Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212271948.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212151417.patch)440
-rw-r--r--3.2.35/0000_README6
-rw-r--r--3.2.35/4420_grsecurity-2.9.1-3.2.35-201212271951.patch (renamed from 3.2.35/4420_grsecurity-2.9.1-3.2.35-201212151420.patch)425
-rw-r--r--3.2.35/4425_grsec_remove_EI_PAX.patch19
-rw-r--r--3.7.1/0000_README6
-rw-r--r--3.7.1/4420_grsecurity-2.9.1-3.7.1-201212271953.patch (renamed from 3.7.1/4420_grsecurity-2.9.1-3.7.1-201212171734.patch)284
7 files changed, 1104 insertions, 78 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 118ed93..bfc0147 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.59
-Patch: 4420_grsecurity-2.9.1-2.6.32.60-201212151417.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.60-201212271948.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212151417.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212271948.patch
index 182c7b6..ebf3a53 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212151417.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212271948.patch
@@ -229,6 +229,22 @@ index 14c7fb0..0f7d099 100644
pcbit= [HW,ISDN]
pcd. [PARIDE]
+diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
+index fbe427a..195ff43 100644
+--- a/Documentation/networking/ip-sysctl.txt
++++ b/Documentation/networking/ip-sysctl.txt
+@@ -479,6 +479,11 @@ tcp_dma_copybreak - INTEGER
+ and CONFIG_NET_DMA is enabled.
+ Default: 4096
+
++tcp_challenge_ack_limit - INTEGER
++ Limits number of Challenge ACK sent per second, as recommended
++ in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks)
++ Default: 100
++
+ UDP variables:
+
+ udp_mem - vector of 3 INTEGERs: min, pressure, max
diff --git a/MAINTAINERS b/MAINTAINERS
index 334258c..1e8f4ff 100644
--- a/MAINTAINERS
@@ -42636,7 +42652,7 @@ index 62f282e..e45c45c 100644
cdev_init(&ptmx_cdev, &ptmx_fops);
if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
diff --git a/drivers/char/random.c b/drivers/char/random.c
-index 446b20a..8657325 100644
+index 446b20a..d0e60f5 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -269,8 +269,13 @@
@@ -42671,7 +42687,15 @@ index 446b20a..8657325 100644
#if 0
/* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
{ 2048, 1638, 1231, 819, 411, 1 },
-@@ -524,8 +536,8 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
+@@ -434,6 +446,7 @@ struct entropy_store {
+ int entropy_count;
+ int entropy_total;
+ unsigned int initialized:1;
++ bool last_data_init;
+ __u8 last_data[EXTRACT_SIZE];
+ };
+
+@@ -524,8 +537,8 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
input_rotate += i ? 7 : 14;
}
@@ -42682,7 +42706,7 @@ index 446b20a..8657325 100644
smp_wmb();
if (out)
-@@ -784,6 +796,17 @@ void add_disk_randomness(struct gendisk *disk)
+@@ -784,6 +797,17 @@ void add_disk_randomness(struct gendisk *disk)
}
#endif
@@ -42700,7 +42724,36 @@ index 446b20a..8657325 100644
/*********************************************************************
*
* Entropy extraction routines
-@@ -1015,7 +1038,21 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+@@ -942,6 +966,10 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ ssize_t ret = 0, i;
+ __u8 tmp[EXTRACT_SIZE];
+
++ /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
++ if (fips_enabled && !r->last_data_init)
++ nbytes += EXTRACT_SIZE;
++
+ xfer_secondary_pool(r, nbytes);
+ nbytes = account(r, nbytes, min, reserved);
+
+@@ -951,6 +979,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ if (fips_enabled) {
+ unsigned long flags;
+
++
++ /* prime last_data value if need be, per fips 140-2 */
++ if (!r->last_data_init) {
++ spin_lock_irqsave(&r->lock, flags);
++ memcpy(r->last_data, tmp, EXTRACT_SIZE);
++ r->last_data_init = true;
++ nbytes -= EXTRACT_SIZE;
++ spin_unlock_irqrestore(&r->lock, flags);
++ extract_buf(r, tmp);
++ }
++
+ spin_lock_irqsave(&r->lock, flags);
+ if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
+ panic("Hardware RNG duplicated output!\n");
+@@ -1015,7 +1054,21 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
*/
void get_random_bytes(void *buf, int nbytes)
{
@@ -42723,7 +42776,15 @@ index 446b20a..8657325 100644
}
EXPORT_SYMBOL(get_random_bytes);
-@@ -1322,7 +1359,7 @@ EXPORT_SYMBOL(generate_random_uuid);
+@@ -1068,6 +1121,7 @@ static void init_std_data(struct entropy_store *r)
+
+ r->entropy_count = 0;
+ r->entropy_total = 0;
++ r->last_data_init = false;
+ mix_pool_bytes(r, &now, sizeof(now), NULL);
+ for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) {
+ if (!arch_get_random_long(&rv))
+@@ -1322,7 +1376,7 @@ EXPORT_SYMBOL(generate_random_uuid);
#include <linux/sysctl.h>
static int min_read_thresh = 8, min_write_thresh;
@@ -42732,7 +42793,7 @@ index 446b20a..8657325 100644
static int max_write_thresh = INPUT_POOL_WORDS * 32;
static char sysctl_bootid[16];
-@@ -1397,6 +1434,7 @@ static int uuid_strategy(ctl_table *table,
+@@ -1397,6 +1451,7 @@ static int uuid_strategy(ctl_table *table,
}
static int sysctl_poolsize = INPUT_POOL_WORDS * 32;
@@ -42740,7 +42801,7 @@ index 446b20a..8657325 100644
ctl_table random_table[] = {
{
.ctl_name = RANDOM_POOLSIZE,
-@@ -1472,7 +1510,7 @@ late_initcall(random_int_secret_init);
+@@ -1472,7 +1527,7 @@ late_initcall(random_int_secret_init);
* value is not cryptographically secure but for several uses the cost of
* depleting entropy is too high
*/
@@ -74396,7 +74457,7 @@ index b4ea829..e63ef18 100644
}
diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c
-index 136a0d6..cdff021 100644
+index 136a0d6..3330341 100644
--- a/fs/autofs4/waitq.c
+++ b/fs/autofs4/waitq.c
@@ -60,7 +60,7 @@ static int autofs4_write(struct file *file, const void *addr, int bytes)
@@ -74425,7 +74486,7 @@ index 136a0d6..cdff021 100644
if (IS_ROOT(dentry) && autofs_type_trigger(sbi->type))
+#ifdef CONFIG_GRKERNSEC_HIDESYM
+ /* this name does get written to userland via autofs4_write() */
-+ qstr.len = sprintf(name, "%08lx", atomic_inc_return_unchecked(&autofs_dummy_name_id));
++ qstr.len = sprintf(name, "%08x", atomic_inc_return_unchecked(&autofs_dummy_name_id));
+#else
qstr.len = sprintf(name, "%p", dentry);
+#endif
@@ -77839,6 +77900,18 @@ index 2a60541..7439d61 100644
sb->s_dirt = 1;
}
}
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index efe6363..f9e1b6e 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -2179,6 +2179,7 @@ static void ext4_da_block_invalidatepages(struct mpage_da_data *mpd,
+ index = logical >> (PAGE_CACHE_SHIFT - inode->i_blkbits);
+ end = (logical + blk_cnt - 1) >>
+ (PAGE_CACHE_SHIFT - inode->i_blkbits);
++ pagevec_init(&pvec, 0);
+ while (index <= end) {
+ nr_pages = pagevec_lookup(&pvec, mapping, index, PAGEVEC_SIZE);
+ if (nr_pages == 0)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 42bac1b..0aab9d8 100644
--- a/fs/ext4/mballoc.c
@@ -80110,7 +80183,7 @@ index ec88ff3..b843a82 100644
cache->c_bucket_bits = bucket_bits;
#ifdef MB_CACHE_INDEXES_COUNT
diff --git a/fs/namei.c b/fs/namei.c
-index b0afbd4..78b0f63 100644
+index b0afbd4..2b96439 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -224,6 +224,14 @@ int generic_permission(struct inode *inode, int mask,
@@ -80240,7 +80313,7 @@ index b0afbd4..78b0f63 100644
+ if (unlikely(name[0] == '.')) {
+ if (len < 2 || (len == 2 && name[1] == '.'))
-+ return ERR_PTR(-EACCES);
++ return -EACCES;
+ }
+
hash = init_name_hash();
@@ -82917,6 +82990,19 @@ index 8f5c05d..c99c76d 100644
}
seq_putc(m, '\n');
+diff --git a/fs/read_write.c b/fs/read_write.c
+index b7f4a1f..d40066d 100644
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -860,6 +860,8 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
+ if (retval > 0) {
+ add_rchar(current, retval);
+ add_wchar(current, retval);
++ fsnotify_access(in_file->f_path.dentry);
++ fsnotify_modify(out_file->f_path.dentry);
+ }
+
+ inc_syscr(current);
diff --git a/fs/readdir.c b/fs/readdir.c
index 7723401..30059a6 100644
--- a/fs/readdir.c
@@ -83952,7 +84038,7 @@ index e89734e..5e84d8d 100644
return 0;
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..5012f34
+index 0000000..7efd211
--- /dev/null
+++ b/grsecurity/Kconfig
@@ -0,0 +1,946 @@
@@ -84603,7 +84689,7 @@ index 0000000..5012f34
+ default y if GRKERNSEC_CONFIG_AUTO
+ help
+ If you say Y here, non-root users will not be able to use dmesg(8)
-+ to view up to the last 4kb of messages in the kernel's log buffer.
++ to view the contents of the kernel's circular log buffer.
+ The kernel's log buffer often contains kernel addresses and other
+ identifying information useful to an attacker in fingerprinting a
+ system for a targeted exploit.
@@ -98283,6 +98369,34 @@ index 5171639..7cf4235 100644
/** create a directory */
struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
+diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h
+index 6b202b1..f451772 100644
+--- a/include/linux/page-flags.h
++++ b/include/linux/page-flags.h
+@@ -362,7 +362,7 @@ static inline int PageCompound(struct page *page)
+ * pages on the LRU and/or pagecache.
+ */
+ TESTPAGEFLAG(Compound, compound)
+-__PAGEFLAG(Head, compound)
++__SETPAGEFLAG(Head, compound) __CLEARPAGEFLAG(Head, compound)
+
+ /*
+ * PG_reclaim is used in combination with PG_compound to mark the
+@@ -374,8 +374,14 @@ __PAGEFLAG(Head, compound)
+ * PG_compound & PG_reclaim => Tail page
+ * PG_compound & ~PG_reclaim => Head page
+ */
++#define PG_head_mask ((1L << PG_compound))
+ #define PG_head_tail_mask ((1L << PG_compound) | (1L << PG_reclaim))
+
++static inline int PageHead(struct page *page)
++{
++ return ((page->flags & PG_head_tail_mask) == PG_head_mask);
++}
++
+ static inline int PageTail(struct page *page)
+ {
+ return ((page->flags & PG_head_tail_mask) == PG_head_tail_mask);
diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
index 3c62ed4..8924c7c 100644
--- a/include/linux/pagemap.h
@@ -98464,7 +98578,7 @@ index 7456d7d..6c1cfc9 100644
static inline int ptrace_reparented(struct task_struct *child)
{
diff --git a/include/linux/random.h b/include/linux/random.h
-index 1864957..e98160a 100644
+index 1864957..b2ba8bf 100644
--- a/include/linux/random.h
+++ b/include/linux/random.h
@@ -49,6 +49,10 @@ extern void add_input_randomness(unsigned int type, unsigned int code,
@@ -98478,7 +98592,7 @@ index 1864957..e98160a 100644
extern void get_random_bytes(void *buf, int nbytes);
extern void get_random_bytes_arch(void *buf, int nbytes);
void generate_random_uuid(unsigned char uuid_out[16]);
-@@ -76,6 +80,24 @@ static inline int arch_get_random_int(unsigned int *v)
+@@ -76,6 +80,11 @@ static inline int arch_get_random_int(unsigned int *v)
}
#endif
@@ -98487,19 +98601,6 @@ index 1864957..e98160a 100644
+ return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
+}
+
-+#ifdef CONFIG_ARCH_RANDOM
-+# include <asm/archrandom.h>
-+#else
-+static inline int arch_get_random_long(unsigned long *v)
-+{
-+ return 0;
-+}
-+static inline int arch_get_random_int(unsigned int *v)
-+{
-+ return 0;
-+}
-+#endif
-+
#endif /* __KERNEL___ */
#endif /* _LINUX_RANDOM_H */
@@ -99331,6 +99432,27 @@ index 5ad70a6..108e1dc 100644
void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node);
#ifdef CONFIG_KMEMTRACE
+diff --git a/include/linux/snmp.h b/include/linux/snmp.h
+index 0f953fe..05d45da 100644
+--- a/include/linux/snmp.h
++++ b/include/linux/snmp.h
+@@ -208,7 +208,6 @@ enum
+ LINUX_MIB_TCPDSACKOFOSENT, /* TCPDSACKOfoSent */
+ LINUX_MIB_TCPDSACKRECV, /* TCPDSACKRecv */
+ LINUX_MIB_TCPDSACKOFORECV, /* TCPDSACKOfoRecv */
+- LINUX_MIB_TCPABORTONSYN, /* TCPAbortOnSyn */
+ LINUX_MIB_TCPABORTONDATA, /* TCPAbortOnData */
+ LINUX_MIB_TCPABORTONCLOSE, /* TCPAbortOnClose */
+ LINUX_MIB_TCPABORTONMEMORY, /* TCPAbortOnMemory */
+@@ -225,6 +224,8 @@ enum
+ LINUX_MIB_SACKSHIFTED,
+ LINUX_MIB_SACKMERGED,
+ LINUX_MIB_SACKSHIFTFALLBACK,
++ LINUX_MIB_TCPCHALLENGEACK, /* TCPChallengeACK */
++ LINUX_MIB_TCPSYNCHALLENGE, /* TCPSYNChallenge */
+ __LINUX_MIB_MAX
+ };
+
diff --git a/include/linux/sonet.h b/include/linux/sonet.h
index 67ad11f..0bbd8af 100644
--- a/include/linux/sonet.h
@@ -100299,10 +100421,18 @@ index 78adf52..32bb160 100644
static inline struct page *sk_stream_alloc_page(struct sock *sk)
{
diff --git a/include/net/tcp.h b/include/net/tcp.h
-index 6cfe18b..a0d06df 100644
+index 6cfe18b..24c05d6 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
-@@ -483,7 +483,7 @@ extern void tcp_retransmit_timer(struct sock *sk);
+@@ -237,6 +237,7 @@ extern int sysctl_tcp_base_mss;
+ extern int sysctl_tcp_workaround_signed_windows;
+ extern int sysctl_tcp_slow_start_after_idle;
+ extern int sysctl_tcp_max_ssthresh;
++extern int sysctl_tcp_challenge_ack_limit;
+
+ extern atomic_t tcp_memory_allocated;
+ extern struct percpu_counter tcp_sockets_allocated;
+@@ -483,7 +484,7 @@ extern void tcp_retransmit_timer(struct sock *sk);
extern void tcp_xmit_retransmit_queue(struct sock *);
extern void tcp_simple_retransmit(struct sock *);
extern int tcp_trim_head(struct sock *, struct sk_buff *, u32);
@@ -100311,7 +100441,7 @@ index 6cfe18b..a0d06df 100644
extern void tcp_send_probe0(struct sock *);
extern void tcp_send_partial(struct sock *);
-@@ -632,8 +632,8 @@ struct tcp_skb_cb {
+@@ -632,8 +633,8 @@ struct tcp_skb_cb {
struct inet6_skb_parm h6;
#endif
} header; /* For incoming frames */
@@ -100322,7 +100452,7 @@ index 6cfe18b..a0d06df 100644
__u32 when; /* used to compute rtt's */
__u8 flags; /* TCP header flags. */
-@@ -658,7 +658,7 @@ struct tcp_skb_cb {
+@@ -658,7 +659,7 @@ struct tcp_skb_cb {
#define TCPCB_EVER_RETRANS 0x80 /* Ever retransmitted frame */
#define TCPCB_RETRANS (TCPCB_SACKED_RETRANS|TCPCB_EVER_RETRANS)
@@ -100331,7 +100461,7 @@ index 6cfe18b..a0d06df 100644
};
#define TCP_SKB_CB(__skb) ((struct tcp_skb_cb *)&((__skb)->cb[0]))
-@@ -1444,8 +1444,8 @@ enum tcp_seq_states {
+@@ -1444,8 +1445,8 @@ enum tcp_seq_states {
struct tcp_seq_afinfo {
char *name;
sa_family_t family;
@@ -104383,10 +104513,10 @@ index fce7198..4f23a7e 100644
{
struct pid *pid;
diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c
-index 5c9dc22..d271117 100644
+index 5c9dc22..7652dca 100644
--- a/kernel/posix-cpu-timers.c
+++ b/kernel/posix-cpu-timers.c
-@@ -6,6 +6,7 @@
+@@ -6,9 +6,11 @@
#include <linux/posix-timers.h>
#include <linux/errno.h>
#include <linux/math64.h>
@@ -104394,7 +104524,20 @@ index 5c9dc22..d271117 100644
#include <asm/uaccess.h>
#include <linux/kernel_stat.h>
#include <trace/events/timer.h>
-@@ -1697,7 +1698,7 @@ static long thread_cpu_nsleep_restart(struct restart_block *restart_block)
++#include <linux/random.h>
+
+ /*
+ * Called after updating RLIMIT_CPU to set timer expiration if necessary.
