main/linux-grsec: upgrade to 3.10.15 and fix CVE-2013-4387

3 files changed, 146 insertions, 24 deletions

diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index ced3d23878..30e2bb7717 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -2,12 +2,12 @@
 
 _flavor=grsec
 pkgname=linux-${_flavor}
-pkgver=3.10.14
+pkgver=3.10.15
 case $pkgver in
 *.*.*)	_kernver=${pkgver%.*};;
 *.*)	_kernver=${pkgver};;
 esac
-pkgrel=1
+pkgrel=0
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -26,6 +26,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
 	0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
 	0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
 	fix-memory-map-for-PIE-applications.patch
+	ipv6-udp-packets-following-an-UFO-enqueued-packet-needs-al.patch
 
 	kernelconfig.x86
 	kernelconfig.x86_64
@@ -150,8 +151,8 @@ dev() {
 }
 
 md5sums="4f25cd5bec5f8d5a7d935b3f2ccb8481  linux-3.10.tar.xz
-3c2ce4933f210fef16664dfa16028de1  patch-3.10.14.xz
-8a8f3b99d0072aa72681711dab25848b  grsecurity-2.9.1-3.10.14-unofficial.patch
+70cc9bd12b04382c3783da96edda4562  patch-3.10.15.xz
+84a82b973a08abc43cbf74a8935c59ae  grsecurity-2.9.1-3.10.15-unofficial.patch
 a16f11b12381efb3bec79b9bfb329836  0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
 656ae7b10dd2f18dbfa1011041d08d60  0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 aa454ffb96428586447775c21449e284  0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
@@ -159,11 +160,12 @@ aa454ffb96428586447775c21449e284  0003-ipv4-properly-refresh-rtable-entries-on-p
 6ce5fed63aad3f1a1ff1b9ba7b741822  0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
 1a5800a2122ba0cc0d06733cb3bb8b8f  0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
 c6a4ae7e8ca6159e1631545515805216  fix-memory-map-for-PIE-applications.patch
+bbb9f3edd60fd5c53ac98f4eab83641c  ipv6-udp-packets-following-an-UFO-enqueued-packet-needs-al.patch
 866e6c4daed45d563829804f8ad50ed9  kernelconfig.x86
 272aaddd0a19a5052208bc25551995a3  kernelconfig.x86_64"
 sha256sums="df27fa92d27a9c410bfe6c4a89f141638500d7eadcca5cce578954efc2ad3544  linux-3.10.tar.xz
-fd5fac477f69b5e3c6506fa04f81157aa753538dca017ef23b26ca36e65df38e  patch-3.10.14.xz
-4e61ce7226f2424999e26ccdbdb806f60c6941b63f5be82fc586fa5b8a863107  grsecurity-2.9.1-3.10.14-unofficial.patch
+bb0108609a95ddfe5030938e45ad123445af4e29510a0b1bd8cede89de8c013b  patch-3.10.15.xz
+02736977e0abd475ba3c463b381186d306fd2f6c264968c47c685f0fce08c820  grsecurity-2.9.1-3.10.15-unofficial.patch
 6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3  0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
 dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0  0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892  0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
@@ -171,11 +173,12 @@ dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0  0002-arp-flush
 ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3  0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
 fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e  0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
 500f3577310be52e87b9fecdc2e9c4ca43210fd97d69089f9005d484563f74c7  fix-memory-map-for-PIE-applications.patch
+4e2ac6cf0b5f6ef4c2f468aedb3f4b7a2737ef3abef4cf712492ba5daec4b30d  ipv6-udp-packets-following-an-UFO-enqueued-packet-needs-al.patch
 7fd28634998ef1fddafed5f2516e902924245d2464b9e86476bfaa55ccfc3bc3  kernelconfig.x86
 f2843ae4f9b3e3c27f3138ce4b740c2803bdab0c7a910c662d951843803b9554  kernelconfig.x86_64"
 sha512sums="5fb109fcbd59bf3dffc911b853894f0a84afa75151368f783a1252c5ff60c7a1504de216c0012be446df983e2dea400ad8eeed3ce04f24dc61d0ef76c174dc35  linux-3.10.tar.xz
-8bd9af04acec2998d5a6d99e63a84c35802e4affeead51d15cf024020bc326507fee7c59179157b5bd42f5e0633c39ea8f123f02c0262aa50042fea57ed7390d  patch-3.10.14.xz
-7d17742f5dcce1975dfa9d24fa9e665e9e48dcb3acc962a7699923bdb92477f1b2e352b0e946de664e76ab72798cad77e1d2eafc2e6dc167e3dee2bf91d866e5  grsecurity-2.9.1-3.10.14-unofficial.patch
+41f612dc912df68a69bb44343748be5c7b3c1525654890a1d896f466ef6aa22d35343f59a2c4319cde1858a6407f9366817c762670dd711d9ff2890291fa60cc  patch-3.10.15.xz
+7838f4f43c1259d587979255a403b17be26d687aac91d43084417057267fd12643e99beccfbe21f22ed3d423080d9cdd7086598c8cc7e922ddae1024ce1f8005  grsecurity-2.9.1-3.10.15-unofficial.patch
 81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02  0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
 51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c  0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e  0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
@@ -183,5 +186,6 @@ d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d71
 28a33e644bf2faf99c8dd6dbccfe14e140dfdd8824a8fb2d58aa7deb9e572f130d92b6b35ee181084050d82166bdf2e498a451a2a538a67b7ab84204405d2d87  0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
 249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205  0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
 4665c56ae1bbac311f9205d64918e84ee8b01d47d6e2396ff6b8adfb10aada7f7254531ce62e31edbb65c2a54a830f09ad05d314dfcd75d6272f4068945ad7c7  fix-memory-map-for-PIE-applications.patch
+39fc019ac5ea5ada03c29846f22ddab0735e288bb3ad8d2109628e5d77d24bd09e6972eea6ee912768391399efe069e77c0e53b8a22329328bcc51f09f963f05  ipv6-udp-packets-following-an-UFO-enqueued-packet-needs-al.patch
 1721542ff111c8ec550323dae6f6174131db180668cbf14f01dc4c76ffbbb479715919a80c35d8c8ac22a6479dd3b42700be6ddc5ef2a8b6a62de811c7ae86df  kernelconfig.x86
 d49bf57bd0aae17d762d87d5bf983e48219d71ca44bc0c3120db94d357192c07146a8938cef9d435218e4bb748691ec426387545837be637d47e45cdc4482d71  kernelconfig.x86_64"
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.10.14-unofficial.patch b/main/linux-grsec/grsecurity-2.9.1-3.10.15-unofficial.patch
index 386c1a5258..bd0f3808e8 100644
--- a/main/linux-grsec/grsecurity-2.9.1-3.10.14-unofficial.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.10.15-unofficial.patch
@@ -281,7 +281,7 @@ index 2fe6e76..889ee23 100644
  
  	pcd.		[PARIDE]
 diff --git a/Makefile b/Makefile
-index 129c49f..643835b 100644
+index 9a77179..052a254 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -25220,7 +25220,7 @@ index 2cb9470..ff1fd80 100644
  
  	return ret;
 diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
-index 76fa1e9..abf09ea 100644
+index 90fd119..61aa5d2 100644
 --- a/arch/x86/kernel/reboot.c
 +++ b/arch/x86/kernel/reboot.c
 @@ -36,7 +36,7 @@ void (*pm_power_off)(void);
@@ -25275,7 +25275,7 @@ index 76fa1e9..abf09ea 100644
  		     "rm" (real_mode_header->machine_real_restart_asm),
  		     "a" (type));
  #else
-@@ -531,7 +558,7 @@ void __attribute__((weak)) mach_reboot_fixups(void)
+@@ -547,7 +574,7 @@ void __attribute__((weak)) mach_reboot_fixups(void)
   * try to force a triple fault and then cycle between hitting the keyboard
   * controller and doing that
   */
@@ -25284,7 +25284,7 @@ index 76fa1e9..abf09ea 100644
  {
  	int i;
  	int attempt = 0;
-@@ -654,13 +681,13 @@ void native_machine_shutdown(void)
+@@ -670,13 +697,13 @@ void native_machine_shutdown(void)
  #endif
  }
  
@@ -25300,7 +25300,7 @@ index 76fa1e9..abf09ea 100644
  {
  	pr_notice("machine restart\n");
  
