authorAnthony G. Basile <blueness@gentoo.org>2016-01-18 19:20:58 -0500
committerAnthony G. Basile <blueness@gentoo.org>2016-01-18 19:20:58 -0500
commit5aca1e28bedeb8f51a52cfc922e0749f75809504 (patch)
treef8b999962091bc35ccac8f1d0a7eb29609c1f9db
parentgrsecurity-3.1-4.3.3-201601161757 (diff)
grsecurity-3.1-4.3.3-20160117191320160117
-rw-r--r--4.3.3/0000_README2
-rw-r--r--4.3.3/4420_grsecurity-3.1-4.3.3-201601171913.patch (renamed from 4.3.3/4420_grsecurity-3.1-4.3.3-201601161757.patch)211
2 files changed, 135 insertions, 78 deletions
diff --git a/4.3.3/0000_README b/4.3.3/0000_README
index 8ff755f..737c59b 100644
--- a/4.3.3/0000_README
+++ b/4.3.3/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.3.3-201601161757.patch
+Patch: 4420_grsecurity-3.1-4.3.3-201601171913.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.3.3/4420_grsecurity-3.1-4.3.3-201601161757.patch b/4.3.3/4420_grsecurity-3.1-4.3.3-201601171913.patch
index 15482a1..c47605c 100644
--- a/4.3.3/4420_grsecurity-3.1-4.3.3-201601161757.patch
+++ b/4.3.3/4420_grsecurity-3.1-4.3.3-201601171913.patch
@@ -42417,24 +42417,58 @@ index 6068d82..7ecd87c 100644
static const struct vga_switcheroo_client_ops amdgpu_switcheroo_ops = {
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
-index b190c2a..d1b18c2 100644
+index b190c2a..67a7707 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
-@@ -544,8 +544,12 @@ static int __init amdgpu_init(void)
+@@ -471,7 +471,7 @@ static struct drm_driver kms_driver = {
+ .driver_features =
+ DRIVER_USE_AGP |
+ DRIVER_HAVE_IRQ | DRIVER_IRQ_SHARED | DRIVER_GEM |
+- DRIVER_PRIME | DRIVER_RENDER,
++ DRIVER_PRIME | DRIVER_RENDER | DRIVER_MODESET,
+ .dev_priv_size = 0,
+ .load = amdgpu_driver_load_kms,
+ .open = amdgpu_driver_open_kms,
+@@ -522,9 +522,6 @@ static struct drm_driver kms_driver = {
+ .patchlevel = KMS_DRIVER_PATCHLEVEL,
+ };
+
+-static struct drm_driver *driver;
+-static struct pci_driver *pdriver;
+-
+ static struct pci_driver amdgpu_kms_pci_driver = {
+ .name = DRIVER_NAME,
+ .id_table = pciidlist,
+@@ -542,22 +539,23 @@ static int __init amdgpu_init(void)
+ }
+ #endif
DRM_INFO("amdgpu kernel modesetting enabled.\n");
- driver = &kms_driver;
- pdriver = &amdgpu_kms_pci_driver;
+- driver = &kms_driver;
+- pdriver = &amdgpu_kms_pci_driver;
- driver->driver_features |= DRIVER_MODESET;
- driver->num_ioctls = amdgpu_max_kms_ioctl;
+
+ pax_open_kernel();
-+ *(u32 *)&driver->driver_features |= DRIVER_MODESET;
-+ *(int *)&driver->num_ioctls = amdgpu_max_kms_ioctl;
++ *(int *)&kms_driver.num_ioctls = amdgpu_max_kms_ioctl;
+ pax_close_kernel();
+
amdgpu_register_atpx_handler();
amdgpu_amdkfd_init();
+
+ /* let modprobe override vga console setting */
+- return drm_pci_init(driver, pdriver);
++ return drm_pci_init(&kms_driver, &amdgpu_kms_pci_driver);
+ }
+
+ static void __exit amdgpu_exit(void)
+ {
+ amdgpu_amdkfd_fini();
+- drm_pci_exit(driver, pdriver);
++ drm_pci_exit(&kms_driver, &amdgpu_kms_pci_driver);
+ amdgpu_unregister_atpx_handler();
+ }
+
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
index 5d11e79..04cc53e 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
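Review bot: The one remaining runtime write in amdgpu_init, `*(int *)&kms_driver.num_ioctls = amdgpu_max_kms_ioctl;`, still goes through a cast that hard-codes the field's type, so a later change to the type of `num_ioctls` would compile cleanly and write the wrong width inside the pax_open_kernel() window. The i915 section of this same revision avoids the cast by declaring its driver `drm_driver_no_const driver __read_only` and using a plain `driver.num_ioctls = i915_max_ioctl;` between the open and close calls; declaring `kms_driver` the same way would let this line drop the cast. The two radeon_init hunks further down keep the same `*(int *)&driver->num_ioctls` pattern. amdgpu_init starts before the lines shown here.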
@@ -43160,7 +43194,7 @@ index d93e737..edb8a4a 100644
int retcode = -EINVAL;
char stack_kdata[128];
diff --git a/drivers/gpu/drm/drm_pci.c b/drivers/gpu/drm/drm_pci.c
-index 1b1bd42..0e49027 100644
+index 1b1bd42..2d28e80 100644
--- a/drivers/gpu/drm/drm_pci.c
+++ b/drivers/gpu/drm/drm_pci.c
@@ -305,7 +305,7 @@ int drm_get_pci_dev(struct pci_dev *pdev, const struct pci_device_id *ent,
@@ -43172,16 +43206,19 @@ index 1b1bd42..0e49027 100644
return 0;
-@@ -340,7 +340,7 @@ int drm_pci_init(struct drm_driver *driver, struct pci_driver *pdriver)
+@@ -340,7 +340,10 @@ int drm_pci_init(struct drm_driver *driver, struct pci_driver *pdriver)
return pci_register_driver(pdriver);
/* If not using KMS, fall back to stealth mode manual scanning. */
- INIT_LIST_HEAD(&driver->legacy_dev_list);
++ pax_open_kernel();
+ INIT_LIST_HEAD((struct list_head *)&driver->legacy_dev_list);
++ pax_close_kernel();
++
for (i = 0; pdriver->id_table[i].vendor != 0; i++) {
pid = &pdriver->id_table[i];
-@@ -446,7 +446,7 @@ void drm_pci_exit(struct drm_driver *driver, struct pci_driver *pdriver)
+@@ -446,7 +449,7 @@ void drm_pci_exit(struct drm_driver *driver, struct pci_driver *pdriver)
} else {
list_for_each_entry_safe(dev, tmp, &driver->legacy_dev_list,
legacy_dev_list) {
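Review bot: Only the INIT_LIST_HEAD() call in drm_pci_init is bracketed with pax_open_kernel()/pax_close_kernel() here, yet `legacy_dev_list` is also the list head walked in drm_pci_exit, whose loop body is cut off after the last line shown. If entries are linked to or unlinked from that head elsewhere (the drm_get_pci_dev and drm_pci_exit inner hunks are not fully visible), each of those writes would need the same bracket, assuming the driver object is mapped read-only. A short comment above the new pair, e.g. `/* drm_driver instances may be read-only; open a write window for the list head */`, would record why the cast and the window are there.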
@@ -43226,18 +43263,14 @@ index d4813e0..6c1ab4d 100644
pipeconf_reg = PIPECCONF;
dspcntr_reg = DSPCCNTR;
diff --git a/drivers/gpu/drm/gma500/psb_drv.c b/drivers/gpu/drm/gma500/psb_drv.c
-index 92e7e57..f59f5d3 100644
+index 92e7e57..5d74ff5 100644
--- a/drivers/gpu/drm/gma500/psb_drv.c
+++ b/drivers/gpu/drm/gma500/psb_drv.c
-@@ -376,7 +376,10 @@ static int psb_driver_load(struct drm_device *dev, unsigned long flags)
+@@ -376,7 +376,6 @@ static int psb_driver_load(struct drm_device *dev, unsigned long flags)
dev->vblank_disable_allowed = true;
dev->max_vblank_count = 0xffffff; /* only 24 bits of frame count */
- dev->driver->get_vblank_counter = psb_get_vblank_counter;
-+
-+ pax_open_kernel();
-+ *(void **)&dev->driver->get_vblank_counter = psb_get_vblank_counter;
-+ pax_close_kernel();
psb_modeset_init(dev);
psb_fbdev_init(dev);
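Review bot: With this revision psb_driver_load no longer assigns `get_vblank_counter` at all, so the callback is valid only if the static `struct drm_driver` initializer in psb_drv.c already sets `.get_vblank_counter = psb_get_vblank_counter`; that initializer is not in the hunk. If it does not, the field stays at whatever the initializer left it, possibly NULL, so this is worth confirming against the full file before relying on the removal. psb_driver_load begins and ends outside the lines shown.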
@@ -43315,48 +43348,47 @@ index ab37d11..5cbacc7 100644
-int i915_max_ioctl = ARRAY_SIZE(i915_ioctls);
+const int i915_max_ioctl = ARRAY_SIZE(i915_ioctls);
diff --git a/drivers/gpu/drm/i915/i915_drv.c b/drivers/gpu/drm/i915/i915_drv.c
-index ab64d68..e6be8e5 100644
+index ab64d68..b74a68e 100644
--- a/drivers/gpu/drm/i915/i915_drv.c
+++ b/drivers/gpu/drm/i915/i915_drv.c
-@@ -1697,25 +1697,27 @@ static struct pci_driver i915_pci_driver = {
+@@ -40,7 +40,7 @@
+ #include <linux/pm_runtime.h>
+ #include <drm/drm_crtc_helper.h>
+
+-static struct drm_driver driver;
++static drm_driver_no_const driver;
+
+ #define GEN_DEFAULT_PIPEOFFSETS \
+ .pipe_offsets = { PIPE_A_OFFSET, PIPE_B_OFFSET, \
+@@ -1643,7 +1643,7 @@ static const struct file_operations i915_driver_fops = {
+ .llseek = noop_llseek,
+ };
+
+-static struct drm_driver driver = {
++static drm_driver_no_const driver __read_only = {
+ /* Don't use MTRRs here; the Xserver or userspace app should
+ * deal with them for Intel hardware.
+ */
+@@ -1697,6 +1697,7 @@ static struct pci_driver i915_pci_driver = {
static int __init i915_init(void)
{
-- driver.num_ioctls = i915_max_ioctl;
+ pax_open_kernel();
-+ *(int *)&driver.num_ioctls = i915_max_ioctl;
+ driver.num_ioctls = i915_max_ioctl;
/*
- * Enable KMS by default, unless explicitly overriden by
- * either the i915.modeset prarameter or by the
- * vga_text_mode_force boot option.
- */
-- driver.driver_features |= DRIVER_MODESET;
-+ *(u32 *)&driver.driver_features |= DRIVER_MODESET;
-
- if (i915.modeset == 0)
-- driver.driver_features &= ~DRIVER_MODESET;
-+ *(u32 *)&driver.driver_features &= ~DRIVER_MODESET;
-
- #ifdef CONFIG_VGA_CONSOLE
- if (vgacon_text_force() && i915.modeset == -1)
-- driver.driver_features &= ~DRIVER_MODESET;
-+ *(u32 *)&driver.driver_features &= ~DRIVER_MODESET;
- #endif
+@@ -1716,6 +1717,7 @@ static int __init i915_init(void)
if (!(driver.driver_features & DRIVER_MODESET)) {
-- driver.get_vblank_timestamp = NULL;
-+ *(void **)&driver.get_vblank_timestamp = NULL;
+ driver.get_vblank_timestamp = NULL;
+ pax_close_kernel();
/* Silently fail loading to not upset userspace. */
DRM_DEBUG_DRIVER("KMS and UMS disabled.\n");
return 0;
-@@ -1727,7 +1729,8 @@ static int __init i915_init(void)
- * a single CRTC will actually work.
+@@ -1728,6 +1730,7 @@ static int __init i915_init(void)
*/
if (driver.driver_features & DRIVER_MODESET)
-- driver.driver_features |= DRIVER_ATOMIC;
-+ *(u32 *)&driver.driver_features |= DRIVER_ATOMIC;
+ driver.driver_features |= DRIVER_ATOMIC;
+ pax_close_kernel();
return drm_pci_init(&driver, &i915_pci_driver);
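Review bot: pax_open_kernel() is now called on the first line of i915_init and closed separately on each of the two exits shown, so the write window covers every statement in between, including code that sits between the inner hunks and is not visible here. Any return path added later between the open and the two closes would leave the function with the window still open, and nothing in the code marks that constraint. Either narrow the bracket to the individual `driver.*` assignments, or add a comment at the open such as `/* every return below must be preceded by pax_close_kernel() */`.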
@@ -43833,17 +43865,20 @@ index 4dca65a..3486961 100644
#define BIT_TABLE(id, funcid) ((struct bit_table){ id, parse_bit_##funcid##_tbl_entry })
diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c
-index ccefb64..a19593d 100644
+index ccefb64..10c4d33 100644
--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
+++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
-@@ -76,7 +76,6 @@ MODULE_PARM_DESC(runpm, "disable (0), force enable (1), optimus only default (-1
+@@ -76,9 +76,8 @@ MODULE_PARM_DESC(runpm, "disable (0), force enable (1), optimus only default (-1
int nouveau_runtime_pm = -1;
module_param_named(runpm, nouveau_runtime_pm, int, 0400);
-static struct drm_driver driver_stub;
static struct drm_driver driver_pci;
- static struct drm_driver driver_platform;
+-static struct drm_driver driver_platform;
++static drm_driver_no_const driver_platform __read_only;
+ static u64
+ nouveau_pci_name(struct pci_dev *pdev)
@@ -917,7 +916,7 @@ nouveau_driver_fops = {
};
@@ -43869,10 +43904,9 @@ index ccefb64..a19593d 100644
- driver_pci = driver_stub;
- driver_pci.set_busid = drm_pci_set_busid;
- driver_platform = driver_stub;
-- driver_platform.set_busid = drm_platform_set_busid;
+ pax_open_kernel();
-+ memcpy((void *)&driver_platform, &driver_pci, sizeof driver_pci);
-+ *(void **)&driver_platform.set_busid = drm_platform_set_busid;
++ driver_platform = driver_pci;
+ driver_platform.set_busid = drm_platform_set_busid;
+ pax_close_kernel();
nouveau_display_options();
@@ -44404,7 +44438,7 @@ index f3f562f..0c099bb 100644
static const struct vga_switcheroo_client_ops radeon_switcheroo_ops = {
diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c
-index 5751446..f39a861 100644
+index 5751446..2ec7c5d 100644
--- a/drivers/gpu/drm/radeon/radeon_drv.c
+++ b/drivers/gpu/drm/radeon/radeon_drv.c
@@ -130,7 +130,7 @@ extern int radeon_get_crtc_scanoutpos(struct drm_device *dev, int crtc,
@@ -44416,7 +44450,16 @@ index 5751446..f39a861 100644
int radeon_mmap(struct file *filp, struct vm_area_struct *vma);
int radeon_mode_dumb_mmap(struct drm_file *filp,
struct drm_device *dev,
-@@ -650,8 +650,12 @@ static int __init radeon_init(void)
+@@ -566,7 +566,7 @@ static struct drm_driver kms_driver = {
+ .driver_features =
+ DRIVER_USE_AGP |
+ DRIVER_HAVE_IRQ | DRIVER_IRQ_SHARED | DRIVER_GEM |
+- DRIVER_PRIME | DRIVER_RENDER,
++ DRIVER_PRIME | DRIVER_RENDER | DRIVER_MODESET,
+ .load = radeon_driver_load_kms,
+ .open = radeon_driver_open_kms,
+ .preclose = radeon_driver_preclose_kms,
+@@ -650,8 +650,11 @@ static int __init radeon_init(void)
DRM_INFO("radeon kernel modesetting enabled.\n");
driver = &kms_driver;
pdriver = &radeon_kms_pci_driver;
@@ -44424,14 +44467,13 @@ index 5751446..f39a861 100644
- driver->num_ioctls = radeon_max_kms_ioctl;
+
+ pax_open_kernel();
-+ *(u32 *)&driver->driver_features |= DRIVER_MODESET;
+ *(int *)&driver->num_ioctls = radeon_max_kms_ioctl;
+ pax_close_kernel();
+
radeon_register_atpx_handler();
} else {
-@@ -659,8 +663,11 @@ static int __init radeon_init(void)
+@@ -659,8 +662,10 @@ static int __init radeon_init(void)
DRM_INFO("radeon userspace modesetting enabled.\n");
driver = &driver_old;
pdriver = &radeon_pci_driver;
@@ -44439,7 +44481,6 @@ index 5751446..f39a861 100644
- driver->num_ioctls = radeon_max_ioctl;
+
+ pax_open_kernel();
-+ *(u32 *)&driver->driver_features &= ~DRIVER_MODESET;
+ *(int *)&driver->num_ioctls = radeon_max_ioctl;
+ pax_close_kernel();
#else
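Review bot: The userspace-modesetting branch of radeon_init no longer clears DRIVER_MODESET on `driver_old`, which matches the previous revision only if the static initializer of `driver_old` never sets that flag; the initializer is not part of this hunk. The KMS side was handled by adding `DRIVER_MODESET` to the `kms_driver` initializer in an earlier hunk, so the matching assumption is worth recording, for example with a comment `/* driver_old never advertises DRIVER_MODESET */` next to `driver = &driver_old;`. radeon_init starts and ends outside the lines shown.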
@@ -52677,6 +52718,20 @@ index 976aa97..c1efed2 100644
if (cmd == TUNSETIFF || cmd == TUNSETQUEUE || _IOC_TYPE(cmd) == 0x89) {
if (copy_from_user(&ifr, argp, ifreq_len))
return -EFAULT;
+diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
+index 079069a..a11e690 100644
+--- a/drivers/net/usb/asix_common.c
++++ b/drivers/net/usb/asix_common.c
+@@ -108,7 +108,8 @@ int asix_rx_fixup_internal(struct usbnet *dev, struct sk_buff *skb,
+ }
+
+ if (rx->size > skb->len - offset) {
+- remaining = rx->size - (skb->len - offset);
++ remaining = skb->len - offset;
++ remaining = rx->size - remaining;
+ rx->size = skb->len - offset;
+ }
+
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index 111d907..1ee643e 100644
--- a/drivers/net/usb/hso.c
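Review bot: The rewritten computation in asix_rx_fixup_internal stores `skb->len - offset` in `remaining` before subtracting it from `rx->size`, so the intermediate is now converted to the type of `remaining`, whose declaration is outside the hunk. That matches the old single expression only while the guard `rx->size > skb->len - offset` holds and `rx->size` is no wider than `remaining`; if either type is widened later the two forms can diverge silently. The split has no comment explaining why it exists, so add one above it, e.g. `/* two steps on purpose: keep the intermediate in remaining's type; relies on the guard above */` (the stated reason is my inference and should be confirmed).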
@@ -78448,7 +78503,7 @@ index e4141f2..d8263e8 100644
i += packet_length_size;
if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
diff --git a/fs/exec.c b/fs/exec.c
-index b06623a..122301f 100644
+index b06623a..10a5c14 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -56,8 +56,20 @@
@@ -78494,7 +78549,7 @@ index b06623a..122301f 100644
static DEFINE_RWLOCK(binfmt_lock);
+extern int gr_process_kernel_exec_ban(void);
-+extern int gr_process_suid_exec_ban(const struct linux_binprm *bprm);
++extern int gr_process_sugid_exec_ban(const struct linux_binprm *bprm);
+
void __register_binfmt(struct linux_binfmt * fmt, int insert)
{
@@ -78874,7 +78929,7 @@ index b06623a..122301f 100644
+ current->signal->rlim[RLIMIT_STACK].rlim_cur = 8 * 1024 * 1024;
+#endif
+
-+ if (gr_process_kernel_exec_ban() || gr_process_suid_exec_ban(bprm)) {
++ if (gr_process_kernel_exec_ban() || gr_process_sugid_exec_ban(bprm)) {
+ retval = -EPERM;
+ goto out_fail;
+ }
@@ -96383,10 +96438,10 @@ index 0000000..304c518
+}
diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c
new file mode 100644
-index 0000000..1e6f893
+index 0000000..528fd00
--- /dev/null
+++ b/grsecurity/grsec_sig.c
-@@ -0,0 +1,243 @@
+@@ -0,0 +1,244 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
@@ -96496,10 +96551,10 @@ index 0000000..1e6f893
+ user = find_user(uid);
+ if (user == NULL)
+ goto unlock;
-+ user->suid_banned = 1;
-+ user->suid_ban_expires = get_seconds() + GR_USER_BAN_TIME;
-+ if (user->suid_ban_expires == ~0UL)
-+ user->suid_ban_expires--;
++ user->sugid_banned = 1;
++ user->sugid_ban_expires = get_seconds() + GR_USER_BAN_TIME;
++ if (user->sugid_ban_expires == ~0UL)
++ user->sugid_ban_expires--;
+
+ /* only kill other threads of the same binary, from the same user */
+ do_each_thread(tsk2, tsk) {
@@ -96585,11 +96640,11 @@ index 0000000..1e6f893
+}
+
+#ifdef CONFIG_GRKERNSEC_BRUTE
-+static bool suid_ban_expired(struct user_struct *user)
++static bool sugid_ban_expired(struct user_struct *user)
+{
-+ if (user->suid_ban_expires != ~0UL && time_after_eq(get_seconds(), user->suid_ban_expires)) {
-+ user->suid_banned = 0;
-+ user->suid_ban_expires = 0;
++ if (user->sugid_ban_expires != ~0UL && time_after_eq(get_seconds(), user->sugid_ban_expires)) {
++ user->sugid_banned = 0;
++ user->sugid_ban_expires = 0;
+ free_uid(user);
+ return true;
+ }
@@ -96616,15 +96671,16 @@ index 0000000..1e6f893
+ return 0;
+}
+
-+int gr_process_suid_exec_ban(const struct linux_binprm *bprm)
++int gr_process_sugid_exec_ban(const struct linux_binprm *bprm)
+{
+#ifdef CONFIG_GRKERNSEC_BRUTE
+ struct user_struct *user = current->cred->user;
-+ if (unlikely(user->suid_banned)) {
-+ if (suid_ban_expired(user))
++ if (unlikely(user->sugid_banned)) {
++ if (sugid_ban_expired(user))
+ return 0;
-+ /* disallow execution of suid binaries only */
-+ else if (!uid_eq(bprm->cred->euid, current->cred->uid))
++ /* disallow execution of suid/sgid binaries only */
++ else if (!uid_eq(bprm->cred->euid, current->cred->uid) ||
++ !gid_eq(bprm->cred->egid, current->cred->gid))
+ return -EPERM;
+ }
+#endif
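Review bot: The ban test in gr_process_sugid_exec_ban now rejects an exec when either `bprm->cred->euid` or `bprm->cred->egid` differs from the caller's real uid/gid, but it still recognises privilege gain only through those two ids. A binary that gains privilege by other means, such as file capabilities, would not match this condition, assuming nothing else on the exec path applies the ban (that path is outside the hunk). If that scope is intended, the comment should say so, e.g. `/* disallow execution of suid/sgid binaries only; file capabilities are not considered */`. The function's closing lines are outside the hunk.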
@@ -98230,7 +98286,7 @@ index c9fe145..9fb2337 100644
struct crypto_instance {
struct crypto_alg alg;
diff --git a/include/drm/drmP.h b/include/drm/drmP.h
-index 8b5ce7c..a0ee191 100644
+index 8b5ce7c..89c5676 100644
--- a/include/drm/drmP.h
+++ b/include/drm/drmP.h
@@ -59,6 +59,7 @@
@@ -98268,16 +98324,17 @@ index 8b5ce7c..a0ee191 100644
/**
* Creates a driver or general drm_ioctl_desc array entry for the given
-@@ -630,7 +633,7 @@ struct drm_driver {
+@@ -630,7 +633,8 @@ struct drm_driver {
/* List of devices hanging off this driver with stealth attach. */
struct list_head legacy_dev_list;
-};
+} __do_const;
++typedef struct drm_driver __no_const drm_driver_no_const;
enum drm_minor_type {
DRM_MINOR_LEGACY,
-@@ -648,7 +651,8 @@ struct drm_info_list {
+@@ -648,7 +652,8 @@ struct drm_info_list {
int (*show)(struct seq_file*, void*); /** show callback */
u32 driver_features; /**< Required driver features for this entry */
void *data;
@@ -98287,7 +98344,7 @@ index 8b5ce7c..a0ee191 100644
/**
* debugfs node structure. This structure represents a debugfs file.
-@@ -735,7 +739,7 @@ struct drm_device {
+@@ -735,7 +740,7 @@ struct drm_device {
/** \name Usage Counters */
/*@{ */
@@ -103310,7 +103367,7 @@ index 556ec1e..38c19c9 100644
/*
diff --git a/include/linux/sched.h b/include/linux/sched.h
-index b7b9501..46d7e52 100644
+index b7b9501..ab1a134 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -7,7 +7,7 @@
@@ -103392,8 +103449,8 @@ index b7b9501..46d7e52 100644
+ unsigned char kernel_banned;
+#endif
+#ifdef CONFIG_GRKERNSEC_BRUTE
-+ unsigned char suid_banned;
-+ unsigned long suid_ban_expires;
++ unsigned char sugid_banned;
++ unsigned long sugid_ban_expires;
+#endif
+
/* Hash table maintenance information */