Hi. Please review and commit the proposed release (patches/trunk can be found at http://brianw.org/kerframil/kernel). Noteworthy changes over the -r5 release are:

* Adds 2 patches to grsec which render it identical to the grsec-2.1.8-2.6.14.7-200602052251 snapshot. This fixes bugs 99413 (yay) and 121250.
* Adds the single patch contained in the 2.6.15.3 release and every pending stable queue patch that's applicable/relevant.
* Adds 2 further patches from Daniel's 2.6.15 tree, closing another 2 bugs into the bargain.

For more information see the following list as well as the comments in the 0000_README and the patches themselves:

+ 1415_15.3_ip_options_echo-extra-dst-release.patch
+ 1416_15.Q_scsi-flush-barriers.patch
+ 1417_15.Q_dm-crypt-zero-key.patch
+ 1418_15.Q_nfs-inode-leakage.patch
+ 1419_15.Q_seclvl-settime-fix.patch
+ 1420_15.Q_mousedev-memory-leak.patch
+ 1421_15.Q_grip-fix-crash.patch
+ 1422_15.Q_input-db9-possible-crash.patch
+ 1423_15.Q_input-iforce-usb-detection.patch
+ 1424_15.Q_sparc64-set-date-hang.patch (CVE-2006-0482)
+ 1425_15.Q_strnlen_user-keyctl-usage.patch
+ 1426_15.Q_pcmcia-m-hostap_cs-y-kconfig.patch
+ 1427_15.Q_selinux-slab-leak.patch
+ 1428_15.Q_hardware-rx-checksum.patch
- 1715_dm-crypt-zero-key-material.patch
+ 2500_emu10k1-mixer-controls.patch (bug 120788)
+ 2720_dell-rbu-hang.patch (bug 121386)
+ 4906_grsec-2.1.8-disable_modules-fix.patch (bug 121250)
+ 4907_grsec-2.1.8-killall-workaround.patch (bug 99413)
This also seems to fix some horrific memory leakage (and rampant swap usage) on the 1G P4 EM64T/amd64 box I've been using for development just recently. I'll look into this further and try to determine for sure which patch introduced this most desirable change in behaviour.
Note: "1415_15.3_ip_options_echo-extra-dst-release.patch" addresses CVE-2006-0454 and closes bug 121890 too.
Here comes a little revision. Notable changes:

* Add 1 further patch to grsec which, according to spender, fixes issues with policy recreation. This now renders the grsec implementation absolutely identical to the 2.1.8-2.6.14.7-200602072041 snapshot. It also needs >=gradm-2.1.8-200602071945 over in userland to stay abreast of this fix!
* Added 4 more fixes from the stable queue and renamed patch #2500 to reflect the fact that it's now in the queue.

+ 1429_15.Q_x86_64-impossible-cpus-ref-per-cpu-data.patch
+ 1430_15.Q_x86_64-clear-more-state-in-srat-parsing.patch
+ 1431_15.Q_bridge-netfilter-races.patch
+ 1432_15.Q_bridge-fix-rcu-race.patch
+ 1433_15.Q_emu10k1-mixer-controls.patch
- 2500_emu10k1-mixer-controls.patch
+ 4908_grsec-2.1.8-policy-recreation-fix.patch
Created attachment 79200: gradm2-2.1.8-200602071945-incr.patch

Just for the record, this patch shows the changes between gradm-2.1.8-200601212342 and gradm2-2.1.8-200602071945 (which allow it to co-operate with the fix introduced by patch #4908 above).
OK, it's time for an update on what the present situation is, I think. I've been hard at work bringing my tree into parity with 2.6.15.6 and testing/fixing things. To avoid confusion I'm going to show here a full report on what's changed between the existing hardened-sources-2.6.14-r5 release and my tree (which I'm proposing for a 2.6.14-r6 release) rather than describing the changes since my last comment in an "incremental" fashion as I have been doing.

+ = Added
U = Updated
- = Removed

genpatches-base-2.6.14-10 -> genpatches-base-2.6.14-11
------------------------------------------------------
U 1402_15.1_ppc-ml300-ep405-boot.patch (updated: fixed fuzz)
+ 1415_15.3_dst-release.patch (bug 121890 - CVE-2006-0454)
+ 1416_15.4_scsi-barrier-leak.patch
+ 1417_15.4_dm-crypt-zero-key.patch
+ 1418_15.4_nfs-inode-leakage.patch
+ 1419_15.4_seclvl-settime.patch
+ 1420_15.4_mousedev-leak.patch
+ 1421_15.4_grip-crash.patch
+ 1422_15.4_db9-crash.patch
+ 1423_15.4_iforce-usb.patch
+ 1424_15.4_sparc64-settime-stub.patch (CVE-2006-0482)
+ 1425_15.4_keyctl-strlen.patch
+ 1426_15.4_pcmcia-hostap-compile.patch
+ 1427_15.4_selinux-slab-leak.patch
+ 1428_15.4_ppp-rx-csum.patch
+ 1429_15.4_x86_64-cpu-refs.patch
+ 1430_15.4_x86_64-pxm-boot-failure.patch
+ 1431_15.4_bridge-netfilter-race.patch
+ 1432_15.4_bridge-rcu-race.patch
+ 1433_15.4_emu10k1-mixer.patch (bug 120788)
+ 1434_15.4_cmpxchg-inline.patch
+ 1435_15.5_shmdt-non-aligned-segment.patch
+ 1436_15.5_netfilter-has_bridge_parent.patch
+ 1437_15.5_move-early-intel-workaround.patch
+ 1438_15.5_reiserfs-disable-autoenable-inode-attrs.patch (might fix bug 122018?)
+ 1439_15.5_reallow-recursive-skb-frag-lists.patch
+ 1440_15.5_sys_signal-init-sa_mask.patch
+ 1441_15.5_cleanup-sa_mask-before-do_sigaction.patch
+ 1442_15.5_sys32_signal-init-sa_mask.patch
+ 1443_15.5_s390-build-failure.patch
+ 1444_15.5_br_stp_disable_bridge-deadlock.patch
+ 1445_15.5_zap_thread-ptrace.patch
+ 1446_15.5_ext2-deadlock.patch
+ 1447_15.5_sys_mbind-sanity-checking.patch
+ 1448_15.5_it87-oops-on-removal.patch
+ 1449_15.5_it87-probe-restriction.patch
+ 1450_15.5_usb-audio-32bit-compat.patch
+ 1451_15.5_alsa-bogus-snd_device-free.patch
+ 1452_15.5_cfi-init-wait-queue.patch
+ 1453_15.5_gbefb-4M-default.patch
+ 1454_15.5_dm-bdev-release.patch
+ 1455_15.5_dm-free-minor-after-del_gendisk.patch
+ 1456_15.5_ramfs-dir-mtime-ctime.patch
+ 1457_15.5_gbefb-depth-change.patch
+ 1458_15.5_x86_64-bad-elf-entry-addr.patch (bug 125436 - CVE-2006-0741)
+ 1459_15.5_netlink-severe-bug.patch
+ 1460_15.5_sd-memory-corruption.patch
+ 1461_15.5_sbp2-fix-deadlock.patch
+ 1462_15.5_xfs-ftruncate-stale-data.patch (bug 125437 - CVE-2006-0554)
+ 1463_15.5_nfs-client-directio-panic.patch (bug 125438 - CVE-2006-0555)
+ 1464_15.6_dont-reset-rskq_defer_accept.patch
+ 1465_15.6_die_if_kernel-can-return.patch (bug 125439 - CVE-2006-0742)
+ 1466_15.6_nfs-client-directio-panic-compile-fix.patch (bug 125438 also)
+ 1467_15.6_mempolicy-compile-fix.patch (bug 124666)
- 1715_dm-crypt-zero-key-material.patch (moved to 1417_15.4)
U 1805_ppc-powerbook-5-8.patch (fixed fuzz)
+ 2100_skge-driver-v1.3.patch (*)
+ 2720_dell-rbu-hang.patch (bug 121386)
+ 2725_cpufreq-frequency-change.patch
+ 2900_bt3c-cs-crash.patch

(*) This is a revision of the skge driver. It rolls up 4 stable-tree patches (1 from 2.6.15.1 which was not previously applied and 3 from 2.6.15.5) which would otherwise have been a pain to backport. Please see the comments in the patch for more details.

hardened-patches-2.6.14-5 -> hardened-patches-2.6.14-6
------------------------------------------------------
The following patches render the grsec implementation identical to spender's 2.1.8-2.6.14.7-200602072041 snapshot:

+ 4906_grsec-2.1.8-disable_modules-fix.patch (bug 121250)
+ 4907_grsec-2.1.8-killall-workaround.patch (bug 99413)
+ 4908_grsec-2.1.8-policy-recreation-fix.patch

I will attempt to co-ordinate with solar in terms of making sure that gradm-2.1.8 (which is currently marked stable only on x86) is capable of accommodating this kernel and will also double-check that there are no more worthy fixes to go into grsec.

I really think this tree is in good shape and that we need to push a new release out fairly soon. I am particularly concerned that bug 121890 has still not been attended to ... in retrospect I think the ebuild should have been bumped for this reason alone in the interim.

NOTE #1: I have not fully updated the 0000_README in the tarball yet! I will do so ASAP.

NOTE #2: A grsec-2.1.9 snapshot is available now. I am not paying any attention to this yet as I feel that that would push the pace of development too far (we need to stay synced with solar's 2.4 implementation and we share sys-apps/gradm. Also, I have accommodated the most important fixes in 2.1.8 already).

Hope that makes everything clear. Additional testing/feedback welcome ...
This has now been committed to portage in the "testing" branch (keywords: ~alpha ~amd64 ~ppc ~x86). Thanks John.