authorAnthony G. Basile <blueness@gentoo.org>2011-06-15 12:41:51 -0400
committerAnthony G. Basile <blueness@gentoo.org>2011-06-15 12:41:51 -0400
commitf7b78ff5181a2af72e7265fbfc9268ce65a8a259 (patch)
tree7c9c8df8f1f50b425d1ce7d06c22c791399f51f6
parentUpdate Grsec/PaX (diff)
Update Grsec/PaX
2.2.2-2.6.32.41-201106132135 2.2.2-2.6.39.1-201106132135
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.2.2-2.6.32.41-201106132135.patch (renamed from 2.6.32/4420_grsecurity-2.2.2-2.6.32.41-201106071941.patch)247
-rw-r--r--2.6.39/0000_README2
-rw-r--r--2.6.39/4420_grsecurity-2.2.2-2.6.39.1-201106132135.patch (renamed from 2.6.39/4420_grsecurity-2.2.2-2.6.39.1-201106071941.patch)220
4 files changed, 423 insertions, 48 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 3c6c9f7..1b0ab21 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -3,7 +3,7 @@ README
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.2.2-2.6.32.41-201106071941.patch
+Patch: 4420_grsecurity-2.2.2-2.6.32.41-201106132135.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.41-201106071941.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.41-201106132135.patch
index 3d01c9c..69e5b91 100644
--- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.41-201106071941.patch
+++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.41-201106132135.patch
@@ -50,8 +50,60 @@ diff -urNp linux-2.6.32.41/arch/alpha/kernel/module.c linux-2.6.32.41/arch/alpha
for (i = 0; i < n; i++) {
diff -urNp linux-2.6.32.41/arch/alpha/kernel/osf_sys.c linux-2.6.32.41/arch/alpha/kernel/osf_sys.c
--- linux-2.6.32.41/arch/alpha/kernel/osf_sys.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.41/arch/alpha/kernel/osf_sys.c 2011-04-17 15:56:45.000000000 -0400
-@@ -1169,7 +1169,7 @@ arch_get_unmapped_area_1(unsigned long a
++++ linux-2.6.32.41/arch/alpha/kernel/osf_sys.c 2011-06-13 17:19:47.000000000 -0400
+@@ -431,7 +431,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char
+ return -EFAULT;
+
+ len = namelen;
+- if (namelen > 32)
++ if (len > 32)
+ len = 32;
+
+ down_read(&uts_sem);
+@@ -618,7 +618,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman
+ down_read(&uts_sem);
+ res = sysinfo_table[offset];
+ len = strlen(res)+1;
+- if (len > count)
++ if ((unsigned long)len > (unsigned long)count)
+ len = count;
+ if (copy_to_user(buf, res, len))
+ err = -EFAULT;
+@@ -673,7 +673,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned
+ return 1;
+
+ case GSI_GET_HWRPB:
+- if (nbytes < sizeof(*hwrpb))
++ if (nbytes > sizeof(*hwrpb))
+ return -EINVAL;
+ if (copy_to_user(buffer, hwrpb, nbytes) != 0)
+ return -EFAULT;
+@@ -1035,6 +1035,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
+ {
+ struct rusage r;
+ long ret, err;
++ unsigned int status = 0;
+ mm_segment_t old_fs;
+
+ if (!ur)
+@@ -1043,13 +1044,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
+ old_fs = get_fs();
+
+ set_fs (KERNEL_DS);
+- ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r);
++ ret = sys_wait4(pid, (unsigned int __user *) &status, options,
++ (struct rusage __user *) &r);
+ set_fs (old_fs);
+
+ if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
+ return -EFAULT;
+
+ err = 0;
++ err |= put_user(status, ustatus);
+ err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
+ err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
+ err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);
+@@ -1169,7 +1172,7 @@ arch_get_unmapped_area_1(unsigned long a
/* At this point: (!vma || addr < vma->vm_end). */
if (limit - len < addr)
return -ENOMEM;
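Review bot: In the osf_wait4 part of this hunk the added `err |= put_user(status, ustatus);` runs unconditionally, so a caller that passes a NULL status pointer together with a non-NULL rusage pointer would presumably now get -EFAULT after the child has already been reaped, whereas sys_wait4 itself treats a NULL status address as "do not report". Guarding the store, `if (ustatus) err |= put_user(status, ustatus);`, keeps that contract while still avoiding the store through a caller-supplied pointer while KERNEL_DS is in effect. The return path of osf_wait4 is outside the hunk, so how `err` is folded into the result should be confirmed there. The same lines appear in the osf_sys.c hunk of the 2.6.39.1 patch later in this commit.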
@@ -60,7 +112,7 @@ diff -urNp linux-2.6.32.41/arch/alpha/kernel/osf_sys.c linux-2.6.32.41/arch/alph
return addr;
addr = vma->vm_end;
vma = vma->vm_next;
-@@ -1205,6 +1205,10 @@ arch_get_unmapped_area(struct file *filp
+@@ -1205,6 +1208,10 @@ arch_get_unmapped_area(struct file *filp
merely specific addresses, but regions of memory -- perhaps
this feature should be incorporated into all ports? */
@@ -71,7 +123,7 @@ diff -urNp linux-2.6.32.41/arch/alpha/kernel/osf_sys.c linux-2.6.32.41/arch/alph
if (addr) {
addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
if (addr != (unsigned long) -ENOMEM)
-@@ -1212,8 +1216,8 @@ arch_get_unmapped_area(struct file *filp
+@@ -1212,8 +1219,8 @@ arch_get_unmapped_area(struct file *filp
}
/* Next, try allocating at TASK_UNMAPPED_BASE. */
@@ -306,6 +358,27 @@ diff -urNp linux-2.6.32.41/arch/arm/kernel/kgdb.c linux-2.6.32.41/arch/arm/kerne
#ifndef __ARMEB__
.gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
#else /* ! __ARMEB__ */
+diff -urNp linux-2.6.32.41/arch/arm/kernel/traps.c linux-2.6.32.41/arch/arm/kernel/traps.c
+--- linux-2.6.32.41/arch/arm/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.41/arch/arm/kernel/traps.c 2011-06-13 21:31:18.000000000 -0400
+@@ -247,6 +247,8 @@ static void __die(const char *str, int e
+
+ DEFINE_SPINLOCK(die_lock);
+
++extern void gr_handle_kernel_exploit(void);
++
+ /*
+ * This function is protected against re-entrancy.
+ */
+@@ -271,6 +273,8 @@ NORET_TYPE void die(const char *str, str
+ if (panic_on_oops)
+ panic("Fatal exception");
+
++ gr_handle_kernel_exploit();
++
+ do_exit(SIGSEGV);
+ }
+
diff -urNp linux-2.6.32.41/arch/arm/mach-at91/pm.c linux-2.6.32.41/arch/arm/mach-at91/pm.c
--- linux-2.6.32.41/arch/arm/mach-at91/pm.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.41/arch/arm/mach-at91/pm.c 2011-04-17 15:56:45.000000000 -0400
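Review bot: The prototype `extern void gr_handle_kernel_exploit(void);` is declared locally in arch/arm/kernel/traps.c, and the same line is repeated in the powerpc traps.c and sparc traps_32.c/traps_64.c hunks of both patch files. A local extern is never checked against the definition, so a later signature change would still compile; declaring it once in a shared header that the defining file also includes lets the compiler catch a mismatch. A short comment at the call in die(), for example `/* active kernel exploit response; reached only when the panic checks above did not fire */`, would also explain why it sits between panic() and do_exit(). The link to the GRKERNSEC_KERN_LOCKOUT option is inferred from the Kconfig change in this commit and should be confirmed at the definition.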
@@ -2577,6 +2650,27 @@ diff -urNp linux-2.6.32.41/arch/powerpc/kernel/sys_ppc32.c linux-2.6.32.41/arch/
}
return error;
}
+diff -urNp linux-2.6.32.41/arch/powerpc/kernel/traps.c linux-2.6.32.41/arch/powerpc/kernel/traps.c
+--- linux-2.6.32.41/arch/powerpc/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.41/arch/powerpc/kernel/traps.c 2011-06-13 21:33:37.000000000 -0400
+@@ -99,6 +99,8 @@ static void pmac_backlight_unblank(void)
+ static inline void pmac_backlight_unblank(void) { }
+ #endif
+
++extern void gr_handle_kernel_exploit(void);
++
+ int die(const char *str, struct pt_regs *regs, long err)
+ {
+ static struct {
+@@ -168,6 +170,8 @@ int die(const char *str, struct pt_regs
+ if (panic_on_oops)
+ panic("Fatal exception");
+
++ gr_handle_kernel_exploit();
++
+ oops_exit();
+ do_exit(err);
+
diff -urNp linux-2.6.32.41/arch/powerpc/kernel/vdso.c linux-2.6.32.41/arch/powerpc/kernel/vdso.c
--- linux-2.6.32.41/arch/powerpc/kernel/vdso.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.41/arch/powerpc/kernel/vdso.c 2011-04-17 15:56:45.000000000 -0400
@@ -4257,8 +4351,17 @@ diff -urNp linux-2.6.32.41/arch/sparc/kernel/sys_sparc_64.c linux-2.6.32.41/arch
}
diff -urNp linux-2.6.32.41/arch/sparc/kernel/traps_32.c linux-2.6.32.41/arch/sparc/kernel/traps_32.c
--- linux-2.6.32.41/arch/sparc/kernel/traps_32.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.41/arch/sparc/kernel/traps_32.c 2011-04-17 15:56:46.000000000 -0400
-@@ -76,7 +76,7 @@ void die_if_kernel(char *str, struct pt_
++++ linux-2.6.32.41/arch/sparc/kernel/traps_32.c 2011-06-13 21:25:39.000000000 -0400
+@@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo
+ #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
+ #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
+
++extern void gr_handle_kernel_exploit(void);
++
+ void die_if_kernel(char *str, struct pt_regs *regs)
+ {
+ static int die_counter;
+@@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_
count++ < 30 &&
(((unsigned long) rw) >= PAGE_OFFSET) &&
!(((unsigned long) rw) & 0x7)) {
@@ -4267,9 +4370,20 @@ diff -urNp linux-2.6.32.41/arch/sparc/kernel/traps_32.c linux-2.6.32.41/arch/spa
(void *) rw->ins[7]);
rw = (struct reg_window32 *)rw->ins[6];
}
+ }
+ printk("Instruction DUMP:");
+ instruction_dump ((unsigned long *) regs->pc);
+- if(regs->psr & PSR_PS)
++ if(regs->psr & PSR_PS) {
++ gr_handle_kernel_exploit();
+ do_exit(SIGKILL);
++ }
+ do_exit(SIGSEGV);
+ }
+
diff -urNp linux-2.6.32.41/arch/sparc/kernel/traps_64.c linux-2.6.32.41/arch/sparc/kernel/traps_64.c
--- linux-2.6.32.41/arch/sparc/kernel/traps_64.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.41/arch/sparc/kernel/traps_64.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.41/arch/sparc/kernel/traps_64.c 2011-06-13 21:24:11.000000000 -0400
@@ -73,7 +73,7 @@ static void dump_tl1_traplog(struct tl1_
i + 1,
p->trapstack[i].tstate, p->trapstack[i].tpc,
@@ -4370,7 +4484,16 @@ diff -urNp linux-2.6.32.41/arch/sparc/kernel/traps_64.c linux-2.6.32.41/arch/spa
} while (++count < 16);
}
-@@ -2260,7 +2271,7 @@ void die_if_kernel(char *str, struct pt_
+@@ -2233,6 +2244,8 @@ static inline struct reg_window *kernel_
+ return (struct reg_window *) (fp + STACK_BIAS);
+ }
+
++extern void gr_handle_kernel_exploit(void);
++
+ void die_if_kernel(char *str, struct pt_regs *regs)
+ {
+ static int die_counter;
+@@ -2260,7 +2273,7 @@ void die_if_kernel(char *str, struct pt_
while (rw &&
count++ < 30&&
is_kernel_stack(current, rw)) {
@@ -4379,6 +4502,19 @@ diff -urNp linux-2.6.32.41/arch/sparc/kernel/traps_64.c linux-2.6.32.41/arch/spa
(void *) rw->ins[7]);
rw = kernel_stack_up(rw);
+@@ -2273,8 +2286,11 @@ void die_if_kernel(char *str, struct pt_
+ }
+ user_instruction_dump ((unsigned int __user *) regs->tpc);
+ }
+- if (regs->tstate & TSTATE_PRIV)
++ if (regs->tstate & TSTATE_PRIV) {
++ gr_handle_kernel_exploit();
+ do_exit(SIGKILL);
++ }
++
+ do_exit(SIGSEGV);
+ }
+ EXPORT_SYMBOL(die_if_kernel);
diff -urNp linux-2.6.32.41/arch/sparc/kernel/unaligned_64.c linux-2.6.32.41/arch/sparc/kernel/unaligned_64.c
--- linux-2.6.32.41/arch/sparc/kernel/unaligned_64.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.41/arch/sparc/kernel/unaligned_64.c 2011-04-17 15:56:46.000000000 -0400
@@ -36760,6 +36896,20 @@ diff -urNp linux-2.6.32.41/fs/btrfs/extent_io.h linux-2.6.32.41/fs/btrfs/extent_
};
struct extent_state {
+diff -urNp linux-2.6.32.41/fs/btrfs/extent-tree.c linux-2.6.32.41/fs/btrfs/extent-tree.c
+--- linux-2.6.32.41/fs/btrfs/extent-tree.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.41/fs/btrfs/extent-tree.c 2011-06-12 06:39:08.000000000 -0400
+@@ -7141,6 +7141,10 @@ static noinline int relocate_one_extent(
+ u64 group_start = group->key.objectid;
+ new_extents = kmalloc(sizeof(*new_extents),
+ GFP_NOFS);
++ if (!new_extents) {
++ ret = -ENOMEM;
++ goto out;
++ }
+ nr_extents = 1;
+ ret = get_new_locations(reloc_inode,
+ extent_key,
diff -urNp linux-2.6.32.41/fs/btrfs/free-space-cache.c linux-2.6.32.41/fs/btrfs/free-space-cache.c
--- linux-2.6.32.41/fs/btrfs/free-space-cache.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.41/fs/btrfs/free-space-cache.c 2011-04-17 15:56:46.000000000 -0400
@@ -36783,7 +36933,7 @@ diff -urNp linux-2.6.32.41/fs/btrfs/free-space-cache.c linux-2.6.32.41/fs/btrfs/
ret = btrfs_bitmap_cluster(block_group, entry, cluster,
diff -urNp linux-2.6.32.41/fs/btrfs/inode.c linux-2.6.32.41/fs/btrfs/inode.c
--- linux-2.6.32.41/fs/btrfs/inode.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.41/fs/btrfs/inode.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.41/fs/btrfs/inode.c 2011-06-12 06:39:58.000000000 -0400
@@ -63,7 +63,7 @@ static const struct inode_operations btr
static const struct address_space_operations btrfs_aops;
static const struct address_space_operations btrfs_symlink_aops;
@@ -36793,7 +36943,24 @@ diff -urNp linux-2.6.32.41/fs/btrfs/inode.c linux-2.6.32.41/fs/btrfs/inode.c
static struct kmem_cache *btrfs_inode_cachep;
struct kmem_cache *btrfs_trans_handle_cachep;
-@@ -5410,7 +5410,7 @@ fail:
+@@ -925,6 +925,7 @@ static int cow_file_range_async(struct i
+ 1, 0, NULL, GFP_NOFS);
+ while (start < end) {
+ async_cow = kmalloc(sizeof(*async_cow), GFP_NOFS);
++ BUG_ON(!async_cow);
+ async_cow->inode = inode;
+ async_cow->root = root;
+ async_cow->locked_page = locked_page;
+@@ -4591,6 +4592,8 @@ static noinline int uncompress_inline(st
+ inline_size = btrfs_file_extent_inline_item_len(leaf,
+ btrfs_item_nr(leaf, path->slots[0]));
+ tmp = kmalloc(inline_size, GFP_NOFS);
++ if (!tmp)
++ return -ENOMEM;
+ ptr = btrfs_file_extent_inline_start(item);
+
+ read_extent_buffer(leaf, tmp, ptr, inline_size);
+@@ -5410,7 +5413,7 @@ fail:
return -ENOMEM;
}
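Review bot: In cow_file_range_async the added `BUG_ON(!async_cow);` turns a failed kmalloc into a deliberate kernel crash instead of a NULL dereference, so memory pressure can still bring the machine down at this point. The uncompress_inline change in the same hunk returns -ENOMEM, and the extent-tree.c hunk uses `ret = -ENOMEM; goto out;`; the same treatment would be preferable here if work queued by earlier loop iterations can be unwound. The rest of the loop is outside the hunk, so whether a clean error return is possible needs checking. If it is not, a comment such as `/* no unwind path for already-queued work; allocation failure is fatal */` would record why BUG_ON was chosen.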
@@ -36802,7 +36969,7 @@ diff -urNp linux-2.6.32.41/fs/btrfs/inode.c linux-2.6.32.41/fs/btrfs/inode.c
struct dentry *dentry, struct kstat *stat)
{
struct inode *inode = dentry->d_inode;
-@@ -5422,6 +5422,14 @@ static int btrfs_getattr(struct vfsmount
+@@ -5422,6 +5425,14 @@ static int btrfs_getattr(struct vfsmount
return 0;
}
@@ -36817,7 +36984,7 @@ diff -urNp linux-2.6.32.41/fs/btrfs/inode.c linux-2.6.32.41/fs/btrfs/inode.c
static int btrfs_rename(struct inode *old_dir, struct dentry *old_dentry,
struct inode *new_dir, struct dentry *new_dentry)
{
-@@ -5972,7 +5980,7 @@ static const struct file_operations btrf
+@@ -5972,7 +5983,7 @@ static const struct file_operations btrf
.fsync = btrfs_sync_file,
};
@@ -43625,8 +43792,8 @@ diff -urNp linux-2.6.32.41/grsecurity/gracl_alloc.c linux-2.6.32.41/grsecurity/g
+}
diff -urNp linux-2.6.32.41/grsecurity/gracl.c linux-2.6.32.41/grsecurity/gracl.c
--- linux-2.6.32.41/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.41/grsecurity/gracl.c 2011-05-24 20:26:07.000000000 -0400
-@@ -0,0 +1,4079 @@
++++ linux-2.6.32.41/grsecurity/gracl.c 2011-06-11 16:24:26.000000000 -0400
+@@ -0,0 +1,4085 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -43711,7 +43878,8 @@ diff -urNp linux-2.6.32.41/grsecurity/gracl.c linux-2.6.32.41/grsecurity/gracl.c
+extern struct vfsmount *hugetlbfs_vfsmount;
+#endif
+
-+static struct acl_object_label *fakefs_obj;
++static struct acl_object_label *fakefs_obj_rw;
++static struct acl_object_label *fakefs_obj_rwx;
+
+extern int gr_init_uidset(void);
+extern void gr_free_uidset(void);
@@ -44443,10 +44611,15 @@ diff -urNp linux-2.6.32.41/grsecurity/gracl.c linux-2.6.32.41/grsecurity/gracl.c
+ printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root), real_root->d_inode->i_ino);
+#endif
+
-+ fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
-+ if (fakefs_obj == NULL)
++ fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
++ if (fakefs_obj_rw == NULL)
++ return 1;
++ fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
++
++ fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
++ if (fakefs_obj_rwx == NULL)
+ return 1;
-+ fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
++ fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
+
+ subj_map_set.s_hash =
+ (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
@@ -45454,7 +45627,7 @@ diff -urNp linux-2.6.32.41/grsecurity/gracl.c linux-2.6.32.41/grsecurity/gracl.c
+#endif
+ /* ignore Eric Biederman */
+ IS_PRIVATE(l_dentry->d_inode))) {
-+ retval = fakefs_obj;
++ retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
+ goto out;
+ }
+
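Review bot: The selection `(subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw` changes the default for objects matched by this branch from read/write/exec to read/write only, and nothing at the site says so. A comment above the assignment, for example `/* objects on these internal filesystems get GR_EXEC only when the subject carries GR_SHMEXEC */`, would make the new default-deny behaviour visible to anyone reading the lookup. The condition this branch belongs to starts outside the hunk, so the wording should be checked against the full test. The identical change is in the gracl.c hunk of the 2.6.39.1 patch.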
@@ -52261,7 +52434,7 @@ diff -urNp linux-2.6.32.41/grsecurity/grsum.c linux-2.6.32.41/grsecurity/grsum.c
+}
diff -urNp linux-2.6.32.41/grsecurity/Kconfig linux-2.6.32.41/grsecurity/Kconfig
--- linux-2.6.32.41/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.41/grsecurity/Kconfig 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.41/grsecurity/Kconfig 2011-06-13 21:34:09.000000000 -0400
@@ -0,0 +1,1045 @@
+#
+# grecurity configuration
@@ -52405,7 +52578,7 @@ diff -urNp linux-2.6.32.41/grsecurity/Kconfig linux-2.6.32.41/grsecurity/Kconfig
+ select GRKERNSEC_MODHARDEN if (MODULES)
+ select GRKERNSEC_HARDEN_PTRACE
+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_KERN_LOCKOUT if (X86)
++ select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC32 || SPARC64)
+ select PAX
+ select PAX_RANDUSTACK
+ select PAX_ASLR
@@ -52605,7 +52778,7 @@ diff -urNp linux-2.6.32.41/grsecurity/Kconfig linux-2.6.32.41/grsecurity/Kconfig
+
+config GRKERNSEC_KERN_LOCKOUT
+ bool "Active kernel exploit response"
-+ depends on X86
++ depends on X86 || ARM || PPC || SPARC32 || SPARC64
+ help
+ If you say Y here, when a PaX alert is triggered due to suspicious
+ activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
@@ -55028,8 +55201,8 @@ diff -urNp linux-2.6.32.41/include/linux/gralloc.h linux-2.6.32.41/include/linux
+#endif
diff -urNp linux-2.6.32.41/include/linux/grdefs.h linux-2.6.32.41/include/linux/grdefs.h
--- linux-2.6.32.41/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.41/include/linux/grdefs.h 2011-04-17 15:56:46.000000000 -0400
-@@ -0,0 +1,139 @@
++++ linux-2.6.32.41/include/linux/grdefs.h 2011-06-11 16:20:26.000000000 -0400
+@@ -0,0 +1,140 @@
+#ifndef GRDEFS_H
+#define GRDEFS_H
+
@@ -55119,7 +55292,8 @@ diff -urNp linux-2.6.32.41/include/linux/grdefs.h linux-2.6.32.41/include/linux/
+ GR_PROCFIND = 0x00008000,
+ GR_POVERRIDE = 0x00010000,
+ GR_KERNELAUTH = 0x00020000,
-+ GR_ATSECURE = 0x00040000
++ GR_ATSECURE = 0x00040000,
++ GR_SHMEXEC = 0x00080000
+};
+
+enum {
@@ -66922,6 +67096,29 @@ diff -urNp linux-2.6.32.41/net/atm/resources.c linux-2.6.32.41/net/atm/resources
__AAL_STAT_ITEMS
#undef __HANDLE_ITEM
}
+diff -urNp linux-2.6.32.41/net/bluetooth/l2cap.c linux-2.6.32.41/net/bluetooth/l2cap.c
+--- linux-2.6.32.41/net/bluetooth/l2cap.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.41/net/bluetooth/l2cap.c 2011-06-12 06:34:08.000000000 -0400
+@@ -1885,7 +1885,7 @@ static int l2cap_sock_getsockopt_old(str
+ err = -ENOTCONN;
+ break;
+ }
+-
++ memset(&cinfo, 0, sizeof(cinfo));
+ cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
+
+diff -urNp linux-2.6.32.41/net/bluetooth/rfcomm/sock.c linux-2.6.32.41/net/bluetooth/rfcomm/sock.c
+--- linux-2.6.32.41/net/bluetooth/rfcomm/sock.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.41/net/bluetooth/rfcomm/sock.c 2011-06-12 06:35:00.000000000 -0400
+@@ -878,6 +878,7 @@ static int rfcomm_sock_getsockopt_old(st
+
+ l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
+
++ memset(&cinfo, 0, sizeof(cinfo));
+ cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
+
diff -urNp linux-2.6.32.41/net/bridge/br_private.h linux-2.6.32.41/net/bridge/br_private.h
--- linux-2.6.32.41/net/bridge/br_private.h 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.41/net/bridge/br_private.h 2011-04-17 15:56:46.000000000 -0400
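Review bot: Both getsockopt_old hunks add `memset(&cinfo, 0, sizeof(cinfo));` without saying why, and in l2cap.c it replaces the blank line that separated the error branch from the fill-in code. Only hci_handle and dev_class are assigned afterwards, so the memset is what clears every other byte of the structure, padding included. A comment such as `/* zero the whole struct, padding included, before it is copied out */` would keep a later cleanup from dropping it as redundant. The copy to the caller is outside the hunk, so that wording is an assumption to confirm there. The same memset is added in the l2cap_sock.c and rfcomm/sock.c hunks of the 2.6.39.1 patch.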
diff --git a/2.6.39/0000_README b/2.6.39/0000_README
index e431fc5..f82a66c 100644
--- a/2.6.39/0000_README
+++ b/2.6.39/0000_README
@@ -3,7 +3,7 @@ README
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.2.2-2.6.39.1-201106071941.patch
+Patch: 4420_grsecurity-2.2.2-2.6.39.1-201106132135.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.39/4420_grsecurity-2.2.2-2.6.39.1-201106071941.patch b/2.6.39/4420_grsecurity-2.2.2-2.6.39.1-201106132135.patch
index 3621970..9d35972 100644
--- a/2.6.39/4420_grsecurity-2.2.2-2.6.39.1-201106071941.patch
+++ b/2.6.39/4420_grsecurity-2.2.2-2.6.39.1-201106132135.patch
@@ -197,8 +197,60 @@ diff -urNp linux-2.6.39.1/arch/alpha/kernel/module.c linux-2.6.39.1/arch/alpha/k
for (i = 0; i < n; i++) {
diff -urNp linux-2.6.39.1/arch/alpha/kernel/osf_sys.c linux-2.6.39.1/arch/alpha/kernel/osf_sys.c
--- linux-2.6.39.1/arch/alpha/kernel/osf_sys.c 2011-05-19 00:06:34.000000000 -0400
-+++ linux-2.6.39.1/arch/alpha/kernel/osf_sys.c 2011-05-22 19:36:30.000000000 -0400
-@@ -1142,7 +1142,7 @@ arch_get_unmapped_area_1(unsigned long a
++++ linux-2.6.39.1/arch/alpha/kernel/osf_sys.c 2011-06-13 17:19:07.000000000 -0400
+@@ -409,7 +409,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char
+ return -EFAULT;
+
+ len = namelen;
+- if (namelen > 32)
++ if (len > 32)
+ len = 32;
+
+ down_read(&uts_sem);
+@@ -594,7 +594,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman
+ down_read(&uts_sem);
+ res = sysinfo_table[offset];
+ len = strlen(res)+1;
+- if (len > count)
++ if ((unsigned long)len > (unsigned long)count)
+ len = count;
+ if (copy_to_user(buf, res, len))
+ err = -EFAULT;
+@@ -649,7 +649,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned
+ return 1;
+
+ case GSI_GET_HWRPB:
+- if (nbytes < sizeof(*hwrpb))
++ if (nbytes > sizeof(*hwrpb))
+ return -EINVAL;
+ if (copy_to_user(buffer, hwrpb, nbytes) != 0)
+ return -EFAULT;
+@@ -1008,6 +1008,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
+ {
+ struct rusage r;
+ long ret, err;
++ unsigned int status = 0;
+ mm_segment_t old_fs;
+
+ if (!ur)
+@@ -1016,13 +1017,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
+ old_fs = get_fs();
+
+ set_fs (KERNEL_DS);
+- ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r);
++ ret = sys_wait4(pid, (unsigned int __user *) &status, options,
++ (struct rusage __user *) &r);
+ set_fs (old_fs);
+
+ if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
+ return -EFAULT;
+
+ err = 0;
++ err |= put_user(status, ustatus);
+ err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
+ err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
+ err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);
+@@ -1142,7 +1145,7 @@ arch_get_unmapped_area_1(unsigned long a
/* At this point: (!vma || addr < vma->vm_end). */
if (limit - len < addr)
return -ENOMEM;
@@ -207,7 +259,7 @@ diff -urNp linux-2.6.39.1/arch/alpha/kernel/osf_sys.c linux-2.6.39.1/arch/alpha/
return addr;
addr = vma->vm_end;
vma = vma->vm_next;
-@@ -1178,6 +1178,10 @@ arch_get_unmapped_area(struct file *filp
+@@ -1178,6 +1181,10 @@ arch_get_unmapped_area(struct file *filp
merely specific addresses, but regions of memory -- perhaps
this feature should be incorporated into all ports? */
@@ -218,7 +270,7 @@ diff -urNp linux-2.6.39.1/arch/alpha/kernel/osf_sys.c linux-2.6.39.1/arch/alpha/
if (addr) {
addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
if (addr != (unsigned long) -ENOMEM)
-@@ -1185,8 +1189,8 @@ arch_get_unmapped_area(struct file *filp
+@@ -1185,8 +1192,8 @@ arch_get_unmapped_area(struct file *filp
}
/* Next, try allocating at TASK_UNMAPPED_BASE. */
@@ -682,6 +734,28 @@ diff -urNp linux-2.6.39.1/arch/arm/kernel/process.c linux-2.6.39.1/arch/arm/kern
#ifdef CONFIG_MMU
/*
* The vectors page is always readable from user space for the
+diff -urNp linux-2.6.39.1/arch/arm/kernel/traps.c linux-2.6.39.1/arch/arm/kernel/traps.c
+--- linux-2.6.39.1/arch/arm/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
++++ linux-2.6.39.1/arch/arm/kernel/traps.c 2011-06-13 21:30:34.000000000 -0400
+@@ -258,6 +258,8 @@ static int __die(const char *str, int er
+
+ static DEFINE_SPINLOCK(die_lock);
+
++extern void gr_handle_kernel_exploit(void);
++
+ /*
+ * This function is protected against re-entrancy.
+ */
+@@ -285,6 +287,9 @@ void die(const char *str, struct pt_regs
+ panic("Fatal exception in interrupt");
+ if (panic_on_oops)
+ panic("Fatal exception");
++
++ gr_handle_kernel_exploit();
++
+ if (ret != NOTIFY_STOP)
+ do_exit(SIGSEGV);
+ }
diff -urNp linux-2.6.39.1/arch/arm/mach-cns3xxx/pcie.c linux-2.6.39.1/arch/arm/mach-cns3xxx/pcie.c
--- linux-2.6.39.1/arch/arm/mach-cns3xxx/pcie.c 2011-05-19 00:06:34.000000000 -0400
+++ linux-2.6.39.1/arch/arm/mach-cns3xxx/pcie.c 2011-05-22 19:36:30.000000000 -0400
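Review bot: In die() the new `gr_handle_kernel_exploit();` call is placed before the `if (ret != NOTIFY_STOP)` test, so it runs even when the notifier result says the event was handled and the task is not going to exit. If the response is meant only for oopses that end in do_exit(), moving the call inside that branch, `if (ret != NOTIFY_STOP) { gr_handle_kernel_exploit(); do_exit(SIGSEGV); }`, would match the 2.6.32.41 ARM hunk and the powerpc and sparc hunks, where the call sits on a path that always reaches do_exit(). Where `ret` is assigned is outside the hunk, so confirm what NOTIFY_STOP implies here before changing the order.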
@@ -3959,6 +4033,27 @@ diff -urNp linux-2.6.39.1/arch/powerpc/kernel/signal_64.c linux-2.6.39.1/arch/po
regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
} else {
err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
+diff -urNp linux-2.6.39.1/arch/powerpc/kernel/traps.c linux-2.6.39.1/arch/powerpc/kernel/traps.c
+--- linux-2.6.39.1/arch/powerpc/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
++++ linux-2.6.39.1/arch/powerpc/kernel/traps.c 2011-06-13 21:33:04.000000000 -0400
+@@ -96,6 +96,8 @@ static void pmac_backlight_unblank(void)
+ static inline void pmac_backlight_unblank(void) { }
+ #endif
+
++extern void gr_handle_kernel_exploit(void);
++
+ int die(const char *str, struct pt_regs *regs, long err)
+ {
+ static struct {
+@@ -170,6 +172,8 @@ int die(const char *str, struct pt_regs
+ if (panic_on_oops)
+ panic("Fatal exception");
+
++ gr_handle_kernel_exploit();
++
+ oops_exit();
+ do_exit(err);
+
diff -urNp linux-2.6.39.1/arch/powerpc/kernel/vdso.c linux-2.6.39.1/arch/powerpc/kernel/vdso.c
--- linux-2.6.39.1/arch/powerpc/kernel/vdso.c 2011-05-19 00:06:34.000000000 -0400
+++ linux-2.6.39.1/arch/powerpc/kernel/vdso.c 2011-05-22 19:36:30.000000000 -0400
@@ -5999,8 +6094,17 @@ diff -urNp linux-2.6.39.1/arch/sparc/kernel/sys_sparc_64.c linux-2.6.39.1/arch/s
}
diff -urNp linux-2.6.39.1/arch/sparc/kernel/traps_32.c linux-2.6.39.1/arch/sparc/kernel/traps_32.c
--- linux-2.6.39.1/arch/sparc/kernel/traps_32.c 2011-05-19 00:06:34.000000000 -0400
-+++ linux-2.6.39.1/arch/sparc/kernel/traps_32.c 2011-05-22 19:41:32.000000000 -0400
-@@ -76,7 +76,7 @@ void die_if_kernel(char *str, struct pt_
++++ linux-2.6.39.1/arch/sparc/kernel/traps_32.c 2011-06-13 21:29:23.000000000 -0400
+@@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo
+ #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
+ #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
+
++extern void gr_handle_kernel_exploit(void);
++
+ void die_if_kernel(char *str, struct pt_regs *regs)
+ {
+ static int die_counter;
+@@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_
count++ < 30 &&
(((unsigned long) rw) >= PAGE_OFFSET) &&
!(((unsigned long) rw) & 0x7)) {
@@ -6009,9 +6113,20 @@ diff -urNp linux-2.6.39.1/arch/sparc/kernel/traps_32.c linux-2.6.39.1/arch/sparc
(void *) rw->ins[7]);
rw = (struct reg_window32 *)rw->ins[6];
}
+ }
+ printk("Instruction DUMP:");
+ instruction_dump ((unsigned long *) regs->pc);
+- if(regs->psr & PSR_PS)
++ if(regs->psr & PSR_PS) {
++ gr_handle_kernel_exploit();
+ do_exit(SIGKILL);
++ }
+ do_exit(SIGSEGV);
+ }
+
diff -urNp linux-2.6.39.1/arch/sparc/kernel/traps_64.c linux-2.6.39.1/arch/sparc/kernel/traps_64.c
--- linux-2.6.39.1/arch/sparc/kernel/traps_64.c 2011-05-19 00:06:34.000000000 -0400
-+++ linux-2.6.39.1/arch/sparc/kernel/traps_64.c 2011-05-22 19:41:32.000000000 -0400
++++ linux-2.6.39.1/arch/sparc/kernel/traps_64.c 2011-06-13 21:28:54.000000000 -0400
@@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
i + 1,
p->trapstack[i].tstate, p->trapstack[i].tpc,
@@ -6119,7 +6234,16 @@ diff -urNp linux-2.6.39.1/arch/sparc/kernel/traps_64.c linux-2.6.39.1/arch/sparc
graph++;
}
}
-@@ -2254,7 +2265,7 @@ void die_if_kernel(char *str, struct pt_
+@@ -2226,6 +2237,8 @@ static inline struct reg_window *kernel_
+ return (struct reg_window *) (fp + STACK_BIAS);
+ }
+
++extern void gr_handle_kernel_exploit(void);
++
+ void die_if_kernel(char *str, struct pt_regs *regs)
+ {
+ static int die_counter;
+@@ -2254,7 +2267,7 @@ void die_if_kernel(char *str, struct pt_
while (rw &&
count++ < 30 &&
kstack_valid(tp, (unsigned long) rw)) {
@@ -6128,6 +6252,18 @@ diff -urNp linux-2.6.39.1/arch/sparc/kernel/traps_64.c linux-2.6.39.1/arch/sparc
(void *) rw->ins[7]);
rw = kernel_stack_up(rw);
+@@ -2267,8 +2280,10 @@ void die_if_kernel(char *str, struct pt_
+ }
+ user_instruction_dump ((unsigned int __user *) regs->tpc);
+ }
+- if (regs->tstate & TSTATE_PRIV)
++ if (regs->tstate & TSTATE_PRIV) {
++ gr_handle_kernel_exploit();
+ do_exit(SIGKILL);
++ }
+ do_exit(SIGSEGV);
+ }
+ EXPORT_SYMBOL(die_if_kernel);
diff -urNp linux-2.6.39.1/arch/sparc/kernel/unaligned_64.c linux-2.6.39.1/arch/sparc/kernel/unaligned_64.c
--- linux-2.6.39.1/arch/sparc/kernel/unaligned_64.c 2011-05-19 00:06:34.000000000 -0400
+++ linux-2.6.39.1/arch/sparc/kernel/unaligned_64.c 2011-05-22 19:41:32.000000000 -0400
@@ -51282,8 +51418,8 @@ diff -urNp linux-2.6.39.1/grsecurity/gracl_alloc.c linux-2.6.39.1/grsecurity/gra
+}
diff -urNp linux-2.6.39.1/grsecurity/gracl.c linux-2.6.39.1/grsecurity/gracl.c
--- linux-2.6.39.1/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.39.1/grsecurity/gracl.c 2011-05-24 20:27:30.000000000 -0400
-@@ -0,0 +1,4103 @@
++++ linux-2.6.39.1/grsecurity/gracl.c 2011-06-11 16:26:18.000000000 -0400
+@@ -0,0 +1,4109 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -51368,7 +51504,8 @@ diff -urNp linux-2.6.39.1/grsecurity/gracl.c linux-2.6.39.1/grsecurity/gracl.c
+extern struct vfsmount *hugetlbfs_vfsmount;
+#endif
+
-+static struct acl_object_label *fakefs_obj;
++static struct acl_object_label *fakefs_obj_rw;
++static struct acl_object_label *fakefs_obj_rwx;
+
+extern int gr_init_uidset(void);
+extern void gr_free_uidset(void);
@@ -52112,10 +52249,15 @@ diff -urNp linux-2.6.39.1/grsecurity/gracl.c linux-2.6.39.1/grsecurity/gracl.c
+ printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root.dentry), real_root.dentry->d_inode->i_ino);
+#endif
+
-+ fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
-+ if (fakefs_obj == NULL)
++ fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
++ if (fakefs_obj_rw == NULL)
++ return 1;
++ fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
++
++ fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
++ if (fakefs_obj_rwx == NULL)
+ return 1;
-+ fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
++ fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
+
+ subj_map_set.s_hash =
+ (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
@@ -53124,7 +53266,7 @@ diff -urNp linux-2.6.39.1/grsecurity/gracl.c linux-2.6.39.1/grsecurity/gracl.c
+#endif
+ /* ignore Eric Biederman */
+ IS_PRIVATE(l_dentry->d_inode))) {
-+ retval = fakefs_obj;
++ retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
+ goto out;
+ }
+
@@ -59838,7 +59980,7 @@ diff -urNp linux-2.6.39.1/grsecurity/grsum.c linux-2.6.39.1/grsecurity/grsum.c
+}
diff -urNp linux-2.6.39.1/grsecurity/Kconfig linux-2.6.39.1/grsecurity/Kconfig
--- linux-2.6.39.1/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.39.1/grsecurity/Kconfig 2011-05-22 19:41:42.000000000 -0400
++++ linux-2.6.39.1/grsecurity/Kconfig 2011-06-13 21:34:34.000000000 -0400
@@ -0,0 +1,1045 @@
+#
+# grecurity configuration
@@ -59982,7 +60124,7 @@ diff -urNp linux-2.6.39.1/grsecurity/Kconfig linux-2.6.39.1/grsecurity/Kconfig
+ select GRKERNSEC_MODHARDEN if (MODULES)
+ select GRKERNSEC_HARDEN_PTRACE
+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_KERN_LOCKOUT if (X86)
++ select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC32 || SPARC64)
+ select PAX
+ select PAX_RANDUSTACK
+ select PAX_ASLR
@@ -60182,7 +60324,7 @@ diff -urNp linux-2.6.39.1/grsecurity/Kconfig linux-2.6.39.1/grsecurity/Kconfig
+
+config GRKERNSEC_KERN_LOCKOUT
+ bool "Active kernel exploit response"
-+ depends on X86
++ depends on X86 || ARM || PPC || SPARC32 || SPARC64
+ help
+ If you say Y here, when a PaX alert is triggered due to suspicious
+ activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
@@ -62590,8 +62732,8 @@ diff -urNp linux-2.6.39.1/include/linux/gralloc.h linux-2.6.39.1/include/linux/g
+#endif
diff -urNp linux-2.6.39.1/include/linux/grdefs.h linux-2.6.39.1/include/linux/grdefs.h
--- linux-2.6.39.1/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.39.1/include/linux/grdefs.h 2011-05-22 19:41:42.000000000 -0400
-@@ -0,0 +1,139 @@
++++ linux-2.6.39.1/include/linux/grdefs.h 2011-06-11 16:24:51.000000000 -0400
+@@ -0,0 +1,140 @@
+#ifndef GRDEFS_H
+#define GRDEFS_H
+
@@ -62681,7 +62823,8 @@ diff -urNp linux-2.6.39.1/include/linux/grdefs.h linux-2.6.39.1/include/linux/gr
+ GR_PROCFIND = 0x00008000,
+ GR_POVERRIDE = 0x00010000,
+ GR_KERNELAUTH = 0x00020000,
-+ GR_ATSECURE = 0x00040000
++ GR_ATSECURE = 0x00040000,
++ GR_SHMEXEC = 0x00080000
+};
+
+enum {
@@ -67640,6 +67783,19 @@ diff -urNp linux-2.6.39.1/kernel/hrtimer.c linux-2.6.39.1/kernel/hrtimer.c
{
hrtimer_peek_ahead_timers();
}
+diff -urNp linux-2.6.39.1/kernel/irq/manage.c linux-2.6.39.1/kernel/irq/manage.c
+--- linux-2.6.39.1/kernel/irq/manage.c 2011-05-19 00:06:34.000000000 -0400
++++ linux-2.6.39.1/kernel/irq/manage.c 2011-06-13 17:09:06.000000000 -0400
+@@ -491,6 +491,9 @@ int irq_set_irq_wake(unsigned int irq, u
+ struct irq_desc *desc = irq_get_desc_buslock(irq, &flags);
+ int ret = 0;
+
++ if (!desc)
++ return -EINVAL;
++
+ /* wakeup-capable irqs can be shared between drivers that
+ * don't need to have the same sleep mode behaviors.
+ */
diff -urNp linux-2.6.39.1/kernel/jump_label.c linux-2.6.39.1/kernel/jump_label.c
--- linux-2.6.39.1/kernel/jump_label.c 2011-05-19 00:06:34.000000000 -0400
+++ linux-2.6.39.1/kernel/jump_label.c 2011-05-22 19:36:33.000000000 -0400
@@ -75604,6 +75760,28 @@ diff -urNp linux-2.6.39.1/net/batman-adv/unicast.c linux-2.6.39.1/net/batman-adv
frag1->seqno = htons(seqno - 1);
frag2->seqno = htons(seqno);
+diff -urNp linux-2.6.39.1/net/bluetooth/l2cap_sock.c linux-2.6.39.1/net/bluetooth/l2cap_sock.c
+--- linux-2.6.39.1/net/bluetooth/l2cap_sock.c 2011-05-19 00:06:34.000000000 -0400
++++ linux-2.6.39.1/net/bluetooth/l2cap_sock.c 2011-06-12 06:36:08.000000000 -0400
+@@ -446,6 +446,7 @@ static int l2cap_sock_getsockopt_old(str
+ break;
+ }
+
++ memset(&cinfo, 0, sizeof(cinfo));
+ cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
+
+diff -urNp linux-2.6.39.1/net/bluetooth/rfcomm/sock.c linux-2.6.39.1/net/bluetooth/rfcomm/sock.c
+--- linux-2.6.39.1/net/bluetooth/rfcomm/sock.c 2011-05-19 00:06:34.000000000 -0400
++++ linux-2.6.39.1/net/bluetooth/rfcomm/sock.c 2011-06-12 06:36:42.000000000 -0400
+@@ -787,6 +787,7 @@ static int rfcomm_sock_getsockopt_old(st
+
+ l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
+
++ memset(&cinfo, 0, sizeof(cinfo));
+ cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
+
diff -urNp linux-2.6.39.1/net/bridge/br_multicast.c linux-2.6.39.1/net/bridge/br_multicast.c
--- linux-2.6.39.1/net/bridge/br_multicast.c 2011-05-19 00:06:34.000000000 -0400
+++ linux-2.6.39.1/net/bridge/br_multicast.c 2011-05-22 19:36:33.000000000 -0400