1 |
commit: 7013e899f6294835d95a1c3e309412c990bad2aa |
2 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
3 |
AuthorDate: Wed Jun 29 14:37:32 2011 +0000 |
4 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
5 |
CommitDate: Wed Jun 29 14:37:43 2011 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=7013e899 |
7 |
|
8 |
Update Grsec/PaX and address bug #366019 |
9 |
2.2.2-2.6.32.42-201106281648 |
10 |
2.2.2-2.6.39.2-201106281648 |
11 |
|
12 |
--- |
13 |
2.6.32/0000_README | 2 +- |
14 |
..._grsecurity-2.2.2-2.6.32.42-201106281648.patch} | 32 ++++++------------- |
15 |
2.6.32/4437-grsec-kconfig-proc-user.patch | 26 +++++++++++++++ |
16 |
2.6.39/0000_README | 2 +- |
17 |
...0_grsecurity-2.2.2-2.6.39.2-201106281648.patch} | 33 +++++++------------ |
18 |
2.6.39/4437-grsec-kconfig-proc-user.patch | 26 +++++++++++++++ |
19 |
6 files changed, 76 insertions(+), 45 deletions(-) |
20 |
|
21 |
diff --git a/2.6.32/0000_README b/2.6.32/0000_README |
22 |
index 35d3570..03320de 100644 |
23 |
--- a/2.6.32/0000_README |
24 |
+++ b/2.6.32/0000_README |
25 |
@@ -3,7 +3,7 @@ README |
26 |
|
27 |
Individual Patch Descriptions: |
28 |
----------------------------------------------------------------------------- |
29 |
-Patch: 4420_grsecurity-2.2.2-2.6.32.42-201106251302.patch |
30 |
+Patch: 4420_grsecurity-2.2.2-2.6.32.42-201106281648.patch |
31 |
From: http://www.grsecurity.net |
32 |
Desc: hardened-sources base patch from upstream grsecurity |
33 |
|
34 |
|
35 |
diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106251302.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106281648.patch |
36 |
similarity index 99% |
37 |
rename from 2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106251302.patch |
38 |
rename to 2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106281648.patch |
39 |
index 12c6656..d0d2a83 100644 |
40 |
--- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106251302.patch |
41 |
+++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106281648.patch |
42 |
@@ -27407,27 +27407,6 @@ diff -urNp linux-2.6.32.42/drivers/char/vt_ioctl.c linux-2.6.32.42/drivers/char/ |
43 |
if (!perm) { |
44 |
ret = -EPERM; |
45 |
goto reterr; |
46 |
-diff -urNp linux-2.6.32.42/drivers/connector/Kconfig linux-2.6.32.42/drivers/connector/Kconfig |
47 |
---- linux-2.6.32.42/drivers/connector/Kconfig 2011-03-27 14:31:47.000000000 -0400 |
48 |
-+++ linux-2.6.32.42/drivers/connector/Kconfig 2011-06-20 17:54:56.000000000 -0400 |
49 |
-@@ -1,7 +1,7 @@ |
50 |
- |
51 |
- menuconfig CONNECTOR |
52 |
- tristate "Connector - unified userspace <-> kernelspace linker" |
53 |
-- depends on NET |
54 |
-+ depends on NET && !GRKERNSEC |
55 |
- ---help--- |
56 |
- This is unified userspace <-> kernelspace connector working on top |
57 |
- of the netlink socket protocol. |
58 |
-@@ -13,7 +13,7 @@ if CONNECTOR |
59 |
- |
60 |
- config PROC_EVENTS |
61 |
- boolean "Report process events to userspace" |
62 |
-- depends on CONNECTOR=y |
63 |
-+ depends on CONNECTOR=y && !GRKERNSEC |
64 |
- default y |
65 |
- ---help--- |
66 |
- Provide a connector that reports process events to userspace. Send |
67 |
diff -urNp linux-2.6.32.42/drivers/cpufreq/cpufreq.c linux-2.6.32.42/drivers/cpufreq/cpufreq.c |
68 |
--- linux-2.6.32.42/drivers/cpufreq/cpufreq.c 2011-06-25 12:55:34.000000000 -0400 |
69 |
+++ linux-2.6.32.42/drivers/cpufreq/cpufreq.c 2011-06-25 12:56:37.000000000 -0400 |
70 |
@@ -67135,7 +67114,7 @@ diff -urNp linux-2.6.32.42/net/atm/resources.c linux-2.6.32.42/net/atm/resources |
71 |
} |
72 |
diff -urNp linux-2.6.32.42/net/bluetooth/l2cap.c linux-2.6.32.42/net/bluetooth/l2cap.c |
73 |
--- linux-2.6.32.42/net/bluetooth/l2cap.c 2011-03-27 14:31:47.000000000 -0400 |
74 |
-+++ linux-2.6.32.42/net/bluetooth/l2cap.c 2011-06-12 06:34:08.000000000 -0400 |
75 |
++++ linux-2.6.32.42/net/bluetooth/l2cap.c 2011-06-25 14:36:21.000000000 -0400 |
76 |
@@ -1885,7 +1885,7 @@ static int l2cap_sock_getsockopt_old(str |
77 |
err = -ENOTCONN; |
78 |
break; |
79 |
@@ -67145,6 +67124,15 @@ diff -urNp linux-2.6.32.42/net/bluetooth/l2cap.c linux-2.6.32.42/net/bluetooth/l |
80 |
cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle; |
81 |
memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3); |
82 |
|
83 |
+@@ -2719,7 +2719,7 @@ static inline int l2cap_config_req(struc |
84 |
+ |
85 |
+ /* Reject if config buffer is too small. */ |
86 |
+ len = cmd_len - sizeof(*req); |
87 |
+- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) { |
88 |
++ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) { |
89 |
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, |
90 |
+ l2cap_build_conf_rsp(sk, rsp, |
91 |
+ L2CAP_CONF_REJECT, flags), rsp); |
92 |
diff -urNp linux-2.6.32.42/net/bluetooth/rfcomm/sock.c linux-2.6.32.42/net/bluetooth/rfcomm/sock.c |
93 |
--- linux-2.6.32.42/net/bluetooth/rfcomm/sock.c 2011-03-27 14:31:47.000000000 -0400 |
94 |
+++ linux-2.6.32.42/net/bluetooth/rfcomm/sock.c 2011-06-12 06:35:00.000000000 -0400 |
95 |
|
96 |
diff --git a/2.6.32/4437-grsec-kconfig-proc-user.patch b/2.6.32/4437-grsec-kconfig-proc-user.patch |
97 |
new file mode 100644 |
98 |
index 0000000..de044fb |
99 |
--- /dev/null |
100 |
+++ b/2.6.32/4437-grsec-kconfig-proc-user.patch |
101 |
@@ -0,0 +1,26 @@ |
102 |
+From: Anthony G. Basile <blueness@g.o> |
103 |
+ |
104 |
+Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP |
105 |
+in a different way to avoid bug #366019. This patch should eventually go upstream. |
106 |
+ |
107 |
+diff -Naur linux-2.6.32-hardened-r54.orig//grsecurity/Kconfig linux-2.6.32-hardened-r54/grsecurity/Kconfig |
108 |
+--- a/grsecurity/Kconfig 2011-06-29 07:46:02.000000000 -0400 |
109 |
++++ b/grsecurity/Kconfig 2011-06-29 07:47:20.000000000 -0400 |
110 |
+@@ -670,7 +670,7 @@ |
111 |
+ |
112 |
+ config GRKERNSEC_PROC_USER |
113 |
+ bool "Restrict /proc to user only" |
114 |
+- depends on GRKERNSEC_PROC |
115 |
++ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP |
116 |
+ help |
117 |
+ If you say Y here, non-root users will only be able to view their own |
118 |
+ processes, and restricts them from viewing network-related information, |
119 |
+@@ -678,7 +678,7 @@ |
120 |
+ |
121 |
+ config GRKERNSEC_PROC_USERGROUP |
122 |
+ bool "Allow special group" |
123 |
+- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER |
124 |
++ depends on GRKERNSEC_PROC |
125 |
+ help |
126 |
+ If you say Y here, you will be able to select a group that will be |
127 |
+ able to view all processes and network-related information. If you've |
128 |
|
129 |
diff --git a/2.6.39/0000_README b/2.6.39/0000_README |
130 |
index 339b393..b6b1a96 100644 |
131 |
--- a/2.6.39/0000_README |
132 |
+++ b/2.6.39/0000_README |
133 |
@@ -3,7 +3,7 @@ README |
134 |
|
135 |
Individual Patch Descriptions: |
136 |
----------------------------------------------------------------------------- |
137 |
-Patch: 4420_grsecurity-2.2.2-2.6.39.2-201106251302.patch |
138 |
+Patch: 4420_grsecurity-2.2.2-2.6.39.2-201106281648.patch |
139 |
From: http://www.grsecurity.net |
140 |
Desc: hardened-sources base patch from upstream grsecurity |
141 |
|
142 |
|
143 |
diff --git a/2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106251302.patch b/2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106281648.patch |
144 |
similarity index 99% |
145 |
rename from 2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106251302.patch |
146 |
rename to 2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106281648.patch |
147 |
index 9451ea7..8495f8b 100644 |
148 |
--- a/2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106251302.patch |
149 |
+++ b/2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106281648.patch |
150 |
@@ -28599,27 +28599,6 @@ diff -urNp linux-2.6.39.2/drivers/char/xilinx_hwicap/xilinx_hwicap.c linux-2.6.3 |
151 |
.get_configuration = fifo_icap_get_configuration, |
152 |
.set_configuration = fifo_icap_set_configuration, |
153 |
.get_status = fifo_icap_get_status, |
154 |
-diff -urNp linux-2.6.39.2/drivers/connector/Kconfig linux-2.6.39.2/drivers/connector/Kconfig |
155 |
---- linux-2.6.39.2/drivers/connector/Kconfig 2011-05-19 00:06:34.000000000 -0400 |
156 |
-+++ linux-2.6.39.2/drivers/connector/Kconfig 2011-06-20 17:54:16.000000000 -0400 |
157 |
-@@ -1,7 +1,7 @@ |
158 |
- |
159 |
- menuconfig CONNECTOR |
160 |
- tristate "Connector - unified userspace <-> kernelspace linker" |
161 |
-- depends on NET |
162 |
-+ depends on NET && !GRKERNSEC |
163 |
- ---help--- |
164 |
- This is unified userspace <-> kernelspace connector working on top |
165 |
- of the netlink socket protocol. |
166 |
-@@ -13,7 +13,7 @@ if CONNECTOR |
167 |
- |
168 |
- config PROC_EVENTS |
169 |
- boolean "Report process events to userspace" |
170 |
-- depends on CONNECTOR=y |
171 |
-+ depends on CONNECTOR=y && !GRKERNSEC |
172 |
- default y |
173 |
- ---help--- |
174 |
- Provide a connector that reports process events to userspace. Send |
175 |
diff -urNp linux-2.6.39.2/drivers/crypto/hifn_795x.c linux-2.6.39.2/drivers/crypto/hifn_795x.c |
176 |
--- linux-2.6.39.2/drivers/crypto/hifn_795x.c 2011-05-19 00:06:34.000000000 -0400 |
177 |
+++ linux-2.6.39.2/drivers/crypto/hifn_795x.c 2011-05-22 19:36:31.000000000 -0400 |
178 |
@@ -75786,6 +75765,18 @@ diff -urNp linux-2.6.39.2/net/batman-adv/unicast.c linux-2.6.39.2/net/batman-adv |
179 |
frag1->seqno = htons(seqno - 1); |
180 |
frag2->seqno = htons(seqno); |
181 |
|
182 |
+diff -urNp linux-2.6.39.2/net/bluetooth/l2cap_core.c linux-2.6.39.2/net/bluetooth/l2cap_core.c |
183 |
+--- linux-2.6.39.2/net/bluetooth/l2cap_core.c 2011-05-19 00:06:34.000000000 -0400 |
184 |
++++ linux-2.6.39.2/net/bluetooth/l2cap_core.c 2011-06-25 14:32:21.000000000 -0400 |
185 |
+@@ -2202,7 +2202,7 @@ static inline int l2cap_config_req(struc |
186 |
+ |
187 |
+ /* Reject if config buffer is too small. */ |
188 |
+ len = cmd_len - sizeof(*req); |
189 |
+- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) { |
190 |
++ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) { |
191 |
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, |
192 |
+ l2cap_build_conf_rsp(sk, rsp, |
193 |
+ L2CAP_CONF_REJECT, flags), rsp); |
194 |
diff -urNp linux-2.6.39.2/net/bluetooth/l2cap_sock.c linux-2.6.39.2/net/bluetooth/l2cap_sock.c |
195 |
--- linux-2.6.39.2/net/bluetooth/l2cap_sock.c 2011-05-19 00:06:34.000000000 -0400 |
196 |
+++ linux-2.6.39.2/net/bluetooth/l2cap_sock.c 2011-06-12 06:36:08.000000000 -0400 |
197 |
|
198 |
diff --git a/2.6.39/4437-grsec-kconfig-proc-user.patch b/2.6.39/4437-grsec-kconfig-proc-user.patch |
199 |
new file mode 100644 |
200 |
index 0000000..372507c |
201 |
--- /dev/null |
202 |
+++ b/2.6.39/4437-grsec-kconfig-proc-user.patch |
203 |
@@ -0,0 +1,26 @@ |
204 |
+From: Anthony G. Basile <blueness@g.o> |
205 |
+ |
206 |
+Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP |
207 |
+in a different way to avoid bug #366019. This patch should eventually go upstream. |
208 |
+ |
209 |
+diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-hardened-r4/grsecurity/Kconfig |
210 |
+--- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400 |
211 |
++++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400 |
212 |
+@@ -670,7 +670,7 @@ |
213 |
+ |
214 |
+ config GRKERNSEC_PROC_USER |
215 |
+ bool "Restrict /proc to user only" |
216 |
+- depends on GRKERNSEC_PROC |
217 |
++ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP |
218 |
+ help |
219 |
+ If you say Y here, non-root users will only be able to view their own |
220 |
+ processes, and restricts them from viewing network-related information, |
221 |
+@@ -678,7 +678,7 @@ |
222 |
+ |
223 |
+ config GRKERNSEC_PROC_USERGROUP |
224 |
+ bool "Allow special group" |
225 |
+- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER |
226 |
++ depends on GRKERNSEC_PROC |
227 |
+ help |
228 |
+ If you say Y here, you will be able to select a group that will be |
229 |
+ able to view all processes and network-related information. If you've |