authorTim Yamin <plasmaroo@gentoo.org>2005-05-20 19:37:20 +0000
committerTim Yamin <plasmaroo@gentoo.org>2005-05-20 19:37:20 +0000
commit51aad2456a470aa613b92df47167294ec415c90e (patch)
treebb09890ddb9f7748b6748968e6048bff3fb44b32 /sys-kernel
parentStable on sparc wrt #93215 (diff)
Security fixes - #81195, #81295, #82201.
Package-Manager: portage-2.0.51.22
Diffstat (limited to 'sys-kernel')
-rw-r--r--sys-kernel/gentoo-sources/ChangeLog10
-rw-r--r--sys-kernel/gentoo-sources/Manifest9
-rw-r--r--sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.28-r9 (renamed from sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.28-r8)0
-rw-r--r--sys-kernel/gentoo-sources/files/gentoo-sources-2.4.81195.patch373
-rw-r--r--sys-kernel/gentoo-sources/files/gentoo-sources-2.4.81295.patch270
-rw-r--r--sys-kernel/gentoo-sources/files/gentoo-sources-2.4.82201.patch12
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-2.4.28-r9.ebuild (renamed from sys-kernel/gentoo-sources/gentoo-sources-2.4.28-r8.ebuild)11
7 files changed, 677 insertions, 8 deletions
diff --git a/sys-kernel/gentoo-sources/ChangeLog b/sys-kernel/gentoo-sources/ChangeLog
index 6f8de0b71772..d850fc0fcfa7 100644
--- a/sys-kernel/gentoo-sources/ChangeLog
+++ b/sys-kernel/gentoo-sources/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for sys-kernel/gentoo-sources
# Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/ChangeLog,v 1.144 2005/05/20 19:32:51 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/ChangeLog,v 1.145 2005/05/20 19:37:20 plasmaroo Exp $
+
+*gentoo-sources-2.4.28-r9 (20 May 2005)
+
+ 20 May 2005; <plasmaroo@gentoo.org> -gentoo-sources-2.4.28-r8.ebuild,
+ +gentoo-sources-2.4.28-r9.ebuild, +files/gentoo-sources-2.4.81195.patch,
+ +files/gentoo-sources-2.4.81295.patch,
+ +files/gentoo-sources-2.4.82201.patch:
+ Security fixes - #81195, #81295, #82201.
20 May 2005; <plasmaroo@gentoo.org> -gentoo-sources-2.4.25-r17.ebuild,
-files/gentoo-sources-2.4.AF_UNIX.patch,
diff --git a/sys-kernel/gentoo-sources/Manifest b/sys-kernel/gentoo-sources/Manifest
index 425a9dcc9ebf..7628ebc9fbbf 100644
--- a/sys-kernel/gentoo-sources/Manifest
+++ b/sys-kernel/gentoo-sources/Manifest
@@ -1,15 +1,16 @@
-MD5 08feec4312c86d97a171062b2d0b2723 ChangeLog 39832
+MD5 f518e14acd9c5813a82ea2b96c991ad5 ChangeLog 40146
MD5 386b6b1084b1c4cabfad87fc8b603114 gentoo-sources-2.6.10-r6.ebuild 1607
MD5 cd14a3055fad29bf0256428a774ea70d gentoo-sources-2.6.7-r19.ebuild 1455
MD5 c1ee17378c95e5a55411ba392601942d gentoo-sources-2.6.11-r9.ebuild 1610
MD5 410c3afeb274354a7ce68257edc18012 metadata.xml 283
MD5 2d2150ca2b1b3db3d469a5a2356161fb gentoo-sources-2.6.9-r9.ebuild 1625
MD5 45bb97671264e772e7c5711ffd5e39be gentoo-sources-2.6.10-r7.ebuild 1620
-MD5 3229d029559913e76e4a92d8bacb5941 gentoo-sources-2.4.28-r8.ebuild 1307
MD5 1ec0f7ec45dce6f53d70a7df0fabe7a5 gentoo-sources-2.6.1-r2.ebuild 2235
MD5 16b31595b302b6eba105f3786457192d gentoo-sources-2.6.11-r8.ebuild 1620
+MD5 e935e807cb37104cc7670ccdc49fb975 gentoo-sources-2.4.28-r9.ebuild 1412
MD5 f1eccb6d2c06d2ecaf19e44477012f4d gentoo-sources-2.6.11-r7.ebuild 1624
MD5 0694ed26023de7664f6d3658f04c4bbe files/digest-gentoo-sources-2.6.7-r19 221
+MD5 3f8d2e3d28369e95a59804dbf9a9132b files/gentoo-sources-2.4.81195.patch 11448
MD5 d1ccc2047be533c992f67270a150a210 files/gentoo-sources-2.4.cmdlineLeak.patch 388
MD5 b63da6e1cbd38d159d722aa5debf0e73 files/digest-gentoo-sources-2.6.11-r7 224
MD5 bf7030a67c46e734e2a7ea9265a45191 files/gentoo-sources-2.4.brk-locked.patch 8859
@@ -17,15 +18,17 @@ MD5 3bdf00d5f80fe9dfbfe8220e076cd04c files/gentoo-sources-2.4.CAN-2004-0497.patc
MD5 03fa0238a07d103d2ccb9c8b01f88326 files/digest-gentoo-sources-2.6.10-r6 224
MD5 82a228d6106b8994d8f43ab40647205b files/digest-gentoo-sources-2.6.11-r8 224
MD5 b9a94233e1457787352e5f85e3e3582d files/gentoo-sources-2.4.binfmt_a.out.patch 2009
+MD5 4120a11b06ed6042ad4cb29de19b011c files/gentoo-sources-2.4.81295.patch 8526
MD5 1cd653d48c2ece7fbb55c16134288362 files/digest-gentoo-sources-2.6.9-r9 221
MD5 1efe4024e443e60db5fd9b21b22fabd2 files/gentoo-sources-2.4.77666.patch 1724
MD5 792fa9165e5ae65d46ee206c7f7a4fc9 files/gentoo-sources-2.4.78363.patch 788
MD5 150fc6d514e8cb2b07a3a7b14b8d92ef files/digest-gentoo-sources-2.6.1-r2 138
-MD5 179bd3656f72932f69b0f860d23483cd files/digest-gentoo-sources-2.4.28-r8 226
MD5 ee806dc7db51b79562ec4b9b7b84023a files/digest-gentoo-sources-2.6.10-r7 224
MD5 1d78b90e495e432432e095ee47bbc2fc files/gentoo-sources-2.4.77094.patch 452
MD5 6ed89b8ac0b47a4c25d3a616ef9245cc files/gentoo-sources-2.4.vma.patch 11369
+MD5 6faf43bc1de5775e68cde4e6d2c2a76b files/gentoo-sources-2.4.82201.patch 480
MD5 8c35751caf824a9dacb02e80d6189b2e files/gentoo-sources-2.4.CAN-2004-1137.patch 1764
+MD5 179bd3656f72932f69b0f860d23483cd files/digest-gentoo-sources-2.4.28-r9 226
MD5 757ee1239c3f14645ccea3640d551e11 files/gentoo-sources-2.4.CAN-2004-1056.patch 11249
MD5 0f93b46ae17cbd0fc9b4d1cf5d704296 files/gentoo-sources-2.4.81106.patch 2243
MD5 29e531cdd3f2effce5e31a1f2afb5b5d files/gentoo-sources-2.4.28.brk-locked.patch 8912
diff --git a/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.28-r8 b/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.28-r9
index f231f9c88076..f231f9c88076 100644
--- a/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.28-r8
+++ b/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.28-r9
diff --git a/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.81195.patch b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.81195.patch
new file mode 100644
index 000000000000..05228332304b
--- /dev/null
+++ b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.81195.patch
@@ -0,0 +1,373 @@
+diff -Naru a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
+--- a/include/linux/netfilter_ipv4/ip_conntrack.h 2005-03-29 07:28:22 -08:00
++++ b/include/linux/netfilter_ipv4/ip_conntrack.h 2005-03-29 07:28:22 -08:00
+@@ -249,10 +249,9 @@
+ /* Call me when a conntrack is destroyed. */
+ extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack);
+
+-extern int ip_ct_no_defrag;
+ /* Returns new sk_buff, or NULL */
+ struct sk_buff *
+-ip_ct_gather_frags(struct sk_buff *skb);
++ip_ct_gather_frags(struct sk_buff *skb, u_int32_t user);
+
+ /* Delete all conntracks which match. */
+ extern void
+diff -Naru a/include/net/ip.h b/include/net/ip.h
+--- a/include/net/ip.h 2005-03-29 07:28:22 -08:00
++++ b/include/net/ip.h 2005-03-29 07:28:22 -08:00
+@@ -227,9 +227,19 @@
+ /*
+ * Functions provided by ip_fragment.o
+ */
+-
+-struct sk_buff *ip_defrag(struct sk_buff *skb);
+-extern void ipfrag_flush(void);
++
++enum ip_defrag_users
++{
++ IP_DEFRAG_LOCAL_DELIVER,
++ IP_DEFRAG_CALL_RA_CHAIN,
++ IP_DEFRAG_CONNTRACK_IN,
++ IP_DEFRAG_CONNTRACK_OUT,
++ IP_DEFRAG_NAT_OUT,
++ IP_DEFRAG_VS_OUT,
++ IP_DEFRAG_VS_FWD
++};
++
++struct sk_buff *ip_defrag(struct sk_buff *skb, u32 user);
+ extern int ip_frag_nqueues;
+ extern atomic_t ip_frag_mem;
+
+diff -Naru a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
+--- a/net/ipv4/ip_fragment.c 2005-03-29 07:28:22 -08:00
++++ b/net/ipv4/ip_fragment.c 2005-03-29 07:28:22 -08:00
+@@ -72,6 +72,7 @@
+ struct ipq {
+ struct ipq *next; /* linked list pointers */
+ struct list_head lru_list; /* lru list member */
++ u32 user;
+ u32 saddr;
+ u32 daddr;
+ u16 id;
+@@ -242,13 +243,13 @@
+ /* Memory limiting on fragments. Evictor trashes the oldest
+ * fragment queue until we are back under the threshold.
+ */
+-static void __ip_evictor(int threshold)
++static void ip_evictor(void)
+ {
+ struct ipq *qp;
+ struct list_head *tmp;
+ int work;
+
+- work = atomic_read(&ip_frag_mem) - threshold;
++ work = atomic_read(&ip_frag_mem) - sysctl_ipfrag_low_thresh;
+ if (work <= 0)
+ return;
+
+@@ -273,11 +274,6 @@
+ }
+ }
+
+-static inline void ip_evictor(void)
+-{
+- __ip_evictor(sysctl_ipfrag_low_thresh);
+-}
+-
+ /*
+ * Oops, a fragment queue timed out. Kill it and send an ICMP reply.
+ */
+@@ -324,7 +320,8 @@
+ if(qp->id == qp_in->id &&
+ qp->saddr == qp_in->saddr &&
+ qp->daddr == qp_in->daddr &&
+- qp->protocol == qp_in->protocol) {
++ qp->protocol == qp_in->protocol &&
++ qp->user == qp_in->user) {
+ atomic_inc(&qp->refcnt);
+ write_unlock(&ipfrag_lock);
+ qp_in->last_in |= COMPLETE;
+@@ -351,7 +348,7 @@
+ }
+
+ /* Add an entry to the 'ipq' queue for a newly received IP datagram. */
+-static struct ipq *ip_frag_create(unsigned hash, struct iphdr *iph)
++static struct ipq *ip_frag_create(unsigned hash, struct iphdr *iph, u32 user)
+ {
+ struct ipq *qp;
+
+@@ -363,6 +360,7 @@
+ qp->id = iph->id;
+ qp->saddr = iph->saddr;
+ qp->daddr = iph->daddr;
++ qp->user = user;
+ qp->len = 0;
+ qp->meat = 0;
+ qp->fragments = NULL;
+@@ -385,7 +383,7 @@
+ /* Find the correct entry in the "incomplete datagrams" queue for
+ * this IP datagram, and create new one, if nothing is found.
+ */
+-static inline struct ipq *ip_find(struct iphdr *iph)
++static inline struct ipq *ip_find(struct iphdr *iph, u32 user)
+ {
+ __u16 id = iph->id;
+ __u32 saddr = iph->saddr;
+@@ -399,7 +397,8 @@
+ if(qp->id == id &&
+ qp->saddr == saddr &&
+ qp->daddr == daddr &&
+- qp->protocol == protocol) {
++ qp->protocol == protocol &&
++ qp->user == user) {
+ atomic_inc(&qp->refcnt);
+ read_unlock(&ipfrag_lock);
+ return qp;
+@@ -407,7 +406,7 @@
+ }
+ read_unlock(&ipfrag_lock);
+
+- return ip_frag_create(hash, iph);
++ return ip_frag_create(hash, iph, user);
+ }
+
+ /* Add new segment to existing queue. */
+@@ -641,7 +640,7 @@
+ }
+
+ /* Process an incoming IP datagram fragment. */
+-struct sk_buff *ip_defrag(struct sk_buff *skb)
++struct sk_buff *ip_defrag(struct sk_buff *skb, u32 user)
+ {
+ struct iphdr *iph = skb->nh.iph;
+ struct ipq *qp;
+@@ -656,7 +655,7 @@
+ dev = skb->dev;
+
+ /* Lookup (or create) queue header */
+- if ((qp = ip_find(iph)) != NULL) {
++ if ((qp = ip_find(iph, user)) != NULL) {
+ struct sk_buff *ret = NULL;
+
+ spin_lock(&qp->lock);
+@@ -686,9 +685,4 @@
+ ipfrag_secret_timer.function = ipfrag_secret_rebuild;
+ ipfrag_secret_timer.expires = jiffies + sysctl_ipfrag_secret_interval;
+ add_timer(&ipfrag_secret_timer);
+-}
+-
+-void ipfrag_flush(void)
+-{
+- __ip_evictor(0);
+ }
+diff -Naru a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
+--- a/net/ipv4/ip_input.c 2005-03-29 07:28:22 -08:00
++++ b/net/ipv4/ip_input.c 2005-03-29 07:28:22 -08:00
+@@ -170,7 +170,7 @@
+ && ((sk->bound_dev_if == 0)
+ || (sk->bound_dev_if == skb->dev->ifindex))) {
+ if (skb->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+- skb = ip_defrag(skb);
++ skb = ip_defrag(skb, IP_DEFRAG_CALL_RA_CHAIN);
+ if (skb == NULL) {
+ read_unlock(&ip_ra_lock);
+ return 1;
+@@ -291,7 +291,7 @@
+ */
+
+ if (skb->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+- skb = ip_defrag(skb);
++ skb = ip_defrag(skb, IP_DEFRAG_LOCAL_DELIVER);
+ if (!skb)
+ return 0;
+ }
+diff -Naru a/net/ipv4/ipvs/ip_vs_core.c b/net/ipv4/ipvs/ip_vs_core.c
+--- a/net/ipv4/ipvs/ip_vs_core.c 2005-03-29 07:28:22 -08:00
++++ b/net/ipv4/ipvs/ip_vs_core.c 2005-03-29 07:28:22 -08:00
+@@ -506,7 +506,7 @@
+
+ /* reassemble IP fragments, but will it happen in ICMP packets?? */
+ if (skb->nh.iph->frag_off & __constant_htons(IP_MF|IP_OFFSET)) {
+- skb = ip_defrag(skb);
++ skb = ip_defrag(skb, IP_DEFRAG_VS_OUT);
+ if (!skb)
+ return NF_STOLEN;
+ *skb_p = skb;
+@@ -658,7 +658,7 @@
+
+ /* reassemble IP fragments */
+ if (iph->frag_off & __constant_htons(IP_MF|IP_OFFSET)) {
+- skb = ip_defrag(skb);
++ skb = ip_defrag(skb, IP_DEFRAG_VS_OUT);
+ if (!skb)
+ return NF_STOLEN;
+ iph = skb->nh.iph;
+@@ -1164,7 +1164,7 @@
+ return NF_ACCEPT;
+
+ if (iph->frag_off & __constant_htons(IP_MF|IP_OFFSET)) {
+- skb = ip_defrag(skb);
++ skb = ip_defrag(skb, IP_DEFRAG_VS_FWD);
+ if (!skb)
+ return NF_STOLEN;
+ *skb_p = skb;
+diff -Naru a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
+--- a/net/ipv4/netfilter/ip_conntrack_core.c 2005-03-29 07:28:22 -08:00
++++ b/net/ipv4/netfilter/ip_conntrack_core.c 2005-03-29 07:28:22 -08:00
+@@ -834,7 +834,10 @@
+
+ /* Gather fragments. */
+ if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+- *pskb = ip_ct_gather_frags(*pskb);
++ *pskb = ip_ct_gather_frags(*pskb,
++ hooknum == NF_IP_PRE_ROUTING ?
++ IP_DEFRAG_CONNTRACK_IN :
++ IP_DEFRAG_CONNTRACK_OUT);
+ if (!*pskb)
+ return NF_STOLEN;
+ }
+@@ -1183,29 +1186,22 @@
+ WRITE_UNLOCK(&ip_conntrack_lock);
+ }
+
+-int ip_ct_no_defrag;
+-
+ /* Returns new sk_buff, or NULL */
+ struct sk_buff *
+-ip_ct_gather_frags(struct sk_buff *skb)
++ip_ct_gather_frags(struct sk_buff *skb, u_int32_t user)
+ {
+ struct sock *sk = skb->sk;
+ #ifdef CONFIG_NETFILTER_DEBUG
+ unsigned int olddebug = skb->nf_debug;
+ #endif
+
+- if (unlikely(ip_ct_no_defrag)) {
+- kfree_skb(skb);
+- return NULL;
+- }
+-
+ if (sk) {
+ sock_hold(sk);
+ skb_orphan(skb);
+ }
+
+ local_bh_disable();
+- skb = ip_defrag(skb);
++ skb = ip_defrag(skb, user);
+ local_bh_enable();
+
+ if (!skb) {
+diff -Naru a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
+--- a/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-03-29 07:28:22 -08:00
++++ b/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-03-29 07:28:22 -08:00
+@@ -393,13 +393,6 @@
+ cleanup_inandlocalops:
+ nf_unregister_hook(&ip_conntrack_local_out_ops);
+ cleanup_inops:
+- /* Frag queues may hold fragments with skb->dst == NULL */
+- ip_ct_no_defrag = 1;
+- local_bh_disable();
+- br_write_lock(BR_NETPROTO_LOCK);
+- br_write_unlock(BR_NETPROTO_LOCK);
+- ipfrag_flush();
+- local_bh_enable();
+ nf_unregister_hook(&ip_conntrack_in_ops);
+ cleanup_proc:
+ proc_net_remove("ip_conntrack");
+diff -Naru a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
+--- a/net/ipv4/netfilter/ip_nat_standalone.c 2005-03-29 07:28:22 -08:00
++++ b/net/ipv4/netfilter/ip_nat_standalone.c 2005-03-29 07:28:22 -08:00
+@@ -201,7 +201,7 @@
+ I'm starting to have nightmares about fragments. */
+
+ if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+- *pskb = ip_ct_gather_frags(*pskb);
++ *pskb = ip_ct_gather_frags(*pskb, IP_DEFRAG_NAT_OUT);
+
+ if (!*pskb)
+ return NF_STOLEN;
+diff -Naru a/net/netsyms.c b/net/netsyms.c
+--- a/net/netsyms.c 2005-03-29 07:28:22 -08:00
++++ b/net/netsyms.c 2005-03-29 07:28:22 -08:00
+@@ -287,7 +287,6 @@
+ EXPORT_SYMBOL(inetdev_by_index);
+ EXPORT_SYMBOL(in_dev_finish_destroy);
+ EXPORT_SYMBOL(ip_defrag);
+-EXPORT_SYMBOL(ipfrag_flush);
+
+ /* Route manipulation */
+ EXPORT_SYMBOL(ip_rt_ioctl);
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/26 22:04:53-08:00 kaber@trash.net
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# include/linux/netfilter_ipv4/ip_conntrack.h
+# 2005/01/26 22:04:47-08:00 kaber@trash.net +1 -2
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# include/net/ip.h
+# 2005/01/26 22:04:47-08:00 kaber@trash.net +13 -3
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ip_fragment.c
+# 2005/01/26 22:04:47-08:00 kaber@trash.net +13 -19
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ip_input.c
+# 2005/01/26 22:04:47-08:00 kaber@trash.net +2 -2
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/ipvs/ip_vs_core.c
+# 2005/01/26 22:04:47-08:00 kaber@trash.net +3 -3
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/netfilter/ip_conntrack_core.c
+# 2005/01/26 22:04:47-08:00 kaber@trash.net +6 -10
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/netfilter/ip_conntrack_standalone.c
+# 2005/01/26 22:04:48-08:00 kaber@trash.net +0 -7
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/ipv4/netfilter/ip_nat_standalone.c
+# 2005/01/26 22:04:48-08:00 kaber@trash.net +1 -1
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+# net/netsyms.c
+# 2005/01/26 22:04:48-08:00 kaber@trash.net +0 -1
+# [IPV4]: Keep fragment queues private to each user.
+#
+# Signed-off-by: Patrick McHardy <kaber@trash.net>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
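Review bot: The new `enum ip_defrag_users` in include/net/ip.h and the `u32 user` member added to `struct ipq` carry no comment, although `user` is now part of the reassembly-queue match in both lookup loops of net/ipv4/ip_fragment.c (`qp->user == user`). A comment above the enum such as `/* Identifies the caller of ip_defrag(); part of the queue key, so fragments seen by one caller are never reassembled with another's. Every new call site needs its own value. */` would record that. The parameter is spelled `u32` in ip_defrag() and `u_int32_t` in ip_ct_gather_frags(); one spelling, or the enum type itself, would keep the two prototypes consistent. The conntrack unload path also stops flushing queues that its removed comment said may hold fragments with `skb->dst == NULL`, so it is worth confirming that the queue timeout handler tolerates such entries; that code lies outside the patch.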
diff --git a/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.81295.patch b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.81295.patch
new file mode 100644
index 000000000000..e14e7190e716
--- /dev/null
+++ b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.81295.patch
@@ -0,0 +1,270 @@
+diff -Naru a/arch/mips64/kernel/linux32.c b/arch/mips64/kernel/linux32.c
+--- a/arch/mips64/kernel/linux32.c 2005-04-15 13:46:27 -07:00
++++ b/arch/mips64/kernel/linux32.c 2005-04-15 13:46:27 -07:00
+@@ -1088,11 +1088,9 @@
+ i--;
+ }
+
+- inode = file->f_dentry->d_inode;
+ /* VERIFY_WRITE actually means a read, as we write to user space */
+- retval = locks_verify_area((type == VERIFY_WRITE
+- ? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE),
+- inode, file, file->f_pos, tot_len);
++ retval = rw_verify_area((type == VERIFY_WRITE ? READ : WRITE),
++ file, &file->f_pos, tot_len);
+ if (retval) {
+ if (iov != iovstack)
+ kfree(iov);
+diff -Naru a/arch/parisc/kernel/sys_parisc32.c b/arch/parisc/kernel/sys_parisc32.c
+--- a/arch/parisc/kernel/sys_parisc32.c 2005-04-15 13:46:27 -07:00
++++ b/arch/parisc/kernel/sys_parisc32.c 2005-04-15 13:46:27 -07:00
+@@ -1671,11 +1671,9 @@
+ i--;
+ }
+
+- inode = file->f_dentry->d_inode;
+ /* VERIFY_WRITE actually means a read, as we write to user space */
+- retval = locks_verify_area((type == VERIFY_WRITE
+- ? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE),
+- inode, file, file->f_pos, tot_len);
++ retval = rw_verify_area((type == VERIFY_WRITE ? READ : WRITE),
++ file, &file->f_pos, tot_len);
+ if (retval) {
+ if (iov != iovstack)
+ kfree(iov);
+diff -Naru a/arch/ppc64/kernel/sys_ppc32.c b/arch/ppc64/kernel/sys_ppc32.c
+--- a/arch/ppc64/kernel/sys_ppc32.c 2005-04-15 13:46:27 -07:00
++++ b/arch/ppc64/kernel/sys_ppc32.c 2005-04-15 13:46:27 -07:00
+@@ -183,11 +183,9 @@
+ i--;
+ }
+
+- inode = file->f_dentry->d_inode;
+ /* VERIFY_WRITE actually means a read, as we write to user space */
+- retval = locks_verify_area((type == VERIFY_WRITE
+- ? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE),
+- inode, file, file->f_pos, tot_len);
++ retval = rw_verify_area((type == VERIFY_WRITE ? READ : WRITE),
++ file, &file->f_pos, tot_len);
+ if (retval) {
+ if (iov != iovstack)
+ kfree(iov);
+diff -Naru a/arch/s390x/kernel/linux32.c b/arch/s390x/kernel/linux32.c
+--- a/arch/s390x/kernel/linux32.c 2005-04-15 13:46:27 -07:00
++++ b/arch/s390x/kernel/linux32.c 2005-04-15 13:46:27 -07:00
+@@ -1108,7 +1108,6 @@
+ unsigned long tot_len;
+ struct iovec iovstack[UIO_FASTIOV];
+ struct iovec *iov=iovstack, *ivp;
+- struct inode *inode;
+ long retval, i;
+ io_fn_t fn;
+ iov_fn_t fnv;
+@@ -1145,11 +1144,9 @@
+ i--;
+ }
+
+- inode = file->f_dentry->d_inode;
+ /* VERIFY_WRITE actually means a read, as we write to user space */
+- retval = locks_verify_area((type == VERIFY_WRITE
+- ? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE),
+- inode, file, file->f_pos, tot_len);
++ retval = rw_verify_area((type == VERIFY_WRITE ? READ : WRITE),
++ file, &file->f_pos, tot_len);
+ if (retval)
+ goto out;
+
+diff -Naru a/arch/sparc64/kernel/sys_sparc32.c b/arch/sparc64/kernel/sys_sparc32.c
+--- a/arch/sparc64/kernel/sys_sparc32.c 2005-04-15 13:46:27 -07:00
++++ b/arch/sparc64/kernel/sys_sparc32.c 2005-04-15 13:46:27 -07:00
+@@ -1093,7 +1093,6 @@
+ __kernel_ssize_t32 tot_len;
+ struct iovec iovstack[UIO_FASTIOV];
+ struct iovec *iov=iovstack, *ivp;
+- struct inode *inode;
+ long retval, i;
+ io_fn_t fn;
+ iov_fn_t fnv;
+@@ -1140,11 +1139,9 @@
+ i--;
+ }
+
+- inode = file->f_dentry->d_inode;
+ /* VERIFY_WRITE actually means a read, as we write to user space */
+- retval = locks_verify_area((type == VERIFY_WRITE
+- ? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE),
+- inode, file, file->f_pos, tot_len);
++ retval = rw_verify_area((type == VERIFY_WRITE ? READ : WRITE),
++ file, &file->f_pos, tot_len);
+ if (retval)
+ goto out;
+
+diff -Naru a/fs/file_table.c b/fs/file_table.c
+--- a/fs/file_table.c 2005-04-15 13:46:27 -07:00
++++ b/fs/file_table.c 2005-04-15 13:46:27 -07:00
+@@ -46,6 +46,7 @@
+ f->f_version = ++event;
+ f->f_uid = current->fsuid;
+ f->f_gid = current->fsgid;
++ f->f_maxcount = INT_MAX;
+ list_add(&f->f_list, &anon_list);
+ file_list_unlock();
+ return f;
+@@ -92,6 +92,8 @@
+ filp->f_uid = current->fsuid;
+ filp->f_gid = current->fsgid;
+ filp->f_op = dentry->d_inode->i_fop;
++ filp->f_maxcount = INT_MAX;
++
+ if (filp->f_op->open)
+ return filp->f_op->open(dentry->d_inode, filp);
+ else
+diff -Naru a/fs/read_write.c b/fs/read_write.c
+--- a/fs/read_write.c 2005-04-15 13:46:27 -07:00
++++ b/fs/read_write.c 2005-04-15 13:46:27 -07:00
+@@ -40,6 +40,28 @@
+ return -EISDIR;
+ }
+
++int rw_verify_area(int read_write, struct file *file, loff_t *ppos, size_t count)
++{
++ struct inode *inode;
++ loff_t pos;
++
++ if (unlikely(count > file->f_maxcount))
++ goto Einval;
++
++ pos = *ppos;
++
++ if (unlikely((pos < 0) || (loff_t) (pos + count) < 0))
++ goto Einval;
++
++ inode = file->f_dentry->d_inode;
++ if (inode->i_flock && MANDATORY_LOCK(inode))
++ return locks_mandatory_area(read_write == READ ? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE, inode, file, *ppos, count);
++ return 0;
++
++Einval:
++ return -EINVAL;
++}
++
+ loff_t generic_file_llseek(struct file *file, loff_t offset, int origin)
+ {
+ long long retval;
+@@ -168,8 +190,8 @@
+ file = fget(fd);
+ if (file) {
+ if (file->f_mode & FMODE_READ) {
+- ret = locks_verify_area(FLOCK_VERIFY_READ, file->f_dentry->d_inode,
+- file, file->f_pos, count);
++ ret = rw_verify_area(READ, file, &file->f_pos, count);
++
+ if (!ret) {
+ ssize_t (*read)(struct file *, char *, size_t, loff_t *);
+ ret = -EINVAL;
+@@ -193,9 +215,7 @@
+ file = fget(fd);
+ if (file) {
+ if (file->f_mode & FMODE_WRITE) {
+- struct inode *inode = file->f_dentry->d_inode;
+- ret = locks_verify_area(FLOCK_VERIFY_WRITE, inode, file,
+- file->f_pos, count);
++ ret = rw_verify_area(WRITE, file, &file->f_pos, count);
+ if (!ret) {
+ ssize_t (*write)(struct file *, const char *, size_t, loff_t *);
+ ret = -EINVAL;
+@@ -224,7 +244,6 @@
+ ssize_t ret, i;
+ io_fn_t fn;
+ iov_fn_t fnv;
+- struct inode *inode;
+
+ /*
+ * First get the "struct iovec" from user memory and
+@@ -275,12 +294,11 @@
+ goto out;
+ }
+
+- inode = file->f_dentry->d_inode;
+ /* VERIFY_WRITE actually means a read, as we write to user space */
+- ret = locks_verify_area((type == VERIFY_WRITE
+- ? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE),
+- inode, file, file->f_pos, tot_len);
+- if (ret) goto out;
++ ret = rw_verify_area((type == VERIFY_WRITE ? READ : WRITE),
++ file, &file->f_pos, tot_len);
++ if (ret)
++ goto out;
+
+ fnv = (type == VERIFY_WRITE ? file->f_op->readv : file->f_op->writev);
+ if (fnv) {
+@@ -383,8 +401,8 @@
+ goto bad_file;
+ if (!(file->f_mode & FMODE_READ))
+ goto out;
+- ret = locks_verify_area(FLOCK_VERIFY_READ, file->f_dentry->d_inode,
+- file, pos, count);
++ ret = rw_verify_area(READ, file, &pos, count);
++
+ if (ret)
+ goto out;
+ ret = -EINVAL;
+@@ -414,8 +432,8 @@
+ goto bad_file;
+ if (!(file->f_mode & FMODE_WRITE))
+ goto out;
+- ret = locks_verify_area(FLOCK_VERIFY_WRITE, file->f_dentry->d_inode,
+- file, pos, count);
++ ret = rw_verify_area(WRITE, file, &pos, count);
++
+ if (ret)
+ goto out;
+ ret = -EINVAL;
+diff -Naru a/include/linux/fs.h b/include/linux/fs.h
+--- a/include/linux/fs.h 2005-04-15 13:46:27 -07:00
++++ b/include/linux/fs.h 2005-04-15 13:46:27 -07:00
+@@ -576,6 +576,7 @@
+ unsigned int f_uid, f_gid;
+ int f_error;
+
++ size_t f_maxcount;
+ unsigned long f_version;
+
+ /* needed for tty driver, and maybe others */
+@@ -1056,14 +1057,7 @@
+ return 0;
+ }
+
+-static inline int locks_verify_area(int read_write, struct inode *inode,
+- struct file *filp, loff_t offset,
+- size_t count)
+-{
+- if (inode->i_flock && MANDATORY_LOCK(inode))
+- return locks_mandatory_area(read_write, inode, filp, offset, count);
+- return 0;
+-}
++extern int rw_verify_area(int, struct file *, loff_t *, size_t);
+
+ static inline int locks_verify_truncate(struct inode *inode,
+ struct file *filp,
+diff -Naru a/mm/filemap.c b/mm/filemap.c
+--- a/mm/filemap.c 2005-04-15 13:46:27 -07:00
++++ b/mm/filemap.c 2005-04-15 13:46:27 -07:00
+@@ -1870,7 +1870,7 @@
+ goto fput_in;
+ if (!in_inode->i_mapping->a_ops->readpage)
+ goto fput_in;
+- retval = locks_verify_area(FLOCK_VERIFY_READ, in_inode, in_file, in_file->f_pos, count);
++ retval = rw_verify_area(READ, in_file, &in_file->f_pos, count);
+ if (retval)
+ goto fput_in;
+
+@@ -1887,7 +1887,7 @@
+ if (!out_file->f_op || !out_file->f_op->write)
+ goto fput_out;
+ out_inode = out_file->f_dentry->d_inode;
+- retval = locks_verify_area(FLOCK_VERIFY_WRITE, out_inode, out_file, out_file->f_pos, count);
++ retval = rw_verify_area(WRITE, out_file, &out_file->f_pos, count);
+ if (retval)
+ goto fput_out;
+
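Review bot: rw_verify_area() in fs/read_write.c bounds-checks a local snapshot (`pos = *ppos;`) but then passes `*ppos` to locks_mandatory_area(), so the range that was validated and the range that is lock-checked can differ if the pointed-to offset changes in between; most callers pass `&file->f_pos`, which presumably other users of the same open file can update. Passing the snapshot keeps both checks on one value: `return locks_mandatory_area(read_write == READ ? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE, inode, file, pos, count);`, wrapped to the usual line length. Separately, the mips64, parisc and ppc64 hunks drop the `inode = file->f_dentry->d_inode;` assignment without a matching hunk removing the `struct inode *inode;` declaration, as the s390x and sparc64 hunks do, so those three functions should be checked for a now-unused local. The new function also has no header comment; one line saying that it returns -EINVAL for counts above `f_maxcount` and for negative or wrapping offsets before the mandatory-lock test would help.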
diff --git a/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.82201.patch b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.82201.patch
new file mode 100644
index 000000000000..25f385893926
--- /dev/null
+++ b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.82201.patch
@@ -0,0 +1,12 @@
+diff -urN linux-2.5/drivers/net/ppp_async.c test/drivers/net/ppp_async.c
+--- linux-2.5/drivers/net/ppp_async.c 2005-01-21 16:02:12.000000000 +1100
++++ test/drivers/net/ppp_async.c 2005-02-25 10:38:05.000000000 +1100
+@@ -1000,7 +1000,7 @@
+ data += 4;
+ dlen -= 4;
+ /* data[0] is code, data[1] is length */
+- while (dlen >= 2 && dlen >= data[1]) {
++ while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
+ switch (data[0]) {
+ case LCP_MRU:
+ val = (data[2] << 8) + data[3];
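Review bot: The tightened loop guard only guarantees `data[1] >= 2`, yet the first visible case, `LCP_MRU`, reads `data[2]` and `data[3]` straight away, so an option whose length byte is 2 or 3 is still parsed past its own end and, when `dlen` is equally short, past the bytes the guard accounted for. A per-option length test ahead of the read, for example `if (data[1] < 4) break;` in that case, would close this. The remaining cases of the switch lie outside the hunk and may need the same check. The added `data[1] >= 2` condition would also benefit from a short comment, since a shorter length byte presumably prevents the loop from advancing; the advance itself is not visible here.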
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-2.4.28-r8.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-2.4.28-r9.ebuild
index 66c53171954a..ffaf690d4c59 100644
--- a/sys-kernel/gentoo-sources/gentoo-sources-2.4.28-r8.ebuild
+++ b/sys-kernel/gentoo-sources/gentoo-sources-2.4.28-r9.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.28-r8.ebuild,v 1.2 2005/03/13 22:44:44 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.28-r9.ebuild,v 1.1 2005/05/20 19:37:20 plasmaroo Exp $
ETYPE="sources"
inherit kernel-2
@@ -10,7 +10,7 @@ KEYWORDS="x86 -ppc"
IUSE=''
UNIPATCH_STRICTORDER='Y'
-UNIPATCH_LIST="${DISTDIR}/${PF/r8/r4}.tar.bz2
+UNIPATCH_LIST="${DISTDIR}/${PF/r9/r4}.tar.bz2
${DISTDIR}/ck-sources-${PV}-CAN-2004-0814.patch
${FILESDIR}/${PN}-2.4.cmdlineLeak.patch
${FILESDIR}/${PN}-2.4.binfmt_a.out.patch
@@ -26,8 +26,11 @@ UNIPATCH_LIST="${DISTDIR}/${PF/r8/r4}.tar.bz2
${FILESDIR}/${PN}-2.4.81106.patch
${FILESDIR}/${P}.arpFix.patch
${FILESDIR}/${P}.77181.patch
- ${FILESDIR}/${PN}-2.4.PaX-84167.patch"
+ ${FILESDIR}/${PN}-2.4.PaX-84167.patch
+ ${FILESDIR}/${PN}-2.4.81195.patch
+ ${FILESDIR}/${PN}-2.4.81295.patch
+ ${FILESDIR}/${PN}-2.4.82201.patch"
DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} http://dev.gentoo.org/~plasmaroo/patches/kernel/gentoo-sources/${PF/r8/r4}.tar.bz2
+SRC_URI="${KERNEL_URI} http://dev.gentoo.org/~plasmaroo/patches/kernel/gentoo-sources/${PF/r9/r4}.tar.bz2
http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/ck-sources-${PV}-CAN-2004-0814.patch"