commit facbff181ef6e99400f215f93c3259aca442754c
Merge: 13e09e2 00d46cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 14 21:29:40 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 00d46cd059b886a277793e1e972d311738a5ca9f
Merge: 92efcfe d07c3d9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 14 21:29:31 2015 -0400

    Merge branch 'linux-3.2.y' into pax-stable

    Conflicts:
        lib/bitmap.c
        mm/memory.c

commit 13e09e261792b1cdb577d89af5cdf7dafe6403b1
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sat Aug 1 15:33:26 2015 +0300

    rds: fix an integer overflow test in rds_info_getsockopt()

    "len" is a signed integer. We check that len is not negative, so it
    goes from zero to INT_MAX. PAGE_SIZE is unsigned long so the
    comparison is type promoted to unsigned long. ULONG_MAX - 4095 is
    higher than INT_MAX so the condition can never be true.

    I don't know if this is harmful but it seems safe to limit "len" to
    INT_MAX - 4095.

    Fixes: a8c879a7ee98 ('RDS: Info and stats')
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/info.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5f71a17e4b3f406474055ef8723e55f82118517c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 10 02:39:35 2015 -0400

    Backport virtio-net security fix by Jason Wang from:
    http://marc.info/?l=linux-netdev&m=143868216724068&w=2

 drivers/net/virtio_net.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 655452be4ba3abe1864d157001723762498432f7
Merge: a6667a3 92efcfe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 10 01:50:01 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
        arch/mips/kernel/irq.c
        kernel/trace/trace_events_filter.c

commit 92efcfeca5be11a36c8a089a374d9396764e397d
Merge: 16c1a7a 058fbb1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 10 01:48:25 2015 -0400

    Update to pax-linux-3.2.70-test179.patch:
    Merge branch 'linux-3.2.y' into pax-stable

    Conflicts:
        arch/arm/include/asm/elf.h
        arch/powerpc/mm/mmap_64.c
        fs/binfmt_elf.c

commit a6667a39ecfc62cad6ae68e7f38f7b40f6dd559f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 2 08:26:16 2015 -0400

    Update plugins from 4.1 tree to fix reported compilation errors

 tools/gcc/kernexec_plugin.c  | 8 ++++++--
 tools/gcc/stackleak_plugin.c | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

commit 5088787d1a19583ff0a46387a108e3b99c11bf92
Author: Benjamin Randazzo <benjamin@randazzo.fr>
Date:   Sat Jul 25 16:36:50 2015 +0200

    md: use kzalloc() when bitmap is disabled

    In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
    mdu_bitmap_file_t called "file".

    5769         file = kmalloc(sizeof(*file), GFP_NOIO);
    5770         if (!file)
    5771                 return -ENOMEM;

    This structure is copied to user space at the end of the function.

    5786         if (err == 0 &&
    5787             copy_to_user(arg, file, sizeof(*file)))
    5788                 err = -EFAULT

    But if bitmap is disabled only the first byte of "file" is
    initialized with zero, so it's possible to read some bytes (up to
    4095) of kernel space memory from user space. This is an information
    leak.

    5775         /* bitmap disabled, zero the first byte and copy out */
    5776         if (!mddev->bitmap_info.file)
    5777                 file->pathname[0] = '\0';

    Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
    Signed-off-by: NeilBrown <neilb@suse.com>

    Conflicts:
        drivers/md/md.c

    Conflicts:
        drivers/md/md.c

    Conflicts:
        drivers/md/md.c

 drivers/md/md.c | 10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

commit 4e3e47675ff3f830a69f39ff1ea094563715bbcc
Author: Andy Lutomirski <luto@kernel.org>
Date:   Thu Jul 30 14:31:31 2015 -0700

    x86/xen: Probe target addresses in set_aliased_prot() before the hypercall

    The update_va_mapping hypercall can fail if the VA isn't present
    in the guest's page tables. Under certain loads, this can
    result in an OOPS when the target address is in unpopulated vmap
    space.

    While we're at it, add comments to help explain what's going on.

    This isn't a great long-term fix. This code should probably be
    changed to use something like set_memory_ro.

    Signed-off-by: Andy Lutomirski <luto@kernel.org>
    Cc: Andrew Cooper <andrew.cooper3@citrix.com>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Brian Gerst <brgerst@gmail.com>
    Cc: David Vrabel <dvrabel@cantab.net>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Jan Beulich <jbeulich@suse.com>
    Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Sasha Levin <sasha.levin@oracle.com>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: security@kernel.org <security@kernel.org>
    Cc: <stable@vger.kernel.org>
    Cc: xen-devel <xen-devel@lists.xen.org>
    Link: http://lkml.kernel.org/r/0b0e55b995cda11e7829f140b833ef932fcabe3a.1438291540.git.luto@kernel.org
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/xen/enlighten.c | 40 ++++++++++++++++++++++++++++++++++++++++
 1 files changed, 40 insertions(+), 0 deletions(-)

commit a23e976defed00e9c2f6ff7533450578d245181c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 1 14:29:08 2015 -0400

    Backport fix for another vuln the fix for which was snuck into the
    4.1-rc1 merge process by Al Viro. Spotted by Ben Hutchings:
    http://seclists.org/oss-sec/2015/q3/271

 drivers/scsi/sg.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 216cb9c00c93f345089a829deaa63f062d2b03d8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 12:18:43 2015 -0400

    Update to pax-linux-3.14.48-test53.patch:
    - fixed the constify plugin for gcc-5
    - Emese fixed the size_overflow plugin for gcc-5

 include/linux/compiler-gcc5.h                      |   1 -
 tools/gcc/constify_plugin.c                        |   2 +-
 tools/gcc/gcc-common.h                             | 130 +++++++++++++--
 .../insert_size_overflow_asm.c                     | 112 +++++++------
 .../insert_size_overflow_check_core.c              |  80 ++++-----
 .../insert_size_overflow_check_ipa.c               | 174 +++++++++++---------
 .../size_overflow_plugin/intentional_overflow.c    |  96 ++++++-----
 tools/gcc/size_overflow_plugin/misc.c              |  20 ++-
 .../size_overflow_plugin/remove_unnecessary_dup.c  |  19 +-
 tools/gcc/size_overflow_plugin/size_overflow.h     |  88 ++++++++--
 .../gcc/size_overflow_plugin/size_overflow_debug.c |  23 ++-
 .../size_overflow_plugin/size_overflow_plugin.c    |   7 +-
 .../size_overflow_plugin_hash.c                    |  31 ++---
 13 files changed, 491 insertions(+), 292 deletions(-)

commit 7af5bff119d8d09e14b15f8367af6bb423c0b6e7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 11:49:44 2015 -0400

    compile fix

 kernel/sysctl.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 3331b04884e8ddbbf89ee53f802cd7dbbc0d2e84
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 11:02:49 2015 -0400

    compile fix

 grsecurity/grsec_sysctl.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 67eb0dfbf04d28e8591660eb199082cbd7dbd6ea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 10:59:07 2015 -0400

    compile fix

 include/linux/sysctl.h | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 95245366379da1cce9d960181673403479fb70d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 10:50:51 2015 -0400

    Add framework for having ambiently read-only sysctl variables.
    Add all grsecurity sysctl entries to it, as well as security-relevant
    upstream sysctl values (modules_disabled, kptr_restrict, etc)

    Conflicts:
        kernel/printk/printk.c

    Conflicts:
        grsecurity/grsec_init.c
        kernel/module.c
        kernel/printk/printk.c

 grsecurity/grsec_init.c   |  104 +-
 grsecurity/grsec_sysctl.c |  104 +-
 include/linux/sysctl.h    |    2 +
 kernel/events/core.c      |    6 +-
 kernel/module.c           |    2 +-
 kernel/printk/printk.c    | 2912 +++++++++++++++++++++++++++++++++++++++++++++
 kernel/sysctl.c           |   89 ++-
 lib/vsprintf.c            |    4 +-
 8 files changed, 3106 insertions(+), 117 deletions(-)

commit 06fa0ab59a1a4027a6531b43e9d3f8d810c2e7ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 11:33:44 2015 -0400

    port modify_ldt code

 arch/x86/kernel/ldt.c | 3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit 069012f660f2b16c690782e96eccbbe4eaf8b206
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 11:28:15 2015 -0400

    Implement modify_ldt sysctl toggle from
    https://lkml.org/lkml/2015/7/25/103, make it not depend on
    CONFIG_MODIFY_LDT_SYSCALL, force modify_ldt to off regardless of
    config setting if grsec is enabled (with the allowance to turn it on
    at runtime), and harden up the implementation a bit

    Conflicts:
        arch/x86/Kconfig
        kernel/sysctl.c

 Documentation/sysctl/kernel.txt | 15 +++++++++++++++
 arch/x86/Kconfig                | 16 ++++++++++++++++
 arch/x86/kernel/ldt.c           | 18 ++++++++++++++++++
 kernel/sysctl.c                 |  8 ++++++++
 4 files changed, 57 insertions(+), 0 deletions(-)

commit 2235626a23679463294d505fb58c59cc6c52b1ad
Author: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Date:   Fri Jul 17 16:23:42 2015 -0700

    include, lib: add __printf attributes to several function prototypes

    Using __printf attributes helps to detect several format string issues
    at compile time (even though -Wformat-security is currently disabled in
    Makefile). For example it can detect when formatting a pointer as a
    number, like the issue fixed in commit a3fa71c40f18 ("wl18xx: show
    rx_frames_per_rates as an array as it really is"), or when the arguments
    do not match the format string, c.f. for example commit 5ce1aca81435
    ("reiserfs: fix __RASSERT format string").

    To prevent similar bugs in the future, add a __printf attribute to every
    function prototype which needs one in include/linux/ and lib/. These
    functions were mostly found by using gcc's -Wsuggest-attribute=format
    flag.

    Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Felipe Balbi <balbi@ti.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Conflicts:
        include/linux/clkdev.h
        include/linux/configfs.h
        include/linux/printk.h

    Conflicts:
        include/linux/cpu.h
        include/linux/device.h
        include/linux/iommu.h
        include/linux/printk.h

    Conflicts:
        include/linux/clkdev.h
        include/linux/compat.h
        include/linux/dcache.h
        include/linux/printk.h

 include/linux/clkdev.h    |  2 +-
 include/linux/compat.h    |  2 +-
 include/linux/configfs.h  |  3 ++-
 include/linux/dcache.h    |  3 ++-
 include/linux/device.h    | 10 ++++------
 include/linux/kernel.h    |  9 +++++----
 include/linux/kobject.h   |  5 +++--
 include/linux/mmiotrace.h |  2 +-
 lib/kobject.c             |  5 +++--
 9 files changed, 22 insertions(+), 19 deletions(-)

commit da6704ee4e2d2766937cb999d56ac9d37550937d
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Mon Jul 13 00:06:02 2015 +0200

    rtnetlink: reject non-IFLA_VF_PORT attributes inside IFLA_VF_PORTS

    Similarly as in commit 4f7d2cdfdde7 ("rtnetlink: verify IFLA_VF_INFO
    attributes before passing them to driver"), we have a double nesting
    of netlink attributes, i.e. IFLA_VF_PORTS only contains IFLA_VF_PORT
    that is nested itself. While IFLA_VF_PORTS is a verified attribute
    from ifla_policy[], we only check if the IFLA_VF_PORTS container has
    IFLA_VF_PORT attributes and then pass the attribute's content itself
    via nla_parse_nested(). It would be more correct to reject inner types
    other than IFLA_VF_PORT instead of continuing parsing and also
    similarly as in commit 4f7d2cdfdde7, to check for a minimum of
    NLA_HDRLEN.

    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
    Cc: Scott Feldman <sfeldma@gmail.com>
    Cc: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/rtnetlink.c | 11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 8c17fc6c51e1acfe973259bc8c00f83e84c37119
Author: Richard Stearn <richard@rns-stearn.demon.co.uk>
Date:   Mon Jul 13 11:38:24 2015 +0200

    NET: AX.25: Stop heartbeat timer on disconnect.

    This may result in a kernel panic. The bug has always existed but
    somehow we've run out of luck now and it bites.

    Signed-off-by: Richard Stearn <richard@rns-stearn.demon.co.uk>
    Cc: stable@vger.kernel.org # all branches
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ax25/ax25_subr.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 4aae781438b44e2d5af7286fe12e976f539c5174
Author: Neil Horman <nhorman@tuxdriver.com>
Date:   Tue Jul 7 14:02:18 2015 -0400

    vmxnet3: prevent receive getting out of sequence on napi poll

    vmxnet3's current napi path is built to count every rx descriptor we
    receive, and use that as a count of the napi budget. That means it's
    possible to return from a napi poll halfway through receiving a
    fragmented packet across multiple dma descriptors. If that happens,
    the next napi poll will start with the descriptor ring in an improper
    state (e.g. the first descriptor we look at may have the end-of-packet
    bit set), which will cause a BUG halt in the driver.

    Fix the issue by only counting whole received packets in the napi poll
    and returning that value, rather than the descriptor count.

    Tested by the reporter and myself, successfully

    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    CC: Shreyas Bhatewara <sbhatewara@vmware.com>
    CC: "David S. Miller" <davem@davemloft.net>
    Acked-by: Andy Gospodarek <gospo@cumulusnetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/vmxnet3/vmxnet3_drv.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 617ddad89f6b3db5fdd2d00a695119d9e1075353
Author: Johannes Thumshirn <jthumshirn@suse.de>
Date:   Wed Jul 8 17:16:49 2015 +0200

    macvtap: Destroy minor_idr on module_exit

    Destroy minor_idr on module_exit, reclaiming the allocated memory.

    This was detected by the following semantic patch (written by Luis
    Rodriguez <mcgrof@suse.com>)

    <SmPL>
    @ defines_module_init @
    declarer name module_init, module_exit;
    declarer name DEFINE_IDR;
    identifier init;
    @@

    module_init(init);

    @ defines_module_exit @
    identifier exit;
    @@

    module_exit(exit);

    @ declares_idr depends on defines_module_init && defines_module_exit @
    identifier idr;
    @@

    DEFINE_IDR(idr);

    @ on_exit_calls_destroy depends on declares_idr && defines_module_exit @
    identifier declares_idr.idr, defines_module_exit.exit;
    @@

    exit(void) {
        ...
        idr_destroy(&idr);
        ...
    }

    @ missing_module_idr_destroy depends on declares_idr && defines_module_exit && !on_exit_calls_destroy @
    identifier declares_idr.idr, defines_module_exit.exit;
    @@

    exit(void) {
        ...
        +idr_destroy(&idr);
    }
    </SmPL>

    Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/macvtap.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e611dd22d8eaf06948d7782a50512b779d8e563e
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sun Jul 12 10:34:29 2015 -0400

    9p: don't leave a half-initialized inode sitting around

    Cc: stable@vger.kernel.org # all branches
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/9p/vfs_inode.c      | 3 +--
 fs/9p/vfs_inode_dotl.c | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

commit af6fe5f9223e7c99118e01025ceae0c0a2580494
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 09:20:34 2015 -0400

    Backport:

    commit 36b84539390fc30663a7a026eef598c4656124bc
    Author: Al Viro <viro@ZenIV.linux.org.uk>
    Date:   Wed Jul 8 02:42:38 2015 +0100

        freeing unlinked file indefinitely delayed

    Conflicts:
        fs/dcache.c

 fs/dcache.c | 13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

commit 61f2cbfbadebefa1849412249a912adde2a48e40
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 12 12:40:03 2015 -0400

    fix RBAC debug compilation

 grsecurity/gracl_policy.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ba90e3ffe6ba0d2d6e2e9634e676c487c79c8af4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 18:46:04 2015 -0400

    Add missing virtual execute() method to constify plugin for GCC 5.1.
    The missing function didn't affect the security provided by the
    constify plugin, but would prevent compilation errors from being
    generated in cases where const structures were declared as local
    variables.

 tools/gcc/constify_plugin.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 7b17e50ada6008a8020610830090798f1e891334
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 12:25:32 2015 -0400

    RANDSTRUCT fix for GCC 5.1: make sure we run our bad cast logging pass
    Doesn't affect the security provided by the plugin, is purely for
    informational purposes

 tools/gcc/randomize_layout_plugin.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 586603783933d8530faf6af7f35056a74678bcfe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 11:26:23 2015 -0400

    compile fix

 security/selinux/hooks.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 34ce24798d9137b7becdd1c62cf996163a4f2678
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 10:08:47 2015 -0400

    Backport vuln fix from Stephen Smalley for an SELinux execmem bypass:
    http://lkml.iu.edu/hypermail/linux/kernel/1507.1/02442.html
    Not marked for -stable even though its handling has been inconsistent
    since at least 3.2 (as far back as I checked). Shared anonymous memory
    has been implemented through pseudo-files for a while now. One would
    expect fine-grained military-grade expert policy writers to have
    spotted this long ago. Grsec is not affected.

 security/selinux/hooks.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 5689dd1f9bd31c3527069a76f05f70df40e946ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 10:04:18 2015 -0400

    Functionally no different than the existing code, but at least now we
    aren't comparing negative values against unsigned types as done by
    Linus:
    http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=45820c294fe1b1a9df495d57f40585ef2d069a39
    and Jan:
    http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0b08c5e5944

 kernel/auditsc.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 37b1602e9cccf4f35c495c51f6173a2eefddb4ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 5 07:26:54 2015 -0400

    Fix format string vulns in config_item_set_name (used by configfs)
    Thanks to Nicolas Iooss for the report!

    Conflicts:
        drivers/usb/gadget/configfs.c

 fs/configfs/item.c       | 4 ++--
 include/linux/configfs.h | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit 7dbba86245ec789a322ca2e55baffc7af0958594
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 4 11:16:00 2015 -0400

    add newer socket families for logging

 grsecurity/gracl_ip.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a2020f19df7dd9424c43353ca5c5cf63468b783a
Merge: bb306ce 16c1a7a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 29 21:37:06 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 16c1a7a89be87b08227a8f09ced6cccf399bd1d9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 29 21:36:16 2015 -0400

    Update to pax-linux-3.2.69-test178.patch:
    - fixed incorrect lowmem mapping setup on certain amd64 memory
      configurations (also fixed by the never backported upstream commit
      20167d3421a089a1bf1bd680b150dc69c9506810), reported and much helped
      by rfree@mempo.org
    - use non-deprecated cpumask accessors

 arch/x86/include/asm/mmu_context.h | 6 +++---
 arch/x86/kernel/ldt.c              | 2 +-
 arch/x86/mm/fault.c                | 2 +-
 arch/x86/mm/init_64.c              | 2 +-
 mm/mprotect.c                      | 4 ++--
 5 files changed, 8 insertions(+), 8 deletions(-)

commit bb306ce3d630da517b25c836533ef390480989e7
Author: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
Date:   Thu Jun 25 18:10:09 2015 -0400

    tracing/filter: Do not allow infix to exceed end of string

    While debugging a WARN_ON() for filtering, I found that it is possible
    for the filter string to be referenced after its end.

    With the filter:

     # echo '>' > /sys/kernel/debug/events/ext4/ext4_truncate_exit/filter

    The filter_parse() function can call infix_get_op() which calls
    infix_advance() that updates the infix filter pointers for the cnt
    and tail without checking if the filter is already at the end, which
    will put the cnt to zero and the tail beyond the end. The loop then
    calls infix_next() that has

        ps->infix.cnt--;
        return ps->infix.string[ps->infix.tail++];

    The cnt will now be below zero, and the tail that is returned is
    already past the end of the filter string. So far the allocation of
    the filter string usually has some buffer that is zeroed out, but if
    the filter string is of the exact size of the allocated buffer there's
    no guarantee that the character after the nul terminating character
    will be zero.

    Luckily, only root can write to the filter.

    Cc: stable@vger.kernel.org # 2.6.33+
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/trace_events_filter.c | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 4b8f3676356d8bf9a737092ec552d2f9d230b5ea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 29 17:43:34 2015 -0400

    make DEBUG_PAGEALLOC depend on !PAX_MEMORY_SANITIZE, as done in 3.14
    and 4.0 patches

 mm/Kconfig.debug | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 6e69a0460bb713319fa1d3e3bd955ea30240f686
Merge: 0abe521 80d4987
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 26 18:52:16 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
        arch/x86/mm/fault.c
        fs/exec.c

commit 80d4987a12450d03431f988517281310d5497907
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 26 18:50:44 2015 -0400

    Update to pax-linux-3.2.69-test176.patch:
    - Emese fixed a size overflow compile error, reported by Daniel Micay
      (https://bugs.archlinux.org/task/45320)
    - the size overflow plugin caught an integer mixup in
      scsi_finish_command and sd_done, reported by hunger
    - changed the loglevel of our own messages that could result in a
      kernel panic
    - some small cleanups backported from the upcoming 4.1 port
    - the size overflow plugin caught an integer mixup in the unlzma code,
      reported by Vladimir Lushnikov
      (https://bugs.gentoo.org/show_bug.cgi?id=552642)

 arch/s390/mm/mmap.c        | 6 ++++++
 arch/x86/mm/fault.c        | 6 +++---
 drivers/scsi/scsi.c        | 2 +-
 drivers/scsi/sd.c          | 4 ++--
 drivers/scsi/sr.c          | 8 ++++----
 fs/exec.c                  | 8 ++++----
 include/scsi/scsi_driver.h | 2 +-
 lib/decompress_unlzma.c    | 4 ++--
 tools/gcc/gcc-common.h     | 4 ++--
 9 files changed, 25 insertions(+), 19 deletions(-)

commit 0abe5214ad610defd446cf0e666e1bb5f7c37797
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 23 19:26:36 2015 -0400

    compile fix

 kernel/trace/trace_events_filter.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 62272cf4a3b7c93a8a7ae81017c06934cfae7849
Author: Steven Rostedt <rostedt@goodmis.org>
Date:   Mon Jun 15 17:50:25 2015 -0400

    tracing: Have filter check for balanced ops

    When the following filter is used it causes a warning to trigger:

     # cd /sys/kernel/debug/tracing
     # echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter
    -bash: echo: write error: Invalid argument
     # cat events/ext4/ext4_truncate_exit/filter
    ((dev==1)blocks==2)
    ^
    parse_error: No error

    ------------[ cut here ]------------
    WARNING: CPU: 2 PID: 1223 at kernel/trace/trace_events_filter.c:1640 replace_preds+0x3c5/0x990()
    Modules linked in: bnep lockd grace bluetooth ...
    CPU: 3 PID: 1223 Comm: bash Tainted: G        W       4.1.0-rc3-test+ #450
    Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
     0000000000000668 ffff8800c106bc98 ffffffff816ed4f9 ffff88011ead0cf0
     0000000000000000 ffff8800c106bcd8 ffffffff8107fb07 ffffffff8136b46c
     ffff8800c7d81d48 ffff8800d4c2bc00 ffff8800d4d4f920 00000000ffffffea
    Call Trace:
     [<ffffffff816ed4f9>] dump_stack+0x4c/0x6e
     [<ffffffff8107fb07>] warn_slowpath_common+0x97/0xe0
     [<ffffffff8136b46c>] ? _kstrtoull+0x2c/0x80
     [<ffffffff8107fb6a>] warn_slowpath_null+0x1a/0x20
     [<ffffffff81159065>] replace_preds+0x3c5/0x990
     [<ffffffff811596b2>] create_filter+0x82/0xb0
     [<ffffffff81159944>] apply_event_filter+0xd4/0x180
     [<ffffffff81152bbf>] event_filter_write+0x8f/0x120
     [<ffffffff811db2a8>] __vfs_write+0x28/0xe0
     [<ffffffff811dda43>] ? __sb_start_write+0x53/0xf0
     [<ffffffff812e51e0>] ? security_file_permission+0x30/0xc0
     [<ffffffff811dc408>] vfs_write+0xb8/0x1b0
     [<ffffffff811dc72f>] SyS_write+0x4f/0xb0
     [<ffffffff816f5217>] system_call_fastpath+0x12/0x6a
    ---[ end trace e11028bd95818dcd ]---

    Worse yet, reading the error message (the filter again) it says that
    there was no error, when there clearly was. The issue is that the
    code that checks the input does not check for balanced ops. That is,
    having an op between a closed parenthesis and the next token.

    This would only cause a warning, and fail out before doing any real
    harm, but it should still not cause a warning, and the error reported
    should work:

     # cd /sys/kernel/debug/tracing
     # echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter
    -bash: echo: write error: Invalid argument
     # cat events/ext4/ext4_truncate_exit/filter
    ((dev==1)blocks==2)
    ^
    parse_error: Meaningless filter expression

    And give no kernel warning.

    Link: http://lkml.kernel.org/r/20150615175025.7e809215@gandalf.local.home

    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
    Cc: stable@vger.kernel.org # 2.6.31+
    Reported-by: Vince Weaver <vincent.weaver@maine.edu>
    Tested-by: Vince Weaver <vincent.weaver@maine.edu>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/trace_events_filter.c | 11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

commit b22ad091991bafe57d9b746ed12415bd0726893a
Author: Ben Hutchings <bhutchings@solarflare.com>
Date:   Mon Jan 16 12:38:59 2012 +0000

    net: Use device model to get driver name in skb_gso_segment()

    ethtool operations generally require the caller to hold RTNL and are
    not safe to call in atomic context. The device model provides this
    information for most devices; we'll only lose it for some old ISA
    drivers.

    Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
    Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        net/core/dev.c

 net/core/dev.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 61d4a80220bc6bc70f8cf43f3ea3b4a36c1cf395
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 8 21:15:22 2015 -0400

    use -std=gnu89 for HOSTCFLAGS

 Makefile | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5614c872ad694f964cfbea588a55a924d4079041
Author: Helge Deller <deller@gmx.de>
Date:   Thu Jun 4 23:57:18 2015 +0200

    compat: cleanup coding in compat_get_bitmap() and compat_put_bitmap()

    In the functions compat_get_bitmap() and compat_put_bitmap() the
    variable nr_compat_longs stores how many compat_ulong_t words should
    be copied in a loop.

    The copy loop itself is this:
      if (nr_compat_longs-- > 0) {
          if (__get_user(um, umask)) return -EFAULT;
      } else {
          um = 0;
      }

    Since nr_compat_longs gets unconditionally decremented in each loop
    and since its type is unsigned this could theoretically lead to out
    of bounds accesses to userspace if nr_compat_longs wraps around to
    (unsigned)(-1).

    Although the callers currently do not trigger out-of-bounds accesses,
    we should better implement the loop in a safe way to completely avoid
    such wrap-arounds.

    Signed-off-by: Helge Deller <deller@gmx.de>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>

 kernel/compat.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 737ed1a5841292f8e226093cbbbb2ca7810824b3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 8 20:58:12 2015 -0400

    Backport CVE-2015-1805 fix from http://seclists.org/oss-sec/2015/q2/652

 fs/pipe.c | 55 ++++++++++++++++++++++++++++++++-----------------------
 1 files changed, 32 insertions(+), 23 deletions(-)

commit 188395da0792bc5c094f4f1c954e12d02c27b95f
Author: Rusty Russell <rusty@rustcorp.com.au>
Date:   Wed May 27 10:59:26 2015 +0930

    lguest: fix out-by-one error in address checking.

    This bug has been there since day 1; addresses in the top guest
    physical page weren't considered valid. You could map that page (the
    check in check_gpte() is correct), but if a guest tried to put a
    pagetable there we'd check that address manually when walking it, and
    kill the guest.

    Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/lguest/core.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c9d6e6f29bb91c3cb735fd9b73f990d7cc7ea540
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu May 28 23:09:19 2015 -0400

    d_walk() might skip too much

    when we find that a child has died while we'd been trying to ascend,
    we should go into the first live sibling itself, rather than its
    sibling.

    Off-by-one in question had been introduced in "deal with deadlock in
    d_walk()" and the fix needs to be backported to all branches this one
    has been backported to.

    Cc: stable@vger.kernel.org # 3.2 and later
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/dcache.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 04453e48d367ed485741e260c63971d56f9465df
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat May 30 09:16:53 2015 -0700

    udp: fix behavior of wrong checksums

    We have two problems in UDP stack related to bogus checksums :

    1) We return -EAGAIN to application even if receive queue is not empty.
       This breaks applications using edge trigger epoll()

    2) Under UDP flood, we can loop forever without yielding to other
       processes, potentially hanging the host, especially on non SMP.

    This patch is an attempt to make things better.

    We might in the future add extra support for rt applications
    wanting to better control time spent doing a recv() in a hostile
    environment. For example we could validate checksums before queuing
    packets in socket receive queue.

    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/udp.c | 6 ++----
 net/ipv6/udp.c | 6 ++----
 2 files changed, 4 insertions(+), 8 deletions(-)

commit 54b6695eaa28ffa87efb9fbafcbf3532484e76c2
Merge: 9610345 ad86648
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 27 19:24:17 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

commit ad8664877959e5e4d027b1441f1e4a5c9abc7ec0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 27 19:21:54 2015 -0400

    Update to pax-linux-3.2.69-test175.patch:
    - fixed a regression in the structleak plugin that would disable it
      under LTO
    - synchronized some plugin files with the other trees

 tools/gcc/constify_plugin.c   |  3 ++-
 tools/gcc/gcc-common.h        | 23 +++++++++++++++++++++++
 tools/gcc/structleak_plugin.c |  2 +-
 3 files changed, 26 insertions(+), 2 deletions(-)

commit 96103451e5718d3cce1f504f553413b58d16639f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 18 18:01:08 2015 -0400

    Remove __inline__ from .c files, let the compiler decide

 grsecurity/gracl.c       | 12 ++++++------
 grsecurity/gracl_alloc.c |  4 ++--
 grsecurity/gracl_segv.c  |  6 +++---
 grsecurity/grsec_sock.c  |  4 ++--
 4 files changed, 13 insertions(+), 13 deletions(-)

commit 0de1c3c5cf33ca3ec42428568aaddde0b73e2a35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 18 17:54:21 2015 -0400

    Actually wire up use of the RANDSTRUCT attributes for GCC 5.1,
    otherwise we'd ICE on some Xen PARAVIRT code (and would miss explicit
    randomization and would break other code)

 include/linux/compiler-gcc5.h | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit a8d8e8106a40b50db4f5bc89f03cae550f5a4071
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 17 14:22:18 2015 -0400

    Fix an ICE in the RANDSTRUCT plugin on GCC 5.1 reported and fixed by
    pipacs

 tools/gcc/randomize_layout_plugin.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e0e4c89c9a105d5359b543a847cbe298bf85fe14
Merge: 577b968 72e2b50
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 13 18:21:36 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 72e2b500b3718849de6b7b7b52f9d573baecebc9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 13 18:21:01 2015 -0400

    Update to pax-linux-3.2.69-test174.patch:
    - fixed a size overflow false positive in squashfs, reported by Martin
      Vath <martin@mvath.de> (https://bugs.gentoo.org/show_bug.cgi?id=548960)
    - fixed a /proc/kcore regression to not return uninitialized memory if
      the requested kernel address range is not fully mapped

 arch/x86/kernel/head_64.S | 12 +++++++++---
 fs/proc/kcore.c           | 14 ++++++--------
 fs/squashfs/xattr.c       | 12 ++++++------
 3 files changed, 21 insertions(+), 17 deletions(-)

commit 577b968ed6fcf3d9e3b6de0e45e3d6cf80af15c9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 10 11:16:18 2015 -0400

    Update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 6178e173f21d9ab1121c90db3c1bfa3655c52285
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 10 10:31:54 2015 -0400

    Update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit fcf8bbbf9a815d2431fe664b917dbf44271bba35
Merge: 70fc60d 6b71bd6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 10 10:30:41 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 6b71bd614295b6a79680327058140dad7eafc9cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 10 10:30:25 2015 -0400

    Update to pax-linux-3.2.69-test173.patch

 arch/x86/kernel/traps.c  | 2 +-
 include/linux/compiler.h | 8 ++++----
 kernel/trace/ftrace.c    | 2 --
 3 files changed, 5 insertions(+), 7 deletions(-)

commit 70fc60ddae5089ff56db4eafee75cfa64b63a25a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 10 09:51:57 2015 -0400

    compile fix

 arch/x86/kernel/traps.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 90052e90ee56d8def1a775eef8c1dafa10d17c4a
Merge: 321b4a8 a6ec535
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 10 08:57:35 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
        fs/exec.c
        fs/udf/inode.c
        net/ipv4/ip_sockglue.c

commit a6ec535ffc2a318ee17e3aa818204f5c0c05b527
Merge: f1cc348 d9f31c5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 10 08:49:43 2015 -0400

    Merge branch 'linux-3.2.y' into pax-stable

    Conflicts:
        include/linux/compiler.h
        kernel/trace/ftrace.c

commit 321b4a805257805ab97a4d215c3497ed0523d970
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Wed May 6 15:09:40 2015 +0200

    usbnet: avoid integer overflow in start_xmit

    transfer_buffer_length is of type u32. It's therefore wrong to assign
    it to a signed integer. This patch avoids the overflow.

    It's worth noting that entry->length here is a long; perhaps it would
    be beneficial at some point to change this to be unsigned as well, if
    nothing else relies on its signedness for error conditions or the
    like.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/usb/usbnet.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 69d7ed75345f15799589d4b91b6a4799dd6b9b58
Author: Christophe Leroy <christophe.leroy@c-s.fr>
Date:   Wed May 6 17:26:47 2015 +0200

    splice: sendfile() at once fails for big files

    Using sendfile with below small program to get MD5 sums of some files,
    it appears that big files (over 64kbytes with 4k pages system) get a
    wrong MD5 sum while small files get the correct sum.
    This program uses sendfile() to send a file to an AF_ALG socket for
    hashing.
    /* md5sum2.c */
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <fcntl.h>
    #include <sys/socket.h>
    #include <sys/sendfile.h>   /* declares sendfile(); missing from the original listing */
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <linux/if_alg.h>

    int main(int argc, char **argv)
    {
    	/* One AF_ALG "hash" socket bound to md5; each accept() below
    	 * yields a per-file operation socket. */
    	int sk = socket(AF_ALG, SOCK_SEQPACKET, 0);
    	struct stat st;
    	struct sockaddr_alg sa = {
    		.salg_family = AF_ALG,
    		.salg_type = "hash",
    		.salg_name = "md5",
    	};
    	int n;

    	bind(sk, (struct sockaddr*)&sa, sizeof(sa));
    	for (n = 1; n < argc; n++) {
    		int size;
    		off_t offset = 0;   /* sendfile() takes an off_t *, not an int * */
    		char buf[4096];
    		int fd;
    		int sko;
    		int i;

    		fd = open(argv[n], O_RDONLY);
    		sko = accept(sk, NULL, 0);
    		fstat(fd, &st);
    		size = st.st_size;
    		/* Feed the whole file to the hash in a single sendfile() call. */
    		sendfile(sko, fd, &offset, size);
    		/* Read back the 16-byte digest. */
    		size = read(sko, buf, sizeof(buf));
    		for (i = 0; i < size; i++)
    			/* cast avoids sign extension on targets where char is signed */
    			printf("%2.2x", (unsigned char)buf[i]);
    		printf(" %s\n", argv[n]);
    		close(fd);
    		close(sko);
    	}
    	exit(0);
    }

    Test below is done using official linux patch files. First result is
    with a software based md5sum. Second result is with the program above.

    root@vgoip:~# ls -l patch-3.6.*
    -rw-r--r-- 1 root root 64011 Aug 24 12:01 patch-3.6.2.gz
    -rw-r--r-- 1 root root 94131 Aug 24 12:01 patch-3.6.3.gz

    root@vgoip:~# md5sum patch-3.6.*
    b3ffb9848196846f31b2ff133d2d6443  patch-3.6.2.gz
    c5e8f687878457db77cb7158c38a7e43  patch-3.6.3.gz

    root@vgoip:~# ./md5sum2 patch-3.6.*
    b3ffb9848196846f31b2ff133d2d6443 patch-3.6.2.gz
    5fd77b24e68bb24dcc72d6e57c64790e patch-3.6.3.gz

    After investigation, it appears that sendfile() sends the files by
    blocks of 64kbytes (16 times PAGE_SIZE). The problem is that at the end
    of each block, the SPLICE_F_MORE flag is missing, therefore the hashing
    operation is reset as if it was the end of the file.

    This patch adds SPLICE_F_MORE to the flags when more data is pending.

    With the patch applied, we get the correct sums:

    root@vgoip:~# md5sum patch-3.6.*
    b3ffb9848196846f31b2ff133d2d6443  patch-3.6.2.gz
    c5e8f687878457db77cb7158c38a7e43  patch-3.6.3.gz

    root@vgoip:~# ./md5sum2 patch-3.6.*
    b3ffb9848196846f31b2ff133d2d6443 patch-3.6.2.gz
    c5e8f687878457db77cb7158c38a7e43 patch-3.6.3.gz

    Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
    Signed-off-by: Jens Axboe <axboe@fb.com>

 fs/splice.c | 12 +++++++++++-
 1 files changed, 11 insertions(+), 1 deletions(-)

commit 813308a7db37854542b4452ef7808ee38f25f1d2
Merge: 9d08c90 f1cc348
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 7 18:28:38 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

commit f1cc348c69051d8a58237bdbb3fdb771c0d2a4ad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 7 18:28:04 2015 -0400

    Update to pax-linux-3.2.68-test173.patch:
    - worked around a gcc induced intentional overflow in the bunzip decompressor, reported by Martin Filo (https://bugs.gentoo.org/show_bug.cgi?id=548508)
    - F_SETPIPE_SZ handling ignored pipe_min_size and could trigger the size overflow instrumentation, reported by minipli
    - fixed an integer signedness mixup in a parameter of semop and semtimedop, by minipli

 fs/pipe.c                | 13 ++++++++-----
 include/linux/compat.h   | 2 +-
 include/linux/syscalls.h | 4 ++--
 ipc/compat.c             | 2 +-
 ipc/sem.c                | 4 ++--
 lib/decompress_bunzip2.c | 3 ++-
 6 files changed, 16 insertions(+), 12 deletions(-)

commit 9d08c9084b135cacccd2fe9ea0ca7e41ae6a8d84
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 7 18:01:36 2015 -0400

    Even though in the history of autoconfig it has never tripped anyone up
    under realistic use cases (e.g. nobody starts a config, enables only
    CONFIG_GRKERNSEC, then exits menuconfig, then loads it back up and tries
    to apply an autoconfig setting) explicitly mention that you cannot do it
    and expect the autoconfig to work.
    Due to how the Kbuild system works, we can't apply defaults and also
    allow them to be modified via custom settings -- if they're 'select'ed
    then they can't be modified, and using 'select' violates any
    dependencies that may exist. Therefore we have to resort to using
    'default', which after a user has already chosen all the settings by
    virtue of enabling CONFIG_GRKERNSEC and then saving their complete
    kernel config, cannot have any effect as the options have now all been
    chosen and there's no 'default' applicable.

 security/Kconfig | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit c1d714093f257f05e9513ea72a17d55a6d3fd3ad
Merge: ff5cfd8 bee8f9a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 4 19:36:14 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

commit bee8f9a8e65a87c104f0f31c8747ff4240e5baa7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 4 19:35:53 2015 -0400

    Update to pax-linux-3.2.68-test171.patch:
    - fixed a bunch of NULL function pointer dereference regressions in the compat drm ioctl code for i915/mga/r128/radeon, reported by minipli

 drivers/gpu/drm/i915/i915_ioc32.c     | 13 ++++++-------
 drivers/gpu/drm/mga/mga_ioc32.c       | 7 +++----
 drivers/gpu/drm/r128/r128_ioc32.c     | 7 +++----
 drivers/gpu/drm/radeon/radeon_ioc32.c | 7 +++----
 4 files changed, 15 insertions(+), 19 deletions(-)

commit ff5cfd8d5e09199432ebf729d03dbd9b20c74db6
Author: David S. Miller <davem@davemloft.net>
Date:   Fri May 1 22:02:47 2015 -0400

    ipv4: Missing sk_nulls_node_init() in ping_unhash().

    If we don't do that, then the poison value is left in the ->pprev
    backlink.

    This can cause crashes if we do a disconnect, followed by a connect().

    Tested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Reported-by: Wen Xu <hotdog3645@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ping.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0baf8370967e9882079a3b8f4044d55e50996954
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 19:40:23 2015 -0400

    Fix a refcount underflow reported by Jan Hejl caused by GRKERNSEC_CHROOT_RENAME

    We failed to increment the tree in copy_fs_struct, so users of clone
    with CLONE_FS who then exited caused a decrement of the refcounts with
    no associated increment. This would generally occur on / and took at
    least a month on a heavily-loaded system to trigger. It shouldn't
    cause any security problems as no freeing is associated with the
    refcount, and the only interesting value is 0, which permits renames
    in that tree. I've tested this fixed implementation to ensure the
    refcounts are under control in both directions.

 fs/fs_struct.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 7e576c1e0c3affc3d074d20023987068dec14dc4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 08:42:48 2015 -0400

    compile fix

 arch/x86/kernel/apic/io_apic.c | 2 +-
 drivers/xen/events.c           | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

commit 854af2d5a6205dc0140cc9a5d965c014f4713782
Merge: 1e2a5f5 1fc75df
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 08:42:12 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 1fc75dff2760dfb7a5917698577a6946fde8805c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 08:41:57 2015 -0400

    Update to pax-linux-3.2.68-test170.patch:
    - fixed compilation errors due to some overzealous constification of irq_chip variables, reported by spender

 arch/x86/kernel/apic/io_apic.c | 4 ++--
 drivers/xen/events.c           | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 1e2a5f5ad440487e4cb17e8cbd17932ebb99a88d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 07:16:44 2015 -0400

    compile fix

 drivers/xen/events.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)
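The refcount pairing that the GRKERNSEC_CHROOT_RENAME fix above describes (a copy path that shares a tree pointer must also take the reference that the matching exit path later drops), modelled in user space as an added example. This is not grsecurity's fs_struct.c; the `struct tree`, the `chroot_refs` and `underflows` counters and the `copy_fs_struct_buggy`/`copy_fs_struct_fixed` names are constructed for the illustration. The drop side is guarded so that a decrement from zero is recorded instead of wrapping, which is how a missing increment surfaces in a test rather than a month into production.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the chroot tree whose per-tree count the fix adjusts. */
struct tree {
    unsigned int chroot_refs;   /* 0 means renames are permitted in this tree */
    unsigned int underflows;    /* decrements that found the count already at 0 */
};

struct fs_struct {
    struct tree *root;
};

/* Take a reference: one increment per fs_struct that points at the tree. */
static void tree_get(struct tree *t)
{
    t->chroot_refs++;
}

/* Drop a reference with an underflow guard.  A decrement from zero is the
 * signature of a missing increment on some copy path, so it is recorded
 * rather than wrapped to UINT_MAX (which would silently lock renames). */
static bool tree_put(struct tree *t)
{
    if (t->chroot_refs == 0) {
        t->underflows++;
        return false;
    }
    t->chroot_refs--;
    return true;
}

/* Buggy copy path: shares the tree pointer but takes no reference. */
static void copy_fs_struct_buggy(struct fs_struct *dst, const struct fs_struct *src)
{
    dst->root = src->root;
}

/* Fixed copy path: the copy owns a reference that its exit_fs() will drop. */
static void copy_fs_struct_fixed(struct fs_struct *dst, const struct fs_struct *src)
{
    dst->root = src->root;
    tree_get(dst->root);
}

/* exit_fs(): every task that held an fs_struct drops that fs_struct's reference. */
static void exit_fs(struct fs_struct *fs)
{
    tree_put(fs->root);
    fs->root = NULL;
}

/* Simulate a chrooted parent plus n CLONE_FS children that each exit.
 * The parent keeps its own reference, so the correct count afterwards
 * is 1 whatever n is; the buggy copy path drives it to 0 and beyond. */
static struct tree simulate(unsigned int n, bool fixed)
{
    struct tree t = { 0, 0 };
    struct fs_struct parent = { &t };
    tree_get(&t);                       /* parent entered the chroot */

    for (unsigned int i = 0; i < n; i++) {
        struct fs_struct child;
        if (fixed)
            copy_fs_struct_fixed(&child, &parent);
        else
            copy_fs_struct_buggy(&child, &parent);
        exit_fs(&child);                /* child exits: one decrement */
    }
    return t;                           /* returned by value; t's storage is gone */
}

unsigned int refs_after(unsigned int n, bool fixed)
{
    return simulate(n, fixed).chroot_refs;
}

unsigned int underflows_after(unsigned int n, bool fixed)
{
    return simulate(n, fixed).underflows;
}

int main(void)
{
    printf("buggy copy: refs=%u underflows=%u\n",
           refs_after(3, false), underflows_after(3, false));
    printf("fixed copy: refs=%u underflows=%u\n",
           refs_after(3, true), underflows_after(3, true));
    return 0;
}
```

With three children the buggy path leaves the count at 0 (renames now permitted in the parent's tree) and records two guarded underflows; the fixed path leaves it at 1 with none. The same shape of check, a get on every copy and a put on every exit, is what the commit message means by "under control in both directions".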
commit 194c3cf240f1606dc51af7466646b44e4ec7da9b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 29 22:34:18 2015 -0400

    compile fix

 arch/x86/kernel/apic/io_apic.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 64d9fdff41de53618377e012b6aeca908cf656de
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 29 22:36:56 2015 -0400

    compile fix

 tools/gcc/gcc-common.h | 45 ---------------------------------------------
 1 files changed, 0 insertions(+), 45 deletions(-)

commit ef834e332e0553f1653ac11646968716bed8c3e2
Merge: def1c6f ad13b69
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 29 21:47:53 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
    	security/Kconfig
    	tools/gcc/gcc-common.h

commit ad13b6908bd3b7d4fd3fac297c1a58b3b3120e5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 29 21:44:47 2015 -0400

    Update to pax-linux-3.2.68-test169.patch:
    - fixed a false positive size overflow bug in raid5, reported by jack mort (https://bugs.gentoo.org/show_bug.cgi?id=545492)
    - the overflow plugin caught an incorrect sign conversion in zlib, reported by Attila Tóth (https://bugs.gentoo.org/show_bug.cgi?id=545776)
    - the overflow plugin caught an incorrect sign conversion in get_user on x86, reported by Gábor Hasenfrasz (https://forums.grsecurity.net/viewtopic.php?f=3&t=4188)
    - ported all plugins to gcc-5 except size overflow
    - fixed integer signedness mixup in mmc error code handling, caught by the size overflow plugin, reported by Tom Seewald
    - fixed a few section conflicts exposed by LTO
    - fixed the latent entropy plugin for LTO
    - fixed the stackleak plugin for LTO

 arch/sparc/include/asm/uaccess_32.h            | 1 +
 arch/sparc/include/asm/uaccess_64.h            | 5 +
 arch/x86/include/asm/page_32.h                 | 2 +-
 arch/x86/include/asm/page_64_types.h           | 2 +-
 arch/x86/include/asm/uaccess.h                 | 11 +-
 arch/x86/kernel/apic/io_apic.c                 | 4 +-
 arch/x86/kernel/apm_32.c                       | 2 +-
 arch/x86/kernel/cpu/common.c                   | 14 +-
 arch/x86/kernel/reboot.c                       | 2 +-
 crypto/zlib.c                                  | 4 +-
 drivers/acpi/bus.c                             | 4 +-
 drivers/acpi/ec.c                              | 2 +-
 drivers/acpi/pci_slot.c                        | 2 +-
 drivers/acpi/processor_core.c                  | 2 +-
 drivers/acpi/sleep.c                           | 2 +-
 drivers/acpi/thermal.c                         | 2 +-
 drivers/acpi/video.c                           | 2 +-
 drivers/char/i8k.c                             | 2 +-
 drivers/char/sonypi.c                          | 2 +-
 drivers/firmware/google/gsmi.c                 | 2 +-
 drivers/firmware/google/memconsole.c           | 2 +-
 drivers/hwmon/acpi_power_meter.c               | 2 +-
 drivers/infiniband/core/uverbs_cmd.c           | 3 +
 drivers/input/touchscreen/htcpen.c             | 2 +-
 drivers/md/raid5.c                             | 12 +-
 drivers/net/ethernet/via/via-rhine.c           | 2 +-
 drivers/pci/pcie/portdrv_pci.c                 | 2 +-
 drivers/platform/x86/compal-laptop.c           | 2 +-
 drivers/platform/x86/hdaps.c                   | 2 +-
 drivers/platform/x86/ibm_rtl.c                 | 2 +-
 drivers/platform/x86/intel_oaktrail.c          | 2 +-
 drivers/platform/x86/msi-laptop.c              | 2 +-
 drivers/platform/x86/samsung-laptop.c          | 2 +-
 drivers/platform/x86/samsung-q10.c             | 2 +-
 drivers/platform/x86/sony-laptop.c             | 2 +-
 drivers/pnp/pnpbios/core.c                     | 2 +-
 drivers/xen/events.c                           | 6 +-
 include/linux/compiler-gcc5.h                  | 2 -
 include/linux/compiler.h                       | 2 +
 include/linux/mmc/core.h                       | 2 +-
 include/linux/syscalls.h                       | 3 +-
 include/net/netlink.h                          | 10 +
 kernel/trace/ring_buffer.c                     | 12 +-
 mm/madvise.c                                   | 4 +-
 net/l2tp/l2tp_ip.c                             | 2 +-
 scripts/gcc-plugin.sh                          | 2 +-
 security/Kconfig                               | 2 +-
 tools/gcc/Makefile                             | 2 +-
 tools/gcc/colorize_plugin.c                    | 11 +-
 tools/gcc/constify_plugin.c                    | 11 +-
 tools/gcc/gcc-common.h                         | 297 +++++++++++++++++++++++-
 tools/gcc/kallocstat_plugin.c                  | 11 +-
 tools/gcc/kernexec_plugin.c                    | 63 ++++--
 tools/gcc/latent_entropy_plugin.c              | 24 ++-
 tools/gcc/size_overflow_plugin/size_overflow.h | 10 +-
 tools/gcc/stackleak_plugin.c                   | 55 ++++-
 tools/gcc/structleak_plugin.c                  | 25 ++-
 57 files changed, 545 insertions(+), 123 deletions(-)

commit def1c6f2ead1dd9b1115db95a2f2c3c7b54f0bcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 27 07:31:18 2015 -0400

    Backport GCC 5.1 support

 include/linux/compiler-gcc5.h     | 3 --
 tools/gcc/colorize_plugin.c       | 4 +-
 tools/gcc/constify_plugin.c       | 11 +++++--
 tools/gcc/gcc-common.h            | 24 ++++++++++++++-
 tools/gcc/kallocstat_plugin.c     | 11 +++++--
 tools/gcc/kernexec_plugin.c       | 59 ++++++++++++++++++++++++++----------
 tools/gcc/latent_entropy_plugin.c | 12 +++++--
 tools/gcc/stackleak_plugin.c      | 22 ++++++++++---
 tools/gcc/structleak_plugin.c     | 25 ++++++++++++----
 9 files changed, 127 insertions(+), 44 deletions(-)

commit 0a93a118992ffa23e1033e0330d2996b3203bf02
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 26 16:09:26 2015 -0400

    compile fix

 fs/exec.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 308f5d5d33b0de2e686060560055518a6ca245ff
Author: David S. Miller <davem@davemloft.net>
Date:   Fri Apr 17 15:15:40 2015 -0400

    sfc: Fix memcpy() with const destination compiler warning.

    drivers/net/ethernet/sfc/selftest.c: In function ‘efx_iterate_state’:
    drivers/net/ethernet/sfc/selftest.c:388:9: warning: passing argument 1 of ‘memcpy’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-array-qualifiers]

    This is because the msg[] member of struct efx_loopback_payload is
    marked as 'const'. Remove that.

    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/sfc/selftest.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 45009beecf6ef95319de265086e78a987e3e2bfd
Author: Jann Horn <jann@thejh.net>
Date:   Sun Apr 19 02:48:39 2015 +0200

    fs: take i_mutex during prepare_binprm for set[ug]id executables

    This prevents a race between chown() and execve(), where chowning a
    setuid-user binary to root would momentarily make the binary setuid
    root.

    This patch was mostly written by Linus Torvalds.
    Signed-off-by: Jann Horn <jann@thejh.net>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Conflicts:
    	fs/exec.c

    Conflicts:
    	fs/exec.c

 fs/exec.c | 76 ++++++++++++++++++++++++++++++++++++-------------------------
 1 files changed, 45 insertions(+), 31 deletions(-)

commit ff8def064f6bb06ba8b176e2b402b508a1b507b0
Author: Kirill Tkhai <ktkhai@parallels.com>
Date:   Thu Apr 16 12:48:01 2015 -0700

    fs/exec.c:de_thread: move notify_count write under lock

    We set sig->notify_count = -1 between RELEASE and ACQUIRE operations:

    	spin_unlock_irq(lock);
    	...
    	if (!thread_group_leader(tsk)) {
    		...
    		for (;;) {
    			sig->notify_count = -1;
    			write_lock_irq(&tasklist_lock);

    There are no restrictions on it so other processors may see this STORE
    mixed with other STOREs in both areas limited by the spinlocks.

    Probably, it may be reordered with the above

    	sig->group_exit_task = tsk;
    	sig->notify_count = zap_other_threads(tsk);

    in some way.

    Set it under tasklist_lock locked to be sure nothing will be reordered.

    Signed-off-by: Kirill Tkhai <ktkhai@parallels.com>
    Acked-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/exec.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 533e02a98c35103cf6f0e4fc4abee6f629636530
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 25 21:37:30 2015 -0400

    Update RANDSTRUCT plugin to support GCC 5.1

 tools/gcc/randomize_layout_plugin.c | 12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

commit 87f3e57baff74dc19fe69e50b1804fc2d233ee1c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 22:56:35 2015 -0400

    fix escaping of unix domain paths added in previous patch

 net/unix/af_unix.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 86fbe5640b869ea4fb966382a07af30b185fbbc6
Author: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Date:   Wed Apr 8 12:33:47 2015 -0400

    RDS: make sure not to loop forever inside rds_send_xmit

    If a determined set of concurrent senders keep the send queue full,
    we can loop forever inside rds_send_xmit. This fix has two parts.

    First we are dropping out of the while(1) loop after we've processed a
    large batch of messages.

    Second we add a generation number that gets bumped each time the
    xmit bit lock is acquired. If someone else has jumped in and
    made progress in the queue, we skip our goto restart.

    Original patch by Chris Mason.

    Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/connection.c | 1 +
 net/rds/rds.h        | 1 +
 net/rds/send.c       | 33 +++++++++++++++++++++++++++++++--
 3 files changed, 33 insertions(+), 2 deletions(-)

commit 1b06d848eefdf56df8fda3a3b84ebb9dda322657
Author: Stephan Mueller <smueller@chronox.de>
Date:   Thu Mar 12 09:17:51 2015 +0100

    crypto: aesni - fix memory usage in GCM decryption

    The kernel crypto API logic requires the caller to provide the
    length of (ciphertext || authentication tag) as cryptlen for the
    AEAD decryption operation. Thus, the cipher implementation must
    calculate the size of the plaintext output itself and cannot simply use
    cryptlen.

    The RFC4106 GCM decryption operation tries to overwrite cryptlen memory
    in req->dst. As the destination buffer for decryption only needs to hold
    the plaintext memory but cryptlen references the input buffer holding
    (ciphertext || authentication tag), the assumption of the destination
    buffer length in RFC4106 GCM operation leads to a too large size. This
    patch simply uses the already calculated plaintext size.

    In addition, this patch fixes the offset calculation of the AAD buffer
    pointer: as mentioned before, cryptlen already includes the size of the
    tag. Thus, the tag does not need to be added. With the addition, the AAD
    will be written beyond the already allocated buffer.

    Note, this fixes a kernel crash that can be triggered from user space
    via AF_ALG(aead) -- simply use the libkcapi test application
    from [1] and update it to use rfc4106-gcm-aes.

    Using [1], the changes were tested using CAVS vectors to demonstrate
    that the crypto operation still delivers the right results.

    [1] http://www.chronox.de/libkcapi.html

    CC: Tadeusz Struk <tadeusz.struk@intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Stephan Mueller <smueller@chronox.de>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

 arch/x86/crypto/aesni-intel_glue.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 7a98a4581392b190f805dd4befd2a1d7f999b0d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:46:33 2015 -0400

    Revert this for the time being -- I want to more closely match the
    original behavior if possible, so it needs a little more work.

    This reverts commit dfe78d5f846ab72aa6d51911cf93cb5f07d4d03b.

 fs/exec.c                   | 9 ++++++-
 fs/proc/array.c             | 2 +-
 grsecurity/gracl.c          | 44 ++++++++++++++++++++++++++++++++++++++++++
 grsecurity/gracl_res.c      | 45 -------------------------------------------
 grsecurity/grsec_disabled.c | 13 ------------
 include/linux/sched.h       | 7 +----
 kernel/acct.c               | 3 --
 kernel/fork.c               | 2 +-
 kernel/posix-cpu-timers.c   | 5 ++-
 mm/mmap.c                   | 5 ++-
 10 files changed, 61 insertions(+), 74 deletions(-)

commit baa51a476eca7e76e8f31ef32e17504918f42718
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:46:24 2015 -0400

    Revert "fix typo"

    This reverts commit fb5a8dfe9a3061c5709941111d5d3f0f13ed96fc.

 grsecurity/gracl_res.c      | 4 ++--
 grsecurity/grsec_disabled.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

commit eb75529c98f16078376edb71a12f98e85da744f0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:46:11 2015 -0400

    Revert "compile fix"

    This reverts commit 70e84614b1fc0aa75de8abb24f50b478f96ef28d.
 grsecurity/gracl_res.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit cc5b3b25743b9328242ff8e111660297d72d0379
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:44:48 2015 -0400

    make the usermodehelper message more generic about paths

 kernel/kmod.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit fc4b31888ba6e1ea852382091ebda6a433f72cfb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:34:32 2015 -0400

    Prevent /proc/net/unix from containing newlines or tabs in filenames
    as used in: http://seclists.org/oss-sec/2015/q2/143

 net/unix/af_unix.c | 19 +++++++++++++++++--
 1 files changed, 17 insertions(+), 2 deletions(-)

commit fd3797577bfa896e6b3ff4bf884fcf783f2c4133
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:13:02 2015 -0400

    Backport gcc plugin changes from 3.14

 scripts/gcc-plugin.sh                          | 2 +-
 tools/gcc/.gitignore                           | 1 +
 tools/gcc/colorize_plugin.c                    | 7 +-
 tools/gcc/gcc-common.h                         | 149 +++++++++++++++++++++++-
 tools/gcc/latent_entropy_plugin.c              | 3 +-
 tools/gcc/size_overflow_plugin/size_overflow.h | 10 +-
 tools/gcc/stackleak_plugin.c                   | 3 +-
 7 files changed, 164 insertions(+), 11 deletions(-)

commit 70e84614b1fc0aa75de8abb24f50b478f96ef28d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 13 19:44:37 2015 -0400

    compile fix

 grsecurity/gracl_res.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit fb5a8dfe9a3061c5709941111d5d3f0f13ed96fc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 13 19:43:36 2015 -0400

    fix typo

 grsecurity/gracl_res.c      | 4 ++--
 grsecurity/grsec_disabled.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

commit dfe78d5f846ab72aa6d51911cf93cb5f07d4d03b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 13 19:23:01 2015 -0400

    Modify the resource handling of RBAC so that it doesn't actually modify
    the user-visible resource limits.

    We now won't have to copy the entire rlimit array on each exec or have
    any special handling for setting rlimits via a subject. Since most
    kernel code is now using rlimit() and variants, we place ourselves
    there to provide a minimum of the process' original limit and RBAC's
    mandatory limits. This also removes the exception of RBAC's resource
    handling being capable of providing higher resource limits than
    normally possible for a given process.

 fs/exec.c                   | 9 +------
 fs/proc/array.c             | 2 +-
 grsecurity/gracl.c          | 44 ------------------------------------------
 grsecurity/gracl_res.c      | 45 +++++++++++++++++++++++++++++++++++++++++++
 grsecurity/grsec_disabled.c | 13 ++++++++++++
 include/linux/sched.h       | 7 ++++-
 kernel/acct.c               | 3 ++
 kernel/fork.c               | 2 +-
 kernel/posix-cpu-timers.c   | 5 +--
 mm/mmap.c                   | 5 +--
 10 files changed, 74 insertions(+), 61 deletions(-)

commit f36775fad604e617564de12c2a6707203512c9cd
Author: Joe Perches <joe@perches.com>
Date:   Mon Mar 23 18:01:35 2015 -0700

    selinux: fix sel_write_enforce broken return value

    Return a negative error value like the rest of the entries in this function.
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Joe Perches <joe@perches.com>
    Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
    [PM: tweaked subject line]
    Signed-off-by: Paul Moore <pmoore@redhat.com>

 security/selinux/selinuxfs.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a94607d737d77dad48c24abe27e097846b540f42
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 13 07:43:01 2015 -0400

    Allow usermodehelper executions from /usr/bin/ for distros plagued by
    Lennart's bikeshedding, as reported in https://bugs.archlinux.org/task/44568

 kernel/kmod.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 798dc8036640b1e950095d9e3850f906b93adc36
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 17:36:28 2015 -0400

    fix typo

 kernel/trace/ring_buffer.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ba24a613272baf988cc7c73d9fce42e75dc1f636
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 17:25:47 2015 -0400

    backport:
    - fixed some REFCOUNT false positives in the tracing ring buffer code, reported by metarox (https://forums.grsecurity.net/viewtopic.php?f=3&t=4186)

 kernel/trace/ring_buffer.c | 12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

commit 75bdf38048377ce8bfd0ab24d66af39156c7248c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 09:38:13 2015 -0400

    move backported cpu check

 arch/x86/kernel/cpu/common.c | 20 ++++++++++----------
 1 files changed, 10 insertions(+), 10 deletions(-)

commit d08d78ee07545b194e2be3e3f6177b1614f0f6cc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 09:29:48 2015 -0400

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit aba4ad6f4d69a6a6c8bbd36e5e3e09dc300410d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 08:57:55 2015 -0400

    update size_overflow hash

 .../size_overflow_plugin/size_overflow_hash.data | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 57a8a7ec36812bf64d043c0df171c03bafb2541f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 08:28:06 2015 -0400

    compile fix

 arch/x86/kernel/cpu/common.c | 4 ----
 1 files changed, 0 insertions(+), 4 deletions(-)

commit 8d71a5684d4d64a8c9332c20d60fb24eb722e76b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 08:17:32 2015 -0400

    Backport fix for crash with old PAGEEXEC method and PSE, reported by Merlin

 arch/x86/kernel/cpu/common.c | 10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit d26a970bc14a1cf9305a927cd39fdc973f832640
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 08:03:59 2015 -0400

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data | 8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit ca92e78bdd6e85b3ec771c9b815dd0a480a8f475
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 08:02:11 2015 -0400

    fix the infiniband vuln properly, since nobody seems to know how
    access_ok actually works and that it's the correct fix here

 arch/sparc/include/asm/uaccess_32.h  | 1 +
 arch/sparc/include/asm/uaccess_64.h  | 5 +++++
 drivers/infiniband/core/uverbs_cmd.c | 3 +++
 3 files changed, 9 insertions(+), 0 deletions(-)

commit b1317682ea1b680491e3939895e0b084e11d975a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 31 19:15:03 2015 -0400

    backport a fix for the skb_gso_segment() null pointer deref fixed in
    upstream commit 330966e501ffe282d7184fde4518d5e0c24bc7f8 but never
    queued up for any -stable fixes apparently.

 net/netfilter/nf_queue.c | 2 +-
 net/xfrm/xfrm_output.c   | 2 ++
 2 files changed, 3 insertions(+), 1 deletions(-)

commit eec6d0e71c80d1fb0f2418bef0930736d2b1c8aa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 31 17:14:21 2015 -0400

    add an additional guard against negative copy lengths on nla_memcpy
    as signed integers are being used with the expectation that they
    will always be positive.
 lib/nlattr.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit e2b3eb19b7b27e6542c47c9979fb97a7b5b72509
Author: Jiri Benc <jbenc@redhat.com>
Date:   Sun Mar 29 16:05:28 2015 +0200

    netlink: pad nla_memcpy dest buffer with zeroes

    This is especially important in cases where the kernel allocs a new
    structure and expects a field to be set from a netlink attribute. If such
    attribute is shorter than expected, the rest of the field is left
    containing previous data. When such field is read back by the user space,
    kernel memory content is leaked.

    Signed-off-by: Jiri Benc <jbenc@redhat.com>
    Acked-by: Thomas Graf <tgraf@suug.ch>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 lib/nlattr.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 065c1756ef21185008ece2c75e2e3a3e0fe6b583
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 30 20:57:48 2015 -0400

    compile fix

 init/main.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1dd318c8b7225895a4f9b8e55bbc325369cd3aaa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 30 23:28:01 2015 -0400

    Add a boot-time parameter to disable GRKERNSEC_SYSFS_RESTRICT.

    To disable it at boot time (when compiled into the kernel), use
    grsec_sysfs_restrict=0 on the kernel commandline

    Conflicts:
    	Documentation/kernel-parameters.txt
    	fs/debugfs/inode.c
    	fs/sysfs/dir.c

 Documentation/kernel-parameters.txt | 4 ++++
 fs/debugfs/inode.c                  | 15 ++++++++++-----
 fs/sysfs/dir.c                      | 6 ++++++
 init/main.c                         | 10 ++++++++++
 4 files changed, 30 insertions(+), 5 deletions(-)

commit 425f1f2051bcbd81181dc77af511a7ec74a45b8d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 25 18:40:53 2015 -0400

    Add allowance for /usr/libexec/abrt-hook-cpp to be executed as a
    usermode helper, as observed on some cPanel systems

 kernel/kmod.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit d8146886b870a2c72eca4c48842fa444fb1da7fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 25 18:36:57 2015 -0400

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 25a83e0374bad9573e80786c13cf12475d911400
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 25 16:53:50 2015 -0400

    Revert an incorrect fix from Dan Rosenberg for a btrfs heap overflow
    which preserved the vulnerability in some cases.
    https://lkml.org/lkml/2011/2/9/147
    Thanks to eswierk from the forums for spotting this!
 fs/btrfs/ioctl.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 7accd898dbf156b5350cdca7f70c81311b9957c9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 21:45:42 2015 -0400

    update size_overflow hash

 .../size_overflow_plugin/size_overflow_hash.data | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 75799fc77d6af3a60e27fbe2d4dfa8b871111326
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 21:15:49 2015 -0400

    update size_overflow hash data

 .../size_overflow_plugin/size_overflow_hash.data | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 8d13cad9215a109562fc24570478c2e4a9e3de5f
Merge: 4f83b92 d9d8bd4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 21:12:27 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

commit d9d8bd4ea744fd261f219254a58afd6a1a1f5c3c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 21:12:01 2015 -0400

    Update to pax-linux-3.2.68-test167.patch:
    - fixed a use-after-free in AF_UNIX socket handling, by Mathias Krause <minipli@googlemail.com>, reported by coredumb (https://forums.grsecurity.net/viewtopic.php?f=3&t=4150)
    - fixed a USERCOPY false positive and a LATENT_ENTROPY related compile error on ppc, reported by lynliuyan (https://forums.grsecurity.net/viewtopic.php?f=3&t=4158)
    - fixed a compile regression in gcc plugins under gcc 4.6, reported by Kamil Kaczkowski and spender

 arch/powerpc/kernel/Makefile  | 5 +++++
 arch/powerpc/kernel/process.c | 2 +-
 net/unix/af_unix.c            | 7 +++++--
 tools/gcc/gcc-common.h        | 4 ++--
 4 files changed, 13 insertions(+), 5 deletions(-)

commit 4f83b92bc61bfe66f15e8f0513673be08a38cacc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 20:14:07 2015 -0400

    update size_overflow hash

 .../size_overflow_plugin/size_overflow_hash.data | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 93486ef652b3e7c09f735f735e6b27a57de4e332
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 19:54:15 2015 -0400

    From: Shachar Raindel <raindel () mellanox com>
    Date: Sun, 04 Jan 2015 18:30:32 +0200
    Subject: [PATCH] IB/core: Prevent integer overflow in ib_umem_get address arithmetic

    Properly verify that the resulting page aligned end address is larger
    than both the start address and the length of the memory area requested.

    Both the start and length arguments for ib_umem_get are controlled by
    the user.

    A misbehaving user can provide values which will cause an integer
    overflow when calculating the page aligned end address.

    This overflow can cause also miscalculation of the number of pages
    mapped, and additional logic issues.

    Signed-off-by: Shachar Raindel <raindel () mellanox com>
    Signed-off-by: Jack Morgenstein <jackm () mellanox com>
    Signed-off-by: Or Gerlitz <ogerlitz () mellanox com>

 drivers/infiniband/core/umem.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 76f1581f1267fffe747d6345ec7c0f7fece588e8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 19:44:26 2015 -0400

    Fix several instances of DMA on stack in the rts5139 driver, as
    reported by z80 on the forums

 drivers/staging/rts5139/rts51x_transport.c | 50 ++++++++++++++++++++++++---
 1 files changed, 44 insertions(+), 6 deletions(-)

commit afb2306b649b4dd4249a1042f578253d2676fec0
Author: Alexey Kodanev <alexey.kodanev@oracle.com>
Date:   Wed Mar 11 14:29:17 2015 +0300

    net: sysctl_net_core: check SNDBUF and RCVBUF for min length

    sysctl has sysctl.net.core.rmem_*/wmem_* parameters which can be
    set to incorrect values. Given that 'struct sk_buff' allocates from
    rcvbuf, incorrectly set buffer length could result in memory allocation
    failures.
    For example, set them as follows:

    # sysctl net.core.rmem_default=64
      net.core.wmem_default = 64
    # sysctl net.core.wmem_default=64
      net.core.wmem_default = 64
    # ping localhost -s 1024 -i 0 > /dev/null

    This could result in the following failure:

    skbuff: skb_over_panic: text:ffffffff81628db4 len:-32 put:-32 head:ffff88003a1cc200 data:ffff88003a1cc200 tail:0xffffffe0 end:0xc0 dev:<NULL>
    kernel BUG at net/core/skbuff.c:102!
    invalid opcode: 0000 [#1] SMP
    ...
    task: ffff88003b7f5550 ti: ffff88003ae88000 task.ti: ffff88003ae88000
    RIP: 0010:[<ffffffff8155fbd1>]  [<ffffffff8155fbd1>] skb_put+0xa1/0xb0
    RSP: 0018:ffff88003ae8bc68  EFLAGS: 00010296
    RAX: 000000000000008d RBX: 00000000ffffffe0 RCX: 0000000000000000
    RDX: ffff88003fdcf598 RSI: ffff88003fdcd9c8 RDI: ffff88003fdcd9c8
    RBP: ffff88003ae8bc88 R08: 0000000000000001 R09: 0000000000000000
    R10: 0000000000000001 R11: 00000000000002b2 R12: 0000000000000000
    R13: 0000000000000000 R14: ffff88003d3f7300 R15: ffff88000012a900
    FS:  00007fa0e2b4a840(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000d0f7e0 CR3: 000000003b8fb000 CR4: 00000000000006f0
    Stack:
     ffff88003a1cc200 00000000ffffffe0 00000000000000c0 ffffffff818cab1d
     ffff88003ae8bd68 ffffffff81628db4 ffff88003ae8bd48 ffff88003b7f5550
     ffff880031a09408 ffff88003b7f5550 ffff88000012aa48 ffff88000012ab00
    Call Trace:
     [<ffffffff81628db4>] unix_stream_sendmsg+0x2c4/0x470
     [<ffffffff81556f56>] sock_write_iter+0x146/0x160
     [<ffffffff811d9612>] new_sync_write+0x92/0xd0
     [<ffffffff811d9cd6>] vfs_write+0xd6/0x180
     [<ffffffff811da499>] SyS_write+0x59/0xd0
     [<ffffffff81651532>] system_call_fastpath+0x12/0x17
    Code: 00 00 48 89 44 24 10 8b 87 c8 00 00 00 48 89 44 24 08 48 8b 87 d8 00 00 00 48 c7 c7 30 db 91 81 48 89 04 24 31 c0 e8 4f a8 0e 00 <0f> 0b eb fe 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 48 83
    RIP  [<ffffffff8155fbd1>] skb_put+0xa1/0xb0
     RSP <ffff88003ae8bc68>
    Kernel panic - not syncing: Fatal exception

    Moreover, the possible minimum is 1, so we can get another kernel panic:
    ...
    BUG: unable to handle kernel paging request at ffff88013caee5c0
    IP: [<ffffffff815604cf>] __alloc_skb+0x12f/0x1f0
    ...

    Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        net/core/sysctl_net_core.c

 net/core/sysctl_net_core.c | 14 ++++++++++----
 1 files changed, 10 insertions(+), 4 deletions(-)

commit 96a0fd06045f3ea598276a49f499b4dd838dc66c
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sun Mar 15 13:48:03 2015 +0300

    isdn: icn: use strlcpy() when parsing setup options

    If you pass an invalid string here then you probably deserve the memory
    corruption, but it annoys static analysis tools so let's fix it.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/icn/icn.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 94263f91d6dd8ffc67b428e8f7a6642efb01e41b
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Mar 13 09:49:59 2015 -0700

    inet_diag: fix possible overflow in inet_diag_dump_one_icsk()

    inet_diag_dump_one_icsk() allocates too small skb.

    Add inet_sk_attr_size() helper right before inet_sk_diag_fill()
    so that it can be updated if/when new attributes are added.

    iproute2/ss currently does not use this dump_one() interface,
    this might explain nobody noticed this problem yet.

    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        net/ipv4/inet_diag.c

 net/ipv4/inet_diag.c | 18 ++++++++++++++----
 1 files changed, 14 insertions(+), 4 deletions(-)

commit bcda2d441b6a07eb0317fb2196fa6dca8843ade5
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Wed Mar 11 22:46:59 2015 +0100

    rds: avoid potential stack overflow

    The rds_iw_update_cm_id function stores a large 'struct rds_sock' object
    on the stack in order to pass a pair of addresses.
    This happens to just fit within the 1024 byte stack size warning limit
    on x86, but just exceed that limit on ARM, which gives us this warning:

    net/rds/iw_rdma.c:200:1: warning: the frame size of 1056 bytes is larger than 1024 bytes [-Wframe-larger-than=]

    As the use of this large variable is basically bogus, we can rearrange
    the code to not do that. Instead of passing an rds socket into
    rds_iw_get_device, we now just pass the two addresses that we have
    available in rds_iw_update_cm_id, and we change rds_iw_get_mr accordingly,
    to create two address structures on the stack there.

    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Acked-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/iw_rdma.c | 40 ++++++++++++++++++++++------------------
 1 files changed, 22 insertions(+), 18 deletions(-)

commit 5364315c426b0ead29ca879fbab7b7fffd1588c2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 9 18:26:00 2015 -0400

    Fix compilation with plugins, reported by Kamil Kaczkowski. Apparently
    the version of gcc 4.6.4 being shipped with some distros is different
    from that produced by source builds in that it places the c-common.h
    header file in a different directory. We'll now choose the path used
    by distros for compatibility reasons.
 tools/gcc/gcc-common.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 832270da1a613c1086b9fd8032663d81fdf48051
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 9 18:24:39 2015 -0400

    Backport "console: Fix console name size mismatch" from Peter Hurley

 kernel/printk.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 691c644c696ef5bab09d73364f36f70d02f63676
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Feb 27 18:40:31 2015 +0100

    tty: fix up atime/mtime mess, take four

    This problem was taken care of three times already in
    * b0de59b5733d18b0d1974a060860a8b5c1b36a2e (TTY: do not update
      atime/mtime on read/write),
    * 37b7f3c76595e23257f61bd80b223de8658617ee (TTY: fix atime/mtime
      regression), and
    * b0b885657b6c8ef63a46bc9299b2a7715d19acde (tty: fix up atime/mtime
      mess, take three)

    But it still misses one point. As John Paul correctly points out, we
    do not care about setting date. If somebody ever changes wall time
    backwards (by mistake for example), tty timestamps are never updated
    until the original wall time passes.

    So check the absolute difference of times and if it is larger than "8
    seconds or so", always update the time. That means we will update
    immediately when changing time. Ergo, CAP_SYS_TIME can foul the
    check, but it was always that way.

    Thanks John for serving me this so nicely debugged.
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Reported-by: John Paul Perry <john_paul.perry@alcatel-lucent.com>
    Cc: <stable@vger.kernel.org> # all, as b0b885657 was backported
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/tty_io.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 6f455c2bd5d38281ccb9e330a313b31c43c90142
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Sat Mar 7 21:08:46 2015 +0000

    sunrpc: fix braino in ->poll()

    POLL_OUT isn't what callers of ->poll() are expecting to see; it's
    actually __SI_POLL | 2 and it's a siginfo code, not a poll bitmap
    bit...

    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: stable@vger.kernel.org
    Cc: Bruce Fields <bfields@fieldses.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 net/sunrpc/cache.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7c14b1325c66059a4b14b8cf620d1717b078d205
Author: Johan Hovold <johan@kernel.org>
Date:   Wed Mar 4 10:39:06 2015 +0100

    TTY: fix tty_wait_until_sent on 64-bit machines

    Fix overflow bug in tty_wait_until_sent on 64-bit machines, where an
    infinite timeout (0) would be passed to the underlying tty-driver's
    wait_until_sent-operation as a negative timeout (-1), causing it to
    return immediately.

    This manifests itself for example as tcdrain() returning immediately,
    drivers not honouring the drain flags when setting terminal attributes,
    or even dropped data on close as a requested infinite closing-wait
    timeout would be ignored.

    The first symptom was reported by Asier LLANO who noted that tcdrain()
    returned prematurely when using the ftdi_sio usb-serial driver.

    Fix this by passing 0 rather than MAX_SCHEDULE_TIMEOUT (LONG_MAX) to
    the underlying tty driver.

    Note that the serial-core wait_until_sent-implementation is not
    affected by this bug due to a lucky chance (comparison to an unsigned
    maximum timeout), and neither is the cyclades one that had an explicit
    check for negative timeouts, but all other tty drivers appear to be
    affected.

    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: stable <stable@vger.kernel.org> # v2.6.12
    Reported-by: ZIV-Asier Llano Palacios <asier.llano@cgglobal.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/tty_ioctl.c | 12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

commit 1f70370902c9390c3e779a7bd733e59253611d51
Merge: 48adb39 b53a4ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 11:36:18 2015 -0500

    Merge branch 'pax-stable' into grsec-stable

commit b53a4acf81c7275bcf002f7d56cdfe3a36868ce5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 11:36:04 2015 -0500

    update to pax-linux-3.2.68-test166.patch

 include/linux/irqdesc.h | 2 +-
 kernel/irq/manage.c     | 2 +-
 kernel/irq/spurious.c   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

commit 48adb39fa9933a6aa26b9582ca1f27e4219cce70
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 10:09:49 2015 -0500

    Revert "net: Verify permission to dest_net in newlink"

    This reverts commit 468169ce1059ab1ca366c19a8d499e2370e1a49c.

 net/core/rtnetlink.c | 4 ----
 1 files changed, 0 insertions(+), 4 deletions(-)

commit 468169ce1059ab1ca366c19a8d499e2370e1a49c
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Feb 26 16:19:00 2015 -0600

    net: Verify permission to dest_net in newlink

    When applicable verify that the caller has permission to create a
    network device in another network namespace. This check is already
    present when moving a network device between network namespaces in
    setlink so all that is needed is to duplicate that check in newlink.
    This change almost backports cleanly, but there are context conflicts
    as the code that follows was added in v4.0-rc1

    Fixes: b51642f6d77b net: Enable a userns root rtnl calls that are safe for unprivilged users
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        net/core/rtnetlink.c

    Conflicts:
        net/core/rtnetlink.c

    Conflicts:
        net/core/rtnetlink.c

 net/core/rtnetlink.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit d17f94b4f867a86e6e94a233c923a34c066ea27a
Author: Florian Westphal <fw@strlen.de>
Date:   Tue Mar 3 13:53:31 2015 +0100

    net: bridge: add compile-time assert for cb struct size

    make build fail if structure no longer fits into ->cb storage.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/bridge/br.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit d487b34c4dc734010d2517376b9163ef82736ef0
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Mar 5 01:09:44 2015 +0100

    x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization

    'ret_from_fork' checks TIF_IA32 to determine whether 'pt_regs' and
    the related state make sense for 'ret_from_sys_call'. This is
    entirely the wrong check. TS_COMPAT would make a little more
    sense, but there's really no point in keeping this optimization
    at all.

    This fixes a return to the wrong user CS if we came from int 0x80
    in a 64-bit task.

    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/r/4710be56d76ef994ddf59087aad98c000fbab9a4.1424989793.git.luto@amacapital.net
    [ Backported from tip:x86/asm. ]
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/kernel/entry_64.S | 13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

commit ca805862e18a0953e810fb2d078aea571df2fe11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 09:27:50 2015 -0500

    Backport fix for upstream vuln in unprivileged ping from Lorenzo Colitti

 net/ipv4/ping.c | 7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 1efc2a1c892642770ddade9f0e8b5687fcd8812d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 09:08:54 2015 -0500

    Fix compilation with the latent entropy plugin on powerpc, as reported
    by lynliuyan at https://forums.grsecurity.net/viewtopic.php?f=3&t=4158

 arch/powerpc/kernel/Makefile | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 933755c07625e2ce468577a28b06f4c03474475d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 09:06:09 2015 -0500

    On architectures that use specific slabs for kernel stacks, mark them
    with SLAB_USERCOPY
    Reported by lynliuyan at: https://forums.grsecurity.net/viewtopic.php?f=3&t=4158

 arch/hexagon/kernel/process.c | 2 +-
 arch/powerpc/kernel/process.c | 2 +-
 arch/sh/kernel/process.c      | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

commit 3de9a9b74102b71d6ffaa7e77ae893e42f7bdc3a
Merge: 0edd280 5939900
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 09:02:58 2015 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 5939900a888ff7652c7f237484459dcd4d35fe49
Merge: 4d586f9 9b81446
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 09:02:51 2015 -0500

    Merge branch 'linux-3.2.y' into pax-stable

commit 0edd2805942f355b5b357d4d3b9ed169a0789355
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 27 08:18:24 2015 -0500

    Fix a PAX_REFCOUNT false positive on the threads_handled statistic field

    Conflicts:
        kernel/irq/manage.c

 include/linux/irqdesc.h | 2 +-
 kernel/irq/manage.c     | 2 +-
 kernel/irq/spurious.c   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

commit 5b72f696461c6a084c739c02cc41da0e7d885ae4
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Feb 21 22:19:57 2015 -0500

    autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for allocation

    X-Coverup: just ask spender
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/autofs4/dev-ioctl.c | 8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 760430f3efa04fde7fe36735e136aeef9ae5303c
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Tue Apr 8 16:04:11 2014 -0700

    autofs4: check dev ioctl size before allocating

    There wasn't any check of the size passed from userspace before trying
    to allocate the memory required.

    This meant that userspace might request more space than allowed,
    triggering an OOM.

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Ian Kent <raven@themaw.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/autofs4/dev-ioctl.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit b490d57dd5c7beb00025afe37b9e78b954c856a5
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Fri Jan 23 20:47:00 2015 -0500

    net: llc: use correct size for sysctl timeout entries

    The timeout entries are sizeof(int) rather than sizeof(long), which
    means that when they were getting read we'd also leak kernel memory
    to userspace along with the timeout values.

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/llc/sysctl_net_llc.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 2292e135c382b70cc66eb0d53cd8b4181ff4bea2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 25 18:07:08 2015 -0500

    Disable a near-stack-overflow BUG() on x64 where we have
    GRKERNSEC_KSTACKOVERFLOW to use instead. Works around a rarely
    reported issue where it seems for some driver we're executing a
    copy_*_user on a debug stack instead of on the process stack.
 fs/exec.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 591d1e124e23119ba7ac837049ec926b81027078
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 11:36:26 2015 -0500

    use compat_u64 in the compat code

 include/linux/gracl_compat.h | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 3ad8ef598deeac0b1023d2235fb3e2aa5f91de3c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 09:48:42 2015 -0500

    Require version 3.1 gradm to load RBAC

 grsecurity/gracl_compat.c | 3 +--
 grsecurity/gracl_policy.c | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

commit 929a3359b424a4e27abe7584c2180eb72f95a1bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 08:54:26 2015 -0500

    use div_u64_rem for 32-bit archs

 include/linux/gracl.h | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 76cbe6847478796139d1a25b1a0993a48665fa2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 07:37:57 2015 -0500

    compile fix when grsec is disabled

 grsecurity/grsec_disabled.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 6acea99126791882cdf990aa581726c449164a91
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 07:25:43 2015 -0500

    Add support for 64-bit inodes: as this breaks compatibility with gradm,
    bump the grsecurity version to 3.1

 fs/namei.c                   |  8 ++--
 grsecurity/gracl.c           | 65 +++++++++++++++++++++++++----------------
 grsecurity/gracl_policy.c    |  6 ++--
 grsecurity/gracl_segv.c      | 17 +++++++++--
 grsecurity/grsec_disabled.c  |  4 +-
 include/linux/gracl.h        | 14 ++++----
 include/linux/gracl_compat.h |  6 ++--
 include/linux/grsecurity.h   |  5 ++-
 8 files changed, 76 insertions(+), 49 deletions(-)

commit 743d5c1d30694671da6492b8aef89172ed30dd48
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 20 17:58:04 2015 -0500

    clamp RLIMIT_NOFILE based on sysctl instead of enforcing a 1024 limit
    in userland

 grsecurity/gracl.c | 19 ++++++++++++++---
 1 files changed, 16 insertions(+), 3 deletions(-)

commit 1614915a5e2ef3f03a5bbf00c7845a86d59dc442
Merge: eb6b485 4d586f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 20 07:41:07 2015 -0500

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
        mm/mmap.c

commit 4d586f9144673f9fa204a7b849444134895d4c62
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 20 07:38:45 2015 -0500

    revert broken upstream stack accounting code

 mm/mmap.c | 2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit eb6b485501b7937798b98a0526c9b7efacbdc46a
Merge: 25f33c2 f0eb7bf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 20 07:38:34 2015 -0500

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
        fs/udf/dir.c
        mm/mmap.c

commit f0eb7bfc24988bf0ab6fdb76ff3605a251eff502
Merge: 307172b fd62350
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 20 07:31:03 2015 -0500

    Update to pax-linux-3.2.67-test165.patch:
    - fixed a few integer type mixups that failed the size overflow checks
    - increased the early pcpu dynamic slots to survive boot with allyesconfig
    - fixed potential boot crash when applying alternatives under KERNEXEC/i386
    - fixed potential integer truncation bug in xlate_dev_mem_ptr under PAE/i386
    - fail gcc plugins a bit more gracefully on gcc-5
    - fixed a few shellcheck.net warnings in gcc-plugin.sh
    - fixed kernel oops caused by accessing invalid virtual addresses via /dev/[k]mem under USERCOPY, reported by minipli
    - added preliminary support for gcc-5 to gcc-common.h and the constify plugin

    Merge branch 'linux-3.2.y' into pax-stable

    Conflicts:
        arch/x86/vdso/vma.c
        fs/dcache.c
        mm/memory.c
        net/ipv4/tcp_output.c

commit 25f33c2df1477edbf35b18ef53367d1697b614ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 19 21:43:28 2015 -0500

    compile fix

 grsecurity/grsec_chroot.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit fc508f05156fa529dd2f71d7ad85e088d2c29bc6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 19 20:48:10 2015 -0500

    compile fix
 fs/fs_struct.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 43bbfb1faa88404081967f9b73f8b2c789fc3ccd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 19:51:21 2015 -0500

    compile fix for GRKERNSEC_CHROOT_RENAME

 fs/dcache.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ad4f3b52c64e1f82d9204e90187ec1e45c740045
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 19 20:03:59 2015 -0500

    add some extra enforcement that only forward jumps are permitted

 arch/x86/net/bpf_jit_comp.c | 7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit ba02e7c5a70374f5890aa0f5ad83092d2a2bbdbf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 19 19:47:08 2015 -0500

    Properly fix relative (un)conditional jumps with GRKERNSEC_JIT_HARDEN
    so that we don't land into our added breakpoint instructions

 arch/x86/net/bpf_jit_comp.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit b93889dc063e44437fd75b25a4fefaffa6f075b0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 17:44:11 2015 -0500

    Add GRKERNSEC_CHROOT_RENAME -- no one reported any problems with my
    posted patch, so let's introduce the more secure version

    Conflicts:
        include/linux/grsecurity.h

    Conflicts:
        fs/fs_struct.c
        grsecurity/grsec_chroot.c
        include/linux/grsecurity.h

 fs/dcache.c                |  1 +
 fs/fs_struct.c             |  7 +++-
 fs/namei.c                 |  8 ++++
 grsecurity/Kconfig         | 16 ++++++++
 grsecurity/grsec_chroot.c  | 82 ++++++++++++++++++++++++++++++++++++++++++++
 grsecurity/grsec_init.c    |  4 ++
 grsecurity/grsec_sysctl.c  |  9 +++++
 include/linux/dcache.h     |  3 ++
 include/linux/grinternal.h |  1 +
 include/linux/grmsg.h      |  1 +
 include/linux/grsecurity.h |  5 +++
 11 files changed, 136 insertions(+), 1 deletions(-)

commit da4e988d0eef8c1e2eaba9470049aec58c6ad4d9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 18 17:48:15 2015 -0500

    Fix several issues with the code generated by GRKERNSEC_JIT_HARDEN.
    In the mov/test imm case we would generate incorrect instructions in
    the JIT -> the move case is relatively harmless as it would simply
    load an incorrect value into the accumulator, but the test case would
    result in a movs, allowing for the skb the BPF program is attached to
    to be clobbered. In a case of conditional jumps, the size of the jump
    instruction wasn't computed properly, leading to the code jumping into
    a breakpoint instruction and triggering an OOPs.

    Thanks to rfree@mempo.org and avvs@mempo.org for reporting an OOPs
    that led to the discovery of these problems. The BPF JIT is disabled
    by default (only able to be enabled by an administrator) and they are
    likely the first and only users to ever use this feature as any JIT'd
    BPF program containing a conditional jump would crash the system.

 arch/x86/net/bpf_jit_comp.c | 19 +++++++++++++----
 1 files changed, 15 insertions(+), 4 deletions(-)

commit f1986bd9a8a034a02336c795443a4bb243ebefcb
Author: David Jeffery <djeffery@redhat.com>
Date:   Thu Feb 12 16:45:31 2015 +0000

    Don't leak a key reference if request_key() tries to use a revoked keyring

    If a request_key() call to allocate and fill out a key attempts to insert the
    key structure into a revoked keyring, the key will leak, using memory and part
    of the user's key quota until the system reboots. This is from a failure of
    construct_alloc_key() to decrement the key's reference count after the attempt
    to insert into the requested keyring is rejected.

    key_put() needs to be called in the link_prealloc_failed callpath to ensure
    the unused key is released.
    Signed-off-by: David Jeffery <djeffery@redhat.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: James Morris <james.l.morris@oracle.com>

 security/keys/request_key.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 379b0a4d3e2ae5095796d2def99e47b5253fac19
Merge: ad89d65 307172b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 5 22:31:35 2015 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 307172b4c08144555935a189c6599a681cb7a24c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 5 22:30:49 2015 -0500

    Update to pax-linux-3.2.66-test164.patch:
    - fixed STACKLEAK and stack overflow checking interference, reported by Toralf Förster (https://bugs.gentoo.org/show_bug.cgi?id=536514) and KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=4121)
    - fixed early crash of Xen domU when SSP is enabled (e.g., the default Arch kernel), reported by badchemist
    - fixed cc-ldoption to work with the HJL fork of binutils, reported by Rogelio M. Serrano Jr.
    - bring is_valid_bugaddr on amd64 in line with the i386 version, should fix BUG() backtraces
    - fixed rcu lock imbalance in have_submounts, by Steven Rostedt <rostedt@goodmis.org> (https://lkml.org/lkml/2015/1/17/71), reported by rfree@mempo.org

 arch/x86/kernel/dumpstack_64.c | 2 +-
 arch/x86/kernel/entry_32.S     | 1 +
 arch/x86/kernel/entry_64.S     | 1 +
 arch/x86/kernel/process_32.c   | 2 +-
 arch/x86/kernel/process_64.c   | 2 +-
 arch/x86/xen/enlighten.c       | 3 +++
 fs/dcache.c                    | 4 +++-
 fs/exec.c                      | 2 +-
 scripts/Kbuild.include         | 2 +-
 9 files changed, 13 insertions(+), 6 deletions(-)

commit ad89d65da4bfbea5fa820fe56ed5e70fabc8247d
Author: Giel van Schijndel <me@mortis.eu>
Date:   Tue Jan 6 22:37:00 2015 +0100

    cifs: use memzero_explicit to clear stack buffer

    When leaving a function use memzero_explicit instead of memset(0) to
    clear stack allocated buffers. memset(0) may be optimized away.

    This particular buffer is highly likely to contain sensitive data which
    we shouldn't leak (it's named 'passwd' after all).

    Signed-off-by: Giel van Schijndel <me@mortis.eu>
    Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
    Reported-at: http://www.viva64.com/en/b/0299/
    Reported-by: Andrey Karpov
    Reported-by: Svyatoslav Razmyslov
    Signed-off-by: Steve French <steve.french@primarydata.com>

 fs/cifs/smbencrypt.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 896d0cda0f8bceefe92052c5dfd7ea5d4f51e5ad
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Jan 15 16:34:35 2015 +0100

    net: sctp: fix race for one-to-many sockets in sendmsg's auto associate

    I.e. one-to-many sockets in SCTP are not required to explicitly call into
    connect(2) or sctp_connectx(2) prior to data exchange. Instead, they can
    directly invoke sendmsg(2) and the SCTP stack will automatically trigger
    connection establishment through 4WHS via sctp_primitive_ASSOCIATE(). However,
    this in its current implementation is racy: INIT is being sent out immediately
    (as it cannot be bundled anyway) and the rest of the DATA chunks are queued up
    for later xmit when connection is established, meaning sendmsg(2) will return
    successfully. This behaviour can result in an undesired side-effect that the
    kernel made the application think the data has already been transmitted,
    although none of it has actually left the machine, worst case even after
    close(2)'ing the socket.

    Instead, when the association from client side has been shut down e.g. first
    gracefully through SCTP_EOF and then close(2), the client could afterwards
    still receive the server's INIT_ACK due to a connection with higher latency.
    This INIT_ACK is then considered out of the blue and hence responded with
    ABORT as there was no alive assoc found anymore. This can be easily reproduced
    f.e. with sctp_test application from lksctp. One way to fix this race is to
    wait for the handshake to actually complete.
    The fix defers waiting after sctp_primitive_ASSOCIATE() and
    sctp_primitive_SEND() succeeded, so that DATA chunks cooked up from
    sctp_sendmsg() have already been placed into the output queue through
    the side-effect interpreter, and therefore can then be bundled together
    with COOKIE_ECHO control chunks.

    strace from example application (shortened):

    socket(PF_INET, SOCK_SEQPACKET, IPPROTO_SCTP) = 3
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")}, msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")}, msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")}, msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")}, msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")}, msg_iov(0)=[], msg_controllen=48, {cmsg_len=48, cmsg_level=0x84 /* SOL_??? */, cmsg_type=, ...}, msg_flags=0}, 0) = 0 // graceful shutdown for SOCK_SEQPACKET via SCTP_EOF
    close(3) = 0

    tcpdump before patch (fooling the application):

    22:33:36.306142 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 3879023686] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3139201684]
    22:33:36.316619 IP 192.168.1.115.8888 > 192.168.1.114.41462: sctp (1) [INIT ACK] [init tag: 3345394793] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 3380109591]
    22:33:36.317600 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [ABORT]

    tcpdump after patch:

    14:28:58.884116 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 438593213] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3092969729]
    14:28:58.888414 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [INIT ACK] [init tag: 381429855] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 2141904492]
    14:28:58.888638 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [COOKIE ECHO] , (2) [DATA] (B)(E) [TSN: 3092969729] [...]
    14:28:58.893278 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [COOKIE ACK] , (2) [SACK] [cum ack 3092969729] [a_rwnd 106491] [#gap acks 0] [#dup tsns 0]
    14:28:58.893591 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969730] [...]
    14:28:59.096963 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969730] [a_rwnd 106496] [#gap acks 0] [#dup tsns 0]
    14:28:59.097086 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969731] [...] , (2) [DATA] (B)(E) [TSN: 3092969732] [...]
    14:28:59.103218 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969732] [a_rwnd 106486] [#gap acks 0] [#dup tsns 0]
    14:28:59.103330 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN]
    14:28:59.107793 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SHUTDOWN ACK]
    14:28:59.107890 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN COMPLETE]

    Looks like this bug is from the pre-git history museum. ;)

    Fixes: 08707d5482df ("lksctp-2_5_31-0_5_1.patch")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        net/sctp/socket.c

    Conflicts:
        net/sctp/socket.c

 net/sctp/socket.c | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 28e7551a10df3b00676519fa269fc9f21562eefd
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Tue Feb 3 08:55:58 2015 -0500

    net: rds: use correct size for max unacked packets and bytes

    Max unacked packets/bytes is an int while sizeof(long) was used in the
    sysctl table. This means that when they were getting read we'd also leak
    kernel memory to userspace along with the timeout values.

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/sysctl.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit ebb75bc888f1613c4e332a48b883b463e492ed63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 5 08:09:18 2015 -0500

    Fix another upstream bug, rcu lock imbalance causing OOPses since an
    upstream 3.2 backport. Reported and fixed here:
    https://lkml.org/lkml/2015/1/17/71
    Presumably will be fixed in 3.2.67, but since we have users hitting it
    already, let's fix it now.
    Thanks to rfree@mempo.org for the oops reports

 fs/dcache.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit d14bff6a2ee562e886a34069980ae2c6956fdd24
Author: Florian Westphal <fw@strlen.de>
Date:   Wed Jan 28 10:56:04 2015 +0100

    ppp: deflate: never return len larger than output buffer

    When we've run out of space in the output buffer to store more data, we
    will call zlib_deflate with a NULL output buffer until we've consumed
    remaining input.

    When this happens, olen contains the size the output buffer would have
    consumed iff we'd have had enough room.

    This can later cause skb_over_panic when ppp_generic skb_put()s the
    returned length.

    Reported-by: Iain Douglas <centos@1n6.org.uk>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ppp/ppp_deflate.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8dbb050410cd847d7e34cb058f71ce30f8b91310
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 2 17:43:03 2015 -0500

    Backport fix for CVE-2015-1420:
    http://marc.info/?l=linux-kernel&m=142247707318982&w=2
    Though it requires CAP_DAC_READ_SEARCH and (additionally in grsec)
    cannot be performed in a chroot

 fs/fhandle.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit bea8d87e4fd8c70bd96aeaa09378fde6852efe44
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 2 16:57:54 2015 -0500

    Backport from PaX patch:
    - fixed cc-ldoption to work with the HJL fork of binutils, reported by
      Rogelio M. Serrano Jr.
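The rds sysctl commit above ("use correct size for max unacked packets and bytes") is an instance of a general bug class: a table entry's copy length is declared separately from the object it points at, and when the length is larger than the object, the read path copies adjacent kernel bytes to user space. The following is an added user-space model of that class, not kernel code and not from net/rds/sysctl.c: struct ctl_entry, both tables, the "secret" neighbour bytes and the data_size field used by the audit are all constructed for this example (the real struct ctl_table has no data_size field; there the check is simply that maxlen equals sizeof of the exported variable).

```c
/*
 * Added example, not kernel code: a user-space model of the bug class fixed
 * by "net: rds: use correct size for max unacked packets and bytes".
 * A sysctl-style table entry points at a variable, but the number of bytes
 * the read path copies out comes from a separate maxlen field.  When maxlen
 * is sizeof(long) for an int, the copy runs past the int into whatever sits
 * next to it in memory and hands those bytes to user space.
 *
 * struct ctl_entry, the table contents and the neighbour bytes are all
 * constructed here; data_size is a field this model adds for the audit, the
 * real struct ctl_table has no such field.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct ctl_entry {
    const char *procname;
    const void *data;       /* object exported through this entry */
    size_t      maxlen;     /* bytes the read path copies out */
    size_t      data_size;  /* true size of the object (model-only, for the audit) */
};

/* Constructed "kernel memory": an int (little-endian 16) in the first four
 * bytes, followed by four bytes that must never reach user space. */
static unsigned char kmem[8] = { 16, 0, 0, 0, 0xDE, 0xAD, 0xBE, 0xEF };
static unsigned long reconnect_min_jiffies = 2;

#define TABLE_LEN 2

/* Table as written before the fix: sizeof(long) for an int-sized knob. */
const struct ctl_entry table_before[TABLE_LEN] = {
    { "max_unacked_packets",    kmem,                   sizeof(long),          sizeof(int) },
    { "reconnect_min_delay_ms", &reconnect_min_jiffies, sizeof(unsigned long), sizeof(unsigned long) },
};

/* Table after the fix: maxlen matches the object behind data. */
const struct ctl_entry table_after[TABLE_LEN] = {
    { "max_unacked_packets",    kmem,                   sizeof(int),           sizeof(int) },
    { "reconnect_min_delay_ms", &reconnect_min_jiffies, sizeof(unsigned long), sizeof(unsigned long) },
};

/* Models the read side: copies maxlen bytes from data into the user buffer,
 * exactly as a handler that trusts maxlen would.  Returns bytes copied. */
size_t read_entry(const struct ctl_entry *e, unsigned char *out, size_t outlen)
{
    size_t n = e->maxlen < outlen ? e->maxlen : outlen;
    memcpy(out, e->data, n);
    return n;
}

/* Returns 1 if reading this entry copies bytes beyond its object. */
int read_leaks_adjacent(const struct ctl_entry *e)
{
    unsigned char out[64];
    return read_entry(e, out, sizeof out) > e->data_size;
}

/* Static audit: count entries whose maxlen does not match the object size.
 * This is the property the fix above restores by declaring sizeof(int). */
size_t audit_table(const struct ctl_entry *t, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].maxlen != t[i].data_size) {
            fprintf(stderr, "%s: maxlen %zu != object size %zu\n",
                    t[i].procname, t[i].maxlen, t[i].data_size);
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    unsigned char out[64];
    size_t n = read_entry(&table_before[0], out, sizeof out);
    printf("before fix: %zu bytes copied for a %zu-byte int, %zu mismatched entries\n",
           n, sizeof(int), audit_table(table_before, TABLE_LEN));
    printf("after fix:  %zu bytes copied, %zu mismatched entries\n",
           read_entry(&table_after[0], out, sizeof out), audit_table(table_after, TABLE_LEN));
    return 0;
}
```

On an LP64 system the "before" table copies eight bytes for the four-byte int, so the constructed neighbour bytes travel with it; the audit flags exactly that entry and nothing in the corrected table. The same audit idea applies to any table-driven copy-to-user path: the length must be derived from the object, not written next to it by hand.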
 scripts/Kbuild.include | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 46d784468156a0712d4973b03d7cd6448834851e
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Jan 22 11:27:59 2015 -0800

    x86, tls: Interpret an all-zero struct user_desc as "no segment"

    The Witcher 2 did something like this to allocate a TLS segment index:

        struct user_desc u_info;
        bzero(&u_info, sizeof(u_info));
        u_info.entry_number = (uint32_t)-1;

        syscall(SYS_set_thread_area, &u_info);

    Strictly speaking, this code was never correct.  It should have set
    read_exec_only and seg_not_present to 1 to indicate that it wanted to
    find a free slot without putting anything there, or it should have put
    something sensible in the TLS slot if it wanted to allocate a TLS entry
    for real.  The actual effect of this code was to allocate a bogus
    segment that could be used to exploit espfix.

    The set_thread_area hardening patches changed the behavior, causing
    set_thread_area to return -EINVAL and crashing the game.

    This changes set_thread_area to interpret this as a request to find a
    free slot and to leave it empty, which isn't *quite* what the game
    expects but should be close enough to keep it working.  In particular,
    using the code above to allocate two segments will allocate the same
    segment both times.

    According to FrostbittenKing on Github, this fixes The Witcher 2.

    If this somehow still causes problems, we could instead allocate a
    limit==0 32-bit data segment, but that seems rather ugly to me.

    Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Cc: stable@vger.kernel.org
    Cc: torvalds@linux-foundation.org
    Link: http://lkml.kernel.org/r/0cb251abe1ff0958b8e468a9a9a905b80ae3a746.1421954363.git.luto@amacapital.net
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

 arch/x86/include/asm/desc.h | 13 +++++++++++++
 arch/x86/kernel/tls.c       | 25 +++++++++++++++++++++++--
 2 files changed, 36 insertions(+), 2 deletions(-)

commit fbfda9617d4e349cb55343f5b265db7ada6b28f9
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Jan 22 11:27:58 2015 -0800

    x86, tls, ldt: Stop checking lm in LDT_empty

    32-bit programs don't have an lm bit in their ABI, so they can't
    reliably cause LDT_empty to return true without resorting to memset.
    They shouldn't need to do this.

    This should fix a longstanding, if minor, issue in all 64-bit kernels
    as well as a potential regression in the TLS hardening code.

    Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix
    Cc: stable@vger.kernel.org
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Cc: torvalds@linux-foundation.org
    Link: http://lkml.kernel.org/r/72a059de55e86ad5e2935c80aa91880ddf19d07c.1421954363.git.luto@amacapital.net
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

 arch/x86/include/asm/desc.h | 9 ++-------
 1 files changed, 2 insertions(+), 7 deletions(-)

commit 512a4bad2a5fff934aa1855ba0fa64cd5357733b
Author: Nadav Amit <namit@cs.technion.ac.il>
Date:   Thu Jan 1 23:11:11 2015 +0200

    KVM: x86: SYSENTER emulation is broken

    SYSENTER emulation is broken in several ways:
    1. It misses the case of 16-bit code segments completely (CVE-2015-0239).
    2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1
       can still be set without causing #GP).
    3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in
       legacy-mode.
    4. There is some unneeded code.

    Fix it.
    Cc: stable@vger.linux.org
    Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

    Conflicts:
        arch/x86/kvm/emulate.c

    Conflicts:
        arch/x86/kvm/emulate.c

 arch/x86/kvm/emulate.c | 23 +++++++----------------
 1 files changed, 7 insertions(+), 16 deletions(-)

commit 7a964f0b7ee8c4641cc39ea736e551e24f3fddba
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Jan 22 18:26:54 2015 +0100

    net: sctp: fix slab corruption from use after free on INIT collisions

    When hitting an INIT collision case during the 4WHS with AUTH enabled, as
    already described in detail in commit 1be9a950c646 ("net: sctp: inherit
    auth_capable on INIT collisions"), it can happen that we occasionally
    still remotely trigger the following panic on server side which seems to
    have been uncovered after the fix from commit 1be9a950c646 ...

    [ 533.876389] BUG: unable to handle kernel paging request at 00000000ffffffff
    [ 533.913657] IP: [<ffffffff811ac385>] __kmalloc+0x95/0x230
    [ 533.940559] PGD 5030f2067 PUD 0
    [ 533.957104] Oops: 0000 [#1] SMP
    [ 533.974283] Modules linked in: sctp mlx4_en [...]
    [ 534.939704] Call Trace:
    [ 534.951833]  [<ffffffff81294e30>] ? crypto_init_shash_ops+0x60/0xf0
    [ 534.984213]  [<ffffffff81294e30>] crypto_init_shash_ops+0x60/0xf0
    [ 535.015025]  [<ffffffff8128c8ed>] __crypto_alloc_tfm+0x6d/0x170
    [ 535.045661]  [<ffffffff8128d12c>] crypto_alloc_base+0x4c/0xb0
    [ 535.074593]  [<ffffffff8160bd42>] ? _raw_spin_lock_bh+0x12/0x50
    [ 535.105239]  [<ffffffffa0418c11>] sctp_inet_listen+0x161/0x1e0 [sctp]
    [ 535.138606]  [<ffffffff814e43bd>] SyS_listen+0x9d/0xb0
    [ 535.166848]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b

    ... or depending on the application, for example this one:

    [ 1370.026490] BUG: unable to handle kernel paging request at 00000000ffffffff
    [ 1370.026506] IP: [<ffffffff811ab455>] kmem_cache_alloc+0x75/0x1d0
    [ 1370.054568] PGD 633c94067 PUD 0
    [ 1370.070446] Oops: 0000 [#1] SMP
    [ 1370.085010] Modules linked in: sctp kvm_amd kvm [...]
    [ 1370.963431] Call Trace:
    [ 1370.974632]  [<ffffffff8120f7cf>] ? SyS_epoll_ctl+0x53f/0x960
    [ 1371.000863]  [<ffffffff8120f7cf>] SyS_epoll_ctl+0x53f/0x960
    [ 1371.027154]  [<ffffffff812100d3>] ? anon_inode_getfile+0xd3/0x170
    [ 1371.054679]  [<ffffffff811e3d67>] ? __alloc_fd+0xa7/0x130
    [ 1371.080183]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b

    With slab debugging enabled, we can see that the poison has been
    overwritten:

    [ 669.826368] BUG kmalloc-128 (Tainted: G W ): Poison overwritten
    [ 669.826385] INFO: 0xffff880228b32e50-0xffff880228b32e50. First byte 0x6a instead of 0x6b
    [ 669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494
    [ 669.826424]  __slab_alloc+0x4bf/0x566
    [ 669.826433]  __kmalloc+0x280/0x310
    [ 669.826453]  sctp_auth_create_key+0x23/0x50 [sctp]
    [ 669.826471]  sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp]
    [ 669.826488]  sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp]
    [ 669.826505]  sctp_do_sm+0x29d/0x17c0 [sctp] [...]
    [ 669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494
    [ 669.826635]  __slab_free+0x39/0x2a8
    [ 669.826643]  kfree+0x1d6/0x230
    [ 669.826650]  kzfree+0x31/0x40
    [ 669.826666]  sctp_auth_key_put+0x19/0x20 [sctp]
    [ 669.826681]  sctp_assoc_update+0x1ee/0x2d0 [sctp]
    [ 669.826695]  sctp_do_sm+0x674/0x17c0 [sctp]

    Since this only triggers in some collision-cases with AUTH, the problem
    at heart is that sctp_auth_key_put() on asoc->asoc_shared_key is called
    twice when having refcnt 1, once directly in sctp_assoc_update() and yet
    again from within sctp_auth_asoc_init_active_key() via
    sctp_assoc_update() on the already kzfree'd memory, which is also
    consistent with the observation of the poison decrease from 0x6b to 0x6a
    (note: the overwrite is detected at a later point in time when poison is
    checked on new allocation).

    Reference counting of auth keys revisited:

    Shared keys for AUTH chunks are being stored in endpoints and
    associations in endpoint_shared_keys list. On endpoint creation, a null
    key is being added; on association creation, all endpoint shared keys
    are being cached and thus cloned over to the association. struct
    sctp_shared_key only holds a pointer to the actual key bytes, that is,
    struct sctp_auth_bytes which keeps track of users internally through
    refcounting. Naturally, on assoc or endpoint destruction, sctp_shared_key
    are being destroyed directly and the reference on sctp_auth_bytes
    dropped.

    User space can add keys to either list via setsockopt(2) through struct
    sctp_authkey and by passing that to sctp_auth_set_key() which replaces
    or adds a new auth key. There, sctp_auth_create_key() creates a new
    sctp_auth_bytes with refcount 1 and in case of replacement drops the
    reference on the old sctp_auth_bytes. A key can be set active from user
    space through setsockopt() on the id via sctp_auth_set_active_key(),
    which iterates through either endpoint_shared_keys and in case of an
    assoc, invokes (one of various places) sctp_auth_asoc_init_active_key().

    sctp_auth_asoc_init_active_key() computes the actual secret from local's
    and peer's random, hmac and shared key parameters and returns a new key
    directly as sctp_auth_bytes, that is asoc->asoc_shared_key, plus drops
    the reference if there was a previous one. The secret, which is where we
    eventually double drop the ref, comes from sctp_auth_asoc_set_secret()
    with initial refcount of 1, which also stays unchanged eventually in
    sctp_assoc_update(). This key is later being used for crypto layer to
    set the key for the hash in crypto_hash_setkey() from
    sctp_auth_calculate_hmac().

    To close the loop: asoc->asoc_shared_key is freshly allocated secret
    material and independent of the sctp_shared_key management keeping track
    of only shared keys in endpoints and assocs. Hence, also commit
    4184b2a79a76 ("net: sctp: fix memory leak in auth key management") is
    independent of this bug here since it concerns a different layer (though
    same structures being used eventually). asoc->asoc_shared_key is
    reference dropped correctly on assoc destruction in
    sctp_association_free() and when active keys are being replaced in
    sctp_auth_asoc_init_active_key(), it always has a refcount of 1. Hence,
    it's freed prematurely in sctp_assoc_update(). Simple fix is to remove
    that sctp_auth_key_put() from there which fixes these panics.

    Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/associola.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 1301d30706a83116f0c74659878d291fc6608a0e
Author: subashab@codeaurora.org <subashab@codeaurora.org>
Date:   Fri Jan 23 22:26:02 2015 +0000

    ping: Fix race in free in receive path

    An exception is seen in ICMP ping receive path where the skb destructor
    sock_rfree() tries to access a freed socket. This happens because
    ping_rcv() releases socket reference with sock_put() and this internally
    frees up the socket. Later icmp_rcv() will try to free the skb and as
    part of this, skb destructor is called and which leads to a kernel panic
    as the socket is freed already in ping_rcv().

    -->|exception
    -007|sk_mem_uncharge
    -007|sock_rfree
    -008|skb_release_head_state
    -009|skb_release_all
    -009|__kfree_skb
    -010|kfree_skb
    -011|icmp_rcv
    -012|ip_local_deliver_finish

    Fix this incorrect free by cloning this skb and processing this cloned
    skb instead.

    This patch was suggested by Eric Dumazet

    Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
    Cc: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ping.c | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit 27e359f049d7304d2e306ca97db6e89eb1255586
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 18:31:25 2015 -0500

    Make it easier to work with inherited subjects that change roles.  If a
    subject of the same name as the current inherited subject exists in the
    role being changed to with a similar object in it that would trigger
    inheritance on execution of the current process' binary, then we'll use
    that subject instead of the normal one obtained through lookup.
    See: https://forums.grsecurity.net/viewtopic.php?f=3&t=4129

    Conflicts:
        grsecurity/gracl_policy.c

 grsecurity/gracl.c        | 42 ++++++++++++++++++++++++++++++------------
 grsecurity/gracl_policy.c | 10 +++++-----
 2 files changed, 35 insertions(+), 17 deletions(-)

commit f16802f0823a3a303b18789c57a4b7c35449174a
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Jan 19 22:34:51 2015 +0300

    s2io: use snprintf() as a safety feature

    "sp->desc[i]" has 25 characters.  "dev->name" has 15 characters.  If we
    used all 15 characters then the sprintf() would overflow.

    I changed the "sprintf(sp->name, "%s Neterion %s"" to snprintf(), as
    well, even though it can't overflow just to be consistent.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/neterion/s2io.c | 11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit 2e4a361a46dab6bc80f948e4dda9c100d8550adb
Author: Willem de Bruijn <willemb@google.com>
Date:   Thu Jan 15 13:18:40 2015 -0500

    ip: zero sockaddr returned on error queue

    The sockaddr is returned in IP(V6)_RECVERR as part of errhdr. That
    structure is defined and allocated on the stack as

        struct {
            struct sock_extended_err ee;
            struct sockaddr_in(6)    offender;
        } errhdr;

    The second part is only initialized for certain SO_EE_ORIGIN values.
    Always initialize it completely.
    An MTU exceeded error on a SOCK_RAW/IPPROTO_RAW is one example that
    would return uninitialized bytes.

    Signed-off-by: Willem de Bruijn <willemb@google.com>

    ----

    Also verified that there is no padding between errhdr.ee and
    errhdr.offender that could leak additional kernel data.

    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        net/ipv4/ip_sockglue.c
        net/ipv6/datagram.c

    Conflicts:
        net/ipv6/datagram.c

 net/ipv4/ip_sockglue.c |  9 +++------
 net/ipv6/datagram.c    | 10 +++-------
 2 files changed, 6 insertions(+), 13 deletions(-)

commit 81b2008552c0bb59b762bec69a0e5e4922baba24
Author: Hagen Paul Pfeifer <hagen@jauu.net>
Date:   Thu Jan 15 22:34:25 2015 +0100

    ipv6: stop sending PTB packets for MTU < 1280

    Reduce the attack vector and stop generating IPv6 Fragment Header for
    paths with an MTU smaller than the minimum required IPv6 MTU size (1280
    byte) - called atomic fragments.

    See IETF I-D "Deprecating the Generation of IPv6 Atomic Fragments" [1]
    for more information and how this "feature" can be misused.

    [1] https://tools.ietf.org/html/draft-ietf-6man-deprecate-atomfrag-generation-00

    Signed-off-by: Fernando Gont <fgont@si6networks.com>
    Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/route.c | 7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

commit 9840c41643e27ad6593d7cb9c5015bf64ee769ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 14 22:48:11 2015 -0500

    Allow the admin role and subjects with ptrace override ability to view
    /proc/pid/mem, /proc/pid/fd, and /proc/pid/cmdline of tasks with "d" in
    their subject mode.  Thanks to tjh for the report!
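The "ip: zero sockaddr returned on error queue" commit above describes a stack-allocated errhdr whose offender half was only filled in for some SO_EE_ORIGIN values before being copied to user space. The following is an added user-space model of that defect and its fix, not code from net/ipv4/ip_sockglue.c: the struct layouts are local mirrors sized like the Linux ones, the origin and address-family values are the real SO_EE_ORIGIN_LOCAL/SO_EE_ORIGIN_ICMP and AF_UNSPEC/AF_INET constants, and the error fields, peer address and 0xAA "stale stack" pattern are constructed for the demonstration.

```c
/*
 * Added example, not kernel code: a user-space model of the bug fixed by
 * "ip: zero sockaddr returned on error queue".  The kernel builds errhdr
 * (extended error + offender sockaddr) in a stack slot and copies the whole
 * thing to user space; before the fix only the ICMP origin filled in the
 * offender, so for other origins whatever the stack slot held went out too.
 *
 * Layouts below are local mirrors sized like the Linux ones (16 + 16 bytes,
 * no padding); origin/family values are the real constants; everything
 * else is constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sock_extended_err_m {
    uint32_t ee_errno;
    uint8_t  ee_origin, ee_type, ee_code, ee_pad;
    uint32_t ee_info, ee_data;
};

struct sockaddr_in_m {
    uint16_t sin_family;
    uint16_t sin_port;
    uint32_t sin_addr;
    uint8_t  sin_zero[8];
};

struct errhdr_m {
    struct sock_extended_err_m ee;
    struct sockaddr_in_m       offender;
};

enum { ORIGIN_LOCAL = 1, ORIGIN_ICMP = 2 };  /* SO_EE_ORIGIN_LOCAL, SO_EE_ORIGIN_ICMP */
enum { AF_UNSPEC_M = 0, AF_INET_M = 2 };     /* AF_UNSPEC, AF_INET */

typedef void (*build_fn)(struct errhdr_m *h, uint8_t origin, uint32_t peer);

/* Fill the extended-error part; shared by both variants. Values are a
 * constructed "MTU exceeded" report. */
static void fill_ee(struct errhdr_m *h, uint8_t origin)
{
    h->ee.ee_errno  = 90;      /* EMSGSIZE */
    h->ee.ee_origin = origin;
    h->ee.ee_type   = 3;
    h->ee.ee_code   = 4;
    h->ee.ee_pad    = 0;
    h->ee.ee_info   = 1280;    /* reported path MTU */
    h->ee.ee_data   = 0;
}

/* Before the fix: offender is only written for ICMP-originated errors; for
 * anything else just sin_family is set and the other 14 bytes keep whatever
 * the stack slot held. */
void build_errhdr_before(struct errhdr_m *h, uint8_t origin, uint32_t peer)
{
    fill_ee(h, origin);
    if (origin == ORIGIN_ICMP) {
        h->offender.sin_family = AF_INET_M;
        h->offender.sin_port   = 0;
        h->offender.sin_addr   = peer;
        memset(h->offender.sin_zero, 0, sizeof h->offender.sin_zero);
    } else {
        h->offender.sin_family = AF_UNSPEC_M;
    }
}

/* After the fix: the whole header is zeroed first, so every byte that
 * reaches user space was written by this function. */
void build_errhdr_after(struct errhdr_m *h, uint8_t origin, uint32_t peer)
{
    memset(h, 0, sizeof *h);
    fill_ee(h, origin);
    if (origin == ORIGIN_ICMP) {
        h->offender.sin_family = AF_INET_M;
        h->offender.sin_addr   = peer;
    } else {
        h->offender.sin_family = AF_UNSPEC_M;
    }
}

/* Simulates a dirty stack slot (pre-filled with 0xAA), runs the builder and
 * counts bytes it never wrote.  No value the builders store is 0xAA, so each
 * surviving 0xAA byte is stale data that would have been copied out. */
size_t stale_bytes(build_fn build, uint8_t origin)
{
    union { struct errhdr_m h; unsigned char raw[sizeof(struct errhdr_m)]; } u;
    memset(u.raw, 0xAA, sizeof u.raw);
    build(&u.h, origin, 0x0a000001u);   /* constructed peer address */
    size_t n = 0;
    for (size_t i = 0; i < sizeof u.raw; i++)
        n += (u.raw[i] == 0xAA);
    return n;
}

int main(void)
{
    printf("before fix, local origin: %zu stale bytes\n", stale_bytes(build_errhdr_before, ORIGIN_LOCAL));
    printf("before fix, icmp origin:  %zu stale bytes\n", stale_bytes(build_errhdr_before, ORIGIN_ICMP));
    printf("after fix,  local origin: %zu stale bytes\n", stale_bytes(build_errhdr_after, ORIGIN_LOCAL));
    return 0;
}
```

The local-origin case is the one the commit names (an MTU error on a raw socket): before the fix 14 of the 16 offender bytes are untouched stack contents, after the fix none are. The size check on errhdr_m mirrors the author's note that there is no padding between ee and offender, which matters because a memset of each member would not cover padding bytes while a memset of the whole struct does.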
 grsecurity/gracl_fs.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit b893083b6fe3ec6ec22acfc6f22d9d29c2252b39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 14 21:47:00 2015 -0500

    Fix some instances of dma-on-stack reported by xxterry1xx on the forums

 drivers/staging/line6/driver.c   | 16 ++++++++++++----
 drivers/staging/line6/toneport.c | 13 ++++++++++---
 2 files changed, 22 insertions(+), 7 deletions(-)

commit 3f4ac907f2f59cbcaeaeedbea222241309d28b0b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 11 09:46:33 2015 -0500

    squelch a harmless compiler warning

 drivers/iommu/amd_iommu.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9759066f743d84a8f7faeec2600d864fa0b3c663
Merge: 293330c a63b181
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 5 18:18:42 2015 -0500

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
        arch/x86/kernel/espfix_64.c

commit a63b181acea3b68bfb509aa9d566c05f29d82ace
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 5 18:16:35 2015 -0500

    Update to pax-linux-3.2.66-test163.patch:
    - added a temporary workaround for a few size overflow false positives
      when REFCOUNT was disabled until the new plugin is ready, by Mathias
      Krause <mathias.krause@secunet.com>
    - preliminary fix by Steffen Klassert
      (http://marc.info/?l=linux-netdev&m=141768340108789) for an upstream
      bug in the ipv6 tunnel code caught by the size overflow plugin,
      reported by Alexander Wetzel
      (https://forums.grsecurity.net/viewtopic.php?f=1&t=4083) and Colton
      Reeder (https://bugs.gentoo.org/show_bug.cgi?id=529352)
    - fixed a few REFCOUNT accessors on arm/sparc
    - fixed a few section mismatches for CONSTIFY
    - fixed a (probably harmless) integer underflow in ttm_page_pool_free,
      caught by the size overflow plugin, reported by hunger
    - fixed a REFCOUNT false positive in ftrace
    - fixed ESPFIX crash under per-cpu PGD configs (KERNEXEC/UDEREF on
      amd64), reported by Andy Lutomirski <luto@amacapital.net>
    - constified a few variables
    - removed superfluous section attr on espfix_pud_page, reported by
      spender

 arch/arm/include/asm/atomic.h        |  2 +-
 arch/sparc/include/asm/atomic_64.h   |  4 ++--
 arch/x86/include/asm/atomic.h        |  4 ++--
 arch/x86/kernel/entry_64.S           | 10 +++++-----
 arch/x86/kernel/espfix_64.c          | 13 +++++++------
 arch/x86/kvm/emulate.c               |  2 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c | 16 ++++++++--------
 drivers/net/can/dev.c                |  2 +-
 drivers/net/can/vcan.c               |  2 +-
 drivers/net/dummy.c                  |  2 +-
 drivers/net/ifb.c                    |  2 +-
 drivers/net/macvtap.c                |  2 +-
 drivers/net/tun.c                    |  2 +-
 include/asm-generic/atomic-long.h    |  2 +-
 include/drm/ttm/ttm_page_alloc.h     |  2 +-
 include/linux/linkage.h              |  1 +
 include/linux/sched.h                |  2 +-
 kernel/trace/ftrace.c                |  4 ++--
 kernel/trace/trace_functions_graph.c |  4 ++--
 net/8021q/vlan_netlink.c             |  2 +-
 net/bridge/br_netlink.c              |  2 +-
 net/caif/chnl_net.c                  |  2 +-
 net/ieee802154/6lowpan.c             |  2 +-
 net/ipv6/xfrm6_policy.c              |  2 +-
 24 files changed, 45 insertions(+), 43 deletions(-)

commit 293330cf03806f4cbd887e76e557089b3722fbaa
Merge: eb2c0a0 574ca55
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 4 21:30:56 2015 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 574ca556bcef707872bfc8c02c43d1a33f5bee13
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 4 19:09:32 2015 -0500

    Update to pax-linux-3.2.66-test162.patch:
    - fixed kernel stack corruption in iret fault handling under
      RANDKSTACK/amd64, triggered by Andy Lutomirski's linux-clock-tests
      suite (sigreturn_32)

 arch/x86/kernel/traps.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit eb2c0a0021b1ce8a9f877aa380d1b5873d232fab
Author: Jan Kara <jack@suse.cz>
Date:   Thu Sep 4 16:15:51 2014 +0200

    udf: Make udf_read_inode() and udf_iget() return error

    Currently __udf_read_inode() wasn't returning anything and we found out
    whether we succeeded reading inode by checking whether inode is bad or
    not. udf_iget() returned NULL on failure and inode pointer otherwise.
    Make these two functions properly propagate errors up the call stack and
    use the return value in callers.

    Signed-off-by: Jan Kara <jack@suse.cz>

    Conflicts:
        fs/udf/super.c

 fs/udf/inode.c   | 99 +++++++++++++++++++++++++-----------------------
 fs/udf/namei.c   | 22 +++++-------
 fs/udf/super.c   | 72 ++++++++++++++++++++++-----------------
 fs/udf/udfdecl.h |  1 -
 4 files changed, 96 insertions(+), 98 deletions(-)

commit cde4c9834629a063ab39d606cc61b735a57341eb
Author: Jan Kara <jack@suse.cz>
Date:   Fri Dec 19 14:27:55 2014 +0100

    udf: Check component length before reading it

    Check that length specified in a component of a symlink fits in the
    input buffer we are reading. Also properly ignore component length for
    component types that do not use it. Otherwise we read memory after end
    of buffer for corrupted udf image.

    Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/symlink.c | 9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 4901723ff94fa2e1da789f24abb8598071a15476
Author: Jan Kara <jack@suse.cz>
Date:   Thu Dec 18 22:37:50 2014 +0100

    udf: Check path length when reading symlink

    Symlink reading code does not check whether the resulting path fits into
    the page provided by the generic code. This isn't as easy as just
    checking the symlink size because of various encoding conversions we
    perform on path. So we have to check whether there is still enough space
    in the buffer on the fly.

    CC: stable@vger.kernel.org
    Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
    Signed-off-by: Jan Kara <jack@suse.cz>

    Conflicts:
        fs/udf/dir.c
        fs/udf/symlink.c

 fs/udf/dir.c     |  3 ++-
 fs/udf/namei.c   |  3 ++-
 fs/udf/symlink.c | 45 ++++++++++++++++++++++++++++++++++++---------
 fs/udf/udfdecl.h |  3 ++-
 fs/udf/unicode.c | 28 ++++++++++++++++------------
 5 files changed, 58 insertions(+), 24 deletions(-)

commit bcac5b9ecb07f540878ae65bd955193795c276d4
Author: Jan Kara <jack@suse.cz>
Date:   Fri Dec 19 12:21:47 2014 +0100

    udf: Verify symlink size before loading it

    UDF specification allows arbitrarily large symlinks. However we support
    only symlinks at most one block large. Check the length of the symlink
    so that we don't access memory beyond end of the symlink block.

    CC: stable@vger.kernel.org
    Reported-by: Carl Henrik Lunde <chlunde@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/symlink.c | 17 +++++++++++++----
 1 files changed, 13 insertions(+), 4 deletions(-)

commit 2e3b3d6033e7fc145bccad33ba3899f968e6cc87
Author: Jan Kara <jack@suse.cz>
Date:   Fri Dec 19 12:03:53 2014 +0100

    udf: Verify i_size when loading inode

    Verify that inode size is sane when loading inode with data stored in
    ICB. Otherwise we may get confused later when working with the inode and
    inode size is too big.

    CC: stable@vger.kernel.org
    Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/inode.c | 14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit fe0706647ef89092fe98ebfc5cd24f2f11d41af9
Author: Jan Kara <jack@suse.cz>
Date:   Thu Dec 18 17:26:10 2014 +0100

    isofs: Fix unchecked printing of ER records

    We didn't check length of rock ridge ER records before printing them.
    Thus corrupted isofs image can cause us to access and print some memory
    behind the buffer with obvious consequences.

    Reported-and-tested-by: Carl Henrik Lunde <chlunde@ping.uio.no>
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/isofs/rock.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 6b0d4654592f127bfedb7afb992ff3ebf5b4220a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 1 09:23:42 2015 -0500

    compile fix

 fs/udf/inode.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 0fd452435279b1fb6cc47a5b04ac6fff6d06eb42
Merge: f2986d3 f531dba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 1 09:06:40 2015 -0500

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
        arch/x86/kernel/tls.c
        fs/udf/inode.c
        include/linux/dcache.h

commit f531dba1bb6dce85eda2444a6ae670865c696b6c
Merge: a7bdd00 ac4619ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 1 09:03:34 2015 -0500

    Merge branch 'linux-3.2.y' into pax-stable

    Conflicts:
        fs/libfs.c

commit f2986d3f727a4a226a2b73b96e185a0cbae32288
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 30 23:57:25 2014 -0500

    resync with PaX

 arch/x86/kernel/entry_64.S | 10 +++++-----
 arch/x86/kvm/emulate.c     |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

commit d5d88b95dc4e700e694fe96816a83c008e865c67
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 27 17:24:20 2014 -0500

    remove the %preun step, we don't want to remove old kernels installed
    from the paid kernel service

 scripts/package/mkspec | 7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit cc567a0ec5edd4ec396ec7926e1a9df48ada4926
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 23 23:28:21 2014 -0500

    invoke new-kernel-pkg directly instead of using installkernel, which
    fixes some issues beta testers experienced with the new paid kernel
    service.
    suggested by a sponsor

 scripts/package/mkspec | 17 +++++++++++------
 1 files changed, 11 insertions(+), 6 deletions(-)

commit 56c9ae9491243eca1455c8d5fd15a0cade6099be
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 21 17:30:42 2014 -0500

    compile fix

 arch/x86/kernel/espfix_64.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e145fe4a0c6e6d977555818423c13f0384bdc76f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 21 17:27:00 2014 -0500

    compile fix

 arch/x86/kernel/espfix_64.c | 3 +--
 include/linux/linkage.h     | 1 +
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 08122cf232f4d74b3d08973fc6a8bd4459d2d8f8
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Fri Dec 5 19:03:28 2014 -0800

    x86, kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit

    paravirt_enabled has the following effects:

     - Disables the F00F bug workaround warning.  There is no F00F bug
       workaround any more because Linux's standard IDT handling already
       works around the F00F bug, but the warning still exists.  This
       is only cosmetic, and, in any event, there is no such thing as
       KVM on a CPU with the F00F bug.

     - Disables 32-bit APM BIOS detection.  On a KVM paravirt system,
       there should be no APM BIOS anyway.

     - Disables tboot.  I think that the tboot code should check the
       CPUID hypervisor bit directly if it matters.

     - paravirt_enabled disables espfix32.  espfix32 should *not* be
       disabled under KVM paravirt.

    The last point is the purpose of this patch.  It fixes a leak of the
    high 16 bits of the kernel stack address on 32-bit KVM paravirt
    guests.  Fixes CVE-2014-8134.

    Cc: stable@vger.kernel.org
    Suggested-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 arch/x86/kernel/kvm.c      | 9 ++++++++-
 arch/x86/kernel/kvmclock.c | 1 -
 2 files changed, 8 insertions(+), 2 deletions(-)

commit c1bd6f4031572a1c6c7241cf7e63fb0be3bb2503
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Wed Dec 17 14:48:30 2014 -0800

    x86/tls: Don't validate lm in set_thread_area() after all

    It turns out that there's a lurking ABI issue.  GCC, when
    compiling this in a 32-bit program:

        struct user_desc desc = {
                .entry_number    = idx,
                .base_addr       = base,
                .limit           = 0xfffff,
                .seg_32bit       = 1,
                .contents        = 0, /* Data, grow-up */
                .read_exec_only  = 0,
                .limit_in_pages  = 1,
                .seg_not_present = 0,
                .useable         = 0,
        };

    will leave .lm uninitialized.  This means that anything in the
    kernel that reads user_desc.lm for 32-bit tasks is unreliable.

    Revert the .lm check in set_thread_area().  The value never did
    anything in the first place.

    Fixes: 0e58af4e1d21 ("x86/tls: Disallow unusual TLS segments")
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org # Only if 0e58af4e1d21 is backported
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Link: http://lkml.kernel.org/r/d7875b60e28c512f6a6fc0baf5714d58e7eaadbb.1418856405.git.luto@amacapital.net
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/include/asm/ldt.h | 7 +++++++
 arch/x86/kernel/tls.c      | 6 ------
 2 files changed, 7 insertions(+), 6 deletions(-)

commit 99b684c2de95f411e5f5605a2ed4221457910507
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Dec 4 16:48:17 2014 -0800

    x86/tls: Disallow unusual TLS segments

    Users have no business installing custom code segments into the
    GDT, and segments that are not present but are otherwise valid
    are a historical source of interesting attacks.

    For completeness, block attempts to set the L bit.  (Prior to this
    patch, the L bit would have been silently dropped.)

    This is an ABI break.  I've checked glibc, musl, and Wine, and
    none of them look like they'll have any trouble.

    Note to stable maintainers: this is a hardening patch that fixes
    no known bugs.  Given the possibility of ABI issues, this
    probably shouldn't be backported quickly.

    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: H. Peter Anvin <hpa@zytor.com>
    Cc: stable@vger.kernel.org # optional
    Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: security@kernel.org <security@kernel.org>
    Cc: Willy Tarreau <w@1wt.eu>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/kernel/tls.c | 22 ++++++++++++++++++++++
 1 files changed, 22 insertions(+), 0 deletions(-)

commit 2f0fbd6f26487aedb0083b41f3f4934e07862f8b
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Dec 4 16:48:16 2014 -0800

    x86/tls: Validate TLS entries to protect espfix

    Installing a 16-bit RW data segment into the GDT defeats espfix.
    AFAICT this will not affect glibc, Wine, or dosemu at all.

    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: H. Peter Anvin <hpa@zytor.com>
    Cc: stable@vger.kernel.org
    Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: security@kernel.org <security@kernel.org>
    Cc: Willy Tarreau <w@1wt.eu>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/kernel/tls.c | 23 +++++++++++++++++++++++
 1 files changed, 23 insertions(+), 0 deletions(-)

commit 2e25e863b7f60a472ff9b1696adbae7ed910dc8a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 21 16:32:08 2014 -0500

    Fix a long-standing incompatibility between x64 UDEREF and
    CONFIG_PARAVIRT on PCID-capable systems.  Generally it resulted in
    userland crashes preventing boot of the system which were able to be
    worked around by booting with nopcid and receiving a weaker UDEREF
    implementation.  The source of the problem was paravirt-specific asm
    alternatives for flush_tlb_single rewriting the pv_mm_ops's native code
    with a single invlpg.  As of this patch, no recommendations should be
    made to boot with nopcid, as it results in a weaker UDEREF
    implementation.

 arch/x86/kernel/paravirt_patch_64.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit ff52bcb704eaf2c42535ef6390240d7ad82c1061
Author: Nadav Amit <namit@cs.technion.ac.il>
Date:   Sun Nov 2 11:54:52 2014 +0200

    KVM: x86: MOV to CR3 can set bit 63

    Although Intel SDM mentions bit 63 is reserved, MOV to CR3 can have bit 63 set.
    As Intel SDM states in section 4.10.4 "Invalidation of TLBs and
    Paging-Structure Caches": " MOV to CR3. ... If CR4.PCIDE = 1 and bit 63 of the
    instruction’s source operand is 0 ..."

    In other words, bit 63 is not reserved. KVM emulator currently considers bit 63
    as reserved. Fix it.

    Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

    Conflicts:
        arch/x86/include/asm/kvm_host.h
        arch/x86/kvm/emulate.c

 arch/x86/include/asm/kvm_host.h | 1 +
 arch/x86/kvm/emulate.c          | 2 +-
 arch/x86/kvm/x86.c              | 2 ++
 3 files changed, 4 insertions(+), 1 deletions(-)

commit 07cd66dcab9820195bb99e167c11b34ed61e4cba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 20 11:50:30 2014 -0500

    force off X86_16BIT if grsecurity is enabled -- nobody cares about
    running Windows 3.1 apps under wine, it's not worth the risk

 arch/x86/Kconfig | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 8dc9f1ed790cd8cc213aee401ef257b091528ec9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 17 18:30:48 2014 -0500

    make the statically allocated pud page read-only while we're at it

 arch/x86/kernel/espfix_64.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8d1d3b044d7f714045bd5788612867a2ccf9a715
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 17 18:28:16 2014 -0500

    Fix doublefault in espfix code when PAX_PER_CPU_PGD
is enabled, reported by Andy Lutomirski arch/x86/kernel/espfix_64.c | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) commit 7a8c1daa8e4494ee211b54c8ae3850a4b9f1e1d1 Author: Jan Kara <jack@suse.cz> Date: Mon Dec 15 14:22:46 2014 +0100 isofs: Fix infinite looping over CE entries Rock Ridge extensions define so called Continuation Entries (CE) which define where is further space with Rock Ridge data. Corrupted isofs image can contain arbitrarily long chain of these, including a one containing loop and thus causing kernel to end in an infinite loop when traversing these entries. Limit the traversal to 32 entries which should be more than enough space to store all the Rock Ridge data. Reported-by: P J P <ppandit@redhat.com> CC: stable@vger.kernel.org Signed-off-by: Jan Kara <jack@suse.cz> fs/isofs/rock.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit f0141de20a94881331289127085a3c37ee055eb1 Author: Brad Spengler <spender@grsecurity.net> Date: Tue Dec 16 17:18:16 2014 -0500 Force support on for user extended attributes for filesystems that currently don't default to on to match up with other filesystems like ext4/xfs that do. We'll need this to make an upcoming addition to the paid kernel packages work without any additional configuration by the user. If there's a particular mountpoint you don't want to have user extended attributes enabled on for whatever reason, the "nouser_xattr" mount option will honor it. 
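The Continuation Entry loop that Jan Kara's isofs fix above guards against, as an added example that is not code from the commit or the kernel: a toy chain format (constructed, not the real Rock Ridge record layout) walked with the same 32-entry cap, so a chain that loops back on itself or points outside the image is rejected instead of spinning forever.

```c
/*
 * Added example, not code from the isofs commit: a bounded walk over a chain
 * of "continuation entries" in a constructed toy image format. The real Rock
 * Ridge CE record layout is not reproduced. Each toy entry is 8 bytes:
 *   bytes 0..3  little-endian byte offset of the next entry (CE_NEXT_NONE = end)
 *   bytes 4..7  little-endian payload value
 * The cap of 32 entries is the limit the isofs fix chose.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CE_ENTRY_SIZE   8u
#define CE_MAX_ENTRIES  32u
#define CE_NEXT_NONE    0xFFFFFFFFu

enum { CE_ERR_BOUNDS = -1, CE_ERR_TOO_MANY = -2 };

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/*
 * Walk the chain starting at byte offset `start`. Returns the number of
 * entries visited (>= 0) and, via payload_sum, the sum of their payloads.
 * A chain that points back at an earlier entry never reaches CE_NEXT_NONE;
 * without the entry cap this loop would spin forever on such an image, with
 * it the walk stops and reports CE_ERR_TOO_MANY. An offset that does not
 * leave room for a whole entry inside the image reports CE_ERR_BOUNDS.
 */
int walk_ce_chain(const uint8_t *img, size_t img_len, uint32_t start,
                  uint32_t *payload_sum)
{
    uint32_t off = start, sum = 0;
    int n = 0;

    while (off != CE_NEXT_NONE) {
        if ((unsigned)n >= CE_MAX_ENTRIES)
            return CE_ERR_TOO_MANY;
        if (off > img_len || img_len - off < CE_ENTRY_SIZE)
            return CE_ERR_BOUNDS;
        sum += rd_le32(img + off + 4);
        off = rd_le32(img + off);
        n++;
    }
    if (payload_sum)
        *payload_sum = sum;
    return n;
}

/* Writes one toy entry at offset `at` of a constructed image. */
static void put_entry(uint8_t *img, uint32_t at, uint32_t next, uint32_t payload)
{
    wr_le32(img + at, next);
    wr_le32(img + at + 4, payload);
}

/* Constructed image: a well-formed chain 0 -> 8 -> 16 -> end, payloads 10, 20, 30. */
int demo_linear(uint32_t *sum)
{
    uint8_t img[24];
    put_entry(img, 0, 8, 10);
    put_entry(img, 8, 16, 20);
    put_entry(img, 16, CE_NEXT_NONE, 30);
    return walk_ce_chain(img, sizeof img, 0, sum);
}

uint32_t demo_linear_sum(void)
{
    uint32_t sum = 0;
    demo_linear(&sum);
    return sum;
}

/* Constructed image: the entry at 8 points back to entry 0, as a corrupted image might. */
int demo_loop(void)
{
    uint8_t img[16];
    put_entry(img, 0, 8, 1);
    put_entry(img, 8, 0, 2);
    return walk_ce_chain(img, sizeof img, 0, NULL);
}

/* Constructed image: the next offset lies far outside the 8-byte image. */
int demo_out_of_bounds(void)
{
    uint8_t img[8];
    put_entry(img, 0, 4096, 1);
    return walk_ce_chain(img, sizeof img, 0, NULL);
}

int main(void)
{
    uint32_t sum = 0;
    int n = demo_linear(&sum);
    printf("linear chain: %d entries, payload sum %u\n", n, sum);
    printf("looping chain: %d (CE_ERR_TOO_MANY)\n", demo_loop());
    printf("bad offset: %d (CE_ERR_BOUNDS)\n", demo_out_of_bounds());
    return 0;
}
```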
 fs/ext2/super.c     | 8 +++-----
 fs/ext3/super.c     | 8 +++-----
 fs/reiserfs/super.c | 4 ++++
 3 files changed, 10 insertions(+), 10 deletions(-)

commit 72dae807fa5ee98838514b3e98893f016d312314
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 19:47:05 2014 -0500

    propagate count type

 drivers/gpu/drm/ttm/ttm_tt.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5e14f99f5da1d757a48818411de3717e4f121aa4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 19:46:01 2014 -0500

    compile fix

 include/drm/ttm/ttm_page_alloc.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0cd9e3b10d0ae52c4893aa8accb1c9011fbcefd5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 19:20:27 2014 -0500

    Point the AMD IOMMU driver to the lowmem-mapped stack instead of
    allowing it to wrongly acquire the physical address of the vmap'd
    kernel stack under KSTACKOVERFLOW.
    Thanks to Victor <silentworks@gmail.com> for the report

 drivers/iommu/amd_iommu.c | 14 ++++++++++++--
 1 files changed, 12 insertions(+), 2 deletions(-)

commit 009d1343a7e0e21404c9aa39aae05f08e9ea56f7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 19:02:25 2014 -0500

    backport ttm size_overflow fix

 drivers/gpu/drm/ttm/ttm_page_alloc.c | 16 ++++++++--------
 1 files changed, 8 insertions(+), 8 deletions(-)

commit a0aa6c14e7e1f4f4f59498ea2c5c3745a1d857f4
Merge: 731b0ef a7bdd00
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 16:45:04 2014 -0500

    Merge branch 'pax-stable' into grsec-stable

commit a7bdd005ae63b9365f583e7fc6d29372780f184a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 16:44:52 2014 -0500

    resync with PaX

 arch/x86/kernel/traps.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 731b0efae7f14c75bef16ba212a830dfb584e3d6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 16:42:01 2014 -0500

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit dc57f3974edd8a4ada205091f42c48d5773d6386
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 7 08:56:31 2014 -0500

    compilation fix

 arch/x86/kernel/traps.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ece1a66d2ea871e810f35001c97fa9e47f3b3755
Merge: 2a8622f 778b494
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 16:20:50 2014 -0500

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
        include/linux/string.h

commit 778b4949f1e05f5b569c4596eec6f23c2d3b491f
Merge: d8acbe5 6a367cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 16:20:18 2014 -0500

    Merge branch 'linux-3.2.y' into pax-stable

    Conflicts:
        arch/x86/kernel/entry_64.S
        mm/mmap.c
        net/mac80211/iface.c

commit 2a8622fcdbfb7b0cfb763402d9de6c2cdc1f8d85
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 4 20:42:21 2014 -0500

    Subject: [PATCH] xfrm6: Fix transport header offset in _decode_session6.

    skb->transport_header might not be valid when we do a reverse decode
    because the ipv6 tunnel error handlers don't update it to the inner
    transport header. This leads to a wrong offset calculation and to
    wrong layer 4 information. We fix this by using the size of the ipv6
    header as the first offset.

    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

    Bug found with the size_overflow plugin

 net/ipv6/xfrm6_policy.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e9af2431bc80e5761a320f0fd0ff7390ebb067a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 2 07:26:25 2014 -0500

    change name

 security/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c3fe56a44a2e747e512f49eed7c4a02c5e09f987
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 2 07:24:49 2014 -0500

    add Hyper-V to auto-configuration

 security/Kconfig | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit fc12e990aeafab216e27899a3d91b8a6b62d99ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 26 00:57:50 2014 -0500

    add the exclusion back

 scripts/package/mkspec | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 0096b982d885bcf5a24ab25aacf0712c816d4f4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 25 23:39:17 2014 -0500

    install symlinks in -devel package properly

 scripts/package/mkspec | 12 +++++-------
 1 files changed, 5 insertions(+), 7 deletions(-)

commit c59c87659cd7d8cca18bc29646d043d5f980f235
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 25 22:13:24 2014 -0500

    Give the files in the tarball used by the source rpm root.root ownership

 scripts/package/Makefile | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 26ef1245da16a6ac5831188d754ab220a0a2103e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 25 22:09:09 2014 -0500

    Revert "Give the files in the tarball used by the source rpm root.root ownership"

    This reverts commit a49bfe985435a279361feb9c1e53ad65736f4af6.

 scripts/package/Makefile | 47 ++++++++++++++++++++++++++-------------------
 1 files changed, 27 insertions(+), 20 deletions(-)

commit a49bfe985435a279361feb9c1e53ad65736f4af6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 25 21:52:00 2014 -0500

    Give the files in the tarball used by the source rpm root.root ownership

    Conflicts:
        scripts/package/Makefile

 scripts/package/Makefile | 47 +++++++++++++++++++--------------------------
 1 files changed, 20 insertions(+), 27 deletions(-)

commit 0925f49db68edea999a3dffaba8a2d4622c7accb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 23 14:08:10 2014 -0500

    move our make rpm chmods to %pre

 scripts/package/mkspec | 22 ++++++++++++----------
 1 files changed, 12 insertions(+), 10 deletions(-)

commit 345f3be3c9beb7182fd9654917783f9a13566057
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 23 09:54:26 2014 -0500

    Harden network settings by default since most users won't bother
    modifying /etc/sysctl.conf. Specifically we're now setting
    rp_filter = 1 and accept_redirects = 0

 net/ipv4/devinet.c  | 6 ++++--
 net/ipv6/addrconf.c | 4 ++--
 2 files changed, 6 insertions(+), 4 deletions(-)

commit ea07aca49c23771bf88fea479b505997856e45b9
Author: Laura Abbott <lauraa@codeaurora.org>
Date:   Sat Dec 21 01:03:06 2013 +0100

    ARM: 7931/1: Correct virt_addr_valid

    The definition of virt_addr_valid is that virt_addr_valid should
    return true if and only if virt_to_page returns a valid pointer.
    The current definition of virt_addr_valid only checks against the
    virtual address range. There's no guarantee that just because a
    virtual address falls between PAGE_OFFSET and high_memory the
    associated physical memory has a valid backing struct page. Follow
    the example of other architectures and convert to pfn_valid to
    verify that the virtual address is actually valid. The check for
    an address between PAGE_OFFSET and high_memory is still necessary
    as vmalloc/highmem addresses are not valid with virt_to_page.

    Cc: Will Deacon <will.deacon@arm.com>
    Cc: Nicolas Pitre <nico@linaro.org>
    Acked-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/include/asm/memory.h | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit a8d06d0a75f9576c2cee14268e8150a54bb87975
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 19 17:25:18 2014 -0500

    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>, Dmitry Kozlov <xeb@mail.ru>
    Subject: [PATCH net] pptp: fix stack info leak in pptp_getname()

    pptp_getname() only partially initializes the stack variable sa,
    particularly only fills the pptp part of the sa_addr union. The code
    thereby discloses 16 bytes of kernel stack memory via getsockname().
    Fix this by memset(0)'ing the union before.

    Cc: Dmitry Kozlov <xeb@mail.ru>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    ---
    Probably material for stable, too -- v2.6.37+.
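The pptp_getname() leak above, as an added user-space model that is not the pptp.c change or any kernel code: a stack slot pre-filled with a marker byte stands in for leftover kernel stack, so the bytes the handler never wrote can be counted before and after the memset(0) fix. The firewire-cdev ioctl fix later in this log applies the same zero-before-use rule. Struct names, sizes and field values are constructed.

```c
/*
 * Added example, not the pptp.c fix itself: a user-space model of the
 * getsockname() info leak. "Kernel stack" is modelled as memory pre-filled
 * with a marker byte, so the bytes the handler never wrote can be counted
 * deterministically instead of relying on real leftover stack contents.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_MARKER 0xAA   /* stands in for whatever the kernel stack held before */

/* Constructed stand-ins for sockaddr_pppox; layouts are fixed and padding-free. */
struct toy_pptp_addr  { uint32_t sin_addr; uint32_t call_id; };   /*  8 bytes */
struct toy_other_addr { uint8_t raw[24]; };                        /* 24 bytes */
struct toy_sockaddr {
    uint16_t family;
    uint16_t protocol;
    union {
        struct toy_pptp_addr  pptp;
        struct toy_other_addr other;
    } sa_addr;                                                     /* 24 bytes */
};
_Static_assert(sizeof(struct toy_sockaddr) == 28, "unexpected layout");

/* What the handler does fill in: header fields plus the pptp member only. */
static void fill_pptp(struct toy_sockaddr *sa)
{
    sa->family   = 24;                 /* AF_PPPOX-like value, constructed */
    sa->protocol = 2;                  /* PX_PROTO_PPTP-like value, constructed */
    sa->sa_addr.pptp.sin_addr = 0x0100007fu;
    sa->sa_addr.pptp.call_id  = 42;
}

/* Before the fix: the 16 bytes of the union beyond the pptp member are untouched. */
size_t getname_leaky(struct toy_sockaddr *sa, uint8_t *user_out)
{
    fill_pptp(sa);
    memcpy(user_out, sa, sizeof *sa);  /* copy_to_user() stand-in copies the whole struct */
    return sizeof *sa;
}

/* After the fix: zero the whole variable first, as the patch's memset(0) does. */
size_t getname_fixed(struct toy_sockaddr *sa, uint8_t *user_out)
{
    memset(sa, 0, sizeof *sa);
    fill_pptp(sa);
    memcpy(user_out, sa, sizeof *sa);
    return sizeof *sa;
}

/* Dirty the stack slot, run the handler, count marker bytes that reached "user space". */
size_t leaked_bytes(size_t (*handler)(struct toy_sockaddr *, uint8_t *))
{
    struct toy_sockaddr slot;          /* the local variable's stack memory */
    uint8_t out[sizeof slot];
    size_t n, i, leaked = 0;

    memset(&slot, STACK_MARKER, sizeof slot);
    n = handler(&slot, out);
    for (i = 0; i < n; i++)
        if (out[i] == STACK_MARKER)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("leaky handler discloses %zu bytes\n", leaked_bytes(getname_leaky));  /* 16 */
    printf("fixed handler discloses %zu bytes\n", leaked_bytes(getname_fixed));  /* 0 */
    return 0;
}
```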
 drivers/net/ppp/pptp.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 364afa01eb7e1e31eab44addf8f7563c3db2ae8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 19 08:37:05 2014 -0500

    increase amount of memory reserved for modules in server configs

 security/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ff71f599298edb9e77adbb8785931ee9d48832f4
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Mon Nov 10 18:00:09 2014 +0100

    net: sctp: fix memory leak in auth key management

    A very minimal and simple user space application allocating an SCTP
    socket, setting SCTP_AUTH_KEY setsockopt(2) on it and then closing the
    socket again will leak the memory containing the authentication key
    from user space:

    unreferenced object 0xffff8800837047c0 (size 16):
      comm "a.out", pid 2789, jiffies 4296954322 (age 192.258s)
      hex dump (first 16 bytes):
        01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
        [<ffffffff816d7e8e>] kmemleak_alloc+0x4e/0xb0
        [<ffffffff811c88d8>] __kmalloc+0xe8/0x270
        [<ffffffffa0870c23>] sctp_auth_create_key+0x23/0x50 [sctp]
        [<ffffffffa08718b1>] sctp_auth_set_key+0xa1/0x140 [sctp]
        [<ffffffffa086b383>] sctp_setsockopt+0xd03/0x1180 [sctp]
        [<ffffffff815bfd94>] sock_common_setsockopt+0x14/0x20
        [<ffffffff815beb61>] SyS_setsockopt+0x71/0xd0
        [<ffffffff816e58a9>] system_call_fastpath+0x12/0x17
        [<ffffffffffffffff>] 0xffffffffffffffff

    This is bad because of two things: we can bring down a machine from
    user space when auth_enable=1, but also we would leave security
    sensitive keying material in memory without clearing it after use.
    The issue is that sctp_auth_create_key() already sets the refcount
    to 1, but after allocation sctp_auth_set_key() does an additional
    refcount on it, thus leaving it around when we free the socket.

    Fixes: 65b07e5d0d0 ("[SCTP]: API updates to suport SCTP-AUTH extensions.")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/auth.c | 2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit 93687bc50e84e3466e54149ffe09df189097c2b4
Author: Nadav Amit <namit@cs.technion.ac.il>
Date:   Wed Sep 17 02:50:50 2014 +0300

    KVM: x86: Don't report guest userspace emulation error to userspace

    Commit fc3a9157d314 ("KVM: X86: Don't report L2 emulation failures to
    user-space") disabled the reporting of L2 (nested guest) emulation
    failures to userspace due to race-condition between a vmexit and the
    instruction emulator. The same rationale applies also to userspace
    applications that are permitted by the guest OS to access MMIO area or
    perform PIO.

    This patch extends the current behavior - of injecting a #UD instead of
    reporting it to userspace - also for guest userspace code.

    Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 arch/x86/kvm/x86.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 10271c71740c76a8d9f05529d66476818245d289
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Mon Nov 10 17:54:26 2014 +0100

    net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet

    An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
    in the form of:

      ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>

    While the INIT chunk parameter verification dissects through many things
    in order to detect malformed input, it misses to actually check
    parameters inside of parameters. E.g. RFC5061, section 4.2.4 proposes a
    'set primary IP address' parameter in ASCONF, which has as a subparameter
    an address parameter.

    So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
    or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
    and thus sctp_get_af_specific() returns NULL, too, which we then happily
    dereference unconditionally through af->from_addr_param().

    The trace for the log:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
    IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
    PGD 0
    Oops: 0000 [#1] SMP
    [...]
    Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
    RIP: 0010:[<ffffffffa01e9c62>]  [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
    [...]
    Call Trace:
     <IRQ>
     [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
     [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
     [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
     [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
     [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
     [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
     [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
     [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
     [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
     [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
     [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
     [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
    [...]

    A minimal way to address this is to check for NULL as we do on all
    other such occasions where we know sctp_get_af_specific() could
    possibly return with NULL.

    Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/sm_make_chunk.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit cf03f413cb7a521f972d043fd44dd3286e02faa5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 14 23:06:29 2014 -0500

    Backport:

    Author: Dan Carpenter <dan.carpenter@oracle.com>
    Date:   Fri Sep 5 09:09:28 2014 -0300

    [media] ttusb-dec: buffer overflow in ioctl

    We need to add a limit check here so we don't overflow the buffer.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

 drivers/media/dvb/ttusb-dec/ttusbdecfe.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 0a3190868b001a2defe98eac355a39bbfe01d772
Author: Ilya Dryomov <idryomov@redhat.com>
Date:   Thu Oct 23 00:25:22 2014 +0400

    libceph: do not crash on large auth tickets

    Large (greater than 32k, the value of PAGE_ALLOC_COSTLY_ORDER) auth
    tickets will have their buffers vmalloc'ed, which leads to the
    following crash in crypto:

    [   28.685082] BUG: unable to handle kernel paging request at ffffeb04000032c0
    [   28.686032] IP: [<ffffffff81392b42>] scatterwalk_pagedone+0x22/0x80
    [   28.686032] PGD 0
    [   28.688088] Oops: 0000 [#1] PREEMPT SMP
    [   28.688088] Modules linked in:
    [   28.688088] CPU: 0 PID: 878 Comm: kworker/0:2 Not tainted 3.17.0-vm+ #305
    [   28.688088] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
    [   28.688088] Workqueue: ceph-msgr con_work
    [   28.688088] task: ffff88011a7f9030 ti: ffff8800d903c000 task.ti: ffff8800d903c000
    [   28.688088] RIP: 0010:[<ffffffff81392b42>]  [<ffffffff81392b42>] scatterwalk_pagedone+0x22/0x80
    [   28.688088] RSP: 0018:ffff8800d903f688  EFLAGS: 00010286
    [   28.688088] RAX: ffffeb04000032c0 RBX: ffff8800d903f718 RCX: ffffeb04000032c0
    [   28.688088] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8800d903f750
    [   28.688088] RBP: ffff8800d903f688 R08: 00000000000007de R09: ffff8800d903f880
    [   28.688088] R10: 18df467c72d6257b R11: 0000000000000000 R12: 0000000000000010
    [   28.688088] R13: ffff8800d903f750 R14: ffff8800d903f8a0 R15: 0000000000000000
    [   28.688088] FS:  00007f50a41c7700(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
    [   28.688088] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    [   28.688088] CR2: ffffeb04000032c0 CR3: 00000000da3f3000 CR4: 00000000000006b0
    [   28.688088] Stack:
    [   28.688088]  ffff8800d903f698 ffffffff81392ca8 ffff8800d903f6e8 ffffffff81395d32
    [   28.688088]  ffff8800dac96000 ffff880000000000 ffff8800d903f980 ffff880119b7e020
    [   28.688088]  ffff880119b7e010 0000000000000000 0000000000000010 0000000000000010
    [   28.688088] Call Trace:
    [   28.688088]  [<ffffffff81392ca8>] scatterwalk_done+0x38/0x40
    [   28.688088]  [<ffffffff81392ca8>] scatterwalk_done+0x38/0x40
    [   28.688088]  [<ffffffff81395d32>] blkcipher_walk_done+0x182/0x220
    [   28.688088]  [<ffffffff813990bf>] crypto_cbc_encrypt+0x15f/0x180
    [   28.688088]  [<ffffffff81399780>] ? crypto_aes_set_key+0x30/0x30
    [   28.688088]  [<ffffffff8156c40c>] ceph_aes_encrypt2+0x29c/0x2e0
    [   28.688088]  [<ffffffff8156d2a3>] ceph_encrypt2+0x93/0xb0
    [   28.688088]  [<ffffffff8156d7da>] ceph_x_encrypt+0x4a/0x60
    [   28.688088]  [<ffffffff8155b39d>] ? ceph_buffer_new+0x5d/0xf0
    [   28.688088]  [<ffffffff8156e837>] ceph_x_build_authorizer.isra.6+0x297/0x360
    [   28.688088]  [<ffffffff8112089b>] ? kmem_cache_alloc_trace+0x11b/0x1c0
    [   28.688088]  [<ffffffff8156b496>] ? ceph_auth_create_authorizer+0x36/0x80
    [   28.688088]  [<ffffffff8156ed83>] ceph_x_create_authorizer+0x63/0xd0
    [   28.688088]  [<ffffffff8156b4b4>] ceph_auth_create_authorizer+0x54/0x80
    [   28.688088]  [<ffffffff8155f7c0>] get_authorizer+0x80/0xd0
    [   28.688088]  [<ffffffff81555a8b>] prepare_write_connect+0x18b/0x2b0
    [   28.688088]  [<ffffffff81559289>] try_read+0x1e59/0x1f10

    This is because we set up crypto scatterlists as if all buffers were
    kmalloc'ed. Fix it.
    Cc: stable@vger.kernel.org
    Signed-off-by: Ilya Dryomov <idryomov@redhat.com>
    Reviewed-by: Sage Weil <sage@redhat.com>

 net/ceph/crypto.c | 169 +++++++++++++++++++++++++++++++++++++++++------------
 1 files changed, 132 insertions(+), 37 deletions(-)

commit aafa4475f259b57627560b2bc4ab940d1cee8175
Author: Stefan Richter <stefanr@s5r6.in-berlin.de>
Date:   Tue Nov 11 17:16:44 2014 +0100

    firewire: cdev: prevent kernel stack leaking into ioctl arguments

    Found by the UC-KLEE tool: A user could supply less input to
    firewire-cdev ioctls than write- or write/read-type ioctl handlers
    expect. The handlers used data from uninitialized kernel stack then.

    This could partially leak back to the user if the kernel subsequently
    generated fw_cdev_event_'s (to be read from the firewire-cdev fd)
    which notably would contain the _u64 closure field which many of the
    ioctl argument structures contain. The fact that the handlers would
    act on random garbage input is a lesser issue since all handlers must
    check their input anyway.

    The fix simply always null-initializes the entire ioctl argument buffer
    regardless of the actual length of expected user input. That is, a
    runtime overhead of memset(..., 40) is added to each firewire-cdev
    ioctl() call. [Comment from Clemens Ladisch: This part of the stack is
    most likely to be already in the cache.]

    Remarks:
      - There was never any leak from kernel stack to the ioctl output
        buffer itself. IOW, it was not possible to read kernel stack by a
        read-type or write/read-type ioctl alone; the leak could at most
        happen in combination with read()ing subsequent event data.
      - The actual expected minimum user input of each ioctl from
        include/uapi/linux/firewire-cdev.h is, in bytes:
          [0x00] = 32, [0x05] =  4, [0x0a] = 16, [0x0f] = 20, [0x14] = 16,
          [0x01] = 36, [0x06] = 20, [0x0b] =  4, [0x10] = 20, [0x15] = 20,
          [0x02] = 20, [0x07] =  4, [0x0c] =  0, [0x11] =  0, [0x16] =  8,
          [0x03] =  4, [0x08] = 24, [0x0d] = 20, [0x12] = 36, [0x17] = 12,
          [0x04] = 20, [0x09] = 24, [0x0e] =  4, [0x13] = 40, [0x18] =  4.

    Reported-by: David Ramos <daramos@stanford.edu>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>

 drivers/firewire/core-cdev.c | 3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit e2af9fe7a51667cabae68a142529a2db2fd4ccdc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 12 18:06:32 2014 -0500

    fix a case of DMA-on-stack reported here:
    https://bugs.archlinux.org/task/42756

    Conflicts:
        drivers/staging/line6/driver.c

 drivers/staging/line6/driver.c | 17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

commit df8edaa95c47032e8fe57fe7222b829d76c02e63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 9 17:51:13 2014 -0500

    update mkspec to also chmod /boot, etc since we have no control over
    generated initrd images

 scripts/package/mkspec | 10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit a212bffcabd3bfc120a967d10703f9510ae461c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 9 08:51:17 2014 -0500

    set directory mode to 500

 scripts/package/mkspec | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 5d086b901dee6040ed285aab22ccefc5c8f75d3a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 9 07:56:51 2014 -0500

    force make rpm to install sensitive files with 0400

 scripts/package/mkspec | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 11f4f37191435da7708d941b0299a94ad10678b5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 8 21:54:19 2014 -0500

    backport mkspec

 scripts/package/mkspec | 48 +++++++++++++++++++++++++++++++++++++++++-------
 1 files changed, 41 insertions(+), 7 deletions(-)

commit 4eef462cd7f38a5e1a1efa098c8f17c4d4474652
Author: Mike Marciniszyn <mike.marciniszyn@intel.com>
Date:   Mon Jun 24 08:48:37 2013 -0400

    kbuild: fix error when building from src rpm

    The following issue can be reproduced with Linus' tree on an x86_64
    server.

    >+ cp /home/user/rpmbuild-test/BUILDROOT/kernel-3.9.2.x86_64/boot/vmlinuz-3.9.2
    >cp: missing destination file operand after
    >/home/user/rpmbuild-test/BUILDROOT/kernel-3.9.2-1.x86_64/boot/vmlinuz-3.9.2'
    >Try `cp --help' for more information.
    >error: Bad exit status from /var/tmp/rpm-tmp.R4o0iI (%install)

    Here are the commands to reproduce:

    make defconfig
    make rpm-pkg

    Use the resulting src rpm to build as follows:

    mkdir ~/rpmbuild-test
    cd ~/rpmbuild-test
    rpmbuild --rebuild --define "_topdir `pwd`" -vv ~/rpmbuild/SRPMS/kernel-3.10.0_rc1+-1.src.rpm

    The issue is because the %install script uses $KBUILD_IMAGE and it
    hasn't been set since it is only available in the kbuild system and
    not in the %install script.

    This patch adds a Makefile target to emit the image_name that can be
    used and modifies the mkspec to use the dynamic name in %install.

    Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
    Signed-off-by: Michal Marek <mmarek@suse.cz>

    Conflicts:
        Makefile

 Makefile               | 15 ++++++++++++++-
 scripts/package/mkspec | 1 +
 2 files changed, 15 insertions(+), 1 deletions(-)

commit 76503f668448645f0026a0aaabee4d2517c41d55
Author: Robert Richter <robert.richter@calxeda.com>
Date:   Thu May 2 14:50:37 2013 +0200

    Makefile: Fix install error with make -j option

    Make modules_install fails with -j option:

      DEPMOD
    Usage: .../.source/linux/scripts/depmod.sh /sbin/depmod <kernelrelease>
    make[1]: *** [_modinst_post] Error 1

    Adding kernelrelease dependency to fix this.

    Signed-off-by: Robert Richter <robert.richter@calxeda.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Michal Marek <mmarek@suse.cz>

 Makefile | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1fcf40a8dc8791d0609c26ea638172acbdc977c8
Author: 张忠山 <zzs0213@gmail.com>
Date:   Sun Jun 30 17:09:28 2013 +0800

    kbuild: create directory for dir/file.o

    When adding an obj with a dir to obj-y, like this:

        obj-y += dir/file.o

    $(obj)/dir is not created; this patch fixes this.

    When trying to add a file (which is in a subdir) to my board's obj-y,
    the build progress crashed. For example, I use the at91rm9200ek board,
    and in the kernel dir run:

        mkdir objtree
        make O=objtree at91rm9200_defconfig
        mkdir arch/arm/mach-at91/dir
        touch arch/arm/mach-at91/dir/file.c

    and edit arch/arm/mach-at91/dir/file.c to add some code. Then edit
    arch/arm/mach-at91/Makefile, change the following line:

        obj-$(CONFIG_MACH_AT91RM9200EK) += board-rm9200ek.o

    to:

        obj-$(CONFIG_MACH_AT91RM9200EK) += board-rm9200ek.o dir/file.o

    Now build it:

        make O=objtree

    Then the error appears:

        ...
          CC      arch/arm/mach-at91/board-rm9200dk.o
          CC      arch/arm/mach-at91/board-rm9200ek.o
          CC      arch/arm/mach-at91/dir/file.o
        linux-2.6/arch/arm/mach-at91/dir/file.c:5: fatal error: opening dependency file arch/arm/mach-at91/dir/.file.o.d: No such file or directory

    Check the objtree:

        LANG=en ls objtree/arch/arm/mach-at91/dir
        ls: cannot access objtree/arch/arm/mach-at91/dir: No such file or directory

    It is apparent that the target dir is not created for file.o.

    Checking the kbuild source code, it seems that kbuild creates dirs for
    that in $(obj-dirs). But if the dir does not need to create a
    built-in.o, it will never be in $(obj-dirs). So I made this patch to
    make sure it is in $(obj-dirs).

    This bug was caused by commit f5fb976520a53f45f8bbf2e851f16b3b5558d485

    Signed-off-by: 张忠山 <zzs0213@gmail.com>
    Signed-off-by: Michal Marek <mmarek@suse.cz>

 scripts/Makefile.lib | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 45244eed041187d7d0646fc706b5b6aa42cfb0f5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 6 19:32:02 2014 -0500

    add additional unnecessary checks

 kernel/trace/trace_syscalls.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 4a99fd4808d62e255d9ca9eee53b22548409b184
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 6 19:26:53 2014 -0500

    add additional unnecessary checks

 kernel/trace/trace_syscalls.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 8a0f199e3ee0e27d0ec77b508f8fedbfd4b416c3
Author: Rabin Vincent <rabin@rab.in>
Date:   Wed Oct 29 23:06:58 2014 +0100

    tracing/syscalls: Ignore numbers outside NR_syscalls' range

    ARM has some private syscalls (for example, set_tls(2)) which lie
    outside the range of NR_syscalls. If any of these are called while
    syscall tracing is being performed, out-of-bounds array access will
    occur in the ftrace and perf sys_{enter,exit} handlers.

     # trace-cmd record -e raw_syscalls:* true && trace-cmd report
     ...
     true-653   [000]   384.675777: sys_enter:            NR 192 (0, 1000, 3, 4000022, ffffffff, 0)
     true-653   [000]   384.675812: sys_exit:             NR 192 = 1995915264
     true-653   [000]   384.675971: sys_enter:            NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1)
     true-653   [000]   384.675988: sys_exit:             NR 983045 = 0
     ...
# trace-cmd record -e syscalls:* true [ 17.289329] Unable to handle kernel paging request at virtual address aaaaaace [ 17.289590] pgd = 9e71c000 [ 17.289696] [aaaaaace] *pgd=00000000 [ 17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM [ 17.290169] Modules linked in: [ 17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21 [ 17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000 [ 17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8 [ 17.290866] LR is at syscall_trace_enter+0x124/0x184 Fix this by ignoring out-of-NR_syscalls-bounds syscall numbers. Commit cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls" added the check for less than zero, but it should have also checked for greater than NR_syscalls. Link: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in Fixes: cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls" Cc: stable@vger.kernel.org # 2.6.33+ Signed-off-by: Rabin Vincent <rabin@rab.in> Signed-off-by: Steven Rostedt <rostedt@goodmis.org> Conflicts: kernel/trace/trace_syscalls.c kernel/trace/trace_syscalls.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 2266e7f10843e5604f5bad64cf5ffcf3bc682ec1 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Nov 5 18:58:28 2014 -0500 remove duplicate definition of alarm_expires_remaining() kernel/time/alarmtimer.c | 6 ------ 1 files changed, 0 insertions(+), 6 deletions(-) commit 84ce6cc8416f8efdd4e89f2e315f4856b4074573 Merge: 2ce01ec d8acbe5 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Nov 5 17:58:45 2014 -0500 Merge branch 'pax-stable' into grsec-stable Conflicts: net/ceph/mon_client.c commit d8acbe5f02ec899be4eb1dd4e2cc28b2c9db7694 Merge: 0ae27fae 7d039b9 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Nov 5 17:57:14 2014 -0500 Merge branch 'linux-3.2.y' into pax-stable Conflicts: arch/x86/kvm/vmx.c commit 2ce01ec7e2fa13e6127ead8d3ff2b9f25328a3eb Author: Brad Spengler <spender@grsecurity.net> 
Date:   Sun Nov 2 07:48:21 2014 -0500

    Apply https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=12;filename=ipv6-reuse-ip6_frag_id-from-ip6_ufo_append_data.patch;att=1;bug=766195

 net/ipv6/udp.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6d89098a102aa6e390bd81afc0251481153a0000
Merge: d1aabff 0ae27fae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 31 20:01:33 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
        tools/gcc/size_overflow_plugin/size_overflow_hash.data

commit 0ae27fae60a294e66c123c86514a703755ba0a7f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 31 20:00:03 2014 -0400

    Update to pax-linux-3.2.63-test161.patch:
    - added pax_sanitize_slab=full mode, by Mathias Krause <minipli@googlemail.com>
    - fixed pax_sanitize_slab breakage on SLAB_DESTROY_BY_RCU slabs, by Mathias Krause <minipli@googlemail.com>
      - this should fix several reports:
        - https://forums.grsecurity.net/viewtopic.php?f=1&t=4020
        - https://forums.grsecurity.net/viewtopic.php?f=3&t=4037
        - https://forums.grsecurity.net/viewtopic.php?f=1&t=4071
    - updated size overflow hash table

 Documentation/kernel-parameters.txt              |  9 ++++-
 include/linux/slab.h                             |  7 +++-
 mm/mm_init.c                                     | 24 ++++++++++---
 mm/slab.c                                        | 22 +++++++----
 mm/slob.c                                        | 37 ++++++++++++--------
 mm/slub.c                                        | 13 ++++++-
 security/Kconfig                                 |  8 +++-
 .../size_overflow_plugin/size_overflow_hash.data |  6 +++-
 8 files changed, 91 insertions(+), 35 deletions(-)

commit d1aabffb4f6d13f860ddf15a44d69f0a2cb6f6f2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Oct 25 09:04:00 2014 -0400

    remove memweight prototype added in recent backport, thanks to minipli

 include/linux/string.h | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit aa0ebeb5f62bea5736cbc2ad48383398ad2edbe8
Author: Cesar Eduardo Barros <cesarb@cesarb.eti.br>
Date:   Mon Nov 25 22:00:41 2013 -0200

    Backport OPTIMIZER_HIDE_VAR from cesarb@cesarb.eti.br

    Conflicts:
        crypto/memneq.c
        include/linux/compiler.h

 include/linux/compiler-gcc.h   | 3 +++
 include/linux/compiler-intel.h | 7 +++++++
 include/linux/compiler.h       | 4 ++++
 3 files changed, 14 insertions(+), 0 deletions(-)

commit 33ae23dc594e91d4a7456e5c4921b49391d93f97
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 24 22:14:37 2014 -0400

    compile fix

 net/ipv4/ipmr.c | 4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 52630e6e12591ebb415b3921b285eeabcae752f2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 24 21:53:05 2014 -0400

    compile fix

 fs/xfs/xfs_iget.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 95b3935d5b5e01119d49aba3c2043907d505ac20
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 24 21:39:40 2014 -0400

    add missing rcu_read_unlock() to upstream code

 fs/xfs/xfs_iget.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 2263a7d02fa8569eb4ec15d8f5440be3157e4dc1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 24 21:38:14 2014 -0400

    add missing rcu_read_unlock() to upstream code

 net/ipv4/ipmr.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 4dbd1dfaac8b2935eb0232076dbcdee22bc2c2b0
Author: Hugh Dickins <hughd@google.com>
Date:   Mon Mar 3 15:38:23 2014 -0800

    lib/radix-tree.c: swapoff tmpfs radix_tree: remember to rcu_read_unlock

    Running fsx on tmpfs with concurrent memhog-swapoff-swapon, lots of

    BUG: sleeping function called from invalid context at kernel/fork.c:606
    in_atomic(): 0, irqs_disabled(): 0, pid: 1394, name: swapoff
    1 lock held by swapoff/1394:
     #0: (rcu_read_lock){.+.+.+}, at: [<ffffffff812520a1>] radix_tree_locate_item+0x1f/0x2b6

    followed by

    ================================================
    [ BUG: lock held when returning to user space! ]
    3.14.0-rc1 #3 Not tainted
    ------------------------------------------------
    swapoff/1394 is leaving the kernel with locks still held!
    1 lock held by swapoff/1394:
     #0: (rcu_read_lock){.+.+.+}, at: [<ffffffff812520a1>] radix_tree_locate_item+0x1f/0x2b6

    after which the system recovered nicely.
    Whoops, I long ago forgot the rcu_read_unlock() on one unlikely branch.

    Fixes e504f3fdd63d ("tmpfs radix_tree: locate_item to speed up swapoff")
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/radix-tree.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit e98b77860805307f14a4a2dd28d0c2be1a6a1fa8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 24 21:04:47 2014 -0400

    add missing rcu_read_unlock() to upstream code

 block/blk-throttle.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 9b86430ca1bb41a884684c6973dd855d5cb9a9ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 24 21:02:44 2014 -0400

    add missing rcu_read_unlock() to upstream code

 drivers/acpi/atomicio.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e5f58ab0435a2de85281a5f0381ae8fc42f4cb53
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 24 21:02:07 2014 -0400

    add missing rcu_read_unlock() to upstream code

 drivers/acpi/atomicio.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit fc16ca66e9b6650d822767836eb118169400987c
Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Date:   Fri Oct 17 22:55:59 2014 +0200

    kvm: fix excessive pages un-pinning in kvm_iommu_map error path.

    The third parameter of kvm_unpin_pages() when called from kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin and not the page size.

    This error was facilitated with an inconsistent API: kvm_pin_pages() takes a size, but kvm_unpin_pages() takes a number of pages, so fix the problem by matching the two.

    This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of un-pinning for pages intended to be un-pinned (i.e.
    memory leak) but unfortunately potentially aggravated the number of pages we un-pin that should have stayed pinned. As far as I understand though, the same practical mitigations apply.

    This issue was found during review of Red Hat 6.6 patches to prepare Ksplice rebootless updates.

    Thanks to Vegard for his time on a late Friday evening to help me in understanding this code.

    Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
    Cc: stable@vger.kernel.org
    Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
    Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
    Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
    Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

    Conflicts:
        virt/kvm/iommu.c

 virt/kvm/iommu.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 27cf85cd00dbaf29559b9a497fefbd49e888b031
Author: David S. Miller <davem@davemloft.net>
Date:   Thu Oct 23 12:58:13 2014 -0700

    sparc64: Fix register corruption in top-most kernel stack frame during boot.

    Meelis Roos reported that kernels built with gcc-4.9 do not boot, we eventually narrowed this down to only impacting machines using UltraSPARC-III and derivative cpus.

    The crash happens right when the first user process is spawned:

    [ 54.451346] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000004
    [ 54.451346]
    [ 54.571516] CPU: 1 PID: 1 Comm: init Not tainted 3.16.0-rc2-00211-gd7933ab #96
    [ 54.666431] Call Trace:
    [ 54.698453]  [0000000000762f8c] panic+0xb0/0x224
    [ 54.759071]  [000000000045cf68] do_exit+0x948/0x960
    [ 54.823123]  [000000000042cbc0] fault_in_user_windows+0xe0/0x100
    [ 54.902036]  [0000000000404ad0] __handle_user_windows+0x0/0x10
    [ 54.978662] Press Stop-A (L1-A) to return to the boot prom
    [ 55.050713] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000004

    Further investigation showed that compiling only per_cpu_patch() with an older compiler fixes the boot.
    Detailed analysis showed that the function is not being miscompiled by gcc-4.9, but it is using a different register allocation ordering.

    With the gcc-4.9 compiled function, something during the code patching causes some of the %i* input registers to get corrupted. Perhaps we have a TLB miss path into the firmware that is deep enough to cause a register window spill and subsequent restore when we get back from the TLB miss trap.

    Let's plug this up by doing two things:

    1) Stop using the firmware stack for client interface calls into the firmware. Just use the kernel's stack.

    2) As soon as we can, call into a new function "start_early_boot()" to put a one-register-window buffer between the firmware's deepest stack frame and the top-most initial kernel one.

    Reported-by: Meelis Roos <mroos@linux.ee>
    Tested-by: Meelis Roos <mroos@linux.ee>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        arch/sparc/include/asm/oplib_64.h
        arch/sparc/include/asm/setup.h
        arch/sparc/kernel/entry.h

    Conflicts:
        arch/sparc/include/asm/setup.h
        arch/sparc/kernel/entry.h
        arch/sparc/kernel/setup_64.c

 arch/sparc/include/asm/oplib_64.h |  3 +-
 arch/sparc/include/asm/setup.h    |  4 +++
 arch/sparc/kernel/entry.h         | 11 +++------
 arch/sparc/kernel/head_64.S       | 40 +++---------------------------------
 arch/sparc/kernel/hvtramp.S       |  1 -
 arch/sparc/kernel/setup_64.c      | 28 ++++++++++++++++++-------
 arch/sparc/kernel/trampoline_64.S | 12 ++++++----
 arch/sparc/prom/cif.S             |  5 +--
 arch/sparc/prom/init_64.c         |  6 ++--
 arch/sparc/prom/p1275.c           |  2 -
 10 files changed, 46 insertions(+), 66 deletions(-)

commit ae29f67b96cc0744b9860cf92f14f75c651d123b
Author: David S. Miller <davem@davemloft.net>
Date:   Fri Oct 24 09:59:02 2014 -0700

    sparc64: Implement __get_user_pages_fast().

    It is not sufficient to only implement get_user_pages_fast(), you must also implement the atomic version __get_user_pages_fast() otherwise you end up using the weak symbol fallback implementation which simply returns zero.
    This is dangerous, because it causes the futex code to loop forever if transparent hugepages are supported (see get_futex_key()).

    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/mm/gup.c | 30 ++++++++++++++++++++++++++++++
 1 files changed, 30 insertions(+), 0 deletions(-)

commit 15bd5778f6b3afd30e34de674ec90f0137e9fefb
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Mon Oct 13 18:59:09 2014 -0600

    clocksource: Remove "weak" from clocksource_default_clock() declaration

    kernel/time/jiffies.c provides a default clocksource_default_clock() definition explicitly marked "weak". arch/s390 provides its own definition intended to override the default, but the "weak" attribute on the declaration applied to the s390 definition as well, so the linker chose one based on link order (see 10629d711ed7 ("PCI: Remove __weak annotation from pcibios_get_phb_of_node decl")).

    Remove the "weak" attribute from the clocksource_default_clock() declaration so we always prefer a non-weak definition over the weak one, independent of link order.

    Fixes: f1b82746c1e9 ("clocksource: Cleanup clocksource selection")
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Acked-by: John Stultz <john.stultz@linaro.org>
    Acked-by: Ingo Molnar <mingo@kernel.org>
    CC: Daniel Lezcano <daniel.lezcano@linaro.org>
    CC: Martin Schwidefsky <schwidefsky@de.ibm.com>

 include/linux/clocksource.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 424b26633455d26d7239285884ea38185f7c0bea
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Mon Oct 13 19:00:25 2014 -0600

    kgdb: Remove "weak" from kgdb_arch_pc() declaration

    kernel/debug/debug_core.c provides a default kgdb_arch_pc() definition explicitly marked "weak".
    Several architectures provide their own definitions intended to override the default, but the "weak" attribute on the declaration applied to the arch definitions as well, so the linker chose one based on link order (see 10629d711ed7 ("PCI: Remove __weak annotation from pcibios_get_phb_of_node decl")).

    Remove the "weak" attribute from the declaration so we always prefer a non-weak definition over the weak one, independent of link order.

    Fixes: 688b744d8bc8 ("kgdb: fix signedness mixmatches, add statics, add declaration to header")
    Tested-by: Vineet Gupta <vgupta@synopsys.com> # for ARC build
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Reviewed-by: Harvey Harrison <harvey.harrison@gmail.com>

 include/linux/kgdb.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit cd6d89dd9f50d38c331519ae5b5727f744679480
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Tue Aug 26 23:16:35 2014 -0400

    random: add and use memzero_explicit() for clearing data

    zatimend has reported that in his environment (3.16/gcc4.8.3/corei7) memset() calls which clear out sensitive data in extract_{buf,entropy,entropy_user}() in random driver are being optimized away by gcc.

    Add a helper memzero_explicit() (similarly as explicit_bzero() variants) that can be used in such cases where a variable with sensitive data is being cleared out in the end. Other use cases might also be in crypto code.

    [ I have put this into lib/string.c though, as it's always built-in and doesn't need any dependencies then. ]

    Fixes kernel bugzilla: 82041
    Reported-by: zatimend@hotmail.co.uk
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Cc: Alexey Dobriyan <adobriyan@gmail.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@vger.kernel.org

    Conflicts:
        drivers/char/random.c
        include/linux/string.h

 drivers/char/random.c  | 10 +++++-----
 include/linux/string.h |  6 +++++-
 lib/string.c           | 16 ++++++++++++++++
 3 files changed, 26 insertions(+), 6 deletions(-)

commit 1eca6943de770d5ac058934e455cec897306ea41
Author: Li RongQing <roy.qing.li@gmail.com>
Date:   Wed Oct 22 17:09:53 2014 +0800

    xfrm6: fix a potential use after free in xfrm6_policy.c

    pskb_may_pull() may change skb->data and make the nh and exthdr pointers obsolete, so recompute nh and exthdr

    Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/xfrm6_policy.c | 11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit 956456e7076fcfd07485e0f2684d0e5a190a3c73
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 22 20:20:21 2014 -0400

    compile fix

 net/ipv4/inet_hashtables.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 120ea2af6c8332faf60d13774ec9c3794d70e425
Author: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Date:   Thu Jun 28 02:57:49 2012 +0000

    netfilter: nfnetlink: fix missing rcu_read_unlock in nfnetlink_rcv_msg

    Bug added in commit 6b75e3e8d664a9a (netfilter: nfnetlink: add RCU in nfnetlink_rcv_msg())

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nfnetlink.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 056a85cc432d465ef8a51bb69a6b01366466e717
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 22 18:36:16 2014 -0400

    Remove argument from gr_update_task_in_ip_table, as it's always called with 'current'
 grsecurity/grsec_sock.c    | 4 ++--
 net/ipv4/inet_hashtables.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit b27761767932b4052399e4722dc3fb412e2eed24
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 22 18:19:01 2014 -0400

    hold sighand lock while accessing ->signal

 fs/proc/array.c | 10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit 822662d8112a3078613bef60e41c2e0266526c65
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Oct 20 17:34:00 2014 -0400

    Revert "x86,kvm,vmx: Preserve CR4 across VM entry"

    This reverts commit ae21ca789a180a1146d84440d0293f9f8dce5875.

 arch/x86/kvm/vmx.c | 16 ++--------------
 1 files changed, 2 insertions(+), 14 deletions(-)

commit 47b962c93d130853fdadd9b27a14b26068c599e6
Author: David S. Miller <davem@davemloft.net>
Date:   Sat Oct 18 23:12:33 2014 -0400

    sparc64: Do not define thread fpregs save area as zero-length array.

    This breaks the stack end corruption detection facility.

    What that facility does is write a magic value to "end_of_stack()" and check to see if it gets overwritten.

    "end_of_stack()" is "task_thread_info(p) + 1", which for sparc64 is the beginning of the FPU register save area.

    So once the user uses the FPU, the magic value is overwritten and the debug checks trigger.

    Fix this by making the size explicit.

    Due to the size we use for the fpsaved[], gsr[], and xfsr[] arrays we are limited to 7 levels of FPU state saves. So each FPU register set is 256 bytes, allocate 256 * 7 for the fpregs area.

    Reported-by: Meelis Roos <mroos@linux.ee>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        arch/sparc/include/asm/thread_info_64.h

 arch/sparc/include/asm/thread_info_64.h | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit ae21ca789a180a1146d84440d0293f9f8dce5875
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Wed Oct 8 09:02:13 2014 -0700

    x86,kvm,vmx: Preserve CR4 across VM entry

    CR4 isn't constant; at least the TSD and PCE bits can vary.
    TBH, treating CR0 and CR3 as constant scares me a bit, too, but it looks like it's correct.

    This adds a branch and a read from cr4 to each vm entry. Because it is extremely likely that consecutive entries into the same vcpu will have the same host cr4 value, this fixes up the vmcs instead of restoring cr4 after the fact. A subsequent patch will add a kernel-wide cr4 shadow, reducing the overhead in the common case to just two memory reads and a branch.

    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: Paolo Bonzini <pbonzini@redhat.com>
    Cc: stable@vger.kernel.org
    Cc: Petr Matousek <pmatouse@redhat.com>
    Cc: Gleb Natapov <gleb@kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Conflicts:
        arch/x86/kvm/vmx.c

    Conflicts:
        arch/x86/kvm/vmx.c

    Conflicts:
        arch/x86/kvm/vmx.c

 arch/x86/kvm/vmx.c | 16 ++++++++++++++--
 1 files changed, 14 insertions(+), 2 deletions(-)

commit b025a1925f7ea22127022fba62cf4f7abb9abc91
Author: Catalin Marinas <catalin.marinas@arm.com>
Date:   Fri Oct 17 17:38:49 2014 +0100

    futex: Ensure get_futex_key_refs() always implies a barrier

    Commit b0c29f79ecea (futexes: Avoid taking the hb->lock if there's nothing to wake up) changes the futex code to avoid taking a lock when there are no waiters. This code has been subsequently fixed in commit 11d4616bd07f (futex: revert back to the explicit waiter counting code). Both the original commit and the fix-up rely on get_futex_key_refs() to always imply a barrier.

    However, for private futexes, none of the cases in the switch statement of get_futex_key_refs() would be hit and the function completes without a memory barrier as required before checking the "waiters" in futex_wake() -> hb_waiters_pending(). The consequence is a race with a thread waiting on a futex on another CPU, allowing the waker thread to read "waiters == 0" while the waiter thread to have read "futex_val == locked" (in kernel).
    Without this fix, the problem (user space deadlocks) can be seen with Android bionic's mutex implementation on an arm64 multi-cluster system.

    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    Reported-by: Matteo Franchin <Matteo.Franchin@arm.com>
    Fixes: b0c29f79ecea (futexes: Avoid taking the hb->lock if there's nothing to wake up)
    Acked-by: Davidlohr Bueso <dave@stgolabs.net>
    Tested-by: Mike Galbraith <umgwanakikbuti@gmail.com>
    Cc: <stable@vger.kernel.org>
    Cc: Darren Hart <dvhart@linux.intel.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/futex.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 7dcfaa72177dd7ea055b02d7132e06032a46feea
Author: Stephen Smalley <sds@tycho.nsa.gov>
Date:   Mon Oct 6 16:32:52 2014 -0400

    selinux: fix inode security list corruption

    sb_finish_set_opts() can race with inode_free_security() when initializing inode security structures for inodes created prior to initial policy load or by the filesystem during ->mount(). This appears to have always been a possible race, but commit 3dc91d4 ("SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()") made it more evident by immediately reusing the unioned list/rcu element of the inode security structure for call_rcu() upon an inode_free_security(). But the underlying issue was already present before that commit as a possible use-after-free of isec.

    Shivnandan Kumar reported the list corruption and proposed a patch to split the list and rcu elements out of the union as separate fields of the inode_security_struct so that setting the rcu element would not affect the list element. However, this would merely hide the issue and not truly fix the code.

    This patch instead moves up the deletion of the list entry prior to dropping the sbsec->isec_lock initially.
    Then, if the inode is dropped subsequently, there will be no further references to the isec.

    Reported-by: Shivnandan Kumar <shivnandan.k@samsung.com>
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore <pmoore@redhat.com>

 security/selinux/hooks.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9ead2f4f82f8812b5e708c69df0f35a43303cdd6
Author: Emil Tantilov <emil.s.tantilov@intel.com>
Date:   Thu Oct 16 15:49:02 2014 +0000

    ixgbe: check for vfs outside of sriov_num_vfs before dereference

    The check for vfinfo is not sufficient because it does not protect against specifying vf that is outside of sriov_num_vfs range. All of the ndo functions have a check for it except for ixgbevf_ndo_set_spoofcheck().

    The following patch is all we need to protect against this panic:

    ip link set p96p1 vf 0 spoofchk off

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000052
    IP: [<ffffffffa044a1c1>] ixgbe_ndo_set_vf_spoofchk+0x51/0x150 [ixgbe]

    Reported-by: Thierry Herbelot <thierry.herbelot@6wind.com>
    Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
    Acked-by: Thierry Herbelot <thierry.herbelot@6wind.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>

 drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit b339b27c54edc34ab000ed44750fd2a6f2a92d71
Author: Cong Wang <cwang@twopensource.com>
Date:   Tue Oct 14 12:35:08 2014 -0700

    rds: avoid calling sock_kfree_s() on allocation failure

    It is okay to free a NULL pointer but not okay to mischarge the socket optmem accounting. Compile test only.

    Reported-by: rucsoftsec@gmail.com
    Cc: Chien Yen <chien.yen@oracle.com>
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: Cong Wang <cwang@twopensource.com>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/rdma.c | 7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 8cb7feae433dcd9c588fa06511999428dc2523bd
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Oct 14 17:02:37 2014 -0400

    net: Trap attempts to call sock_kfree_s() with a NULL pointer.

    Unlike normal kfree() it is never right to call sock_kfree_s() with a NULL pointer, because sock_kfree_s() also has the side effect of discharging the memory from the sockets quota.

    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/sock.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 715a5366c9682a82390ada6325b9e69502eeeaf9
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Wed Oct 8 23:44:00 2014 -0400

    fix misuses of f_count() in ppp

    we used to check for "nobody else could start doing anything with that opened file" by checking that refcount was 2 or less - one for descriptor table and one we'd acquired in fget() on the way to wherever we are. That was race-prone (somebody else might have had a reference to descriptor table and do fget() just as we'd been checking) and it had become flat-out incorrect back when we switched to fget_light() on those codepaths - unlike fget(), it doesn't grab an extra reference unless the descriptor table is shared. The same change allowed a race-free check, though - we are safe exactly when refcount is less than 2.

    It was a long time ago; pre-2.6.12 for ioctl() (the codepath leading to ppp one) and 2.6.17 for sendmsg() (netlink one). OTOH, netlink hadn't grown that check until 3.9 and ppp used to live in drivers/net, not drivers/net/ppp until 3.1. The bug existed well before that, though, and the same fix used to apply in old location of file.
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

    Conflicts:
        net/netlink/af_netlink.c

 drivers/net/ppp/ppp_generic.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ade236d58652fa8f628280e4063af42ed0711124
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Sun Jul 27 13:00:41 2014 -0400

    fs: make cont_expand_zero interruptible

    This patch makes it possible to kill a process looping in cont_expand_zero. A process may spend a lot of time in this function, so it is desirable to be able to kill it.

    It happened to me that I wanted to copy a piece of data from the disk to a file. By mistake, I used the "seek" parameter to dd instead of "skip". Due to the "seek" parameter, dd attempted to extend the file and became stuck doing so - the only possibility was to reset the machine or wait many hours until the filesystem runs out of space and cont_expand_zero fails. We need this patch to be able to terminate the process.

    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/buffer.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 99897cc1fd3d5db9f99e304eaf9384e173b7f014
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Thu Oct 9 15:24:37 2014 -0700

    fsnotify: don't put user context if it was never assigned

    On some failure paths we may attempt to free user context even if it wasn't assigned yet. This will cause a NULL ptr deref and a kernel BUG.
    The path I was looking at is in inotify_new_group():

        oevent = kmalloc(sizeof(struct inotify_event_info), GFP_KERNEL);
        if (unlikely(!oevent)) {
                fsnotify_destroy_group(group);
                return ERR_PTR(-ENOMEM);
        }

    fsnotify_destroy_group() would get called here, but group->inotify_data.user is only getting assigned later:

        group->inotify_data.user = get_current_user();

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Cc: John McCutchan <john@johnmccutchan.com>
    Cc: Robert Love <rlove@rlove.org>
    Cc: Eric Paris <eparis@parisplace.org>
    Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/notify/inotify/inotify_fsnotify.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit cc70da15da095551dfa374da20202ece530aa8f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Oct 13 19:31:03 2014 -0400

    compile fix

 net/ipv4/ip_input.c  | 4 ++++
 net/ipv4/tcp_input.c | 4 ----
 2 files changed, 4 insertions(+), 4 deletions(-)

commit 68a280187838ca8f9f403f7e1762cfcc8a95147b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Oct 13 19:16:43 2014 -0400

    add reference to grsec_enable_blackhole

 net/ipv4/tcp_input.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit c165ea4f4f4e91311d13d97aa11e2759c6b8b06f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Oct 13 19:11:12 2014 -0400

    Fix RANDSTRUCT compilation with brcm80211 driver

 drivers/net/wireless/brcm80211/brcmsmac/otp.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 24fa7d5a380deef772813033a93928994f458a88
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 12 21:07:48 2014 -0400

    update GRKERNSEC_BLACKHOLE documentation

 grsecurity/Kconfig | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 180f8243abab1f9be35e3126cb661dc86e710919
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 12 21:03:37 2014 -0400

    Though it can be done easily enough with iptables by dropping packets of unknown protocols, when GRKERNSEC_BLACKHOLE is enabled avoid sending icmp protocol unreachable for unknown protocols except on the loopback interface. Suggested by @NoAgendaIT

 net/ipv4/ip_input.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 0167ef50b08f65e4d6568f935bbb39051ac051f1
Author: Mel Gorman <mgorman@suse.de>
Date:   Thu Oct 2 19:47:41 2014 +0100

    mm: migrate: Close race between migration completion and mprotect

    A migration entry is marked as write if pte_write was true at the time the entry was created. The VMA protections are not double checked when migration entries are being removed as mprotect marks write-migration-entries as read. It means that potentially we take a spurious fault to mark PTEs write again but it's straight-forward. However, there is a race between write migrations being marked read and migrations finishing. This potentially allows a PTE to be write that should have been read. Close this race by double checking the VMA permissions using maybe_mkwrite when migration completes.

    [torvalds@linux-foundation.org: use maybe_mkwrite]
    Cc: stable@vger.kernel.org
    Signed-off-by: Mel Gorman <mgorman@suse.de>
    Acked-by: Rik van Riel <riel@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Conflicts:
        mm/migrate.c

 mm/migrate.c | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit ccf387045d784306de13eb2d2d72286f486ae2aa
Author: Herton R. Krzesinski <herton@redhat.com>
Date:   Wed Oct 1 18:49:54 2014 -0300

    net/rds: fix possible double free on sock tear down

    I got a report of a double free happening at RDS slab cache. One suspicion was that may be somewhere we were doing a sock_hold/sock_put on an already freed sock.
    Thus after providing a kernel with the following change:

    static inline void sock_hold(struct sock *sk)
    {
    -       atomic_inc(&sk->sk_refcnt);
    +       if (!atomic_inc_not_zero(&sk->sk_refcnt))
    +               WARN(1, "Trying to hold sock already gone: %p (family: %hd)\n",
    +                       sk, sk->sk_family);
    }

    The warning successfully triggered:

    Trying to hold sock already gone: ffff81f6dda61280 (family: 21)
    WARNING: at include/net/sock.h:350 sock_hold()
    Call Trace:
    <IRQ>  [<ffffffff8adac135>] :rds:rds_send_remove_from_sock+0xf0/0x21b
    [<ffffffff8adad35c>] :rds:rds_send_drop_acked+0xbf/0xcf
    [<ffffffff8addf546>] :rds_rdma:rds_ib_recv_tasklet_fn+0x256/0x2dc
    [<ffffffff8009899a>] tasklet_action+0x8f/0x12b
    [<ffffffff800125a2>] __do_softirq+0x89/0x133
    [<ffffffff8005f30c>] call_softirq+0x1c/0x28
    [<ffffffff8006e644>] do_softirq+0x2c/0x7d
    [<ffffffff8006e4d4>] do_IRQ+0xee/0xf7
    [<ffffffff8005e625>] ret_from_intr+0x0/0xa
    <EOI>

    Looking at the call chain above, the only way I think this would be possible is if somewhere we already released the same socket->sock which is assigned to the rds_message at rds_send_remove_from_sock. Which seems only possible to happen after the tear down done on rds_release.

    rds_release properly calls rds_send_drop_to to drop the socket from any rds_message, and some proper synchronization is in place to avoid race with rds_send_drop_acked/rds_send_remove_from_sock. However, I still see a very narrow window where it may be possible we touch a sock already released: when rds_release races with rds_send_drop_acked, we check RDS_MSG_ON_CONN to avoid cleanup on the same rds_message, but in this specific case we don't clear rm->m_rs.
    In this case, it seems we could then go on at rds_send_drop_to and after it returns, the sock is freed by last sock_put on rds_release, with concurrently we being at rds_send_remove_from_sock; then at some point in the loop at rds_send_remove_from_sock we process an rds_message which didn't have rm->m_rs unset for a freed sock, and a possible sock_hold on an sock already gone at rds_release happens.

    This hopefully addresses the described condition above and avoids a double free on "second last" sock_put.

    In addition, I removed the comment about socket destruction on top of rds_send_drop_acked: we call rds_send_drop_to in rds_release and we should have things properly serialized there, thus I can't see the comment being accurate there.

    Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/send.c | 11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 814084597d04dad0a63fa31ec62843d1be0c1b35
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Thu Oct 2 16:17:02 2014 -0700

    perf: fix perf bug in fork()

    Oleg noticed that a cleanup by Sylvain actually uncovered a bug; by calling perf_event_free_task() when failing sched_fork() we will not yet have done the memset() on ->perf_event_ctxp[] and will therefore try and 'free' the inherited contexts, which are still in use by the parent process.

    This is bad..
Suggested-by: Oleg Nesterov <oleg@redhat.com> Reported-by: Oleg Nesterov <oleg@redhat.com> Reported-by: Sylvain 'ythier' Hitier <sylvain.hitier@gmail.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Ingo Molnar <mingo@kernel.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> kernel/events/core.c | 4 +++- kernel/fork.c | 5 +++-- 2 files changed, 6 insertions(+), 3 deletions(-) commit f9bbaa2d511c409c33108afc8d95be1458a8b399 Author: Mel Gorman <mgorman@suse.de> Date: Thu Oct 2 19:47:42 2014 +0100 mm: numa: Do not mark PTEs pte_numa when splitting huge pages This patch reverts 1ba6e0b50b ("mm: numa: split_huge_page: transfer the NUMA type from the pmd to the pte"). If a huge page is being split due a protection change and the tail will be in a PROT_NONE vma then NUMA hinting PTEs are temporarily created in the protected VMA. VM_RW|VM_PROTNONE |-----------------| ^ split here In the specific case above, it should get fixed up by change_pte_range() but there is a window of opportunity for weirdness to happen. Similarly, if a huge page is shrunk and split during a protection update but before pmd_numa is cleared then a pte_numa can be left behind. Instead of adding complexity trying to deal with the case, this patch will not mark PTEs NUMA when splitting a huge page. NUMA hinting faults will not be triggered which is marginal in comparison to the complexity in dealing with the corner cases during THP split. Cc: stable@vger.kernel.org Signed-off-by: Mel Gorman <mgorman@suse.de> Acked-by: Rik van Riel <riel@redhat.com> Acked-by: Kirill A. 
Shutemov <kirill.shutemov@linux.intel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> mm/huge_memory.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit ed22c82434784ecdb766ce2ca5b08f8271a2887a Merge: c8b7520 a072601 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Oct 6 18:28:59 2014 -0400 Merge branch 'pax-stable' into grsec-stable commit a072601054f8387ccd9ca7b25e1b852194053a60 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Oct 6 18:28:19 2014 -0400 Update to pax-linux-3.2.63-test160.patch: - fixed a potential miscompile with certain gcc versions in pax_open_kernel/pax_close_kernel, reported by gyurix and hunger arch/x86/include/asm/pgtable.h | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit c8b75207af997e24ce98faba23fdf4bf53058562 Merge: 415d00a be01ef4 Author: Brad Spengler <spender@grsecurity.net> Date: Sun Sep 28 13:57:15 2014 -0400 Merge branch 'pax-stable' into grsec-stable commit be01ef4bda6b1918b5623d98ef83ca56065bf818 Author: Brad Spengler <spender@grsecurity.net> Date: Sun Sep 28 13:56:35 2014 -0400 Update to pax-linux-3.2.63-test159.patch: - made mmap_rnd use the passed down mm on ppc - fixed some REFCOUNT false positives in drbd, reported by schiffi (https://forums.grsecurity.net/viewtopic.php?f=3&t=3786) - removed bash dependence from scripts/gcc-plugin.sh arch/powerpc/mm/mmap_64.c | 10 +++++----- arch/x86/include/asm/atomic.h | 4 ++-- drivers/block/drbd/drbd_bitmap.c | 2 +- drivers/block/drbd/drbd_int.h | 4 ++-- drivers/block/drbd/drbd_main.c | 4 ++-- drivers/block/drbd/drbd_receiver.c | 12 ++++++------ drivers/block/drbd/drbd_worker.c | 8 ++++---- scripts/gcc-plugin.sh | 28 ++++++++++++++++++---------- 8 files changed, 40 insertions(+), 32 deletions(-) commit 415d00aaae1b4639be3059a87fd1aadb40ad5fd9 Author: Mike Christie <michaelc@cs.wisc.edu> Date: Wed Sep 3 00:00:39 2014 -0500 [SCSI] libiscsi: fix potential buffer overrun in __iscsi_conn_send_pdu This patches fixes a potential 
buffer overrun in __iscsi_conn_send_pdu. This function is used by iscsi drivers and userspace to send iscsi PDUs/ commands. For login commands, we have a set buffer size. For all other commands we do not support data buffers. This was reported by Dan Carpenter here: http://www.spinics.net/lists/linux-scsi/msg66838.html Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mike Christie <michaelc@cs.wisc.edu> Reviewed-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Christoph Hellwig <hch@lst.de> Cc: stable@vger.kernel.org Signed-off-by: James Bottomley <JBottomley@Parallels.com> drivers/scsi/libiscsi.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) commit 5f973d4bb62ee99e0282101e5a86045c6a71517d Author: Anton Altaparmakov <aia21@cam.ac.uk> Date: Mon Sep 22 01:53:03 2014 +0100 Fix nasty 32-bit overflow bug in buffer i/o code. On 32-bit architectures, the legacy buffer_head functions are not always handling the sector number with the proper 64-bit types, and will thus fail on 4TB+ disks. Any code that uses __getblk() (and thus bread(), breadahead(), sb_bread(), sb_breadahead(), sb_getblk()), and calls it using a 64-bit block on a 32-bit arch (where "long" is 32-bit) causes an inifinite loop in __getblk_slow() with an infinite stream of errors logged to dmesg like this: __find_get_block_slow() failed. block=6740375944, b_blocknr=2445408648 b_state=0x00000020, b_size=512 device sda1 blocksize: 512 Note how in hex block is 0x191C1F988 and b_blocknr is 0x91C1F988 i.e. the top 32-bits are missing (in this case the 0x1 at the top). This is because grow_dev_page() is broken and has a 32-bit overflow due to shifting the page index value (a pgoff_t - which is just 32 bits on 32-bit architectures) left-shifted as the block number. But the top bits to get lost as the pgoff_t is not type cast to sector_t / 64-bit before the shift. This patch fixes this issue by type casting "index" to sector_t before doing the left shift. 
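The truncation this commit describes, worked through with the numbers from the dmesg line above, as an added example (my code, not the commit's or the kernel's): pgoff_t is modelled as a 32-bit type so the shift misbehaves exactly as on a 32-bit arch even when compiled on a 64-bit host, and getblk_slow_sim() is an assumed, bounded stand-in for the __getblk_slow() retry loop.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: pgoff_t on a 32-bit arch is 32 bits wide, sector_t is
 * 64 bits. Fixed-width types keep the demonstration valid on a 64-bit host,
 * where a native unsigned long would hide the bug. */
typedef uint32_t pgoff32_t;
typedef uint64_t sector64_t;

/* Page-cache index holding 'block' when a page holds 2^sizebits blocks
 * (sizebits = PAGE_SHIFT - blkbits, i.e. 12 - 9 = 3 for 512-byte blocks). */
static pgoff32_t page_index_for(sector64_t block, int sizebits)
{
    return (pgoff32_t)(block >> sizebits);
}

/* Pre-fix grow_dev_page(): the shift happens in pgoff_t width and only the
 * truncated result is widened, so bits above 31 are lost. */
static sector64_t first_block_buggy(pgoff32_t index, int sizebits)
{
    pgoff32_t shifted = (pgoff32_t)(index << sizebits);
    return (sector64_t)shifted;
}

/* Post-fix grow_dev_page(): widen to sector_t first, then shift. */
static sector64_t first_block_fixed(pgoff32_t index, int sizebits)
{
    return (sector64_t)index << sizebits;
}

/* Does the page whose buffers start at 'first' contain 'block'? This is the
 * b_blocknr comparison that __find_get_block_slow() performs. */
static bool page_covers(sector64_t first, int sizebits, sector64_t block)
{
    return block >= first && block < first + ((sector64_t)1 << sizebits);
}

/* Bounded stand-in for __getblk_slow()'s loop: grow the page, look for the
 * block in it, retry on failure. Returns the attempt on which the block was
 * found, or -1 if all max_tries attempts failed (the real loop never exits). */
static int getblk_slow_sim(sector64_t block, int sizebits, bool fixed, int max_tries)
{
    pgoff32_t index = page_index_for(block, sizebits);

    for (int attempt = 1; attempt <= max_tries; attempt++) {
        sector64_t first = fixed ? first_block_fixed(index, sizebits)
                                 : first_block_buggy(index, sizebits);
        if (page_covers(first, sizebits, block))
            return attempt;
        /* The kernel logs this line on every failed pass and retries. */
        printf("__find_get_block_slow() failed. block=%llu, b_blocknr=%llu\n",
               (unsigned long long)block, (unsigned long long)first);
    }
    return -1;
}

int main(void)
{
    /* Values from the commit message: 4 TiB disk, 512-byte blocks, 4 KiB pages. */
    const sector64_t block = 6740375944ULL;   /* 0x191C1F988 */
    const int sizebits = 3;

    printf("buggy: result %d\n", getblk_slow_sim(block, sizebits, false, 3));
    printf("fixed: result %d\n", getblk_slow_sim(block, sizebits, true, 3));
    return 0;
}
```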
    Note this is not a theoretical bug but has been seen in the field on a 4TiB hard drive with logical sector size 512 bytes.

    This patch has been verified to fix the infinite loop problem on 3.17-rc5 kernel using a 4TB disk image mounted using "-o loop". Without this patch doing a "find /nt" where /nt is an NTFS volume causes the infinite loop 100% reproducibly whilst with the patch it works fine as expected.

    Signed-off-by: Anton Altaparmakov <aia21@cantab.net>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/buffer.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 28c151879ad50651c4d1d55bb0bcd42d8b92d462
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Wed Sep 24 17:56:17 2014 +0200

    shmem: fix nlink for rename overwrite directory

    If overwriting an empty directory with rename, then we need to drop the extra nlink.

    Test prog:

    #include <stdio.h>
    #include <fcntl.h>
    #include <err.h>
    #include <sys/stat.h>

    int main(void)
    {
        const char *test_dir1 = "test-dir1";
        const char *test_dir2 = "test-dir2";
        int res;
        int fd;
        struct stat statbuf;

        res = mkdir(test_dir1, 0777);
        if (res == -1)
            err(1, "mkdir(\"%s\")", test_dir1);

        res = mkdir(test_dir2, 0777);
        if (res == -1)
            err(1, "mkdir(\"%s\")", test_dir2);

        /* keep a reference to the directory that is about to be overwritten */
        fd = open(test_dir2, O_RDONLY);
        if (fd == -1)
            err(1, "open(\"%s\")", test_dir2);

        res = rename(test_dir1, test_dir2);
        if (res == -1)
            err(1, "rename(\"%s\", \"%s\")", test_dir1, test_dir2);

        /* the replaced directory is unlinked now, so its link count must be 0 */
        res = fstat(fd, &statbuf);
        if (res == -1)
            err(1, "fstat(%i)", fd);

        if (statbuf.st_nlink != 0) {
            fprintf(stderr, "nlink is %lu, should be 0\n",
                    (unsigned long) statbuf.st_nlink);
            return 1;
        }

        return 0;
    }

    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 mm/shmem.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit e87359e46a367c3d502ec4b61ae16a344afc8bf0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 18 08:55:03 2014 -0400

    update documentation

 security/Kconfig | 7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 67bcf446004cbaff424450d0943fb0321e505493
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 18 07:42:34 2014 -0400

    update documentation

 security/Kconfig | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit b8d9c7f895650cec62bc43a9a2eb5a3a913aadff
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Sep 17 23:36:38 2014 -0400

    reorganize EFI backport

 arch/x86/include/asm/efi.h     |  1 +
 arch/x86/platform/efi/efi.c    | 15 ++------------
 arch/x86/platform/efi/efi_32.c |  4 ++++
 arch/x86/platform/efi/efi_64.c | 16 ++++++++++++++++
 4 files changed, 23 insertions(+), 13 deletions(-)

commit 767429f32d1557e71f1ea6b271c9ff9bb470f58c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Sep 17 23:17:07 2014 -0400

    Backport a best-effort variant of minipli's KERNEXEC/EFI patch to 3.2. Only if EFI runtime services are active will we allow the physmap to be RWX -- shouldn't be the case for most users, but this at least protects those blindly using distro configs.

 arch/x86/kernel/head_64.S   |  8 ++++++--
 arch/x86/platform/efi/efi.c | 13 +++++++++++++
 security/Kconfig            |  3 +++
 3 files changed, 22 insertions(+), 2 deletions(-)

commit 0163725f9f230f4b58641a875a7de730afc80c74
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 15 08:30:05 2014 -0400

    exempt atomic_[inc|add]_return_unchecked() from size_overflow

 arch/x86/include/asm/atomic.h | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9056786e17d0bbeebf5ad5a8554ba8c8a76960dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 14 18:41:06 2014 -0400

    update hash table

 .../size_overflow_plugin/size_overflow_hash.data | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit ab9e7ecf3984d4e5ef4ff3a45278710aacd396ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 14 17:17:26 2014 -0400

    compile fix

 kernel/time/alarmtimer.c | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit f838dc40b8e11a24b7075f0c978f4fab134c831b
Author: Richard Larocque <rlarocque@google.com>
Date:   Tue Sep 9 18:31:03 2014 -0700

    alarmtimer: Return relative times in timer_gettime

    Returns the time remaining for an alarm timer, rather than the time at which it is scheduled to expire. If the timer has already expired or it is not currently scheduled, the it_value's members are set to zero.

    This new behavior matches that of the other posix-timers and the POSIX specifications.

    This is a change in user-visible behavior, and may break existing applications. Hopefully, few users rely on the old incorrect behavior.

    Cc: stable@vger.kernel.org
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Richard Cochran <richardcochran@gmail.com>
    Cc: Prarit Bhargava <prarit@redhat.com>
    Cc: Sharvil Nanavati <sharvil@google.com>
    Signed-off-by: Richard Larocque <rlarocque@google.com>
    [jstultz: minor style tweak]
    Signed-off-by: John Stultz <john.stultz@linaro.org>

 kernel/time/alarmtimer.c | 18 +++++++++++-------
 1 files changed, 11 insertions(+), 7 deletions(-)

commit 0b0613996b5978239272e4204191848027ed5b89
Author: Richard Larocque <rlarocque@google.com>
Date:   Tue Sep 9 18:31:05 2014 -0700

    alarmtimer: Lock k_itimer during timer callback

    Locks the k_itimer's it_lock member when handling the alarm timer's expiry callback.

    The regular posix timers defined in posix-timers.c have this lock held during timeout processing because their callbacks are routed through posix_timer_fn(). The alarm timers follow a different path, so they ought to grab the lock somewhere else.

    Cc: stable@vger.kernel.org
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Richard Cochran <richardcochran@gmail.com>
    Cc: Prarit Bhargava <prarit@redhat.com>
    Cc: Sharvil Nanavati <sharvil@google.com>
    Signed-off-by: Richard Larocque <rlarocque@google.com>
    Signed-off-by: John Stultz <john.stultz@linaro.org>

 kernel/time/alarmtimer.c | 10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 8117fc080568e6aa32ff446c070100a6eab6272b
Author: Richard Larocque <rlarocque@google.com>
Date:   Tue Sep 9 18:31:04 2014 -0700

    alarmtimer: Do not signal SIGEV_NONE timers

    Avoids sending a signal to alarm timers created with sigev_notify set to SIGEV_NONE by checking for that special case in the timeout callback.

    The regular posix timers avoid sending signals to SIGEV_NONE timers by not scheduling any callbacks for them in the first place. Although it would be possible to do something similar for alarm timers, it's simpler to handle this as a special case in the timeout.

    Prior to this patch, the alarm timer would ignore the sigev_notify value and try to deliver signals to the process anyway. Even worse, the sanity check for the value of sigev_signo is skipped when SIGEV_NONE was specified, so the signal number could be bogus. If sigev_signo was an uninitialized value (as it often would be if SIGEV_NONE is used), then it's hard to predict which signal will be sent.

    Cc: stable@vger.kernel.org
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Richard Cochran <richardcochran@gmail.com>
    Cc: Prarit Bhargava <prarit@redhat.com>
    Cc: Sharvil Nanavati <sharvil@google.com>
    Signed-off-by: Richard Larocque <rlarocque@google.com>
    Signed-off-by: John Stultz <john.stultz@linaro.org>

 kernel/time/alarmtimer.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 038a6c21fd91be8221651495d280f60a4a252444
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 14 13:22:45 2014 -0400

    compile fix

 kernel/futex.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 51ae12a86010d07565a351852e4205c7b4bc6f6e
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Thu Sep 11 23:44:35 2014 +0200

    futex: Unlock hb->lock in futex_wait_requeue_pi() error path

    futex_wait_requeue_pi() calls futex_wait_setup(). If futex_wait_setup() succeeds it returns with hb->lock held and preemption disabled. Now the sanity check after this does:

        if (match_futex(&q.key, &key2)) {
            ret = -EINVAL;
            goto out_put_keys;
        }

    which releases the keys but does not release hb->lock.

    So we happily return to user space with hb->lock held and therefore preemption disabled. Unlock hb->lock before taking the exit route.

    Reported-by: Dave "Trinity" Jones <davej@redhat.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Darren Hart <dvhart@linux.intel.com>
    Reviewed-by: Davidlohr Bueso <dave@stgolabs.net>
    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: stable@vger.kernel.org
    Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1409112318500.4178@nanos
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

 kernel/futex.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 7044939f80c7cc215bfdf67010793989ea099a7a
Merge: df4e799 c312fd4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 14 11:43:48 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
        include/net/secure_seq.h
        tools/gcc/size_overflow_plugin/size_overflow_hash.data

commit c312fd4b91bc9dd81a4c8732ab1ddef762f9c827
Merge: 31cded1 de9ba61
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 14 11:39:36 2014 -0400

    Update to pax-linux-3.2.63-test157.patch:
    - forward port to 3.2.63
    - updated the size overflow hash table
    - hopefully fixed a build race on ia64, reported by Dennis Schridde (https://bugs.gentoo.org/show_bug.cgi?id=503878)

    Merge branch 'linux-3.2.y' into pax-stable

    Conflicts:
        arch/sparc/mm/fault_64.c
        arch/x86/include/asm/pgtable_64_types.h
        arch/x86/kernel/entry_64.S
        arch/x86/kernel/ldt.c
        drivers/gpu/drm/ttm/ttm_page_alloc.c
        include/net/inetpeer.h
        net/ipv4/inetpeer.c
        net/ipv4/route.c
        net/ipv6/ip6_output.c

commit df4e7992d0535f0fd5ac23e766a05934fa5c1e5f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 11 22:12:35 2014 -0400

    compile fix

 net/ceph/mon_client.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit ee18422bf9260f9fb20f33197fb32261b47530d8
Author: Ilya Dryomov <ilya.dryomov@inktank.com>
Date:   Tue Sep 9 19:39:15 2014 +0400

    libceph: do not hard code max auth ticket len

    We hard code cephx auth ticket buffer size to 256 bytes.
    This isn't enough for any moderate setups and, in case tickets themselves are not encrypted, leads to buffer overflows (ceph_x_decrypt() errors out, but ceph_decode_copy() doesn't - it's just a memcpy() wrapper). Since the buffer is allocated dynamically anyway, allocate it a bit later, at the point where we know how much is going to be needed.

    Fixes: http://tracker.ceph.com/issues/8979
    Cc: stable@vger.kernel.org
    Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com>
    Reviewed-by: Sage Weil <sage@redhat.com>

 net/ceph/auth_x.c | 64 ++++++++++++++++++++++++-----------------------
 1 files changed, 29 insertions(+), 35 deletions(-)

commit 4dfa313156b7147936b3bad7f2807a1f74a421bd
Author: Ilya Dryomov <ilya.dryomov@inktank.com>
Date:   Mon Sep 8 17:25:34 2014 +0400

    libceph: add process_one_ticket() helper

    Add a helper for processing individual cephx auth tickets. Needed for the next commit, which deals with allocating ticket buffers. (Most of the diff here is whitespace - view with git diff -b).

    Cc: stable@vger.kernel.org
    Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com>
    Reviewed-by: Sage Weil <sage@redhat.com>

 net/ceph/auth_x.c | 228 +++++++++++++++++++++++++++++------------------
 1 files changed, 124 insertions(+), 104 deletions(-)

commit d0840d5576f29f2f51c18aef2e5c3e825a9a3025
Author: Sage Weil <sage@redhat.com>
Date:   Mon Aug 4 07:01:54 2014 -0700

    libceph: gracefully handle large reply messages from the mon

    We preallocate a few of the message types we get back from the mon. If we get a larger message than we are expecting, fall back to trying to allocate a new one instead of blindly using the one we have.

    CC: stable@vger.kernel.org
    Signed-off-by: Sage Weil <sage@redhat.com>
    Reviewed-by: Ilya Dryomov <ilya.dryomov@inktank.com>

 net/ceph/mon_client.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 1cf74ebe958195a7dc114e56f0100bc3ca97d9a8
Author: Jan Kara <jack@suse.cz>
Date:   Thu Sep 4 14:06:55 2014 +0200

    udf: Avoid infinite loop when processing indirect ICBs

    We did not implement any bound on the number of indirect ICBs we follow when loading an inode. Thus a corrupted medium could cause the kernel to go into an infinite loop, possibly causing a stack overflow.

    Fix the possible stack overflow by removing recursion from __udf_read_inode() and limit the number of indirect ICBs we follow to avoid infinite loops.

    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/inode.c | 35 +++++++++++++++++++++--------------
 1 files changed, 21 insertions(+), 14 deletions(-)

commit 617f4c4872b809c6b6ea651d5198b7820b3e0abf
Author: Jan Kara <jack@suse.cz>
Date:   Thu Sep 4 13:32:50 2014 +0200

    udf: Fold udf_fill_inode() into __udf_read_inode()

    There's no good reason to separate these since udf_fill_inode() is called only from __udf_read_inode() and both do part of the same thing.

    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/inode.c | 22 +++++-----------------
 1 files changed, 5 insertions(+), 17 deletions(-)

commit df842208ddd1fae7409c4bc8e8e008e88ede1f46
Author: Ashish Sangwan <ashishsangwan2@gmail.com>
Date:   Tue Jun 26 19:33:11 2012 +0530

    UDF: Remove unnecessary variable "offset" from udf_fill_inode

    The variable "offset" is not needed. Remove it.

    Signed-off-by: Ashish Sangwan <ashish.sangwan2@gmail.com>
    Signed-off-by: Namjae Jeon <linkinjeon@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

    Conflicts:
        fs/udf/inode.c

 fs/udf/inode.c | 4 ----
 1 files changed, 0 insertions(+), 4 deletions(-)

commit fc485c36ac5e9d60f2dec3fa5b338271aaeda71b
Author: Jan Kara <jack@suse.cz>
Date:   Thu Sep 4 11:47:51 2014 +0200

    udf: Avoid dir link count to go negative

    If we are writing back the inode of an unlinked directory, its link count ends up being (u16)-1. Although the inode is deleted, udf_iget() can load the inode when NFS uses a stale file handle and get confused.

    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/inode.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 148f1629b2c5874e0159a8770c9d119265b698ed
Author: Ani Sinha <ani@arista.com>
Date:   Mon Sep 8 14:49:59 2014 -0700

    net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland.

    The Linux manpage for the recvmsg and sendmsg calls does not explicitly mention setting msg_namelen to 0 when msg_name is passed as NULL. When developers don't set the msg_namelen member in msghdr, it might contain a garbage value which will fail the validation check and the sendmsg and recvmsg calls from the kernel will return EINVAL. This will break old binaries and any code for which there is no access to source code. To fix this, we set msg_namelen to 0 when msg_name is passed as NULL from userland.

    Signed-off-by: Ani Sinha <ani@arista.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/socket.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 3edd6b95bf89a262d09ac87c05e2e2432db18bd0
Merge: ca5c222 31cded1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 11 18:30:45 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 31cded121ad293acd7ddb47a01d20bfbc59aff0c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 11 18:30:03 2014 -0400

    Update to pax-linux-3.2.62-test157.patch:
    - fixed an assert in the latent entropy plugin under gcc 4.5, reported by Emese

 tools/gcc/latent_entropy_plugin.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit ca5c222c961d8336eff035e27432a714c27cf674
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 11 18:20:33 2014 -0400

    3.2 didn't need this deferring

    Revert "pax: defer KERNEXEC instrumentation in IRQ return path"

    This reverts commit 188e7e319dfbd150d27d1d7451ebad1834000ce5.

 arch/x86/kernel/entry_64.S | 19 -------------------
 1 files changed, 0 insertions(+), 19 deletions(-)

commit 77c5c6e41bc486fc92de079882048cdfeb88558b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 8 20:59:54 2014 -0400

    compile fix

 drivers/media/dvb/dvb-usb/cinergyT2-fe.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit e35a79ff36f8d1822a12f64784e886260bf472e4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 8 20:36:10 2014 -0400

    fix several more cases of DMA-on-stack

 drivers/media/dvb/dvb-usb/cinergyT2-fe.c | 179 ++++++++++++++++++++++--------
 1 files changed, 132 insertions(+), 47 deletions(-)

commit c5584f68b79036abf8b615a828c83844babeef86
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 8 19:28:37 2014 -0400

    compile fix

 drivers/media/dvb/dvb-usb/cinergyT2-core.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 4da912717213ddce20610d7c73a166ff19943bd6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 8 19:09:58 2014 -0400

    Fix yet another DMA-on-stack case in the driver for the DVB-T TerraTec Cinergy T2, reported by sainz76 on the forums.

 drivers/media/dvb/dvb-usb/cinergyT2-core.c | 90 +++++++++++++++++++++++-----
 1 files changed, 74 insertions(+), 16 deletions(-)

commit 188e7e319dfbd150d27d1d7451ebad1834000ce5
Author: Mathias Krause <mathias.krause@secunet.com>
Date:   Mon Sep 8 13:13:02 2014 +0200

    pax: defer KERNEXEC instrumentation in IRQ return path

    The EFI runtime service to relocate, well, the EFI runtime services (SetVirtualAddressMap) gets called with a physical mapping and with interrupts enabled. If an IRQ triggers while we're executing code in the EFI region, the KERNEXEC instrumentation will set the MSB of the return address. But this address is actually located in the lower 4GB, thereby setting the MSB makes the CPU #GP as the return address just got non-canonical.

    Fix this by deferring the KERNEXEC instrumentation for the iret path until alternatives are applied. This allows these early EFI runtime service calls to get interrupted not only by IRQs but also NMIs and activ
ates the instrumentation before any userland code will be executed -- even before the other APs are started.

    Signed-off-by: Mathias Krause <mathias.krause@secunet.com>

 arch/x86/kernel/entry_64.S | 19 +++++++++++++++++++
 1 files changed, 19 insertions(+), 0 deletions(-)

commit 224a98d17f5ece6294e223cbce0a94cf171ca861
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Wed Aug 27 09:12:24 2014 +0200

    HID: magicmouse: sanity check report size in raw_event() callback

    The report passed to us from the transport driver could potentially be arbitrarily large, therefore we better sanity-check it so that magicmouse_emit_touch() gets only valid values of raw_id.

    Cc: stable@vger.kernel.org
    Reported-by: Steven Vittitoe <scvitti@google.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>

 drivers/hid/hid-magicmouse.c | 10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit bb7484b97c9ca1fffe1f2b75a67731f1d3f7ea2c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 26 00:35:30 2014 -0400

    add comment

 mm/mmap.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 3b450781121defb7f48dc7274dd721fe978e497b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 25 23:30:08 2014 -0400

    reuse mm instead of current->mm

 mm/mmap.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 08c93cf28f505aaebda320de06909f3652e9a640
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 25 23:19:09 2014 -0400

    Kill Chris Evans' ulimit -d 1 technique to slightly reduce heap ASLR entropy on suid/sgid binaries.

    Time he spent developing the entire exploit: who knows
    Time I spent adding another way in addition to the 6 or so existing ways his exploit is prevented: ~ 5 minutes

    Hashtag: ProjectZeroImpact

 mm/mmap.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 7175f416f0740888987a185618501d7eb44d25b6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 25 19:40:32 2014 -0400

    make sure in every case where we would end up performing a role transition in the full-learned policy that we log the necessary CAP_SETUID/CAP_SETGID. This will happen regardless of the process actually having CAP_SETUID or CAP_SETGID set, as the check on role transition is done only against the subject's permitted capabilities, not actual active capabilities.

    This fixes full-learning on sshd and likely other applications.

    Thanks to Stephane from the forums for the report!
    Conflicts:
        grsecurity/gracl_cap.c
        kernel/sys.c

 grsecurity/gracl_cap.c      | 41 +++++++++++++++++++++++++++++------------
 grsecurity/grsec_disabled.c |  6 ++++++
 include/linux/grsecurity.h  |  2 ++
 kernel/sys.c                | 19 +++++++++++++++++++
 4 files changed, 56 insertions(+), 12 deletions(-)

commit d8c343125b0c9b5c17fbe8f5b52d44d698b81c68
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 24 14:48:12 2014 -0400

    remove makefile entry for no-longer-used file

 scripts/Makefile | 2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit c6a1f020e3e659e55605294bd33d3e917cf3d6f8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 22 16:41:15 2014 -0400

    Introduce an experimental change to TPE -- reject execution of binaries that are world-writable. Contributed by Mickaël Salaün

 grsecurity/grsec_tpe.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 7534afe048b5291c6282a204f5884b164395c5e2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 21 23:53:18 2014 -0400

    If no cgroup agent release path is specified, don't bother trying to exec any nonexistent usermode helper -- prevents a waste of resources and fixes some annoying grsec logs detecting this case. Thanks to ice9 from the forums for help with testing.

    Conflicts:
        kernel/cgroup.c

 kernel/cgroup.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit ca6848c4921b08cfaf698337f5f83a555f74c5ce
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Aug 15 09:16:04 2014 -0700

    Upstream commit: dc808110bb62b64a448696ecac3938902c92e1ab

    packet: handle too big packets for PACKET_V3

    af_packet can currently overwrite kernel memory by out of bound accesses, because it assumed a [new] block can always hold one frame.

    This is not generally the case, even if most existing tools do it right.

    This patch clamps too long frames as the API permits, and issues a one time error on syslog.

    [  394.357639] tpacket_rcv: packet too big, clamped from 5042 to 3966. macoff=82

    In this example, packet header tp_snaplen was set to 3966, and tp_len was set to 5042 (skb->len)

    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
    Acked-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        net/packet/internal.h

 net/packet/af_packet.c | 18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)

commit 913589f0f9f214fc738582b3a12542ab67923704
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 21 20:33:45 2014 -0400

    Remove GRKERNSEC_RANDNET -- it has been unnecessary for quite some time now, at least since get_random_bytes started to be used directly for filling of AT_RANDOM on each exec -- it's not really possible anymore to store up sufficient entropy such that this option would have any effect.

    Conflicts:
        drivers/char/random.c

 drivers/char/random.c | 15 ---------------
 grsecurity/Kconfig    | 10 ----------
 2 files changed, 0 insertions(+), 25 deletions(-)

commit df7e0d44063474bfa491b4b59fb2e1bcf300c440
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Thu Aug 21 09:57:17 2014 -0500

    Upstream commit: ad3e14d7c5268c2e24477c6ef54bbdf88add5d36

    HID: logitech: perform bounds checking on device_id early enough

    device_index is a char type and the size of paired_dj_devices is 7 elements, therefore proper bounds checking has to be applied to device_index before it is used.

    We are currently performing the bounds checking in logi_dj_recv_add_djhid_device(), which is too late, as a malicious device could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the problem in one of the report forwarding functions called from logi_dj_raw_event().

    Fix this by performing the check at the earliest possible occasion in logi_dj_raw_event().

    Cc: stable@vger.kernel.org
    Reported-by: Ben Hawkes <hawkes@google.com>
    Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>

 drivers/hid/hid-logitech-dj.c | 13 ++++++-------
 1 files changed, 6 insertions(+), 7 deletions(-)

commit bee2e71c3211342d70b2aef3c066ba8c815e4b2c
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Thu Aug 21 09:57:48 2014 -0500

    Upstream commit: 4ab25786c87eb20857bbb715c3ae34ec8fd6a214

    HID: fix a couple of off-by-ones

    There are a few very theoretical off-by-one bugs in report descriptor size checking when performing a pre-parsing fixup. Fix those.

    Cc: stable@vger.kernel.org
    Reported-by: Ben Hawkes <hawkes@google.com>
    Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>

    Conflicts:
        drivers/hid/hid-kye.c
        drivers/hid/hid-lg.c

 drivers/hid/hid-cherry.c   | 2 +-
 drivers/hid/hid-kye.c      | 2 +-
 drivers/hid/hid-lg.c       | 4 ++--
 drivers/hid/hid-monterey.c | 2 +-
 drivers/hid/hid-petalynx.c | 2 +-
 drivers/hid/hid-sunplus.c  | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)

commit 610012c53a64d9b9ef0b8ea589c19066a31ebe1e
Author: Jan Kara <jack@suse.cz>
Date:   Sun Aug 17 11:49:57 2014 +0200

    Upstream commit: 410dd3cf4c9b36f27ed4542ee18b1af5e68645a4

    isofs: Fix unbounded recursion when processing relocated directories

    We did not check the relocated directory in any way when processing the Rock Ridge 'CL' tag. Thus a corrupted isofs image can possibly have a CL entry pointing to another CL entry leading to possibly unbounded recursion in kernel code and thus stack overflow or deadlocks (if there is a loop created from CL entries).

    Fix the problem by not allowing a CL entry to point to a directory entry with a CL entry (such use makes no good sense anyway) and by checking whether a CL entry doesn't point to itself.
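The two checks the isofs fix above describes (a CL entry must not point to itself, and must not point to a record that itself carries a CL entry), beside the unchecked chasing that the unpatched code did, as an added example; this is my constructed model, not the isofs code, and the record layout, field names and sample images are assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified model of directory records carrying a Rock Ridge
 * 'CL' (child link) relocation. Only the relocation target is kept; the
 * field name and the record layout are assumed for this illustration and
 * are not isofs' real structures. */
#define NO_CL (-1)

struct dir_rec {
    const char *name;
    int cl_target;   /* index of the record this entry is relocated to, or NO_CL */
};

/* Negative results of resolve_cl(); non-negative results are record indexes. */
enum { CL_ERR_SELF = -1, CL_ERR_CHAINED = -2, CL_ERR_RANGE = -3 };

/* Resolve a record's CL relocation with the checks the fix describes:
 * the target must exist, must not be the record itself and must not carry
 * a CL tag of its own. Returns the record to use, or a CL_ERR_* code. */
static int resolve_cl(const struct dir_rec *recs, size_t n, int self)
{
    int target = recs[self].cl_target;

    if (target == NO_CL)
        return self;                       /* ordinary entry, nothing to follow */
    if (target < 0 || (size_t)target >= n)
        return CL_ERR_RANGE;               /* points outside the image */
    if (target == self)
        return CL_ERR_SELF;                /* CL entry pointing to itself */
    if (recs[target].cl_target != NO_CL)
        return CL_ERR_CHAINED;             /* CL -> CL: refuse to chase it */
    return target;
}

/* Pre-fix behaviour for comparison: follow CL tags with no checks at all.
 * The unpatched kernel did this recursively, so a CL loop ran until the
 * stack was exhausted; here a hop limit keeps the demonstration finite.
 * Returns the hops taken, or -1 when the limit was hit (i.e. a loop). */
static int follow_cl_unchecked(const struct dir_rec *recs, size_t n, int self, int max_hops)
{
    int hops = 0;

    while (recs[self].cl_target != NO_CL) {
        if (++hops > max_hops)
            return -1;
        self = recs[self].cl_target;
        if (self < 0 || (size_t)self >= n)
            return -1;
    }
    return hops;
}

/* Constructed sample images. */
static const struct dir_rec good_image[] = {   /* record 0 relocated to record 2 */
    { "reloc_dir", 2 }, { "plain", NO_CL }, { "real_dir", NO_CL },
};
static const struct dir_rec loop_image[] = {   /* 0 -> 1 -> 0: a CL loop */
    { "a", 1 }, { "b", 0 },
};
static const struct dir_rec self_image[] = {   /* record 0 points to itself */
    { "me", 0 },
};
#define NREC(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    printf("good: checked=%d unchecked_hops=%d\n",
           resolve_cl(good_image, NREC(good_image), 0),
           follow_cl_unchecked(good_image, NREC(good_image), 0, 16));
    printf("loop: checked=%d unchecked_hops=%d\n",
           resolve_cl(loop_image, NREC(loop_image), 0),
           follow_cl_unchecked(loop_image, NREC(loop_image), 0, 16));
    printf("self: checked=%d unchecked_hops=%d\n",
           resolve_cl(self_image, NREC(self_image), 0),
           follow_cl_unchecked(self_image, NREC(self_image), 0, 16));
    return 0;
}
```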
CC: stable@vger.kernel.org Reported-by: Chris Evans <cevans@google.com> Signed-off-by: Jan Kara <jack@suse.cz> fs/isofs/inode.c | 15 ++++++++------- fs/isofs/isofs.h | 23 +++++++++++++++++++---- fs/isofs/rock.c | 39 ++++++++++++++++++++++++++++----------- 3 files changed, 55 insertions(+), 22 deletions(-) commit 06c94f632931f42ee57420627ca758d6ce85f111 Author: NeilBrown <neilb@suse.de> Date: Wed Aug 13 09:57:07 2014 +1000 Upstream commit: 9c4bdf697c39805078392d5ddbbba5ae5680e0dd md/raid6: avoid data corruption during recovery of double-degraded RAID6 During recovery of a double-degraded RAID6 it is possible for some blocks not to be recovered properly, leading to corruption. If a write happens to one block in a stripe that would be written to a missing device, and at the same time that stripe is recovering data to the other missing device, then that recovered data may not be written. This patch skips, in the double-degraded case, an optimisation that is only safe for single-degraded arrays. Bug was introduced in 2.6.32 and fix is suitable for any kernel since then. In an older kernel with separate handle_stripe5() and handle_stripe6() functions the patch must change handle_stripe6(). 
Cc: stable@vger.kernel.org (2.6.32+) Fixes: 6c0069c0ae9659e3a91b68eaed06a5c6c37f45c8 Cc: Yuri Tikhonov <yur@emcraft.com> Cc: Dan Williams <dan.j.williams@intel.com> Reported-by: "Manibalan P" <pmanibalan@amiindia.co.in> Tested-by: "Manibalan P" <pmanibalan@amiindia.co.in> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1090423 Signed-off-by: NeilBrown <neilb@suse.de> Acked-by: Dan Williams <dan.j.williams@intel.com> drivers/md/raid5.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit d5379a8db503082781c6cec4938eed956f24d1df Author: Jiri Kosina <jkosina@suse.cz> Date: Wed Aug 6 16:08:43 2014 -0700 Upstream commit: 69102311a57d1fd65cdc4002c55c5d551c799044 ./Makefile: tell gcc optimizer to never introduce new data races We have been chasing a memory corruption bug, which turned out to be caused by very old gcc (4.3.4), which happily turned conditional load into a non-conditional one, and that broke correctness (the condition was met only if lock was held) and corrupted memory. This particular problem with that particular code did not happen when never gccs were used. I've brought this up with our gcc folks, as I wanted to make sure that this can't really happen again, and it turns out it actually can. Quoting Martin Jambor <mjambor@suse.cz>: "More current GCCs are more careful when it comes to replacing a conditional load with a non-conditional one, most notably they check that a store happens in each iteration of _a_ loop but they assume loops are executed. They also perform a simple check whether the store cannot trap which currently passes only for non-const variables. 
    A simple testcase demonstrating it on an x86_64 is for example the following:

    $ cat cond_store.c
    /* Headers added so the testcase builds cleanly: mprotect()/PROT_READ,
     * errno and glibc's error(). The original relied on implicit declarations. */
    #include <sys/mman.h>
    #include <errno.h>
    #include <error.h>

    int g_1 = 1;
    int g_2[1024] __attribute__((section ("safe_section"), aligned (4096)));
    int c = 4;

    int __attribute__ ((noinline))
    foo (void)
    {
      int l;
      for (l = 0; (l != 4); l++) {
        if (g_1)
          return l;
        /* The inner loop body never runs (g_2[0] >= 26 is false at entry),
         * so g_2[0] must not be written; a hoisted store to the read-only
         * page g_2 lives in is what segfaults below. */
        for (g_2[0] = 0; (g_2[0] >= 26); ++g_2[0])
          ;
      }
      return 2;
    }

    int main (int argc, char* argv[])
    {
      if (mprotect (g_2, sizeof(g_2), PROT_READ) == -1)
        {
          int e = errno;
          error (e, e, "mprotect error %i", e);
        }
      foo ();
      __builtin_printf("OK\n");
      return 0;
    }
    /* EOF */
    $ ~/gcc/trunk/inst/bin/gcc cond_store.c -O2 --param allow-store-data-races=0
    $ ./a.out
    OK
    $ ~/gcc/trunk/inst/bin/gcc cond_store.c -O2 --param allow-store-data-races=1
    $ ./a.out
    Segmentation fault

    The testcase fails the same at least with 4.9, 4.8 and 4.7.

    Therefore I would suggest building kernels with this parameter set to zero. I also agree with Jikos that the default should be changed for -O2. I have run most of the SPEC 2k6 CPU benchmarks (gamess and dealII failed, at -O2, not sure why) compiled with and without this option and did not see any real difference between respective run-times"

    Hopefully the default will be changed in newer gccs, but let's force it for kernel builds so that we are on a safe side even when older gcc are used.

    The code in question was out-of-tree printk-in-NMI (yeah, surprise surprise, once again) patch written by Petr Mladek, let me quote his comment from our internal bugzilla:

    "I have spent few days investigating inconsistent state of kernel ring buffer. It went out that it was caused by speculative store generated by gcc-4.3.4.

    The problem is in assembly generated for make_free_space().
    The function is called the following way:

    + vprintk_emit();
      + log = MAIN_LOG; // with logbuf_lock
         or
         log = NMI_LOG; // with nmi_logbuf_lock
         cont_add(log, ...);
          + cont_flush(log, ...);
            + log_store(log, ...);
              + log_make_free_space(log, ...);

    If called with log = NMI_LOG then only nmi_log_* global variables are safe to modify but the generated code does store also into (main_)log_* global variables:

    <log_make_free_space>:
           55                      push   %rbp
           89 f6                   mov    %esi,%esi
           48 8b 05 03 99 51 01    mov    0x1519903(%rip),%rax       # ffffffff82620868 <nmi_log_next_id>
           44 8b 1d ec 98 51 01    mov    0x15198ec(%rip),%r11d      # ffffffff82620858 <log_next_idx>
           8b 35 36 60 14 01       mov    0x1146036(%rip),%esi       # ffffffff8224cfa8 <log_buf_len>
           44 8b 35 33 60 14 01    mov    0x1146033(%rip),%r14d      # ffffffff8224cfac <nmi_log_buf_len>
           4c 8b 2d d0 98 51 01    mov    0x15198d0(%rip),%r13       # ffffffff82620850 <log_next_seq>
           4c 8b 25 11 61 14 01    mov    0x1146111(%rip),%r12       # ffffffff8224d098 <log_buf>
           49 89 c2                mov    %rax,%r10
           48 21 c2                and    %rax,%rdx
           48 8b 1d 0c 99 55 01    mov    0x155990c(%rip),%rbx       # ffffffff826608a0 <nmi_log_buf>
           49 c1 ea 20             shr    $0x20,%r10
           48 89 55 d0             mov    %rdx,-0x30(%rbp)
           44 29 de                sub    %r11d,%esi
           45 29 d6                sub    %r10d,%r14d
           4c 8b 0d 97 98 51 01    mov    0x1519897(%rip),%r9        # ffffffff82620840 <log_first_seq>
           eb 7e                   jmp    ffffffff81107029 <log_make_free_space+0xe9>
    [...]
           85 ff                   test   %edi,%edi   # edi = 1 for NMI_LOG
           4c 89 e8                mov    %r13,%rax
           4c 89 ca                mov    %r9,%rdx
           74 0a                   je     ffffffff8110703d <log_make_free_space+0xfd>
           8b 15 27 98 51 01       mov    0x1519827(%rip),%edx       # ffffffff82620860 <nmi_log_first_id>
           48 8b 45 d0             mov    -0x30(%rbp),%rax
           48 39 c2                cmp    %rax,%rdx   # end of loop
           0f 84 da 00 00 00       je     ffffffff81107120 <log_make_free_space+0x1e0>
    [...]
           85 ff                   test   %edi,%edi   # edi = 1 for NMI_LOG
           4c 89 0d 17 97 51 01    mov    %r9,0x1519717(%rip)        # ffffffff82620840 <log_first_seq>
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^
                                   KABOOOM
           74 35                   je     ffffffff81107160 <log_make_free_space+0x220>

    It stores log_first_seq when edi == NMI_LOG.
    These instructions are used also when edi == MAIN_LOG but the store is done speculatively before the condition is decided. It is unsafe because we do not have "logbuf_lock" in NMI context and some other process might modify "log_first_seq" in parallel"

    I believe that the best course of action is both

    - building kernel (and anything multi-threaded, I guess) with that optimization turned off
    - persuade gcc folks to change the default for future releases

    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Cc: Martin Jambor <mjambor@suse.cz>
    Cc: Petr Mladek <pmladek@suse.cz>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Marek Polacek <polacek@redhat.com>
    Cc: Jakub Jelinek <jakub@redhat.com>
    Cc: Steven Noonan <steven@uplinklabs.net>
    Cc: Richard Biener <richard.guenther@gmail.com>
    Cc: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Conflicts:
        Makefile

 Makefile |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit e86025ad7d01a84c9ba3f313938722ef23ba2b79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 10 23:24:39 2014 -0400

    error on a brain-damaged configuration seen on the forums:
    https://forums.grsecurity.net/viewtopic.php?f=3&t=4026

 include/linux/grsecurity.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 885b2e50d6ddb86aacd68ee62e51d0e24ab42395
Merge: 5c8425c 07f56cf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 10 23:00:26 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
        arch/x86/Kconfig
        include/linux/slab.h
        net/sctp/ulpevent.c

commit 07f56cf38dc1df04ad4fcbe3523be248c146ec12
Merge: 38d7c9d 73886aa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 10 22:58:31 2014 -0400

    Merge branch 'linux-3.2.y' into pax-stable

    Conflicts:
        arch/x86/kernel/entry_32.S
        arch/x86/mm/ioremap.c
        include/linux/slab.h

commit 5c8425c91ff3a1c03c49f76bf83c500e4a4bb73b
Merge: 939438a 38d7c9d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 3 19:57:57 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 38d7c9d5ef23ecea2a93849d3a13f5401f6d7786
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 3 19:57:21 2014 -0400

    Update to pax-linux-3.2.61-test156.patch:
    - fixed an incompatibility between STACKLEAK and Xen, reported by joe (http://forums.grsecurity.net/viewtopic.php?f=3&t=3997#p14241)
    - fixed the ESPFIX SS limit on i386 so that it actually works instead of triggering a double fault, reported by Oscon

 arch/x86/kernel/head_32.S    |    2 +-
 tools/gcc/stackleak_plugin.c |   21 ++++++++++++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)

commit 939438a85bbd7b4b4cf5256a9d1696c5de45ed10
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 3 10:20:05 2014 -0400

    compile fix

 grsecurity/grsum.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f603c29fb37dfa40aaaab54756561819eeaf2270
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 3 10:15:31 2014 -0400

    fix retval

 grsecurity/grsum.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 6e4064de66c5d780617b50f2ec7586d485e833c3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 3 10:00:44 2014 -0400

    Mark the right declarations __read_only

 grsecurity/gracl_policy.c |    6 +++---
 grsecurity/grsec_init.c   |    6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 87f27b2d88b0f6da9dd581ec23e7e3ea3c8cc52a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 3 09:52:39 2014 -0400

    While on x86/x64 scatterlists can be created from kernel image buffers, on sparc64 this is apparently invalid and causes a system hang. Convert gr_usermode, gr_system_sum, and gr_system_salt back to using memory allocated at init.
 grsecurity/gracl_policy.c |   60 ++++++++++++++++++++++----------------------
 grsecurity/grsec_init.c   |   14 ++++++++++
 grsecurity/grsum.c        |   37 +++++++++++++--------------
 3 files changed, 62 insertions(+), 49 deletions(-)

commit 940d0f2a492432cbe173439a6badd36fb2f356d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 2 18:21:02 2014 -0400

    cleanup

 arch/sparc/include/asm/thread_info_64.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 22492b445ac341dd4bb7f80df5499f7a70819f17
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 2 18:18:48 2014 -0400

    Fix KSTACKOVERFLOW compilation on sparc64

 arch/sparc/include/asm/thread_info_64.h |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 3c38d5b731571fc80f97eae431ec85fbd46b0e99
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 31 19:06:01 2014 -0400

    fix compile error

 tools/gcc/randomize_layout_plugin.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 24710f447a99053e6ce35a8dce8c102b5a506825
Author: James Bottomley <JBottomley@Parallels.com>
Date:   Thu Jul 3 19:17:34 2014 +0200

    Upstream commit: 89fb4cd1f717a871ef79fa7debbe840e3225cd54

    scsi: handle flush errors properly

    Flush commands don't transfer data and thus need to be special cased in the I/O completion handler so that we can propagate errors to the block layer and filesystem.

    Signed-off-by: James Bottomley <JBottomley@Parallels.com>
    Reported-by: Steven Haber <steven@qumulo.com>
    Tested-by: Steven Haber <steven@qumulo.com>
    Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Christoph Hellwig <hch@lst.de>

 drivers/scsi/scsi_lib.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 22af163d0654be43242c6d4b1681ab9875b1ab6e
Author: Christoph Paasch <christoph.paasch@uclouvain.be>
Date:   Tue Jul 29 12:07:27 2014 +0200

    Upstream commit: 45a07695bc64b3ab5d6d2215f9677e5b8c05a7d0

    tcp: Fix integer-overflows in TCP veno

    In veno we do a multiplication of the cwnd and the rtt. This may overflow and thus their result is stored in a u64. However, we first need to cast the cwnd so that actually 64-bit arithmetic is done.

    A first attempt at fixing 76f1017757aa0 ([TCP]: TCP Veno congestion control) was made by 159131149c2 (tcp: Overflow bug in Vegas), but it failed to add the required cast in tcp_veno_cong_avoid().

    Fixes: 76f1017757aa0 ([TCP]: TCP Veno congestion control)
    Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_veno.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e304749a01bdb4bc8695674a5f247013a5b13d54
Author: Milan Broz <gmazyland@gmail.com>
Date:   Tue Jul 29 18:41:09 2014 +0000

    Upstream commit: 4c63f83c2c2e16a13ce274ee678e28246bd33645

    crypto: af_alg - properly label AF_ALG socket

    The AF_ALG socket was missing a security label (e.g. SELinux) which means that socket was in "unlabeled" state.

    This was recently demonstrated in the cryptsetup package (cryptsetup v1.6.5 and later.) See https://bugzilla.redhat.com/show_bug.cgi?id=1115120

    This patch clones the sock's label from the parent sock and resolves the issue (similar to AF_BLUETOOTH protocol family).
    Cc: stable@vger.kernel.org
    Signed-off-by: Milan Broz <gmazyland@gmail.com>
    Acked-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

 crypto/af_alg.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 805577529b565c454ed6acb56c879fdc4614350f
Author: Christoph Paasch <christoph.paasch@uclouvain.be>
Date:   Tue Jul 29 13:40:57 2014 +0200

    Upstream commit: 1f74e613ded11517db90b2bd57e9464d9e0fb161

    tcp: Fix integer-overflow in TCP vegas

    In vegas we do a multiplication of the cwnd and the rtt. This may overflow and thus their result is stored in a u64. However, we first need to cast the cwnd so that actually 64-bit arithmetic is done.

    Then, we need to do do_div to allow this to be used on 32-bit arches.

    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Cc: Neal Cardwell <ncardwell@google.com>
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Cc: David Laight <David.Laight@ACULAB.COM>
    Cc: Doug Leith <doug.leith@nuim.ie>
    Fixes: 8d3a564da34e (tcp: tcp_vegas cong avoid fix)
    Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_vegas.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 017aa069e797bfeefaf5d4f846f81a5b02aac423
Author: Sven Wegener <sven.wegener@stealer.net>
Date:   Tue Jul 22 10:26:06 2014 +0200

    Upstream commit: 80705fca953d4f2983d5197401de4ce7af7699d3

    x86_32, entry: Store badsys error code in %eax

    commit 8142b215501f8b291a108a202b3a053a265b03dd upstream.

    Commit 554086d ("x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508)") introduced a regression in the x86_32 syscall entry code, resulting in syscall() not returning proper errors for undefined syscalls on CPUs supporting the sysenter feature.
    The following code:

    > int result = syscall(666);
    > printf("result=%d errno=%d error=%s\n", result, errno, strerror(errno));

    results in:

    > result=666 errno=0 error=Success

    Obviously, the syscall return value is the called syscall number, but it should have been an ENOSYS error. When run under ptrace it behaves correctly, which makes it hard to debug in the wild:

    > result=-1 errno=38 error=Function not implemented

    The %eax register is the return value register. For debugging via ptrace the syscall entry code stores the complete register context on the stack. The badsys handlers only store the ENOSYS error code in the ptrace register set and do not set %eax like a regular syscall handler would. The old resume_userspace call chain contains code that clobbers %eax and it restores %eax from the ptrace registers afterwards. The same goes for the ptrace-enabled call chain. When ptrace is not used, the syscall return value is the passed-in syscall number from the untouched %eax register.

    Use %eax as the return value register in syscall_badsys and sysenter_badsys, like a real syscall handler does, and have the caller push the value onto the stack for ptrace access.

    Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
    Link: http://lkml.kernel.org/r/alpine.LNX.2.11.1407221022380.31021@titan.int.lan.stealer.net
    Reviewed-and-tested-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: H. Peter Anvin <hpa@zytor.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

    Conflicts:
        arch/x86/kernel/entry_32.S

 arch/x86/kernel/entry_32.S |    9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

commit 1b7dd9b4c864a650c87c0b2f4ee428d8a58cb0fc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 31 18:02:05 2014 -0400

    Work around a compatibility issue between the VirtualBox drivers and RANDSTRUCT.
    Two of its ops structs, INTNETTRUNKFACTORY and RAWPCIFACTORY, were chosen for randomization, but these seem to be part of a public interface used by code not compiled by RANDSTRUCT. To resolve this, omit these two type names from randomization. Thanks to Pedro Ribeiro for the report.

 tools/gcc/randomize_layout_plugin.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 32ab0eb3774f2b04ec7d412dce297ecc77081cd8
Author: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Date:   Sat Jul 26 21:26:58 2014 +0400

    Upstream commit: 40eea803c6b2cfaab092f053248cbeab3f368412

    net: sendmsg: fix NULL pointer dereference

    Sasha's report:
    > While fuzzing with trinity inside a KVM tools guest running the latest -next
    > kernel with the KASAN patchset, I've stumbled on the following spew:
    >
    > [ 4448.949424] ==================================================================
    > [ 4448.951737] AddressSanitizer: user-memory-access on address 0
    > [ 4448.952988] Read of size 2 by thread T19638:
    > [ 4448.954510] CPU: 28 PID: 19638 Comm: trinity-c76 Not tainted 3.16.0-rc4-next-20140711-sasha-00046-g07d3099-dirty #813
    > [ 4448.956823]  ffff88046d86ca40 0000000000000000 ffff880082f37e78 ffff880082f37a40
    > [ 4448.958233]  ffffffffb6e47068 ffff880082f37a68 ffff880082f37a58 ffffffffb242708d
    > [ 4448.959552]  0000000000000000 ffff880082f37a88 ffffffffb24255b1 0000000000000000
    > [ 4448.961266] Call Trace:
    > [ 4448.963158] dump_stack (lib/dump_stack.c:52)
    > [ 4448.964244] kasan_report_user_access (mm/kasan/report.c:184)
    > [ 4448.965507] __asan_load2 (mm/kasan/kasan.c:352)
    > [ 4448.966482] ? netlink_sendmsg (net/netlink/af_netlink.c:2339)
    > [ 4448.967541] netlink_sendmsg (net/netlink/af_netlink.c:2339)
    > [ 4448.968537] ? get_parent_ip (kernel/sched/core.c:2555)
    > [ 4448.970103] sock_sendmsg (net/socket.c:654)
    > [ 4448.971584] ? might_fault (mm/memory.c:3741)
    > [ 4448.972526] ? might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3740)
    > [ 4448.973596] ? verify_iovec (net/core/iovec.c:64)
    > [ 4448.974522] ___sys_sendmsg (net/socket.c:2096)
    > [ 4448.975797] ? put_lock_stats.isra.13 (./arch/x86/include/asm/preempt.h:98 kernel/locking/lockdep.c:254)
    > [ 4448.977030] ? lock_release_holdtime (kernel/locking/lockdep.c:273)
    > [ 4448.978197] ? lock_release_non_nested (kernel/locking/lockdep.c:3434 (discriminator 1))
    > [ 4448.979346] ? check_chain_key (kernel/locking/lockdep.c:2188)
    > [ 4448.980535] __sys_sendmmsg (net/socket.c:2181)
    > [ 4448.981592] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2600)
    > [ 4448.982773] ? trace_hardirqs_on (kernel/locking/lockdep.c:2607)
    > [ 4448.984458] ? syscall_trace_enter (arch/x86/kernel/ptrace.c:1500 (discriminator 2))
    > [ 4448.985621] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2600)
    > [ 4448.986754] SyS_sendmmsg (net/socket.c:2201)
    > [ 4448.987708] tracesys (arch/x86/kernel/entry_64.S:542)
    > [ 4448.988929] ==================================================================

    This report means that we've come to netlink_sendmsg() with msg->msg_name == NULL and msg->msg_namelen > 0. After this report there was no usual "Unable to handle kernel NULL pointer dereference" and this gave me a clue that address 0 is mapped and contains valid socket address structure in it.

    This bug was introduced in f3d3342602f8bcbf37d7c46641cb9bca7618eb1c (net: rework recvmsg handler msg_name and msg_namelen logic). Commit message states that:

    "Set msg->msg_name = NULL if user specified a NULL in msg_name but had a non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't affect sendto as it would bail out earlier while trying to copy-in the address."

    But in fact this affects sendto when address 0 is mapped and contains socket address structure in it. In such case copy-in address will succeed, verify_iovec() function will successfully exit with msg->msg_namelen > 0 and msg->msg_name == NULL.

    This patch fixes it by setting msg_namelen to 0 if msg_name == NULL.
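A user-space model of the verify_iovec() name handling the commit above describes, added here as an example and not the kernel's code: the struct, the functions and the "page 0 is mapped" switch are constructed to show why the pre-fix check leaves msg_name == NULL with msg_namelen > 0, and how the fixed check keeps the pair consistent.

```c
/*
 * Model of the msg_name/msg_namelen validation discussed in the sendmsg
 * commit.  Everything here is constructed for illustration; names mirror
 * the kernel's only where the commit message uses them.
 */
#include <stddef.h>
#include <string.h>
#include <errno.h>

/* Stand-in for the two struct msghdr fields that matter here. */
struct model_msghdr {
    void *msg_name;     /* user pointer to the sockaddr, may be NULL */
    int   msg_namelen;  /* length the caller claims for msg_name */
};

/*
 * Stand-in for move_addr_to_kernel(): copying from a NULL user pointer
 * normally fails with -EFAULT, but when the process has mapped address 0
 * (page_zero_mapped != 0) the copy "succeeds", which is the case the
 * fuzzer hit.
 */
static int model_move_addr_to_kernel(const void *uaddr, int len,
                                     void *kaddr, int page_zero_mapped)
{
    if (uaddr == NULL) {
        if (!page_zero_mapped)
            return -EFAULT;
        memset(kaddr, 0, (size_t)len);  /* mapped page 0 holds readable bytes */
        return 0;
    }
    memcpy(kaddr, uaddr, (size_t)len);
    return 0;
}

/* Pre-fix logic: only msg_namelen decides whether an address is copied in,
 * and a NULL msg_name is left NULL while msg_namelen keeps its value. */
int verify_name_buggy(struct model_msghdr *m, void *kaddr, int page_zero_mapped)
{
    if (m->msg_namelen) {
        int err = model_move_addr_to_kernel(m->msg_name, m->msg_namelen,
                                            kaddr, page_zero_mapped);
        if (err < 0)
            return err;
        if (m->msg_name)
            m->msg_name = kaddr;
    } else {
        m->msg_name = NULL;
    }
    return 0;
}

/* Fixed logic: an address is accepted only when pointer and length are both
 * set; otherwise both are cleared, so no later consumer sees a NULL name
 * with a non-zero length. */
int verify_name_fixed(struct model_msghdr *m, void *kaddr, int page_zero_mapped)
{
    if (m->msg_name && m->msg_namelen) {
        int err = model_move_addr_to_kernel(m->msg_name, m->msg_namelen,
                                            kaddr, page_zero_mapped);
        if (err < 0)
            return err;
        m->msg_name = kaddr;
    } else {
        m->msg_name = NULL;
        m->msg_namelen = 0;
    }
    return 0;
}

/* Scenario from the report: caller passed msg_name == NULL, msg_namelen == 12.
 * Returns the resulting msg_namelen, or the negative error from the copy. */
int scenario_null_name(int use_fixed, int page_zero_mapped)
{
    char kaddr[64];
    struct model_msghdr m = { NULL, 12 };
    int err = use_fixed ? verify_name_fixed(&m, kaddr, page_zero_mapped)
                        : verify_name_buggy(&m, kaddr, page_zero_mapped);
    if (err < 0)
        return err;
    /* A non-zero length here with m.msg_name still NULL is exactly what
     * netlink_sendmsg() went on to dereference. */
    return m.msg_name == NULL ? m.msg_namelen : -1;
}

/* Control scenario: a real (constructed) address of 12 bytes is passed.
 * Returns the resulting msg_namelen; both variants accept it. */
int scenario_valid_name(int use_fixed)
{
    char uaddr[12] = "constructed";
    char kaddr[64];
    struct model_msghdr m = { uaddr, sizeof(uaddr) };
    int err = use_fixed ? verify_name_fixed(&m, kaddr, 0)
                        : verify_name_buggy(&m, kaddr, 0);
    return err < 0 ? err : m.msg_namelen;
}
```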
    Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Cc: Eric Dumazet <edumazet@google.com>
    Cc: <stable@vger.kernel.org>
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/compat.c     |    9 +++++----
 net/core/iovec.c |    6 +++---
 2 files changed, 8 insertions(+), 7 deletions(-)

commit 4197e21dff54db8838d8bb2bb54cde06a4c50596
Merge: 97419e4 039d801
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 27 19:57:21 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 039d8018a40cd3baf7dab410155e19af5fe28a5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 27 19:56:53 2014 -0400

    Update to pax-linux-3.2.61-test155.patch:
    - fixed an incorrect get_user cast, reported by Corey Minyard - there're a few more instances in the kernel still
    - Emese fixed a compile error in the size overflow plugin that manifested under gcc 4.9

 fs/compat_ioctl.c                                  |    2 +-
 .../insert_size_overflow_asm.c                     |   42 --------------------
 .../insert_size_overflow_check_core.c              |   41 +++++++++++++++++++
 .../insert_size_overflow_check_ipa.c               |    2 +-
 .../size_overflow_plugin/intentional_overflow.c    |    3 +
 .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
 6 files changed, 47 insertions(+), 45 deletions(-)

commit 97419e41b6d1530da186ecfa5b7db9214ca93b94
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sat Jul 26 14:52:01 2014 -0700

    Upstream commit: 2062afb4f804afef61cbe62a30cac9a46e58e067

    Fix gcc-4.9.0 miscompilation of load_balance() in scheduler

    Michel Dänzer and a couple of other people reported inexplicable random oopses in the scheduler, and the cause turns out to be gcc mis-compiling the load_balance() function when debugging is enabled. The gcc bug apparently goes back to gcc-4.5, but slight optimization changes means that it now showed up as a problem in 4.9.0 and 4.9.1.
    The instruction scheduling problem causes gcc to schedule a spill operation to before the stack frame has been created, which in turn can corrupt the spilled value if an interrupt comes in. There may be other effects of this bug too, but that's the code generation problem seen in Michel's case.

    This is fixed in current gcc HEAD, but the workaround as suggested by Markus Trippelsdorf is pretty simple: use -fno-var-tracking-assignments when compiling the kernel, which disables the gcc code that causes the problem. This can result in slightly worse debug information for variable accesses, but that is infinitely preferable to actual code generation problems.

    Doing this unconditionally (not just for CONFIG_DEBUG_INFO) also allows non-debug builds to verify that the debug build would be identical: we can do

        export GCC_COMPARE_DEBUG=1

    to make gcc internally verify that the result of the build is independent of the "-g" flag (it will make the compiler build everything twice, toggling the debug flag, and compare the results).

    Without the "-fno-var-tracking-assignments" option, the build would fail (even with 4.8.3 that didn't show the actual stack frame bug) with a gcc compare failure.

    See also gcc bugzilla: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61801

    Reported-by: Michel Dänzer <michel@daenzer.net>
    Suggested-by: Markus Trippelsdorf <markus@trippelsdorf.de>
    Cc: Jakub Jelinek <jakub@redhat.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 Makefile |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 17acc2739760940b289b18da5efd01d928494ce0
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Mon Jul 21 00:06:48 2014 +0100

    Upstream commit: 640d7efe4c08f06c4ae5d31b79bd8740e7f6790a

    dns_resolver: Null-terminate the right string

    *_result[len] is parsed as *(_result[len]) which is not at all what we want to touch here.
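An added example, not the kernel's code, for the dns_resolver fixes this commit and the one it repairs describe: a user-space stand-in for the copy-out step of dns_query() that allocates len + 1 bytes and terminates through (*_result)[len], plus a small array-of-pointers case showing what *_result[len] actually addresses. The sample payload and the two helper strings are constructed.

```c
/*
 * The copy-out step of dns_query(), modelled in user space.  malloc()
 * stands in for kmalloc(); everything else mirrors the shape of the fixed
 * kernel logic without being the kernel's code.
 */
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Copies a len-byte, non-terminated answer into a fresh NUL-terminated
 * C string at *_result.  Returns 0 or -ENOMEM. */
int dns_copy_result(const char *data, size_t len, char **_result)
{
    if (!_result)
        return 0;               /* caller only wanted the length */
    *_result = malloc(len + 1); /* len + 1: room for the terminator */
    if (!*_result)
        return -ENOMEM;
    memcpy(*_result, data, len);
    (*_result)[len] = '\0';     /* byte len of the string, not pointer len */
    return 0;
}

/* Constructed sample: a 9-byte answer followed by unrelated bytes, the way
 * a key payload sits in memory without a terminator of its own. */
static const char sample_payload[] = {
    '1', '9', '2', '.', '0', '.', '2', '.', '1', 'X', 'Y'
};

/* Copies the 9-byte answer out of sample_payload; returns it as a C string
 * (allocated once, reused on later calls), or NULL on allocation failure. */
const char *dns_query_sample(void)
{
    static char *result;
    if (!result && dns_copy_result(sample_payload, 9, &result) < 0)
        return NULL;
    return result;
}

/* Why *_result[len] was wrong: [] binds tighter than unary *, so the
 * expression reads *(_result[len]).  Given a genuine array of pointers the
 * two spellings address different bytes, as these helpers show. */
static char str0[] = "hello";
static char str1[] = "world";
static char *two_strings[] = { str0, str1 };

char wrong_precedence_at(size_t idx)
{
    return *two_strings[idx];   /* first byte of string number idx */
}

char right_precedence_at(size_t idx)
{
    return (*two_strings)[idx]; /* byte idx of string number 0 */
}
```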
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Fixes: 84a7c0b1db1c ("dns_resolver: assure that dns_query() result is null-terminated")
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/dns_resolver/dns_query.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9c203f84a04ea62b9f78b07039b32ddf4dac2283
Author: Manuel Schölling <manuel.schoelling@gmx.de>
Date:   Sat Jun 7 23:57:25 2014 +0200

    Upstream commit: 84a7c0b1db1c17d5ded8d3800228a608e1070b40

    dns_resolver: assure that dns_query() result is null-terminated

    dns_query() credulously assumes that keys are null-terminated and returns a copy of a memory block that is off by one.

    Signed-off-by: Manuel Schölling <manuel.schoelling@gmx.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/dns_resolver/dns_query.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 7da80c789c04170dd8219da791d0f4423bc53b56
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Fri Jul 18 17:26:41 2014 -0400

    Upstream commit: 79a8468747c5f95ed3d5ce8376a3e82e0c5857fc

    random: check for increase of entropy_count because of signed conversion

    The expression entropy_count -= ibytes << (ENTROPY_SHIFT + 3) could actually increase entropy_count if during assignment of the unsigned expression on the RHS (mind the -=) we reduce the value modulo 2^width(int) and assign it to entropy_count. Trinity found this.

    [ Commit modified by tytso to add an additional safety check for a negative entropy_count -- which should never happen, and to also add an additional paranoia check to prevent overly large count values to be passed into urandom_read().
    ]

    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@vger.kernel.org

 drivers/char/random.c |   17 ++++++++++++++---
 1 files changed, 14 insertions(+), 3 deletions(-)

commit 2e174f924f1136bc3ae13d1efb49344199327432
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Jul 17 13:50:45 2014 +0300

    Upstream commit: a28d0e873d2899bd750ae495f84fe9c1a2f53809

    wan/x25_asy: integer overflow in x25_asy_change_mtu()

    If "newmtu * 2 + 4" is too large then it can cause an integer overflow leading to memory corruption. Eric Dumazet suggests that 65534 is a reasonable upper limit.

    Btw, "newmtu" is not allowed to be a negative number because of the check in dev_set_mtu(), so that's ok.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/x25_asy.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit ca73e57546661064611d6add30c4cf030df1292b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 23 20:38:57 2014 -0400

    Backport actual fixes from 8f2e5ae40ec193bc0a0ed99e95315c3eebca84ea
    not sure why upstream saw it necessary to lump in over a dozen comment and noop formatting changes into the same patch

 net/sctp/ulpevent.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit dcd31ea940876862f32f91290b483c85bdaa0dca
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Tue Jul 22 15:22:45 2014 +0200

    Upstream commit: 1be9a950c646c9092fb3618197f7b6bfb50e82aa

    net: sctp: inherit auth_capable on INIT collisions

    Jason reported an oops caused by SCTP on his ARM machine with SCTP authentication enabled:

    Internal error: Oops: 17 [#1] ARM
    CPU: 0 PID: 104 Comm: sctp-test Not tainted 3.13.0-68744-g3632f30c9b20-dirty #1
    task: c6eefa40 ti: c6f52000 task.ti: c6f52000
    PC is at sctp_auth_calculate_hmac+0xc4/0x10c
    LR is at sg_init_table+0x20/0x38
    pc : [<c024bb80>]    lr : [<c00f32dc>]    psr: 40000013
    sp : c6f538e8  ip : 00000000  fp : c6f53924
    r10: c6f50d80  r9 : 00000000  r8 : 00010000
    r7 : 00000000  r6 : c7be4000  r5 : 00000000  r4 : c6f56254
    r3 : c00c8170  r2 : 00000001  r1 : 00000008  r0 : c6f1e660
    Flags: nZcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 0005397f  Table: 06f28000  DAC: 00000015
    Process sctp-test (pid: 104, stack limit = 0xc6f521c0)
    Stack: (0xc6f538e8 to 0xc6f54000)
    [...]
    Backtrace:
    [<c024babc>] (sctp_auth_calculate_hmac+0x0/0x10c) from [<c0249af8>] (sctp_packet_transmit+0x33c/0x5c8)
    [<c02497bc>] (sctp_packet_transmit+0x0/0x5c8) from [<c023e96c>] (sctp_outq_flush+0x7fc/0x844)
    [<c023e170>] (sctp_outq_flush+0x0/0x844) from [<c023ef78>] (sctp_outq_uncork+0x24/0x28)
    [<c023ef54>] (sctp_outq_uncork+0x0/0x28) from [<c0234364>] (sctp_side_effects+0x1134/0x1220)
    [<c0233230>] (sctp_side_effects+0x0/0x1220) from [<c02330b0>] (sctp_do_sm+0xac/0xd4)
    [<c0233004>] (sctp_do_sm+0x0/0xd4) from [<c023675c>] (sctp_assoc_bh_rcv+0x118/0x160)
    [<c0236644>] (sctp_assoc_bh_rcv+0x0/0x160) from [<c023d5bc>] (sctp_inq_push+0x6c/0x74)
    [<c023d550>] (sctp_inq_push+0x0/0x74) from [<c024a6b0>] (sctp_rcv+0x7d8/0x888)

    While we already had various kind of bugs in that area ec0223ec48a9 ("net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable") and b14878ccb7fa ("net: sctp: cache auth_enable per endpoint"), this one is a bit of a different kind.

    Giving a bit more background on why SCTP authentication is needed can be found in RFC4895:

      SCTP uses 32-bit verification tags to protect itself against blind attackers. These values are not changed during the lifetime of an SCTP association.

      Looking at new SCTP extensions, there is the need to have a method of proving that an SCTP chunk(s) was really sent by the original peer that started the association and not by a malicious attacker.
    To cause this bug, we're triggering an INIT collision between peers; normal SCTP handshake where both sides intend to authenticate packets contains RANDOM; CHUNKS; HMAC-ALGO parameters that are being negotiated among peers:

      ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
      <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
      -------------------- COOKIE-ECHO -------------------->
      <-------------------- COOKIE-ACK ---------------------

    RFC4895 says that each endpoint therefore knows its own random number and the peer's random number *after* the association has been established. The local and peer's random number along with the shared key are then part of the secret used for calculating the HMAC in the AUTH chunk.

    Now, in our scenario, we have 2 threads with 1 non-blocking SEQ_PACKET socket each, setting up common shared SCTP_AUTH_KEY and SCTP_AUTH_ACTIVE_KEY properly, and each of them calling sctp_bindx(3), listen(2) and connect(2) against each other, thus the handshake looks similar to this, e.g.:

      ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
      <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
      <--------- INIT[RANDOM; CHUNKS; HMAC-ALGO] -----------
      -------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] -------->
      ...

    Since such collisions can also happen with verification tags, the RFC4895 for AUTH rather vaguely says under section 6.1:

      In case of INIT collision, the rules governing the handling of this Random Number follow the same pattern as those for the Verification Tag, as explained in Section 5.2.4 of RFC 2960 [5]. Therefore, each endpoint knows its own Random Number and the peer's Random Number after the association has been established.

    In RFC2960, section 5.2.4, we're eventually hitting Action B:

      B) In this case, both sides may be attempting to start an association at about the same time but the peer endpoint started its INIT after responding to the local endpoint's INIT. Thus it may have picked a new Verification Tag not being aware of the previous Tag it had sent this endpoint. The endpoint should stay in or enter the ESTABLISHED state but it MUST update its peer's Verification Tag from the State Cookie, stop any init or cookie timers that may be running and send a COOKIE ACK.

    In other words, the handling of the Random parameter is the same as behavior for the Verification Tag as described in Action B of section 5.2.4.

    Looking at the code, we exactly hit the sctp_sf_do_dupcook_b() case which triggers an SCTP_CMD_UPDATE_ASSOC command to the side effect interpreter, and in fact it properly copies over peer_{random, hmacs, chunks} parameters from the newly created association to update the existing one.

    Also, the old asoc_shared_key is being released and based on the new params, sctp_auth_asoc_init_active_key() updated. However, the issue observed in this case is that the previous asoc->peer.auth_capable was 0, and has *not* been updated, so that instead of creating a new secret, we're doing an early return from the function sctp_auth_asoc_init_active_key() leaving asoc->asoc_shared_key as NULL. However, we now have to authenticate chunks from the updated chunk list (e.g. COOKIE-ACK). That in fact causes the server side when responding with ...

      <------------------ AUTH; COOKIE-ACK -----------------

    ... to trigger a NULL pointer dereference, since in sctp_packet_transmit(), it discovers that an AUTH chunk is being queued for xmit, and thus it calls sctp_auth_calculate_hmac(). Since the asoc->active_key_id is still inherited from the endpoint, and the same as encoded into the chunk, it uses asoc->asoc_shared_key, which is still NULL, as an asoc_key and dereferences it in ...

      crypto_hash_setkey(desc.tfm, &asoc_key->data[0], asoc_key->len)

    ... causing an oops.
    All this happens because sctp_make_cookie_ack() called with the *new* association has the peer.auth_capable=1 and therefore marks the chunk with auth=1 after checking sctp_auth_send_cid(), but it is *actually* sent later on over the then *updated* association's transport that didn't initialize its shared key due to peer.auth_capable=0.

    Since control chunks in that case are not sent by the temporary association which are scheduled for deletion, they are issued for xmit via SCTP_CMD_REPLY in the interpreter with the context of the *updated* association. peer.auth_capable was 0 in the updated association (which went from COOKIE_WAIT into ESTABLISHED state), since all previous processing that performed sctp_process_init() was being done on temporary associations, that we eventually throw away each time.

    The correct fix is to update to the new peer.auth_capable value as well in the collision case via sctp_assoc_update(), so that in case the collision migrated from 0 -> 1, sctp_auth_asoc_init_active_key() can properly recalculate the secret. This therefore fixes the observed server panic.

    Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
    Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    Cc: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/associola.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 723a9740df77f121e66b66279e43e7737f4795d1
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Mon Jul 14 17:02:31 2014 -0700

    Upstream commit: 3cf521f7dc87c031617fd47e4b7aa2593c2f3daf

    Yet another upstream silent security fix

    net/l2tp: don't fall back on UDP [get|set]sockopt

    The l2tp [get|set]sockopt() code has fallen back to the UDP functions for socket option levels != SOL_PPPOL2TP since day one, but that has never actually worked, since the l2tp socket isn't an inet socket.

    As David Miller points out:

      "If we wanted this to work, it'd have to look up the tunnel and then use tunnel->sk, but I wonder how useful that would be"

    Since this can never have worked so nobody could possibly have depended on that functionality, just remove the broken code and return -EINVAL.

    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Acked-by: James Chapman <jchapman@katalix.com>
    Acked-by: David Miller <davem@davemloft.net>
    Cc: Phil Turnbull <phil.turnbull@oracle.com>
    Cc: Vegard Nossum <vegard.nossum@oracle.com>
    Cc: Willy Tarreau <w@1wt.eu>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 net/l2tp/l2tp_ppp.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit c86a686a85e05591c1f88282f3e22f48802c911a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 15 16:40:36 2014 -0400

    fix more DMA-on-stack cases

 drivers/media/dvb/dvb-usb/dvb-usb-firmware.c |   37 ++++++++++++++++++-------
 1 files changed, 26 insertions(+), 11 deletions(-)

commit 862b3b49a8fed0720d62674f5ead9bd5eec69fa0
Merge: 0b43139 9f35dc2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 13 19:37:28 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 9f35dc281dd37d104be973ad3bd47066b4662865
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 13 19:35:52 2014 -0400

    Update to pax-linux-3.2.61-test154.patch:
    - Emese fixed a size overflow false positive, reported by joe (http://forums.grsecurity.net/viewtopic.php?f=3&t=3997)
    - reverted an old compiler warning fix now causing problems with PCI device enumeration, reported by /dev/random (http://forums.grsecurity.net/viewtopic.php?f=3&t=3989)

 include/linux/mod_devicetable.h                    |    2 +-
 .../insert_size_overflow_check_ipa.c               |   18 +++++++++++++-----
 .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
 3 files changed, 15 insertions(+), 7 deletions(-)

commit 0b4313939d0db675558bb5320fa3c981c0e26d44
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 13 11:30:26 2014 -0400

    fix another DMA-on-stack case

    Conflicts:
        drivers/usb/host/hwa-hc.c

 drivers/usb/host/hwa-hc.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 3cd4f741d3fd7c8242c0449f63961f5ec3032058
Author: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
Date:   Wed Aug 21 01:43:19 2013 -0700

    hso: Fix stack corruption on some architectures

    As Sergei Shtylyov explained in the #mipslinux IRC channel:
    [Mon 2013-08-19 12:28:21 PM PDT] <headless> guys, are you sure it's not "DMA off stack" case?
    [Mon 2013-08-19 12:28:35 PM PDT] <headless> it's a known stack corruptor on non-coherent arches
    [Mon 2013-08-19 12:31:48 PM PDT] <DonkeyHotei> headless: for usb/ehci?
    [Mon 2013-08-19 12:34:11 PM PDT] <DonkeyHotei> headless: explain
    [Mon 2013-08-19 12:35:38 PM PDT] <headless> usb_control_msg() (or other such func) should not use buffer on stack. DMA from/to stack is prohibited
    [Mon 2013-08-19 12:35:58 PM PDT] <headless> and EHCI uses DMA on control xfers (as well as all the others)

    Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
    Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: David S.
Miller <davem@davemloft.net> drivers/net/usb/hso.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit ecbc9370398c612d176b2f55b5e18d68f7a79824 Merge: eced417 37db411 Author: Brad Spengler <spender@grsecurity.net> Date: Fri Jul 11 21:32:28 2014 -0400 Merge branch 'pax-stable' into grsec-stable Conflicts: arch/mips/kernel/scall32-o32.S arch/mips/kernel/scall64-64.S arch/mips/kernel/scall64-n32.S arch/mips/kernel/scall64-o32.S lib/lzo/lzo1x_decompress.c commit 37db411be348f02b54e131e560216f65fd8c7858 Merge: 9a2f790 e9b1a5c Author: Brad Spengler <spender@grsecurity.net> Date: Fri Jul 11 21:25:42 2014 -0400 Merge branch 'linux-3.2.y' into pax-stable Conflicts: arch/x86/kernel/entry_32.S include/net/inetpeer.h net/ipv6/ip6_output.c commit eced417d64539e2cdd3488aa6380a868345f9bff Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jul 10 00:07:03 2014 -0400 compile fix net/ipv6/addrconf.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f36ba2a503a679875cb23d5ae46c6dabb5ea0804 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Jul 9 23:14:19 2014 -0400 Allow /proc/net/if_inet6 to be visible by non-root users -- it is needed on Fedora 20 and the contents are similar to those of the already-allowed /proc/net/dev Conflicts: fs/proc/proc_net.c net/ipv6/addrconf.c fs/proc/proc_net.c | 22 +++++++++++++++++++++- net/ipv6/addrconf.c | 11 +++++++++-- 2 files changed, 30 insertions(+), 3 deletions(-) commit 58f7da419b21858b8f8589015e3442cfc92916b1 Author: nikolay@redhat.com <nikolay@redhat.com> Date: Sat Apr 6 00:54:37 2013 +0000 Revert "bonding: remove sysfs before removing devices" This reverts commit 4de79c737b200492195ebc54a887075327e1ec1d. This patch introduces a new bug which causes access to freed memory. In bond_uninit: list_del(&bond->bond_list); bond_list is linked in bond_net's dev_list which is freed by unregister_pernet_subsys. Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com> Signed-off-by: David S. 
Miller <davem@davemloft.net> drivers/net/bonding/bond_main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f79fb7679dacc533e16aec452ca10d181205b636 Author: David S. Miller <davem@davemloft.net> Date: Wed Nov 14 22:32:15 2012 -0500 Revert "drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free" This reverts commit aa731872f7d33dcb8b54dad0cfb82d4e4d195d7e. As pointed out by Ben Hutchings, this change is not correct. mdiobus_unregister() can't be called if the bus isn't registered yet, however this change can result in situations which cause that to happen. Part of the confusion here revolves around the fact that the callers of this module control registration/unregistration, rather than the module itself. Signed-off-by: David S. Miller <davem@davemloft.net> drivers/net/phy/mdio-bitbang.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 4526f7c8009b81c1de66725f95122217316050e2 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Jul 7 17:22:16 2014 -0400 fix gcc warning net/netfilter/nf_conntrack_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f754fafe847590003a676629746d0b76e6b34a4f Author: Brad Spengler <spender@grsecurity.net> Date: Mon Jul 7 16:07:41 2014 -0400 Backport extra commit for safety sake: commit f302b21ee907f65af6434d8618d2c1a921c02d48 Author: Andy Lutomirski <luto@amacapital.net> Date: Wed Jul 2 14:52:55 2014 -0700 x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699) Don't allow ptrace to set RIP to a value that couldn't happen by ordinary control flow. There are CPU bugs^Wfeatures that can have interesting effects if RIP is non-canonical. I didn't make the corresponding x86_32 change, since x86_32 has no concept of canonical addresses. putreg32 doesn't need this fix: value is only 32 bits, so it can't be non-canonical. Fixes CVE-2014-4699. There are arguably still bugs here, but this fixes the major issue. 
Signed-off-by: Andy Lutomirski <luto@amacapital.net> CVE-2014-4699 BugLink: http://bugs.launchpad.net/bugs/1337339 Acked-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com> arch/x86/kernel/ptrace.c | 14 ++++++++++++++ 1 files changed, 14 insertions(+), 0 deletions(-) commit fa5713f5b0214732cd02a8d155daa2077bffbfa0 Author: Tejun Heo <tj@kernel.org> Date: Thu Jul 3 15:43:15 2014 -0400 Upstream commit: b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a ptrace,x86: force IRET path after a ptrace_stop() The 'sysret' fastpath does not correctly restore even all regular registers, much less any segment registers or reflags values. That is very much part of why it's faster than 'iret'. Normally that isn't a problem, because the normal ptrace() interface catches the process using the signal handler infrastructure, which always returns with an iret. However, some paths can get caught using ptrace_event() instead of the signal path, and for those we need to make sure that we aren't going to return to user space using 'sysret'. Otherwise the modifications that may have been done to the register set by the tracer wouldn't necessarily take effect. Fix it by forcing IRET path by setting TIF_NOTIFY_RESUME from arch_ptrace_stop_needed() which is invoked from ptrace_stop(). 
Signed-off-by: Tejun Heo <tj@kernel.org> Reported-by: Andy Lutomirski <luto@amacapital.net> Acked-by: Oleg Nesterov <oleg@redhat.com> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> arch/x86/include/asm/ptrace.h | 16 ++++++++++++++++ include/linux/ptrace.h | 3 +++ 2 files changed, 19 insertions(+), 0 deletions(-) commit 0f3319928845248bff4ec7a52a8574c1eaef951d Author: Brad Spengler <spender@grsecurity.net> Date: Sun Jun 29 18:11:08 2014 -0400 revert PCI_ANY_ID change to fix problem with vgaswitcheroo as reported by /dev/random here: https://forums.grsecurity.net/viewtopic.php?f=3&t=3989 include/linux/mod_devicetable.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ac3cb18307b0e019e2d0df3e81f793ef5f128174 Author: Zhaowei Yuan <zhaowei.yuan@samsung.com> Date: Wed Jun 18 14:33:59 2014 +0800 Upstream commit: 1539fb9bd405ee32282ea0a38404f9e008ac5b7a drm: fix NULL pointer access by wrong ioctl If user uses wrong ioctl command with _IOC_NONE and argument size greater than 0, it can cause NULL pointer access from memset of line 463. If _IOC_NONE, don't memset to 0 for kdata. Signed-off-by: Zhaowei Yuan <zhaowei.yuan@samsung.com> Reviewed-by: David Herrmann <dh.herrmann@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Dave Airlie <airlied@redhat.com> Conflicts: drivers/gpu/drm/drm_drv.c drivers/gpu/drm/drm_drv.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 74a3bdf236caeaaf6584578ca3182ca56042f1a7 Author: Lars-Peter Clausen <lars@metafoo.de> Date: Wed Jun 18 13:32:31 2014 +0200 Upstream commit: 07f4d9d74a04aa7c72c5dae0ef97565f28f17b92 ALSA: control: Protect user controls against concurrent access The user-control put and get handlers as well as the tlv do not protect against concurrent access from multiple threads. 
Since the state of the control is not updated atomically it is possible that either two write operations or a write and a read operation race against each other. Both can lead to arbitrary memory disclosure. This patch introduces a new lock that protects user-controls from concurrent access. Since applications typically access controls sequentially than in parallel a single lock per card should be fine. Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Acked-by: Jaroslav Kysela <perex@perex.cz> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> include/sound/core.h | 2 ++ sound/core/control.c | 31 +++++++++++++++++++++++++------ sound/core/init.c | 1 + 3 files changed, 28 insertions(+), 6 deletions(-) commit 507712085e5ea6cd7900444b79762ec3961faf3e Author: Lars-Peter Clausen <lars@metafoo.de> Date: Wed Jun 18 13:32:33 2014 +0200 Upstream commit: fd9f26e4eca5d08a27d12c0933fceef76ed9663d ALSA: control: Don't access controls outside of protected regions A control that is visible on the card->controls list can be freed at any time. This means we must not access any of its memory while not holding the controls_rw_lock. Otherwise we risk a use after free access. Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Acked-by: Jaroslav Kysela <perex@perex.cz> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> sound/core/control.c | 15 ++++++++++----- 1 files changed, 10 insertions(+), 5 deletions(-) commit 23e0b172e9dcaebbd9aa378f8bfa6a0371d43830 Author: Lars-Peter Clausen <lars@metafoo.de> Date: Wed Jun 18 13:32:32 2014 +0200 Upstream commit: 82262a46627bebb0febcc26664746c25cef08563 ALSA: control: Fix replacing user controls There are two issues with the current implementation for replacing user controls. The first is that the code does not check if the control is actually a user control and neither does it check if the control is owned by the process that tries to remove it. 
That allows userspace applications to remove arbitrary controls, which can cause a user after free if a for example a driver does not expect a control to be removed from under its feed. The second issue is that on one hand when a control is replaced the user_ctl_count limit is not checked and on the other hand the user_ctl_count is increased (even though the number of user controls does not change). This allows userspace, once the user_ctl_count limit as been reached, to repeatedly replace a control until user_ctl_count overflows. Once that happens new controls can be added effectively bypassing the user_ctl_count limit. Both issues can be fixed by instead of open-coding the removal of the control that is to be replaced to use snd_ctl_remove_user_ctl(). This function does proper permission checks as well as decrements user_ctl_count after the control has been removed. Note that by using snd_ctl_remove_user_ctl() the check which returns -EBUSY at beginning of the function if the control already exists is removed. This is not a problem though since the check is quite useless, because the lock that is protecting the control list is released between the check and before adding the new control to the list, which means that it is possible that a different control with the same settings is added to the list after the check. Luckily there is another check that is done while holding the lock in snd_ctl_add(), so we'll rely on that to make sure that the same control is not added twice. 
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Acked-by: Jaroslav Kysela <perex@perex.cz> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> sound/core/control.c | 25 +++++++++---------------- 1 files changed, 9 insertions(+), 16 deletions(-) commit 97213774257d345f19783dfee25261b24924d09c Author: Lars-Peter Clausen <lars@metafoo.de> Date: Wed Jun 18 13:32:35 2014 +0200 Upstream commit: 883a1d49f0d77d30012f114b2e19fc141beb3e8e ALSA: control: Make sure that id->index does not overflow The ALSA control code expects that the range of assigned indices to a control is continuous and does not overflow. Currently there are no checks to enforce this. If a control with a overflowing index range is created that control becomes effectively inaccessible and unremovable since snd_ctl_find_id() will not be able to find it. This patch adds a check that makes sure that controls with a overflowing index range can not be created. Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Acked-by: Jaroslav Kysela <perex@perex.cz> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> sound/core/control.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 71b51afcc4fee7852d4381360de4e6335e8b2726 Author: Lars-Peter Clausen <lars@metafoo.de> Date: Wed Jun 18 13:32:34 2014 +0200 Upstream commit: ac902c112d90a89e59916f751c2745f4dbdbb4bd ALSA: control: Handle numid overflow Each control gets automatically assigned its numids when the control is created. The allocation is done by incrementing the numid by the amount of allocated numids per allocation. This means that excessive creation and destruction of controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to eventually overflow. Currently when this happens for the control that caused the overflow kctl->id.numid + kctl->count will also over flow causing it to be smaller than kctl->id.numid. 
Most of the code assumes that this is something that can not happen, so we need to make sure that it won't happen Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Acked-by: Jaroslav Kysela <perex@perex.cz> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> sound/core/control.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 6a8b19ad31ebc2f7522a292c6195cc5dc92ab750 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jun 26 18:19:44 2014 -0400 Upstream commit: 206a81c18401c0cde6e579164f752c4b147324ce lzo: properly check for overruns The lzo decompressor can, if given some really crazy data, possibly overrun some variable types. Modify the checking logic to properly detect overruns before they happen. Reported-by: "Don A. Bailey" <donb@securitymouse.com> Tested-by: "Don A. Bailey" <donb@securitymouse.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> lib/lzo/lzo1x_decompress.c | 62 +++++++++++++++++++++++++++++--------------- 1 files changed, 41 insertions(+), 21 deletions(-) commit 00767c94053d15f23871ba7d6cbc35ee5da8fddb Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jun 26 18:16:38 2014 -0400 upstream commit 8b975bd3f9089f8ee5d7bbfd798537b992bbc7e7 Author: Markus F.X.J. Oberhumer <markus@oberhumer.com> Date: Mon Aug 13 17:25:44 2012 +0200 lib/lzo: Update LZO compression to current upstream version This commit updates the kernel LZO code to the current upsteam version which features a significant speed improvement - benchmarking the Calgary and Silesia test corpora typically shows a doubled performance in both compression and decompression on modern i386/x86_64/powerpc machines. Signed-off-by: Markus F.X.J. 
Oberhumer <markus@oberhumer.com> include/linux/lzo.h | 15 +- lib/lzo/lzo1x_compress.c | 335 ++++++++++++++++++++++++------------------ lib/lzo/lzo1x_decompress.c | 350 +++++++++++++++++++++----------------------- lib/lzo/lzodefs.h | 38 ++++-- 4 files changed, 395 insertions(+), 343 deletions(-) commit 742ec59022c7a0b84482c868fd7334a2b7d8c7cd Author: Brad Spengler <spender@grsecurity.net> Date: Mon Jun 23 21:07:10 2014 -0400 change vunmap documentation back, it was changed when I was exploring a simpler approach to the KSTACKOVERFLOW problem mm/vmalloc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit fbe6bbb49405c4f392ecaaeeb16940daf33be713 Author: Brad Spengler <spender@grsecurity.net> Date: Sun Jun 22 17:45:49 2014 -0400 apply patch from http://marc.info/?l=linux-fsdevel&m=140128600801771&w=2 to ensure "hidden" files can't be created due to get_next_ino returning an inode of 0 fs/inode.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit 801f7094c71d49b78d05f5055fd22b0b6b271f49 Author: Brad Spengler <spender@grsecurity.net> Date: Sun Jun 22 12:28:46 2014 -0400 move grkernsec_setxid flag on mips into the LSW to match header documentation arch/mips/include/asm/thread_info.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a20924dd0fb5655c3bdbbb9ced629ceb0d50e6fa Author: Brad Spengler <spender@grsecurity.net> Date: Sun Jun 22 00:47:05 2014 -0400 fix !GRKERNSEC_KSTACKOVERFLOW compilation include/linux/vmalloc.h | 2 ++ mm/vmalloc.c | 10 ++++++++++ 2 files changed, 12 insertions(+), 0 deletions(-) commit b4a3ab65850c171ca72716ad05a39d16158e45e4 Author: Brad Spengler <spender@grsecurity.net> Date: Sat Jun 21 23:17:23 2014 -0400 Fix GRKERNSEC_KSTACKOVERFLOW incompatibility with virtio_net and other more rare drivers. 
Unfortunately to resolve the problem we had to choose between invasive changes to dozens of call-sites and continued future maintenance work, or rearchitecting the feature to be able to handle the uses seamlessly. With some tips from pipacs, I chose the latter. Various drivers including virtio_net use scatterlists derived from stack-based buffers (e.g. as an argument to sg_set_buf/sg_init_one). The scatterlist API requires that these buffers be in the kernel image or in kmalloc'd buffers, which caused a problem when vmalloc'd stacks were used due to GRKERNSEC_KSTACKOVERFLOW. What we do now is keep the original lowmem kstack allocation and then perform a THREAD_SIZE-aligned vmapped alias of the lowmem kstack's physical pages. We also restore kernel stack accounting by using this method. The downside is the existence of the lowmem kstack mapping, but the security guarantees of the feature are preserved. In sg_set_buf() (called by sg_init_one and directly) we now check to see if the buffer is on the current kernel stack. If it is, then we redirect the API to the lowmem alias of the kernel stack, preserving its assumptions. Since the unmapping of the virtual alias can sleep, we need to schedule it when called in interrupt context similar to before with vfree. Unlike before however, the contents of the alias depend on the lowmem physical pages, so we also need to defer the execution of free_thread_info(). We also have added a temporary debugging measure for this feature by adding a BUG_ON() to virt_to_page() to ensure we're not using a vmapped kernel stack address for APIs needing lowmem buffers -- this way we can be notified of any other APIs that need similar redirection. Thanks to kocka for assisting with some initial qemu/kernel debugging. 
arch/x86/include/asm/page.h | 12 ++++++- include/linux/scatterlist.h | 7 ++++ include/linux/sched.h | 5 ++- include/linux/vmalloc.h | 3 +- kernel/fork.c | 53 +++++++++++++++++++++++-------- mm/vmalloc.c | 72 ++++++++++++++++++++++++++++++++++--------- 6 files changed, 120 insertions(+), 32 deletions(-) commit 5fc86e48c1652e5cb320f0e45d03532403588cfb Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jun 19 13:43:33 2014 -0400 Add _TIF_SECCOMP flag to _TIF_WORK_SYSCALL_ENTRY to indicate that the system call needs to be checked against a seccomp filter. Signed-off-by: Markos Chandras <markos.chandras@imgtec.com> Reviewed-by: Paul Burton <paul.burton@imgtec.com> Reviewed-by: James Hogan <james.hogan@imgtec.com> Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/6405/ Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Cc: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> arch/mips/include/asm/thread_info.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit cb15c793e2be50234c292ef81bfb65b36c12d5b4 Merge: 9e9978f 9a2f790 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jun 19 12:20:34 2014 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit 9a2f7909dafce8ab50c0c78b11f2b12fd832ebc2 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jun 19 12:19:44 2014 -0400 Update to pax-linux-3.2.60-test153.patch: - fixed wrong asm constraint in __range_not_ok, reported by klimo (http://forums.grsecurity.net/viewtopic.php?f=3&t=3979) - added detection for more broken CC/HOSTCC combinations, reported by GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3973) arch/x86/include/asm/uaccess.h | 2 +- scripts/gcc-plugin.sh | 35 +++++++++++++++++++++++++++++++---- 2 files changed, 32 insertions(+), 5 deletions(-) commit 9e9978fb35dea4711690cb540ea250efe8adb923 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jun 19 11:57:30 2014 -0400 fix infoleak in raid5 slab cache 
names reported by Philippe Ganon drivers/md/raid5.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit 92c9055a72ac0a516df262888f0bd6ea9ce23f9c Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jun 19 11:16:51 2014 -0400 Revert "as reported by Mathias Krause, perf needs to use copy_to/from_user in" We don't need this for 3.2, as the copy_from_user_nmi will never reach check_object_size This reverts commit 9509274ffaeabd8053b3aface3ea8c77d8c1b3a1. fs/exec.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9509274ffaeabd8053b3aface3ea8c77d8c1b3a1 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jun 19 10:34:21 2014 -0400 as reported by Mathias Krause, perf needs to use copy_to/from_user in NMI context, using the appropriate _nmi versions of the routines. Only BUG() if we're not in NMI context fs/exec.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 0f248003a96710667425681f7e21f4d57c51da0a Author: Theodore Ts'o <tytso@mit.edu> Date: Sun Jun 15 21:04:32 2014 -0400 Upstream commit: e33ba5fa7afce1a9f159704121d4e4d110df8185 (this should have already been fixed by previous commit in May: f9c6d4987b23e0a514464bae6771933a48e4cd01, and the size_overflow plugin should have caught the bad case) random: fix nasty entropy accounting bug Commit 0fb7a01af5b0 "random: simplify accounting code", introduced in v3.15, has a very nasty accounting problem when the entropy pool has has fewer bytes of entropy than the number of requested reserved bytes. In that case, "have_bytes - reserved" goes negative, and since size_t is unsigned, the expression: ibytes = min_t(size_t, ibytes, have_bytes - reserved); ... does not do the right thing. This is rather bad, because it defeats the catastrophic reseeding feature in the xfer_secondary_pool() path. 
It also can cause the "BUG: spinlock trylock failure on UP" for some kernel configurations when prandom_reseed() calls get_random_bytes() in the early init, since when the entropy count gets corrupted, credit_entropy_bits() erroneously believes that the nonblocking pool has been fully initialized (when in fact it is not), and so it calls prandom_reseed(true) recursively leading to the spinlock BUG. The logic is *not* the same it was originally, but in the cases where it matters, the behavior is the same, and the resulting code is hopefully easier to read and understand. Fixes: 0fb7a01af5b0 "random: simplify accounting code" Signed-off-by: Theodore Ts'o <tytso@mit.edu> Cc: Greg Price <price@mit.edu> Cc: stable@vger.kernel.org #v3.15 Conflicts: drivers/char/random.c drivers/char/random.c | 17 +++++++++-------- 1 files changed, 9 insertions(+), 8 deletions(-) commit 0e1bd8028f5abd9e28e28d322ab06ef7f1a83c0a Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jun 19 10:01:17 2014 -0400 add missing include fs/fhandle.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 6d168543c94235cb6669de01c1a6e686cd1b94ae Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jun 19 09:51:38 2014 -0400 Disable access to file handles inside chroots as part of GRKERNSEC_CHROOT_FCHDIR, as stealth's attack on docker containers also works against grsec chroots with uid 0 and CAP_DAC_READ_SEARCH inside. Contrary to the changelog in the test branch, the stable tree was affected as well. 
fs/fhandle.c | 2 +- grsecurity/Kconfig | 8 +++++--- grsecurity/grsec_chroot.c | 17 +++++++++++++++++ include/linux/grmsg.h | 1 + include/linux/grsecurity.h | 1 + 5 files changed, 25 insertions(+), 4 deletions(-) commit 96f72e4c712c55b8ea0011994c7139f5026c62f7 Author: Andy Lutomirski <luto@amacapital.net> Date: Wed May 28 23:09:58 2014 -0400 Upstream commit: a3c54931199565930d6d84f4c3456f6440aefd41 auditsc: audit_krule mask accesses need bounds checking Fixes an easy DoS and possible information disclosure. This does nothing about the broken state of x32 auditing. eparis: If the admin has enabled auditd and has specifically loaded audit rules. This bug has been around since before git. Wow... Cc: stable@vger.kernel.org Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Conflicts: kernel/auditsc.c kernel/auditsc.c | 25 ++++++++++++++++++------- 1 files changed, 18 insertions(+), 7 deletions(-) commit d20f2736b8c185c0dccb03d2c600a51c7131ee8d Author: Brad Spengler <spender@grsecurity.net> Date: Tue Jun 10 12:25:17 2014 -0400 update size_overflow hash table .../size_overflow_plugin/size_overflow_hash.data | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 4b4e8eb16b000f63b26b530d442ca4566336d015 Author: Brad Spengler <spender@grsecurity.net> Date: Tue Jun 10 10:01:00 2014 -0400 fix !x86 compilation, reported by Blake Self fs/exec.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit b17ed609e4b3ee5244faf36a2f5d4b802baf626d Merge: bc7622c 3ceecde Author: Brad Spengler <spender@grsecurity.net> Date: Tue Jun 10 09:43:02 2014 -0400 Merge branch 'pax-stable2' into grsec-stable2 Conflicts: net/core/filter.c net/ipv4/ping.c security/Kconfig commit 3ceecde1a9ba0b5d3d250561445b279b11d87a5c Merge: 9aa785b0 6b3965a Author: Brad Spengler <spender@grsecurity.net> Date: Tue Jun 10 09:33:31 2014 -0400 Update to pax-linux-3.2.60-test152.patch: - 
backported 'x86_64: expand kernel stack to 16K', commit 6538b8ea886e472f4431db8ca1d60478f838d14b upstream - backported 'mm: rmap: fix use-after-free in __put_anon_vma', commit 624483f3ea82598ab0f62f1bdb9177f531ab1892 upstream - CPUs are switched to the percpu pgd earlier to support early vmalloc faults (needed for grsecurity's KSTACKOVERFLOW) - cleaned up some unnecessary hunks - folded RANDUSTACK into RANDMMAP as supporting them separately isn't worth it, reported by Roy Li <rongqing.li@windriver.com> Merge branch 'linux-3.2.y' into pax-stable2 Conflicts: mm/memory-failure.c commit bc7622c3ee8df64e72a925fcb1973701e14e3dc8 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jun 5 21:57:02 2014 -0400 Fix KSTACKOVERFLOW harder -- if we didn't get a cr3 reload event prior to the first vmalloc fault, PaX's per-cpu pgd sanity checking would BUG() on detecting cr3 being set to init_level4_pgt. Fix this by switching to the per-cpu pgds immediately after starting up secondary CPUs. Reported by the mempo team, fixed by pipacs arch/x86/kernel/smpboot.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit a3d64cfb85e859de3464c2dcf94f33a3a32dbfd5 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jun 5 12:33:38 2014 -0400 randomize layouts of two futex structs kernel/futex.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit c806e64af3e3c62c371707ceaebe8dcd64a89501 Author: Thomas Gleixner <tglx@linutronix.de> Date: Mon May 12 20:45:35 2014 +0000 Upstream commit: f0d71b3dcb8332f7971b5f2363632573e6d9486a futex: Prevent attaching to kernel threads We happily allow userspace to declare a random kernel thread to be the owner of a user space PI futex. Found while analysing the fallout of Dave Jones syscall fuzzer. We also should validate the thread group for private futexes and find some fast way to validate whether the "alleged" owner has RW access on the file which backs the SHM, but that's a separate issue. 
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: Dave Jones <davej@redhat.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Darren Hart <darren@dvhart.com>
    Cc: Davidlohr Bueso <davidlohr@hp.com>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: Clark Williams <williams@redhat.com>
    Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
    Cc: Lai Jiangshan <laijs@cn.fujitsu.com>
    Cc: Roland McGrath <roland@hack.frob.com>
    Cc: Carlos ODonell <carlos@redhat.com>
    Cc: Jakub Jelinek <jakub@redhat.com>
    Cc: Michael Kerrisk <mtk.manpages@gmail.com>
    Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    Link: http://lkml.kernel.org/r/20140512201701.194824402@linutronix.de
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org

 kernel/futex.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 0bb5fb443fb3ec3e5430cc63c42f835b7e8dbcaa
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Tue Jun 3 12:27:08 2014 +0000

    futex: Make lookup_pi_state more robust

    The current implementation of lookup_pi_state has ambiguous handling of the TID value 0 in the user space futex. We can get into the kernel even if the TID value is 0, because either there is a stale waiters bit or the owner died bit is set or we are called from the requeue_pi path or from user space just for fun.

    The current code avoids an explicit sanity check for pid = 0 in case that kernel internal state (waiters) are found for the user space address. This can lead to state leakage and worse under some circumstances.

    Handle the cases explicitly:

          Waiter | pi_state | pi->owner | uTID      | uODIED | ?
    [1]   NULL   | ---      | ---       | 0         | 0/1    | Valid
    [2]   NULL   | ---      | ---       | >0        | 0/1    | Valid
    [3]   Found  | NULL     | --        | Any       | 0/1    | Invalid
    [4]   Found  | Found    | NULL      | 0         | 1      | Valid
    [5]   Found  | Found    | NULL      | >0        | 1      | Invalid
    [6]   Found  | Found    | task      | 0         | 1      | Valid
    [7]   Found  | Found    | NULL      | Any       | 0      | Invalid
    [8]   Found  | Found    | task      | ==taskTID | 0/1    | Valid
    [9]   Found  | Found    | task      | 0         | 0      | Invalid
    [10]  Found  | Found    | task      | !=taskTID | 0/1    | Invalid

    [1] Indicates that the kernel can acquire the futex atomically. We came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.

    [2] Valid, if TID does not belong to a kernel thread. If no matching thread is found then it indicates that the owner TID has died.

    [3] Invalid. The waiter is queued on a non PI futex

    [4] Valid state after exit_robust_list(), which sets the user space value to FUTEX_WAITERS | FUTEX_OWNER_DIED.

    [5] The user space value got manipulated between exit_robust_list() and exit_pi_state_list()

    [6] Valid state after exit_pi_state_list() which sets the new owner in the pi_state but cannot access the user space value.

    [7] pi_state->owner can only be NULL when the OWNER_DIED bit is set.

    [8] Owner and user space value match

    [9] There is no transient state which sets the user space TID to 0 except exit_robust_list(), but this is indicated by the FUTEX_OWNER_DIED bit. See [4]

    [10] There is no transient state which leaves owner and user space TID out of sync.
    Backport to 3.13

    conflicts:
        kernel/futex.c

    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: John Johansen <john.johansen@canonical.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Will Drewry <wad@chromium.org>
    Cc: Darren Hart <dvhart@linux.intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/futex.c | 123 ++++++++++++++++++++++++++++++++++++++++++++++++--------
 1 files changed, 106 insertions(+), 17 deletions(-)

commit 2df614887f85813e24ae89492efd29d66b959f57
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Tue Jun 3 12:27:07 2014 +0000

    futex: Always cleanup owner tid in unlock_pi

    If the owner died bit is set at futex_unlock_pi, we currently do not cleanup the user space futex. So the owner TID of the current owner (the unlocker) persists. That's observable inconsistent state, especially when the ownership of the pi state got transferred.

    Clean it up unconditionally.

    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Will Drewry <wad@chromium.org>
    Cc: Darren Hart <dvhart@linux.intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/futex.c | 40 ++++++++++++++++++----------------------
 1 files changed, 18 insertions(+), 22 deletions(-)

commit 348e435c71215446448474427c173801cc509a63
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Tue Jun 3 12:27:06 2014 +0000

    futex: Validate atomic acquisition in futex_lock_pi_atomic()

    We need to protect the atomic acquisition in the kernel against rogue user space which sets the user space futex to 0, so the kernel side acquisition succeeds while there is existing state in the kernel associated to the real owner.

    Verify whether the futex has waiters associated with kernel state. If it has, return -EINVAL. The state is corrupted already, so no point in cleaning it up. Subsequent calls will fail as well. Not our problem.
    [ tglx: Use futex_top_waiter() and explain why we do not need to try restoring the already corrupted user space state. ]

    Signed-off-by: Darren Hart <dvhart@linux.intel.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Will Drewry <wad@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/futex.c | 14 +++++++++++---
 1 files changed, 11 insertions(+), 3 deletions(-)

commit 8688b2037d58dc0d5b105abb9621e7194cf83815
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Tue Jun 3 12:27:06 2014 +0000

    futex-prevent-requeue-pi-on-same-futex.patch

    futex: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1)

    If uaddr == uaddr2, then we have broken the rule of only requeueing from a non-pi futex to a pi futex with this call. If we attempt this, then dangling pointers may be left for rt_waiter resulting in an exploitable condition.

    This change brings futex_requeue() into line with futex_wait_requeue_pi() which performs the same check as per commit 6f7b0a2a5 (futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi())

    [ tglx: Compare the resulting keys as well, as uaddrs might be different depending on the mapping ]

    Fixes CVE-2014-3153.

    Reported-by: Pinkie Pie
    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/futex.c | 25 +++++++++++++++++++++++++
 1 files changed, 25 insertions(+), 0 deletions(-)

commit 8798a53cd1e84e1b2c0ecee1afed25a08648041d
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Mon Jul 8 16:00:08 2013 -0700

    vfree: don't schedule free_work() if llist_add() returns false

    vfree() only needs schedule_work(&p->wq) if p->list was empty, otherwise vfree_deferred->wq is already pending or it is running and didn't do llist_del_all() yet.
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Conflicts:
        mm/vmalloc.c

 mm/vmalloc.c | 7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 8a62a7ce273800b19fb3626a7c6b3005dd7b5577
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sun Mar 10 20:14:08 2013 -0400

    make vfree() safe to call from interrupt contexts

    A bunch of RCU callbacks want to be able to do vfree() and end up with rather kludgy schemes. Just let vfree() do the right thing - put the victim on llist and schedule actual __vunmap() via schedule_work(), so that it runs from non-interrupt context.

    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 mm/vmalloc.c | 45 ++++++++++++++++++++++++++++++++++++++++-----
 1 files changed, 40 insertions(+), 5 deletions(-)

commit 966a25b66eefc148cb927aae1bb9551a576b82e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 3 09:49:01 2014 -0400

    fix compiler warning

 fs/exec.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ba92b6c35509ac0b667d9ba1d425de47a65ee7a7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 3 07:23:49 2014 -0400

    Revert "mark KSTACKOVERFLOW as broken on 3.2 until it is fixed. Wasn't caught by"

    This reverts commit 6bbd3978f194a25e2317f229cdf3985e9daee35c.

 grsecurity/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6bbd3978f194a25e2317f229cdf3985e9daee35c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 3 07:13:32 2014 -0400

    mark KSTACKOVERFLOW as broken on 3.2 until it is fixed.
    Wasn't caught by my automated testing due to a bug in my build scripts

 grsecurity/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f0006cb4e64a5083cd3def0718c3cf9522a81102
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 3 06:29:37 2014 -0400

    add another populate_stack under switch_mm()

 mm/mmu_context.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e684d267aa65130a25bb0355bf08f15d748e8971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 16:50:02 2014 -0400

    update hash table

 .../size_overflow_plugin/size_overflow_hash.data | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit dec01c65a1c17bba1c39964df0b8acbf40ed5af5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 16:18:35 2014 -0400

    compile fix

 kernel/fork.c | 41 ++++++++++++++++++++++++++--------------
 mm/vmalloc.c | 4 ++--
 2 files changed, 28 insertions(+), 17 deletions(-)

commit 409239ea3d7a8e95dccb66a1732bd995c48626e0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 15:36:59 2014 -0400

    compile fix

 mm/vmalloc.c | 8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit b9bdbdf615bc879205c4e8e9d8c6c3bc40a330d4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 15:29:48 2014 -0400

    Add a new feature for 64-bit kernels to defend against stack overflows

    GRKERNSEC_KSTACKOVERFLOW

    Contrary to some naive suggestions on Twitter, it's not just a simple process of "adding guard pages" due to how kernel stacks are allocated on Linux and the fact that just adding guard pages to that existing allocation mechanism would require breaking up large pages, adding a large maintenance and performance cost. Instead we allocate the kernel process stacks using vmalloc which provides us with the "guard pages" for free, though we only do this on 64-bit architectures (other than Itanium) due to the limited space for vmalloc allocations on 32-bit.
    We've been working on some other approaches for solving this problem, including one that required several advances in GCC plugin analysis, but this will exist for now as a stopgap until another approach replaces it.

 arch/x86/kernel/traps.c | 5 +++++
 fs/exec.c | 1 +
 grsecurity/Kconfig | 13 +++++++++++++
 include/linux/sched.h | 19 +++++++++++++++++++
 include/linux/vmalloc.h | 1 +
 kernel/fork.c | 15 +++++++++++++++
 kernel/sched.c | 8 ++++++--
 mm/vmalloc.c | 6 ++++++
 8 files changed, 66 insertions(+), 2 deletions(-)

commit 7f9eb5130b5ca75efc0cdbd5090d1bed9bbeeb16
Merge: 265e351 9aa785b0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 15:11:37 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        Makefile
        tools/gcc/Makefile

commit 9aa785b03e380493c4c8ca31af2c49b2e276fb40
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 15:06:29 2014 -0400

    Update to pax-linux-3.2.59-test151.patch:
    - Emese refactored the size overflow plugin and also fixed several integer constant related false positives
      - https://forums.grsecurity.net/viewtopic.php?f=3&t=3940
      - https://forums.grsecurity.net/viewtopic.php?f=3&t=3942
      - https://forums.grsecurity.net/viewtopic.php?f=3&t=3943
      - https://forums.grsecurity.net/viewtopic.php?f=3&t=3949
      - https://forums.grsecurity.net/viewtopic.php?f=3&t=3950
    - Emese fixed an assert in the size overflow plugin that could trigger while compiling on 32 bit archs, reported by spender
    - Emese fixed the handling of more intentional overflows in unsigned/signed casts, reported by minipli
    - updated the mrproper target for the new location of the overflow plugin headers, by minipli
    - fixed an off-by-one in the prefault code in access_ok on x86, reported by Roy Li <rongqing.li@windriver.com>
      it'd cause a prefault attempt on address 0 and other unmapped addresses and fail the current syscall
    - updated gcc-common.h

 Makefile | 6 +-
 arch/x86/include/asm/uaccess.h | 34 +-
 tools/gcc/.gitignore | 1 -
 tools/gcc/Makefile | 29 +-
 tools/gcc/gcc-common.h | 10 +-
 tools/gcc/generate_size_overflow_hash.sh | 97 -
 tools/gcc/size_overflow_hash.data | 4429 --------------------
 tools/gcc/size_overflow_hash_aux.data | 91 -
 tools/gcc/size_overflow_plugin.c | 4169 ------------------
 tools/gcc/size_overflow_plugin/.gitignore | 1 +
 tools/gcc/size_overflow_plugin/Makefile | 20 +
 .../generate_size_overflow_hash.sh | 102 +
 .../insert_size_overflow_asm.c | 790 ++++
 .../insert_size_overflow_check_core.c | 902 ++++
 .../insert_size_overflow_check_ipa.c | 1133 +++++
 .../size_overflow_plugin/intentional_overflow.c | 733 ++++
 tools/gcc/size_overflow_plugin/misc.c | 203 +
 .../size_overflow_plugin/remove_unnecessary_dup.c | 138 +
 tools/gcc/size_overflow_plugin/size_overflow.h | 127 +
 .../gcc/size_overflow_plugin/size_overflow_debug.c | 116 +
 .../size_overflow_plugin/size_overflow_hash.data | 4429 ++++++++++++++++++++
 .../size_overflow_hash_aux.data | 91 +
 .../size_overflow_plugin/size_overflow_plugin.c | 259 ++
 .../size_overflow_plugin_hash.c | 364 ++
 24 files changed, 9448 insertions(+), 8826 deletions(-)

commit 265e3519eb88d6eee96d14afe7bdb26691fd471b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 14:35:00 2014 -0400

    backport ntpd fix for GRKERNSEC_SETXID

 include/linux/cred.h | 1 +
 kernel/cred.c | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletions(-)

commit f7a7ffb4dd3c028442edee5ad7405aa9fc3bb974
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 06:51:24 2014 -0400

    avoid include hell by moving the stack check to fs/exec.c and passing in an extra bool to the function specifying whether the length is const or not.
    we'll also perform this check regardless of USERCOPY status

    Conflicts:
        include/linux/thread_info.h

 fs/exec.c | 17 +++++++++++++++--
 include/linux/thread_info.h | 16 +++------------
 2 files changed, 18 insertions(+), 15 deletions(-)

commit 58fe3a791c09108f829e729952aff4fcbaf4f3a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 1 12:43:42 2014 -0400

    We can use an even stricter check on the stack for copy*user as it should only ever be called in process context -- this allows us not only to check for potential future overflow but actual overflow

    Conflicts:
        include/linux/thread_info.h

 include/linux/thread_info.h | 12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

commit d123ba06b839092349c0e774e857f1ab1e8fc6b6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 1 11:14:01 2014 -0400

    remove my backport of the pty fix as it's now fixed upstream
    reported by rfree/mempo

 drivers/tty/n_tty.c | 9 ---------
 1 files changed, 0 insertions(+), 9 deletions(-)

commit 63466f8f452573994ad1373c54de36ff73b711f3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 30 21:38:31 2014 -0400

    fix DEBUG_STACKOVERFLOW properly, reported by jeff on IRC

 arch/x86/kernel/irq_64.c | 15 ++++++++-------
 1 files changed, 8 insertions(+), 7 deletions(-)

commit 44f972e59e9d10b9a249977ae066949f2c2180ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 28 18:16:00 2014 -0400

    don't force on DEBUG_STACKOVERFLOW as we now have the better STACKLEAK improvements and KSTACKOVERFLOW

 security/Kconfig | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit c66753f04e015df79161be0daab7b7a7cea145b6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 28 17:04:39 2014 -0400

    fix bad WARN_ON and triggering of kernel bruteforce logic in the x64 DEBUG_STACKOVERFLOW case, reported by jeff on IRC

 arch/x86/kernel/irq_64.c | 13 ++++++-------
 1 files changed, 6 insertions(+), 7 deletions(-)

commit 47be0d85ed13e8cfeec42f612c08319ca27c8e6d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 27 12:54:48 2014 -0400

    make pax_track_stack BUG() immediately if it notices the stack getting too deep -- this will happen separately to its later check that we're clearing too much stack on syscall exit

 fs/exec.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 61685e688b41d0d914736e99750ff034af9f8a60
Author: Anthony Iliopoulos <anthony.iliopoulos@huawei.com>
Date:   Wed May 14 11:29:48 2014 +0200

    Upstream commit: 9844f5462392b53824e8b86726e7c33b5ecbb676

    x86, mm, hugetlb: Add missing TLB page invalidation for hugetlb_cow()

    The invalidation is required in order to maintain proper semantics under CoW conditions. In scenarios where a process clones several threads, a thread operating on a core whose DTLB entry for a particular hugepage has not been invalidated, will be reading from the hugepage that belongs to the forked child process, even after hugetlb_cow().

    The thread will not see the updated page as long as the stale DTLB entry remains cached, the thread attempts to write into the page, the child process exits, or the thread gets migrated to a different processor.

    Signed-off-by: Anthony Iliopoulos <anthony.iliopoulos@huawei.com>
    Link: http://lkml.kernel.org/r/20140514092948.GA17391@server-36.huawei.corp
    Suggested-by: Shay Goikhman <shay.goikhman@huawei.com>
    Acked-by: Dave Hansen <dave.hansen@intel.com>
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Cc: <stable@vger.kernel.org> # v2.6.16+ (!)

 arch/x86/include/asm/hugetlb.h | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 9386cb913f41ad5fddc2782a3245a70c6cb74d50
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed May 14 16:33:54 2014 -0700

    Upstream commit: fa81511bb0bbb2b1aace3695ce869da9762624ff

    x86-64, modify_ldt: Make support for 16-bit segments a runtime option

    Checkin:

    b3b42ac2cbae x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels

    disabled 16-bit segments on 64-bit kernels due to an information leak.
    However, it does seem that people are genuinely using Wine to run old 16-bit Windows programs on Linux.

    A proper fix for this ("espfix64") is coming in the upcoming merge window, but as a temporary fix, create a sysctl to allow the administrator to re-enable support for 16-bit segments.

    It adds a "/proc/sys/abi/ldt16" sysctl that defaults to zero (off). If you hit this issue and care about your old Windows program more than you care about a kernel stack address information leak, you can do

        echo 1 > /proc/sys/abi/ldt16

    as root (add it to your startup scripts), and you should be ok.

    The sysctl table is only added if you have COMPAT support enabled on x86-64, but I assume anybody who runs old windows binaries very much does that ;)

    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Link: http://lkml.kernel.org/r/CA%2B55aFw9BPoD10U1LfHbOMpHWZkvJTkMcfCs9s3urPr1YyWBxw@mail.gmail.com
    Cc: <stable@vger.kernel.org>

 arch/x86/kernel/ldt.c | 4 +++-
 arch/x86/vdso/vdso32-setup.c | 8 ++++++++
 2 files changed, 11 insertions(+), 1 deletions(-)

commit 58edf59a3ee94bbbe27c3967db6a5d283f4e01fa
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Fri May 16 21:40:41 2014 -0400

    Upstream commit: f9c6d4987b23e0a514464bae6771933a48e4cd01

    random: fix BUG_ON caused by accounting simplification

    Commit ee1de406ba6eb1 ("random: simplify accounting logic") simplified things too much, in that it allows the following to trigger an overflow that results in a BUG_ON crash:

        dd if=/dev/urandom of=/dev/zero bs=67108707 count=1

    Thanks to Peter Zijlstra for discovering the crash, and Hannes Frederic for analyzing the root cause.
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Reported-by: Peter Zijlstra <peterz@infradead.org>
    Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Cc: Greg Price <price@mit.edu>

 drivers/char/random.c | 7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit bd1f060663648057d1a1662c7d788058b8ac417a
Merge: 5249b28 abe5854
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 25 11:56:37 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit abe585404d0fe8c70e29ad4296ea21b698a610ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 25 11:56:10 2014 -0400

    Update to pax-linux-3.2.59-test150.patch

 arch/x86/kernel/paravirt.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c6e6e2ee5f4722da22512eac57077dafad9da608
Merge: 6fed70a 382ae9d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 25 11:45:58 2014 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

commit 5249b288c860d8ad83335db0bd44a0529782c3a8
Author: David S. Miller <davem@davemloft.net>
Date:   Mon Apr 28 23:50:08 2014 -0700

    Upstream commit: d037d16372bbe4d580342bebbb8826821ad9edf0

    sparc64: Handle 32-bit tasks properly in compute_effective_address().

    If we have a 32-bit task we must chop off the top 32-bits of the 64-bit value just as the cpu would.

    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/kernel/unaligned_64.c | 12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

commit 1bd029b6a18a5f97ee1284a61bef4cd3381e0d35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 11 12:40:46 2014 -0400

    fix compilation, reported by mcp

 fs/proc/stat.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 578116be14bf158bc2e340952bd8a28afa5cc0f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 10 17:31:17 2014 -0400

    fix compilation

 include/linux/thread_info.h | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit e62d30699e81b93e65213ee3275e7c8e855ad7ed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 10 17:24:47 2014 -0400

    force DEBUG_STACKOVERFLOW on on grsec kernels and make it trigger the bruteforce logic

    Conflicts:
        arch/powerpc/kernel/irq.c
        arch/x86/kernel/irq_32.c
        arch/x86/kernel/irq_64.c

 arch/mips/kernel/irq.c | 4 ++++
 arch/powerpc/kernel/irq.c | 3 +++
 arch/x86/kernel/irq_32.c | 4 ++++
 arch/x86/kernel/irq_64.c | 3 +++
 security/Kconfig | 1 +
 5 files changed, 15 insertions(+), 0 deletions(-)

commit 495a3bb3c5488519188cf3da926aff5ea0eac2eb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 10 16:46:48 2014 -0400

    always perform the stack overflow check, not just for non-fixed size copies

 fs/exec.c | 16 +---------------
 include/linux/thread_info.h | 8 ++++++++
 2 files changed, 9 insertions(+), 15 deletions(-)

commit 434193e5563a158139ecdb479865728af57f048a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 10 16:26:25 2014 -0400

    compile fix

 fs/proc/stat.c | 12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

commit d44fc35cea3e921ce6c0e6de16b539dafbb1e99b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 10 15:52:44 2014 -0400

    improve PAX_USERCOPY on x86 to detect attempted copies when the current stack has overflowed

 arch/x86/kernel/dumpstack_32.c | 2 +-
 arch/x86/kernel/dumpstack_64.c | 2 +-
 fs/exec.c | 17 ++++++++++++++++-
 3 files changed, 18 insertions(+), 3 deletions(-)

commit 7997ac44201621628c670827226bb393ed4b0187
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 10 15:29:13 2014 -0400

    relax /proc/stat restrictions

    Conflicts:
        fs/proc/stat.c

 fs/proc/stat.c | 49 +++++++++++++++++++++++++++----------------------
 1 files changed, 27 insertions(+), 22 deletions(-)

commit df5c216e9ab4541d08dd7a45ea5701d75b78df9b
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sat May 3 23:27:00 2014 +0300

    Upstream commit: 3cf0b0311e746a26dcc7c0b5ba0756f61d636a33

    agp: info leak in agpioc_info_wrap()

    On 64 bit systems the agp_info struct has a 4 byte hole between ->agp_mode and ->aper_base. We need to clear it to avoid disclosing stack information to userspace.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

 drivers/char/agp/frontend.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 02a5d53352be8c02a37d4b533dc9b57a6434fa68
Author: Matthew Daley <mattd@bugfuzz.com>
Date:   Mon Apr 28 19:05:20 2014 +1200

    Upstream commit: ef87dbe7614341c2e7bfe8d32fcb7028cc97442c

    floppy: ignore kernel-only members in FDRAWCMD ioctl input

    Always clear out these floppy_raw_cmd struct members after copying the entire structure from userspace so that the in-kernel version is always valid and never left in an indeterminate state.

    Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/block/floppy.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 0b505d92305c57ad572115a67665b530c449496b
Author: Matthew Daley <mattd@bugfuzz.com>
Date:   Mon Apr 28 19:05:21 2014 +1200

    Upstream commit: 2145e15e0557a01b9195d1c7199a1b92cb9be81f

    floppy: don't write kernel-only members to FDRAWCMD ioctl output

    Do not leak kernel-only floppy_raw_cmd structure members to userspace. This includes the linked-list pointer and the pointer to the allocated DMA space.
    Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/block/floppy.c | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit fba8cb418be22f02333b5fe4d7ddfdbba3f1f82a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 6 17:04:33 2014 -0400

    fix compilation with older gcc (redefinition of pid_alive)

 include/linux/sched.h | 26 ++++++++++++--------------
 1 files changed, 12 insertions(+), 14 deletions(-)

commit ee26ef6fe974459d501d2583a7d3d605f1073934
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 5 18:21:03 2014 -0400

    backport fix (there is no n_tty_data in 3.2)

 drivers/tty/n_tty.c | 9 ++++-----
 1 files changed, 4 insertions(+), 5 deletions(-)

commit e74da1fee4e283ea2b847a5176bb97453e661e11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 5 18:12:30 2014 -0400

    Backport fix for heap overflow in the tty layer, CVE-2014-0196
    http://bugzillafiles.novell.org/attachment.cgi?id=588355

 drivers/tty/n_tty.c | 10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit f06aa00fbffaf0d80f041e6b25fad80f6e6ac0ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 12:03:07 2014 -0400

    restrict rt_cache

 net/ipv4/route.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit bf1dd6158696947c5bc8d84df33574c4d21d44e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 11:41:02 2014 -0400

    use ERR_PTR

 fs/proc/generic.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6e84b936802845f9e27020b45e5dfadd90cdb033
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 10:50:33 2014 -0400

    fix warnings

 net/core/dev.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 4d9e583020590b209f4aad6fa4c2cf4e2bcb3e0b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 10:47:36 2014 -0400

    reuse the format string to preserve padding

 net/core/dev.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 4be476f6b229508e218e4942c4ff16ba9dce933f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 10:41:45 2014 -0400

    compile fix

 fs/proc/generic.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit d46294dd750ab1ec8621c0f978315f6c42398059
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 10:35:58 2014 -0400

    refactor the code for the previous commit and sanitize /proc/net/dev output

 fs/proc/generic.c | 21 ++------------------
 fs/proc/proc_net.c | 21 +++------------------
 fs/seq_file.c | 23 +++-------------------
 grsecurity/Makefile | 2 +-
 grsecurity/grsec_proc.c | 20 ++++++++++++++++++++
 include/linux/grsecurity.h | 2 ++
 net/core/dev.c | 5 ++++-
 7 files changed, 35 insertions(+), 59 deletions(-)

commit 1e13912f8215757a9d42d6b9e915ceb3072968a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 10:00:07 2014 -0400

    Previously all of /proc/net was inaccessible under GRKERNSEC_PROC except for a special group (under GRKERNSEC_PROC_USERGROUP) but which also required that process be able to see all other processes in /proc. Several programs need to access /proc/net/dev and /proc/net/dev only. Matlab for instance needs it and will crash if it can't open it. The interface list in /proc/net/dev is not sensitive (we will zero out packet counts in the next commit) and the same information can be obtained via netlink. So now we will allow /proc/net/dev to anyone and restrict access to all other entries in /proc/net. Requested by a commercial support customer.
 fs/proc/generic.c | 82 +++++++++++++++++++++++++++++++++++-
 fs/proc/internal.h | 2 +
 fs/proc/proc_net.c | 35 ++++++++++-----
 fs/seq_file.c | 39 +++++++++++++++++
 include/linux/proc_fs.h | 2 +
 include/linux/seq_file.h | 2 +
 net/appletalk/atalk_proc.c | 2 +-
 net/can/bcm.c | 2 +-
 net/can/proc.c | 2 +-
 net/core/dev.c | 4 +-
 net/core/pktgen.c | 2 +-
 net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +-
 net/ipv6/proc.c | 2 +-
 net/ipx/ipx_proc.c | 2 +-
 net/irda/irproc.c | 2 +-
 net/llc/llc_proc.c | 2 +-
 net/netfilter/core.c | 2 +-
 net/netfilter/xt_hashlimit.c | 4 +-
 net/netfilter/xt_recent.c | 2 +-
 net/sctp/protocol.c | 2 +-
 net/sunrpc/cache.c | 2 +-
 net/sunrpc/stats.c | 2 +-
 net/wanrouter/wanproc.c | 2 +-
 net/x25/x25_proc.c | 2 +-
 24 files changed, 169 insertions(+), 33 deletions(-)

commit 4a458454aa859a2715e11d0db51e5226c152d8e5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 1 17:46:13 2014 -0400

    Fix CVE-2014-1739, upstream vuln in media_enum_entities()

    Author: Salva Peiró
    Date: April 2014 - Discovery of the vulnerability.
    Impact: The vulnerability discloses 200 bytes of kernel process stack.
    Affected Version: From linux-2.6.38 to linux-3.15-rc3
    Bug Timespan: 3 years: 2011-03-23 to 2014-04-29
    commit 1651333b (Deleted)

    blog post at: http://speirofr.appspot.com/cve-2014-1739-kernel-infoleak-vulnerability-in-media_enum_entities.html

 drivers/media/media-device.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 000428a7bbab546333e4c42222846c91e3be0a22
Merge: b8f4923 6fed70a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 30 19:00:04 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 6fed70ad4afb6a9b3f8b45b375da62c0ec554410
Merge: 76178e3 f453538
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 30 18:59:36 2014 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        arch/x86/kernel/ldt.c

commit b8f492389e6c99083e043ace700dfeed56879043
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 29 20:23:46 2014 -0400

    update gitignore

 tools/gcc/.gitignore | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 21f5c3f135f6387d594f583853919d32455b9f3c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 29 20:20:28 2014 -0400

    update size_overflow hash table

 tools/gcc/size_overflow_hash.data | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 16c404220e8f5c1970cdbb94a1ec8501bb837ce7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 29 18:55:26 2014 -0400

    Include backported virtio SCSI driver from Debian, thanks to Ben Hutchings

 drivers/scsi/Kconfig | 8 +
 drivers/scsi/Makefile | 1 +
 drivers/scsi/virtio_scsi.c | 838 ++++++++++++++++++++++++++++++++++++++++++
 drivers/virtio/virtio.c | 5 +-
 drivers/virtio/virtio_ring.c | 60 +++-
 include/linux/virtio.h | 5 +
 include/linux/virtio_ids.h | 1 +
 include/linux/virtio_scsi.h | 125 +++++++
 8 files changed, 1035 insertions(+), 8 deletions(-)

commit 2be3acc4be4e2f1aa47d1d73104cc29668b022ba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 24 00:02:59 2014 -0400

    Update size_overflow hash table

 tools/gcc/size_overflow_hash.data | 777 ++++++++++++++++++++++++++++++++++---
 1 files changed, 726 insertions(+), 51 deletions(-)

commit 0191ef479be656defb1a7c54e36dea0a7745edff
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Tue Apr 22 13:49:40 2014 -0700

    Upstream commit: 1b17844b29ae042576bea588164f2f1e9590a8bc

    mm: make fixup_user_fault() check the vma access rights too

    fixup_user_fault() is used by the futex code when the direct user access fails, and the futex code wants it to either map in the page in a usable form or return an error.

    It relied on handle_mm_fault() to map the page, and correctly checked the error return from that, but while that does map the page, it doesn't actually guarantee that the page will be mapped with sufficient permissions to be then accessed.

    So do the appropriate tests of the vma access rights by hand.

    [ Side note: arguably handle_mm_fault() could just do that itself, but we have traditionally done it in the caller, because some callers - notably get_user_pages() - have been able to access pages even when they are mapped with PROT_NONE. Maybe we should re-visit that design decision, but in the meantime this is the minimal patch. ]

    Found by Dave Jones running his trinity tool.
    Reported-by: Dave Jones <davej@redhat.com>
    Acked-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/memory.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit f2d509f7f0c1ef9b59e2ff990225a5afe58118cc
Merge: 2013ce2 76178e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 23 19:11:10 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        tools/gcc/size_overflow_hash.data

commit 76178e36bfd7964195812cc79c8f49bbacb248cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 23 19:09:00 2014 -0400

    Update to pax-linux-3.2.57-test150.patch:
    - changed the colorize plugin to be similar to -fdiagnostics-color in gcc 4.9
      - http://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Language-Independent-Options.html
      - by default colorization is off
      - if GCC_COLORS exists in the environment then stderr will be colored if it's a terminal
      - -fplugin-arg-colorize_plugin-color= takes the same arguments as -fdiagnostics-color=
      - e.g., the old behaviour is equivalent to EXTRA_CFLAGS=-fplugin-arg-colorize_plugin-color=always
      - the value of GCC_COLORS isn't parsed yet, the existing colors (red/yellow/blue) are used instead
    - fixed all warnings on the gcc plugins reported by clang
    - Emese regenerated the size overflow hash table from scratch

 Makefile | 2 +-
 arch/x86/kernel/traps.c | 4 +-
 tools/gcc/colorize_plugin.c | 77 +-
 tools/gcc/constify_plugin.c | 13 +-
 tools/gcc/kallocstat_plugin.c | 9 +-
 tools/gcc/kernexec_plugin.c | 27 +-
 tools/gcc/latent_entropy_plugin.c | 13 +-
 tools/gcc/size_overflow_hash.data | 2347 ++++++------------------------------
 tools/gcc/size_overflow_plugin.c | 27 +-
 tools/gcc/stackleak_plugin.c | 18 +-
 tools/gcc/structleak_plugin.c | 9 +-
 11 files changed, 519 insertions(+), 2027 deletions(-)

commit 2013ce2b93ee8217b2e2133d1a5ef60034ebda47
Merge: e0ce59a 3187a79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 18 21:09:07 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 3187a798b98447aba2a4b3eacbd8b459c05c4a54
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 18 21:08:32 2014 -0400

    Update to pax-linux-3.2.57-test149.patch:
    - temporarily reverted the previous fix of the overflow plugin as it triggers more problems than it solves

 tools/gcc/size_overflow_hash.data | 1 -
 tools/gcc/size_overflow_plugin.c | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

commit e0ce59a56f1e59eaab4f2aec82461a442e1d740d
Merge: f669ea3 0980044
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 17 18:56:30 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 0980044f49cfc2eeb3cc4ef226ec228a4c0bf5e7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 17 18:56:10 2014 -0400

    fix compilation

 tools/gcc/size_overflow_hash_aux.data | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit f669ea3f27b8efa83d91315b79508f6b1c1151b4
Merge: b3ca5e6 4dc7a2c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 17 17:57:25 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 4dc7a2cafe7bc6c0cc025c2bfa0990c051c345aa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 17 17:56:59 2014 -0400

    Update to pax-linux-3.2.57-test148.patch:
    - Emese fixed a size overflow false positive due to intentional overflow, reported by 7LL (https://forums.grsecurity.net/viewtopic.php?f=3&t=3940)

 tools/gcc/size_overflow_hash_aux.data | 9 +++++
 tools/gcc/size_overflow_plugin.c | 58 ++++++++++++++++++++++++++++++++-
 2 files changed, 66 insertions(+), 1 deletions(-)

commit b3ca5e6b6f1919adebd5f0f224973d00e207a8a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 17 17:12:50 2014 -0400

    fix an off-by-one triggerable on 32bit kernels with PAX_USERCOPY on specific shmemfs reads that end up copying from empty_zero_page, which on 32bit x86 has the same address as _etext.
Fix up some other harmless instances of this error as well Thanks to 'jy' from IRC for reporting this arch/x86/mm/init_32.c | 6 +++--- fs/exec.c | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) commit 1c930d360ce624a56b857812faa6d577209fdc9c Author: Brad Spengler <spender@grsecurity.net> Date: Sun Apr 13 12:47:57 2014 -0400 From: Mathias Krause <minipli@googlemail.com> [PATCH net] filter: prevent nla extensions to peek beyond the end of the message The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check for a minimal message length before testing the supplied offset to be within the bounds of the message. This allows the subtraction of the nla header to underflow and therefore -- as the data type is unsigned -- allowing far to big offset and length values for the search of the netlink attribute. The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is also wrong. It has the minuend und subtrahend mixed up, therefore calculates a huge length value, allowing to overrun the end of the message while looking for the netlink attribute. The following three BPF snippets will trigger the bugs when attached to a UNIX datagram socket and parsing a message with length 1, 2 or 3. ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]-- | ld #0x87654321 | ldx #42 | ld #nla | ret a `--- ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]-- | ld #0x87654321 | ldx #42 | ld #nlan | ret a `--- ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]-- | ; (needs a fake netlink header at offset 0) | ld #0 | ldx #42 | ld #nlan | ret a `--- Fix the first issue by ensuring the message length fulfills the minimal size constrains of a nla header. Fix the second bug by getting the math for the remainder calculation right. 
    Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction")
    Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..")
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/core/filter.c | 10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit 3970fc037238549eb27d4e9b85ce987c6980c54c
Author: Andrey Vagin <avagin@openvz.org>
Date:   Fri Mar 28 13:54:32 2014 +0400

    Upstream commit: 223b02d923ecd7c84cf9780bb3686f455d279279

    netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len

    "len" contains sizeof(nf_ct_ext) and size of extensions. In a worst case it can contain all extensions. Below you can find sizes for all types of extensions. Their sum is definitely bigger than 256.

    nf_ct_ext_types[0]->len = 24
    nf_ct_ext_types[1]->len = 32
    nf_ct_ext_types[2]->len = 24
    nf_ct_ext_types[3]->len = 32
    nf_ct_ext_types[4]->len = 152
    nf_ct_ext_types[5]->len = 2
    nf_ct_ext_types[6]->len = 16
    nf_ct_ext_types[7]->len = 8

    I have seen "len" up to 280 and my host crashes w/o this patch.

    The right way to fix this problem is reducing the size of the ecache extension (4) and Florian is going to do this, but these changes will be quite large to be appropriate for a stable tree.

    Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable)
    Cc: Pablo Neira Ayuso <pablo@netfilter.org>
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Cc: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Andrey Vagin <avagin@openvz.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 include/net/netfilter/nf_conntrack_extend.h | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 90cdd94d118ebd1be0383b0e56cb7467f6dc99c8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 11 17:19:35 2014 -0400

    Upstream commit: 7563487cbf865284dcd35e9ef5a95380da046737

    isdnloop: several buffer overflows

    There are three buffer overflows addressed in this patch.

    1) In isdnloop_fake_err() we add an 'E' to a 60 character string and then copy it into a 60 character buffer. I have made the destination buffer 64 characters and I changed the sprintf() to a snprintf().

    2) In isdnloop_parse_cmd(), p points 6 characters into a 60 character buffer so we have 54 characters. The ->eazlist[] is 11 characters long. I have modified the code to return if the source buffer is too long.

    3) In isdnloop_command() the cbuf[] array was 60 characters long but the max length of the string then can be up to 79 characters. I made the cbuf array 80 characters long and changed the sprintf() to snprintf(). I also removed the temporary "dial" buffer and changed it to use "p" directly.

    Unfortunately, we pass the "cbuf" string from isdnloop_command() to isdnloop_writecmd() which truncates anything over 60 characters to make it fit in card->omsg[]. (It can accept values up to 255 characters so long as there is a '\n' character every 60 characters). For now I have just fixed the memory corruption bug and left the other problems in this driver alone.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/isdnloop/isdnloop.c | 17 +++++++++--------
 1 files changed, 9 insertions(+), 8 deletions(-)

commit acd45ebd8972ce66191c2005f59c25da91b439fc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 11 16:57:17 2014 -0400

    Apply: https://lkml.org/lkml/2014/4/10/736
    PAX_REFCOUNT makes this unexploitable, turning it into a harmless memleak

    Conflicts:
        net/ipv4/ping.c

 net/ipv4/ping.c | 11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit 46314ee3485b6d11360e51b1a89fc8cdcc45da9c
Author: H. Peter Anvin <hpa@linux.intel.com>
Date:   Sun Mar 16 15:31:54 2014 -0700

    Upstream commit: b3b42ac2cbae1f3cecbb6229964a4d48af31d382

    x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels

    The IRET instruction, when returning to a 16-bit segment, only restores the bottom 16 bits of the user space stack pointer. We have a software workaround for that ("espfix") for the 32-bit kernel, but it relies on a nonzero stack segment base which is not available in 32-bit mode.

    Since 16-bit support is somewhat crippled anyway on a 64-bit kernel (no V86 mode), and most (if not quite all) 64-bit processors support virtualization for the users who really need it, simply reject attempts at creating a 16-bit segment when running on top of a 64-bit kernel.

    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Link: http://lkml.kernel.org/n/tip-kicdm89kzw9lldryb1br9od0@git.kernel.org
    Cc: <stable@vger.kernel.org>

    Conflicts:
        arch/x86/kernel/ldt.c

 arch/x86/kernel/ldt.c | 11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

commit 96e52f165fa1db9241275603db6bfa12f1409caf
Merge: c325dfd 986375e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 9 17:16:27 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 986375eaf9ddfb549dee39703b5a7afd6f4fe733
Merge: d46def7 a2601fc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 9 17:15:51 2014 -0400

    Update to pax-linux-3.2.57-test147.patch

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        scripts/package/builddeb

commit c325dfd10e11e8f3d12fa7ead45b5ffaa7fba4b6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 7 18:41:45 2014 -0400

    Update GRKERNSEC_IO documentation

 grsecurity/Kconfig | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 936f7cbd75a811dc46bee8b6edde793398c1a090
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 18:59:00 2014 -0400

    add compiler.h to path.h

 include/linux/path.h | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 01256430ba03319966146dcd8eea67521770ec5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 18:38:42 2014 -0400

    fix tomoyo compilation

 security/tomoyo/tomoyo.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4468372984e9faa4f3ccda3f6190a5b8341368ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 17:58:39 2014 -0400

    fix tomoyo compilation with RANDSTRUCT

 security/tomoyo/tomoyo.c | 22 +++++++++++-----------
 1 files changed, 11 insertions(+), 11 deletions(-)

commit 9380e23fd600b64d5d1fb6920b4cf29c197075c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 17:50:38 2014 -0400

    fix tomoyo compilation with RANDSTRUCT

 security/tomoyo/file.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit d711e2f0ef5392b6a555411d92fd662d0f0647d9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 17:43:47 2014 -0400

    Fix tomoyo compilation with RANDSTRUCT

 security/tomoyo/file.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit d4886c92a23273e0362c0660a987745410460d55
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 17:23:09 2014 -0400

    fix apparmor compilation with RANDSTRUCT

 security/apparmor/file.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit dbfdaec0a04221391d22ad10651d2a31bfe38c0c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 17:11:40 2014 -0400

    fix apparmor compilation with RANDSTRUCT

 security/apparmor/lsm.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 3b6b32eafd2f773f971c777174328b98198d6ca2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 16:58:35 2014 -0400

    add __randomize_layout to more important structures

 include/linux/binfmts.h | 4 ++--
 include/linux/filter.h | 2 +-
 include/linux/path.h | 2 +-
 include/linux/security.h | 2 +-
 include/linux/tty_driver.h | 2 +-
 include/net/af_unix.h | 2 +-
 include/net/sock.h | 4 ++--
 7 files changed, 9 insertions(+), 9 deletions(-)

commit d563f80fb8783c3fb4d571dd9e72f35497ac3db1
Merge: 63680ac d46def7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 09:30:06 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        arch/x86/boot/compressed/misc.c
        tools/gcc/Makefile

commit d46def7c02984f06b0a9479b186569763afd4613
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 09:26:52 2014 -0400

    Update to pax-linux-3.2.56-test147.patch:
    - actually applied the changes meant for test146 :P
    - updated the hash database for external modules, by Emese
    - fixed regression in gcc plugin compilation when compiling with ccache, reported by ncopa
    - proper fix for 309944be296efbb3ca4737d12ef49d2ba97cbecc upstream
    - fixed plugin compilation under gcc 4.5, reported by Emese Revfy
    - Emese added support for out-of-tree modules for the size overflow plugin, fixes https://bugs.gentoo.org/show_bug.cgi?id=505594

 arch/x86/boot/compressed/misc.c | 7 ++-
 scripts/gcc-plugin.sh | 4 +-
 tools/gcc/Makefile | 12 +++-
 tools/gcc/gcc-common.h | 1 +
 tools/gcc/generate_size_overflow_hash.sh | 5 ++-
 tools/gcc/size_overflow_hash.data | 1 +
 tools/gcc/size_overflow_hash_aux.data | 83 ++++++++++++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c | 25 ++++++---
 8 files changed, 122 insertions(+), 16 deletions(-)

commit 63680ac0edd9a72295df07b792096d4f84570e78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 08:34:08 2014 -0400

    This reverts commit 31dee23268ac47eaaafacb186229bc14fb84fa9b.

 net/socket.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit d20a625ed406f6bb5c9be627993798b0e259284d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 3 16:42:54 2014 -0400

    change clearing char to 0xff

 arch/x86/boot/compressed/misc.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9f64dbb310f8d4e1f893b0d85e3d50c077cfdb86
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 3 16:33:52 2014 -0400

    Zero out the difference between file size and mapped size for kernel elf sections mapped by the loader -- proper fix by pipacs for:
    http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=309944be296efbb3ca4737d12ef49d2ba97cbecc

 arch/x86/boot/compressed/misc.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 3f69f5d8d98b1641e897c09b88bd86f07843ba0d
Author: Pablo Neira <pablo@netfilter.org>
Date:   Tue Apr 1 19:38:44 2014 +0200

    Upstream commit: 8b7b932434f5eee495b91a2804f5b64ebb2bc835

    netlink: don't compare the nul-termination in nla_strcmp

    nla_strcmp compares the string length plus one, so it's implicitly including the nul-termination in the comparison.

    int nla_strcmp(const struct nlattr *nla, const char *str)
    {
            int len = strlen(str) + 1;
            ...
                    d = memcmp(nla_data(nla), str, len);

    However, if NLA_STRING is used, userspace can send us a string without the nul-termination. This is a problem since the string comparison will not match as the last byte may be not the nul-termination.

    Fix this by skipping the comparison of the nul-termination if the attribute data is nul-terminated. Suggested by Thomas Graf.

    Cc: Florian Westphal <fw@strlen.de>
    Cc: Thomas Graf <tgraf@suug.ch>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 lib/nlattr.c | 10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 06d25eda5d0c46184e9454900a2b6fd3fde8e5a3
Author: YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@linux-ipv6.org>
Date:   Wed Apr 2 12:48:42 2014 +0900

    Upstream commit: 77bc6bed7121936bb2e019a8c336075f4c8eef62

    isdnloop: Validate NUL-terminated strings from user.

    Return -EINVAL unless all of user-given strings are correctly NUL-terminated.

    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/isdnloop/isdnloop.c | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 0857ee882e7f5b2218917237e8d05d9ea52232c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 3 11:34:13 2014 -0400

    revert last change

    Conflicts:
        net/core/filter.c

 net/core/filter.c | 5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

commit b8c5f11b66edabec0d652bf0a8c79ed8fbee71e4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 3 11:01:13 2014 -0400

    add additional checking, convert WARN to a BUG since we should be able to filter out any invalid ops at filter install time -- finding them during runtime is a sign of memory corruption

 net/core/filter.c | 8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit c57bdff374931d151bdc31758b21a7355d9889c9
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Fri Dec 28 10:50:17 2012 +0000

    net: filter: return -EINVAL if BPF_S_ANC* operation is not supported

    Currently, we return -EINVAL for malformed or wrong BPF filters. However, this is not done for BPF_S_ANC* operations, which makes it more difficult to detect if it's actually supported or not by the BPF machine. Therefore, we should also return -EINVAL if K is within the SKF_AD_OFF universe and the ancillary operation did not match.

    Why exactly is it needed? If tools such as libpcap/tcpdump want to make use of new ancillary operations (like filtering VLAN in kernel space), there is currently no sane way to test if this feature / BPF_S_ANC* op is present or not, since no error is returned. This patch will make life easier for that and allow for a proper usage for user space applications.

    There was concern, if this patch will break userland. Short answer: Yes and no. Long answer: It will "break" only for code that calls ...

      { BPF_LD | BPF_(W|H|B) | BPF_ABS, 0, 0, <K> },

    ... where <K> is in [0xfffff000, 0xffffffff] _and_ <K> is *not* an ancillary.
    And here comes the BUT: assuming some *old* code will have such an instruction where <K> is between [0xfffff000, 0xffffffff] and it doesn't know ancillary operations, then this will give a non-expected / unwanted behavior as well (since we do not return the BPF machine with 0 after a failed load_pointer(), which was the case before introducing ancillary operations, but load sth. into the accumulator instead, and continue with the next instruction, for instance). Thus, user space code would already have been broken by introducing ancillary operations into the BPF machine per se. Code that does such a direct load, e.g. "load word at packet offset 0xffffffff into accumulator" ("ld [0xffffffff]") is quite broken, isn't it? The whole assumption of ancillary operations is that no-one intentionally calls things like "ld [0xffffffff]" and expect this word to be loaded from such a packet offset. Hence, we can also safely make use of this feature testing patch and facilitate application development.

    Therefore, at least from this patch onwards, we have *for sure* a check whether current or in future implemented BPF_S_ANC* ops are supported in the kernel. Patch was tested on x86_64.

    (Thanks to Eric for the previous review.)

    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Reported-by: Ani Sinha <ani@aristanetworks.com>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/filter.c | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 624e48d1690d1445df3e5d9f45fd65bd8db10d03
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 3 10:38:55 2014 -0400

    harden non-JIT socket filters against memory corruption occurring after check time

 net/core/filter.c | 12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

commit 00dd52f2bd219d4769ce3570b9ad7936a953e175
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 3 07:39:34 2014 -0400

    Update documentation on chroot to notify users that chrooting to a bind mount of the root filesystem provides no security benefits and will not trigger the chroot protections.

 grsecurity/Kconfig | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 07ed3feb4141ee0441d60b31d4771f6e7f651a55
Merge: 0630786 0f43a2c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 1 21:16:34 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        fs/btrfs/ioctl.c

commit 0f43a2cc05a01f468913b2927a46ae970b5decd9
Merge: fac950d e08e945
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 1 21:12:09 2014 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        include/linux/compiler-gcc4.h

commit 0630786e5f4978b96aa483dfd6b02d691b61efe7
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Fri Mar 28 17:38:42 2014 +0100

    Upstream commit: 05efa8c943b1d5d90fa8c8147571837573338bb6

    random32: avoid attempt to late reseed if in the middle of seeding

    Commit 4af712e8df ("random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized") has added a late reseed stage that happens as soon as the nonblocking pool is marked as initialized.

    This fails in the case that the nonblocking pool gets initialized during __prandom_reseed()'s call to get_random_bytes(). In that case we'd double back into __prandom_reseed() in an attempt to do a late reseed - deadlocking on 'lock' early on in the boot process.
    Instead, just avoid even waiting to do a reseed if a reseed is already occurring.

    Fixes: 4af712e8df99 ("random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized")
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 lib/random32.c | 13 ++++++++++++-
 1 files changed, 12 insertions(+), 1 deletions(-)

commit 132e47979cd891bea6e19e829dd32fbb2c2f17d5
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Thu Mar 27 12:00:26 2014 +0200

    Upstream commit: d8316f3991d207fe32881a9ac20241be8fa2bad0

    vhost: fix total length when packets are too short

    When mergeable buffers are disabled, and the incoming packet is too large for the rx buffer, get_rx_bufs returns success.

    This was intentional in order for make recvmsg truncate the packet and then handle_rx would detect err != sock_len and drop it.

    Unfortunately we pass the original sock_len to recvmsg - which means we use parts of iov not fully validated.

    Fix this up by detecting this overrun and doing packet drop immediately.

    CVE-2014-0077

    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/vhost/net.c | 14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit bee2386b7a0e6c383f64a907e389afb818086a49
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 30 21:25:24 2014 -0400

    Backport upstream fix for 21f8aaee0c62708654988ce092838aa7df4d25d8

 drivers/net/wireless/ath/ath9k/xmit.c | 8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

commit dc28ecec3de1fa56f56c841339fc8bc3785d03bd
Merge: 7ea86bf fac950d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 30 13:24:00 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit fac950dfb075c6a5bfc8c62ba04ceff2f0a7cd4b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 30 13:22:54 2014 -0400

    Update to pax-linux-3.2.55-test145.patch:
    - fixed a regression in gcc-plugin.sh that could make cross-compilation fail, reported by Aniem
    - hardened the hyper-v hypercall page access rights (rwx -> r-x), reported and tested by Hunger
    - fixed a regression in the previous latent entropy plugin change, reported by spender

 drivers/hv/hv.c | 2 +-
 scripts/gcc-plugin.sh | 4 ++--
 tools/gcc/latent_entropy_plugin.c | 6 +++++-
 3 files changed, 8 insertions(+), 4 deletions(-)

commit 7ea86bf9cb6158a59aa8996bd804a89051b4c840
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 30 08:43:49 2014 -0400

    This fix is inappropriate for 3.2 without additional backports, as register_filesystem performed a needed list initialization which was eliminated in 3.13 with some other fixups. Without the initialization, the kernel will crash on mounting this filesystem in list_add(&s->s_instances, &type->fs_supers); in sget() from mount_pseudo(). Thanks to forum user androsyn for the report!

    Revert "Upstream commit: d6f2589ad561aa5fa39f347eca6942668b7560a1"

    This reverts commit 07944030e3c21211bb0c663084340c7929d0a90c.
 fs/anon_inodes.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 3ab717680394fa4e16d1c97bec37c7c3b7ff8cb5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 30 08:43:23 2014 -0400

    Revert "remove the unregister_filesystem as well"

    This reverts commit 5a4843494d3fc45c4c346c72fe96faf3c65f76b6.

 fs/anon_inodes.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 5a4843494d3fc45c4c346c72fe96faf3c65f76b6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 28 18:17:59 2014 -0400

    remove the unregister_filesystem as well

 fs/anon_inodes.c | 4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 4c4a12f4f8b9ca9a98ae07f6fef8a78e2b03d06c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 27 21:54:11 2014 -0400

    ignore noreturn functions for now in the latent_entropy plugin

 tools/gcc/latent_entropy_plugin.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 14247221534cfd15a959eb854a3b5c3fc3d7c084
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 27 21:27:56 2014 -0400

    update config help for GRKERNSEC_KMEM to reflect recent change to only deny writes to /dev/cpu/*/msr instead of denying access entirely, allows powertop etc to continue to work while denying/logging the malicious activity

 grsecurity/Kconfig | 12 +++++-------
 1 files changed, 5 insertions(+), 7 deletions(-)

commit e6ed884cf964d4a49223ead5b574de68500e5ba0
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Mar 25 18:42:27 2014 -0700

    Upstream commit: de1443916791d75fdd26becb116898277bb0273f

    net: unix: non blocking recvmsg() should not return -EINTR

    Some applications didn't expect recvmsg() on a non blocking socket could return -EINTR. This possibility was added as a side effect of commit b3ca9b02b00704 ("net: fix multithreaded signal handling in unix recv routines").

    To hit this bug, you need to be a bit unlucky, as the u->readlock mutex is usually held for very small periods.
    Fixes: b3ca9b02b00704 ("net: fix multithreaded signal handling in unix recv routines")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c | 17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

commit 07944030e3c21211bb0c663084340c7929d0a90c
Author: Jan Kara <jack@suse.cz>
Date:   Tue Mar 25 21:37:09 2014 +0100

    Upstream commit: d6f2589ad561aa5fa39f347eca6942668b7560a1

    fs: Avoid userspace mounting anon_inodefs filesystem

    anon_inodefs filesystem is a kernel internal filesystem userspace shouldn't mess with. Remove registration of it so userspace cannot even try to mount it (which would fail anyway because the filesystem is MS_NOUSER).

    This fixes an oops triggered by trinity when it tried mounting anon_inodefs which overwrote anon_inode_inode pointer while other CPU has been in anon_inode_getfile() between ihold() and d_instantiate(). Thus effectively creating dentry pointing to an inode without holding a reference to it.
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/anon_inodes.c | 3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

commit 7e85ceede0437c0834dfff8393e8d528937462a1
Merge: f9f77b1 348f1cc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 27 20:11:47 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        fs/hugetlbfs/inode.c

commit 348f1cc2d45d23d1a1e2fa7221f395b87caf3059
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 27 20:10:11 2014 -0400

    Update to pax-linux-3.2.55-test143.patch:
    - fixed the gcc plugin capability detector script for gcc 4.9
    - fixed the latent entropy plugin to use the intended successor blocks instead of what happens to be next in the block list
    - changed the initial task's and the idle tasks' starting stack address to be consistent with the other stacks (top 2 slots are unused)
    - removed the pointless retaddr instrumentation from the low level kernel relocator code (already included in grsec:)
    - compile fixes for various archs, by spender
    - backported 3fa10cc83fb92750af11fab81e11ad96dc75d656 that upstream 'forgot' about as usual, it's a user triggerable DoS (without a CVE) that got caught by Emese's new fuzzer as well

 Makefile | 2 +-
 arch/arm/include/asm/uaccess.h | 1 +
 arch/ia64/include/asm/uaccess.h | 1 +
 arch/mips/cavium-octeon/dma-octeon.c | 2 +-
 arch/mips/include/asm/local.h | 14 ++++++++++++++
 arch/mips/include/asm/pgtable.h | 3 +++
 arch/mips/include/asm/uaccess.h | 1 +
 arch/powerpc/include/asm/local.h | 15 +++++++++++++++
 arch/powerpc/include/asm/uaccess.h | 1 +
 arch/powerpc/kvm/powerpc.c | 2 +-
 arch/powerpc/mm/numa.c | 2 +-
 arch/powerpc/platforms/pseries/eeh_event.c | 2 +-
 arch/s390/include/asm/uaccess.h | 1 +
 arch/sparc/include/asm/pgtable.h | 4 ++++
 arch/x86/include/asm/uaccess.h | 2 +-
 arch/x86/include/asm/uaccess_64.h | 12 ++++++------
 arch/x86/kernel/head_64.S | 2 +-
 arch/x86/kernel/relocate_kernel_64.S | 2 --
 arch/x86/kernel/smpboot.c | 2 +-
 arch/x86/mm/gup.c | 4 ++--
 drivers/tty/n_tty.c | 9 +++++----
 fs/hugetlbfs/inode.c | 3 +--
 scripts/gcc-plugin.sh | 17 ++++++++---------
 tools/gcc/latent_entropy_plugin.c | 10 ++++++----
 virt/kvm/kvm_main.c | 2 +-
 25 files changed, 78 insertions(+), 38 deletions(-)

commit f9f77b161478fa4ba8ce6f3d64eea4b0d333dad6
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Mar 19 21:02:21 2014 -0700

    Upstream commit: 632623153196bf183a69686ed9c07eee98ff1bf8

    tcp: syncookies: do not use getnstimeofday()

    While it is true that getnstimeofday() uses about 40 cycles if TSC is available, it can use 1600 cycles if hpet is the clocksource.

    Switch to get_jiffies_64(), as this is more than enough, and go back to 60 seconds periods.

    Fixes: 8c27bd75f04f ("tcp: syncookies: reduce cookie lifetime to 128 seconds")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Florian Westphal <fw@strlen.de>
    Acked-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/tcp.h | 11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

commit 1eab38a527e74fcf503b534ad0680eb84f6172da
Author: Dave Kleikamp <dave.kleikamp@oracle.com>
Date:   Fri Mar 14 10:42:01 2014 -0500

    Upstream commit: 1535bd8adbdedd60a0ee62e28fd5225d66434371

    sparc64: don't treat 64-bit syscall return codes as 32-bit

    When checking a system call return code for an error, linux_sparc_syscall was sign-extending the lower 32-bit value and comparing it to -ERESTART_RESTARTBLOCK. lseek can return valid return codes whose lower 32-bits alone would indicate a failure (such as 4G-1). Use the whole 64-bit value to check for errors. Only the 32-bit path should sign extend the lower 32-bit value.

    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Acked-by: Bob Picco <bob.picco@oracle.com>
    Acked-by: Allen Pais <allen.pais@oracle.com>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: sparclinux@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/kernel/syscalls.S | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 2bb7f15b77583841e2474dcd2a5488624c63109e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 22:53:31 2014 -0400

    add local_unchecked_t accessors to fix ppc64 compilation

 arch/powerpc/include/asm/local.h | 15 +++++++++++++++
 1 files changed, 15 insertions(+), 0 deletions(-)

commit 3ac2b53a0ac70c9912c4ea451e8314c5e66fd8ee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 22:34:36 2014 -0400

    Backport addition of access_ok_noprefault() to fix ppc64+kvm compilation

 arch/arm/include/asm/uaccess.h | 1 +
 arch/ia64/include/asm/uaccess.h | 1 +
 arch/mips/include/asm/uaccess.h | 1 +
 arch/powerpc/include/asm/uaccess.h | 1 +
 arch/s390/include/asm/uaccess.h | 1 +
 arch/x86/include/asm/uaccess.h | 2 +-
 arch/x86/include/asm/uaccess_64.h | 12 ++++++------
 arch/x86/mm/gup.c | 4 ++--
 virt/kvm/kvm_main.c | 2 +-
 9 files changed, 15 insertions(+), 10 deletions(-)

commit c247bdf26ed9eaa4f15802d77501f7649ded746b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 21:53:32 2014 -0400

    correct function definition for kvm_arch_init() to fix compilation on ppc64

    Conflicts:
        arch/powerpc/kvm/powerpc.c

 arch/powerpc/kvm/powerpc.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9363de8ee4955fda333ae0c1fc44f8bc2dd15ee5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 21:47:35 2014 -0400

    fix ppc64 allyesconfig compilation with RANDSTRUCT

 arch/powerpc/platforms/cell/celleb_scc_pciex.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 85bd970b782af453919deddf34abbacdcf432677
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 21:36:39 2014 -0400

    use $(LATENT_ENTROPY_PLUGIN_CFLAGS)

 arch/powerpc/kernel/Makefile | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7d2471aa1d26823a3c771e29a74b8cf7217072b9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 21:24:01 2014 -0400

    move REMOVE_CFLAGS

 arch/powerpc/kernel/Makefile | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit feb2f7c4c43e22cae4bed82f1fa30a39890eaa4f
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Thu Apr 26 20:13:00 2012 +0200

    Upstream commit: 3fa10cc83fb92750af11fab81e11ad96dc75d656

    TTY: n_tty, do not dereference user buffer

    copy_from_read_buf currently copies data to a user buffer and then checks if the data is single EOF. But it checks it by accessing the user buffer. First, the buffer may be changed by other threads of the user program already. Second, it accesses the buffer without any checks. It might be write-only for example.

    Fix this by inspecting contents of the tty (kernel) buffer instead.

    Note that "n == 1" is necessary, but not sufficient. But we check later that there is nothing left by "!tty->read_cnt" condition.

    There is still an issue with the current code that EOF being wrapped to the start of the circular buffer will result in an inappropriate losing of the EOF character. But this is not intended to be fixed by this patch.
Signed-off-by: Jiri Slaby <jslaby@suse.cz> Reported-by: Emil Goode <emilgoode@gmail.com> Cc: Howard Chu <hyc@symas.com> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> drivers/tty/n_tty.c | 9 +++++---- 1 files changed, 5 insertions(+), 4 deletions(-) commit ed00c53dd1d944beb8e4ddc16995b8aa347d1d49 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Mar 20 20:45:17 2014 -0400 use correct args to set_task_comm() arch/powerpc/platforms/pseries/eeh_event.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ecbb706d65834b62e31749432ab95863a0d62ed1 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Mar 20 20:41:08 2014 -0400 another ppc64 fix for upstream compile failure arch/powerpc/mm/numa.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 948f3c653b20e1e955c648eb7ab0dbee2a98ec79 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Mar 20 20:37:24 2014 -0400 eliminate use of daemonize in eeh_event.c: http://linuxppc.10917.n7.nabble.com/patch-1-2-powerpc-eeh-remove-eeh-event-handler-gt-daemonize-td9403.html Patch from Oleg Nesterov arch/powerpc/platforms/pseries/eeh_event.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a56c2c4a9b7884b2bfdc169081095d24850e7b6b Author: Brad Spengler <spender@grsecurity.net> Date: Thu Mar 20 20:33:21 2014 -0400 export LATENT_ENTROPY_PLUGIN_CFLAGS so we can remove it from prom_init.c on ppc64 Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit def660628f288d9328a8b32893ad707c76c63e4a Author: Brad Spengler <spender@grsecurity.net> Date: Thu Mar 20 20:30:35 2014 -0400 fix compilation by removing the latent entropy plugin from prom_init.c -- there's a script for ppc64 that checks the object file for a whitelisted set of exported symbols, code is very fragile arch/powerpc/kernel/Makefile | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit fcab911b30166093d24e64cad30b54adb871afeb Author: Brad Spengler 
<spender@grsecurity.net> Date: Wed Mar 19 21:53:12 2014 -0400 add ktla_ktva/ktva_ktla to sparc to fix compilation arch/sparc/include/asm/pgtable.h | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit a4cc0b1f96cd70448c08c00398a470072dc22c24 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Mar 19 21:01:40 2014 -0400 add ktla_ktva/ktva_ktla macros to MIPS arch/mips/include/asm/pgtable.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 600c2114235c825e36e9b85714e8be3d8bd24539 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Mar 19 20:42:35 2014 -0400 include linux/prefetch.h to fix mips64 compilation grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit cd45e08e934be6363832ca553719a367b94f5736 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Mar 19 19:48:31 2014 -0400 convert back to check_heap_stack_gap in hugetlbfs code fs/hugetlbfs/inode.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit 61875786196a3d6275e41b5d78ca7b1a6d09b62e Author: Brad Spengler <spender@grsecurity.net> Date: Wed Mar 19 19:42:20 2014 -0400 fix more mips compilation failures/warnings arch/mips/cavium-octeon/dma-octeon.c | 2 +- fs/hugetlbfs/inode.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) commit 1218f040385d88ee78fe77471d1e579c32b2d3df Author: Brad Spengler <spender@grsecurity.net> Date: Wed Mar 19 19:29:56 2014 -0400 fix mips64 octeon compilation due to missing local_*_unchecked() functions arch/mips/include/asm/local.h | 14 ++++++++++++++ 1 files changed, 14 insertions(+), 0 deletions(-) commit c82fbb8b487f786afad13d1837affd4eeca855de Merge: 4d7b6e5 5bdb728 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Mar 17 19:55:41 2014 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit 5bdb728f63eb2e8308b0a77d235ddfd06e93456b Author: Brad Spengler <spender@grsecurity.net> Date: Mon Mar 17 19:55:02 2014 -0400 Update to pax-linux-3.2.55-test141.patch: - fixed several compilation 
problems on arm all*configs, by spender - small update to gcc-common.h - Emese fixed a compile time infinite loop in the size overflow plugin (triggered by the upcoming 3.14 kernel only) arch/arm/include/asm/page.h | 1 + arch/arm/include/asm/pgtable.h | 3 + tools/gcc/gcc-common.h | 12 ++++ tools/gcc/size_overflow_plugin.c | 116 +++++++++++++++++++++++++++----------- 4 files changed, 99 insertions(+), 33 deletions(-) commit 4d7b6e5e786b011718fbcf853378bd990a2e7935 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Mar 17 19:12:04 2014 -0400 move the location of the include to suit pipacs' OCD arch/arm/include/asm/page.h | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit 9f9b68ce8dd5b1e8387a06067e032e893bbe162e Author: Brad Spengler <spender@grsecurity.net> Date: Mon Mar 17 18:00:13 2014 -0400 fix ARM compilation with constify plugin arch/arm/include/asm/page.h | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 772976a300403f5ef01758469ee25ccfd9f1e382 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Mar 17 17:14:12 2014 -0400 Remove use of dma_cache_sync to fix ARM allyesconfig compilation: See: http://www.spinics.net/lists/linux-scsi/msg36488.html drivers/scsi/advansys.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit b6729a8eeab2eb47d212af946dbdd2f3089e15ef Author: Arnd Bergmann <arnd@arndb.de> Date: Fri Sep 28 22:36:00 2012 +0100 Upstream commit: 65cb587d7058441c8c910e8766ee86538c7274d8 staging/iio/lis3l02dq: fix building without irq_to_gpio The driver has not been building for some time after the irq_to_gpio function has been removed from the kernel. The only board in the upstream kernel that provides this device is the "Stargate 2", which is also maintained by Jonathan Cameron. Rather than working around the problem by adding new platform data for this driver, this patch uses the of_gpio framework to get to the gpio number. 
However, the stargate2 code does not (yet) use DT based probing, so it is still broken, but at least building allyesconfig works again. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Cc: Lars-Peter Clausen <lars@metafoo.de> Cc: Jonathan Cameron <jic23@kernel.org> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Jonathan Cameron <jic23@kernel.org> Conflicts: drivers/staging/iio/accel/lis3l02dq_core.c drivers/staging/iio/accel/lis3l02dq.h | 1 + drivers/staging/iio/accel/lis3l02dq_core.c | 8 +++++--- drivers/staging/iio/accel/lis3l02dq_ring.c | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) commit f6e6bd54b67bf0aa6c7bc2de942b4a4657072f15 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Mar 17 15:05:15 2014 -0400 add ktla_ktva/ktva_ktla macros to ARM arch/arm/include/asm/pgtable.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit d0056efec1a24df487171cb7c949ca0a84d499fb Merge: 6e0e4a2 f369295 Author: Brad Spengler <spender@grsecurity.net> Date: Fri Mar 14 20:22:29 2014 -0400 Merge branch 'pax-stable2' into grsec-stable2 Conflicts: arch/mips/mm/mmap.c commit f36929517cb8dc68ac8ec01d4ded477be85d9413 Author: Brad Spengler <spender@grsecurity.net> Date: Fri Mar 14 20:19:29 2014 -0400 Update to pax-linux-3.2.55-test140.patch: - fixed a few compilation errors on MIPS, by Hinnerk van Bruinehsen <h.v.bruinehsen@fu-berlin.de> arch/mips/cavium-octeon/dma-octeon.c | 2 +- arch/mips/include/asm/hw_irq.h | 2 +- arch/mips/kernel/i8259.c | 2 +- arch/mips/kernel/irq-gt641xx.c | 2 +- arch/mips/kernel/reset.c | 4 ++++ arch/mips/mm/mmap.c | 8 ++++---- arch/mips/pci/pci-octeon.c | 4 ++-- arch/mips/pci/pcie-octeon.c | 8 ++++---- arch/mips/sni/rm200.c | 2 +- arch/mips/vr41xx/common/icu.c | 2 +- arch/mips/vr41xx/common/irq.c | 4 ++-- drivers/staging/octeon/ethernet-rx.c | 2 +- 12 files changed, 23 insertions(+), 19 deletions(-) commit 6e0e4a26033721ed98dc5fa0f5ae1a1c93610080 Author: Brad Spengler <spender@grsecurity.net> Date: Fri Mar 14 20:12:02 
2014 -0400 add /usr/share/apport/apport to the allowed userland exec paths -- because apparently some distros have no problem just throwing critical binaries around anywhere. kernel/kmod.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 0a6f9ab046be3c00d4ddbd0471432884e7f7327a Author: Brad Spengler <spender@grsecurity.net> Date: Wed Mar 12 22:54:32 2014 -0400 add support for PAX_EMUTRAMP by default in the autoconfig security/Kconfig | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 467ec4a97de57f5c2f2112c19eba759f89ae5667 Author: Matthew Leach <matthew.leach@arm.com> Date: Tue Mar 11 11:58:27 2014 +0000 Upstream commit: dbb490b96584d4e958533fb637f08b557f505657 net: socket: error on a negative msg_namelen When copying in a struct msghdr from the user, if the user has set the msg_namelen parameter to a negative value it gets clamped to a valid size due to a comparison between signed and unsigned values. Ensure the syscall errors when the user passes in a negative value. Signed-off-by: Matthew Leach <matthew.leach@arm.com> Signed-off-by: David S. Miller <davem@davemloft.net> net/socket.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 8f1e1f746120187e085ac3daa5dc6fda7ecf9d11 Author: Florian Westphal <fw@strlen.de> Date: Fri Sep 20 22:32:55 2013 +0200 Upstream commit: 8c27bd75f04fb9cb70c69c3cfe24f4e6d8e15906 tcp: syncookies: reduce cookie lifetime to 128 seconds We currently accept cookies that were created less than 4 minutes ago (ie, cookies with counter delta 0-3). Combined with the 8 mss table values, this yields 32 possible values (out of 2**32) that will be valid. Reducing the lifetime to < 2 minutes halves the guessing chance while still providing a large enough period. While at it, get rid of jiffies value -- they overflow too quickly on 32 bit platforms. getnstimeofday is used to create a counter that increments every 64s. 
perf shows getnstimeofday cost is negible compared to sha_transform; normal tcp initial sequence number generation uses getnstimeofday, too. Reported-by: Jakob Lell <jakob@jakoblell.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net> Conflicts: include/net/tcp.h include/net/tcp.h | 18 ++++++++++++++++++ net/ipv4/syncookies.c | 31 ++++++++++--------------------- net/ipv6/syncookies.c | 24 +++++++----------------- 3 files changed, 35 insertions(+), 38 deletions(-) commit ddb0025bc2ebf8210d8bb7ddde2c0276e867706c Author: Florian Westphal <fw@strlen.de> Date: Fri Sep 20 22:32:56 2013 +0200 Upstream commit: 086293542b991fb88a2e41ae7b4f82ac65a20e1a tcp: syncookies: reduce mss table to four values Halve mss table size to make blind cookie guessing more difficult. This is sad since the tables were already small, but there is little alternative except perhaps adding more precise mss information in the tcp timestamp. Timestamps are unfortunately not ubiquitous. Guessing all possible cookie values still has 8-in 2**32 chance. Reported-by: Jakob Lell <jakob@jakoblell.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net> net/ipv4/syncookies.c | 22 +++++++++++----------- net/ipv6/syncookies.c | 15 +++++++++------ 2 files changed, 20 insertions(+), 17 deletions(-) commit 3d3f10f578c0b06d1e5db054f77de4fa5e9bf6d3 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Mar 12 19:21:43 2014 -0400 Improve GRKERNSEC_JIT_HARDEN against a theoretical attack I dreamed up -- if an attacker had an arbitrary read vuln and ability to redirect control flow, he could, in ~2,000,000,000 attempts have a 50% chance of pre-selecting a 32bit random key which the attacker has XORed with his desired immediates to cause the constant blinding to produce a potentially useful instruction stream (which he could verify by abusing the infoleak). 
Instead of using one key per instruction stream, generate a new key for each instruction using prandom_u32(). The downside is some performance impact during JIT compilation, though this shouldn't be so common an event for anyone to notice. Conflicts: arch/x86/net/bpf_jit_comp.c arch/x86/net/bpf_jit_comp.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit b5e68c162e96b387b1b55e7af4cf8081c758e9be Author: Sabrina Dubroca <sd@queasysnail.net> Date: Thu Mar 6 17:51:57 2014 +0100 Upstream commit: c88507fbad8055297c1d1e21e599f46960cbee39 ipv6: don't set DST_NOCOUNT for remotely added routes DST_NOCOUNT should only be used if an authorized user adds routes locally. In case of routes which are added on behalf of router advertisments this flag must not get used as it allows an unlimited number of routes getting added remotely. Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net> Conflicts: net/ipv6/route.c net/ipv6/route.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c06bf0f41727850ef4d9e28e382307d4c057115f Author: Brad Spengler <spender@grsecurity.net> Date: Tue Mar 4 18:26:06 2014 -0500 sctp_sf_pdiscard() doesn't take a net namespace argument net/sctp/sm_statefuns.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c5e5c2b5abf12c5c787fa5307e7d58c5832fba8f Author: Brad Spengler <spender@grsecurity.net> Date: Tue Mar 4 18:22:12 2014 -0500 backport sctp DoS fix to an older kernel without per-net namespace sctp sysctl entries net/sctp/sm_statefuns.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 59e0ec7d2c9f1fe1ad1c93ef98f7659f80f4eea2 Author: Daniel Borkmann <dborkman@redhat.com> Date: Mon Mar 3 17:23:04 2014 +0100 Upstream commit: ec0223ec48a90cb605244b45f7c62de856403729 Remote DoS fix net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable RFC4895 introduced AUTH chunks for SCTP; 
during the SCTP handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS being optional though): ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- -------------------- COOKIE-ECHO --------------------> <-------------------- COOKIE-ACK --------------------- A special case is when an endpoint requires COOKIE-ECHO chunks to be authenticated: ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- ------------------ AUTH; COOKIE-ECHO ----------------> <-------------------- COOKIE-ACK --------------------- RFC4895, section 6.3. Receiving Authenticated Chunks says: The receiver MUST use the HMAC algorithm indicated in the HMAC Identifier field. If this algorithm was not specified by the receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk during association setup, the AUTH chunk and all the chunks after it MUST be discarded and an ERROR chunk SHOULD be sent with the error cause defined in Section 4.1. [...] If no endpoint pair shared key has been configured for that Shared Key Identifier, all authenticated chunks MUST be silently discarded. [...] When an endpoint requires COOKIE-ECHO chunks to be authenticated, some special procedures have to be followed because the reception of a COOKIE-ECHO chunk might result in the creation of an SCTP association. If a packet arrives containing an AUTH chunk as a first chunk, a COOKIE-ECHO chunk as the second chunk, and possibly more chunks after them, and the receiver does not have an STCB for that packet, then authentication is based on the contents of the COOKIE-ECHO chunk. In this situation, the receiver MUST authenticate the chunks in the packet by using the RANDOM parameters, CHUNKS parameters and HMAC_ALGO parameters obtained from the COOKIE-ECHO chunk, and possibly a local shared secret as inputs to the authentication procedure specified in Section 6.3. 
If authentication fails, then the packet is discarded. If the authentication is successful, the COOKIE-ECHO and all the chunks after the COOKIE-ECHO MUST be processed. If the receiver has an STCB, it MUST process the AUTH chunk as described above using the STCB from the existing association to authenticate the COOKIE-ECHO chunk and all the chunks after it. [...] Commit bbd0d59809f9 introduced the possibility to receive and verification of AUTH chunk, including the edge case for authenticated COOKIE-ECHO. On reception of COOKIE-ECHO, the function sctp_sf_do_5_1D_ce() handles processing, unpacks and creates a new association if it passed sanity checks and also tests for authentication chunks being present. After a new association has been processed, it invokes sctp_process_init() on the new association and walks through the parameter list it received from the INIT chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO and SCTP_PARAM_CHUNKS, and copies them into asoc->peer meta data (peer_random, peer_hmacs, peer_chunks) in case sysctl -w net.sctp.auth_enable=1 is set. If in INIT's SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set, peer_random != NULL and peer_hmacs != NULL the peer is to be assumed asoc->peer.auth_capable=1, in any other case asoc->peer.auth_capable=0. Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is available, we set up a fake auth chunk and pass that on to sctp_sf_authenticate(), which at latest in sctp_auth_calculate_hmac() reliably dereferences a NULL pointer at position 0..0008 when setting up the crypto key in crypto_hash_setkey() by using asoc->asoc_shared_key that is NULL as condition key_id == asoc->active_key_id is true if the AUTH chunk was injected correctly from remote. This happens no matter what net.sctp.auth_enable sysctl says. 
The fix is to check for net->sctp.auth_enable and for asoc->peer.auth_capable before doing any operations like sctp_sf_authenticate() as no key is activated in sctp_auth_asoc_init_active_key() for each case. Now as RFC4895 section 6.3 states that if the used HMAC-ALGO passed from the INIT chunk was not used in the AUTH chunk, we SHOULD send an error; however in this case it would be better to just silently discard such a maliciously prepared handshake as we didn't even receive a parameter at all. Also, as our endpoint has no shared key configured, section 6.3 says that MUST silently discard, which we are doing from now onwards. Before calling sctp_sf_pdiscard(), we need not only to free the association, but also the chunk->auth_chunk skb, as commit bbd0d59809f9 created a skb clone in that case. I have tested this locally by using netfilter's nfqueue and re-injecting packets into the local stack after maliciously modifying the INIT chunk (removing RANDOM; HMAC-ALGO param) and the SCTP packet containing the COOKIE_ECHO (injecting AUTH chunk before COOKIE_ECHO). Fixed with this patch applied. Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk") Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Cc: Vlad Yasevich <yasevich@gmail.com> Cc: Neil Horman <nhorman@tuxdriver.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> net/sctp/sm_statefuns.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit ebb74b079b791bb0c34fc6866c18890247a96707 Author: Mike Pecovnik <mike.pecovnik@gmail.com> Date: Mon Feb 24 21:11:16 2014 +0100 Upstream commit: 46833a86f7ab30101096d81117dd250bfae74c6f net: Fix permission check in netlink_connect() netlink_sendmsg() was changed to prevent non-root processes from sending messages with dst_pid != 0. netlink_connect() however still only checks if nladdr->nl_groups is set. This patch modifies netlink_connect() to check for the same condition. 
Signed-off-by: Mike Pecovnik <mike.pecovnik@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Conflicts: net/netlink/af_netlink.c net/netlink/af_netlink.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a1743153058a5d94d3bd3531fdb0a6ed26601644 Author: Eric Paris <eparis@redhat.com> Date: Thu Feb 20 10:56:45 2014 -0500 Upstream commit: 9085a6422900092886da8c404e1c5340c4ff1cbf SELinux: bigendian problems with filename trans rules When writing policy via /sys/fs/selinux/policy I wrote the type and class of filename trans rules in CPU endian instead of little endian. On x86_64 this works just fine, but it means that on big endian arch's like ppc64 and s390 userspace reads the policy and converts it from le32_to_cpu. So the values are all screwed up. Write the values in le format like it should have been to start. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com> security/selinux/ss/policydb.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit e016024e4b1eaad7ec8c0bbde0fda59dfca3f5c7 Merge: 199dec0 e32eebb Author: Brad Spengler <spender@grsecurity.net> Date: Sun Mar 2 17:34:51 2014 -0500 Merge branch 'pax-stable2' into grsec-stable2 commit e32eebb1908d8f0d9715cbb4cbcdff4ac1a4d69b Author: Brad Spengler <spender@grsecurity.net> Date: Sun Mar 2 17:34:16 2014 -0500 Update to pax-linux-3.2.55-test139.patch: - the latent entropy plugin can now initialize structure variables as well lib/random32.c | 2 +- tools/gcc/latent_entropy_plugin.c | 68 +++++++++++++++++++++++++++++++----- 2 files changed, 59 insertions(+), 11 deletions(-) commit 199dec0e64f023d5e0a63dfa3591afe84319c5da Author: Stanislav Kinsbursky <skinsbursky@parallels.com> Date: Thu Aug 9 02:50:40 2012 +0000 Upstream commit: 66d1b9263a371abd15806c53f486f0645ef31a8f tun: don't zeroize sock->file on detach This is a fix for bug, introduced in 3.4 kernel by 
commit 1ab5ecb90cb6a3df1476e052f76a6e8f6511cb3d ("tun: don't hold network namespace by tun sockets"), which, among other things, replaced simple sock_put() by sk_release_kernel(). Below is sequence, which leads to oops for non-persistent devices: tun_chr_close() tun_detach() <== tun->socket.file = NULL tun_free_netdev() sk_release_sock() sock_release(sock->file == NULL) iput(SOCK_INODE(sock)) <== dereference on NULL pointer This patch just removes zeroing of socket's file from __tun_detach(). sock_release() will do this. Cc: stable@vger.kernel.org Reported-by: Ruan Zhijie <ruanzhijie@hotmail.com> Tested-by: Ruan Zhijie <ruanzhijie@hotmail.com> Acked-by: Al Viro <viro@ZenIV.linux.org.uk> Acked-by: Eric Dumazet <edumazet@google.com> Acked-by: Yuchung Cheng <ycheng@google.com> Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com> Signed-off-by: David S. Miller <davem@davemloft.net> drivers/net/tun.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 6c1789f469de5e8f2248dcd1b4bfe9168ccdd0af Author: Brad Spengler <spender@grsecurity.net> Date: Sat Mar 1 23:27:45 2014 -0500 Apply role_umask RBAC restrictions to POSIX ACLs as well fs/posix_acl.c | 7 +++++-- fs/xattr_acl.c | 12 +++++++++++- 2 files changed, 16 insertions(+), 3 deletions(-) commit 2e99bfdd2df6bc2974a10e586f002c841c058366 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Feb 24 21:57:37 2014 -0500 mention in config help that gcc 4.6.4 or higher is needed for RANDSTRUCT grsecurity/Kconfig | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit a54c7d3b74b92cd53e50d65ccf1a3103279cecbc Author: Brad Spengler <spender@grsecurity.net> Date: Mon Feb 24 17:16:47 2014 -0500 when IPC hardening is disabled via sysctl, we shouldn't be imposing any additional restrictions thanks to Mathias Krause (minipli) for the report grsecurity/grsec_ipc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 04e245bec848573e1c83eaa4f564f429e876e86d Merge: adfe7d4 a26891a Author: Brad 
Spengler <spender@grsecurity.net> Date: Thu Feb 20 21:42:56 2014 -0500 Merge branch 'pax-stable2' into grsec-stable2 Conflicts: drivers/char/random.c commit a26891a7915f8fa411d5c97b57def5d55b0cd1f5 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Feb 20 21:41:22 2014 -0500 Update to pax-linux-3.2.55-test138.patch: - fixed asm goto for all gcc versions, backport from upstream (https://git.kernel.org/linus/a9f180345f5378ac87) - fixed a size overflow false positive in the ELF loader (needs a non-0 based PIE to trigger), reported by spender - the latent entropy plugin will now insert some entropy at compile time into the random pools drivers/char/random.c | 6 +- fs/binfmt_elf.c | 2 +- include/linux/compiler-gcc4.h | 4 -- tools/gcc/gcc-common.h | 10 ++++- tools/gcc/latent_entropy_plugin.c | 84 +++++++++++++++++++++++++++++++++---- tools/gcc/stackleak_plugin.c | 5 +- 6 files changed, 90 insertions(+), 21 deletions(-) commit adfe7d47a64d54abe96f8de64c4222b6e6e4ef61 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Feb 20 18:42:11 2014 -0500 work around pipacs' latent_entropy plugin tools/gcc/randomize_layout_plugin.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit f66c18371cdf6b5579848acee9768e413216aa9b Author: Brad Spengler <spender@grsecurity.net> Date: Thu Feb 20 17:57:36 2014 -0500 .data takes the address of the ints, not their values Conflicts: net/core/neighbour.c net/core/neighbour.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 2804b884e0da1b9f9f901efe7dd9af66e3662616 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Feb 20 16:59:26 2014 -0500 Fix a 16+ year old hack in Linux that exposed itself when RANDSTRUCT was enabled, reported by jacekalex on the forums Conflicts: net/core/neighbour.c include/net/neighbour.h | 1 - net/core/neighbour.c | 9 +++++---- 2 files changed, 5 insertions(+), 5 deletions(-) commit 6996b07c1b542eadf9a05bbe756b2a254cbff380 Author: Theodore Ts'o <tytso@mit.edu> Date: Sun Feb 
16 19:29:32 2014 -0500 Upstream commit: 19ea80603715d473600cd993b9987bc97d042e02 ext4: don't leave i_crtime.tv_sec uninitialized If the i_crtime field is not present in the inode, don't leave the field uninitialized. Fixes: ef7f38359 ("ext4: Add nanosecond timestamps") Reported-by: Vegard Nossum <vegard.nossum@oracle.com> Tested-by: Vegard Nossum <vegard.nossum@oracle.com> Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> Cc: stable@vger.kernel.org fs/ext4/ext4.h | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit cdfe5f0424a44c95fc48d8ecda35ee8a23ab2ea1 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Feb 19 20:39:37 2014 -0500 While a Xen dom0 is technically a guest, it's perceived as a host by many and there's really no Linux "host" for Xen, so allow PARAVIRT to be enabled on "host" kernels only when Xen is selected Thanks to gaima on the forums for the report arch/x86/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 86d245898feca3788abd59400a6190e5d9e89439 Merge: 9550679 08d74bb Author: Brad Spengler <spender@grsecurity.net> Date: Sat Feb 15 19:38:45 2014 -0500 Merge branch 'pax-stable2' into grsec-stable2 Conflicts: arch/x86/kernel/traps.c mm/mmap.c net/ipv4/inet_diag.c commit 08d74bbf2389cb14cebeb54cf5a6f2c4413c06b6 Merge: 3c749fc 39716f2 Author: Brad Spengler <spender@grsecurity.net> Date: Sat Feb 15 19:35:37 2014 -0500 Update to pax-linux-3.2.55-test137.patch Merge branch 'linux-3.2.y' into pax-stable2 Conflicts: mm/memory-failure.c mm/mmap.c commit 9550679471718fb7082fc40068a81a580ac34eca Author: Brad Spengler <spender@grsecurity.net> Date: Sat Feb 15 14:43:58 2014 -0500 add note on how to disable rate limiting on log messages grsecurity/Kconfig | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 3d39f46966283b73145304c1fa69b2ee12d39077 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Feb 13 16:50:39 2014 -0500 Force off all virtualization guest options if the autoconfig choice was not for the 
    kernel to be used for vm guests
    likewise force off Xen if it wasn't mentioned in the autoconfig

    Conflicts:
        arch/x86/Kconfig
        arch/x86/xen/Kconfig

 arch/x86/Kconfig | 1 +
 arch/x86/xen/Kconfig | 1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

commit e9c1e89ad6c783d5d9b1068bb0cf86c0eb185775
Merge: 3239e60 3c749fc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 15:26:38 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 3c749fc72f906ba0db476db1ab0cad2edb2e698e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 15:25:58 2014 -0500

    Update to pax-linux-3.2.54-test137.patch:
    - fixed some gcc plugins to work in low-memory environments as well, reported by many, big thanks to niv <n@e-ix.net> for help

 tools/gcc/Makefile | 2 +-
 tools/gcc/latent_entropy_plugin.c | 18 +++++++++--
 tools/gcc/size_overflow_plugin.c | 19 +++++++++--
 tools/gcc/stackleak_plugin.c | 58 ++++++++++++++++++++++++++++--------
 4 files changed, 76 insertions(+), 21 deletions(-)

commit 3239e609887cec3078527d1a8ed3feae24d017c9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 12:35:16 2014 -0500

    add missing header

 grsecurity/grsec_mem.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 9ddf6ee010dcd333077a1e6b2b9d3f2e4623608c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 12:04:44 2014 -0500

    export msr_write logging function and convert all exported symbols to EXPORT_SYMBOL_GPL

 grsecurity/gracl.c | 8 ++++----
 grsecurity/grsec_chroot.c | 2 +-
 grsecurity/grsec_disabled.c | 6 +++---
 grsecurity/grsec_exec.c | 4 ++--
 grsecurity/grsec_init.c | 2 +-
 grsecurity/grsec_mem.c | 1 +
 grsecurity/grsec_sock.c | 12 ++++++------
 grsecurity/grsec_time.c | 2 +-
 8 files changed, 19 insertions(+), 18 deletions(-)

commit 73ce22c244ede935910517a418e1b3fa3a020407
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 11:28:26 2014 -0500

    add missing header

 arch/x86/kernel/msr.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 83fa54221c9ce274117fb8a828c60b8fae7ae6d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 11:12:36 2014 -0500

    fix typo

 arch/x86/kernel/msr.c | 4 ++--
 include/linux/grsecurity.h | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit e6fdb064145e3cf3f077c453acfdcdd72f05749b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 10:57:06 2014 -0500

    PLUGIN_FINISH_DECL is an enum, so use explicit gcc version checking instead

 tools/gcc/randomize_layout_plugin.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 64c804f844b66c2e8cc651d4cdafd4367ee6284f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 09:23:29 2014 -0500

    Relax MSR restrictions under GRKERNSEC_KMEM, allow MSR reads but not writes.
    Log all writing attempts.

 arch/x86/Kconfig | 1 -
 arch/x86/kernel/msr.c | 9 +++++++++
 grsecurity/grsec_mem.c | 6 ++++++
 include/linux/grmsg.h | 1 +
 include/linux/grsecurity.h | 1 +
 5 files changed, 17 insertions(+), 1 deletions(-)

commit 2a81ca372d0e3dc8d944782c6c653b78757abd96
Author: Richard Yao <ryao@gentoo.org>
Date:   Sat Feb 8 19:32:01 2014 -0500

    Upstream commit: b6f52ae2f0d32387bde2b89883e3b64d88b9bfe8

    9p/trans_virtio.c: Fix broken zero-copy on vmalloc() buffers

    The 9p-virtio transport does zero copy on things larger than 1024 bytes
    in size. It accomplishes this by returning the physical addresses of
    pages to the virtio-pci device. At present, the translation is usually a
    bit shift.

    That approach produces an invalid page address when we read/write to
    vmalloc buffers, such as those used for Linux kernel modules. Any
    attempt to load a Linux kernel module from 9p-virtio produces the
    following stack.

    [<ffffffff814878ce>] p9_virtio_zc_request+0x45e/0x510
    [<ffffffff814814ed>] p9_client_zc_rpc.constprop.16+0xfd/0x4f0
    [<ffffffff814839dd>] p9_client_read+0x15d/0x240
    [<ffffffff811c8440>] v9fs_fid_readn+0x50/0xa0
    [<ffffffff811c84a0>] v9fs_file_readn+0x10/0x20
    [<ffffffff811c84e7>] v9fs_file_read+0x37/0x70
    [<ffffffff8114e3fb>] vfs_read+0x9b/0x160
    [<ffffffff81153571>] kernel_read+0x41/0x60
    [<ffffffff810c83ab>] copy_module_from_fd.isra.34+0xfb/0x180

    Subsequently, QEMU will die printing:

    qemu-system-x86_64: virtio: trying to map MMIO memory

    This patch enables 9p-virtio to correctly handle this case. This not
    only enables us to load Linux kernel modules off virtfs, but also
    enables ZFS file-based vdevs on virtfs to be used without killing QEMU.

    Special thanks to both Avi Kivity and Alexander Graf for their
    interpretation of QEMU backtraces. Without their guidance, tracking down
    this bug would have taken much longer. Also, special thanks to Linus
    Torvalds for his insightful explanation of why this should use
    is_vmalloc_addr() instead of is_vmalloc_or_module_addr():

    https://lkml.org/lkml/2014/2/8/272

    Signed-off-by: Richard Yao <ryao@gentoo.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/9p/trans_virtio.c | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit b2844ed398049b161754f5d4744b198b967be788
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 08:38:14 2014 -0500

    rename finish_decl function to fix compat with gcc 4.7.2 that exposed too much of its internals
    add a useful compile error if we try building with < gcc 4.6.4

 tools/gcc/randomize_layout_plugin.c | 8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 2f04aaaaed6bc1a63152202d4013d21653f01005
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 11 17:33:49 2014 -0500

    [PATCH] random: fix overflow for big nbits values in credit_entropy_bits()

    Commit 30e37ec516ae "random: account for entropy loss due to overwrites"
    introduced an overflow in the arithmetic of credit_entropy_bits() when
    CONFIG_GRKERNSEC_RANDNET is enabled as the latter quadruples the pool
    size and therefore invalidates the assumptions of the "nifty" formula.

    Fix the overflow by using 64bit arithmetic.

    Reported-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
    Signed-off-by: Mathias Krause <mathias.krause@secunet.com>

    This bug is at worst a privileged DoS -- with RANDNET enabled, an admin
    with CAP_SYS_ADMIN feeding large amounts of entropy into the pool at once
    can cause less than expected entropy to be credited (but this doesn't
    affect how much is actually added). For specific buffer sizes, this can
    result in 0 entropy being credited and end in a situation in which the
    kernel can't recover, causing future reads from /dev/random to stall.

    Many thanks to Torsten and Mathias for the report!

 drivers/char/random.c | 5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit 464ca7e89e3a1e5833a6877ead67662caf3ecf6a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 9 11:30:53 2014 -0500

    just ignore the seed file, the hash is in a different dir

 tools/gcc/.gitignore | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit e6c2635a2bc4e5d9b60559ffb58d8939d399f80c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 9 11:27:22 2014 -0500

    Don't pass the hashed seed via build commandline, generate a header to include in vermagic.h instead

    Conflicts:
        Makefile

 Documentation/dontdiff | 2 +-
 Makefile | 4 +---
 include/linux/vermagic.h | 1 +
 tools/gcc/.gitignore | 4 ++--
 tools/gcc/Makefile | 9 ++++-----
 tools/gcc/gen-random-seed.sh | 3 ++-
 6 files changed, 11 insertions(+), 12 deletions(-)

commit f7928dccf4c16676ff44d067e7d6eb64d1b2a37c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 31 18:11:51 2014 -0500

    force on modversion support if RANDSTRUCT is enabled so that we're sure no modules can be loaded that were built with a different seed

 grsecurity/Kconfig | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 74bc16d2da44b78a8f08cceafb7f4c6e1e2581a0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 23:37:13 2014 -0500

    compile fix for RANDSTRUCT

 drivers/staging/media/solo6x10/g723.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 55487724150cf128355dc5a2dd14bbab9e066c1b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 23:20:07 2014 -0500

    fix initializers for use with RANDSTRUCT

 drivers/gpu/drm/nouveau/nouveau_mem.c | 20 ++++++++++----------
 1 files changed, 10 insertions(+), 10 deletions(-)

commit d12a71b090b59adf1e97e22731d6116fddcbb295
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 23:10:16 2014 -0500

    compile fix for ipc hardening

 grsecurity/grsec_ipc.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b4fc8d77c9a707b6759f775d0b901de5c70a2061
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 23:01:58 2014 -0500

    backport IPC hardening for 3.2 which has no proper user namespaces

 grsecurity/grsec_ipc.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 1f49c8104f89773d4e34c89e884cf9677101d8e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 30 11:13:49 2013 -0500

    Update to phase two of the IPC hardening. I've heard no complaints about the patch I released, but including it here will generate better information.

 grsecurity/Kconfig | 16 ++++++++++------
 grsecurity/grsec_ipc.c | 32 +++++++++++++++++++++++++++++---
 include/linux/grmsg.h | 2 +-
 ipc/util.c | 3 ++-
 4 files changed, 42 insertions(+), 11 deletions(-)

commit 31da7adbf5c68ddb3cf5ff8deb9e9d71074fd8da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 20:15:51 2013 -0500

    GRKERNSEC_HARDEN_IPC should depend on SYSVIPC

    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit bc7dcd78312d954f28bd7ed3bb305aaf3fb6b0d8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 19:01:59 2013 -0500

    Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research
    on overly-permissive shared memory found in hundreds of areas in Linux distros:
    http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/

    No reported problems while this has been present in -test

    Signed-off-by: Brad Spengler <spender@grsecurity.net>

    Conflicts:
        ipc/util.c

 grsecurity/Kconfig | 17 +++++++++++++++++
 grsecurity/Makefile | 2 +-
 grsecurity/grsec_init.c | 4 ++++
 grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++
 grsecurity/grsec_sysctl.c | 9 +++++++++
 include/linux/grinternal.h | 1 +
 include/linux/grmsg.h | 1 +
 ipc/util.c | 5 +++++
 8 files changed, 60 insertions(+), 1 deletions(-)

commit 421cc90d6b0897702b319dcfb91120d8c9cf64d6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 22:50:50 2014 -0500

    GRKERNSEC_JIT_HARDEN exists only for x86/x64, restrict Kconfig appropriately

 grsecurity/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 50aff165b5427d039fb24f8f654cedde1c1417de
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 3 19:39:04 2013 -0500

    Update documentation for GRKERNSEC_KMEM and GRKERNSEC_IO, see:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3879
    The previous info was many years outdated.

    Disable KEXEC when GRKERNSEC_KMEM is enabled:
    http://mjg59.dreamwidth.org/28746.html

    Also workaround the GRKERNSEC_IO incompatibility with Xorg by returning
    -ENODEV instead of -EPERM in the cases where CAP_SYS_RAWIO is present

    Conflicts:
        arch/arm/Kconfig
        arch/ia64/Kconfig
        arch/mips/Kconfig
        arch/powerpc/Kconfig

 arch/arm/Kconfig | 1 +
 arch/ia64/Kconfig | 1 +
 arch/mips/Kconfig | 1 +
 arch/powerpc/Kconfig | 1 +
 arch/tile/Kconfig | 1 +
 arch/x86/Kconfig | 1 +
 arch/x86/kernel/ioport.c | 12 ++++++------
 grsecurity/Kconfig | 27 +++++++++++----------------
 8 files changed, 23 insertions(+), 22 deletions(-)

commit f287dcd432b99d6365e7609472b77fa867559b4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 11:26:44 2014 -0500

    Force HIDESYM on if RANDSTRUCT is used, just in case there is a user who
    already isn't enabling it (to prevent the seed from potentially being
    visible to other users if compiled on the same machine).
    Suggested by minipli

 grsecurity/Kconfig | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 51675df74ad0bac7abdeafaaa4d3ec5792983324
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 14:54:11 2014 -0500

    Fix another compiler error caught by RANDSTRUCT

    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 sound/isa/sb/emu8000_synth.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 96d1e15dead6eb84b4ffd6c513b01dab5b90cb86
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 14:34:12 2014 -0500

    Fix another compiler error caught by RANDSTRUCT

    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/net/wan/z85230.c | 24 ++++++++++++------------
 1 files changed, 12 insertions(+), 12 deletions(-)

commit 052f770e6d9118a4f097d1d4fde81763a086881a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 14:30:46 2014 -0500

    fix compilation with RANDSTRUCT plugin

    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 sound/drivers/opl4/opl4_seq.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit e8b62b046ded4a3322b55b4eae617d0d4285a139
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 5 23:43:27 2014 -0500

    avoid printing gibberish in some instances with RANDSTRUCT and modules built
    with other seeds, as the kernel's module loader trusts the module layout

    Conflicts:
        kernel/module.c

 kernel/module.c | 31 +++++++++++++++++++++++++++----
 1 files changed, 27 insertions(+), 4 deletions(-)

commit d195dd1b7432aab2602aa5f68a382f5e0175f4aa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 22:32:57 2014 -0500

    compile fix

 include/linux/moduleparam.h | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit a4840142ad7a2f0aa0ea23fcf74a8b2604ce0814
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 22:25:21 2014 -0500

    fix some 3.2-specific initializers for RANDSTRUCT

 arch/x86/kernel/setup.c | 12 ++++++++++--
 include/linux/moduleparam.h | 2 +-
 2 files changed, 11 insertions(+), 3 deletions(-)

commit e008742fbfcfdf661c9f82e15a56f7ee279399f8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 21:57:10 2014 -0500

    update RANDSTRUCT .gitignore

 tools/gcc/.gitignore | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit fc39b489d6b44c9189601d0873d8bcbd3bd7d6ed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 6 21:26:51 2014 -0500

    gcc 4.9 update for RANDSTRUCT plugin part 1

 tools/gcc/randomize_layout_plugin.c | 7 +------
 1 files changed, 1 insertions(+), 6 deletions(-)

commit 9bf4a234f85ecd0ab80c5640c35f0d1e1505b83f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 6 20:16:57 2014 -0500

    don't pass the seed via build commandline, store it in a header file instead
    and build it into the RANDSTRUCT plugin.
    set up proper dependencies for the generated files used by the RANDSTRUCT
    plugin, fixing some race conditions in the build process
    support O= argument to make and place generated files in the target
    directory tree
    update RANDSTRUCT documentation

    Conflicts:
        Makefile

 Makefile | 8 +++-----
 grsecurity/Kconfig | 2 +-
 scripts/gen-random-seed.sh | 8 --------
 tools/gcc/Makefile | 10 +++++++++-
 tools/gcc/gen-random-seed.sh | 7 +++++++
 tools/gcc/randomize_layout_plugin.c | 23 ++++++++---------------
 6 files changed, 28 insertions(+), 30 deletions(-)

commit a1c274bf9f3c731b545e1d4d2390b6e96612aad0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 5 23:32:26 2014 -0500

    Introduce the non-performance mode -- the performance mode had previously
    been inadvertently forced on regardless of config setting
    Resolve an issue with gcc completing declarations for recently finished
    types *before* the plugin's finish_type being called to randomize that
    structure. This resulted in too small a structure size being emitted for
    this_module and generally crashes whenever modules were loaded.

    Conflicts:
        Makefile

 Makefile | 4 ++--
 tools/gcc/randomize_layout_plugin.c | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

commit a7db043cf43a7882ce1edf31d3340fe748d689bc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 1 19:53:04 2014 -0500

    update RANDSTRUCT plugin to eliminate false positives on struct type
    mismatches resulting from an IS_ERR() sequence
    add checks for bad casts in local and global variable initializers
    use the main variant when comparing types

 tools/gcc/randomize_layout_plugin.c | 150 +++++++++++++++++++++++++++++++++--
 1 files changed, 144 insertions(+), 6 deletions(-)

commit 9e5a1a80d623574b24c55f57e40b5b7707999cca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 1 15:13:06 2014 -0500

    remove unnecessary TODO_* flags for our passive bad cast gimple pass

 tools/gcc/randomize_layout_plugin.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9ba79cc1a206b24d68e0818776044338f510b060
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 1 10:55:36 2014 -0500

    fix RANDSTRUCT plugin compatibility with gcc 4.9

 tools/gcc/randomize_layout_plugin.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1b7af865815f4a208f7ac681d2c18f96bd88cfe1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 31 21:52:14 2014 -0500

    sanity check to make sure we never randomize a struct in include/uapi/*

 scripts/gen-random-seed.sh | 2 +-
 tools/gcc/randomize_layout_plugin.c | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletions(-)

commit 3b37eecf6f83d264aaab51c12e98bbbd27dcb1a3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 12:44:21 2014 -0500

    add a sha256-hashed version of the seed to modversion to ensure no modules
    compiled with another seed can be loaded

    Conflicts:
        Documentation/dontdiff
        Makefile

 Makefile | 4 +++-
 include/linux/vermagic.h | 8 +++++++-
 scripts/gen-random-seed.sh | 2 +-
 tools/gcc/.gitignore | 1 +
 4 files changed, 12 insertions(+), 3 deletions(-)
commit f1d2e403be5bf1842428a9161e17f274c431bf71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 27 20:33:30 2014 -0500

    Relicense RANDSTRUCT plugin as GPLv2, removing the GPLv3 option

 tools/gcc/randomize_layout_plugin.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b2c3736f6f9a648e6c7a66c6833370debdc2cb3b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 18:24:44 2014 -0500

    fix typo

 tools/gcc/randomize_layout_plugin.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8f2d87da2eda2d510e543080d42accc9cb4b4c63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 18:22:33 2014 -0500

    Update RANDSTRUCT plugin for gcc 4.9 and gcc-common.h

 tools/gcc/randomize_layout_plugin.c | 77 +++++++++++++++++++----------------
 1 files changed, 42 insertions(+), 35 deletions(-)

commit e66f5494154f0b1708c3f8a374fce9ea7bb50846
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 14:16:18 2014 -0500

    avoid problems by just building our fake field decl node from scratch

    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 tools/gcc/randomize_layout_plugin.c | 10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

commit 1d8ebfacb2d536ed3019a4214c1539fa72b5f362
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 13:45:18 2014 -0500

    while in non-debug mode, don't emit notes for non-randomized struct types
    clear all signs from our fake field decl of being a bitfield

    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 tools/gcc/randomize_layout_plugin.c | 11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

commit e98e8b1fa16cbf5c0d85790b18ea813d52c208ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 12:56:05 2014 -0500

    revert change to read-only marking of fake struct field

    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 tools/gcc/randomize_layout_plugin.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ce8b04272f6016c11d2d03a06f11784fe213f231
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 12:42:48 2014 -0500

    Update RANDSTRUCT plugin help

    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 tools/gcc/randomize_layout_plugin.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit db7d20642a7ad48f3db9426e665a672a2ceadf56
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 12:25:43 2014 -0500

    Initial backport of RANDSTRUCT to 3.2

    Introduce GRKERNSEC_RANDSTRUCT:
    automatic structure layout randomization of pure ops structs
    randomization of marked sensitive kernel structures
    automatically enabled by GRKERNSEC_CONFIG_AUTO
    performance mode is activated if the config priority is set to performance

    Signed-off-by: Brad Spengler <spender@grsecurity.net>

    Conflicts:
        Documentation/dontdiff
        Makefile
        arch/x86/include/asm/paravirt_types.h
        drivers/acpi/acpica/hwxfsleep.c
        drivers/block/drbd/drbd_interval.c
        drivers/gpu/drm/nouveau/nouveau_ttm.c
        drivers/scsi/bfa/bfa_fcs_lport.c
        drivers/staging/lustre/lustre/ldlm/ldlm_flock.c
        drivers/staging/lustre/lustre/libcfs/module.c
        drivers/staging/media/solo6x10/solo6x10-g723.c
        fs/mount.h
        fs/proc/internal.h
        include/linux/cred.h
        include/linux/dcache.h
        include/linux/fs.h
        include/linux/ipc_namespace.h
        include/linux/module.h
        include/linux/mount.h
        include/linux/pid_namespace.h
        include/linux/proc_ns.h
        include/linux/rbtree_augmented.h
        include/linux/sched.h
        include/linux/user_namespace.h
        include/linux/utsname.h
        include/net/net_namespace.h
        lib/rbtree.c
        net/vmw_vsock/vmci_transport_notify.c
        net/vmw_vsock/vmci_transport_notify_qstate.c

 Documentation/dontdiff | 2 +
 Makefile | 10 +
 arch/x86/include/asm/floppy.h | 20 +-
 arch/x86/include/asm/paravirt_types.h | 23 +-
 arch/x86/include/asm/processor.h | 2 +-
 drivers/block/cciss.h | 30 +-
 drivers/block/smart1,2.h | 40 +-
 drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +-
 drivers/infiniband/hw/ipath/ipath_dma.c | 26 +-
 drivers/infiniband/hw/nes/nes_cm.c | 22 +-
 drivers/isdn/gigaset/bas-gigaset.c | 32 +-
 drivers/isdn/gigaset/ser-gigaset.c | 32 +-
 drivers/isdn/gigaset/usb-gigaset.c | 32 +-
 drivers/isdn/i4l/isdn_concap.c | 6 +-
 drivers/isdn/i4l/isdn_x25iface.c | 16 +-
 drivers/misc/sgi-xp/xp_main.c | 12 +-
 drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +-
 drivers/net/wan/lmc/lmc_media.c | 97 ++--
 drivers/scsi/bfa/bfa_fcs.c | 19 +-
 drivers/scsi/bfa/bfa_fcs_lport.c | 22 +-
 drivers/scsi/bfa/bfa_modules.h | 12 +-
 drivers/scsi/hpsa.h | 20 +-
 drivers/video/matrox/matroxfb_DAC1064.c | 10 +-
 drivers/video/matrox/matroxfb_Ti3026.c | 5 +-
 fs/reiserfs/item_ops.c | 24 +-
 grsecurity/Kconfig | 31 +-
 include/linux/compiler-gcc4.h | 5 +
 include/linux/compiler.h | 8 +
 include/linux/cred.h | 4 +-
 include/linux/dcache.h | 2 +-
 include/linux/fs.h | 14 +-
 include/linux/fs_struct.h | 2 +-
 include/linux/ipc_namespace.h | 2 +-
 include/linux/kobject.h | 2 +-
 include/linux/mm_types.h | 4 +-
 include/linux/module.h | 4 +-
 include/linux/mount.h | 2 +-
 include/linux/pid_namespace.h | 2 +-
 include/linux/proc_fs.h | 4 +-
 include/linux/sched.h | 6 +-
 include/linux/sysctl.h | 2 +-
 include/linux/tty.h | 2 +-
 include/linux/tty_driver.h | 2 +-
 include/linux/user_namespace.h | 2 +-
 include/linux/utsname.h | 2 +-
 include/net/neighbour.h | 2 +-
 include/net/net_namespace.h | 2 +-
 net/atm/lec.c | 6 +-
 net/atm/mpoa_caches.c | 42 +-
 net/decnet/dn_dev.c | 2 +-
 net/x25/sysctl_net_x25.c | 2 +-
 scripts/Makefile | 2 +
 scripts/gen-random-seed.sh | 8 +
 sound/core/seq/oss/seq_oss.c | 4 +-
 sound/core/seq/seq_midi.c | 4 +-
 sound/drivers/opl3/opl3_seq.c | 4 +-
 sound/pci/emu10k1/emu10k1_synth.c | 4 +-
 sound/synth/emux/emux_seq.c | 14 +-
 tools/gcc/.gitignore | 1 +
 tools/gcc/Makefile | 2 +
 tools/gcc/randomize_layout_plugin.c | 726 +++++++++++++++++++++++++
 62 files changed, 1147 insertions(+), 322 deletions(-)

commit 6c1dfb8e0c4342aafaf3da38143aff565f74e357
Merge: c0c1e89 f6b9aab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 21:25:13 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit f6b9aab54f0b4b4b99dbe494cb56ed6fcab3c7fe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 21:24:26 2014 -0500

    Update to pax-linux-3.2.54-test136.patch:
    - fixed the PLUGIN_START_UNIT callback names in the latent entropy and size overflow plugins, reported by spender
    - added a new header to gcc-common.h, reported by spender
    - some useful backports from upstream 3.14:
      - debug info for .S: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7db436325db821b400328563ed693b09f8c4c46c
      - make v4 -s handling: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e36aaea28972c57a32a3ba5365e61633739719b9

 Makefile | 8 +++++++-
 tools/gcc/gcc-common.h | 1 +
 tools/gcc/latent_entropy_plugin.c | 2 +-
 tools/gcc/size_overflow_plugin.c | 2 +-
 4 files changed, 10 insertions(+), 3 deletions(-)

commit c0c1e8928b192455d42a54f54198ad5ffcafef6d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 20:30:40 2014 -0500

    on 3.2 the proper routine is task_times()

 grsecurity/gracl.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5d09902d41934e044fcf68dd00b5f4ad77148ca3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 20:02:12 2014 -0500

    don't divide cputime by HZ as some architectures can't handle this
    use proper task_cputime and cputime_to_secs wrappers
    Thanks to Michael Tremer for the report

 grsecurity/gracl.c | 23 ++++++++++++-----------
 1 files changed, 12 insertions(+), 11 deletions(-)

commit 799f4942cecf292385820730dd7d253cc27df988
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 6 18:15:24 2014 -0500

    make GRKERNSEC_HIDESYM also protect the target directory specified with the O= arg to 'make'

 grsecurity/Makefile | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 23a8287c65bb4933e3e6c28242b0dad3be1bc8bd
Author: David Sterba <dsterba@suse.cz>
Date:   Wed Jan 15 18:15:52 2014 +0100

    Upstream commit: b572f9aaacdcb9b22ee6483fecaaa7a38c757896

    btrfs: restrict snapshotting to own subvolumes

    commit d024206133ce21936b3d5780359afc00247655b7 upstream.

    Currently, any user can snapshot any subvolume if the path is accessible and
    thus indirectly create and keep files he does not own under his directories.

    This is not possible with traditional directories.

    In security context, a user can snapshot root filesystem and pin any
    potentially buggy binaries, even if the updates are applied.

    All the snapshots are visible to the administrator, so it's possible to
    verify if there are suspicious snapshots.

    Another more practical problem is that any user can pin the space used by
    eg. root and cause ENOSPC.

    Original report: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/484786

    Signed-off-by: David Sterba <dsterba@suse.cz>
    Signed-off-by: Josef Bacik <jbacik@fb.com>
    Signed-off-by: Chris Mason <clm@fb.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

    Conflicts:
        fs/btrfs/ioctl.c

 fs/btrfs/ioctl.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit bf11284994657b38a9066c95146b5f2d726b1c27
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 6 20:20:41 2014 -0500

    Backport SELinux DoS fix from http://marc.info/?l=selinux&m=139110025203759&w=2

 security/selinux/ss/services.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 026e375ba60b6866de10b3238e083ef9d35846dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 3 17:28:44 2014 -0500

    select DEBUG_KERNEL in addition to DEBUG_LIST

 security/Kconfig | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 4f18c21f3dbcc85b0d65746ac1ef57fe820af6ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 2 21:23:30 2014 -0500

    update copyright date

 grsecurity/Makefile | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8386e86f2202ea78b3f552c2446946d44799a46f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 2 21:23:08 2014 -0500

    update copyright message

 grsecurity/Makefile | 22 ++++++++++++++++++------
 1 files changed, 16 insertions(+), 6 deletions(-)

commit 6ad9fb0b598b5e77be4578116cde54a39aada70a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 1 09:46:46 2014 -0500

    disable verbose random debugging messages at boot

 drivers/char/random.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 9a257eeac61664e3a7b17f6e89e10bd8e3dc8285
Author: Weston Andros Adamson <dros@netapp.com>
Date:   Tue Dec 17 12:16:11 2013 -0500

    Upstream commit: 6ff33b7dd0228b7d7ed44791bbbc98b03fd15d9d

    sunrpc: Fix infinite loop in RPC state machine

    When a task enters call_refreshresult with status 0 from call_refresh and
    !rpcauth_uptodatecred(task) it enters call_refresh again with no rate-limiting
    or max number of retries.

    Instead of trying forever, make use of the retry path that other errors use.

    This only seems to be possible when the crrefresh callback is gss_refresh_null,
    which only happens when destroying the context.

    To reproduce:

    1) mount with sec=krb5 (or sec=sys with krb5 negotiated for non FSID specific
       operations).

    2) reboot - the client will be stuck and will need to be hard rebooted

    BUG: soft lockup - CPU#0 stuck for 22s! [kworker/0:2:46]
    Modules linked in: rpcsec_gss_krb5 nfsv4 nfs fscache ppdev crc32c_intel aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd serio_raw i2c_piix4 i2c_core e1000 parport_pc parport shpchp nfsd auth_rpcgss oid_registry exportfs nfs_acl lockd sunrpc autofs4 mptspi scsi_transport_spi mptscsih mptbase ata_generic floppy
    irq event stamp: 195724
    hardirqs last  enabled at (195723): [<ffffffff814a925c>] restore_args+0x0/0x30
    hardirqs last disabled at (195724): [<ffffffff814b0a6a>] apic_timer_interrupt+0x6a/0x80
    softirqs last  enabled at (195722): [<ffffffff8103f583>] __do_softirq+0x1df/0x276
    softirqs last disabled at (195717): [<ffffffff8103f852>] irq_exit+0x53/0x9a
    CPU: 0 PID: 46 Comm: kworker/0:2 Not tainted 3.13.0-rc3-branch-dros_testing+ #4
    Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013
    Workqueue: rpciod rpc_async_schedule [sunrpc]
    task: ffff8800799c4260 ti: ffff880079002000 task.ti: ffff880079002000
    RIP: 0010:[<ffffffffa0064fd4>]  [<ffffffffa0064fd4>] __rpc_execute+0x8a/0x362 [sunrpc]
    RSP: 0018:ffff880079003d18  EFLAGS: 00000246
    RAX: 0000000000000005 RBX: 0000000000000007 RCX: 0000000000000007
    RDX: 0000000000000007 RSI: ffff88007aecbae8 RDI: ffff8800783d8900
    RBP: ffff880079003d78 R08: ffff88006e30e9f8 R09: ffffffffa005a3d7
    R10: ffff88006e30e7b0 R11: ffff8800783d8900 R12: ffffffffa006675e
    R13: ffff880079003ce8 R14: ffff88006e30e7b0 R15: ffff8800783d8900
    FS:  0000000000000000(0000) GS:ffff88007f200000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f3072333000 CR3: 0000000001a0b000 CR4: 00000000001407f0
    Stack:
     ffff880079003d98 0000000000000246 0000000000000000 ffff88007a9a4830
     ffff880000000000 ffffffff81073f47 ffff88007f212b00 ffff8800799c4260
     ffff8800783d8988 ffff88007f212b00 ffffe8ffff604800 0000000000000000
    Call Trace:
     [<ffffffff81073f47>] ? trace_hardirqs_on_caller+0x145/0x1a1
     [<ffffffffa00652d3>] rpc_async_schedule+0x27/0x32 [sunrpc]
     [<ffffffff81052974>] process_one_work+0x211/0x3a5
     [<ffffffff810528d5>] ? process_one_work+0x172/0x3a5
     [<ffffffff81052eeb>] worker_thread+0x134/0x202
     [<ffffffff81052db7>] ? rescuer_thread+0x280/0x280
     [<ffffffff81052db7>] ? rescuer_thread+0x280/0x280
     [<ffffffff810584a0>] kthread+0xc9/0xd1
     [<ffffffff810583d7>] ? __kthread_parkme+0x61/0x61
     [<ffffffff814afd6c>] ret_from_fork+0x7c/0xb0
     [<ffffffff810583d7>] ? __kthread_parkme+0x61/0x61
    Code: e8 87 63 fd e0 c6 05 10 dd 01 00 01 48 8b 43 70 4c 8d 6b 70 45 31 e4 a8 02 0f 85 d5 02 00 00 4c 8b 7b 48 48 c7 43 48 00 00 00 00 <4c> 8b 4b 50 4d 85 ff 75 0c 4d 85 c9 4d 89 cf 0f 84 32 01 00 00

    And the output of "rpcdebug -m rpc -s all":

    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 call_refreshresult (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 call_refreshresult (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refreshresult (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 call_refreshresult (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 call_refresh (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 call_refreshresult (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refreshresult (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0

    Signed-off-by: Weston Andros Adamson <dros@netapp.com>
    Cc: stable@vger.kernel.org # 2.6.37+
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>

 net/sunrpc/clnt.c | 8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit fd1beb50c5eaa0858d30d8f9699857daea7c98db
Merge: aaf7afa 49b27c8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 28 18:26:23 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 49b27c8baad9a11219a62bffe9fd9c26a395e8bc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 28 18:25:38 2014 -0500

    Update to pax-linux-3.2.54-test135.patch:
    - fixed a constify plugin regression for real, reported by spender
    - fixed the TRACE_IRQFLAGS/KERNEXEC problem for real, 3rd time's a charm, by minipli
    - fixed a size overflow false positive in skb_network_offset due to an intentional overflow, by Emese Revfy, reported by Nikita Matovs

 arch/x86/kernel/entry_64.S | 22 ++++++++++++----------
 include/linux/skbuff.h | 2 +-
 2 files changed, 13 insertions(+), 11 deletions(-)

commit aaf7afa0bc1a4d10383c863dbbeab107168c8228
Merge: df449a2 944ffc0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 27 23:30:39 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 944ffc0c46fb368461f52f3520f7876b8db6e175
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 27 23:30:12 2014 -0500

    backport gcc assert fix from 3.13 constify plugin

 tools/gcc/constify_plugin.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit df449a264e347238c119b0fdcdb3e5d83c08d61e
Merge: 1b28d35 99f43f7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 27 23:16:35 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 99f43f743906732e811f76041355a4e460571223
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 27 23:15:52 2014 -0500

    Update to pax-linux-3.2.54-test134.patch:
    - gcc plugin updates
      - ported them to gcc trunk (future 4.9)
      - introduced gcc-common.h to simplify gcc version dependencies
      - updated size overflow hash table from spender
      - fixed kallocstat to detect constant size arguments early
      - fixed constify to preserve type qualifiers on pointer-to-self fields
    - added a few sparse/checker annotations and changes to satisfy gcc's address space logic
    - fixed the TRACE_IRQFLAGS problem reported by minipli again
    - fixed a constify plugin regression, reported by spender
    - updated gcc-common.h
    - fixed the size overflow plugin for gcc 4.9, by Emese Revfy

 arch/x86/ia32/ia32_signal.c | 6 +-
 arch/x86/kernel/entry_64.S | 86 ++-----
 arch/x86/kernel/tboot.c | 2 +-
 block/compat_ioctl.c | 2 +-
 drivers/gpu/drm/drm_crtc.c | 2 +-
 drivers/media/video/v4l2-compat-ioctl32.c | 10 +-
 drivers/media/video/v4l2-ctrls.c | 4 +-
 drivers/media/video/v4l2-ioctl.c | 2 +-
 drivers/mmc/card/block.c | 2 +-
 drivers/net/macvtap.c | 2 +-
 drivers/video/fbmem.c | 2 +-
 fs/compat_ioctl.c | 2 +-
 fs/exec.c | 2 +-
 include/linux/videodev2.h | 2 +-
 net/9p/client.c | 6 +-
 net/socket.c | 6 +-
 tools/gcc/Makefile | 2 +-
 tools/gcc/checker_plugin.c | 30 +--
 tools/gcc/colorize_plugin.c | 62 +++--
 tools/gcc/constify_plugin.c | 105 ++++----
 tools/gcc/gcc-common.h | 267 +++++++++++++++++++
 tools/gcc/kallocstat_plugin.c | 164 +++++++------
 tools/gcc/kernexec_plugin.c | 333 ++++++++++++++-----------
 tools/gcc/latent_entropy_plugin.c | 146 +++++------
 tools/gcc/size_overflow_plugin.c | 400 +++++++++++++----------------
 tools/gcc/stackleak_plugin.c | 236 +++++++++--------
 tools/gcc/structleak_plugin.c | 90 +++----
 27 files changed, 1108 insertions(+), 865 deletions(-)

commit 1b28d3560eaa3295b735bcc4c6d61b320a1cba9a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 27 20:30:10 2014 -0500

    Make all grsecurity code GPLv2 only for future releases. Not really
    important as grsecurity is a derivative work of the Linux kernel and thus
    forced to be GPLv2, the "or higher" was superfluous.

 grsecurity/Makefile | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c904fd3f64736a669cc112e7c1efe8f2e544cc0c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 19 08:42:54 2014 -0500

    update size_overflow hash table

 tools/gcc/size_overflow_hash.data | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 9ad0ac28c8d7407657f7685eaa00a6f18f9039ee
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Tue Dec 17 21:16:39 2013 -0500

    Upstream commit: a9f069e38cc36d6c4ab3c831bc4bef2ae1a16e96

    random: use the architectural HWRNG for the SHA's IV in extract_buf()

    To help assuage the fears of those who think the NSA can introduce a
    massive hack into the instruction decode and out of order execution
    engine in the CPU without hundreds of Intel engineers knowing about
    it (only one of which would need to have the conscience and courage
    of Edward Snowden to spill the beans to the public), use the HWRNG to
    initialize the SHA starting value, instead of xor'ing it in
    afterwards.

    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>

 drivers/char/random.c | 16 ++++++++--------
 1 files changed, 8 insertions(+), 8 deletions(-)

commit bc3de2373709b9c953076c1496be6e871c777036
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 18 20:43:43 2014 -0500

    Since the reworking of recvmsg handlers by Hannes Frederic Sowa, it should
    be safe to revert our workaround for large number of infoleaks the previous
    interface made possible, restoring some performance to these syscalls

 net/socket.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f0d137f2b202f4b2c7cb4bdbf89888e5c3f2751d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 18 20:09:43 2014 -0500

    sync with PaX code from 3.12

 arch/x86/kernel/traps.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7978ab13fe239d3dd6d27d868c9fd4c67f9f77cf
Merge: 34e52ab 0623c43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 18 17:26:44 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 34e52ab70ab870616b6c3714f5ed7d39f66c48ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 18 17:26:32 2014 -0500

    Revert "Revert recent PaX marking change that broke a significant number"

    This reverts commit 40065cc405e7c8bf859610ce7b10e94b7292564b.

 fs/binfmt_elf.c | 53 ++++++++++++++++++++++++++++++-----------------------
 1 files changed, 30 insertions(+), 23 deletions(-)

commit 0623c43f4c0a9a0817d514139bf9a054bbfb8f99
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 18 17:25:12 2014 -0500

    Update to pax-linux-3.2.54-test133.patch:
    - new size overflow plugin and hash table from Emese
    - reworked the interaction between the various PaX control flag mechanisms for better consistency
    - fixed type attribute handling in the constify plugin, reported by spender

 fs/binfmt_elf.c | 144 +++++++++++++++++++++----------------
 include/linux/sched.h | 1 +
 include/linux/sysctl.h | 6 --
 tools/gcc/constify_plugin.c | 20 +++---
 tools/gcc/size_overflow_plugin.c | 64 +++++++++++------
 5 files changed, 132 insertions(+), 103 deletions(-)

commit 78348f5b6093f576ea68aa18c23f15750c08c0e3
Author: Steven Rostedt <rostedt@goodmis.org>
Date:   Thu Jan 9 21:46:34 2014 -0500

    Upstream commit: 3dc91d4338d698ce77832985f9cb183d8eeaf6be

    SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()

    While running stress tests on adding and deleting ftrace instances I hit
    this bug:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
    IP: selinux_inode_permission+0x85/0x160
    PGD 63681067 PUD 7ddbe067 PMD 0
    Oops: 0000 [#1] PREEMPT
    CPU: 0 PID: 5634 Comm: ftrace-test-mki Not tainted 3.13.0-rc4-test-00033-gd2a6dde-dirty #20
    Hardware name:                  /DG965MQ, BIOS MQ96510J.86A.0372.2006.0605.1717 06/05/2006
    task: ffff880078375800 ti: ffff88007ddb0000 task.ti: ffff88007ddb0000
    RIP: 0010:[<ffffffff812d8bc5>]  [<ffffffff812d8bc5>] selinux_inode_permission+0x85/0x160
    RSP: 0018:ffff88007ddb1c48  EFLAGS: 00010246
    RAX: 0000000000000000 RBX:
0000000000800000 RCX: ffff88006dd43840 RDX: 0000000000000001 RSI: 0000000000000081 RDI: ffff88006ee46000 RBP: ffff88007ddb1c88 R08: 0000000000000000 R09: ffff88007ddb1c54 R10: 6e6576652f6f6f66 R11: 0000000000000003 R12: 0000000000000000 R13: 0000000000000081 R14: ffff88006ee46000 R15: 0000000000000000 FS: 00007f217b5b6700(0000) GS:ffffffff81e21000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033^M CR2: 0000000000000020 CR3: 000000006a0fe000 CR4: 00000000000007f0 Call Trace: security_inode_permission+0x1c/0x30 __inode_permission+0x41/0xa0 inode_permission+0x18/0x50 link_path_walk+0x66/0x920 path_openat+0xa6/0x6c0 do_filp_open+0x43/0xa0 do_sys_open+0x146/0x240 SyS_open+0x1e/0x20 system_call_fastpath+0x16/0x1b Code: 84 a1 00 00 00 81 e3 00 20 00 00 89 d8 83 c8 02 40 f6 c6 04 0f 45 d8 40 f6 c6 08 74 71 80 cf 02 49 8b 46 38 4c 8d 4d cc 45 31 c0 <0f> b7 50 20 8b 70 1c 48 8b 41 70 89 d9 8b 78 04 e8 36 cf ff ff RIP selinux_inode_permission+0x85/0x160 CR2: 0000000000000020 Investigating, I found that the inode->i_security was NULL, and the dereference of it caused the oops. in selinux_inode_permission(): isec = inode->i_security; rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); Note, the crash came from stressing the deletion and reading of debugfs files. I was not able to recreate this via normal files. But I'm not sure they are safe. It may just be that the race window is much harder to hit. What seems to have happened (and what I have traced), is the file is being opened at the same time the file or directory is being deleted. As the dentry and inode locks are not held during the path walk, nor is the inodes ref counts being incremented, there is nothing saving these structures from being discarded except for an rcu_read_lock(). The rcu_read_lock() protects against freeing of the inode, but it does not protect freeing of the inode_security_struct. 
Now if the freeing of the i_security happens with a call_rcu(), and the i_security field of the inode is not changed (it gets freed as the inode gets freed) then there will be no issue here. (Linus Torvalds suggested not setting the field to NULL such that we do not need to check if it is NULL in the permission check). Note, this is a hack, but it fixes the problem at hand. A real fix is to restructure the destroy_inode() to call all the destructor handlers from the RCU callback. But that is a major job to do, and requires a lot of work. For now, we just band-aid this bug with this fix (it works), and work on a more maintainable solution in the future. Link: http://lkml.kernel.org/r/20140109101932.0508dec7@gandalf.local.home Link: http://lkml.kernel.org/r/20140109182756.17abaaa8@gandalf.local.home Cc: stable@vger.kernel.org Signed-off-by: Steven Rostedt <rostedt@goodmis.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> security/selinux/hooks.c | 20 ++++++++++++++++++-- security/selinux/include/objsec.h | 5 ++++- 2 files changed, 22 insertions(+), 3 deletions(-) commit e23872879b4d23dc790ccad86aaf9ec2e9ae8e6f Author: Hannes Frederic Sowa <hannes@stressinduktion.org> Date: Mon Jan 13 02:45:22 2014 +0100 Upstream commit: 95f4a45de1a0f172b35451fc52283290adb21f6e net: avoid reference counter overflows on fib_rules in multicast forwarding Bob Falken reported that after 4G packets, multicast forwarding stopped working. This was because of a rule reference counter overflow which freed the rule as soon as the overflow happend. This patch solves this by adding the FIB_LOOKUP_NOREF flag to fib_rules_lookup calls. This is safe even from non-rcu locked sections as in this case the flag only implies not taking a reference to the rule, which we don't need at all. 
Rules only hold references to the namespace, which are guaranteed to be available during the call of the non-rcu protected function reg_vif_xmit because of the interface reference which itself holds a reference to the net namespace. Fixes: f0ad0860d01e47 ("ipv4: ipmr: support multiple tables") Fixes: d1db275dd3f6e4 ("ipv6: ip6mr: support multiple tables") Reported-by: Bob Falken <NetFestivalHaveFun@gmx.com> Cc: Patrick McHardy <kaber@trash.net> Cc: Thomas Graf <tgraf@suug.ch> Cc: Julian Anastasov <ja@ssi.bg> Cc: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> net/ipv4/ipmr.c | 7 +++++-- net/ipv6/ip6mr.c | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) commit 78d6bf0dd1b3d5512b8a5f8ef0655f1e15bfcd7d Author: NeilBrown <neilb@suse.de> Date: Mon Jan 6 10:35:34 2014 +1100 Upstream commit: e8b849158508565e0cd6bc80061124afc5879160 md/raid10: fix bug when raid10 recovery fails to recover a block. commit e875ecea266a543e643b19e44cf472f1412708f9 md/raid10 record bad blocks as needed during recovery. added code to the "cannot recover this block" path to record a bad block rather than fail the whole recovery. Unfortunately this new case was placed *after* r10bio was freed rather than *before*, yet it still uses r10bio. This is will crash with a null dereference. So move the freeing of r10bio down where it is safe. 
Cc: stable@vger.kernel.org (v3.1+) Fixes: e875ecea266a543e643b19e44cf472f1412708f9 Reported-by: Damian Nowak <spam@nowaker.net> URL: https://bugzilla.kernel.org/show_bug.cgi?id=68181 Signed-off-by: NeilBrown <neilb@suse.de> drivers/md/raid10.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 19ce1cd7bf18f03cf143d7cc12ae3f52e6ba3dd9 Author: NeilBrown <neilb@suse.de> Date: Tue Jan 14 10:38:09 2014 +1100 Upstream commit: b50c259e25d9260b9108dc0c2964c26e5ecbe1c1 md/raid10: fix two bugs in handling of known-bad-blocks. If we discover a bad block when reading we split the request and potentially read some of it from a different device. The code path of this has two bugs in RAID10. 1/ we get a spin_lock with _irq, but unlock without _irq!! 2/ The calculation of 'sectors_handled' is wrong, as can be clearly seen by comparison with raid1.c This leads to at least 2 warnings and a probable crash is a RAID10 ever had known bad blocks. Cc: stable@vger.kernel.org (v3.1+) Fixes: 856e08e23762dfb92ffc68fd0a8d228f9e152160 Reported-by: Damian Nowak <spam@nowaker.net> URL: https://bugzilla.kernel.org/show_bug.cgi?id=68181 Signed-off-by: NeilBrown <neilb@suse.de> drivers/md/raid10.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 84b9921ab57d01dc6ef681fbc7aed654431af347 Author: Andreas Rohner <andreas.rohner@gmx.net> Date: Tue Jan 14 17:56:36 2014 -0800 Upstream commit: 70f2fe3a26248724d8a5019681a869abdaf3e89a nilfs2: fix segctor bug that causes file system corruption There is a bug in the function nilfs_segctor_collect, which results in active data being written to a segment, that is marked as clean. It is possible, that this segment is selected for a later segment construction, whereby the old data is overwritten. 
The problem shows itself with the following kernel log message: nilfs_sufile_do_cancel_free: segment 6533 must be clean Usually a few hours later the file system gets corrupted: NILFS: bad btree node (blocknr=8748107): level = 0, flags = 0x0, nchildren = 0 NILFS error (device sdc1): nilfs_bmap_last_key: broken bmap (inode number=114660) The issue can be reproduced with a file system that is nearly full and with the cleaner running, while some IO intensive task is running. Although it is quite hard to reproduce. This is what happens: 1. The cleaner starts the segment construction 2. nilfs_segctor_collect is called 3. sc_stage is on NILFS_ST_SUFILE and segments are freed 4. sc_stage is on NILFS_ST_DAT current segment is full 5. nilfs_segctor_extend_segments is called, which allocates a new segment 6. The new segment is one of the segments freed in step 3 7. nilfs_sufile_cancel_freev is called and produces an error message 8. Loop around and the collection starts again 9. sc_stage is on NILFS_ST_SUFILE and segments are freed including the newly allocated segment, which will contain active data and can be allocated at a later time 10. A few hours later another segment construction allocates the segment and causes file system corruption This can be prevented by simply reordering the statements. If nilfs_sufile_cancel_freev is called before nilfs_segctor_extend_segments the freed segments are marked as dirty and cannot be allocated any more. 
Signed-off-by: Andreas Rohner <andreas.rohner@gmx.net> Reviewed-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> Tested-by: Andreas Rohner <andreas.rohner@gmx.net> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> fs/nilfs2/segment.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) commit b5081910f95ef6c358d157e59a8dda19fcf9c64a Author: Salva Peiró <speiro@ai2.upv.es> Date: Tue Dec 17 10:06:30 2013 +0100 Upstream commit: 8e3fbf870481eb53b2d3a322d1fc395ad8b367ed hamradio/yam: fix info leak in ioctl The yam_ioctl() code fails to initialise the cmd field of the struct yamdrv_ioctl_cfg. Add an explicit memset(0) before filling the structure to avoid the 4-byte info leak. Signed-off-by: Salva Peiró <speiro@ai2.upv.es> Signed-off-by: David S. Miller <davem@davemloft.net> drivers/net/hamradio/yam.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit f36c812008cc490985bd62198500e2555edf7cce Author: Brad Spengler <spender@grsecurity.net> Date: Sat Jan 18 16:31:17 2014 -0500 Upstream commit: 807a0c12941850ddaff2ed62ba26a748e542c599 x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround commit 26bef1318adc1b3a530ecc807ef99346db2aa8b0 upstream. Before we do an EMMS in the AMD FXSAVE information leak workaround we need to clear any pending exceptions, otherwise we trap with a floating-point exception inside this code. Reported-by: halfdog <me@halfdog.net> Tested-by: Borislav Petkov <bp@suse.de> Link: http://lkml.kernel.org/r/CA%2B55aFxQnY_PCG_n4=0w-VG=YLXL-yr7oMxyy0WU2gCBAf3ydg@mail.gmail.com Signed-off-by: H. 
Peter Anvin <hpa@zytor.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> arch/x86/kernel/traps.c | 13 +++++++------ 1 files changed, 7 insertions(+), 6 deletions(-) commit 40065cc405e7c8bf859610ce7b10e94b7292564b Author: Brad Spengler <spender@grsecurity.net> Date: Thu Dec 26 19:23:25 2013 -0500 Revert recent PaX marking change that broke a significant number of existing systems. The marking system will be revamped in a later patch to fix softmode support while making XT markings more usable. fs/binfmt_elf.c | 53 +++++++++++++++++++++++------------------------------ 1 files changed, 23 insertions(+), 30 deletions(-) commit 7e6ea015eb7f3d172b7cd9a458fff143c35e794b Merge: 841a673 bec704a Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jan 16 07:03:53 2014 -0500 Merge branch 'pax-stable2' into grsec-stable2 commit bec704a790bd9b7e3b3906849cc164c4c67eef67 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jan 16 07:02:25 2014 -0500 Update to pax-linux-3.2.54-test132.patch: - fixed an inconsistency in handling softmode and user.pax.flags, reported by jacekalex (http://forums.grsecurity.net/viewtopic.php?f=3&t=3877) - fixed silly code in kvm_clear_guest_page detected by USERCOPY, reported by remnix (http://forums.grsecurity.net/viewtopic.php?f=3&t=3899) - Emese worked around a few intentional overflows that triggered the size overflow plugin - in cpuset_common_file_read, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=496490) and boris64 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3907) - fixed powerpc compilation, by Purushothama Siddaiah <psiddaiah@mvista.com> - fixed incorrent module parameter type in vivi, caught by the size overflow plugin - use plugins while building more kernel targets (asm-offsets.c, etc) - small cleanup in no_const attribute handling, reported by spender Makefile | 2 + arch/powerpc/kernel/module_32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/media/video/vivi.c | 4 +- 
drivers/usb/core/devio.c | 2 +- fs/binfmt_elf.c | 53 ++++++---- include/linux/devfreq.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- security/Kconfig | 1 - tools/gcc/constify_plugin.c | 47 ++++----- tools/gcc/size_overflow_hash.data | 71 +++++++------ tools/gcc/size_overflow_plugin.c | 173 +++++++++++++++++++++++++++----- virt/kvm/kvm_main.c | 13 ++- 13 files changed, 258 insertions(+), 116 deletions(-) commit 841a673ac30f4c753efec687702296ccbdd04f90 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Jan 8 17:46:46 2014 -0500 back out recently-added capability checks to various pci write methods as they break Xorg radeon drivers drivers/pci/pci-sysfs.c | 9 --------- drivers/pci/proc.c | 3 --- 2 files changed, 0 insertions(+), 12 deletions(-) commit eb25c5db7c0818cefe240318557152a2300100e0 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jan 2 17:02:24 2014 -0500 Back off recent PCI BAR restrictions as they break various existing necessary functionality (Xorg with VMware video driver, etc) Add CAP_SYS_RAWIO checks instead to code operating off just uid == 0 checks currently drivers/pci/pci-sysfs.c | 17 +++++++---------- drivers/pci/proc.c | 13 ++----------- drivers/pci/syscall.c | 4 ---- 3 files changed, 9 insertions(+), 25 deletions(-) commit 21e33201b298da74f9b923d174d02a072cc71d96 Author: Brad Spengler <spender@grsecurity.net> Date: Sun Jan 5 16:29:52 2014 -0500 Update size_overflow hash table tools/gcc/size_overflow_hash.data | 71 +++++++++++++++++++----------------- 1 files changed, 37 insertions(+), 34 deletions(-) commit 0871ae45aefdad82a1dbd4ff5229938f9fa907ec Merge: caf7b9f 633e6b5 Author: Brad Spengler <spender@grsecurity.net> Date: Sun Jan 5 12:43:58 2014 -0500 Merge branch 'pax-stable2' into grsec-stable2 Conflicts: arch/arm/lib/getuser.S arch/arm/lib/putuser.S arch/ia64/include/asm/processor.h arch/x86/kvm/lapic.c drivers/isdn/isdnloop/isdnloop.c include/linux/random.h include/linux/sched.h kernel/ptrace.c lib/random32.c commit 
633e6b5550a806435021b29919c341e940a7a035 Merge: cc54d65 260716c Author: Brad Spengler <spender@grsecurity.net> Date: Sun Jan 5 12:29:48 2014 -0500 Update to pax-linux-3.2.4-test131.patch Merge branch 'linux-3.2.y' into pax-stable2 Conflicts: arch/x86/boot/Makefile kernel/trace/ftrace.c net/compat.c net/socket.c commit caf7b9fdeebd673bbabff35ad80cd224e1a69f8e Author: Brad Spengler <spender@grsecurity.net> Date: Thu Dec 26 19:20:26 2013 -0500 add missing #include grsecurity/grsec_mount.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit be0a834a86d6537c9765f02d439d06b54b89b7ce Author: Brad Spengler <spender@grsecurity.net> Date: Thu Dec 26 15:51:51 2013 -0500 Update config help to reflect requirements for proper security, similar to what we mention for GRKERNSEC_KMEM or GRKERNSEC_HIDESYM grsecurity/Kconfig | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit d2f83733f77ca492032bde4546d37227fad5b14b Author: Brad Spengler <spender@grsecurity.net> Date: Thu Dec 26 15:35:31 2013 -0500 Whenever we perform checks against block devices we should also test for raw character devices provided by CONFIG_RAW_DRIVER. Unlike other OSes, Linux's raw device support has been obsoleted many years ago and is unlikely to be present in a given kernel config (modulo an allyesconfig). grsecurity/gracl.c | 2 +- grsecurity/grsec_mount.c | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) commit 8b2adc3db34a65c9d08847d8eeefec806d43f97d Author: Brad Spengler <spender@grsecurity.net> Date: Wed Dec 25 16:37:02 2013 -0500 Add some of the more obscure, config-dependent kernel modification defenses to GRKERNSEC_KMEM, to be split out into a separate option if this causes any compatibility problems. 
From Matthew Garrett: https://lkml.org/lkml/2013/9/9/532 Also make make hibernation depend on !PAX_MEMORY_SANITIZE and not the other way around (to produce more secure settings when distro configs are used as a base) drivers/acpi/custom_method.c | 4 ++++ drivers/pci/pci-sysfs.c | 12 ++++++++++++ drivers/pci/proc.c | 12 ++++++++++++ drivers/pci/syscall.c | 4 ++++ drivers/platform/x86/asus-wmi.c | 12 ++++++++++++ kernel/power/Kconfig | 2 ++ security/Kconfig | 1 - 7 files changed, 46 insertions(+), 1 deletions(-) commit 4a06a3f6f69a4cc4b3de858c26024c16f4ad9c23 Author: Oleg Nesterov <oleg@redhat.com> Date: Mon Dec 23 17:45:01 2013 -0500 Upstream commit: c0c1439541f5305b57a83d599af32b74182933fe selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock() selinux_setprocattr() does ptrace_parent(p) under task_lock(p), but task_struct->alloc_lock doesn't pin ->parent or ->ptrace, this looks confusing and triggers the "suspicious RCU usage" warning because ptrace_parent() does rcu_dereference_check(). And in theory this is wrong, spin_lock()->preempt_disable() doesn't necessarily imply rcu_read_lock() we need to access the ->parent. Reported-by: Evan McNabb <emcnabb@redhat.com> Signed-off-by: Oleg Nesterov <oleg@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com> security/selinux/hooks.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 37b546741a7d559c8e27814b6254dd4748a6824f Author: Chad Hanson <chanson@trustedcs.com> Date: Mon Dec 23 17:45:01 2013 -0500 Upstream commit: 46d01d63221c3508421dd72ff9c879f61053cffc selinux: fix broken peer recv check Fix a broken networking check. Return an error if peer recv fails. If secmark is active and the packet recv succeeds the peer recv error is ignored. 
Signed-off-by: Chad Hanson <chanson@trustedcs.com> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com> security/selinux/hooks.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit a5e2af896b4a8817e37cb71c83c1652e7650b4a9 Author: Jianguo Wu <wujianguo@huawei.com> Date: Wed Dec 18 17:08:59 2013 -0800 Upstream commit: 98398c32f6687ee1e1f3ae084effb4b75adb0747 mm/hugetlb: check for pte NULL pointer in __page_check_address() In __page_check_address(), if address's pud is not present, huge_pte_offset() will return NULL, we should check the return value. Signed-off-by: Jianguo Wu <wujianguo@huawei.com> Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com> Cc: Mel Gorman <mgorman@suse.de> Cc: qiuxishi <qiuxishi@huawei.com> Cc: Hanjun Guo <guohanjun@huawei.com> Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Conflicts: mm/rmap.c mm/rmap.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 8b11198e4d492f6a0b8da7e4352391ddfa9216d7 Author: Daniel Borkmann <dborkman@redhat.com> Date: Tue Dec 17 00:38:39 2013 +0100 Upstream commit: b1aac815c0891fe4a55a6b0b715910142227700f net: inet_diag: zero out uninitialized idiag_{src,dst} fields Jakub reported while working with nlmon netlink sniffer that parts of the inet_diag_sockid are not initialized when r->idiag_family != AF_INET6. That is, fields of r->id.idiag_src[1 ... 3], r->id.idiag_dst[1 ... 3]. In fact, it seems that we can leak 6 * sizeof(u32) byte of kernel [slab] memory through this. At least, in udp_dump_one(), we allocate a skb in ... rep = nlmsg_new(sizeof(struct inet_diag_msg) + ..., GFP_KERNEL); ... 
and then pass that to inet_sk_diag_fill() that puts the whole struct inet_diag_msg into the skb, where we only fill out r->id.idiag_src[0], r->id.idiag_dst[0] and leave the rest untouched: r->id.idiag_src[0] = inet->inet_rcv_saddr; r->id.idiag_dst[0] = inet->inet_daddr; struct inet_diag_msg embeds struct inet_diag_sockid that is correctly / fully filled out in IPv6 case, but for IPv4 not. So just zero them out by using plain memset (for this little amount of bytes it's probably not worth the extra check for idiag_family == AF_INET). Similarly, fix also other places where we fill that out. Reported-by: Jakub Zawadzki <darkjames-ws@darkjames.pl> Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Conflicts: net/ipv4/inet_diag.c Conflicts: net/ipv4/inet_diag.c net/ipv4/inet_diag.c | 15 +++++++++++++++ 1 files changed, 15 insertions(+), 0 deletions(-) commit 366e01844ca2caf68345eaaf5f70ba5a8621928a Author: Wenliang Fan <fanwlexca@gmail.com> Date: Tue Dec 17 11:25:28 2013 +0800 Upstream commit: e9db5c21d3646a6454fcd04938dd215ac3ab620a drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl() The local variable 'bi' comes from userspace. If userspace passed a large number to 'bi.data.calibrate', there would be an integer overflow in the following line: s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; Signed-off-by: Wenliang Fan <fanwlexca@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> drivers/net/hamradio/hdlcdrv.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 873c7a6b4bb04970de0b4eabcae099d2809eb4d7 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Dec 25 15:03:13 2013 -0500 Add RBAC mediation of *removexattr(), as this has security implications in the case of PaX with softmode enabled or the rare case of RBAC+SELinux use. 
Conflicts: fs/xattr.c fs/xattr.c | 19 +++++++++++-------- grsecurity/gracl_fs.c | 6 ++++++ grsecurity/grsec_disabled.c | 6 ++++++ include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 2 ++ 5 files changed, 27 insertions(+), 9 deletions(-) commit 88fe8224029ead97ec2a16caaa5ee5b89130cfa9 Merge: cd84f8c cc54d65 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Dec 19 17:19:13 2013 -0500 Merge branch 'pax-stable2' into grsec-stable2 commit cc54d65662807e8a22b45724e337e93169649ef6 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Dec 19 17:18:26 2013 -0500 Update to pax-linux-3.2.53-test131.patch: - fixed some more size overflow reports - gratuitous int/uint conversion in expand_files and expand_fdtable, reported by wizeman (http://forums.grsecurity.net/viewtopic.php?f=3&t=3898) - better fix for the gcc induced intentional overflow in usbdev_read - updated hash table from spender arch/x86/include/asm/atomic.h | 4 ++-- arch/x86/include/asm/atomic64_32.h | 2 +- arch/x86/include/asm/atomic64_64.h | 2 +- drivers/usb/core/devio.c | 2 +- fs/file.c | 4 ++-- include/asm-generic/atomic-long.h | 2 +- include/linux/fdtable.h | 2 +- tools/gcc/size_overflow_hash.data | 16 ++++++++++++++-- 8 files changed, 23 insertions(+), 11 deletions(-) commit cd84f8c580fc31535dcabea0ba8b562697a43d6e Merge: 33d1bff 9c07653 Author: Brad Spengler <spender@grsecurity.net> Date: Sun Dec 15 11:58:18 2013 -0500 Merge branch 'pax-stable2' into grsec-stable2 commit 9c07653f39572a5fc12e025a8ae170a9d0fe3b18 Author: Brad Spengler <spender@grsecurity.net> Date: Sun Dec 15 11:58:01 2013 -0500 compile fix arch/x86/kernel/entry_64.S | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 33d1bff83bef36441aac0cfd8a6b409d71f0d876 Author: Brad Spengler <spender@grsecurity.net> Date: Sun Dec 15 10:54:40 2013 -0500 Backport upstream commit: http://lkml.indiana.edu/hypermail/linux/kernel/1312.1/04774.html This overflow is harmless except to think about, but it's best to fix it. 
If userspace does a giant read from /dev/urandom, bigger than INT_MAX, then that size gets passed straight through extract_entropy_user and xfer_secondary_pool to _xfer_secondary_pool as nbytes, and we would store it into bytes, which is an int. The result could be negative. The consequence is pretty small -- we would pull only the minimum amount of entropy, rather than as much as we could up to the size of the output pool, and this is urandom so that's fine. But the code is a little easier to read if we make it clear that overflow isn't an issue. Also we might be less likely to make mistakes like the one fixed in the previous commit. As a bonus, give a name to the minimum number of bytes to pull, which we use twice. Signed-off-by: Greg Price <price@xxxxxxx> drivers/char/random.c | 11 +++++------ 1 files changed, 5 insertions(+), 6 deletions(-) commit 092cfa5d608aff41b9db65f39404a21bb864f86e Author: Brad Spengler <spender@grsecurity.net> Date: Sun Dec 15 10:49:31 2013 -0500 Backport of commit: http://lkml.indiana.edu/hypermail/linux/kernel/1312.1/04773.html Negative numbers and size_t don't mix. When the total entropy available was less than 'reserved', we would fail to enforce any limit at all. Fix that. We never care how negative have_bytes - reserved is, so just flatten it to zero if negative. This behavior entered in 987cd8c30 "random: simplify accounting code" a few commits ago. Before that, for a long time we would compare have_bytes - reserved (or equivalent) to ibytes or store it into ibytes, but only inside a condition that guaranteed it wasn't negative. 
Signed-off-by: Greg Price <price@xxxxxxx> --- drivers/char/random.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) drivers/char/random.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b75e5e057346017f9a71f63fcc4d8f7bda13567b Merge: f3e7ef6 33db4e5 Author: Brad Spengler <spender@grsecurity.net> Date: Sun Dec 15 10:46:17 2013 -0500 Merge branch 'pax-stable2' into grsec-stable2 Conflicts: include/linux/random.h commit 33db4e57263f16ed44ff12c370b1a1a0c97cfd6e Author: Brad Spengler <spender@grsecurity.net> Date: Sun Dec 15 10:44:24 2013 -0500 Update to pax-linux-3.2.53-test130.patch: - Emese fixed a bug in the size overflow plugin resulting in false positives on downcasts from 64 bit variables on i386, reported by Huub Reuver - added a bit more amd64 kernel page table hardening - fixed bad interactions between the KERNEXEC plugin and some gcc features, reported by Amadeusz SÅ‚awiÅ„ski (https://bugs.gentoo.org/show_bug.cgi?id=487938) - the mask register has been changed from r10 (used by DRAP) to r12 - all kernel entry points now allocate a full pt_regs area (it required some non-trivial surgery, some fallout is possible) - fixed 32 bit apps executing certain 64 bit ones, reported by Ronny Meeus - updated size oveflow plugin from Emese, fixes some false positives reported by Tim Harman and Huub Reuver arch/x86/crypto/aes-x86_64-asm_64.S | 2 +- arch/x86/crypto/aesni-intel_asm.S | 124 +++++++------- arch/x86/crypto/blowfish-x86_64-asm_64.S | 12 +- arch/x86/crypto/salsa20-x86_64-asm_64.S | 2 +- arch/x86/crypto/sha1_ssse3_asm.S | 10 +- arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 6 +- arch/x86/crypto/twofish-x86_64-asm_64.S | 4 +- arch/x86/ia32/ia32entry.S | 16 +- arch/x86/include/asm/alternative-asm.h | 6 +- arch/x86/include/asm/atomic64_32.h | 2 +- arch/x86/include/asm/atomic64_64.h | 2 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/calling.h | 118 +++++++------ arch/x86/include/asm/ptrace-abi.h | 1 - arch/x86/kernel/entry_64.S | 71 
++++---- arch/x86/kernel/head_64.S | 18 ++- arch/x86/lib/copy_page_64.S | 20 +- arch/x86/lib/copy_user_64.S | 8 +- arch/x86/lib/copy_user_nocache_64.S | 8 +- arch/x86/lib/csum-copy_64.S | 18 +- arch/x86/lib/memcpy_64.S | 12 +- arch/x86/lib/memmove_64.S | 32 ++-- arch/x86/lib/memset_64.S | 4 +- arch/x86/lib/msr-reg.S | 16 +- arch/x86/lib/thunk_64.S | 10 +- arch/x86/mm/gup.c | 4 + drivers/usb/core/devio.c | 6 +- fs/binfmt_elf.c | 17 +- fs/cifs/file.c | 10 +- include/asm-generic/bitops/__fls.h | 2 +- include/asm-generic/bitops/fls.h | 2 +- include/asm-generic/bitops/fls64.h | 4 +- include/linux/bitops.h | 2 +- include/linux/random.h | 6 +- include/linux/vmstat.h | 4 +- tools/gcc/kernexec_plugin.c | 29 ++-- tools/gcc/size_overflow_hash.data | 7 - tools/gcc/size_overflow_plugin.c | 239 ++++++++++++++++++-------- 38 files changed, 484 insertions(+), 374 deletions(-) commit f3e7ef6cc6db1ee01870db9006caa48d8989fd26 Author: Brad Spengler <spender@grsecurity.net> Date: Fri Dec 13 21:41:46 2013 -0500 fix typo in backport arch/x86/kvm/lapic.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit ff05ea76cb5dac2a76cc53a6be2e438f293d183d Author: Andy Honig <ahonig@google.com> Date: Tue Nov 19 14:12:18 2013 -0800 Upstream commit: b963a22e6d1a266a67e9eecc88134713fd54775c KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) Under guest controllable circumstances apic_get_tmcct will execute a divide by zero and cause a crash. If the guest cpuid support tsc deadline timers and performs the following sequence of requests the host will crash. - Set the mode to periodic - Set the TMICT to 0 - Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline) - Set the TMICT to non-zero. Then the lapic_timer.period will be 0, but the TMICT will not be. If the guest then reads from the TMCCT then the host will perform a divide by 0. This patch ensures that if the lapic_timer.period is 0, then the division does not occur. 
Reported-by: Andrew Honig <ahonig@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Conflicts:
arch/x86/kvm/lapic.c

arch/x86/kvm/lapic.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

commit c762a14fdf5622d16bf1c63d4f4fc69f64761daa
Author: Andy Honig <ahonig@google.com>
Date: Mon Nov 18 16:09:22 2013 -0800

Upstream commit: 338c7dbadd2671189cec7faf64c84d01071b3f96

KVM: Improve create VCPU parameter (CVE-2013-4587)

In multiple functions the vcpu_id is used as an offset into a bitfield. A malicious user could specify a vcpu_id greater than 255 in order to set or clear bits in kernel memory. This could be used to elevate privileges in the kernel.

This patch verifies that the vcpu_id provided is less than 255. The api documentation already specifies that the vcpu_id must be less than max_vcpus, but this is currently not checked.

Reported-by: Andrew Honig <ahonig@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

virt/kvm/kvm_main.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

commit 1e61a4a03c7b68ca586c8df560c5d17c0683d549
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Thu Dec 12 09:38:42 2013 -0800

Upstream commit: f12d5bfceb7e1f9051563381ec047f7f13956c3c

futex: fix handling of read-only-mapped hugepages

The hugepage code had the exact same bug that regular pages had in commit 7485d0d3758e ("futexes: Remove rw parameter from get_futex_key()").

The regular page case was fixed by commit 9ea71503a8ed ("futex: Fix regression with read only mappings"), but the transparent hugepage case (added in a5b338f2b0b1: "thp: update futex compound knowledge") case remained broken.

Found by Dave Jones and his trinity tool.
Reported-and-tested-by: Dave Jones <davej@fedoraproject.org>
Cc: stable@kernel.org # v2.6.38+
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Darren Hart <dvhart@linux.intel.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

kernel/futex.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 8076aceaa44345fb14ba048e4c51a4dd976ed92a
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Dec 13 19:39:54 2013 -0500

Fix a use-after-free on fakefs_obj_rw/fakefs_obj_rwx introduced by the recent atomic reload improvement. These two objects are used only for "files" private to the kernel which don't exist on any mounted filesystem and have no visible path. Only the mode field of these objects is ever used, and we would never attempt to free these objects a second time (due to their being allocated into the memory manager associated with the initial policy). In practice this causes bogus auditing messages for / and could potentially cause a subject without executable shared memory support to permit executable shared memory (if PaX is disabled on the binary). Instead just allocate these two special objects with kzalloc at enable time and free them at disable time.

Thanks to nyt@countercultured.net for the report

grsecurity/gracl_policy.c | 9 +++++++--
1 files changed, 7 insertions(+), 2 deletions(-)

commit dacca7ad7b3303ae2ec9c85c60d10c9a8e4bdc0a
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Dec 13 20:34:22 2013 -0500

Convert wholesale to the random driver from 3.13. As GRKERNSEC_RANDNET uses one of the commented polynomials from the random TGFSR code, it likely needs to be fixed to use a primitive and irreducible polynomial as the uncommented polynomials were (see: http://eprint.iacr.org/2012/251.pdf).
Though this results in a smaller maximal period for the input entropy pool, this period is still much larger than the default kernel's period. It's thus not security-relevant, but will be fixed in a later update.

drivers/char/random.c | 805 ++++++++++++++++++++++++-----------------
include/linux/random.h | 19 +-
include/trace/events/random.h | 315 ++++++++++++++++
lib/random32.c | 313 ++++++++++++++--
4 files changed, 1087 insertions(+), 365 deletions(-)

commit 27afcd4f45384f64e4ac27acd6756cc2633f88fd
Author: Theodore Ts'o <tytso@mit.edu>
Date: Sat Jul 14 20:27:52 2012 -0400

Upstream commit: c5857ccf293968348e5eb4ebedc68074de3dcda6

random: remove rand_initialize_irq()

With the new interrupt sampling system, we are no longer using the timer_rand_state structure in the irq descriptor, so we can stop initializing it now.

[ Merged in fixes from Sedat to find some last missing references to rand_initialize_irq() ]

Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Sedat Dilek <sedat.dilek@gmail.com>

arch/ia64/kernel/irq_ia64.c | 1 -
drivers/char/random.c | 55 -------------------------------------------
drivers/mfd/ab3100-core.c | 3 --
include/linux/irqdesc.h | 1 -
include/linux/random.h | 2 -
kernel/irq/manage.c | 17 -------------
6 files changed, 0 insertions(+), 79 deletions(-)

commit 3d9774a245d90548a252969abcf77d662ca2b494
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Mon Nov 11 12:20:32 2013 +0100

Upstream commit: d8b3693c2e8727131f4bc0c2b6000e7f563064fb

random32: fix off-by-one in seeding requirement

[ Upstream commit 51c37a70aaa3f95773af560e6db3073520513912 ]

For properly initialising the Tausworthe generator [1], we have a strict seeding requirement, that is, s1 > 1, s2 > 7, s3 > 15.

Commit 697f8d0348 ("random32: seeding improvement") introduced a __seed() function that imposes boundary checks proposed by the errata paper [2] to properly ensure above conditions.

However, we're off by one, as the function is implemented as: "return (x < m) ? x + m : x;", and called with __seed(X, 1), __seed(X, 7), __seed(X, 15). Thus, an unwanted seed of 1, 7, 15 would be possible, whereas the lower boundary should actually be of at least 2, 8, 16, just as GSL does.

Fix this, as otherwise an initialization with an unwanted seed could have the effect that Tausworthe's PRNG properties cannot be ensured.

Note that this PRNG is *not* used for cryptography in the kernel.

[1] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme.ps
[2] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme2.ps

Joint work with Hannes Frederic Sowa.

Fixes: 697f8d0348a6 ("random32: seeding improvement")
Cc: Stephen Hemminger <stephen@networkplumber.org>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

include/linux/random.h | 6 +++---
lib/random32.c | 14 +++++++-------
2 files changed, 10 insertions(+), 10 deletions(-)

commit 7717d878dd8db4b2a7217c1f5c1c990159bf4b00
Author: Akinobu Mita <akinobu.mita@gmail.com>
Date: Mon Dec 17 16:04:25 2012 -0800

Upstream commit: 6582c665d6b882dad8329e05749fbcf119f1ab88

prandom: introduce prandom_bytes() and prandom_bytes_state()

Add functions to get the requested number of pseudo-random bytes.

The difference from get_random_bytes() is that it generates pseudo-random numbers by prandom_u32(). It doesn't consume the entropy pool, and the sequence is reproducible if the same rnd_state is used. So it is suitable for generating random bytes for testing.
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Cc: "Theodore Ts'o" <tytso@mit.edu>
Cc: Artem Bityutskiy <dedekind1@gmail.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Eilon Greenstein <eilong@broadcom.com>
Cc: David Laight <david.laight@aculab.com>
Cc: Michel Lespinasse <walken@google.com>
Cc: Robert Love <robert.w.love@intel.com>
Cc: Valdis Kletnieks <valdis.kletnieks@vt.edu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

include/linux/random.h | 2 +
lib/random32.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 51 insertions(+), 0 deletions(-)

commit d431aa89213f6e692a1cf39b5d288115775c84ed
Author: Akinobu Mita <akinobu.mita@gmail.com>
Date: Mon Dec 17 16:04:23 2012 -0800

Upstream commit: 496f2f93b1cc286f5a4f4f9acdc1e5314978683f

random32: rename random32 to prandom

This renames all random32 functions to have 'prandom_' prefix as follows:

void prandom_seed(u32 seed); /* rename from srandom32() */
u32 prandom_u32(void); /* rename from random32() */
void prandom_seed_state(struct rnd_state *state, u64 seed); /* rename from prandom32_seed() */
u32 prandom_u32_state(struct rnd_state *state); /* rename from prandom32() */

The purpose of this renaming is to prevent some kernel developers from assuming that prandom32() and random32() might imply that only prandom32() was the one using a pseudo-random number generator by prandom32's "p", and the result may be a very embarrassing security exposure. This concern was expressed by Theodore Ts'o.

And furthermore, I'm going to introduce new functions for getting the requested number of pseudo-random bytes. If I continue to use both prandom32 and random32 prefixes for these functions, the confusion is getting worse.

As a result of this renaming, "prandom_" is the common prefix for pseudo-random number library.
Currently, srandom32() and random32() are preserved because it is difficult to rename too many users at once.

Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Cc: "Theodore Ts'o" <tytso@mit.edu>
Cc: Robert Love <robert.w.love@intel.com>
Cc: Michel Lespinasse <walken@google.com>
Cc: Valdis Kletnieks <valdis.kletnieks@vt.edu>
Cc: David Laight <david.laight@aculab.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Artem Bityutskiy <dedekind1@gmail.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Conflicts:
lib/interval_tree_test_main.c
lib/rbtree_test.c

drivers/scsi/fcoe/fcoe_ctlr.c | 4 +-
include/linux/random.h | 17 +++++++++----
lib/random32.c | 48 ++++++++++++++++++------------------
tools/gcc/size_overflow_hash.data | 1 -
4 files changed, 38 insertions(+), 32 deletions(-)

commit a892fe4f0743f54cf9358b1933119d54c0cb2411
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed Nov 27 15:40:21 2013 +0300

net: clamp ->msg_namelen instead of returning an error

[ Upstream commit db31c55a6fb245fdbb752a2ca4aefec89afabb06 ]

If kmsg->msg_namelen > sizeof(struct sockaddr_storage) then in the original code that would lead to memory corruption in the kernel if you had audit configured. If you didn't have audit configured it was harmless.

There are some programs such as beta versions of Ruby which use too large of a buffer and returning an error code breaks them. We should clamp the ->msg_namelen value instead.

Fixes: 1661bf364ae9 ("net: heap overflow in __audit_sockaddr()")
Reported-by: Eric Wong <normalperson@yhbt.net>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Tested-by: Eric Wong <normalperson@yhbt.net>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Conflicts:
net/compat.c

net/compat.c | 2 +-
net/socket.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

commit 80dedee580d6c2d163fc9f746f367009dcb2c863
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Dec 8 16:12:01 2013 -0500

Backport of:

If we allocate less than sizeof(struct attrlist) then we end up corrupting memory or doing a ZERO_PTR_SIZE dereference.

This can only be triggered with CAP_SYS_ADMIN.

Reported-by: Nico Golde <nico@xxxxxxxxx>
Reported-by: Fabian Yamaguchi <fabs@xxxxxxxxx>
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

fs/xfs/xfs_ioctl.c | 3 ++-
fs/xfs/xfs_ioctl32.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)

commit e4e1c22256b81ead2e3c4a43c2c9910ab21e9895
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed Oct 30 20:12:51 2013 +0300

Upstream commit: a497e47d4aec37aaf8f13509f3ef3d1f6a717d88

libertas: potential oops in debugfs

If we do a zero size allocation then it will oops. Also we can't be sure the user passes us a NUL terminated string so I've added a terminator.

This code can only be triggered by root.

Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

drivers/net/wireless/libertas/debugfs.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)

commit 90d2846d83850ce24d151b58fb82216e8809e2e3
Author: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
Date: Thu Oct 31 14:01:02 2013 +0530

Upstream commit: b4789b8e6be3151a955ade74872822f30e8cd914

aacraid: prevent invalid pointer dereference

It appears that driver runs into a problem here if fibsize is too small because we allocate user_srbcmd with fibsize size only but later we access it until user_srbcmd->sg.count to copy it over to srbcmd.
It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this structure already includes one sg element and this is not needed for commands without data. So, we would recommend to add the following (instead of test for fibsize == 0).

Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

drivers/scsi/aacraid/commctrl.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

commit 8716499e83d7633f218949eb4cf902f0bcfded0a
Author: Ursula Braun <ursula.braun@de.ibm.com>
Date: Wed Nov 6 09:04:52 2013 +0100

Upstream commit: 6fb392b1a63ae36c31f62bc3fc8630b49d602b62

qeth: avoid buffer overflow in snmp ioctl

Check user-defined length in snmp ioctl request and allow request only if it fits into a qeth command buffer.

Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
Reviewed-by: Heiko Carstens <heicars2@linux.vnet.ibm.com>
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

drivers/s390/net/qeth_core_main.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)

commit 37d835c576744e5e4e27a1f13e7f7f1853e65758
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Mon Dec 2 11:50:37 2013 -0800

Upstream commit: b65502879556d041b45104c6a35abbbba28c8f2d

uio: we cannot mmap unaligned page contents

In commit 7314e613d5ff ("Fix a few incorrectly checked [io_]remap_pfn_range() calls") the uio driver started more properly checking the passed-in user mapping arguments against the size of the actual uio driver data.

That in turn exposed that some driver authors apparently didn't realize that mmap can only work on a page granularity, and had tried to use it with smaller mappings, with the new size check catching that out.
So since it's not just the user mmap() arguments that can be confused, make the uio mmap code also verify that the uio driver has the memory allocated at page boundaries in order for mmap to work. If the device memory isn't properly aligned, we return

[ENODEV] The fildes argument refers to a file whose type is not supported by mmap().

as per the open group documentation on mmap.

Reported-by: Holger Brunck <holger.brunck@keymile.com>
Acked-by: Greg KH <gregkh@linuxfoundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

drivers/uio/uio.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

commit e623ce4afbdb00565321a7f2f8603e79f4fcc9f6
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Dec 4 17:51:53 2013 -0500

Backport upstream commit d049f74f2dbe71354d43d393ac3a188947811348

We were using SUID_DUMPABLE_*, so remove the one occurrence of SUID_DUMP_USER and replace it with the appropriate enum

arch/ia64/include/asm/processor.h | 2 +-
fs/exec.c | 2 +-
grsecurity/grsec_sig.c | 5 +++--
include/linux/binfmts.h | 3 ---
kernel/ptrace.c | 2 +-
5 files changed, 6 insertions(+), 8 deletions(-)

commit 520565f1644600041be905dacbf1188bd3875a6b
Merge: fb614dc 3e2e783
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Dec 2 17:26:15 2013 -0500

Merge branch 'pax-stable2' into grsec-stable2

commit 3e2e78377a049faeac2dab06f889c8024fc5e08e
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Dec 2 17:22:13 2013 -0500

Update to pax-linux-3.2.53-test128.patch:
- worked around a false positive int truncation in xlog_grant_push_ail, reported by jorgus (http://forums.grsecurity.net/viewtopic.php?f=3&t=3885)

This caused filesystem corruption in the reported XFS case, problem introduced with Nov 24th patch (IPA-based size overflow plugin)

arch/x86/include/asm/atomic64_32.h | 2 +-
arch/x86/include/asm/atomic64_64.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

commit fb614dcdf2655b2a2b286a4744a9959bfa342833
Merge: 59d80a9 6b0b183
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Nov 30 10:54:27 2013 -0500

Should have been many more security backports in 3.2.53, but that's the expected results of upstream's silent fix policy and why I do my own independent backports

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
drivers/connector/cn_proc.c
^ whitespace
drivers/staging/wlags49_h2/wl_priv.c
^ Ben's version is whitespace-broken from copy+paste
fs/ecryptfs/keystore.c
^ no need to check for non-null before a kfree, kept my version

commit 6b0b1836bfbfce7fb3c4c381aa68923a47920725
Merge: 501523e 66c8d27
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Nov 30 10:49:59 2013 -0500

Update to pax-linux-3.2.53-test127.patch:
- forward port to 3.2.53
- added some missing entries to the size overflow hash table
- fixed a false positive intentional overflow in count_history_pages, reported by Olivier Mauras

Merge branch 'linux-3.2.y' into pax-stable2

Conflicts:
net/compat.c

commit 59d80a9950846c7b3f67a5deb98d2eb1d063f3e6
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Nov 26 15:16:48 2013 -0500

Fix null deref on application of the shutdown role, reported by zakalwe

Conflicts:
grsecurity/gracl_policy.c

grsecurity/gracl.c | 58 ++++++++++++++++++++++++++++++++++++++++++++-
grsecurity/gracl_policy.c | 58 ++++-----------------------------------------
2 files changed, 62 insertions(+), 54 deletions(-)

commit aca6ec1a3fa4e812a225e08748ee408cd6a5476e
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Nov 26 13:04:07 2013 -0500

Add system library paths to allowed areas for usermode helper calls, later we will also add checks to ensure the file is owned by root

kernel/kmod.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)

commit bf8a8329b446e9d1541b3d19e5e3cd0e04a3846f
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Nov 26 12:59:00 2013 -0500

Fix gr_policy_state -> gr_reload_state typo that clobbered the oldalloc pointer causing a NULL deref on RBAC reload, reported by zakalwe

grsecurity/gracl_policy.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 31d3745f06548847d88e8a87bb63fbb00a950a3d
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Nov 25 12:01:21 2013 -0500

Conventions exist for a reason -- systemd knows better though and decides to put security-sensitive system administration utilities into /usr/lib/systemd in contrast to *every* other user of usermode helpers. Work around this stupidity

kernel/kmod.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

commit c908d26d687adb2c69c594ed7f3545a310610668
Merge: 4f48151 501523e
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Nov 24 19:59:24 2013 -0500

Merge branch 'pax-stable2' into grsec-stable2

commit 501523e239e8fb85aa9fcb3e69205c3436c6f72b
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Nov 24 19:58:28 2013 -0500

Update to pax-linux-3.2.52-test126.patch:
- new rewritten size overflow plugin from Emese Revfy
- internally reorganized based on interprocedural analysis
- bugfixes resulting in better coverage (expect more false positives initially)
- fixed some calloc calls with swapped arguments
- fixed a KERNEXEC open/close nesting problem in ftrace
- fixed a gcc-4.6 crash caused by a recent change in the latent entropy plugin, reported by Marko Randjelovic and mckinney (http://forums.grsecurity.net/viewtopic.php?f=3&t=3878)

arch/x86/Makefile | 3 +-
arch/x86/include/asm/bitops.h | 4 +-
arch/x86/include/asm/processor.h | 4 +-
arch/x86/include/asm/uaccess_32.h | 10 +-
arch/x86/include/asm/uaccess_64.h | 8 +-
arch/x86/include/asm/xen/page.h | 2 +-
arch/x86/kernel/ftrace.c | 2 -
arch/x86/kernel/kdebugfs.c | 2 +-
arch/x86/kernel/module.c | 1 -
arch/x86/lib/usercopy_32.c | 6 +-
arch/x86/xen/mmu.c | 2 +-
block/scsi_ioctl.c | 2 +-
drivers/i2c/busses/i2c-diolan-u2c.c | 2 +-
drivers/infiniband/hw/mthca/mthca_cmd.c | 6 +-
drivers/infiniband/hw/mthca/mthca_main.c | 2 +-
drivers/infiniband/hw/mthca/mthca_mr.c | 4 +-
drivers/infiniband/hw/mthca/mthca_provider.c | 2 +-
drivers/isdn/mISDN/dsp_cmx.c | 2 +-
drivers/media/video/saa7164/saa7164-encoder.c | 2 -
drivers/media/video/saa7164/saa7164-vbi.c | 2 -
drivers/usb/core/message.c | 4 +-
fs/ext2/xattr.c | 5 +-
fs/ext3/xattr.c | 5 +-
fs/ext4/xattr.c | 5 +-
fs/seq_file.c | 2 +-
fs/ufs/swab.h | 2 +-
include/linux/bitops.h | 4 +-
include/linux/completion.h | 4 +-
include/linux/jiffies.h | 6 +-
include/linux/math64.h | 4 +-
include/linux/mm.h | 2 +-
include/linux/semaphore.h | 2 +-
include/linux/slab.h | 4 +-
include/linux/slab_def.h | 4 +-
include/linux/slob_def.h | 4 +-
include/linux/slub_def.h | 7 +-
include/linux/uaccess.h | 2 +-
include/linux/vmalloc.h | 4 +-
kernel/auditsc.c | 2 +-
kernel/time.c | 2 +-
mm/vmalloc.c | 2 +-
net/ipv4/tcp_output.c | 2 +-
net/rxrpc/ar-key.c | 4 +-
net/sunrpc/svcauth_unix.c | 2 +-
tools/gcc/size_overflow_hash.data | 3125 +++++++++++++++++--------
tools/gcc/size_overflow_plugin.c | 2983 +++++++++++++++++++-----
46 files changed, 4594 insertions(+), 1666 deletions(-)

commit 4f48151d49f2697c3e2e108a50513a8d61fb150d
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Nov 24 17:47:14 2013 -0500

Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous features have been added since then)

Introduce new atomic RBAC reload method, developed as part of sponsorship by EIG

This is accompanied by an updated 3.0 gradm which will use the new reload method when -R is passed to gradm. The old method will still be available via gradm -r (which is what a 2.9.1 gradm will continue to use).

The new RBAC reload method is atomic in the sense that at no point in the reload process will the system not be covered by a coherent full policy. In contrast to previous reload behavior, it also preserves inherited subjects and special roles.

The old RBAC reload method has also been made atomic.
Both methods have been updated to perform role_allowed_ip checks only against the IP tagged to the task at the time its role was first applied or changed. This resolves long-standing usability problems with the use of role_allowed_ip and matches the policies created by learning.

grsecurity/Makefile | 2 +-
grsecurity/gracl.c | 3792 +++++++++++++------------------------------
grsecurity/gracl_alloc.c | 42 +-
grsecurity/gracl_compat.c | 3 +-
grsecurity/gracl_policy.c | 1824 +++++++++++++++++++++
grsecurity/gracl_segv.c | 12 +-
grsecurity/grsec_disabled.c | 7 -
grsecurity/grsec_init.c | 15 -
include/linux/gracl.h | 43 +-
include/linux/grinternal.h | 1 -
include/linux/grsecurity.h | 1 -
include/linux/sched.h | 3 +-
kernel/exit.c | 53 -
13 files changed, 3011 insertions(+), 2787 deletions(-)

commit 589fe82539886fa6f2502595ba494be7a66548bb
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Nov 23 18:27:37 2013 -0500

Make the recent usermode_helper protection race-free as far as userland is concerned by creating a copy of the path to be executed, then check against that copied path instead of the still-mutable original path

include/linux/kmod.h | 3 +++
kernel/kmod.c | 13 +++++++++++++
2 files changed, 16 insertions(+), 0 deletions(-)

commit 28fe486725b8fb447d81045930fa9ab8f183ac23
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Nov 23 16:56:46 2013 -0500

Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option. Also make sure we mark init as run if no initrd was used. Though this should already be enforced in grsec_chroot.c, this should future-proof the feature a bit in case userland somehow changes drastically.
grsecurity/Kconfig | 2 +-
grsecurity/grsec_chroot.c | 2 +-
init/main.c | 9 +++++++++
3 files changed, 11 insertions(+), 2 deletions(-)

commit e2821245fc6b55b9dcfaf59432695c3ed0324ca4
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Nov 23 16:33:20 2013 -0500

limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected

kernel/kmod.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)

commit 9545d5e41f06442704a6624f36cfcf50eb241891
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Nov 23 16:02:01 2013 -0500

perform USERCOPY kernel text checks against the linear mapping on amd64 as well

Conflicts:
fs/exec.c

fs/exec.c | 12 ++++++++++--
1 files changed, 10 insertions(+), 2 deletions(-)

commit 12ec6d9bab66c3b097214351b3af03db0cde4c80
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Nov 22 20:34:40 2013 -0500

Revert "Backport the not-marked-for-stable: bceaa90240b6019ed73b49965eac7d167610be69"

This reverts commit 2283514a75d7881b0e3617c126edb2717105f7fa.

net/ipv4/ping.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)

commit af830a028cf17bb1b884774436b756544950f0f3
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Nov 22 20:34:06 2013 -0500

Revert "Additional backports of: bceaa90240b6019ed73b49965eac7d167610be69"

This reverts commit 794e1b8f4fc2d5bf67dc5c677730b9e8d6d17603.

net/ipv4/raw.c | 4 +++-
net/ipv4/udp.c | 7 ++++++-
net/ipv6/raw.c | 4 +++-
net/ipv6/udp.c | 5 ++++-
net/l2tp/l2tp_ip.c | 4 +++-
net/phonet/datagram.c | 9 +++++----
6 files changed, 24 insertions(+), 9 deletions(-)

commit 3f4ccdc2c657e0c7fd09999c8f282519a549bff5
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Nov 18 22:45:12 2013 -0500

Revert "Upstream commit: b291f1b1c86aa0c7bc3df2994e6a1a4e53f1fde0"

This reverts commit 149ffec96673ad2a4d69959ccd675b8ff32bbfb4.
fs/nfs/nfs4proc.c | 5 ++---
1 files changed, 2 insertions(+), 3 deletions(-)

commit e8bba4f8ad2391ff3446fff477c361cb5c4fc274
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Nov 18 22:44:53 2013 -0500

Revert "Upstream commit: 4517d526c8aa31b5c14165ef180cc19518ff0a35"

This reverts commit a3b3e44eb097d1c12826c21d8867779d035da600.

include/linux/sunrpc/xdr.h | 1 -
net/sunrpc/xdr.c | 10 ----------
2 files changed, 0 insertions(+), 11 deletions(-)

commit d64ad90da6413a4793f37d4b1014e5692c3b8f62
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Nov 18 22:44:40 2013 -0500

Revert "Upstream commit: 5a00689930ab975fdd1b37b034475017e460cf2a"

This reverts commit 114bf830ab3dd9591edd67e99f6743d1c45e9016.

fs/nfs/nfs4xdr.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 21538eafee0399b190d46ab15231b20893710d02
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Nov 18 22:44:29 2013 -0500

Revert "NFSv4: Simplify the GETATTR attribute length calculation"

This reverts commit e9931dac69669549b1b7ec7dbdaf80173636b14f.

fs/nfs/nfs4xdr.c | 24 +++++++++++-------------
1 files changed, 11 insertions(+), 13 deletions(-)

commit 71873621f4553b3abca77db9d891b420599f21df
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Nov 18 22:44:17 2013 -0500

Revert "Avoid beyond bounds copy while caching ACL"

This reverts commit 79f9773e406c46d4c2673a2ebc70a82d05849777.

fs/nfs/nfs4xdr.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit b7fc2b5eef17e9cbf9ade546d5c45e4f8cc394c6
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Nov 18 22:44:03 2013 -0500

Revert "Upstream commit: 519d3959e30a98f8e135e7a16647c10af5ad63d5"

This reverts commit 5a5974678e1def63cbd534b70f37bf419f594f93.
fs/nfs/nfs4proc.c | 2 +-
fs/nfs/nfs4xdr.c | 22 +++++++++++++++-------
2 files changed, 16 insertions(+), 8 deletions(-)

commit 8e60ef3740f22ef2dd81b87c52d8141c8d2493b5
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Nov 18 22:43:52 2013 -0500

Revert "Upstream commit: cff298c721099c9ac4cea7196a37097ba2847946"

This reverts commit ee6b64d2aa63433f8aaf72471c9ac4ac9005248b.

fs/nfs/nfs4xdr.c | 11 +++++------
1 files changed, 5 insertions(+), 6 deletions(-)

commit aea93502024ada3682a91b924ff23c96f8e20bee
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Nov 18 22:43:42 2013 -0500

Revert "Upstream commit: 21f498c2f73bd6150d82931f09965826dca0b5f2"

This reverts commit 74cf9ab003176366d07b38cb43dcce6d91328cca.

fs/nfs/nfs4proc.c | 20 +++++++++-----------
1 files changed, 9 insertions(+), 11 deletions(-)

commit 7897110ca371a6775bfa6e65099d5b86ffe58eb5
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Nov 18 22:43:25 2013 -0500

Revert "Upstream commit: 1f1ea6c2d9d8c0be9ec56454b05315273b5de8ce"

This reverts commit 092fb39f0bf49bc33b866a3fbea6fe76b20f8697.

fs/nfs/nfs4proc.c | 31 +++++++++++++++++++------------
fs/nfs/nfs4xdr.c | 14 +++++++++-----
include/linux/nfs_xdr.h | 2 +-
3 files changed, 29 insertions(+), 18 deletions(-)

commit 54f8f36fb33ef37eee66fd18a7da7fbd124cf97a
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Nov 18 22:43:07 2013 -0500

Revert "Upstream commit: 7d3e91a89b7adbc2831334def9e494dd9892f9af"

This reverts commit 716314beb98602bd771199bf3b814f7be16a0e8f.
fs/nfs/nfs4proc.c | 7 +------
1 files changed, 1 insertions(+), 6 deletions(-)

commit 794e1b8f4fc2d5bf67dc5c677730b9e8d6d17603
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Mon Nov 18 04:20:45 2013 +0100

Additional backports of: bceaa90240b6019ed73b49965eac7d167610be69

inet: prevent leakage of uninitialized memory to user in recv syscalls

Only update *addr_len when we actually fill in sockaddr, otherwise we can return uninitialized memory from the stack to the caller in the recvfrom, recvmmsg and recvmsg syscalls. Drop the (addr_len == NULL) checks because we only get called with a valid addr_len pointer either from sock_common_recvmsg or inet_recvmsg.

If a blocking read waits on a socket which is concurrently shut down we now return zero and set msg_msgnamelen to 0.

Reported-by: mpb <mpb.mail@gmail.com>
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

Conflicts:
net/ieee802154/dgram.c
net/ipv4/ping.c
net/ipv6/raw.c
net/ipv6/udp.c

net/ipv4/raw.c | 4 +---
net/ipv4/udp.c | 7 +------
net/ipv6/raw.c | 4 +---
net/ipv6/udp.c | 5 +----
net/l2tp/l2tp_ip.c | 4 +---
net/phonet/datagram.c | 9 ++++-----
6 files changed, 9 insertions(+), 24 deletions(-)

commit 2283514a75d7881b0e3617c126edb2717105f7fa
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Nov 18 21:34:32 2013 -0500

Backport the not-marked-for-stable: bceaa90240b6019ed73b49965eac7d167610be69

net/ipv4/ping.c | 4 +---
1 files changed, 1 insertions(+), 3 deletions(-)

commit 716314beb98602bd771199bf3b814f7be16a0e8f
Author: Sven Wegener <sven.wegener@stealer.net>
Date: Sat Dec 8 15:30:18 2012 +0100

Upstream commit: 7d3e91a89b7adbc2831334def9e494dd9892f9af

NFSv4: Check for buffer length in __nfs4_get_acl_uncached

Commit 1f1ea6c "NFSv4: Fix buffer overflow checking in __nfs4_get_acl_uncached" accidentally dropped the checking for too small result buffer length.
If someone uses getxattr on "system.nfs4_acl" on an NFSv4 mount supporting ACLs, the ACL has not been cached and the buffer supplied is too short, we still copy the complete ACL, resulting in kernel and user space memory corruption.

Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
Cc: stable@kernel.org
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

fs/nfs/nfs4proc.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)

commit 092fb39f0bf49bc33b866a3fbea6fe76b20f8697
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date: Sun Aug 26 11:44:43 2012 -0700

Upstream commit: 1f1ea6c2d9d8c0be9ec56454b05315273b5de8ce

NFSv4: Fix buffer overflow checking in __nfs4_get_acl_uncached

Pass the checks made by decode_getacl back to __nfs4_get_acl_uncached so that it knows if the acl has been truncated.

The current overflow checking is broken, resulting in Oopses on user-triggered nfs4_getfacl calls, and is opaque to the point where several attempts at fixing it have failed.

This patch tries to clean up the code in addition to fixing the Oopses by ensuring that the overflow checks are performed in a single place (decode_getacl). If the overflow check failed, we will still be able to report the acl length, but at least we will no longer attempt to cache the acl or copy the truncated contents to user space.
Reported-by: Sachin Prabhu <sprabhu@redhat.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Tested-by: Sachin Prabhu <sprabhu@redhat.com> fs/nfs/nfs4proc.c | 31 ++++++++++++------------------- fs/nfs/nfs4xdr.c | 14 +++++--------- include/linux/nfs_xdr.h | 2 +- 3 files changed, 18 insertions(+), 29 deletions(-) commit 74cf9ab003176366d07b38cb43dcce6d91328cca Author: Trond Myklebust <Trond.Myklebust@netapp.com> Date: Fri Aug 24 10:59:25 2012 -0400 Upstream commit: 21f498c2f73bd6150d82931f09965826dca0b5f2 NFSv4: Fix range checking in __nfs4_get_acl_uncached and __nfs4_proc_set_acl Ensure that the user supplied buffer size doesn't cause us to overflow the 'pages' array. Also fix up some confusion between the use of PAGE_SIZE and PAGE_CACHE_SIZE when calculating buffer sizes. We're not using the page cache for anything here. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> fs/nfs/nfs4proc.c | 20 +++++++++++--------- 1 files changed, 11 insertions(+), 9 deletions(-) commit ee6b64d2aa63433f8aaf72471c9ac4ac9005248b Author: Trond Myklebust <Trond.Myklebust@netapp.com> Date: Tue Aug 14 17:14:17 2012 -0400 Upstream commit: cff298c721099c9ac4cea7196a37097ba2847946 NFSv4: Don't use private xdr_stream fields in decode_getacl Instead of using the private field xdr->p from struct xdr_stream, use the public xdr_stream_pos(). Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> fs/nfs/nfs4xdr.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit 5a5974678e1def63cbd534b70f37bf419f594f93 Author: Trond Myklebust <Trond.Myklebust@netapp.com> Date: Tue Aug 14 17:30:10 2012 -0400 Upstream commit: 519d3959e30a98f8e135e7a16647c10af5ad63d5 NFSv4: Fix pointer arithmetic in decode_getacl Resetting the cursor xdr->p to a previous value is not a safe practice: if the xdr_stream has crossed out of the initial iovec, then a bunch of other fields would need to be reset too. 
    Fix this issue by using xdr_enter_page() so that the buffer gets page aligned at the bitmap _before_ we decode it. Also fix the confusion of the ACL length with the page buffer length by not adding the base offset to the ACL length...

    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: stable@vger.kernel.org

    Conflicts:
        fs/nfs/nfs4xdr.c

 fs/nfs/nfs4proc.c |  2 +-
 fs/nfs/nfs4xdr.c  | 22 +++++++---------------
 2 files changed, 8 insertions(+), 16 deletions(-)

commit 79f9773e406c46d4c2673a2ebc70a82d05849777
Author: Sachin Prabhu <sprabhu@redhat.com>
Date:   Tue Apr 17 14:36:40 2012 +0100

    Avoid beyond bounds copy while caching ACL

    When attempting to cache ACLs returned from the server, if the bitmap size + the ACL size is greater than a PAGE_SIZE but the ACL size itself is smaller than a PAGE_SIZE, we can read past the buffer page boundary.

    Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
    Reported-by: Jian Li <jiali@redhat.com>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

    Conflicts:
        fs/nfs/nfs4proc.c

 fs/nfs/nfs4xdr.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e9931dac69669549b1b7ec7dbdaf80173636b14f
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Thu Jun 21 11:18:13 2012 -0400

    NFSv4: Simplify the GETATTR attribute length calculation

    Use the xdr_stream position counter as the basis for the calculation instead of assuming that we can calculate an offset to the start of the iovec.

    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

    Conflicts:
        fs/nfs/nfs4xdr.c

 fs/nfs/nfs4xdr.c | 24 +++++++++++++-----------
 1 files changed, 13 insertions(+), 11 deletions(-)

commit 114bf830ab3dd9591edd67e99f6743d1c45e9016
Author: Sachin Prabhu <sprabhu@redhat.com>
Date:   Tue Apr 17 14:35:39 2012 +0100

    Upstream commit: 5a00689930ab975fdd1b37b034475017e460cf2a

    Avoid reading past buffer when calling GETACL

    Bug noticed in commit bf118a342f10dafe44b14451a1392c3254629a1f

    When calling GETACL, if the size of the bitmap array, the length attribute and the acl returned by the server is greater than the allocated buffer(args.acl_len), we can Oops with a General Protection fault at _copy_from_pages() when we attempt to read past the pages allocated.

    This patch allocates an extra PAGE for the bitmap and checks to see that the bitmap + attribute_length + ACLs don't exceed the buffer space allocated to it.

    Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
    Reported-by: Jian Li <jiali@redhat.com>
    [Trond: Fixed a size_t vs unsigned int printk() warning]
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

    Conflicts:
        fs/nfs/nfs4xdr.c

 fs/nfs/nfs4xdr.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a3b3e44eb097d1c12826c21d8867779d035da600
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Thu Jun 21 17:14:46 2012 -0400

    Upstream commit: 4517d526c8aa31b5c14165ef180cc19518ff0a35

    SUNRPC: Add the helper xdr_stream_pos

    Add a helper to report the current offset from the start of the xdr_stream.

    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 include/linux/sunrpc/xdr.h |  1 +
 net/sunrpc/xdr.c           | 10 ++++++++++
 2 files changed, 11 insertions(+), 0 deletions(-)

commit 2b808a58b9c7fe7652de10de611cc68d43805d11
Author: Alex Williamson <alex.williamson@redhat.com>
Date:   Mon Dec 10 10:32:57 2012 -0700

    Upstream commit: e40f193f5bb022e927a57a4f5d5194e4f12ddb74

    KVM: Fix iommu map/unmap to handle memory slot moves

    The iommu integration into memory slots expects memory slots to be added or removed and doesn't handle the move case. We can unmap slots from the iommu after we mark them invalid and map them before installing the final memslot array. Also re-order the kmemdup vs map so we don't leave iommu mappings if we get ENOMEM.

    Reviewed-by: Gleb Natapov <gleb@redhat.com>
    Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 virt/kvm/kvm_main.c | 19 +++++++++++--------
 1 files changed, 11 insertions(+), 8 deletions(-)

commit 15a897ba31a1df69d33b4087dd50ccea95eec124
Author: Marcelo Tosatti <mtosatti@redhat.com>
Date:   Fri Aug 24 15:54:58 2012 -0300

    Upstream commit: 12d6e7538e2d418c08f082b1b44ffa5fb7270ed8

    KVM: perform an invalid memslot step for gpa base change

    PPC must flush all translations before the new memory slot is visible.

    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>

    Conflicts:
        virt/kvm/kvm_main.c

 virt/kvm/kvm_main.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 149ffec96673ad2a4d69959ccd675b8ff32bbfb4
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Tue Aug 14 18:30:41 2012 -0400

    Upstream commit: b291f1b1c86aa0c7bc3df2994e6a1a4e53f1fde0

    NFSv4: Fix the acl cache size calculation

    Currently, we do not take into account the size of the 16 byte struct nfs4_cached_acl header, when deciding whether or not we should cache the acl data.
    Consequently, we will end up allocating an 8k buffer in order to fit a maximum size 4k acl. This patch adjusts the calculation so that we limit the cache size to 4k for the acl header+data.

    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 fs/nfs/nfs4proc.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit dcb899d00e1ba139f0d5441df4e17b43f7d92a3b
Author: Steve French <smfrench@gmail.com>
Date:   Fri Nov 15 20:41:32 2013 -0600

    Upstream commit: b1d93356427be6f050dc55c86eb019d173700af6

    setfacl removes part of ACL when setting POSIX ACLs to Samba

    setfacl over cifs mounts can remove the default ACL when setting the (non-default part of) the ACL and vice versa (we were leaving at 0 rather than setting to -1 the count field for the unaffected half of the ACL).

    For example notice the setfacl removed the default ACL in this sequence:

    steven@steven-GA-970A-DS3:~/cifs-2.6$ getfacl /mnt/test-dir ; setfacl -m default:user:test:rwx,user:test:rwx /mnt/test-dir
    getfacl: Removing leading '/' from absolute path names
    user::rwx
    group::r-x
    other::r-x
    default:user::rwx
    default:user:test:rwx
    default:group::r-x
    default:mask::rwx
    default:other::r-x

    steven@steven-GA-970A-DS3:~/cifs-2.6$ getfacl /mnt/test-dir
    getfacl: Removing leading '/' from absolute path names
    user::rwx
    user:test:rwx
    group::r-x
    mask::rwx
    other::r-x

    CC: Stable <stable@kernel.org>
    Signed-off-by: Steve French <smfrench@gmail.com>
    Acked-by: Jeremy Allison <jra@samba.org>

    Conflicts:
        fs/cifs/cifssmb.c

 fs/cifs/cifssmb.c | 8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

commit 4ec2d737b61615dcc547663e085d0eed15dd458c
Merge: c3e2399 8780214
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 19:10:16 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 8780214daf625764b7fd7019aafacc4b22c2d496
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 19:09:26 2013 -0500

    Backport latent entropy plugin fix from 3.11.8 for an ICE in gcc 4.6

 mm/page_alloc.c                   |  2 +-
 tools/gcc/latent_entropy_plugin.c | 34 ++++++++++++++++++++++++----------
 2 files changed, 25 insertions(+), 11 deletions(-)

commit c3e23994b4b167256ded79a3dfd5caf3d27289cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 20:51:54 2013 -0500

    Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796

    isdnloop: use strlcpy() instead of strcpy()

    These strings come from a copy_from_user() and there is no way to be sure they are NUL terminated.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/isdnloop/isdnloop.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 680af9c1f6fd6853904405ddff00b6804e18f8d9
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Nov 14 13:37:54 2013 -0800

    Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf

    ipv4: fix possible seqlock deadlock

    ip4_datagram_connect() being called from process context, it should use IP_INC_STATS() instead of IP_INC_STATS_BH() otherwise we can deadlock on 32bit arches, or get corruptions of SNMP counters.

    Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/datagram.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a28a6771f9e3a8e0df73aef0a2fd9934e1e7159b
Merge: f6dd5fe 5a1d5ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 20:32:41 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 5a1d5ae1c42f6e82657dc92a0704d88afac5d5e9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 20:31:31 2013 -0500

    Update to pax-linux-3.2.52-test124.patch:
    - fixed a few incorrect uses of static local variables based on an analysis plugin written by Emese Revfy

 drivers/bluetooth/btwilink.c         |  2 +-
 drivers/md/dm-table.c                |  2 +-
 drivers/message/i2o/i2o_proc.c       | 16 ++++++++--------
 drivers/mfd/max8925-i2c.c            |  2 +-
 drivers/mtd/chips/cfi_cmdset_0020.c  |  2 +-
 drivers/net/wireless/airo.c          |  2 +-
 drivers/net/wireless/b43/phy_lp.c    |  2 +-
 drivers/nfc/nfcwilink.c              |  2 +-
 drivers/platform/x86/msi-wmi.c       |  2 +-
 drivers/scsi/aic7xxx/aic79xx_pci.c   | 18 +++++-------------
 drivers/scsi/mpt2sas/mpt2sas_scsih.c |  8 ++++----
 drivers/usb/serial/console.c         |  2 +-
 kernel/audit.c                       |  2 +-
 mm/mremap.c                          |  1 -
 14 files changed, 27 insertions(+), 36 deletions(-)

commit f6dd5fe403291ded95feb18167228de9b091c78a
Author: Russell King <rmk+kernel@arm.linux.org.uk>
Date:   Fri Sep 7 18:22:28 2012 +0100

    Upstream commit: 8404663f (though anyone using ARM should have been using the test patch with KERNEXEC/UDEREF which was unaffected by this)

    ARM: 7527/1: uaccess: explicitly check __user pointer when !CPU_USE_DOMAINS

    The {get,put}_user macros don't perform range checking on the provided __user address when !CPU_HAS_DOMAINS. This patch reworks the out-of-line assembly accessors to check the user address against a specified limit, returning -EFAULT if it is out of range.
    [will: changed get_user register allocation to match put_user]
    [rmk: fixed building on older ARM architectures]

    Reported-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/include/asm/assembler.h |  8 +++++++
 arch/arm/include/asm/uaccess.h   | 40 +++++++++++++++++++++++++------------
 arch/arm/lib/getuser.S           | 23 ++++++++++++++-------
 arch/arm/lib/putuser.S           |  6 +++++
 4 files changed, 56 insertions(+), 21 deletions(-)

commit 1200113a5c6fd6a83101cf8b6732dcda33928f83
Author: Catalin Marinas <catalin.marinas@arm.com>
Date:   Wed Jan 25 11:38:13 2012 +0100

    Upstream commit: 4e7682d0

    ARM: 7301/1: Rename the T() macro to TUSER() to avoid namespace conflicts

    This macro is used to generate unprivileged accesses (LDRT/STRT) to user space.

    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    Acked-by: Nicolas Pitre <nico@linaro.org>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/include/asm/assembler.h |  4 +-
 arch/arm/include/asm/domain.h    |  8 ++--
 arch/arm/include/asm/futex.h     |  8 ++--
 arch/arm/include/asm/uaccess.h   | 16 ++++----
 arch/arm/lib/getuser.S           | 12 +++---
 arch/arm/lib/putuser.S           | 28 ++++++------
 arch/arm/lib/uaccess.S           | 82 +++++++++++++++++++-------------------
 7 files changed, 79 insertions(+), 79 deletions(-)

commit bee81e6898799c5002cd31cdd41cadcf38fd70a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 11 10:48:10 2013 -0500

    Fix the overflowable range check just to be correct. Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt but I believe this to be unexploitable due to bounds checks on 'count' from rw_verify_area() in fs/read_write.c

 drivers/video/arcfb.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d2c1f624b3ce5796b5ea047f2580c13f6ef1e526
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 22:01:33 2013 -0500

    Add missing include

    Conflicts:
        fs/proc/proc_sysctl.c

 fs/proc/proc_sysctl.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit f37b50415b86363a3e732de2c430917eeec001fd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 15:19:27 2013 -0500

    On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF loading). Fix this by setting a proper default on these architectures like set on the LSM-based mmap_min_addr. Thanks to acez from IRC for debugging.

 mm/Kconfig | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit de322e5dc505ccfc15428aebd72dfad5d84b9a02
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 13:54:25 2013 -0500

    Compatibility fix for LXC: Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, use a CAP_NET_ADMIN check within the user namespace of the process performing the modification

    CAP_SYS_ADMIN is still required for any other sysctl modification, including modification of sysctls of a net namespace other than our own

    This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's networking

    Thanks to ncopa from IRC for testing

    Conflicts:
        fs/proc/proc_sysctl.c

 fs/proc/proc_sysctl.c | 9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit be3f3539e5745da7f0a4322e0cef77d763a91793
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 6 16:23:36 2013 -0500

    Force on DEBUG_LIST so all users can benefit from safe linking/unlinking

 security/Kconfig | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 1457cd7c50771a37f297e5d5963a003f08134793
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 6 16:19:21 2013 -0500

    change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel bruteforce deterrence

    Conflicts:
        lib/list_debug.c

 lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++-------------------
 1 files changed, 42 insertions(+), 23 deletions(-)

commit 3b039667e9f82697a42754d5e78a3772757097d5
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 22:06:04 2013 +0300

    Upstream commit: 201f99f170df14ba52ea4c52847779042b7a623b

    uml: check length in exitcode_proc_write()

    We don't cap the size of buffer from the user so we could write past the end of the array here. Only root can write to this file.
    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/um/kernel/exitcode.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 3806af3fc3da19e1fafd934d2bb0344cae8fbac5
Author: Ming Lei <ming.lei@canonical.com>
Date:   Thu Oct 31 16:34:17 2013 -0700

    Upstream commit: 3d77b50c5874b7e923be946ba793644f82336b75

    lib/scatterlist.c: don't flush_kernel_dcache_page on slab page

    Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper functions") introduces two sg buffer copy helpers, and calls flush_kernel_dcache_page() on pages in SG list after these pages are written to.

    Unfortunately, the commit may introduce a potential bug:

    - Before sending some SCSI commands, kmalloc() buffer may be passed to block layer, so flush_kernel_dcache_page() can see a slab page finally

    - According to cachetlb.txt, flush_kernel_dcache_page() is only called on "a user page", which surely can't be a slab page.

    - ARCH's implementation of flush_kernel_dcache_page() may use page mapping information to do optimization so page_mapping() will see the slab page, then VM_BUG_ON() is triggered.

    Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled, and this patch fixes the bug by adding test of '!PageSlab(miter->page)' before calling flush_kernel_dcache_page().

    Signed-off-by: Ming Lei <ming.lei@canonical.com>
    Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
    Tested-by: Simon Baatz <gmbnomis@gmail.com>
    Cc: Russell King - ARM Linux <linux@arm.linux.org.uk>
    Cc: Will Deacon <will.deacon@arm.com>
    Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
    Acked-by: Catalin Marinas <catalin.marinas@arm.com>
    Cc: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
    Cc: Tejun Heo <tj@kernel.org>
    Cc: "James E.J. Bottomley" <JBottomley@parallels.com>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: <stable@vger.kernel.org> [3.2+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/scatterlist.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 8c68b396467a3235a2396a69cdb3238a6f5fdb14
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 23:01:11 2013 +0300

    Upstream commit: 8d1e72250c847fa96498ec029891de4dc638a5ba

    Staging: bcm: info leak in ioctl

    The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel information to user space.

    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/staging/bcm/Bcmchar.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a705b2ffd5021ce3aeede89b61acca32531e7b93
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 22:11:06 2013 +0300

    Upstream commit: f856567b930dfcdbc3323261bf77240ccdde01f5

    aacraid: missing capable() check in compat ioctl

    In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we added a check on CAP_SYS_RAWIO to the ioctl. The compat ioctls need the check as well.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/scsi/aacraid/linit.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 7575100bfd44edff669603c0f5384f6c5588c7ee
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 23:00:15 2013 +0300

    Upstream commit: b5e2f339865fb443107e5b10603e53bbc92dc054

    staging: wlags49_h2: buffer overflow setting station name

    We need to check the length parameter before doing the memcpy(). I've actually changed it to strlcpy() as well so that it's NUL terminated.

    You need CAP_NET_ADMIN to trigger these so it's not the end of the world.

    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Conflicts:
        drivers/staging/wlags49_h2/wl_priv.c

 drivers/staging/wlags49_h2/wl_priv.c | 21 ++++++++++++---------
 1 files changed, 12 insertions(+), 9 deletions(-)

commit 9fec71b334742781b1fa12c096ab79ae7e8627bd
Author: Luis Henriques <luis.henriques@canonical.com>
Date:   Tue Dec 4 14:33:20 2012 +0000

    UBUNTU: SAUCE: SECCOMP: audit: fix build on archs without CONFIG_AUDITSYSCALL

    BugLink: http://bugs.launchpad.net/bugs/1079469

    Build is broken for armel or armhf because they don't define __audit_seccomp(), required by:

    3479c36 seccomp: forcing auditing of kill condition

    This fixes the builds defining an empty macro for this function.

    Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
    Cc: Kees Cook <kees@ubuntu.com>
    Acked-by: Colin King <colin.king@canonical.com>
    Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

 include/linux/audit.h | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 29eac4dc6013fb3f3434fecfdb5b63d28b90dd7e
Author: Kees Cook <kees@ubuntu.com>
Date:   Thu Nov 15 16:33:59 2012 -0800

    seccomp: forcing auditing of kill condition

    BugLink: http://bugs.launchpad.net/bugs/1079469

    Instead of auditing all seccomp actions, only force the reporting of those that kill a process. All others should be checked for an existing audit context on the process. (This improves the adjustment that commit 426ae7eee59e3de2a4c14ccfc30df0a7d64709fe was attempting.)
    Signed-off-by: Kees Cook <kees@ubuntu.com>
    Acked-by: Herton Krzesinski <herton.krzesinski@canonical.com>
    Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

 kernel/seccomp.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit eedb353cf9693ff4940c4646cb25d650696f546c
Author: Kees Cook <kees@ubuntu.com>
Date:   Fri Mar 30 13:20:07 2012 -0700

    UBUNTU: SAUCE: SECCOMP: adjust prctl constant

    3.4-rc1 contains new prctl values that conflict with the ones chosen for nnp, so push them forward with the hopes that we will align with the future.

    Signed-off-by: Kees Cook <kees@ubuntu.com>
    Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>

 include/linux/prctl.h | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f9890fabed98fb2841b3d578187df7a2503e9f43
Author: Will Drewry <wad@chromium.org>
Date:   Thu Feb 9 11:28:23 2012 -0600

    UBUNTU: SAUCE: SECCOMP: x86: Enable HAVE_ARCH_SECCOMP_FILTER

    Enable support for seccomp filter on x86:
    - asm/tracehook.h exists
    - syscall_get_arguments() works
    - syscall_rollback() works
    - ptrace_report_syscall() works
    - secure_computing() return value is honored (see below)

    This also adds support for honoring the return value from secure_computing(). SECCOMP_RET_TRACE and SECCOMP_RET_TRAP may result in seccomp needing to skip a system call without killing the process. This is done by returning a non-zero (-1) value from secure_computing. This change makes x86 respect that return value.

    To ensure that minimal kernel code is exposed, a non-zero return value results in an immediate return to user space (with an invalid syscall number).

    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 arch/x86/Kconfig         | 1 +
 arch/x86/kernel/ptrace.c | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletions(-)

commit 5aaf8c4b0bfa4035e02e53458d44895e50755cb7
Author: Will Drewry <wad@chromium.org>
Date:   Thu Feb 9 12:08:39 2012 -0600

    UBUNTU: SAUCE: SECCOMP: ptrace,seccomp: Add PTRACE_SECCOMP support

    This change adds support for a new ptrace option, PTRACE_O_TRACESECCOMP, and a new return value for seccomp BPF programs, SECCOMP_RET_TRACE.

    When a tracer specifies the PTRACE_O_TRACESECCOMP ptrace option, the tracer will be notified, via PTRACE_EVENT_SECCOMP, for any syscall that results in a BPF program returning SECCOMP_RET_TRACE. The 16-bit SECCOMP_RET_DATA mask of the BPF program return value will be passed as the ptrace_message and may be retrieved using PTRACE_GETEVENTMSG.

    If the subordinate process is not using seccomp filter, then no system call notifications will occur even if the option is specified.

    If there is no tracer with PTRACE_O_TRACESECCOMP when SECCOMP_RET_TRACE is returned, the system call will not be executed and an -ENOSYS errno will be returned to userspace.

    This change adds a dependency on the system call slow path. Any future efforts to use the system call fast path for seccomp filter will need to address this restriction.

    v16: - update PT_TRACE_MASK to 0xbf4 so that STOP isn't clear on SETOPTIONS call (indan@nul.nu)
           [note PT_TRACE_MASK disappears in linux-next]
    v15: - add audit support for non-zero return codes
         - clean up style (indan@nul.nu)
    v14: - rebase/nochanges
    v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
           (Brings back a change to ptrace.c and the masks.)
    v12: - rebase to linux-next
         - use ptrace_event and update arch/Kconfig to mention slow-path dependency
         - drop all tracehook changes and inclusion (oleg@redhat.com)
    v11: - invert the logic to just make it a PTRACE_SYSCALL accelerator (indan@nul.nu)
    v10: - moved to PTRACE_O_SECCOMP / PT_TRACE_SECCOMP
    v9: - n/a
    v8: - guarded PTRACE_SECCOMP use with an ifdef
    v7: - introduced

    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 arch/Kconfig            | 11 ++++++-----
 include/linux/ptrace.h  |  7 +++++--
 include/linux/seccomp.h |  1 +
 kernel/ptrace.c         |  3 +++
 kernel/seccomp.c        | 13 +++++++++++--
 5 files changed, 26 insertions(+), 9 deletions(-)

commit 825511ce9b132c1bbd8b6c73a91272ad2521efbc
Author: Will Drewry <wad@chromium.org>
Date:   Thu Feb 9 12:01:37 2012 -0600

    UBUNTU: SAUCE: SECCOMP: seccomp: Add SECCOMP_RET_TRAP

    Adds a new return value to seccomp filters that triggers a SIGSYS to be delivered with the new SYS_SECCOMP si_code.

    This allows in-process system call emulation, including just specifying an errno or cleanly dumping core, rather than just dying.
    v15: - use audit_seccomp/skip
         - pad out error spacing; clean up switch (indan@nul.nu)
    v14: - n/a
    v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
    v12: - rebase on to linux-next
    v11: - clarify the comment (indan@nul.nu)
         - s/sigtrap/sigsys
    v10: - use SIGSYS, syscall_get_arch, updates arch/Kconfig
           note suggested-by (though original suggestion had other behaviors)
    v9: - changes to SIGILL
    v8: - clean up based on changes to dependent patches
    v7: - introduction

    Suggested-by: Markus Gutschke <markus@chromium.org>
    Suggested-by: Julien Tinnes <jln@chromium.org>
    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 arch/Kconfig                  | 14 +++++++++-----
 include/asm-generic/siginfo.h |  2 +-
 include/linux/seccomp.h       |  1 +
 kernel/seccomp.c              | 26 ++++++++++++++++++++++++++
 4 files changed, 37 insertions(+), 6 deletions(-)

commit 62445946c127cfd0de0e3b93dcbfcf6c87d191dc
Author: Will Drewry <wad@chromium.org>
Date:   Fri Feb 17 11:50:27 2012 -0600

    UBUNTU: SAUCE: SECCOMP: signal, x86: add SIGSYS info and make it synchronous.

    This change enables SIGSYS, defines _sigfields._sigsys, and adds x86 (compat) arch support. _sigsys defines fields which allow a signal handler to receive the triggering system call number, the relevant AUDIT_ARCH_* value for that number, and the address of the callsite.

    SIGSYS is added to the SYNCHRONOUS_MASK because it is desirable for it to have setup_frame() called for it. The goal is to ensure that ucontext_t reflects the machine state from the time-of-syscall and not from another signal handler.

    The first consumer of SIGSYS would be seccomp filter. In particular, a filter program could specify a new return value, SECCOMP_RET_TRAP, which would result in the system call being denied and the calling thread signaled. This also means that implementing arch-specific support can be dependent upon HAVE_ARCH_SECCOMP_FILTER.

    v14: - rebase/nochanges
    v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
    v12: - reworded changelog (oleg@redhat.com)
    v11: - fix dropped words in the change description
         - added fallback copy_siginfo support.
         - added __ARCH_SIGSYS define to allow stepped arch support.
    v10: - first version based on suggestion

    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Suggested-by: H. Peter Anvin <hpa@zytor.com>
    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 arch/x86/ia32/ia32_signal.c   |  4 ++++
 arch/x86/include/asm/ia32.h   |  6 ++++++
 include/asm-generic/siginfo.h | 22 ++++++++++++++++++++++
 kernel/signal.c               |  9 ++++++++-
 4 files changed, 40 insertions(+), 1 deletions(-)

commit 5f14190caf5f9fc29e1cdc5a245258f0e07bbba5
Author: Will Drewry <wad@chromium.org>
Date:   Wed Feb 15 20:45:54 2012 -0600

    UBUNTU: SAUCE: SECCOMP: seccomp: add SECCOMP_RET_ERRNO

    This change adds the SECCOMP_RET_ERRNO as a valid return value from a seccomp filter. Additionally, it makes the first use of the lower 16 bits for storing a filter-supplied errno. 16 bits is more than enough for the errno-base.h calls.

    Returning errors instead of immediately terminating processes that violate seccomp policy allows for broader use of this functionality for kernel attack surface reduction. For example, a linux container could maintain a whitelist of pre-existing system calls but drop all new ones with errnos. This would keep a logically static attack surface while providing errnos that may allow for graceful failure without the downside of do_exit() on a bad call.

    v15: - use audit_seccomp and add a skip label. (eparis@redhat.com)
         - clean up and pad out return codes (indan@nul.nu)
    v14: - no change/rebase
    v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
    v12: - move to WARN_ON if filter is NULL (oleg@redhat.com, luto@mit.edu, keescook@chromium.org)
         - return immediately for filter==NULL (keescook@chromium.org)
         - change evaluation to only compare the ACTION so that layered errnos don't result in the lowest one being returned. (keeschook@chromium.org)
    v11: - check for NULL filter (keescook@chromium.org)
    v10: - change loaders to fn
    v9: - n/a
    v8: - update Kconfig to note new need for syscall_set_return_value.
        - reordered such that TRAP behavior follows on later.
        - made the for loop a little less indent-y
    v7: - introduced

    Reviewed-by: Kees Cook <keescook@chromium.org>
    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 arch/Kconfig            |  6 ++++--
 include/linux/seccomp.h | 15 +++++++++++----
 kernel/seccomp.c        | 47 ++++++++++++++++++++++++++++++++++++++---------
 3 files changed, 53 insertions(+), 15 deletions(-)

commit e83d1482e89d9725831fdee2984efab3734d3c45
Author: Kees Cook <keescook@chromium.org>
Date:   Sun Feb 26 11:56:12 2012 -0800

    UBUNTU: SAUCE: SECCOMP: seccomp: remove duplicated failure logging

    This consolidates the seccomp filter error logging path and adds more details to the audit log.
    v15: added a return code to the audit_seccomp path by wad@chromium.org (suggested by eparis@redhat.com)
    v*: original by keescook@chromium.org

    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 include/linux/audit.h |  8 ++++----
 kernel/auditsc.c      | 10 ++++++++--
 kernel/seccomp.c      | 15 +--------------
 3 files changed, 13 insertions(+), 20 deletions(-)

commit 19a18a4844a7d16174a8ef4d2780e45ae6c812c8
Author: Will Drewry <wad@chromium.org>
Date:   Thu Feb 9 11:50:58 2012 -0600

    UBUNTU: SAUCE: SECCOMP: seccomp: add system call filtering using BPF

    [This patch depends on luto@mit.edu's no_new_privs patch:
       https://lkml.org/lkml/2012/1/30/264
     The whole series including Andrew's patches can be found here:
       https://github.com/redpig/linux/tree/seccomp
     Complete diff here:
       https://github.com/redpig/linux/compare/1dc65fed...seccomp
     A GPG signed tag 'seccomp/v14/posted' will be pushed shortly.
    ]

    This patch adds support for seccomp mode 2. Mode 2 introduces the ability for unprivileged processes to install system call filtering policy expressed in terms of a Berkeley Packet Filter (BPF) program. This program will be evaluated in the kernel for each system call the task makes and computes a result based on data in the format of struct seccomp_data.

    A filter program may be installed by calling:
      struct sock_fprog fprog = { ... };
      ...
      prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);

    The return value of the filter program determines if the system call is allowed to proceed or denied. If the first filter program installed allows prctl(2) calls, then the above call may be made repeatedly by a task to further reduce its access to the kernel.

    All attached programs must be evaluated before a system call will be allowed to proceed. Filter programs will be inherited across fork/clone and execve. However, if the task attaching the filter is unprivileged (!CAP_SYS_ADMIN) the no_new_privs bit will be set on the task. This ensures that unprivileged tasks cannot attach filters that affect privileged tasks (e.g., setuid binary).

    There are a number of benefits to this approach. A few of which are as follows:
    - BPF has been exposed to userland for a long time
    - BPF optimization (and JIT'ing) are well understood
    - Userland already knows its ABI: system call numbers and desired arguments
    - No time-of-check-time-of-use vulnerable data accesses are possible.
    - system call arguments are loaded on access only to minimize copying required for system call policy decisions.

    Mode 2 support is restricted to architectures that enable HAVE_ARCH_SECCOMP_FILTER. In this patch, the primary dependency is on syscall_get_arguments(). The full desired scope of this feature will add a few minor additional requirements expressed later in this series. Based on discussion, SECCOMP_RET_ERRNO and SECCOMP_RET_TRACE seem to be the desired additional functionality.

    No architectures are enabled in this patch.

    v15: - add a 4 instr penalty when counting a path to account for seccomp_filter size (indan@nul.nu)
         - drop the max insns to 256KB (indan@nul.nu)
         - return ENOMEM if the max insns limit has been hit (indan@nul.nu)
         - move IP checks after args (indan@nul.nu)
         - drop !user_filter check (indan@nul.nu)
         - only allow explicit bpf codes (indan@nul.nu)
         - exit_code -> exit_sig
    v14: - put/get_seccomp_filter takes struct task_struct (indan@nul.nu,keescook@chromium.org)
         - adds seccomp_chk_filter and drops general bpf_run/chk_filter user
         - add seccomp_bpf_load for use by net/core/filter.c
         - lower max per-process/per-hierarchy: 1MB
         - moved nnp/capability check prior to allocation (all of the above: indan@nul.nu)
    v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
    v12: - added a maximum instruction count per path (indan@nul.nu,oleg@redhat.com)
         - removed copy_seccomp (keescook@chromium.org,indan@nul.nu)
         - reworded the prctl_set_seccomp comment (indan@nul.nu)
    v11: - reorder struct seccomp_data to allow future args expansion (hpa@zytor.com)
         - style clean up, @compat dropped, compat_sock_fprog32 (indan@nul.nu)
         - do_exit(SIGSYS) (keescook@chromium.org, luto@mit.edu)
         - pare down Kconfig doc reference.
         - extra comment clean up
    v10: - seccomp_data has changed again to be more aesthetically pleasing (hpa@zytor.com)
         - calling convention is noted in a new u32 field using syscall_get_arch. This allows for cross-calling convention tasks to use seccomp filters. (hpa@zytor.com)
         - lots of clean up (thanks, Indan!)
    v9: - n/a
    v8: - use bpf_chk_filter, bpf_run_filter. update load_fns
        - Lots of fixes courtesy of indan@nul.nu:
        -- fix up load behavior, compat fixups, and merge alloc code,
        -- renamed pc and dropped __packed, use bool compat.
-- Added a hidden CONFIG_SECCOMP_FILTER to synthesize non-arch dependencies v7: (massive overhaul thanks to Indan, others) - added CONFIG_HAVE_ARCH_SECCOMP_FILTER - merged into seccomp.c - minimal seccomp_filter.h - no config option (part of seccomp) - no new prctl - doesn't break seccomp on systems without asm/syscall.h (works but arg access always fails) - dropped seccomp_init_task, extra free functions, ... - dropped the no-asm/syscall.h code paths - merges with network sk_run_filter and sk_chk_filter v6: - fix memory leak on attach compat check failure - require no_new_privs || CAP_SYS_ADMIN prior to filter installation. (luto@mit.edu) - s/seccomp_struct_/seccomp_/ for macros/functions (amwang@redhat.com) - cleaned up Kconfig (amwang@redhat.com) - on block, note if the call was compat (so the # means something) v5: - uses syscall_get_arguments (indan@nul.nu,oleg@redhat.com, mcgrathr@chromium.org) - uses union-based arg storage with hi/lo struct to handle endianness. Compromises between the two alternate proposals to minimize extra arg shuffling and account for endianness assuming userspace uses offsetof(). 
(mcgrathr@chromium.org, indan@nul.nu) - update Kconfig description - add include/seccomp_filter.h and add its installation - (naive) on-demand syscall argument loading - drop seccomp_t (eparis@redhat.com) v4: - adjusted prctl to make room for PR_[SG]ET_NO_NEW_PRIVS - now uses current->no_new_privs (luto@mit.edu,torvalds@linux-foundation.com) - assign names to seccomp modes (rdunlap@xenotime.net) - fix style issues (rdunlap@xenotime.net) - reworded Kconfig entry (rdunlap@xenotime.net) v3: - macros to inline (oleg@redhat.com) - init_task behavior fixed (oleg@redhat.com) - drop creator entry and extra NULL check (oleg@redhat.com) - alloc returns -EINVAL on bad sizing (serge.hallyn@canonical.com) - adds tentative use of "always_unprivileged" as per torvalds@linux-foundation.org and luto@mit.edu v2: - (patch 2 only) Reviewed-by: Indan Zupancic <indan@nul.nu> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Will Drewry <wad@chromium.org> Signed-off-by: Kees Cook <kees@ubuntu.com> arch/Kconfig | 17 ++ include/linux/Kbuild | 1 + include/linux/seccomp.h | 76 +++++++++- kernel/fork.c | 3 + kernel/seccomp.c | 393 ++++++++++++++++++++++++++++++++++++++++++++-- kernel/sys.c | 2 +- 6 files changed, 469 insertions(+), 23 deletions(-) commit d5d317ef3be9869343903ee59e485eaf939865cf Author: Eric Paris <eparis@redhat.com> Date: Tue Jan 3 14:23:05 2012 -0500 seccomp: audit abnormal end to a process due to seccomp The audit system likes to collect information about processes that end abnormally (SIGSEGV) as this may me useful intrusion detection information. This patch adds audit support to collect information when seccomp forces a task to exit because of misbehavior in a similar way. 
Signed-off-by: Eric Paris <eparis@redhat.com> (cherry picked from commit 85e7bac33b8d5edafc4e219c7dfdb3d48e0b4e31) Signed-off-by: Kees Cook <kees@ubuntu.com> include/linux/audit.h | 8 +++++++ kernel/auditsc.c | 52 ++++++++++++++++++++++++++++-------------------- kernel/seccomp.c | 2 + 3 files changed, 40 insertions(+), 22 deletions(-) commit c9614d621d49f2c8e1d4832758579da457136418 Author: Will Drewry <wad@chromium.org> Date: Fri Feb 17 15:03:37 2012 -0600 UBUNTU: SAUCE: SECCOMP: asm/syscall.h: add syscall_get_arch Adds a stub for a function that will return the AUDIT_ARCH_* value appropriate to the supplied task based on the system call convention. For audit's use, the value can generally be hard-coded at the audit-site. However, for other functionality not inlined into syscall entry/exit, this makes that information available. seccomp_filter is the first planned consumer and, as such, the comment indicates a tie to HAVE_ARCH_SECCOMP_FILTER. That is probably an unneeded detail. v14: rebase/nochanges v13: rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc v12: rebase on to linux-next v11: fixed improper return type v10: introduced Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Suggested-by: Roland McGrath <mcgrathr@chromium.org> Signed-off-by: Will Drewry <wad@chromium.org> Signed-off-by: Kees Cook <kees@ubuntu.com> include/asm-generic/syscall.h | 14 ++++++++++++++ 1 files changed, 14 insertions(+), 0 deletions(-) commit 65acde58c865720cf4cab6890efe8f31d5bec60f Author: Will Drewry <wad@chromium.org> Date: Wed Jan 18 15:00:56 2012 -0600 UBUNTU: SAUCE: SECCOMP: arch/x86: add syscall_get_arch to syscall.h Add syscall_get_arch() to export the current AUDIT_ARCH_* based on system call entry path. 
v14: rebase/nochanges v13: rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Will Drewry <wad@chromium.org> Signed-off-by: Kees Cook <kees@ubuntu.com> arch/x86/include/asm/syscall.h | 23 +++++++++++++++++++++++ 1 files changed, 23 insertions(+), 0 deletions(-) commit 5b564226379332f09c4f3765394eca26c1e8d1e1 Author: Will Drewry <wad@chromium.org> Date: Fri Jan 13 14:40:01 2012 -0600 UBUNTU: SAUCE: SECCOMP: seccomp: kill the seccomp_t typedef Replaces the seccomp_t typedef with struct seccomp to match modern kernel style. v14: rebase/nochanges v13: rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc v12: rebase on to linux-next v8-v11: no changes v7: struct seccomp_struct -> struct seccomp v6: original inclusion in this series. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Reviewed-by: James Morris <jmorris@namei.org> Signed-off-by: Will Drewry <wad@chromium.org> Signed-off-by: Kees Cook <kees@ubuntu.com> include/linux/sched.h | 2 +- include/linux/seccomp.h | 10 ++++++---- 2 files changed, 7 insertions(+), 5 deletions(-) commit 8f10416cbf0a71df0d851fdba18ea9b3187f616c Author: Will Drewry <wad@chromium.org> Date: Wed Feb 22 10:59:31 2012 -0600 UBUNTU: SAUCE: SECCOMP: net/compat.c,linux/filter.h: share compat_sock_fprog Any other users of bpf_*_filter that take a struct sock_fprog from userspace will need to be able to also accept a compat_sock_fprog if the arch supports compat calls. This change let's the existing compat_sock_fprog be shared. 
v14: rebase/nochanges v13: rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc v12: rebase on to linux-next v11: introduction Signed-off-by: Will Drewry <wad@chromium.org> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Kees Cook <kees@ubuntu.com> include/linux/filter.h | 11 +++++++++++ net/compat.c | 8 -------- 2 files changed, 11 insertions(+), 8 deletions(-) commit 508e69eac8c0f6089ae2f317122f2509ce2c922d Author: Will Drewry <wad@chromium.org> Date: Fri Mar 9 10:43:50 2012 -0600 UBUNTU: SAUCE: SECCOMP: sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W Introduces a new BPF ancillary instruction that all LD calls will be mapped through when skb_run_filter() is being used for seccomp BPF. The rewriting will be done using a secondary chk_filter function that is run after skb_chk_filter. The code change is guarded by CONFIG_SECCOMP_FILTER which is added, along with the seccomp_bpf_load() function later in this series. This is based on http://lkml.org/lkml/2012/3/2/141 v15: include seccomp.h explicitly for when seccomp_bpf_load exists. v14: First cut using a single additional instruction ... v13: made bpf functions generic. 
Suggested-by: Indan Zupancic <indan@nul.nu> Signed-off-by: Will Drewry <wad@chromium.org> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Kees Cook <kees@ubuntu.com> include/linux/filter.h | 1 + net/core/filter.c | 6 ++++++ 2 files changed, 7 insertions(+), 0 deletions(-) commit 29fb0afcb3dbc9563ebc3f2ab26acaa52e5c209f Author: John Johansen <john.johansen@canonical.com> Date: Mon Jan 30 08:17:27 2012 -0800 UBUNTU: SAUCE: SECCOMP: Fix apparmor for PR_{GET,SET}_NO_NEW_PRIVS Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Kees Cook <kees@ubuntu.com> security/apparmor/domain.c | 39 +++++++++++++++++++++++++++++++++++---- 1 files changed, 35 insertions(+), 4 deletions(-) commit 2ccd05f2a7d8c59be2381399da61865deb7aa540 Author: Andy Lutomirski <luto@amacapital.net> Date: Mon Jan 30 08:17:26 2012 -0800 UBUNTU: SAUCE: SECCOMP: Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs With this set, a lot of dangerous operations (chroot, unshare, etc) become a lot less dangerous because there is no possibility of subverting privileged binaries. This patch completely breaks apparmor. Someone who understands (and uses) apparmor should fix it or at least give me a hint. Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Kees Cook <kees@ubuntu.com> Conflicts: include/linux/prctl.h fs/exec.c | 10 +++++++++- include/linux/prctl.h | 15 +++++++++++++++ include/linux/sched.h | 2 ++ include/linux/security.h | 1 + kernel/sys.c | 10 ++++++++++ security/apparmor/domain.c | 4 ++++ security/commoncap.c | 7 +++++-- security/selinux/hooks.c | 10 +++++++++- 8 files changed, 55 insertions(+), 4 deletions(-) commit 5041458714dba17a379e8f68ccc7a620878933b5 Author: Linus Torvalds <torvalds@linux-foundation.org> Date: Tue Oct 29 10:21:34 2013 -0700 Fixed a little differently than Linus... 
    Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1

    Fix a few incorrectly checked [io_]remap_pfn_range() calls

    Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that really should use the vm_iomap_memory() helper.

    This trivially converts two of them to the helper, and comments about why the third one really needs to continue to use remap_pfn_range(), and adds the missing size check.

    Reported-by: Nico Golde <nico@ngolde.de>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Conflicts:
        drivers/uio/uio.c

    Conflicts:
        drivers/video/au1100fb.c
        drivers/video/au1200fb.c

 drivers/uio/uio.c | 19 +++++++++++++++++--
 drivers/video/au1100fb.c | 28 +---------------------------
 drivers/video/au1200fb.c | 27 +--------------------------
 3 files changed, 19 insertions(+), 55 deletions(-)

commit 03676684cf5899178a256001a98845d6c95c0b62
Merge: 8c82885 8e0d793
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 27 15:15:03 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 8e0d7934f8f3995920b52aebbfaa35d8d9710aa4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 27 15:14:41 2013 -0400

    Update to pax-linux-3.2.52-test123.patch

 mm/mremap.c | 4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 8c82885408023041feb6020fd0aa1c12fe02c3b9
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Oct 1 21:04:11 2013 -0700

    Upstream commit: 80ad1d61e72d626e30ebe8529a0455e660ca4693

    net: do not call sock_put() on TIMEWAIT sockets

    commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU / hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets.

    We should instead use inet_twsk_put()

    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        net/ipv4/inet_hashtables.c
        net/ipv6/inet6_hashtables.c

 net/ipv4/inet_hashtables.c | 2 +-
 net/ipv6/inet6_hashtables.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit fddae6370b7e281ef7d80522d7ffcd89a34de74b
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Oct 3 00:27:20 2013 +0300

    Upstream commit: 1661bf364ae9c506bc8795fef70d1532931be1e8

    net: heap overflow in __audit_sockaddr()

    We need to cap ->msg_namelen or it leads to a buffer overflow when we do the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to exploit this bug.

    The call tree is:
    ___sys_recvmsg()
      move_addr_to_user()
        audit_sockaddr()
          __audit_sockaddr()

    Reported-by: Jüri Aedla <juri.aedla@gmail.com>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        net/compat.c

 net/compat.c | 2 ++
 net/socket.c | 24 ++++++++++++++++++++----
 2 files changed, 22 insertions(+), 4 deletions(-)

commit d77bb8ded8c2498b6def94c132aecdcb8fea6997
Author: Salva Peiró <speiro@ai2.upv.es>
Date:   Wed Oct 16 12:46:50 2013 +0200

    Upstream commit: 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1

    wanxl: fix info leak in ioctl

    The wanxl_ioctl() code fails to initialize the two padding bytes of struct sync_serial_settings after the ->loopback member. Add an explicit memset(0) before filling the structure to avoid the info leak.

    Signed-off-by: Salva Peiró <speiro@ai2.upv.es>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/wanxl.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit ee64f2b6a4fc12e106140a04a86a04fee5b5d268
Author: Geyslan G. Bem <geyslan@gmail.com>
Date:   Fri Oct 11 16:49:16 2013 -0300

    Upstream commit: 3edc8376c06133e3386265a824869cad03a4efd4

    ecryptfs: Fix memory leakage in keystore.c

    In 'decrypt_pki_encrypted_session_key' function: Initializes 'payload' pointer and releases it on exit.

    Signed-off-by: Geyslan G. Bem <geyslan@gmail.com>
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Cc: stable@vger.kernel.org # v2.6.28+

    Conflicts:
        fs/ecryptfs/keystore.c

 fs/ecryptfs/keystore.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 69d8bba850fbf1acbd367763caf969d52c13e9c6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 27 13:29:49 2013 -0400

    This is a replacement patch only for stable which does fix the problems handled by the following two commits in -net:
    "ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9)
    "ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b)

    Three frames are written on a corked udp socket for which the output netdevice has UFO enabled. If the first and third frame are smaller than the mtu and the second one is bigger, we enqueue the second frame with skb_append_datato_frags without initializing the gso fields. This leads to the third frame appended regularly and thus constructing an invalid skb.

    This fixes the problem by always using skb_append_datato_frags as soon as the first frag got enqueued to the skb without marking the packet as SKB_GSO_UDP.

    The problem with only two frames for ipv6 was fixed by "ipv6: udp packets following an UFO enqueued packet need also be handled by UFO" (2811ebac2521ceac84f2bdae402455baa6a7fb47).
    Cc: Jiri Pirko <jiri@resnulli.us>
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Cc: David Miller <davem@davemloft.net>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>

 include/linux/skbuff.h | 5 +++++
 net/ipv4/ip_output.c | 2 +-
 net/ipv6/ip6_output.c | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

commit a6106104c857d0c99cc68db7299cf6d78164c64d
Merge: f489195e 036f7dd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 27 12:59:48 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        drivers/hid/hid-core.c
        drivers/hid/hid-lg2ff.c
        drivers/hid/hid-lg3ff.c
        drivers/hid/hid-lg4ff.c
        drivers/hid/hid-lgff.c
        drivers/hid/hid-zpff.c
        include/linux/hid.h
        net/sctp/ipv6.c

commit 036f7dd38cc46327a6e79debc5268514c479b99f
Merge: dd49aee 8b5ed99
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 27 12:56:31 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

commit f489195e6de890ee1b1d2276da13fdfcdba4ff4c
Merge: f049ec9 dd49aee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Oct 26 08:46:57 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        security/Kconfig

commit dd49aee1dfcb51b636f5eb8bb0c523d1d563997e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Oct 26 08:44:55 2013 -0400

    - fixed miscompilation caused by a kernexec plugin related change in copy_user_generic, by Timo Teräs <timo.teras@iki.f> and Natanael Copa <ncopa@alpinelinux.org> (https://github.com/ncopa/linux-stable-grsec/commit/b8bf456d13988fb38cfe248676327f44a2d2ed2e)
    - updated config help for latent entropy to reflect recent changes

 arch/x86/include/asm/uaccess_64.h | 2 +-
 security/Kconfig | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

commit f049ec9ba734ee867a06d55df02c569e2d76e6df
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Oct 14 15:28:38 2013 +0300

    Upstream commit: 9e5f1721907fcfbd4b575bcafa0314188f7330a5

    yam: integer underflow in yam_ioctl()

    We cap bitrate at YAM_MAXBITRATE in yam_ioctl(), but it could also be negative. I don't know the impact of using a negative bitrate but let's prevent it.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/linux/yam.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 34c978ee09e1c278e003c3de72904c509dffe516
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 18 19:37:48 2013 -0400

    fix up len for tty_set case, from minipli

 kernel/audit.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1e34acd4e5bc1fb0b6f9c290211917dff44b9678
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:43:01 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: netfilter-devel@vger.kernel.org
    Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks

    The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it.

    Cc: Pablo Neira Ayuso <pablo@netfilter.org>
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/ipv4/netfilter/ipt_ULOG.c | 7 +------
 1 files changed, 1 insertions(+), 6 deletions(-)

commit 7d16536e5aec23a39995a0eac31e28c15f8450ba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:41:01 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: netfilter-devel@vger.kernel.org
    Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>, Bart De Schuymer <bart.de.schuymer@pandora.be>
    Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks

    The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it.

    Cc: Bart De Schuymer <bart.de.schuymer@pandora.be>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/bridge/netfilter/ebt_ulog.c | 9 +++------
 1 files changed, 3 insertions(+), 6 deletions(-)

commit 2314e3da07152cfabd1b64ec24e7f4a68328568f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:37:59 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: linux-audit@redhat.com
    Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>
    Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length

    Using the nlmsg_len member of the netlink header to test if the message is valid is wrong as it includes the size of the netlink header itself. Thereby allowing to send short netlink messages that pass those checks.

    Use nlmsg_len() instead to test for the right message length. The result of nlmsg_len() is guaranteed to be non-negative as the netlink message already passed the checks of nlmsg_ok().

    Also switch to min_t() to please checkpatch.pl.

    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd

 kernel/audit.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit df8f0cdfc0f9c62bab6e4ea113b5c64449e6006e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:36:25 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: linux-audit@redhat.com
    Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>
    Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests

    We leak 4 bytes of kernel stack in response to an AUDIT_GET request as we miss to initialize the mask member of status_set. Fix that.
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: stable@vger.kernel.org # v2.6.6+
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 kernel/audit.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 612bf8e03d3abc3dad934275e917910cd11af911
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:35:00 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: Evgeniy Polyakov <zbr@ioremap.net>
    Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org
    Subject: [PATCH 2/4] connector: use nlmsg_len() to check message length

    The current code tests the length of the whole netlink message to be at least as long to fit a cn_msg. This is wrong as nlmsg_len includes the length of the netlink message header. Use nlmsg_len() instead to fix this "off-by-NLMSG_HDRLEN" size check.

    Cc: stable@vger.kernel.org # v2.6.14+
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 drivers/connector/connector.c | 7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 27b743c54cd24429ea4240f658d5619adb95e748
Author: Mathias Krause <minipli@googlemail.com>
Date:   Mon Sep 30 22:03:06 2013 +0200

    Upstream commit: e727ca82e0e9616ab4844301e6bae60ca7327682

    proc connector: fix info leaks

    Initialize event_data for all possible message types to prevent leaking kernel stack contents to userland (up to 20 bytes). Also set the flags member of the connector message to 0 to prevent leaking two more stack bytes this way.

    Cc: stable@vger.kernel.org # v2.6.15+
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        drivers/connector/cn_proc.c

 drivers/connector/cn_proc.c | 36 ++++++++++++++++++++++++++----------
 1 files changed, 26 insertions(+), 10 deletions(-)

commit c9d7d5d95e0415f61bbf33e11b8beb6c4af0aa74
Author: Dave Jones <davej@redhat.com>
Date:   Thu Oct 10 20:05:35 2013 -0400

    Upstream commit: 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc

    ext4: fix memory leak in xattr

    If we take the 2nd retry path in ext4_expand_extra_isize_ea, we potentially return from the function without having freed these allocations. If we don't do the return, we over-write the previous allocation pointers, so we leak either way.

    Spotted with Coverity.

    [ Fixed by tytso to set is and bs to NULL after freeing these pointers, in case in the retry loop we later end up triggering an error causing a jump to cleanup, at which point we could have a double free bug. -- Ted ]

    Signed-off-by: Dave Jones <davej@fedoraproject.org>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Reviewed-by: Eric Sandeen <sandeen@redhat.com>
    Cc: stable@vger.kernel.org

 fs/ext4/xattr.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 15f94d4047a32fb443c1ba1f6b0437e4c886ee1a
Author: Salva Peiró <speiro@ai2.upv.es>
Date:   Fri Oct 11 12:50:03 2013 +0300

    Upstream commit: 96b340406724d87e4621284ebac5e059d67b2194

    farsync: fix info leak in ioctl

    The fst_get_iface() code fails to initialize the two padding bytes of struct sync_serial_settings after the ->loopback member. Add an explicit memset(0) before filling the structure to avoid the info leak.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/farsync.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 5712ae2e739b97d3b7319769efd56a6f28d11d27
Author: Fan Du <fan.du@windriver.com>
Date:   Tue Sep 17 15:14:13 2013 +0800

    Upstream commit: 33fce60d6a6e137035f8e23a89d7fd55f3a24cda

    xfrm: Guard IPsec anti replay window against replay bitmap

    For legacy IPsec anti replay mechanism: bitmap in struct xfrm_replay_state could only provide a 32 bits window size limit in current design, thus user level parameter sadb_sa_replay should honor this limit, otherwise misleading outputs("replay=244") by setkey -D will be:

    192.168.25.2 192.168.22.2
        esp mode=transport spi=147561170(0x08cb9ad2) reqid=0(0x00000000)
        E: aes-cbc  9a8d7468 7655cf0b 719d27be b0ddaac2
        A: hmac-sha1  2d2115c2 ebf7c126 1c54f186 3b139b58 264a7331
        seq=0x00000000 replay=244 flags=0x00000000 state=mature
        created: Sep 17 14:00:00 2013   current: Sep 17 14:00:22 2013
        diff: 22(s)     hard: 30(s)     soft: 26(s)
        last: Sep 17 14:00:00 2013      hard: 0(s)      soft: 0(s)
        current: 1408(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 22   hard: 0 soft: 0
        sadb_seq=1 pid=4854 refcnt=0
    192.168.22.2 192.168.25.2
        esp mode=transport spi=255302123(0x0f3799eb) reqid=0(0x00000000)
        E: aes-cbc  6485d990 f61a6bd5 e5660252 608ad282
        A: hmac-sha1  0cca811a eb4fa893 c47ae56c 98f6e413 87379a88
        seq=0x00000000 replay=244 flags=0x00000000 state=mature
        created: Sep 17 14:00:00 2013   current: Sep 17 14:00:22 2013
        diff: 22(s)     hard: 30(s)     soft: 26(s)
        last: Sep 17 14:00:00 2013      hard: 0(s)      soft: 0(s)
        current: 1408(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 22   hard: 0 soft: 0
        sadb_seq=0 pid=4854 refcnt=0

    And also, optimizing xfrm_replay_check window checking by setting the desirable x->props.replay_window with only doing the comparison once for all when xfrm_state is first born.
Signed-off-by: Fan Du <fan.du@windriver.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> net/key/af_key.c | 3 ++- net/xfrm/xfrm_replay.c | 3 +-- net/xfrm/xfrm_user.c | 3 ++- 3 files changed, 5 insertions(+), 4 deletions(-) commit d1a548f9ae91ab63b92668b0bab71841802fc1c0 Author: Eric Dumazet <edumazet@google.com> Date: Fri Oct 4 10:31:41 2013 -0700 Upstream commit: 5e8a402f831dbe7ee831340a91439e46f0d38acd tcp: do not forget FIN in tcp_shifted_skb() Yuchung found following problem : There are bugs in the SACK processing code, merging part in tcp_shift_skb_data(), that incorrectly resets or ignores the sacked skbs FIN flag. When a receiver first SACK the FIN sequence, and later throw away ofo queue (e.g., sack-reneging), the sender will stop retransmitting the FIN flag, and hangs forever. Following packetdrill test can be used to reproduce the bug. $ cat sack-merge-bug.pkt `sysctl -q net.ipv4.tcp_fack=0` // Establish a connection and send 10 MSS. 0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 +.000 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 +.000 bind(3, ..., ...) = 0 +.000 listen(3, 1) = 0 +.050 < S 0:0(0) win 32792 <mss 1000,sackOK,nop,nop,nop,wscale 7> +.000 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 6> +.001 < . 1:1(0) ack 1 win 1024 +.000 accept(3, ..., ...) = 4 +.100 write(4, ..., 12000) = 12000 +.000 shutdown(4, SHUT_WR) = 0 +.000 > . 1:10001(10000) ack 1 +.050 < . 1:1(0) ack 2001 win 257 +.000 > FP. 10001:12001(2000) ack 1 +.050 < . 1:1(0) ack 2001 win 257 <sack 10001:11001,nop,nop> +.050 < . 1:1(0) ack 2001 win 257 <sack 10001:12002,nop,nop> // SACK reneg +.050 < . 1:1(0) ack 12001 win 257 +0 %{ print "unacked: ",tcpi_unacked }% +5 %{ print "" }% First, a typo inverted left/right of one OR operation, then code forgot to advance end_seq if the merged skb carried FIN. 
Bug was added in 2.6.29 by commit 832d11c5cd076ab ("tcp: Try to restore large SKBs while SACK processing") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Yuchung Cheng <ycheng@google.com> Acked-by: Neal Cardwell <ncardwell@google.com> Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Acked-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net> net/ipv4/tcp_input.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit dfe73820c672cf0ee9b39969359023e4921618d1 Author: Dan Carpenter <dan.carpenter@oracle.com> Date: Tue Sep 24 15:27:45 2013 -0700 Just a whitespace fix to sync with upstream as we already applied this fix via Vasiliy Kulikov in 2010. It fell through the cracks upstream cciss: fix info leak in cciss_ioctl32_passthru() The arg64 struct has a hole after ->buf_size which isn't cleared. Or if any of the calls to copy_from_user() fail then that would cause an information leak as well. This was assigned CVE-2013-2147. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Mike Miller <mike.miller@hp.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Conflicts: drivers/block/cciss.c drivers/block/cciss.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 8a0a3f1c6c95ebc20c8b992388c114376faa8dcd Author: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Date: Tue Sep 24 18:29:11 2013 -0700 Upstream commit: 22356f447ceb8d97a4885792e7d9e4607f712e1b mm: Place preemption point in do_mlockall() loop There is a loop in do_mlockall() that lacks a preemption point, which means that the following can happen on non-preemptible builds of the kernel. Dave Jones reports: "My fuzz tester keeps hitting this. Every instance shows the non-irq stack came in from mlockall. I'm only seeing this on one box, but that has more ram (8gb) than my other machines, which might explain it. 
INFO: rcu_preempt self-detected stall on CPU { 3} (t=6500 jiffies g=470344 c=470343 q=0)
sending NMI to all CPUs:
NMI backtrace for cpu 3
CPU: 3 PID: 29664 Comm: trinity-child2 Not tainted 3.11.0-rc1+ #32
Call Trace:
 lru_add_drain_all+0x15/0x20
 SyS_mlockall+0xa5/0x1a0
 tracesys+0xdd/0xe2"

This commit addresses this problem by inserting the required preemption point.

Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@gmail.com>
Cc: Michel Lespinasse <walken@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mlock.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 76f841370db07c0bccd906a4749eca8c6bd51da2
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Sat Sep 21 06:27:00 2013 +0200

Upstream commit: 2811ebac2521ceac84f2bdae402455baa6a7fb47

ipv6: udp packets following an UFO enqueued packet need also be handled by UFO

In the following scenario the socket is corked: If the first UDP packet is larger than the mtu we try to append it to the write queue via ip6_ufo_append_data. A following packet, which is smaller than the mtu would be appended to the already queued up gso-skb via plain ip6_append_data. This causes random memory corruptions.

In ip6_ufo_append_data we also have to be careful to not queue up the same skb multiple times. So setup the gso frame only when no first skb is available.

This also fixes a shortcoming where we add the current packet's length to cork->length but return early because of a packet > mtu with dontfrag set (instead of subtracting it again).

Found with trinity.

Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_output.c | 53 ++++++++++++++++++++----------------------------
 1 files changed, 22 insertions(+), 31 deletions(-)

commit b1d8b0c3e1570d868dfe92adb7ee9129da6287bd
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Sep 27 21:06:17 2013 -0400

Don't log attempts to create a socket with a family that the kernel doesn't support

Further, if the kernel doesn't support the socket family, instead of returning -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 sockets in RBAC policy despite a kernel that doesn't support ipv6 observed during a Debian userland update necessitating a policy change

 grsecurity/gracl_ip.c | 7 +++----
 net/socket.c | 26 +++++++++++++++-----------
 2 files changed, 18 insertions(+), 15 deletions(-)

commit e3cebf5c349362b3049691d7dcd90b91362105d4
Merge: 132b250 db0cbbc
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Sep 27 20:41:08 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit db0cbbc8fa03a6a74130892082c8e60d6f67d091
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Sep 27 20:40:06 2013 -0400

Update to pax-linux-3.2.51-test122.patch:
- fixed an integer overflow in the ELF loader that happens to be harmless due to another overflow, found by Emese Revfy's new size overflow plugin (not yet released)
- beefed up latent entropy extraction
  - latent_entropy itself will be initialized to a compile-time random value (instead of 0)
  - entropy will be collected from various irq and softirq handlers

 block/blk-iopoll.c | 2 +-
 block/blk-softirq.c | 2 +-
 fs/binfmt_elf.c | 12 +++++++-----
 include/linux/genhd.h | 2 +-
 include/linux/random.h | 4 ++--
 kernel/hrtimer.c | 2 +-
 kernel/rcutiny.c | 2 +-
 kernel/rcutree.c | 2 +-
 kernel/sched_fair.c | 2 +-
 kernel/softirq.c | 4 ++--
 kernel/timer.c | 2 +-
 net/core/dev.c | 4 ++--
 tools/gcc/latent_entropy_plugin.c | 2 +-
 13 files changed, 22 insertions(+), 20 deletions(-)

commit 132b250814211848e5e9f898dab35d17ce16723c
Merge: f257bde 5339a03
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Sep 18 19:05:52 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 5339a032c210e775ccd1664e4492dd620b77499c
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Sep 18 19:05:10 2013 -0400

Update to pax-linux-3.2.51-test121.patch:
- better implementation of __read_only for modules

 arch/x86/include/asm/cache.h | 4 ----
 drivers/net/ethernet/chelsio/cxgb3/sge.c | 6 +++---
 include/linux/cache.h | 4 ++++
 scripts/module-common.lds | 4 ++++
 4 files changed, 11 insertions(+), 7 deletions(-)

commit f257bde95a137146c035b37610149f130bef245c
Merge: f817668 9117d25
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Sep 16 20:41:20 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
 security/security.c

commit 9117d25f8898cdb5c462372820eebfb74471fcc7
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Sep 16 20:40:00 2013 -0400

Update to pax-linux-3.2.51-test120.patch:
- added some latent entropy extraction to fork
- got rid of reset_security_ops
- added compile time checking for unavailable KERNEXEC accessors
- backported 1ecfd533f4c528b0b4cc5bc115c4c47f0b5e4828 (pud leak in alloc_new_pmd)
- build_string doesn't need to account for the null terminator, fix some usage in the kernexec plugin
- fixed NULL deref due to some xfrm constification, reported by marcin1j (http://forums.grsecurity.net/viewtopic.php?f=3&t=3743)
- latent entropy will now be gathered from module init code as well (i.e., at module load/init time)
- __read_only will now be enforced in modules as well
- removed unnecessary __read_only from ntfs

 arch/x86/include/asm/cache.h | 4 ++++
 fs/namespace.c | 2 +-
 fs/ntfs/file.c | 4 ++--
 include/asm-generic/pgtable.h | 8 ++++++++
 include/linux/fdtable.h | 2 +-
 include/linux/init.h | 7 -------
 include/linux/random.h | 10 ++++++++++
 include/linux/security.h | 2 --
 include/net/xfrm.h | 6 +++++-
 init/main.c | 17 +++-------------
 kernel/fork.c | 5 +++--
 mm/mremap.c | 5 ++++-
 mm/page_alloc.c | 1 +
 net/ipv4/xfrm4_policy.c | 4 ++--
 net/ipv6/xfrm6_policy.c | 4 ++--
 net/xfrm/xfrm_policy.c | 11 ++--------
 security/security.c | 13 ++----------
 security/selinux/hooks.c | 9 ++++++---
 tools/gcc/kernexec_plugin.c | 4 ++--
 19 files changed, 58 insertions(+), 60 deletions(-)

commit f8176689855dc2f85ee4fc35d5078e5aeb6e5f02
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Sep 16 14:20:46 2013 -0400

compile fix for sctp/ipv6 backport

 net/sctp/ipv6.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b17a4d698ffa497a8aa2c241a2f9ded6b1e7b713
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Sep 16 12:53:22 2013 -0400

Backport commit from https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec.git/commit/?h=testing&id=4479ff76c43607b680f9349128d8493228b49dce

author Steffen Klassert <steffen.klassert@secunet.com> 2013-09-09 07:39:01 (GMT)
committer Steffen Klassert <steffen.klassert@secunet.com> 2013-09-16 07:39:37 (GMT)

xfrm: Fix replay size checking on async events

We pass the wrong netlink attribute to xfrm_replay_verify_len(). It should be XFRMA_REPLAY_ESN_VAL and not XFRMA_REPLAY_VAL as we are currently doing. This causes memory corruptions if the replay esn attribute has incorrect length. Fix this by passing the right attribute to xfrm_replay_verify_len().

Reported-by: Michael Rossberg <michael.rossberg@tu-ilmenau.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

 net/xfrm/xfrm_user.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f34821983f5328309b3eddc734df6c43cc455b72
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Wed Sep 11 16:58:36 2013 +0200

Upstream commit: 95ee62083cb6453e056562d91f597552021e6ae7

net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit

Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not being encrypted, whereas on IPv4 it is.
Setting up an AH + ESP transport does not seem to have the desired effect:

SCTP + IPv4:

22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116)
 192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72
22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340)
 192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1):

SCTP + IPv6:

22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364)
 fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp
 1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10]

Moreover, Alan says:

This problem was seen with both Racoon and Racoon2. Other people have seen this with OpenSwan. When IPsec is configured to encrypt all upper layer protocols the SCTP connection does not initialize. After using Wireshark to follow packets, this is because the SCTP packet leaves Box A unencrypted and Box B believes all upper layer protocols are to be encrypted so it drops this packet, causing the SCTP connection to fail to initialize. When IPsec is configured to encrypt just SCTP, the SCTP packets are observed unencrypted.

In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext" string on the other end, results in cleartext on the wire where SCTP eventually does not report any errors, thus in the latter case that Alan reports, the non-paranoid user might think he's communicating over an encrypted transport on SCTP although he's not (tcpdump ... -X):

 ...
 0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000 ]p.......}.l....
 0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000 ....plaintext...

Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the receiver side. Initial follow-up analysis from Alan's bug report was done by Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this.
SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit(). This has the implication that it probably never really got updated along with changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers.

SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since a call to inet6_csk_xmit() would solve this problem, but result in unnecessary route lookups, let us just use the cached flowi6 instead that we got through sctp_v6_get_dst().

Since all SCTP packets are being sent through sctp_packet_transmit(), we do the route lookup / flow caching in sctp_transport_route(), hold it in tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst() instead to get the correct source routed dst entry, which we assign to the skb.

Also source address routing example from 625034113 ("sctp: fix sctp to work with ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095 it is actually 'recommended' to not use that anyway due to traffic amplification [1]. So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if we overwrite the flow destination here, the lower IPv6 layer will be unable to put the correct destination address into IP header, as routing header is added in ipv6_push_nfrag_opts() but then probably with wrong final destination.
Things aside, result of this patch is that we do not have any XfrmInTmplMismatch increase plus on the wire with this patch it now looks like:

SCTP + IPv6:

08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba: AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72
08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a: AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296

This fixes Kernel Bugzilla 24412. This security issue seems to be present since 2.6.18 kernels. Let's just hope some big passive adversary in the wild didn't have its fun with that. lksctp-tools IPv6 regression test suite passes as well with this patch.

[1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf

Reported-by: Alan Chester <alan.chester@tekelec.com>
Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Conflicts:
 net/sctp/ipv6.c

 net/sctp/ipv6.c | 45 ++++++++++++++-------------------------------
 1 files changed, 14 insertions(+), 31 deletions(-)

commit 7afcbda7be5e7ccf2e341659213a1f389c7e7aa4
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Sun Sep 8 14:33:50 2013 +1000

Upstream commit: 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa

crypto: api - Fix race condition in larval lookup

crypto_larval_lookup should only return a larval if it created one. Any larval created by another entity must be processed through crypto_larval_wait before being returned. Otherwise this will lead to a larval being killed twice, which will most likely lead to a crash.
Cc: stable@vger.kernel.org
Reported-by: Kees Cook <keescook@chromium.org>
Tested-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Conflicts:
 crypto/api.c

 crypto/api.c | 7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit e8bcf1cecc667aaedb3b804adc3cdfab81609bff
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Sep 14 16:36:24 2013 -0400

Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux

 grsecurity/Kconfig | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 3d59df50f23eab65c537bc4937a78b08fa0095da
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Sep 10 18:33:38 2013 -0400

as mentioned in previous revert, undo the change to kmalloc_array that causes build errors on older GCC versions

 include/linux/slab.h | 10 ----------
 1 files changed, 0 insertions(+), 10 deletions(-)

commit 34a2ff67396d9588db478e26e9a4ca87443a0faf
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Sep 10 18:30:42 2013 -0400

Revert "reverse ordering of kcalloc call with two constant expression args that"

This reverts commit 39c4503ed6669ac69268bede8a6ee4b90c2de60c.
As already done with the 3.10 patch, undo this change and instead use a follow-up patch to undo the entire change to kmalloc_array as it causes build errors with older GCC versions

 drivers/net/ethernet/intel/e1000e/netdev.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 39c4503ed6669ac69268bede8a6ee4b90c2de60c
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Sep 10 18:19:50 2013 -0400

reverse ordering of kcalloc call with two constant expression args that exposes a GCC bug for all but the latest version

 drivers/net/ethernet/intel/e1000e/netdev.c | 5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit 3fb04bec531de5182fa823ec1bbd25645715af49
Merge: c9bdd44 fa5e8ff
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Sep 10 17:15:39 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
 fs/bio.c
 include/linux/slab.h

commit fa5e8ff550a8ba177aceb989316b2a4c69baeeff
Merge: a8bb97c c3f403c
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Sep 10 17:10:33 2013 -0400

Update to pax-linux-3.2.51-test119.patch

Merge branch 'linux-3.2.y' into pax-stable2

Conflicts:
 arch/x86/kernel/sys_x86_64.c
 arch/x86/mm/mmap.c
 include/linux/slab.h

commit c9bdd441c8d58e463af7cb1350a95b4f072d233a
Merge: 0d37569 a8bb97c
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Sep 8 19:50:56 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit a8bb97c7b26562d5be23bdbd37982950861325fb
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Sep 8 19:50:26 2013 -0400

- reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger
- fixed an uninitialized read in splice, reported by hunger

 fs/splice.c | 1 +
 include/linux/syscalls.h | 20 ++++++++++++++------
 2 files changed, 15 insertions(+), 6 deletions(-)

commit 0d375691d6accab268a660e738cd6d7e3d16a9a8
Author: Jakob Bornecrantz <jakob@vmware.com>
Date: Thu Aug 29 02:32:53 2013 +0200

Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f

drm/vmwgfx: Split GMR2_REMAP commands if they are too large

This fixes the piglit test texturing/max-texture-size causing the VM to die due to a too large SVGA command.

Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
Reviewed-by: Biran Paul <brianp@vmware.com>
Reviewed-by: Zack Rusin <zackr@vmware.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@gmail.com>

 drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++-----------
 1 files changed, 39 insertions(+), 19 deletions(-)

commit a4e9394a69199853445956ef2cb94030f6bf5abe
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Sep 5 19:36:23 2013 -0400

fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB

 grsecurity/Kconfig | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 15e432fd1c539aa78522636e5359099ef66f8e9b
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Sep 5 19:17:02 2013 -0400

Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc)

 grsecurity/grsec_sysctl.c | 4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit d4f5c9517a4c6fb244992dd5bec318c48914f5c3
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Sep 5 18:41:49 2013 -0400

Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts

Also eliminate reset_security_ops() as a ROP target when SECURITY_SELINUX_DISABLE is disabled as it's the only user

 grsecurity/Kconfig | 17 ++++++++++++++++-
 grsecurity/grsec_init.c | 3 +++
 grsecurity/grsec_sysctl.c | 2 +-
 security/security.c | 4 ++++
 4 files changed, 24 insertions(+), 2 deletions(-)

commit a4a416ebee17db0240a8ed8ca64b204b613205ca
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Aug 30 17:11:11 2013 -0400

fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast

 grsecurity/grsec_sysctl.c | 7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 9e6662d6335ffbe8ab2c33f0f98bd40b4465d39b
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Aug 28 20:42:39 2013 -0400

add export of gr_handle_new_usb()

 grsecurity/grsec_usb.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 90280ce227d81e81004d3871a930fe5207c6604b
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Aug 28 19:24:47 2013 -0400

Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit
Kees' recent findings are motivation enough to publish it

Conflicts:
 drivers/usb/core/hub.c

 drivers/usb/core/hub.c | 4 ++++
 grsecurity/Kconfig | 20 ++++++++++++++++++++
 grsecurity/Makefile | 3 ++-
 grsecurity/grsec_init.c | 1 +
 grsecurity/grsec_sysctl.c | 11 +++++++++++
 grsecurity/grsec_usb.c | 13 +++++++++++++
 include/linux/grinternal.h | 1 +
 include/linux/grsecurity.h | 2 ++
 8 files changed, 54 insertions(+), 1 deletions(-)

commit 2247ff86d4ee11fb96e70bea4b2c60a52e03974f
Merge: 6414043 0c7e99e
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Sep 1 15:15:57 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 0c7e99e26011b88ded65c1c1ebeb715193620827
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Sep 1 15:15:13 2013 -0400

Update to pax-linux-3.2.50-test118.patch:
- fixed a REFCOUNT false positive, by Mathias Krause <minipli@googlemail.com>
- fixed a bunch more after a quick audit of atomic_inc_return users
- fixed a few more REFCOUNT false positives, by Mathias Krause <minipli@googlemail.com>
- got inet_getid and ipv6_select_ident rid of the cmpxchg loop

 drivers/crypto/hifn_795x.c | 4 ++--
 drivers/edac/edac_device.c | 4 ++--
 drivers/edac/edac_pci.c | 4 ++--
 drivers/firewire/core-card.c | 4 ++--
 drivers/input/serio/serio_raw.c | 4 ++--
 drivers/media/rc/rc-main.c | 4 ++--
 drivers/media/video/ivtv/ivtv-driver.c | 2 +-
 drivers/media/video/v4l2-device.c | 4 ++--
 drivers/net/usb/sierra_net.c | 4 ++--
 drivers/regulator/core.c | 4 ++--
 drivers/tty/hvc/hvsi.c | 14 +++++++-------
 drivers/tty/hvc/hvsi_lib.c | 6 +++---
 drivers/tty/serial/ioc4_serial.c | 6 +++---
 drivers/tty/serial/msm_serial.c | 4 ++--
 drivers/usb/misc/appledisplay.c | 4 ++--
 fs/afs/inode.c | 4 ++--
 fs/fscache/cookie.c | 4 ++--
 include/media/v4l2-device.h | 2 +-
 include/net/inetpeer.h | 13 +++++--------
 kernel/trace/trace_clock.c | 4 ++--
 net/ipv6/ip6_output.c | 15 ++++++--------
 net/xfrm/xfrm_state.c | 4 ++--
 security/selinux/avc.c | 6 +++---
 23 files changed, 59 insertions(+), 65 deletions(-)

commit 6414043ca36390f651f66a33eb5e1c7a553efa0b
Merge: ef56283 70a6353
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Aug 31 21:05:24 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 70a6353af67a7a54baf9c659bb4486b3fd1b1143
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Aug 31 21:04:42 2013 -0400

Update to pax-linux-3.2.50-test117.patch:
- removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy
- __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do
- inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9) Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout (come to the 10th H2HC if you want to learn about the magic behind this and other plugins):
  - icmpv6_filter: no memory corruption, probably just some logical error in the caller
  - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable)
  - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come)
  - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now
  - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network
- fixed a few more format strings
- audited and fixed arm and sparc for proper atomic_unchecked_t usage

 arch/sparc/kernel/smp_64.c | 12 ++++++------
 arch/sparc/kernel/traps_64.c | 14 +++++++-------
 arch/sparc/mm/init_64.c | 10 +++++-----
 arch/x86/include/asm/uaccess_64.h | 2 +-
 drivers/isdn/gigaset/usb-gigaset.c | 2 +-
 drivers/isdn/i4l/isdn_common.c | 2 ++
 drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
 drivers/platform/x86/wmi.c | 2 +-
 drivers/scsi/sd.c | 2 +-
 fs/ntfs/file.c | 2 +-
 fs/ntfs/super.c | 6 +++---
 kernel/events/internal.h | 2 +-
 kernel/futex.c | 2 +-
 mm/filemap.c | 8 ++++----
 net/ieee802154/6lowpan.c | 2 +-
 net/ipv6/raw.c | 2 +-
 net/netfilter/nf_conntrack_proto_dccp.c | 6 +++---
 sound/pci/hda/hda_codec.c | 8 ++------
 tools/gcc/kernexec_plugin.c | 18 ++++++++++++------
 tools/gcc/latent_entropy_plugin.c | 26 ++++++++++----------------
 tools/gcc/size_overflow_plugin.c | 3 +--
 21 files changed, 66 insertions(+), 69 deletions(-)

commit ef5628372d9892795dd0a8696ddc8fab4a74ff3d
Author: Kees Cook <keescook@chromium.org>
Date: Fri Aug 16 08:09:54 2013 -0700

HID: check for NULL field when setting values

Defensively check that the field to be worked on is not NULL.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org

 drivers/hid/hid-core.c | 7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit c8d4736c691ad51231517cc4b10b88d504b10bae
Author: Kees Cook <keescook@chromium.org>
Date: Fri Aug 16 00:11:32 2013 -0700

HID: multitouch: validate feature report details

When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow:

[ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
...
[ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten

CVE-2013-2897

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org

Conflicts:
 drivers/hid/hid-multitouch.c

 drivers/hid/hid-multitouch.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 04c18a2f5869c41af7c7ca6bcdd362f26c427f88
Author: Kees Cook <keescook@chromium.org>
Date: Fri Aug 16 00:18:15 2013 -0700

HID: ntrig: validate feature report details

A HID device could send a malicious feature report that would cause the ntrig HID driver to trigger a NULL dereference during initialization:

[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
...
[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]

CVE-2013-2896

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org

 drivers/hid/hid-ntrig.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 803ebf6239ea33a14617b9254883a1e5f3d6107b
Author: Kees Cook <keescook@chromium.org>
Date: Tue Aug 13 16:49:01 2013 -0700

HID: LG: validate HID output report details

A HID device could send a malicious output report that would cause the lg, lg3, and lg4 HID drivers to write beyond the output report allocation during an event, causing a heap overflow:

[ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
...
[ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten

Additionally, while lg2 did correctly validate the report details, it was cleaned up and shortened.

CVE-2013-2893

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org

 drivers/hid/hid-lg2ff.c | 19 +++----------------
 drivers/hid/hid-lg3ff.c | 29 ++++++-----------------------
 drivers/hid/hid-lg4ff.c | 20 +-------------------
 drivers/hid/hid-lgff.c | 17 ++---------------
 4 files changed, 12 insertions(+), 73 deletions(-)

commit 72799ee97b29034f3f22825044dac1f5da6c8b1a
Author: Kees Cook <keescook@chromium.org>
Date: Wed Aug 14 08:49:21 2013 -0700

HID: pantherlord: validate output report details

A HID device could send a malicious output report that would cause the pantherlord HID driver to write beyond the output report allocation during initialization, causing a heap overflow:

[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
...
[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten

CVE-2013-2892

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org

 drivers/hid/hid-pl.c | 10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit cd970c289f9917510cf33ab0625b8f0d92aeb12b
Author: Kees Cook <keescook@chromium.org>
Date: Wed Aug 14 09:35:07 2013 -0700

HID: zeroplus: validate output report details

The zeroplus HID driver was not checking the size of allocated values in fields it used. A HID device could send a malicious output report that would cause the driver to write beyond the output report allocation during initialization, causing a heap overflow:

[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
...
[ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten

CVE-2013-2889

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org

 drivers/hid/hid-zpff.c | 14 ++------------
 1 files changed, 2 insertions(+), 12 deletions(-)

commit 18895733eb62abaad36afe16b7cfdea8bfd9fce0
Author: Kees Cook <keescook@chromium.org>
Date: Wed Aug 14 14:36:15 2013 -0700

HID: provide a helper for validating hid reports

Many drivers need to validate the characteristics of their HID report during initialization to avoid misusing the reports. This adds a common helper to perform validation of the report, its field count, and the value count within the fields.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org

Conflicts:
 drivers/hid/hid-core.c
 include/linux/hid.h

 drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
 include/linux/hid.h | 4 +++
 2 files changed, 54 insertions(+), 0 deletions(-)

commit 7830d35b25b97bc978d7e1cd7d9e34d8776dc591
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Aug 28 18:07:26 2013 -0400

http://marc.info/?l=linux-input&m=137772180514608&q=raw

From: Kees Cook <keescook@chromium.org>

The "Report ID" field of a HID report is used to build indexes of reports.
The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host:

[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b

CVE-2013-2888

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
---
 drivers/hid/hid-core.c | 10 +++++++---
 include/linux/hid.h | 4 +++-
 2 files changed, 10 insertions(+), 4 deletions(-)

commit 1a60670ca0d3e2175e708b8d7c9739d96113ae3c
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri Aug 9 12:52:31 2013 +0300

Upstream commit: 909bd5926d474e275599094acad986af79671ac9

Hostap: copying wrong data prism2_ioctl_giwaplist()

We want the data stored in "addr" and "qual", but the extra ampersands mean we are copying stack data instead.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f6f0309783be6c4bb46dff80398eb4a944a26f03
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Aug 28 17:00:03 2013 -0400

fix typo in ipv6 backport

 net/ipv6/addrconf.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 800d64cf6f4a9dd14722be1a247dcb490db7e920
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Aug 27 21:25:10 2013 -0400

second compile fix for backported fix

 fs/bio.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit dcb28104a359cbabfb6750f0fc00e7a6d2096e5a
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Aug 27 19:35:11 2013 -0400

compile fix for backported fix

 fs/bio.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c0f11a5a77a475a5f64774a3f2fa65ddc484dfb7
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Fri Aug 16 13:02:27 2013 +0200

Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52

ipv6: remove max_addresses check from ipv6_create_tempaddr

Because of the max_addresses check attackers were able to disable privacy extensions on an interface by creating enough autoconfigured addresses:

<http://seclists.org/oss-sec/2012/q4/292>

But the check is not actually needed: max_addresses protects the kernel to install too many ipv6 addresses on an interface and guards addrconf_prefix_rcv to install further addresses as soon as this limit is reached. We only generate temporary addresses in direct response of a new address showing up. As soon as we filled up the maximum number of addresses of an interface, we stop installing more addresses and thus also stop generating more temp addresses.
Even if the attacker tries to generate a lot of temporary addresses by announcing a prefix and removing it again (lifetime == 0) we won't install more temp addresses, because the temporary addresses do count to the maximum number of addresses, thus we would stop installing new autoconfigured addresses when the limit is reached.

This patch fixes CVE-2013-0343 (but other layer-2 attacks are still possible).

Thanks to Ding Tianhong to bring this topic up again.

Cc: Ding Tianhong <dingtianhong@huawei.com>
Cc: George Kargiotakis <kargig@void.gr>
Cc: P J P <ppandit@redhat.com>
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Ding Tianhong <dingtianhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Conflicts:
 net/ipv6/addrconf.c

 net/ipv6/addrconf.c | 10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

commit de53c8d09bfe74bdcf3d649191882a6e0b816e83
Author: Roland Dreier <roland@purestorage.com>
Date: Mon Aug 5 17:55:01 2013 -0700

Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091

[SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal

There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances leads to one process writing data into the address space of some other random unrelated process if the ioctl is interrupted by a signal. What happens is the following:

- A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the underlying SCSI command will transfer data from the SCSI device to the buffer provided in the ioctl)

- Before the command finishes, a signal is sent to the process waiting in the ioctl.
This will end up waking up the sg_ioctl() code:

    result = wait_event_interruptible(sfp->read_wait,
        (srp_done(sfp, srp) || sdp->detached));

but neither srp_done() nor sdp->detached is true, so we end up just setting srp->orphan and returning to userspace:

    srp->orphan = 1;
    write_unlock_irq(&sfp->rq_list_lock);
    return result; /* -ERESTARTSYS because signal hit process */

At this point the original process is done with the ioctl and blithely goes ahead handling the signal, reissuing the ioctl, etc.

- Eventually, the SCSI command issued by the first ioctl finishes and ends up in sg_rq_end_io(). At the end of that function, we run through:

    write_lock_irqsave(&sfp->rq_list_lock, iflags);
    if (unlikely(srp->orphan)) {
        if (sfp->keep_orphan)
            srp->sg_io_owned = 0;
        else
            done = 0;
    }
    srp->done = done;
    write_unlock_irqrestore(&sfp->rq_list_lock, iflags);

    if (likely(done)) {
        /* Now wake up any sg_read() that is waiting for this
         * packet.
         */
        wake_up_interruptible(&sfp->read_wait);
        kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
        kref_put(&sfp->f_ref, sg_remove_sfp);
    } else {
        INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
        schedule_work(&srp->ew.work);
    }

Since srp->orphan *is* set, we set done to 0 (assuming the userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext() to run in a workqueue.

- In workqueue context we go through sg_rq_end_io_usercontext() -> sg_finish_rem_req() -> blk_rq_unmap_user() -> ... -> bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user().

The key point here is that we are doing copy_to_user() on a workqueue -- that is, we're on a kernel thread with current->mm equal to whatever random previous user process was scheduled before this kernel thread. So we end up copying whatever data the SCSI command returned to the virtual address of the buffer passed into the original ioctl, but it's quite likely we do this copying into a different address space!
As suggested by James Bottomley <James.Bottomley@hansenpartnership.com>, add a check for current->mm (which is NULL if we're on a kernel thread without a real userspace address space) in bio_uncopy_user(), and skip the copy if we're on a kernel thread. There's no reason that I can think of for any caller of bio_uncopy_user() to want to do copying on a kernel thread with a random active userspace address space. Huge thanks to Costa Sapuntzakis <costa@purestorage.com> for the original pointer to this bug in the sg code. Signed-off-by: Roland Dreier <roland@purestorage.com> Tested-by: David Milburn <dmilburn@redhat.com> Cc: Jens Axboe <axboe@kernel.dk> Cc: <stable@vger.kernel.org> Signed-off-by: James Bottomley <JBottomley@Parallels.com> fs/bio.c | 20 +++++++++++++++----- 1 files changed, 15 insertions(+), 5 deletions(-) commit bdf13155a365a0c7a3d53bbd43188fd7f9b61996 Merge: 5c8a915 ada87c4 Author: Brad Spengler <spender@grsecurity.net> Date: Tue Aug 27 18:18:08 2013 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit ada87c4bd0c29b60728b3bc2e9d99d8b82adbdf7 Author: Brad Spengler <spender@grsecurity.net> Date: Tue Aug 27 18:17:28 2013 -0400 Update to pax-linux-3.2.50-test116.patch: - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214) - fixed some new REFCOUNT false positives, caught by inspection fs/ceph/super.c | 4 ++-- kernel/posix-timers.c | 2 +- mm/backing-dev.c | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) commit 5c8a915cc3dff9738d0a40a3b099fa8f17277ae3 Author: Brad Spengler <spender@grsecurity.net> Date: Tue Aug 20 20:17:14 2013 -0400 Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db" This reverts commit e2ea872bcfef59633a5600c1da2c4ea08bb70b57. 
 net/netlink/genetlink.c | 7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit 2a9496a83ed15db6423d2d347bbccdeae50f4cf3
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jun 12 10:37:08 2012 +0300

    Upstream commit: 0439f31c35d1da0b28988b308ea455e38e6a350d

    NFSv4.1: integer overflow in decode_cb_sequence_args()

    This seems like it could overflow on 32 bits.  Use kmalloc_array() which
    has overflow protection built in.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 fs/nfs/callback_xdr.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 87e36df7119c5c2c6f1931d8ecd4f3e44f052147
Author: Xi Wang <xi.wang@gmail.com>
Date:   Mon Mar 5 15:14:41 2012 -0800

    Upstream commit: a8203725dfded5c1f79dca3368a4a273e24b59bb

    slab: introduce kmalloc_array()

    Introduce a kmalloc_array() wrapper that performs integer overflow
    checking without zeroing the memory.

    Suggested-by: Andrew Morton <akpm@linux-foundation.org>
    Suggested-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Pekka Enberg <penberg@kernel.org>

 include/linux/slab.h | 17 ++++++++++++++---
 1 files changed, 14 insertions(+), 3 deletions(-)

commit 463c66be36e70bbaeeff2d474595f20c40fc05db
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Jun 26 10:52:20 2013 +0300

    Upstream commit: bd5fe738e388ceaa32e5171481e0d3ec59f0ccfe

    ALSA: ak4xx-adda: info leak in ak4xxx_capture_source_info()

    "idx" is controlled by the user and can be a negative offset into the
    input_names[] array.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>

 sound/i2c/other/ak4xxx-adda.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a1170de58f01454514217ac0afe5c1f2d31f8921
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Sep 27 22:21:19 2012 +0000

    Upstream commit: f674e72ff1aad23a99c7c205473cf02c85c2ac33

    net/key/af_key.c: add range checks on ->sadb_x_policy_len

    Because sizeof() is size_t then if "len" is negative, it counts as a
    large positive value.

    The call tree looks like:
    pfkey_sendmsg() -> pfkey_process() -> pfkey_spdadd() -> parse_ipsecrequests()

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/key/af_key.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 857e093b0c208917ab38c9251b71c8ea3f712ef0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 12:00:20 2013 -0400

    make kallsyms_lookup_size_offset available to approved source files

 include/linux/kallsyms.h | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit f07d461b42dc443d9d909148f69a4e62ab261e1b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 11:18:09 2013 -0400

    allow use of kallsyms_lookup_name to approved source files

 include/linux/kallsyms.h | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a8274f87643dfb5dbc08c30d7a1b7947d2419463
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 10:52:15 2013 -0400

    Backported version of:

    Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e

    tun: signedness bug in tun_get_user()

    The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
    not totally correct.  Because "len" and "sizeof()" are size_t type, that
    means they are never less than zero.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 82b9361dfb58aae965d82e52310acb5a4451b541
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Mon Aug 5 12:49:35 2013 +0200

    Upstream commit: 7921895a5e852fc99de347bc0600659997de9298

    net: esp{4,6}: fix potential MTU calculation overflows

    Commit 91657eafb ("xfrm: take net hdr len into account for esp payload
    size calculation") introduced a possible integer overflow in
    esp{4,6}_get_mtu() handlers in case of x->props.mode equals
    XFRM_MODE_TUNNEL. Thus, the following expression will overflow

      unsigned int net_adj;
      ...
      <case ipv{4,6} XFRM_MODE_TUNNEL>
      net_adj = 0;
      ...
      return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
               net_adj) & ~(align - 1)) + (net_adj - 2);

    where (net_adj - 2) would be evaluated as <foo> + (0 - 2) in an unsigned
    context. Fix it by simply removing brackets as those operations here do
    not need to have special precedence.

    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Benjamin Poirier <bpoirier@suse.de>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Acked-by: Benjamin Poirier <bpoirier@suse.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/esp4.c | 2 +-
 net/ipv6/esp6.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 37dcd45822cb5be56c9deeea40e5a81910b5965a
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Aug 5 11:18:49 2013 -0700

    Upstream commit: aab515d7c32a34300312416c50314e755ea6f765

    fib_trie: remove potential out of bound access

    AddressSanitizer [1] dynamic checker pointed a potential out of bound
    access in leaf_walk_rcu()

    We could allocate one more slot in tnode_new() to leave the prefetch()
    in-place but it looks not worth the pain.
    Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode")

    [1] :
    https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel

    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/fib_trie.c | 5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit 99d235022ef6b4a40301bb285dbf6561e25dd8a0
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Thu Jul 25 10:37:49 2013 +0200

    Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd

    netfilter: xt_TCPMSS: fix handling of malformed TCP header and options

    Make sure the packet has enough room for the TCP header and that it is
    not malformed.

    While at it, store tcph->doff*4 in a variable, as it is used several
    times.

    This patch also fixes a possible off by one in case of malformed TCP
    options.

    Reported-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------
 1 files changed, 16 insertions(+), 12 deletions(-)

commit 417e051f405ad586533ac9a0856c428f052373ff
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Aug 1 12:36:57 2013 +0300

    Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981

    netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message

    These structs have a "_pad" member.  Also the "phw" structs have an 8
    byte "hw_addr[]" array but sometimes only the first 6 bytes are
    initialized.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

    Conflicts:
        net/netfilter/nfnetlink_queue_core.c

 net/netfilter/nfnetlink_log.c   | 6 +++++-
 net/netfilter/nfnetlink_queue.c | 5 ++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

commit e55c78bca09694350aed5690876dd018916a6e15
Author: Yuchung Cheng <ycheng@google.com>
Date:   Fri Aug 9 17:21:27 2013 -0700

    Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296

    netfilter: nf_conntrack: fix tcp_in_window for Fast Open

    Currently the conntrack checks if the ending sequence of a packet
    falls within the observed receive window. However it does so even
    if it has not observed any packet from the remote yet and uses an
    uninitialized receive window (td_maxwin).

    If a connection uses Fast Open to send a SYN-data packet which is
    dropped afterward in the network, the subsequent SYN retransmits
    will all fail this check and be discarded, leading to a connection
    timeout. This is because the SYN retransmit does not contain data
    payload so

    end == initial sequence number (isn) + 1
    sender->td_end == isn + syn_data_len
    receiver->td_maxwin == 0

    The fix is to only apply this check after td_maxwin is initialized.

    Reported-by: Michael Chan <mcfchan@stanford.edu>
    Signed-off-by: Yuchung Cheng <ycheng@google.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit e2ea872bcfef59633a5600c1da2c4ea08bb70b57
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Aug 13 09:04:05 2013 +0200

    Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db

    genetlink: fix family dump race

    When dumping generic netlink families, only the first dump call is
    locked with genl_lock(), which protects the list of families, and
    thus subsequent calls can access the data without locking, racing
    against family addition/removal. This can cause a crash. Fix it -
    the locking needs to be conditional because the first time around
    it's already locked.

    A similar bug was reported to me on an old kernel (3.4.47) but the
    exact scenario that happened there is no longer possible, on those
    kernels the first round wasn't locked either. Looking at the
    current code I found the race described above, which had also
    existed on the old kernel.

    Cc: stable@vger.kernel.org
    Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/netlink/genetlink.c | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 820289eae39d1945d5fb84913c3dfc4e8c0e33d8
Author: Stephen Boyd <sboyd@codeaurora.org>
Date:   Wed Aug 7 16:18:08 2013 -0700

    Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb

    perf/arm: Fix armpmu_map_hw_event()

    Fix constraint check in armpmu_map_hw_event().
    Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
    Cc: <stable@kernel.org>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/arm/kernel/perf_event.c | 7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 4ab64e69bc1dc398e4f511e06a29dd2647f1f3ec
Merge: 9e87b47 7653058
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 09:17:40 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        fs/exec.c
        security/Kconfig

commit 765305847a7259e4ca5d577e8c9a778c9f454aec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 09:15:16 2013 -0400

    Update to pax-linux-3.2.50-test115.patch:
    - added a few more missing format strings
    - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable
    - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time
    - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692)
    - disabled preemption when calling show_regs, reported by Corey Minyard

 arch/x86/include/asm/processor.h           |  3 +-
 arch/x86/kernel/dumpstack.c                |  2 +-
 arch/x86/kernel/reboot_fixups_32.c         |  2 +-
 drivers/net/wireless/iwlwifi/iwl-debugfs.c |  8 ++--
 drivers/video/backlight/backlight.c        |  2 +-
 drivers/video/backlight/lcd.c              |  2 +-
 fs/binfmt_elf.c                            | 51 ++++++++++++++++++++++++---
 fs/exec.c                                  | 52 ++++++++++++++--------------
 include/linux/math64.h                     |  2 +-
 include/linux/sched.h                      |  2 +
 security/Kconfig                           |  2 -
 11 files changed, 85 insertions(+), 43 deletions(-)

commit 9e87b47004741f7a5b4a9e3f4508ff1b0a4587df
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 08:58:34 2013 -0400

    Fix two harmless compiler warnings

    Conflicts:
        arch/arm/kernel/process.c
        fs/exec.c

 arch/arm/kernel/process.c | 4 ++--
 fs/exec.c                 | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

commit 804a8eb5f0c84b00927bee2644d976c349ba9159
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 22:46:01 2013 -0400

    Fix HIDESYM compatibility with kprobes, as reported by feandil at:
    http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376

 include/linux/kallsyms.h | 2 +-
 kernel/kprobes.c         | 3 +++
 2 files changed, 4 insertions(+), 1 deletions(-)

commit 20fd4b46f7b4f0c43f6e5c58738c75c9c7693fbd
Author: yonghua zheng <younghua.zheng@gmail.com>
Date:   Tue Aug 13 16:01:03 2013 -0700

    fs/proc/task_mmu.c: fix buffer overflow in add_page_map()

    Recently we met quite a lot of random kernel panic issues after enabling
    CONFIG_PROC_PAGE_MONITOR.  After debugging we found this has something
    to do with following bug in pagemap:

    In struct pagemapread:

      struct pagemapread {
          int pos, len;
          pagemap_entry_t *buffer;
          bool v2;
      };

    pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
    buffer, it is a mistake to compare pos and len in add_page_map() for
    checking buffer is full or not, and this can lead to buffer overflow
    and random kernel panic issue.

    Correct len to be total number of PM_ENTRY_BYTES in buffer.

    [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
    Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Conflicts:
        fs/proc/task_mmu.c

    Conflicts:
        fs/proc/task_mmu.c

 fs/proc/task_mmu.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a07c5eedb6844c751a6148014846beaf83d1be7c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 10 09:45:03 2013 -0400

    Fix compilation of sparc64 hugetlbpage support as reported by @tweetkiba
    Also pass through the same offset from the main function instead of recomputing it for bottomup/topdown

 arch/sparc/mm/hugetlbpage.c | 14 +++++++-------
 1 files changed, 7 insertions(+), 7 deletions(-)

commit 6dcdcd3d6777018c50df4fbd17c279ccf4a27d24
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:54:51 2013 -0400

    add include

 grsecurity/grsec_log.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e615489ea0edd10937af2f818db3262e4c7c7bf6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:49:13 2013 -0400

    fix compilation

 include/linux/grinternal.h | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit bdd549716c40da0eb8962c9c81f42c0a828b68ed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 19:00:24 2013 -0400

    Improve PaX reporting (tells when anon mapping is stack or heap)
    Remove textrel logging option, combine into rwx logging option
    Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary
    Enhance RWX mprotect logging to display stack/heap instead of just anon mapping

 fs/binfmt_elf.c            | 37 +++++++++++++++++++++++++++++++++++++
 fs/exec.c                  |  6 +++++-
 grsecurity/Kconfig         | 21 +++++----------------
 grsecurity/grsec_init.c    |  4 ----
 grsecurity/grsec_log.c     | 14 ++++++++++++++
 grsecurity/grsec_pax.c     | 19 ++++++++++++++-----
 grsecurity/grsec_sysctl.c  |  9 ---------
 include/linux/binfmts.h    |  1 +
 include/linux/grinternal.h |  2 +-
 include/linux/grmsg.h      |  3 ++-
 include/linux/grsecurity.h |  3 ++-
 mm/mmap.c                  |  7 +++++++
 mm/mprotect.c              |  2 +-
 13 files changed, 89 insertions(+), 39 deletions(-)

commit 0062d20760262f571ea73d7552f3b988b1462d02
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 17:58:42 2013 -0400

    Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla:
    https://bugs.gentoo.org/show_bug.cgi?id=382793

 security/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 251569e894236166173f1428d0d1832fe796030b
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jul 30 13:23:39 2013 +0300

    Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20

    net_sched: info leak in atm_tc_dump_class()

    The "pvc" struct has a hole after pvc.sap_family which is not cleared.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sched/sch_atm.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 94ae607f84326bd66b84e3e5b1609ba167886885
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 16:05:41 2013 -0400

    silence a warning on older gcc

 grsecurity/gracl.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f45d2cfb34e95d5b5c656df2b26613cb9d3d97ea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 21:42:55 2013 -0400

    Backport compat policy loading code

 grsecurity/Makefile          |   4 +
 grsecurity/gracl.c           | 409 ++++++++++++++++++++++++++----------------
 grsecurity/gracl_compat.c    | 269 +++++++++++++++++++++++++++
 include/linux/gracl_compat.h | 156 ++++++++++++++++
 4 files changed, 686 insertions(+), 152 deletions(-)

commit 9c7605f64b02c6b94db832f4a57290c38f72e54d
Merge: 6fadc6a 1df70ea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 21:31:12 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 1df70eaa47fb609dbdec1960452b9482d59d54e0
Merge: 5bb2b04 401390f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 21:31:02 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

commit 6fadc6ac32eec19ee132b4edec3ed7f5243e7028
Merge: 68e0df3 5bb2b04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 28 10:14:30 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        fs/ubifs/dir.c

commit 5bb2b04b9c745a794f2ed2d3e5b2130e302067c6
Merge: f76df1c 66421b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 28 10:13:28 2013 -0400

    Update to pax-linux-3.2.49-test113.patch
    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        crypto/algapi.c
        drivers/block/nbd.c

commit 68e0df31eefcf4b051a84f8d3e6b52da64f7afdf
Merge: a0dc481 f76df1c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jul 26 13:05:11 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit f76df1c7c91cdd37d8d7b71b6b4e276ca1bc306c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jul 26 13:04:44 2013 -0400

    Update to pax-linux-3.2.47-test113.patch:
    - introduced per-slab object sanitization, contributed by Mathias Krause and secunet. this is finer grained sanitization than the existing per-page based approach (which is still done) at a somewhat higher performance cost. the pax_sanitize_slab command line option can be used to enable/disable it on boot (it's enabled by default when CONFIG_PAX_MEMORY_SANITIZE is enabled).

 Documentation/kernel-parameters.txt |  4 +++
 fs/buffer.c                         |  2 +-
 fs/dcache.c                         |  3 +-
 include/linux/slab.h                | 16 +++++++++++++++
 include/linux/slab_def.h            |  4 +++
 kernel/fork.c                       |  2 +-
 mm/mm_init.c                        | 11 ++++++++++
 mm/rmap.c                           |  6 +++-
 mm/slab.c                           | 36 ++++++++++++++++++++++++++++++++--
 mm/slob.c                           |  5 ++++
 mm/slub.c                           |  8 +++++++
 net/core/skbuff.c                   |  6 +++-
 security/Kconfig                    | 23 ++++++++++++++++-----
 13 files changed, 110 insertions(+), 16 deletions(-)

commit a0dc48125e39f7b495a1df2335207447fea46cc2
Merge: 9c4c539 189cbbf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 19:58:08 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 189cbbf2e2a4b7688a23770c9dd9528599848333
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 19:57:01 2013 -0400

    Update to pax-linux-3.2.47-test112.patch:
    - fixed an i386 regression with the lower address space gap on i386, reported by cnu

 arch/sparc/kernel/sys_sparc_64.c | 6 +++---
 fs/exec.c                        | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

commit 9c4c5396a7d5d1fc90820fe2ed85c31e51051532
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Jul 20 03:13:55 2013 +0400

    Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2

    livelock avoidance in sget()

    Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about
    to fail.  The superblock is on ->fs_supers, ->s_umount is held exclusive,
    ->s_active is 1.  Along comes two more processes, trying to mount the same
    thing; sget() in each is picking that superblock, bumping ->s_count and
    trying to grab ->s_umount.  ->s_active is 3 now.  Original mount(2)
    finally gets to deactivate_locked_super() on failure; ->s_active is 2,
    superblock is still ->fs_supers because shutdown will *not* happen until
    ->s_active hits 0.  ->s_umount is dropped and now we have two processes
    chasing each other:

    s_active = 2, A acquired ->s_umount, B blocked
    A sees that the damn thing is stillborn, does deactivate_locked_super()
    s_active = 1, A drops ->s_umount, B gets it
    A restarts the search and finds the same superblock.  And bumps it ->s_active.
    s_active = 2, B holds ->s_umount, A blocked on trying to get it
    ... and we are in the earlier situation with A and B switched places.

    The root cause, of course, is that ->s_active should not grow until we'd
    got MS_BORN.  Then failing ->mount() will have deactivate_locked_super()
    shut the damn thing down.  Fortunately, it's easy to do - the key point
    is that grab_super() is called only for superblocks currently on ->fs_supers,
    so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and
    bump ->s_active; we must never increment ->s_count for superblocks past
    ->kill_sb(), but grab_super() is never called for those.

    The bug is pretty old; we would've caught it by now, if not for accidental
    exclusion between sget() for block filesystems; the things like cgroup or
    e.g. mtd-based filesystems don't have anything of that sort, so they get
    bitten.  The right way to deal with that is obviously to fix sget()...

    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/super.c | 25 ++++++++++--------------
 1 files changed, 10 insertions(+), 15 deletions(-)

commit 65937dd498b405c91885085f7de8af39282f1de1
Author: Xi Wang <xi.wang@gmail.com>
Date:   Thu May 31 16:26:04 2012 -0700

    introduce SIZE_MAX

    ULONG_MAX is often used to check for integer overflow when calculating
    allocation size.  While ULONG_MAX happens to work on most systems, there
    is no guarantee that `size_t' must be the same size as `long'.
    This patch introduces SIZE_MAX, the maximum value of `size_t', to
    improve portability and readability for allocation size validation.

    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Acked-by: Alex Elder <elder@dreamhost.com>
    Cc: David Airlie <airlied@linux.ie>
    Cc: Pekka Enberg <penberg@kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Conflicts:
        fs/ceph/snap.c
        include/linux/slab.h

 include/drm/drm_mem_util.h | 4 ++--
 include/linux/kernel.h     | 1 +
 include/linux/slab.h       | 3 +--
 3 files changed, 4 insertions(+), 4 deletions(-)

commit 671c16c479adef3ba3f041e7a684896eafa030f4
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Jul 12 09:39:03 2013 +0300

    Upstream commit: b2781e1021525649c0b33fffd005ef219da33926

    svcrdma: underflow issue in decode_write_list()

    My static checker marks everything from ntohl() as untrusted and it
    complains we could have an underflow problem doing:

        return (u32 *)&ary->wc_array[nchunks];

    Also on 32 bit systems the upper bound check could overflow.

    Cc: stable@vger.kernel.org
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>

 net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------
 1 files changed, 14 insertions(+), 6 deletions(-)

commit 03f98d656f32436ab6fdac890dfb7772db30245c
Author: Tom Tucker <tom@ogc.us>
Date:   Wed Feb 15 11:30:00 2012 -0600

    Upstream commit: cec56c8ff5e28f58ff13041dca7853738ae577a1

    svcrdma: Cleanup sparse warnings in the svcrdma module

    The svcrdma transport was un-marshalling requests in-place. This resulted
    in sparse warnings due to __beXX data containing both NBO and HBO data.

    The code has been restructured to do byte-swapping as the header is
    parsed instead of when the header is validated immediately after receipt.

    Also moved extern declarations for the workqueue and memory pools to the
    private header file.

    Signed-off-by: Tom Tucker <tom@ogc.us>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>

 include/linux/sunrpc/svc_rdma.h          |  2 +-
 net/sunrpc/xprtrdma/svc_rdma.c           |  1 +
 net/sunrpc/xprtrdma/svc_rdma_marshal.c   | 66 +++++++----------------------
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c  | 20 +++++----
 net/sunrpc/xprtrdma/svc_rdma_sendto.c    | 26 ++++++-----
 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +----
 net/sunrpc/xprtrdma/xprt_rdma.h          |  7 +++
 7 files changed, 51 insertions(+), 81 deletions(-)

commit 868ce42c85265f226d92eb8a4f7de2323cf909e6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 16 20:40:24 2013 -0400

    allow viewing of ecryptfs version under SYSFS_RESTRICT

 fs/sysfs/dir.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1260485ad5ba01ffbe8061990b016bbe4f5341a1
Author: Michal Schmidt <mschmidt@redhat.com>
Date:   Mon Jul 1 17:23:30 2013 +0200

    ethtool: make .get_dump_data() harder to misuse by drivers

    As the patch "bnx2x: remove zeroing of dump data buffer" showed, it is
    too easy to implement .get_dump_data incorrectly in a driver. Let's make
    sure drivers cannot get confused by userspace requesting a too big dump.

    Also WARN if the driver sets dump->len to something weird and make sure
    the length reported to userspace is the actual length of data copied to
    userspace.

    Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
    Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/ethtool.c | 21 ++++++++++++++++++++-
 1 files changed, 20 insertions(+), 1 deletions(-)

commit a4f05ca2e193b208add48dd0bf2102d5c9389ca2
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Jul 2 09:02:07 2013 +0800

    l2tp: add missing .owner to struct pppox_proto

    Add missing .owner of struct pppox_proto. This prevents the
    module from being removed from underneath its users.

    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 1bc0c45722231b226f08ed71ad8a5366fe57743f
Author: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Date:   Sun Jun 30 14:37:11 2013 +1000

    cxgb3: Missing rtnl lock in error recovery

    When exercising error injection on IBM pseries machine, I hit the
    following warning:

    [  251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2
    [  253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142)
    [  253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100
    [  254.895437] RTNL: assertion failed at net/core/dev.c (2031)
    [  254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19
    [  254.895474] Call Trace:
    [  254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable)
    [  254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c
    [  254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230
    [  254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3]
    [  254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3]
    [  254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0
    [  254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190
    [  254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330
    [  254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0
    [  254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0
    [  254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80

    It appears that t3_resume_ports() is called with the rtnl_lock held
    from the fatal error task but not from the PCI error callbacks. This
    fixes it.

    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: David S.
    Miller <davem@davemloft.net>

 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit fee9f261fe65cb61c0469180ccb82a9348b03812
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Jul 1 20:21:30 2013 +0200

    ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data

    We accidentally call down to ip6_push_pending_frames when uncorking
    pending AF_INET data on an ipv6 socket. This results in the following
    splat (from Dave Jones):

    skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
    ------------[ cut here ]------------
    kernel BUG at net/core/skbuff.c:126!
    invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
    CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
    RIP: 0010:[<ffffffff816e759c>]  [<ffffffff816e759c>] skb_panic+0x63/0x65
    Call Trace:
     [<ffffffff8159a9aa>] skb_push+0x3a/0x40
     [<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
     [<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
     [<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
     [<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
     [<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
     [<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
     [<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
     [<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
     [<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
     [<ffffffff816f5d54>] tracesys+0xdd/0xe2

    This patch adds a check if the pending data is of address family AF_INET
    and directly calls udp_push_pending_frames from udp_v6_push_pending_frames
    if that is the case.

    This bug was found by Dave Jones with trinity.

    (Also move the initialization of fl6 below the AF_INET check, even
    if not strictly necessary.)

    Cc: Dave Jones <davej@redhat.com>
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/udp.h | 1 +
 net/ipv4/udp.c    | 3 ++-
 net/ipv6/udp.c    | 7 ++++++-
 3 files changed, 9 insertions(+), 2 deletions(-)

commit 4c257cabf004ccfb84605d8fab7bba27aa4673b7
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Tue Jul 2 08:04:05 2013 +0200

    ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size

    If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track
    of this when appending the second frame on a corked socket. This results
    in the following splat:

    [37598.993962] ------------[ cut here ]------------
    [37598.994008] kernel BUG at net/core/skbuff.c:2064!
    [37598.994008] invalid opcode: 0000 [#1] SMP
    [37598.994008] CPU 0
    [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
    [37598.994008] RIP: 0010:[<ffffffff815443a5>]  [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
    [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
    [37598.994008] Call Trace:
    [37598.994008]  [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
    [37598.994008]  [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
    [37598.994008]  [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
    [37598.994008]  [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
    [37598.994008]  [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
    [37598.994008]  [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
    [37598.994008]  [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
    [37598.994008]  [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
    [37598.994008]  [<ffffffff810135d1>] ?
__switch_to+0x181/0x4a0 [37598.994008] [<ffffffff8153d97d>] sys_sendto+0x12d/0x180 [37598.994008] [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0 [37598.994008] [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240 [37598.994008] [<ffffffff8166a7e7>] tracesys+0xdd/0xe2 [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48 [37598.994008] RIP [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330 [37598.994008] RSP <ffff88003670da18> [37599.007323] ---[ end trace d69f6a17f8ac8eee ]--- While there, also check if path mtu discovery is activated for this socket. The logic was adapted from ip6_append_data when first writing on the corked socket. This bug was introduced with commit 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec fragment"). v2: a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE. b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao feng, thanks!). c) Change mtu to unsigned int, else we get a warning about non-matching types because of the min()-macro type-check. Acked-by: Gao feng <gaofeng@cn.fujitsu.com> Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net> net/ipv6/ip6_output.c | 16 ++++++++++------ 1 files changed, 10 insertions(+), 6 deletions(-) commit 51eda273360f39fb15e6b1ec548379d88046a780 Author: Tyler Hicks <tyhicks@canonical.com> Date: Thu Jun 20 13:13:59 2013 -0700 libceph: Fix NULL pointer dereference in auth client code A malicious monitor can craft an auth reply message that could cause a NULL function pointer dereference in the client's kernel. To prevent this, the auth_none protocol handler needs an empty ceph_auth_client_ops->build_request() function. 
    CVE-2013-1059

    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Chanam Park <chanam.park@hkpco.kr>
    Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
    Reviewed-by: Sage Weil <sage@inktank.com>
    Cc: stable@vger.kernel.org

 net/ceph/auth_none.c | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 27d9c8c8bc887a5a9eae1e420cb68bd226a305e1
Author: Eric Paris <eparis@redhat.com>
Date:   Wed Jul 3 15:08:29 2013 -0700

    fork: reorder permissions when violating number of processes limits

    When a task is attempting to violate the RLIMIT_NPROC limit we have a
    check to see if the task is sufficiently privileged. The check first
    looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is
    uid=0.

    A result is that tasks which are allowed by the uid=0 check are first
    checked against the security subsystem. This results in the security
    subsystem auditing a denial for sys_admin and sys_resource and then the
    task passing the uid=0 check.

    This patch rearranges the code to first check uid=0, since if we pass
    that we shouldn't hit the security system at all. We then check
    sys_resource, since it is the smallest capability which will solve the
    problem. Lastly we check the fallback everything cap_sysadmin. We don't
    want to give this capability many places since it is so powerful.

    This will eliminate many of the false positive/needless denial messages
    we get when a root task tries to violate the nproc limit. (note that
    kthreads count against root, so on a sufficiently large machine we can
    actually get past the default limits before any userspace tasks are
    launched.)

    Signed-off-by: Eric Paris <eparis@redhat.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/fork.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 49aae3c3a876328afdd7a94cda92b7bb906ce109
Author: Chen Gang <gang.chen@asianux.com>
Date:   Sat Jun 22 13:26:09 2013 +0800

    arch: sparc: kernel: check the memory length before use strcpy().

    For the related next strcpy(), the destination length is less than 512,
    but the source maximize length may be 'OPROMMAXPARAM' (4096) which is
    more than 512.

    One work flow may:
      openprom_sunos_ioctl() ->
        if (cmd == OPROMSETOPT)
          getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'.
        opromsetopt() -> divide the buffer into 'var' and 'value'
          of_set_property() -> pass
            prom_setprop() -> pass
              ldom_set_var()

    And do not mind the additional 4 alignment buffer increasing, since
    'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least.

    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/kernel/ds.c | 10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit 7b838c7bb44f6ab7c39040d8421af2c40c466499
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 21:00:14 2013 -0400

    increase requested size for module arguments, previous size was
    off-by-one but not an issue due to it being a fixed size in a larger
    fixed-size slab cache

 kernel/kmod.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit dca099b162dadc36cc39e44fd607ea06b5530cc9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jul 5 00:02:38 2013 -0400

    remove extra case we don't need to handle with RAND_THREADSTACK as we
    only act on ASLR-enabled binaries

 mm/mmap.c | 10 +++-------
 1 files changed, 3 insertions(+), 7 deletions(-)

commit 65505689cfb68197e5bb1ab9fe70149146eabac6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 23:05:14 2013 -0400

    always enforce a non-zero gap for RAND_THREADSTACK

 mm/mmap.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 231d8e775ff3ba8d5364641f726f112428af6912
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 22:49:10 2013 -0400

    move location of RAND_THREADSTACK handling in relation to the
    heap/stack gap code

 mm/mmap.c | 20 +++++++++++---------
 1 files changed, 11 insertions(+), 9 deletions(-)

commit 64f38101ea14d7e72ef6004dbd409f21de9871fa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 22:28:08 2013 -0400

    compile fix

 mm/mmap.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 172164199f87ba97b6a84b082373dcf650388c11
Merge: bc5dba0 eac2752
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 22:23:28 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit bc5dba0401cc28f8fa9d6acedbc84a091b5b713e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 22:01:44 2013 -0400

    Modify the probe addr in the new heap/stack gap code

 mm/mmap.c | 10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)
commit 40a20777f12984e72a98a28bc577e9503c5e59e4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 21:44:54 2013 -0400

    Update GRKERNSEC_RAND_THREADSTACK for the new heap-stack gap code

 arch/alpha/kernel/osf_sys.c      |  2 +-
 arch/arm/mm/mmap.c               |  4 ++--
 arch/frv/mm/elf-fdpic.c          |  6 +++---
 arch/ia64/kernel/sys_ia64.c      |  2 +-
 arch/ia64/mm/hugetlbpage.c       |  2 +-
 arch/mips/mm/mmap.c              | 13 +++++++------
 arch/parisc/kernel/sys_parisc.c  |  4 ++--
 arch/powerpc/mm/slice.c          |  6 +++---
 arch/sh/mm/mmap.c                | 15 ++++++++-------
 arch/sparc/kernel/sys_sparc_32.c |  2 +-
 arch/sparc/kernel/sys_sparc_64.c | 15 ++++++++-------
 arch/sparc/mm/hugetlbpage.c      | 13 +++++++------
 arch/x86/kernel/head_64.S        |  1 -
 arch/x86/kernel/sys_i386_32.c    | 15 ++++++++-------
 arch/x86/kernel/sys_x86_64.c     | 10 +++++-----
 arch/x86/mm/hugetlbpage.c        |  6 +++---
 arch/x86/mm/init.c               |  7 +++++++
 arch/x86/mm/init_32.c            |  6 ------
 arch/x86/mm/init_64.c            |  6 ------
 arch/x86/platform/efi/efi_32.c   |  5 +++++
 arch/x86/platform/efi/efi_64.c   | 10 ++++++++++
 fs/hugetlbfs/inode.c             |  2 +-
 include/linux/sched.h            |  2 +-
 mm/mmap.c                        | 36 ++++++++++++++++++++++--------------
 24 files changed, 106 insertions(+), 84 deletions(-)

commit eac2752de8a4e15d65bb08f9186e5171bc46c466
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 20:58:16 2013 -0400

    Update to pax-linux-3.2.47-test110.patch:
    - fixed the heap-stack gap enforcement logic under STACK_GROWSUP, reported by spender
    - backported the EFI boot fix (https://bugs.gentoo.org/show_bug.cgi?id=471626)

 arch/alpha/kernel/osf_sys.c      |  2 +-
 arch/arm/mm/mmap.c               |  4 ++--
 arch/frv/mm/elf-fdpic.c          |  6 +++---
 arch/ia64/kernel/sys_ia64.c      |  2 +-
 arch/ia64/mm/hugetlbpage.c       |  2 +-
 arch/mips/mm/mmap.c              | 13 +++++++------
 arch/parisc/kernel/sys_parisc.c  |  4 ++--
 arch/powerpc/mm/slice.c          |  6 +++---
 arch/sh/mm/mmap.c                | 15 ++++++++-------
 arch/sparc/kernel/sys_sparc_32.c |  2 +-
 arch/sparc/kernel/sys_sparc_64.c | 15 ++++++++-------
 arch/sparc/mm/hugetlbpage.c      | 13 +++++++------
 arch/x86/kernel/head_64.S        |  1 -
 arch/x86/kernel/sys_i386_32.c    | 15 ++++++++-------
 arch/x86/kernel/sys_x86_64.c     | 10 +++++-----
 arch/x86/mm/hugetlbpage.c        |  6 +++---
 arch/x86/mm/init.c               |  7 +++++++
 arch/x86/mm/init_32.c            |  6 ------
 arch/x86/mm/init_64.c            |  6 ------
 arch/x86/platform/efi/efi_32.c   |  5 +++++
 arch/x86/platform/efi/efi_64.c   | 10 ++++++++++
 fs/hugetlbfs/inode.c             |  2 +-
 include/linux/sched.h            |  2 +-
 mm/mmap.c                        | 36 ++++++++++++++++++++++--------------
 24 files changed, 106 insertions(+), 84 deletions(-)

commit 5116eda98f4fc1c2f8f05158950fcfccaade35d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 16:09:28 2013 -0400

    fix up file comparisons

    Conflicts:

        grsecurity/grsec_sig.c
        include/linux/grinternal.h

 grsecurity/gracl_segv.c    |  2 +-
 grsecurity/grsec_sig.c     |  4 ++--
 include/linux/grinternal.h | 12 ++++++++++++
 3 files changed, 15 insertions(+), 3 deletions(-)

commit e1706f8c3936210478a8d6aa4fd2f4ecbb81f421
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 15:33:18 2013 -0400

    fix suid binary matching

    Conflicts:

        grsecurity/grsec_sig.c

 grsecurity/grsec_sig.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f07120add1c9c50b6d2d2d754573386a4d69e3dd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 13:46:02 2013 -0400

    fix typo

 grsecurity/gracl.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 935d800c28279a4d17015038957584d6716ebe59
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 13:31:24 2013 -0400

    update log arguments

 grsecurity/grsec_sig.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f2adf4ab53097ebb464339c8537f514a9dfb9b0d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 13:20:23 2013 -0400

    Update logging of suid exec ban

 grsecurity/grsec_sig.c | 2 +-
 include/linux/grmsg.h  | 1 +
 2 files changed, 2 insertions(+), 1 deletions(-)

commit d4d5bb0d8b7008c0bf328e6bd8ffab2887681204
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 12:58:33 2013 -0400

    Additional improvements to the user banning code:
    Separate the kernel-bruteforcing case from the suid bruteforcing case
    In the suid bruteforcing case, only kill existing copies of the
    bruteforced binary. Instead of preventing all future execs by this
    user, prevent them from executing any suid/sgid binaries for the next
    15 minutes.
    Kernel case is mostly unchanged from before, except the task trying to
    change real uid to the banned user will be terminated instead of
    failing the setuid call.
    Configuration help has been updated to reflect the new changes.

    Conflicts:

        fs/exec.c
        grsecurity/grsec_sig.c

 fs/exec.c                  | 13 +++++---
 grsecurity/Kconfig         |  5 ++-
 grsecurity/gracl.c         |  6 ++--
 grsecurity/grsec_sig.c     | 76 ++++++++++++++++++++++++++------------------
 include/linux/grsecurity.h |  1 -
 include/linux/sched.h      |  9 +++--
 6 files changed, 65 insertions(+), 45 deletions(-)

commit b2b8faa9d72b5ec7c1c03df07e03432dde4f1328
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 3 15:53:12 2013 -0400

    Revise the user ban code to kill the process issuing a banned set*id
    instead of returning an error. For the sake of keeping unified user
    banning between the suid and kernel bruteforce case, we will apply this
    killing to the suid bruteforce case, despite a check just at exec time
    (that already existed) being sufficient. Returning an error could
    enable exploitation of the "failure to check setuid return value" case
    which was recently effectively closed upstream, albeit in a rare
    situation with a suitable binary and two colluding users.

    Many thanks to stealth for reviewing the user ban code.

 grsecurity/gracl.c     |  4 ++--
 grsecurity/grsec_sig.c | 16 +++++++++++++---
 2 files changed, 15 insertions(+), 5 deletions(-)

commit bfe2238de5574cb5de1ce785ccfc50af30f2d92f
Author: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Date:   Fri Jun 28 14:15:15 2013 +0300

    Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d

    UBIFS: fix a horrid bug

    Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have
    no mutual exclusion, which means the 'ubifs_dir_llseek()' can be run
    while we are in the middle of 'ubifs_readdir()'.

    This means that 'file->private_data' can be freed while
    'ubifs_readdir()' uses it, and this is a very bad bug: not only
    'ubifs_readdir()' can return garbage, but this may corrupt memory and
    lead to all kinds of problems like crashes and security holes.

    This patch fixes the problem by using the 'file->f_version' field, which
    '->llseek()' always unconditionally sets to zero. We set it to 1 in
    'ubifs_readdir()' and whenever we detect that it became 0, we know there
    was a seek and it is time to clear the state saved in
    'file->private_data'.

    I tested this patch by writing a user-space program which runs readdir
    and seek in parallel. I could easily crash the kernel without these
    patches, but could not crash it with these patches.
    Cc: stable@vger.kernel.org
    Reported-by: Al Viro <viro@zeniv.linux.org.uk>
    Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

    Conflicts:

        fs/ubifs/dir.c

 fs/ubifs/dir.c | 34 +++++++++++++++++++++++++++++-----
 1 files changed, 29 insertions(+), 5 deletions(-)

commit f79f5b6bfa34cd409c1981be16afcf3732904ea1
Author: Stephane Eranian <eranian@google.com>
Date:   Thu Jun 20 11:36:28 2013 +0200

    Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89

    perf: Disable monitoring on setuid processes for regular users

    There was a bug in setup_new_exec(), whereby the test to disable perf
    monitoring was not correct because the new credentials for the process
    were not yet committed and therefore the get_dumpable() test was never
    firing.

    The patch fixes the problem by moving the perf_event test until after
    the credentials are committed.

    Signed-off-by: Stephane Eranian <eranian@google.com>
    Tested-by: Jiri Olsa <jolsa@redhat.com>
    Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: <stable@kernel.org>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 fs/exec.c | 16 +++++++++-------
 1 files changed, 9 insertions(+), 7 deletions(-)

commit cf2a89740a86b7c8ac8729f418481075b4395ee0
Merge: 9ffe336 e1d9efc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 29 14:13:56 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit e1d9efc71e735c8b9c1295d3f1f6753a465bcbff
Merge: 895dd8e c93f6a9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 29 14:13:45 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

commit 9ffe336a36a734e1981ec11511f2a54c8988a398
Author: Zefan Li <lizefan@huawei.com>
Date:   Wed Jun 26 15:31:58 2013 +0800

    Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a

    dlci: validate the net device in dlci_del()

    We triggered an oops while running trinity with 3.4 kernel:

      BUG: unable to handle kernel paging request at 0000000100000d07
      IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
      PGD 640c0d067 PUD 0
      Oops: 0000 [#1] PREEMPT SMP
      CPU 3
      ...
      Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA
      RIP: 0010:[<ffffffffa0109738>]  [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
      ...
      Call Trace:
        [<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
        [<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
        [<ffffffff8118354a>] ? fget_light+0x3ea/0x490
        [<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
        [<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
      ...

    It's because the net device is not a dlci device.

    Reported-by: Li Jinyue <lijinyue@huawei.com>
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/dlci.c | 12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

commit e2b9a5997ae75b9b21de26a2a1c89759752c57d8
Author: Zefan Li <lizefan@huawei.com>
Date:   Wed Jun 26 15:29:54 2013 +0800

    Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5

    dlci: acquire rtnl_lock before calling __dev_get_by_name()

    Otherwise the net device returned can be freed at anytime.

    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/dlci.c | 14 +++++++++-----
 1 files changed, 9 insertions(+), 5 deletions(-)

commit 605dbdeebdde60826f427405fb83aa11dd5ed417
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Jun 26 04:15:07 2013 -0700

    Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3

    ipv6: ip6_sk_dst_check() must not assume ipv6 dst

    It's possible to use AF_INET6 sockets and to connect to an IPv4
    destination. After this, socket dst cache is a pointer to a rtable,
    not rt6_info.

    ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
    various corruptions/crashes can happen.
    Dave Jones can reproduce immediate crash with
    trinity -q -l off -n -c sendmsg -c connect

    With help from Hannes Frederic Sowa

    Reported-by: Dave Jones <davej@redhat.com>
    Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_output.c | 8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit 0964a26ec130f2b3fbea72a82861e8831f993c4b
Author: Anderson Lizardo <anderson.lizardo@openbossa.org>
Date:   Sun Jun 2 16:30:40 2013 -0400

    Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d

    Bluetooth: Fix crash in l2cap_build_cmd() with small MTU

    If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
    controller, memory corruption happens due to a memcpy() call with
    negative length.

    Fix this crash on either incoming or outgoing connections with a MTU
    smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:

    [   46.885433] BUG: unable to handle kernel paging request at f56ad000
    [   46.888037] IP: [<c03d94cd>] memcpy+0x1d/0x40
    [   46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
    [   46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
    [   46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
    [   46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
    [   46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
    [   46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
    [   46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
    [   46.888037] EIP: 0060:[<c03d94cd>] EFLAGS: 00010212 CPU: 0
    [   46.888037] EIP is at memcpy+0x1d/0x40
    [   46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
    [   46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
    [   46.888037]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
    [   46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
    [   46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
    [   46.888037] DR6: ffff0ff0 DR7: 00000400
    [   46.888037] Stack:
    [   46.888037]  fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
    [   46.888037]  f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
    [   46.888037]  f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
    [   46.888037] Call Trace:
    [   46.888037]  [<f8c6a54c>] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
    [   46.888037]  [<f8c69eb2>] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
    [   46.888037]  [<f8c6f4c7>] l2cap_connect+0x3f7/0x540 [bluetooth]
    [   46.888037]  [<c019b37b>] ? trace_hardirqs_off+0xb/0x10
    [   46.888037]  [<c01a0ff8>] ? mark_held_locks+0x68/0x110
    [   46.888037]  [<c064ad20>] ? mutex_lock_nested+0x280/0x360
    [   46.888037]  [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
    [   46.888037]  [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
    [   46.888037]  [<c064ad08>] ? mutex_lock_nested+0x268/0x360
    [   46.888037]  [<c01a125b>] ? trace_hardirqs_on+0xb/0x10
    [   46.888037]  [<f8c72f8d>] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
    [   46.888037]  [<c01a0ff8>] ? mark_held_locks+0x68/0x110
    [   46.888037]  [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
    [   46.888037]  [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
    [   46.888037]  [<f8c754f1>] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
    [   46.888037]  [<f8c491d8>] hci_rx_work+0x518/0x810 [bluetooth]
    [   46.888037]  [<f8c48df2>] ? hci_rx_work+0x132/0x810 [bluetooth]
    [   46.888037]  [<c0158979>] process_one_work+0x1a9/0x600
    [   46.888037]  [<c01588fb>] ? process_one_work+0x12b/0x600
    [   46.888037]  [<c015922e>] ? worker_thread+0x19e/0x320
    [   46.888037]  [<c015922e>] ? worker_thread+0x19e/0x320
    [   46.888037]  [<c0159187>] worker_thread+0xf7/0x320
    [   46.888037]  [<c0159090>] ? rescuer_thread+0x290/0x290
    [   46.888037]  [<c01602f8>] kthread+0xa8/0xb0
    [   46.888037]  [<c0656777>] ret_from_kernel_thread+0x1b/0x28
    [   46.888037]  [<c0160250>] ? flush_kthread_worker+0x120/0x120
    [   46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
    [   46.888037] EIP: [<c03d94cd>] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
    [   46.888037] CR2: 00000000f56ad000
    [   46.888037] ---[ end trace 0217c1f4d78714a9 ]---

    Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 net/bluetooth/l2cap_core.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit bb971f8f82da9ff1de8f4eb5fd678d2e168f46c4
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Sun Jun 23 17:26:58 2013 +0300

    Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2

    macvtap: fix recovery from gup errors

    get user pages might fail partially in macvtap zero copy mode. To
    recover we need to put all pages that we got, but code used a wrong
    index resulting in double-free errors.

    Reported-by: Brad Hubbard <bhubbard@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/macvtap.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit f970b222b0c93836dc7f808c9002b47db2356ea7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:39:08 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: Steffen Klassert <steffen.klassert@secunet.com>, "David S. Miller" <davem@davemloft.net>
    Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>
    Subject: [PATCH] af_key: fix info leaks in notify messages

    key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
    the sadb_msg_reserved member of the broadcasted message and thereby
    leak 2 bytes of heap memory to listeners. Fix that.

    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>

 net/key/af_key.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit a769864b55228b10420922319b039383eb978825
Merge: e0272f0 895dd8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:36:21 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 895dd8ef5f161df49c4c9bb7f4a217a2bfe5de6a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:35:49 2013 -0400

    Update to pax-linux-3.2.47-test109.patch:
    - fixed a regression on PARAVIRT/amd64 kernels

 arch/x86/kernel/entry_64.S | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit e0272f02cfe4cc20756485ce82f99ba8fae18dd5
Merge: ea55c83 7a64c90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 25 19:03:39 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 7a64c90976856ef4d967c12257a74aa405b7217c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 25 19:02:48 2013 -0400

    Updated to pax-linux-3.2.47-test108.patch:
    - fixed an ftrace regression on KERNEXEC/i386
    - reverted the nmi changes, 3.2 doesn't need them
    - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111)
    - empty_zero_page can be read-only on amd64 as well

 arch/x86/kernel/entry_64.S | 61 ++++++++++++++++++++-----------------------
 arch/x86/kernel/ftrace.c   |  4 +-
 arch/x86/kernel/head_64.S  |  1 -
 drivers/lguest/core.c      |  2 +-
 include/linux/vmalloc.h    |  2 +-
 5 files changed, 32 insertions(+), 38 deletions(-)

commit ea55c8335283c3f20b5cc6a5373382ae98cd8c3b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 23 14:37:14 2013 -0400

    second compile fix, reported by forsaken on forums

 include/linux/vmalloc.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 257868861c1bd28e5162eacdcd1a836db01dde7d
Merge: 4413dcd bd61657
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 21 17:00:02 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        security/Kconfig

commit bd6165733a5124425d675a6bb9f81026d14e73a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 21 16:57:05 2013 -0400

    Update to pax-linux-3.2.47-test107.patch:
    - fixed some fallout detected by the checker plugin
    - removed a user-triggerable BUG_ON reported by spender, fixing it properly wasn't worth the effort
    - fixed a few format string problems uncovered by -Wformat-nonliteral
    - another attempt at fixing the nested nmi/cr0.wp problem
    - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866)
    - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274)
    - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/)

 Documentation/dontdiff                    |  1 +
 arch/x86/kernel/cpu/mcheck/mce.c          |  2 +-
 arch/x86/kernel/crash_dump_64.c           |  2 +-
 arch/x86/kernel/e820.c                    |  4 +-
 arch/x86/kernel/entry_64.S                | 81 ++++++++++++++++------------
 arch/x86/kernel/vmlinux.lds.S             |  2 +-
 block/genhd.c                             | 11 +++--
 crypto/algapi.c                           |  2 +-
 crypto/pcrypt.c                           |  2 +-
 drivers/base/attribute_container.c        |  2 +-
 drivers/base/devtmpfs.c                   |  6 +-
 drivers/base/power/sysfs.c                |  2 +-
 drivers/block/nbd.c                       |  2 +-
 drivers/cdrom/cdrom.c                     |  2 +-
 drivers/char/agp/compat_ioctl.c           |  2 +-
 drivers/char/agp/frontend.c               |  2 +-
 drivers/char/hw_random/intel-rng.c        |  2 +-
 drivers/char/mem.c                        |  4 +-
 drivers/devfreq/devfreq.c                 |  2 +-
 drivers/gpu/drm/drm_encoder_slave.c       |  6 +--
 drivers/gpu/drm/drm_sysfs.c               |  2 +-
 drivers/gpu/drm/ttm/ttm_memory.c          |  4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c     |  4 +-
 drivers/i2c/i2c-dev.c                     |  2 +-
 drivers/media/video/v4l2-compat-ioctl32.c |  4 +-
 drivers/media/video/v4l2-ioctl.c          |  6 +-
 drivers/video/output.c                    |  2 +-
 fs/9p/vfs_addr.c                          |  2 +-
 fs/binfmt_elf.c                           |  2 +-
 fs/compat_ioctl.c                         |  4 +-
 fs/exec.c                                 |  2 +-
 fs/ext4/mmp.c                             |  2 +-
 fs/ext4/super.c                           |  2 +-
 fs/lockd/svc.c                            |  2 +-
 fs/namespace.c                            |  8 ++--
 fs/nfs/callback.c                         |  4 +-
 fs/nfsd/nfscache.c                        |  3 +-
 fs/proc/vmcore.c                          | 12 +++--
 include/linux/syscalls.h                  |  8 ++--
 init/initramfs.c                          |  2 +-
 lib/kobject.c                             |  2 +-
 mm/backing-dev.c                          |  4 +-
 mm/mlock.c                                |  1 -
 mm/slub.c                                 |  2 +-
 mm/vmalloc.c                              | 15 ++---
 net/netfilter/nf_conntrack_proto_dccp.c   |  4 +-
 net/sunrpc/svc.c                          |  2 +-
 security/Kconfig                          | 15 +++---
 sound/core/sound.c                        |  2 +-
 sound/sound_core.c                        |  2 +-
 tools/gcc/checker_plugin.c                |  1 +
 51 files changed, 137 insertions(+), 129 deletions(-)

commit 4413dcd8180864f36e0036c1c7edf3f06b727404
Merge: 4945f4f 30d75a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 19 17:45:40 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 30d75a248c66a76546683054768ddc6b1a1cfafa
Merge: 7a96ff7 398cabc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 19 17:45:34 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

commit 4945f4fbcb3bccf03be6cc7cc1e7450263fcb576
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 18 16:45:39 2013 -0400

    fix compile error in apparmor compat patch

 security/apparmor/apparmorfs.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 460085b551067106461d75913d655b393827588f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 17 18:48:31 2013 -0400

    Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db"

    This reverts commit 81d3b89d5990029633d5bdc5439feebffcb4ff36.

 kernel/sys.c | 29 +++--------------------------
 1 files changed, 3 insertions(+), 26 deletions(-)

commit 696689eb6fd63c678783a1281e879c90ddca41b4
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Sun Jun 16 18:06:06 2013 +0100

    Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5

    lseek(fd, n, SEEK_END) does *not* go to eof - n

    When you copy some code, you are supposed to read it. If nothing else,
    there's a chance to spot and fix an obvious bug instead of sharing it...

    X-Song: "I Got It From Agnes", by Tom Lehrer
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    [ Tom Lehrer? You're dating yourself, Al ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Conflicts:

        drivers/net/ethernet/brocade/bna/bnad_debugfs.c
        drivers/scsi/fnic/fnic_debugfs.c

 drivers/scsi/bfa/bfad_debugfs.c  | 2 +-
 drivers/scsi/lpfc/lpfc_debugfs.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 5b28db552055eee1aa180a48cd58cc3a0c2ae978
Author: Neil Horman <nhorman@tuxdriver.com>
Date:   Wed Jun 12 14:26:44 2013 -0400

    Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69

    sctp: fully initialize sctp_outq in sctp_outq_init

    In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86
    (refactor sctp_outq_teardown to insure proper re-initalization)
    we modified sctp_outq_teardown to use sctp_outq_init to fully
    re-initialize the outq structure. Steve West recently asked me why I
    removed the q->error = 0 initialization from sctp_outq_teardown. I did
    so because I was operating under the impression that sctp_outq_init
    would properly initialize that value for us, but it doesn't.
    sctp_outq_init operates under the assumption that the outq struct is
    all 0's (as it is when called from sctp_association_init), but using
    it in __sctp_outq_teardown violates that assumption. We should do a
    memset in sctp_outq_init to ensure that the entire structure is in a
    known state there instead.

    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    Reported-by: "West, Steve (NSN - US/Fort Worth)" <steve.west@nsn.com>
    CC: Vlad Yasevich <vyasevich@gmail.com>
    CC: netdev@vger.kernel.org
    CC: davem@davemloft.net
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:

        net/sctp/outqueue.c

 net/sctp/outqueue.c | 8 ++------
 1 files changed, 2 insertions(+), 6 deletions(-)

commit 41aa7d04ce71af7eb74fa71e09561db267a3ea1e
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Wed Jun 12 16:07:36 2013 +0200

    Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984

    l2tp: Fix sendmsg() return value

    PPPoL2TP sockets should comply with the standard send*() return values
    (i.e. return number of bytes sent instead of 0 upon success).

    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 319647551ef498b5b840bb977db749b502de72c8
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Wed Jun 12 16:07:23 2013 +0200

    Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64

    l2tp: Fix PPP header erasure and memory leak

    Copy user data after PPP framing header. This prevents erasure of the
    added PPP header and avoids leaking two bytes of uninitialised memory
    at the end of skb's data buffer.

    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 18497f14a6f69a4c29fbb87c89c71e418d34384f
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Wed Jun 12 16:02:27 2013 +0200

    Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe

    packet: packet_getname_spkt: make sure string is always 0-terminated

    uaddr->sa_data is exactly of size 14, which is hard-coded here and
    passed as a size argument to strncpy().
A device name can be of size IFNAMSIZ (== 16), meaning we might leave the destination string unterminated. Thus, use strlcpy() and also sizeof() while we're at it. We need to memset the data area beforehand, since strlcpy does not padd the remaining buffer with zeroes for user space, so that we do not possibly leak anything. Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> net/packet/af_packet.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit 7bacaeb02c37d814d5fbfe1298bad3b5c36f47df Author: Kees Cook <keescook@chromium.org> Date: Fri May 10 14:48:21 2013 -0700 Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c b43: stop format string leaking into error msgs The module parameter "fwpostfix" is userspace controllable, unfiltered, and is used to define the firmware filename. b43_do_request_fw() populates ctx->errors[] on error, containing the firmware filename. b43err() parses its arguments as a format string. For systems with b43 hardware, this could lead to a uid-0 to ring-0 escalation. CVE-2013-2852 Signed-off-by: Kees Cook <keescook@chromium.org> Cc: stable@vger.kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com> drivers/net/wireless/b43/main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 9a59fa112e3421c7a80c21671745273aafa4ea64 Author: Mark A. 
Greer <mgreer@animalcreek.com> Date: Wed May 29 12:25:34 2013 -0700 Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5 mwifiex: debugfs: Fix out of bounds array access When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info', the following panic occurs: $ cat /sys/kernel/debug/mwifiex/p2p0/info Unable to handle kernel paging request at virtual address 74706164 pgd = de530000 [74706164] *pgd=00000000 Internal error: Oops: 5 [#1] SMP ARM Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1 task: de16b6c0 ti: de048000 task.ti: de048000 PC is at strnlen+0xc/0x4c LR is at string+0x3c/0xf8 pc : [<c02c123c>] lr : [<c02c2d1c>] psr: a0000013 sp : de049e10 ip : c06efba0 fp : de6d2092 r10: bf01a260 r9 : ffffffff r8 : 74706164 r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000 r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c5387d Table: 9e530019 DAC: 00000015 Process cat (pid: 1635, stack limit = 0xde048240) Stack: (0xde049e10 to 0xde04a000) 9e00: de6d2092 00000002 bf01a25e de6d209c 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00 9f60: de048000 de59c3c0 00000000 
00000000 de59c3c0 00001000 bef3cc00 c0108b60 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd [<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8) [<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8) [<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24) [<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144) [<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70) [<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30) Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000) ---[ end trace ca98273dc605a04f ]--- The panic is caused by the mwifiex_info_read() routine assuming that there can only be four modes (0-3) which is an invalid assumption. For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the code accesses data beyond the bounds of the bss_modes[] array which causes the panic. Fix this by updating bss_modes[] to support the current list of modes and adding a check to prevent the out-of-bounds access from occuring in the future when more modes are added. Signed-off-by: Mark A. Greer <mgreer@animalcreek.com> Acked-by: Bing Zhao <bzhao@marvell.com> Signed-off-by: John W. 
Linville <linville@tuxdriver.com> drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++----- 1 files changed, 17 insertions(+), 5 deletions(-) commit fb7250a986652ac8f0ef176e24003bc31707bfe0 Author: Dan Carpenter <dan.carpenter@oracle.com> Date: Mon Jun 3 12:00:49 2013 +0300 Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1 ipvs: info leak in __ip_vs_get_dest_entries() The entry struct has a 2 byte hole after ->port and another 4 byte hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your namespace to hit this information leak. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> net/netfilter/ipvs/ip_vs_ctl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 81d3b89d5990029633d5bdc5439feebffcb4ff36 Author: Robin Holt <holt@sgi.com> Date: Wed Jun 12 14:04:37 2013 -0700 Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db reboot: rigrate shutdown/reboot to boot cpu We recently noticed that reboot of a 1024 cpu machine takes approx 16 minutes of just stopping the cpus. The slowdown was tracked to commit f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in kernel_restart()"). The current implementation does all the work of hot removing the cpus before halting the system. We are switching to just migrating to the boot cpu and then continuing with shutdown/reboot. This also has the effect of not breaking x86's command line parameter for specifying the reboot cpu. Note, this code was shamelessly copied from arch/x86/kernel/reboot.c with bits removed pertaining to the reboot_cpu command line parameter. Signed-off-by: Robin Holt <holt@sgi.com> Tested-by: Shawn Guo <shawn.guo@linaro.org> Cc: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com> Cc: H. 
Peter Anvin <hpa@zytor.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@elte.hu> Cc: Russ Anderson <rja@sgi.com> Cc: Robin Holt <holt@sgi.com> Cc: Russell King <linux@arm.linux.org.uk> Cc: Guan Xuetao <gxt@mprc.pku.edu.cn> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> kernel/sys.c | 29 ++++++++++++++++++++++++++--- 1 files changed, 26 insertions(+), 3 deletions(-) commit 5c9ad383676e3caf69be4bb7ca2868fc8600ecb2 Author: Daniel Borkmann <dborkman@redhat.com> Date: Thu Jun 6 15:53:47 2013 +0200 Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c net: sctp: fix NULL pointer dereference in socket destruction While stress testing sctp sockets, I hit the following panic: BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 IP: [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp] PGD 7cead067 PUD 7ce76067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: sctp(F) libcrc32c(F) [...] CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1 Hardware name: Dell Inc. 
PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011 task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000 RIP: 0010:[<ffffffffa0490c4e>] [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp] RSP: 0018:ffff88007b569e08 EFLAGS: 00010292 RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200 RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000 RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00 FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Stack: ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e Call Trace: [<ffffffffa049fded>] sctp_destroy_sock+0x3d/0x80 [sctp] [<ffffffff8145b60e>] sk_common_release+0x1e/0xf0 [<ffffffff814df36e>] inet_create+0x2ae/0x350 [<ffffffff81455a6f>] __sock_create+0x11f/0x240 [<ffffffff81455bf0>] sock_create+0x30/0x40 [<ffffffff8145696c>] SyS_socket+0x4c/0xc0 [<ffffffff815403be>] ? do_page_fault+0xe/0x10 [<ffffffff8153cb32>] ? 
page_fault+0x22/0x30 [<ffffffff81544e02>] system_call_fastpath+0x16/0x1b Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48> 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48 RIP [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp] RSP <ffff88007b569e08> CR2: 0000000000000020 ---[ end trace e0d71ec1108c1dd9 ]--- I did not hit this with the lksctp-tools functional tests, but with a small, multi-threaded test program, that heavily allocates, binds, listens and waits in accept on sctp sockets, and then randomly kills some of them (no need for an actual client in this case to hit this). Then, again, allocating, binding, etc, and then killing child processes. This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable'' is set. The cause for that is actually very simple: in sctp_endpoint_init() we enter the path of sctp_auth_init_hmacs(). There, we try to allocate our crypto transforms through crypto_alloc_hash(). In our scenario, it then can happen that crypto_alloc_hash() fails with -EINTR from crypto_larval_wait(), thus we bail out and release the socket via sk_common_release(), sctp_destroy_sock() and hit the NULL pointer dereference as soon as we try to access members in the endpoint during sctp_endpoint_free(), since endpoint at that time is still NULL. Now, if we have that case, we do not need to do any cleanup work and just leave the destruction handler. Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: David S. 
Miller <davem@davemloft.net> net/sctp/socket.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit acb80176534ccb057aa7e51d288f14876c35d162 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jun 13 07:21:08 2013 -0400 Include apparmor compatibility patches include/linux/lsm_audit.h | 4 + security/apparmor/Kconfig | 9 + security/apparmor/Makefile | 20 ++- security/apparmor/apparmorfs-24.c | 287 ++++++++++++++++++++++++++++++++ security/apparmor/apparmorfs.c | 18 ++- security/apparmor/include/apparmorfs.h | 6 + security/apparmor/include/net.h | 40 +++++ security/apparmor/include/policy.h | 3 + security/apparmor/lsm.c | 112 +++++++++++++ security/apparmor/match.c | 17 ++ security/apparmor/net.c | 170 +++++++++++++++++++ security/apparmor/policy.c | 1 + security/apparmor/policy_unpack.c | 48 +++++- 13 files changed, 730 insertions(+), 5 deletions(-) commit e5d063dcb67baeeb5a653263e492cf00ed0146f9 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Jun 12 20:42:08 2013 -0400 compile fix drivers/rapidio/devices/tsi721.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7a6ba65dab9a09622cc9d42140ae84beada7e1b4 Author: Brad Spengler <spender@grsecurity.net> Date: Tue Jun 11 22:18:07 2013 -0400 fix elif / elif defined() typo in recent change kernel/events/core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f48fb8ff57789c37136a324529e0802e441bc530 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Jun 10 21:21:44 2013 -0400 Fix fanotify infoleak reported by Dan Carpenter at: https://lkml.org/lkml/2013/6/3/128 Requires CAP_SYS_ADMIN, so this is about as low priority as it gets fs/notify/fanotify/fanotify_user.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 18f8fde4c604473d31b7f99ba0a23c6587242aad Author: Brad Spengler <spender@grsecurity.net> Date: Mon Jun 10 21:04:17 2013 -0400 Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 drivers/cdrom/cdrom.c | 4 ++-- 1 files changed, 2 insertions(+), 2 
deletions(-) commit 5122ae69a3f6dc576c34fa790639036aa6a0453d Author: Brad Spengler <spender@grsecurity.net> Date: Mon Jun 10 18:34:32 2013 -0400 change const to __read_only kernel/sysctl.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 8de405dd1acb9edb19462af23e0d92a2c919dd7b Author: Brad Spengler <spender@grsecurity.net> Date: Mon Jun 10 17:37:13 2013 -0400 Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a drivers/char/mwave/tp3780i.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit cf9a55518e3ec8c15ae14b1c973ae2be1e018304 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Jun 10 17:34:13 2013 -0400 compile fix, make const values const kernel/sysctl.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit aaabbf8ef0eefecac0802518a318faa5daab0cf3 Author: Brad Spengler <spender@grsecurity.net> Date: Sun Jun 9 19:50:35 2013 -0400 allow -1 perf_event_paranoid kernel/sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b98c7753401000d29c9e6e78dcfd0398581fb5d2 Author: Dan Carpenter <dan.carpenter@oracle.com> Date: Sun May 19 08:36:36 2013 +0000 Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5 isdn/kcapi: fix a small underflow In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes from skb->data. The current code can underflow to one space before the start of the array. The sanity check isn't needed in __get_capi_appl_by_nr() but I changed it to match the others. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> drivers/isdn/capi/kcapi.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit b72f43b99b44835e3f92d34ef96ecfb72de62bc0 Author: Chen Gang <gang.chen@asianux.com> Date: Thu May 16 23:13:04 2013 +0000 Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211 net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue. 
'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the strncpy() will always left the last byte of 'discovery->data.info' uninitialized. When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left the last byte of 'discovery->data.info' uninitialized, the next strlen() will cause issue. Also 'discovery->data' is 'struct irda_device_info' which defined in "include/uapi/...", it may copy to user mode, so need whole initialized. All together, need use kzalloc() instead of kmalloc() to initialize all members firstly. Signed-off-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: David S. Miller <davem@davemloft.net> net/irda/irlap_frame.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2e75234abba290b9e1271ad9de34789fe6294474 Author: Eric Dumazet <edumazet@google.com> Date: Fri May 17 04:53:13 2013 +0000 Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a ipv6: fix possible crashes in ip6_cork_release() commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data") added some code duplication and bad error recovery, leading to potential crash in ip6_cork_release() as kfree() could be called with garbage. use kzalloc() to make sure this wont happen. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org> Cc: Neal Cardwell <ncardwell@google.com> net/ipv6/ip6_output.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b2f5d74b7b418d9bbdfb201cc7b84f83272f7910 Author: Eric Dumazet <edumazet@google.com> Date: Mon May 13 21:25:52 2013 +0000 Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e tcp: fix tcp_md5_hash_skb_data() TCP md5 communications fail [1] for some devices, because sg/crypto code assume page offsets are below PAGE_SIZE. 
This was discovered using mlx4 driver [2], but I suspect loopback might trigger the same bug now we use order-3 pages in tcp_sendmsg() [1] Failure is giving following messages. huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100, exited with 00000101? [2] mlx4 driver uses order-2 pages to allocate RX frags Reported-by: Matt Schnall <mischnal@google.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Bernhard Beck <bbeck@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> net/ipv4/tcp.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit bdefc94992170319c687d21004953f47068bda0f Author: Jeff Mahoney <jeffm@jeffreymahoney.com> Date: Fri May 31 15:07:52 2013 -0400 Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry After sleeping for filldir(), we check to see if the file system has changed and research. The next_pos pointer is updated but its value isn't pushed into the key used for the search itself. As a result, the search returns the same item that the last cycle of the loop did and filldir() is called multiple times with the same data. The end result is that the buffer can contain the same name multiple times. This can be returned to userspace or used internally in the xattr code where it can manifest with the following warning: jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2) reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over the xattr names and ends up trying to unlink the same name twice. The second attempt fails with -ENOENT and the error is returned. At some point I'll need to add support into reiserfsck to remove the orphaned directories left behind when this occurs. The fix is to push the value into the key before researching. 
Signed-off-by: Jeff Mahoney <jeffm@suse.com> Signed-off-by: Jan Kara <jack@suse.cz> fs/reiserfs/dir.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 569c1db757aaac584f4df9e0b206ecd553a7cf55 Author: Jeff Mahoney <jeffm@suse.com> Date: Fri May 31 15:51:17 2013 -0400 Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc reiserfs: fix deadlock with nfs racing on create/lookup Reiserfs is currently able to be deadlocked by having two NFS clients where one has removed and recreated a file and another is accessing the file with an open file handle. If one client deletes and recreates a file with timing such that the recreated file obtains the same [dirid, objectid] pair as the original file while another client accesses the file via file handle, the create and lookup can race and deadlock if the lookup manages to create the in-memory inode first. The create thread, in insert_inode_locked4, will hold the write lock while waiting on the other inode to be unlocked. The lookup thread, anywhere in the iget path, will release and reacquire the write lock while it schedules. If it needs to reacquire the lock while the create thread has it, it will never be able to make forward progress because it needs to reacquire the lock before ultimately unlocking the inode. This patch drops the write lock across the insert_inode_locked4 call so that the ordering of inode_wait -> write lock is retained. Since this would have been the case before the BKL push-down, this is safe. 
Signed-off-by: Jeff Mahoney <jeffm@suse.com> Signed-off-by: Jan Kara <jack@suse.cz> fs/reiserfs/inode.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit cf9cf7713ce43c0f6e8656c1fae9dc06898c1cd9 Author: Jeff Mahoney <jeffm@suse.com> Date: Fri May 31 15:54:17 2013 -0400 Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b reiserfs: fix problems with chowning setuid file w/ xattrs reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr and uses it to iterate over all the attrs associated with a file to change ownership of xattrs (and transfer quota associated with the xattr files). When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode are passed to all the xattrs as well. This means that the xattr directory will have S_IFREG added to its mode bits. This has been prevented in practice by a missing IS_PRIVATE check in reiserfs_acl_chmod, which caused a double-lock to occur while holding the write lock. Since the file system was completely locked up, the writeout of the corrupted mode never happened. This patch temporarily clears everything but ATTR_UID|ATTR_GID for the calls to reiserfs_setattr and adds the missing IS_PRIVATE check. Signed-off-by: Jeff Mahoney <jeffm@suse.com> Signed-off-by: Jan Kara <jack@suse.cz> fs/reiserfs/xattr.c | 14 +++++++++++++- fs/reiserfs/xattr_acl.c | 3 +++ 2 files changed, 16 insertions(+), 1 deletions(-) commit d7bdf58f3629468378d20ccc78370e1a690dbe24 Author: Dave Chinner <dchinner@redhat.com> Date: Mon May 27 16:38:25 2013 +1000 Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b xfs: kill suid/sgid through the truncate path. XFS has failed to kill suid/sgid bits correctly when truncating files of non-zero size since commit c4ed4243 ("xfs: split xfs_setattr") introduced in the 3.1 kernel. Fix it. Fix it. 
cc: stable kernel <stable@vger.kernel.org> Signed-off-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Brian Foster <bfoster@redhat.com> Signed-off-by: Ben Myers <bpm@sgi.com> (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6) fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++--------------- 1 files changed, 32 insertions(+), 15 deletions(-) commit aad838f744fe6dd7d33b3250bf89df4cb6adfd1b Author: Trond Myklebust <Trond.Myklebust@netapp.com> Date: Wed May 29 15:36:40 2013 -0400 Upstream commit: f448badd34700ae728a32ba024249626d49c10e1 NFSv4: Fix a thinko in nfs4_try_open_cached We need to pass the full open mode flags to nfs_may_open() when doing a delegated open. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Cc: stable@vger.kernel.org Conflicts: fs/nfs/nfs4proc.c fs/nfs/nfs4proc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit be831ad596a7582eb067bec6ee448cf2c6944e11 Author: Chen Gang <gang.chen@asianux.com> Date: Thu May 30 01:18:43 2013 +0000 Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8 parisc: kernel: using strlcpy() instead of strcpy() 'boot_args' is an input args, and 'boot_command_line' has a fix length. So use strlcpy() instead of strcpy() to avoid memory overflow. Signed-off-by: Chen Gang <gang.chen@asianux.com> Acked-by: Kyle McMartin <kyle@mcmartin.ca> Signed-off-by: Helge Deller <deller@gmx.de> arch/parisc/kernel/setup.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 0cb3d9db210606a12b30754f290472d17471ba3c Author: Chen Gang <gang.chen@asianux.com> Date: Mon May 27 04:57:09 2013 +0000 Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95 parisc: memory overflow, 'name' length is too short for using 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6 * "%u:" + "%u" + '\0') may be 21. Since 'name' length is 20, it may be memory overflow. And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the max length of 'name' must be less than 28. 
So simplify thinking, we can use 28 instead of 20 directly, and do not think of whether 'patchc.bc[i]' can '> 100'. Signed-off-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: Helge Deller <deller@gmx.de> arch/parisc/kernel/drivers.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2de5e49b6e0f7beca6e0727907a3451f22c0c2fb Author: Brad Spengler <spender@grsecurity.net> Date: Tue Jun 4 17:52:23 2013 -0400 add PERF_HARDEN recommendation grsecurity/Kconfig | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 91c8a2424087b7911379f269df64b596e6c1ad45 Author: Brad Spengler <spender@grsecurity.net> Date: Tue Jun 4 17:22:44 2013 -0400 Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN grsecurity/Kconfig | 19 +++++++++++++++++++ include/linux/perf_event.h | 5 +++++ kernel/events/core.c | 10 +++++++++- kernel/sysctl.c | 9 ++++++++- 4 files changed, 41 insertions(+), 2 deletions(-) commit b020761abd650320700a7253bfda3830557101f7 Author: Brad Spengler <spender@grsecurity.net> Date: Sat Jun 1 14:23:31 2013 -0400 remove user-triggerable BUG_ON in do_munlockall() Conflicts: mm/mlock.c mm/mlock.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit b755f62d899d6cfeebccb7b8f5f98565c36d8dc9 Author: Brad Spengler <spender@grsecurity.net> Date: Sat Jun 1 13:44:05 2013 -0400 Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456 From: Kees Cook <keescook@chromium.org> Date: Thu, 23 May 2013 17:32:17 +0000 Subject: iscsi-target: fix heap buffer overflow on error If a key was larger than 64 bytes, as checked by iscsi_check_key(), the error response packet, generated by iscsi_add_notunderstood_response(), would still attempt to copy the entire key into the packet, overflowing the structure on the heap. Remote preauthentication kernel memory corruption was possible if a target was configured and listening on the network. 
    CVE-2013-2850
    Embargo-screwup-by: Kees Cook <keescook@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>

 drivers/target/iscsi/iscsi_target_parameters.c | 8 +++-----
 drivers/target/iscsi/iscsi_target_parameters.h | 4 +++-
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 2453666d1b0a5fed341ea80957105ffa4a8c3994
Merge: af153f5 7a96ff7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 11:29:13 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        drivers/char/random.c

commit 7a96ff72e1697e1765ee31fdd212c2929446bb67
Merge: ee5b3c4 a2d09e9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 11:27:03 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        arch/x86/kernel/irq.c

commit af153f5604a3c61e5fee6618c63d5dd66735e96b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 30 17:44:15 2013 -0400

    Apply compatibility fix to previous RLIMIT_NPROC change
    don't enforce the rlimit check at exec time if the user is root

    Prevents problems with sudo if root is listed as part of a group
    in limits.conf with process limits enforced

 kernel/sys.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8bd4639abbd4d694d8d643555070ae7a35e98f80
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 20:43:47 2013 -0400

    backport BUILD_BUG_ON() fix

 include/linux/kernel.h | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 202eb229439fb2f78da738f13d6a55a344d388b4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 20:25:12 2013 -0400

    backport some BUILD_BUG_ON() changes

 include/linux/compiler.h | 4 ++++
 include/linux/kernel.h | 31 +++++++++++++++++++------------
 2 files changed, 23 insertions(+), 12 deletions(-)

commit 9eef4295cf417370627622016dd3b8ea3d05bc45
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 20:10:58 2013 -0400

    eliminate unused case

 arch/x86/net/bpf_jit_comp.c | 11 +++--------
 1 files changed, 3 insertions(+), 8 deletions(-)

commit 763c4bb3f5033b4477be897d0e97ab0fa7315cf0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 19:54:55 2013 -0400

    BUILD_BUG() does not exist in 3.2, use BUILD_BUG_ON(1) instead

 arch/x86/net/bpf_jit_comp.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 93f93cdc0fca0b6dfa02da00a1c13619fcb36d42
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 19:43:45 2013 -0400

    fix typo

 arch/x86/net/bpf_jit_comp.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7d6b07f5714338fa82e69eae4e3b46618dc7f34e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 18 19:22:40 2013 -0400

    move _etext to only cover kernel code, not read-only data, as reported by Gu1

    Conflicts:
        arch/arm/kernel/vmlinux.lds.S

 arch/arm/kernel/vmlinux.lds.S | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 29ad510ef848c5afab671f4b86f84b0f90411057
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 11 12:12:00 2013 -0400

    allow copies just up to the start of kernel code

 fs/exec.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit cbc64d2ef1ecb4b80c71ae77cd028d193afbc441
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 10 16:53:07 2013 -0400

    MODULES_EXEC_VADDR is a virtual address

 fs/exec.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c26bdbabafdc77f63793f490146f071da059ba8b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 10 16:51:03 2013 -0400

    exempt module rx areas from usercopy protection under i386 kernexec
    their .rodata will be placed between stext/etext causing copies of
    constant strings to trigger usercopy reports/terminations

 fs/exec.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit c82b29f9dc7639d480113ed3573ac5cbf6378cb6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 18 19:17:24 2013 -0400

    add asm/sections.h for USERCOPY change

 fs/exec.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 5b7c5de5df05a7aef18f1996a453869a047193e9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 20:17:00 2013 -0400

    Improve PAX_USERCOPY to reject direct copies to/from main kernel text

    Conflicts:
        fs/exec.c

 fs/exec.c | 33 +++++++++++++++++++++++++++++----
 1 files changed, 29 insertions(+), 4 deletions(-)

commit be6910ed9a42be5f57ff23ba0b8ba0a9c951c6f5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 18:33:33 2013 -0400

    defensively guard against BPF JIT additions by adding BUILD_BUG() to unhandled cases

 arch/x86/net/bpf_jit_comp.c | 10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

commit c2dfcdab89f09767b8839d5f77943895d6d48013
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 28 23:52:08 2013 -0400

    remove tracepoint

 drivers/char/random.c | 2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit a65835c4273b02a8bf4b8b7ec8e76e54dc87d27e
Author: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Date:   Fri May 24 15:55:21 2013 -0700

    Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18

    mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer

    We should not use set_pmd_at to update pmd_t with pgtable_t pointer.
    set_pmd_at is used to set pmd with huge pte entries and architectures
    like ppc64, clear few flags from the pte when saving a new entry.
    Without this change we observe bad pte errors like below on ppc64 with
    THP enabled.
    BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000

    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/huge_memory.c | 7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 0c0e0761dd558af8d47d30e667b13892e84eb4f1
Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Date:   Fri May 24 15:55:08 2013 -0700

    Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995

    fat: fix possible overflow for fat_clusters

    Intermediate value of fat_clusters can be overflowed on 32bits arch.

    Reported-by: Krzysztof Strasburger <strasbur@chkw386.ch.pwr.wroc.pl>
    Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/fat/inode.c | 15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)

commit 55cc5b0ea757afe52543135b2d658797fba02540
Author: Jarod Wilson <jarod@redhat.com>
Date:   Fri May 24 15:55:31 2013 -0700

    Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53

    drivers/char/random.c: fix priming of last_data

    Commit ec8f02da9ea5 ("random: prime last_data value per fips
    requirements") added priming of last_data per fips requirements.
    Unfortunately, it did so in a way that can lead to multiple threads all
    incrementing nbytes, but only one actually doing anything with the extra
    data, which leads to some fun random corruption and panics.

    The fix is to simply do everything needed to prime last_data in a single
    shot, so there's no window for multiple cpus to increment nbytes -- in
    fact, we won't even increment or decrement nbytes anymore, we'll just
    extract the needed EXTRACT_SIZE one time per pool and then carry on with
    the normal routine.

    All these changes have been tested across multiple hosts and
    architectures where panics were previously encountered.  The code changes
    are strictly limited to areas only touched when booted in fips mode.

    This change should also go into 3.8-stable, to make the myriads of fips
    users on 3.8.x happy.

    Signed-off-by: Jarod Wilson <jarod@redhat.com>
    Tested-by: Jan Stancek <jstancek@redhat.com>
    Tested-by: Jan Stodola <jstodola@redhat.com>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Matt Mackall <mpm@selenic.com>
    Cc: "Theodore Ts'o" <tytso@mit.edu>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/char/random.c | 30 +++++++++++++++---------------
 1 files changed, 15 insertions(+), 15 deletions(-)

commit 6b6f31f49fafd14a54175a1aa17bedd2d8521def
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Fri May 24 15:55:33 2013 -0700

    Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68

    random: fix accounting race condition with lockless irq entropy_count update

    Commit 902c098a3663 ("random: use lockless techniques in the interrupt
    path") turned IRQ path from being spinlock protected into lockless
    cmpxchg-retry update.

    That commit removed r->lock serialization between crediting entropy bits
    from IRQ context and accounting when extracting entropy on userspace read
    path, but didn't turn the r->entropy_count reads/updates in account() to
    use cmpxchg as well.

    It has been observed that under certain circumstances this leads to
    read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets
    corrupted and becomes negative, which in turn results in propagating 0
    all the way from account() to the actual read() call.

    Convert the accounting code to be the proper lockless counterpart of what
    has been partially done by 902c098a3663.

    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Cc: Theodore Ts'o <tytso@mit.edu>
    Cc: Greg KH <greg@kroah.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/char/random.c | 26 +++++++++++++++++---------
 1 files changed, 17 insertions(+), 9 deletions(-)

commit 96ff338de32b01effbac6c36c634afe44c528e68
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Mon Mar 4 11:59:12 2013 -0500

    Upstream commit: b980955236922ae6106774511c5c05003d3ad225

    random: fix locking dependency with the tasklist_lock

    Commit 6133705494bb introduced a circular lock dependency because
    posix_cpu_timers_exit() is called by release_task(), which is holding
    a writer lock on tasklist_lock, and this can cause a deadlock since
    kill_fasync() gets called with nonblocking_pool.lock taken.

    There's no reason why kill_fasync() needs to be taken while the random
    pool is locked, so move it out to fix this locking dependency.
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Reported-by: Russ Dill <Russ.Dill@gmail.com>
    Cc: stable@kernel.org

 drivers/char/random.c | 12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit 466d8b9a7aa0e929c30095557a98b14e058b09db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 23 18:41:33 2013 -0400

    use existing local variable

 fs/exec.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5c28916388cc04e38e16536a4b24dbe7c2466cf1
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Thu May 16 17:43:55 2013 +0200

    Upstream commit: 264b83c07a84223f0efd0d1db9ccc66d6f88288f

    usermodehelper: check subprocess_info->path != NULL

    argv_split(empty_or_all_spaces) happily succeeds, it simply returns
    argc == 0 and argv[0] == NULL.

    Change call_usermodehelper_exec() to check sub_info->path != NULL to
    avoid the crash.

    This is the minimal fix, todo:

     - perhaps we should change argv_split() to return NULL or change the
       callers.

     - kill or justify ->path[0] check

     - narrow the scope of helper_lock()

    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Acked-By: Lucas De Marchi <lucas.demarchi@intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/kmod.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit f9172f77b731f27cbafed27dee134b9f04eb13eb
Author: Chen Gang <gang.chen@asianux.com>
Date:   Thu May 16 14:04:25 2013 -0500

    Upstream commit: a5f2b3d6a738e7d4180012fe7b541172f8c8dcea

    drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory overflow

    When calling memcpy, read_data and write_data need additional 2 bytes.

      write_data:
        for checking:  "if (size > IPMI_MAX_MSG_LENGTH)"
        for operating: "memcpy(bt->write_data + 3, data + 1, size - 1)"

      read_data:
        for checking:  "if (msg_len < 3 || msg_len > IPMI_MAX_MSG_LENGTH)"
        for operating: "memcpy(data + 2, bt->read_data + 4, msg_len - 2)"

    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: Corey Minyard <cminyard@mvista.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/char/ipmi/ipmi_bt_sm.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit ae433caec330f8527c9609bf3f9120e3582afb86
Merge: f1fb081 ee5b3c4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 23 18:18:32 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit ee5b3c47d06095052597ab0b52e80b8ef6dc3ede
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 23 18:17:54 2013 -0400

    Update to pax-linux-3.2.45-test106.patch:
    - fixed a gcc assert in the structleak plugin, reported by Emese Revfy
    - fixed pfn extraction from pud/pgd entries, reported by ousado
    - fixed a gcc bug/feature exposed by constification, the investigation was
      prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html

 arch/x86/include/asm/pgtable.h | 9 +++++-
 fs/jfs/super.c | 4 +-
 sound/soc/fsl/fsl_ssi.c | 2 +-
 tools/gcc/constify_plugin.c | 48 +++++++++++++++++++++++++++++++++++++--
 tools/gcc/structleak_plugin.c | 3 +-
 5 files changed, 57 insertions(+), 9 deletions(-)

commit f1fb0815610c45f938f19c3868341d09ae657f9d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 20:30:37 2013 -0400

    Fix usercopy false positive under gcc 4.1

 arch/x86/kernel/signal.c | 9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

commit 9e7f7ca888e699d9081791fb60927042f0202e39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 14 16:52:35 2013 -0400

    disable unprivileged kernel profiling under HIDESYM, rename the variable
    to something more appropriate

 include/linux/perf_event.h | 8 ++++----
 kernel/events/core.c | 6 +++++-
 kernel/sysctl.c | 4 ++--
 3 files changed, 11 insertions(+), 7 deletions(-)

commit 92c947dcfe310d0c4bcfb68f6f06ca43fcfdca19
Merge: 1979685 e16fea9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 14 17:05:08 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        drivers/tty/tty_io.c
        net/ipv4/tcp_input.c

commit e16fea9e43ae863fabe00f770e329a87575e98d0
Merge: 1ef16b8 88fd5f3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 14 17:01:35 2013 -0400

    Update to pax-linux-3.2.45-test105.patch

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        arch/x86/mm/init.c
        kernel/trace/trace_stack.c

commit 197968500d67cfd144658613250837810b109025
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 20:10:59 2013 -0400

    compile fix for PaX

 arch/x86/lib/usercopy_64.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a63fa11bbcb3f49cedd1057f9f7c7693f755a91a
Merge: 63253e2 1ef16b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 11:03:12 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 1ef16b89f336b44710a321b7afc7172873efaa82
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 11:01:58 2013 -0400

    Update to pax-linux-3.2.44-test105.patch:
    - another fix for kprobes under KERNEXEC
    - enabled user.pax.flags access for non-readable executables, fixes
      https://bugs.gentoo.org/show_bug.cgi?id=463170#c21
    - fixed some size overflow false positives, including the one in nfsd_cache_update
    - fixed sparc/constification compile error, reported by blake
    - UDEREF/amd64 should be a bit more efficient when disabled at boot time
    - fixed some unnecessary integer truncations that could trip up the size
      overflow plugin

 arch/sparc/kernel/us3_cpufreq.c | 4 ++--
 arch/x86/ia32/ia32entry.S | 4 ++--
 arch/x86/include/asm/pgtable.h | 6 ++++--
 arch/x86/include/asm/uaccess.h | 6 +++---
 arch/x86/kernel/kprobes.c | 4 ++++
 arch/x86/lib/copy_user_nocache_64.S | 2 +-
 arch/x86/lib/getuser.S | 8 ++++----
 arch/x86/lib/putuser.S | 8 ++++----
 arch/x86/mm/fault.c | 6 +++---
 drivers/net/slip/slhc.c | 2 +-
 drivers/staging/iio/ring_sw.c | 2 +-
 fs/binfmt_elf.c | 6 +++---
 fs/nfsd/nfscache.c | 2 +-
 fs/xattr.c | 21 +++++++++++++++++++++
 include/linux/syscalls.h | 2 +-
 include/linux/xattr.h | 3 +++
 init/main.c | 3 +++
 kernel/futex_compat.c | 2 +-
 net/socket.c | 2 +-
 19 files changed, 63 insertions(+), 30 deletions(-)

commit 63253e283e46877c692d2f78c82b3b48f55226cd
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon May 6 09:31:17 2013 +0000

    Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa

    tipc: potential divide by zero in tipc_link_recv_fragment()

    The worry here is that fragm_sz could be zero since it comes from
    skb->data.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        net/tipc/link.c

 net/tipc/link.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 51b67cb3637685f46c75a6e94b7780ec65ae9818
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon May 6 08:28:41 2013 +0000

    Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc

    tipc: add a bounds check in link_recv_changeover_msg()

    The bearer_id here comes from skb->data and it can be a number from 0 to
    7.  The problem is that the ->links[] array has only 2 elements so I have
    added a range check.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/tipc/link.c | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit 3034fc8b9176afee27071b95c97544dbf5c50ef5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 20:22:50 2013 -0400

    compile fix

 grsecurity/gracl.c | 1 +
 grsecurity/gracl_segv.c | 1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

commit 6b33a780cf58cdfc61c36be566d8136a92d7f94c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 18:25:26 2013 -0400

    fix btrfs support here as well

 grsecurity/gracl_segv.c | 17 +++++++++--------
 1 files changed, 9 insertions(+), 8 deletions(-)

commit 2a986549f6e0db61321d565ca5c9b88a6fc5b354
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 18:12:57 2013 -0400

    Fix RBAC compatibility with btrfs compiled as a module, as reported on
    the forums by YuHg at:
    http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952

    Conflicts:
        grsecurity/gracl.c

 fs/btrfs/inode.c | 11 +----------
 grsecurity/gracl.c | 19 ++++++++++---------
 grsecurity/gracl_segv.c | 2 +-
 grsecurity/grsec_disabled.c | 2 +-
 4 files changed, 13 insertions(+), 21 deletions(-)

commit 68e0711ebaecaed5071acc4798c22154722be985
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 8 20:25:52 2013 -0400

    User jorgus on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3446
    discovered that the upstreamed version of enforcing RLIMIT_NPROC at
    setuid/exec time missed an important corner case: If RLIMIT_NPROC is set
    after a setuid occurs and the user's process limit is reached elsewhere,
    no enforcement of RLIMIT_NPROC will happen at exec time for the task with
    a modified RLIMIT_NPROC.  This patch fixes that.

 kernel/sys.c | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 908bad69fe301caf37ef42d268b0db7d861e991e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 7 21:02:39 2013 -0400

    add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity
    useful for Fedora/RHEL users

    Conflicts:
        grsecurity/grsec_chroot.c

 grsecurity/Kconfig | 10 ++++++++++
 grsecurity/grsec_chroot.c | 17 +++++++++++++++--
 2 files changed, 25 insertions(+), 2 deletions(-)

commit 706f9f987e260e56ff3e7850616967a12b99e367
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Apr 29 05:58:52 2013 +0000

    Upstream commit: aebda156a570782a86fc4426842152237a19427d

    net: defer net_secret[] initialization

    Instead of feeding net_secret[] at boot time, defer the init
    at the point first socket is created.

    This permits some platforms to use better entropy sources than
    the ones available at boot time.

    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/secure_seq.h | 1 +
 net/core/secure_seq.c | 4 +---
 net/ipv4/af_inet.c | 5 ++++-
 3 files changed, 6 insertions(+), 4 deletions(-)

commit 0dfbb30c4754e3c1e51dc1f207b764050941081d
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Wed May 1 02:59:23 2013 +0000

    Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48

    net: sctp: attribute printl with __printf for gcc fmt checks

    Let GCC check for format string errors in sctp's probe printl
    function. This patch fixes the warning when compiled with W=1:

      net/sctp/probe.c:73:2: warning: function might be possible candidate
      for 'gnu_printf' format attribute [-Wmissing-format-attribute]

    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/probe.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a6fd34e3030e4e1521255bf6563795ff310f54dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 2 19:58:54 2013 -0400

    remove no-longer-needed vmware 8 compat fix

 mm/page_alloc.c | 6 ------
 1 files changed, 0 insertions(+), 6 deletions(-)

commit 162b6fbcca854849113574740e89d0df86d9002f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 2 19:55:23 2013 -0400

    remove unnecessary < 0 check

 net/phonet/af_phonet.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3fbdd6071dbb0cee76b29eb12b7b79606a248a94
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:44:23 2013 -0400

    add module.h to silence compiler warning, thanks to Sergei Trofimovich

 fs/btrfs/inode.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e0966e03b7fd8f9b47b039e2576fc159259738d2
Merge: 1ecc5df fe7a9b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:54:49 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit fe7a9b2587887771bd585d060916d19ff7f8a2da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:54:02 2013 -0400

    Update to pax-linux-3.2.44-test104.patch:
    - changed PHYSICAL_ALIGN/START to fix
      http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
    - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
    - fixed CONSTIFY and powerpc interference, reported by John Hardin
      (https://bugs.gentoo.org/show_bug.cgi?id=456364)
    - removed size overflow coverage of resource_size(), reported at
      http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
    - fixed bad pointer arithmetic in nfsd_cache_update, reported by
      Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438
      note that the false positive is not fixed yet
    - fixed a few unintended bitmask computations found by a not-yet-public
      gcc plugin
    - fixed the kernel stack leak bug in do_tgkill, found by the size overflow
      plugin (https://code.google.com/p/chromium/issues/detail?id=223444)

 arch/x86/kernel/entry_64.S | 11 ++++++++++-
 arch/x86/kernel/i8259.c | 2 +-
 arch/x86/kernel/pci-calgary_64.c | 2 +-
 arch/x86/kvm/vmx.c | 4 ++--
 drivers/block/pktcdvd.c | 2 +-
 fs/btrfs/extent-tree.c | 2 +-
 fs/nfsd/nfscache.c | 6 ++++--
 kernel/trace/trace.c | 2 +-
 kernel/trace/trace.h | 2 +-
 tools/gcc/structleak_plugin.c | 4 ++++
 10 files changed, 26 insertions(+), 11 deletions(-)

commit 1ecc5dfab4c47eea0e0357243576023a6e41e53f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 27 19:15:22 2013 -0400

    Revert "Upstream commit: 9c603e53d380459fb62fec7cd085acb0b74ac18f"

    This reverts commit 28e7b00ea53db22a3b92d719c1e021ed852ec714.

    Conflicts:
        drivers/mtd/mtdchar.c

 drivers/mtd/mtdchar.c | 41 ++---------------------------------------
 1 files changed, 2 insertions(+), 39 deletions(-)

commit 530893e5207bae101e817ba6ab2ef48d14ec8c3c
Merge: 42c9be5 5de7ed2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 22:12:15 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        arch/x86/kvm/x86.c
        drivers/mtd/mtdchar.c

commit 5de7ed2fff9bb3b17552237250cdcfd1c206a5cf
Merge: 5707e86 7771ca8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 22:11:11 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        arch/x86/kernel/paravirt.c

commit 42c9be5fdf608055a57f2a92a6bbbc12b690cc9c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 20:53:06 2013 -0400

    don't use file_inode()

 drivers/tty/tty_io.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e8fee09093c382486ee1c3278c97efe8f32c456a
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Apr 26 13:48:53 2013 +0200

    TTY: fix atime/mtime regression

    In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
    we removed timestamps from tty inodes to fix a security issue and waited
    if something breaks.  Well, 'w', the utility to find out logged users and
    their inactivity time broke.  It shows that users are inactive since the
    time they logged in.

    To revert to the old behaviour while still preventing attackers to guess
    the password length, we update the timestamps in one-minute intervals by
    this patch.

    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Conflicts:
        drivers/tty/tty_io.c

 drivers/tty/tty_io.c | 15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)

commit 9d29ed3eecbc0a798ca8c520937fefb6799516c9
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Feb 15 15:25:05 2013 +0100

    Upstream commit: b0de59b5733d

    TTY: do not update atime/mtime on read/write

    On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
    out length of a password using timestamps of /dev/ptmx.  It is
    documented in "Timing Analysis of Keystrokes and Timing Attacks on
    SSH".  To avoid that problem, do not update time when reading
    from/writing to a TTY.

    I am afraid of regressions as this is a behavior we have since 0.97 and
    apps may expect the time to be current, e.g. for monitoring whether
    there was a change on the TTY.  Now, there is no change.  So this would
    better have a lot of testing before it goes upstream.
    References: CVE-2013-0160
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Cc: stable <stable@vger.kernel.org> # after 3.9 is out
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/tty_io.c | 8 ++------
 1 files changed, 2 insertions(+), 6 deletions(-)

commit e9eb3139908b27837f7b0500b856fd23943e9667
Author: John David Anglin <dave.anglin@bell.net>
Date:   Tue Apr 23 22:42:07 2013 +0200

    Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78

    parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates

    User applications running on SMP kernels have long suffered from
    instability and random segmentation faults.  This patch improves the
    situation although there is more work to be done.

    One of the problems is the various routines in pgtable.h that update
    page table entries use different locking mechanisms, or no lock at all
    (set_pte_at).  This change modifies the routines to all use the same
    lock pa_dbit_lock.  This lock is used for dirty bit updates in the
    interruption code.  The patch also purges the TLB entries associated
    with the PTE to ensure that inconsistent values are not used after the
    page table entry is updated.  The UP and SMP code are now identical.

    The change also includes a minor update to the purge_tlb_entries
    function in cache.c to improve its efficiency.
    Signed-off-by: John David Anglin <dave.anglin@bell.net>
    Cc: Helge Deller <deller@gmx.de>
    Signed-off-by: Helge Deller <deller@gmx.de>

 arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++-----------------
 arch/parisc/kernel/cache.c | 5 +---
 2 files changed, 26 insertions(+), 26 deletions(-)

commit 82d0eec7c3686baedab4883c8bdc52cc0d1aae83
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 22 17:43:40 2013 -0400

    Fix typo in KVM fix

 arch/x86/kvm/x86.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d23f8b0f7e082db3a761f053605069e7cd833a75
Author: David Woodhouse <David.Woodhouse@intel.com>
Date:   Tue Oct 9 15:08:10 2012 +0100

    Upstream commit: f5cf8f07423b2677cebebcebc863af77223a4972

    mtd: Disable mtdchar mmap on MMU systems

    This code was broken because it assumed that all MTD devices were
    map-based.  Disable it for now, until it can be fixed properly for the
    next merge window.

    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

 drivers/mtd/mtdchar.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 9a687b8f40800c7dcc014c1682658f594a560bef
Author: Dmitry Popov <dp@highloadlab.com>
Date:   Thu Apr 11 08:55:07 2013 +0000

    Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6

    tcp: incoming connections might use wrong route under synflood

    There is a bug in cookie_v4_check (net/ipv4/syncookies.c):

        flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
                           RT_SCOPE_UNIVERSE, IPPROTO_TCP,
                           inet_sk_flowi_flags(sk),
                           (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
                           ireq->loc_addr, th->source, th->dest);

    Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry
    may be taken.  This dst_entry is used by new socket (get_cookie_sock ->
    tcp_v4_syn_recv_sock), so its packets may take the wrong path.

    Signed-off-by: Dmitry Popov <dp@highloadlab.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/syncookies.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 1810425af631fcf556767742f0267d8b5c8a6247
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Sat Apr 13 15:49:03 2013 +0000

    Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93

    esp4: fix error return code in esp_output()

    Fix to return a negative error code from the error handling
    case instead of 0, as returned elsewhere in this function.

    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/esp4.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 6196ec48aa33bb128829ff029f201dd7670cc0af
Author: Vyacheslav Dubeyko <slava@dubeyko.com>
Date:   Wed Apr 17 15:58:33 2013 -0700

    Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4

    hfsplus: fix potential overflow in hfsplus_file_truncate()

    Change a u32 to loff_t hfsplus_file_truncate().

    Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/hfsplus/extents.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3634aee165fd35c7180e7fe4b0d9b4fb17ea3efe
Author: Emese Revfy <re.emese@gmail.com>
Date:   Wed Apr 17 15:58:36 2013 -0700

    Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f

    kernel/signal.c: stop info leak via the tkill and the tgkill syscalls

    This fixes a kernel memory contents leak via the tkill and tgkill syscalls
    for compat processes.

    This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
    when handling signals delivered from tkill.

    The place of the infoleak:

    int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
    {
            ...
            put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
            ...
    }

    Signed-off-by: Emese Revfy <re.emese@gmail.com>
    Reviewed-by: PaX Team <pageexec@freemail.hu>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Serge Hallyn <serge.hallyn@canonical.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/signal.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit cb7e3814af19241d361b4e01c1f3038506336f63
Merge: 3a0b578 5707e86
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 20:13:23 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        security/Kconfig

commit 5707e86ddf7438639dd210a7bb6d144847e52b58
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 20:10:00 2013 -0400

    - changed PHYSICAL_ALIGN/START to fix
      http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
    - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
    - fixed CONSTIFY and powerpc interference, reported by John Hardin
      (https://bugs.gentoo.org/show_bug.cgi?id=456364)

 arch/powerpc/include/asm/smp.h | 2 +-
 arch/x86/Kconfig | 4 ++--
 security/Kconfig | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

commit 4b49d904b0132e7af83f9799c7814e37f881cbee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 19:54:09 2013 -0400

    add intentional_overflow marking for resource_size() as reasoned by:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3412

 include/linux/ioport.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3a0b578ba3c9bbc3f4d6c4f688961277a26847b0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 15 19:01:09 2013 -0400

    Check that address+len does not cross a page boundary instead of
    enforcing 32-byte alignment for compatibility with RHEL5
    As suggested by Andrew Honig via email

 arch/x86/kvm/x86.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit e373e5698bf9f7fefc61f3afbe016dba92bce72e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 15 18:54:44 2013 -0400

    From: Andy Honig <ahonig@google.com>
    Date: Wed, 20 Feb 2013 14:48:10 -0800
    Subject: KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)

    commit 0b79459b482e85cb7426aa7da683a9f2c97aeae1 upstream.

    There is a potential use after free issue with the handling of
    MSR_KVM_SYSTEM_TIME.  If the guest specifies a GPA in a movable or
    removable memory such as frame buffers then KVM might continue to write
    to that address even after it's removed via KVM_SET_USER_MEMORY_REGION.
    KVM pins the page in memory so it's unlikely to cause an issue, but if
    the user space component re-purposes the memory previously used for the
    guest, then the guest will be able to corrupt that memory.

    Tested: Tested against kvmclock unit test

    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
    [bwh: Backported to 3.2:
     - Adjust context
     - We do not implement the PVCLOCK_GUEST_STOPPED flag]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

 arch/x86/include/asm/kvm_host.h | 4 ++--
 arch/x86/kvm/x86.c | 39 ++++++++++++++-------------------------
 2 files changed, 16 insertions(+), 27 deletions(-)

commit 33eaaf68c9ba22cbb2e1a363cb6d05204b3e6964
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:43:23 2013 -0400

    move location of RBAC user check on setfsuid until after capability
    checks for consistency with other checks

 kernel/sys.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 6bb27b76b385e8f0efb17836b5ee3a8085da2bc8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 13:36:33 2013 -0400

    include linux/atomic.h instead

 include/linux/kref.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 25b19e54f94e5aa8fdbe60a6810f5a8fa0535f99
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 13:18:13 2013 -0400

    include asm/atomic.h

 include/linux/kref.h | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit aaded14f791e07bfc297101e10c85c9cae320640
Author: Thomas Hellstrom <thellstrom@vmware.com>
Date:   Tue Nov 6 11:31:49 2012 +0000

    Upstream commit: 4b20db3d

    kref: Implement kref_get_unless_zero v3

    This function is intended to simplify locking around refcounting for
    objects that can be looked up from a lookup structure, and which are
    removed from that lookup structure in the object destructor.
    Operations on such objects require at least a read lock around
    lookup + kref_get, and a write lock around kref_put + remove from lookup
    structure.  Furthermore, RCU implementations become extremely tricky.
    With a lookup followed by a kref_get_unless_zero *with return value check*
    locking in the kref_put path can be deferred to the actual removal from
    the lookup structure and RCU lookups become trivial.

    v2: Formatting fixes.
    v3: Invert the return value.

    Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

    Conflicts:
        include/linux/kref.h

 include/linux/kref.h | 20 ++++++++++++++++++++
 1 files changed, 20 insertions(+), 0 deletions(-)

commit f03c3e83de84db3f6c4c3737a11a6ee50beb7825
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sat Apr 13 15:15:30 2013 -0700

    kobject: fix kset_find_obj() race with concurrent last kobject_put()

    Anatol Pomozov identified a race condition that hits module unloading
    and re-loading.  To quote Anatol:

     "This is a race condition that exists between kset_find_obj() and
      kobject_put().  kset_find_obj() might return kobject that has refcount
      equal to 0 if this kobject is freeing by kobject_put() in other
      thread.
Here is timeline for the crash in case if kset_find_obj() searches for an object tht nobody holds and other thread is doing kobject_put() on the same kobject: THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put()) splin_lock() atomic_dec_return(kobj->kref), counter gets zero here ... starts kobject cleanup .... spin_lock() // WAIT thread A in kobj_kset_leave() iterate over kset->list atomic_inc(kobj->kref) (counter becomes 1) spin_unlock() spin_lock() // taken // it does not know that thread A increased counter so it remove obj from list spin_unlock() vfree(module) // frees module object with containing kobj // kobj points to freed memory area!! kobject_put(kobj) // OOPS!!!! The race above happens because module.c tries to use kset_find_obj() when somebody unloads module. The module.c code was introduced in commit 6494a93d55fa" Anatol supplied a patch specific for module.c that worked around the problem by simply not using kset_find_obj() at all, but rather than make a local band-aid, this just fixes kset_find_obj() to be thread-safe using the proper model of refusing the get a new reference if the refcount has already dropped to zero. See examples of this proper refcount handling not only in the kref documentation, but in various other equivalent uses of this pattern by grepping for atomic_inc_not_zero(). [ Side note: the module race does indicate that module loading and unloading is not properly serialized wrt sysfs information using the module mutex. That may require further thought, but this is the correct fix at the kobject layer regardless. 
] Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> lib/kobject.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit b6491bfc44289a525a87f1ec7523f618f40a9e76 Author: Suleiman Souhlal <suleiman@google.com> Date: Sat Apr 13 16:03:06 2013 -0700 Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1 vfs: Revert spurious fix to spinning prevention in prune_icache_sb Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb"). This commit doesn't look right: since we are looking at the tail of the list (sb->s_inode_lru.prev) if we want to skip an inode, we should put it back at the head of the list instead of the tail, otherwise we will keep spinning on it. Discovered when investigating why prune_icache_sb came top in perf reports of a swapping load. Signed-off-by: Suleiman Souhlal <suleiman@google.com> Signed-off-by: Hugh Dickins <hughd@google.com> Cc: stable@vger.kernel.org # v3.2+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> fs/inode.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 92c34d083eb1173fccf1fdbabbfe124e1ee16708 Merge: 2c7f5fd 1b30816 Author: Brad Spengler <spender@grsecurity.net> Date: Fri Apr 12 19:21:50 2013 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit 1b3081653b80d0562ac563f890064fa6d60dbd8e Author: Brad Spengler <spender@grsecurity.net> Date: Fri Apr 12 19:20:33 2013 -0400 Update to pax-linux-3.2.43-test103.patch: - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld - fixed the structleak plugin to compile for gcc 4.5-4.6 as well arch/x86/xen/enlighten.c | 6 +++--- tools/gcc/structleak_plugin.c | 5 +++-- 2 files changed, 6 insertions(+), 5 deletions(-) commit 2c7f5fdcbd2788b193bf780f2cb4d12bc75a3534 Author: Eric W. 
Biederman <ebiederm@xmission.com>
Date: Tue Mar 12 18:27:41 2013 -0700

Upstream commit: fa7614dd

fs: Readd the fs module aliases.

I had assumed that the only use of module aliases for filesystems prior to "fs: Limit sys_mount to only request filesystem modules." was in request_module. It turns out I was wrong. At least mkinitcpio in Arch linux uses these aliases.

So readd the preexisting aliases, to keep from breaking userspace.

Userspace eventually will have to follow and use the same aliases the kernel does. So at some point we may be able to delete these aliases without problems. However that day is not today.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

Conflicts:
 fs/nfs/super.c

 fs/ext4/super.c | 2 ++
 fs/freevxfs/vxfs_super.c | 1 +
 fs/isofs/inode.c | 1 +
 fs/nfs/super.c | 1 +
 fs/sysv/super.c | 1 +
 net/sunrpc/rpc_pipe.c | 1 +
 6 files changed, 7 insertions(+), 0 deletions(-)

commit e1ec1a6caeaffa29b412703642757ba3d6224bb5
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Mon Mar 11 07:05:42 2013 -0700

Upstream commit: 3e64fe5

fs: Limit sys_mount to only request filesystem modules. (Part 3)

Somehow I failed to add the MODULE_ALIAS_FS for cifs, hostfs, hpfs, squashfs, and udf despite what I thought were my careful checks :( Add them now.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

 fs/cifs/cifsfs.c | 1 +
 fs/hostfs/hostfs_kern.c | 1 +
 fs/hpfs/super.c | 1 +
 fs/squashfs/super.c | 1 +
 fs/udf/super.c | 1 +
 5 files changed, 5 insertions(+), 0 deletions(-)

commit de01bedefe0f655a15289b9e2b6c19b9b81286b1
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Thu Mar 7 01:08:55 2013 -0800

Upstream commit: 9141770

fs: Limit sys_mount to only request filesystem modules (Part 2).

Add missing MODULE_ALIAS_FS("ocfs2") how did I miss that?
Remove unnecessary MODULE_ALIAS_FS("devpts") devpts can not be modular.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

 fs/devpts/inode.c | 1 -
 fs/ocfs2/super.c | 1 +
 2 files changed, 1 insertions(+), 1 deletions(-)

commit c1a56ee0c7821a507acb263b8fc52b75b8784abd
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Sat Mar 2 19:39:14 2013 -0800

Upstream commit: 7f78e03
(Not needed due to MODHARDEN, but doesn't hurt the !MODHARDEN case)

fs: Limit sys_mount to only request filesystem modules.

Modify the request_module to prefix the file system type with "fs-" and add aliases to all of the filesystems that can be built as modules to match.

A common practice is to build all of the kernel code and leave code that is not commonly needed as modules, with the result that many users are exposed to any bug anywhere in the kernel.

Looking for filesystems with a fs- prefix limits the pool of possible modules that can be loaded by mount to just filesystems trivially making things safer with no real cost.

Using aliases means user space can control the policy of which filesystem modules are auto-loaded by editing /etc/modprobe.d/*.conf with blacklist and alias directives. Allowing simple, safe, well understood work-arounds to known problematic software.

This also addresses a rare but unfortunate problem where the filesystem name is not the same as its module name and module auto-loading would not work. While writing this patch I saw a handful of such cases. The most significant being autofs that lives in the module autofs4.

This is relevant to user namespaces because we can reach the request module in get_fs_type() without having any special permissions, and people get uncomfortable when a user specified string (in this case the filesystem type) goes all of the way to request_module.

After having looked at this issue I don't think there is any particular reason to perform any filtering or permission checks beyond making it clear in the module request that we want a filesystem module. The common pattern in the kernel is to call request_module() without regards to the users permissions. In general all a filesystem module does once loaded is call register_filesystem() and go to sleep. Which means there is not much attack surface exposed by loading a filesystem module unless the filesystem is mounted. In a user namespace filesystems are not mounted unless .fs_flags = FS_USERNS_MOUNT, which most filesystems do not set today.

Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Acked-by: Kees Cook <keescook@chromium.org>
Reported-by: Kees Cook <keescook@google.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

Conflicts:
 drivers/firmware/efivars.c
 drivers/staging/ccg/f_fs.c
 fs/f2fs/super.c
 fs/filesystems.c
 fs/gfs2/ops_fstype.c
 fs/nfs/super.c
 fs/qnx6/inode.c

 arch/ia64/kernel/perfmon.c | 1 +
 arch/powerpc/platforms/cell/spufs/inode.c | 1 +
 arch/s390/hypfs/inode.c | 1 +
 drivers/infiniband/hw/ipath/ipath_fs.c | 1 +
 drivers/infiniband/hw/qib/qib_fs.c | 1 +
 drivers/misc/ibmasm/ibmasmfs.c | 1 +
 drivers/mtd/mtdchar.c | 1 +
 drivers/oprofile/oprofilefs.c | 1 +
 drivers/usb/gadget/f_fs.c | 1 +
 drivers/usb/gadget/inode.c | 1 +
 drivers/xen/xenfs/super.c | 1 +
 fs/9p/vfs_super.c | 1 +
 fs/adfs/super.c | 1 +
 fs/affs/super.c | 1 +
 fs/afs/super.c | 1 +
 fs/autofs4/init.c | 1 +
 fs/befs/linuxvfs.c | 1 +
 fs/bfs/inode.c | 1 +
 fs/binfmt_misc.c | 1 +
 fs/btrfs/super.c | 1 +
 fs/ceph/super.c | 1 +
 fs/coda/inode.c | 1 +
 fs/configfs/mount.c | 1 +
 fs/cramfs/inode.c | 1 +
 fs/debugfs/inode.c | 1 +
 fs/devpts/inode.c | 1 +
 fs/ecryptfs/main.c | 1 +
 fs/efs/super.c | 1 +
 fs/exofs/super.c | 1 +
 fs/ext2/super.c | 1 +
 fs/ext3/super.c | 1 +
 fs/ext4/super.c | 5 +++--
 fs/fat/namei_msdos.c | 1 +
 fs/fat/namei_vfat.c | 1 +
 fs/filesystems.c | 4 ++--
 fs/freevxfs/vxfs_super.c | 2 +-
 fs/fuse/control.c | 1 +
 fs/fuse/inode.c | 2 ++
 fs/gfs2/ops_fstype.c | 4 +++-
 fs/hfs/super.c | 1 +
 fs/hfsplus/super.c | 1 +
 fs/hppfs/hppfs.c | 1 +
 fs/hugetlbfs/inode.c | 1 +
 fs/isofs/inode.c | 3 +--
 fs/jffs2/super.c | 1 +
 fs/jfs/super.c | 1 +
 fs/logfs/super.c | 1 +
 fs/minix/inode.c | 1 +
 fs/ncpfs/inode.c | 1 +
 fs/nfs/super.c | 4 ++--
 fs/nfsd/nfsctl.c | 1 +
 fs/nilfs2/super.c | 1 +
 fs/ntfs/super.c | 1 +
 fs/ocfs2/dlmfs/dlmfs.c | 1 +
 fs/omfs/inode.c | 1 +
 fs/openpromfs/inode.c | 1 +
 fs/qnx4/inode.c | 1 +
 fs/reiserfs/super.c | 1 +
 fs/romfs/super.c | 1 +
 fs/sysv/super.c | 3 ++-
 fs/ubifs/super.c | 1 +
 fs/ufs/super.c | 1 +
 fs/xfs/xfs_super.c | 1 +
 include/linux/fs.h | 2 ++
 net/sunrpc/rpc_pipe.c | 4 +---
 65 files changed, 74 insertions(+), 14 deletions(-)

commit 8e627953f34cc19d7256ecb0374db2eede4d1322
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Apr 11 20:46:20 2013 -0400

Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot"

Will be fixed with the next PaX patch

This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7.

 security/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 91962806fe3f514525e4e202efb80405d2b9d37a
Author: Namhyung Kim <namhyung.kim@lge.com>
Date: Mon Apr 1 21:46:23 2013 +0900

Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1

tracing: Fix double free when function profile init failed

On the failure path, stat->start and stat->pages will refer to the same page. So it'll attempt to free the same page again and get a kernel panic.
Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org

Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Namhyung Kim <namhyung.kim@lge.com>
Cc: stable@vger.kernel.org
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/ftrace.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit c236ac47c432fad0db9ecb6ecafd04b08c06251e
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date: Tue Apr 9 14:16:04 2013 +0800

Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc

can: gw: use kmem_cache_free() instead of kfree()

Memory allocated by kmem_cache_alloc() should be freed using kmem_cache_free(), not kfree().

Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

 net/can/gw.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 6fdd44d115f9c6888d0dd467c534c200c143e3eb
Merge: 382ecea 599997c
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 10 20:29:34 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
 drivers/net/ethernet/broadcom/tg3.c

commit 599997cbbf8ec576f1ad62b2778827d55ddbc20b
Merge: 5dab237 93dfb87
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 10 20:28:44 2013 -0400

Update to pax-linux-3.2.43-test102.patch:
- forward port to 3.2.43
- fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411)

Merge branch 'linux-3.2.y' into pax-stable2

Conflicts:
 security/keys/keyctl.c

commit 382ecea042ea79fd3fa332bd0779db629eb0efab
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date: Fri Apr 5 14:13:21 2013 -0400

Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7

SUNRPC: Fix a potential memory leak in rpc_new_client

If the call to rpciod_up() fails, we currently leak a reference to the struct rpc_xprt.

As part of the fix, we also remove the redundant check for xprt!=NULL. This is already taken care of by the callers.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 net/sunrpc/clnt.c | 7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

commit d0d863b56668a493ac19a760310a2d4deb61365d
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 10 19:16:05 2013 -0400

From https://lkml.org/lkml/2013/4/8/469:
[PATCH] rtnetlink: call nlmsg_parse() with correct header length

 net/core/rtnetlink.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit ef198eb8dac9f1d95677fc4f010a3c8abdc12738
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 10 19:03:45 2013 -0400

Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1

 arch/ia64/kernel/palinfo.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6a986136288577b9e3902d8cc639692e3386edbf
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 10 18:48:45 2013 -0400

Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot

 security/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7eed843ed74774c28c16a0bc2fdb22eba6d7656a
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Apr 9 17:30:45 2013 -0400

some undefined behavior fixups

 grsecurity/gracl.c | 4 ++--
 grsecurity/gracl_ip.c | 10 +++++-----
 grsecurity/gracl_segv.c | 4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

commit 8c27a1f4bb64d955244986e67a638174aff04f5b
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Apr 9 17:28:54 2013 -0400

don't whine about denied ipv6 when it's not enabled

 grsecurity/gracl_ip.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 1d07aafca54b96e1b2ae95d4c3d3e4b45717a3c6
Merge: 37fca32 5dab237
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Apr 9 17:20:20 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 5dab2378fd342ff8660aa55ed9a833b0ea98bff9
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Apr 9 17:19:35 2013 -0400

Update to pax-linux-3.2.42-test102.patch:
- new size overflow plugin from Emese to work around a gcc optimization resulting in an intentional overflow, reported by Carlos Carvalho (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409)

 tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++-
 1 files changed, 66 insertions(+), 2 deletions(-)

commit 37fca32e3fda5f755fa583d2c6e60856fa0f88e8
Merge: 8d5c7f0 356f77d
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Apr 8 21:31:20 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
 arch/sparc/kernel/us3_cpufreq.c
 fs/proc/base.c

commit 356f77d7ff0e77de3427b9c2d937f5aaa83b7337
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Apr 8 21:20:54 2013 -0400

Update to pax-linux-3.2.42-test101.patch:
- fixed some attribute leakage into userland headers, patch by Mathias Krause
- fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger
- fixed ia64/ppc/sparc compilation by spender
- improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for bugreport)

 arch/ia64/include/asm/uaccess.h | 2 -
 arch/powerpc/include/asm/uaccess.h | 2 -
 arch/powerpc/platforms/cell/spufs/file.c | 4 +-
 arch/sparc/include/asm/uaccess.h | 7 ---
 arch/sparc/kernel/prom_common.c | 2 +-
 arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++--------------------
 fs/proc/base.c | 4 +-
 fs/sysfs/bin.c | 6 +-
 include/linux/mm.h | 16 +++---
 mm/memory.c | 24 +++++-----
 mm/nommu.c | 10 ++--
 scripts/headers_install.pl | 1 +
 tools/gcc/structleak_plugin.c | 15 +++---
 13 files changed, 61 insertions(+), 101 deletions(-)

commit 8d5c7f020311362114d3277387ce048b70f9375a
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 7 12:00:50 2013 -0400

fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin

 net/socket.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7546fbf0ac395d1887cef119f9e7e62075bda9d5
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 6 13:22:24 2013 -0400

fix typo

 arch/sparc/kernel/us3_cpufreq.c | 5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit f202ef5319d8fa6378f8c4a88d3b8c44bfdba1f2
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 6 13:16:13 2013 -0400

properly fix cpufreq_driver for ultrasparc III with constification

 arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------
 1 files changed, 17 insertions(+), 18 deletions(-)

commit aa996193316fb0982ddaeee6a1075ed0ea9aec6f
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 6 12:58:48 2013 -0400

mark prom_sparc_ops __initconst

 arch/sparc/kernel/prom_common.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 65426c8d526fc5defac58420208cc1e5971cd173
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 6 12:53:16 2013 -0400

fix ia64/powerpc/sparc compilation

 arch/ia64/include/asm/uaccess.h | 2 --
 arch/powerpc/include/asm/uaccess.h | 2 --
 arch/sparc/include/asm/uaccess.h | 7 -------
 3 files changed, 0 insertions(+), 11 deletions(-)

commit 3d91c631538e8555f4a0635ce700f97948502c3e
Author: Gao feng <gaofeng@cn.fujitsu.com>
Date: Thu Mar 21 19:48:41 2013 +0000

Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe

netfilter: reset nf_trace in nf_reset

We forgot to clear the nf_trace of sk_buff in nf_reset. When we use a veth device, this nf_trace information will be leaked from one net namespace to another net namespace.
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 include/linux/skbuff.h | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit fa6be64c855d765934f77fb718ca53ad48f85763
Author: Veaceslav Falico <vfalico@redhat.com>
Date: Wed Apr 3 05:46:33 2013 +0000

Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d

bonding: remove sysfs before removing devices

We have a race condition if we try to rmmod bonding and simultaneously add a bond master through sysfs. In bonding_exit() we first remove the devices (through rtnl_link_unregister() ) and only after that we remove the sysfs. If we manage to add a device through sysfs after that the devices were removed - we'll end up with that device/sysfs structure and with the module unloaded.

Fix this by first removing the sysfs and only after that calling rtnl_link_unregister().

Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/bonding/bond_main.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit fc39b6e20764dadc51e037953604c55e4e79221c
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Wed Apr 3 16:13:35 2013 +0000

Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1

Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"

This reverts commit 14134f6584212d585b310ce95428014b653dfaf6.

The problem that the above patch was meant to address is that af_unix messages are not being coalesced because we are sending unnecessary credentials. Not sending credentials in maybe_add_creds totally breaks unconnected unix domain sockets that wish to send credentials to other sockets.

In practice this breaks some versions of udev because they receive a message and the sending uid is bogus so they drop the message.

Reported-by: Sven Joachim <svenjoac@gmx.de>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 7a5df42472eb5c890fdedec7e908d900056f5e07
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Wed Apr 3 16:14:47 2013 +0000

Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2

af_unix: If we don't care about credentials coalesce all messages

It was reported that the following LSB test case failed https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we were not coalescing unix stream messages when the application was expecting us to.

The problem was that the first send was before the socket was accepted and thus sock->sk_socket was NULL in maybe_add_creds, and the second send after the socket was accepted had a non-NULL value for sk->socket and thus we could tell the credentials were not needed so we did not bother.

The unnecessary credentials on the first message cause unix_stream_recvmsg to start verifying that all messages had the same credentials before coalescing and then the coalescing failed because the second message had no credentials.

Ignoring credentials when we don't care in unix_stream_recvmsg fixes a long standing pessimization which would fail to coalesce messages when reading from a unix stream socket if the senders were different even if we did not care about their credentials.

I have tested this and verified that in the LSB test case mentioned above the messages do coalesce now, while they were failing to coalesce without this change.

Reported-by: Karel Srot <ksrot@redhat.com>
Reported-by: Ding Tianhong <dingtianhong@huawei.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6b3784b0882efc88d2c1288172b0f7026520a207
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date: Wed Mar 20 21:31:42 2013 +0000

Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e

lantiq_etop: use free_netdev(netdev) instead of kfree()

Freeing netdev without free_netdev() leads to net, tx leaks. And it may lead to dereferencing freed pointer.

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/lantiq_etop.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit da949a89aafce8033dfaf7426d3bf8c7086d82e9
Author: Paul Moore <pmoore@redhat.com>
Date: Mon Mar 25 03:18:33 2013 +0000

Upstream commit: ded34e0fe8fe8c2d595bfa30626654e4b87621e0

unix: fix a race condition in unix_release()

As reported by Jan, and others over the past few years, there is a race condition caused by unix_release setting the sock->sk pointer to NULL before properly marking the socket as dead/orphaned. This can cause a problem with the LSM hook security_unix_may_send() if there is another socket attempting to write to this partially released socket in between when sock->sk is set to NULL and it is marked as dead/orphaned.

This patch fixes this by only setting sock->sk to NULL after the socket has been marked as dead; I also take the opportunity to make unix_release_sock() a void function as it only ever returned 0/success.

Dave, I think this one should go on the -stable pile.

Special thanks to Jan for coming up with a reproducer for this problem.

Reported-by: Jan Stancek <jan.stancek@gmail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c | 7 +++----
 1 files changed, 3 insertions(+), 4 deletions(-)

commit 93cd5f6a0d0b0804b743ca39b1a2bc467c6dbec5
Author: dingtianhong <dingtianhong@huawei.com>
Date: Mon Mar 25 17:02:04 2013 +0000

Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6

af_unix: dont send SCM_CREDENTIAL when dest socket is NULL

SCM_SCREDENTIALS should apply to write() syscalls only either source or destination socket asserted SOCK_PASSCRED. The original implementation in maybe_add_creds is wrong, and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom).

Originally-authored-by: Karel Srot <ksrot@redhat.com>
Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit ae76e7e59f8e4fbb589a56922d3e253dde5d92e8
Author: Josef Bacik <jbacik@fusionio.com>
Date: Fri Mar 29 08:09:34 2013 -0600

Upstream commit: d8fe29e9dea8d7d61fd140d8779326856478fc62

Btrfs: don't drop path when printing out tree errors in scrub

A user reported a panic where we were panicking somewhere in tree_backref_for_extent from scrub_print_warning. He only captured the trace but looking at scrub_print_warning we drop the path right before we mess with the extent buffer to print out a bunch of stuff, which isn't right. So fix this by dropping the path after we use the eb if we need to.
Thanks, Cc: stable@vger.kernel.org Signed-off-by: Josef Bacik <jbacik@fusionio.com> Signed-off-by: Chris Mason <chris.mason@fusionio.com> fs/btrfs/scrub.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 286d305aa7cedb85d0f203fbed2239453c1d0b8a Author: Jan Kara <jack@suse.cz> Date: Fri Mar 29 15:39:16 2013 +0100 Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6 reiserfs: Fix warning and inode leak when deleting inode with xattrs After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs started failing to delete xattrs from inode. This was due to a buggy test for '.' and '..' in fill_with_dentries() which resulted in passing '.' and '..' entries to lookup_one_len() in some cases. That returned error and so we failed to iterate over all xattrs of and inode. Fix the test in fill_with_dentries() along the lines of the one in lookup_one_len(). Reported-by: Pawel Zawora <pzawora@gmail.com> CC: stable@vger.kernel.org Signed-off-by: Jan Kara <jack@suse.cz> fs/reiserfs/xattr.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 0b8487a7c1cbf9dcdab5e4d5e2817226bd28f5f2 Author: Jan Stancek <jstancek@redhat.com> Date: Thu Apr 4 11:35:10 2013 -0700 Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c mm: prevent mmap_cache race in find_vma() find_vma() can be called by multiple threads with read lock held on mm->mmap_sem and any of them can update mm->mmap_cache. Prevent compiler from re-fetching mm->mmap_cache, because other readers could update it in the meantime: thread 1 thread 2 | find_vma() | find_vma() struct vm_area_struct *vma = NULL; | vma = mm->mmap_cache; | if (!(vma && vma->vm_end > addr | && vma->vm_start <= addr)) { | | mm->mmap_cache = vma; return vma; | ^^ compiler may optimize this | local variable out and re-read | mm->mmap_cache | This issue can be reproduced with gcc-4.8.0-1 on s390x by running mallocstress testcase from LTP, which triggers: kernel BUG at mm/rmap.c:1088! 
Call Trace: ([<000003d100c57000>] 0x3d100c57000) [<000000000023a1c0>] do_wp_page+0x2fc/0xa88 [<000000000023baae>] handle_pte_fault+0x41a/0xac8 [<000000000023d832>] handle_mm_fault+0x17a/0x268 [<000000000060507a>] do_protection_exception+0x1e2/0x394 [<0000000000603a04>] pgm_check_handler+0x138/0x13c [<000003fffcf1f07a>] 0x3fffcf1f07a Last Breaking-Event-Address: [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168 Thanks to Jakub Jelinek for his insight on gcc and helping to track this down. Signed-off-by: Jan Stancek <jstancek@redhat.com> Acked-by: David Rientjes <rientjes@google.com> Signed-off-by: Hugh Dickins <hughd@google.com> Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Conflicts: mm/mmap.c mm/mmap.c | 2 +- mm/nommu.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit c5bc94bf305480ce97b24a43526e0557995902b9 Merge: 1394e00 0901c74 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Apr 3 22:08:05 2013 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit 0901c7450d23a25abc48fb228d6dfbbb2f62dbab Author: Brad Spengler <spender@grsecurity.net> Date: Wed Apr 3 22:07:33 2013 -0400 Update to pax-linux-3.2.42-test100.patch: - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391) - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394) - fixed arm compilation (http://forums.grsecurity.net/viewtopic.php?f=3&t=3395) arch/arm/mm/fault.c | 27 +++++++++++++++++++++++++++ drivers/media/video/cx88/cx88-video.c | 6 +++--- include/net/net_namespace.h | 4 ++++ 3 files changed, 34 insertions(+), 3 deletions(-) commit 1394e00fc64734987bbc62960b4f7823cffa13af Author: Brad Spengler <spender@grsecurity.net> Date: Tue Apr 2 19:50:32 2013 -0400 fix compilation as reported on forums for gcc versions lacking plugin support include/net/net_namespace.h | 4 ++++ 1 files 
changed, 4 insertions(+), 0 deletions(-) commit 4af9aacb49432a1a7451c9907ccfb21d6c56fe07 Merge: a92e4b1 aa5bf79 Author: Brad Spengler <spender@grsecurity.net> Date: Tue Apr 2 17:44:58 2013 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit aa5bf792226a1c147b2a2a29d793cea72bc5a48d Author: Brad Spengler <spender@grsecurity.net> Date: Tue Apr 2 17:44:24 2013 -0400 Update to pax-linux-3.2.42-test99.patch: - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table arch/x86/include/asm/uaccess_64.h | 6 +- include/linux/crash_dump.h | 2 +- include/linux/kvm_host.h | 14 +++--- include/linux/moduleloader.h | 4 +- include/linux/oprofile.h | 2 +- include/linux/slab.h | 4 +- include/linux/slab_def.h | 1 - include/linux/slub_def.h | 1 - include/linux/vmalloc.h | 18 ++++---- tools/gcc/size_overflow_hash.data | 78 ++++++++++++++++++++++--------------- 10 files changed, 71 insertions(+), 59 deletions(-) commit a92e4b1ba8153d62b09df899b395ac96f5165537 Author: Brad Spengler <spender@grsecurity.net> Date: Tue Apr 2 17:35:06 2013 -0400 remove duplicate compiler.h include/linux/sysrq.h | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 06aa205d77be1ba3218b623089a67092c7c3bf2f Author: Brad Spengler <spender@grsecurity.net> Date: Fri Mar 29 19:53:50 2013 -0400 fix intentional_overflow marking on sys_sendto include/linux/syscalls.h | 2 +- net/socket.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 864a4bf49ef8af21d9646eb46fa259b0ea8edd2a Merge: ffb25c6 fa39c2b Author: Brad Spengler <spender@grsecurity.net> Date: Fri Mar 29 18:53:18 2013 -0400 Merge branch 'pax-stable2' into grsec-stable2 Conflicts: net/ipv4/route.c commit fa39c2bb733c65011a252e6343994005258f5264 Author: Brad Spengler <spender@grsecurity.net> Date: Fri Mar 29 18:52:37 2013 -0400 Update to pax-linux-3.2.42-test98.patch: - fixed __net_initdata and CONSTIFY problems reported by spender drivers/net/loopback.c | 2 +- fs/proc/proc_net.c | 2 +- 
 include/linux/netdevice.h | 2 +-
 net/core/dev.c | 6 +++---
 net/core/dev_addr_lists.c | 2 +-
 net/core/sock.c | 2 +-
 net/ipv4/af_inet.c | 2 +-
 net/ipv4/devinet.c | 2 +-
 net/ipv4/icmp.c | 2 +-
 net/ipv4/proc.c | 2 +-
 net/ipv4/raw.c | 2 +-
 net/ipv4/route.c | 6 +++---
 net/ipv4/sysctl_net_ipv4.c | 2 +-
 net/ipv4/tcp_ipv4.c | 2 +-
 net/netlink/af_netlink.c | 2 +-
 net/xfrm/xfrm_policy.c | 2 +-
 16 files changed, 20 insertions(+), 20 deletions(-)

commit ffb25c6cd202919ea46af10acb85b069a5f1dd6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 18:46:16 2013 -0400

    fix size_overflow false positive

 kernel/futex_compat.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b9ccef107c6da2de4e75044984c57de041a91471
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:05:39 2013 -0400

    Another infoleak, up to 128 bytes on the stack in __sys_recvmsg
    takes user-provided length, copies up to that amount in a sockaddr_storage
    struct on the stack, then takes an upper-bounded-only user-provided length
    and copies the sockaddr_storage struct back out to userland, complete with
    uninitialized data

 net/socket.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ae3c6b6fbcebf9d29694580cd95bd9a9a710dad4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 23:15:12 2013 -0400

    fix pernet_operations markings

 net/ipv4/route.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f3639a30adc8548d8e8352c8ef9980f2eedace9e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 23:07:37 2013 -0400

    return a proper error, otherwise we could be accessing uninitialized data
    (previous define was a positive value)

 drivers/usb/storage/realtek_cr.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ada97e7d2617a175f83edc12764cffbd2b45746b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:53:22 2013 -0400

    Enable structleak by default for the security auto-config

 security/Kconfig | 11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 884998737aec3b865a0fe79a98780bf0bf50a1cf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 22:36:07 2013 -0400

    make ip_rt_proc_ops initconst

 net/ipv4/route.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 70f5444e47818a5d702daca9afa2989b108fe1cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 22:23:03 2013 -0400

    Add constify config option

 Makefile | 4 +---
 security/Kconfig | 20 +++++++++++++++++++-
 tools/gcc/Makefile | 2 +-
 3 files changed, 21 insertions(+), 5 deletions(-)

commit ea74e8e15ed91aff8b005a5cc28611d38c6edeaa
Merge: f590e76 75e5da5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 22:15:16 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        drivers/gpu/drm/i915/i915_gem_execbuffer.c
        fs/binfmt_elf.c
        fs/proc/base.c
        include/linux/mm.h
        kernel/fork.c
        mm/mmap.c
        mm/page_alloc.c

commit 75e5da5d09ca25aec80454c33297b110e6dc53dd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 22:08:32 2013 -0400

    Update to pax-linux-3.2.42-test97.patch:
    - fixed kprobes problem under KERNEXEC/i386, reported by Emese Revfy
    - fixed arm compilation problems reported by Michael Tremer
    - the constify plugin got smarter, which enabled, with some additional patching, the elimination of about half the static function pointers on amd64/allmod (up from about 18%), depending on the kernel config it can be even more (70%)
    - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339)
    - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot
    - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268)
    - changed debian packager rules to include the compiler plugins, from Tyler Coumbes <coumbes@gmail.com>
    - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956)
    - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values and more type casts as well. This found the above-mentioned sa_restorer leak and would have protected against CVE-2013-0913.
    - added a small sanity check to kfree (spender's idea)
    - fixed a size overflow false positive (well, not really, it's bad zlib code) reported by slashbeast on irc
    - fixed ptrace compat bug found by the size overflow plugin
    - fixed perf compilation reported by Michael Tremer
    - fixed USERCOPY reports triggered by SCTP, reported by Marc Schiffbauer (https://bugzilla.redhat.com/show_bug.cgi?id=919315#c11)
    - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722)
    - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland

 Documentation/dontdiff | 2 +
 Documentation/kernel-parameters.txt | 5 +
 Makefile | 5 +-
 arch/arm/include/asm/cache.h | 2 +
 arch/arm/include/asm/pgalloc.h | 1 +
 arch/ia64/kernel/perfmon.c | 1 -
 arch/x86/include/asm/compat.h | 2 +-
 arch/x86/include/asm/desc.h | 2 +-
 arch/x86/include/asm/div64.h | 2 +-
 arch/x86/include/asm/i8259.h | 2 +-
 arch/x86/include/asm/io.h | 8 +-
 arch/x86/include/asm/paravirt.h | 2 +-
 arch/x86/include/asm/x86_init.h | 2 +-
 arch/x86/kernel/acpi/boot.c | 4 +-
 arch/x86/kernel/apic/apic_noop.c | 2 +-
 arch/x86/kernel/apic/es7000_32.c | 2 +-
 arch/x86/kernel/apic/io_apic.c | 11 +-
 arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
 arch/x86/kernel/i8259.c | 6 +-
 arch/x86/kernel/io_delay.c | 2 +-
 arch/x86/kernel/kprobes.c | 4 +-
 arch/x86/kernel/nmi.c | 6 +-
 arch/x86/kernel/setup_percpu.c | 2 +-
 arch/x86/kernel/sys_i386_32.c | 5 +-
 arch/x86/mm/fault.c | 9 +-
 arch/x86/mm/ioremap.c | 3 +
 arch/x86/mm/numa.c | 2 +-
 arch/x86/mm/physaddr.c | 4 +-
 arch/x86/oprofile/nmi_int.c | 8 +-
 arch/x86/oprofile/op_model_amd.c | 8 +-
 arch/x86/oprofile/op_model_ppro.c | 7
+- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/irq.c | 8 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/base/node.c | 2 +- drivers/base/syscore.c | 4 +- drivers/block/drbd/drbd_receiver.c | 4 +- drivers/char/random.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 18 +- drivers/cpufreq/cpufreq.c | 7 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/powernow-k8.c | 7 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/edac/edac_pci_sysfs.c | 2 +- drivers/firewire/core-device.c | 2 +- drivers/firmware/dmi-id.c | 2 +- drivers/firmware/efivars.c | 4 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpu/drm/drm_drv.c | 2 +- drivers/gpu/drm/drm_ioc32.c | 9 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/intel_display.c | 2 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/nouveau/nouveau_drv.h | 2 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +- drivers/gpu/drm/radeon/radeon_ring.c | 14 +- drivers/gpu/drm/radeon/radeon_ttm.c | 23 +- drivers/hwmon/acpi_power_meter.c | 6 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/input/mouse/psmouse.h | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/page_tables.c | 2 +- drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/macvlan.c | 16 +- 
drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa.h | 2 +- drivers/staging/iio/industrialio-core.c | 2 +- drivers/usb/core/message.c | 2 +- drivers/usb/gadget/file_storage.c | 14 +- drivers/usb/storage/usb.h | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 4 +- drivers/video/uvesafb.c | 14 +- drivers/video/vesafb.c | 7 +- fs/befs/endian.h | 4 +- fs/binfmt_elf.c | 17 +- fs/exec.c | 10 +- fs/ext4/super.c | 2 +- fs/jfs/super.c | 4 +- fs/nfs/callback_xdr.c | 2 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/proc/base.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/ufs/swab.h | 4 +- include/drm/drmP.h | 12 +- include/linux/atmdev.h | 2 +- include/linux/binfmts.h | 2 +- include/linux/byteorder/little_endian.h | 4 +- include/linux/compat.h | 4 +- include/linux/compiler.h | 41 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/ctype.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 3 +- include/linux/err.h | 4 +- include/linux/fb.h | 2 +- include/linux/fscache.h | 2 +- include/linux/hwmon-sysfs.h | 5 +- 
include/linux/irq.h | 2 +- include/linux/key-type.h | 2 +- include/linux/kobject.h | 1 + include/linux/kobject_ns.h | 2 +- include/linux/list.h | 14 +- include/linux/math64.h | 6 +- include/linux/mm.h | 6 + include/linux/mm_types.h | 2 +- include/linux/mod_devicetable.h | 2 +- include/linux/module.h | 5 +- include/linux/net.h | 2 +- include/linux/netfilter.h | 2 +- include/linux/nls.h | 2 +- include/linux/pci_hotplug.h | 3 +- include/linux/pnp.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/proc_fs.h | 2 +- include/linux/rculist.h | 16 + include/linux/sched.h | 4 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swab.h | 6 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysdev.h | 2 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 1 + include/linux/unaligned/access_ok.h | 12 +- include/linux/usb.h | 2 +- include/linux/xattr.h | 2 +- include/linux/zlib.h | 3 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/genetlink.h | 2 +- include/net/ip.h | 2 +- include/net/ip_vs.h | 4 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/net_namespace.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/xfrm.h | 4 +- init/main.c | 12 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 4 +- kernel/fork.c | 4 +- kernel/kmod.c | 2 +- kernel/ksysfs.c | 2 +- kernel/module.c | 4 +- kernel/ptrace.c | 2 +- kernel/sched.c | 49 +- kernel/sysctl.c | 11 +- kernel/time.c | 2 +- kernel/timer.c | 2 +- kernel/utsname_sysctl.c | 2 +- lib/Kconfig.debug | 6 +- lib/div64.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 53 +- mm/hugetlb.c | 16 +- mm/memory-failure.c | 2 +- mm/mmap.c | 20 +- mm/mremap.c | 2 - mm/page-writeback.c | 2 +- 
mm/page_alloc.c | 27 + mm/slab.c | 1 + mm/slob.c | 1 + mm/slub.c | 3 +- net/9p/mod.c | 4 +- net/ax25/sysctl_net_ax25.c | 4 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 11 +- net/core/sock.c | 4 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/ipv4/af_inet.c | 8 +- net/ipv4/devinet.c | 14 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/ip_fragment.c | 13 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/route.c | 19 +- net/ipv4/sysctl_net_ipv4.c | 36 +- net/ipv6/icmp.c | 2 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_ctl.c | 4 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netlink/genetlink.c | 16 +- net/phonet/sysctl.c | 2 +- net/rds/rds.h | 2 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 19 +- net/socket.c | 2 + net/sunrpc/clnt.c | 4 +- net/sunrpc/svc.c | 4 +- net/unix/sysctl_net_unix.c | 2 +- net/xfrm/xfrm_policy.c | 11 +- net/xfrm/xfrm_state.c | 29 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/package/builddeb | 1 + security/Kconfig | 21 + security/apparmor/lsm.c | 2 +- security/keys/key.c | 10 +- tools/gcc/Makefile | 6 +- tools/gcc/constify_plugin.c | 305 +- tools/gcc/latent_entropy_plugin.c | 14 +- tools/gcc/size_overflow_hash.data | 7594 ++++++++++++++++------------ tools/gcc/size_overflow_plugin.c | 1077 +++-- tools/gcc/structleak_plugin.c | 270 + tools/perf/util/include/linux/compiler.h | 8 + 275 files changed, 6519 insertions(+), 4314 deletions(-) commit 16dde5ac06cdc2f92734f3a8d321084c8c2dbb7e Merge: 79ba6d7 d27ba55 
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 22:05:44 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        drivers/firmware/efivars.c
        drivers/gpu/drm/i915/i915_gem_execbuffer.c

commit f590e7677834e93dd899daf30b8e6dc9380b5d75
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:02:40 2013 -0400

    Fix 8-byte stack infoleak in ia32_rt_sigpending
    User controls length, kernel only performs check on the upper bound,
    will fill in any amount less than sizeof(sigset_t) via a copy_to_user
    under KERNEL_DS in sys_rt_sigpending, then will copy the full size of
    compat_sigset_t regardless of whether the sigset_t content copied into
    it has been initialized or not

 arch/x86/ia32/sys_ia32.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9ac8b20f9a8f5065a0c6e2285a1c5c5b541b8dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 26 21:11:47 2013 -0400

    From: Tomas Hozza <thozza@redhat.com>

    commit 95a69adab9acfc3981c504737a2b6578e4d846ef upstream.

    The source code without this patch caused hypervkvpd to exit when it
    processed a spoofed Netlink packet which has been sent from an
    untrusted local user. Now Netlink messages with a non-zero nl_pid
    source address are ignored and a warning is printed into the syslog.

    Signed-off-by: Tomas Hozza <thozza@redhat.com>
    Acked-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

 tools/hv/hv_kvp_daemon.c | 8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit 18d804b7b4b6f2cf9c2654339ee99f45b2a77125
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 26 21:05:05 2013 -0400

    commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576
    Author: J. Bruce Fields <bfields@redhat.com>
    Date:   Tue Mar 26 14:11:13 2013 -0400

        nfsd4: reject "negative" acl lengths

        Since we only enforce an upper bound, not a lower bound, a
        "negative" length can get through here.

        The symptom seen was a warning when we attempt a kmalloc with an
        excessive size.

        Reported-by: Toralf Förster <toralf.foerster@gmx.de>
        Signed-off-by: J. Bruce Fields <bfields@redhat.com>

 fs/nfsd/nfs4xdr.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 956c74cf59df8cf405fff11eb71c7e0f015d78fd
Author: Jeff Layton <jlayton@redhat.com>
Date:   Mon Mar 11 09:52:19 2013 -0400

    Upstream commit: f853c616883a8de966873a1dab283f1369e275a1

    cifs: ignore everything in SPNEGO blob after mechTypes

    We've had several reports of people attempting to mount Windows 8 shares
    and getting failures with a return code of -EINVAL. The default sec= mode
    changed recently to sec=ntlmssp. With that, we expect and parse a SPNEGO
    blob from the server in the NEGOTIATE reply.

    The current decode_negTokenInit function first parses all of the
    mechTypes and then tries to parse the rest of the negTokenInit reply.
    The parser however currently expects a mechListMIC or nothing to follow
    the mechTypes, but Windows 8 puts a mechToken field there instead to
    carry some info for the new NegoEx stuff.

    In practice, we don't do anything with the fields after the mechTypes
    anyway so I don't see any real benefit in continuing to parse them.
    This patch just has the kernel ignore the fields after the mechTypes.
    We'll probably need to reinstate some of this if we ever want to
    support NegoEx.
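The __sys_recvmsg and ia32_rt_sigpending fixes above are the same defect class: a stack structure is only partially filled from a user-supplied length and then copied back to userland in full. The following is an added illustration, not code from either commit; it models the kernel stack slot as a caller-supplied buffer pre-filled with a marker byte so the stale bytes are visible deterministically, uses the 128-byte size the recvmsg commit quotes for sockaddr_storage, and shows one fix shape (zeroing the structure before the partial fill). All names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Model of struct sockaddr_storage: 128 bytes, the size quoted in the commit. */
#define SOCKADDR_STORAGE_LEN 128
#define STALE_BYTE 0xAA   /* marker standing in for leftover kernel stack data */

/*
 * Model of the defective path (hypothetical names): the address structure
 * lives in a "stack slot" supplied by the caller so it can be pre-filled with
 * STALE_BYTE; addr_len bytes of user data are copied in, then the structure is
 * copied back out up to out_len, which is only bounded from above.
 * Returns the number of bytes written to out, or -1 for a rejected length.
 */
static int recvmsg_addr_leaky(uint8_t *stack_slot, const uint8_t *user_addr,
                              size_t addr_len, uint8_t *out, size_t out_len)
{
    if (addr_len > SOCKADDR_STORAGE_LEN || out_len > SOCKADDR_STORAGE_LEN)
        return -1;
    /* no clearing of the slot: bytes [addr_len, out_len) keep stale content */
    memcpy(stack_slot, user_addr, addr_len);          /* stands in for copy_from_user */
    memcpy(out, stack_slot, out_len);                  /* stands in for copy_to_user */
    return (int)out_len;
}

/* Hardened variant: the slot is zeroed before any partial fill. */
static int recvmsg_addr_fixed(uint8_t *stack_slot, const uint8_t *user_addr,
                              size_t addr_len, uint8_t *out, size_t out_len)
{
    if (addr_len > SOCKADDR_STORAGE_LEN || out_len > SOCKADDR_STORAGE_LEN)
        return -1;
    memset(stack_slot, 0, SOCKADDR_STORAGE_LEN);      /* the added initialisation */
    memcpy(stack_slot, user_addr, addr_len);
    memcpy(out, stack_slot, out_len);
    return (int)out_len;
}

/* Count bytes in out[addr_len, out_len) that still carry the stale marker. */
static size_t count_stale(const uint8_t *out, size_t addr_len, size_t out_len)
{
    size_t n = 0;
    for (size_t i = addr_len; i < out_len; i++)
        if (out[i] == STALE_BYTE)
            n++;
    return n;
}

/*
 * One constructed scenario: the user supplies a 16-byte address and asks for
 * the full 128 bytes back. Returns how many stale bytes reached the "user"
 * buffer: 112 for the leaky path, 0 for the fixed one.
 */
static size_t leaked_bytes(int use_fixed)
{
    uint8_t slot[SOCKADDR_STORAGE_LEN];
    uint8_t user_addr[16];                 /* constructed sample input */
    uint8_t out[SOCKADDR_STORAGE_LEN];
    memset(slot, STALE_BYTE, sizeof(slot));
    memset(user_addr, 0x11, sizeof(user_addr));
    memset(out, 0, sizeof(out));
    int n = use_fixed
        ? recvmsg_addr_fixed(slot, user_addr, sizeof(user_addr), out, sizeof(out))
        : recvmsg_addr_leaky(slot, user_addr, sizeof(user_addr), out, sizeof(out));
    if (n < 0)
        return 0;
    return count_stale(out, sizeof(user_addr), (size_t)n);
}
```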
    Reported-by: Jason Burgess <jason@jacknife2.dns2go.com>
    Reported-by: Yan Li <elliot.li.tech@gmail.com>
    Signed-off-by: Jeff Layton <jlayton@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Steve French <sfrench@us.ibm.com>

 fs/cifs/asn1.c | 53 +++++------------------------------------------
 1 files changed, 5 insertions(+), 48 deletions(-)

commit 543c7402503dffa283406e2cbf2ea716cbb07253
Merge: b95a056 79ba6d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:12:56 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        crypto/crypto_user.c
        crypto/pcompress.c
        drivers/connector/cn_proc.c
        security/keys/compat.c

commit 79ba6d79761c610e4b0cb5fdb2de8a5161be554c
Merge: bbe3291 1c08ea4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:11:26 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        drivers/gpu/drm/i915/intel_display.c
        security/keys/compat.c

commit b95a0563ea160cdd78bbc53af33dc4ccf80beeef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 16:48:34 2013 -0400

    From: Al Viro <viro@ZenIV.linux.org.uk>
    To: Brad Spengler <spender@grsecurity.net>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>

    Umm... I see what you are describing, and AFAICS you are correct; let me
    see if I am misreading your analysis:
    * vfsmount_lock may act fair; A holding it shared, with B spinning on
      attempt to take it exclusive may lead to C spinning on attempt to take
      it shared.
    * path_is_under() tries to get rename_lock while holding vfsmount_lock shared.
    * d_path() et.al. try to take vfsmount_lock shared, while holding rename_lock.

    All true and yes, it's a bug (I'd probably classify it as a livelock, but
    that doesn't make any real difference). There are three possible
    solutions, AFAICS:
    1) two-liner in path_is_under() replacing the use of vfsmount_lock with
       that of namespace_sem; trivial, but results in function unexpectedly
       blocking. The current callers are fine with that, but it's a trouble
       waiting to happen.
    2) replace write_seqlock() in prepend_path() callers with
       read_seqbegin/read_seqretry loops; bigger and more brittle, since
       unlike is_subdir() we need more than just ->d_parent not pointing to
       something freed - we also care about ->d_name.len being in sync with
       ->d_name.name. It probably can be worked around, but...
    3) declare that rename_lock nests inside vfsmount_lock and let the
       callers of prepend_path() take vfsmount_lock(). I'd probably prefer
       that one...

    Nest rename_lock inside vfsmount_lock

    ... lest we get livelocks between path_is_under() and d_path() and friends.

    [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in
      reproducing the issue ]

    Spotted-by: Brad Spengler <spender@grsecurity.net>
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

    Conflicts:
        fs/dcache.c
        grsecurity/gracl.c

 fs/dcache.c | 16 +++++++++++-----
 grsecurity/gracl.c | 20 ++++++++++----------
 2 files changed, 21 insertions(+), 15 deletions(-)

commit 479616d267a2af603d698c8704b191a663cff0f6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:15:50 2013 -0400

    oded 0day #1
    http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 18

 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0b770a3bb12adcff9a330daa019a2dacb26aab30
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:50:13 2013 -0400

    oded 0day #2
    http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 20

 drivers/net/ethernet/broadcom/tg3.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 9e358e315cb3b4280389e3d045b2e97dbd9f21d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 17:53:09 2013 -0400

    fix recent RLIMIT_AS changes (due to vm_flags typo)

 fs/binfmt_elf.c | 2 +-
 include/linux/mm.h | 1 -
 mm/mmap.c | 2 +-
 3 files changed, 2 insertions(+), 3 deletions(-)

commit 3b058d90a277f551c08ce6352e65b1b32104cafe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 17:10:38 2013 -0400

    complete_walk drops rcu-walk mode, no need for our own dropping method
    outside of generic_permission

 fs/namei.c | 30 ------------------------------
 1 files changed, 0 insertions(+), 30 deletions(-)

commit dd1a624c086ad516b39b84821df41e42821476c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 22:44:55 2013 -0400

    remove VM_ACCOUNT from backport

 mm/mmap.c | 2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit e3bf3f15b4c2ce6eccfdc3f84ea8254194a48497
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 23:01:57 2013 -0400

    backport VM_NONE, use VM_RESERVED and don't account it

 fs/binfmt_elf.c | 2 +-
 include/linux/mm.h | 1 +
 mm/mmap.c | 3 +++
 3 files changed, 5 insertions(+), 1 deletions(-)

commit 5594ae92569b13b99b20d8fe4ea7f10d6172cc76
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 22:32:39 2013 -0400

    backport aslr_gap changes from 3.8

 fs/binfmt_elf.c | 17 ++++++++---------
 fs/exec.c | 7 ++-----
 include/linux/compat.h | 2 +-
 include/linux/mm.h | 4 ++++
 include/linux/mm_types.h | 2 +-
 kernel/ptrace.c | 2 +-
 mm/mmap.c | 15 ++++++++++-----
 7 files changed, 27 insertions(+), 22 deletions(-)

commit 9df2d0dad98873d1ee2831b42924d7e2390b0c39
Author: Huang Shijie <shijie8@gmail.com>
Date:   Tue Jul 31 16:41:49 2012 -0700

    mm: account the total_vm in the vm_stat_account()

    vm_stat_account() accounts the shared_vm, stack_vm and reserved_vm now.
    But we can also account for total_vm in the vm_stat_account() which makes
    the code tidy.

    Even for mprotect_fixup(), we can get the right result in the end.
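An added illustration of the ordering problem Al Viro's message above (commit b95a0563) describes, not code from that commit: a small lock-order graph records which lock was taken while another was held and reports any cycle. Lock names come from the message; the checker itself and all function names are hypothetical, and it deliberately ignores the shared/exclusive distinction because the message explains that a fair vfsmount_lock with a waiting writer makes even shared-inside-shared nesting block.

```c
#include <stdbool.h>
#include <string.h>

/* Locks named in the commit message. */
enum lock_id { VFSMOUNT_LOCK = 0, RENAME_LOCK = 1, NAMESPACE_SEM = 2, NLOCKS };

/* edge[a][b] is set once some code path took lock b while holding lock a. */
struct lock_order { bool edge[NLOCKS][NLOCKS]; };

static void record_nesting(struct lock_order *lo, enum lock_id held, enum lock_id taken)
{
    lo->edge[held][taken] = true;
}

/* Depth-first search for a cycle reachable from node. */
static bool dfs(const struct lock_order *lo, int node, bool *on_path, bool *done)
{
    on_path[node] = true;
    for (int next = 0; next < NLOCKS; next++) {
        if (!lo->edge[node][next])
            continue;
        if (on_path[next])
            return true;                       /* back edge: ordering inversion */
        if (!done[next] && dfs(lo, next, on_path, done))
            return true;
    }
    on_path[node] = false;
    done[node] = true;
    return false;
}

/* True if the recorded nestings contain a cycle, i.e. no global lock order exists. */
static bool has_inversion(const struct lock_order *lo)
{
    bool on_path[NLOCKS] = {0}, done[NLOCKS] = {0};
    for (int i = 0; i < NLOCKS; i++)
        if (!done[i] && dfs(lo, i, on_path, done))
            return true;
    return false;
}

/* The situation described: path_is_under() nests rename_lock inside
 * vfsmount_lock, while d_path() and friends nest vfsmount_lock inside rename_lock. */
static bool buggy_ordering_has_inversion(void)
{
    struct lock_order lo;
    memset(&lo, 0, sizeof(lo));
    record_nesting(&lo, VFSMOUNT_LOCK, RENAME_LOCK);  /* path_is_under() */
    record_nesting(&lo, RENAME_LOCK, VFSMOUNT_LOCK);  /* d_path() via prepend_path() */
    return has_inversion(&lo);
}

/* Option 3 from the message: rename_lock nests inside vfsmount_lock, so the
 * prepend_path() callers take vfsmount_lock first and both paths agree. */
static bool fixed_ordering_has_inversion(void)
{
    struct lock_order lo;
    memset(&lo, 0, sizeof(lo));
    record_nesting(&lo, VFSMOUNT_LOCK, RENAME_LOCK);  /* path_is_under() */
    record_nesting(&lo, VFSMOUNT_LOCK, RENAME_LOCK);  /* d_path() after the change */
    return has_inversion(&lo);
}

/* Option 1 for comparison: path_is_under() uses namespace_sem instead, which
 * removes the vfsmount_lock -> rename_lock edge entirely. */
static bool option1_ordering_has_inversion(void)
{
    struct lock_order lo;
    memset(&lo, 0, sizeof(lo));
    record_nesting(&lo, NAMESPACE_SEM, RENAME_LOCK);   /* path_is_under() */
    record_nesting(&lo, RENAME_LOCK, VFSMOUNT_LOCK);   /* d_path() unchanged */
    return has_inversion(&lo);
}
```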
    Signed-off-by: Huang Shijie <shijie8@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Conflicts:
        mm/mmap.c

 arch/ia64/kernel/perfmon.c | 1 -
 include/linux/mm.h | 1 +
 kernel/fork.c | 4 +---
 mm/mmap.c | 7 ++++---
 mm/mremap.c | 2 --
 5 files changed, 6 insertions(+), 9 deletions(-)

commit 685d5e7a9759b6a3718a9ea545295325fe609802
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 23:32:25 2013 -0400

    From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001
    From: Kees Cook <keescook@chromium.org>
    Date: Sun, 10 Mar 2013 20:09:31 +0000
    Subject: drm/i915: bounds check execbuffer relocation count

    It is possible to wrap the counter used to allocate the buffer for
    relocation copies. This could lead to heap writing overflows.

    CVE-2013-0913

    Signed-off-by: Kees Cook <keescook@chromium.org>
    Reported-by: Pinkie Pie
    Cc: stable@vger.kernel.org

 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 13 +++++++++----
 1 files changed, 9 insertions(+), 4 deletions(-)

commit 4579d7a6f6f261d21954d59b3655a7c44ccb6cd8
Author: Andy Honig <ahonig@google.com>
Date:   Mon Mar 11 09:34:52 2013 -0700

    Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9

    KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)

    If the guest sets the GPA of the time_page so that the request to update
    the time straddles a page then KVM will write onto an incorrect page. The
    write is done by using kmap atomic to get a pointer to the page for the
    time structure and then performing a memcpy to that page starting at an
    offset that the guest controls. Well behaved guests always provide a
    32-byte aligned address, however a malicious guest could use this to
    corrupt host kernel memory.

    Tested: Tested against kvmclock unit test.
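The page-straddle condition from the CVE-2013-1796 message above, as an added illustration rather than the commit's code: a two-page host buffer models the mapped page and its neighbour, the guest-chosen offset is used exactly as the message describes, and a check rejects any placement where the 32-byte time structure would cross the page boundary. Assumptions: bit 0 of the MSR value is the enable flag and the remaining bits carry the guest physical address (KVM's MSR_KVM_SYSTEM_TIME layout), the structure is 32 bytes (the alignment the message mentions), and the check expression is this example's own, not necessarily the upstream fix.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE 4096UL
#define PAGE_MASK (~(PAGE_SIZE - 1))
#define TIME_INFO_SIZE 32        /* assumed sizeof(struct pvclock_vcpu_time_info) */

/* MSR_KVM_SYSTEM_TIME value: bit 0 enables the clock, the other bits hold the
 * guest-physical address of the time structure (assumption stated in the lead-in). */
static uint64_t msr_enable_bit(uint64_t data) { return data & 1; }
static uint64_t msr_page_offset(uint64_t data) { return data & ~(PAGE_MASK | 1); }

/* Added check: the whole structure must lie inside the page the offset points
 * into. Straddling is what the commit message says must be rejected. */
static int time_offset_ok(uint64_t data)
{
    return msr_page_offset(data) + TIME_INFO_SIZE <= PAGE_SIZE;
}

/*
 * Model of the update: pages[] is two adjacent host pages; the guest-chosen
 * offset is applied to the first one as in the vulnerable code. Returns the
 * number of payload bytes that landed in the second page, i.e. outside the
 * page the guest was granted. With check != 0 the placement is validated first.
 */
static size_t bytes_written_past_page(uint64_t data, int check)
{
    uint8_t pages[2 * PAGE_SIZE];
    uint8_t time_info[TIME_INFO_SIZE];
    size_t spill = 0;
    memset(pages, 0, sizeof(pages));
    memset(time_info, 0xEE, sizeof(time_info));       /* constructed payload */
    if (!msr_enable_bit(data))
        return 0;                                      /* clock disabled, no write */
    if (check && !time_offset_ok(data))
        return 0;                                      /* rejected by the added check */
    memcpy(pages + msr_page_offset(data), time_info, TIME_INFO_SIZE);
    for (size_t i = PAGE_SIZE; i < 2 * PAGE_SIZE; i++)
        if (pages[i] == 0xEE)
            spill++;
    return spill;
}
```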
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 arch/x86/kvm/x86.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 14dc5fc373b2ed0506cd973c6bcea8515a01081b
Author: Andy Honig <ahonig@google.com>
Date:   Wed Feb 20 14:49:16 2013 -0800

    Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55

    KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)

    If the guest specifies an IOAPIC_REG_SELECT with an invalid value and
    follows that with a read of the IOAPIC_REG_WINDOW KVM does not properly
    validate that request. ioapic_read_indirect contains an
    ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
    non-debug builds. In recent kernels this allows a guest to cause a kernel
    oops by reading invalid memory. In older kernels (pre-3.3) this allows a
    guest to read from large ranges of host memory.

    Tested: tested against apic unit tests.

    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 virt/kvm/ioapic.c | 7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 90174443d8c5f2ef16b5eb87d1dadae7996878f3
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sat Mar 16 12:48:11 2013 +0300

    Upstream commit: 4502403dcf8f5c76abd4dbab8726c8e4ecb5cd34

    selinux: use GFP_ATOMIC under spin_lock

    The call tree here is:

    sk_clone_lock()                      <- takes bh_lock_sock(newsk);
    xfrm_sk_clone_policy()
    __xfrm_sk_clone_policy()
    clone_policy()                       <- uses GFP_ATOMIC for allocations
    security_xfrm_policy_clone()
    security_ops->xfrm_policy_clone_security()
    selinux_xfrm_policy_clone()

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: James Morris <james.l.morris@oracle.com>

 security/selinux/xfrm.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 58a0d4c45563fa427de311a8305207463df4b250
Author: Lars-Peter Clausen <lars@metafoo.de>
Date:   Sat Mar 9 15:28:44 2013 +0100

    Upstream commit: 8d0c2d10dd72c5292eda7a06231056a4c972e4cc

    ext3: Fix format string issues

    ext3_msg() takes the printk prefix as the second parameter and the format
    string as the third parameter. Two callers of ext3_msg omit the prefix and
    pass the format string as the second parameter and the first parameter to
    the format string as the third parameter. In both cases this string comes
    from an arbitrary source. Which means the string may contain format string
    characters, which will lead to undefined and potentially harmful behavior.

    The issue was introduced in commit 4cf46b67eb ("ext3: Unify log messages
    in ext3") and is fixed by this patch.

    CC: stable@vger.kernel.org
    Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/ext3/super.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit c09d37b10288cbd2c582f6884f0247c739de7a52
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 17:37:59 2013 -0400

    fix compilation

 fs/binfmt_elf.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 3009ccfbdc747eaab8a6185f49fa2d7ab4dcd345
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:42:20 2013 -0400

    fix missing sock_release()

 net/irda/af_irda.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 924f932884bf5a1a0dd1ede919659d762b58dbe5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:36:17 2013 -0400

    fix mpt fusion infoleak

 drivers/message/fusion/mptbase.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit a808b42ef7cf425e62c61787b88c6f3eba0033a3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:34:36 2013 -0400

    update documentation on consequences of building without gcc plugin support

 Makefile | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c92f78b25d5466bfa7335517441714e1a2f003b3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:51:24 2013 -0400

    Replace brk_gap with aslr_gap, fix aslr_gap accounting as reported on
    the forums (Backported from latest PaX for 3.8)

 fs/binfmt_elf.c | 5 +++--
 fs/exec.c | 3 +++
 include/linux/mm_types.h | 2 +-
 mm/mmap.c | 2 +-
 4 files changed, 8 insertions(+), 4 deletions(-)

commit 13e30907b2d2743bcf0610f1196bda39028247ee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:18:13 2013 -0400

    fix compilation failure associated with the latent entropy plugin and
    lack of gcc plugin support reported on the forums

 init/main.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9163504c3caea4c4fcd795a01673f0dfd707a761
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 00:38:51 2013 -0400

    compilation fix

 mm/page_alloc.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit becdf4a98cda62de95c81cc21f841db961d02ea5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 23:40:50 2013 -0400

    update latent entropy plugin

 init/main.c | 4 ++--
 mm/page_alloc.c | 4 ++--
 tools/gcc/latent_entropy_plugin.c | 11 +++++++----
 3 files changed, 11 insertions(+), 8 deletions(-)

commit 9e416cc77fbed4be231306c44e0a56114c8ef243
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 23:38:18 2013 -0400

    update entropy plugin

 Documentation/kernel-parameters.txt | 5 +++++
 init/main.c | 4 ----
 mm/page_alloc.c | 27 +++++++++++++++++++++++++++
 security/Kconfig | 5 +++++
 tools/gcc/latent_entropy_plugin.c | 7 +++++--
 5 files changed, 42 insertions(+), 6 deletions(-)

commit a6e63be203ab75615bf98de4e86d8fcec6895380
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 17 20:51:50 2013 -0400

    fix typo

 grsecurity/gracl.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 00159647fe5be91a9b824e2b7b856a479e338bda
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 17 20:03:33 2013 -0400

    Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task with
    a subject applied to it with RES_CPU. Otherwise, the limit will only
    begin to be applied at fork time. Thanks to Bjornar Ness for the report.
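The parameter mix-up in the ext3 format string commit above (58a0d4c4), as an added illustration that is not the commit's code: ext3_msg_model is a hypothetical stand-in for ext3_msg() with the parameter order the message describes (printk prefix second, format third), writing to a buffer instead of printk. The defective call shape drops the prefix, so the externally supplied option string becomes the format; the demonstration only feeds it "%%" (which consumes no arguments) so the behaviour stays well defined while still showing that the data is being interpreted. The "<3>" prefix stands in for KERN_ERR; the option string is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of ext3_msg(): prefix is the 2nd parameter, format the 3rd.
 * Returns the number of characters produced (as snprintf would). */
static int ext3_msg_model(char *out, size_t outsz, const char *prefix,
                          const char *fmt, ...)
{
    va_list ap;
    int n = snprintf(out, outsz, "%sEXT3-fs: ", prefix);   /* prefix printed via %s: safe */
    if (n < 0 || (size_t)n >= outsz)
        return n;
    va_start(ap, fmt);
    n += vsnprintf(out + n, outsz - (size_t)n, fmt, ap);     /* fmt is interpreted */
    va_end(ap);
    return n;
}

/* Defective call shape from the commit message: the prefix is omitted, so the
 * caller's format string lands in `prefix` and the option string `opt`, which
 * comes from an arbitrary source, becomes the format string. */
static int log_option_buggy(char *out, size_t outsz, const char *opt)
{
    return ext3_msg_model(out, outsz, "error: unsupported mount option \"%s\"", opt);
}

/* Corrected call: explicit prefix, literal format, data passed as an argument. */
static int log_option_fixed(char *out, size_t outsz, const char *opt)
{
    return ext3_msg_model(out, outsz, "<3>",
                          "error: unsupported mount option \"%s\"", opt);
}

/* Returns 1 if the option string appears verbatim in the produced log line,
 * 0 if it was altered by being run through the formatter. */
static int option_preserved(int use_fixed, const char *opt)
{
    char line[256];
    if (use_fixed)
        log_option_fixed(line, sizeof(line), opt);
    else
        log_option_buggy(line, sizeof(line), opt);
    return strstr(line, opt) != NULL;
}
```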
 grsecurity/gracl.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 3c02d1bd65fb2eee551f04668f527306b8122079
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 22:07:43 2013 -0400

    Move inode auditing prior to our refcnt dropping

 fs/namei.c | 9 ++++-----
 1 files changed, 4 insertions(+), 5 deletions(-)

commit 717e5cb4db079b6bc77e1d5ac8480ba6646b442a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 22:00:30 2013 -0400

    Drop reference on completed path walked in RCU mode or when violating
    the chroot fchdir check inside a chroot -- possible culprit for a
    reported vfsmount_lock hang during unmount

 fs/namei.c | 8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 09249c10d8901eefc65e36baec5cc574609403d8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 16:58:11 2013 -0400

    make compat ptr const

 fs/exec.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f18de77ec8ca9ee52de599f1c88302769a5dfe4a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 11:22:36 2013 -0400

    Don't globally include compat.h -- with the new X32 support it changes
    some definitions involving ELF binaries resulting in invalid coredumps,
    as reported by KDE on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3310
    Thanks to the PaX Team for debugging

 fs/exec.c | 15 +++++++++++++++
 grsecurity/grsec_exec.c | 13 +++++++++++++
 include/linux/grsecurity.h | 15 ---------------
 3 files changed, 28 insertions(+), 15 deletions(-)

commit b62dfd7dcca71eb6aa4098b9b3c9525d6612b8ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:59:26 2013 -0400

    Add peer information to /proc/net/unix from Kenan Kalajdzic:
    http://marc.info/?l=linux-netdev&m=126745636809191&w=2

    We use a "P" prefix to the inode number instead of "peer=".

    This additional information can be used, for instance, to find what
    processes are connected to MySQL's unix domain socket.
 net/unix/af_unix.c | 12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

commit 24f726f1a688f93819ad2d5ed68e5a34f87d0b0f
Author: Oliver Neukum <oneukum@suse.de>
Date:   Tue Mar 12 14:52:42 2013 +0100

    USB: cdc-wdm: fix buffer overflow

    The buffer for responses must not overflow.
    If this happens, set a flag, drop the data and return
    an error after user space has read all remaining data.

    Signed-off-by: Oliver Neukum <oliver@neukum.org>
    CC: stable@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

    Conflicts:
        drivers/usb/class/cdc-wdm.c

 drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++---
 1 files changed, 20 insertions(+), 3 deletions(-)

commit 6562baf632007d1e422363349e81f8684f0d607f
Author: Rusty Russell <rusty@rustcorp.com.au>
Date:   Tue Mar 5 10:07:08 2013 +1030

    Upstream commit: f7f154f1246ccc5a0a7e9ce50932627d60a0c878

    hw_random: make buffer usable in scatterlist.

    virtio_rng feeds the randomness buffer handed by the core directly into
    the scatterlist, since commit bb347d98079a547e80bd4722dee1de61e4dca0e8.
    However, if CONFIG_HW_RANDOM=m, the static buffer isn't a linear address
    (at least on most archs).

    We could fix this in virtio_rng, but it's actually far easier to just do
    it in the core as virtio_rng would have to allocate a buffer every time
    (it doesn't know how much the core will want to read).
    Reported-by: Aurelien Jarno <aurelien@aurel32.net>
    Tested-by: Aurelien Jarno <aurelien@aurel32.net>
    Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
    Cc: stable@kernel.org

 drivers/char/hw_random/core.c | 19 ++++++++++++++++---
 1 files changed, 16 insertions(+), 3 deletions(-)

commit 533cbb1392d6e3d1a28b28512f954f052f63c043
Author: Jeff Layton <jlayton@redhat.com>
Date:   Fri Feb 1 15:11:01 2013 -0500

    Upstream commit: ce2ac52105aa663056dfc17966ebed1bf93e6e64

    cifs: ensure that cifs_get_root() only traverses directories

    Kjell Braden reported this oops:

    [ 833.211970] BUG: unable to handle kernel NULL pointer dereference at (null)
    [ 833.212816] IP: [< (null)>] (null)
    [ 833.213280] PGD 1b9b2067 PUD e9f7067 PMD 0
    [ 833.213874] Oops: 0010 [#1] SMP
    [ 833.214344] CPU 0
    [ 833.214458] Modules linked in: des_generic md4 nls_utf8 cifs vboxvideo drm snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq bnep rfcomm snd_timer bluetooth snd_seq_device ppdev snd vboxguest parport_pc joydev mac_hid soundcore snd_page_alloc psmouse i2c_piix4 serio_raw lp parport usbhid hid e1000
    [ 833.215629]
    [ 833.215629] Pid: 1752, comm: mount.cifs Not tainted 3.0.0-rc7-bisectcifs-fec11dd9a0+ #18 innotek GmbH VirtualBox/VirtualBox
    [ 833.215629] RIP: 0010:[<0000000000000000>] [< (null)>] (null)
    [ 833.215629] RSP: 0018:ffff8800119c9c50 EFLAGS: 00010282
    [ 833.215629] RAX: ffffffffa02186c0 RBX: ffff88000c427780 RCX: 0000000000000000
    [ 833.215629] RDX: 0000000000000000 RSI: ffff88000c427780 RDI: ffff88000c4362e8
    [ 833.215629] RBP: ffff8800119c9c88 R08: ffff88001fc15e30 R09: 00000000d69515c7
    [ 833.215629] R10: ffffffffa0201972 R11: ffff88000e8f6a28 R12: ffff88000c4362e8
    [ 833.215629] R13: 0000000000000000 R14: 0000000000000000 R15: ffff88001181aaa6
    [ 833.215629] FS: 00007f2986171700(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000
    [ 833.215629] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    [ 833.215629] CR2: 0000000000000000 CR3: 000000001b982000 CR4: 00000000000006f0
    [ 833.215629] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [ 833.215629] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    [ 833.215629] Process mount.cifs (pid: 1752, threadinfo ffff8800119c8000, task ffff88001c1c16f0)
    [ 833.215629] Stack:
    [ 833.215629]  ffffffff8116a9b5 ffff8800119c9c88 ffffffff81178075 0000000000000286
    [ 833.215629]  0000000000000000 ffff88000c4276c0 ffff8800119c9ce8 ffff8800119c9cc8
    [ 833.215629]  ffffffff8116b06e ffff88001bc6fc00 ffff88000c4276c0 ffff88000c4276c0
    [ 833.215629] Call Trace:
    [ 833.215629]  [<ffffffff8116a9b5>] ? d_alloc_and_lookup+0x45/0x90
    [ 833.215629]  [<ffffffff81178075>] ? d_lookup+0x35/0x60
    [ 833.215629]  [<ffffffff8116b06e>] __lookup_hash.part.14+0x9e/0xc0
    [ 833.215629]  [<ffffffff8116b1d6>] lookup_one_len+0x146/0x1e0
    [ 833.215629]  [<ffffffff815e4f7e>] ? _raw_spin_lock+0xe/0x20
    [ 833.215629]  [<ffffffffa01eef0d>] cifs_do_mount+0x26d/0x500 [cifs]
    [ 833.215629]  [<ffffffff81163bd3>] mount_fs+0x43/0x1b0
    [ 833.215629]  [<ffffffff8117d41a>] vfs_kern_mount+0x6a/0xd0
    [ 833.215629]  [<ffffffff8117e584>] do_kern_mount+0x54/0x110
    [ 833.215629]  [<ffffffff8117fdc2>] do_mount+0x262/0x840
    [ 833.215629]  [<ffffffff81108a0e>] ? __get_free_pages+0xe/0x50
    [ 833.215629]  [<ffffffff8117f9ca>] ? copy_mount_options+0x3a/0x180
    [ 833.215629]  [<ffffffff8118075d>] sys_mount+0x8d/0xe0
    [ 833.215629]  [<ffffffff815ece82>] system_call_fastpath+0x16/0x1b
    [ 833.215629] Code: Bad RIP value.
    [ 833.215629] RIP [< (null)>] (null)
    [ 833.215629]  RSP <ffff8800119c9c50>
    [ 833.215629] CR2: 0000000000000000
    [ 833.238525] ---[ end trace ec00758b8d44f529 ]---

    When walking down the path on the server, it's possible to hit a symlink.
    The path walking code assumes that the caller will handle that situation
    properly, but cifs_get_root() isn't set up for it. This patch prevents the
    oops by simply returning an error. A better solution would be to try and
    chase the symlinks here, but that's fairly complicated to handle.
    Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=53221
    Reported-and-tested-by: Kjell Braden <afflux@pentabarf.de>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: Steve French <sfrench@us.ibm.com>

 fs/cifs/cifsfs.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 38d0728e4aee9a0b44f892ed01a55201f163638c
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Feb 11 22:03:18 2013 +0300

    Upstream commit: 208afec4f3be8c51ad6eebe6611dd6d2ad2fa298

    [SCSI] dc395x: uninitialized variable in device_alloc()

    This bug was introduced back in bitkeeper days in 2003. We use
    "dcb->dev_mode" before it has been initialized.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Oliver Neukum <oliver@neukum.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>

 drivers/scsi/dc395x.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9547aa21a6c0fc7c4fcd48f5fca4dd0e77002fba
Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date:   Mon Feb 25 10:20:36 2013 -0500

    Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49

    Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys

    Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
    compat_process_vm_rw() shows that the compatibility code requires an
    explicit "access_ok()" check before calling compat_rw_copy_check_uvector().
    The same difference seems to appear when we compare
    fs/read_write.c:do_readv_writev() to fs/compat.c:compat_do_readv_writev().

    This subtle difference between the compat and non-compat requirements
    should probably be debated, as it seems to be error-prone. In fact, there
    are two other sites that use this function in the Linux kernel, and they
    both seem to get it wrong:

    Now shifting our attention to fs/aio.c, we see that aio_setup_iocb() also
    ends up calling compat_rw_copy_check_uvector() through
    aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
    be missing. Same situation for
    security/keys/compat.c:compat_keyctl_instantiate_key_iov().

    I propose that we add the access_ok() check directly into
    compat_rw_copy_check_uvector(), so callers don't have to worry about it,
    and it therefore makes the compat call code similar to its non-compat
    counterpart. Place the access_ok() check in the same location where
    copy_from_user() can trigger a -EFAULT error in the non-compat code, so
    the ABI behaviors are alike on both compat and non-compat.

    While we are here, fix compat_do_readv_writev() so it checks for
    compat_rw_copy_check_uvector() negative return values.

    And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
    handling.

    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
    Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Conflicts:
        security/keys/compat.c

    Conflicts:
        fs/compat.c

 fs/compat.c            | 15 +++++++--------
 mm/process_vm_access.c |  8 --------
 security/keys/compat.c |  3 ++-
 3 files changed, 9 insertions(+), 17 deletions(-)

commit 40ee20019f37a4501efc4af876fc53bf800e2142
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Tue Mar 12 02:59:49 2013 +0000

    Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512

    vfs: fix pipe counter breakage

    If you open a pipe for neither read nor write, the pipe code will not add
    any usage counters to the pipe, causing the 'struct pipe_inode_info' to be
    potentially released early.

    That doesn't normally matter, since you cannot actually use the pipe, but
    the pipe release code - particularly fasync handling - still expects the
    actual pipe infrastructure to all be there. And rather than adding NULL
    pointer checks, let's just disallow this case, the same way we already do
    for the named pipe ("fifo") case.

    This is ancient going back to pre-2.4 days, and until trinity, nobody never
    noticed.
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/pipe.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit dfa0882777e2638ddeeb67eae24e3578b38012ba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 11 18:38:38 2013 -0400

    Fix leak of signal handler addresses across execve, found by Emese Revfy

 kernel/signal.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 666be15906ab103bf34d136093e1989fad20ac67
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 12:04:39 2013 -0400

    backport fixed i386 mmap check (to allow non-fixed mmap requests to choose
    a bad range and let the allocator find the proper space)

 arch/x86/kernel/sys_i386_32.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 9433f474e3b7c9136f6df50d1d1431ed74e1bbde
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 9 15:54:24 2013 -0500

    fix compilation error reported by djcool on IRC

 fs/proc/task_mmu.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 75fb8bb5b399ab3d1e38b692e878baf66f902c97
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 9 11:19:06 2013 -0500

    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>, Stephen Hemminger <stephen@networkplumber.org>
    Subject: [PATCH 1/3] bridge: fix mdb info leaks
    Date: Sat, 9 Mar 2013 16:52:19 +0100

    The bridging code discloses heap and stack bytes via the RTM_GETMDB netlink
    interface and via the notify messages sent to group RTNLGRP_MDB after a
    successful add/del.

    Fix both cases by initializing all unset members/padding bytes with
    memset(0).

    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
    Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices
    Date: Sat, 9 Mar 2013 16:52:20 +0100

    Initialize the mac address buffer with 0 as the driver specific function
    will probably not fill the whole buffer. In fact, all in-kernel drivers
    fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
    bytes. Therefore we currently leak 26 bytes of stack memory to userland
    via the netlink interface.

    Signed-off-by: Mathias Krause <minipli@googlemail.com>

    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
    Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks
    Date: Sat, 9 Mar 2013 16:52:21 +0100

    The dcb netlink interface leaks stack memory in various places:

    * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
      copied completely,
    * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, so
      we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes for
      ieee_pfc structs, etc.,
    * the same is true for CEE -- no in-kernel driver fills the whole struct,

    Prevent all of the above stack info leaks by properly initializing the
    buffers/structures involved.
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

    Conflicts:
        net/bridge/br_mdb.c
        net/dcb/dcbnl.c

 net/core/rtnetlink.c | 1 +
 net/dcb/dcbnl.c      | 7 +++++++
 2 files changed, 8 insertions(+), 0 deletions(-)

commit 1b361b20cac7c1f94d4da20a08861ca61f73d745
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 8 18:47:43 2013 -0500

    Allow copies to user from DECnet's NSP slab cache

 net/decnet/af_decnet.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 65b208809043a835524a2a6e64bfd8dbe07ca76a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 22:00:21 2013 -0500

    fix ARM compilation reported on IRC

 arch/arm/include/asm/pgalloc.h | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 4e3bdb314d3e4677edc35af62b551984a55d377b
Author: Kees Cook <keescook@chromium.org>
Date:   Mon Feb 25 21:32:25 2013 +0000

    Upstream commit: e70ab977991964a5a7ad1182799451d067e62669

    proc connector: reject unprivileged listener bumps

    While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible
    for an unprivileged user to turn off notifications for all listeners by
    sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as
    required for a multicast bind.

    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Evgeniy Polyakov <zbr@ioremap.net>
    Cc: Matt Helsley <matthltc@us.ibm.com>
    Cc: stable@vger.kernel.org
    Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
    Acked-by: Matt Helsley <matthltc@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        drivers/connector/cn_proc.c

 drivers/connector/cn_proc.c | 10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit 1d10a77bb5eecdc14415d5443dbd11641b03ed26
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Feb 26 19:15:02 2013 +0000

    Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a

    irda: small read beyond end of array in debug code

    charset comes from skb->data. It's a number in the 0-255 range. If we have
    debugging turned on then this could cause a read beyond the end of the
    array.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/irda/iriap.c | 7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 562feb38bda7bf16725723bb2f98150d16caea34
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Fri Mar 1 05:02:02 2013 +0000

    Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a

    l2tp: Restore socket refcount when sendmsg succeeds

    The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
    reference counter after successful transmissions. Any successful
    sendmsg() call from userspace will then increase the reference counter
    forever, thus preventing the kernel's session and tunnel data from being
    freed later on.

    The problem only happens when writing directly on L2TP sockets. PPP
    sockets attached to L2TP are unaffected as the PPP subsystem uses
    pppol2tp_xmit() which symmetrically increases/decreases reference
    counters.

    This patch adds the missing call to sock_put() before returning from
    pppol2tp_sendmsg().

    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e696b07a8a40c2a80c62585e2038be7c356f0fbd
Author: Cong Wang <amwang@redhat.com>
Date:   Sun Mar 3 16:18:11 2013 +0000

    Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0

    rds: limit the size allocated by rds_message_alloc()

    Dave Jones reported the following bug:

    "When fed mangled socket data, rds will trust what userspace gives it,
    and tries to allocate enormous amounts of memory larger than what
    kmalloc can satisfy."
    Reported-by: Dave Jones <davej@redhat.com>
    Cc: Dave Jones <davej@redhat.com>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/message.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 6c6c2318ae34d1b2846b05a889a1bb98463269db
Author: Cong Wang <amwang@redhat.com>
Date:   Sun Mar 3 16:28:27 2013 +0000

    Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e

    sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE

    Don't define its own MAX_KMALLOC_SIZE, use the one defined in mm.

    Cc: Vlad Yasevich <vyasevich@gmail.com>
    Cc: Sridhar Samudrala <sri@us.ibm.com>
    Cc: Neil Horman <nhorman@tuxdriver.com>
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/ssnmap.c | 8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

commit 62019622ddb34af1a7491b8910a1f13f1519ba08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:57:49 2013 -0500

    Upstream commit: https://lkml.org/lkml/2013/3/6/535

 security/keys/process_keys.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ae14eb6c28a45c21e055b9720afb3c9d7ee85bc7
Merge: c5d126f bbe3291
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:45:11 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        arch/x86/mm/fault.c
        kernel/kmod.c

commit bbe329188b69a8a42d0d422664ca52fa1c686713
Merge: ef7d861 733c794
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:31:20 2013 -0500

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        arch/x86/mm/fault.c

commit c5d126fcabd2d29bd3049c230185affe3d0ff7f1
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed Feb 27 08:36:04 2013 -0800

    Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0

    mm: do not grow the stack vma just because of an overrun on preceding vma

    The stack vma is designed to grow automatically (marked with VM_GROWSUP or
    VM_GROWSDOWN depending on architecture) when an access is made beyond the
    existing boundary.
    However, particularly if you have not limited your stack at all
    ("ulimit -s unlimited"), this can cause the stack to grow even if the
    access was really just one past *another* segment.

    And that's wrong, especially since we first grow the segment, but then
    immediately later enforce the stack guard page on the last page of the
    segment. So _despite_ first growing the stack segment as a result of the
    access, the kernel will then make the access cause a SIGSEGV anyway!

    So do the same logic as the guard page check does, and consider an access
    to within one page of the next segment to be a bad access, rather than
    growing the stack to abut the next segment.

    Reported-and-tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmap.c | 27 +++++++++++++++++++++++++++
 1 files changed, 27 insertions(+), 0 deletions(-)

commit c5fec05036e409c7331f15be8332dde8f3ecdf98
Author: H. Peter Anvin <hpa@linux.intel.com>
Date:   Wed Feb 27 12:46:40 2013 -0800

    Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c

    x86: Make sure we can boot in the case the BDA contains pure garbage

    On non-BIOS platforms it is possible that the BIOS data area contains
    garbage instead of being zeroed or something equivalent (firmware people:
    we are talking of 1.5K here, so please do the sane thing.)

    We need on the order of 20-30K of low memory in order to boot, which may
    grow up to < 64K in the future. We probably want to avoid the lowest of
    the low memory. At the same time, it seems extremely unlikely that a
    legitimate EBDA would ever reach down to the 128K (which would require it
    to be over half a megabyte in size.) Thus, pick 128K as the cutoff for
    "this is insane, ignore."

    We may still end up reserving a bunch of extra memory on the low megabyte,
    but that is not really a major issue these days. In the worst case we lose
    512K of RAM.
    This code really should be merged with trim_bios_range() in
    arch/x86/kernel/setup.c, but that is a bigger patch for a later merge
    window.

    Reported-by: Darren Hart <dvhart@linux.intel.com>
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Cc: Matt Fleming <matt.fleming@intel.com>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org

 arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++-----------------
 1 files changed, 34 insertions(+), 19 deletions(-)

commit 959e94223933bd41b03d15d37dd90ba6da2d0a2f
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Wed Feb 27 17:05:46 2013 -0800

    Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469

    memstick: move the dereference below the NULL test

    The dereference should be moved below the NULL test.

    spatch with a semantic match is used to find this.
    (http://coccinelle.lip6.fr/)

    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Cc: Maxim Levitsky <maximlevitsky@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/memstick/host/r592.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit a11e3c3f7c35c7b8131537c3364c659cefe591e9
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Feb 27 17:05:21 2013 -0800

    Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560

    sysctl: fix null checking in bin_dn_node_address()

    The null check of `strchr() + 1' is broken, which is always non-null,
    leading to OOB read. Instead, check the result of strchr().

    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/sysctl_binary.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 8b5d5fabb5a5aa862bd76a8454489483649605e8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 1 20:31:42 2013 -0500

    Fix dentry use-after-free after failed complete_walk() with RBAC enabled

    Many thanks to zakalwe from #grsecurity for the report and debugging help

 fs/namei.c | 8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

commit ac8de3b2811460dbe4ce7fe1d873f98f4e76e7d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 22:20:22 2013 -0500

    add compiler.h to sysrq.h to fix compilation problem reported by micu on forums

 include/linux/sysrq.h | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 53b50ef22e0493baea9a04f9106d4dbe3f7ab770
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 18:14:21 2013 -0500

    check for CAP_SYSLOG on /dev/kmsg write

 drivers/char/mem.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 695b80c298392e89d34a6bc9f2be1b5a12707d22
Author: Anderson Lizardo <anderson.lizardo@openbossa.org>
Date:   Sun Jan 6 18:28:53 2013 -0400

    Upstream commit: 0a9ab9bdb3e891762553f667066190c1d22ad62b
    (fix two additional copy lengths as well -spender)

    Bluetooth: Fix incorrect strncpy() in hidp_setup_hid()

    The length parameter should be sizeof(req->name) - 1 because there is no
    guarantee that string provided by userspace will contain the trailing '\0'.

    Can be easily reproduced by manually setting req->name to 128 non-zero
    bytes prior to ioctl(HIDPCONNADD) and checking the device name setup on
    input subsystem:

    $ cat /sys/devices/pnp0/00\:04/tty/ttyS0/hci0/hci0\:1/input8/name
    AAAAAA[...]AAAAAAAAf0:af:f0:af:f0:af

    ("f0:af:f0:af:f0:af" is the device bluetooth address, taken from "phys"
    field in struct hid_device due to overflow.)
    Cc: stable@vger.kernel.org
    Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
    Acked-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>

    Conflicts:
        net/bluetooth/hidp/core.c

 net/bluetooth/hidp/core.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 31123145b542970da371c0af442300421fb61027
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Thu Feb 21 16:42:43 2013 -0800

    Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a

    configfs: move the dereference below the NULL test

    The dereference should be moved below the NULL test.

    spatch with a semantic match is used to find this.
    (http://coccinelle.lip6.fr/)

    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Cc: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/configfs/dir.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 1ebb7feb18aaca110dea90adf3c641cd9f3e5d98
Author: Alan Stern <stern@rowland.harvard.edu>
Date:   Thu Nov 17 16:42:19 2011 -0500

    Upstream commit: 0720a06a7518c9d0c0125bd5d1f3b6264c55c3dd

    NLS: improve UTF8 -> UTF16 string conversion routine

    The utf8s_to_utf16s conversion routine needs to be improved. Unlike its
    utf16s_to_utf8s sibling, it doesn't accept arguments specifying the
    maximum length of the output buffer or the endianness of its 16-bit
    output.

    This patch (as1501) adds the two missing arguments, and adjusts the only
    two places in the kernel where the function is called. A follow-on patch
    will add a third caller that does utilize the new capabilities.

    The two conversion routines are still annoyingly inconsistent in the way
    they handle invalid byte combinations. But that's a subject for a
    different patch.
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    CC: Clemens Ladisch <clemens@ladisch.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 drivers/hv/hv_kvp.c | 10 ++++++----
 fs/fat/namei_vfat.c |  3 ++-
 fs/nls/nls_base.c   | 43 +++++++++++++++++++++++++++++++++----------
 include/linux/nls.h |  5 +++--
 4 files changed, 44 insertions(+), 17 deletions(-)

commit ca0366a73b4228ca47f24712112bd5d005371f92
Author: Greg Thelen <gthelen@google.com>
Date:   Fri Feb 22 16:36:01 2013 -0800

    Upstream commit: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987

    tmpfs: fix use-after-free of mempolicy object

    The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
    option is not specified in the remount request. A new policy can be
    specified if mpol=M is given.

    Before this patch remounting an mpol bound tmpfs without specifying mpol=
    mount option in the remount request would set the filesystem's mempolicy
    object to a freed mempolicy object.

    To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:

    # mkdir /tmp/x
    # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
    # grep /tmp/x /proc/mounts
    nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
    # mount -o remount,size=200M nodev /tmp/x
    # grep /tmp/x /proc/mounts
    nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
    # note ? garbage in mpol=... output above
    # dd if=/dev/zero of=/tmp/x/f count=1 # panic here

    Panic:
    BUG: unable to handle kernel NULL pointer dereference at (null)
    IP: [< (null)>] (null)
    [...]
    Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
    Call Trace:
    mpol_shared_policy_init+0xa5/0x160
    shmem_get_inode+0x209/0x270
    shmem_mknod+0x3e/0xf0
    shmem_create+0x18/0x20
    vfs_create+0xb5/0x130
    do_last+0x9a1/0xea0
    path_openat+0xb3/0x4d0
    do_filp_open+0x42/0xa0
    do_sys_open+0xfe/0x1e0
    compat_sys_open+0x1b/0x20
    cstar_dispatch+0x7/0x1f

    Non-debug kernels will not crash immediately because referencing the
    dangling mpol will not cause a fault.
    Instead the filesystem will reference a freed mempolicy object, which
    will cause unpredictable behavior.

    The problem boils down to a dropped mpol reference below if
    shmem_parse_options() does not allocate a new mpol:

        config = *sbinfo
        shmem_parse_options(data, &config, true)
        mpol_put(sbinfo->mpol)
        sbinfo->mpol = config.mpol  /* BUG: saves unreferenced mpol */

    This patch avoids the crash by not releasing the mempolicy if
    shmem_parse_options() doesn't create a new mpol.

    How far back does this issue go? I see it in both 2.6.36 and 3.3. I did
    not look back further.

    Signed-off-by: Greg Thelen <gthelen@google.com>
    Acked-by: Hugh Dickins <hughd@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/shmem.c | 10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit ecfc3ccfab1b520c294a676cbe5db18f383b5ad2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 22:53:40 2013 -0500

    remove kcalloc_error, only a minor performance improvement
    we've fixed all upstream callers by now, though some out-of-tree callers
    with swapped args may still exist
    no point in failing such builds simply for this

 include/linux/slab.h | 9 ---------
 1 files changed, 0 insertions(+), 9 deletions(-)

commit 78ae2e2503c12f6772494e26c41e2dc731a9075f
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Jan 10 16:18:47 2013 +0000

    tcp: accept RST without ACK flag

    commit c3ae62af8e755 (tcp: should drop incoming frames without ACK flag
    set) added a regression on the handling of RST messages.

    RST should be allowed to come even without ACK bit set. We validate the
    RST by checking the exact sequence, as requested by RFC 793 and 5961 3.2,
    in tcp_validate_incoming()

    Reported-by: Eric Wong <normalperson@yhbt.net>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Tested-by: Eric Wong <normalperson@yhbt.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        net/ipv4/tcp_input.c

 net/ipv4/tcp_input.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 40daaf07ee2aa6efeb9a7c55dfaebd8305e399c8
Merge: 583fdbb ef7d861
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 20 19:10:38 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        Makefile

commit ef7d861a59549935594f086ac5cd7b33403f127c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 20 19:09:41 2013 -0500

    Update to pax-linux-3.2.39-test96.patch:
    - some more struct notifier_block constification

 Makefile                                 | 4 ++++
 arch/arm/kernel/hw_breakpoint.c          | 2 +-
 arch/ia64/kernel/err_inject.c            | 2 +-
 arch/ia64/kernel/mca.c                   | 2 +-
 arch/ia64/kernel/palinfo.c               | 2 +-
 arch/ia64/kernel/salinfo.c               | 2 +-
 arch/ia64/kernel/topology.c              | 2 +-
 arch/powerpc/kernel/sysfs.c              | 2 +-
 arch/powerpc/mm/mmu_context_nohash.c     | 2 +-
 arch/powerpc/mm/numa.c                   | 2 +-
 arch/powerpc/platforms/powermac/smp.c    | 2 +-
 arch/s390/appldata/appldata_base.c       | 2 +-
 arch/s390/kernel/smp.c                   | 2 +-
 arch/sh/kernel/cpu/sh4a/smp-shx3.c       | 2 +-
 arch/sparc/kernel/sysfs.c                | 2 +-
 arch/x86/kernel/apic/x2apic_cluster.c    | 2 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c    | 2 +-
 arch/x86/kernel/cpu/mcheck/mce.c         | 2 +-
 arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
 arch/x86/kernel/cpuid.c                  | 2 +-
 arch/x86/kernel/kvm.c                    | 2 +-
 arch/x86/kernel/microcode_core.c         | 2 +-
 arch/x86/kernel/msr.c                    | 2 +-
 arch/x86/kernel/tboot.c                  | 2 +-
 arch/x86/pci/amd_bus.c                   | 2 +-
 arch/x86/xen/enlighten.c                 | 2 +-
 block/blk-iopoll.c                       | 2 +-
 block/blk-softirq.c                      | 2 +-
 drivers/cpufreq/cpufreq.c                | 2 +-
 drivers/cpufreq/cpufreq_stats.c          | 2 +-
 drivers/dma/shdma.c                      | 2 +-
 drivers/gpu/drm/radeon/radeon_ttm.c      | 2 ++
 drivers/hwmon/coretemp.c                 | 2 +-
 drivers/hwmon/via-cputemp.c              | 2 +-
 drivers/infiniband/hw/ehca/ehca_irq.c    | 2 +-
 drivers/net/ethernet/ibm/emac/core.c     | 2 +-
 drivers/net/macvlan.c                    | 2 +-
 drivers/oprofile/timer_int.c             | 2 +-
 include/linux/cpu.h                      | 2 +-
 include/linux/perf_event.h               | 2 +-
 kernel/hrtimer.c                         | 2 +-
 kernel/sched.c                           | 2 +-
 kernel/smp.c                             | 2 +-
 kernel/softirq.c                         | 4 ++--
 kernel/stop_machine.c                    | 2 +-
 kernel/timer.c                           | 2 +-
 kernel/watchdog.c                        | 2 +-
 mm/page-writeback.c                      | 2 +-
 mm/slab.c                                | 2 +-
 mm/slub.c                                | 2 +-
 mm/vmstat.c                              | 2 +-
 net/iucv/iucv.c                          | 2 +-
 scripts/gcc-plugin.sh                    | 2 +-
 53 files changed, 58 insertions(+), 52 deletions(-)

commit 583fdbb82026b27d4c81a4d968a07d464ee08b11
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Mon Feb 18 09:58:02 2013 -0800

    Upstream commit: 7c45512df987c5619db041b5c9b80d281e26d3db

    mm: fix pageblock bitmap allocation

    Commit c060f943d092 ("mm: use aligned zone start for pfn_to_bitidx
    calculation") fixed our calculation of the index into the pageblock
    bitmap when a !SPARSEMEM zone was not aligned to pageblock_nr_pages.

    However, the _allocation_ of that bitmap had never taken this alignment
    requirement into account, so depending on the exact size and alignment of
    the zone, the use of that index could then access past the allocation,
    resulting in some very subtle memory corruption.

    This was reported (and bisected) by Ingo Molnar: one of his random config
    builds would hang with certain very specific kernel command line options.

    In the meantime, commit c060f943d092 has been marked for stable, so this
    fix needs to be back-ported to the stable kernels that backported the
    commit to use the right alignment.
    Bisected-and-tested-by: Ingo Molnar <mingo@kernel.org>
    Acked-by: Mel Gorman <mgorman@suse.de>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/page_alloc.c | 15 +++++++++------
 1 files changed, 9 insertions(+), 6 deletions(-)

commit 12201122b593e48e7fa148ff26171bb2da248f41
Merge: c114821 d89f727
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 20 17:32:05 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit d89f7279207eb9571207cfa05f5634915d0f3dfe
Merge: 964588c cd1b44e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 20 17:31:53 2013 -0500

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        arch/x86/xen/xen-asm_32.S

commit c114821371117bc7a0c4fdbfc6b998cac7955da7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 19 18:31:42 2013 -0500

    Apply patch: "arp: fix possible crash in arp_rcv()" from Eric Dumazet

 net/ipv4/arp.c | 21 +++++++++++----------
 1 files changed, 11 insertions(+), 10 deletions(-)

commit b1bacd472771b30d50603a76f718f55c8e34747e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 17 17:36:28 2013 -0500

    Fix radeon driver crash reported on forums

 drivers/gpu/drm/radeon/radeon_ttm.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit f2913da4a4fc467a41bfe5a62ced209b962a22b0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 17 17:00:52 2013 -0500

    From b834b19a076b1d1448d903cf4e7e69a4bd83d8d9 Mon Sep 17 00:00:00 2001
    From: Mathias Krause <minipli@googlemail.com>
    Date: Tue, 5 Feb 2013 17:56:37 +0100
    Subject: [PATCH 3/3] crypto: user - ensure user supplied strings are nul-terminated

    To avoid misuse, ensure cru_name and cru_driver_name are always
    nul-terminated strings.
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 crypto/crypto_user.c | 14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit 198571fd4e8955b9851e3e59c198e7d65fe3fbfe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 17 16:58:52 2013 -0500

    From 7061588328f144624e58857ab07de8c589d6924a Mon Sep 17 00:00:00 2001
    From: Mathias Krause <minipli@googlemail.com>
    Date: Sat, 2 Feb 2013 16:42:34 +0100
    Subject: [PATCHv2 2/3] crypto: user - fix empty string test in report API

    The current test for empty strings fails because it is testing the address of a field, not a pointer. So the test will always be true. Test the first character in the string to not be null instead.

    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    ---
    v2:
    - switched to simple character test, as suggested by Herbert Xu

 crypto/crypto_user.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 413e1cc8257ebc81725bc53c24ef1989b7998774
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 17 16:57:47 2013 -0500

    From f70baf464631ee8d6d67d13a9982d61b3c8e12c5 Mon Sep 17 00:00:00 2001
    From: Mathias Krause <minipli@googlemail.com>
    Date: Wed, 30 Jan 2013 12:14:18 +0100
    Subject: [PATCHv2 1/3] crypto: user - fix info leaks in report API

    Three errors resulting in kernel memory disclosure:

    1/ The structures used for the netlink based crypto algorithm report API are located on the stack. As snprintf() does not fill the remainder of the buffer with null bytes, those stack bytes will be disclosed to users of the API. Switch to strncpy() to fix this.

    2/ crypto_report_one() does not initialize all fields of struct crypto_user_alg. Fix this to fix the heap info leak.

    3/ For the module name we should copy only as many bytes as module_name() returns -- not as much as the destination buffer could hold.
    But the current code does not and therefore copies random data from behind the end of the module name, as the module name is always shorter than CRYPTO_MAX_ALG_NAME.

    Also switch to use strncpy() to copy the algorithm's name and driver_name. They are strings, after all.

    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>

 crypto/ablkcipher.c | 12 ++++++------
 crypto/aead.c | 9 ++++-----
 crypto/ahash.c | 2 +-
 crypto/blkcipher.c | 6 +++---
 crypto/crypto_user.c | 20 +++++++++++---------
 crypto/pcompress.c | 2 +-
 crypto/rng.c | 2 +-
 crypto/shash.c | 3 ++-
 8 files changed, 29 insertions(+), 27 deletions(-)

commit b1cf339860eabcbe6393b89ec034e38b12fdd0df
Author: Jan Beulich <JBeulich@suse.com>
Date:   Thu Jan 24 13:11:10 2013 +0000

    Upstream commit: afb7b3a2bd406586ed4aebc1e159352e588b991e

    x86/xen: don't assume %ds is usable in xen_iret for 32-bit PVOPS.

    commit 13d2b4d11d69a92574a55bfd985cfb0ca77aebdc upstream.

    This fixes CVE-2013-0228 / XSA-42

    Drew Jones while working on CVE-2013-0190 found that an unprivileged guest user in a 32bit PV guest can crash the guest with a panic like this:

    -------------
    general protection fault: 0000 [#1] SMP
    last sysfs file: /sys/devices/vbd-51712/block/xvda/dev
    Modules linked in: sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 xen_netfront ext4 mbcache jbd2 xen_blkfront dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan]

    Pid: 1250, comm: r Not tainted 2.6.32-356.el6.i686 #1
    EIP: 0061:[<c0407462>] EFLAGS: 00010086 CPU: 0
    EIP is at xen_iret+0x12/0x2b
    EAX: eb8d0000 EBX: 00000001 ECX: 08049860 EDX: 00000010
    ESI: 00000000 EDI: 003d0f00 EBP: b77f8388 ESP: eb8d1fe0
     DS: 0000 ES: 007b FS: 0000 GS: 00e0 SS: 0069
    Process r (pid: 1250, ti=eb8d0000 task=c2953550 task.ti=eb8d0000)
    Stack:
     00000000 0027f416 00000073 00000206 b77f8364 0000007b 00000000 00000000
    Call Trace:
    Code: c3 8b 44 24 18 81 4c 24 38 00 02 00 00 8d 64 24 30 e9 03 00 00 00 8d 76 00 f7 44 24 08 00 00 02 80 75 33 50 b8 00 e0 ff ff 21 e0 <8b> 40 10 8b 04 85 a0 f6 ab c0 8b 80 0c b0 b3 c0 f6 44 24 0d 02
    EIP: [<c0407462>] xen_iret+0x12/0x2b SS:ESP 0069:eb8d1fe0
    general protection fault: 0000 [#2]
    ---[ end trace ab0d29a492dcd330 ]---
    Kernel panic - not syncing: Fatal exception
    Pid: 1250, comm: r Tainted: G D --------------- 2.6.32-356.el6.i686 #1
    Call Trace:
     [<c08476df>] ? panic+0x6e/0x122
     [<c084b63c>] ? oops_end+0xbc/0xd0
     [<c084b260>] ? do_general_protection+0x0/0x210
     [<c084a9b7>] ? error_code+0x73/
    -------------

    Petr says: " I've analysed the bug and I think that xen_iret() cannot cope with mangled DS, in this case zeroed out (null selector/descriptor) by either xen_failsafe_callback() or RESTORE_REGS because the corresponding LDT entry was invalidated by the reproducer. "

    Jan took a look at the preliminary patch and came up with a fix that solves this problem:

    "This code gets called after all registers other than those handled by IRET got already restored, hence a null selector in %ds or a non-null one that got loaded from a code or read-only data descriptor would cause a kernel mode fault (with the potential of crashing the kernel as a whole, if panic_on_oops is set)."

    The way to fix this is to realize that we can only rely on the registers that IRET restores. The two that are guaranteed are the %cs and %ss as they are always fixed GDT selectors. Also they are inaccessible from user mode - so they cannot be altered. This is the approach taken in this patch.

    Another alternative option suggested by Jan would be to rely on the subtle realization that using the %ebp or %esp relative references uses the %ss segment. In which case we could switch from using %eax to %ebp and would not need the %ss over-rides. That would also require one extra instruction to compensate for the one place where the register is used as scaled index.
    However Andrew pointed out that is too subtle and if further work was to be done in this code-path it could escape folks' attention and lead to accidents.

    Reviewed-by: Petr Matousek <pmatouse@redhat.com>
    Reported-by: Petr Matousek <pmatouse@redhat.com>
    Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

    Conflicts:
        arch/x86/xen/xen-asm_32.S

 arch/x86/xen/xen-asm_32.S | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit c8159ee5edb29750e7f41bf41e44fb87e7156dff
Merge: 4e76bfd 964588c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 17 16:33:11 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        drivers/net/ethernet/mellanox/mlx4/eq.c

commit 964588cb0830ac56f245b09f5a926cc63c1bdacf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 17 16:29:19 2013 -0500

    Update to pax-linux-3.2.38-test94.patch:
    - reverted/rewrote some of the recent constification changes as gcc proved to be a bit too smart in optimizing constified function pointer dereferences that in turn broke special cases where such pointers did have to be modified, reported by gaima (http://forums.grsecurity.net/viewtopic.php?f=3&t=3276)

 arch/x86/include/asm/kvm_host.h | 2 +-
 arch/x86/include/asm/paravirt_types.h | 10 ++--
 arch/x86/include/asm/reboot.h | 2 +-
 arch/x86/include/asm/smp.h | 2 +-
 arch/x86/include/asm/x86_init.h | 10 ++--
 arch/x86/kernel/acpi/boot.c | 2 +-
 arch/x86/kernel/amd_gart_64.c | 2 +-
 arch/x86/kernel/aperture_64.c | 2 +-
 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
 arch/x86/kernel/apic/es7000_32.c | 5 +-
 arch/x86/kernel/apic/numaq_32.c | 19 ++++-----
 arch/x86/kernel/apic/probe_32.c | 2 +-
 arch/x86/kernel/apic/summit_32.c | 2 +-
 arch/x86/kernel/apic/x2apic_cluster.c | 2 +-
 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c | 6 +-
 arch/x86/kernel/cpu/vmware.c | 2 +-
 arch/x86/kernel/head32.c | 4 +-
 arch/x86/kernel/kvm.c | 8 ++--
 arch/x86/kernel/kvmclock.c | 14 +++---
 arch/x86/kernel/paravirt.c | 8 ++--
 arch/x86/kernel/pci-calgary_64.c | 2 +-
 arch/x86/kernel/ptrace.c | 8 ++--
 arch/x86/kernel/reboot.c | 2 +-
 arch/x86/kernel/smp.c | 2 +-
 arch/x86/kernel/vsmp_64.c | 2 +-
 arch/x86/kernel/x86_init.c | 6 +-
 arch/x86/lguest/boot.c | 64 +++++++++++++++---------------
 arch/x86/pci/acpi.c | 2 +-
 arch/x86/pci/xen.c | 14 +++---
 arch/x86/platform/efi/efi.c | 4 +-
 arch/x86/platform/mrst/mrst.c | 40 ++++++++++----------
 arch/x86/platform/mrst/vrtc.c | 4 +-
 arch/x86/xen/enlighten.c | 46 +++++++++++-----------
 arch/x86/xen/irq.c | 2 +-
 arch/x86/xen/mmu.c | 6 +-
 arch/x86/xen/smp.c | 12 +++---
 arch/x86/xen/spinlock.c | 12 +++---
 arch/x86/xen/time.c | 26 ++++++------
 drivers/firmware/efivars.c | 8 ++--
 drivers/gpu/drm/radeon/radeon_ttm.c | 8 +--
 drivers/iommu/amd_iommu_init.c | 4 +-
 drivers/iommu/dmar.c | 2 +-
 drivers/net/ethernet/mellanox/mlx4/eq.c | 4 +-
 include/linux/efi.h | 1 +
 include/linux/interrupt.h | 2 +-
 include/linux/mm.h | 1 +
 include/linux/regset.h | 1 +
 kernel/softirq.c | 8 +--
 kernel/trace/trace_events.c | 8 ++--
 net/core/rtnetlink.c | 16 +++-----
 virt/kvm/kvm_main.c | 12 +++---
 53 files changed, 217 insertions(+), 224 deletions(-)

commit 4e76bfd90156e59670b812d2b90a2be3537b9b82
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 17 13:28:08 2013 -0500

    add security_capable_noaudit for CONFIG_SECURITY

 security/security.c | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 12b830c785b1d32521538addec8a5d827a8482ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 16 13:54:20 2013 -0500

    add security_capable_noaudit

 include/linux/security.h | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit bfca3ea61b28f8b94b663ccdce4895cfc23d549f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 16 13:32:42 2013 -0500

    Make capable_nolog call security_capable_noaudit so that SELinux doesn't complain about capabilities that aren't necessarily used. Patch from Luis Ressel

    Conflicts:
        kernel/capability.c

 kernel/capability.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 2634834999db26c366dde3408b7520d18892f016
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Mon Jan 21 20:47:41 2013 +0100

    Upstream commit: 910ffdb18a6408e14febbb6e4b6840fd2c928c82

    ptrace: introduce signal_wake_up_state() and ptrace_signal_wake_up()

    Cleanup and preparation for the next change.

    signal_wake_up(resume => true) is overused. None of ptrace/jctl callers actually want to wakeup a TASK_WAKEKILL task, but they can't specify the necessary mask.

    Turn signal_wake_up() into signal_wake_up_state(state), reintroduce signal_wake_up() as a trivial helper, and add ptrace_signal_wake_up() which adds __TASK_TRACED.

    This way ptrace_signal_wake_up() can work "inside" ptrace_request() even if the tracee doesn't have the TASK_WAKEKILL bit set.

    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 include/linux/sched.h | 11 ++++++++++-
 kernel/ptrace.c | 8 ++++----
 kernel/signal.c | 14 ++++----------
 3 files changed, 18 insertions(+), 15 deletions(-)

commit 67e0216cdffd10fa6677ae497c55abb37584fa91
Author: Mel Gorman <mgorman@suse.de>
Date:   Mon Feb 11 14:52:36 2013 +0000

    Upstream commit: 0ee364eb316348ddf3e0dfcd986f5f13f528f821

    x86/mm: Check if PUD is large when validating a kernel address

    A user reported the following oops when a backup process reads /proc/kcore:

     BUG: unable to handle kernel paging request at ffffbb00ff33b000
     IP: [<ffffffff8103157e>] kern_addr_valid+0xbe/0x110
     [...]
     Call Trace:
      [<ffffffff811b8aaa>] read_kcore+0x17a/0x370
      [<ffffffff811ad847>] proc_reg_read+0x77/0xc0
      [<ffffffff81151687>] vfs_read+0xc7/0x130
      [<ffffffff811517f3>] sys_read+0x53/0xa0
      [<ffffffff81449692>] system_call_fastpath+0x16/0x1b

    Investigation determined that the bug triggered when reading system RAM at the 4G mark. On this system, that was the first address using 1G pages for the virt->phys direct mapping so the PUD is pointing to a physical address, not a PMD page. The problem is that the page table walker in kern_addr_valid() is not checking pud_large() and treats the physical address as if it was a PMD. If it happens to look like pmd_none then it'll silently fail, probably returning zeros instead of real data. If the data happens to look like a present PMD though, it will be walked resulting in the oops above.

    This patch adds the necessary pud_large() check.

    Unfortunately the problem was not readily reproducible and now they are running the backup program without accessing /proc/kcore so the patch has not been validated but I think it makes sense.
    Signed-off-by: Mel Gorman <mgorman@suse.de>
    Reviewed-by: Rik van Riel <riel@redhat.coM>
    Reviewed-by: Michal Hocko <mhocko@suse.cz>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: stable@vger.kernel.org
    Cc: linux-mm@kvack.org
    Link: http://lkml.kernel.org/r/20130211145236.GX21389@suse.de
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/include/asm/pgtable.h | 5 +++++
 arch/x86/mm/init_64.c | 3 +++
 2 files changed, 8 insertions(+), 0 deletions(-)

commit d24d1ceeb5503748089ee29c4700a60c3fee8f05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 11 23:12:57 2013 -0500

    fix kcalloc order

 drivers/net/ethernet/mellanox/mlx4/eq.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit d0ff201ea8f7fb8b3abf46f726d0fb2db1094089
Merge: 27dd4e1 290edfa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 11 23:06:28 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 290edfa0f945c0f1ed924e76cbb3e712adf038e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 11 22:18:23 2013 -0500

    Update to pax-linux-3.2.38-test93.patch:
    - gcc plugins should now work with gcc 4.8 as well

 tools/gcc/colorize_plugin.c | 7 ++++-
 tools/gcc/constify_plugin.c | 24 ++++++++++++++------
 tools/gcc/kallocstat_plugin.c | 7 ++++-
 tools/gcc/kernexec_plugin.c | 43 ++++++++++++++++++++++++++++++++----
 tools/gcc/latent_entropy_plugin.c | 30 ++++++++++++++++++++++++-
 tools/gcc/size_overflow_plugin.c | 15 +++++++++++-
 tools/gcc/stackleak_plugin.c | 28 ++++++++++++++++++------
 7 files changed, 127 insertions(+), 27 deletions(-)

commit 27dd4e1b110f498e70a6bcc86fdc334c6bffef2c
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Feb 7 00:55:37 2013 +0000

    Upstream commit: 586c31f3bf04c290dc0a0de7fc91d20aa9a5ee53

    net: sctp: sctp_auth_key_put: use kzfree instead of kfree

    For sensitive data like keying material, it is common practice to zero out keys before returning the memory back to the allocator. Thus, use kzfree instead of kfree.
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/auth.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7ca8f40141488f934670b8dedc6f989f17db4420
Author: Phil Sutter <phil.sutter@viprinet.com>
Date:   Fri Feb 1 07:21:41 2013 +0000

    Upstream commit: 9665d5d62487e8e7b1f546c00e11107155384b9a

    packet: fix leakage of tx_ring memory

    When releasing a packet socket, the routine packet_set_ring() is reused to free rings instead of allocating them. But when calling it for the first time, it fills req->tp_block_nr with the value of rb->pg_vec_len which in the second invocation makes it bail out since req->tp_block_nr is greater than zero but req->tp_block_size is zero.

    This patch solves the problem by passing a zeroed auto-variable to packet_set_ring() upon each invocation from packet_release().

    As far as I can tell, this issue exists even since 69e3c75 (net: TX_RING and packet mmap), i.e. the original inclusion of TX ring support into af_packet, but applies only to sockets with both RX and TX ring allocated, which is probably why this was unnoticed all the time.

    Signed-off-by: Phil Sutter <phil.sutter@viprinet.com>
    Cc: Johann Baudy <johann.baudy@gnu-log.net>
    Cc: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/packet/af_packet.c | 10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

commit 436d8e15705c772daab7eaeeeacc66e57dcba52f
Author: Bjørn Mork <bjorn@mork.no>
Date:   Mon Jan 28 23:51:28 2013 +0000

    Upstream commit: 70c37bf97f2a91accba76080db69144f3b69f736

    net: usbnet: prevent buggy devices from killing us

    A device sending 0 length frames as fast as it can has been observed killing the host system due to the resulting memory pressure.
    Temporarily disable RX skb allocation and URB submission when the current error ratio is high, preventing us from trying to allocate an infinite number of skbs. Reenable as soon as we are finished processing the done queue, allowing the device to continue working after short error bursts.

    Signed-off-by: Bjørn Mork <bjorn@mork.no>
    Acked-by: Oliver Neukum <oneukum@suse.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        include/linux/usb/usbnet.h

    Conflicts:
        drivers/net/usb/usbnet.c
        include/linux/usb/usbnet.h

 drivers/net/usb/usbnet.c | 25 +++++++++++++++++++++++++
 include/linux/usb/usbnet.h | 3 +++
 2 files changed, 28 insertions(+), 0 deletions(-)

commit 2c233aa4f38da2c2a8b7b04266656113a76eb43e
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Fri Feb 8 03:04:35 2013 +0000

    Upstream commit: b5c37fe6e24eec194bb29d22fdd55d73bcc709bf

    net: sctp: sctp_endpoint_free: zero out secret key data

    On sctp_endpoint_destroy, previously used sensitive keying material should be zeroed out before the memory is returned, as we already do with e.g. auth keys when released.

    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Vlad Yasevich <vyasevic@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/endpointola.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 6bb72fb746f2d67a729cb8e7af7984ea3b329926
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Fri Feb 8 03:04:34 2013 +0000

    Upstream commit: 6ba542a291a5e558603ac51cda9bded347ce7627

    net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree

    In sctp_setsockopt_auth_key, we create a temporary copy of the user passed shared auth key for the endpoint or association and after internal setup, we free it right away. Since it's sensitive data, we should zero out the key before returning the memory back to the allocator. Thus, use kzfree instead of kfree, just as we do in sctp_auth_key_put().

    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/socket.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 70d5ff46e17b3ccef091db3ad370ad89b370fba5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 9 20:36:25 2013 -0500

    fix kcalloc arg order

 net/rxrpc/ar-key.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 99ce66f80f778a54352e9edda73d33be83a12544
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 9 20:01:09 2013 -0500

    Add missing offsets to calls to check_heap_stack_gap

    Conflicts:
        fs/hugetlbfs/inode.c
        mm/mmap.c

 fs/hugetlbfs/inode.c | 8 +++++---
 mm/mmap.c | 14 ++++++++------
 2 files changed, 13 insertions(+), 9 deletions(-)

commit e10dca0b57eeaea0b47bc9e4ef6789a630af2e0a
Merge: 7513c23 eaa0192
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 9 20:09:33 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        arch/x86/Kconfig
        arch/x86/mm/fault.c
        security/Kconfig

commit eaa0192c2e5a4a821b8b2463209ad38f62082383
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 9 20:04:04 2013 -0500

    Update to pax-linux-3.2.38-test92.patch:
    - added compile time detection for non-optimal use of kmalloc_array/kcalloc
    - reworked the USERCOPY interface a bit to make checking for constant copy sizes easier
    - various ASLR cleanups
      - enabled it for hugetlb (x86 and generic)
      - made arm/mips/powerpc/sparc ignore PF_RANDOMIZE as x86 does
    - added a fix for http://vulnfactory.org/blog/2013/02/06/a-linux-memory-trick/

 arch/arm/include/asm/uaccess.h | 8 ++------
 arch/arm/kernel/module.c | 2 ++
 arch/arm/mm/mmap.c | 5 +++++
 arch/mips/mm/mmap.c | 16 ++++++++++++++++
 arch/powerpc/mm/mmap_64.c | 4 ++++
 arch/sparc/kernel/sys_sparc_64.c | 4 ++++
 arch/x86/Kconfig | 1 +
 arch/x86/include/asm/pgtable.h | 4 ++--
 arch/x86/include/asm/uaccess.h | 2 --
 arch/x86/include/asm/uaccess_32.h | 15 +++++++--------
 arch/x86/include/asm/uaccess_64.h | 19 +++++++++----------
 arch/x86/kernel/module.c | 2 +-
 arch/x86/kernel/setup.c | 1 +
 arch/x86/kernel/traps.c | 4 ++--
 arch/x86/mm/fault.c | 6 ++++--
 arch/x86/mm/hugetlbpage.c | 4 ++++
 drivers/acpi/proc.c | 7 +++++--
 drivers/mfd/mfd-core.c | 2 +-
 drivers/staging/iio/dac/ad5360.c | 4 ++--
 fs/exec.c | 4 ++--
 fs/hugetlbfs/inode.c | 12 ++++++++----
 include/linux/sched.h | 1 -
 include/linux/slab.h | 10 ++++++++++
 include/linux/thread_info.h | 7 +++++++
 include/video/omapdss.h | 2 +-
 kernel/module.c | 4 ++--
 security/Kconfig | 8 ++++----
 27 files changed, 106 insertions(+), 52 deletions(-)

commit 7513c2357e5c96dc16cb3846561847c6b0e72328
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 7 17:47:47 2013 -0500

    It was "suggested by" Kees Cook to rewrite my previous patch in exactly and only the ways in which I pasted code for. Include these changes!

 arch/x86/mm/fault.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 8979ec479f18d6ba1f06c66c73ece44e91efc892
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 7 17:39:27 2013 -0500

    Allow printing of symbols in kernel backtraces

 arch/arm/kernel/process.c | 4 ++--
 arch/arm/kernel/traps.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit ecbe93d5b63d35ee7607ec51659ef52df4c33d99
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 6 18:14:13 2013 -0500

    Kill yet another useless technique from Dan Rosenberg (already unaffected due to GRKERNSEC_DMESG)

 arch/x86/mm/fault.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 3773f1ade09ecb5820615790f2cad67d61669232
Merge: e735315 b04b168
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 6 17:49:30 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit b04b168209b65d80382c26476c5c34e409b1172c
Merge: 50a402d 8eedd520
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 6 17:49:19 2013 -0500

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        arch/x86/kernel/setup.c
        arch/x86/kernel/traps.c

commit e73531596fb9c17bac850d66f4aabe476d87de04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 4 20:38:36 2013 -0500

    remove unused gr_handle_chroot_rawio(), its functionality is in gr_handle_rawio()

 grsecurity/grsec_chroot.c | 11 -----------
 security/Kconfig | 6 ++++++
 2 files changed, 6 insertions(+), 11 deletions(-)

commit aa037a363fafd32161a74f3ba401eecc2ff12ceb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 31 18:06:01 2013 -0500

    when GRKERNSEC_KMEM is enabled, X86_MSR should be disabled

 arch/x86/Kconfig | 1 +
 grsecurity/Kconfig | 10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

commit 6c7cdce33427d7c2b119a87000d0831bd13617f7
Author: Alan Cox <alan@linux.intel.com>
Date:   Thu Nov 15 13:06:22 2012 +0000

    Upstream commit: c903f0456bc69176912dee6dd25c6a66ee1aed00

    x86/msr: Add capabilities check

    At the moment the MSR driver only relies upon file system checks. This means that anything as root with any capability set can write to MSRs. Historically that wasn't very interesting but on modern processors the MSRs are such that writing to them provides several ways to execute arbitrary code in kernel space. Sample code and documentation on doing this is circulating and MSR attacks are used on Windows 64bit rootkits already.

    In the Linux case you still need to be able to open the device file so the impact is fairly limited and reduces the security of some capability and security model based systems down towards that of a generic "root owns the box" setup.

    Therefore they should require CAP_SYS_RAWIO to prevent an elevation of capabilities. The impact of this is fairly minimal on most setups because they don't have heavy use of capabilities. Those using SELinux, SMACK or AppArmor rules might want to consider if their rulesets on the MSR driver could be tighter.
    Signed-off-by: Alan Cox <alan@linux.intel.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: Horses <stable@kernel.org>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/kernel/msr.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 9c90088b1efd8fb46d568fb5111fd4e3584cabef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 29 18:29:41 2013 -0500

    Update config help based on report from tgs3 on #grsecurity
    GRKERNSEC_AUDIT_GROUP never applied to mount/unmount logging, which were always logged unconditionally

 grsecurity/Kconfig | 10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

commit 8e13f300300bb4fd2e1bd100606a8bd6cb4e5244
Author: Steven Rostedt <srostedt@redhat.com>
Date:   Fri Dec 14 09:48:15 2012 -0500

    Upstream commit: c1bf08ac26e92122faab9f6c32ea8aba94612dae

    ftrace: Be first to run code modification on modules

    If some other kernel subsystem has a module notifier, and adds a kprobe to a ftrace mcount point (now that kprobes work on ftrace points), when the ftrace notifier runs it will fail and disable ftrace, as well as kprobes that are attached to ftrace points.

    Here's the error:

     WARNING: at kernel/trace/ftrace.c:1618 ftrace_bug+0x239/0x280()
     Hardware name: Bochs
     Modules linked in: fat(+) stap_56d28a51b3fe546293ca0700b10bcb29__8059(F) nfsv4 auth_rpcgss nfs dns_resolver fscache xt_nat iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack lockd sunrpc ppdev parport_pc parport microcode virtio_net i2c_piix4 drm_kms_helper ttm drm i2c_core [last unloaded: bid_shared]
     Pid: 8068, comm: modprobe Tainted: GF 3.7.0-0.rc8.git0.1.fc19.x86_64 #1
     Call Trace:
      [<ffffffff8105e70f>] warn_slowpath_common+0x7f/0xc0
      [<ffffffff81134106>] ? __probe_kernel_read+0x46/0x70
      [<ffffffffa0180000>] ? 0xffffffffa017ffff
      [<ffffffffa0180000>] ? 0xffffffffa017ffff
      [<ffffffff8105e76a>] warn_slowpath_null+0x1a/0x20
      [<ffffffff810fd189>] ftrace_bug+0x239/0x280
      [<ffffffff810fd626>] ftrace_process_locs+0x376/0x520
      [<ffffffff810fefb7>] ftrace_module_notify+0x47/0x50
      [<ffffffff8163912d>] notifier_call_chain+0x4d/0x70
      [<ffffffff810882f8>] __blocking_notifier_call_chain+0x58/0x80
      [<ffffffff81088336>] blocking_notifier_call_chain+0x16/0x20
      [<ffffffff810c2a23>] sys_init_module+0x73/0x220
      [<ffffffff8163d719>] system_call_fastpath+0x16/0x1b
     ---[ end trace 9ef46351e53bbf80 ]---
     ftrace failed to modify [<ffffffffa0180000>] init_once+0x0/0x20 [fat]
      actual: cc:bb:d2:4b:e1

    A kprobe was added to the init_once() function in the fat module on load. But this happened before ftrace could have touched the code. As ftrace didn't run yet, the kprobe system had no idea it was a ftrace point and simply added a breakpoint to the code (0xcc in the cc:bb:d2:4b:e1).

    Then when ftrace went to modify the location from a call to mcount/fentry into a nop, it didn't see a call op, but instead it saw the breakpoint op and not knowing what to do with it, ftrace shut itself down.

    The solution is to simply give the ftrace module notifier the max priority. This should have been done regardless, as the core code ftrace modification also happens very early on in boot up. This makes the module modification closer to core modification.

    Link: http://lkml.kernel.org/r/20130107140333.593683061@goodmis.org

    Cc: stable@vger.kernel.org
    Acked-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
    Reported-by: Frank Ch. Eigler <fche@redhat.com>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/ftrace.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1a370c37a0312e30906c3d060fcefec4d601624e
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Mon Jan 21 20:48:00 2013 +0100

    Upstream commit: 9899d11f654474d2d54ea52ceaa2a1f4db3abd68

    ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL

    putreg() assumes that the tracee is not running and pt_regs_access() can safely play with its stack. However a killed tracee can return from ptrace_stop() to the low-level asm code and do RESTORE_REST, this means that debugger can actually read/modify the kernel stack until the tracee does SAVE_REST again.

    set_task_blockstep() can race with SIGKILL too and in some sense this race is even worse, the very fact the tracee can be woken up breaks the logic.

    As Linus suggested we can clear TASK_WAKEKILL around the arch_ptrace() call, this ensures that nobody can ever wakeup the tracee while the debugger looks at it. Not only this fixes the mentioned problems, we can do some cleanups/simplifications in arch_ptrace() paths.

    Probably ptrace_unfreeze_traced() needs more callers, for example it makes sense to make the tracee killable for oom-killer before access_process_vm().

    While at it, add the comment into may_ptrace_stop() to explain why ptrace_stop() still can't rely on SIGKILL and signal_pending_state().
    Reported-by: Salman Qazi <sqazi@google.com>
    Reported-by: Suleiman Souhlal <suleiman@google.com>
    Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Conflicts:
        arch/x86/kernel/step.c

 kernel/ptrace.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++--------
 kernel/signal.c | 5 ++++
 2 files changed, 59 insertions(+), 10 deletions(-)

commit 78c89832a236be4851a161755fb2b59e45b5424d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 28 18:52:04 2013 -0500

    Upstream commit: 9067ac85d533651b98c2ff903182a20cbb361fcb

    wake_up_process() should be never used to wakeup a TASK_STOPPED/TRACED task

    author    Oleg Nesterov <oleg@redhat.com>  Mon, 21 Jan 2013 19:48:17 +0000 (20:48 +0100)
    committer Linus Torvalds <torvalds@linux-foundation.org>  Tue, 22 Jan 2013 18:08:17 +0000 (10:08 -0800)

    wake_up_process() should never wakeup a TASK_STOPPED/TRACED task. Change it to use TASK_NORMAL and add the WARN_ON().

    TASK_ALL has no other users, probably can be killed.
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/sched.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 052ce0ce9105b35513efbacc2bfea32ce57a414c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 28 18:45:07 2013 -0500

    compile fix on mips

 arch/mips/mm/mmap.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 02bbcab824f5420d29d34d4c9f0d90a63b002885
Merge: 9be01de 50a402d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 28 18:40:00 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 50a402dd59b2423422249f5a27d1915fd2013e4d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 28 18:38:54 2013 -0500

    Update to pax-linux-3.2.37-test91.patch:
    - mips got more heap-stack gap enforcement
    - added countermeasure against attacks that reduce ASLR by exhausting the address space on 32 bit userland
      see kingcope's post for the windows version
      http://kingcope.wordpress.com/2013/01/24/attacking-the-windows-78-address-space-randomization/

 arch/mips/mm/mmap.c | 10 ++++------
 arch/x86/kernel/ptrace.c | 2 +-
 drivers/misc/sgi-xp/xpc_main.c | 2 +-
 fs/binfmt_elf.c | 2 +-
 fs/exec.c | 22 ++++++++++++++++++++++
 5 files changed, 29 insertions(+), 9 deletions(-)

commit 9be01dec0fdb1551a4d8e79bf7e077d5cf092621
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 28 06:08:12 2013 -0500

    make kmemleak user-readonly

 mm/kmemleak.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0f253825359cb8eb5b90b802f891fee64289a8cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 28 06:06:43 2013 -0500

    allow kmemleak, it's a debugfs-only file marked user-readonly

 mm/kmemleak.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 71ec63a2a964b1f34e2b45a1086cd9521d076a9f
Merge: 51b2579 9044324
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 22 22:08:19 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 9044324b82b19ffcec59c3a169018bf9f7851ba3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 22 22:07:43 2013 -0500

    Update to pax-linux-3.2.37-test90.patch:
    - fixed some more constification fallout (e.g., https://bugs.gentoo.org/show_bug.cgi?id=453216)
    - fixed a pointless alloca in Xen that interfered with STACKLEAK

 arch/arm/include/asm/ptrace.h | 2 +-
 arch/x86/xen/enlighten.c | 6 ++----
 kernel/trace/trace_output.c | 2 ++
 3 files changed, 5 insertions(+), 5 deletions(-)

commit 51b257955f24402f2d1e16a2b01453ec037438f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 19 17:37:10 2013 -0500

    fix typo

 grsecurity/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 995b535aa3a096dfebc405b21f524c0b19ccf62f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 19 10:56:50 2013 -0500

    fix typo in documentation

 grsecurity/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6ccce0d9b59cf6dc90e6e221147d9c12ae38eee6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 19 02:31:15 2013 -0500

    Choose "between" wording to cover both topdown and bottom-up allocators

 grsecurity/Kconfig | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 61a4b6d1ddc303a84fb3a6cac780685ddfc85a69
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 18 19:47:09 2013 -0500

    compile fix

 mm/mmap.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0d9f22f2bf0884e07d9eb77da19d1d153bce6d8b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 18 19:31:24 2013 -0500

    compile fixes

 arch/x86/kernel/sys_x86_64.c | 2 +-
 fs/stat.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 50c552046f0e5574cf7c96d2d11a7ba45115e79a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 18 19:22:11 2013 -0500

    depend on PAX_RANDMMAP instead and make disabled version inline

 grsecurity/Kconfig | 2 +-
 include/linux/sched.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 565f6738248381b5737b9d3dc5d2697d36d18875
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 18 19:09:04 2013 -0500

    add CONFIG_GRKERNSEC_RAND_THREADSTACK

    Conflicts:
        arch/arm/mm/mmap.c
        arch/x86/kernel/sys_x86_64.c
        arch/x86/mm/hugetlbpage.c

 arch/alpha/kernel/osf_sys.c | 14 +++++++-------
 arch/arm/mm/mmap.c | 6 +++---
 arch/frv/mm/elf-fdpic.c | 7 ++++---
 arch/ia64/kernel/sys_ia64.c | 3 ++-
 arch/ia64/mm/hugetlbpage.c | 3 ++-
 arch/mips/mm/mmap.c | 9 +++++----
 arch/parisc/kernel/sys_parisc.c | 19 +++++++++++--------
 arch/powerpc/mm/slice.c | 8 ++++----
 arch/sh/mm/mmap.c | 14 ++++++++------
 arch/sparc/kernel/sys_sparc_32.c | 3 ++-
 arch/sparc/kernel/sys_sparc_64.c | 14 ++++++++------
 arch/sparc/mm/hugetlbpage.c | 13 ++++++++-----
 arch/x86/kernel/sys_i386_32.c | 14 ++++++++------
 arch/x86/kernel/sys_x86_64.c | 12 +++++++-----
 arch/x86/mm/hugetlbpage.c | 11 +++++++----
 grsecurity/Kconfig | 20 ++++++++++++++++++++
 include/linux/sched.h | 14 ++++++++++++--
 mm/mmap.c | 26 ++++++++++++++++++++++----
 18 files changed, 140 insertions(+), 70 deletions(-)

commit fc7fad5e0682f797b9aeb41e0db931650be6654a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 16 11:14:17 2012 -0500

    Fix compilation error reported on forums

 grsecurity/gracl.c | 32 ++++++++++++++++----------------
 include/linux/gracl.h | 8 ++++----
 2 files changed, 20 insertions(+), 20 deletions(-)

commit b0d2b598920692738fabe56e2861a7849a4780a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 18 16:24:58 2013 -0500

    Add GRKERNSEC_DEVICE_SIDECHANNEL

    Conflicts:
        include/linux/fs.h

 fs/stat.c | 19 +++++++++++++++----
 grsecurity/Kconfig | 13 +++++++++++++
 include/linux/fs.h | 10 ++++++++++
 include/linux/fsnotify.h | 6 ++++++
 4 files changed, 44 insertions(+), 4 deletions(-)

commit 4d258955a8d8c2a024515674b713a551d284109e
Merge: e5b00e5 1996678
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 17 21:13:26 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        security/Kconfig
commit 199667850497bb7e96cad5fb6331124de5758d99
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 17 21:12:26 2013 -0500

    remove ARM_LPAE, doesn't exist here

 security/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e5b00e5010cae356eb8e8e52551364df823bb4bb
Merge: 54107cf b09d192
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 17 20:55:03 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit b09d19282bd5bb8bd718de07dfe64b7ee994f2a0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 17 20:54:04 2013 -0500

    revert set_pgd_batched() change

 arch/x86/include/asm/pgtable_64.h | 2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit 54107cf38a3c4a6ff218849f6469573c66304ff4
Merge: bb16456 cf3a81f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 16 19:20:57 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        security/Kconfig

commit cf3a81f6c589a92b12babf1712e5d7656c149201
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 16 19:18:10 2013 -0500

    Update to pax-linux-3.2.37-test88.patch:
    - more constification based on stats supplied by Larry H of Subreption
    - ported USERCOPY to ia64 based on the discussion with Dennis Schridde at
      https://bugs.gentoo.org/show_bug.cgi?id=432100
    - simplified the latent entropy code a bit
    - added some list handling wrappers for KERNEXEC/LIST_DEBUG to minimize the exposure of an open kernel
    - some constification work
      - smarter plugin allowed the removal of many no_const attrs
      - function pointer array fields are recognized as well
    - KERNEXEC compatibility fix for native_set_pgd_batched
    - new size overflow plugin from Emese to fix some false positives
      (http://forums.grsecurity.net/viewtopic.php?f=3&t=3208)

 arch/arm/include/asm/pgalloc.h | 1 -
 arch/arm/kernel/head.S | 4 +-
 arch/arm/kernel/setup.c | 6 +-
 arch/arm/mach-omap2/smartreflex.h | 2 +-
 arch/arm/mm/fault.c | 34 --------
 arch/ia64/include/asm/uaccess.h | 28 ++++++-
 arch/x86/include/asm/io.h | 2 +-
 arch/x86/include/asm/paravirt_types.h | 12 ++--
 arch/x86/include/asm/pgtable_64.h | 2 +
 arch/x86/include/asm/reboot.h | 2 +-
 arch/x86/include/asm/smp.h | 2 +-
 arch/x86/include/asm/x86_init.h | 26 +++---
 arch/x86/kernel/acpi/boot.c | 2 +-
 arch/x86/kernel/amd_gart_64.c | 2 +-
 arch/x86/kernel/aperture_64.c | 2 +-
 arch/x86/kernel/apic/numaq_32.c | 16 ++--
 arch/x86/kernel/apic/x2apic_uv_x.c | 4 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c | 48 ++++++++----
 arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
 arch/x86/kernel/cpu/vmware.c | 2 +-
 arch/x86/kernel/head32.c | 4 +-
 arch/x86/kernel/kvm.c | 8 +-
 arch/x86/kernel/kvmclock.c | 14 ++--
 arch/x86/kernel/paravirt.c | 8 +-
 arch/x86/kernel/pci-calgary_64.c | 2 +-
 arch/x86/kernel/ptrace.c | 10 +-
 arch/x86/kernel/vsmp_64.c | 2 +-
 arch/x86/lguest/boot.c | 52 ++++++------
 arch/x86/mm/ioremap.c | 2 +-
 arch/x86/mm/mmio-mod.c | 4 +-
 arch/x86/pci/acpi.c | 2 +-
 arch/x86/pci/xen.c | 14 ++--
 arch/x86/platform/efi/efi.c | 4 +-
 arch/x86/platform/mrst/mrst.c | 40 +++++-----
 arch/x86/platform/mrst/vrtc.c | 4 +-
 arch/x86/platform/olpc/olpc_dt.c | 2 +-
 arch/x86/xen/enlighten.c | 30 ++++----
 arch/x86/xen/irq.c | 2 +-
 arch/x86/xen/mmu.c | 6 +-
 arch/x86/xen/smp.c | 14 ++--
 arch/x86/xen/spinlock.c | 12 ++--
 arch/x86/xen/time.c | 26 +++---
 drivers/cdrom/cdrom.c | 9 +-
 drivers/cdrom/gdrom.c | 1 -
 drivers/char/random.c | 11 ---
 drivers/firmware/efivars.c | 6 +-
 drivers/gpu/drm/i915/i915_drv.h | 2 +-
 drivers/gpu/drm/i915/intel_display.c | 12 ++-
 drivers/gpu/drm/radeon/evergreen.c | 4 +-
 drivers/gpu/drm/radeon/ni.c | 4 +-
 drivers/gpu/drm/radeon/r100.c | 6 +-
 drivers/gpu/drm/radeon/r300.c | 6 +-
 drivers/gpu/drm/radeon/r600.c | 4 +-
 drivers/gpu/drm/radeon/radeon.h | 4 +-
 drivers/gpu/drm/radeon/radeon_asic.c | 28 ++++---
 drivers/gpu/drm/radeon/rv770.c | 4 +-
 drivers/i2c/i2c-mux.c | 2 +-
 drivers/iommu/amd_iommu_init.c | 4 +-
 drivers/iommu/dmar.c | 2 +-
 drivers/isdn/hardware/eicon/divasync.h | 2 +-
 drivers/isdn/hardware/eicon/xdi_adapter.h | 2 +-
 drivers/md/persistent-data/dm-space-map-disk.c | 2 +-
 drivers/md/persistent-data/dm-space-map-metadata.c | 2 +-
 drivers/media/dvb/dvb-core/dvb_demux.h | 2 +-
 drivers/media/video/au0828/au0828.h | 2 +-
 drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h | 2 +-
 drivers/media/video/timblogiw.c | 4 +-
 drivers/mfd/abx500-core.c | 2 +-
 drivers/net/ethernet/8390/ax88796.c | 4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +--
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 5 +-
 drivers/net/ethernet/intel/e1000e/80003es2lan.c | 13 ++--
 drivers/net/ethernet/intel/e1000e/82571.c | 39 +++++-----
 drivers/net/ethernet/intel/e1000e/hw.h | 9 +--
 drivers/net/ethernet/intel/igb/e1000_hw.h | 12 +--
 drivers/net/ethernet/intel/igbvf/vf.h | 6 +-
 drivers/net/ethernet/intel/ixgbe/ixgbe_type.h | 12 +--
 drivers/net/ethernet/intel/ixgbevf/vf.h | 6 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.h | 2 +-
 drivers/net/ethernet/neterion/vxge/vxge-traffic.h | 2 +-
 drivers/net/macvtap.c | 2 +-
 drivers/net/wireless/ath/ath.h | 1 -
 drivers/net/wireless/ath/ath9k/hw.h | 2 +-
 .../net/wireless/brcm80211/brcmfmac/wl_cfg80211.h | 4 +-
 .../net/wireless/brcm80211/brcmsmac/phy/phy_int.h | 2 +-
 drivers/net/wireless/mwifiex/main.h | 2 +-
 drivers/net/wireless/wl1251/sdio.c | 12 ++-
 drivers/net/wireless/wl1251/wl1251.h | 2 +-
 drivers/pci/hotplug/cpci_hotplug.h | 2 +-
 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c | 14 ++-
 drivers/power/bq27x00_battery.c | 2 +-
 drivers/scsi/aacraid/aacraid.h | 2 +-
 drivers/scsi/bfa/bfa_fcpim.c | 4 +-
 drivers/scsi/bfa/bfa_fcpim.h | 5 +-
 drivers/scsi/ips.h | 2 +-
 drivers/scsi/qla2xxx/qla_def.h | 2 +-
 drivers/scsi/qla2xxx/qla_os.c | 6 +-
 drivers/staging/usbip/usbip_common.h | 2 +-
 drivers/staging/wlan-ng/hfa384x_usb.c | 2 +-
 drivers/tty/serial/samsung.c | 9 +-
 drivers/xen/xen-pciback/conf_space.h | 6 +-
 fs/exec.c | 2 +-
 fs/nfs/blocklayout/blocklayout.c | 2 +-
 fs/seq_file.c | 2 +-
 include/acpi/acpi_bus.h | 2 +-
 include/crypto/algapi.h | 2 +-
 include/drm/drm_crtc_helper.h | 2 +-
 include/linux/cdrom.h | 1 -
 include/linux/efi.h | 2 +-
 include/linux/firewire.h | 2 +-
 include/linux/fsnotify_backend.h | 1 -
 include/linux/ftrace_event.h | 2 +-
 include/linux/hid.h | 2 +-
 include/linux/if_pppox.h | 2 +-
 include/linux/intel-iommu.h | 2 +-
 include/linux/kobject.h | 2 +-
 include/linux/list.h | 3 +
 include/linux/memory.h | 2 +-
 include/linux/mfd/abx500.h | 1 -
 include/linux/mmiotrace.h | 4 +-
 include/linux/module.h | 1 +
 include/linux/netfilter/ipset/ip_set.h | 2 +-
 include/linux/netfilter/nfnetlink.h | 2 +-
 include/linux/notifier.h | 3 +-
 include/linux/of_pdt.h | 2 +-
 include/linux/preempt.h | 2 +-
 include/linux/proc_fs.h | 2 +-
 include/linux/random.h | 4 -
 include/linux/regset.h | 2 +-
 include/linux/rfkill.h | 1 -
 include/linux/slab.h | 2 +-
 include/linux/sunrpc/sched.h | 1 -
 include/linux/sysrq.h | 2 +-
 include/linux/tty_driver.h | 2 +-
 include/linux/usb/renesas_usbhs.h | 2 +-
 include/media/saa7146_vv.h | 2 +-
 include/media/v4l2-dev.h | 1 -
 include/media/v4l2-ioctl.h | 1 -
 include/net/caif/caif_hsi.h | 2 +-
 include/net/inet_connection_sock.h | 2 +-
 include/net/irda/ircomm_core.h | 2 +-
 include/net/netfilter/nf_queue.h | 2 +-
 include/net/protocol.h | 4 +-
 include/net/sctp/structs.h | 4 +-
 include/net/tcp.h | 2 +-
 include/net/udp.h | 2 +-
 include/net/xfrm.h | 2 +-
 include/sound/ak4xxx-adda.h | 2 +-
 include/sound/hwdep.h | 2 +-
 include/sound/info.h | 2 +-
 include/sound/pcm.h | 1 -
 include/sound/sb16_csp.h | 2 +-
 include/sound/soc.h | 2 +-
 include/target/target_core_base.h | 2 +-
 include/video/omapdss.h | 2 +-
 init/main.c | 8 ++-
 kernel/notifier.c | 17 +++-
 kernel/timer.c | 2 +-
 kernel/trace/ftrace.c | 7 +-
 kernel/trace/trace_output.c | 8 +-
 lib/Makefile | 2 +-
 lib/cpu-notifier-error-inject.c | 4 +-
 lib/dma-debug.c | 2 +-
 lib/list_debug.c | 65 ++++++++++++++-
 mm/slab.c | 2 +-
 mm/slob.c | 2 +-
 mm/slub.c | 2 +-
 net/8021q/vlan.c | 2 +-
 net/atm/mpc.h | 2 +-
 net/can/af_can.c | 2 +-
 net/can/gw.c | 8 +-
 net/core/rtnetlink.c | 16 +++--
 net/sctp/ipv6.c | 2 +-
 net/sctp/protocol.c | 8 +-
 net/tipc/eth_media.c | 8 +-
 net/wireless/core.h | 2 +-
 net/xfrm/xfrm_state.c | 4 +-
 security/Kconfig | 4 +-
 sound/isa/cmi8330.c | 2 +-
 sound/pci/hda/hda_codec.h | 7 +-
 sound/pci/ice1712/ice1712.h | 4 +-
 sound/soc/soc-pcm.c | 18 +++--
 tools/gcc/constify_plugin.c | 82 ++++++++++++--------
 tools/gcc/size_overflow_plugin.c | 82 +++++++++++--------
 virt/kvm/kvm_main.c | 10 ++-
 188 files changed, 713 insertions(+), 591 deletions(-)

commit bb16456b78d9bda4d8cfdbf6a69de9d28d0c9e60
Merge: 6c6b091 b2a1b39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 16 16:33:08 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        net/ipv4/tcp_input.c

commit b2a1b3930f77f97a3d3be05ca5ff3a69e8416fdd
Merge: 4137111 2d18772
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 16 16:31:07 2013 -0500

    Merge branch 'linux-3.2.y' into pax-stable2

commit 6c6b091e94649c02a478d6ea0f6e12a36d9e722f
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Jan 11 14:31:48 2013 -0800

    Upstream commit: 6d92d4f6a74766cc885b18218268e0c47fbca399

    fs/exec.c: work around icc miscompilation

    The tricky problem is this check:

        if (i++ >= max)

    icc (mis)optimizes this check as:

        if (++i > max)

    The check now becomes a no-op since max is MAX_ARG_STRINGS (0x7FFFFFFF).

    This is "allowed" by the C standard, assuming i++ never overflows,
    because signed integer overflow is undefined behavior.  This optimization
    effectively reverts the previous commit 362e6663ef23 ("exec.c, compat.c:
    fix count(), compat_count() bounds checking") that tries to fix the check.

    This patch simply moves ++ after the check.
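The bounds check discussed in the fs/exec.c commit above (upstream 6d92d4f6), reduced to a user-space model so both forms can be run side by side. This is an added example, not code from the grsecurity or upstream tree: the function names and the sample string vector are constructed for it; only the shape of the two checks is taken from the commit message.

```c
/*
 * Added example, not code from the grsecurity tree: the argv/envp counting
 * loop of fs/exec.c count() reduced to plain C, so the bound check that the
 * commit above rewrites can be exercised in user space.  The fixed form is
 * what upstream 6d92d4f6 does; everything else here (function names, the
 * sample vector) is constructed for this example.
 */
#include <errno.h>
#include <stddef.h>

#define MAX_ARG_STRINGS 0x7FFFFFFF	/* the kernel's limit, INT_MAX */

/*
 * Pre-fix form.  For a small max it behaves, but the increment lives inside
 * the comparison: when max == MAX_ARG_STRINGS the compiler may assume i++
 * never overflows (signed overflow is undefined) and fold the test into
 * "++i > max", which can never be true, so the limit silently vanishes.
 */
static int count_args_before(const char *const *argv, int max)
{
	int i = 0;

	if (argv != NULL) {
		for (;;) {
			const char *p = argv[i];

			if (!p)
				break;
			if (i++ >= max)
				return -E2BIG;
		}
	}
	return i;
}

/*
 * Fixed form: compare first, increment afterwards.  i never exceeds max, so
 * no overflow is reachable and there is nothing for the optimizer to assume.
 */
static int count_args(const char *const *argv, int max)
{
	int i = 0;

	if (argv != NULL) {
		for (;;) {
			const char *p = argv[i];

			if (!p)
				break;
			if (i >= max)
				return -E2BIG;
			++i;
		}
	}
	return i;
}

/* Constructed sample vector: three strings followed by the NULL terminator. */
static const char *const sample_argv[] = { "prog", "-v", "file.txt", NULL };

/* Count the sample with a given limit through the fixed form: 3 or -E2BIG. */
int count_sample(int max)
{
	return count_args(sample_argv, max);
}

/* Same through the pre-fix form, to show both agree while max is small. */
int count_sample_before(int max)
{
	return count_args_before(sample_argv, max);
}
```

Both forms return the same results for any limit a test can reach; the difference only matters at `max == MAX_ARG_STRINGS`, where the pre-fix form's `i++` can be reasoned away by the compiler and the fixed form cannot.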
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: Jason Baron <jbaron@redhat.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/exec.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit acaa2f68ead06598824abcffdeabceac6c260bf5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 14 23:13:34 2013 -0500

    Fix dup_mm() OOPS caused by exec_file refcnt imbalance, as reported at:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3230

 fs/fs_struct.c | 4 ----
 grsecurity/gracl_fs.c | 10 ++--------
 kernel/exit.c | 1 +
 kernel/fork.c | 8 +++++---
 4 files changed, 8 insertions(+), 15 deletions(-)

commit a1a1d9f316d1917b59e3c520fca822d634cc5b95
Author: Xi Wang <xi.wang@gmail.com>
Date:   Sat Jan 5 11:19:24 2013 +0000

    Upstream commit: c7e2e1d72ed7707239d20525e0ebcad7e3303659

    ipv4: fix NULL checking in devinet_ioctl()

    The NULL pointer check `!ifa' should come before its first use.

    [ Bug origin : commit fd23c3b31107e2fc483301ee923d8a1db14e53f4
      (ipv4: Add hash table of interface addresses) in linux-2.6.39 ]

    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/devinet.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 71d39f6f80de0b939713f632ea0a1eb46fcec714
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 5 13:47:47 2013 -0500

    Add a feature from Willy Tarreau to disable TCP Simultaneous Connect.
    I've eliminated the sysctl and enabled the feature by default in all
    automatic configurations.  Willy's original commit message is below:

    >From 61abc5ef6c3bc210c63036b5f36cc96a7802b605 Mon Sep 17 00:00:00 2001
    From: Willy Tarreau <w@1wt.eu>
    Date: Wed, 8 Oct 2008 10:00:42 +0200
    Subject: [PATCH] TCP: add a sysctl to disable simultaneous connection opening.
    Strict implementation of RFC793 (TCP) requires support for a feature
    called "simultaneous connect", which allows two clients to connect to
    each other without anyone entering a listening state.  While almost
    never used, and supported by few OSes, Linux supports this feature.

    However, it introduces a weakness in the protocol which makes it very
    easy for an attacker to prevent a client from connecting to a known
    server.  The attacker only has to guess the source port to shut down
    the client connection during its establishment.  The impact is limited,
    but it may be used to prevent an antivirus or IPS from fetching updates
    and not detecting an attack, or to prevent an SSL gateway from fetching
    a CRL for example.

    This patch provides a new sysctl "tcp_simult_connect" to enable or
    disable support for this useless feature.  It comes disabled by default.
    Hundreds of systems running with that feature disabled for more than
    4 years have never encountered an application which requires it.  It is
    almost never supported by firewalls BTW.

    Signed-off-by: Willy Tarreau <w@1wt.eu>

 grsecurity/Kconfig | 18 ++++++++++++++++++
 net/ipv4/tcp_input.c | 2 ++
 2 files changed, 20 insertions(+), 0 deletions(-)

commit b622422c80ce58f64db0b2199a4bd2da35489ff9
Author: Hugh Dickins <hughd@google.com>
Date:   Wed Jan 2 02:01:33 2013 -0800

    Upstream commit: f2a07f40dbc603c15f8b06e6ec7f768af67b424f

    tmpfs mempolicy: fix /proc/mounts corrupting memory

    Recently I suggested using "mount -o remount,mpol=local /tmp" in NUMA
    mempolicy testing.  Very nasty.  Reading /proc/mounts, /proc/pid/mounts
    or /proc/pid/mountinfo may then corrupt one bit of kernel memory, often
    in a page table (causing "Bad swap" or "Bad page map" warning or "Bad
    pagetable" oops), sometimes in a vm_area_struct or rbnode or somewhere
    worse.  "mpol=prefer" and "mpol=prefer:Node" are equally toxic.
    Recent NUMA enhancements are not to blame: this dates back to 2.6.35,
    when commit e17f74af351c "mempolicy: don't call mpol_set_nodemask() when
    no_context" skipped mpol_parse_str()'s call to mpol_set_nodemask(),
    which used to initialize v.preferred_node, or set MPOL_F_LOCAL in flags.
    With slab poisoning, you can then rely on mpol_to_str() to set the bit
    for node 0x6b6b, probably in the next page above the caller's stack.

    mpol_parse_str() is only called from shmem_parse_options(): no_context
    is always true, so call it unused for now, and remove !no_context code.
    Set v.nodes or v.preferred_node or MPOL_F_LOCAL as mpol_to_str() might
    expect.  Then mpol_to_str() can ignore its no_context argument also,
    the mpol being appropriately initialized whether contextualized or not.
    Rename its no_context unused too, and let subsequent patch remove them
    (that's not needed for stable backporting, which would involve rejects).

    I don't understand why MPOL_LOCAL is described as a pseudo-policy:
    it's a reasonable policy which suffers from a confusing implementation
    in terms of MPOL_PREFERRED with MPOL_F_LOCAL.  I believe this would be
    much more robust if MPOL_LOCAL were recognized in switch statements
    throughout, MPOL_F_LOCAL deleted, and MPOL_PREFERRED use the
    (possibly empty) nodes mask like everyone else, instead of its preferred_node
    variant (I presume an optimization from the days before MPOL_LOCAL).
    But that would take me too long to get right and fully tested.

    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mempolicy.c | 64 ++++++++++++++++++++++---------------------------
 1 files changed, 26 insertions(+), 38 deletions(-)

commit d13f2bb8896829482d284efb34de811c10e5a77d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 3 18:30:42 2013 -0500

    GR_NESTED is an outdated flag -- nested subjects don't exist in hash
    tables these days and are directly attached to objects.  Remove it.
 grsecurity/gracl.c | 17 -----------------
 include/linux/grdefs.h | 2 +-
 2 files changed, 1 insertions(+), 18 deletions(-)

commit 9944161825aca755a9dd8020229c2d12e9818309
Merge: cb91e70 4137111
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 3 17:13:01 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 4137111085e54b6088adc9d90ec9c7b8cbeee4f7
Merge: a52d4ca 37701d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 3 17:12:45 2013 -0500

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        mm/memory.c

commit cb91e70c91d91215769cfdc8972da7a9c0a99f14
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 1 14:05:19 2013 -0500

    Fix warning (from HIDESYM) on reading /proc/vmallocinfo
    Thanks to Allan Wegan for the report

 mm/vmalloc.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 55d7ef1bdb3c968e87cd70c08856e47f57f1f446
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 31 20:15:51 2012 -0500

    Fix compiler warning

 lib/vsprintf.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2ca98a512ccf373ff2aeb53f0a89bcd375b7b0c3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 27 19:02:18 2012 -0500

    Resolve compiler warning

 fs/autofs4/waitq.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0110a5c2f8e9c71f7c0ac0de60538f8c61691dfa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 27 18:53:28 2012 -0500

    compile fix

 net/ipv4/tcp_input.c | 17 -----------------
 1 files changed, 0 insertions(+), 17 deletions(-)

commit f3ef92528e8b1303fef7edc081fd90a1a102b4c9
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Jul 17 01:41:30 2012 +0000

    Upstream commit: 0c24604b

    tcp: implement RFC 5961 4.2

    Implement the RFC 5691 mitigation against Blind Reset attack using SYN bit.

    Section 4.2 of RFC 5961 advises to send a Challenge ACK and drop incoming
    packet, instead of resetting the session.

    Add a new SNMP counter to count number of challenge acks sent in response
    to SYN packets.
    (netstat -s | grep TCPSYNChallenge)

    Remove obsolete TCPAbortOnSyn, since we no longer abort a TCP session
    because of a SYN flag.

    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Kiran Kumar Kella <kkiran@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        net/ipv4/tcp_input.c

 include/linux/snmp.h | 2 +-
 net/ipv4/proc.c | 2 +-
 net/ipv4/tcp_input.c | 32 +++++++++++++++-----------------
 3 files changed, 17 insertions(+), 19 deletions(-)

commit 409c8c24917728cc628480988a69e2b08275e4af
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Jul 17 10:13:05 2012 +0200

    Upstream commit: 282f23c6ee343126156dd41218b22ece96d747e3

    tcp: implement RFC 5961 3.2

    Implement the RFC 5691 mitigation against Blind Reset attack using RST bit.

    Idea is to validate incoming RST sequence, to match RCV.NXT value,
    instead of previously accepted window : (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND)

    If sequence is in window but not an exact match, send a "challenge ACK",
    so that the other part can resend an RST with the appropriate sequence.

    Add a new sysctl, tcp_challenge_ack_limit, to limit number of challenge
    ACK sent per second.

    Add a new SNMP counter to count number of challenge acks sent.
    (netstat -s | grep TCPChallengeACK)

    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Kiran Kumar Kella <kkiran@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        Documentation/networking/ip-sysctl.txt
        include/linux/snmp.h
        include/net/tcp.h
        net/ipv4/proc.c
        net/ipv4/sysctl_net_ipv4.c

    Conflicts:
        Documentation/networking/ip-sysctl.txt
        include/linux/snmp.h
        include/net/tcp.h
        net/ipv4/proc.c

 Documentation/networking/ip-sysctl.txt | 5 +++++
 include/linux/snmp.h | 1 +
 include/net/tcp.h | 1 +
 net/ipv4/proc.c | 1 +
 net/ipv4/sysctl_net_ipv4.c | 7 +++++++
 net/ipv4/tcp_input.c | 31 ++++++++++++++++++++++++++++++-
 6 files changed, 45 insertions(+), 1 deletions(-)

commit 2a1606ece92fd78dfdd0735532a9e38b6261c275
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 27 18:20:59 2012 -0500

    Clarify documentation for GRKERNSEC_DMESG based on Twitter discussion

 grsecurity/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b53211d24c27efb270c97e1141f8d5d1e342a1a6
Author: Jarod Wilson <jarod@redhat.com>
Date:   Tue Nov 6 10:42:42 2012 -0500

    Upstream commit: ec8f02da9ea500474417d1d31fa3d46a562ab366

    random: prime last_data value per fips requirements

    The value stored in last_data must be primed for FIPS 140-2 purposes.
    Upon first use, either on system startup or after an RNDCLEARPOOL ioctl,
    we need to take an initial random sample, store it internally in
    last_data, then pass along the value after that to the requester, so
    that consistency checks aren't being run against stale and possibly
    known data.

    CC: Herbert Xu <herbert@gondor.apana.org.au>
    CC: "David S. Miller" <davem@davemloft.net>
    CC: Matt Mackall <mpm@selenic.com>
    CC: linux-crypto@vger.kernel.org
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: Jarod Wilson <jarod@redhat.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>

    Conflicts:
        drivers/char/random.c

 drivers/char/random.c | 17 +++++++++++++++++
 1 files changed, 17 insertions(+), 0 deletions(-)

commit 7987ebd47faefdbbcb062d6e48319128c416279d
Author: Nick Kossifidis <mickflemm@gmail.com>
Date:   Sun Dec 16 22:18:11 2012 -0500

    Upstream commit: 6133705494bb02953e1e2cc3018a4373981b3c97

    random: Mix cputime from each thread that exits to the pool

    When a thread exits mix its cputime (userspace + kernelspace) to the
    entropy pool.

    We don't know how "random" this is, so we use add_device_randomness
    that doesn't mess with entropy count.

    Signed-off-by: Nick Kossifidis <mickflemm@gmail.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>

 kernel/posix-cpu-timers.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit d90be10e65fba2d0520ab4b1261207a023724253
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 27 18:06:58 2012 -0500

    Backport upstream commit: a68c2f12b4b28994aaf622bbe5724b7258cc2fcf

    sendfile: allows bypassing of notifier events
    author Scott Wolchok <swolchok@umich.edu>

    do_sendfile() in fs/read_write.c does not call the fsnotify functions,
    unlike its neighbors.  This manifests as a lack of inotify ACCESS events
    when a file is sent using sendfile(2).

    Addresses https://bugzilla.kernel.org/show_bug.cgi?id=12812

 fs/read_write.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit c85cb9a260726afb138cd5360c2127b101d5cfbc
Author: Vahram Martirosyan <vmartirosyan@gmail.com>
Date:   Wed Nov 28 12:44:16 2012 -0500

    Upstream commit: 766f44d46a726cb59f52a75c5c87425a10c4bade

    ext4: fixed potential NULL dereference in ext4_calculate_overhead()

    The memset operation before check can cause a BUG if the memory
    allocation failed.  Since we are using get_zeroed_age, there is no
    need to use memset anyway.

    Found by the Spruce system in cooperation with the KEDR Framework.

    Signed-off-by: Vahram Martirosyan <vmartirosyan@linuxtesting.org>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>

 fs/ext4/super.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit a20d4dc627e376988da7d0f8b8af7130cbe28a8e
Author: Eric Sandeen <sandeen@redhat.com>
Date:   Wed Nov 14 22:22:05 2012 -0500

    Upstream commit: 66bea92c69477a75a5d37b9bfed5773c92a3c4b4

    ext4: init pagevec in ext4_da_block_invalidatepages

    ext4_da_block_invalidatepages is missing a pagevec_init(),
    which means that pvec->cold contains random garbage.

    This affects whether the page goes to the front or
    back of the LRU when ->cold makes it to
    free_hot_cold_page()

    Reviewed-by: Lukas Czerner <lczerner@redhat.com>
    Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
    Signed-off-by: Eric Sandeen <sandeen@redhat.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Cc: stable@vger.kernel.org

    Conflicts:
        fs/ext4/inode.c

 fs/ext4/inode.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 32382ab46b8f20ede9deabb0480d4c20ff5aee12
Author: Christoffer Dall <cdall@cs.columbia.edu>
Date:   Fri Dec 21 13:03:50 2012 -0500

    Upstream commit: ad4b3fb7ff9940bcdb1e4cd62bd189d10fa636ba

    mm: Fix PageHead when !CONFIG_PAGEFLAGS_EXTENDED

    Unfortunately with !CONFIG_PAGEFLAGS_EXTENDED, (!PageHead) is false,
    and (PageHead) is true, for tail pages.  If this is indeed the intended
    behavior, which I doubt because it breaks cache cleaning on some ARM
    systems, then the nomenclature is highly problematic.

    This patch makes sure PageHead is only true for head pages and PageTail
    is only true for tail pages, and neither is true for non-compound pages.

    [ This buglet seems ancient - seems to have been introduced back in Apr
      2008 in commit 6a1e7f777f61: "pageflags: convert to the use of new
      macros".
And the reason nobody noticed is because the PageHead() tests are almost all about just sanity-checking, and only used on pages that are actual page heads. The fact that the old code returned true for tail pages too was thus not really noticeable. - Linus ] Signed-off-by: Christoffer Dall <cdall@cs.columbia.edu> Acked-by: Andrea Arcangeli <aarcange@redhat.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Will Deacon <Will.Deacon@arm.com> Cc: Steve Capper <Steve.Capper@arm.com> Cc: Christoph Lameter <cl@linux.com> Cc: stable@kernel.org # 2.6.26+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> include/linux/page-flags.h | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) commit 85a9264c0384512097f1899cfa7f06779d57d41d Author: Eric Dumazet <edumazet@google.com> Date: Wed Dec 26 12:44:34 2012 +0000 Upstream commit: c3ae62af8e755ea68380fb5ce682e60079a4c388 tcp: should drop incoming frames without ACK flag set In commit 96e0bf4b5193d (tcp: Discard segments that ack data not yet sent) John Dykstra enforced a check against ack sequences. In commit 354e4aa391ed5 (tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation) I added more safety tests. But we missed fact that these tests are not performed if ACK bit is not set. RFC 793 3.9 mandates TCP should drop a frame without ACK flag set. " fifth check the ACK field, if the ACK bit is off drop the segment and return" Not doing so permits an attacker to only guess an acceptable sequence number, evading stronger checks. Many thanks to Zhiyun Qian for bringing this issue to our attention. See : http://web.eecs.umich.edu/~zhiyunq/pub/ccs12_TCP_sequence_number_inference.pdf Reported-by: Zhiyun Qian <zhiyunq@umich.edu> Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Nandita Dukkipati <nanditad@google.com> Cc: Neal Cardwell <ncardwell@google.com> Cc: John Dykstra <john.dykstra1@gmail.com> Signed-off-by: David S. 
Miller <davem@davemloft.net> Conflicts: net/ipv4/tcp_input.c net/ipv4/tcp_input.c | 13 +++++++++---- 1 files changed, 9 insertions(+), 4 deletions(-) commit 086efa46d6d699664e68fef9a1a3335b91af0b6d Author: Eric Dumazet <edumazet@google.com> Date: Sun Oct 21 19:57:11 2012 +0000 Upstream commit: 354e4aa391ed50a4d827ff6fc11e0667d0859b25 tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation] All TCP stacks MAY implement the following mitigation. TCP stacks that implement this mitigation MUST add an additional input check to any incoming segment. The ACK value is considered acceptable only if it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT). All incoming segments whose ACK value doesn't satisfy the above condition MUST be discarded and an ACK sent back. Move tcp_send_challenge_ack() before tcp_ack() to avoid a forward declaration. Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Neal Cardwell <ncardwell@google.com> Cc: Yuchung Cheng <ycheng@google.com> Cc: Jerry Chu <hkchu@google.com> Signed-off-by: David S. 
Miller <davem@davemloft.net> net/ipv4/tcp_input.c | 26 +++++++++++++++++++++++++- 1 files changed, 25 insertions(+), 1 deletions(-) commit 8ded7a2148a5f68d514f1fba0e35a01334bb077e Merge: c5916b2 a52d4ca Author: Brad Spengler <spender@grsecurity.net> Date: Sat Dec 15 13:12:17 2012 -0500 Merge branch 'pax-stable2' into grsec-stable2 Conflicts: security/Kconfig commit a52d4ca1dd5e965610ec305fc3972b8d94c7e368 Author: Brad Spengler <spender@grsecurity.net> Date: Sat Dec 15 13:11:19 2012 -0500 Update to pax-linux-3.2.35-test87.patch: - size overflow plugin update from Emese (new hashtable format, small fixes) - introduced local_unchecked_t and related wrappers to handle exceptional cases of non-refcounting local_t variables - fixed ftrace/kgdb/kprobes for i386/KERNEXEC arch/x86/include/asm/local.h | 66 + arch/x86/kernel/ftrace.c | 6 +- arch/x86/kernel/kgdb.c | 15 +- arch/x86/kernel/kprobes.c | 18 +- arch/x86/mm/pageattr.c | 2 +- drivers/misc/kgdbts.c | 4 +- include/asm-generic/atomic-long.h | 21 + include/asm-generic/local.h | 12 + kernel/trace/ring_buffer.c | 74 +- security/Kconfig | 2 +- tools/gcc/generate_size_overflow_hash.sh | 12 +- tools/gcc/size_overflow_hash.data | 6768 +++++++++++++++--------------- tools/gcc/size_overflow_plugin.c | 107 +- 13 files changed, 3633 insertions(+), 3474 deletions(-) commit c5916b296e273fce1caeeb45d4e4d3867deec87e Author: Brad Spengler <spender@grsecurity.net> Date: Fri Dec 7 15:40:59 2012 -0500 compile fix grsecurity/grsec_sig.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit ee1c61148459011ca589a4e4c0713ac0b901f60a Author: Brad Spengler <spender@grsecurity.net> Date: Fri Dec 7 15:16:19 2012 -0500 Improve usability of GRKERNSEC_BRUTE, sponsorship work for Exonet: Log when activating bruteforce protection against a network daemon Expire the bruteforce protection in 30 minutes if no new crashes occur Check sysctl option at time of stalling forks so that flagged processes don't still delay when the feature is disabled 
    and require a service restart

    Conflicts:
        grsecurity/grsec_sig.c
        include/linux/sched.h

 fs/exec.c | 2 +-
 grsecurity/grsec_sig.c | 19 ++++++++++++++++---
 include/linux/grmsg.h | 1 +
 include/linux/grsecurity.h | 2 +-
 include/linux/sched.h | 1 +
 5 files changed, 20 insertions(+), 5 deletions(-)

commit abd28eb0c0348df8d14a951adc5b9dc367e00549
Author: Mel Gorman <mgorman@suse.de>
Date:   Wed Dec 5 14:01:41 2012 -0800

    Upstream commit: 18a2f371f5edf41810f6469cb9be39931ef9deb9

    tmpfs: fix shared mempolicy leak

    This fixes a regression in 3.7-rc, which has since gone into stable.

    Commit 00442ad04a5e ("mempolicy: fix a memory corruption by refcount
    imbalance in alloc_pages_vma()") changed get_vma_policy() to raise the
    refcount on a shmem shared mempolicy; whereas shmem_alloc_page() went
    on expecting alloc_page_vma() to drop the refcount it had acquired.
    This deserves a rework: but for now fix the leak in shmem_alloc_page().

    Hugh: shmem_swapin() did not need a fix, but surely it's clearer to use
    the same refcounting there as in shmem_alloc_page(), delete its onstack
    mempolicy, and the strange mpol_cond_copy() and __mpol_cond_copy() -
    those were invented to let swapin_readahead() make an unknown number of
    calls to alloc_pages_vma() with one mempolicy; but since 00442ad04a5e,
    alloc_pages_vma() has kept refcount in balance, so now no problem.
    Reported-and-tested-by: Tommi Rantala <tt.rantala@gmail.com>
    Signed-off-by: Mel Gorman <mgorman@suse.de>
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 include/linux/mempolicy.h | 16 ----------------
 mm/mempolicy.c | 22 ----------------------
 mm/shmem.c | 26 ++++++++++++++++----------
 3 files changed, 16 insertions(+), 48 deletions(-)

commit 86f90506694f57b63088c0d2830a4a832cc1b02f
Merge: 34d98a8 19185bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 6 18:07:29 2012 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 19185bba4d966a0558f7ac906387f32ccc5591ce
Merge: e621524 20c7bbd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 6 18:07:11 2012 -0500

    Update to pax-linux-3.2.35-test86.patch

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        arch/x86/mm/init.c

commit 34d98a8122b0074dce27c120c0c3edc21436c9e1
Merge: 58f5c17 e621524
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 4 19:02:00 2012 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit e621524e2124443b09c8dae6a0b8f983b737bbff
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 4 19:01:02 2012 -0500

    Update to pax-linux-3.2.34-test86.patch:
    - removed old cruft
    - fixed i386/fpu regression introduced by a previous backport, thanks to
      Kevin Chadwick for reporting it

 arch/x86/include/asm/i387.h | 9 ++++++++-
 arch/x86/kernel/traps.c | 2 +-
 arch/x86/power/cpu.c | 4 ----
 3 files changed, 9 insertions(+), 6 deletions(-)

commit 58f5c17182d8bf32d3036187ae4af2cadef612ee
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Nov 29 22:17:21 2012 -0500

    Upstream commit: 21d8a15ac333b05f1fecdf9fdc30996be2e11d60

    lookup_one_len: don't accept . and ..
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

    Conflicts:
        fs/namei.c

 fs/namei.c | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 5da6dd34fda33e4ec8fd8205ab20d925a3c5682b
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Nov 29 22:11:06 2012 -0500

    Upstream commit: 0903a0c8491c1e987dfc6eb294199a36760398bc

    cifs: get rid of blind d_drop() in readdir

    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/cifs/readdir.c | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit ab72d7098e8f37f2d2da74a25155bab9ab09c299
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Nov 29 22:04:36 2012 -0500

    Upstream commit: c44600c9d1de64314c2bd58103f15acb53e10073

    nfs_lookup_revalidate(): fix a leak

    We are leaking fattr and fhandle if we decide that dentry is not to be
    invalidated, after all (e.g. happens to be a mountpoint).  Just free
    both before that...

    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/nfs/dir.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 29cef27ba3d92da2c1f4bab82d69e49a2e5dba1b
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Nov 29 22:00:51 2012 -0500

    Upstream commit: 696199f8ccf7fc6d17ef89c296ad3b6c78c52d9c

    don't do blind d_drop() in nfs_prime_dcache()

    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/nfs/dir.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 970c1ac809323ee3b8313250adbbe758a81f48d2
Author: H. Peter Anvin <hpa@linux.intel.com>
Date:   Wed Nov 21 14:41:21 2012 -0800

    Upstream commit: cb7cb2864e758a1b040040bc55e404c677c911cb

    x86, kvm: Remove incorrect redundant assembly constraint

    In __emulate_1op_rax_rdx, we use "+a" and "+d" which are input/output
    constraints, and *then* use "a" and "d" as input constraints.  This is
    incorrect, but happens to work on some versions of gcc.

    However, it breaks gcc with -O0 and icc, and may break on future
    versions of gcc.

    Reported-and-tested-by: Melanie Blower <melanie.blower@intel.com>
    Signed-off-by: H.
    Peter Anvin <hpa@linux.intel.com>
    Link: http://lkml.kernel.org/r/B3584E72CFEBED439A3ECA9BCE67A4EF1B17AF90@FMSMSX107.amr.corp.intel.com
    Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
    Acked-by: Marcelo Tosatti <mtosatti@redhat.com>

 arch/x86/kvm/emulate.c | 3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit b1c117eadf2b219c51680c3a844e94ee97b3f719
Author: Mike Galbraith <mgalbraith@suse.de>
Date:   Wed Nov 28 07:17:18 2012 +0100

    Upstream commit: 412d32e6c98527078779e5b515823b2810e40324

    workqueue: exit rescuer_thread() as TASK_RUNNING

    A rescue thread exiting TASK_INTERRUPTIBLE can lead to a task scheduling
    off, never to be seen again.  In the case where this occurred, an exiting
    thread hit reiserfs homebrew conditional resched while holding a mutex,
    bringing the box to its knees.

    PID: 18105  TASK: ffff8807fd412180  CPU: 5   COMMAND: "kdmflush"
     #0 [ffff8808157e7670] schedule at ffffffff8143f489
     #1 [ffff8808157e77b8] reiserfs_get_block at ffffffffa038ab2d [reiserfs]
     #2 [ffff8808157e79a8] __block_write_begin at ffffffff8117fb14
     #3 [ffff8808157e7a98] reiserfs_write_begin at ffffffffa0388695 [reiserfs]
     #4 [ffff8808157e7ad8] generic_perform_write at ffffffff810ee9e2
     #5 [ffff8808157e7b58] generic_file_buffered_write at ffffffff810eeb41
     #6 [ffff8808157e7ba8] __generic_file_aio_write at ffffffff810f1a3a
     #7 [ffff8808157e7c58] generic_file_aio_write at ffffffff810f1c88
     #8 [ffff8808157e7cc8] do_sync_write at ffffffff8114f850
     #9 [ffff8808157e7dd8] do_acct_process at ffffffff810a268f
        [exception RIP: kernel_thread_helper]
        RIP: ffffffff8144a5c0  RSP: ffff8808157e7f58  RFLAGS: 00000202
        RAX: 0000000000000000  RBX: 0000000000000000  RCX: 0000000000000000
        RDX: 0000000000000000  RSI: ffffffff8107af60  RDI: ffff8803ee491d18
        RBP: 0000000000000000   R8: 0000000000000000   R9: 0000000000000000
        R10: 0000000000000000  R11: 0000000000000000  R12: 0000000000000000
        R13: 0000000000000000  R14: 0000000000000000  R15: 0000000000000000
        ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018

    Signed-off-by: Mike Galbraith
    <mgalbraith@suse.de>
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Cc: stable@vger.kernel.org

 kernel/workqueue.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 5ac46de6182d0b680d2874fb5cc20fd2246f9a4f
Author: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Date:   Thu Nov 29 13:54:34 2012 -0800

    Upstream commit: 783657a7dc20e5c0efbc9a09a9dd38e238a723da

    mm: soft offline: split thp at the beginning of soft_offline_page()

    When we try to soft-offline a thp tail page, put_page() is called on the
    tail page unthinkingly and VM_BUG_ON is triggered in put_compound_page().

    This patch splits thp before going into the main body of soft-offlining.

    Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    Cc: Andi Kleen <andi@firstfloor.org>
    Cc: Tony Luck <tony.luck@intel.com>
    Cc: Andi Kleen <andi.kleen@intel.com>
    Cc: Wu Fengguang <fengguang.wu@intel.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/memory-failure.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 3c50c636930bae6199f27596f7db63f98a0d1542
Author: Jianguo Wu <wujianguo@huawei.com>
Date:   Thu Nov 29 13:54:21 2012 -0800

    Upstream commit: ae64ffcac35de0db628ba9631edf8ff34c5cd7ac

    mm/vmemmap: fix wrong use of virt_to_page

    I enable CONFIG_DEBUG_VIRTUAL and CONFIG_SPARSEMEM_VMEMMAP, when doing
    memory hotremove, there is a kernel BUG at arch/x86/mm/physaddr.c:20.

    It is caused by free_section_usemap()->virt_to_page(), virt_to_page() is
    only used for kernel direct mapping address, but sparse-vmemmap uses
    vmemmap address, so it is going wrong here.

      ------------[ cut here ]------------
      kernel BUG at arch/x86/mm/physaddr.c:20!
      invalid opcode: 0000 [#1] SMP
      Modules linked in: acpihp_drv acpihp_slot edd cpufreq_conservative
      cpufreq_userspace cpufreq_powersave acpi_cpufreq mperf fuse vfat fat loop
      dm_mod coretemp kvm crc32c_intel ipv6 ixgbe igb iTCO_wdt i7core_edac
      edac_core pcspkr iTCO_vendor_support ioatdma microcode joydev sr_mod
      i2c_i801 dca lpc_ich mfd_core mdio tpm_tis i2c_core hid_generic tpm cdrom
      sg tpm_bios rtc_cmos button ext3 jbd mbcache usbhid hid uhci_hcd ehci_hcd
      usbcore usb_common sd_mod crc_t10dif processor thermal_sys hwmon
      scsi_dh_alua scsi_dh_hp_sw scsi_dh_rdac scsi_dh_emc scsi_dh ata_generic
      ata_piix libata megaraid_sas scsi_mod
      CPU 39
      Pid: 6454, comm: sh Not tainted 3.7.0-rc1-acpihp-final+ #45 QCI QSSC-S4R/QSSC-S4R
      RIP: 0010:[<ffffffff8103c908>]  [<ffffffff8103c908>] __phys_addr+0x88/0x90
      RSP: 0018:ffff8804440d7c08  EFLAGS: 00010006
      RAX: 0000000000000006 RBX: ffffea0012000000 RCX: 000000000000002c
      ...

    Signed-off-by: Jianguo Wu <wujianguo@huawei.com>
    Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
    Reviewed-by: Wen Congyang <wency@cn.fujitsu.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
    Reviewed-by: Michal Hocko <mhocko@suse.cz>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/sparse.c | 10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

commit 053df3aac0287316519822981cfd5f1ef4a91d0e
Merge: 4b3f03c b01ae0b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 3 17:25:01 2012 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit b01ae0beceb65c6adcbeab3bd664ae62d38235b9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 3 17:24:38 2012 -0500

    Update to pax-linux-3.2.34-test85.patch:
    - fixed a refcount false positive in the USB stack, thanks to
      Christian Perle for reporting it

 drivers/usb/core/hcd.c | 4 ++--
 drivers/usb/core/sysfs.c | 2 +-
 drivers/usb/core/usb.c | 2 +-
 include/linux/usb.h | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

commit 4b3f03c2e7867a82605463dc55f19b2f522e14ac
Author: Oliver Hartkopp <socketcan@hartkopp.net>
Date:   Mon Nov 26 22:24:23 2012 +0100

    Upstream commit: 81b401100c01d2357031e874689f89bd788d13cd

    can: bcm: initialize ifindex for timeouts without previous frame reception

    Set in the rx_ifindex to pass the correct interface index in the case of
    a message timeout detection.  Usually the rx_ifindex value is set at
    receive time.  But when no CAN frame has been received the RX_TIMEOUT
    notification did not contain a valid value.

    Cc: linux-stable <stable@vger.kernel.org>
    Reported-by: Andre Naujoks <nautsch2@googlemail.com>
    Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

 net/can/bcm.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 557bb5a74e935f43720867efc2a67eae80dc78c5
Author: Eric Dumazet <edumazet@google.com>
Date:   Sun Nov 25 09:44:29 2012 +0000

    Upstream commit: b49d3c1e1c948d76d64790abe9acffa9fa747d19

    net: ipmr: limit MRT_TABLE identifiers

    Name of pimreg devices are built from following format :

    char name[IFNAMSIZ]; // IFNAMSIZ == 16

    sprintf(name, "pimreg%u", mrt->id);

    We must therefore limit mrt->id to 9 decimal digits or risk a buffer
    overflow and a crash.

    Restrict table identifiers in [0 ... 999999999] interval.

    Reported-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ipmr.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 0c9309648d93c5fd45e46205866a0656885fbb7f
Author: Schoch Christian <e0326715@student.tuwien.ac.at>
Date:   Wed Nov 28 05:18:29 2012 +0000

    Upstream commit: 92d64c261e77cb2a6117887617e2a629fea6b67c

    sctp: Error in calculation of RTTvar

    The calculation of RTTVAR involves the subtraction of two unsigned
    numbers which may cause rollover and results in very high values of
    RTTVAR when RTT > SRTT.
    With this patch it is possible to set RTOmin = 1 to get the minimum of
    RTO at 4 times the clock granularity.

    Change Notes:

    v2)
    *Replaced abs() by abs64() and long by __s64, changed patch description.

    Signed-off-by: Christian Schoch <e0326715@student.tuwien.ac.at>
    CC: Vlad Yasevich <vyasevich@gmail.com>
    CC: Sridhar Samudrala <sri@us.ibm.com>
    CC: Neil Horman <nhorman@tuxdriver.com>
    CC: linux-sctp@vger.kernel.org
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        net/sctp/transport.c

 net/sctp/transport.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0b5be1ad7d4041f743d726dcf26bb3c1558afc1a
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Mon Nov 26 05:57:27 2012 +0000

    Upstream commit: bd97120fc3d1a11f3124c7c9ba1d91f51829eb85

    vhost: fix length for cross region descriptor

    If a single descriptor crosses a region, the second chunk length should
    be decremented by size translated so far, instead it includes the full
    descriptor length.

    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/vhost/vhost.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0de4c83b06af082237ce8f17d15acbd92d5b9511
Author: Florian Westphal <fw@strlen.de>
Date:   Thu Nov 22 01:32:45 2012 +0000

    Upstream commit: 4a6dd664eba59488c9e56b51a594396d7706eb08

    netfilter: ipset: fix netiface set name overflow

    attribute is copied to IFNAMSIZ-size stack variable, but IFNAMSIZ is
    smaller than IPSET_MAXNAMELEN.

    Fortunately nfnetlink needs CAP_NET_ADMIN.
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/ipset/ip_set_hash_netiface.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5e6be5b576c6d2c54bb5a238ab598d7cc6e0f078
Author: Tommi Rantala <tt.rantala@gmail.com>
Date:   Mon Nov 26 04:16:44 2012 +0000

    Upstream commit: c3b2c2581988d304127c2aa218430b5fca88ce56

    irda: irttp: fix memory leak in irttp_open_tsap() error path

    Cleanup the memory we allocated earlier in irttp_open_tsap() when we hit
    this error path.  The leak goes back to at least 1da177e4
    ("Linux-2.6.12-rc2").

    Discovered with Trinity (the syscall fuzzer).

    Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        net/irda/irttp.c

 net/irda/irttp.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 133b51eac82695af4acf8df4cabcd01968b1897f
Author: Tommi Rantala <tt.rantala@gmail.com>
Date:   Tue Nov 27 04:01:46 2012 +0000

    Upstream commit: be364c8c0f17a3dd42707b5a090b318028538eb9

    sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails

    Trinity (the syscall fuzzer) discovered a memory leak in SCTP,
    reproducible e.g. with the sendto() syscall by passing invalid
    user space pointer in the second argument:

     #include <string.h>
     #include <arpa/inet.h>
     #include <sys/socket.h>

     int main(void)
     {
       int fd;
       struct sockaddr_in sa;

       fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
       if (fd < 0)
         return 1;

       memset(&sa, 0, sizeof(sa));
       sa.sin_family = AF_INET;
       sa.sin_addr.s_addr = inet_addr("127.0.0.1");
       sa.sin_port = htons(11111);

       /* invalid user space pointer as the buffer argument */
       sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));

       return 0;
     }

    As far as I can tell, the leak has been around since ~2003.

    Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S.
    Miller <davem@davemloft.net>

 net/sctp/chunk.c | 7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit b869ac767054bf5bc1517b909be22245baefd3b0
Merge: 31fd091 d82afa7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 1 11:11:12 2012 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit d82afa74be4ef92c3ba77374156b8e6bde1e47dd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 1 11:10:28 2012 -0500

    Updated to pax-linux-3.2.34-test84.patch:
    - simplified/synchronized some UDEREF/amd64 logic based on the 3.7
      forward port

 arch/x86/include/asm/futex.h | 2 +-
 arch/x86/include/asm/i387.h | 18 +++------
 arch/x86/include/asm/uaccess_64.h | 79 +++++-------------------------
 arch/x86/include/asm/xsave.h | 20 ++++------
 arch/x86/kernel/dumpstack_32.c | 2 +-
 arch/x86/kernel/dumpstack_64.c | 2 +-
 arch/x86/kernel/entry_64.S | 2 +-
 arch/x86/kernel/process_32.c | 2 +-
 arch/x86/kernel/xsave.c | 5 +-
 arch/x86/lib/csum-wrappers_64.c | 16 +-------
 arch/x86/lib/usercopy_64.c | 21 +--------
 11 files changed, 37 insertions(+), 132 deletions(-)

commit 31fd091aba4bf457f22a4deb9cd82bf9acff3db0
Author: Darren Hart <dvhart@linux.intel.com>
Date:   Mon Nov 26 16:29:56 2012 -0800

    Upstream commit: aa10990e028cac3d5e255711fb9fb47e00700e35

    futex: avoid wake_futex() for a PI futex_q

    Dave Jones reported a bug with futex_lock_pi() that his trinity test
    exposed.  Sometime between queue_me()