authorNatanael Copa <ncopa@alpinelinux.org>2012-10-01 09:08:07 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2012-10-01 09:43:19 +0000
commit1dff697f8db0cbf2f0a6ea983ef225b9fa9604a8 (patch)
tree321401887711383bff2743f851b8f9005222f363 /main/linux-grsec
parentefdc2d1f01d104449fe029f22dd17561ea804552 (diff)
main/linux-grsec: import pax changes from upstream
merge in changes up to pax-linux-3.2.30-test78 / pax-linux-3.5.4-test30
Diffstat (limited to 'main/linux-grsec')
-rw-r--r--main/linux-grsec/APKBUILD6
-rw-r--r--main/linux-grsec/grsecurity-2.9.1-3.4.11-3.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.4.11-2.patch)627
2 files changed, 588 insertions, 45 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 2c91259e4..5ebe063c2 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
pkgname=linux-${_flavor}
pkgver=3.4.11
_kernver=3.4
-pkgrel=1
+pkgrel=2
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-2.9.1-$pkgver-2.patch
+ grsecurity-2.9.1-$pkgver-3.patch
0004-arp-flush-arp-cache-on-device-change.patch
0001-Revert-ipv4-Don-t-use-the-cached-pmtu-informations-f.patch
@@ -142,7 +142,7 @@ dev() {
md5sums="967f72983655e2479f951195953e8480 linux-3.4.tar.xz
2149df47fc96fec05787bf0197fb7b16 patch-3.4.11.xz
-2a05125c1486b1db0fd59a90d11d8b7a grsecurity-2.9.1-3.4.11-2.patch
+fe55cc4d88fa6749b90d77152b42ea7f grsecurity-2.9.1-3.4.11-3.patch
776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
cb6fcd6e966e73c87a839c4c0183f81f 0001-Revert-ipv4-Don-t-use-the-cached-pmtu-informations-f.patch
d2f7ba780ff7567c21381428264d7fdd intel_idle.patch
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.4.11-2.patch b/main/linux-grsec/grsecurity-2.9.1-3.4.11-3.patch
index cdb78084f..659c8d52c 100644
--- a/main/linux-grsec/grsecurity-2.9.1-3.4.11-2.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.4.11-3.patch
@@ -7576,7 +7576,7 @@ index ef34d2c..d6ce60c 100644
else
copy_from_user_overflow();
diff --git a/arch/um/Makefile b/arch/um/Makefile
-index 55c0661..86ad413 100644
+index 55c0661..10f4cb1 100644
--- a/arch/um/Makefile
+++ b/arch/um/Makefile
@@ -62,6 +62,10 @@ USER_CFLAGS = $(patsubst $(KERNEL_DEFINES),,$(patsubst -D__KERNEL__,,\
@@ -7584,7 +7584,7 @@ index 55c0661..86ad413 100644
$(filter -I%,$(CFLAGS)) -D_FILE_OFFSET_BITS=64 -idirafter include
+ifdef CONSTIFY_PLUGIN
-+USER_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
++USER_CFLAGS += -fplugin-arg-constify_plugin-no-constify
+endif
+
#This will adjust *FLAGS accordingly to the platform.
@@ -7856,7 +7856,7 @@ index b1c611e..2c1a823 100644
+archprepare:
+ $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
-index 5a747dd..ff7b12c 100644
+index 5a747dd..00bece7 100644
--- a/arch/x86/boot/Makefile
+++ b/arch/x86/boot/Makefile
@@ -64,6 +64,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os -D_SETUP -D__KERNEL__ \
@@ -7864,7 +7864,7 @@ index 5a747dd..ff7b12c 100644
$(call cc-option, -mpreferred-stack-boundary=2)
KBUILD_CFLAGS += $(call cc-option, -m32)
+ifdef CONSTIFY_PLUGIN
-+KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
++KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify
+endif
KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
GCOV_PROFILE := n
@@ -7914,7 +7914,7 @@ index 18997e5..83d9c67 100644
return diff;
}
diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
-index e398bb5..3a382ca 100644
+index e398bb5..80fc805 100644
--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -14,6 +14,9 @@ cflags-$(CONFIG_X86_64) := -mcmodel=small
@@ -7922,7 +7922,7 @@ index e398bb5..3a382ca 100644
KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
+ifdef CONSTIFY_PLUGIN
-+KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
++KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify
+endif
KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
@@ -13774,7 +13774,7 @@ index c6ce245..ffbdab7 100644
"2:\n"
".section .fixup,\"ax\"\n"
diff --git a/arch/x86/kernel/acpi/realmode/Makefile b/arch/x86/kernel/acpi/realmode/Makefile
-index 6a564ac..9b1340c 100644
+index 6a564ac..3f3a3d7 100644
--- a/arch/x86/kernel/acpi/realmode/Makefile
+++ b/arch/x86/kernel/acpi/realmode/Makefile
@@ -41,6 +41,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os -D_SETUP -D_WAKEUP -D__KERNEL__ \
@@ -13782,7 +13782,7 @@ index 6a564ac..9b1340c 100644
$(call cc-option, -mpreferred-stack-boundary=2)
KBUILD_CFLAGS += $(call cc-option, -m32)
+ifdef CONSTIFY_PLUGIN
-+KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
++KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify
+endif
KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
GCOV_PROFILE := n
@@ -19852,7 +19852,7 @@ index c6eba2b..3303326 100644
return pc;
}
diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
-index 9d9d2f9..ed344e4 100644
+index 9d9d2f9..cad418a 100644
--- a/arch/x86/kernel/tls.c
+++ b/arch/x86/kernel/tls.c
@@ -84,6 +84,11 @@ int do_set_thread_area(struct task_struct *p, int idx,
@@ -19867,6 +19867,15 @@ index 9d9d2f9..ed344e4 100644
set_tls_desc(p, idx, &info, 1);
return 0;
+@@ -204,7 +209,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
+
+ if (kbuf)
+ info = kbuf;
+- else if (__copy_from_user(infobuf, ubuf, count))
++ else if (count > sizeof infobuf || __copy_from_user(infobuf, ubuf, count))
+ return -EFAULT;
+ else
+ info = infobuf;
diff --git a/arch/x86/kernel/trampoline_32.S b/arch/x86/kernel/trampoline_32.S
index 451c0a7..e57f551 100644
--- a/arch/x86/kernel/trampoline_32.S
@@ -20782,9 +20791,28 @@ index 185a2b8..866d2a6 100644
int r;
struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c
-index 642d880..44e0f3f 100644
+index 642d880..cc9ebac 100644
--- a/arch/x86/lguest/boot.c
+++ b/arch/x86/lguest/boot.c
+@@ -1116,12 +1116,12 @@ static u32 lguest_apic_safe_wait_icr_idle(void)
+
+ static void set_lguest_basic_apic_ops(void)
+ {
+- apic->read = lguest_apic_read;
+- apic->write = lguest_apic_write;
+- apic->icr_read = lguest_apic_icr_read;
+- apic->icr_write = lguest_apic_icr_write;
+- apic->wait_icr_idle = lguest_apic_wait_icr_idle;
+- apic->safe_wait_icr_idle = lguest_apic_safe_wait_icr_idle;
++ *(void **)&apic->read = lguest_apic_read;
++ *(void **)&apic->write = lguest_apic_write;
++ *(void **)&apic->icr_read = lguest_apic_icr_read;
++ *(void **)&apic->icr_write = lguest_apic_icr_write;
++ *(void **)&apic->wait_icr_idle = lguest_apic_wait_icr_idle;
++ *(void **)&apic->safe_wait_icr_idle = lguest_apic_safe_wait_icr_idle;
+ };
+ #endif
+
@@ -1200,9 +1200,10 @@ static __init int early_put_chars(u32 vtermno, const char *buf, int count)
* Rebooting also tells the Host we're finished, but the RESTART flag tells the
* Launcher to reboot us.
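Review bot: The `*(void **)&apic->read = lguest_apic_read;` form used for all six assignments in set_lguest_basic_apic_ops() removes the compiler's check that each handler matches the type of the member it is stored in, so a later signature drift would go unnoticed. The cast presumably exists to get past the constify plugin's const qualification of the ops structure, but nothing in the hunk says so; a comment such as `/* apic ops are constified: the cast only strips const, handler types must still match */` above the assignments would record that. The same pattern is added to set_xen_basic_apic_ops() in arch/x86/xen/enlighten.c. Whether the structure is writable at the point these stores run cannot be determined from the lines shown.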
@@ -27252,7 +27280,7 @@ index 00aaf04..4a26505 100644
-}
-__setup("vdso=", vdso_setup);
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index 40edfc3..b4d80ac 100644
+index 40edfc3..9911bdb 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -95,8 +95,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@@ -27264,6 +27292,29 @@ index 40edfc3..b4d80ac 100644
RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
__read_mostly int xen_have_vector_callback;
EXPORT_SYMBOL_GPL(xen_have_vector_callback);
+@@ -883,14 +881,14 @@ static u32 xen_safe_apic_wait_icr_idle(void)
+
+ static void set_xen_basic_apic_ops(void)
+ {
+- apic->read = xen_apic_read;
+- apic->write = xen_apic_write;
+- apic->icr_read = xen_apic_icr_read;
+- apic->icr_write = xen_apic_icr_write;
+- apic->wait_icr_idle = xen_apic_wait_icr_idle;
+- apic->safe_wait_icr_idle = xen_safe_apic_wait_icr_idle;
+- apic->set_apic_id = xen_set_apic_id;
+- apic->get_apic_id = xen_get_apic_id;
++ *(void **)&apic->read = xen_apic_read;
++ *(void **)&apic->write = xen_apic_write;
++ *(void **)&apic->icr_read = xen_apic_icr_read;
++ *(void **)&apic->icr_write = xen_apic_icr_write;
++ *(void **)&apic->wait_icr_idle = xen_apic_wait_icr_idle;
++ *(void **)&apic->safe_wait_icr_idle = xen_safe_apic_wait_icr_idle;
++ *(void **)&apic->set_apic_id = xen_set_apic_id;
++ *(void **)&apic->get_apic_id = xen_get_apic_id;
+ }
+
+ #endif
@@ -1165,30 +1163,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
#endif
};
@@ -35382,6 +35433,29 @@ index ee11e93..c8f19c7 100644
err = platform_driver_register(&sk_isa_driver);
if (err)
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 147b628..7b00f8a 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1243,7 +1243,7 @@ static int set_offload(struct tun_struct *tun, unsigned long arg)
+ }
+
+ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
+- unsigned long arg, int ifreq_len)
++ unsigned long arg, size_t ifreq_len)
+ {
+ struct tun_file *tfile = file->private_data;
+ struct tun_struct *tun;
+@@ -1254,6 +1254,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
+ int vnet_hdr_sz;
+ int ret;
+
++ if (ifreq_len > sizeof ifr)
++ return -EFAULT;
++
+ if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) {
+ if (copy_from_user(&ifr, argp, ifreq_len))
+ return -EFAULT;
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index 2d2a688..35f2372 100644
--- a/drivers/net/usb/hso.c
@@ -35758,6 +35832,167 @@ index faec404..a5277f1 100644
}
D_INFO("*** LOAD DRIVER ***\n");
+diff --git a/drivers/net/wireless/iwlwifi/iwl-debugfs.c b/drivers/net/wireless/iwlwifi/iwl-debugfs.c
+index 2bbaebd..95a0b40 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-debugfs.c
++++ b/drivers/net/wireless/iwlwifi/iwl-debugfs.c
+@@ -157,7 +157,7 @@ static ssize_t iwl_dbgfs_clear_traffic_statistics_write(struct file *file,
+ struct iwl_priv *priv = file->private_data;
+ u32 clear_flag;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+
+ memset(buf, 0, sizeof(buf));
+ buf_size = min(count, sizeof(buf) - 1);
+@@ -305,7 +305,7 @@ static ssize_t iwl_dbgfs_sram_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[64];
+- int buf_size;
++ size_t buf_size;
+ u32 offset, len;
+
+ memset(buf, 0, sizeof(buf));
+@@ -588,7 +588,7 @@ static ssize_t iwl_dbgfs_rx_handlers_write(struct file *file,
+ struct iwl_priv *priv = file->private_data;
+
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ u32 reset_flag;
+
+ memset(buf, 0, sizeof(buf));
+@@ -669,7 +669,7 @@ static ssize_t iwl_dbgfs_disable_ht40_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int ht40;
+
+ memset(buf, 0, sizeof(buf));
+@@ -724,7 +724,7 @@ static ssize_t iwl_dbgfs_sleep_level_override_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int value;
+
+ memset(buf, 0, sizeof(buf));
+@@ -882,7 +882,7 @@ static ssize_t iwl_dbgfs_traffic_log_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int traffic_log;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2087,7 +2087,7 @@ static ssize_t iwl_dbgfs_clear_ucode_statistics_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int clear;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2132,7 +2132,7 @@ static ssize_t iwl_dbgfs_ucode_tracing_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int trace;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2203,7 +2203,7 @@ static ssize_t iwl_dbgfs_missed_beacon_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int missed;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2244,7 +2244,7 @@ static ssize_t iwl_dbgfs_plcp_delta_write(struct file *file,
+
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int plcp;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2298,7 +2298,7 @@ static ssize_t iwl_dbgfs_force_reset_write(struct file *file,
+
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int reset, ret;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2324,7 +2324,7 @@ static ssize_t iwl_dbgfs_txfifo_flush_write(struct file *file,
+
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int flush;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2348,7 +2348,7 @@ static ssize_t iwl_dbgfs_wd_timeout_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int timeout;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2437,7 +2437,7 @@ static ssize_t iwl_dbgfs_protection_mode_write(struct file *file,
+
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int rts;
+
+ if (!cfg(priv)->ht_params)
+@@ -2462,7 +2462,7 @@ static ssize_t iwl_dbgfs_echo_test_write(struct file *file,
+ {
+ struct iwl_priv *priv = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+
+ memset(buf, 0, sizeof(buf));
+ buf_size = min(count, sizeof(buf) - 1);
+diff --git a/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c b/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c
+index 8741048..ea9653c 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c
++++ b/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c
+@@ -2111,7 +2111,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file,
+ struct isr_statistics *isr_stats = &trans_pcie->isr_stats;
+
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ u32 reset_flag;
+
+ memset(buf, 0, sizeof(buf));
+@@ -2132,7 +2132,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file,
+ {
+ struct iwl_trans *trans = file->private_data;
+ char buf[8];
+- int buf_size;
++ size_t buf_size;
+ int csr;
+
+ memset(buf, 0, sizeof(buf));
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index b7ce6a6..5649756 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
@@ -41881,7 +42116,7 @@ index d146e18..12d1bd1 100644
fd_offset + ex.a_text);
if (error != N_DATADDR(ex)) {
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 16f7354..7cc1e24 100644
+index 16f7354..a2c5da7 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -32,6 +32,7 @@
@@ -42033,7 +42268,7 @@ index 16f7354..7cc1e24 100644
+#endif
+
+#ifdef CONFIG_PAX_EMUTRAMP
-+ if (elf_phdata->p_flags & PF_EMUTRAMP)
++ if ((elf_phdata->p_flags & PF_EMUTRAMP) && (pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
+ pax_flags |= MF_PAX_EMUTRAMP;
+#endif
+
@@ -69121,7 +69356,7 @@ index 671f959..91c51cb 100644
struct tasklet_struct *list;
diff --git a/kernel/sys.c b/kernel/sys.c
-index e7006eb..8fb7c51 100644
+index e7006eb..cf33a96 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -158,6 +158,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
@@ -69245,11 +69480,30 @@ index e7006eb..8fb7c51 100644
abort_creds(new);
return old_fsgid;
-@@ -1198,7 +1234,10 @@ static int override_release(char __user *release, int len)
+@@ -1179,12 +1215,12 @@ DECLARE_RWSEM(uts_sem);
+ * Work around broken programs that cannot handle "Linux 3.0".
+ * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40
+ */
+-static int override_release(char __user *release, int len)
++static int override_release(char __user *release, size_t len)
+ {
+ int ret = 0;
+- char buf[65];
+
+ if (current->personality & UNAME26) {
++ char buf[65] = { 0 };
+ char *rest = UTS_RELEASE;
+ int ndots = 0;
+ unsigned v;
+@@ -1197,8 +1233,14 @@ static int override_release(char __user *release, int len)
+ rest++;
}
v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
++ if (sizeof buf < len)
++ len = sizeof buf;
snprintf(buf, len, "2.6.%u%s", v, rest);
- ret = copy_to_user(release, buf, len);
++ buf[len - 1] = 0;
+ if (len > sizeof(buf))
+ ret = -EFAULT;
+ else
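Review bot: In override_release(), `buf[len - 1] = 0;` indexes with the now-unsigned `size_t len`, so a `len` of 0 would wrap and write far outside `buf`; the callers are outside this hunk, so whether 0 can arrive is unverified. snprintf() already terminates the output whenever `len` is non-zero, so the store is otherwise redundant, and `if (len) buf[len - 1] = 0;` or dropping the line avoids the edge case. After the new clamp `if (sizeof buf < len) len = sizeof buf;`, the retained `if (len > sizeof(buf)) ret = -EFAULT;` can no longer be true and could be removed. The copy_to_user() call guarded by the `else` falls outside this hunk.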
@@ -69257,7 +69511,7 @@ index e7006eb..8fb7c51 100644
}
return ret;
}
-@@ -1252,19 +1291,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
+@@ -1252,19 +1294,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
return -EFAULT;
down_read(&uts_sem);
@@ -69282,7 +69536,7 @@ index e7006eb..8fb7c51 100644
__OLD_UTS_LEN);
error |= __put_user(0, name->machine + __OLD_UTS_LEN);
up_read(&uts_sem);
-@@ -1847,7 +1886,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
+@@ -1847,7 +1889,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
error = get_dumpable(me->mm);
break;
case PR_SET_DUMPABLE:
@@ -75036,6 +75290,19 @@ index 5238b6b..c9798ce 100644
hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
}
+diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
+index 5914623..93355a5 100644
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -941,7 +941,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char
+ uf.event_mask[1] = *((u32 *) f->event_mask + 1);
+ }
+
+- len = min_t(unsigned int, len, sizeof(uf));
++ len = min((size_t)len, sizeof(uf));
+ if (copy_from_user(&uf, optval, len)) {
+ err = -EFAULT;
+ break;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 9a86759..f0951ea 100644
--- a/net/bluetooth/l2cap_core.c
@@ -75066,8 +75333,81 @@ index 9a86759..f0951ea 100644
goto done;
}
}
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index 04e7c17..b37a140 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -443,7 +443,8 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
+ struct sock *sk = sock->sk;
+ struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+ struct l2cap_options opts;
+- int len, err = 0;
++ int err = 0;
++ size_t len = optlen;
+ u32 opt;
+
+ BT_DBG("sk %p", sk);
+@@ -465,7 +466,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
+ opts.max_tx = chan->max_tx;
+ opts.txwin_size = chan->tx_win;
+
+- len = min_t(unsigned int, sizeof(opts), optlen);
++ len = min(sizeof(opts), len);
+ if (copy_from_user((char *) &opts, optval, len)) {
+ err = -EFAULT;
+ break;
+@@ -538,7 +539,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
+ struct bt_security sec;
+ struct bt_power pwr;
+ struct l2cap_conn *conn;
+- int len, err = 0;
++ int err = 0;
++ size_t len = optlen;
+ u32 opt;
+
+ BT_DBG("sk %p", sk);
+@@ -561,7 +563,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
+
+ sec.level = BT_SECURITY_LOW;
+
+- len = min_t(unsigned int, sizeof(sec), optlen);
++ len = min(sizeof(sec), len);
+ if (copy_from_user((char *) &sec, optval, len)) {
+ err = -EFAULT;
+ break;
+@@ -655,7 +657,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
+
+ pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
+
+- len = min_t(unsigned int, sizeof(pwr), optlen);
++ len = min(sizeof(pwr), len);
+ if (copy_from_user((char *) &pwr, optval, len)) {
+ err = -EFAULT;
+ break;
+diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
+index a55a43e..57c5d37 100644
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -684,7 +684,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
+ struct sock *sk = sock->sk;
+ struct bt_security sec;
+ int err = 0;
+- size_t len;
++ size_t len = optlen;
+ u32 opt;
+
+ BT_DBG("sk %p", sk);
+@@ -706,7 +706,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
+
+ sec.level = BT_SECURITY_LOW;
+
+- len = min_t(unsigned int, sizeof(sec), optlen);
++ len = min(sizeof(sec), len);
+ if (copy_from_user((char *) &sec, optval, len)) {
+ err = -EFAULT;
+ break;
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
-index 5fe2ff3..10968b5 100644
+index 5fe2ff3..121d696 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1523,7 +1523,7 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
@@ -75079,6 +75419,24 @@ index 5fe2ff3..10968b5 100644
BUGPRINT("c2u Didn't work\n");
ret = -EFAULT;
break;
+@@ -2327,7 +2327,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
+ goto out;
+ tmp.valid_hooks = t->valid_hooks;
+
+- if (copy_to_user(user, &tmp, *len) != 0) {
++ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) {
+ ret = -EFAULT;
+ break;
+ }
+@@ -2338,7 +2338,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
+ tmp.entries_size = t->table->entries_size;
+ tmp.valid_hooks = t->table->valid_hooks;
+
+- if (copy_to_user(user, &tmp, *len) != 0) {
++ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) {
+ ret = -EFAULT;
+ break;
+ }
diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
index 5cf5222..6f704ad 100644
--- a/net/caif/cfctrl.c
@@ -75136,7 +75494,7 @@ index 3d79b12..8de85fa 100644
diff --git a/net/compat.c b/net/compat.c
-index ae6d67a..95dbaf6 100644
+index ae6d67a..73c8c35 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
@@ -75266,6 +75624,15 @@ index ae6d67a..95dbaf6 100644
struct group_filter __user *kgf;
int __user *koptlen;
u32 interface, fmode, numsrc;
+@@ -805,7 +805,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
+
+ if (call < SYS_SOCKET || call > SYS_SENDMMSG)
+ return -EINVAL;
+- if (copy_from_user(a, args, nas[call]))
++ if (nas[call] > sizeof a || copy_from_user(a, args, nas[call]))
+ return -EFAULT;
+ a0 = a[0];
+ a1 = a[1];
diff --git a/net/core/datagram.c b/net/core/datagram.c
index e4fbfd6..6a6ac94 100644
--- a/net/core/datagram.c
@@ -75499,7 +75866,7 @@ index 611c5ef..88f6d6d 100644
{
int new_fd;
diff --git a/net/core/sock.c b/net/core/sock.c
-index 0f8402e..f0b6338 100644
+index 0f8402e..158dcd1 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -340,7 +340,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
@@ -75547,7 +75914,23 @@ index 0f8402e..f0b6338 100644
goto discard_and_relse;
}
-@@ -984,7 +984,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
+@@ -838,12 +838,12 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
+ struct timeval tm;
+ } v;
+
+- int lv = sizeof(int);
+- int len;
++ unsigned int lv = sizeof(int);
++ unsigned int len;
+
+ if (get_user(len, optlen))
+ return -EFAULT;
+- if (len < 0)
++ if (len > INT_MAX)
+ return -EINVAL;
+
+ memset(&v, 0, sizeof(v));
+@@ -984,18 +984,18 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
if (len > sizeof(peercred))
len = sizeof(peercred);
cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred, &peercred);
@@ -75556,15 +75939,19 @@ index 0f8402e..f0b6338 100644
return -EFAULT;
goto lenout;
}
-@@ -997,7 +997,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
+
+ case SO_PEERNAME:
+ {
+- char address[128];
++ char address[_K_SS_MAXSIZE];
+
+ if (sock->ops->getname(sock, (struct sockaddr *)address, &lv, 2))
return -ENOTCONN;
- if (lv < len)
+- if (lv < len)
++ if (lv < len || sizeof address < len)
return -EINVAL;
-- if (copy_to_user(optval, address, len))
-+ if (len > sizeof(address) || copy_to_user(optval, address, len))
+ if (copy_to_user(optval, address, len))
return -EFAULT;
- goto lenout;
- }
@@ -1043,7 +1043,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
if (len > lv)
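Review bot: `lv` becomes `unsigned int` in the earlier sock_getsockopt() hunk, yet the SO_PEERNAME case here still passes `&lv` to `sock->ops->getname(...)`. If that callback takes an `int *` length (its prototype is not visible on this page), the pointer types no longer agree, and the build stays quiet only where pointer-sign warnings are disabled. A local such as `int addrlen;` passed to getname and then copied into `lv` once it is known to be non-negative would keep the types consistent and make the unsigned `lv < len` comparison safe to reason about. sock_getsockopt()'s body extends beyond this hunk.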
@@ -75802,6 +76189,104 @@ index 92ac7e7..13f93d9 100644
set_fs(oldfs);
return res;
}
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index fd7a3f6..21e76da 100644
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -880,14 +880,14 @@ static int compat_table_info(const struct xt_table_info *info,
+ #endif
+
+ static int get_info(struct net *net, void __user *user,
+- const int *len, int compat)
++ int len, int compat)
+ {
+ char name[XT_TABLE_MAXNAMELEN];
+ struct xt_table *t;
+ int ret;
+
+- if (*len != sizeof(struct arpt_getinfo)) {
+- duprintf("length %u != %Zu\n", *len,
++ if (len != sizeof(struct arpt_getinfo)) {
++ duprintf("length %u != %Zu\n", len,
+ sizeof(struct arpt_getinfo));
+ return -EINVAL;
+ }
+@@ -924,7 +924,7 @@ static int get_info(struct net *net, void __user *user,
+ info.size = private->size;
+ strcpy(info.name, name);
+
+- if (copy_to_user(user, &info, *len) != 0)
++ if (copy_to_user(user, &info, len) != 0)
+ ret = -EFAULT;
+ else
+ ret = 0;
+@@ -1683,7 +1683,7 @@ static int compat_do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user,
+
+ switch (cmd) {
+ case ARPT_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 1);
++ ret = get_info(sock_net(sk), user, *len, 1);
+ break;
+ case ARPT_SO_GET_ENTRIES:
+ ret = compat_get_entries(sock_net(sk), user, len);
+@@ -1728,7 +1728,7 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
+
+ switch (cmd) {
+ case ARPT_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 0);
++ ret = get_info(sock_net(sk), user, *len, 0);
+ break;
+
+ case ARPT_SO_GET_ENTRIES:
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index 24e556e..f6918b4 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -1069,14 +1069,14 @@ static int compat_table_info(const struct xt_table_info *info,
+ #endif
+
+ static int get_info(struct net *net, void __user *user,
+- const int *len, int compat)
++ int len, int compat)
+ {
+ char name[XT_TABLE_MAXNAMELEN];
+ struct xt_table *t;
+ int ret;
+
+- if (*len != sizeof(struct ipt_getinfo)) {
+- duprintf("length %u != %zu\n", *len,
++ if (len != sizeof(struct ipt_getinfo)) {
++ duprintf("length %u != %zu\n", len,
+ sizeof(struct ipt_getinfo));
+ return -EINVAL;
+ }
+@@ -1113,7 +1113,7 @@ static int get_info(struct net *net, void __user *user,
+ info.size = private->size;
+ strcpy(info.name, name);
+
+- if (copy_to_user(user, &info, *len) != 0)
++ if (copy_to_user(user, &info, len) != 0)
+ ret = -EFAULT;
+ else
+ ret = 0;
+@@ -1967,7 +1967,7 @@ compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+
+ switch (cmd) {
+ case IPT_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 1);
++ ret = get_info(sock_net(sk), user, *len, 1);
+ break;
+ case IPT_SO_GET_ENTRIES:
+ ret = compat_get_entries(sock_net(sk), user, len);
+@@ -2014,7 +2014,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+
+ switch (cmd) {
+ case IPT_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 0);
++ ret = get_info(sock_net(sk), user, *len, 0);
+ break;
+
+ case IPT_SO_GET_ENTRIES:
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 50009c7..5996a9f 100644
--- a/net/ipv4/ping.c
@@ -76252,6 +76737,55 @@ index 63dd1f8..e7f53ca 100644
msg.msg_controllen = len;
msg.msg_flags = flags;
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index 9d4e155..992bdfe 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1078,14 +1078,14 @@ static int compat_table_info(const struct xt_table_info *info,
+ #endif
+
+ static int get_info(struct net *net, void __user *user,
+- const int *len, int compat)
++ int len, int compat)
+ {
+ char name[XT_TABLE_MAXNAMELEN];
+ struct xt_table *t;
+ int ret;
+
+- if (*len != sizeof(struct ip6t_getinfo)) {
+- duprintf("length %u != %zu\n", *len,
++ if (len != sizeof(struct ip6t_getinfo)) {
++ duprintf("length %u != %zu\n", len,
+ sizeof(struct ip6t_getinfo));
+ return -EINVAL;
+ }
+@@ -1122,7 +1122,7 @@ static int get_info(struct net *net, void __user *user,
+ info.size = private->size;
+ strcpy(info.name, name);
+
+- if (copy_to_user(user, &info, *len) != 0)
++ if (copy_to_user(user, &info, len) != 0)
+ ret = -EFAULT;
+ else
+ ret = 0;
+@@ -1976,7 +1976,7 @@ compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+
+ switch (cmd) {
+ case IP6T_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 1);
++ ret = get_info(sock_net(sk), user, *len, 1);
+ break;
+ case IP6T_SO_GET_ENTRIES:
+ ret = compat_get_entries(sock_net(sk), user, len);
+@@ -2023,7 +2023,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+
+ switch (cmd) {
+ case IP6T_SO_GET_INFO:
+- ret = get_info(sock_net(sk), user, len, 0);
++ ret = get_info(sock_net(sk), user, *len, 0);
+ break;
+
+ case IP6T_SO_GET_ENTRIES:
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 5bddea7..82d9d67 100644
--- a/net/ipv6/raw.c
@@ -77800,18 +78334,18 @@ index 1e2eee8..ce3967e 100644
assoc->assoc_id,
assoc->sndbuf_used,
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index dba20d6..9352c05 100644
+index dba20d6..9fa89aa 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
-@@ -4577,7 +4577,7 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
+@@ -4577,6 +4577,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
if (space_left < addrlen)
return -ENOMEM;
-- if (copy_to_user(to, &temp, addrlen))
-+ if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
++ if (addrlen > sizeof(temp) || addrlen < 0)
++ return -EFAULT;
+ if (copy_to_user(to, &temp, addrlen))
return -EFAULT;
to += addrlen;
- cnt++;
diff --git a/net/socket.c b/net/socket.c
index 06ffa0f..aff61b1 100644
--- a/net/socket.c
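Review bot: In the added check `if (addrlen > sizeof(temp) || addrlen < 0)` in sctp_getsockopt_peer_addrs(), the `addrlen < 0` term does no work. If `addrlen` is a signed int, the first comparison converts it to size_t and already rejects negative values; if it is unsigned, the term is always false. The declaration of `addrlen` is outside this hunk, so which case applies cannot be seen here. Writing it as `if (addrlen < 0 || addrlen > sizeof(temp))` states the intent in reading order and does not rely on the implicit conversion.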
@@ -78922,10 +79456,10 @@ index 5c11312..72742b5 100644
write_hex_cnt = 0;
for (i = 0; i < logo_clutsize; i++) {
diff --git a/security/Kconfig b/security/Kconfig
-index ccc61f8..0759500 100644
+index ccc61f8..d0ff756 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,876 @@
+@@ -4,6 +4,873 @@
menu "Security options"
@@ -79500,9 +80034,6 @@ index ccc61f8..0759500 100644
+ that is, enabling this option will make it harder to inject
+ and execute 'foreign' code in kernel memory itself.
+
-+ Note that on x86_64 kernels there is a known regression when
-+ this feature and KVM/VMX are both enabled in the host kernel.
-+
+choice
+ prompt "Return Address Instrumentation Method"
+ default PAX_KERNEXEC_PLUGIN_METHOD_BTS
@@ -79802,7 +80333,7 @@ index ccc61f8..0759500 100644
config KEYS
bool "Enable access key retention support"
help
-@@ -169,7 +1039,7 @@ config INTEL_TXT
+@@ -169,7 +1036,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
@@ -81065,10 +81596,10 @@ index 0000000..846aeb0
+}
diff --git a/tools/gcc/constify_plugin.c b/tools/gcc/constify_plugin.c
new file mode 100644
-index 0000000..048d4ff
+index 0000000..92ed719
--- /dev/null
+++ b/tools/gcc/constify_plugin.c
-@@ -0,0 +1,328 @@
+@@ -0,0 +1,331 @@
+/*
+ * Copyright 2011 by Emese Revfy <re.emese@gmail.com>
+ * Copyright 2011 by PaX Team <pageexec@freemail.hu>
@@ -81282,6 +81813,9 @@ index 0000000..048d4ff
+ for (field = TYPE_FIELDS(node); field; field = TREE_CHAIN(field)) {
+ tree type = TREE_TYPE(field);
+ enum tree_code code = TREE_CODE(type);
++
++ if (node == type)
++ return false;
+ if (code == RECORD_TYPE || code == UNION_TYPE) {
+ if (!(walk_struct(type)))
+ return false;
@@ -81295,7 +81829,7 @@ index 0000000..048d4ff
+{
+ tree type = (tree)event_data;
+
-+ if (type == NULL_TREE)
++ if (type == NULL_TREE || type == error_mark_node)
+ return;
+
+ if (TYPE_READONLY(type))
@@ -87399,7 +87933,7 @@ index af0f22f..9a7d479 100644
break;
}
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 9739b53..6d457e3 100644
+index 9739b53..462f93d 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -75,7 +75,7 @@ LIST_HEAD(vm_list);
@@ -87411,6 +87945,15 @@ index 9739b53..6d457e3 100644
struct kmem_cache *kvm_vcpu_cache;
EXPORT_SYMBOL_GPL(kvm_vcpu_cache);
+@@ -707,7 +707,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
+ /* We can read the guest memory with __xxx_user() later on. */
+ if (user_alloc &&
+ ((mem->userspace_addr & (PAGE_SIZE - 1)) ||
+- !access_ok(VERIFY_WRITE,
++ !__access_ok(VERIFY_WRITE,
+ (void __user *)(unsigned long)mem->userspace_addr,
+ mem->memory_size)))
+ goto out;
@@ -2247,7 +2247,7 @@ static void hardware_enable_nolock(void *junk)
if (r) {