main/linux-grsec: upgrade to 3.10.20

a92a97d8 · Natanael Copa · 469837bc · a92a97d8 · a92a97d8 · 469837bc
Commit a92a97d8 authored Nov 22, 2013 by Natanael Copa
4 changed files
--- a/main/linux-grsec/0001-Revert-scripts-kallsyms-filter-symbols-not-in-kernel.patch
+++ b/main/linux-grsec/0001-Revert-scripts-kallsyms-filter-symbols-not-in-kernel.patch
+From 74c511bbdb5833d67c3c80aebfaf9b8921127b12 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Fri, 22 Nov 2013 12:31:19 +0000
+Subject: [PATCH] Revert "scripts/kallsyms: filter symbols not in kernel
+ address space"
+
+Does not work with i386 KERNEXEC
+
+This reverts commit 27b840ea211f8a36fadabaa07ef94fb1b45730c3.
+---
+ scripts/kallsyms.c      | 12 +-----------
+ scripts/link-vmlinux.sh |  2 --
+ 2 files changed, 1 insertion(+), 13 deletions(-)
+
+diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c
+index 9a11f9f..487ac6f 100644
+--- a/scripts/kallsyms.c
+++ b/scripts/kallsyms.c
+@@ -55,7 +55,6 @@ static struct sym_entry *table;
+ static unsigned int table_size, table_cnt;
+ static int all_symbols = 0;
+ static char symbol_prefix_char = '\0';
+-static unsigned long long kernel_start_addr = 0;
+ 
+ int token_profit[0x10000];
+ 
+@@ -66,10 +65,7 @@ unsigned char best_table_len[256];
+ 
+ static void usage(void)
+ {
+-	fprintf(stderr, "Usage: kallsyms [--all-symbols] "
+-			"[--symbol-prefix=<prefix char>] "
+-			"[--page-offset=<CONFIG_PAGE_OFFSET>] "
+-			"< in.map > out.S\n");
+	fprintf(stderr, "Usage: kallsyms [--all-symbols] [--symbol-prefix=<prefix char>] < in.map > out.S\n");
+ 	exit(1);
+ }
+ 
+@@ -198,9 +194,6 @@ static int symbol_valid(struct sym_entry *s)
+ 	int i;
+ 	int offset = 1;
+ 
+-	if (s->addr < kernel_start_addr)
+-		return 0;
+-
+ 	/* skip prefix char */
+ 	if (symbol_prefix_char && *(s->sym + 1) == symbol_prefix_char)
+ 		offset++;
+@@ -653,9 +646,6 @@ int main(int argc, char **argv)
+ 				if ((*p == '"' && *(p+2) == '"') || (*p == '\'' && *(p+2) == '\''))
+ 					p++;
+ 				symbol_prefix_char = *p;
+-			} else if (strncmp(argv[i], "--page-offset=", 14) == 0) {
+-				const char *p = &argv[i][14];
+-				kernel_start_addr = strtoull(p, NULL, 16);
+ 			} else
+ 				usage();
+ 		}
+diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
+index 0d8d2ee..d482a0d 100644
+--- a/scripts/link-vmlinux.sh
+++ b/scripts/link-vmlinux.sh
+@@ -82,8 +82,6 @@ kallsyms()
+ 		kallsymopt="${kallsymopt} --all-symbols"
+ 	fi
+ 
+-	kallsymopt="${kallsymopt} --page-offset=$CONFIG_PAGE_OFFSET"
+-
+ 	local aflags="${KBUILD_AFLAGS} ${KBUILD_AFLAGS_KERNEL}               \
+ 		      ${NOSTDINC_FLAGS} ${LINUXINCLUDE} ${KBUILD_CPPFLAGS}"
+ 
+-- 
+1.8.4.3
+
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -2,7 +2,7 @@

 _flavor=grsec
 pkgname=linux-${_flavor}
-pkgver=3.10.19
+pkgver=3.10.20
 case $pkgver in
 *.*.*)	_kernver=${pkgver%.*};;
 *.*)	_kernver=${pkgver};;
@@ -27,7 +27,6 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
 	0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
 	fix-memory-map-for-PIE-applications.patch
 	sysctl_lxc.patch
-	CVE-2013-4348.patch

 	kernelconfig.x86
 	kernelconfig.x86_64
@@ -152,8 +151,8 @@ dev() {
 }

 md5sums="4f25cd5bec5f8d5a7d935b3f2ccb8481  linux-3.10.tar.xz
-b7f932eecbbf5636ad69add480fa1573  patch-3.10.19.xz
-4440f9004d3b62cf9b526d53c02416ad  grsecurity-2.9.1-3.10.19-unofficial.patch
+6762bab77ec96530b8915728f3bfb813  patch-3.10.20.xz
+f8921f35e2a0c11e7358359d90bd24d4  grsecurity-2.9.1-3.10.20-unofficial.patch
 a16f11b12381efb3bec79b9bfb329836  0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
 656ae7b10dd2f18dbfa1011041d08d60  0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 aa454ffb96428586447775c21449e284  0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
@@ -162,12 +161,11 @@ aa454ffb96428586447775c21449e284  0003-ipv4-properly-refresh-rtable-entries-on-p
 1a5800a2122ba0cc0d06733cb3bb8b8f  0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
 c6a4ae7e8ca6159e1631545515805216  fix-memory-map-for-PIE-applications.patch
 b3c0153d53e508e03d73b94d15b24a96  sysctl_lxc.patch
-09ae7985af988c75ff35ed503558eb8b  CVE-2013-4348.patch
 cb5c938dccbee36cfb8bb7ee3546b8af  kernelconfig.x86
 daa81b89f18254155ac33c5239abf3a4  kernelconfig.x86_64"
 sha256sums="df27fa92d27a9c410bfe6c4a89f141638500d7eadcca5cce578954efc2ad3544  linux-3.10.tar.xz
-c420b1da0aefe23e4a6953e579374fd377385b6041f967694cf4f828e2f3252e  patch-3.10.19.xz
-532870eb3c59200b045efb64463bcc544d394410b2aba63ed5c6dbfe9d974e38  grsecurity-2.9.1-3.10.19-unofficial.patch
+b6d2a828c38e2791d3490d7f05556156f4a0624cb55460631b8e2667c66527fa  patch-3.10.20.xz
+7f11be19130a61aad90eb27e0205b5d729150688c35829818499df76c8d8bdae  grsecurity-2.9.1-3.10.20-unofficial.patch
 6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3  0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
 dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0  0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892  0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
@@ -176,12 +174,11 @@ ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3  0005-ipv4-use-
 fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e  0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
 500f3577310be52e87b9fecdc2e9c4ca43210fd97d69089f9005d484563f74c7  fix-memory-map-for-PIE-applications.patch
 9ba55b0f45d5aa97503e376a13be6d249a10f32e36687055b2fa1e5a39fa0584  sysctl_lxc.patch
-39acdfc0bb2298e3a9ba62ee42ac2b6556fc31d8eaa2c085f84897cdeaa1a996  CVE-2013-4348.patch
 3e6c4101bfb90b6a30173ef81cd0d0bea51d6a995fc045ca67db7fed271d969d  kernelconfig.x86
 da67ef700372d080bffb12a86f0a16c987dc79e18fdfb1a88d2704660239e5f0  kernelconfig.x86_64"
 sha512sums="5fb109fcbd59bf3dffc911b853894f0a84afa75151368f783a1252c5ff60c7a1504de216c0012be446df983e2dea400ad8eeed3ce04f24dc61d0ef76c174dc35  linux-3.10.tar.xz
-6a8bfb124f90f1c8ed27ce3315629601b1b72d4bc8b1d2b776424e56b3a72e4cd03bcebe6cde35223a3beba75ec6d69e949e217504acc611becb7e62aa88f05c  patch-3.10.19.xz
-015b090eedeb4bcd75025690bab264afddc9e5a54a897f918a8c5f260b5ddf46bd6cbf510e6efdeb26cc5d351e8c5ccb3c921738f315e4ee5153e288b86608cd  grsecurity-2.9.1-3.10.19-unofficial.patch
+86c61f1d18c370fb24808cda03c8fe1e33879fe5a4553f78c943ec896e2bed1e196cd9e64ab830e9e6a2f9967d7c8396a848610c44fc09d2e426814618f4deec  patch-3.10.20.xz
+7e8dbb18b77adeb43fa99b1283d6101a075f0bbcc06681ae30547698778e66976ae3e7533406c7754b0337e908b88643fbcee3d55aa45073623445c4b906cb43  grsecurity-2.9.1-3.10.20-unofficial.patch
 81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02  0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
 51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c  0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e  0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
@@ -190,6 +187,5 @@ d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d71
 249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205  0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
 4665c56ae1bbac311f9205d64918e84ee8b01d47d6e2396ff6b8adfb10aada7f7254531ce62e31edbb65c2a54a830f09ad05d314dfcd75d6272f4068945ad7c7  fix-memory-map-for-PIE-applications.patch
 41071e21c59997604a380575d3c4171d35a12eaae6ddcf158d95e4fd5ccc69d61753cbd38b7bd08d879cce5bfea3fed2df15e5a3dca944f6f7cbd95d5d2daa23  sysctl_lxc.patch
-6c5165692519c630cb96a254088e55d4d7412bd0f45920c0bf514dd9c68d24625da91798158fe502b6c214a7b8d44ae6b2e49b39aed6da3c1344f816f90405a3  CVE-2013-4348.patch
 e81d6780a33f00d5ee03b069fc3610da2eda3ba43e515707ae67cd2d609a226b18e9ec446eeacd2afaafe6aa480bb30b9908cce41e0d90f1a3b41e7daf2034c5  kernelconfig.x86
 01e38549e92a98f041cb7ee1fec04a35d55322eff718fce6cd5774b60d0db287478ca034309e3dbd06b0194a2ec4b67584ef281018c16681a0ac7ac0fdc7c3ba  kernelconfig.x86_64"
--- a/main/linux-grsec/CVE-2013-4348.patch
+++ b/main/linux-grsec/CVE-2013-4348.patch
-From 6f092343855a71e03b8d209815d8c45bf3a27fcd Mon Sep 17 00:00:00 2001
-From: Jason Wang <jasowang@redhat.com>
-Date: Fri, 01 Nov 2013 07:01:10 +0000
-Subject: net: flow_dissector: fail on evil iph->ihl
-
-We don't validate iph->ihl which may lead a dead loop if we meet a IPIP
-skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl
-is evil (less than 5).
-
-This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae
-(rps: support IPIP encapsulation).
-
-Cc: Eric Dumazet <edumazet@google.com>
-Cc: Petr Matousek <pmatouse@redhat.com>
-Cc: Michael S. Tsirkin <mst@redhat.com>
-Cc: Daniel Borkmann <dborkman@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Acked-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
---
-diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
-index 8d7d0dd..143b6fd 100644
--- a/net/core/flow_dissector.c
-+++ b/net/core/flow_dissector.c
-@@ -40,7 +40,7 @@ again:
- 		struct iphdr _iph;
- ip:
- 		iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
-		if (!iph)
-+		if (!iph || iph->ihl < 5)
- 			return false;
- 
- 		if (ip_is_fragment(iph))
--
-cgit v0.9.2
--- a/main/linux-grsec/grsecurity-2.9.1-3.10.19-unofficial.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.10.19-unofficial.patch
@@ -281,7 +281,7 @@ index 2fe6e76..889ee23 100644
 
