Commit 9d439ce1 authored by Natanael Copa's avatar Natanael Copa
Browse files

main/linux-grsec: upgrade to 4.1.10

parent 1acd97cd
../linux-vanilla/0001-inet-fix-potential-deadlock-in-reqsk_queue_unlink.patch
\ No newline at end of file
From 9c889e8df035c6eb7993963a7c80bfc75a61124d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Mon, 6 Jul 2015 09:54:36 +0300
Subject: [PATCH] ip_tunnel: fix ipv4 pmtu check to honor inner ip header df
Frag needed should be sent only if the inner header asked
to not fragment. Currently fragmentation is broken if the
tunnel has df set. The tunnel's df needs to be still checked
to update internally the pmtu cache.
This got broken in commit 23a3647bc4f93bac and this fixes
the pmtu check back to the way it was.
Fixes: 23a3647bc4f93bac ("ip_tunnels: Use skb-len to PMTU check.")
Cc: Pravin B Shelar <pshelar@nicira.com>
---
net/ipv4/ip_tunnel.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index 0bb8e14..6822572 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -587,7 +587,8 @@ int ip_tunnel_encap(struct sk_buff *skb, struct ip_tunnel *t,
EXPORT_SYMBOL(ip_tunnel_encap);
static int tnl_update_pmtu(struct net_device *dev, struct sk_buff *skb,
- struct rtable *rt, __be16 df)
+ struct rtable *rt, __be16 df,
+ const struct iphdr *inner_iph)
{
struct ip_tunnel *tunnel = netdev_priv(dev);
int pkt_size = skb->len - tunnel->hlen - dev->hard_header_len;
@@ -604,7 +605,8 @@ static int tnl_update_pmtu(struct net_device *dev, struct sk_buff *skb,
if (skb->protocol == htons(ETH_P_IP)) {
if (!skb_is_gso(skb) &&
- (df & htons(IP_DF)) && mtu < pkt_size) {
+ (inner_iph->frag_off & htons(IP_DF)) &&
+ mtu < pkt_size) {
memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu));
return -E2BIG;
@@ -738,7 +740,7 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
goto tx_error;
}
- if (tnl_update_pmtu(dev, skb, rt, tnl_params->frag_off)) {
+ if (tnl_update_pmtu(dev, skb, rt, tnl_params->frag_off, inner_iph)) {
ip_rt_put(rt);
goto tx_error;
}
--
2.4.5
From cb6ccf09d6b94bec4def1ac5cf4678d12b216474 Mon Sep 17 00:00:00 2001
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Tue, 28 Apr 2015 11:43:15 +0800
Subject: [PATCH] route: Use ipv4_mtu instead of raw rt_pmtu
The commit 3cdaa5be9e81a914e633a6be7b7d2ef75b528562 ("ipv4: Don't
increase PMTU with Datagram Too Big message") broke PMTU in cases
where the rt_pmtu value has expired but is smaller than the new
PMTU value.
This obsolete rt_pmtu then prevents the new PMTU value from being
installed.
Fixes: 3cdaa5be9e81 ("ipv4: Don't increase PMTU with Datagram Too Big message")
Reported-by: Gerd v. Egidy <gerd.von.egidy@intra2net.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/ipv4/route.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index a78540f..bff62fc 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -962,10 +962,7 @@ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
if (dst_metric_locked(dst, RTAX_MTU))
return;
- if (dst->dev->mtu < mtu)
- return;
-
- if (rt->rt_pmtu && rt->rt_pmtu < mtu)
+ if (ipv4_mtu(dst) < mtu)
return;
if (mtu < ip_rt_min_pmtu)
--
2.4.5
......@@ -2,12 +2,12 @@
_mainflavor=grsec
pkgname=linux-$_mainflavor
pkgver=3.18.21
pkgver=4.1.10
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
esac
pkgrel=1
pkgrel=0
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs"
......@@ -15,14 +15,13 @@ makedepends="perl sed installkernel bash gmp-dev bc linux-headers mpfr-dev
mpc1-dev"
options="!strip"
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
http://dev.alpinelinux.org/~ncopa/grsecurity/grsecurity-3.1-3.18.21-201508181951-alpine.patch
source="http://ftp.kernel.org/pub/linux/kernel/v4.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v4.x/patch-$pkgver.xz
https://www.grsecurity.net/~paxguy1/pax-linux-4.1.10-test24.patch
http://dev.alpinelinux.org/~tteras/grsec/grsec-4.1.y-3.1-201509112213-alpine.patch
fix-memory-map-for-PIE-applications.patch
0001-ip_tunnel-fix-ipv4-pmtu-check-to-honor-inner-ip-head.patch
0001-inet-fix-potential-deadlock-in-reqsk_queue_unlink.patch
0002-ipv4-Don-t-increase-PMTU-with-Datagram-Too-Big-messa.patch
0003-route-Use-ipv4_mtu-instead-of-raw-rt_pmtu.patch
fix-spi-nor-namespace-clash.patch
imx6q-no-unclocked-sleep.patch
......@@ -205,45 +204,42 @@ dev() {
"$subpkgdir"/lib/modules/${_abi_release}/build
}
md5sums="9e854df51ca3fef8bfe566dbd7b89241 linux-3.18.tar.xz
40fe799b6c9e8ce97af01ba87b14e87e patch-3.18.21.xz
87b02283de552dbd4c02d09030e54692 grsecurity-3.1-3.18.21-201508181951-alpine.patch
c6a4ae7e8ca6159e1631545515805216 fix-memory-map-for-PIE-applications.patch
b7f15811ab0ae0a1225c03cc2cc24411 0001-ip_tunnel-fix-ipv4-pmtu-check-to-honor-inner-ip-head.patch
md5sums="fe9dc0f6729f36400ea81aa41d614c37 linux-4.1.tar.xz
599cb082ef44d8fb76ad8fd49d1b50fc patch-4.1.10.xz
553ea17ee17a3e78bb802bdbf50704ed pax-linux-4.1.10-test24.patch
d4d64785f2ff77db38477b3da0d86f9a grsec-4.1.y-3.1-201509112213-alpine.patch
ffa7fdc282af20f2b48b95b2687b7452 0001-inet-fix-potential-deadlock-in-reqsk_queue_unlink.patch
5d708f155fff5fbbbeed2785423832e2 0002-ipv4-Don-t-increase-PMTU-with-Datagram-Too-Big-messa.patch
7aa2fef1b8b352bae5b924ded5d9cab7 0003-route-Use-ipv4_mtu-instead-of-raw-rt_pmtu.patch
b0337a2a9abed17c37eae5db332522d2 fix-spi-nor-namespace-clash.patch
1a307fc1d63231bf01d22493a4f14378 imx6q-no-unclocked-sleep.patch
f37d251585c4a4fae1795dde82fab4bb config-grsec.x86
53ac7f6224de263d068fa1e484b95da7 config-grsec.x86_64
36892e7e94abde237925ab15e9c7752c config-grsec.armhf
439f55ae4b5221ba31bbf73f2d3439b5 config-virtgrsec.x86
