authorLeonardo Arena <rnalrd@alpinelinux.org>2016-01-01 10:49:21 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2016-01-01 11:23:41 +0000
commit4e1c1da17e075b7dbabef56d8f11b1b31f89bed9 (patch)
treeb059d35eeb962a5f40a5b417cf1a53ca79b82f9f /main/linux-grsec
parenta580066b5c02d154c8a4cc0acfd2a2ef8c08afb6 (diff)
main/linux-grsec: security fixes (CVE-2015-7872, CVE-2015-7885)
Diffstat (limited to 'main/linux-grsec')
-rw-r--r--main/linux-grsec/APKBUILD14
-rw-r--r--main/linux-grsec/keys-fix-race-between-destruction-and-finding-keyring-by-name.patch52
-rw-r--r--main/linux-grsec/keys-fixes.patch117
-rw-r--r--main/linux-grsec/staging-dgnc-fix-info-leak-in-ioctl.patch33
4 files changed, 215 insertions, 1 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 7fc883b8ba..0445aee049 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -7,7 +7,7 @@ case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
esac
-pkgrel=1
+pkgrel=2
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs"
@@ -26,9 +26,12 @@ source="http://ftp.kernel.org/pub/linux/kernel/v4.x/linux-$_kernver.tar.xz
validate-vj-compression-slot-parameters-completely.patch
kvm-svm-unconditionally-intercept-#db.patch
vivid-osd-fix-info-leak-in-ioctl.patch
+ staging-dgnc-fix-info-leak-in-ioctl.patch
net-add-validation-socket-syscall-protocol-argument.patch
pptp-verify-sockaddr_len.patch
ovl-fix-permission-checking-for-setattr.patch
+ keys-fix-race-between-destruction-and-finding-keyring-by-name.patch
+ keys-fixes.patch
config-grsec.x86
config-grsec.x86_64
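Review bot: The two new keys entries in source= have an ordering dependency that the list does not record: keys-fixes.patch changes security/keys/gc.c starting from blob 39eac1f, which is the blob keys-fix-race-between-destruction-and-finding-keyring-by-name.patch produces, so it only applies after that file. The present order is correct if the package applies patches in source order, which seems to be the case here but the function that applies them is outside the hunk. Recording this above the assignment, for example `# keys-fixes.patch must follow keys-fix-race-between-destruction-and-finding-keyring-by-name.patch (same gc.c hunk)`, would stop a later reorder or a drop of one file from silently breaking the build; a shell comment cannot go inside the quoted source= string itself. The same ordering applies to the checksum hunks below, which list the files in the same sequence.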
@@ -219,9 +222,12 @@ b0337a2a9abed17c37eae5db332522d2 fix-spi-nor-namespace-clash.patch
9b150b8017a25fb6c9e9e29b1f1e791f validate-vj-compression-slot-parameters-completely.patch
c02b7d642341d3b82cff47d801813254 kvm-svm-unconditionally-intercept-#db.patch
b52be7e646d3572687e4d26d4291233e vivid-osd-fix-info-leak-in-ioctl.patch
+6c48221dbad6928f2b9f6c1f521c5844 staging-dgnc-fix-info-leak-in-ioctl.patch
730439fc2751795dc00f1fb3ec810b12 net-add-validation-socket-syscall-protocol-argument.patch
e4590e034252bb838220d2bedc19be2e pptp-verify-sockaddr_len.patch
5f27a173424a42db509b46372c200e85 ovl-fix-permission-checking-for-setattr.patch
+0526ef5b0cb5c8b697ab8fcd337d303e keys-fix-race-between-destruction-and-finding-keyring-by-name.patch
+370b4498d0dc52eb8a85a23a5973bebf keys-fixes.patch
f8eec4df8fcd64f5f4810a2840e8cee7 config-grsec.x86
dcccfa220ed2b2041971492d1dfa9440 config-grsec.x86_64
cf395fd923139074f3f1095c29a63e2b config-grsec.armhf
@@ -237,9 +243,12 @@ a92b81dbd4fa4fbee28cebad93b0bd623820c809e98e8841151842341b9626eb grsec-4.1.15-3
d2670dc40c47de365d36ba1e1bbef0ea3e6381f5d4c38e88a4c5db2eb4383925 validate-vj-compression-slot-parameters-completely.patch
eb787ea2e4637708475569f7498c1ef0fa5e4e80ae22df5c5f44092615f86ebd kvm-svm-unconditionally-intercept-#db.patch
4070f46003fb5e1a16474f682da78d989809272a7aa209f794caa8d0b941e2c0 vivid-osd-fix-info-leak-in-ioctl.patch
+144886917b2c5ff880c4beb11ca8743b98ea5ed49bbd10a54a98e1d76cfe23b5 staging-dgnc-fix-info-leak-in-ioctl.patch
180af96ce8310913f6662be50ca69c9737af250ef8dd3fdefdc58bef5f55ca9e net-add-validation-socket-syscall-protocol-argument.patch
5d3f0311176addb6cbbe0739736962cdb3826816e5cc0384f52d34cbd7c2c2a0 pptp-verify-sockaddr_len.patch
79fa593d628d740c7bc2b68398ab381ad978293102d1f282919ee69aeab6a17d ovl-fix-permission-checking-for-setattr.patch
+c3a7a6d1ca5c23c98ea703c716144dc88b5bcf5052416a7ff3c766beed78d7db keys-fix-race-between-destruction-and-finding-keyring-by-name.patch
+653bdfac4fdac0fed19b60c8ae34afe97a699bbabe0e00888584c1ef52a626e1 keys-fixes.patch
b179db21c31861da5da8a49307994e11e6a6b83d88fb3dffcf20b369ab32f8e6 config-grsec.x86
f2c3a2b565346baa29bdf48bab6da6fcfa1723b505237ef33a0655bf80ef2e18 config-grsec.x86_64
b996d6fc9eb8bd453826fb9c0ae573ef42a6fff3193adf33c2bf14480924ca16 config-grsec.armhf
@@ -255,9 +264,12 @@ c737219a382206894889ddf8e807836a6fd08bb983b5e2327fae9f8427a0fa591c17f896b6e3f8da
528604f2296bd1a67e32b465b4885ddba8ccf50925909e80cc523186ab03439c47eb5c016c133f3e3f27b0666f234f88a9c33399d7550867a448e12c73f878c2 validate-vj-compression-slot-parameters-completely.patch
5d9628e59117b9b0e464bfdac4249663a8c46f8c0ac5f521e19bbb1d59ad3a0dc0d97de34a1f011033d31c792452e6b20a70081ec8cc208bf0671fb50017ab6c kvm-svm-unconditionally-intercept-#db.patch
98bd4ef55ce0b7c4b4fee638ba079555a7363f1b34bc415135bd2fcbd12957ef45d569d7bf85edcbf322638f9951e01951807279279e729bbc13bee3be5d2b45 vivid-osd-fix-info-leak-in-ioctl.patch
+51bdf43837e0bc24771b6dd67e4f5f49ae77716a49155b2b04ca17aa84a7aea65f858733795a91d8c5c3221a77c576370c0ccc7e711c32edaa87210cf55974ec staging-dgnc-fix-info-leak-in-ioctl.patch
d41f3b7c30d59a0fb43f877fff5a311c7fad8e12dfb51c519af368e8d1511202e6cceace3e051620a90e30f3c4b170847172764db045c9a5777663e2e9f2116c net-add-validation-socket-syscall-protocol-argument.patch
9454738454abee92200c7025a5b19e6870056ee71faf7e78dc10c0e7317e2d27c940ab031e2e53db856e1bea3b3fe5e32ce5aaa7c29dc833aa0f75d35bbf7a79 pptp-verify-sockaddr_len.patch
061d58353e8d8eb83a10ae1cdfd16ff5d982ee594decd115d42f438293747b9f4ea3cb16ce242685b34d52ca57feb3b8e9f344adc425e1894f0283abe47ef355 ovl-fix-permission-checking-for-setattr.patch
+d4d65eacdac1d9baed2ddf926f09a6d66b4dc42ea40ac9b118ad69dfd8dcc06052afb742aaf906fad54d70182d2243bdc1f0649eea7754a2402fc94447d568b1 keys-fix-race-between-destruction-and-finding-keyring-by-name.patch
+2611db9cca53ac6851beb9f48e51651090e6b97a644d260671d6f4aa2b2d75ff71276b6d14d0b2e5908bc261c86fc6c2dc4bd88e093fdd74e144983c720f0a2b keys-fixes.patch
b31862d0998cbe72882f2db3ab9452051bb5202a3921f5f4aebb24727a187227792af88c6b6ceef8ff28ab34123d1321bb8d06656f37c844afcf566571ba8865 config-grsec.x86
87c4c3be53f03ee6e7c4fa1853b43c506ee5d35d4c156b5030424b7712e469521898a56c0b6a4562e31ea2bca855dae7429ea9048f9d2fa8b29db2d14211d230 config-grsec.x86_64
aecd465ceb265355ef71c213ee589cc18c7695589e3410fb8762669d5f728a7e071e1b05e3864a8c621dec870a472a0e1075b2b335fafabfe62891c7d746161d config-grsec.armhf
diff --git a/main/linux-grsec/keys-fix-race-between-destruction-and-finding-keyring-by-name.patch b/main/linux-grsec/keys-fix-race-between-destruction-and-finding-keyring-by-name.patch
new file mode 100644
index 0000000000..792296068f
--- /dev/null
+++ b/main/linux-grsec/keys-fix-race-between-destruction-and-finding-keyring-by-name.patch
@@ -0,0 +1,52 @@
+From 94c4554ba07adbdde396748ee7ae01e86cf2d8d7 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 25 Sep 2015 16:30:08 +0100
+Subject: KEYS: Fix race between key destruction and finding a keyring by name
+
+There appears to be a race between:
+
+ (1) key_gc_unused_keys() which frees key->security and then calls
+ keyring_destroy() to unlink the name from the name list
+
+ (2) find_keyring_by_name() which calls key_permission(), thus accessing
+ key->security, on a key before checking to see whether the key usage is 0
+ (ie. the key is dead and might be cleaned up).
+
+Fix this by calling ->destroy() before cleaning up the core key data -
+including key->security.
+
+Reported-by: Petr Matousek <pmatouse@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ security/keys/gc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/security/keys/gc.c b/security/keys/gc.c
+index c795237..39eac1f 100644
+--- a/security/keys/gc.c
++++ b/security/keys/gc.c
+@@ -134,6 +134,10 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
+ kdebug("- %u", key->serial);
+ key_check(key);
+
++ /* Throw away the key data */
++ if (key->type->destroy)
++ key->type->destroy(key);
++
+ security_key_free(key);
+
+ /* deal with the user's key tracking and quota */
+@@ -148,10 +152,6 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
+ if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
+ atomic_dec(&key->user->nikeys);
+
+- /* now throw away the key memory */
+- if (key->type->destroy)
+- key->type->destroy(key);
+-
+ key_user_put(key->user);
+
+ kfree(key->description);
+--
+cgit v0.11.2
+
diff --git a/main/linux-grsec/keys-fixes.patch b/main/linux-grsec/keys-fixes.patch
new file mode 100644
index 0000000000..8ef8a0c359
--- /dev/null
+++ b/main/linux-grsec/keys-fixes.patch
@@ -0,0 +1,117 @@
+From f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 15 Oct 2015 17:21:37 +0100
+Subject: KEYS: Fix crash when attempt to garbage collect an uninstantiated
+ keyring
+
+The following sequence of commands:
+
+ i=`keyctl add user a a @s`
+ keyctl request2 keyring foo bar @t
+ keyctl unlink $i @s
+
+tries to invoke an upcall to instantiate a keyring if one doesn't already
+exist by that name within the user's keyring set. However, if the upcall
+fails, the code sets keyring->type_data.reject_error to -ENOKEY or some
+other error code. When the key is garbage collected, the key destroy
+function is called unconditionally and keyring_destroy() uses list_empty()
+on keyring->type_data.link - which is in a union with reject_error.
+Subsequently, the kernel tries to unlink the keyring from the keyring names
+list - which oopses like this:
+
+ BUG: unable to handle kernel paging request at 00000000ffffff8a
+ IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
+ ...
+ Workqueue: events key_garbage_collector
+ ...
+ RIP: 0010:[<ffffffff8126e051>] keyring_destroy+0x3d/0x88
+ RSP: 0018:ffff88003e2f3d30 EFLAGS: 00010203
+ RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
+ RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
+ R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900
+ R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000
+ ...
+ CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
+ ...
+ Call Trace:
+ [<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f
+ [<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351
+ [<ffffffff8105ec9b>] process_one_work+0x28e/0x547
+ [<ffffffff8105fd17>] worker_thread+0x26e/0x361
+ [<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8
+ [<ffffffff810648ad>] kthread+0xf3/0xfb
+ [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
+ [<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70
+ [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
+
+Note the value in RAX. This is a 32-bit representation of -ENOKEY.
+
+The solution is to only call ->destroy() if the key was successfully
+instantiated.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+---
+ security/keys/gc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/security/keys/gc.c b/security/keys/gc.c
+index 39eac1f..addf060 100644
+--- a/security/keys/gc.c
++++ b/security/keys/gc.c
+@@ -134,8 +134,10 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
+ kdebug("- %u", key->serial);
+ key_check(key);
+
+- /* Throw away the key data */
+- if (key->type->destroy)
++ /* Throw away the key data if the key is instantiated */
++ if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) &&
++ !test_bit(KEY_FLAG_NEGATIVE, &key->flags) &&
++ key->type->destroy)
+ key->type->destroy(key);
+
+ security_key_free(key);
+--
+cgit v0.11.2
+
+
+From 911b79cde95c7da0ec02f48105358a36636b7a71 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 19 Oct 2015 11:20:28 +0100
+Subject: KEYS: Don't permit request_key() to construct a new keyring
+
+If request_key() is used to find a keyring, only do the search part - don't
+do the construction part if the keyring was not found by the search. We
+don't really want keyrings in the negative instantiated state since the
+rejected/negative instantiation error value in the payload is unioned with
+keyring metadata.
+
+Now the kernel gives an error:
+
+ request_key("keyring", "#selinux,bdekeyring", "keyring", KEY_SPEC_USER_SESSION_KEYRING) = -1 EPERM (Operation not permitted)
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ security/keys/request_key.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/security/keys/request_key.c b/security/keys/request_key.c
+index 486ef6f..0d62531 100644
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -440,6 +440,9 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
+
+ kenter("");
+
++ if (ctx->index_key.type == &key_type_keyring)
++ return ERR_PTR(-EPERM);
++
+ user = key_user_lookup(current_fsuid());
+ if (!user)
+ return ERR_PTR(-ENOMEM);
+--
+cgit v0.11.2
+
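Review bot: keys-fixes.patch bundles two separate upstream commits under one non-descriptive file name, whereas the other two new files carry one commit each: f05819df fixes the garbage-collector crash on an uninstantiated keyring, and 911b79cd makes construct_key_and_link() return ERR_PTR(-EPERM) whenever the requested type is key_type_keyring. The second is a user-visible behaviour change, as the upstream message itself shows with `request_key("keyring", ...) = -1 EPERM`, and the aports commit message mentions only the CVE ids. Splitting the file into two patches named after their subjects, or at least noting the new EPERM result in the commit message, would make it auditable which change carries which fix. Whether any userspace in the distribution relies on request_key() constructing keyrings cannot be determined from this page.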
diff --git a/main/linux-grsec/staging-dgnc-fix-info-leak-in-ioctl.patch b/main/linux-grsec/staging-dgnc-fix-info-leak-in-ioctl.patch
new file mode 100644
index 0000000000..c89d8d3b1e
--- /dev/null
+++ b/main/linux-grsec/staging-dgnc-fix-info-leak-in-ioctl.patch
@@ -0,0 +1,33 @@
+From 4b6184336ebb5c8dc1eae7f7ab46ee608a748b05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speirofr@gmail.com>
+Date: Wed, 14 Oct 2015 17:48:02 +0200
+Subject: staging/dgnc: fix info leak in ioctl
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The dgnc_mgmt_ioctl() code fails to initialize the 16 _reserved bytes of
+struct digi_dinfo after the ->dinfo_nboards member. Add an explicit
+memset(0) before filling the structure to avoid the info leak.
+
+Signed-off-by: Salva Peiró <speirofr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/dgnc/dgnc_mgmt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/dgnc/dgnc_mgmt.c b/drivers/staging/dgnc/dgnc_mgmt.c
+index 9ec3efe..518fbd5 100644
+--- a/drivers/staging/dgnc/dgnc_mgmt.c
++++ b/drivers/staging/dgnc/dgnc_mgmt.c
+@@ -110,6 +110,7 @@ long dgnc_mgmt_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+
+ spin_lock_irqsave(&dgnc_global_lock, flags);
+
++ memset(&ddi, 0, sizeof(ddi));
+ ddi.dinfo_nboards = dgnc_NumBoards;
+ sprintf(ddi.dinfo_version, "%s", DG_PART);
+
+--
+cgit v0.11.2
+