From: "Anthony G. Basile" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Anthony G. Basile" Message-ID: <1363094693.5887bfa1ed303153a33e8909165ea760a787f68d.blueness@gentoo> Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.32/, 3.8.2/, 3.2.40/ X-VCS-Repository: proj/hardened-patchset X-VCS-Files: 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303082034.patch 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch 3.2.40/0000_README 3.2.40/4420_grsecurity-2.9.1-3.2.40-201303082037.patch 3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch 3.8.2/0000_README 3.8.2/4420_grsecurity-2.9.1-3.8.2-201303082215.patch 3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch X-VCS-Directories: 2.6.32/ 3.8.2/ 3.2.40/ X-VCS-Committer: blueness X-VCS-Committer-Name: Anthony G. Basile X-VCS-Revision: 5887bfa1ed303153a33e8909165ea760a787f68d X-VCS-Branch: master Date: Tue, 12 Mar 2013 13:25:46 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: aab2d414-2870-41f2-aa21-2a11614634ea X-Archives-Hash: 1b15c99c43f5cf6d6eda90ca5343fd0b commit: 5887bfa1ed303153a33e8909165ea760a787f68d Author: Anthony G. Basile gentoo org> AuthorDate: Tue Mar 12 13:24:53 2013 +0000 Commit: Anthony G. Basile gentoo org> CommitDate: Tue Mar 12 13:24:53 2013 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=5887bfa1 Grsec/PaX: 2.9.1-{2.6.32.60,3.2.40,3.8.2}-201303111845 --- ..._grsecurity-2.9.1-2.6.32.60-201303111841.patch} | 88 +++-- 3.2.40/0000_README | 2 +- ...420_grsecurity-2.9.1-3.2.40-201303111844.patch} | 136 +++++-- 3.8.2/0000_README | 2 +- ...4420_grsecurity-2.9.1-3.8.2-201303111845.patch} | 425 ++++++++++++++++---- 5 files changed, 508 insertions(+), 145 deletions(-) 
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303082034.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch similarity index 99% rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303082034.patch rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch index 0660165..844bced 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303082034.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch @@ -22169,10 +22169,10 @@ index 3149032..14f1053 100644 return 0; /* 64-bit mode: REX prefix */ diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c -index dee1ff7..d0e3ef7 100644 +index dee1ff7..585a36b 100644 --- a/arch/x86/kernel/sys_i386_32.c +++ b/arch/x86/kernel/sys_i386_32.c -@@ -24,6 +24,21 @@ +@@ -24,6 +24,22 @@ #include @@ -22185,8 +22185,9 @@ index dee1ff7..d0e3ef7 100644 + pax_task_size = SEGMEXEC_TASK_SIZE; +#endif + -+ if (len > pax_task_size || addr > pax_task_size - len) -+ return -EINVAL; ++ if (flags & MAP_FIXED) ++ if (len > pax_task_size || addr > pax_task_size - len) ++ return -EINVAL; + + return 0; +} @@ -22194,7 +22195,7 @@ index dee1ff7..d0e3ef7 100644 /* * Perform the select(nd, in, out, ex, tv) and mmap() system * calls. Linux/i386 didn't use to be able to handle more than -@@ -58,6 +73,214 @@ out: +@@ -58,6 +74,214 @@ out: return err; } @@ -22409,7 +22410,7 @@ index dee1ff7..d0e3ef7 100644 struct sel_arg_struct { unsigned long n; -@@ -93,7 +316,7 @@ asmlinkage int sys_ipc(uint call, int first, int second, +@@ -93,7 +317,7 @@ asmlinkage int sys_ipc(uint call, int first, int second, return sys_semtimedop(first, (struct sembuf __user *)ptr, second, NULL); case SEMTIMEDOP: return sys_semtimedop(first, (struct sembuf __user *)ptr, second, 
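Review bot: The new guard in the mmap check is a brace-less single-statement `if` nested inside another brace-less `if` (`if (flags & MAP_FIXED)` over `if (len > pax_task_size || addr > pax_task_size - len)`), the shape that invites dangling-else and "goto fail" mistakes on the next edit; fold it into one condition, `if ((flags & MAP_FIXED) && (len > pax_task_size || addr > pax_task_size - len))` followed by `return -EINVAL;`. Since the range test is now skipped for non-fixed requests, an oversized `len` or an out-of-range hint presumably has to be rejected by the address-space search instead, which is not in the hunk and is worth confirming. The identical hunk is repeated in the 3.2.40 copy of the patch and in the 3.8.2 new-file hunk further down. The enclosing function starts before the hunk.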
@@ -22418,7 +22419,7 @@ index dee1ff7..d0e3ef7 100644 case SEMGET: return sys_semget(first, second, third); -@@ -140,7 +363,7 @@ asmlinkage int sys_ipc(uint call, int first, int second, +@@ -140,7 +364,7 @@ asmlinkage int sys_ipc(uint call, int first, int second, ret = do_shmat(first, (char __user *) ptr, second, &raddr); if (ret) return ret; @@ -22427,7 +22428,7 @@ index dee1ff7..d0e3ef7 100644 } case 1: /* iBCS2 emulator entry point */ if (!segment_eq(get_fs(), get_ds())) -@@ -207,17 +430,3 @@ asmlinkage int sys_olduname(struct oldold_utsname __user *name) +@@ -207,17 +431,3 @@ asmlinkage int sys_olduname(struct oldold_utsname __user *name) return error; } @@ -83601,7 +83602,7 @@ index b080b79..d957e63 100644 } diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index 3b7b82a..0655a0f 100644 +index 3b7b82a..43956d4 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -8,12 +8,19 @@ @@ -83624,7 +83625,7 @@ index 3b7b82a..0655a0f 100644 void task_mem(struct seq_file *m, struct mm_struct *mm) { unsigned long data, text, lib; -@@ -46,15 +53,27 @@ void task_mem(struct seq_file *m, struct mm_struct *mm) +@@ -46,15 +53,32 @@ void task_mem(struct seq_file *m, struct mm_struct *mm) "VmStk:\t%8lu kB\n" "VmExe:\t%8lu kB\n" "VmLib:\t%8lu kB\n" @@ -83647,15 +83648,20 @@ index 3b7b82a..0655a0f 100644 + (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10 + +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP + , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_base + , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_limit ++#else ++ , mm->context.user_cs_base ++ , mm->context.user_cs_limit ++#endif +#endif + + ); } unsigned long task_vsize(struct mm_struct *mm) -@@ -175,7 +194,8 @@ static void m_stop(struct seq_file *m, void *v) +@@ -175,7 +199,8 @@ static void m_stop(struct seq_file *m, void *v) struct proc_maps_private *priv = m->private; struct vm_area_struct *vma = v; 
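Review bot: The new `#else` branch hands `mm->context.user_cs_base` and `mm->context.user_cs_limit` to the `task_mem` printout as-is when CONFIG_GRKERNSEC_PROC_MEMMAP is off, whereas the guarded branch masks them to 0 under `PAX_RAND_FLAGS(mm)`; presumably the macro only exists with that option, so the fallback is needed to build, but the effect is that the exec-limit segment addresses are then reported to any reader of the file. A one-line comment on the `#else`, `/* without GRKERNSEC_PROC_MEMMAP the segment base/limit is reported unmasked */`, would make that trade-off visible rather than implicit. The same change is made in the 3.2.40 copy of the patch. `task_mem` starts before the hunk.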
@@ -83665,7 +83671,7 @@ index 3b7b82a..0655a0f 100644 if (priv->task) put_task_struct(priv->task); } -@@ -206,7 +226,6 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -206,7 +231,6 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) int flags = vma->vm_flags; unsigned long ino = 0; unsigned long long pgoff = 0; @@ -83673,7 +83679,7 @@ index 3b7b82a..0655a0f 100644 dev_t dev = 0; int len; -@@ -217,20 +236,23 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -217,20 +241,23 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT; } @@ -83704,7 +83710,7 @@ index 3b7b82a..0655a0f 100644 MAJOR(dev), MINOR(dev), ino, &len); /* -@@ -239,7 +261,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -239,7 +266,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) */ if (file) { pad_len_spaces(m, len); @@ -83713,7 +83719,7 @@ index 3b7b82a..0655a0f 100644 } else { const char *name = arch_vma_name(vma); if (!name) { -@@ -247,8 +269,9 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -247,8 +274,9 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) { name = "[heap]"; @@ -83725,7 +83731,7 @@ index 3b7b82a..0655a0f 100644 name = "[stack]"; } } else { -@@ -269,6 +292,13 @@ static int show_map(struct seq_file *m, void *v) +@@ -269,6 +297,13 @@ static int show_map(struct seq_file *m, void *v) struct proc_maps_private *priv = m->private; struct task_struct *task = priv->task; @@ -83739,7 +83745,7 @@ index 3b7b82a..0655a0f 100644 show_map_vma(m, vma); if (m->count < m->size) /* vma is copied successfully */ -@@ -390,10 +420,23 @@ static int show_smap(struct seq_file *m, void *v) +@@ -390,10 +425,23 @@ static int show_smap(struct seq_file *m, void *v) .private = &mss, }; 
@@ -83766,7 +83772,7 @@ index 3b7b82a..0655a0f 100644 show_map_vma(m, vma); -@@ -409,7 +452,11 @@ static int show_smap(struct seq_file *m, void *v) +@@ -409,7 +457,11 @@ static int show_smap(struct seq_file *m, void *v) "Swap: %8lu kB\n" "KernelPageSize: %8lu kB\n" "MMUPageSize: %8lu kB\n", @@ -106892,7 +106898,7 @@ index 0591df8..dcf3f9f 100644 if (cpu != group_first_cpu(sd->groups)) return; diff --git a/kernel/signal.c b/kernel/signal.c -index 2494827..02e4288 100644 +index 2494827..3087914 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -41,12 +41,12 @@ @@ -106929,7 +106935,17 @@ index 2494827..02e4288 100644 if (override_rlimit || atomic_read(&user->sigpending) <= t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur) -@@ -327,7 +330,7 @@ flush_signal_handlers(struct task_struct *t, int force_default) +@@ -320,6 +323,9 @@ flush_signal_handlers(struct task_struct *t, int force_default) + if (force_default || ka->sa.sa_handler != SIG_IGN) + ka->sa.sa_handler = SIG_DFL; + ka->sa.sa_flags = 0; ++#ifdef SA_RESTORER ++ ka->sa.sa_restorer = NULL; ++#endif + sigemptyset(&ka->sa.sa_mask); + ka++; + } +@@ -327,7 +333,7 @@ flush_signal_handlers(struct task_struct *t, int force_default) int unhandled_signal(struct task_struct *tsk, int sig) { @@ -106938,7 +106954,7 @@ index 2494827..02e4288 100644 if (is_global_init(tsk)) return 1; if (handler != SIG_IGN && handler != SIG_DFL) -@@ -513,23 +516,17 @@ int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info) +@@ -513,23 +519,17 @@ int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info) * No need to set need_resched since signal event passing * goes through ->blocked */ @@ -106965,7 +106981,7 @@ index 2494827..02e4288 100644 kick_process(t); } -@@ -627,6 +624,13 @@ static int check_kill_permission(int sig, struct siginfo *info, +@@ -627,6 +627,13 @@ static int check_kill_permission(int sig, struct siginfo *info, } } 
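Review bot: The added `ka->sa.sa_restorer = NULL;` in `flush_signal_handlers` carries no comment, and because the surrounding loop already resets `sa_handler`, `sa_flags` and `sa_mask` a later reader may take the extra field for an accidental duplication and drop it. Suggest `/* also clear sa_restorer: it would otherwise be inherited across exec and expose an address from the previous image */`, which is the reason upstream gave for the same change. The `#ifdef SA_RESTORER` guard matches how the field is conditionally declared, so that part looks right. The same three lines are added to the 3.2.40 copy of the patch; the loop body continues before and after the hunk.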
@@ -106979,7 +106995,7 @@ index 2494827..02e4288 100644 return security_task_kill(t, info, sig, 0); } -@@ -968,7 +972,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) +@@ -968,7 +975,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) return send_signal(sig, info, p, 1); } @@ -106988,7 +107004,7 @@ index 2494827..02e4288 100644 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t) { return send_signal(sig, info, t, 0); -@@ -1005,6 +1009,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) +@@ -1005,6 +1012,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) unsigned long int flags; int ret, blocked, ignored; struct k_sigaction *action; @@ -106996,7 +107012,7 @@ index 2494827..02e4288 100644 spin_lock_irqsave(&t->sighand->siglock, flags); action = &t->sighand->action[sig-1]; -@@ -1019,9 +1024,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) +@@ -1019,9 +1027,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) } if (action->sa.sa_handler == SIG_DFL) t->signal->flags &= ~SIGNAL_UNKILLABLE; @@ -107015,7 +107031,7 @@ index 2494827..02e4288 100644 return ret; } -@@ -1081,8 +1095,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) +@@ -1081,8 +1098,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) { int ret = check_kill_permission(sig, info, p); @@ -107028,7 +107044,7 @@ index 2494827..02e4288 100644 return ret; } -@@ -1530,6 +1547,10 @@ static inline int may_ptrace_stop(void) +@@ -1530,6 +1550,10 @@ static inline int may_ptrace_stop(void) * If SIGKILL was already sent before the caller unlocked * ->siglock we must see ->core_state != NULL. Otherwise it * is safe to enter schedule(). 
@@ -107039,7 +107055,7 @@ index 2494827..02e4288 100644 */ if (unlikely(current->mm->core_state) && unlikely(current->mm == current->parent->mm)) -@@ -1611,6 +1632,8 @@ static void ptrace_stop(int exit_code, int clear_code, siginfo_t *info) +@@ -1611,6 +1635,8 @@ static void ptrace_stop(int exit_code, int clear_code, siginfo_t *info) * By the time we got the lock, our tracer went away. * Don't drop the lock yet, another tracer may come. */ @@ -107048,7 +107064,7 @@ index 2494827..02e4288 100644 __set_current_state(TASK_RUNNING); if (clear_code) current->exit_code = 0; -@@ -1644,6 +1667,8 @@ void ptrace_notify(int exit_code) +@@ -1644,6 +1670,8 @@ void ptrace_notify(int exit_code) { siginfo_t info; @@ -107057,7 +107073,7 @@ index 2494827..02e4288 100644 BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP); memset(&info, 0, sizeof info); -@@ -2275,7 +2300,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) +@@ -2275,7 +2303,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) int error = -ESRCH; rcu_read_lock(); @@ -114315,6 +114331,18 @@ index 4538a34..d53ed34 100644 } EXPORT_SYMBOL(sock_init_data); +diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c +index ac1205d..813fe4b 100644 +--- a/net/dcb/dcbnl.c ++++ b/net/dcb/dcbnl.c +@@ -307,6 +307,7 @@ static int dcbnl_getperm_hwaddr(struct net_device *netdev, struct nlattr **tb, + dcb->dcb_family = AF_UNSPEC; + dcb->cmd = DCB_CMD_GPERM_HWADDR; + ++ memset(perm_addr, 0, sizeof(perm_addr)); + netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr); + + ret = nla_put(dcbnl_skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c index 34dcc79..f51ed45 100644 --- a/net/dccp/ccids/ccid3.c diff --git a/3.2.40/0000_README b/3.2.40/0000_README index fd368e5..173a1e3 100644 --- a/3.2.40/0000_README +++ b/3.2.40/0000_README @@ -78,7 +78,7 @@ Patch: 1039_linux-3.2.40.patch 
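Review bot: The `memset(perm_addr, 0, sizeof(perm_addr));` inserted before `getpermhwaddr()` only works because it precedes the driver call, and nothing in the code says so; a comment such as `/* a driver may fill fewer bytes than nla_put() copies out; zero the rest so no stack contents reach userspace */` keeps a future refactor from moving the initialisation after the call. `sizeof(perm_addr)` is correct only if `perm_addr` is a local array, which the existing `nla_put(..., sizeof(perm_addr), ...)` suggests but the hunk does not show. The 3.2.40 copy of the patch makes the same change and also zeroes the `ieee_ets`/`ieee_pfc`/`cee_pg`/`cee_pfc` locals in `dcbnl_ieee_fill` and `dcbnl_cee_fill`; there `memset` is the right choice over a `= {0}` initialiser, since `nla_put` copies the whole object including padding bytes that an initialiser need not clear. `dcbnl_getperm_hwaddr` starts before the hunk.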
From: http://www.kernel.org Desc: Linux 3.2.40 -Patch: 4420_grsecurity-2.9.1-3.2.40-201303082037.patch +Patch: 4420_grsecurity-2.9.1-3.2.40-201303111844.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303082037.patch b/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch similarity index 99% rename from 3.2.40/4420_grsecurity-2.9.1-3.2.40-201303082037.patch rename to 3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch index 774963f..94cafc4 100644 --- a/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303082037.patch +++ b/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch @@ -20387,10 +20387,10 @@ index d4f278e..86c58c0 100644 for (i = 0; i < copied; i++) { switch (opcode[i]) { diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c -index 0b0cb5f..26bb1af 100644 +index 0b0cb5f..207bec6 100644 --- a/arch/x86/kernel/sys_i386_32.c +++ b/arch/x86/kernel/sys_i386_32.c -@@ -24,17 +24,226 @@ +@@ -24,17 +24,227 @@ #include @@ -20415,8 +20415,9 @@ index 0b0cb5f..26bb1af 100644 + pax_task_size = SEGMEXEC_TASK_SIZE; +#endif + -+ if (len > pax_task_size || addr > pax_task_size - len) -+ return -EINVAL; ++ if (flags & MAP_FIXED) ++ if (len > pax_task_size || addr > pax_task_size - len) ++ return -EINVAL; + + return 0; +} @@ -52514,7 +52515,7 @@ index 03102d9..4ae347e 100644 } diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index 3efa725..6d85d94 100644 +index 3efa725..27582ca 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -11,12 +11,19 @@ 
@@ -52553,7 +52554,7 @@ index 3efa725..6d85d94 100644 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10), mm->locked_vm << (PAGE_SHIFT-10), mm->pinned_vm << (PAGE_SHIFT-10), -@@ -62,7 +74,14 @@ void task_mem(struct seq_file *m, struct mm_struct *mm) +@@ -62,7 +74,19 @@ void task_mem(struct seq_file *m, struct mm_struct *mm) data << (PAGE_SHIFT-10), mm->stack_vm << (PAGE_SHIFT-10), text, lib, (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10, @@ -52561,15 +52562,20 @@ index 3efa725..6d85d94 100644 + swap << (PAGE_SHIFT-10) + +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP + , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_base + , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_limit ++#else ++ , mm->context.user_cs_base ++ , mm->context.user_cs_limit ++#endif +#endif + + ); } unsigned long task_vsize(struct mm_struct *mm) -@@ -125,7 +144,7 @@ static void *m_start(struct seq_file *m, loff_t *pos) +@@ -125,7 +149,7 @@ static void *m_start(struct seq_file *m, loff_t *pos) if (!priv->task) return ERR_PTR(-ESRCH); @@ -52578,7 +52584,7 @@ index 3efa725..6d85d94 100644 if (!mm || IS_ERR(mm)) return mm; down_read(&mm->mmap_sem); -@@ -227,13 +246,13 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -227,13 +251,13 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT; } @@ -52597,7 +52603,7 @@ index 3efa725..6d85d94 100644 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n", start, -@@ -242,7 +261,11 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -242,7 +266,11 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) flags & VM_WRITE ? 'w' : '-', flags & VM_EXEC ? 'x' : '-', flags & VM_MAYSHARE ? 's' : 'p', 
@@ -52609,7 +52615,7 @@ index 3efa725..6d85d94 100644 MAJOR(dev), MINOR(dev), ino, &len); /* -@@ -251,7 +274,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -251,7 +279,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) */ if (file) { pad_len_spaces(m, len); @@ -52618,7 +52624,7 @@ index 3efa725..6d85d94 100644 } else { const char *name = arch_vma_name(vma); if (!name) { -@@ -259,8 +282,9 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -259,8 +287,9 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) { name = "[heap]"; @@ -52630,7 +52636,7 @@ index 3efa725..6d85d94 100644 name = "[stack]"; } } else { -@@ -281,6 +305,13 @@ static int show_map(struct seq_file *m, void *v) +@@ -281,6 +310,13 @@ static int show_map(struct seq_file *m, void *v) struct proc_maps_private *priv = m->private; struct task_struct *task = priv->task; @@ -52644,7 +52650,7 @@ index 3efa725..6d85d94 100644 show_map_vma(m, vma); if (m->count < m->size) /* vma is copied successfully */ -@@ -437,12 +468,23 @@ static int show_smap(struct seq_file *m, void *v) +@@ -437,12 +473,23 @@ static int show_smap(struct seq_file *m, void *v) .private = &mss, }; @@ -52673,7 +52679,7 @@ index 3efa725..6d85d94 100644 show_map_vma(m, vma); seq_printf(m, -@@ -460,7 +502,11 @@ static int show_smap(struct seq_file *m, void *v) +@@ -460,7 +507,11 @@ static int show_smap(struct seq_file *m, void *v) "KernelPageSize: %8lu kB\n" "MMUPageSize: %8lu kB\n" "Locked: %8lu kB\n", @@ -52685,7 +52691,7 @@ index 3efa725..6d85d94 100644 mss.resident >> 10, (unsigned long)(mss.pss >> (10 + PSS_SHIFT)), mss.shared_clean >> 10, -@@ -798,7 +844,7 @@ static ssize_t pagemap_read(struct file *file, char __user *buf, +@@ -798,7 +849,7 @@ static ssize_t pagemap_read(struct file *file, char __user *buf, if (!pm.buffer) goto out_task; 
@@ -52694,7 +52700,7 @@ index 3efa725..6d85d94 100644 ret = PTR_ERR(mm); if (!mm || IS_ERR(mm)) goto out_free; -@@ -1024,6 +1070,13 @@ static int show_numa_map(struct seq_file *m, void *v) +@@ -1024,6 +1075,13 @@ static int show_numa_map(struct seq_file *m, void *v) int n; char buffer[50]; @@ -52708,7 +52714,7 @@ index 3efa725..6d85d94 100644 if (!mm) return 0; -@@ -1041,11 +1094,15 @@ static int show_numa_map(struct seq_file *m, void *v) +@@ -1041,11 +1099,15 @@ static int show_numa_map(struct seq_file *m, void *v) mpol_to_str(buffer, sizeof(buffer), pol, 0); mpol_cond_put(pol); @@ -73568,7 +73574,7 @@ index 66e4576..d05c6d5 100644 int this_cpu = smp_processor_id(); struct rq *this_rq = cpu_rq(this_cpu); diff --git a/kernel/signal.c b/kernel/signal.c -index d2f55ea..4dc47a0 100644 +index d2f55ea..5725e4f 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cachep; @@ -73605,7 +73611,17 @@ index d2f55ea..4dc47a0 100644 if (override_rlimit || atomic_read(&user->sigpending) <= task_rlimit(t, RLIMIT_SIGPENDING)) { -@@ -488,7 +491,7 @@ flush_signal_handlers(struct task_struct *t, int force_default) +@@ -481,6 +484,9 @@ flush_signal_handlers(struct task_struct *t, int force_default) + if (force_default || ka->sa.sa_handler != SIG_IGN) + ka->sa.sa_handler = SIG_DFL; + ka->sa.sa_flags = 0; ++#ifdef SA_RESTORER ++ ka->sa.sa_restorer = NULL; ++#endif + sigemptyset(&ka->sa.sa_mask); + ka++; + } +@@ -488,7 +494,7 @@ flush_signal_handlers(struct task_struct *t, int force_default) int unhandled_signal(struct task_struct *tsk, int sig) { @@ -73614,7 +73630,7 @@ index d2f55ea..4dc47a0 100644 if (is_global_init(tsk)) return 1; if (handler != SIG_IGN && handler != SIG_DFL) -@@ -809,6 +812,13 @@ static int check_kill_permission(int sig, struct siginfo *info, +@@ -809,6 +815,13 @@ static int check_kill_permission(int sig, struct siginfo *info, } } 
@@ -73628,7 +73644,7 @@ index d2f55ea..4dc47a0 100644 return security_task_kill(t, info, sig, 0); } -@@ -1159,7 +1169,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) +@@ -1159,7 +1172,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) return send_signal(sig, info, p, 1); } @@ -73637,7 +73653,7 @@ index d2f55ea..4dc47a0 100644 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t) { return send_signal(sig, info, t, 0); -@@ -1196,6 +1206,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) +@@ -1196,6 +1209,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) unsigned long int flags; int ret, blocked, ignored; struct k_sigaction *action; @@ -73645,7 +73661,7 @@ index d2f55ea..4dc47a0 100644 spin_lock_irqsave(&t->sighand->siglock, flags); action = &t->sighand->action[sig-1]; -@@ -1210,9 +1221,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) +@@ -1210,9 +1224,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) } if (action->sa.sa_handler == SIG_DFL) t->signal->flags &= ~SIGNAL_UNKILLABLE; @@ -73664,7 +73680,7 @@ index d2f55ea..4dc47a0 100644 return ret; } -@@ -1279,8 +1299,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) +@@ -1279,8 +1302,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) ret = check_kill_permission(sig, info, p); rcu_read_unlock(); @@ -73677,7 +73693,7 @@ index d2f55ea..4dc47a0 100644 return ret; } -@@ -2762,7 +2785,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) +@@ -2762,7 +2788,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) int error = -ESRCH; rcu_read_lock(); @@ -81453,7 +81469,7 @@ index c40f27e..7f49254 100644 m->msg_iov = iov; diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c -index 5229c7f..6cb13fa 100644 +index 5229c7f..d5c2289 100644 
--- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -57,7 +57,7 @@ struct rtnl_link { @@ -81465,6 +81481,14 @@ index 5229c7f..6cb13fa 100644 static DEFINE_MUTEX(rtnl_mutex); +@@ -973,6 +973,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev, + * report anything. + */ + ivi.spoofchk = -1; ++ memset(ivi.mac, 0, sizeof(ivi.mac)); + if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi)) + break; + vf_mac.vf = diff --git a/net/core/scm.c b/net/core/scm.c index ff52ad0..aff1c0f 100644 --- a/net/core/scm.c 
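Review bot: `memset(ivi.mac, 0, sizeof(ivi.mac));` zeroes only the `mac` member of `ivi` before `ndo_get_vf_config()`; the hunk shows `spoofchk` being preset to -1 separately, and whatever other members the structure carries are presumably still uninitialised stack if a driver does not write them, which then flows into the per-VF attributes built from `ivi` just below. Zeroing the whole object once, `memset(&ivi, 0, sizeof(ivi));` placed before the `ivi.spoofchk = -1;` line, covers every member and the padding bytes as well. `rtnl_fill_ifinfo` starts before the hunk and continues after it.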
@@ -81610,6 +81634,66 @@ index 1e8a882..af175b4 100644 } EXPORT_SYMBOL(sock_init_data); +diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c +index d860530..2f9517d 100644 +--- a/net/dcb/dcbnl.c ++++ b/net/dcb/dcbnl.c +@@ -336,6 +336,7 @@ static int dcbnl_getperm_hwaddr(struct net_device *netdev, struct nlattr **tb, + dcb->dcb_family = AF_UNSPEC; + dcb->cmd = DCB_CMD_GPERM_HWADDR; + ++ memset(perm_addr, 0, sizeof(perm_addr)); + netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr); + + ret = nla_put(dcbnl_skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), +@@ -1238,6 +1239,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev) + + if (ops->ieee_getets) { + struct ieee_ets ets; ++ memset(&ets, 0, sizeof(ets)); + err = ops->ieee_getets(netdev, &ets); + if (!err) + NLA_PUT(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets); +@@ -1245,6 +1247,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev) + + if (ops->ieee_getpfc) { + struct ieee_pfc pfc; ++ memset(&pfc, 0, sizeof(pfc)); + err = ops->ieee_getpfc(netdev, &pfc); + if (!err) + NLA_PUT(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc); +@@ -1277,6 +1280,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev) + /* get peer info if available */ + if (ops->ieee_peer_getets) { + struct ieee_ets ets; ++ memset(&ets, 0, sizeof(ets)); + err = ops->ieee_peer_getets(netdev, &ets); + if (!err) + NLA_PUT(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets); +@@ -1284,6 +1288,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev) + + if (ops->ieee_peer_getpfc) { + struct ieee_pfc pfc; ++ memset(&pfc, 0, sizeof(pfc)); + err = ops->ieee_peer_getpfc(netdev, &pfc); + if (!err) + NLA_PUT(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc); +@@ -1463,6 +1468,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev) + /* peer info if available */ + if (ops->cee_peer_getpg) { + struct cee_pg pg; ++ memset(&pg, 0, sizeof(pg)); + err = 
ops->cee_peer_getpg(netdev, &pg); + if (!err) + NLA_PUT(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg); +@@ -1470,6 +1476,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev) + + if (ops->cee_peer_getpfc) { + struct cee_pfc pfc; ++ memset(&pfc, 0, sizeof(pfc)); + err = ops->cee_peer_getpfc(netdev, &pfc); + if (!err) + NLA_PUT(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc); diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c index 19acd00..dcb43f2 100644 --- a/net/decnet/af_decnet.c diff --git a/3.8.2/0000_README b/3.8.2/0000_README index ff4a56d..3b4b3f3 100644 --- a/3.8.2/0000_README +++ b/3.8.2/0000_README @@ -6,7 +6,7 @@ Patch: 1001_linux-3.8.1.patch From: http://www.kernel.org Desc: Linux 3.8.1 -Patch: 4420_grsecurity-2.9.1-3.8.2-201303082215.patch +Patch: 4420_grsecurity-2.9.1-3.8.2-201303111845.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.8.2/4420_grsecurity-2.9.1-3.8.2-201303082215.patch b/3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch similarity index 99% rename from 3.8.2/4420_grsecurity-2.9.1-3.8.2-201303082215.patch rename to 3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch index 6e0e897..e088f8a 100644 --- a/3.8.2/4420_grsecurity-2.9.1-3.8.2-201303082215.patch +++ b/3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch @@ -225,7 +225,7 @@ index b89a739..b47493f 100644 +zconf.lex.c zoffset.h diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt -index 986614d..0afd461 100644 +index 986614d..e8bfedc 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -922,6 +922,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. 
@@ -239,7 +239,7 @@ index 986614d..0afd461 100644 hashdist= [KNL,NUMA] Large hashes allocated during boot are distributed across NUMA nodes. Defaults on for 64-bit NUMA, off otherwise. -@@ -2121,6 +2125,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted. +@@ -2121,6 +2125,18 @@ bytes respectively. Such letter suffixes can also be entirely omitted. the specified number of seconds. This is to be used if your oopses keep scrolling off the screen. @@ -250,6 +250,11 @@ index 986614d..0afd461 100644 + + pax_softmode= 0/1 to disable/enable PaX softmode on boot already. + ++ pax_extra_latent_entropy ++ Enable a very simple form of latent entropy extraction ++ from the first 4GB of memory as the bootmem allocator ++ passes the memory pages to the buddy allocator. ++ pcbit= [HW,ISDN] pcd. [PARIDE] @@ -2798,6 +2803,26 @@ index 1e9be5d..03edbc2 100644 #endif int +diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c +index 07314af..c46655c 100644 +--- a/arch/arm/kernel/patch.c ++++ b/arch/arm/kernel/patch.c +@@ -18,6 +18,7 @@ void __kprobes __patch_text(void *addr, unsigned int insn) + bool thumb2 = IS_ENABLED(CONFIG_THUMB2_KERNEL); + int size; + ++ pax_open_kernel(); + if (thumb2 && __opcode_is_thumb16(insn)) { + *(u16 *)addr = __opcode_to_mem_thumb16(insn); + size = sizeof(u16); +@@ -39,6 +40,7 @@ void __kprobes __patch_text(void *addr, unsigned int insn) + *(u32 *)addr = insn; + size = sizeof(u32); + } ++ pax_close_kernel(); + + flush_icache_range((uintptr_t)(addr), + (uintptr_t)(addr) + size); diff --git a/arch/arm/kernel/perf_event_cpu.c b/arch/arm/kernel/perf_event_cpu.c index 5f66206..dce492f 100644 --- a/arch/arm/kernel/perf_event_cpu.c @@ -22328,10 +22353,10 @@ index 9b4d51d..5d28b58 100644 switch (opcode[i]) { diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c new file mode 100644 -index 0000000..26bb1af +index 0000000..207bec6 --- /dev/null 
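Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair wrapped around the instruction store in `__patch_text` is balanced only if nothing between them returns early, and the middle of the function (between `size = sizeof(u16);` and `*(u32 *)addr = insn;`) is outside what the two hunks show. A comment at the open, `/* text is write-protected; every path below must reach pax_close_kernel() */`, states the invariant for the next editor. Leaving `flush_icache_range()` after the close looks right since it does not write to the patched text. The function body between the hunks is not shown.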
+++ b/arch/x86/kernel/sys_i386_32.c -@@ -0,0 +1,249 @@ +@@ -0,0 +1,250 @@ +/* + * This file contains various random system calls that + * have a non-standard calling sequence on the Linux/i386 @@ -22367,8 +22392,9 @@ index 0000000..26bb1af + pax_task_size = SEGMEXEC_TASK_SIZE; +#endif + -+ if (len > pax_task_size || addr > pax_task_size - len) -+ return -EINVAL; ++ if (flags & MAP_FIXED) ++ if (len > pax_task_size || addr > pax_task_size - len) ++ return -EINVAL; + + return 0; +} @@ -31370,9 +31396,18 @@ index be60399..778b33e8 100644 bgrt_kobj = kobject_create_and_add("bgrt", acpi_kobj); if (!bgrt_kobj) diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c -index cb96296..2d6082b 100644 +index cb96296..b81293b 100644 --- a/drivers/acpi/blacklist.c +++ b/drivers/acpi/blacklist.c +@@ -52,7 +52,7 @@ struct acpi_blacklist_item { + u32 is_critical_error; + }; + +-static struct dmi_system_id acpi_osi_dmi_table[] __initdata; ++static const struct dmi_system_id acpi_osi_dmi_table[] __initconst; + + /* + * POLICY: If *anything* doesn't work, put it on the blacklist. @@ -193,7 +193,7 @@ static int __init dmi_disable_osi_win7(const struct dmi_system_id *d) return 0; } @@ -43843,10 +43878,18 @@ index 4f27fdc..d3537e6 100644 } diff --git a/drivers/video/aty/mach64_cursor.c b/drivers/video/aty/mach64_cursor.c -index 95ec042..ae33e7a 100644 +index 95ec042..e6affdd 100644 --- a/drivers/video/aty/mach64_cursor.c +++ b/drivers/video/aty/mach64_cursor.c -@@ -208,7 +208,9 @@ int aty_init_cursor(struct fb_info *info) +@@ -7,6 +7,7 @@ + #include + + #include ++#include + + #ifdef __sparc__ + #include +@@ -208,7 +209,9 @@ int aty_init_cursor(struct fb_info *info) info->sprite.buf_align = 16; /* and 64 lines tall. */ info->sprite.flags = FB_PIXMAP_IO; @@ -47369,7 +47412,7 @@ index 6043567..16a9239 100644 fd_offset + ex.a_text); if (error != N_DATADDR(ex)) { diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index 0c42cdb..f4be023 100644 +index 0c42cdb..9551bb8 100644 
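Review bot: The forward declaration in drivers/acpi/blacklist.c now reads `static const struct dmi_system_id acpi_osi_dmi_table[] __initconst;`, but the matching definition of the table is not in the hunk; if it is not also changed to `const` with `__initconst`, the translation unit ends up with two declarations of incompatible type, and if it is, the definition hunk belongs in the same review. The following hunk at `@@ -193,7 +193,7 @@` appears to touch `dmi_disable_osi_win7`, not the table. The table's definition lies outside the hunk.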
--- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -33,6 +33,7 @@ @@ -47866,7 +47909,7 @@ index 0c42cdb..f4be023 100644 loc = kmalloc(sizeof(*loc), GFP_KERNEL); if (!loc) { -@@ -715,11 +1050,81 @@ static int load_elf_binary(struct linux_binprm *bprm) +@@ -715,11 +1050,82 @@ static int load_elf_binary(struct linux_binprm *bprm) goto out_free_dentry; /* OK, This is the point of no return */ @@ -47887,6 +47930,7 @@ index 0c42cdb..f4be023 100644 +#ifdef CONFIG_PAX_ASLR + current->mm->delta_mmap = 0UL; + current->mm->delta_stack = 0UL; ++ current->mm->aslr_gap = 0UL; +#endif + + current->mm->def_flags = 0; @@ -47949,7 +47993,7 @@ index 0c42cdb..f4be023 100644 if (elf_read_implies_exec(loc->elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; -@@ -810,6 +1215,20 @@ static int load_elf_binary(struct linux_binprm *bprm) +@@ -810,6 +1216,20 @@ static int load_elf_binary(struct linux_binprm *bprm) #else load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr); #endif @@ -47970,7 +48014,7 @@ index 0c42cdb..f4be023 100644 } error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, -@@ -842,9 +1261,9 @@ static int load_elf_binary(struct linux_binprm *bprm) +@@ -842,9 +1262,9 @@ static int load_elf_binary(struct linux_binprm *bprm) * allowed task size. Note that p_filesz must always be * <= p_memsz so it is only necessary to check p_memsz. */ @@ -47983,7 +48027,7 @@ index 0c42cdb..f4be023 100644 /* set_brk can never work. Avoid overflows. */ send_sig(SIGKILL, current, 0); retval = -EINVAL; -@@ -883,17 +1302,44 @@ static int load_elf_binary(struct linux_binprm *bprm) +@@ -883,17 +1303,44 @@ static int load_elf_binary(struct linux_binprm *bprm) goto out_free_dentry; } if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) { 
@@ -48009,7 +48053,7 @@ index 0c42cdb..f4be023 100644 + unsigned long prot = PROT_NONE; + + up_read(¤t->mm->mmap_sem); -+ current->mm->brk_gap = PAGE_ALIGN(size) >> PAGE_SHIFT; ++ current->mm->aslr_gap += PAGE_ALIGN(size) >> PAGE_SHIFT; +// if (current->personality & ADDR_NO_RANDOMIZE) +// prot = PROT_READ; + start = vm_mmap(NULL, start, size, prot, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0); @@ -48034,7 +48078,7 @@ index 0c42cdb..f4be023 100644 load_bias); if (!IS_ERR((void *)elf_entry)) { /* -@@ -1115,7 +1561,7 @@ static bool always_dump_vma(struct vm_area_struct *vma) +@@ -1115,7 +1562,7 @@ static bool always_dump_vma(struct vm_area_struct *vma) * Decide what to dump of a segment, part, all or none. */ static unsigned long vma_dump_size(struct vm_area_struct *vma, @@ -48043,7 +48087,7 @@ index 0c42cdb..f4be023 100644 { #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type)) -@@ -1152,7 +1598,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, +@@ -1152,7 +1599,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, if (vma->vm_file == NULL) return 0; @@ -48052,7 +48096,7 @@ index 0c42cdb..f4be023 100644 goto whole; /* -@@ -1374,9 +1820,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) +@@ -1374,9 +1821,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) { elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv; int i = 0; @@ -48064,7 +48108,7 @@ index 0c42cdb..f4be023 100644 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv); } -@@ -2006,14 +2452,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, +@@ -2006,14 +2453,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, } static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma, 
@@ -48081,7 +48125,7 @@ index 0c42cdb..f4be023 100644 return size; } -@@ -2107,7 +2553,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2107,7 +2554,7 @@ static int elf_core_dump(struct coredump_params *cprm) dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE); @@ -48090,7 +48134,7 @@ index 0c42cdb..f4be023 100644 offset += elf_core_extra_data_size(); e_shoff = offset; -@@ -2121,10 +2567,12 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2121,10 +2568,12 @@ static int elf_core_dump(struct coredump_params *cprm) offset = dataoff; size += sizeof(*elf); @@ -48103,7 +48147,7 @@ index 0c42cdb..f4be023 100644 if (size > cprm->limit || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note))) goto end_coredump; -@@ -2138,7 +2586,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2138,7 +2587,7 @@ static int elf_core_dump(struct coredump_params *cprm) phdr.p_offset = offset; phdr.p_vaddr = vma->vm_start; phdr.p_paddr = 0; @@ -48112,7 +48156,7 @@ index 0c42cdb..f4be023 100644 phdr.p_memsz = vma->vm_end - vma->vm_start; offset += phdr.p_filesz; phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0; -@@ -2149,6 +2597,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2149,6 +2598,7 @@ static int elf_core_dump(struct coredump_params *cprm) phdr.p_align = ELF_EXEC_PAGESIZE; size += sizeof(phdr); @@ -48120,7 +48164,7 @@ index 0c42cdb..f4be023 100644 if (size > cprm->limit || !dump_write(cprm->file, &phdr, sizeof(phdr))) goto end_coredump; -@@ -2173,7 +2622,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2173,7 +2623,7 @@ static int elf_core_dump(struct coredump_params *cprm) unsigned long addr; unsigned long end; 
@@ -48129,7 +48173,7 @@ index 0c42cdb..f4be023 100644 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) { struct page *page; -@@ -2182,6 +2631,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2182,6 +2632,7 @@ static int elf_core_dump(struct coredump_params *cprm) page = get_dump_page(addr); if (page) { void *kaddr = kmap(page); @@ -48137,7 +48181,7 @@ index 0c42cdb..f4be023 100644 stop = ((size += PAGE_SIZE) > cprm->limit) || !dump_write(cprm->file, kaddr, PAGE_SIZE); -@@ -2199,6 +2649,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2199,6 +2650,7 @@ static int elf_core_dump(struct coredump_params *cprm) if (e_phnum == PN_XNUM) { size += sizeof(*shdr4extnum); @@ -48145,7 +48189,7 @@ index 0c42cdb..f4be023 100644 if (size > cprm->limit || !dump_write(cprm->file, shdr4extnum, sizeof(*shdr4extnum))) -@@ -2219,6 +2670,97 @@ out: +@@ -2219,6 +2671,97 @@ out: #endif /* CONFIG_ELF_CORE */ @@ -49502,7 +49546,7 @@ index b2a34a1..162fa69 100644 return rc; } diff --git a/fs/exec.c b/fs/exec.c -index 20df02c..9b8f78d 100644 +index 20df02c..81c9e78 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,6 +55,17 @@ @@ -49767,7 +49811,7 @@ index 20df02c..9b8f78d 100644 /* mprotect_fixup is overkill to remove the temporary stack flags */ vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP; -@@ -737,6 +776,27 @@ int setup_arg_pages(struct linux_binprm *bprm, +@@ -737,6 +776,30 @@ int setup_arg_pages(struct linux_binprm *bprm, #endif current->mm->start_stack = bprm->p; ret = expand_stack(vma, stack_base); @@ -49784,8 +49828,11 @@ index 20df02c..9b8f78d 100644 + +#ifdef CONFIG_X86 + if (!ret) { ++ current->mm->aslr_gap += size >> PAGE_SHIFT; + size = mmap_min_addr + ((mm->delta_mmap ^ mm->delta_stack) & (0xFFUL << PAGE_SHIFT)); + ret = 0 != mmap_region(NULL, 0, size, flags, vm_flags, 0); ++ if (!ret) ++ current->mm->aslr_gap += size >> PAGE_SHIFT; + } +#endif + 
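Review bot: The two `aslr_gap` increments added in the setup_arg_pages hunk count pages as `size >> PAGE_SHIFT`, while the brk-gap increment in the fs/binfmt_elf.c hunk counts `PAGE_ALIGN(size) >> PAGE_SHIFT`; if `size` here is ever not page-aligned (the second one is derived from mmap_min_addr, a sysctl value) the count rounds down and the RLIMIT_AS adjustment in the mm/mmap.c hunk (`cur -= mm->aslr_gap`) under-counts, so use `PAGE_ALIGN(size) >> PAGE_SHIFT` in both places. The first increment refers to a `size` assigned before the lines shown and the second to the low-address gap mapped on the line between them, yet the same variable name stands for both within three lines; a one-line comment on each, such as `/* account the stack gap mapped above */` and `/* account the low-address mmap gap */`, would make that readable. The field is zeroed only in the load_elf_binary hunk (under CONFIG_PAX_ASLR) and incremented here under CONFIG_X86, so unless the other binfmt loaders also reset it the value would carry across an exec of a non-ELF image and skew the limit check; whether they do is not visible in this diff. The enclosing function starts outside the hunk.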
@@ -49795,7 +49842,7 @@ index 20df02c..9b8f78d 100644 if (ret) ret = -EFAULT; -@@ -772,6 +832,8 @@ struct file *open_exec(const char *name) +@@ -772,6 +835,8 @@ struct file *open_exec(const char *name) fsnotify_open(file); @@ -49804,7 +49851,7 @@ index 20df02c..9b8f78d 100644 err = deny_write_access(file); if (err) goto exit; -@@ -795,7 +857,7 @@ int kernel_read(struct file *file, loff_t offset, +@@ -795,7 +860,7 @@ int kernel_read(struct file *file, loff_t offset, old_fs = get_fs(); set_fs(get_ds()); /* The cast to a user pointer is valid due to the set_fs() */ @@ -49813,7 +49860,7 @@ index 20df02c..9b8f78d 100644 set_fs(old_fs); return result; } -@@ -1247,7 +1309,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm) +@@ -1247,7 +1312,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm) } rcu_read_unlock(); @@ -49822,7 +49869,7 @@ index 20df02c..9b8f78d 100644 bprm->unsafe |= LSM_UNSAFE_SHARE; } else { res = -EAGAIN; -@@ -1447,6 +1509,28 @@ int search_binary_handler(struct linux_binprm *bprm) +@@ -1447,6 +1512,28 @@ int search_binary_handler(struct linux_binprm *bprm) EXPORT_SYMBOL(search_binary_handler); @@ -49851,7 +49898,7 @@ index 20df02c..9b8f78d 100644 /* * sys_execve() executes a new program. */ -@@ -1454,6 +1538,11 @@ static int do_execve_common(const char *filename, +@@ -1454,6 +1541,11 @@ static int do_execve_common(const char *filename, struct user_arg_ptr argv, struct user_arg_ptr envp) { @@ -49863,7 +49910,7 @@ index 20df02c..9b8f78d 100644 struct linux_binprm *bprm; struct file *file; struct files_struct *displaced; -@@ -1461,6 +1550,8 @@ static int do_execve_common(const char *filename, +@@ -1461,6 +1553,8 @@ static int do_execve_common(const char *filename, int retval; const struct cred *cred = current_cred(); 
@@ -49872,7 +49919,7 @@ index 20df02c..9b8f78d 100644 /* * We move the actual failure in case of RLIMIT_NPROC excess from * set*uid() to execve() because too many poorly written programs -@@ -1501,12 +1592,27 @@ static int do_execve_common(const char *filename, +@@ -1501,12 +1595,27 @@ static int do_execve_common(const char *filename, if (IS_ERR(file)) goto out_unmark; @@ -49900,7 +49947,7 @@ index 20df02c..9b8f78d 100644 retval = bprm_mm_init(bprm); if (retval) goto out_file; -@@ -1523,24 +1629,65 @@ static int do_execve_common(const char *filename, +@@ -1523,24 +1632,65 @@ static int do_execve_common(const char *filename, if (retval < 0) goto out; @@ -49970,7 +50017,7 @@ index 20df02c..9b8f78d 100644 current->fs->in_exec = 0; current->in_execve = 0; acct_update_integrals(current); -@@ -1549,6 +1696,14 @@ static int do_execve_common(const char *filename, +@@ -1549,6 +1699,14 @@ static int do_execve_common(const char *filename, put_files_struct(displaced); return retval; @@ -49985,7 +50032,7 @@ index 20df02c..9b8f78d 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1697,3 +1852,253 @@ asmlinkage long compat_sys_execve(const char __user * filename, +@@ -1697,3 +1855,253 @@ asmlinkage long compat_sys_execve(const char __user * filename, return error; } #endif @@ -68780,7 +68827,7 @@ index 66e2f7c..ea88001 100644 #endif /* __KERNEL__ */ #endif /* _LINUX_MM_H */ diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h -index f8f5162..6276a36 100644 +index f8f5162..a039af9 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -288,6 +288,8 @@ struct vm_area_struct { 
@@ -68797,7 +68844,7 @@ index f8f5162..6276a36 100644 unsigned long nr_ptes; /* Page table pages */ unsigned long start_code, end_code, start_data, end_data; - unsigned long start_brk, brk, start_stack; -+ unsigned long brk_gap, start_brk, brk, start_stack; ++ unsigned long aslr_gap, start_brk, brk, start_stack; unsigned long arg_start, arg_end, env_start, env_end; unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */ @@ -72264,7 +72311,7 @@ index 84c6bf1..8899338 100644 next_state = Reset; return 0; diff --git a/init/main.c b/init/main.c -index cee4b5c..9c267d9 100644 +index cee4b5c..6a3402b 100644 --- a/init/main.c +++ b/init/main.c @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void) { } @@ -72366,18 +72413,7 @@ index cee4b5c..9c267d9 100644 } return ret; -@@ -743,6 +801,10 @@ static char *initcall_level_names[] __initdata = { - "late", - }; - -+#ifdef CONFIG_PAX_LATENT_ENTROPY -+u64 latent_entropy; -+#endif -+ - static void __init do_initcall_level(int level) - { - extern const struct kernel_param __start___param[], __stop___param[]; -@@ -755,8 +817,14 @@ static void __init do_initcall_level(int level) +@@ -755,8 +813,14 @@ static void __init do_initcall_level(int level) level, level, &repair_env_string); @@ -72386,14 +72422,14 @@ index cee4b5c..9c267d9 100644 do_one_initcall(*fn); + +#ifdef CONFIG_PAX_LATENT_ENTROPY -+ add_device_randomness(&latent_entropy, sizeof(latent_entropy)); ++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy)); +#endif + + } } static void __init do_initcalls(void) -@@ -790,8 +858,14 @@ static void __init do_pre_smp_initcalls(void) +@@ -790,8 +854,14 @@ static void __init do_pre_smp_initcalls(void) { initcall_t *fn; 
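Review bot: The `(const void *)` cast added in front of `&latent_entropy` in the do_initcall_level hunk (and again in the do_pre_smp_initcalls hunk) casts away the volatile qualifier the variable now carries from its definition in the mm/page_alloc.c hunk; for a byte copy into the entropy pool that is harmless, but a cast that drops a qualifier deserves a comment, e.g. `/* cast drops volatile: add_device_randomness only copies the bytes */`. The definition moves from init/main.c to mm/page_alloc.c in this diff, but the declaration through which init/main.c still names `latent_entropy` is not in any hunk shown; it needs to read `extern volatile u64 latent_entropy;` so that it agrees with both the definition and the declaration the gcc plugin now pushes in its start_unit callback, otherwise the front end can be expected to reject the conflicting qualifiers.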
@@ -72402,14 +72438,14 @@ index cee4b5c..9c267d9 100644 do_one_initcall(*fn); + +#ifdef CONFIG_PAX_LATENT_ENTROPY -+ add_device_randomness(&latent_entropy, sizeof(latent_entropy)); ++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy)); +#endif + + } } static int run_init_process(const char *init_filename) -@@ -877,7 +951,7 @@ static noinline void __init kernel_init_freeable(void) +@@ -877,7 +947,7 @@ static noinline void __init kernel_init_freeable(void) do_basic_setup(); /* Open the /dev/console on the rootfs, this should never fail */ @@ -72418,7 +72454,7 @@ index cee4b5c..9c267d9 100644 printk(KERN_WARNING "Warning: unable to open an initial console.\n"); (void) sys_dup(0); -@@ -890,11 +964,13 @@ static noinline void __init kernel_init_freeable(void) +@@ -890,11 +960,13 @@ static noinline void __init kernel_init_freeable(void) if (!ramdisk_execute_command) ramdisk_execute_command = "/init"; @@ -72508,7 +72544,7 @@ index 71a3ca1..cc330ee 100644 if (u->mq_bytes + mq_bytes < u->mq_bytes || u->mq_bytes + mq_bytes > rlimit(RLIMIT_MSGQUEUE)) { diff --git a/ipc/msg.c b/ipc/msg.c -index 950572f..266c15f 100644 +index 950572f..362ea07 100644 --- a/ipc/msg.c +++ b/ipc/msg.c @@ -309,18 +309,19 @@ static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg) 
@@ -72536,6 +72572,40 @@ index 950572f..266c15f 100644 msg_params.key = key; msg_params.flg = msgflg; +@@ -820,15 +821,17 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp, + struct msg_msg *copy = NULL; + unsigned long copy_number = 0; + ++ ns = current->nsproxy->ipc_ns; ++ + if (msqid < 0 || (long) bufsz < 0) + return -EINVAL; + if (msgflg & MSG_COPY) { +- copy = prepare_copy(buf, bufsz, msgflg, &msgtyp, ©_number); ++ copy = prepare_copy(buf, min_t(size_t, bufsz, ns->msg_ctlmax), ++ msgflg, &msgtyp, ©_number); + if (IS_ERR(copy)) + return PTR_ERR(copy); + } + mode = convert_mode(&msgtyp, msgflg); +- ns = current->nsproxy->ipc_ns; + + msq = msg_lock_check(ns, msqid); + if (IS_ERR(msq)) { +diff --git a/ipc/msgutil.c b/ipc/msgutil.c +index ebfcbfa..5df8e4b 100644 +--- a/ipc/msgutil.c ++++ b/ipc/msgutil.c +@@ -117,9 +117,6 @@ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst) + if (alen > DATALEN_MSG) + alen = DATALEN_MSG; + +- dst->next = NULL; +- dst->security = NULL; +- + memcpy(dst + 1, src + 1, alen); + + len -= alen; diff --git a/ipc/sem.c b/ipc/sem.c index 58d31f1..cce7a55 100644 --- a/ipc/sem.c @@ -76688,7 +76758,7 @@ index 81fa536..6ccf96a 100644 int this_cpu = smp_processor_id(); struct rq *this_rq = cpu_rq(this_cpu); diff --git a/kernel/signal.c b/kernel/signal.c -index 3d09cf6..a67d2c6 100644 +index 3d09cf6..8988390 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -50,12 +50,12 @@ static struct kmem_cache *sigqueue_cachep; 
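Review bot: The msgutil.c part of this hunk changes copy_msg's behaviour — it no longer clears `dst->next` and `dst->security` — and nothing in the hunk says why, so the next cleanup is liable to put the two lines back; a comment at that spot, e.g. `/* dst keeps its own segment chain and security blob; only the payload is copied */`, would pin the intent (that dst arrives with its own chain is what the removal implies, not something visible here). The msg.c part clamps the size handed to prepare_copy to `ns->msg_ctlmax`, which bounds the allocation a caller can request through `bufsz` under MSG_COPY; moving `ns = current->nsproxy->ipc_ns;` ahead of the argument checks is what makes that possible, and dropping the later assignment means `ns` is set on every path through the lines shown. do_msgrcv's body continues outside the hunk.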
@@ -76725,7 +76795,17 @@ index 3d09cf6..a67d2c6 100644 if (override_rlimit || atomic_read(&user->sigpending) <= task_rlimit(t, RLIMIT_SIGPENDING)) { -@@ -492,7 +495,7 @@ flush_signal_handlers(struct task_struct *t, int force_default) +@@ -485,6 +488,9 @@ flush_signal_handlers(struct task_struct *t, int force_default) + if (force_default || ka->sa.sa_handler != SIG_IGN) + ka->sa.sa_handler = SIG_DFL; + ka->sa.sa_flags = 0; ++#ifdef SA_RESTORER ++ ka->sa.sa_restorer = NULL; ++#endif + sigemptyset(&ka->sa.sa_mask); + ka++; + } +@@ -492,7 +498,7 @@ flush_signal_handlers(struct task_struct *t, int force_default) int unhandled_signal(struct task_struct *tsk, int sig) { @@ -76734,7 +76814,7 @@ index 3d09cf6..a67d2c6 100644 if (is_global_init(tsk)) return 1; if (handler != SIG_IGN && handler != SIG_DFL) -@@ -812,6 +815,13 @@ static int check_kill_permission(int sig, struct siginfo *info, +@@ -812,6 +818,13 @@ static int check_kill_permission(int sig, struct siginfo *info, } } @@ -76748,7 +76828,7 @@ index 3d09cf6..a67d2c6 100644 return security_task_kill(t, info, sig, 0); } -@@ -1194,7 +1204,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) +@@ -1194,7 +1207,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) return send_signal(sig, info, p, 1); } @@ -76757,7 +76837,7 @@ index 3d09cf6..a67d2c6 100644 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t) { return send_signal(sig, info, t, 0); -@@ -1231,6 +1241,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) +@@ -1231,6 +1244,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) unsigned long int flags; int ret, blocked, ignored; struct k_sigaction *action; 
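Review bot: The `ka->sa.sa_restorer = NULL;` added in flush_signal_handlers carries no comment, and because the neighbouring lines reset `sa_handler` and `sa_flags` it is not obvious that the restorer needs the same treatment; add `/* the restorer is a userspace address of the old image; it must not survive exec */` so the reset is not dropped as redundant. Without it a trampoline address from the previous image could presumably be read back by the new image, which weakens address-space randomization. The `#ifdef SA_RESTORER` guard is correct, since not every architecture defines the field. The enclosing loop starts outside the hunk.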
@@ -76765,7 +76845,7 @@ index 3d09cf6..a67d2c6 100644 spin_lock_irqsave(&t->sighand->siglock, flags); action = &t->sighand->action[sig-1]; -@@ -1245,9 +1256,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) +@@ -1245,9 +1259,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t) } if (action->sa.sa_handler == SIG_DFL) t->signal->flags &= ~SIGNAL_UNKILLABLE; @@ -76784,7 +76864,7 @@ index 3d09cf6..a67d2c6 100644 return ret; } -@@ -1314,8 +1334,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) +@@ -1314,8 +1337,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p) ret = check_kill_permission(sig, info, p); rcu_read_unlock(); @@ -76797,7 +76877,7 @@ index 3d09cf6..a67d2c6 100644 return ret; } -@@ -2852,7 +2875,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) +@@ -2852,7 +2878,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) int error = -ESRCH; rcu_read_lock(); @@ -76814,7 +76894,7 @@ index 3d09cf6..a67d2c6 100644 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) { error = check_kill_permission(sig, info, p); /* -@@ -3135,8 +3166,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack, +@@ -3135,8 +3169,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack, } seg = get_fs(); set_fs(KERNEL_DS); @@ -80133,7 +80213,7 @@ index c9bd528..da8d069 100644 capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); diff --git a/mm/mmap.c b/mm/mmap.c -index 8832b87..7d36e4f 100644 +index 8832b87..20500c1 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -32,6 +32,7 @@ @@ -81299,7 +81379,7 @@ index 8832b87..7d36e4f 100644 +#ifdef CONFIG_PAX_RANDMMAP + if (mm->pax_flags & MF_PAX_RANDMMAP) -+ cur -= mm->brk_gap; ++ cur -= mm->aslr_gap; +#endif + + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1); @@ -81717,10 +81797,18 @@ index 0713bfb..e3774e0 100644 .next = NULL, }; 
diff --git a/mm/page_alloc.c b/mm/page_alloc.c -index 6a83cd3..bc2dcb6 100644 +index 6a83cd3..3ab04ef 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c -@@ -338,7 +338,7 @@ out: +@@ -58,6 +58,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -338,7 +339,7 @@ out: * This usage means that zero-order pages may not be compound. */ @@ -81729,7 +81817,7 @@ index 6a83cd3..bc2dcb6 100644 { __free_pages_ok(page, compound_order(page)); } -@@ -693,6 +693,10 @@ static bool free_pages_prepare(struct page *page, unsigned int order) +@@ -693,6 +694,10 @@ static bool free_pages_prepare(struct page *page, unsigned int order) int i; int bad = 0; @@ -81740,7 +81828,7 @@ index 6a83cd3..bc2dcb6 100644 trace_mm_page_free(page, order); kmemcheck_free_shadow(page, order); -@@ -708,6 +712,12 @@ static bool free_pages_prepare(struct page *page, unsigned int order) +@@ -708,6 +713,12 @@ static bool free_pages_prepare(struct page *page, unsigned int order) debug_check_no_obj_freed(page_address(page), PAGE_SIZE << order); } 
@@ -81753,7 +81841,47 @@ index 6a83cd3..bc2dcb6 100644 arch_free_page(page, order); kernel_map_pages(page, 1 << order, 0); -@@ -861,8 +871,10 @@ static int prep_new_page(struct page *page, int order, gfp_t gfp_flags) +@@ -730,6 +741,19 @@ static void __free_pages_ok(struct page *page, unsigned int order) + local_irq_restore(flags); + } + ++#ifdef CONFIG_PAX_LATENT_ENTROPY ++bool __meminitdata extra_latent_entropy; ++ ++static int __init setup_pax_extra_latent_entropy(char *str) ++{ ++ extra_latent_entropy = true; ++ return 0; ++} ++early_param("pax_extra_latent_entropy", setup_pax_extra_latent_entropy); ++ ++volatile u64 latent_entropy; ++#endif ++ + /* + * Read access to zone->managed_pages is safe because it's unsigned long, + * but we still need to serialize writers. Currently all callers of +@@ -752,6 +776,19 @@ void __meminit __free_pages_bootmem(struct page *page, unsigned int order) + set_page_count(p, 0); + } + ++#ifdef CONFIG_PAX_LATENT_ENTROPY ++ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) { ++ u64 hash = 0; ++ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash; ++ const u64 *data = lowmem_page_address(page); ++ ++ for (index = 0; index < end; index++) ++ hash ^= hash + data[index]; ++ latent_entropy ^= hash; ++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy)); ++ } ++#endif ++ + page_zone(page)->managed_pages += 1 << order; + set_page_refcounted(page); + __free_pages(page, order); +@@ -861,8 +898,10 @@ static int prep_new_page(struct page *page, int order, gfp_t gfp_flags) arch_alloc_page(page, order); kernel_map_pages(page, 1 << order, 1); 
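Review bot: `page_to_pfn(page) < 0x100000` in the block added to __free_pages_bootmem is a bare magic number that equals the "first 4GB" of the Kconfig help text only when PAGE_SIZE is 4 KiB; spell it in terms of the page size under a name, for example `#define PAX_EXTRA_LATENT_ENTROPY_MAX_PFN (1UL << (32 - PAGE_SHIFT))`, and put a one-line comment on the loop saying it folds the raw contents of the page being freed into `latent_entropy`. `nr_pages`, used to compute `end`, is set above the visible lines, and the non-atomic `latent_entropy ^= hash` on the volatile global is presumably acceptable only because this path is not expected to run concurrently with itself, which a comment should state. `setup_pax_extra_latent_entropy` ignores its `str` argument, which is consistent with the parameter being a bare flag. The enclosing function starts outside the hunk.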
@@ -81764,7 +81892,7 @@ index 6a83cd3..bc2dcb6 100644 if (order && (gfp_flags & __GFP_COMP)) prep_compound_page(page, order); -@@ -3752,7 +3764,13 @@ static int pageblock_is_reserved(unsigned long start_pfn, unsigned long end_pfn) +@@ -3752,7 +3791,13 @@ static int pageblock_is_reserved(unsigned long start_pfn, unsigned long end_pfn) unsigned long pfn; for (pfn = start_pfn; pfn < end_pfn; pfn++) { @@ -83712,6 +83840,42 @@ index bd6fd0f..6492cba 100644 spin_unlock_irqrestore(&dev->port.lock, flags); if (dev->tty_dev->parent) device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST); +diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c +index acc9f4c..2897e40 100644 +--- a/net/bridge/br_mdb.c ++++ b/net/bridge/br_mdb.c +@@ -82,6 +82,7 @@ static int br_mdb_fill_info(struct sk_buff *skb, struct netlink_callback *cb, + port = p->port; + if (port) { + struct br_mdb_entry e; ++ memset(&e, 0, sizeof(e)); + e.ifindex = port->dev->ifindex; + e.state = p->state; + if (p->addr.proto == htons(ETH_P_IP)) +@@ -138,6 +139,7 @@ static int br_mdb_dump(struct sk_buff *skb, struct netlink_callback *cb) + break; + + bpm = nlmsg_data(nlh); ++ memset(bpm, 0, sizeof(*bpm)); + bpm->ifindex = dev->ifindex; + if (br_mdb_fill_info(skb, cb, dev) < 0) + goto out; +@@ -173,6 +175,7 @@ static int nlmsg_populate_mdb_fill(struct sk_buff *skb, + return -EMSGSIZE; + + bpm = nlmsg_data(nlh); ++ memset(bpm, 0, sizeof(*bpm)); + bpm->family = AF_BRIDGE; + bpm->ifindex = dev->ifindex; + nest = nla_nest_start(skb, MDBA_MDB); +@@ -230,6 +233,7 @@ void br_mdb_notify(struct net_device *dev, struct net_bridge_port *port, + { + struct br_mdb_entry entry; + ++ memset(&entry, 0, sizeof(entry)); + entry.ifindex = port->dev->ifindex; + entry.addr.proto = group->proto; + entry.addr.u.ip4 = group->u.ip4; diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 5fe2ff3..121d696 100644 --- a/net/bridge/netfilter/ebtables.c @@ -84216,7 +84380,7 @@ index 8acce01..2e306bb 100644 return error; } 
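Review bot: The four `memset` calls added in br_mdb.c sit directly above assignments to every field the code goes on to use, so without a comment they read as redundant and are exactly what a later cleanup removes; put `/* zero padding and unused union bytes: the struct is presumably copied out whole by nla_put */` on the first one and refer to it from the others. The same applies to the `memset(ivi.mac, 0, ...)` added in the rtnetlink.c hunk and to the memsets on the `ets`, `maxrate`, `pfc` and `pg` locals in the dcbnl.c hunks, where the `nla_put` of the whole struct is visible a few lines below. In br_mdb_dump and nlmsg_populate_mdb_fill the cleared object is the netlink payload itself (`bpm`), where a stale byte reaches any receiver of the message, which is worth stating too.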
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c -index 1868625..b1b1284 100644 +index 1868625..e2261f5 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -58,7 +58,7 @@ struct rtnl_link { @@ -84254,6 +84418,14 @@ index 1868625..b1b1284 100644 } EXPORT_SYMBOL_GPL(__rtnl_link_unregister); +@@ -976,6 +979,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev, + * report anything. + */ + ivi.spoofchk = -1; ++ memset(ivi.mac, 0, sizeof(ivi.mac)); + if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi)) + break; + vf_mac.vf = diff --git a/net/core/scm.c b/net/core/scm.c index 905dcc6..14ee2d6 100644 --- a/net/core/scm.c 
@@ -84551,6 +84723,74 @@ index d1b0804..4aed0a5 100644 .init = sysctl_core_net_init, .exit = sysctl_core_net_exit, }; +diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c +index 1b588e2..21291f1 100644 +--- a/net/dcb/dcbnl.c ++++ b/net/dcb/dcbnl.c +@@ -284,6 +284,7 @@ static int dcbnl_getperm_hwaddr(struct net_device *netdev, struct nlmsghdr *nlh, + if (!netdev->dcbnl_ops->getpermhwaddr) + return -EOPNOTSUPP; + ++ memset(perm_addr, 0, sizeof(perm_addr)); + netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr); + + return nla_put(skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), perm_addr); +@@ -1042,6 +1043,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev) + + if (ops->ieee_getets) { + struct ieee_ets ets; ++ memset(&ets, 0, sizeof(ets)); + err = ops->ieee_getets(netdev, &ets); + if (!err && + nla_put(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets)) +@@ -1050,6 +1052,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev) + + if (ops->ieee_getmaxrate) { + struct ieee_maxrate maxrate; ++ memset(&maxrate, 0, sizeof(maxrate)); + err = ops->ieee_getmaxrate(netdev, &maxrate); + if (!err) { + err = nla_put(skb, DCB_ATTR_IEEE_MAXRATE, +@@ -1061,6 +1064,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev) + + if (ops->ieee_getpfc) { + struct ieee_pfc pfc; ++ memset(&pfc, 0, sizeof(pfc)); + err = ops->ieee_getpfc(netdev, &pfc); + if (!err && + nla_put(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc)) +@@ -1094,6 +1098,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev) + /* get peer info if available */ + if (ops->ieee_peer_getets) { + struct ieee_ets ets; ++ memset(&ets, 0, sizeof(ets)); + err = ops->ieee_peer_getets(netdev, &ets); + if (!err && + nla_put(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets)) +@@ -1102,6 +1107,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev) + + if (ops->ieee_peer_getpfc) { + struct ieee_pfc pfc; ++ memset(&pfc, 0, sizeof(pfc)); 
+ err = ops->ieee_peer_getpfc(netdev, &pfc); + if (!err && + nla_put(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc)) +@@ -1280,6 +1286,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev) + /* peer info if available */ + if (ops->cee_peer_getpg) { + struct cee_pg pg; ++ memset(&pg, 0, sizeof(pg)); + err = ops->cee_peer_getpg(netdev, &pg); + if (!err && + nla_put(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg)) +@@ -1288,6 +1295,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev) + + if (ops->cee_peer_getpfc) { + struct cee_pfc pfc; ++ memset(&pfc, 0, sizeof(pfc)); + err = ops->cee_peer_getpfc(netdev, &pfc); + if (!err && + nla_put(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc)) diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c index 307c322..78a4c6f 100644 --- a/net/decnet/af_decnet.c @@ -89156,10 +89396,10 @@ index e4fd45b..2eeb5c4 100644 shdr = (Elf_Shdr *)((char *)ehdr + _r(&ehdr->e_shoff)); shstrtab_sec = shdr + r2(&ehdr->e_shstrndx); diff --git a/security/Kconfig b/security/Kconfig -index e9c6ac7..da94e8b 100644 +index e9c6ac7..952353c 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,920 @@ +@@ -4,6 +4,925 @@ menu "Security options" @@ -90060,6 +90300,11 @@ index e9c6ac7..da94e8b 100644 + there is little 'natural' source of entropy normally. The cost + is some slowdown of the boot process. + ++ When pax_extra_latent_entropy is passed on the kernel command line, ++ entropy will be extracted from up to the first 4GB of RAM while the ++ runtime memory allocator is being initialized. This costs even more ++ slowdown of the boot process. ++ + Note that the implementation requires a gcc with plugin support, + i.e., gcc 4.5 or newer. You may need to install the supporting + headers explicitly in addition to the normal gcc package. 
@@ -90080,7 +90325,7 @@ index e9c6ac7..da94e8b 100644 source security/keys/Kconfig config SECURITY_DMESG_RESTRICT -@@ -103,7 +1017,7 @@ config INTEL_TXT +@@ -103,7 +1022,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX @@ -92708,10 +92953,10 @@ index 0000000..0408e06 +} diff --git a/tools/gcc/latent_entropy_plugin.c b/tools/gcc/latent_entropy_plugin.c new file mode 100644 -index 0000000..1276616 +index 0000000..b5395ba --- /dev/null +++ b/tools/gcc/latent_entropy_plugin.c -@@ -0,0 +1,321 @@ +@@ -0,0 +1,327 @@ +/* + * Copyright 2012-2013 by the PaX Team + * Licensed under the GPL v2 @@ -92752,6 +92997,7 @@ index 0000000..1276616 +#include "rtl.h" +#include "emit-rtl.h" +#include "tree-flow.h" ++#include "langhooks.h" + +#if BUILDING_GCC_VERSION >= 4008 +#define TODO_dump_func 0 @@ -92762,7 +93008,7 @@ index 0000000..1276616 +static tree latent_entropy_decl; + +static struct plugin_info latent_entropy_plugin_info = { -+ .version = "201302112000", ++ .version = "201303102320", + .help = NULL +}; + @@ -92986,6 +93232,8 @@ index 0000000..1276616 + +static void start_unit_callback(void *gcc_data, void *user_data) +{ ++ tree latent_entropy_type; ++ +#if BUILDING_GCC_VERSION >= 4007 + seed = get_random_seed(false); +#else 
@@ -92996,16 +93244,19 @@ index 0000000..1276616 + if (in_lto_p) + return; + -+ // extern u64 latent_entropy -+ latent_entropy_decl = build_decl(UNKNOWN_LOCATION, VAR_DECL, get_identifier("latent_entropy"), unsigned_intDI_type_node); ++ // extern volatile u64 latent_entropy ++ gcc_assert(TYPE_PRECISION(long_long_unsigned_type_node) == 64); ++ latent_entropy_type = build_qualified_type(long_long_unsigned_type_node, TYPE_QUALS(long_long_unsigned_type_node) | TYPE_QUAL_VOLATILE); ++ latent_entropy_decl = build_decl(UNKNOWN_LOCATION, VAR_DECL, get_identifier("latent_entropy"), latent_entropy_type); + + TREE_STATIC(latent_entropy_decl) = 1; + TREE_PUBLIC(latent_entropy_decl) = 1; + TREE_USED(latent_entropy_decl) = 1; + TREE_THIS_VOLATILE(latent_entropy_decl) = 1; + DECL_EXTERNAL(latent_entropy_decl) = 1; -+ DECL_ARTIFICIAL(latent_entropy_decl) = 0; ++ DECL_ARTIFICIAL(latent_entropy_decl) = 1; + DECL_INITIAL(latent_entropy_decl) = NULL; ++ lang_hooks.decls.pushdecl(latent_entropy_decl); +// DECL_ASSEMBLER_NAME(latent_entropy_decl); +// varpool_finalize_decl(latent_entropy_decl); +// varpool_mark_needed_node(latent_entropy_decl);
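Review bot: `lang_hooks.decls.pushdecl(latent_entropy_decl)` makes the plugin's `extern volatile` declaration of `latent_entropy` part of the front end's scope from the start of the unit, so a kernel header that also declares the symbol now has to use the identical type — `extern volatile u64 latent_entropy;` — or the C front end can be expected to reject the unit for conflicting qualifiers; no such header hunk is in this diff, so it is worth checking together with the `volatile u64 latent_entropy;` definition in the mm/page_alloc.c hunk. `gcc_assert(TYPE_PRECISION(long_long_unsigned_type_node) == 64)` turns a mismatch into an internal compiler error rather than a diagnostic; an `error()` call followed by a return would be friendlier, though an ICE on a target without a 64-bit long long is arguably acceptable here. `DECL_ARTIFICIAL` flips from 0 to 1 in this hunk without a comment; one line saying why (presumably so the compiler-generated declaration does not surface in user-facing diagnostics) would help. The enclosing start_unit_callback starts outside the hunk.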