main/linux-grsec: security fixes (CVE-2013-0290) + sock_diag out of bounds

fixes #1626
fixes #1619

3 files changed, 129 insertions, 1 deletions

diff --git a/main/linux-grsec/0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch b/main/linux-grsec/0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch
new file mode 100644
index 000000000..9124b975d
--- /dev/null
+++ b/main/linux-grsec/0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch
@@ -0,0 +1,36 @@
+From ecc18050ef1ebd1dd63ebab44297d09a48360fc5 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sat, 23 Feb 2013 01:13:47 +0000
+Subject: [PATCH 1/2] sock_diag: Fix out-of-bounds access to
+ sock_diag_handlers[]
+
+Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
+with a family greater or equal then AF_MAX -- the array size of
+sock_diag_handlers[]. The current code does not test for this
+condition therefore is vulnerable to an out-of-bound access opening
+doors for a privilege escalation.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/core/sock_diag.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
+index 849f809..5e8d4a9 100644
+--- a/net/core/sock_diag.c
++++ b/net/core/sock_diag.c
+@@ -133,6 +133,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+ 	if (nlmsg_len(nlh) < sizeof(*req))
+ 		return -EINVAL;
+ 
++	if (req->sdiag_family >= AF_MAX)
++		return -EINVAL;
++
+ 	hndl = sock_diag_lock_handler(req->sdiag_family);
+ 	if (hndl == NULL)
+ 		err = -ENOENT;
+-- 
+1.8.1.4
+
diff --git a/main/linux-grsec/0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch b/main/linux-grsec/0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch
new file mode 100644
index 000000000..189999c7f
--- /dev/null
+++ b/main/linux-grsec/0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch
@@ -0,0 +1,52 @@
+From 8679699f038e5cbd360df52e347e733f367bb30f Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 12 Feb 2013 06:16:53 +0000
+Subject: [PATCH 2/2] net: fix infinite loop in __skb_recv_datagram()
+
+Tommi was fuzzing with trinity and reported the following problem :
+
+commit 3f518bf745 (datagram: Add offset argument to __skb_recv_datagram)
+missed that a raw socket receive queue can contain skbs with no payload.
+
+We can loop in __skb_recv_datagram() with MSG_PEEK mode, because
+wait_for_packet() is not prepared to skip these skbs.
+
+[   83.541011] INFO: rcu_sched detected stalls on CPUs/tasks: {}
+(detected by 0, t=26002 jiffies, g=27673, c=27672, q=75)
+[   83.541011] INFO: Stall ended before state dump start
+[  108.067010] BUG: soft lockup - CPU#0 stuck for 22s! [trinity-child31:2847]
+...
+[  108.067010] Call Trace:
+[  108.067010]  [<ffffffff818cc103>] __skb_recv_datagram+0x1a3/0x3b0
+[  108.067010]  [<ffffffff818cc33d>] skb_recv_datagram+0x2d/0x30
+[  108.067010]  [<ffffffff819ed43d>] rawv6_recvmsg+0xad/0x240
+[  108.067010]  [<ffffffff818c4b04>] sock_common_recvmsg+0x34/0x50
+[  108.067010]  [<ffffffff818bc8ec>] sock_recvmsg+0xbc/0xf0
+[  108.067010]  [<ffffffff818bf31e>] sys_recvfrom+0xde/0x150
+[  108.067010]  [<ffffffff81ca4329>] system_call_fastpath+0x16/0x1b
+
+Reported-by: Tommi Rantala <tt.rantala@gmail.com>
+Tested-by: Tommi Rantala <tt.rantala@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Acked-by: Pavel Emelyanov <xemul@parallels.com>
+---
+ net/core/datagram.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/datagram.c b/net/core/datagram.c
+index 6a6ac94..07ccc3e 100644
