[kernel] r13533 - in dists/etch/linux-2.6.24: . debian debian/patches/bugfix debian/patches/bugfix/all debian/patches/bugfix/all/CVE-2009-0029 debian/patches/bugfix/hppa debian/patches/bugfix/mips debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Sat May 2 18:19:22 UTC 2009
Author: dannf
Date: Sat May 2 18:19:21 2009
New Revision: 13533
Log:
merge 2.6.24-6~etchnhalf.8etch1
Added:
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/ (props changed)
- copied from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/CVE-2009-0029/
dists/etch/linux-2.6.24/debian/patches/bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/agp-zero-pages-before-sending-to-userspace.patch
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/agp-zero-pages-before-sending-to-userspace.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch (props changed)
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/dell_rbu-use-scnprintf-instead-of-sprintf.patch (props changed)
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/dell_rbu-use-scnprintf-instead-of-sprintf.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/ecryptfs-check-readlink-result-before-use.patch (props changed)
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/ecryptfs-check-readlink-result-before-use.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/enforce-minimum-SG_IO-timeout.patch (props changed)
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/enforce-minimum-SG_IO-timeout.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/ext4-initialize-the-new-group-descriptor-when-resizing-the-filesystem.patch
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/ext4-initialize-the-new-group-descriptor-when-resizing-the-filesystem.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch (props changed)
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch (props changed)
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/nfs-remove-buggy-lock-if-signalled-case.patch
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/nfs-remove-buggy-lock-if-signalled-case.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/pid-extend+fix-pid_vnr.patch
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/pid-extend+fix-pid_vnr.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch (props changed)
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/security-keyctl-missing-kfree.patch (props changed)
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/security-keyctl-missing-kfree.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/skfp-fix-inverted-cap-logic.patch
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/skfp-fix-inverted-cap-logic.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/all/watchdog-ib700wdt-buffer_underflow.patch (props changed)
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/watchdog-ib700wdt-buffer_underflow.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/hppa/userspace-unwind-crash.patch
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/hppa/userspace-unwind-crash.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/kvm-vmx-inhibit-EFER-access.patch
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/kvm-vmx-inhibit-EFER-access.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/mips/fix-potential-dos.patch (props changed)
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/mips/fix-potential-dos.patch
dists/etch/linux-2.6.24/debian/patches/bugfix/syscall-audit-fix-32+64-syscall-hole.patch
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/syscall-audit-fix-32+64-syscall-hole.patch
dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1 (props changed)
- copied unchanged from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/series/6~etchnhalf.8etch1
Modified:
dists/etch/linux-2.6.24/ (props changed)
dists/etch/linux-2.6.24/debian/changelog
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0001-Move-compat-system-call-declarations.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0002-Convert-all-system-calls-to-return-a.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0003-Rename-old_readdir-to-sys_old_readdi.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0004-Remove-__attribute__-weak-from-sy.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0004pre1-ia64-kill-sys32_pipe.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0005-Make-sys_pselect7-static.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0006-Make-sys_syslog-a-conditional-system.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0007-System-call-wrapper-infrastructure.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0008-powerpc-Enable-syscall-wrappers-for.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0009-s390-enable-system-call-wrappers.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0010-System-call-wrapper-special-cases.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0011-System-call-wrappers-part-01.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0012-System-call-wrappers-part-02.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0013-System-call-wrappers-part-03.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0014-System-call-wrappers-part-04.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0015-System-call-wrappers-part-05.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0016-System-call-wrappers-part-06.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0017-System-call-wrappers-part-07.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0018-System-call-wrappers-part-08.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0019-System-call-wrappers-part-09.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0020-System-call-wrappers-part-10.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0021-System-call-wrappers-part-11.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0022-System-call-wrappers-part-12.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0023-System-call-wrappers-part-13.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0024-System-call-wrappers-part-14.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0025-System-call-wrappers-part-15.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0026-System-call-wrappers-part-16.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0027-System-call-wrappers-part-17.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0028-System-call-wrappers-part-18.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0029-System-call-wrappers-part-19.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0030-System-call-wrappers-part-20.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0031-System-call-wrappers-part-21.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0032-System-call-wrappers-part-22.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0033-System-call-wrappers-part-23.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0034-System-call-wrappers-part-24.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0035-System-call-wrappers-part-25.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0036-System-call-wrappers-part-26.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0037-System-call-wrappers-part-27.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0037pre1-missing-include.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0038-System-call-wrappers-part-28.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0038pre1-missing-include.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0039-System-call-wrappers-part-29.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0040-System-call-wrappers-part-30.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0041-System-call-wrappers-part-31.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0042-System-call-wrappers-part-32.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0043-System-call-wrappers-part-33.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/CVE-2009-0029/0044-s390-specific-system-call-wrappers.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/cciss-p711m,p712m-add-ids.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/all/dont-allow-splice-to-files-opened-with-O_APPEND.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/cifs-fix-compiler-warning.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/hfs-fix-namelength-memory-corruption.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/hfsplus-check_read_mapping_page-return-value.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/hppa/parisc-disable-up-optimized-flush_tlb_mm.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/bugfix/wan-sbni_ioctl-cap-checks.patch (props changed)
dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.8 (props changed)
Modified: dists/etch/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch/linux-2.6.24/debian/changelog Sat May 2 18:04:39 2009 (r13532)
+++ dists/etch/linux-2.6.24/debian/changelog Sat May 2 18:19:21 2009 (r13533)
@@ -5,6 +5,42 @@
-- Aurelien Jarnor <aurel32 at debian.org> Tue, 17 Mar 2009 12:17:07 +0100
+linux-2.6.24 (2.6.24-6~etchnhalf.8etch1) oldstable-security; urgency=high
+
+ * Fix DoS when calling svc_listen twice on the same socket while reading
+ /proc/net/atm/*vc (CVE-2008-5079)
+ * Fix buffer underflow in the ib700wdt watchdog driver (CVE-2008-5702)
+ * Set a minimum timeout for SG_IO requests (CVE-2008-5700)
+ * [mips] Fix potential DOS by untrusted user app (CVE-2008-5701)
+ * sctp: Fix memory overflow (CVE-2009-0065)
+ * nfs: Fix fcntl/close race (CVE-2008-4307)
+ * Fix sign-extend ABI issue w/ system calls on various 64-bit architectures
+ (CVE-2009-0029)
+ * security: introduce missing kfree (CVE-2009-0031)
+ * eCryptfs: check readlink result for error before use (CVE-2009-0269)
+ * dell_rbu: use scnprintf instead of less secure sprintf (CVE-2009-0322)
+ * [hppa] Fix system crash while unwinding a userspace process
+ (CVE-2008-5395)
+ * Fix sensitive memory leak in SO_BSDCOMPAT gsopt (CVE-2009-0676)
+ * copy_process: fix CLONE_PARENT && parent_exec_id interaction
+ (CVE-2009-0028)
+ * skfp: Fix inverted capabilities check logic (CVE-2009-0675)
+ * ext4: initialize the new group descriptor when resizing
+ (CVE-2009-0745)
+ * [amd64] syscall-audit: fix 32/64 syscall hole (CVE-2009-0834)
+ * shm: fix shmctl(SHM_INFO) lockup with !CONFIG_SHMEM (CVE-2009-0859)
+ This issue does not effect pre-build Debian kernels.
+ * Fix an off-by-two memory error in console selection (CVE-2009-1046)
+ * af_rose/x25: Sanity check the maximum user frame size (CVE-2009-1265)
+ * KVM: VMX: Don't allow uninhibited access to EFER on i386 (CVE-2009-1242)
+ * exit_notify: kill the wrong capable(CAP_KILL) check (CVE-2009-1337)
+ * Make 'kill sig -1' only apply to caller's namespace (CVE-2009-1338)
+ * agp: zero pages before sending to userspace (CVE-2009-1192)
+ * cifs: Fix memory overwrite when saving nativeFileSystem field during mount
+ (CVE-2009-1439)
+
+ -- dann frazier <dannf at debian.org> Wed, 29 Apr 2009 01:03:37 -0600
+
linux-2.6.24 (2.6.24-6~etchnhalf.8) stable; urgency=high
[ dann frazier ]
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch)
@@ -0,0 +1,61 @@
+commit 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9
+Author: Alan Cox <alan at lxorguk.ukuu.org.uk>
+Date: Fri Mar 27 00:28:21 2009 -0700
+
+ af_rose/x25: Sanity check the maximum user frame size
+
+ Otherwise we can wrap the sizes and end up sending garbage.
+
+ Closes #10423
+
+ Signed-off-by: Alan Cox <alan at lxorguk.ukuu.org.uk>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+--- a/net/netrom/af_netrom.c 2008-01-24 15:58:37.000000000 -0700
++++ b/net/netrom/af_netrom.c 2009-04-07 23:56:09.000000000 -0600
+@@ -1074,7 +1074,11 @@ static int nr_sendmsg(struct kiocb *iocb
+
+ SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");
+
+- /* Build a packet */
++ /* Build a packet - the conventional user limit is 236 bytes. We can
++ do ludicrously large NetROM frames but must not overflow */
++ if (len > 65536)
++ return -EMSGSIZE;
++
+ SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
+ size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;
+
+diff -urpN a/net/rose/af_rose.c b/net/rose/af_rose.c
+--- a/net/rose/af_rose.c 2008-01-24 15:58:37.000000000 -0700
++++ b/net/rose/af_rose.c 2009-04-07 23:56:09.000000000 -0600
+@@ -1100,6 +1100,10 @@ static int rose_sendmsg(struct kiocb *io
+
+ /* Build a packet */
+ SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n");
++ /* Sanity check the packet size */
++ if (len > 65535)
++ return -EMSGSIZE;
++
+ size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN;
+
+ if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL)
+diff -urpN a/net/x25/af_x25.c b/net/x25/af_x25.c
+--- a/net/x25/af_x25.c 2008-01-24 15:58:37.000000000 -0700
++++ b/net/x25/af_x25.c 2009-04-07 23:56:09.000000000 -0600
+@@ -1042,6 +1042,12 @@ static int x25_sendmsg(struct kiocb *ioc
+ sx25.sx25_addr = x25->dest_addr;
+ }
+
++ /* Sanity check the packet size */
++ if (len > 65535) {
++ rc = -EMSGSIZE;
++ goto out;
++ }
++
+ SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n");
+
+ /* Build a packet */
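Review bot: The three new bounds are not the same: nr_sendmsg rejects only `len > 65536` while rose_sendmsg and x25_sendmsg reject `len > 65535`, so NetROM accepts a 65536-byte user frame that the other two protocols refuse. Unless NetROM actually needs that extra byte (the inline comment only says it "must not overflow"), the NetROM test should read `if (len > 65535)` so all three sendmsg paths share one ceiling. The checks sit before the skb allocation in each function, so nothing is leaked on the -EMSGSIZE return. Each sendmsg function begins and ends outside this hunk, and the types of `len` and `size` are not visible, so whether 65535 is tight against the `size = len + ...` computation cannot be confirmed from here.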
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/agp-zero-pages-before-sending-to-userspace.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/agp-zero-pages-before-sending-to-userspace.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/agp-zero-pages-before-sending-to-userspace.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/agp-zero-pages-before-sending-to-userspace.patch)
@@ -0,0 +1,27 @@
+commit 59de2bebabc5027f93df999d59cc65df591c3e6e
+Author: Shaohua Li <shaohua.li at intel.com>
+Date: Mon Apr 20 10:08:35 2009 +1000
+
+ agp: zero pages before sending to userspace
+
+ AGP pages might be mapped into userspace finally, so the pages should be
+ set to zero before userspace can use it. Otherwise there is potential
+ information leakage.
+
+ Signed-off-by: Shaohua Li <shaohua.li at intel.com>
+ Signed-off-by: Dave Airlie <airlied at redhat.com>
+
+Backported to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/drivers/char/agp/generic.c linux-source-2.6.24/drivers/char/agp/generic.c
+--- linux-source-2.6.24.orig/drivers/char/agp/generic.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/drivers/char/agp/generic.c 2009-04-27 22:08:01.000000000 -0600
+@@ -1166,7 +1166,7 @@ void *agp_generic_alloc_page(struct agp_
+ {
+ struct page * page;
+
+- page = alloc_page(GFP_KERNEL | GFP_DMA32);
++ page = alloc_page(GFP_KERNEL | GFP_DMA32 | __GFP_ZERO);
+ if (page == NULL)
+ return NULL;
+
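Review bot: Only `agp_generic_alloc_page` gains `__GFP_ZERO`, so any bridge driver in this 2.6.24 tree that supplies its own `agp_alloc_page` callback, or that obtains pages through a path other than this helper, would still hand out unzeroed memory; that should be checked across the agp drivers before treating CVE-2009-1192 as closed for this kernel. The intent is also not recorded in the code; a comment above the call such as `/* these pages may be mapped into userspace; zero them so stale kernel data cannot leak */` would keep the rationale with the change. The function continues past the end of the hunk.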
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch)
@@ -0,0 +1,37 @@
+commit 17b24b3c97498935a2ef9777370b1151dfed3f6f
+Author: Chas Williams <chas at cmf.nrl.navy.mil>
+Date: Thu Dec 4 14:58:13 2008 -0800
+
+ ATM: CVE-2008-5079: duplicate listen() on socket corrupts the vcc table
+
+ As reported by Hugo Dias that it is possible to cause a local denial
+ of service attack by calling the svc_listen function twice on the same
+ socket and reading /proc/net/atm/*vc
+
+ Signed-off-by: Chas Williams <chas at cmf.nrl.navy.mil>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/atm/svc.c b/net/atm/svc.c
+index de1e4f2..8fb54dc 100644
+--- a/net/atm/svc.c
++++ b/net/atm/svc.c
+@@ -293,7 +293,10 @@ static int svc_listen(struct socket *sock,int backlog)
+ error = -EINVAL;
+ goto out;
+ }
+- vcc_insert_socket(sk);
++ if (test_bit(ATM_VF_LISTEN, &vcc->flags)) {
++ error = -EADDRINUSE;
++ goto out;
++ }
+ set_bit(ATM_VF_WAITING, &vcc->flags);
+ prepare_to_wait(sk->sk_sleep, &wait, TASK_UNINTERRUPTIBLE);
+ sigd_enq(vcc,as_listen,NULL,NULL,&vcc->local);
+@@ -307,6 +310,7 @@ static int svc_listen(struct socket *sock,int backlog)
+ goto out;
+ }
+ set_bit(ATM_VF_LISTEN,&vcc->flags);
++ vcc_insert_socket(sk);
+ sk->sk_max_ack_backlog = backlog > 0 ? backlog : ATM_BACKLOG_DEFAULT;
+ error = -sk->sk_err;
+ out:
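Review bot: The reason `vcc_insert_socket(sk)` moves below `set_bit(ATM_VF_LISTEN, ...)` is not recorded in the code, so a reader of the Debian tree sees only a bare reordering; a one-line comment such as `/* hash the socket only once the listen is acknowledged; a repeat listen() is rejected above, so it can never be inserted twice */` would keep the CVE-2008-5079 rationale next to the fix. The new `test_bit(ATM_VF_LISTEN, ...)` guard is presumably serialized by the socket lock taken at the top of `svc_listen`, which is outside this hunk — confirm it is held here, otherwise two concurrent listen() calls could both pass the test before either sets the bit. The early `goto out` after the wait now also leaves the socket un-hashed, which looks intended since the listen did not complete.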
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch)
@@ -0,0 +1,42 @@
+commit f083def68f84b04fe3f97312498911afce79609e
+Author: Jeff Layton <jlayton at redhat.com>
+Date: Thu Apr 16 11:21:52 2009 -0400
+
+ cifs: fix buffer size for tcon->nativeFileSystem field
+
+ The buffer for this was resized recently to fix a bug. It's still
+ possible however that a malicious server could overflow this field
+ by sending characters in it that are >2 bytes in the local charset.
+ Double the size of the buffer to account for this possibility.
+
+ Also get rid of some really strange and seemingly pointless NULL
+ termination. It's NULL terminating the string in the source buffer,
+ but by the time that happens, we've already copied the string.
+
+ Signed-off-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/fs/cifs/connect.c linux-source-2.6.24/fs/cifs/connect.c
+--- linux-source-2.6.24.orig/fs/cifs/connect.c 2009-04-29 00:57:48.000000000 -0600
++++ linux-source-2.6.24/fs/cifs/connect.c 2009-04-29 00:59:27.000000000 -0600
+@@ -3421,16 +3421,13 @@ CIFSTCon(unsigned int xid, struct cifsSe
+ BCC(smb_buffer_response)) {
+ kfree(tcon->nativeFileSystem);
+ tcon->nativeFileSystem =
+- kzalloc(2*(length + 1), GFP_KERNEL);
++ kzalloc((4 * length) + 2, GFP_KERNEL);
+ if (tcon->nativeFileSystem)
+ cifs_strfromUCS_le(
+ tcon->nativeFileSystem,
+ (__le16 *) bcc_ptr,
+ length, nls_codepage);
+- bcc_ptr += 2 * length;
+- bcc_ptr[0] = 0; /* null terminate the string */
+- bcc_ptr[1] = 0;
+- bcc_ptr += 2;
++ bcc_ptr += (2 * length) + 2;
+ }
+ /* else do not bother copying these information fields*/
+ } else {
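Review bot: The new `kzalloc((4 * length) + 2, GFP_KERNEL)` assumes the conversion in `cifs_strfromUCS_le` never emits more than 4 bytes per UCS-2 code unit; the call passes only the source `length` and no destination size, so if the NLS layer's per-character maximum for some codepage is larger than 4 (the tree's `NLS_MAX_CHARSET_SIZE` is not visible here), a hostile server can still overrun the field. Sizing as `(NLS_MAX_CHARSET_SIZE * length) + 2`, or converting with a destination bound, would not rest on that assumption; at minimum the 4x factor deserves a comment, e.g. `/* worst case: each UCS-2 unit expands to 4 bytes in the local charset, plus the NUL */`. The `length`-vs-BCC comparison that bounds `length` is just above the hunk in `CIFSTCon`, which is otherwise outside view.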
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch)
@@ -0,0 +1,29 @@
+commit b363b3304bcf68c4541683b2eff70b29f0446a5b
+Author: Steve French <sfrench at us.ibm.com>
+Date: Wed Mar 18 05:57:22 2009 +0000
+
+ [CIFS] Fix memory overwrite when saving nativeFileSystem field during mount
+
+ CIFS can allocate a few bytes to little for the nativeFileSystem field
+ during tree connect response processing during mount. This can result
+ in a "Redzone overwritten" message to be logged.
+
+ Signed-off-by: Sridhar Vinay <vinaysridhar at in.ibm.com>
+ Acked-by: Shirish Pargaonkar <shirishp at us.ibm.com>
+ CC: Stable <stable at kernel.org>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/fs/cifs/connect.c linux-source-2.6.24/fs/cifs/connect.c
+--- linux-source-2.6.24.orig/fs/cifs/connect.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/fs/cifs/connect.c 2009-04-29 00:57:48.000000000 -0600
+@@ -3421,7 +3421,7 @@ CIFSTCon(unsigned int xid, struct cifsSe
+ BCC(smb_buffer_response)) {
+ kfree(tcon->nativeFileSystem);
+ tcon->nativeFileSystem =
+- kzalloc(length + 2, GFP_KERNEL);
++ kzalloc(2*(length + 1), GFP_KERNEL);
+ if (tcon->nativeFileSystem)
+ cifs_strfromUCS_le(
+ tcon->nativeFileSystem,
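Review bot: On its own this `kzalloc(2*(length + 1), GFP_KERNEL)` still sizes the field at two bytes per UCS-2 unit, which only covers single-byte local charsets; the companion patch in this same commit (cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch) widens it to `(4 * length) + 2` and its context shows it applies on top of this line, so the two must stay adjacent and ordered in the series file, which is not shown here. A comment above the allocation stating that the size is a per-character worst case rather than a byte count would make the intent survive later backports. `CIFSTCon` begins and ends outside this hunk.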
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch)
@@ -0,0 +1,26 @@
+commit 22c9d52bc03b880045ab1081890a38f11b272ae7
+Author: Jeff Layton <jlayton at redhat.com>
+Date: Thu Apr 16 13:48:49 2009 -0400
+
+ cifs: remove unneeded bcc_ptr update in CIFSTCon
+
+ This pointer isn't used again after this point. It's also not updated in
+ the ascii case, so there's no need to update it here.
+
+ Pointed-out-by: Dave Kleikamp <shaggy at linux.vnet.ibm.com>
+ Signed-off-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+Backported to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/fs/cifs/connect.c linux-source-2.6.24/fs/cifs/connect.c
+--- linux-source-2.6.24.orig/fs/cifs/connect.c 2009-04-29 00:59:27.000000000 -0600
++++ linux-source-2.6.24/fs/cifs/connect.c 2009-04-29 01:00:34.000000000 -0600
+@@ -3427,7 +3427,6 @@ CIFSTCon(unsigned int xid, struct cifsSe
+ tcon->nativeFileSystem,
+ (__le16 *) bcc_ptr,
+ length, nls_codepage);
+- bcc_ptr += (2 * length) + 2;
+ }
+ /* else do not bother copying these information fields*/
+ } else {
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch)
@@ -0,0 +1,53 @@
+commit 2d5516cbb9daf7d0e342a2e3b0fc6f8c39a81205
+Author: Oleg Nesterov <oleg at redhat.com>
+Date: Mon Mar 2 22:58:45 2009 +0100
+
+ copy_process: fix CLONE_PARENT && parent_exec_id interaction
+
+ CLONE_PARENT can fool the ->self_exec_id/parent_exec_id logic. If we
+ re-use the old parent, we must also re-use ->parent_exec_id to make
+ sure exit_notify() sees the right ->xxx_exec_id's when the CLONE_PARENT'ed
+ task exits.
+
+ Also, move down the "p->parent_exec_id = p->self_exec_id" thing, to place
+ two different cases together.
+
+ Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+ Cc: Roland McGrath <roland at redhat.com>
+ Cc: Andrew Morton <akpm at linux-foundation.org>
+ Cc: David Howells <dhowells at redhat.com>
+ Cc: Serge E. Hallyn <serge at hallyn.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN a/kernel/fork.c b/kernel/fork.c
+--- a/kernel/fork.c 2009-04-05 19:32:23.000000000 -0600
++++ b/kernel/fork.c 2009-04-05 21:46:39.000000000 -0600
+@@ -1197,10 +1197,6 @@ static struct task_struct *copy_process(
+ clear_tsk_thread_flag(p, TIF_SYSCALL_EMU);
+ #endif
+
+- /* Our parent execution domain becomes current domain
+- These must match for thread signalling to apply */
+- p->parent_exec_id = p->self_exec_id;
+-
+ /* ok, now we should be set up.. */
+ p->exit_signal = (clone_flags & CLONE_THREAD) ? -1 : (clone_flags & CSIGNAL);
+ p->pdeath_signal = 0;
+@@ -1242,10 +1238,13 @@ static struct task_struct *copy_process(
+ set_task_cpu(p, smp_processor_id());
+
+ /* CLONE_PARENT re-uses the old parent */
+- if (clone_flags & (CLONE_PARENT|CLONE_THREAD))
++ if (clone_flags & (CLONE_PARENT|CLONE_THREAD)) {
+ p->real_parent = current->real_parent;
+- else
++ p->parent_exec_id = current->parent_exec_id;
++ } else {
+ p->real_parent = current;
++ p->parent_exec_id = current->self_exec_id;
++ }
+ p->parent = p->real_parent;
+
+ spin_lock(¤t->sighand->siglock);
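Review bot: The new branch copies `parent_exec_id` for both CLONE_PARENT and CLONE_THREAD, but the only nearby comment, `/* CLONE_PARENT re-uses the old parent */`, explains just half of that, and the removed comment about execution domains is not replaced; a comment on the new lines such as `/* the child must carry the exec id its (inherited) parent was born under, so exit_notify() compares the right ids when it exits */` would record why `current->parent_exec_id` rather than `current->self_exec_id` is used there. The commit message only discusses CLONE_PARENT, so it is inferred that the same reasoning is meant to cover CLONE_THREAD. The last context line renders as `spin_lock(¤t->sighand->siglock)`, which looks like an HTML-entity artifact of `&current` in this page rather than anything in the patch. `copy_process` starts and ends outside both hunks.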
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/dell_rbu-use-scnprintf-instead-of-sprintf.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/dell_rbu-use-scnprintf-instead-of-sprintf.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/dell_rbu-use-scnprintf-instead-of-sprintf.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/dell_rbu-use-scnprintf-instead-of-sprintf.patch)
@@ -0,0 +1,36 @@
+commit 81156928f8fe31621e467490b9d441c0285998c3
+Author: Pavel Roskin <proski at gnu.org>
+Date: Sat Jan 17 13:33:03 2009 -0500
+
+ dell_rbu: use scnprintf() instead of less secure sprintf()
+
+ Reading 0 bytes from /sys/devices/platform/dell_rbu/image_type or
+ /sys/devices/platform/dell_rbu/packet_size by an ordinary user causes an
+ oops.
+
+ Signed-off-by: Pavel Roskin <proski at gnu.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/firmware/dell_rbu.c linux-source-2.6.26/drivers/firmware/dell_rbu.c
+--- linux-source-2.6.26.orig/drivers/firmware/dell_rbu.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/firmware/dell_rbu.c 2009-02-09 21:44:12.000000000 -0700
+@@ -598,7 +598,7 @@ static ssize_t read_rbu_image_type(struc
+ {
+ int size = 0;
+ if (!pos)
+- size = sprintf(buffer, "%s\n", image_type);
++ size = scnprintf(buffer, count, "%s\n", image_type);
+ return size;
+ }
+
+@@ -670,7 +670,7 @@ static ssize_t read_rbu_packet_size(stru
+ int size = 0;
+ if (!pos) {
+ spin_lock(&rbu_data.lock);
+- size = sprintf(buffer, "%lu\n", rbu_data.packetsize);
++ size = scnprintf(buffer, count, "%lu\n", rbu_data.packetsize);
+ spin_unlock(&rbu_data.lock);
+ }
+ return size;
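Review bot: The provenance line `Adjusted to apply to Debian's 2.6.26 by dann frazier` and the `linux-source-2.6.26` paths in the diff header disagree with the 2.6.24 tree this patch is being added to; the same stale line appears in enforce-minimum-SG_IO-timeout.patch. If the patch was verified against 2.6.24 the line should say so, since this header is what a future maintainer will trust when rebasing or auditing the series. The code change itself, `scnprintf()` bounded by the caller's `count`, is the right replacement and needs no further adjustment as far as the hunk shows.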
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/ecryptfs-check-readlink-result-before-use.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/ecryptfs-check-readlink-result-before-use.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/ecryptfs-check-readlink-result-before-use.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/ecryptfs-check-readlink-result-before-use.patch)
@@ -0,0 +1,36 @@
+commit a17d5232de7b53d34229de79ec22f4bb04adb7e4
+Author: Duane Griffin <duaneg at dghda.com>
+Date: Fri Dec 19 20:47:10 2008 +0000
+
+ eCryptfs: check readlink result was not an error before using it
+
+ The result from readlink is being used to index into the link name
+ buffer without checking whether it is a valid length. If readlink
+ returns an error this will fault or cause memory corruption.
+
+ Cc: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
+ Cc: Dustin Kirkland <kirkland at canonical.com>
+ Cc: ecryptfs-devel at lists.launchpad.net
+ Signed-off-by: Duane Griffin <duaneg at dghda.com>
+ Acked-by: Michael Halcrow <mhalcrow at us.ibm.com>
+ Acked-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
+ Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/fs/ecryptfs/inode.c linux-source-2.6.24/fs/ecryptfs/inode.c
+--- linux-source-2.6.24.orig/fs/ecryptfs/inode.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/fs/ecryptfs/inode.c 2009-02-09 22:57:01.000000000 -0700
+@@ -660,10 +660,11 @@ static void *ecryptfs_follow_link(struct
+ ecryptfs_printk(KERN_DEBUG, "Calling readlink w/ "
+ "dentry->d_name.name = [%s]\n", dentry->d_name.name);
+ rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
+- buf[rc] = '\0';
+ set_fs(old_fs);
+ if (rc < 0)
+ goto out_free;
++ else
++ buf[rc] = '\0';
+ rc = 0;
+ nd_set_link(nd, buf);
+ goto out;
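Review bot: The added guard rejects a negative `rc` but not `rc == len`, and `buf[rc] = '\0'` then writes one byte past a buffer of exactly `len` bytes; whether `buf` was allocated with `len` or `len + 1` bytes is decided above this hunk in ecryptfs_follow_link, which starts outside it, so please confirm. If the allocation is `kmalloc(len, ...)`, passing `len - 1` to readlink keeps the terminator in bounds: `rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len - 1);`. The `else` after a `goto` is redundant; `buf[rc] = '\0';` can simply follow the `if` unconditionally.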
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/enforce-minimum-SG_IO-timeout.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/enforce-minimum-SG_IO-timeout.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/enforce-minimum-SG_IO-timeout.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/enforce-minimum-SG_IO-timeout.patch)
@@ -0,0 +1,59 @@
+commit f2f1fa78a155524b849edf359e42a3001ea652c0
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Fri Dec 5 14:49:18 2008 -0800
+
+ Enforce a minimum SG_IO timeout
+
+ There's no point in having too short SG_IO timeouts, since if the
+ command does end up timing out, we'll end up through the reset sequence
+ that is several seconds long in order to abort the command that timed
+ out.
+
+ As a result, shorter timeouts than a few seconds simply do not make
+ sense, as the recovery would be longer than the timeout itself.
+
+ Add a BLK_MIN_SG_TIMEOUT to match the existign BLK_DEFAULT_SG_TIMEOUT.
+
+ Suggested-by: Alan Cox <alan at lxorguk.ukuu.org.uk>
+ Acked-by: Tejun Heo <tj at kernel.org>
+ Acked-by: Jens Axboe <jens.axboe at oracle.com>
+ Cc: Jeff Garzik <jeff at garzik.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.26.orig/block/bsg.c linux-source-2.6.26/block/bsg.c
+--- linux-source-2.6.26.orig/block/bsg.c 2009-01-08 16:43:12.000000000 -0700
++++ linux-source-2.6.26/block/bsg.c 2009-01-09 18:03:55.000000000 -0700
+@@ -201,6 +201,8 @@ static int blk_fill_sgv4_hdr_rq(struct r
+ rq->timeout = q->sg_timeout;
+ if (!rq->timeout)
+ rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
++ if (rq->timeout < BLK_MIN_SG_TIMEOUT)
++ rq->timeout = BLK_MIN_SG_TIMEOUT;
+
+ return 0;
+ }
+diff -urpN linux-source-2.6.26.orig/block/scsi_ioctl.c linux-source-2.6.26/block/scsi_ioctl.c
+--- linux-source-2.6.26.orig/block/scsi_ioctl.c 2009-01-08 16:43:12.000000000 -0700
++++ linux-source-2.6.26/block/scsi_ioctl.c 2009-01-09 18:03:55.000000000 -0700
+@@ -232,6 +232,8 @@ static int blk_fill_sghdr_rq(struct requ
+ rq->timeout = q->sg_timeout;
+ if (!rq->timeout)
+ rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
++ if (rq->timeout < BLK_MIN_SG_TIMEOUT)
++ rq->timeout = BLK_MIN_SG_TIMEOUT;
+
+ return 0;
+ }
+diff -urpN linux-source-2.6.26.orig/include/linux/blkdev.h linux-source-2.6.26/include/linux/blkdev.h
+--- linux-source-2.6.26.orig/include/linux/blkdev.h 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/linux/blkdev.h 2009-01-09 18:03:55.000000000 -0700
+@@ -585,6 +585,7 @@ extern unsigned long blk_max_low_pfn, bl
+ * default timeout for SG_IO if none specified
+ */
+ #define BLK_DEFAULT_SG_TIMEOUT (60 * HZ)
++#define BLK_MIN_SG_TIMEOUT (7 * HZ)
+
+ #ifdef CONFIG_BOUNCE
+ extern int init_emergency_isa_pool(void);
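Review bot: The new `BLK_MIN_SG_TIMEOUT` has no comment, while the neighbouring `BLK_DEFAULT_SG_TIMEOUT` does, so the reason for 7 seconds lives only in the commit message. Suggest extending the existing comment block to `* default timeout for SG_IO if none specified, and the minimum: a shorter timeout is pointless because the error-recovery/reset sequence after a timed-out command itself takes several seconds`. The same two-line clamp is duplicated in bsg.c and scsi_ioctl.c; a shared helper would keep them from drifting apart, though that goes beyond a backport.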
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch)
@@ -0,0 +1,31 @@
+commit 432870dab85a2f69dc417022646cb9a70acf7f94
+Author: Oleg Nesterov <oleg at redhat.com>
+Date: Mon Apr 6 16:16:02 2009 +0200
+
+ exit_notify: kill the wrong capable(CAP_KILL) check
+
+ The CAP_KILL check in exit_notify() looks just wrong, kill it.
+
+ Whatever logic we have to reset ->exit_signal, the malicious user
+ can bypass it if it execs the setuid application before exiting.
+
+ Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+ Acked-by: Serge Hallyn <serue at us.ibm.com>
+ Acked-by: Roland McGrath <roland at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/kernel/exit.c linux-source-2.6.24/kernel/exit.c
+--- linux-source-2.6.24.orig/kernel/exit.c 2009-04-11 14:35:49.000000000 -0600
++++ linux-source-2.6.24/kernel/exit.c 2009-04-18 14:49:36.000000000 -0600
+@@ -813,8 +813,7 @@ static void exit_notify(struct task_stru
+ */
+ if (tsk->exit_signal != SIGCHLD && tsk->exit_signal != -1 &&
+ ( tsk->parent_exec_id != t->self_exec_id ||
+- tsk->self_exec_id != tsk->parent_exec_id)
+- && !capable(CAP_KILL))
++ tsk->self_exec_id != tsk->parent_exec_id))
+ tsk->exit_signal = SIGCHLD;
+
+
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/ext4-initialize-the-new-group-descriptor-when-resizing-the-filesystem.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/ext4-initialize-the-new-group-descriptor-when-resizing-the-filesystem.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/ext4-initialize-the-new-group-descriptor-when-resizing-the-filesystem.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/ext4-initialize-the-new-group-descriptor-when-resizing-the-filesystem.patch)
@@ -0,0 +1,45 @@
+From tytso at mit.edu Wed Feb 18 11:14:37 2009
+From: "Theodore Ts'o" <tytso at mit.edu>
+Date: Tue, 17 Feb 2009 10:58:44 -0500
+Subject: ext4: Initialize the new group descriptor when resizing the filesystem
+To: stable at kernel.org
+Cc: linux-ext4 at vger.kernel.org, "Theodore Ts'o" <tytso at mit.edu>
+Message-ID: <1234886324-15105-25-git-send-email-tytso at mit.edu>
+
+From: "Theodore Ts'o" <tytso at mit.edu>
+
+(cherry picked from commit fdff73f094e7220602cc3f8959c7230517976412)
+
+Make sure all of the fields of the group descriptor are properly
+initialized. Previously, we allowed bg_flags field to be contain
+random garbage, which could trigger non-deterministic behavior,
+including a kernel OOPS.
+
+http://bugzilla.kernel.org/show_bug.cgi?id=12433
+
+Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ fs/ext4/resize.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN a/fs/ext4/resize.c b/fs/ext4/resize.c
+--- a/fs/ext4/resize.c 2008-01-24 15:58:37.000000000 -0700
++++ b/fs/ext4/resize.c 2009-04-05 22:09:24.000000000 -0600
+@@ -859,11 +859,13 @@ int ext4_group_add(struct super_block *s
+ /* Update group descriptor block for new group */
+ gdp = (struct ext4_group_desc *)primary->b_data + gdb_off;
+
++ memset(gdp, 0, EXT4_DESC_SIZE(sb));
+ ext4_block_bitmap_set(sb, gdp, input->block_bitmap); /* LV FIXME */
+ ext4_inode_bitmap_set(sb, gdp, input->inode_bitmap); /* LV FIXME */
+ ext4_inode_table_set(sb, gdp, input->inode_table); /* LV FIXME */
+ gdp->bg_free_blocks_count = cpu_to_le16(input->free_blocks_count);
+ gdp->bg_free_inodes_count = cpu_to_le16(EXT4_INODES_PER_GROUP(sb));
++ gdp->bg_flags = cpu_to_le16(EXT4_BG_INODE_ZEROED);
+ gdp->bg_checksum = ext4_group_desc_csum(sbi, input->group, gdp);
+
+ /*
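Review bot: The new `memset` has no comment saying why it zeroes `EXT4_DESC_SIZE(sb)` bytes rather than `sizeof(*gdp)`; the on-disk descriptor can be larger than the struct (with the 64bit feature, as far as I recall), and a later reader could "fix" it to the struct size and reintroduce uninitialized trailing bytes. Suggest `/* Zero the whole on-disk descriptor (EXT4_DESC_SIZE may exceed sizeof(*gdp)) so no field, bg_flags in particular, reaches disk uninitialized */` on the memset line. Also confirm `EXT4_BG_INODE_ZEROED` is defined in this tree's ext4 headers, since the hunk does not add it; ext4_group_add continues outside the hunk.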
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/fix-off-by-2-error-in-console-selection.patch)
@@ -0,0 +1,35 @@
+commit 878b8619f711280fd05845e21956434b5e588cc4
+Author: Mikulas Patocka <mpatocka at redhat.com>
+Date: Fri Jan 30 15:27:14 2009 -0500
+
+ Fix memory corruption in console selection
+
+ Fix an off-by-two memory error in console selection.
+
+ The loop below goes from sel_start to sel_end (inclusive), so it writes
+ one more character. This one more character was added to the allocated
+ size (+1), but it was not multiplied by an UTF-8 multiplier.
+
+ This patch fixes a memory corruption when UTF-8 console is used and the
+ user selects a few characters, all of them 3-byte in UTF-8 (for example
+ a frame line).
+
+ When memory redzones are enabled, a redzone corruption is reported.
+ When they are not enabled, trashing of random memory occurs.
+
+ Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/char/selection.c b/drivers/char/selection.c
+index f29fbe9..cb8ca56 100644
+--- a/drivers/char/selection.c
++++ b/drivers/char/selection.c
+@@ -268,7 +268,7 @@ int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *t
+
+ /* Allocate a new buffer before freeing the old one ... */
+ multiplier = use_unicode ? 3 : 1; /* chars can take up to 3 bytes */
+- bp = kmalloc((sel_end-sel_start)/2*multiplier+1, GFP_KERNEL);
++ bp = kmalloc(((sel_end-sel_start)/2+1)*multiplier, GFP_KERNEL);
+ if (!bp) {
+ printk(KERN_WARNING "selection: kmalloc() failed\n");
+ clear_selection();
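Review bot: The corrected size expression has no comment tying it to the copy loop that follows (outside the hunk), which is exactly how the off-by-two crept in: the `+1` for the inclusive end cell must sit inside the multiplication. A comment such as `/* (sel_end-sel_start)/2+1 cells, end inclusive; each cell up to 'multiplier' bytes in UTF-8 */` on the `kmalloc` line would record the invariant for the next person who touches either the allocation or the loop. set_selection continues outside the hunk.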
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch)
@@ -0,0 +1,37 @@
+commit d25141a818383b3c3b09f065698c544a7a0ec6e7
+Author: Sukadev Bhattiprolu <sukadev at linux.vnet.ibm.com>
+Date: Wed Oct 29 14:01:11 2008 -0700
+
+ 'kill sig -1' must only apply to caller's namespace
+
+ Currently "kill <sig> -1" kills processes in all namespaces and breaks the
+ isolation of namespaces. Earlier attempt to fix this was discussed at:
+
+ http://lkml.org/lkml/2008/7/23/148
+
+ As suggested by Oleg Nesterov in that thread, use "task_pid_vnr() > 1"
+ check since task_pid_vnr() returns 0 if process is outside the caller's
+ namespace.
+
+ Signed-off-by: Sukadev Bhattiprolu <sukadev at linux.vnet.ibm.com>
+ Acked-by: Eric W. Biederman <ebiederm at xmission.com>
+ Tested-by: Daniel Hokka Zakrisson <daniel at hozac.com>
+ Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/kernel/signal.c linux-source-2.6.24/kernel/signal.c
+--- linux-source-2.6.24.orig/kernel/signal.c 2009-04-11 14:35:50.000000000 -0600
++++ linux-source-2.6.24/kernel/signal.c 2009-04-18 14:52:22.000000000 -0600
+@@ -1150,7 +1150,8 @@ static int kill_something_info(int sig,
+
+ read_lock(&tasklist_lock);
+ for_each_process(p) {
+- if (p->pid > 1 && !same_thread_group(p, current)) {
++ if (task_pid_vnr(p) > 1 &&
++ !same_thread_group(p, current)) {
+ int err = group_send_sig_info(sig, info, p);
+ ++count;
+ if (err != -EPERM)
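Review bot: The new test only excludes tasks outside the caller's namespace if `task_pid_vnr()` really returns 0 for them, which in this tree depends on pid-extend+fix-pid_vnr.patch (added in this same commit) being applied first; with the old inline pid_vnr, which read `pid->numbers[pid->level].nr` relative to the pid's own namespace, a task in a child namespace would still pass `> 1`. The patch header quotes that assumption but does not record the ordering dependency; a line such as `Depends on pid-extend+fix-pid_vnr.patch being applied first.` in the header would keep a future series reorder from silently reopening the namespace escape. kill_something_info starts outside the hunk.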
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch)
@@ -0,0 +1,32 @@
+From: Eugene Teo <eugeneteo at kernel.sg>
+Date: Mon, 23 Feb 2009 23:38:41 +0000 (-0800)
+Subject: net: amend the fix for SO_BSDCOMPAT gsopt infoleak
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=50fee1dec5d71b8a14c1b82f2f42e16adc227f8b
+
+net: amend the fix for SO_BSDCOMPAT gsopt infoleak
+
+The fix for CVE-2009-0676 (upstream commit df0bca04) is incomplete. Note
+that the same problem of leaking kernel memory will reappear if someone
+on some architecture uses struct timeval with some internal padding (for
+example tv_sec 64-bit and tv_usec 32-bit) --- then, you are going to
+leak the padded bytes to userspace.
+
+Signed-off-by: Eugene Teo <eugeneteo at kernel.sg>
+Reported-by: Mikulas Patocka <mpatocka at redhat.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/net/core/sock.c linux-source-2.6.24/net/core/sock.c
+--- linux-source-2.6.24.orig/net/core/sock.c 2009-02-24 23:20:47.000000000 -0700
++++ linux-source-2.6.24/net/core/sock.c 2009-02-24 23:22:41.000000000 -0700
+@@ -691,7 +691,7 @@ int sock_getsockopt(struct socket *sock,
+ if (len < 0)
+ return -EINVAL;
+
+- v.val = 0;
++ memset(&v, 0, sizeof(v));
+
+ switch(optname) {
+ case SO_DEBUG:
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch)
@@ -0,0 +1,43 @@
+commit df0bca049d01c0ee94afb7cd5dfd959541e6c8da
+Author: Clément Lecigne <clement.lecigne at netasq.com>
+Date: Thu Feb 12 16:59:09 2009 -0800
+
+ net: 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt try #2
+
+ In function sock_getsockopt() located in net/core/sock.c, optval v.val
+ is not correctly initialized and directly returned in userland in case
+ we have SO_BSDCOMPAT option set.
+
+ This dummy code should trigger the bug:
+
+ int main(void)
+ {
+ unsigned char buf[4] = { 0, 0, 0, 0 };
+ int len;
+ int sock;
+ sock = socket(33, 2, 2);
+ getsockopt(sock, 1, SO_BSDCOMPAT, &buf, &len);
+ printf("%x%x%x%x\n", buf[0], buf[1], buf[2], buf[3]);
+ close(sock);
+ }
+
+ Here is a patch that fix this bug by initalizing v.val just after its
+ declaration.
+
+ Signed-off-by: Clément Lecigne <clement.lecigne at netasq.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/net/core/sock.c linux-source-2.6.24/net/core/sock.c
+--- linux-source-2.6.24.orig/net/core/sock.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/core/sock.c 2009-02-24 23:20:47.000000000 -0700
+@@ -691,6 +691,8 @@ int sock_getsockopt(struct socket *sock,
+ if (len < 0)
+ return -EINVAL;
+
++ v.val = 0;
++
+ switch(optname) {
+ case SO_DEBUG:
+ v.val = sock_flag(sk, SOCK_DBG);
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/nfs-remove-buggy-lock-if-signalled-case.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/nfs-remove-buggy-lock-if-signalled-case.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/nfs-remove-buggy-lock-if-signalled-case.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/nfs-remove-buggy-lock-if-signalled-case.patch)
@@ -0,0 +1,36 @@
+commit c4d7c402b788b73dc24f1e54a57f89d3dc5eb7bc
+Author: Trond Myklebust <Trond.Myklebust at netapp.com>
+Date: Tue Apr 1 20:26:52 2008 -0400
+
+ NFS: Remove the buggy lock-if-signalled case from do_setlk()
+
+ Both NLM and NFSv4 should be able to clean up adequately in the case where
+ the user interrupts the RPC call...
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/fs/nfs/file.c linux-source-2.6.24/fs/nfs/file.c
+--- linux-source-2.6.24.orig/fs/nfs/file.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/fs/nfs/file.c 2009-01-13 21:52:35.000000000 -0700
+@@ -578,17 +578,9 @@ static int do_setlk(struct file *filp, i
+
+ lock_kernel();
+ /* Use local locking if mounted with "-onolock" */
+- if (!(NFS_SERVER(inode)->flags & NFS_MOUNT_NONLM)) {
++ if (!(NFS_SERVER(inode)->flags & NFS_MOUNT_NONLM))
+ status = NFS_PROTO(inode)->lock(filp, cmd, fl);
+- /* If we were signalled we still need to ensure that
+- * we clean up any state on the server. We therefore
+- * record the lock call as having succeeded in order to
+- * ensure that locks_remove_posix() cleans it out when
+- * the process exits.
+- */
+- if (status == -EINTR || status == -ERESTARTSYS)
+- do_vfs_lock(filp, fl);
+- } else
++ else
+ status = do_vfs_lock(filp, fl);
+ unlock_kernel();
+ if (status < 0)
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/pid-extend+fix-pid_vnr.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/pid-extend+fix-pid_vnr.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/pid-extend+fix-pid_vnr.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/pid-extend+fix-pid_vnr.patch)
@@ -0,0 +1,92 @@
+commit 44c4e1b2581f7273ab14ef30b6430618801c57b1
+Author: Eric W. Biederman <ebiederm at xmission.com>
+Date: Fri Feb 8 04:19:15 2008 -0800
+
+ pid: Extend/Fix pid_vnr
+
+ pid_vnr returns the user space pid with respect to the pid namespace the
+ struct pid was allocated in. What we want before we return a pid to user
+ space is the user space pid with respect to the pid namespace of current.
+
+ pid_vnr is a very nice optimization but because it isn't quite what we want
+ it is easy to use pid_vnr at times when we aren't certain the struct pid
+ was allocated in our pid namespace.
+
+ Currently this describes at least tiocgpgrp and tiocgsid in ttyio.c the
+ parent process reported in the core dumps and the parent process in
+ get_signal_to_deliver.
+
+ So unless the performance impact is huge having an interface that does what
+ we want instead of always what we want should be much more reliable and
+ much less error prone.
+
+ Signed-off-by: Eric W. Biederman <ebiederm at xmission.com>
+ Cc: Oleg Nesterov <oleg at tv-sign.ru>
+ Acked-by: Pavel Emelyanov <xemul at openvz.org>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/include/linux/pid.h linux-source-2.6.24/include/linux/pid.h
+--- linux-source-2.6.24.orig/include/linux/pid.h 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/include/linux/pid.h 2009-04-20 21:28:24.000000000 -0600
+@@ -127,9 +127,8 @@ extern void zap_pid_ns_processes(struct
+ * the helpers to get the pid's id seen from different namespaces
+ *
+ * pid_nr() : global id, i.e. the id seen from the init namespace;
+- * pid_vnr() : virtual id, i.e. the id seen from the namespace this pid
+- * belongs to. this only makes sence when called in the
+- * context of the task that belongs to the same namespace;
++ * pid_vnr() : virtual id, i.e. the id seen from the pid namespace of
++ * current.
+ * pid_nr_ns() : id seen from the ns specified.
+ *
+ * see also task_xid_nr() etc in include/linux/sched.h
+@@ -144,14 +143,7 @@ static inline pid_t pid_nr(struct pid *p
+ }
+
+ pid_t pid_nr_ns(struct pid *pid, struct pid_namespace *ns);
+-
+-static inline pid_t pid_vnr(struct pid *pid)
+-{
+- pid_t nr = 0;
+- if (pid)
+- nr = pid->numbers[pid->level].nr;
+- return nr;
+-}
++pid_t pid_vnr(struct pid *pid);
+
+ #define do_each_pid_task(pid, type, task) \
+ do { \
+diff -urpN linux-source-2.6.24.orig/include/linux/sched.h linux-source-2.6.24/include/linux/sched.h
+--- linux-source-2.6.24.orig/include/linux/sched.h 2009-04-11 14:35:47.000000000 -0600
++++ linux-source-2.6.24/include/linux/sched.h 2009-04-20 21:28:24.000000000 -0600
+@@ -1252,9 +1252,8 @@ struct pid_namespace;
+ * from various namespaces
+ *
+ * task_xid_nr() : global id, i.e. the id seen from the init namespace;
+- * task_xid_vnr() : virtual id, i.e. the id seen from the namespace the task
+- * belongs to. this only makes sence when called in the
+- * context of the task that belongs to the same namespace;
++ * task_xid_vnr() : virtual id, i.e. the id seen from the pid namespace of
++ * current.
+ * task_xid_nr_ns() : id seen from the ns specified;
+ *
+ * set_task_vxid() : assigns a virtual id to a task;
+diff -urpN linux-source-2.6.24.orig/kernel/pid.c linux-source-2.6.24/kernel/pid.c
+--- linux-source-2.6.24.orig/kernel/pid.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/kernel/pid.c 2009-04-20 21:28:24.000000000 -0600
+@@ -443,6 +443,12 @@ pid_t pid_nr_ns(struct pid *pid, struct
+ return nr;
+ }
+
++pid_t pid_vnr(struct pid *pid)
++{
++ return pid_nr_ns(pid, current->nsproxy->pid_ns);
++}
++EXPORT_SYMBOL_GPL(pid_vnr);
++
+ pid_t task_pid_nr_ns(struct task_struct *tsk, struct pid_namespace *ns)
+ {
+ return pid_nr_ns(task_pid(tsk), ns);
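Review bot: The out-of-line `pid_vnr()` now dereferences `current->nsproxy->pid_ns`, which the inline version it replaces never touched; any caller that runs after a task has dropped its namespaces (nsproxy cleared on the exit path) would oops here instead of returning an id. Whether such a caller exists in this tree is not visible in the hunk, so it is worth checking call sites reachable from do_exit(), or guarding with a NULL test on `current->nsproxy` before the dereference. Also confirm that struct nsproxy is a complete type in kernel/pid.c, since the include block is outside the hunk. Documenting the new contract in the header comment (id relative to current's namespace, 0 when the pid is not visible there) would also help callers that rely on the 0 result.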
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch)
@@ -0,0 +1,74 @@
+commit 9fcb95a105758b81ef0131cd18e2db5149f13e95
+Author: Wei Yongjun <yjwei at cn.fujitsu.com>
+Date: Thu Dec 25 16:58:11 2008 -0800
+
+ sctp: Avoid memory overflow while FWD-TSN chunk is received with bad stream ID
+
+ If FWD-TSN chunk is received with bad stream ID, the sctp will not do the
+ validity check, this may cause memory overflow when overwrite the TSN of
+ the stream ID.
+
+ The FORWARD-TSN chunk is like this:
+
+ FORWARD-TSN chunk
+ Type = 192
+ Flags = 0
+ Length = 172
+ NewTSN = 99
+ Stream = 10000
+ StreamSequence = 0xFFFF
+
+ This patch fix this problem by discard the chunk if stream ID is not
+ less than MIS.
+
+ Signed-off-by: Wei Yongjun <yjwei at cn.fujitsu.com>
+ Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/net/sctp/sm_statefuns.c linux-source-2.6.24/net/sctp/sm_statefuns.c
+--- linux-source-2.6.24.orig/net/sctp/sm_statefuns.c 2008-12-24 18:58:51.000000000 -0700
++++ linux-source-2.6.24/net/sctp/sm_statefuns.c 2009-01-21 13:01:02.000000000 -0700
+@@ -3569,6 +3569,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+ {
+ struct sctp_chunk *chunk = arg;
+ struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++ struct sctp_fwdtsn_skip *skip;
+ __u16 len;
+ __u32 tsn;
+
+@@ -3598,6 +3599,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+ if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+ goto discard_noforce;
+
++ /* Silently discard the chunk if stream-id is not valid */
++ sctp_walk_fwdtsn(skip, chunk) {
++ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++ goto discard_noforce;
++ }
++
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+ if (len > sizeof(struct sctp_fwdtsn_hdr))
+ sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
+@@ -3629,6 +3636,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ {
+ struct sctp_chunk *chunk = arg;
+ struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++ struct sctp_fwdtsn_skip *skip;
+ __u16 len;
+ __u32 tsn;
+
+@@ -3658,6 +3666,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+ goto gen_shutdown;
+
++ /* Silently discard the chunk if stream-id is not valid */
++ sctp_walk_fwdtsn(skip, chunk) {
++ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++ goto gen_shutdown;
++ }
++
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+ if (len > sizeof(struct sctp_fwdtsn_hdr))
+ sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
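Review bot: The stream-id validation loop is inserted verbatim in both sctp_sf_eat_fwd_tsn and sctp_sf_eat_fwd_tsn_fast, differing only in the goto target; a small static helper would keep the two copies from diverging the next time the check is tightened. The helper below assumes `asoc` is a const pointer in the state-function signatures, as I recall it is; adjust the parameter if not. Both functions continue outside their hunks.

```c
/* Return non-zero when every skip entry of a FWD-TSN chunk names a stream
 * below the negotiated inbound stream count (MIS); zero otherwise. */
static int sctp_fwdtsn_streams_valid(const struct sctp_association *asoc,
				     struct sctp_chunk *chunk)
{
	struct sctp_fwdtsn_skip *skip;

	sctp_walk_fwdtsn(skip, chunk) {
		if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
			return 0;
	}
	return 1;
}

/* … unchanged: sctp_sf_eat_fwd_tsn up to the tsnmap check … */
	/* Silently discard the chunk if stream-id is not valid */
	if (!sctp_fwdtsn_streams_valid(asoc, chunk))
		goto discard_noforce;

/* … unchanged: sctp_sf_eat_fwd_tsn_fast up to the tsnmap check … */
	/* Silently discard the chunk if stream-id is not valid */
	if (!sctp_fwdtsn_streams_valid(asoc, chunk))
		goto gen_shutdown;
```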
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/security-keyctl-missing-kfree.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/security-keyctl-missing-kfree.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/security-keyctl-missing-kfree.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/security-keyctl-missing-kfree.patch)
@@ -0,0 +1,27 @@
+commit 0d54ee1c7850a954026deec4cd4885f331da35cc
+Author: Vegard Nossum <vegard.nossum at gmail.com>
+Date: Sat Jan 17 17:45:45 2009 +0100
+
+ security: introduce missing kfree
+
+ Plug this leak.
+
+ Acked-by: David Howells <dhowells at redhat.com>
+ Cc: James Morris <jmorris at namei.org>
+ Cc: <stable at kernel.org>
+ Signed-off-by: Vegard Nossum <vegard.nossum at gmail.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/security/keys/keyctl.c linux-source-2.6.24/security/keys/keyctl.c
+--- linux-source-2.6.24.orig/security/keys/keyctl.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/security/keys/keyctl.c 2009-02-09 22:43:52.000000000 -0700
+@@ -253,6 +253,7 @@ long keyctl_join_session_keyring(const c
+
+ /* join the session */
+ ret = join_session_keyring(name);
++ kfree(name);
+
+ error:
+ return ret;
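Review bot: Freeing `name` immediately after `join_session_keyring()` is correct only if that function copies the string rather than keeping the pointer; the hunk does not show join_session_keyring or the keyring allocation, so confirm the description is duplicated there (upstream's key_alloc does so, as far as I recall). A short comment on the new line, `/* join_session_keyring() copies the name; this buffer is ours to free */`, would record that ownership for the next reader. keyctl_join_session_keyring starts outside the hunk.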
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch)
@@ -0,0 +1,46 @@
+commit a68e61e8ff2d46327a37b69056998b47745db6fa
+Author: Tony Battersby <tonyb at cybernetics.com>
+Date: Wed Feb 4 15:12:04 2009 -0800
+
+ shm: fix shmctl(SHM_INFO) lockup with !CONFIG_SHMEM
+
+ shm_get_stat() assumes that the inode is a "struct shmem_inode_info",
+ which is incorrect for !CONFIG_SHMEM (see fs/ramfs/inode.c:
+ ramfs_get_inode() vs. mm/shmem.c: shmem_get_inode()).
+
+ This bad assumption can cause shmctl(SHM_INFO) to lockup when
+ shm_get_stat() tries to spin_lock(&info->lock). Users of !CONFIG_SHMEM
+ may encounter this lockup simply by invoking the 'ipcs' command.
+
+ Reported by Jiri Olsa back in February 2008:
+ http://lkml.org/lkml/2008/2/29/74
+
+ Signed-off-by: Tony Battersby <tonyb at cybernetics.com>
+ Cc: Jiri Kosina <jkosina at suse.cz>
+ Reported-by: Jiri Olsa <olsajiri at gmail.com>
+ Cc: Hugh Dickins <hugh at veritas.com>
+ Cc: <stable at kernel.org> [2.6.everything]
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org
+
+diff -urpN a/ipc/shm.c b/ipc/shm.c
+--- a/ipc/shm.c 2009-04-05 19:32:23.000000000 -0600
++++ b/ipc/shm.c 2009-04-06 00:01:41.000000000 -0600
+@@ -630,11 +630,15 @@ static void shm_get_stat(struct ipc_name
+ struct address_space *mapping = inode->i_mapping;
+ *rss += (HPAGE_SIZE/PAGE_SIZE)*mapping->nrpages;
+ } else {
++#ifdef CONFIG_SHMEM
+ struct shmem_inode_info *info = SHMEM_I(inode);
+ spin_lock(&info->lock);
+ *rss += inode->i_mapping->nrpages;
+ *swp += info->swapped;
+ spin_unlock(&info->lock);
++#else
++ *rss += inode->i_mapping->nrpages;
++#endif
+ }
+
+ total++;
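Review bot: The `#else` branch only adds `nrpages` and leaves `*swp` untouched; that matches the commit message (a non-shmem inode is ramfs-backed and has no swap accounting) but is not stated in the code, so a comment on the `#else` line, `/* !CONFIG_SHMEM: ramfs backing, nothing is ever swapped out */`, would stop the next reader from suspecting a dropped counter. Note also that the `#else` path reads `i_mapping->nrpages` with no lock held, whereas the CONFIG_SHMEM path reads it under `info->lock`; presumably acceptable for a statistics snapshot, but worth a word. The backport attribution line `Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org` is missing its closing `>`. shm_get_stat's body begins and ends outside the hunk.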
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/skfp-fix-inverted-cap-logic.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/skfp-fix-inverted-cap-logic.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/skfp-fix-inverted-cap-logic.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/skfp-fix-inverted-cap-logic.patch)
@@ -0,0 +1,28 @@
+commit c25b9abbc2c2c0da88e180c3933d6e773245815a
+Author: Roel Kluin <roel.kluin at gmail.com>
+Date: Thu Jan 29 17:32:20 2009 -0800
+
+ drivers/net/skfp: if !capable(CAP_NET_ADMIN): inverted logic
+
+ Fix inverted logic
+
+ Signed-off-by: Roel Kluin <roel.kluin at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN a/drivers/net/skfp/skfddi.c b/drivers/net/skfp/skfddi.c
+--- a/drivers/net/skfp/skfddi.c 2008-01-24 15:58:37.000000000 -0700
++++ b/drivers/net/skfp/skfddi.c 2009-04-05 21:58:20.000000000 -0600
+@@ -998,9 +998,9 @@ static int skfp_ioctl(struct net_device
+ break;
+ case SKFP_CLR_STATS: /* Zero out the driver statistics */
+ if (!capable(CAP_NET_ADMIN)) {
+- memset(&lp->MacStat, 0, sizeof(lp->MacStat));
+- } else {
+ status = -EPERM;
++ } else {
++ memset(&lp->MacStat, 0, sizeof(lp->MacStat));
+ }
+ break;
+ default:
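Review bot: In the privileged branch of `SKFP_CLR_STATS` the function now falls out of the `case` with `status` unchanged from whatever it held before the `switch` (its initialization is outside this hunk), so a successful clear relies on that earlier value being 0; confirm that, or make it explicit with `status = 0;` next to the memset. A comment above the check, `/* clearing the counters is privileged; unprivileged callers get -EPERM */`, would record the intent that the original code had inverted. skfp_ioctl's body begins and ends outside the hunk.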
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/all/watchdog-ib700wdt-buffer_underflow.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/watchdog-ib700wdt-buffer_underflow.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/watchdog-ib700wdt-buffer_underflow.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/all/watchdog-ib700wdt-buffer_underflow.patch)
@@ -0,0 +1,31 @@
+commit 7c2500f17d65092d93345f3996cf82ebca17e9ff
+Author: Wim Van Sebroeck <wim at iguana.be>
+Date: Wed Oct 15 08:53:06 2008 +0000
+
+ [WATCHDOG] ib700wdt.c - fix buffer_underflow bug
+
+ This fixes Bug 11399:
+ if ibwdt_set_heartbeat(int t) is called with value 30 then
+ the check "if ((t < 0) || (t > 30))" in ibwdt_set_heartbeat
+ is not going to fail because t == 30, but in the loop, the
+ check wd_times[i] > t is never going to be true because
+ none of the wd_times are greater than the value of t (i.e. 30).
+ So we are exiting the loop with i == -1 and therefore setting
+ wd_margin to -1 which is wrong.
+
+ Reported-by: Zvonimir Rakamaric <zrakamar at cs.ubc.ca>
+ Signed-off-by: Wim Van Sebroeck <wim at iguana.be>
+
+diff --git a/drivers/watchdog/ib700wdt.c b/drivers/watchdog/ib700wdt.c
+index 05a2810..8782ec1 100644
+--- a/drivers/watchdog/ib700wdt.c
++++ b/drivers/watchdog/ib700wdt.c
+@@ -154,7 +154,7 @@ static int ibwdt_set_heartbeat(int t)
+ return -EINVAL;
+
+ for (i = 0x0F; i > -1; i--)
+- if (wd_times[i] > t)
++ if (wd_times[i] >= t)
+ break;
+ wd_margin = i;
+ return 0;
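Review bot: The loop can still finish with `i == -1` whenever `t` is larger than every entry in `wd_times[]`, and nothing after it checks for that; switching to `>=` closes the `t == 30` case only because the range check preceding it (partly outside this hunk) happens to match the table's largest value. A guard such as `if (i < 0) return -EINVAL;` before `wd_margin = i;` would keep the function safe even if the table or the range check is edited independently later, and it costs one line. ibwdt_set_heartbeat's body begins outside the hunk.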
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/hppa/userspace-unwind-crash.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/hppa/userspace-unwind-crash.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/hppa/userspace-unwind-crash.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/hppa/userspace-unwind-crash.patch)
@@ -0,0 +1,116 @@
+commit 7a3f5134a8f5bd7fa38b5645eef05e8a4eb62951
+Author: Helge Deller <deller at gmx.de>
+Date: Wed Nov 26 12:46:22 2008 -0800
+
+ parisc: fix kernel crash when unwinding a userspace process
+
+ Any user on existing parisc 32- and 64bit-kernels can easily crash
+ the kernel and as such enforce a DSO.
+ A simple testcase is available here:
+ http://gsyprf10.external.hp.com/~deller/crash.tgz
+
+ The problem is introduced by the fact, that the handle_interruption()
+ crash handler calls the show_regs() function, which in turn tries to
+ unwind the stack by calling parisc_show_stack(). Since the stack contains
+ userspace addresses, a try to unwind the stack is dangerous and useless
+ and leads to the crash.
+
+ The fix is trivial: For userspace processes
+ a) avoid to unwind the stack, and
+ b) avoid to resolve userspace addresses to kernel symbol names.
+
+ While touching this code, I converted print_symbol() to %pS
+ printk formats and made parisc_show_stack() static.
+
+ An initial patch for this was written by Kyle McMartin back in August:
+ http://marc.info/?l=linux-parisc&m=121805168830283&w=2
+
+ Compile and run-tested with a 64bit parisc kernel.
+
+ Signed-off-by: Helge Deller <deller at gmx.de>
+ Cc: Grant Grundler <grundler at parisc-linux.org>
+ Cc: Matthew Wilcox <matthew at wil.cx>
+ Cc: <stable at kernel.org> [2.6.25.x, 2.6.26.x, 2.6.27.x, earlier...]
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Kyle McMartin <kyle at mcmartin.ca>
+
+Backported to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/arch/parisc/kernel/traps.c linux-source-2.6.24/arch/parisc/kernel/traps.c
+--- linux-source-2.6.24.orig/arch/parisc/kernel/traps.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/arch/parisc/kernel/traps.c 2009-02-19 00:02:55.000000000 -0700
+@@ -24,7 +24,6 @@
+ #include <linux/init.h>
+ #include <linux/interrupt.h>
+ #include <linux/console.h>
+-#include <linux/kallsyms.h>
+ #include <linux/bug.h>
+
+ #include <asm/assembly.h>
+@@ -118,18 +117,19 @@ static void print_fr(char *level, struct
+
+ void show_regs(struct pt_regs *regs)
+ {
+- int i;
++ int i, user;
+ char *level;
+ unsigned long cr30, cr31;
+
+- level = user_mode(regs) ? KERN_DEBUG : KERN_CRIT;
++ user = user_mode(regs);
++ level = user ? KERN_DEBUG : KERN_CRIT;
+
+ print_gr(level, regs);
+
+ for (i = 0; i < 8; i += 4)
+ PRINTREGS(level, regs->sr, "sr", RFMT, i);
+
+- if (user_mode(regs))
++ if (user)
+ print_fr(level, regs);
+
+ cr30 = mfctl(30);
+@@ -142,12 +142,16 @@ void show_regs(struct pt_regs *regs)
+ printk("%s CPU: %8d CR30: " RFMT " CR31: " RFMT "\n",
+ level, current_thread_info()->cpu, cr30, cr31);
+ printk("%s ORIG_R28: " RFMT "\n", level, regs->orig_r28);
+- printk(level);
+- print_symbol(" IAOQ[0]: %s\n", regs->iaoq[0]);
+- printk(level);
+- print_symbol(" IAOQ[1]: %s\n", regs->iaoq[1]);
+- printk(level);
+- print_symbol(" RP(r2): %s\n", regs->gr[2]);
++
++ if (user) {
++ printk("%s IAOQ[0]: " RFMT "\n", level, regs->iaoq[0]);
++ printk("%s IAOQ[1]: " RFMT "\n", level, regs->iaoq[1]);
++ printk("%s RP(r2): " RFMT "\n", level, regs->gr[2]);
++ } else {
++ printk("%s IAOQ[0]: %pS\n", level, (void *) regs->iaoq[0]);
++ printk("%s IAOQ[1]: %pS\n", level, (void *) regs->iaoq[1]);
++ printk("%s RP(r2): %pS\n", level, (void *) regs->gr[2]);
++ }
+ }
+
+
+@@ -168,17 +172,12 @@ static void do_show_stack(struct unwind_
+ break;
+
+ if (__kernel_text_address(info->ip)) {
+- printk("%s [<" RFMT ">] ", (i&0x3)==1 ? KERN_CRIT : "", info->ip);
+-#ifdef CONFIG_KALLSYMS
+- print_symbol("%s\n", info->ip);
+-#else
+- if ((i & 0x03) == 0)
+- printk("\n");
+-#endif
++ printk(KERN_CRIT " [<" RFMT ">] %pS\n",
++ info->ip, (void *) info->ip);
+ i++;
+ }
+ }
+- printk("\n");
++ printk(KERN_CRIT "\n");
+ }
+
+ void show_stack(struct task_struct *task, unsigned long *s)
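Review bot: The kernel-mode branch of show_regs() and the rewritten do_show_stack() now depend on printk understanding the `%pS` pointer extension (`printk("%s IAOQ[0]: %pS\n", level, (void *) regs->iaoq[0]);` and `printk(KERN_CRIT " [<" RFMT ">] %pS\n", info->ip, (void *) info->ip);`); I believe that extension post-dates 2.6.24 in lib/vsprintf.c, so unless this Debian tree carries it these lines will print the raw pointer followed by a literal `S` and kernel oops output loses its symbol names. The security-relevant part of the fix — printing user-mode IAOQ/RP as plain values and not unwinding or symbol-resolving user addresses — does not depend on `%pS`, so if it is unsupported the kernel-mode branch can keep `print_symbol()` (and the `<linux/kallsyms.h>` include removed at the top of the hunk) without weakening the fix. Please confirm against this tree's lib/vsprintf.c before shipping. do_show_stack's body begins outside the hunk.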
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/kvm-vmx-inhibit-EFER-access.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/kvm-vmx-inhibit-EFER-access.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/kvm-vmx-inhibit-EFER-access.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/kvm-vmx-inhibit-EFER-access.patch)
@@ -0,0 +1,36 @@
+commit 16175a796d061833aacfbd9672235f2d2725df65
+Author: Avi Kivity <avi at redhat.com>
+Date: Mon Mar 23 22:13:44 2009 +0200
+
+ KVM: VMX: Don't allow uninhibited access to EFER on i386
+
+ vmx_set_msr() does not allow i386 guests to touch EFER, but they can still
+ do so through the default: label in the switch. If they set EFER_LME, they
+ can oops the host.
+
+ Fix by having EFER access through the normal channel (which will check for
+ EFER_LME) even on i386.
+
+ Reported-and-tested-by: Benjamin Gilbert <bgilbert at cs.cmu.edu>
+ Cc: stable at kernel.org
+ Signed-off-by: Avi Kivity <avi at redhat.com>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN a/drivers/kvm/vmx.c b/drivers/kvm/vmx.c
+--- a/drivers/kvm/vmx.c 2008-01-24 15:58:37.000000000 -0700
++++ b/drivers/kvm/vmx.c 2009-04-08 22:46:00.000000000 -0600
+@@ -709,12 +709,12 @@ static int vmx_set_msr(struct kvm_vcpu *
+ int ret = 0;
+
+ switch (msr_index) {
+-#ifdef CONFIG_X86_64
+ case MSR_EFER:
+ ret = kvm_set_msr_common(vcpu, msr_index, data);
+ if (vmx->host_state.loaded)
+ load_transition_efer(vmx);
+ break;
++#ifdef CONFIG_X86_64
+ case MSR_FS_BASE:
+ vmcs_writel(GUEST_FS_BASE, data);
+ break;
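Review bot: Moving `case MSR_EFER:` above the `#ifdef CONFIG_X86_64` makes this path compile on i386, so `load_transition_efer()` and `vmx->host_state.loaded` must be available unconditionally in 2.6.24's vmx.c (both are outside this hunk); please confirm the i386 build. The actual rejection of EFER_LME for 32-bit guests is not in this hunk either — it is whatever `kvm_set_msr_common()` does with reserved EFER bits in 2.6.24's x86.c — so it is worth verifying that the 2.6.24 reserved-bits mask treats LME as reserved on i386, otherwise the guest-triggerable host oops described in the commit message is not closed. A comment on the case line, `/* routed through kvm_set_msr_common() on i386 too so EFER_LME is rejected there */`, would keep the next person from re-adding the ifdef. vmx_set_msr's body begins and ends outside the hunk.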
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/mips/fix-potential-dos.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/mips/fix-potential-dos.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/mips/fix-potential-dos.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/mips/fix-potential-dos.patch)
@@ -0,0 +1,69 @@
+From: Vlad Malov <Vlad.Malov at caviumnetworks.com>
+Date: Tue, 18 Nov 2008 23:05:46 +0000 (-0800)
+Subject: MIPS: Fix potential DOS by untrusted user app.
+X-Git-Url: http://www.linux-mips.org/git?p=linux.git;a=commitdiff_plain;h=9718dcd85e604007fcacfe9c6cf71f8a2ddb1c37
+
+MIPS: Fix potential DOS by untrusted user app.
+
+On a 64 bit kernel if an o32 syscall was made with a syscall number less
+than 4000, we would read the function from outside of the bounds of the
+syscall table. This led to non-deterministic behavior including system
+crashes.
+
+While we were at it we reworked the 32 bit version as well to use fewer
+instructions. Both 32 and 64 bit versions are use the same code now.
+
+Signed-off-by: Vlad Malov <Vlad.Malov at caviumnetworks.com>
+Signed-off-by: David Daney <ddaney at caviumnetworks.com>
+Signed-off-by: Ralf Baechle <ralf at linux-mips.org>
+(cherry picked from commit 24f8c295c60d135ba058eecf9b85a521ed2d50a3)
+---
+
+diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
+index 6aa1400..fb116bf 100644
+--- a/arch/mips/kernel/scall32-o32.S
++++ b/arch/mips/kernel/scall32-o32.S
+@@ -270,18 +270,11 @@ bad_alignment:
+ subu t0, a0, __NR_O32_Linux # check syscall number
+ sltiu v0, t0, __NR_O32_Linux_syscalls + 1
+ #endif
++ beqz t0, einval # do not recurse
+ sll t1, t0, 3
+ beqz v0, einval
+-
+ lw t2, sys_call_table(t1) # syscall routine
+
+-#if defined(CONFIG_BINFMT_IRIX)
+- li v1, 4000 # nr of sys_syscall
+-#else
+- li v1, 4000 - __NR_O32_Linux # index of sys_syscall
+-#endif
+- beq t0, v1, einval # do not recurse
+-
+ /* Some syscalls like execve get their arguments from struct pt_regs
+ and claim zero arguments in the syscall table. Thus we have to
+ assume the worst case and shuffle around all potential arguments.
+diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
+index 9a275ef..8dce4c2 100644
+--- a/arch/mips/kernel/scall64-o32.S
++++ b/arch/mips/kernel/scall64-o32.S
+@@ -174,14 +174,12 @@ not_o32_scall:
+ END(handle_sys)
+
+ LEAF(sys32_syscall)
+- sltu v0, a0, __NR_O32_Linux + __NR_O32_Linux_syscalls + 1
++ subu t0, a0, __NR_O32_Linux # check syscall number
++ sltiu v0, t0, __NR_O32_Linux_syscalls + 1
++ beqz t0, einval # do not recurse
++ dsll t1, t0, 3
+ beqz v0, einval
+-
+- dsll v0, a0, 3
+- ld t2, (sys_call_table - (__NR_O32_Linux * 8))(v0)
+-
+- li v1, 4000 # indirect syscall number
+- beq a0, v1, einval # do not recurse
++ ld t2, sys_call_table(t1) # syscall routine
+
+ move a0, a1 # shift argument registers
+ move a1, a2
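Review bot: In both new sequences the instruction after `beqz v0, einval` is the table load (`lw t2, sys_call_table(t1)` / `ld t2, sys_call_table(t1)`), and `sll`/`dsll t1, t0, 3` directly follows `beqz t0, einval`; this is only safe if the assembler is in reorder mode for this region so the branch delay slots receive a nop (or the harmless shift) rather than the load with an unchecked index, which would re-create the out-of-table read the patch is fixing. Confirm that no `.set noreorder` is in effect in handle_sys/sys32_syscall in the 2.6.24 files, or add explicit `nop`s after the branches. The range check itself looks right: `subu` then `sltiu` against `__NR_O32_Linux_syscalls + 1` rejects numbers both below `__NR_O32_Linux` (the subtraction goes negative, hence huge unsigned) and above the table, and `beqz t0` stops `sys_syscall` re-entering itself. The enclosing routines begin and end outside the hunk.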
Copied: dists/etch/linux-2.6.24/debian/patches/bugfix/syscall-audit-fix-32+64-syscall-hole.patch (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/syscall-audit-fix-32+64-syscall-hole.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/syscall-audit-fix-32+64-syscall-hole.patch Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/bugfix/syscall-audit-fix-32+64-syscall-hole.patch)
@@ -0,0 +1,33 @@
+commit ccbe495caa5e604b04d5a31d7459a6f6a76a756c
+Author: Roland McGrath <roland at redhat.com>
+Date: Fri Feb 27 19:03:24 2009 -0800
+
+ x86-64: syscall-audit: fix 32/64 syscall hole
+
+ On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with
+ ljmp, and then use the "syscall" instruction to make a 64-bit system
+ call. A 64-bit process make a 32-bit system call with int $0x80.
+
+ In both these cases, audit_syscall_entry() will use the wrong system
+ call number table and the wrong system call argument registers. This
+ could be used to circumvent a syscall audit configuration that filters
+ based on the syscall numbers or argument details.
+
+ Signed-off-by: Roland McGrath <roland at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+Based on Eugene Teo's backport for RHEL5
+
+diff -urpN a/arch/x86/kernel/ptrace_64.c b/arch/x86/kernel/ptrace_64.c
+--- a/arch/x86/kernel/ptrace_64.c 2008-01-24 15:58:37.000000000 -0700
++++ b/arch/x86/kernel/ptrace_64.c 2009-04-05 23:54:55.000000000 -0600
+@@ -595,7 +595,7 @@ asmlinkage void syscall_trace_enter(stru
+ syscall_trace(regs);
+
+ if (unlikely(current->audit_context)) {
+- if (test_thread_flag(TIF_IA32)) {
++ if (is_compat_task()) {
+ audit_syscall_entry(AUDIT_ARCH_I386,
+ regs->orig_rax,
+ regs->rbx, regs->rcx,
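Review bot: The fix only holds if `is_compat_task()` in this tree is defined from the per-entry `TS_COMPAT` thread-info status set by the ia32 entry paths, not from the per-process `TIF_IA32` flag it replaces; if 2.6.24's asm/compat.h lacks that helper or defines it via TIF_IA32, the hunk compiles without closing the hole, so the backport should include or verify that definition. The 64-bit `else` branch and `syscall_trace_leave()` are outside the hunk; the exit side does not select an arch table, so the one-line change is presumably complete. A comment above the check, `/* TS_COMPAT reflects the entry path used for this syscall; TIF_IA32 only the task's ABI */`, would document why the old test was wrong. syscall_trace_enter's body begins and ends outside the hunk.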
Copied: dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1 (from r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/series/6~etchnhalf.8etch1)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1 Sat May 2 18:19:21 2009 (r13533, copy of r13532, releases/linux-2.6.24/2.6.24-6~etchnhalf.8etch1/debian/patches/series/6~etchnhalf.8etch1)
@@ -0,0 +1,88 @@
++ bugfix/all/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch
++ bugfix/all/watchdog-ib700wdt-buffer_underflow.patch
++ bugfix/all/enforce-minimum-SG_IO-timeout.patch
++ bugfix/mips/fix-potential-dos.patch
++ bugfix/all/sctp-avoid-memory-overflow.patch
++ bugfix/all/nfs-remove-buggy-lock-if-signalled-case.patch
++ bugfix/all/CVE-2009-0029/0001-Move-compat-system-call-declarations.patch
++ bugfix/all/CVE-2009-0029/0002-Convert-all-system-calls-to-return-a.patch
++ bugfix/all/CVE-2009-0029/0003-Rename-old_readdir-to-sys_old_readdi.patch
++ bugfix/all/CVE-2009-0029/0004pre1-ia64-kill-sys32_pipe.patch
++ bugfix/all/CVE-2009-0029/0004pre2-unify-sys_pipe.patch
++ bugfix/all/CVE-2009-0029/0004-Remove-__attribute__-weak-from-sy.patch
++ bugfix/all/CVE-2009-0029/0005-Make-sys_pselect7-static.patch
++ bugfix/all/CVE-2009-0029/0006-Make-sys_syslog-a-conditional-system.patch
++ bugfix/all/CVE-2009-0029/0007pre1-create-arch-kconfig.patch
++ bugfix/all/CVE-2009-0029/0007-System-call-wrapper-infrastructure.patch
++ bugfix/all/CVE-2009-0029/0008-powerpc-Enable-syscall-wrappers-for.patch
++ bugfix/all/CVE-2009-0029/0009-s390-enable-system-call-wrappers.patch
++ bugfix/all/CVE-2009-0029/0010-System-call-wrapper-special-cases.patch
++ bugfix/all/CVE-2009-0029/0011-System-call-wrappers-part-01.patch
++ bugfix/all/CVE-2009-0029/0012-System-call-wrappers-part-02.patch
++ bugfix/all/CVE-2009-0029/0013-System-call-wrappers-part-03.patch
++ bugfix/all/CVE-2009-0029/0014-System-call-wrappers-part-04.patch
++ bugfix/all/CVE-2009-0029/0015-System-call-wrappers-part-05.patch
++ bugfix/all/CVE-2009-0029/0016-System-call-wrappers-part-06.patch
++ bugfix/all/CVE-2009-0029/0017-System-call-wrappers-part-07.patch
++ bugfix/all/CVE-2009-0029/0018-System-call-wrappers-part-08.patch
++ bugfix/all/CVE-2009-0029/0019pre1-missing-include.patch
++ bugfix/all/CVE-2009-0029/0019-System-call-wrappers-part-09.patch
++ bugfix/all/CVE-2009-0029/0020-System-call-wrappers-part-10.patch
++ bugfix/all/CVE-2009-0029/0021-System-call-wrappers-part-11.patch
++ bugfix/all/CVE-2009-0029/0022-System-call-wrappers-part-12.patch
++ bugfix/all/CVE-2009-0029/0023-System-call-wrappers-part-13.patch
++ bugfix/all/CVE-2009-0029/0024-System-call-wrappers-part-14.patch
++ bugfix/all/CVE-2009-0029/0025-System-call-wrappers-part-15.patch
++ bugfix/all/CVE-2009-0029/0026-System-call-wrappers-part-16.patch
++ bugfix/all/CVE-2009-0029/0027-System-call-wrappers-part-17.patch
++ bugfix/all/CVE-2009-0029/0028-System-call-wrappers-part-18.patch
++ bugfix/all/CVE-2009-0029/0029-System-call-wrappers-part-19.patch
++ bugfix/all/CVE-2009-0029/0030-System-call-wrappers-part-20.patch
++ bugfix/all/CVE-2009-0029/0031-System-call-wrappers-part-21.patch
++ bugfix/all/CVE-2009-0029/0032-System-call-wrappers-part-22.patch
++ bugfix/all/CVE-2009-0029/0033-System-call-wrappers-part-23.patch
++ bugfix/all/CVE-2009-0029/0034-System-call-wrappers-part-24.patch
++ bugfix/all/CVE-2009-0029/0035-System-call-wrappers-part-25.patch
++ bugfix/all/CVE-2009-0029/0036-System-call-wrappers-part-26.patch
++ bugfix/all/CVE-2009-0029/0037pre1-missing-include.patch
++ bugfix/all/CVE-2009-0029/0037-System-call-wrappers-part-27.patch
++ bugfix/all/CVE-2009-0029/0038pre1-missing-include.patch
++ bugfix/all/CVE-2009-0029/0038-System-call-wrappers-part-28.patch
++ bugfix/all/CVE-2009-0029/0039-System-call-wrappers-part-29.patch
++ bugfix/all/CVE-2009-0029/0040-System-call-wrappers-part-30.patch
++ bugfix/all/CVE-2009-0029/0041pre1-missing-include.patch
++ bugfix/all/CVE-2009-0029/0041-System-call-wrappers-part-31.patch
++ bugfix/all/CVE-2009-0029/0042pre1-missing-include.patch
++ bugfix/all/CVE-2009-0029/0042-System-call-wrappers-part-32.patch
++ bugfix/all/CVE-2009-0029/0043pre1-missing-include.patch
++ bugfix/all/CVE-2009-0029/0043-System-call-wrappers-part-33.patch
++ bugfix/all/CVE-2009-0029/0044-s390-specific-system-call-wrappers.patch
++ bugfix/all/security-keyctl-missing-kfree.patch
++ bugfix/all/ecryptfs-check-readlink-result-before-use.patch
++ bugfix/all/dell_rbu-use-scnprintf-instead-of-sprintf.patch
++ bugfix/hppa/userspace-unwind-crash.patch
++ bugfix/all/net-SO_BSDCOMPAT-leak.patch
++ bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
++ bugfix/all/CVE-2009-0029/mips-rename-sys_pipe.patch
++ bugfix/all/CVE-2009-0029/alpha-use-syscall-wrappers.patch
++ bugfix/all/CVE-2009-0029/sparc64-use-syscall-wrappers.patch
++ bugfix/all/CVE-2009-0029/mips-enable-syscall-wrappers.patch
++ bugfix/all/CVE-2009-0029/mips-enable-syscall-wrappers-no-abi-change.patch
++ bugfix/all/CVE-2009-0029/sparc64-wrap-arch-specific-syscalls.patch
++ bugfix/all/CVE-2009-0029/fix-uml-compile.patch
++ bugfix/all/CVE-2009-0029/compat-zero-upper-32bits-of-offset_high-and-offset_low.patch
++ bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch
++ bugfix/all/skfp-fix-inverted-cap-logic.patch
++ bugfix/all/ext4-initialize-the-new-group-descriptor-when-resizing-the-filesystem.patch
++ bugfix/syscall-audit-fix-32+64-syscall-hole.patch
++ bugfix/all/shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch
++ bugfix/all/fix-off-by-2-error-in-console-selection.patch
++ bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
++ bugfix/kvm-vmx-inhibit-EFER-access.patch
++ bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch
++ bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch
++ bugfix/all/pid-extend+fix-pid_vnr.patch
++ bugfix/all/agp-zero-pages-before-sending-to-userspace.patch
++ bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch
++ bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch
++ bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch