Grsec/PaX: 2.2.2-2.6.32.44-201108141242 and 2.2.2-2.6.39.4-20110814124220110814

4 files changed, 98 insertions, 28 deletions

diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 5e4d4d1..3c9e2ca 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -7,7 +7,7 @@ Patch:	1043_linux-2.6.32.44.patch
 From:	http://www.kernel.org
 Desc:	Linux 2.6.39.44
 
-Patch:	4420_grsecurity-2.2.2-2.6.32.44-201108111959.patch
+Patch:	4420_grsecurity-2.2.2-2.6.32.44-201108141242.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.44-201108111959.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.44-201108141242.patch
index 39c74d4..09a1d99 100644
--- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.44-201108111959.patch
+++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.44-201108141242.patch
@@ -72413,7 +72413,7 @@ diff -urNp linux-2.6.32.44/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.32.4
  			printk("OOM in bsalg (%d)\n", __LINE__);
 diff -urNp linux-2.6.32.44/net/ipv4/raw.c linux-2.6.32.44/net/ipv4/raw.c
 --- linux-2.6.32.44/net/ipv4/raw.c	2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.44/net/ipv4/raw.c	2011-05-04 17:59:08.000000000 -0400
++++ linux-2.6.32.44/net/ipv4/raw.c	2011-08-14 11:46:51.000000000 -0400
 @@ -292,7 +292,7 @@ static int raw_rcv_skb(struct sock * sk,
  	/* Charge it to the socket. */
  
@@ -72432,7 +72432,7 @@ diff -urNp linux-2.6.32.44/net/ipv4/raw.c linux-2.6.32.44/net/ipv4/raw.c
  		kfree_skb(skb);
  		return NET_RX_DROP;
  	}
-@@ -724,15 +724,22 @@ static int raw_init(struct sock *sk)
+@@ -724,16 +724,23 @@ static int raw_init(struct sock *sk)
  
  static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
  {
@@ -72445,24 +72445,26 @@ diff -urNp linux-2.6.32.44/net/ipv4/raw.c linux-2.6.32.44/net/ipv4/raw.c
 -	if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
 +	if (copy_from_user(&filter, optval, optlen))
  		return -EFAULT;
-+	memcpy(&raw_sk(sk)->filter, &filter, optlen);
++	raw_sk(sk)->filter = filter;
 +
  	return 0;
  }
  
  static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
  {
-+	struct icmp_filter filter;
  	int len, ret = -EFAULT;
++	struct icmp_filter filter;
  
  	if (get_user(len, optlen))
+ 		goto out;
 @@ -743,8 +750,9 @@ static int raw_geticmpfilter(struct sock
  	if (len > sizeof(struct icmp_filter))
  		len = sizeof(struct icmp_filter);
  	ret = -EFAULT;
-+	memcpy(&filter, &raw_sk(sk)->filter, len);
- 	if (put_user(len, optlen) ||
+-	if (put_user(len, optlen) ||
 -	    copy_to_user(optval, &raw_sk(sk)->filter, len))
++	filter = raw_sk(sk)->filter;
++	if (put_user(len, optlen) || len > sizeof filter ||
 +	    copy_to_user(optval, &filter, len))
  		goto out;
  	ret = 0;
@@ -72942,7 +72944,7 @@ diff -urNp linux-2.6.32.44/net/ipv6/netfilter/ip6_tables.c linux-2.6.32.44/net/i
  		       sizeof(info.hook_entry));
 diff -urNp linux-2.6.32.44/net/ipv6/raw.c linux-2.6.32.44/net/ipv6/raw.c
 --- linux-2.6.32.44/net/ipv6/raw.c	2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.44/net/ipv6/raw.c	2011-05-16 21:46:57.000000000 -0400
++++ linux-2.6.32.44/net/ipv6/raw.c	2011-08-14 11:48:20.000000000 -0400
 @@ -375,14 +375,14 @@ static inline int rawv6_rcv_skb(struct s
  {
  	if ((raw6_sk(sk)->checksum || sk->sk_filter) &&
@@ -73020,25 +73022,25 @@ diff -urNp linux-2.6.32.44/net/ipv6/raw.c linux-2.6.32.44/net/ipv6/raw.c
 -		if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
 +		if (copy_from_user(&filter, optval, optlen))
  			return -EFAULT;
-+		memcpy(&raw6_sk(sk)->filter, &filter, optlen);
++		raw6_sk(sk)->filter = filter;
  		return 0;
  	default:
  		return -ENOPROTOOPT;
-@@ -933,6 +940,7 @@ static int rawv6_seticmpfilter(struct so
- static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
+@@ -934,6 +941,7 @@ static int rawv6_geticmpfilter(struct so
  			       char __user *optval, int __user *optlen)
  {
-+	struct icmp6_filter filter;
  	int len;
++	struct icmp6_filter filter;
  
