Security bumps for the CAN-2004-0495 and CAN-2004-0535 vulnerabilities.

author: Tim Yamin <plasmaroo@gentoo.org> 2004-06-24 21:32:48 +0000
committer: Tim Yamin <plasmaroo@gentoo.org> 2004-06-24 21:32:48 +0000
commit: 00e4a88d85c2b178be287f51d9e653e25f48068b (patch)
tree: b553d47eb5eb3c5435e24fe53f4cbc9083822c2e /sys-kernel
parent: (no commit message) (diff)
download: historical-00e4a88d85c2b178be287f51d9e653e25f48068b.tar.gz
historical-00e4a88d85c2b178be287f51d9e653e25f48068b.tar.bz2
historical-00e4a88d85c2b178be287f51d9e653e25f48068b.zip
6 files changed, 692 insertions, 13 deletions
diff --git a/sys-kernel/gs-sources/ChangeLog b/sys-kernel/gs-sources/ChangeLog
index c294fad238f3..614307c8e50d 100644
--- a/sys-kernel/gs-sources/ChangeLog
+++ b/sys-kernel/gs-sources/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for sys-kernel/gs-sources
 # Copyright 2002-2004 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gs-sources/ChangeLog,v 1.41 2004/06/23 23:02:00 agriffis Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gs-sources/ChangeLog,v 1.42 2004/06/24 21:32:48 plasmaroo Exp $
+
+*gs-sources-2.4.25_pre7-r7 (24 Jun 2004)
+
+  24 Jun 2004; <plasmaroo@gentoo.org> -gs-sources-2.4.25_pre7-r6.ebuild,
+  +gs-sources-2.4.25_pre7-r7.ebuild, +files/gs-sources.CAN-2004-0495.patch,
+  +files/gs-sources.CAN-2004-0535.patch:
+  Security bump for the CAN-2004-0495 and CAN-2004-0535 vulnerabilities. Old
+  version removed.
 
   23 Jun 2004; Aron Griffis <agriffis@gentoo.org>
   gs-sources-2.4.25_pre7-r6.ebuild:
diff --git a/sys-kernel/gs-sources/Manifest b/sys-kernel/gs-sources/Manifest
index 9c0ea8632efc..5a8db0790233 100644
--- a/sys-kernel/gs-sources/Manifest
+++ b/sys-kernel/gs-sources/Manifest
@@ -1,16 +1,18 @@
-MD5 4a82e52b5a43b5d0ee8cf5b5fb00042f gs-sources-2.4.25_pre7-r6.ebuild 2794
-MD5 939660042e34b1fcfe6a9e91157a25fe ChangeLog 7944
+MD5 c096a5122cc9fab0a5fad2dbbb3d27c3 ChangeLog 8274
 MD5 4df72e65b139d3e4c18bec81f3a561df metadata.xml 227
-MD5 c9da1bc82b906f6abc648c056e7bf662 files/gs-sources.FPULockup-53804.patch 354
-MD5 a3ec1083055b245758b2262dd2245145 files/pci.ids.patch 3376
-MD5 c460ea130cb4ae84a5063ba044e3ce72 files/gs-sources.CAN-2004-0427.patch 460
-MD5 de75cfa969ed092578d9ddda6c5be334 files/gs-sources.CAN-2004-0181.patch 1233
-MD5 e77a93fdf26f06cf3ea5080b27211725 files/gs-sources.CAN-2003-0985.patch 414
+MD5 5ea949fda4fd81118622af761ab43380 gs-sources-2.4.25_pre7-r7.ebuild 2992
+MD5 517fc1b71501382d041ce0bdfe304511 files/00_3.5-useraddress.patch 7247
+MD5 21f3a4f186017d925067335e24db36a1 files/gs-sources.CAN-2004-0109.patch 1877
 MD5 174438d215b70cad5ffb00ca8123c062 files/gs-sources.munmap.patch 837
-MD5 302215db36238af65fd57bd22db6d7ed files/digest-gs-sources-2.4.25_pre7-r6 147
 MD5 d4a740ae56c2049247083af387a22a85 files/gs-sources.CAN-2004-0394.patch 350
+MD5 302215db36238af65fd57bd22db6d7ed files/digest-gs-sources-2.4.25_pre7-r7 147
+MD5 0f66013f643c79c97fda489618a4e2fd files/gs-sources.CAN-2004-0535.patch 476
+MD5 de75cfa969ed092578d9ddda6c5be334 files/gs-sources.CAN-2004-0181.patch 1233
+MD5 dc18e982f8149588a291956481885a8c files/gs-sources.CAN-2004-0495.patch 17549
 MD5 eaeda68a619caaddd5b8fdc5e7c39932 files/gs-sources.CAN-2004-0177.patch 384
+MD5 a3ec1083055b245758b2262dd2245145 files/pci.ids.patch 3376
+MD5 e77a93fdf26f06cf3ea5080b27211725 files/gs-sources.CAN-2003-0985.patch 414
 MD5 5bf9836a632a861728d33f9736bb7431 files/gs-sources.CAN-2004-0133.patch 427
-MD5 517fc1b71501382d041ce0bdfe304511 files/00_3.5-useraddress.patch 7247
-MD5 21f3a4f186017d925067335e24db36a1 files/gs-sources.CAN-2004-0109.patch 1877
+MD5 c460ea130cb4ae84a5063ba044e3ce72 files/gs-sources.CAN-2004-0427.patch 460
 MD5 ac42024b6e6ee1e2165914db4b22a61c files/gs-sources.CAN-2004-0178.patch 424
+MD5 c9da1bc82b906f6abc648c056e7bf662 files/gs-sources.FPULockup-53804.patch 354
diff --git a/sys-kernel/gs-sources/files/digest-gs-sources-2.4.25_pre7-r6 b/sys-kernel/gs-sources/files/digest-gs-sources-2.4.25_pre7-r7
index f55b28665921..f55b28665921 100644
--- a/sys-kernel/gs-sources/files/digest-gs-sources-2.4.25_pre7-r6
+++ b/sys-kernel/gs-sources/files/digest-gs-sources-2.4.25_pre7-r7
diff --git a/sys-kernel/gs-sources/files/gs-sources.CAN-2004-0495.patch b/sys-kernel/gs-sources/files/gs-sources.CAN-2004-0495.patch
new file mode 100644
index 000000000000..bea80eac69a9
--- /dev/null
+++ b/sys-kernel/gs-sources/files/gs-sources.CAN-2004-0495.patch
@@ -0,0 +1,655 @@
+--- linux/net/decnet/dn_dev.c.bak	Wed Jun 16 14:42:24 2004
++++ linux/net/decnet/dn_dev.c	Wed Jun 16 14:42:34 2004
+@@ -1070,31 +1070,39 @@ int dnet_gifconf(struct net_device *dev,
+ {
+ 	struct dn_dev *dn_db = (struct dn_dev *)dev->dn_ptr;
+ 	struct dn_ifaddr *ifa;
+-	struct ifreq *ifr = (struct ifreq *)buf;
++	char buffer[DN_IFREQ_SIZE];
++	struct ifreq *ifr = (struct ifreq *)buffer;
++	struct sockaddr_dn *addr = (struct sockaddr_dn *)&ifr->ifr_addr;
+ 	int done = 0;
+ 
+ 	if ((dn_db == NULL) || ((ifa = dn_db->ifa_list) == NULL))
+ 		return 0;
+ 
+ 	for(; ifa; ifa = ifa->ifa_next) {
+-		if (!ifr) {
++		if (!buf) {
+ 			done += sizeof(DN_IFREQ_SIZE);
+ 			continue;
+ 		}
+ 		if (len < DN_IFREQ_SIZE)
+ 			return done;
+-		memset(ifr, 0, DN_IFREQ_SIZE);
++		memset(buffer, 0, DN_IFREQ_SIZE);
+ 
+ 		if (ifa->ifa_label)
+ 			strcpy(ifr->ifr_name, ifa->ifa_label);
+ 		else
+ 			strcpy(ifr->ifr_name, dev->name);
+ 
+-		(*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_family = AF_DECnet;
+-		(*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_add.a_len = 2;
+-		(*(dn_address *)(*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_add.a_addr) = ifa->ifa_local;
++		addr->sdn_family = AF_DECnet;
++		addr->sdn_add.a_len = 2;
++		memcpy(addr->sdn_add.a_addr, &ifa->ifa_local,
++			sizeof(dn_address));
+ 
+-		ifr = (struct ifreq *)((char *)ifr + DN_IFREQ_SIZE);
++		if (copy_to_user(buf, buffer, DN_IFREQ_SIZE)) {
++			done = -EFAULT;
++			break;
++		}
++
++		buf  += DN_IFREQ_SIZE;
+ 		len  -= DN_IFREQ_SIZE;
+ 		done += DN_IFREQ_SIZE;
+ 	}
+--- linux-2.4.21/drivers/net/wireless/airo.c	2003-06-13 15:51:35.000000000 +0100
++++ linux-2.4.21/drivers/net/wireless/airo.c.plasmaroo	2004-06-24 11:09:08.260352168 +0100
+@@ -3012,19 +3012,22 @@
+ 			  size_t len,
+ 			  loff_t *offset )
+ {
+-	int i;
+-	int pos;
++	loff_t pos = *offset;
+ 	struct proc_data *priv = (struct proc_data*)file->private_data;
+ 
+-	if( !priv->rbuffer ) return -EINVAL;
++	if (!priv->rbuffer)
++		return -EINVAL;
+ 
+-	pos = *offset;
+-	for( i = 0; i+pos < priv->readlen && i < len; i++ ) {
+-		if (put_user( priv->rbuffer[i+pos], buffer+i ))
+-			return -EFAULT;
+-	}
+-	*offset += i;
+-	return i;
++	if (pos < 0)
++		return -EINVAL;
++	if (pos >= priv->readlen)
++		return 0;
++	if (len > priv->readlen - pos)
++		len = priv->readlen - pos;
++	if (copy_to_user(buffer, priv->rbuffer + pos, len))
++		return -EFAULT;
++	*offset = pos + len;
++	return len;
+ }
+ 
+ /*
+@@ -3036,24 +3039,24 @@
+ 			   size_t len,
+ 			   loff_t *offset )
+ {
+-	int i;
+-	int pos;
++	loff_t pos = *offset;
+ 	struct proc_data *priv = (struct proc_data*)file->private_data;
+ 
+-	if ( !priv->wbuffer ) {
++	if (!priv->wbuffer)
+ 		return -EINVAL;
+-	}
+-
+-	pos = *offset;
+ 
+-	for( i = 0; i + pos <  priv->maxwritelen &&
+-		     i < len; i++ ) {
+-		if (get_user( priv->wbuffer[i+pos], buffer + i ))
+-			return -EFAULT;
+-	}
+-	if ( i+pos > priv->writelen ) priv->writelen = i+file->f_pos;
+-	*offset += i;
+-	return i;
++	if (pos < 0)
++		return -EINVAL;
++	if (pos >= priv->maxwritelen)
++		return 0;
++	if (len > priv->maxwritelen - pos)
++		len = priv->maxwritelen - pos;
++	if (copy_from_user(priv->wbuffer + pos, buffer, len))
++		return -EFAULT;
++	if (pos + len > priv->writelen)
++		priv->writelen = pos + len;
++	*offset = pos + len;
++	return len;
+ }
+ 
+ static int proc_status_open( struct inode *inode, struct file *file ) {
+--- linux/drivers/sound/mpu401.c.bak	Wed Jun 16 14:42:24 2004
++++ linux/drivers/sound/mpu401.c	Wed Jun 16 14:42:34 2004
+@@ -1493,14 +1493,16 @@ static unsigned long mpu_timer_get_time(
+ static int mpu_timer_ioctl(int dev, unsigned int command, caddr_t arg)
+ {
+ 	int midi_dev = sound_timer_devs[dev]->devlink;
++	int *p = (int *)arg;
+ 
+ 	switch (command)
+ 	{
+ 		case SNDCTL_TMR_SOURCE:
+ 			{
+ 				int parm;
+-	
+-				parm = *(int *) arg;
++
++				if (get_user(parm, p))
++					return -EFAULT;
+ 				parm &= timer_caps;
+ 
+ 				if (parm != 0)
+@@ -1512,7 +1514,9 @@ static int mpu_timer_ioctl(int dev, unsi
+ 					else if (timer_mode & TMR_MODE_SMPTE)
+ 						mpu_cmd(midi_dev, 0x3d, 0);		/* Use SMPTE sync */
+ 				}
+-				return (*(int *) arg = timer_mode);
++				if (put_user(timer_mode, p))
++					return -EFAULT;
++				return timer_mode;
+ 			}
+ 			break;
+ 
+@@ -1537,10 +1541,13 @@ static int mpu_timer_ioctl(int dev, unsi
+ 			{
+ 				int val;
+ 
+-				val = *(int *) arg;
++				if (get_user(val, p))
++					return -EFAULT;
+ 				if (val)
+ 					set_timebase(midi_dev, val);
+-				return (*(int *) arg = curr_timebase);
++				if (put_user(curr_timebase, p))
++					return -EFAULT;
++				return curr_timebase;
+ 			}
+ 			break;
+ 
+@@ -1549,7 +1556,8 @@ static int mpu_timer_ioctl(int dev, unsi
+ 				int val;
+ 				int ret;
+ 
+-				val = *(int *) arg;
++				if (get_user(val, p))
++					return -EFAULT;
+ 
+ 				if (val)
+ 				{
+@@ -1564,7 +1572,9 @@ static int mpu_timer_ioctl(int dev, unsi
+ 					}
+ 					curr_tempo = val;
+ 				}
+-				return (*(int *) arg = curr_tempo);
++				if (put_user(curr_tempo, p))
++					return -EFAULT;
++				return curr_tempo;
+ 			}
+ 			break;
+ 
+@@ -1572,18 +1582,25 @@ static int mpu_timer_ioctl(int dev, unsi
+ 			{
+ 				int val;
+ 
+-				val = *(int *) arg;
++				if (get_user(val, p))
++					return -EFAULT;
+ 				if (val != 0)		/* Can't change */
+ 					return -EINVAL;
+-				return (*(int *) arg = ((curr_tempo * curr_timebase) + 30) / 60);
++				val = (curr_tempo * curr_timebase + 30) / 60;
++				if (put_user(val, p))
++					return -EFAULT;
++				return val;
+ 			}
+ 			break;
+ 
+ 		case SNDCTL_SEQ_GETTIME:
+-			return (*(int *) arg = curr_ticks);
++			if (put_user(curr_ticks, p))
++				return -EFAULT;
++			return curr_ticks;
+ 
+ 		case SNDCTL_TMR_METRONOME:
+-			metronome_mode = *(int *) arg;
++			if (get_user(metronome_mode, p))
++				return -EFAULT;
+ 			setup_metronome(midi_dev);
+ 			return 0;
+ 
+--- linux/drivers/sound/msnd.c.bak	Wed Jun 16 14:42:24 2004
++++ linux/drivers/sound/msnd.c	Wed Jun 16 14:42:34 2004
+@@ -155,13 +155,10 @@ void msnd_fifo_make_empty(msnd_fifo *f)
+ 	f->len = f->tail = f->head = 0;
+ }
+ 
+-int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len, int user)
++int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len)
+ {
+ 	int count = 0;
+ 
+-	if (f->len == f->n)
+-		return 0;
+-
+ 	while ((count < len) && (f->len != f->n)) {
+ 
+ 		int nwritten;
+@@ -177,11 +174,7 @@ int msnd_fifo_write(msnd_fifo *f, const 
+ 				nwritten = len - count;
+ 		}
+ 
+-		if (user) {
+-			if (copy_from_user(f->data + f->tail, buf, nwritten))
+-				return -EFAULT;
+-		} else
+-			isa_memcpy_fromio(f->data + f->tail, (unsigned long) buf, nwritten);
++		isa_memcpy_fromio(f->data + f->tail, (unsigned long) buf, nwritten);
+ 
+ 		count += nwritten;
+ 		buf += nwritten;
+@@ -193,13 +186,10 @@ int msnd_fifo_write(msnd_fifo *f, const 
+ 	return count;
+ }
+ 
+-int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len, int user)
++int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len)
+ {
+ 	int count = 0;
+ 
+-	if (f->len == 0)
+-		return f->len;
+-
+ 	while ((count < len) && (f->len > 0)) {
+ 
+ 		int nread;
+@@ -215,11 +205,7 @@ int msnd_fifo_read(msnd_fifo *f, char *b
+ 				nread = len - count;
+ 		}
+ 
+-		if (user) {
+-			if (copy_to_user(buf, f->data + f->head, nread))
+-				return -EFAULT;
+-		} else
+-			isa_memcpy_toio((unsigned long) buf, f->data + f->head, nread);
++		isa_memcpy_toio((unsigned long) buf, f->data + f->head, nread);
+ 
+ 		count += nread;
+ 		buf += nread;
+--- linux/drivers/sound/msnd.h.bak	Wed Jun 16 14:42:24 2004
++++ linux/drivers/sound/msnd.h	Wed Jun 16 14:42:34 2004
+@@ -266,8 +266,8 @@ void				msnd_fifo_init(msnd_fifo *f);
+ void				msnd_fifo_free(msnd_fifo *f);
+ int				msnd_fifo_alloc(msnd_fifo *f, size_t n);
+ void				msnd_fifo_make_empty(msnd_fifo *f);
+-int				msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len, int user);
+-int				msnd_fifo_read(msnd_fifo *f, char *buf, size_t len, int user);
++int				msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len);
++int				msnd_fifo_read(msnd_fifo *f, char *buf, size_t len);
+ 
+ int				msnd_wait_TXDE(multisound_dev_t *dev);
+ int				msnd_wait_HC0(multisound_dev_t *dev);
+--- linux/drivers/sound/msnd_pinnacle.c.bak	Wed Jun 16 14:42:24 2004
++++ linux/drivers/sound/msnd_pinnacle.c	Wed Jun 16 14:42:34 2004
+@@ -804,7 +804,7 @@ static int dev_release(struct inode *ino
+ 
+ static __inline__ int pack_DARQ_to_DARF(register int bank)
+ {
+-	register int size, n, timeout = 3;
++	register int size, timeout = 3;
+ 	register WORD wTmp;
+ 	LPDAQD DAQD;
+ 
+@@ -825,13 +825,10 @@ static __inline__ int pack_DARQ_to_DARF(
+ 	/* Read data from the head (unprotected bank 1 access okay
+            since this is only called inside an interrupt) */
+ 	outb(HPBLKSEL_1, dev.io + HP_BLKS);
+-	if ((n = msnd_fifo_write(
++	msnd_fifo_write(
+ 		&dev.DARF,
+ 		(char *)(dev.base + bank * DAR_BUFF_SIZE),
+-		size, 0)) <= 0) {
+-		outb(HPBLKSEL_0, dev.io + HP_BLKS);
+-		return n;
+-	}
++		size);
+ 	outb(HPBLKSEL_0, dev.io + HP_BLKS);
+ 
+ 	return 1;
+@@ -853,21 +850,16 @@ static __inline__ int pack_DAPF_to_DAPQ(
+ 		if (protect) {
+ 			/* Critical section: protect fifo in non-interrupt */
+ 			spin_lock_irqsave(&dev.lock, flags);
+-			if ((n = msnd_fifo_read(
++			n = msnd_fifo_read(
+ 				&dev.DAPF,
+ 				(char *)(dev.base + bank_num * DAP_BUFF_SIZE),
+-				DAP_BUFF_SIZE, 0)) < 0) {
+-				spin_unlock_irqrestore(&dev.lock, flags);
+-				return n;
+-			}
++				DAP_BUFF_SIZE);
+ 			spin_unlock_irqrestore(&dev.lock, flags);
+ 		} else {
+-			if ((n = msnd_fifo_read(
++			n = msnd_fifo_read(
+ 				&dev.DAPF,
+ 				(char *)(dev.base + bank_num * DAP_BUFF_SIZE),
+-				DAP_BUFF_SIZE, 0)) < 0) {
+-				return n;
+-			}
++				DAP_BUFF_SIZE);
+ 		}
+ 		if (!n)
+ 			break;
+@@ -894,30 +886,43 @@ static __inline__ int pack_DAPF_to_DAPQ(
+ static int dsp_read(char *buf, size_t len)
+ {
+ 	int count = len;
++	char *page = (char *)__get_free_page(PAGE_SIZE);
++
++	if (!page)
++		return -ENOMEM;
+ 
+ 	while (count > 0) {
+-		int n;
++		int n, k;
+ 		unsigned long flags;
+ 
++		k = PAGE_SIZE;
++		if (k > count)
++			k = count;
++
+ 		/* Critical section: protect fifo in non-interrupt */
+ 		spin_lock_irqsave(&dev.lock, flags);
+-		if ((n = msnd_fifo_read(&dev.DARF, buf, count, 1)) < 0) {
+-			printk(KERN_WARNING LOGNAME ": FIFO read error\n");
+-			spin_unlock_irqrestore(&dev.lock, flags);
+-			return n;
+-		}
++		n = msnd_fifo_read(&dev.DARF, page, k);
+ 		spin_unlock_irqrestore(&dev.lock, flags);
++		if (copy_to_user(buf, page, n)) {
++			free_page((unsigned long)page);
++			return -EFAULT;
++		}
+ 		buf += n;
+ 		count -= n;
+ 
++		if (n == k && count)
++			continue;
++
+ 		if (!test_bit(F_READING, &dev.flags) && dev.mode & FMODE_READ) {
+ 			dev.last_recbank = -1;
+ 			if (chk_send_dsp_cmd(&dev, HDEX_RECORD_START) == 0)
+ 				set_bit(F_READING, &dev.flags);
+ 		}
+ 
+-		if (dev.rec_ndelay)
++		if (dev.rec_ndelay) {
++			free_page((unsigned long)page);
+ 			return count == len ? -EAGAIN : len - count;
++		}
+ 
+ 		if (count > 0) {
+ 			set_bit(F_READBLOCK, &dev.flags);
+@@ -926,41 +931,57 @@ static int dsp_read(char *buf, size_t le
+ 				get_rec_delay_jiffies(DAR_BUFF_SIZE)))
+ 				clear_bit(F_READING, &dev.flags);
+ 			clear_bit(F_READBLOCK, &dev.flags);
+-			if (signal_pending(current))
++			if (signal_pending(current)) {
++				free_page((unsigned long)page);
+ 				return -EINTR;
++			}
+ 		}
+ 	}
+-
++	free_page((unsigned long)page);
+ 	return len - count;
+ }
+ 
+ static int dsp_write(const char *buf, size_t len)
+ {
+ 	int count = len;
++	char *page = (char *)__get_free_page(GFP_KERNEL);
++
++	if (!page)
++		return -ENOMEM;
+ 
+ 	while (count > 0) {
+-		int n;
++		int n, k;
+ 		unsigned long flags;
+ 
++		k = PAGE_SIZE;
++		if (k > count)
++			k = count;
++
++		if (copy_from_user(page, buf, k)) {
++			free_page((unsigned long)page);
++			return -EFAULT;
++		}
++
+ 		/* Critical section: protect fifo in non-interrupt */
+ 		spin_lock_irqsave(&dev.lock, flags);
+-		if ((n = msnd_fifo_write(&dev.DAPF, buf, count, 1)) < 0) {
+-			printk(KERN_WARNING LOGNAME ": FIFO write error\n");
+-			spin_unlock_irqrestore(&dev.lock, flags);
+-			return n;
+-		}
++		n = msnd_fifo_write(&dev.DAPF, page, k);
+ 		spin_unlock_irqrestore(&dev.lock, flags);
+ 		buf += n;
+ 		count -= n;
+ 
++		if (count && n == k)
++			continue;
++
+ 		if (!test_bit(F_WRITING, &dev.flags) && (dev.mode & FMODE_WRITE)) {
+ 			dev.last_playbank = -1;
+ 			if (pack_DAPF_to_DAPQ(1) > 0)
+ 				set_bit(F_WRITING, &dev.flags);
+ 		}
+ 
+-		if (dev.play_ndelay)
++		if (dev.play_ndelay) {
++			free_page((unsigned long)page);
+ 			return count == len ? -EAGAIN : len - count;
++		}
+ 
+ 		if (count > 0) {
+ 			set_bit(F_WRITEBLOCK, &dev.flags);
+@@ -968,11 +989,14 @@ static int dsp_write(const char *buf, si
+ 				&dev.writeblock,
+ 				get_play_delay_jiffies(DAP_BUFF_SIZE));
+ 			clear_bit(F_WRITEBLOCK, &dev.flags);
+-			if (signal_pending(current))
++			if (signal_pending(current)) {
++				free_page((unsigned long)page);
+ 				return -EINTR;
++			}
+ 		}
+ 	}
+ 
++	free_page((unsigned long)page);
+ 	return len - count;
+ }
+ 
+--- linux/drivers/sound/pss.c.bak	Wed Jun 16 14:42:24 2004
++++ linux/drivers/sound/pss.c	Wed Jun 16 14:42:34 2004
+@@ -450,20 +450,36 @@ static void pss_mixer_reset(pss_confdata
+ 	}
+ }
+ 
+-static void arg_to_volume_mono(unsigned int volume, int *aleft)
++static int set_volume_mono(caddr_t p, int *aleft)
+ {
+ 	int left;
++	unsigned volume;
++	if (get_user(volume, (unsigned *)p))
++		return -EFAULT;
+ 	
+-	left = volume & 0x00ff;
++	left = volume & 0xff;
+ 	if (left > 100)
+ 		left = 100;
+ 	*aleft = left;
++	return 0;
+ }
+ 
+-static void arg_to_volume_stereo(unsigned int volume, int *aleft, int *aright)
++static int set_volume_stereo(caddr_t p, int *aleft, int *aright)
+ {
+-	arg_to_volume_mono(volume, aleft);
+-	arg_to_volume_mono(volume >> 8, aright);
++	int left, right;
++	unsigned volume;
++	if (get_user(volume, (unsigned *)p))
++		return -EFAULT;
++
++	left = volume & 0xff;
++	if (left > 100)
++		left = 100;
++	right = (volume >> 8) & 0xff;
++	if (right > 100)
++		right = 100;
++	*aleft = left;
++	*aright = right;
++	return 0;
+ }
+ 
+ static int ret_vol_mono(int left)
+@@ -510,33 +526,38 @@ static int pss_mixer_ioctl (int dev, uns
+ 					return call_ad_mixer(devc, cmd, arg);
+ 				else
+ 				{
+-					if (*(int *)arg != 0)
++					int v;
++					if (get_user(v, (int *)arg))
++						return -EFAULT;
++					if (v != 0)
+ 						return -EINVAL;
+ 					return 0;
+ 				}
+ 			case SOUND_MIXER_VOLUME:
+-				arg_to_volume_stereo(*(unsigned int *)arg, &devc->mixer.volume_l,
+-					&devc->mixer.volume_r); 
++				if (set_volume_stereo(arg,
++					&devc->mixer.volume_l,
++					&devc->mixer.volume_r))
++					return -EFAULT;
+ 				set_master_volume(devc, devc->mixer.volume_l,
+ 					devc->mixer.volume_r);
+ 				return ret_vol_stereo(devc->mixer.volume_l,
+ 					devc->mixer.volume_r);
+ 		  
+ 			case SOUND_MIXER_BASS:
+-				arg_to_volume_mono(*(unsigned int *)arg,
+-					&devc->mixer.bass);
++				if (set_volume_mono(arg, &devc->mixer.bass))
++					return -EFAULT;
+ 				set_bass(devc, devc->mixer.bass);
+ 				return ret_vol_mono(devc->mixer.bass);
+ 		  
+ 			case SOUND_MIXER_TREBLE:
+-				arg_to_volume_mono(*(unsigned int *)arg,
+-					&devc->mixer.treble);
++				if (set_volume_mono(arg, &devc->mixer.treble))
++					return -EFAULT;
+ 				set_treble(devc, devc->mixer.treble);
+ 				return ret_vol_mono(devc->mixer.treble);
+ 		  
+ 			case SOUND_MIXER_SYNTH:
+-				arg_to_volume_mono(*(unsigned int *)arg,
+-					&devc->mixer.synth);
++				if (set_volume_mono(arg, &devc->mixer.synth))
++					return -EFAULT;
+ 				set_synth_volume(devc, devc->mixer.synth);
+ 				return ret_vol_mono(devc->mixer.synth);
+ 		  
+@@ -546,54 +567,67 @@ static int pss_mixer_ioctl (int dev, uns
+ 	}
+ 	else			
+ 	{
++		int val, and_mask = 0, or_mask = 0;
+ 		/*
+ 		 * Return parameters
+ 		 */
+ 		switch (cmdf)
+ 		{
+-
+ 			case SOUND_MIXER_DEVMASK:
+ 				if (call_ad_mixer(devc, cmd, arg) == -EINVAL)
+-					*(int *)arg = 0; /* no mixer devices */
+-				return (*(int *)arg |= SOUND_MASK_VOLUME | SOUND_MASK_BASS | SOUND_MASK_TREBLE | SOUND_MASK_SYNTH);
++					break;
++				and_mask = ~0;
++				or_mask = SOUND_MASK_VOLUME | SOUND_MASK_BASS | SOUND_MASK_TREBLE | SOUND_MASK_SYNTH;
++				break;
+ 		  
+ 			case SOUND_MIXER_STEREODEVS:
+ 				if (call_ad_mixer(devc, cmd, arg) == -EINVAL)
+-					*(int *)arg = 0; /* no stereo devices */
+-				return (*(int *)arg |= SOUND_MASK_VOLUME);
++					break;
++				and_mask = ~0;
++				or_mask = SOUND_MASK_VOLUME;
++				break;
+ 		  
+ 			case SOUND_MIXER_RECMASK:
+ 				if (devc->ad_mixer_dev != NO_WSS_MIXER)
+ 					return call_ad_mixer(devc, cmd, arg);
+-				else
+-					return (*(int *)arg = 0); /* no record devices */
++				break;
+ 
+ 			case SOUND_MIXER_CAPS:
+ 				if (devc->ad_mixer_dev != NO_WSS_MIXER)
+ 					return call_ad_mixer(devc, cmd, arg);
+-				else
+-					return (*(int *)arg = SOUND_CAP_EXCL_INPUT);
++				or_mask = SOUND_CAP_EXCL_INPUT;
++				break;
+ 
+ 			case SOUND_MIXER_RECSRC:
+ 				if (devc->ad_mixer_dev != NO_WSS_MIXER)
+ 					return call_ad_mixer(devc, cmd, arg);
+-				else
+-					return (*(int *)arg = 0); /* no record source */
++				break;
+ 
+ 			case SOUND_MIXER_VOLUME:
+-				return (*(int *)arg = ret_vol_stereo(devc->mixer.volume_l, devc->mixer.volume_r));
++				or_mask =  ret_vol_stereo(devc->mixer.volume_l, devc->mixer.volume_r);
++				break;
+ 			  
+ 			case SOUND_MIXER_BASS:
+-				return (*(int *)arg = ret_vol_mono(devc->mixer.bass));
++				or_mask =  ret_vol_mono(devc->mixer.bass);
++				break;
+ 			  
+ 			case SOUND_MIXER_TREBLE:
+-				return (*(int *)arg = ret_vol_mono(devc->mixer.treble));
++				or_mask = ret_vol_mono(devc->mixer.treble);
++				break;
+ 			  
+ 			case SOUND_MIXER_SYNTH:
+-				return (*(int *)arg = ret_vol_mono(devc->mixer.synth));
++				or_mask = ret_vol_mono(devc->mixer.synth);
++				break;
+ 			default:
+ 				return -EINVAL;
+ 		}
++		if (get_user(val, (int *)arg))
++			return -EFAULT;
++		val &= and_mask;
++		val |= or_mask;
++		if (put_user(val, (int *)arg))
++			return -EFAULT;
++		return val;
+ 	}
+ }
+ 
diff --git a/sys-kernel/gs-sources/files/gs-sources.CAN-2004-0535.patch b/sys-kernel/gs-sources/files/gs-sources.CAN-2004-0535.patch
new file mode 100644
index 000000000000..669fc5fd32fb
--- /dev/null
+++ b/sys-kernel/gs-sources/files/gs-sources.CAN-2004-0535.patch
@@ -0,0 +1,12 @@
+--- drivers/net/e1000/e1000_ethtool.c	2003-06-13 15:51:34.000000000 +0100
++++ drivers/net/e1000/e1000_ethtool.c.plasmaroo	2004-06-24 11:23:32.524963976 +0100
+@@ -468,6 +468,9 @@
+ 
+ 		if(copy_from_user(&regs, addr, sizeof(regs)))
+ 			return -EFAULT;
++		memset(regs_buff, 0, sizeof(regs_buff));
++		if (regs.len > E1000_REGS_LEN)
++			regs.len = E1000_REGS_LEN;
+ 		e1000_ethtool_gregs(adapter, &regs, regs_buff);
+ 		if(copy_to_user(addr, &regs, sizeof(regs)))
+ 			return -EFAULT;
diff --git a/sys-kernel/gs-sources/gs-sources-2.4.25_pre7-r6.ebuild b/sys-kernel/gs-sources/gs-sources-2.4.25_pre7-r7.ebuild
index 3c1c2baa54f5..28ed89244a0d 100644
--- a/sys-kernel/gs-sources/gs-sources-2.4.25_pre7-r6.ebuild
+++ b/sys-kernel/gs-sources/gs-sources-2.4.25_pre7-r7.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2004 Gentoo Technologies, Inc.
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gs-sources/gs-sources-2.4.25_pre7-r6.ebuild,v 1.3 2004/06/23 23:02:00 agriffis Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gs-sources/gs-sources-2.4.25_pre7-r7.ebuild,v 1.1 2004/06/24 21:32:48 plasmaroo Exp $
 
 IUSE="build crypt"
 
@@ -41,7 +41,7 @@ src_unpack() {
 	# Kill patches we aren't suppposed to use, don't worry about
 	# failures, if they aren't there that is a good thing!
 	# This is the ratified crypt USE flag, enables IPSEC and patch-int
-	if ! use crypt; then
+	if [ -z "`use crypt`" ]; then
 		einfo "No Cryptographic support, dropping patches..."
 		for file in 8*;do
 			einfo "Dropping ${file}..."
@@ -60,5 +60,7 @@ src_unpack() {
 	epatch ${FILESDIR}/${PN}.CAN-2004-0181.patch || die "Failed to add the CAN-2004-0181 patch!"
 	epatch ${FILESDIR}/${PN}.CAN-2004-0394.patch || die "Failed to add the CAN-2004-0394 patch!"
 	epatch ${FILESDIR}/${PN}.CAN-2004-0427.patch || die "Failed to add the CAN-2004-0427 patch!"
+	epatch ${FILESDIR}/${PN}.CAN-2004-0495.patch || die "Failed to add the CAN-2004-0495 patch!"
+	epatch ${FILESDIR}/${PN}.CAN-2004-0535.patch || die "Failed to add the CAN-2004-0535 patch!"
 	epatch ${FILESDIR}/${PN}.FPULockup-53804.patch || die "Failed to apply FPU-lockup patch!"
 }
author	Tim Yamin <plasmaroo@gentoo.org>	2004-06-24 21:32:48 +0000
committer	Tim Yamin <plasmaroo@gentoo.org>	2004-06-24 21:32:48 +0000
commit	00e4a88d85c2b178be287f51d9e653e25f48068b (patch)
tree	b553d47eb5eb3c5435e24fe53f4cbc9083822c2e /sys-kernel
parent	(no commit message) (diff)
download	historical-00e4a88d85c2b178be287f51d9e653e25f48068b.tar.gz historical-00e4a88d85c2b178be287f51d9e653e25f48068b.tar.bz2 historical-00e4a88d85c2b178be287f51d9e653e25f48068b.zip