[kernel] r17654 - in dists/lenny/linux-2.6: . debian debian/patches/bugfix/all debian/patches/bugfix/arm debian/patches/bugfix/s390 debian/patches/bugfix/x86 debian/patches/features/all/openvz debian/patches/features/all/vserver debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Jun 13 18:40:48 UTC 2011
Author: dannf
Date: Mon Jun 13 18:40:46 2011
New Revision: 17654
Log:
merge 2.6.26-26lenny3
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/agp-fix-OOM-and-buffer-overflow.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/agp-fix-OOM-and-buffer-overflow.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/can-add-missing-socket-check-in-can+bcm-release.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/can-add-missing-socket-check-in-can+bcm-release.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/can-add-missing-socket-check-in-can+raw-release.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/can-add-missing-socket-check-in-can+raw-release.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/dccp-fix-oops-on-Reset-after-close.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/dccp-fix-oops-on-Reset-after-close.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-4-byte-infoleak-to-the-network.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/econet-4-byte-infoleak-to-the-network.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-corrupted-osf-partition-parsing.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/fix-corrupted-osf-partition-parsing.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-for-buffer-overflow-in-ldm_frag_add-not-sufficient.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/fix-for-buffer-overflow-in-ldm_frag_add-not-sufficient.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/fs-cifs-reject-dns-upcall-add_key-req-from-userspace.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/fs-cifs-reject-dns-upcall-add_key-req-from-userspace.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/fs-partitions-Validate-map_count-in-Mac-partition-tables.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/fs-partitions-Validate-map_count-in-Mac-partition-tables.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/gre-fix-netns-vs-proto-registration-ordering.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/gre-fix-netns-vs-proto-registration-ordering.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/increase-osf-partition-limit-from-8-to-18.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/increase-osf-partition-limit-from-8-to-18.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/irda-validate-peer-name-and-attribute-lengths.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/irda-validate-peer-name-and-attribute-lengths.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/ldm-corrupted-partition-table-can-cause-kernel-oops.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/ldm-corrupted-partition-table-can-cause-kernel-oops.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/net-ax25-fix-information-leak-to-userland-harder.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/net-ax25-fix-information-leak-to-userland-harder.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/net-clear-heap-allocations-for-privileged-ethtool-actions.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/net-clear-heap-allocations-for-privileged-ethtool-actions.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/netfilter-arp_tables-fix-infoleak-to-userspace.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/netfilter-arp_tables-fix-infoleak-to-userspace.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/netfilter-ip_tables-fix-infoleak-to-userspace.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/netfilter-ip_tables-fix-infoleak-to-userspace.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/netns-xfrm-fixup-xfrm6_tunnel-error-propagation.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/netns-xfrm-fixup-xfrm6_tunnel-error-propagation.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/next_pidmap-fix-overflow-condition.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/next_pidmap-fix-overflow-condition.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/partitions-ldm-fix-oops-caused-by-corrupted-partition-table.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/partitions-ldm-fix-oops-caused-by-corrupted-partition-table.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-avoid-information-leaks-to-non-privileged-processes.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/proc-avoid-information-leaks-to-non-privileged-processes.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-do-proper-range-check-on-readdir-offset.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/proc-do-proper-range-check-on-readdir-offset.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/rdma-cma-fix-crash-in-request-handlers.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/rdma-cma-fix-crash-in-request-handlers.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/rose-prevent-heap-corruption-with-bad-facilities.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/rose-prevent-heap-corruption-with-bad-facilities.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/security-keys-new-key-flag-for-add_key-from-userspace.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/security-keys-new-key-flag-for-add_key-from-userspace.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/serial_core-clean-data-before-filling-it.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/serial_core-clean-data-before-filling-it.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/tpm-fix-uninitialized-usage-of-data-buffer.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/tpm-fix-uninitialized-usage-of-data-buffer.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/validate-size-of-efi-guid-partition-entries.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/validate-size-of-efi-guid-partition-entries.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/xfrm6_tunnel-join-error-paths-using-goto.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/xfrm6_tunnel-join-error-paths-using-goto.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch
dists/lenny/linux-2.6/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch
dists/lenny/linux-2.6/debian/patches/bugfix/s390/remove-task_show_regs.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/s390/remove-task_show_regs.patch
dists/lenny/linux-2.6/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch
dists/lenny/linux-2.6/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
dists/lenny/linux-2.6/debian/patches/features/all/vserver/vserver-complete-fix-for-CVE-2010-4243.patch
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/features/all/vserver/vserver-complete-fix-for-CVE-2010-4243.patch
dists/lenny/linux-2.6/debian/patches/series/26lenny3
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/series/26lenny3
dists/lenny/linux-2.6/debian/patches/series/26lenny3-extra
- copied unchanged from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/series/26lenny3-extra
Modified:
dists/lenny/linux-2.6/ (props changed)
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch
dists/lenny/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Mon Jun 13 16:42:02 2011 (r17653)
+++ dists/lenny/linux-2.6/debian/changelog Mon Jun 13 18:40:46 2011 (r17654)
@@ -34,6 +34,59 @@
-- Ben Hutchings <ben at decadent.org.uk> Mon, 29 Nov 2010 02:01:24 +0000
+linux-2.6 (2.6.26-26lenny3) oldstable-security; urgency=high
+
+ [ dann frazier ]
+ * net: clear heap allocations for privileged ethtool actions (CVE-2010-4655)
+ * xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
+ (CVE-2011-0711)
+ * [s390] remove task_show_regs (CVE-2011-0710)
+ * fs/partitions: Validate map_count in Mac partition tables (CVE-2011-1010)
+ * ldm: corrupted partition table can cause kernel oops (CVE-2011-1012)
+ * Bluetooth: sco: fix information leak to userspace (CVE-2011-1078)
+ * Bluetooth: bnep: fix buffer overflow (CVE-2011-1079)
+ * bridge: netfilter: fix information leak (CVE-2011-1080)
+ * nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab
+ (CVE-2011-1090)
+ * dccp: fix oops on Reset after close (CVE-2011-1093)
+ * Fix corrupted OSF partition table parsing (CVE-2011-1163)
+ * netfilter: arp_tables: fix infoleak to userspace (CVE-2011-1170)
+ * netfilter: ip_tables: fix infoleak to userspace (CVE-2011-1171)
+ * ipv6: netfilter: ip6_tables: fix infoleak to userspace (CVE-2011-1172)
+ * econet: 4 byte infoleak to the network (CVE-2011-1173)
+ * irda: validate peer name and attribute lengths (CVE-2011-1180)
+ * RDMA/cma: Fix crash in request handlers (CVE-2011-0695)
+ * IB/cm: Bump reference count on cm_id before invoking callback
+ (CVE-2011-0695)
+ * Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code
+ (CVE-2011-1182)
+ * Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo (CVE-2011-1182)
+ * proc: protect mm start_code/end_code in /proc/pid/stat (CVE-2011-0726)
+ * cifs: Fix cache stuffing issue in the dns_resolver keyring (CVE-2010-2524)
+ * serial: Fix information leak in TIOCGICOUNT ioctl (CVE-2010-4075)
+ * net: ax25: improve information leak to userland fix, a further fix
+ for CVE-2010-3875
+ * char/tpm: Fix unitialized usage of data buffer (CVE-2011-1160)
+ * ROSE: prevent heap corruption with bad facilities (CVE-2011-1493)
+ * next_pidmap: fix overflow condition (CVE-2011-1593)
+ * can: Add missing socket check in can/bcm release (CVE-2011-1598)
+ * agp: fix arbitrary kernel memory writes (CVE-2011-1745, CVE-2011-2022)
+ * agp: fix OOM and buffer overflow (CVE-2011-1746)
+ * can: Add missing socket check in can/raw release (CVE-2011-1748)
+ * [arm] 6891/1: prevent heap corruption in OABI semtimedop (CVE-2011-1759)
+ * gre: fix netns vs proto registration ordering (CVE-2011-1767)
+ * Validate size of EFI GUID partition entries (CVE-2011-1776)
+ * fs/partitions/ldm.c: fix oops caused by corrupted partition table
+ (CVE-2011-1017)
+ * Improve fix for buffer overflow in ldm_frag_add (CVE-2011-2182)
+ * efi: corrupted GUID partition tables can cause kernel oops (CVE-2011-1577)
+ * tunnels: fix netns vs proto registration ordering
+
+ [ Ben Hutchings ]
+ * [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)
+
+ -- dann frazier <dannf at debian.org> Sat, 11 Jun 2011 08:25:25 -0600
+
linux-2.6 (2.6.26-26lenny2) stable-security; urgency=high
[ dann frazier ]
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/agp-fix-OOM-and-buffer-overflow.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/agp-fix-OOM-and-buffer-overflow.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/agp-fix-OOM-and-buffer-overflow.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/agp-fix-OOM-and-buffer-overflow.patch)
@@ -0,0 +1,53 @@
+commit b522f02184b413955f3bc952e3776ce41edc6355
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Thu Apr 14 20:55:19 2011 +0400
+
+ agp: fix OOM and buffer overflow
+
+ page_count is copied from userspace. agp_allocate_memory() tries to
+ check whether this number is too big, but doesn't take into account the
+ wrap case. Also agp_create_user_memory() doesn't check whether
+ alloc_size is calculated from num_agp_pages variable without overflow.
+ This may lead to allocation of too small buffer with following buffer
+ overflow.
+
+ Another problem in agp code is not addressed in the patch - kernel memory
+ exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked
+ whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()).
+ Each allocation is limited to 16KB, though, there is no per-process limit.
+ This might lead to OOM situation, which is not even solved in case of the
+ caller death by OOM killer - the memory is allocated for another (faked) process.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Signed-off-by: Dave Airlie <airlied at redhat.com>
+
+diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c
+index 012cba0..850a643 100644
+--- a/drivers/char/agp/generic.c
++++ b/drivers/char/agp/generic.c
+@@ -115,6 +115,9 @@ static struct agp_memory *agp_create_user_memory(unsigned long num_agp_pages)
+ struct agp_memory *new;
+ unsigned long alloc_size = num_agp_pages*sizeof(struct page *);
+
++ if (INT_MAX/sizeof(struct page *) < num_agp_pages)
++ return NULL;
++
+ new = kzalloc(sizeof(struct agp_memory), GFP_KERNEL);
+ if (new == NULL)
+ return NULL;
+@@ -234,11 +237,14 @@ struct agp_memory *agp_allocate_memory(struct agp_bridge_data *bridge,
+ int scratch_pages;
+ struct agp_memory *new;
+ size_t i;
++ int cur_memory;
+
+ if (!bridge)
+ return NULL;
+
+- if ((atomic_read(&bridge->current_memory_agp) + page_count) > bridge->max_memory_agp)
++ cur_memory = atomic_read(&bridge->current_memory_agp);
++ if ((cur_memory + page_count > bridge->max_memory_agp) ||
++ (cur_memory + page_count < page_count))
+ return NULL;
+
+ if (type >= AGP_USER_TYPES) {
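Review bot: The patch body itself (the paragraph beginning "Another problem in agp code is not addressed") states that the kernel memory exhaustion via AGPIOC_RESERVE/AGPIOC_ALLOCATE and the missing caller-pid check in agpioc_reserve_wrap() are left unfixed, yet the Debian changelog entry "agp: fix OOM and buffer overflow (CVE-2011-1746)" reads as if the OOM part were closed. A one-line maintainer note in the patch header, e.g. `[dannf: only the page_count/alloc_size overflow is fixed here; the per-process allocation limit noted below is not]`, would keep the two in agreement for anyone triaging later. The added `cur_memory` wrap check reads `current_memory_agp` with a single atomic_read() and compares outside any lock; whether a concurrent allocation can still push the total past `max_memory_agp` cannot be confirmed from the hunk and was presumably already the case before the patch, so it is worth a hedged comment rather than a change. agp_allocate_memory continues outside the hunk.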
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch)
@@ -0,0 +1,52 @@
+commit 194b3da873fd334ef183806db751473512af29ce
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Thu Apr 14 20:55:16 2011 +0400
+
+ agp: fix arbitrary kernel memory writes
+
+ pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl
+ cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the
+ comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
+ and it is not checked at all in case of AGPIOC_UNBIND. As a result, user
+ with sufficient privileges (usually "video" group) may generate either
+ local DoS or privilege escalation.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Signed-off-by: Dave Airlie <airlied at redhat.com>
+
+diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c
+index 850a643..b072648 100644
+--- a/drivers/char/agp/generic.c
++++ b/drivers/char/agp/generic.c
+@@ -1095,8 +1095,8 @@ int agp_generic_insert_memory(struct agp_memory * mem, off_t pg_start, int type)
+ return -EINVAL;
+ }
+
+- /* AK: could wrap */
+- if ((pg_start + mem->page_count) > num_entries)
++ if (((pg_start + mem->page_count) > num_entries) ||
++ ((pg_start + mem->page_count) < pg_start))
+ return -EINVAL;
+
+ j = pg_start;
+@@ -1130,7 +1130,7 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
+ {
+ size_t i;
+ struct agp_bridge_data *bridge;
+- int mask_type;
++ int mask_type, num_entries;
+
+ bridge = mem->bridge;
+ if (!bridge)
+@@ -1142,6 +1142,11 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
+ if (type != mem->type)
+ return -EINVAL;
+
++ num_entries = agp_num_entries();
++ if (((pg_start + mem->page_count) > num_entries) ||
++ ((pg_start + mem->page_count) < pg_start))
++ return -EINVAL;
++
+ mask_type = bridge->driver->agp_type_to_mask_type(bridge, type);
+ if (mask_type != 0) {
+ /* The generic routines know nothing of memory types */
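Review bot: The new range check in agp_generic_insert_memory drops the old `/* AK: could wrap */` comment without explaining why the two comparisons are sufficient, and the reasoning is not obvious because `pg_start` is signed (`off_t` in both signatures) while the sum is evaluated in unsigned arithmetic if `mem->page_count` is a `size_t` as in mainline. A negative `pg_start` is then rejected either by the first comparison (the converted value exceeds `num_entries`) or by the second (the sum wraps below it), but that deserves to be written down: `/* pg_start is user-supplied; evaluated unsigned, so a negative start or a wrapped end fails one of the two tests */`. The identical check is repeated in agp_generic_remove_memory at the second hunk; if the Debian copy ever diverges from upstream, a small static helper would keep the two from drifting. Both functions extend beyond the hunks shown.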
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch)
@@ -0,0 +1,26 @@
+commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Mon Feb 14 13:54:31 2011 +0300
+
+ Bluetooth: bnep: fix buffer overflow
+
+ Struct ca is copied from userspace. It is not checked whether the "device"
+ field is NULL terminated. This potentially leads to BUG() inside of
+ alloc_netdev_mqs() and/or information leak by creating a device with a name
+ made of contents of kernel stack.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
+
+diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
+index 2862f53..d935da7 100644
+--- a/net/bluetooth/bnep/sock.c
++++ b/net/bluetooth/bnep/sock.c
+@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
+ sockfd_put(nsock);
+ return -EBADFD;
+ }
++ ca.device[sizeof(ca.device)-1] = 0;
+
+ err = bnep_add_connection(&ca, nsock);
+ if (!err) {
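Review bot: The one-line fix silently truncates an over-long `ca.device` instead of rejecting it, and nothing at the site says that `ca` was copied from userspace, so a later reader may move or remove the assignment. A comment such as `/* ca was copied from userspace; force NUL termination before it reaches alloc_netdev */` would tie it to the commit message. This mirrors the ebtables change in the same commit, which applies the same `tmp.name[sizeof(tmp.name) - 1] = 0;` pattern, so the two are at least consistent. bnep_sock_ioctl begins and ends outside the hunk.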
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch)
@@ -0,0 +1,25 @@
+commit c4c896e1471aec3b004a693c689f60be3b17ac86
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Mon Feb 14 13:54:26 2011 +0300
+
+ Bluetooth: sco: fix information leak to userspace
+
+ struct sco_conninfo has one padding byte in the end. Local variable
+ cinfo of type sco_conninfo is copied to userspace with this uninizialized
+ one byte, leading to old stack contents leak.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 960c6d1..926ed39 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -703,6 +703,7 @@ static int sco_sock_getsockopt_old(struct socket *sock, int optname, char __user
+ break;
+ }
+
++ memset(&cinfo, 0, sizeof(cinfo));
+ cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);
+
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch)
@@ -0,0 +1,28 @@
+commit d846f71195d57b0bbb143382647c2c6638b04c5a
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Mon Feb 14 16:49:23 2011 +0100
+
+ bridge: netfilter: fix information leak
+
+ Struct tmp is copied from userspace. It is not checked whether the "name"
+ field is NULL terminated. This may lead to buffer overflow and passing
+ contents of kernel stack as a module name to try_then_request_module() and,
+ consequently, to modprobe commandline. It would be seen by all userspace
+ processes.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Signed-off-by: Patrick McHardy <kaber at trash.net>
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 5f1825d..893669c 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user,
+ if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
+ return -ENOMEM;
+
++ tmp.name[sizeof(tmp.name) - 1] = 0;
++
+ countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
+ newinfo = vmalloc(sizeof(*newinfo) + countersize);
+ if (!newinfo)
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/can-add-missing-socket-check-in-can+bcm-release.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/can-add-missing-socket-check-in-can+bcm-release.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/can-add-missing-socket-check-in-can+bcm-release.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/can-add-missing-socket-check-in-can+bcm-release.patch)
@@ -0,0 +1,32 @@
+commit c6914a6f261aca0c9f715f883a353ae7ff51fe83
+Author: Dave Jones <davej at redhat.com>
+Date: Tue Apr 19 20:36:59 2011 -0700
+
+ can: Add missing socket check in can/bcm release.
+
+ We can get here with a NULL socket argument passed from userspace,
+ so we need to handle it accordingly.
+
+ Signed-off-by: Dave Jones <davej at redhat.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 57b1aed..8a6a05e 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1427,9 +1427,14 @@ static int bcm_init(struct sock *sk)
+ static int bcm_release(struct socket *sock)
+ {
+ struct sock *sk = sock->sk;
+- struct bcm_sock *bo = bcm_sk(sk);
++ struct bcm_sock *bo;
+ struct bcm_op *op, *next;
+
++ if (sk == NULL)
++ return 0;
++
++ bo = bcm_sk(sk);
++
+ /* remove bcm_ops, timer, rx_unregister(), etc. */
+
+ unregister_netdevice_notifier(&bo->notifier);
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/can-add-missing-socket-check-in-can+raw-release.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/can-add-missing-socket-check-in-can+raw-release.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/can-add-missing-socket-check-in-can+raw-release.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/can-add-missing-socket-check-in-can+raw-release.patch)
@@ -0,0 +1,34 @@
+commit 10022a6c66e199d8f61d9044543f38785713cbbd
+Author: Oliver Hartkopp <socketcan at hartkopp.net>
+Date: Wed Apr 20 01:57:15 2011 +0000
+
+ can: add missing socket check in can/raw release
+
+ v2: added space after 'if' according code style.
+
+ We can get here with a NULL socket argument passed from userspace,
+ so we need to handle it accordingly.
+
+ Thanks to Dave Jones pointing at this issue in net/can/bcm.c
+
+ Signed-off-by: Oliver Hartkopp <socketcan at hartkopp.net>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/can/raw.c b/net/can/raw.c
+index 649acfa..0eb39a7 100644
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -305,7 +305,12 @@ static int raw_init(struct sock *sk)
+ static int raw_release(struct socket *sock)
+ {
+ struct sock *sk = sock->sk;
+- struct raw_sock *ro = raw_sk(sk);
++ struct raw_sock *ro;
++
++ if (!sk)
++ return 0;
++
++ ro = raw_sk(sk);
+
+ unregister_netdevice_notifier(&ro->notifier);
+
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/dccp-fix-oops-on-Reset-after-close.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/dccp-fix-oops-on-Reset-after-close.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/dccp-fix-oops-on-Reset-after-close.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/dccp-fix-oops-on-Reset-after-close.patch)
@@ -0,0 +1,69 @@
+commit 720dc34bbbe9493c7bd48b2243058b4e447a929d
+Author: Gerrit Renker <gerrit at erg.abdn.ac.uk>
+Date: Tue Mar 1 23:02:07 2011 -0800
+
+ dccp: fix oops on Reset after close
+
+ This fixes a bug in the order of dccp_rcv_state_process() that still permitted
+ reception even after closing the socket. A Reset after close thus causes a NULL
+ pointer dereference by not preventing operations on an already torn-down socket.
+
+ dccp_v4_do_rcv()
+ |
+ | state other than OPEN
+ v
+ dccp_rcv_state_process()
+ |
+ | DCCP_PKT_RESET
+ v
+ dccp_rcv_reset()
+ |
+ v
+ dccp_time_wait()
+
+ WARNING: at net/ipv4/inet_timewait_sock.c:141 __inet_twsk_hashdance+0x48/0x128()
+ Modules linked in: arc4 ecb carl9170 rt2870sta(C) mac80211 r8712u(C) crc_ccitt ah
+ [<c0038850>] (unwind_backtrace+0x0/0xec) from [<c0055364>] (warn_slowpath_common)
+ [<c0055364>] (warn_slowpath_common+0x4c/0x64) from [<c0055398>] (warn_slowpath_n)
+ [<c0055398>] (warn_slowpath_null+0x1c/0x24) from [<c02b72d0>] (__inet_twsk_hashd)
+ [<c02b72d0>] (__inet_twsk_hashdance+0x48/0x128) from [<c031caa0>] (dccp_time_wai)
+ [<c031caa0>] (dccp_time_wait+0x40/0xc8) from [<c031c15c>] (dccp_rcv_state_proces)
+ [<c031c15c>] (dccp_rcv_state_process+0x120/0x538) from [<c032609c>] (dccp_v4_do_)
+ [<c032609c>] (dccp_v4_do_rcv+0x11c/0x14c) from [<c0286594>] (release_sock+0xac/0)
+ [<c0286594>] (release_sock+0xac/0x110) from [<c031fd34>] (dccp_close+0x28c/0x380)
+ [<c031fd34>] (dccp_close+0x28c/0x380) from [<c02d9a78>] (inet_release+0x64/0x70)
+
+ The fix is by testing the socket state first. Receiving a packet in Closed state
+ now also produces the required "No connection" Reset reply of RFC 4340, 8.3.1.
+
+ Reported-and-tested-by: Johan Hovold <jhovold at gmail.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Gerrit Renker <gerrit at erg.abdn.ac.uk>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ [dannf: backported to Debian's 2.6.26]
+
+diff --git a/net/dccp/input.c b/net/dccp/input.c
+index 08392ed..ee30e18 100644
+--- a/net/dccp/input.c
++++ b/net/dccp/input.c
+@@ -600,6 +600,9 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ /* Caller (dccp_v4_do_rcv) will send Reset */
+ dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
+ return 1;
++ } else if (sk->sk_state == DCCP_CLOSED) {
++ dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
++ return 1;
+ }
+
+ if (sk->sk_state != DCCP_REQUESTING) {
+@@ -662,10 +665,6 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ }
+
+ switch (sk->sk_state) {
+- case DCCP_CLOSED:
+- dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
+- return 1;
+-
+ case DCCP_REQUESTING:
+ /* FIXME: do congestion control initialization */
+
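Review bot: The new `else if (sk->sk_state == DCCP_CLOSED)` branch carries no comment explaining why the CLOSED test must precede the later processing, which is the whole point of the reorder, and the backport marker `[dannf: backported to Debian's 2.6.26]` does not say what differs from the upstream commit. A comment on the branch, e.g. `/* RFC 4340, 8.3.1: a packet arriving in CLOSED is answered with a "No connection" Reset; test this before any further processing of a torn-down socket */`, plus a sentence in the backport note describing the deviation, would make the Debian copy reviewable against upstream. The `if` this branch chains onto and the rest of dccp_rcv_state_process lie outside the hunk, so the ordering relative to the LISTEN handling cannot be confirmed here.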
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-4-byte-infoleak-to-the-network.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/econet-4-byte-infoleak-to-the-network.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/econet-4-byte-infoleak-to-the-network.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/econet-4-byte-infoleak-to-the-network.patch)
@@ -0,0 +1,33 @@
+commit 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Thu Mar 17 01:40:10 2011 +0000
+
+ econet: 4 byte infoleak to the network
+
+ struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
+ x86_64. These bytes are not initialized in the variable 'ah' before
+ sending 'ah' to the network. This leads to 4 bytes kernel stack
+ infoleak.
+
+ This bug was introduced before the git epoch.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Acked-by: Phil Blundell <philb at gnu.org>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
+index 0c28263..116d3fd 100644
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -435,10 +435,10 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+ udpdest.sin_addr.s_addr = htonl(network | addr.station);
+ }
+
++ memset(&ah, 0, sizeof(ah));
+ ah.port = port;
+ ah.cb = cb & 0x7f;
+ ah.code = 2; /* magic */
+- ah.pad = 0;
+
+ /* tack our header on the front of the iovec */
+ size = sizeof(struct aunhdr);
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch)
@@ -0,0 +1,55 @@
+commit 3eb8e74ec72736b9b9d728bad30484ec89c91dde
+Author: Timo Warns <Warns at pre-sense.de>
+Date: Thu May 26 16:25:57 2011 -0700
+
+ fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops
+
+ The kernel automatically evaluates partition tables of storage devices.
+ The code for evaluating GUID partitions (in fs/partitions/efi.c) contains
+ a bug that causes a kernel oops on certain corrupted GUID partition
+ tables.
+
+ This bug has security impacts, because it allows, for example, to
+ prepare a storage device that crashes a kernel subsystem upon connecting
+ the device (e.g., a "USB Stick of (Partial) Death").
+
+ crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->header_size));
+
+ computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes.
+ There is no validation of (*gpt)->header_size before the efi_crc32 call.
+
+ A corrupted partition table may have large values for (*gpt)->header_size.
+ In this case, the CRC32 computation access memory beyond the memory
+ allocated for gpt, which may cause a kernel heap overflow.
+
+ Validate value of GUID partition table header size.
+
+ [akpm at linux-foundation.org: fix layout and indenting]
+ Signed-off-by: Timo Warns <warns at pre-sense.de>
+ Cc: Matt Domsch <Matt_Domsch at dell.com>
+ Cc: Eugene Teo <eugeneteo at kernel.sg>
+ Cc: Dave Jones <davej at codemonkey.org.uk>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.26]
+
+diff --git a/fs/partitions/efi.c b/fs/partitions/efi.c
+index 19d6750..6296b40 100644
+--- a/fs/partitions/efi.c
++++ b/fs/partitions/efi.c
+@@ -310,6 +310,15 @@ static int is_gpt_valid(struct parsed_partitions *state, u64 lba,
+ goto fail;
+ }
+
++ /* Check the GUID Partition Table header size */
++ if (le32_to_cpu((*gpt)->header_size) >
++ bdev_hardsect_size(bdev)) {
++ pr_debug("GUID Partition Table Header size is wrong: %u > %u\n",
++ le32_to_cpu((*gpt)->header_size),
++ bdev_hardsect_size(bdev));
++ goto fail;
++ }
++
+ /* Check the GUID Partition Table CRC */
+ origcrc = le32_to_cpu((*gpt)->header_crc32);
+ (*gpt)->header_crc32 = 0;
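Review bot: The new check bounds header_size only from above (larger than one sector), but not from below, so a header_size smaller than the header structure itself still passes and the CRC on the following lines is then computed over fewer bytes than the header fields is_gpt_valid reads afterwards (those reads are outside the hunk). The natural complement is a lower bound in the same block, `if (le32_to_cpu((*gpt)->header_size) < sizeof(gpt_header) || le32_to_cpu((*gpt)->header_size) > bdev_hardsect_size(bdev))`, with the struct name taken from the type declared for *gpt in efi.h. Also, bdev_hardsect_size() returns int while the pr_debug format uses %u, which is harmless but inconsistent. is_gpt_valid begins and ends outside the hunk.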
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-corrupted-osf-partition-parsing.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/fix-corrupted-osf-partition-parsing.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-corrupted-osf-partition-parsing.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/fix-corrupted-osf-partition-parsing.patch)
@@ -0,0 +1,68 @@
+commit 1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05
+Author: Timo Warns <Warns at pre-sense.de>
+Date: Mon Mar 14 14:59:33 2011 +0100
+
+ Fix corrupted OSF partition table parsing
+
+ The kernel automatically evaluates partition tables of storage devices.
+ The code for evaluating OSF partitions contains a bug that leaks data
+ from kernel heap memory to userspace for certain corrupted OSF
+ partitions.
+
+ In more detail:
+
+ for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) {
+
+ iterates from 0 to d_npartitions - 1, where d_npartitions is read from
+ the partition table without validation and partition is a pointer to an
+ array of at most 8 d_partitions.
+
+ Add the proper and obvious validation.
+
+ Signed-off-by: Timo Warns <warns at pre-sense.de>
+ Cc: stable at kernel.org
+ [ Changed the patch trivially to not repeat the whole le16_to_cpu()
+ thing, and to use an explicit constant for the magic value '8' ]
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: Adjusted to apply to Debian's 2.6.32]
+
+diff -urpN linux-source-2.6.32.orig/fs/partitions/osf.c linux-source-2.6.32/fs/partitions/osf.c
+--- linux-source-2.6.32.orig/fs/partitions/osf.c 2009-12-02 20:51:21.000000000 -0700
++++ linux-source-2.6.32/fs/partitions/osf.c 2011-03-22 23:27:01.507715211 -0600
+@@ -10,10 +10,13 @@
+ #include "check.h"
+ #include "osf.h"
+
++#define MAX_OSF_PARTITIONS 8
++
+ int osf_partition(struct parsed_partitions *state, struct block_device *bdev)
+ {
+ int i;
+ int slot = 1;
++ unsigned int npartitions;
+ Sector sect;
+ unsigned char *data;
+ struct disklabel {
+@@ -45,7 +48,7 @@ int osf_partition(struct parsed_partitio
+ u8 p_fstype;
+ u8 p_frag;
+ __le16 p_cpg;
+- } d_partitions[8];
++ } d_partitions[MAX_OSF_PARTITIONS];
+ } * label;
+ struct d_partition * partition;
+
+@@ -63,7 +66,12 @@ int osf_partition(struct parsed_partitio
+ put_dev_sector(sect);
+ return 0;
+ }
+- for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) {
++ npartitions = le16_to_cpu(label->d_npartitions);
++ if (npartitions > MAX_OSF_PARTITIONS) {
++ put_dev_sector(sect);
++ return 0;
++ }
++ for (i = 0 ; i < npartitions; i++, partition++) {
+ if (slot == state->limit)
+ break;
+ if (le32_to_cpu(partition->p_size))
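Review bot: The provenance trailer `[dannf: Adjusted to apply to Debian's 2.6.32]` and the `linux-source-2.6.32.orig/...` paths do not match the tree this file is being added to (lenny, 2.6.26), which will confuse anyone auditing which kernel the backport was tested against; the same mismatch is in the increase-osf-partition-limit-from-8-to-18.patch section. The diff still applies with the usual path stripping, so this is a documentation issue, but the trailer should say 2.6.26 if that is what it was adjusted for. As a minor point of style, the new loop compares the `int i` from the context against the new `unsigned int npartitions`, which is safe here because npartitions is capped at MAX_OSF_PARTITIONS but will trip -Wsign-compare. osf_partition continues outside the hunk.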
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-for-buffer-overflow-in-ldm_frag_add-not-sufficient.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/fix-for-buffer-overflow-in-ldm_frag_add-not-sufficient.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/fix-for-buffer-overflow-in-ldm_frag_add-not-sufficient.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/fix-for-buffer-overflow-in-ldm_frag_add-not-sufficient.patch)
@@ -0,0 +1,34 @@
+commit cae13fe4cc3f24820ffb990c09110626837e85d4
+Author: Timo Warns <Warns at pre-sense.de>
+Date: Thu May 19 09:24:17 2011 +0200
+
+ Fix for buffer overflow in ldm_frag_add not sufficient
+
+ As Ben Hutchings discovered [1], the patch for CVE-2011-1017 (buffer
+ overflow in ldm_frag_add) is not sufficient. The original patch in
+ commit c340b1d64000 ("fs/partitions/ldm.c: fix oops caused by corrupted
+ partition table") does not consider that, for subsequent fragments,
+ previously allocated memory is used.
+
+ [1] http://lkml.org/lkml/2011/5/6/407
+
+ Reported-by: Ben Hutchings <ben at decadent.org.uk>
+ Signed-off-by: Timo Warns <warns at pre-sense.de>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c
+index ce4f624..a29d5cc 100644
+--- a/fs/partitions/ldm.c
++++ b/fs/partitions/ldm.c
+@@ -1335,6 +1335,11 @@ static bool ldm_frag_add (const u8 *data, int size, struct list_head *frags)
+
+ list_add_tail (&f->list, frags);
+ found:
++ if (rec >= f->num) {
++ ldm_error("REC value (%d) exceeds NUM value (%d)", rec, f->num);
++ return false;
++ }
++
+ if (f->map & (1 << rec)) {
+ ldm_error ("Duplicate VBLK, part %d.", rec);
+ f->map &= 0x7F; /* Mark the group as broken */
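Review bot: The added `ldm_error("REC value (%d) exceeds NUM value (%d)", rec, f->num);` does not follow the spacing convention of the surrounding file, where calls are written `ldm_error ("Duplicate VBLK, part %d.", rec);` with a space before the parenthesis; matching it keeps the file consistent. Placing the check at the `found:` label is what makes it cover both the freshly allocated and the previously found fragment, and a one-line comment such as `/* both new and existing fragments reach here; rec must index within f->map */` would make that intent visible. ldm_frag_add begins and ends outside the hunk.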
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/fs-cifs-reject-dns-upcall-add_key-req-from-userspace.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/fs-cifs-reject-dns-upcall-add_key-req-from-userspace.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/fs-cifs-reject-dns-upcall-add_key-req-from-userspace.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/fs-cifs-reject-dns-upcall-add_key-req-from-userspace.patch)
@@ -0,0 +1,33 @@
+From: Jeff Layton <jlayton at redhat.com>
+Date: Thu, 8 Jul 2010 14:00:27 -0400
+Subject: [fs] cifs: reject DNS upcall add_key req from userspace
+Message-id: <1278597627-23193-3-git-send-email-jlayton at redhat.com>
+Patchwork-id: 26764
+O-Subject: [RHEL5.6 PATCH 2/2] BZ#612171: cifs: have DNS upcall reject add_key
+ requests from userspace
+Bugzilla: 612171
+CVE: CVE-2010-2524
+RH-Acked-by: Steve Dickson <SteveD at redhat.com>
+RH-Acked-by: David Howells <dhowells at redhat.com>
+
+The dns_resolver keyring is susceptible to cache stuffing -- a user
+could preload the keyring and then trick the kernel into following a DFS
+referral to a server of his choosing. Use KEY_FLAG_ADDED to reject
+add_key requests for the dns_resolver key type.
+
+Signed-off-by: Jeff Layton <jlayton at redhat.com>
+[dannf: Ported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/fs/cifs/dns_resolve.c linux-source-2.6.26/fs/cifs/dns_resolve.c
+--- linux-source-2.6.26.orig/fs/cifs/dns_resolve.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/fs/cifs/dns_resolve.c 2011-05-29 12:16:29.488948431 -0600
+@@ -35,6 +35,9 @@ static int dns_resolver_instantiate(stru
+ int rc = 0;
+ char *ip;
+
++ if (test_bit(KEY_FLAG_ADDED, &key->flags))
++ return -EACCES;
++
+ ip = kmalloc(datalen+1, GFP_KERNEL);
+ if (!ip)
+ return -ENOMEM;
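Review bot: The added `test_bit(KEY_FLAG_ADDED, &key->flags)` relies on KEY_FLAG_ADDED being defined and set by the add_key() path, and nothing in this patch introduces it; the RHEL header marks this as "PATCH 2/2", so the companion 1/2 change is presumably what provides the flag. If that companion is not in this series the build fails, or worse, if the flag is defined but never set, the check silently becomes a no-op and the described cache-stuffing remains possible. The `[dannf: Ported to Debian's 2.6.26]` trailer should name the patch that supplies the flag. dns_resolver_instantiate continues outside the hunk.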
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/fs-partitions-Validate-map_count-in-Mac-partition-tables.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/fs-partitions-Validate-map_count-in-Mac-partition-tables.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/fs-partitions-Validate-map_count-in-Mac-partition-tables.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/fs-partitions-Validate-map_count-in-Mac-partition-tables.patch)
@@ -0,0 +1,62 @@
+commit fa7ea87a057958a8b7926c1a60a3ca6d696328ed
+Author: Timo Warns <warns at pre-sense.de>
+Date: Thu Feb 17 22:27:40 2011 +0100
+
+ fs/partitions: Validate map_count in Mac partition tables
+
+ Validate number of blocks in map and remove redundant variable.
+
+ Signed-off-by: Timo Warns <warns at pre-sense.de>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.26]
+
+diff --git a/fs/partitions/mac.c b/fs/partitions/mac.c
+index d4a0fad..5765198 100644
+--- a/fs/partitions/mac.c
++++ b/fs/partitions/mac.c
+@@ -29,10 +29,9 @@ static inline void mac_fix_string(char *stg, int len)
+
+ int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
+ {
+- int slot = 1;
+ Sector sect;
+ unsigned char *data;
+- int blk, blocks_in_map;
++ int slot, blocks_in_map;
+ unsigned secsize;
+ #ifdef CONFIG_PPC_PMAC
+ int found_root = 0;
+@@ -59,10 +58,14 @@ int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
+ put_dev_sector(sect);
+ return 0; /* not a MacOS disk */
+ }
+- printk(" [mac]");
+ blocks_in_map = be32_to_cpu(part->map_count);
+- for (blk = 1; blk <= blocks_in_map; ++blk) {
+- int pos = blk * secsize;
++ if (blocks_in_map < 0 || blocks_in_map >= MAX_PART) {
++ put_dev_sector(sect);
++ return 0;
++ }
++ printk(" [mac]");
++ for (slot = 1; slot <= blocks_in_map; ++slot) {
++ int pos = slot * secsize;
+ put_dev_sector(sect);
+ data = read_dev_sector(bdev, pos/512, §);
+ if (!data)
+@@ -113,13 +116,11 @@ int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
+ }
+
+ if (goodness > found_root_goodness) {
+- found_root = blk;
++ found_root = slot;
+ found_root_goodness = goodness;
+ }
+ }
+ #endif /* CONFIG_PPC_PMAC */
+-
+- ++slot;
+ }
+ #ifdef CONFIG_PPC_PMAC
+ if (found_root_goodness)
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/gre-fix-netns-vs-proto-registration-ordering.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/gre-fix-netns-vs-proto-registration-ordering.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/gre-fix-netns-vs-proto-registration-ordering.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/gre-fix-netns-vs-proto-registration-ordering.patch)
@@ -0,0 +1,49 @@
+commit c2892f02712e9516d72841d5c019ed6916329794
+Author: Alexey Dobriyan <adobriyan at gmail.com>
+Date: Tue Feb 16 07:57:44 2010 +0000
+
+ gre: fix netns vs proto registration ordering
+
+ GRE protocol receive hook can be called right after protocol addition is done.
+ If netns stuff is not yet initialized, we're going to oops in
+ net_generic().
+
+ This is remotely oopsable if ip_gre is compiled as module and packet
+ comes at unfortunate moment of module loading.
+
+ Signed-off-by: Alexey Dobriyan <adobriyan at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ [dannf: backported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/net/ipv4/ip_gre.c linux-source-2.6.26/net/ipv4/ip_gre.c
+--- linux-source-2.6.26.orig/net/ipv4/ip_gre.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/ipv4/ip_gre.c 2011-06-05 19:39:48.411064447 -0600
+@@ -1235,16 +1235,22 @@ static int __init ipgre_init(void)
+
+ printk(KERN_INFO "GRE over IPv4 tunneling driver\n");
+
+- if (inet_add_protocol(&ipgre_protocol, IPPROTO_GRE) < 0) {
+- printk(KERN_INFO "ipgre init: can't add protocol\n");
+- return -EAGAIN;
+- }
+-
+ err = register_pernet_gen_device(&ipgre_net_id, &ipgre_net_ops);
+ if (err < 0)
+- inet_del_protocol(&ipgre_protocol, IPPROTO_GRE);
++ return err;
+
++ err = inet_add_protocol(&ipgre_protocol, IPPROTO_GRE);
++ if (err < 0) {
++ printk(KERN_INFO "ipgre init: can't add protocol\n");
++ goto add_proto_failed;
++ }
++
++ out:
+ return err;
++
++ add_proto_failed:
++ unregister_pernet_gen_device(ipgre_net_id, &ipgre_net_ops);
++ goto out;
+ }
+
+ static void __exit ipgre_fini(void)
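Review bot: The failure path is written as `add_proto_failed:` followed by `goto out;` where `out:` is just `return err;`, an indirection that adds two labels to a function that needs none. Writing `add_proto_failed: unregister_pernet_gen_device(ipgre_net_id, &ipgre_net_ops); return err;` and dropping the `out:` label reads the same way and removes the forward jump past the label on the success path. The ordering itself (pernet registration before protocol registration) is the fix and is correct as written. ipgre_init begins outside the hunk.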
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch)
@@ -0,0 +1,39 @@
+commit d0d57ad143753293b2dfc52b13740234131c2f5d
+Author: Sean Hefty <sean.hefty at intel.com>
+Date: Wed Feb 23 08:17:40 2011 -0800
+
+ IB/cm: Bump reference count on cm_id before invoking callback
+
+ commit 29963437a48475036353b95ab142bf199adb909e upstream.
+
+ When processing a SIDR REQ, the ib_cm allocates a new cm_id. The
+ refcount of the cm_id is initialized to 1. However, cm_process_work
+ will decrement the refcount after invoking all callbacks. The result
+ is that the cm_id will end up with refcount set to 0 by the end of the
+ sidr req handler.
+
+ If a user tries to destroy the cm_id, the destruction will proceed,
+ under the incorrect assumption that no other threads are referencing
+ the cm_id. This can lead to a crash when the cm callback thread tries
+ to access the cm_id.
+
+ This problem was noticed as part of a larger investigation with kernel
+ crashes in the rdma_cm when running on a real time OS.
+
+ Signed-off-by: Sean Hefty <sean.hefty at intel.com>
+ Acked-by: Doug Ledford <dledford at redhat.com>
+ Signed-off-by: Roland Dreier <roland at purestorage.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
+index 922d35f..29deac3 100644
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -2987,6 +2987,7 @@ static int cm_sidr_req_handler(struct cm_work *work)
+ goto out; /* No match. */
+ }
+ atomic_inc(&cur_cm_id_priv->refcount);
++ atomic_inc(&cm_id_priv->refcount);
+ spin_unlock_irq(&cm.lock);
+
+ cm_id_priv->id.cm_handler = cur_cm_id_priv->id.cm_handler;
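Review bot: The new `atomic_inc(&cm_id_priv->refcount);` has no comment saying which release balances it, and the commit message states the matching decrement happens in cm_process_work after the callbacks run, which is nowhere near this line. A reader who later sees a refcount initialised to 1 plus this increment will suspect a leak unless told otherwise, so a comment such as `/* extra reference is dropped by cm_process_work() once the callbacks return */` is warranted. cm_sidr_req_handler begins and ends outside the hunk.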
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/increase-osf-partition-limit-from-8-to-18.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/increase-osf-partition-limit-from-8-to-18.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/increase-osf-partition-limit-from-8-to-18.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/increase-osf-partition-limit-from-8-to-18.patch)
@@ -0,0 +1,33 @@
+commit 34d211a2d5df4984a35b18d8ccacbe1d10abb067
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Wed Mar 16 08:04:07 2011 -0700
+
+ Increase OSF partition limit from 8 to 18
+
+ It turns out that while a maximum of 8 partitions may be what people
+ "should" have had, you can actually fit up to 18 entries(*) in a sector.
+
+ And some people clearly were taking advantage of that, like Michael
+ Cree, who had ten partitions on one of his OSF disks.
+
+ (*) The OSF partition data starts at byte offset 64 in the first sector,
+ and the array of 16-byte partition entries start at offset 148 in
+ the on-disk partition structure.
+
+ Reported-by: Michael Cree <mcree at orcon.net.nz>
+ Cc: stable at kernel.org (v2.6.38)
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: Adjusted to apply to Debian's 2.6.32]
+
+diff -urpN linux-source-2.6.32.orig/fs/partitions/osf.c linux-source-2.6.32/fs/partitions/osf.c
+--- linux-source-2.6.32.orig/fs/partitions/osf.c 2011-03-22 23:27:01.507715211 -0600
++++ linux-source-2.6.32/fs/partitions/osf.c 2011-03-22 23:30:09.964362350 -0600
+@@ -10,7 +10,7 @@
+ #include "check.h"
+ #include "osf.h"
+
+-#define MAX_OSF_PARTITIONS 8
++#define MAX_OSF_PARTITIONS 18
+
+ int osf_partition(struct parsed_partitions *state, struct block_device *bdev)
+ {
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch)
@@ -0,0 +1,49 @@
+commit 6a8ab060779779de8aea92ce3337ca348f973f54
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Tue Mar 15 13:37:13 2011 +0100
+
+ ipv6: netfilter: ip6_tables: fix infoleak to userspace
+
+ Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
+ copied from userspace. Fields of these structs that are
+ zero-terminated strings are not checked. When they are used as argument
+ to a format string containing "%s" in request_module(), some sensitive
+ information is leaked to userspace via argument of spawned modprobe
+ process.
+
+ The first bug was introduced before the git epoch; the second was
+ introduced in 3bc3fe5e (v2.6.25-rc1); the third is introduced by
+ 6b7d31fc (v2.6.15-rc1). To trigger the bug one should have
+ CAP_NET_ADMIN.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Signed-off-by: Patrick McHardy <kaber at trash.net>
+
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index 47b7b8d..c9598a9 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1275,6 +1275,7 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
+ /* overflow check */
+ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
++ tmp.name[sizeof(tmp.name)-1] = 0;
+
+ newinfo = xt_alloc_table_info(tmp.size);
+ if (!newinfo)
+@@ -1822,6 +1823,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
+ return -ENOMEM;
+ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
++ tmp.name[sizeof(tmp.name)-1] = 0;
+
+ newinfo = xt_alloc_table_info(tmp.size);
+ if (!newinfo)
+@@ -2051,6 +2053,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+ ret = -EFAULT;
+ break;
+ }
++ rev.name[sizeof(rev.name)-1] = 0;
+
+ if (cmd == IP6T_SO_GET_REVISION_TARGET)
+ target = 1;
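Review bot: The three added `tmp.name[sizeof(tmp.name)-1] = 0;` / `rev.name[sizeof(rev.name)-1] = 0;` lines are bare assignments with no indication of why they exist, and the reason (the buffer is copied from userspace and later reaches a "%s" in request_module) is only in the commit message. A comment on each, for example `/* copied from userspace; force NUL-termination before it reaches request_module("%s") */`, would stop a future cleanup from dropping them as redundant. The same applies to the identical lines in the netfilter-arp_tables and netfilter-ip_tables sections. All three enclosing functions begin and end outside their hunks.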
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/irda-validate-peer-name-and-attribute-lengths.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/irda-validate-peer-name-and-attribute-lengths.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/irda-validate-peer-name-and-attribute-lengths.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/irda-validate-peer-name-and-attribute-lengths.patch)
@@ -0,0 +1,35 @@
+commit d370af0ef7951188daeb15bae75db7ba57c67846
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Sun Mar 20 15:32:06 2011 +0000
+
+ irda: validate peer name and attribute lengths
+
+ Length fields provided by a peer for names and attributes may be longer
+ than the destination array sizes. Validate lengths to prevent stack
+ buffer overflows.
+
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Cc: stable at kernel.org
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/irda/iriap.c b/net/irda/iriap.c
+index 5b743bd..3647753 100644
+--- a/net/irda/iriap.c
++++ b/net/irda/iriap.c
+@@ -656,10 +656,16 @@ static void iriap_getvaluebyclass_indication(struct iriap_cb *self,
+ n = 1;
+
+ name_len = fp[n++];
++
++ IRDA_ASSERT(name_len < IAS_MAX_CLASSNAME + 1, return;);
++
+ memcpy(name, fp+n, name_len); n+=name_len;
+ name[name_len] = '\0';
+
+ attr_len = fp[n++];
++
++ IRDA_ASSERT(attr_len < IAS_MAX_ATTRIBNAME + 1, return;);
++
+ memcpy(attr, fp+n, attr_len); n+=attr_len;
+ attr[attr_len] = '\0';
+
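Review bot: The bounds checks are expressed through IRDA_ASSERT, which reads like a debug-only macro; as far as I recall it keeps executing its action argument even when CONFIG_IRDA_DEBUG is off, so `return;` still fires, but that is not obvious at the call site. A comment such as `/* not debug-only: IRDA_ASSERT always runs the return; on a too-long length */` would prevent a later reader from assuming the check disappears in production builds, and it is worth confirming against the macro definition for this tree. Note that in the non-debug build the frame is then dropped silently, with no log line to show a peer is sending oversized names. iriap_getvaluebyclass_indication begins and ends outside the hunk.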
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/ldm-corrupted-partition-table-can-cause-kernel-oops.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/ldm-corrupted-partition-table-can-cause-kernel-oops.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/ldm-corrupted-partition-table-can-cause-kernel-oops.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/ldm-corrupted-partition-table-can-cause-kernel-oops.patch)
@@ -0,0 +1,39 @@
+commit 294f6cf48666825d23c9372ef37631232746e40d
+Author: Timo Warns <Warns at pre-sense.de>
+Date: Fri Feb 25 14:44:21 2011 -0800
+
+ ldm: corrupted partition table can cause kernel oops
+
+ The kernel automatically evaluates partition tables of storage devices.
+ The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
+ a bug that causes a kernel oops on certain corrupted LDM partitions. A
+ kernel subsystem seems to crash, because, after the oops, the kernel no
+ longer recognizes newly connected storage devices.
+
+ The patch changes ldm_parse_vmdb() to Validate the value of vblk_size.
+
+ Signed-off-by: Timo Warns <warns at pre-sense.de>
+ Cc: Eugene Teo <eugeneteo at kernel.sg>
+ Acked-by: Richard Russon <ldm at flatcap.org>
+ Cc: Harvey Harrison <harvey.harrison at gmail.com>
+ Cc: <stable at kernel.org>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.26]
+
+diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c
+index 0fdda2e..2ebdde7 100644
+--- a/fs/partitions/ldm.c
++++ b/fs/partitions/ldm.c
+@@ -251,6 +251,11 @@ static bool ldm_parse_vmdb (const u8 *data, struct vmdb *vm)
+ }
+
+ vm->vblk_size = BE32 (data + 0x08);
++ if (vm->vblk_size == 0) {
++ ldm_error ("Illegal VBLK size");
++ return false;
++ }
++
+ vm->vblk_offset = BE32 (data + 0x0C);
+ vm->last_vblk_seq = BE32 (data + 0x04);
+
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/net-ax25-fix-information-leak-to-userland-harder.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/net-ax25-fix-information-leak-to-userland-harder.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/net-ax25-fix-information-leak-to-userland-harder.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/net-ax25-fix-information-leak-to-userland-harder.patch)
@@ -0,0 +1,28 @@
+commit 5b919f833d9d60588d026ad82d17f17e8872c7a9
+Author: Kees Cook <kees.cook at canonical.com>
+Date: Wed Jan 12 00:34:49 2011 -0800
+
+ net: ax25: fix information leak to userland harder
+
+ Commit fe10ae53384e48c51996941b7720ee16995cbcb7 adds a memset() to clear
+ the structure being sent back to userspace, but accidentally used the
+ wrong size.
+
+ Reported-by: Brad Spengler <spender at grsecurity.net>
+ Signed-off-by: Kees Cook <kees.cook at canonical.com>
+ Cc: stable at kernel.org
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index bb86d29..6da5dae 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1392,7 +1392,7 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr,
+ ax25_cb *ax25;
+ int err = 0;
+
+- memset(fsa, 0, sizeof(fsa));
++ memset(fsa, 0, sizeof(*fsa));
+ lock_sock(sk);
+ ax25 = ax25_sk(sk);
+
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/net-clear-heap-allocations-for-privileged-ethtool-actions.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/net-clear-heap-allocations-for-privileged-ethtool-actions.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/net-clear-heap-allocations-for-privileged-ethtool-actions.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/net-clear-heap-allocations-for-privileged-ethtool-actions.patch)
@@ -0,0 +1,30 @@
+commit b00916b189d13a615ff05c9242201135992fcda3
+Author: Kees Cook <kees.cook at canonical.com>
+Date: Mon Oct 11 12:23:25 2010 -0700
+
+ net: clear heap allocations for privileged ethtool actions
+
+ Several other ethtool functions leave heap uncleared (potentially) by
+ drivers. Some interfaces appear safe (eeprom, etc), in that the sizes
+ are well controlled. In some situations (e.g. unchecked error conditions),
+ the heap will remain unchanged in areas before copying back to userspace.
+ Note that these are less of an issue since these all require CAP_NET_ADMIN.
+
+ Cc: stable at kernel.org
+ Signed-off-by: Kees Cook <kees.cook at canonical.com>
+ Acked-by: Ben Hutchings <bhutchings at solarflare.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ [dannf: backported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/net/core/ethtool.c linux-source-2.6.26/net/core/ethtool.c
+--- linux-source-2.6.26.orig/net/core/ethtool.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/core/ethtool.c 2011-03-30 22:30:58.796187153 -0600
+@@ -226,7 +226,7 @@ static int ethtool_get_regs(struct net_d
+ if (regs.len > reglen)
+ regs.len = reglen;
+
+- regbuf = kmalloc(reglen, GFP_USER);
++ regbuf = kzalloc(reglen, GFP_USER);
+ if (!regbuf)
+ return -ENOMEM;
+
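Review bot: The commit message says several ethtool functions leave heap uncleared, but the backport only switches ethtool_get_regs to kzalloc, and the `[dannf: backported to Debian's 2.6.26]` trailer does not say whether the other upstream hunks were dropped because those functions do not exist in 2.6.26 or because they were overlooked. A sentence in the trailer naming what was intentionally left out would let a later auditor confirm the backport is complete. ethtool_get_regs begins and ends outside the hunk.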
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/netfilter-arp_tables-fix-infoleak-to-userspace.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/netfilter-arp_tables-fix-infoleak-to-userspace.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/netfilter-arp_tables-fix-infoleak-to-userspace.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/netfilter-arp_tables-fix-infoleak-to-userspace.patch)
@@ -0,0 +1,50 @@
+commit 42eab94fff18cb1091d3501cd284d6bd6cc9c143
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Tue Mar 15 13:35:21 2011 +0100
+
+ netfilter: arp_tables: fix infoleak to userspace
+
+ Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
+ copied from userspace. Fields of these structs that are
+ zero-terminated strings are not checked. When they are used as argument
+ to a format string containing "%s" in request_module(), some sensitive
+ information is leaked to userspace via argument of spawned modprobe
+ process.
+
+ The first bug was introduced before the git epoch; the second is
+ introduced by 6b7d31fc (v2.6.15-rc1); the third is introduced by
+ 6b7d31fc (v2.6.15-rc1). To trigger the bug one should have
+ CAP_NET_ADMIN.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Signed-off-by: Patrick McHardy <kaber at trash.net>
+ [dannf: backported to Debian's 2.6.26]
+
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index 03e83a6..3c8d072 100644
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -1033,6 +1033,7 @@ static int do_replace(struct net *net, void __user *user, unsigned int len)
+ /* overflow check */
+ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
++ tmp.name[sizeof(tmp.name)-1] = 0;
+
+ newinfo = xt_alloc_table_info(tmp.size);
+ if (!newinfo)
+@@ -1453,6 +1454,7 @@ static int compat_do_replace(struct net *net, void __user *user,
+ return -ENOMEM;
+ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
++ tmp.name[sizeof(tmp.name)-1] = 0;
+
+ newinfo = xt_alloc_table_info(tmp.size);
+ if (!newinfo)
+@@ -1708,6 +1710,7 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
+ ret = -EFAULT;
+ break;
+ }
++ rev.name[sizeof(rev.name)-1] = 0;
+
+ try_then_request_module(xt_find_revision(NF_ARP, rev.name,
+ rev.revision, 1, &ret),
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/netfilter-ip_tables-fix-infoleak-to-userspace.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/netfilter-ip_tables-fix-infoleak-to-userspace.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/netfilter-ip_tables-fix-infoleak-to-userspace.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/netfilter-ip_tables-fix-infoleak-to-userspace.patch)
@@ -0,0 +1,48 @@
+commit 78b79876761b86653df89c48a7010b5cbd41a84a
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Tue Mar 15 13:36:05 2011 +0100
+
+ netfilter: ip_tables: fix infoleak to userspace
+
+ Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
+ copied from userspace. Fields of these structs that are
+ zero-terminated strings are not checked. When they are used as argument
+ to a format string containing "%s" in request_module(), some sensitive
+ information is leaked to userspace via argument of spawned modprobe
+ process.
+
+ The first and the third bugs were introduced before the git epoch; the
+ second was introduced in 2722971c (v2.6.17-rc1). To trigger the bug
+ one should have CAP_NET_ADMIN.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Signed-off-by: Patrick McHardy <kaber at trash.net>
+
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index ef7d7b9..b09ed0d 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -1262,6 +1262,7 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
+ /* overflow check */
+ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
++ tmp.name[sizeof(tmp.name)-1] = 0;
+
+ newinfo = xt_alloc_table_info(tmp.size);
+ if (!newinfo)
+@@ -1807,6 +1808,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
+ return -ENOMEM;
+ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
++ tmp.name[sizeof(tmp.name)-1] = 0;
+
+ newinfo = xt_alloc_table_info(tmp.size);
+ if (!newinfo)
+@@ -2036,6 +2038,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+ ret = -EFAULT;
+ break;
+ }
++ rev.name[sizeof(rev.name)-1] = 0;
+
+ if (cmd == IPT_SO_GET_REVISION_TARGET)
+ target = 1;
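Review bot: The three `= 0` stores (do_replace, compat_do_replace and the revision branch of do_ipt_get_ctl) carry no comment, so a later reader sees an unexplained write into a struct that was just copied from userspace. A one-line comment at each site, e.g. `/* NUL-terminate: the user-supplied name is later formatted with "%s" into a request_module() argument */`, keeps the reason given in the patch description next to the code. Writing the terminator as `'\0'` rather than `0` would also make the intent self-evident. All three enclosing functions extend outside the hunk.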
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/netns-xfrm-fixup-xfrm6_tunnel-error-propagation.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/netns-xfrm-fixup-xfrm6_tunnel-error-propagation.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/netns-xfrm-fixup-xfrm6_tunnel-error-propagation.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/netns-xfrm-fixup-xfrm6_tunnel-error-propagation.patch)
@@ -0,0 +1,46 @@
+commit e924960dacdf85d118a98c7262edf2f99c3015cf
+Author: Alexey Dobriyan <adobriyan at gmail.com>
+Date: Mon Jan 25 10:28:21 2010 +0000
+
+ netns xfrm: fixup xfrm6_tunnel error propagation
+
+ Signed-off-by: Alexey Dobriyan <adobriyan at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
+index 438831d..23fb100 100644
+--- a/net/ipv6/xfrm6_tunnel.c
++++ b/net/ipv6/xfrm6_tunnel.c
+@@ -353,13 +353,19 @@ static struct xfrm6_tunnel xfrm46_tunnel_handler = {
+
+ static int __init xfrm6_tunnel_init(void)
+ {
+- if (xfrm_register_type(&xfrm6_tunnel_type, AF_INET6) < 0)
++ int rv;
++
++ rv = xfrm_register_type(&xfrm6_tunnel_type, AF_INET6);
++ if (rv < 0)
+ goto err;
+- if (xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6))
++ rv = xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6);
++ if (rv < 0)
+ goto unreg;
+- if (xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET))
++ rv = xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET);
++ if (rv < 0)
+ goto dereg6;
+- if (xfrm6_tunnel_spi_init() < 0)
++ rv = xfrm6_tunnel_spi_init();
++ if (rv < 0)
+ goto dereg46;
+ return 0;
+
+@@ -370,7 +376,7 @@ dereg6:
+ unreg:
+ xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
+ err:
+- return -EAGAIN;
++ return rv;
+ }
+
+ static void __exit xfrm6_tunnel_fini(void)
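Review bot: The tests on the two xfrm6_tunnel_register() calls change from "any non-zero return" to `rv < 0`; if that function can report failure with a positive value, the new code continues past the error instead of unwinding, so it is worth confirming the callee only returns 0 or a negative errno in the 2.6.26 tree. Propagating the callee's value itself is the right change, since the former unconditional `-EAGAIN` hid the real reason for the failure. This patch's log does not say why it is in a security update; presumably it is a prerequisite for a following backport, and a line in the patch header saying so would help later readers. The unwind labels (dereg46/dereg6) sit between the two hunks, outside what is shown.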
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/next_pidmap-fix-overflow-condition.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/next_pidmap-fix-overflow-condition.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/next_pidmap-fix-overflow-condition.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/next_pidmap-fix-overflow-condition.patch)
@@ -0,0 +1,60 @@
+commit c78193e9c7bcbf25b8237ad0dec82f805c4ea69b
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Mon Apr 18 10:35:30 2011 -0700
+
+ next_pidmap: fix overflow condition
+
+ next_pidmap() just quietly accepted whatever 'last' pid that was passed
+ in, which is not all that safe when one of the users is /proc.
+
+ Admittedly the proc code should do some sanity checking on the range
+ (and that will be the next commit), but that doesn't mean that the
+ helper functions should just do that pidmap pointer arithmetic without
+ checking the range of its arguments.
+
+ So clamp 'last' to PID_MAX_LIMIT. The fact that we then do "last+1"
+ doesn't really matter, the for-loop does check against the end of the
+ pidmap array properly (it's only the actual pointer arithmetic overflow
+ case we need to worry about, and going one bit beyond isn't going to
+ overflow).
+
+ [ Use PID_MAX_LIMIT rather than pid_max as per Eric Biederman ]
+
+ Reported-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+ Analyzed-by: Robert Święcki <robert at swiecki.net>
+ Cc: Eric W. Biederman <ebiederm at xmission.com>
+ Cc: Pavel Emelyanov <xemul at openvz.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/include/linux/pid.h linux-source-2.6.26/include/linux/pid.h
+--- linux-source-2.6.26.orig/include/linux/pid.h 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/linux/pid.h 2011-06-02 22:25:05.950398468 -0600
+@@ -119,7 +119,7 @@ extern struct pid *find_pid(int nr);
+ */
+ extern struct pid *find_get_pid(int nr);
+ extern struct pid *find_ge_pid(int nr, struct pid_namespace *);
+-int next_pidmap(struct pid_namespace *pid_ns, int last);
++int next_pidmap(struct pid_namespace *pid_ns, unsigned int last);
+
+ extern struct pid *alloc_pid(struct pid_namespace *ns);
+ extern void free_pid(struct pid *pid);
+diff -urpN linux-source-2.6.26.orig/kernel/pid.c linux-source-2.6.26/kernel/pid.c
+--- linux-source-2.6.26.orig/kernel/pid.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/kernel/pid.c 2011-06-02 22:25:05.950398468 -0600
+@@ -181,11 +181,14 @@ static int alloc_pidmap(struct pid_names
+ return -1;
+ }
+
+-int next_pidmap(struct pid_namespace *pid_ns, int last)
++int next_pidmap(struct pid_namespace *pid_ns, unsigned int last)
+ {
+ int offset;
+ struct pidmap *map, *end;
+
++ if (last >= PID_MAX_LIMIT)
++ return -1;
++
+ offset = (last + 1) & BITS_PER_PAGE_MASK;
+ map = &pid_ns->pidmap[(last + 1)/BITS_PER_PAGE];
+ end = &pid_ns->pidmap[PIDMAP_ENTRIES];
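Review bot: The new guard `if (last >= PID_MAX_LIMIT) return -1;` relies on the signature change to `unsigned int last` so that negative values from callers wrap to large numbers and are rejected, but nothing in the code says so; suggest a comment such as `/* last is unsigned on purpose: a negative pid from a caller wraps and is rejected here, before the pidmap[] index arithmetic below */`. The reasoning in the log about `last + 1` being safe (the loop bounds against `end`) also deserves a short comment at the `map =` line, since `(last + 1)/BITS_PER_PAGE` still reads as unchecked on its own. Every caller of next_pidmap() now passes its argument through an int-to-unsigned conversion; the callers are outside this hunk, so confirm none passes -1 as a deliberate "start" sentinel. The rest of next_pidmap() is outside the hunk.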
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch)
@@ -0,0 +1,26 @@
+commit 43b7c3f051dea504afccc39bcb56d8e26c2e0b77
+Author: Jovi Zhang <bookjovi at gmail.com>
+Date: Wed Mar 2 23:19:37 2011 +0000
+
+ nfs: fix compilation warning
+
+ this commit fix compilation warning as following:
+ linux-2.6/fs/nfs/nfs4proc.c:3265: warning: comparison of distinct pointer types lacks a cast
+
+ Signed-off-by: Jovi Zhang <bookjovi at gmail.com>
+ Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+ [dannf: backported to Debian's 2.6.26]
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index b295e70..096a8b6 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -2572,7 +2572,7 @@ static int buf_to_pages_noslab(const void *buf, size_t buflen,
+ spages = pages;
+
+ do {
+- len = min(PAGE_CACHE_SIZE, buflen);
++ len = min_t(size_t, PAGE_CACHE_SIZE, buflen);
+ newpage = alloc_page(GFP_KERNEL);
+
+ if (newpage == NULL)
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch)
@@ -0,0 +1,144 @@
+commit e9e3d724e2145f5039b423c290ce2b2c3d8f94bc
+Author: Neil Horman <nhorman at tuxdriver.com>
+Date: Fri Mar 4 19:26:03 2011 -0500
+
+ nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab (v3)
+
+ The "bad_page()" page allocator sanity check was reported recently (call
+ chain as follows):
+
+ bad_page+0x69/0x91
+ free_hot_cold_page+0x81/0x144
+ skb_release_data+0x5f/0x98
+ __kfree_skb+0x11/0x1a
+ tcp_ack+0x6a3/0x1868
+ tcp_rcv_established+0x7a6/0x8b9
+ tcp_v4_do_rcv+0x2a/0x2fa
+ tcp_v4_rcv+0x9a2/0x9f6
+ do_timer+0x2df/0x52c
+ ip_local_deliver+0x19d/0x263
+ ip_rcv+0x539/0x57c
+ netif_receive_skb+0x470/0x49f
+ :virtio_net:virtnet_poll+0x46b/0x5c5
+ net_rx_action+0xac/0x1b3
+ __do_softirq+0x89/0x133
+ call_softirq+0x1c/0x28
+ do_softirq+0x2c/0x7d
+ do_IRQ+0xec/0xf5
+ default_idle+0x0/0x50
+ ret_from_intr+0x0/0xa
+ default_idle+0x29/0x50
+ cpu_idle+0x95/0xb8
+ start_kernel+0x220/0x225
+ _sinittext+0x22f/0x236
+
+ It occurs because an skb with a fraglist was freed from the tcp
+ retransmit queue when it was acked, but a page on that fraglist had
+ PG_Slab set (indicating it was allocated from the Slab allocator (which
+ means the free path above can't safely free it via put_page.
+
+ We tracked this back to an nfsv4 setacl operation, in which the nfs code
+ attempted to fill convert the passed in buffer to an array of pages in
+ __nfs4_proc_set_acl, which gets used by the skb->frags list in
+ xs_sendpages. __nfs4_proc_set_acl just converts each page in the buffer
+ to a page struct via virt_to_page, but the vfs allocates the buffer via
+ kmalloc, meaning the PG_slab bit is set. We can't create a buffer with
+ kmalloc and free it later in the tcp ack path with put_page, so we need
+ to either:
+
+ 1) ensure that when we create the list of pages, no page struct has
+ PG_Slab set
+
+ or
+
+ 2) not use a page list to send this data
+
+ Given that these buffers can be multiple pages and arbitrarily sized, I
+ think (1) is the right way to go. I've written the below patch to
+ allocate a page from the buddy allocator directly and copy the data over
+ to it. This ensures that we have a put_page free-able page for every
+ entry that winds up on an skb frag list, so it can be safely freed when
+ the frame is acked. We do a put page on each entry after the
+ rpc_call_sync call so as to drop our own reference count to the page,
+ leaving only the ref count taken by tcp_sendpages. This way the data
+ will be properly freed when the ack comes in
+
+ Successfully tested by myself to solve the above oops.
+
+ Note, as this is the result of a setacl operation that exceeded a page
+ of data, I think this amounts to a local DOS triggerable by an
+ uprivlidged user, so I'm CCing security on this as well.
+
+ Signed-off-by: Neil Horman <nhorman at tuxdriver.com>
+ CC: Trond Myklebust <Trond.Myklebust at netapp.com>
+ CC: security at kernel.org
+ CC: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.26]
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index be4fe7b..b295e70 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -2563,6 +2563,35 @@ static void buf_to_pages(const void *buf, size_t buflen,
+ }
+ }
+
++static int buf_to_pages_noslab(const void *buf, size_t buflen,
++ struct page **pages, unsigned int *pgbase)
++{
++ struct page *newpage, **spages;
++ int rc = 0;
++ size_t len;
++ spages = pages;
++
++ do {
++ len = min(PAGE_CACHE_SIZE, buflen);
++ newpage = alloc_page(GFP_KERNEL);
++
++ if (newpage == NULL)
++ goto unwind;
++ memcpy(page_address(newpage), buf, len);
++ buf += len;
++ buflen -= len;
++ *pages++ = newpage;
++ rc++;
++ } while (buflen != 0);
++
++ return rc;
++
++unwind:
++ for(; rc > 0; rc--)
++ __free_page(spages[rc-1]);
++ return -ENOMEM;
++}
++
+ struct nfs4_cached_acl {
+ int cached;
+ size_t len;
+@@ -2728,13 +2757,23 @@ static int __nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t bufl
+ .rpc_argp = &arg,
+ .rpc_resp = NULL,
+ };
+- int ret;
++ int ret, i;
+
+ if (!nfs4_server_supports_acls(server))
+ return -EOPNOTSUPP;
++ i = buf_to_pages_noslab(buf, buflen, arg.acl_pages, &arg.acl_pgbase);
++ if (i < 0)
++ return i;
+ nfs_inode_return_delegation(inode);
+- buf_to_pages(buf, buflen, arg.acl_pages, &arg.acl_pgbase);
+ ret = rpc_call_sync(NFS_CLIENT(inode), &msg, 0);
++
++ /*
++ * Free each page after tx, so the only ref left is
++ * held by the network stack
++ */
++ for (; i > 0; i--)
++ put_page(pages[i-1]);
++
+ nfs_access_zap_cache(inode);
+ nfs_zap_acl_cache(inode);
+ return ret;
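Review bot: buf_to_pages_noslab() never writes through its `pgbase` argument, although it replaces buf_to_pages(), whose signature it mirrors and which presumably set it; the caller passes `&arg.acl_pgbase` and the fresh pages start at offset 0, so the code only works if `arg.acl_pgbase` is already zero from its initializer (outside the hunk). Making that explicit with `*pgbase = 0;` before the loop removes the silent dependency. With `buflen == 0` the do/while still allocates and counts one page; if an empty ACL buffer can reach this path, a `while` loop or an early check would avoid the needless page. The `pages[i-1]` array used by the put_page loop in __nfs4_proc_set_acl is declared outside the hunk. The `min(PAGE_CACHE_SIZE, buflen)` type mismatch is already fixed by the following compilation-warning patch in this commit.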
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/partitions-ldm-fix-oops-caused-by-corrupted-partition-table.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/partitions-ldm-fix-oops-caused-by-corrupted-partition-table.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/partitions-ldm-fix-oops-caused-by-corrupted-partition-table.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/partitions-ldm-fix-oops-caused-by-corrupted-partition-table.patch)
@@ -0,0 +1,63 @@
+commit c340b1d640001c8c9ecff74f68fd90422ae2448a
+Author: Timo Warns <Warns at pre-sense.de>
+Date: Thu Apr 14 15:21:56 2011 -0700
+
+ fs/partitions/ldm.c: fix oops caused by corrupted partition table
+
+ The kernel automatically evaluates partition tables of storage devices.
+ The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
+ a bug that causes a kernel oops on certain corrupted LDM partitions.
+ A kernel subsystem seems to crash, because, after the oops, the kernel no
+ longer recognizes newly connected storage devices.
+
+ The patch validates the value of vblk_size.
+
+ [akpm at linux-foundation.org: coding-style fixes]
+ Signed-off-by: Timo Warns <warns at pre-sense.de>
+ Cc: Eugene Teo <eugeneteo at kernel.sg>
+ Cc: Harvey Harrison <harvey.harrison at gmail.com>
+ Cc: Richard Russon <rich at flatcap.org>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/fs/partitions/ldm.c linux-source-2.6.26/fs/partitions/ldm.c
+--- linux-source-2.6.26.orig/fs/partitions/ldm.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/fs/partitions/ldm.c 2011-06-05 21:23:22.003023825 -0600
+@@ -1294,6 +1294,11 @@ static bool ldm_frag_add (const u8 *data
+
+ BUG_ON (!data || !frags);
+
++ if (size < 2 * VBLK_SIZE_HEAD) {
++ ldm_error("Value of size is to small.");
++ return false;
++ }
++
+ group = BE32 (data + 0x08);
+ rec = BE16 (data + 0x0C);
+ num = BE16 (data + 0x0E);
+@@ -1301,6 +1306,10 @@ static bool ldm_frag_add (const u8 *data
+ ldm_error ("A VBLK claims to have %d parts.", num);
+ return false;
+ }
++ if (rec >= num) {
++ ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
++ return false;
++ }
+
+ list_for_each (item, frags) {
+ f = list_entry (item, struct frag, list);
+@@ -1329,10 +1338,9 @@ found:
+
+ f->map |= (1 << rec);
+
+- if (num > 0) {
+- data += VBLK_SIZE_HEAD;
+- size -= VBLK_SIZE_HEAD;
+- }
++ data += VBLK_SIZE_HEAD;
++ size -= VBLK_SIZE_HEAD;
++
+ memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
+
+ return true;
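Review bot: The new `rec >= num` check bounds `rec` only by the current fragment's own `num`, while in the `found:` path the write goes into an existing `f->data` whose size was fixed when the first fragment of the group was seen; if a later fragment advertises a larger `num` or `size` than the first, `rec*(size-VBLK_SIZE_HEAD)` can still land past that allocation. Worth confirming that the list-match path (between the second and third hunks, outside what is shown) compares `num` and the fragment size against what is stored in `f`, or adding that comparison there. The new error string "Value of size is to small." has a typo ("too"). The uncommented `2 * VBLK_SIZE_HEAD` minimum deserves a note such as `/* size is reduced by VBLK_SIZE_HEAD below and VBLK_SIZE_HEAD is subtracted again in the memcpy offset; anything smaller underflows */`.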
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-avoid-information-leaks-to-non-privileged-processes.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/proc-avoid-information-leaks-to-non-privileged-processes.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-avoid-information-leaks-to-non-privileged-processes.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/proc-avoid-information-leaks-to-non-privileged-processes.patch)
@@ -0,0 +1,94 @@
+commit f83ce3e6b02d5e48b3a43b001390e2b58820389d
+Author: Jake Edge <jake at lwn.net>
+Date: Mon May 4 12:51:14 2009 -0600
+
+ proc: avoid information leaks to non-privileged processes
+
+ By using the same test as is used for /proc/pid/maps and /proc/pid/smaps,
+ only allow processes that can ptrace() a given process to see information
+ that might be used to bypass address space layout randomization (ASLR).
+ These include eip, esp, wchan, and start_stack in /proc/pid/stat as well
+ as the non-symbolic output from /proc/pid/wchan.
+
+ ASLR can be bypassed by sampling eip as shown by the proof-of-concept
+ code at http://code.google.com/p/fuzzyaslr/ As part of a presentation
+ (http://www.cr0.org/paper/to-jt-linux-alsr-leak.pdf) esp and wchan were
+ also noted as possibly usable information leaks as well. The
+ start_stack address also leaks potentially useful information.
+
+ Cc: Stable Team <stable at kernel.org>
+ Signed-off-by: Jake Edge <jake at lwn.net>
+ Acked-by: Arjan van de Ven <arjan at linux.intel.com>
+ Acked-by: "Eric W. Biederman" <ebiederm at xmission.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/fs/proc/array.c linux-source-2.6.26/fs/proc/array.c
+--- linux-source-2.6.26.orig/fs/proc/array.c 2011-01-24 22:55:23.000000000 -0700
++++ linux-source-2.6.26/fs/proc/array.c 2011-05-29 12:39:14.441111404 -0600
+@@ -80,6 +80,7 @@
+ #include <linux/delayacct.h>
+ #include <linux/seq_file.h>
+ #include <linux/pid_namespace.h>
++#include <linux/ptrace.h>
+
+ #include <asm/pgtable.h>
+ #include <asm/processor.h>
+@@ -342,6 +343,7 @@ static int do_task_stat(struct seq_file
+ char state;
+ pid_t ppid = 0, pgid = -1, sid = -1;
+ int num_threads = 0;
++ int permitted;
+ struct mm_struct *mm;
+ unsigned long long start_time;
+ unsigned long cmin_flt = 0, cmaj_flt = 0;
+@@ -354,11 +356,14 @@ static int do_task_stat(struct seq_file
+
+ state = *get_task_state(task);
+ vsize = eip = esp = 0;
++ permitted = ptrace_may_attach(task);
+ mm = get_task_mm(task);
+ if (mm) {
+ vsize = task_vsize(mm);
+- eip = KSTK_EIP(task);
+- esp = KSTK_ESP(task);
++ if (permitted) {
++ eip = KSTK_EIP(task);
++ esp = KSTK_ESP(task);
++ }
+ }
+
+ get_task_comm(tcomm, task);
+@@ -414,7 +419,7 @@ static int do_task_stat(struct seq_file
+ unlock_task_sighand(task, &flags);
+ }
+
+- if (!whole || num_threads < 2)
++ if (permitted && (!whole || num_threads < 2))
+ wchan = get_wchan(task);
+ if (!whole) {
+ min_flt = task->min_flt;
+@@ -466,7 +471,7 @@ static int do_task_stat(struct seq_file
+ rsslim,
+ mm ? mm->start_code : 0,
+ mm ? mm->end_code : 0,
+- mm ? mm->start_stack : 0,
++ (permitted && mm) ? mm->start_stack : 0,
+ esp,
+ eip,
+ /* The signal information here is obsolete.
+diff -urpN linux-source-2.6.26.orig/fs/proc/base.c linux-source-2.6.26/fs/proc/base.c
+--- linux-source-2.6.26.orig/fs/proc/base.c 2011-01-24 22:55:33.000000000 -0700
++++ linux-source-2.6.26/fs/proc/base.c 2011-05-29 12:38:52.196846232 -0600
+@@ -329,7 +329,10 @@ static int proc_pid_wchan(struct task_st
+ wchan = get_wchan(task);
+
+ if (lookup_symbol_name(wchan, symname) < 0)
+- return sprintf(buffer, "%lu", wchan);
++ if (!ptrace_may_attach(task))
++ return 0;
++ else
++ return sprintf(buffer, "%lu", wchan);
+ else
+ return sprintf(buffer, "%s", symname);
+ }
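Review bot: The nested `if`/`else` in proc_pid_wchan (the second file's hunk) relies on dangling-else binding: the first `else` pairs with `if (!ptrace_may_attach(task))` and the second with the `lookup_symbol_name` test, which reads correctly but is exactly the shape that gets mis-edited later; braces around the inner pair, or an early `if (!ptrace_may_attach(task)) return 0;` on the numeric branch, would make it unambiguous. In do_task_stat, `permitted` is evaluated once up front and reused at four sites, which is the right shape; a short comment at `permitted = ptrace_may_attach(task);` such as `/* gates eip/esp/wchan/start_stack: these reveal the ASLR layout to anyone who cannot already ptrace the task */` would tie it to the patch's intent. Both functions extend beyond the hunks shown.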
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-do-proper-range-check-on-readdir-offset.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/proc-do-proper-range-check-on-readdir-offset.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-do-proper-range-check-on-readdir-offset.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/proc-do-proper-range-check-on-readdir-offset.patch)
@@ -0,0 +1,37 @@
+commit d8bdc59f215e62098bc5b4256fd9928bf27053a1
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Mon Apr 18 10:36:54 2011 -0700
+
+ proc: do proper range check on readdir offset
+
+ Rather than pass in some random truncated offset to the pid-related
+ functions, check that the offset is in range up-front.
+
+ This is just cleanup, the previous commit fixed the real problem.
+
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/fs/proc/base.c linux-source-2.6.26/fs/proc/base.c
+--- linux-source-2.6.26.orig/fs/proc/base.c 2011-05-29 12:38:52.196846232 -0600
++++ linux-source-2.6.26/fs/proc/base.c 2011-06-02 22:27:05.351985412 -0600
+@@ -2706,11 +2706,16 @@ static int proc_pid_fill_cache(struct fi
+ /* for the /proc/ directory itself, after non-process stuff has been done */
+ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
+ {
+- unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
+- struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
++ unsigned int nr;
++ struct task_struct *reaper;
+ struct tgid_iter iter;
+ struct pid_namespace *ns;
+
++ if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET)
++ goto out_no_task;
++ nr = filp->f_pos - FIRST_PROCESS_ENTRY;
++
++ reaper = get_proc_task(filp->f_path.dentry->d_inode);
+ if (!reaper)
+ goto out_no_task;
+
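Review bot: The early `goto out_no_task` now fires before `reaper` is assigned, so the `out_no_task` label (outside the hunk) must not touch `reaper`; previously that label was reached only after `get_proc_task()` had returned NULL, so this is likely fine but worth a glance. The range check compares `filp->f_pos` against `PID_MAX_LIMIT + TGID_OFFSET` while the subtraction two lines later uses `FIRST_PROCESS_ENTRY`; presumably the two constants are related, and a comment such as `/* f_pos past the last possible tgid entry: nothing left to list */` that names the relation would keep a reader from suspecting an off-by-one. `f_pos` is a signed `loff_t`; a negative value passes the `>=` test and wraps into `nr`, so the check assumes llseek already rejects negative offsets for this directory.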
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch)
@@ -0,0 +1,43 @@
+commit 5883f57ca0008ffc93e09cbb9847a1928e50c6f3
+Author: Kees Cook <kees.cook at canonical.com>
+Date: Wed Mar 23 16:42:53 2011 -0700
+
+ proc: protect mm start_code/end_code in /proc/pid/stat
+
+ While mm->start_stack was protected from cross-uid viewing (commit
+ f83ce3e6b02d5 ("proc: avoid information leaks to non-privileged
+ processes")), the start_code and end_code values were not. This would
+ allow the text location of a PIE binary to leak, defeating ASLR.
+
+ Note that the value "1" is used instead of "0" for a protected value since
+ "ps", "killall", and likely other readers of /proc/pid/stat, take
+ start_code of "0" to mean a kernel thread and will misbehave. Thanks to
+ Brad Spengler for pointing this out.
+
+ Addresses CVE-2011-0726
+
+ Signed-off-by: Kees Cook <kees.cook at canonical.com>
+ Cc: <stable at kernel.org>
+ Cc: Alexey Dobriyan <adobriyan at gmail.com>
+ Cc: David Howells <dhowells at redhat.com>
+ Cc: Eugene Teo <eugeneteo at kernel.sg>
+ Cc: Martin Schwidefsky <schwidefsky at de.ibm.com>
+ Cc: Brad Spengler <spender at grsecurity.net>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/proc/array.c b/fs/proc/array.c
+index 7c99c1c..5e4f776 100644
+--- a/fs/proc/array.c
++++ b/fs/proc/array.c
+@@ -489,8 +489,8 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
+ vsize,
+ mm ? get_mm_rss(mm) : 0,
+ rsslim,
+- mm ? mm->start_code : 0,
+- mm ? mm->end_code : 0,
++ mm ? (permitted ? mm->start_code : 1) : 0,
++ mm ? (permitted ? mm->end_code : 1) : 0,
+ (permitted && mm) ? mm->start_stack : 0,
+ esp,
+ eip,
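Review bot: The sentinel `1` in `mm ? (permitted ? mm->start_code : 1) : 0` is explained only in the patch description; an inline comment such as `/* 1 rather than 0: ps/killall read start_code == 0 as "kernel thread" */` keeps it from being "fixed" to 0 later. This hunk also depends on the `permitted` local introduced by the proc-avoid-information-leaks patch earlier in this commit (visible in the context line for `start_stack`), so the series must keep that ordering. The function body continues outside the hunk.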
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/rdma-cma-fix-crash-in-request-handlers.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/rdma-cma-fix-crash-in-request-handlers.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/rdma-cma-fix-crash-in-request-handlers.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/rdma-cma-fix-crash-in-request-handlers.patch)
@@ -0,0 +1,127 @@
+commit a7ba58c8eed0a01e565b7cd41c5bcad0eb671f8f
+Author: Sean Hefty <sean.hefty at intel.com>
+Date: Wed Feb 23 08:11:32 2011 -0800
+
+ RDMA/cma: Fix crash in request handlers
+
+ commit 25ae21a10112875763c18b385624df713a288a05 upstream.
+
+ Doug Ledford and Red Hat reported a crash when running the rdma_cm on
+ a real-time OS. The crash has the following call trace:
+
+ cm_process_work
+ cma_req_handler
+ cma_disable_callback
+ rdma_create_id
+ kzalloc
+ init_completion
+ cma_get_net_info
+ cma_save_net_info
+ cma_any_addr
+ cma_zero_addr
+ rdma_translate_ip
+ rdma_copy_addr
+ cma_acquire_dev
+ rdma_addr_get_sgid
+ ib_find_cached_gid
+ cma_attach_to_dev
+ ucma_event_handler
+ kzalloc
+ ib_copy_ah_attr_to_user
+ cma_comp
+
+ [ preempted ]
+
+ cma_write
+ copy_from_user
+ ucma_destroy_id
+ copy_from_user
+ _ucma_find_context
+ ucma_put_ctx
+ ucma_free_ctx
+ rdma_destroy_id
+ cma_exch
+ cma_cancel_operation
+ rdma_node_get_transport
+
+ rt_mutex_slowunlock
+ bad_area_nosemaphore
+ oops_enter
+
+ They were able to reproduce the crash multiple times with the
+ following details:
+
+ Crash seems to always happen on the:
+ mutex_unlock(&conn_id->handler_mutex);
+ as conn_id looks to have been freed during this code path.
+
+ An examination of the code shows that a race exists in the request
+ handlers. When a new connection request is received, the rdma_cm
+ allocates a new connection identifier. This identifier has a single
+ reference count on it. If a user calls rdma_destroy_id() from another
+ thread after receiving a callback, rdma_destroy_id will proceed to
+ destroy the id and free the associated memory. However, the request
+ handlers may still be in the process of running. When control returns
+ to the request handlers, they can attempt to access the newly created
+ identifiers.
+
+ Fix this by holding a reference on the newly created rdma_cm_id until
+ the request handler is through accessing it.
+
+ Signed-off-by: Sean Hefty <sean.hefty at intel.com>
+ Acked-by: Doug Ledford <dledford at redhat.com>
+ Signed-off-by: Roland Dreier <roland at purestorage.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+ [dannf: backported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/drivers/infiniband/core/cma.c linux-source-2.6.26/drivers/infiniband/core/cma.c
+--- linux-source-2.6.26.orig/drivers/infiniband/core/cma.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/infiniband/core/cma.c 2011-05-15 15:42:39.173354544 -0600
+@@ -1127,6 +1127,11 @@ static int cma_req_handler(struct ib_cm_
+ cm_id->context = conn_id;
+ cm_id->cm_handler = cma_ib_handler;
+
++ /*
++ * Protect against the user destroying conn_id from another thread
++ * until we're done accessing it.
++ */
++ atomic_inc(&conn_id->refcount);
+ ret = conn_id->id.event_handler(&conn_id->id, &event);
+ if (!ret) {
+ /*
+@@ -1139,8 +1144,10 @@ static int cma_req_handler(struct ib_cm_
+ ib_send_cm_mra(cm_id, CMA_CM_MRA_SETTING, NULL, 0);
+ mutex_unlock(&lock);
+ cma_enable_remove(conn_id);
++ cma_deref_id(conn_id);
+ goto out;
+ }
++ cma_deref_id(conn_id);
+
+ /* Destroy the CM ID by returning a non-zero value. */
+ conn_id->cm_id.ib = NULL;
+@@ -1342,15 +1349,23 @@ static int iw_conn_req_handler(struct iw
+ event.param.conn.private_data_len = iw_event->private_data_len;
+ event.param.conn.initiator_depth = attr.max_qp_init_rd_atom;
+ event.param.conn.responder_resources = attr.max_qp_rd_atom;
++
++ /*
++ * Protect against the user destroying conn_id from another thread
++ * until we're done accessing it.
++ */
++ atomic_inc(&conn_id->refcount);
+ ret = conn_id->id.event_handler(&conn_id->id, &event);
+ if (ret) {
+ /* User wants to destroy the CM ID */
+ conn_id->cm_id.iw = NULL;
+ cma_exch(conn_id, CMA_DESTROYING);
+ cma_enable_remove(conn_id);
++ cma_deref_id(conn_id);
+ rdma_destroy_id(&conn_id->id);
++ goto out;
+ }
+-
++ cma_deref_id(conn_id);
+ out:
+ if (dev)
+ dev_put(dev);
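Review bot: In cma_req_handler, `cma_deref_id(conn_id)` on the destroy path is followed by `conn_id->cm_id.ib = NULL`, i.e. conn_id is still written after the extra hold is dropped; this is safe only because the initial reference is still held on that path (the handler returned non-zero, so the user is expected not to destroy the id concurrently), which deserves a comment at that line, e.g. `/* our extra hold is gone, but the id's initial reference is still live here */`. The acquire side is a bare `atomic_inc(&conn_id->refcount)` while the release goes through `cma_deref_id()`; pairing them through a matching small helper would make the ownership symmetric and easier to audit, and the three-line comment duplicated in both handlers could move to that helper. Both handlers' bodies continue outside the hunks.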
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/rose-prevent-heap-corruption-with-bad-facilities.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/rose-prevent-heap-corruption-with-bad-facilities.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/rose-prevent-heap-corruption-with-bad-facilities.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/rose-prevent-heap-corruption-with-bad-facilities.patch)
@@ -0,0 +1,73 @@
+commit be20250c13f88375345ad99950190685eda51eb8
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Sat Mar 19 20:43:43 2011 +0000
+
+ ROSE: prevent heap corruption with bad facilities
+
+ When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for
+ a remote host to provide more digipeaters than expected, resulting in
+ heap corruption. Check against ROSE_MAX_DIGIS to prevent overflows, and
+ abort facilities parsing on failure.
+
+ Additionally, when parsing the FAC_CCITT_DEST_NSAP and
+ FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length
+ of less than 10, resulting in an underflow in a memcpy size, causing a
+ kernel panic due to massive heap corruption. A length of greater than
+ 20 results in a stack overflow of the callsign array. Abort facilities
+ parsing on these invalid length values.
+
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Cc: stable at kernel.org
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/rose/rose_subr.c b/net/rose/rose_subr.c
+index 1734abb..174d51c 100644
+--- a/net/rose/rose_subr.c
++++ b/net/rose/rose_subr.c
+@@ -290,10 +290,15 @@ static int rose_parse_national(unsigned char *p, struct rose_facilities_struct *
+ facilities->source_ndigis = 0;
+ facilities->dest_ndigis = 0;
+ for (pt = p + 2, lg = 0 ; lg < l ; pt += AX25_ADDR_LEN, lg += AX25_ADDR_LEN) {
+- if (pt[6] & AX25_HBIT)
++ if (pt[6] & AX25_HBIT) {
++ if (facilities->dest_ndigis >= ROSE_MAX_DIGIS)
++ return -1;
+ memcpy(&facilities->dest_digis[facilities->dest_ndigis++], pt, AX25_ADDR_LEN);
+- else
++ } else {
++ if (facilities->source_ndigis >= ROSE_MAX_DIGIS)
++ return -1;
+ memcpy(&facilities->source_digis[facilities->source_ndigis++], pt, AX25_ADDR_LEN);
++ }
+ }
+ }
+ p += l + 2;
+@@ -333,6 +338,11 @@ static int rose_parse_ccitt(unsigned char *p, struct rose_facilities_struct *fac
+
+ case 0xC0:
+ l = p[1];
++
++ /* Prevent overflows*/
++ if (l < 10 || l > 20)
++ return -1;
++
+ if (*p == FAC_CCITT_DEST_NSAP) {
+ memcpy(&facilities->source_addr, p + 7, ROSE_ADDR_LEN);
+ memcpy(callsign, p + 12, l - 10);
+@@ -373,12 +383,16 @@ int rose_parse_facilities(unsigned char *p,
+ switch (*p) {
+ case FAC_NATIONAL: /* National */
+ len = rose_parse_national(p + 1, facilities, facilities_len - 1);
++ if (len < 0)
++ return 0;
+ facilities_len -= len + 1;
+ p += len + 1;
+ break;
+
+ case FAC_CCITT: /* CCITT */
+ len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1);
++ if (len < 0)
++ return 0;
+ facilities_len -= len + 1;
+ p += len + 1;
+ break;
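Review bot: The facility length byte `l` is still trusted against the remaining packet length in both parsers: the `rose_parse_national` loop `for (pt = p + 2, lg = 0 ; lg < l ; ...)` walks `l` bytes of digipeater data, and `rose_parse_ccitt` now only confines `l` to 10..20, but neither visible hunk compares `l` with the `facilities_len - 1` that `rose_parse_facilities` passes in, so a short frame can still be read past its end even though the heap and stack writes are now bounded. If that length parameter goes unused inside the two helpers (their bodies start outside the hunks, so I cannot confirm), a guard such as `if (l > len) return -1;` before the digipeater loop and before the NSAP `memcpy` calls would close the over-read. Also note that the new `return 0` paths leave `facilities` partially filled; the callers (outside this patch) presumably treat 0 as reject, which is worth confirming.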
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/security-keys-new-key-flag-for-add_key-from-userspace.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/security-keys-new-key-flag-for-add_key-from-userspace.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/security-keys-new-key-flag-for-add_key-from-userspace.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/security-keys-new-key-flag-for-add_key-from-userspace.patch)
@@ -0,0 +1,46 @@
+From: Jeff Layton <jlayton at redhat.com>
+Date: Thu, 8 Jul 2010 14:00:26 -0400
+Subject: [security] keys: new key flag for add_key from userspace
+Message-id: <1278597627-23193-2-git-send-email-jlayton at redhat.com>
+Patchwork-id: 26762
+O-Subject: [RHEL5.6 PATCH 1/2] BZ#612171: keys: new key flag to indicate an
+ add_key from userspace
+Bugzilla: 612171
+CVE: CVE-2010-2524
+RH-Acked-by: Steve Dickson <SteveD at redhat.com>
+RH-Acked-by: David Howells <dhowells at redhat.com>
+
+For some keys, we don't really want to allow users to stuff the keyring
+with values of their own choosing. Add a new key flag that indicates that
+an instantiation request is for an add_key() call from userspace. The
+instantiation routine for the key can then reject requests based on this
+if it needs to.
+
+Signed-off-by: Jeff Layton <jlayton at redhat.com>
+
+diff --git a/include/linux/key.h b/include/linux/key.h
+index 451063a..51c1bcb 100644
+--- a/include/linux/key.h
++++ b/include/linux/key.h
+@@ -150,6 +150,7 @@ struct key {
+ #define KEY_FLAG_IN_QUOTA 3 /* set if key consumes quota */
+ #define KEY_FLAG_USER_CONSTRUCT 4 /* set if key is being constructed in userspace */
+ #define KEY_FLAG_NEGATIVE 5 /* set if key is negative */
++#define KEY_FLAG_ADDED 6 /* set if key is being added via userspace add_key */
+
+ /* the description string
+ * - this is used to match a key against search criteria
+diff --git a/security/keys/key.c b/security/keys/key.c
+index 98f1f85..52b7b55 100644
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -839,6 +839,9 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
+ goto error_3;
+ }
+
++ /* this is an unsolicited add_key() call from userspace */
++ set_bit(KEY_FLAG_ADDED, &key->flags);
++
+ /* instantiate it and link it into the target keyring */
+ ret = __key_instantiate_and_link(key, payload, plen, keyring, NULL);
+ if (ret < 0) {
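Review bot: On its own this hunk only sets `KEY_FLAG_ADDED` in `key_create_or_update`; nothing in the patch reads the flag, so it mitigates nothing for CVE-2010-2524 until the "PATCH 2/2" consumer that makes the affected key type's instantiate routine reject flagged keys is in the series as well — please confirm that companion is queued right after this one. The flag is set before `__key_instantiate_and_link` on the create path only; if `key_create_or_update` also has an update path for an existing key (outside the hunk), check that it cannot replace an in-kernel-instantiated payload with a user-supplied one without the flag being set. A comment on the new flag definition would help future backports, e.g. `/* only set on the add_key() syscall path; key types may refuse such keys */`.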
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/serial_core-clean-data-before-filling-it.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/serial_core-clean-data-before-filling-it.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/serial_core-clean-data-before-filling-it.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/serial_core-clean-data-before-filling-it.patch)
@@ -0,0 +1,42 @@
+From: Mauro Carvalho Chehab <mchehab at redhat.com>
+Date: Mon, 29 Nov 2010 20:42:27 -0500
+Subject: [serial] serial_core: clean data before filling it
+Message-id: <4CF41033.7040103 at redhat.com>
+Patchwork-id: 29669
+O-Subject: [PATCH RHEL5.6] CVE-2010-4075 (BZ#648701): clean data before filling
+ it
+Bugzilla: 648701
+CVE: CVE-2010-4075
+RH-Acked-by: Jarod Wilson <jarod at redhat.com>
+RH-Acked-by: Prarit Bhargava <prarit at redhat.com>
+
+Backport proposed patch for 2.6.35:
+
+http://www.openwall.com/lists/oss-security/2010/10/06/6
+http://lkml.indiana.edu/hypermail//linux/kernel/1009.1/03388.html
+
+Upstream patch is more complex and breaks kABI.
+
+>From the proposed patch, from Dan Rosenberg:
+
+The TIOCGICOUNT device ioctl allows unprivileged users to read
+uninitialized stack memory, because the "reserved" member of the
+serial_icounter_struct struct declared on the stack is not altered or
+zeroed before being copied back to the user. This patch takes care of
+it.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+Signed-off-by: Jarod Wilson <jarod at redhat.com>
+
+diff --git a/drivers/serial/serial_core.c b/drivers/serial/serial_core.c
+index b80c760..69c6544 100644
+--- a/drivers/serial/serial_core.c
++++ b/drivers/serial/serial_core.c
+@@ -1046,6 +1046,7 @@ static int uart_get_count(struct uart_state *state,
+ struct uart_icount cnow;
+ struct uart_port *port = state->port;
+
++ memset(&icount, 0, sizeof(struct serial_icounter_struct));
+ spin_lock_irq(&port->lock);
+ memcpy(&cnow, &port->icount, sizeof(struct uart_icount));
+ spin_unlock_irq(&port->lock);
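Review bot: The added `memset(&icount, 0, sizeof(struct serial_icounter_struct));` should say why it exists, since the named fields are all assigned a few lines later and a future cleanup could drop it as redundant: `/* zero the whole struct: reserved[] is never written below but is copied to userspace */`. Writing `sizeof(icount)` instead of the type name keeps the size tied to the variable if its declaration changes. The declaration of `icount` and the final `copy_to_user` are outside the hunk, so the copy size cannot be confirmed from here.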
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/tpm-fix-uninitialized-usage-of-data-buffer.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/tpm-fix-uninitialized-usage-of-data-buffer.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/tpm-fix-uninitialized-usage-of-data-buffer.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/tpm-fix-uninitialized-usage-of-data-buffer.patch)
@@ -0,0 +1,28 @@
+commit 1309d7afbed112f0e8e90be9af975550caa0076b
+Author: Peter Huewe <huewe.external.infineon at googlemail.com>
+Date: Tue Mar 29 13:31:25 2011 +0200
+
+ char/tpm: Fix unitialized usage of data buffer
+
+ This patch fixes information leakage to the userspace by initializing
+ the data buffer to zero.
+
+ Reported-by: Peter Huewe <huewe.external at infineon.com>
+ Signed-off-by: Peter Huewe <huewe.external at infineon.com>
+ Signed-off-by: Marcel Selhorst <m.selhorst at sirrix.com>
+ [ Also removed the silly "* sizeof(u8)". If that isn't 1, we have way
+ deeper problems than a simple multiplication can fix. - Linus ]
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: adjusted to apply to Debian's 2.6.26]
+
+--- linux-source-2.6.26.orig/drivers/char/tpm/tpm.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/char/tpm/tpm.c 2011-05-31 23:53:14.451994322 -0600
+@@ -922,7 +922,7 @@ int tpm_open(struct inode *inode, struct
+
+ spin_unlock(&driver_lock);
+
+- chip->data_buffer = kmalloc(TPM_BUFSIZE * sizeof(u8), GFP_KERNEL);
++ chip->data_buffer = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
+ if (chip->data_buffer == NULL) {
+ chip->num_opens--;
+ put_device(chip->dev);
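Review bot: `kzalloc` clears `data_buffer` once at open, but the buffer is then reused for every subsequent command on that file descriptor as far as this hunk shows; whether a later `tpm_read` can hand back bytes left over from an earlier command depends on how `tpm_write`/`tpm_read` derive the copy length, which is outside the hunk, so it is worth verifying that the length reported by the transmit path is what bounds the `copy_to_user`. A one-line comment on the allocation would keep the intent from being lost in a later cleanup, e.g. `/* zeroed: tpm_read copies from this buffer straight to userspace */`. `tpm_open` begins and ends outside the hunk.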
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering.patch)
@@ -0,0 +1,160 @@
+commit d5aa407f59f5b83d2c50ec88f5bf56d40f1f8978
+Author: Alexey Dobriyan <adobriyan at gmail.com>
+Date: Tue Feb 16 09:05:04 2010 +0000
+
+ tunnels: fix netns vs proto registration ordering
+
+ Same stuff as in ip_gre patch: receive hook can be called before netns
+ setup is done, oopsing in net_generic().
+
+ Signed-off-by: Alexey Dobriyan <adobriyan at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ [dannf: backported to Debian's 2.6.26]
+
+diff -urpN linux-source-2.6.26.orig/net/ipv4/ipip.c linux-source-2.6.26/net/ipv4/ipip.c
+--- linux-source-2.6.26.orig/net/ipv4/ipip.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/ipv4/ipip.c 2011-06-09 20:08:37.464943595 -0600
+@@ -842,15 +842,14 @@ static int __init ipip_init(void)
+
+ printk(banner);
+
+- if (xfrm4_tunnel_register(&ipip_handler, AF_INET)) {
++ err = register_pernet_gen_device(&ipip_net_id, &ipip_net_ops);
++ if (err < 0)
++ return err;
++ err = xfrm4_tunnel_register(&ipip_handler, AF_INET);
++ if (err < 0) {
++ unregister_pernet_device(&ipip_net_ops);
+ printk(KERN_INFO "ipip init: can't register tunnel\n");
+- return -EAGAIN;
+ }
+-
+- err = register_pernet_gen_device(&ipip_net_id, &ipip_net_ops);
+- if (err)
+- xfrm4_tunnel_deregister(&ipip_handler, AF_INET);
+-
+ return err;
+ }
+
+diff -urpN linux-source-2.6.26.orig/net/ipv6/ip6_tunnel.c linux-source-2.6.26/net/ipv6/ip6_tunnel.c
+--- linux-source-2.6.26.orig/net/ipv6/ip6_tunnel.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/ipv6/ip6_tunnel.c 2011-06-09 20:13:03.276239292 -0600
+@@ -1489,27 +1489,29 @@ static int __init ip6_tunnel_init(void)
+ {
+ int err;
+
+- if (xfrm6_tunnel_register(&ip4ip6_handler, AF_INET)) {
++ err = register_pernet_device(&ip6_tnl_net_ops);
++ if (err < 0)
++ goto out_pernet;
++
++ err = xfrm6_tunnel_register(&ip4ip6_handler, AF_INET);
++ if (err < 0) {
+ printk(KERN_ERR "ip6_tunnel init: can't register ip4ip6\n");
+- err = -EAGAIN;
+- goto out;
++ goto out_ip4ip6;
+ }
+
+- if (xfrm6_tunnel_register(&ip6ip6_handler, AF_INET6)) {
++ err = xfrm6_tunnel_register(&ip6ip6_handler, AF_INET6);
++ if (err < 0) {
+ printk(KERN_ERR "ip6_tunnel init: can't register ip6ip6\n");
+- err = -EAGAIN;
+- goto unreg_ip4ip6;
++ goto out_ip6ip6;
+ }
+
+- err = register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops);
+- if (err < 0)
+- goto err_pernet;
+ return 0;
+-err_pernet:
+- xfrm6_tunnel_deregister(&ip6ip6_handler, AF_INET6);
+-unreg_ip4ip6:
++
++out_ip6ip6:
+ xfrm6_tunnel_deregister(&ip4ip6_handler, AF_INET);
+-out:
++out_ip4ip6:
++ unregister_pernet_device(&ip6_tnl_net_ops);
++out_pernet:
+ return err;
+ }
+
+diff -urpN linux-source-2.6.26.orig/net/ipv6/sit.c linux-source-2.6.26/net/ipv6/sit.c
+--- linux-source-2.6.26.orig/net/ipv6/sit.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/ipv6/sit.c 2011-06-09 20:09:47.285806826 -0600
+@@ -1082,15 +1082,14 @@ static int __init sit_init(void)
+
+ printk(KERN_INFO "IPv6 over IPv4 tunneling driver\n");
+
+- if (xfrm4_tunnel_register(&sit_handler, AF_INET6) < 0) {
+- printk(KERN_INFO "sit init: Can't add protocol\n");
+- return -EAGAIN;
+- }
+-
+ err = register_pernet_gen_device(&sit_net_id, &sit_net_ops);
+ if (err < 0)
+- xfrm4_tunnel_deregister(&sit_handler, AF_INET6);
+-
++ return err;
++ err = xfrm4_tunnel_register(&sit_handler, AF_INET6);
++ if (err < 0) {
++ unregister_pernet_device(&sit_net_ops);
++ printk(KERN_INFO "sit init: Can't add protocol\n");
++ }
+ return err;
+ }
+
+diff -urpN linux-source-2.6.26.orig/net/ipv6/xfrm6_tunnel.c linux-source-2.6.26/net/ipv6/xfrm6_tunnel.c
+--- linux-source-2.6.26.orig/net/ipv6/xfrm6_tunnel.c 2011-06-09 21:11:53.125828225 -0600
++++ linux-source-2.6.26/net/ipv6/xfrm6_tunnel.c 2011-06-09 21:20:18.328528733 -0600
+@@ -346,36 +346,36 @@ static int __init xfrm6_tunnel_init(void
+ {
+ int rv;
+
+- rv = xfrm_register_type(&xfrm6_tunnel_type, AF_INET6);
++ rv = xfrm6_tunnel_spi_init();
+ if (rv < 0)
+ goto err;
++ rv = xfrm_register_type(&xfrm6_tunnel_type, AF_INET6);
++ if (rv < 0)
++ goto out_type;
+ rv = xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6);
+ if (rv < 0)
+- goto unreg;
++ goto out_xfrm6;
+ rv = xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET);
+ if (rv < 0)
+- goto dereg6;
+- rv = xfrm6_tunnel_spi_init();
+- if (rv < 0)
+- goto dereg46;
++ goto out_xfrm46;
+ return 0;
+
+-dereg46:
+- xfrm6_tunnel_deregister(&xfrm46_tunnel_handler, AF_INET);
+-dereg6:
++out_xfrm46:
+ xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
+-unreg:
++out_xfrm6:
+ xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
++out_type:
++ xfrm6_tunnel_spi_fini();
+ err:
+ return rv;
+ }
+
+ static void __exit xfrm6_tunnel_fini(void)
+ {
+- xfrm6_tunnel_spi_fini();
+ xfrm6_tunnel_deregister(&xfrm46_tunnel_handler, AF_INET);
+ xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
+ xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
++ xfrm6_tunnel_spi_fini();
+ }
+
+ module_init(xfrm6_tunnel_init);
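Review bot: The backport is inconsistent about which pernet API each tunnel uses: `ipip_init` and `sit_init` still call `register_pernet_gen_device(&..._net_id, ...)` but now tear down with `unregister_pernet_device(...)`, while `ip6_tunnel_init` switches to plain `register_pernet_device(&ip6_tnl_net_ops)` even though the removed line was `register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops)`. On 2.6.26 the `_gen_` variants are what assign the id that `net_generic()` lookups use, so if `ip6_tnl_net_ops` still resolves its per-netns state via `ip6_tnl_net_id` (its definition is outside the hunk) that id is never set after this change; likewise the ipip/sit error paths presumably want `unregister_pernet_gen_device(ipip_net_id, &ipip_net_ops)` to release the id, though those are one-shot init failures so that leak is cosmetic. Please confirm the ip6_tunnel switch was intentional (e.g. the ops were converted elsewhere in this series) or restore `err = register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops);`.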
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/validate-size-of-efi-guid-partition-entries.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/validate-size-of-efi-guid-partition-entries.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/validate-size-of-efi-guid-partition-entries.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/validate-size-of-efi-guid-partition-entries.patch)
@@ -0,0 +1,29 @@
+commit fa039d5f6b126fbd65eefa05db2f67e44df8f121
+Author: Timo Warns <Warns at pre-sense.de>
+Date: Fri May 6 13:47:35 2011 +0200
+
+ Validate size of EFI GUID partition entries.
+
+ Otherwise corrupted EFI partition tables can cause total confusion.
+
+ Signed-off-by: Timo Warns <warns at pre-sense.de>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff -urpN linux-source-2.6.32.orig/fs/partitions/efi.c linux-source-2.6.32/fs/partitions/efi.c
+--- linux-source-2.6.32.orig/fs/partitions/efi.c 2011-05-03 09:28:49.000000000 -0600
++++ linux-source-2.6.32/fs/partitions/efi.c 2011-05-17 00:36:47.701635525 -0600
+@@ -349,6 +349,12 @@ is_gpt_valid(struct block_device *bdev,
+ goto fail;
+ }
+
++ /* Check that sizeof_partition_entry has the correct value */
++ if (le32_to_cpu((*gpt)->sizeof_partition_entry) != sizeof(gpt_entry)) {
++ pr_debug("GUID Partitition Entry Size check failed.\n");
++ goto fail;
++ }
++
+ if (!(*ptes = alloc_read_gpt_entries(bdev, *gpt)))
+ goto fail;
+
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/xfrm6_tunnel-join-error-paths-using-goto.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/xfrm6_tunnel-join-error-paths-using-goto.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/xfrm6_tunnel-join-error-paths-using-goto.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/xfrm6_tunnel-join-error-paths-using-goto.patch)
@@ -0,0 +1,54 @@
+commit 5ce1bbb97bf1e6707102d30499e7feaa1e6a2134
+Author: Ilpo Järvinen <ilpo.jarvinen at helsinki.fi>
+Date: Sun Dec 14 23:13:48 2008 -0800
+
+ xfrm6_tunnel: join error paths using goto
+
+ Signed-off-by: Ilpo Järvinen <ilpo.jarvinen at helsinki.fi>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
+index c2b2781..80193db 100644
+--- a/net/ipv6/xfrm6_tunnel.c
++++ b/net/ipv6/xfrm6_tunnel.c
+@@ -345,24 +345,23 @@ static struct xfrm6_tunnel xfrm46_tunnel_handler = {
+ static int __init xfrm6_tunnel_init(void)
+ {
+ if (xfrm_register_type(&xfrm6_tunnel_type, AF_INET6) < 0)
+- return -EAGAIN;
+-
+- if (xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6)) {
+- xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
+- return -EAGAIN;
+- }
+- if (xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET)) {
+- xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
+- xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
+- return -EAGAIN;
+- }
+- if (xfrm6_tunnel_spi_init() < 0) {
+- xfrm6_tunnel_deregister(&xfrm46_tunnel_handler, AF_INET);
+- xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
+- xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
+- return -EAGAIN;
+- }
++ goto err;
++ if (xfrm6_tunnel_register(&xfrm6_tunnel_handler, AF_INET6))
++ goto unreg;
++ if (xfrm6_tunnel_register(&xfrm46_tunnel_handler, AF_INET))
++ goto dereg6;
++ if (xfrm6_tunnel_spi_init() < 0)
++ goto dereg46;
+ return 0;
++
++dereg46:
++ xfrm6_tunnel_deregister(&xfrm46_tunnel_handler, AF_INET);
++dereg6:
++ xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
++unreg:
++ xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
++err:
++ return -EAGAIN;
+ }
+
+ static void __exit xfrm6_tunnel_fini(void)
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch)
@@ -0,0 +1,33 @@
+commit 3a3675b7f23f83ca8c67c9c2b6edf707fd28d1ba
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Mon Feb 14 13:45:28 2011 +0000
+
+ xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
+
+ The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to
+ xfs_fs_geometry() with a version number of 3. This code path does not
+ fill in the logsunit member of the passed xfs_fsop_geom_t, leading to
+ the leaking of four bytes of uninitialized stack data to potentially
+ unprivileged callers.
+
+ v2 switches to memset() to avoid future issues if structure members
+ change, on suggestion of Dave Chinner.
+
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Reviewed-by: Eugene Teo <eugeneteo at kernel.org>
+ Signed-off-by: Alex Elder <aelder at sgi.com>
+
+diff --git a/fs/xfs/xfs_fsops.c b/fs/xfs/xfs_fsops.c
+index cec89dd..85668ef 100644
+--- a/fs/xfs/xfs_fsops.c
++++ b/fs/xfs/xfs_fsops.c
+@@ -53,6 +53,9 @@ xfs_fs_geometry(
+ xfs_fsop_geom_t *geo,
+ int new_version)
+ {
++
++ memset(geo, 0, sizeof(*geo));
++
+ geo->blocksize = mp->m_sb.sb_blocksize;
+ geo->rtextsize = mp->m_sb.sb_rextsize;
+ geo->agblocks = mp->m_sb.sb_agblocks;
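Review bot: This `memset(geo, 0, sizeof(*geo));` is unsafe unless the companion `xfs-zero-proper-structure-size-for-geometry-calls.patch` lands in the same update: `xfs_ioc_fsgeometry_v1` passes a smaller `xfs_fsop_geom_v1_t` cast to `xfs_fsop_geom_t *`, so the full-size memset overruns the caller's stack frame (the stack-protector panic quoted in that patch's description). Please make sure the series file orders the two back to back and that neither is ever cherry-picked alone. The memset should also carry a comment stating both the leak it closes and the size contract it imposes, e.g. `/* callers must pass a full xfs_fsop_geom_t; zero it so members not set for this version never reach userspace */`.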
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch)
@@ -0,0 +1,64 @@
+commit af24ee9ea8d532e16883251a6684dfa1be8eec29
+Author: Alex Elder <aelder at sgi.com>
+Date: Tue Mar 1 17:50:00 2011 +0000
+
+ xfs: zero proper structure size for geometry calls
+
+ Commit 493f3358cb289ccf716c5a14fa5bb52ab75943e5 added this call to
+ xfs_fs_geometry() in order to avoid passing kernel stack data back
+ to user space:
+
+ + memset(geo, 0, sizeof(*geo));
+
+ Unfortunately, one of the callers of that function passes the
+ address of a smaller data type, cast to fit the type that
+ xfs_fs_geometry() requires. As a result, this can happen:
+
+ Kernel panic - not syncing: stack-protector: Kernel stack is corrupted
+ in: f87aca93
+
+ Pid: 262, comm: xfs_fsr Not tainted 2.6.38-rc6-493f3358cb2+ #1
+ Call Trace:
+
+ [<c12991ac>] ? panic+0x50/0x150
+ [<c102ed71>] ? __stack_chk_fail+0x10/0x18
+ [<f87aca93>] ? xfs_ioc_fsgeometry_v1+0x56/0x5d [xfs]
+
+ Fix this by fixing that one caller to pass the right type and then
+ copy out the subset it is interested in.
+
+ Note: This patch is an alternative to one originally proposed by
+ Eric Sandeen.
+
+ Reported-by: Jeffrey Hundstad <jeffrey.hundstad at mnsu.edu>
+ Signed-off-by: Alex Elder <aelder at sgi.com>
+ Reviewed-by: Eric Sandeen <sandeen at redhat.com>
+ Tested-by: Jeffrey Hundstad <jeffrey.hundstad at mnsu.edu>
+
+diff --git a/fs/xfs/linux-2.6/xfs_ioctl.c b/fs/xfs/linux-2.6/xfs_ioctl.c
+index f5e2a19..0ca0e3c 100644
+--- a/fs/xfs/linux-2.6/xfs_ioctl.c
++++ b/fs/xfs/linux-2.6/xfs_ioctl.c
+@@ -695,14 +695,19 @@ xfs_ioc_fsgeometry_v1(
+ xfs_mount_t *mp,
+ void __user *arg)
+ {
+- xfs_fsop_geom_v1_t fsgeo;
++ xfs_fsop_geom_t fsgeo;
+ int error;
+
+- error = xfs_fs_geometry(mp, (xfs_fsop_geom_t *)&fsgeo, 3);
++ error = xfs_fs_geometry(mp, &fsgeo, 3);
+ if (error)
+ return -error;
+
+- if (copy_to_user(arg, &fsgeo, sizeof(fsgeo)))
++ /*
++ * Caller should have passed an argument of type
++ * xfs_fsop_geom_v1_t. This is a proper subset of the
++ * xfs_fsop_geom_t that xfs_fs_geometry() fills in.
++ */
++ if (copy_to_user(arg, &fsgeo, sizeof(xfs_fsop_geom_v1_t)))
+ return -XFS_ERROR(EFAULT);
+ return 0;
+ }
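Review bot: The `copy_to_user(arg, &fsgeo, sizeof(xfs_fsop_geom_v1_t))` relies on `xfs_fsop_geom_v1_t` being a layout prefix of `xfs_fsop_geom_t`, which the new comment asserts but nothing enforces; adding `BUILD_BUG_ON(sizeof(xfs_fsop_geom_v1_t) > sizeof(xfs_fsop_geom_t));` before the copy would turn a future struct reorder into a compile error rather than a silent over-copy. Beyond that the change reads correctly: the full struct is now what `xfs_fs_geometry` zeroes and fills, and only the v1 subset is copied out.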
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch)
@@ -0,0 +1,29 @@
+commit 0f22072ab50cac7983f9660d33974b45184da4f9
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Fri Apr 29 15:48:07 2011 +0100
+
+ ARM: 6891/1: prevent heap corruption in OABI semtimedop
+
+ When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not
+ bound the nsops argument. A sufficiently large value will cause an
+ integer overflow in allocation size, followed by copying too much data
+ into the allocated buffer. Fix this by restricting nsops to SEMOPM.
+ Untested.
+
+ Cc: stable at kernel.org
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Signed-off-by: Russell King <rmk+kernel at arm.linux.org.uk>
+
+diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
+index 4ad8da1..af0aaeb 100644
+--- a/arch/arm/kernel/sys_oabi-compat.c
++++ b/arch/arm/kernel/sys_oabi-compat.c
+@@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int semid,
+ long err;
+ int i;
+
+- if (nsops < 1)
++ if (nsops < 1 || nsops > SEMOPM)
+ return -EINVAL;
+ sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
+ if (!sops)
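Review bot: The new upper bound returns `-EINVAL` for `nsops > SEMOPM`, whereas the native `semtimedop` path in ipc/sem.c (not in this hunk) reports that condition as `-E2BIG` as far as I recall; if OABI callers are expected to see the same errno as EABI ones, a separate `if (nsops > SEMOPM) return -E2BIG;` would keep them aligned. A short comment would also help the next reader: `/* bound nsops so sizeof(*sops) * nsops cannot overflow the allocation below */`. The function signature and the copy from userspace are outside the hunk, and the upstream author marks the change as untested, so exercising the boundary value on an OABI build would be worthwhile.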
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/s390/remove-task_show_regs.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/s390/remove-task_show_regs.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/s390/remove-task_show_regs.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/s390/remove-task_show_regs.patch)
@@ -0,0 +1,94 @@
+commit 261cd298a8c363d7985e3482946edb4bfedacf98
+Author: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Date: Tue Feb 15 09:43:32 2011 +0100
+
+ s390: remove task_show_regs
+
+ task_show_regs used to be a debugging aid in the early bringup days
+ of Linux on s390. /proc/<pid>/status is a world readable file, it
+ is not a good idea to show the registers of a process. The only
+ correct fix is to remove task_show_regs.
+
+ Reported-by: Al Viro <viro at zeniv.linux.org.uk>
+ Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.26]
+
+diff --git a/arch/s390/kernel/traps.c b/arch/s390/kernel/traps.c
+index 4584d81..dc4f574 100644
+--- a/arch/s390/kernel/traps.c
++++ b/arch/s390/kernel/traps.c
+@@ -241,43 +241,6 @@ void show_regs(struct pt_regs *regs)
+ show_last_breaking_event(regs);
+ }
+
+-/* This is called from fs/proc/array.c */
+-void task_show_regs(struct seq_file *m, struct task_struct *task)
+-{
+- struct pt_regs *regs;
+-
+- regs = task_pt_regs(task);
+- seq_printf(m, "task: %p, ksp: %p\n",
+- task, (void *)task->thread.ksp);
+- seq_printf(m, "User PSW : %p %p\n",
+- (void *) regs->psw.mask, (void *)regs->psw.addr);
+-
+- seq_printf(m, "User GPRS: " FOURLONG,
+- regs->gprs[0], regs->gprs[1],
+- regs->gprs[2], regs->gprs[3]);
+- seq_printf(m, " " FOURLONG,
+- regs->gprs[4], regs->gprs[5],
+- regs->gprs[6], regs->gprs[7]);
+- seq_printf(m, " " FOURLONG,
+- regs->gprs[8], regs->gprs[9],
+- regs->gprs[10], regs->gprs[11]);
+- seq_printf(m, " " FOURLONG,
+- regs->gprs[12], regs->gprs[13],
+- regs->gprs[14], regs->gprs[15]);
+- seq_printf(m, "User ACRS: %08x %08x %08x %08x\n",
+- task->thread.acrs[0], task->thread.acrs[1],
+- task->thread.acrs[2], task->thread.acrs[3]);
+- seq_printf(m, " %08x %08x %08x %08x\n",
+- task->thread.acrs[4], task->thread.acrs[5],
+- task->thread.acrs[6], task->thread.acrs[7]);
+- seq_printf(m, " %08x %08x %08x %08x\n",
+- task->thread.acrs[8], task->thread.acrs[9],
+- task->thread.acrs[10], task->thread.acrs[11]);
+- seq_printf(m, " %08x %08x %08x %08x\n",
+- task->thread.acrs[12], task->thread.acrs[13],
+- task->thread.acrs[14], task->thread.acrs[15]);
+-}
+-
+ static DEFINE_SPINLOCK(die_lock);
+
+ void die(const char * str, struct pt_regs * regs, long err)
+diff --git a/fs/proc/array.c b/fs/proc/array.c
+index 0b2a88c..9b94c69 100644
+--- a/fs/proc/array.c
++++ b/fs/proc/array.c
+@@ -325,9 +325,6 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
+ task_sig(m, task);
+ task_cap(m, task);
+ cpuset_task_status_allowed(m, task);
+-#if defined(CONFIG_S390)
+- task_show_regs(m, task);
+-#endif
+ task_context_switch_counts(m, task);
+ return 0;
+ }
+diff --git a/include/asm-s390/processor.h b/include/asm-s390/processor.h
+index a00f79d..048c0a3 100644
+--- a/include/asm-s390/processor.h
++++ b/include/asm-s390/processor.h
+@@ -167,11 +167,6 @@ extern int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags);
+ */
+ extern unsigned long thread_saved_pc(struct task_struct *t);
+
+-/*
+- * Print register of task into buffer. Used in fs/proc/array.c.
+- */
+-extern void task_show_regs(struct seq_file *m, struct task_struct *task);
+-
+ extern void show_code(struct pt_regs *regs);
+
+ unsigned long get_wchan(struct task_struct *p);
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch)
@@ -0,0 +1,45 @@
+commit 92bf9b9866298c3b7c416eb07c9542d01e8b3ae6
+Author: Roland Dreier <roland at purestorage.com>
+Date: Mon Mar 28 14:13:35 2011 -0700
+
+ Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo
+
+ commit 243b422af9ea9af4ead07a8ad54c90d4f9b6081a upstream.
+
+ Commit da48524eb206 ("Prevent rt_sigqueueinfo and rt_tgsigqueueinfo
+ from spoofing the signal code") made the check on si_code too strict.
+ There are several legitimate places where glibc wants to queue a
+ negative si_code different from SI_QUEUE:
+
+ - This was first noticed with glibc's aio implementation, which wants
+ to queue a signal with si_code SI_ASYNCIO; the current kernel
+ causes glibc's tst-aio4 test to fail because rt_sigqueueinfo()
+ fails with EPERM.
+
+ - Further examination of the glibc source shows that getaddrinfo_a()
+ wants to use SI_ASYNCNL (which the kernel does not even define).
+ The timer_create() fallback code wants to queue signals with SI_TIMER.
+
+ As suggested by Oleg Nesterov <oleg at redhat.com>, loosen the check to
+ forbid only the problematic SI_TKILL case.
+
+ Reported-by: Klaus Dittrich <kladit at arcor.de>
+ Acked-by: Julien Tinnes <jln at google.com>
+ Signed-off-by: Roland Dreier <roland at purestorage.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+ [wt: 2.6.27 has no rt_tgsigqueueinfo()]
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 56d815d..b1506fb 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2296,7 +2296,7 @@ SYSCALL_DEFINE3(rt_sigqueueinfo, pid_t, pid, int, sig,
+ /* Not even root can pretend to send signals from the kernel.
+ * Nor can they impersonate a kill()/tgkill(), which adds source info.
+ */
+- if (info.si_code != SI_QUEUE) {
++ if (info.si_code >= 0 || info.si_code == SI_TKILL) {
+ /* We used to allow any < 0 si_code */
+ WARN_ON_ONCE(info.si_code < 0);
+ return -EPERM;
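Review bot: The comment `/* We used to allow any < 0 si_code */` and the `WARN_ON_ONCE(info.si_code < 0)` beneath it are now stale: with the relaxed condition the only negative value that reaches this branch is `SI_TKILL`, so the warning no longer documents a compatibility transition, it simply fires once on the first spoof attempt by any unprivileged caller. Replacing the comment with `/* SI_TKILL is kernel-only: userland trusts si_pid/si_uid on it */` and dropping the `WARN_ON_ONCE` would remove an attacker-reachable warning that protects nothing. This patch must be applied after `prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch`; the enclosing syscall body continues outside the hunk.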
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch)
@@ -0,0 +1,50 @@
+commit 127e70c6c9ae94fc0d3d2b02e89f7e7c0fca40ef
+Author: Julien Tinnes <jln at google.com>
+Date: Fri Mar 18 15:05:21 2011 -0700
+
+ Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code
+
+ commit da48524eb20662618854bb3df2db01fc65f3070c upstream.
+
+ Userland should be able to trust the pid and uid of the sender of a
+ signal if the si_code is SI_TKILL.
+
+ Unfortunately, the kernel has historically allowed sigqueueinfo() to
+ send any si_code at all (as long as it was negative - to distinguish it
+ from kernel-generated signals like SIGILL etc), so it could spoof a
+ SI_TKILL with incorrect siginfo values.
+
+ Happily, it looks like glibc has always set si_code to the appropriate
+ SI_QUEUE, so there are probably no actual user code that ever uses
+ anything but the appropriate SI_QUEUE flag.
+
+ So just tighten the check for si_code (we used to allow any negative
+ value), and add a (one-time) warning in case there are binaries out
+ there that might depend on using other si_code values.
+
+ Signed-off-by: Julien Tinnes <jln at google.com>
+ Acked-by: Oleg Nesterov <oleg at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+ [wt: 2.6.27 does not have do_rt_tgsigqueueinfo()]
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index efcdc95..56d815d 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2294,9 +2294,13 @@ SYSCALL_DEFINE3(rt_sigqueueinfo, pid_t, pid, int, sig,
+ return -EFAULT;
+
+ /* Not even root can pretend to send signals from the kernel.
+- Nor can they impersonate a kill(), which adds source info. */
+- if (info.si_code >= 0)
++ * Nor can they impersonate a kill()/tgkill(), which adds source info.
++ */
++ if (info.si_code != SI_QUEUE) {
++ /* We used to allow any < 0 si_code */
++ WARN_ON_ONCE(info.si_code < 0);
+ return -EPERM;
++ }
+ info.si_signo = sig;
+
+ /* POSIX.1b doesn't mention process groups. */
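Review bot: The patch is filed under bugfix/x86/ (the path in the Copied: header and its two series/26lenny3 entries) although the only file it touches is kernel/signal.c, which is arch-independent; unless the placement is deliberate, bugfix/all/ is the consistent location, and a reader scanning the series for a generic signal-spoofing fix will not look under x86. The bracketed backport note `[wt: 2.6.27 does not have do_rt_tgsigqueueinfo()]` refers to 2.6.27 while this tree is 2.6.26-26lenny3, so a one-line note stating that it applies unchanged to 2.6.26 would make the provenance clear. The strict `if (info.si_code != SI_QUEUE)` check is the version known to break glibc; the follow-up that loosens it to forbid only SI_TKILL is queued immediately after it in series/26lenny3, so that regression is already covered here.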
Modified: dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch Mon Jun 13 16:42:02 2011 (r17653)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch Mon Jun 13 18:40:46 2011 (r17654)
@@ -10042,9 +10042,9 @@
index 797d775..6fd6695 100644
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
-@@ -81,6 +81,8 @@
- #include <linux/seq_file.h>
+@@ -82,6 +82,8 @@
#include <linux/pid_namespace.h>
+ #include <linux/ptrace.h>
+#include <bc/beancounter.h>
+
@@ -10134,9 +10134,9 @@
task_name(m, task);
task_state(m, ns, pid, task);
-@@ -329,6 +360,14 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
- task_show_regs(m, task);
- #endif
+@@ -327,6 +358,14 @@ int proc_pid_status(struct seq_file *m,
+ task_cap(m, task);
+ cpuset_task_status_allowed(m, task);
task_context_switch_counts(m, task);
+#ifdef CONFIG_BEANCOUNTERS
+ ub_dump_task_info(task,
@@ -24981,7 +24981,7 @@
struct rcu_head rcu;
unsigned int level;
struct upid numbers[1];
-@@ -96,6 +99,11 @@ extern void change_pid(struct task_struct *task, enum pid_type,
+@@ -96,6 +99,11 @@ extern void change_pid(struct task_struc
struct pid *pid);
extern void transfer_pid(struct task_struct *old, struct task_struct *new,
enum pid_type);
@@ -24995,7 +24995,7 @@
extern struct pid_namespace init_pid_ns;
@@ -121,8 +129,11 @@ extern struct pid *find_get_pid(int nr);
extern struct pid *find_ge_pid(int nr, struct pid_namespace *);
- int next_pidmap(struct pid_namespace *pid_ns, int last);
+ int next_pidmap(struct pid_namespace *pid_ns, unsigned int last);
-extern struct pid *alloc_pid(struct pid_namespace *ns);
+extern struct pid *alloc_pid(struct pid_namespace *ns, pid_t vpid);
@@ -60287,7 +60287,7 @@
{
int i, offset, max_scan, pid, last = pid_ns->last_pid;
struct pidmap *map;
-@@ -181,6 +183,36 @@ static int alloc_pidmap(struct pid_namespace *pid_ns)
+@@ -181,6 +183,36 @@ static int alloc_pidmap(struct pid_names
return -1;
}
@@ -60321,7 +60321,7 @@
+ return pid;
+}
+
- int next_pidmap(struct pid_namespace *pid_ns, int last)
+ int next_pidmap(struct pid_namespace *pid_ns, unsigned int last)
{
int offset;
@@ -226,25 +258,33 @@ void free_pid(struct pid *pid)
Modified: dists/lenny/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch Mon Jun 13 16:42:02 2011 (r17653)
+++ dists/lenny/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch Mon Jun 13 18:40:46 2011 (r17654)
@@ -6759,10 +6759,10 @@
void put_unused_fd(unsigned int fd)
--- a/fs/proc/array.c 2008-07-14 17:22:50.000000000 -0400
+++ a/fs/proc/array.c 2008-07-17 17:40:35.000000000 -0400
-@@ -80,6 +80,8 @@
- #include <linux/delayacct.h>
+@@ -81,6 +81,8 @@
#include <linux/seq_file.h>
#include <linux/pid_namespace.h>
+ #include <linux/ptrace.h>
+#include <linux/vs_context.h>
+#include <linux/vs_network.h>
@@ -6871,14 +6871,14 @@
int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task)
{
-@@ -325,6 +374,7 @@ int proc_pid_status(struct seq_file *m,
+@@ -325,6 +374,7 @@
task_sig(m, task);
task_cap(m, task);
cpuset_task_status_allowed(m, task);
+ task_vs_id(m, task);
- #if defined(CONFIG_S390)
- task_show_regs(m, task);
- #endif
+ task_context_switch_counts(m, task);
+ return 0;
+ }
@@ -496,6 +546,17 @@ static int do_task_stat(struct seq_file
/* convert nsec -> ticks */
start_time = nsec_to_clock_t(start_time);
@@ -6985,14 +6985,14 @@
return proc_fill_cache(filp, dirent, filldir, name, len,
proc_pid_instantiate, iter.task, NULL);
}
-@@ -2706,7 +2723,7 @@ static int proc_pid_fill_cache(struct fi
- int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
- {
- unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
-- struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
-+ struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
- struct tgid_iter iter;
- struct pid_namespace *ns;
+@@ -2715,7 +2732,7 @@ int proc_pid_readdir(struct file * filp,
+ goto out_no_task;
+ nr = filp->f_pos - FIRST_PROCESS_ENTRY;
+
+- reaper = get_proc_task(filp->f_path.dentry->d_inode);
++ reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
+ if (!reaper)
+ goto out_no_task;
@@ -2726,6 +2743,8 @@ int proc_pid_readdir(struct file * filp,
iter.task;
Copied: dists/lenny/linux-2.6/debian/patches/features/all/vserver/vserver-complete-fix-for-CVE-2010-4243.patch (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/features/all/vserver/vserver-complete-fix-for-CVE-2010-4243.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/features/all/vserver/vserver-complete-fix-for-CVE-2010-4243.patch Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/features/all/vserver/vserver-complete-fix-for-CVE-2010-4243.patch)
@@ -0,0 +1,19 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Subject: [PATCH] vserver: Complete fix for CVE-2010-4243
+
+VServer requires all adjustments to mm_struct::total_vm to be
+accounted to the server as well.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -169,7 +169,7 @@
+ return;
+
+ down_write(&mm->mmap_sem);
+- mm->total_vm += diff;
++ vx_vmpages_add(mm, diff);
+ up_write(&mm->mmap_sem);
+ }
+
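Review bot: The hunk header `@@ -169,7 +169,7 @@` carries no function name and the description does not say which fs/exec.c function's total_vm adjustment is being redirected, so the patch cannot be placed by reading it alone; the enclosing function starts and ends outside the hunk (presumably the argument-size accounting helper added by the CVE-2010-4243 fix, to be confirmed). The replaced line was `mm->total_vm += diff;`, so if `diff` can be negative at this call site, vx_vmpages_add() must accept and account a signed delta exactly as the plain addition did; that assumption is worth stating, e.g. adding to the description `Replaces the total_vm adjustment introduced by the CVE-2010-4243 fix with vx_vmpages_add(), which must handle the same signed diff.` The call still happens under `mmap_sem` as before, which is what the surrounding context lines show.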
Copied: dists/lenny/linux-2.6/debian/patches/series/26lenny3 (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/series/26lenny3)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/26lenny3 Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/series/26lenny3)
@@ -0,0 +1,46 @@
++ bugfix/all/net-clear-heap-allocations-for-privileged-ethtool-actions.patch
++ bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch
++ bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch
++ bugfix/s390/remove-task_show_regs.patch
++ bugfix/all/fs-partitions-Validate-map_count-in-Mac-partition-tables.patch
++ bugfix/all/ldm-corrupted-partition-table-can-cause-kernel-oops.patch
++ bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch
++ bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch
++ bugfix/all/bridge-netfilter-fix-information-leak.patch
++ bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch
++ bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch
++ bugfix/all/dccp-fix-oops-on-Reset-after-close.patch
++ bugfix/all/fix-corrupted-osf-partition-parsing.patch
++ bugfix/all/increase-osf-partition-limit-from-8-to-18.patch
++ bugfix/all/netfilter-arp_tables-fix-infoleak-to-userspace.patch
++ bugfix/all/netfilter-ip_tables-fix-infoleak-to-userspace.patch
++ bugfix/all/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch
++ bugfix/all/econet-4-byte-infoleak-to-the-network.patch
++ bugfix/all/irda-validate-peer-name-and-attribute-lengths.patch
++ bugfix/all/rdma-cma-fix-crash-in-request-handlers.patch
++ bugfix/all/ib-cm-bump-reference-count-on-cm_id-before-invoking-callback.patch
++ bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
++ bugfix/x86/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code-regression.patch
++ bugfix/all/proc-avoid-information-leaks-to-non-privileged-processes.patch
++ bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
++ bugfix/all/security-keys-new-key-flag-for-add_key-from-userspace.patch
++ bugfix/all/fs-cifs-reject-dns-upcall-add_key-req-from-userspace.patch
++ bugfix/all/serial_core-clean-data-before-filling-it.patch
++ bugfix/all/net-ax25-fix-information-leak-to-userland-harder.patch
++ bugfix/all/tpm-fix-uninitialized-usage-of-data-buffer.patch
++ bugfix/all/rose-prevent-heap-corruption-with-bad-facilities.patch
++ bugfix/all/next_pidmap-fix-overflow-condition.patch
++ bugfix/all/proc-do-proper-range-check-on-readdir-offset.patch
++ bugfix/all/can-add-missing-socket-check-in-can+bcm-release.patch
++ bugfix/all/agp-fix-arbitrary-kernel-memory-writes.patch
++ bugfix/all/agp-fix-OOM-and-buffer-overflow.patch
++ bugfix/all/can-add-missing-socket-check-in-can+raw-release.patch
++ bugfix/arm/prevent-heap-corruption-in-OABI-semtimedop.patch
++ bugfix/all/gre-fix-netns-vs-proto-registration-ordering.patch
++ bugfix/all/validate-size-of-efi-guid-partition-entries.patch
++ bugfix/all/partitions-ldm-fix-oops-caused-by-corrupted-partition-table.patch
++ bugfix/all/fix-for-buffer-overflow-in-ldm_frag_add-not-sufficient.patch
++ bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch
++ bugfix/all/xfrm6_tunnel-join-error-paths-using-goto.patch
++ bugfix/all/netns-xfrm-fixup-xfrm6_tunnel-error-propagation.patch
++ bugfix/all/tunnels-fix-netns-vs-proto-registration-ordering.patch
Copied: dists/lenny/linux-2.6/debian/patches/series/26lenny3-extra (from r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/series/26lenny3-extra)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/26lenny3-extra Mon Jun 13 18:40:46 2011 (r17654, copy of r17653, releases/linux-2.6/2.6.26-26lenny3/debian/patches/series/26lenny3-extra)
@@ -0,0 +1 @@
++ features/all/vserver/vserver-complete-fix-for-CVE-2010-4243.patch featureset=vserver