summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2015-10-14 21:42:23 -0400
committerAnthony G. Basile <blueness@gentoo.org>2015-10-14 21:42:23 -0400
commitde0f65da3cbe9d37cb7b2e5ece46152fd8274ed7 (patch)
tree62f8fed9137571fbce1dcc7f8cdbff2bb05b8882
parentgrsecurity-3.1-4.2.3-201510111839 (diff)
downloadhardened-patchset-de0f65da3cbe9d37cb7b2e5ece46152fd8274ed7.tar.gz
hardened-patchset-de0f65da3cbe9d37cb7b2e5ece46152fd8274ed7.tar.bz2
hardened-patchset-de0f65da3cbe9d37cb7b2e5ece46152fd8274ed7.zip
grsecurity-3.1-4.2.3-20151013085820151013
-rw-r--r--4.2.3/0000_README2
-rw-r--r--4.2.3/4420_grsecurity-3.1-4.2.3-201510130858.patch (renamed from 4.2.3/4420_grsecurity-3.1-4.2.3-201510111839.patch)205
2 files changed, 200 insertions, 7 deletions
diff --git a/4.2.3/0000_README b/4.2.3/0000_README
index f4ca83e..4b76bbf 100644
--- a/4.2.3/0000_README
+++ b/4.2.3/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.2.3-201510111839.patch
+Patch: 4420_grsecurity-3.1-4.2.3-201510130858.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.2.3/4420_grsecurity-3.1-4.2.3-201510111839.patch b/4.2.3/4420_grsecurity-3.1-4.2.3-201510130858.patch
index 3eeb3c5..28448c3 100644
--- a/4.2.3/4420_grsecurity-3.1-4.2.3-201510111839.patch
+++ b/4.2.3/4420_grsecurity-3.1-4.2.3-201510130858.patch
@@ -37144,6 +37144,20 @@ index d6e5ba3..2bb142c 100644
return ERR_PTR(-EINVAL);
nr_pages += end - start;
+diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
+index d6283b3..9cc48d1d 100644
+--- a/block/blk-cgroup.c
++++ b/block/blk-cgroup.c
+@@ -387,6 +387,9 @@ static void blkg_destroy_all(struct request_queue *q)
+ blkg_destroy(blkg);
+ spin_unlock(&blkcg->lock);
+ }
++
++ q->root_blkg = NULL;
++ q->root_rl.blkg = NULL;
+ }
+
+ /*
diff --git a/block/blk-iopoll.c b/block/blk-iopoll.c
index 0736729..2ec3b48 100644
--- a/block/blk-iopoll.c
@@ -56284,7 +56298,7 @@ index 382d3fc..b16d625 100644
dlci->modem_rx = 0;
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index ee8bfac..9e4ed6f 100644
+index ee8bfac..95461a3 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -116,7 +116,7 @@ struct n_tty_data {
@@ -56296,7 +56310,50 @@ index ee8bfac..9e4ed6f 100644
size_t line_start;
/* protected by output lock */
-@@ -2579,6 +2579,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
+@@ -343,8 +343,7 @@ static void n_tty_packet_mode_flush(struct tty_struct *tty)
+ spin_lock_irqsave(&tty->ctrl_lock, flags);
+ tty->ctrl_status |= TIOCPKT_FLUSHREAD;
+ spin_unlock_irqrestore(&tty->ctrl_lock, flags);
+- if (waitqueue_active(&tty->link->read_wait))
+- wake_up_interruptible(&tty->link->read_wait);
++ wake_up_interruptible(&tty->link->read_wait);
+ }
+ }
+
+@@ -1382,8 +1381,7 @@ handle_newline:
+ put_tty_queue(c, ldata);
+ smp_store_release(&ldata->canon_head, ldata->read_head);
+ kill_fasync(&tty->fasync, SIGIO, POLL_IN);
+- if (waitqueue_active(&tty->read_wait))
+- wake_up_interruptible_poll(&tty->read_wait, POLLIN);
++ wake_up_interruptible_poll(&tty->read_wait, POLLIN);
+ return 0;
+ }
+ }
+@@ -1667,8 +1665,7 @@ static void __receive_buf(struct tty_struct *tty, const unsigned char *cp,
+
+ if ((read_cnt(ldata) >= ldata->minimum_to_wake) || L_EXTPROC(tty)) {
+ kill_fasync(&tty->fasync, SIGIO, POLL_IN);
+- if (waitqueue_active(&tty->read_wait))
+- wake_up_interruptible_poll(&tty->read_wait, POLLIN);
++ wake_up_interruptible_poll(&tty->read_wait, POLLIN);
+ }
+ }
+
+@@ -1887,10 +1884,8 @@ static void n_tty_set_termios(struct tty_struct *tty, struct ktermios *old)
+ }
+
+ /* The termios change make the tty ready for I/O */
+- if (waitqueue_active(&tty->write_wait))
