Update Grsec/PaX20101115

 2.2.0-2.6.32.25-201011151726 against 2.6.32.25
 2.2.0-2.6.36-201011151726 against 2.6.36

2 files changed, 73 insertions, 3 deletions

diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 745f6ce..fecc43d 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -3,7 +3,7 @@ README
 
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-2.2.0-2.6.32.25-201011131640.patch
+Patch:	4420_grsecurity-2.2.0-2.6.32.25-201011151726.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/2.6.32/4420_grsecurity-2.2.0-2.6.32.25-201011131640.patch b/2.6.32/4420_grsecurity-2.2.0-2.6.32.25-201011151726.patch
index 817174f..3ea1d8f 100644
--- a/2.6.32/4420_grsecurity-2.2.0-2.6.32.25-201011131640.patch
+++ b/2.6.32/4420_grsecurity-2.2.0-2.6.32.25-201011151726.patch
@@ -47954,13 +47954,13 @@ diff -urNp linux-2.6.32.25/include/linux/jbd.h linux-2.6.32.25/include/linux/jbd
  static inline void *jbd_alloc(size_t size, gfp_t flags)
 diff -urNp linux-2.6.32.25/include/linux/kallsyms.h linux-2.6.32.25/include/linux/kallsyms.h
 --- linux-2.6.32.25/include/linux/kallsyms.h	2010-08-13 16:24:37.000000000 -0400
-+++ linux-2.6.32.25/include/linux/kallsyms.h	2010-11-13 16:38:15.000000000 -0500
++++ linux-2.6.32.25/include/linux/kallsyms.h	2010-11-15 17:10:03.000000000 -0500
 @@ -15,7 +15,8 @@
  
  struct module;
  
 -#ifdef CONFIG_KALLSYMS
-+#if !defined(__INCLUDED_BY_HIDESYM) && defined(CONFIG_KALLSYMS)
++#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
  /* Lookup the address for a symbol. Returns 0 if not found. */
  unsigned long kallsyms_lookup_name(const char *name);
@@ -49008,6 +49008,18 @@ diff -urNp linux-2.6.32.25/include/linux/slub_def.h linux-2.6.32.25/include/linu
  	void (*ctor)(void *);
  	int inuse;		/* Offset to metadata */
  	int align;		/* Alignment */
+diff -urNp linux-2.6.32.25/include/linux/socket.h linux-2.6.32.25/include/linux/socket.h
+--- linux-2.6.32.25/include/linux/socket.h	2010-10-31 16:44:11.000000000 -0400
++++ linux-2.6.32.25/include/linux/socket.h	2010-11-15 17:11:27.000000000 -0500
+@@ -304,7 +304,7 @@ extern int csum_partial_copy_fromiovecen
+ 					  int offset, 
+ 					  unsigned int len, __wsum *csump);
+ 
+-extern long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode);
++extern int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode);
+ extern int memcpy_toiovec(struct iovec *v, unsigned char *kdata, int len);
+ extern int memcpy_toiovecend(const struct iovec *v, unsigned char *kdata,
+ 			     int offset, int len);
 diff -urNp linux-2.6.32.25/include/linux/sonet.h linux-2.6.32.25/include/linux/sonet.h
 --- linux-2.6.32.25/include/linux/sonet.h	2010-08-13 16:24:37.000000000 -0400
 +++ linux-2.6.32.25/include/linux/sonet.h	2010-10-23 19:59:20.000000000 -0400
@@ -56672,6 +56684,26 @@ diff -urNp linux-2.6.32.25/net/bridge/br_sysfs_if.c linux-2.6.32.25/net/bridge/b
  	.show = brport_show,
  	.store = brport_store,
  };
+diff -urNp linux-2.6.32.25/net/compat.c linux-2.6.32.25/net/compat.c
+--- linux-2.6.32.25/net/compat.c	2010-08-13 16:24:37.000000000 -0400
++++ linux-2.6.32.25/net/compat.c	2010-11-15 17:12:20.000000000 -0500
+@@ -40,10 +40,12 @@ static inline int iov_from_user_compat_t
+ 		compat_size_t len;
+ 
+ 		if (get_user(len, &uiov32->iov_len) ||
+-		   get_user(buf, &uiov32->iov_base)) {
+-			tot_len = -EFAULT;
+-			break;
+-		}
++		   get_user(buf, &uiov32->iov_base))
++			return -EFAULT;
++
++		if (len > INT_MAX - tot_len)
++			len = INT_MAX - tot_len;
++
+ 		tot_len += len;
+ 		kiov->iov_base = compat_ptr(buf);
+ 		kiov->iov_len = (__kernel_size_t) len;
 diff -urNp linux-2.6.32.25/net/core/dev.c linux-2.6.32.25/net/core/dev.c
 --- linux-2.6.32.25/net/core/dev.c	2010-08-29 21:08:20.000000000 -0400
 +++ linux-2.6.32.25/net/core/dev.c	2010-10-23 19:59:20.000000000 -0400
@@ -56735,6 +56767,44 @@ diff -urNp linux-2.6.32.25/net/core/flow.c linux-2.6.32.25/net/core/flow.c
  
  #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
  
+diff -urNp linux-2.6.32.25/net/core/iovec.c linux-2.6.32.25/net/core/iovec.c
+--- linux-2.6.32.25/net/core/iovec.c	2010-10-31 16:44:11.000000000 -0400
++++ linux-2.6.32.25/net/core/iovec.c	2010-11-15 17:14:08.000000000 -0500
+@@ -36,10 +36,9 @@
+  *	in any case.
+  */
+ 
+-long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
++int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
+ {
+-	int size, ct;
+-	long err;
++	int size, ct, err;
+ 
+ 	if (m->msg_namelen) {
+ 		if (mode == VERIFY_READ) {
+@@ -61,14 +60,13 @@ long verify_iovec(struct msghdr *m, stru
+ 	err = 0;
+ 
+ 	for (ct = 0; ct < m->msg_iovlen; ct++) {
+-		err += iov[ct].iov_len;
+-		/*
+-		 * Goal is not to verify user data, but to prevent returning
+-		 * negative value, which is interpreted as errno.
+-		 * Overflow is still possible, but it is harmless.
+-		 */
+-		if (err < 0)
+-			return -EMSGSIZE;
++		size_t len = iov[ct].iov_len;
++
++		if (len > INT_MAX - err) {
++			len = INT_MAX - err;
++			iov[ct].iov_len = len;
++		}
++		err += len;
+ 	}
+ 
+ 	return err;
 diff -urNp linux-2.6.32.25/net/dccp/ccids/ccid3.c linux-2.6.32.25/net/dccp/ccids/ccid3.c
 --- linux-2.6.32.25/net/dccp/ccids/ccid3.c	2010-08-13 16:24:37.000000000 -0400
 +++ linux-2.6.32.25/net/dccp/ccids/ccid3.c	2010-10-23 19:59:20.000000000 -0400