authorNatanael Copa <ncopa@alpinelinux.org>2013-11-22 07:37:02 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-11-22 14:46:33 +0000
commita92a97d88164b64584135a89e565926fd19497af (patch)
tree064f0f7dd13b529ffffdfc637625b2e6ef60d2cd /main/linux-grsec
parent469837bce3d0c70590151d8b46a4edc5b5d61f25 (diff)
main/linux-grsec: upgrade to 3.10.20
Diffstat (limited to 'main/linux-grsec')
-rw-r--r--main/linux-grsec/0001-Revert-scripts-kallsyms-filter-symbols-not-in-kernel.patch74
-rw-r--r--main/linux-grsec/APKBUILD18
-rw-r--r--main/linux-grsec/CVE-2013-4348.patch35
-rw-r--r--main/linux-grsec/grsecurity-2.9.1-3.10.20-unofficial.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.10.19-unofficial.patch)83
4 files changed, 149 insertions, 61 deletions
diff --git a/main/linux-grsec/0001-Revert-scripts-kallsyms-filter-symbols-not-in-kernel.patch b/main/linux-grsec/0001-Revert-scripts-kallsyms-filter-symbols-not-in-kernel.patch
new file mode 100644
index 0000000000..894211f909
--- /dev/null
+++ b/main/linux-grsec/0001-Revert-scripts-kallsyms-filter-symbols-not-in-kernel.patch
@@ -0,0 +1,74 @@
+From 74c511bbdb5833d67c3c80aebfaf9b8921127b12 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Fri, 22 Nov 2013 12:31:19 +0000
+Subject: [PATCH] Revert "scripts/kallsyms: filter symbols not in kernel
+ address space"
+
+Does not work with i386 KERNEXEC
+
+This reverts commit 27b840ea211f8a36fadabaa07ef94fb1b45730c3.
+---
+ scripts/kallsyms.c | 12 +-----------
+ scripts/link-vmlinux.sh | 2 --
+ 2 files changed, 1 insertion(+), 13 deletions(-)
+
+diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c
+index 9a11f9f..487ac6f 100644
+--- a/scripts/kallsyms.c
++++ b/scripts/kallsyms.c
+@@ -55,7 +55,6 @@ static struct sym_entry *table;
+ static unsigned int table_size, table_cnt;
+ static int all_symbols = 0;
+ static char symbol_prefix_char = '\0';
+-static unsigned long long kernel_start_addr = 0;
+
+ int token_profit[0x10000];
+
+@@ -66,10 +65,7 @@ unsigned char best_table_len[256];
+
+ static void usage(void)
+ {
+- fprintf(stderr, "Usage: kallsyms [--all-symbols] "
+- "[--symbol-prefix=<prefix char>] "
+- "[--page-offset=<CONFIG_PAGE_OFFSET>] "
+- "< in.map > out.S\n");
++ fprintf(stderr, "Usage: kallsyms [--all-symbols] [--symbol-prefix=<prefix char>] < in.map > out.S\n");
+ exit(1);
+ }
+
+@@ -198,9 +194,6 @@ static int symbol_valid(struct sym_entry *s)
+ int i;
+ int offset = 1;
+
+- if (s->addr < kernel_start_addr)
+- return 0;
+-
+ /* skip prefix char */
+ if (symbol_prefix_char && *(s->sym + 1) == symbol_prefix_char)
+ offset++;
+@@ -653,9 +646,6 @@ int main(int argc, char **argv)
+ if ((*p == '"' && *(p+2) == '"') || (*p == '\'' && *(p+2) == '\''))
+ p++;
+ symbol_prefix_char = *p;
+- } else if (strncmp(argv[i], "--page-offset=", 14) == 0) {
+- const char *p = &argv[i][14];
+- kernel_start_addr = strtoull(p, NULL, 16);
+ } else
+ usage();
+ }
+diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
+index 0d8d2ee..d482a0d 100644
+--- a/scripts/link-vmlinux.sh
++++ b/scripts/link-vmlinux.sh
+@@ -82,8 +82,6 @@ kallsyms()
+ kallsymopt="${kallsymopt} --all-symbols"
+ fi
+
+- kallsymopt="${kallsymopt} --page-offset=$CONFIG_PAGE_OFFSET"
+-
+ local aflags="${KBUILD_AFLAGS} ${KBUILD_AFLAGS_KERNEL} \
+ ${NOSTDINC_FLAGS} ${LINUXINCLUDE} ${KBUILD_CPPFLAGS}"
+
+--
+1.8.4.3
+
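Review bot: The revert carried by this added patch is unconditional, but the only stated reason is `Does not work with i386 KERNEXEC`: `symbol_valid()` loses the `s->addr < kernel_start_addr` filter and `main()` loses `--page-offset` parsing on every architecture the package builds, x86_64 included. The patch description should say what actually fails on i386 (build error, missing symbols, or something else) and whether dropping the filter on x86_64 is intended or just a side effect of carrying one patch set. After this change `kallsyms --page-offset=...` falls through to `usage()` and exits 1, which is safe only because the link-vmlinux.sh hunk removes the one visible caller. The same revert is also folded into the grsecurity patch at the end of this commit, so the description should state which copy is the one that gets applied.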
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index a8cf687192..3007b4c50e 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -2,7 +2,7 @@
_flavor=grsec
pkgname=linux-${_flavor}
-pkgver=3.10.19
+pkgver=3.10.20
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
@@ -27,7 +27,6 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
fix-memory-map-for-PIE-applications.patch
sysctl_lxc.patch
- CVE-2013-4348.patch
kernelconfig.x86
kernelconfig.x86_64
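Review bot: `source=` loses `CVE-2013-4348.patch` here but never gains the `0001-Revert-scripts-kallsyms-filter-symbols-not-in-kernel.patch` file this commit adds, and none of the md5sums/sha256sums/sha512sums hunks add an entry for it, so the standalone file is neither applied nor checksum-verified by the build. The revert reaches the kernel only through the renamed grsecurity patch, where a local change is hard to tell apart from the rest of that very large patch. Either list the file in `source=` with its checksums and leave the grsecurity patch without the kallsyms hunks, or drop the standalone file. The CVE patch is presumably removed because patch-3.10.20.xz already carries the `iph->ihl < 5` check in net/core/flow_dissector.c, but nothing on the page shows that; once confirmed, a commit-message line such as `CVE-2013-4348 is fixed upstream in 3.10.20` would record why the fix was dropped.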
@@ -152,8 +151,8 @@ dev() {
}
md5sums="4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz
-b7f932eecbbf5636ad69add480fa1573 patch-3.10.19.xz
-4440f9004d3b62cf9b526d53c02416ad grsecurity-2.9.1-3.10.19-unofficial.patch
+6762bab77ec96530b8915728f3bfb813 patch-3.10.20.xz
+f8921f35e2a0c11e7358359d90bd24d4 grsecurity-2.9.1-3.10.20-unofficial.patch
a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
@@ -162,12 +161,11 @@ aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-p
1a5800a2122ba0cc0d06733cb3bb8b8f 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
c6a4ae7e8ca6159e1631545515805216 fix-memory-map-for-PIE-applications.patch
b3c0153d53e508e03d73b94d15b24a96 sysctl_lxc.patch
-09ae7985af988c75ff35ed503558eb8b CVE-2013-4348.patch
cb5c938dccbee36cfb8bb7ee3546b8af kernelconfig.x86
daa81b89f18254155ac33c5239abf3a4 kernelconfig.x86_64"
sha256sums="df27fa92d27a9c410bfe6c4a89f141638500d7eadcca5cce578954efc2ad3544 linux-3.10.tar.xz
-c420b1da0aefe23e4a6953e579374fd377385b6041f967694cf4f828e2f3252e patch-3.10.19.xz
-532870eb3c59200b045efb64463bcc544d394410b2aba63ed5c6dbfe9d974e38 grsecurity-2.9.1-3.10.19-unofficial.patch
+b6d2a828c38e2791d3490d7f05556156f4a0624cb55460631b8e2667c66527fa patch-3.10.20.xz
+7f11be19130a61aad90eb27e0205b5d729150688c35829818499df76c8d8bdae grsecurity-2.9.1-3.10.20-unofficial.patch
6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
@@ -176,12 +174,11 @@ ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3 0005-ipv4-use-
fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
500f3577310be52e87b9fecdc2e9c4ca43210fd97d69089f9005d484563f74c7 fix-memory-map-for-PIE-applications.patch
9ba55b0f45d5aa97503e376a13be6d249a10f32e36687055b2fa1e5a39fa0584 sysctl_lxc.patch
-39acdfc0bb2298e3a9ba62ee42ac2b6556fc31d8eaa2c085f84897cdeaa1a996 CVE-2013-4348.patch
3e6c4101bfb90b6a30173ef81cd0d0bea51d6a995fc045ca67db7fed271d969d kernelconfig.x86
da67ef700372d080bffb12a86f0a16c987dc79e18fdfb1a88d2704660239e5f0 kernelconfig.x86_64"
sha512sums="5fb109fcbd59bf3dffc911b853894f0a84afa75151368f783a1252c5ff60c7a1504de216c0012be446df983e2dea400ad8eeed3ce04f24dc61d0ef76c174dc35 linux-3.10.tar.xz
-6a8bfb124f90f1c8ed27ce3315629601b1b72d4bc8b1d2b776424e56b3a72e4cd03bcebe6cde35223a3beba75ec6d69e949e217504acc611becb7e62aa88f05c patch-3.10.19.xz
-015b090eedeb4bcd75025690bab264afddc9e5a54a897f918a8c5f260b5ddf46bd6cbf510e6efdeb26cc5d351e8c5ccb3c921738f315e4ee5153e288b86608cd grsecurity-2.9.1-3.10.19-unofficial.patch
+86c61f1d18c370fb24808cda03c8fe1e33879fe5a4553f78c943ec896e2bed1e196cd9e64ab830e9e6a2f9967d7c8396a848610c44fc09d2e426814618f4deec patch-3.10.20.xz
+7e8dbb18b77adeb43fa99b1283d6101a075f0bbcc06681ae30547698778e66976ae3e7533406c7754b0337e908b88643fbcee3d55aa45073623445c4b906cb43 grsecurity-2.9.1-3.10.20-unofficial.patch
81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
@@ -190,6 +187,5 @@ d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d71
249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
4665c56ae1bbac311f9205d64918e84ee8b01d47d6e2396ff6b8adfb10aada7f7254531ce62e31edbb65c2a54a830f09ad05d314dfcd75d6272f4068945ad7c7 fix-memory-map-for-PIE-applications.patch
41071e21c59997604a380575d3c4171d35a12eaae6ddcf158d95e4fd5ccc69d61753cbd38b7bd08d879cce5bfea3fed2df15e5a3dca944f6f7cbd95d5d2daa23 sysctl_lxc.patch
-6c5165692519c630cb96a254088e55d4d7412bd0f45920c0bf514dd9c68d24625da91798158fe502b6c214a7b8d44ae6b2e49b39aed6da3c1344f816f90405a3 CVE-2013-4348.patch
e81d6780a33f00d5ee03b069fc3610da2eda3ba43e515707ae67cd2d609a226b18e9ec446eeacd2afaafe6aa480bb30b9908cce41e0d90f1a3b41e7daf2034c5 kernelconfig.x86
01e38549e92a98f041cb7ee1fec04a35d55322eff718fce6cd5774b60d0db287478ca034309e3dbd06b0194a2ec4b67584ef281018c16681a0ac7ac0fdc7c3ba kernelconfig.x86_64"
diff --git a/main/linux-grsec/CVE-2013-4348.patch b/main/linux-grsec/CVE-2013-4348.patch
deleted file mode 100644
index cce1592eb8..0000000000
--- a/main/linux-grsec/CVE-2013-4348.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 6f092343855a71e03b8d209815d8c45bf3a27fcd Mon Sep 17 00:00:00 2001
-From: Jason Wang <jasowang@redhat.com>
-Date: Fri, 01 Nov 2013 07:01:10 +0000
-Subject: net: flow_dissector: fail on evil iph->ihl
-
-We don't validate iph->ihl which may lead a dead loop if we meet a IPIP
-skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl
-is evil (less than 5).
-
-This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae
-(rps: support IPIP encapsulation).
-
-Cc: Eric Dumazet <edumazet@google.com>
-Cc: Petr Matousek <pmatouse@redhat.com>
-Cc: Michael S. Tsirkin <mst@redhat.com>
-Cc: Daniel Borkmann <dborkman@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Acked-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
-diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
-index 8d7d0dd..143b6fd 100644
---- a/net/core/flow_dissector.c
-+++ b/net/core/flow_dissector.c
-@@ -40,7 +40,7 @@ again:
- struct iphdr _iph;
- ip:
- iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
-- if (!iph)
-+ if (!iph || iph->ihl < 5)
- return false;
-
- if (ip_is_fragment(iph))
---
-cgit v0.9.2
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.10.19-unofficial.patch b/main/linux-grsec/grsecurity-2.9.1-3.10.20-unofficial.patch
index cf1b0625d0..ece0a705ee 100644
--- a/main/linux-grsec/grsecurity-2.9.1-3.10.19-unofficial.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.10.20-unofficial.patch
@@ -281,7 +281,7 @@ index 2fe6e76..889ee23 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index 83a02f5..8673672 100644
+index ba784b7..c665163 100644
--- a/Makefile
+++ b/Makefile
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -48720,10 +48720,10 @@ index 2a3bbdf..91d72cf 100644
file->f_version = event_count;
return POLLIN | POLLRDNORM;
diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
-index d53547d..6a22d02 100644
+index d3aa353..0e284af 100644
--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
-@@ -1526,7 +1526,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
+@@ -1527,7 +1527,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
*/
usb_get_urb(urb);
atomic_inc(&urb->use_count);
@@ -48732,7 +48732,7 @@ index d53547d..6a22d02 100644
usbmon_urb_submit(&hcd->self, urb);
/* NOTE requirements on root-hub callers (usbfs and the hub
-@@ -1553,7 +1553,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
+@@ -1554,7 +1554,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
urb->hcpriv = NULL;
INIT_LIST_HEAD(&urb->urb_list);
atomic_dec(&urb->use_count);
@@ -48742,7 +48742,7 @@ index d53547d..6a22d02 100644
wake_up(&usb_kill_urb_queue);
usb_put_urb(urb);
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index 6cf2ae0..f701610 100644
+index c8b9fa0..abb8ce1 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -27,6 +27,7 @@
@@ -48753,7 +48753,7 @@ index 6cf2ae0..f701610 100644
#include <asm/uaccess.h>
#include <asm/byteorder.h>
-@@ -4419,6 +4420,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
+@@ -4431,6 +4432,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
goto done;
return;
}
@@ -49244,7 +49244,7 @@ index 098bfc6..796841d 100644
if (!registered_fb[con2fb.framebuffer])
request_module("fb%d", con2fb.framebuffer);
diff --git a/drivers/video/hyperv_fb.c b/drivers/video/hyperv_fb.c
-index d4d2c5f..ebbd113 100644
+index 0f3b33c..b4304eb 100644
--- a/drivers/video/hyperv_fb.c
+++ b/drivers/video/hyperv_fb.c
@@ -233,7 +233,7 @@ static uint screen_fb_size;
@@ -85745,10 +85745,10 @@ index e444ff8..438b8f4 100644
*data_page = bpage;
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
-index 0582a01..310bed1 100644
+index 5546ae9..26f7728 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
-@@ -3327,7 +3327,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set)
+@@ -3330,7 +3330,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set)
return 0;
}
@@ -93387,7 +93387,7 @@ index b66910a..cfe416e 100644
return -ENOMEM;
}
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
-index c52fee0..9644112 100644
+index 64e4e98..db77052 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -115,7 +115,7 @@ static bool log_ecn_error = true;
@@ -93507,7 +93507,7 @@ index efa1138..20dbba0 100644
return res;
}
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
-index 7cfc456..e726868 100644
+index f5cc7b3..33d7577 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -124,7 +124,7 @@ MODULE_PARM_DESC(log_ecn_error, "Log packets received with corrupted ECN");
@@ -94632,10 +94632,10 @@ index 1aeb473..bea761c 100644
return -ENOMEM;
}
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
-index 3c1f493..4129ccc 100644
+index 548a1f7c..63ee520 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
-@@ -2931,7 +2931,7 @@ ctl_table ipv6_route_table_template[] = {
+@@ -2934,7 +2934,7 @@ ctl_table ipv6_route_table_template[] = {
struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net)
{
@@ -97940,11 +97940,64 @@ index 643764f..6cc0137 100644
-e 's/__attribute_const__([ \t]|$)/\1/g' \
-e 's@^#include <linux/compiler.h>@@' \
-e 's/(^|[^a-zA-Z0-9])__packed([^a-zA-Z0-9_]|$)/\1__attribute__((packed))\2/g' \
+diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c
+index 9a11f9f..487ac6f 100644
+--- a/scripts/kallsyms.c
++++ b/scripts/kallsyms.c
+@@ -55,7 +55,6 @@ static struct sym_entry *table;
+ static unsigned int table_size, table_cnt;
+ static int all_symbols = 0;
+ static char symbol_prefix_char = '\0';
+-static unsigned long long kernel_start_addr = 0;
+
+ int token_profit[0x10000];
+
+@@ -66,10 +65,7 @@ unsigned char best_table_len[256];
+
+ static void usage(void)
+ {
+- fprintf(stderr, "Usage: kallsyms [--all-symbols] "
+- "[--symbol-prefix=<prefix char>] "
+- "[--page-offset=<CONFIG_PAGE_OFFSET>] "
+- "< in.map > out.S\n");
++ fprintf(stderr, "Usage: kallsyms [--all-symbols] [--symbol-prefix=<prefix char>] < in.map > out.S\n");
+ exit(1);
+ }
+
+@@ -198,9 +194,6 @@ static int symbol_valid(struct sym_entry *s)
+ int i;
+ int offset = 1;
+
+- if (s->addr < kernel_start_addr)
+- return 0;
+-
+ /* skip prefix char */
+ if (symbol_prefix_char && *(s->sym + 1) == symbol_prefix_char)
+ offset++;
+@@ -653,9 +646,6 @@ int main(int argc, char **argv)
+ if ((*p == '"' && *(p+2) == '"') || (*p == '\'' && *(p+2) == '\''))
+ p++;
+ symbol_prefix_char = *p;
+- } else if (strncmp(argv[i], "--page-offset=", 14) == 0) {
+- const char *p = &argv[i][14];
+- kernel_start_addr = strtoull(p, NULL, 16);
+ } else
+ usage();
+ }
diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
-index 32b10f5..0d8d2ee 100644
+index 32b10f5..d482a0d 100644
--- a/scripts/link-vmlinux.sh
+++ b/scripts/link-vmlinux.sh
-@@ -160,7 +160,7 @@ else
+@@ -82,8 +82,6 @@ kallsyms()
+ kallsymopt="${kallsymopt} --all-symbols"
+ fi
+
+- kallsymopt="${kallsymopt} --page-offset=$CONFIG_PAGE_OFFSET"
+-
+ local aflags="${KBUILD_AFLAGS} ${KBUILD_AFLAGS_KERNEL} \
+ ${NOSTDINC_FLAGS} ${LINUXINCLUDE} ${KBUILD_CPPFLAGS}"
+
+@@ -160,7 +158,7 @@ else
fi;
# final build of init/