Commit 87d27c34 authored by Natanael Copa's avatar Natanael Copa

main/linux-grsec: upgrade to 3.10.15 and fix CVE-2013-4387

parent 3af9d39c
......@@ -2,12 +2,12 @@
_flavor=grsec
pkgname=linux-${_flavor}
pkgver=3.10.14
pkgver=3.10.15
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
esac
pkgrel=1
pkgrel=0
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
......@@ -26,6 +26,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
fix-memory-map-for-PIE-applications.patch
ipv6-udp-packets-following-an-UFO-enqueued-packet-needs-al.patch
kernelconfig.x86
kernelconfig.x86_64
......@@ -150,8 +151,8 @@ dev() {
}
md5sums="4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz
3c2ce4933f210fef16664dfa16028de1 patch-3.10.14.xz
8a8f3b99d0072aa72681711dab25848b grsecurity-2.9.1-3.10.14-unofficial.patch
70cc9bd12b04382c3783da96edda4562 patch-3.10.15.xz
84a82b973a08abc43cbf74a8935c59ae grsecurity-2.9.1-3.10.15-unofficial.patch
a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
......@@ -159,11 +160,12 @@ aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-p
6ce5fed63aad3f1a1ff1b9ba7b741822 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
1a5800a2122ba0cc0d06733cb3bb8b8f 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
c6a4ae7e8ca6159e1631545515805216 fix-memory-map-for-PIE-applications.patch
bbb9f3edd60fd5c53ac98f4eab83641c ipv6-udp-packets-following-an-UFO-enqueued-packet-needs-al.patch
866e6c4daed45d563829804f8ad50ed9 kernelconfig.x86
272aaddd0a19a5052208bc25551995a3 kernelconfig.x86_64"
sha256sums="df27fa92d27a9c410bfe6c4a89f141638500d7eadcca5cce578954efc2ad3544 linux-3.10.tar.xz
fd5fac477f69b5e3c6506fa04f81157aa753538dca017ef23b26ca36e65df38e patch-3.10.14.xz
4e61ce7226f2424999e26ccdbdb806f60c6941b63f5be82fc586fa5b8a863107 grsecurity-2.9.1-3.10.14-unofficial.patch
bb0108609a95ddfe5030938e45ad123445af4e29510a0b1bd8cede89de8c013b patch-3.10.15.xz
02736977e0abd475ba3c463b381186d306fd2f6c264968c47c685f0fce08c820 grsecurity-2.9.1-3.10.15-unofficial.patch
6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
......@@ -171,11 +173,12 @@ dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush
ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
500f3577310be52e87b9fecdc2e9c4ca43210fd97d69089f9005d484563f74c7 fix-memory-map-for-PIE-applications.patch
4e2ac6cf0b5f6ef4c2f468aedb3f4b7a2737ef3abef4cf712492ba5daec4b30d ipv6-udp-packets-following-an-UFO-enqueued-packet-needs-al.patch
7fd28634998ef1fddafed5f2516e902924245d2464b9e86476bfaa55ccfc3bc3 kernelconfig.x86
f2843ae4f9b3e3c27f3138ce4b740c2803bdab0c7a910c662d951843803b9554 kernelconfig.x86_64"
sha512sums="5fb109fcbd59bf3dffc911b853894f0a84afa75151368f783a1252c5ff60c7a1504de216c0012be446df983e2dea400ad8eeed3ce04f24dc61d0ef76c174dc35 linux-3.10.tar.xz
8bd9af04acec2998d5a6d99e63a84c35802e4affeead51d15cf024020bc326507fee7c59179157b5bd42f5e0633c39ea8f123f02c0262aa50042fea57ed7390d patch-3.10.14.xz
7d17742f5dcce1975dfa9d24fa9e665e9e48dcb3acc962a7699923bdb92477f1b2e352b0e946de664e76ab72798cad77e1d2eafc2e6dc167e3dee2bf91d866e5 grsecurity-2.9.1-3.10.14-unofficial.patch
41f612dc912df68a69bb44343748be5c7b3c1525654890a1d896f466ef6aa22d35343f59a2c4319cde1858a6407f9366817c762670dd711d9ff2890291fa60cc patch-3.10.15.xz
7838f4f43c1259d587979255a403b17be26d687aac91d43084417057267fd12643e99beccfbe21f22ed3d423080d9cdd7086598c8cc7e922ddae1024ce1f8005 grsecurity-2.9.1-3.10.15-unofficial.patch
81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
......@@ -183,5 +186,6 @@ d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d71
28a33e644bf2faf99c8dd6dbccfe14e140dfdd8824a8fb2d58aa7deb9e572f130d92b6b35ee181084050d82166bdf2e498a451a2a538a67b7ab84204405d2d87 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
4665c56ae1bbac311f9205d64918e84ee8b01d47d6e2396ff6b8adfb10aada7f7254531ce62e31edbb65c2a54a830f09ad05d314dfcd75d6272f4068945ad7c7 fix-memory-map-for-PIE-applications.patch
39fc019ac5ea5ada03c29846f22ddab0735e288bb3ad8d2109628e5d77d24bd09e6972eea6ee912768391399efe069e77c0e53b8a22329328bcc51f09f963f05 ipv6-udp-packets-following-an-UFO-enqueued-packet-needs-al.patch
1721542ff111c8ec550323dae6f6174131db180668cbf14f01dc4c76ffbbb479715919a80c35d8c8ac22a6479dd3b42700be6ddc5ef2a8b6a62de811c7ae86df kernelconfig.x86
d49bf57bd0aae17d762d87d5bf983e48219d71ca44bc0c3120db94d357192c07146a8938cef9d435218e4bb748691ec426387545837be637d47e45cdc4482d71 kernelconfig.x86_64"
......@@ -281,7 +281,7 @@ index 2fe6e76..889ee23 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
index 129c49f..643835b 100644
index 9a77179..052a254 100644
--- a/Makefile
+++ b/Makefile
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
......@@ -25220,7 +25220,7 @@ index 2cb9470..ff1fd80 100644
return ret;
diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
index 76fa1e9..abf09ea 100644
index 90fd119..61aa5d2 100644
--- a/arch/x86/kernel/reboot.c
+++ b/arch/x86/kernel/reboot.c
@@ -36,7 +36,7 @@ void (*pm_power_off)(void);
......@@ -25275,7 +25275,7 @@ index 76fa1e9..abf09ea 100644
"rm" (real_mode_header->machine_real_restart_asm),
"a" (type));
#else
@@ -531,7 +558,7 @@ void __attribute__((weak)) mach_reboot_fixups(void)
@@ -547,7 +574,7 @@ void __attribute__((weak)) mach_reboot_fixups(void)
* try to force a triple fault and then cycle between hitting the keyboard
* controller and doing that
*/
......@@ -25284,7 +25284,7 @@ index 76fa1e9..abf09ea 100644
{
int i;
int attempt = 0;
@@ -654,13 +681,13 @@ void native_machine_shutdown(void)
@@ -670,13 +697,13 @@ void native_machine_shutdown(void)
#endif
}
......@@ -25300,7 +25300,7 @@ index 76fa1e9..abf09ea 100644
{
pr_notice("machine restart\n");
@@ -669,7 +696,7 @@ static void native_machine_restart(char *__unused)
@@ -685,7 +712,7 @@ static void native_machine_restart(char *__unused)
__machine_emergency_restart(0);
}
......@@ -25309,7 +25309,7 @@ index 76fa1e9..abf09ea 100644
{
/* Stop other cpus and apics */
machine_shutdown();
@@ -679,7 +706,7 @@ static void native_machine_halt(void)
@@ -695,7 +722,7 @@ static void native_machine_halt(void)
stop_this_cpu(NULL);
}
......@@ -25318,7 +25318,7 @@ index 76fa1e9..abf09ea 100644
{
if (pm_power_off) {
if (!reboot_force)
@@ -688,9 +715,10 @@ static void native_machine_power_off(void)
@@ -704,9 +731,10 @@ static void native_machine_power_off(void)
}
/* A fallback in case there is no PM info available */
tboot_shutdown(TB_SHUTDOWN_HALT);
......@@ -39029,10 +39029,10 @@ index c8d16a6..ca71b5e 100644
iir = I915_READ(IIR);
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
index eea5982..eeef407 100644
index 2667d6d..410dc80 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -8935,13 +8935,13 @@ struct intel_quirk {
@@ -8939,13 +8939,13 @@ struct intel_quirk {
int subsystem_vendor;
int subsystem_device;
void (*hook)(struct drm_device *dev);
......@@ -39048,7 +39048,7 @@ index eea5982..eeef407 100644
static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
{
@@ -8949,18 +8949,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
@@ -8953,18 +8953,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
return 1;
}
......@@ -39440,7 +39440,7 @@ index 5a82b6b..9e69c73 100644
if (regcomp
(&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
index b0dc0b6..a9bfe9c 100644
index 8df1525..62e95ef 100644
--- a/drivers/gpu/drm/radeon/radeon_device.c
+++ b/drivers/gpu/drm/radeon/radeon_device.c
@@ -1014,7 +1014,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev)
......@@ -40213,10 +40213,10 @@ index 6351aba..dc4aaf4 100644
int res = 0;
diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c
index 62c2e32..8f2859a 100644
index 98814d1..9435d05 100644
--- a/drivers/hwmon/applesmc.c
+++ b/drivers/hwmon/applesmc.c
@@ -1084,7 +1084,7 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num)
@@ -1093,7 +1093,7 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num)
{
struct applesmc_node_group *grp;
struct applesmc_dev_attr *node;
......@@ -42066,7 +42066,7 @@ index 60bce43..9b997d0 100644
pmd->bl_info.value_type.inc = data_block_inc;
pmd->bl_info.value_type.dec = data_block_dec;
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index 33f2010..23fb84c 100644
index 1c13071..4bb0452 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -169,9 +169,9 @@ struct mapped_device {
......@@ -42101,7 +42101,7 @@ index 33f2010..23fb84c 100644
wake_up(&md->eventq);
}
@@ -2690,18 +2690,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
@@ -2701,18 +2701,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
uint32_t dm_next_uevent_seq(struct mapped_device *md)
{
......@@ -53794,7 +53794,7 @@ index d50bbe5..af3b649 100644
goto err;
}
diff --git a/fs/bio.c b/fs/bio.c
index c5eae72..599e3cf 100644
index 5e7507d..418c639 100644
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -1106,7 +1106,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
From 2811ebac2521ceac84f2bdae402455baa6a7fb47 Mon Sep 17 00:00:00 2001
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Sat, 21 Sep 2013 04:27:00 +0000
Subject: ipv6: udp packets following an UFO enqueued packet need also be handled by UFO
In the following scenario the socket is corked:
If the first UDP packet is larger then the mtu we try to append it to the
write queue via ip6_ufo_append_data. A following packet, which is smaller
than the mtu would be appended to the already queued up gso-skb via
plain ip6_append_data. This causes random memory corruptions.
In ip6_ufo_append_data we also have to be careful to not queue up the
same skb multiple times. So setup the gso frame only when no first skb
is available.
This also fixes a shortcoming where we add the current packet's length to
cork->length but return early because of a packet > mtu with dontfrag set
(instead of sutracting it again).
Found with trinity.
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 3a692d5..a54c45c 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1015,6 +1015,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
* udp datagram
*/
if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) {
+ struct frag_hdr fhdr;
+
skb = sock_alloc_send_skb(sk,
hh_len + fragheaderlen + transhdrlen + 20,
(flags & MSG_DONTWAIT), &err);
@@ -1036,12 +1038,6 @@ static inline int ip6_ufo_append_data(struct sock *sk,
skb->protocol = htons(ETH_P_IPV6);
skb->ip_summed = CHECKSUM_PARTIAL;
skb->csum = 0;
- }
-
- err = skb_append_datato_frags(sk,skb, getfrag, from,
- (length - transhdrlen));
- if (!err) {
- struct frag_hdr fhdr;
/* Specify the length of each IPv6 datagram fragment.
* It has to be a multiple of 8.
@@ -1052,15 +1048,10 @@ static inline int ip6_ufo_append_data(struct sock *sk,
ipv6_select_ident(&fhdr, rt);
skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
__skb_queue_tail(&sk->sk_write_queue, skb);
-
- return 0;
}
- /* There is not enough support do UPD LSO,
- * so follow normal path
- */
- kfree_skb(skb);
- return err;
+ return skb_append_datato_frags(sk, skb, getfrag, from,
+ (length - transhdrlen));
}
static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src,
@@ -1227,27 +1218,27 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
* --yoshfuji
*/
- cork->length += length;
- if (length > mtu) {
- int proto = sk->sk_protocol;
- if (dontfrag && (proto == IPPROTO_UDP || proto == IPPROTO_RAW)){
- ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
- return -EMSGSIZE;
- }
-
- if (proto == IPPROTO_UDP &&
- (rt->dst.dev->features & NETIF_F_UFO)) {
+ if ((length > mtu) && dontfrag && (sk->sk_protocol == IPPROTO_UDP ||
+ sk->sk_protocol == IPPROTO_RAW)) {
+ ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
+ return -EMSGSIZE;
+ }
- err = ip6_ufo_append_data(sk, getfrag, from, length,
- hh_len, fragheaderlen,
- transhdrlen, mtu, flags, rt);
- if (err)
- goto error;
- return 0;
- }
+ skb = skb_peek_tail(&sk->sk_write_queue);
+ cork->length += length;
+ if (((length > mtu) ||
+ (skb && skb_is_gso(skb))) &&
+ (sk->sk_protocol == IPPROTO_UDP) &&
+ (rt->dst.dev->features & NETIF_F_UFO)) {
+ err = ip6_ufo_append_data(sk, getfrag, from, length,
+ hh_len, fragheaderlen,
+ transhdrlen, mtu, flags, rt);
+ if (err)
+ goto error;
+ return 0;
}
- if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL)
+ if (!skb)
goto alloc_new_skb;
while (length > 0) {
--
cgit v0.9.2
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment