authorPaul Gortmaker <paul.gortmaker@windriver.com>2011-04-15 14:09:36 -0400
committerPaul Gortmaker <paul.gortmaker@windriver.com>2011-04-15 14:20:34 -0400
commitaf6473a01c267aac867b8517ae6d90eeb3372e6a (patch)
treeda83c8e919de1dbfdc9fd9f2a99afcafc0247d2d
parentcaae24b57e5a2420a374e5d515ba7a712ea36c2c (diff)
downloadlongterm-queue-2.6.34-af6473a01c267aac867b8517ae6d90eeb3372e6a.tar.gz
add additional security fixes to next_round
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r--next_round/Bluetooth-bnep-fix-buffer-overflow.patch31
-rw-r--r--next_round/Bluetooth-sco-fix-information-leak-to-userspace.patch30
-rw-r--r--next_round/CAN-Use-inode-instead-of-kernel-address-for-proc-fil.patch43
-rw-r--r--next_round/MIPS-secure_computing-syscall-audit-syscall-number-s.patch44
-rw-r--r--next_round/bridge-netfilter-fix-information-leak.patch33
-rw-r--r--next_round/econet-4-byte-infoleak-to-the-network.patch38
-rw-r--r--next_round/inet_diag-Make-sure-we-actually-run-the-same-bytecod.patch106
-rw-r--r--next_round/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch54
-rw-r--r--next_round/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch56
-rw-r--r--next_round/net-ax25-fix-information-leak-to-userland.patch39
-rw-r--r--next_round/net-fix-rds_iovec-page-count-overflow.patch46
-rw-r--r--next_round/net-tipc-fix-information-leak-to-userland.patch30
-rw-r--r--next_round/netfilter-arp_tables-fix-infoleak-to-userspace.patch54
-rw-r--r--next_round/netfilter-ip_tables-fix-infoleak-to-userspace.patch53
-rw-r--r--next_round/series16
-rw-r--r--next_round/xfs-prevent-leaking-uninitialized-stack-memory-in-FS.patch39
16 files changed, 711 insertions, 1 deletions
diff --git a/next_round/Bluetooth-bnep-fix-buffer-overflow.patch b/next_round/Bluetooth-bnep-fix-buffer-overflow.patch
new file mode 100644
index 0000000..d27b57f
--- /dev/null
+++ b/next_round/Bluetooth-bnep-fix-buffer-overflow.patch
@@ -0,0 +1,31 @@
+From 6a6fd71ee3f72d054d83f1b3ab3c968f081e89ff Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Mon, 14 Feb 2011 13:54:31 +0300
+Subject: [PATCH] Bluetooth: bnep: fix buffer overflow
+
+commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573 upstream.
+
+Struct ca is copied from userspace. It is not checked whether the "device"
+field is NULL terminated. This potentially leads to BUG() inside of
+alloc_netdev_mqs() and/or information leak by creating a device with a name
+made of contents of kernel stack.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
+index 2862f53..d935da7 100644
+--- a/net/bluetooth/bnep/sock.c
++++ b/net/bluetooth/bnep/sock.c
+@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
+ sockfd_put(nsock);
+ return -EBADFD;
+ }
++ ca.device[sizeof(ca.device)-1] = 0;
+
+ err = bnep_add_connection(&ca, nsock);
+ if (!err) {
+--
+1.7.4.4
+
diff --git a/next_round/Bluetooth-sco-fix-information-leak-to-userspace.patch b/next_round/Bluetooth-sco-fix-information-leak-to-userspace.patch
new file mode 100644
index 0000000..02449c3
--- /dev/null
+++ b/next_round/Bluetooth-sco-fix-information-leak-to-userspace.patch
@@ -0,0 +1,30 @@
+From 53fb882e9b974daff7dab842b35f970d052dda90 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Mon, 14 Feb 2011 13:54:26 +0300
+Subject: [PATCH] Bluetooth: sco: fix information leak to userspace
+
+commit c4c896e1471aec3b004a693c689f60be3b17ac86 upstream.
+
+struct sco_conninfo has one padding byte in the end. Local variable
+cinfo of type sco_conninfo is copied to userspace with this uninizialized
+one byte, leading to old stack contents leak.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index ca6b2ad..5fa81fa 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -704,6 +704,7 @@ static int sco_sock_getsockopt_old(struct socket *sock, int optname, char __user
+ break;
+ }
+
++ memset(&cinfo, 0, sizeof(cinfo));
+ cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);
+
+--
+1.7.4.4
+
diff --git a/next_round/CAN-Use-inode-instead-of-kernel-address-for-proc-fil.patch b/next_round/CAN-Use-inode-instead-of-kernel-address-for-proc-fil.patch
new file mode 100644
index 0000000..b186be2
--- /dev/null
+++ b/next_round/CAN-Use-inode-instead-of-kernel-address-for-proc-fil.patch
@@ -0,0 +1,43 @@
+From c148837fae3c1bb54dc3167ab4de6eb769164578 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Sun, 26 Dec 2010 06:54:53 +0000
+Subject: [PATCH] CAN: Use inode instead of kernel address for /proc file
+
+commit 9f260e0efa4766e56d0ac14f1aeea6ee5eb8fe83 upstream.
+
+Since the socket address is just being used as a unique identifier, its
+inode number is an alternative that does not leak potentially sensitive
+information.
+
+CC-ing stable because MITRE has assigned CVE-2010-4565 to the issue.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index b8f7a2f..dd23fb1 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -125,7 +125,7 @@ struct bcm_sock {
+ struct list_head tx_ops;
+ unsigned long dropped_usr_msgs;
+ struct proc_dir_entry *bcm_proc_read;
+- char procname [20]; /* pointer printed in ASCII with \0 */
++ char procname [32]; /* inode number in decimal with \0 */
+ };
+
+ static inline struct bcm_sock *bcm_sk(const struct sock *sk)
+@@ -1523,7 +1523,7 @@ static int bcm_connect(struct socket *sock, struct sockaddr *uaddr, int len,
+
+ if (proc_dir) {
+ /* unique socket address as filename */
+- sprintf(bo->procname, "%p", sock);
++ sprintf(bo->procname, "%lu", sock_i_ino(sk));
+ bo->bcm_proc_read = proc_create_data(bo->procname, 0644,
+ proc_dir,
+ &bcm_proc_fops, sk);
+--
+1.7.4.4
+
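Review bot: `sprintf(bo->procname, "%lu", sock_i_ino(sk));` at L146 still writes into the fixed 32-byte `procname` without a bound; a decimal unsigned long needs at most 21 bytes, so it fits today, but the limit is enforced only by the comment on the array, not by the call. Use the bounded form, `snprintf(bo->procname, sizeof(bo->procname), "%lu", sock_i_ino(sk));`, so a future change to the field or the format cannot silently overrun. The rest of bcm_connect lies outside the hunk.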
diff --git a/next_round/MIPS-secure_computing-syscall-audit-syscall-number-s.patch b/next_round/MIPS-secure_computing-syscall-audit-syscall-number-s.patch
new file mode 100644
index 0000000..4865b74
--- /dev/null
+++ b/next_round/MIPS-secure_computing-syscall-audit-syscall-number-s.patch
@@ -0,0 +1,44 @@
+From de34a0e3a24afe1beef6565f1b7b27ae0bd9b093 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@ftp.linux.org.uk>
+Date: Tue, 28 Sep 2010 18:50:27 +0100
+Subject: [PATCH] MIPS: secure_computing, syscall audit: syscall number should
+ in r2, not r0.
+
+commit e5b377a8fb7b05f27647698ac739a0504cb2bf80 upstream.
+
+As it is, audit_syscall_entry() and secure_computing() get the
+bogus value (0, in fact)
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Cc: linux-kernel@vger.kernel.org
+Cc: linux-arch@vger.kernel.org
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/1697/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
+index c51b95f..c877733 100644
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -536,7 +536,7 @@ asmlinkage void do_syscall_trace(struct pt_regs *regs, int entryexit)
+ {
+ /* do the secure computing check first */
+ if (!entryexit)
+- secure_computing(regs->regs[0]);
++ secure_computing(regs->regs[2]);
+
+ if (unlikely(current->audit_context) && entryexit)
+ audit_syscall_exit(AUDITSC_RESULT(regs->regs[2]),
+@@ -565,7 +565,7 @@ asmlinkage void do_syscall_trace(struct pt_regs *regs, int entryexit)
+
+ out:
+ if (unlikely(current->audit_context) && !entryexit)
+- audit_syscall_entry(audit_arch(), regs->regs[0],
++ audit_syscall_entry(audit_arch(), regs->regs[2],
+ regs->regs[4], regs->regs[5],
+ regs->regs[6], regs->regs[7]);
+ }
+--
+1.7.4.4
+
diff --git a/next_round/bridge-netfilter-fix-information-leak.patch b/next_round/bridge-netfilter-fix-information-leak.patch
new file mode 100644
index 0000000..2b443bb
--- /dev/null
+++ b/next_round/bridge-netfilter-fix-information-leak.patch
@@ -0,0 +1,33 @@
+From d93c63fc5c765ee820d57247764e0669cd03a243 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Mon, 14 Feb 2011 16:49:23 +0100
+Subject: [PATCH] bridge: netfilter: fix information leak
+
+commit d846f71195d57b0bbb143382647c2c6638b04c5a upstream.
+
+Struct tmp is copied from userspace. It is not checked whether the "name"
+field is NULL terminated. This may lead to buffer overflow and passing
+contents of kernel stack as a module name to try_then_request_module() and,
+consequently, to modprobe commandline. It would be seen by all userspace
+processes.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index f0865fd..2b8c983 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1112,6 +1112,8 @@ static int do_replace(struct net *net, const void __user *user,
+ if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
+ return -ENOMEM;
+
++ tmp.name[sizeof(tmp.name) - 1] = 0;
++
+ countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
+ newinfo = vmalloc(sizeof(*newinfo) + countersize);
+ if (!newinfo)
+--
+1.7.4.4
+
diff --git a/next_round/econet-4-byte-infoleak-to-the-network.patch b/next_round/econet-4-byte-infoleak-to-the-network.patch
new file mode 100644
index 0000000..7a0a818
--- /dev/null
+++ b/next_round/econet-4-byte-infoleak-to-the-network.patch
@@ -0,0 +1,38 @@
+From da8bcef8516ae10648795bfae8def8730fff5b97 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Thu, 17 Mar 2011 01:40:10 +0000
+Subject: [PATCH] econet: 4 byte infoleak to the network
+
+commit 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e upstream.
+
+struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
+x86_64. These bytes are not initialized in the variable 'ah' before
+sending 'ah' to the network. This leads to 4 bytes kernel stack
+infoleak.
+
+This bug was introduced before the git epoch.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Acked-by: Phil Blundell <philb@gnu.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
+index 728d389..4a392c9 100644
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -435,10 +435,10 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+ udpdest.sin_addr.s_addr = htonl(network | addr.station);
+ }
+
++ memset(&ah, 0, sizeof(ah));
+ ah.port = port;
+ ah.cb = cb & 0x7f;
+ ah.code = 2; /* magic */
+- ah.pad = 0;
+
+ /* tack our header on the front of the iovec */
+ size = sizeof(struct aunhdr);
+--
+1.7.4.4
+
diff --git a/next_round/inet_diag-Make-sure-we-actually-run-the-same-bytecod.patch b/next_round/inet_diag-Make-sure-we-actually-run-the-same-bytecod.patch
new file mode 100644
index 0000000..b21039e
--- /dev/null
+++ b/next_round/inet_diag-Make-sure-we-actually-run-the-same-bytecod.patch
@@ -0,0 +1,106 @@
+From 915d27013eb3e1408305f6e4b477d2b5fddf7842 Mon Sep 17 00:00:00 2001
+From: Nelson Elhage <nelhage@ksplice.com>
+Date: Wed, 3 Nov 2010 16:35:41 +0000
+Subject: [PATCH] inet_diag: Make sure we actually run the same bytecode we
+ audited.
+
+commit 22e76c849d505d87c5ecf3d3e6742a65f0ff4860 upstream.
+
+We were using nlmsg_find_attr() to look up the bytecode by attribute when
+auditing, but then just using the first attribute when actually running
+bytecode. So, if we received a message with two attribute elements, where only
+the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different
+bytecode strings.
+
+Fix this by consistently using nlmsg_find_attr everywhere.
+
+Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
+Signed-off-by: Thomas Graf <tgraf@infradead.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index e5fa2dd..7403b9b 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -490,9 +490,11 @@ static int inet_csk_diag_dump(struct sock *sk,
+ {
+ struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
+
+- if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
++ if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
+ struct inet_diag_entry entry;
+- struct rtattr *bc = (struct rtattr *)(r + 1);
++ const struct nlattr *bc = nlmsg_find_attr(cb->nlh,
++ sizeof(*r),
++ INET_DIAG_REQ_BYTECODE);
+ struct inet_sock *inet = inet_sk(sk);
+
+ entry.family = sk->sk_family;
+@@ -512,7 +514,7 @@ static int inet_csk_diag_dump(struct sock *sk,
+ entry.dport = ntohs(inet->inet_dport);
+ entry.userlocks = sk->sk_userlocks;
+
+- if (!inet_diag_bc_run(RTA_DATA(bc), RTA_PAYLOAD(bc), &entry))
++ if (!inet_diag_bc_run(nla_data(bc), nla_len(bc), &entry))
+ return 0;
+ }
+
+@@ -527,9 +529,11 @@ static int inet_twsk_diag_dump(struct inet_timewait_sock *tw,
+ {
+ struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
+
+- if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
++ if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
+ struct inet_diag_entry entry;
+- struct rtattr *bc = (struct rtattr *)(r + 1);
++ const struct nlattr *bc = nlmsg_find_attr(cb->nlh,
++ sizeof(*r),
++ INET_DIAG_REQ_BYTECODE);
+
+ entry.family = tw->tw_family;
+ #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
+@@ -548,7 +552,7 @@ static int inet_twsk_diag_dump(struct inet_timewait_sock *tw,
+ entry.dport = ntohs(tw->tw_dport);
+ entry.userlocks = 0;
+
+- if (!inet_diag_bc_run(RTA_DATA(bc), RTA_PAYLOAD(bc), &entry))
++ if (!inet_diag_bc_run(nla_data(bc), nla_len(bc), &entry))
+ return 0;
+ }
+
+@@ -618,7 +622,7 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk,
+ struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct listen_sock *lopt;
+- struct rtattr *bc = NULL;
++ const struct nlattr *bc = NULL;
+ struct inet_sock *inet = inet_sk(sk);
+ int j, s_j;
+ int reqnum, s_reqnum;
+@@ -638,8 +642,9 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk,
+ if (!lopt || !lopt->qlen)
+ goto out;
+
+- if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
+- bc = (struct rtattr *)(r + 1);
++ if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
++ bc = nlmsg_find_attr(cb->nlh, sizeof(*r),
++ INET_DIAG_REQ_BYTECODE);
+ entry.sport = inet->inet_num;
+ entry.userlocks = sk->sk_userlocks;
+ }
+@@ -672,8 +677,8 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk,
+ &ireq->rmt_addr;
+ entry.dport = ntohs(ireq->rmt_port);
+
+- if (!inet_diag_bc_run(RTA_DATA(bc),
+- RTA_PAYLOAD(bc), &entry))
++ if (!inet_diag_bc_run(nla_data(bc),
++ nla_len(bc), &entry))
+ continue;
+ }
+
+--
+1.7.4.4
+
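Review bot: nlmsg_find_attr() at L325-L327 returns NULL when the request carries attributes but none of type INET_DIAG_REQ_BYTECODE, yet `bc` is passed straight to nla_data()/nla_len() at L336 with no NULL check; the same pattern is in inet_twsk_diag_dump (L348/L359) and inet_diag_dump_reqs (L379/L390). This is presumably safe only because inet_diag_rcv_msg, which is not part of this patch, rejects such a request during the bytecode audit before any dump callback runs, and that invariant is worth stating where it is first relied on, e.g. `/* bc != NULL here: inet_diag_rcv_msg rejects dump requests whose attributes lack INET_DIAG_REQ_BYTECODE */`. Each of the three functions starts and ends outside the hunks shown.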
diff --git a/next_round/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch b/next_round/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch
new file mode 100644
index 0000000..f6a2822
--- /dev/null
+++ b/next_round/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch
@@ -0,0 +1,54 @@
+From 42cd9f4416b7a6b6b54d365baf6075fa63428bc3 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Tue, 15 Mar 2011 13:37:13 +0100
+Subject: [PATCH] ipv6: netfilter: ip6_tables: fix infoleak to userspace
+
+commit 6a8ab060779779de8aea92ce3337ca348f973f54 upstream.
+
+Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
+copied from userspace. Fields of these structs that are
+zero-terminated strings are not checked. When they are used as argument
+to a format string containing "%s" in request_module(), some sensitive
+information is leaked to userspace via argument of spawned modprobe
+process.
+
+The first bug was introduced before the git epoch; the second was
+introduced in 3bc3fe5e (v2.6.25-rc1); the third is introduced by
+6b7d31fc (v2.6.15-rc1). To trigger the bug one should have
+CAP_NET_ADMIN.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index 9210e31..542edbf 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1325,6 +1325,7 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
+ /* overflow check */
+ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
++ tmp.name[sizeof(tmp.name)-1] = 0;
+
+ newinfo = xt_alloc_table_info(tmp.size);
+ if (!newinfo)
+@@ -1871,6 +1872,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
+ return -ENOMEM;
+ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
++ tmp.name[sizeof(tmp.name)-1] = 0;
+
+ newinfo = xt_alloc_table_info(tmp.size);
+ if (!newinfo)
+@@ -2100,6 +2102,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+ ret = -EFAULT;
+ break;
+ }
++ rev.name[sizeof(rev.name)-1] = 0;
+
+ if (cmd == IP6T_SO_GET_REVISION_TARGET)
+ target = 1;
+--
+1.7.4.4
+
diff --git a/next_round/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch b/next_round/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch
new file mode 100644
index 0000000..71e1da6
--- /dev/null
+++ b/next_round/irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch
@@ -0,0 +1,56 @@
+From 85a1f8f3899edf07506b1949e1bbbcaec0e8ac7a Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Wed, 22 Dec 2010 13:58:27 +0000
+Subject: [PATCH] irda: prevent integer underflow in IRLMP_ENUMDEVICES
+
+commit fdac1e0697356ac212259f2147aa60c72e334861 upstream.
+
+If the user-provided len is less than the expected offset, the
+IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
+size value. While this isn't be a security issue on x86 because it will
+get caught by the access_ok() check, it may leak large amounts of kernel
+heap on other architectures. In any event, this patch fixes it.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index 6fae047..e63c226 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -2278,6 +2278,14 @@ static int __irda_getsockopt(struct socket *sock, int level, int optname,
+
+ switch (optname) {
+ case IRLMP_ENUMDEVICES:
++
++ /* Offset to first device entry */
++ offset = sizeof(struct irda_device_list) -
++ sizeof(struct irda_device_info);
++
++ if (len < offset)
++ return -EINVAL;
++
+ /* Ask lmp for the current discovery log */
+ discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
+ self->nslots);
+@@ -2287,15 +2295,9 @@ static int __irda_getsockopt(struct socket *sock, int level, int optname,
+ err = 0;
+
+ /* Write total list length back to client */
+- if (copy_to_user(optval, &list,
+- sizeof(struct irda_device_list) -
+- sizeof(struct irda_device_info)))
++ if (copy_to_user(optval, &list, offset))
+ err = -EFAULT;
+
+- /* Offset to first device entry */
+- offset = sizeof(struct irda_device_list) -
+- sizeof(struct irda_device_info);
+-
+ /* Copy the list itself - watch for overflow */
+ if(list.len > 2048)
+ {
+--
+1.7.4.4
+
diff --git a/next_round/net-ax25-fix-information-leak-to-userland.patch b/next_round/net-ax25-fix-information-leak-to-userland.patch
new file mode 100644
index 0000000..70e302d
--- /dev/null
+++ b/next_round/net-ax25-fix-information-leak-to-userland.patch
@@ -0,0 +1,39 @@
+From 7e9f67e1b0bc5ababdadc04a0eb28ecca508c187 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segooon@gmail.com>
+Date: Wed, 10 Nov 2010 10:14:33 -0800
+Subject: [PATCH] net: ax25: fix information leak to userland
+
+commit fe10ae53384e48c51996941b7720ee16995cbcb7 upstream.
+
+Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater
+field of fsa struct, also the struct has padding bytes between
+sax25_call and sax25_ndigis fields. This structure is then copied to
+userland. It leads to leaking of contents of kernel stack memory.
+
+Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index 65c5801..eb100ce 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1392,6 +1392,7 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr,
+ ax25_cb *ax25;
+ int err = 0;
+
++ memset(fsa, 0, sizeof(fsa));
+ lock_sock(sk);
+ ax25 = ax25_sk(sk);
+
+@@ -1403,7 +1404,6 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr,
+
+ fsa->fsa_ax25.sax25_family = AF_AX25;
+ fsa->fsa_ax25.sax25_call = ax25->dest_addr;
+- fsa->fsa_ax25.sax25_ndigis = 0;
+
+ if (ax25->digipeat != NULL) {
+ ndigi = ax25->digipeat->ndigi;
+--
+1.7.4.4
+
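Review bot: `memset(fsa, 0, sizeof(fsa));` at L550 clears only sizeof a pointer, because `fsa` is a pointer (it is dereferenced as `fsa->fsa_ax25.sax25_family` at L556), so on a 64-bit kernel just the first 8 bytes of the sockaddr are zeroed and the padding and fsa_digipeater bytes the description says are leaked are still copied to userland uninitialised. The line should be `memset(fsa, 0, sizeof(*fsa));`. Note that the removed `fsa->fsa_ax25.sax25_ndigis = 0;` at L558 now depends on this memset reaching that field, which the current form does not guarantee. ax25_getname's body continues outside the hunk.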
diff --git a/next_round/net-fix-rds_iovec-page-count-overflow.patch b/next_round/net-fix-rds_iovec-page-count-overflow.patch
new file mode 100644
index 0000000..536709c
--- /dev/null
+++ b/next_round/net-fix-rds_iovec-page-count-overflow.patch
@@ -0,0 +1,46 @@
+From be76ee52b281e51975d638a5f2c6d662b1ffeed0 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 28 Oct 2010 15:40:55 +0000
+Subject: [PATCH] net: fix rds_iovec page count overflow
+
+commit 1b1f693d7ad6d193862dcb1118540a030c5e761f upstream.
+
+As reported by Thomas Pollet, the rdma page counting can overflow. We
+get the rdma sizes in 64-bit unsigned entities, but then limit it to
+UINT_MAX bytes and shift them down to pages (so with a possible "+1" for
+an unaligned address).
+
+So each individual page count fits comfortably in an 'unsigned int' (not
+even close to overflowing into signed), but as they are added up, they
+might end up resulting in a signed return value. Which would be wrong.
+
+Catch the case of tot_pages turning negative, and return the appropriate
+error code.
+
+Reported-by: Thomas Pollet <thomas.pollet@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Andy Grover <andy.grover@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/rds/rdma.c b/net/rds/rdma.c
+index cf0dfa7..a3eb97b 100644
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -498,6 +498,13 @@ static struct rds_rdma_op *rds_rdma_prepare(struct rds_sock *rs,
+
+ max_pages = max(nr, max_pages);
+ nr_pages += nr;
++
++ /*
++ * nr for one entry is limited to (UINT_MAX>>PAGE_SHIFT)+1,
++ * so nr_pages cannot overflow without first going negative.
++ */
++ if ((int)nr_pages < 0)
++ return -EINVAL;
+ }
+
+ pages = kcalloc(max_pages, sizeof(struct page *), GFP_KERNEL);
+--
+1.7.4.4
+
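Review bot: `return -EINVAL;` at L610 is added inside a function the hunk header declares as `static struct rds_rdma_op *rds_rdma_prepare(...)`, so it returns an integer from a pointer-returning function; this compiles only with a warning and is accepted by IS_ERR() in the caller purely because of the bit pattern. The type-correct form is `return ERR_PTR(-EINVAL);`, or, if the function's other error exits use a `ret = ...; goto out;` cleanup path (its tail is outside the hunk), set `ret = -EINVAL;` and `goto out;` so that path is not bypassed. The check itself reads correctly given the per-entry bound stated in the new comment.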
diff --git a/next_round/net-tipc-fix-information-leak-to-userland.patch b/next_round/net-tipc-fix-information-leak-to-userland.patch
new file mode 100644
index 0000000..ec6c68c
--- /dev/null
+++ b/next_round/net-tipc-fix-information-leak-to-userland.patch
@@ -0,0 +1,30 @@
+From 230221d2243b536b3a1435f982e94a37b9e2bfe4 Mon Sep 17 00:00:00 2001
+From: Kulikov Vasiliy <segooon@gmail.com>
+Date: Sun, 31 Oct 2010 07:10:32 +0000
+Subject: [PATCH] net: tipc: fix information leak to userland
+
+commit 88f8a5e3e7defccd3925cabb1ee4d3994e5cdb52 upstream.
+
+Structure sockaddr_tipc is copied to userland with padding bytes after
+"id" field in union field "name" unitialized. It leads to leaking of
+contents of kernel stack memory. We have to initialize them to zero.
+
+Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index cfb20b8..a70214a 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -395,6 +395,7 @@ static int get_name(struct socket *sock, struct sockaddr *uaddr,
+ struct sockaddr_tipc *addr = (struct sockaddr_tipc *)uaddr;
+ struct tipc_sock *tsock = tipc_sk(sock->sk);
+
++ memset(addr, 0, sizeof(*addr));
+ if (peer) {
+ if ((sock->state != SS_CONNECTED) &&
+ ((peer != 2) || (sock->state != SS_DISCONNECTING)))
+--
+1.7.4.4
+
diff --git a/next_round/netfilter-arp_tables-fix-infoleak-to-userspace.patch b/next_round/netfilter-arp_tables-fix-infoleak-to-userspace.patch
new file mode 100644
index 0000000..3b9bbe1
--- /dev/null
+++ b/next_round/netfilter-arp_tables-fix-infoleak-to-userspace.patch
@@ -0,0 +1,54 @@
+From f9df5de9d67acf82d61f0cbb7f8ad8cb21361ba4 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Tue, 15 Mar 2011 13:35:21 +0100
+Subject: [PATCH] netfilter: arp_tables: fix infoleak to userspace
+
+commit 42eab94fff18cb1091d3501cd284d6bd6cc9c143 upstream.
+
+Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
+copied from userspace. Fields of these structs that are
+zero-terminated strings are not checked. When they are used as argument
+to a format string containing "%s" in request_module(), some sensitive
+information is leaked to userspace via argument of spawned modprobe
+process.
+
+The first bug was introduced before the git epoch; the second is
+introduced by 6b7d31fc (v2.6.15-rc1); the third is introduced by
+6b7d31fc (v2.6.15-rc1). To trigger the bug one should have
+CAP_NET_ADMIN.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index f07d77f..baf7997 100644
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -1085,6 +1085,7 @@ static int do_replace(struct net *net, const void __user *user,
+ /* overflow check */
+ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
++ tmp.name[sizeof(tmp.name)-1] = 0;
+
+ newinfo = xt_alloc_table_info(tmp.size);
+ if (!newinfo)
+@@ -1505,6 +1506,7 @@ static int compat_do_replace(struct net *net, void __user *user,
+ return -ENOMEM;
+ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
++ tmp.name[sizeof(tmp.name)-1] = 0;
+
+ newinfo = xt_alloc_table_info(tmp.size);
+ if (!newinfo)
+@@ -1757,6 +1759,7 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
+ ret = -EFAULT;
+ break;
+ }
++ rev.name[sizeof(rev.name)-1] = 0;
+
+ try_then_request_module(xt_find_revision(NFPROTO_ARP, rev.name,
+ rev.revision, 1, &ret),
+--
+1.7.4.4
+
diff --git a/next_round/netfilter-ip_tables-fix-infoleak-to-userspace.patch b/next_round/netfilter-ip_tables-fix-infoleak-to-userspace.patch
new file mode 100644
index 0000000..faa1cc3
--- /dev/null
+++ b/next_round/netfilter-ip_tables-fix-infoleak-to-userspace.patch
@@ -0,0 +1,53 @@
+From 696667bbd11f443d29538d221414215f6582f11d Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Tue, 15 Mar 2011 13:36:05 +0100
+Subject: [PATCH] netfilter: ip_tables: fix infoleak to userspace
+
+commit 78b79876761b86653df89c48a7010b5cbd41a84a upstream.
+
+Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
+copied from userspace. Fields of these structs that are
+zero-terminated strings are not checked. When they are used as argument
+to a format string containing "%s" in request_module(), some sensitive
+information is leaked to userspace via argument of spawned modprobe
+process.
+
+The first and the third bugs were introduced before the git epoch; the
+second was introduced in 2722971c (v2.6.17-rc1). To trigger the bug
+one should have CAP_NET_ADMIN.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index b29c66d..c89ac49 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -1294,6 +1294,7 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
+ /* overflow check */
+ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
++ tmp.name[sizeof(tmp.name)-1] = 0;
+
+ newinfo = xt_alloc_table_info(tmp.size);
+ if (!newinfo)
+@@ -1838,6 +1839,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
+ return -ENOMEM;
+ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
++ tmp.name[sizeof(tmp.name)-1] = 0;
+
+ newinfo = xt_alloc_table_info(tmp.size);
+ if (!newinfo)
+@@ -2067,6 +2069,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+ ret = -EFAULT;
+ break;
+ }
++ rev.name[sizeof(rev.name)-1] = 0;
+
+ if (cmd == IPT_SO_GET_REVISION_TARGET)
+ target = 1;
+--
+1.7.4.4
+
diff --git a/next_round/series b/next_round/series
index 02e0e45..2a7d7f6 100644
--- a/next_round/series
+++ b/next_round/series
@@ -240,4 +240,18 @@ arch-x86-oprofile-op_model_amd.c-Perform-initialisat.patch
epoll-convert-max_user_watches-to-long.patch
fs-call-security_d_instantiate-in-d_obtain_alias-V2.patch
dcdbas-force-SMI-to-happen-when-expected.patch
-
+net-ax25-fix-information-leak-to-userland.patch
+net-tipc-fix-information-leak-to-userland.patch
+inet_diag-Make-sure-we-actually-run-the-same-bytecod.patch
+irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch
+CAN-Use-inode-instead-of-kernel-address-for-proc-fil.patch
+xfs-prevent-leaking-uninitialized-stack-memory-in-FS.patch
+Bluetooth-sco-fix-information-leak-to-userspace.patch
+Bluetooth-bnep-fix-buffer-overflow.patch
+bridge-netfilter-fix-information-leak.patch
+netfilter-arp_tables-fix-infoleak-to-userspace.patch
+netfilter-ip_tables-fix-infoleak-to-userspace.patch
+ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch
+econet-4-byte-infoleak-to-the-network.patch
+net-fix-rds_iovec-page-count-overflow.patch
+MIPS-secure_computing-syscall-audit-syscall-number-s.patch
diff --git a/next_round/xfs-prevent-leaking-uninitialized-stack-memory-in-FS.patch b/next_round/xfs-prevent-leaking-uninitialized-stack-memory-in-FS.patch
new file mode 100644
index 0000000..2f07c8e
--- /dev/null
+++ b/next_round/xfs-prevent-leaking-uninitialized-stack-memory-in-FS.patch
@@ -0,0 +1,39 @@
+From 2fb1867b882254d432b4ad8be9a60791975451ac Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Mon, 14 Feb 2011 13:45:28 +0000
+Subject: [PATCH] xfs: prevent leaking uninitialized stack memory in
+ FSGEOMETRY_V1
+
+commit 3a3675b7f23f83ca8c67c9c2b6edf707fd28d1ba upstream.
+
+The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to
+xfs_fs_geometry() with a version number of 3. This code path does not
+fill in the logsunit member of the passed xfs_fsop_geom_t, leading to
+the leaking of four bytes of uninitialized stack data to potentially
+unprivileged callers.
+
+v2 switches to memset() to avoid future issues if structure members
+change, on suggestion of Dave Chinner.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Reviewed-by: Eugene Teo <eugeneteo@kernel.org>
+Signed-off-by: Alex Elder <aelder@sgi.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/xfs/xfs_fsops.c b/fs/xfs/xfs_fsops.c
+index 37a6f62..4e7f02b 100644
+--- a/fs/xfs/xfs_fsops.c
++++ b/fs/xfs/xfs_fsops.c
+@@ -57,6 +57,9 @@ xfs_fs_geometry(
+ xfs_fsop_geom_t *geo,
+ int new_version)
+ {
++
++ memset(geo, 0, sizeof(*geo));
++
+ geo->blocksize = mp->m_sb.sb_blocksize;
+ geo->rtextsize = mp->m_sb.sb_rextsize;
+ geo->agblocks = mp->m_sb.sb_agblocks;
+--
+1.7.4.4
+