diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-23 06:45:11 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-06-03 13:59:40 +0000 |
commit | 9c577e498442db707d92db0b6733a4f6bff21cae (patch) | |
tree | 9e82c74e7e1f1e216a15659136c0f261d4dcca0d | |
parent | f29d6acbeed4be719f013fc9b0900f7c0c4388af (diff) | |
download | alpine_aports-9c577e498442db707d92db0b6733a4f6bff21cae.tar.bz2 alpine_aports-9c577e498442db707d92db0b6733a4f6bff21cae.tar.xz alpine_aports-9c577e498442db707d92db0b6733a4f6bff21cae.zip |
main/linux-grsec: fix gre+xfrm+gso crashes
fixes #1925
(cherry picked from commit 55bed09ef364d3268dad8a067181f00a0e0c8789)
-rw-r--r-- | main/linux-grsec/APKBUILD | 6 | ||||
-rw-r--r-- | main/linux-grsec/ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch | 44 |
2 files changed, 49 insertions, 1 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index dda2694820..215678fa53 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD | |||
@@ -7,7 +7,7 @@ case $pkgver in | |||
7 | *.*.*) _kernver=${pkgver%.*};; | 7 | *.*.*) _kernver=${pkgver%.*};; |
8 | *.*) _kernver=${pkgver};; | 8 | *.*) _kernver=${pkgver};; |
9 | esac | 9 | esac |
10 | pkgrel=0 | 10 | pkgrel=1 |
11 | pkgdesc="Linux kernel with grsecurity" | 11 | pkgdesc="Linux kernel with grsecurity" |
12 | url=http://grsecurity.net | 12 | url=http://grsecurity.net |
13 | depends="mkinitfs linux-firmware" | 13 | depends="mkinitfs linux-firmware" |
@@ -21,6 +21,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz | |||
21 | 21 | ||
22 | v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch | 22 | v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch |
23 | leds-leds-gpio-reserve-gpio-before-using-it.patch | 23 | leds-leds-gpio-reserve-gpio-before-using-it.patch |
24 | ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch | ||
24 | 25 | ||
25 | kernelconfig.x86 | 26 | kernelconfig.x86 |
26 | kernelconfig.x86_64 | 27 | kernelconfig.x86_64 |
@@ -149,6 +150,7 @@ md5sums="4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz | |||
149 | e881cf0db639205660f237ceea58f708 grsecurity-2.9.1-3.9.3-201305201732.patch | 150 | e881cf0db639205660f237ceea58f708 grsecurity-2.9.1-3.9.3-201305201732.patch |
150 | 699e92148cc9a55b6fc4d7d81e476717 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch | 151 | 699e92148cc9a55b6fc4d7d81e476717 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch |
151 | 83db7136608d8101ae130728539dc376 leds-leds-gpio-reserve-gpio-before-using-it.patch | 152 | 83db7136608d8101ae130728539dc376 leds-leds-gpio-reserve-gpio-before-using-it.patch |
153 | ac9a50bdbe91ba6e5205e83f7e734ff5 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch | ||
152 | fd6fd35309c0e8c1f05cb725df958f22 kernelconfig.x86 | 154 | fd6fd35309c0e8c1f05cb725df958f22 kernelconfig.x86 |
153 | fd61ff58d25155997c0d6f73e7ca7a7d kernelconfig.x86_64" | 155 | fd61ff58d25155997c0d6f73e7ca7a7d kernelconfig.x86_64" |
154 | sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz | 156 | sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz |
@@ -156,6 +158,7 @@ sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 li | |||
156 | c1b4310085ff07200131dc841a0a22f84a7f166c3b25464e27dd2694584bc72c grsecurity-2.9.1-3.9.3-201305201732.patch | 158 | c1b4310085ff07200131dc841a0a22f84a7f166c3b25464e27dd2694584bc72c grsecurity-2.9.1-3.9.3-201305201732.patch |
157 | 8e2f41605937eecd47cefe62daefd372dbf1e63cf956ab3ced3213ac2b508ee3 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch | 159 | 8e2f41605937eecd47cefe62daefd372dbf1e63cf956ab3ced3213ac2b508ee3 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch |
158 | 13676bc5610a8d03e788ac76734babd1338b023bb39559452ee54652b046e6f4 leds-leds-gpio-reserve-gpio-before-using-it.patch | 160 | 13676bc5610a8d03e788ac76734babd1338b023bb39559452ee54652b046e6f4 leds-leds-gpio-reserve-gpio-before-using-it.patch |
161 | ab0dcb52342990ad05af5ce21acd1e95fb65cc7e76ec98e45c7ece7433bc9f23 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch | ||
159 | b44c6671b344ddae1da94e6c051a0e708af8609c1f2ff40d962301ed5023c83a kernelconfig.x86 | 162 | b44c6671b344ddae1da94e6c051a0e708af8609c1f2ff40d962301ed5023c83a kernelconfig.x86 |
160 | 7a6700a6db89f8c2c7f8cce7d77f4ddb3fcad889d72c709c2833af795ef1bc79 kernelconfig.x86_64" | 163 | 7a6700a6db89f8c2c7f8cce7d77f4ddb3fcad889d72c709c2833af795ef1bc79 kernelconfig.x86_64" |
