commit: 514be5c53d9181c227ebe4371a4ac0f1bdfcbcf1 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Wed Aug 1 23:41:42 2012 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Wed Aug 1 23:41:42 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=514be5c5 |
|
Grsec/PaX: 2.9.1-{2.6.32.59,3.2.24,3.4.6}-201208011848 |
|
--- |
2.6.32/0000_README | 2 +- |
..._grsecurity-2.9.1-2.6.32.59-201208011848.patch} | 27 ++++++++++++++++++++ |
3.2.24/0000_README | 2 +- |
...420_grsecurity-2.9.1-3.2.24-201208011849.patch} | 27 ++++++++++++++++++++ |
3.4.6/0000_README | 2 +- |
...4420_grsecurity-2.9.1-3.4.7-201208011850.patch} | 27 ++++++++++++++++++++ |
6 files changed, 84 insertions(+), 3 deletions(-) |
|
diff --git a/2.6.32/0000_README b/2.6.32/0000_README |
20 |
index 3010d85..ae80b1d 100644 |
21 |
--- a/2.6.32/0000_README |
22 |
+++ b/2.6.32/0000_README |
23 |
@@ -30,7 +30,7 @@ Patch: 1058_linux-2.6.32.59.patch |
24 |
From: http://www.kernel.org |
25 |
Desc: Linux 2.6.32.59 |
26 |
|
27 |
-Patch: 4420_grsecurity-2.9.1-2.6.32.59-201207311908.patch |
28 |
+Patch: 4420_grsecurity-2.9.1-2.6.32.59-201208011848.patch |
29 |
From: http://www.grsecurity.net |
30 |
Desc: hardened-sources base patch from upstream grsecurity |
31 |
|
32 |
|
33 |
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207311908.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208011848.patch |
34 |
similarity index 99% |
35 |
rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207311908.patch |
36 |
rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208011848.patch |
37 |
index a17194d..4d11792 100644 |
38 |
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201207311908.patch |
39 |
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208011848.patch |
40 |
@@ -105356,6 +105356,33 @@ index 30b3189..e2e4b55 100644 |
41 |
goto out; |
42 |
} |
43 |
|
44 |
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c |
45 |
+index 8df3477..797ae6d 100644 |
46 |
+--- a/net/netfilter/nf_conntrack_core.c |
47 |
++++ b/net/netfilter/nf_conntrack_core.c |
48 |
+@@ -1298,6 +1298,10 @@ err_proto: |
49 |
+ #define UNCONFIRMED_NULLS_VAL ((1<<30)+0) |
50 |
+ #define DYING_NULLS_VAL ((1<<30)+1) |
51 |
+ |
52 |
++#ifdef CONFIG_GRKERNSEC_HIDESYM |
53 |
++static atomic_unchecked_t conntrack_cache_id = ATOMIC_INIT(0); |
54 |
++#endif |
55 |
++ |
56 |
+ static int nf_conntrack_init_net(struct net *net) |
57 |
+ { |
58 |
+ int ret; |
59 |
+@@ -1311,7 +1315,11 @@ static int nf_conntrack_init_net(struct net *net) |
60 |
+ goto err_stat; |
61 |
+ } |
62 |
+ |
63 |
++#ifdef CONFIG_GRKERNSEC_HIDESYM |
64 |
++ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%08lx", atomic_inc_return(&conntrack_cache_id)); |
65 |
++#else |
66 |
+ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net); |
67 |
++#endif |
68 |
+ if (!net->ct.slabname) { |
69 |
+ ret = -ENOMEM; |
70 |
+ goto err_slabname; |
71 |
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c |
72 |
index d521718..d0fd7a1 100644 |
73 |
--- a/net/netfilter/nf_conntrack_netlink.c |
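Review bot: In the added `CONFIG_GRKERNSEC_HIDESYM` branch of `nf_conntrack_init_net()`, the counter is declared `atomic_unchecked_t` but incremented with `atomic_inc_return()`, and its `int` result is formatted with `%08lx`, which expects an `unsigned long`. Where PaX makes `atomic_unchecked_t` a distinct type, this passes a mismatched pointer, and the varargs width mismatch may leave undefined upper bits in the slab name on 64-bit builds. A line such as `net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%08x", atomic_inc_return_unchecked(&conntrack_cache_id));` would keep the type, accessor and format consistent. A one-line comment on the `#ifdef` would also help, e.g. `/* name the cache by counter rather than %p so the slab name does not expose the struct net address */`, which is presumably the intent. The same added lines recur in the 3.2.24 and 3.4.7 patch hunks further down, and the function body continues outside the inner hunk.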
74 |
|
75 |
diff --git a/3.2.24/0000_README b/3.2.24/0000_README |
76 |
index e45dbd8..5b9308c 100644 |
77 |
--- a/3.2.24/0000_README |
78 |
+++ b/3.2.24/0000_README |
79 |
@@ -14,7 +14,7 @@ Patch: 1023_linux-3.2.24.patch |
80 |
From: http://www.kernel.org |
81 |
Desc: Linux 3.2.24 |
82 |
|
83 |
-Patch: 4420_grsecurity-2.9.1-3.2.24-201207311909.patch |
84 |
+Patch: 4420_grsecurity-2.9.1-3.2.24-201208011849.patch |
85 |
From: http://www.grsecurity.net |
86 |
Desc: hardened-sources base patch from upstream grsecurity |
87 |
|
88 |
|
89 |
diff --git a/3.2.24/4420_grsecurity-2.9.1-3.2.24-201207311909.patch b/3.2.24/4420_grsecurity-2.9.1-3.2.24-201208011849.patch |
90 |
similarity index 99% |
91 |
rename from 3.2.24/4420_grsecurity-2.9.1-3.2.24-201207311909.patch |
92 |
rename to 3.2.24/4420_grsecurity-2.9.1-3.2.24-201208011849.patch |
93 |
index 4c10305..c4edc06 100644 |
94 |
--- a/3.2.24/4420_grsecurity-2.9.1-3.2.24-201207311909.patch |
95 |
+++ b/3.2.24/4420_grsecurity-2.9.1-3.2.24-201208011849.patch |
96 |
@@ -78633,6 +78633,33 @@ index aa2d720..d8aa111 100644 |
97 |
goto out; |
98 |
} |
99 |
|
100 |
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c |
101 |
+index 1d15193..1062656 100644 |
102 |
+--- a/net/netfilter/nf_conntrack_core.c |
103 |
++++ b/net/netfilter/nf_conntrack_core.c |
104 |
+@@ -1485,6 +1485,10 @@ err_proto: |
105 |
+ #define UNCONFIRMED_NULLS_VAL ((1<<30)+0) |
106 |
+ #define DYING_NULLS_VAL ((1<<30)+1) |
107 |
+ |
108 |
++#ifdef CONFIG_GRKERNSEC_HIDESYM |
109 |
++static atomic_unchecked_t conntrack_cache_id = ATOMIC_INIT(0); |
110 |
++#endif |
111 |
++ |
112 |
+ static int nf_conntrack_init_net(struct net *net) |
113 |
+ { |
114 |
+ int ret; |
115 |
+@@ -1498,7 +1502,11 @@ static int nf_conntrack_init_net(struct net *net) |
116 |
+ goto err_stat; |
117 |
+ } |
118 |
+ |
119 |
++#ifdef CONFIG_GRKERNSEC_HIDESYM |
120 |
++ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%08lx", atomic_inc_return(&conntrack_cache_id)); |
121 |
++#else |
122 |
+ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net); |
123 |
++#endif |
124 |
+ if (!net->ct.slabname) { |
125 |
+ ret = -ENOMEM; |
126 |
+ goto err_slabname; |
127 |
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c |
128 |
index 66b2c54..c7884e3 100644 |
129 |
--- a/net/netfilter/nfnetlink_log.c |
130 |
|
131 |
diff --git a/3.4.6/0000_README b/3.4.6/0000_README |
132 |
index 14b45fc..2236f0c 100644 |
133 |
--- a/3.4.6/0000_README |
134 |
+++ b/3.4.6/0000_README |
135 |
@@ -6,7 +6,7 @@ Patch: 1005_linux-3.4.6.patch |
136 |
From: http://www.kernel.org |
137 |
Desc: Linux 3.4.6 |
138 |
|
139 |
-Patch: 4420_grsecurity-2.9.1-3.4.7-201207311909.patch |
140 |
+Patch: 4420_grsecurity-2.9.1-3.4.7-201208011850.patch |
141 |
From: http://www.grsecurity.net |
142 |
Desc: hardened-sources base patch from upstream grsecurity |
143 |
|
144 |
|
145 |
diff --git a/3.4.6/4420_grsecurity-2.9.1-3.4.7-201207311909.patch b/3.4.6/4420_grsecurity-2.9.1-3.4.7-201208011850.patch |
146 |
similarity index 99% |
147 |
rename from 3.4.6/4420_grsecurity-2.9.1-3.4.7-201207311909.patch |
148 |
rename to 3.4.6/4420_grsecurity-2.9.1-3.4.7-201208011850.patch |
149 |
index 9da1ccd..23880cf 100644 |
150 |
--- a/3.4.6/4420_grsecurity-2.9.1-3.4.7-201207311909.patch |
151 |
+++ b/3.4.6/4420_grsecurity-2.9.1-3.4.7-201208011850.patch |
152 |
@@ -76824,6 +76824,33 @@ index 7fd66de..e6fb361 100644 |
153 |
goto out; |
154 |
} |
155 |
|
156 |
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c |
157 |
+index 729f157..08edc6c 100644 |
158 |
+--- a/net/netfilter/nf_conntrack_core.c |
159 |
++++ b/net/netfilter/nf_conntrack_core.c |
160 |
+@@ -1538,6 +1538,10 @@ err_proto: |
161 |
+ #define UNCONFIRMED_NULLS_VAL ((1<<30)+0) |
162 |
+ #define DYING_NULLS_VAL ((1<<30)+1) |
163 |
+ |
164 |
++#ifdef CONFIG_GRKERNSEC_HIDESYM |
165 |
++static atomic_unchecked_t conntrack_cache_id = ATOMIC_INIT(0); |
166 |
++#endif |
167 |
++ |
168 |
+ static int nf_conntrack_init_net(struct net *net) |
169 |
+ { |
170 |
+ int ret; |
171 |
+@@ -1551,7 +1555,11 @@ static int nf_conntrack_init_net(struct net *net) |
172 |
+ goto err_stat; |
173 |
+ } |
174 |
+ |
175 |
++#ifdef CONFIG_GRKERNSEC_HIDESYM |
176 |
++ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%08lx", atomic_inc_return(&conntrack_cache_id)); |
177 |
++#else |
178 |
+ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net); |
179 |
++#endif |
180 |
+ if (!net->ct.slabname) { |
181 |
+ ret = -ENOMEM; |
182 |
+ goto err_slabname; |
183 |
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c |
184 |
index 66b2c54..c7884e3 100644 |
185 |
--- a/net/netfilter/nfnetlink_log.c |