author | Anthony G. Basile <blueness@gentoo.org> | 2014-03-05 08:16:27 -0500 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2014-03-05 08:16:27 -0500 |
commit | 584439568f0ccda6210b6378829df23910a6b699 (patch) | |
tree | 70643eedff1b648d6e48cbb68e68c9952b94595e | |
parent | Grsec/PaX: 3.0-{3.2.55,3.13.5}-201403031445 (diff) | |
download | hardened-patchset-20140304.tar.gz hardened-patchset-20140304.tar.bz2 hardened-patchset-20140304.zip |
Grsec/PaX: 3.0-{3.2.55,3.13.5}-20140304193820140304
-rw-r--r-- | 3.13.5/0000_README | 2 | ||||
-rw-r--r-- | 3.13.5/4420_grsecurity-3.0-3.13.5-201403041938.patch (renamed from 3.13.5/4420_grsecurity-3.0-3.13.5-201403031445.patch) | 52 | ||||
-rw-r--r-- | 3.2.55/0000_README | 2 | ||||
-rw-r--r-- | 3.2.55/4420_grsecurity-3.0-3.2.55-201403041936.patch (renamed from 3.2.55/4420_grsecurity-3.0-3.2.55-201403022154.patch) | 18 |
4 files changed, 72 insertions, 2 deletions
diff --git a/3.13.5/0000_README b/3.13.5/0000_README
index 838ac74..c20a3d4 100644
--- a/3.13.5/0000_README
+++ b/3.13.5/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.13.5-201403031445.patch
+Patch: 4420_grsecurity-3.0-3.13.5-201403041938.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.13.5/4420_grsecurity-3.0-3.13.5-201403031445.patch b/3.13.5/4420_grsecurity-3.0-3.13.5-201403041938.patch
index eaf708f..9efbd6a 100644
--- a/3.13.5/4420_grsecurity-3.0-3.13.5-201403031445.patch
+++ b/3.13.5/4420_grsecurity-3.0-3.13.5-201403041938.patch
@@ -97152,6 +97152,23 @@ index fc0e649..febfa65 100644
 EXPORT_SYMBOL(sysctl_local_reserved_ports);
 void inet_get_local_port_range(struct net *net, int *low, int *high)
+diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
+index bb075fc..322dceb 100644
+--- a/net/ipv4/inet_fragment.c
++++ b/net/ipv4/inet_fragment.c
+@@ -278,9 +278,10 @@ static struct inet_frag_queue *inet_frag_intern(struct netns_frags *nf,
+
+ atomic_inc(&qp->refcnt);
+ hlist_add_head(&qp->list, &hb->chain);
+- spin_unlock(&hb->chain_lock);
+- read_unlock(&f->lock);
+ inet_frag_lru_add(nf, qp);
++ spin_unlock(&hb->chain_lock);
++ read_unlock(&f->lock);
++
+ return qp;
+ }
+
 diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
 index 8b9cf27..0d8d592 100644
 --- a/net/ipv4/inet_hashtables.c
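Review bot: The reordering in inet_frag_intern() carries no comment saying why `inet_frag_lru_add(nf, qp)` must now run before `spin_unlock(&hb->chain_lock)` and `read_unlock(&f->lock)`, so a later cleanup could move it back out of the locked region. The queue is published with `hlist_add_head()` one line earlier, so presumably the intent is that it is never reachable through the hash while still missing from the LRU list; a comment above the call such as `/* Add to the LRU before unlocking: once the locks drop, the queue is visible in the hash to other CPUs. */` would record that. If inet_frag_lru_add() takes a lock of its own (not visible here), that lock now nests inside `hb->chain_lock` and `f->lock`, and the order should be confirmed against the eviction path. The function starts outside the hunk.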
@@ -100566,6 +100583,24 @@ index 1a6eef3..17e898f 100644
 NULL,
 sctp_generate_t1_cookie_event,
 sctp_generate_t1_init_event,
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index a26065b..af7be05 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -759,6 +759,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
+ struct sctp_chunk auth;
+ sctp_ierror_t ret;
+
++ /* Make sure that we and the peer are AUTH capable */
++ if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
++ kfree_skb(chunk->auth_chunk);
++ sctp_association_free(new_asoc);
++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++ }
++
+ /* set-up our fake chunk so that we can process it */
+ auth.skb = chunk->auth_chunk;
+ auth.asoc = chunk->asoc;
 diff --git a/net/sctp/socket.c b/net/sctp/socket.c
 index 42b709c..e7d09ac 100644
 --- a/net/sctp/socket.c
@@ -103517,6 +103552,23 @@ index cee72ce..e46074a 100644
 err:
 if (iov != iovstack)
 kfree(iov);
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+index d46cbc5..2fb2576 100644
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -1000,7 +1000,11 @@ static int keyring_detect_cycle_iterator(const void *object,
+
+ kenter("{%d}", key->serial);
+
+- BUG_ON(key != ctx->match_data);
++ /* We might get a keyring with matching index-key that is nonetheless a
++ * different keyring. */
++ if (key != ctx->match_data)
++ return 0;
++
+ ctx->result = ERR_PTR(-EDEADLK);
+ return 1;
+ }
 diff --git a/security/min_addr.c b/security/min_addr.c
 index f728728..6457a0c 100644
 --- a/security/min_addr.c
diff --git a/3.2.55/0000_README b/3.2.55/0000_README
index e75270d..6e1b2f5 100644
--- a/3.2.55/0000_README
+++ b/3.2.55/0000_README
@@ -138,7 +138,7 @@ Patch: 1054_linux-3.2.55.patch
 From: http://www.kernel.org
 Desc: Linux 3.2.55
-Patch: 4420_grsecurity-3.0-3.2.55-201403022154.patch
+Patch: 4420_grsecurity-3.0-3.2.55-201403041936.patch
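Review bot: In the AUTH-capability check added to sctp_sf_do_5_1D_ce(), `chunk->auth_chunk` still points at the skb that `kfree_skb(chunk->auth_chunk)` has just released. If any later teardown of the chunk (outside the hunk) reads or frees that field, the result would be a use-after-free or double free; adding `chunk->auth_chunk = NULL;` directly after the `kfree_skb()` call closes that off. The same applies to the matching check added for 3.2.55, the later hunk that tests `sctp_auth_enable`. The function body and whatever condition guards this block begin outside the hunk, so the lifetime of `chunk` cannot be confirmed from here.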
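Review bot: The new early `return 0;` in keyring_detect_cycle_iterator() does not document what the two return values mean to the caller, which matters now that a mismatch is silently tolerated instead of hitting `BUG_ON()`. From the visible lines, 1 is returned only after `ctx->result` is set to `ERR_PTR(-EDEADLK)`, and 0 presumably tells the iterator to carry on with the next keyring. Extending the comment to say so, for example `/* ... different keyring; return 0 to skip it and keep searching. */`, would make that contract explicit. The start of the function is outside the hunk.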
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.55/4420_grsecurity-3.0-3.2.55-201403022154.patch b/3.2.55/4420_grsecurity-3.0-3.2.55-201403041936.patch
index 5e79266..5a6b289 100644
--- a/3.2.55/4420_grsecurity-3.0-3.2.55-201403022154.patch
+++ b/3.2.55/4420_grsecurity-3.0-3.2.55-201403041936.patch
@@ -101674,6 +101674,24 @@ index 76388b0..a967f68 100644
 NULL,
 sctp_generate_t1_cookie_event,
 sctp_generate_t1_init_event,
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index cb1c430..f131caf 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -747,6 +747,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep,
+ struct sctp_chunk auth;
+ sctp_ierror_t ret;
+
++ /* Make sure that we and the peer are AUTH capable */
++ if (!sctp_auth_enable || !new_asoc->peer.auth_capable) {
++ kfree_skb(chunk->auth_chunk);
++ sctp_association_free(new_asoc);
++ return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
++ }
++
+ /* set-up our fake chunk so that we can process it */
+ auth.skb = chunk->auth_chunk;
+ auth.asoc = chunk->asoc;
 diff --git a/net/sctp/socket.c b/net/sctp/socket.c
 index c53d01e..9659111 100644
 --- a/net/sctp/socket.c |