-@@ -669,7 +696,7 @@ static void native_machine_restart(char *__unused)
+@@ -685,7 +712,7 @@ static void native_machine_restart(char *__unused)
  	__machine_emergency_restart(0);
  }
  
@@ -25309,7 +25309,7 @@ index 76fa1e9..abf09ea 100644
  {
  	/* Stop other cpus and apics */
  	machine_shutdown();
-@@ -679,7 +706,7 @@ static void native_machine_halt(void)
+@@ -695,7 +722,7 @@ static void native_machine_halt(void)
  	stop_this_cpu(NULL);
  }
  
@@ -25318,7 +25318,7 @@ index 76fa1e9..abf09ea 100644
  {
  	if (pm_power_off) {
  		if (!reboot_force)
-@@ -688,9 +715,10 @@ static void native_machine_power_off(void)
+@@ -704,9 +731,10 @@ static void native_machine_power_off(void)
  	}
  	/* A fallback in case there is no PM info available */
  	tboot_shutdown(TB_SHUTDOWN_HALT);
@@ -39029,10 +39029,10 @@ index c8d16a6..ca71b5e 100644
  	iir = I915_READ(IIR);
  
 diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index eea5982..eeef407 100644
+index 2667d6d..410dc80 100644
 --- a/drivers/gpu/drm/i915/intel_display.c
 +++ b/drivers/gpu/drm/i915/intel_display.c
-@@ -8935,13 +8935,13 @@ struct intel_quirk {
+@@ -8939,13 +8939,13 @@ struct intel_quirk {
  	int subsystem_vendor;
  	int subsystem_device;
  	void (*hook)(struct drm_device *dev);
@@ -39048,7 +39048,7 @@ index eea5982..eeef407 100644
  
  static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
  {
-@@ -8949,18 +8949,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
+@@ -8953,18 +8953,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
  	return 1;
  }
  
@@ -39440,7 +39440,7 @@ index 5a82b6b..9e69c73 100644
  	if (regcomp
  	    (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
 diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
-index b0dc0b6..a9bfe9c 100644
+index 8df1525..62e95ef 100644
 --- a/drivers/gpu/drm/radeon/radeon_device.c
 +++ b/drivers/gpu/drm/radeon/radeon_device.c
 @@ -1014,7 +1014,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev)
@@ -40213,10 +40213,10 @@ index 6351aba..dc4aaf4 100644
  	int res = 0;
  
 diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c
-index 62c2e32..8f2859a 100644
+index 98814d1..9435d05 100644
 --- a/drivers/hwmon/applesmc.c
 +++ b/drivers/hwmon/applesmc.c
-@@ -1084,7 +1084,7 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num)
+@@ -1093,7 +1093,7 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num)
  {
  	struct applesmc_node_group *grp;
  	struct applesmc_dev_attr *node;
@@ -42066,7 +42066,7 @@ index 60bce43..9b997d0 100644
  	pmd->bl_info.value_type.inc = data_block_inc;
  	pmd->bl_info.value_type.dec = data_block_dec;
 diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index 33f2010..23fb84c 100644
+index 1c13071..4bb0452 100644
 --- a/drivers/md/dm.c
 +++ b/drivers/md/dm.c
 @@ -169,9 +169,9 @@ struct mapped_device {
@@ -42101,7 +42101,7 @@ index 33f2010..23fb84c 100644
  	wake_up(&md->eventq);
  }
  
-@@ -2690,18 +2690,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
+@@ -2701,18 +2701,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
  
  uint32_t dm_next_uevent_seq(struct mapped_device *md)
  {
@@ -53794,7 +53794,7 @@ index d50bbe5..af3b649 100644
  			goto err;
  		}
 diff --git a/fs/bio.c b/fs/bio.c
-index c5eae72..599e3cf 100644
+index 5e7507d..418c639 100644
 --- a/fs/bio.c
 +++ b/fs/bio.c
 @@ -1106,7 +1106,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
diff --git a/main/linux-grsec/ipv6-udp-packets-following-an-UFO-enqueued-packet-needs-al.patch b/main/linux-grsec/ipv6-udp-packets-following-an-UFO-enqueued-packet-needs-al.patch
new file mode 100644
index 0000000000..a98faca44e
--- /dev/null
+++ b/main/linux-grsec/ipv6-udp-packets-following-an-UFO-enqueued-packet-needs-al.patch
@@ -0,0 +1,118 @@
+From 2811ebac2521ceac84f2bdae402455baa6a7fb47 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Sat, 21 Sep 2013 04:27:00 +0000
+Subject: ipv6: udp packets following an UFO enqueued packet need also be handled by UFO
+
+In the following scenario the socket is corked:
+If the first UDP packet is larger then the mtu we try to append it to the
+write queue via ip6_ufo_append_data. A following packet, which is smaller
+than the mtu would be appended to the already queued up gso-skb via
+plain ip6_append_data. This causes random memory corruptions.
+
+In ip6_ufo_append_data we also have to be careful to not queue up the
+same skb multiple times. So setup the gso frame only when no first skb
+is available.
+
+This also fixes a shortcoming where we add the current packet's length to
+cork->length but return early because of a packet > mtu with dontfrag set
+(instead of sutracting it again).
+
+Found with trinity.
+
+Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 3a692d5..a54c45c 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1015,6 +1015,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
+ 	 * udp datagram
+ 	 */
+ 	if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) {
++		struct frag_hdr fhdr;
++
+ 		skb = sock_alloc_send_skb(sk,
+ 			hh_len + fragheaderlen + transhdrlen + 20,
+ 			(flags & MSG_DONTWAIT), &err);
+@@ -1036,12 +1038,6 @@ static inline int ip6_ufo_append_data(struct sock *sk,
+ 		skb->protocol = htons(ETH_P_IPV6);
+ 		skb->ip_summed = CHECKSUM_PARTIAL;
+ 		skb->csum = 0;
+-	}
+-
+-	err = skb_append_datato_frags(sk,skb, getfrag, from,
+-				      (length - transhdrlen));
+-	if (!err) {
+-		struct frag_hdr fhdr;
+ 
+ 		/* Specify the length of each IPv6 datagram fragment.
+ 		 * It has to be a multiple of 8.
+@@ -1052,15 +1048,10 @@ static inline int ip6_ufo_append_data(struct sock *sk,
+ 		ipv6_select_ident(&fhdr, rt);
+ 		skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
+ 		__skb_queue_tail(&sk->sk_write_queue, skb);
+-
+-		return 0;
+ 	}
+-	/* There is not enough support do UPD LSO,
+-	 * so follow normal path
+-	 */
+-	kfree_skb(skb);
+ 
+-	return err;
++	return skb_append_datato_frags(sk, skb, getfrag, from,
++				       (length - transhdrlen));
+ }
+ 
+ static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src,
+@@ -1227,27 +1218,27 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
+ 	 * --yoshfuji
+ 	 */
+ 
+-	cork->length += length;
+-	if (length > mtu) {
+-		int proto = sk->sk_protocol;
+-		if (dontfrag && (proto == IPPROTO_UDP || proto == IPPROTO_RAW)){
+-			ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
+-			return -EMSGSIZE;
+-		}
+-
+-		if (proto == IPPROTO_UDP &&
+-		    (rt->dst.dev->features & NETIF_F_UFO)) {
++	if ((length > mtu) && dontfrag && (sk->sk_protocol == IPPROTO_UDP ||
++					   sk->sk_protocol == IPPROTO_RAW)) {
++		ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
++		return -EMSGSIZE;
++	}
+ 
+-			err = ip6_ufo_append_data(sk, getfrag, from, length,
+-						  hh_len, fragheaderlen,
+-						  transhdrlen, mtu, flags, rt);
+-			if (err)
+-				goto error;
+-			return 0;
+-		}
++	skb = skb_peek_tail(&sk->sk_write_queue);
++	cork->length += length;
++	if (((length > mtu) ||
++	     (skb && skb_is_gso(skb))) &&
++	    (sk->sk_protocol == IPPROTO_UDP) &&
++	    (rt->dst.dev->features & NETIF_F_UFO)) {
++		err = ip6_ufo_append_data(sk, getfrag, from, length,
++					  hh_len, fragheaderlen,
++					  transhdrlen, mtu, flags, rt);
++		if (err)
++			goto error;
++		return 0;
+ 	}
+ 
+-	if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL)
++	if (!skb)
+ 		goto alloc_new_skb;
+ 
+ 	while (length > 0) {
+--
+cgit v0.9.2