Grsec/PaX: 2.9.1-{2.6.32.59,3.2.27,3.5.2}-20120815195120120815

author: Anthony G. Basile <blueness@gentoo.org> 2012-08-18 09:03:46 -0400
committer: Anthony G. Basile <blueness@gentoo.org> 2012-08-18 09:03:46 -0400
commit: 4f1c87dabdf07e6f285b3c3f99d46007b78e942a (patch)
tree: 69a9e85da54801e7f17e0db9295bc60f7e5b951f
parent: Grsec/PaX: 2.9.1-{2.6.32.59,3.2.27,3.5.1}-201208132030 (diff)
download: hardened-patchset-4f1c87dabdf07e6f285b3c3f99d46007b78e942a.tar.gz
hardened-patchset-4f1c87dabdf07e6f285b3c3f99d46007b78e942a.tar.bz2
hardened-patchset-4f1c87dabdf07e6f285b3c3f99d46007b78e942a.zip
12 files changed, 180 insertions, 136 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index df11424..1250ead 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -30,7 +30,7 @@ Patch:	1058_linux-2.6.32.59.patch
 From:	http://www.kernel.org
 Desc:	Linux 2.6.32.59
 
-Patch:	4420_grsecurity-2.9.1-2.6.32.59-201208132029.patch
+Patch:	4420_grsecurity-2.9.1-2.6.32.59-201208151950.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208132029.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208151950.patch
index 1d2b332..ad50ae4 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208132029.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208151950.patch
@@ -69106,7 +69106,7 @@ index f539204..068db1f 100644
  
  	fput(tfile);
 diff --git a/fs/exec.c b/fs/exec.c
-index 86fafc6..a9275f4 100644
+index 86fafc6..25f0d1a 100644
 --- a/fs/exec.c
 +++ b/fs/exec.c
 @@ -56,12 +56,33 @@
@@ -69838,9 +69838,9 @@ index 86fafc6..a9275f4 100644
 +#endif
 +
 +#ifdef CONFIG_PAX_SIZE_OVERFLOW
-+void report_size_overflow(const char *file, unsigned int line, const char *func)
++void report_size_overflow(const char *file, unsigned int line, const char *func, const char *ssa_name)
 +{
-+	printk(KERN_ERR "PAX: size overflow detected in function %s %s:%u\n", func, file, line);
++	printk(KERN_ERR "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
 +	dump_stack();
 +	do_group_exit(SIGKILL);
 +}
@@ -113560,10 +113560,10 @@ index 0000000..42bbc4f
 +_002415_hash acl_alloc_num 1-2 60778 _002415_hash NULL
 diff --git a/tools/gcc/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin.c
 new file mode 100644
-index 0000000..5af42b5
+index 0000000..41e11e1
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin.c
-@@ -0,0 +1,1558 @@
+@@ -0,0 +1,1579 @@
 +/*
 + * Copyright 2011, 2012 by Emese Revfy <re.emese@gmail.com>
 + * Licensed under the GPL v2, or (at your option) v3
@@ -113632,7 +113632,7 @@ index 0000000..5af42b5
 +static tree get_size_overflow_type(gimple stmt, tree node);
 +
 +static struct plugin_info size_overflow_plugin_info = {
-+	.version	= "20120811beta",
++	.version	= "20120815beta",
 +	.help		= "no-size-overflow\tturn off size overflow checking\n",
 +};
 +
@@ -114309,6 +114309,27 @@ index 0000000..5af42b5
 +	return true;
 +}
 +
++static bool is_a_cast_and_const_overflow(tree no_const_rhs)
++{
++	tree rhs1, lhs, rhs1_type, lhs_type;
++	enum machine_mode lhs_mode, rhs_mode;
++	gimple def_stmt = get_def_stmt(no_const_rhs);
++
++	if (!gimple_assign_cast_p(def_stmt))
++		return false;
++
++	rhs1 = gimple_assign_rhs1(def_stmt);
++	lhs = gimple_get_lhs(def_stmt);
++	rhs1_type = TREE_TYPE(rhs1);
++	lhs_type = TREE_TYPE(lhs);
++	rhs_mode = TYPE_MODE(rhs1_type);
++	lhs_mode = TYPE_MODE(lhs_type);
++	if (TYPE_UNSIGNED(lhs_type) == TYPE_UNSIGNED(rhs1_type) || lhs_mode != rhs_mode)
++		return false;
++
++	return true;
++}
++
 +static tree handle_unary_rhs(struct pointer_set_t *visited, bool *potentionally_overflowed, gimple stmt)
 +{
 +	tree size_overflow_type, lhs = gimple_get_lhs(stmt);
@@ -114350,8 +114371,10 @@ index 0000000..5af42b5
 +	change_rhs1(stmt, new_rhs1);
 +	check_size_overflow(stmt, size_overflow_type, new_rhs1, rhs1, potentionally_overflowed, BEFORE_STMT);
 +
++	rhs1 = gimple_assign_rhs1(stmt);
++	rhs1_type = TREE_TYPE(rhs1);
 +	if (TYPE_UNSIGNED(rhs1_type) != TYPE_UNSIGNED(lhs_type))
-+		return create_assign(visited, potentionally_overflowed, stmt, lhs, AFTER_STMT);
++		return create_assign(visited, potentionally_overflowed, stmt, rhs1, AFTER_STMT);
 +
 +	if (!check_mode_type(stmt))
 +		return create_assign(visited, potentionally_overflowed, stmt, lhs, AFTER_STMT);
@@ -114448,11 +114471,8 @@ index 0000000..5af42b5
 +	current_func = build_string(NAME_LEN(current_function_decl) + 1, NAME(current_function_decl));
 +	current_func = create_string_param(current_func);
 +
-+	if (min)
-+		snprintf(ssa_name_buf, 100, "%s_%u (min)\n", NAME(SSA_NAME_VAR(arg)), SSA_NAME_VERSION(arg));
-+	else
-+		snprintf(ssa_name_buf, 100, "%s_%u (max)\n", NAME(SSA_NAME_VAR(arg)), SSA_NAME_VERSION(arg));
-+	ssa_name = build_string(100, ssa_name_buf);
++	snprintf(ssa_name_buf, sizeof(ssa_name_buf), "%s_%u (%s)\n", NAME(SSA_NAME_VAR(arg)), SSA_NAME_VERSION(arg), min ? "min" : "max");
++	ssa_name = build_string(sizeof(ssa_name_buf), ssa_name_buf);
 +	ssa_name = create_string_param(ssa_name);
 +
 +	// void report_size_overflow(const char *file, unsigned int line, const char *func, const char *ssa_name)
@@ -114589,7 +114609,8 @@ index 0000000..5af42b5
 +	if (gimple_assign_rhs_code(def_stmt) == MIN_EXPR)
 +		return dup_assign(visited, potentionally_overflowed, def_stmt, size_overflow_type, new_rhs1, new_rhs2, NULL_TREE);
 +
-+	check_size_overflow(def_stmt, size_overflow_type, var_rhs, orig_rhs, potentionally_overflowed, BEFORE_STMT);
++	if (!is_a_cast_and_const_overflow(orig_rhs))
++		check_size_overflow(def_stmt, size_overflow_type, var_rhs, orig_rhs, potentionally_overflowed, BEFORE_STMT);
 +
 +	new_rhs = change_assign_rhs(def_stmt, orig_rhs, var_rhs);
 +	gimple_assign_set_rhs(def_stmt, new_rhs);
diff --git a/3.2.27/0000_README b/3.2.27/0000_README
index a31279f..bf13cdb 100644
--- a/3.2.27/0000_README
+++ b/3.2.27/0000_README
@@ -26,7 +26,7 @@ Patch:	1026_linux-3.2.27.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.2.27
 
-Patch:	4420_grsecurity-2.9.1-3.2.27-201208132029.patch
+Patch:	4420_grsecurity-2.9.1-3.2.27-201208151951.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.2.27/4420_grsecurity-2.9.1-3.2.27-201208132029.patch b/3.2.27/4420_grsecurity-2.9.1-3.2.27-201208151951.patch
index 7fcc3aa..77e6914 100644
--- a/3.2.27/4420_grsecurity-2.9.1-3.2.27-201208132029.patch
+++ b/3.2.27/4420_grsecurity-2.9.1-3.2.27-201208151951.patch
@@ -44551,7 +44551,7 @@ index 608c1c3..7d040a8 100644
  	return rc;
  }
 diff --git a/fs/exec.c b/fs/exec.c
-index 160cd2f..78b8d86 100644
+index 160cd2f..7f5ba47 100644
 --- a/fs/exec.c
 +++ b/fs/exec.c
 @@ -55,12 +55,33 @@
@@ -45310,9 +45310,9 @@ index 160cd2f..78b8d86 100644
 +#endif
 +
 +#ifdef CONFIG_PAX_SIZE_OVERFLOW
-+void report_size_overflow(const char *file, unsigned int line, const char *func)
++void report_size_overflow(const char *file, unsigned int line, const char *func, const char *ssa_name)
 +{
-+	printk(KERN_ERR "PAX: size overflow detected in function %s %s:%u\n", func, file, line);
++	printk(KERN_ERR "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
 +	dump_stack();
 +	do_group_exit(SIGKILL);
 +}
@@ -87207,10 +87207,10 @@ index 0000000..a898f84
 +_003150_hash acl_alloc_num 1-2 60778 _003150_hash NULL
 diff --git a/tools/gcc/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin.c
 new file mode 100644
-index 0000000..5af42b5
+index 0000000..41e11e1
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin.c
-@@ -0,0 +1,1558 @@
+@@ -0,0 +1,1579 @@
 +/*
 + * Copyright 2011, 2012 by Emese Revfy <re.emese@gmail.com>
 + * Licensed under the GPL v2, or (at your option) v3
@@ -87279,7 +87279,7 @@ index 0000000..5af42b5
 +static tree get_size_overflow_type(gimple stmt, tree node);
 +
 +static struct plugin_info size_overflow_plugin_info = {
-+	.version	= "20120811beta",
++	.version	= "20120815beta",
 +	.help		= "no-size-overflow\tturn off size overflow checking\n",
 +};
 +
@@ -87956,6 +87956,27 @@ index 0000000..5af42b5
 +	return true;
 +}
 +
++static bool is_a_cast_and_const_overflow(tree no_const_rhs)
++{
++	tree rhs1, lhs, rhs1_type, lhs_type;
++	enum machine_mode lhs_mode, rhs_mode;
++	gimple def_stmt = get_def_stmt(no_const_rhs);
++
++	if (!gimple_assign_cast_p(def_stmt))
++		return false;
++
++	rhs1 = gimple_assign_rhs1(def_stmt);
++	lhs = gimple_get_lhs(def_stmt);
++	rhs1_type = TREE_TYPE(rhs1);
++	lhs_type = TREE_TYPE(lhs);
++	rhs_mode = TYPE_MODE(rhs1_type);
++	lhs_mode = TYPE_MODE(lhs_type);
++	if (TYPE_UNSIGNED(lhs_type) == TYPE_UNSIGNED(rhs1_type) || lhs_mode != rhs_mode)
++		return false;
++
++	return true;
++}
++
 +static tree handle_unary_rhs(struct pointer_set_t *visited, bool *potentionally_overflowed, gimple stmt)
 +{
 +	tree size_overflow_type, lhs = gimple_get_lhs(stmt);
@@ -87997,8 +88018,10 @@ index 0000000..5af42b5
 +	change_rhs1(stmt, new_rhs1);
 +	check_size_overflow(stmt, size_overflow_type, new_rhs1, rhs1, potentionally_overflowed, BEFORE_STMT);
 +
++	rhs1 = gimple_assign_rhs1(stmt);
++	rhs1_type = TREE_TYPE(rhs1);
 +	if (TYPE_UNSIGNED(rhs1_type) != TYPE_UNSIGNED(lhs_type))
-+		return create_assign(visited, potentionally_overflowed, stmt, lhs, AFTER_STMT);
++		return create_assign(visited, potentionally_overflowed, stmt, rhs1, AFTER_STMT);
 +
 +	if (!check_mode_type(stmt))
 +		return create_assign(visited, potentionally_overflowed, stmt, lhs, AFTER_STMT);
@@ -88095,11 +88118,8 @@ index 0000000..5af42b5
 +	current_func = build_string(NAME_LEN(current_function_decl) + 1, NAME(current_function_decl));
 +	current_func = create_string_param(current_func);
 +
-+	if (min)
-+		snprintf(ssa_name_buf, 100, "%s_%u (min)\n", NAME(SSA_NAME_VAR(arg)), SSA_NAME_VERSION(arg));
-+	else
-+		snprintf(ssa_name_buf, 100, "%s_%u (max)\n", NAME(SSA_NAME_VAR(arg)), SSA_NAME_VERSION(arg));
-+	ssa_name = build_string(100, ssa_name_buf);
++	snprintf(ssa_name_buf, sizeof(ssa_name_buf), "%s_%u (%s)\n", NAME(SSA_NAME_VAR(arg)), SSA_NAME_VERSION(arg), min ? "min" : "max");
++	ssa_name = build_string(sizeof(ssa_name_buf), ssa_name_buf);
 +	ssa_name = create_string_param(ssa_name);
 +
 +	// void report_size_overflow(const char *file, unsigned int line, const char *func, const char *ssa_name)
@@ -88236,7 +88256,8 @@ index 0000000..5af42b5
 +	if (gimple_assign_rhs_code(def_stmt) == MIN_EXPR)
 +		return dup_assign(visited, potentionally_overflowed, def_stmt, size_overflow_type, new_rhs1, new_rhs2, NULL_TREE);
 +
-+	check_size_overflow(def_stmt, size_overflow_type, var_rhs, orig_rhs, potentionally_overflowed, BEFORE_STMT);
++	if (!is_a_cast_and_const_overflow(orig_rhs))
++		check_size_overflow(def_stmt, size_overflow_type, var_rhs, orig_rhs, potentionally_overflowed, BEFORE_STMT);
 +
 +	new_rhs = change_assign_rhs(def_stmt, orig_rhs, var_rhs);
 +	gimple_assign_set_rhs(def_stmt, new_rhs);
diff --git a/3.5.1/0000_README b/3.5.2/0000_README
index c4d6ba4..f134d6f 100644
--- a/3.5.1/0000_README
+++ b/3.5.2/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-2.9.1-3.5.1-201208132030.patch
+Patch:	4420_grsecurity-2.9.1-3.5.2-201208151951.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.5.1/4420_grsecurity-2.9.1-3.5.1-201208132030.patch b/3.5.2/4420_grsecurity-2.9.1-3.5.2-201208151951.patch
index 9cc5a66..6ced4b1 100644
--- a/3.5.1/4420_grsecurity-2.9.1-3.5.1-201208132030.patch
+++ b/3.5.2/4420_grsecurity-2.9.1-3.5.2-201208151951.patch
@@ -275,7 +275,7 @@ index 13d6166..8c235b6 100644
  ==============================================================
  
 diff --git a/Makefile b/Makefile
-index d7ee1cb..bf3389b 100644
+index 5caa2fa..5fc9329 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -1442,7 +1442,7 @@ index 75fe66b..2255c86 100644
  /*
   * Memory returned by kmalloc() may be used for DMA, so we must make
 diff --git a/arch/arm/include/asm/cacheflush.h b/arch/arm/include/asm/cacheflush.h
-index 004c1bc..d9d6d91 100644
+index e4448e1..7bc86b7 100644
 --- a/arch/arm/include/asm/cacheflush.h
 +++ b/arch/arm/include/asm/cacheflush.h
 @@ -108,7 +108,7 @@ struct cpu_cache_fns {
@@ -1663,7 +1663,7 @@ index b57c75e..ed2d6b2 100644
  
  EXPORT_SYMBOL(__get_user_1);
 diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
-index 19c95ea..7160f7c 100644
+index 693b744..e684262 100644
 --- a/arch/arm/kernel/process.c
 +++ b/arch/arm/kernel/process.c
 @@ -28,7 +28,6 @@
@@ -1674,7 +1674,7 @@ index 19c95ea..7160f7c 100644
  #include <linux/hw_breakpoint.h>
  #include <linux/cpuidle.h>
  
-@@ -255,9 +254,10 @@ void machine_power_off(void)
+@@ -256,9 +255,10 @@ void machine_power_off(void)
  	machine_shutdown();
  	if (pm_power_off)
  		pm_power_off();
@@ -1686,7 +1686,7 @@ index 19c95ea..7160f7c 100644
  {
  	machine_shutdown();
  
-@@ -499,12 +499,6 @@ unsigned long get_wchan(struct task_struct *p)
+@@ -501,12 +501,6 @@ unsigned long get_wchan(struct task_struct *p)
  	return 0;
  }
  
@@ -1745,7 +1745,7 @@ index e15d83b..8c466dd 100644
  #endif
  
 diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
-index 3647170..065e1cd 100644
+index c7cae6b..e1e523c 100644
 --- a/arch/arm/kernel/traps.c
 +++ b/arch/arm/kernel/traps.c
 @@ -264,6 +264,8 @@ static int __die(const char *str, int err, struct thread_info *thread, struct pt
@@ -2326,7 +2326,7 @@ index 0f01de2..d37d309 100644
  #define __cacheline_aligned	__aligned(L1_CACHE_BYTES)
  #define ____cacheline_aligned	__aligned(L1_CACHE_BYTES)
 diff --git a/arch/ia64/include/asm/atomic.h b/arch/ia64/include/asm/atomic.h
-index 7d91166..88ab87e 100644
+index 6e6fe18..a6ae668 100644
 --- a/arch/ia64/include/asm/atomic.h
 +++ b/arch/ia64/include/asm/atomic.h
 @@ -208,6 +208,16 @@ atomic64_add_negative (__s64 i, atomic64_t *v)
@@ -13672,7 +13672,7 @@ index 7261083..5c12053 100644
  bogus_magic:
  	jmp	bogus_magic
 diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
-index 1f84794..e23f862 100644
+index 73ef56c..0238021 100644
 --- a/arch/x86/kernel/alternative.c
 +++ b/arch/x86/kernel/alternative.c
 @@ -276,6 +276,13 @@ void __init_or_module apply_alternatives(struct alt_instr *start,
@@ -27605,7 +27605,7 @@ index 251c7b62..000462d 100644
  				bool enable = !device_may_wakeup(&dev->dev);
  				device_set_wakeup_enable(&dev->dev, enable);
 diff --git a/drivers/acpi/processor_driver.c b/drivers/acpi/processor_driver.c
-index 0734086..3ad3e4c 100644
+index bbac51e..4c094f9 100644
 --- a/drivers/acpi/processor_driver.c
 +++ b/drivers/acpi/processor_driver.c
 @@ -556,7 +556,7 @@ static int __cpuinit acpi_processor_add(struct acpi_device *device)
@@ -29623,10 +29623,10 @@ index 0a484b4..f48ccd1 100644
  
  	if (cmd != SIOCWANDEV)
 diff --git a/drivers/char/random.c b/drivers/char/random.c
-index 4ec04a7..9918387 100644
+index d98b2a6..f0ceb97 100644
 --- a/drivers/char/random.c
 +++ b/drivers/char/random.c
-@@ -261,8 +261,13 @@
+@@ -272,8 +272,13 @@
  /*
   * Configuration information
   */
@@ -29640,7 +29640,7 @@ index 4ec04a7..9918387 100644
  #define SEC_XFER_SIZE 512
  #define EXTRACT_SIZE 10
  
-@@ -300,10 +305,17 @@ static struct poolinfo {
+@@ -313,10 +318,17 @@ static struct poolinfo {
  	int poolwords;
  	int tap1, tap2, tap3, tap4, tap5;
  } poolinfo_table[] = {
@@ -29658,7 +29658,18 @@ index 4ec04a7..9918387 100644
  #if 0
  	/* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1  -- 115 */
  	{ 2048,	1638,	1231,	819,	411,	1 },
-@@ -726,6 +738,17 @@ void add_disk_randomness(struct gendisk *disk)
+@@ -527,8 +539,8 @@ static void _mix_pool_bytes(struct entropy_store *r, const void *in,
+ 		input_rotate += i ? 7 : 14;
+ 	}
+ 
+-	ACCESS_ONCE(r->input_rotate) = input_rotate;
+-	ACCESS_ONCE(r->add_ptr) = i;
++	ACCESS_ONCE_RW(r->input_rotate) = input_rotate;
++	ACCESS_ONCE_RW(r->add_ptr) = i;
+ 	smp_wmb();
+ 
+ 	if (out)
+@@ -799,6 +811,17 @@ void add_disk_randomness(struct gendisk *disk)
  }
  #endif
  
@@ -29667,8 +29678,8 @@ index 4ec04a7..9918387 100644
 +
 +__init void transfer_latent_entropy(void)
 +{
-+	mix_pool_bytes(&input_pool, &latent_entropy, sizeof(latent_entropy));
-+	mix_pool_bytes(&nonblocking_pool, &latent_entropy, sizeof(latent_entropy));
++	mix_pool_bytes(&input_pool, &latent_entropy, sizeof(latent_entropy), NULL);
++	mix_pool_bytes(&nonblocking_pool, &latent_entropy, sizeof(latent_entropy), NULL);
 +//	printk(KERN_INFO "PAX: transferring latent entropy: %16llx\n", latent_entropy);
 +}
 +#endif
@@ -29676,7 +29687,7 @@ index 4ec04a7..9918387 100644
  /*********************************************************************
   *
   * Entropy extraction routines
-@@ -913,7 +936,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+@@ -1008,7 +1031,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
  
  		extract_buf(r, tmp);
  		i = min_t(int, nbytes, EXTRACT_SIZE);
@@ -29685,7 +29696,7 @@ index 4ec04a7..9918387 100644
  			ret = -EFAULT;
  			break;
  		}
-@@ -1238,7 +1261,7 @@ EXPORT_SYMBOL(generate_random_uuid);
+@@ -1342,7 +1365,7 @@ EXPORT_SYMBOL(generate_random_uuid);
  #include <linux/sysctl.h>
  
  static int min_read_thresh = 8, min_write_thresh;
@@ -29970,10 +29981,10 @@ index 515a42c..5ecf3ba 100644
  void fw_card_initialize(struct fw_card *card,
  		const struct fw_card_driver *driver, struct device *device);
 diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
-index 153980b..4b4d046 100644
+index b298158..7ed8432 100644
 --- a/drivers/firmware/dmi_scan.c
 +++ b/drivers/firmware/dmi_scan.c
-@@ -449,11 +449,6 @@ void __init dmi_scan_machine(void)
+@@ -452,11 +452,6 @@ void __init dmi_scan_machine(void)
  		}
  	}
  	else {
@@ -29985,7 +29996,7 @@ index 153980b..4b4d046 100644
  		p = dmi_ioremap(0xF0000, 0x10000);
  		if (p == NULL)
  			goto error;
-@@ -723,7 +718,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *),
+@@ -726,7 +721,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *),
  	if (buf == NULL)
  		return -1;
  
@@ -31156,10 +31167,10 @@ index 8a8725c..afed796 100644
  			marker = list_first_entry(&queue->head,
  						 struct vmw_marker, head);
 diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index 4c87276..9ecc3c7 100644
+index 1f6957c..b579481 100644
 --- a/drivers/hid/hid-core.c
 +++ b/drivers/hid/hid-core.c
-@@ -2151,7 +2151,7 @@ static bool hid_ignore(struct hid_device *hdev)
+@@ -2153,7 +2153,7 @@ static bool hid_ignore(struct hid_device *hdev)
  
  int hid_add_device(struct hid_device *hdev)
  {
@@ -31168,7 +31179,7 @@ index 4c87276..9ecc3c7 100644
  	int ret;
  
  	if (WARN_ON(hdev->status & HID_STAT_ADDED))
-@@ -2186,7 +2186,7 @@ int hid_add_device(struct hid_device *hdev)
+@@ -2188,7 +2188,7 @@ int hid_add_device(struct hid_device *hdev)
  	/* XXX hack, any other cleaner solution after the driver core
  	 * is converted to allow more than 20 bytes as the device name? */
  	dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
@@ -33506,7 +33517,7 @@ index 1cbfc6b..56e1dbb 100644
  /*----------------------------------------------------------------*/
  
 diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
-index cacd008..2823610 100644
+index 53aec45..250851c 100644
 --- a/drivers/md/raid1.c
 +++ b/drivers/md/raid1.c
 @@ -1685,7 +1685,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
@@ -35419,10 +35430,10 @@ index d9e0824..1a874e7 100644
  
  static u16 ar9003_calc_ptr_chksum(struct ar9003_txc *ads)
 diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h
-index b620c55..a76cd49 100644
+index 02f5007..bd0bd8f 100644
 --- a/drivers/net/wireless/ath/ath9k/hw.h
 +++ b/drivers/net/wireless/ath/ath9k/hw.h
-@@ -609,7 +609,7 @@ struct ath_hw_private_ops {
+@@ -610,7 +610,7 @@ struct ath_hw_private_ops {
  
  	/* ANI */
  	void (*ani_cache_ini_regs)(struct ath_hw *ah);
@@ -35431,7 +35442,7 @@ index b620c55..a76cd49 100644
  
  /**
   * struct ath_hw_ops - callbacks used by hardware code and driver code
-@@ -639,7 +639,7 @@ struct ath_hw_ops {
+@@ -640,7 +640,7 @@ struct ath_hw_ops {
  	void (*antdiv_comb_conf_set)(struct ath_hw *ah,
  			struct ath_hw_antcomb_conf *antconf);
  
@@ -35440,7 +35451,7 @@ index b620c55..a76cd49 100644
  
  struct ath_nf_limits {
  	s16 max;
-@@ -659,7 +659,7 @@ enum ath_cal_list {
+@@ -660,7 +660,7 @@ enum ath_cal_list {
  #define AH_FASTCC       0x4
  
  struct ath_hw {
@@ -44147,7 +44158,7 @@ index b2a34a1..162fa69 100644
  	return rc;
  }
 diff --git a/fs/exec.c b/fs/exec.c
-index e95aeed..9c7b4c2 100644
+index e95aeed..a943469 100644
 --- a/fs/exec.c
 +++ b/fs/exec.c
 @@ -55,6 +55,15 @@
@@ -44846,9 +44857,9 @@ index e95aeed..9c7b4c2 100644
 +#endif
 +
 +#ifdef CONFIG_PAX_SIZE_OVERFLOW
-+void report_size_overflow(const char *file, unsigned int line, const char *func)
++void report_size_overflow(const char *file, unsigned int line, const char *func, const char *ssa_name)
 +{
-+	printk(KERN_ERR "PAX: size overflow detected in function %s %s:%u\n", func, file, line);
++	printk(KERN_ERR "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
 +	dump_stack();
 +	do_group_exit(SIGKILL);
 +}
@@ -63283,20 +63294,20 @@ index 3fd2e87..d93a721 100644
  struct ctl_table_header;
  struct ctl_table;
 diff --git a/include/linux/random.h b/include/linux/random.h
-index 8f74538..de61694 100644
+index ac621ce..c1215f3 100644
 --- a/include/linux/random.h
 +++ b/include/linux/random.h
-@@ -54,6 +54,10 @@ extern void add_input_randomness(unsigned int type, unsigned int code,
+@@ -53,6 +53,10 @@ extern void add_input_randomness(unsigned int type, unsigned int code,
  				 unsigned int value);
- extern void add_interrupt_randomness(int irq);
+ extern void add_interrupt_randomness(int irq, int irq_flags);
  
 +#ifdef CONFIG_PAX_LATENT_ENTROPY
 +extern void transfer_latent_entropy(void);
 +#endif
 +
  extern void get_random_bytes(void *buf, int nbytes);
+ extern void get_random_bytes_arch(void *buf, int nbytes);
  void generate_random_uuid(unsigned char uuid_out[16]);
- 
 @@ -69,12 +73,17 @@ void srandom32(u32 seed);
  
  u32 prandom32(struct rnd_state *);
@@ -63663,7 +63674,7 @@ index 899fbb4..1cb4138 100644
  
  #define VIDEO_TYPE_MDA		0x10	/* Monochrome Text Display	*/
 diff --git a/include/linux/security.h b/include/linux/security.h
-index 4e5a73c..a5784a1 100644
+index 3dea6a9..81fd81f 100644
 --- a/include/linux/security.h
 +++ b/include/linux/security.h
 @@ -26,6 +26,7 @@
@@ -68397,7 +68408,7 @@ index 19db29f..33b52b6 100644
  
  		if (pm_wakeup_pending()) {
 diff --git a/kernel/printk.c b/kernel/printk.c
-index 21bea76..f55ef3e 100644
+index 146827f..a501fec 100644
 --- a/kernel/printk.c
 +++ b/kernel/printk.c
 @@ -782,6 +782,11 @@ static int check_syslog_permissions(int type, bool from_file)
@@ -70528,7 +70539,7 @@ index e796429..6e38f9f 100644
  static inline void *ptr_to_indirect(void *ptr)
  {
 diff --git a/lib/vsprintf.c b/lib/vsprintf.c
-index c3f36d41..5c5aeb5 100644
+index 598a73e..5c5aeb5 100644
 --- a/lib/vsprintf.c
 +++ b/lib/vsprintf.c
 @@ -16,6 +16,9 @@
@@ -70600,7 +70611,7 @@ index c3f36d41..5c5aeb5 100644
  	case 'B':
  		return symbol_string(buf, end, ptr, spec, *fmt);
  	case 'R':
-@@ -1025,12 +1041,15 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
+@@ -1025,6 +1041,8 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
  			va_end(va);
  			return buf;
  		}
@@ -70609,15 +70620,7 @@ index c3f36d41..5c5aeb5 100644
  	case 'K':
  		/*
  		 * %pK cannot be used in IRQ context because its test
- 		 * for CAP_SYSLOG would be meaningless.
- 		 */
--		if (in_irq() || in_serving_softirq() || in_nmi()) {
-+		if (kptr_restrict && (in_irq() || in_serving_softirq() ||
-+				      in_nmi())) {
- 			if (spec.field_width == -1)
- 				spec.field_width = default_width;
- 			return string(buf, end, "pK-error", spec);
-@@ -1047,6 +1066,21 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
+@@ -1048,6 +1066,21 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
  		}
  		break;
  	}
@@ -70639,7 +70642,7 @@ index c3f36d41..5c5aeb5 100644
  	spec.flags |= SMALL;
  	if (spec.field_width == -1) {
  		spec.field_width = default_width;
-@@ -1758,11 +1792,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
+@@ -1759,11 +1792,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
  	typeof(type) value;						\
  	if (sizeof(type) == 8) {					\
  		args = PTR_ALIGN(args, sizeof(u32));			\
@@ -70654,7 +70657,7 @@ index c3f36d41..5c5aeb5 100644
  	}								\
  	args += sizeof(type);						\
  	value;								\
-@@ -1825,7 +1859,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
+@@ -1826,7 +1859,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
  		case FORMAT_TYPE_STR: {
  			const char *str_arg = args;
  			args += strlen(str_arg) + 1;
@@ -70777,10 +70780,10 @@ index 57c4b93..24b8f59 100644
  	/* if an huge pmd materialized from under us just retry later */
  	if (unlikely(pmd_trans_huge(*pmd)))
 diff --git a/mm/hugetlb.c b/mm/hugetlb.c
-index e198831..38d524f 100644
+index 19558df..f7743b3 100644
 --- a/mm/hugetlb.c
 +++ b/mm/hugetlb.c
-@@ -2447,6 +2447,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2463,6 +2463,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
  	return 1;
  }
  
@@ -70808,7 +70811,7 @@ index e198831..38d524f 100644
  /*
   * Hugetlb_cow() should be called with page lock of the original hugepage held.
   * Called with hugetlb_instantiation_mutex held and pte_page locked so we
-@@ -2559,6 +2580,11 @@ retry_avoidcopy:
+@@ -2575,6 +2596,11 @@ retry_avoidcopy:
  				make_huge_pte(vma, new_page, 1));
  		page_remove_rmap(old_page);
  		hugepage_add_new_anon_rmap(new_page, vma, address);
@@ -70820,7 +70823,7 @@ index e198831..38d524f 100644
  		/* Make the old page be freed below */
  		new_page = old_page;
  		mmu_notifier_invalidate_range_end(mm,
-@@ -2713,6 +2739,10 @@ retry:
+@@ -2729,6 +2755,10 @@ retry:
  				&& (vma->vm_flags & VM_SHARED)));
  	set_huge_pte_at(mm, address, ptep, new_pte);
  
@@ -70831,7 +70834,7 @@ index e198831..38d524f 100644
  	if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
  		/* Optimization, do the COW without a second fault */
  		ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
-@@ -2742,6 +2772,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2758,6 +2788,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	static DEFINE_MUTEX(hugetlb_instantiation_mutex);
  	struct hstate *h = hstate_vma(vma);
  
@@ -70842,7 +70845,7 @@ index e198831..38d524f 100644
  	address &= huge_page_mask(h);
  
  	ptep = huge_pte_offset(mm, address);
-@@ -2755,6 +2789,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2771,6 +2805,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  			       VM_FAULT_SET_HINDEX(h - hstates);
  	}
  
@@ -70870,7 +70873,7 @@ index e198831..38d524f 100644
  	if (!ptep)
  		return VM_FAULT_OOM;
 diff --git a/mm/internal.h b/mm/internal.h
-index 2ba87fb..7f451e2 100644
+index 8052379..47029d1 100644
 --- a/mm/internal.h
 +++ b/mm/internal.h
 @@ -95,6 +95,7 @@ extern void putback_lru_page(struct page *page);
@@ -70997,7 +71000,7 @@ index 14d260f..b2a80fd 100644
  	if (end == start)
  		goto out;
 diff --git a/mm/memory-failure.c b/mm/memory-failure.c
-index de4ce70..3629c7d 100644
+index 6de0d61..da836cf 100644
 --- a/mm/memory-failure.c
 +++ b/mm/memory-failure.c
 @@ -61,7 +61,7 @@ int sysctl_memory_failure_early_kill __read_mostly = 0;
@@ -73517,7 +73520,7 @@ index d4b0c10..ed421b5 100644
  	new->vm_region = region;
  
 diff --git a/mm/page_alloc.c b/mm/page_alloc.c
-index 4a4f921..eaa5e3a 100644
+index 201b508..1fb51ca 100644
 --- a/mm/page_alloc.c
 +++ b/mm/page_alloc.c
 @@ -336,7 +336,7 @@ out:
@@ -74722,7 +74725,7 @@ index 8c7265a..c96d884 100644
  	mm->unmap_area = arch_unmap_area;
  }
 diff --git a/mm/vmalloc.c b/mm/vmalloc.c
-index 2aad499..a8a740e 100644
+index 2aad499..4006a74 100644
 --- a/mm/vmalloc.c
 +++ b/mm/vmalloc.c
 @@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
@@ -74851,7 +74854,7 @@ index 2aad499..a8a740e 100644
   * vstart and vend.
   */
 -static struct vmap_area *alloc_vmap_area(unsigned long size,
-+static struct __size_overflow(1) vmap_area *alloc_vmap_area(unsigned long size,
++static __size_overflow(1) struct vmap_area *alloc_vmap_area(unsigned long size,
  				unsigned long align,
  				unsigned long vstart, unsigned long vend,
  				int node, gfp_t gfp_mask)
@@ -75498,7 +75501,7 @@ index ae6acf6..d5c8f66 100644
  
  	return err;
 diff --git a/net/core/dev.c b/net/core/dev.c
-index 1cb0d8a..0427dd9 100644
+index a000840..566cee1 100644
 --- a/net/core/dev.c
 +++ b/net/core/dev.c
 @@ -1135,9 +1135,13 @@ void dev_load(struct net *net, const char *name)
@@ -75515,7 +75518,7 @@ index 1cb0d8a..0427dd9 100644
  	}
  }
  EXPORT_SYMBOL(dev_load);
-@@ -1601,7 +1605,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
+@@ -1602,7 +1606,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
  {
  	if (skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY) {
  		if (skb_copy_ubufs(skb, GFP_ATOMIC)) {
@@ -75524,7 +75527,7 @@ index 1cb0d8a..0427dd9 100644
  			kfree_skb(skb);
  			return NET_RX_DROP;
  		}
-@@ -1611,7 +1615,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
+@@ -1612,7 +1616,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
  	nf_reset(skb);
  
  	if (unlikely(!is_skb_forwardable(dev, skb))) {
@@ -75533,7 +75536,7 @@ index 1cb0d8a..0427dd9 100644
  		kfree_skb(skb);
  		return NET_RX_DROP;
  	}
-@@ -2040,7 +2044,7 @@ static int illegal_highdma(struct net_device *dev, struct sk_buff *skb)
+@@ -2041,7 +2045,7 @@ static int illegal_highdma(struct net_device *dev, struct sk_buff *skb)
  
  struct dev_gso_cb {
  	void (*destructor)(struct sk_buff *skb);
@@ -75542,7 +75545,7 @@ index 1cb0d8a..0427dd9 100644
  
  #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
  
-@@ -2875,7 +2879,7 @@ enqueue:
+@@ -2876,7 +2880,7 @@ enqueue:
  
  	local_irq_restore(flags);
  
@@ -75551,7 +75554,7 @@ index 1cb0d8a..0427dd9 100644
  	kfree_skb(skb);
  	return NET_RX_DROP;
  }
-@@ -2947,7 +2951,7 @@ int netif_rx_ni(struct sk_buff *skb)
+@@ -2948,7 +2952,7 @@ int netif_rx_ni(struct sk_buff *skb)
  }
  EXPORT_SYMBOL(netif_rx_ni);
  
@@ -75560,7 +75563,7 @@ index 1cb0d8a..0427dd9 100644
  {
  	struct softnet_data *sd = &__get_cpu_var(softnet_data);
  
-@@ -3234,7 +3238,7 @@ ncls:
+@@ -3235,7 +3239,7 @@ ncls:
  	if (pt_prev) {
  		ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
  	} else {
@@ -75569,7 +75572,7 @@ index 1cb0d8a..0427dd9 100644
  		kfree_skb(skb);
  		/* Jamal, now you will not able to escape explaining
  		 * me how you were going to use this. :-)
-@@ -3799,7 +3803,7 @@ void netif_napi_del(struct napi_struct *napi)
+@@ -3800,7 +3804,7 @@ void netif_napi_del(struct napi_struct *napi)
  }
  EXPORT_SYMBOL(netif_napi_del);
  
@@ -75578,7 +75581,7 @@ index 1cb0d8a..0427dd9 100644
  {
  	struct softnet_data *sd = &__get_cpu_var(softnet_data);
  	unsigned long time_limit = jiffies + 2;
-@@ -4269,8 +4273,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
+@@ -4270,8 +4274,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
  		else
  			seq_printf(seq, "%04x", ntohs(pt->type));
  
@@ -75592,7 +75595,7 @@ index 1cb0d8a..0427dd9 100644
  	}
  
  	return 0;
-@@ -5820,7 +5829,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
+@@ -5823,7 +5832,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
  	} else {
  		netdev_stats_to_stats64(storage, &dev->stats);
  	}
@@ -75664,7 +75667,7 @@ index 7e7aeb0..2a998cb 100644
  
  	m->msg_iov = iov;
 diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
-index 23e3f66..f78041f 100644
+index 6c50ac0..6b4c038 100644
 --- a/net/core/rtnetlink.c
 +++ b/net/core/rtnetlink.c
 @@ -58,7 +58,7 @@ struct rtnl_link {
@@ -78593,7 +78596,7 @@ index 641f2e4..a63f5e1 100644
  		dput(path.dentry);
  		path.dentry = dentry;
 diff --git a/net/wireless/core.h b/net/wireless/core.h
-index 8523f38..79f6091 100644
+index bc686ef..27845e6 100644
 --- a/net/wireless/core.h
 +++ b/net/wireless/core.h
 @@ -27,7 +27,7 @@ struct cfg80211_registered_device {
@@ -80253,7 +80256,7 @@ index 860aeb3..45765c0 100644
  
  /* Save user chosen LSM */
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index daaa4ed..99a640f 100644
+index db10db2..99a640f 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
 @@ -95,8 +95,6 @@
@@ -80265,29 +80268,7 @@ index daaa4ed..99a640f 100644
  /* SECMARK reference count */
  static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
  
-@@ -2792,11 +2790,16 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
- 
- 			/* We strip a nul only if it is at the end, otherwise the
- 			 * context contains a nul and we should audit that */
--			str = value;
--			if (str[size - 1] == '\0')
--				audit_size = size - 1;
--			else
--				audit_size = size;
-+			if (value) {
-+				str = value;
-+				if (str[size - 1] == '\0')
-+					audit_size = size - 1;
-+				else
-+					audit_size = size;
-+			} else {
-+				str = "";
-+				audit_size = 0;
-+			}
- 			ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
- 			audit_log_format(ab, "op=setxattr invalid_context=");
- 			audit_log_n_untrustedstring(ab, value, audit_size);
-@@ -5506,7 +5509,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
+@@ -5511,7 +5509,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
  
  #endif
  
@@ -85672,10 +85653,10 @@ index 0000000..036c9c6
 +_003255_hash acl_alloc_num 1-2 60778 _003255_hash NULL
 diff --git a/tools/gcc/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin.c
 new file mode 100644
-index 0000000..5af42b5
+index 0000000..41e11e1
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin.c
-@@ -0,0 +1,1558 @@
+@@ -0,0 +1,1579 @@
 +/*
 + * Copyright 2011, 2012 by Emese Revfy <re.emese@gmail.com>
 + * Licensed under the GPL v2, or (at your option) v3
@@ -85744,7 +85725,7 @@ index 0000000..5af42b5
 +static tree get_size_overflow_type(gimple stmt, tree node);
 +
 +static struct plugin_info size_overflow_plugin_info = {
-+	.version	= "20120811beta",
++	.version	= "20120815beta",
 +	.help		= "no-size-overflow\tturn off size overflow checking\n",
 +};
 +
@@ -86421,6 +86402,27 @@ index 0000000..5af42b5
 +	return true;
 +}
 +
++static bool is_a_cast_and_const_overflow(tree no_const_rhs)
++{
++	tree rhs1, lhs, rhs1_type, lhs_type;
++	enum machine_mode lhs_mode, rhs_mode;
++	gimple def_stmt = get_def_stmt(no_const_rhs);
++
++	if (!gimple_assign_cast_p(def_stmt))
++		return false;
++
++	rhs1 = gimple_assign_rhs1(def_stmt);
++	lhs = gimple_get_lhs(def_stmt);
++	rhs1_type = TREE_TYPE(rhs1);
++	lhs_type = TREE_TYPE(lhs);
++	rhs_mode = TYPE_MODE(rhs1_type);
++	lhs_mode = TYPE_MODE(lhs_type);
++	if (TYPE_UNSIGNED(lhs_type) == TYPE_UNSIGNED(rhs1_type) || lhs_mode != rhs_mode)
++		return false;
++
++	return true;
++}
++
 +static tree handle_unary_rhs(struct pointer_set_t *visited, bool *potentionally_overflowed, gimple stmt)
 +{
 +	tree size_overflow_type, lhs = gimple_get_lhs(stmt);
@@ -86462,8 +86464,10 @@ index 0000000..5af42b5
 +	change_rhs1(stmt, new_rhs1);
 +	check_size_overflow(stmt, size_overflow_type, new_rhs1, rhs1, potentionally_overflowed, BEFORE_STMT);
 +
++	rhs1 = gimple_assign_rhs1(stmt);
++	rhs1_type = TREE_TYPE(rhs1);
 +	if (TYPE_UNSIGNED(rhs1_type) != TYPE_UNSIGNED(lhs_type))
-+		return create_assign(visited, potentionally_overflowed, stmt, lhs, AFTER_STMT);
++		return create_assign(visited, potentionally_overflowed, stmt, rhs1, AFTER_STMT);
 +
 +	if (!check_mode_type(stmt))
 +		return create_assign(visited, potentionally_overflowed, stmt, lhs, AFTER_STMT);
@@ -86560,11 +86564,8 @@ index 0000000..5af42b5
 +	current_func = build_string(NAME_LEN(current_function_decl) + 1, NAME(current_function_decl));
 +	current_func = create_string_param(current_func);
 +
-+	if (min)
-+		snprintf(ssa_name_buf, 100, "%s_%u (min)\n", NAME(SSA_NAME_VAR(arg)), SSA_NAME_VERSION(arg));
-+	else
-+		snprintf(ssa_name_buf, 100, "%s_%u (max)\n", NAME(SSA_NAME_VAR(arg)), SSA_NAME_VERSION(arg));
-+	ssa_name = build_string(100, ssa_name_buf);
++	snprintf(ssa_name_buf, sizeof(ssa_name_buf), "%s_%u (%s)\n", NAME(SSA_NAME_VAR(arg)), SSA_NAME_VERSION(arg), min ? "min" : "max");
++	ssa_name = build_string(sizeof(ssa_name_buf), ssa_name_buf);
 +	ssa_name = create_string_param(ssa_name);
 +
 +	// void report_size_overflow(const char *file, unsigned int line, const char *func, const char *ssa_name)
@@ -86701,7 +86702,8 @@ index 0000000..5af42b5
 +	if (gimple_assign_rhs_code(def_stmt) == MIN_EXPR)
 +		return dup_assign(visited, potentionally_overflowed, def_stmt, size_overflow_type, new_rhs1, new_rhs2, NULL_TREE);
 +
-+	check_size_overflow(def_stmt, size_overflow_type, var_rhs, orig_rhs, potentionally_overflowed, BEFORE_STMT);
++	if (!is_a_cast_and_const_overflow(orig_rhs))
++		check_size_overflow(def_stmt, size_overflow_type, var_rhs, orig_rhs, potentionally_overflowed, BEFORE_STMT);
 +
 +	new_rhs = change_assign_rhs(def_stmt, orig_rhs, var_rhs);
 +	gimple_assign_set_rhs(def_stmt, new_rhs);
diff --git a/3.5.1/4430_grsec-remove-localversion-grsec.patch b/3.5.2/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.5.1/4430_grsec-remove-localversion-grsec.patch
+++ b/3.5.2/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.5.1/4435_grsec-mute-warnings.patch b/3.5.2/4435_grsec-mute-warnings.patch
index e1a7a3c..e1a7a3c 100644
--- a/3.5.1/4435_grsec-mute-warnings.patch
+++ b/3.5.2/4435_grsec-mute-warnings.patch
diff --git a/3.5.1/4440_grsec-remove-protected-paths.patch b/3.5.2/4440_grsec-remove-protected-paths.patch
index 637934a..637934a 100644
--- a/3.5.1/4440_grsec-remove-protected-paths.patch
+++ b/3.5.2/4440_grsec-remove-protected-paths.patch
diff --git a/3.5.1/4450_grsec-kconfig-default-gids.patch b/3.5.2/4450_grsec-kconfig-default-gids.patch
index eb5154a..eb5154a 100644
--- a/3.5.1/4450_grsec-kconfig-default-gids.patch
+++ b/3.5.2/4450_grsec-kconfig-default-gids.patch
diff --git a/3.5.1/4465_selinux-avc_audit-log-curr_ip.patch b/3.5.2/4465_selinux-avc_audit-log-curr_ip.patch
index fd7ab67..fd7ab67 100644
--- a/3.5.1/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.5.2/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.5.1/4470_disable-compat_vdso.patch b/3.5.2/4470_disable-compat_vdso.patch
index 68af025..68af025 100644
--- a/3.5.1/4470_disable-compat_vdso.patch
+++ b/3.5.2/4470_disable-compat_vdso.patch
author	Anthony G. Basile <blueness@gentoo.org>	2012-08-18 09:03:46 -0400
committer	Anthony G. Basile <blueness@gentoo.org>	2012-08-18 09:03:46 -0400
commit	4f1c87dabdf07e6f285b3c3f99d46007b78e942a (patch)
tree	69a9e85da54801e7f17e0db9295bc60f7e5b951f
parent	Grsec/PaX: 2.9.1-{2.6.32.59,3.2.27,3.5.1}-201208132030 (diff)
download	hardened-patchset-4f1c87dabdf07e6f285b3c3f99d46007b78e942a.tar.gz hardened-patchset-4f1c87dabdf07e6f285b3c3f99d46007b78e942a.tar.bz2 hardened-patchset-4f1c87dabdf07e6f285b3c3f99d46007b78e942a.zip