r2523 - in trunk/kernel/source: kernel-source-2.6.10-2.6.10/debian kernel-source-2.6.10-2.6.10/debian/patches kernel-source-2.6.10-2.6.10/debian/patches/series kernel-source-2.6.8-2.6.8/debian kernel-source-2.6.8-2.6.8/debian/patches kernel-source-2.6.8-2.6.8/debian/patches/series kernel-source-2.6.9-2.6.9/debian kernel-source-2.6.9-2.6.9/debian/patches kernel-source-2.6.9-2.6.9/debian/patches/series
Joshua Kwan
joshk@costa.debian.org
Sat, 19 Feb 2005 03:22:54 +0100
Author: joshk
Date: 2005-02-19 03:22:51 +0100 (Sat, 19 Feb 2005)
New Revision: 2523
Added:
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/ipv4-fragment-queues.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/nls-table-overflow.dpatch
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/setsid-race.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/nls-table-overflow.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/ipv4-fragment-queues.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/nls-table-overflow.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/setsid-race.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/shmctl-restrictions.dpatch
Modified:
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/changelog
trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/series/2.6.10-6
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-14
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-6
Log:
whole lotta CAN
Modified: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/changelog 2005-02-18 20:30:32 UTC (rev 2522)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/changelog 2005-02-19 02:22:51 UTC (rev 2523)
@@ -17,10 +17,19 @@
closes: #295628 (Joshua Kwan)
* sparc32-hypersparc-srmmu.dpatch: unbreak hypersparc by reverting a
- srmmu "fix", which should not have made it to 2.6.10 (Jurij Smakov)
+ srmmu "fix", which should not have made it to 2.6.10 (Jurij Smakov)
- -- Joshua Kwan <joshk@triplehelix.org> Wed, 16 Feb 2005 17:51:30 -0800
+ * nls-table-overflow.dpatch: [CAN-2005-0177] NLS ASCII table should be 256
+ entries, not 128! (Joshua Kwan)
+
+ * setsid-race.dpatch: [CAN-2005-0178] fix setsid() race that could lead
+ to a denial of service. (Joshua Kwan)
+ * ipv4-fragment-queues.dpatch: fix potential information leak by making
+ fragment queues private. (Joshua Kwan)
+
+ -- Joshua Kwan <joshk@triplehelix.org> Fri, 18 Feb 2005 18:14:38 -0800
+
kernel-source-2.6.10 (2.6.10-5) unstable; urgency=low
* Change $((exp) | exp) to $( (exp) | exp), so things work with dash
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/ipv4-fragment-queues.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/ipv4-fragment-queues.dpatch 2005-02-18 20:30:32 UTC (rev 2522)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/ipv4-fragment-queues.dpatch 2005-02-19 02:22:51 UTC (rev 2523)
@@ -0,0 +1,404 @@
+# origin: bk
+# key: 41f8843a8ZMCNuP3meYAYnnXd3CO_g (linux-2.5)
+# description: global availability of fragment queues allows information leak
+# inclusion: 2.6.11?
+# revision date: 2005-02-18
+
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/26 22:03:38-08:00 kaber@trash.net
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# include/linux/netfilter_ipv4/ip_conntrack.h
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +1 -2
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# include/net/ip.h
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +14 -3
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ip_fragment.c
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +13 -20
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ip_input.c
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +2 -2
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ipvs/ip_vs_core.c
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +11 -8
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/netfilter/ip_conntrack_core.c
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +2 -9
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/netfilter/ip_conntrack_standalone.c
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +4 -7
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/netfilter/ip_nat_standalone.c
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +1 -1
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+diff -Nru a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
+--- a/include/linux/netfilter_ipv4/ip_conntrack.h 2005-02-18 18:05:57 -08:00
++++ b/include/linux/netfilter_ipv4/ip_conntrack.h 2005-02-18 18:05:57 -08:00
+@@ -262,10 +262,9 @@
+ /* Fake conntrack entry for untracked connections */
+ extern struct ip_conntrack ip_conntrack_untracked;
+
+-extern int ip_ct_no_defrag;
+ /* Returns new sk_buff, or NULL */
+ struct sk_buff *
+-ip_ct_gather_frags(struct sk_buff *skb);
++ip_ct_gather_frags(struct sk_buff *skb, u_int32_t user);
+
+ /* Iterate over all conntracks: if iter returns true, it's deleted. */
+ extern void
+diff -Nru a/include/net/ip.h b/include/net/ip.h
+--- a/include/net/ip.h 2005-02-18 18:05:57 -08:00
++++ b/include/net/ip.h 2005-02-18 18:05:57 -08:00
+@@ -286,9 +286,20 @@
+ /*
+ * Functions provided by ip_fragment.o
+ */
+-
+-struct sk_buff *ip_defrag(struct sk_buff *skb);
+-extern void ipfrag_flush(void);
++
++enum ip_defrag_users
++{
++ IP_DEFRAG_LOCAL_DELIVER,
++ IP_DEFRAG_CALL_RA_CHAIN,
++ IP_DEFRAG_CONNTRACK_IN,
++ IP_DEFRAG_CONNTRACK_OUT,
++ IP_DEFRAG_NAT_OUT,
++ IP_DEFRAG_VS_IN,
++ IP_DEFRAG_VS_OUT,
++ IP_DEFRAG_VS_FWD
++};
++
++struct sk_buff *ip_defrag(struct sk_buff *skb, u32 user);
+ extern int ip_frag_nqueues;
+ extern atomic_t ip_frag_mem;
+
+diff -Nru a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
+--- a/net/ipv4/ip_fragment.c 2005-02-18 18:05:57 -08:00
++++ b/net/ipv4/ip_fragment.c 2005-02-18 18:05:57 -08:00
+@@ -73,6 +73,7 @@
+ struct ipq {
+ struct ipq *next; /* linked list pointers */
+ struct list_head lru_list; /* lru list member */
++ u32 user;
+ u32 saddr;
+ u32 daddr;
+ u16 id;
+@@ -243,13 +244,13 @@
+ /* Memory limiting on fragments. Evictor trashes the oldest
+ * fragment queue until we are back under the threshold.
+ */
+-static void __ip_evictor(int threshold)
++static void ip_evictor(void)
+ {
+ struct ipq *qp;
+ struct list_head *tmp;
+ int work;
+
+- work = atomic_read(&ip_frag_mem) - threshold;
++ work = atomic_read(&ip_frag_mem) - sysctl_ipfrag_low_thresh;
+ if (work <= 0)
+ return;
+
+@@ -274,11 +275,6 @@
+ }
+ }
+
+-static inline void ip_evictor(void)
+-{
+- __ip_evictor(sysctl_ipfrag_low_thresh);
+-}
+-
+ /*
+ * Oops, a fragment queue timed out. Kill it and send an ICMP reply.
+ */
+@@ -325,7 +321,8 @@
+ if(qp->id == qp_in->id &&
+ qp->saddr == qp_in->saddr &&
+ qp->daddr == qp_in->daddr &&
+- qp->protocol == qp_in->protocol) {
++ qp->protocol == qp_in->protocol &&
++ qp->user == qp_in->user) {
+ atomic_inc(&qp->refcnt);
+ write_unlock(&ipfrag_lock);
+ qp_in->last_in |= COMPLETE;
+@@ -352,7 +349,7 @@
+ }
+
+ /* Add an entry to the 'ipq' queue for a newly received IP datagram. */
+-static struct ipq *ip_frag_create(unsigned hash, struct iphdr *iph)
++static struct ipq *ip_frag_create(unsigned hash, struct iphdr *iph, u32 user)
+ {
+ struct ipq *qp;
+
+@@ -364,6 +361,7 @@
+ qp->id = iph->id;
+ qp->saddr = iph->saddr;
+ qp->daddr = iph->daddr;
++ qp->user = user;
+ qp->len = 0;
+ qp->meat = 0;
+ qp->fragments = NULL;
+@@ -386,7 +384,7 @@
+ /* Find the correct entry in the "incomplete datagrams" queue for
+ * this IP datagram, and create new one, if nothing is found.
+ */
+-static inline struct ipq *ip_find(struct iphdr *iph)
++static inline struct ipq *ip_find(struct iphdr *iph, u32 user)
+ {
+ __u16 id = iph->id;
+ __u32 saddr = iph->saddr;
+@@ -400,7 +398,8 @@
+ if(qp->id == id &&
+ qp->saddr == saddr &&
+ qp->daddr == daddr &&
+- qp->protocol == protocol) {
++ qp->protocol == protocol &&
++ qp->user == user) {
+ atomic_inc(&qp->refcnt);
+ read_unlock(&ipfrag_lock);
+ return qp;
+@@ -408,7 +407,7 @@
+ }
+ read_unlock(&ipfrag_lock);
+
+- return ip_frag_create(hash, iph);
++ return ip_frag_create(hash, iph, user);
+ }
+
+ /* Add new segment to existing queue. */
+@@ -642,7 +641,7 @@
+ }
+
+ /* Process an incoming IP datagram fragment. */
+-struct sk_buff *ip_defrag(struct sk_buff *skb)
++struct sk_buff *ip_defrag(struct sk_buff *skb, u32 user)
+ {
+ struct iphdr *iph = skb->nh.iph;
+ struct ipq *qp;
+@@ -657,7 +656,7 @@
+ dev = skb->dev;
+
+ /* Lookup (or create) queue header */
+- if ((qp = ip_find(iph)) != NULL) {
++ if ((qp = ip_find(iph, user)) != NULL) {
+ struct sk_buff *ret = NULL;
+
+ spin_lock(&qp->lock);
+@@ -689,10 +688,4 @@
+ add_timer(&ipfrag_secret_timer);
+ }
+
+-void ipfrag_flush(void)
+-{
+- __ip_evictor(0);
+-}
+-
+ EXPORT_SYMBOL(ip_defrag);
+-EXPORT_SYMBOL(ipfrag_flush);
+diff -Nru a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
+--- a/net/ipv4/ip_input.c 2005-02-18 18:05:57 -08:00
++++ b/net/ipv4/ip_input.c 2005-02-18 18:05:57 -08:00
+@@ -172,7 +172,7 @@
+ (!sk->sk_bound_dev_if ||
+ sk->sk_bound_dev_if == skb->dev->ifindex)) {
+ if (skb->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+- skb = ip_defrag(skb);
++ skb = ip_defrag(skb, IP_DEFRAG_CALL_RA_CHAIN);
+ if (skb == NULL) {
+ read_unlock(&ip_ra_lock);
+ return 1;
+@@ -273,7 +273,7 @@
+ */
+
+ if (skb->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+- skb = ip_defrag(skb);
++ skb = ip_defrag(skb, IP_DEFRAG_LOCAL_DELIVER);
+ if (!skb)
+ return 0;
+ }
+diff -Nru a/net/ipv4/ipvs/ip_vs_core.c b/net/ipv4/ipvs/ip_vs_core.c
+--- a/net/ipv4/ipvs/ip_vs_core.c 2005-02-18 18:05:57 -08:00
++++ b/net/ipv4/ipvs/ip_vs_core.c 2005-02-18 18:05:57 -08:00
+@@ -544,9 +544,9 @@
+ }
+
+ static inline struct sk_buff *
+-ip_vs_gather_frags(struct sk_buff *skb)
++ip_vs_gather_frags(struct sk_buff *skb, u_int32_t user)
+ {
+- skb = ip_defrag(skb);
++ skb = ip_defrag(skb, user);
+ if (skb)
+ ip_send_check(skb->nh.iph);
+ return skb;
+@@ -620,7 +620,7 @@
+
+ /* reassemble IP fragments */
+ if (skb->nh.iph->frag_off & __constant_htons(IP_MF|IP_OFFSET)) {
+- skb = ip_vs_gather_frags(skb);
++ skb = ip_vs_gather_frags(skb, IP_DEFRAG_VS_OUT);
+ if (!skb)
+ return NF_STOLEN;
+ *pskb = skb;
+@@ -759,7 +759,7 @@
+ /* reassemble IP fragments */
+ if (unlikely(iph->frag_off & __constant_htons(IP_MF|IP_OFFSET) &&
+ !pp->dont_defrag)) {
+- skb = ip_vs_gather_frags(skb);
++ skb = ip_vs_gather_frags(skb, IP_DEFRAG_VS_OUT);
+ if (!skb)
+ return NF_STOLEN;
+ iph = skb->nh.iph;
+@@ -839,7 +839,8 @@
+ * forward to the right destination host if relevant.
+ * Currently handles error types - unreachable, quench, ttl exceeded.
+ */
+-static int ip_vs_in_icmp(struct sk_buff **pskb, int *related)
++static int
++ip_vs_in_icmp(struct sk_buff **pskb, int *related, unsigned int hooknum)
+ {
+ struct sk_buff *skb = *pskb;
+ struct iphdr *iph;
+@@ -853,7 +854,9 @@
+
+ /* reassemble IP fragments */
+ if (skb->nh.iph->frag_off & __constant_htons(IP_MF|IP_OFFSET)) {
+- skb = ip_vs_gather_frags(skb);
++ skb = ip_vs_gather_frags(skb,
++ hooknum == NF_IP_LOCAL_IN ?
++ IP_DEFRAG_VS_IN : IP_DEFRAG_VS_FWD);
+ if (!skb)
+ return NF_STOLEN;
+ *pskb = skb;
+@@ -962,7 +965,7 @@
+
+ iph = skb->nh.iph;
+ if (unlikely(iph->protocol == IPPROTO_ICMP)) {
+- int related, verdict = ip_vs_in_icmp(pskb, &related);
++ int related, verdict = ip_vs_in_icmp(pskb, &related, hooknum);
+
+ if (related)
+ return verdict;
+@@ -1057,7 +1060,7 @@
+ if ((*pskb)->nh.iph->protocol != IPPROTO_ICMP)
+ return NF_ACCEPT;
+
+- return ip_vs_in_icmp(pskb, &r);
++ return ip_vs_in_icmp(pskb, &r, hooknum);
+ }
+
+
+diff -Nru a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
+--- a/net/ipv4/netfilter/ip_conntrack_core.c 2005-02-18 18:05:57 -08:00
++++ b/net/ipv4/netfilter/ip_conntrack_core.c 2005-02-18 18:05:57 -08:00
+@@ -936,29 +936,22 @@
+ }
+ }
+
+-int ip_ct_no_defrag;
+-
+ /* Returns new sk_buff, or NULL */
+ struct sk_buff *
+-ip_ct_gather_frags(struct sk_buff *skb)
++ip_ct_gather_frags(struct sk_buff *skb, u_int32_t user)
+ {
+ struct sock *sk = skb->sk;
+ #ifdef CONFIG_NETFILTER_DEBUG
+ unsigned int olddebug = skb->nf_debug;
+ #endif
+
+- if (unlikely(ip_ct_no_defrag)) {
+- kfree_skb(skb);
+- return NULL;
+- }
+-
+ if (sk) {
+ sock_hold(sk);
+ skb_orphan(skb);
+ }
+
+ local_bh_disable();
+- skb = ip_defrag(skb);
++ skb = ip_defrag(skb, user);
+ local_bh_enable();
+
+ if (!skb) {
+diff -Nru a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
+--- a/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-02-18 18:05:57 -08:00
++++ b/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-02-18 18:05:57 -08:00
+@@ -391,7 +391,10 @@
+
+ /* Gather fragments. */
+ if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+- *pskb = ip_ct_gather_frags(*pskb);
++ *pskb = ip_ct_gather_frags(*pskb,
++ hooknum == NF_IP_PRE_ROUTING ?
++ IP_DEFRAG_CONNTRACK_IN :
++ IP_DEFRAG_CONNTRACK_OUT);
+ if (!*pskb)
+ return NF_STOLEN;
+ }
+@@ -823,12 +826,6 @@
+ cleanup_defraglocalops:
+ nf_unregister_hook(&ip_conntrack_defrag_local_out_ops);
+ cleanup_defragops:
+- /* Frag queues may hold fragments with skb->dst == NULL */
+- ip_ct_no_defrag = 1;
+- synchronize_net();
+- local_bh_disable();
+- ipfrag_flush();
+- local_bh_enable();
+ nf_unregister_hook(&ip_conntrack_defrag_ops);
+ cleanup_proc_stat:
+ #ifdef CONFIG_PROC_FS
+diff -Nru a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
+--- a/net/ipv4/netfilter/ip_nat_standalone.c 2005-02-18 18:05:57 -08:00
++++ b/net/ipv4/netfilter/ip_nat_standalone.c 2005-02-18 18:05:57 -08:00
+@@ -195,7 +195,7 @@
+ I'm starting to have nightmares about fragments. */
+
+ if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+- *pskb = ip_ct_gather_frags(*pskb);
++ *pskb = ip_ct_gather_frags(*pskb, IP_DEFRAG_NAT_OUT);
+
+ if (!*pskb)
+ return NF_STOLEN;
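Review bot: The ip_conntrack_standalone.c hunk at `@@ -823,12 +826,6 @@` drops the unload-time `ipfrag_flush()` together with the comment that explained why it existed (queues may hold fragments with `skb->dst == NULL`), and nothing in the patch records why that is now safe. The reasoning is presumably that queues keyed with `IP_DEFRAG_CONNTRACK_IN`/`IP_DEFRAG_CONNTRACK_OUT` can no longer be completed by a later local-delivery fragment and are simply left to the expiry timer, but that path is outside the hunk and should be confirmed for the backported trees. A one-line comment at `cleanup_defragops:` such as `/* Conntrack's fragment queues are private (IP_DEFRAG_CONNTRACK_*) and are left to expire instead of being flushed here. */` would preserve that history for the next reader. The identical patch is added again for 2.6.9 at the end of this commit; whether that tree contains the `__ip_evictor`/`ipfrag_flush`/`ip_ct_no_defrag` code these hunks remove is not visible here.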
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/nls-table-overflow.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/nls-table-overflow.dpatch 2005-02-18 20:30:32 UTC (rev 2522)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/nls-table-overflow.dpatch 2005-02-19 02:22:51 UTC (rev 2523)
@@ -0,0 +1,67 @@
+# origin: bk
+# key: 41e2bfbeOiXFga62XrBhzm7Kv9QDmQ (linux-2.6)
+# description: NLS table should be 256 entries, not 128
+# inclusion: 2.6.11?
+# revision date: 2005-02-18
+
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/10 09:47:42-08:00 hirofumi@mail.parknet.co.jp
+# [PATCH] NLS: Fix overflow of nls_ascii
+#
+# The nls_ascii conversion table is just for 128 entries, but should be
+# 256.
+#
+# Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# fs/nls/nls_ascii.c
+# 2005/01/10 09:31:32-08:00 hirofumi@mail.parknet.co.jp +6 -6
+# NLS: Fix overflow of nls_ascii
+#
+diff -Nru a/fs/nls/nls_ascii.c b/fs/nls/nls_ascii.c
+--- a/fs/nls/nls_ascii.c 2005-02-18 18:12:27 -08:00
++++ b/fs/nls/nls_ascii.c 2005-02-18 18:12:27 -08:00
+@@ -13,7 +13,7 @@
+ #include <linux/nls.h>
+ #include <linux/errno.h>
+
+-static wchar_t charset2uni[128] = {
++static wchar_t charset2uni[256] = {
+ /* 0x00*/
+ 0x0000, 0x0001, 0x0002, 0x0003,
+ 0x0004, 0x0005, 0x0006, 0x0007,
+@@ -56,7 +56,7 @@
+ 0x007c, 0x007d, 0x007e, 0x007f,
+ };
+
+-static unsigned char page00[128] = {
++static unsigned char page00[256] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* 0x08-0x0f */
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* 0x10-0x17 */
+@@ -75,11 +75,11 @@
+ 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, /* 0x78-0x7f */
+ };
+
+-static unsigned char *page_uni2charset[128] = {
+- page00, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
++static unsigned char *page_uni2charset[256] = {
++ page00,
+ };
+
+-static unsigned char charset2lower[128] = {
++static unsigned char charset2lower[256] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* 0x08-0x0f */
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* 0x10-0x17 */
+@@ -98,7 +98,7 @@
+ 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, /* 0x78-0x7f */
+ };
+
+-static unsigned char charset2upper[128] = {
++static unsigned char charset2upper[256] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* 0x08-0x0f */
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* 0x10-0x17 */
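Review bot: Each table in fs/nls/nls_ascii.c is widened to 256 entries while its initializer still stops at 0x7f, so entries 0x80-0xff are implicitly zero and `page_uni2charset` becomes `{ page00, }` with the remaining slots NULL; the patch relies on the callers treating 0/NULL as "no mapping", but nothing in the hunks says so. A comment after the last initializer row of each table, e.g. `/* 0x80-0xff: no mapping (implicitly zero) */`, would stop a later edit from "completing" the tables or shrinking them back. The widening itself is the right fix: the ChangeSet calls this an overflow, which fits indexing a 128-entry table with a full 8-bit value. The same patch is added again for 2.6.8 later in this commit and this note applies there too.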
Modified: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/series/2.6.10-6
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/series/2.6.10-6 2005-02-18 20:30:32 UTC (rev 2522)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/series/2.6.10-6 2005-02-19 02:22:51 UTC (rev 2523)
@@ -2,3 +2,6 @@
+ skb-reset-ip_summed.dpatch
+ sparc64-nis-killer.dpatch
+ sparc32-hypersparc-srmmu.dpatch
++ setsid-race.dpatch
++ ipv4-fragment-queues.dpatch
++ nls-table-overflow.dpatch
Added: trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/setsid-race.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/setsid-race.dpatch 2005-02-18 20:30:32 UTC (rev 2522)
+++ trunk/kernel/source/kernel-source-2.6.10-2.6.10/debian/patches/setsid-race.dpatch 2005-02-19 02:22:51 UTC (rev 2523)
@@ -0,0 +1,204 @@
+# origin: bk
+# key: 41ddda70CWJb5nNL71T4MOlG2sMG8A (linux-2.6)
+# description: fix setsid race [CAN-2005-0178]
+# inclusion: 2.6.11?
+# revision date: 2005-02-18
+
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/06 16:40:16-08:00 alan@lxorguk.ukuu.org.uk
+# [PATCH] First cut at setsid/tty locking
+#
+# Use the existing "tty_sem" to protect against the process tty changes
+# too.
+#
+# drivers/char/tty_io.c
+# 2005/01/04 11:42:29-08:00 alan@lxorguk.ukuu.org.uk +29 -10
+# First cut at setsid/tty locking
+#
+# kernel/exit.c
+# 2005/01/04 10:45:27-08:00 alan@lxorguk.ukuu.org.uk +2 -0
+# First cut at setsid/tty locking
+#
+# kernel/sys.c
+# 2005/01/04 10:47:32-08:00 alan@lxorguk.ukuu.org.uk +2 -0
+# First cut at setsid/tty locking
+#
+diff -Nru a/drivers/char/tty_io.c b/drivers/char/tty_io.c
+--- a/drivers/char/tty_io.c 2005-02-18 17:33:57 -08:00
++++ b/drivers/char/tty_io.c 2005-02-18 17:33:57 -08:00
+@@ -918,9 +918,11 @@
+
+ lock_kernel();
+
++ down(&tty_sem);
+ tty = current->signal->tty;
+ if (tty) {
+ tty_pgrp = tty->pgrp;
++ up(&tty_sem);
+ if (on_exit && tty->driver->type != TTY_DRIVER_TYPE_PTY)
+ tty_vhangup(tty);
+ } else {
+@@ -928,6 +930,7 @@
+ kill_pg(current->signal->tty_old_pgrp, SIGHUP, on_exit);
+ kill_pg(current->signal->tty_old_pgrp, SIGCONT, on_exit);
+ }
++ up(&tty_sem);
+ unlock_kernel();
+ return;
+ }
+@@ -937,15 +940,19 @@
+ kill_pg(tty_pgrp, SIGCONT, on_exit);
+ }
+
++ /* Must lock changes to tty_old_pgrp */
++ down(&tty_sem);
+ current->signal->tty_old_pgrp = 0;
+ tty->session = 0;
+ tty->pgrp = -1;
+
++ /* Now clear signal->tty under the lock */
+ read_lock(&tasklist_lock);
+ do_each_task_pid(current->signal->session, PIDTYPE_SID, p) {
+ p->signal->tty = NULL;
+ } while_each_task_pid(current->signal->session, PIDTYPE_SID, p);
+ read_unlock(&tasklist_lock);
++ up(&tty_sem);
+ unlock_kernel();
+ }
+
+@@ -1172,12 +1179,6 @@
+ struct termios *ltp, **ltp_loc, *o_ltp, **o_ltp_loc;
+ int retval=0;
+
+- /*
+- * Check whether we need to acquire the tty semaphore to avoid
+- * race conditions. For now, play it safe.
+- */
+- down(&tty_sem);
+-
+ /* check whether we're reopening an existing tty */
+ if (driver->flags & TTY_DRIVER_DEVPTS_MEM) {
+ tty = devpts_get_tty(idx);
+@@ -1366,7 +1367,6 @@
+
+ /* All paths come through here to release the semaphore */
+ end_init:
+- up(&tty_sem);
+ return retval;
+
+ /* Release locally allocated memory ... nothing placed in slots */
+@@ -1562,9 +1562,14 @@
+ * each iteration we avoid any problems.
+ */
+ while (1) {
++ /* Guard against races with tty->count changes elsewhere and
++ opens on /dev/tty */
++
++ down(&tty_sem);
+ tty_closing = tty->count <= 1;
+ o_tty_closing = o_tty &&
+ (o_tty->count <= (pty_master ? 1 : 0));
++ up(&tty_sem);
+ do_sleep = 0;
+
+ if (tty_closing) {
+@@ -1600,6 +1605,8 @@
+ * both sides, and we've completed the last operation that could
+ * block, so it's safe to proceed with closing.
+ */
++
++ down(&tty_sem);
+ if (pty_master) {
+ if (--o_tty->count < 0) {
+ printk(KERN_WARNING "release_dev: bad pty slave count "
+@@ -1613,7 +1620,8 @@
+ tty->count, tty_name(tty, buf));
+ tty->count = 0;
+ }
+-
++ up(&tty_sem);
++
+ /*
+ * We've decremented tty->count, so we need to remove this file
+ * descriptor off the tty->tty_files list; this serves two
+@@ -1760,10 +1768,14 @@
+ noctty = filp->f_flags & O_NOCTTY;
+ index = -1;
+ retval = 0;
++
++ down(&tty_sem);
+
+ if (device == MKDEV(TTYAUX_MAJOR,0)) {
+- if (!current->signal->tty)
++ if (!current->signal->tty) {
++ up(&tty_sem);
+ return -ENXIO;
++ }
+ driver = current->signal->tty->driver;
+ index = current->signal->tty->index;
+ filp->f_flags |= O_NONBLOCK; /* Don't let /dev/tty block */
+@@ -1788,14 +1800,18 @@
+ noctty = 1;
+ goto got_driver;
+ }
++ up(&tty_sem);
+ return -ENODEV;
+ }
+
+ driver = get_tty_driver(device, &index);
+- if (!driver)
++ if (!driver) {
++ up(&tty_sem);
+ return -ENODEV;
++ }
+ got_driver:
+ retval = init_dev(driver, index, &tty);
++ up(&tty_sem);
+ if (retval)
+ return retval;
+
+@@ -1881,7 +1897,10 @@
+ }
+ up(&allocated_ptys_lock);
+
++ down(&tty_sem);
+ retval = init_dev(ptm_driver, index, &tty);
++ up(&tty_sem);
++
+ if (retval)
+ goto out;
+
+diff -Nru a/kernel/exit.c b/kernel/exit.c
+--- a/kernel/exit.c 2005-02-18 17:33:57 -08:00
++++ b/kernel/exit.c 2005-02-18 17:33:57 -08:00
+@@ -332,7 +332,9 @@
+ exit_mm(current);
+
+ set_special_pids(1, 1);
++ down(&tty_sem);
+ current->signal->tty = NULL;
++ up(&tty_sem);
+
+ /* Block and flush all signals */
+ sigfillset(&blocked);
+diff -Nru a/kernel/sys.c b/kernel/sys.c
+--- a/kernel/sys.c 2005-02-18 17:33:57 -08:00
++++ b/kernel/sys.c 2005-02-18 17:33:57 -08:00
+@@ -1075,6 +1075,7 @@
+ if (!thread_group_leader(current))
+ return -EINVAL;
+
++ down(&tty_sem);
+ write_lock_irq(&tasklist_lock);
+
+ pid = find_pid(PIDTYPE_PGID, current->pid);
+@@ -1088,6 +1089,7 @@
+ err = process_group(current);
+ out:
+ write_unlock_irq(&tasklist_lock);
++ up(&tty_sem);
+ return err;
+ }
+
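Review bot: In the disassociate_ctty hunk at `@@ -918,9 +918,11 @@`, `tty` is read from `current->signal->tty` under `tty_sem`, the semaphore is released before `tty_vhangup(tty)` and the `kill_pg` calls, and the hunk at `@@ -937,15 +940,19 @@` then re-acquires it and writes `tty->session = 0; tty->pgrp = -1;` through the saved pointer without re-checking that `current->signal->tty` is still that tty. Whether another task in the session can clear or release the tty in that window depends on refcounting outside the hunk, so it deserves at least a comment explaining why the saved pointer stays valid, or a guard such as `if (current->signal->tty == tty) { tty->session = 0; tty->pgrp = -1; }` after the second `down(&tty_sem)`. Separately, the hunk at `@@ -1172,12 +1179,6 @@` removes init_dev's own `down(&tty_sem)` and the comment that described it, shifting the obligation to callers (tty_open and ptmx_open are updated in this patch); the function should state that contract, e.g. `/* Caller must hold tty_sem; see tty_open() and ptmx_open(). */` above init_dev, so any other caller in the 2.6.9 or 2.6.10 trees is not left running unlocked. disassociate_ctty and init_dev both start outside the hunks.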
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-02-18 20:30:32 UTC (rev 2522)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-02-19 02:22:51 UTC (rev 2523)
@@ -45,6 +45,9 @@
all untracked processes would magically be given root capabilities.
Backport from 2.6.10's kernel-source. (Joshua Kwan)
+ * setsid-race.dpatch: [CAN-2005-0178] fix setsid() race that could lead
+ to a denial of service. (Joshua Kwan)
+
-- Joshua Kwan <joshk@triplehelix.org> Thu, 17 Feb 2005 15:15:00 -0800
kernel-source-2.6.8 (2.6.8-13) unstable; urgency=high
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/nls-table-overflow.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/nls-table-overflow.dpatch 2005-02-18 20:30:32 UTC (rev 2522)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/nls-table-overflow.dpatch 2005-02-19 02:22:51 UTC (rev 2523)
@@ -0,0 +1,67 @@
+# origin: bk
+# key: 41e2bfbeOiXFga62XrBhzm7Kv9QDmQ (linux-2.6)
+# description: NLS table should be 256 entries, not 128
+# inclusion: 2.6.11?
+# revision date: 2005-02-18
+
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/10 09:47:42-08:00 hirofumi@mail.parknet.co.jp
+# [PATCH] NLS: Fix overflow of nls_ascii
+#
+# The nls_ascii conversion table is just for 128 entries, but should be
+# 256.
+#
+# Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# fs/nls/nls_ascii.c
+# 2005/01/10 09:31:32-08:00 hirofumi@mail.parknet.co.jp +6 -6
+# NLS: Fix overflow of nls_ascii
+#
+diff -Nru a/fs/nls/nls_ascii.c b/fs/nls/nls_ascii.c
+--- a/fs/nls/nls_ascii.c 2005-02-18 18:12:27 -08:00
++++ b/fs/nls/nls_ascii.c 2005-02-18 18:12:27 -08:00
+@@ -13,7 +13,7 @@
+ #include <linux/nls.h>
+ #include <linux/errno.h>
+
+-static wchar_t charset2uni[128] = {
++static wchar_t charset2uni[256] = {
+ /* 0x00*/
+ 0x0000, 0x0001, 0x0002, 0x0003,
+ 0x0004, 0x0005, 0x0006, 0x0007,
+@@ -56,7 +56,7 @@
+ 0x007c, 0x007d, 0x007e, 0x007f,
+ };
+
+-static unsigned char page00[128] = {
++static unsigned char page00[256] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* 0x08-0x0f */
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* 0x10-0x17 */
+@@ -75,11 +75,11 @@
+ 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, /* 0x78-0x7f */
+ };
+
+-static unsigned char *page_uni2charset[128] = {
+- page00, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
++static unsigned char *page_uni2charset[256] = {
++ page00,
+ };
+
+-static unsigned char charset2lower[128] = {
++static unsigned char charset2lower[256] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* 0x08-0x0f */
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* 0x10-0x17 */
+@@ -98,7 +98,7 @@
+ 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, /* 0x78-0x7f */
+ };
+
+-static unsigned char charset2upper[128] = {
++static unsigned char charset2upper[256] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* 0x08-0x0f */
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* 0x10-0x17 */
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-14
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-14 2005-02-18 20:30:32 UTC (rev 2522)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-14 2005-02-19 02:22:51 UTC (rev 2523)
@@ -11,3 +11,4 @@
+ proc-cmdline-mmput-leak.dpatch
+ 025-track_dummy_capability.dpatch
+ 027-track_dummy_capability-2.dpatch
++ nls-table-overflow.dpatch
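Review bot: The 2.6.8 series file gains only nls-table-overflow.dpatch, but the 2.6.8 changelog hunk (`@@ -45,6 +45,9 @@`) records setsid-race.dpatch [CAN-2005-0178] and says nothing about nls-table-overflow; the Added list at the top of the commit likewise shows no setsid-race.dpatch under kernel-source-2.6.8. Either the setsid backport for 2.6.8 is missing from this commit or the changelog entry was pasted from the 2.6.9/2.6.10 entries, and in both cases the shipped changelog would misstate which fixes the package contains. The entry that matches what this series file actually adds is the one used for 2.6.10: ` * nls-table-overflow.dpatch: [CAN-2005-0177] NLS ASCII table should be 256` / `   entries, not 128! (Joshua Kwan)`.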
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2005-02-18 20:30:32 UTC (rev 2522)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2005-02-19 02:22:51 UTC (rev 2523)
@@ -36,15 +36,27 @@
closes: #295627 (Joshua Kwan)
* proc-cmdline-mmput-leak.dpatch: [CAN-2004-1058] fix race that could allow user processes to read environment data from processes in the middle of spawning. (Joshua Kwan)
-
+
* 025-track_dummy_capability.dpatch, 027-track_dummy_capability.dpatch:
[CAN-2004-1337] The dummy capabilities module wasn't keeping track of
processes capabilities; so, when a capabilities module was loaded,
all untracked processes would magically be given root capabilities.
Backport from 2.6.10's kernel-source. (Joshua Kwan)
- -- Joshua Kwan <joshk@triplehelix.org> Thu, 17 Feb 2005 15:21:40 -0800
+ * ipv4-fragment-queues.dpatch: fix potential information leak by making
+ fragment queues private. (Joshua Kwan)
+
+ * shmctl-restrictions.dpatch: [CAN-2005-0176] do not allow any old process
+ to SHM_LOCK/SHM_UNLOCK; check capabilities correctly. (Joshua Kwan)
+ * nls-table-overflow.dpatch: [CAN-2005-0177] NLS ASCII table should be 256
+ entries, not 128! (Joshua Kwan)
+
+ * setsid-race.dpatch: [CAN-2005-0178] fix setsid() race that could lead
+ to a denial of service. (Joshua Kwan)
+
+ -- Joshua Kwan <joshk@triplehelix.org> Fri, 18 Feb 2005 18:19:40 -0800
+
kernel-source-2.6.9 (2.6.9-5) unstable; urgency=low
* [powerpc] Added a couple of powermac patches from Benjamin Herrenschmidt :
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/ipv4-fragment-queues.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/ipv4-fragment-queues.dpatch 2005-02-18 20:30:32 UTC (rev 2522)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/ipv4-fragment-queues.dpatch 2005-02-19 02:22:51 UTC (rev 2523)
@@ -0,0 +1,404 @@
+# origin: bk
+# key: 41f8843a8ZMCNuP3meYAYnnXd3CO_g (linux-2.5)
+# description: global availability of fragment queues allows information leak
+# inclusion: 2.6.11?
+# revision date: 2005-02-18
+
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/26 22:03:38-08:00 kaber@trash.net
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# include/linux/netfilter_ipv4/ip_conntrack.h
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +1 -2
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# include/net/ip.h
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +14 -3
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ip_fragment.c
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +13 -20
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ip_input.c
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +2 -2
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ipvs/ip_vs_core.c
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +11 -8
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/netfilter/ip_conntrack_core.c
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +2 -9
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/netfilter/ip_conntrack_standalone.c
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +4 -7
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/netfilter/ip_nat_standalone.c
+# 2005/01/26 22:03:17-08:00 kaber@trash.net +1 -1
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+diff -Nru a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
+--- a/include/linux/netfilter_ipv4/ip_conntrack.h 2005-02-18 18:05:57 -08:00
++++ b/include/linux/netfilter_ipv4/ip_conntrack.h 2005-02-18 18:05:57 -08:00
+@@ -262,10 +262,9 @@
+ /* Fake conntrack entry for untracked connections */
+ extern struct ip_conntrack ip_conntrack_untracked;
+
+-extern int ip_ct_no_defrag;
+ /* Returns new sk_buff, or NULL */
+ struct sk_buff *
+-ip_ct_gather_frags(struct sk_buff *skb);
++ip_ct_gather_frags(struct sk_buff *skb, u_int32_t user);
+
+ /* Iterate over all conntracks: if iter returns true, it's deleted. */
+ extern void
+diff -Nru a/include/net/ip.h b/include/net/ip.h
+--- a/include/net/ip.h 2005-02-18 18:05:57 -08:00
++++ b/include/net/ip.h 2005-02-18 18:05:57 -08:00
+@@ -286,9 +286,20 @@
+ /*
+ * Functions provided by ip_fragment.o
+ */
+-
+-struct sk_buff *ip_defrag(struct sk_buff *skb);
+-extern void ipfrag_flush(void);
++
++enum ip_defrag_users
++{
++ IP_DEFRAG_LOCAL_DELIVER,
++ IP_DEFRAG_CALL_RA_CHAIN,
++ IP_DEFRAG_CONNTRACK_IN,
++ IP_DEFRAG_CONNTRACK_OUT,
++ IP_DEFRAG_NAT_OUT,
++ IP_DEFRAG_VS_IN,
++ IP_DEFRAG_VS_OUT,
++ IP_DEFRAG_VS_FWD
++};
++
++struct sk_buff *ip_defrag(struct sk_buff *skb, u32 user);
+ extern int ip_frag_nqueues;
+ extern atomic_t ip_frag_mem;
+
+diff -Nru a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
+--- a/net/ipv4/ip_fragment.c 2005-02-18 18:05:57 -08:00
++++ b/net/ipv4/ip_fragment.c 2005-02-18 18:05:57 -08:00
+@@ -73,6 +73,7 @@
+ struct ipq {
+ struct ipq *next; /* linked list pointers */
+ struct list_head lru_list; /* lru list member */
++ u32 user;
+ u32 saddr;
+ u32 daddr;
+ u16 id;
+@@ -243,13 +244,13 @@
+ /* Memory limiting on fragments. Evictor trashes the oldest
+ * fragment queue until we are back under the threshold.
+ */
+-static void __ip_evictor(int threshold)
++static void ip_evictor(void)
+ {
+ struct ipq *qp;
+ struct list_head *tmp;
+ int work;
+
+- work = atomic_read(&ip_frag_mem) - threshold;
++ work = atomic_read(&ip_frag_mem) - sysctl_ipfrag_low_thresh;
+ if (work <= 0)
+ return;
+
+@@ -274,11 +275,6 @@
+ }
+ }
+
+-static inline void ip_evictor(void)
+-{
+- __ip_evictor(sysctl_ipfrag_low_thresh);
+-}
+-
+ /*
+ * Oops, a fragment queue timed out. Kill it and send an ICMP reply.
+ */
+@@ -325,7 +321,8 @@
+ if(qp->id == qp_in->id &&
+ qp->saddr == qp_in->saddr &&
+ qp->daddr == qp_in->daddr &&
+- qp->protocol == qp_in->protocol) {
++ qp->protocol == qp_in->protocol &&
++ qp->user == qp_in->user) {
+ atomic_inc(&qp->refcnt);
+ write_unlock(&ipfrag_lock);
+ qp_in->last_in |= COMPLETE;
+@@ -352,7 +349,7 @@
+ }
+
+ /* Add an entry to the 'ipq' queue for a newly received IP datagram. */
+-static struct ipq *ip_frag_create(unsigned hash, struct iphdr *iph)
++static struct ipq *ip_frag_create(unsigned hash, struct iphdr *iph, u32 user)
+ {
+ struct ipq *qp;
+
+@@ -364,6 +361,7 @@
+ qp->id = iph->id;
+ qp->saddr = iph->saddr;
+ qp->daddr = iph->daddr;
++ qp->user = user;
+ qp->len = 0;
+ qp->meat = 0;
+ qp->fragments = NULL;
+@@ -386,7 +384,7 @@
+ /* Find the correct entry in the "incomplete datagrams" queue for
+ * this IP datagram, and create new one, if nothing is found.
+ */
+-static inline struct ipq *ip_find(struct iphdr *iph)
++static inline struct ipq *ip_find(struct iphdr *iph, u32 user)
+ {
+ __u16 id = iph->id;
+ __u32 saddr = iph->saddr;
+@@ -400,7 +398,8 @@
+ if(qp->id == id &&
+ qp->saddr == saddr &&
+ qp->daddr == daddr &&
+- qp->protocol == protocol) {
++ qp->protocol == protocol &&
++ qp->user == user) {
+ atomic_inc(&qp->refcnt);
+ read_unlock(&ipfrag_lock);
+ return qp;
+@@ -408,7 +407,7 @@
+ }
+ read_unlock(&ipfrag_lock);
+
+- return ip_frag_create(hash, iph);
++ return ip_frag_create(hash, iph, user);
+ }
+
+ /* Add new segment to existing queue. */
+@@ -642,7 +641,7 @@
+ }
+
+ /* Process an incoming IP datagram fragment. */
+-struct sk_buff *ip_defrag(struct sk_buff *skb)
++struct sk_buff *ip_defrag(struct sk_buff *skb, u32 user)
+ {
+ struct iphdr *iph = skb->nh.iph;
+ struct ipq *qp;
+@@ -657,7 +656,7 @@
+ dev = skb->dev;
+
+ /* Lookup (or create) queue header */
+- if ((qp = ip_find(iph)) != NULL) {
++ if ((qp = ip_find(iph, user)) != NULL) {
+ struct sk_buff *ret = NULL;
+
+ spin_lock(&qp->lock);
+@@ -689,10 +688,4 @@
+ add_timer(&ipfrag_secret_timer);
+ }
+
+-void ipfrag_flush(void)
+-{
+- __ip_evictor(0);
+-}
+-
+ EXPORT_SYMBOL(ip_defrag);
+-EXPORT_SYMBOL(ipfrag_flush);
+diff -Nru a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
+--- a/net/ipv4/ip_input.c 2005-02-18 18:05:57 -08:00
++++ b/net/ipv4/ip_input.c 2005-02-18 18:05:57 -08:00
+@@ -172,7 +172,7 @@
+ (!sk->sk_bound_dev_if ||
+ sk->sk_bound_dev_if == skb->dev->ifindex)) {
+ if (skb->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+- skb = ip_defrag(skb);
++ skb = ip_defrag(skb, IP_DEFRAG_CALL_RA_CHAIN);
+ if (skb == NULL) {
+ read_unlock(&ip_ra_lock);
+ return 1;
+@@ -273,7 +273,7 @@
+ */
+
+ if (skb->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+- skb = ip_defrag(skb);
++ skb = ip_defrag(skb, IP_DEFRAG_LOCAL_DELIVER);
+ if (!skb)
+ return 0;
+ }
+diff -Nru a/net/ipv4/ipvs/ip_vs_core.c b/net/ipv4/ipvs/ip_vs_core.c
+--- a/net/ipv4/ipvs/ip_vs_core.c 2005-02-18 18:05:57 -08:00
++++ b/net/ipv4/ipvs/ip_vs_core.c 2005-02-18 18:05:57 -08:00
+@@ -544,9 +544,9 @@
+ }
+
+ static inline struct sk_buff *
+-ip_vs_gather_frags(struct sk_buff *skb)
++ip_vs_gather_frags(struct sk_buff *skb, u_int32_t user)
+ {
+- skb = ip_defrag(skb);
++ skb = ip_defrag(skb, user);
+ if (skb)
+ ip_send_check(skb->nh.iph);
+ return skb;
+@@ -620,7 +620,7 @@
+
+ /* reassemble IP fragments */
+ if (skb->nh.iph->frag_off & __constant_htons(IP_MF|IP_OFFSET)) {
+- skb = ip_vs_gather_frags(skb);
++ skb = ip_vs_gather_frags(skb, IP_DEFRAG_VS_OUT);
+ if (!skb)
+ return NF_STOLEN;
+ *pskb = skb;
+@@ -759,7 +759,7 @@
+ /* reassemble IP fragments */
+ if (unlikely(iph->frag_off & __constant_htons(IP_MF|IP_OFFSET) &&
+ !pp->dont_defrag)) {
+- skb = ip_vs_gather_frags(skb);
++ skb = ip_vs_gather_frags(skb, IP_DEFRAG_VS_OUT);
+ if (!skb)
+ return NF_STOLEN;
+ iph = skb->nh.iph;
+@@ -839,7 +839,8 @@
+ * forward to the right destination host if relevant.
+ * Currently handles error types - unreachable, quench, ttl exceeded.
+ */
+-static int ip_vs_in_icmp(struct sk_buff **pskb, int *related)
++static int
++ip_vs_in_icmp(struct sk_buff **pskb, int *related, unsigned int hooknum)
+ {
+ struct sk_buff *skb = *pskb;
+ struct iphdr *iph;
+@@ -853,7 +854,9 @@
+
+ /* reassemble IP fragments */
+ if (skb->nh.iph->frag_off & __constant_htons(IP_MF|IP_OFFSET)) {
+- skb = ip_vs_gather_frags(skb);
++ skb = ip_vs_gather_frags(skb,
++ hooknum == NF_IP_LOCAL_IN ?
++ IP_DEFRAG_VS_IN : IP_DEFRAG_VS_FWD);
+ if (!skb)
+ return NF_STOLEN;
+ *pskb = skb;
+@@ -962,7 +965,7 @@
+
+ iph = skb->nh.iph;
+ if (unlikely(iph->protocol == IPPROTO_ICMP)) {
+- int related, verdict = ip_vs_in_icmp(pskb, &related);
++ int related, verdict = ip_vs_in_icmp(pskb, &related, hooknum);
+
+ if (related)
+ return verdict;
+@@ -1057,7 +1060,7 @@
+ if ((*pskb)->nh.iph->protocol != IPPROTO_ICMP)
+ return NF_ACCEPT;
+
+- return ip_vs_in_icmp(pskb, &r);
++ return ip_vs_in_icmp(pskb, &r, hooknum);
+ }
+
+
+diff -Nru a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
+--- a/net/ipv4/netfilter/ip_conntrack_core.c 2005-02-18 18:05:57 -08:00
++++ b/net/ipv4/netfilter/ip_conntrack_core.c 2005-02-18 18:05:57 -08:00
+@@ -936,29 +936,22 @@
+ }
+ }
+
+-int ip_ct_no_defrag;
+-
+ /* Returns new sk_buff, or NULL */
+ struct sk_buff *
+-ip_ct_gather_frags(struct sk_buff *skb)
++ip_ct_gather_frags(struct sk_buff *skb, u_int32_t user)
+ {
+ struct sock *sk = skb->sk;
+ #ifdef CONFIG_NETFILTER_DEBUG
+ unsigned int olddebug = skb->nf_debug;
+ #endif
+
+- if (unlikely(ip_ct_no_defrag)) {
+- kfree_skb(skb);
+- return NULL;
+- }
+-
+ if (sk) {
+ sock_hold(sk);
+ skb_orphan(skb);
+ }
+
+ local_bh_disable();
+- skb = ip_defrag(skb);
++ skb = ip_defrag(skb, user);
+ local_bh_enable();
+
+ if (!skb) {
+diff -Nru a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
+--- a/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-02-18 18:05:57 -08:00
++++ b/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-02-18 18:05:57 -08:00
+@@ -391,7 +391,10 @@
+
+ /* Gather fragments. */
+ if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+- *pskb = ip_ct_gather_frags(*pskb);
++ *pskb = ip_ct_gather_frags(*pskb,
++ hooknum == NF_IP_PRE_ROUTING ?
++ IP_DEFRAG_CONNTRACK_IN :
++ IP_DEFRAG_CONNTRACK_OUT);
+ if (!*pskb)
+ return NF_STOLEN;
+ }
+@@ -823,12 +826,6 @@
+ cleanup_defraglocalops:
+ nf_unregister_hook(&ip_conntrack_defrag_local_out_ops);
+ cleanup_defragops:
+- /* Frag queues may hold fragments with skb->dst == NULL */
+- ip_ct_no_defrag = 1;
+- synchronize_net();
+- local_bh_disable();
+- ipfrag_flush();
+- local_bh_enable();
+ nf_unregister_hook(&ip_conntrack_defrag_ops);
+ cleanup_proc_stat:
+ #ifdef CONFIG_PROC_FS
+diff -Nru a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
+--- a/net/ipv4/netfilter/ip_nat_standalone.c 2005-02-18 18:05:57 -08:00
++++ b/net/ipv4/netfilter/ip_nat_standalone.c 2005-02-18 18:05:57 -08:00
+@@ -195,7 +195,7 @@
+ I'm starting to have nightmares about fragments. */
+
+ if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+- *pskb = ip_ct_gather_frags(*pskb);
++ *pskb = ip_ct_gather_frags(*pskb, IP_DEFRAG_NAT_OUT);
+
+ if (!*pskb)
+ return NF_STOLEN;
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/nls-table-overflow.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/nls-table-overflow.dpatch 2005-02-18 20:30:32 UTC (rev 2522)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/nls-table-overflow.dpatch 2005-02-19 02:22:51 UTC (rev 2523)
@@ -0,0 +1,67 @@
+# origin: bk
+# key: 41e2bfbeOiXFga62XrBhzm7Kv9QDmQ (linux-2.6)
+# description: NLS table should be 256 entries, not 128
+# inclusion: 2.6.11?
+# revision date: 2005-02-18
+
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/10 09:47:42-08:00 hirofumi@mail.parknet.co.jp
+# [PATCH] NLS: Fix overflow of nls_ascii
+#
+# The nls_ascii conversion table is just for 128 entries, but should be
+# 256.
+#
+# Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# fs/nls/nls_ascii.c
+# 2005/01/10 09:31:32-08:00 hirofumi@mail.parknet.co.jp +6 -6
+# NLS: Fix overflow of nls_ascii
+#
+diff -Nru a/fs/nls/nls_ascii.c b/fs/nls/nls_ascii.c
+--- a/fs/nls/nls_ascii.c 2005-02-18 18:12:27 -08:00
++++ b/fs/nls/nls_ascii.c 2005-02-18 18:12:27 -08:00
+@@ -13,7 +13,7 @@
+ #include <linux/nls.h>
+ #include <linux/errno.h>
+
+-static wchar_t charset2uni[128] = {
++static wchar_t charset2uni[256] = {
+ /* 0x00*/
+ 0x0000, 0x0001, 0x0002, 0x0003,
+ 0x0004, 0x0005, 0x0006, 0x0007,
+@@ -56,7 +56,7 @@
+ 0x007c, 0x007d, 0x007e, 0x007f,
+ };
+
+-static unsigned char page00[128] = {
++static unsigned char page00[256] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* 0x08-0x0f */
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* 0x10-0x17 */
+@@ -75,11 +75,11 @@
+ 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, /* 0x78-0x7f */
+ };
+
+-static unsigned char *page_uni2charset[128] = {
+- page00, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
++static unsigned char *page_uni2charset[256] = {
++ page00,
+ };
+
+-static unsigned char charset2lower[128] = {
++static unsigned char charset2lower[256] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* 0x08-0x0f */
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* 0x10-0x17 */
+@@ -98,7 +98,7 @@
+ 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, /* 0x78-0x7f */
+ };
+
+-static unsigned char charset2upper[128] = {
++static unsigned char charset2upper[256] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* 0x08-0x0f */
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* 0x10-0x17 */
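Review bot: The four tables grow from 128 to 256 entries but their initializer lists still end at 0x7f (and `page_uni2charset` is shortened to just `page00,`), so the upper half is filled by static-storage zero-initialization rather than by anything visible in the file, which a reader may mistake for the table still being short. Suggest a comment above `static wchar_t charset2uni[256]` such as `/* 0x80-0xff are deliberately left zero (unmapped); the tables are 256 wide so that any input byte indexes in bounds */`. Whether the NLS core treats a zero entry in `charset2lower`/`charset2upper` as "no mapping" is not visible in this patch and is worth confirming before relying on it.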
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-6
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-6 2005-02-18 20:30:32 UTC (rev 2522)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-6 2005-02-19 02:22:51 UTC (rev 2523)
@@ -7,3 +7,7 @@
+ proc-cmdline-mmput-leak.dpatch
+ 025-track_dummy_capability.dpatch
+ 027-track_dummy_capability-2.dpatch
++ setsid-race.dpatch
++ ipv4-fragment-queues.dpatch
++ nls-table-overflow.dpatch
++ shmctl-restrictions.dpatch
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/setsid-race.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/setsid-race.dpatch 2005-02-18 20:30:32 UTC (rev 2522)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/setsid-race.dpatch 2005-02-19 02:22:51 UTC (rev 2523)
@@ -0,0 +1,204 @@
+# origin: bk
+# key: 41ddda70CWJb5nNL71T4MOlG2sMG8A (linux-2.6)
+# description: fix setsid race [CAN-2005-0178]
+# inclusion: 2.6.11?
+# revision date: 2005-02-18
+
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/06 16:40:16-08:00 alan@lxorguk.ukuu.org.uk
+# [PATCH] First cut at setsid/tty locking
+#
+# Use the existing "tty_sem" to protect against the process tty changes
+# too.
+#
+# drivers/char/tty_io.c
+# 2005/01/04 11:42:29-08:00 alan@lxorguk.ukuu.org.uk +29 -10
+# First cut at setsid/tty locking
+#
+# kernel/exit.c
+# 2005/01/04 10:45:27-08:00 alan@lxorguk.ukuu.org.uk +2 -0
+# First cut at setsid/tty locking
+#
+# kernel/sys.c
+# 2005/01/04 10:47:32-08:00 alan@lxorguk.ukuu.org.uk +2 -0
+# First cut at setsid/tty locking
+#
+diff -Nru a/drivers/char/tty_io.c b/drivers/char/tty_io.c
+--- a/drivers/char/tty_io.c 2005-02-18 17:33:57 -08:00
++++ b/drivers/char/tty_io.c 2005-02-18 17:33:57 -08:00
+@@ -918,9 +918,11 @@
+
+ lock_kernel();
+
++ down(&tty_sem);
+ tty = current->signal->tty;
+ if (tty) {
+ tty_pgrp = tty->pgrp;
++ up(&tty_sem);
+ if (on_exit && tty->driver->type != TTY_DRIVER_TYPE_PTY)
+ tty_vhangup(tty);
+ } else {
+@@ -928,6 +930,7 @@
+ kill_pg(current->signal->tty_old_pgrp, SIGHUP, on_exit);
+ kill_pg(current->signal->tty_old_pgrp, SIGCONT, on_exit);
+ }
++ up(&tty_sem);
+ unlock_kernel();
+ return;
+ }
+@@ -937,15 +940,19 @@
+ kill_pg(tty_pgrp, SIGCONT, on_exit);
+ }
+
++ /* Must lock changes to tty_old_pgrp */
++ down(&tty_sem);
+ current->signal->tty_old_pgrp = 0;
+ tty->session = 0;
+ tty->pgrp = -1;
+
++ /* Now clear signal->tty under the lock */
+ read_lock(&tasklist_lock);
+ do_each_task_pid(current->signal->session, PIDTYPE_SID, p) {
+ p->signal->tty = NULL;
+ } while_each_task_pid(current->signal->session, PIDTYPE_SID, p);
+ read_unlock(&tasklist_lock);
++ up(&tty_sem);
+ unlock_kernel();
+ }
+
+@@ -1172,12 +1179,6 @@
+ struct termios *ltp, **ltp_loc, *o_ltp, **o_ltp_loc;
+ int retval=0;
+
+- /*
+- * Check whether we need to acquire the tty semaphore to avoid
+- * race conditions. For now, play it safe.
+- */
+- down(&tty_sem);
+-
+ /* check whether we're reopening an existing tty */
+ if (driver->flags & TTY_DRIVER_DEVPTS_MEM) {
+ tty = devpts_get_tty(idx);
+@@ -1366,7 +1367,6 @@
+
+ /* All paths come through here to release the semaphore */
+ end_init:
+- up(&tty_sem);
+ return retval;
+
+ /* Release locally allocated memory ... nothing placed in slots */
+@@ -1562,9 +1562,14 @@
+ * each iteration we avoid any problems.
+ */
+ while (1) {
++ /* Guard against races with tty->count changes elsewhere and
++ opens on /dev/tty */
++
++ down(&tty_sem);
+ tty_closing = tty->count <= 1;
+ o_tty_closing = o_tty &&
+ (o_tty->count <= (pty_master ? 1 : 0));
++ up(&tty_sem);
+ do_sleep = 0;
+
+ if (tty_closing) {
+@@ -1600,6 +1605,8 @@
+ * both sides, and we've completed the last operation that could
+ * block, so it's safe to proceed with closing.
+ */
++
++ down(&tty_sem);
+ if (pty_master) {
+ if (--o_tty->count < 0) {
+ printk(KERN_WARNING "release_dev: bad pty slave count "
+@@ -1613,7 +1620,8 @@
+ tty->count, tty_name(tty, buf));
+ tty->count = 0;
+ }
+-
++ up(&tty_sem);
++
+ /*
+ * We've decremented tty->count, so we need to remove this file
+ * descriptor off the tty->tty_files list; this serves two
+@@ -1760,10 +1768,14 @@
+ noctty = filp->f_flags & O_NOCTTY;
+ index = -1;
+ retval = 0;
++
++ down(&tty_sem);
+
+ if (device == MKDEV(TTYAUX_MAJOR,0)) {
+- if (!current->signal->tty)
++ if (!current->signal->tty) {
++ up(&tty_sem);
+ return -ENXIO;
++ }
+ driver = current->signal->tty->driver;
+ index = current->signal->tty->index;
+ filp->f_flags |= O_NONBLOCK; /* Don't let /dev/tty block */
+@@ -1788,14 +1800,18 @@
+ noctty = 1;
+ goto got_driver;
+ }
++ up(&tty_sem);
+ return -ENODEV;
+ }
+
+ driver = get_tty_driver(device, &index);
+- if (!driver)
++ if (!driver) {
++ up(&tty_sem);
+ return -ENODEV;
++ }
+ got_driver:
+ retval = init_dev(driver, index, &tty);
++ up(&tty_sem);
+ if (retval)
+ return retval;
+
+@@ -1881,7 +1897,10 @@
+ }
+ up(&allocated_ptys_lock);
+
++ down(&tty_sem);
+ retval = init_dev(ptm_driver, index, &tty);
++ up(&tty_sem);
++
+ if (retval)
+ goto out;
+
+diff -Nru a/kernel/exit.c b/kernel/exit.c
+--- a/kernel/exit.c 2005-02-18 17:33:57 -08:00
++++ b/kernel/exit.c 2005-02-18 17:33:57 -08:00
+@@ -332,7 +332,9 @@
+ exit_mm(current);
+
+ set_special_pids(1, 1);
++ down(&tty_sem);
+ current->signal->tty = NULL;
++ up(&tty_sem);
+
+ /* Block and flush all signals */
+ sigfillset(&blocked);
+diff -Nru a/kernel/sys.c b/kernel/sys.c
+--- a/kernel/sys.c 2005-02-18 17:33:57 -08:00
++++ b/kernel/sys.c 2005-02-18 17:33:57 -08:00
+@@ -1075,6 +1075,7 @@
+ if (!thread_group_leader(current))
+ return -EINVAL;
+
++ down(&tty_sem);
+ write_lock_irq(&tasklist_lock);
+
+ pid = find_pid(PIDTYPE_PGID, current->pid);
+@@ -1088,6 +1089,7 @@
+ err = process_group(current);
+ out:
+ write_unlock_irq(&tasklist_lock);
++ up(&tty_sem);
+ return err;
+ }
+
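Review bot: `init_dev()` no longer takes `tty_sem` itself and its callers in the later hunks (`tty_open` and the ptmx open path) now hold it around the call, but the comment that documented the semaphore at the old lines 1172-1177 is deleted without a replacement stating the new precondition. Suggest a comment at the head of `init_dev()`, whose signature lies above the hunk, such as `/* Caller must hold tty_sem (tty_open and ptmx_open do). */`. In the first tty_io.c hunk the semaphore is released before `tty_vhangup(tty)` in the `if (tty)` branch and taken again later for `tty_old_pgrp`; a one-line comment at that first `up(&tty_sem)` saying the hangup must run unlocked would make the two-phase locking easier to audit. In kernel/sys.c the new `down(&tty_sem)` precedes `write_lock_irq(&tasklist_lock)`, so the dpatch header could record the order `tty_sem` before `tasklist_lock` as the rule the other hunks are checked against.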
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/shmctl-restrictions.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/shmctl-restrictions.dpatch 2005-02-18 20:30:32 UTC (rev 2522)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/shmctl-restrictions.dpatch 2005-02-19 02:22:51 UTC (rev 2523)
@@ -0,0 +1,62 @@
+# origin: bk
+# key: 41bdc399fjcFowgsJH5ZMZ8eP-YcwA (linux-2.5)
+# description: lock down ability to freely SHM_LOCK/SHM_UNLOCK
+# inclusion: 2.6.10
+# revision date: 2005-02-18
+
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/13 08:30:17-08:00 hugh@veritas.com
+# [PATCH] shmctl SHM_LOCK perms
+#
+# Michael Kerrisk has observed that at present any process can SHM_LOCK any
+# shm segment of size within process RLIMIT_MEMLOCK, despite having no
+# permissions on the segment: surprising, though not obviously evil. And any
+# process can SHM_UNLOCK any shm segment, despite no permissions on it: that
+# is surely wrong.
+#
+# Unless CAP_IPC_LOCK, restrict both SHM_LOCK and SHM_UNLOCK to when the
+# process euid matches the shm owner or creator: that seems the least
+# surprising behaviour, which could be relaxed if a need appears later.
+#
+# Signed-off-by: Hugh Dickins <hugh@veritas.com>
+# Signed-off-by: Andrew Morton <akpm@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# ipc/shm.c
+# 2004/12/13 02:47:27-08:00 hugh@veritas.com +10 -5
+# shmctl SHM_LOCK perms
+#
+diff -Nru a/ipc/shm.c b/ipc/shm.c
+--- a/ipc/shm.c 2005-02-18 18:17:40 -08:00
++++ b/ipc/shm.c 2005-02-18 18:17:41 -08:00
+@@ -511,11 +511,6 @@
+ case SHM_LOCK:
+ case SHM_UNLOCK:
+ {
+- /* Allow superuser to lock segment in memory */
+- if (!can_do_mlock() && cmd == SHM_LOCK) {
+- err = -EPERM;
+- goto out;
+- }
+ shp = shm_lock(shmid);
+ if(shp==NULL) {
+ err = -EINVAL;
+@@ -524,6 +519,16 @@
+ err = shm_checkid(shp,shmid);
+ if(err)
+ goto out_unlock;
++
++ if (!capable(CAP_IPC_LOCK)) {
++ err = -EPERM;
++ if (current->euid != shp->shm_perm.uid &&
++ current->euid != shp->shm_perm.cuid)
++ goto out_unlock;
++ if (cmd == SHM_LOCK &&
++ !current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur)
++ goto out_unlock;
++ }
+
+ err = security_shm_shmctl(shp, cmd);
+ if (err)
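Review bot: The new permission block removes the `/* Allow superuser to lock segment in memory */` comment and leaves the replacement policy undocumented, and the unconditional `err = -EPERM;` that `security_shm_shmctl()` later overwrites reads as a leftover unless its role as the error code for the two `goto out_unlock` paths is stated. Suggest above `if (!capable(CAP_IPC_LOCK))`: `/* Without CAP_IPC_LOCK only the segment owner or creator may lock/unlock it, and locking also needs a non-zero RLIMIT_MEMLOCK; err is -EPERM for both gotos below. */`. The header text speaks of segment size within RLIMIT_MEMLOCK, but the hunk only tests that the limit is non-zero; if the size accounting happens elsewhere, naming that place in the description would close the gap. The enclosing `case SHM_LOCK`/`case SHM_UNLOCK` block continues past the end of the hunk.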