diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2012-10-01 09:08:07 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2012-10-01 09:43:19 +0000 |
commit | 1dff697f8db0cbf2f0a6ea983ef225b9fa9604a8 (patch) | |
tree | 321401887711383bff2743f851b8f9005222f363 /main/linux-grsec | |
parent | efdc2d1f01d104449fe029f22dd17561ea804552 (diff) | |
download | aports-1dff697f8db0cbf2f0a6ea983ef225b9fa9604a8.tar.bz2 aports-1dff697f8db0cbf2f0a6ea983ef225b9fa9604a8.tar.xz |
main/linux-grsec: import pax changes from upstream
merge in changes up to pax-linux-3.2.30-test78 /
pax-linux-3.5.4-test30
Diffstat (limited to 'main/linux-grsec')
-rw-r--r-- | main/linux-grsec/APKBUILD | 6 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.9.1-3.4.11-3.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.4.11-2.patch) | 627 |
2 files changed, 588 insertions, 45 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index 2c91259e4..5ebe063c2 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -4,7 +4,7 @@ _flavor=grsec pkgname=linux-${_flavor} pkgver=3.4.11 _kernver=3.4 -pkgrel=1 +pkgrel=2 pkgdesc="Linux kernel with grsecurity" url=http://grsecurity.net depends="mkinitfs linux-firmware" @@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}} install= source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz - grsecurity-2.9.1-$pkgver-2.patch + grsecurity-2.9.1-$pkgver-3.patch 0004-arp-flush-arp-cache-on-device-change.patch 0001-Revert-ipv4-Don-t-use-the-cached-pmtu-informations-f.patch @@ -142,7 +142,7 @@ dev() { md5sums="967f72983655e2479f951195953e8480 linux-3.4.tar.xz 2149df47fc96fec05787bf0197fb7b16 patch-3.4.11.xz -2a05125c1486b1db0fd59a90d11d8b7a grsecurity-2.9.1-3.4.11-2.patch +fe55cc4d88fa6749b90d77152b42ea7f grsecurity-2.9.1-3.4.11-3.patch 776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch cb6fcd6e966e73c87a839c4c0183f81f 0001-Revert-ipv4-Don-t-use-the-cached-pmtu-informations-f.patch d2f7ba780ff7567c21381428264d7fdd intel_idle.patch diff --git a/main/linux-grsec/grsecurity-2.9.1-3.4.11-2.patch b/main/linux-grsec/grsecurity-2.9.1-3.4.11-3.patch index cdb78084f..659c8d52c 100644 --- a/main/linux-grsec/grsecurity-2.9.1-3.4.11-2.patch +++ b/main/linux-grsec/grsecurity-2.9.1-3.4.11-3.patch @@ -7576,7 +7576,7 @@ index ef34d2c..d6ce60c 100644 else copy_from_user_overflow(); diff --git a/arch/um/Makefile b/arch/um/Makefile -index 55c0661..86ad413 100644 +index 55c0661..10f4cb1 100644 --- a/arch/um/Makefile +++ b/arch/um/Makefile @@ -62,6 +62,10 @@ USER_CFLAGS = $(patsubst $(KERNEL_DEFINES),,$(patsubst -D__KERNEL__,,\ @@ -7584,7 +7584,7 @@ index 55c0661..86ad413 100644 $(filter -I%,$(CFLAGS)) -D_FILE_OFFSET_BITS=64 -idirafter include +ifdef CONSTIFY_PLUGIN -+USER_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify ++USER_CFLAGS += -fplugin-arg-constify_plugin-no-constify +endif + #This will adjust *FLAGS accordingly to the platform. @@ -7856,7 +7856,7 @@ index b1c611e..2c1a823 100644 +archprepare: + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD))) diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile -index 5a747dd..ff7b12c 100644 +index 5a747dd..00bece7 100644 --- a/arch/x86/boot/Makefile +++ b/arch/x86/boot/Makefile @@ -64,6 +64,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os -D_SETUP -D__KERNEL__ \ @@ -7864,7 +7864,7 @@ index 5a747dd..ff7b12c 100644 $(call cc-option, -mpreferred-stack-boundary=2) KBUILD_CFLAGS += $(call cc-option, -m32) +ifdef CONSTIFY_PLUGIN -+KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify ++KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify +endif KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__ GCOV_PROFILE := n @@ -7914,7 +7914,7 @@ index 18997e5..83d9c67 100644 return diff; } diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile -index e398bb5..3a382ca 100644 +index e398bb5..80fc805 100644 --- a/arch/x86/boot/compressed/Makefile +++ b/arch/x86/boot/compressed/Makefile @@ -14,6 +14,9 @@ cflags-$(CONFIG_X86_64) := -mcmodel=small @@ -7922,7 +7922,7 @@ index e398bb5..3a382ca 100644 KBUILD_CFLAGS += $(call cc-option,-ffreestanding) KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector) +ifdef CONSTIFY_PLUGIN -+KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify ++KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify +endif KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__ @@ -13774,7 +13774,7 @@ index c6ce245..ffbdab7 100644 "2:\n" ".section .fixup,\"ax\"\n" diff --git a/arch/x86/kernel/acpi/realmode/Makefile b/arch/x86/kernel/acpi/realmode/Makefile -index 6a564ac..9b1340c 100644 +index 6a564ac..3f3a3d7 100644 --- a/arch/x86/kernel/acpi/realmode/Makefile +++ b/arch/x86/kernel/acpi/realmode/Makefile @@ -41,6 +41,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os -D_SETUP -D_WAKEUP -D__KERNEL__ \ @@ -13782,7 +13782,7 @@ index 6a564ac..9b1340c 100644 $(call cc-option, -mpreferred-stack-boundary=2) KBUILD_CFLAGS += $(call cc-option, -m32) +ifdef CONSTIFY_PLUGIN -+KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify ++KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify +endif KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__ GCOV_PROFILE := n @@ -19852,7 +19852,7 @@ index c6eba2b..3303326 100644 return pc; } diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c -index 9d9d2f9..ed344e4 100644 +index 9d9d2f9..cad418a 100644 --- a/arch/x86/kernel/tls.c +++ b/arch/x86/kernel/tls.c @@ -84,6 +84,11 @@ int do_set_thread_area(struct task_struct *p, int idx, @@ -19867,6 +19867,15 @@ index 9d9d2f9..ed344e4 100644 set_tls_desc(p, idx, &info, 1); return 0; +@@ -204,7 +209,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, + + if (kbuf) + info = kbuf; +- else if (__copy_from_user(infobuf, ubuf, count)) ++ else if (count > sizeof infobuf || __copy_from_user(infobuf, ubuf, count)) + return -EFAULT; + else + info = infobuf; diff --git a/arch/x86/kernel/trampoline_32.S b/arch/x86/kernel/trampoline_32.S index 451c0a7..e57f551 100644 --- a/arch/x86/kernel/trampoline_32.S @@ -20782,9 +20791,28 @@ index 185a2b8..866d2a6 100644 int r; struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque; diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c -index 642d880..44e0f3f 100644 +index 642d880..cc9ebac 100644 --- a/arch/x86/lguest/boot.c +++ b/arch/x86/lguest/boot.c +@@ -1116,12 +1116,12 @@ static u32 lguest_apic_safe_wait_icr_idle(void) + + static void set_lguest_basic_apic_ops(void) + { +- apic->read = lguest_apic_read; +- apic->write = lguest_apic_write; +- apic->icr_read = lguest_apic_icr_read; +- apic->icr_write = lguest_apic_icr_write; +- apic->wait_icr_idle = lguest_apic_wait_icr_idle; +- apic->safe_wait_icr_idle = lguest_apic_safe_wait_icr_idle; ++ *(void **)&apic->read = lguest_apic_read; ++ *(void **)&apic->write = lguest_apic_write; ++ *(void **)&apic->icr_read = lguest_apic_icr_read; ++ *(void **)&apic->icr_write = lguest_apic_icr_write; ++ *(void **)&apic->wait_icr_idle = lguest_apic_wait_icr_idle; ++ *(void **)&apic->safe_wait_icr_idle = lguest_apic_safe_wait_icr_idle; + }; + #endif + @@ -1200,9 +1200,10 @@ static __init int early_put_chars(u32 vtermno, const char *buf, int count) * Rebooting also tells the Host we're finished, but the RESTART flag tells the * Launcher to reboot us. @@ -27252,7 +27280,7 @@ index 00aaf04..4a26505 100644 -} -__setup("vdso=", vdso_setup); diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index 40edfc3..b4d80ac 100644 +index 40edfc3..9911bdb 100644 --- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c @@ -95,8 +95,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); @@ -27264,6 +27292,29 @@ index 40edfc3..b4d80ac 100644 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE); __read_mostly int xen_have_vector_callback; EXPORT_SYMBOL_GPL(xen_have_vector_callback); +@@ -883,14 +881,14 @@ static u32 xen_safe_apic_wait_icr_idle(void) + + static void set_xen_basic_apic_ops(void) + { +- apic->read = xen_apic_read; +- apic->write = xen_apic_write; +- apic->icr_read = xen_apic_icr_read; +- apic->icr_write = xen_apic_icr_write; +- apic->wait_icr_idle = xen_apic_wait_icr_idle; +- apic->safe_wait_icr_idle = xen_safe_apic_wait_icr_idle; +- apic->set_apic_id = xen_set_apic_id; +- apic->get_apic_id = xen_get_apic_id; ++ *(void **)&apic->read = xen_apic_read; ++ *(void **)&apic->write = xen_apic_write; ++ *(void **)&apic->icr_read = xen_apic_icr_read; ++ *(void **)&apic->icr_write = xen_apic_icr_write; ++ *(void **)&apic->wait_icr_idle = xen_apic_wait_icr_idle; ++ *(void **)&apic->safe_wait_icr_idle = xen_safe_apic_wait_icr_idle; ++ *(void **)&apic->set_apic_id = xen_set_apic_id; ++ *(void **)&apic->get_apic_id = xen_get_apic_id; + } + + #endif @@ -1165,30 +1163,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { #endif }; @@ -35382,6 +35433,29 @@ index ee11e93..c8f19c7 100644 err = platform_driver_register(&sk_isa_driver); if (err) +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 147b628..7b00f8a 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1243,7 +1243,7 @@ static int set_offload(struct tun_struct *tun, unsigned long arg) + } + + static long __tun_chr_ioctl(struct file *file, unsigned int cmd, +- unsigned long arg, int ifreq_len) ++ unsigned long arg, size_t ifreq_len) + { + struct tun_file *tfile = file->private_data; + struct tun_struct *tun; +@@ -1254,6 +1254,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, + int vnet_hdr_sz; + int ret; + ++ if (ifreq_len > sizeof ifr) ++ return -EFAULT; ++ + if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) { + if (copy_from_user(&ifr, argp, ifreq_len)) + return -EFAULT; diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c index 2d2a688..35f2372 100644 --- a/drivers/net/usb/hso.c @@ -35758,6 +35832,167 @@ index faec404..a5277f1 100644 } D_INFO("*** LOAD DRIVER ***\n"); +diff --git a/drivers/net/wireless/iwlwifi/iwl-debugfs.c b/drivers/net/wireless/iwlwifi/iwl-debugfs.c +index 2bbaebd..95a0b40 100644 +--- a/drivers/net/wireless/iwlwifi/iwl-debugfs.c ++++ b/drivers/net/wireless/iwlwifi/iwl-debugfs.c +@@ -157,7 +157,7 @@ static ssize_t iwl_dbgfs_clear_traffic_statistics_write(struct file *file, + struct iwl_priv *priv = file->private_data; + u32 clear_flag; + char buf[8]; +- int buf_size; ++ size_t buf_size; + + memset(buf, 0, sizeof(buf)); + buf_size = min(count, sizeof(buf) - 1); +@@ -305,7 +305,7 @@ static ssize_t iwl_dbgfs_sram_write(struct file *file, + { + struct iwl_priv *priv = file->private_data; + char buf[64]; +- int buf_size; ++ size_t buf_size; + u32 offset, len; + + memset(buf, 0, sizeof(buf)); +@@ -588,7 +588,7 @@ static ssize_t iwl_dbgfs_rx_handlers_write(struct file *file, + struct iwl_priv *priv = file->private_data; + + char buf[8]; +- int buf_size; ++ size_t buf_size; + u32 reset_flag; + + memset(buf, 0, sizeof(buf)); +@@ -669,7 +669,7 @@ static ssize_t iwl_dbgfs_disable_ht40_write(struct file *file, + { + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int ht40; + + memset(buf, 0, sizeof(buf)); +@@ -724,7 +724,7 @@ static ssize_t iwl_dbgfs_sleep_level_override_write(struct file *file, + { + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int value; + + memset(buf, 0, sizeof(buf)); +@@ -882,7 +882,7 @@ static ssize_t iwl_dbgfs_traffic_log_write(struct file *file, + { + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int traffic_log; + + memset(buf, 0, sizeof(buf)); +@@ -2087,7 +2087,7 @@ static ssize_t iwl_dbgfs_clear_ucode_statistics_write(struct file *file, + { + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int clear; + + memset(buf, 0, sizeof(buf)); +@@ -2132,7 +2132,7 @@ static ssize_t iwl_dbgfs_ucode_tracing_write(struct file *file, + { + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int trace; + + memset(buf, 0, sizeof(buf)); +@@ -2203,7 +2203,7 @@ static ssize_t iwl_dbgfs_missed_beacon_write(struct file *file, + { + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int missed; + + memset(buf, 0, sizeof(buf)); +@@ -2244,7 +2244,7 @@ static ssize_t iwl_dbgfs_plcp_delta_write(struct file *file, + + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int plcp; + + memset(buf, 0, sizeof(buf)); +@@ -2298,7 +2298,7 @@ static ssize_t iwl_dbgfs_force_reset_write(struct file *file, + + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int reset, ret; + + memset(buf, 0, sizeof(buf)); +@@ -2324,7 +2324,7 @@ static ssize_t iwl_dbgfs_txfifo_flush_write(struct file *file, + + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int flush; + + memset(buf, 0, sizeof(buf)); +@@ -2348,7 +2348,7 @@ static ssize_t iwl_dbgfs_wd_timeout_write(struct file *file, + { + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int timeout; + + memset(buf, 0, sizeof(buf)); +@@ -2437,7 +2437,7 @@ static ssize_t iwl_dbgfs_protection_mode_write(struct file *file, + + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int rts; + + if (!cfg(priv)->ht_params) +@@ -2462,7 +2462,7 @@ static ssize_t iwl_dbgfs_echo_test_write(struct file *file, + { + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + + memset(buf, 0, sizeof(buf)); + buf_size = min(count, sizeof(buf) - 1); +diff --git a/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c b/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c +index 8741048..ea9653c 100644 +--- a/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c ++++ b/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c +@@ -2111,7 +2111,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file, + struct isr_statistics *isr_stats = &trans_pcie->isr_stats; + + char buf[8]; +- int buf_size; ++ size_t buf_size; + u32 reset_flag; + + memset(buf, 0, sizeof(buf)); +@@ -2132,7 +2132,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file, + { + struct iwl_trans *trans = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int csr; + + memset(buf, 0, sizeof(buf)); diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index b7ce6a6..5649756 100644 --- a/drivers/net/wireless/mac80211_hwsim.c @@ -41881,7 +42116,7 @@ index d146e18..12d1bd1 100644 fd_offset + ex.a_text); if (error != N_DATADDR(ex)) { diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index 16f7354..7cc1e24 100644 +index 16f7354..a2c5da7 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -32,6 +32,7 @@ @@ -42033,7 +42268,7 @@ index 16f7354..7cc1e24 100644 +#endif + +#ifdef CONFIG_PAX_EMUTRAMP -+ if (elf_phdata->p_flags & PF_EMUTRAMP) ++ if ((elf_phdata->p_flags & PF_EMUTRAMP) && (pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))) + pax_flags |= MF_PAX_EMUTRAMP; +#endif + @@ -69121,7 +69356,7 @@ index 671f959..91c51cb 100644 struct tasklet_struct *list; diff --git a/kernel/sys.c b/kernel/sys.c -index e7006eb..8fb7c51 100644 +index e7006eb..cf33a96 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -158,6 +158,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error) @@ -69245,11 +69480,30 @@ index e7006eb..8fb7c51 100644 abort_creds(new); return old_fsgid; -@@ -1198,7 +1234,10 @@ static int override_release(char __user *release, int len) +@@ -1179,12 +1215,12 @@ DECLARE_RWSEM(uts_sem); + * Work around broken programs that cannot handle "Linux 3.0". + * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40 + */ +-static int override_release(char __user *release, int len) ++static int override_release(char __user *release, size_t len) + { + int ret = 0; +- char buf[65]; + + if (current->personality & UNAME26) { ++ char buf[65] = { 0 }; + char *rest = UTS_RELEASE; + int ndots = 0; + unsigned v; +@@ -1197,8 +1233,14 @@ static int override_release(char __user *release, int len) + rest++; } v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40; ++ if (sizeof buf < len) ++ len = sizeof buf; snprintf(buf, len, "2.6.