packages: kernel/kernel-grsec_full.patch, kernel/kernel-pax.config, kernel/...

mguevara mguevara at pld-linux.org
Wed Aug 19 14:30:14 CEST 2009


Author: mguevara                     Date: Wed Aug 19 12:30:14 2009 GMT
Module: packages                      Tag: HEAD
---- Log message:
- up to 2.6.30.5-0.1, CVE-2009-2692
- kernel-vserver-2.3.patch updated to interdiff between 
  patch-2.6.30.5-vs2.3.0.36.14-pre5.diff and 
  patch-2.6.30.4-vs2.3.0.36.14-pre4.diff 
- kernel-grsec_full.patch updated based on pax-linux-2.6.30.5-test22.patch
- enabled PAX_REFCOUNT and PAX_NOELFRELOCS in kernel-pax.config
  (only for --with pax bcond)
- commented out patch250 kernel-intel-2009q2-against-2.6.30.1.patch

---- Files affected:
packages/kernel:
   kernel-grsec_full.patch (1.9 -> 1.10) , kernel-pax.config (1.3 -> 1.4) , kernel-vserver-2.3.patch (1.13 -> 1.14) , kernel.spec (1.692 -> 1.693) 

---- Diffs:

================================================================
Index: packages/kernel/kernel-grsec_full.patch
diff -u packages/kernel/kernel-grsec_full.patch:1.9 packages/kernel/kernel-grsec_full.patch:1.10
--- packages/kernel/kernel-grsec_full.patch:1.9	Sun Aug 16 20:53:21 2009
+++ packages/kernel/kernel-grsec_full.patch	Wed Aug 19 14:30:08 2009
@@ -37741,24 +37741,6 @@
  #endif
  #endif
  
-@@ -571,7 +599,7 @@ void mm_release(struct task_struct *tsk,
- 	if (tsk->clear_child_tid
- 	    && !(tsk->flags & PF_SIGNALED)
- 	    && atomic_read(&mm->mm_users) > 1) {
--		u32 __user * tidptr = tsk->clear_child_tid;
-+		pid_t __user * tidptr = tsk->clear_child_tid;
- 		tsk->clear_child_tid = NULL;
- 
- 		/*
-@@ -579,7 +607,7 @@ void mm_release(struct task_struct *tsk,
- 		 * not set up a proper pointer then tough luck.
- 		 */
- 		put_user(0, tidptr);
--		sys_futex(tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
-+		sys_futex((u32 __user *)tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
- 	}
- }
- 
 @@ -695,7 +723,7 @@ static int copy_fs(unsigned long clone_f
  			write_unlock(&fs->lock);
  			return -EAGAIN;
@@ -44525,18 +44507,6 @@
  	if (limit < 64*1024)
  		pack_descriptor(&d, base, limit, 0x80 | DESCTYPE_S | 0x3, 0x4);
  	else
-diff -u linux-2.6.30.4/arch/x86/kernel/vmi_32.c linux-2.6.30.4/arch/x86/kernel/vmi_32.c
---- linux-2.6.30.4/arch/x86/kernel/vmi_32.c	2009-07-30 09:48:09.962543704 -0400
-+++ linux-2.6.30.4/arch/x86/kernel/vmi_32.c	2009-08-12 21:15:21.104308164 -0400
-@@ -466,7 +466,7 @@
- 	ap.ds = __KERNEL_DS;
- 	ap.es = __KERNEL_DS;
- 	ap.fs = __KERNEL_PERCPU;
--	ap.gs = 0;
-+	ap.gs = __KERNEL_STACK_CANARY;
- 
- 	ap.eflags = 0;
- 
 diff -u linux-2.6.30.4/arch/x86/kernel/vmlinux_64.lds.S linux-2.6.30.4/arch/x86/kernel/vmlinux_64.lds.S
 --- linux-2.6.30.4/arch/x86/kernel/vmlinux_64.lds.S	2009-07-30 19:56:23.500027109 -0400
 +++ linux-2.6.30.4/arch/x86/kernel/vmlinux_64.lds.S	2009-08-01 08:46:06.438873305 -0400
@@ -44802,20 +44772,6 @@
  /*
   * NOTE: do not add new entries to this table unless you have read
   * Documentation/sysctl/ctl_unnumbered.txt
-diff -u linux-2.6.30.4/net/socket.c linux-2.6.30.4/net/socket.c
---- linux-2.6.30.4/net/socket.c	2009-07-30 11:29:24.032618401 -0400
-+++ linux-2.6.30.4/net/socket.c	2009-08-13 20:40:32.961482335 -0400
-@@ -752,7 +752,7 @@
- 	if (more)
- 		flags |= MSG_MORE;
- 
--	return sock->ops->sendpage(sock, page, offset, size, flags);
-+	return kernel_sendpage(sock, page, offset, size, flags);
- }
- 
- static ssize_t sock_splice_read(struct file *file, loff_t *ppos,
-only in patch2:
-unchanged:
 --- linux-2.6.30.4/arch/x86/lguest/Kconfig	2009-07-24 17:47:51.000000000 -0400
 +++ linux-2.6.30.4/arch/x86/lguest/Kconfig	2009-08-02 09:47:36.165378342 -0400
 @@ -3,6 +3,7 @@ config LGUEST_GUEST

================================================================
Index: packages/kernel/kernel-pax.config
diff -u packages/kernel/kernel-pax.config:1.3 packages/kernel/kernel-pax.config:1.4
--- packages/kernel/kernel-pax.config:1.3	Fri Jul 31 12:02:33 2009
+++ packages/kernel/kernel-pax.config	Wed Aug 19 14:30:08 2009
@@ -24,7 +24,8 @@
 CONFIG_PAX_MPROTECT=y
 CONFIG_PAX_ETEXECRELOCS=y
 # CONFIG_PAX_EMUPLT is not set
-# CONFIG_PAX_NOELFRELOCS is not set
+CONFIG_PAX_NOELFRELOCS=y
+CONFIG_PAX_KERNEXEC=y
 
 #
 # Address Space Layout Randomization
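Review bot: `CONFIG_PAX_NOELFRELOCS=y` is added two lines below the context line `CONFIG_PAX_ETEXECRELOCS=y`, and the two read as opposite policies: one permits text relocations in ET_EXEC binaries, the other forbids ELF text relocations. If the PaX Kconfig makes them mutually exclusive, which cannot be confirmed from this hunk, the config merge will silently drop one of them and the built kernel will not match this file. Check the generated .config for both symbols after a `--with pax` build and keep only the one intended. The commit also moves `CONFIG_PAX_KERNEXEC=y` up from the end of the file (see the second hunk), which the log message does not mention.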
@@ -38,8 +39,6 @@
 # Miscellaneous hardening features
 #
 # CONFIG_PAX_MEMORY_SANITIZE is not set
-# CONFIG_PAX_REFCOUNT is not set
+CONFIG_PAX_REFCOUNT=y
 CONFIG_PAX_USERCOPY=y
 CONFIG_PAX_MEMORY_UDEREF=y
-
-CONFIG_PAX_KERNEXEC=y

================================================================
Index: packages/kernel/kernel-vserver-2.3.patch
diff -u packages/kernel/kernel-vserver-2.3.patch:1.13 packages/kernel/kernel-vserver-2.3.patch:1.14
--- packages/kernel/kernel-vserver-2.3.patch:1.13	Tue Jul 28 10:58:19 2009
+++ packages/kernel/kernel-vserver-2.3.patch	Wed Aug 19 14:30:08 2009
@@ -10710,7 +10710,7 @@
 diff -NurpP --minimal linux-2.6.30.2/include/linux/vserver/limit_cmd.h linux-2.6.30.2-vs2.3.0.36.14-pre4/include/linux/vserver/limit_cmd.h
 --- linux-2.6.30.2/include/linux/vserver/limit_cmd.h	1970-01-01 01:00:00.000000000 +0100
 +++ linux-2.6.30.2-vs2.3.0.36.14-pre4/include/linux/vserver/limit_cmd.h	2009-07-04 01:11:39.000000000 +0200
-@@ -0,0 +1,69 @@
+@@ -0,0 +1,71 @@
 +#ifndef _VX_LIMIT_CMD_H
 +#define _VX_LIMIT_CMD_H
 +
@@ -10720,6 +10720,7 @@
 +#define VCMD_get_rlimit		VC_CMD(RLIMIT, 1, 0)
 +#define VCMD_set_rlimit		VC_CMD(RLIMIT, 2, 0)
 +#define VCMD_get_rlimit_mask	VC_CMD(RLIMIT, 3, 0)
++#define VCMD_reset_hits		VC_CMD(RLIMIT, 7, 0)
 +#define VCMD_reset_minmax	VC_CMD(RLIMIT, 9, 0)
 +
 +struct	vcmd_ctx_rlimit_v0 {
@@ -10767,6 +10768,7 @@
 +extern int vc_get_rlimit_mask(uint32_t, void __user *);
 +extern int vc_get_rlimit(struct vx_info *, void __user *);
 +extern int vc_set_rlimit(struct vx_info *, void __user *);
++extern int vc_reset_hits(struct vx_info *, void __user *);
 +extern int vc_reset_minmax(struct vx_info *, void __user *);
 +
 +extern int vc_rlimit_stat(struct vx_info *, void __user *);
@@ -20027,7 +20029,7 @@
 diff -NurpP --minimal linux-2.6.30.2/kernel/vserver/limit.c linux-2.6.30.2-vs2.3.0.36.14-pre4/kernel/vserver/limit.c
 --- linux-2.6.30.2/kernel/vserver/limit.c	1970-01-01 01:00:00.000000000 +0100
 +++ linux-2.6.30.2-vs2.3.0.36.14-pre4/kernel/vserver/limit.c	2009-07-04 01:11:39.000000000 +0200
-@@ -0,0 +1,319 @@
+@@ -0,0 +1,333 @@
 +/*
 + *  linux/kernel/vserver/limit.c
 + *
@@ -20233,6 +20235,21 @@
 +}
 +
 +
++static inline void vx_reset_hits(struct _vx_limit *limit)
++{
++       int lim;
++
++       for (lim = 0; lim < NUM_LIMITS; lim++) {
++               atomic_set(&__rlim_lhit(limit, lim), 0);
++       }
++}
++
++int vc_reset_hits(struct vx_info *vxi, void __user *data)
++{
++       vx_reset_hits(&vxi->limit);
++       return 0;
++}
++
 +static inline void vx_reset_minmax(struct _vx_limit *limit)
 +{
 +	rlim_t value;
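Review bot: The added `vx_reset_hits()` and `vc_reset_hits()` lines are indented with spaces, while neighbouring lines of the patch (for example `rlim_t value;` in vx_reset_minmax) use tabs. The same holds for the new `case VCMD_reset_hits:` and `__VCMD(reset_hits, ...)` lines in the switch.c hunks; re-indent with tabs and drop the braces around the single-statement loop body to match kernel style. `vc_reset_hits()` never reads `data`, so a comment such as `/* data is unused: this command takes no argument */` would make that explicit. Clearing the limit-hit counters discards the record that a context ran into its limits, so confirm that the `VCA_VXI, 0` table entry gives the intended access control; the permission check itself is outside these hunks. vx_reset_minmax continues past the end of this hunk.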
@@ -23627,7 +23644,7 @@
 diff -NurpP --minimal linux-2.6.30.2/kernel/vserver/switch.c linux-2.6.30.2-vs2.3.0.36.14-pre4/kernel/vserver/switch.c
 --- linux-2.6.30.2/kernel/vserver/switch.c	1970-01-01 01:00:00.000000000 +0100
 +++ linux-2.6.30.2-vs2.3.0.36.14-pre4/kernel/vserver/switch.c	2009-07-04 01:11:39.000000000 +0200
-@@ -0,0 +1,543 @@
+@@ -0,0 +1,546 @@
 +/*
 + *  linux/kernel/vserver/switch.c
 + *
@@ -23752,6 +23769,8 @@
 +#endif
 +	case VCMD_get_rlimit_mask:
 +		return vc_get_rlimit_mask(id, data);
++       case VCMD_reset_hits:
++               return vc_reset_hits(vxi, data);
 +	case VCMD_reset_minmax:
 +		return vc_reset_minmax(vxi, data);
 +
@@ -23950,6 +23969,7 @@
 +
 +	/* info commands */
 +	__VCMD(task_xid,	 2, VCA_NONE,	0);
++       __VCMD(reset_hits,       2, VCA_VXI,    0);
 +	__VCMD(reset_minmax,	 2, VCA_VXI,	0);
 +	__VCMD(vx_info,		 3, VCA_VXI,	VCF_INFO);
 +	__VCMD(get_bcaps,	 3, VCA_VXI,	VCF_INFO);
@@ -25316,7 +25336,7 @@
  		/*
  		 * Increment the counter in the same struct proto as the master
  		 * sock (sk_refcnt_debug_inc uses newsk->sk_prot->socks, that
-@@ -1794,6 +1813,11 @@ void sock_init_data(struct socket *sock,
+@@ -1794,6 +1813,12 @@ void sock_init_data(struct socket *sock,
  
  	sk->sk_stamp = ktime_set(-1L, 0);
  
@@ -25325,9 +25345,10 @@
 +	vx_sock_inc(sk);
 +	set_nx_info(&sk->sk_nx_info, current->nx_info);
 +	sk->sk_nid = nx_current_nid();
- 	atomic_set(&sk->sk_refcnt, 1);
- 	atomic_set(&sk->sk_drops, 0);
- }
++
+ 	/*
+ 	 * Before updating sk_refcnt, we must commit prior changes to memory
+ 	 * (Documentation/RCU/rculist_nulls.txt for details)
 diff -NurpP --minimal linux-2.6.30.2/net/ipv4/af_inet.c linux-2.6.30.2-vs2.3.0.36.14-pre4/net/ipv4/af_inet.c
 --- linux-2.6.30.2/net/ipv4/af_inet.c	2009-06-11 17:13:29.000000000 +0200
 +++ linux-2.6.30.2-vs2.3.0.36.14-pre4/net/ipv4/af_inet.c	2009-07-04 01:11:39.000000000 +0200

================================================================
Index: packages/kernel/kernel.spec
diff -u packages/kernel/kernel.spec:1.692 packages/kernel/kernel.spec:1.693
--- packages/kernel/kernel.spec:1.692	Sun Aug 16 20:53:42 2009
+++ packages/kernel/kernel.spec	Wed Aug 19 14:30:08 2009
@@ -113,8 +113,8 @@
 %endif
 
 %define		basever		2.6.30
-%define		postver		.4
-%define		rel		0.3
+%define		postver		.5
+%define		rel		0.1
 
 %define		_enable_debug_packages			0
 
@@ -158,7 +158,7 @@
 # Source0-md5:	7a80058a6382e5108cdb5554d1609615
 %if "%{postver}" != "%{nil}"
 Source1:	http://www.kernel.org/pub/linux/kernel/v2.6/patch-%{version}.bz2
-# Source1-md5:	d0fc44b54ba5953140b3f2aa9a1f2580
+# Source1-md5:	47841c7ff5c81a7b349a79f2fa8e9138
 %endif
 
 Source3:	kernel-autoconf.h
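Review bot: The updated `# Source1-md5:` line is the only integrity pin visible for a kernel patch that `Source1` fetches over plain `http://`, and MD5 does not resist deliberate collisions. Before recording the digest, verify the downloaded patch against kernel.org's detached signature, so the pinned value is known to describe the authentic file rather than whatever the mirror returned.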
@@ -895,7 +895,8 @@
 #patch200 -p1
 %endif
 
-%patch250 -p1
+# intel stuff - all included in 2.6.30.5 ?
+#patch250 -p1
 
 # routes
 %patch300 -p1
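Review bot: The comment `# intel stuff - all included in 2.6.30.5 ?` ends in a question mark, so patch250 is disabled on an unverified assumption; if any part of it is not upstream, the package silently loses those changes. Confirm with a reverse dry-run of the patch against the 2.6.30.5 tree and record the result, e.g. `# patch250 dropped: merged upstream in 2.6.30.5`. The matching Patch250 source declaration is outside this hunk and presumably still present; remove it too once the check passes, so the spec does not ship an unused patch.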
@@ -1576,6 +1577,16 @@
 All persons listed below can be reached at <cvs_login>@pld-linux.org
 
 $Log$
+Revision 1.693  2009/08/19 12:30:08  mguevara
+- up to 2.6.30.5-0.1, CVE-2009-2692
+- kernel-vserver-2.3.patch updated to interdiff between
+  patch-2.6.30.5-vs2.3.0.36.14-pre5.diff and
+  patch-2.6.30.4-vs2.3.0.36.14-pre4.diff
+- kernel-grsec_full.patch updated based on pax-linux-2.6.30.5-test22.patch
+- enabled PAX_REFCOUNT and PAX_NOELFRELOCS in kernel-pax.config
+  (only for --with pax bcond)
+- commented out patch250 kernel-intel-2009q2-against-2.6.30.1.patch
+
 Revision 1.692  2009/08/16 18:53:42  arekm
 - apply interdiff to grsecurity-2.1.14-2.6.30.4-200908132040.patch
 
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel-grsec_full.patch?r1=1.9&r2=1.10&f=u
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel-pax.config?r1=1.3&r2=1.4&f=u
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel-vserver-2.3.patch?r1=1.13&r2=1.14&f=u
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel.spec?r1=1.692&r2=1.693&f=u