+--- a/net/core/datagram.c
++++ b/net/core/datagram.c
+@@ -187,7 +187,7 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned flags,
+ 		skb_queue_walk(queue, skb) {
+ 			*peeked = skb->peeked;
+ 			if (flags & MSG_PEEK) {
+-				if (*off >= skb->len) {
++				if (*off >= skb->len && skb->len) {
+ 					*off -= skb->len;
+ 					continue;
+ 				}
+-- 
+1.8.1.4
+
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 9afa066a7..fd7f18623 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=3.6.11
 _kernver=3.6
-pkgrel=13
+pkgrel=14
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -28,6 +28,8 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
 	xsa39-pvops-0003-xen-netback-free-already-allocated-memory-on-failure.patch
 	xsa39-pvops-0004-netback-correct-netbk_tx_err-to-handle-wrap-around.patch
 	xsa43-pvops.patch
+	0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch
+	0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch
 
 	kernelconfig.x86
 	kernelconfig.x86_64
@@ -163,5 +165,43 @@ d9b4a528e722d10ba53034ebd440c31b  ipv4-remove-output-route-check-in-ipv4_mtu.pat
 89dbb0886c9d17c3c4a5ff4f1443e936  xsa39-pvops-0003-xen-netback-free-already-allocated-memory-on-failure.patch
 bce9f08c86570a0a86ef36f1d2e7a2dd  xsa39-pvops-0004-netback-correct-netbk_tx_err-to-handle-wrap-around.patch
 2399192c10ba600a086a4c946f1b72f2  xsa43-pvops.patch
+2eae706f3b25a4a3341ef78eb29197dc  0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch
+9fcb70f1b8e22ad83e959afc58a7332d  0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch
 02ed0c981afbf6a1fc81d5fa9b44e7df  kernelconfig.x86
 4927251c008b2c2bf5648d732ec63f9d  kernelconfig.x86_64"
+sha256sums="4ab9a6ef1c1735713f9f659d67f92efa7c1dfbffb2a2ad544005b30f9791784f  linux-3.6.tar.xz
+4bdc3822571a4a765bf6f347aad8b899730acef549ae4236813fd17f254f4327  patch-3.6.11.xz
+3949b8aff2f0c2e108f897f119c98c002937093baa54385d46baad19300954e1  patch-3.6.11-al3.patch
+09a266a5aeba727b29304f4ec41bc08962a71df931646cc6910c5555ffbee14c  grsecurity-2.9.1-3.6.11-al1-unofficial-0.patch
+e2d2d1503f53572c6a2e21da729a13a430dd01f510405ffb3a33b29208860bde  0004-arp-flush-arp-cache-on-device-change.patch
+fdce1143aa10a48582b5bb9cf441b75c6f52701a61f28139970f3110a170fb97  r8169-num-rx-desc.patch
+c3673636d7604b7b3df665acc0fc0153a76ac6b7f36bb931d235ea1132ac1852  ipv4-remove-output-route-check-in-ipv4_mtu.patch
+2c5f4fc70c9e6c1be9890cd5e5a8c45cc500cc71c7faf8b8f7a7152b1e6bcf88  0001-r8169-remove-the-obsolete-and-incorrect-AMD-workarou.patch
+7ba9b10b04197d3009ad3facabd0bdb2cab870fabcc841716efb1041412a20cd  r8169-fix-vlan-tag-reordering.patch
+99cf93e37985908243b974cc726f57e592e62ae005eca52969f11fb6fdea6fb5  xsa39-pvops-0001-xen-netback-shutdown-the-ring-if-it-contains-garbage.patch
+e0c4226b0910ca455f22ae117e8346d87053e9faf03ec155dd6c31e2f58a1969  xsa39-pvops-0002-xen-netback-don-t-leak-pages-on-failure-in-xen_netbk.patch
+70e6cb644a57cdda7f29eb86086a8e697706c3fc974a44c52322e451fd6b9d5c  xsa39-pvops-0003-xen-netback-free-already-allocated-memory-on-failure.patch
+5d0db59bbd5ad3a7efae78a6c26fc2491b7c553e5519dd946d1422a116af73dd  xsa39-pvops-0004-netback-correct-netbk_tx_err-to-handle-wrap-around.patch
+6efe83c9951dcba20f18095814d19089e19230c6876bbdab32cc2f1165bb07c8  xsa43-pvops.patch
+c8981bb73042f2a14a32c80e15f85d31e78c425808de437c455e0f4f90b17ec2  0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch
+4aaf19e18a71a502ff12ebacaf7c8d0c14b4c3d46d88058dbce0cb567aed0f3c  0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch
+c4236fa6150c9cba98280aadc2daccd917410148e06d2231cc8c5370d1735577  kernelconfig.x86
+3afefde6d92e1c41f6487c2279c5b707ef42ce42e4f7fe9e37d482c3e24ec3b1  kernelconfig.x86_64"
+sha512sums="6e3354184d1799228a2d33b92e4a6b743cc24352b8ccc1fd487fab07ab97be2aa03ba87b8406a177581692db1fd40674fbd4e213a782cbe0a6a969b10c4c17a1  linux-3.6.tar.xz
+08423f145ee7aef49f50d95032595ee79250135b6ecfa72f802502a277f215b63c4dc04ed149fe4ed7cdaa5ef063b8003b7f72f41d8417e45efbe7e30e621387  patch-3.6.11.xz
+8b9656c1b535dea4e32fcb9a6b44ae6c12548a262f40bd94ea81c4f475d301da20cbf0ab0eef77a61dcdddaad21b850858ddc1a03c741bf6f2ae285310f49508  patch-3.6.11-al3.patch
+f2b6735194597e9296f0fccd65bdbfd6f2489c40526294f00a1ad543e8cb3b0a41ceee26cd2f0cbfa31ec423927c5e693d63856e65c7ad8a79666176595aca8a  grsecurity-2.9.1-3.6.11-al1-unofficial-0.patch
+b6fdf376009f0f0f3fa194cb11be97343e4d394cf5d3547de6cfca8ad619c5bd3f60719331fd8cfadc47f09d22be8376ba5f871b46b24887ea73fe47e233a54e  0004-arp-flush-arp-cache-on-device-change.patch
+d9c91b57415c7c3c365add35565f72ba6225e48212f55abb209e1f426902206543edefb9fc01715357e445b69222a6fb94c3469d701e465450919bad3c83d874  r8169-num-rx-desc.patch
+fbbaa9c940f70823f5672db04b78de71233ecdda83d0cbeaeac941d732b0e3b18be38a0ed85d7bd03818114d00d9fe00935532968bee5b4673e8fadfda8c0281  ipv4-remove-output-route-check-in-ipv4_mtu.patch
+55ebc903f2384926c7a0a9abbb685b1719d08363fa97deddbd6b632928d94956cdc0b4c75d4b0230d627a02baf249d57033820e0fb11ff6723faa904370a54c8  0001-r8169-remove-the-obsolete-and-incorrect-AMD-workarou.patch
+958f5dfb57b6760e92d39027e8ec8d0abc2d99f6b40ef3c108fe90acfe00f3d5fdc2ccebddeffbf70794f6d7a394d985adf40808c2d4c8f7d0591c589b88bbbc  r8169-fix-vlan-tag-reordering.patch
+29bbd379a06dbb060871b089c9926cadc6e6a2cae141246386f98e5737436ff503b522f08e91bdfa220cf9610cfe19990375e395a2cb01e19cf9b4f37c59a7f1  xsa39-pvops-0001-xen-netback-shutdown-the-ring-if-it-contains-garbage.patch
+abb148ef92e516d9632912d10ce5d1f5c1425c25fc601a84cfd3a4ba10a374a7cc8ec38c4ad5d2ba815e17d8b2ce006ce364650aa0418b76b5dcdafd54194707  xsa39-pvops-0002-xen-netback-don-t-leak-pages-on-failure-in-xen_netbk.patch
+162885acbdea08dd6089d692fba65bacdcfc02e3617ce6b170b736167294bdb2a9b0eac5d33634fcafc91ca2acac9301e2bc9873aa70c43eba1107d3ae83c4ab  xsa39-pvops-0003-xen-netback-free-already-allocated-memory-on-failure.patch
+61388dab7a572da5ea598ff430359007288901f00a7f6b243163dc901bf57a2270de8ef897e17273532aab9c08d5c7c2dbce58e6b85e7b3ca724ffe138559802  xsa39-pvops-0004-netback-correct-netbk_tx_err-to-handle-wrap-around.patch
+383c00a2520f0e27a4e51ef4e499cd8dc33f75ef4d3d5eab22944126c41de20dccf563d1d05cd557cae4091167de78f44ec5bfb76e33f503b36b5e3d756fcaed  xsa43-pvops.patch
+025c948e157c1bbc0158fea124205792ecc0abc692ad862c14861a304492c0d2e1f931ad5c6434ba37ae9a8389e9cea0d5fd111f44e99f7dcb9336d7e4bfdb7b  0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch
+c95a0c71cee924686185d138b15c94c7593ecac7afa48957204b16bd24b0fbf641fbefd2e18dd5e72eef33f8eb07c24240f5c64b8c73c0bc73d9dfcda44b237a  0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch
+065fff74ab7f885a45d98a1cd2bc5aaf6cb9a08d830297aaab54b512b7c90d692e37101810ee36a1f26e757990f763b664788a858b3ab40d0b4821205b9d3995  kernelconfig.x86
+ba9a0b035a97089e51e0a0b723c69148866dabb4baf74c870a005350f7bfd789ab47595c7bc7e218de6d7479d16279cb906aee2ffeda9a6b141ad43ecc26dd4f  kernelconfig.x86_64"