%u%s", v, rest); - ret = copy_to_user(release, buf, len); ++ buf[len - 1] = 0; + if (len > sizeof(buf)) + ret = -EFAULT; + else @@ -69257,7 +69511,7 @@ index e7006eb..8fb7c51 100644 } return ret; } -@@ -1252,19 +1291,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name) +@@ -1252,19 +1294,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name) return -EFAULT; down_read(&uts_sem); @@ -69282,7 +69536,7 @@ index e7006eb..8fb7c51 100644 __OLD_UTS_LEN); error |= __put_user(0, name->machine + __OLD_UTS_LEN); up_read(&uts_sem); -@@ -1847,7 +1886,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, +@@ -1847,7 +1889,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, error = get_dumpable(me->mm); break; case PR_SET_DUMPABLE: @@ -75036,6 +75290,19 @@ index 5238b6b..c9798ce 100644 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); } +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index 5914623..93355a5 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -941,7 +941,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char + uf.event_mask[1] = *((u32 *) f->event_mask + 1); + } + +- len = min_t(unsigned int, len, sizeof(uf)); ++ len = min((size_t)len, sizeof(uf)); + if (copy_from_user(&uf, optval, len)) { + err = -EFAULT; + break; diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 9a86759..f0951ea 100644 --- a/net/bluetooth/l2cap_core.c @@ -75066,8 +75333,81 @@ index 9a86759..f0951ea 100644 goto done; } } +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 04e7c17..b37a140 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -443,7 +443,8 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us + struct sock *sk = sock->sk; + struct l2cap_chan *chan = l2cap_pi(sk)->chan; + struct l2cap_options opts; +- int len, err = 0; ++ int err = 0; ++ size_t len = optlen; + u32 opt; + + BT_DBG("sk %p", sk); +@@ -465,7 +466,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us + opts.max_tx = chan->max_tx; + opts.txwin_size = chan->tx_win; + +- len = min_t(unsigned int, sizeof(opts), optlen); ++ len = min(sizeof(opts), len); + if (copy_from_user((char *) &opts, optval, len)) { + err = -EFAULT; + break; +@@ -538,7 +539,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch + struct bt_security sec; + struct bt_power pwr; + struct l2cap_conn *conn; +- int len, err = 0; ++ int err = 0; ++ size_t len = optlen; + u32 opt; + + BT_DBG("sk %p", sk); +@@ -561,7 +563,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch + + sec.level = BT_SECURITY_LOW; + +- len = min_t(unsigned int, sizeof(sec), optlen); ++ len = min(sizeof(sec), len); + if (copy_from_user((char *) &sec, optval, len)) { + err = -EFAULT; + break; +@@ -655,7 +657,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch + + pwr.force_active = BT_POWER_FORCE_ACTIVE_ON; + +- len = min_t(unsigned int, sizeof(pwr), optlen); ++ len = min(sizeof(pwr), len); + if (copy_from_user((char *) &pwr, optval, len)) { + err = -EFAULT; + break; +diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c +index a55a43e..57c5d37 100644 +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -684,7 +684,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c + struct sock *sk = sock->sk; + struct bt_security sec; + int err = 0; +- size_t len; ++ size_t len = optlen; + u32 opt; + + BT_DBG("sk %p", sk); +@@ -706,7 +706,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c + + sec.level = BT_SECURITY_LOW; + +- len = min_t(unsigned int, sizeof(sec), optlen); ++ len = min(sizeof(sec), len); + if (copy_from_user((char *) &sec, optval, len)) { + err = -EFAULT; + break; diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c -index 5fe2ff3..10968b5 100644 +index 5fe2ff3..121d696 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -1523,7 +1523,7 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) @@ -75079,6 +75419,24 @@ index 5fe2ff3..10968b5 100644 BUGPRINT("c2u Didn't work\n"); ret = -EFAULT; break; +@@ -2327,7 +2327,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd, + goto out; + tmp.valid_hooks = t->valid_hooks; + +- if (copy_to_user(user, &tmp, *len) != 0) { ++ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) { + ret = -EFAULT; + break; + } +@@ -2338,7 +2338,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd, + tmp.entries_size = t->table->entries_size; + tmp.valid_hooks = t->table->valid_hooks; + +- if (copy_to_user(user, &tmp, *len) != 0) { ++ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) { + ret = -EFAULT; + break; + } diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c index 5cf5222..6f704ad 100644 --- a/net/caif/cfctrl.c @@ -75136,7 +75494,7 @@ index 3d79b12..8de85fa 100644 diff --git a/net/compat.c b/net/compat.c -index ae6d67a..95dbaf6 100644 +index ae6d67a..73c8c35 100644 --- a/net/compat.c +++ b/net/compat.c @@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) @@ -75266,6 +75624,15 @@ index ae6d67a..95dbaf6 100644 struct group_filter __user *kgf; int __user *koptlen; u32 interface, fmode, numsrc; +@@ -805,7 +805,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) + + if (call < SYS_SOCKET || call > SYS_SENDMMSG) + return -EINVAL; +- if (copy_from_user(a, args, nas[call])) ++ if (nas[call] > sizeof a || copy_from_user(a, args, nas[call])) + return -EFAULT; + a0 = a[0]; + a1 = a[1]; diff --git a/net/core/datagram.c b/net/core/datagram.c index e4fbfd6..6a6ac94 100644 --- a/net/core/datagram.c @@ -75499,7 +75866,7 @@ index 611c5ef..88f6d6d 100644 { int new_fd; diff --git a/net/core/sock.c b/net/core/sock.c -index 0f8402e..f0b6338 100644 +index 0f8402e..158dcd1 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -340,7 +340,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) @@ -75547,7 +75914,23 @@ index 0f8402e..f0b6338 100644 goto discard_and_relse; } -@@ -984,7 +984,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname, +@@ -838,12 +838,12 @@ int sock_getsockopt(struct socket *sock, int level, int optname, + struct timeval tm; + } v; + +- int lv = sizeof(int); +- int len; ++ unsigned int lv = sizeof(int); ++ unsigned int len; + + if (get_user(len, optlen)) + return -EFAULT; +- if (len < 0) ++ if (len > INT_MAX) + return -EINVAL; + + memset(&v, 0, sizeof(v)); +@@ -984,18 +984,18 @@ int sock_getsockopt(struct socket *sock, int level, int optname, if (len > sizeof(peercred)) len = sizeof(peercred); cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred, &peercred); @@ -75556,15 +75939,19 @@ index 0f8402e..f0b6338 100644 return -EFAULT; goto lenout; } -@@ -997,7 +997,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname, + + case SO_PEERNAME: + { +- char address[128]; ++ char address[_K_SS_MAXSIZE]; + + if (sock->ops->getname(sock, (struct sockaddr *)address, &lv, 2)) return -ENOTCONN; - if (lv < len) +- if (lv < len) ++ if (lv < len || sizeof address < len) return -EINVAL; -- if (copy_to_user(optval, address, len)) -+ if (len > sizeof(address) || copy_to_user(optval, address, len)) + if (copy_to_user(optval, address, len)) return -EFAULT; - goto lenout; - } @@ -1043,7 +1043,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname, if (len > lv) @@ -75802,6 +76189,104 @@ index 92ac7e7..13f93d9 100644 set_fs(oldfs); return res; } +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index fd7a3f6..21e76da 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -880,14 +880,14 @@ static int compat_table_info(const struct xt_table_info *info, + #endif + + static int get_info(struct net *net, void __user *user, +- const int *len, int compat) ++ int len, int compat) + { + char name[XT_TABLE_MAXNAMELEN]; + struct xt_table *t; + int ret; + +- if (*len != sizeof(struct arpt_getinfo)) { +- duprintf("length %u != %Zu\n", *len, ++ if (len != sizeof(struct arpt_getinfo)) { ++ duprintf("length %u != %Zu\n", len, + sizeof(struct arpt_getinfo)); + return -EINVAL; + } +@@ -924,7 +924,7 @@ static int get_info(struct net *net, void __user *user, + info.size = private->size; + strcpy(info.name, name); + +- if (copy_to_user(user, &info, *len) != 0) ++ if (copy_to_user(user, &info, len) != 0) + ret = -EFAULT; + else + ret = 0; +@@ -1683,7 +1683,7 @@ static int compat_do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, + + switch (cmd) { + case ARPT_SO_GET_INFO: +- ret = get_info(sock_net(sk), user, len, 1); ++ ret = get_info(sock_net(sk), user, *len, 1); + break; + case ARPT_SO_GET_ENTRIES: + ret = compat_get_entries(sock_net(sk), user, len); +@@ -1728,7 +1728,7 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len + + switch (cmd) { + case ARPT_SO_GET_INFO: +- ret = get_info(sock_net(sk), user, len, 0); ++ ret = get_info(sock_net(sk), user, *len, 0); + break; + + case ARPT_SO_GET_ENTRIES: +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index 24e556e..f6918b4 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1069,14 +1069,14 @@ static int compat_table_info(const struct xt_table_info *info, + #endif + + static int get_info(struct net *net, void __user *user, +- const int *len, int compat) ++ int len, int compat) + { + char name[XT_TABLE_MAXNAMELEN]; + struct xt_table *t; + int ret; + +- if (*len != sizeof(struct ipt_getinfo)) { +- duprintf("length %u != %zu\n", *len, ++ if (len != sizeof(struct ipt_getinfo)) { ++ duprintf("length %u != %zu\n", len, + sizeof(struct ipt_getinfo)); + return -EINVAL; + } +@@ -1113,7 +1113,7 @@ static int get_info(struct net *net, void __user *user, + info.size = private->size; + strcpy(info.name, name); + +- if (copy_to_user(user, &info, *len) != 0) ++ if (copy_to_user(user, &info, len) != 0) + ret = -EFAULT; + else + ret = 0; +@@ -1967,7 +1967,7 @@ compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) + + switch (cmd) { + case IPT_SO_GET_INFO: +- ret = get_info(sock_net(sk), user, len, 1); ++ ret = get_info(sock_net(sk), user, *len, 1); + break; + case IPT_SO_GET_ENTRIES: + ret = compat_get_entries(sock_net(sk), user, len); +@@ -2014,7 +2014,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) + + switch (cmd) { + case IPT_SO_GET_INFO: +- ret = get_info(sock_net(sk), user, len, 0); ++ ret = get_info(sock_net(sk), user, *len, 0); + break; + + case IPT_SO_GET_ENTRIES: diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c index 50009c7..5996a9f 100644 --- a/net/ipv4/ping.c @@ -76252,6 +76737,55 @@ index 63dd1f8..e7f53ca 100644 msg.msg_controllen = len; msg.msg_flags = flags; +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index 9d4e155..992bdfe 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1078,14 +1078,14 @@ static int compat_table_info(const struct xt_table_info *info, + #endif + + static int get_info(struct net *net, void __user *user, +- const int *len, int compat) ++ int len, int compat) + { + char name[XT_TABLE_MAXNAMELEN]; + struct xt_table *t; + int ret; + +- if (*len != sizeof(struct ip6t_getinfo)) { +- duprintf("length %u != %zu\n", *len, ++ if (len != sizeof(struct ip6t_getinfo)) { ++ duprintf("length %u != %zu\n", len, + sizeof(struct ip6t_getinfo)); + return -EINVAL; + } +@@ -1122,7 +1122,7 @@ static int get_info(struct net *net, void __user *user, + info.size = private->size; + strcpy(info.name, name); + +- if (copy_to_user(user, &info, *len) != 0) ++ if (copy_to_user(user, &info, len) != 0) + ret = -EFAULT; + else + ret = 0; +@@ -1976,7 +1976,7 @@ compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) + + switch (cmd) { + case IP6T_SO_GET_INFO: +- ret = get_info(sock_net(sk), user, len, 1); ++ ret = get_info(sock_net(sk), user, *len, 1); + break; + case IP6T_SO_GET_ENTRIES: + ret = compat_get_entries(sock_net(sk), user, len); +@@ -2023,7 +2023,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) + + switch (cmd) { + case IP6T_SO_GET_INFO: +- ret = get_info(sock_net(sk), user, len, 0); ++ ret = get_info(sock_net(sk), user, *len, 0); + break; + + case IP6T_SO_GET_ENTRIES: diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index 5bddea7..82d9d67 100644 --- a/net/ipv6/raw.c @@ -77800,18 +78334,18 @@ index 1e2eee8..ce3967e 100644 assoc->assoc_id, assoc->sndbuf_used, diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index dba20d6..9352c05 100644 +index dba20d6..9fa89aa 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c -@@ -4577,7 +4577,7 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, +@@ -4577,6 +4577,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len; if (space_left < addrlen) return -ENOMEM; -- if (copy_to_user(to, &temp, addrlen)) -+ if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen)) ++ if (addrlen > sizeof(temp) || addrlen < 0) ++ return -EFAULT; + if (copy_to_user(to, &temp, addrlen)) return -EFAULT; to += addrlen; - cnt++; diff --git a/net/socket.c b/net/socket.c index 06ffa0f..aff61b1 100644 --- a/net/socket.c @@ -78922,10 +79456,10 @@ index 5c11312..72742b5 100644 write_hex_cnt = 0; for (i = 0; i < logo_clutsize; i++) { diff --git a/security/Kconfig b/security/Kconfig -index ccc61f8..0759500 100644 +index ccc61f8..d0ff756 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,876 @@ +@@ -4,6 +4,873 @@ menu "Security options" @@ -79500,9 +80034,6 @@ index ccc61f8..0759500 100644 + that is, enabling this option will make it harder to inject + and execute 'foreign' code in kernel memory itself. + -+ Note that on x86_64 kernels there is a known regression when -+ this feature and KVM/VMX are both enabled in the host kernel. -+ +choice + prompt "Return Address Instrumentation Method" + default PAX_KERNEXEC_PLUGIN_METHOD_BTS @@ -79802,7 +80333,7 @@ index ccc61f8..0759500 100644 config KEYS bool "Enable access key retention support" help -@@ -169,7 +1039,7 @@ config INTEL_TXT +@@ -169,7 +1036,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX @@ -81065,10 +81596,10 @@ index 0000000..846aeb0 +} diff --git a/tools/gcc/constify_plugin.c b/tools/gcc/constify_plugin.c new file mode 100644 -index 0000000..048d4ff +index 0000000..92ed719 --- /dev/null +++ b/tools/gcc/constify_plugin.c -@@ -0,0 +1,328 @@ +@@ -0,0 +1,331 @@ +/* + * Copyright 2011 by Emese Revfy <re.emese@gmail.com> + * Copyright 2011 by PaX Team <pageexec@freemail.hu> @@ -81282,6 +81813,9 @@ index 0000000..048d4ff + for (field = TYPE_FIELDS(node); field; field = TREE_CHAIN(field)) { + tree type = TREE_TYPE(field); + enum tree_code code = TREE_CODE(type); ++ ++ if (node == type) ++ return false; + if (code == RECORD_TYPE || code == UNION_TYPE) { + if (!(walk_struct(type))) + return false; @@ -81295,7 +81829,7 @@ index 0000000..048d4ff +{ + tree type = (tree)event_data; + -+ if (type == NULL_TREE) ++ if (type == NULL_TREE || type == error_mark_node) + return; + + if (TYPE_READONLY(type)) @@ -87399,7 +87933,7 @@ index af0f22f..9a7d479 100644 break; } diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index 9739b53..6d457e3 100644 +index 9739b53..462f93d 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -75,7 +75,7 @@ LIST_HEAD(vm_list); @@ -87411,6 +87945,15 @@ index 9739b53..6d457e3 100644 struct kmem_cache *kvm_vcpu_cache; EXPORT_SYMBOL_GPL(kvm_vcpu_cache); +@@ -707,7 +707,7 @@ int __kvm_set_memory_region(struct kvm *kvm, + /* We can read the guest memory with __xxx_user() later on. */ + if (user_alloc && + ((mem->userspace_addr & (PAGE_SIZE - 1)) || +- !access_ok(VERIFY_WRITE, ++ !__access_ok(VERIFY_WRITE, + (void __user *)(unsigned long)mem->userspace_addr, + mem->memory_size))) + goto out; @@ -2247,7 +2247,7 @@ static void hardware_enable_nolock(void *junk) if (r) { |