commit 305f4cbad2688044110fee2bcb4be90d063fd964
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Oct 14 10:08:38 2021 +0200
Backport patches
0001-compat-account-for-latest-c8s-backports.patch | 44 ++++++++++++
...ount-for-grsecurity-backports-and-changes.patch | 84 ++++++++++++++++++++++
...e25519-x86_64-solve-register-constraints-.patch | 47 ++++++++++++
3 files changed, 175 insertions(+)
---
diff --git a/0001-compat-account-for-latest-c8s-backports.patch
b/0001-compat-account-for-latest-c8s-backports.patch
new file mode 100644
index 0000000..c8136b1
--- /dev/null
+++ b/0001-compat-account-for-latest-c8s-backports.patch
@@ -0,0 +1,44 @@
+From 50dda8ce5ee691b97ae640aba4cbe55aa9b62085 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason(a)zx2c4.com>
+Date: Tue, 15 Jun 2021 01:13:41 +0200
+Subject: [PATCH 1/3] compat: account for latest c8s backports
+
+Signed-off-by: Jason A. Donenfeld <Jason(a)zx2c4.com>
+---
+ src/compat/compat.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/compat/compat.h b/src/compat/compat.h
+index 91d4388824ea..b2041327d85c 100644
+--- a/src/compat/compat.h
++++ b/src/compat/compat.h
+@@ -16,7 +16,7 @@
+ #define ISRHEL7
+ #elif RHEL_MAJOR == 8
+ #define ISRHEL8
+-#if RHEL_MINOR >= 4
++#if RHEL_MINOR >= 5
+ #define ISCENTOS8S
+ #endif
+ #endif
+@@ -757,7 +757,7 @@ static inline void crypto_xor_cpy(u8 *dst, const u8 *src1, const u8
*src2,
+ #define hlist_add_behind(a, b) hlist_add_after(b, a)
+ #endif
+
+-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0) && !defined(ISCENTOS8S)
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0) && !defined(ISRHEL8)
+ #define totalram_pages() totalram_pages
+ #endif
+
+@@ -849,7 +849,7 @@ static inline void skb_mark_not_on_list(struct sk_buff *skb)
+ #endif
+ #endif
+
+-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 5, 0)
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 5, 0) && !defined(ISCENTOS8S)
+ #define genl_dumpit_info(cb) ({ \
+ struct { struct nlattr **attrs; } *a = (void *)((u8 *)cb->args + offsetofend(struct
dump_ctx, next_allowedip)); \
+ BUILD_BUG_ON(sizeof(cb->args) < offsetofend(struct dump_ctx, next_allowedip) +
sizeof(*a)); \
+--
+2.31.1
+
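Review bot: The totalram_pages() fallback at `#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0) && !defined(ISRHEL8)` now drops the macro for every RHEL 8 kernel, not just CentOS Stream, while ISCENTOS8S itself is narrowed to `RHEL_MINOR >= 5`; nothing in the patch or its message records that 8.0–8.4 kernels already provide totalram_pages() as a function, which is what the widened exclusion assumes. If that is the case, a comment such as `/* every RHEL 8 kernel carries the totalram_pages() function backport */` above the guard would stop the next rebase from re-adding ISCENTOS8S here. The genl_dumpit_info change is consistent with this only if 8.5+ stream kernels provide genl_dumpit_info(); stating that in the commit message of 0001 would make the three edits read as one coherent assumption.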
diff --git a/0002-compat-account-for-grsecurity-backports-and-changes.patch
b/0002-compat-account-for-grsecurity-backports-and-changes.patch
new file mode 100644
index 0000000..e2582d3
--- /dev/null
+++ b/0002-compat-account-for-grsecurity-backports-and-changes.patch
@@ -0,0 +1,84 @@
+From 29747255f9672035ccf9cc310b7ff66b1f35f1d2 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli(a)grsecurity.net>
+Date: Tue, 6 Jul 2021 15:27:13 +0200
+Subject: [PATCH 2/3] compat: account for grsecurity backports and changes
+
+grsecurity kernels tend to carry additional backports and changes, like
+commit b60b87fc2996 ("netlink: add ethernet address policy types") or
+the SYM_FUNC_* changes. RAP nowadays hooks the latter, therefore no
+diversion to RAP_ENTRY is needed any more.
+
+Instead of relying on the kernel version test, also test for the macros
+we're about to define to not already be defined to account for these
+additional changes in the grsecurity patch without breaking
+compatibility to the older public ones.
+
+Also test for CONFIG_PAX instead of RAP_PLUGIN for the timer API related
+changes as these don't depend on the RAP plugin to be enabled but just a
+PaX/grsecurity patch to be applied. While there is no preprocessor knob
+for the latter, use CONFIG_PAX as this will likely be enabled in every
+kernel that uses the patch.
+
+Signed-off-by: Mathias Krause <minipli(a)grsecurity.net>
+[zx2c4: small changes to include a header nearby a macro def test]
+Signed-off-by: Jason A. Donenfeld <Jason(a)zx2c4.com>
+---
+ src/compat/compat-asm.h | 4 ++--
+ src/compat/compat.h | 8 +++++++-
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/compat/compat-asm.h b/src/compat/compat-asm.h
+index fde21dabba4f..5bfdb9410933 100644
+--- a/src/compat/compat-asm.h
++++ b/src/compat/compat-asm.h
+@@ -22,7 +22,7 @@
+ #endif
+
+ /* PaX compatibility */
+-#if defined(RAP_PLUGIN)
++#if defined(RAP_PLUGIN) && defined(RAP_ENTRY)
+ #undef ENTRY
+ #define ENTRY RAP_ENTRY
+ #endif
+@@ -51,7 +51,7 @@
+ #undef pull
+ #endif
+
+-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 76) && !defined(ISCENTOS8S)
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 76) && !defined(ISCENTOS8S)
&& !defined(SYM_FUNC_START)
+ #define SYM_FUNC_START ENTRY
+ #define SYM_FUNC_END ENDPROC
+ #endif
+diff --git a/src/compat/compat.h b/src/compat/compat.h
+index b2041327d85c..ee45a3cc7457 100644
+--- a/src/compat/compat.h
++++ b/src/compat/compat.h
+@@ -831,10 +831,16 @@ static inline void skb_mark_not_on_list(struct sk_buff *skb)
+ #endif
+
+ #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 20, 0) && !defined(ISRHEL8)
++#include <net/netlink.h>
++#ifndef NLA_POLICY_EXACT_LEN
+ #define NLA_POLICY_EXACT_LEN(_len) { .type = NLA_UNSPEC, .len = _len }
+ #endif
++#endif
+ #if LINUX_VERSION_CODE < KERNEL_VERSION(5, 2, 0) && !defined(ISRHEL8)
++#include <net/netlink.h>
++#ifndef NLA_POLICY_MIN_LEN
+ #define NLA_POLICY_MIN_LEN(_len) { .type = NLA_UNSPEC, .len = _len }
++#endif
+ #define COMPAT_CANNOT_INDIVIDUAL_NETLINK_OPS_POLICY
+ #endif
+
+@@ -1127,7 +1133,7 @@ static const struct header_ops ip_tunnel_header_ops = {
.parse_protocol = ip_tun
+ #undef __read_mostly
+ #define __read_mostly
+ #endif
+-#if (defined(RAP_PLUGIN) || defined(CONFIG_CFI_CLANG)) && LINUX_VERSION_CODE
< KERNEL_VERSION(4, 15, 0)
++#if (defined(CONFIG_PAX) || defined(CONFIG_CFI_CLANG)) && LINUX_VERSION_CODE
< KERNEL_VERSION(4, 15, 0)
+ #include <linux/timer.h>
+ #define wg_expired_retransmit_handshake(a) wg_expired_retransmit_handshake(unsigned long
timer)
+ #define wg_expired_send_keepalive(a) wg_expired_send_keepalive(unsigned long timer)
+--
+2.31.1
+
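Review bot: The compat-asm.h guard `#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 76) && !defined(ISCENTOS8S) && !defined(SYM_FUNC_START)` tests only one of the two macros the block defines, so a kernel that provides SYM_FUNC_START but not SYM_FUNC_END would be left without the END fallback; the kernel's linkage.h presumably defines them as a pair, so this is likely harmless, but `&& !defined(SYM_FUNC_END)` or a one-line comment stating the pairing assumption would make it explicit. The two `#include <net/netlink.h>` lines in compat.h are what let the new `#ifndef NLA_POLICY_EXACT_LEN` / `#ifndef NLA_POLICY_MIN_LEN` tests see a backported definition; a short comment there, e.g. `/* include netlink.h first so a backported NLA_POLICY_* is visible to the #ifndef */`, would explain why an include sits inside a version guard.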
diff --git a/0003-crypto-curve25519-x86_64-solve-register-constraints-.patch
b/0003-crypto-curve25519-x86_64-solve-register-constraints-.patch
new file mode 100644
index 0000000..773d3e2
--- /dev/null
+++ b/0003-crypto-curve25519-x86_64-solve-register-constraints-.patch
@@ -0,0 +1,47 @@
+From 8118c247a75ae95169f0a9a539dfc661ffda8bc5 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli(a)grsecurity.net>
+Date: Tue, 6 Jul 2021 15:27:14 +0200
+Subject: [PATCH 3/3] crypto: curve25519-x86_64: solve register constraints
+ with reserved registers
+
+The register constraints for the inline assembly in fsqr() and fsqr2()
+are pretty tight on what the compiler may assign to the remaining three
+register variables. The clobber list only allows the following to be
+used: RDI, RSI, RBP and R12. With RAP reserving R12 and a kernel having
+CONFIG_FRAME_POINTER=y, claiming RBP, there are only two registers left
+so the compiler rightfully complains about impossible constraints.
+
+Provide alternatives that'll allow a memory reference for 'out' to solve
+the allocation constraint dilemma for this configuration.
+
+Signed-off-by: Mathias Krause <minipli(a)grsecurity.net>
+Signed-off-by: Jason A. Donenfeld <Jason(a)zx2c4.com>
+---
+ src/crypto/zinc/curve25519/curve25519-x86_64.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/crypto/zinc/curve25519/curve25519-x86_64.c
b/src/crypto/zinc/curve25519/curve25519-x86_64.c
+index 79716c425b0c..67f55affcf88 100644
+--- a/src/crypto/zinc/curve25519/curve25519-x86_64.c
++++ b/src/crypto/zinc/curve25519/curve25519-x86_64.c
+@@ -581,7 +581,7 @@ static inline void fsqr(u64 *out, const u64 *f, u64 *tmp)
+ " cmovc %%rdx, %%rax;"
+ " add %%rax, %%r8;"
+ " movq %%r8, 0(%0);"
+- : "+&r" (tmp), "+&r" (f), "+&r" (out)
++ : "+&r,&r" (tmp), "+&r,&r" (f),
"+&r,m" (out)
+ :
+ : "%rax", "%rcx", "%rdx", "%r8",
"%r9", "%r10", "%r11", "%rbx", "%r13",
"%r14", "%r15", "memory", "cc"
+ );
+@@ -743,7 +743,7 @@ static inline void fsqr2(u64 *out, const u64 *f, u64 *tmp)
+ " cmovc %%rdx, %%rax;"
+ " add %%rax, %%r8;"
+ " movq %%r8, 32(%0);"
+- : "+&r" (tmp), "+&r" (f), "+&r" (out)
++ : "+&r,&r" (tmp), "+&r,&r" (f),
"+&r,m" (out)
+ :
+ : "%rax", "%rcx", "%rdx", "%r8",
"%r9", "%r10", "%r11", "%rbx", "%r13",
"%r14", "%r15", "memory", "cc"
+ );
+--
+2.31.1
+
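Review bot: The `"+&r,m" (out)` alternative in both fsqr() and fsqr2() is only sound if every use of `%2` in the asm template accepts a memory operand; the templates begin outside the hunk and the visible lines reference only `0(%0)` and `32(%0)`, so this cannot be confirmed here. A comment above each operand list, e.g. `/* 'out' may be a memory operand (RAP reserves r12, frame pointers reserve rbp); the template must only touch %2 in mov-style positions */`, would record the invariant for anyone later editing the template. Because this is Curve25519 key-agreement code, a wrong operand form would surface as a silent arithmetic error rather than a compile failure, so the packaging build should be checked against the tree's curve25519 selftest, if one is present, with CONFIG_PAX/RAP enabled.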