aboutsummaryrefslogtreecommitdiffstats
path: root/main/linux-grsec
diff options
context:
space:
mode:
authorLeonardo Arena <rnalrd@alpinelinux.org>2015-12-31 14:30:23 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2015-12-31 15:16:33 +0000
commit7dbea86ac6d1cc87bf497ecefa083787a5ee84c1 (patch)
tree94ed508981b4683c0a61ace3609ed299c38ecdce /main/linux-grsec
parent1ea05c13c66c6cf58724e7a68474a0421fc26235 (diff)
downloadaports-7dbea86ac6d1cc87bf497ecefa083787a5ee84c1.tar.bz2
aports-7dbea86ac6d1cc87bf497ecefa083787a5ee84c1.tar.xz
main/linux-grsec: security fixes
Diffstat (limited to 'main/linux-grsec')
-rw-r--r--main/linux-grsec/APKBUILD30
-rw-r--r--main/linux-grsec/add-checks-for-allocation-failure-isdn_ppp_open.patch40
-rw-r--r--main/linux-grsec/kvm-svm-unconditionally-intercept-#db.patch80
-rw-r--r--main/linux-grsec/net-add-validation-socket-syscall-protocol-argument.patch139
-rw-r--r--main/linux-grsec/ovl-fix-permission-checking-for-setattr.patch46
-rw-r--r--main/linux-grsec/pptp-verify-sockaddr_len.patch39
-rw-r--r--main/linux-grsec/validate-vj-compression-slot-parameters-completely.patch139
-rw-r--r--main/linux-grsec/vivid-osd-fix-info-leak-in-ioctl.patch34
8 files changed, 546 insertions, 1 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 7ccfe6e8e7..7fc883b8ba 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -7,7 +7,7 @@ case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
esac
-pkgrel=0
+pkgrel=1
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs"
@@ -22,6 +22,13 @@ source="http://ftp.kernel.org/pub/linux/kernel/v4.x/linux-$_kernver.tar.xz
fix-spi-nor-namespace-clash.patch
imx6q-no-unclocked-sleep.patch
+ add-checks-for-allocation-failure-isdn_ppp_open.patch
+ validate-vj-compression-slot-parameters-completely.patch
+ kvm-svm-unconditionally-intercept-#db.patch
+ vivid-osd-fix-info-leak-in-ioctl.patch
+ net-add-validation-socket-syscall-protocol-argument.patch
+ pptp-verify-sockaddr_len.patch
+ ovl-fix-permission-checking-for-setattr.patch
config-grsec.x86
config-grsec.x86_64
@@ -208,6 +215,13 @@ d23ac8110941baf0f37f9e3a011e3720 pax-linux-4.1.15-test24-alpine.patch
ba5670790e9ee117227024cb4b187756 grsec-4.1.15-3.1-201509112213-alpine.patch
b0337a2a9abed17c37eae5db332522d2 fix-spi-nor-namespace-clash.patch
1a307fc1d63231bf01d22493a4f14378 imx6q-no-unclocked-sleep.patch
+4bf3d4e28a3318ea7251f862aa35dc95 add-checks-for-allocation-failure-isdn_ppp_open.patch
+9b150b8017a25fb6c9e9e29b1f1e791f validate-vj-compression-slot-parameters-completely.patch
+c02b7d642341d3b82cff47d801813254 kvm-svm-unconditionally-intercept-#db.patch
+b52be7e646d3572687e4d26d4291233e vivid-osd-fix-info-leak-in-ioctl.patch
+730439fc2751795dc00f1fb3ec810b12 net-add-validation-socket-syscall-protocol-argument.patch
+e4590e034252bb838220d2bedc19be2e pptp-verify-sockaddr_len.patch
+5f27a173424a42db509b46372c200e85 ovl-fix-permission-checking-for-setattr.patch
f8eec4df8fcd64f5f4810a2840e8cee7 config-grsec.x86
dcccfa220ed2b2041971492d1dfa9440 config-grsec.x86_64
cf395fd923139074f3f1095c29a63e2b config-grsec.armhf
@@ -219,6 +233,13 @@ sha256sums="caf51f085aac1e1cea4d00dbbf3093ead07b551fc07b31b2a989c05f8ea72d9f li
a92b81dbd4fa4fbee28cebad93b0bd623820c809e98e8841151842341b9626eb grsec-4.1.15-3.1-201509112213-alpine.patch
01279cfb93273d99670c56e2465957ecde3d03693beeb929a743f03afa0b7bdc fix-spi-nor-namespace-clash.patch
21179fbb22a5b74af0a609350ae1a170e232908572b201d02e791d2ce0a685d3 imx6q-no-unclocked-sleep.patch
+78ca4ba9863d43ba498db628f2dfc2cf00427236745636025bd24513bdf05189 add-checks-for-allocation-failure-isdn_ppp_open.patch
+d2670dc40c47de365d36ba1e1bbef0ea3e6381f5d4c38e88a4c5db2eb4383925 validate-vj-compression-slot-parameters-completely.patch
+eb787ea2e4637708475569f7498c1ef0fa5e4e80ae22df5c5f44092615f86ebd kvm-svm-unconditionally-intercept-#db.patch
+4070f46003fb5e1a16474f682da78d989809272a7aa209f794caa8d0b941e2c0 vivid-osd-fix-info-leak-in-ioctl.patch
+180af96ce8310913f6662be50ca69c9737af250ef8dd3fdefdc58bef5f55ca9e net-add-validation-socket-syscall-protocol-argument.patch
+5d3f0311176addb6cbbe0739736962cdb3826816e5cc0384f52d34cbd7c2c2a0 pptp-verify-sockaddr_len.patch
+79fa593d628d740c7bc2b68398ab381ad978293102d1f282919ee69aeab6a17d ovl-fix-permission-checking-for-setattr.patch
b179db21c31861da5da8a49307994e11e6a6b83d88fb3dffcf20b369ab32f8e6 config-grsec.x86
f2c3a2b565346baa29bdf48bab6da6fcfa1723b505237ef33a0655bf80ef2e18 config-grsec.x86_64
b996d6fc9eb8bd453826fb9c0ae573ef42a6fff3193adf33c2bf14480924ca16 config-grsec.armhf
@@ -230,6 +251,13 @@ e5bb53ac77a4b285fa4dd52cf50856669cb932669c2c8b1b9cd14d2384375d1ce9e997a760848c2c
c737219a382206894889ddf8e807836a6fd08bb983b5e2327fae9f8427a0fa591c17f896b6e3f8dab4e356ae2d5f2aaa1cb642dea162eddc0c53c3a494928d52 grsec-4.1.15-3.1-201509112213-alpine.patch
4e3aeb70712f9838afea75fe9e6c1389414d833a89286ea55441d6a8d54ce74b0e39b565721e3153443af0a614bff57c767251b7e5b81faa5e0784eddfcd2164 fix-spi-nor-namespace-clash.patch
87d1ad59732f265a5b0db54490dc1762c14ea4b868e7eb1aedc3ce57b48046de7bbc08cf5cfcf6f1380fa84063b0edb16ba3d5e3c5670be9bbb229275c88b221 imx6q-no-unclocked-sleep.patch
+2fac663732ec9f5d0089b7bfdc31e4166028b381da328aef405f4a2c9102486139bc759dccc704293d9fbc0d4a19d9682e31e62f913bfa5fd22a4ef77e4b2255 add-checks-for-allocation-failure-isdn_ppp_open.patch
+528604f2296bd1a67e32b465b4885ddba8ccf50925909e80cc523186ab03439c47eb5c016c133f3e3f27b0666f234f88a9c33399d7550867a448e12c73f878c2 validate-vj-compression-slot-parameters-completely.patch
+5d9628e59117b9b0e464bfdac4249663a8c46f8c0ac5f521e19bbb1d59ad3a0dc0d97de34a1f011033d31c792452e6b20a70081ec8cc208bf0671fb50017ab6c kvm-svm-unconditionally-intercept-#db.patch
+98bd4ef55ce0b7c4b4fee638ba079555a7363f1b34bc415135bd2fcbd12957ef45d569d7bf85edcbf322638f9951e01951807279279e729bbc13bee3be5d2b45 vivid-osd-fix-info-leak-in-ioctl.patch
+d41f3b7c30d59a0fb43f877fff5a311c7fad8e12dfb51c519af368e8d1511202e6cceace3e051620a90e30f3c4b170847172764db045c9a5777663e2e9f2116c net-add-validation-socket-syscall-protocol-argument.patch
+9454738454abee92200c7025a5b19e6870056ee71faf7e78dc10c0e7317e2d27c940ab031e2e53db856e1bea3b3fe5e32ce5aaa7c29dc833aa0f75d35bbf7a79 pptp-verify-sockaddr_len.patch
+061d58353e8d8eb83a10ae1cdfd16ff5d982ee594decd115d42f438293747b9f4ea3cb16ce242685b34d52ca57feb3b8e9f344adc425e1894f0283abe47ef355 ovl-fix-permission-checking-for-setattr.patch
b31862d0998cbe72882f2db3ab9452051bb5202a3921f5f4aebb24727a187227792af88c6b6ceef8ff28ab34123d1321bb8d06656f37c844afcf566571ba8865 config-grsec.x86
87c4c3be53f03ee6e7c4fa1853b43c506ee5d35d4c156b5030424b7712e469521898a56c0b6a4562e31ea2bca855dae7429ea9048f9d2fa8b29db2d14211d230 config-grsec.x86_64
aecd465ceb265355ef71c213ee589cc18c7695589e3410fb8762669d5f728a7e071e1b05e3864a8c621dec870a472a0e1075b2b335fafabfe62891c7d746161d config-grsec.armhf
diff --git a/main/linux-grsec/add-checks-for-allocation-failure-isdn_ppp_open.patch b/main/linux-grsec/add-checks-for-allocation-failure-isdn_ppp_open.patch
new file mode 100644
index 0000000000..2f700ac510
--- /dev/null
+++ b/main/linux-grsec/add-checks-for-allocation-failure-isdn_ppp_open.patch
@@ -0,0 +1,40 @@
+From 0baa57d8dc32db78369d8b5176ef56c5e2e18ab3 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 1 Nov 2015 16:21:24 +0000
+Subject: isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
+
+Compile-tested only.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/isdn/i4l/isdn_ppp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
+index c4198fa..86f9abe 100644
+--- a/drivers/isdn/i4l/isdn_ppp.c
++++ b/drivers/isdn/i4l/isdn_ppp.c
+@@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file)
+ is->compflags = 0;
+
+ is->reset = isdn_ppp_ccp_reset_alloc(is);
++ if (!is->reset)
++ return -ENOMEM;
+
+ is->lp = NULL;
+ is->mp_seqno = 0; /* MP sequence number */
+@@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file)
+ * VJ header compression init
+ */
+ is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
++ if (!is->slcomp) {
++ isdn_ppp_ccp_reset_free(is);
++ return -ENOMEM;
++ }
+ #endif
+ #ifdef CONFIG_IPPP_FILTER
+ is->pass_filter = NULL;
+--
+cgit v0.11.2
+
diff --git a/main/linux-grsec/kvm-svm-unconditionally-intercept-#db.patch b/main/linux-grsec/kvm-svm-unconditionally-intercept-#db.patch
new file mode 100644
index 0000000000..938219ea1a
--- /dev/null
+++ b/main/linux-grsec/kvm-svm-unconditionally-intercept-#db.patch
@@ -0,0 +1,80 @@
+From cbdb967af3d54993f5814f1cee0ed311a055377d Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 10 Nov 2015 09:14:39 +0100
+Subject: KVM: svm: unconditionally intercept #DB
+
+This is needed to avoid the possibility that the guest triggers
+an infinite stream of #DB exceptions (CVE-2015-8104).