262dff7e1e47834392aeb6c37b124f0a config-virtgrsec.x86_64"
sha256sums="becc413cc9e6d7f5cc52a3ce66d65c3725bc1d1cc1001f4ce6c32b69eb188cbd linux-3.18.tar.xz
fef6b8507c4a88b5b579016773faf1f4b1c78b2cc627e31101f244eeb1cf1895 patch-3.18.21.xz
2a6596b46ae6938d3bd302b390edf0bad7e3be3e65ad88c920e1d2246418b2d5 grsecurity-3.1-3.18.21-201508181951-alpine.patch
500f3577310be52e87b9fecdc2e9c4ca43210fd97d69089f9005d484563f74c7 fix-memory-map-for-PIE-applications.patch
b4a5d6fc7b1dfe43cee18cf47db3f588a4b8a03e6d474af9a6f9ef487233ba70 0001-ip_tunnel-fix-ipv4-pmtu-check-to-honor-inner-ip-head.patch
1bcf1c98ab042ae7868aca90e0ceaaee config-grsec.x86
ff2951230d00d1cb295031c682863748 config-grsec.x86_64
c4486da497494f746e54cf82cf2e153f config-grsec.armhf
28754e558f94f3b3e0b0fcc27c1c955f config-virtgrsec.x86
e1ee16152cd6b92aef67466e1710cf87 config-virtgrsec.x86_64"
sha256sums="caf51f085aac1e1cea4d00dbbf3093ead07b551fc07b31b2a989c05f8ea72d9f linux-4.1.tar.xz
929e210fe6dbd5dd26812c146630be14e979aae6c960a2feb39544babb8e73cb patch-4.1.10.xz
5a81bd4e2dafc3f8ea9be7e60d519b06c4ecf5ec5f3af58040ec2461e63cd7dd pax-linux-4.1.10-test24.patch
7258089a5e2d5ca65135e47cf13400c47a657f5b2f6ef3f2e2b7383a758e00f8 grsec-4.1.y-3.1-201509112213-alpine.patch
c56583010561ca7d7b5e5aa3eed67c939f67deb2d22af7155e475c10baa4d7a5 0001-inet-fix-potential-deadlock-in-reqsk_queue_unlink.patch
e6cef82ab135a8ab23111a90b95d3d034eaed32d7c5829c0322aaac491b781b7 0002-ipv4-Don-t-increase-PMTU-with-Datagram-Too-Big-messa.patch
14b5fb04a3cc5118a74a100fff626c73e7f297c7a020af654f2942207fe39ec9 0003-route-Use-ipv4_mtu-instead-of-raw-rt_pmtu.patch
01279cfb93273d99670c56e2465957ecde3d03693beeb929a743f03afa0b7bdc fix-spi-nor-namespace-clash.patch
21179fbb22a5b74af0a609350ae1a170e232908572b201d02e791d2ce0a685d3 imx6q-no-unclocked-sleep.patch
45d894f9151225fe06801045d25fb454c6775d09ca4320a43ec8806cd7c15903 config-grsec.x86
edc9834868f794668478ec58a6f581440de6dd2c9f5fb39d8d6370e237058ccc config-grsec.x86_64
03ba6e2ed62e27e5fceb0bc405cccfe3de2e2d3be1486287500f38a1b2ecf786 config-grsec.armhf
b947c5a7e64cfeab0b10dba57fa642c416e24526d39b63869f89ed0ca0554ab2 config-virtgrsec.x86
f17d4fca4903a1f5310521a464cdc0da5d85624bf576182c515b035019d32add config-virtgrsec.x86_64"
sha512sums="2f0b72466e9bc538a675738aa416573d41bbbd7e3e2ffd5b5b127afde609ebc278cec5a3c37e73479607e957c13f1b4ed9782a3795e0dcc2cf8e550228594009 linux-3.18.tar.xz
b82d6f79d59c9d949a149a351ba2c77d334df83d66491a7776d909badff800ed2431ec6216adc7df3c2315886088a659450bc8e1a8d141d2e173a8a4e2492c8d patch-3.18.21.xz
0dfa2457ef611beb8563230ddd5fdf65c57914053640bf529f5444e2d396e472d52263f5174c5090dec135e9b9f0963d761f08eafee7916177ff281aab62caf3 grsecurity-3.1-3.18.21-201508181951-alpine.patch
4665c56ae1bbac311f9205d64918e84ee8b01d47d6e2396ff6b8adfb10aada7f7254531ce62e31edbb65c2a54a830f09ad05d314dfcd75d6272f4068945ad7c7 fix-memory-map-for-PIE-applications.patch
c5f7bda0a5bf88d7ce5de8c405ee5a018b652d70def2a5c6eea8e718b39efc0fed860bb61c70d950ba42cb11e0c264ee5ddd9a1505b7b60d19a56322ece894b6 0001-ip_tunnel-fix-ipv4-pmtu-check-to-honor-inner-ip-head.patch
