diff options
author | Anthony G. Basile <blueness@gentoo.org> | 2011-08-24 05:02:02 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2011-08-24 05:02:02 -0400 |
commit | 22102caf72a2ba344bc84da64f789414179259fa (patch) | |
tree | ffcf21e5b7d594dcfdac60956108b18ae9d756cb | |
parent | Grsec/PaX: 2.2.2-2.6.32.45-201108192305 + 2.2.2-2.6.39.4-201108192305 (diff) | |
download | hardened-patchset-20110821.tar.gz hardened-patchset-20110821.tar.bz2 hardened-patchset-20110821.zip |
Grsec/PaX: 2.2.2-2.6.32.45-201108211939 2.2.2-2.6.39.4-20110821193920110821
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.2.2-2.6.32.45-201108211939.patch (renamed from 2.6.32/4420_grsecurity-2.2.2-2.6.32.45-201108192305.patch) | 297 | ||||
-rw-r--r-- | 2.6.39/0000_README | 2 | ||||
-rw-r--r-- | 2.6.39/4420_grsecurity-2.2.2-2.6.39.4-201108211939.patch (renamed from 2.6.39/4420_grsecurity-2.2.2-2.6.39.4-201108192305.patch) | 7 |
4 files changed, 272 insertions, 36 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index f4bf114..e5ee171 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -11,7 +11,7 @@ Patch: 1044_linux-2.6.32.45.patch From: http://www.kernel.org Desc: Linux 2.6.39.45 -Patch: 4420_grsecurity-2.2.2-2.6.32.45-201108192305.patch +Patch: 4420_grsecurity-2.2.2-2.6.32.45-201108211939.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.45-201108192305.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.45-201108211939.patch index 26eb4f1..78cefe3 100644 --- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.45-201108192305.patch +++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.45-201108211939.patch @@ -1484,6 +1484,19 @@ diff -urNp linux-2.6.32.45/arch/mips/include/asm/page.h linux-2.6.32.45/arch/mip #else typedef struct { unsigned long long pte; } pte_t; #define pte_val(x) ((x).pte) +diff -urNp linux-2.6.32.45/arch/mips/include/asm/reboot.h linux-2.6.32.45/arch/mips/include/asm/reboot.h +--- linux-2.6.32.45/arch/mips/include/asm/reboot.h 2011-03-27 14:31:47.000000000 -0400 ++++ linux-2.6.32.45/arch/mips/include/asm/reboot.h 2011-08-21 17:35:02.000000000 -0400 +@@ -9,7 +9,7 @@ + #ifndef _ASM_REBOOT_H + #define _ASM_REBOOT_H + +-extern void (*_machine_restart)(char *command); +-extern void (*_machine_halt)(void); ++extern void (*__noreturn _machine_restart)(char *command); ++extern void (*__noreturn _machine_halt)(void); + + #endif /* _ASM_REBOOT_H */ diff -urNp linux-2.6.32.45/arch/mips/include/asm/system.h linux-2.6.32.45/arch/mips/include/asm/system.h --- linux-2.6.32.45/arch/mips/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400 +++ linux-2.6.32.45/arch/mips/include/asm/system.h 2011-04-17 15:56:45.000000000 -0400 @@ -1559,6 +1572,40 @@ diff -urNp linux-2.6.32.45/arch/mips/kernel/process.c linux-2.6.32.45/arch/mips/ - - return sp & ALMASK; -} +diff -urNp linux-2.6.32.45/arch/mips/kernel/reset.c linux-2.6.32.45/arch/mips/kernel/reset.c +--- linux-2.6.32.45/arch/mips/kernel/reset.c 2011-03-27 14:31:47.000000000 -0400 ++++ linux-2.6.32.45/arch/mips/kernel/reset.c 2011-08-21 17:35:26.000000000 -0400 +@@ -19,8 +19,8 @@ + * So handle all using function pointers to machine specific + * functions. + */ +-void (*_machine_restart)(char *command); +-void (*_machine_halt)(void); ++void (*__noreturn _machine_restart)(char *command); ++void (*__noreturn _machine_halt)(void); + void (*pm_power_off)(void); + + EXPORT_SYMBOL(pm_power_off); +@@ -29,16 +29,19 @@ void machine_restart(char *command) + { + if (_machine_restart) + _machine_restart(command); ++ BUG(); + } + + void machine_halt(void) + { + if (_machine_halt) + _machine_halt(); ++ BUG(); + } + + void machine_power_off(void) + { + if (pm_power_off) + pm_power_off(); ++ BUG(); + } diff -urNp linux-2.6.32.45/arch/mips/kernel/syscall.c linux-2.6.32.45/arch/mips/kernel/syscall.c --- linux-2.6.32.45/arch/mips/kernel/syscall.c 2011-03-27 14:31:47.000000000 -0400 +++ linux-2.6.32.45/arch/mips/kernel/syscall.c 2011-04-17 15:56:45.000000000 -0400 @@ -1596,6 +1643,18 @@ diff -urNp linux-2.6.32.45/arch/mips/kernel/syscall.c linux-2.6.32.45/arch/mips/ return addr; addr = vmm->vm_end; if (do_color_align) +diff -urNp linux-2.6.32.45/arch/mips/Makefile linux-2.6.32.45/arch/mips/Makefile +--- linux-2.6.32.45/arch/mips/Makefile 2011-03-27 14:31:47.000000000 -0400 ++++ linux-2.6.32.45/arch/mips/Makefile 2011-08-21 19:26:52.000000000 -0400 +@@ -51,6 +51,8 @@ endif + cflags-y := -ffunction-sections + cflags-y += $(call cc-option, -mno-check-zero-division) + ++cflags-y += -Wno-sign-compare -Wno-extra ++ + ifdef CONFIG_32BIT + ld-emul = $(32bit-emul) + vmlinux-32 = vmlinux diff -urNp linux-2.6.32.45/arch/mips/mm/fault.c linux-2.6.32.45/arch/mips/mm/fault.c --- linux-2.6.32.45/arch/mips/mm/fault.c 2011-03-27 14:31:47.000000000 -0400 +++ linux-2.6.32.45/arch/mips/mm/fault.c 2011-04-17 15:56:45.000000000 -0400 @@ -2146,7 +2205,7 @@ diff -urNp linux-2.6.32.45/arch/powerpc/include/asm/page_64.h linux-2.6.32.45/ar diff -urNp linux-2.6.32.45/arch/powerpc/include/asm/page.h linux-2.6.32.45/arch/powerpc/include/asm/page.h --- linux-2.6.32.45/arch/powerpc/include/asm/page.h 2011-03-27 14:31:47.000000000 -0400 -+++ linux-2.6.32.45/arch/powerpc/include/asm/page.h 2011-04-17 15:56:45.000000000 -0400 ++++ linux-2.6.32.45/arch/powerpc/include/asm/page.h 2011-08-21 16:07:39.000000000 -0400 @@ -116,8 +116,9 @@ extern phys_addr_t kernstart_addr; * and needs to be executable. This means the whole heap ends * up being executable. @@ -2205,6 +2264,18 @@ diff -urNp linux-2.6.32.45/arch/powerpc/include/asm/pte-hash32.h linux-2.6.32.45 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */ #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */ #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */ +diff -urNp linux-2.6.32.45/arch/powerpc/include/asm/ptrace.h linux-2.6.32.45/arch/powerpc/include/asm/ptrace.h +--- linux-2.6.32.45/arch/powerpc/include/asm/ptrace.h 2011-03-27 14:31:47.000000000 -0400 ++++ linux-2.6.32.45/arch/powerpc/include/asm/ptrace.h 2011-08-21 15:53:58.000000000 -0400 +@@ -103,7 +103,7 @@ extern unsigned long profile_pc(struct p + } while(0) + + struct task_struct; +-extern unsigned long ptrace_get_reg(struct task_struct *task, int regno); ++extern unsigned long ptrace_get_reg(struct task_struct *task, unsigned int regno); + extern int ptrace_put_reg(struct task_struct *task, int regno, + unsigned long data); + diff -urNp linux-2.6.32.45/arch/powerpc/include/asm/reg.h linux-2.6.32.45/arch/powerpc/include/asm/reg.h --- linux-2.6.32.45/arch/powerpc/include/asm/reg.h 2011-03-27 14:31:47.000000000 -0400 +++ linux-2.6.32.45/arch/powerpc/include/asm/reg.h 2011-04-17 15:56:45.000000000 -0400 @@ -2727,6 +2798,27 @@ diff -urNp linux-2.6.32.45/arch/powerpc/kernel/process.c linux-2.6.32.45/arch/po - - return ret; -} +diff -urNp linux-2.6.32.45/arch/powerpc/kernel/ptrace.c