+
+VMX is not affected: because it does not save DR6 in the VMCS,
+it already intercepts #DB unconditionally.
+
+Reported-by: Jan Beulich <jbeulich@suse.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kvm/svm.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index 1839264..1cc1ffc 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1020,6 +1020,7 @@ static void init_vmcb(struct vcpu_svm *svm)
+ set_exception_intercept(svm, UD_VECTOR);
+ set_exception_intercept(svm, MC_VECTOR);
+ set_exception_intercept(svm, AC_VECTOR);
++ set_exception_intercept(svm, DB_VECTOR);
+
+ set_intercept(svm, INTERCEPT_INTR);
+ set_intercept(svm, INTERCEPT_NMI);
+@@ -1554,20 +1555,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
+ mark_dirty(svm->vmcb, VMCB_SEG);
+ }
+
+-static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
++static void update_bp_intercept(struct kvm_vcpu *vcpu)
+ {
+ struct vcpu_svm *svm = to_svm(vcpu);
+
+- clr_exception_intercept(svm, DB_VECTOR);
+ clr_exception_intercept(svm, BP_VECTOR);
+
+- if (svm->nmi_singlestep)
+- set_exception_intercept(svm, DB_VECTOR);
+-
+ if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
+- if (vcpu->guest_debug &
+- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
+- set_exception_intercept(svm, DB_VECTOR);
+ if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
+ set_exception_intercept(svm, BP_VECTOR);
+ } else
+@@ -1673,7 +1667,6 @@ static int db_interception(struct vcpu_svm *svm)
+ if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
+ svm->vmcb->save.rflags &=
+ ~(X86_EFLAGS_TF | X86_EFLAGS_RF);
+- update_db_bp_intercept(&svm->vcpu);
+ }
+
+ if (svm->vcpu.guest_debug &
+@@ -3661,7 +3654,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
+ */
+ svm->nmi_singlestep = true;
+ svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
+- update_db_bp_intercept(vcpu);
+ }
+
+ static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
+@@ -4287,7 +4279,7 @@ static struct kvm_x86_ops svm_x86_ops = {
+ .vcpu_load = svm_vcpu_load,
+ .vcpu_put = svm_vcpu_put,
+
+- .update_db_bp_intercept = update_db_bp_intercept,
++ .update_db_bp_intercept = update_bp_intercept,
+ .get_msr = svm_get_msr,
+ .set_msr = svm_set_msr,
+ .get_segment_base = svm_get_segment_base,
+--
+cgit v0.11.2
+
diff --git a/main/linux-grsec/net-add-validation-socket-syscall-protocol-argument.patch b/main/linux-grsec/net-add-validation-socket-syscall-protocol-argument.patch
new file mode 100644
index 0000000000..910ac7ccea
--- /dev/null
+++ b/main/linux-grsec/net-add-validation-socket-syscall-protocol-argument.patch
@@ -0,0 +1,139 @@
+From 79462ad02e861803b3840cc782248c7359451cd9 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon, 14 Dec 2015 22:03:39 +0100
+Subject: net: add validation for the socket syscall protocol argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+郭永刚 reported that one could simply crash the kernel as root by
+using a simple program:
+
+ int socket_fd;
+ struct sockaddr_in addr;
+ addr.sin_port = 0;
+ addr.sin_addr.s_addr = INADDR_ANY;
+ addr.sin_family = 10;
+
+ socket_fd = socket(10,3,0x40000000);
+ connect(socket_fd , &addr,16);
+
+AF_INET, AF_INET6 sockets actually only support 8-bit protocol
+identifiers. inet_sock's skc_protocol field thus is sized accordingly,
+thus larger protocol identifiers simply cut off the higher bits and
+store a zero in the protocol fields.
+
+This could lead to e.g. NULL function pointer because as a result of
+the cut off inet_num is zero and we call down to inet_autobind, which
+is NULL for raw sockets.
+
+kernel: Call Trace:
+kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
+kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
+kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110
+kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
+kernel: [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
+kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10
+kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89
+
+I found no particular commit which introduced this problem.
