millerson.name/gentoo-overlay
1
0
Fork 0
Code Issues Pull Requests Releases Activity

sys-kernel/hardened-kernel: bump to v6.14.8

Browse Source 
Add restrict-fs-causes-bpf-verifier.patch:
systemd's restrict-fs causes bpf verifier to fail due to 32bit sign extend
See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=119731
This commit is contained in:
Alexander Miroshnichenko 2025-05-30 07:47:05 +03:00
parent 91b4834b90
commit d8d8808cad
Signed by: alex
GPG Key ID: E93720C6C73A77F4
3 changed files with 28 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
sys-kernel/hardened-kernel/Manifest
View File

@ -1,9 +1,9 @@
DIST genpatches-6.12-23.base.tar.xz 1435492 BLAKE2B ca65b4ead188bb8c561e47dd7aca29c2cb10d98ed28e78113cedd1bf9d9bf2a380bf12a807bcfc3cce3976621355e087cb8a2a5a06857660401eea0e9156830f SHA512 82fc23bb6e04227bcea2d29336d5a46a6e7f1649244b9ceae2869fac65e3f785e7512ea8d1e32f34281d48c76831223cc5c8b448452d2dd036445773a1329c6d
DIST genpatches-6.12-23.experimental.tar.xz 78500 BLAKE2B f7c0bbe38f90fe3c203725c83bae75f105de44ecc3b4bb5d262056936cc472f8678d50900587e51fd388ed54d95fefa624ba86642f5d12bfc650f0bb4a2a0e37 SHA512 9738997ec9056d66a0e56fb21bc1d6f06c198394993d2960c13acf29821b0f6f1e8b6637abca0abdd3e57ff25b734286a309d991c9614fe6b9ee1f8de59e25fc
DIST genpatches-6.12-23.extras.tar.xz 4056 BLAKE2B dc27e7f57ea95e678f08d3b6f791a26cec5b51e2204f3d527538f3c54333c8f25194981cdc68b7812973ee8baa95e0d5c575be26e918b25c160178d3bcf80769 SHA512 c7d92cc303dde284b5c1f31b87081167a1a8645e5611a65780d09ebc49f9cc2ded94007d10e1764d90e0d25e31fa73095227d381977c1ba13714654a328ac77f
DIST genpatches-6.14-8.base.tar.xz 707352 BLAKE2B 34edde67b70c11a911daaac12859b5c70708325eeb50694db276f4db877fe01e78cf2e4f431d17813b1b537f17b522f66f29611e59fb8a3835319b9416272468 SHA512 3bf757bec0226b0fceb6b9f36dec8e9bc216155886e1452eb417906ea623bcc99a47d3dde6f88bc91bde85a0523feb0478376f4d089669493f10ec6e6b9d21ba
DIST genpatches-6.14-8.experimental.tar.xz 79820 BLAKE2B c14deff3a3a80ed66c15541a4f270bc39ca3926f371ce4e736af65543f482688dda8c1cc217c6e103ccbc704c97f946cd2ddb8c9e66437b92af7b9798d98d02e SHA512 2b072527679855a740f88c8caf8cdf8614dccadbc8f5347a003c0806c94a1f7c491baf72cce7704386001fd42d4e544962ceb944f4d46f872d8a3810e7fe98e2
DIST genpatches-6.14-8.extras.tar.xz 4048 BLAKE2B 65e31008d0ac83016ca1033eae0910fbdfa0db2cc976ca9fd0fcb431f833ec38a1f3e7a9cc74f229f20f919c6715ecd8b49b2cca142bbdb3173b98ffd703f58c SHA512 42b3bb027ec5b5a4b0adc2d0991ea303862727b9f4473e495af45349b5aa31f8af0a9467a2414baf1bbfe53383ab267e63ecbbc76e34c16e7ac4705bbae48b34
DIST genpatches-6.14-9.base.tar.xz 751104 BLAKE2B 54247d1f3e1639761408bd622efd9ecb1311ec87f5b231ab6e243829b2ef0ab828b7743b38599b655684229875fb07127c931c2bb1de65c05318d54b832ba7a9 SHA512 de7fff5b69767c1fbe7d3dabc97be4777f22c90a47eb137a8a69756ed0fca36a9b962650215ec91b985ad35057bcca0e2a824c71b4d3cde0100e2b7e8e8edceb
DIST genpatches-6.14-9.experimental.tar.xz 79816 BLAKE2B f72de3acdeff2c48e01e488144befceea4e8cd7fbc94b1bd36078b998ca6da3f807db1e2368fb48a8f38fe80627d94583c9c26457f8f560a80642c18ecd437cb SHA512 d678dc235b5e120205e093ddaa86349dc2f2f6613596044a2fb18f94b29da15f4ecbd02fb14a4c61ab1e18b7fb43a494fe8f12d7de01efa45de27ac62bb0406c
DIST genpatches-6.14-9.extras.tar.xz 4056 BLAKE2B 431e8bd76cd1edce40f831c16c9971fd21ebdddb7720bca0028a70c42fdd97d483de920248eff645cb5902684df40b21a7b68ca6e714831b216792c4a2a910e8 SHA512 5e112f31f2b0ec5d25d2d19897ced19b3d3e632d272bac4ae1a27c701235e3c981eb7bd95c176f6a9f9cefbcb0304a1d48b99aea4d091222ac5781ce5dbd4682
DIST gentoo-kernel-config-g15.tar.gz 5746 BLAKE2B 2baef40e18cbf3bb975362d71ad674604ad80338d1e6914ffa2fc03af26f1b9c9cec66d39a56077693a7327060bc29bd5eb5787549857dd3779e841192cb2016 SHA512 45d609ee25a529988868b8c99c808f4e6abbde34ae501bf35523431ee85c9f3657663d6f938f2036a5f012a55a68965b32fd41fc44d8f6ca606a6fd38f952445
DIST gentoo-kernel-config-g16.tar.gz 5995 BLAKE2B cddb80d45169749c707d87efd186f7a981534aab2479b6c51790008ea61e9f9feac35d0d74b95dc18281e4b81771e09f259a1d9f216f5d7f806fa7cd6aeeb4d1 SHA512 f8114e645e1ab99e45703790b7e43c2fa9ee17b41a2265dccdd9187c122bf8b5a09ba918fbcf094aa899bb959f05d105ed474b75cdfa9a19c4d49fd138825647
DIST kernel-aarch64-fedora.config.6.12.8-gentoo 288081 BLAKE2B 08273a34c387621d0ccffcc325a0a34b40e0a8fbe78f2429c8a9efc73aa05f8fb563ed53e5fadb25662089f23ebafb61b2d08f91ea00b073e67e702798255e9c SHA512 58ea4f247aa9af6f7535ab5fe44dae2fbf286c7fbceeda86df532125807bbd4c25a89ddeeff4284592efefbaaef5022626abad7f1d1d64976e3040dc6e89251a
@ -17,4 +17,4 @@ DIST kernel-x86_64-fedora.config.6.14.5-gentoo 260496 BLAKE2B b68058a75bc02afcc3
DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548
DIST linux-6.14.tar.xz 149408504 BLAKE2B 11835719804b406fe281ea1c276a84dc0cbaa808552ddcca9233d3eaeb1c001d0455c7205379b02de8e8db758c1bae6fe7ceb6697e63e3cf9ae7187dc7a9715e SHA512 71dcaa3772d8d9797c3ae30cae9c582b11a7047a3bbcb8dfd479a4dffb40ff0da74cf3d45175f50cc9992e338bcadd46c9c570f54054ca3bde6661768d3d22eb
DIST linux-hardened-v6.12.19-hardened1.patch 89621 BLAKE2B dcd5dace9b76852547e02ce79f98eb417ebe0290654f6f19d18655d873c868a4e84d72608714e0bf02ae71178726cf69bcee20c38b30b590ef44de9ba7b88470 SHA512 e96e7028303d2d7660d71de2e90a03ea467bafeb3af296c456d859235274d1c92b9f92b093bc3747f1f47d9f0a2ed2e501b05baf22a483b473dc00cb983433ed
DIST linux-hardened-v6.14.7-hardened1.patch 90843 BLAKE2B 1b05a1a1a9fe93c1c2e9a779ca42e82f61e8e427ae9a1bebe401705dc3ca1264b277bc332585ff5675457bfc53dbe24dd99b60585b516c7a7930e5997637c8df SHA512 30b4b1f8915caea9b896dfbd7eb8e78a9e3ebbfe2d2db7fea76fcad08cd0135512e94b601e2e3a4b414df1a18c8e600575159d88fb21b5ca6426f08e9663e2d6
DIST linux-hardened-v6.14.8-hardened1.patch 90843 BLAKE2B 9e1d570a0fc91ad249365b2821ffddfa24e822f251a82eede6db827951de799b45bef7223e9c8b7479eba9d130a1205f19750d7e92ffae9784d30563c9bd1789 SHA512 dcf7a7b5456de0d05b9821462d4a1aa20162314092a8a0a855aeac586bdde5d8e7d35b594abd0416c7a11bb0b28f851ab91c36d153565cd76a025e1f8bb81fb9

23
sys-kernel/hardened-kernel/files/linux-6.14/1189_restrict-fs-causes-bpf-verifier.patch Normal file
View File

@ -0,0 +1,23 @@
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 9000806ee..206cf1fb5 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -14029,11 +14029,13 @@ static void scalar_min_max_arsh(struct bpf_reg_state *dst_reg,
dst_reg->umin_value = 0;
dst_reg->umax_value = U64_MAX;
- /* Its not easy to operate on alu32 bounds here because it depends
- * on bits being shifted in from upper 32-bits. Take easy way out
- * and mark unbounded so we can recalculate later from tnum.
- */
- __mark_reg32_unbounded(dst_reg);
+ /* When shifting, we track the signed 32bit values as the new value of 64bit values. */
+ dst_reg->s32_min_value = dst_reg->smin_value;
+ dst_reg->s32_max_value = dst_reg->smax_value;
+
+ /* If the truncation of the min/max for 32bit is different, just mark it as unbounded. */
+ if (dst_reg->s32_min_value != dst_reg->smin_value || dst_reg->s32_max_value != dst_reg->smax_value)
+ __mark_reg32_unbounded (dst_reg);
__update_reg_bounds(dst_reg);
}

2
sys-kernel/hardened-kernel/hardened-kernel-6.14.7.ebuild → sys-kernel/hardened-kernel/hardened-kernel-6.14.8.ebuild
View File

@ -56,7 +56,7 @@ SRC_URI+="
S=${WORKDIR}/${MY_P}
KEYWORDS="amd64 ~arm arm64 ~hppa ~loong ~ppc ppc64 ~riscv ~sparc x86"
IUSE="debug +experimental"
IUSE="+debug +experimental"
REQUIRED_USE="
arm? ( savedconfig )
hppa? ( savedconfig )