[kernel] r14413 - in dists/lenny/linux-2.6: . debian debian/config debian/patches/bugfix/all debian/patches/bugfix/x86 debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Oct 19 19:12:36 UTC 2009
Author: dannf
Date: Mon Oct 19 19:12:32 2009
New Revision: 14413
Log:
merge 2.6.26-19lenny1
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/can-fix-raw_getname-leak.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/can-fix-raw_getname-leak.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/capabilities-move-cap_file_mmap-to-commoncap.c.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/capabilities-move-cap_file_mmap-to-commoncap.c.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-fix-econet_getname-leak.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/econet-fix-econet_getname-leak.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/irda-fix-irda_getname-leak.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/irda-fix-irda_getname-leak.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/net-llc-zero-sockaddr_llc-struct.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/net-llc-zero-sockaddr_llc-struct.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/netrom-fix-nr_getname-leak.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/netrom-fix-nr_getname-leak.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd4-de-union-iattr-and-verf.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/nfsd4-de-union-iattr-and-verf.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-use-hardware-auto-padding.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/r8169-use-hardware-auto-padding.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/rose-fix-rose_getname-leak.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/rose-fix-rose_getname-leak.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/security-define-round_hint_to_min-when-CONFIG_SECURITY-is-off.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/security-define-round_hint_to_min-when-CONFIG_SECURITY-is-off.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/security-seperate-lsm-specific-mmap_min_addr-abi.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/security-seperate-lsm-specific-mmap_min_addr-abi.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/security-seperate-lsm-specific-mmap_min_addr.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/security-seperate-lsm-specific-mmap_min_addr.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/security-use-mmap_min_addr-independently-of-security-models.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/security-use-mmap_min_addr-independently-of-security-models.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/selinux-call-cap_file_mmap-in-selinux_file_mmap.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/selinux-call-cap_file_mmap-in-selinux_file_mmap.patch
dists/lenny/linux-2.6/debian/patches/bugfix/x86/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/x86/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch
dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-disallow-hypercalls-for-guest-callers-in-rings-gt-0.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/x86/kvm-disallow-hypercalls-for-guest-callers-in-rings-gt-0.patch
dists/lenny/linux-2.6/debian/patches/bugfix/x86/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/x86/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch
dists/lenny/linux-2.6/debian/patches/series/19lenny1
- copied unchanged from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/series/19lenny1
Modified:
dists/lenny/linux-2.6/ (props changed)
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/config/config
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Mon Oct 19 18:57:06 2009 (r14412)
+++ dists/lenny/linux-2.6/debian/changelog Mon Oct 19 19:12:32 2009 (r14413)
@@ -47,6 +47,28 @@
-- Ben Hutchings <ben at decadent.org.uk> Fri, 21 Aug 2009 00:11:55 +0100
+linux-2.6 (2.6.26-19lenny1) stable-security; urgency=high
+
+ * appletalk: Fix skb leak when ipddp interface is not loaded
+ (CVE-2009-2903)
+ * KVM: x86: Disallow hypercalls for guest callers in rings > 0
+ (CVE-2009-3290)
+ * selinux: prevent local users from bypassing mmap_min_addr
+ in unconfined domains (CVE-2009-2695)
+ * fix information leak in llc_ui_getname (CVE-2009-3001)
+ * net: fix information leak due to uninitialized structures in
+ getname functions (CVE-2009-3002)
+ * eCryptfs: Prevent lower dentry from going negative during unlink
+ (CVE-2009-2908)
+ * net ax25: Fix signed comparison in the sockopt handler (CVE-2009-2909)
+ * x86: Don't leak 64-bit kernel register values to 32-bit processes
+ (CVE-2009-2910)
+ * NFSv4: move iattr & verf attributes of struct nfsd4_open out of the
+ union (CVE-2009-3286)
+ * r8169: use hardware auto padding (CVE-2009-3613)
+
+ -- dann frazier <dannf at debian.org> Sat, 17 Oct 2009 10:52:13 -0600
+
linux-2.6 (2.6.26-19) stable; urgency=high
[ Moritz Muehlenhoff ]
Modified: dists/lenny/linux-2.6/debian/config/config
==============================================================================
--- dists/lenny/linux-2.6/debian/config/config Mon Oct 19 18:57:06 2009 (r14412)
+++ dists/lenny/linux-2.6/debian/config/config Mon Oct 19 19:12:32 2009 (r14413)
@@ -2034,6 +2034,11 @@
# CONFIG_KGDB is not set
##
+## file: mm/Kconfig
+##
+CONFIG_DEFAULT_MMAP_MIN_ADDR=0
+
+##
## file: net/Kconfig
##
CONFIG_NET=y
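Review bot: `CONFIG_DEFAULT_MMAP_MIN_ADDR=0` keeps the low-address mapping floor disabled, so the `addr < dac_mmap_min_addr` test introduced by the cap_file_mmap patch in this same commit never fires unless vm.mmap_min_addr is raised at runtime via sysctl; the second hunk drops `CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=0`, so the value is carried across the rename unchanged. If keeping 0 is deliberate for lenny (compatibility with software that needs low mappings), a comment next to the option would save the next reader the question, e.g. `## kept at 0 for compatibility; raise via the vm.mmap_min_addr sysctl`.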
@@ -2516,7 +2521,6 @@
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_FILE_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
-CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=0
##
## file: security/selinux/Kconfig
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch)
@@ -0,0 +1,182 @@
+commit ffcfb8db540ff879c2a85bf7e404954281443414
+Author: Arnaldo Carvalho de Melo <acme at redhat.com>
+Date: Fri Sep 11 11:35:22 2009 -0700
+
+ Subject: [PATCH] appletalk: Fix skb leak when ipddp interface is not loaded
+
+ And also do a better job of returning proper NET_{RX,XMIT}_ values.
+
+ Based on a patch and suggestions by Mark Smith.
+
+ This fixes CVE-2009-2903
+
+ Reported-by: Mark Smith <lk-netdev at lk-netdev.nosense.org>
+ Signed-off-by: Arnaldo Carvalho de Melo <acme at redhat.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/net/appletalk/ipddp.c linux-source-2.6.26/drivers/net/appletalk/ipddp.c
+--- linux-source-2.6.26.orig/drivers/net/appletalk/ipddp.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/net/appletalk/ipddp.c 2009-09-16 00:03:40.000000000 -0600
+@@ -173,8 +173,7 @@ static int ipddp_xmit(struct sk_buff *sk
+ ((struct net_device_stats *) dev->priv)->tx_packets++;
+ ((struct net_device_stats *) dev->priv)->tx_bytes+=skb->len;
+
+- if(aarp_send_ddp(rt->dev, skb, &rt->at, NULL) < 0)
+- dev_kfree_skb(skb);
++ aarp_send_ddp(rt->dev, skb, &rt->at, NULL);
+
+ return 0;
+ }
+diff -urpN linux-source-2.6.26.orig/net/appletalk/aarp.c linux-source-2.6.26/net/appletalk/aarp.c
+--- linux-source-2.6.26.orig/net/appletalk/aarp.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/appletalk/aarp.c 2009-09-16 00:03:40.000000000 -0600
+@@ -598,7 +598,7 @@ int aarp_send_ddp(struct net_device *dev
+
+ /* Non ELAP we cannot do. */
+ if (dev->type != ARPHRD_ETHER)
+- return -1;
++ goto free_it;
+
+ skb->dev = dev;
+ skb->protocol = htons(ETH_P_ATALK);
+@@ -633,7 +633,7 @@ int aarp_send_ddp(struct net_device *dev
+ if (!a) {
+ /* Whoops slipped... good job it's an unreliable protocol 8) */
+ write_unlock_bh(&aarp_lock);
+- return -1;
++ goto free_it;
+ }
+
+ /* Set up the queue */
+@@ -662,14 +662,19 @@ out_unlock:
+ write_unlock_bh(&aarp_lock);
+
+ /* Tell the ddp layer we have taken over for this frame. */
+- return 0;
++ goto sent;
+
+ sendit:
+ if (skb->sk)
+ skb->priority = skb->sk->sk_priority;
+- dev_queue_xmit(skb);
++ if (dev_queue_xmit(skb))
++ goto drop;
+ sent:
+- return 1;
++ return NET_XMIT_SUCCESS;
++free_it:
++ kfree_skb(skb);
++drop:
++ return NET_XMIT_DROP;
+ }
+
+ /*
+diff -urpN linux-source-2.6.26.orig/net/appletalk/ddp.c linux-source-2.6.26/net/appletalk/ddp.c
+--- linux-source-2.6.26.orig/net/appletalk/ddp.c 2009-09-16 00:03:02.000000000 -0600
++++ linux-source-2.6.26/net/appletalk/ddp.c 2009-09-16 00:03:40.000000000 -0600
+@@ -1276,8 +1276,10 @@ static int handle_ip_over_ddp(struct sk_
+ struct net_device_stats *stats;
+
+ /* This needs to be able to handle ipddp"N" devices */
+- if (!dev)
+- return -ENODEV;
++ if (!dev) {
++ kfree_skb(skb);
++ return NET_RX_DROP;
++ }
+
+ skb->protocol = htons(ETH_P_IP);
+ skb_pull(skb, 13);
+@@ -1287,8 +1289,7 @@ static int handle_ip_over_ddp(struct sk_
+ stats = dev->priv;
+ stats->rx_packets++;
+ stats->rx_bytes += skb->len + 13;
+- netif_rx(skb); /* Send the SKB up to a higher place. */
+- return 0;
++ return netif_rx(skb); /* Send the SKB up to a higher place. */
+ }
+ #else
+ /* make it easy for gcc to optimize this test out, i.e. kill the code */
+@@ -1296,9 +1297,8 @@ static int handle_ip_over_ddp(struct sk_
+ #define handle_ip_over_ddp(skb) 0
+ #endif
+
+-static void atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
+- struct ddpehdr *ddp, __u16 len_hops,
+- int origlen)
++static int atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
++ struct ddpehdr *ddp, __u16 len_hops, int origlen)
+ {
+ struct atalk_route *rt;
+ struct atalk_addr ta;
+@@ -1365,8 +1365,6 @@ static void atalk_route_packet(struct sk
+ /* 22 bytes - 12 ether, 2 len, 3 802.2 5 snap */
+ struct sk_buff *nskb = skb_realloc_headroom(skb, 32);
+ kfree_skb(skb);
+- if (!nskb)
+- goto out;
+ skb = nskb;
+ } else
+ skb = skb_unshare(skb, GFP_ATOMIC);
+@@ -1375,12 +1373,16 @@ static void atalk_route_packet(struct sk
+ * If the buffer didn't vanish into the lack of space bitbucket we can
+ * send it.
+ */
+- if (skb && aarp_send_ddp(rt->dev, skb, &ta, NULL) == -1)
+- goto free_it;
+-out:
+- return;
++ if (skb == NULL)
++ goto drop;
++
++ if (aarp_send_ddp(rt->dev, skb, &ta, NULL) == NET_XMIT_DROP)
++ return NET_RX_DROP;
++ return NET_XMIT_SUCCESS;
+ free_it:
+ kfree_skb(skb);
++drop:
++ return NET_RX_DROP;
+ }
+
+ /**
+@@ -1454,8 +1456,7 @@ static int atalk_rcv(struct sk_buff *skb
+ /* Not ours, so we route the packet via the correct
+ * AppleTalk iface
+ */
+- atalk_route_packet(skb, dev, ddp, len_hops, origlen);
+- return NET_RX_SUCCESS;
++ return atalk_route_packet(skb, dev, ddp, len_hops, origlen);
+ }
+
+ /* if IP over DDP is not selected this code will be optimized out */
+@@ -1665,10 +1666,10 @@ static int atalk_sendmsg(struct kiocb *i
+ if (skb2) {
+ loopback = 1;
+ SOCK_DEBUG(sk, "SK %p: send out(copy).\n", sk);
+- if (aarp_send_ddp(dev, skb2,
+- &usat->sat_addr, NULL) == -1)
+- kfree_skb(skb2);
+- /* else queued/sent above in the aarp queue */
++ /*
++ * If it fails it is queued/sent above in the aarp queue
++ */
++ aarp_send_ddp(dev, skb2, &usat->sat_addr, NULL);
+ }
+ }
+
+@@ -1698,9 +1699,10 @@ static int atalk_sendmsg(struct kiocb *i
+ usat = &gsat;
+ }
+
+- if (aarp_send_ddp(dev, skb, &usat->sat_addr, NULL) == -1)
+- kfree_skb(skb);
+- /* else queued/sent above in the aarp queue */
++ /*
++ * If it fails it is queued/sent above in the aarp queue
++ */
++ aarp_send_ddp(dev, skb, &usat->sat_addr, NULL);
+ }
+ SOCK_DEBUG(sk, "SK %p: Done write (%Zd).\n", sk, len);
+
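Review bot: The new comment added in both atalk_sendmsg hunks, `If it fails it is queued/sent above in the aarp queue`, is misleading: after this patch aarp_send_ddp() frees the skb on every failure path (`free_it: kfree_skb(skb);` in the aarp.c hunk), so the caller must not touch the buffer afterwards, and the comment should say so, e.g. `/* aarp_send_ddp() consumes the skb: it is queued, transmitted, or freed */`. In atalk_route_packet the success path uses `return NET_XMIT_SUCCESS;` while every other return in the function and its caller atalk_rcv use NET_RX_* values; both are 0, but `return NET_RX_SUCCESS;` states the function's new contract correctly. The ddp.c hunk at 1454 expects `return NET_RX_SUCCESS;` to already be present, which means appletalk-use-correct-returns-for-atalk_rcv.patch must precede this one in the series file (not shown here).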
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch)
@@ -0,0 +1,99 @@
+commit 6885ffb3a1b4abf731fd0891a2c1544a83c2651d
+Author: Mark Smith <lk-netdev at lk-netdev.nosense.org>
+Date: Thu Aug 6 23:21:22 2009 +0000
+
+ Use correct NET_RX_* returns for atalk_rcv()
+
+ In all rx'd SKB cases, atalk_rcv() either eventually jumps to or falls through
+ to the label out:, which returns numeric 0. Numeric 0 corresponds to
+ NET_RX_SUCCESS, which is incorrect in failed SKB cases.
+
+ This patch makes atalk_rcv() provide the correct returns by:
+
+ o explicitly returning NET_RX_SUCCESS in the two success cases
+ o having the out: label return NET_RX_DROP, instead of numeric 0
+ o making the failed SKB labels and processing more consistent with other
+ _rcv() routines in the kernel, simplifying validation and removing a
+ backwards goto
+
+ Signed-off-by: Mark Smith <markzzzsmith at yahoo.com.au>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/net/appletalk/ddp.c linux-source-2.6.26/net/appletalk/ddp.c
+--- linux-source-2.6.26.orig/net/appletalk/ddp.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/appletalk/ddp.c 2009-09-15 22:35:19.000000000 -0600
+@@ -1406,7 +1406,7 @@ static int atalk_rcv(struct sk_buff *skb
+ __u16 len_hops;
+
+ if (dev_net(dev) != &init_net)
+- goto freeit;
++ goto drop;
+
+ /* Don't mangle buffer if shared */
+ if (!(skb = skb_share_check(skb, GFP_ATOMIC)))
+@@ -1414,7 +1414,7 @@ static int atalk_rcv(struct sk_buff *skb
+
+ /* Size check and make sure header is contiguous */
+ if (!pskb_may_pull(skb, sizeof(*ddp)))
+- goto freeit;
++ goto drop;
+
+ ddp = ddp_hdr(skb);
+
+@@ -1432,7 +1432,7 @@ static int atalk_rcv(struct sk_buff *skb
+ if (skb->len < sizeof(*ddp) || skb->len < (len_hops & 1023)) {
+ pr_debug("AppleTalk: dropping corrupted frame (deh_len=%u, "
+ "skb->len=%u)\n", len_hops & 1023, skb->len);
+- goto freeit;
++ goto drop;
+ }
+
+ /*
+@@ -1442,7 +1442,7 @@ static int atalk_rcv(struct sk_buff *skb
+ if (ddp->deh_sum &&
+ atalk_checksum(skb, len_hops & 1023) != ddp->deh_sum)
+ /* Not a valid AppleTalk frame - dustbin time */
+- goto freeit;
++ goto drop;
+
+ /* Check the packet is aimed at us */
+ if (!ddp->deh_dnet) /* Net 0 is 'this network' */
+@@ -1455,7 +1455,7 @@ static int atalk_rcv(struct sk_buff *skb
+ * AppleTalk iface
+ */
+ atalk_route_packet(skb, dev, ddp, len_hops, origlen);
+- goto out;
++ return NET_RX_SUCCESS;
+ }
+
+ /* if IP over DDP is not selected this code will be optimized out */
+@@ -1471,18 +1471,21 @@ static int atalk_rcv(struct sk_buff *skb
+
+ sock = atalk_search_socket(&tosat, atif);
+ if (!sock) /* But not one of our sockets */
+- goto freeit;
++ goto drop;
+
+ /* Queue packet (standard) */
+ skb->sk = sock;
+
+ if (sock_queue_rcv_skb(sock, skb) < 0)
+- goto freeit;
+-out:
+- return 0;
+-freeit:
++ goto drop;
++
++ return NET_RX_SUCCESS;
++
++drop:
+ kfree_skb(skb);
+- goto out;
++out:
++ return NET_RX_DROP;
++
+ }
+
+ /*
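Review bot: The `out:` label that now follows `drop:` has no remaining user inside this hunk; the only jump to it is presumably the skb_share_check() failure just after the first hunk, where skb is already NULL and must not be freed, so the asymmetry deserves a comment such as `out: /* reached directly only when skb is already NULL: nothing to free */`. The routed path still reports `return NET_RX_SUCCESS;` regardless of what atalk_route_packet() does with the buffer; that is addressed by appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch, whose context requires it to be applied after this one. The blank line between `return NET_RX_DROP;` and the closing brace is a stray.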
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/can-fix-raw_getname-leak.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/can-fix-raw_getname-leak.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/can-fix-raw_getname-leak.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/can-fix-raw_getname-leak.patch)
@@ -0,0 +1,27 @@
+commit e84b90ae5eb3c112d1f208964df1d8156a538289
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Thu Aug 6 20:27:04 2009 +0000
+
+ can: Fix raw_getname() leak
+
+ raw_getname() can leak 10 bytes of kernel memory to user
+
+ (two bytes hole between can_family and can_ifindex,
+ 8 bytes at the end of sockaddr_can structure)
+
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Acked-by: Oliver Hartkopp <oliver at hartkopp.net>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/can/raw.c b/net/can/raw.c
+index f4cc445..db3152d 100644
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -401,6 +401,7 @@ static int raw_getname(struct socket *sock, struct sockaddr *uaddr,
+ if (peer)
+ return -EOPNOTSUPP;
+
++ memset(addr, 0, sizeof(*addr));
+ addr->can_family = AF_CAN;
+ addr->can_ifindex = ro->ifindex;
+
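Review bot: The added `memset(addr, 0, sizeof(*addr));` closes the leak but nothing in the code says why it is there, and a later cleanup could drop it as redundant once every field appears to be assigned. A one-line comment pins the contract: `memset(addr, 0, sizeof(*addr)); /* copied to userspace: clear padding and trailing bytes */`. The same applies to the memset lines added by the econet, irda and llc getname patches later in this commit (the netrom one is cut off at the end of this page).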
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/capabilities-move-cap_file_mmap-to-commoncap.c.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/capabilities-move-cap_file_mmap-to-commoncap.c.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/capabilities-move-cap_file_mmap-to-commoncap.c.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/capabilities-move-cap_file_mmap-to-commoncap.c.patch)
@@ -0,0 +1,91 @@
+commit 9c0d90103c7e0eb6e638e5b649e9f6d8d9c1b4b3
+Author: Eric Paris <eparis at redhat.com>
+Date: Fri Jul 31 12:53:58 2009 -0400
+
+ Capabilities: move cap_file_mmap to commoncap.c
+
+ Currently we duplicate the mmap_min_addr test in cap_file_mmap and in
+ security_file_mmap if !CONFIG_SECURITY. This patch moves cap_file_mmap
+ into commoncap.c and then calls that function directly from
+ security_file_mmap ifndef CONFIG_SECURITY like all of the other capability
+ checks are done.
+
+ Signed-off-by: Eric Paris <eparis at redhat.com>
+ Acked-by: Serge Hallyn <serue at us.ibm.com>
+ Signed-off-by: James Morris <jmorris at namei.org>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/include/linux/security.h linux-source-2.6.26/include/linux/security.h
+--- linux-source-2.6.26.orig/include/linux/security.h 2009-09-30 09:13:56.000000000 -0600
++++ linux-source-2.6.26/include/linux/security.h 2009-09-30 09:14:23.000000000 -0600
+@@ -58,6 +58,9 @@ extern int cap_inode_setxattr(struct den
+ extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
+ extern int cap_inode_need_killpriv(struct dentry *dentry);
+ extern int cap_inode_killpriv(struct dentry *dentry);
++extern int cap_file_mmap(struct file *file, unsigned long reqprot,
++ unsigned long prot, unsigned long flags,
++ unsigned long addr, unsigned long addr_only);
+ extern int cap_task_post_setuid(uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
+ extern void cap_task_reparent_to_init(struct task_struct *p);
+ extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
+@@ -2135,9 +2138,7 @@ static inline int security_file_mmap(str
+ unsigned long addr,
+ unsigned long addr_only)
+ {
+- if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
+- return -EACCES;
+- return 0;
++ return cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
+ }
+
+ static inline int security_file_mprotect(struct vm_area_struct *vma,
+diff -urpN linux-source-2.6.26.orig/security/commoncap.c linux-source-2.6.26/security/commoncap.c
+--- linux-source-2.6.26.orig/security/commoncap.c 2009-08-18 23:15:10.000000000 -0600
++++ linux-source-2.6.26/security/commoncap.c 2009-09-30 09:17:19.000000000 -0600
+@@ -689,3 +689,31 @@ int cap_vm_enough_memory(struct mm_struc
+ return __vm_enough_memory(mm, pages, cap_sys_admin);
+ }
+
++/*
++ * cap_file_mmap - check if able to map given addr
++ * @file: unused
++ * @reqprot: unused
++ * @prot: unused
++ * @flags: unused
++ * @addr: address attempting to be mapped
++ * @addr_only: unused
++ *
++ * If the process is attempting to map memory below mmap_min_addr they need
++ * CAP_SYS_RAWIO. The other parameters to this function are unused by the
++ * capability security module. Returns 0 if this mapping should be allowed
++ * -EPERM if not.
++ */
++int cap_file_mmap(struct file *file, unsigned long reqprot,
++ unsigned long prot, unsigned long flags,
++ unsigned long addr, unsigned long addr_only)
++{
++ int ret = 0;
++
++ if (addr < dac_mmap_min_addr) {
++ ret = cap_capable(current, CAP_SYS_RAWIO);
++ /* set PF_SUPERPRIV if it turns out we allow the low mmap */
++ if (ret == 0)
++ current->flags |= PF_SUPERPRIV;
++ }
++ return ret;
++}
+diff -urpN linux-source-2.6.26.orig/security/dummy.c linux-source-2.6.26/security/dummy.c
+--- linux-source-2.6.26.orig/security/dummy.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/security/dummy.c 2009-09-30 09:14:23.000000000 -0600
+@@ -459,9 +459,7 @@ static int dummy_file_mmap (struct file
+ unsigned long addr,
+ unsigned long addr_only)
+ {
+- if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
+- return -EACCES;
+- return 0;
++ return cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
+ }
+
+ static int dummy_file_mprotect (struct vm_area_struct *vma,
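Review bot: The kerneldoc on cap_file_mmap says the check is against mmap_min_addr and that a refused mapping returns -EPERM, but the body compares against `dac_mmap_min_addr`, and the two call sites this replaces (security.h and dummy.c) previously returned -EACCES, so the errno userspace sees for a denied low mapping changes from EACCES to EPERM in the !CONFIG_SECURITY and dummy configurations. If that change is intended, the changelog or a comment should say so; otherwise map the result back to -EACCES at those two call sites. The comment should also name the variable actually tested: `* If the process is attempting to map memory below dac_mmap_min_addr they need`. `dac_mmap_min_addr` is introduced by the separate security-seperate-lsm-specific-mmap_min_addr patch, so that patch has to precede this one in the series.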
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-fix-econet_getname-leak.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/econet-fix-econet_getname-leak.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-fix-econet_getname-leak.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/econet-fix-econet_getname-leak.patch)
@@ -0,0 +1,23 @@
+commit 80922bbb12a105f858a8f0abb879cb4302d0ecaa
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Thu Aug 6 03:48:36 2009 +0000
+
+ econet: Fix econet_getname() leak
+
+ econet_getname() can leak kernel memory to user.
+
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
+index 2e1f836..f0bbc57 100644
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -520,6 +520,7 @@ static int econet_getname(struct socket *sock, struct sockaddr *uaddr,
+ if (peer)
+ return -EOPNOTSUPP;
+
++ memset(sec, 0, sizeof(*sec));
+ mutex_lock(&econet_mutex);
+
+ sk = sock->sk;
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch)
@@ -0,0 +1,53 @@
+commit 9c2d2056647790c5034d722bd24e9d913ebca73c
+Author: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
+Date: Tue Sep 22 12:52:17 2009 -0500
+
+ eCryptfs: Prevent lower dentry from going negative during unlink
+
+ When calling vfs_unlink() on the lower dentry, d_delete() turns the
+ dentry into a negative dentry when the d_count is 1. This eventually
+ caused a NULL pointer deref when a read() or write() was done and the
+ negative dentry's d_inode was dereferenced in
+ ecryptfs_read_update_atime() or ecryptfs_getxattr().
+
+ Placing mutt's tmpdir in an eCryptfs mount is what initially triggered
+ the oops and I was able to reproduce it with the following sequence:
+
+ open("/tmp/upper/foo", O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW, 0600) = 3
+ link("/tmp/upper/foo", "/tmp/upper/bar") = 0
+ unlink("/tmp/upper/foo") = 0
+ open("/tmp/upper/bar", O_RDWR|O_CREAT|O_NOFOLLOW, 0600) = 4
+ unlink("/tmp/upper/bar") = 0
+ write(4, "eCryptfs test\n"..., 14 <unfinished ...>
+ +++ killed by SIGKILL +++
+
+ https://bugs.launchpad.net/ecryptfs/+bug/387073
+
+ Reported-by: Loïc Minier <loic.minier at canonical.com>
+ Cc: Serge Hallyn <serue at us.ibm.com>
+ Cc: Dave Kleikamp <shaggy at linux.vnet.ibm.com>
+ Cc: ecryptfs-devel at lists.launchpad.net
+ Cc: stable <stable at kernel.org>
+ Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/ecryptfs/inode.c linux-source-2.6.26/fs/ecryptfs/inode.c
+--- linux-source-2.6.26.orig/fs/ecryptfs/inode.c 2009-08-18 23:15:12.000000000 -0600
++++ linux-source-2.6.26/fs/ecryptfs/inode.c 2009-10-08 00:26:22.000000000 -0600
+@@ -422,6 +422,7 @@ static int ecryptfs_unlink(struct inode
+ struct inode *lower_dir_inode = ecryptfs_inode_to_lower(dir);
+ struct dentry *lower_dir_dentry;
+
++ dget(lower_dentry);
+ lower_dir_dentry = lock_parent(lower_dentry);
+ rc = vfs_unlink(lower_dir_inode, lower_dentry);
+ if (rc) {
+@@ -435,6 +436,7 @@ static int ecryptfs_unlink(struct inode
+ d_drop(dentry);
+ out_unlock:
+ unlock_dir(lower_dir_dentry);
++ dput(lower_dentry);
+ return rc;
+ }
+
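Review bot: The added `dget(lower_dentry);` carries no comment, so a reader of inode.c without this commit message sees a seemingly gratuitous get/put pair around vfs_unlink() and may remove it; add a line saying the extra reference keeps d_count above 1 so that d_delete() inside vfs_unlink() cannot turn lower_dentry negative while the eCryptfs dentry still uses its inode. Every exit between the dget and `out_unlock:` must pass through the `dput(lower_dentry);` added there; the `if (rc) {` branch is cut off by the hunk, so confirm it reaches out_unlock rather than returning directly.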
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/irda-fix-irda_getname-leak.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/irda-fix-irda_getname-leak.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/irda-fix-irda_getname-leak.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/irda-fix-irda_getname-leak.patch)
@@ -0,0 +1,23 @@
+commit 09384dfc76e526c3993c09c42e016372dc9dd22c
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Thu Aug 6 03:55:04 2009 +0000
+
+ irda: Fix irda_getname() leak
+
+ irda_getname() can leak kernel memory to user.
+
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index cb762c8..3ec2b43 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -714,6 +714,7 @@ static int irda_getname(struct socket *sock, struct sockaddr *uaddr,
+ struct sock *sk = sock->sk;
+ struct irda_sock *self = irda_sk(sk);
+
++ memset(&saddr, 0, sizeof(saddr));
+ if (peer) {
+ if (sk->sk_state != TCP_ESTABLISHED)
+ return -ENOTCONN;
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch)
@@ -0,0 +1,54 @@
+From arjan at infradead.org Thu Oct 1 11:19:55 2009
+From: Arjan van de Ven <arjan at infradead.org>
+Date: Wed, 30 Sep 2009 13:51:11 +0200
+Subject: net ax25: Fix signed comparison in the sockopt handler
+To: davem at davemloft.net
+Cc: jakub at redhat.com, torvalds at linux-foundation.org, mingo at elte.hu, stable at kernel.org
+Message-ID: <20090930135111.64240d86 at infradead.org>
+
+
+From: Arjan van de Ven <arjan at linux.intel.com>
+
+fixed upstream in commit b7058842c940ad2c08dd829b21e5c92ebe3b8758 in a different way
+
+The ax25 code tried to use
+
+ if (optlen < sizeof(int))
+ return -EINVAL;
+
+as a security check against optlen being negative (or zero) in the
+set socket option.
+
+Unfortunately, "sizeof(int)" is an unsigned property, with the
+result that the whole comparison is done in unsigned, letting
+negative values slip through.
+
+This patch changes this to
+
+ if (optlen < (int)sizeof(int))
+ return -EINVAL;
+
+so that the comparison is done as signed, and negative values
+get properly caught.
+
+Signed-off-by: Arjan van de Ven <arjan at linux.intel.com>
+Cc: David S. Miller <davem at davemloft.net>
+Cc: Ingo Molnar <mingo at elte.hu>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ net/ax25/af_ax25.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -538,7 +538,7 @@ static int ax25_setsockopt(struct socket
+ if (level != SOL_AX25)
+ return -ENOPROTOOPT;
+
+- if (optlen < sizeof(int))
++ if (optlen < (int)sizeof(int))
+ return -EINVAL;
+
+ if (get_user(opt, (int __user *)optval))
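Review bot: `if (optlen < (int)sizeof(int))` only rejects negative values if optlen is declared as a signed `int` in this tree's ax25_setsockopt() signature, which the hunk header truncates; if it is already `unsigned int` the cast changes nothing. Worth confirming against the declaration, and worth a comment on the line since the cast looks redundant at first glance: `if (optlen < (int)sizeof(int)) /* signed compare: reject negative optlen */`. Any later use of optlen as a length lies outside the hunk and is not covered by this check.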
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/net-llc-zero-sockaddr_llc-struct.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/net-llc-zero-sockaddr_llc-struct.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/net-llc-zero-sockaddr_llc-struct.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/net-llc-zero-sockaddr_llc-struct.patch)
@@ -0,0 +1,24 @@
+commit 28e9fc592cb8c7a43e4d3147b38be6032a0e81bc
+Author: Jiri Slaby <jirislaby at gmail.com>
+Date: Sun Aug 23 22:55:51 2009 -0700
+
+ NET: llc, zero sockaddr_llc struct
+
+ sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc
+ before copying to the above layer's structure.
+
+ Signed-off-by: Jiri Slaby <jirislaby at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
+index 9208cf5..c45eee1 100644
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -914,6 +914,7 @@ static int llc_ui_getname(struct socket *sock, struct sockaddr *uaddr,
+ struct llc_sock *llc = llc_sk(sk);
+ int rc = 0;
+
++ memset(&sllc, 0, sizeof(sllc));
+ lock_sock(sk);
+ if (sock_flag(sk, SOCK_ZAPPED))
+ goto out;
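Review bot: `int rc = 0;` together with the `goto out` on the SOCK_ZAPPED test means a zapped socket leaves llc_ui_getname reporting success while `*uaddrlen` is never assigned, so the caller would go on to copy out an address with an unset length; the new memset fixes only the sllc side of the leak. If the `out:` label, which lies outside this hunk, neither sets `*uaddrlen` nor fails, the one-line change `int rc = -EBADF;` (with `rc = 0` only on the success path) closes that hole. The rest of llc_ui_getname is outside the hunk, so confirm against the full function before merging.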
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/netrom-fix-nr_getname-leak.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/netrom-fix-nr_getname-leak.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/netrom-fix-nr_getname-leak.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/netrom-fix-nr_getname-leak.patch)
@@ -0,0 +1,23 @@
+commit f6b97b29513950bfbf621a83d85b6f86b39ec8db
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Thu Aug 6 03:31:07 2009 +0000
+
+ netrom: Fix nr_getname() leak
+
+ nr_getname() can leak kernel memory to user.
+
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index ce51ce0..ce1a34b 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -847,6 +847,7 @@ static int nr_getname(struct socket *sock, struct sockaddr *uaddr,
+ sax->fsa_ax25.sax25_family = AF_NETROM;
+ sax->fsa_ax25.sax25_ndigis = 1;
+ sax->fsa_ax25.sax25_call = nr->user_addr;
++ memset(sax->fsa_digipeater, 0, sizeof(sax->fsa_digipeater));
+ sax->fsa_digipeater[0] = nr->dest_addr;
+ *uaddr_len = sizeof(struct full_sockaddr_ax25);
+ } else {
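Review bot: The new memset zeroes only fsa_digipeater, so any compiler padding inside `sax->fsa_ax25` (struct sockaddr_ax25 holds a 2-byte family, a 7-byte call and an int, which on most ABIs leaves pad bytes before sax25_ndigis — the header is not visible here, confirm) is still copied to user space with `*uaddr_len = sizeof(struct full_sockaddr_ax25)`. Zeroing the whole buffer at the top of the function, the shape the rose patch in this same upload uses, is safer: `memset(sax, 0, sizeof(*sax));` placed before the `if (peer != 0)` branch. The else branch of nr_getname lies outside the hunk and would be covered by that same memset.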
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd4-de-union-iattr-and-verf.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/nfsd4-de-union-iattr-and-verf.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd4-de-union-iattr-and-verf.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/nfsd4-de-union-iattr-and-verf.patch)
@@ -0,0 +1,29 @@
+un-union iattr & verf, from 79fb54abd285b442e1f30f851902f3ddf58e7704
+
+diff -urpN linux-source-2.6.26.orig/include/linux/nfsd/xdr4.h linux-source-2.6.26/include/linux/nfsd/xdr4.h
+--- linux-source-2.6.26.orig/include/linux/nfsd/xdr4.h 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/linux/nfsd/xdr4.h 2009-10-15 23:55:47.000000000 -0600
+@@ -207,10 +207,8 @@ struct nfsd4_open {
+ u32 op_create; /* request */
+ u32 op_createmode; /* request */
+ u32 op_bmval[2]; /* request */
+- union { /* request */
+- struct iattr iattr; /* UNCHECKED4,GUARDED4 */
+- nfs4_verifier verf; /* EXCLUSIVE4 */
+- } u;
++ struct iattr iattr; /* UNCHECKED4, GUARDED4, EXCLUSIVE4_1 */
++ nfs4_verifier verf; /* EXCLUSIVE4 */
+ clientid_t op_clientid; /* request */
+ struct xdr_netobj op_owner; /* request */
+ u32 op_seqid; /* request */
+@@ -224,8 +222,8 @@ struct nfsd4_open {
+ struct nfs4_stateowner *op_stateowner; /* used during processing */
+ struct nfs4_acl *op_acl;
+ };
+-#define op_iattr u.iattr
+-#define op_verf u.verf
++#define op_iattr iattr
++#define op_verf verf
+
+ struct nfsd4_open_confirm {
+ stateid_t oc_req_stateid /* request */;
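Review bot: With iattr and verf no longer sharing storage, the EXCLUSIVE4 path now depends on the XDR decoder (not in this hunk) initialising `iattr`, at least `ia_valid = 0`, before anything reads `op_iattr`; previously the verifier bytes overwrote it, now it is whatever the allocation held. Worth confirming nfsd4_decode_open clears it unconditionally rather than only in the UNCHECKED4/GUARDED4 arms. The patch header carries only an upstream hash; a one-line statement of the bug being fixed (what reads op_iattr on an exclusive create) would help whoever rebases it next, and the `EXCLUSIVE4_1` mention in the new comment refers to an NFSv4.1 create mode that this 2.6.26 tree presumably does not implement.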
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-use-hardware-auto-padding.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/r8169-use-hardware-auto-padding.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/r8169-use-hardware-auto-padding.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/r8169-use-hardware-auto-padding.patch)
@@ -0,0 +1,39 @@
+commit 97d477a914b146e7e6722ded21afa79886ae8ccd
+Author: françois romieu <romieu at fr.zoreil.com>
+Date: Sun Mar 15 01:09:54 2009 +0000
+
+ r8169: use hardware auto-padding.
+
+ It shortens the code and fixes the current pci_unmap leak with
+ padded skb reported by Dave Jones.
+
+ Signed-off-by: Francois Romieu <romieu at fr.zoreil.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/net/r8169.c linux-source-2.6.26/drivers/net/r8169.c
+--- linux-source-2.6.26.orig/drivers/net/r8169.c 2009-08-18 23:15:14.000000000 -0600
++++ linux-source-2.6.26/drivers/net/r8169.c 2009-10-16 16:21:15.000000000 -0600
+@@ -2565,13 +2565,6 @@ static int rtl8169_start_xmit(struct sk_
+ opts1 |= FirstFrag;
+ } else {
+ len = skb->len;
+-
+- if (unlikely(len < ETH_ZLEN)) {
+- if (skb_padto(skb, ETH_ZLEN))
+- goto err_update_stats;
+- len = ETH_ZLEN;
+- }
+-
+ opts1 |= FirstFrag | LastFrag;
+ tp->tx_skb[entry].skb = skb;
+ }
+@@ -2609,7 +2602,6 @@ out:
+ err_stop:
+ netif_stop_queue(dev);
+ ret = NETDEV_TX_BUSY;
+-err_update_stats:
+ dev->stats.tx_dropped++;
+ goto out;
+ }
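Review bot: After this change the non-fragmented path hands the chip an skb of `skb->len` bytes even when that is below ETH_ZLEN, and the only thing keeping undersized frames off the wire is the NIC's auto-padding, which nothing in the hunk enables or documents; a comment at `len = skb->len;` such as `/* frames shorter than ETH_ZLEN are padded by the hardware; no skb_padto() needed */` would record that assumption. The pad bytes now come from the device rather than from skb_padto()'s zeroed tail, so if any supported chip variant does not pad, or pads with stale FIFO contents, the pci_unmap leak would be traded for an information leak on the wire — worth a sentence in the Debian header about which RTL8169/8168/8101 variants this was verified on. Removing the `err_update_stats` label also assumes no other `goto err_update_stats` remains in rtl8169_start_xmit, whose body continues outside the hunk.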
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/rose-fix-rose_getname-leak.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/rose-fix-rose_getname-leak.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/rose-fix-rose_getname-leak.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/rose-fix-rose_getname-leak.patch)
@@ -0,0 +1,23 @@
+commit 17ac2e9c58b69a1e25460a568eae1b0dc0188c25
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Thu Aug 6 03:34:06 2009 +0000
+
+ rose: Fix rose_getname() leak
+
+ rose_getname() can leak kernel memory to user.
+
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index f0a76f6..e5f478c 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -954,6 +954,7 @@ static int rose_getname(struct socket *sock, struct sockaddr *uaddr,
+ struct rose_sock *rose = rose_sk(sk);
+ int n;
+
++ memset(srose, 0, sizeof(*srose));
+ if (peer != 0) {
+ if (sk->sk_state != TCP_ESTABLISHED)
+ return -ENOTCONN;
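Review bot: `memset(srose, 0, sizeof(*srose))` zeroes the whole copied-out region only if `srose` is declared as a `struct full_sockaddr_rose *`; its declaration sits above the hunk, and if it were the shorter `struct sockaddr_rose` the digipeater tail that the rest of rose_getname fills in would stay uninitialised. Confirm the declared type, or make the size explicit with `memset(srose, 0, sizeof(struct full_sockaddr_rose));` so the zeroed length matches the `*uaddr_len` the function reports. The remainder of rose_getname is outside the hunk.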
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/security-define-round_hint_to_min-when-CONFIG_SECURITY-is-off.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/security-define-round_hint_to_min-when-CONFIG_SECURITY-is-off.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/security-define-round_hint_to_min-when-CONFIG_SECURITY-is-off.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/security-define-round_hint_to_min-when-CONFIG_SECURITY-is-off.patch)
@@ -0,0 +1,63 @@
+commit 1d9959734a1949ea4f2427bd2d8b21ede6b2441c
+Author: Eric Paris <eparis at redhat.com>
+Date: Fri Aug 7 14:53:57 2009 -0400
+
+ security: define round_hint_to_min in !CONFIG_SECURITY
+
+ Fix the header files to define round_hint_to_min() and to define
+ mmap_min_addr_handler() in the !CONFIG_SECURITY case.
+
+ Built and tested with !CONFIG_SECURITY
+
+ Signed-off-by: Eric Paris <eparis at redhat.com>
+ Signed-off-by: James Morris <jmorris at namei.org>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/include/linux/security.h linux-source-2.6.26/include/linux/security.h
+--- linux-source-2.6.26.orig/include/linux/security.h 2009-09-30 09:21:57.000000000 -0600
++++ linux-source-2.6.26/include/linux/security.h 2009-09-30 10:08:42.000000000 -0600
+@@ -115,6 +115,21 @@ struct request_sock;
+ #define LSM_UNSAFE_PTRACE 2
+ #define LSM_UNSAFE_PTRACE_CAP 4
+
++/*
++ * If a hint addr is less than mmap_min_addr change hint to be as
++ * low as possible but still greater than mmap_min_addr
++ */
++static inline unsigned long round_hint_to_min(unsigned long hint)
++{
++ hint &= PAGE_MASK;
++ if (((void *)hint != NULL) &&
++ (hint < mmap_min_addr))
++ return PAGE_ALIGN(mmap_min_addr);
++ return hint;
++}
++extern int mmap_min_addr_handler(struct ctl_table *table, int write, struct file *filp,
++ void __user *buffer, size_t *lenp, loff_t *ppos);
++
+ #ifdef CONFIG_SECURITY
+
+ struct security_mnt_opts {
+@@ -143,21 +158,6 @@ static inline void security_free_mnt_opt
+ opts->num_mnt_opts = 0;
+ }
+
+-/*
+- * If a hint addr is less than mmap_min_addr change hint to be as
+- * low as possible but still greater than mmap_min_addr
+- */
+-static inline unsigned long round_hint_to_min(unsigned long hint)
+-{
+- hint &= PAGE_MASK;
+- if (((void *)hint != NULL) &&
+- (hint < mmap_min_addr))
+- return PAGE_ALIGN(mmap_min_addr);
+- return hint;
+-}
+-
+-extern int mmap_min_addr_handler(struct ctl_table *table, int write, struct file *filp,
+- void __user *buffer, size_t *lenp, loff_t *ppos);
+ /**
+ * struct security_operations - main security structure
+ *
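Review bot: The relocated round_hint_to_min still spells its "no hint" test as `((void *)hint != NULL)`, an unsigned long cast to a pointer just to compare with zero; `hint != 0` says the same thing without the cast, and the comment above the function should state why zero is exempt, e.g. `/* a zero hint presumably means "no preference"; only explicit low hints are raised above mmap_min_addr */`. Since the function now lives outside `#ifdef CONFIG_SECURITY`, the comment should also say that it applies to every build, which is the point of this patch and is otherwise only visible in the diff.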
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/security-seperate-lsm-specific-mmap_min_addr-abi.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/security-seperate-lsm-specific-mmap_min_addr-abi.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/security-seperate-lsm-specific-mmap_min_addr-abi.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/security-seperate-lsm-specific-mmap_min_addr-abi.patch)
@@ -0,0 +1,13 @@
+diff -urpN a/include/linux/security.h b/include/linux/security.h
+--- a/include/linux/security.h 2009-10-16 17:19:44.000000000 -0600
++++ b/include/linux/security.h 2009-10-16 17:23:16.000000000 -0600
+@@ -28,7 +28,9 @@
+ #include <linux/resource.h>
+ #include <linux/sem.h>
+ #include <linux/shm.h>
++#ifndef __GENKSYMS__
+ #include <linux/mm.h> /* PAGE_ALIGN */
++#endif
+ #include <linux/msg.h>
+ #include <linux/sched.h>
+ #include <linux/key.h>
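Review bot: Wrapping the `#include <linux/mm.h>` in `#ifndef __GENKSYMS__` hides the header from the symbol-version CRC computation, but the patch carries no explanation at all; a comment on the `#ifndef` line, e.g. `/* hidden from genksyms so the lenny module ABI checksums stay unchanged */`, would stop it being "cleaned up" later. The trade-off should also be stated: modversions will no longer notice if a type pulled in through mm.h and used in an exported prototype changes, so the out-of-tree-module safety net is weaker for exactly the declarations this series touches.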
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/security-seperate-lsm-specific-mmap_min_addr.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/security-seperate-lsm-specific-mmap_min_addr.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/security-seperate-lsm-specific-mmap_min_addr.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/security-seperate-lsm-specific-mmap_min_addr.patch)
@@ -0,0 +1,250 @@
+commit a2551df7ec568d87793d2eea4ca744e86318f205
+Author: Eric Paris <eparis at redhat.com>
+Date: Fri Jul 31 12:54:11 2009 -0400
+
+ Security/SELinux: seperate lsm specific mmap_min_addr
+
+ Currently SELinux enforcement of controls on the ability to map low memory
+ is determined by the mmap_min_addr tunable. This patch causes SELinux to
+ ignore the tunable and instead use a seperate Kconfig option specific to how
+ much space the LSM should protect.
+
+ The tunable will now only control the need for CAP_SYS_RAWIO and SELinux
+ permissions will always protect the amount of low memory designated by
+ CONFIG_LSM_MMAP_MIN_ADDR.
+
+ This allows users who need to disable the mmap_min_addr controls (usual reason
+ being they run WINE as a non-root user) to do so and still have SELinux
+ controls preventing confined domains (like a web server) from being able to
+ map some area of low memory.
+
+ Signed-off-by: Eric Paris <eparis at redhat.com>
+ Signed-off-by: James Morris <jmorris at namei.org>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/include/linux/mm.h linux-source-2.6.26/include/linux/mm.h
+--- linux-source-2.6.26.orig/include/linux/mm.h 2009-09-30 09:13:56.000000000 -0600
++++ linux-source-2.6.26/include/linux/mm.h 2009-09-30 09:21:57.000000000 -0600
+@@ -33,8 +33,6 @@ extern int sysctl_legacy_va_layout;
+ #define sysctl_legacy_va_layout 0
+ #endif
+
+-extern unsigned long mmap_min_addr;
+-
+ #include <asm/page.h>
+ #include <asm/pgtable.h>
+ #include <asm/processor.h>
+@@ -558,19 +556,6 @@ static inline void set_page_links(struct
+ }
+
+ /*
+- * If a hint addr is less than mmap_min_addr change hint to be as
+- * low as possible but still greater than mmap_min_addr
+- */
+-static inline unsigned long round_hint_to_min(unsigned long hint)
+-{
+- hint &= PAGE_MASK;
+- if (((void *)hint != NULL) &&
+- (hint < mmap_min_addr))
+- return PAGE_ALIGN(mmap_min_addr);
+- return hint;
+-}
+-
+-/*
+ * Some inline functions in vmstat.h depend on page_zone()
+ */
+ #include <linux/vmstat.h>
+diff -urpN linux-source-2.6.26.orig/include/linux/security.h linux-source-2.6.26/include/linux/security.h
+--- linux-source-2.6.26.orig/include/linux/security.h 2009-09-30 09:13:56.000000000 -0600
++++ linux-source-2.6.26/include/linux/security.h 2009-09-30 09:21:57.000000000 -0600
+@@ -28,6 +28,7 @@
+ #include <linux/resource.h>
+ #include <linux/sem.h>
+ #include <linux/shm.h>
++#include <linux/mm.h> /* PAGE_ALIGN */
+ #include <linux/msg.h>
+ #include <linux/sched.h>
+ #include <linux/key.h>
+@@ -84,6 +88,7 @@ extern int cap_netlink_send(struct sock
+ extern int cap_netlink_recv(struct sk_buff *skb, int cap);
+
+ extern unsigned long mmap_min_addr;
++extern unsigned long dac_mmap_min_addr;
+ /*
+ * Values used in the task_security_ops calls
+ */
+@@ -138,6 +143,21 @@ static inline void security_free_mnt_opt
+ opts->num_mnt_opts = 0;
+ }
+
++/*
++ * If a hint addr is less than mmap_min_addr change hint to be as
++ * low as possible but still greater than mmap_min_addr
++ */
++static inline unsigned long round_hint_to_min(unsigned long hint)
++{
++ hint &= PAGE_MASK;
++ if (((void *)hint != NULL) &&
++ (hint < mmap_min_addr))
++ return PAGE_ALIGN(mmap_min_addr);
++ return hint;
++}
++
++extern int mmap_min_addr_handler(struct ctl_table *table, int write, struct file *filp,
++ void __user *buffer, size_t *lenp, loff_t *ppos);
+ /**
+ * struct security_operations - main security structure
+ *
+diff -urpN linux-source-2.6.26.orig/kernel/sysctl.c linux-source-2.6.26/kernel/sysctl.c
+--- linux-source-2.6.26.orig/kernel/sysctl.c 2009-09-30 09:13:56.000000000 -0600
++++ linux-source-2.6.26/kernel/sysctl.c 2009-09-30 09:21:57.000000000 -0600
+@@ -1096,10 +1096,10 @@ static struct ctl_table vm_table[] = {
+ {
+ .ctl_name = CTL_UNNUMBERED,
+ .procname = "mmap_min_addr",
+- .data = &mmap_min_addr,
+- .maxlen = sizeof(unsigned long),
++ .data = &dac_mmap_min_addr,
++ .maxlen = sizeof(unsigned long),
+ .mode = 0644,
+- .proc_handler = &proc_doulongvec_minmax,
++ .proc_handler = &mmap_min_addr_handler,
+ },
+ #ifdef CONFIG_NUMA
+ {
+diff -urpN linux-source-2.6.26.orig/mm/Kconfig linux-source-2.6.26/mm/Kconfig
+--- linux-source-2.6.26.orig/mm/Kconfig 2009-09-30 09:13:56.000000000 -0600
++++ linux-source-2.6.26/mm/Kconfig 2009-09-30 09:21:57.000000000 -0600
+@@ -217,9 +217,9 @@ config DEFAULT_MMAP_MIN_ADDR
+ For most ia64, ppc64 and x86 users with lots of address space
+ a value of 65536 is reasonable and should cause no problems.
+ On arm and other archs it should not be higher than 32768.
+- Programs which use vm86 functionality would either need additional
+- permissions from either the LSM or the capabilities module or have
+- this protection disabled.
++ Programs which use vm86 functionality or have some need to map
++ this low address space will need CAP_SYS_RAWIO or disable this
++ protection by setting the value to 0.
+
+ This value can be changed after boot using the
+ /proc/sys/vm/mmap_min_addr tunable.
+diff -urpN linux-source-2.6.26.orig/mm/mmap.c linux-source-2.6.26/mm/mmap.c
+--- linux-source-2.6.26.orig/mm/mmap.c 2009-09-30 09:13:56.000000000 -0600
++++ linux-source-2.6.26/mm/mmap.c 2009-09-30 09:21:57.000000000 -0600
+@@ -82,9 +82,6 @@ int sysctl_overcommit_ratio = 50; /* def
+ int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
+ atomic_long_t vm_committed_space = ATOMIC_LONG_INIT(0);
+
+-/* amount of vm to protect from userspace access */
+-unsigned long mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
+-
+ /*
+ * Check that a process has enough memory to allocate a new virtual
+ * mapping. 0 means there is enough memory for the allocation to
+diff -urpN linux-source-2.6.26.orig/security/Kconfig linux-source-2.6.26/security/Kconfig
+--- linux-source-2.6.26.orig/security/Kconfig 2009-09-30 09:13:56.000000000 -0600
++++ linux-source-2.6.26/security/Kconfig 2009-09-30 09:21:57.000000000 -0600
+@@ -104,6 +104,22 @@ config SECURITY_ROOTPLUG
+
+ If you are unsure how to answer this question, answer N.
+
++config LSM_MMAP_MIN_ADDR
++ int "Low address space for LSM to from user allocation"
++ depends on SECURITY && SECURITY_SELINUX
++ default 65535
++ help
++ This is the portion of low virtual memory which should be protected
++ from userspace allocation. Keeping a user from writing to low pages
++ can help reduce the impact of kernel NULL pointer bugs.
++
++ For most ia64, ppc64 and x86 users with lots of address space
++ a value of 65536 is reasonable and should cause no problems.
++ On arm and other archs it should not be higher than 32768.
++ Programs which use vm86 functionality or have some need to map
++ this low address space will need the permission specific to the
++ systems running LSM.
++
+ source security/selinux/Kconfig
+ source security/smack/Kconfig
+
+diff -urpN linux-source-2.6.26.orig/security/Makefile linux-source-2.6.26/security/Makefile
+--- linux-source-2.6.26.orig/security/Makefile 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/security/Makefile 2009-09-30 09:33:07.000000000 -0600
+@@ -6,10 +6,7 @@ obj-$(CONFIG_KEYS) += keys/
+ subdir-$(CONFIG_SECURITY_SELINUX) += selinux
+ subdir-$(CONFIG_SECURITY_SMACK) += smack
+
+-# if we don't select a security model, use the default capabilities
+-ifneq ($(CONFIG_SECURITY),y)
+-obj-y += commoncap.o
+-endif
++obj-y += commoncap.o min_addr.o # Is it ok to enable commoncap when CONFIG_SECURITY=y? have to now that we moved cap_file_mmap there
+
+ # Object file lists
+ obj-$(CONFIG_SECURITY) += security.o dummy.o inode.o
+diff -urpN linux-source-2.6.26.orig/security/min_addr.c linux-source-2.6.26/security/min_addr.c
+--- linux-source-2.6.26.orig/security/min_addr.c 1969-12-31 17:00:00.000000000 -0700
++++ linux-source-2.6.26/security/min_addr.c 2009-09-30 09:21:57.000000000 -0600
+@@ -0,0 +1,49 @@
++#include <linux/init.h>
++#include <linux/mm.h>
++#include <linux/security.h>
++#include <linux/sysctl.h>
++
++/* amount of vm to protect from userspace access by both DAC and the LSM*/
++unsigned long mmap_min_addr;
++/* amount of vm to protect from userspace using CAP_SYS_RAWIO (DAC) */
++unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
++/* amount of vm to protect from userspace using the LSM = CONFIG_LSM_MMAP_MIN_ADDR */
++
++/*
++ * Update mmap_min_addr = max(dac_mmap_min_addr, CONFIG_LSM_MMAP_MIN_ADDR)
++ */
++static void update_mmap_min_addr(void)
++{
++#ifdef CONFIG_LSM_MMAP_MIN_ADDR
++ if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
++ mmap_min_addr = dac_mmap_min_addr;
++ else
++ mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;
++#else
++ mmap_min_addr = dac_mmap_min_addr;
++#endif
++}
++
++/*
++ * sysctl handler which just sets dac_mmap_min_addr = the new value and then
++ * calls update_mmap_min_addr() so non MAP_FIXED hints get rounded properly
++ */
++int mmap_min_addr_handler(struct ctl_table *table, int write, struct file *filp,
++ void __user *buffer, size_t *lenp, loff_t *ppos)
++{
++ int ret;
++
++ ret = proc_doulongvec_minmax(table, write, filp, buffer, lenp, ppos);
++
++ update_mmap_min_addr();
++
++ return ret;
++}
++
++int __init init_mmap_min_addr(void)
++{
++ update_mmap_min_addr();
++
++ return 0;
++}
++pure_initcall(init_mmap_min_addr);
+diff -urpN linux-source-2.6.26.orig/security/selinux/hooks.c linux-source-2.6.26/security/selinux/hooks.c
+--- linux-source-2.6.26.orig/security/selinux/hooks.c 2009-09-30 09:14:01.000000000 -0600
++++ linux-source-2.6.26/security/selinux/hooks.c 2009-09-30 09:21:57.000000000 -0600
+@@ -2951,7 +2951,7 @@ static int selinux_file_mmap(struct file
+ * at bad behaviour/exploit that we always want to get the AVC, even
+ * if DAC would have also denied the operation.
+ */
+- if (addr < mmap_min_addr) {
++ if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
+ rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
+ MEMPROTECT__MMAP_ZERO, NULL);
+ if (rc)
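Review bot: mmap_min_addr_handler in the new security/min_addr.c accepts any writer that passes the 0644 file mode, so a root task without CAP_SYS_RAWIO — the very caller the DAC side of this patch is meant to keep out of low memory — can instead lower `dac_mmap_min_addr` through /proc/sys/vm/mmap_min_addr; a guard at the top of the handler, `if (write && !capable(CAP_SYS_RAWIO)) return -EPERM;`, ties the two together. The Makefile line leaves an open question in a comment ("Is it ok to enable commoncap when CONFIG_SECURITY=y?") that should be answered in the patch header and replaced by a statement of why commoncap.o is now unconditional. In security/Kconfig the prompt reads "to from user allocation", the default of 65535 disagrees with the help text's 65536 (harmless for page-aligned addresses, but confusing), and since selinux_file_mmap now compares against the CONFIG_LSM_MMAP_MIN_ADDR constant the LSM threshold cannot be changed without a rebuild — worth saying in the help text.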
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/security-use-mmap_min_addr-independently-of-security-models.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/security-use-mmap_min_addr-independently-of-security-models.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/security-use-mmap_min_addr-independently-of-security-models.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/security-use-mmap_min_addr-independently-of-security-models.patch)
@@ -0,0 +1,152 @@
+commit e0a94c2a63f2644826069044649669b5e7ca75d3
+Author: Christoph Lameter <cl at linux-foundation.org>
+Date: Wed Jun 3 16:04:31 2009 -0400
+
+ security: use mmap_min_addr indepedently of security models
+
+ This patch removes the dependency of mmap_min_addr on CONFIG_SECURITY.
+ It also sets a default mmap_min_addr of 4096.
+
+ mmapping of addresses below 4096 will only be possible for processes
+ with CAP_SYS_RAWIO.
+
+ Signed-off-by: Christoph Lameter <cl at linux-foundation.org>
+ Acked-by: Eric Paris <eparis at redhat.com>
+ Looks-ok-by: Linus Torvalds <torvalds at linux-foundation.org>
+ Signed-off-by: James Morris <jmorris at namei.org>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/include/linux/mm.h linux-source-2.6.26/include/linux/mm.h
+--- linux-source-2.6.26.orig/include/linux/mm.h 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/linux/mm.h 2009-09-29 23:26:05.000000000 -0600
+@@ -563,12 +563,10 @@ static inline void set_page_links(struct
+ */
+ static inline unsigned long round_hint_to_min(unsigned long hint)
+ {
+-#ifdef CONFIG_SECURITY
+ hint &= PAGE_MASK;
+ if (((void *)hint != NULL) &&
+ (hint < mmap_min_addr))
+ return PAGE_ALIGN(mmap_min_addr);
+-#endif
+ return hint;
+ }
+
+diff -urpN linux-source-2.6.26.orig/include/linux/security.h linux-source-2.6.26/include/linux/security.h
+--- linux-source-2.6.26.orig/include/linux/security.h 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/linux/security.h 2009-09-29 23:26:05.000000000 -0600
+@@ -2135,6 +2135,8 @@ static inline int security_file_mmap(str
+ unsigned long addr,
+ unsigned long addr_only)
+ {
++ if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
++ return -EACCES;
+ return 0;
+ }
+
+diff -urpN linux-source-2.6.26.orig/kernel/sysctl.c linux-source-2.6.26/kernel/sysctl.c
+--- linux-source-2.6.26.orig/kernel/sysctl.c 2009-08-18 23:15:11.000000000 -0600
++++ linux-source-2.6.26/kernel/sysctl.c 2009-09-29 23:26:05.000000000 -0600
+@@ -1093,7 +1093,6 @@ static struct ctl_table vm_table[] = {
+ .strategy = &sysctl_jiffies,
+ },
+ #endif
+-#ifdef CONFIG_SECURITY
+ {
+ .ctl_name = CTL_UNNUMBERED,
+ .procname = "mmap_min_addr",
+@@ -1102,7 +1101,6 @@ static struct ctl_table vm_table[] = {
+ .mode = 0644,
+ .proc_handler = &proc_doulongvec_minmax,
+ },
+-#endif
+ #ifdef CONFIG_NUMA
+ {
+ .ctl_name = CTL_UNNUMBERED,
+diff -urpN linux-source-2.6.26.orig/mm/Kconfig linux-source-2.6.26/mm/Kconfig
+--- linux-source-2.6.26.orig/mm/Kconfig 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/mm/Kconfig 2009-09-29 23:28:51.000000000 -0600
+@@ -205,3 +205,23 @@ config NR_QUICK
+ config VIRT_TO_BUS
+ def_bool y
+ depends on !ARCH_NO_VIRT_TO_BUS
++
++config DEFAULT_MMAP_MIN_ADDR
++ int "Low address space to protect from user allocation"
++ default 4096
++ help
++ This is the portion of low virtual memory which should be protected
++ from userspace allocation. Keeping a user from writing to low pages
++ can help reduce the impact of kernel NULL pointer bugs.
++
++ For most ia64, ppc64 and x86 users with lots of address space
++ a value of 65536 is reasonable and should cause no problems.
++ On arm and other archs it should not be higher than 32768.
++ Programs which use vm86 functionality would either need additional
++ permissions from either the LSM or the capabilities module or have
++ this protection disabled.
++
++ This value can be changed after boot using the
++ /proc/sys/vm/mmap_min_addr tunable.
++
++
+diff -urpN linux-source-2.6.26.orig/mm/mmap.c linux-source-2.6.26/mm/mmap.c
+--- linux-source-2.6.26.orig/mm/mmap.c 2009-08-18 23:15:11.000000000 -0600
++++ linux-source-2.6.26/mm/mmap.c 2009-09-29 23:26:05.000000000 -0600
+@@ -82,6 +82,9 @@ int sysctl_overcommit_ratio = 50; /* def
+ int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
+ atomic_long_t vm_committed_space = ATOMIC_LONG_INIT(0);
+
++/* amount of vm to protect from userspace access */
++unsigned long mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
++
+ /*
+ * Check that a process has enough memory to allocate a new virtual
+ * mapping. 0 means there is enough memory for the allocation to
+diff -urpN linux-source-2.6.26.orig/security/Kconfig linux-source-2.6.26/security/Kconfig
+--- linux-source-2.6.26.orig/security/Kconfig 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/security/Kconfig 2009-09-29 23:26:05.000000000 -0600
+@@ -101,28 +101,8 @@ config SECURITY_ROOTPLUG
+
+ See <http://www.linuxjournal.com/article.php?sid=6279> for
+ more information about this module.
+-
+- If you are unsure how to answer this question, answer N.
+-
+-config SECURITY_DEFAULT_MMAP_MIN_ADDR
+- int "Low address space to protect from user allocation"
+- depends on SECURITY
+- default 0
+- help
+- This is the portion of low virtual memory which should be protected
+- from userspace allocation. Keeping a user from writing to low pages
+- can help reduce the impact of kernel NULL pointer bugs.
+-
+- For most ia64, ppc64 and x86 users with lots of address space
+- a value of 65536 is reasonable and should cause no problems.
+- On arm and other archs it should not be higher than 32768.
+- Programs which use vm86 functionality would either need additional
+- permissions from either the LSM or the capabilities module or have
+- this protection disabled.
+-
+- This value can be changed after boot using the
+- /proc/sys/vm/mmap_min_addr tunable.
+
++ If you are unsure how to answer this question, answer N.
+
+ source security/selinux/Kconfig
+ source security/smack/Kconfig
+diff -urpN linux-source-2.6.26.orig/security/security.c linux-source-2.6.26/security/security.c
+--- linux-source-2.6.26.orig/security/security.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/security/security.c 2009-09-29 23:26:05.000000000 -0600
+@@ -26,9 +26,6 @@ extern void security_fixup_ops(struct se
+
+ struct security_operations *security_ops; /* Initialized to NULL */
+
+-/* amount of vm to protect from userspace access */
+-unsigned long mmap_min_addr = CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR;
+-
+ static inline int verify(struct security_operations *ops)
+ {
+ /* verify the security_operations structure exists */
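Review bot: The new inline `security_file_mmap` stub for !CONFIG_SECURITY denies low mappings with `-EACCES` unless the caller has CAP_SYS_RAWIO, but carries no comment, and it is the only non-trivial line in an otherwise no-op function; a line such as `/* even without an LSM, keep pages below mmap_min_addr unmappable without CAP_SYS_RAWIO (NULL-deref hardening) */` makes the intent visible to a reader of the header. The Kconfig default of 4096 protects only the first page while the help text in the same hunk recommends 65536 on x86, so whether lenny's configs override the default should be confirmed rather than assumed.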
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/selinux-call-cap_file_mmap-in-selinux_file_mmap.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/selinux-call-cap_file_mmap-in-selinux_file_mmap.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/selinux-call-cap_file_mmap-in-selinux_file_mmap.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/all/selinux-call-cap_file_mmap-in-selinux_file_mmap.patch)
@@ -0,0 +1,44 @@
+commit 8cf948e744e0218af604c32edecde10006dc8e9e
+Author: Eric Paris <eparis at redhat.com>
+Date: Fri Jul 31 12:54:05 2009 -0400
+
+ SELinux: call cap_file_mmap in selinux_file_mmap
+
+ Currently SELinux does not check CAP_SYS_RAWIO in the file_mmap hook. This
+ means there is no DAC check on the ability to mmap low addresses in the
+ memory space. This function adds the DAC check for CAP_SYS_RAWIO while
+ maintaining the selinux check on mmap_zero. This means that processes
+ which need to mmap low memory will need CAP_SYS_RAWIO and mmap_zero but will
+ NOT need the SELinux sys_rawio capability.
+
+ Signed-off-by: Eric Paris <eparis at redhat.com>
+ Signed-off-by: James Morris <jmorris at namei.org>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/security/selinux/hooks.c linux-source-2.6.26/security/selinux/hooks.c
+--- linux-source-2.6.26.orig/security/selinux/hooks.c 2009-08-18 23:15:14.000000000 -0600
++++ linux-source-2.6.26/security/selinux/hooks.c 2009-09-29 23:38:01.000000000 -0600
+@@ -2945,9 +2945,21 @@ static int selinux_file_mmap(struct file
+ int rc = 0;
+ u32 sid = ((struct task_security_struct *)(current->security))->sid;
+
+- if (addr < mmap_min_addr)
++ /*
++ * notice that we are intentionally putting the SELinux check before
++ * the secondary cap_file_mmap check. This is such a likely attempt
++ * at bad behaviour/exploit that we always want to get the AVC, even
++ * if DAC would have also denied the operation.
++ */
++ if (addr < mmap_min_addr) {
+ rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
+ MEMPROTECT__MMAP_ZERO, NULL);
++ if (rc)
++ return rc;
++ }
++
++ /* do DAC check on address space usage */
++ rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
+ if (rc || addr_only)
+ return rc;
+
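Review bot: selinux_file_mmap now calls cap_file_mmap, but from the Makefile lines visible elsewhere in this upload commoncap.o was previously built only under `ifneq ($(CONFIG_SECURITY),y)` (plus whatever lines are not shown), so this patch depends on the Makefile change and the capabilities move being applied first; that ordering should be stated in the "Adjusted to apply" header so the series cannot be reordered or partially reverted into a link failure. The new comment explains why the AVC check precedes the DAC check; it could add that a policy denial returns before the capability test runs at all. The remainder of selinux_file_mmap is outside the hunk.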
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/x86/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/x86/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch)
@@ -0,0 +1,103 @@
+From cebbert at redhat.com Fri Oct 9 15:37:09 2009
+From: Jan Beulich <JBeulich at novell.com>
+Date: Wed, 7 Oct 2009 17:34:09 -0400
+Subject: x86: Don't leak 64-bit kernel register values to 32-bit processes
+To: stable at kernel.org
+Cc: Jan Beulich <jbeulich at novell.com>
+Message-ID: <20091007173409.2d4978d9 at katamari.usersys.redhat.com>
+
+From: Jan Beulich <JBeulich at novell.com>
+
+commit 24e35800cdc4350fc34e2bed37b608a9e13ab3b6 upstream
+
+x86: Don't leak 64-bit kernel register values to 32-bit processes
+
+While 32-bit processes can't directly access R8...R15, they can
+gain access to these registers by temporarily switching themselves
+into 64-bit mode.
+
+Therefore, registers not preserved anyway by called C functions
+(i.e. R8...R11) must be cleared prior to returning to user mode.
+
+Signed-off-by: Jan Beulich <jbeulich at novell.com>
+LKML-Reference: <4AC34D73020000780001744A at vpn.id2.novell.com>
+Signed-off-by: Ingo Molnar <mingo at elte.hu>
+Cc: Chuck Ebbert <cebbert at redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ arch/x86/ia32/ia32entry.S | 36 +++++++++++++++++++++++-------------
+ 1 file changed, 23 insertions(+), 13 deletions(-)
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/ia32/ia32entry.S linux-source-2.6.26/arch/x86/ia32/ia32entry.S
+--- linux-source-2.6.26.orig/arch/x86/ia32/ia32entry.S 2009-10-15 22:15:48.000000000 -0600
++++ linux-source-2.6.26/arch/x86/ia32/ia32entry.S 2009-10-15 23:03:06.000000000 -0600
+@@ -29,12 +29,12 @@
+ .endm
+
+ /* clobbers %eax */
+- .macro CLEAR_RREGS _r9=rax
++ .macro CLEAR_RREGS offset=0, _r9=rax
+ xorl %eax,%eax
+- movq %rax,R11(%rsp)
+- movq %rax,R10(%rsp)
+- movq %\_r9,R9(%rsp)
+- movq %rax,R8(%rsp)
++ movq %rax,\offset+R11(%rsp)
++ movq %rax,\offset+R10(%rsp)
++ movq %\_r9,\offset+R9(%rsp)
++ movq %rax,\offset+R8(%rsp)
+ .endm
+
+ .macro LOAD_ARGS32 offset, _r9=0
+@@ -143,6 +143,10 @@ sysenter_do_call:
+ movl RIP-R11(%rsp),%edx /* User %eip */
+ CFI_REGISTER rip,rdx
+ RESTORE_ARGS 1,24,1,1,1,1
++ xorq %r8,%r8
++ xorq %r9,%r9
++ xorq %r10,%r10
++ xorq %r11,%r11
+ popfq
+ CFI_ADJUST_CFA_OFFSET -8
+ /*CFI_RESTORE rflags*/
+@@ -247,6 +251,9 @@ cstar_do_call:
+ CFI_REGISTER rip,rcx
+ movl EFLAGS-ARGOFFSET(%rsp),%r11d
+ /*CFI_REGISTER rflags,r11*/
++ xorq %r10,%r10
++ xorq %r9,%r9
++ xorq %r8,%r8
+ TRACE_IRQS_ON
+ movl RSP-ARGOFFSET(%rsp),%esp
+ CFI_RESTORE rsp
+@@ -257,7 +264,7 @@ cstar_tracesys:
+ CFI_RESTORE_STATE
+ xchgl %r9d,%ebp
+ SAVE_REST
+- CLEAR_RREGS r9
++ CLEAR_RREGS 0, r9
+ movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
+ movq %rsp,%rdi /* &pt_regs -> arg1 */
+ call syscall_trace_enter
+@@ -328,6 +335,7 @@ ia32_do_call:
+ call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
+ ia32_sysret:
+ movq %rax,RAX-ARGOFFSET(%rsp)
++ CLEAR_RREGS -ARGOFFSET
+ jmp int_ret_from_sys_call
+
+ ia32_tracesys:
+@@ -345,8 +353,8 @@ END(ia32_syscall)
+
+ ia32_badsys:
+ movq $0,ORIG_RAX-ARGOFFSET(%rsp)
+- movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
+- jmp int_ret_from_sys_call
++ movq $-ENOSYS,%rax
++ jmp ia32_sysret
+
+ quiet_ni_syscall:
+ movq $-ENOSYS,%rax
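Review bot: The four `xorq` clears added after `RESTORE_ARGS` in the sysenter exit path, and the three in the cstar path, carry no comment saying why they exist or that they must stay after the last instruction that could reload those registers. I would put `/* clear r8-r11 before returning: a 32-bit task can read them by switching to 64-bit mode */` above the first `xorq %r8,%r8`, and in the cstar hunk `/* r11 intentionally kept: it carries EFLAGS for sysretl */`, since `movl EFLAGS-ARGOFFSET(%rsp),%r11d` is visible just above and a reader may otherwise think r11 was missed. The `CLEAR_RREGS -ARGOFFSET` at ia32_sysret also depends on ordering: the macro clobbers %eax per its header comment, so it must stay below `movq %rax,RAX-ARGOFFSET(%rsp)`, and a one-line comment there would protect that. The enclosing ENTRY bodies start and end outside these hunks.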
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-disallow-hypercalls-for-guest-callers-in-rings-gt-0.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/x86/kvm-disallow-hypercalls-for-guest-callers-in-rings-gt-0.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-disallow-hypercalls-for-guest-callers-in-rings-gt-0.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/x86/kvm-disallow-hypercalls-for-guest-callers-in-rings-gt-0.patch)
@@ -0,0 +1,55 @@
+commit 07708c4af1346ab1521b26a202f438366b7bcffd
+Author: Jan Kiszka <jan.kiszka at siemens.com>
+Date: Mon Aug 3 18:43:28 2009 +0200
+
+ KVM: x86: Disallow hypercalls for guest callers in rings > 0
+
+ So far unprivileged guest callers running in ring 3 can issue, e.g., MMU
+ hypercalls. Normally, such callers cannot provide any hand-crafted MMU
+ command structure as it has to be passed by its physical address, but
+ they can still crash the guest kernel by passing random addresses.
+
+ To close the hole, this patch considers hypercalls valid only if issued
+ from guest ring 0. This may still be relaxed on a per-hypercall base in
+ the future once required.
+
+ Cc: stable at kernel.org
+ Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
+ Signed-off-by: Avi Kivity <avi at redhat.com>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/kvm/x86.c linux-source-2.6.26/arch/x86/kvm/x86.c
+--- linux-source-2.6.26.orig/arch/x86/kvm/x86.c 2009-08-18 23:15:14.000000000 -0600
++++ linux-source-2.6.26/arch/x86/kvm/x86.c 2009-09-24 11:40:09.000000000 -0600
+@@ -2532,6 +2532,11 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ a3 &= 0xFFFFFFFF;
+ }
+
++ if (kvm_x86_ops->get_cpl(vcpu) != 0) {
++ ret = -KVM_EPERM;
++ goto out;
++ }
++
+ switch (nr) {
+ case KVM_HC_VAPIC_POLL_IRQ:
+ ret = 0;
+@@ -2543,6 +2548,7 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ ret = -KVM_ENOSYS;
+ break;
+ }
++out:
+ vcpu->arch.regs[VCPU_REGS_RAX] = ret;
+ kvm_x86_ops->decache_regs(vcpu);
+ ++vcpu->stat.hypercalls;
+diff -urpN linux-source-2.6.26.orig/include/linux/kvm_para.h linux-source-2.6.26/include/linux/kvm_para.h
+--- linux-source-2.6.26.orig/include/linux/kvm_para.h 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/linux/kvm_para.h 2009-09-24 11:37:19.000000000 -0600
+@@ -13,6 +13,7 @@
+ #define KVM_ENOSYS 1000
+ #define KVM_EFAULT EFAULT
+ #define KVM_E2BIG E2BIG
++#define KVM_EPERM EPERM
+
+ #define KVM_HC_VAPIC_POLL_IRQ 1
+ #define KVM_HC_MMU_OP 2
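Review bot: The new CPL test in kvm_emulate_hypercall jumps to `out:` after the switch, so a rejected ring>0 hypercall still runs `++vcpu->stat.hypercalls` and is indistinguishable in that counter from an honoured one; the upstream commit keeps it this way, so I would leave the count but document it rather than change it. I would add `/* only guest ring 0 may issue hypercalls; see commit 07708c4a */` above the `get_cpl` test so the backport's intent survives later edits. The check sits after the 32-bit argument masking, which appears harmless since the masked values are not used before `out:`. kvm_emulate_hypercall starts and ends outside the hunk.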
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/x86/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/bugfix/x86/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch)
@@ -0,0 +1,122 @@
+From cebbert at redhat.com Fri Oct 9 15:36:28 2009
+From: Jan Beulich <jbeulich at novell.com>
+Date: Wed, 7 Oct 2009 17:33:08 -0400
+Subject: x86-64: slightly stream-line 32-bit syscall entry code
+To: stable at kernel.org
+Cc: Jan Beulich <jbeulich at novell.com>
+Message-ID: <20091007173308.1e56746f at katamari.usersys.redhat.com>
+
+From: Jan Beulich <jbeulich at novell.com>
+
+commit 295286a89107c353b9677bc604361c537fd6a1c0 upstream
+
+x86-64: slightly stream-line 32-bit syscall entry code
+
+[ required for following patch to apply properly ]
+
+Avoid updating registers or memory twice as well as needlessly loading
+or copying registers.
+
+Signed-off-by: Jan Beulich <jbeulich at novell.com>
+Signed-off-by: Ingo Molnar <mingo at elte.hu>
+Cc: Chuck Ebbert <cebbert at redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ arch/x86/ia32/ia32entry.S | 26 ++++++++++----------------
+ 1 file changed, 10 insertions(+), 16 deletions(-)
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/ia32/ia32entry.S linux-source-2.6.26/arch/x86/ia32/ia32entry.S
+--- linux-source-2.6.26.orig/arch/x86/ia32/ia32entry.S 2009-08-18 23:15:13.000000000 -0600
++++ linux-source-2.6.26/arch/x86/ia32/ia32entry.S 2009-10-15 22:15:48.000000000 -0600
+@@ -29,19 +29,18 @@
+ .endm
+
+ /* clobbers %eax */
+- .macro CLEAR_RREGS
++ .macro CLEAR_RREGS _r9=rax
+ xorl %eax,%eax
+ movq %rax,R11(%rsp)
+ movq %rax,R10(%rsp)
+- movq %rax,R9(%rsp)
++ movq %\_r9,R9(%rsp)
+ movq %rax,R8(%rsp)
+ .endm
+
+- .macro LOAD_ARGS32 offset
+- movl \offset(%rsp),%r11d
+- movl \offset+8(%rsp),%r10d
++ .macro LOAD_ARGS32 offset, _r9=0
++ .if \_r9
+ movl \offset+16(%rsp),%r9d
+- movl \offset+24(%rsp),%r8d
++ .endif
+ movl \offset+40(%rsp),%ecx
+ movl \offset+48(%rsp),%edx
+ movl \offset+56(%rsp),%esi
+@@ -118,7 +117,7 @@ ENTRY(ia32_sysenter_target)
+ SAVE_ARGS 0,0,1
+ /* no need to do an access_ok check here because rbp has been
+ 32bit zero extended */
+-1: movl (%rbp),%r9d
++1: movl (%rbp),%ebp
+ .section __ex_table,"a"
+ .quad 1b,ia32_badarg
+ .previous
+@@ -130,7 +129,7 @@ ENTRY(ia32_sysenter_target)
+ sysenter_do_call:
+ cmpl $(IA32_NR_syscalls-1),%eax
+ ja ia32_badsys
+- IA32_ARG_FIXUP 1
++ IA32_ARG_FIXUP
+ call *ia32_sys_call_table(,%rax,8)
+ movq %rax,RAX-ARGOFFSET(%rsp)
+ GET_THREAD_INFO(%r10)
+@@ -158,16 +157,13 @@ sysenter_do_call:
+
+ sysenter_tracesys:
+ CFI_RESTORE_STATE
+- xchgl %r9d,%ebp
+ SAVE_REST
+ CLEAR_RREGS
+- movq %r9,R9(%rsp)
+ movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
+ movq %rsp,%rdi /* &pt_regs -> arg1 */
+ call syscall_trace_enter
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
+ RESTORE_REST
+- xchgl %ebp,%r9d
+ cmpl $(IA32_NR_syscalls-1),%eax
+ ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
+ jmp sysenter_do_call
+@@ -234,9 +230,9 @@ ENTRY(ia32_cstar_target)
+ testl $(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SECCOMP),threadinfo_flags(%r10)
+ CFI_REMEMBER_STATE
+ jnz cstar_tracesys
+-cstar_do_call:
+ cmpl $IA32_NR_syscalls-1,%eax
+ ja ia32_badsys
++cstar_do_call:
+ IA32_ARG_FIXUP 1
+ call *ia32_sys_call_table(,%rax,8)
+ movq %rax,RAX-ARGOFFSET(%rsp)
+@@ -261,15 +257,13 @@ cstar_tracesys:
+ CFI_RESTORE_STATE
+ xchgl %r9d,%ebp
+ SAVE_REST
+- CLEAR_RREGS
+- movq %r9,R9(%rsp)
++ CLEAR_RREGS r9
+ movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
+ movq %rsp,%rdi /* &pt_regs -> arg1 */
+ call syscall_trace_enter
+- LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
++ LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
+ RESTORE_REST
+ xchgl %ebp,%r9d
+- movl RSP-ARGOFFSET(%rsp), %r8d
+ cmpl $(IA32_NR_syscalls-1),%eax
+ ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
+ jmp cstar_do_call
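Review bot: Moving the `cstar_do_call:` label below `ja ia32_badsys` means the label is now only safe to jump to once %eax has been range-checked, and the hunk relies on cstar_tracesys doing its own `cmpl`/`ja int_ret_from_sys_call` before `jmp cstar_do_call` (visible at the end of the last hunk) because ptrace may have changed %eax. I would add `/* %eax must already be range-checked: it indexes ia32_sys_call_table below */` at the label so a future caller does not jump there unchecked. The `_r9` flag added to LOAD_ARGS32 also deserves a comment, e.g. `/* _r9: also reload %r9d; the cstar path appears to keep arg6 there */`, since the sysenter path now carries that value in %ebp after `movl (%rbp),%ebp` and calls the macro without the flag. The macro and ENTRY bodies extend outside the hunks.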
Copied: dists/lenny/linux-2.6/debian/patches/series/19lenny1 (from r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/series/19lenny1)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/19lenny1 Mon Oct 19 19:12:32 2009 (r14413, copy of r14412, releases/linux-2.6/2.6.26-19lenny1/debian/patches/series/19lenny1)
@@ -0,0 +1,21 @@
++ bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch
++ bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch
++ bugfix/x86/kvm-disallow-hypercalls-for-guest-callers-in-rings-gt-0.patch
++ bugfix/all/security-use-mmap_min_addr-independently-of-security-models.patch
++ bugfix/all/selinux-call-cap_file_mmap-in-selinux_file_mmap.patch
++ bugfix/all/capabilities-move-cap_file_mmap-to-commoncap.c.patch
++ bugfix/all/security-seperate-lsm-specific-mmap_min_addr.patch
++ bugfix/all/security-seperate-lsm-specific-mmap_min_addr-abi.patch
++ bugfix/all/security-define-round_hint_to_min-when-CONFIG_SECURITY-is-off.patch
++ bugfix/all/net-llc-zero-sockaddr_llc-struct.patch
++ bugfix/all/irda-fix-irda_getname-leak.patch
++ bugfix/all/rose-fix-rose_getname-leak.patch
++ bugfix/all/econet-fix-econet_getname-leak.patch
++ bugfix/all/can-fix-raw_getname-leak.patch
++ bugfix/all/netrom-fix-nr_getname-leak.patch
++ bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch
++ bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch
++ bugfix/x86/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch
++ bugfix/x86/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch
++ bugfix/all/nfsd4-de-union-iattr-and-verf.patch
++ bugfix/all/r8169-use-hardware-auto-padding.patch