summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTim Yamin <plasmaroo@gentoo.org>2004-12-20 22:09:18 +0000
committerTim Yamin <plasmaroo@gentoo.org>2004-12-20 22:09:18 +0000
commit9df4adc5118bd3ac1a85da8fc629bb6fe11d7ee9 (patch)
tree908a6107eec8687182ebef4b106bb310ab0c04d0
parentDEPEND fix closes #74959. (Manifest recommit) (diff)
downloadgentoo-2-9df4adc5118bd3ac1a85da8fc629bb6fe11d7ee9.tar.gz
gentoo-2-9df4adc5118bd3ac1a85da8fc629bb6fe11d7ee9.tar.bz2
gentoo-2-9df4adc5118bd3ac1a85da8fc629bb6fe11d7ee9.zip
Security fixes - bugs #74384, #74392, #74464, #74465.
-rw-r--r--sys-kernel/win4lin-sources/ChangeLog12
-rw-r--r--sys-kernel/win4lin-sources/files/digest-win4lin-sources-2.6.9-r5 (renamed from sys-kernel/win4lin-sources/files/digest-win4lin-sources-2.6.9-r4)0
-rw-r--r--sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.CAN-2004-1016.patch75
-rw-r--r--sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.CAN-2004-1056.patch268
-rw-r--r--sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.CAN-2004-1137.patch77
-rw-r--r--sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.shmLocking.patch56
-rw-r--r--sys-kernel/win4lin-sources/win4lin-sources-2.6.9-r5.ebuild (renamed from sys-kernel/win4lin-sources/win4lin-sources-2.6.9-r4.ebuild)9
7 files changed, 494 insertions, 3 deletions
diff --git a/sys-kernel/win4lin-sources/ChangeLog b/sys-kernel/win4lin-sources/ChangeLog
index b2e78ccc17ed..1f6c6f06b537 100644
--- a/sys-kernel/win4lin-sources/ChangeLog
+++ b/sys-kernel/win4lin-sources/ChangeLog
@@ -1,6 +1,16 @@
# ChangeLog for sys-kernel/win4lin-sources
# Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/win4lin-sources/ChangeLog,v 1.46 2004/12/19 20:27:50 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/win4lin-sources/ChangeLog,v 1.47 2004/12/20 22:09:18 plasmaroo Exp $
+
+*win4lin-sources-2.6.9-r5 (20 Dec 2004)
+
+ 20 Dec 2004; <plasmaroo@gentoo.org> -win4lin-sources-2.6.9-r4.ebuild,
+ +win4lin-sources-2.6.9-r5.ebuild,
+ +files/win4lin-sources-2.6.9.CAN-2004-1016.patch,
+ +files/win4lin-sources-2.6.9.CAN-2004-1056.patch,
+ +files/win4lin-sources-2.6.9.CAN-2004-1137.patch,
+ +files/win4lin-sources-2.6.9.shmLocking.patch:
+ Security fixes - bugs #74384, #74392, #74464, #74465.
*win4lin-sources-2.6.9-r4 (19 Dec 2004)
diff --git a/sys-kernel/win4lin-sources/files/digest-win4lin-sources-2.6.9-r4 b/sys-kernel/win4lin-sources/files/digest-win4lin-sources-2.6.9-r5
index 12075686996a..12075686996a 100644
--- a/sys-kernel/win4lin-sources/files/digest-win4lin-sources-2.6.9-r4
+++ b/sys-kernel/win4lin-sources/files/digest-win4lin-sources-2.6.9-r5
diff --git a/sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.CAN-2004-1016.patch b/sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.CAN-2004-1016.patch
new file mode 100644
index 000000000000..aa25ac95ed61
--- /dev/null
+++ b/sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.CAN-2004-1016.patch
@@ -0,0 +1,75 @@
+===== include/linux/socket.h 1.12 vs edited =====
+--- 1.12/include/linux/socket.h 2004-09-09 06:40:01 +10:00
++++ edited/include/linux/socket.h 2004-11-27 11:53:40 +11:00
+@@ -90,6 +90,10 @@
+ (struct cmsghdr *)(ctl) : \
+ (struct cmsghdr *)NULL)
+ #define CMSG_FIRSTHDR(msg) __CMSG_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
++#define CMSG_OK(mhdr, cmsg) ((cmsg)->cmsg_len >= sizeof(struct cmsghdr) && \
++ (cmsg)->cmsg_len <= (unsigned long) \
++ ((mhdr)->msg_controllen - \
++ ((char *)(cmsg) - (char *)(mhdr)->msg_control)))
+
+ /*
+ * This mess will go away with glibc
+===== net/core/scm.c 1.10 vs edited =====
+--- 1.10/net/core/scm.c 2004-05-31 05:08:14 +10:00
++++ edited/net/core/scm.c 2004-11-27 11:48:55 +11:00
+@@ -127,9 +127,7 @@
+ for too short ancillary data object at all! Oops.
+ OK, let's add it...
+ */
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen)
++ if (!CMSG_OK(msg, cmsg))
+ goto error;
+
+ if (cmsg->cmsg_level != SOL_SOCKET)
+===== net/ipv4/ip_sockglue.c 1.26 vs edited =====
+--- 1.26/net/ipv4/ip_sockglue.c 2004-07-01 06:10:53 +10:00
++++ edited/net/ipv4/ip_sockglue.c 2004-11-27 11:49:45 +11:00
+@@ -146,11 +146,8 @@
+ struct cmsghdr *cmsg;
+
+ for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg))
+ return -EINVAL;
+- }
+ if (cmsg->cmsg_level != SOL_IP)
+ continue;
+ switch (cmsg->cmsg_type) {
+===== net/ipv6/datagram.c 1.20 vs edited =====
+--- 1.20/net/ipv6/datagram.c 2004-11-10 17:57:03 +11:00
++++ edited/net/ipv6/datagram.c 2004-11-27 11:51:15 +11:00
+@@ -427,9 +427,7 @@
+ int addr_type;
+ struct net_device *dev = NULL;
+
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg)) {
+ err = -EINVAL;
+ goto exit_f;
+ }
+===== net/sctp/socket.c 1.129 vs edited =====
+--- 1.129/net/sctp/socket.c 2004-11-19 08:43:18 +11:00
++++ edited/net/sctp/socket.c 2004-11-27 11:52:11 +11:00
+@@ -4098,12 +4098,8 @@
+ for (cmsg = CMSG_FIRSTHDR(msg);
+ cmsg != NULL;
+ cmsg = CMSG_NXTHDR((struct msghdr*)msg, cmsg)) {
+- /* Check for minimum length. The SCM code has this check. */
+- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+- + cmsg->cmsg_len) > msg->msg_controllen) {
++ if (!CMSG_OK(msg, cmsg))
+ return -EINVAL;
+- }
+
+ /* Should we parse this header or ignore? */
+ if (cmsg->cmsg_level != IPPROTO_SCTP)
diff --git a/sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.CAN-2004-1056.patch b/sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.CAN-2004-1056.patch
new file mode 100644
index 000000000000..cd8d7af324c2
--- /dev/null
+++ b/sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.CAN-2004-1056.patch
@@ -0,0 +1,268 @@
+diff -ur linux-2.6.9/drivers/char/drm/i810_dma.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i810_dma.c
+--- linux-2.6.9/drivers/char/drm/i810_dma.c 2004-10-18 22:53:46.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i810_dma.c 2004-12-19 22:46:33.317446112 +0000
+@@ -1030,10 +1030,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i810_flush_queue(dev);
+ return 0;
+@@ -1055,10 +1052,7 @@
+ if (copy_from_user(&vertex, (drm_i810_vertex_t __user *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
+ vertex.idx, vertex.used, vertex.discard);
+@@ -1090,10 +1084,7 @@
+ if (copy_from_user(&clear, (drm_i810_clear_t __user *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ /* GH: Someone's doing nasty things... */
+ if (!dev->dev_private) {
+@@ -1114,10 +1105,8 @@
+
+ DRM_DEBUG("i810_swap_bufs\n");
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i810_dma_dispatch_swap( dev );
+ return 0;
+@@ -1152,10 +1141,7 @@
+ if (copy_from_user(&d, (drm_i810_dma_t __user *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ d.granted = 0;
+
+@@ -1266,10 +1252,7 @@
+ return -EFAULT;
+
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_mc called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (mc.idx >= dma->buf_count || mc.idx < 0)
+ return -EINVAL;
+@@ -1317,10 +1300,7 @@
+ drm_device_t *dev = priv->dev;
+ drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_fstatus called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+ return I810_READ(0x30008);
+ }
+
+@@ -1331,10 +1311,7 @@
+ drm_device_t *dev = priv->dev;
+ drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_ov0_flip called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ //Tell the overlay to update
+ I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000);
+@@ -1376,10 +1353,7 @@
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_flip_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (!dev_priv->page_flipping)
+ i810_do_init_pageflip( dev );
+diff -ur linux-2.6.9/drivers/char/drm/i830_dma.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_dma.c
+--- linux-2.6.9/drivers/char/drm/i830_dma.c 2004-10-18 22:53:12.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_dma.c 2004-12-19 22:46:33.319445808 +0000
+@@ -1319,10 +1319,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i830_flush_queue(dev);
+ return 0;
+@@ -1343,10 +1340,7 @@
+ if (copy_from_user(&vertex, (drm_i830_vertex_t __user *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n",
+ vertex.idx, vertex.used, vertex.discard);
+@@ -1373,10 +1367,7 @@
+ if (copy_from_user(&clear, (drm_i830_clear_t __user *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ /* GH: Someone's doing nasty things... */
+ if (!dev->dev_private) {
+@@ -1398,10 +1389,7 @@
+
+ DRM_DEBUG("i830_swap_bufs\n");
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i830_dma_dispatch_swap( dev );
+ return 0;
+@@ -1442,10 +1430,7 @@
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_flip_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (!dev_priv->page_flipping)
+ i830_do_init_pageflip( dev );
+@@ -1484,10 +1469,7 @@
+ if (copy_from_user(&d, (drm_i830_dma_t __user *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ d.granted = 0;
+
+diff -ur linux-2.6.9/drivers/char/drm/i830_irq.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_irq.c
+--- linux-2.6.9/drivers/char/drm/i830_irq.c 2004-10-18 22:54:54.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i830_irq.c 2004-12-19 22:46:33.320445656 +0000
+@@ -129,10 +129,7 @@
+ drm_i830_irq_emit_t emit;
+ int result;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_irq_emit called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if ( !dev_priv ) {
+ DRM_ERROR( "%s called with no initialization\n", __FUNCTION__ );
+diff -ur linux-2.6.9/drivers/char/drm/i915_dma.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_dma.c
+--- linux-2.6.9/drivers/char/drm/i915_dma.c 2004-10-18 22:53:51.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_dma.c 2004-12-19 22:46:33.321445504 +0000
+@@ -545,10 +545,7 @@
+ {
+ DRM_DEVICE;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_flush_ioctl called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ return i915_quiescent(dev);
+ }
+@@ -574,10 +571,7 @@
+ DRM_DEBUG("i915 batchbuffer, start %x used %d cliprects %d\n",
+ batch.start, batch.used, batch.num_cliprects);
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_batchbuffer called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (batch.num_cliprects && DRM_VERIFYAREA_READ(batch.cliprects,
+ batch.num_cliprects *
+@@ -606,10 +600,7 @@
+ DRM_DEBUG("i915 cmdbuffer, buf %p sz %d cliprects %d\n",
+ cmdbuf.buf, cmdbuf.sz, cmdbuf.num_cliprects);
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_cmdbuffer called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (cmdbuf.num_cliprects &&
+ DRM_VERIFYAREA_READ(cmdbuf.cliprects,
+@@ -645,10 +636,7 @@
+ DRM_DEVICE;
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_flip_buf called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ return i915_dispatch_flip(dev);
+ }
+diff -ur linux-2.6.9/drivers/char/drm/i915_irq.c linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_irq.c
+--- linux-2.6.9/drivers/char/drm/i915_irq.c 2004-10-18 22:53:51.000000000 +0100
++++ linux-2.6.9.drm.plasmaroo/drivers/char/drm/i915_irq.c 2004-12-19 22:46:33.321445504 +0000
+@@ -92,10 +92,7 @@
+ drm_i915_irq_emit_t emit;
+ int result;
+
+- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i915_irq_emit called without lock held\n");
+- return DRM_ERR(EINVAL);
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (!dev_priv) {
+ DRM_ERROR("%s called with no initialization\n", __FUNCTION__);
diff --git a/sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.CAN-2004-1137.patch b/sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.CAN-2004-1137.patch
new file mode 100644
index 000000000000..0a54680f6f4b
--- /dev/null
+++ b/sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.CAN-2004-1137.patch
@@ -0,0 +1,77 @@
+# ChangeSet
+# 2004/12/14 11:06:25-08:00 chrisw@osdl.org
+# [IPV4/IPV6]: IGMP source filter fixes
+#
+# When adding or deleting from the source list make sure to find matches
+# by comparing against the new source address, not the group address.
+# Also, check each addr in the list rather than just the first one.
+# And, finally, only delete from list when there's a match rather than
+# vice-versa. Drop the effort to keep list sorted, since it's not done
+# on full-state api and can create an sl_addr entry that the delta api
+# won't be able to delete. Without these fixes sl_count can be corrupted
+# which can allow for kernel memory corruption.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+# Signed-off-by: David S. Miller <davem@davemloft.net>
+#
+diff -Nru a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+--- a/net/ipv4/igmp.c 2004-12-20 11:32:15 -08:00
++++ b/net/ipv4/igmp.c 2004-12-20 11:32:15 -08:00
+@@ -1778,12 +1778,12 @@
+ goto done;
+ rv = !0;
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
++ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
+ sizeof(__u32));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+- if (!rv) /* source not found */
++ if (rv) /* source not found */
+ goto done;
+
+ /* update the interface filter */
+@@ -1825,9 +1825,9 @@
+ }
+ rv = 1; /* > 0 for insert logic below if sl_count is 0 */
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
++ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
+ sizeof(__u32));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+ if (rv == 0) /* address already there is an error */
+diff -Nru a/net/ipv6/mcast.c b/net/ipv6/mcast.c
+--- a/net/ipv6/mcast.c 2004-12-20 11:32:15 -08:00
++++ b/net/ipv6/mcast.c 2004-12-20 11:32:15 -08:00
+@@ -391,12 +391,12 @@
+ goto done;
+ rv = !0;
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, group,
++ rv = memcmp(&psl->sl_addr[i], source,
+ sizeof(struct in6_addr));
+- if (rv >= 0)
++ if (rv == 0)
+ break;
+ }
+- if (!rv) /* source not found */
++ if (rv) /* source not found */
+ goto done;
+
+ /* update the interface filter */
+@@ -437,8 +437,8 @@
+ }
+ rv = 1; /* > 0 for insert logic below if sl_count is 0 */
+ for (i=0; i<psl->sl_count; i++) {
+- rv = memcmp(&psl->sl_addr, group, sizeof(struct in6_addr));
+- if (rv >= 0)
++ rv = memcmp(&psl->sl_addr[i], source, sizeof(struct in6_addr));
++ if (rv == 0)
+ break;
+ }
+ if (rv == 0) /* address already there is an error */
diff --git a/sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.shmLocking.patch b/sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.shmLocking.patch
new file mode 100644
index 000000000000..dba7c9ca796f
--- /dev/null
+++ b/sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.shmLocking.patch
@@ -0,0 +1,56 @@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/12/13 08:30:17-08:00 hugh@veritas.com
+# [PATCH] shmctl SHM_LOCK perms
+#
+# Michael Kerrisk has observed that at present any process can SHM_LOCK any
+# shm segment of size within process RLIMIT_MEMLOCK, despite having no
+# permissions on the segment: surprising, though not obviously evil. And any
+# process can SHM_UNLOCK any shm segment, despite no permissions on it: that
+# is surely wrong.
+#
+# Unless CAP_IPC_LOCK, restrict both SHM_LOCK and SHM_UNLOCK to when the
+# process euid matches the shm owner or creator: that seems the least
+# surprising behaviour, which could be relaxed if a need appears later.
+#
+# Signed-off-by: Hugh Dickins <hugh@veritas.com>
+# Signed-off-by: Andrew Morton <akpm@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# ipc/shm.c
+# 2004/12/13 02:47:27-08:00 hugh@veritas.com +10 -5
+# shmctl SHM_LOCK perms
+#
+diff -Nru a/ipc/shm.c b/ipc/shm.c
+--- a/ipc/shm.c 2004-12-20 10:32:59 -08:00
++++ b/ipc/shm.c 2004-12-20 10:32:59 -08:00
+@@ -511,11 +511,6 @@
+ case SHM_LOCK:
+ case SHM_UNLOCK:
+ {
+- /* Allow superuser to lock segment in memory */
+- if (!can_do_mlock() && cmd == SHM_LOCK) {
+- err = -EPERM;
+- goto out;
+- }
+ shp = shm_lock(shmid);
+ if(shp==NULL) {
+ err = -EINVAL;
+@@ -524,6 +519,16 @@
+ err = shm_checkid(shp,shmid);
+ if(err)
+ goto out_unlock;
++
++ if (!capable(CAP_IPC_LOCK)) {
++ err = -EPERM;
++ if (current->euid != shp->shm_perm.uid &&
++ current->euid != shp->shm_perm.cuid)
++ goto out_unlock;
++ if (cmd == SHM_LOCK &&
++ !current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur)
++ goto out_unlock;
++ }
+
+ err = security_shm_shmctl(shp, cmd);
+ if (err)
diff --git a/sys-kernel/win4lin-sources/win4lin-sources-2.6.9-r4.ebuild b/sys-kernel/win4lin-sources/win4lin-sources-2.6.9-r5.ebuild
index a552cde4b666..351912842197 100644
--- a/sys-kernel/win4lin-sources/win4lin-sources-2.6.9-r4.ebuild
+++ b/sys-kernel/win4lin-sources/win4lin-sources-2.6.9-r5.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/win4lin-sources/win4lin-sources-2.6.9-r4.ebuild,v 1.1 2004/12/19 20:27:50 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/win4lin-sources/win4lin-sources-2.6.9-r5.ebuild,v 1.1 2004/12/20 22:09:18 plasmaroo Exp $
ETYPE="sources"
inherit kernel-2
@@ -16,7 +16,12 @@ UNIPATCH_LIST="
${FILESDIR}/${P}.AF_UNIX.patch
${FILESDIR}/${P}.AF_UNIX.SELinux.patch
${FILESDIR}/${P}.CAN-2004-1151.patch
- ${FILESDIR}/${P}.vma.patch"
+ ${FILESDIR}/${P}.vma.patch
+ ${FILESDIR}/${P}.CAN-2004-1016.patch
+ ${FILESDIR}/${P}.CAN-2004-1056.patch
+ ${FILESDIR}/${P}.CAN-2004-1137.patch
+ ${FILESDIR}/${P}.CAN-2004-1151.patch
+ ${FILESDIR}/${P}.shmLocking.patch"
S=${WORKDIR}/linux-${KV}