Grsec/PaX: 3.0-{3.2.56,3.13.8}-20140403115720140403

author: Anthony G. Basile <blueness@gentoo.org> 2014-04-04 11:23:14 -0400
committer: Anthony G. Basile <blueness@gentoo.org> 2014-04-04 11:23:14 -0400
commit: 8faf11a689dd695f6cf54cabb0705ee146b7f878 (patch)
tree: ed863e122ba12d9d1bc05d662567ec346b7abfb0
parent: Grsec/PaX: 3.0-{3.2.56,3.13.8}-201404012135 (diff)
download: hardened-patchset-8faf11a689dd695f6cf54cabb0705ee146b7f878.tar.gz
hardened-patchset-8faf11a689dd695f6cf54cabb0705ee146b7f878.tar.bz2
hardened-patchset-8faf11a689dd695f6cf54cabb0705ee146b7f878.zip
4 files changed, 157 insertions, 11 deletions
diff --git a/3.13.8/0000_README b/3.13.8/0000_README
index c7f2d48..261bc85 100644
--- a/3.13.8/0000_README
+++ b/3.13.8/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.0-3.13.8-201404011912.patch
+Patch:	4420_grsecurity-3.0-3.13.8-201404031157.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.13.8/4420_grsecurity-3.0-3.13.8-201404011912.patch b/3.13.8/4420_grsecurity-3.0-3.13.8-201404031157.patch
index 9c4aaac..1ca327a 100644
--- a/3.13.8/4420_grsecurity-3.0-3.13.8-201404011912.patch
+++ b/3.13.8/4420_grsecurity-3.0-3.13.8-201404031157.patch
@@ -65163,10 +65163,10 @@ index 104455b..764c512 100644
  		kfree(s);
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..13b7885
+index 0000000..81a6826
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,1155 @@
+@@ -0,0 +1,1160 @@
 +#
 +# grecurity configuration
 +#
@@ -65647,6 +65647,11 @@ index 0000000..13b7885
 +	  encounter no software incompatibilities with the following options, it
 +	  is recommended that you enable each one.
 +
++	  Note that the chroot restrictions are not intended to apply to "chroots"
++	  to directories that are simple bind mounts of the global root filesystem.
++	  For several other reasons, a user shouldn't expect any significant
++	  security by performing such a chroot.
++
 +config GRKERNSEC_CHROOT_MOUNT
 +	bool "Deny mounts"
 +	default y if GRKERNSEC_CONFIG_AUTO
@@ -96923,10 +96928,66 @@ index 5b7d0e1..cb960fc 100644
  }
  EXPORT_SYMBOL(dev_load);
 diff --git a/net/core/filter.c b/net/core/filter.c
-index ad30d62..c2757df 100644
+index ad30d62..821081f 100644
 --- a/net/core/filter.c
 +++ b/net/core/filter.c
-@@ -679,7 +679,7 @@ int sk_unattached_filter_create(struct sk_filter **pfp,
+@@ -126,7 +126,7 @@ unsigned int sk_run_filter(const struct sk_buff *skb,
+ 	void *ptr;
+ 	u32 A = 0;			/* Accumulator */
+ 	u32 X = 0;			/* Index Register */
+-	u32 mem[BPF_MEMWORDS];		/* Scratch Memory Store */
++	u32 mem[BPF_MEMWORDS] = {};	/* Scratch Memory Store */
+ 	u32 tmp;
+ 	int k;
+ 
+@@ -292,10 +292,10 @@ load_b:
+ 			X = K;
+ 			continue;
+ 		case BPF_S_LD_MEM:
+-			A = mem[K];
++			A = mem[K&15];
+ 			continue;
+ 		case BPF_S_LDX_MEM:
+-			X = mem[K];
++			X = mem[K&15];
+ 			continue;
+ 		case BPF_S_MISC_TAX:
+ 			X = A;
+@@ -308,10 +308,10 @@ load_b:
+ 		case BPF_S_RET_A:
+ 			return A;
+ 		case BPF_S_ST:
+-			mem[K] = A;
++			mem[K&15] = A;
+ 			continue;
+ 		case BPF_S_STX:
+-			mem[K] = X;
++			mem[K&15] = X;
+ 			continue;
+ 		case BPF_S_ANC_PROTOCOL:
+ 			A = ntohs(skb->protocol);
+@@ -391,9 +391,10 @@ load_b:
+ 			continue;
+ #endif
+ 		default:
+-			WARN_RATELIMIT(1, "Unknown code:%u jt:%u tf:%u k:%u\n",
++			WARN(1, KERN_ALERT "Unknown sock filter code:%u jt:%u tf:%u k:%u\n",
+ 				       fentry->code, fentry->jt,
+ 				       fentry->jf, fentry->k);
++			BUG();
+ 			return 0;
+ 		}
+ 	}
+@@ -416,7 +417,7 @@ static int check_load_and_stores(struct sock_filter *filter, int flen)
+ 	u16 *masks, memvalid = 0; /* one bit per cell, 16 cells */
+ 	int pc, ret = 0;
+ 
+-	BUILD_BUG_ON(BPF_MEMWORDS > 16);
++	BUILD_BUG_ON(BPF_MEMWORDS != 16);
+ 	masks = kmalloc(flen * sizeof(*masks), GFP_KERNEL);
+ 	if (!masks)
+ 		return -ENOMEM;
+@@ -679,7 +680,7 @@ int sk_unattached_filter_create(struct sk_filter **pfp,
  	fp = kmalloc(sk_filter_size(fprog->len), GFP_KERNEL);
  	if (!fp)
  		return -ENOMEM;
diff --git a/3.2.56/0000_README b/3.2.56/0000_README
index ce219c9..b2a75bc 100644
--- a/3.2.56/0000_README
+++ b/3.2.56/0000_README
@@ -142,7 +142,7 @@ Patch:	1055_linux-3.2.56.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.2.56
 
-Patch:	4420_grsecurity-3.0-3.2.56-201404012135.patch
+Patch:	4420_grsecurity-3.0-3.2.56-201404031155.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.2.56/4420_grsecurity-3.0-3.2.56-201404012135.patch b/3.2.56/4420_grsecurity-3.0-3.2.56-201404031155.patch
index 4f4f0f9..a7d359a 100644
--- a/3.2.56/4420_grsecurity-3.0-3.2.56-201404012135.patch
+++ b/3.2.56/4420_grsecurity-3.0-3.2.56-201404031155.patch
@@ -63410,10 +63410,10 @@ index 8a89949..6776861 100644
  xfs_init_zones(void)
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..3dd4ae7
+index 0000000..d913d1e
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,1141 @@
+@@ -0,0 +1,1146 @@
 +#
 +# grecurity configuration
 +#
@@ -63880,6 +63880,11 @@ index 0000000..3dd4ae7
 +	  encounter no software incompatibilities with the following options, it
 +	  is recommended that you enable each one.
 +
++	  Note that the chroot restrictions are not intended to apply to "chroots"
++	  to directories that are simple bind mounts of the global root filesystem.
++	  For several other reasons, a user shouldn't expect any significant
++	  security by performing such a chroot.
++
 +config GRKERNSEC_CHROOT_MOUNT
 +	bool "Deny mounts"
 +	default y if GRKERNSEC_CONFIG_AUTO
@@ -97863,7 +97868,7 @@ index 2367246..4a0a677 100644
  		ret = -EFAULT;
  		goto out;
 diff --git a/net/core/filter.c b/net/core/filter.c
-index 5dea452..d775edc 100644
+index 5dea452..e17caac 100644
 --- a/net/core/filter.c
 +++ b/net/core/filter.c
 @@ -39,6 +39,7 @@
@@ -97874,7 +97879,42 @@ index 5dea452..d775edc 100644
  
  /* No hurry in this branch */
  static void *__load_pointer(const struct sk_buff *skb, int k, unsigned int size)
-@@ -350,6 +351,11 @@ load_b:
+@@ -115,7 +116,7 @@ unsigned int sk_run_filter(const struct sk_buff *skb,
+ 	void *ptr;
+ 	u32 A = 0;			/* Accumulator */
+ 	u32 X = 0;			/* Index Register */
+-	u32 mem[BPF_MEMWORDS];		/* Scratch Memory Store */
++	u32 mem[BPF_MEMWORDS] = {};	/* Scratch Memory Store */
+ 	u32 tmp;
+ 	int k;
+ 
+@@ -266,10 +267,10 @@ load_b:
+ 			X = K;
+ 			continue;
+ 		case BPF_S_LD_MEM:
+-			A = mem[K];
++			A = mem[K&15];
+ 			continue;
+ 		case BPF_S_LDX_MEM:
+-			X = mem[K];
++			X = mem[K&15];
+ 			continue;
+ 		case BPF_S_MISC_TAX:
+ 			X = A;
+@@ -282,10 +283,10 @@ load_b:
+ 		case BPF_S_RET_A:
+ 			return A;
+ 		case BPF_S_ST:
+-			mem[K] = A;
++			mem[K&15] = A;
+ 			continue;
+ 		case BPF_S_STX:
+-			mem[K] = X;
++			mem[K&15] = X;
+ 			continue;
+ 		case BPF_S_ANC_PROTOCOL:
+ 			A = ntohs(skb->protocol);
+@@ -350,10 +351,16 @@ load_b:
  				A = 0;
  			continue;
  		}
@@ -97884,8 +97924,53 @@ index 5dea452..d775edc 100644
 +			continue;
 +#endif
  		default:
- 			WARN_RATELIMIT(1, "Unknown code:%u jt:%u tf:%u k:%u\n",
+-			WARN_RATELIMIT(1, "Unknown code:%u jt:%u tf:%u k:%u\n",
++			WARN(1, KERN_ALERT "Unknown sock filter code:%u jt:%u tf:%u k:%u\n",
  				       fentry->code, fentry->jt,
+ 				       fentry->jf, fentry->k);
++			BUG();
+ 			return 0;
+ 		}
+ 	}
+@@ -376,7 +383,7 @@ static int check_load_and_stores(struct sock_filter *filter, int flen)
+ 	u16 *masks, memvalid = 0; /* one bit per cell, 16 cells */
+ 	int pc, ret = 0;
+ 
+-	BUILD_BUG_ON(BPF_MEMWORDS > 16);
++	BUILD_BUG_ON(BPF_MEMWORDS != 16);
+ 	masks = kmalloc(flen * sizeof(*masks), GFP_KERNEL);
+ 	if (!masks)
+ 		return -ENOMEM;
+@@ -490,6 +497,7 @@ int sk_chk_filter(struct sock_filter *filter, unsigned int flen)
+ 		[BPF_JMP|BPF_JSET|BPF_X] = BPF_S_JMP_JSET_X,
+ 	};
+ 	int pc;
++	bool anc_found;
+ 
+ 	if (flen == 0 || flen > BPF_MAXINSNS)
+ 		return -EINVAL;
+@@ -545,8 +553,10 @@ int sk_chk_filter(struct sock_filter *filter, unsigned int flen)
+ 		case BPF_S_LD_W_ABS:
+ 		case BPF_S_LD_H_ABS:
+ 		case BPF_S_LD_B_ABS:
++			anc_found = false;
+ #define ANCILLARY(CODE) case SKF_AD_OFF + SKF_AD_##CODE:	\
+ 				code = BPF_S_ANC_##CODE;	\
++				anc_found = true;		\
+ 				break
+ 			switch (ftest->k) {
+ 			ANCILLARY(PROTOCOL);
+@@ -560,6 +570,10 @@ int sk_chk_filter(struct sock_filter *filter, unsigned int flen)
+ 			ANCILLARY(RXHASH);
+ 			ANCILLARY(CPU);
+ 			}
++
++			/* ancillary operation unknown or unsupported */
++			if (anc_found == false && ftest->k >= SKF_AD_OFF)
++				return -EINVAL;
+ 		}
+ 		ftest->code = code;
+ 	}
 diff --git a/net/core/flow.c b/net/core/flow.c
 index e318c7e..168b1d0 100644
 --- a/net/core/flow.c
author	Anthony G. Basile <blueness@gentoo.org>	2014-04-04 11:23:14 -0400
committer	Anthony G. Basile <blueness@gentoo.org>	2014-04-04 11:23:14 -0400
commit	8faf11a689dd695f6cf54cabb0705ee146b7f878 (patch)
tree	ed863e122ba12d9d1bc05d662567ec346b7abfb0
parent	Grsec/PaX: 3.0-{3.2.56,3.13.8}-201404012135 (diff)
download	hardened-patchset-8faf11a689dd695f6cf54cabb0705ee146b7f878.tar.gz hardened-patchset-8faf11a689dd695f6cf54cabb0705ee146b7f878.tar.bz2 hardened-patchset-8faf11a689dd695f6cf54cabb0705ee146b7f878.zip