 	pcd.		[PARIDE]
 diff --git a/Makefile b/Makefile
-index 83a02f5..8673672 100644
+index ba784b7..c665163 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -48720,10 +48720,10 @@ index 2a3bbdf..91d72cf 100644
 		file->f_version = event_count;
 		return POLLIN | POLLRDNORM;
 diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
-index d53547d..6a22d02 100644
+index d3aa353..0e284af 100644
 --- a/drivers/usb/core/hcd.c
 +++ b/drivers/usb/core/hcd.c
-@@ -1526,7 +1526,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
+@@ -1527,7 +1527,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
 	 */
 	usb_get_urb(urb);
 	atomic_inc(&urb->use_count);
@@ -48732,7 +48732,7 @@ index d53547d..6a22d02 100644
 	usbmon_urb_submit(&hcd->self, urb);
 
 	/* NOTE requirements on root-hub callers (usbfs and the hub
-@@ -1553,7 +1553,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
+@@ -1554,7 +1554,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
 		urb->hcpriv = NULL;
 		INIT_LIST_HEAD(&urb->urb_list);
 		atomic_dec(&urb->use_count);
@@ -48742,7 +48742,7 @@ index d53547d..6a22d02 100644
 			wake_up(&usb_kill_urb_queue);
 		usb_put_urb(urb);
 diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index 6cf2ae0..f701610 100644
+index c8b9fa0..abb8ce1 100644
 --- a/drivers/usb/core/hub.c
 +++ b/drivers/usb/core/hub.c
 @@ -27,6 +27,7 @@
@@ -48753,7 +48753,7 @@ index 6cf2ae0..f701610 100644
 
 #include <asm/uaccess.h>
 #include <asm/byteorder.h>
-@@ -4419,6 +4420,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
+@@ -4431,6 +4432,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
   			goto done;
 		return;
 	}
@@ -49244,7 +49244,7 @@ index 098bfc6..796841d 100644
 		if (!registered_fb[con2fb.framebuffer])
 			request_module("fb%d", con2fb.framebuffer);
 diff --git a/drivers/video/hyperv_fb.c b/drivers/video/hyperv_fb.c
-index d4d2c5f..ebbd113 100644
+index 0f3b33c..b4304eb 100644
 --- a/drivers/video/hyperv_fb.c
 +++ b/drivers/video/hyperv_fb.c
 @@ -233,7 +233,7 @@ static uint screen_fb_size;
@@ -85745,10 +85745,10 @@ index e444ff8..438b8f4 100644
 		*data_page = bpage;
 
 diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
-index 0582a01..310bed1 100644
+index 5546ae9..26f7728 100644
 --- a/kernel/trace/trace.c
 +++ b/kernel/trace/trace.c
-@@ -3327,7 +3327,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set)
+@@ -3330,7 +3330,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set)
 	return 0;
 }
 
@@ -93387,7 +93387,7 @@ index b66910a..cfe416e 100644
 	return -ENOMEM;
 }
 diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
-index c52fee0..9644112 100644
+index 64e4e98..db77052 100644
 --- a/net/ipv4/ip_gre.c
 +++ b/net/ipv4/ip_gre.c
 @@ -115,7 +115,7 @@ static bool log_ecn_error = true;
@@ -93507,7 +93507,7 @@ index efa1138..20dbba0 100644
 	return res;
 }
 diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
-index 7cfc456..e726868 100644
+index f5cc7b3..33d7577 100644
 --- a/net/ipv4/ipip.c
 +++ b/net/ipv4/ipip.c
 @@ -124,7 +124,7 @@ MODULE_PARM_DESC(log_ecn_error, "Log packets received with corrupted ECN");
@@ -94632,10 +94632,10 @@ index 1aeb473..bea761c 100644
 	return -ENOMEM;
 }
 diff --git a/net/ipv6/route.c b/net/ipv6/route.c
-index 3c1f493..4129ccc 100644
+index 548a1f7c..63ee520 100644
 --- a/net/ipv6/route.c
 +++ b/net/ipv6/route.c
-@@ -2931,7 +2931,7 @@ ctl_table ipv6_route_table_template[] = {
+@@ -2934,7 +2934,7 @@ ctl_table ipv6_route_table_template[] = {
 
 struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net)
 {
@@ -97940,11 +97940,64 @@ index 643764f..6cc0137 100644
 		-e 's/__attribute_const__([ \t]|$)/\1/g' \
 		-e 's@^#include <linux/compiler.h>@@' \
 		-e 's/(^|[^a-zA-Z0-9])__packed([^a-zA-Z0-9_]|$)/\1__attribute__((packed))\2/g' \
+diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c
+index 9a11f9f..487ac6f 100644
+--- a/scripts/kallsyms.c
+++ b/scripts/kallsyms.c
+@@ -55,7 +55,6 @@ static struct sym_entry *table;
+ static unsigned int table_size, table_cnt;
+ static int all_symbols = 0;
+ static char symbol_prefix_char = '\0';
+-static unsigned long long kernel_start_addr = 0;
+ 
+ int token_profit[0x10000];
+ 
+@@ -66,10 +65,7 @@ unsigned char best_table_len[256];
+ 
+ static void usage(void)
+ {
+-	fprintf(stderr, "Usage: kallsyms [--all-symbols] "
+-			"[--symbol-prefix=<prefix char>] "
+-			"[--page-offset=<CONFIG_PAGE_OFFSET>] "
+-			"< in.map > out.S\n");
+	fprintf(stderr, "Usage: kallsyms [--all-symbols] [--symbol-prefix=<prefix char>] < in.map > out.S\n");
+ 	exit(1);
+ }
+ 
+@@ -198,9 +194,6 @@ static int symbol_valid(struct sym_entry *s)
+ 	int i;
+ 	int offset = 1;
+ 
+-	if (s->addr < kernel_start_addr)
+-		return 0;
+-
+ 	/* skip prefix char */
+ 	if (symbol_prefix_char && *(s->sym + 1) == symbol_prefix_char)
+ 		offset++;
+@@ -653,9 +646,6 @@ int main(int argc, char **argv)
+ 				if ((*p == '"' && *(p+2) == '"') || (*p == '\'' && *(p+2) == '\''))
+ 					p++;
+ 				symbol_prefix_char = *p;
+-			} else if (strncmp(argv[i], "--page-offset=", 14) == 0) {
+-				const char *p = &argv[i][14];
+-				kernel_start_addr = strtoull(p, NULL, 16);
+ 			} else
+ 				usage();
+ 		}
 diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
-index 32b10f5..0d8d2ee 100644
+index 32b10f5..d482a0d 100644
 --- a/scripts/link-vmlinux.sh
 +++ b/scripts/link-vmlinux.sh
-@@ -160,7 +160,7 @@ else
+@@ -82,8 +82,6 @@ kallsyms()
+ 		kallsymopt="${kallsymopt} --all-symbols"
+ 	fi
+ 
+-	kallsymopt="${kallsymopt} --page-offset=$CONFIG_PAGE_OFFSET"
+-
+ 	local aflags="${KBUILD_AFLAGS} ${KBUILD_AFLAGS_KERNEL}               \
+ 		      ${NOSTDINC_FLAGS} ${LINUXINCLUDE} ${KBUILD_CPPFLAGS}"
+ 
+@@ -160,7 +158,7 @@ else
 fi;
 
 # final build of init/