author | 2011-06-29 10:37:32 -0400 | |
---|---|---|
committer | 2011-06-29 10:37:43 -0400 | |
commit | 7013e899f6294835d95a1c3e309412c990bad2aa (patch) | |
tree | ea974b12f1218046c7e3c3658ef426f8338b8860 | |
parent | Update Grsec/PaX (diff) | |
Update Grsec/PaX and address bug #366019

20110628
2.2.2-2.6.32.42-201106281648
2.2.2-2.6.39.2-201106281648
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106281648.patch (renamed from 2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106251302.patch) | 32 | ||||
-rw-r--r-- | 2.6.32/4437-grsec-kconfig-proc-user.patch | 26 | ||||
-rw-r--r-- | 2.6.39/0000_README | 2 | ||||
-rw-r--r-- | 2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106281648.patch (renamed from 2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106251302.patch) | 33 | ||||
-rw-r--r-- | 2.6.39/4437-grsec-kconfig-proc-user.patch | 26 |
6 files changed, 76 insertions, 45 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index 35d3570..03320de 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -3,7 +3,7 @@ README Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.2.2-2.6.32.42-201106251302.patch +Patch: 4420_grsecurity-2.2.2-2.6.32.42-201106281648.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106251302.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106281648.patch index 12c6656..d0d2a83 100644 --- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106251302.patch +++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.42-201106281648.patch @@ -27407,27 +27407,6 @@ diff -urNp linux-2.6.32.42/drivers/char/vt_ioctl.c linux-2.6.32.42/drivers/char/ if (!perm) { ret = -EPERM; goto reterr; -diff -urNp linux-2.6.32.42/drivers/connector/Kconfig linux-2.6.32.42/drivers/connector/Kconfig ---- linux-2.6.32.42/drivers/connector/Kconfig 2011-03-27 14:31:47.000000000 -0400 -+++ linux-2.6.32.42/drivers/connector/Kconfig 2011-06-20 17:54:56.000000000 -0400 -@@ -1,7 +1,7 @@ - - menuconfig CONNECTOR - tristate "Connector - unified userspace <-> kernelspace linker" -- depends on NET -+ depends on NET && !GRKERNSEC - ---help--- - This is unified userspace <-> kernelspace connector working on top - of the netlink socket protocol. -@@ -13,7 +13,7 @@ if CONNECTOR - - config PROC_EVENTS - boolean "Report process events to userspace" -- depends on CONNECTOR=y -+ depends on CONNECTOR=y && !GRKERNSEC - default y - ---help--- - Provide a connector that reports process events to userspace. Send diff -urNp linux-2.6.32.42/drivers/cpufreq/cpufreq.c linux-2.6.32.42/drivers/cpufreq/cpufreq.c --- linux-2.6.32.42/drivers/cpufreq/cpufreq.c 2011-06-25 12:55:34.000000000 -0400 +++ linux-2.6.32.42/drivers/cpufreq/cpufreq.c 2011-06-25 12:56:37.000000000 -0400 
@@ -67135,7 +67114,7 @@ diff -urNp linux-2.6.32.42/net/atm/resources.c linux-2.6.32.42/net/atm/resources } diff -urNp linux-2.6.32.42/net/bluetooth/l2cap.c linux-2.6.32.42/net/bluetooth/l2cap.c --- linux-2.6.32.42/net/bluetooth/l2cap.c 2011-03-27 14:31:47.000000000 -0400 -+++ linux-2.6.32.42/net/bluetooth/l2cap.c 2011-06-12 06:34:08.000000000 -0400 ++++ linux-2.6.32.42/net/bluetooth/l2cap.c 2011-06-25 14:36:21.000000000 -0400 @@ -1885,7 +1885,7 @@ static int l2cap_sock_getsockopt_old(str err = -ENOTCONN; break; @@ -67145,6 +67124,15 @@ diff -urNp linux-2.6.32.42/net/bluetooth/l2cap.c linux-2.6.32.42/net/bluetooth/l cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle; memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3); +@@ -2719,7 +2719,7 @@ static inline int l2cap_config_req(struc + + /* Reject if config buffer is too small. */ + len = cmd_len - sizeof(*req); +- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) { ++ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) { + l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, + l2cap_build_conf_rsp(sk, rsp, + L2CAP_CONF_REJECT, flags), rsp); diff -urNp linux-2.6.32.42/net/bluetooth/rfcomm/sock.c linux-2.6.32.42/net/bluetooth/rfcomm/sock.c --- linux-2.6.32.42/net/bluetooth/rfcomm/sock.c 2011-03-27 14:31:47.000000000 -0400 +++ linux-2.6.32.42/net/bluetooth/rfcomm/sock.c 2011-06-12 06:35:00.000000000 -0400 diff --git a/2.6.32/4437-grsec-kconfig-proc-user.patch b/2.6.32/4437-grsec-kconfig-proc-user.patch new file mode 100644 index 0000000..de044fb --- /dev/null +++ b/2.6.32/4437-grsec-kconfig-proc-user.patch 
@@ -0,0 +1,26 @@ +From: Anthony G. Basile <blueness@gentoo.org> + +Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP +in a different way to avoid bug #366019. This patch should eventually go upstream. + +diff -Naur linux-2.6.32-hardened-r54.orig//grsecurity/Kconfig linux-2.6.32-hardened-r54/grsecurity/Kconfig +--- a/grsecurity/Kconfig 2011-06-29 07:46:02.000000000 -0400 ++++ b/grsecurity/Kconfig 2011-06-29 07:47:20.000000000 -0400 +@@ -670,7 +670,7 @@ + + config GRKERNSEC_PROC_USER + bool "Restrict /proc to user only" +- depends on GRKERNSEC_PROC ++ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP + help + If you say Y here, non-root users will only be able to view their own + processes, and restricts them from viewing network-related information, +@@ -678,7 +678,7 @@ + + config GRKERNSEC_PROC_USERGROUP + bool "Allow special group" +- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER ++ depends on GRKERNSEC_PROC + help + If you say Y here, you will be able to select a group that will be + able to view all processes and network-related information. If you've diff --git a/2.6.39/0000_README b/2.6.39/0000_README index 339b393..b6b1a96 100644 --- a/2.6.39/0000_README +++ b/2.6.39/0000_README @@ -3,7 +3,7 @@ README Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.2.2-2.6.39.2-201106251302.patch +Patch: 4420_grsecurity-2.2.2-2.6.39.2-201106281648.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106251302.patch b/2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106281648.patch index 9451ea7..8495f8b 100644 --- a/2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106251302.patch +++ b/2.6.39/4420_grsecurity-2.2.2-2.6.39.2-201106281648.patch 
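Review bot: The newly added 2.6.32/4437-grsec-kconfig-proc-user.patch is not described in 2.6.32/0000_README, whose only hunk in this commit renames the 4420 entry, yet that "Individual Patch Descriptions" list is where readers of the patchset learn what each numbered patch does and why it is carried. An entry in the existing three-line format would close the gap, e.g. `Patch: 4437-grsec-kconfig-proc-user.patch` / `From: Anthony G. Basile <blueness@gentoo.org>` / `Desc: Express the GRKERNSEC_PROC_USER / GRKERNSEC_PROC_USERGROUP exclusion on the PROC_USER side (bug #366019)`. The same omission applies to 2.6.39/0000_README and the identical 2.6.39/4437 patch. Separately, the hunk moves the `!` dependency from GRKERNSEC_PROC_USERGROUP to GRKERNSEC_PROC_USER, but the help text of GRKERNSEC_PROC_USERGROUP is cut off in the hunk after "If you've" and may still describe the old direction — it is worth confirming that text is not left stale.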
@@ -28599,27 +28599,6 @@ diff -urNp linux-2.6.39.2/drivers/char/xilinx_hwicap/xilinx_hwicap.c linux-2.6.3 .get_configuration = fifo_icap_get_configuration, .set_configuration = fifo_icap_set_configuration, .get_status = fifo_icap_get_status, -diff -urNp linux-2.6.39.2/drivers/connector/Kconfig linux-2.6.39.2/drivers/connector/Kconfig ---- linux-2.6.39.2/drivers/connector/Kconfig 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.2/drivers/connector/Kconfig 2011-06-20 17:54:16.000000000 -0400 -@@ -1,7 +1,7 @@ - - menuconfig CONNECTOR - tristate "Connector - unified userspace <-> kernelspace linker" -- depends on NET -+ depends on NET && !GRKERNSEC - ---help--- - This is unified userspace <-> kernelspace connector working on top - of the netlink socket protocol. -@@ -13,7 +13,7 @@ if CONNECTOR - - config PROC_EVENTS - boolean "Report process events to userspace" -- depends on CONNECTOR=y -+ depends on CONNECTOR=y && !GRKERNSEC - default y - ---help--- - Provide a connector that reports process events to userspace. Send diff -urNp linux-2.6.39.2/drivers/crypto/hifn_795x.c linux-2.6.39.2/drivers/crypto/hifn_795x.c --- linux-2.6.39.2/drivers/crypto/hifn_795x.c 2011-05-19 00:06:34.000000000 -0400 +++ linux-2.6.39.2/drivers/crypto/hifn_795x.c 2011-05-22 19:36:31.000000000 -0400 
@@ -75786,6 +75765,18 @@ diff -urNp linux-2.6.39.2/net/batman-adv/unicast.c linux-2.6.39.2/net/batman-adv frag1->seqno = htons(seqno - 1); frag2->seqno = htons(seqno); +diff -urNp linux-2.6.39.2/net/bluetooth/l2cap_core.c linux-2.6.39.2/net/bluetooth/l2cap_core.c +--- linux-2.6.39.2/net/bluetooth/l2cap_core.c 2011-05-19 00:06:34.000000000 -0400 ++++ linux-2.6.39.2/net/bluetooth/l2cap_core.c 2011-06-25 14:32:21.000000000 -0400 +@@ -2202,7 +2202,7 @@ static inline int l2cap_config_req(struc + + /* Reject if config buffer is too small. */ + len = cmd_len - sizeof(*req); +- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) { ++ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) { + l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, + l2cap_build_conf_rsp(sk, rsp, + L2CAP_CONF_REJECT, flags), rsp); diff -urNp linux-2.6.39.2/net/bluetooth/l2cap_sock.c linux-2.6.39.2/net/bluetooth/l2cap_sock.c --- linux-2.6.39.2/net/bluetooth/l2cap_sock.c 2011-05-19 00:06:34.000000000 -0400 +++ linux-2.6.39.2/net/bluetooth/l2cap_sock.c 2011-06-12 06:36:08.000000000 -0400 diff --git a/2.6.39/4437-grsec-kconfig-proc-user.patch b/2.6.39/4437-grsec-kconfig-proc-user.patch new file mode 100644 index 0000000..372507c --- /dev/null +++ b/2.6.39/4437-grsec-kconfig-proc-user.patch 
@@ -0,0 +1,26 @@ +From: Anthony G. Basile <blueness@gentoo.org> + +Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP +in a different way to avoid bug #366019. This patch should eventually go upstream. + +diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-hardened-r4/grsecurity/Kconfig +--- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400 ++++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400 +@@ -670,7 +670,7 @@ + + config GRKERNSEC_PROC_USER + bool "Restrict /proc to user only" +- depends on GRKERNSEC_PROC ++ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP + help + If you say Y here, non-root users will only be able to view their own + processes, and restricts them from viewing network-related information, +@@ -678,7 +678,7 @@ + + config GRKERNSEC_PROC_USERGROUP + bool "Allow special group" +- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER ++ depends on GRKERNSEC_PROC + help + If you say Y here, you will be able to select a group that will be + able to view all processes and network-related information. If you've |