Commit be7afbff authored by Leonardo Arena's avatar Leonardo Arena

main/linux-virt-grsec: upgrade to 3.10.19

parent 3fde020c
From b8bf456d13988fb38cfe248676327f44a2d2ed2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Wed, 23 Oct 2013 09:54:54 +0300
Subject: [PATCH] pax: x86_64: fix copy_user_generic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Pax patch removed r10 from clobbers list as all assembly code was
updated to not use it. However, in the error path the assembly code
ends up calling copy_user_handle_tail() C-function that can clobber
r10. This broke things for certain gcc optimizations (at least for gcc
4.8.x), as copy_user_generic() is inline function, and the inline
assembly incorrectly guaranteed not to clobber r10.
Add r10 back to clobbers list like vanilla kernel has it. It is
needed always due to the possibly C-function call in error path.
Signed-off-by: Timo Teräs <timo.teras@iki.f>
Acked-by: Natanael Copa <ncopa@alpinelinux.org>
---
arch/x86/include/asm/uaccess_64.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
index 1dbe82f..9d398f4 100644
--- a/arch/x86/include/asm/uaccess_64.h
+++ b/arch/x86/include/asm/uaccess_64.h
@@ -44,7 +44,7 @@ copy_user_generic(void *to, const void *from, unsigned len)
ASM_OUTPUT2("=a" (ret), "=D" (to), "=S" (from),
"=d" (len)),
"1" (to), "2" (from), "3" (len)
- : "memory", "rcx", "r8", "r9", "r11");
+ : "memory", "rcx", "r8", "r9", "r10", "r11");
return ret;
}
--
1.8.4.1
......@@ -3,7 +3,7 @@
_flavor=grsec
pkgname=linux-virt-${_flavor}
pkgver=3.10.17
pkgver=3.10.19
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
......@@ -18,8 +18,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
grsecurity-2.9.1-3.10.17-unofficial.patch
0001-pax-x86_64-fix-copy_user_generic.patch
grsecurity-2.9.1-$pkgver-unofficial.patch
0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
......@@ -27,7 +26,9 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
fix-memory-map-for-PIE-applications.patch
remove-cap-sys-admin-for-proc-sys.patch
sysctl_lxc.patch
CVE-2013-4348.patch
kernelconfig.x86
kernelconfig.x86_64
"
......@@ -151,9 +152,8 @@ dev() {
}
md5sums="4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz
8431ee4e2467fdfde47e31701813a265 patch-3.10.17.xz
6894537e9ccc2b296b27b42c39c64b31 grsecurity-2.9.1-3.10.17-unofficial.patch
51607abf0a105aebbe65e3df6fb415bd 0001-pax-x86_64-fix-copy_user_generic.patch
b7f932eecbbf5636ad69add480fa1573 patch-3.10.19.xz
4440f9004d3b62cf9b526d53c02416ad grsecurity-2.9.1-3.10.19-unofficial.patch
a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
......@@ -161,13 +161,13 @@ aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-p
6ce5fed63aad3f1a1ff1b9ba7b741822 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
1a5800a2122ba0cc0d06733cb3bb8b8f 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
c6a4ae7e8ca6159e1631545515805216 fix-memory-map-for-PIE-applications.patch
ebb624500d0b89fbf2daadfc7151c693 remove-cap-sys-admin-for-proc-sys.patch
b3c0153d53e508e03d73b94d15b24a96 sysctl_lxc.patch
09ae7985af988c75ff35ed503558eb8b CVE-2013-4348.patch
539c848d541c1656851fe865018273df kernelconfig.x86
82cd965fc82651f2e6b35e75c17d8031 kernelconfig.x86_64"
sha256sums="df27fa92d27a9c410bfe6c4a89f141638500d7eadcca5cce578954efc2ad3544 linux-3.10.tar.xz
5552fc6f24a56d13d603ddc7759114a7b52e92ad2fb84a23a1b80b37b739a33b patch-3.10.17.xz
8e82e71c0da392a601a952aa712b56a5116fcf626c19d69ae9d86dda2d200852 grsecurity-2.9.1-3.10.17-unofficial.patch
0742780b41ded0837d25f0b2f646b954da9362ac5956886427ad630000c0e335 0001-pax-x86_64-fix-copy_user_generic.patch
c420b1da0aefe23e4a6953e579374fd377385b6041f967694cf4f828e2f3252e patch-3.10.19.xz
532870eb3c59200b045efb64463bcc544d394410b2aba63ed5c6dbfe9d974e38 grsecurity-2.9.1-3.10.19-unofficial.patch
6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
......@@ -175,13 +175,13 @@ dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush
ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
500f3577310be52e87b9fecdc2e9c4ca43210fd97d69089f9005d484563f74c7 fix-memory-map-for-PIE-applications.patch
01c33a3093d23a6ef5ea50cb91174d524be5bfcc4f3dd9694844cf47697d5287 remove-cap-sys-admin-for-proc-sys.patch
9ba55b0f45d5aa97503e376a13be6d249a10f32e36687055b2fa1e5a39fa0584 sysctl_lxc.patch
39acdfc0bb2298e3a9ba62ee42ac2b6556fc31d8eaa2c085f84897cdeaa1a996 CVE-2013-4348.patch
997d4c8a5a2b911047d26fe1bf8ee8d5cd3b7133e6abdc07b7deacd0b3eb2330 kernelconfig.x86
7845194551137fbc3b69a75249696bc843bb7fe7f4a4e6b0582c0ca0856caa64 kernelconfig.x86_64"
sha512sums="5fb109fcbd59bf3dffc911b853894f0a84afa75151368f783a1252c5ff60c7a1504de216c0012be446df983e2dea400ad8eeed3ce04f24dc61d0ef76c174dc35 linux-3.10.tar.xz
38f9085d67d59cb37c32db69b84714a96f327fe74b69bb4a7304861ea6e474614216067ee08093f41739ce803b83a70400c83f06c695cb1114cf41c0b2dc7aa7 patch-3.10.17.xz
6d27a986f32f42b12c4291ebb4b7365d8cd90b604ee9bc57344b9f9764efd7c5aae89c5ab4977878a24ae4b6e812c1db6030c3451bd15fdb2ea01a2a50e2ce41 grsecurity-2.9.1-3.10.17-unofficial.patch
b32903a59cd582c2acf95869640bb34fefee544d242702e04af1db188f381da3889c9db9475e8ffc31628cda0b0641828f609c5ac9a387dd86ac4917be26792f 0001-pax-x86_64-fix-copy_user_generic.patch
6a8bfb124f90f1c8ed27ce3315629601b1b72d4bc8b1d2b776424e56b3a72e4cd03bcebe6cde35223a3beba75ec6d69e949e217504acc611becb7e62aa88f05c patch-3.10.19.xz
015b090eedeb4bcd75025690bab264afddc9e5a54a897f918a8c5f260b5ddf46bd6cbf510e6efdeb26cc5d351e8c5ccb3c921738f315e4ee5153e288b86608cd grsecurity-2.9.1-3.10.19-unofficial.patch
81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
......@@ -189,6 +189,7 @@ d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d71
28a33e644bf2faf99c8dd6dbccfe14e140dfdd8824a8fb2d58aa7deb9e572f130d92b6b35ee181084050d82166bdf2e498a451a2a538a67b7ab84204405d2d87 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
4665c56ae1bbac311f9205d64918e84ee8b01d47d6e2396ff6b8adfb10aada7f7254531ce62e31edbb65c2a54a830f09ad05d314dfcd75d6272f4068945ad7c7 fix-memory-map-for-PIE-applications.patch
90d236cb79054751d9081c0ffc002c89cb855e0785c5419449563724e4f9de1c67f763923bdc8c1a5b336ab7850ad33d21fa41ad33b9e2e680badefe40c26626 remove-cap-sys-admin-for-proc-sys.patch
41071e21c59997604a380575d3c4171d35a12eaae6ddcf158d95e4fd5ccc69d61753cbd38b7bd08d879cce5bfea3fed2df15e5a3dca944f6f7cbd95d5d2daa23 sysctl_lxc.patch
6c5165692519c630cb96a254088e55d4d7412bd0f45920c0bf514dd9c68d24625da91798158fe502b6c214a7b8d44ae6b2e49b39aed6da3c1344f816f90405a3 CVE-2013-4348.patch
08f5bb86f03415f60e9bb171ffa192fa70fa85dafeada10817a4b8ae7932fffd1b0f2df01750407e576bb71cd6c3f2c5fe76f2613922cd77f398bce134fd3ec2 kernelconfig.x86
7a373bec279fe00601bff7ed64c5a09bb4318bf07557fece194afb426d78bf13191b0510642192518f3ffa68b9a36aa6f971f77f55ea09ae4f42c4a84afc00a5 kernelconfig.x86_64"
From 6f092343855a71e03b8d209815d8c45bf3a27fcd Mon Sep 17 00:00:00 2001
From: Jason Wang <jasowang@redhat.com>
Date: Fri, 01 Nov 2013 07:01:10 +0000
Subject: net: flow_dissector: fail on evil iph->ihl
We don't validate iph->ihl which may lead a dead loop if we meet a IPIP
skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl
is evil (less than 5).
This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae
(rps: support IPIP encapsulation).
Cc: Eric Dumazet <edumazet@google.com>
Cc: Petr Matousek <pmatouse@redhat.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 8d7d0dd..143b6fd 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -40,7 +40,7 @@ again:
struct iphdr _iph;
ip:
iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
- if (!iph)
+ if (!iph || iph->ihl < 5)
return false;
if (ip_is_fragment(iph))
--
cgit v0.9.2
This patch allows guests to set /proc/sys/net/*/ip_forward without
needing CAP_SYS_ADMIN.
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index 1e6dc7e..d65d119 100644
index 1e6dc7e..0a5638b 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -521,8 +521,6 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
@@ -11,6 +11,7 @@
#include <linux/namei.h>
#include <linux/mm.h>
#include <linux/module.h>
+#include <linux/nsproxy.h>
#include "internal.h"
extern int gr_handle_chroot_sysctl(const int op);
@@ -521,8 +522,13 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
dput(filp->f_path.dentry);
if (!gr_acl_handle_open(filp->f_path.dentry, filp->f_path.mnt, op))
goto out;
- if (write && !capable(CAP_SYS_ADMIN))
- goto out;
+ if (write) {
+ if (current->nsproxy->net_ns != table->extra2) {
+ if (!capable(CAP_SYS_ADMIN))
+ goto out;
+ } else if (!nsown_capable(CAP_NET_ADMIN))
+ goto out;
+ }
#endif
/* careful: calling conventions are nasty here */
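Review bot: The relaxed write check in proc_sys_call_handler is keyed on `current->nsproxy->net_ns != table->extra2`, but nothing in the hunk explains why `extra2` may be read as a network-namespace pointer; it is a generic ctl_table field that other handlers commonly use as a range bound. The patch description names only ip_forward, while this condition accepts a write to any entry whose `extra2` equals the caller's namespace once `nsown_capable(CAP_NET_ADMIN)` passes, so the set of sysctls that become writable without CAP_SYS_ADMIN is probably wider than stated and should be confirmed. I would document the assumption above the test, for example `/* net sysctl tables keep their owning struct net in extra2; only those entries are writable with CAP_NET_ADMIN, all others still require CAP_SYS_ADMIN */`, and widen the description to match. The function body and the enclosing #ifdef begin outside the hunk, so how `table` is obtained cannot be checked from this page.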