+- wake_up_interruptible(&tty->write_wait);
+- if (waitqueue_active(&tty->read_wait))
+- wake_up_interruptible(&tty->read_wait);
++ wake_up_interruptible(&tty->write_wait);
++ wake_up_interruptible(&tty->read_wait);
+ }
+
+ /**
+@@ -2579,6 +2574,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
{
*ops = tty_ldisc_N_TTY;
ops->owner = NULL;
@@ -57058,11 +57115,147 @@ index b5b4278..bb9c7b0 100644
char c;
if (get_user(c, buf))
+diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
+index 4cf263d..fd011fa 100644
+--- a/drivers/tty/tty_buffer.c
++++ b/drivers/tty/tty_buffer.c
+@@ -242,7 +242,10 @@ void tty_buffer_flush(struct tty_struct *tty, struct tty_ldisc *ld)
+ atomic_inc(&buf->priority);
+
+ mutex_lock(&buf->lock);
+- while ((next = buf->head->next) != NULL) {
++ /* paired w/ release in __tty_buffer_request_room; ensures there are
++ * no pending memory accesses to the freed buffer
++ */
++ while ((next = smp_load_acquire(&buf->head->next)) != NULL) {
+ tty_buffer_free(port, buf->head);
+ buf->head = next;
+ }
+@@ -290,13 +293,15 @@ static int __tty_buffer_request_room(struct tty_port *port, size_t size,
+ if (n != NULL) {
+ n->flags = flags;
+ buf->tail = n;
+- b->commit = b->used;
+- /* paired w/ barrier in flush_to_ldisc(); ensures the
++ /* paired w/ acquire in flush_to_ldisc(); ensures
++ * flush_to_ldisc() sees buffer data.
++ */
++ smp_store_release(&b->commit, b->used);
++ /* paired w/ acquire in flush_to_ldisc(); ensures the
+ * latest commit value can be read before the head is
+ * advanced to the next buffer
+ */
+- smp_wmb();
+- b->next = n;
++ smp_store_release(&b->next, n);
+ } else if (change)
+ size = 0;
+ else
+@@ -394,7 +399,10 @@ void tty_schedule_flip(struct tty_port *port)
+ {
+ struct tty_bufhead *buf = &port->buf;
+
+- buf->tail->commit = buf->tail->used;
++ /* paired w/ acquire in flush_to_ldisc(); ensures
++ * flush_to_ldisc() sees buffer data.
++ */
++ smp_store_release(&buf->tail->commit, buf->tail->used);
+ schedule_work(&buf->work);
+ }
+ EXPORT_SYMBOL(tty_schedule_flip);
+@@ -469,7 +477,7 @@ static void flush_to_ldisc(struct work_struct *work)
+ struct tty_struct *tty;
+ struct tty_ldisc *disc;
+
+- tty = port->itty;
++ tty = READ_ONCE(port->itty);
+ if (tty == NULL)
+ return;
+
+@@ -488,13 +496,15 @@ static void flush_to_ldisc(struct work_struct *work)
+ if (atomic_read(&buf->priority))
+ break;
+
+- next = head->next;
+- /* paired w/ barrier in __tty_buffer_request_room();
++ /* paired w/ release in __tty_buffer_request_room();
+ * ensures commit value read is not stale if the head
+ * is advancing to the next buffer
+ */
+- smp_rmb();
+- count = head->commit - head->read;
++ next = smp_load_acquire(&head->next);
++ /* paired w/ release in __tty_buffer_request_room() or in
++ * tty_buffer_flush(); ensures we see the committed buffer data
++ */
++ count = smp_load_acquire(&head->commit) - head->read;
+ if (!count) {
+ if (next == NULL) {
+ check_other_closed(tty);
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
-index 57fc6ee..b83cc81 100644
+index 57fc6ee..62fa290 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
-@@ -3501,7 +3501,7 @@ EXPORT_SYMBOL(tty_devnum);
+@@ -2136,8 +2136,24 @@ retry_open:
+ if (!noctty &&
+ current->signal->leader &&
+ !current->signal->tty &&
+- tty->session == NULL)
+- __proc_set_tty(tty);
++ tty->session == NULL) {
++ /*
++ * Don't let a process that only has write access to the tty
++ * obtain the privileges associated with having a tty as
++ * controlling terminal (being able to reopen it with full
++ * access through /dev/tty, being able to perform pushback).
