update to new grsec - merged

Merge remote-tracking branch '0x20c24/master'

changelog

@@ -1,3 +1,9 @@
+linux-image (linux-3.2.66-mempo-0.2.106) UNRELEASED; urgency=high
+  * grsec: pax and upstream fixes
+  * v0.2.106-001-rc
+
+ -- mempo <mempo@mempo.org>  Fri, 06 Feb 2015 09:15:00 +0200
+
 linux-image (linux-3.2.66-mempo-0.2.105) UNRELEASED; urgency=high
   * grsec: fix rcu lock imbalance upstream bug
   * v0.2.105-001-rc

kernel-build/linux-mempo/configs-kernel/deb7-desk.kernel-config

@@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y
 CONFIG_EXPERIMENTAL=y
 CONFIG_INIT_ENV_ARG_LIMIT=32
 CONFIG_CROSS_COMPILE=""
-CONFIG_LOCALVERSION="-mempo.desk.0.2.105"
+CONFIG_LOCALVERSION="-mempo.desk.0.2.106"
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_HAVE_KERNEL_GZIP=y
 CONFIG_HAVE_KERNEL_BZIP2=y

kernel-build/linux-mempo/configs-kernel/deb7-deskmax.kernel-config

@@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y
 CONFIG_EXPERIMENTAL=y
 CONFIG_INIT_ENV_ARG_LIMIT=32
 CONFIG_CROSS_COMPILE=""
-CONFIG_LOCALVERSION="-mempo.deskmax.0.2.105"
+CONFIG_LOCALVERSION="-mempo.deskmax.0.2.106"
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_HAVE_KERNEL_GZIP=y
 CONFIG_HAVE_KERNEL_BZIP2=y

kernel-build/linux-mempo/configs-kernel/deb7-deskmaxdbg.kernel-config

@@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y
 CONFIG_EXPERIMENTAL=y
 CONFIG_INIT_ENV_ARG_LIMIT=32
 CONFIG_CROSS_COMPILE=""
-CONFIG_LOCALVERSION="-mempo.deskmaxdbg.0.2.105"
+CONFIG_LOCALVERSION="-mempo.deskmaxdbg.0.2.106"
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_HAVE_KERNEL_GZIP=y
 CONFIG_HAVE_KERNEL_BZIP2=y

kernel-build/linux-mempo/configs-kernel/deb7-insecuregrsoff.kernel-config

@@ -62,11 +62,7 @@ CONFIG_IRQ_WORK=y
 CONFIG_EXPERIMENTAL=y
 CONFIG_INIT_ENV_ARG_LIMIT=32
 CONFIG_CROSS_COMPILE=""
-<<<<<<< HEAD:kernel-build/linux-mempo/configs-kernel/deb7-insecuregrsoff.kernel-config
-CONFIG_LOCALVERSION="-mempo.insecuregrsoff.0.2.104"
-=======
-CONFIG_LOCALVERSION="-mempo.INSECUREgrsOFF.0.2.105"
->>>>>>> 0x20c24/master:kernel-build/linux-mempo/configs-kernel/deb7-INSECUREgrsOFF.kernel-config
+CONFIG_LOCALVERSION="-mempo.insecuregrsoff.0.2.106"
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_HAVE_KERNEL_GZIP=y
 CONFIG_HAVE_KERNEL_BZIP2=y

kernel-build/linux-mempo/configs-kernel/deb7-serv.kernel-config

@@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y
 CONFIG_EXPERIMENTAL=y
 CONFIG_INIT_ENV_ARG_LIMIT=32
 CONFIG_CROSS_COMPILE=""
-CONFIG_LOCALVERSION="-mempo.serv.0.2.105"
+CONFIG_LOCALVERSION="-mempo.serv.0.2.106"
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_HAVE_KERNEL_GZIP=y
 CONFIG_HAVE_KERNEL_BZIP2=y

kernel-build/linux-mempo/configs-kernel/deb7-servmax.kernel-config

@@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y
 CONFIG_EXPERIMENTAL=y
 CONFIG_INIT_ENV_ARG_LIMIT=32
 CONFIG_CROSS_COMPILE=""
-CONFIG_LOCALVERSION="-mempo.servmax.0.2.105"
+CONFIG_LOCALVERSION="-mempo.servmax.0.2.106"
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_HAVE_KERNEL_GZIP=y
 CONFIG_HAVE_KERNEL_BZIP2=y

kernel-build/linux-mempo/configs-kernel/deb7-servmaxdbg.kernel-config

@@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y
 CONFIG_EXPERIMENTAL=y
 CONFIG_INIT_ENV_ARG_LIMIT=32
 CONFIG_CROSS_COMPILE=""
-CONFIG_LOCALVERSION="-mempo.servmaxdbg.0.2.105"
+CONFIG_LOCALVERSION="-mempo.servmaxdbg.0.2.106"
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_HAVE_KERNEL_GZIP=y
 CONFIG_HAVE_KERNEL_BZIP2=y

kernel-build/linux-mempo/configs-kernel/deb7-zero.kernel-config

@@ -58,7 +58,7 @@ CONFIG_EXPERIMENTAL=y
 CONFIG_BROKEN_ON_SMP=y
 CONFIG_INIT_ENV_ARG_LIMIT=32
 CONFIG_CROSS_COMPILE=""
-CONFIG_LOCALVERSION="-mempo.zero.0.2.105"
+CONFIG_LOCALVERSION="-mempo.zero.0.2.106"
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_HAVE_KERNEL_GZIP=y
 CONFIG_HAVE_KERNEL_BZIP2=y

kernel-build/linux-mempo/env-data.sh

@@ -1,5 +1,5 @@
 # place for STATIC settings for release. [autogenerated] 
 export kernel_general_version="3.2.66" # base version (should match the one is sourcecode.list)
-export KERNEL_DATE='2015-02-05 17:41:37' # UTC time of mempo version. This is > then max(kernel,grsec,patches) times
-export CURRENT_SEED='7e7d82398c3e00474ce640916210297fb31bdb435c7cdfda9f5327795275b1f9' # litecoin block 724068 (*)
+export KERNEL_DATE='2015-02-06 08:34:44' # UTC time of mempo version. This is > then max(kernel,grsec,patches) times
+export CURRENT_SEED='5c4852c394bd645e4bd8534516742ef3aa8a16fdaa49e9d802dd0a1340746f58' # litecoin block 724450 (*)
 export DEBIAN_REVISION='001' # see README.md how to update it on git tag, on rc and final releases

kernel-build/linux-mempo/sourcecode.list

@@ -1,4 +1,4 @@
 V,ID_kernel_vanilla_ID,x,kernel,linux-3.2.66.tar,sha256,49268e647ea9a8732cc6afc949dea2d77a2956653ae0f65e22f7279b3035f9d4,./
-P,ID_grsecurity_main_ID,x,grsecurity,grsecurity-3.0-3.2.66-201502050848.patch,sha256,cae3e7c9c8574548443bb406785504b181366025520dd9b13e276c10180631c4,./tmp-path/
+P,ID_grsecurity_main_ID,x,grsecurity,grsecurity-3.0-3.2.66-201502052350.patch,sha256,b7deea10576f5d107750ffd3d451498e8e0546ab136afd490b05b65063948852,./tmp-path/
 P,ID_mempo_grsec_ID,x,mempo,grsecurity-3.0-3.2.55-201402152203-mempo-extra.patch,sha256,a8e81062e44ea899af688a326aaebcfd86d759da69b39f6ed66b7a8e7bcf9a8d,./tmp-path/
 P,ID_mempo_determ_ID,x,mempo,linux-3.2.57-grsec-deterministic-build.patch,sha256,aca4001855c4c822c78aee90acc8706a3ffb3b5e4d42f07b4ffe827190d77d59,./tmp-path/

kernel-sources/grsecurity/changelog-stable.txt

@@ -1,3 +1,161 @@
+commit 379b0a4d3e2ae5095796d2def99e47b5253fac19
+Merge: ad89d65 307172b
+Author: Brad Spengler <spender@grsecurity.net>
+Date:   Thu Feb 5 22:31:35 2015 -0500
+
+    Merge branch 'pax-stable' into grsec-stable
+
+commit 307172b4c08144555935a189c6599a681cb7a24c
+Author: Brad Spengler <spender@grsecurity.net>
+Date:   Thu Feb 5 22:30:49 2015 -0500
+
+    Update to pax-linux-3.2.66-test164.patch:
+    - fixed STACKLEAK and stack overflow checking interference, reported by Toralf Förster (https://bugs.gentoo.org/show_bug.cgi?id=536514) and KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=4121)
+    - fixed early crash of Xen domU when SSP is enabled (e.g., the default Arch kernel), reported by badchemist
+    - fixed cc-ldoption to work with the HJL fork of binutils, reported by Rogelio M. Serrano Jr.
+    - bring is_valid_bugaddr on amd64 in line with the i386 version, should fix BUG() backtraces
+    - fixed rcu lock imbalance in have_submounts, by Steven Rostedt <rostedt@goodmis.org> (https://lkml.org/lkml/2015/1/17/71), reported by rfree@mempo.org
+
+ arch/x86/kernel/dumpstack_64.c |    2 +-
+ arch/x86/kernel/entry_32.S     |    1 +
+ arch/x86/kernel/entry_64.S     |    1 +
+ arch/x86/kernel/process_32.c   |    2 +-
+ arch/x86/kernel/process_64.c   |    2 +-
+ arch/x86/xen/enlighten.c       |    3 +++
+ fs/dcache.c                    |    4 +++-
+ fs/exec.c                      |    2 +-
+ scripts/Kbuild.include         |    2 +-
+ 9 files changed, 13 insertions(+), 6 deletions(-)
+
+commit ad89d65da4bfbea5fa820fe56ed5e70fabc8247d
+Author: Giel van Schijndel <me@mortis.eu>
+Date:   Tue Jan 6 22:37:00 2015 +0100
+
+    cifs: use memzero_explicit to clear stack buffer
+
+    When leaving a function use memzero_explicit instead of memset(0) to
+    clear stack allocated buffers. memset(0) may be optimized away.
+
+    This particular buffer is highly likely to contain sensitive data which
+    we shouldn't leak (it's named 'passwd' after all).
+
+    Signed-off-by: Giel van Schijndel <me@mortis.eu>
+    Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+    Reported-at: http://www.viva64.com/en/b/0299/
+    Reported-by: Andrey Karpov
+    Reported-by: Svyatoslav Razmyslov
+    Signed-off-by: Steve French <steve.french@primarydata.com>
+
+ fs/cifs/smbencrypt.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 896d0cda0f8bceefe92052c5dfd7ea5d4f51e5ad
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date:   Thu Jan 15 16:34:35 2015 +0100
+
+    net: sctp: fix race for one-to-many sockets in sendmsg's auto associate
+
+    I.e. one-to-many sockets in SCTP are not required to explicitly
+    call into connect(2) or sctp_connectx(2) prior to data exchange.
+    Instead, they can directly invoke sendmsg(2) and the SCTP stack
+    will automatically trigger connection establishment through 4WHS
+    via sctp_primitive_ASSOCIATE(). However, this in its current
+    implementation is racy: INIT is being sent out immediately (as
+    it cannot be bundled anyway) and the rest of the DATA chunks are
+    queued up for later xmit when connection is established, meaning
+    sendmsg(2) will return successfully. This behaviour can result
+    in an undesired side-effect that the kernel made the application
+    think the data has already been transmitted, although none of it
+    has actually left the machine, worst case even after close(2)'ing
+    the socket.
+
+    Instead, when the association from client side has been shut down
+    e.g. first gracefully through SCTP_EOF and then close(2), the
+    client could afterwards still receive the server's INIT_ACK due
+    to a connection with higher latency. This INIT_ACK is then considered
+    out of the blue and hence responded with ABORT as there was no
+    alive assoc found anymore. This can be easily reproduced f.e.
+    with sctp_test application from lksctp. One way to fix this race
+    is to wait for the handshake to actually complete.
+
+    The fix defers waiting after sctp_primitive_ASSOCIATE() and
+    sctp_primitive_SEND() succeeded, so that DATA chunks cooked up
+    from sctp_sendmsg() have already been placed into the output
+    queue through the side-effect interpreter, and therefore can then
+    be bundeled together with COOKIE_ECHO control chunks.
+
+    strace from example application (shortened):
+
+    socket(PF_INET, SOCK_SEQPACKET, IPPROTO_SCTP) = 3
+    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
+               msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
+    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
+               msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
+    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
+               msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
+    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
+               msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
+    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
+               msg_iov(0)=[], msg_controllen=48, {cmsg_len=48, cmsg_level=0x84 /* SOL_??? */, cmsg_type=, ...},
+               msg_flags=0}, 0) = 0 // graceful shutdown for SOCK_SEQPACKET via SCTP_EOF
+    close(3) = 0
+
+    tcpdump before patch (fooling the application):
+
+    22:33:36.306142 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 3879023686] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3139201684]
+    22:33:36.316619 IP 192.168.1.115.8888 > 192.168.1.114.41462: sctp (1) [INIT ACK] [init tag: 3345394793] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 3380109591]
+    22:33:36.317600 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [ABORT]
+
+    tcpdump after patch:
+
+    14:28:58.884116 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 438593213] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3092969729]
+    14:28:58.888414 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [INIT ACK] [init tag: 381429855] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 2141904492]
+    14:28:58.888638 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [COOKIE ECHO] , (2) [DATA] (B)(E) [TSN: 3092969729] [...]
+    14:28:58.893278 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [COOKIE ACK] , (2) [SACK] [cum ack 3092969729] [a_rwnd 106491] [#gap acks 0] [#dup tsns 0]
+    14:28:58.893591 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969730] [...]
+    14:28:59.096963 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969730] [a_rwnd 106496] [#gap acks 0] [#dup tsns 0]
+    14:28:59.097086 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969731] [...] , (2) [DATA] (B)(E) [TSN: 3092969732] [...]
+    14:28:59.103218 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969732] [a_rwnd 106486] [#gap acks 0] [#dup tsns 0]
+    14:28:59.103330 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN]
+    14:28:59.107793 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SHUTDOWN ACK]
+    14:28:59.107890 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN COMPLETE]
+
+    Looks like this bug is from the pre-git history museum. ;)
+
+    Fixes: 08707d5482df ("lksctp-2_5_31-0_5_1.patch")
+    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
+
+    Conflicts:
+
+    	net/sctp/socket.c
+
+    Conflicts:
+
+    	net/sctp/socket.c
+
+ net/sctp/socket.c |    7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit 28e7551a10df3b00676519fa269fc9f21562eefd
+Author: Sasha Levin <sasha.levin@oracle.com>
+Date:   Tue Feb 3 08:55:58 2015 -0500
+
+    net: rds: use correct size for max unacked packets and bytes
+
+    Max unacked packets/bytes is an int while sizeof(long) was used in the
+    sysctl table.
+
+    This means that when they were getting read we'd also leak kernel memory
+    to userspace along with the timeout values.
+
+    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/rds/sysctl.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
 commit ebb75bc888f1613c4e332a48b883b463e492ed63
 Author: Brad Spengler <spender@grsecurity.net>
 Date:   Thu Feb 5 08:09:18 2015 -0500