+
+CVE: CVE-2015-8543
+Cc: Cong Wang <cwang@twopensource.com>
+Reported-by: 郭永刚 <guoyonggang@360.cn>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/net/sock.h | 1 +
+ net/ax25/af_ax25.c | 3 +++
+ net/decnet/af_decnet.c | 3 +++
+ net/ipv4/af_inet.c | 3 +++
+ net/ipv6/af_inet6.c | 3 +++
+ net/irda/af_irda.c | 3 +++
+ 6 files changed, 16 insertions(+)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index eaef414..c4205e0 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -403,6 +403,7 @@ struct sock {
+ sk_no_check_rx : 1,
+ sk_userlocks : 4,
+ sk_protocol : 8,
++#define SK_PROTOCOL_MAX U8_MAX
+ sk_type : 16;
+ kmemcheck_bitfield_end(flags);
+ int sk_wmem_queued;
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index ae3a47f..fbd0acf 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
+ struct sock *sk;
+ ax25_cb *ax25;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (!net_eq(net, &init_net))
+ return -EAFNOSUPPORT;
+
+diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
+index eebf5ac..13d6b1a 100644
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol,
+ {
+ struct sock *sk;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (!net_eq(net, &init_net))
+ return -EAFNOSUPPORT;
+
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index 11c4ca1..5c5db66 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -257,6 +257,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
+ int try_loading_module = 0;
+ int err;
+
++ if (protocol < 0 || protocol >= IPPROTO_MAX)
++ return -EINVAL;
++
+ sock->state = SS_UNCONNECTED;
+
+ /* Look for the requested type/protocol pair. */
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 8ec0df7..9f5137c 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
+ int try_loading_module = 0;
+ int err;
+
++ if (protocol < 0 || protocol >= IPPROTO_MAX)
++ return -EINVAL;
++
+ /* Look for the requested type/protocol pair. */
+ lookup_protocol:
+ err = -ESOCKTNOSUPPORT;
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index e6aa48b..923abd6 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol,
+ struct sock *sk;
+ struct irda_sock *self;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (net != &init_net)
+ return -EAFNOSUPPORT;
+
+--
+cgit v0.11.2
+
diff --git a/main/linux-grsec/ovl-fix-permission-checking-for-setattr.patch b/main/linux-grsec/ovl-fix-permission-checking-for-setattr.patch
new file mode 100644
index 0000000000..894b0df03a
--- /dev/null
+++ b/main/linux-grsec/ovl-fix-permission-checking-for-setattr.patch
@@ -0,0 +1,46 @@
+From acff81ec2c79492b180fade3c2894425cd35a545 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <miklos@szeredi.hu>
+Date: Fri, 4 Dec 2015 19:18:48 +0100
+Subject: ovl: fix permission checking for setattr
+
+[Al Viro] The bug is in being too enthusiastic about optimizing ->setattr()
+away - instead of "copy verbatim with metadata" + "chmod/chown/utimes"
+(with the former being always safe and the latter failing in case of
+insufficient permissions) it tries to combine these two. Note that copyup
+itself will have to do ->setattr() anyway; _that_ is where the elevated
+capabilities are right. Having these two ->setattr() (one to set verbatim
+copy of metadata, another to do what overlayfs ->setattr() had been asked
+to do in the first place) combined is where it breaks.
+
+Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+---
+ fs/overlayfs/inode.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
+index ec0c2a0..9612849 100644
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -49,13 +49,13 @@ int ovl_setattr(struct dentry *dentry, struct iattr *attr)
+ if (err)
+ goto out;
+
+- upperdentry = ovl_dentry_upper(dentry);
+- if (upperdentry) {
++ err = ovl_copy_up(dentry);
++ if (!err) {
++ upperdentry = ovl_dentry_upper(dentry);
++
+ mutex_lock(&upperdentry->d_inode->i_mutex);
+ err = notify_change(upperdentry, attr, NULL);
+ mutex_unlock(&upperdentry->d_inode->i_mutex);
+- } else {
+- err = ovl_copy_up_last(dentry, attr, false);
+ }
+ ovl_drop_write(dentry);
+ out:
+--
+cgit v0.11.2
+
diff --git a/main/linux-grsec/pptp-verify-sockaddr_len.patch b/main/linux-grsec/pptp-verify-sockaddr_len.patch
new file mode 100644
index 0000000000..0f9c1ec3b3
--- /dev/null
+++ b/main/linux-grsec/pptp-verify-sockaddr_len.patch
@@ -0,0 +1,39 @@
+From 09ccfd238e5a0e670d8178cf50180ea81ae09ae1 Mon Sep 17 00:00:00 2001
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Mon, 14 Dec 2015 13:48:36 -0800
+Subject: pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
+
+Reported-by: Dmitry Vyukov <dvyukov@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/ppp/pptp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
+index fc69e41..597c53e 100644
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -419,6 +419,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr,
+ struct pptp_opt *opt = &po->proto.pptp;
+ int error = 0;
+
++ if (sockaddr_len < sizeof(struct sockaddr_pppox))
++ return -EINVAL;
++
+ lock_sock(sk);
+
+ opt->src_addr = sp->sa_addr.pptp;
+@@ -440,6 +443,9 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr,
+ struct flowi4 fl4;
+ int error = 0;
+
++ if (sockaddr_len < sizeof(struct sockaddr_pppox))
++ return -EINVAL;
++
+ if (sp->sa_protocol != PX_PROTO_PPTP)
+ return -EINVAL;
+
+--
+cgit v0.11.2
+
diff --git a/main/linux-grsec/validate-vj-compression-slot-parameters-completely.patch b/main/linux-grsec/validate-vj-compression-slot-parameters-completely.patch
new file mode 100644
index 0000000000..009ff86169
--- /dev/null
+++ b/main/linux-grsec/validate-vj-compression-slot-parameters-completely.patch
@@ -0,0 +1,139 @@
+From 4ab42d78e37a294ac7bc56901d563c642e03c4ae Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 1 Nov 2015 16:22:53 +0000
+Subject: ppp, slip: Validate VJ compression slot parameters completely
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently slhc_init() treats out-of-range values of rslots and tslots
+as equivalent to 0, except that if tslots is too large it will
+dereference a null pointer (CVE-2015-7799).
+
+Add a range-check at the top of the function and make it return an
+ERR_PTR() on error instead of NULL. Change the callers accordingly.
+
+Compile-tested only.
+
+Reported-by: 郭永刚 <guoyonggang@360.cn>
+References: http://article.gmane.org/gmane.comp.security.oss.general/17908
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/isdn/i4l/isdn_ppp.c | 10 ++++------
+ drivers/net/ppp/ppp_generic.c | 6 ++----
+ drivers/net/slip/slhc.c | 12 ++++++++----
+ drivers/net/slip/slip.c | 2 +-
+ 4 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
+index 86f9abe..9c1e8ad 100644
+--- a/drivers/isdn/i4l/isdn_ppp.c
++++ b/drivers/isdn/i4l/isdn_ppp.c
+@@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file)
+ * VJ header compression init
+ */
+ is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
+- if (!is->slcomp) {
++ if (IS_ERR(is->slcomp)) {
+ isdn_ppp_ccp_reset_free(is);
+- return -ENOMEM;
++ return PTR_ERR(is->slcomp);
+ }
+ #endif
+ #ifdef CONFIG_IPPP_FILTER
+@@ -573,10 +573,8 @@ isdn_ppp_ioctl(int min, struct file *file, unsigned int cmd, unsigned long arg)
+ is->maxcid = val;
+ #ifdef CONFIG_ISDN_PPP_VJ
+ sltmp = slhc_init(16, val);
+- if (!sltmp) {
+- printk(KERN_ERR "ippp, can't realloc slhc struct\n");
+- return -ENOMEM;
+- }
++ if (IS_ERR(sltmp))
++ return PTR_ERR(sltmp);
+ if (is->slcomp)
+ slhc_free(is->slcomp);
+ is->slcomp = sltmp;
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index ed00446..9a863c6 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -721,10 +721,8 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ val &= 0xffff;
+ }
+ vj = slhc_init(val2+1, val+1);
+- if (!vj) {
+- netdev_err(ppp->dev,
+- "PPP: no memory (VJ compressor)\n");
+- err = -ENOMEM;
++ if (IS_ERR(vj)) {
++ err = PTR_ERR(vj);
+ break;
+ }
+ ppp_lock(ppp);
+diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
+index 079f7ad..27ed252 100644
+--- a/drivers/net/slip/slhc.c
++++ b/drivers/net/slip/slhc.c
+@@ -84,8 +84,9 @@ static long decode(unsigned char **cpp);
+ static unsigned char * put16(unsigned char *cp, unsigned short x);
+ static unsigned short pull16(unsigned char **cpp);
+
+-/* Initialize compression data structure
++/* Allocate compression data structure
+ * slots must be in range 0 to 255 (zero meaning no compression)
++ * Returns pointer to structure or ERR_PTR() on error.
+ */
+ struct slcompress *
+ slhc_init(int rslots, int tslots)
+@@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots)
+ register struct cstate *ts;
+ struct slcompress *comp;
+
++ if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255)
++ return ERR_PTR(-EINVAL);
++
+ comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
+ if (! comp)
+ goto out_fail;
+
+- if ( rslots > 0 && rslots < 256 ) {
++ if (rslots > 0) {
+ size_t rsize = rslots * sizeof(struct cstate);
+ comp->rstate = kzalloc(rsize, GFP_KERNEL);
+ if (! comp->rstate)
+@@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots)
+ comp->rslot_limit = rslots - 1;
+ }
+
+- if ( tslots > 0 && tslots < 256 ) {
++ if (tslots > 0) {
+ size_t tsize = tslots * sizeof(struct cstate);
+ comp->tstate = kzalloc(tsize, GFP_KERNEL);
+ if (! comp->tstate)
+@@ -141,7 +145,7 @@ out_free2:
+ out_free:
+ kfree(comp);
+ out_fail:
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+ }
+
+
+diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
+index 05387b1..a17d86a 100644
+--- a/drivers/net/slip/slip.c
++++ b/drivers/net/slip/slip.c
+@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl, int mtu)
+ if (cbuff == NULL)
+ goto err_exit;
+ slcomp = slhc_init(16, 16);
+- if (slcomp == NULL)
++ if (IS_ERR(slcomp))
+ goto err_exit;
+ #endif
+ spin_lock_bh(&sl->lock);
+--
+cgit v0.11.2
+
diff --git a/main/linux-grsec/vivid-osd-fix-info-leak-in-ioctl.patch b/main/linux-grsec/vivid-osd-fix-info-leak-in-ioctl.patch
new file mode 100644
index 0000000000..1ca7a993f2
--- /dev/null
+++ b/main/linux-grsec/vivid-osd-fix-info-leak-in-ioctl.patch
@@ -0,0 +1,34 @@
+From eda98796aff0d9bf41094b06811f5def3b4c333c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speirofr@gmail.com>
+Date: Wed, 7 Oct 2015 07:09:26 -0300
+Subject: [media] media/vivid-osd: fix info leak in ioctl
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of
+struct fb_vblank after the ->hcount member. Add an explicit
+memset(0) before filling the structure to avoid the info leak.
+
+Signed-off-by: Salva Peiró <speirofr@gmail.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+---
+ drivers/media/platform/vivid/vivid-osd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c
+index 084d346..e15eef6 100644
+--- a/drivers/media/platform/vivid/vivid-osd.c
++++ b/drivers/media/platform/vivid/vivid-osd.c
+@@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg)
+ case FBIOGET_VBLANK: {
+ struct fb_vblank vblank;
+
++ memset(&vblank, 0, sizeof(vblank));
+ vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT |
+ FB_VBLANK_HAVE_VSYNC;
+ vblank.count = 0;
+--
+cgit v0.11.2
+