linux-2.6.32.45/arch/powerpc/kernel/ptrace.c +--- linux-2.6.32.45/arch/powerpc/kernel/ptrace.c 2011-03-27 14:31:47.000000000 -0400 ++++ linux-2.6.32.45/arch/powerpc/kernel/ptrace.c 2011-08-21 15:53:39.000000000 -0400 +@@ -86,7 +86,7 @@ static int set_user_trap(struct task_str + /* + * Get contents of register REGNO in task TASK. + */ +-unsigned long ptrace_get_reg(struct task_struct *task, int regno) ++unsigned long ptrace_get_reg(struct task_struct *task, unsigned int regno) + { + if (task->thread.regs == NULL) + return -EIO; +@@ -894,7 +894,7 @@ long arch_ptrace(struct task_struct *chi + + CHECK_FULL_REGS(child->thread.regs); + if (index < PT_FPR0) { +- tmp = ptrace_get_reg(child, (int) index); ++ tmp = ptrace_get_reg(child, index); + } else { + flush_fp_to_thread(child); + tmp = ((unsigned long *)child->thread.fpr) diff -urNp linux-2.6.32.45/arch/powerpc/kernel/signal_32.c linux-2.6.32.45/arch/powerpc/kernel/signal_32.c --- linux-2.6.32.45/arch/powerpc/kernel/signal_32.c 2011-03-27 14:31:47.000000000 -0400 +++ linux-2.6.32.45/arch/powerpc/kernel/signal_32.c 2011-04-17 15:56:45.000000000 -0400 @@ -2876,6 +2968,18 @@ diff -urNp linux-2.6.32.45/arch/powerpc/lib/usercopy_64.c linux-2.6.32.45/arch/p -EXPORT_SYMBOL(copy_to_user); EXPORT_SYMBOL(copy_in_user); +diff -urNp linux-2.6.32.45/arch/powerpc/Makefile linux-2.6.32.45/arch/powerpc/Makefile +--- linux-2.6.32.45/arch/powerpc/Makefile 2011-03-27 14:31:47.000000000 -0400 ++++ linux-2.6.32.45/arch/powerpc/Makefile 2011-08-21 19:27:08.000000000 -0400 +@@ -74,6 +74,8 @@ KBUILD_AFLAGS += -Iarch/$(ARCH) + KBUILD_CFLAGS += -msoft-float -pipe -Iarch/$(ARCH) $(CFLAGS-y) + CPP = $(CC) -E $(KBUILD_CFLAGS) + ++cflags-y += -Wno-sign-compare -Wno-extra ++ + CHECKFLAGS += -m$(CONFIG_WORD_SIZE) -D__powerpc__ -D__powerpc$(CONFIG_WORD_SIZE)__ + + ifeq ($(CONFIG_PPC64),y) diff -urNp linux-2.6.32.45/arch/powerpc/mm/fault.c linux-2.6.32.45/arch/powerpc/mm/fault.c --- linux-2.6.32.45/arch/powerpc/mm/fault.c 2011-03-27 14:31:47.000000000 -0400 +++ linux-2.6.32.45/arch/powerpc/mm/fault.c 2011-04-17 15:56:45.000000000 -0400 @@ -2983,6 +3087,18 @@ diff -urNp linux-2.6.32.45/arch/powerpc/mm/fault.c linux-2.6.32.45/arch/powerpc/ _exception(SIGSEGV, regs, code, address); return 0; } +diff -urNp linux-2.6.32.45/arch/powerpc/mm/mem.c linux-2.6.32.45/arch/powerpc/mm/mem.c +--- linux-2.6.32.45/arch/powerpc/mm/mem.c 2011-03-27 14:31:47.000000000 -0400 ++++ linux-2.6.32.45/arch/powerpc/mm/mem.c 2011-08-21 15:50:39.000000000 -0400 +@@ -250,7 +250,7 @@ static int __init mark_nonram_nosave(voi + { + unsigned long lmb_next_region_start_pfn, + lmb_region_max_pfn; +- int i; ++ unsigned int i; + + for (i = 0; i < lmb.memory.cnt - 1; i++) { + lmb_region_max_pfn = diff -urNp linux-2.6.32.45/arch/powerpc/mm/mmap_64.c linux-2.6.32.45/arch/powerpc/mm/mmap_64.c --- linux-2.6.32.45/arch/powerpc/mm/mmap_64.c 2011-03-27 14:31:47.000000000 -0400 +++ linux-2.6.32.45/arch/powerpc/mm/mmap_64.c 2011-04-17 15:56:45.000000000 -0400 @@ -24064,7 +24180,7 @@ diff -urNp linux-2.6.32.45/crypto/serpent.c linux-2.6.32.45/crypto/serpent.c for (i = 0; i < keylen; ++i) diff -urNp linux-2.6.32.45/Documentation/dontdiff linux-2.6.32.45/Documentation/dontdiff --- linux-2.6.32.45/Documentation/dontdiff 2011-03-27 14:31:47.000000000 -0400 -+++ linux-2.6.32.45/Documentation/dontdiff 2011-05-18 20:09:36.000000000 -0400 ++++ linux-2.6.32.45/Documentation/dontdiff 