X-Git-Url: http://git.ipfire.org/?p=thirdparty%2Fgrsecurity-scrape.git;a=blobdiff_plain;f=test%2Fchangelog-test.txt;h=9b72dd5df4a5bc7237da9fae002dee19e60831a7;hp=cad277fb9bfc1f3c1899d41a374bfecc02e1197d;hb=e0a427e165a9e6c675707952e385b77cc672ff9d;hpb=f47c16b634dc56bea4746edfedcd6eae383199d7 diff --git a/test/changelog-test.txt b/test/changelog-test.txt index cad277f..9b72dd5 100644 --- a/test/changelog-test.txt +++ b/test/changelog-test.txt 
@@ -1,3 +1,1621 @@ +commit 4aa226b223ecb0156653486ddef74bf6b195f039 +Merge: 4050139 6f940b9 +Author: Brad Spengler +Date: Wed Apr 12 08:04:39 2017 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 6f940b96af4889d08ee73047f46619fbc00e0f62 +Merge: 7ab0cba cf2586e +Author: Brad Spengler +Date: Wed Apr 12 08:04:29 2017 -0400 + + Merge branch 'linux-4.9.y' into pax-test + +commit 405013951323e2835d2924a6bbde752fcd04016c +Author: Brad Spengler +Date: Sun Apr 9 19:08:16 2017 -0400 + + Size overflow hash updates from Toralf Foerster + +commit b2168c65060c63a858a46fa1f767d7c55d437934 +Merge: 11e048d 7ab0cba +Author: Brad Spengler +Date: Sun Apr 9 18:04:04 2017 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 7ab0cba9320696df7d9ce8030f04b31a07d1edc2 +Merge: aee169f 37feaf8 +Author: Brad Spengler +Date: Sun Apr 9 18:03:55 2017 -0400 + + Merge branch 'linux-4.9.y' into pax-test + +commit 11e048d628025e77052220e9bf3b69376ef87759 +Merge: bc8c377 aee169f +Author: Brad Spengler +Date: Fri Mar 31 07:32:33 2017 -0400 + + Merge branch 'pax-test' into grsec-test + +commit aee169fb628479b4f664ffd0cb24fe633e416f22 +Merge: 469b2da f676772 +Author: Brad Spengler +Date: Fri Mar 31 07:32:15 2017 -0400 + + Merge branch 'linux-4.9.y' into pax-test + +commit bc8c377eb79dbdd3ec3fd073b419c4203b80fa28 +Author: Brad Spengler +Date: Thu Mar 30 08:46:32 2017 -0400 + + Fix size_overflow report from sol56 + +commit bf57ca14a95f44ca2a3e5664439840fabe79b83d +Author: Brad Spengler +Date: Thu Mar 30 08:22:13 2017 -0400 + + Fix size_overflow report from sol56 + +commit eef071abd212274d062412771dcf410d37a75f1d +Merge: 6abbeb8 469b2da +Author: Brad Spengler +Date: Thu Mar 30 08:19:36 2017 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 469b2dad95eb958ee0253a18fc65d4e6b0eeb992 +Merge: 3097d09 c8e1316 +Author: Brad Spengler +Date: Thu Mar 30 08:19:28 2017 -0400 + + Merge branch 'linux-4.9.y' into pax-test + +commit 6abbeb8072ced7907c3a4294f5ec254313302279 +Merge: a22b234 
3097d09 +Author: Brad Spengler +Date: Sun Mar 26 08:32:58 2017 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 3097d09221297acf1b57a5d4dcd254de9d1087bc +Merge: 693fcec4 2a48626 +Author: Brad Spengler +Date: Sun Mar 26 08:32:46 2017 -0400 + + Merge branch 'linux-4.9.y' into pax-test + +commit a22b23469f57e80488a78689830a45cb27a020e3 +Merge: 0ce9a75 693fcec4 +Author: Brad Spengler +Date: Wed Mar 22 07:59:35 2017 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 693fcec4eaafc0a87b26fedf680d925455233a5f +Merge: 28fc0cc c3825da +Author: Brad Spengler +Date: Wed Mar 22 07:59:28 2017 -0400 + + Merge branch 'linux-4.9.y' into pax-test + +commit 0ce9a7532015fd64e56ff017bac5448719c6caa8 +Merge: 3648fb5 28fc0cc +Author: Brad Spengler +Date: Sat Mar 18 07:41:49 2017 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 28fc0cc540a02524aa7122c4b6518f46be150670 +Merge: 51fb02c 8a16224 +Author: Brad Spengler +Date: Sat Mar 18 07:41:36 2017 -0400 + + Merge branch 'linux-4.9.y' into pax-test + +commit 3648fb58cc16ec3a1c86269ffbdf6ee8f2ff857d +Author: Brad Spengler +Date: Wed Mar 15 00:10:53 2017 -0400 + + compile fix + +commit 5ae0984f1a67bddf7315c071b7df971e4b03072e +Merge: c9a77fb 51fb02c +Author: Brad Spengler +Date: Tue Mar 14 23:38:35 2017 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 51fb02c0abebafc624a60da2e68b77a4dcad448f +Merge: 5fedde5 d962bf8 +Author: Brad Spengler +Date: Tue Mar 14 23:38:26 2017 -0400 + + Merge branch 'linux-4.9.y' into pax-test + +commit c9a77fb1a803a00e7ff0026ad9a87ccb7f9c3004 +Author: Brad Spengler +Date: Sun Mar 12 12:11:47 2017 -0400 + + Update size_overflow hash table + +commit 643aa0cade896df02b42428785e5cc6cb8bc2c9c +Author: Alexander Popov +Date: Tue Feb 28 19:54:40 2017 +0300 + + tty: n_hdlc: get rid of racy n_hdlc.tbuf + + Currently N_HDLC line discipline uses a self-made singly linked list for + data buffers and has n_hdlc.tbuf pointer for buffer retransmitting after + an error. 
+ + The commit be10eb7589337e5defbe214dae038a53dd21add8 + ("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf. + After tx error concurrent flush_tx_queue() and n_hdlc_send_frames() can put + one data buffer to tx_free_buf_list twice. That causes double free in + n_hdlc_release(). + + Let's use standard kernel linked list and get rid of n_hdlc.tbuf: + in case of tx error put current data buffer after the head of tx_buf_list. + + Signed-off-by: Alexander Popov + Cc: stable + 
Signed-off-by: Greg Kroah-Hartman + +commit 0c801f1c89b85170505c8dac6c58df27155dbb1e +Merge: a0b31dd 5fedde5 +Author: Brad Spengler +Date: Sun Mar 12 08:18:58 2017 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 5fedde5358a3a9625c4e21ff8a5b5b6d5bd5d125 +Merge: c8102ee d379ab2 +Author: Brad Spengler +Date: Sun Mar 12 08:18:48 2017 -0400 + + Merge branch 'linux-4.9.y' into pax-test + +commit a0b31ddd80510c595b1db203edd009a721e68cfa +Merge: f9c6bb9 c8102ee +Author: Brad Spengler +Date: Sun Mar 5 18:02:18 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit c8102eef049988a1905817e4dc4e859287c2923e +Author: Brad Spengler +Date: Sun Mar 5 18:01:22 2017 -0500 + + Update to pax-linux-4.9.13-test6.patch: + - fixed a regression where on amd64 STACKLEAK instrumented functions executed in IRQ context caused a preempt counter overdecrement, by Jason A. Donenfeld , reported by nail (https://forums.grsecurity.net/viewtopic.php?f=3&t=4668) + - fixed an unbalanced pax_open_kernel call that would trigger a BUG in the zt5550 driver + +commit f9c6bb92aa1205f0402085e363fa914ea34beceb +Author: Brad Spengler +Date: Mon Feb 27 06:55:25 2017 -0500 + + Fix softirq warnings reported by nail at: + https://forums.grsecurity.net/viewtopic.php?f=3&t=4668 + and reported and debugged by Jason Donenfeld. + + A stray put_cpu() was left in the pax_check_alloca code when + porting to Linux 4.9, which would cause a preempt imbalance + on interrupts making use of alloca() (either explicitly or through + variable length arrays). 
+ +commit 8019276815d5d50fb57b4a1bd9f33af0c5cd7615 +Author: Brad Spengler +Date: Sun Feb 26 10:28:40 2017 -0500 + + Update size_overflow hash table, from Toralf Foerster + +commit 5996b10c778c1b3378219a3c29ae90b504482a50 +Merge: 1d6d9f9 ef547fe +Author: Brad Spengler +Date: Sun Feb 26 07:41:37 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit ef547fea89fc7818dec64af7db1c7528fc3c1436 +Merge: bce7062 3737a5f +Author: Brad Spengler +Date: Sun Feb 26 07:41:28 2017 -0500 + + Merge branch 'linux-4.9.y' into pax-test + +commit 1d6d9f9363ebed20318f0c047dccb5a39a4441e7 +Author: Brad Spengler +Date: Fri Feb 24 07:11:39 2017 -0500 + + Silence a compiler warning, reported by Etienne Buira + +commit e47311b356a178a1652c88cf47aea011f0211061 +Author: Brad Spengler +Date: Thu Feb 23 18:25:41 2017 -0500 + + Update size_overflow hash table + +commit 7852bd5868a61b1a9c4210c0214ef8c1d3e0e7e2 +Merge: 15fc570 bce7062 +Author: Brad Spengler +Date: Thu Feb 23 17:41:07 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit bce7062ee9c933a4188dec2691155442df3a79e8 +Merge: b26ab25 ae7d431 +Author: Brad Spengler +Date: Thu Feb 23 17:40:59 2017 -0500 + + Merge branch 'linux-4.9.y' into pax-test + +commit 15fc5704b74ec1d5c4a9ecd00c9e24e9955a1e24 +Author: Brad Spengler +Date: Thu Feb 23 17:35:05 2017 -0500 + + Fix !GRKERNSEC_KMEM && GRKERNSEC_SYSFS_RESTRICT incompatibility with + KVM, reported at https://bugs.gentoo.org/show_bug.cgi?id=597554 + by Christian Roessner, Miro Rovis, and Étienne Buira + +commit c26d7750fb91d084a1ba3fbf84fa892cabf2cee9 +Merge: f0e6f87 b26ab25 +Author: Brad Spengler +Date: Wed Feb 22 20:46:04 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit b26ab25c73a41147b14a8edb35eec6a08fafd927 +Author: Brad Spengler +Date: Wed Feb 22 20:45:31 2017 -0500 + + Update to pax-linux-4.9.10-test5.patch: + - fixed resume regression on i386/UDEREF caused by upstream commit ffa64eff956a25548cad0391dbc14c672827be7b, reported by corsac + - fixed compile 
regression on i386/XEN, reported by bugmenot (https://forums.grsecurity.net/viewtopic.php?f=3&t=4677) + - worked around an intentional integer overflow caused by the amdgpu driver that was caught by the size overflow plugin, reported by foxxx0 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4667) + - made better use of upstream's idea of invpcid + +commit f0e6f87d2d7d767eba1534fd8c1fa4e8e26e00c8 +Author: Andrey Konovalov +Date: Thu Feb 16 17:22:46 2017 +0100 + + dccp: fix freeing skb too early for IPV6_RECVPKTINFO + + In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet + is forcibly freed via __kfree_skb in dccp_rcv_state_process if + dccp_v6_conn_request successfully returns. + + However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb + is saved to ireq->pktopts and the ref count for skb is incremented in + dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed + in dccp_rcv_state_process. + + Fix by calling consume_skb instead of doing goto discard and therefore + calling __kfree_skb. + + Similar fixes for TCP: + + fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed. + 0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now + simply consumed + + Signed-off-by: Andrey Konovalov + Acked-by: Eric Dumazet + 
Signed-off-by: David S. Miller + +commit 9f575ef66df46cb78f751e0d8d509171afe3933e +Author: Brad Spengler +Date: Sat Feb 18 13:09:26 2017 -0500 + + Update size_overflow hash table + +commit e927308508ef20392a61e493bc411e73d597682f +Merge: 55d2e75 d711991 +Author: Brad Spengler +Date: Sat Feb 18 11:35:11 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d711991b1628e84076fde9b2c94d25920cca7882 +Merge: 70fbe2f eee1550 +Author: Brad Spengler +Date: Sat Feb 18 11:34:56 2017 -0500 + + Merge branch 'linux-4.9.y' into pax-test + +commit 55d2e7501a1db909073644bb1b5c58effb627754 +Author: Brad Spengler +Date: Thu Feb 16 19:47:51 2017 -0500 + + Allow symbol printing for softirq change + +commit e489c2948bc9e1d9643c84667bf81ac8387293e0 +Merge: d7b63ba 70fbe2f +Author: Brad Spengler +Date: Thu Feb 16 19:47:37 2017 -0500 + + Merge branch 'pax-test' into grsec-test + + n why this merge is necessary, + +commit 70fbe2fc1540632d2cc67e770d826f9637b5b73f +Author: Brad Spengler +Date: Thu Feb 16 19:46:55 2017 -0500 + + Update to pax-linux-4.9.10-test4.patch: + - worked around a gcc induced integer truncation that triggered a size overflow, reported by René Korthaus (https://bugs.gentoo.org/show_bug.cgi?id=609500) + - disabled size overflow checking on qdisc_tree_reduce_backlog for good as newer gcc is smart enough to get around the previous workaround, reported by craftyguy (https://forums.grsecurity.net/viewtopic.php?f=3&t=4640) + - fixed a SEGMEXEC/vma mirroring regression, reported by osea (https://forums.grsecurity.net/viewtopic.php?f=3&t=4643) + +commit d7b63bad761e0ca8897ec9c5df4482483aa20201 +Merge: d310a9c b6296dc +Author: Brad Spengler +Date: Wed Feb 15 20:18:47 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit b6296dc3544b4a4543a45777a5cc1ecb2ce51042 +Author: Brad Spengler +Date: Wed Feb 15 20:16:32 2017 -0500 + + Update to pax-linux-4.9.9-test3.patch: + - fixed a compile error on i386 with X86_CMPXCHG64=n, by Natanael Copa + - Emese fixed a few 
section mismatches and compile errors caused by the initify plugin, reported by Kees Cook, hunger and Valdis Kletnieks + - fixed a compile error caused by type mismatches on i386, reported by spender + +commit d310a9c0ab751121a5f97196857bfe4e90d86adf +Author: Brad Spengler +Date: Wed Feb 15 20:03:55 2017 -0500 + + compile fix, reported by ncopa + +commit f6fed850d763aca4162bc24b29afe5bb23d49d91 +Merge: c3fff1a 1971888 +Author: Brad Spengler +Date: Wed Feb 15 17:21:00 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 19718886c80977af99f8181fe8e91b0f6f1fb5f7 +Merge: b608a1f 390caee +Author: Brad Spengler +Date: Wed Feb 15 17:20:51 2017 -0500 + + Merge branch 'linux-4.9.y' into pax-test + +commit c3fff1a653824ad47021d536dec50e8c937e6347 +Merge: 57a5c6d b608a1f +Author: Brad Spengler +Date: Sun Feb 12 20:14:55 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit b608a1f8eadf8287e6accf031da5f5e26964e79a +Author: Brad Spengler +Date: Sun Feb 12 20:14:47 2017 -0500 + + compile fix + +commit 57a5c6d747cce4a1dd99e3677ddb564c47c5305a +Merge: f1a2106 0851ca2 +Author: Brad Spengler +Date: Sun Feb 12 20:13:15 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 0851ca2f75213d1f9aabe2d10f98553bf642e024 +Author: Brad Spengler +Date: Sun Feb 12 20:13:02 2017 -0500 + + compile fix + +commit f1a2106f030f628edd9d729e8a4cf7a7cbaffe70 +Merge: fb5b3e7 5cff6ef +Author: Brad Spengler +Date: Sun Feb 12 20:05:35 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5cff6ef64e73635a287a5635ed89db37b4860336 +Author: Brad Spengler +Date: Sun Feb 12 20:05:28 2017 -0500 + + compile fix + +commit fb5b3e71be3a859d01a3e935762125808f8dcff4 +Merge: 005e22e a85c589 +Author: Brad Spengler +Date: Sun Feb 12 19:54:55 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit a85c5893051fbbc5b97ab6504747f60d9359dabe +Author: Brad Spengler +Date: Sun Feb 12 19:54:47 2017 -0500 + + compile fix + +commit 005e22eb6f5f0630dc47c5bf4c37fe72cb8d5afa +Merge: 
230f6cf e376f96 +Author: Brad Spengler +Date: Sun Feb 12 19:49:23 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit e376f965ed749044bc294004f16b36f4ca7fab28 +Author: Brad Spengler +Date: Sun Feb 12 19:49:16 2017 -0500 + + compile fix + +commit 230f6cf74a165b342fdc05c8202422e8e243b528 +Merge: a60f9ee f4cbdea +Author: Brad Spengler +Date: Sun Feb 12 19:38:05 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit f4cbdeaa06cfd3658346f94abb5b6e11fe025961 +Author: Brad Spengler +Date: Sun Feb 12 19:37:57 2017 -0500 + + compile fix + +commit a60f9eef51ff4133c0a713bc89c5e2137999e74c +Merge: dc07488 d545a4c +Author: Brad Spengler +Date: Sun Feb 12 19:24:32 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d545a4c83b3191aeee56ebda071a8476a046eb40 +Author: Brad Spengler +Date: Sun Feb 12 19:22:21 2017 -0500 + + Update to pax-linux-4.9.8-test2.patch: + - switched to upstream commit 76bee23411f8510fbf5fc5641bae2c203b726eb6 to fix LTO builds + - fixed the symbol export of cpu_gdt_table on x86, by corsac + - fixed a bunch of compile warnings, by Mathias Krause + - fixed PARAVIRT/RAP boot problems, reported by quasar366 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4663) and Rhett M. Bowen (https://bugs.archlinux.org/task/52881#comment155215), tested by pierrecap@yahoo.fr + - fixed KERNEXEC/UEFI boot problems, reported by anoteros (https://bugs.gentoo.org/show_bug.cgi?id=608680) and Clayton Craft (https://bugs.archlinux.org/task/52881#comment155250) + +commit dc07488c378373e2bf6b60df31709da5ff767afd +Author: Sean Rees +Date: Wed Feb 8 14:30:59 2017 -0800 + + Another bug from this pointless mitigation + see also: https://twitter.com/halvarflake/status/827613317296508928 + + mm/slub.c: fix random_seq offset destruction + + Commit 210e7a43fa90 ("mm: SLUB freelist randomization") broke USB hub + initialisation as described in + + https://bugzilla.kernel.org/show_bug.cgi?id=177551. 
+ + Bail out early from init_cache_random_seq if s->random_seq is already + initialised. This prevents destroying the previously computed + random_seq offsets later in the function. + + If the offsets are destroyed, then shuffle_freelist will truncate + page->freelist to just the first object (orphaning the rest). + + Fixes: 210e7a43fa90 ("mm: SLUB freelist randomization") + Link: http://lkml.kernel.org/r/20170207140707.20824-1-sean@erifax.org + Signed-off-by: Sean Rees + Reported-by: + Cc: Christoph Lameter + Cc: Pekka Enberg + Cc: David Rientjes + Cc: Joonsoo Kim + Cc: Thomas Garnier + Cc: + Signed-off-by: Andrew Morton + 
Signed-off-by: Linus Torvalds + +commit 7bb22c6cffa5d31bd953b6161db96000edd9eb23 +Merge: a86976a8 9d73aa5 +Author: Brad Spengler +Date: Thu Feb 9 07:22:12 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9d73aa5a4dee061781926c89c592a7d447804e7d +Merge: 709a650 d2e4b66 +Author: Brad Spengler +Date: Thu Feb 9 07:22:05 2017 -0500 + + Merge branch 'linux-4.9.y' into pax-test + +commit a86976a86e06bb353a436c2486b1ccfb471f9c50 +Author: Brad Spengler +Date: Tue Feb 7 08:31:41 2017 -0500 + + compile fix + +commit 6261adb89e218739e07dc2e55fc87534ea2da325 +Author: Brad Spengler +Date: Tue Feb 7 07:43:30 2017 -0500 + + Relax /proc/pid/auxv check to match what was present in previous patches. + Many thanks to M. Vefa Bicakci for the report and fix! + +commit cabfb9cbd9201438006865d5e67d10105d8430bc +Author: Brad Spengler +Date: Tue Feb 7 07:31:48 2017 -0500 + + Cleanup from Mathias Krause + +commit 24cf8c373075b002719617a16a180bcd1c281c83 +Author: Brad Spengler +Date: Tue Feb 7 07:28:52 2017 -0500 + + Fix driver error case that we had correct but which broke when merging + upstream's ripoff of our code, reported by Mathias Krause + +commit d467970a05a441b364d247d5b4366913e44ad7ef +Merge: cd0b761 709a650 +Author: Brad Spengler +Date: Sun Feb 5 10:00:34 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 709a650aee15f96f6f564e8f4753ce4d2ce4d666 +Author: Brad Spengler +Date: Sun Feb 5 10:00:20 2017 -0500 + + Update to pax-linux-4.9.8-test1x.patch + +commit cd0b7618163bb40398b593d3649920ded2e1af33 +Author: Brad Spengler +Date: Sat Feb 4 15:58:39 2017 -0500 + + Update size_overflow hash table + +commit a6ac7f5e6378cef84c4c00a051725c023a63021b +Author: Brad Spengler +Date: Sat Feb 4 14:58:33 2017 -0500 + + Update size_overflow hash tables + +commit ae5d77fb41c008fcc8b504c350fe3556b43c3973 +Author: Brad Spengler +Date: Sat Feb 4 12:35:54 2017 -0500 + + Update size_overflow hash table + +commit 25a2af42cf8bd480755fb946623e868e297a3136 +Author: Brad 
Spengler +Date: Sat Feb 4 12:25:45 2017 -0500 + + Initial import of grsecurity 3.1 for Linux 4.9.8 + +commit e3932cb3abbbcfa7e0c7414541fdbd0a27453d4d +Author: Brad Spengler +Date: Sat Feb 4 11:52:14 2017 -0500 + + Update to pax-linux-4.9.8-test1.patch + +commit 979bddf15aa0dbb73dcd418d18ff2fd30ff1b38e +Merge: d93b949 c8ea2f3 +Author: Brad Spengler +Date: Sat Feb 4 04:27:39 2017 -0500 + + Merge branch 'linux-4.9.y' into pax-test + +commit d93b94991428cb11d0f66e209c070b1ba884bf83 +Author: Brad Spengler +Date: Thu Feb 2 17:26:16 2017 -0500 + + Update to pax-linux-4.9.6-test1xxxxxy.patch + +commit c5ecf5720061b63b90eb0ae6dcac9a7b88edd723 +Author: Brad Spengler +Date: Wed Feb 1 21:22:36 2017 -0500 + + Update to pax-linux-4.9.6-test1xxxxx.patch + +commit aede64e292980acc6c5784bb18864cd7fabec093 +Author: Brad Spengler +Date: Wed Feb 1 20:34:33 2017 -0500 + + Update to pax-linux-4.9.6-test1xxxx.patch + +commit 24a41127f3313bba134e0b68ab9da40f2b0f1ab5 +Author: Brad Spengler +Date: Wed Feb 1 19:32:39 2017 -0500 + + Update to pax-linux-4.9.6-test1xxx.patch + +commit 5ed38e522dd7df25d0102f9faf97fca62ba84102 +Merge: a2e84e3 fd2ffe5 +Author: Brad Spengler +Date: Wed Feb 1 08:14:15 2017 -0500 + + Merge branch 'linux-4.9.y' into pax-test + +commit a2e84e35dd4c940ddf23d70de6b29a48cbcaa39c +Author: Brad Spengler +Date: Wed Feb 1 07:40:25 2017 -0500 + + Update to pax-linux-4.9.6-test1xx.patch + +commit a06453c00dca1885a8f638b5a4e0dfa703a2094f +Author: Brad Spengler +Date: Tue Jan 31 19:50:03 2017 -0500 + + Update to pax-linux-4.9.6-test1x.patch + +commit a78566f6da3985944fee653782344976e37a5dea +Author: Brad Spengler +Date: Fri Jan 27 21:41:39 2017 -0500 + + Initial import of pax-linux-4.9.6-test1.patch +commit e5800118f68fd1553ac02b1f05bc3d567a884e22 +Author: Brad Spengler +Date: Sun Jan 15 15:50:04 2017 -0500 + + Fix size_overflow FP with gcc 6 reported by craftyguy at: + https://forums.grsecurity.net/viewtopic.php?f=3&t=4640 + + 
scripts/gcc-plugins/size_overflow_plugin/disable.data | 1 + + scripts/gcc-plugins/size_overflow_plugin/e_fields.data | 1 - + 2 files changed, 1 insertion(+), 1 deletion(-) + +commit 5861d0ad8a1c929257f1eda7f97dadbc1818112f +Author: Brad Spengler +Date: Sun Jan 15 14:17:09 2017 -0500 + + Initify plugin updates from Emese Revfy: + + Fixed a logical error that caused a section mismatch + Forgot to handle callees from a caller that is marked by BOTH. + + WARNING: vmlinux.o(.text.unlikely+0x1b1): Section mismatch in + reference from the function uncore_pci_exit.part.22() to the function + .init.text:uncore_free_pcibus_map() + The function uncore_pci_exit.part.22() references + the function __init uncore_free_pcibus_map(). + This is often because uncore_pci_exit.part.22 lacks a __init + annotation or the annotation of uncore_free_pcibus_map is wrong. + + Reported-by: Kees Cook + + Examine all clones as well for __init/__exit eligibility + WARNING: vmlinux.o(.text+0x1087e7): Section mismatch in reference from + the function rebind_subsystems() to the variable + .init.rodata.str:__func__.4400 + The function rebind_subsystems() references + the variable __initconst __func__.4400. + This is often because rebind_subsystems lacks a __initconst + annotation or the annotation of __func__.4400 is wrong. + + Reported-by: Kees Cook + + scripts/gcc-plugins/initify_plugin.c | 76 ++++++++++++++++++++++++------------ + 1 file changed, 51 insertions(+), 25 deletions(-) + +commit 08e03c1434f26e9b56f00a6ce8236320bd557494 +Author: Brad Spengler +Date: Sun Jan 15 14:08:04 2017 -0500 + + After over a year of hard work, KSPP has finally released its first + ever contribution back to grsecurity, the project from which KSPP + plagiarizes^Wobtains every useful improvement to Linux security. We are proud to + announce in this joint release the fruits of their hard work: a typo fix + to change 'unkown' to 'unknown' when reporting incorrect GCC plugin + command line arguments. 
Many thanks to Kees Cook and KSPP for this + innovation in spell check, and we look forward to many future + contributions of the same ilk from their capable hands. 'This + contribution of a typo fix confirms the high level of respect and + commitment to long-term sustainability KSPP has for grsecurity and its + innovative efforts over the past 16 years in producing the state of the + art in Linux security' said Brad Spengler, President of Open Source + Security Inc. + + "Based on a patch by Kees Cook" (since like much upstream efforts this + one was incomplete in that it missed the rap and size_overflow typos + as they existed in separate directories). + + scripts/gcc-plugins/checker_plugin.c | 2 +- + scripts/gcc-plugins/colorize_plugin.c | 2 +- + scripts/gcc-plugins/constify_plugin.c | 2 +- + scripts/gcc-plugins/initify_plugin.c | 2 +- + scripts/gcc-plugins/kernexec_plugin.c | 2 +- + scripts/gcc-plugins/latent_entropy_plugin.c | 2 +- + scripts/gcc-plugins/randomize_layout_plugin.c | 2 +- + scripts/gcc-plugins/rap_plugin/rap_plugin.c | 2 +- + scripts/gcc-plugins/sancov_plugin.c | 2 +- + scripts/gcc-plugins/size_overflow_plugin/size_overflow_plugin.c | 2 +- + scripts/gcc-plugins/stackleak_plugin.c | 2 +- + scripts/gcc-plugins/structleak_plugin.c | 2 +- + 12 files changed, 12 insertions(+), 12 deletions(-) + +commit 9b4ad0aa5ee41a03f02a928e2fd9679044048bde +Author: Brad Spengler +Date: Sun Jan 15 12:18:18 2017 -0500 + + Fix boot hang on 32-bit 4.8 kernels with SEGMEXEC enabled, reported by + osea at: + https://forums.grsecurity.net/viewtopic.php?f=3&t=4643 + + mm/memory.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +commit 2c93d3e0efb5b3d413cf2c0c5ac56faf47fa3e2d +Author: Brad Spengler +Date: Sun Jan 15 08:52:57 2017 -0500 + + Allow USERCOPY to be disabled, was a bug in PaX that somehow slipped through + the holiday cracks + + Reported by Chris Henhawke at: + https://bugs.gentoo.org/show_bug.cgi?id=603188 + + security/Kconfig | 2 +- + 1 file changed, 1 
insertion(+), 1 deletion(-) + +commit e86618efec929cb7f77480f35b21154368f2e7d1 +Author: John Sperbeck +Date: Tue Jan 10 16:58:24 2017 -0800 + + From the team that brought you useless improvements to the useless KASLR: + Useless mitigation causing likely privesc, with one of the worst commit messages + of all time (that wasn't written by an upstream developer for once -- to his credit, + Andrew Morton actually demanded more info (albeit receiving it in vague quality), + without which this commit message would have been even more sparse. + + Someone should request a CVE for this: + + mm/slab.c: fix SLAB freelist randomization duplicate entries + + This patch fixes a bug in the freelist randomization code. When a high + random number is used, the freelist will contain duplicate entries. It + will result in different allocations sharing the same chunk. + + It will result in odd behaviours and crashes. It should be uncommon but + it depends on the machines. We saw it happening more often on some + machines (every few hours of running tests). + + Fixes: c7ce4f60ac19 ("mm: SLAB freelist randomization") + Link: http://lkml.kernel.org/r/20170103181908.143178-1-thgarnie@google.com + Signed-off-by: John Sperbeck + Signed-off-by: Thomas Garnier + Cc: Christoph Lameter + Cc: Pekka Enberg + Cc: David Rientjes + Cc: Joonsoo Kim + Cc: + Signed-off-by: Andrew Morton + 
Signed-off-by: Linus Torvalds + + mm/slab.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +commit f7abe91bbcb4950f9c611fadd813b6dbe68db74b +Merge: 124f515 006324d +Author: Brad Spengler +Date: Mon Jan 9 07:22:15 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 006324d50d856bb254eb375407bc0478f8ae95eb +Merge: 2f6e197 3d8f8d0 +Author: Brad Spengler +Date: Mon Jan 9 07:22:06 2017 -0500 + + Merge branch 'linux-4.8.y' into pax-test + +commit 124f5155ead017e547c2a3736a312762870d4b0d +Author: Brad Spengler +Date: Fri Jan 6 18:03:39 2017 -0500 + + compile fix + + fs/exec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 655fffef715aff25550a3a90eaf4a7d06426ed8f +Author: Brad Spengler +Date: Fri Jan 6 17:57:28 2017 -0500 + + compile fix + + fs/exec.c | 2 +- + kernel/ptrace.c | 3 ++- + 2 files changed, 3 insertions(+), 2 deletions(-) + +commit a4f3d168f78cb8d84eaabba7dd501799b1f6e5a1 +Merge: c86a12c 2f6e197 +Author: Brad Spengler +Date: Fri Jan 6 09:01:05 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 2f6e19780747cdf28176251e19d15c2741b58813 +Merge: a685c6f c65ed08 +Author: Brad Spengler +Date: Fri Jan 6 08:01:20 2017 -0500 + + Merge branch 'linux-4.8.y' into pax-test + +commit c86a12c6f8a8551a0025ad531abe9d383e7388d2 +Author: Brad Spengler +Date: Tue Jan 3 17:37:11 2017 -0500 + + Fix an off-by-one in reporting some denied socket families, as reported by + Blub + + grsecurity/gracl_ip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 85f6681653925320e2040a772aa9526d7bdbe083 +Merge: 9d7ca54 a685c6f +Author: Brad Spengler +Date: Tue Jan 3 17:18:37 2017 -0500 + + Merge branch 'pax-test' into grsec-test + +commit a685c6fc603aac945ce129adfcbeb9b05b0aba62 +Author: Brad Spengler +Date: Tue Jan 3 17:18:07 2017 -0500 + + Update to pax-linux-4.8.15-test9.patch: + - fixed a few compiler warnings due to KERNEXEC and constification, reported by spender + - made a few micro-optimizations to lretq usage 
on amd64 and BUG_ON + - updated gcc-common.h and the plugins to eliminate some code bloat in pass registration + - fixed the use of build_string in all gcc plugins as it doesn't set TREE_TYPE itself + + arch/x86/kernel/head_64.S | 6 +- + drivers/hv/hv.c | 2 +- + drivers/net/ethernet/amd/xgbe/xgbe.h | 6 +- + include/asm-generic/bug.h | 2 +- + scripts/gcc-plugins/checker_plugin.c | 15 +-- + scripts/gcc-plugins/colorize_plugin.c | 8 +- + scripts/gcc-plugins/constify_plugin.c | 9 +- + scripts/gcc-plugins/cyc_complexity_plugin.c | 8 +- + scripts/gcc-plugins/gcc-common.h | 106 ++++++++++++++++++--- + scripts/gcc-plugins/initify_plugin.c | 12 +-- + scripts/gcc-plugins/kallocstat_plugin.c | 8 +- + scripts/gcc-plugins/kernexec_plugin.c | 28 ++---- + scripts/gcc-plugins/latent_entropy_plugin.c | 10 +- + scripts/gcc-plugins/rap_plugin/rap_plugin.c | 24 ++--- + scripts/gcc-plugins/sancov_plugin.c | 14 ++- + .../insert_size_overflow_asm.c | 6 +- + .../size_overflow_plugin/size_overflow_ipa.c | 2 +- + .../size_overflow_plugin/size_overflow_plugin.c | 26 ++--- + .../size_overflow_plugin/size_overflow_transform.c | 4 +- + .../size_overflow_transform_core.c | 20 +--- + scripts/gcc-plugins/stackleak_plugin.c | 18 +--- + scripts/gcc-plugins/structleak_plugin.c | 8 +- + 22 files changed, 164 insertions(+), 178 deletions(-) + +commit 9d7ca543b94c0203affd278739c77992ccaa7ba6 +Author: Brad Spengler +Date: Fri Dec 30 18:21:59 2016 -0500 + + Fix virtualbox host compatibility as reported by aurelf at: + https://forums.grsecurity.net/viewtopic.php?f=3&t=4634 + + This will be reverted once the VirtualBox devs stop disabling + SMAP unnecessarily, which seems like it will happen never. + Anyone who cares about security of their host system shouldn't + use VirtualBox, as it already precludes the use of KERNEXEC, UDEREF, + and RANDKSTACK. 
+ + arch/x86/include/asm/irqflags.h | 4 ++++ + 1 file changed, 4 insertions(+) + +commit cec0b19f2d7ac2d8f8357aee654dddd4418086b8 +Author: Brad Spengler +Date: Thu Dec 22 22:19:33 2016 -0500 + + Make HIDESYM select PAX_USERCOPY instead of the now nonexistent PAX_USERCOPY_SLABS + + grsecurity/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 61c3fa5b25ecc4a7c4f3d531a5cc76adeb89336c +Author: Brad Spengler +Date: Thu Dec 15 18:36:17 2016 -0500 + + Update size_overflow hash table + + scripts/gcc-plugins/size_overflow_plugin/e_fns.data | 1 + + 1 file changed, 1 insertion(+) + +commit 58e3f480aa38ec2007ec86afdbe668cf30238cd2 +Author: Linus Torvalds +Date: Wed Dec 14 12:45:25 2016 -0800 + + vfs,mm: fix return value of read() at s_maxbytes + + We truncated the possible read iterator to s_maxbytes in commit + c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()"), + but our end condition handling was wrong: it's not an error to try to + read at the end of the file. + + Reading past the end should return EOF (0), not EINVAL. + + See for example + + https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1649342 + http://lists.gnu.org/archive/html/bug-coreutils/2016-12/msg00008.html + + where a md5sum of a maximally sized file fails because the final read is + exactly at s_maxbytes. + + Fixes: c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()") + Reported-by: Joseph Salisbury + Cc: Wei Fang + Cc: Christoph Hellwig + Cc: Dave Chinner + Cc: Al Viro + Cc: Andrew Morton + Cc: stable@kernel.org + 
Signed-off-by: Linus Torvalds + + mm/filemap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 70975981c11bc45fd4ad44e9a6f5e8c2210a14f6 +Merge: 3a0285a 224c7ab +Author: Brad Spengler +Date: Thu Dec 15 17:43:49 2016 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 224c7ab2cacdcf25cc319978f7fbe64f519f03f0 +Merge: ccbe963 8bba2e2 +Author: Brad Spengler +Date: Thu Dec 15 17:43:37 2016 -0500 + + Merge branch 'linux-4.8.y' into pax-test + +commit 3a0285abbc886698581f682e6d269143c1709031 +Merge: eec49c3 ccbe963 +Author: Brad Spengler +Date: Sat Dec 10 17:49:55 2016 -0500 + + Merge branch 'pax-test' into grsec-test + +commit ccbe96350259e7d78fb4178ab1e5ece026641816 +Merge: dd08da6 7b8c57c +Author: Brad Spengler +Date: Sat Dec 10 17:49:17 2016 -0500 + + Update to pax-linux-4.8.14-test8.patch: + - fixed hyperv hypercall page handling when compiled as a module, reported by Kyle Spiers (kyle@atomicorp.com) + - fixed a logic error in initify that initified some ineligible functions triggering a boot crash under hyperv, reported by Kyle Spiers (kyle@atomicorp.com) + - Emese turned the compile time error checking of the nocapture attribute into a warning instead + - prototypes were missing for make_*_pass(), reported by Andrew Donnellan + + Merge branch 'linux-4.8.y' into pax-test + +commit eec49c307bcebdfb24cd0c9d1d69282490d30e90 +Merge: 2fd4ed6 dd08da6 +Author: Brad Spengler +Date: Thu Dec 8 20:03:08 2016 -0500 + + Merge branch 'pax-test' into grsec-test + +commit dd08da6af044ecb2b82a0be6bb57a8814637a10e +Author: Brad Spengler +Date: Thu Dec 8 20:02:44 2016 -0500 + + Forward-port some PaX changes: + - fixed hyperv hypercall page handling when compiled as a module, reported by Kyle Spiers (kyle@atomicorp.com) + - fixed a logic error in initify that initified some ineligible functions triggering a boot crash under hyperv, reported by Kyle Spiers (kyle@atomicorp.com) + - Emese turned the compile time error checking of the nocapture attribute into a 
warning instead + + drivers/hv/hv.c | 2 +- + scripts/gcc-plugins/initify_plugin.c | 14 ++++++-------- + 2 files changed, 7 insertions(+), 9 deletions(-) + +commit 2fd4ed677eead793deb99095d0fea1014947fc1f +Author: David Ahern +Date: Sun Nov 27 18:52:53 2016 -0800 + + net: handle no dst on skb in icmp6_send + + Andrey reported the following while fuzzing the kernel with syzkaller: + + kasan: CONFIG_KASAN_INLINE enabled + kasan: GPF could be caused by NULL-ptr deref or user memory access + general protection fault: 0000 [#1] SMP KASAN + Modules linked in: + CPU: 0 PID: 3859 Comm: a.out Not tainted 4.9.0-rc6+ #429 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + task: ffff8800666d4200 task.stack: ffff880067348000 + RIP: 0010:[] [] + icmp6_send+0x5fc/0x1e30 net/ipv6/icmp.c:451 + RSP: 0018:ffff88006734f2c0 EFLAGS: 00010206 + RAX: ffff8800666d4200 RBX: 0000000000000000 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000018 + RBP: ffff88006734f630 R08: ffff880064138418 R09: 0000000000000003 + R10: dffffc0000000000 R11: 0000000000000005 R12: 0000000000000000 + R13: ffffffff84e7e200 R14: ffff880064138484 R15: ffff8800641383c0 + FS: 00007fb3887a07c0(0000) GS:ffff88006cc00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000020000000 CR3: 000000006b040000 CR4: 00000000000006f0 + Stack: + ffff8800666d4200 ffff8800666d49f8 ffff8800666d4200 ffffffff84c02460 + ffff8800666d4a1a 1ffff1000ccdaa2f ffff88006734f498 0000000000000046 + ffff88006734f440 ffffffff832f4269 ffff880064ba7456 0000000000000000 + Call Trace: + [] icmpv6_param_prob+0x2c/0x40 net/ipv6/icmp.c:557 + [< inline >] ip6_tlvopt_unknown net/ipv6/exthdrs.c:88 + [] ip6_parse_tlv+0x555/0x670 net/ipv6/exthdrs.c:157 + [] ipv6_parse_hopopts+0x199/0x460 net/ipv6/exthdrs.c:663 + [] ipv6_rcv+0xfa3/0x1dc0 net/ipv6/ip6_input.c:191 + ... + + icmp6_send / icmpv6_send is invoked for both rx and tx paths. 
In both + cases the dst->dev should be preferred for determining the L3 domain + if the dst has been set on the skb. Fallback to the skb->dev if it has + not. This covers the case reported here where icmp6_send is invoked on + Rx before the route lookup. + + Fixes: 5d41ce29e ("net: icmp6_send should use dst dev to determine L3 domain") + Reported-by: Andrey Konovalov + Signed-off-by: David Ahern + Signed-off-by: David S. Miller + + net/ipv6/icmp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +commit 15977cda939cb4a2072de08f265d2d95a97c5c9c +Merge: 4d51197 5d6499b +Author: Brad Spengler +Date: Thu Dec 8 19:56:26 2016 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5d6499bbf52429aee789035bda61df32919293e0 +Merge: f3f4924 55d64c0 +Author: Brad Spengler +Date: Thu Dec 8 19:56:19 2016 -0500 + + Merge branch 'linux-4.8.y' into pax-test + +commit 4d51197ad44024df9dcb2f8f3bc871d5cc185808 +Author: Philip Pettersson +Date: Wed Nov 30 14:55:36 2016 -0800 + + Not unpriv privilege escalation on any version of grsecurity -- + (contrary to copy+pasted Arch Linux security advisories) + we've disabled unprivileged userns ever since it existed. + + packet: fix race condition in packet_set_ring + + When packet_set_ring creates a ring buffer it will initialize a + struct timer_list if the packet version is TPACKET_V3. This value + can then be raced by a different thread calling setsockopt to + set the version to TPACKET_V1 before packet_set_ring has finished. + + This leads to a use-after-free on a function pointer in the + struct timer_list when the socket is closed as the previously + initialized timer will not be deleted. + + The bug is fixed by taking lock_sock(sk) in packet_setsockopt when + changing the packet version while also taking the lock at the start + of packet_set_ring. + + Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") + Signed-off-by: Philip Pettersson + Signed-off-by: Eric Dumazet + 
Signed-off-by: David S. Miller + + net/packet/af_packet.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +commit 8fb1a916b99396cae8f6961d1734ea51c333e8ae +Merge: 54050b7 f3f4924 +Author: Brad Spengler +Date: Tue Dec 6 21:42:51 2016 -0500 + + Merge branch 'pax-test' into grsec-test + +commit f3f49240500f0393101d222410f48f68c481959b +Author: Brad Spengler +Date: Tue Dec 6 21:42:28 2016 -0500 + + Update to pax-linux-4.8.12-test7.patch: + - fixed non-executable HIBERNATION resume code on amd64, reported and partially fixed by Arseny Solokha + - fixed USERCOPY compile regression with old gcc versions, reported by André Ferraz + - fixed ENDPROC use on atomic functions on sparc64 + - fixed return value checking of convert_ip_to_linear + - fixed a few function types for RAP + + arch/arm64/include/asm/processor.h | 7 ------- + arch/sparc/lib/atomic_64.S | 8 ++++---- + arch/x86/kernel/step.c | 2 +- + arch/x86/mm/fault.c | 5 ++++- + arch/x86/power/cpu.c | 4 ++++ + arch/x86/power/hibernate_64.c | 11 +++++------ + drivers/misc/lkdtm_core.c | 2 +- + drivers/staging/wlan-ng/p80211netdev.c | 2 +- + include/linux/init_task.h | 1 - + 9 files changed, 20 insertions(+), 22 deletions(-) + +commit 54050b78ed9dc52e72180f178a38474606a09d5c +Merge: 736e717 34c61d4 +Author: Brad Spengler +Date: Sat Dec 3 09:14:47 2016 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 34c61d446390e30aa6b5c6940618a500c894a397 +Merge: 99257a4 356ccf6 +Author: Brad Spengler +Date: Sat Dec 3 09:14:32 2016 -0500 + + Merge branch 'linux-4.8.y' into pax-test + +commit 736e717e33565dd4e71870b60d310e1d5aa3d0cd +Merge: 6e1844a 99257a4 +Author: Brad Spengler +Date: Sun Nov 27 11:33:24 2016 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 99257a4169235bbe2576eb44ce2e0ce640070a17 +Author: Brad Spengler +Date: Sun Nov 27 11:32:06 2016 -0500 + + Update to pax-linux-4.8.11-test6.patch: + - fixed harmless compile warning introduced by a previous fix, reported by Matt Turner 
(https://bugs.gentoo.org/show_bug.cgi?id=599320#c11) + - removed unnecessary objtree use in generating the size overflow hash tables + - Emese worked around a size overflow false positive in drbd, reported by rot (https://forums.grsecurity.net/viewtopic.php?f=3&t=4526) + + drivers/block/drbd/drbd_int.h | 2 +- + kernel/trace/trace_printk.c | 6 ------ + scripts/gcc-plugins/size_overflow_plugin/Makefile | 4 ++-- + 3 files changed, 3 insertions(+), 9 deletions(-) + +commit 6e1844aa17930704e360cd231fa5d12f3aadda1b +Author: Ard Biesheuvel +Date: Mon Oct 17 15:05:33 2016 +0100 + + mac80211: move struct aead_req off the stack + + Some crypto implementations (such as the generic CCM wrapper in crypto/) + use scatterlists to map fields of private data in their struct aead_req. + This means these data structures cannot live in the vmalloc area, which + means that they cannot live on the stack (with CONFIG_VMAP_STACK.) + + This currently occurs only with the generic software implementation, but + the private data and usage is implementation specific, so move the whole + data structures off the stack into heap by allocating every time we need + to use them. + + In addition, take care not to put any of our own stack allocations into + scatterlists. This involves reserving some extra room when allocating the + aead_request structures, and referring to those allocations in the scatter- + lists (while copying the data from the stack before the crypto operation) + + Signed-off-by: Ard Biesheuvel + 
Signed-off-by: Johannes Berg + + net/mac80211/aes_ccm.c | 46 ++++++++++++++++++++++++++++++---------------- + net/mac80211/aes_ccm.h | 8 +++++--- + net/mac80211/aes_gcm.c | 43 ++++++++++++++++++++++++++++--------------- + net/mac80211/aes_gcm.h | 6 ++++-- + net/mac80211/aes_gmac.c | 26 +++++++++++++------------- + net/mac80211/aes_gmac.h | 4 ++++ + net/mac80211/wpa.c | 22 +++++++++------------- + 7 files changed, 93 insertions(+), 62 deletions(-) + +commit c10e1633c41d5418e6eedc665582418a5befbb4f +Author: Brad Spengler +Date: Sun Nov 27 10:27:05 2016 -0500 + + Work around drbd size_overflow FP when SIZE_OVERFLOW_EXTRA is enabled, reported by rot at: + https://forums.grsecurity.net/viewtopic.php?f=3&t=4526 + + drivers/block/drbd/drbd_int.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 249d9232cebd4152a203680c63759332cdac13cb +Merge: 18d46a8 b01d05b +Author: Brad Spengler +Date: Sat Nov 26 08:07:35 2016 -0500 + + Merge branch 'pax-test' into grsec-test + +commit b01d05b77234043e071a10852c021c594531af1b +Merge: 41ec71c 36bd5bf +Author: Brad Spengler +Date: Sat Nov 26 08:07:28 2016 -0500 + + Merge branch 'linux-4.8.y' into pax-test + +commit 18d46a8fa74de2cb68fb5e6678959e5e61c6fea6 +Author: Brad Spengler +Date: Fri Nov 25 08:37:05 2016 -0500 + + Mark __phys_addr_nodebug() on x64 as always-inlined + + arch/x86/include/asm/page_64.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 5dd906f677c6d649efad1b01da6d6965e15ac3db +Author: Andrey Ryabinin +Date: Thu Nov 24 13:23:10 2016 +0000 + + mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] + + This fixes CVE-2016-8650. + + If mpi_powm() is given a zero exponent, it wants to immediately return + either 1 or 0, depending on the modulus. However, if the result was + initalised with zero limb space, no limbs space is allocated and a + NULL-pointer exception ensues. 
+ + Fix this by allocating a minimal amount of limb space for the result when + the 0-exponent case when the result is 1 and not touching the limb space + when the result is 0. + + This affects the use of RSA keys and X.509 certificates that carry them. + + BUG: unable to handle kernel NULL pointer dereference at (null) + IP: [] mpi_powm+0x32/0x7e6 + PGD 0 + Oops: 0002 [#1] SMP + Modules linked in: + CPU: 3 PID: 3014 Comm: keyctl Not tainted 4.9.0-rc6-fscache+ #278 + Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014 + task: ffff8804011944c0 task.stack: ffff880401294000 + RIP: 0010:[] [] mpi_powm+0x32/0x7e6 + RSP: 0018:ffff880401297ad8 EFLAGS: 00010212 + RAX: 0000000000000000 RBX: ffff88040868bec0 RCX: ffff88040868bba0 + RDX: ffff88040868b260 RSI: ffff88040868bec0 RDI: ffff88040868bee0 + RBP: ffff880401297ba8 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000047 R11: ffffffff8183b210 R12: 0000000000000000 + R13: ffff8804087c7600 R14: 000000000000001f R15: ffff880401297c50 + FS: 00007f7a7918c700(0000) GS:ffff88041fb80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 0000000401250000 CR4: 00000000001406e0 + Stack: + ffff88040868bec0 0000000000000020 ffff880401297b00 ffffffff81376cd4 + 0000000000000100 ffff880401297b10 ffffffff81376d12 ffff880401297b30 + ffffffff81376f37 0000000000000100 0000000000000000 ffff880401297ba8 + Call Trace: + [] ? __sg_page_iter_next+0x43/0x66 + [] ? sg_miter_get_next_page+0x1b/0x5d + [] ? sg_miter_next+0x17/0xbd + [] ? mpi_read_raw_from_sgl+0xf2/0x146 + [] rsa_verify+0x9d/0xee + [] ? 
pkcs1pad_sg_set_buf+0x2e/0xbb + [] pkcs1pad_verify+0xc0/0xe1 + [] public_key_verify_signature+0x1b0/0x228 + [] x509_check_for_self_signed+0xa1/0xc4 + [] x509_cert_parse+0x167/0x1a1 + [] x509_key_preparse+0x21/0x1a1 + [] asymmetric_key_preparse+0x34/0x61 + [] key_create_or_update+0x145/0x399 + [] SyS_add_key+0x154/0x19e + [] do_syscall_64+0x80/0x191 + [] entry_SYSCALL64_slow_path+0x25/0x25 + Code: 56 41 55 41 54 53 48 81 ec a8 00 00 00 44 8b 71 04 8b 42 04 4c 8b 67 18 45 85 f6 89 45 80 0f 84 b4 06 00 00 85 c0 75 2f 41 ff ce <49> c7 04 24 01 00 00 00 b0 01 75 0b 48 8b 41 18 48 83 38 01 0f + RIP [] mpi_powm+0x32/0x7e6 + RSP + CR2: 0000000000000000 + ---[ end trace d82015255d4a5d8d ]--- + + Basically, this is a backport of a libgcrypt patch: + + http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526 + + Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files (part 1)") + Signed-off-by: Andrey Ryabinin + Signed-off-by: David Howells + cc: Dmitry Kasatkin + cc: linux-ima-devel@lists.sourceforge.net + cc: stable@vger.kernel.org + 
Signed-off-by: James Morris + + lib/mpi/mpi-pow.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +commit 218b2fc710bd61f32c7c0cf4556aa628bccf0382 +Author: Andrey Ryabinin +Date: Thu Nov 24 13:23:03 2016 +0000 + + X.509: Fix double free in x509_cert_parse() [ver #3] + + We shouldn't free cert->pub->key in x509_cert_parse() because + x509_free_certificate() also does this: + BUG: Double free or freeing an invalid pointer + ... + Call Trace: + [] dump_stack+0x63/0x83 + [] kasan_object_err+0x21/0x70 + [] kasan_report_double_free+0x49/0x60 + [] kasan_slab_free+0x9d/0xc0 + [] kfree+0x8a/0x1a0 + [] public_key_free+0x1f/0x30 + [] x509_free_certificate+0x24/0x90 + [] x509_cert_parse+0x2bc/0x300 + [] x509_key_preparse+0x3e/0x330 + [] asymmetric_key_preparse+0x6f/0x100 + [] key_create_or_update+0x260/0x5f0 + [] SyS_add_key+0x199/0x2a0 + [] entry_SYSCALL_64_fastpath+0x1e/0xad + Object at ffff880110bd1900, in cache kmalloc-512 size: 512 + .... + Freed: + PID = 2579 + [] save_stack_trace+0x1b/0x20 + [] save_stack+0x46/0xd0 + [] kasan_slab_free+0x73/0xc0 + [] kfree+0x8a/0x1a0 + [] x509_cert_parse+0x2a3/0x300 + [] x509_key_preparse+0x3e/0x330 + [] asymmetric_key_preparse+0x6f/0x100 + [] key_create_or_update+0x260/0x5f0 + [] SyS_add_key+0x199/0x2a0 + [] entry_SYSCALL_64_fastpath+0x1e/0xad + + Fixes: db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the akcipher api") + Signed-off-by: Andrey Ryabinin + Cc: + Signed-off-by: David Howells + 
Signed-off-by: James Morris + + crypto/asymmetric_keys/x509_cert_parser.c | 1 - + 1 file changed, 1 deletion(-) + +commit 7ab38a1d2f20a0ee1646c61f69c5628868e36e1c +Author: Brad Spengler +Date: Fri Nov 25 15:04:31 2016 -0500 + + Mark RANDSTRUCT as depending on GCC_PLUGINS + + grsecurity/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +commit 4b779f90caef66bc904533a068e82ed7929a741f +Author: Brad Spengler +Date: Wed Nov 23 22:22:22 2016 -0500 + + whitespace cleanup + + mm/usercopy.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +commit fa8c4d8069e8a83b3a30bedbb7b5281cc035722e +Author: Brad Spengler +Date: Wed Nov 23 21:36:42 2016 -0500 + + Fix regression on i386 KERNEXEC introduced by KSPP ripoff of USERCOPY + + mm/usercopy.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +commit 7bde68e909b1592b4de453d16d9efd544fdcf5d7 +Merge: 104123c 41ec71c +Author: Brad Spengler +Date: Wed Nov 23 19:59:44 2016 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 41ec71c4866375c87ea6d28341bfb980ec5805f3 +Author: Brad Spengler +Date: Wed Nov 23 19:58:53 2016 -0500 + + Update to pax-linux-4.8.10-test5.patch: + - worked around a false positive initify report with KMEMCHECK, reported by spender + - fixed a compile error of the initify plugin with gcc 4.5 + - Emese fixed an infinite recursion bug in the initify plugin that triggered with certain gcc versions, reported by spender + - worked around a false positive initify report with KMEMCHECK, reported by spender + - fixed a compile error of the initify plugin with gcc 4.5 + - Emese fixed an infinite recursion bug in the initify plugin that triggered with certain gcc versions, reported by spender + + fs/exofs/super.c | 7 +- + kernel/trace/trace_printk.c | 11 +- + net/netfilter/nf_log.c | 2 +- + .../size_overflow_plugin/size_overflow.h | 8 +- + .../size_overflow_plugin/size_overflow_debug.c | 4 +- + .../size_overflow_plugin/size_overflow_ipa.c | 143 ++++++++++++++------- + 
.../size_overflow_plugin/size_overflow_plugin.c | 2 +- + .../size_overflow_plugin_hash.c | 40 +++--- + .../size_overflow_plugin/size_overflow_transform.c | 6 +- + 9 files changed, 136 insertions(+), 87 deletions(-) + +commit 104123c7083b4b405c3d94e5cbcf8d82a3c1bf3b +Author: Joerg Roedel +Date: Wed Sep 14 11:41:59 2016 +0200 + + iommu/amd: Don't put completion-wait semaphore on stack + + The semaphore used by the AMD IOMMU to signal command + completion lived on the stack until now, which was safe as + the driver busy-waited on the semaphore with IRQs disabled, + so the stack can't go away under the driver. + + But the recently introduced vmap-based stacks break this as + the physical address of the semaphore can't be determinded + easily anymore. The driver used the __pa() macro, but that + only works in the direct-mapping. The result were + Completion-Wait timeout errors seen by the IOMMU driver, + breaking system boot. + + Since putting the semaphore on the stack is bad design + anyway, move the semaphore into 'struct amd_iommu'. It is + protected by the per-iommu lock and now in the direct + mapping again. This fixes the Completion-Wait timeout errors + and makes AMD IOMMU systems boot again with vmap-based + stacks enabled. + + Reported-by: Borislav Petkov + Signed-off-by: Joerg Roedel + Cc: H. Peter Anvin + Cc: Linus Torvalds + Cc: Peter Zijlstra + Cc: Thomas Gleixner + 
Signed-off-by: Ingo Molnar + + drivers/iommu/amd_iommu.c | 51 ++++++++++++++++++++++++++++------------- + drivers/iommu/amd_iommu_types.h | 2 ++ + 2 files changed, 37 insertions(+), 16 deletions(-) + +commit fb4681fbb3ac4fbfc38c4d878a769d9521b2cadc +Merge: 5c7c04f7 2eb064c +Author: Brad Spengler +Date: Mon Nov 21 07:32:06 2016 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 2eb064cd06070c433afb5bbe06f2912c6fe4c0ca +Merge: ec40a67 cf5ae29 +Author: Brad Spengler +Date: Mon Nov 21 07:31:48 2016 -0500 + + Merge branch 'linux-4.8.y' into pax-test + +commit 5c7c04f7c8fcb7a3730b34db41a0842ef0dbed51 +Author: Brad Spengler +Date: Sat Nov 19 19:50:51 2016 -0500 + + compile fix + + drivers/platform/x86/toshiba-wmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 05eb3d0ec6643c60f794937ba562fea97f5be897 +Author: Brad Spengler +Date: Sat Nov 19 19:32:09 2016 -0500 + + compile fix + + net/netfilter/nf_log.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit fb9517eef2f4321b99e1427728ea81e7beb6709e +Author: Brad Spengler +Date: Sat Nov 19 19:26:19 2016 -0500 + + compile fix + + drivers/platform/x86/toshiba-wmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit d7be8fc340893cb7a61f295adf357433684c1412 +Author: Brad Spengler +Date: Sat Nov 19 18:50:43 2016 -0500 + + Fix an instance of DMA on stack reported by jotik + + drivers/tty/hvc/hvc_console.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +commit 491d119de68bd80666a5e0c9a45538b03a7e0359 +Merge: d06ab17 ec40a67 +Author: Brad Spengler +Date: Sat Nov 19 09:49:17 2016 -0500 + + Merge branch 'pax-test' into grsec-test + +commit ec40a67f38da6771cc50d21b8bdfef7fe85c13f9 +Merge: d10440d 8765773 +Author: Brad Spengler +Date: Sat Nov 19 09:48:59 2016 -0500 + + Merge branch 'linux-4.8.y' into pax-test + +commit d06ab1776f143f4c0f040b37b5d4be02fb4c2b2f +Author: Brad Spengler +Date: Wed Nov 16 20:06:47 2016 -0500 + + Move location of GRKERNSEC_BRUTE call, 
otherwise on systems with suid + dumping enabled, the crash of a suid/fscapped binary will not produce a + coredump as a SIGKILL to the other threads of the process will trigger + a group exit. Thanks to Michael Hu and Meenakshi Selvaraj for the report! + + fs/coredump.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +commit 2deb6e90bf515a547273218c9e5e80362cedf5f4 +Merge: 538290f d10440d +Author: Brad Spengler +Date: Tue Nov 15 07:22:21 2016 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d10440da199a8c4601cf572c85c240b391d7ff1c +Author: Brad Spengler +Date: Tue Nov 15 07:21:39 2016 -0500 + + Forward-port PaX INITIFY updates: + - Emese fixed an infinite recursion bug in the initify plugin that triggered with certain gcc versions, reported by spender + - fixed a copy-paste error in the previous initify compile error fix + + scripts/gcc-plugins/initify_plugin.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +commit 538290f125d86e96ca1cb58ec6b6dc42c6df94f5 +Merge: 29790c8 0651bb9 +Author: Brad Spengler +Date: Tue Nov 15 07:16:37 2016 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 0651bb9a29497614f2ac8907576e13c25d14417d +Merge: 3dccfc8 61385cc +Author: Brad Spengler +Date: Tue Nov 15 07:16:23 2016 -0500 + + Merge branch 'linux-4.8.y' into pax-test + +commit 29790c808b36fed3643adb45a52ddd1eaf215d5a +Merge: 884f7d7 3dccfc8 +Author: Brad Spengler +Date: Mon Nov 14 21:55:00 2016 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 3dccfc8eb94c31bb44f90f2d5673867d47ceeae1 +Author: Brad Spengler +Date: Mon Nov 14 21:53:56 2016 -0500 + + Forward-ported PaX updates (so all patches can be released tonight): + - worked around a false positive initify report with KMEMCHECK, reported by spender + - fixed a compile error of the initify plugin with gcc 4.5 + + lib/Kconfig.kmemcheck | 1 + + scripts/gcc-plugins/initify_plugin.c | 8 ++++++++ + 2 files changed, 9 insertions(+) + +commit 
884f7d7137f2cb388491c398a22b555c9e04bd3b +Author: Brad Spengler +Date: Mon Nov 14 08:52:36 2016 -0500 + + re-enable INITIFY + + security/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +commit 1199c8fee72e0204eef6e517acf1d17e1edb35d0 +Author: Brad Spengler +Date: Sat Nov 12 09:28:52 2016 -0500 + + always clear after restore + + kernel/power/snapshot.c | 2 -- + 1 file changed, 2 deletions(-) + +commit 6ee3a03e6b4610d3a4c8536222e613c9381d310a +Author: Brad Spengler +Date: Sat Nov 12 07:48:59 2016 -0500 + + Remove duplicate function definition caused by bad git merge + Thanks to Toralf Foerster for the report + + kernel/power/snapshot.c | 20 -------------------- + 1 file changed, 20 deletions(-) + commit 972fc7c4ab01bed5011f92621c0235a29b964321 Merge: b797a7f 179609c Author: Brad Spengler
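Review bot: The added entry for commit 41ec71c4866375c87ea6d28341bfb980ec5805f3 ("Update to pax-linux-4.8.10-test5.patch") carries its three changelog bullets twice (the KMEMCHECK initify false positive, the gcc 4.5 initify compile error, and the initify infinite recursion fix), so anything that counts or compares bullets per commit against this fixture will see six items where only three are distinct. Either record in the test that the duplication is expected verbatim input, or deduplicate when the fixture is consumed. Also in this hunk, the entry for commit 4d51197ad44024df9dcb2f8f3bc871d5cc185808 opens with the "Not unpriv privilege escalation on any version of grsecurity" commentary ahead of the upstream subject "packet: fix race condition in packet_set_ring", so a consumer that treats the first message line as the commit subject will pick up the commentary instead of the subject. That shape deserves an explicit test case or a comment where the fixture is used.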