author | Tim Yamin <plasmaroo@gentoo.org> | 2004-12-20 20:20:39 +0000 |
---|---|---|
committer | Tim Yamin <plasmaroo@gentoo.org> | 2004-12-20 20:20:39 +0000 |
commit | 1dd77c2e7d2d4d780d47d9ac374dda3e59911343 (patch) | |
tree | 8bec704a8350fb9326744226dc54a62fb788e6f3 /sys-kernel | |
parent | Stable on sparc wrt #68976 (diff) | |
Security fixes - bugs #73000, #74384, #74392, #74464, #74465.
Diffstat (limited to 'sys-kernel')
8 files changed, 534 insertions, 5 deletions
diff --git a/sys-kernel/ck-sources/ChangeLog b/sys-kernel/ck-sources/ChangeLog index 8b2ffdd428eb..8dd70d4aaa8a 100644 --- a/sys-kernel/ck-sources/ChangeLog +++ b/sys-kernel/ck-sources/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for sys-kernel/ck-sources # Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ChangeLog,v 1.73 2004/12/19 18:50:09 plasmaroo Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ChangeLog,v 1.74 2004/12/20 20:20:39 plasmaroo Exp $ + + 20 Dec 2004; <plasmaroo@gentoo.org> ck-sources-2.6.9-r3.ebuild, + +files/ck-sources-2.6.9.CAN-2004-1016.patch, + +files/ck-sources-2.6.9.CAN-2004-1056.patch, + +files/ck-sources-2.6.9.CAN-2004-1137.patch, + +files/ck-sources-2.6.9.CAN-2004-1151.patch, + +files/ck-sources-2.6.9.shmLocking.patch: + Security fixes - bugs #73000, #74384, #74392, #74464, #74465. 19 Dec 2004; <plasmaroo@gentoo.org> ck-sources-2.6.9-r3.ebuild, +files/ck-sources-2.6.9.AF_UNIX.SELinux.patch: diff --git a/sys-kernel/ck-sources/Manifest b/sys-kernel/ck-sources/Manifest index 06e7ccea466e..b1201186a143 100644 --- a/sys-kernel/ck-sources/Manifest +++ b/sys-kernel/ck-sources/Manifest 
@@ -1,19 +1,24 @@ -MD5 083c2c1e5ff20023498a6c3f91910e37 ChangeLog 14330 -MD5 0da7a0fefa1fb1e58bf944f03d90dda3 ck-sources-2.6.9-r3.ebuild 870 +MD5 069c21f7a261f0a76e6991a971ec34f2 ChangeLog 14693 +MD5 da6a8b2e8485d25070da95f62bcf9282 ck-sources-2.6.9-r3.ebuild 1057 MD5 467750a99a7e23aac6f007d29c5f122b ck-sources-2.4.27-r4.ebuild 1077 MD5 7187b8c28501f454a2412c9e4a7fcf53 metadata.xml 421 MD5 2b3ddb8b8b15f8da35ade38544b57857 files/ck-sources-2.4.27.XDRWrapFix.patch 1499 +MD5 6aa8f7a7c2d55734389b53d3bcf78570 files/ck-sources-2.6.9.CAN-2004-1016.patch 2835 MD5 4d656fa3f3a47df751c0d78b64ed8353 files/ck-sources-2.6.9.AF_UNIX.SELinux.patch 1761 MD5 42b42f2a4f260fad2fef264b82aff2ae files/ck-sources-2.6.9.vma.patch 8952 MD5 b0a1f80aff51d6601e8924329023b241 files/ck-sources.AF_UNIX.patch 515 MD5 d1ccc2047be533c992f67270a150a210 files/ck-sources-2.4.27.cmdlineLeak.patch 388 +MD5 001b0a631c9fc28133013a1f8f78f74c files/ck-sources-2.6.9.CAN-2004-1056.patch 8458 MD5 53fe3d26f6fc45487d69895fc07770cb files/ck-sources-2.6.9.binfmt_elf.patch 2350 MD5 b9a94233e1457787352e5f85e3e3582d files/ck-sources-2.4.27.binfmt_a.out.patch 2009 +MD5 09e9f1cad6f2f28fe81682cbad8e3011 files/ck-sources-2.6.9.CAN-2004-1137.patch 2551 MD5 025c80544aef14ce3a49024d791c5596 files/ck-sources-2.6.9.binfmt_a.out.patch 1763 MD5 7f0579764a55a43256ce069632e0373e files/digest-ck-sources-2.6.9-r3 129 MD5 915e8d7a0618736caa44d96968015467 files/ck-sources-2.4.27.binfmt_elf.patch 2346 +MD5 26b8e3797f4269779dc15d1a11ccfc65 files/ck-sources-2.6.9.shmLocking.patch 1765 MD5 8812f60b8d02b0b3b4c46a3311ddd851 files/ck-sources-2.6.9.smbfs.patch 2662 MD5 d4a740ae56c2049247083af387a22a85 files/ck-sources-2.4.27.CAN-2004-0394.patch 350 MD5 cc2afc76adbf81038af8a5f262ed5174 files/digest-ck-sources-2.4.27-r4 214 MD5 1e1fe7bb98c80db4644f4b7fd7dd5d32 files/ck-sources-2.4.27.smbfs.patch 3434 +MD5 6bcdd0bb63e2db559a5c6465c73a7f89 files/ck-sources-2.6.9.CAN-2004-1151.patch 1143 MD5 530630d25910e6bd9376b63ea099655f 
files/ck-sources-2.6.9.AF_UNIX.patch 469 diff --git a/sys-kernel/ck-sources/ck-sources-2.6.9-r3.ebuild b/sys-kernel/ck-sources/ck-sources-2.6.9-r3.ebuild index 6a2ef6e8f067..c8b93b242c50 100644 --- a/sys-kernel/ck-sources/ck-sources-2.6.9-r3.ebuild +++ b/sys-kernel/ck-sources/ck-sources-2.6.9-r3.ebuild @@ -1,13 +1,18 @@ # Copyright 1999-2004 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ck-sources-2.6.9-r3.ebuild,v 1.8 2004/12/19 18:50:09 plasmaroo Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ck-sources-2.6.9-r3.ebuild,v 1.9 2004/12/20 20:20:39 plasmaroo Exp $ UNIPATCH_LIST="${DISTDIR}/patch-${KV}.bz2 ${FILESDIR}/${P}.binfmt_elf.patch ${FILESDIR}/${P}.binfmt_a.out.patch ${FILESDIR}/${P}.AF_UNIX.patch ${FILESDIR}/${P}.AF_UNIX.SELinux.patch - ${FILESDIR}/${P}.vma.patch" + ${FILESDIR}/${P}.vma.patch + ${FILESDIR}/${P}.CAN-2004-1016.patch + ${FILESDIR}/${P}.CAN-2004-1056.patch + ${FILESDIR}/${P}.CAN-2004-1137.patch + ${FILESDIR}/${P}.CAN-2004-1151.patch + ${FILESDIR}/${P}.shmLocking.patch" K_PREPATCHED="yes" UNIPATCH_STRICTORDER="yes" diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.9.CAN-2004-1016.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.9.CAN-2004-1016.patch new file mode 100644 index 000000000000..aa25ac95ed61 --- /dev/null +++ b/sys-kernel/ck-sources/files/ck-sources-2.6.9.CAN-2004-1016.patch 
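Review bot: The five security patches are appended to `UNIPATCH_LIST` in `ck-sources-2.6.9-r3.ebuild` without a revision bump, so the package version stays the same and a system that already installed this revision sees no version change that would trigger a rebuild with the fixes. If in-place patching is the intended practice for this package, a short comment above `UNIPATCH_LIST` saying so would help; otherwise the fixes belong in a new revision of the ebuild. With `UNIPATCH_STRICTORDER="yes"` the new entries apply after `vma.patch` in the listed order, which matters if any of them touch the same files.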
@@ -0,0 +1,75 @@
+===== include/linux/socket.h 1.12 vs edited =====
+--- 1.12/include/linux/socket.h 2004-09-09 06:40:01 +10:00
++++ edited/include/linux/socket.h 2004-11-27 11:53:40 +11:00
+@@ -90,6 +90,10 @@
+ (struct cmsghdr *)(ctl) : \
+ (struct cmsghdr *)NULL)
+ #define CMSG_FIRSTHDR(msg) __CMSG_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
++#define CMSG_OK(mhdr, cmsg) ((cmsg)->cmsg_len >= sizeof(struct cmsghdr) && \
++ (cmsg)->cmsg_len <= (unsigned long) \
++ ((mhdr)->msg_controllen - \
++ ((char *)(cmsg) - (char *)(mhdr)->msg_control)))
+
+ /*
+ * This mess will go away with glibc
+===== net/core/scm.c 1.10 vs edited =====
+--- 1.10/net/core/scm.c 2004-05-31 05:08:14 +10:00
++++ edited/net/core/scm.c 2004-11-27 11:48:55 +11:00
+@@ -127,9 +127,7 @@
+ for too short ancillary data object at all! Oops.
+ OK, let's add it...
+ */
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen)
++ if (!CMSG_OK(msg, cmsg))
+ goto error;
+
+ if (cmsg->cmsg_level != SOL_SOCKET)
+===== net/ipv4/ip_sockglue.c 1.26 vs edited =====
+--- 1.26/net/ipv4/ip_sockglue.c 2004-07-01 06:10:53 +10:00
++++ edited/net/ipv4/ip_sockglue.c 2004-11-27 11:49:45 +11:00
+@@ -146,11 +146,8 @@
+ struct cmsghdr *cmsg;
+
+ for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg))
+ return -EINVAL;
+- }
+ if (cmsg->cmsg_level != SOL_IP)
+ continue;
+ switch (cmsg->cmsg_type) {
+===== net/ipv6/datagram.c 1.20 vs edited =====
+--- 1.20/net/ipv6/datagram.c 2004-11-10 17:57:03 +11:00
++++ edited/net/ipv6/datagram.c 2004-11-27 11:51:15 +11:00
+@@ -427,9 +427,7 @@
+ int addr_type;
+ struct net_device *dev = NULL;
+
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg)) {
+ err = -EINVAL;
+ goto exit_f;
+ }
+===== net/sctp/socket.c 1.129 vs edited =====
+--- 1.129/net/sctp/socket.c 2004-11-19 08:43:18 +11:00
++++ edited/net/sctp/socket.c 2004-11-27 11:52:11 +11:00
+@@ -4098,12 +4098,8 @@
+ for (cmsg = CMSG_FIRSTHDR(msg);
+ cmsg != NULL;
+ cmsg = CMSG_NXTHDR((struct msghdr*)msg, cmsg)) {
+- /* Check for minimum length. The SCM code has this check. */
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg))
+ return -EINVAL;
+- }
+
+ /* Should we parse this header or ignore? */
+ if (cmsg->cmsg_level != IPPROTO_SCTP)
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.9.CAN-2004-1056.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.9.CAN-2004-1056.patch
new file mode 100644
index 000000000000..cd8d7af324c2
--- /dev/null
+++ b/sys-kernel/ck-sources/files/ck-sources-2.6.9.CAN-2004-1056.patch
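Review bot: `CMSG_OK` in the `include/linux/socket.h` part of this patch evaluates `cmsg` three times and `mhdr` twice, and its bound only means something while `cmsg` points inside the control buffer described by `mhdr`; neither fact is stated next to the macro. The four call sites shown pass plain variables that come from `CMSG_FIRSTHDR`/`CMSG_NXTHDR` (their enclosing functions are outside the hunks), so they look fine, but a pointer past the buffer would make the subtraction negative and the `(unsigned long)` cast would turn that into a very large limit. I would add a comment above the macro such as `/* cmsg must come from CMSG_FIRSTHDR/CMSG_NXTHDR on the same mhdr; arguments are evaluated more than once */`, or make it a `static inline` helper. Any cmsg walker not touched here that still uses the old `offset + cmsg_len` comparison keeps the wrap-around, so the tree is worth grepping for that form.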
@@ -0,0 +1,268 @@
+diff -ur linux-2.6.9/drivers/char/drm/i810_dma.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i810_dma.c
+--- linux-2.6.9/drivers/char/drm/i810_dma.c 2004-10-18 22:53:46.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i810_dma.c 2004-12-19 22:46:33.317446112 +0000
+@@ -1030,10 +1030,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i810_flush_queue(dev);
+ return 0;
+@@ -1055,10 +1052,7 @@
+ if (copy_from_user(&vertex, (drm_i810_vertex_t __user *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
+ vertex.idx, vertex.used, vertex.discard);
+@@ -1090,10 +1084,7 @@
+ if (copy_from_user(&clear, (drm_i810_clear_t __user *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ /* GH: Someone's doing nasty things... */
+ if (!dev->dev_private) {
+@@ -1114,10 +1105,8 @@
+
+ DRM_DEBUG("i810_swap_bufs\n");
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i810_dma_dispatch_swap( dev );
+ return 0;
+@@ -1152,10 +1141,7 @@
+ if (copy_from_user(&d, (drm_i810_dma_t __user *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ d.granted = 0;
+
+@@ -1266,10 +1252,7 @@
+ return -EFAULT;
+
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_mc called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (mc.idx >= dma->buf_count || mc.idx < 0)
+ return -EINVAL;
+@@ -1317,10 +1300,7 @@
+ drm_device_t *dev = priv->dev;
+ drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_fstatus called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+ return I810_READ(0x30008);
+ }
+
+@@ -1331,10 +1311,7 @@
+ drm_device_t *dev = priv->dev;
+ drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_ov0_flip called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ //Tell the overlay to update
+ I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000);
+@@ -1376,10 +1353,7 @@
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_flip_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (!dev_priv->page_flipping)
+ i810_do_init_pageflip( dev );
+diff -ur linux-2.6.9/drivers/char/drm/i830_dma.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_dma.c
+--- linux-2.6.9/drivers/char/drm/i830_dma.c 2004-10-18 22:53:12.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_dma.c 2004-12-19 22:46:33.319445808 +0000
+@@ -1319,10 +1319,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i830_flush_queue(dev);
+ return 0;
+@@ -1343,10 +1340,7 @@
+ if (copy_from_user(&vertex, (drm_i830_vertex_t __user *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n",
+ vertex.idx, vertex.used, vertex.discard);
+@@ -1373,10 +1367,7 @@
+ if (copy_from_user(&clear, (drm_i830_clear_t __user *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ /* GH: Someone's doing nasty things... */
+ if (!dev->dev_private) {
+@@ -1398,10 +1389,7 @@
+
+ DRM_DEBUG("i830_swap_bufs\n");
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i830_dma_dispatch_swap( dev );
+ return 0;
+@@ -1442,10 +1430,7 @@
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_flip_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (!dev_priv->page_flipping)
+ i830_do_init_pageflip( dev );
+@@ -1484,10 +1469,7 @@
+ if (copy_from_user(&d, (drm_i830_dma_t __user *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ d.granted = 0;
+
+diff -ur linux-2.6.9/drivers/char/drm/i830_irq.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_irq.c
+--- linux-2.6.9/drivers/char/drm/i830_irq.c 2004-10-18 22:54:54.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_irq.c 2004-12-19 22:46:33.320445656 +0000
+@@ -129,10 +129,7 @@
+ drm_i830_irq_emit_t emit;
+ int result;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_irq_emit called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if ( !dev_priv ) {
+ DRM_ERROR( "%s called with no initialization\n", __FUNCTION__ );
+diff -ur linux-2.6.9/drivers/char/drm/i915_dma.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_dma.c
+--- linux-2.6.9/drivers/char/drm/i915_dma.c 2004-10-18 22:53:51.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_dma.c 2004-12-19 22:46:33.321445504 +0000
+@@ -545,10 +545,7 @@
+ {
+ DRM_DEVICE;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_flush_ioctl called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ return i915_quiescent(dev);
+ }
+@@ -574,10 +571,7 @@
+ DRM_DEBUG("i915 batchbuffer, start %x used %d cliprects %d\n",
+ batch.start, batch.used, batch.num_cliprects);
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_batchbuffer called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (batch.num_cliprects && DRM_VERIFYAREA_READ(batch.cliprects,
+ batch.num_cliprects *
+@@ -606,10 +600,7 @@
+ DRM_DEBUG("i915 cmdbuffer, buf %p sz %d cliprects %d\n",
+ cmdbuf.buf, cmdbuf.sz, cmdbuf.num_cliprects);
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_cmdbuffer called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (cmdbuf.num_cliprects &&
+ DRM_VERIFYAREA_READ(cmdbuf.cliprects,
+@@ -645,10 +636,7 @@
+ DRM_DEVICE;
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_flip_buf called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ return i915_dispatch_flip(dev);
+ }
+diff -ur linux-2.6.9/drivers/char/drm/i915_irq.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_irq.c
+--- linux-2.6.9/drivers/char/drm/i915_irq.c 2004-10-18 22:53:51.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_irq.c 2004-12-19 22:46:33.321445504 +0000
+@@ -92,10 +92,7 @@
+ drm_i915_irq_emit_t emit;
+ int result;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_irq_emit called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (!dev_priv) {
+ DRM_ERROR("%s called with no initialization\n", __FUNCTION__);
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.9.CAN-2004-1137.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.9.CAN-2004-1137.patch
new file mode 100644
index 000000000000..0a54680f6f4b
--- /dev/null
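Review bot: `LOCK_TEST_WITH_RETURN( dev, filp )` hides a `return` inside a macro whose definition is not part of this patch, so these hunks alone do not show what each handler returns or logs when the check fails. The removed `DRM_ERROR` lines named the handler (for example `"i810_dma_mc called without lock held\n"`); unless the macro reports the calling function, that per-ioctl detail is lost to anyone triaging rejected calls from the kernel log. A comment at the first use in each file, e.g. `/* returns early unless the hardware lock is held by this filp */`, would make the exit visible once the wording has been checked against the macro. The `i810_swap_bufs` hunk (`@@ -1114,10 +1105,8 @@`) also adds a stray blank line before the macro call. Every handler body starts and ends outside its hunk, so handlers that never carried the old check cannot be judged from this page.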
+++ b/sys-kernel/ck-sources/files/ck-sources-2.6.9.CAN-2004-1137.patch
@@ -0,0 +1,77 @@
+# ChangeSet
+# 2004/12/14 11:06:25-08:00 chrisw@osdl.org
+# [IPV4/IPV6]: IGMP source filter fixes
+#
+# When adding or deleting from the source list make sure to find matches
+# by comparing against the new source address, not the group address.
+# Also, check each addr in the list rather than just the first one.
+# And, finally, only delete from list when there's a match rather than
+# vice-versa. Drop the effort to keep list sorted, since it's not done
+# on full-state api and can create an sl_addr entry that the delta api
+# won't be able to delete. Without these fixes sl_count can be corrupted
+# which can allow for kernel memory corruption.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+diff -Nru a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+--- a/net/ipv4/igmp.c 2004-12-20 11:32:15 -08:00
++++ b/net/ipv4/igmp.c 2004-12-20 11:32:15 -08:00
+@@ -1778,12 +1778,12 @@
+ goto done;
+ rv = !0;
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
++ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
+ sizeof(__u32));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+- if (!rv) /* source not found */
++ if (rv) /* source not found */
+ goto done;
+
+ /* update the interface filter */
+@@ -1825,9 +1825,9 @@
+ }
+ rv = 1; /* > 0 for insert logic below if sl_count is 0 */
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
++ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
+ sizeof(__u32));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+ if (rv == 0) /* address already there is an error */
+diff -Nru a/net/ipv6/mcast.c b/net/ipv6/mcast.c
+--- a/net/ipv6/mcast.c 2004-12-20 11:32:15 -08:00
++++ b/net/ipv6/mcast.c 2004-12-20 11:32:15 -08:00
+@@ -391,12 +391,12 @@
+ goto done;
+ rv = !0;
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, group,
++ rv = memcmp(&psl->sl_addr[i], source,
+ sizeof(struct in6_addr));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+- if (!rv) /* source not found */
++ if (rv) /* source not found */
+ goto done;
+
+ /* update the interface filter */
+@@ -437,8 +437,8 @@
+ }
+ rv = 1; /* > 0 for insert logic below if sl_count is 0 */
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, group, sizeof(struct in6_addr));
+- if (rv >= 0)
++ rv = memcmp(&psl->sl_addr[i], source, sizeof(struct in6_addr));
++ if (rv == 0)
+ break;
+ }
+ if (rv == 0) /* address already there is an error */
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.9.CAN-2004-1151.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.9.CAN-2004-1151.patch
new file mode 100644
index 000000000000..fc4289e4f444
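Review bot: The comment `/* > 0 for insert logic below if sl_count is 0 */`, kept as context in the add paths (`@@ -1825,9 +1825,9 @@` in igmp.c and `@@ -437,8 +437,8 @@` in mcast.c), no longer matches the loop, which now only tests `rv == 0` and, per the changeset text, stops keeping the list sorted. When nothing matches, `i` equals `sl_count` after the loop, so the insert code below the hunk presumably appends; that code and its bound on `sl_count` are outside the hunk and should be re-read against this change, since the changeset names `sl_count` corruption as the impact. I would reword the comment to `/* non-zero: source not in the list yet */`. In the IPv4 hunks `sizeof(__u32)` could be `sizeof(psl->sl_addr[i])` so the compare width follows the element type.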
--- /dev/null
+++ b/sys-kernel/ck-sources/files/ck-sources-2.6.9.CAN-2004-1151.patch
@@ -0,0 +1,35 @@
+--- 1.74/arch/x86_64/ia32/sys_ia32.c 2004-12-19 10:58:02 -08:00
++++ 1.75/arch/x86_64/ia32/sys_ia32.c 2004-12-19 10:58:02 -08:00
+@@ -525,11 +525,12 @@
+ int sys32_ni_syscall(int call)
+ {
+ struct task_struct *me = current;
+- static char lastcomm[8];
+- if (strcmp(lastcomm, me->comm)) {
+- printk(KERN_INFO "IA32 syscall %d from %s not implemented\n", call,
+- current->comm);
+- strcpy(lastcomm, me->comm);
++ static char lastcomm[sizeof(me->comm)];
++
++ if (strncmp(lastcomm, me->comm, sizeof(lastcomm))) {
++ printk(KERN_INFO "IA32 syscall %d from %s not implemented\n",
++ call, me->comm);
++ strncpy(lastcomm, me->comm, sizeof(lastcomm));
+ }
+ return -ENOSYS;
+ }
+@@ -1125,11 +1126,11 @@
+ long sys32_vm86_warning(void)
+ {
+ struct task_struct *me = current;
+- static char lastcomm[8];
+- if (strcmp(lastcomm, me->comm)) {
++ static char lastcomm[sizeof(me->comm)];
++ if (strncmp(lastcomm, me->comm, sizeof(lastcomm))) {
+ printk(KERN_INFO "%s: vm86 mode not supported on 64 bit kernel\n",
+ me->comm);
+- strcpy(lastcomm, me->comm);
++ strncpy(lastcomm, me->comm, sizeof(lastcomm));
+ }
+ return -ENOSYS;
+ }
diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.9.shmLocking.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.9.shmLocking.patch
new file mode 100644
index 000000000000..dba7c9ca796f
--- /dev/null
+++ b/sys-kernel/ck-sources/files/ck-sources-2.6.9.shmLocking.patch
@@ -0,0 +1,56 @@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/13 08:30:17-08:00 hugh@veritas.com
+# [PATCH] shmctl SHM_LOCK perms
+#
+# Michael Kerrisk has observed that at present any process can SHM_LOCK any
+# shm segment of size within process RLIMIT_MEMLOCK, despite having no
+# permissions on the segment: surprising, though not obviously evil. And any
+# process can SHM_UNLOCK any shm segment, despite no permissions on it: that
+# is surely wrong.
+#
+# Unless CAP_IPC_LOCK, restrict both SHM_LOCK and SHM_UNLOCK to when the
+# process euid matches the shm owner or creator: that seems the least
+# surprising behaviour, which could be relaxed if a need appears later.
+#
+# Signed-off-by: Hugh Dickins <hugh@veritas.com>
+# Signed-off-by: Andrew Morton <akpm@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# ipc/shm.c
+# 2004/12/13 02:47:27-08:00 hugh@veritas.com +10 -5
+# shmctl SHM_LOCK perms
+#
+diff -Nru a/ipc/shm.c b/ipc/shm.c
+--- a/ipc/shm.c 2004-12-20 10:32:59 -08:00
++++ b/ipc/shm.c 2004-12-20 10:32:59 -08:00
+@@ -511,11 +511,6 @@
+ case SHM_LOCK:
+ case SHM_UNLOCK:
+ {
+- /* Allow superuser to lock segment in memory */
+- if (!can_do_mlock() && cmd == SHM_LOCK) {
+- err = -EPERM;
+- goto out;
+- }
+ shp = shm_lock(shmid);
+ if(shp==NULL) {
+ err = -EINVAL;
+@@ -524,6 +519,16 @@
+ err = shm_checkid(shp,shmid);
+ if(err)
+ goto out_unlock;
++
++ if (!capable(CAP_IPC_LOCK)) {
++ err = -EPERM;
++ if (current->euid != shp->shm_perm.uid &&
++ current->euid != shp->shm_perm.cuid)
++ goto out_unlock;
++ if (cmd == SHM_LOCK &&
++ !current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur)
++ goto out_unlock;
++ }
+
+ err = security_shm_shmctl(shp, cmd);
+ if (err) |
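Review bot: `strncpy(lastcomm, me->comm, sizeof(lastcomm))` in both `sys32_ni_syscall` and `sys32_vm86_warning` does not NUL-terminate when the source fills the buffer, so `lastcomm` is only safe because its one reader is the bounded `strncmp` above it. That invariant deserves a comment on the declaration, e.g. `/* may lack a trailing NUL: compare with strncmp(..., sizeof(lastcomm)) only, never print */`. `lastcomm` is also a function-level `static` with no locking visible in the hunks; with every access now bounded, concurrent callers should at worst see a torn name and an extra or missing log line, which is worth stating in the same comment. Because `me->comm` is chosen by the calling process and the last-name comparison is not a rate limit, consider guarding the `printk` with `printk_ratelimit()`.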
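Review bot: The block added in the `@@ -524,6 +519,16 @@` hunk of ipc/shm.c sets `err = -EPERM` up front and relies on the following `err = security_shm_shmctl(shp, cmd)` to overwrite it on the success path, and it has no comment now that `/* Allow superuser to lock segment in memory */` is removed. I would add `/* Without CAP_IPC_LOCK: caller's euid must be the segment owner or creator, and SHM_LOCK also needs a non-zero RLIMIT_MEMLOCK */` above `if (!capable(CAP_IPC_LOCK))`. `capable()` is evaluated before the euid comparison, so it runs for every unprivileged caller, including owners who would pass anyway; if the capability check has audit side effects on this kernel, testing ownership first and calling `capable()` last would avoid that noise. The rest of the `SHM_LOCK`/`SHM_UNLOCK` case lies outside the hunk.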