+@@ -516,6 +518,8 @@ static void cleanup_timers(struct list_head *head,
+ */
+ void posix_cpu_timers_exit(struct task_struct *tsk)
+ {
++ add_device_randomness((const void*) &tsk->se.sum_exec_runtime,
++ sizeof(unsigned long long));
+ cleanup_timers(tsk->cpu_timers,
+ tsk->utime, tsk->stime, tsk->se.sum_exec_runtime);
+
+@@ -1697,7 +1701,7 @@ static long thread_cpu_nsleep_restart(struct restart_block *restart_block)
static __init int init_posix_cpu_timers(void)
{
@@ -104403,7 +104546,7 @@ index 5c9dc22..d271117 100644
.clock_getres = process_cpu_clock_getres,
.clock_get = process_cpu_clock_get,
.clock_set = do_posix_clock_nosettime,
-@@ -1705,7 +1706,7 @@ static __init int init_posix_cpu_timers(void)
+@@ -1705,7 +1709,7 @@ static __init int init_posix_cpu_timers(void)
.nsleep = process_cpu_nsleep,
.nsleep_restart = process_cpu_nsleep_restart,
};
@@ -112912,6 +113055,27 @@ index 0606db1..2f32531 100644
break;
case IPT_SO_GET_ENTRIES:
+diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
+index f25542c..5a0b902 100644
+--- a/net/ipv4/proc.c
++++ b/net/ipv4/proc.c
+@@ -232,7 +232,6 @@ static const struct snmp_mib snmp4_net_list[] = {
+ SNMP_MIB_ITEM("TCPDSACKOfoSent", LINUX_MIB_TCPDSACKOFOSENT),
+ SNMP_MIB_ITEM("TCPDSACKRecv", LINUX_MIB_TCPDSACKRECV),
+ SNMP_MIB_ITEM("TCPDSACKOfoRecv", LINUX_MIB_TCPDSACKOFORECV),
+- SNMP_MIB_ITEM("TCPAbortOnSyn", LINUX_MIB_TCPABORTONSYN),
+ SNMP_MIB_ITEM("TCPAbortOnData", LINUX_MIB_TCPABORTONDATA),
+ SNMP_MIB_ITEM("TCPAbortOnClose", LINUX_MIB_TCPABORTONCLOSE),
+ SNMP_MIB_ITEM("TCPAbortOnMemory", LINUX_MIB_TCPABORTONMEMORY),
+@@ -249,6 +248,8 @@ static const struct snmp_mib snmp4_net_list[] = {
+ SNMP_MIB_ITEM("TCPSackShifted", LINUX_MIB_SACKSHIFTED),
+ SNMP_MIB_ITEM("TCPSackMerged", LINUX_MIB_SACKMERGED),
+ SNMP_MIB_ITEM("TCPSackShiftFallback", LINUX_MIB_SACKSHIFTFALLBACK),
++ SNMP_MIB_ITEM("TCPChallengeACK", LINUX_MIB_TCPCHALLENGEACK),
++ SNMP_MIB_ITEM("TCPSYNChallenge", LINUX_MIB_TCPSYNCHALLENGE),
+ SNMP_MIB_SENTINEL
+ };
+
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index ab996f9..3da5f96 100644
--- a/net/ipv4/raw.c
@@ -113017,6 +113181,24 @@ index 58f141b..b759702 100644
(int) ((num_physpages ^ (num_physpages>>8)) ^
(jiffies ^ (jiffies >> 7))));
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 2dcf04d..4656638 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -638,6 +638,13 @@ static struct ctl_table ipv4_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_dointvec
+ },
++ {
++ .procname = "tcp_challenge_ack_limit",
++ .data = &sysctl_tcp_challenge_ack_limit,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec
++ },
+ #ifdef CONFIG_NET_DMA
+ {
+ .ctl_name = NET_TCP_DMA_COPYBREAK,
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index b9644d8..537313b 100644
--- a/net/ipv4/tcp.c
@@ -113061,10 +113243,61 @@ index 1eba160b..c35d91f 100644
}
}
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index db755c4..04481e4 100644
+index db755c4..fbca78e 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
-@@ -4528,7 +4528,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
+@@ -82,6 +82,9 @@ int sysctl_tcp_dsack __read_mostly = 1;
+ int sysctl_tcp_app_win __read_mostly = 31;
+ int sysctl_tcp_adv_win_scale __read_mostly = 2;
+
++/* rfc5961 challenge ack rate limiting */
++int sysctl_tcp_challenge_ack_limit = 100;
++
+ int sysctl_tcp_stdurg __read_mostly;
+ int sysctl_tcp_rfc1337 __read_mostly;
+ int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
+@@ -3564,6 +3567,24 @@ static int tcp_process_frto(struct sock *sk, int flag)
+ return 0;
+ }
+
++/* RFC 5961 7 [ACK Throttling] */
++static void tcp_send_challenge_ack(struct sock *sk)
++{
++ /* unprotected vars, we dont care of overwrites */
++ static u32 challenge_timestamp;
++ static unsigned int challenge_count;
++ u32 now = jiffies / HZ;
++
++ if (now != challenge_timestamp) {
++ challenge_timestamp = now;
++ challenge_count = 0;
++ }
++ if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
++ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
++ tcp_send_ack(sk);
++ }
++}
++
+ /* This routine deals with incoming acks, but not outgoing ones. */
+ static int tcp_ack(struct sock *sk, struct sk_buff *skb, int flag)
+ {
+@@ -3580,8 +3601,14 @@ static int tcp_ack(struct sock *sk, struct sk_buff *skb, int flag)
+ /* If the ack is older than previous acks
+ * then we can probably ignore it.
+ */
+- if (before(ack, prior_snd_una))
++ if (before(ack, prior_snd_una)) {
++ /* RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation] */
++ if (before(ack, prior_snd_una - tp->max_window)) {
++ tcp_send_challenge_ack(sk);
++ return -1;
++ }
+ goto old_ack;
++ }
+
+ /* If the ack includes data we haven't sent yet, discard
+ * this segment (RFC793 Section 3.9).
+@@ -4528,7 +4555,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
* simplifies code)
*/
static void
@@ -113073,7 +113306,105 @@ index db755c4..04481e4 100644
struct sk_buff *head, struct sk_buff *tail,
u32 start, u32 end)
{
-@@ -5634,7 +5634,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+@@ -5069,8 +5096,8 @@ out:
+ /* Does PAWS and seqno based validation of an incoming segment, flags will
+ * play significant role here.
+ */
+-static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
+- struct tcphdr *th, int syn_inerr)
++static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
++ const struct tcphdr *th, int syn_inerr)
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
+
+@@ -5100,7 +5127,16 @@ static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
+
+ /* Step 2: check RST bit */
+ if (th->rst) {
+- tcp_reset(sk);
++ /* RFC 5961 3.2 :
++ * If sequence number exactly matches RCV.NXT, then
++ * RESET the connection
++ * else
++ * Send a challenge ACK
++ */
++ if (TCP_SKB_CB(skb)->seq == tp->rcv_nxt)
++ tcp_reset(sk);
++ else
++ tcp_send_challenge_ack(sk);
+ goto discard;
+ }
+
+@@ -5111,20 +5147,22 @@ static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
+
+ /* step 3: check security and precedence [ignored] */
+
+- /* step 4: Check for a SYN in window. */
+- if (th->syn && !before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt)) {
++ /* step 4: Check for a SYN
++ * RFC 5691 4.2 : Send a challenge ack
++ */
++ if (th->syn) {
+ if (syn_inerr)
+ TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_INERRS);
+- NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPABORTONSYN);
+- tcp_reset(sk);
+- return -1;
++ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPSYNCHALLENGE);
++ tcp_send_challenge_ack(sk);
++ goto discard;
+ }
+
+- return 1;
++ return true;
+
+ discard:
+ __kfree_skb(skb);
+- return 0;
++ return false;
+ }
+
+ /*
+@@ -5154,7 +5192,6 @@ int tcp_rcv_established(struct sock *sk, struct sk_buff *skb,
+ struct tcphdr *th, unsigned len)
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
+- int res;
+
+ /*
+ * Header prediction.
+@@ -5330,16 +5367,18 @@ slow_path:
+ if (len < (th->doff << 2) || tcp_checksum_complete_user(sk, skb))
+ goto csum_error;
+
++ if (!th->ack)
++ goto discard;
++
+ /*
+ * Standard slow path.