d9fa91765f13f00fff2a4bb39e6ecf91940ff4e83e9b4ade5783eab4b7c0faac config-grsec.x86
79cf436f28b723eaeae721e2ae5d2cd1aad5a6e16080cf314c481d5278d7346b config-grsec.x86_64
6e6fdaab4a9229d4e3bd0e68e5ee7d5bf2562215a72cf16f98071015cd98ba52 config-grsec.armhf
fcfeedde29606b94f79f79ceb9351bd5d018aca6a76bba04459d85e4ad94939f config-virtgrsec.x86
a3f09fc1092ecf4456980a6e2e723a9ea95746e0da5bf4a7363046614dc6ffd8 config-virtgrsec.x86_64"
sha512sums="168ef84a4e67619f9f53f3574e438542a5747f9b43443363cb83597fcdac9f40d201625c66e375a23226745eaada9176eb006ca023613cec089349e91751f3c0 linux-4.1.tar.xz
3b5cb5c8f494958c39a06a1b416e3e5a075a3c76c44f8bf1ae5a14deec9861407100c2ef59b0720e8fc0729b5c8422b4d819ff59f1f7ec4eed20c5ba8a95d6d5 patch-4.1.10.xz
4f14bdef481bcd039bbfdd2073e864a92c1b99600fa57d9a302ce028460efa45acdd2101e62c3bbc76456bd350b10bc76e4d055b89fa35ddf5029ad5dc1d1c3f pax-linux-4.1.10-test24.patch
7d25216434876e4cdbab9c3a37f554a1ad908416c2afa8b70e92d681029accdd120c9ee4e5ed3df54f806920f05e0e29f0e06fc417083b953e26401be350858d grsec-4.1.y-3.1-201509112213-alpine.patch
32ae58cf74d5e02cb09445be35772dad0a517949bd1836f8dbc90b871de67901b61dba5eccdc2a795a9f7e5c06831335504a738205eb49768f7424cf30ddd8ae 0001-inet-fix-potential-deadlock-in-reqsk_queue_unlink.patch
0d533a7ae0fd7a524326312d5e10f505936941826766b778508c91698e1ba5b7125248cc6fbbb6adc27db0f6172a68c818fb12818e6d6a27cf4f85a961013bdb 0002-ipv4-Don-t-increase-PMTU-with-Datagram-Too-Big-messa.patch
af9059f3d62430e55c4105fcc28ebf4d176c0a642fc5594879eedbf5ab5bd605db32243bcbcfe5932487abe55f18ea9faee8b041dd14c3e1569331cb5db9a04f 0003-route-Use-ipv4_mtu-instead-of-raw-rt_pmtu.patch
4e3aeb70712f9838afea75fe9e6c1389414d833a89286ea55441d6a8d54ce74b0e39b565721e3153443af0a614bff57c767251b7e5b81faa5e0784eddfcd2164 fix-spi-nor-namespace-clash.patch
87d1ad59732f265a5b0db54490dc1762c14ea4b868e7eb1aedc3ce57b48046de7bbc08cf5cfcf6f1380fa84063b0edb16ba3d5e3c5670be9bbb229275c88b221 imx6q-no-unclocked-sleep.patch
d77575a7d9ed1199541207750fb6f3cf56a179885400580b3fa0b9875be44ccf8bd9d7f2aa615cb931f78d5c9a87db0ee6e1b692be02614b75a721ee56c0c166 config-grsec.x86
d7186814354d43a1f8aae93eca091e04a60bd8c3f601591a6b9e5ef324c945d4cd6c3dcd3b3305a130a811aad57da84bc0c408ca556bae8f4a20a62515829a5a config-grsec.x86_64
025cd3689f2c1a469d855deccbab34a56e6cbcaaf59648c04af7257779136a6b4bbb96584d70ff2e2713af33da56e2b8f7eb59490ccf30eaa4b62a15051a4806 config-grsec.armhf
79845c86558b4861ae24224b1eedbc0d5589d46ca709f4d51e06dd55d6bc2bfbf5feb9549873be81ee49c3247431ba8223ce495754563a6c4bd289f4e4c9e412 config-virtgrsec.x86
4b11c48cf4767cf71dcfe3b40057cca0363062e1c5dc7a65ada33fab23054427b91859863b1c5d2f715ad78c6f95a0d39a973a19b3db20d71d6bae6fe70da885 config-virtgrsec.x86_64"
98eaa89a171bef67c59c51ad91ea764992a10cfbcce5b1ad01fbbb576f05de6db4dfbb5eabc166994ae7faacb7e89f53580fc0e609e4eebc7e5c8b1fe2d38b7f config-grsec.x86
e441d0d7f0575656773e25c4cbde6668aaf1e96942482b5cecd78704b386d2be206104a501945476f5ff12af5a822c56af45a1d79d3e85b28afa3132cdd58062 config-grsec.x86_64
6bd17b168a3f083247e673cf9a8786059969796d4962fe6442f453fa3eae06f8c93131270d0cea2c0cb36515bd3cae4896c97ccf6c58c7cb9657843b31a1f307 config-grsec.armhf
caec0c97bfd25c9cc6921addc8b39941284a38746d5b9c5f19c0f1fe679d9f4c6ee7881a2eb95a16dcfbb082486435f467d27d539405ee6094b70d13b3bf2276 config-virtgrsec.x86
36f4cb73009cb5cf9f8e52ceae3537e8d84f4eaa1a7aa3850c893472cc661ce76b65b88403a3d7fa0bf31b179ac030bf0b8a1188214c771ebbc1c92c95d398a2 config-virtgrsec.x86_64"
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
From 21f973f87f480e3d24f1cb6c22b71253d25a3ea1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Tue, 1 Oct 2013 13:46:04 +0300
Subject: [PATCH 3.10-grsec] fs/binfmt_elf: fix memory map for PIE applications
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
arch/*/include/asm/elf.h comments say:
ELF_ET_DYN_BASE is the location that an ET_DYN program is loaded
if exec'ed. Typical use of this is to invoke "./ld.so someprog"
to test out a new version of the loader. We need to make sure
that it is out of the way of the program that it will "exec",
and that there is sufficient room for the brk.
In case we have main application linked as PIE, this can cause
problems as the main program itself is being loaded to this
alternate address. And this allows limited heap size. While
this is inevitable when exec'ing the interpreter directly,
we should do better for PIE applications.
This fixes the loader to detect PIE application by checking if
elf_interpreter is requested. This images are loaded to beginning
of the address space instead of the specially crafted place for elf
interpreter. This allows full heap address space for PIE applications
and fixes random "out of memory" errors.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
---
fs/binfmt_elf.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 6f036ed..06419af 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1217,21 +1217,19 @@ static int load_elf_binary(struct linux_binprm *bprm)
* default mmap base, as well as whatever program they
* might try to exec. This is because the brk will
* follow the loader, and is not movable. */
+ if (elf_interpreter)
+ load_bias = 0x00400000UL;
+ else
+ load_bias = ELF_ET_DYN_BASE;
#ifdef CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE
/* Memory randomization might have been switched off
* in runtime via sysctl or explicit setting of
* personality flags.
- * If that is the case, retain the original non-zero
- * load_bias value in order to establish proper
- * non-randomized mappings.
*/
if (current->flags & PF_RANDOMIZE)
- load_bias = 0;
- else
- load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
-#else
- load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
+ load_bias = (get_random_int() & STACK_RND_MASK) << PAGE_SHIFT;
#endif
+ load_bias = ELF_PAGESTART(load_bias - vaddr);
#ifdef CONFIG_PAX_RANDMMAP
/* PaX: randomize base address at the default exe base if requested */
--
1.8.4
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment