[kernel] r16859 - in dists/lenny/linux-2.6: . debian debian/config debian/patches/bugfix/all debian/patches/bugfix/x86 debian/patches/debian debian/patches/features/all/openvz debian/patches/features/all/xen debian/patches/series

Dann Frazier dannf at alioth.debian.org
Mon Jan 31 00:21:54 UTC 2011


Author: dannf
Date: Mon Jan 31 00:21:49 2011
New Revision: 16859

Log:
merge 2.6.26-26lenny[1,2]

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/CVE-2010-4526.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/CVE-2010-4526.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/CVE-2010-4527.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/CVE-2010-4527.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/af_unix-limit-unix_tot_inflight.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/af_unix-limit-unix_tot_inflight.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/aio-check-for-multiplication-overflow-in-do_io_submit.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/aio-check-for-multiplication-overflow-in-do_io_submit.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/bluetooth-fix-missing-NULL-check.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/bluetooth-fix-missing-NULL-check.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/can-bcm-fix-minor-heap-overflow.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/can-bcm-fix-minor-heap-overflow.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/compat-make-compat_alloc_user_space-incorporate-the_access_ok.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/compat-make-compat_alloc_user_space-incorporate-the_access_ok.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/do_exit-make-sure-that-we-run-with-get_fs-USER_DS.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/do_exit-make-sure-that-we-run-with-get_fs-USER_DS.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-add-missing-check-for-CAP_NET_ADMIN.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/econet-add-missing-check-for-CAP_NET_ADMIN.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-coalesced-iovec.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/econet-coalesced-iovec.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-disallow-NULL-remote-addr-for-sendmsg.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/econet-disallow-NULL-remote-addr-for-sendmsg.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-fix-crash-in-aun_incoming.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/econet-fix-crash-in-aun_incoming.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-fix-redeclaration-of-symbol-len.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/econet-fix-redeclaration-of-symbol-len.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/ecryptfs-bugfix-for-error-related-to-ecryptfs_hash_buckets.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/ecryptfs-bugfix-for-error-related-to-ecryptfs_hash_buckets.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-copy-and-paste-the-fixes-into-compat_do_execve-paths.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/exec-copy-and-paste-the-fixes-into-compat_do_execve-paths.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-make-argv-envp-memory-visible-to-oom-killer.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/exec-make-argv-envp-memory-visible-to-oom-killer.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/gdth-integer-overflow-in-ioctl.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/gdth-integer-overflow-in-ioctl.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/ib-uverbs-handle-large-number-of-entries-in-poll-CQ.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/ib-uverbs-handle-large-number-of-entries-in-poll-CQ.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/inet_diag-make-sure-we-actually-run-the-same-bytecode-we-audited.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/inet_diag-make-sure-we-actually-run-the-same-bytecode-we-audited.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/ipc-shm-fix-information-leak-to-userland.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/ipc-shm-fix-information-leak-to-userland.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/ivtvfb-prevent-reading-uninitialized-stack-memory.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/ivtvfb-prevent-reading-uninitialized-stack-memory.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/net-ax25-fix-information-leak-to-userland.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-ax25-fix-information-leak-to-userland.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/net-eql-prevent-reading-uninitialized-stack-memory.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-eql-prevent-reading-uninitialized-stack-memory.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/net-packet-fix-information-leak-to-userland.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-packet-fix-information-leak-to-userland.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/net-tipc-fix-information-leak-to-userland.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-tipc-fix-information-leak-to-userland.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/posix-cpu-timers-workaround-to-suppress-the-problems-with-mt-exec.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/posix-cpu-timers-workaround-to-suppress-the-problems-with-mt-exec.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/rme9652-prevent-reading-uninitialized-stack-memory.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/rme9652-prevent-reading-uninitialized-stack-memory.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/scm-lower-SCM_MAX_FD.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/scm-lower-SCM_MAX_FD.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/setup_arg_pages-diagnose-excessive-argument-size.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/setup_arg_pages-diagnose-excessive-argument-size.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/usb-iowarrior-dont-trust-report_size-for-buffer-size.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/usb-iowarrior-dont-trust-report_size-for-buffer-size.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/video-sis-prevent-reading-uninitialized-stack-memory.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/video-sis-prevent-reading-uninitialized-stack-memory.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/x25-fix-field-accesses-beyond-end-of-packet.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/x25-fix-field-accesses-beyond-end-of-packet.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/x25-fix-memory-corruption-in-facilities-parsing.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/x25-fix-memory-corruption-in-facilities-parsing.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/xfs-prevent-reading-uninitialized-stack-memory.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/xfs-prevent-reading-uninitialized-stack-memory.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/x86/kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/x86/thinkpad-acpi-lock-down-video-output-state-access.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/x86/thinkpad-acpi-lock-down-video-output-state-access.patch
   dists/lenny/linux-2.6/debian/patches/debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch
   dists/lenny/linux-2.6/debian/patches/debian/exec-Get-rid-of-linux_binprm-vma_pages.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/debian/exec-Get-rid-of-linux_binprm-vma_pages.patch
   dists/lenny/linux-2.6/debian/patches/features/all/xen/CVE-2010-3699.patch
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/features/all/xen/CVE-2010-3699.patch
   dists/lenny/linux-2.6/debian/patches/series/25lenny1
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/series/25lenny1
   dists/lenny/linux-2.6/debian/patches/series/26lenny1
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/series/26lenny1
   dists/lenny/linux-2.6/debian/patches/series/26lenny2
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/series/26lenny2
   dists/lenny/linux-2.6/debian/patches/series/26lenny2-extra
      - copied unchanged from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/series/26lenny2-extra
Modified:
   dists/lenny/linux-2.6/   (props changed)
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/config/defines
   dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Sun Jan 30 23:26:56 2011	(r16858)
+++ dists/lenny/linux-2.6/debian/changelog	Mon Jan 31 00:21:49 2011	(r16859)
@@ -8,6 +8,85 @@
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 29 Nov 2010 02:01:24 +0000
 
+linux-2.6 (2.6.26-26lenny2) stable-security; urgency=high
+
+  [ dann frazier ]
+  * filter: make sure filters dont read uninitialized memory (CVE-2010-4158)
+  * bio: take care not overflow page count when mapping/copying user data
+    (CVE-2010-4162)
+  * block: check for proper length of iov entries in blk_rq_map_user_iov()
+    (CVE-2010-4163)
+  * bluetooth: Fix missing NULL check (CVE-2010-4242)
+  * posix-cpu-timers: workaround to suppress the problems with mt exec
+    (CVE-2010-4248)
+  * KVM: VMX: fix vmx null pointer dereference on debug register access
+    (CVE-2010-0435)
+  * exec: make argv/envp memory visible to oom-killer (CVE-2010-4243)
+  * af_unix: limit unix_tot_inflight (CVE-2010-4249)
+  * do_exit(): make sure that we run with get_fs() == USER_DS (CVE-2010-4258)
+  * econet: Disable auto-loading as mitigation against local exploits. This
+    module has been shown to be broken, so this risk of this affecting
+    real users is insignificant.
+  * econet: Fix crash in aun_incoming() (CVE-2010-4342)
+  * install_special_mapping skips security_file_mmap check (CVE-2010-4346)
+  * CAN: Use inode instead of kernel address for /proc file (CVE-2010-4565)
+  * IB/uverbs: Handle large number of entries in poll CQ (CVE-2010-4649)
+  * block: check for proper length of iov entries earlier in
+    blk_rq_map_user_iov() (CVE-2010-4668)
+  * av7110: check for negative array offset (CVE-2011-0521)
+  * usb: iowarrior: don't trust report_size for buffer size (CVE-2010-4656)
+
+  [ Moritz Muehlenhoff ]
+  * blkback/blktap/netback: Fix CVE-2010-3699 	
+  * sctp: Fix a race between ICMP protocol unreachable and connect()
+    (CVE-2010-4526)
+  * sound: Prevent buffer overflow in OSS load_mixer_volumes (CVE-2010-4527)	
+  * irda: prevent integer underflow in IRLMP_ENUMDEVICES (CVE-2010-4529)
+
+ -- dann frazier <dannf at debian.org>  Mon, 24 Jan 2011 23:46:35 -0600
+
+linux-2.6 (2.6.26-26lenny1) stable-security; urgency=high
+
+  * net sched: fix kernel leak in act_police (CVE-2010-3477)
+  * aio: check for multiplication overflow in do_io_submit (CVE-2010-3067)
+  * cxgb3: prevent reading uninitialized stack memory (CVE-2010-3296)
+  * eql: prevent reading uninitialized stack memory (CVE-2010-3297)
+  * rose: Fix signedness issues wrt. digi count (CVE-2010-3310)
+  * sctp: Do not reset the packet during sctp_packet_config() (CVE-2010-3432)
+  * Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)
+  * ALSA: prevent heap corruption in snd_ctl_new() (CVE-2010-3442)
+  * thinkpad-acpi: lock down video output state access (CVE-2010-3448)
+  * sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() (CVE-2010-3705)
+  * setup_arg_pages: diagnose excessive argument size (CVE-2010-3858)
+  * X.25: memory corruption in X.25 facilities parsing (CVE-2010-3873)
+  * sys_semctl: fix kernel stack leakage (CVE-2010-4083)
+  * ALSA: rme9652: prevent reading uninitialized stack memory
+    (CVE-2010-4080, CVE-2010-4081)
+  * V4L/DVB: ivtvfb: prevent reading uninitialized stack memory (CVE-2010-4079)
+  * video/sis: prevent reading uninitialized stack memory (CVE-2010-4078)
+  * X.25: Prevent crashing when parsing bad X.25 facilities (CVE-2010-4164)
+  * v4l1: fix 32-bit compat microcode loading translation (CVE-2010-2963)
+  * net: Mitigate overflow issues
+     - Truncate recvfrom and sendto length to INT_MAX.
+     - Limit socket I/O iovec total length to INT_MAX.
+     - Resolves kernel heap overflow in the TIPC protcol (CVE-2010-3859)
+  * net: ax25: fix information leak to userland (CVE-2010-3875)
+  * can-bcm: fix minor heap overflow (CVE-2010-3874)
+  * net: packet: fix information leak to userland (CVE-2010-3876)
+  * net: tipc: fix information leak to userland (CVE-2010-3877)
+  * inet_diag: Make sure we actually run the same bytecode we audited
+    (CVE-2010-3880)
+  * ipc: shm: fix information leak to userland (CVE-2010-4072)
+  * ipc: initialize structure memory to zero for compat functions
+    (CVE-2010-4073)
+  * USB: serial/mos*: prevent reading uninitialized stack memory (CVE-2010-4074)
+  * [SCSI] gdth: integer overflow in ioctl (CVE-2010-4157)
+  * econet: Avoid stack overflow w/ large msgiovlen (CVE-2010-3848)
+  * econet: disallow NULL remote addr for sendmsg() (CVE-2010-3849)
+  * econet: Add mising CAP_NET_ADMIN check in SIOCSIFADDR (CVE-2010-3850)
+
+ -- dann frazier <dannf at debian.org>  Wed, 24 Nov 2010 17:46:00 -0700
+
 linux-2.6 (2.6.26-26) stable; urgency=high
 
   [ Ben Hutchings ]
@@ -20,6 +99,19 @@
 
  -- dann frazier <dannf at debian.org>  Sat, 20 Nov 2010 15:30:51 -0700
 
+linux-2.6 (2.6.26-25lenny1) stable-security; urgency=high
+
+  * irda: Correctly clean up self->ias_obj on irda_bind() failure.
+    (CVE-2010-2954)
+  * compat: Make compat_alloc_user_space() incorporate the access_ok()
+    (CVE-2010-3081)
+  * ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
+    (CVE-2010-3080)
+  * xfs: prevent reading uninitialized stack memory (CVE-2010-3078)
+  * ecryptfs: Bugfix for error related to ecryptfs_hash_buckets (CVE-2010-2492)
+
+ -- dann frazier <dannf at debian.org>  Thu, 16 Sep 2010 09:38:09 -0600
+
 linux-2.6 (2.6.26-25) stable; urgency=high
 
   [ Ben Hutchings ]

Modified: dists/lenny/linux-2.6/debian/config/defines
==============================================================================
--- dists/lenny/linux-2.6/debian/config/defines	Sun Jan 30 23:26:56 2011	(r16858)
+++ dists/lenny/linux-2.6/debian/config/defines	Mon Jan 31 00:21:49 2011	(r16859)
@@ -1,6 +1,6 @@
 [abi]
 abiname: 2
-ignore-changes: cn_add_callback gfn_* kvm_* __kvm_* emulate_instruction emulator_read_std emulator_write_emulated fx_init load_pdptrs saa7134_* saa_dsp_writel ub_sock_snd_queue_add
+ignore-changes: cn_add_callback gfn_* kvm_* __kvm_* emulate_instruction emulator_read_std emulator_write_emulated fx_init load_pdptrs saa7134_* saa_dsp_writel ub_sock_snd_queue_add __scm_* scm_*
 
 [base]
 arches:
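Review bot: The two wildcards appended to `ignore-changes`, `__scm_*` and `scm_*`, are added with no record of which change made them necessary. They presumably cover the ABI change from scm-lower-SCM_MAX_FD.patch, which this commit adds, but that is inferred from the file list and not stated in the changelog entries shown. A wildcard entry keeps suppressing the ABI check for every later change to those symbols, so the reason belongs next to the change. A changelog line such as `Ignore ABI changes in scm_* and __scm_* caused by scm-lower-SCM_MAX_FD.patch` would do it.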

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/CVE-2010-4526.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/CVE-2010-4526.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/CVE-2010-4526.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/CVE-2010-4526.patch)
@@ -0,0 +1,185 @@
+From 50b5d6ad63821cea324a5a7a19854d4de1a0a819 Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich <vladislav.yasevich at hp.com>
+Date: Thu, 6 May 2010 00:56:07 -0700
+Subject: [PATCH] sctp: Fix a race between ICMP protocol unreachable and connect()
+
+ICMP protocol unreachable handling completely disregarded
+the fact that the user may have locked the socket.  It proceeded
+to destroy the association, even though the user may have
+held the lock and had a ref on the association.  This resulted
+in the following:
+
+Attempt to release alive inet socket f6afcc00
+
+=========================
+[ BUG: held lock freed! ]
+-------------------------
+somenu/2672 is freeing memory f6afcc00-f6afcfff, with a lock still held
+there!
+ (sk_lock-AF_INET){+.+.+.}, at: [<c122098a>] sctp_connect+0x13/0x4c
+1 lock held by somenu/2672:
+ #0:  (sk_lock-AF_INET){+.+.+.}, at: [<c122098a>] sctp_connect+0x13/0x4c
+
+stack backtrace:
+Pid: 2672, comm: somenu Not tainted 2.6.32-telco #55
+Call Trace:
+ [<c1232266>] ? printk+0xf/0x11
+ [<c1038553>] debug_check_no_locks_freed+0xce/0xff
+ [<c10620b4>] kmem_cache_free+0x21/0x66
+ [<c1185f25>] __sk_free+0x9d/0xab
+ [<c1185f9c>] sk_free+0x1c/0x1e
+ [<c1216e38>] sctp_association_put+0x32/0x89
+ [<c1220865>] __sctp_connect+0x36d/0x3f4
+ [<c122098a>] ? sctp_connect+0x13/0x4c
+ [<c102d073>] ? autoremove_wake_function+0x0/0x33
+ [<c12209a8>] sctp_connect+0x31/0x4c
+ [<c11d1e80>] inet_dgram_connect+0x4b/0x55
+ [<c11834fa>] sys_connect+0x54/0x71
+ [<c103a3a2>] ? lock_release_non_nested+0x88/0x239
+ [<c1054026>] ? might_fault+0x42/0x7c
+ [<c1054026>] ? might_fault+0x42/0x7c
+ [<c11847ab>] sys_socketcall+0x6d/0x178
+ [<c10da994>] ? trace_hardirqs_on_thunk+0xc/0x10
+ [<c1002959>] syscall_call+0x7/0xb
+
+This was because the sctp_wait_for_connect() would aqcure the socket
+lock and then proceed to release the last reference count on the
+association, thus cause the fully destruction path to finish freeing
+the socket.
+
+The simplest solution is to start a very short timer in case the socket
+is owned by user.  When the timer expires, we can do some verification
+and be able to do the release properly.
+
+Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ include/net/sctp/sm.h      |    1 +
+ include/net/sctp/structs.h |    3 +++
+ net/sctp/input.c           |   22 ++++++++++++++++++----
+ net/sctp/sm_sideeffect.c   |   35 +++++++++++++++++++++++++++++++++++
+ net/sctp/transport.c       |    2 ++
+ 5 files changed, 59 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
+index 851c813..61d73e3 100644
+--- a/include/net/sctp/sm.h
++++ b/include/net/sctp/sm.h
+@@ -279,6 +279,7 @@ int sctp_do_sm(sctp_event_t event_type, sctp_subtype_t subtype,
+ /* 2nd level prototypes */
+ void sctp_generate_t3_rtx_event(unsigned long peer);
+ void sctp_generate_heartbeat_event(unsigned long peer);
++void sctp_generate_proto_unreach_event(unsigned long peer);
+ 
+ void sctp_ootb_pkt_free(struct sctp_packet *);
+ 
+diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
+index 597f8e2..219043a 100644
+--- a/include/net/sctp/structs.h
++++ b/include/net/sctp/structs.h
+@@ -1010,6 +1010,9 @@ struct sctp_transport {
+ 	/* Heartbeat timer is per destination. */
+ 	struct timer_list hb_timer;
+ 
++	/* Timer to handle ICMP proto unreachable envets */
++	struct timer_list proto_unreach_timer;
++
+ 	/* Since we're using per-destination retransmission timers
+ 	 * (see above), we're also using per-destination "transmitted"
+ 	 * queues.  This probably ought to be a private struct
+diff --git a/net/sctp/input.c b/net/sctp/input.c
+index 2a57018..ea21924 100644
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -440,11 +440,25 @@ void sctp_icmp_proto_unreachable(struct sock *sk,
+ {
+ 	SCTP_DEBUG_PRINTK("%s\n",  __func__);
+ 
+-	sctp_do_sm(SCTP_EVENT_T_OTHER,
+-		   SCTP_ST_OTHER(SCTP_EVENT_ICMP_PROTO_UNREACH),
+-		   asoc->state, asoc->ep, asoc, t,
+-		   GFP_ATOMIC);
++	if (sock_owned_by_user(sk)) {
++		if (timer_pending(&t->proto_unreach_timer))
++			return;
++		else {
++			if (!mod_timer(&t->proto_unreach_timer,
++						jiffies + (HZ/20)))
++				sctp_association_hold(asoc);
++		}
++			
++	} else {
++		if (timer_pending(&t->proto_unreach_timer) &&
++		    del_timer(&t->proto_unreach_timer))
++			sctp_association_put(asoc);
+ 
++		sctp_do_sm(SCTP_EVENT_T_OTHER,
++			   SCTP_ST_OTHER(SCTP_EVENT_ICMP_PROTO_UNREACH),
++			   asoc->state, asoc->ep, asoc, t,
++			   GFP_ATOMIC);
++	}
+ }
+ 
+ /* Common lookup code for icmp/icmpv6 error handler. */
+diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
+index d5ae450..eb1f42f 100644
+--- a/net/sctp/sm_sideeffect.c
++++ b/net/sctp/sm_sideeffect.c
+@@ -397,6 +397,41 @@ out_unlock:
+ 	sctp_transport_put(transport);
+ }
+ 
++/* Handle the timeout of the ICMP protocol unreachable timer.  Trigger
++ * the correct state machine transition that will close the association.
++ */
++void sctp_generate_proto_unreach_event(unsigned long data)
++{
++	struct sctp_transport *transport = (struct sctp_transport *) data;
++	struct sctp_association *asoc = transport->asoc;
++	
++	sctp_bh_lock_sock(asoc->base.sk);
++	if (sock_owned_by_user(asoc->base.sk)) {
++		SCTP_DEBUG_PRINTK("%s:Sock is busy.\n", __func__);
++
++		/* Try again later.  */
++		if (!mod_timer(&transport->proto_unreach_timer,
++				jiffies + (HZ/20)))
++			sctp_association_hold(asoc);
++		goto out_unlock;
++	}
++
++	/* Is this structure just waiting around for us to actually
++	 * get destroyed?
++	 */
++	if (asoc->base.dead)
++		goto out_unlock;
++
++	sctp_do_sm(SCTP_EVENT_T_OTHER,
++		   SCTP_ST_OTHER(SCTP_EVENT_ICMP_PROTO_UNREACH),
++		   asoc->state, asoc->ep, asoc, transport, GFP_ATOMIC);
++
++out_unlock:
++	sctp_bh_unlock_sock(asoc->base.sk);
++	sctp_association_put(asoc);
++}
++
++
+ /* Inject a SACK Timeout event into the state machine.  */
+ static void sctp_generate_sack_event(unsigned long data)
+ {
+diff --git a/net/sctp/transport.c b/net/sctp/transport.c
+index be4d63d..4a36803 100644
+--- a/net/sctp/transport.c
++++ b/net/sctp/transport.c
+@@ -108,6 +108,8 @@ static struct sctp_transport *sctp_transport_init(struct sctp_transport *peer,
+ 			(unsigned long)peer);
+ 	setup_timer(&peer->hb_timer, sctp_generate_heartbeat_event,
+ 			(unsigned long)peer);
++	setup_timer(&peer->proto_unreach_timer,
++		    sctp_generate_proto_unreach_event, (unsigned long)peer);
+ 
+ 	/* Initialize the 64-bit random nonce sent with heartbeat. */
+ 	get_random_bytes(&peer->hb_nonce, sizeof(peer->hb_nonce));
+-- 
+1.7.3.5
+
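Review bot: Nothing in this patch cancels `proto_unreach_timer` when a transport is torn down. The net/sctp/transport.c hunk only adds the `setup_timer()` call, and arming the timer pins the association with `sctp_association_hold(asoc)`, not the transport. `sctp_generate_proto_unreach_event()` casts its argument back to a `struct sctp_transport *` and reads `transport->asoc`, so if the transport can be freed while the timer is pending, the callback would touch freed memory. The teardown path is outside the hunks shown and needs checking; if the cancel is missing there, `if (del_timer(&transport->proto_unreach_timer)) sctp_association_put(transport->asoc);` in the transport free path would close the gap. Separately, the `HZ/20` delay is repeated in input.c and sm_sideeffect.c and would read better as one named constant.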

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/CVE-2010-4527.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/CVE-2010-4527.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/CVE-2010-4527.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/CVE-2010-4527.patch)
@@ -0,0 +1,47 @@
+From d81a12bc29ae4038770e05dce4ab7f26fd5880fb Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Sat, 25 Dec 2010 16:23:40 -0500
+Subject: [PATCH] sound: Prevent buffer overflow in OSS load_mixer_volumes
+
+The load_mixer_volumes() function, which can be triggered by
+unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
+a buffer overflow.  Because the provided "name" argument isn't
+guaranteed to be NULL terminated at the expected 32 bytes, it's possible
+to overflow past the end of the last element in the mixer_vols array.
+Further exploitation can result in an arbitrary kernel write (via
+subsequent calls to load_mixer_volumes()) leading to privilege
+escalation, or arbitrary kernel reads via get_mixer_levels().  In
+addition, the strcmp() may leak bytes beyond the mixer_vols array.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Cc: stable <stable at kernel.org>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/oss/soundcard.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/oss/soundcard.c b/sound/oss/soundcard.c
+index 46c0d03..fcb14a09 100644
+--- a/sound/oss/soundcard.c
++++ b/sound/oss/soundcard.c
+@@ -87,7 +87,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
+ 	int             i, n;
+ 
+ 	for (i = 0; i < num_mixer_volumes; i++) {
+-		if (strcmp(name, mixer_vols[i].name) == 0) {
++		if (strncmp(name, mixer_vols[i].name, 32) == 0) {
+ 			if (present)
+ 				mixer_vols[i].num = i;
+ 			return mixer_vols[i].levels;
+@@ -99,7 +99,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
+ 	}
+ 	n = num_mixer_volumes++;
+ 
+-	strcpy(mixer_vols[n].name, name);
++	strncpy(mixer_vols[n].name, name, 32);
+ 
+ 	if (present)
+ 		mixer_vols[n].num = n;
+-- 
+1.7.3.5
+
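Review bot: In the second hunk of load_mixer_volumes(), `strncpy(mixer_vols[n].name, name, 32)` leaves the stored name without a terminating NUL whenever the caller's name fills all 32 bytes, so the fix holds only while every reader of `mixer_vols[].name` stays length-bounded like the new `strncmp(..., 32)`. The literal 32 is also repeated in both hunks instead of being tied to the field. Assuming `name` is a 32-byte array in the mixer_vols element (its declaration is not in the hunk), `strncpy(mixer_vols[n].name, name, sizeof(mixer_vols[n].name));` and the same `sizeof` in the `strncmp` would keep the bound correct if the struct changes. A comment such as `/* name is a fixed-size field and may be unterminated */` above the copy would record the constraint. The function body starts and ends outside both hunks.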

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/af_unix-limit-unix_tot_inflight.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/af_unix-limit-unix_tot_inflight.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/af_unix-limit-unix_tot_inflight.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/af_unix-limit-unix_tot_inflight.patch)
@@ -0,0 +1,47 @@
+commit 39bc12da78776f253bf5ce7415a8b533856f7706
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date:   Wed Nov 24 09:15:27 2010 -0800
+
+    af_unix: limit unix_tot_inflight
+    
+    Vegard Nossum found a unix socket OOM was possible, posting an exploit
+    program.
+    
+    My analysis is we can eat all LOWMEM memory before unix_gc() being
+    called from unix_release_sock(). Moreover, the thread blocked in
+    unix_gc() can consume huge amount of time to perform cleanup because of
+    huge working set.
+    
+    One way to handle this is to have a sensible limit on unix_tot_inflight,
+    tested from wait_for_unix_gc() and to force a call to unix_gc() if this
+    limit is hit.
+    
+    This solves the OOM and also reduce overall latencies, and should not
+    slowdown normal workloads.
+    
+    Reported-by: Vegard Nossum <vegard.nossum at gmail.com>
+    Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    [dannf: Adjusted to apply to Debian's 2.6.26]
+
+diff --git a/net/unix/garbage.c b/net/unix/garbage.c
+index dbc8e46..7437742 100644
+--- a/net/unix/garbage.c
++++ b/net/unix/garbage.c
+@@ -260,9 +260,16 @@ static void inc_inflight_move_tail(struct unix_sock *u)
+ }
+ 
+ static bool gc_in_progress = false;
++#define UNIX_INFLIGHT_TRIGGER_GC 16000
+ 
+ void wait_for_unix_gc(void)
+ {
++	/*
++	 * If number of inflight sockets is insane,
++	 * force a garbage collect right now.
++	 */
++	if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress)
++		unix_gc();
+ 	wait_event(unix_gc_wait, gc_in_progress == false);
+ }
+ 
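Review bot: The new test in wait_for_unix_gc() reads `unix_tot_inflight` and `gc_in_progress` with no lock held, so two callers can both pass it and both call unix_gc(). That is safe only if unix_gc() re-checks `gc_in_progress` under its own lock, which is outside this hunk and worth confirming for the 2.6.26 backport. `UNIX_INFLIGHT_TRIGGER_GC` is also introduced without a comment; something like `/* number of in-flight unix sockets above which a caller runs the collector itself */` would say what the 16000 measures. The comment inside the function could add that the check is a heuristic, not an exact limit.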

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/aio-check-for-multiplication-overflow-in-do_io_submit.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/aio-check-for-multiplication-overflow-in-do_io_submit.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/aio-check-for-multiplication-overflow-in-do_io_submit.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/aio-check-for-multiplication-overflow-in-do_io_submit.patch)
@@ -0,0 +1,41 @@
+commit 0565f633733ae622c6c9c6b85f36b5bdf4d10085
+Author: Jeff Moyer <jmoyer at redhat.com>
+Date:   Fri Sep 10 14:16:00 2010 -0700
+
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    aio: check for multiplication overflow in do_io_submit
+    
+    Tavis Ormandy pointed out that do_io_submit does not do proper bounds
+    checking on the passed-in iocb array:
+    
+           if (unlikely(nr < 0))
+                   return -EINVAL;
+    
+           if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))
+                   return -EFAULT;                      ^^^^^^^^^^^^^^^^^^
+    
+    The attached patch checks for overflow, and if it is detected, the
+    number of iocbs submitted is scaled down to a number that will fit in
+    the long.  This is an ok thing to do, as sys_io_submit is documented as
+    returning the number of iocbs submitted, so callers should handle a
+    return value of less than the 'nr' argument passed in.
+    
+    Reported-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+    Signed-off-by: Jeff Moyer <jmoyer at redhat.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/aio.c b/fs/aio.c
+index 8ed807d..f1c7b64 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1662,6 +1662,9 @@ SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,
+ 	if (unlikely(nr < 0))
+ 		return -EINVAL;
+ 
++	if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
++		nr = LONG_MAX/sizeof(*iocbpp);
++
+ 	if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
+ 		return -EFAULT;
+ 
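Review bot: The clamp added before access_ok() in io_submit silently shortens `nr` with no comment in the code, so the reason an oversized count is truncated rather than rejected lives only in the commit message. A comment above the test, e.g. `/* clamp instead of failing: io_submit may submit fewer than nr iocbs */`, would keep a later reader from turning it into an `-EINVAL`. `LONG_MAX/sizeof(*iocbpp)` is also written out twice; a local such as `const long max_nr = LONG_MAX / sizeof(*iocbpp);` would state the bound once. The syscall body continues outside the hunk.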

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch)
@@ -0,0 +1,45 @@
+commit 67457795003ba0ca32157a893827e456ad45c420
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Tue Sep 28 14:18:20 2010 -0400
+
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    ALSA: prevent heap corruption in snd_ctl_new()
+    
+    The snd_ctl_new() function in sound/core/control.c allocates space for a
+    snd_kcontrol struct by performing arithmetic operations on a
+    user-provided size without checking for integer overflow.  If a user
+    provides a large enough size, an overflow will occur, the allocated
+    chunk will be too small, and a second user-influenced value will be
+    written repeatedly past the bounds of this chunk.  This code is
+    reachable by unprivileged users who have permission to open
+    a /dev/snd/controlC* device (on many distros, this is group "audio") via
+    the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
+    
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Cc: <stable at kernel.org>
+    Signed-off-by: Takashi Iwai <tiwai at suse.de>
+
+diff --git a/sound/core/control.c b/sound/core/control.c
+index 7ac4bbb..8618aa0 100644
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -31,6 +31,7 @@
+ 
+ /* max number of user-defined controls */
+ #define MAX_USER_CONTROLS	32
++#define MAX_CONTROL_COUNT	1028
+ 
+ struct snd_kctl_ioctl {
+ 	struct list_head list;		/* list of all ioctls */
+@@ -190,6 +191,10 @@ static struct snd_kcontrol *snd_ctl_new(struct snd_kcontrol *control,
+ 	
+ 	snd_assert(control != NULL, return NULL);
+ 	snd_assert(control->count > 0, return NULL);
++
++	if (control->count > MAX_CONTROL_COUNT)
++		return NULL;
++
+ 	kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
+ 	if (kctl == NULL) {
+ 		snd_printk(KERN_ERR "Cannot allocate control instance\n");
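Review bot: `MAX_CONTROL_COUNT` is added with no comment, unlike `MAX_USER_CONTROLS` on the line above it, and nothing in the hunk says why 1028 is the limit. A comment such as `/* max elements per control; bounds the size computed for kzalloc() in snd_ctl_new() */` would tie the constant to the multiplication it protects. The new `return NULL` is also silent, while the allocation failure just below logs through snd_printk. If callers map NULL to an out-of-memory error (not visible here), an oversized count would be reported misleadingly. snd_ctl_new() continues past the end of the hunk.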

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch)
@@ -0,0 +1,51 @@
+commit d05884ad376194189162c72b060d02024abfdcf6
+Author: Takashi Iwai <tiwai at suse.de>
+Date:   Mon Sep 6 09:13:45 2010 +0200
+
+    ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
+    
+    The error handling in snd_seq_oss_open() has several bad codes that
+    do dereferecing released pointers and double-free of kmalloc'ed data.
+    The object dp is release in free_devinfo() that is called via
+    private_free callback.  The rest shouldn't touch this object any more.
+    
+    The patch changes delete_port() to call kfree() in any case, and gets
+    rid of unnecessary calls of destructors in snd_seq_oss_open().
+    
+    Fixes CVE-2010-3080.
+    
+    Reported-and-tested-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+    Cc: <stable at kernel.org>
+    Signed-off-by: Takashi Iwai <tiwai at suse.de>
+
+diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c
+index d0d721c..1f133fe 100644
+--- a/sound/core/seq/oss/seq_oss_init.c
++++ b/sound/core/seq/oss/seq_oss_init.c
+@@ -280,13 +280,10 @@ snd_seq_oss_open(struct file *file, int level)
+ 	return 0;
+ 
+  _error:
+-	snd_seq_oss_writeq_delete(dp->writeq);
+-	snd_seq_oss_readq_delete(dp->readq);
+ 	snd_seq_oss_synth_cleanup(dp);
+ 	snd_seq_oss_midi_cleanup(dp);
+-	delete_port(dp);
+ 	delete_seq_queue(dp->queue);
+-	kfree(dp);
++	delete_port(dp);
+ 
+ 	return rc;
+ }
+@@ -349,8 +346,10 @@ create_port(struct seq_oss_devinfo *dp)
+ static int
+ delete_port(struct seq_oss_devinfo *dp)
+ {
+-	if (dp->port < 0)
++	if (dp->port < 0) {
++		kfree(dp);
+ 		return 0;
++	}
+ 
+ 	debug_printk(("delete_port %i\n", dp->port));
+ 	return snd_seq_event_port_detach(dp->cseq, dp->port);
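Review bot: After this change delete_port() owns the lifetime of `dp`, but nothing in the code says so. It calls `kfree(dp)` itself when `dp->port < 0` and, per the commit message, otherwise relies on free_devinfo() running through the private_free callback. A comment on delete_port() such as `/* releases dp on every path; callers must not touch dp afterwards */` would protect the `_error:` path in snd_seq_oss_open() from regaining a use-after-free or a second kfree(). Whether `dp` is still released when snd_seq_event_port_detach() returns an error cannot be told from the hunk and is worth checking, since a failure there could otherwise leak it.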

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch)
@@ -0,0 +1,25 @@
+commit cb26a24ee9706473f31d34cc259f4dcf45cd0644
+Author: Dan Carpenter <error27 at gmail.com>
+Date:   Fri Jan 7 16:41:54 2011 -0300
+
+    [media] [v3,media] av7110: check for negative array offset
+    
+    info->num comes from the user.  It's type int.  If the user passes
+    in a negative value that would cause memory corruption.
+    
+    Signed-off-by: Dan Carpenter <error27 at gmail.com>
+    Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+
+diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c
+index 122c728..9fc1dd0 100644
+--- a/drivers/media/dvb/ttpci/av7110_ca.c
++++ b/drivers/media/dvb/ttpci/av7110_ca.c
+@@ -277,7 +277,7 @@ static int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg)
+ 	{
+ 		ca_slot_info_t *info=(ca_slot_info_t *)parg;
+ 
+-		if (info->num > 1)
++		if (info->num < 0 || info->num > 1)
+ 			return -EINVAL;
+ 		av7110->ci_slot[info->num].num = info->num;
+ 		av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
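Review bot: The corrected range check in dvb_ca_ioctl() still hard-codes the upper bound `1`, separately from the size of the `ci_slot` array that `info->num` indexes on the following lines. Assuming `ci_slot` is a fixed-size array member (its declaration is outside the hunk), `if (info->num < 0 || info->num >= ARRAY_SIZE(av7110->ci_slot))` keeps the check and the array in step. The case body and the function start and end outside the hunk.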

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch)
@@ -0,0 +1,55 @@
+commit d00622b90e24782726fbb4d6f647c8cdbf51cacc
+Author: Jens Axboe <jaxboe at fusionio.com>
+Date:   Wed Nov 10 14:36:25 2010 +0100
+
+    bio: take care not overflow page count when mapping/copying user data
+    
+    [Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
+    to overflow, we could end up attempting to map a huge number of
+    pages. Check for this invalid input type.
+    
+    Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Cc: stable at kernel.org
+    Signed-off-by: Jens Axboe <jaxboe at fusionio.com>
+
+diff --git a/fs/bio.c b/fs/bio.c
+index 7db618c..3df12b1 100644
+--- a/fs/bio.c
++++ b/fs/bio.c
+@@ -588,6 +588,12 @@ struct bio *bio_copy_user_iov(struct request_queue *q, struct sg_iovec *iov,
+ 		end = (uaddr + iov[i].iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ 		start = uaddr >> PAGE_SHIFT;
+ 
++		/*
++		 * Overflow, abort
++		 */
++		if (end < start)
++			return ERR_PTR(-EINVAL);
++
+ 		nr_pages += end - start;
+ 		len += iov[i].iov_len;
+ 	}
+@@ -686,6 +692,12 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
+ 		unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ 		unsigned long start = uaddr >> PAGE_SHIFT;
+ 
++		/*
++		 * Overflow, abort
++		 */
++		if (end < start)
++			return ERR_PTR(-EINVAL);
++
+ 		nr_pages += end - start;
+ 		/*
+ 		 * buffer must be aligned to at least hardsector size for now
+@@ -713,7 +725,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
+ 		unsigned long start = uaddr >> PAGE_SHIFT;
+ 		const int local_nr_pages = end - start;
+ 		const int page_limit = cur_page + local_nr_pages;
+-		
++
+ 		down_read(&current->mm->mmap_sem);
+ 		ret = get_user_pages(current, current->mm, uaddr,
+ 				     local_nr_pages,
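Review bot: The `end < start` test added in bio_copy_user_iov() and __bio_map_user_iov() rejects a single segment whose address range wraps, but `nr_pages += end - start` on the next line still sums an unsigned long difference over all segments with no bound on the total. The context of the third hunk shows the same difference narrowed to `const int local_nr_pages = end - start;`, so a very large range would truncate there. Whether a later allocation limit already rules that out, and the type of `nr_pages`, are not visible here. The comment `Overflow, abort` could say what wrapped, e.g. `/* uaddr + len wrapped past the end of the address space */`. Both functions start and end outside the hunks.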

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch)
@@ -0,0 +1,35 @@
+commit d124b50925d1e4f9eb8465f017e30ba84815aceb
+Author: Xiaotian Feng <dfeng at redhat.com>
+Date:   Mon Nov 29 10:03:55 2010 +0100
+
+    block: check for proper length of iov entries earlier in blk_rq_map_user_iov()
+    
+    commit 9284bcf checks for proper length of iov entries in
+    blk_rq_map_user_iov(). But if the map is unaligned, kernel
+    will break out the loop without checking for the proper length.
+    So we need to check the proper length before the unalign check.
+    
+    Signed-off-by: Xiaotian Feng <dfeng at redhat.com>
+    Cc: stable at kernel.org
+    Signed-off-by: Jens Axboe <jaxboe at fusionio.com>
+
+diff --git a/block/blk-map.c b/block/blk-map.c
+index 71e102e..92e4cba 100644
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -187,12 +187,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
+ 	for (i = 0; i < iov_count; i++) {
+ 		unsigned long uaddr = (unsigned long)iov[i].iov_base;
+ 
++		if (!iov[i].iov_len)
++			return -EINVAL;
++
+ 		if (uaddr & queue_dma_alignment(q)) {
+ 			unaligned = 1;
+ 			break;
+ 		}
+-		if (!iov[i].iov_len)
+-			return -EINVAL;
+ 	}
+ 
+ 	if (unaligned || (q->dma_pad_mask & len))
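Review bot: Moving the `iov_len` test above the alignment test covers entries up to the first unaligned one, but the `break` that follows still leaves every later entry of `iov[]` unchecked before the `unaligned` branch below the loop runs. Dropping the `break` so the loop only records the condition, `if (uaddr & queue_dma_alignment(q)) unaligned = 1;`, lets the zero-length check run for all `iov_count` entries. The same loop is touched by block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch in this commit, whose check this patch file moves. blk_rq_map_user_iov() starts and ends outside the hunk.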

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch)
@@ -0,0 +1,26 @@
+commit fcd208f71b3319044829ef1b384bf2c7a28b449b
+Author: Jens Axboe <jaxboe at fusionio.com>
+Date:   Fri Oct 29 08:10:18 2010 -0600
+
+    block: check for proper length of iov entries in blk_rq_map_user_iov()
+    
+    Ensure that we pass down properly validated iov segments before
+    calling into the mapping or copy functions.
+    
+    Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Cc: stable at kernel.org
+    Signed-off-by: Jens Axboe <jaxboe at fusionio.com>
+
+diff --git a/block/blk-map.c b/block/blk-map.c
+index 0b1af5a..71e102e 100644
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -191,6 +191,8 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
+ 			unaligned = 1;
+ 			break;
+ 		}
++		if (!iov[i].iov_len)
++			return -EINVAL;
+ 	}
+ 
+ 	if (unaligned || (q->dma_pad_mask & len))

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/bluetooth-fix-missing-NULL-check.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/bluetooth-fix-missing-NULL-check.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/bluetooth-fix-missing-NULL-check.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/bluetooth-fix-missing-NULL-check.patch)
@@ -0,0 +1,35 @@
+commit 85a3a63a7ec6b1025897f3df5d59b295fab7681e
+Author: Alan Cox <alan at linux.intel.com>
+Date:   Fri Oct 22 14:11:26 2010 +0100
+
+    bluetooth: Fix missing NULL check
+    
+    Fortunately this is only exploitable on very unusual hardware.
+    
+    [Reported a while ago but nothing happened so just fixing it]
+    
+    Signed-off-by: Alan Cox <alan at linux.intel.com>
+    Cc: stable at kernel.org
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index e5cd856..8325dbc 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -263,9 +263,16 @@ static int hci_uart_tty_open(struct tty_struct *tty)
+ 
+ 	BT_DBG("tty %p", tty);
+ 
++	/* FIXME: This btw is bogus, nothing requires the old ldisc to clear
++	   the pointer */
+ 	if (hu)
+ 		return -EEXIST;
+ 
++	/* Error if the tty has no write op instead of leaving an exploitable
++	   hole */
++	if (tty->ops->write == NULL)
++		return -EOPNOTSUPP;
++
+ 	if (!(hu = kzalloc(sizeof(struct hci_uart), GFP_KERNEL))) {
+ 		BT_ERR("Can't allocate control structure");
+ 		return -ENFILE;

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/can-bcm-fix-minor-heap-overflow.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/can-bcm-fix-minor-heap-overflow.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/can-bcm-fix-minor-heap-overflow.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/can-bcm-fix-minor-heap-overflow.patch)
@@ -0,0 +1,31 @@
+commit c90009b2c4900984bcb1220d67c0b03c5fa19322
+Author: Oliver Hartkopp <socketcan at hartkopp.net>
+Date:   Tue Aug 17 08:59:14 2010 +0000
+
+    can-bcm: fix minor heap overflow
+    
+    [Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    On 64-bit platforms the ASCII representation of a pointer may be up to 17
+    bytes long. This patch increases the length of the buffer accordingly.
+    
+    http://marc.info/?l=linux-netdev&m=128872251418192&w=2
+    
+    Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Signed-off-by: Oliver Hartkopp <socketcan at hartkopp.net>
+    CC: Linus Torvalds <torvalds at linux-foundation.org>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 4d21e40..061df5e 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -120,7 +120,7 @@ struct bcm_sock {
+ 	struct list_head tx_ops;
+ 	unsigned long dropped_usr_msgs;
+ 	struct proc_dir_entry *bcm_proc_read;
+-	char procname [9]; /* pointer printed in ASCII with \0 */
++	char procname [20]; /* pointer printed in ASCII with \0 */
+ };
+ 
+ static inline struct bcm_sock *bcm_sk(const struct sock *sk)

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch)
@@ -0,0 +1,39 @@
+commit cb67a94a5ba37e5f01e254d29bc6ba5dcea70607
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Sun Dec 26 06:54:53 2010 +0000
+
+    CAN: Use inode instead of kernel address for /proc file
+    
+    Since the socket address is just being used as a unique identifier, its
+    inode number is an alternative that does not leak potentially sensitive
+    information.
+    
+    CC-ing stable because MITRE has assigned CVE-2010-4565 to the issue.
+    
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Acked-by: Oliver Hartkopp <socketcan at hartkopp.net>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    [dannf: adjusted to apply to Debian's 2.6.26]
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 061df5e..6e2a64c 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -120,7 +120,7 @@ struct bcm_sock {
+ 	struct list_head tx_ops;
+ 	unsigned long dropped_usr_msgs;
+ 	struct proc_dir_entry *bcm_proc_read;
+-	char procname [20]; /* pointer printed in ASCII with \0 */
++	char procname [32]; /* inode number in decimal with \0 */
+ };
+ 
+ static inline struct bcm_sock *bcm_sk(const struct sock *sk)
+@@ -1478,7 +1478,7 @@ static int bcm_connect(struct socket *sock, struct sockaddr *uaddr, int len,
+ 
+ 	if (proc_dir) {
+ 		/* unique socket address as filename */
+-		sprintf(bo->procname, "%p", sock);
++		sprintf(bo->procname, "%lu", sock_i_ino(sk));
+ 		bo->bcm_proc_read = create_proc_read_entry(bo->procname, 0644,
+ 							   proc_dir,
+ 							   bcm_read_proc, sk);
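Review bot: In the bcm_connect() hunk the name is still written with an unbounded `sprintf(bo->procname, "%lu", sock_i_ino(sk));`, so its safety depends on the reader knowing that 32 bytes cover any decimal unsigned long. `snprintf(bo->procname, sizeof(bo->procname), "%lu", sock_i_ino(sk));` ties the write to the buffer, and would have made the sizing mistake fixed by can-bcm-fix-minor-heap-overflow.patch a truncation rather than a heap overflow. The context comment `/* unique socket address as filename */` is now stale and should read `/* unique socket inode number as filename */`. bcm_connect() continues outside the hunk.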

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/compat-make-compat_alloc_user_space-incorporate-the_access_ok.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/compat-make-compat_alloc_user_space-incorporate-the_access_ok.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/compat-make-compat_alloc_user_space-incorporate-the_access_ok.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/compat-make-compat_alloc_user_space-incorporate-the_access_ok.patch)
@@ -0,0 +1,185 @@
+commit 95590fa4258743702d64cd89214013ec2a0537ee
+Author: H. Peter Anvin <hpa at linux.intel.com>
+Date:   Tue Sep 7 16:16:18 2010 -0700
+
+    compat: Make compat_alloc_user_space() incorporate the access_ok()
+    
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    compat_alloc_user_space() expects the caller to independently call
+    access_ok() to verify the returned area.  A missing call could
+    introduce problems on some architectures.
+    
+    This patch incorporates the access_ok() check into
+    compat_alloc_user_space() and also adds a sanity check on the length.
+    The existing compat_alloc_user_space() implementations are renamed
+    arch_compat_alloc_user_space() and are used as part of the
+    implementation of the new global function.
+    
+    This patch assumes NULL will cause __get_user()/__put_user() to either
+    fail or access userspace on all architectures.  This should be
+    followed by checking the return value of compat_access_user_space()
+    for NULL in the callers, at which time the access_ok() in the callers
+    can also be removed.
+    
+    Reported-by: Ben Hawkes <hawkes at sota.gen.nz>
+    Signed-off-by: H. Peter Anvin <hpa at linux.intel.com>
+    Acked-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
+    Acked-by: Chris Metcalf <cmetcalf at tilera.com>
+    Acked-by: David S. Miller <davem at davemloft.net>
+    Acked-by: Ingo Molnar <mingo at elte.hu>
+    Acked-by: Thomas Gleixner <tglx at linutronix.de>
+    Acked-by: Tony Luck <tony.luck at intel.com>
+    Cc: Andrew Morton <akpm at linux-foundation.org>
+    Cc: Arnd Bergmann <arnd at arndb.de>
+    Cc: Fenghua Yu <fenghua.yu at intel.com>
+    Cc: H. Peter Anvin <hpa at zytor.com>
+    Cc: Heiko Carstens <heiko.carstens at de.ibm.com>
+    Cc: Helge Deller <deller at gmx.de>
+    Cc: James Bottomley <jejb at parisc-linux.org>
+    Cc: Kyle McMartin <kyle at mcmartin.ca>
+    Cc: Martin Schwidefsky <schwidefsky at de.ibm.com>
+    Cc: Paul Mackerras <paulus at samba.org>
+    Cc: Ralf Baechle <ralf at linux-mips.org>
+    Cc: <stable at kernel.org>
+
+diff --git a/include/asm-ia64/compat.h b/include/asm-ia64/compat.h
+index dfcf75b..c8662cd 100644
+--- a/include/asm-ia64/compat.h
++++ b/include/asm-ia64/compat.h
+@@ -198,7 +198,7 @@ ptr_to_compat(void __user *uptr)
+ }
+ 
+ static __inline__ void __user *
+-compat_alloc_user_space (long len)
++arch_compat_alloc_user_space (long len)
+ {
+ 	struct pt_regs *regs = task_pt_regs(current);
+ 	return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len);
+diff --git a/include/asm-mips/compat.h b/include/asm-mips/compat.h
+index 6c5b409..8df5cee 100644
+--- a/include/asm-mips/compat.h
++++ b/include/asm-mips/compat.h
+@@ -145,7 +145,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
+ 	return (u32)(unsigned long)uptr;
+ }
+ 
+-static inline void __user *compat_alloc_user_space(long len)
++static inline void __user *arch_compat_alloc_user_space(long len)
+ {
+ 	struct pt_regs *regs = (struct pt_regs *)
+ 		((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1;
+diff --git a/include/asm-parisc/compat.h b/include/asm-parisc/compat.h
+index 7f32611..7c77fa9 100644
+--- a/include/asm-parisc/compat.h
++++ b/include/asm-parisc/compat.h
+@@ -146,7 +146,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
+ 	return (u32)(unsigned long)uptr;
+ }
+ 
+-static __inline__ void __user *compat_alloc_user_space(long len)
++static __inline__ void __user *arch_compat_alloc_user_space(long len)
+ {
+ 	struct pt_regs *regs = &current->thread.regs;
+ 	return (void __user *)regs->gr[30];
+diff --git a/include/asm-powerpc/compat.h b/include/asm-powerpc/compat.h
+index 4774c2f..8d0fff3 100644
+--- a/include/asm-powerpc/compat.h
++++ b/include/asm-powerpc/compat.h
+@@ -133,7 +133,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
+ 	return (u32)(unsigned long)uptr;
+ }
+ 
+-static inline void __user *compat_alloc_user_space(long len)
++static inline void __user *arch_compat_alloc_user_space(long len)
+ {
+ 	struct pt_regs *regs = current->thread.regs;
+ 	unsigned long usp = regs->gpr[1];
+diff --git a/include/asm-s390/compat.h b/include/asm-s390/compat.h
+index de065b3..307cac1 100644
+--- a/include/asm-s390/compat.h
++++ b/include/asm-s390/compat.h
+@@ -163,7 +163,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
+ 	return (u32)(unsigned long)uptr;
+ }
+ 
+-static inline void __user *compat_alloc_user_space(long len)
++static inline void __user *arch_compat_alloc_user_space(long len)
+ {
+ 	unsigned long stack;
+ 
+diff --git a/include/asm-sparc64/compat.h b/include/asm-sparc64/compat.h
+index 0e70625..612bb38 100644
+--- a/include/asm-sparc64/compat.h
++++ b/include/asm-sparc64/compat.h
+@@ -166,7 +166,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
+ 	return (u32)(unsigned long)uptr;
+ }
+ 
+-static inline void __user *compat_alloc_user_space(long len)
++static inline void __user *arch_compat_alloc_user_space(long len)
+ {
+ 	struct pt_regs *regs = current_thread_info()->kregs;
+ 	unsigned long usp = regs->u_regs[UREG_I6];
+diff --git a/include/asm-x86/compat.h b/include/asm-x86/compat.h
+index 1793ac3..8b1b00e 100644
+--- a/include/asm-x86/compat.h
++++ b/include/asm-x86/compat.h
+@@ -204,7 +204,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr)
+ 	return (u32)(unsigned long)uptr;
+ }
+ 
+-static inline void __user *compat_alloc_user_space(long len)
++static inline void __user *arch_compat_alloc_user_space(long len)
+ {
+ 	struct pt_regs *regs = task_pt_regs(current);
+ 	return (void __user *)regs->sp - len;
+diff --git a/include/linux/compat.h b/include/linux/compat.h
+index 275b9bd..8cb2fcf 100644
+--- a/include/linux/compat.h
++++ b/include/linux/compat.h
+@@ -291,5 +291,7 @@ asmlinkage long compat_sys_newfstatat(unsigned int dfd, char __user * filename,
+ asmlinkage long compat_sys_openat(unsigned int dfd, const char __user *filename,
+ 				  int flags, int mode);
+ 
++extern void __user *compat_alloc_user_space(unsigned long len);
++
+ #endif /* CONFIG_COMPAT */
+ #endif /* _LINUX_COMPAT_H */
+diff --git a/kernel/compat.c b/kernel/compat.c
+index 32c254a..0c56d52 100644
+--- a/kernel/compat.c
++++ b/kernel/compat.c
+@@ -22,6 +22,7 @@
+ #include <linux/security.h>
+ #include <linux/timex.h>
+ #include <linux/migrate.h>
++#include <linux/module.h>
+ #include <linux/posix-timers.h>
+ 
+ #include <asm/uaccess.h>
+@@ -1081,3 +1082,24 @@ compat_sys_sysinfo(struct compat_sysinfo __user *info)
+ 
+ 	return 0;
+ }
++
++/*
++ * Allocate user-space memory for the duration of a single system call,
++ * in order to marshall parameters inside a compat thunk.
++ */
++void __user *compat_alloc_user_space(unsigned long len)
++{
++	void __user *ptr;
++
++	/* If len would occupy more than half of the entire compat space... */
++	if (unlikely(len > (((compat_uptr_t)~0) >> 1)))
++		return NULL;
++
++	ptr = arch_compat_alloc_user_space(len);
++
++	if (unlikely(!access_ok(VERIFY_WRITE, ptr, len)))
++		return NULL;
++
++	return ptr;
++}
++EXPORT_SYMBOL_GPL(compat_alloc_user_space);
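Review bot: The new compat_alloc_user_space() in kernel/compat.c can return NULL, but its header comment does not say so, and the commit message states that callers do not yet check for it. The comment should document the contract, e.g. `Returns NULL if len exceeds half the compat address space or the area fails access_ok(); callers must check before use`, so that converted callers stop depending on a NULL access faulting. The parameter also changes from `long len` in the arch_ helpers to `unsigned long len` in the wrapper. The half-range cap is what makes the implicit conversion back to `long` safe, which is worth one line next to the cap.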

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch)
@@ -0,0 +1,30 @@
+commit a10473c752b8aeb945c7b551560172038ccb4848
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Wed Sep 15 11:43:12 2010 +0000
+
+    drivers/net/cxgb3/cxgb3_main.c: prevent reading uninitialized stack memory
+    
+    Fixed formatting (tabs and line breaks).
+    
+    The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to read
+    4 bytes of uninitialized stack memory, because the "addr" member of the
+    ch_reg struct declared on the stack in cxgb_extension_ioctl() is not
+    altered or zeroed before being copied back to the user.  This patch
+    takes care of it.
+    
+    Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/drivers/net/cxgb3/cxgb3_main.c b/drivers/net/cxgb3/cxgb3_main.c
+index 3a31272..95f913e 100644
+--- a/drivers/net/cxgb3/cxgb3_main.c
++++ b/drivers/net/cxgb3/cxgb3_main.c
+@@ -1890,6 +1890,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ 	case CHELSIO_GET_QSET_NUM:{
+ 		struct ch_reg edata;
+ 
++		memset(&edata, 0, sizeof(struct ch_reg));
++
+ 		edata.cmd = CHELSIO_GET_QSET_NUM;
+ 		edata.val = pi->nqsets;
+ 		if (copy_to_user(useraddr, &edata, sizeof(edata)))
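Review bot: The added `memset` sizes the clear by type name, `sizeof(struct ch_reg)`, while the `copy_to_user` a few lines below sizes the copy by object, `sizeof(edata)`. Writing `memset(&edata, 0, sizeof(edata));` keeps the cleared and copied lengths tied to the same object if the declaration ever changes. The hunk shows only the CHELSIO_GET_QSET_NUM case of cxgb_extension_ioctl(); other cases that copy a stack struct back to user space lie outside it and are worth checking for the same partially initialised pattern.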

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/do_exit-make-sure-that-we-run-with-get_fs-USER_DS.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/do_exit-make-sure-that-we-run-with-get_fs-USER_DS.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/do_exit-make-sure-that-we-run-with-get_fs-USER_DS.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/do_exit-make-sure-that-we-run-with-get_fs-USER_DS.patch)
@@ -0,0 +1,51 @@
+commit dc42e95471410095dd1367660b59d463a082bd9f
+Author: Nelson Elhage <nelhage at ksplice.com>
+Date:   Thu Dec 2 14:31:21 2010 -0800
+
+    do_exit(): make sure that we run with get_fs() == USER_DS
+    
+    If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
+    otherwise reset before do_exit().  do_exit may later (via mm_release in
+    fork.c) do a put_user to a user-controlled address, potentially allowing
+    a user to leverage an oops into a controlled write into kernel memory.
+    
+    This is only triggerable in the presence of another bug, but this
+    potentially turns a lot of DoS bugs into privilege escalations, so it's
+    worth fixing.  I have proof-of-concept code which uses this bug along
+    with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
+    I've tested that this is not theoretical.
+    
+    A more logical place to put this fix might be when we know an oops has
+    occurred, before we call do_exit(), but that would involve changing
+    every architecture, in multiple places.
+    
+    Let's just stick it in do_exit instead.
+    
+    [akpm at linux-foundation.org: update code comment]
+    Signed-off-by: Nelson Elhage <nelhage at ksplice.com>
+    Cc: KOSAKI Motohiro <kosaki.motohiro at jp.fujitsu.com>
+    Cc: <stable at kernel.org>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: Adjusted to apply to Debian's 2.6.26]
+
+diff --git a/kernel/exit.c b/kernel/exit.c
+index b3b6377..ec900a7 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -976,6 +976,15 @@ NORET_TYPE void do_exit(long code)
+ 	if (unlikely(!tsk->pid))
+ 		panic("Attempted to kill the idle task!");
+ 
++	/*
++	 * If do_exit is called because this processes oopsed, it's possible
++	 * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
++	 * continuing. Amongst other possible reasons, this is to prevent
++	 * mm_release()->clear_child_tid() from writing to a user-controlled
++	 * kernel address.
++	 */
++	set_fs(USER_DS);
++
+ 	if (unlikely(current->ptrace & PT_TRACE_EXIT)) {
+ 		current->ptrace_message = code;
+ 		ptrace_notify((PTRACE_EVENT_EXIT << 8) | SIGTRAP);
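Review bot: The new comment above `set_fs(USER_DS)` has a typo ("this processes oopsed") and does not say that the reset is deliberately unconditional. Suggested first sentence: `If do_exit is called because this process oopsed, get_fs() may have been left as KERNEL_DS; reset it unconditionally to USER_DS before continuing.` do_exit() begins and ends outside the hunk, so whether anything earlier in the function already depends on the address limit cannot be checked from here.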

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-add-missing-check-for-CAP_NET_ADMIN.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/econet-add-missing-check-for-CAP_NET_ADMIN.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-add-missing-check-for-CAP_NET_ADMIN.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/econet-add-missing-check-for-CAP_NET_ADMIN.patch)
@@ -0,0 +1,25 @@
+commit 8e8560a6d914929ab059233a6ecdc19e6898f299
+Author: Phil Blundell <philb at gnu.org>
+Date:   Wed Nov 24 11:49:53 2010 -0800
+
+    econet: fix CVE-2010-3850
+    
+    Add missing check for capable(CAP_NET_ADMIN) in SIOCSIFADDR operation.
+    
+    Signed-off-by: Phil Blundell <philb at gnu.org>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
+index e622331..1d96608 100644
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -663,6 +663,9 @@ static int ec_dev_ioctl(struct socket *sock, unsigned int cmd, void __user *arg)
+ 	err = 0;
+ 	switch (cmd) {
+ 	case SIOCSIFADDR:
++		if (!capable(CAP_NET_ADMIN))
++			return -EPERM;
++
+ 		edev = dev->ec_ptr;
+ 		if (edev == NULL) {
+ 			/* Magic up a new one. */
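Review bot: The new `return -EPERM;` leaves ec_dev_ioctl() from inside the switch, bypassing whatever common exit the function has. The `err = 0;` just before the switch suggests the other paths set `err` and fall through to a shared tail. If that tail releases a lock or a device reference taken earlier (the start and end of the function are outside the hunk), an unprivileged caller could leave them held on every rejected SIOCSIFADDR. Following the existing pattern avoids that: `if (!capable(CAP_NET_ADMIN)) { err = -EPERM; break; }`.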

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-coalesced-iovec.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/econet-coalesced-iovec.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-coalesced-iovec.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/econet-coalesced-iovec.patch)
@@ -0,0 +1,150 @@
+commit 30c2fd5716be0792008fb599b077894455664df5
+Author: Phil Blundell <philb at gnu.org>
+Date:   Wed Nov 24 11:51:47 2010 -0800
+
+    econet: fix CVE-2010-3848
+    
+    [Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    Don't declare variable sized array of iovecs on the stack since this
+    could cause stack overflow if msg->msgiovlen is large.  Instead, coalesce
+    the user-supplied data into a new buffer and use a single iovec for it.
+    
+    Signed-off-by: Phil Blundell <philb at gnu.org>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
+index 1d96608..a101190 100644
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -30,6 +30,7 @@
+ #include <linux/wireless.h>
+ #include <linux/skbuff.h>
+ #include <linux/udp.h>
++#include <linux/vmalloc.h>
+ #include <net/sock.h>
+ #include <net/inet_common.h>
+ #include <linux/stat.h>
+@@ -275,12 +276,12 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+ #endif
+ #ifdef CONFIG_ECONET_AUNUDP
+ 	struct msghdr udpmsg;
+-	struct iovec iov[msg->msg_iovlen+1];
++	struct iovec iov[2];
+ 	struct aunhdr ah;
+ 	struct sockaddr_in udpdest;
+ 	__kernel_size_t size;
+-	int i;
+ 	mm_segment_t oldfs;
++	char *userbuf;
+ #endif
+ 
+ 	/*
+@@ -318,17 +319,17 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+ 		}
+ 	}
+ 
+-	if (len + 15 > dev->mtu) {
+-		mutex_unlock(&econet_mutex);
+-		return -EMSGSIZE;
+-	}
+-
+ 	if (dev->type == ARPHRD_ECONET) {
+ 		/* Real hardware Econet.  We're not worthy etc. */
+ #ifdef CONFIG_ECONET_NATIVE
+ 		unsigned short proto = 0;
+ 		int res;
+ 
++		if (len + 15 > dev->mtu) {
++			mutex_unlock(&econet_mutex);
++			return -EMSGSIZE;
++		}
++
+ 		dev_hold(dev);
+ 
+ 		skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
+@@ -404,6 +405,11 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+ 		return -ENETDOWN;		/* No socket - can't send */
+ 	}
+ 
++	if (len > 32768) {
++		err = -E2BIG;
++		goto error;
++	}
++
+ 	/* Make up a UDP datagram and hand it off to some higher intellect. */
+ 
+ 	memset(&udpdest, 0, sizeof(udpdest));
+@@ -435,36 +441,26 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+ 
+ 	/* tack our header on the front of the iovec */
+ 	size = sizeof(struct aunhdr);
+-	/*
+-	 * XXX: that is b0rken.  We can't mix userland and kernel pointers
+-	 * in iovec, since on a lot of platforms copy_from_user() will
+-	 * *not* work with the kernel and userland ones at the same time,
+-	 * regardless of what we do with set_fs().  And we are talking about
+-	 * econet-over-ethernet here, so "it's only ARM anyway" doesn't
+-	 * apply.  Any suggestions on fixing that code?		-- AV
+-	 */
+ 	iov[0].iov_base = (void *)&ah;
+ 	iov[0].iov_len = size;
+-	for (i = 0; i < msg->msg_iovlen; i++) {
+-		void __user *base = msg->msg_iov[i].iov_base;
+-		size_t iov_len = msg->msg_iov[i].iov_len;
+-		/* Check it now since we switch to KERNEL_DS later. */
+-		if (!access_ok(VERIFY_READ, base, iov_len)) {
+-			mutex_unlock(&econet_mutex);
+-			return -EFAULT;
+-		}
+-		iov[i+1].iov_base = base;
+-		iov[i+1].iov_len = iov_len;
+-		size += iov_len;
++
++	userbuf = vmalloc(len);
++	if (userbuf == NULL) {
++		err = -ENOMEM;
++		goto error;
+ 	}
+ 
++	iov[1].iov_base = userbuf;
++	iov[1].iov_len = len;
++	err = memcpy_fromiovec(userbuf, msg->msg_iov, len);
++	if (err)
++		goto error_free_buf;
++
+ 	/* Get a skbuff (no data, just holds our cb information) */
+ 	if ((skb = sock_alloc_send_skb(sk, 0,
+ 				       msg->msg_flags & MSG_DONTWAIT,
+-				       &err)) == NULL) {
+-		mutex_unlock(&econet_mutex);
+-		return err;
+-	}
++				       &err)) == NULL)
++		goto error_free_buf;
+ 
+ 	eb = (struct ec_cb *)&skb->cb;
+ 
+@@ -480,7 +476,7 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+ 	udpmsg.msg_name = (void *)&udpdest;
+ 	udpmsg.msg_namelen = sizeof(udpdest);
+ 	udpmsg.msg_iov = &iov[0];
+-	udpmsg.msg_iovlen = msg->msg_iovlen + 1;
++	udpmsg.msg_iovlen = 2;
+ 	udpmsg.msg_control = NULL;
+ 	udpmsg.msg_controllen = 0;
+ 	udpmsg.msg_flags=0;
+@@ -488,9 +484,13 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+ 	oldfs = get_fs(); set_fs(KERNEL_DS);	/* More privs :-) */
+ 	err = sock_sendmsg(udpsock, &udpmsg, size);
+ 	set_fs(oldfs);
++
++error_free_buf:
++	vfree(userbuf);
+ #else
+ 	err = -EPROTOTYPE;
+ #endif
++	error:
+ 	mutex_unlock(&econet_mutex);
+ 
+ 	return err;
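Review bot: `size` no longer includes the payload length. The removed loop was the only visible place that did `size += iov_len`, so `sock_sendmsg(udpsock, &udpmsg, size)` in the last hunk now appears to be called with `sizeof(struct aunhdr)` only, although `iov[1]` carries `len` bytes. Unless `size` is adjusted in lines outside these hunks, add `size += len;` after `iov[1].iov_len = len;`. Separately, `vmalloc(len)` is expected to return NULL for `len == 0`, which would turn a zero-length send into -ENOMEM; a guard or a comment saying that empty datagrams are rejected would make that intentional. The `error:` label is also indented with a tab, unlike `error_free_buf:` above it.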

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-disallow-NULL-remote-addr-for-sendmsg.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/econet-disallow-NULL-remote-addr-for-sendmsg.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-disallow-NULL-remote-addr-for-sendmsg.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/econet-disallow-NULL-remote-addr-for-sendmsg.patch)
@@ -0,0 +1,56 @@
+commit 698c3311c8a79606b12661867e6fa97c171cb495
+Author: Phil Blundell <philb at gnu.org>
+Date:   Wed Nov 24 11:49:19 2010 -0800
+
+    econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849
+    
+    Later parts of econet_sendmsg() rely on saddr != NULL, so return early
+    with EINVAL if NULL was passed otherwise an oops may occur.
+    
+    Signed-off-by: Phil Blundell <philb at gnu.org>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
+index 4b11a36..e622331 100644
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -296,23 +296,14 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+ 
+ 	mutex_lock(&econet_mutex);
+ 
+-	if (saddr == NULL) {
+-		struct econet_sock *eo = ec_sk(sk);
+-
+-		addr.station = eo->station;
+-		addr.net     = eo->net;
+-		port	     = eo->port;
+-		cb	     = eo->cb;
+-	} else {
+-		if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
+-			mutex_unlock(&econet_mutex);
+-			return -EINVAL;
+-		}
+-		addr.station = saddr->addr.station;
+-		addr.net = saddr->addr.net;
+-		port = saddr->port;
+-		cb = saddr->cb;
+-	}
++        if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) {
++                mutex_unlock(&econet_mutex);
++                return -EINVAL;
++        }
++        addr.station = saddr->addr.station;
++        addr.net = saddr->addr.net;
++        port = saddr->port;
++        cb = saddr->cb;
+ 
+ 	/* Look for a device with the right network number. */
+ 	dev = net2dev_map[addr.net];
+@@ -350,7 +341,6 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+ 
+ 		eb = (struct ec_cb *)&skb->cb;
+ 
+-		/* BUG: saddr may be NULL */
+ 		eb->cookie = saddr->cookie;
+ 		eb->sec = *saddr;
+ 		eb->sent = ec_tx_done;
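Review bot: The eight added lines in the first hunk are indented with spaces, while the surrounding context in econet_sendmsg() uses tabs; they should be re-indented with one tab per level to match the file. The second hunk removes the `/* BUG: saddr may be NULL */` marker, which leaves nothing at the new check to say why a NULL address is refused. A comment above the `if` would keep that link, for example `/* saddr is dereferenced further down (eb->cookie, eb->sec); a destination address is mandatory */`. The function body continues outside both hunks.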

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-fix-crash-in-aun_incoming.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/econet-fix-crash-in-aun_incoming.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-fix-crash-in-aun_incoming.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/econet-fix-crash-in-aun_incoming.patch)
@@ -0,0 +1,36 @@
+commit 993a857ec1b32e3cd917020231e46bc502226960
+Author: David S. Miller <davem at davemloft.net>
+Date:   Wed Dec 8 18:42:23 2010 -0800
+
+    econet: Fix crash in aun_incoming().
+    
+    Unconditional use of skb->dev won't work here,
+    try to fetch the econet device via skb_dst()->dev
+    instead.
+    
+    Suggested by Eric Dumazet.
+    
+    Reported-by: Nelson Elhage <nelhage at ksplice.com>
+    Tested-by: Nelson Elhage <nelhage at ksplice.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    [dannf: adjusted to apply to Debian's 2.6.26]
+
+diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
+index 70a161f..745e4c6 100644
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -847,9 +847,13 @@ static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len)
+ {
+ 	struct iphdr *ip = ip_hdr(skb);
+ 	unsigned char stn = ntohl(ip->saddr) & 0xff;
++	struct dst_entry *dst = skb->dst;
++	struct ec_device *edev = NULL;
+ 	struct sock *sk;
+ 	struct sk_buff *newskb;
+-	struct ec_device *edev = skb->dev->ec_ptr;
++
++	if (dst)
++		edev = dst->dev->ec_ptr;
+ 
+ 	if (! edev)
+ 		goto bad;
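Review bot: The reason for switching from `skb->dev` to the route's device is given only in the commit message. A comment above `if (dst)` would keep it with the code, for example `/* skb->dev cannot be relied on here; take the econet device from the dst entry */`. The new code also dereferences `dst->dev` without a check; if a dst entry can reach aun_incoming() with no device attached (not determinable from this hunk), `if (dst && dst->dev)` would be the safer form. The function continues past the end of the hunk.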

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-fix-redeclaration-of-symbol-len.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/econet-fix-redeclaration-of-symbol-len.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-fix-redeclaration-of-symbol-len.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/econet-fix-redeclaration-of-symbol-len.patch)
@@ -0,0 +1,36 @@
+commit d7d6869fcc572ee794123407dce7f1b16e3c917f
+Author: Hagen Paul Pfeifer <hagen at jauu.net>
+Date:   Wed Oct 7 14:43:04 2009 -0700
+
+    econet: Fix redeclaration of symbol len
+    
+    Function argument len was redeclarated within the
+    function. This patch fix the redeclaration of symbol 'len'.
+    
+    Signed-off-by: Hagen Paul Pfeifer <hagen at jauu.net>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
+index 9972814..4b11a36 100644
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -457,15 +457,15 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+ 	iov[0].iov_len = size;
+ 	for (i = 0; i < msg->msg_iovlen; i++) {
+ 		void __user *base = msg->msg_iov[i].iov_base;
+-		size_t len = msg->msg_iov[i].iov_len;
++		size_t iov_len = msg->msg_iov[i].iov_len;
+ 		/* Check it now since we switch to KERNEL_DS later. */
+-		if (!access_ok(VERIFY_READ, base, len)) {
++		if (!access_ok(VERIFY_READ, base, iov_len)) {
+ 			mutex_unlock(&econet_mutex);
+ 			return -EFAULT;
+ 		}
+ 		iov[i+1].iov_base = base;
+-		iov[i+1].iov_len = len;
+-		size += len;
++		iov[i+1].iov_len = iov_len;
++		size += iov_len;
+ 	}
+ 
+ 	/* Get a skbuff (no data, just holds our cb information) */

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/ecryptfs-bugfix-for-error-related-to-ecryptfs_hash_buckets.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/ecryptfs-bugfix-for-error-related-to-ecryptfs_hash_buckets.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/ecryptfs-bugfix-for-error-related-to-ecryptfs_hash_buckets.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/ecryptfs-bugfix-for-error-related-to-ecryptfs_hash_buckets.patch)
@@ -0,0 +1,69 @@
+commit 9eaef901260e63dd2a80fcca8f0a7fd18364f6a3
+Author: Andre Osterhues <aosterhues at escrypt.com>
+Date:   Tue Jul 13 15:59:17 2010 -0500
+
+    ecryptfs: Bugfix for error related to ecryptfs_hash_buckets
+    
+    The function ecryptfs_uid_hash wrongly assumes that the
+    second parameter to hash_long() is the number of hash
+    buckets instead of the number of hash bits.
+    This patch fixes that and renames the variable
+    ecryptfs_hash_buckets to ecryptfs_hash_bits to make it
+    clearer.
+    
+    Fixes: CVE-2010-2492
+    
+    Signed-off-by: Andre Osterhues <aosterhues at escrypt.com>
+    Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/ecryptfs/messaging.c b/fs/ecryptfs/messaging.c
+index 1b5c200..517bd46 100644
+--- a/fs/ecryptfs/messaging.c
++++ b/fs/ecryptfs/messaging.c
+@@ -30,9 +30,9 @@ static struct mutex ecryptfs_msg_ctx_lists_mux;
+ 
+ static struct hlist_head *ecryptfs_daemon_hash;
+ struct mutex ecryptfs_daemon_hash_mux;
+-static int ecryptfs_hash_buckets;
++static int ecryptfs_hash_bits;
+ #define ecryptfs_uid_hash(uid) \
+-        hash_long((unsigned long)uid, ecryptfs_hash_buckets)
++        hash_long((unsigned long)uid, ecryptfs_hash_bits)
+ 
+ static u32 ecryptfs_msg_counter;
+ static struct ecryptfs_msg_ctx *ecryptfs_msg_ctx_arr;
+@@ -599,18 +599,19 @@ int ecryptfs_init_messaging(unsigned int transport)
+ 	}
+ 	mutex_init(&ecryptfs_daemon_hash_mux);
+ 	mutex_lock(&ecryptfs_daemon_hash_mux);
+-	ecryptfs_hash_buckets = 1;
+-	while (ecryptfs_number_of_users >> ecryptfs_hash_buckets)
+-		ecryptfs_hash_buckets++;
++	ecryptfs_hash_bits = 1;
++	while (ecryptfs_number_of_users >> ecryptfs_hash_bits)
++		ecryptfs_hash_bits++;
+ 	ecryptfs_daemon_hash = kmalloc((sizeof(struct hlist_head)
+-					* ecryptfs_hash_buckets), GFP_KERNEL);
++					* (1 << ecryptfs_hash_bits)),
++				       GFP_KERNEL);
+ 	if (!ecryptfs_daemon_hash) {
+ 		rc = -ENOMEM;
+ 		printk(KERN_ERR "%s: Failed to allocate memory\n", __func__);
+ 		mutex_unlock(&ecryptfs_daemon_hash_mux);
+ 		goto out;
+ 	}
+-	for (i = 0; i < ecryptfs_hash_buckets; i++)
++	for (i = 0; i < (1 << ecryptfs_hash_bits); i++)
+ 		INIT_HLIST_HEAD(&ecryptfs_daemon_hash[i]);
+ 	mutex_unlock(&ecryptfs_daemon_hash_mux);
+ 	ecryptfs_msg_ctx_arr = kmalloc((sizeof(struct ecryptfs_msg_ctx)
+@@ -680,7 +681,7 @@ void ecryptfs_release_messaging(unsigned int transport)
+ 		int i;
+ 
+ 		mutex_lock(&ecryptfs_daemon_hash_mux);
+-		for (i = 0; i < ecryptfs_hash_buckets; i++) {
++		for (i = 0; i < (1 << ecryptfs_hash_bits); i++) {
+ 			int rc;
+ 
+ 			hlist_for_each_entry(daemon, elem,
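Review bot: The bucket count `1 << ecryptfs_hash_bits` is now spelled out in three places (the kmalloc size, the init loop and the release loop) as a signed int shift, and the allocation multiplies it by `sizeof(struct hlist_head)` with no overflow check. `ecryptfs_hash_bits` grows with `ecryptfs_number_of_users`, whose type and upper bound are not visible in these hunks. If that value can be large, both the shift and the product can overflow and undersize the table. A single helper such as `#define ECRYPTFS_HASH_BUCKETS (1U << ecryptfs_hash_bits)`, plus an explicit cap on the bit count before the allocation, would keep the three sites in agreement.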

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-copy-and-paste-the-fixes-into-compat_do_execve-paths.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/exec-copy-and-paste-the-fixes-into-compat_do_execve-paths.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-copy-and-paste-the-fixes-into-compat_do_execve-paths.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/exec-copy-and-paste-the-fixes-into-compat_do_execve-paths.patch)
@@ -0,0 +1,148 @@
+commit 56b0121a596775ab05388211fcfeafc3b7c77ae3
+Author: dann frazier <dann.frazier at canonical.com>
+Date:   Wed Jan 12 22:28:23 2011 -0700
+
+    From 114279be2120a916e8a04feeb2ac976a10016f2f Mon Sep 17 00:00:00 2001
+    From: Oleg Nesterov <oleg at redhat.com>
+    Date: Tue, 30 Nov 2010 20:56:02 +0100
+    Subject: exec: copy-and-paste the fixes into compat_do_execve() paths
+    
+    From: Oleg Nesterov <oleg at redhat.com>
+    
+    commit 114279be2120a916e8a04feeb2ac976a10016f2f upstream.
+    
+    Note: this patch targets 2.6.37 and tries to be as simple as possible.
+    That is why it adds more copy-and-paste horror into fs/compat.c and
+    uglifies fs/exec.c, this will be cleanuped later.
+    
+    compat_copy_strings() plays with bprm->vma/mm directly and thus has
+    two problems: it lacks the RLIMIT_STACK check and argv/envp memory
+    is not visible to oom killer.
+    
+    Export acct_arg_size() and get_arg_page(), change compat_copy_strings()
+    to use get_arg_page(), change compat_do_execve() to do acct_arg_size(0)
+    as do_execve() does.
+    
+    Add the fatal_signal_pending/cond_resched checks into compat_count() and
+    compat_copy_strings(), this matches the code in fs/exec.c and certainly
+    makes sense.
+    
+    Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+    Cc: KOSAKI Motohiro <kosaki.motohiro at jp.fujitsu.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+    Signed-off-by: Andi Kleen <ak at linux.intel.com>
+    [dannf: Backported to Debian's 2.6.26]
+
+diff --git a/fs/compat.c b/fs/compat.c
+index b9efeb1..ed8008c 100644
+--- a/fs/compat.c
++++ b/fs/compat.c
+@@ -1237,6 +1237,10 @@ static int compat_count(compat_uptr_t __user *argv, int max)
+ 			argv++;
+ 			if(++i > max)
+ 				return -E2BIG;
++
++			if (fatal_signal_pending(current))
++				return -ERESTARTNOHAND;
++			cond_resched();
+ 		}
+ 	}
+ 	return i;
+@@ -1278,6 +1282,12 @@ static int compat_copy_strings(int argc, compat_uptr_t __user *argv,
+ 		while (len > 0) {
+ 			int offset, bytes_to_copy;
+ 
++			if (fatal_signal_pending(current)) {
++				ret = -ERESTARTNOHAND;
++				goto out;
++			}
++			cond_resched();
++
+ 			offset = pos % PAGE_SIZE;
+ 			if (offset == 0)
+ 				offset = PAGE_SIZE;
+@@ -1294,18 +1304,8 @@ static int compat_copy_strings(int argc, compat_uptr_t __user *argv,
+ 			if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
+ 				struct page *page;
+ 
+-#ifdef CONFIG_STACK_GROWSUP
+-				ret = expand_stack_downwards(bprm->vma, pos);
+-				if (ret < 0) {
+-					/* We've exceed the stack rlimit. */
+-					ret = -E2BIG;
+-					goto out;
+-				}
+-#endif
+-				ret = get_user_pages(current, bprm->mm, pos,
+-						     1, 1, 1, &page, NULL);
+-				if (ret <= 0) {
+-					/* We've exceed the stack rlimit. */
++				page = get_arg_page(bprm, pos, 1);
++				if (!page) {
+ 					ret = -E2BIG;
+ 					goto out;
+ 				}
+@@ -1414,8 +1414,10 @@ out:
+ 		security_bprm_free(bprm);
+ 
+ out_mm:
+-	if (bprm->mm)
++	if (bprm->mm) {
++		acct_arg_size(bprm, 0);
+ 		mmput(bprm->mm);
++	}
+ 
+ out_file:
+ 	if (bprm->file) {
+diff --git a/fs/exec.c b/fs/exec.c
+index 6ff42ad..ab1bada 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -159,7 +159,7 @@ exit:
+ 
+ #ifdef CONFIG_MMU
+ 
+-static void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
++void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
+ {
+ 	struct mm_struct *mm = current->mm;
+ 	long diff = (long)(pages - bprm->vma_pages);
+@@ -174,7 +174,7 @@ static void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
+ 	up_write(&mm->mmap_sem);
+ }
+ 
+-static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
++struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+ 		int write)
+ {
+ 	struct page *page;
+@@ -294,11 +294,11 @@ static bool valid_arg_len(struct linux_binprm *bprm, long len)
+ 
+ #else
+ 
+-static inline void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
++void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
+ {
+ }
+ 
+-static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
++struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+ 		int write)
+ {
+ 	struct page *page;
+diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
+index e700d00..b7b836e 100644
+--- a/include/linux/binfmts.h
++++ b/include/linux/binfmts.h
+@@ -52,6 +52,10 @@ struct linux_binprm{
+ 	unsigned long loader, exec;
+ };
+ 
++extern void acct_arg_size(struct linux_binprm *bprm, unsigned long pages);
++extern struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
++					int write);
++
+ #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
+ #define BINPRM_FLAGS_ENFORCE_NONDUMP (1 << BINPRM_FLAGS_ENFORCE_NONDUMP_BIT)
+ 
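Review bot: `acct_arg_size()` and `get_arg_page()` lose `static` in fs/exec.c and gain `extern` declarations in include/linux/binfmts.h with no comment on who may call them or what the caller must do afterwards. A short comment above the declarations would limit accidental reuse, for example `/* fs/exec.c helpers shared with fs/compat.c; callers must undo the accounting with acct_arg_size(bprm, 0) on exit */`. In compat_copy_strings() the removed code carried the comment "We've exceed the stack rlimit", so after this change the site no longer says why a NULL from `get_arg_page()` maps to -E2BIG; a one-line comment there would restore that.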

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-make-argv-envp-memory-visible-to-oom-killer.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/exec-make-argv-envp-memory-visible-to-oom-killer.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-make-argv-envp-memory-visible-to-oom-killer.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/exec-make-argv-envp-memory-visible-to-oom-killer.patch)
@@ -0,0 +1,121 @@
+commit 91a54ac90fc513b39118a67b0114f83e878a5ca2
+Author: dann frazier <dann.frazier at canonical.com>
+Date:   Wed Jan 12 22:23:19 2011 -0700
+
+    From Oleg Nesterov <oleg at redhat.com>
+    Subject: [PATCH 2.6.35] exec: make argv/envp memory visible to oom-killer
+    
+    From: Oleg Nesterov <oleg at redhat.com>
+    
+    commit 3c77f845722158206a7209c45ccddc264d19319c upstream.
+    
+    Brad Spengler published a local memory-allocation DoS that
+    evades the OOM-killer (though not the virtual memory RLIMIT):
+    http://www.grsecurity.net/~spender/64bit_dos.c
+    
+    execve()->copy_strings() can allocate a lot of memory, but
+    this is not visible to oom-killer, nobody can see the nascent
+    bprm->mm and take it into account.
+    
+    With this patch get_arg_page() increments current's MM_ANONPAGES
+    counter every time we allocate the new page for argv/envp. When
+    do_execve() succeds or fails, we change this counter back.
+    
+    Technically this is not 100% correct, we can't know if the new
+    page is swapped out and turn MM_ANONPAGES into MM_SWAPENTS, but
+    I don't think this really matters and everything becomes correct
+    once exec changes ->mm or fails.
+    
+    Compared to upstream:
+    
+    	before 2.6.36 kernel, oom-killer's badness() takes
+    	mm->total_vm into account and nothing else. So
+    	acct_arg_size() has to play with this counter too.
+    
+    Reported-by: Brad Spengler <spender at grsecurity.net>
+    Signed-off-by: Andi Kleen <ak at linux.intel.com>
+    Reviewed-and-discussed-by: KOSAKI Motohiro <kosaki.motohiro at jp.fujitsu.com>
+    Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+    [dannf: Backported to Debian's 2.6.26]
+
+diff --git a/fs/exec.c b/fs/exec.c
+index d490980..6ff42ad 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -159,6 +159,21 @@ exit:
+ 
+ #ifdef CONFIG_MMU
+ 
++static void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
++{
++	struct mm_struct *mm = current->mm;
++	long diff = (long)(pages - bprm->vma_pages);
++
++	if (!mm || !diff)
++		return;
++
++	bprm->vma_pages = pages;
++
++	down_write(&mm->mmap_sem);
++	mm->total_vm += diff;
++	up_write(&mm->mmap_sem);
++}
++
+ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+ 		int write)
+ {
+@@ -181,6 +196,8 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+ 		unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start;
+ 		struct rlimit *rlim;
+ 
++		acct_arg_size(bprm, size / PAGE_SIZE);
++
+ 		/*
+ 		 * We've historically supported up to 32 pages (ARG_MAX)
+ 		 * of argument strings even with small stacks
+@@ -277,6 +294,10 @@ static bool valid_arg_len(struct linux_binprm *bprm, long len)
+ 
+ #else
+ 
++static inline void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
++{
++}
++
+ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+ 		int write)
+ {
+@@ -967,6 +988,7 @@ int flush_old_exec(struct linux_binprm * bprm)
+ 	/*
+ 	 * Release all of the old mmap stuff
+ 	 */
++	acct_arg_size(bprm, 0);
+ 	retval = exec_mmap(bprm->mm);
+ 	if (retval)
+ 		goto out;
+@@ -1356,8 +1378,10 @@ out:
+ 		security_bprm_free(bprm);
+ 
+ out_mm:
+-	if (bprm->mm)
+-		mmput (bprm->mm);
++	if (bprm->mm) {
++		acct_arg_size(bprm, 0);
++		mmput(bprm->mm);
++	}
+ 
+ out_file:
+ 	if (bprm->file) {
+diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
+index 6076864..e700d00 100644
+--- a/include/linux/binfmts.h
++++ b/include/linux/binfmts.h
+@@ -28,6 +28,7 @@ struct linux_binprm{
+ 	char buf[BINPRM_BUF_SIZE];
+ #ifdef CONFIG_MMU
+ 	struct vm_area_struct *vma;
++	unsigned long vma_pages;
+ #else
+ # define MAX_ARG_PAGES	32
+ 	struct page *page[MAX_ARG_PAGES];
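Review bot: `acct_arg_size()` is added without a comment, and its contract is not obvious from the body. It adds the difference between `pages` and `bprm->vma_pages` to `current->mm->total_vm`, so the accounting is only right if `vma_pages` starts at zero and every exit path calls `acct_arg_size(bprm, 0)`. A header comment stating that would help, for example `/* Charge the argv/envp pages of the nascent bprm->mm to current->mm so the OOM killer can see them; undo with acct_arg_size(bprm, 0). */`. Where `struct linux_binprm` is allocated lies outside these hunks, so confirm that the new `vma_pages` field is zero-initialised there.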

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch)
@@ -0,0 +1,232 @@
+commit 11e32a1db45790296123d8b5cbd8f98665c982da
+Author: David S. Miller <davem at davemloft.net>
+Date:   Wed Nov 10 10:38:24 2010 -0800
+
+    filter: make sure filters dont read uninitialized memory
+    
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    There is a possibility malicious users can get limited information about
+    uninitialized stack mem array. Even if sk_run_filter() result is bound
+    to packet length (0 .. 65535), we could imagine this can be used by
+    hostile user.
+    
+    Initializing mem[] array, like Dan Rosenberg suggested in his patch is
+    expensive since most filters dont even use this array.
+    
+    Its hard to make the filter validation in sk_chk_filter(), because of
+    the jumps. This might be done later.
+    
+    In this patch, I use a bitmap (a single long var) so that only filters
+    using mem[] loads/stores pay the price of added security checks.
+    
+    For other filters, additional cost is a single instruction.
+    
+    [ Since we access fentry->k a lot now, cache it in a local variable
+      and mark filter entry pointer as const. -DaveM ]
+    
+    Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index df37443..506a7d1 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -111,39 +111,41 @@ EXPORT_SYMBOL(sk_filter);
+  */
+ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int flen)
+ {
+-	struct sock_filter *fentry;	/* We walk down these */
+ 	void *ptr;
+ 	u32 A = 0;			/* Accumulator */
+ 	u32 X = 0;			/* Index Register */
+ 	u32 mem[BPF_MEMWORDS];		/* Scratch Memory Store */
++	unsigned long memvalid = 0;
+ 	u32 tmp;
+ 	int k;
+ 	int pc;
+ 
++	BUILD_BUG_ON(BPF_MEMWORDS > BITS_PER_LONG);
+ 	/*
+ 	 * Process array of filter instructions.
+ 	 */
+ 	for (pc = 0; pc < flen; pc++) {
+-		fentry = &filter[pc];
++		const struct sock_filter *fentry = &filter[pc];
++		u32 f_k = fentry->k;
+ 
+ 		switch (fentry->code) {
+ 		case BPF_ALU|BPF_ADD|BPF_X:
+ 			A += X;
+ 			continue;
+ 		case BPF_ALU|BPF_ADD|BPF_K:
+-			A += fentry->k;
++			A += f_k;
+ 			continue;
+ 		case BPF_ALU|BPF_SUB|BPF_X:
+ 			A -= X;
+ 			continue;
+ 		case BPF_ALU|BPF_SUB|BPF_K:
+-			A -= fentry->k;
++			A -= f_k;
+ 			continue;
+ 		case BPF_ALU|BPF_MUL|BPF_X:
+ 			A *= X;
+ 			continue;
+ 		case BPF_ALU|BPF_MUL|BPF_K:
+-			A *= fentry->k;
++			A *= f_k;
+ 			continue;
+ 		case BPF_ALU|BPF_DIV|BPF_X:
+ 			if (X == 0)
+@@ -151,49 +153,49 @@ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int
+ 			A /= X;
+ 			continue;
+ 		case BPF_ALU|BPF_DIV|BPF_K:
+-			A /= fentry->k;
++			A /= f_k;
+ 			continue;
+ 		case BPF_ALU|BPF_AND|BPF_X:
+ 			A &= X;
+ 			continue;
+ 		case BPF_ALU|BPF_AND|BPF_K:
+-			A &= fentry->k;
++			A &= f_k;
+ 			continue;
+ 		case BPF_ALU|BPF_OR|BPF_X:
+ 			A |= X;
+ 			continue;
+ 		case BPF_ALU|BPF_OR|BPF_K:
+-			A |= fentry->k;
++			A |= f_k;
+ 			continue;
+ 		case BPF_ALU|BPF_LSH|BPF_X:
+ 			A <<= X;
+ 			continue;
+ 		case BPF_ALU|BPF_LSH|BPF_K:
+-			A <<= fentry->k;
++			A <<= f_k;
+ 			continue;
+ 		case BPF_ALU|BPF_RSH|BPF_X:
+ 			A >>= X;
+ 			continue;
+ 		case BPF_ALU|BPF_RSH|BPF_K:
+-			A >>= fentry->k;
++			A >>= f_k;
+ 			continue;
+ 		case BPF_ALU|BPF_NEG:
+ 			A = -A;
+ 			continue;
+ 		case BPF_JMP|BPF_JA:
+-			pc += fentry->k;
++			pc += f_k;
+ 			continue;
+ 		case BPF_JMP|BPF_JGT|BPF_K:
+-			pc += (A > fentry->k) ? fentry->jt : fentry->jf;
++			pc += (A > f_k) ? fentry->jt : fentry->jf;
+ 			continue;
+ 		case BPF_JMP|BPF_JGE|BPF_K:
+-			pc += (A >= fentry->k) ? fentry->jt : fentry->jf;
++			pc += (A >= f_k) ? fentry->jt : fentry->jf;
+ 			continue;
+ 		case BPF_JMP|BPF_JEQ|BPF_K:
+-			pc += (A == fentry->k) ? fentry->jt : fentry->jf;
++			pc += (A == f_k) ? fentry->jt : fentry->jf;
+ 			continue;
+ 		case BPF_JMP|BPF_JSET|BPF_K:
+-			pc += (A & fentry->k) ? fentry->jt : fentry->jf;
++			pc += (A & f_k) ? fentry->jt : fentry->jf;
+ 			continue;
+ 		case BPF_JMP|BPF_JGT|BPF_X:
+ 			pc += (A > X) ? fentry->jt : fentry->jf;
+@@ -208,7 +210,7 @@ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int
+ 			pc += (A & X) ? fentry->jt : fentry->jf;
+ 			continue;
+ 		case BPF_LD|BPF_W|BPF_ABS:
+-			k = fentry->k;
++			k = f_k;
+ load_w:
+ 			ptr = load_pointer(skb, k, 4, &tmp);
+ 			if (ptr != NULL) {
+@@ -217,7 +219,7 @@ load_w:
+ 			}
+ 			break;
+ 		case BPF_LD|BPF_H|BPF_ABS:
+-			k = fentry->k;
++			k = f_k;
+ load_h:
+ 			ptr = load_pointer(skb, k, 2, &tmp);
+ 			if (ptr != NULL) {
+@@ -226,7 +228,7 @@ load_h:
+ 			}
+ 			break;
+ 		case BPF_LD|BPF_B|BPF_ABS:
+-			k = fentry->k;
++			k = f_k;
+ load_b:
+ 			ptr = load_pointer(skb, k, 1, &tmp);
+ 			if (ptr != NULL) {
+@@ -241,32 +243,34 @@ load_b:
+ 			X = skb->len;
+ 			continue;
+ 		case BPF_LD|BPF_W|BPF_IND:
+-			k = X + fentry->k;
++			k = X + f_k;
+ 			goto load_w;
+ 		case BPF_LD|BPF_H|BPF_IND:
+-			k = X + fentry->k;
++			k = X + f_k;
+ 			goto load_h;
+ 		case BPF_LD|BPF_B|BPF_IND:
+-			k = X + fentry->k;
++			k = X + f_k;
+ 			goto load_b;
+ 		case BPF_LDX|BPF_B|BPF_MSH:
+-			ptr = load_pointer(skb, fentry->k, 1, &tmp);
++			ptr = load_pointer(skb, f_k, 1, &tmp);
+ 			if (ptr != NULL) {
+ 				X = (*(u8 *)ptr & 0xf) << 2;
+ 				continue;
+ 			}
+ 			return 0;
+ 		case BPF_LD|BPF_IMM:
+-			A = fentry->k;
++			A = f_k;
+ 			continue;
+ 		case BPF_LDX|BPF_IMM:
+-			X = fentry->k;
++			X = f_k;
+ 			continue;
+ 		case BPF_LD|BPF_MEM:
+-			A = mem[fentry->k];
++			A = (memvalid & (1UL << f_k)) ?
++				mem[f_k] : 0;
+ 			continue;
+ 		case BPF_LDX|BPF_MEM:
+-			X = mem[fentry->k];
++			X = (memvalid & (1UL << f_k)) ?
++				mem[f_k] : 0;
+ 			continue;
+ 		case BPF_MISC|BPF_TAX:
+ 			X = A;
+@@ -275,14 +279,16 @@ load_b:
+ 			A = X;
+ 			continue;
+ 		case BPF_RET|BPF_K:
+-			return fentry->k;
++			return f_k;
+ 		case BPF_RET|BPF_A:
+ 			return A;
+ 		case BPF_ST:
+-			mem[fentry->k] = A;
++			memvalid |= 1UL << f_k;
++			mem[f_k] = A;
+ 			continue;
+ 		case BPF_STX:
+-			mem[fentry->k] = X;
++			memvalid |= 1UL << f_k;
++			mem[f_k] = X;
+ 			continue;
+ 		default:
+ 			WARN_ON(1);
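Review bot: The new `memvalid` bitmap is declared without a comment, unlike `A`, `X` and `mem[]` beside it, and the `1UL << f_k` shifts in the BPF_LD|BPF_MEM, BPF_LDX|BPF_MEM, BPF_ST and BPF_STX cases are only well defined while `f_k` is below BITS_PER_LONG. The BUILD_BUG_ON bounds BPF_MEMWORDS, but nothing in this patch bounds `f_k` itself; presumably the filter checker rejects out-of-range `k` for these opcodes at attach time, which should be confirmed for this 2.6.26 tree. I would record the dependency at the declaration: `unsigned long memvalid = 0;	/* bit k set once mem[k] was stored; relies on k < BPF_MEMWORDS being validated before the filter runs */`. The body of sk_run_filter continues outside the hunks shown.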

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch)
@@ -0,0 +1,34 @@
+commit 20176a70251000e8d0cb2138ba2f9bd607739c34
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Mon Sep 27 12:30:28 2010 -0400
+
+    Fix pktcdvd ioctl dev_minor range check
+    
+    The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
+    pktcdvd_device from the global pkt_devs array.  The index into this
+    array is provided directly by the user and is a signed integer, so the
+    comparison to ensure that it falls within the bounds of this array will
+    fail when provided with a negative index.
+    
+    This can be used to read arbitrary kernel memory or cause a crash due to
+    an invalid pointer dereference.  This can be exploited by users with
+    permission to open /dev/pktcdvd/control (on many distributions, this is
+    readable by group "cdrom").
+    
+    Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+    [ Rather than add a cast, just make the function take the right type -Linus ]
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
+index 3ba1df9..7f0734b 100644
+--- a/drivers/block/pktcdvd.c
++++ b/drivers/block/pktcdvd.c
+@@ -2405,7 +2405,7 @@ static void pkt_release_dev(struct pktcdvd_device *pd, int flush)
+ 	pkt_shrink_pktlist(pd);
+ }
+ 
+-static struct pktcdvd_device *pkt_find_dev_from_minor(int dev_minor)
++static struct pktcdvd_device *pkt_find_dev_from_minor(unsigned int dev_minor)
+ {
+ 	if (dev_minor >= MAX_WRITERS)
+ 		return NULL;
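Review bot: The bound check in pkt_find_dev_from_minor now depends entirely on the parameter being unsigned, and nothing in the function says so. A later cleanup that restores `int` would silently bring back the negative-index case described in the commit message. A one-line comment above the check would pin it down: `/* dev_minor must stay unsigned so a negative index from user space fails this bound */`. The rest of the function body is outside the hunk.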

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/gdth-integer-overflow-in-ioctl.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/gdth-integer-overflow-in-ioctl.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/gdth-integer-overflow-in-ioctl.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/gdth-integer-overflow-in-ioctl.patch)
@@ -0,0 +1,38 @@
+commit 544a3052a7c5a0b21776d78b6773d6ad28d5434c
+Author: Dan Carpenter <error27 at gmail.com>
+Date:   Fri Oct 8 09:03:07 2010 +0200
+
+    [SCSI] gdth: integer overflow in ioctl
+    
+    gdth_ioctl_alloc() takes the size variable as an int.
+    copy_from_user() takes the size variable as an unsigned long.
+    gen.data_len and gen.sense_len are unsigned longs.
+    On x86_64 longs are 64 bit and ints are 32 bit.
+    
+    We could pass in a very large number and the allocation would truncate
+    the size to 32 bits and allocate a small buffer.  Then when we do the
+    copy_from_user(), it would result in a memory corruption.
+    
+    CC: stable at kernel.org
+    Signed-off-by: Dan Carpenter <error27 at gmail.com>
+    Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+
+diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c
+index 31b78d8..2c61f82 100644
+--- a/drivers/scsi/gdth.c
++++ b/drivers/scsi/gdth.c
+@@ -4152,6 +4152,14 @@ static int ioc_general(void __user *arg, char *cmnd)
+     ha = gdth_find_ha(gen.ionode);
+     if (!ha)
+         return -EFAULT;
++
++    if (gen.data_len > INT_MAX)
++        return -EINVAL;
++    if (gen.sense_len > INT_MAX)
++        return -EINVAL;
++    if (gen.data_len + gen.sense_len > INT_MAX)
++        return -EINVAL;
++
+     if (gen.data_len + gen.sense_len != 0) {
+         if (!(buf = gdth_ioctl_alloc(ha, gen.data_len + gen.sense_len,
+                                      FALSE, &paddr)))

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/ib-uverbs-handle-large-number-of-entries-in-poll-CQ.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/ib-uverbs-handle-large-number-of-entries-in-poll-CQ.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/ib-uverbs-handle-large-number-of-entries-in-poll-CQ.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/ib-uverbs-handle-large-number-of-entries-in-poll-CQ.patch)
@@ -0,0 +1,158 @@
+commit 6c4ff74fe922494252bb112aa86359b9559cef10
+Author: Dan Carpenter <error27 at gmail.com>
+Date:   Wed Oct 13 09:13:12 2010 +0000
+
+    IB/uverbs: Handle large number of entries in poll CQ
+    
+    In ib_uverbs_poll_cq() code there is a potential integer overflow if
+    userspace passes in a large cmd.ne.  The calls to kmalloc() would
+    allocate smaller buffers than intended, leading to memory corruption.
+    There iss also an information leak if resp wasn't all used.
+    Unprivileged userspace may call this function, although only if an
+    RDMA device that uses this function is present.
+    
+    Fix this by copying CQ entries one at a time, which avoids the
+    allocation entirely, and also by moving this copying into a function
+    that makes sure to initialize all memory copied to userspace.
+    
+    Special thanks to Jason Gunthorpe <jgunthorpe at obsidianresearch.com>
+    for his help and advice.
+    
+    Cc: <stable at kernel.org>
+    Signed-off-by: Dan Carpenter <error27 at gmail.com>
+    
+    [ Monkey around with things a bit to avoid bad code generation by gcc
+      when designated initializers are used.  - Roland ]
+    
+    Signed-off-by: Roland Dreier <rolandd at cisco.com>
+    [dannf: backported to Debian's 2.6.26]
+
+diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
+index 2c3bff5..6c788a1 100644
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -877,68 +877,81 @@ out:
+ 	return ret ? ret : in_len;
+ }
+ 
++static int copy_wc_to_user(void __user *dest, struct ib_wc *wc)
++{
++	struct ib_uverbs_wc tmp;
++
++	tmp.wr_id		= wc->wr_id;
++	tmp.status		= wc->status;
++	tmp.opcode		= wc->opcode;
++	tmp.vendor_err		= wc->vendor_err;
++	tmp.byte_len		= wc->byte_len;
++	tmp.imm_data		= (__u32 __force) wc->imm_data;
++	tmp.qp_num		= wc->qp->qp_num;
++	tmp.src_qp		= wc->src_qp;
++	tmp.wc_flags		= wc->wc_flags;
++	tmp.pkey_index		= wc->pkey_index;
++	tmp.slid		= wc->slid;
++	tmp.sl			= wc->sl;
++	tmp.dlid_path_bits	= wc->dlid_path_bits;
++	tmp.port_num		= wc->port_num;
++	tmp.reserved		= 0;
++
++	if (copy_to_user(dest, &tmp, sizeof tmp))
++		return -EFAULT;
++
++	return 0;
++}
++
+ ssize_t ib_uverbs_poll_cq(struct ib_uverbs_file *file,
+ 			  const char __user *buf, int in_len,
+ 			  int out_len)
+ {
+ 	struct ib_uverbs_poll_cq       cmd;
+-	struct ib_uverbs_poll_cq_resp *resp;
++	struct ib_uverbs_poll_cq_resp  resp;
++	u8 __user                     *header_ptr;
++	u8 __user                     *data_ptr;
+ 	struct ib_cq                  *cq;
+-	struct ib_wc                  *wc;
+-	int                            ret = 0;
+-	int                            i;
+-	int                            rsize;
++	struct ib_wc                   wc;
++	int                            ret;
+ 
+ 	if (copy_from_user(&cmd, buf, sizeof cmd))
+ 		return -EFAULT;
+ 
+-	wc = kmalloc(cmd.ne * sizeof *wc, GFP_KERNEL);
+-	if (!wc)
+-		return -ENOMEM;
+-
+-	rsize = sizeof *resp + cmd.ne * sizeof(struct ib_uverbs_wc);
+-	resp = kmalloc(rsize, GFP_KERNEL);
+-	if (!resp) {
+-		ret = -ENOMEM;
+-		goto out_wc;
+-	}
+-
+ 	cq = idr_read_cq(cmd.cq_handle, file->ucontext, 0);
+-	if (!cq) {
+-		ret = -EINVAL;
+-		goto out;
+-	}
++	if (!cq)
++		return -EINVAL;
+ 
+-	resp->count = ib_poll_cq(cq, cmd.ne, wc);
++	/* we copy a struct ib_uverbs_poll_cq_resp to user space */
++	header_ptr = (void __user *)(unsigned long) cmd.response;
++	data_ptr = header_ptr + sizeof resp;
+ 
+-	put_cq_read(cq);
++	memset(&resp, 0, sizeof resp);
++	while (resp.count < cmd.ne) {
++		ret = ib_poll_cq(cq, 1, &wc);
++		if (ret < 0)
++			goto out_put;
++		if (!ret)
++			break;
++
++		ret = copy_wc_to_user(data_ptr, &wc);
++		if (ret)
++			goto out_put;
+ 
+-	for (i = 0; i < resp->count; i++) {
+-		resp->wc[i].wr_id 	   = wc[i].wr_id;
+-		resp->wc[i].status 	   = wc[i].status;
+-		resp->wc[i].opcode 	   = wc[i].opcode;
+-		resp->wc[i].vendor_err 	   = wc[i].vendor_err;
+-		resp->wc[i].byte_len 	   = wc[i].byte_len;
+-		resp->wc[i].imm_data 	   = (__u32 __force) wc[i].imm_data;
+-		resp->wc[i].qp_num 	   = wc[i].qp->qp_num;
+-		resp->wc[i].src_qp 	   = wc[i].src_qp;
+-		resp->wc[i].wc_flags 	   = wc[i].wc_flags;
+-		resp->wc[i].pkey_index 	   = wc[i].pkey_index;
+-		resp->wc[i].slid 	   = wc[i].slid;
+-		resp->wc[i].sl 		   = wc[i].sl;
+-		resp->wc[i].dlid_path_bits = wc[i].dlid_path_bits;
+-		resp->wc[i].port_num 	   = wc[i].port_num;
++		data_ptr += sizeof(struct ib_uverbs_wc);
++		++resp.count;
+ 	}
+ 
+-	if (copy_to_user((void __user *) (unsigned long) cmd.response, resp, rsize))
++	if (copy_to_user(header_ptr, &resp, sizeof resp)) {
+ 		ret = -EFAULT;
++		goto out_put;
++	}
+ 
+-out:
+-	kfree(resp);
++	ret = in_len;
+ 
+-out_wc:
+-	kfree(wc);
+-	return ret ? ret : in_len;
++out_put:
++	put_cq_read(cq);
++	return ret;
+ }
+ 
+ ssize_t ib_uverbs_req_notify_cq(struct ib_uverbs_file *file,
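Review bot: copy_wc_to_user() copies `sizeof tmp` bytes of a stack struct to user space after assigning its members one by one, so any compiler padding in struct ib_uverbs_wc, or a member added later, would go out uninitialised. That is the class of leak the commit message sets out to close. The struct layout is not visible here; if it has no padding today, a comment such as `/* every byte of tmp reaches user space: assign all members, including reserved */` keeps it that way, and otherwise `memset(&tmp, 0, sizeof tmp);` before the assignments closes the gap. Separately, an error from ib_poll_cq() or copy_wc_to_user() part-way through the loop returns after entries were already written to the user buffer but before the `resp` header is, which is worth a comment at `out_put`.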

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/inet_diag-make-sure-we-actually-run-the-same-bytecode-we-audited.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/inet_diag-make-sure-we-actually-run-the-same-bytecode-we-audited.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/inet_diag-make-sure-we-actually-run-the-same-bytecode-we-audited.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/inet_diag-make-sure-we-actually-run-the-same-bytecode-we-audited.patch)
@@ -0,0 +1,102 @@
+commit bbeac6cc190a5978d9fb0cdaadc4275073fbc65e
+Author: Nelson Elhage <nelhage at ksplice.com>
+Date:   Wed Nov 3 16:35:41 2010 +0000
+
+    inet_diag: Make sure we actually run the same bytecode we audited.
+    
+    [Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    We were using nlmsg_find_attr() to look up the bytecode by attribute when
+    auditing, but then just using the first attribute when actually running
+    bytecode. So, if we received a message with two attribute elements, where only
+    the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different
+    bytecode strings.
+    
+    Fix this by consistently using nlmsg_find_attr everywhere.
+    
+    Signed-off-by: Nelson Elhage <nelhage at ksplice.com>
+    Signed-off-by: Thomas Graf <tgraf at infradead.org>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index da97695..dc68bb1 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -495,9 +495,11 @@ static int inet_csk_diag_dump(struct sock *sk,
+ {
+ 	struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
+ 
+-	if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
++	if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
+ 		struct inet_diag_entry entry;
+-		struct rtattr *bc = (struct rtattr *)(r + 1);
++		const struct nlattr *bc = nlmsg_find_attr(cb->nlh,
++							  sizeof(*r),
++							  INET_DIAG_REQ_BYTECODE);
+ 		struct inet_sock *inet = inet_sk(sk);
+ 
+ 		entry.family = sk->sk_family;
+@@ -517,7 +519,7 @@ static int inet_csk_diag_dump(struct sock *sk,
+ 		entry.dport = ntohs(inet->dport);
+ 		entry.userlocks = sk->sk_userlocks;
+ 
+-		if (!inet_diag_bc_run(RTA_DATA(bc), RTA_PAYLOAD(bc), &entry))
++		if (!inet_diag_bc_run(nla_data(bc), nla_len(bc), &entry))
+ 			return 0;
+ 	}
+ 
+@@ -532,9 +534,11 @@ static int inet_twsk_diag_dump(struct inet_timewait_sock *tw,
+ {
+ 	struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
+ 
+-	if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
++	if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
+ 		struct inet_diag_entry entry;
+-		struct rtattr *bc = (struct rtattr *)(r + 1);
++		const struct nlattr *bc = nlmsg_find_attr(cb->nlh,
++							  sizeof(*r),
++							  INET_DIAG_REQ_BYTECODE);
+ 
+ 		entry.family = tw->tw_family;
+ #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
+@@ -553,7 +557,7 @@ static int inet_twsk_diag_dump(struct inet_timewait_sock *tw,
+ 		entry.dport = ntohs(tw->tw_dport);
+ 		entry.userlocks = 0;
+ 
+-		if (!inet_diag_bc_run(RTA_DATA(bc), RTA_PAYLOAD(bc), &entry))
++		if (!inet_diag_bc_run(nla_data(bc), nla_len(bc), &entry))
+ 			return 0;
+ 	}
+ 
+@@ -623,7 +627,7 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk,
+ 	struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
+ 	struct inet_connection_sock *icsk = inet_csk(sk);
+ 	struct listen_sock *lopt;
+-	struct rtattr *bc = NULL;
++	const struct nlattr *bc = NULL;
+ 	struct inet_sock *inet = inet_sk(sk);
+ 	int j, s_j;
+ 	int reqnum, s_reqnum;
+@@ -643,8 +647,9 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk,
+ 	if (!lopt || !lopt->qlen)
+ 		goto out;
+ 
+-	if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
+-		bc = (struct rtattr *)(r + 1);
++	if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
++		bc = nlmsg_find_attr(cb->nlh, sizeof(*r),
++				     INET_DIAG_REQ_BYTECODE);
+ 		entry.sport = inet->num;
+ 		entry.userlocks = sk->sk_userlocks;
+ 	}
+@@ -677,8 +682,8 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk,
+ 					&ireq->rmt_addr;
+ 				entry.dport = ntohs(ireq->rmt_port);
+ 
+-				if (!inet_diag_bc_run(RTA_DATA(bc),
+-						    RTA_PAYLOAD(bc), &entry))
++				if (!inet_diag_bc_run(nla_data(bc),
++						      nla_len(bc), &entry))
+ 					continue;
+ 			}
+ 
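Review bot: `nlmsg_find_attr()` can return NULL when a request carries attributes but none of type INET_DIAG_REQ_BYTECODE, and in inet_csk_diag_dump and inet_twsk_diag_dump the result is passed straight to `nla_data(bc)` and `nla_len(bc)`. Unless the receive path, which this patch does not show, rejects such requests before the dump callbacks run, that is a NULL dereference. Guarding the call makes both functions safe on their own: `if (bc && !inet_diag_bc_run(nla_data(bc), nla_len(bc), &entry))`. inet_diag_dump_reqs also leaves `bc` NULL in that case, and whether its call site is guarded cannot be seen from the hunk. All three function bodies continue outside the hunks.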

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch)
@@ -0,0 +1,88 @@
+commit 8eb68500689d218d4ae85b9d0adf9f02938a3b20
+Author: Tavis Ormandy <taviso at cmpxchg8b.com>
+Date:   Thu Dec 9 15:29:42 2010 +0100
+
+    install_special_mapping skips security_file_mmap check.
+    
+    The install_special_mapping routine (used, for example, to setup the
+    vdso) skips the security check before insert_vm_struct, allowing a local
+    attacker to bypass the mmap_min_addr security restriction by limiting
+    the available pages for special mappings.
+    
+    bprm_mm_init() also skips the check, and although I don't think this can
+    be used to bypass any restrictions, I don't see any reason not to have
+    the security check.
+    
+      $ uname -m
+      x86_64
+      $ cat /proc/sys/vm/mmap_min_addr
+      65536
+      $ cat install_special_mapping.s
+      section .bss
+          resb BSS_SIZE
+      section .text
+          global _start
+          _start:
+              mov     eax, __NR_pause
+              int     0x80
+      $ nasm -D__NR_pause=29 -DBSS_SIZE=0xfffed000 -f elf -o install_special_mapping.o install_special_mapping.s
+      $ ld -m elf_i386 -Ttext=0x10000 -Tbss=0x11000 -o install_special_mapping install_special_mapping.o
+      $ ./install_special_mapping &
+      [1] 14303
+      $ cat /proc/14303/maps
+      0000f000-00010000 r-xp 00000000 00:00 0                                  [vdso]
+      00010000-00011000 r-xp 00001000 00:19 2453665                            /home/taviso/install_special_mapping
+      00011000-ffffe000 rwxp 00000000 00:00 0                                  [stack]
+    
+    It's worth noting that Red Hat are shipping with mmap_min_addr set to
+    4096.
+    
+    Signed-off-by: Tavis Ormandy <taviso at google.com>
+    Acked-by: Kees Cook <kees at ubuntu.com>
+    Acked-by: Robert Swiecki <swiecki at google.com>
+    [ Changed to not drop the error code - akpm ]
+    Reviewed-by: James Morris <jmorris at namei.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: backported to Debian's 2.6.26]
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 6b7c7dd..cd50a93 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -266,6 +266,13 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
+ 
+ 	vma->vm_flags = VM_STACK_FLAGS;
+ 	vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
++
++	err = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1);
++	if (err) {
++		up_write(&mm->mmap_sem);
++		goto err;
++	}
++
+ 	err = insert_vm_struct(mm, vma);
+ 	if (err) {
+ 		up_write(&mm->mmap_sem);
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 0c137e5..1181cf8 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2245,6 +2245,7 @@ int install_special_mapping(struct mm_struct *mm,
+ 			    unsigned long addr, unsigned long len,
+ 			    unsigned long vm_flags, struct page **pages)
+ {
++	int ret;
+ 	struct vm_area_struct *vma;
+ 
+ 	vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
+@@ -2261,6 +2262,10 @@ int install_special_mapping(struct mm_struct *mm,
+ 	vma->vm_ops = &special_mapping_vmops;
+ 	vma->vm_private_data = pages;
+ 
++	ret = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1);
++	if (ret)
++		return ret;
++
+ 	if (unlikely(insert_vm_struct(mm, vma))) {
+ 		kmem_cache_free(vm_area_cachep, vma);
+ 		return -ENOMEM;
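Review bot: In install_special_mapping() the new `if (ret) return ret;` returns without freeing the `vma` obtained from `kmem_cache_zalloc()`, whereas the `insert_vm_struct()` failure branch directly below calls `kmem_cache_free(vm_area_cachep, vma)` first. Every call that fails the security_file_mmap() check therefore leaks one vm_area_struct. The branch should free it as well: `if (ret) { kmem_cache_free(vm_area_cachep, vma); return ret; }`. The fs/exec.c hunk jumps to its `err` label instead, and that label's cleanup is outside the hunk.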

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch)
@@ -0,0 +1,70 @@
+commit 4587b49a223733b4e43662b273e8e33abaae378d
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Wed Oct 27 15:34:17 2010 -0700
+
+    ipc: initialize structure memory to zero for compat functions
+    
+    This takes care of leaking uninitialized kernel stack memory to
+    userspace from non-zeroed fields in structs in compat ipc functions.
+    
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Cc: Manfred Spraul <manfred at colorfullife.com>
+    Cc: Arnd Bergmann <arnd at arndb.de>
+    Cc: <stable at kernel.org>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/ipc/compat.c b/ipc/compat.c
+index ab76fb0..5e3e3a1 100644
+--- a/ipc/compat.c
++++ b/ipc/compat.c
+@@ -242,6 +242,8 @@ long compat_sys_semctl(int first, int second, int third, void __user *uptr)
+ 	struct semid64_ds __user *up64;
+ 	int version = compat_ipc_parse_version(&third);
+ 
++	memset(&s64, 0, sizeof(s64));
++
+ 	if (!uptr)
+ 		return -EINVAL;
+ 	if (get_user(pad, (u32 __user *) uptr))
+@@ -422,6 +424,8 @@ long compat_sys_msgctl(int first, int second, void __user *uptr)
+ 	int version = compat_ipc_parse_version(&second);
+ 	void __user *p;
+ 
++	memset(&m64, 0, sizeof(m64));
++
+ 	switch (second & (~IPC_64)) {
+ 	case IPC_INFO:
+ 	case IPC_RMID:
+@@ -595,6 +599,8 @@ long compat_sys_shmctl(int first, int second, void __user *uptr)
+ 	int err, err2;
+ 	int version = compat_ipc_parse_version(&second);
+ 
++	memset(&s64, 0, sizeof(s64));
++
+ 	switch (second & (~IPC_64)) {
+ 	case IPC_RMID:
+ 	case SHM_LOCK:
+diff --git a/ipc/compat_mq.c b/ipc/compat_mq.c
+index d8d1e9f..380ea4f 100644
+--- a/ipc/compat_mq.c
++++ b/ipc/compat_mq.c
+@@ -53,6 +53,9 @@ asmlinkage long compat_sys_mq_open(const char __user *u_name,
+ 	void __user *p = NULL;
+ 	if (u_attr && oflag & O_CREAT) {
+ 		struct mq_attr attr;
++
++		memset(&attr, 0, sizeof(attr));
++
+ 		p = compat_alloc_user_space(sizeof(attr));
+ 		if (get_compat_mq_attr(&attr, u_attr) ||
+ 		    copy_to_user(p, &attr, sizeof(attr)))
+@@ -127,6 +130,8 @@ asmlinkage long compat_sys_mq_getsetattr(mqd_t mqdes,
+ 	struct mq_attr __user *p = compat_alloc_user_space(2 * sizeof(*p));
+ 	long ret;
+ 
++	memset(&mqstat, 0, sizeof(mqstat));
++
+ 	if (u_mqstat) {
+ 		if (get_compat_mq_attr(&mqstat, u_mqstat) ||
+ 		    copy_to_user(p, &mqstat, sizeof(mqstat)))

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/ipc-shm-fix-information-leak-to-userland.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/ipc-shm-fix-information-leak-to-userland.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/ipc-shm-fix-information-leak-to-userland.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/ipc-shm-fix-information-leak-to-userland.patch)
@@ -0,0 +1,27 @@
+commit 5204c15eac79d9cfbbcb2cfff36f1d631f7bfef6
+Author: Vasiliy Kulikov <segooon at gmail.com>
+Date:   Sat Oct 30 18:22:49 2010 +0400
+
+    ipc: shm: fix information leak to userland
+    
+    The shmid_ds structure is copied to userland with shm_unused{,2,3}
+    fields unitialized.  It leads to leaking of contents of kernel stack
+    memory.
+    
+    Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
+    Acked-by: Al Viro <viro at ZenIV.linux.org.uk>
+    Cc: stable at kernel.org
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/ipc/shm.c b/ipc/shm.c
+index 38b4711..584b344 100644
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -483,6 +483,7 @@ static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_
+ 	    {
+ 		struct shmid_ds out;
+ 
++		memset(&out, 0, sizeof(out));
+ 		ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm);
+ 		out.shm_segsz	= in->shm_segsz;
+ 		out.shm_atime	= in->shm_atime;

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch)
@@ -0,0 +1,35 @@
+commit 7fd526535d7e6134ec40c2a48d5f42463bee6622
+Author: David S. Miller <davem at davemloft.net>
+Date:   Mon Aug 30 18:35:24 2010 -0700
+
+    irda: Correctly clean up self->ias_obj on irda_bind() failure.
+    
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    If irda_open_tsap() fails, the irda_bind() code tries to destroy
+    the ->ias_obj object by hand, but does so wrongly.
+    
+    In particular, it fails to a) release the hashbin attached to the
+    object and b) reset the self->ias_obj pointer to NULL.
+    
+    Fix both problems by using irias_delete_object() and explicitly
+    setting self->ias_obj to NULL, just as irda_release() does.
+    
+    Reported-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index b28409c..ca31e1d 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -809,8 +809,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+ 
+ 	err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
+ 	if (err < 0) {
+-		kfree(self->ias_obj->name);
+-		kfree(self->ias_obj);
++		irias_delete_object(self->ias_obj);
++		self->ias_obj = NULL;
+ 		return err;
+ 	}
+ 

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch)
@@ -0,0 +1,50 @@
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Wed, 22 Dec 2010 13:58:27 +0000
+Subject: [PATCH] irda: prevent integer underflow in IRLMP_ENUMDEVICES
+
+commit fdac1e0697356ac212259f2147aa60c72e334861 upstream.
+
+If the user-provided len is less than the expected offset, the
+IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
+size value.  While this isn't be a security issue on x86 because it will
+get caught by the access_ok() check, it may leak large amounts of kernel
+heap on other architectures.  In any event, this patch fixes it.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[dannf: Backport to 2.6.32]
+---
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -2164,6 +2164,14 @@ static int irda_getsockopt(struct socket
+ 
+ 	switch (optname) {
+ 	case IRLMP_ENUMDEVICES:
++
++		/* Offset to first device entry */
++		offset = sizeof(struct irda_device_list) -
++			sizeof(struct irda_device_info);
++
++		if (len < offset)
++			return -EINVAL;
++
+ 		/* Ask lmp for the current discovery log */
+ 		discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
+ 						    self->nslots);
+@@ -2173,15 +2181,9 @@ static int irda_getsockopt(struct socket
+ 		err = 0;
+ 
+ 		/* Write total list length back to client */
+-		if (copy_to_user(optval, &list,
+-				 sizeof(struct irda_device_list) -
+-				 sizeof(struct irda_device_info)))
++		if (copy_to_user(optval, &list, offset))
+ 			err = -EFAULT;
+ 
+-		/* Offset to first device entry */
+-		offset = sizeof(struct irda_device_list) -
+-			sizeof(struct irda_device_info);
+-
+ 		/* Copy the list itself - watch for overflow */
+ 		if(list.len > 2048)
+ 		{
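Review bot: The provenance line `[dannf: Backport to 2.6.32]` does not match the tree this patch is added to, which is the lenny 2.6.26 series. It should name the tree the adjustment was made for, e.g. `[dannf: Backported to Debian's 2.6.26]`, as the neighbouring patches do. Separately, the new `return -EINVAL;` under `case IRLMP_ENUMDEVICES:` leaves irda_getsockopt() directly. That is only correct if no lock or allocation is held at that point, which cannot be confirmed here because the start of the function is outside the hunk.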

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/ivtvfb-prevent-reading-uninitialized-stack-memory.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/ivtvfb-prevent-reading-uninitialized-stack-memory.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/ivtvfb-prevent-reading-uninitialized-stack-memory.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/ivtvfb-prevent-reading-uninitialized-stack-memory.patch)
@@ -0,0 +1,28 @@
+commit 66635f73f2223eceebc61c88135b5817b97b4235
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Wed Sep 15 18:44:22 2010 -0300
+
+    V4L/DVB: ivtvfb: prevent reading uninitialized stack memory
+    
+    The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
+    bytes of uninitialized stack memory, because the "reserved" member of
+    the fb_vblank struct declared on the stack is not altered or zeroed
+    before being copied back to the user.  This patch takes care of it.
+    
+    Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+    Signed-off-by: Andy Walls <awalls at md.metrocast.net>
+    Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+
+diff --git a/drivers/media/video/ivtv/ivtvfb.c b/drivers/media/video/ivtv/ivtvfb.c
+index 73be154..96ed111 100644
+--- a/drivers/media/video/ivtv/ivtvfb.c
++++ b/drivers/media/video/ivtv/ivtvfb.c
+@@ -378,6 +378,8 @@ static int ivtvfb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long ar
+ 			struct fb_vblank vblank;
+ 			u32 trace;
+ 
++			memset(&vblank, 0, sizeof(struct fb_vblank));
++
+ 			vblank.flags = FB_VBLANK_HAVE_COUNT |FB_VBLANK_HAVE_VCOUNT |
+ 					FB_VBLANK_HAVE_VSYNC;
+ 			trace = read_reg(0x028c0) >> 16;
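Review bot: A style point on the added `memset(&vblank, 0, sizeof(struct fb_vblank));` in ivtvfb_ioctl(): sizing the clear by the object, `memset(&vblank, 0, sizeof(vblank));`, keeps it correct if the declaration ever changes. It also matches the form used by the rme9652 patch in this same commit. The same applies to `memset(&mc, 0, sizeof(master_config_t));` in the eql patch, which could be `sizeof(mc)`. The enclosing ioctl case continues outside the hunk.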

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/net-ax25-fix-information-leak-to-userland.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-ax25-fix-information-leak-to-userland.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/net-ax25-fix-information-leak-to-userland.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-ax25-fix-information-leak-to-userland.patch)
@@ -0,0 +1,34 @@
+commit 4b162edbd50eafb140fb25446822974ae611344f
+Author: Vasiliy Kulikov <segooon at gmail.com>
+Date:   Wed Nov 10 10:14:33 2010 -0800
+
+    net: ax25: fix information leak to userland
+    
+    Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater
+    field of fsa struct, also the struct has padding bytes between
+    sax25_call and sax25_ndigis fields.  This structure is then copied to
+    userland.  It leads to leaking of contents of kernel stack memory.
+    
+    Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index 3c10a11..1fa11ab 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1385,6 +1385,7 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr,
+ 	ax25_cb *ax25;
+ 	int err = 0;
+ 
++	memset(fsa, 0, sizeof(fsa));
+ 	lock_sock(sk);
+ 	ax25 = ax25_sk(sk);
+ 
+@@ -1396,7 +1397,6 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr,
+ 
+ 		fsa->fsa_ax25.sax25_family = AF_AX25;
+ 		fsa->fsa_ax25.sax25_call   = ax25->dest_addr;
+-		fsa->fsa_ax25.sax25_ndigis = 0;
+ 
+ 		if (ax25->digipeat != NULL) {
+ 			ndigi = ax25->digipeat->ndigi;

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/net-eql-prevent-reading-uninitialized-stack-memory.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-eql-prevent-reading-uninitialized-stack-memory.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/net-eql-prevent-reading-uninitialized-stack-memory.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-eql-prevent-reading-uninitialized-stack-memory.patch)
@@ -0,0 +1,30 @@
+commit fbbc65f0bc5c6efae9da937b615159b90e47d169
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Wed Sep 15 11:43:04 2010 +0000
+
+    drivers/net/eql.c: prevent reading uninitialized stack memory
+    
+    Fixed formatting (tabs and line breaks).
+    
+    The EQL_GETMASTRCFG device ioctl allows unprivileged users to read 16
+    bytes of uninitialized stack memory, because the "master_name" member of
+    the master_config_t struct declared on the stack in eql_g_master_cfg()
+    is not altered or zeroed before being copied back to the user.  This
+    patch takes care of it.
+    
+    Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/drivers/net/eql.c b/drivers/net/eql.c
+index 18f1364..a7ae37c 100644
+--- a/drivers/net/eql.c
++++ b/drivers/net/eql.c
+@@ -546,6 +546,8 @@ static int eql_g_master_cfg(struct net_device *dev, master_config_t __user *mcp)
+ 	equalizer_t *eql;
+ 	master_config_t mc;
+ 
++	memset(&mc, 0, sizeof(master_config_t));
++
+ 	if (eql_is_master(dev)) {
+ 		eql = netdev_priv(dev);
+ 		mc.max_slaves = eql->max_slaves;

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch)
@@ -0,0 +1,76 @@
+commit a71f23d2ad52dbd9b3aa6b8b8089260130e4f57f
+Author: David S. Miller <davem at davemloft.net>
+Date:   Thu Oct 28 11:41:55 2010 -0700
+
+    net: Limit socket I/O iovec total length to INT_MAX.
+    
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    This helps protect us from overflow issues down in the
+    individual protocol sendmsg/recvmsg handlers.  Once
+    we hit INT_MAX we truncate out the rest of the iovec
+    by setting the iov_len members to zero.
+    
+    This works because:
+    
+    1) For SOCK_STREAM and SOCK_SEQPACKET sockets, partial
+       writes are allowed and the application will just continue
+       with another write to send the rest of the data.
+    
+    2) For datagram oriented sockets, where there must be a
+       one-to-one correspondance between write() calls and
+       packets on the wire, INT_MAX is going to be far larger
+       than the packet size limit the protocol is going to
+       check for and signal with -EMSGSIZE.
+    
+    Based upon a patch by Linus Torvalds.
+    
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/compat.c b/net/compat.c
+index c823f6f..24b40c1 100644
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -40,10 +40,12 @@ static inline int iov_from_user_compat_to_kern(struct iovec *kiov,
+ 		compat_size_t len;
+ 
+ 		if (get_user(len, &uiov32->iov_len) ||
+-		   get_user(buf, &uiov32->iov_base)) {
+-			tot_len = -EFAULT;
+-			break;
+-		}
++		    get_user(buf, &uiov32->iov_base))
++			return -EFAULT;
++
++		if (len > INT_MAX - tot_len)
++			len = INT_MAX - tot_len;
++
+ 		tot_len += len;
+ 		kiov->iov_base = compat_ptr(buf);
+ 		kiov->iov_len = (__kernel_size_t) len;
+diff --git a/net/core/iovec.c b/net/core/iovec.c
+index 755c37f..7f1fb83 100644
+--- a/net/core/iovec.c
++++ b/net/core/iovec.c
+@@ -60,14 +60,13 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, char *address, int mode)
+ 	err = 0;
+ 
+ 	for (ct = 0; ct < m->msg_iovlen; ct++) {
+-		err += iov[ct].iov_len;
+-		/*
+-		 * Goal is not to verify user data, but to prevent returning
+-		 * negative value, which is interpreted as errno.
+-		 * Overflow is still possible, but it is harmless.
+-		 */
+-		if (err < 0)
+-			return -EMSGSIZE;
++		size_t len = iov[ct].iov_len;
++
++		if (len > INT_MAX - err) {
++			len = INT_MAX - err;
++			iov[ct].iov_len = len;
++		}
++		err += len;
+ 	}
+ 
+ 	return err;
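Review bot: The rewritten loop in verify_iovec() silently rewrites `iov[ct].iov_len` once the running total reaches INT_MAX, and the comment that explained the old check is removed without a replacement. The matching clamp in iov_from_user_compat_to_kern() is uncommented as well. A short comment above each clamp, for example `/* Cap the total at INT_MAX; this and all later segments are shortened, possibly to zero */`, would tell readers of the protocol handlers that a shortened iovec is intended and not an error. It should also say that this path no longer returns -EMSGSIZE. Both function bodies start outside the hunks.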

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/net-packet-fix-information-leak-to-userland.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-packet-fix-information-leak-to-userland.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/net-packet-fix-information-leak-to-userland.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-packet-fix-information-leak-to-userland.patch)
@@ -0,0 +1,40 @@
+commit 9a3e5ca92a4d5d61e9e65f61112e7bf194c16022
+Author: Vasiliy Kulikov <segooon at gmail.com>
+Date:   Wed Nov 10 12:09:10 2010 -0800
+
+    net: packet: fix information leak to userland
+    
+    [Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    packet_getname_spkt() doesn't initialize all members of sa_data field of
+    sockaddr struct if strlen(dev->name) < 13.  This structure is then copied
+    to userland.  It leads to leaking of contents of kernel stack memory.
+    We have to fully fill sa_data with strncpy() instead of strlcpy().
+    
+    The same with packet_getname(): it doesn't initialize sll_pkttype field of
+    sockaddr_ll.  Set it to zero.
+    
+    Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 2cee87d..49ef3e6 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1137,7 +1137,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
+ 	uaddr->sa_family = AF_PACKET;
+ 	dev = dev_get_by_index(sock_net(sk), pkt_sk(sk)->ifindex);
+ 	if (dev) {
+-		strlcpy(uaddr->sa_data, dev->name, 15);
++		strlcpy(uaddr->sa_data, dev->name, 14);
+ 		dev_put(dev);
+ 	} else
+ 		memset(uaddr->sa_data, 0, 14);
+@@ -1160,6 +1160,7 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr,
+ 	sll->sll_family = AF_PACKET;
+ 	sll->sll_ifindex = po->ifindex;
+ 	sll->sll_protocol = po->num;
++	sll->sll_pkttype = 0;
+ 	dev = dev_get_by_index(sock_net(sk), po->ifindex);
+ 	if (dev) {
+ 		sll->sll_hatype = dev->type;
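Review bot: packet_getname_spkt() still calls strlcpy(), which copies the name and a terminating NUL but does not pad the rest of the destination. For a short dev->name the remaining bytes of the 14-byte sa_data keep their previous contents, which is the leak the commit message says requires strncpy(). The backport only changes the bound from 15 to 14. Unless the caller zeroes the buffer beforehand (not visible here), the line should be `strncpy(uaddr->sa_data, dev->name, 14);`, or be preceded by `memset(uaddr->sa_data, 0, 14);` as the else branch already does. Both functions continue outside the hunks.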

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch)
@@ -0,0 +1,56 @@
+commit a284ebb1d9862fe94b3c693e55f60ef3587a3855
+Author: Jeff Mahoney <jeffm at suse.com>
+Date:   Tue Aug 31 13:21:42 2010 +0000
+
+    net sched: fix kernel leak in act_police
+    
+    While reviewing commit 1c40be12f7d8ca1d387510d39787b12e512a7ce8, I
+     audited other users of tc_action_ops->dump for information leaks.
+    
+     That commit covered almost all of them but act_police still had a leak.
+    
+     opt.limit and opt.capab aren't zeroed out before the structure is
+     passed out.
+    
+     This patch uses the C99 initializers to zero everything unused out.
+    
+    Signed-off-by: Jeff Mahoney <jeffm at suse.com>
+    Acked-by: Jeff Mahoney <jeffm at suse.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/sched/act_police.c b/net/sched/act_police.c
+index 0898120..85d8315 100644
+--- a/net/sched/act_police.c
++++ b/net/sched/act_police.c
+@@ -320,22 +320,19 @@ tcf_act_police_dump(struct sk_buff *skb, struct tc_action *a, int bind, int ref)
+ {
+ 	unsigned char *b = skb_tail_pointer(skb);
+ 	struct tcf_police *police = a->priv;
+-	struct tc_police opt;
+-
+-	opt.index = police->tcf_index;
+-	opt.action = police->tcf_action;
+-	opt.mtu = police->tcfp_mtu;
+-	opt.burst = police->tcfp_burst;
+-	opt.refcnt = police->tcf_refcnt - ref;
+-	opt.bindcnt = police->tcf_bindcnt - bind;
++	struct tc_police opt = {
++		.index = police->tcf_index,
++		.action = police->tcf_action,
++		.mtu = police->tcfp_mtu,
++		.burst = police->tcfp_burst,
++		.refcnt = police->tcf_refcnt - ref,
++		.bindcnt = police->tcf_bindcnt - bind,
++	};
++
+ 	if (police->tcfp_R_tab)
+ 		opt.rate = police->tcfp_R_tab->rate;
+-	else
+-		memset(&opt.rate, 0, sizeof(opt.rate));
+ 	if (police->tcfp_P_tab)
+ 		opt.peakrate = police->tcfp_P_tab->rate;
+-	else
+-		memset(&opt.peakrate, 0, sizeof(opt.peakrate));
+ 	NLA_PUT(skb, TCA_POLICE_TBF, sizeof(opt), &opt);
+ 	if (police->tcfp_result)
+ 		NLA_PUT_U32(skb, TCA_POLICE_RESULT, police->tcfp_result);
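Review bot: The designated initializer for `opt` in tcf_act_police_dump() zeroes the members it does not name, but C does not guarantee that padding bytes are cleared, and the full `sizeof(opt)` is passed to NLA_PUT. If struct tc_police or its embedded rate structures contain padding (their definitions are not in the hunk), `memset(&opt, 0, sizeof(opt));` followed by plain assignments is the safer form for a structure copied to userspace. If the initializer is kept, a comment such as `/* relies on struct tc_police having no padding */` would record the assumption.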

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/net-tipc-fix-information-leak-to-userland.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-tipc-fix-information-leak-to-userland.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/net-tipc-fix-information-leak-to-userland.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-tipc-fix-information-leak-to-userland.patch)
@@ -0,0 +1,25 @@
+commit cff130bf33f85cc3ab24f6584feaa227048c0738
+Author: Kulikov Vasiliy <segooon at gmail.com>
+Date:   Sun Oct 31 07:10:32 2010 +0000
+
+    net: tipc: fix information leak to userland
+    
+    Structure sockaddr_tipc is copied to userland with padding bytes after
+    "id" field in union field "name" unitialized.  It leads to leaking of
+    contents of kernel stack memory.  We have to initialize them to zero.
+    
+    Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 230f9ca..296e28a 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -390,6 +390,7 @@ static int get_name(struct socket *sock, struct sockaddr *uaddr,
+ 	u32 portref = tipc_sk_port(sock->sk)->ref;
+ 	u32 res;
+ 
++	memset(addr, 0, sizeof(*addr));
+ 	if (peer) {
+ 		res = tipc_peer(portref, &addr->addr.id);
+ 		if (res)

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch)
@@ -0,0 +1,31 @@
+commit 94b149862dbac09f015484e892776bcd047da532
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date:   Sat Oct 30 16:43:10 2010 -0700
+
+    net: Truncate recvfrom and sendto length to INT_MAX.
+    
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/socket.c b/net/socket.c
+index 8aaa05b..f701190 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1596,6 +1596,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
+ 	struct iovec iov;
+ 	int fput_needed;
+ 
++	if (len > INT_MAX)
++		len = INT_MAX;
+ 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ 	if (!sock)
+ 		goto out;
+@@ -1653,6 +1655,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
+ 	int err, err2;
+ 	int fput_needed;
+ 
++	if (size > INT_MAX)
++		size = INT_MAX;
+ 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ 	if (!sock)
+ 		goto out;

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/posix-cpu-timers-workaround-to-suppress-the-problems-with-mt-exec.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/posix-cpu-timers-workaround-to-suppress-the-problems-with-mt-exec.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/posix-cpu-timers-workaround-to-suppress-the-problems-with-mt-exec.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/posix-cpu-timers-workaround-to-suppress-the-problems-with-mt-exec.patch)
@@ -0,0 +1,55 @@
+commit ce9f93e8b9de16fedcf73d7f88f3d2352354b102
+Author: Oleg Nesterov <oleg at redhat.com>
+Date:   Fri Nov 5 16:53:42 2010 +0100
+
+    posix-cpu-timers: workaround to suppress the problems with mt exec
+    
+    posix-cpu-timers.c correctly assumes that the dying process does
+    posix_cpu_timers_exit_group() and removes all !CPUCLOCK_PERTHREAD
+    timers from signal->cpu_timers list.
+    
+    But, it also assumes that timer->it.cpu.task is always the group
+    leader, and thus the dead ->task means the dead thread group.
+    
+    This is obviously not true after de_thread() changes the leader.
+    After that almost every posix_cpu_timer_ method has problems.
+    
+    It is not simple to fix this bug correctly. First of all, I think
+    that timer->it.cpu should use struct pid instead of task_struct.
+    Also, the locking should be reworked completely. In particular,
+    tasklist_lock should not be used at all. This all needs a lot of
+    nontrivial and hard-to-test changes.
+    
+    Change __exit_signal() to do posix_cpu_timers_exit_group() when
+    the old leader dies during exec. This is not the fix, just the
+    temporary hack to hide the problem for 2.6.37 and stable. IOW,
+    this is obviously wrong but this is what we currently have anyway:
+    cpu timers do not work after mt exec.
+    
+    In theory this change adds another race. The exiting leader can
+    detach the timers which were attached to the new leader. However,
+    the window between de_thread() and release_task() is small, we
+    can pretend that sys_timer_create() was called before de_thread().
+    
+    Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/kernel/exit.c b/kernel/exit.c
+index 2bd672d..b3b6377 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -93,6 +93,14 @@ static void __exit_signal(struct task_struct *tsk)
+ 		posix_cpu_timers_exit_group(tsk);
+ 	else {
+ 		/*
++		 * This can only happen if the caller is de_thread().
++		 * FIXME: this is the temporary hack, we should teach
++		 * posix-cpu-timers to handle this case correctly.
++		 */
++		if (unlikely(has_group_leader_pid(tsk)))
++			posix_cpu_timers_exit_group(tsk);
++
++		/*
+ 		 * If there is any task waiting for the group exit
+ 		 * then notify it:
+ 		 */

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/rme9652-prevent-reading-uninitialized-stack-memory.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/rme9652-prevent-reading-uninitialized-stack-memory.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/rme9652-prevent-reading-uninitialized-stack-memory.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/rme9652-prevent-reading-uninitialized-stack-memory.patch)
@@ -0,0 +1,43 @@
+commit 1179687599395e64f39fe85c45a90c0ef9993948
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Sat Sep 25 11:07:27 2010 -0400
+
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory
+    
+    The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and
+    SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctls in hdspm.c and hdsp.c allow
+    unprivileged users to read uninitialized kernel stack memory, because
+    several fields of the hdsp{m}_config_info structs declared on the stack
+    are not altered or zeroed before being copied back to the user.  This
+    patch takes care of it.
+    
+    Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+    Cc: <stable at kernel.org>
+    Signed-off-by: Takashi Iwai <tiwai at suse.de>
+
+diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c
+index 4d6fbb3..cee643e 100644
+--- a/sound/pci/rme9652/hdsp.c
++++ b/sound/pci/rme9652/hdsp.c
+@@ -4569,6 +4569,7 @@ static int snd_hdsp_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, unsigne
+ 			snd_printk(KERN_ERR "Hammerfall-DSP: Firmware needs to be uploaded to the card.\n");	
+ 			return -EINVAL;
+ 		}
++		memset(&info, 0, sizeof(info));
+ 		spin_lock_irqsave(&hdsp->lock, flags);
+ 		info.pref_sync_ref = (unsigned char)hdsp_pref_sync_ref(hdsp);
+ 		info.wordclock_sync_check = (unsigned char)hdsp_wc_sync_check(hdsp);
+diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c
+index ab423bc..bd36bdd 100644
+--- a/sound/pci/rme9652/hdspm.c
++++ b/sound/pci/rme9652/hdspm.c
+@@ -4133,6 +4133,7 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep * hw, struct file *file,
+ 
+ 	case SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO:
+ 
++		memset(&info, 0, sizeof(info));
+ 		spin_lock_irq(&hdspm->lock);
+ 		info.pref_sync_ref = hdspm_pref_sync_ref(hdspm);
+ 		info.wordclock_sync_check = hdspm_wc_sync_check(hdspm);

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch)
@@ -0,0 +1,35 @@
+commit fb582545098ca3312abc342cd381ddf5e68e332b
+Author: David S. Miller <davem at davemloft.net>
+Date:   Mon Sep 20 15:40:35 2010 -0700
+
+    rose: Fix signedness issues wrt. digi count.
+    
+    Just use explicit casts, since we really can't change the
+    types of structures exported to userspace which have been
+    around for 15 years or so.
+    
+    Reported-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 47baa05..3ec3394 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -668,7 +668,7 @@ static int rose_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+ 	if (addr_len == sizeof(struct sockaddr_rose) && addr->srose_ndigis > 1)
+ 		return -EINVAL;
+ 
+-	if (addr->srose_ndigis > ROSE_MAX_DIGIS)
++	if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
+ 		return -EINVAL;
+ 
+ 	if ((dev = rose_dev_get(&addr->srose_addr)) == NULL) {
+@@ -728,7 +728,7 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
+ 	if (addr_len == sizeof(struct sockaddr_rose) && addr->srose_ndigis > 1)
+ 		return -EINVAL;
+ 
+-	if (addr->srose_ndigis > ROSE_MAX_DIGIS)
++	if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
+ 		return -EINVAL;
+ 
+ 	/* Source + Destination digis should not exceed ROSE_MAX_DIGIS */

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/scm-lower-SCM_MAX_FD.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/scm-lower-SCM_MAX_FD.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/scm-lower-SCM_MAX_FD.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/scm-lower-SCM_MAX_FD.patch)
@@ -0,0 +1,71 @@
+commit f1d0e842f4b3dd9f7ea8fe2ae439ea922d421026
+Author: dann frazier <dann.frazier at canonical.com>
+Date:   Mon Jan 17 11:52:13 2011 -0700
+
+    scm: lower SCM_MAX_FD
+    
+    Lower SCM_MAX_FD from 255 to 253 so that allocations for scm_fp_list are
+    halved. (commit f8d570a4 added two pointers in this structure)
+    
+    scm_fp_dup() should not copy whole structure (and trigger kmemcheck
+    warnings), but only the used part. While we are at it, only allocate
+    needed size.
+    
+    Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    [dannf:  Backported to Debian's 2.6.26]
+
+diff --git a/include/net/scm.h b/include/net/scm.h
+index 33e9986..d33d511 100644
+--- a/include/net/scm.h
++++ b/include/net/scm.h
+@@ -10,12 +10,13 @@
+ /* Well, we should have at least one descriptor open
+  * to accept passed FDs 8)
+  */
+-#define SCM_MAX_FD	255
++#define SCM_MAX_FD	253
+ 
+ struct scm_fp_list
+ {
+ 	struct list_head	list;
+-	int			count;
++	short			count;
++	short			max;
+ 	struct file		*fp[SCM_MAX_FD];
+ };
+ 
+diff --git a/net/core/scm.c b/net/core/scm.c
+index ab242cc..c10e1f1 100644
+--- a/net/core/scm.c
++++ b/net/core/scm.c
+@@ -77,10 +77,11 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
+ 		*fplp = fpl;
+ 		INIT_LIST_HEAD(&fpl->list);
+ 		fpl->count = 0;
++		fpl->max = SCM_MAX_FD;
+ 	}
+ 	fpp = &fpl->fp[fpl->count];
+ 
+-	if (fpl->count + num > SCM_MAX_FD)
++	if (fpl->count + num > fpl->max)
+ 		return -EINVAL;
+ 
+ 	/*
+@@ -299,12 +300,13 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
+ 	if (!fpl)
+ 		return NULL;
+ 
+-	new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL);
++	new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
++			  GFP_KERNEL);
+ 	if (new_fpl) {
+ 		INIT_LIST_HEAD(&new_fpl->list);
+-		for (i=fpl->count-1; i>=0; i--)
++		for (i = 0; i < fpl->count; i++)
+ 			get_file(fpl->fp[i]);
+-		memcpy(new_fpl, fpl, sizeof(*fpl));
++		new_fpl->max = new_fpl->count;
+ 	}
+ 	return new_fpl;
+ }

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch)
@@ -0,0 +1,35 @@
+commit 5a493b9d0cb9bd16579e8f86036f7238476e0fd8
+Author: Vlad Yasevich <vladislav.yasevich at hp.com>
+Date:   Wed Sep 15 10:00:26 2010 -0400
+
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    sctp: Do not reset the packet during sctp_packet_config().
+    
+    sctp_packet_config() is called when getting the packet ready
+    for appending of chunks.  The function should not touch the
+    current state, since it's possible to ping-pong between two
+    transports when sending, and that can result packet corruption
+    followed by skb overlfow crash.
+    
+    Reported-by: Thomas Dreibholz <dreibh at iem.uni-due.de>
+    Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/sctp/output.c b/net/sctp/output.c
+index 6d45bae..9b38671 100644
+--- a/net/sctp/output.c
++++ b/net/sctp/output.c
+@@ -78,12 +78,6 @@ struct sctp_packet *sctp_packet_config(struct sctp_packet *packet,
+ 			  packet, vtag);
+ 
+ 	packet->vtag = vtag;
+-	packet->has_cookie_echo = 0;
+-	packet->has_sack = 0;
+-	packet->has_auth = 0;
+-	packet->has_data = 0;
+-	packet->ipfragok = 0;
+-	packet->auth = NULL;
+ 
+ 	if (ecn_capable && sctp_packet_empty(packet)) {
+ 		chunk = sctp_get_ecne_prepend(packet->transport->asoc);
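Review bot: After this change sctp_packet_config() no longer clears has_cookie_echo, has_sack, has_auth, has_data, ipfragok and auth, and the removed lines were the only reset of those fields visible here. The backport therefore depends on the packet init and transmit paths, which are outside the hunk, to clear them once a packet has been sent. That should be confirmed for the 2.6.26 tree, because otherwise stale flags would carry over into the next packet built on the same transport. A comment at the removed spot, e.g. `/* per-packet flags are cleared at init and after transmit, not here */`, would document the dependency.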

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch)
@@ -0,0 +1,47 @@
+commit 322d8fe673fcb447be77b60d1c3f6a42554f3daa
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Fri Oct 1 11:51:47 2010 +0000
+
+    sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()
+    
+    The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids
+    array and attempts to ensure that only a supported hmac entry is
+    returned.  The current code fails to do this properly - if the last id
+    in the array is out of range (greater than SCTP_AUTH_HMAC_ID_MAX), the
+    id integer remains set after exiting the loop, and the address of an
+    out-of-bounds entry will be returned and subsequently used in the parent
+    function, causing potentially ugly memory corruption.  This patch resets
+    the id integer to 0 on encountering an invalid id so that NULL will be
+    returned after finishing the loop if no valid ids are found.
+    
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Acked-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/sctp/auth.c b/net/sctp/auth.c
+index 52db5f6..1ca7e4d 100644
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -542,16 +542,20 @@ struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc)
+ 		id = ntohs(hmacs->hmac_ids[i]);
+ 
+ 		/* Check the id is in the supported range */
+-		if (id > SCTP_AUTH_HMAC_ID_MAX)
++		if (id > SCTP_AUTH_HMAC_ID_MAX) {
++			id = 0;
+ 			continue;
++		}
+ 
+ 		/* See is we support the id.  Supported IDs have name and
+ 		 * length fields set, so that we can allocated and use
+ 		 * them.  We can safely just check for name, for without the
+ 		 * name, we can't allocate the TFM.
+ 		 */
+-		if (!sctp_hmac_list[id].hmac_name)
++		if (!sctp_hmac_list[id].hmac_name) {
++			id = 0;
+ 			continue;
++		}
+ 
+ 		break;
+ 	}
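Review bot: The two added `id = 0;` resets in sctp_auth_asoc_get_hmac() turn 0 into a sentinel for "no usable HMAC", but nothing at the reset sites says so, and the test that consumes the value sits after the loop, outside this hunk. A comment on the first reset, for example `/* 0 means "none found" to the check after the loop */`, would keep a later edit from dropping one of the resets. Presumably the post-loop code returns NULL for id 0, as the commit message states. Returning `&sctp_hmac_list[id]` from inside the loop and NULL after it would remove the sentinel altogether.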

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/setup_arg_pages-diagnose-excessive-argument-size.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/setup_arg_pages-diagnose-excessive-argument-size.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/setup_arg_pages-diagnose-excessive-argument-size.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/setup_arg_pages-diagnose-excessive-argument-size.patch)
@@ -0,0 +1,39 @@
+commit b7a3ef62ad1c65562e9f84cd5812887c4fe6eedb
+Author: Roland McGrath <roland at redhat.com>
+Date:   Tue Sep 7 19:35:49 2010 -0700
+
+    setup_arg_pages: diagnose excessive argument size
+    
+    The CONFIG_STACK_GROWSDOWN variant of setup_arg_pages() does not
+    check the size of the argument/environment area on the stack.
+    When it is unworkably large, shift_arg_pages() hits its BUG_ON.
+    This is exploitable with a very large RLIMIT_STACK limit, to
+    create a crash pretty easily.
+    
+    Check that the initial stack is not too large to make it possible
+    to map in any executable.  We're not checking that the actual
+    executable (or intepreter, for binfmt_elf) will fit.  So those
+    mappings might clobber part of the initial stack mapping.  But
+    that is just userland lossage that userland made happen, not a
+    kernel problem.
+    
+    Signed-off-by: Roland McGrath <roland at redhat.com>
+    Reviewed-by: KOSAKI Motohiro <kosaki.motohiro at jp.fujitsu.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 164ac13..d490980 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -599,6 +599,11 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ #else
+ 	stack_top = arch_align_stack(stack_top);
+ 	stack_top = PAGE_ALIGN(stack_top);
++
++	if (unlikely(stack_top < mmap_min_addr) ||
++	    unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
++		return -ENOMEM;
++
+ 	stack_shift = vma->vm_end - stack_top;
+ 
+ 	bprm->p -= stack_shift;
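Review bot: The new check in the stack-grows-down branch of setup_arg_pages() has no comment, and the reason for its two halves is not obvious from the code. Assuming `stack_top` and `mmap_min_addr` are both unsigned long (their declarations are not in the hunk), the first `unlikely()` also keeps `stack_top - mmap_min_addr` in the second from wrapping, so the order of the two tests matters. I would add `/* Fail if the argument area leaves no room above mmap_min_addr; shift_arg_pages() would BUG otherwise */` above the `if`. The function starts and continues outside this hunk.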

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch)
@@ -0,0 +1,39 @@
+commit a1a719748020a3287b37cc9e8e1e85b7241da532
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Thu Sep 30 15:15:31 2010 -0700
+
+    sys_semctl: fix kernel stack leakage
+    
+    The semctl syscall has several code paths that lead to the leakage of
+    uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
+    IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
+    version of the semid_ds struct.
+    
+    The copy_semid_to_user() function declares a semid_ds struct on the stack
+    and copies it back to the user without initializing or zeroing the
+    "sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
+    allowing the leakage of 16 bytes of kernel stack memory.
+    
+    The code is still reachable on 32-bit systems - when calling semctl()
+    newer glibc's automatically OR the IPC command with the IPC_64 flag, but
+    invoking the syscall directly allows users to use the older versions of
+    the struct.
+    
+    Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+    Cc: Manfred Spraul <manfred at colorfullife.com>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/ipc/sem.c b/ipc/sem.c
+index 80e4575..3fe877f 100644
+--- a/ipc/sem.c
++++ b/ipc/sem.c
+@@ -571,6 +571,8 @@ static unsigned long copy_semid_to_user(void __user *buf, struct semid64_ds *in,
+ 	    {
+ 		struct semid_ds out;
+ 
++		memset(&out, 0, sizeof(out));
++
+ 		ipc64_perm_to_ipc_perm(&in->sem_perm, &out.sem_perm);
+ 
+ 		out.sem_otime	= in->sem_otime;
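Review bot: The added `memset(&out, 0, sizeof(out));` in copy_semid_to_user() carries no comment, so a later cleanup could replace it with member-by-member initialisation and bring the leak back. A one-line comment such as `/* zero padding and the unused pointer members before the struct is copied to user space */` records why the whole object has to be cleared. The copy to user space itself is outside this hunk.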

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/usb-iowarrior-dont-trust-report_size-for-buffer-size.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/usb-iowarrior-dont-trust-report_size-for-buffer-size.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/usb-iowarrior-dont-trust-report_size-for-buffer-size.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/usb-iowarrior-dont-trust-report_size-for-buffer-size.patch)
@@ -0,0 +1,27 @@
+commit 3ed780117dbe5acb64280d218f0347f238dafed0
+Author: Kees Cook <kees.cook at canonical.com>
+Date:   Mon Oct 11 11:28:16 2010 -0700
+
+    usb: iowarrior: don't trust report_size for buffer size
+    
+    If the iowarrior devices in this case statement support more than 8 bytes
+    per report, it is possible to write past the end of a kernel heap allocation.
+    This will probably never be possible, but change the allocation to be more
+    defensive anyway.
+    
+    Signed-off-by: Kees Cook <kees.cook at canonical.com>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
+index bc88c79..8ed8d05 100644
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -374,7 +374,7 @@ static ssize_t iowarrior_write(struct file *file,
+ 	case USB_DEVICE_ID_CODEMERCS_IOWPV2:
+ 	case USB_DEVICE_ID_CODEMERCS_IOW40:
+ 		/* IOW24 and IOW40 use a synchronous call */
+-		buf = kmalloc(8, GFP_KERNEL);	/* 8 bytes are enough for both products */
++		buf = kmalloc(count, GFP_KERNEL);
+ 		if (!buf) {
+ 			retval = -ENOMEM;
+ 			goto exit;
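Review bot: `kmalloc(count, GFP_KERNEL)` in iowarrior_write() now sizes the buffer from the caller's write length, and the hunk does not show where `count` is bounded. If an earlier check in the function (outside this hunk) already ties `count` to the report size, a comment such as `/* count was validated against the report size above */` should replace the removed "8 bytes are enough" remark. If there is no such check, the allocation needs an upper limit before this line. A zero `count` is worth covering in the same place, since kmalloc(0) does not return NULL and the `!buf` test would pass.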

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch)
@@ -0,0 +1,44 @@
+commit f34a022b4ad4074098e41d6ffe2349a07b5e7237
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Wed Sep 15 17:44:16 2010 -0400
+
+    USB: serial/mos*: prevent reading uninitialized stack memory
+    
+    The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
+    unprivileged users to read uninitialized stack memory, because the
+    "reserved" member of the serial_icounter_struct struct declared on the
+    stack is not altered or zeroed before being copied back to the user.
+    This patch takes care of it.
+    
+    Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+    Cc: stable <stable at kernel.org>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
+index 50f1fe2..c3e6058 100644
+--- a/drivers/usb/serial/mos7720.c
++++ b/drivers/usb/serial/mos7720.c
+@@ -1479,6 +1479,9 @@ static int mos7720_ioctl(struct usb_serial_port *port, struct file *file,
+ 
+ 	case TIOCGICOUNT:
+ 		cnow = mos7720_port->icount;
++
++		memset(&icount, 0, sizeof(struct serial_icounter_struct));
++
+ 		icount.cts = cnow.cts;
+ 		icount.dsr = cnow.dsr;
+ 		icount.rng = cnow.rng;
+diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
+index 78f2f6d..34c05b1 100644
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -2446,6 +2446,9 @@ static int mos7840_ioctl(struct usb_serial_port *port, struct file *file,
+ 	case TIOCGICOUNT:
+ 		cnow = mos7840_port->icount;
+ 		smp_rmb();
++
++		memset(&icount, 0, sizeof(struct serial_icounter_struct));
++
+ 		icount.cts = cnow.cts;
+ 		icount.dsr = cnow.dsr;
+ 		icount.rng = cnow.rng;
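Review bot: Both added memset calls, in mos7720_ioctl() and mos7840_ioctl(), take the size from the type name rather than from the object being cleared; `memset(&icount, 0, sizeof(icount));` stays correct if the declaration of `icount` ever changes. The same applies to the memset added to sisfb_ioctl() (`sizeof(struct fb_vblank)`) and to xfs_ioc_fsgetxattr() (`sizeof(struct fsxattr)`) in later patches of this revision, whereas the ipc/sem.c fix already uses `sizeof(out)`. The declarations of `icount` are outside these hunks.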

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch)
@@ -0,0 +1,85 @@
+commit 87ab58c497c22602a90ae1fb93b24f96bbfddfaf
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date:   Fri Oct 15 11:12:38 2010 -0700
+
+    v4l1: fix 32-bit compat microcode loading translation
+    
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    The compat code for the VIDIOCSMICROCODE ioctl is totally buggered.
+    It's only used by the VIDEO_STRADIS driver, and that one is scheduled to
+    staging and eventually removed unless somebody steps up to maintain it
+    (at which point it should use request_firmware() rather than some magic
+    ioctl).  So we'll get rid of it eventually.
+    
+    But in the meantime, the compatibility ioctl code is broken, and this
+    tries to get it to at least limp along (even if Mauro suggested just
+    deleting it entirely, which may be the right thing to do - I don't think
+    the compatibility translation code has ever worked unless you were very
+    lucky).
+    
+    Reported-by: Kees Cook <kees.cook at canonical.com>
+    Cc: Mauro Carvalho Chehab <mchehab at infradead.org>
+    Cc: stable at kernel.org
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/media/video/compat_ioctl32.c b/drivers/media/video/compat_ioctl32.c
+index e4a0a73..612b339 100644
+--- a/drivers/media/video/compat_ioctl32.c
++++ b/drivers/media/video/compat_ioctl32.c
+@@ -499,17 +499,24 @@ struct video_code32
+ {
+ 	char		loadwhat[16];	/* name or tag of file being passed */
+ 	compat_int_t	datasize;
+-	unsigned char	*data;
++	compat_uptr_t	data;
+ };
+ 
+-static inline int microcode32(struct video_code *kp, struct video_code32 __user *up)
++static struct video_code __user *microcode32(struct video_code32 *kp)
+ {
+-	if(!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) ||
+-		copy_from_user(kp->loadwhat, up->loadwhat, sizeof (up->loadwhat)) ||
+-		get_user(kp->datasize, &up->datasize) ||
+-		copy_from_user(kp->data, up->data, up->datasize))
+-			return -EFAULT;
+-	return 0;
++	struct video_code __user *up;
++
++	up = compat_alloc_user_space(sizeof(*up));
++
++	/*
++	 * NOTE! We don't actually care if these fail. If the
++	 * user address is invalid, the native ioctl will do
++	 * the error handling for us
++	 */
++	(void) copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat));
++	(void) put_user(kp->datasize, &up->datasize);
++	(void) put_user(compat_ptr(kp->data), &up->data);
++	return up;
+ }
+ 
+ #define VIDIOCGTUNER32		_IOWR('v',4, struct video_tuner32)
+@@ -618,7 +625,7 @@ static int do_video_ioctl(struct file *file, unsigned int cmd, unsigned long arg
+ 		struct video_tuner vt;
+ 		struct video_buffer vb;
+ 		struct video_window vw;
+-		struct video_code vc;
++		struct video_code32 vc;
+ 		struct video_audio va;
+ #endif
+ 		struct v4l2_format v2f;
+@@ -745,8 +752,11 @@ static int do_video_ioctl(struct file *file, unsigned int cmd, unsigned long arg
+ 		break;
+ #ifdef CONFIG_VIDEO_V4L1_COMPAT
+ 	case VIDIOCSMICROCODE:
+-		err = microcode32(&karg.vc, up);
+-		compatible_arg = 0;
++		/* Copy the 32-bit "video_code32" to kernel space */
++		if (copy_from_user(&karg.vc, up, sizeof(karg.vc)))
++			return -EFAULT;
++		/* Convert the 32-bit version to a 64-bit version in user space */
++		up = microcode32(&karg.vc);
+ 		break;
+ #endif
+ 	};
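Review bot: microcode32() discards the results of `copy_to_user()` and `put_user()` on a pointer taken straight from `compat_alloc_user_space()`, and its comment explains only the error handling, not why that pointer is safe to write through. The safety rests on these being the checked accessors; whether compat_alloc_user_space() validates its return value in this tree is not visible in the patch. I would extend the comment with `Keep the checked copy_to_user()/put_user() forms: they validate the compat_alloc_user_space() area.` so that nobody later swaps in the unchecked `__` variants. do_video_ioctl() continues outside the last hunk, so the path that hands `up` to the native ioctl cannot be confirmed from here.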

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/video-sis-prevent-reading-uninitialized-stack-memory.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/video-sis-prevent-reading-uninitialized-stack-memory.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/video-sis-prevent-reading-uninitialized-stack-memory.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/video-sis-prevent-reading-uninitialized-stack-memory.patch)
@@ -0,0 +1,31 @@
+commit fd02db9de73faebc51240619c7c7f99bee9f65c7
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Wed Sep 22 13:05:09 2010 -0700
+
+    drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory
+    
+    The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16 bytes
+    of uninitialized stack memory, because the "reserved" member of the
+    fb_vblank struct declared on the stack is not altered or zeroed before
+    being copied back to the user.  This patch takes care of it.
+    
+    Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+    Cc: Thomas Winischhofer <thomas at winischhofer.net>
+    Cc: <stable at kernel.org>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/video/sis/sis_main.c b/drivers/video/sis/sis_main.c
+index 559bf17..b52f8e4 100644
+--- a/drivers/video/sis/sis_main.c
++++ b/drivers/video/sis/sis_main.c
+@@ -1701,6 +1701,9 @@ static int	sisfb_ioctl(struct fb_info *info, unsigned int cmd,
+ 		break;
+ 
+ 	   case FBIOGET_VBLANK:
++
++		memset(&sisvbblank, 0, sizeof(struct fb_vblank));
++
+ 		sisvbblank.count = 0;
+ 		sisvbblank.flags = sisfb_setupvbblankflags(ivideo, &sisvbblank.vcount, &sisvbblank.hcount);
+ 

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/x25-fix-field-accesses-beyond-end-of-packet.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/x25-fix-field-accesses-beyond-end-of-packet.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/x25-fix-field-accesses-beyond-end-of-packet.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/x25-fix-field-accesses-beyond-end-of-packet.patch)
@@ -0,0 +1,178 @@
+commit f5eb917b861828da18dc28854308068c66d1449a
+Author: John Hughes <john at calva.com>
+Date:   Wed Apr 7 21:29:25 2010 -0700
+
+    x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
+    
+    Here is a patch to stop X.25 examining fields beyond the end of the packet.
+    
+    For example, when a simple CALL ACCEPTED was received:
+    
+    	10 10 0f
+    
+    x25_parse_facilities was attempting to decode the FACILITIES field, but this
+    packet contains no facilities field.
+    
+    Signed-off-by: John Hughes <john at calva.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/include/net/x25.h b/include/net/x25.h
+index 9baa07d..33f67fb 100644
+--- a/include/net/x25.h
++++ b/include/net/x25.h
+@@ -182,6 +182,10 @@ extern int  sysctl_x25_clear_request_timeout;
+ extern int  sysctl_x25_ack_holdback_timeout;
+ extern int  sysctl_x25_forward;
+ 
++extern int x25_parse_address_block(struct sk_buff *skb,
++		struct x25_address *called_addr,
++		struct x25_address *calling_addr);
++
+ extern int  x25_addr_ntoa(unsigned char *, struct x25_address *,
+ 			  struct x25_address *);
+ extern int  x25_addr_aton(unsigned char *, struct x25_address *,
+diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
+index 9796f3e..fe26c01 100644
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -82,6 +82,41 @@ struct compat_x25_subscrip_struct {
+ };
+ #endif
+ 
++
++int x25_parse_address_block(struct sk_buff *skb,
++		struct x25_address *called_addr,
++		struct x25_address *calling_addr)
++{
++	unsigned char len;
++	int needed;
++	int rc;
++
++	if (skb->len < 1) {
++		/* packet has no address block */
++		rc = 0;
++		goto empty;
++	}
++
++	len = *skb->data;
++	needed = 1 + (len >> 4) + (len & 0x0f);
++
++	if (skb->len < needed) {
++		/* packet is too short to hold the addresses it claims
++		   to hold */
++		rc = -1;
++		goto empty;
++	}
++
++	return x25_addr_ntoa(skb->data, called_addr, calling_addr);
++
++empty:
++	*called_addr->x25_addr = 0;
++	*calling_addr->x25_addr = 0;
++
++	return rc;
++}
++
++
+ int x25_addr_ntoa(unsigned char *p, struct x25_address *called_addr,
+ 		  struct x25_address *calling_addr)
+ {
+@@ -921,16 +956,26 @@ int x25_rx_call_request(struct sk_buff *skb, struct x25_neigh *nb,
+ 	/*
+ 	 *	Extract the X.25 addresses and convert them to ASCII strings,
+ 	 *	and remove them.
++	 *
++	 *	Address block is mandatory in call request packets
+ 	 */
+-	addr_len = x25_addr_ntoa(skb->data, &source_addr, &dest_addr);
++	addr_len = x25_parse_address_block(skb, &source_addr, &dest_addr);
++	if (addr_len <= 0)
++		goto out_clear_request;
+ 	skb_pull(skb, addr_len);
+ 
+ 	/*
+ 	 *	Get the length of the facilities, skip past them for the moment
+ 	 *	get the call user data because this is needed to determine
+ 	 *	the correct listener
++	 *
++	 *	Facilities length is mandatory in call request packets
+ 	 */
++	if (skb->len < 1)
++		goto out_clear_request;
+ 	len = skb->data[0] + 1;
++	if (skb->len < len)
++		goto out_clear_request;
+ 	skb_pull(skb,len);
+ 
+ 	/*
+diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
+index a21f664..a2765c6 100644
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -35,7 +35,7 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 		struct x25_dte_facilities *dte_facs, unsigned long *vc_fac_mask)
+ {
+ 	unsigned char *p = skb->data;
+-	unsigned int len = *p++;
++	unsigned int len;
+ 
+ 	*vc_fac_mask = 0;
+ 
+@@ -50,6 +50,14 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 	memset(dte_facs->called_ae, '\0', sizeof(dte_facs->called_ae));
+ 	memset(dte_facs->calling_ae, '\0', sizeof(dte_facs->calling_ae));
+ 
++	if (skb->len < 1)
++		return 0;
++
++	len = *p++;
++
++	if (len >= skb->len)
++		return -1;
++
+ 	while (len > 0) {
+ 		switch (*p & X25_FAC_CLASS_MASK) {
+ 		case X25_FAC_CLASS_A:
+@@ -247,6 +255,8 @@ int x25_negotiate_facilities(struct sk_buff *skb, struct sock *sk,
+ 	memcpy(new, ours, sizeof(*new));
+ 
+ 	len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask);
++	if (len < 0)
++		return len;
+ 
+ 	/*
+ 	 *	They want reverse charging, we won't accept it.
+diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
+index 96d9227..b39072f 100644
+--- a/net/x25/x25_in.c
++++ b/net/x25/x25_in.c
+@@ -89,6 +89,7 @@ static int x25_queue_rx_frame(struct sock *sk, struct sk_buff *skb, int more)
+ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametype)
+ {
+ 	struct x25_address source_addr, dest_addr;
++	int len;
+ 
+ 	switch (frametype) {
+ 		case X25_CALL_ACCEPTED: {
+@@ -106,11 +107,17 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
+ 			 *	Parse the data in the frame.
+ 			 */
+ 			skb_pull(skb, X25_STD_MIN_LEN);
+-			skb_pull(skb, x25_addr_ntoa(skb->data, &source_addr, &dest_addr));
+-			skb_pull(skb,
+-				 x25_parse_facilities(skb, &x25->facilities,
++
++			len = x25_parse_address_block(skb, &source_addr,
++						&dest_addr);
++			if (len > 0)
++				skb_pull(skb, len);
++
++			len = x25_parse_facilities(skb, &x25->facilities,
+ 						&x25->dte_facilities,
+-						&x25->vc_facil_mask));
++						&x25->vc_facil_mask);
++			if (len > 0)
++				skb_pull(skb, len);
+ 			/*
+ 			 *	Copy any Call User Data.
+ 			 */
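Review bot: In x25_parse_address_block() the bound `needed = 1 + (len >> 4) + (len & 0x0f);` adds the two nibble counts as if they were byte counts. If, as in the X.25 address block format, they count BCD digits packed two per byte (x25_addr_ntoa() is outside this hunk), the check demands roughly twice the bytes actually present and rejects valid short packets; `needed = 1 + ((len >> 4) + (len & 0x0f) + 1) / 2;` matches the encoded size. Separately, x25_state1_machine() ignores a negative return from the new helper and goes on to parse facilities at the same offset.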

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/x25-fix-memory-corruption-in-facilities-parsing.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/x25-fix-memory-corruption-in-facilities-parsing.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/x25-fix-memory-corruption-in-facilities-parsing.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/x25-fix-memory-corruption-in-facilities-parsing.patch)
@@ -0,0 +1,47 @@
+commit 5dc84345aee17d6e4feda954e0fd835c95120b5c
+Author: andrew hendry <andrew.hendry at gmail.com>
+Date:   Wed Nov 3 12:54:53 2010 +0000
+
+    memory corruption in X.25 facilities parsing
+    
+    Signed-of-by: Andrew Hendry <andrew.hendry at gmail.com>
+    
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
+index a2765c6..79cf932 100644
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -134,15 +134,15 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 		case X25_FAC_CLASS_D:
+ 			switch (*p) {
+ 			case X25_FAC_CALLING_AE:
+-				if (p[1] > X25_MAX_DTE_FACIL_LEN)
+-					break;
++				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
++					return 0;
+ 				dte_facs->calling_len = p[2];
+ 				memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
+ 				*vc_fac_mask |= X25_MASK_CALLING_AE;
+ 				break;
+ 			case X25_FAC_CALLED_AE:
+-				if (p[1] > X25_MAX_DTE_FACIL_LEN)
+-					break;
++				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
++					return 0;
+ 				dte_facs->called_len = p[2];
+ 				memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
+ 				*vc_fac_mask |= X25_MASK_CALLED_AE;
+diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
+index 5695065..88d7652 100644
+--- a/net/x25/x25_in.c
++++ b/net/x25/x25_in.c
+@@ -118,6 +118,8 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
+ 						&x25->vc_facil_mask);
+ 			if (len > 0)
+ 				skb_pull(skb, len);
++			else
++				return -1;
+ 			/*
+ 			 *	Copy any Call User Data.
+ 			 */
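Review bot: The new `return 0;` for a bad CALLING_AE/CALLED_AE length in x25_parse_facilities() collides with the `return 0` that the previous patch uses for a packet with no facilities field, and the added `else return -1;` in x25_state1_machine() then rejects both. As far as the hunks show, a bare CALL ACCEPTED without facilities, the case the previous patch set out to accept, would now be dropped. Returning `-1` for the malformed lengths and testing `else if (len < 0) return -1;` in the state machine keeps the two cases apart, and x25_negotiate_facilities() already checks `len < 0`. The `return 0;` guards added by the following patch have the same ambiguity. The function's final return value is outside these hunks.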

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch)
@@ -0,0 +1,69 @@
+commit 912cc939a980785d6d285bde16e4a3e37cee9b33
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Fri Nov 12 12:44:42 2010 -0800
+
+    x25: Prevent crashing when parsing bad X.25 facilities
+    
+    Now with improved comma support.
+    
+    On parsing malformed X.25 facilities, decrementing the remaining length
+    may cause it to underflow.  Since the length is an unsigned integer,
+    this will result in the loop continuing until the kernel crashes.
+    
+    This patch adds checks to ensure decrementing the remaining length does
+    not cause it to wrap around.
+    
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
+index 79cf932..804afd3 100644
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -61,6 +61,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 	while (len > 0) {
+ 		switch (*p & X25_FAC_CLASS_MASK) {
+ 		case X25_FAC_CLASS_A:
++			if (len < 2)
++				return 0;
+ 			switch (*p) {
+ 			case X25_FAC_REVERSE:
+ 				if((p[1] & 0x81) == 0x81) {
+@@ -104,6 +106,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 			len -= 2;
+ 			break;
+ 		case X25_FAC_CLASS_B:
++			if (len < 3)
++				return 0;
+ 			switch (*p) {
+ 			case X25_FAC_PACKET_SIZE:
+ 				facilities->pacsize_in  = p[1];
+@@ -125,6 +129,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 			len -= 3;
+ 			break;
+ 		case X25_FAC_CLASS_C:
++			if (len < 4)
++				return 0;
+ 			printk(KERN_DEBUG "X.25: unknown facility %02X, "
+ 			       "values %02X, %02X, %02X\n",
+ 			       p[0], p[1], p[2], p[3]);
+@@ -132,6 +138,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 			len -= 4;
+ 			break;
+ 		case X25_FAC_CLASS_D:
++			if (len < p[1] + 2)
++				return 0;
+ 			switch (*p) {
+ 			case X25_FAC_CALLING_AE:
+ 				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
+@@ -149,9 +157,7 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
+ 				break;
+ 			default:
+ 				printk(KERN_DEBUG "X.25: unknown facility %02X,"
+-					"length %d, values %02X, %02X, "
+-					"%02X, %02X\n",
+-					p[0], p[1], p[2], p[3], p[4], p[5]);
++					"length %d\n", p[0], p[1]);
+ 				break;
+ 			}
+ 			len -= p[1] + 2;
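Review bot: The class D guard `if (len < p[1] + 2)` reads `p[1]` before establishing that a second byte remains, so with one byte left in the facilities field it looks at the byte after that field. `if (len < 2 || len < p[1] + 2)` orders the checks the way the class A, B and C guards do, which test a constant length first. The loop's setup and exit are outside these hunks.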

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/xfs-prevent-reading-uninitialized-stack-memory.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/xfs-prevent-reading-uninitialized-stack-memory.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/xfs-prevent-reading-uninitialized-stack-memory.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/all/xfs-prevent-reading-uninitialized-stack-memory.patch)
@@ -0,0 +1,29 @@
+commit 3df0537450fc7726a21c2c85f9fe8cb2d47d0fb6
+Author: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+Date:   Mon Sep 6 18:24:57 2010 -0400
+
+    xfs: prevent reading uninitialized stack memory
+    
+    The XFS_IOC_FSGETXATTR ioctl allows unprivileged users to read 12
+    bytes of uninitialized stack memory, because the fsxattr struct
+    declared on the stack in xfs_ioc_fsgetxattr() does not alter (or zero)
+    the 12-byte fsx_pad member before copying it back to the user.  This
+    patch takes care of it.
+    
+    Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+    Reviewed-by: Eric Sandeen <sandeen at redhat.com>
+    Signed-off-by: Alex Elder <aelder at sgi.com>
+
+diff --git a/fs/xfs/linux-2.6/xfs_ioctl.c b/fs/xfs/linux-2.6/xfs_ioctl.c
+index a42ba9d..de2e754 100644
+--- a/fs/xfs/linux-2.6/xfs_ioctl.c
++++ b/fs/xfs/linux-2.6/xfs_ioctl.c
+@@ -847,6 +847,8 @@ xfs_ioc_fsgetxattr(
+ {
+ 	struct fsxattr		fa;
+ 
++	memset(&fa, 0, sizeof(struct fsxattr));
++
+ 	xfs_ilock(ip, XFS_ILOCK_SHARED);
+ 	fa.fsx_xflags = xfs_ip2xflags(ip);
+ 	fa.fsx_extsize = ip->i_d.di_extsize << ip->i_mount->m_sb.sb_blocklog;

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/x86/kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/x86/kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch)
@@ -0,0 +1,44 @@
+commit 370c6b5200b04645ab1b00bad931ae899cd55471
+Author: Gleb Natapov <gleb at redhat.com>
+Date:   Wed Nov 10 12:08:12 2010 +0200
+
+    KVM: VMX: fix vmx null pointer dereference on debug register access
+    
+    There is a bug in KVM that can be used to crash a host on Intel
+    machines. If emulator is tricked into emulating mov to/from DR instruction
+    it causes NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr
+    are not initialized. Recently this is not exploitable from guest
+    userspace, but malicious guest kernel can trigger it easily.
+    
+    CVE-2010-0435
+    
+    On upstream bug was fixed differently around 2.6.34.
+    
+    Signed-off-by: Gleb Natapov <gleb at redhat.com>
+    Signed-off-by: Avi Kivity <avi at redhat.com>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+    [dannf: adjusted to apply to Debian's 2.6.26]
+
+diff -urpN a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+--- a/arch/x86/kvm/x86.c	2010-12-29 10:52:59.402636320 -0700
++++ b/arch/x86/kvm/x86.c	2010-12-29 11:26:30.646136793 -0700
+@@ -2113,6 +2113,9 @@ int emulator_get_dr(struct x86_emulate_c
+ {
+ 	struct kvm_vcpu *vcpu = ctxt->vcpu;
+ 
++	if (!kvm_x86_ops->get_dr)
++		return X86EMUL_UNHANDLEABLE;
++
+ 	switch (dr) {
+ 	case 0 ... 3:
+ 		*dest = kvm_x86_ops->get_dr(vcpu, dr);
+@@ -2128,6 +2131,9 @@ int emulator_set_dr(struct x86_emulate_c
+ 	unsigned long mask = (ctxt->mode == X86EMUL_MODE_PROT64) ? ~0ULL : ~0U;
+ 	int exception;
+ 
++	if (!kvm_x86_ops->set_dr)
++		return X86EMUL_UNHANDLEABLE;
++
+ 	kvm_x86_ops->set_dr(ctxt->vcpu, dr, value & mask, &exception);
+ 	if (exception) {
+ 		/* FIXME: better handling */
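Review bot: The added NULL tests in emulator_get_dr() and emulator_set_dr() have no comment saying when `kvm_x86_ops->get_dr` and `set_dr` can be unset. Going by the commit message this is the VMX case, so `/* not provided on VMX: refuse to emulate instead of calling through a NULL pointer */` above each test would record it. How callers treat X86EMUL_UNHANDLEABLE is outside these hunks and worth confirming, since the request originates from a guest.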

Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/thinkpad-acpi-lock-down-video-output-state-access.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/x86/thinkpad-acpi-lock-down-video-output-state-access.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/thinkpad-acpi-lock-down-video-output-state-access.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/bugfix/x86/thinkpad-acpi-lock-down-video-output-state-access.patch)
@@ -0,0 +1,95 @@
+commit 013d46c61ea18bec76c436b441a93690b0c74b48
+Author: Henrique de Moraes Holschuh <hmh at hmh.eng.br>
+Date:   Thu Feb 25 22:22:22 2010 -0300
+
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    thinkpad-acpi: lock down video output state access
+    
+    Given the right combination of ThinkPad and X.org, just reading the
+    video output control state is enough to hard-crash X.org.
+    
+    Until the day I somehow find out a model or BIOS cut date to not
+    provide this feature to ThinkPads that can do video switching through
+    X RandR, change permissions so that only processes with CAP_SYS_ADMIN
+    can access any sort of video output control state.
+    
+    This bug could be considered a local DoS I suppose, as it allows any
+    non-privledged local user to cause some versions of X.org to
+    hard-crash some ThinkPads.
+    
+    Reported-by: Jidanni <jidanni at jidanni.org>
+    Signed-off-by: Henrique de Moraes Holschuh <hmh at hmh.eng.br>
+    Cc: stable at kernel.org
+
+diff --git a/Documentation/laptops/thinkpad-acpi.txt b/Documentation/laptops/thinkpad-acpi.txt
+index 64b3f14..aea8fcd 100644
+--- a/Documentation/laptops/thinkpad-acpi.txt
++++ b/Documentation/laptops/thinkpad-acpi.txt
+@@ -663,6 +663,10 @@ LCD, CRT or DVI (if available). The following commands are available:
+ 	echo expand_toggle > /proc/acpi/ibm/video
+ 	echo video_switch > /proc/acpi/ibm/video
+ 
++NOTE: Access to this feature is restricted to processes owning the
++CAP_SYS_ADMIN capability for safety reasons, as it can interact badly
++enough with some versions of X.org to crash it.
++
+ Each video output device can be enabled or disabled individually.
+ Reading /proc/acpi/ibm/video shows the status of each device.
+ 
+diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig
+index 8d62fb0..bcd3fa2 100644
+--- a/drivers/misc/Kconfig
++++ b/drivers/misc/Kconfig
+@@ -310,9 +310,15 @@ config THINKPAD_ACPI_VIDEO
+ 	  server running, phase of the moon, and the current mood of
+ 	  Schroedinger's cat.  If you can use X.org's RandR to control
+ 	  your ThinkPad's video output ports instead of this feature,
+-	  don't think twice: do it and say N here to save some memory.
++	  don't think twice: do it and say N here to save memory and avoid
++	  bad interactions with X.org.
+ 
+-	  If you are not sure, say Y here.
++	  NOTE: access to this feature is limited to processes with the
++	  CAP_SYS_ADMIN capability, to avoid local DoS issues in platforms
++	  where it interacts badly with X.org.
++
++	  If you are not sure, say Y here but do try to check if you could
++	  be using X.org RandR instead.
+ 
+ config THINKPAD_ACPI_HOTKEY_POLL
+ 	bool "Suport NVRAM polling for hot keys"
+diff --git a/drivers/misc/thinkpad_acpi.c b/drivers/misc/thinkpad_acpi.c
+index b596929..e6b0c04 100644
+--- a/drivers/misc/thinkpad_acpi.c
++++ b/drivers/misc/thinkpad_acpi.c
+@@ -214,6 +214,7 @@ struct ibm_init_struct {
+ 	char param[32];
+ 
+ 	int (*init) (struct ibm_init_struct *);
++	mode_t base_procfs_mode;
+ 	struct ibm_struct *data;
+ };
+ 
+@@ -3169,6 +3170,10 @@ static int video_read(char *p)
+ 		return len;
+ 	}
+ 
++	/* Even reads can crash X.org, so... */
++	if (!capable(CAP_SYS_ADMIN))
++		return -EPERM;
++
+ 	status = video_outputsw_get();
+ 	if (status < 0)
+ 		return status;
+@@ -3202,6 +3207,10 @@ static int video_write(char *buf)
+ 	if (video_supported == TPACPI_VIDEO_NONE)
+ 		return -ENODEV;
+ 
++	/* Even reads can crash X.org, let alone writes... */
++	if (!capable(CAP_SYS_ADMIN))
++		return -EPERM;
++
+ 	enable = 0;
+ 	disable = 0;
+ 
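Review bot: The `mode_t base_procfs_mode;` member added to `struct ibm_init_struct` is never assigned or read in any hunk of this backport, so the /proc/acpi/ibm/video entry appears to keep its existing file mode and the lockdown rests only on the `capable(CAP_SYS_ADMIN)` checks in `video_read()` and `video_write()`. Those checks are evaluated against the task performing the read or write, not the one that opened the file. Either wire the field into procfs entry creation so the file is also created owner-only, or drop the unused member and record it in the patch header, e.g. `[dannf: procfs mode change not backported; access gated by capable() only]`. Both function bodies continue outside the hunks.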

Copied: dists/lenny/linux-2.6/debian/patches/debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch)
@@ -0,0 +1,34 @@
+From e8e7c6dabb1049086882b1160895598ec9492b57 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Fri, 19 Nov 2010 02:12:48 +0000
+Subject: [PATCH 3/3] econet: Disable auto-loading as mitigation against local exploits
+
+Recent review has revealed several bugs in obscure protocol
+implementations that can be exploited by local users for denial of
+service or privilege escalation.  We can mitigate the effect of any
+remaining vulnerabilities in such protocols by preventing unprivileged
+users from loading the modules, so that they are only exploitable on
+systems where the administrator has chosen to load the protocol.
+
+The 'econet' protocol is unmaintained and is of mainly historical
+interest.  The Debian system does not appear to include any applications
+that use it.  Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/econet/af_econet.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
+index 0e0254f..60a38f7 100644
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -1171,4 +1171,4 @@ module_init(econet_proto_init);
+ module_exit(econet_proto_exit);
+ 
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS_NETPROTO(PF_ECONET);
++/* MODULE_ALIAS_NETPROTO(PF_ECONET); */
+-- 
+1.7.2.3
+
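Review bot: The commented-out `MODULE_ALIAS_NETPROTO(PF_ECONET);` in net/econet/af_econet.c carries no explanation in the source, so the reason for disabling it is only discoverable from the patch header. A one-line comment would keep the alias from being restored by accident during a later refresh, e.g. `/* Auto-loading deliberately disabled as a mitigation; load econet explicitly if required. */`. The comment could also state that only the alias is removed, so hosts where the module is already loaded are unaffected by this change.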

Copied: dists/lenny/linux-2.6/debian/patches/debian/exec-Get-rid-of-linux_binprm-vma_pages.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/debian/exec-Get-rid-of-linux_binprm-vma_pages.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/debian/exec-Get-rid-of-linux_binprm-vma_pages.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/debian/exec-Get-rid-of-linux_binprm-vma_pages.patch)
@@ -0,0 +1,120 @@
+commit 4e23932a029c81d85addac636acce96e9e1f3eab
+Author: dann frazier <dann.frazier at canonical.com>
+Date:   Wed Jan 12 22:30:18 2011 -0700
+
+    From 5e91f59665165f91f97746439e53cc520bb42b97 Mon Sep 17 00:00:00 2001
+    From: Ben Hutchings <ben at decadent.org.uk>
+    Date: Mon, 3 Jan 2011 03:31:58 +0000
+    Subject: [PATCH] exec: Get rid of linux_binprm::vma_pages
+    
+    Adding linux_binprm::vma_pages is an ABI-breaker and we can't hide it
+    because the structure is allocated directly by modules.  However it's
+    just a cache of vma_pages(bprm->vma), so:
+    
+    - We can work out and pass in the old value from get_arg_page()
+    - The calls to acct_arg_size(bprm, 0) are redundant, since
+      neither the cache nor the dead mm need to be updated
+    
+    Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+    [dannf: Backported to Debian's 2.6.26]
+
+diff --git a/fs/compat.c b/fs/compat.c
+index ed8008c..df5361f 100644
+--- a/fs/compat.c
++++ b/fs/compat.c
+@@ -1415,7 +1415,6 @@ out:
+ 
+ out_mm:
+ 	if (bprm->mm) {
+-		acct_arg_size(bprm, 0);
+ 		mmput(bprm->mm);
+ 	}
+ 
+diff --git a/fs/exec.c b/fs/exec.c
+index ab1bada..6b7c7dd 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -159,16 +159,15 @@ exit:
+ 
+ #ifdef CONFIG_MMU
+ 
+-void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
++static void acct_arg_size(struct linux_binprm *bprm, unsigned long pages,
++			  unsigned long old_pages)
+ {
+ 	struct mm_struct *mm = current->mm;
+-	long diff = (long)(pages - bprm->vma_pages);
++	long diff = (long)(pages - old_pages);
+ 
+ 	if (!mm || !diff)
+ 		return;
+ 
+-	bprm->vma_pages = pages;
+-
+ 	down_write(&mm->mmap_sem);
+ 	mm->total_vm += diff;
+ 	up_write(&mm->mmap_sem);
+@@ -177,6 +176,8 @@ void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
+ struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+ 		int write)
+ {
++	unsigned long old_vma_pages =
++		(bprm->vma->vm_end - bprm->vma->vm_start) / PAGE_SIZE;
+ 	struct page *page;
+ 	int ret;
+ 
+@@ -196,7 +197,7 @@ struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+ 		unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start;
+ 		struct rlimit *rlim;
+ 
+-		acct_arg_size(bprm, size / PAGE_SIZE);
++		acct_arg_size(bprm, size / PAGE_SIZE, old_vma_pages);
+ 
+ 		/*
+ 		 * We've historically supported up to 32 pages (ARG_MAX)
+@@ -294,7 +295,8 @@ static bool valid_arg_len(struct linux_binprm *bprm, long len)
+ 
+ #else
+ 
+-void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
++static void acct_arg_size(struct linux_binprm *bprm, unsigned long pages,
++			  unsigned long old_pages)
+ {
+ }
+ 
+@@ -988,7 +990,6 @@ int flush_old_exec(struct linux_binprm * bprm)
+ 	/*
+ 	 * Release all of the old mmap stuff
+ 	 */
+-	acct_arg_size(bprm, 0);
+ 	retval = exec_mmap(bprm->mm);
+ 	if (retval)
+ 		goto out;
+@@ -1379,7 +1380,6 @@ out:
+ 
+ out_mm:
+ 	if (bprm->mm) {
+-		acct_arg_size(bprm, 0);
+ 		mmput(bprm->mm);
+ 	}
+ 
+diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
+index b7b836e..ffb7f1a 100644
+--- a/include/linux/binfmts.h
++++ b/include/linux/binfmts.h
+@@ -28,7 +28,6 @@ struct linux_binprm{
+ 	char buf[BINPRM_BUF_SIZE];
+ #ifdef CONFIG_MMU
+ 	struct vm_area_struct *vma;
+-	unsigned long vma_pages;
+ #else
+ # define MAX_ARG_PAGES	32
+ 	struct page *page[MAX_ARG_PAGES];
+@@ -52,7 +51,6 @@ struct linux_binprm{
+ 	unsigned long loader, exec;
+ };
+ 
+-extern void acct_arg_size(struct linux_binprm *bprm, unsigned long pages);
+ extern struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+ 					int write);
+ 
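Review bot: Dropping the `acct_arg_size(bprm, 0)` calls at `out_mm:` in fs/exec.c and fs/compat.c looks unsafe for a failed exec: `acct_arg_size()` adds the page delta to `current->mm->total_vm`, and on those error paths the caller keeps running on that mm, so the argument pages charged from `get_arg_page()` appear never to be subtracted again. The patch header describes the mm as dead, which seems to hold only after a successful `exec_mmap()`; please confirm, since a task sharing the mm would also keep the inflated count after `flush_old_exec()`. If the reset is needed, the failure paths have to pass the amount charged so far, e.g. `acct_arg_size(bprm, 0, pages_charged)` (`pages_charged` is a placeholder for a value this patch no longer stores), and the function cannot be `static` while fs/compat.c calls it. The enclosing functions start and end outside the hunks.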

Modified: dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch	Sun Jan 30 23:26:56 2011	(r16858)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch	Mon Jan 31 00:21:49 2011	(r16859)
@@ -37840,14 +37840,6 @@
 index 32c254a..58506ef 100644
 --- a/kernel/compat.c
 +++ b/kernel/compat.c
-@@ -22,6 +22,7 @@
- #include <linux/security.h>
- #include <linux/timex.h>
- #include <linux/migrate.h>
-+#include <linux/module.h>
- #include <linux/posix-timers.h>
- 
- #include <asm/uaccess.h>
 @@ -40,7 +41,7 @@ int put_compat_timespec(const struct timespec *ts, struct compat_timespec __user
  			__put_user(ts->tv_nsec, &cts->tv_nsec)) ? -EFAULT : 0;
  }
@@ -72427,15 +72419,15 @@
  		if (!fpl)
  			return -ENOMEM;
  		*fplp = fpl;
-@@ -282,7 +285,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
- 	if (!fpl)
+@@ -301,7 +304,7 @@ struct scm_fp_list *scm_fp_dup(struct sc
  		return NULL;
  
--	new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL);
-+	new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL_UBC);
+ 	new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
+-			  GFP_KERNEL);
++			  GFP_KERNEL_UBC);
  	if (new_fpl) {
  		INIT_LIST_HEAD(&new_fpl->list);
- 		for (i=fpl->count-1; i>=0; i--)
+ 		for (i = 0; i < fpl->count; i++)
 diff --git a/net/core/skbuff.c b/net/core/skbuff.c
 index 3666216..b82442c 100644
 --- a/net/core/skbuff.c

Copied: dists/lenny/linux-2.6/debian/patches/features/all/xen/CVE-2010-3699.patch (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/features/all/xen/CVE-2010-3699.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/features/all/xen/CVE-2010-3699.patch	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/features/all/xen/CVE-2010-3699.patch)
@@ -0,0 +1,175 @@
+
+# HG changeset patch
+# User Keir Fraser <keir at xen.org>
+# Date 1290520718 0
+# Node ID 59f097ef181b2d131fdc72a56071b964d771bcaa
+# Parent 26562626c866026c62c4be83b4c4c87b4cdc31a4
+blkback/blktap/netback: Fix CVE-2010-3699
+
+A guest can cause the backend driver to leak a kernel
+thread. Such leaked threads hold references to the device, whichmakes
+the device impossible to tear down. If shut down, the guest remains a
+zombie domain, the xenwatch process hangs, and most xm commands will
+stop working.
+
+This patch tries to do the following, for all of netback, blkback,
+blktap:
+    - identify/extract idempotent teardown operations,
+    - add/move the invocation of said teardown operation
+      right before we're about to allocate new resources in the
+      Connected states.
+
+Signed-off-by: Laszlo Ersek <lersek at redhat.com>
+[dannf: backported to Debian's 2.6.26]
+
+diff -urpN a/drivers/xen/blkback/xenbus.c b/drivers/xen/blkback/xenbus.c
+--- a/drivers/xen/blkback/xenbus.c	2011-01-17 11:24:08.076823267 -0700
++++ b/drivers/xen/blkback/xenbus.c	2011-01-17 11:25:27.292740125 -0700
+@@ -370,6 +370,11 @@ static void frontend_changed(struct xenb
+ 		if (dev->state == XenbusStateConnected)
+ 			break;
+ 
++		/* Enforce precondition before potential leak point.
++		 * blkif_disconnect() is idempotent.
++		 */
++		blkif_disconnect(be->blkif);
++
+ 		err = connect_ring(be);
+ 		if (err)
+ 			break;
+@@ -387,6 +392,7 @@ static void frontend_changed(struct xenb
+ 			break;
+ 		/* fall through if not online */
+ 	case XenbusStateUnknown:
++		/* implies blkif_disconnect() via blkback_remove() */
+ 		device_unregister(&dev->dev);
+ 		break;
+ 
+diff -urpN a/drivers/xen/blktap/xenbus.c b/drivers/xen/blktap/xenbus.c
+--- a/drivers/xen/blktap/xenbus.c	2011-01-17 11:24:08.110240977 -0700
++++ b/drivers/xen/blktap/xenbus.c	2011-01-17 11:26:12.704741295 -0700
+@@ -325,6 +325,18 @@ static void tap_backend_changed(struct x
+ 	tap_update_blkif_status(be->blkif);
+ }
+ 
++
++static void blkif_disconnect(blkif_t *blkif)
++{
++	if (blkif->xenblkd) {
++		kthread_stop(blkif->xenblkd);
++		blkif->xenblkd = NULL;
++	}
++
++	/* idempotent */
++	tap_blkif_free(blkif);
++}
++
+ /**
+  * Callback received when the frontend's state changes.
+  */
+@@ -353,6 +365,11 @@ static void tap_frontend_changed(struct
+ 		if (dev->state == XenbusStateConnected)
+ 			break;
+ 
++		/* Enforce precondition before potential leak point.
++		 * blkif_disconnect() is idempotent.
++		 */
++		blkif_disconnect(be->blkif);
++
+ 		err = connect_ring(be);
+ 		if (err)
+ 			break;
+@@ -360,10 +377,7 @@ static void tap_frontend_changed(struct
+ 		break;
+ 
+ 	case XenbusStateClosing:
+-		if (be->blkif->xenblkd) {
+-			kthread_stop(be->blkif->xenblkd);
+-			be->blkif->xenblkd = NULL;
+-		}
++		blkif_disconnect(be->blkif);
+ 		xenbus_switch_state(dev, XenbusStateClosing);
+ 		break;
+ 
+@@ -373,6 +387,9 @@ static void tap_frontend_changed(struct
+ 			break;
+ 		/* fall through if not online */
+ 	case XenbusStateUnknown:
++		/* Implies the effects of blkif_disconnect() via
++		 * blktap_remove().
++		 */
+ 		device_unregister(&dev->dev);
+ 		break;
+ 
+diff -urpN a/drivers/xen/netback/xenbus.c b/drivers/xen/netback/xenbus.c
+--- a/drivers/xen/netback/xenbus.c	2011-01-17 11:24:08.192741299 -0700
++++ b/drivers/xen/netback/xenbus.c	2011-01-17 11:27:35.940742945 -0700
+@@ -32,6 +32,7 @@
+ static int connect_rings(struct backend_info *);
+ static void connect(struct backend_info *);
+ static void backend_create_netif(struct backend_info *be);
++static void netback_disconnect(struct device *);
+ 
+ static int netback_remove(struct xenbus_device *dev)
+ {
+@@ -39,16 +40,22 @@ static int netback_remove(struct xenbus_
+ 
+ 	netback_remove_accelerators(be, dev);
+ 
+-	if (be->netif) {
+-		kobject_uevent(&dev->dev.kobj, KOBJ_OFFLINE);
+-		netif_disconnect(be->netif);
+-		be->netif = NULL;
+-	}
++	netback_disconnect(&dev->dev);
+ 	kfree(be);
+ 	dev->dev.driver_data = NULL;
+ 	return 0;
+ }
+ 
++static void netback_disconnect(struct device *xbdev_dev)
++{
++	struct backend_info *be = xbdev_dev->driver_data;
++
++	if (be->netif) {
++		kobject_uevent(&xbdev_dev->kobj, KOBJ_OFFLINE);
++		netif_disconnect(be->netif);
++		be->netif = NULL;
++	}
++}
+ 
+ /**
+  * Entry point to this code when a new device is created.  Allocate the basic
+@@ -226,17 +233,19 @@ static void frontend_changed(struct xenb
+ 		break;
+ 
+ 	case XenbusStateConnected:
++
++		/* Enforce precondition before potential leak point.
++		 * netback_disconnect() is idempotent.
++		 */
++		netback_disconnect(&dev->dev);
++
+ 		backend_create_netif(be);
+ 		if (be->netif)
+ 			connect(be);
+ 		break;
+ 
+ 	case XenbusStateClosing:
+-		if (be->netif) {
+-			kobject_uevent(&dev->dev.kobj, KOBJ_OFFLINE);
+-			netif_disconnect(be->netif);
+-			be->netif = NULL;
+-		}
++		netback_disconnect(&dev->dev);
+ 		xenbus_switch_state(dev, XenbusStateClosing);
+ 		break;
+ 
+@@ -246,6 +255,7 @@ static void frontend_changed(struct xenb
+ 			break;
+ 		/* fall through if not online */
+ 	case XenbusStateUnknown:
++		/* implies netback_disconnect() via netback_remove() */
+ 		device_unregister(&dev->dev);
+ 		break;
+ 
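Review bot: In netback's `frontend_changed()`, the new `netback_disconnect(&dev->dev);` in the `XenbusStateConnected` case runs unconditionally, whereas the blkback and blktap hunks place `blkif_disconnect()` after the existing `if (dev->state == XenbusStateConnected) break;` guard. As written, each time the frontend writes Connected the backend tears the interface down, emits `KOBJ_OFFLINE` and rebuilds it, so the rate of that churn in the driver domain is set by the guest. Consider the same early-out here, `if (dev->state == XenbusStateConnected) break;`, provided netback's `connect()` moves the backend to Connected, which is not visible in this hunk. The function body continues outside the hunk.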

Copied: dists/lenny/linux-2.6/debian/patches/series/25lenny1 (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/series/25lenny1)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/25lenny1	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/series/25lenny1)
@@ -0,0 +1,5 @@
++ bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
++ bugfix/all/compat-make-compat_alloc_user_space-incorporate-the_access_ok.patch
++ bugfix/all/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
++ bugfix/all/xfs-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/ecryptfs-bugfix-for-error-related-to-ecryptfs_hash_buckets.patch

Copied: dists/lenny/linux-2.6/debian/patches/series/26lenny1 (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/series/26lenny1)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/26lenny1	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/series/26lenny1)
@@ -0,0 +1,33 @@
++ bugfix/all/net-sched-fix-kernel-leak-in-act_police.patch
++ bugfix/all/aio-check-for-multiplication-overflow-in-do_io_submit.patch
++ bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/net-eql-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch
++ bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
++ bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
++ bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
++ bugfix/x86/thinkpad-acpi-lock-down-video-output-state-access.patch
++ bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
++ bugfix/all/setup_arg_pages-diagnose-excessive-argument-size.patch
++ bugfix/all/x25-fix-field-accesses-beyond-end-of-packet.patch
++ bugfix/all/x25-fix-memory-corruption-in-facilities-parsing.patch
++ bugfix/all/sys_semctl-fix-kernel-stack-leakage.patch
++ bugfix/all/rme9652-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/ivtvfb-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/video-sis-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/x25-prevent-crashing-when-parsing-bad-facilities.patch
++ bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch
++ bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch
++ bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch
++ bugfix/all/net-ax25-fix-information-leak-to-userland.patch
++ bugfix/all/can-bcm-fix-minor-heap-overflow.patch
++ bugfix/all/net-tipc-fix-information-leak-to-userland.patch
++ bugfix/all/inet_diag-make-sure-we-actually-run-the-same-bytecode-we-audited.patch
++ bugfix/all/ipc-shm-fix-information-leak-to-userland.patch
++ bugfix/all/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch
++ bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch
++ bugfix/all/gdth-integer-overflow-in-ioctl.patch
++ bugfix/all/econet-fix-redeclaration-of-symbol-len.patch
++ bugfix/all/econet-disallow-NULL-remote-addr-for-sendmsg.patch
++ bugfix/all/econet-add-missing-check-for-CAP_NET_ADMIN.patch
++ bugfix/all/econet-coalesced-iovec.patch

Copied: dists/lenny/linux-2.6/debian/patches/series/26lenny2 (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/series/26lenny2)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/26lenny2	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/series/26lenny2)
@@ -0,0 +1,23 @@
++ bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch
++ bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
++ bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
++ bugfix/all/bluetooth-fix-missing-NULL-check.patch
++ bugfix/all/posix-cpu-timers-workaround-to-suppress-the-problems-with-mt-exec.patch
++ bugfix/x86/kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch
++ bugfix/all/CVE-2010-4526.patch
++ bugfix/all/CVE-2010-4527.patch
++ bugfix/all/exec-make-argv-envp-memory-visible-to-oom-killer.patch
++ bugfix/all/exec-copy-and-paste-the-fixes-into-compat_do_execve-paths.patch
++ debian/exec-Get-rid-of-linux_binprm-vma_pages.patch
++ bugfix/all/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch
++ bugfix/all/af_unix-limit-unix_tot_inflight.patch
++ bugfix/all/scm-lower-SCM_MAX_FD.patch
++ bugfix/all/do_exit-make-sure-that-we-run-with-get_fs-USER_DS.patch
++ debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch
++ bugfix/all/econet-fix-crash-in-aun_incoming.patch
++ bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch
++ bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch
++ bugfix/all/ib-uverbs-handle-large-number-of-entries-in-poll-CQ.patch
++ bugfix/all/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
++ bugfix/all/av7110-check-for-negative-array-offset.patch
++ bugfix/all/usb-iowarrior-dont-trust-report_size-for-buffer-size.patch

Copied: dists/lenny/linux-2.6/debian/patches/series/26lenny2-extra (from r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/series/26lenny2-extra)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/26lenny2-extra	Mon Jan 31 00:21:49 2011	(r16859, copy of r16858, releases/linux-2.6/2.6.26-26lenny2/debian/patches/series/26lenny2-extra)
@@ -0,0 +1 @@
++ features/all/xen/CVE-2010-3699.patch featureset=xen