  	switch (optname) {
+ 	case ICMPV6_FILTER:
 @@ -945,7 +953,8 @@ static int rawv6_geticmpfilter(struct so
  			len = sizeof(struct icmp6_filter);
  		if (put_user(len, optlen))
  			return -EFAULT;
 -		if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
-+		memcpy(&filter, &raw6_sk(sk)->filter, len);
-+		if (copy_to_user(optval, &filter, len))
++		filter = raw6_sk(sk)->filter;
++		if (len > sizeof filter || copy_to_user(optval, &filter, len))
  			return -EFAULT;
  		return 0;
  	default:
diff --git a/2.6.39/0000_README b/2.6.39/0000_README
index 3d8bf57..0dac428 100644
--- a/2.6.39/0000_README
+++ b/2.6.39/0000_README
@@ -3,7 +3,7 @@ README
 
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-2.2.2-2.6.39.4-201108132040.patch
+Patch:	4420_grsecurity-2.2.2-2.6.39.4-201108141242.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/2.6.39/4420_grsecurity-2.2.2-2.6.39.4-201108132040.patch b/2.6.39/4420_grsecurity-2.2.2-2.6.39.4-201108141242.patch
index 85fe52d..8d522f2 100644
--- a/2.6.39/4420_grsecurity-2.2.2-2.6.39.4-201108132040.patch
+++ b/2.6.39/4420_grsecurity-2.2.2-2.6.39.4-201108141242.patch
@@ -21239,6 +21239,7 @@ diff -urNp linux-2.6.39.4/arch/x86/power/cpu.c linux-2.6.39.4/arch/x86/power/cpu
  
  	syscall_init();				/* This sets MSR_*STAR and related */
  #endif
+Binary files linux-2.6.39.4/arch/x86/tools/test_get_len and linux-2.6.39.4/arch/x86/tools/test_get_len differ
 diff -urNp linux-2.6.39.4/arch/x86/vdso/Makefile linux-2.6.39.4/arch/x86/vdso/Makefile
 --- linux-2.6.39.4/arch/x86/vdso/Makefile	2011-05-19 00:06:34.000000000 -0400
 +++ linux-2.6.39.4/arch/x86/vdso/Makefile	2011-08-05 19:44:35.000000000 -0400
@@ -31979,6 +31980,30 @@ diff -urNp linux-2.6.39.4/drivers/spi/spi.c linux-2.6.39.4/drivers/spi/spi.c
  
  static u8	*buf;
  
+diff -urNp linux-2.6.39.4/drivers/staging/ath6kl/os/linux/ar6000_drv.c linux-2.6.39.4/drivers/staging/ath6kl/os/linux/ar6000_drv.c
+--- linux-2.6.39.4/drivers/staging/ath6kl/os/linux/ar6000_drv.c	2011-05-19 00:06:34.000000000 -0400
++++ linux-2.6.39.4/drivers/staging/ath6kl/os/linux/ar6000_drv.c	2011-08-14 12:12:59.000000000 -0400
+@@ -384,7 +384,7 @@ static struct ar_cookie s_ar_cookie_mem[
+         (((ar)->arTargetType == TARGET_TYPE_AR6003) ? AR6003_HOST_INTEREST_ITEM_ADDRESS(item) : 0))
+ 
+ 
+-static struct net_device_ops ar6000_netdev_ops = {
++static net_device_ops_no_const ar6000_netdev_ops = {
+     .ndo_init               = NULL,
+     .ndo_open               = ar6000_open,
+     .ndo_stop               = ar6000_close,
+diff -urNp linux-2.6.39.4/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h linux-2.6.39.4/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h
+--- linux-2.6.39.4/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h	2011-05-19 00:06:34.000000000 -0400
++++ linux-2.6.39.4/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h	2011-08-14 09:32:05.000000000 -0400
+@@ -30,7 +30,7 @@ typedef bool (*ar6k_pal_recv_pkt_t)(void
+ typedef struct ar6k_pal_config_s
+ {
+ 	ar6k_pal_recv_pkt_t fpar6k_pal_recv_pkt;
+-}ar6k_pal_config_t;
++} __no_const ar6k_pal_config_t;
+ 
+ void register_pal_cb(ar6k_pal_config_t *palConfig_p);
+ #endif /* _AR6K_PAL_H_ */
 diff -urNp linux-2.6.39.4/drivers/staging/brcm80211/brcmfmac/dhd_linux.c linux-2.6.39.4/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
 --- linux-2.6.39.4/drivers/staging/brcm80211/brcmfmac/dhd_linux.c	2011-05-19 00:06:34.000000000 -0400
 +++ linux-2.6.39.4/drivers/staging/brcm80211/brcmfmac/dhd_linux.c	2011-08-05 20:34:06.000000000 -0400
@@ -32074,6 +32099,22 @@ diff -urNp linux-2.6.39.4/drivers/staging/et131x/et131x_adapter.h linux-2.6.39.4
  	u32 norcvbuf;	/* # Rx packets discarded */
  	u32 noxmtbuf;	/* # Tx packets discarded */
  
+diff -urNp linux-2.6.39.4/drivers/staging/gma500/psb_ttm_glue.c linux-2.6.39.4/drivers/staging/gma500/psb_ttm_glue.c
+--- linux-2.6.39.4/drivers/staging/gma500/psb_ttm_glue.c	2011-05-19 00:06:34.000000000 -0400
++++ linux-2.6.39.4/drivers/staging/gma500/psb_ttm_glue.c	2011-08-14 12:25:25.000000000 -0400
+@@ -230,8 +230,10 @@ int psb_mmap(struct file *filp, struct v
+ 	if (unlikely(dev_priv->ttm_vm_ops == NULL)) {
+ 		dev_priv->ttm_vm_ops = (struct vm_operations_struct *)
+ 								vma->vm_ops;
+-		psb_ttm_vm_ops = *vma->vm_ops;
+-		psb_ttm_vm_ops.fault = &psb_ttm_fault;
++		pax_open_kernel();
++		memcpy((void *)&psb_ttm_vm_ops, vma->vm_ops, sizeof(psb_ttm_vm_ops));
++		*(void **)&psb_ttm_vm_ops.fault = &psb_ttm_fault;
++		pax_close_kernel();
+ 	}
+ 
+ 	vma->vm_ops = &psb_ttm_vm_ops;
 diff -urNp linux-2.6.39.4/drivers/staging/hv/channel.c linux-2.6.39.4/drivers/staging/hv/channel.c
 --- linux-2.6.39.4/drivers/staging/hv/channel.c	2011-05-19 00:06:34.000000000 -0400
 +++ linux-2.6.39.4/drivers/staging/hv/channel.c	2011-08-05 19:44:37.000000000 -0400
@@ -32326,6 +32367,18 @@ diff -urNp linux-2.6.39.4/drivers/staging/rtl8712/rtl871x_io.h linux-2.6.39.4/dr
  
  struct io_req {
  	struct list_head list;
+diff -urNp linux-2.6.39.4/drivers/staging/sbe-2t3e3/netdev.c linux-2.6.39.4/drivers/staging/sbe-2t3e3/netdev.c
+--- linux-2.6.39.4/drivers/staging/sbe-2t3e3/netdev.c	2011-05-19 00:06:34.000000000 -0400
++++ linux-2.6.39.4/drivers/staging/sbe-2t3e3/netdev.c	2011-08-14 12:29:10.000000000 -0400
+@@ -51,7 +51,7 @@ int t3e3_ioctl(struct net_device *dev, s
+ 	t3e3_if_config(sc, cmd_2t3e3, (char *)&param, &resp, &rlen);
+ 
+ 	if (rlen)
+-		if (copy_to_user(data, &resp, rlen))
++		if (rlen > sizeof resp || copy_to_user(data, &resp, rlen))
+ 			return -EFAULT;
+ 
+ 	return 0;
 diff -urNp linux-2.6.39.4/drivers/staging/tty/istallion.c linux-2.6.39.4/drivers/staging/tty/istallion.c
 --- linux-2.6.39.4/drivers/staging/tty/istallion.c	2011-05-19 00:06:34.000000000 -0400
 +++ linux-2.6.39.4/drivers/staging/tty/istallion.c	2011-08-05 19:44:37.000000000 -0400
@@ -39060,6 +39113,19 @@ diff -urNp linux-2.6.39.4/fs/nfsd/vfs.c linux-2.6.39.4/fs/nfsd/vfs.c
  	set_fs(oldfs);
  
  	if (host_err < 0)
+diff -urNp linux-2.6.39.4/fs/notify/fanotify/fanotify_user.c linux-2.6.39.4/fs/notify/fanotify/fanotify_user.c
+--- linux-2.6.39.4/fs/notify/fanotify/fanotify_user.c	2011-05-19 00:06:34.000000000 -0400
++++ linux-2.6.39.4/fs/notify/fanotify/fanotify_user.c	2011-08-14 11:28:46.000000000 -0400
+@@ -276,7 +276,8 @@ static ssize_t copy_event_to_user(struct
+ 		goto out_close_fd;
+ 
+ 	ret = -EFAULT;
+-	if (copy_to_user(buf, &fanotify_event_metadata,
++	if (fanotify_event_metadata.event_len > sizeof fanotify_event_metadata ||
++	    copy_to_user(buf, &fanotify_event_metadata,
+ 			 fanotify_event_metadata.event_len))
+ 		goto out_kill_access_response;
+ 
 diff -urNp linux-2.6.39.4/fs/notify/notification.c linux-2.6.39.4/fs/notify/notification.c
 --- linux-2.6.39.4/fs/notify/notification.c	2011-05-19 00:06:34.000000000 -0400
 +++ linux-2.6.39.4/fs/notify/notification.c	2011-08-05 19:44:37.000000000 -0400
@@ -65813,7 +65879,7 @@ diff -urNp linux-2.6.39.4/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.39.4/
  			pr_notice("OOM in bsalg (%d)\n", __LINE__);
 diff -urNp linux-2.6.39.4/net/ipv4/raw.c linux-2.6.39.4/net/ipv4/raw.c
 --- linux-2.6.39.4/net/ipv4/raw.c	2011-05-19 00:06:34.000000000 -0400
-+++ linux-2.6.39.4/net/ipv4/raw.c	2011-08-05 19:44:37.000000000 -0400
++++ linux-2.6.39.4/net/ipv4/raw.c	2011-08-14 11:22:59.000000000 -0400
 @@ -302,7 +302,7 @@ static int raw_rcv_skb(struct sock * sk,
  int raw_rcv(struct sock *sk, struct sk_buff *skb)
  {
@@ -65823,7 +65889,7 @@ diff -urNp linux-2.6.39.4/net/ipv4/raw.c linux-2.6.39.4/net/ipv4/raw.c
  		kfree_skb(skb);
  		return NET_RX_DROP;
  	}
-@@ -730,15 +730,19 @@ static int raw_init(struct sock *sk)
+@@ -730,16 +730,20 @@ static int raw_init(struct sock *sk)
  
  static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
  {
@@ -65834,23 +65900,25 @@ diff -urNp linux-2.6.39.4/net/ipv4/raw.c linux-2.6.39.4/net/ipv4/raw.c
 -	if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
 +	if (copy_from_user(&filter, optval, optlen))
  		return -EFAULT;
-+	memcpy(&raw_sk(sk)->filter, &filter, sizeof(filter));
++	raw_sk(sk)->filter = filter;
  	return 0;
  }
  
  static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
  {
-+	struct icmp_filter filter;
  	int len, ret = -EFAULT;
++	struct icmp_filter filter;
  
  	if (get_user(len, optlen))
+ 		goto out;
 @@ -749,8 +753,9 @@ static int raw_geticmpfilter(struct sock
  	if (len > sizeof(struct icmp_filter))
  		len = sizeof(struct icmp_filter);
  	ret = -EFAULT;
-+	memcpy(&filter, &raw_sk(sk)->filter, len);
- 	if (put_user(len, optlen) ||
+-	if (put_user(len, optlen) ||
 -	    copy_to_user(optval, &raw_sk(sk)->filter, len))
++	filter = raw_sk(sk)->filter;
++	if (put_user(len, optlen) || len > sizeof filter ||
 +	    copy_to_user(optval, &filter, len))
  		goto out;
  	ret = 0;
@@ -66255,7 +66323,7 @@ diff -urNp linux-2.6.39.4/net/ipv6/ipv6_sockglue.c linux-2.6.39.4/net/ipv6/ipv6_
  
 diff -urNp linux-2.6.39.4/net/ipv6/raw.c linux-2.6.39.4/net/ipv6/raw.c
 --- linux-2.6.39.4/net/ipv6/raw.c	2011-05-19 00:06:34.000000000 -0400
-+++ linux-2.6.39.4/net/ipv6/raw.c	2011-08-05 19:44:37.000000000 -0400
++++ linux-2.6.39.4/net/ipv6/raw.c	2011-08-14 11:25:44.000000000 -0400
 @@ -376,7 +376,7 @@ static inline int rawv6_rcv_skb(struct s
  {
  	if ((raw6_sk(sk)->checksum || rcu_dereference_raw(sk->sk_filter)) &&
@@ -66314,25 +66382,25 @@ diff -urNp linux-2.6.39.4/net/ipv6/raw.c linux-2.6.39.4/net/ipv6/raw.c
 -		if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
 +		if (copy_from_user(&filter, optval, optlen))
  			return -EFAULT;
-+		memcpy(&raw6_sk(sk)->filter, &filter, optlen);
++		raw6_sk(sk)->filter = filter;
  		return 0;
  	default:
  		return -ENOPROTOOPT;
-@@ -926,6 +931,7 @@ static int rawv6_seticmpfilter(struct so
- static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
+@@ -927,6 +932,7 @@ static int rawv6_geticmpfilter(struct so
  			       char __user *optval, int __user *optlen)
  {
-+	struct icmp6_filter filter;
  	int len;
++	struct icmp6_filter filter;
  
  	switch (optname) {
+ 	case ICMPV6_FILTER:
 @@ -938,7 +944,8 @@ static int rawv6_geticmpfilter(struct so
  			len = sizeof(struct icmp6_filter);
  		if (put_user(len, optlen))
  			return -EFAULT;
 -		if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
-+		memcpy(&filter, &raw6_sk(sk)->filter, len);
-+		if (copy_to_user(optval, &filter, len))
++		filter = raw6_sk(sk)->filter;
++		if (len > sizeof filter || copy_to_user(optval, &filter, len))
  			return -EFAULT;
  		return 0;
  	default: