Skip to content
Permalink
Browse files

update to new grsec - merged

Merge remote-tracking branch '0x20c24/master'
  • Loading branch information...
rfree-mempo
rfree-mempo committed Feb 6, 2015
2 parents 53a0818 + 156e5bf commit 019e088492d5662bc611cb6cc5eee44c14429706
@@ -1,3 +1,9 @@
linux-image (linux-3.2.66-mempo-0.2.106) UNRELEASED; urgency=high
* grsec: pax and upstream fixes
* v0.2.106-001-rc

-- mempo <mempo@mempo.org> Fri, 06 Feb 2015 09:15:00 +0200

linux-image (linux-3.2.66-mempo-0.2.105) UNRELEASED; urgency=high
* grsec: fix rcu lock imbalance upstream bug
* v0.2.105-001-rc
@@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y
CONFIG_EXPERIMENTAL=y
CONFIG_INIT_ENV_ARG_LIMIT=32
CONFIG_CROSS_COMPILE=""
CONFIG_LOCALVERSION="-mempo.desk.0.2.105"
CONFIG_LOCALVERSION="-mempo.desk.0.2.106"
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_HAVE_KERNEL_GZIP=y
CONFIG_HAVE_KERNEL_BZIP2=y
@@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y
CONFIG_EXPERIMENTAL=y
CONFIG_INIT_ENV_ARG_LIMIT=32
CONFIG_CROSS_COMPILE=""
CONFIG_LOCALVERSION="-mempo.deskmax.0.2.105"
CONFIG_LOCALVERSION="-mempo.deskmax.0.2.106"
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_HAVE_KERNEL_GZIP=y
CONFIG_HAVE_KERNEL_BZIP2=y
@@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y
CONFIG_EXPERIMENTAL=y
CONFIG_INIT_ENV_ARG_LIMIT=32
CONFIG_CROSS_COMPILE=""
CONFIG_LOCALVERSION="-mempo.deskmaxdbg.0.2.105"
CONFIG_LOCALVERSION="-mempo.deskmaxdbg.0.2.106"
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_HAVE_KERNEL_GZIP=y
CONFIG_HAVE_KERNEL_BZIP2=y
@@ -62,11 +62,7 @@ CONFIG_IRQ_WORK=y
CONFIG_EXPERIMENTAL=y
CONFIG_INIT_ENV_ARG_LIMIT=32
CONFIG_CROSS_COMPILE=""
<<<<<<< HEAD:kernel-build/linux-mempo/configs-kernel/deb7-insecuregrsoff.kernel-config
CONFIG_LOCALVERSION="-mempo.insecuregrsoff.0.2.104"
=======
CONFIG_LOCALVERSION="-mempo.INSECUREgrsOFF.0.2.105"
>>>>>>> 0x20c24/master:kernel-build/linux-mempo/configs-kernel/deb7-INSECUREgrsOFF.kernel-config
CONFIG_LOCALVERSION="-mempo.insecuregrsoff.0.2.106"
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_HAVE_KERNEL_GZIP=y
CONFIG_HAVE_KERNEL_BZIP2=y
@@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y
CONFIG_EXPERIMENTAL=y
CONFIG_INIT_ENV_ARG_LIMIT=32
CONFIG_CROSS_COMPILE=""
CONFIG_LOCALVERSION="-mempo.serv.0.2.105"
CONFIG_LOCALVERSION="-mempo.serv.0.2.106"
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_HAVE_KERNEL_GZIP=y
CONFIG_HAVE_KERNEL_BZIP2=y
@@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y
CONFIG_EXPERIMENTAL=y
CONFIG_INIT_ENV_ARG_LIMIT=32
CONFIG_CROSS_COMPILE=""
CONFIG_LOCALVERSION="-mempo.servmax.0.2.105"
CONFIG_LOCALVERSION="-mempo.servmax.0.2.106"
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_HAVE_KERNEL_GZIP=y
CONFIG_HAVE_KERNEL_BZIP2=y
@@ -62,7 +62,7 @@ CONFIG_IRQ_WORK=y
CONFIG_EXPERIMENTAL=y
CONFIG_INIT_ENV_ARG_LIMIT=32
CONFIG_CROSS_COMPILE=""
CONFIG_LOCALVERSION="-mempo.servmaxdbg.0.2.105"
CONFIG_LOCALVERSION="-mempo.servmaxdbg.0.2.106"
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_HAVE_KERNEL_GZIP=y
CONFIG_HAVE_KERNEL_BZIP2=y
@@ -58,7 +58,7 @@ CONFIG_EXPERIMENTAL=y
CONFIG_BROKEN_ON_SMP=y
CONFIG_INIT_ENV_ARG_LIMIT=32
CONFIG_CROSS_COMPILE=""
CONFIG_LOCALVERSION="-mempo.zero.0.2.105"
CONFIG_LOCALVERSION="-mempo.zero.0.2.106"
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_HAVE_KERNEL_GZIP=y
CONFIG_HAVE_KERNEL_BZIP2=y
@@ -1,5 +1,5 @@
# place for STATIC settings for release. [autogenerated]
export kernel_general_version="3.2.66" # base version (should match the one is sourcecode.list)
export KERNEL_DATE='2015-02-05 17:41:37' # UTC time of mempo version. This is > then max(kernel,grsec,patches) times
export CURRENT_SEED='7e7d82398c3e00474ce640916210297fb31bdb435c7cdfda9f5327795275b1f9' # litecoin block 724068 (*)
export KERNEL_DATE='2015-02-06 08:34:44' # UTC time of mempo version. This is > then max(kernel,grsec,patches) times
export CURRENT_SEED='5c4852c394bd645e4bd8534516742ef3aa8a16fdaa49e9d802dd0a1340746f58' # litecoin block 724450 (*)
export DEBIAN_REVISION='001' # see README.md how to update it on git tag, on rc and final releases
@@ -1,4 +1,4 @@
V,ID_kernel_vanilla_ID,x,kernel,linux-3.2.66.tar,sha256,49268e647ea9a8732cc6afc949dea2d77a2956653ae0f65e22f7279b3035f9d4,./
P,ID_grsecurity_main_ID,x,grsecurity,grsecurity-3.0-3.2.66-201502050848.patch,sha256,cae3e7c9c8574548443bb406785504b181366025520dd9b13e276c10180631c4,./tmp-path/
P,ID_grsecurity_main_ID,x,grsecurity,grsecurity-3.0-3.2.66-201502052350.patch,sha256,b7deea10576f5d107750ffd3d451498e8e0546ab136afd490b05b65063948852,./tmp-path/
P,ID_mempo_grsec_ID,x,mempo,grsecurity-3.0-3.2.55-201402152203-mempo-extra.patch,sha256,a8e81062e44ea899af688a326aaebcfd86d759da69b39f6ed66b7a8e7bcf9a8d,./tmp-path/
P,ID_mempo_determ_ID,x,mempo,linux-3.2.57-grsec-deterministic-build.patch,sha256,aca4001855c4c822c78aee90acc8706a3ffb3b5e4d42f07b4ffe827190d77d59,./tmp-path/
@@ -1,3 +1,161 @@
commit 379b0a4d3e2ae5095796d2def99e47b5253fac19
Merge: ad89d65 307172b
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Feb 5 22:31:35 2015 -0500

Merge branch 'pax-stable' into grsec-stable

commit 307172b4c08144555935a189c6599a681cb7a24c
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Feb 5 22:30:49 2015 -0500

Update to pax-linux-3.2.66-test164.patch:
- fixed STACKLEAK and stack overflow checking interference, reported by Toralf Förster (https://bugs.gentoo.org/show_bug.cgi?id=536514) and KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=4121)
- fixed early crash of Xen domU when SSP is enabled (e.g., the default Arch kernel), reported by badchemist
- fixed cc-ldoption to work with the HJL fork of binutils, reported by Rogelio M. Serrano Jr.
- bring is_valid_bugaddr on amd64 in line with the i386 version, should fix BUG() backtraces
- fixed rcu lock imbalance in have_submounts, by Steven Rostedt <rostedt@goodmis.org> (https://lkml.org/lkml/2015/1/17/71), reported by rfree@mempo.org

arch/x86/kernel/dumpstack_64.c | 2 +-
arch/x86/kernel/entry_32.S | 1 +
arch/x86/kernel/entry_64.S | 1 +
arch/x86/kernel/process_32.c | 2 +-
arch/x86/kernel/process_64.c | 2 +-
arch/x86/xen/enlighten.c | 3 +++
fs/dcache.c | 4 +++-
fs/exec.c | 2 +-
scripts/Kbuild.include | 2 +-
9 files changed, 13 insertions(+), 6 deletions(-)

commit ad89d65da4bfbea5fa820fe56ed5e70fabc8247d
Author: Giel van Schijndel <me@mortis.eu>
Date: Tue Jan 6 22:37:00 2015 +0100

cifs: use memzero_explicit to clear stack buffer

When leaving a function use memzero_explicit instead of memset(0) to
clear stack allocated buffers. memset(0) may be optimized away.

This particular buffer is highly likely to contain sensitive data which
we shouldn't leak (it's named 'passwd' after all).

Signed-off-by: Giel van Schijndel <me@mortis.eu>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Reported-at: http://www.viva64.com/en/b/0299/
Reported-by: Andrey Karpov
Reported-by: Svyatoslav Razmyslov
Signed-off-by: Steve French <steve.french@primarydata.com>

fs/cifs/smbencrypt.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 896d0cda0f8bceefe92052c5dfd7ea5d4f51e5ad
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Thu Jan 15 16:34:35 2015 +0100

net: sctp: fix race for one-to-many sockets in sendmsg's auto associate

I.e. one-to-many sockets in SCTP are not required to explicitly
call into connect(2) or sctp_connectx(2) prior to data exchange.
Instead, they can directly invoke sendmsg(2) and the SCTP stack
will automatically trigger connection establishment through 4WHS
via sctp_primitive_ASSOCIATE(). However, this in its current
implementation is racy: INIT is being sent out immediately (as
it cannot be bundled anyway) and the rest of the DATA chunks are
queued up for later xmit when connection is established, meaning
sendmsg(2) will return successfully. This behaviour can result
in an undesired side-effect that the kernel made the application
think the data has already been transmitted, although none of it
has actually left the machine, worst case even after close(2)'ing
the socket.

Instead, when the association from client side has been shut down
e.g. first gracefully through SCTP_EOF and then close(2), the
client could afterwards still receive the server's INIT_ACK due
to a connection with higher latency. This INIT_ACK is then considered
out of the blue and hence responded with ABORT as there was no
alive assoc found anymore. This can be easily reproduced f.e.
with sctp_test application from lksctp. One way to fix this race
is to wait for the handshake to actually complete.

The fix defers waiting after sctp_primitive_ASSOCIATE() and
sctp_primitive_SEND() succeeded, so that DATA chunks cooked up
from sctp_sendmsg() have already been placed into the output
queue through the side-effect interpreter, and therefore can then
be bundeled together with COOKIE_ECHO control chunks.

strace from example application (shortened):

socket(PF_INET, SOCK_SEQPACKET, IPPROTO_SCTP) = 3
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
msg_iov(0)=[], msg_controllen=48, {cmsg_len=48, cmsg_level=0x84 /* SOL_??? */, cmsg_type=, ...},
msg_flags=0}, 0) = 0 // graceful shutdown for SOCK_SEQPACKET via SCTP_EOF
close(3) = 0

tcpdump before patch (fooling the application):

22:33:36.306142 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 3879023686] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3139201684]
22:33:36.316619 IP 192.168.1.115.8888 > 192.168.1.114.41462: sctp (1) [INIT ACK] [init tag: 3345394793] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 3380109591]
22:33:36.317600 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [ABORT]

tcpdump after patch:

14:28:58.884116 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 438593213] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3092969729]
14:28:58.888414 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [INIT ACK] [init tag: 381429855] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 2141904492]
14:28:58.888638 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [COOKIE ECHO] , (2) [DATA] (B)(E) [TSN: 3092969729] [...]
14:28:58.893278 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [COOKIE ACK] , (2) [SACK] [cum ack 3092969729] [a_rwnd 106491] [#gap acks 0] [#dup tsns 0]
14:28:58.893591 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969730] [...]
14:28:59.096963 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969730] [a_rwnd 106496] [#gap acks 0] [#dup tsns 0]
14:28:59.097086 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969731] [...] , (2) [DATA] (B)(E) [TSN: 3092969732] [...]
14:28:59.103218 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969732] [a_rwnd 106486] [#gap acks 0] [#dup tsns 0]
14:28:59.103330 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN]
14:28:59.107793 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SHUTDOWN ACK]
14:28:59.107890 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN COMPLETE]

Looks like this bug is from the pre-git history museum. ;)

Fixes: 08707d5482df ("lksctp-2_5_31-0_5_1.patch")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Conflicts:

net/sctp/socket.c

Conflicts:

net/sctp/socket.c

net/sctp/socket.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)

commit 28e7551a10df3b00676519fa269fc9f21562eefd
Author: Sasha Levin <sasha.levin@oracle.com>
Date: Tue Feb 3 08:55:58 2015 -0500

net: rds: use correct size for max unacked packets and bytes

Max unacked packets/bytes is an int while sizeof(long) was used in the
sysctl table.

This means that when they were getting read we'd also leak kernel memory
to userspace along with the timeout values.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/rds/sysctl.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

commit ebb75bc888f1613c4e332a48b883b463e492ed63
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Feb 5 08:09:18 2015 -0500
Binary file not shown.

0 comments on commit 019e088

Please sign in to comment.
You can’t perform that action at this time.