mostly = 2; |
1410 |
+#else |
1411 |
+int sysctl_perf_event_legitimately_concerned __read_mostly = 1; |
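Review bot: `#elif CONFIG_GRKERNSEC_HIDESYM` in the kernel/events/core.c default selection tests the macro's value rather than whether it is defined, unlike the `#ifdef` on the branch above it. It evaluates as intended only because an undefined identifier is 0 in a preprocessor expression and an enabled bool option is defined to 1. It also trips -Wundef and reads as an inconsistency. I would write `#elif defined(CONFIG_GRKERNSEC_HIDESYM)`. The closing `#endif` is outside the hunk.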
1412 |
@@ -74648,7 +74902,7 @@ index 9fcb094..fd68c54 100644 |
1413 |
|
1414 |
/* Minimum for 512 kiB + 1 user control page */ |
1415 |
int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */ |
1416 |
-@@ -182,7 +186,7 @@ int perf_proc_update_handler(struct ctl_table *table, int write, |
1417 |
+@@ -182,7 +189,7 @@ int perf_proc_update_handler(struct ctl_table *table, int write, |
1418 |
return 0; |
1419 |
} |
1420 |
|
1421 |
@@ -74657,7 +74911,7 @@ index 9fcb094..fd68c54 100644 |
1422 |
|
1423 |
static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx, |
1424 |
enum event_type_t event_type); |
1425 |
-@@ -2677,7 +2681,7 @@ static void __perf_event_read(void *info) |
1426 |
+@@ -2677,7 +2684,7 @@ static void __perf_event_read(void *info) |
1427 |
|
1428 |
static inline u64 perf_event_count(struct perf_event *event) |
1429 |
{ |
1430 |
@@ -74666,7 +74920,7 @@ index 9fcb094..fd68c54 100644 |
1431 |
} |
1432 |
|
1433 |
static u64 perf_event_read(struct perf_event *event) |
1434 |
-@@ -3007,9 +3011,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running) |
1435 |
+@@ -3007,9 +3014,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running) |
1436 |
mutex_lock(&event->child_mutex); |
1437 |
total += perf_event_read(event); |
1438 |
*enabled += event->total_time_enabled + |
1439 |
@@ -74678,7 +74932,7 @@ index 9fcb094..fd68c54 100644 |
1440 |
|
1441 |
list_for_each_entry(child, &event->child_list, child_list) { |
1442 |
total += perf_event_read(child); |
1443 |
-@@ -3412,10 +3416,10 @@ void perf_event_update_userpage(struct perf_event *event) |
1444 |
+@@ -3412,10 +3419,10 @@ void perf_event_update_userpage(struct perf_event *event) |
1445 |
userpg->offset -= local64_read(&event->hw.prev_count); |
1446 |
|
1447 |
userpg->time_enabled = enabled + |
1448 |
@@ -74691,7 +74945,7 @@ index 9fcb094..fd68c54 100644 |
1449 |
|
1450 |
arch_perf_update_userpage(userpg, now); |
1451 |
|
1452 |
-@@ -3886,7 +3890,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size, |
1453 |
+@@ -3886,7 +3893,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size, |
1454 |
|
1455 |
/* Data. */ |
1456 |
sp = perf_user_stack_pointer(regs); |
1457 |
@@ -74700,7 +74954,7 @@ index 9fcb094..fd68c54 100644 |
1458 |
dyn_size = dump_size - rem; |
1459 |
|
1460 |
perf_output_skip(handle, rem); |
1461 |
-@@ -3974,11 +3978,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, |
1462 |
+@@ -3974,11 +3981,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, |
1463 |
values[n++] = perf_event_count(event); |
1464 |
if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) { |
1465 |
values[n++] = enabled + |
1466 |
@@ -74714,7 +74968,7 @@ index 9fcb094..fd68c54 100644 |
1467 |
} |
1468 |
if (read_format & PERF_FORMAT_ID) |
1469 |
values[n++] = primary_event_id(event); |
1470 |
-@@ -4726,12 +4730,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) |
1471 |
+@@ -4726,12 +4733,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) |
1472 |
* need to add enough zero bytes after the string to handle |
1473 |
* the 64bit alignment we do later. |
1474 |
*/ |
1475 |
@@ -74729,7 +74983,7 @@ index 9fcb094..fd68c54 100644 |
1476 |
if (IS_ERR(name)) { |
1477 |
name = strncpy(tmp, "//toolong", sizeof(tmp)); |
1478 |
goto got_name; |
1479 |
-@@ -6167,7 +6171,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, |
1480 |
+@@ -6167,7 +6174,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, |
1481 |
event->parent = parent_event; |
1482 |
|
1483 |
event->ns = get_pid_ns(task_active_pid_ns(current)); |
1484 |
@@ -74738,7 +74992,19 @@ index 9fcb094..fd68c54 100644 |
1485 |
|
1486 |
event->state = PERF_EVENT_STATE_INACTIVE; |
1487 |
|
1488 |
-@@ -6795,10 +6799,10 @@ static void sync_child_event(struct perf_event *child_event, |
1489 |
+@@ -6463,6 +6470,11 @@ SYSCALL_DEFINE5(perf_event_open, |
1490 |
+ if (flags & ~PERF_FLAG_ALL) |
1491 |
+ return -EINVAL; |
1492 |
+ |
1493 |
++#ifdef CONFIG_GRKERNSEC_PERF_HARDEN |
1494 |
++ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) |
1495 |
++ return -EACCES; |
1496 |
++#endif |
1497 |
++ |
1498 |
+ err = perf_copy_attr(attr_uptr, &attr); |
1499 |
+ if (err) |
1500 |
+ return err; |
1501 |
+@@ -6795,10 +6807,10 @@ static void sync_child_event(struct perf_event *child_event, |
1502 |
/* |
1503 |
* Add back the child's count to the parent's count: |
1504 |
*/ |
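Review bot: The new CONFIG_GRKERNSEC_PERF_HARDEN guard in perf_event_open has no comment saying which perf_event_paranoid level it enforces, and perf_paranoid_any() is defined outside this hunk, so a reader cannot tell from here what triggers the -EACCES. Presumably it corresponds to the new upper bound `three` that the kernel/sysctl.c hunk permits under the same config option; if so, a comment such as `/* perf_event_paranoid == 3: perf_event_open() requires CAP_SYS_ADMIN */` above the `if` would tie the two together. Because the check sits before perf_copy_attr(), an unprivileged caller is refused before any attribute data is copied from user space, and that ordering should be kept if the surrounding code is rearranged. The syscall body starts and ends outside the hunk.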
1505 |
@@ -78585,7 +78851,7 @@ index 0da73cf..5c2af3c 100644 |
1506 |
if (!retval) { |
1507 |
if (old_rlim) |
1508 |
diff --git a/kernel/sysctl.c b/kernel/sysctl.c |
1509 |
-index afc1dc6..5e28bbf 100644 |
1510 |
+index afc1dc6..fb0671d 100644 |
1511 |
--- a/kernel/sysctl.c |
1512 |
+++ b/kernel/sysctl.c |
1513 |
@@ -93,7 +93,6 @@ |
1514 |
@@ -78691,7 +78957,7 @@ index afc1dc6..5e28bbf 100644 |
1515 |
{ |
1516 |
.procname = "ngroups_max", |
1517 |
.data = &ngroups_max, |
1518 |
-@@ -1026,8 +1059,8 @@ static struct ctl_table kern_table[] = { |
1519 |
+@@ -1026,10 +1059,17 @@ static struct ctl_table kern_table[] = { |
1520 |
*/ |
1521 |
{ |
1522 |
.procname = "perf_event_paranoid", |
1523 |
@@ -78700,9 +78966,19 @@ index afc1dc6..5e28bbf 100644 |
1524 |
+ .data = &sysctl_perf_event_legitimately_concerned, |
1525 |
+ .maxlen = sizeof(sysctl_perf_event_legitimately_concerned), |
1526 |
.mode = 0644, |
1527 |
- .proc_handler = proc_dointvec, |
1528 |
+- .proc_handler = proc_dointvec, |
1529 |
++ /* go ahead, be a hero */ |
1530 |
++ .proc_handler = proc_dointvec_minmax_sysadmin, |
1531 |
++ .extra1 = &zero, |
1532 |
++#ifdef CONFIG_GRKERNSEC_PERF_HARDEN |
1533 |
++ .extra2 = &three, |
1534 |
++#else |
1535 |
++ .extra2 = &two, |
1536 |
++#endif |
1537 |
}, |
1538 |
-@@ -1283,6 +1316,13 @@ static struct ctl_table vm_table[] = { |
1539 |
+ { |
1540 |
+ .procname = "perf_event_mlock_kb", |
1541 |
+@@ -1283,6 +1323,13 @@ static struct ctl_table vm_table[] = { |
1542 |
.proc_handler = proc_dointvec_minmax, |
1543 |
.extra1 = &zero, |
1544 |
}, |
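Review bot: The added comment `/* go ahead, be a hero */` on the perf_event_paranoid entry does not document the behavioural change the new handler brings. With `.extra1 = &zero`, a write of -1, which mainline documents as the least restrictive setting, is now out of range and would presumably be rejected by the min/max handler; writes also go through proc_dointvec_minmax_sysadmin instead of plain proc_dointvec. I would replace the comment with something like `/* range 0..2 (0..3 with GRKERNSEC_PERF_HARDEN); -1 is rejected; writes need CAP_SYS_ADMIN */`, after confirming the capability check in the handler, whose body is only partly visible further down. The ctl_table entry opens outside this hunk.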
1545 |
@@ -78716,7 +78992,7 @@ index afc1dc6..5e28bbf 100644 |
1546 |
#else |
1547 |
{ |
1548 |
.procname = "nr_trim_pages", |
1549 |
-@@ -1733,6 +1773,16 @@ int proc_dostring(struct ctl_table *table, int write, |
1550 |
+@@ -1733,6 +1780,16 @@ int proc_dostring(struct ctl_table *table, int write, |
1551 |
buffer, lenp, ppos); |
1552 |
} |
1553 |
|
1554 |
@@ -78733,7 +79009,7 @@ index afc1dc6..5e28bbf 100644 |
1555 |
static size_t proc_skip_spaces(char **buf) |
1556 |
{ |
1557 |
size_t ret; |
1558 |
-@@ -1838,6 +1888,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val, |
1559 |
+@@ -1838,6 +1895,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val, |
1560 |
len = strlen(tmp); |
1561 |
if (len > *size) |
1562 |
len = *size; |
1563 |
@@ -78742,7 +79018,7 @@ index afc1dc6..5e28bbf 100644 |
1564 |
if (copy_to_user(*buf, tmp, len)) |
1565 |
return -EFAULT; |
1566 |
*size -= len; |
1567 |
-@@ -2002,7 +2054,7 @@ int proc_dointvec(struct ctl_table *table, int write, |
1568 |
+@@ -2002,7 +2061,7 @@ int proc_dointvec(struct ctl_table *table, int write, |
1569 |
static int proc_taint(struct ctl_table *table, int write, |
1570 |
void __user *buffer, size_t *lenp, loff_t *ppos) |
1571 |
{ |
1572 |
@@ -78751,7 +79027,7 @@ index afc1dc6..5e28bbf 100644 |
1573 |
unsigned long tmptaint = get_taint(); |
1574 |
int err; |
1575 |
|
1576 |
-@@ -2030,7 +2082,6 @@ static int proc_taint(struct ctl_table *table, int write, |
1577 |
+@@ -2030,7 +2089,6 @@ static int proc_taint(struct ctl_table *table, int write, |
1578 |
return err; |
1579 |
} |
1580 |
|
1581 |
@@ -78759,7 +79035,7 @@ index afc1dc6..5e28bbf 100644 |
1582 |
static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, |
1583 |
void __user *buffer, size_t *lenp, loff_t *ppos) |
1584 |
{ |
1585 |
-@@ -2039,7 +2090,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, |
1586 |
+@@ -2039,7 +2097,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, |
1587 |
|
1588 |
return proc_dointvec_minmax(table, write, buffer, lenp, ppos); |
1589 |
} |
1590 |
@@ -78767,7 +79043,7 @@ index afc1dc6..5e28bbf 100644 |
1591 |
|
1592 |
struct do_proc_dointvec_minmax_conv_param { |
1593 |
int *min; |
1594 |
-@@ -2186,8 +2236,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int |
1595 |
+@@ -2186,8 +2243,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int |
1596 |
*i = val; |
1597 |
} else { |
1598 |
val = convdiv * (*i) / convmul; |
1599 |
@@ -78780,7 +79056,7 @@ index afc1dc6..5e28bbf 100644 |
1600 |
err = proc_put_long(&buffer, &left, val, false); |
1601 |
if (err) |
1602 |
break; |
1603 |
-@@ -2579,6 +2632,12 @@ int proc_dostring(struct ctl_table *table, int write, |
1604 |
+@@ -2579,6 +2639,12 @@ int proc_dostring(struct ctl_table *table, int write, |
1605 |
return -ENOSYS; |
1606 |
} |
1607 |
|
1608 |
@@ -78793,7 +79069,7 @@ index afc1dc6..5e28bbf 100644 |
1609 |
int proc_dointvec(struct ctl_table *table, int write, |
1610 |
void __user *buffer, size_t *lenp, loff_t *ppos) |
1611 |
{ |
1612 |
-@@ -2635,5 +2694,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax); |
1613 |
+@@ -2635,5 +2701,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax); |
1614 |
EXPORT_SYMBOL(proc_dointvec_userhz_jiffies); |
1615 |
EXPORT_SYMBOL(proc_dointvec_ms_jiffies); |
1616 |
EXPORT_SYMBOL(proc_dostring); |
1617 |
@@ -87120,6 +87396,24 @@ index 960fd29..d55bf64 100644 |
1618 |
|
1619 |
hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table); |
1620 |
if (hdr == NULL) |
1621 |
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c |
1622 |
+index e220207..cdeb839 100644 |
1623 |
+--- a/net/ipv4/tcp.c |
1624 |
++++ b/net/ipv4/tcp.c |
1625 |
+@@ -3383,8 +3383,11 @@ int tcp_md5_hash_skb_data(struct tcp_md5sig_pool *hp, |
1626 |
+ |
1627 |
+ for (i = 0; i < shi->nr_frags; ++i) { |
1628 |
+ const struct skb_frag_struct *f = &shi->frags[i]; |
1629 |
+- struct page *page = skb_frag_page(f); |
1630 |
+- sg_set_page(&sg, page, skb_frag_size(f), f->page_offset); |
1631 |
++ unsigned int offset = f->page_offset; |
1632 |
++ struct page *page = skb_frag_page(f) + (offset >> PAGE_SHIFT); |
1633 |
++ |
1634 |
++ sg_set_page(&sg, page, skb_frag_size(f), |
1635 |
++ offset_in_page(offset)); |
1636 |
+ if (crypto_hash_update(desc, &sg, skb_frag_size(f))) |
1637 |
+ return 1; |
1638 |
+ } |
1639 |
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c |
1640 |
index 13b9c08..d33a8d0 100644 |
1641 |
--- a/net/ipv4/tcp_input.c |
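Review bot: In tcp_md5_hash_skb_data the new `skb_frag_page(f) + (offset >> PAGE_SHIFT)` depends on the fragment's pages being contiguous `struct page` entries, as in a high-order page, and nothing in the loop says so. A short comment, e.g. `/* frag may live in a high-order page: step to the sub-page that holds page_offset */`, would explain why page and offset are normalised before sg_set_page(). The length passed is still skb_frag_size(f), so the scatterlist entry can extend past the end of the selected page; that is presumably fine for the hash walk, but worth confirming against the crypto API of this kernel version. The enclosing function starts and ends outside the hunk.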
1642 |
@@ -87527,6 +87821,19 @@ index 95d13c7..791fe2f 100644 |
1643 |
.kind = "ip6gretap", |
1644 |
.maxtype = IFLA_GRE_MAX, |
1645 |
.policy = ip6gre_policy, |
1646 |
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c |
1647 |
+index 155eccf..851fdae 100644 |
1648 |
+--- a/net/ipv6/ip6_output.c |
1649 |
++++ b/net/ipv6/ip6_output.c |
1650 |
+@@ -1147,7 +1147,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, |
1651 |
+ if (WARN_ON(np->cork.opt)) |
1652 |
+ return -EINVAL; |
1653 |
+ |
1654 |
+- np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation); |
1655 |
++ np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation); |
1656 |
+ if (unlikely(np->cork.opt == NULL)) |
1657 |
+ return -ENOBUFS; |
1658 |
+ |
1659 |
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c |
1660 |
index fff83cb..82d49dd 100644 |
1661 |
--- a/net/ipv6/ip6_tunnel.c |
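Review bot: The kmalloc to kzalloc switch for `np->cork.opt` in ip6_append_data carries no comment on why the buffer must be zeroed, so a later cleanup could revert it as a needless memset. If the reason is that some members of the copied option structure are left unset by the code that follows (not visible here) and are later read or freed, say so: `/* zeroed: members not filled in below must read as NULL/0 */`. The same applies to `discovery = kzalloc(sizeof(discovery_t), GFP_ATOMIC);` in the net/irda/irlap_frame.c hunk that follows, where unset fields of discovery_t would otherwise hold stale heap contents. Both functions continue outside their hunks.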
1662 |
@@ -88061,6 +88368,19 @@ index 362ba47..66196f4 100644 |
1663 |
seq_printf(m, "Max data size: %d\n", self->max_data_size); |
1664 |
seq_printf(m, "Max header size: %d\n", self->max_header_size); |
1665 |
|
1666 |
+diff --git a/net/irda/irlap_frame.c b/net/irda/irlap_frame.c |
1667 |
+index 8c00416..9ea0c93 100644 |
1668 |
+--- a/net/irda/irlap_frame.c |
1669 |
++++ b/net/irda/irlap_frame.c |
1670 |
+@@ -544,7 +544,7 @@ static void irlap_recv_discovery_xid_cmd(struct irlap_cb *self, |
1671 |
+ /* |
1672 |
+ * We now have some discovery info to deliver! |
1673 |
+ */ |
1674 |
+- discovery = kmalloc(sizeof(discovery_t), GFP_ATOMIC); |
1675 |
++ discovery = kzalloc(sizeof(discovery_t), GFP_ATOMIC); |
1676 |
+ if (!discovery) { |
1677 |
+ IRDA_WARNING("%s: unable to malloc!\n", __func__); |
1678 |
+ return; |
1679 |
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c |
1680 |
index 206ce6d..cfb27cd 100644 |
1681 |
--- a/net/iucv/af_iucv.c |
1682 |
@@ -90413,6 +90733,18 @@ index c8717c1..08539f5 100644 |
1683 |
err = handler(dev, info, (union iwreq_data *) iwp, extra); |
1684 |
|
1685 |
iwp->length += essid_compat; |
1686 |
+diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c |
1687 |
+index bcfda89..0cf003d 100644 |
1688 |
+--- a/net/xfrm/xfrm_output.c |
1689 |
++++ b/net/xfrm/xfrm_output.c |
1690 |
+@@ -64,6 +64,7 @@ static int xfrm_output_one(struct sk_buff *skb, int err) |
1691 |
+ |
1692 |
+ if (unlikely(x->km.state != XFRM_STATE_VALID)) { |
1693 |
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEINVALID); |
1694 |
++ err = -EINVAL; |
1695 |
+ goto error; |
1696 |
+ } |
1697 |
+ |
1698 |
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c |
1699 |
index 167c67d..3f2ae427 100644 |
1700 |
--- a/net/xfrm/xfrm_policy.c |