authorAnthony G. Basile <blueness@gentoo.org>2016-01-30 07:37:58 -0500
committerAnthony G. Basile <blueness@gentoo.org>2016-01-30 07:37:58 -0500
commit92b230adb84942fe6bf8d05cc6012ce0f98050a7 (patch)
treefaedc0bd9ec623e3e3a7908bd477fc8df6b64f7a
parentgrsecurity-3.1-4.3.4-201601261954 (diff)
grsecurity-3.1-4.3.4-20160129220620160129
-rw-r--r--4.3.4/0000_README2
-rw-r--r--4.3.4/4420_grsecurity-3.1-4.3.4-201601292206.patch (renamed from 4.3.4/4420_grsecurity-3.1-4.3.4-201601261954.patch)204
2 files changed, 179 insertions, 27 deletions
diff --git a/4.3.4/0000_README b/4.3.4/0000_README
index 158f0b1..ce73e44 100644
--- a/4.3.4/0000_README
+++ b/4.3.4/0000_README
@@ -6,7 +6,7 @@ Patch: 1003_linux-4.3.4.patch
From: http://www.kernel.org
Desc: Linux 4.3.4
-Patch: 4420_grsecurity-3.1-4.3.4-201601261954.patch
+Patch: 4420_grsecurity-3.1-4.3.4-201601292206.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.3.4/4420_grsecurity-3.1-4.3.4-201601261954.patch b/4.3.4/4420_grsecurity-3.1-4.3.4-201601292206.patch
index f866bc7..92cf754 100644
--- a/4.3.4/4420_grsecurity-3.1-4.3.4-201601261954.patch
+++ b/4.3.4/4420_grsecurity-3.1-4.3.4-201601292206.patch
@@ -75860,14 +75860,17 @@ index 155f842..89922d8 100644
file = aio_private_file(ctx, nr_pages);
diff --git a/fs/attr.c b/fs/attr.c
-index 6530ced..4a827e2 100644
+index 6530ced..559e5e6 100644
--- a/fs/attr.c
+++ b/fs/attr.c
-@@ -102,6 +102,7 @@ int inode_newsize_ok(const struct inode *inode, loff_t offset)
+@@ -102,6 +102,10 @@ int inode_newsize_ok(const struct inode *inode, loff_t offset)
unsigned long limit;
limit = rlimit(RLIMIT_FSIZE);
-+ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
++ if (offset > ULONG_MAX)
++ gr_learn_resource(current, RLIMIT_FSIZE, ULONG_MAX, 1);
++ else if (offset > 0)
++ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
if (limit != RLIM_INFINITY && offset > limit)
goto out_sig;
if (offset > inode->i_sb->s_maxbytes)
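Review bot: The new `if (offset > ULONG_MAX)` branch cannot be taken on 64-bit builds: offset is a signed 64-bit loff_t, so the comparison is done after converting it to unsigned and no value exceeds ULONG_MAX; a negative offset therefore falls through to the `else if (offset > 0)` test and is simply not reported, which looks like the intended outcome. On 32-bit builds the comparison happens in 64 bits and the clamp is real, so the branch is not dead there, and a comment such as `/* 32-bit: clamp to unsigned long; negative offsets are not a resource use */` would keep a later reader from deleting it as unreachable. Compilers run with -Wtype-limits may flag the always-false comparison on LP64 targets. inode_newsize_ok's body continues outside the hunk.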
@@ -77631,7 +77634,7 @@ index b406a32..243eb1c 100644
GLOBAL_EXTERN atomic_t smBufAllocCount;
GLOBAL_EXTERN atomic_t midCount;
diff --git a/fs/cifs/file.c b/fs/cifs/file.c
-index 62203c3..93267bf 100644
+index 62203c3..fa2d9b3 100644
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -2054,10 +2054,14 @@ static int cifs_writepages(struct address_space *mapping,
@@ -77652,6 +77655,15 @@ index 62203c3..93267bf 100644
scanned = true;
}
server = cifs_sb_master_tcon(cifs_sb)->ses->server;
+@@ -2531,7 +2535,7 @@ cifs_write_from_iter(loff_t offset, size_t len, struct iov_iter *from,
+ wdata->pid = pid;
+ wdata->bytes = cur_len;
+ wdata->pagesz = PAGE_SIZE;
+- wdata->tailsz = cur_len - ((nr_pages - 1) * PAGE_SIZE);
++ wdata->tailsz = cur_len - nr_pages * PAGE_SIZE + PAGE_SIZE;
+ wdata->credits = credits;
+
+ if (!wdata->cfile->invalidHandle ||
diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
index 8442b8b..ea6986f 100644
--- a/fs/cifs/misc.c
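Review bot: `wdata->tailsz = cur_len - nr_pages * PAGE_SIZE + PAGE_SIZE;` is the same value as the line it replaces under unsigned modular arithmetic, so the only evident reason to touch it is the size_overflow plugin: the uconst_neg_intentional_overflow() recognizer added elsewhere in this patch cites exactly this expression in its header comment. Without a comment the next reader will fold it back into the `(nr_pages - 1) * PAGE_SIZE` form; suggest `/* keep this shape: the size_overflow plugin pattern-matches the (nr_pages - 1) * PAGE_SIZE form */` above the assignment. The same applies to the calc_max_reserv() rewrite in fs/gfs2/file.c below (`max_blocks - 3 * sdp->sd_max_height + 3`). cifs_write_from_iter's body continues outside the hunk.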
@@ -82037,6 +82049,19 @@ index ebb5e37..beae05b 100644
do_wakeup = 1;
}
+diff --git a/fs/gfs2/file.c b/fs/gfs2/file.c
+index cf4ab89..5a00960 100644
+--- a/fs/gfs2/file.c
++++ b/fs/gfs2/file.c
+@@ -781,7 +781,7 @@ static void calc_max_reserv(struct gfs2_inode *ip, loff_t *len,
+ {
+ loff_t max = *len;
+ const struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode);
+- unsigned int tmp, max_data = max_blocks - 3 * (sdp->sd_max_height - 1);
++ unsigned int tmp, max_data = max_blocks - 3 * sdp->sd_max_height + 3;
+
+ for (tmp = max_data; tmp > sdp->sd_diptrs;) {
+ tmp = DIV_ROUND_UP(tmp, sdp->sd_inptrs);
diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
index 9bd1244..b8c82d9 100644
--- a/fs/gfs2/glock.c
@@ -112918,6 +112943,46 @@ index 6d2a119..ac24f34 100644
static inline void put_prev_task(struct rq *rq, struct task_struct *prev)
{
+diff --git a/kernel/seccomp.c b/kernel/seccomp.c
+index 5bd4779..6bf906d 100644
+--- a/kernel/seccomp.c
++++ b/kernel/seccomp.c
+@@ -316,24 +316,24 @@ static inline void seccomp_sync_threads(void)
+ put_seccomp_filter(thread);
+ smp_store_release(&thread->seccomp.filter,
+ caller->seccomp.filter);
++
++ /*
++ * Don't let an unprivileged task work around
++ * the no_new_privs restriction by creating
++ * a thread that sets it up, enters seccomp,
++ * then dies.
++ */
++ if (task_no_new_privs(caller))
++ task_set_no_new_privs(thread);
++
+ /*
+ * Opt the other thread into seccomp if needed.
+ * As threads are considered to be trust-realm
+ * equivalent (see ptrace_may_access), it is safe to
+ * allow one thread to transition the other.
+ */
+- if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) {
+- /*
+- * Don't let an unprivileged task work around
+- * the no_new_privs restriction by creating
+- * a thread that sets it up, enters seccomp,
+- * then dies.
+- */
+- if (task_no_new_privs(caller))
+- task_set_no_new_privs(thread);
+-
++ if (thread->seccomp.mode == SECCOMP_MODE_DISABLED)
+ seccomp_assign_mode(thread, SECCOMP_MODE_FILTER);
+- }
+ }
+ }
+
diff --git a/kernel/signal.c b/kernel/signal.c
index 0f6bbbe..4791c7d 100644
--- a/kernel/signal.c
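Review bot: The moved no_new_privs propagation now reaches every synced thread instead of only those still in SECCOMP_MODE_DISABLED, closing the gap the existing comment describes for a thread that already carries a filter, but nothing in the hunk records that this appears to be a backport of the mainline fix titled "seccomp: always propagate NO_NEW_PRIVS on tsync". A grsecurity patch carrying a stable fix without a marker is hard to drop once the stable series picks it up; suggest a one-line comment above the moved block, e.g. `/* backport: propagate NNP before the mode check (upstream "seccomp: always propagate NO_NEW_PRIVS on tsync") */`, or a note in the patch description. seccomp_sync_threads's body begins outside the hunk.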
@@ -150284,10 +150349,10 @@ index 0000000..cc20d48
+#endif
diff --git a/tools/gcc/size_overflow_plugin/intentional_overflow.c b/tools/gcc/size_overflow_plugin/intentional_overflow.c
new file mode 100644
-index 0000000..7d9135d
+index 0000000..bd18a67
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/intentional_overflow.c
-@@ -0,0 +1,1032 @@
+@@ -0,0 +1,1116 @@
+/*
+ * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
+ * Licensed under the GPL v2, or (at your option) v3
@@ -150495,9 +150560,6 @@ index 0000000..7d9135d
+ switch (TREE_CODE(node)) {
+ case COMPONENT_REF:
+ cur_decl = search_field_decl(node);
-+ // !!! temporarily ignore bitfield types
-+ if (DECL_BIT_FIELD_TYPE(cur_decl))
-+ return MARK_YES;
+ if (is_turn_off_intentional_attr(cur_decl))
+ return MARK_TURN_OFF;
+ if (is_end_intentional_intentional_attr(cur_decl))
@@ -150526,9 +150588,6 @@ index 0000000..7d9135d
+ break;
+ }
+ case FIELD_DECL:
-+ // !!! temporarily ignore bitfield types
-+ if (DECL_BIT_FIELD_TYPE(node))
-+ return MARK_YES;
+ case VAR_DECL:
+ if (is_end_intentional_intentional_attr(node))
+ return MARK_END_INTENTIONAL;
@@ -151320,6 +151379,96 @@ index 0000000..7d9135d
+ add_rhs2 = gimple_assign_rhs2(add_stmt);
+ return check_add_stmt(add_rhs2);
+}
++
++/* True:
++ * _25 = (<unnamed-unsigned:1>) _24;
++ * r_5(D)->stereo = _25;
++ */
++bool is_bitfield_unnamed_cast(const_tree decl, gassign *assign)
++{
++ const_tree rhs, type;
++ gimple def_stmt;
++
++ if (TREE_CODE(decl) != FIELD_DECL)
++ return false;
++ if (!DECL_BIT_FIELD_TYPE(decl))
++ return false;
++ if (gimple_num_ops(assign) != 2)
++ return false;
++
++ rhs = gimple_assign_rhs1(assign);
++ if (is_gimple_constant(rhs))
++ return false;
++ type = TREE_TYPE(rhs);
++ if (TREE_CODE(type) == BOOLEAN_TYPE)
++ return false;
++
++ def_stmt = get_def_stmt(rhs);
++ if (!gimple_assign_cast_p(def_stmt))
++ return false;
++ return TYPE_PRECISION(type) < CHAR_TYPE_SIZE;
++}
++
++static bool is_mult_const(const_tree lhs)
++{
++ const_gimple def_stmt;
++ const_tree rhs1, rhs2;
++
++ def_stmt = get_def_stmt(lhs);
++ if (!def_stmt || gimple_assign_rhs_code(def_stmt) != MULT_EXPR)
++ return false;
++
++ rhs1 = gimple_assign_rhs1(def_stmt);
++ rhs2 = gimple_assign_rhs2(def_stmt);
++ if (is_gimple_constant(rhs1))
++ return !is_lt_signed_type_max(rhs1);
++ else if (is_gimple_constant(rhs2))
++ return !is_lt_signed_type_max(rhs2);
++ return false;
++}
++
++/* True:
++ * fs/cifs/file.c cifs_write_from_iter()
++ * u32 = u64 - (u64 - constant) * constant
++ * wdata->tailsz = cur_len - (nr_pages - 1) * PAGE_SIZE;
++ *
++ * _51 = _50 * 4294963200;
++ * _52 = _49 + _51;
++ * _53 = _52 + 4096;
++ */
++
++bool uconst_neg_intentional_overflow(struct visited *visited, const gassign *stmt)
++{
++ const_gimple def_stmt;
++ const_tree noconst_rhs;
++ tree rhs1, rhs2;
++
++ // _53 = _52 + const;
++ if (gimple_assign_rhs_code(stmt) != PLUS_EXPR)
++ return false;
++ rhs1 = gimple_assign_rhs1(stmt);
++ rhs2 = gimple_assign_rhs2(stmt);
++ if (is_gimple_constant(rhs1))
++ noconst_rhs = rhs2;
++ else if (is_gimple_constant(rhs2))
++ noconst_rhs = rhs1;
++ else
++ return false;
++ def_stmt = get_def_stmt(noconst_rhs);
++
++ // _52 = _49 + _51;
++ if (!def_stmt)
++ return false;
++ if (gimple_assign_rhs_code(def_stmt) != PLUS_EXPR)
++ return false;
++ rhs1 = gimple_assign_rhs1(def_stmt);
++ rhs2 = gimple_assign_rhs2(def_stmt);
++ if (is_gimple_constant(rhs1) || is_gimple_constant(rhs2))
++ return false;
++
++ // _51 = _50 * gt signed type max;
++ return is_mult_const(rhs1) || is_mult_const(rhs2);
++}
diff --git a/tools/gcc/size_overflow_plugin/remove_unnecessary_dup.c b/tools/gcc/size_overflow_plugin/remove_unnecessary_dup.c
new file mode 100644
index 0000000..5622b51
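Review bot: In is_bitfield_unnamed_cast() the result of `def_stmt = get_def_stmt(rhs);` is handed straight to gimple_assign_cast_p(), while the two sibling functions added below (is_mult_const and uconst_neg_intentional_overflow) both test `if (!def_stmt)` first; if get_def_stmt() can return NULL, as those checks suggest, a non-SSA rhs would dereference a null statement here. Change the test to `if (!def_stmt || !gimple_assign_cast_p(def_stmt)) return false;`. Separately, `visited` is never read in uconst_neg_intentional_overflow(); either drop it from the signature and the prototype in size_overflow.h or mark it unused. is_mult_const() and the second stage of uconst_neg_intentional_overflow() call gimple_assign_rhs_code() on a defining statement that may not be a GIMPLE_ASSIGN (a PHI or call can also define an SSA name), which is worth guarding with is_gimple_assign() unless get_def_stmt() already filters for that.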
@@ -151465,10 +151614,10 @@ index 0000000..5622b51
+
diff --git a/tools/gcc/size_overflow_plugin/size_overflow.h b/tools/gcc/size_overflow_plugin/size_overflow.h
new file mode 100644
-index 0000000..5fd6c28
+index 0000000..ee57a00
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow.h
-@@ -0,0 +1,323 @@
+@@ -0,0 +1,325 @@
+#ifndef SIZE_OVERFLOW_H
+#define SIZE_OVERFLOW_H
+
@@ -151673,6 +151822,8 @@ index 0000000..5fd6c28
+extern enum intentional_overflow_type add_mul_intentional_overflow(const gassign *stmt);
+extern void unsigned_signed_cast_intentional_overflow(struct visited *visited, gassign *stmt);
+extern bool neg_short_add_intentional_overflow(gassign *stmt);
++extern bool is_bitfield_unnamed_cast(const_tree decl, gassign *assign);
++extern bool uconst_neg_intentional_overflow(struct visited *visited, const gassign *stmt);
+
+
+// insert_size_overflow_asm.c
@@ -175586,12 +175737,12 @@ index 0000000..6075e8f
+
diff --git a/tools/gcc/size_overflow_plugin/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin/size_overflow_plugin.c
new file mode 100644
-index 0000000..f1cc040
+index 0000000..f50c635
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow_plugin.c
@@ -0,0 +1,318 @@
+/*
-+ * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
++ * Copyright 2011-2016 by Emese Revfy <re.emese@gmail.com>
+ * Licensed under the GPL v2, or (at your option) v3
+ *
+ * Homepage:
@@ -175621,7 +175772,7 @@ index 0000000..f1cc040
+tree size_overflow_type_TI;
+
+static struct plugin_info size_overflow_plugin_info = {
-+ .version = "20151201",
++ .version = "20160128",
+ .help = "no-size-overflow\tturn off size overflow checking\n",
+};
+
@@ -176268,10 +176419,10 @@ index 0000000..317cd6c
+
diff --git a/tools/gcc/size_overflow_plugin/size_overflow_transform.c b/tools/gcc/size_overflow_plugin/size_overflow_transform.c
new file mode 100644
-index 0000000..8f42c7e
+index 0000000..f9de78e
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow_transform.c
-@@ -0,0 +1,749 @@
+@@ -0,0 +1,745 @@
+/*
+ * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
+ * Licensed under the GPL v2, or (at your option) v3
@@ -176457,9 +176608,6 @@ index 0000000..8f42c7e
+
+ if (skip_types(orig_node))
+ return head;
-+ // !!! temporarily ignore bitfield types
-+ if (orig_code == FIELD_DECL && DECL_BIT_FIELD_TYPE(orig_node))
-+ return head;
+
+ // find a defining marked caller argument or struct field for arg
+ if (check_intentional_size_overflow_asm_and_attribute(orig_node) != MARK_NO)
@@ -176818,8 +176966,7 @@ index 0000000..8f42c7e
+ if (DECL_NAME(decl) == NULL_TREE)
+ return head;
+
-+ // !!! temporarily ignore bitfield types
-+ if (TREE_CODE(decl) == FIELD_DECL && DECL_BIT_FIELD_TYPE(decl))
++ if (is_bitfield_unnamed_cast(decl, assign))
+ return head;
+
+ next_node = get_interesting_function_next_node(decl, 0);
@@ -177023,10 +177170,10 @@ index 0000000..8f42c7e
+}
diff --git a/tools/gcc/size_overflow_plugin/size_overflow_transform_core.c b/tools/gcc/size_overflow_plugin/size_overflow_transform_core.c
new file mode 100644
-index 0000000..8a30b3b
+index 0000000..2ab3b9e
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow_transform_core.c
-@@ -0,0 +1,1010 @@
+@@ -0,0 +1,1015 @@
+/*
+ * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
+ * Licensed under the GPL v2, or (at your option) v3
@@ -177945,6 +178092,11 @@ index 0000000..8a30b3b
+ if (TREE_CODE_CLASS(gimple_assign_rhs_code(def_stmt)) == tcc_comparison)
+ return handle_comparison_code_class(visited, expand_from, def_stmt, new_rhs1, new_rhs2);
+
++ if (uconst_neg_intentional_overflow(visited, def_stmt)) {
++ inform(gimple_location(def_stmt), "%s: gcc intentional overflow", __func__);
++ gcc_unreachable();
++ }
++
+ return dup_assign(visited, def_stmt, lhs, new_rhs1, new_rhs2, NULL_TREE);
+}
+
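Review bot: The added block turns a positive uconst_neg_intentional_overflow() match into `gcc_unreachable()`, i.e. an internal compiler error right after the `inform()` note, and nothing says whether this is an assertion that the pattern was already consumed earlier in the pass or a deliberate way to break the build so such expressions get rewritten by hand (as fs/cifs/file.c and fs/gfs2/file.c are in this same patch). A comment stating the intent would help, e.g. `/* the kernel side is rewritten to avoid this shape; reaching it here is a plugin bug */`, and if rejection is the goal, `error_at()` reports it without an ICE. The enclosing function starts outside the hunk.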