authorAnthony G. Basile <blueness@gentoo.org>2015-10-11 18:56:14 -0400
committerAnthony G. Basile <blueness@gentoo.org>2015-10-11 18:56:14 -0400
commit116b95f1a7590519be254e3128fefd92d8eaaefd (patch)
tree507b1e5197d2e4865528bf98857669b40e76d184
parentgrsecurity-3.1-4.2.3-201510072230 (diff)
grsecurity-3.1-4.2.3-20151009234720151009
-rw-r--r--4.2.3/0000_README2
-rw-r--r--4.2.3/4420_grsecurity-3.1-4.2.3-201510092347.patch (renamed from 4.2.3/4420_grsecurity-3.1-4.2.3-201510072230.patch)252
2 files changed, 235 insertions, 19 deletions
diff --git a/4.2.3/0000_README b/4.2.3/0000_README
index 08d9f55..1d05b9f 100644
--- a/4.2.3/0000_README
+++ b/4.2.3/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.2.3-201510072230.patch
+Patch: 4420_grsecurity-3.1-4.2.3-201510092347.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.2.3/4420_grsecurity-3.1-4.2.3-201510072230.patch b/4.2.3/4420_grsecurity-3.1-4.2.3-201510092347.patch
index b4b589d..5075ca5 100644
--- a/4.2.3/4420_grsecurity-3.1-4.2.3-201510072230.patch
+++ b/4.2.3/4420_grsecurity-3.1-4.2.3-201510092347.patch
@@ -24915,7 +24915,7 @@ index eec40f5..4fee808 100644
#include <asm/processor.h>
#include <asm/fcntl.h>
diff --git a/arch/x86/kernel/espfix_64.c b/arch/x86/kernel/espfix_64.c
-index ce95676..da8c6ff 100644
+index ce95676..af5c012 100644
--- a/arch/x86/kernel/espfix_64.c
+++ b/arch/x86/kernel/espfix_64.c
@@ -41,6 +41,7 @@
@@ -24939,12 +24939,12 @@ index ce95676..da8c6ff 100644
static unsigned int page_random, slot_random;
-@@ -122,14 +125,25 @@ static void init_espfix_random(void)
+@@ -122,10 +125,19 @@ static void init_espfix_random(void)
void __init init_espfix_bsp(void)
{
pgd_t *pgd_p;
+ pud_t *pud_p;
-+ unsigned long addr, index = pgd_index(ESPFIX_BASE_ADDR);
++ unsigned long index = pgd_index(ESPFIX_BASE_ADDR);
/* Install the espfix pud into the kernel page directory */
- pgd_p = &init_level4_pgt[pgd_index(ESPFIX_BASE_ADDR)];
@@ -24961,13 +24961,7 @@ index ce95676..da8c6ff 100644
/* Randomize the locations */
init_espfix_random();
-
-+ addr = espfix_base_addr(0);
-+
- /* The rest is the same as for any other processor */
- init_espfix_ap(0);
- }
-@@ -170,35 +184,39 @@ void init_espfix_ap(int cpu)
+@@ -170,35 +182,39 @@ void init_espfix_ap(int cpu)
pud_p = &espfix_pud_page[pud_index(addr)];
pud = *pud_p;
if (!pud_present(pud)) {
@@ -26887,6 +26881,80 @@ index c2bedae..25e7ab60 100644
.attr = {
.name = "data",
.mode = S_IRUGO,
+diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c
+index 49487b4..a94a0d3 100644
+--- a/arch/x86/kernel/kvmclock.c
++++ b/arch/x86/kernel/kvmclock.c
+@@ -29,7 +29,7 @@
+ #include <asm/x86_init.h>
+ #include <asm/reboot.h>
+
+-static int kvmclock = 1;
++static int kvmclock __read_only = 1;
+ static int msr_kvm_system_time = MSR_KVM_SYSTEM_TIME;
+ static int msr_kvm_wall_clock = MSR_KVM_WALL_CLOCK;
+
+@@ -41,7 +41,7 @@ static int parse_no_kvmclock(char *arg)
+ early_param("no-kvmclock", parse_no_kvmclock);
+
+ /* The hypervisor will put information about time periodically here */
+-static struct pvclock_vsyscall_time_info *hv_clock;
++static struct pvclock_vsyscall_time_info hv_clock[NR_CPUS] __page_aligned_bss;
+ static struct pvclock_wall_clock wall_clock;
+
+ /*
+@@ -132,7 +132,7 @@ bool kvm_check_and_clear_guest_paused(void)
+ struct pvclock_vcpu_time_info *src;
+ int cpu = smp_processor_id();
+
+- if (!hv_clock)
++ if (!kvmclock)
+ return ret;
+
+ src = &hv_clock[cpu].pvti;
+@@ -159,7 +159,7 @@ int kvm_register_clock(char *txt)
+ int low, high, ret;
+ struct pvclock_vcpu_time_info *src;
+
+- if (!hv_clock)
++ if (!kvmclock)
+ return 0;
+
+ src = &hv_clock[cpu].pvti;
+@@ -219,7 +219,6 @@ static void kvm_shutdown(void)
+ void __init kvmclock_init(void)
+ {
+ struct pvclock_vcpu_time_info *vcpu_time;
+- unsigned long mem;
+ int size, cpu;
+ u8 flags;
+
+@@ -237,15 +236,8 @@ void __init kvmclock_init(void)
+ printk(KERN_INFO "kvm-clock: Using msrs %x and %x",
+ msr_kvm_system_time, msr_kvm_wall_clock);
+
+- mem = memblock_alloc(size, PAGE_SIZE);
+- if (!mem)
+- return;
+- hv_clock = __va(mem);
+- memset(hv_clock, 0, size);
+-
+ if (kvm_register_clock("primary cpu clock")) {
+- hv_clock = NULL;
+- memblock_free(mem, size);
++ kvmclock = 0;
+ return;
+ }
+ pv_time_ops.sched_clock = kvm_clock_read;
+@@ -286,7 +278,7 @@ int __init kvm_setup_vsyscall_timeinfo(void)
+ struct pvclock_vcpu_time_info *vcpu_time;
+ unsigned int size;
+
+- if (!hv_clock)
++ if (!kvmclock)
+ return 0;
+
+ size = PAGE_ALIGN(sizeof(struct pvclock_vsyscall_time_info)*NR_CPUS);
diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
index 2bcc052..864eb84 100644
--- a/arch/x86/kernel/ldt.c
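Review bot: In the kvmclock.c section, the `if (!kvmclock)` guards in kvm_check_and_clear_guest_paused(), kvm_register_clock() and kvm_setup_vsyscall_timeinfo() are not equivalent to the `if (!hv_clock)` tests they replace. `kvmclock` starts at 1 and, within these hunks, is cleared only when kvm_register_clock() fails, whereas `hv_clock` stayed NULL until kvmclock_init() had actually allocated the area. If kvmclock_init() has earlier return paths (they lie outside the hunk, so this is inferred), those paths now leave the guards open and the callers go on to read the zero-filled static `hv_clock[]`. Adding `kvmclock = 0;` before each such early `return;` would restore the old meaning; a short comment on `kvmclock` saying it now doubles as the "clock area is live" flag would also help.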
@@ -33514,10 +33582,19 @@ index 81bf3d2..7ef25c2 100644
* XXX: batch / limit 'nr', to avoid large irq off latency
* needs some instrumenting to determine the common sizes used by
diff --git a/arch/x86/mm/highmem_32.c b/arch/x86/mm/highmem_32.c
-index eecb207a..ad42a30 100644
+index eecb207a..808343a 100644
--- a/arch/x86/mm/highmem_32.c
+++ b/arch/x86/mm/highmem_32.c
-@@ -45,7 +45,9 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot)
+@@ -35,6 +35,8 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot)
+ unsigned long vaddr;
+ int idx, type;
+
++ BUG_ON(pgprot_val(prot) & _PAGE_USER);
++
+ preempt_disable();
+ pagefault_disable();
+
+@@ -45,7 +47,9 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot)
idx = type + KM_TYPE_NR*smp_processor_id();
vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
BUG_ON(!pte_none(*(kmap_pte-idx)));
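Review bot: The new `BUG_ON(pgprot_val(prot) & _PAGE_USER);` at the top of kmap_atomic_prot() carries no comment naming the invariant it enforces. A reader has to work out that the mapping is installed at a fixmap slot (`__fix_to_virt(FIX_KMAP_BEGIN + idx)` a few lines below) and that a user-accessible protection there would expose the mapped page outside the kernel. I would add a line above it such as `/* kmap slots are kernel-only: refuse a prot that would make the page user-accessible */`. The function body continues outside the hunk.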
@@ -34682,7 +34759,7 @@ index 9f0614d..92ae64a 100644
p += get_opcode(p, &opcode);
for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
-index fb0a9dd..72a6e6f 100644
+index fb0a9dd..6fc86ab 100644
--- a/arch/x86/mm/pgtable.c
+++ b/arch/x86/mm/pgtable.c
@@ -98,10 +98,75 @@ static inline void pgd_list_del(pgd_t *pgd)
@@ -34970,6 +35047,55 @@ index fb0a9dd..72a6e6f 100644
pgd_dtor(pgd);
paravirt_pgd_free(mm, pgd);
_pgd_free(pgd);
+@@ -544,6 +616,40 @@ void __init reserve_top_address(unsigned long reserve)
+
+ int fixmaps_set;
+
++static void fix_user_fixmap(enum fixed_addresses idx, unsigned long address)
++{
++#ifdef CONFIG_X86_64
++ pgd_t *pgd;
++ pud_t *pud;
++ pmd_t *pmd;
++
++ switch (idx) {
++ default:
++ return;
++
++#ifdef CONFIG_X86_VSYSCALL_EMULATION
++ case VSYSCALL_PAGE:
++#endif
++#ifdef CONFIG_PARAVIRT_CLOCK
++ case PVCLOCK_FIXMAP_BEGIN ... PVCLOCK_FIXMAP_END:
++#endif
++ break;
++ }
++
++ pgd = pgd_offset_k(address);
++ if (!(pgd_val(*pgd) & _PAGE_USER))
++ set_pgd(pgd, __pgd(pgd_val(*pgd) | _PAGE_USER));
++
++ pud = pud_offset(pgd, address);
++ if (!(pud_val(*pud) & _PAGE_USER))
++ set_pud(pud, __pud(pud_val(*pud) | _PAGE_USER));
++
++ pmd = pmd_offset(pud, address);
++ if (!(pmd_val(*pmd) & _PAGE_USER))
++ set_pmd(pmd, __pmd(pmd_val(*pmd) | _PAGE_USER));
++#endif
++}
++
+ void __native_set_fixmap(enum fixed_addresses idx, pte_t pte)
+ {
+ unsigned long address = __fix_to_virt(idx);
+@@ -554,6 +660,7 @@ void __native_set_fixmap(enum fixed_addresses idx, pte_t pte)
+ }
+ set_pte_vaddr(address, pte);
+ fixmaps_set++;
++ fix_user_fixmap(idx, address);
+ }
+
+ void native_set_fixmap(enum fixed_addresses idx, phys_addr_t phys,
diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c
index 90555bf..f5f1828 100644
--- a/arch/x86/mm/setup_nx.c
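Review bot: fix_user_fixmap() sets `_PAGE_USER` on the pgd, pud and pmd entries covering the vsyscall and pvclock fixmaps without a comment on why this is needed or on what still protects the neighbouring mappings. Those upper-level entries are shared by every address beneath them, so after this call the only thing keeping the rest of that range kernel-only is the absence of `_PAGE_USER` in each leaf entry; that invariant deserves a header comment on the function. The walk also uses each level without a present or large-page check, which presumably is safe only because `set_pte_vaddr(address, pte)` runs immediately before the call in __native_set_fixmap(). A one-line comment such as `/* must run after set_pte_vaddr() has populated the intermediate levels */` would keep the helper from being reused where that does not hold.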
@@ -37079,6 +37205,33 @@ index 45e7d51..2967121 100644
if (!ret)
kobject_uevent(&pinst->kobj, KOBJ_ADD);
+diff --git a/crypto/scatterwalk.c b/crypto/scatterwalk.c
+index ea5815c..5880da6 100644
+--- a/crypto/scatterwalk.c
++++ b/crypto/scatterwalk.c
+@@ -109,14 +109,20 @@ void scatterwalk_map_and_copy(void *buf, struct scatterlist *sg,
+ {
+ struct scatter_walk walk;
+ struct scatterlist tmp[2];
++ void *realbuf = buf;
+
+ if (!nbytes)
+ return;
+
+ sg = scatterwalk_ffwd(tmp, sg, start);
+
+- if (sg_page(sg) == virt_to_page(buf) &&
+- sg->offset == offset_in_page(buf))
++#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
++ if (object_starts_on_stack(buf))
++ realbuf = buf - current->stack + current->lowmem_stack;
++#endif
++
++ if (sg_page(sg) == virt_to_page(realbuf) &&
++ sg->offset == offset_in_page(realbuf))
+ return;
+
+ scatterwalk_start(&walk, sg);
diff --git a/crypto/zlib.c b/crypto/zlib.c
index d51a30a..fb1f8af 100644
--- a/crypto/zlib.c
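Review bot: The `realbuf = buf - current->stack + current->lowmem_stack;` translation in scatterwalk_map_and_copy() is unexplained, and only the same-page comparison uses it. Presumably, under CONFIG_GRKERNSEC_KSTACKOVERFLOW, a stack buffer's address is not one that `virt_to_page()` can translate, so the lowmem alias is substituted for the check. A comment above the `#ifdef` would make that explicit, e.g. `/* stack buffers are remapped: compare against the lowmem alias that virt_to_page() understands */`. The rest of the function, which still operates on `buf`, is outside the hunk.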
@@ -50874,10 +51027,20 @@ index 487be20..f4c87bc 100644
err = 0;
break;
diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
-index 079f7ad..b2a2bfa7 100644
+index 079f7ad..7e59810 100644
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
-@@ -487,7 +487,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
+@@ -94,6 +94,9 @@ slhc_init(int rslots, int tslots)
+ register struct cstate *ts;
+ struct slcompress *comp;
+
++ if (rslots <= 0 || tslots <= 0 || rslots >= 256 || tslots >= 256)
++ goto out_fail;
++
+ comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
+ if (! comp)
+ goto out_fail;
+@@ -487,7 +490,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
register struct tcphdr *thp;
register struct iphdr *ip;
register struct cstate *cs;
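Review bot: The range check added at the top of slhc_init() does not document the accepted range, and it rejects a slot count of zero as well as negative and over-255 values. If that strictness is deliberate, a comment would record it, e.g. `/* slot counts must be 1..255; anything else would leave rstate/tstate unallocated */` (the allocation code is outside the hunk, so the second half is inferred). Note also that `goto out_fail` is now taken before `comp` is assigned, so the out_fail label, which is outside the hunk, must not touch `comp`.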
@@ -102842,6 +103005,18 @@ index e951453..0685f5b 100644
}
#endif /* __NET_NET_NAMESPACE_H */
+diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
+index 37cd391..4023c4c 100644
+--- a/include/net/netfilter/nf_conntrack.h
++++ b/include/net/netfilter/nf_conntrack.h
+@@ -292,6 +292,7 @@ extern unsigned int nf_conntrack_hash_rnd;
+ void init_nf_conntrack_hash_rnd(void);
+
+ struct nf_conn *nf_ct_tmpl_alloc(struct net *net, u16 zone, gfp_t flags);
++void nf_ct_tmpl_free(struct nf_conn *tmpl);
+
+ #define NF_CT_STAT_INC(net, count) __this_cpu_inc((net)->ct.stat->count)
+ #define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)
diff --git a/include/net/netlink.h b/include/net/netlink.h
index 2a5dbcc..8243656 100644
--- a/include/net/netlink.h
@@ -121709,10 +121884,25 @@ index 45da11a..ef3e5dc 100644
table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table),
GFP_KERNEL);
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
-index 3c20d02..b7e071a 100644
+index 3c20d02..b2c15f4 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
-@@ -1753,6 +1753,10 @@ void nf_conntrack_init_end(void)
+@@ -320,12 +320,13 @@ out_free:
+ }
+ EXPORT_SYMBOL_GPL(nf_ct_tmpl_alloc);
+
+-static void nf_ct_tmpl_free(struct nf_conn *tmpl)
++void nf_ct_tmpl_free(struct nf_conn *tmpl)
+ {
+ nf_ct_ext_destroy(tmpl);
+ nf_ct_ext_free(tmpl);
+ kfree(tmpl);
+ }
++EXPORT_SYMBOL_GPL(nf_ct_tmpl_free);
+
+ static void
+ destroy_conntrack(struct nf_conntrack *nfct)
+@@ -1753,6 +1754,10 @@ void nf_conntrack_init_end(void)
#define DYING_NULLS_VAL ((1<<30)+1)
#define TEMPLATE_NULLS_VAL ((1<<30)+2)
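Review bot: nf_ct_tmpl_free() becomes a global, exported symbol here without a comment saying which objects it may be given. It ends in a plain `kfree(tmpl)`, so it is presumably correct only for templates obtained from nf_ct_tmpl_alloc(). The synproxy and xt_CT error paths changed elsewhere in this update show how easily a template ends up in nf_conntrack_free() instead. A line above the definition, e.g. `/* Free a template allocated by nf_ct_tmpl_alloc(); never use on entries from nf_conntrack_alloc() */`, would make the alloc/free pairing explicit for module authors.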
@@ -121723,7 +121913,7 @@ index 3c20d02..b7e071a 100644
int nf_conntrack_init_net(struct net *net)
{
int ret = -ENOMEM;
-@@ -1777,7 +1781,11 @@ int nf_conntrack_init_net(struct net *net)
+@@ -1777,7 +1782,11 @@ int nf_conntrack_init_net(struct net *net)
if (!net->ct.stat)
goto err_pcpu_lists;
@@ -121854,6 +122044,19 @@ index c68c1e5..8b5d670 100644
mutex_unlock(&nf_sockopt_mutex);
}
EXPORT_SYMBOL(nf_unregister_sockopt);
+diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
+index d7f1685..d6ee8f8 100644
+--- a/net/netfilter/nf_synproxy_core.c
++++ b/net/netfilter/nf_synproxy_core.c
+@@ -378,7 +378,7 @@ static int __net_init synproxy_net_init(struct net *net)
+ err3:
+ free_percpu(snet->stats);
+ err2:
+- nf_conntrack_free(ct);
++ nf_ct_tmpl_free(ct);
+ err1:
+ return err;
+ }
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 4670821..a6c3c47d 100644
--- a/net/netfilter/nfnetlink_log.c
@@ -121896,6 +122099,19 @@ index 66def31..d64a66d 100644
}
static const struct nla_policy nft_match_policy[NFTA_MATCH_MAX + 1] = {
+diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
+index 43ddeee..f3377ce 100644
+--- a/net/netfilter/xt_CT.c
++++ b/net/netfilter/xt_CT.c
+@@ -233,7 +233,7 @@ out:
+ return 0;
+
+ err3:
+- nf_conntrack_free(ct);
++ nf_ct_tmpl_free(ct);
+ err2:
+ nf_ct_l3proto_module_put(par->family);
+ err1:
diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c
new file mode 100644
index 0000000..c566332