+ */
+
+- res = tcp_validate_incoming(sk, skb, th, 1);
+- if (res <= 0)
+- return -res;
++ if (!tcp_validate_incoming(sk, skb, th, 1))
++ return 0;
+
+ step5:
+- if (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
++ if (tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
+ goto discard;
+
+ tcp_rcv_rtt_measure_ts(sk, skb);
+@@ -5618,7 +5657,6 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ int queued = 0;
+- int res;
+
+ tp->rx_opt.saw_tstamp = 0;
+
+@@ -5634,7 +5672,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
goto discard;
if (th->syn) {
@@ -113082,6 +113413,35 @@ index db755c4..04481e4 100644
goto discard;
if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
return 1;
+@@ -5673,12 +5711,14 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ return 0;
+ }
+
+- res = tcp_validate_incoming(sk, skb, th, 0);
+- if (res <= 0)
+- return -res;
++ if (!th->ack)
++ goto discard;
++
++ if (!tcp_validate_incoming(sk, skb, th, 0))
++ return 0;
+
+ /* step 5: check the ACK field */
+- if (th->ack) {
++ if (true) {
+ int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH) > 0;
+
+ switch (sk->sk_state) {
+@@ -5789,8 +5829,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ }
+ break;
+ }
+- } else
+- goto discard;
++ }
+
+ /* step 6: check the URG bit */
+ tcp_urg(sk, skb, th);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 6a4e832..7eb316b 100644
--- a/net/ipv4/tcp_ipv4.c
diff --git a/3.2.35/0000_README b/3.2.35/0000_README
index 293283e..a99f868 100644
--- a/3.2.35/0000_README
+++ b/3.2.35/0000_README
@@ -58,10 +58,14 @@ Patch: 1034_linux-3.2.35.patch
From: http://www.kernel.org
Desc: Linux 3.2.35
-Patch: 4420_grsecurity-2.9.1-3.2.35-201212151420.patch
+Patch: 4420_grsecurity-2.9.1-3.2.35-201212271951.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
+Patch: 4425_grsec_remove_EI_PAX.patch
+From: Anthony G. Basile <blueness@gentoo.org>
+Desc: Remove EI_PAX option and force off
+
Patch: 4430_grsec-remove-localversion-grsec.patch
From: Kerin Millar <kerframil@gmail.com>
Desc: Removes grsecurity's localversion-grsec file
diff --git a/3.2.35/4420_grsecurity-2.9.1-3.2.35-201212151420.patch b/3.2.35/4420_grsecurity-2.9.1-3.2.35-201212271951.patch
index 865521c..7f795bd 100644
--- a/3.2.35/4420_grsecurity-2.9.1-3.2.35-201212151420.patch
+++ b/3.2.35/4420_grsecurity-2.9.1-3.2.35-201212271951.patch
@@ -221,6 +221,22 @@ index 81c287f..8c5ad74 100644
pcbit= [HW,ISDN]
pcd. [PARIDE]
+diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
+index a4399f5..3b979c6 100644
+--- a/Documentation/networking/ip-sysctl.txt
++++ b/Documentation/networking/ip-sysctl.txt
+@@ -524,6 +524,11 @@ tcp_thin_dupack - BOOLEAN
+ Documentation/networking/tcp-thin.txt
+ Default: 0
+
++tcp_challenge_ack_limit - INTEGER
++ Limits number of Challenge ACK sent per second, as recommended
++ in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks)
++ Default: 100
++
+ UDP variables:
+
+ udp_mem - vector of 3 INTEGERs: min, pressure, max
diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt
index 88fd7f5..b318a78 100644
--- a/Documentation/sysctl/fs.txt
@@ -30430,7 +30446,7 @@ index da3cfee..a5a6606 100644
*ppos = i;
diff --git a/drivers/char/random.c b/drivers/char/random.c
-index 8ae9235..1f76227 100644
+index 8ae9235..0cbaf55 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -269,8 +269,13 @@
@@ -30465,7 +30481,15 @@ index 8ae9235..1f76227 100644
#if 0
/* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
{ 2048, 1638, 1231, 819, 411, 1 },
-@@ -524,8 +536,8 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
+@@ -434,6 +446,7 @@ struct entropy_store {
+ int entropy_count;
+ int entropy_total;
+ unsigned int initialized:1;
++ bool last_data_init;
+ __u8 last_data[EXTRACT_SIZE];
+ };
+
+@@ -524,8 +537,8 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
input_rotate += i ? 7 : 14;
}
@@ -30476,7 +30500,7 @@ index 8ae9235..1f76227 100644
smp_wmb();
if (out)
-@@ -821,6 +833,17 @@ void add_disk_randomness(struct gendisk *disk)
+@@ -821,6 +834,17 @@ void add_disk_randomness(struct gendisk *disk)
}
#endif
@@ -30494,7 +30518,36 @@ index 8ae9235..1f76227 100644
/*********************************************************************
*
* Entropy extraction routines
-@@ -1028,7 +1051,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+@@ -979,6 +1003,10 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ ssize_t ret = 0, i;
+ __u8 tmp[EXTRACT_SIZE];
+
++ /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
++ if (fips_enabled && !r->last_data_init)
++ nbytes += EXTRACT_SIZE;
++
+ xfer_secondary_pool(r, nbytes);
+ nbytes = account(r, nbytes, min, reserved);
+
+@@ -988,6 +1016,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ if (fips_enabled) {
+ unsigned long flags;
+
++
++ /* prime last_data value if need be, per fips 140-2 */
++ if (!r->last_data_init) {
++ spin_lock_irqsave(&r->lock, flags);
++ memcpy(r->last_data, tmp, EXTRACT_SIZE);
++ r->last_data_init = true;
++ nbytes -= EXTRACT_SIZE;
++ spin_unlock_irqrestore(&r->lock, flags);
++ extract_buf(r, tmp);
++ }
++
+ spin_lock_irqsave(&r->lock, flags);
+ if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
+ panic("Hardware RNG duplicated output!\n");
+@@ -1028,7 +1067,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
extract_buf(r, tmp);
i = min_t(int, nbytes, EXTRACT_SIZE);
@@ -30503,7 +30556,15 @@ index 8ae9235..1f76227 100644
ret = -EFAULT;
break;
}
-@@ -1379,7 +1402,7 @@ EXPORT_SYMBOL(generate_random_uuid);
+@@ -1105,6 +1144,7 @@ static void init_std_data(struct entropy_store *r)
+
+ r->entropy_count = 0;
+ r->entropy_total = 0;
++ r->last_data_init = false;
+ mix_pool_bytes(r, &now, sizeof(now), NULL);
+ for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) {
+ if (!arch_get_random_long(&rv))
+@@ -1379,7 +1419,7 @@ EXPORT_SYMBOL(generate_random_uuid);
#include <linux/sysctl.h>
static int min_read_thresh = 8, min_write_thresh;
@@ -43589,7 +43650,7 @@ index b8f55c4..4c2b80c 100644
goto out_sig;
if (offset > inode->i_sb->s_maxbytes)
diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c
-index e1fbdee..87eb5fc 100644
+index e1fbdee..69291a4 100644
--- a/fs/autofs4/waitq.c
+++ b/fs/autofs4/waitq.c
@@ -60,7 +60,7 @@ static int autofs4_write(struct file *file, const void *addr, int bytes)
@@ -43618,7 +43679,7 @@ index e1fbdee..87eb5fc 100644
if (IS_ROOT(dentry) && autofs_type_trigger(sbi->type))
+#ifdef CONFIG_GRKERNSEC_HIDESYM
+ /* this name does get written to userland via autofs4_write() */
-+ qstr.len = sprintf(name, "%08lx", atomic_inc_return_unchecked(&autofs_dummy_name_id));
++ qstr.len = sprintf(name, "%08x", atomic_inc_return_unchecked(&autofs_dummy_name_id));
+#else
qstr.len = sprintf(name, "%p", dentry);
+#endif
@@ -46631,6 +46692,18 @@ index 8cb184c..09ff6c4 100644
atomic_t s_lock_busy;
/* locality groups */
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index bac2330..8424dda 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1422,6 +1422,7 @@ static void ext4_da_block_invalidatepages(struct mpage_da_data *mpd)
+
+ index = mpd->first_page;
+ end = mpd->next_page - 1;
++ pagevec_init(&pvec, 0);
+ while (index <= end) {
+ nr_pages = pagevec_lookup(&pvec, mapping, index, PAGEVEC_SIZE);
+ if (nr_pages == 0)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 1d07c12..9965aec 100644
--- a/fs/ext4/mballoc.c
@@ -46748,6 +46821,18 @@ index 1d07c12..9965aec 100644
trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
return 0;
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index f8d5fce..c411c11 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3163,7 +3163,6 @@ int ext4_calculate_overhead(struct super_block *sb)
+ ext4_fsblk_t overhead = 0;
+ char *buf = (char *) get_zeroed_page(GFP_KERNEL);
+
+- memset(buf, 0, PAGE_SIZE);
+ if (!buf)
+ return -ENOMEM;
+
diff --git a/fs/fcntl.c b/fs/fcntl.c
index 22764c7..86372c9 100644
--- a/fs/fcntl.c
@@ -51213,6 +51298,19 @@ index d67908b..d13f6a6 100644
&quota_genl_family, 0, QUOTA_NL_C_WARNING);
if (!msg_head) {
printk(KERN_ERR
+diff --git a/fs/read_write.c b/fs/read_write.c
+index 5ad4248..492b277 100644
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -956,6 +956,8 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
+ if (retval > 0) {
+ add_rchar(current, retval);
+ add_wchar(current, retval);
++ fsnotify_access(in_file);
++ fsnotify_modify(out_file);
+ }
+
+ inc_syscr(current);
diff --git a/fs/readdir.c b/fs/readdir.c
index 356f715..c918d38 100644
--- a/fs/readdir.c
@@ -51873,7 +51971,7 @@ index 87323f1..dab9d00 100644
ip = issum ? mp->m_rsumip : mp->m_rbmip;
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..b0d5e22
+index 0000000..70183d8
--- /dev/null
+++ b/grsecurity/Kconfig
@@ -0,0 +1,964 @@
@@ -52542,7 +52640,7 @@ index 0000000..b0d5e22
+ default y if GRKERNSEC_CONFIG_AUTO
+ help
+ If you say Y here, non-root users will not be able to use dmesg(8)
-+ to view up to the last 4kb of messages in the kernel's log buffer.
++ to view the contents of the kernel's circular log buffer.
+ The kernel's log buffer often contains kernel addresses and other
+ identifying information useful to an attacker in fingerprinting a
+ system for a targeted exploit.
@@ -65365,6 +65463,34 @@ index 4633b2f..988bc08 100644
atomic_t reorder_objects;
atomic_t refcnt;
unsigned int max_seq_nr;
+diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h
+index e90a673..8d9b903 100644
+--- a/include/linux/page-flags.h
++++ b/include/linux/page-flags.h
+@@ -360,7 +360,7 @@ static inline void ClearPageCompound(struct page *page)
+ * pages on the LRU and/or pagecache.
+ */
+ TESTPAGEFLAG(Compound, compound)
+-__PAGEFLAG(Head, compound)
++__SETPAGEFLAG(Head, compound) __CLEARPAGEFLAG(Head, compound)
+
+ /*
+ * PG_reclaim is used in combination with PG_compound to mark the
+@@ -372,8 +372,14 @@ __PAGEFLAG(Head, compound)
+ * PG_compound & PG_reclaim => Tail page
+ * PG_compound & ~PG_reclaim => Head page
+ */
++#define PG_head_mask ((1L << PG_compound))
+ #define PG_head_tail_mask ((1L << PG_compound) | (1L << PG_reclaim))
+
++static inline int PageHead(struct page *page)
++{
++ return ((page->flags & PG_head_tail_mask) == PG_head_mask);
++}
++
+ static inline int PageTail(struct page *page)
+ {
+ return ((page->flags & PG_head_tail_mask) == PG_head_tail_mask);
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
index b669be6..8335421 100644
--- a/include/linux/perf_event.h
@@ -66329,6 +66455,27 @@ index a32bcfd..c3991fb 100644
static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
{
if (__builtin_constant_p(size) &&
+diff --git a/include/linux/snmp.h b/include/linux/snmp.h
+index e16557a..64f5ca7 100644
+--- a/include/linux/snmp.h
++++ b/include/linux/snmp.h
+@@ -209,7 +209,6 @@ enum
+ LINUX_MIB_TCPDSACKOFOSENT, /* TCPDSACKOfoSent */
+ LINUX_MIB_TCPDSACKRECV, /* TCPDSACKRecv */
+ LINUX_MIB_TCPDSACKOFORECV, /* TCPDSACKOfoRecv */
+- LINUX_MIB_TCPABORTONSYN, /* TCPAbortOnSyn */
+ LINUX_MIB_TCPABORTONDATA, /* TCPAbortOnData */
+ LINUX_MIB_TCPABORTONCLOSE, /* TCPAbortOnClose */
+ LINUX_MIB_TCPABORTONMEMORY, /* TCPAbortOnMemory */
+@@ -233,6 +232,8 @@ enum
+ LINUX_MIB_TCPTIMEWAITOVERFLOW, /* TCPTimeWaitOverflow */
+ LINUX_MIB_TCPREQQFULLDOCOOKIES, /* TCPReqQFullDoCookies */
+ LINUX_MIB_TCPREQQFULLDROP, /* TCPReqQFullDrop */
++ LINUX_MIB_TCPCHALLENGEACK, /* TCPChallengeACK */
++ LINUX_MIB_TCPSYNCHALLENGE, /* TCPSYNChallenge */
+ __LINUX_MIB_MAX
+ };
+
diff --git a/include/linux/sonet.h b/include/linux/sonet.h
index de8832d..0147b46 100644
--- a/include/linux/sonet.h
@@ -67144,10 +67291,18 @@ index ddf523c..1f06685 100644
static inline struct page *sk_stream_alloc_page(struct sock *sk)
{
diff --git a/include/net/tcp.h b/include/net/tcp.h
-index bb18c4d..27c458f 100644
+index bb18c4d..3a158c4 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
-@@ -469,7 +469,7 @@ extern void tcp_retransmit_timer(struct sock *sk);
+@@ -251,6 +251,7 @@ extern int sysctl_tcp_max_ssthresh;
+ extern int sysctl_tcp_cookie_size;
+ extern int sysctl_tcp_thin_linear_timeouts;
+ extern int sysctl_tcp_thin_dupack;
++extern int sysctl_tcp_challenge_ack_limit;
+
+ extern atomic_long_t tcp_memory_allocated;
+ extern struct percpu_counter tcp_sockets_allocated;
+@@ -469,7 +470,7 @@ extern void tcp_retransmit_timer(struct sock *sk);
extern void tcp_xmit_retransmit_queue(struct sock *);
extern void tcp_simple_retransmit(struct sock *);
extern int tcp_trim_head(struct sock *, struct sk_buff *, u32);
@@ -67156,7 +67311,7 @@ index bb18c4d..27c458f 100644
extern void tcp_send_probe0(struct sock *);
extern void tcp_send_partial(struct sock *);
-@@ -632,8 +632,8 @@ struct tcp_skb_cb {
+@@ -632,8 +633,8 @@ struct tcp_skb_cb {
struct inet6_skb_parm h6;
#endif
} header; /* For incoming frames */
@@ -67167,7 +67322,7 @@ index bb18c4d..27c458f 100644
__u32 when; /* used to compute rtt's */
__u8 tcp_flags; /* TCP header flags. (tcp[13]) */
__u8 sacked; /* State flags for SACK/FACK. */
-@@ -646,7 +646,7 @@ struct tcp_skb_cb {
+@@ -646,7 +647,7 @@ struct tcp_skb_cb {
#define TCPCB_EVER_RETRANS 0x80 /* Ever retransmitted frame */
#define TCPCB_RETRANS (TCPCB_SACKED_RETRANS|TCPCB_EVER_RETRANS)
@@ -67176,7 +67331,7 @@ index bb18c4d..27c458f 100644
};
#define TCP_SKB_CB(__skb) ((struct tcp_skb_cb *)&((__skb)->cb[0]))
-@@ -1409,7 +1409,7 @@ struct tcp_seq_afinfo {
+@@ -1409,7 +1410,7 @@ struct tcp_seq_afinfo {
char *name;
sa_family_t family;
const struct file_operations *seq_fops;
@@ -70752,10 +70907,10 @@ index fa5f722..0c93e57 100644
{
struct pid *pid;
diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c
-index e7cb76d..75eceb3 100644
+index e7cb76d..f396a93 100644
--- a/kernel/posix-cpu-timers.c
+++ b/kernel/posix-cpu-timers.c
-@@ -6,6 +6,7 @@
+@@ -6,9 +6,11 @@
#include <linux/posix-timers.h>
#include <linux/errno.h>
#include <linux/math64.h>
@@ -70763,7 +70918,20 @@ index e7cb76d..75eceb3 100644
#include <asm/uaccess.h>
#include <linux/kernel_stat.h>
#include <trace/events/timer.h>
-@@ -1606,14 +1607,14 @@ struct k_clock clock_posix_cpu = {
++#include <linux/random.h>
+
+ /*
+ * Called after updating RLIMIT_CPU to run cpu timer and update
+@@ -511,6 +513,8 @@ static void cleanup_timers(struct list_head *head,
+ */
+ void posix_cpu_timers_exit(struct task_struct *tsk)
+ {
++ add_device_randomness((const void*) &tsk->se.sum_exec_runtime,
++ sizeof(unsigned long long));
+ cleanup_timers(tsk->cpu_timers,
+ tsk->utime, tsk->stime, tsk->se.sum_exec_runtime);
+
+@@ -1606,14 +1610,14 @@ struct k_clock clock_posix_cpu = {
static __init int init_posix_cpu_timers(void)
{
@@ -79824,6 +79992,27 @@ index 43d4c3b..1914409 100644
}
static int ping_seq_show(struct seq_file *seq, void *v)
+diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
+index 466ea8b..f7fdbe9 100644
+--- a/net/ipv4/proc.c
++++ b/net/ipv4/proc.c
+@@ -233,7 +233,6 @@ static const struct snmp_mib snmp4_net_list[] = {
+ SNMP_MIB_ITEM("TCPDSACKOfoSent", LINUX_MIB_TCPDSACKOFOSENT),
+ SNMP_MIB_ITEM("TCPDSACKRecv", LINUX_MIB_TCPDSACKRECV),
+ SNMP_MIB_ITEM("TCPDSACKOfoRecv", LINUX_MIB_TCPDSACKOFORECV),
+- SNMP_MIB_ITEM("TCPAbortOnSyn", LINUX_MIB_TCPABORTONSYN),
+ SNMP_MIB_ITEM("TCPAbortOnData", LINUX_MIB_TCPABORTONDATA),
+ SNMP_MIB_ITEM("TCPAbortOnClose", LINUX_MIB_TCPABORTONCLOSE),
+ SNMP_MIB_ITEM("TCPAbortOnMemory", LINUX_MIB_TCPABORTONMEMORY),
+@@ -257,6 +256,8 @@ static const struct snmp_mib snmp4_net_list[] = {
+ SNMP_MIB_ITEM("TCPTimeWaitOverflow", LINUX_MIB_TCPTIMEWAITOVERFLOW),
+ SNMP_MIB_ITEM("TCPReqQFullDoCookies", LINUX_MIB_TCPREQQFULLDOCOOKIES),
+ SNMP_MIB_ITEM("TCPReqQFullDrop", LINUX_MIB_TCPREQQFULLDROP),
++ SNMP_MIB_ITEM("TCPChallengeACK", LINUX_MIB_TCPCHALLENGEACK),
++ SNMP_MIB_ITEM("TCPSYNChallenge", LINUX_MIB_TCPSYNCHALLENGE),
+ SNMP_MIB_SENTINEL
+ };
+
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index e1d4f30..d7a97b3 100644
--- a/net/ipv4/raw.c
@@ -79916,11 +80105,80 @@ index 94cdbc5..0cb0063 100644
if (peer->tcp_ts_stamp) {
ts = peer->tcp_ts;
tsage = get_seconds() - peer->tcp_ts_stamp;
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 69fd720..5485077 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -552,6 +552,13 @@ static struct ctl_table ipv4_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_dointvec
+ },
++ {
++ .procname = "tcp_challenge_ack_limit",
++ .data = &sysctl_tcp_challenge_ack_limit,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec
++ },
+ #ifdef CONFIG_NET_DMA
+ {
+ .procname = "tcp_dma_copybreak",
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index a08a621..a1ca37e 100644
+index a08a621..92b6be7 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
-@@ -4700,7 +4700,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
+@@ -86,6 +86,9 @@ int sysctl_tcp_app_win __read_mostly = 31;
+ int sysctl_tcp_adv_win_scale __read_mostly = 1;
+ EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
+
++/* rfc5961 challenge ack rate limiting */
++int sysctl_tcp_challenge_ack_limit = 100;
++
+ int sysctl_tcp_stdurg __read_mostly;
+ int sysctl_tcp_rfc1337 __read_mostly;
+ int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
+@@ -3700,6 +3703,24 @@ static int tcp_process_frto(struct sock *sk, int flag)
+ return 0;
+ }
+
++/* RFC 5961 7 [ACK Throttling] */
++static void tcp_send_challenge_ack(struct sock *sk)
++{
++ /* unprotected vars, we dont care of overwrites */
++ static u32 challenge_timestamp;
++ static unsigned int challenge_count;
++ u32 now = jiffies / HZ;
++
++ if (now != challenge_timestamp) {
++ challenge_timestamp = now;
++ challenge_count = 0;
++ }
++ if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
++ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
++ tcp_send_ack(sk);
++ }
++}
++
+ /* This routine deals with incoming acks, but not outgoing ones. */
+ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
+ {
+@@ -3718,8 +3739,14 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
+ /* If the ack is older than previous acks
+ * then we can probably ignore it.
+ */
+- if (before(ack, prior_snd_una))
++ if (before(ack, prior_snd_una)) {
++ /* RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation] */
++ if (before(ack, prior_snd_una - tp->max_window)) {
++ tcp_send_challenge_ack(sk);
++ return -1;
++ }
+ goto old_ack;
++ }
+
+ /* If the ack includes data we haven't sent yet, discard
+ * this segment (RFC793 Section 3.9).
+@@ -4700,7 +4727,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
* simplifies code)
*/
static void
@@ -79929,7 +80187,105 @@ index a08a621..a1ca37e 100644
struct sk_buff *head, struct sk_buff *tail,
u32 start, u32 end)
{
-@@ -5838,7 +5838,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+@@ -5243,8 +5270,8 @@ out:
+ /* Does PAWS and seqno based validation of an incoming segment, flags will
+ * play significant role here.
+ */
+-static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
+- const struct tcphdr *th, int syn_inerr)
++static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
++ const struct tcphdr *th, int syn_inerr)
+ {
+ const u8 *hash_location;
+ struct tcp_sock *tp = tcp_sk(sk);
+@@ -5276,7 +5303,16 @@ static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
+
+ /* Step 2: check RST bit */
+ if (th->rst) {
+- tcp_reset(sk);
++ /* RFC 5961 3.2 :
++ * If sequence number exactly matches RCV.NXT, then
++ * RESET the connection
++ * else
++ * Send a challenge ACK
++ */
++ if (TCP_SKB_CB(skb)->seq == tp->rcv_nxt)
++ tcp_reset(sk);
++ else
++ tcp_send_challenge_ack(sk);
+ goto discard;
+ }
+
+@@ -5287,20 +5323,22 @@ static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
+
+ /* step 3: check security and precedence [ignored] */
+
+- /* step 4: Check for a SYN in window. */
+- if (th->syn && !before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt)) {
++ /* step 4: Check for a SYN
++ * RFC 5691 4.2 : Send a challenge ack
++ */
++ if (th->syn) {
+ if (syn_inerr)
+ TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_INERRS);
+- NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPABORTONSYN);
+- tcp_reset(sk);
+- return -1;
++ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPSYNCHALLENGE);
++ tcp_send_challenge_ack(sk);
++ goto discard;
+ }
+
+- return 1;
++ return true;
+
+ discard:
+ __kfree_skb(skb);
+- return 0;
++ return false;
+ }
+
+ /*
+@@ -5330,7 +5368,6 @@ int tcp_rcv_established(struct sock *sk, struct sk_buff *skb,
+ const struct tcphdr *th, unsigned int len)
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
+- int res;
+
+ /*
+ * Header prediction.
+@@ -5506,16 +5543,18 @@ slow_path:
+ if (len < (th->doff << 2) || tcp_checksum_complete_user(sk, skb))
+ goto csum_error;
+
++ if (!th->ack)
++ goto discard;
++
+ /*
+ * Standard slow path.
+ */
+
+- res = tcp_validate_incoming(sk, skb, th, 1);
+- if (res <= 0)
+- return -res;
++ if (!tcp_validate_incoming(sk, skb, th, 1))
++ return 0;
+
+ step5:
+- if (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
++ if (tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
+ goto discard;
+
+ tcp_rcv_rtt_measure_ts(sk, skb);
+@@ -5822,7 +5861,6 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ int queued = 0;
+- int res;
+
+ tp->rx_opt.saw_tstamp = 0;
+
+@@ -5838,7 +5876,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
goto discard;
if (th->syn) {
@@ -79938,6 +80294,35 @@ index a08a621..a1ca37e 100644
goto discard;
if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
return 1;
+@@ -5877,12 +5915,14 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ return 0;
+ }
+
+- res = tcp_validate_incoming(sk, skb, th, 0);
+- if (res <= 0)
+- return -res;
++ if (!th->ack)
++ goto discard;
++
++ if (!tcp_validate_incoming(sk, skb, th, 0))
++ return 0;
+
+ /* step 5: check the ACK field */
+- if (th->ack) {
++ if (true) {
+ int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH) > 0;
+
+ switch (sk->sk_state) {
+@@ -5987,8 +6027,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ }
+ break;
+ }
+- } else
+- goto discard;
++ }
+
+ /* step 6: check the URG bit */
+ tcp_urg(sk, skb, th);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 58c09a0..b62df0b 100644
--- a/net/ipv4/tcp_ipv4.c
diff --git a/3.2.35/4425_grsec_remove_EI_PAX.patch b/3.2.35/4425_grsec_remove_EI_PAX.patch
new file mode 100644
index 0000000..97e6951
--- /dev/null
+++ b/3.2.35/4425_grsec_remove_EI_PAX.patch
@@ -0,0 +1,19 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+Deprecate EI_PAX.
