diff options
author | Tim Yamin <plasmaroo@gentoo.org> | 2004-12-24 18:46:22 +0000 |
---|---|---|
committer | Tim Yamin <plasmaroo@gentoo.org> | 2004-12-24 18:46:22 +0000 |
commit | 54fc9b8d3ac3b9a5e8458f7c8fc778c1b94eef55 (patch) | |
tree | 06e7383a03b1cdd19e93a2949c056e263ef4c6dc | |
parent | Security bump; bugs #72452, #74384, #74392, #74464. (diff) | |
download | historical-54fc9b8d3ac3b9a5e8458f7c8fc778c1b94eef55.tar.gz historical-54fc9b8d3ac3b9a5e8458f7c8fc778c1b94eef55.tar.bz2 historical-54fc9b8d3ac3b9a5e8458f7c8fc778c1b94eef55.zip |
Security bump; bugs #72452, #74384, #74392, #74464.
-rw-r--r-- | sys-kernel/usermode-sources/ChangeLog | 12 | ||||
-rw-r--r-- | sys-kernel/usermode-sources/Manifest | 10 | ||||
-rw-r--r-- | sys-kernel/usermode-sources/files/digest-usermode-sources-2.4.26-r11 (renamed from sys-kernel/usermode-sources/files/digest-usermode-sources-2.4.26-r10) | 0 | ||||
-rw-r--r-- | sys-kernel/usermode-sources/files/usermode-sources-2.4.CAN-2004-1016.patch | 75 | ||||
-rw-r--r-- | sys-kernel/usermode-sources/files/usermode-sources-2.4.CAN-2004-1056.patch | 321 | ||||
-rw-r--r-- | sys-kernel/usermode-sources/files/usermode-sources-2.4.CAN-2004-1137.patch | 59 | ||||
-rw-r--r-- | sys-kernel/usermode-sources/files/usermode-sources-2.4.vma.patch | 246 | ||||
-rw-r--r-- | sys-kernel/usermode-sources/usermode-sources-2.4.26-r11.ebuild (renamed from sys-kernel/usermode-sources/usermode-sources-2.4.26-r10.ebuild) | 8 |
8 files changed, 725 insertions, 6 deletions
diff --git a/sys-kernel/usermode-sources/ChangeLog b/sys-kernel/usermode-sources/ChangeLog index c6db2aabc934..ee08fb7672e9 100644 --- a/sys-kernel/usermode-sources/ChangeLog +++ b/sys-kernel/usermode-sources/ChangeLog @@ -1,6 +1,16 @@ # ChangeLog for sys-kernel/usermode-sources # Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-kernel/usermode-sources/ChangeLog,v 1.56 2004/12/20 21:44:42 plasmaroo Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/usermode-sources/ChangeLog,v 1.57 2004/12/24 18:46:22 plasmaroo Exp $ + +*usermode-sources-2.4.26-r11 (24 Dec 2004) + + 24 Dec 2004; <plasmaroo@gentoo.org> -usermode-sources-2.4.26-r10.ebuild, + +usermode-sources-2.4.26-r11.ebuild, + +files/usermode-sources-2.4.CAN-2004-1016.patch, + +files/usermode-sources-2.4.CAN-2004-1056.patch, + +files/usermode-sources-2.4.CAN-2004-1137.patch, + +files/usermode-sources-2.4.vma.patch: + Security bump; bugs #72452, #74384, #74392, #74464. *usermode-sources-2.6.8.1-r7 (20 Dec 2004) diff --git a/sys-kernel/usermode-sources/Manifest b/sys-kernel/usermode-sources/Manifest index e034cd846037..349c36bb325b 100644 --- a/sys-kernel/usermode-sources/Manifest +++ b/sys-kernel/usermode-sources/Manifest @@ -1,16 +1,18 @@ -MD5 976fecdada0b9790cbbf116074bd04f4 ChangeLog 15535 -MD5 19e3506068443dc2783e651d4bfb4b47 usermode-sources-2.4.26-r10.ebuild 1879 +MD5 17e387ded51ecf1bd4e76e9b9f147dfd ChangeLog 15942 MD5 a76f13cb946fc2720c04b189616da2de metadata.xml 159 +MD5 efdd4db86592ff7a900438926ea51542 usermode-sources-2.4.26-r11.ebuild 2041 MD5 cba95577dd7bcd6b4831714db9e30291 usermode-sources-2.6.8.1-r7.ebuild 1317 MD5 d1ccc2047be533c992f67270a150a210 files/usermode-sources-2.4.cmdlineLeak.patch 388 MD5 4d656fa3f3a47df751c0d78b64ed8353 files/usermode-sources-2.6.AF_UNIX.SELinux.patch 1761 MD5 dc18e982f8149588a291956481885a8c files/usermode-sources-2.4.CAN-2004-0495.patch 17549 MD5 6bcdd0bb63e2db559a5c6465c73a7f89 files/usermode-sources-2.6.CAN-2004-1151.patch 1143 +MD5 6aa8f7a7c2d55734389b53d3bcf78570 files/usermode-sources-2.4.CAN-2004-1016.patch 2835 MD5 09e9f1cad6f2f28fe81682cbad8e3011 files/usermode-sources-2.6.CAN-2004-1137.patch 2551 MD5 b0a1f80aff51d6601e8924329023b241 files/usermode-sources.AF_UNIX.patch 515 MD5 530630d25910e6bd9376b63ea099655f files/usermode-sources-2.6.AF_UNIX.patch 469 MD5 b9a94233e1457787352e5f85e3e3582d files/usermode-sources-2.4.binfmt_a.out.patch 2009 -MD5 054d55975dd07c5a434e0ccfcf26f682 files/digest-usermode-sources-2.4.26-r10 297 +MD5 8c35751caf824a9dacb02e80d6189b2e files/usermode-sources-2.4.CAN-2004-1137.patch 1764 +MD5 054d55975dd07c5a434e0ccfcf26f682 files/digest-usermode-sources-2.4.26-r11 297 MD5 d4a740ae56c2049247083af387a22a85 files/usermode-sources-2.4.26.CAN-2004-0394.patch 350 MD5 915e8d7a0618736caa44d96968015467 files/usermode-sources-2.4.binfmt_elf.patch 2346 MD5 1e1fe7bb98c80db4644f4b7fd7dd5d32 files/usermode-sources-2.4.smbfs.patch 3434 @@ -19,12 +21,14 @@ MD5 a9991d6324d7404ed99e79be6e44e9de files/usermode-sources-2.6.binfmt_elf.patch MD5 60d25ff310fc6abfdce39ec9e47345af files/usermode-sources-2.4.CAN-2004-0685.patch 2809 MD5 c942eca63f26d0e933a366491340e95b files/usermode-sources-2.6.CAN-2004-1056.patch 6187 MD5 0f66013f643c79c97fda489618a4e2fd files/usermode-sources-2.4.CAN-2004-0535.patch 476 +MD5 757ee1239c3f14645ccea3640d551e11 files/usermode-sources-2.4.CAN-2004-1056.patch 11249 MD5 6aa8f7a7c2d55734389b53d3bcf78570 files/usermode-sources-2.6.CAN-2004-1016.patch 2835 MD5 8165de5e2ab6e0d3263ea35ce856fd1b files/usermode-sources-2.6.smbfs.patch 3309 MD5 c2510fe1891f5a9effb12c2196922206 files/usermode-sources-2.6.cmdlineLeak.patch 281 MD5 95708646470a95668e8789cd415844ed files/usermode-sources.CAN-2004-0497.patch 846 MD5 452e04a312368605e145428c35bd0e05 files/usermode-sources-2.6.devPtmx.patch 572 MD5 2b3ddb8b8b15f8da35ade38544b57857 files/usermode-sources-2.4.XDRWrapFix.patch 1499 +MD5 c27699e9d62f7d46213bd51f87636163 files/usermode-sources-2.4.vma.patch 8143 MD5 c9da1bc82b906f6abc648c056e7bf662 files/usermode-sources-2.4.FPULockup-53804.patch 354 MD5 7b6f30de95fee7eef67ec1866a06005a files/digest-usermode-sources-2.6.8.1-r7 214 MD5 22192366443458dc8815827df35b63a7 files/usermode-sources-2.6.vma.patch 8034 diff --git a/sys-kernel/usermode-sources/files/digest-usermode-sources-2.4.26-r10 b/sys-kernel/usermode-sources/files/digest-usermode-sources-2.4.26-r11 index 9e29fc732ec2..9e29fc732ec2 100644 --- a/sys-kernel/usermode-sources/files/digest-usermode-sources-2.4.26-r10 +++ b/sys-kernel/usermode-sources/files/digest-usermode-sources-2.4.26-r11 diff --git a/sys-kernel/usermode-sources/files/usermode-sources-2.4.CAN-2004-1016.patch b/sys-kernel/usermode-sources/files/usermode-sources-2.4.CAN-2004-1016.patch new file mode 100644 index 000000000000..aa25ac95ed61 --- /dev/null +++ b/sys-kernel/usermode-sources/files/usermode-sources-2.4.CAN-2004-1016.patch @@ -0,0 +1,75 @@ +===== include/linux/socket.h 1.12 vs edited ===== +--- 1.12/include/linux/socket.h 2004-09-09 06:40:01 +10:00 ++++ edited/include/linux/socket.h 2004-11-27 11:53:40 +11:00 +@@ -90,6 +90,10 @@ + (struct cmsghdr *)(ctl) : \ + (struct cmsghdr *)NULL) + #define CMSG_FIRSTHDR(msg) __CMSG_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen) ++#define CMSG_OK(mhdr, cmsg) ((cmsg)->cmsg_len >= sizeof(struct cmsghdr) && \ ++ (cmsg)->cmsg_len <= (unsigned long) \ ++ ((mhdr)->msg_controllen - \ ++ ((char *)(cmsg) - (char *)(mhdr)->msg_control))) + + /* + * This mess will go away with glibc +===== net/core/scm.c 1.10 vs edited ===== +--- 1.10/net/core/scm.c 2004-05-31 05:08:14 +10:00 ++++ edited/net/core/scm.c 2004-11-27 11:48:55 +11:00 +@@ -127,9 +127,7 @@ + for too short ancillary data object at all! Oops. + OK, let's add it... + */ +- if (cmsg->cmsg_len < sizeof(struct cmsghdr) || +- (unsigned long)(((char*)cmsg - (char*)msg->msg_control) +- + cmsg->cmsg_len) > msg->msg_controllen) ++ if (!CMSG_OK(msg, cmsg)) + goto error; + + if (cmsg->cmsg_level != SOL_SOCKET) +===== net/ipv4/ip_sockglue.c 1.26 vs edited ===== +--- 1.26/net/ipv4/ip_sockglue.c 2004-07-01 06:10:53 +10:00 ++++ edited/net/ipv4/ip_sockglue.c 2004-11-27 11:49:45 +11:00 +@@ -146,11 +146,8 @@ + struct cmsghdr *cmsg; + + for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) { +- if (cmsg->cmsg_len < sizeof(struct cmsghdr) || +- (unsigned long)(((char*)cmsg - (char*)msg->msg_control) +- + cmsg->cmsg_len) > msg->msg_controllen) { ++ if (!CMSG_OK(msg, cmsg)) + return -EINVAL; +- } + if (cmsg->cmsg_level != SOL_IP) + continue; + switch (cmsg->cmsg_type) { +===== net/ipv6/datagram.c 1.20 vs edited ===== +--- 1.20/net/ipv6/datagram.c 2004-11-10 17:57:03 +11:00 ++++ edited/net/ipv6/datagram.c 2004-11-27 11:51:15 +11:00 +@@ -427,9 +427,7 @@ + int addr_type; + struct net_device *dev = NULL; + +- if (cmsg->cmsg_len < sizeof(struct cmsghdr) || +- (unsigned long)(((char*)cmsg - (char*)msg->msg_control) +- + cmsg->cmsg_len) > msg->msg_controllen) { ++ if (!CMSG_OK(msg, cmsg)) { + err = -EINVAL; + goto exit_f; + } +===== net/sctp/socket.c 1.129 vs edited ===== +--- 1.129/net/sctp/socket.c 2004-11-19 08:43:18 +11:00 ++++ edited/net/sctp/socket.c 2004-11-27 11:52:11 +11:00 +@@ -4098,12 +4098,8 @@ + for (cmsg = CMSG_FIRSTHDR(msg); + cmsg != NULL; + cmsg = CMSG_NXTHDR((struct msghdr*)msg, cmsg)) { +- /* Check for minimum length. The SCM code has this check. */ +- if (cmsg->cmsg_len < sizeof(struct cmsghdr) || +- (unsigned long)(((char*)cmsg - (char*)msg->msg_control) +- + cmsg->cmsg_len) > msg->msg_controllen) { ++ if (!CMSG_OK(msg, cmsg)) + return -EINVAL; +- } + + /* Should we parse this header or ignore? */ + if (cmsg->cmsg_level != IPPROTO_SCTP) diff --git a/sys-kernel/usermode-sources/files/usermode-sources-2.4.CAN-2004-1056.patch b/sys-kernel/usermode-sources/files/usermode-sources-2.4.CAN-2004-1056.patch new file mode 100644 index 000000000000..53b777acaac5 --- /dev/null +++ b/sys-kernel/usermode-sources/files/usermode-sources-2.4.CAN-2004-1056.patch @@ -0,0 +1,321 @@ +diff -ur linux-2.4.28/drivers/char/drm/i810.h linux-2.4.28.plasmaroo/drivers/char/drm/i810.h +--- linux-2.4.28/drivers/char/drm/i810.h 2003-11-28 18:26:20.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm/i810.h 2004-12-23 16:26:31.000000000 +0000 +@@ -114,4 +114,14 @@ + #define DRIVER_AGP_BUFFERS_MAP( dev ) \ + ((drm_i810_private_t *)((dev)->dev_private))->buffer_map + ++#define LOCK_TEST_WITH_RETURN( dev ) \ ++do { \ ++ if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) || \ ++ dev->lock.pid != current->pid ) { \ ++ DRM_ERROR( "%s called without lock held\n", \ ++ __FUNCTION__ ); \ ++ return -EINVAL; \ ++ } \ ++} while (0) ++ + #endif +diff -ur linux-2.4.28/drivers/char/drm/i810_dma.c linux-2.4.28.plasmaroo/drivers/char/drm/i810_dma.c +--- linux-2.4.28/drivers/char/drm/i810_dma.c 2004-02-18 13:36:31.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm/i810_dma.c 2004-12-23 16:27:16.000000000 +0000 +@@ -948,10 +948,7 @@ + drm_file_t *priv = filp->private_data; + drm_device_t *dev = priv->dev; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_flush_ioctl called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i810_flush_queue(dev); + return 0; +@@ -973,10 +970,7 @@ + if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma_vertex called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL; + +@@ -1004,10 +998,7 @@ + if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_clear_bufs called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + /* GH: Someone's doing nasty things... */ + if (!dev->dev_private) { +@@ -1026,10 +1017,7 @@ + drm_file_t *priv = filp->private_data; + drm_device_t *dev = priv->dev; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_swap_buf called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i810_dma_dispatch_swap( dev ); + return 0; +@@ -1064,10 +1052,7 @@ + if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + d.granted = 0; + +@@ -1174,11 +1159,7 @@ + if (copy_from_user(&mc, (drm_i810_mc_t *)arg, sizeof(mc))) + return -EFAULT; + +- +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma_mc called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i810_dma_dispatch_mc(dev, dma->buflist[mc.idx], mc.used, + mc.last_render ); +@@ -1223,10 +1204,7 @@ + drm_device_t *dev = priv->dev; + drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_fstatus called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + return I810_READ(0x30008); + } + +@@ -1237,10 +1215,7 @@ + drm_device_t *dev = priv->dev; + drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_ov0_flip called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + //Tell the overlay to update + I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000); +diff -ur linux-2.4.28/drivers/char/drm/i830.h linux-2.4.28.plasmaroo/drivers/char/drm/i830.h +--- linux-2.4.28/drivers/char/drm/i830.h 2003-11-28 18:26:20.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm/i830.h 2004-12-23 16:31:33.000000000 +0000 +@@ -154,4 +154,14 @@ + #define DRIVER_AGP_BUFFERS_MAP( dev ) \ + ((drm_i830_private_t *)((dev)->dev_private))->buffer_map + ++#define LOCK_TEST_WITH_RETURN( dev ) \ ++do { \ ++ if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) || \ ++ dev->lock.pid != current->pid ) { \ ++ DRM_ERROR( "%s called without lock held\n", \ ++ __FUNCTION__ ); \ ++ return -EINVAL; \ ++ } \ ++} while (0) ++ + #endif +diff -ur linux-2.4.28/drivers/char/drm/i830_dma.c linux-2.4.28.plasmaroo/drivers/char/drm/i830_dma.c +--- linux-2.4.28/drivers/char/drm/i830_dma.c 2004-02-18 13:36:31.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm/i830_dma.c 2004-12-23 16:32:08.000000000 +0000 +@@ -1330,10 +1330,7 @@ + drm_file_t *priv = filp->private_data; + drm_device_t *dev = priv->dev; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_flush_ioctl called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i830_flush_queue(dev); + return 0; +@@ -1354,10 +1351,7 @@ + if (copy_from_user(&vertex, (drm_i830_vertex_t *)arg, sizeof(vertex))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_dma_vertex called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n", + vertex.idx, vertex.used, vertex.discard); +@@ -1384,10 +1378,7 @@ + if (copy_from_user(&clear, (drm_i830_clear_t *)arg, sizeof(clear))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_clear_bufs called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + /* GH: Someone's doing nasty things... */ + if (!dev->dev_private) { +@@ -1409,10 +1400,7 @@ + + DRM_DEBUG("i830_swap_bufs\n"); + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_swap_buf called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i830_dma_dispatch_swap( dev ); + return 0; +@@ -1453,10 +1441,7 @@ + + DRM_DEBUG("%s\n", __FUNCTION__); + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_flip_buf called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + if (!dev_priv->page_flipping) + i830_do_init_pageflip( dev ); +@@ -1495,10 +1480,7 @@ + if (copy_from_user(&d, (drm_i830_dma_t *)arg, sizeof(d))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_dma called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + d.granted = 0; + +diff -ur linux-2.4.28/drivers/char/drm/i830_irq.c linux-2.4.28.plasmaroo/drivers/char/drm/i830_irq.c +--- linux-2.4.28/drivers/char/drm/i830_irq.c 2003-11-28 18:26:20.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm/i830_irq.c 2004-12-23 16:39:47.000000000 +0000 +@@ -130,10 +130,7 @@ + drm_i830_irq_emit_t emit; + int result; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_irq_emit called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + if ( !dev_priv ) { + DRM_ERROR( "%s called with no initialization\n", __FUNCTION__ ); +diff -ur linux-2.4.28/drivers/char/drm-4.0/drmP.h linux-2.4.28.plasmaroo/drivers/char/drm-4.0/drmP.h +--- linux-2.4.28/drivers/char/drm-4.0/drmP.h 2004-02-18 13:36:31.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm-4.0/drmP.h 2004-12-23 16:21:30.000000000 +0000 +@@ -294,6 +294,16 @@ + #define DRM_BUFCOUNT(x) ((x)->count - DRM_LEFTCOUNT(x)) + #define DRM_WAITCOUNT(dev,idx) DRM_BUFCOUNT(&dev->queuelist[idx]->waitlist) + ++#define LOCK_TEST_WITH_RETURN( dev ) \ ++do { \ ++ if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) || \ ++ dev->lock.pid != current->pid ) { \ ++ DRM_ERROR( "%s called without lock held\n", \ ++ __FUNCTION__ ); \ ++ return -EINVAL; \ ++ } \ ++} while (0) ++ + typedef int drm_ioctl_t(struct inode *inode, struct file *filp, + unsigned int cmd, unsigned long arg); + +diff -ur linux-2.4.28/drivers/char/drm-4.0/i810_dma.c linux-2.4.28.plasmaroo/drivers/char/drm-4.0/i810_dma.c +--- linux-2.4.28/drivers/char/drm-4.0/i810_dma.c 2004-02-18 13:36:31.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm-4.0/i810_dma.c 2004-12-23 16:21:30.000000000 +0000 +@@ -1249,10 +1249,7 @@ + drm_device_t *dev = priv->dev; + + DRM_DEBUG("i810_flush_ioctl\n"); +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_flush_ioctl called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i810_flush_queue(dev); + return 0; +@@ -1274,10 +1271,7 @@ + if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma_vertex called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n", + vertex.idx, vertex.used, vertex.discard); +@@ -1308,10 +1302,7 @@ + if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_clear_bufs called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i810_dma_dispatch_clear( dev, clear.flags, + clear.clear_color, +@@ -1327,10 +1318,7 @@ + + DRM_DEBUG("i810_swap_bufs\n"); + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_swap_buf called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i810_dma_dispatch_swap( dev ); + return 0; +@@ -1366,10 +1354,7 @@ + if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + d.granted = 0; + +@@ -1399,10 +1384,7 @@ + drm_i810_buf_priv_t *buf_priv; + drm_device_dma_t *dma = dev->dma; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d))) + return -EFAULT; diff --git a/sys-kernel/usermode-sources/files/usermode-sources-2.4.CAN-2004-1137.patch b/sys-kernel/usermode-sources/files/usermode-sources-2.4.CAN-2004-1137.patch new file mode 100644 index 000000000000..161806ce79d7 --- /dev/null +++ b/sys-kernel/usermode-sources/files/usermode-sources-2.4.CAN-2004-1137.patch @@ -0,0 +1,59 @@ +--- linux-2.4.28-orig/net/ipv4/igmp.c 2004-08-08 01:26:06.000000000 +0200 ++++ linux-2.4.28/net/ipv4/igmp.c 2004-12-15 22:12:48.000000000 +0100 +@@ -1757,12 +1757,12 @@ + goto done; + rv = !0; + for (i=0; i<psl->sl_count; i++) { +- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr, ++ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr, + sizeof(__u32)); +- if (rv >= 0) ++ if (rv == 0) + break; + } +- if (!rv) /* source not found */ ++ if (rv) /* source not found */ + goto done; + + /* update the interface filter */ +@@ -1804,9 +1804,9 @@ + } + rv = 1; /* > 0 for insert logic below if sl_count is 0 */ + for (i=0; i<psl->sl_count; i++) { +- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr, ++ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr, + sizeof(__u32)); +- if (rv >= 0) ++ if (rv == 0) + break; + } + if (rv == 0) /* address already there is an error */ +--- linux-2.4.28-orig/net/ipv6/mcast.c 2004-11-17 12:54:22.000000000 +0100 ++++ linux-2.4.28/net/ipv6/mcast.c 2004-12-15 22:14:07.000000000 +0100 +@@ -386,12 +386,12 @@ + goto done; + rv = !0; + for (i=0; i<psl->sl_count; i++) { +- rv = memcmp(&psl->sl_addr, group, ++ rv = memcmp(&psl->sl_addr[i], source, + sizeof(struct in6_addr)); +- if (rv >= 0) ++ if (rv == 0) + break; + } +- if (!rv) /* source not found */ ++ if (rv) /* source not found */ + goto done; + + /* update the interface filter */ +@@ -432,8 +432,8 @@ + } + rv = 1; /* > 0 for insert logic below if sl_count is 0 */ + for (i=0; i<psl->sl_count; i++) { +- rv = memcmp(&psl->sl_addr, group, sizeof(struct in6_addr)); +- if (rv >= 0) ++ rv = memcmp(&psl->sl_addr[i], source, sizeof(struct in6_addr)); ++ if (rv == 0) + break; + } + if (rv == 0) /* address already there is an error */ diff --git a/sys-kernel/usermode-sources/files/usermode-sources-2.4.vma.patch b/sys-kernel/usermode-sources/files/usermode-sources-2.4.vma.patch new file mode 100644 index 000000000000..2469dd5ab2c5 --- /dev/null +++ b/sys-kernel/usermode-sources/files/usermode-sources-2.4.vma.patch @@ -0,0 +1,246 @@ +# This is a BitKeeper generated diff -Nru style patch. +# +# ChangeSet +# 2004/12/17 21:45:58-02:00 chrisw@osdl.org +# [PATCH] Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG(). +# +# Backport of 2.6 fix to insert_vm_struct to make it return an error +# rather than BUG(). This eliminates a user triggerable BUG() when user +# created a large vma that overlapped with arg pages during exec (could be +# triggered with a.out on i386 and x86_64 and elf on ia64). +# +# Signed-off-by: Chris Wright <chrisw@osdl.org> +# +# ===== arch/ia64/ia32/binfmt_elf32.c 1.13 vs edited ===== +# +# arch/ia64/ia32/binfmt_elf32.c +# 2004/12/17 17:22:06-02:00 chrisw@osdl.org +16 -4 +# Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG(). +# +# arch/ia64/mm/init.c +# 2004/12/17 15:25:47-02:00 chrisw@osdl.org +14 -2 +# Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG(). +# +# arch/s390x/kernel/exec32.c +# 2004/12/17 15:32:42-02:00 chrisw@osdl.org +6 -2 +# Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG(). This eliminates a user triggerable BUG() when user +# +# arch/x86_64/ia32/ia32_binfmt.c +# 2004/12/17 15:34:21-02:00 chrisw@osdl.org +6 -2 +# Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG(). This eliminates a user triggerable BUG() when user +# +# fs/exec.c +# 2004/12/17 15:54:18-02:00 chrisw@osdl.org +6 -2 +# Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG(). +# +# include/linux/mm.h +# 2004/12/16 20:38:37-02:00 chrisw@osdl.org +1 -1 +# Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG(). This eliminates a user triggerable BUG() when user +# +# mm/mmap.c +# 2004/12/16 20:43:15-02:00 chrisw@osdl.org +3 -2 +# Backport of 2.6 fix to insert_vm_struct to make it return an error rather than BUG(). +# +diff -Nru a/arch/ia64/ia32/binfmt_elf32.c b/arch/ia64/ia32/binfmt_elf32.c +--- a/arch/ia64/ia32/binfmt_elf32.c 2004-12-19 07:39:49 -08:00 ++++ b/arch/ia64/ia32/binfmt_elf32.c 2004-12-19 07:39:49 -08:00 +@@ -95,7 +95,11 @@ + vma->vm_private_data = NULL; + down_write(¤t->mm->mmap_sem); + { +- insert_vm_struct(current->mm, vma); ++ if (insert_vm_struct(current->mm, vma)) { ++ kmem_cache_free(vm_area_cachep, vma); ++ up_write(¤t->mm->mmap_sem); ++ return; ++ } + } + up_write(¤t->mm->mmap_sem); + } +@@ -117,7 +121,11 @@ + vma->vm_private_data = NULL; + down_write(¤t->mm->mmap_sem); + { +- insert_vm_struct(current->mm, vma); ++ if (insert_vm_struct(current->mm, vma)) { ++ kmem_cache_free(vm_area_cachep, vma); ++ up_write(¤t->mm->mmap_sem); ++ return; ++ } + } + up_write(¤t->mm->mmap_sem); + } +@@ -164,7 +172,7 @@ + { + unsigned long stack_base; + struct vm_area_struct *mpnt; +- int i; ++ int i, ret; + + stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE; + +@@ -188,7 +196,11 @@ + mpnt->vm_pgoff = 0; + mpnt->vm_file = NULL; + mpnt->vm_private_data = 0; +- insert_vm_struct(current->mm, mpnt); ++ if ((ret = insert_vm_struct(current->mm, mpnt))) { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, mpnt); ++ return ret; ++ } + current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT; + } + +diff -Nru a/arch/ia64/mm/init.c b/arch/ia64/mm/init.c +--- a/arch/ia64/mm/init.c 2004-12-19 07:39:49 -08:00 ++++ b/arch/ia64/mm/init.c 2004-12-19 07:39:49 -08:00 +@@ -105,7 +105,13 @@ + vma->vm_pgoff = 0; + vma->vm_file = NULL; + vma->vm_private_data = NULL; +- insert_vm_struct(current->mm, vma); ++ down_write(¤t->mm->mmap_sem); ++ if (insert_vm_struct(current->mm, vma)) { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, vma); ++ return; ++ } ++ up_write(¤t->mm->mmap_sem); + } + + /* map NaT-page at address zero to speed up speculative dereferencing of NULL: */ +@@ -117,7 +123,13 @@ + vma->vm_end = PAGE_SIZE; + vma->vm_page_prot = __pgprot(pgprot_val(PAGE_READONLY) | _PAGE_MA_NAT); + vma->vm_flags = VM_READ | VM_MAYREAD | VM_IO | VM_RESERVED; +- insert_vm_struct(current->mm, vma); ++ down_write(¤t->mm->mmap_sem); ++ if (insert_vm_struct(current->mm, vma)) { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, vma); ++ return; ++ } ++ up_write(¤t->mm->mmap_sem); + } + } + } +diff -Nru a/arch/s390x/kernel/exec32.c b/arch/s390x/kernel/exec32.c +--- a/arch/s390x/kernel/exec32.c 2004-12-19 07:39:49 -08:00 ++++ b/arch/s390x/kernel/exec32.c 2004-12-19 07:39:49 -08:00 +@@ -41,7 +41,7 @@ + { + unsigned long stack_base; + struct vm_area_struct *mpnt; +- int i; ++ int i, ret; + + stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE; + +@@ -65,7 +65,11 @@ + mpnt->vm_pgoff = 0; + mpnt->vm_file = NULL; + mpnt->vm_private_data = (void *) 0; +- insert_vm_struct(current->mm, mpnt); ++ if ((ret = insert_vm_struct(current->mm, mpnt))) { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, mpnt); ++ return ret; ++ } + current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT; + } + +diff -Nru a/arch/x86_64/ia32/ia32_binfmt.c b/arch/x86_64/ia32/ia32_binfmt.c +--- a/arch/x86_64/ia32/ia32_binfmt.c 2004-12-19 07:39:49 -08:00 ++++ b/arch/x86_64/ia32/ia32_binfmt.c 2004-12-19 07:39:49 -08:00 +@@ -225,7 +225,7 @@ + { + unsigned long stack_base; + struct vm_area_struct *mpnt; +- int i; ++ int i, ret; + + stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE; + +@@ -250,7 +250,11 @@ + mpnt->vm_pgoff = 0; + mpnt->vm_file = NULL; + mpnt->vm_private_data = (void *) 0; +- insert_vm_struct(current->mm, mpnt); ++ if ((ret = insert_vm_struct(current->mm, mpnt))) { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, mpnt); ++ return ret; ++ } + current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT; + } + +diff -Nru a/fs/exec.c b/fs/exec.c +--- a/fs/exec.c 2004-12-19 07:39:49 -08:00 ++++ b/fs/exec.c 2004-12-19 07:39:49 -08:00 +@@ -327,7 +327,7 @@ + { + unsigned long stack_base; + struct vm_area_struct *mpnt; +- int i; ++ int i, ret; + + stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE; + +@@ -387,7 +387,6 @@ + + down_write(¤t->mm->mmap_sem); + { +- struct vm_area_struct *vma; + mpnt->vm_mm = current->mm; + mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p; + mpnt->vm_end = STACK_TOP; +@@ -402,13 +401,11 @@ + mpnt->vm_pgoff = 0; + mpnt->vm_file = NULL; + mpnt->vm_private_data = (void *) 0; +- vma = find_vma(current->mm, mpnt->vm_start); +- if (vma) { ++ if ((ret = insert_vm_struct(current->mm, mpnt))) { + up_write(¤t->mm->mmap_sem); + kmem_cache_free(vm_area_cachep, mpnt); +- return -ENOMEM; ++ return ret; + } +- insert_vm_struct(current->mm, mpnt); + current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT; + } + +diff -Nru a/include/linux/mm.h b/include/linux/mm.h +--- a/include/linux/mm.h 2004-12-19 07:39:49 -08:00 ++++ b/include/linux/mm.h 2004-12-19 07:39:49 -08:00 +@@ -548,7 +548,7 @@ + /* mmap.c */ + extern void lock_vma_mappings(struct vm_area_struct *); + extern void unlock_vma_mappings(struct vm_area_struct *); +-extern void insert_vm_struct(struct mm_struct *, struct vm_area_struct *); ++extern int insert_vm_struct(struct mm_struct *, struct vm_area_struct *); + extern void __insert_vm_struct(struct mm_struct *, struct vm_area_struct *); + extern void build_mmap_rb(struct mm_struct *); + extern void exit_mmap(struct mm_struct *); +diff -Nru a/mm/mmap.c b/mm/mmap.c +--- a/mm/mmap.c 2004-12-19 07:39:49 -08:00 ++++ b/mm/mmap.c 2004-12-19 07:39:49 -08:00 +@@ -1193,14 +1193,15 @@ + validate_mm(mm); + } + +-void insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) ++int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) + { + struct vm_area_struct * __vma, * prev; + rb_node_t ** rb_link, * rb_parent; + + __vma = find_vma_prepare(mm, vma->vm_start, &prev, &rb_link, &rb_parent); + if (__vma && __vma->vm_start < vma->vm_end) +- BUG(); ++ return -ENOMEM; + vma_link(mm, vma, prev, rb_link, rb_parent); + validate_mm(mm); ++ return 0; + } diff --git a/sys-kernel/usermode-sources/usermode-sources-2.4.26-r10.ebuild b/sys-kernel/usermode-sources/usermode-sources-2.4.26-r11.ebuild index 29b7ccc808bb..2b6ad53f9643 100644 --- a/sys-kernel/usermode-sources/usermode-sources-2.4.26-r10.ebuild +++ b/sys-kernel/usermode-sources/usermode-sources-2.4.26-r11.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2004 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-kernel/usermode-sources/usermode-sources-2.4.26-r10.ebuild,v 1.1 2004/11/27 20:04:10 plasmaroo Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/usermode-sources/usermode-sources-2.4.26-r11.ebuild,v 1.1 2004/12/24 18:46:22 plasmaroo Exp $ ETYPE="sources" inherit kernel-2 @@ -41,7 +41,11 @@ UNIPATCH_LIST="${DISTDIR}/${UML_PATCH}.bz2 ${FILESDIR}/${PN}-2.4.binfmt_elf.patch ${FILESDIR}/${PN}-2.4.smbfs.patch ${FILESDIR}/${PN}-2.4.binfmt_a.out.patch - ${FILESDIR}/${PN}.AF_UNIX.patch" + ${FILESDIR}/${PN}.AF_UNIX.patch + ${FILESDIR}/${PN}-2.4.vma.patch + ${FILESDIR}/${PN}-2.4.CAN-2004-1016.patch + ${FILESDIR}/${PN}-2.4.CAN-2004-1056.patch + ${FILESDIR}/${PN}-2.4.CAN-2004-1137.patch" src_install() { kernel-2_src_install |