[kernel] r13663 - in dists/etch/linux-2.6: . debian debian/arch/alpha debian/arch/alpha/vserver debian/arch/arm debian/arch/hppa debian/patches debian/patches/bugfix debian/patches/bugfix/all debian/patches/bugfix/all/CVE-2009-0029 debian/patches/bugfix/hppa debian/patches/bugfix/mips debian/patches/features/all/vserver debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Wed May 20 19:56:05 UTC 2009
Author: dannf
Date: Wed May 20 19:56:03 2009
New Revision: 13663
Log:
merge 2.6.18.dfsg.1-24etch[1,2]
Added:
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/ (props changed)
- copied from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/CVE-2009-0029/
dists/etch/linux-2.6/debian/patches/bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/agp-zero-pages-before-sending-to-userspace.patch
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/agp-zero-pages-before-sending-to-userspace.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/dell_rbu-use-scnprintf-instead-of-sprintf.patch (props changed)
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/dell_rbu-use-scnprintf-instead-of-sprintf.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/net-add-preempt-point-in-qdisc_run.patch
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/net-add-preempt-point-in-qdisc_run.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/nfs-fix-oops-in-encode_lookup.patch
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/nfs-fix-oops-in-encode_lookup.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/nfs-remove-buggy-lock-if-signalled-case.patch
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/nfs-remove-buggy-lock-if-signalled-case.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch (props changed)
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/security-keyctl-missing-kfree.patch (props changed)
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/security-keyctl-missing-kfree.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/skfp-fix-inverted-cap-logic.patch
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/skfp-fix-inverted-cap-logic.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/watchdog-ib700wdt-buffer_underflow.patch
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/watchdog-ib700wdt-buffer_underflow.patch
dists/etch/linux-2.6/debian/patches/bugfix/hppa/userspace-unwind-crash.patch
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/hppa/userspace-unwind-crash.patch
dists/etch/linux-2.6/debian/patches/bugfix/mips/fix-potential-dos.patch (props changed)
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/mips/fix-potential-dos.patch
dists/etch/linux-2.6/debian/patches/bugfix/syscall-audit-fix-32+64-syscall-hole.patch
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/syscall-audit-fix-32+64-syscall-hole.patch
dists/etch/linux-2.6/debian/patches/series/24etch1 (props changed)
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/series/24etch1
dists/etch/linux-2.6/debian/patches/series/24etch2
- copied unchanged from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/series/24etch2
Modified:
dists/etch/linux-2.6/ (props changed)
dists/etch/linux-2.6/debian/arch/alpha/abi-6.alpha-generic
dists/etch/linux-2.6/debian/arch/alpha/abi-6.alpha-legacy
dists/etch/linux-2.6/debian/arch/alpha/abi-6.alpha-smp
dists/etch/linux-2.6/debian/arch/alpha/vserver/abi-6.alpha
dists/etch/linux-2.6/debian/arch/arm/abi-6.footbridge
dists/etch/linux-2.6/debian/arch/arm/abi-6.iop32x
dists/etch/linux-2.6/debian/arch/arm/abi-6.ixp4xx
dists/etch/linux-2.6/debian/arch/arm/abi-6.rpc
dists/etch/linux-2.6/debian/arch/arm/abi-6.s3c2410
dists/etch/linux-2.6/debian/arch/hppa/abi-6.parisc
dists/etch/linux-2.6/debian/arch/hppa/abi-6.parisc-smp
dists/etch/linux-2.6/debian/arch/hppa/abi-6.parisc64
dists/etch/linux-2.6/debian/arch/hppa/abi-6.parisc64-smp
dists/etch/linux-2.6/debian/changelog
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0001-Move-compat-system-call-declarations.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0002-Convert-all-system-calls-to-return-a.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0003-Rename-old_readdir-to-sys_old_readdi.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0004-Remove-__attribute__-weak-from-sy.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0004pre1-ia64-kill-sys32_pipe.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0005-Make-sys_pselect7-static.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0006-Make-sys_syslog-a-conditional-system.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0007-System-call-wrapper-infrastructure.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0007pre1-create-arch-kconfig.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0008-powerpc-Enable-syscall-wrappers-for.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0009-s390-enable-system-call-wrappers.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0010-System-call-wrapper-special-cases.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0011-System-call-wrappers-part-01.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0012-System-call-wrappers-part-02.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0013-System-call-wrappers-part-03.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0014-System-call-wrappers-part-04.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0015-System-call-wrappers-part-05.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0016-System-call-wrappers-part-06.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0017-System-call-wrappers-part-07.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0018-System-call-wrappers-part-08.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0019-System-call-wrappers-part-09.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0020-System-call-wrappers-part-10.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0021-System-call-wrappers-part-11.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0022-System-call-wrappers-part-12.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0023-System-call-wrappers-part-13.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0024-System-call-wrappers-part-14.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0025-System-call-wrappers-part-15.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0026-System-call-wrappers-part-16.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0027-System-call-wrappers-part-17.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0028-System-call-wrappers-part-18.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0029-System-call-wrappers-part-19.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0030-System-call-wrappers-part-20.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0031-System-call-wrappers-part-21.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0032-System-call-wrappers-part-22.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0033-System-call-wrappers-part-23.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0034-System-call-wrappers-part-24.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0035-System-call-wrappers-part-25.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0036-System-call-wrappers-part-26.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0037-System-call-wrappers-part-27.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0038-System-call-wrappers-part-28.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0038pre1-missing-include.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0039-System-call-wrappers-part-29.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0040-System-call-wrappers-part-30.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0041-System-call-wrappers-part-31.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0042-System-call-wrappers-part-32.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0043-System-call-wrappers-part-33.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/0044-s390-specific-system-call-wrappers.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/dont-allow-splice-to-files-opened-with-O_APPEND.patch (props changed)
dists/etch/linux-2.6/debian/patches/bugfix/sound-ensure-device-number-is-valid-in-snd_seq_oss_synth_make_info.patch (props changed)
dists/etch/linux-2.6/debian/patches/features/all/vserver/vs2.0.2.2-rc9.patch
dists/etch/linux-2.6/debian/patches/hppa.patch
Modified: dists/etch/linux-2.6/debian/arch/alpha/abi-6.alpha-generic
==============================================================================
--- dists/etch/linux-2.6/debian/arch/alpha/abi-6.alpha-generic Wed May 20 19:49:42 2009 (r13662)
+++ dists/etch/linux-2.6/debian/arch/alpha/abi-6.alpha-generic Wed May 20 19:56:03 2009 (r13663)
@@ -4950,13 +4950,11 @@
0xdcb0349b sys_close vmlinux EXPORT_SYMBOL
0xbf9dc5f7 sys_dup vmlinux EXPORT_SYMBOL
0x111c2f22 sys_exit vmlinux EXPORT_SYMBOL
-0xec2107f8 sys_lseek vmlinux EXPORT_SYMBOL
0xe269ea1c sys_open vmlinux EXPORT_SYMBOL_GPL
0x12703a3e sys_read vmlinux EXPORT_SYMBOL_GPL
0x8563d95b sys_setsid vmlinux EXPORT_SYMBOL
0xfe5d4bb2 sys_tz vmlinux EXPORT_SYMBOL
0xcb38f681 sys_wait4 vmlinux EXPORT_SYMBOL
-0x3c7eae23 sys_write vmlinux EXPORT_SYMBOL
0x13506484 sysctl_intvec vmlinux EXPORT_SYMBOL
0xdbcd416e sysctl_ip_nonlocal_bind vmlinux EXPORT_SYMBOL
0xb9b118fa sysctl_jiffies vmlinux EXPORT_SYMBOL
Modified: dists/etch/linux-2.6/debian/arch/alpha/abi-6.alpha-legacy
==============================================================================
--- dists/etch/linux-2.6/debian/arch/alpha/abi-6.alpha-legacy Wed May 20 19:49:42 2009 (r13662)
+++ dists/etch/linux-2.6/debian/arch/alpha/abi-6.alpha-legacy Wed May 20 19:56:03 2009 (r13663)
@@ -4950,13 +4950,11 @@
0xdcb0349b sys_close vmlinux EXPORT_SYMBOL
0xbf9dc5f7 sys_dup vmlinux EXPORT_SYMBOL
0x111c2f22 sys_exit vmlinux EXPORT_SYMBOL
-0xec2107f8 sys_lseek vmlinux EXPORT_SYMBOL
0xe269ea1c sys_open vmlinux EXPORT_SYMBOL_GPL
0x12703a3e sys_read vmlinux EXPORT_SYMBOL_GPL
0x8563d95b sys_setsid vmlinux EXPORT_SYMBOL
0xfe5d4bb2 sys_tz vmlinux EXPORT_SYMBOL
0xcb38f681 sys_wait4 vmlinux EXPORT_SYMBOL
-0x3c7eae23 sys_write vmlinux EXPORT_SYMBOL
0x13506484 sysctl_intvec vmlinux EXPORT_SYMBOL
0xdbcd416e sysctl_ip_nonlocal_bind vmlinux EXPORT_SYMBOL
0xb9b118fa sysctl_jiffies vmlinux EXPORT_SYMBOL
Modified: dists/etch/linux-2.6/debian/arch/alpha/abi-6.alpha-smp
==============================================================================
--- dists/etch/linux-2.6/debian/arch/alpha/abi-6.alpha-smp Wed May 20 19:49:42 2009 (r13662)
+++ dists/etch/linux-2.6/debian/arch/alpha/abi-6.alpha-smp Wed May 20 19:56:03 2009 (r13663)
@@ -4979,13 +4979,11 @@
0xdcb0349b sys_close vmlinux EXPORT_SYMBOL
0xbf9dc5f7 sys_dup vmlinux EXPORT_SYMBOL
0x111c2f22 sys_exit vmlinux EXPORT_SYMBOL
-0xec2107f8 sys_lseek vmlinux EXPORT_SYMBOL
0xe269ea1c sys_open vmlinux EXPORT_SYMBOL_GPL
0x12703a3e sys_read vmlinux EXPORT_SYMBOL_GPL
0x8563d95b sys_setsid vmlinux EXPORT_SYMBOL
0xfe5d4bb2 sys_tz vmlinux EXPORT_SYMBOL
0xcb38f681 sys_wait4 vmlinux EXPORT_SYMBOL
-0x3c7eae23 sys_write vmlinux EXPORT_SYMBOL
0x44423cd3 sysctl_intvec vmlinux EXPORT_SYMBOL
0xdbcd416e sysctl_ip_nonlocal_bind vmlinux EXPORT_SYMBOL
0x4ce9cef5 sysctl_jiffies vmlinux EXPORT_SYMBOL
Modified: dists/etch/linux-2.6/debian/arch/alpha/vserver/abi-6.alpha
==============================================================================
--- dists/etch/linux-2.6/debian/arch/alpha/vserver/abi-6.alpha Wed May 20 19:49:42 2009 (r13662)
+++ dists/etch/linux-2.6/debian/arch/alpha/vserver/abi-6.alpha Wed May 20 19:56:03 2009 (r13663)
@@ -4956,13 +4956,11 @@
0xdcb0349b sys_close vmlinux EXPORT_SYMBOL
0xbf9dc5f7 sys_dup vmlinux EXPORT_SYMBOL
0x111c2f22 sys_exit vmlinux EXPORT_SYMBOL
-0xec2107f8 sys_lseek vmlinux EXPORT_SYMBOL
0xe269ea1c sys_open vmlinux EXPORT_SYMBOL_GPL
0x12703a3e sys_read vmlinux EXPORT_SYMBOL_GPL
0x8563d95b sys_setsid vmlinux EXPORT_SYMBOL
0xfe5d4bb2 sys_tz vmlinux EXPORT_SYMBOL
0xcb38f681 sys_wait4 vmlinux EXPORT_SYMBOL
-0x3c7eae23 sys_write vmlinux EXPORT_SYMBOL
0xf42f9caa sysctl_intvec vmlinux EXPORT_SYMBOL
0xdbcd416e sysctl_ip_nonlocal_bind vmlinux EXPORT_SYMBOL
0x65806acd sysctl_jiffies vmlinux EXPORT_SYMBOL
Modified: dists/etch/linux-2.6/debian/arch/arm/abi-6.footbridge
==============================================================================
--- dists/etch/linux-2.6/debian/arch/arm/abi-6.footbridge Wed May 20 19:49:42 2009 (r13662)
+++ dists/etch/linux-2.6/debian/arch/arm/abi-6.footbridge Wed May 20 19:56:03 2009 (r13663)
@@ -3677,12 +3677,10 @@
0xb56fdbf8 synth_devs sound/oss/sound EXPORT_SYMBOL
0xdcb0349b sys_close vmlinux EXPORT_SYMBOL
0x111c2f22 sys_exit vmlinux EXPORT_SYMBOL
-0xec2107f8 sys_lseek vmlinux EXPORT_SYMBOL
0xe269ea1c sys_open vmlinux EXPORT_SYMBOL_GPL
0x2efa450d sys_read vmlinux EXPORT_SYMBOL_GPL
0xfe5d4bb2 sys_tz vmlinux EXPORT_SYMBOL
0xcb38f681 sys_wait4 vmlinux EXPORT_SYMBOL
-0x69b233d3 sys_write vmlinux EXPORT_SYMBOL
0x09624f29 sysctl_intvec vmlinux EXPORT_SYMBOL
0xdbcd416e sysctl_ip_nonlocal_bind vmlinux EXPORT_SYMBOL
0x11ccf584 sysctl_jiffies vmlinux EXPORT_SYMBOL
Modified: dists/etch/linux-2.6/debian/arch/arm/abi-6.iop32x
==============================================================================
--- dists/etch/linux-2.6/debian/arch/arm/abi-6.iop32x Wed May 20 19:49:42 2009 (r13662)
+++ dists/etch/linux-2.6/debian/arch/arm/abi-6.iop32x Wed May 20 19:56:03 2009 (r13663)
@@ -3531,12 +3531,10 @@
0x6091797f synchronize_rcu vmlinux EXPORT_SYMBOL_GPL
0xdcb0349b sys_close vmlinux EXPORT_SYMBOL
0x111c2f22 sys_exit vmlinux EXPORT_SYMBOL
-0xec2107f8 sys_lseek vmlinux EXPORT_SYMBOL
0xe269ea1c sys_open vmlinux EXPORT_SYMBOL_GPL
0x2efa450d sys_read vmlinux EXPORT_SYMBOL_GPL
0xfe5d4bb2 sys_tz vmlinux EXPORT_SYMBOL
0xcb38f681 sys_wait4 vmlinux EXPORT_SYMBOL
-0x69b233d3 sys_write vmlinux EXPORT_SYMBOL
0xf03496c7 sysctl_intvec vmlinux EXPORT_SYMBOL
0xdbcd416e sysctl_ip_nonlocal_bind vmlinux EXPORT_SYMBOL
0x56876c22 sysctl_jiffies vmlinux EXPORT_SYMBOL
Modified: dists/etch/linux-2.6/debian/arch/arm/abi-6.ixp4xx
==============================================================================
--- dists/etch/linux-2.6/debian/arch/arm/abi-6.ixp4xx Wed May 20 19:49:42 2009 (r13662)
+++ dists/etch/linux-2.6/debian/arch/arm/abi-6.ixp4xx Wed May 20 19:56:03 2009 (r13663)
@@ -3569,12 +3569,10 @@
0x6091797f synchronize_rcu vmlinux EXPORT_SYMBOL_GPL
0xdcb0349b sys_close vmlinux EXPORT_SYMBOL
0x111c2f22 sys_exit vmlinux EXPORT_SYMBOL
-0xec2107f8 sys_lseek vmlinux EXPORT_SYMBOL
0xe269ea1c sys_open vmlinux EXPORT_SYMBOL_GPL
0x2efa450d sys_read vmlinux EXPORT_SYMBOL_GPL
0xfe5d4bb2 sys_tz vmlinux EXPORT_SYMBOL
0xcb38f681 sys_wait4 vmlinux EXPORT_SYMBOL
-0x69b233d3 sys_write vmlinux EXPORT_SYMBOL
0x09624f29 sysctl_intvec vmlinux EXPORT_SYMBOL
0xdbcd416e sysctl_ip_nonlocal_bind vmlinux EXPORT_SYMBOL
0x11ccf584 sysctl_jiffies vmlinux EXPORT_SYMBOL
Modified: dists/etch/linux-2.6/debian/arch/arm/abi-6.rpc
==============================================================================
--- dists/etch/linux-2.6/debian/arch/arm/abi-6.rpc Wed May 20 19:49:42 2009 (r13662)
+++ dists/etch/linux-2.6/debian/arch/arm/abi-6.rpc Wed May 20 19:56:03 2009 (r13663)
@@ -2893,12 +2893,10 @@
0xb56fdbf8 synth_devs sound/oss/sound EXPORT_SYMBOL
0xdcb0349b sys_close vmlinux EXPORT_SYMBOL
0x111c2f22 sys_exit vmlinux EXPORT_SYMBOL
-0xec2107f8 sys_lseek vmlinux EXPORT_SYMBOL
0xe269ea1c sys_open vmlinux EXPORT_SYMBOL_GPL
0x2efa450d sys_read vmlinux EXPORT_SYMBOL_GPL
0xfe5d4bb2 sys_tz vmlinux EXPORT_SYMBOL
0xcb38f681 sys_wait4 vmlinux EXPORT_SYMBOL
-0x69b233d3 sys_write vmlinux EXPORT_SYMBOL
0x09624f29 sysctl_intvec vmlinux EXPORT_SYMBOL
0xdbcd416e sysctl_ip_nonlocal_bind vmlinux EXPORT_SYMBOL
0x11ccf584 sysctl_jiffies vmlinux EXPORT_SYMBOL
Modified: dists/etch/linux-2.6/debian/arch/arm/abi-6.s3c2410
==============================================================================
--- dists/etch/linux-2.6/debian/arch/arm/abi-6.s3c2410 Wed May 20 19:49:42 2009 (r13662)
+++ dists/etch/linux-2.6/debian/arch/arm/abi-6.s3c2410 Wed May 20 19:56:03 2009 (r13663)
@@ -2905,12 +2905,10 @@
0x6091797f synchronize_rcu vmlinux EXPORT_SYMBOL_GPL
0xdcb0349b sys_close vmlinux EXPORT_SYMBOL
0x111c2f22 sys_exit vmlinux EXPORT_SYMBOL
-0xec2107f8 sys_lseek vmlinux EXPORT_SYMBOL
0xe269ea1c sys_open vmlinux EXPORT_SYMBOL_GPL
0x2efa450d sys_read vmlinux EXPORT_SYMBOL_GPL
0xfe5d4bb2 sys_tz vmlinux EXPORT_SYMBOL
0xcb38f681 sys_wait4 vmlinux EXPORT_SYMBOL
-0x69b233d3 sys_write vmlinux EXPORT_SYMBOL
0x09624f29 sysctl_intvec vmlinux EXPORT_SYMBOL
0xdbcd416e sysctl_ip_nonlocal_bind vmlinux EXPORT_SYMBOL
0x11ccf584 sysctl_jiffies vmlinux EXPORT_SYMBOL
Modified: dists/etch/linux-2.6/debian/arch/hppa/abi-6.parisc
==============================================================================
--- dists/etch/linux-2.6/debian/arch/hppa/abi-6.parisc Wed May 20 19:49:42 2009 (r13662)
+++ dists/etch/linux-2.6/debian/arch/hppa/abi-6.parisc Wed May 20 19:56:03 2009 (r13663)
@@ -3654,11 +3654,9 @@
0x609f1c7e synchronize_net vmlinux EXPORT_SYMBOL
0x6091797f synchronize_rcu vmlinux EXPORT_SYMBOL_GPL
0xdcb0349b sys_close vmlinux EXPORT_SYMBOL
-0xec2107f8 sys_lseek vmlinux EXPORT_SYMBOL
0xe269ea1c sys_open vmlinux EXPORT_SYMBOL_GPL
0x2efa450d sys_read vmlinux EXPORT_SYMBOL_GPL
0xfe5d4bb2 sys_tz vmlinux EXPORT_SYMBOL
-0x69b233d3 sys_write vmlinux EXPORT_SYMBOL
0xf6a34cfc sysctl_intvec vmlinux EXPORT_SYMBOL
0xdbcd416e sysctl_ip_nonlocal_bind vmlinux EXPORT_SYMBOL
0xe78a12dc sysctl_jiffies vmlinux EXPORT_SYMBOL
Modified: dists/etch/linux-2.6/debian/arch/hppa/abi-6.parisc-smp
==============================================================================
--- dists/etch/linux-2.6/debian/arch/hppa/abi-6.parisc-smp Wed May 20 19:49:42 2009 (r13662)
+++ dists/etch/linux-2.6/debian/arch/hppa/abi-6.parisc-smp Wed May 20 19:56:03 2009 (r13663)
@@ -3713,11 +3713,9 @@
0x609f1c7e synchronize_net vmlinux EXPORT_SYMBOL
0x6091797f synchronize_rcu vmlinux EXPORT_SYMBOL_GPL
0xdcb0349b sys_close vmlinux EXPORT_SYMBOL
-0xec2107f8 sys_lseek vmlinux EXPORT_SYMBOL
0xe269ea1c sys_open vmlinux EXPORT_SYMBOL_GPL
0x2efa450d sys_read vmlinux EXPORT_SYMBOL_GPL
0xfe5d4bb2 sys_tz vmlinux EXPORT_SYMBOL
-0x69b233d3 sys_write vmlinux EXPORT_SYMBOL
0x9c579689 sysctl_intvec vmlinux EXPORT_SYMBOL
0xdbcd416e sysctl_ip_nonlocal_bind vmlinux EXPORT_SYMBOL
0xc78f63b5 sysctl_jiffies vmlinux EXPORT_SYMBOL
Modified: dists/etch/linux-2.6/debian/arch/hppa/abi-6.parisc64
==============================================================================
--- dists/etch/linux-2.6/debian/arch/hppa/abi-6.parisc64 Wed May 20 19:49:42 2009 (r13662)
+++ dists/etch/linux-2.6/debian/arch/hppa/abi-6.parisc64 Wed May 20 19:56:03 2009 (r13663)
@@ -3677,11 +3677,9 @@
0x6091797f synchronize_rcu vmlinux EXPORT_SYMBOL_GPL
0xdcb0349b sys_close vmlinux EXPORT_SYMBOL
0x208ce54a sys_ioctl vmlinux EXPORT_SYMBOL
-0xec2107f8 sys_lseek vmlinux EXPORT_SYMBOL
0xe269ea1c sys_open vmlinux EXPORT_SYMBOL_GPL
0x12703a3e sys_read vmlinux EXPORT_SYMBOL_GPL
0xfe5d4bb2 sys_tz vmlinux EXPORT_SYMBOL
-0x3c7eae23 sys_write vmlinux EXPORT_SYMBOL
0xdfe179db sysctl_intvec vmlinux EXPORT_SYMBOL
0xdbcd416e sysctl_ip_nonlocal_bind vmlinux EXPORT_SYMBOL
0x42a9e582 sysctl_jiffies vmlinux EXPORT_SYMBOL
Modified: dists/etch/linux-2.6/debian/arch/hppa/abi-6.parisc64-smp
==============================================================================
--- dists/etch/linux-2.6/debian/arch/hppa/abi-6.parisc64-smp Wed May 20 19:49:42 2009 (r13662)
+++ dists/etch/linux-2.6/debian/arch/hppa/abi-6.parisc64-smp Wed May 20 19:56:03 2009 (r13663)
@@ -3736,11 +3736,9 @@
0x6091797f synchronize_rcu vmlinux EXPORT_SYMBOL_GPL
0xdcb0349b sys_close vmlinux EXPORT_SYMBOL
0x208ce54a sys_ioctl vmlinux EXPORT_SYMBOL
-0xec2107f8 sys_lseek vmlinux EXPORT_SYMBOL
0xe269ea1c sys_open vmlinux EXPORT_SYMBOL_GPL
0x12703a3e sys_read vmlinux EXPORT_SYMBOL_GPL
0xfe5d4bb2 sys_tz vmlinux EXPORT_SYMBOL
-0x3c7eae23 sys_write vmlinux EXPORT_SYMBOL
0x87646ac6 sysctl_intvec vmlinux EXPORT_SYMBOL
0xdbcd416e sysctl_ip_nonlocal_bind vmlinux EXPORT_SYMBOL
0x21f70c48 sysctl_jiffies vmlinux EXPORT_SYMBOL
Modified: dists/etch/linux-2.6/debian/changelog
==============================================================================
--- dists/etch/linux-2.6/debian/changelog Wed May 20 19:49:42 2009 (r13662)
+++ dists/etch/linux-2.6/debian/changelog Wed May 20 19:56:03 2009 (r13663)
@@ -1,3 +1,9 @@
+linux-2.6 (2.6.18.dfsg.1-26) oldstable; urgency=high
+
+ * Merge changes from 2.6.18.dfsg.1-24etch2
+
+ -- dann frazier <dannf at debian.org> Wed, 20 May 2009 13:51:28 -0600
+
linux-2.6 (2.6.18.dfsg.1-25) oldstable; urgency=high
[ Aurelien Jarno ]
@@ -8,6 +14,79 @@
-- dann fraizer <dannf at debian.org> Mon, 18 May 2009 23:52:52 -0600
+linux-2.6 (2.6.18.dfsg.1-24etch2) oldstable-security; urgency=high
+
+ * Fix mips FTBFS due to a missed rename of the mips-specific
+ sys_pipe symbol.
+
+ -- dann frazier <dannf at debian.org> Mon, 04 May 2009 10:59:06 -0600
+
+linux-2.6 (2.6.18.dfsg.1-24etch1) oldstable-security; urgency=high
+
+ * Fix buffer underflow in the ib700wdt watchdog driver:
+ - bugfix/all/watchdog-ib700wdt-buffer_underflow.patch
+ See CVE-2008-5702
+ * nfs: Fix fcntl/close race
+ - bugfix/all/nfs-remove-buggy-lock-if-signalled-case.patch
+ See CVE-2008-4307
+ * sctp: fix memory overflow
+ - bugfix/all/sctp-avoid-memory-overflow.patch
+ See CVE-2009-0065
+ * Fix sign-extend ABI issue w/ system calls on various 64-bit architectures
+ - bugfix/all/CVE-2009-0029/*
+ See CVE-2009-0029
+ * security: introduce missing kfree
+ - bugfix/all/security-keyctl-missing-kfree.patch
+ See CVE-2009-0031
+ * dell_rbu: use scnprintf instead of less secure sprintf
+ - bugfix/all/dell_rbu-use-scnprintf-instead-of-sprintf.patch
+ See CVE-2009-0322
+ * [hppa] Fix system crash while unwinding a userspace process
+ - bugfix/hppa/userspace-unwind-crash.patch
+ See CVE-2008-5395
+ * NET: Add preemption point in qdisc_run
+ - bugfix/all/net-add-preempt-point-in-qdisc_run.patch
+ See CVE-2008-5713
+ * [mips] Fix potential DOS by untrusted user app
+ - bugfix/mips/fix-potential-dos.patch
+ See CVE-2008-5701
+ * Fix sensitive memory leak in SO_BSDCOMPAT gsopt
+ - bugfix/all/net-SO_BSDCOMPAT-leak.patch
+ - bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
+ See CVE-2009-0676
+ * skfp: Fix inverted capabilities check logic
+ - bugfix/all/skfp-fix-inverted-cap-logic.patch
+ See CVE-2009-0675
+ * [amd64] syscall-audit: fix 32/64 syscall hole
+ - bugfix/syscall-audit-fix-32+64-syscall-hole.patch
+ See CVE-2009-0834
+ * shm: fix shmctl(SHM_INFO) lockup with !CONFIG_SHMEM
+ This issue does not effect pre-build Debian kernels.
+ - bugfix/all/shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch
+ See CVE-2009-0859
+ * copy_process: fix CLONE_PARENT && parent_exec_id interaction
+ - bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch
+ See CVE-2009-0028
+ * af_rose/x25: Sanity check the maximum user frame size
+ - bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
+ See CVE-2009-1265
+ * NFS: fix an oops in encode_lookup()
+ - bugfix/all/nfs-fix-oops-in-encode_lookup.patch
+ See CVE-2009-1336
+ * exit_notify: kill the wrong capable(CAP_KILL) check
+ - bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch
+ See CVE-2009-1337
+ * agp: zero pages before sending to userspace
+ - bugfix/all/agp-zero-pages-before-sending-to-userspace.patch
+ See CVE-2009-1192
+ * cifs: Fix memory overwrite when saving nativeFileSystem field during mount
+ - bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch
+ - bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch
+ - bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch
+ See CVE-2009-1439
+
+ -- dann frazier <dannf at debian.org> Sat, 02 May 2009 11:01:46 -0600
+
linux-2.6 (2.6.18.dfsg.1-24) stable; urgency=high
[ dann frazier ]
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch)
@@ -0,0 +1,61 @@
+commit 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9
+Author: Alan Cox <alan at lxorguk.ukuu.org.uk>
+Date: Fri Mar 27 00:28:21 2009 -0700
+
+ af_rose/x25: Sanity check the maximum user frame size
+
+ Otherwise we can wrap the sizes and end up sending garbage.
+
+ Closes #10423
+
+ Signed-off-by: Alan Cox <alan at lxorguk.ukuu.org.uk>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+--- a/net/netrom/af_netrom.c 2006-09-19 21:42:06.000000000 -0600
++++ b/net/netrom/af_netrom.c 2009-04-12 19:28:16.000000000 -0600
+@@ -1066,7 +1066,11 @@ static int nr_sendmsg(struct kiocb *iocb
+
+ SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");
+
+- /* Build a packet */
++ /* Build a packet - the conventional user limit is 236 bytes. We can
++ do ludicrously large NetROM frames but must not overflow */
++ if (len > 65536)
++ return -EMSGSIZE;
++
+ SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
+ size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;
+
+diff -urpN a/net/rose/af_rose.c b/net/rose/af_rose.c
+--- a/net/rose/af_rose.c 2006-09-19 21:42:06.000000000 -0600
++++ b/net/rose/af_rose.c 2009-04-12 19:28:16.000000000 -0600
+@@ -1069,6 +1069,10 @@ static int rose_sendmsg(struct kiocb *io
+
+ /* Build a packet */
+ SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n");
++ /* Sanity check the packet size */
++ if (len > 65535)
++ return -EMSGSIZE;
++
+ size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN;
+
+ if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL)
+diff -urpN a/net/x25/af_x25.c b/net/x25/af_x25.c
+--- a/net/x25/af_x25.c 2006-09-19 21:42:06.000000000 -0600
++++ b/net/x25/af_x25.c 2009-04-12 19:28:16.000000000 -0600
+@@ -1019,6 +1019,12 @@ static int x25_sendmsg(struct kiocb *ioc
+ sx25.sx25_addr = x25->dest_addr;
+ }
+
++ /* Sanity check the packet size */
++ if (len > 65535) {
++ rc = -EMSGSIZE;
++ goto out;
++ }
++
+ SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n");
+
+ /* Build a packet */
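Review bot: The netrom and rose checks leave with a bare `return -EMSGSIZE;`, while the x25 check in the same patch sets `rc = -EMSGSIZE;` and uses `goto out;`. The bodies of nr_sendmsg() and rose_sendmsg() start and end outside these hunks, so it cannot be confirmed here whether they hold the socket lock or other state at that point; if they do, the early return skips the release and the check should leave through the function's existing error path instead. The bounds also disagree: netrom rejects `len > 65536` where rose and x25 reject `len > 65535`, so unless NET/ROM needs the extra byte, `if (len > 65535)` in all three would make the limit read as one rule. A named constant would state the intent better than the repeated literal.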
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/agp-zero-pages-before-sending-to-userspace.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/agp-zero-pages-before-sending-to-userspace.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/agp-zero-pages-before-sending-to-userspace.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/agp-zero-pages-before-sending-to-userspace.patch)
@@ -0,0 +1,27 @@
+commit 59de2bebabc5027f93df999d59cc65df591c3e6e
+Author: Shaohua Li <shaohua.li at intel.com>
+Date: Mon Apr 20 10:08:35 2009 +1000
+
+ agp: zero pages before sending to userspace
+
+ AGP pages might be mapped into userspace finally, so the pages should be
+ set to zero before userspace can use it. Otherwise there is potential
+ information leakage.
+
+ Signed-off-by: Shaohua Li <shaohua.li at intel.com>
+ Signed-off-by: Dave Airlie <airlied at redhat.com>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/drivers/char/agp/generic.c linux-source-2.6.18/drivers/char/agp/generic.c
+--- linux-source-2.6.18.orig/drivers/char/agp/generic.c 2008-12-25 14:04:13.000000000 -0700
++++ linux-source-2.6.18/drivers/char/agp/generic.c 2009-04-27 22:17:55.000000000 -0600
+@@ -1042,7 +1042,7 @@ void *agp_generic_alloc_page(struct agp_
+ {
+ struct page * page;
+
+- page = alloc_page(GFP_KERNEL | GFP_DMA32);
++ page = alloc_page(GFP_KERNEL | GFP_DMA32 | __GFP_ZERO);
+ if (page == NULL)
+ return NULL;
+
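Review bot: Only `agp_generic_alloc_page` gains `__GFP_ZERO` here, and the call has no comment saying why the flag matters. Any chipset driver that allocates AGP pages through its own routine is not visible in this patch and should be checked for the same stale-data exposure. I would add `/* page may end up mapped into userspace; zero it so no stale kernel data is exposed */` above the `alloc_page` call so the flag is not dropped in a later cleanup. The function body continues outside the hunk.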
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch)
@@ -0,0 +1,40 @@
+commit f083def68f84b04fe3f97312498911afce79609e
+Author: Jeff Layton <jlayton at redhat.com>
+Date: Thu Apr 16 11:21:52 2009 -0400
+
+ cifs: fix buffer size for tcon->nativeFileSystem field
+
+ The buffer for this was resized recently to fix a bug. It's still
+ possible however that a malicious server could overflow this field
+ by sending characters in it that are >2 bytes in the local charset.
+ Double the size of the buffer to account for this possibility.
+
+ Also get rid of some really strange and seemingly pointless NULL
+ termination. It's NULL terminating the string in the source buffer,
+ but by the time that happens, we've already copied the string.
+
+ Signed-off-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/cifs/connect.c linux-source-2.6.18/fs/cifs/connect.c
+--- linux-source-2.6.18.orig/fs/cifs/connect.c 2009-04-29 01:20:52.000000000 -0600
++++ linux-source-2.6.18/fs/cifs/connect.c 2009-04-29 01:22:47.000000000 -0600
+@@ -3151,14 +3151,11 @@ CIFSTCon(unsigned int xid, struct cifsSe
+ BCC(smb_buffer_response)) {
+ kfree(tcon->nativeFileSystem);
+ tcon->nativeFileSystem =
+- kzalloc(2*(length + 1), GFP_KERNEL);
++ kzalloc((4 * length) + 2, GFP_KERNEL);
+ cifs_strfromUCS_le(tcon->nativeFileSystem,
+ (__le16 *) bcc_ptr,
+ length, nls_codepage);
+- bcc_ptr += 2 * length;
+- bcc_ptr[0] = 0; /* null terminate the string */
+- bcc_ptr[1] = 0;
+- bcc_ptr += 2;
++ bcc_ptr += (2 * length) + 2;
+ }
+ /* else do not bother copying these informational fields */
+ } else {
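Review bot: The result of `kzalloc((4 * length) + 2, GFP_KERNEL)` is handed straight to `cifs_strfromUCS_le` with no NULL check, so an allocation failure during tree connect would presumably be written through. The field is informational, as the comment after the block says, so guarding the copy is enough: `if (tcon->nativeFileSystem) cifs_strfromUCS_le(tcon->nativeFileSystem, (__le16 *) bcc_ptr, length, nls_codepage);`. The same unchecked pattern appears in the hunks of cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch and cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch, which touch the same lines. A short comment on the sizing would also help, for example `/* server-supplied string: allow up to 4 bytes per UCS-2 char in the local charset, plus terminator */`. CIFSTCon starts and ends outside the hunk.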
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch)
@@ -0,0 +1,29 @@
+commit b363b3304bcf68c4541683b2eff70b29f0446a5b
+Author: Steve French <sfrench at us.ibm.com>
+Date: Wed Mar 18 05:57:22 2009 +0000
+
+ [CIFS] Fix memory overwrite when saving nativeFileSystem field during mount
+
+ CIFS can allocate a few bytes to little for the nativeFileSystem field
+ during tree connect response processing during mount. This can result
+ in a "Redzone overwritten" message to be logged.
+
+ Signed-off-by: Sridhar Vinay <vinaysridhar at in.ibm.com>
+ Acked-by: Shirish Pargaonkar <shirishp at us.ibm.com>
+ CC: Stable <stable at kernel.org>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/cifs/connect.c linux-source-2.6.18/fs/cifs/connect.c
+--- linux-source-2.6.18.orig/fs/cifs/connect.c 2008-12-25 14:04:13.000000000 -0700
++++ linux-source-2.6.18/fs/cifs/connect.c 2009-04-29 01:20:52.000000000 -0600
+@@ -3151,7 +3151,7 @@ CIFSTCon(unsigned int xid, struct cifsSe
+ BCC(smb_buffer_response)) {
+ kfree(tcon->nativeFileSystem);
+ tcon->nativeFileSystem =
+- kzalloc(length + 2, GFP_KERNEL);
++ kzalloc(2*(length + 1), GFP_KERNEL);
+ cifs_strfromUCS_le(tcon->nativeFileSystem,
+ (__le16 *) bcc_ptr,
+ length, nls_codepage);
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch)
@@ -0,0 +1,26 @@
+commit 22c9d52bc03b880045ab1081890a38f11b272ae7
+Author: Jeff Layton <jlayton at redhat.com>
+Date: Thu Apr 16 13:48:49 2009 -0400
+
+ cifs: remove unneeded bcc_ptr update in CIFSTCon
+
+ This pointer isn't used again after this point. It's also not updated in
+ the ascii case, so there's no need to update it here.
+
+ Pointed-out-by: Dave Kleikamp <shaggy at linux.vnet.ibm.com>
+ Signed-off-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/cifs/connect.c linux-source-2.6.18/fs/cifs/connect.c
+--- linux-source-2.6.18.orig/fs/cifs/connect.c 2009-04-29 01:22:47.000000000 -0600
++++ linux-source-2.6.18/fs/cifs/connect.c 2009-04-29 01:23:59.000000000 -0600
+@@ -3155,7 +3155,6 @@ CIFSTCon(unsigned int xid, struct cifsSe
+ cifs_strfromUCS_le(tcon->nativeFileSystem,
+ (__le16 *) bcc_ptr,
+ length, nls_codepage);
+- bcc_ptr += (2 * length) + 2;
+ }
+ /* else do not bother copying these informational fields */
+ } else {
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch)
@@ -0,0 +1,54 @@
+commit 2d5516cbb9daf7d0e342a2e3b0fc6f8c39a81205
+Author: Oleg Nesterov <oleg at redhat.com>
+Date: Mon Mar 2 22:58:45 2009 +0100
+
+ copy_process: fix CLONE_PARENT && parent_exec_id interaction
+
+ CLONE_PARENT can fool the ->self_exec_id/parent_exec_id logic. If we
+ re-use the old parent, we must also re-use ->parent_exec_id to make
+ sure exit_notify() sees the right ->xxx_exec_id's when the CLONE_PARENT'ed
+ task exits.
+
+ Also, move down the "p->parent_exec_id = p->self_exec_id" thing, to place
+ two different cases together.
+
+ Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+ Cc: Roland McGrath <roland at redhat.com>
+ Cc: Andrew Morton <akpm at linux-foundation.org>
+ Cc: David Howells <dhowells at redhat.com>
+ Cc: Serge E. Hallyn <serge at hallyn.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN a/kernel/fork.c b/kernel/fork.c
+--- a/kernel/fork.c 2009-04-12 18:39:00.000000000 -0600
++++ b/kernel/fork.c 2009-04-12 19:22:00.000000000 -0600
+@@ -1137,11 +1137,6 @@ static struct task_struct *copy_process(
+ clear_tsk_thread_flag(p, TIF_SYSCALL_EMU);
+ #endif
+
+- /* Our parent execution domain becomes current domain
+- These must match for thread signalling to apply */
+-
+- p->parent_exec_id = p->self_exec_id;
+-
+ /* ok, now we should be set up.. */
+ p->exit_signal = (clone_flags & CLONE_THREAD) ? -1 : (clone_flags & CSIGNAL);
+ p->pdeath_signal = 0;
+@@ -1177,10 +1172,13 @@ static struct task_struct *copy_process(
+ set_task_cpu(p, smp_processor_id());
+
+ /* CLONE_PARENT re-uses the old parent */
+- if (clone_flags & (CLONE_PARENT|CLONE_THREAD))
++ if (clone_flags & (CLONE_PARENT|CLONE_THREAD)) {
+ p->real_parent = current->real_parent;
+- else
++ p->parent_exec_id = current->parent_exec_id;
++ } else {
+ p->real_parent = current;
++ p->parent_exec_id = current->self_exec_id;
++ }
+ p->parent = p->real_parent;
+
+ spin_lock(¤t->sighand->siglock);
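Review bot: The comment removed in the first hunk (exec ids must match for signalling to apply) is not replaced, so the two new `p->parent_exec_id` assignments in the CLONE_PARENT branch and its else branch have no stated reason. Since this is the value exit_notify() later compares, I would put `/* parent_exec_id must follow real_parent, otherwise exit_notify() checks the child against the wrong exec id */` above the `if (clone_flags & (CLONE_PARENT|CLONE_THREAD))` line. copy_process starts and ends outside both hunks.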
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/dell_rbu-use-scnprintf-instead-of-sprintf.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/dell_rbu-use-scnprintf-instead-of-sprintf.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/dell_rbu-use-scnprintf-instead-of-sprintf.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/dell_rbu-use-scnprintf-instead-of-sprintf.patch)
@@ -0,0 +1,36 @@
+commit 81156928f8fe31621e467490b9d441c0285998c3
+Author: Pavel Roskin <proski at gnu.org>
+Date: Sat Jan 17 13:33:03 2009 -0500
+
+ dell_rbu: use scnprintf() instead of less secure sprintf()
+
+ Reading 0 bytes from /sys/devices/platform/dell_rbu/image_type or
+ /sys/devices/platform/dell_rbu/packet_size by an ordinary user causes an
+ oops.
+
+ Signed-off-by: Pavel Roskin <proski at gnu.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/drivers/firmware/dell_rbu.c linux-source-2.6.18/drivers/firmware/dell_rbu.c
+--- linux-source-2.6.18.orig/drivers/firmware/dell_rbu.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/drivers/firmware/dell_rbu.c 2009-02-09 23:23:28.000000000 -0700
+@@ -596,7 +596,7 @@ static ssize_t read_rbu_image_type(struc
+ {
+ int size = 0;
+ if (!pos)
+- size = sprintf(buffer, "%s\n", image_type);
++ size = scnprintf(buffer, count, "%s\n", image_type);
+ return size;
+ }
+
+@@ -666,7 +666,7 @@ static ssize_t read_rbu_packet_size(stru
+ int size = 0;
+ if (!pos) {
+ spin_lock(&rbu_data.lock);
+- size = sprintf(buffer, "%lu\n", rbu_data.packetsize);
++ size = scnprintf(buffer, count, "%lu\n", rbu_data.packetsize);
+ spin_unlock(&rbu_data.lock);
+ }
+ return size;
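Review bot: `scnprintf(buffer, count, ...)` truncates silently when `count` is smaller than the formatted value, and both handlers return 0 for any non-zero `pos`, so a reader with a short buffer gets a partial value followed by end-of-file. That is safe for the kernel, but it is worth stating in both `read_rbu_image_type` and `read_rbu_packet_size`, for example `/* output is truncated to count bytes; reads at pos != 0 return 0 */`. Whether `count` can ever exceed the space actually behind `buffer` is decided by the caller, which is outside these hunks.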
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch)
@@ -0,0 +1,31 @@
+commit 432870dab85a2f69dc417022646cb9a70acf7f94
+Author: Oleg Nesterov <oleg at redhat.com>
+Date: Mon Apr 6 16:16:02 2009 +0200
+
+ exit_notify: kill the wrong capable(CAP_KILL) check
+
+ The CAP_KILL check in exit_notify() looks just wrong, kill it.
+
+ Whatever logic we have to reset ->exit_signal, the malicious user
+ can bypass it if it execs the setuid application before exiting.
+
+ Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+ Acked-by: Serge Hallyn <serue at us.ibm.com>
+ Acked-by: Roland McGrath <roland at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/kernel/exit.c linux-source-2.6.18/kernel/exit.c
+--- linux-source-2.6.18.orig/kernel/exit.c 2008-12-25 14:04:13.000000000 -0700
++++ linux-source-2.6.18/kernel/exit.c 2009-04-18 18:46:03.000000000 -0600
+@@ -806,8 +806,7 @@ static void exit_notify(struct task_stru
+
+ if (tsk->exit_signal != SIGCHLD && tsk->exit_signal != -1 &&
+ ( tsk->parent_exec_id != t->self_exec_id ||
+- tsk->self_exec_id != tsk->parent_exec_id)
+- && !capable(CAP_KILL))
++ tsk->self_exec_id != tsk->parent_exec_id))
+ tsk->exit_signal = SIGCHLD;
+
+
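Review bot: The condition that resets `tsk->exit_signal` to SIGCHLD now has no capability override, but nothing in the code says that this is deliberate, which makes it easy for a later change to reintroduce one. I would add above the `if`: `/* no capable() override here: the exiting task may have exec'd a setuid binary, so its capabilities say nothing about who chose exit_signal */`. exit_notify starts and ends outside the hunk.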
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak-2.patch)
@@ -0,0 +1,32 @@
+From: Eugene Teo <eugeneteo at kernel.sg>
+Date: Mon, 23 Feb 2009 23:38:41 +0000 (-0800)
+Subject: net: amend the fix for SO_BSDCOMPAT gsopt infoleak
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=50fee1dec5d71b8a14c1b82f2f42e16adc227f8b
+
+net: amend the fix for SO_BSDCOMPAT gsopt infoleak
+
+The fix for CVE-2009-0676 (upstream commit df0bca04) is incomplete. Note
+that the same problem of leaking kernel memory will reappear if someone
+on some architecture uses struct timeval with some internal padding (for
+example tv_sec 64-bit and tv_usec 32-bit) --- then, you are going to
+leak the padded bytes to userspace.
+
+Signed-off-by: Eugene Teo <eugeneteo at kernel.sg>
+Reported-by: Mikulas Patocka <mpatocka at redhat.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/net/core/sock.c linux-source-2.6.18/net/core/sock.c
+--- linux-source-2.6.18.orig/net/core/sock.c 2009-02-24 23:34:38.000000000 -0700
++++ linux-source-2.6.18/net/core/sock.c 2009-02-24 23:36:44.000000000 -0700
+@@ -656,7 +656,7 @@ int sock_getsockopt(struct socket *sock,
+ if(len < 0)
+ return -EINVAL;
+
+- v.val = 0;
++ memset(&v, 0, sizeof(v));
+
+ switch(optname)
+ {
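Review bot: Nothing at the `memset(&v, 0, sizeof(v));` line records that all of `v` has to be cleared, padding included, which is the reason the earlier `v.val = 0;` was insufficient. A one-line comment keeps a later cleanup from narrowing it back to a single member: `/* clear all of v, padding included: any part of it may be copied to userspace */`. sock_getsockopt continues outside the hunk.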
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/net-SO_BSDCOMPAT-leak.patch)
@@ -0,0 +1,43 @@
+commit df0bca049d01c0ee94afb7cd5dfd959541e6c8da
+Author: Clément Lecigne <clement.lecigne at netasq.com>
+Date: Thu Feb 12 16:59:09 2009 -0800
+
+ net: 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt try #2
+
+ In function sock_getsockopt() located in net/core/sock.c, optval v.val
+ is not correctly initialized and directly returned in userland in case
+ we have SO_BSDCOMPAT option set.
+
+ This dummy code should trigger the bug:
+
+ int main(void)
+ {
+ unsigned char buf[4] = { 0, 0, 0, 0 };
+ int len;
+ int sock;
+ sock = socket(33, 2, 2);
+ getsockopt(sock, 1, SO_BSDCOMPAT, &buf, &len);
+ printf("%x%x%x%x\n", buf[0], buf[1], buf[2], buf[3]);
+ close(sock);
+ }
+
+ Here is a patch that fix this bug by initalizing v.val just after its
+ declaration.
+
+ Signed-off-by: Clément Lecigne <clement.lecigne at netasq.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/net/core/sock.c linux-source-2.6.18/net/core/sock.c
+--- linux-source-2.6.18.orig/net/core/sock.c 2008-12-25 14:04:13.000000000 -0700
++++ linux-source-2.6.18/net/core/sock.c 2009-02-24 23:34:38.000000000 -0700
+@@ -656,6 +656,8 @@ int sock_getsockopt(struct socket *sock,
+ if(len < 0)
+ return -EINVAL;
+
++ v.val = 0;
++
+ switch(optname)
+ {
+ case SO_DEBUG:
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/net-add-preempt-point-in-qdisc_run.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/net-add-preempt-point-in-qdisc_run.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/net-add-preempt-point-in-qdisc_run.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/net-add-preempt-point-in-qdisc_run.patch)
@@ -0,0 +1,52 @@
+commit 2ba2506ca7ca62c56edaa334b0fe61eb5eab6ab0
+Author: Herbert Xu <herbert at gondor.apana.org.au>
+Date: Fri Mar 28 16:25:26 2008 -0700
+
+ [NET]: Add preemption point in qdisc_run
+
+ The qdisc_run loop is currently unbounded and runs entirely in a
+ softirq. This is bad as it may create an unbounded softirq run.
+
+ This patch fixes this by calling need_resched and breaking out if
+ necessary.
+
+ It also adds a break out if the jiffies value changes since that would
+ indicate we've been transmitting for too long which starves other
+ softirqs.
+
+ Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backport from Jiri Pirko for RHEL5.
+
+diff -urpN linux-source-2.6.18.orig/net/sched/sch_generic.c linux-source-2.6.18/net/sched/sch_generic.c
+--- linux-source-2.6.18.orig/net/sched/sch_generic.c 2008-12-25 14:04:12.000000000 -0700
++++ linux-source-2.6.18/net/sched/sch_generic.c 2009-02-22 23:09:57.000000000 -0700
+@@ -183,11 +183,25 @@ requeue:
+
+ void __qdisc_run(struct net_device *dev)
+ {
++ unsigned long start_time = jiffies;
++
+ if (unlikely(dev->qdisc == &noop_qdisc))
+ goto out;
+
+- while (qdisc_restart(dev) < 0 && !netif_queue_stopped(dev))
+- /* NOTHING */;
++ while (qdisc_restart(dev) < 0) {
++ if (netif_queue_stopped(dev))
++ break;
++
++ /*
++ * Postpone processing if
++ * 1. another process needs the CPU;
++ * 2. we've been doing it for too long.
++ */
++ if (need_resched() || jiffies != start_time) {
++ netif_schedule(dev);
++ break;
++ }
++ }
+
+ out:
+ clear_bit(__LINK_STATE_QDISC_RUNNING, &dev->state);
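Review bot: The `jiffies != start_time` test gives the loop a budget that depends on HZ and on where in the tick `__qdisc_run` was entered, anywhere from almost nothing to one full tick, while the comment only says "too long". I would make the second item of the comment explicit: `2. we've been doing it for too long (jiffies has advanced since entry, i.e. at most one tick).` The labels `requeue:` and `out:` belong to code that is only partly inside the hunk.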
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/nfs-fix-oops-in-encode_lookup.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/nfs-fix-oops-in-encode_lookup.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/nfs-fix-oops-in-encode_lookup.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/nfs-fix-oops-in-encode_lookup.patch)
@@ -0,0 +1,56 @@
+commit 54af3bb543c071769141387a42deaaab5074da55
+Author: Trond Myklebust <Trond.Myklebust at netapp.com>
+Date: Fri Sep 28 12:27:41 2007 -0400
+
+ NFS: Fix an Oops in encode_lookup()
+
+ It doesn't look as if the NFS file name limit is being initialised correctly
+ in the struct nfs_server. Make sure that we limit whatever is being set in
+ nfs_probe_fsinfo() and nfs_init_server().
+
+ Also ensure that readdirplus and nfs4_path_walk respect our file name
+ limits.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+Based upon the RHEL4 backport by Sachin Prabhu
+
+diff -urpN linux-source-2.6.18.orig/fs/nfs/dir.c linux-source-2.6.18/fs/nfs/dir.c
+--- linux-source-2.6.18.orig/fs/nfs/dir.c 2008-12-25 14:04:12.000000000 -0700
++++ linux-source-2.6.18/fs/nfs/dir.c 2009-04-18 15:49:55.000000000 -0600
+@@ -1113,6 +1113,8 @@ static struct dentry *nfs_readdir_lookup
+ return dentry;
+ if (!desc->plus || !(entry->fattr->valid & NFS_ATTR_FATTR))
+ return NULL;
++ if (name.len > NFS_SERVER(dir)->namelen)
++ return NULL;
+ /* Note: caller is already holding the dir->i_mutex! */
+ dentry = d_alloc(parent, &name);
+ if (dentry == NULL)
+diff -urpN linux-source-2.6.18.orig/fs/nfs/nfs4proc.c linux-source-2.6.18/fs/nfs/nfs4proc.c
+--- linux-source-2.6.18.orig/fs/nfs/nfs4proc.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/nfs/nfs4proc.c 2009-04-18 15:53:22.000000000 -0600
+@@ -1437,6 +1437,8 @@ static int nfs4_proc_get_root(struct nfs
+ while (*p && (*p != '/'))
+ p++;
+ q.len = p - q.name;
++ if (q.len > NFS4_MAXNAMLEN)
++ return -ENAMETOOLONG;
+
+ do {
+ nfs_fattr_init(fattr);
+diff -urpN linux-source-2.6.18.orig/fs/nfs/super.c linux-source-2.6.18/fs/nfs/super.c
+--- linux-source-2.6.18.orig/fs/nfs/super.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/nfs/super.c 2009-04-18 15:52:24.000000000 -0600
+@@ -1254,6 +1254,9 @@ static int nfs4_fill_super(struct super_
+ goto out_fail;
+ }
+
++ if (server->namelen == 0 || server->namelen > NFS4_MAXNAMLEN)
++ server->namelen = NFS4_MAXNAMLEN;
++
+ sb->s_time_gran = 1;
+
+ sb->s_op = &nfs4_sops;
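Review bot: The clamp `if (server->namelen == 0 || server->namelen > NFS4_MAXNAMLEN)` is added only in `nfs4_fill_super`, while the new dir.c check `name.len > NFS_SERVER(dir)->namelen` applies to every mount that uses readdirplus. The upstream description names `nfs_probe_fsinfo()` and `nfs_init_server()`, neither of which appears in this backport, so it should be confirmed that the NFSv2/v3 mount path already bounds `namelen`. If it can be left at 0 there, the new check would reject every readdirplus entry, and if it can stay larger than the protocol maximum the check does not limit anything. A comment at the dir.c check such as `/* namelen is clamped at mount time; never trust the server-supplied name length beyond it */` would tie the two together. All three functions continue outside their hunks.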
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/nfs-remove-buggy-lock-if-signalled-case.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/nfs-remove-buggy-lock-if-signalled-case.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/nfs-remove-buggy-lock-if-signalled-case.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/nfs-remove-buggy-lock-if-signalled-case.patch)
@@ -0,0 +1,36 @@
+commit c4d7c402b788b73dc24f1e54a57f89d3dc5eb7bc
+Author: Trond Myklebust <Trond.Myklebust at netapp.com>
+Date: Tue Apr 1 20:26:52 2008 -0400
+
+ NFS: Remove the buggy lock-if-signalled case from do_setlk()
+
+ Both NLM and NFSv4 should be able to clean up adequately in the case where
+ the user interrupts the RPC call...
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/nfs/file.c linux-source-2.6.18/fs/nfs/file.c
+--- linux-source-2.6.18.orig/fs/nfs/file.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/nfs/file.c 2009-01-13 22:10:12.000000000 -0700
+@@ -471,17 +471,9 @@ static int do_setlk(struct file *filp, i
+
+ lock_kernel();
+ /* Use local locking if mounted with "-onolock" */
+- if (!(NFS_SERVER(inode)->flags & NFS_MOUNT_NONLM)) {
++ if (!(NFS_SERVER(inode)->flags & NFS_MOUNT_NONLM))
+ status = NFS_PROTO(inode)->lock(filp, cmd, fl);
+- /* If we were signalled we still need to ensure that
+- * we clean up any state on the server. We therefore
+- * record the lock call as having succeeded in order to
+- * ensure that locks_remove_posix() cleans it out when
+- * the process exits.
+- */
+- if (status == -EINTR || status == -ERESTARTSYS)
+- do_vfs_lock(filp, fl);
+- } else
++ else
+ status = do_vfs_lock(filp, fl);
+ unlock_kernel();
+ if (status < 0)
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch)
@@ -0,0 +1,74 @@
+commit 9fcb95a105758b81ef0131cd18e2db5149f13e95
+Author: Wei Yongjun <yjwei at cn.fujitsu.com>
+Date: Thu Dec 25 16:58:11 2008 -0800
+
+ sctp: Avoid memory overflow while FWD-TSN chunk is received with bad stream ID
+
+ If FWD-TSN chunk is received with bad stream ID, the sctp will not do the
+ validity check, this may cause memory overflow when overwrite the TSN of
+ the stream ID.
+
+ The FORWARD-TSN chunk is like this:
+
+ FORWARD-TSN chunk
+ Type = 192
+ Flags = 0
+ Length = 172
+ NewTSN = 99
+ Stream = 10000
+ StreamSequence = 0xFFFF
+
+ This patch fix this problem by discard the chunk if stream ID is not
+ less than MIS.
+
+ Signed-off-by: Wei Yongjun <yjwei at cn.fujitsu.com>
+ Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/net/sctp/sm_statefuns.c linux-source-2.6.18/net/sctp/sm_statefuns.c
+--- linux-source-2.6.18.orig/net/sctp/sm_statefuns.c 2008-12-25 14:04:12.000000000 -0700
++++ linux-source-2.6.18/net/sctp/sm_statefuns.c 2009-02-02 11:51:26.000000000 -0700
+@@ -3406,6 +3406,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+ {
+ struct sctp_chunk *chunk = arg;
+ struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++ struct sctp_fwdtsn_skip *skip;
+ __u16 len;
+ __u32 tsn;
+
+@@ -3435,6 +3436,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+ if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+ goto discard_noforce;
+
++ /* Silently discard the chunk if stream-id is not valid */
++ sctp_walk_fwdtsn(skip, chunk) {
++ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++ goto discard_noforce;
++ }
++
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+ if (len > sizeof(struct sctp_fwdtsn_hdr))
+ sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
+@@ -3466,6 +3473,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ {
+ struct sctp_chunk *chunk = arg;
+ struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++ struct sctp_fwdtsn_skip *skip;
+ __u16 len;
+ __u32 tsn;
+
+@@ -3495,6 +3503,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+ goto gen_shutdown;
+
++ /* Silently discard the chunk if stream-id is not valid */
++ sctp_walk_fwdtsn(skip, chunk) {
++ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++ goto gen_shutdown;
++ }
++
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+ if (len > sizeof(struct sctp_fwdtsn_hdr))
+ sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
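Review bot: The comment `/* Silently discard the chunk if stream-id is not valid */` is copied into `sctp_sf_eat_fwd_tsn_fast`, where the branch taken is `goto gen_shutdown`, not a discard label. What `gen_shutdown` does is outside the hunk, but the comment should describe that path, for example `/* Skip FWD-TSN processing if any stream-id is out of range */`. It would also help to state in both places that the bound is the negotiated inbound stream count, `asoc->c.sinit_max_instreams`, and that `sctp_walk_fwdtsn` relies on the chunk length having been validated earlier in the function, which is not visible here.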
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/security-keyctl-missing-kfree.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/security-keyctl-missing-kfree.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/security-keyctl-missing-kfree.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/security-keyctl-missing-kfree.patch)
@@ -0,0 +1,27 @@
+commit 0d54ee1c7850a954026deec4cd4885f331da35cc
+Author: Vegard Nossum <vegard.nossum at gmail.com>
+Date: Sat Jan 17 17:45:45 2009 +0100
+
+ security: introduce missing kfree
+
+ Plug this leak.
+
+ Acked-by: David Howells <dhowells at redhat.com>
+ Cc: James Morris <jmorris at namei.org>
+ Cc: <stable at kernel.org>
+ Signed-off-by: Vegard Nossum <vegard.nossum at gmail.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/security/keys/keyctl.c linux-source-2.6.24/security/keys/keyctl.c
+--- linux-source-2.6.24.orig/security/keys/keyctl.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/security/keys/keyctl.c 2009-02-09 22:43:52.000000000 -0700
+@@ -253,6 +253,7 @@ long keyctl_join_session_keyring(const c
+
+ /* join the session */
+ ret = join_session_keyring(name);
++ kfree(name);
+
+ error:
+ return ret;
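Review bot: The patch header says it was adjusted for Debian's 2.6.24 and its paths are `linux-source-2.6.24`, yet it is being added to the etch tree alongside patches adjusted for 2.6.18; skfp-fix-inverted-cap-logic.patch carries the same 2.6.24 header. The context lines should be confirmed against the 2.6.18 source and the header corrected so the backport's provenance is accurate. On the code itself, `kfree(name);` sits before the `error:` label, so it is correct only if no path jumps to `error` while `name` is still allocated; those paths are outside the hunk.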
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch)
@@ -0,0 +1,46 @@
+commit a68e61e8ff2d46327a37b69056998b47745db6fa
+Author: Tony Battersby <tonyb at cybernetics.com>
+Date: Wed Feb 4 15:12:04 2009 -0800
+
+ shm: fix shmctl(SHM_INFO) lockup with !CONFIG_SHMEM
+
+ shm_get_stat() assumes that the inode is a "struct shmem_inode_info",
+ which is incorrect for !CONFIG_SHMEM (see fs/ramfs/inode.c:
+ ramfs_get_inode() vs. mm/shmem.c: shmem_get_inode()).
+
+ This bad assumption can cause shmctl(SHM_INFO) to lockup when
+ shm_get_stat() tries to spin_lock(&info->lock). Users of !CONFIG_SHMEM
+ may encounter this lockup simply by invoking the 'ipcs' command.
+
+ Reported by Jiri Olsa back in February 2008:
+ http://lkml.org/lkml/2008/2/29/74
+
+ Signed-off-by: Tony Battersby <tonyb at cybernetics.com>
+ Cc: Jiri Kosina <jkosina at suse.cz>
+ Reported-by: Jiri Olsa <olsajiri at gmail.com>
+ Cc: Hugh Dickins <hugh at veritas.com>
+ Cc: <stable at kernel.org> [2.6.everything]
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org
+
+diff -urpN a/ipc/shm.c b/ipc/shm.c
+--- a/ipc/shm.c 2009-04-13 22:39:09.000000000 -0600
++++ b/ipc/shm.c 2009-04-13 22:39:32.000000000 -0600
+@@ -416,11 +416,15 @@ static void shm_get_stat(unsigned long *
+ struct address_space *mapping = inode->i_mapping;
+ *rss += (HPAGE_SIZE/PAGE_SIZE)*mapping->nrpages;
+ } else {
++#ifdef CONFIG_SHMEM
+ struct shmem_inode_info *info = SHMEM_I(inode);
+ spin_lock(&info->lock);
+ *rss += inode->i_mapping->nrpages;
+ *swp += info->swapped;
+ spin_unlock(&info->lock);
++#else
++ *rss += inode->i_mapping->nrpages;
++#endif
+ }
+ }
+ }
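Review bot: The new `#else` branch reads `inode->i_mapping->nrpages` without a lock and leaves `*swp` untouched, and nothing in the code says why that is correct. The reason is only in the commit message, so I would add inside the `#else`: `/* !CONFIG_SHMEM: inode comes from ramfs and is not a shmem_inode_info, so there is no info->lock or swap count */`. shm_get_stat starts outside the hunk.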
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/skfp-fix-inverted-cap-logic.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/skfp-fix-inverted-cap-logic.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/skfp-fix-inverted-cap-logic.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/skfp-fix-inverted-cap-logic.patch)
@@ -0,0 +1,28 @@
+commit c25b9abbc2c2c0da88e180c3933d6e773245815a
+Author: Roel Kluin <roel.kluin at gmail.com>
+Date: Thu Jan 29 17:32:20 2009 -0800
+
+ drivers/net/skfp: if !capable(CAP_NET_ADMIN): inverted logic
+
+ Fix inverted logic
+
+ Signed-off-by: Roel Kluin <roel.kluin at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN a/drivers/net/skfp/skfddi.c b/drivers/net/skfp/skfddi.c
+--- a/drivers/net/skfp/skfddi.c 2008-01-24 15:58:37.000000000 -0700
++++ b/drivers/net/skfp/skfddi.c 2009-04-05 21:58:20.000000000 -0600
+@@ -998,9 +998,9 @@ static int skfp_ioctl(struct net_device
+ break;
+ case SKFP_CLR_STATS: /* Zero out the driver statistics */
+ if (!capable(CAP_NET_ADMIN)) {
+- memset(&lp->MacStat, 0, sizeof(lp->MacStat));
+- } else {
+ status = -EPERM;
++ } else {
++ memset(&lp->MacStat, 0, sizeof(lp->MacStat));
+ }
+ break;
+ default:
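Review bot: The header line `Adjusted to apply to Debian's 2.6.24` does not match the tree this patch file is added to (dists/etch/linux-2.6, where the neighbouring patch headers say 2.6.18), and the `a/` timestamp suggests it was taken over from a 2.6.24 backport. If it applies unchanged, the header should say so, for example `Adjusted for Debian's 2.6.24 by dann frazier; applies unchanged to 2.6.18`. The description `Fix inverted logic` also leaves out what the inversion meant: before the change, SKFP_CLR_STATS zeroed `lp->MacStat` for callers without CAP_NET_ADMIN and returned -EPERM to callers that had it, which is worth one sentence for anyone triaging this update. skfp_ioctl()'s body continues outside the hunk.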
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/watchdog-ib700wdt-buffer_underflow.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/watchdog-ib700wdt-buffer_underflow.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/watchdog-ib700wdt-buffer_underflow.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/all/watchdog-ib700wdt-buffer_underflow.patch)
@@ -0,0 +1,31 @@
+commit 7c2500f17d65092d93345f3996cf82ebca17e9ff
+Author: Wim Van Sebroeck <wim at iguana.be>
+Date: Wed Oct 15 08:53:06 2008 +0000
+
+ [WATCHDOG] ib700wdt.c - fix buffer_underflow bug
+
+ This fixes Bug 11399:
+ if ibwdt_set_heartbeat(int t) is called with value 30 then
+ the check "if ((t < 0) || (t > 30))" in ibwdt_set_heartbeat
+ is not going to fail because t == 30, but in the loop, the
+ check wd_times[i] > t is never going to be true because
+ none of the wd_times are greater than the value of t (i.e. 30).
+ So we are exiting the loop with i == -1 and therefore setting
+ wd_margin to -1 which is wrong.
+
+ Reported-by: Zvonimir Rakamaric <zrakamar at cs.ubc.ca>
+ Signed-off-by: Wim Van Sebroeck <wim at iguana.be>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+--- linux-source-2.6.18/drivers/char/watchdog/ib700wdt.c.orig 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/drivers/char/watchdog/ib700wdt.c 2008-12-25 14:44:26.000000000 -0700
+@@ -188,7 +188,7 @@ ibwdt_ioctl(struct inode *inode, struct
+ if ((new_margin < 0) || (new_margin > 30))
+ return -EINVAL;
+ for (i = 0x0F; i > -1; i--)
+- if (wd_times[i] > new_margin)
++ if (wd_times[i] >= new_margin)
+ break;
+ wd_margin = i;
+ ibwdt_ping();
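Review bot: `wd_margin = i;` is still assigned without checking that the loop found an entry, so the fix holds only if the largest `wd_times` entry is at least 30; the table is outside this hunk, so that is assumed here. A guard such as `if (i < 0) return -EINVAL;` before the assignment, or a comment tying the literal 30 in the range check to the largest table entry, would keep the two from drifting apart. The description talks about ibwdt_set_heartbeat(), while this backport patches the inline loop in ibwdt_ioctl(), whose body starts and ends outside the hunk; the header could say that.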
Copied: dists/etch/linux-2.6/debian/patches/bugfix/hppa/userspace-unwind-crash.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/hppa/userspace-unwind-crash.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/hppa/userspace-unwind-crash.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/hppa/userspace-unwind-crash.patch)
@@ -0,0 +1,116 @@
+commit 7a3f5134a8f5bd7fa38b5645eef05e8a4eb62951
+Author: Helge Deller <deller at gmx.de>
+Date: Wed Nov 26 12:46:22 2008 -0800
+
+ parisc: fix kernel crash when unwinding a userspace process
+
+ Any user on existing parisc 32- and 64bit-kernels can easily crash
+ the kernel and as such enforce a DSO.
+ A simple testcase is available here:
+ http://gsyprf10.external.hp.com/~deller/crash.tgz
+
+ The problem is introduced by the fact, that the handle_interruption()
+ crash handler calls the show_regs() function, which in turn tries to
+ unwind the stack by calling parisc_show_stack(). Since the stack contains
+ userspace addresses, a try to unwind the stack is dangerous and useless
+ and leads to the crash.
+
+ The fix is trivial: For userspace processes
+ a) avoid to unwind the stack, and
+ b) avoid to resolve userspace addresses to kernel symbol names.
+
+ While touching this code, I converted print_symbol() to %pS
+ printk formats and made parisc_show_stack() static.
+
+ An initial patch for this was written by Kyle McMartin back in August:
+ http://marc.info/?l=linux-parisc&m=121805168830283&w=2
+
+ Compile and run-tested with a 64bit parisc kernel.
+
+ Signed-off-by: Helge Deller <deller at gmx.de>
+ Cc: Grant Grundler <grundler at parisc-linux.org>
+ Cc: Matthew Wilcox <matthew at wil.cx>
+ Cc: <stable at kernel.org> [2.6.25.x, 2.6.26.x, 2.6.27.x, earlier...]
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Kyle McMartin <kyle at mcmartin.ca>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/arch/parisc/kernel/traps.c linux-source-2.6.18/arch/parisc/kernel/traps.c
+--- linux-source-2.6.18.orig/arch/parisc/kernel/traps.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/parisc/kernel/traps.c 2009-02-19 00:49:17.000000000 -0700
+@@ -24,7 +24,6 @@
+ #include <linux/init.h>
+ #include <linux/interrupt.h>
+ #include <linux/console.h>
+-#include <linux/kallsyms.h>
+
+ #include <asm/assembly.h>
+ #include <asm/system.h>
+@@ -115,18 +114,19 @@ static void print_fr(char *level, struct
+
+ void show_regs(struct pt_regs *regs)
+ {
+- int i;
++ int i, user;
+ char *level;
+ unsigned long cr30, cr31;
+
+- level = user_mode(regs) ? KERN_DEBUG : KERN_CRIT;
++ user = user_mode(regs);
++ level = user ? KERN_DEBUG : KERN_CRIT;
+
+ print_gr(level, regs);
+
+ for (i = 0; i < 8; i += 4)
+ PRINTREGS(level, regs->sr, "sr", RFMT, i);
+
+- if (user_mode(regs))
++ if (user)
+ print_fr(level, regs);
+
+ cr30 = mfctl(30);
+@@ -139,12 +139,16 @@ void show_regs(struct pt_regs *regs)
+ printk("%s CPU: %8d CR30: " RFMT " CR31: " RFMT "\n",
+ level, current_thread_info()->cpu, cr30, cr31);
+ printk("%s ORIG_R28: " RFMT "\n", level, regs->orig_r28);
+- printk(level);
+- print_symbol(" IAOQ[0]: %s\n", regs->iaoq[0]);
+- printk(level);
+- print_symbol(" IAOQ[1]: %s\n", regs->iaoq[1]);
+- printk(level);
+- print_symbol(" RP(r2): %s\n", regs->gr[2]);
++
++ if (user) {
++ printk("%s IAOQ[0]: " RFMT "\n", level, regs->iaoq[0]);
++ printk("%s IAOQ[1]: " RFMT "\n", level, regs->iaoq[1]);
++ printk("%s RP(r2): " RFMT "\n", level, regs->gr[2]);
++ } else {
++ printk("%s IAOQ[0]: %pS\n", level, (void *) regs->iaoq[0]);
++ printk("%s IAOQ[1]: %pS\n", level, (void *) regs->iaoq[1]);
++ printk("%s RP(r2): %pS\n", level, (void *) regs->gr[2]);
++ }
+ }
+
+
+@@ -165,17 +169,12 @@ static void do_show_stack(struct unwind_
+ break;
+
+ if (__kernel_text_address(info->ip)) {
+- printk(" [<" RFMT ">] ", info->ip);
+-#ifdef CONFIG_KALLSYMS
+- print_symbol("%s\n", info->ip);
+-#else
+- if ((i & 0x03) == 0)
+- printk("\n");
+-#endif
++ printk(KERN_CRIT " [<" RFMT ">] %pS\n",
++ info->ip, (void *) info->ip);
+ i++;
+ }
+ }
+- printk("\n");
++ printk(KERN_CRIT "\n");
+ }
+
+ void show_stack(struct task_struct *task, unsigned long *s)
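Review bot: The `%pS` conversions in the new `printk()` calls in show_regs() and do_show_stack() replace `print_symbol()`, but the symbol-resolving `%pS` extension was added to the kernel's vsprintf well after 2.6.18. Unless this tree carries a backport of it (nothing on this page shows one), these lines would print a bare pointer followed by a literal `S`, and kernel-mode oops output would lose its symbol names. For the 2.6.18 backport I would keep `#include <linux/kallsyms.h>` and the original `printk(level); print_symbol(" IAOQ[0]: %s\n", regs->iaoq[0]);` form in the `else` branch and in do_show_stack(), and take only the `if (user)` branch that prints raw `RFMT` values. Point (a) of the description, not unwinding the stack for userspace processes, has no corresponding change in these hunks, so the header should say whether 2.6.18 needs it; do_show_stack()'s body starts outside the hunk.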
Copied: dists/etch/linux-2.6/debian/patches/bugfix/mips/fix-potential-dos.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/mips/fix-potential-dos.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/mips/fix-potential-dos.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/mips/fix-potential-dos.patch)
@@ -0,0 +1,69 @@
+From: Vlad Malov <Vlad.Malov at caviumnetworks.com>
+Date: Tue, 18 Nov 2008 23:05:46 +0000 (-0800)
+Subject: MIPS: Fix potential DOS by untrusted user app.
+X-Git-Url: http://www.linux-mips.org/git?p=linux.git;a=commitdiff_plain;h=9718dcd85e604007fcacfe9c6cf71f8a2ddb1c37
+
+MIPS: Fix potential DOS by untrusted user app.
+
+On a 64 bit kernel if an o32 syscall was made with a syscall number less
+than 4000, we would read the function from outside of the bounds of the
+syscall table. This led to non-deterministic behavior including system
+crashes.
+
+While we were at it we reworked the 32 bit version as well to use fewer
+instructions. Both 32 and 64 bit versions are use the same code now.
+
+Signed-off-by: Vlad Malov <Vlad.Malov at caviumnetworks.com>
+Signed-off-by: David Daney <ddaney at caviumnetworks.com>
+Signed-off-by: Ralf Baechle <ralf at linux-mips.org>
+(cherry picked from commit 24f8c295c60d135ba058eecf9b85a521ed2d50a3)
+---
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <danf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/arch/mips/kernel/scall32-o32.S linux-source-2.6.18/arch/mips/kernel/scall32-o32.S
+--- linux-source-2.6.18.orig/arch/mips/kernel/scall32-o32.S 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/mips/kernel/scall32-o32.S 2009-02-22 23:45:02.000000000 -0700
+@@ -281,18 +281,11 @@ bad_alignment:
+ subu t0, a0, __NR_O32_Linux # check syscall number
+ sltiu v0, t0, __NR_O32_Linux_syscalls + 1
+ #endif
++ beqz t0, einval # do not recurse
+ sll t1, t0, 3
+ beqz v0, einval
+-
+ lw t2, sys_call_table(t1) # syscall routine
+
+-#if defined(CONFIG_BINFMT_IRIX)
+- li v1, 4000 # nr of sys_syscall
+-#else
+- li v1, 4000 - __NR_O32_Linux # index of sys_syscall
+-#endif
+- beq t0, v1, einval # do not recurse
+-
+ /* Some syscalls like execve get their arguments from struct pt_regs
+ and claim zero arguments in the syscall table. Thus we have to
+ assume the worst case and shuffle around all potential arguments.
+diff -urpN linux-source-2.6.18.orig/arch/mips/kernel/scall64-o32.S linux-source-2.6.18/arch/mips/kernel/scall64-o32.S
+--- linux-source-2.6.18.orig/arch/mips/kernel/scall64-o32.S 2008-12-25 14:04:12.000000000 -0700
++++ linux-source-2.6.18/arch/mips/kernel/scall64-o32.S 2009-02-22 23:45:02.000000000 -0700
+@@ -174,14 +174,12 @@ not_o32_scall:
+ END(handle_sys)
+
+ LEAF(sys32_syscall)
+- sltu v0, a0, __NR_O32_Linux + __NR_O32_Linux_syscalls + 1
++ subu t0, a0, __NR_O32_Linux # check syscall number
++ sltiu v0, t0, __NR_O32_Linux_syscalls + 1
++ beqz t0, einval # do not recurse
++ dsll t1, t0, 3
+ beqz v0, einval
+-
+- dsll v0, a0, 3
+- ld t2, (sys_call_table - (__NR_O32_Linux * 8))(v0)
+-
+- li v1, 4000 # indirect syscall number
+- beq a0, v1, einval # do not recurse
++ ld t2, sys_call_table(t1) # syscall routine
+
+ move a0, a1 # shift argument registers
+ move a1, a2
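Review bot: In scall32-o32.S the new `beqz t0, einval # do not recurse` assumes the sys_syscall entry sits at index 0, but the removed lines used `li v1, 4000` under CONFIG_BINFMT_IRIX and `4000 - __NR_O32_Linux` otherwise, so with CONFIG_BINFMT_IRIX enabled the check would no longer match the entry it is meant to reject. The `#if` branch that sets up the index for that configuration is above the hunk, so this is inferred from the removed lines and the surviving `#endif`. Since 2.6.18 still has that option, the backport should keep the comparison conditional: `beqz t0, einval` in the `#else` case and the original `li v1, 4000` / `beq t0, v1, einval` pair under `#if defined(CONFIG_BINFMT_IRIX)`. The scall64-o32.S hunk shows no such conditional.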
Copied: dists/etch/linux-2.6/debian/patches/bugfix/syscall-audit-fix-32+64-syscall-hole.patch (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/syscall-audit-fix-32+64-syscall-hole.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/syscall-audit-fix-32+64-syscall-hole.patch Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/bugfix/syscall-audit-fix-32+64-syscall-hole.patch)
@@ -0,0 +1,33 @@
+commit ccbe495caa5e604b04d5a31d7459a6f6a76a756c
+Author: Roland McGrath <roland at redhat.com>
+Date: Fri Feb 27 19:03:24 2009 -0800
+
+ x86-64: syscall-audit: fix 32/64 syscall hole
+
+ On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with
+ ljmp, and then use the "syscall" instruction to make a 64-bit system
+ call. A 64-bit process make a 32-bit system call with int $0x80.
+
+ In both these cases, audit_syscall_entry() will use the wrong system
+ call number table and the wrong system call argument registers. This
+ could be used to circumvent a syscall audit configuration that filters
+ based on the syscall numbers or argument details.
+
+ Signed-off-by: Roland McGrath <roland at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+Based on Eugene Teo's backport for RHEL5
+
+diff -urpN a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c
+--- a/arch/x86_64/kernel/ptrace.c 2009-04-12 18:38:52.000000000 -0600
++++ b/arch/x86_64/kernel/ptrace.c 2009-04-12 19:01:15.000000000 -0600
+@@ -604,7 +604,7 @@ asmlinkage void syscall_trace_enter(stru
+ syscall_trace(regs);
+
+ if (unlikely(current->audit_context)) {
+- if (test_thread_flag(TIF_IA32)) {
++ if (is_compat_task()) {
+ audit_syscall_entry(AUDIT_ARCH_I386,
+ regs->orig_rax,
+ regs->rbx, regs->rcx,
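Review bot: The replacement `if (is_compat_task())` depends on a helper that this patch neither defines nor adds an include for, and the fix only works if that helper reflects how the current system call was entered rather than the process-wide TIF_IA32 flag. The header should name the patch or header that provides it in the 2.6.18 tree. A comment above the test should state the property, for example `/* is_compat_task(): true when this syscall came in through the 32-bit entry path, not merely for a 32-bit process */`. The `else` arm that passes the 64-bit arch and registers is outside the hunk, so it could not be checked against the description.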
Modified: dists/etch/linux-2.6/debian/patches/features/all/vserver/vs2.0.2.2-rc9.patch
==============================================================================
--- dists/etch/linux-2.6/debian/patches/features/all/vserver/vs2.0.2.2-rc9.patch Wed May 20 19:49:42 2009 (r13662)
+++ dists/etch/linux-2.6/debian/patches/features/all/vserver/vs2.0.2.2-rc9.patch Wed May 20 19:56:03 2009 (r13663)
@@ -100,9 +100,9 @@
break;
}
up_read(&uts_sem);
-@@ -607,30 +612,30 @@ osf_sigstack(struct sigstack __user *uss
- asmlinkage long
- osf_sysinfo(int command, char __user *buf, long count)
+@@ -601,30 +606,30 @@ SYSCALL_DEFINE2(osf_sigstack, struct sig
+
+ SYSCALL_DEFINE3(osf_sysinfo, int, command, char __user *, buf, long, count)
{
- static char * sysinfo_table[] = {
- system_utsname.sysname,
@@ -661,13 +661,13 @@
PTR sys_add_key
--- linux-2.6.18.5/arch/mips/kernel/scall64-o32.S 2006-09-20 16:57:58 +0200
+++ linux-2.6.18.5-vs2.0.2.2-rc9/arch/mips/kernel/scall64-o32.S 2006-09-20 17:01:44 +0200
-@@ -482,7 +482,7 @@ sys_call_table:
+@@ -480,7 +480,7 @@ sys_call_table:
PTR compat_sys_mq_timedreceive
PTR compat_sys_mq_notify /* 4275 */
PTR compat_sys_mq_getsetattr
- PTR sys_ni_syscall /* sys_vserver */
+ PTR sys32_vserver
- PTR sys32_waitid
+ PTR sys_32_waitid
PTR sys_ni_syscall /* available, was setaltroot */
PTR sys_add_key /* 4280 */
--- linux-2.6.18.5/arch/mips/kernel/syscall.c 2006-09-20 16:57:58 +0200
@@ -680,17 +680,17 @@
#include <asm/branch.h>
#include <asm/cachectl.h>
-@@ -231,7 +232,7 @@ out:
+@@ -238,7 +239,7 @@ out:
*/
- asmlinkage int sys_uname(struct old_utsname __user * name)
+ SYSCALL_DEFINE1(uname, struct old_utsname __user *, name)
{
- if (name && !copy_to_user(name, &system_utsname, sizeof (*name)))
+ if (name && !copy_to_user(name, vx_new_utsname(), sizeof (*name)))
return 0;
return -EFAULT;
}
-@@ -242,21 +243,23 @@ asmlinkage int sys_uname(struct old_utsn
- asmlinkage int sys_olduname(struct oldold_utsname __user * name)
+@@ -249,21 +250,23 @@ SYSCALL_DEFINE1(uname, struct old_utsnam
+ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
{
int error;
+ struct new_utsname *ptr;
@@ -1041,7 +1041,7 @@
SYSCALL(sys_clock_nanosleep,sys_clock_nanosleep,sys32_clock_nanosleep_wrapper)
-NI_SYSCALL /* reserved for vserver */
+SYSCALL(sys_vserver,sys_vserver,sys32_vserver)
- SYSCALL(s390_fadvise64_64,sys_ni_syscall,sys32_fadvise64_64_wrapper)
+ SYSCALL(sys_s390_fadvise64_64,sys_ni_syscall,sys32_fadvise64_64_wrapper)
SYSCALL(sys_statfs64,sys_statfs64,compat_sys_statfs64_wrapper)
SYSCALL(sys_fstatfs64,sys_fstatfs64,compat_sys_fstatfs64_wrapper)
--- linux-2.6.18.5/arch/sh/Kconfig 2006-09-20 16:58:01 +0200
@@ -13840,25 +13840,25 @@
/**
* sys_getpid - return the thread group id of the current process
-@@ -1320,7 +1316,7 @@ asmlinkage unsigned long sys_alarm(unsig
+@@ -1320,7 +1316,7 @@ SYSCALL_DEFINE1(alarm, unsigned int, sec
*/
- asmlinkage long sys_getpid(void)
+ SYSCALL_DEFINE0(getpid)
{
- return current->tgid;
+ return vx_map_tgid(current->tgid);
}
/*
-@@ -1336,10 +1332,23 @@ asmlinkage long sys_getppid(void)
+@@ -1336,10 +1332,23 @@ SYSCALL_DEFINE0(getppid)
rcu_read_lock();
pid = rcu_dereference(current->real_parent)->tgid;
rcu_read_unlock();
+ return vx_map_pid(pid);
+}
++
++#ifdef __alpha__
- return pid;
-+#ifdef __alpha__
-+
+/*
+ * The Alpha uses getxpid, getxuid, and getxgid instead.
+ */
@@ -13871,7 +13871,7 @@
+#else /* _alpha_ */
+
- asmlinkage long sys_getuid(void)
+ SYSCALL_DEFINE0(getuid)
{
/* Only we change this so SMP safe */
@@ -1500,6 +1509,8 @@ asmlinkage long sys_sysinfo(struct sysin
@@ -20347,7 +20347,7 @@
ret = -EAGAIN;
@@ -123,7 +124,7 @@ static int do_mlock(unsigned long start,
- asmlinkage long sys_mlock(unsigned long start, size_t len)
+ SYSCALL_DEFINE2(mlock, unsigned long, start, size_t, len)
{
- unsigned long locked;
+ unsigned long locked, grow;
Modified: dists/etch/linux-2.6/debian/patches/hppa.patch
==============================================================================
--- dists/etch/linux-2.6/debian/patches/hppa.patch Wed May 20 19:49:42 2009 (r13662)
+++ dists/etch/linux-2.6/debian/patches/hppa.patch Wed May 20 19:56:03 2009 (r13663)
@@ -3201,14 +3201,14 @@
index 8b5df98..eeca660 100644
--- a/arch/parisc/kernel/sys_parisc.c
+++ b/arch/parisc/kernel/sys_parisc.c
-@@ -31,6 +31,8 @@ #include <linux/mman.h>
+@@ -31,6 +31,8 @@
#include <linux/shm.h>
#include <linux/smp_lock.h>
#include <linux/syscalls.h>
+#include <linux/utsname.h>
+#include <linux/personality.h>
- int sys_pipe(int __user *fildes)
+ static unsigned long get_unshared_area(unsigned long addr, unsigned long len)
{
@@ -248,3 +250,46 @@ asmlinkage int sys_free_hugepages(unsign
{
Copied: dists/etch/linux-2.6/debian/patches/series/24etch1 (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/series/24etch1)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/series/24etch1 Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/series/24etch1)
@@ -0,0 +1,84 @@
++ bugfix/all/watchdog-ib700wdt-buffer_underflow.patch
++ bugfix/all/nfs-remove-buggy-lock-if-signalled-case.patch
++ bugfix/all/sctp-avoid-memory-overflow.patch
++ bugfix/all/CVE-2009-0029/0001-Move-compat-system-call-declarations.patch
++ bugfix/all/CVE-2009-0029/0002-Convert-all-system-calls-to-return-a.patch
++ bugfix/all/CVE-2009-0029/0003-Rename-old_readdir-to-sys_old_readdi.patch
++ bugfix/all/CVE-2009-0029/0004pre1-ia64-kill-sys32_pipe.patch
++ bugfix/all/CVE-2009-0029/0004pre2-unify-sys_pipe.patch
++ bugfix/all/CVE-2009-0029/0004pre3-kill-redundant-sys_pipe-protos.patch
++ bugfix/all/CVE-2009-0029/0004-Remove-__attribute__-weak-from-sy.patch
++ bugfix/all/CVE-2009-0029/0005-Make-sys_pselect7-static.patch
++ bugfix/all/CVE-2009-0029/0006-Make-sys_syslog-a-conditional-system.patch
++ bugfix/all/CVE-2009-0029/0007pre1-create-arch-kconfig.patch
++ bugfix/all/CVE-2009-0029/0007-System-call-wrapper-infrastructure.patch
++ bugfix/all/CVE-2009-0029/0008-powerpc-Enable-syscall-wrappers-for.patch
++ bugfix/all/CVE-2009-0029/0009-s390-enable-system-call-wrappers.patch
++ bugfix/all/CVE-2009-0029/0010-System-call-wrapper-special-cases.patch
++ bugfix/all/CVE-2009-0029/0011-System-call-wrappers-part-01.patch
++ bugfix/all/CVE-2009-0029/0012-System-call-wrappers-part-02.patch
++ bugfix/all/CVE-2009-0029/0013-System-call-wrappers-part-03.patch
++ bugfix/all/CVE-2009-0029/0014-System-call-wrappers-part-04.patch
++ bugfix/all/CVE-2009-0029/0015-System-call-wrappers-part-05.patch
++ bugfix/all/CVE-2009-0029/0016-System-call-wrappers-part-06.patch
++ bugfix/all/CVE-2009-0029/0017-System-call-wrappers-part-07.patch
++ bugfix/all/CVE-2009-0029/0018-System-call-wrappers-part-08.patch
++ bugfix/all/CVE-2009-0029/0019-System-call-wrappers-part-09.patch
++ bugfix/all/CVE-2009-0029/0020-System-call-wrappers-part-10.patch
++ bugfix/all/CVE-2009-0029/0021-System-call-wrappers-part-11.patch
++ bugfix/all/CVE-2009-0029/0022-System-call-wrappers-part-12.patch
++ bugfix/all/CVE-2009-0029/0023-System-call-wrappers-part-13.patch
++ bugfix/all/CVE-2009-0029/0024-System-call-wrappers-part-14.patch
++ bugfix/all/CVE-2009-0029/0025-System-call-wrappers-part-15.patch
++ bugfix/all/CVE-2009-0029/0026-System-call-wrappers-part-16.patch
++ bugfix/all/CVE-2009-0029/0027-System-call-wrappers-part-17.patch
++ bugfix/all/CVE-2009-0029/0028-System-call-wrappers-part-18.patch
++ bugfix/all/CVE-2009-0029/0029-System-call-wrappers-part-19.patch
++ bugfix/all/CVE-2009-0029/0030-System-call-wrappers-part-20.patch
++ bugfix/all/CVE-2009-0029/0031-System-call-wrappers-part-21.patch
++ bugfix/all/CVE-2009-0029/0032-System-call-wrappers-part-22.patch
++ bugfix/all/CVE-2009-0029/0033-System-call-wrappers-part-23.patch
++ bugfix/all/CVE-2009-0029/0034-System-call-wrappers-part-24.patch
++ bugfix/all/CVE-2009-0029/0035-System-call-wrappers-part-25.patch
++ bugfix/all/CVE-2009-0029/0036-System-call-wrappers-part-26.patch
++ bugfix/all/CVE-2009-0029/0037pre1-missing-include.patch
++ bugfix/all/CVE-2009-0029/0037-System-call-wrappers-part-27.patch
++ bugfix/all/CVE-2009-0029/0038pre1-missing-include.patch
++ bugfix/all/CVE-2009-0029/0038pre2-missing-include.patch
++ bugfix/all/CVE-2009-0029/0038-System-call-wrappers-part-28.patch
++ bugfix/all/CVE-2009-0029/0039-System-call-wrappers-part-29.patch
++ bugfix/all/CVE-2009-0029/0040-System-call-wrappers-part-30.patch
++ bugfix/all/CVE-2009-0029/0041-System-call-wrappers-part-31.patch
++ bugfix/all/CVE-2009-0029/0042-System-call-wrappers-part-32.patch
++ bugfix/all/CVE-2009-0029/0043pre1-missing-include.patch
++ bugfix/all/CVE-2009-0029/0043-System-call-wrappers-part-33.patch
++ bugfix/all/CVE-2009-0029/0044pre1-system-call-cleanup.patch
++ bugfix/all/CVE-2009-0029/0044-s390-specific-system-call-wrappers.patch
++ bugfix/all/CVE-2009-0029/0091-avoid-abi-change.patch
++ bugfix/all/security-keyctl-missing-kfree.patch
++ bugfix/all/dell_rbu-use-scnprintf-instead-of-sprintf.patch
++ bugfix/hppa/userspace-unwind-crash.patch
++ bugfix/all/net-add-preempt-point-in-qdisc_run.patch
++ bugfix/mips/fix-potential-dos.patch
++ bugfix/all/net-SO_BSDCOMPAT-leak.patch
++ bugfix/all/net-SO_BSDCOMPAT-leak-2.patch
++ bugfix/all/CVE-2009-0029/mips-rename-sys_pipe.patch
++ bugfix/all/CVE-2009-0029/mips-enable-syscall-wrappers.patch
++ bugfix/all/CVE-2009-0029/mips-enable-syscall-wrappers-no-abi-change.patch
++ bugfix/all/CVE-2009-0029/alpha-use-syscall-wrappers.patch
++ bugfix/all/CVE-2009-0029/compat-zero-upper-32bits-of-offset_high-and-offset_low.patch
++ bugfix/all/CVE-2009-0029/fix-uml-compile.patch
++ bugfix/all/CVE-2009-0029/sparc64-use-syscall-wrappers.patch
++ bugfix/all/CVE-2009-0029/sparc64-wrap-arch-specific-syscalls.patch
++ bugfix/all/skfp-fix-inverted-cap-logic.patch
++ bugfix/syscall-audit-fix-32+64-syscall-hole.patch
++ bugfix/all/shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch
++ bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch
++ bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
++ bugfix/all/nfs-fix-oops-in-encode_lookup.patch
++ bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch
++ bugfix/all/agp-zero-pages-before-sending-to-userspace.patch
++ bugfix/all/cifs-fix-memory-overwrite-when-saving-nativeFileSystem-field-during-mount.patch
++ bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch
++ bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch
++ bugfix/all/CVE-2009-0029/drop-sys_write-sys_lseek-exports.patch
Copied: dists/etch/linux-2.6/debian/patches/series/24etch2 (from r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/series/24etch2)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/series/24etch2 Wed May 20 19:56:03 2009 (r13663, copy of r13662, releases/linux-2.6/2.6.18.dfsg.1-24etch2/debian/patches/series/24etch2)
@@ -0,0 +1 @@
++ bugfix/all/CVE-2009-0029/mips-rename-sys_pipe-2.patch