2011-08-21 18:59:02.000000000 -0400 @@ -1,13 +1,16 @@ *.a *.aux @@ -24122,7 +24238,14 @@ diff -urNp linux-2.6.32.45/Documentation/dontdiff linux-2.6.32.45/Documentation/ comp*.log compile.h* conf -@@ -103,13 +117,14 @@ gen_crc32table +@@ -97,19 +111,21 @@ elfconfig.h* + fixdep + fore200e_mkfirm + fore200e_pca_fw.c* ++gate.lds + gconf + gen-devlist + gen_crc32table gen_init_cpio genksyms *_gray256.c @@ -24138,7 +24261,7 @@ diff -urNp linux-2.6.32.45/Documentation/dontdiff linux-2.6.32.45/Documentation/ keywords.c ksym.c* ksym.h* -@@ -133,7 +148,9 @@ mkboot +@@ -133,7 +149,9 @@ mkboot mkbugboot mkcpustr mkdep @@ -24148,7 +24271,7 @@ diff -urNp linux-2.6.32.45/Documentation/dontdiff linux-2.6.32.45/Documentation/ mktables mktree modpost -@@ -149,6 +166,7 @@ patches* +@@ -149,6 +167,7 @@ patches* pca200e.bin pca200e_ecd.bin2 piggy.gz @@ -24156,7 +24279,7 @@ diff -urNp linux-2.6.32.45/Documentation/dontdiff linux-2.6.32.45/Documentation/ piggyback pnmtologo ppc_defs.h* -@@ -157,12 +175,15 @@ qconf +@@ -157,12 +176,15 @@ qconf raid6altivec*.c raid6int*.c raid6tables.c @@ -24172,7 +24295,7 @@ diff -urNp linux-2.6.32.45/Documentation/dontdiff linux-2.6.32.45/Documentation/ sm_tbl* split-include syscalltab.h -@@ -186,14 +207,20 @@ version.h* +@@ -186,14 +208,20 @@ version.h* vmlinux vmlinux-* vmlinux.aout @@ -56645,8 +56768,8 @@ diff -urNp linux-2.6.32.45/grsecurity/Kconfig linux-2.6.32.45/grsecurity/Kconfig +endmenu diff -urNp linux-2.6.32.45/grsecurity/Makefile linux-2.6.32.45/grsecurity/Makefile --- linux-2.6.32.45/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.45/grsecurity/Makefile 2011-08-17 19:02:41.000000000 -0400 -@@ -0,0 +1,33 @@ ++++ linux-2.6.32.45/grsecurity/Makefile 2011-08-21 18:54:34.000000000 -0400 +@@ -0,0 +1,34 @@ +# grsecurity's ACL system was originally written in 2001 by Michael Dalton +# during 2001-2009 it has been completely redesigned by Brad Spengler +# into an RBAC system @@ -56665,7 +56788,8 @@ diff -urNp linux-2.6.32.45/grsecurity/Makefile linux-2.6.32.45/grsecurity/Makefi +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o + +ifdef CONFIG_NET -+obj-$(CONFIG_GRKERNSEC) += gracl_ip.o grsec_sock.o ++obj-y += grsec_sock.o ++obj-$(CONFIG_GRKERNSEC) += gracl_ip.o +endif + +ifndef CONFIG_GRKERNSEC @@ -56993,6 +57117,23 @@ diff -urNp linux-2.6.32.45/include/asm-generic/atomic-long.h linux-2.6.32.45/inc +#endif + #endif /* _ASM_GENERIC_ATOMIC_LONG_H */ +diff -urNp linux-2.6.32.45/include/asm-generic/bug.h linux-2.6.32.45/include/asm-generic/bug.h +--- linux-2.6.32.45/include/asm-generic/bug.h 2011-07-13 17:23:04.000000000 -0400 ++++ linux-2.6.32.45/include/asm-generic/bug.h 2011-08-21 17:56:07.000000000 -0400 +@@ -105,11 +105,11 @@ extern void warn_slowpath_null(const cha + + #else /* !CONFIG_BUG */ + #ifndef HAVE_ARCH_BUG +-#define BUG() do {} while(0) ++#define BUG() do { for (;;) ; } while(0) + #endif + + #ifndef HAVE_ARCH_BUG_ON +-#define BUG_ON(condition) do { if (condition) ; } while(0) ++#define BUG_ON(condition) do { if (condition) for (;;) ; } while(0) + #endif + + #ifndef HAVE_ARCH_WARN_ON diff -urNp linux-2.6.32.45/include/asm-generic/cache.h linux-2.6.32.45/include/asm-generic/cache.h --- linux-2.6.32.45/include/asm-generic/cache.h 2011-03-27 14:31:47.000000000 -0400 +++ linux-2.6.32.45/include/asm-generic/cache.h 2011-07-06 19:53:33.000000000 -0400 @@ -57117,6 +57258,18 @@ diff -urNp linux-2.6.32.45/include/asm-generic/dma-mapping-common.h linux-2.6.32 BUG_ON(!valid_dma_direction(dir)); if (ops->sync_sg_for_device) +diff -urNp linux-2.6.32.45/include/asm-generic/emergency-restart.h linux-2.6.32.45/include/asm-generic/emergency-restart.h +--- linux-2.6.32.45/include/asm-generic/emergency-restart.h 2011-03-27 14:31:47.000000000 -0400 ++++ linux-2.6.32.45/include/asm-generic/emergency-restart.h 2011-08-21 19:17:17.000000000 -0400 +@@ -1,7 +1,7 @@ + #ifndef _ASM_GENERIC_EMERGENCY_RESTART_H + #define _ASM_GENERIC_EMERGENCY_RESTART_H + +-static inline void machine_emergency_restart(void) ++static inline __noreturn void machine_emergency_restart(void) + { + machine_restart(NULL); + } diff -urNp linux-2.6.32.45/include/asm-generic/futex.h linux-2.6.32.45/include/asm-generic/futex.h --- linux-2.6.32.45/include/asm-generic/futex.h 2011-03-27 14:31:47.000000000 -0400 +++ linux-2.6.32.45/include/asm-generic/futex.h 2011-04-17 15:56:46.000000000 -0400 @@ -60528,8 +60681,16 @@ diff -urNp linux-2.6.32.45/include/linux/shm.h linux-2.6.32.45/include/linux/shm /* shm_mode upper byte flags */ diff -urNp linux-2.6.32.45/include/linux/skbuff.h linux-2.6.32.45/include/linux/skbuff.h --- linux-2.6.32.45/include/linux/skbuff.h 2011-03-27 14:31:47.000000000 -0400 -+++ linux-2.6.32.45/include/linux/skbuff.h 2011-07-06 19:53:33.000000000 -0400 -@@ -544,7 +544,7 @@ static inline union skb_shared_tx *skb_t ++++ linux-2.6.32.45/include/linux/skbuff.h 2011-08-21 15:27:56.000000000 -0400 +@@ -14,6 +14,7 @@ + #ifndef _LINUX_SKBUFF_H + #define _LINUX_SKBUFF_H + ++#include <linux/const.h> + #include <linux/kernel.h> + #include <linux/kmemcheck.h> + #include <linux/compiler.h> +@@ -544,7 +545,7 @@ static inline union skb_shared_tx *skb_t */ static inline int skb_queue_empty(const struct sk_buff_head *list) { @@ -60538,7 +60699,7 @@ diff -urNp linux-2.6.32.45/include/linux/skbuff.h linux-2.6.32.45/include/linux/ } /** -@@ -557,7 +557,7 @@ static inline int skb_queue_empty(const +@@ -557,7 +558,7 @@ static inline int skb_queue_empty(const static inline bool skb_queue_is_last(const struct sk_buff_head *list, const struct sk_buff *skb) { @@ -60547,7 +60708,7 @@ diff -urNp linux-2.6.32.45/include/linux/skbuff.h linux-2.6.32.45/include/linux/ } /** -@@ -570,7 +570,7 @@ static inline bool skb_queue_is_last(con +@@ -570,7 +571,7 @@ static inline bool skb_queue_is_last(con static inline bool skb_queue_is_first(const struct sk_buff_head *list, const struct sk_buff *skb) { @@ -60556,7 +60717,7 @@ diff -urNp linux-2.6.32.45/include/linux/skbuff.h linux-2.6.32.45/include/linux/ } /** -@@ -1367,7 +1367,7 @@ static inline int skb_network_offset(con +@@ -1367,7 +1368,7 @@ static inline int skb_network_offset(con * headroom, you should not reduce this. */ #ifndef NET_SKB_PAD @@ -61369,7 +61530,16 @@ diff -urNp linux-2.6.32.45/include/net/neighbour.h linux-2.6.32.45/include/net/n struct pneigh_entry diff -urNp linux-2.6.32.45/include/net/netlink.h linux-2.6.32.45/include/net/netlink.h --- linux-2.6.32.45/include/net/netlink.h 2011-07-13 17:23:04.000000000 -0400 -+++ linux-2.6.32.45/include/net/netlink.h 2011-07-13 17:23:19.000000000 -0400 ++++ linux-2.6.32.45/include/net/netlink.h 2011-08-21 18:08:11.000000000 -0400 +@@ -335,7 +335,7 @@ static inline int nlmsg_ok(const struct + { + return (remaining >= (int) sizeof(struct nlmsghdr) && + nlh->nlmsg_len >= sizeof(struct nlmsghdr) && +- nlh->nlmsg_len <= remaining); ++ nlh->nlmsg_len <= (unsigned int)remaining); + } + + /** @@ -558,7 +558,7 @@ static inline void *nlmsg_get_pos(struct static inline void nlmsg_trim(struct sk_buff *skb, const void *mark) { @@ -61429,7 +61599,7 @@ diff -urNp linux-2.6.32.45/include/net/secure_seq.h linux-2.6.32.45/include/net/ #endif /* _NET_SECURE_SEQ */ diff -urNp linux-2.6.32.45/include/net/sock.h linux-2.6.32.45/include/net/sock.h --- linux-2.6.32.45/include/net/sock.h 2011-03-27 14:31:47.000000000 -0400 -+++ linux-2.6.32.45/include/net/sock.h 2011-05-04 17:56:28.000000000 -0400 ++++ linux-2.6.32.45/include/net/sock.h 2011-08-21 17:24:37.000000000 -0400 @@ -272,7 +272,7 @@ struct sock { rwlock_t sk_callback_lock; int sk_err, @@ -61439,6 +61609,15 @@ diff -urNp linux-2.6.32.45/include/net/sock.h linux-2.6.32.45/include/net/sock.h unsigned short sk_ack_backlog; unsigned short sk_max_ack_backlog; __u32 sk_priority; +@@ -737,7 +737,7 @@ static inline void sk_refcnt_debug_relea + extern void sock_prot_inuse_add(struct net *net, struct proto *prot, int inc); + extern int sock_prot_inuse_get(struct net *net, struct proto *proto); + #else +-static void inline sock_prot_inuse_add(struct net *net, struct proto *prot, ++static inline void sock_prot_inuse_add(struct net *net, struct proto *prot, + int inc) + { + } diff -urNp linux-2.6.32.45/include/net/tcp.h linux-2.6.32.45/include/net/tcp.h --- linux-2.6.32.45/include/net/tcp.h 2011-03-27 14:31:47.000000000 -0400 +++ linux-2.6.32.45/include/net/tcp.h 2011-04-17 15:56:46.000000000 -0400 @@ -64600,7 +64779,7 @@ diff -urNp linux-2.6.32.45/kernel/perf_event.c linux-2.6.32.45/kernel/perf_event /* diff -urNp linux-2.6.32.45/kernel/pid.c linux-2.6.32.45/kernel/pid.c --- linux-2.6.32.45/kernel/pid.c 2011-04-22 19:16:29.000000000 -0400 -+++ linux-2.6.32.45/kernel/pid.c 2011-07-14 19:15:33.000000000 -0400 ++++ linux-2.6.32.45/kernel/pid.c 2011-08-21 19:11:29.000000000 -0400 @@ -33,6 +33,7 @@ #include <linux/rculist.h> #include <linux/bootmem.h> @@ -64634,14 +64813,12 @@ diff -urNp linux-2.6.32.45/kernel/pid.c linux-2.6.32.45/kernel/pid.c } struct task_struct *find_task_by_vpid(pid_t vnr) -@@ -391,6 +399,13 @@ struct task_struct *find_task_by_vpid(pi +@@ -391,6 +399,11 @@ struct task_struct *find_task_by_vpid(pi return find_task_by_pid_ns(vnr, current->nsproxy->pid_ns); } +struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr) +{ -+ struct task_struct *task; -+ + return pid_task(find_pid_ns(vnr, current->nsproxy->pid_ns), PIDTYPE_PID); +} + @@ -65486,8 +65663,20 @@ diff -urNp linux-2.6.32.45/kernel/rtmutex-tester.c linux-2.6.32.45/kernel/rtmute case RTTEST_LOCKBKL: diff -urNp linux-2.6.32.45/kernel/sched.c linux-2.6.32.45/kernel/sched.c --- linux-2.6.32.45/kernel/sched.c 2011-03-27 14:31:47.000000000 -0400 -+++ linux-2.6.32.45/kernel/sched.c 2011-05-22 23:02:06.000000000 -0400 -@@ -5043,7 +5043,7 @@ out: ++++ linux-2.6.32.45/kernel/sched.c 2011-08-21 19:29:25.000000000 -0400 +@@ -2764,9 +2764,10 @@ void wake_up_new_task(struct task_struct + { + unsigned long flags; + struct rq *rq; +- int cpu = get_cpu(); + + #ifdef CONFIG_SMP ++ int cpu = get_cpu(); ++ + rq = task_rq_lock(p, &flags); + p->state = TASK_WAKING; + +@@ -5043,7 +5044,7 @@ out: * In CONFIG_NO_HZ case, the idle load balance owner will do the * rebalancing for all the cpus for whom scheduler ticks are stopped. */ @@ -65496,7 +65685,7 @@ diff -urNp linux-2.6.32.45/kernel/sched.c linux-2.6.32.45/kernel/sched.c { int this_cpu = smp_processor_id(); struct rq *this_rq = cpu_rq(this_cpu); -@@ -5700,6 +5700,8 @@ asmlinkage void __sched schedule(void) +@@ -5700,6 +5701,8 @@ asmlinkage void __sched schedule(void) struct rq *rq; int cpu; @@ -65505,7 +65694,7 @@ diff -urNp linux-2.6.32.45/kernel/sched.c linux-2.6.32.45/kernel/sched.c need_resched: preempt_disable(); cpu = smp_processor_id(); -@@ -5770,7 +5772,7 @@ EXPORT_SYMBOL(schedule); +@@ -5770,7 +5773,7 @@ EXPORT_SYMBOL(schedule); * Look out! "owner" is an entirely speculative pointer * access and not reliable. */ @@ -65514,7 +65703,7 @@ diff -urNp linux-2.6.32.45/kernel/sched.c linux-2.6.32.45/kernel/sched.c { unsigned int cpu; struct rq *rq; -@@ -5784,10 +5786,10 @@ int mutex_spin_on_owner(struct mutex *lo +@@ -5784,10 +5787,10 @@ int mutex_spin_on_owner(struct mutex *lo * DEBUG_PAGEALLOC could have unmapped it if * the mutex owner just released it and exited. */ @@ -65527,7 +65716,7 @@ diff -urNp linux-2.6.32.45/kernel/sched.c linux-2.6.32.45/kernel/sched.c #endif /* -@@ -5816,7 +5818,7 @@ int mutex_spin_on_owner(struct mutex *lo +@@ -5816,7 +5819,7 @@ int mutex_spin_on_owner(struct mutex *lo /* * Is that owner really running on that cpu? */ @@ -65536,7 +65725,7 @@ diff -urNp linux-2.6.32.45/kernel/sched.c linux-2.6.32.45/kernel/sched.c return 0; cpu_relax(); -@@ -6359,6 +6361,8 @@ int can_nice(const struct task_struct *p +@@ -6359,6 +6362,8 @@ int can_nice(const struct task_struct *p /* convert nice value [19,-20] to rlimit style value [1,40] */ int nice_rlim = 20 - nice; @@ -65545,7 +65734,7 @@ diff -urNp linux-2.6.32.45/kernel/sched.c linux-2.6.32.45/kernel/sched.c return (nice_rlim <= p->signal->rlim[RLIMIT_NICE].rlim_cur || capable(CAP_SYS_NICE)); } -@@ -6392,7 +6396,8 @@ SYSCALL_DEFINE1(nice, int, increment) +@@ -6392,7 +6397,8 @@ SYSCALL_DEFINE1(nice, int, increment) if (nice > 19) nice = 19; @@ -65555,7 +65744,7 @@ diff -urNp linux-2.6.32.45/kernel/sched.c linux-2.6.32.45/kernel/sched.c return -EPERM; retval = security_task_setnice(current, nice); -@@ -8774,7 +8779,7 @@ static void init_sched_groups_power(int +@@ -8774,7 +8780,7 @@ static void init_sched_groups_power(int long power; int weight; @@ -66970,7 +67159,7 @@ diff -urNp linux-2.6.32.45/localversion-grsec linux-2.6.32.45/localversion-grsec +-grsec diff -urNp linux-2.6.32.45/Makefile linux-2.6.32.45/Makefile --- linux-2.6.32.45/Makefile 2011-08-16 20:37:25.000000000 -0400 -+++ linux-2.6.32.45/Makefile 2011-08-16 20:42:28.000000000 -0400 ++++ linux-2.6.32.45/Makefile 2011-08-21 19:35:55.000000000 -0400 @@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" HOSTCC = gcc @@ -71623,6 +71812,29 @@ diff -urNp linux-2.6.32.45/net/ipv4/netfilter/arp_tables.c linux-2.6.32.45/net/i info.valid_hooks = t->valid_hooks; memcpy(info.hook_entry, private->hook_entry, sizeof(info.hook_entry)); +diff -urNp linux-2.6.32.45/net/ipv4/netfilter/ip_queue.c linux-2.6.32.45/net/ipv4/netfilter/ip_queue.c +--- linux-2.6.32.45/net/ipv4/netfilter/ip_queue.c 2011-03-27 14:31:47.000000000 -0400 ++++ linux-2.6.32.45/net/ipv4/netfilter/ip_queue.c 2011-08-21 18:42:53.000000000 -0400 +@@ -286,6 +286,9 @@ ipq_mangle_ipv4(ipq_verdict_msg_t *v, st + + if (v->data_len < sizeof(*user_iph)) + return 0; ++ if (v->data_len > 65535) ++ return -EMSGSIZE; ++ + diff = v->data_len - e->skb->len; + if (diff < 0) { + if (pskb_trim(e->skb, v->data_len)) +@@ -409,7 +412,8 @@ ipq_dev_drop(int ifindex) + static inline void + __ipq_rcv_skb(struct sk_buff *skb) + { +- int status, type, pid, flags, nlmsglen, skblen; ++ int status, type, pid, flags; ++ unsigned int nlmsglen, skblen; + struct nlmsghdr *nlh; + + skblen = skb->len; diff -urNp linux-2.6.32.45/net/ipv4/netfilter/ip_tables.c linux-2.6.32.45/net/ipv4/netfilter/ip_tables.c --- linux-2.6.32.45/net/ipv4/netfilter/ip_tables.c 2011-04-17 17:00:52.000000000 -0400 +++ linux-2.6.32.45/net/ipv4/netfilter/ip_tables.c 2011-04-17 17:04:18.000000000 -0400 @@ -72142,6 +72354,29 @@ diff -urNp linux-2.6.32.45/net/ipv6/ipv6_sockglue.c linux-2.6.32.45/net/ipv6/ipv if (ip6_mroute_opt(optname)) return ip6_mroute_getsockopt(sk, optname, optval, optlen); +diff -urNp linux-2.6.32.45/net/ipv6/netfilter/ip6_queue.c linux-2.6.32.45/net/ipv6/netfilter/ip6_queue.c +--- linux-2.6.32.45/net/ipv6/netfilter/ip6_queue.c 2011-03-27 14:31:47.000000000 -0400 ++++ linux-2.6.32.45/net/ipv6/netfilter/ip6_queue.c 2011-08-21 18:43:32.000000000 -0400 +@@ -287,6 +287,9 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, st + + if (v->data_len < sizeof(*user_iph)) + return 0; ++ if (v->data_len > 65535) ++ return -EMSGSIZE; ++ + diff = v->data_len - e->skb->len; + if (diff < 0) { + if (pskb_trim(e->skb, v->data_len)) +@@ -411,7 +414,8 @@ ipq_dev_drop(int ifindex) + static inline void + __ipq_rcv_skb(struct sk_buff *skb) + { +- int status, type, pid, flags, nlmsglen, skblen; ++ int status, type, pid, flags; ++ unsigned int nlmsglen, skblen; + struct nlmsghdr *nlh; + + skblen = skb->len; diff -urNp linux-2.6.32.45/net/ipv6/netfilter/ip6_tables.c linux-2.6.32.45/net/ipv6/netfilter/ip6_tables.c --- linux-2.6.32.45/net/ipv6/netfilter/ip6_tables.c 2011-04-17 17:00:52.000000000 -0400 +++ linux-2.6.32.45/net/ipv6/netfilter/ip6_tables.c 2011-04-17 17:04:18.000000000 -0400 diff --git a/2.6.39/0000_README b/2.6.39/0000_README index 38058ed..3af2064 100644 --- a/2.6.39/0000_README +++ b/2.6.39/0000_README @@ -3,7 +3,7 @@ README Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.2.2-2.6.39.4-201108192305.patch +Patch: 4420_grsecurity-2.2.2-2.6.39.4-201108211939.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.39/4420_grsecurity-2.2.2-2.6.39.4-201108192305.patch b/2.6.39/4420_grsecurity-2.2.2-2.6.39.4-201108211939.patch index 6d92b4a..9fd74be 100644 --- a/2.6.39/4420_grsecurity-2.2.2-2.6.39.4-201108192305.patch +++ b/2.6.39/4420_grsecurity-2.2.2-2.6.39.4-201108211939.patch @@ -51118,8 +51118,8 @@ diff -urNp linux-2.6.39.4/grsecurity/Kconfig linux-2.6.39.4/grsecurity/Kconfig +endmenu diff -urNp linux-2.6.39.4/grsecurity/Makefile linux-2.6.39.4/grsecurity/Makefile --- linux-2.6.39.4/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.39.4/grsecurity/Makefile 2011-08-17 19:03:10.000000000 -0400 -@@ -0,0 +1,33 @@ ++++ linux-2.6.39.4/grsecurity/Makefile 2011-08-21 18:54:57.000000000 -0400 +@@ -0,0 +1,34 @@ +# grsecurity's ACL system was originally written in 2001 by Michael Dalton +# during 2001-2009 it has been completely redesigned by Brad Spengler +# into an RBAC system @@ -51138,7 +51138,8 @@ diff -urNp linux-2.6.39.4/grsecurity/Makefile linux-2.6.39.4/grsecurity/Makefile +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o + +ifdef CONFIG_NET -+obj-$(CONFIG_GRKERNSEC) += gracl_ip.o grsec_sock.o ++obj-y += grsec_sock.o ++obj-$(CONFIG_GRKERNSEC) += gracl_ip.o +endif + +ifndef CONFIG_GRKERNSEC |