[kernel] r18103 - in dists/lenny/linux-2.6: . debian debian/patches/bugfix/all debian/patches/debian debian/patches/features/all/openvz debian/patches/features/all/vserver debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Sep 20 03:48:10 UTC 2011
Author: dannf
Date: Tue Sep 20 03:48:07 2011
New Revision: 18103
Log:
merge 2.6.26-26lenny4
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/CVE-2011-2492.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/CVE-2011-2492.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/CVE-2011-3188.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/CVE-2011-3188.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/alpha-fix-several-security-issues.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/alpha-fix-several-security-issues.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/alsa-caiaq-fix-possible-string-buffer-overflow.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/alsa-caiaq-fix-possible-string-buffer-overflow.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/befs-ensure-fast-symlinks-are-NUL-terminated.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/befs-ensure-fast-symlinks-are-NUL-terminated.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/close-race-in-proc-pid-environ.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/close-race-in-proc-pid-environ.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-inet_diag_bc_audit.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/fix-inet_diag_bc_audit.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-avoid-wrapping-vm_pgoff-in-mremap.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/mm-avoid-wrapping-vm_pgoff-in-mremap.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/net_sched-Fix-qdisc_notify.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/net_sched-Fix-qdisc_notify.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/pagemap-close-races-with-suid-execve.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/pagemap-close-races-with-suid-execve.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-fix-oops-on-invalid-proc-pid-maps-access.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/proc-fix-oops-on-invalid-proc-pid-maps-access.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-map-report-errors-sanely.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/proc-map-report-errors-sanely.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering-regression-fix.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering-regression-fix.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/usb-misc-auerswald-overflow-fix.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/usb-misc-auerswald-overflow-fix.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
dists/lenny/linux-2.6/debian/patches/debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch
dists/lenny/linux-2.6/debian/patches/series/26lenny4
- copied unchanged from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/series/26lenny4
Modified:
dists/lenny/linux-2.6/ (props changed)
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch
dists/lenny/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Tue Sep 20 03:45:55 2011 (r18102)
+++ dists/lenny/linux-2.6/debian/changelog Tue Sep 20 03:48:07 2011 (r18103)
@@ -34,6 +34,32 @@
-- Ben Hutchings <ben at decadent.org.uk> Mon, 29 Nov 2010 02:01:24 +0000
+linux-2.6 (2.6.26-26lenny4) oldstable-security; urgency=high
+
+ [ dann frazier ]
+ * Fix regression in fix for CVE-2011-1768 (Closes: #633738)
+ * taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)
+ * NLM: Don't hang forever on NLM unlock requests (CVE-2011-2491)
+ * proc: restrict access to /proc/PID/io (CVE-2011-2495)
+ * vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496)
+ * Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)
+ * net_sched: Fix qdisc_notify() (CVE-2011-2525)
+ * Fix overflow in auerswald driver (CVE-2009-4067)
+ * restrict access to /proc/pid/* after setuid exec (CVE-2011-1020)
+ * befs: Validate length of long symbolic links (CVE-2011-2928)
+ * cifs: fix possible memory corruption in CIFSFindNext (CVE-2011-3191)
+ * Switch to MD5 for sequence number generation (CVE-2011-3188)
+
+ [ Moritz Muehlenhoff ]
+ * ALSA: caiaq - Fix possible string-buffer overflow (CVE-2011-0712)
+ * Fix several Alpha vulnerabilities (CVE-2011-2208, CVE-2011-2209,
+ CVE-2011-2210, CVE-2011-2211)
+ * inet_diag: fix inet_diag_bc_audit() (CVE-2011-2213)
+ * Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace
+ (CVE-2011-2492)
+
+ -- dann frazier <dannf at debian.org> Sat, 17 Sep 2011 10:10:24 -0600
+
linux-2.6 (2.6.26-26lenny3) oldstable-security; urgency=high
[ dann frazier ]
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/CVE-2011-2492.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/CVE-2011-2492.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/CVE-2011-2492.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/CVE-2011-2492.patch)
@@ -0,0 +1,41 @@
+From: Filip Palian <s3810 at pjwstk.edu.pl>
+Date: Thu, 12 May 2011 17:32:46 +0000 (+0200)
+Subject: Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.
+X-Git-Tag: v3.0-rc4~5^2~13^2~2^2~3
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=8d03e971cf403305217b8e62db3a2e5ad2d6263f
+
+Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.
+
+Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding
+byte each. This byte in "cinfo" is copied to userspace uninitialized.
+
+Signed-off-by: Filip Palian <filip.palian at pjwstk.edu.pl>
+Acked-by: Marcel Holtmann <marcel at holtmann.org>
+Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
+[backported to 2.6.26 - jmm]
+---
+
+diff -aur linux-2.6-2.6.26.orig//net/bluetooth/l2cap.c linux-2.6-2.6.26/net/bluetooth/l2cap.c
+--- linux-2.6-2.6.26.orig//net/bluetooth/l2cap.c 2008-07-13 23:51:29.000000000 +0200
++++ linux-2.6-2.6.26/net/bluetooth/l2cap.c 2011-08-11 20:27:06.000000000 +0200
+@@ -1110,6 +1110,7 @@
+ break;
+ }
+
++ memset(&cinfo, 0, sizeof(cinfo));
+ cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
+
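Review bot: The added `memset(&cinfo, 0, sizeof(cinfo));` has no comment saying why it is there, and the field assignments that follow make it look redundant to a later reader. Per the patch description the struct has one padding byte that would otherwise be copied to userspace uninitialized, so I would add `/* zero the padding byte too: cinfo is copied to userspace */` above the call here and above the identical line in the net/bluetooth/rfcomm/sock.c hunk. The enclosing functions start and end outside both hunks, so the copy to userspace itself is not visible here. The `Nur in …: l2cap.c~.` and `sock.c~.` lines are diff output about editor backup files and could be dropped from the patch file.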
+Nur in linux-2.6-2.6.26/net/bluetooth: l2cap.c~.
+diff -aur linux-2.6-2.6.26.orig//net/bluetooth/rfcomm/sock.c linux-2.6-2.6.26/net/bluetooth/rfcomm/sock.c
+--- linux-2.6-2.6.26.orig//net/bluetooth/rfcomm/sock.c 2008-07-13 23:51:29.000000000 +0200
++++ linux-2.6-2.6.26/net/bluetooth/rfcomm/sock.c 2011-08-11 20:27:53.000000000 +0200
+@@ -770,6 +770,7 @@
+
+ l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
+
++ memset(&cinfo, 0, sizeof(cinfo));
+ cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
+
+Nur in linux-2.6-2.6.26/net/bluetooth/rfcomm: sock.c~.
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/CVE-2011-3188.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/CVE-2011-3188.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/CVE-2011-3188.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/CVE-2011-3188.patch)
@@ -0,0 +1,979 @@
+diff --git a/crypto/md5.c b/crypto/md5.c
+index 39268f3..a528400 100644
+--- a/crypto/md5.c
++++ b/crypto/md5.c
+@@ -20,6 +20,7 @@
+ #include <linux/string.h>
+ #include <linux/crypto.h>
+ #include <linux/types.h>
++#include <linux/cryptohash.h>
+ #include <asm/byteorder.h>
+
+ #define MD5_DIGEST_SIZE 16
+@@ -27,103 +28,12 @@
+ #define MD5_BLOCK_WORDS 16
+ #define MD5_HASH_WORDS 4
+
+-#define F1(x, y, z) (z ^ (x & (y ^ z)))
+-#define F2(x, y, z) F1(z, x, y)
+-#define F3(x, y, z) (x ^ y ^ z)
+-#define F4(x, y, z) (y ^ (x | ~z))
+-
+-#define MD5STEP(f, w, x, y, z, in, s) \
+- (w += f(x, y, z) + in, w = (w<<s | w>>(32-s)) + x)
+-
+ struct md5_ctx {
+ u32 hash[MD5_HASH_WORDS];
+ u32 block[MD5_BLOCK_WORDS];
+ u64 byte_count;
+ };
+
+-static void md5_transform(u32 *hash, u32 const *in)
+-{
+- u32 a, b, c, d;
+-
+- a = hash[0];
+- b = hash[1];
+- c = hash[2];
+- d = hash[3];
+-
+- MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
+- MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
+- MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
+- MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
+- MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
+- MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
+- MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
+- MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
+- MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
+- MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
+- MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
+- MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
+- MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
+- MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
+- MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
+- MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
+-
+- MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
+- MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
+- MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
+- MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
+- MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
+- MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
+- MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
+- MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
+- MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
+- MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
+- MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
+- MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
+- MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
+- MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
+- MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
+- MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
+-
+- MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
+- MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
+- MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
+- MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
+- MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
+- MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
+- MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
+- MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
+- MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
+- MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
+- MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
+- MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
+- MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
+- MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
+- MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
+- MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
+-
+- MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
+- MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
+- MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
+- MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
+- MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
+- MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
+- MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
+- MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
+- MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
+- MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
+- MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
+- MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
+- MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
+- MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
+- MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
+- MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
+-
+- hash[0] += a;
+- hash[1] += b;
+- hash[2] += c;
+- hash[3] += d;
+-}
+-
+ /* XXX: this stuff can be optimized */
+ static inline void le32_to_cpu_array(u32 *buf, unsigned int words)
+ {
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 1d3de5c..10c141a 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1295,328 +1295,13 @@ ctl_table random_table[] = {
+ };
+ #endif /* CONFIG_SYSCTL */
+
+-/********************************************************************
+- *
+- * Random funtions for networking
+- *
+- ********************************************************************/
+-
+-/*
+- * TCP initial sequence number picking. This uses the random number
+- * generator to pick an initial secret value. This value is hashed
+- * along with the TCP endpoint information to provide a unique
+- * starting point for each pair of TCP endpoints. This defeats
+- * attacks which rely on guessing the initial TCP sequence number.
+- * This algorithm was suggested by Steve Bellovin.
+- *
+- * Using a very strong hash was taking an appreciable amount of the total
+- * TCP connection establishment time, so this is a weaker hash,
+- * compensated for by changing the secret periodically.
+- */
+-
+-/* F, G and H are basic MD4 functions: selection, majority, parity */
+-#define F(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
+-#define G(x, y, z) (((x) & (y)) + (((x) ^ (y)) & (z)))
+-#define H(x, y, z) ((x) ^ (y) ^ (z))
+-
+-/*
+- * The generic round function. The application is so specific that
+- * we don't bother protecting all the arguments with parens, as is generally
+- * good macro practice, in favor of extra legibility.
+- * Rotation is separate from addition to prevent recomputation
+- */
+-#define ROUND(f, a, b, c, d, x, s) \
+- (a += f(b, c, d) + x, a = (a << s) | (a >> (32 - s)))
+-#define K1 0
+-#define K2 013240474631UL
+-#define K3 015666365641UL
+-
+-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+-
+-static __u32 twothirdsMD4Transform(__u32 const buf[4], __u32 const in[12])
+-{
+- __u32 a = buf[0], b = buf[1], c = buf[2], d = buf[3];
+-
+- /* Round 1 */
+- ROUND(F, a, b, c, d, in[ 0] + K1, 3);
+- ROUND(F, d, a, b, c, in[ 1] + K1, 7);
+- ROUND(F, c, d, a, b, in[ 2] + K1, 11);
+- ROUND(F, b, c, d, a, in[ 3] + K1, 19);
+- ROUND(F, a, b, c, d, in[ 4] + K1, 3);
+- ROUND(F, d, a, b, c, in[ 5] + K1, 7);
+- ROUND(F, c, d, a, b, in[ 6] + K1, 11);
+- ROUND(F, b, c, d, a, in[ 7] + K1, 19);
+- ROUND(F, a, b, c, d, in[ 8] + K1, 3);
+- ROUND(F, d, a, b, c, in[ 9] + K1, 7);
+- ROUND(F, c, d, a, b, in[10] + K1, 11);
+- ROUND(F, b, c, d, a, in[11] + K1, 19);
+-
+- /* Round 2 */
+- ROUND(G, a, b, c, d, in[ 1] + K2, 3);
+- ROUND(G, d, a, b, c, in[ 3] + K2, 5);
+- ROUND(G, c, d, a, b, in[ 5] + K2, 9);
+- ROUND(G, b, c, d, a, in[ 7] + K2, 13);
+- ROUND(G, a, b, c, d, in[ 9] + K2, 3);
+- ROUND(G, d, a, b, c, in[11] + K2, 5);
+- ROUND(G, c, d, a, b, in[ 0] + K2, 9);
+- ROUND(G, b, c, d, a, in[ 2] + K2, 13);
+- ROUND(G, a, b, c, d, in[ 4] + K2, 3);
+- ROUND(G, d, a, b, c, in[ 6] + K2, 5);
+- ROUND(G, c, d, a, b, in[ 8] + K2, 9);
+- ROUND(G, b, c, d, a, in[10] + K2, 13);
+-
+- /* Round 3 */
+- ROUND(H, a, b, c, d, in[ 3] + K3, 3);
+- ROUND(H, d, a, b, c, in[ 7] + K3, 9);
+- ROUND(H, c, d, a, b, in[11] + K3, 11);
+- ROUND(H, b, c, d, a, in[ 2] + K3, 15);
+- ROUND(H, a, b, c, d, in[ 6] + K3, 3);
+- ROUND(H, d, a, b, c, in[10] + K3, 9);
+- ROUND(H, c, d, a, b, in[ 1] + K3, 11);
+- ROUND(H, b, c, d, a, in[ 5] + K3, 15);
+- ROUND(H, a, b, c, d, in[ 9] + K3, 3);
+- ROUND(H, d, a, b, c, in[ 0] + K3, 9);
+- ROUND(H, c, d, a, b, in[ 4] + K3, 11);
+- ROUND(H, b, c, d, a, in[ 8] + K3, 15);
+-
+- return buf[1] + b; /* "most hashed" word */
+- /* Alternative: return sum of all words? */
+-}
+-#endif
+-
+-#undef ROUND
+-#undef F
+-#undef G
+-#undef H
+-#undef K1
+-#undef K2
+-#undef K3
+-
+-/* This should not be decreased so low that ISNs wrap too fast. */
+-#define REKEY_INTERVAL (300 * HZ)
+-/*
+- * Bit layout of the tcp sequence numbers (before adding current time):
+- * bit 24-31: increased after every key exchange
+- * bit 0-23: hash(source,dest)
+- *
+- * The implementation is similar to the algorithm described
+- * in the Appendix of RFC 1185, except that
+- * - it uses a 1 MHz clock instead of a 250 kHz clock
+- * - it performs a rekey every 5 minutes, which is equivalent
+- * to a (source,dest) tulple dependent forward jump of the
+- * clock by 0..2^(HASH_BITS+1)
+- *
+- * Thus the average ISN wraparound time is 68 minutes instead of
+- * 4.55 hours.
+- *
+- * SMP cleanup and lock avoidance with poor man's RCU.
+- * Manfred Spraul <manfred at colorfullife.com>
+- *
+- */
+-#define COUNT_BITS 8
+-#define COUNT_MASK ((1 << COUNT_BITS) - 1)
+-#define HASH_BITS 24
+-#define HASH_MASK ((1 << HASH_BITS) - 1)
+-
+-static struct keydata {
+- __u32 count; /* already shifted to the final position */
+- __u32 secret[12];
+-} ____cacheline_aligned ip_keydata[2];
+-
+-static unsigned int ip_cnt;
+-
+-static void rekey_seq_generator(struct work_struct *work);
+-
+-static DECLARE_DELAYED_WORK(rekey_work, rekey_seq_generator);
+-
+-/*
+- * Lock avoidance:
+- * The ISN generation runs lockless - it's just a hash over random data.
+- * State changes happen every 5 minutes when the random key is replaced.
+- * Synchronization is performed by having two copies of the hash function
+- * state and rekey_seq_generator always updates the inactive copy.
+- * The copy is then activated by updating ip_cnt.
+- * The implementation breaks down if someone blocks the thread
+- * that processes SYN requests for more than 5 minutes. Should never
+- * happen, and even if that happens only a not perfectly compliant
+- * ISN is generated, nothing fatal.
+- */
+-static void rekey_seq_generator(struct work_struct *work)
+-{
+- struct keydata *keyptr = &ip_keydata[1 ^ (ip_cnt & 1)];
+-
+- get_random_bytes(keyptr->secret, sizeof(keyptr->secret));
+- keyptr->count = (ip_cnt & COUNT_MASK) << HASH_BITS;
+- smp_wmb();
+- ip_cnt++;
+- schedule_delayed_work(&rekey_work, REKEY_INTERVAL);
+-}
+-
+-static inline struct keydata *get_keyptr(void)
++static u32 random_int_secret[MD5_MESSAGE_BYTES / 4] ____cacheline_aligned;
++static int __init random_int_secret_init(void)
+ {
+- struct keydata *keyptr = &ip_keydata[ip_cnt & 1];
+-
+- smp_rmb();
+-
+- return keyptr;
+-}
+-
+-static __init int seqgen_init(void)
+-{
+- rekey_seq_generator(NULL);
++ get_random_bytes(random_int_secret, sizeof(random_int_secret));
+ return 0;
+ }
+-late_initcall(seqgen_init);
+-
+-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+-__u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
+- __be16 sport, __be16 dport)
+-{
+- __u32 seq;
+- __u32 hash[12];
+- struct keydata *keyptr = get_keyptr();
+-
+- /* The procedure is the same as for IPv4, but addresses are longer.
+- * Thus we must use twothirdsMD4Transform.
+- */
+-
+- memcpy(hash, saddr, 16);
+- hash[4] = ((__force u16)sport << 16) + (__force u16)dport;
+- memcpy(&hash[5], keyptr->secret, sizeof(__u32) * 7);
+-
+- seq = twothirdsMD4Transform((const __u32 *)daddr, hash) & HASH_MASK;
+- seq += keyptr->count;
+-
+- seq += ktime_to_ns(ktime_get_real());
+-
+- return seq;
+-}
+-EXPORT_SYMBOL(secure_tcpv6_sequence_number);
+-#endif
+-
+-/* The code below is shamelessly stolen from secure_tcp_sequence_number().
+- * All blames to Andrey V. Savochkin <saw at msu.ru>.
+- */
+-__u32 secure_ip_id(__be32 daddr)
+-{
+- struct keydata *keyptr;
+- __u32 hash[4];
+-
+- keyptr = get_keyptr();
+-
+- /*
+- * Pick a unique starting offset for each IP destination.
+- * The dest ip address is placed in the starting vector,
+- * which is then hashed with random data.
+- */
+- hash[0] = (__force __u32)daddr;
+- hash[1] = keyptr->secret[9];
+- hash[2] = keyptr->secret[10];
+- hash[3] = keyptr->secret[11];
+-
+- return half_md4_transform(hash, keyptr->secret);
+-}
+-
+-#ifdef CONFIG_INET
+-
+-__u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
+- __be16 sport, __be16 dport)
+-{
+- __u32 seq;
+- __u32 hash[4];
+- struct keydata *keyptr = get_keyptr();
+-
+- /*
+- * Pick a unique starting offset for each TCP connection endpoints
+- * (saddr, daddr, sport, dport).
+- * Note that the words are placed into the starting vector, which is
+- * then mixed with a partial MD4 over random data.
+- */
+- hash[0] = (__force u32)saddr;
+- hash[1] = (__force u32)daddr;
+- hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
+- hash[3] = keyptr->secret[11];
+-
+- seq = half_md4_transform(hash, keyptr->secret) & HASH_MASK;
+- seq += keyptr->count;
+- /*
+- * As close as possible to RFC 793, which
+- * suggests using a 250 kHz clock.
+- * Further reading shows this assumes 2 Mb/s networks.
+- * For 10 Mb/s Ethernet, a 1 MHz clock is appropriate.
+- * For 10 Gb/s Ethernet, a 1 GHz clock should be ok, but
+- * we also need to limit the resolution so that the u32 seq
+- * overlaps less than one time per MSL (2 minutes).
+- * Choosing a clock of 64 ns period is OK. (period of 274 s)
+- */
+- seq += ktime_to_ns(ktime_get_real()) >> 6;
+-
+- return seq;
+-}
+-
+-/* Generate secure starting point for ephemeral IPV4 transport port search */
+-u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
+-{
+- struct keydata *keyptr = get_keyptr();
+- u32 hash[4];
+-
+- /*
+- * Pick a unique starting offset for each ephemeral port search
+- * (saddr, daddr, dport) and 48bits of random data.
+- */
+- hash[0] = (__force u32)saddr;
+- hash[1] = (__force u32)daddr;
+- hash[2] = (__force u32)dport ^ keyptr->secret[10];
+- hash[3] = keyptr->secret[11];
+-
+- return half_md4_transform(hash, keyptr->secret);
+-}
+-
+-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+-u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
+- __be16 dport)
+-{
+- struct keydata *keyptr = get_keyptr();
+- u32 hash[12];
+-
+- memcpy(hash, saddr, 16);
+- hash[4] = (__force u32)dport;
+- memcpy(&hash[5], keyptr->secret, sizeof(__u32) * 7);
+-
+- return twothirdsMD4Transform((const __u32 *)daddr, hash);
+-}
+-#endif
+-
+-#if defined(CONFIG_IP_DCCP) || defined(CONFIG_IP_DCCP_MODULE)
+-/* Similar to secure_tcp_sequence_number but generate a 48 bit value
+- * bit's 32-47 increase every key exchange
+- * 0-31 hash(source, dest)
+- */
+-u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
+- __be16 sport, __be16 dport)
+-{
+- u64 seq;
+- __u32 hash[4];
+- struct keydata *keyptr = get_keyptr();
+-
+- hash[0] = (__force u32)saddr;
+- hash[1] = (__force u32)daddr;
+- hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
+- hash[3] = keyptr->secret[11];
+-
+- seq = half_md4_transform(hash, keyptr->secret);
+- seq |= ((u64)keyptr->count) << (32 - HASH_BITS);
+-
+- seq += ktime_to_ns(ktime_get_real());
+- seq &= (1ull << 48) - 1;
+-
+- return seq;
+-}
+-EXPORT_SYMBOL(secure_dccp_sequence_number);
+-#endif
+-
+-#endif /* CONFIG_INET */
+-
++late_initcall(random_int_secret_init);
+
+ /*
+ * Get a random word for internal kernel use only. Similar to urandom but
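Review bot: `random_int_secret` is filled exactly once, from `late_initcall(random_int_secret_init)`, whereas the removed `rekey_seq_generator()` replaced the secret every `REKEY_INTERVAL` (300 * HZ). In the next hunk `get_random_int()` feeds this array to `md5_transform()` on every call, so any caller that runs before late initcalls hashes against the zero-initialised static array, and the key drawn from `get_random_bytes()` that early in boot is then kept for the whole uptime. If that is intended, say so above the definition, e.g. `/* seeded once at late_initcall, never rekeyed; all zero before that */`, and confirm no user of `get_random_int()` runs earlier; whether anything does is not visible from this patch.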
+@@ -1624,17 +1309,15 @@ EXPORT_SYMBOL(secure_dccp_sequence_number);
+ * value is not cryptographically secure but for several uses the cost of
+ * depleting entropy is too high
+ */
+-DEFINE_PER_CPU(__u32 [4], get_random_int_hash);
++DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash);
+ unsigned int get_random_int(void)
+ {
+- struct keydata *keyptr;
+ __u32 *hash = get_cpu_var(get_random_int_hash);
+- int ret;
++ unsigned int ret;
+
+- keyptr = get_keyptr();
+ hash[0] += current->pid + jiffies + get_cycles() + (int)(long)&ret;
+-
+- ret = half_md4_transform(hash, keyptr->secret);
++ md5_transform(hash, random_int_secret);
++ ret = hash[0];
+ put_cpu_var(get_random_int_hash);
+
+ return ret;
+diff --git a/include/linux/cryptohash.h b/include/linux/cryptohash.h
+index c118b2a..1ba279b 100644
+--- a/include/linux/cryptohash.h
++++ b/include/linux/cryptohash.h
+@@ -7,6 +7,11 @@
+ void sha_init(__u32 *buf);
+ void sha_transform(__u32 *digest, const char *data, __u32 *W);
+
++#define MD5_DIGEST_WORDS 4
++#define MD5_MESSAGE_BYTES 64
++
++void md5_transform(__u32 *hash, __u32 const *in);
++
+ __u32 half_md4_transform(__u32 buf[4], __u32 const in[8]);
+
+ #endif
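Review bot: The new prototype `void md5_transform(__u32 *hash, __u32 const *in);` gives no buffer sizes, unlike `half_md4_transform(__u32 buf[4], __u32 const in[8])` two lines below, although the definition added in lib/md5.c reads `in[0]` through `in[15]` and updates `hash[0]` through `hash[3]`. I would spell the contract out with the constants this hunk introduces: `void md5_transform(__u32 hash[MD5_DIGEST_WORDS], __u32 const in[MD5_MESSAGE_BYTES / 4]);`, and add a one-line comment that it is the bare block transform, with no padding, length handling or byte-order conversion. A caller passing a shorter `in` would make the function read past the buffer.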
+diff --git a/include/linux/random.h b/include/linux/random.h
+index 36f125c..2d74fe2 100644
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -51,17 +51,6 @@ extern void add_interrupt_randomness(int irq);
+ extern void get_random_bytes(void *buf, int nbytes);
+ void generate_random_uuid(unsigned char uuid_out[16]);
+
+-extern __u32 secure_ip_id(__be32 daddr);
+-extern u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
+-extern u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
+- __be16 dport);
+-extern __u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
+- __be16 sport, __be16 dport);
+-extern __u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
+- __be16 sport, __be16 dport);
+-extern u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
+- __be16 sport, __be16 dport);
+-
+ #ifndef MODULE
+ extern const struct file_operations random_fops, urandom_fops;
+ #endif
+diff --git a/include/net/secure_seq.h b/include/net/secure_seq.h
+new file mode 100644
+index 0000000..d97f689
+--- /dev/null
++++ b/include/net/secure_seq.h
+@@ -0,0 +1,20 @@
++#ifndef _NET_SECURE_SEQ
++#define _NET_SECURE_SEQ
++
++#include <linux/types.h>
++
++extern __u32 secure_ip_id(__be32 daddr);
++extern __u32 secure_ipv6_id(const __be32 daddr[4]);
++extern u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
++extern u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
++ __be16 dport);
++extern __u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
++ __be16 sport, __be16 dport);
++extern __u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
++ __be16 sport, __be16 dport);
++extern u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
++ __be16 sport, __be16 dport);
++extern u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
++ __be16 sport, __be16 dport);
++
++#endif /* _NET_SECURE_SEQ */
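Review bot: `secure_tcpv6_sequence_number()` and `secure_dccpv6_sequence_number()` are declared with `__be32 *saddr, __be32 *daddr`, while `secure_ipv6_port_ephemeral()` and `secure_ipv6_id()` in the same header take `const __be32 *`. The implementation removed from drivers/char/random.c only read the addresses (`memcpy(hash, saddr, 16)` and a cast of `daddr` to `const __u32 *`), so the non-const pointers look like an oversight carried over; the new definitions are outside this view, so this is worth confirming. If they also only read, declare them as `const __be32 *saddr, const __be32 *daddr` so callers holding const address pointers need no cast.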
+diff --git a/lib/Makefile b/lib/Makefile
+index 74b0cfb..44721c7 100644
+--- a/lib/Makefile
++++ b/lib/Makefile
+@@ -5,7 +5,7 @@
+ lib-y := ctype.o string.o vsprintf.o cmdline.o \
+ rbtree.o radix-tree.o dump_stack.o \
+ idr.o int_sqrt.o extable.o prio_tree.o \
+- sha1.o irq_regs.o reciprocal_div.o argv_split.o \
++ sha1.o md5.o irq_regs.o reciprocal_div.o argv_split.o \
+ proportions.o prio_heap.o ratelimit.o
+
+ lib-$(CONFIG_MMU) += ioremap.o
+diff --git a/lib/md5.c b/lib/md5.c
+new file mode 100644
+index 0000000..c777180
+--- /dev/null
++++ b/lib/md5.c
+@@ -0,0 +1,95 @@
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/cryptohash.h>
++
++#define F1(x, y, z) (z ^ (x & (y ^ z)))
++#define F2(x, y, z) F1(z, x, y)
++#define F3(x, y, z) (x ^ y ^ z)
++#define F4(x, y, z) (y ^ (x | ~z))
++
++#define MD5STEP(f, w, x, y, z, in, s) \
++ (w += f(x, y, z) + in, w = (w<<s | w>>(32-s)) + x)
++
++void md5_transform(__u32 *hash, __u32 const *in)
++{
++ u32 a, b, c, d;
++
++ a = hash[0];
++ b = hash[1];
++ c = hash[2];
++ d = hash[3];
++
++ MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
++ MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
++ MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
++ MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
++ MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
++ MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
++ MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
++ MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
++ MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
++ MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
++ MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
++ MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
++ MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
++ MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
++ MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
++ MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
++
++ MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
++ MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
++ MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
++ MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
++ MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
++ MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
++ MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
++ MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
++ MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
++ MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
++ MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
++ MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
++ MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
++ MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
++ MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
++ MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
++
++ MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
++ MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
++ MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
++ MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
++ MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
++ MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
++ MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
++ MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
++ MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
++ MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
++ MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
++ MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
++ MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
++ MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
++ MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
++ MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
++
++ MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
++ MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
++ MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
++ MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
++ MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
++ MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
++ MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
++ MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
++ MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
++ MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
++ MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
++ MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
++ MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
++ MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
++ MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
++ MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
++
++ hash[0] += a;
++ hash[1] += b;
++ hash[2] += c;
++ hash[3] += d;
++}
++EXPORT_SYMBOL(md5_transform);
+diff --git a/net/core/Makefile b/net/core/Makefile
+index b1332f6..a7fbc26 100644
+--- a/net/core/Makefile
++++ b/net/core/Makefile
+@@ -3,7 +3,7 @@
+ #
+
+ obj-y := sock.o request_sock.o skbuff.o iovec.o datagram.o stream.o scm.o \
+- gen_stats.o gen_estimator.o net_namespace.o
++ gen_stats.o gen_estimator.o net_namespace.o secure_seq.o
+
+ obj-$(CONFIG_SYSCTL) += sysctl_net_core.o
+
+diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c
+new file mode 100644
+index 0000000..45329d7
+--- /dev/null
++++ b/net/core/secure_seq.c
+@@ -0,0 +1,184 @@
++#include <linux/kernel.h>
++#include <linux/init.h>
++#include <linux/cryptohash.h>
++#include <linux/module.h>
++#include <linux/cache.h>
++#include <linux/random.h>
++#include <linux/hrtimer.h>
++#include <linux/ktime.h>
++#include <linux/string.h>
++
++#include <net/secure_seq.h>
++
++static u32 net_secret[MD5_MESSAGE_BYTES / 4] ____cacheline_aligned;
++
++static int __init net_secret_init(void)
++{
++ get_random_bytes(net_secret, sizeof(net_secret));
++ return 0;
++}
++late_initcall(net_secret_init);
++
++static u32 seq_scale(u32 seq)
++{
++ /*
++ * As close as possible to RFC 793, which
++ * suggests using a 250 kHz clock.
++ * Further reading shows this assumes 2 Mb/s networks.
++ * For 10 Mb/s Ethernet, a 1 MHz clock is appropriate.
++ * For 10 Gb/s Ethernet, a 1 GHz clock should be ok, but
++ * we also need to limit the resolution so that the u32 seq
++ * overlaps less than one time per MSL (2 minutes).
++ * Choosing a clock of 64 ns period is OK. (period of 274 s)
++ */
++ return seq + (ktime_to_ns(ktime_get_real()) >> 6);
++}
++
++#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
++__u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
++ __be16 sport, __be16 dport)
++{
++ u32 secret[MD5_MESSAGE_BYTES / 4];
++ u32 hash[MD5_DIGEST_WORDS];
++ u32 i;
++
++ memcpy(hash, saddr, 16);
++ for (i = 0; i < 4; i++)
++ secret[i] = net_secret[i] + daddr[i];
++ secret[4] = net_secret[4] +
++ (((__force u16)sport << 16) + (__force u16)dport);
++ for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
++ secret[i] = net_secret[i];
++
++ md5_transform(hash, secret);
++
++ return seq_scale(hash[0]);
++}
++EXPORT_SYMBOL(secure_tcpv6_sequence_number);
++
++u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
++ __be16 dport)
++{
++ u32 secret[MD5_MESSAGE_BYTES / 4];
++ u32 hash[MD5_DIGEST_WORDS];
++ u32 i;
++
++ memcpy(hash, saddr, 16);
++ for (i = 0; i < 4; i++)
++ secret[i] = net_secret[i] + (__force u32) daddr[i];
++ secret[4] = net_secret[4] + (__force u32)dport;
++ for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
++ secret[i] = net_secret[i];
++
++ md5_transform(hash, secret);
++
++ return hash[0];
++}
++#endif
++
++#ifdef CONFIG_INET
++__u32 secure_ip_id(__be32 daddr)
++{
++ u32 hash[MD5_DIGEST_WORDS];
++
++ hash[0] = (__force __u32) daddr;
++ hash[1] = net_secret[13];
++ hash[2] = net_secret[14];
++ hash[3] = net_secret[15];
++
++ md5_transform(hash, net_secret);
++
++ return hash[0];
++}
++
++__u32 secure_ipv6_id(const __be32 daddr[4])
++{
++ __u32 hash[4];
++
++ memcpy(hash, daddr, 16);
++ md5_transform(hash, net_secret);
++
++ return hash[0];
++}
++
++__u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
++ __be16 sport, __be16 dport)
++{
++ u32 hash[MD5_DIGEST_WORDS];
++
++ hash[0] = (__force u32)saddr;
++ hash[1] = (__force u32)daddr;
++ hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
++ hash[3] = net_secret[15];
++
++ md5_transform(hash, net_secret);
++
++ return seq_scale(hash[0]);
++}
++
++u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
++{
++ u32 hash[MD5_DIGEST_WORDS];
++
++ hash[0] = (__force u32)saddr;
++ hash[1] = (__force u32)daddr;
++ hash[2] = (__force u32)dport ^ net_secret[14];
++ hash[3] = net_secret[15];
++
++ md5_transform(hash, net_secret);
++
++ return hash[0];
++}
++EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral);
++#endif
++
++#if defined(CONFIG_IP_DCCP) || defined(CONFIG_IP_DCCP_MODULE)
++u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
++ __be16 sport, __be16 dport)
++{
++ u32 hash[MD5_DIGEST_WORDS];
++ u64 seq;
++
++ hash[0] = (__force u32)saddr;
++ hash[1] = (__force u32)daddr;
++ hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
++ hash[3] = net_secret[15];
++
++ md5_transform(hash, net_secret);
++
++ seq = hash[0] | (((u64)hash[1]) << 32);
++ seq += ktime_to_ns(ktime_get_real());
++ seq &= (1ull << 48) - 1;
++
++ return seq;
++}
++EXPORT_SYMBOL(secure_dccp_sequence_number);
++
++#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
++u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
++ __be16 sport, __be16 dport)
++{
++ u32 secret[MD5_MESSAGE_BYTES / 4];
++ u32 hash[MD5_DIGEST_WORDS];
++ u64 seq;
++ u32 i;
++
++ memcpy(hash, saddr, 16);
++ for (i = 0; i < 4; i++)
++ secret[i] = net_secret[i] + daddr[i];
++ secret[4] = net_secret[4] +
++ (((__force u16)sport << 16) + (__force u16)dport);
++ for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
++ secret[i] = net_secret[i];
++
++ md5_transform(hash, secret);
++
++ seq = hash[0] | (((u64)hash[1]) << 32);
++ seq += ktime_to_ns(ktime_get_real());
++ seq &= (1ull << 48) - 1;
++
++ return seq;
++}
++EXPORT_SYMBOL(secure_dccpv6_sequence_number);
++#endif
++#endif
+diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
+index 37d27bc..b8ace9c 100644
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -25,6 +25,7 @@
+ #include <net/timewait_sock.h>
+ #include <net/tcp_states.h>
+ #include <net/xfrm.h>
++#include <net/secure_seq.h>
+
+ #include "ackvec.h"
+ #include "ccid.h"
+diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
+index f7fe2a5..624fc34 100644
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -28,6 +28,7 @@
+ #include <net/transp_v6.h>
+ #include <net/ip6_checksum.h>
+ #include <net/xfrm.h>
++#include <net/secure_seq.h>
+
+ #include "dccp.h"
+ #include "ipv6.h"
+@@ -69,13 +70,7 @@ static inline void dccp_v6_send_check(struct sock *sk, int unused_value,
+ dh->dccph_checksum = dccp_v6_csum_finish(skb, &np->saddr, &np->daddr);
+ }
+
+-static inline __u32 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
+- __be16 sport, __be16 dport )
+-{
+- return secure_tcpv6_sequence_number(saddr, daddr, sport, dport);
+-}
+-
+-static inline __u32 dccp_v6_init_sequence(struct sk_buff *skb)
++static inline __u64 dccp_v6_init_sequence(struct sk_buff *skb)
+ {
+ return secure_dccpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32,
+ ipv6_hdr(skb)->saddr.s6_addr32,
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index 2023d37..5cd9f73 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -21,6 +21,7 @@
+
+ #include <net/inet_connection_sock.h>
+ #include <net/inet_hashtables.h>
++#include <net/secure_seq.h>
+ #include <net/ip.h>
+
+ /*
+diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
+index af99519..53f90d8 100644
+--- a/net/ipv4/inetpeer.c
++++ b/net/ipv4/inetpeer.c
+@@ -21,6 +21,7 @@
+ #include <linux/net.h>
+ #include <net/ip.h>
+ #include <net/inetpeer.h>
++#include <net/secure_seq.h>
+
+ /*
+ * Theory of operations.
+diff --git a/net/ipv4/netfilter/nf_nat_proto_common.c b/net/ipv4/netfilter/nf_nat_proto_common.c
+index 91537f1..3766ea1 100644
+--- a/net/ipv4/netfilter/nf_nat_proto_common.c
++++ b/net/ipv4/netfilter/nf_nat_proto_common.c
+@@ -12,6 +12,7 @@
+ #include <linux/ip.h>
+
+ #include <linux/netfilter.h>
++#include <net/secure_seq.h>
+ #include <net/netfilter/nf_nat.h>
+ #include <net/netfilter/nf_nat_core.h>
+ #include <net/netfilter/nf_nat_rule.h>
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 96be336..8330b55 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -109,6 +109,7 @@
+ #ifdef CONFIG_SYSCTL
+ #include <linux/sysctl.h>
+ #endif
++#include <net/secure_seq.h>
+
+ #define RT_FL_TOS(oldflp) \
+ ((u32)(oldflp->fl4_tos & (IPTOS_RT_MASK | RTO_ONLINK)))
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index ffe869a..c39f222 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -72,6 +72,7 @@
+ #include <net/timewait_sock.h>
+ #include <net/xfrm.h>
+ #include <net/netdma.h>
++#include <net/secure_seq.h>
+
+ #include <linux/inet.h>
+ #include <linux/ipv6.h>
+diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c
+index 580014a..e155689 100644
+--- a/net/ipv6/inet6_hashtables.c
++++ b/net/ipv6/inet6_hashtables.c
+@@ -20,6 +20,7 @@
+ #include <net/inet_connection_sock.h>
+ #include <net/inet_hashtables.h>
+ #include <net/inet6_hashtables.h>
++#include <net/secure_seq.h>
+ #include <net/ip.h>
+
+ void __inet6_hash(struct sock *sk)
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index f2e7b37..6361e40 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -61,6 +61,7 @@
+ #include <net/timewait_sock.h>
+ #include <net/netdma.h>
+ #include <net/inet_common.h>
++#include <net/secure_seq.h>
+
+ #include <asm/uaccess.h>
+
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/alpha-fix-several-security-issues.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/alpha-fix-several-security-issues.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/alpha-fix-several-security-issues.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/alpha-fix-several-security-issues.patch)
@@ -0,0 +1,88 @@
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Wed, 15 Jun 2011 22:09:01 +0000 (-0700)
+Subject: alpha: fix several security issues
+X-Git-Tag: v3.0-rc4~42
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=21c5977a836e399fc710ff2c5367845ed5c2527f
+
+alpha: fix several security issues
+
+Fix several security issues in Alpha-specific syscalls. Untested, but
+mostly trivial.
+
+1. Signedness issue in osf_getdomainname allows copying out-of-bounds
+kernel memory to userland.
+
+2. Signedness issue in osf_sysinfo allows copying large amounts of
+kernel memory to userland.
+
+3. Typo (?) in osf_getsysinfo bounds minimum instead of maximum copy
+size, allowing copying large amounts of kernel memory to userland.
+
+4. Usage of user pointer in osf_wait4 while under KERNEL_DS allows
+privilege escalation via writing return value of sys_wait4 to kernel
+memory.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Cc: Richard Henderson <rth at twiddle.net>
+Cc: Ivan Kokshaysky <ink at jurassic.park.msu.ru>
+Cc: Matt Turner <mattst88 at gmail.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c
+index 376f221..326f0a2 100644
+--- a/arch/alpha/kernel/osf_sys.c
++++ b/arch/alpha/kernel/osf_sys.c
+@@ -409,7 +409,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char __user *, name, int, namelen)
+ return -EFAULT;
+
+ len = namelen;
+- if (namelen > 32)
++ if (len > 32)
+ len = 32;
+
+ down_read(&uts_sem);
+@@ -594,7 +594,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, command, char __user *, buf, long, count)
+ down_read(&uts_sem);
+ res = sysinfo_table[offset];
+ len = strlen(res)+1;
+- if (len > count)
++ if ((unsigned long)len > (unsigned long)count)
+ len = count;
+ if (copy_to_user(buf, res, len))
+ err = -EFAULT;
+@@ -649,7 +649,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,
+ return 1;
+
+ case GSI_GET_HWRPB:
+- if (nbytes < sizeof(*hwrpb))
++ if (nbytes > sizeof(*hwrpb))
+ return -EINVAL;
+ if (copy_to_user(buffer, hwrpb, nbytes) != 0)
+ return -EFAULT;
+@@ -1008,6 +1008,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options,
+ {
+ struct rusage r;
+ long ret, err;
++ unsigned int status = 0;
+ mm_segment_t old_fs;
+
+ if (!ur)
+@@ -1016,13 +1017,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options,
+ old_fs = get_fs();
+
+ set_fs (KERNEL_DS);
+- ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r);
++ ret = sys_wait4(pid, (unsigned int __user *) &status, options,
++ (struct rusage __user *) &r);
+ set_fs (old_fs);
+
+ if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
+ return -EFAULT;
+
+ err = 0;
++ err |= put_user(status, ustatus);
+ err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
+ err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
+ err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);
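Review bot: In the osf_wait4 hunk the added `err |= put_user(status, ustatus);` runs unconditionally, so a caller that passes a NULL `ustatus` with a non-NULL `ur` would now get a failed copy-out. The old code handed `ustatus` straight to sys_wait4, which, as far as I know, treats a NULL status pointer as "do not report". Guarding the write keeps that behaviour: `if (ustatus) err |= put_user(status, ustatus);`. How `err` is folded into the return value is outside the hunk, since osf_wait4 continues past it. The description calls the change untested, so this path deserves a test on the backport.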
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/alsa-caiaq-fix-possible-string-buffer-overflow.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/alsa-caiaq-fix-possible-string-buffer-overflow.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/alsa-caiaq-fix-possible-string-buffer-overflow.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/alsa-caiaq-fix-possible-string-buffer-overflow.patch)
@@ -0,0 +1,43 @@
+From: Takashi Iwai <tiwai at suse.de>
+Date: Mon, 14 Feb 2011 21:45:59 +0000 (+0100)
+Subject: ALSA: caiaq - Fix possible string-buffer overflow
+X-Git-Tag: v2.6.38-rc6~15^2~3
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=eaae55dac6b64c0616046436b294e69fc5311581
+
+ALSA: caiaq - Fix possible string-buffer overflow
+
+Use strlcpy() to assure not to overflow the string array sizes by
+too long USB device name string.
+
+Reported-by: Rafa <rafa at mwrinfosecurity.com>
+Cc: stable <stable at kernel.org>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+[adapted to 2.6.26 - jmm]
+---
+
+diff --git a/sound/usb/caiaq/audio.c b/sound/usb/caiaq/audio.c
+index 68b9747..66eabaf 100644
+--- a/sound/usb/caiaq/audio.c
++++ b/sound/usb/caiaq/caiaq-audio.c
+@@ -785,7 +785,7 @@ int snd_usb_caiaq_audio_init(struct snd_usb_caiaqdev *dev)
+ }
+
+ dev->pcm->private_data = dev;
+- strcpy(dev->pcm->name, dev->product_name);
++ strlcpy(dev->pcm->name, dev->product_name, sizeof(dev->pcm->name));
+
+ memset(dev->sub_playback, 0, sizeof(dev->sub_playback));
+ memset(dev->sub_capture, 0, sizeof(dev->sub_capture));
+diff --git a/sound/usb/caiaq/midi.c b/sound/usb/caiaq/midi.c
+index 2f218c7..a1a4708 100644
+--- a/sound/usb/caiaq/midi.c
++++ b/sound/usb/caiaq/caiaq-midi.c
+@@ -136,7 +136,7 @@ int snd_usb_caiaq_midi_init(struct snd_usb_caiaqdev *device)
+ if (ret < 0)
+ return ret;
+
+- strcpy(rmidi->name, device->product_name);
++ strlcpy(rmidi->name, device->product_name, sizeof(rmidi->name));
+
+ rmidi->info_flags = SNDRV_RAWMIDI_INFO_DUPLEX;
+ rmidi->private_data = device;
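Review bot: The file headers in both sections are inconsistent: `diff --git a/sound/usb/caiaq/audio.c b/sound/usb/caiaq/audio.c` and `--- a/sound/usb/caiaq/audio.c` name the upstream file, while `+++ b/sound/usb/caiaq/caiaq-audio.c` names a different one (likewise midi.c and caiaq-midi.c). A lenient patch tool will probably pick whichever file exists, but a stricter one may read this as a rename or refuse it. The `[adapted to 2.6.26 - jmm]` backport would be cleaner with all three header lines using the `caiaq-*.c` names. The `strlcpy()` calls themselves bound the copy with `sizeof` of the destination array, which is the right size argument.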
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch)
@@ -0,0 +1,35 @@
+commit 2fadaef41283aad7100fa73f01998cddaca25833
+Author: Al Viro <viro at zeniv.linux.org.uk>
+Date: Tue Feb 15 22:52:11 2011 -0500
+
+ auxv: require the target to be tracable (or yourself)
+
+ same as for environ, except that we didn't do any checks to
+ prevent access after suid execve
+
+ Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+ [dannf: backported to Debian's 2.6.26]
+
+commit bf8db462fc178f51a71fcf01a0cbe9d51215f0bf
+Author: dann frazier <dannf at debian.org>
+Date: Wed Aug 31 22:11:15 2011 -0600
+
+ bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index f582fff..fc5f0d7 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -300,9 +300,9 @@ out:
+
+ static int proc_pid_auxv(struct task_struct *task, char *buffer)
+ {
+- int res = 0;
+- struct mm_struct *mm = get_task_mm(task);
+- if (mm) {
++ struct mm_struct *mm = mm_for_maps(task);
++ int res = PTR_ERR(mm);
++ if (mm && !IS_ERR(mm)) {
+ unsigned int nwords = 0;
+ do
+ nwords += 2;
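Review bot: `int res = PTR_ERR(mm);` is evaluated before `mm` is known to be an error pointer, and environ_read() in close-race-in-proc-pid-environ.patch uses the same idiom with `ret = PTR_ERR(mm);`. That relies on a NULL `mm` being meant to yield 0 and on `res` being reassigned on the success path, which is outside the hunk. A comment would make this explicit, e.g. `/* NULL mm -> 0; ERR_PTR -> errno; valid mm -> overwritten below */`. The environ_read hunk also drops its explicit `ptrace_may_attach()` test in favour of mm_for_maps(), whose definition is not shown. The backport should confirm that mm_for_maps() in this 2.6.26 tree performs the access check and has the return and locking convention both callers assume.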
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/befs-ensure-fast-symlinks-are-NUL-terminated.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/befs-ensure-fast-symlinks-are-NUL-terminated.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/befs-ensure-fast-symlinks-are-NUL-terminated.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/befs-ensure-fast-symlinks-are-NUL-terminated.patch)
@@ -0,0 +1,36 @@
+commit 7df5fa06de89a4ac311957e0cb9c1d87552b4325
+Author: Duane Griffin <duaneg at dghda.com>
+Date: Fri Dec 19 20:47:18 2008 +0000
+
+ befs: ensure fast symlinks are NUL-terminated
+
+ Ensure fast symlink targets are NUL-terminated, even if corrupted
+ on-disk.
+
+ Cc: Sergey S. Kostyliov <rathamahata at php4.ru>
+ Signed-off-by: Duane Griffin <duaneg at dghda.com>
+ Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+
+diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c
+index b6dfee3..d06cb02 100644
+--- a/fs/befs/linuxvfs.c
++++ b/fs/befs/linuxvfs.c
+@@ -378,7 +378,8 @@ static struct inode *befs_iget(struct super_block *sb, unsigned long ino)
+ inode->i_size = 0;
+ inode->i_blocks = befs_sb->block_size / VFS_BLOCK_SIZE;
+ strncpy(befs_ino->i_data.symlink, raw_inode->data.symlink,
+- BEFS_SYMLINK_LEN);
++ BEFS_SYMLINK_LEN - 1);
++ befs_ino->i_data.symlink[BEFS_SYMLINK_LEN - 1] = '\0';
+ } else {
+ int num_blks;
+
+@@ -477,6 +478,8 @@ befs_follow_link(struct dentry *dentry, struct nameidata *nd)
+ kfree(link);
+ befs_error(sb, "Failed to read entire long symlink");
+ link = ERR_PTR(-EIO);
++ } else {
++ link[len - 1] = '\0';
+ }
+ } else {
+ link = befs_ino->i_data.symlink;
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch)
@@ -0,0 +1,45 @@
+commit 338d0f0a6fbc82407864606f5b64b75aeb3c70f2
+Author: Timo Warns <Warns at pre-sense.de>
+Date: Wed Aug 17 17:59:56 2011 +0200
+
+ befs: Validate length of long symbolic links.
+
+ Signed-off-by: Timo Warns <warns at pre-sense.de>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c
+index 54b8c28..720d885 100644
+--- a/fs/befs/linuxvfs.c
++++ b/fs/befs/linuxvfs.c
+@@ -474,17 +474,22 @@ befs_follow_link(struct dentry *dentry, struct nameidata *nd)
+ befs_data_stream *data = &befs_ino->i_data.ds;
+ befs_off_t len = data->size;
+
+- befs_debug(sb, "Follow long symlink");
+-
+- link = kmalloc(len, GFP_NOFS);
+- if (!link) {
+- link = ERR_PTR(-ENOMEM);
+- } else if (befs_read_lsymlink(sb, data, link, len) != len) {
+- kfree(link);
+- befs_error(sb, "Failed to read entire long symlink");
++ if (len == 0) {
++ befs_error(sb, "Long symlink with illegal length");
+ link = ERR_PTR(-EIO);
+ } else {
+- link[len - 1] = '\0';
++ befs_debug(sb, "Follow long symlink");
++
++ link = kmalloc(len, GFP_NOFS);
++ if (!link) {
++ link = ERR_PTR(-ENOMEM);
++ } else if (befs_read_lsymlink(sb, data, link, len) != len) {
++ kfree(link);
++ befs_error(sb, "Failed to read entire long symlink");
++ link = ERR_PTR(-EIO);
++ } else {
++ link[len - 1] = '\0';
++ }
+ }
+ } else {
+ link = befs_ino->i_data.symlink;
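Review bot: The new check in befs_follow_link rejects `len == 0` but puts no upper bound on `len`, which comes from `data->size` in the on-disk inode and goes straight into `kmalloc(len, GFP_NOFS)`. A corrupted image can therefore request an arbitrarily large allocation. If `befs_off_t` is wider than `size_t` (its definition is outside the hunk), the size passed to kmalloc could be truncated while `befs_read_lsymlink()` still receives the full length. Bounding it is cheap, e.g. `if (len == 0 || len > PATH_MAX) {`; the exact limit is a judgement call. The `link[len - 1] = '\0';` write added by befs-ensure-fast-symlinks-are-NUL-terminated.patch is only safe with this check, so the two patches must stay together in the series.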
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch)
@@ -0,0 +1,30 @@
+commit 7ac28817536797fd40e9646452183606f9e17f71
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Fri Jun 24 08:38:05 2011 -0400
+
+ Bluetooth: Prevent buffer overflow in l2cap config request
+
+ A remote user can provide a small value for the command size field in
+ the command header of an l2cap configuration request, resulting in an
+ integer underflow when subtracting the size of the configuration request
+ header. This results in copying a very large amount of data via
+ memcpy() and destroying the kernel heap. Check for underflow.
+
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Cc: stable <stable at kernel.org>
+ Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
+index 514aa8f..71120ee 100644
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -2720,7 +2720,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
+
+ /* Reject if config buffer is too small. */
+ len = cmd_len - sizeof(*req);
+- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
++ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ l2cap_build_conf_rsp(sk, rsp,
+ L2CAP_CONF_REJECT, flags), rsp);
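Review bot: The added `len < 0` test in l2cap_config_req only works if `len` is a signed type, and its declaration is outside the hunk. If it were unsigned, the guard would be dead code and `cmd_len - sizeof(*req)` would still wrap. Checking before the subtraction does not depend on the type: `if (cmd_len < sizeof(*req) || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {`. Separately, the trailer says "backported to Debian's 2.6.32" although the file is added to the lenny series, and cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch has the same trailer. It is worth confirming that both hunks were checked against the 2.6.26 source.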
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch)
@@ -0,0 +1,41 @@
+From: Jeff Layton <jlayton at redhat.com>
+Date: Tue, 23 Aug 2011 11:21:28 +0000 (-0400)
+Subject: cifs: fix possible memory corruption in CIFSFindNext
+X-Git-Url: https://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fsfrench%2Fcifs-2.6.git;a=commitdiff_plain;h=c32dfffaf59f73bbcf4472141b851a4dc5db2bf0
+
+cifs: fix possible memory corruption in CIFSFindNext
+
+The name_len variable in CIFSFindNext is a signed int that gets set to
+the resume_name_len in the cifs_search_info. The resume_name_len however
+is unsigned and for some infolevels is populated directly from a 32 bit
+value sent by the server.
+
+If the server sends a very large value for this, then that value could
+look negative when converted to a signed int. That would make that
+value pass the PATH_MAX check later in CIFSFindNext. The name_len would
+then be used as a length value for a memcpy. It would then be treated
+as unsigned again, and the memcpy scribbles over a ton of memory.
+
+Fix this by making the name_len an unsigned value in CIFSFindNext.
+
+Cc: <stable at kernel.org>
+Reported-by: Darren Lavender <dcl at hppine99.gbr.hp.com>
+Signed-off-by: Jeff Layton <jlayton at redhat.com>
+Signed-off-by: Steve French <sfrench at us.ibm.com>
+[dannf: backported to Debian's 2.6.32]
+---
+
+diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
+index 04b755a..665b128 100644
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -3596,7 +3596,8 @@ int CIFSFindNext(const int xid, struct cifsTconInfo *tcon,
+ T2_FNEXT_RSP_PARMS *parms;
+ char *response_data;
+ int rc = 0;
+- int bytes_returned, name_len;
++ int bytes_returned;
++ unsigned int name_len;
+ __u16 params, byte_count;
+
+ cFYI(1, ("In FindNext"));
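Review bot: The split declaration `unsigned int name_len;` in CIFSFindNext carries the whole fix, but nothing at the declaration says why it must stay unsigned. The PATH_MAX comparison and memcpy it protects are outside the hunk. I would add a comment such as `/* unsigned: copied from server-supplied resume_name_len; a signed copy could go negative and pass the PATH_MAX check */`. Without it, a later tidy-up could merge the variable back into the `int bytes_returned` line and silently reintroduce the bug.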
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/close-race-in-proc-pid-environ.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/close-race-in-proc-pid-environ.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/close-race-in-proc-pid-environ.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/close-race-in-proc-pid-environ.patch)
@@ -0,0 +1,47 @@
+commit d6f64b89d7ff22ce05896ab4a93a653e8d0b123d
+Author: Al Viro <viro at zeniv.linux.org.uk>
+Date: Tue Feb 15 22:26:01 2011 -0500
+
+ close race in /proc/*/environ
+
+ Switch to mm_for_maps(). Maybe we ought to make it r--r--r--,
+ since we do checks on IO anyway...
+
+ Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+ [dannf: backported to Debian's 2.6.26]
+
+commit c6e0832fdcd651328728c00e6464f36c091444fa
+Author: dann frazier <dannf at debian.org>
+Date: Wed Aug 31 22:10:48 2011 -0600
+
+ bugfix/all/close-race-in-proc-pid-environ.patch
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 6e71515..f582fff 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -906,20 +906,18 @@ static ssize_t environ_read(struct file *file, char __user *buf,
+ if (!task)
+ goto out_no_task;
+
+- if (!ptrace_may_attach(task))
+- goto out;
+-
+ ret = -ENOMEM;
+ page = (char *)__get_free_page(GFP_TEMPORARY);
+ if (!page)
+ goto out;
+
+- ret = 0;
+
+- mm = get_task_mm(task);
+- if (!mm)
++ mm = mm_for_maps(task);
++ ret = PTR_ERR(mm);
++ if (!mm || IS_ERR(mm))
+ goto out_free;
+
++ ret = 0;
+ while (count > 0) {
+ int this_len, retval, max_len;
+
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-inet_diag_bc_audit.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/fix-inet_diag_bc_audit.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-inet_diag_bc_audit.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/fix-inet_diag_bc_audit.patch)
@@ -0,0 +1,72 @@
+From: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Fri, 17 Jun 2011 20:25:39 +0000 (-0400)
+Subject: inet_diag: fix inet_diag_bc_audit()
+X-Git-Tag: v3.0-rc4~5^2~8
+X-Git-Url: http://git.us.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=eeb1497277d6b1a0a34ed36b97e18f2bd7d6de0d
+
+inet_diag: fix inet_diag_bc_audit()
+
+A malicious user or buggy application can inject code and trigger an
+infinite loop in inet_diag_bc_audit()
+
+Also make sure each instruction is aligned on 4 bytes boundary, to avoid
+unaligned accesses.
+
+Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index 6ffe94c..3267d38 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -437,7 +437,7 @@ static int valid_cc(const void *bc, int len, int cc)
+ return 0;
+ if (cc == len)
+ return 1;
+- if (op->yes < 4)
++ if (op->yes < 4 || op->yes & 3)
+ return 0;
+ len -= op->yes;
+ bc += op->yes;
+@@ -447,11 +447,11 @@ static int valid_cc(const void *bc, int len, int cc)
+
+ static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
+ {
+- const unsigned char *bc = bytecode;
++ const void *bc = bytecode;
+ int len = bytecode_len;
+
+ while (len > 0) {
+- struct inet_diag_bc_op *op = (struct inet_diag_bc_op *)bc;
++ const struct inet_diag_bc_op *op = bc;
+
+ //printk("BC: %d %d %d {%d} / %d\n", op->code, op->yes, op->no, op[1].no, len);
+ switch (op->code) {
+@@ -462,22 +462,20 @@ static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
+ case INET_DIAG_BC_S_LE:
+ case INET_DIAG_BC_D_GE:
+ case INET_DIAG_BC_D_LE:
+- if (op->yes < 4 || op->yes > len + 4)
+- return -EINVAL;
+ case INET_DIAG_BC_JMP:
+- if (op->no < 4 || op->no > len + 4)
++ if (op->no < 4 || op->no > len + 4 || op->no & 3)
+ return -EINVAL;
+ if (op->no < len &&
+ !valid_cc(bytecode, bytecode_len, len - op->no))
+ return -EINVAL;
+ break;
+ case INET_DIAG_BC_NOP:
+- if (op->yes < 4 || op->yes > len + 4)
+- return -EINVAL;
+ break;
+ default:
+ return -EINVAL;
+ }
++ if (op->yes < 4 || op->yes > len + 4 || op->yes & 3)
++ return -EINVAL;
+ bc += op->yes;
+ len -= op->yes;
+ }
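Review bot: The three new alignment tests (`op->yes & 3` in valid_cc, `op->no & 3` and `op->yes & 3` in inet_diag_bc_audit) sit bare inside `||` chains with no comment. They are correct by precedence, but parenthesising and naming the intent reads better, e.g. `if (op->yes < 4 || op->yes > len + 4 || (op->yes & 3))` with `/* every op must start on a 4-byte boundary */`. Moving the `op->yes` range check below the switch is what makes it apply to INET_DIAG_BC_JMP, where previously only `op->no` was validated before `len -= op->yes`. A one-line comment there, such as `/* must cover every opcode: the loop advances by op->yes */`, would stop it being moved back into the case arms. The loop's tail and return are outside the hunk.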
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-avoid-wrapping-vm_pgoff-in-mremap.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/mm-avoid-wrapping-vm_pgoff-in-mremap.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-avoid-wrapping-vm_pgoff-in-mremap.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/mm-avoid-wrapping-vm_pgoff-in-mremap.patch)
@@ -0,0 +1,43 @@
+commit 982134ba62618c2d69fbbbd166d0a11ee3b7e3d8
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Thu Apr 7 07:35:50 2011 -0700
+
+ mm: avoid wrapping vm_pgoff in mremap()
+
+ The normal mmap paths all avoid creating a mapping where the pgoff
+ inside the mapping could wrap around due to overflow. However, an
+ expanding mremap() can take such a non-wrapping mapping and make it
+ bigger and cause a wrapping condition.
+
+ Noticed by Robert Swiecki when running a system call fuzzer, where it
+ caused a BUG_ON() due to terminally confusing the vma_prio_tree code. A
+ vma dumping patch by Hugh then pinpointed the crazy wrapped case.
+
+ Reported-and-tested-by: Robert Swiecki <robert at swiecki.net>
+ Acked-by: Hugh Dickins <hughd at google.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/mm/mremap.c b/mm/mremap.c
+index 1de98d4..a7c1f9f 100644
+--- a/mm/mremap.c
++++ b/mm/mremap.c
+@@ -277,9 +277,16 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
+ if (old_len > vma->vm_end - addr)
+ goto Efault;
+
+- if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP)) {
+- if (new_len > old_len)
++ /* Need to be careful about a growing mapping */
++ if (new_len > old_len) {
++ unsigned long pgoff;
++
++ if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP))
+ goto Efault;
++ pgoff = (addr - vma->vm_start) >> PAGE_SHIFT;
++ pgoff += vma->vm_pgoff;
++ if (pgoff + (new_len >> PAGE_SHIFT) < pgoff)
++ goto Einval;
+ }
+
+ if (vma->vm_flags & VM_LOCKED) {
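Review bot: The wrap test `if (pgoff + (new_len >> PAGE_SHIFT) < pgoff)` depends on unsigned overflow, and nothing in the added block says so. A line such as `/* unsigned wrap: end page offset below the start means vm_pgoff + length overflowed */` above it would keep the comparison from being read as dead code. The `Efault` and `Einval` labels and the rest of `vma_to_resize()` are outside the hunk. Unlike several neighbouring patches, this file has no `[dannf: backported ...]` trailer, so it is worth confirming that the function and both labels exist in the 2.6.26 tree it is applied to.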
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/net_sched-Fix-qdisc_notify.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/net_sched-Fix-qdisc_notify.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/net_sched-Fix-qdisc_notify.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/net_sched-Fix-qdisc_notify.patch)
@@ -0,0 +1,52 @@
+commit 53b0f08042f04813cd1a7473dacd3edfacb28eb3
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Sat May 22 20:37:44 2010 +0000
+
+ net_sched: Fix qdisc_notify()
+
+ Ben Pfaff reported a kernel oops and provided a test program to
+ reproduce it.
+
+ https://kerneltrap.org/mailarchive/linux-netdev/2010/5/21/6277805
+
+ tc_fill_qdisc() should not be called for builtin qdisc, or it
+ dereference a NULL pointer to get device ifindex.
+
+ Fix is to always use tc_qdisc_dump_ignore() before calling
+ tc_fill_qdisc().
+
+ Reported-by: Ben Pfaff <blp at nicira.com>
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ [dannf: backported to Debian's 2.6.26]
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index 2761cf4..93cbd8e 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -867,6 +867,11 @@ nla_put_failure:
+ return -1;
+ }
+
++static bool tc_qdisc_dump_ignore(struct Qdisc *q)
++{
++ return (q->flags & TCQ_F_BUILTIN) ? true : false;
++}
++
+ static int qdisc_notify(struct sk_buff *oskb, struct nlmsghdr *n,
+ u32 clid, struct Qdisc *old, struct Qdisc *new)
+ {
+@@ -877,11 +882,11 @@ static int qdisc_notify(struct sk_buff *oskb, struct nlmsghdr *n,
+ if (!skb)
+ return -ENOBUFS;
+
+- if (old && old->handle) {
++ if (old && !tc_qdisc_dump_ignore(old)) {
+ if (tc_fill_qdisc(skb, old, clid, pid, n->nlmsg_seq, 0, RTM_DELQDISC) < 0)
+ goto err_out;
+ }
+- if (new) {
++ if (new && !tc_qdisc_dump_ignore(new)) {
+ if (tc_fill_qdisc(skb, new, clid, pid, n->nlmsg_seq, old ? NLM_F_REPLACE : 0, RTM_NEWQDISC) < 0)
+ goto err_out;
+ }
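Review bot: `return (q->flags & TCQ_F_BUILTIN) ? true : false;` in the new `tc_qdisc_dump_ignore()` spells out a conversion that the `bool` return type already performs. `return q->flags & TCQ_F_BUILTIN;` is equivalent, and the parameter can be `const struct Qdisc *q` because nothing is written through it. The helper also has no comment saying why builtin qdiscs are skipped; the commit message's reason (no device to take an ifindex from) fits in one line above it. The `old->handle` test is replaced by the flag test, so a non-builtin qdisc with a zero handle is now reported; if that is intended, the description should say so.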
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch)
@@ -0,0 +1,71 @@
+commit 0b760113a3a155269a3fba93a409c640031dd68f
+Author: Trond Myklebust <Trond.Myklebust at netapp.com>
+Date: Tue May 31 15:15:34 2011 -0400
+
+ NLM: Don't hang forever on NLM unlock requests
+
+ If the NLM daemon is killed on the NFS server, we can currently end up
+ hanging forever on an 'unlock' request, instead of aborting. Basically,
+ if the rpcbind request fails, or the server keeps returning garbage, we
+ really want to quit instead of retrying.
+
+ Tested-by: Vasily Averin <vvs at sw.ru>
+ Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+ Cc: stable at kernel.org
+
+diff -urpN linux-source-2.6.32.orig/fs/lockd/clntproc.c linux-source-2.6.32/fs/lockd/clntproc.c
+--- linux-source-2.6.32.orig/fs/lockd/clntproc.c 2009-12-02 20:51:21.000000000 -0700
++++ linux-source-2.6.32/fs/lockd/clntproc.c 2011-08-03 23:36:15.028741583 -0600
+@@ -709,7 +709,13 @@ static void nlmclnt_unlock_callback(stru
+
+ if (task->tk_status < 0) {
+ dprintk("lockd: unlock failed (err = %d)\n", -task->tk_status);
+- goto retry_rebind;
++ switch (task->tk_status) {
++ case -EACCES:
++ case -EIO:
++ goto die;
++ default:
++ goto retry_rebind;
++ }
+ }
+ if (status == NLM_LCK_DENIED_GRACE_PERIOD) {
+ rpc_delay(task, NLMCLNT_GRACE_WAIT);
+diff -urpN linux-source-2.6.32.orig/include/linux/sunrpc/sched.h linux-source-2.6.32/include/linux/sunrpc/sched.h
+--- linux-source-2.6.32.orig/include/linux/sunrpc/sched.h 2009-12-02 20:51:21.000000000 -0700
++++ linux-source-2.6.32/include/linux/sunrpc/sched.h 2011-08-03 23:43:26.040758731 -0600
+@@ -84,8 +84,8 @@ struct rpc_task {
+ long tk_rtt; /* round-trip time (jiffies) */
+
+ pid_t tk_owner; /* Process id for batching tasks */
+- unsigned char tk_priority : 2;/* Task priority */
+-
++ unsigned char tk_priority : 2,/* Task priority */
++ tk_rebind_retry : 2;
+ #ifdef RPC_DEBUG
+ unsigned short tk_pid; /* debugging aid */
+ #endif
+diff -urpN linux-source-2.6.32.orig/net/sunrpc/clnt.c linux-source-2.6.32/net/sunrpc/clnt.c
+--- linux-source-2.6.32.orig/net/sunrpc/clnt.c 2009-12-02 20:51:21.000000000 -0700
++++ linux-source-2.6.32/net/sunrpc/clnt.c 2011-08-03 23:36:15.036741657 -0600
+@@ -1052,6 +1052,9 @@ call_bind_status(struct rpc_task *task)
+ status = -EOPNOTSUPP;
+ break;
+ }
++ if (task->tk_rebind_retry == 0)
++ break;
++ task->tk_rebind_retry--;
+ rpc_delay(task, 3*HZ);
+ goto retry_timeout;
+ case -ETIMEDOUT:
+diff -urpN linux-source-2.6.32.orig/net/sunrpc/sched.c linux-source-2.6.32/net/sunrpc/sched.c
+--- linux-source-2.6.32.orig/net/sunrpc/sched.c 2011-06-11 13:10:38.000000000 -0600
++++ linux-source-2.6.32/net/sunrpc/sched.c 2011-08-03 23:36:15.044741731 -0600
+@@ -789,6 +789,7 @@ static void rpc_init_task(struct rpc_tas
+ /* Initialize retry counters */
+ task->tk_garb_retry = 2;
+ task->tk_cred_retry = 2;
++ task->tk_rebind_retry = 2;
+
+ task->tk_priority = task_setup_data->priority - RPC_PRIORITY_LOW;
+ task->tk_owner = current->tgid;
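Review bot: `tk_rebind_retry : 2;` is added to `struct rpc_task` without a comment, while the neighbouring members each have one. Something like `/* rpcbind retries left (2-bit field, max 3) */` would match them and put the width limit next to the `task->tk_rebind_retry = 2;` initialiser in `rpc_init_task()`. In `call_bind_status()` the `== 0` test before the decrement is what keeps the unsigned bit-field from wrapping, and that deserves a short why-comment. The new `switch` in `nlmclnt_unlock_callback()` likewise does not say why `-EACCES` and `-EIO` end the retries. All of these functions continue outside their hunks.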
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/pagemap-close-races-with-suid-execve.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/pagemap-close-races-with-suid-execve.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/pagemap-close-races-with-suid-execve.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/pagemap-close-races-with-suid-execve.patch)
@@ -0,0 +1,64 @@
+commit ca6b0bf0e086513b9ee5efc0aa5770ecb57778af
+Author: Al Viro <viro at zeniv.linux.org.uk>
+Date: Tue Feb 15 22:04:37 2011 -0500
+
+ pagemap: close races with suid execve
+
+ just use mm_for_maps()
+
+ Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+ [dannf: backported to Debian's 2.6.26]
+
+commit 4fb7cdfbc27b0635a9ec66200291d2d2babb9970
+Author: dann frazier <dannf at debian.org>
+Date: Wed Aug 31 22:06:29 2011 -0600
+
+ bugfix/all/pagemap-close-races-with-suid-execve.patch
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index bce2890..47afca0 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2440,7 +2440,7 @@ static const struct pid_entry tgid_base_stuff[] = {
+ #ifdef CONFIG_PROC_PAGE_MONITOR
+ REG("clear_refs", S_IWUSR, clear_refs),
+ REG("smaps", S_IRUGO, smaps),
+- REG("pagemap", S_IRUSR, pagemap),
++ REG("pagemap", S_IRUGO, pagemap),
+ #endif
+ #ifdef CONFIG_SECURITY
+ DIR("attr", S_IRUGO|S_IXUGO, attr_dir),
+@@ -2776,7 +2776,7 @@ static const struct pid_entry tid_base_stuff[] = {
+ #ifdef CONFIG_PROC_PAGE_MONITOR
+ REG("clear_refs", S_IWUSR, clear_refs),
+ REG("smaps", S_IRUGO, smaps),
+- REG("pagemap", S_IRUSR, pagemap),
++ REG("pagemap", S_IRUGO, pagemap),
+ #endif
+ #ifdef CONFIG_SECURITY
+ DIR("attr", S_IRUGO|S_IXUGO, attr_dir),
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 8feda82..56c00dc 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -663,7 +663,8 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
+ goto out;
+
+ ret = -EACCES;
+- if (!ptrace_may_attach(task))
++ mm = mm_for_maps(task);
++ if (!mm)
+ goto out_task;
+
+ ret = -EINVAL;
+@@ -672,10 +673,6 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
+ goto out_task;
+
+ ret = 0;
+- mm = get_task_mm(task);
+- if (!mm)
+- goto out_task;
+-
+
+ uaddr = (unsigned long)buf & PAGE_MASK;
+ uend = (unsigned long)(buf + count);
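Review bot: The mm reference is now taken before the `ret = -EINVAL` check, whose `goto out_task` is still visible in the second hunk's context, so that early exit leaves with `mm` held. Unless `out_task` (outside the hunk) calls `mmput()`, every read that fails that check leaks a reference on the target's mm, and the same patch widens `pagemap` to `S_IRUGO`, so the path is no longer limited to the owner. Moving the `mm_for_maps()` call down to where the removed `get_task_mm()` call sat, with `ret` set to `-EACCES` only for that test, would keep every exit balanced. With the mode relaxed, `mm_for_maps()` is the only access check left on this file, which is worth a comment at the call site.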
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-fix-oops-on-invalid-proc-pid-maps-access.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/proc-fix-oops-on-invalid-proc-pid-maps-access.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-fix-oops-on-invalid-proc-pid-maps-access.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/proc-fix-oops-on-invalid-proc-pid-maps-access.patch)
@@ -0,0 +1,37 @@
+commit 76597cd31470fa130784c78fadb4dab2e624a723
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Sun Mar 27 19:09:29 2011 -0700
+
+ proc: fix oops on invalid /proc/<pid>/maps access
+
+ When m_start returns an error, the seq_file logic will still call m_stop
+ with that error entry, so we'd better make sure that we check it before
+ using it as a vma.
+
+ Introduced by commit ec6fd8a4355c ("report errors in /proc/*/*map*
+ sanely"), which replaced NULL with various ERR_PTR() cases.
+
+ (On ia64, you happen to get a unaligned fault instead of a page fault,
+ since the address used is generally some random error code like -EPERM)
+
+ Reported-by: Anca Emanuel <anca.emanuel at gmail.com>
+ Reported-by: Tony Luck <tony.luck at intel.com>
+ Cc: Al Viro <viro at zeniv.linux.org.uk>
+ Cc: Américo Wang <xiyou.wangcong at gmail.com>
+ Cc: Stephen Wilson <wilsons at start.ca>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 7c708a4..2e7addf 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -182,7 +182,8 @@ static void m_stop(struct seq_file *m, void *v)
+ struct proc_maps_private *priv = m->private;
+ struct vm_area_struct *vma = v;
+
+- vma_stop(priv, vma);
++ if (!IS_ERR(vma))
++ vma_stop(priv, vma);
+ if (priv->task)
+ put_task_struct(priv->task);
+ }
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-map-report-errors-sanely.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/proc-map-report-errors-sanely.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-map-report-errors-sanely.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/proc-map-report-errors-sanely.patch)
@@ -0,0 +1,80 @@
+commit ec6fd8a4355cda81cd9f06bebc048e83eb514ac7
+Author: Al Viro <viro at zeniv.linux.org.uk>
+Date: Tue Feb 15 22:22:54 2011 -0500
+
+ report errors in /proc/*/*map* sanely
+
+ Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+ [dannf: backported to Debian's 2.6.26]
+
+commit c4511551969b481182ce9114dd552d68e1c5dfe7
+Author: dann frazier <dannf at debian.org>
+Date: Wed Aug 31 22:09:22 2011 -0600
+
+ bugfix/all/proc-map-report-errors-sanely.patch
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 47afca0..01421c4 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -254,7 +254,7 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
+ if (!ptrace_may_attach(task) ||
+ mm != task->mm) {
+ mmput(mm);
+- mm = NULL;
++ mm = ERR_PTR(-EACCES);
+ }
+ }
+ return mm;
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 56c00dc..e2dd752 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -114,11 +114,11 @@ static void *m_start(struct seq_file *m, loff_t *pos)
+
+ priv->task = get_pid_task(priv->pid, PIDTYPE_PID);
+ if (!priv->task)
+- return NULL;
++ return ERR_PTR(-ESRCH);
+
+ mm = mm_for_maps(priv->task);
+- if (!mm)
+- return NULL;
++ if (!mm || IS_ERR(mm))
++ return mm;
+ down_read(&mm->mmap_sem);
+
+ tail_vma = get_gate_vma(priv->task);
+@@ -662,9 +662,9 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
+ if (!task)
+ goto out;
+
+- ret = -EACCES;
+ mm = mm_for_maps(task);
+- if (!mm)
++ ret = PTR_ERR(mm);
++ if (!mm || IS_ERR(mm))
+ goto out_task;
+
+ ret = -EINVAL;
+diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
+index 5b4a574..8ed6452 100644
+--- a/fs/proc/task_nommu.c
++++ b/fs/proc/task_nommu.c
+@@ -129,13 +129,13 @@ static void *m_start(struct seq_file *m, loff_t *pos)
+ /* pin the task and mm whilst we play with them */
+ priv->task = get_pid_task(priv->pid, PIDTYPE_PID);
+ if (!priv->task)
+- return NULL;
++ return ERR_PTR(-ESRCH);
+
+ mm = mm_for_maps(priv->task);
+- if (!mm) {
++ if (!mm || IS_ERR(mm)) {
+ put_task_struct(priv->task);
+ priv->task = NULL;
+- return NULL;
++ return mm;
+ }
+ down_read(&mm->mmap_sem);
+
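Review bot: `mm_for_maps()` can now return `ERR_PTR(-EACCES)` as well as NULL, but only the three call sites in this patch are taught to test `IS_ERR()`. Any other caller in the tree that still checks `if (!mm)` alone would go on to dereference the error pointer, so the remaining callers should be checked before this is applied. A comment above the function such as `/* may return NULL or ERR_PTR(-EACCES); callers must test both */` would record the new contract. `m_start()` in task_mmu.c now hands an error pointer to `m_stop()`, so this patch has to stay paired with proc-fix-oops-on-invalid-proc-pid-maps-access.patch. In `pagemap_read()`, `ret = PTR_ERR(mm)` yields 0 for a NULL mm, so that case reads as end-of-file rather than an error, which also merits a comment if intended.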
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch)
@@ -0,0 +1,42 @@
+commit 1d1221f375c94ef961ba8574ac4f85c8870ddd51
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Fri Jun 24 16:08:38 2011 +0400
+
+ proc: restrict access to /proc/PID/io
+
+ /proc/PID/io may be used for gathering private information. E.g. for
+ openssh and vsftpd daemons wchars/rchars may be used to learn the
+ precise password length. Restrict it to processes being able to ptrace
+ the target process.
+
+ ptrace_may_access() is needed to prevent keeping open file descriptor of
+ "io" file, executing setuid binary and gathering io information of the
+ setuid'ed process.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.26]
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 3f20d5d..bce2890 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2378,6 +2378,9 @@ static int proc_base_fill_cache(struct file *filp, void *dirent,
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+ static int proc_pid_io_accounting(struct task_struct *task, char *buffer)
+ {
++ if (!ptrace_may_attach(task))
++ return -EACCES;
++
+ return sprintf(buffer,
+ #ifdef CONFIG_TASK_XACCT
+ "rchar: %llu\n"
+@@ -2470,7 +2473,7 @@ static const struct pid_entry tgid_base_stuff[] = {
+ REG("coredump_filter", S_IRUGO|S_IWUSR, coredump_filter),
+ #endif
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+- INF("io", S_IRUGO, pid_io_accounting),
++ INF("io", S_IRUSR, pid_io_accounting),
+ #endif
+ };
+
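Review bot: The `ptrace_may_attach(task)` test added to `proc_pid_io_accounting()` carries no comment, and with the mode already narrowed to `S_IRUSR` it looks redundant to anyone who has not read the commit message. A line such as `/* checked on every read: a descriptor opened earlier must not expose the counters after the task execs a setuid binary */` above it would keep it from being removed as dead code. Only `tgid_base_stuff` is changed here; if this tree also lists `io` in `tid_base_stuff` (not visible in the hunk), that entry needs the same mode.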
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch)
@@ -0,0 +1,80 @@
+From 26c4caea9d697043cc5a458b96411b86d7f6babd Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon at openwall.com>
+Date: Mon, 27 Jun 2011 16:18:11 -0700
+Subject: taskstats: don't allow duplicate entries in listener mode
+
+From: Vasiliy Kulikov <segoon at openwall.com>
+
+commit 26c4caea9d697043cc5a458b96411b86d7f6babd upstream.
+
+Currently a single process may register exit handlers unlimited times.
+It may lead to a bloated listeners chain and very slow process
+terminations.
+
+Eg after 10KK sent TASKSTATS_CMD_ATTR_REGISTER_CPUMASKs ~300 Mb of
+kernel memory is stolen for the handlers chain and "time id" shows 2-7
+seconds instead of normal 0.003. It makes it possible to exhaust all
+kernel memory and to eat much of CPU time by triggerring numerous exits
+on a single CPU.
+
+The patch limits the number of times a single process may register
+itself on a single CPU to one.
+
+One little issue is kept unfixed - as taskstats_exit() is called before
+exit_files() in do_exit(), the orphaned listener entry (if it was not
+explicitly deregistered) is kept until the next someone's exit() and
+implicit deregistration in send_cpu_listeners(). So, if a process
+registered itself as a listener exits and the next spawned process gets
+the same pid, it would inherit taskstats attributes.
+
+Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
+Cc: Balbir Singh <bsingharora at gmail.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+[dannf: backported to Debian's 2.6.26]
+
+diff --git a/kernel/taskstats.c b/kernel/taskstats.c
+index 4a23517..bd0027e 100644
+--- a/kernel/taskstats.c
++++ b/kernel/taskstats.c
+@@ -293,17 +293,19 @@ ret:
+ static int add_del_listener(pid_t pid, cpumask_t *maskp, int isadd)
+ {
+ struct listener_list *listeners;
+- struct listener *s, *tmp;
++ struct listener *s, *tmp, *s2;
+ unsigned int cpu;
+ cpumask_t mask = *maskp;
+
+ if (!cpus_subset(mask, cpu_possible_map))
+ return -EINVAL;
+
++ s = NULL;
+ if (isadd == REGISTER) {
+ for_each_cpu_mask(cpu, mask) {
+- s = kmalloc_node(sizeof(struct listener), GFP_KERNEL,
+- cpu_to_node(cpu));
++ if (!s)
++ s = kmalloc_node(sizeof(struct listener),
++ GFP_KERNEL, cpu_to_node(cpu));
+ if (!s)
+ goto cleanup;
+ s->pid = pid;
+@@ -312,9 +314,16 @@ static int add_del_listener(pid_t pid, cpumask_t *maskp, int isadd)
+
+ listeners = &per_cpu(listener_array, cpu);
+ down_write(&listeners->sem);
++ list_for_each_entry_safe(s2, tmp, &listeners->list, list) {
++ if (s2->pid == pid)
++ goto next_cpu;
++ }
+ list_add(&s->list, &listeners->list);
++ s = NULL;
++next_cpu:
+ up_write(&listeners->sem);
+ }
++ kfree(s);
+ return 0;
+ }
+
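Review bot: The duplicate scan uses `list_for_each_entry_safe(s2, tmp, &listeners->list, list)` although nothing is removed inside that loop. Plain `list_for_each_entry(s2, &listeners->list, list)` does the same job and leaves `tmp` to the code that actually deletes entries. In the same loop, when a CPU is skipped as a duplicate the allocation in `s` is carried over, so the entry later linked on another CPU was obtained with the earlier CPU's `cpu_to_node()`. That does not affect correctness but quietly drops the node-local placement, and deserves a one-line comment at `if (!s)`. `add_del_listener()` continues outside the hunk.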
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering-regression-fix.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering-regression-fix.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering-regression-fix.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering-regression-fix.patch)
@@ -0,0 +1,12 @@
+diff -urpN linux-source-2.6.32.orig/net/ipv6/ip6_tunnel.c linux-source-2.6.32/net/ipv6/ip6_tunnel.c
+--- linux-source-2.6.32.orig/net/ipv6/ip6_tunnel.c 2011-06-11 13:10:52.000000000 -0600
++++ linux-source-2.6.32/net/ipv6/ip6_tunnel.c 2011-07-21 00:23:41.002857909 -0600
+@@ -1465,7 +1465,7 @@ static int __init ip6_tunnel_init(void)
+ {
+ int err;
+
+- err = register_pernet_device(&ip6_tnl_net_ops);
++ err = register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops);
+ if (err < 0)
+ goto out_pernet;
+
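Review bot: Switching the registration to `register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops)` only stays balanced if every teardown path uses the matching gen-device unregister. The `out_pernet` label and the module exit function are outside this hunk, so that cannot be checked here. If they still call `unregister_pernet_device(&ip6_tnl_net_ops)`, they should become `unregister_pernet_gen_device(ip6_tnl_net_id, &ip6_tnl_net_ops)`. The patch file also has no description, author or origin line, unlike the others in this series; a short header naming the regression it fixes would help.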
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/usb-misc-auerswald-overflow-fix.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/usb-misc-auerswald-overflow-fix.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/usb-misc-auerswald-overflow-fix.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/usb-misc-auerswald-overflow-fix.patch)
@@ -0,0 +1,89 @@
+On Wed, Aug 17, 2011 at 06:39:11PM +0200, Moritz Mühlenhoff wrote:
+> On Wed, Aug 17, 2011 at 10:05:30AM -0600, dann frazier wrote:
+> > On Wed, Aug 17, 2011 at 10:33:21AM +0200, Moritz Muehlenhoff wrote:
+> > > Hi Dann,
+> > > I've whipped up a patch for CVE-2009-4067. (The driver was removed
+> > > upstream, so there's no upstream fix). Could you have a second look,
+> > > please?
+> >
+> > Sure - where can I find it?
+>
+> I forgot the attachment :-)
+>
+> Cheers,
+> Moritz
+
+> diff -aur linux-2.6-2.6.26.orig/drivers/usb/misc/auerswald.c linux-2.6-2.6.26/drivers/usb/misc/auerswald.c
+> --- linux-2.6-2.6.26.orig/drivers/usb/misc/auerswald.c 2008-07-13 23:51:29.000000000 +0200
+> +++ linux-2.6-2.6.26/drivers/usb/misc/auerswald.c 2011-08-17 10:30:13.958449758 +0200
+> @@ -1946,7 +1946,7 @@
+> /* Try to get a suitable textual description of the device */
+> /* Device name:*/
+> ret = usb_string( cp->usbdev, AUSI_DEVICE, cp->dev_desc, AUSI_DLEN-1);
+> - if (ret >= 0) {
+> + if (ret >= 0 && ret < AUSI_DLEN) {
+> u += ret;
+> /* Append Serial Number */
+> memcpy(&cp->dev_desc[u], ",Ser# ", 6);
+> Nur in linux-2.6-2.6.26/drivers/usb/misc/: auerswald.c~.
+
+I think that is sufficient to resolve the specific vulnerability that
+the MWR PDF describes. However, if the user can control AUSI_DEVICE,
+shouldn't we also assume they can control AUSI_SERIALNR, and just
+overflow things a little further down?
+
+Also, there's a couple places where they seem to blindly memcpy a
+hardcoded number of bytes to the end of the string without checking
+to see if this crosses the AUSI_DLEN boundary.
+
+Perhaps I'm overly paranoid, but what do you think of this?
+
+--- linux-source-2.6.26/drivers/usb/misc/auerswald.c.orig 2011-08-21 14:04:46.634626234 -0600
++++ linux-source-2.6.26/drivers/usb/misc/auerswald.c 2011-08-21 14:04:47.826643896 -0600
+@@ -1946,23 +1946,28 @@ static int auerswald_probe (struct usb_i
+ /* Try to get a suitable textual description of the device */
+ /* Device name:*/
+ ret = usb_string( cp->usbdev, AUSI_DEVICE, cp->dev_desc, AUSI_DLEN-1);
+- if (ret >= 0) {
+- u += ret;
+- /* Append Serial Number */
+- memcpy(&cp->dev_desc[u], ",Ser# ", 6);
+- u += 6;
+- ret = usb_string( cp->usbdev, AUSI_SERIALNR, &cp->dev_desc[u], AUSI_DLEN-u-1);
+- if (ret >= 0) {
+- u += ret;
+- /* Append subscriber number */
+- memcpy(&cp->dev_desc[u], ", ", 2);
+- u += 2;
+- ret = usb_string( cp->usbdev, AUSI_MSN, &cp->dev_desc[u], AUSI_DLEN-u-1);
+- if (ret >= 0) {
+- u += ret;
+- }
+- }
+- }
++ if (ret < 0 || ret >= AUSI_DLEN)
++ goto desc_done;
++ u += ret;
++ if (u >= AUSI_DLEN - 6)
++ goto desc_done;
++ /* Append Serial Number */
++ memcpy(&cp->dev_desc[u], ",Ser# ", 6);
++ u += 6;
++ ret = usb_string( cp->usbdev, AUSI_SERIALNR, &cp->dev_desc[u], AUSI_DLEN-u-1);
++ if (ret < 0 || u + ret >= AUSI_DLEN)
++ goto desc_done;
++ u += ret;
++ if (u >= AUSI_DLEN - 2)
++ goto desc_done;
++ /* Append subscriber number */
++ memcpy(&cp->dev_desc[u], ", ", 2);
++ u += 2;
++ ret = usb_string( cp->usbdev, AUSI_MSN, &cp->dev_desc[u], AUSI_DLEN-u-1);
++ if (ret < 0 || u + ret >= AUSI_DLEN)
++ goto desc_done;
++ u += ret;
++desc_done:
+ cp->dev_desc[u] = '\0';
+ info("device is a %s", cp->dev_desc);
+
+
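Review bot: After the `,Ser# ` append, the guard `if (u >= AUSI_DLEN - 6)` still lets `u` reach `AUSI_DLEN - 1`, so the following `usb_string()` call can be passed a size of `AUSI_DLEN-u-1 == 0`; the same holds after the `, ` append. That is safe only if `usb_string()` rejects a zero size, which is not visible here. Tightening the tests to `if (u >= AUSI_DLEN - 6 - 1)` and `if (u >= AUSI_DLEN - 2 - 1)` keeps at least one byte of room without relying on it. The literals 6 and 2 are repeated between each guard and its `memcpy()`, so deriving both from `sizeof(",Ser# ") - 1` and `sizeof(", ") - 1` would keep them in step. `auerswald_probe()` starts and ends outside the hunk.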
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch)
@@ -0,0 +1,43 @@
+commit a626ca6a656450e9f4df91d0dda238fff23285f4
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Wed Apr 13 08:07:28 2011 -0700
+
+ vm: fix vm_pgoff wrap in stack expansion
+
+ Commit 982134ba6261 ("mm: avoid wrapping vm_pgoff in mremap()") fixed
+ the case of a expanding mapping causing vm_pgoff wrapping when you used
+ mremap. But there was another case where we expand mappings hiding in
+ plain sight: the automatic stack expansion.
+
+ This fixes that case too.
+
+ This one also found by Robert ÅwiÄcki, using his nasty system call
+ fuzzer tool. Good job.
+
+ Reported-and-tested-by: Robert ÅwiÄcki <robert at swiecki.net>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 292afec..537b365 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1680,10 +1680,13 @@ static int expand_downwards(struct vm_area_struct *vma,
+ size = vma->vm_end - address;
+ grow = (vma->vm_start - address) >> PAGE_SHIFT;
+
+- error = acct_stack_growth(vma, size, grow);
+- if (!error) {
+- vma->vm_start = address;
+- vma->vm_pgoff -= grow;
++ error = -ENOMEM;
++ if (grow <= vma->vm_pgoff) {
++ error = acct_stack_growth(vma, size, grow);
++ if (!error) {
++ vma->vm_start = address;
++ vma->vm_pgoff -= grow;
++ }
+ }
+ }
+ anon_vma_unlock(vma);
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch)
@@ -0,0 +1,40 @@
+commit 42c36f63ac1366ab0ecc2d5717821362c259f517
+Author: Hugh Dickins <hughd at google.com>
+Date: Mon May 9 17:44:42 2011 -0700
+
+ vm: fix vm_pgoff wrap in upward expansion
+
+ Commit a626ca6a6564 ("vm: fix vm_pgoff wrap in stack expansion") fixed
+ the case of an expanding mapping causing vm_pgoff wrapping when you had
+ downward stack expansion. But there was another case where IA64 and
+ PA-RISC expand mappings: upward expansion.
+
+ This fixes that case too.
+
+ Signed-off-by: Hugh Dickins <hughd at google.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 537b365..515e3cb 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1636,9 +1636,14 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+ size = address - vma->vm_start;
+ grow = (address - vma->vm_end) >> PAGE_SHIFT;
+
+- error = acct_stack_growth(vma, size, grow);
+- if (!error)
+- vma->vm_end = address;
++ error = -ENOMEM;
++ if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) {
++ error = acct_stack_growth(vma, size, grow);
++ if (!error) {
++ vma->vm_end = address;
++ perf_event_mmap(vma);
++ }
++ }
+ }
+ anon_vma_unlock(vma);
+ return error;
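Review bot: `perf_event_mmap(vma);` is new in this hunk rather than carried over: the removed lines only assign `vma->vm_end`, and the sibling stack-expansion patch adds no such call. The trailer says the backport was made for Debian's 2.6.32, while this copy is applied under dists/lenny to a 2.6.26 tree, so it should be confirmed that `perf_event_mmap()` is declared there. Going by the commit message, upward expansion matters on IA64 and PA-RISC, so a missing symbol would probably surface only in those builds. If it is not available, the added block reduces to `if (!error) vma->vm_end = address;` inside the new wrap check. `expand_upwards()` starts outside the hunk.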
Copied: dists/lenny/linux-2.6/debian/patches/debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch)
@@ -0,0 +1,23 @@
+commit 613006cb46d1931bf7331fd3951efd7a0a0bb118
+Author: dann frazier <dannf at debian.org>
+Date: Mon Aug 8 21:43:14 2011 -0600
+
+ Avoid ABI change in fix for CVE-2011-2491
+
+diff --git a/include/linux/sunrpc/sched.h b/include/linux/sunrpc/sched.h
+index 67f63dd..b5e54f3 100644
+--- a/include/linux/sunrpc/sched.h
++++ b/include/linux/sunrpc/sched.h
+@@ -84,8 +84,10 @@ struct rpc_task {
+ long tk_rtt; /* round-trip time (jiffies) */
+
+ pid_t tk_owner; /* Process id for batching tasks */
+- unsigned char tk_priority : 2,/* Task priority */
+- tk_rebind_retry : 2;
++ unsigned char tk_priority : 2;/* Task priority */
++#ifndef __GENKSYMS__
++ unsigned char tk_rebind_retry : 2;
++#endif
+ #ifdef RPC_DEBUG
+ unsigned short tk_pid; /* debugging aid */
+ #endif
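Review bot: The `#ifndef __GENKSYMS__` block has no comment explaining why hiding `tk_rebind_retry` from genksyms is safe, and the next person to touch `struct rpc_task` will need that reasoning. Presumably the new 2-bit field is expected to land in the spare bits of the byte that already holds `tk_priority`, so the structure size and member offsets stay as they were. That depends on the compiler packing two separately declared `unsigned char` bit-fields together, which is worth confirming, for instance by comparing `sizeof(struct rpc_task)` before and after. A comment such as `/* hidden from genksyms: uses spare bits next to tk_priority, layout unchanged */` would record it.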
Modified: dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch Tue Sep 20 03:45:55 2011 (r18102)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch Tue Sep 20 03:48:07 2011 (r18103)
@@ -77442,9 +77442,9 @@
index ffe869a..ca6b5d3 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
-@@ -73,6 +73,8 @@
- #include <net/xfrm.h>
+@@ -74,6 +74,8 @@
#include <net/netdma.h>
+ #include <net/secure_seq.h>
+#include <bc/tcp.h>
+
@@ -79339,9 +79339,9 @@
index 40ea9c3..cdc8697 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
-@@ -62,6 +62,8 @@
- #include <net/netdma.h>
+@@ -63,6 +63,8 @@
#include <net/inet_common.h>
+ #include <net/secure_seq.h>
+#include <bc/tcp.h>
+
Modified: dists/lenny/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch Tue Sep 20 03:45:55 2011 (r18102)
+++ dists/lenny/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch Tue Sep 20 03:48:07 2011 (r18103)
@@ -6961,7 +6961,7 @@
#ifdef CONFIG_AUDITSYSCALL
@@ -2471,6 +2487,7 @@ static const struct pid_entry tgid_base_
#ifdef CONFIG_TASK_IO_ACCOUNTING
- INF("io", S_IRUGO, pid_io_accounting),
+ INF("io", S_IRUSR, pid_io_accounting),
#endif
+ ONE("nsproxy", S_IRUGO, pid_nsproxy),
};
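Review bot: The `nsproxy` entry this vserver hunk adds stays `S_IRUGO`, directly below the `io` entry whose mode the refreshed context now shows as `S_IRUSR`. `pid_nsproxy` is not visible here, so whether its output is sensitive needs checking. If it prints per-task namespace or kernel-object details, owner-only would be the consistent choice: `ONE("nsproxy", S_IRUSR, pid_nsproxy),`. If world-readable is intended, a one-line comment on that entry saying so would record the decision. The table this entry belongs to starts outside the hunk.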
@@ -26700,10 +26700,10 @@
if (r->id.idiag_sport != tw->tw_sport &&
--- a/net/ipv4/inet_hashtables.c 2008-07-14 17:22:58.000000000 -0400
+++ a/net/ipv4/inet_hashtables.c 2008-07-29 17:27:07.000000000 -0400
-@@ -21,6 +21,7 @@
-
+@@ -22,6 +22,7 @@
#include <net/inet_connection_sock.h>
#include <net/inet_hashtables.h>
+ #include <net/secure_seq.h>
+#include <net/route.h>
#include <net/ip.h>
Copied: dists/lenny/linux-2.6/debian/patches/series/26lenny4 (from r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/series/26lenny4)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/26lenny4 Tue Sep 20 03:48:07 2011 (r18103, copy of r18102, releases/linux-2.6/2.6.26-26lenny4/debian/patches/series/26lenny4)
@@ -0,0 +1,24 @@
++ bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering-regression-fix.patch
++ bugfix/all/alpha-fix-several-security-issues.patch
++ bugfix/all/fix-inet_diag_bc_audit.patch
++ bugfix/all/CVE-2011-2492.patch
++ bugfix/all/alsa-caiaq-fix-possible-string-buffer-overflow.patch
++ bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch
++ bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch
++ debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch
++ bugfix/all/proc-restrict-access-to-proc-pid-io.patch
++ bugfix/all/mm-avoid-wrapping-vm_pgoff-in-mremap.patch
++ bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
++ bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
++ bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
++ bugfix/all/net_sched-Fix-qdisc_notify.patch
++ bugfix/all/usb-misc-auerswald-overflow-fix.patch
++ bugfix/all/pagemap-close-races-with-suid-execve.patch
++ bugfix/all/proc-map-report-errors-sanely.patch
++ bugfix/all/close-race-in-proc-pid-environ.patch
++ bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch
++ bugfix/all/proc-fix-oops-on-invalid-proc-pid-maps-access.patch
++ bugfix/all/befs-ensure-fast-symlinks-are-NUL-terminated.patch
++ bugfix/all/befs-validate-length-of-long-symbolic-links.patch
++ bugfix/all/cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
++ bugfix/all/CVE-2011-3188.patch