161 | sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz | 164 | sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz |
@@ -163,5 +166,6 @@ ae2bca3f0d274281d7ae88bb835d129a036350dfd3e9e941d7a0175194b2cbccffb5f8b5a20e5a74 | |||
163 | d6aa751d1fac8c4d758f9479bc6b08f70d8725c6c74b63446def044f42260a8beb1f540ae4473ec57f42538513d3ccb42de41c8cc721b9b85d8cfbaef7ab85d5 grsecurity-2.9.1-3.9.3-201305201732.patch | 166 | d6aa751d1fac8c4d758f9479bc6b08f70d8725c6c74b63446def044f42260a8beb1f540ae4473ec57f42538513d3ccb42de41c8cc721b9b85d8cfbaef7ab85d5 grsecurity-2.9.1-3.9.3-201305201732.patch |
164 | 772c847cd74b12ed22266042c0902d8a3cf09c897b6e1c01148dfcd2f01aed331f292e82c34bb718090dc0898e1ef364196272bff885a32378f7fbc8bfc06a9b v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch | 167 | 772c847cd74b12ed22266042c0902d8a3cf09c897b6e1c01148dfcd2f01aed331f292e82c34bb718090dc0898e1ef364196272bff885a32378f7fbc8bfc06a9b v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch |
165 | 10d2cf4fb308d1bc8cb5b9df3f9a6d7b9cef453244673bcbe66bd9b64af410a498e203d4dfa51f53461362ad981736eadc46537616b2c0514f57f4d8864c830d leds-leds-gpio-reserve-gpio-before-using-it.patch | 168 | 10d2cf4fb308d1bc8cb5b9df3f9a6d7b9cef453244673bcbe66bd9b64af410a498e203d4dfa51f53461362ad981736eadc46537616b2c0514f57f4d8864c830d leds-leds-gpio-reserve-gpio-before-using-it.patch |
169 | 769291e92f2f5ae5375d98b80bf8790b089c87437f1660cf8d5e9d45d7221280b6824bcb1d2564cbe12310a88df48443c56ecc9ce5468858829088221aa80327 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch | ||
166 | 2516c47145f53cfa5624a9a8839b3590fd16a980aa4c8c48af4db025960d33abe855a5c698ee701a0d3704a96a9a3f93cd6c3cc8c9b8fdf73f230c15ad2f7611 kernelconfig.x86 | 170 | 2516c47145f53cfa5624a9a8839b3590fd16a980aa4c8c48af4db025960d33abe855a5c698ee701a0d3704a96a9a3f93cd6c3cc8c9b8fdf73f230c15ad2f7611 kernelconfig.x86 |
167 | 0a3739e5e1fe29fcce8c686d8ac223316467a2efaaa18cb3d1abf6c7a66dc86be12c26755dff1aef6d0f5a028ce4f6dfc5664ab42b484046949f401f3b9198f9 kernelconfig.x86_64" | 171 | 0a3739e5e1fe29fcce8c686d8ac223316467a2efaaa18cb3d1abf6c7a66dc86be12c26755dff1aef6d0f5a028ce4f6dfc5664ab42b484046949f401f3b9198f9 kernelconfig.x86_64" |
diff --git a/main/linux-grsec/ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch b/main/linux-grsec/ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch new file mode 100644 index 0000000000..7cb0dade7c --- /dev/null +++ b/main/linux-grsec/ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From patchwork Wed May 22 11:40:47 2013 | ||
2 | Content-Type: text/plain; charset="utf-8" | ||
3 | MIME-Version: 1.0 | ||
4 | Content-Transfer-Encoding: 8bit | ||
5 | Subject: [ipsec] xfrm: properly handle invalid states as an error | ||
6 | Date: Wed, 22 May 2013 01:40:47 -0000 | ||
7 | From: =?utf-8?q?Timo_Ter=C3=A4s?= <timo.teras@iki.fi> | ||
8 | X-Patchwork-Id: 245594 | ||
9 | Message-Id: <1369222847-8542-1-git-send-email-timo.teras@iki.fi> | ||
10 | To: netdev@vger.kernel.org | ||
11 | Cc: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>, | ||
12 | Li RongQing <roy.qing.li@gmail.com>, | ||
13 | Steffen Klassert <steffen.klassert@secunet.com> | ||
14 | |||
15 | The error exit path needs err explicitly set. Otherwise it | ||
16 | returns success and the only caller, xfrm_output_resume(), | ||
17 | would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is | ||
18 | NULL. | ||
19 | |||
20 | Bug introduced in commit bb65a9cb (xfrm: removes a superfluous | ||
21 | check and add a statistic). | ||
22 | |||
23 | Signed-off-by: Timo Teräs <timo.teras@iki.fi> | ||
24 | Cc: Li RongQing <roy.qing.li@gmail.com> | ||
25 | Cc: Steffen Klassert <steffen.klassert@secunet.com> | ||
26 | |||
27 | --- | ||
28 | Should go also to 3.9-stable. | ||
29 | |||
30 | net/xfrm/xfrm_output.c | 1 + | ||
31 | 1 file changed, 1 insertion(+) | ||
32 | |||
33 | diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c | ||
34 | index bcfda89..0cf003d 100644 | ||
35 | --- a/net/xfrm/xfrm_output.c | ||
36 | +++ b/net/xfrm/xfrm_output.c | ||
37 | @@ -64,6 +64,7 @@ static int xfrm_output_one(struct sk_buff *skb, int err) | ||
38 | |||
39 | if (unlikely(x->km.state != XFRM_STATE_VALID)) { | ||
40 | XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEINVALID); | ||
41 | + err = -EINVAL; | ||
42 | goto error; | ||
43 | } | ||
44 | |||