diff options
| author |   Anthony G. Basile <blueness@gentoo.org> | 2014-02-08 12:38:31 -0500 |
|---|---|---|
| committer | Anthony G. Basile <blueness@gentoo.org> | 2014-02-08 12:38:31 -0500 |
| commit | f31dc62ba3b58489d68b09632c7f5c9272bf9d78 (patch) | |
| tree | 62888e9832ecf08a14b01de9f90f14de33abf467 | |
| parent | Grsec/PaX: 3.0-{3.2.54,3.13.1}-201402052349 (diff) | |
| download | hardened-patchset-f31dc62ba3b58489d68b09632c7f5c9272bf9d78.tar.gz hardened-patchset-f31dc62ba3b58489d68b09632c7f5c9272bf9d78.tar.bz2 hardened-patchset-f31dc62ba3b58489d68b09632c7f5c9272bf9d78.zip | |
Grsec/PaX: 3.0-{3.2.54,3.13.2}-20140206222420140206
| -rw-r--r-- | 3.13.2/0000_README (renamed from 3.13.1/0000_README) | 2 | ||||
| -rw-r--r-- | 3.13.2/4420_grsecurity-3.0-3.13.2-201402062224.patch (renamed from 3.13.1/4420_grsecurity-3.0-3.13.1-201402052349.patch) | 382 | ||||
| -rw-r--r-- | 3.13.2/4425_grsec_remove_EI_PAX.patch (renamed from 3.13.1/4425_grsec_remove_EI_PAX.patch) | 2 | ||||
| -rw-r--r-- | 3.13.2/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.13.1/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
| -rw-r--r-- | 3.13.2/4430_grsec-remove-localversion-grsec.patch (renamed from 3.13.1/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
| -rw-r--r-- | 3.13.2/4435_grsec-mute-warnings.patch (renamed from 3.13.1/4435_grsec-mute-warnings.patch) | 0 | ||||
| -rw-r--r-- | 3.13.2/4440_grsec-remove-protected-paths.patch (renamed from 3.13.1/4440_grsec-remove-protected-paths.patch) | 7 | ||||
| -rw-r--r-- | 3.13.2/4450_grsec-kconfig-default-gids.patch (renamed from 3.13.1/4450_grsec-kconfig-default-gids.patch) | 20 | ||||
| -rw-r--r-- | 3.13.2/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.13.1/4465_selinux-avc_audit-log-curr_ip.patch) | 2 | ||||
| -rw-r--r-- | 3.13.2/4470_disable-compat_vdso.patch (renamed from 3.13.1/4470_disable-compat_vdso.patch) | 0 | ||||
| -rw-r--r-- | 3.13.2/4475_emutramp_default_on.patch (renamed from 3.13.1/4475_emutramp_default_on.patch) | 2 | ||||
| -rw-r--r-- | 3.2.54/0000_README | 2 | ||||
| -rw-r--r-- | 3.2.54/4420_grsecurity-3.0-3.2.54-201402062221.patch (renamed from 3.2.54/4420_grsecurity-3.0-3.2.54-201402052347.patch) | 41 | ||||
| -rw-r--r-- | 3.2.54/4425_grsec_remove_EI_PAX.patch | 2 | ||||
| -rw-r--r-- | 3.2.54/4440_grsec-remove-protected-paths.patch | 7 | ||||
| -rw-r--r-- | 3.2.54/4450_grsec-kconfig-default-gids.patch | 8 | ||||
| -rw-r--r-- | 3.2.54/4475_emutramp_default_on.patch | 2 |
17 files changed, 313 insertions, 166 deletions
diff --git a/3.13.1/0000_README b/3.13.2/0000_README index 6b35ea7..850ef1e 100644 --- a/3.13.1/0000_README +++ b/3.13.2/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.13.1-201402052349.patch +Patch: 4420_grsecurity-3.0-3.13.2-201402062224.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.13.1/4420_grsecurity-3.0-3.13.1-201402052349.patch b/3.13.2/4420_grsecurity-3.0-3.13.2-201402062224.patch index ee1465f..824a474 100644 --- a/3.13.1/4420_grsecurity-3.0-3.13.1-201402052349.patch +++ b/3.13.2/4420_grsecurity-3.0-3.13.2-201402062224.patch @@ -287,7 +287,7 @@ index b9e9bd8..bf49b92 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index de4cda9..e5ec62c 100644 +index a7fd5d9..84ed0df 100644 --- a/Makefile +++ b/Makefile @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -302,7 +302,23 @@ index de4cda9..e5ec62c 100644 # Decide whether to build built-in, modular, or both. # Normally, just do built-in. -@@ -417,8 +418,8 @@ export RCS_TAR_IGNORE := --exclude SCCS --exclude BitKeeper --exclude .svn \ +@@ -311,9 +312,15 @@ endif + # If the user is running make -s (silent mode), suppress echoing of + # commands + ++ifneq ($(filter 4.%,$(MAKE_VERSION)),) # make-4 ++ifneq ($(filter %s ,$(firstword x$(MAKEFLAGS))),) ++ quiet=silent_ ++endif ++else # make-3.8x + ifneq ($(filter s% -s%,$(MAKEFLAGS)),) + quiet=silent_ + endif ++endif + + export quiet Q KBUILD_VERBOSE + +@@ -417,8 +424,8 @@ export RCS_TAR_IGNORE := --exclude SCCS --exclude BitKeeper --exclude .svn \ # Rules shared between *config targets and build targets # Basic helpers built in scripts/ @@ -313,7 +329,7 @@ index de4cda9..e5ec62c 100644 $(Q)$(MAKE) $(build)=scripts/basic $(Q)rm -f .tmp_quiet_recordmcount -@@ -579,6 +580,76 @@ else +@@ -579,6 +586,74 @@ else KBUILD_CFLAGS += -O2 endif @@ -340,10 +356,8 @@ index de4cda9..e5ec62c 100644 +KERNEXEC_PLUGIN_AFLAGS := -DKERNEXEC_PLUGIN +endif +ifdef CONFIG_GRKERNSEC_RANDSTRUCT -+GRKERNSEC_RANDSTRUCT_SEED := $(shell $(CONFIG_SHELL) $(srctree)/scripts/gen-random-seed.sh) +RANDSTRUCT_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/randomize_layout_plugin.so -DRANDSTRUCT_PLUGIN -+RANDSTRUCT_PLUGIN_CFLAGS += -fplugin-arg-randomize_layout_plugin-seed=$(GRKERNSEC_RANDSTRUCT_SEED) -+RANDSTRUCT_HASHED_SEED := $(shell cat "$(srctree)/tools/gcc/randstruct.hashed_seed") ++RANDSTRUCT_HASHED_SEED := $(shell cat "$(objtree)/tools/gcc/randomize_layout_hash.data") +RANDSTRUCT_PLUGIN_CFLAGS += -DRANDSTRUCT_HASHED_SEED="\"$(RANDSTRUCT_HASHED_SEED)\"" +ifdef CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE +RANDSTRUCT_PLUGIN_CFLAGS += -fplugin-arg-randomize_layout_plugin-performance-mode @@ -390,7 +404,16 @@ index de4cda9..e5ec62c 100644 include $(srctree)/arch/$(SRCARCH)/Makefile ifdef CONFIG_READABLE_ASM -@@ -754,7 +825,7 @@ export mod_sign_cmd +@@ -619,7 +694,7 @@ endif + + ifdef CONFIG_DEBUG_INFO + KBUILD_CFLAGS += -g +-KBUILD_AFLAGS += -gdwarf-2 ++KBUILD_AFLAGS += -Wa,--gdwarf-2 + endif + + ifdef CONFIG_DEBUG_INFO_REDUCED +@@ -754,7 +829,7 @@ export mod_sign_cmd ifeq ($(KBUILD_EXTMOD),) @@ -399,7 +422,7 @@ index de4cda9..e5ec62c 100644 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ -@@ -803,6 +874,8 @@ endif +@@ -803,6 +878,8 @@ endif # The actual objects are generated when descending, # make sure no implicit rule kicks in @@ -408,7 +431,7 @@ index de4cda9..e5ec62c 100644 $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; # Handle descending into subdirectories listed in $(vmlinux-dirs) -@@ -812,7 +885,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; +@@ -812,7 +889,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; # Error messages still appears in the original language PHONY += $(vmlinux-dirs) @@ -417,7 +440,7 @@ index de4cda9..e5ec62c 100644 $(Q)$(MAKE) $(build)=$@ define filechk_kernel.release -@@ -855,10 +928,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ +@@ -855,10 +932,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ archprepare: archheaders archscripts prepare1 scripts_basic @@ -431,7 +454,7 @@ index de4cda9..e5ec62c 100644 prepare: prepare0 # Generate some files -@@ -966,6 +1042,8 @@ all: modules +@@ -966,6 +1046,8 @@ all: modules # using awk while concatenating to the final file. PHONY += modules @@ -440,7 +463,7 @@ index de4cda9..e5ec62c 100644 modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order @$(kecho) ' Building modules, stage 2.'; -@@ -981,7 +1059,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin) +@@ -981,7 +1063,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin) # Target to prepare building external modules PHONY += modules_prepare @@ -449,17 +472,17 @@ index de4cda9..e5ec62c 100644 # Target to install modules PHONY += modules_install -@@ -1047,7 +1125,8 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \ +@@ -1047,7 +1129,8 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \ Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \ signing_key.priv signing_key.x509 x509.genkey \ extra_certificates signing_key.x509.keyid \ - signing_key.x509.signer + signing_key.x509.signer tools/gcc/size_overflow_hash.h \ -+ tools/gcc/randstruct.seed tools/gcc/randstruct.hashed_seed ++ tools/gcc/randomize_layout_seed.h tools/gcc/randomize_layout_hash.data # clean - Delete most, but leave enough to build external modules # -@@ -1087,6 +1166,7 @@ distclean: mrproper +@@ -1087,6 +1170,7 @@ distclean: mrproper \( -name '*.orig' -o -name '*.rej' -o -name '*~' \ -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \ -o -name '.*.rej' \ @@ -467,7 +490,7 @@ index de4cda9..e5ec62c 100644 -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \ -type f -print | xargs rm -f -@@ -1248,6 +1328,8 @@ PHONY += $(module-dirs) modules +@@ -1248,6 +1332,8 @@ PHONY += $(module-dirs) modules $(module-dirs): crmodverdir $(objtree)/Module.symvers $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@) @@ -476,7 +499,7 @@ index de4cda9..e5ec62c 100644 modules: $(module-dirs) @$(kecho) ' Building modules, stage 2.'; $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost -@@ -1387,17 +1469,21 @@ else +@@ -1387,17 +1473,21 @@ else target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@)) endif @@ -502,7 +525,7 @@ index de4cda9..e5ec62c 100644 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) %.symtypes: %.c prepare scripts FORCE $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) -@@ -1407,11 +1493,15 @@ endif +@@ -1407,11 +1497,15 @@ endif $(cmd_crmodverdir) $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ $(build)=$(build-dir) @@ -3596,6 +3619,29 @@ index 8a1b5e0..5f30074 100644 /* omap_hwmod_list contains all registered struct omap_hwmods */ static LIST_HEAD(omap_hwmod_list); +diff --git a/arch/arm/mach-omap2/powerdomains43xx_data.c b/arch/arm/mach-omap2/powerdomains43xx_data.c +index 95fee54..cfa9cf1 100644 +--- a/arch/arm/mach-omap2/powerdomains43xx_data.c ++++ b/arch/arm/mach-omap2/powerdomains43xx_data.c +@@ -10,6 +10,7 @@ + + #include <linux/kernel.h> + #include <linux/init.h> ++#include <asm/pgtable.h> + + #include "powerdomain.h" + +@@ -129,7 +130,9 @@ static int am43xx_check_vcvp(void) + + void __init am43xx_powerdomains_init(void) + { +- omap4_pwrdm_operations.pwrdm_has_voltdm = am43xx_check_vcvp; ++ pax_open_kernel(); ++ *(void **)&omap4_pwrdm_operations.pwrdm_has_voltdm = am43xx_check_vcvp; ++ pax_close_kernel(); + pwrdm_register_platform_funcs(&omap4_pwrdm_operations); + pwrdm_register_pwrdms(powerdomains_am43xx); + pwrdm_complete_init(); diff --git a/arch/arm/mach-omap2/wd_timer.c b/arch/arm/mach-omap2/wd_timer.c index d15c7bb..b2d1f0c 100644 --- a/arch/arm/mach-omap2/wd_timer.c @@ -18643,7 +18689,7 @@ index 3ba3de4..6c113b2 100644 #endif #endif /* _ASM_X86_THREAD_INFO_H */ diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h -index e6d90ba..0897f44 100644 +index e6d90ba..f81f114 100644 --- a/arch/x86/include/asm/tlbflush.h +++ b/arch/x86/include/asm/tlbflush.h @@ -17,18 +17,44 @@ @@ -18697,11 +18743,10 @@ index e6d90ba..0897f44 100644 } static inline void __native_flush_tlb_global(void) -@@ -49,6 +75,42 @@ static inline void __native_flush_tlb_global(void) +@@ -49,6 +75,41 @@ static inline void __native_flush_tlb_global(void) static inline void __native_flush_tlb_single(unsigned long addr) { -+ + if (static_cpu_has(X86_FEATURE_INVPCID)) { + u64 descriptor[2]; + @@ -20255,10 +20300,10 @@ index 47b56a7..efc2bc6 100644 obj-y += proc.o capflags.o powerflags.o common.o obj-y += rdrand.o diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c -index bca023b..c544908 100644 +index 59bfebc..d8f27bd 100644 --- a/arch/x86/kernel/cpu/amd.c +++ b/arch/x86/kernel/cpu/amd.c -@@ -743,7 +743,7 @@ static void init_amd(struct cpuinfo_x86 *c) +@@ -753,7 +753,7 @@ static void init_amd(struct cpuinfo_x86 *c) static unsigned int amd_size_cache(struct cpuinfo_x86 *c, unsigned int size) { /* AMD errata T13 (order #21922) */ @@ -27510,7 +27555,7 @@ index c697625..a032162 100644 out: diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c -index 775702f..737d4a9 100644 +index d86ff15..e77b023 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c @@ -55,7 +55,7 @@ @@ -27723,10 +27768,10 @@ index da7837e..86c6ebf 100644 vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 5d004da..0802480 100644 +index d89d51b..f3c612a 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c -@@ -1788,8 +1788,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) +@@ -1791,8 +1791,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) { struct kvm *kvm = vcpu->kvm; int lm = is_long_mode(vcpu); @@ -27737,7 +27782,7 @@ index 5d004da..0802480 100644 u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64 : kvm->arch.xen_hvm_config.blob_size_32; u32 page_num = data & ~PAGE_MASK; -@@ -2673,6 +2673,8 @@ long kvm_arch_dev_ioctl(struct file *filp, +@@ -2676,6 +2676,8 @@ long kvm_arch_dev_ioctl(struct file *filp, if (n < msr_list.nmsrs) goto out; r = -EFAULT; @@ -27746,7 +27791,7 @@ index 5d004da..0802480 100644 if (copy_to_user(user_msr_list->indices, &msrs_to_save, num_msrs_to_save * sizeof(u32))) goto out; -@@ -5482,7 +5484,7 @@ static struct notifier_block pvclock_gtod_notifier = { +@@ -5485,7 +5487,7 @@ static struct notifier_block pvclock_gtod_notifier = { }; #endif @@ -35509,7 +35554,7 @@ index c482f8c..c832240 100644 unsigned long timeout_msec) { diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c -index 1393a58..3bf8cbe 100644 +index 1a3dbd1..dfc6e5c 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -98,7 +98,7 @@ static unsigned int ata_dev_set_xfermode(struct ata_device *dev); @@ -35521,7 +35566,7 @@ index 1393a58..3bf8cbe 100644 struct ata_force_param { const char *name; -@@ -4823,7 +4823,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) +@@ -4850,7 +4850,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) struct ata_port *ap; unsigned int tag; @@ -35530,7 +35575,7 @@ index 1393a58..3bf8cbe 100644 ap = qc->ap; qc->flags = 0; -@@ -4839,7 +4839,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc) +@@ -4866,7 +4866,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc) struct ata_port *ap; struct ata_link *link; @@ -35539,7 +35584,7 @@ index 1393a58..3bf8cbe 100644 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE)); ap = qc->ap; link = qc->dev->link; -@@ -5958,6 +5958,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) +@@ -5985,6 +5985,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) return; spin_lock(&lock); @@ -35547,7 +35592,7 @@ index 1393a58..3bf8cbe 100644 for (cur = ops->inherits; cur; cur = cur->inherits) { void **inherit = (void **)cur; -@@ -5971,8 +5972,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) +@@ -5998,8 +5999,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) if (IS_ERR(*pp)) *pp = NULL; @@ -35558,7 +35603,7 @@ index 1393a58..3bf8cbe 100644 spin_unlock(&lock); } -@@ -6165,7 +6167,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht) +@@ -6192,7 +6194,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht) /* give ports names and add SCSI hosts */ for (i = 0; i < host->n_ports; i++) { @@ -35568,10 +35613,10 @@ index 1393a58..3bf8cbe 100644 } diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c -index 377eb88..8591b44 100644 +index ef8567d..8bdbd03 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c -@@ -4135,7 +4135,7 @@ int ata_sas_port_init(struct ata_port *ap) +@@ -4147,7 +4147,7 @@ int ata_sas_port_init(struct ata_port *ap) if (rc) return rc; @@ -39035,6 +39080,27 @@ index 9902732..64b62dd 100644 return -EINVAL; } +diff --git a/drivers/gpu/drm/armada/armada_drv.c b/drivers/gpu/drm/armada/armada_drv.c +index 62d0ff3..073dbf3 100644 +--- a/drivers/gpu/drm/armada/armada_drv.c ++++ b/drivers/gpu/drm/armada/armada_drv.c +@@ -68,15 +68,7 @@ void __armada_drm_queue_unref_work(struct drm_device *dev, + { + struct armada_private *priv = dev->dev_private; + +- /* +- * Yes, we really must jump through these hoops just to store a +- * _pointer_ to something into the kfifo. This is utterly insane +- * and idiotic, because it kfifo requires the _data_ pointed to by +- * the pointer const, not the pointer itself. Not only that, but +- * you have to pass a pointer _to_ the pointer you want stored. +- */ +- const struct drm_framebuffer *silly_api_alert = fb; +- WARN_ON(!kfifo_put(&priv->fb_unref, &silly_api_alert)); ++ WARN_ON(!kfifo_put(&priv->fb_unref, fb)); + schedule_work(&priv->fb_unref_work); + } + diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c index d6cf77c..2842146 100644 --- a/drivers/gpu/drm/drm_crtc.c @@ -40354,6 +40420,19 @@ index ae1cb31..5b5b6b7c 100644 err = drm_debugfs_create_files(dc->debugfs_files, ARRAY_SIZE(debugfs_files), +diff --git a/drivers/gpu/drm/tegra/hdmi.c b/drivers/gpu/drm/tegra/hdmi.c +index 0cd9bc2..9759be4 100644 +--- a/drivers/gpu/drm/tegra/hdmi.c ++++ b/drivers/gpu/drm/tegra/hdmi.c +@@ -57,7 +57,7 @@ struct tegra_hdmi { + bool stereo; + bool dvi; + +- struct drm_info_list *debugfs_files; ++ drm_info_list_no_const *debugfs_files; + struct drm_minor *minor; + struct dentry *debugfs; + }; diff --git a/drivers/gpu/drm/ttm/ttm_bo_manager.c b/drivers/gpu/drm/ttm/ttm_bo_manager.c index c58eba33..83c2728 100644 --- a/drivers/gpu/drm/ttm/ttm_bo_manager.c @@ -44379,6 +44458,21 @@ index 464419b..64bae8d 100644 c2dev->dev = device_create(c2port_class, NULL, 0, c2dev, "c2port%d", c2dev->id); +diff --git a/drivers/misc/eeprom/sunxi_sid.c b/drivers/misc/eeprom/sunxi_sid.c +index 9c34e57..b981cda 100644 +--- a/drivers/misc/eeprom/sunxi_sid.c ++++ b/drivers/misc/eeprom/sunxi_sid.c +@@ -127,7 +127,9 @@ static int sunxi_sid_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, sid_data); + +- sid_bin_attr.size = sid_data->keysize; ++ pax_open_kernel(); ++ *(size_t *)&sid_bin_attr.size = sid_data->keysize; ++ pax_close_kernel(); + if (device_create_bin_file(&pdev->dev, &sid_bin_attr)) + return -ENODEV; + diff --git a/drivers/misc/kgdbts.c b/drivers/misc/kgdbts.c index 36f5d52..32311c3 100644 --- a/drivers/misc/kgdbts.c @@ -44809,6 +44903,25 @@ index f320579..7b7ebac 100644 mmci_write_datactrlreg(host, MCI_ST_DPSM_BUSYMODE); } +diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c +index 1dcaf8a..025af25 100644 +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -1009,9 +1009,12 @@ static int sdhci_esdhc_imx_probe(struct platform_device *pdev) + host->quirks2 |= SDHCI_QUIRK2_PRESET_VALUE_BROKEN; + } + +- if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING) +- sdhci_esdhc_ops.platform_execute_tuning = ++ if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING) { ++ pax_open_kernel(); ++ *(void **)&sdhci_esdhc_ops.platform_execute_tuning = + esdhc_executing_tuning; ++ pax_close_kernel(); ++ } + boarddata = &imx_data->boarddata; + if (sdhci_esdhc_imx_probe_dt(pdev, boarddata) < 0) { + if (!host->mmc->parent->platform_data) { diff --git a/drivers/mmc/host/sdhci-s3c.c b/drivers/mmc/host/sdhci-s3c.c index 6debda9..2ba7427 100644 --- a/drivers/mmc/host/sdhci-s3c.c @@ -45549,10 +45662,10 @@ index a79e9d3..78cd4fa 100644 /* we will have to manufacture ethernet headers, prepare template */ diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c -index ed384fe..9e3f4f4 100644 +index 0247973..088193a 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c -@@ -2617,7 +2617,7 @@ nla_put_failure: +@@ -2615,7 +2615,7 @@ nla_put_failure: return -EMSGSIZE; } @@ -46226,10 +46339,10 @@ index 7aad766..06addb4 100644 data->sku_cap_band_24GHz_enable ? "" : "NOT", "enabled", data->sku_cap_band_52GHz_enable ? "" : "NOT", "enabled", diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c -index cde9c16..e485cfe 100644 +index f53ef83..5e34bcb 100644 --- a/drivers/net/wireless/iwlwifi/pcie/trans.c +++ b/drivers/net/wireless/iwlwifi/pcie/trans.c -@@ -1368,7 +1368,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file, +@@ -1390,7 +1390,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file, struct isr_statistics *isr_stats = &trans_pcie->isr_stats; char buf[8]; @@ -46238,7 +46351,7 @@ index cde9c16..e485cfe 100644 u32 reset_flag; memset(buf, 0, sizeof(buf)); -@@ -1389,7 +1389,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file, +@@ -1411,7 +1411,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file, { struct iwl_trans *trans = file->private_data; char buf[8]; @@ -48544,10 +48657,10 @@ index 084d1fd..9f939eb 100644 uint32_t default_time2wait; /* Default Min time between * relogins (+aens) */ diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c -index a28d5e6..000a8af 100644 +index cf174a4..128a420 100644 --- a/drivers/scsi/qla4xxx/ql4_os.c +++ b/drivers/scsi/qla4xxx/ql4_os.c -@@ -3308,12 +3308,12 @@ static void qla4xxx_check_relogin_flash_ddb(struct iscsi_cls_session *cls_sess) +@@ -3311,12 +3311,12 @@ static void qla4xxx_check_relogin_flash_ddb(struct iscsi_cls_session *cls_sess) */ if (!iscsi_is_session_online(cls_sess)) { /* Reset retry relogin timer */ @@ -48562,7 +48675,7 @@ index a28d5e6..000a8af 100644 ddb_entry->default_time2wait + 4)); set_bit(DPC_RELOGIN_DEVICE, &ha->dpc_flags); atomic_set(&ddb_entry->retry_relogin_timer, -@@ -5455,7 +5455,7 @@ static void qla4xxx_setup_flash_ddb_entry(struct scsi_qla_host *ha, +@@ -5458,7 +5458,7 @@ static void qla4xxx_setup_flash_ddb_entry(struct scsi_qla_host *ha, atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY); atomic_set(&ddb_entry->relogin_timer, 0); @@ -50607,7 +50720,7 @@ index d0e3a44..5f8b754 100644 ret = -EPERM; goto reterr; diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c -index f7beb6e..8c0bbd0 100644 +index a673e5b..36e5d32 100644 --- a/drivers/uio/uio.c +++ b/drivers/uio/uio.c @@ -25,6 +25,7 @@ @@ -50886,7 +50999,7 @@ index 6bffb8c..b404e8b 100644 wake_up(&usb_kill_urb_queue); usb_put_urb(urb); diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index bd9dc35..c04ae2f 100644 +index 07e6654..6420edf 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -27,6 +27,7 @@ @@ -50897,7 +51010,7 @@ index bd9dc35..c04ae2f 100644 #include <asm/uaccess.h> #include <asm/byteorder.h> -@@ -4463,6 +4464,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1, +@@ -4442,6 +4443,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1, goto done; return; } @@ -56118,10 +56231,10 @@ index a4b38f9..f86a509 100644 spin_lock_init(&delayed_root->lock); init_waitqueue_head(&delayed_root->wait); diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c -index 21da576..3551e09 100644 +index 9f831bb..14afde5 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c -@@ -3451,9 +3451,12 @@ static long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) +@@ -3457,9 +3457,12 @@ static long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) for (i = 0; i < num_types; i++) { struct btrfs_space_info *tmp; @@ -56134,7 +56247,7 @@ index 21da576..3551e09 100644 info = NULL; rcu_read_lock(); list_for_each_entry_rcu(tmp, &root->fs_info->space_info, -@@ -3475,10 +3478,7 @@ static long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) +@@ -3481,10 +3484,7 @@ static long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) memcpy(dest, &space, sizeof(space)); dest++; space_args.total_spaces++; @@ -57166,7 +57279,7 @@ index bc3fbcd..6031650 100644 return 0; while (nr) { diff --git a/fs/dcache.c b/fs/dcache.c -index cb4a106..b75581f 100644 +index fdbe230..ba17c1f 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -1495,7 +1495,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) @@ -57178,7 +57291,7 @@ index cb4a106..b75581f 100644 if (!dname) { kmem_cache_free(dentry_cache, dentry); return NULL; -@@ -3429,7 +3429,8 @@ void __init vfs_caches_init(unsigned long mempages) +@@ -3428,7 +3428,8 @@ void __init vfs_caches_init(unsigned long mempages) mempages -= reserve; names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0, @@ -60150,7 +60263,7 @@ index 92a0f0a..45a48f0 100644 spin_lock(&inode->i_lock); diff --git a/fs/mount.h b/fs/mount.h -index d64c594..6c283db 100644 +index a17458c..e69fb5b 100644 --- a/fs/mount.h +++ b/fs/mount.h @@ -11,7 +11,7 @@ struct mnt_namespace { @@ -64110,7 +64223,7 @@ index 104455b..764c512 100644 kfree(s); diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..01d5523 +index 0000000..e98584b --- /dev/null +++ b/grsecurity/Kconfig @@ -0,0 +1,1147 @@ @@ -64343,7 +64456,7 @@ index 0000000..01d5523 + Volatility against the system (unless the kernel source tree isn't + cleaned after kernel installation). + -+ The seed used for compilation is located at tools/gcc/randstruct.seed. ++ The seed used for compilation is located at tools/gcc/randomize_layout_seed.h. + It remains after a make clean to allow for external modules to be compiled + with the existing seed and will be removed by a make mrproper or + make distclean. @@ -65263,10 +65376,10 @@ index 0000000..01d5523 +endmenu diff --git a/grsecurity/Makefile b/grsecurity/Makefile new file mode 100644 -index 0000000..8a0354c +index 0000000..5307c8a --- /dev/null +++ b/grsecurity/Makefile -@@ -0,0 +1,53 @@ +@@ -0,0 +1,54 @@ +# grsecurity – access control and security hardening for Linux +# All code in this directory and various hooks located throughout the Linux kernel are +# Copyright (C) 2001-2014 Bradley Spengler, Open Source Security, Inc. @@ -65318,6 +65431,7 @@ index 0000000..8a0354c + @-chmod -f 500 /lib64/modules + @-chmod -f 500 /lib32/modules + @-chmod -f 700 . ++ @-chmod -f 700 $(objtree) + @echo ' grsec: protected kernel image paths' +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c @@ -75711,7 +75825,7 @@ index e73c19e..5b89e00 100644 struct crypto_instance { struct crypto_alg alg; diff --git a/include/drm/drmP.h b/include/drm/drmP.h -index 1d4a920..53a3229 100644 +index 1d4a920..da65658 100644 --- a/include/drm/drmP.h +++ b/include/drm/drmP.h @@ -66,6 +66,7 @@ @@ -75750,16 +75864,17 @@ index 1d4a920..53a3229 100644 /** * Creates a driver or general drm_ioctl_desc array entry for the given -@@ -1013,7 +1016,7 @@ struct drm_info_list { +@@ -1013,7 +1016,8 @@ struct drm_info_list { int (*show)(struct seq_file*, void*); /** show callback */ u32 driver_features; /**< Required driver features for this entry */ void *data; -}; +} __do_const; ++typedef struct drm_info_list __no_const drm_info_list_no_const; /** * debugfs node structure. This structure represents a debugfs file. -@@ -1097,7 +1100,7 @@ struct drm_device { +@@ -1097,7 +1101,7 @@ struct drm_device { /** \name Usage Counters */ /*@{ */ @@ -75807,6 +75922,18 @@ index 72dcbe8..8db58d7 100644 /** * struct ttm_mem_global - Global memory accounting structure. +diff --git a/include/drm/ttm/ttm_page_alloc.h b/include/drm/ttm/ttm_page_alloc.h +index d1f61bf..2239439 100644 +--- a/include/drm/ttm/ttm_page_alloc.h ++++ b/include/drm/ttm/ttm_page_alloc.h +@@ -78,6 +78,7 @@ void ttm_dma_page_alloc_fini(void); + */ + extern int ttm_dma_page_alloc_debugfs(struct seq_file *m, void *data); + ++struct device; + extern int ttm_dma_populate(struct ttm_dma_tt *ttm_dma, struct device *dev); + extern void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev); + diff --git a/include/keys/asymmetric-subtype.h b/include/keys/asymmetric-subtype.h index 4b840e8..155d235 100644 --- a/include/keys/asymmetric-subtype.h @@ -78620,10 +78747,10 @@ index 9523d2a..16c0424 100644 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu); diff --git a/include/linux/libata.h b/include/linux/libata.h -index 9b50337..712d748 100644 +index bec6dbe..2873d64 100644 --- a/include/linux/libata.h +++ b/include/linux/libata.h -@@ -973,7 +973,7 @@ struct ata_port_operations { +@@ -975,7 +975,7 @@ struct ata_port_operations { * fields must be pointers. */ const struct ata_port_operations *inherits; @@ -91285,7 +91412,7 @@ index 6768ce9..4c41d69 100644 mm = get_task_mm(tsk); if (!mm) diff --git a/mm/mempolicy.c b/mm/mempolicy.c -index 0cd2c4d..9558c83 100644 +index e1bd997..055f496 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -747,6 +747,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start, @@ -95513,7 +95640,7 @@ index 4a5df7b..9ad1f1d 100644 switch (ss->ss_family) { diff --git a/net/compat.c b/net/compat.c -index dd32e34..94fa415 100644 +index f50161f..94fa415 100644 --- a/net/compat.c +++ b/net/compat.c @@ -73,9 +73,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) @@ -95643,31 +95770,7 @@ index dd32e34..94fa415 100644 struct group_filter __user *kgf; int __user *koptlen; u32 interface, fmode, numsrc; -@@ -780,21 +780,16 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, - if (flags & MSG_CMSG_COMPAT) - return -EINVAL; - -- if (COMPAT_USE_64BIT_TIME) -- return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, -- flags | MSG_CMSG_COMPAT, -- (struct timespec *) timeout); -- - if (timeout == NULL) - return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, - flags | MSG_CMSG_COMPAT, NULL); - -- if (get_compat_timespec(&ktspec, timeout)) -+ if (compat_get_timespec(&ktspec, timeout)) - return -EFAULT; - - datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, - flags | MSG_CMSG_COMPAT, &ktspec); -- if (datagrams > 0 && put_compat_timespec(&ktspec, timeout)) -+ if (datagrams > 0 && compat_put_timespec(&ktspec, timeout)) - datagrams = -EFAULT; - - return datagrams; -@@ -808,7 +803,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) +@@ -803,7 +803,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) if (call < SYS_SOCKET || call > SYS_SENDMMSG) return -EINVAL; @@ -96481,7 +96584,7 @@ index a1b5bcb..62ec5c6 100644 #endif if (dflt != &ipv4_devconf_dflt) diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c -index d846304..d0622bb 100644 +index c7539e2..b455e51 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c @@ -1015,12 +1015,12 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event, @@ -96499,7 +96602,7 @@ index d846304..d0622bb 100644 if (ifa->ifa_dev->ifa_list == NULL) { /* Last address was deleted from this interface. * Disable IP. -@@ -1056,7 +1056,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo +@@ -1058,7 +1058,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo #ifdef CONFIG_IP_ROUTE_MULTIPATH fib_sync_up(dev); #endif @@ -96631,7 +96734,7 @@ index 2481993..2d9a7a7 100644 return -ENOMEM; } diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c -index e560ef3..218c5c5 100644 +index d306360..1c1a1f1 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -115,7 +115,7 @@ static bool log_ecn_error = true; @@ -101278,20 +101381,6 @@ index 0000000..5e0222d + [[ "$plugincc" =~ "$1" ]] && echo "$1" + [[ "$plugincc" =~ "$2" ]] && echo "$2" +fi -diff --git a/scripts/gen-random-seed.sh b/scripts/gen-random-seed.sh -new file mode 100644 -index 0000000..27e0f4a ---- /dev/null -+++ b/scripts/gen-random-seed.sh -@@ -0,0 +1,8 @@ -+#!/bin/sh -+ -+if [ ! -f 'tools/gcc/randstruct.seed' ]; then -+ SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'` -+ echo "$SEED" > tools/gcc/randstruct.seed -+ cat tools/gcc/randstruct.seed | sha256sum | cut -d" " -f1 | tr -d "\n" > tools/gcc/randstruct.hashed_seed -+fi -+cat tools/gcc/randstruct.seed diff --git a/scripts/headers_install.sh b/scripts/headers_install.sh index 5de5660..d3deb89 100644 --- a/scripts/headers_install.sh @@ -102924,6 +103013,21 @@ index 48c3cc9..8022cf7 100644 rtnl_lock(); for_each_net(net) rt_genid_bump_all(net); +diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c +index d106733..539aadd 100644 +--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -1232,6 +1232,10 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len, + struct context context; + int rc = 0; + ++ /* An empty security context is never valid. */ ++ if (!scontext_len) ++ return -EINVAL; ++ + if (!ss_initialized) { + int i; + diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index b0be893..646bd94 100644 --- a/security/smack/smack_lsm.c @@ -103730,10 +103834,10 @@ index 0000000..8eb55ca +randstruct.hashed_seed diff --git a/tools/gcc/Makefile b/tools/gcc/Makefile new file mode 100644 -index 0000000..f8ef8a3 +index 0000000..51a2ba2 --- /dev/null +++ b/tools/gcc/Makefile -@@ -0,0 +1,47 @@ +@@ -0,0 +1,55 @@ +#CC := gcc +#PLUGIN_SOURCE_FILES := pax_plugin.c +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES)) @@ -103773,6 +103877,8 @@ index 0000000..f8ef8a3 +randomize_layout_plugin-objs := randomize_layout_plugin.o + +$(obj)/size_overflow_plugin.o: $(objtree)/$(obj)/size_overflow_hash.h ++$(obj)/randomize_layout_plugin.o: $(objtree)/$(obj)/randomize_layout_seed.h \ ++ $(objtree)/$(obj)/randomize_layout_hash.data + +quiet_cmd_build_size_overflow_hash = GENHASH $@ + cmd_build_size_overflow_hash = \ @@ -103780,7 +103886,13 @@ index 0000000..f8ef8a3 +$(objtree)/$(obj)/size_overflow_hash.h: $(src)/size_overflow_hash.data FORCE + $(call if_changed,build_size_overflow_hash) + -+targets += size_overflow_hash.h ++quiet_cmd_create_randomize_layout_seed = GENSEED $@ ++ cmd_create_randomize_layout_seed = \ ++ $(CONFIG_SHELL) $(srctree)/$(src)/gen-random-seed.sh $@ $(objtree)/$(obj)/randomize_layout_hash.data ++$(objtree)/$(obj)/randomize_layout_seed.h $(objtree)/$(obj)/randomize_layout_hash.data: FORCE ++ $(call if_changed,create_randomize_layout_seed) ++ ++targets += size_overflow_hash.h randomize_layout_seed.h randomize_layout_hash.data diff --git a/tools/gcc/checker_plugin.c b/tools/gcc/checker_plugin.c new file mode 100644 index 0000000..5452feea @@ -104672,10 +104784,10 @@ index 0000000..4f67ac1 +} diff --git a/tools/gcc/gcc-common.h b/tools/gcc/gcc-common.h new file mode 100644 -index 0000000..986f39b +index 0000000..312d3b6 --- /dev/null +++ b/tools/gcc/gcc-common.h -@@ -0,0 +1,267 @@ +@@ -0,0 +1,268 @@ +#ifndef GCC_COMMON_H_INCLUDED +#define GCC_COMMON_H_INCLUDED + @@ -104766,6 +104878,7 @@ index 0000000..986f39b +#if BUILDING_GCC_VERSION >= 4009 +#include "tree-ssa-operands.h" +#include "tree-phinodes.h" ++#include "tree-cfg.h" +#include "gimple-iterator.h" +#include "gimple-ssa.h" +#include "ssa-iterators.h" @@ -104943,6 +105056,19 @@ index 0000000..986f39b +#endif + +#endif +diff --git a/tools/gcc/gen-random-seed.sh b/tools/gcc/gen-random-seed.sh +new file mode 100644 +index 0000000..8030e6e +--- /dev/null ++++ b/tools/gcc/gen-random-seed.sh +@@ -0,0 +1,7 @@ ++#!/bin/sh ++ ++if [ ! -f "$1" ]; then ++ SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'` ++ echo "const char *randstruct_seed = \"$SEED\";" > "$1" ++ echo -n "$SEED" | sha256sum | cut -d" " -f1 | tr -d "\n" > "$2" ++fi diff --git a/tools/gcc/generate_size_overflow_hash.sh b/tools/gcc/generate_size_overflow_hash.sh new file mode 100644 index 0000000..e518932 @@ -106089,10 +106215,10 @@ index 0000000..592b923 +} diff --git a/tools/gcc/randomize_layout_plugin.c b/tools/gcc/randomize_layout_plugin.c new file mode 100644 -index 0000000..8ed761c6 +index 0000000..fed12bf --- /dev/null +++ b/tools/gcc/randomize_layout_plugin.c -@@ -0,0 +1,914 @@ +@@ -0,0 +1,902 @@ +/* + * Copyright 2014 by Open Source Security, Inc., Brad Spengler <spender@grsecurity.net> + * and PaX Team <pageexec@freemail.hu> @@ -106107,6 +106233,7 @@ index 0000000..8ed761c6 + */ + +#include "gcc-common.h" ++#include "randomize_layout_seed.h" + +#define ORIG_TYPE_NAME(node) \ + (TYPE_NAME(TYPE_MAIN_VARIANT(node)) != NULL_TREE ? ((const unsigned char *)IDENTIFIER_POINTER(TYPE_NAME(TYPE_MAIN_VARIANT(node)))) : (const unsigned char *)"anonymous") @@ -106116,9 +106243,8 @@ index 0000000..8ed761c6 +static int performance_mode; + +static struct plugin_info randomize_layout_plugin_info = { -+ .version = "201402011940", ++ .version = "201402061950", + .help = "disable\t\t\tdo not activate plugin\n" -+ "seed\t\t\tprovide a required 64-byte seed in hex format\n" + "performance-mode\tenable cacheline-aware layout randomization\n" +}; + @@ -106685,13 +106811,8 @@ index 0000000..8ed761c6 + struct varpool_node *node; + tree init; + -+#if BUILDING_GCC_VERSION <= 4007 -+ for (node = varpool_nodes; node; node = node->next) { -+ tree var = node->decl; -+#else + FOR_EACH_VARIABLE(node) { -+ tree var = node->symbol.decl; -+#endif ++ tree var = NODE_DECL(node); + init = DECL_INITIAL(var); + if (init == NULL_TREE) + continue; @@ -106975,22 +107096,15 @@ index 0000000..8ed761c6 + performance_mode = 1; + continue; + } -+ if (!strcmp(argv[i].key, "seed")) { -+ if (!argv[i].value) { -+ error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); -+ continue; -+ } -+ if (strlen(argv[i].value) != 64) { -+ error(G_("invalid value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); -+ continue; -+ } -+ obtained_seed = sscanf(argv[i].value, "%016llx%016llx%016llx%016llx", -+ &shuffle_seed[0], &shuffle_seed[1], &shuffle_seed[2], &shuffle_seed[3]); -+ continue; -+ } + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); + } + ++ if (strlen(randstruct_seed) != 64) { ++ error(G_("invalid seed value supplied for %s plugin"), plugin_name); ++ return 1; ++ } ++ obtained_seed = sscanf(randstruct_seed, "%016llx%016llx%016llx%016llx", ++ &shuffle_seed[0], &shuffle_seed[1], &shuffle_seed[2], &shuffle_seed[3]); + if (obtained_seed != 4) { + error(G_("Invalid seed supplied for %s plugin"), plugin_name); + return 1; diff --git a/3.13.1/4425_grsec_remove_EI_PAX.patch b/3.13.2/4425_grsec_remove_EI_PAX.patch index cf65d90..fc51f79 100644 --- a/3.13.1/4425_grsec_remove_EI_PAX.patch +++ b/3.13.2/4425_grsec_remove_EI_PAX.patch @@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600 diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig --- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500 +++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500 -@@ -267,7 +267,7 @@ +@@ -268,7 +268,7 @@ config PAX_EI_PAX bool 'Use legacy ELF header marking' diff --git a/3.13.1/4427_force_XATTR_PAX_tmpfs.patch b/3.13.2/4427_force_XATTR_PAX_tmpfs.patch index 23e60cd..23e60cd 100644 --- a/3.13.1/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.13.2/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.13.1/4430_grsec-remove-localversion-grsec.patch b/3.13.2/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.13.1/4430_grsec-remove-localversion-grsec.patch +++ b/3.13.2/4430_grsec-remove-localversion-grsec.patch diff --git a/3.13.1/4435_grsec-mute-warnings.patch b/3.13.2/4435_grsec-mute-warnings.patch index cb51a05..cb51a05 100644 --- a/3.13.1/4435_grsec-mute-warnings.patch +++ b/3.13.2/4435_grsec-mute-warnings.patch diff --git a/3.13.1/4440_grsec-remove-protected-paths.patch b/3.13.2/4440_grsec-remove-protected-paths.patch index 05710b1..741546d 100644 --- a/3.13.1/4440_grsec-remove-protected-paths.patch +++ b/3.13.2/4440_grsec-remove-protected-paths.patch @@ -4,9 +4,9 @@ We don't want GRSEC's Makefile to change permissions on paths in the filesystem. diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile ---- a/grsecurity/Makefile 2011-10-19 20:42:50.000000000 -0400 -+++ b/grsecurity/Makefile 2011-10-19 20:45:08.000000000 -0400 -@@ -34,10 +34,4 @@ +--- a/grsecurity/Makefile 2011-10-19 20:42:50.000000000 -0400 ++++ b/grsecurity/Makefile 2011-10-19 20:45:08.000000000 -0400 +@@ -44,11 +44,4 @@ ifdef CONFIG_GRKERNSEC_HIDESYM extra-y := grsec_hidesym.o $(obj)/grsec_hidesym.o: @@ -15,5 +15,6 @@ diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile - @-chmod -f 500 /lib64/modules - @-chmod -f 500 /lib32/modules - @-chmod -f 700 . +- @-chmod -f 700 $(objtree) - @echo ' grsec: protected kernel image paths' endif diff --git a/3.13.1/4450_grsec-kconfig-default-gids.patch b/3.13.2/4450_grsec-kconfig-default-gids.patch index 207c450..88f1f9b 100644 --- a/3.13.1/4450_grsec-kconfig-default-gids.patch +++ b/3.13.2/4450_grsec-kconfig-default-gids.patch @@ -16,7 +16,7 @@ from shooting themselves in the foot. diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400 +++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400 -@@ -656,7 +656,7 @@ +@@ -657,7 +657,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" depends on GRKERNSEC_AUDIT_GROUP @@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_EXECLOG bool "Exec logging" -@@ -887,7 +887,7 @@ +@@ -888,7 +888,7 @@ config GRKERNSEC_TPE_UNTRUSTED_GID int "GID for TPE-untrusted users" depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT @@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *enabled* for. If the sysctl option is enabled, a sysctl option -@@ -896,7 +896,7 @@ +@@ -897,7 +897,7 @@ config GRKERNSEC_TPE_TRUSTED_GID int "GID for TPE-trusted users" depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT @@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -989,7 +989,7 @@ +@@ -990,7 +990,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL @@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -1010,7 +1010,7 @@ +@@ -1011,7 +1011,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT @@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -1028,7 +1028,7 @@ +@@ -1029,7 +1029,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER @@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig diff -Nuar a/security/Kconfig b/security/Kconfig --- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400 +++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400 -@@ -195,7 +195,7 @@ +@@ -196,7 +196,7 @@ config GRKERNSEC_PROC_GID int "GID exempted from /proc restrictions" @@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig help Setting this GID determines which group will be exempted from grsecurity's /proc restrictions, allowing users of the specified -@@ -206,7 +206,7 @@ +@@ -207,7 +207,7 @@ config GRKERNSEC_TPE_UNTRUSTED_GID int "GID for TPE-untrusted users" depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT @@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig help Setting this GID determines which group untrusted users should be added to. These users will be placed under grsecurity's Trusted Path -@@ -218,7 +218,7 @@ +@@ -219,7 +219,7 @@ config GRKERNSEC_TPE_TRUSTED_GID int "GID for TPE-trusted users" depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT @@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -227,7 +227,7 @@ +@@ -228,7 +228,7 @@ config GRKERNSEC_SYMLINKOWN_GID int "GID for users with kernel-enforced SymlinksIfOwnerMatch" depends on GRKERNSEC_CONFIG_SERVER diff --git a/3.13.1/4465_selinux-avc_audit-log-curr_ip.patch b/3.13.2/4465_selinux-avc_audit-log-curr_ip.patch index ddabda7..0648169 100644 --- a/3.13.1/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.13.2/4465_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 +++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 -@@ -1123,6 +1123,27 @@ +@@ -1124,6 +1124,27 @@ menu "Logging Options" depends on GRKERNSEC diff --git a/3.13.1/4470_disable-compat_vdso.patch b/3.13.2/4470_disable-compat_vdso.patch index a25c029..a25c029 100644 --- a/3.13.1/4470_disable-compat_vdso.patch +++ b/3.13.2/4470_disable-compat_vdso.patch diff --git a/3.13.1/4475_emutramp_default_on.patch b/3.13.2/4475_emutramp_default_on.patch index cfde6f8..30f6978 100644 --- a/3.13.1/4475_emutramp_default_on.patch +++ b/3.13.2/4475_emutramp_default_on.patch @@ -10,7 +10,7 @@ See bug: diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig --- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400 +++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400 -@@ -427,7 +427,7 @@ +@@ -428,7 +428,7 @@ config PAX_EMUTRAMP bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86) diff --git a/3.2.54/0000_README b/3.2.54/0000_README index 18647c3..61f72a8 100644 --- a/3.2.54/0000_README +++ b/3.2.54/0000_README @@ -134,7 +134,7 @@ Patch: 1053_linux-3.2.54.patch From: http://www.kernel.org Desc: Linux 3.2.54 -Patch: 4420_grsecurity-3.0-3.2.54-201402052347.patch +Patch: 4420_grsecurity-3.0-3.2.54-201402062221.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.54/4420_grsecurity-3.0-3.2.54-201402052347.patch b/3.2.54/4420_grsecurity-3.0-3.2.54-201402062221.patch index fa55d46..88feed1 100644 --- a/3.2.54/4420_grsecurity-3.0-3.2.54-201402052347.patch +++ b/3.2.54/4420_grsecurity-3.0-3.2.54-201402062221.patch @@ -52869,10 +52869,25 @@ index 49eefdb..547693e 100644 do_chunk_alloc(trans, root->fs_info->extent_root, num_bytes, data, CHUNK_ALLOC_FORCE); diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c -index 618ae6f..118fe0c 100644 +index 618ae6f..82d0bc6 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c -@@ -2733,9 +2733,12 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) +@@ -1329,6 +1329,14 @@ static noinline int btrfs_ioctl_snap_create_transid(struct file *file, + ret = -EINVAL; + fput(src_file); + goto out; ++ } else if (!inode_owner_or_capable(src_inode)) { ++ /* ++ * Subvolume creation is not restricted, but snapshots ++ * are limited to own subvolumes only ++ */ ++ ret = -EPERM; ++ fput(src_file); ++ goto out; + } + ret = btrfs_mksubvol(&file->f_path, name, namelen, + BTRFS_I(src_inode)->root, +@@ -2733,9 +2741,12 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) for (i = 0; i < num_types; i++) { struct btrfs_space_info *tmp; @@ -52885,7 +52900,7 @@ index 618ae6f..118fe0c 100644 info = NULL; rcu_read_lock(); list_for_each_entry_rcu(tmp, &root->fs_info->space_info, -@@ -2757,15 +2760,12 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) +@@ -2757,15 +2768,12 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) memcpy(dest, &space, sizeof(space)); dest++; space_args.total_spaces++; @@ -62842,10 +62857,10 @@ index 0000000..c4717f9 +endmenu diff --git a/grsecurity/Makefile b/grsecurity/Makefile new file mode 100644 -index 0000000..5cb186f +index 0000000..f96524e --- /dev/null +++ b/grsecurity/Makefile -@@ -0,0 +1,53 @@ +@@ -0,0 +1,54 @@ +# grsecurity – access control and security hardening for Linux +# All code in this directory and various hooks located throughout the Linux kernel are +# Copyright (C) 2001-2014 Bradley Spengler, Open Source Security, Inc. @@ -62897,6 +62912,7 @@ index 0000000..5cb186f + @-chmod -f 500 /lib64/modules + @-chmod -f 500 /lib32/modules + @-chmod -f 700 . ++ @-chmod -f 700 $(objtree) + @echo ' grsec: protected kernel image paths' +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c @@ -104658,6 +104674,21 @@ index b43813c..74be837 100644 } #else static inline int selinux_xfrm_enabled(void) +diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c +index 185f849..72b20b1 100644 +--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -1229,6 +1229,10 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len, + struct context context; + int rc = 0; + ++ /* An empty security context is never valid. */ ++ if (!scontext_len) ++ return -EINVAL; ++ + if (!ss_initialized) { + int i; + diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 7db62b4..ee4d949 100644 --- a/security/smack/smack_lsm.c diff --git a/3.2.54/4425_grsec_remove_EI_PAX.patch b/3.2.54/4425_grsec_remove_EI_PAX.patch index 415fda5..cf65d90 100644 --- a/3.2.54/4425_grsec_remove_EI_PAX.patch +++ b/3.2.54/4425_grsec_remove_EI_PAX.patch @@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600 diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig --- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500 +++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500 -@@ -266,7 +266,7 @@ +@@ -267,7 +267,7 @@ config PAX_EI_PAX bool 'Use legacy ELF header marking' diff --git a/3.2.54/4440_grsec-remove-protected-paths.patch b/3.2.54/4440_grsec-remove-protected-paths.patch index 05710b1..741546d 100644 --- a/3.2.54/4440_grsec-remove-protected-paths.patch +++ b/3.2.54/4440_grsec-remove-protected-paths.patch @@ -4,9 +4,9 @@ We don't want GRSEC's Makefile to change permissions on paths in the filesystem. diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile ---- a/grsecurity/Makefile 2011-10-19 20:42:50.000000000 -0400 -+++ b/grsecurity/Makefile 2011-10-19 20:45:08.000000000 -0400 -@@ -34,10 +34,4 @@ +--- a/grsecurity/Makefile 2011-10-19 20:42:50.000000000 -0400 ++++ b/grsecurity/Makefile 2011-10-19 20:45:08.000000000 -0400 +@@ -44,11 +44,4 @@ ifdef CONFIG_GRKERNSEC_HIDESYM extra-y := grsec_hidesym.o $(obj)/grsec_hidesym.o: @@ -15,5 +15,6 @@ diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile - @-chmod -f 500 /lib64/modules - @-chmod -f 500 /lib32/modules - @-chmod -f 700 . +- @-chmod -f 700 $(objtree) - @echo ' grsec: protected kernel image paths' endif diff --git a/3.2.54/4450_grsec-kconfig-default-gids.patch b/3.2.54/4450_grsec-kconfig-default-gids.patch index 55a02aa..71f6231 100644 --- a/3.2.54/4450_grsec-kconfig-default-gids.patch +++ b/3.2.54/4450_grsec-kconfig-default-gids.patch @@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig diff -Nuar a/security/Kconfig b/security/Kconfig --- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400 +++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400 -@@ -194,7 +194,7 @@ +@@ -195,7 +195,7 @@ config GRKERNSEC_PROC_GID int "GID exempted from /proc restrictions" @@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig help Setting this GID determines which group will be exempted from grsecurity's /proc restrictions, allowing users of the specified -@@ -205,7 +205,7 @@ +@@ -206,7 +206,7 @@ config GRKERNSEC_TPE_UNTRUSTED_GID int "GID for TPE-untrusted users" depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT @@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig help Setting this GID determines which group untrusted users should be added to. These users will be placed under grsecurity's Trusted Path -@@ -217,7 +217,7 @@ +@@ -218,7 +218,7 @@ config GRKERNSEC_TPE_TRUSTED_GID int "GID for TPE-trusted users" depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT @@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -226,7 +226,7 @@ +@@ -227,7 +227,7 @@ config GRKERNSEC_SYMLINKOWN_GID int "GID for users with kernel-enforced SymlinksIfOwnerMatch" depends on GRKERNSEC_CONFIG_SERVER diff --git a/3.2.54/4475_emutramp_default_on.patch b/3.2.54/4475_emutramp_default_on.patch index df700e6..cfde6f8 100644 --- a/3.2.54/4475_emutramp_default_on.patch +++ b/3.2.54/4475_emutramp_default_on.patch @@ -10,7 +10,7 @@ See bug: diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig --- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400 +++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400 -@@ -426,7 +426,7 @@ +@@ -427,7 +427,7 @@ config PAX_EMUTRAMP bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86) |