
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.39/, 2.6.32/
Date: Wed, 29 Jun 2011 14:38:39
Message-Id: 7013e899f6294835d95a1c3e309412c990bad2aa.blueness@gentoo
1 commit: 7013e899f6294835d95a1c3e309412c990bad2aa
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Wed Jun 29 14:37:32 2011 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Wed Jun 29 14:37:43 2011 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=7013e899
7
8 Update Grsec/PaX and address bug #366019
9 2.2.2-2.6.32.42-201106281648
10 2.2.2-2.6.39.2-201106281648
11
12 ---
13 2.6.32/0000_README | 2 +-
14 ..._grsecurity-2.2.2-2.6.32.42-201106281648.patch} | 32 ++++++-------------
15 2.6.32/4437-grsec-kconfig-proc-user.patch | 26 +++++++++++++++
16 2.6.39/0000_README | 2 +-
17 ...0_grsecurity-2.2.2-2.6.39.2-201106281648.patch} | 33 +++++++------------
18 2.6.39/4437-grsec-kconfig-proc-user.patch | 26 +++++++++++++++
19 6 files changed, 76 insertions(+), 45 deletions(-)
20
21 diff --git a/2.6.32/0000_README b/2.6.32/0000_README
22 index 35d3570..03320de 100644
23 --- a/2.6.32/0000_README
24 +++ b/2.6.32/0000_README
25 @@ -3,7 +3,7 @@ README
26
27 Individual Patch Descriptions:
28 -----------------------------------------------------------------------------
29 -Patch: 4420_grsecurity-2.2.2-2.6.32.42-201106251302.patch
30 +Patch: 4420_grsecurity-2.2.2-2.6.32.42-201106281648.patch
31 From: http://www.grsecurity.net
32 Desc: hardened-sources base patch from upstream grsecurity
33
34
35 diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106251302.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106281648.patch
36 similarity index 99%
37 rename from 2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106251302.patch
38 rename to 2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106281648.patch
39 index 12c6656..d0d2a83 100644
40 --- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106251302.patch
41 +++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106281648.patch
42 @@ -27407,27 +27407,6 @@ diff -urNp linux-2.6.32.42/drivers/char/vt_ioctl.c linux-2.6.32.42/drivers/char/
43 if (!perm) {
44 ret = -EPERM;
45 goto reterr;
46 -diff -urNp linux-2.6.32.42/drivers/connector/Kconfig linux-2.6.32.42/drivers/connector/Kconfig
47 ---- linux-2.6.32.42/drivers/connector/Kconfig 2011-03-27 14:31:47.000000000 -0400
48 -+++ linux-2.6.32.42/drivers/connector/Kconfig 2011-06-20 17:54:56.000000000 -0400
49 -@@ -1,7 +1,7 @@
50 -
51 - menuconfig CONNECTOR
52 - tristate "Connector - unified userspace <-> kernelspace linker"
53 -- depends on NET
54 -+ depends on NET && !GRKERNSEC
55 - ---help---
56 - This is unified userspace <-> kernelspace connector working on top
57 - of the netlink socket protocol.
58 -@@ -13,7 +13,7 @@ if CONNECTOR
59 -
60 - config PROC_EVENTS
61 - boolean "Report process events to userspace"
62 -- depends on CONNECTOR=y
63 -+ depends on CONNECTOR=y && !GRKERNSEC
64 - default y
65 - ---help---
66 - Provide a connector that reports process events to userspace. Send
67 diff -urNp linux-2.6.32.42/drivers/cpufreq/cpufreq.c linux-2.6.32.42/drivers/cpufreq/cpufreq.c
68 --- linux-2.6.32.42/drivers/cpufreq/cpufreq.c 2011-06-25 12:55:34.000000000 -0400
69 +++ linux-2.6.32.42/drivers/cpufreq/cpufreq.c 2011-06-25 12:56:37.000000000 -0400
70 @@ -67135,7 +67114,7 @@ diff -urNp linux-2.6.32.42/net/atm/resources.c linux-2.6.32.42/net/atm/resources
71 }
72 diff -urNp linux-2.6.32.42/net/bluetooth/l2cap.c linux-2.6.32.42/net/bluetooth/l2cap.c
73 --- linux-2.6.32.42/net/bluetooth/l2cap.c 2011-03-27 14:31:47.000000000 -0400
74 -+++ linux-2.6.32.42/net/bluetooth/l2cap.c 2011-06-12 06:34:08.000000000 -0400
75 ++++ linux-2.6.32.42/net/bluetooth/l2cap.c 2011-06-25 14:36:21.000000000 -0400
76 @@ -1885,7 +1885,7 @@ static int l2cap_sock_getsockopt_old(str
77 err = -ENOTCONN;
78 break;
79 @@ -67145,6 +67124,15 @@ diff -urNp linux-2.6.32.42/net/bluetooth/l2cap.c linux-2.6.32.42/net/bluetooth/l
80 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
81 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
82
83 +@@ -2719,7 +2719,7 @@ static inline int l2cap_config_req(struc
84 +
85 + /* Reject if config buffer is too small. */
86 + len = cmd_len - sizeof(*req);
87 +- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
88 ++ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
89 + l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
90 + l2cap_build_conf_rsp(sk, rsp,
91 + L2CAP_CONF_REJECT, flags), rsp);
92 diff -urNp linux-2.6.32.42/net/bluetooth/rfcomm/sock.c linux-2.6.32.42/net/bluetooth/rfcomm/sock.c
93 --- linux-2.6.32.42/net/bluetooth/rfcomm/sock.c 2011-03-27 14:31:47.000000000 -0400
94 +++ linux-2.6.32.42/net/bluetooth/rfcomm/sock.c 2011-06-12 06:35:00.000000000 -0400
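Review bot: The added `len < 0` test in the l2cap_config_req hunk catches the short-command case only after the subtraction has already wrapped. `cmd_len - sizeof(*req)` is evaluated in `sizeof`'s unsigned type, so the value becomes negative only through the conversion into `len`, whose declaration is outside the hunk and is presumably a signed int. Comparing the sizes directly does not depend on that conversion: `if (cmd_len < sizeof(*req) || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {`. The comment above it could then read `/* Reject if the request is shorter than its header or the config buffer is too small. */`. The same applies to the identical hunk for linux-2.6.39.2/net/bluetooth/l2cap_core.c in the 2.6.39 patch; in both cases the function body starts and ends outside the hunk.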
95
96 diff --git a/2.6.32/4437-grsec-kconfig-proc-user.patch b/2.6.32/4437-grsec-kconfig-proc-user.patch
97 new file mode 100644
98 index 0000000..de044fb
99 --- /dev/null
100 +++ b/2.6.32/4437-grsec-kconfig-proc-user.patch
101 @@ -0,0 +1,26 @@
102 +From: Anthony G. Basile <blueness@g.o>
103 +
104 +Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP
105 +in a different way to avoid bug #366019. This patch should eventually go upstream.
106 +
107 +diff -Naur linux-2.6.32-hardened-r54.orig//grsecurity/Kconfig linux-2.6.32-hardened-r54/grsecurity/Kconfig
108 +--- a/grsecurity/Kconfig 2011-06-29 07:46:02.000000000 -0400
109 ++++ b/grsecurity/Kconfig 2011-06-29 07:47:20.000000000 -0400
110 +@@ -670,7 +670,7 @@
111 +
112 + config GRKERNSEC_PROC_USER
113 + bool "Restrict /proc to user only"
114 +- depends on GRKERNSEC_PROC
115 ++ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP
116 + help
117 + If you say Y here, non-root users will only be able to view their own
118 + processes, and restricts them from viewing network-related information,
119 +@@ -678,7 +678,7 @@
120 +
121 + config GRKERNSEC_PROC_USERGROUP
122 + bool "Allow special group"
123 +- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
124 ++ depends on GRKERNSEC_PROC
125 + help
126 + If you say Y here, you will be able to select a group that will be
127 + able to view all processes and network-related information. If you've
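Review bot: Moving the negated dependency from GRKERNSEC_PROC_USERGROUP to GRKERNSEC_PROC_USER reverses which option takes precedence, and neither help text visible here says so. Once "Allow special group" is selected, the stricter "Restrict /proc to user only" can no longer be chosen. I would add a line to the GRKERNSEC_PROC_USER help such as `This option is unavailable while GRKERNSEC_PROC_USERGROUP is enabled.` so a user who wants the stricter setting knows to deselect the group option first. The patch header also says only that this avoids bug #366019; a sentence naming the symptom would help whoever carries the patch forward or submits it upstream. Both help texts continue outside the hunks, and the same note applies to the identical 2.6.39/4437-grsec-kconfig-proc-user.patch.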
128
129 diff --git a/2.6.39/0000_README b/2.6.39/0000_README
130 index 339b393..b6b1a96 100644
131 --- a/2.6.39/0000_README
132 +++ b/2.6.39/0000_README
133 @@ -3,7 +3,7 @@ README
134
135 Individual Patch Descriptions:
136 -----------------------------------------------------------------------------
137 -Patch: 4420_grsecurity-2.2.2-2.6.39.2-201106251302.patch
138 +Patch: 4420_grsecurity-2.2.2-2.6.39.2-201106281648.patch
139 From: http://www.grsecurity.net
140 Desc: hardened-sources base patch from upstream grsecurity
141
142
143 diff --git a/2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106251302.patch b/2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106281648.patch
144 similarity index 99%
145 rename from 2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106251302.patch
146 rename to 2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106281648.patch
147 index 9451ea7..8495f8b 100644
148 --- a/2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106251302.patch
149 +++ b/2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106281648.patch
150 @@ -28599,27 +28599,6 @@ diff -urNp linux-2.6.39.2/drivers/char/xilinx_hwicap/xilinx_hwicap.c linux-2.6.3
151 .get_configuration = fifo_icap_get_configuration,
152 .set_configuration = fifo_icap_set_configuration,
153 .get_status = fifo_icap_get_status,
154 -diff -urNp linux-2.6.39.2/drivers/connector/Kconfig linux-2.6.39.2/drivers/connector/Kconfig
155 ---- linux-2.6.39.2/drivers/connector/Kconfig 2011-05-19 00:06:34.000000000 -0400
156 -+++ linux-2.6.39.2/drivers/connector/Kconfig 2011-06-20 17:54:16.000000000 -0400
157 -@@ -1,7 +1,7 @@
158 -
159 - menuconfig CONNECTOR
160 - tristate "Connector - unified userspace <-> kernelspace linker"
161 -- depends on NET
162 -+ depends on NET && !GRKERNSEC
163 - ---help---
164 - This is unified userspace <-> kernelspace connector working on top
165 - of the netlink socket protocol.
166 -@@ -13,7 +13,7 @@ if CONNECTOR
167 -
168 - config PROC_EVENTS
169 - boolean "Report process events to userspace"
170 -- depends on CONNECTOR=y
171 -+ depends on CONNECTOR=y && !GRKERNSEC
172 - default y
173 - ---help---
174 - Provide a connector that reports process events to userspace. Send
175 diff -urNp linux-2.6.39.2/drivers/crypto/hifn_795x.c linux-2.6.39.2/drivers/crypto/hifn_795x.c
176 --- linux-2.6.39.2/drivers/crypto/hifn_795x.c 2011-05-19 00:06:34.000000000 -0400
177 +++ linux-2.6.39.2/drivers/crypto/hifn_795x.c 2011-05-22 19:36:31.000000000 -0400
178 @@ -75786,6 +75765,18 @@ diff -urNp linux-2.6.39.2/net/batman-adv/unicast.c linux-2.6.39.2/net/batman-adv
179 frag1->seqno = htons(seqno - 1);
180 frag2->seqno = htons(seqno);
181
182 +diff -urNp linux-2.6.39.2/net/bluetooth/l2cap_core.c linux-2.6.39.2/net/bluetooth/l2cap_core.c
183 +--- linux-2.6.39.2/net/bluetooth/l2cap_core.c 2011-05-19 00:06:34.000000000 -0400
184 ++++ linux-2.6.39.2/net/bluetooth/l2cap_core.c 2011-06-25 14:32:21.000000000 -0400
185 +@@ -2202,7 +2202,7 @@ static inline int l2cap_config_req(struc
186 +
187 + /* Reject if config buffer is too small. */
188 + len = cmd_len - sizeof(*req);
189 +- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
190 ++ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
191 + l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
192 + l2cap_build_conf_rsp(sk, rsp,
193 + L2CAP_CONF_REJECT, flags), rsp);
194 diff -urNp linux-2.6.39.2/net/bluetooth/l2cap_sock.c linux-2.6.39.2/net/bluetooth/l2cap_sock.c
195 --- linux-2.6.39.2/net/bluetooth/l2cap_sock.c 2011-05-19 00:06:34.000000000 -0400
196 +++ linux-2.6.39.2/net/bluetooth/l2cap_sock.c 2011-06-12 06:36:08.000000000 -0400
197
198 diff --git a/2.6.39/4437-grsec-kconfig-proc-user.patch b/2.6.39/4437-grsec-kconfig-proc-user.patch
199 new file mode 100644
200 index 0000000..372507c
201 --- /dev/null
202 +++ b/2.6.39/4437-grsec-kconfig-proc-user.patch
203 @@ -0,0 +1,26 @@
204 +From: Anthony G. Basile <blueness@g.o>
205 +
206 +Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP
207 +in a different way to avoid bug #366019. This patch should eventually go upstream.
208 +
209 +diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-hardened-r4/grsecurity/Kconfig
210 +--- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400
211 ++++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400
212 +@@ -670,7 +670,7 @@
213 +
214 + config GRKERNSEC_PROC_USER
215 + bool "Restrict /proc to user only"
216 +- depends on GRKERNSEC_PROC
217 ++ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP
218 + help
219 + If you say Y here, non-root users will only be able to view their own
220 + processes, and restricts them from viewing network-related information,
221 +@@ -678,7 +678,7 @@
222 +
223 + config GRKERNSEC_PROC_USERGROUP
224 + bool "Allow special group"
225 +- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
226 ++ depends on GRKERNSEC_PROC
227 + help
228 + If you say Y here, you will be able to select a group that will be
229 + able to view all processes and network-related information. If you've