+
+X-Gentoo-Bug: 445600
+X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600
+
+diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig
+--- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500
++++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500
+@@ -263,7 +263,7 @@
+
+ config PAX_EI_PAX
+ bool 'Use legacy ELF header marking'
+- default y if GRKERNSEC_CONFIG_AUTO
++ depends on BROKEN
+ help
+ Enabling this option will allow you to control PaX features on
+ a per executable basis via the 'chpax' utility available at
diff --git a/3.7.1/0000_README b/3.7.1/0000_README
index 84caa16..a6b83fa 100644
--- a/3.7.1/0000_README
+++ b/3.7.1/0000_README
@@ -2,10 +2,14 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.7.1-201212171734.patch
+Patch: 4420_grsecurity-2.9.1-3.7.1-201212271953.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
+Patch: 4425_grsec_remove_EI_PAX.patch
+From: Anthony G. Basile <blueness@gentoo.org>
+Desc: Remove EI_PAX option and force off
+
Patch: 4430_grsec-remove-localversion-grsec.patch
From: Kerin Millar <kerframil@gmail.com>
Desc: Removes grsecurity's localversion-grsec file
diff --git a/3.7.1/4420_grsecurity-2.9.1-3.7.1-201212171734.patch b/3.7.1/4420_grsecurity-2.9.1-3.7.1-201212271953.patch
index 18a4557..269fc82 100644
--- a/3.7.1/4420_grsecurity-2.9.1-3.7.1-201212171734.patch
+++ b/3.7.1/4420_grsecurity-2.9.1-3.7.1-201212271953.patch
@@ -1535,7 +1535,7 @@ index 943504f..bf8d667 100644
#endif /* CONFIG_ARM_LPAE */
diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
-index 8477b4c..c651b08 100644
+index 8477b4c..801a6a9 100644
--- a/arch/arm/include/asm/thread_info.h
+++ b/arch/arm/include/asm/thread_info.h
@@ -151,6 +151,12 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
@@ -1559,7 +1559,7 @@ index 8477b4c..c651b08 100644
/* Checks for any syscall work in entry-common.S */
-#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SYSCALL_TRACEPOINT)
-+#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SYSCALL_TRACEPOINT \
++#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SYSCALL_TRACEPOINT | \
+ _TIF_GRSEC_SETXID)
/*
@@ -5056,6 +5056,62 @@ index afeb710..d1d1289 100644
bottomup:
/*
+diff --git a/arch/sparc/crypto/aes_asm.S b/arch/sparc/crypto/aes_asm.S
+index 23f6cbb..1cda8aa 100644
+--- a/arch/sparc/crypto/aes_asm.S
++++ b/arch/sparc/crypto/aes_asm.S
+@@ -1024,7 +1024,11 @@ ENTRY(aes_sparc64_ecb_encrypt_256)
+ add %o2, 0x20, %o2
+ brlz,pt %o3, 11f
+ nop
+-10: ldx [%o1 + 0x00], %g3
++10: ldd [%o0 + 0xd0], %f56
++ ldd [%o0 + 0xd8], %f58
++ ldd [%o0 + 0xe0], %f60
++ ldd [%o0 + 0xe8], %f62
++ ldx [%o1 + 0x00], %g3
+ ldx [%o1 + 0x08], %g7
+ xor %g1, %g3, %g3
+ xor %g2, %g7, %g7
+@@ -1128,9 +1132,9 @@ ENTRY(aes_sparc64_ecb_decrypt_256)
+ /* %o0=&key[key_len], %o1=input, %o2=output, %o3=len */
+ ldx [%o0 - 0x10], %g1
+ subcc %o3, 0x10, %o3
++ ldx [%o0 - 0x08], %g2
+ be 10f
+- ldx [%o0 - 0x08], %g2
+- sub %o0, 0xf0, %o0
++ sub %o0, 0xf0, %o0
+ 1: ldx [%o1 + 0x00], %g3
+ ldx [%o1 + 0x08], %g7
+ ldx [%o1 + 0x10], %o4
+@@ -1154,7 +1158,11 @@ ENTRY(aes_sparc64_ecb_decrypt_256)
+ add %o2, 0x20, %o2
+ brlz,pt %o3, 11f
+ nop
+-10: ldx [%o1 + 0x00], %g3
++10: ldd [%o0 + 0x18], %f56
++ ldd [%o0 + 0x10], %f58
++ ldd [%o0 + 0x08], %f60
++ ldd [%o0 + 0x00], %f62
++ ldx [%o1 + 0x00], %g3
+ ldx [%o1 + 0x08], %g7
+ xor %g1, %g3, %g3
+ xor %g2, %g7, %g7
+@@ -1511,11 +1519,11 @@ ENTRY(aes_sparc64_ctr_crypt_256)
+ add %o2, 0x20, %o2
+ brlz,pt %o3, 11f
+ nop
+- ldd [%o0 + 0xd0], %f56
++10: ldd [%o0 + 0xd0], %f56
+ ldd [%o0 + 0xd8], %f58
+ ldd [%o0 + 0xe0], %f60
+ ldd [%o0 + 0xe8], %f62
+-10: xor %g1, %g3, %o5
++ xor %g1, %g3, %o5
+ MOVXTOD_O5_F0
+ xor %g2, %g7, %o5
+ MOVXTOD_O5_F2
diff --git a/arch/sparc/include/asm/atomic_64.h b/arch/sparc/include/asm/atomic_64.h
index be56a24..443328f 100644
--- a/arch/sparc/include/asm/atomic_64.h
@@ -30260,7 +30316,7 @@ index 21721d2..4e98777 100644
if (cmd != SIOCWANDEV)
diff --git a/drivers/char/random.c b/drivers/char/random.c
-index b86eae9..4192a7a 100644
+index b86eae9..3f539ae 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -272,8 +272,13 @@
@@ -30295,7 +30351,15 @@ index b86eae9..4192a7a 100644
#if 0
/* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
{ 2048, 1638, 1231, 819, 411, 1 },
-@@ -527,8 +539,8 @@ static void _mix_pool_bytes(struct entropy_store *r, const void *in,
+@@ -437,6 +449,7 @@ struct entropy_store {
+ int entropy_count;
+ int entropy_total;
+ unsigned int initialized:1;
++ bool last_data_init;
+ __u8 last_data[EXTRACT_SIZE];
+ };
+
+@@ -527,8 +540,8 @@ static void _mix_pool_bytes(struct entropy_store *r, const void *in,
input_rotate += i ? 7 : 14;
}
@@ -30306,7 +30370,7 @@ index b86eae9..4192a7a 100644
smp_wmb();
if (out)
-@@ -799,6 +811,17 @@ void add_disk_randomness(struct gendisk *disk)
+@@ -799,6 +812,17 @@ void add_disk_randomness(struct gendisk *disk)
}
#endif
@@ -30324,7 +30388,36 @@ index b86eae9..4192a7a 100644
/*********************************************************************
*
* Entropy extraction routines
-@@ -1008,7 +1031,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+@@ -957,6 +981,10 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ ssize_t ret = 0, i;
+ __u8 tmp[EXTRACT_SIZE];
+
++ /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
++ if (fips_enabled && !r->last_data_init)
++ nbytes += EXTRACT_SIZE;
++
+ trace_extract_entropy(r->name, nbytes, r->entropy_count, _RET_IP_);
+ xfer_secondary_pool(r, nbytes);
+ nbytes = account(r, nbytes, min, reserved);
+@@ -967,6 +995,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ if (fips_enabled) {
+ unsigned long flags;
+
++
++ /* prime last_data value if need be, per fips 140-2 */
++ if (!r->last_data_init) {
++ spin_lock_irqsave(&r->lock, flags);
++ memcpy(r->last_data, tmp, EXTRACT_SIZE);
++ r->last_data_init = true;
++ nbytes -= EXTRACT_SIZE;
++ spin_unlock_irqrestore(&r->lock, flags);
++ extract_buf(r, tmp);
++ }
++
+ spin_lock_irqsave(&r->lock, flags);
+ if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
+ panic("Hardware RNG duplicated output!\n");
+@@ -1008,7 +1047,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
extract_buf(r, tmp);
i = min_t(int, nbytes, EXTRACT_SIZE);
@@ -30333,7 +30426,15 @@ index b86eae9..4192a7a 100644
ret = -EFAULT;
break;
}
-@@ -1342,7 +1365,7 @@ EXPORT_SYMBOL(generate_random_uuid);
+@@ -1086,6 +1125,7 @@ static void init_std_data(struct entropy_store *r)
+
+ r->entropy_count = 0;
+ r->entropy_total = 0;
++ r->last_data_init = false;
+ mix_pool_bytes(r, &now, sizeof(now), NULL);
+ for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) {
+ if (!arch_get_random_long(&rv))
+@@ -1342,7 +1382,7 @@ EXPORT_SYMBOL(generate_random_uuid);
#include <linux/sysctl.h>
static int min_read_thresh = 8, min_write_thresh;
@@ -42680,7 +42781,7 @@ index cce7df5..eaa2731 100644
goto out_sig;
if (offset > inode->i_sb->s_maxbytes)
diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c
-index dce436e..378404b 100644
+index dce436e..55e670d 100644
--- a/fs/autofs4/waitq.c
+++ b/fs/autofs4/waitq.c
@@ -61,7 +61,7 @@ static int autofs4_write(struct autofs_sb_info *sbi,
@@ -42709,7 +42810,7 @@ index dce436e..378404b 100644
if (IS_ROOT(dentry) && autofs_type_trigger(sbi->type))
+#ifdef CONFIG_GRKERNSEC_HIDESYM
+ /* this name does get written to userland via autofs4_write() */
-+ qstr.len = sprintf(name, "%08lx", atomic_inc_return_unchecked(&autofs_dummy_name_id));
++ qstr.len = sprintf(name, "%08x", atomic_inc_return_unchecked(&autofs_dummy_name_id));
+#else
qstr.len = sprintf(name, "%p", dentry);
+#endif
@@ -45676,6 +45777,38 @@ index 3c20de1..6ff2460 100644
atomic_t s_lock_busy;
/* locality groups */
+diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
+index 3a100e7..c7efa88 100644
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -762,7 +762,6 @@ got:
+
+ BUFFER_TRACE(block_bitmap_bh, "dirty block bitmap");
+ err = ext4_handle_dirty_metadata(handle, NULL, block_bitmap_bh);
+- brelse(block_bitmap_bh);
+
+ /* recheck and clear flag under lock if we still need to */
+ ext4_lock_group(sb, group);
+@@ -775,6 +774,7 @@ got:
+ ext4_group_desc_csum_set(sb, group, gdp);
+ }
+ ext4_unlock_group(sb, group);
++ brelse(block_bitmap_bh);
+
+ if (err)
+ goto fail;
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index b3c243b..772c318 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1503,6 +1503,7 @@ static void ext4_da_block_invalidatepages(struct mpage_da_data *mpd)
+
+ index = mpd->first_page;
+ end = mpd->next_page - 1;
++ pagevec_init(&pvec, 0);
+ while (index <= end) {
+ nr_pages = pagevec_lookup(&pvec, mapping, index, PAGEVEC_SIZE);
+ if (nr_pages == 0)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 526e553..3f2de85 100644
--- a/fs/ext4/mballoc.c
@@ -45793,6 +45926,18 @@ index 526e553..3f2de85 100644
trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
return 0;
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 80928f7..c3f2b1f 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3202,7 +3202,6 @@ int ext4_calculate_overhead(struct super_block *sb)
+ ext4_fsblk_t overhead = 0;
+ char *buf = (char *) get_zeroed_page(GFP_KERNEL);
+
+- memset(buf, 0, PAGE_SIZE);
+ if (!buf)
+ return -ENOMEM;
+
diff --git a/fs/fcntl.c b/fs/fcntl.c
index 71a600a..20d87b1 100644
--- a/fs/fcntl.c
@@ -49958,6 +50103,19 @@ index 16e8abb..2dcf914 100644
&quota_genl_family, 0, QUOTA_NL_C_WARNING);
if (!msg_head) {
printk(KERN_ERR
+diff --git a/fs/read_write.c b/fs/read_write.c
+index d065348..8e2b43d 100644
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -935,6 +935,8 @@ ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos, size_t count,
+ if (retval > 0) {
+ add_rchar(current, retval);
+ add_wchar(current, retval);
++ fsnotify_access(in.file);
++ fsnotify_modify(out.file);
+ }
+
+ inc_syscr(current);
diff --git a/fs/readdir.c b/fs/readdir.c
index 5e69ef5..e5d9099 100644
--- a/fs/readdir.c
@@ -50601,7 +50759,7 @@ index 4e00cf0..3374374 100644
kfree(s);
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..10c36fb
+index 0000000..3900064
--- /dev/null
+++ b/grsecurity/Kconfig
@@ -0,0 +1,964 @@
@@ -51270,7 +51428,7 @@ index 0000000..10c36fb
+ default y if GRKERNSEC_CONFIG_AUTO
+ help
+ If you say Y here, non-root users will not be able to use dmesg(8)
-+ to view up to the last 4kb of messages in the kernel's log buffer.
++ to view the contents of the kernel's circular log buffer.
+ The kernel's log buffer often contains kernel addresses and other
+ identifying information useful to an attacker in fingerprinting a
+ system for a targeted exploit.
@@ -63738,6 +63896,34 @@ index a4c5624..79d6d88 100644
/** create a directory */
struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
+diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h
+index b5d1384..70473da 100644
+--- a/include/linux/page-flags.h
++++ b/include/linux/page-flags.h
+@@ -362,7 +362,7 @@ static inline void ClearPageCompound(struct page *page)
+ * pages on the LRU and/or pagecache.
+ */
+ TESTPAGEFLAG(Compound, compound)
+-__PAGEFLAG(Head, compound)
++__SETPAGEFLAG(Head, compound) __CLEARPAGEFLAG(Head, compound)
+
+ /*
+ * PG_reclaim is used in combination with PG_compound to mark the
+@@ -374,8 +374,14 @@ __PAGEFLAG(Head, compound)
+ * PG_compound & PG_reclaim => Tail page
+ * PG_compound & ~PG_reclaim => Head page
+ */
++#define PG_head_mask ((1L << PG_compound))
+ #define PG_head_tail_mask ((1L << PG_compound) | (1L << PG_reclaim))
+
++static inline int PageHead(struct page *page)
++{
++ return ((page->flags & PG_head_tail_mask) == PG_head_mask);
++}
++
+ static inline int PageTail(struct page *page)
+ {
+ return ((page->flags & PG_head_tail_mask) == PG_head_tail_mask);
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
index 6bfb2faa..1204767 100644
--- a/include/linux/perf_event.h
@@ -69147,10 +69333,10 @@ index aebd4f5..1693c13 100644
{
struct pid *pid;
diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c
-index 125cb67..a4d1c30 100644
+index 125cb67..2e5c8ad 100644
--- a/kernel/posix-cpu-timers.c
+++ b/kernel/posix-cpu-timers.c
-@@ -6,6 +6,7 @@
+@@ -6,9 +6,11 @@
#include <linux/posix-timers.h>
#include <linux/errno.h>
#include <linux/math64.h>
@@ -69158,7 +69344,20 @@ index 125cb67..a4d1c30 100644
#include <asm/uaccess.h>
#include <linux/kernel_stat.h>
#include <trace/events/timer.h>
-@@ -1578,14 +1579,14 @@ struct k_clock clock_posix_cpu = {
++#include <linux/random.h>
+
+ /*
+ * Called after updating RLIMIT_CPU to run cpu timer and update
+@@ -494,6 +496,8 @@ static void cleanup_timers(struct list_head *head,
+ */
+ void posix_cpu_timers_exit(struct task_struct *tsk)
+ {
++ add_device_randomness((const void*) &tsk->se.sum_exec_runtime,
++ sizeof(unsigned long long));
+ cleanup_timers(tsk->cpu_timers,
+ tsk->utime, tsk->stime, tsk->se.sum_exec_runtime);
+
+@@ -1578,14 +1582,14 @@ struct k_clock clock_posix_cpu = {
static __init int init_posix_cpu_timers(void)
{
@@ -77590,7 +77789,7 @@ index df25142..e92a82a 100644
sizeof(net->ipv4.dev_addr_genid));
return 0;
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 181fc82..57da08d 100644
+index 181fc82..f211869 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4704,7 +4704,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
@@ -77602,6 +77801,61 @@ index 181fc82..57da08d 100644
struct sk_buff *head, struct sk_buff *tail,
u32 start, u32 end)
{
+@@ -5536,6 +5536,9 @@ slow_path:
+ if (len < (th->doff << 2) || tcp_checksum_complete_user(sk, skb))
+ goto csum_error;
+
++ if (!th->ack)
++ goto discard;
++
+ /*
+ * Standard slow path.
+ */
+@@ -5544,7 +5547,7 @@ slow_path:
+ return 0;
+
+ step5:
+- if (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
++ if (tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
+ goto discard;
+
+ /* ts_recent update must be made after we are sure that the packet
+@@ -5930,7 +5933,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ goto discard;
+
+ if (th->syn) {
+- if (th->fin)
++ if (th->fin || th->urg || th->psh)
+ goto discard;
+ if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
+ return 1;
+@@ -5977,11 +5980,15 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ if (tcp_check_req(sk, skb, req, NULL, true) == NULL)
+ goto discard;
+ }
++
++ if (!th->ack)
++ goto discard;
++
+ if (!tcp_validate_incoming(sk, skb, th, 0))
+ return 0;
+
+ /* step 5: check the ACK field */
+- if (th->ack) {
++ if (true) {
+ int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH) > 0;
+
+ switch (sk->sk_state) {
+@@ -6131,8 +6138,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ }
+ break;
+ }
+- } else
+- goto discard;
++ }
+
+ /* ts_recent update must be made after we are sure that the packet
+ * is in window.
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 0c4a643..e584990 100644
--- a/net/ipv4/tcp_ipv4.c