author | Natanael Copa <ncopa@alpinelinux.org> | 2013-11-22 07:37:02 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-11-22 14:46:33 +0000 |
commit | a92a97d88164b64584135a89e565926fd19497af (patch) | |
tree | 064f0f7dd13b529ffffdfc637625b2e6ef60d2cd /main/linux-grsec | |
parent | 469837bce3d0c70590151d8b46a4edc5b5d61f25 (diff) | |
main/linux-grsec: upgrade to 3.10.20
Diffstat (limited to 'main/linux-grsec')
-rw-r--r-- | main/linux-grsec/0001-Revert-scripts-kallsyms-filter-symbols-not-in-kernel.patch | 74 | ||||
-rw-r--r-- | main/linux-grsec/APKBUILD | 18 | ||||
-rw-r--r-- | main/linux-grsec/CVE-2013-4348.patch | 35 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.9.1-3.10.20-unofficial.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.10.19-unofficial.patch) | 83 |
4 files changed, 149 insertions, 61 deletions
diff --git a/main/linux-grsec/0001-Revert-scripts-kallsyms-filter-symbols-not-in-kernel.patch b/main/linux-grsec/0001-Revert-scripts-kallsyms-filter-symbols-not-in-kernel.patch
new file mode 100644
index 0000000000..894211f909
--- /dev/null
+++ b/main/linux-grsec/0001-Revert-scripts-kallsyms-filter-symbols-not-in-kernel.patch
@@ -0,0 +1,74 @@
+From 74c511bbdb5833d67c3c80aebfaf9b8921127b12 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Fri, 22 Nov 2013 12:31:19 +0000
+Subject: [PATCH] Revert "scripts/kallsyms: filter symbols not in kernel
+ address space"
+
+Does not work with i386 KERNEXEC
+
+This reverts commit 27b840ea211f8a36fadabaa07ef94fb1b45730c3.
+---
+ scripts/kallsyms.c | 12 +-----------
+ scripts/link-vmlinux.sh | 2 --
+ 2 files changed, 1 insertion(+), 13 deletions(-)
+
+diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c
+index 9a11f9f..487ac6f 100644
+--- a/scripts/kallsyms.c
++++ b/scripts/kallsyms.c
+@@ -55,7 +55,6 @@ static struct sym_entry *table;
+ static unsigned int table_size, table_cnt;
+ static int all_symbols = 0;
+ static char symbol_prefix_char = '\0';
+-static unsigned long long kernel_start_addr = 0;
+
+ int token_profit[0x10000];
+
+@@ -66,10 +65,7 @@ unsigned char best_table_len[256];
+
+ static void usage(void)
+ {
+- fprintf(stderr, "Usage: kallsyms [--all-symbols] "
+- "[--symbol-prefix=<prefix char>] "
+- "[--page-offset=<CONFIG_PAGE_OFFSET>] "
+- "< in.map > out.S\n");
++ fprintf(stderr, "Usage: kallsyms [--all-symbols] [--symbol-prefix=<prefix char>] < in.map > out.S\n");
+ exit(1);
+ }
+
+@@ -198,9 +194,6 @@ static int symbol_valid(struct sym_entry *s)
+ int i;
+ int offset = 1;
+
+- if (s->addr < kernel_start_addr)
+- return 0;
+-
+ /* skip prefix char */
+ if (symbol_prefix_char && *(s->sym + 1) == symbol_prefix_char)
+ offset++;
+@@ -653,9 +646,6 @@ int main(int argc, char **argv)
+ if ((*p == '"' && *(p+2) == '"') || (*p == '\'' && *(p+2) == '\''))
+ p++;
+ symbol_prefix_char = *p;
+- } else if (strncmp(argv[i], "--page-offset=", 14) == 0) {
+- const char *p = &argv[i][14];
+- kernel_start_addr = strtoull(p, NULL, 16);
+ } else
+ usage();
+ }
+diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
+index 0d8d2ee..d482a0d 100644
+--- a/scripts/link-vmlinux.sh
++++ b/scripts/link-vmlinux.sh
+@@ -82,8 +82,6 @@ 
kallsyms() + kallsymopt="${kallsymopt} --all-symbols" + fi + +- kallsymopt="${kallsymopt} --page-offset=$CONFIG_PAGE_OFFSET" +- + local aflags="${KBUILD_AFLAGS} ${KBUILD_AFLAGS_KERNEL} \ + ${NOSTDINC_FLAGS} ${LINUXINCLUDE} ${KBUILD_CPPFLAGS}" + +-- +1.8.4.3 + diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index a8cf687192..3007b4c50e 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -2,7 +2,7 @@ _flavor=grsec pkgname=linux-${_flavor} -pkgver=3.10.19 +pkgver=3.10.20 case $pkgver in *.*.*) _kernver=${pkgver%.*};; *.*) _kernver=${pkgver};; @@ -27,7 +27,6 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch fix-memory-map-for-PIE-applications.patch sysctl_lxc.patch - CVE-2013-4348.patch kernelconfig.x86 kernelconfig.x86_64 @@ -152,8 +151,8 @@ dev() { } md5sums="4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz -b7f932eecbbf5636ad69add480fa1573 patch-3.10.19.xz -4440f9004d3b62cf9b526d53c02416ad grsecurity-2.9.1-3.10.19-unofficial.patch +6762bab77ec96530b8915728f3bfb813 patch-3.10.20.xz +f8921f35e2a0c11e7358359d90bd24d4 grsecurity-2.9.1-3.10.20-unofficial.patch a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch 
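Review bot: The new file `0001-Revert-scripts-kallsyms-filter-symbols-not-in-kernel.patch` is not referenced by any APKBUILD hunk in this commit: `source=` only loses `CVE-2013-4348.patch`, and no md5/sha256/sha512 line is added for the new file. The same kallsyms.c and link-vmlinux.sh hunks are instead folded into `grsecurity-2.9.1-3.10.20-unofficial.patch` further down, so the revert that actually gets built sits inside a very large patch while this standalone copy is neither applied nor checksummed. Either list the file in `source=` with its checksums and leave the grsecurity patch as obtained, or drop the file and record the fold-in in the commit message. The patch description also gives only "Does not work with i386 KERNEXEC", although removing the `s->addr < kernel_start_addr` filter affects every architecture; a sentence on the failure seen and the configurations affected would help whoever rebases this.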
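Review bot: Removing `CVE-2013-4348.patch` from `source=` in the `@@ -27,7 +27,6 @@` hunk takes the `iph->ihl < 5` check out of the local patch set, and nothing in the commit message says where that fix now comes from. Presumably `patch-3.10.20.xz` carries it, but that should be checked against the upstream changelog and written down, for example `# CVE-2013-4348: fixed upstream in 3.10.20` next to `pkgver`, or one line in the commit message. The `source=` list begins and ends outside the hunk, so the remaining entries cannot be checked from here.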
@@ -162,12 +161,11 @@ aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-p 1a5800a2122ba0cc0d06733cb3bb8b8f 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch c6a4ae7e8ca6159e1631545515805216 fix-memory-map-for-PIE-applications.patch b3c0153d53e508e03d73b94d15b24a96 sysctl_lxc.patch -09ae7985af988c75ff35ed503558eb8b CVE-2013-4348.patch cb5c938dccbee36cfb8bb7ee3546b8af kernelconfig.x86 daa81b89f18254155ac33c5239abf3a4 kernelconfig.x86_64" sha256sums="df27fa92d27a9c410bfe6c4a89f141638500d7eadcca5cce578954efc2ad3544 linux-3.10.tar.xz -c420b1da0aefe23e4a6953e579374fd377385b6041f967694cf4f828e2f3252e patch-3.10.19.xz -532870eb3c59200b045efb64463bcc544d394410b2aba63ed5c6dbfe9d974e38 grsecurity-2.9.1-3.10.19-unofficial.patch +b6d2a828c38e2791d3490d7f05556156f4a0624cb55460631b8e2667c66527fa patch-3.10.20.xz +7f11be19130a61aad90eb27e0205b5d729150688c35829818499df76c8d8bdae grsecurity-2.9.1-3.10.20-unofficial.patch 6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch 
@@ -176,12 +174,11 @@ ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3 0005-ipv4-use- fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch 500f3577310be52e87b9fecdc2e9c4ca43210fd97d69089f9005d484563f74c7 fix-memory-map-for-PIE-applications.patch 9ba55b0f45d5aa97503e376a13be6d249a10f32e36687055b2fa1e5a39fa0584 sysctl_lxc.patch -39acdfc0bb2298e3a9ba62ee42ac2b6556fc31d8eaa2c085f84897cdeaa1a996 CVE-2013-4348.patch 3e6c4101bfb90b6a30173ef81cd0d0bea51d6a995fc045ca67db7fed271d969d kernelconfig.x86 da67ef700372d080bffb12a86f0a16c987dc79e18fdfb1a88d2704660239e5f0 kernelconfig.x86_64" sha512sums="5fb109fcbd59bf3dffc911b853894f0a84afa75151368f783a1252c5ff60c7a1504de216c0012be446df983e2dea400ad8eeed3ce04f24dc61d0ef76c174dc35 linux-3.10.tar.xz -6a8bfb124f90f1c8ed27ce3315629601b1b72d4bc8b1d2b776424e56b3a72e4cd03bcebe6cde35223a3beba75ec6d69e949e217504acc611becb7e62aa88f05c patch-3.10.19.xz -015b090eedeb4bcd75025690bab264afddc9e5a54a897f918a8c5f260b5ddf46bd6cbf510e6efdeb26cc5d351e8c5ccb3c921738f315e4ee5153e288b86608cd grsecurity-2.9.1-3.10.19-unofficial.patch +86c61f1d18c370fb24808cda03c8fe1e33879fe5a4553f78c943ec896e2bed1e196cd9e64ab830e9e6a2f9967d7c8396a848610c44fc09d2e426814618f4deec patch-3.10.20.xz +7e8dbb18b77adeb43fa99b1283d6101a075f0bbcc06681ae30547698778e66976ae3e7533406c7754b0337e908b88643fbcee3d55aa45073623445c4b906cb43 grsecurity-2.9.1-3.10.20-unofficial.patch 81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 
0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch @@ -190,6 +187,5 @@ d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d71 249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch 4665c56ae1bbac311f9205d64918e84ee8b01d47d6e2396ff6b8adfb10aada7f7254531ce62e31edbb65c2a54a830f09ad05d314dfcd75d6272f4068945ad7c7 fix-memory-map-for-PIE-applications.patch 41071e21c59997604a380575d3c4171d35a12eaae6ddcf158d95e4fd5ccc69d61753cbd38b7bd08d879cce5bfea3fed2df15e5a3dca944f6f7cbd95d5d2daa23 sysctl_lxc.patch -6c5165692519c630cb96a254088e55d4d7412bd0f45920c0bf514dd9c68d24625da91798158fe502b6c214a7b8d44ae6b2e49b39aed6da3c1344f816f90405a3 CVE-2013-4348.patch e81d6780a33f00d5ee03b069fc3610da2eda3ba43e515707ae67cd2d609a226b18e9ec446eeacd2afaafe6aa480bb30b9908cce41e0d90f1a3b41e7daf2034c5 kernelconfig.x86 01e38549e92a98f041cb7ee1fec04a35d55322eff718fce6cd5774b60d0db287478ca034309e3dbd06b0194a2ec4b67584ef281018c16681a0ac7ac0fdc7c3ba kernelconfig.x86_64" diff --git a/main/linux-grsec/CVE-2013-4348.patch b/main/linux-grsec/CVE-2013-4348.patch deleted file mode 100644 index cce1592eb8..0000000000 --- a/main/linux-grsec/CVE-2013-4348.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 6f092343855a71e03b8d209815d8c45bf3a27fcd Mon Sep 17 00:00:00 2001 -From: Jason Wang <jasowang@redhat.com> -Date: Fri, 01 Nov 2013 07:01:10 +0000 -Subject: net: flow_dissector: fail on evil iph->ihl - -We don't validate iph->ihl which may lead a dead loop if we meet a IPIP -skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl -is evil (less than 5). - -This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae -(rps: support IPIP encapsulation). - -Cc: Eric Dumazet <edumazet@google.com> -Cc: Petr Matousek <pmatouse@redhat.com> -Cc: Michael S. Tsirkin <mst@redhat.com> -Cc: Daniel Borkmann <dborkman@redhat.com> -Signed-off-by: Jason Wang <jasowang@redhat.com> -Acked-by: Eric Dumazet <edumazet@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- -diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c -index 8d7d0dd..143b6fd 100644 ---- a/net/core/flow_dissector.c -+++ b/net/core/flow_dissector.c -@@ -40,7 +40,7 @@ again: - struct iphdr _iph; - ip: - iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph); -- if (!iph) -+ if (!iph || iph->ihl < 5) - return false; - - if (ip_is_fragment(iph)) --- -cgit v0.9.2 diff --git a/main/linux-grsec/grsecurity-2.9.1-3.10.19-unofficial.patch b/main/linux-grsec/grsecurity-2.9.1-3.10.20-unofficial.patch index cf1b0625d0..ece0a705ee 100644 --- a/main/linux-grsec/grsecurity-2.9.1-3.10.19-unofficial.patch +++ b/main/linux-grsec/grsecurity-2.9.1-3.10.20-unofficial.patch @@ -281,7 +281,7 @@ index 2fe6e76..889ee23 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 83a02f5..8673672 100644 +index ba784b7..c665163 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -48720,10 +48720,10 @@ index 2a3bbdf..91d72cf 100644 file->f_version = event_count; return POLLIN | POLLRDNORM; 
diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c -index d53547d..6a22d02 100644 +index d3aa353..0e284af 100644 --- a/drivers/usb/core/hcd.c +++ b/drivers/usb/core/hcd.c -@@ -1526,7 +1526,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags) +@@ -1527,7 +1527,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags) */ usb_get_urb(urb); atomic_inc(&urb->use_count); @@ -48732,7 +48732,7 @@ index d53547d..6a22d02 100644 usbmon_urb_submit(&hcd->self, urb); /* NOTE requirements on root-hub callers (usbfs and the hub -@@ -1553,7 +1553,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags) +@@ -1554,7 +1554,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags) urb->hcpriv = NULL; INIT_LIST_HEAD(&urb->urb_list); atomic_dec(&urb->use_count); @@ -48742,7 +48742,7 @@ index d53547d..6a22d02 100644 wake_up(&usb_kill_urb_queue); usb_put_urb(urb); diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 6cf2ae0..f701610 100644 +index c8b9fa0..abb8ce1 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -27,6 +27,7 @@ @@ -48753,7 +48753,7 @@ index 6cf2ae0..f701610 100644 #include <asm/uaccess.h> #include <asm/byteorder.h> -@@ -4419,6 +4420,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1, +@@ -4431,6 +4432,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1, goto done; return; } @@ -49244,7 +49244,7 @@ index 098bfc6..796841d 100644 if (!registered_fb[con2fb.framebuffer]) request_module("fb%d", con2fb.framebuffer); diff --git a/drivers/video/hyperv_fb.c b/drivers/video/hyperv_fb.c -index d4d2c5f..ebbd113 100644 +index 0f3b33c..b4304eb 100644 --- a/drivers/video/hyperv_fb.c +++ b/drivers/video/hyperv_fb.c @@ -233,7 +233,7 @@ static uint screen_fb_size; @@ -85745,10 +85745,10 @@ index e444ff8..438b8f4 100644 *data_page = bpage; diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c -index 0582a01..310bed1 100644 +index 5546ae9..26f7728 100644 --- a/kernel/trace/trace.c 
+++ b/kernel/trace/trace.c -@@ -3327,7 +3327,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set) +@@ -3330,7 +3330,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set) return 0; } @@ -93387,7 +93387,7 @@ index b66910a..cfe416e 100644 return -ENOMEM; } diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c -index c52fee0..9644112 100644 +index 64e4e98..db77052 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -115,7 +115,7 @@ static bool log_ecn_error = true; @@ -93507,7 +93507,7 @@ index efa1138..20dbba0 100644 return res; } diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c -index 7cfc456..e726868 100644 +index f5cc7b3..33d7577 100644 --- a/net/ipv4/ipip.c +++ b/net/ipv4/ipip.c @@ -124,7 +124,7 @@ MODULE_PARM_DESC(log_ecn_error, "Log packets received with corrupted ECN"); @@ -94632,10 +94632,10 @@ index 1aeb473..bea761c 100644 return -ENOMEM; } diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index 3c1f493..4129ccc 100644 +index 548a1f7c..63ee520 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c -@@ -2931,7 +2931,7 @@ ctl_table ipv6_route_table_template[] = { +@@ -2934,7 +2934,7 @@ ctl_table ipv6_route_table_template[] = { struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net) { 
@@ -97940,11 +97940,64 @@ index 643764f..6cc0137 100644 -e 's/__attribute_const__([ \t]|$)/\1/g' \ -e 's@^#include <linux/compiler.h>@@' \ -e 's/(^|[^a-zA-Z0-9])__packed([^a-zA-Z0-9_]|$)/\1__attribute__((packed))\2/g' \ +diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c +index 9a11f9f..487ac6f 100644 +--- a/scripts/kallsyms.c ++++ b/scripts/kallsyms.c +@@ -55,7 +55,6 @@ static struct sym_entry *table; + static unsigned int table_size, table_cnt; + static int all_symbols = 0; + static char symbol_prefix_char = '\0'; +-static unsigned long long kernel_start_addr = 0; + + int token_profit[0x10000]; + +@@ -66,10 +65,7 @@ unsigned char best_table_len[256]; + + static void usage(void) + { +- fprintf(stderr, "Usage: kallsyms [--all-symbols] " +- "[--symbol-prefix=<prefix char>] " +- "[--page-offset=<CONFIG_PAGE_OFFSET>] " +- "< in.map > out.S\n"); ++ fprintf(stderr, "Usage: kallsyms [--all-symbols] [--symbol-prefix=<prefix char>] < in.map > out.S\n"); + exit(1); + } + +@@ -198,9 +194,6 @@ static int symbol_valid(struct sym_entry *s) + int i; + int offset = 1; + +- if (s->addr < kernel_start_addr) +- return 0; +- + /* skip prefix char */ + if (symbol_prefix_char && *(s->sym + 1) == symbol_prefix_char) + offset++; +@@ -653,9 +646,6 @@ int main(int argc, char **argv) + if ((*p == '"' && *(p+2) == '"') || (*p == '\'' && *(p+2) == '\'')) + p++; + symbol_prefix_char = *p; +- } else if (strncmp(argv[i], "--page-offset=", 14) == 0) { +- const char *p = &argv[i][14]; +- kernel_start_addr = strtoull(p, NULL, 16); + } else + usage(); + } diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh -index 32b10f5..0d8d2ee 100644 +index 32b10f5..d482a0d 100644 --- a/scripts/link-vmlinux.sh 
+++ b/scripts/link-vmlinux.sh -@@ -160,7 +160,7 @@ else +@@ -82,8 +82,6 @@ kallsyms() + kallsymopt="${kallsymopt} --all-symbols" + fi + +- kallsymopt="${kallsymopt} --page-offset=$CONFIG_PAGE_OFFSET" +- + local aflags="${KBUILD_AFLAGS} ${KBUILD_AFLAGS_KERNEL} \ + ${NOSTDINC_FLAGS} ${LINUXINCLUDE} ${KBUILD_CPPFLAGS}" + +@@ -160,7 +158,7 @@ else fi; # final build of init/ |