++ * Many distributions set the group of all ttys to "tty" and
++ * grant write-only access to all terminals for setgid tty
++ * binaries, which should not imply full privileges on all ttys.
++ *
++ * This could theoretically break old code that performs open()
++ * on a write-only file descriptor. In that case, it might be
++ * necessary to also permit this if
++ * inode_permission(inode, MAY_READ) == 0.
++ */
++ if (filp->f_mode & FMODE_READ)
++ __proc_set_tty(tty);
++ }
+ spin_unlock_irq(&current->sighand->siglock);
+ read_unlock(&tasklist_lock);
+ tty_unlock(tty);
+@@ -2426,7 +2442,7 @@ static int fionbio(struct file *file, int __user *p)
+ * Takes ->siglock() when updating signal->tty
+ */
+
+-static int tiocsctty(struct tty_struct *tty, int arg)
++static int tiocsctty(struct tty_struct *tty, struct file *file, int arg)
+ {
+ int ret = 0;
+
+@@ -2460,6 +2476,13 @@ static int tiocsctty(struct tty_struct *tty, int arg)
+ goto unlock;
+ }
+ }
++
++ /* See the comment in tty_open(). */
++ if ((file->f_mode & FMODE_READ) == 0 && !capable(CAP_SYS_ADMIN)) {
++ ret = -EPERM;
++ goto unlock;
++ }
++
+ proc_set_tty(tty);
+ unlock:
+ read_unlock(&tasklist_lock);
+@@ -2852,7 +2875,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ no_tty();
+ return 0;
+ case TIOCSCTTY:
+- return tiocsctty(tty, arg);
++ return tiocsctty(tty, file, arg);
+ case TIOCGPGRP:
+ return tiocgpgrp(tty, real_tty, p);
+ case TIOCSPGRP:
+@@ -3501,7 +3524,7 @@ EXPORT_SYMBOL(tty_devnum);
void tty_default_fops(struct file_operations *fops)
{
@@ -125541,7 +125734,7 @@ index c0a932d..817c587 100755
# Find all available archs
find_all_archs()
diff --git a/security/Kconfig b/security/Kconfig
-index bf4ec46..20e8f1f 100644
+index bf4ec46..3303bc0 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -4,6 +4,981 @@
@@ -126376,7 +126569,7 @@ index bf4ec46..20e8f1f 100644
+
+config PAX_MEMORY_UDEREF
+ bool "Prevent invalid userland pointer dereference"
-+ default y if GRKERNSEC_CONFIG_AUTO && !(X86_64 && GRKERNSEC_CONFIG_PRIORITY_PERF) && (!X86 || GRKERNSEC_CONFIG_VIRT_NONE || GRKERNSEC_CONFIG_VIRT_EPT)
++ default y if GRKERNSEC_CONFIG_AUTO && !(X86_64 && GRKERNSEC_CONFIG_PRIORITY_PERF) && !(X86_64 && GRKERNSEC_CONFIG_VIRT_HOST && GRKERNSEC_CONFIG_VIRT_VIRTUALBOX) && (!X86 || GRKERNSEC_CONFIG_VIRT_NONE || GRKERNSEC_CONFIG_VIRT_EPT)
+ depends on (X86 || (ARM && (CPU_V6 || CPU_V6K || CPU_V7) && !ARM_LPAE)) && !UML_X86 && !XEN
+ select PAX_PER_CPU_PGD if X86_64
+ help