summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTim Yamin <plasmaroo@gentoo.org>2004-12-25 13:15:40 +0000
committerTim Yamin <plasmaroo@gentoo.org>2004-12-25 13:15:40 +0000
commit26118403f03d5df6f4c4ac33f78979972cdebe34 (patch)
tree5a13382d34b9de980f6445a772bcc068648986d5 /sys-kernel
parentexcluding speakup as the patch doesn't quite work on 2.6.10. It will be back... (diff)
downloadhistorical-26118403f03d5df6f4c4ac33f78979972cdebe34.tar.gz
historical-26118403f03d5df6f4c4ac33f78979972cdebe34.tar.bz2
historical-26118403f03d5df6f4c4ac33f78979972cdebe34.zip
Security bump for bugs #72452 and #74464; please thank tocharian for the ebuild.
Diffstat (limited to 'sys-kernel')
-rw-r--r--sys-kernel/grsec-sources/ChangeLog9
-rw-r--r--sys-kernel/grsec-sources/files/CAN-2004-1056.patch321
-rw-r--r--sys-kernel/grsec-sources/files/CAN-2004-1074.patch352
-rw-r--r--sys-kernel/grsec-sources/files/digest-grsec-sources-2.4.28.2.0.2-r32
-rw-r--r--sys-kernel/grsec-sources/grsec-sources-2.4.28.2.0.2-r3.ebuild38
5 files changed, 721 insertions, 1 deletions
diff --git a/sys-kernel/grsec-sources/ChangeLog b/sys-kernel/grsec-sources/ChangeLog
index 0bc594da810a..f62a6e030091 100644
--- a/sys-kernel/grsec-sources/ChangeLog
+++ b/sys-kernel/grsec-sources/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-kernel/grsec-sources
# Copyright 2000-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/grsec-sources/ChangeLog,v 1.39 2004/12/15 06:59:46 solar Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/grsec-sources/ChangeLog,v 1.40 2004/12/25 13:15:40 plasmaroo Exp $
+
+*grsec-sources-2.4.28.2.0.2-r3 (25 Dec 2004)
+
+ 25 Dec 2004; <plasmaroo@gentoo.org> +grsec-sources-2.4.28.2.0.2-r3.ebuild,
+ +files/CAN-2004-1056.patch, +files/CAN-2004-1074.patch:
+ Security bump for bugs #72452 and #74464; please thank tocharian for the
+ ebuild.
*grsec-sources-2.4.28.2.0.2-r2 (15 Dec 2004)
diff --git a/sys-kernel/grsec-sources/files/CAN-2004-1056.patch b/sys-kernel/grsec-sources/files/CAN-2004-1056.patch
new file mode 100644
index 000000000000..53b777acaac5
--- /dev/null
+++ b/sys-kernel/grsec-sources/files/CAN-2004-1056.patch
@@ -0,0 +1,321 @@
+diff -ur linux-2.4.28/drivers/char/drm/i810.h linux-2.4.28.plasmaroo/drivers/char/drm/i810.h
+--- linux-2.4.28/drivers/char/drm/i810.h 2003-11-28 18:26:20.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm/i810.h 2004-12-23 16:26:31.000000000 +0000
+@@ -114,4 +114,14 @@
+ #define DRIVER_AGP_BUFFERS_MAP( dev ) \
+ ((drm_i810_private_t *)((dev)->dev_private))->buffer_map
+
++#define LOCK_TEST_WITH_RETURN( dev ) \
++do { \
++ if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) || \
++ dev->lock.pid != current->pid ) { \
++ DRM_ERROR( "%s called without lock held\n", \
++ __FUNCTION__ ); \
++ return -EINVAL; \
++ } \
++} while (0)
++
+ #endif
+diff -ur linux-2.4.28/drivers/char/drm/i810_dma.c linux-2.4.28.plasmaroo/drivers/char/drm/i810_dma.c
+--- linux-2.4.28/drivers/char/drm/i810_dma.c 2004-02-18 13:36:31.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm/i810_dma.c 2004-12-23 16:27:16.000000000 +0000
+@@ -948,10 +948,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ i810_flush_queue(dev);
+ return 0;
+@@ -973,10 +970,7 @@
+ if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL;
+
+@@ -1004,10 +998,7 @@
+ if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ /* GH: Someone's doing nasty things... */
+ if (!dev->dev_private) {
+@@ -1026,10 +1017,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ i810_dma_dispatch_swap( dev );
+ return 0;
+@@ -1064,10 +1052,7 @@
+ if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ d.granted = 0;
+
+@@ -1174,11 +1159,7 @@
+ if (copy_from_user(&mc, (drm_i810_mc_t *)arg, sizeof(mc)))
+ return -EFAULT;
+
+-
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_mc called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ i810_dma_dispatch_mc(dev, dma->buflist[mc.idx], mc.used,
+ mc.last_render );
+@@ -1223,10 +1204,7 @@
+ drm_device_t *dev = priv->dev;
+ drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_fstatus called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+ return I810_READ(0x30008);
+ }
+
+@@ -1237,10 +1215,7 @@
+ drm_device_t *dev = priv->dev;
+ drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_ov0_flip called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ //Tell the overlay to update
+ I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000);
+diff -ur linux-2.4.28/drivers/char/drm/i830.h linux-2.4.28.plasmaroo/drivers/char/drm/i830.h
+--- linux-2.4.28/drivers/char/drm/i830.h 2003-11-28 18:26:20.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm/i830.h 2004-12-23 16:31:33.000000000 +0000
+@@ -154,4 +154,14 @@
+ #define DRIVER_AGP_BUFFERS_MAP( dev ) \
+ ((drm_i830_private_t *)((dev)->dev_private))->buffer_map
+
++#define LOCK_TEST_WITH_RETURN( dev ) \
++do { \
++ if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) || \
++ dev->lock.pid != current->pid ) { \
++ DRM_ERROR( "%s called without lock held\n", \
++ __FUNCTION__ ); \
++ return -EINVAL; \
++ } \
++} while (0)
++
+ #endif
+diff -ur linux-2.4.28/drivers/char/drm/i830_dma.c linux-2.4.28.plasmaroo/drivers/char/drm/i830_dma.c
+--- linux-2.4.28/drivers/char/drm/i830_dma.c 2004-02-18 13:36:31.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm/i830_dma.c 2004-12-23 16:32:08.000000000 +0000
+@@ -1330,10 +1330,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ i830_flush_queue(dev);
+ return 0;
+@@ -1354,10 +1351,7 @@
+ if (copy_from_user(&vertex, (drm_i830_vertex_t *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n",
+ vertex.idx, vertex.used, vertex.discard);
+@@ -1384,10 +1378,7 @@
+ if (copy_from_user(&clear, (drm_i830_clear_t *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ /* GH: Someone's doing nasty things... */
+ if (!dev->dev_private) {
+@@ -1409,10 +1400,7 @@
+
+ DRM_DEBUG("i830_swap_bufs\n");
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ i830_dma_dispatch_swap( dev );
+ return 0;
+@@ -1453,10 +1441,7 @@
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_flip_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ if (!dev_priv->page_flipping)
+ i830_do_init_pageflip( dev );
+@@ -1495,10 +1480,7 @@
+ if (copy_from_user(&d, (drm_i830_dma_t *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ d.granted = 0;
+
+diff -ur linux-2.4.28/drivers/char/drm/i830_irq.c linux-2.4.28.plasmaroo/drivers/char/drm/i830_irq.c
+--- linux-2.4.28/drivers/char/drm/i830_irq.c 2003-11-28 18:26:20.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm/i830_irq.c 2004-12-23 16:39:47.000000000 +0000
+@@ -130,10 +130,7 @@
+ drm_i830_irq_emit_t emit;
+ int result;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_irq_emit called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ if ( !dev_priv ) {
+ DRM_ERROR( "%s called with no initialization\n", __FUNCTION__ );
+diff -ur linux-2.4.28/drivers/char/drm-4.0/drmP.h linux-2.4.28.plasmaroo/drivers/char/drm-4.0/drmP.h
+--- linux-2.4.28/drivers/char/drm-4.0/drmP.h 2004-02-18 13:36:31.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm-4.0/drmP.h 2004-12-23 16:21:30.000000000 +0000
+@@ -294,6 +294,16 @@
+ #define DRM_BUFCOUNT(x) ((x)->count - DRM_LEFTCOUNT(x))
+ #define DRM_WAITCOUNT(dev,idx) DRM_BUFCOUNT(&dev->queuelist[idx]->waitlist)
+
++#define LOCK_TEST_WITH_RETURN( dev ) \
++do { \
++ if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) || \
++ dev->lock.pid != current->pid ) { \
++ DRM_ERROR( "%s called without lock held\n", \
++ __FUNCTION__ ); \
++ return -EINVAL; \
++ } \
++} while (0)
++
+ typedef int drm_ioctl_t(struct inode *inode, struct file *filp,
+ unsigned int cmd, unsigned long arg);
+
+diff -ur linux-2.4.28/drivers/char/drm-4.0/i810_dma.c linux-2.4.28.plasmaroo/drivers/char/drm-4.0/i810_dma.c
+--- linux-2.4.28/drivers/char/drm-4.0/i810_dma.c 2004-02-18 13:36:31.000000000 +0000
++++ linux-2.4.28.plasmaroo/drivers/char/drm-4.0/i810_dma.c 2004-12-23 16:21:30.000000000 +0000
+@@ -1249,10 +1249,7 @@
+ drm_device_t *dev = priv->dev;
+
+ DRM_DEBUG("i810_flush_ioctl\n");
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ i810_flush_queue(dev);
+ return 0;
+@@ -1274,10 +1271,7 @@
+ if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
+ vertex.idx, vertex.used, vertex.discard);
+@@ -1308,10 +1302,7 @@
+ if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ i810_dma_dispatch_clear( dev, clear.flags,
+ clear.clear_color,
+@@ -1327,10 +1318,7 @@
+
+ DRM_DEBUG("i810_swap_bufs\n");
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ i810_dma_dispatch_swap( dev );
+ return 0;
+@@ -1366,10 +1354,7 @@
+ if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ d.granted = 0;
+
+@@ -1399,10 +1384,7 @@
+ drm_i810_buf_priv_t *buf_priv;
+ drm_device_dma_t *dma = dev->dma;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN(dev);
+
+ if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d)))
+ return -EFAULT;
diff --git a/sys-kernel/grsec-sources/files/CAN-2004-1074.patch b/sys-kernel/grsec-sources/files/CAN-2004-1074.patch
new file mode 100644
index 000000000000..57fe2f42bfc0
--- /dev/null
+++ b/sys-kernel/grsec-sources/files/CAN-2004-1074.patch
@@ -0,0 +1,352 @@
+diff -Nru linux-2.4.28/arch/ia64/ia32/binfmt_elf32.c linux-2.4.28-hardened/arch/ia64/ia32/binfmt_elf32.c
+--- linux-2.4.28/arch/ia64/ia32/binfmt_elf32.c 2004-12-21 20:59:35.000000000 -0500
++++ linux-2.4.28-hardened/arch/ia64/ia32/binfmt_elf32.c 2004-12-21 21:07:11.095515536 -0500
+@@ -105,7 +105,11 @@
+ vma->vm_private_data = NULL;
+ down_write(&current->mm->mmap_sem);
+ {
+- insert_vm_struct(current->mm, vma);
++ if (insert_vm_struct(current->mm, vma)) {
++ kmem_cache_free(vm_area_cachep, vma);
++ up_write(&current->mm->mmap_sem);
++ return;
++ }
+ }
+ up_write(&current->mm->mmap_sem);
+ }
+@@ -127,7 +131,11 @@
+ vma->vm_private_data = NULL;
+ down_write(&current->mm->mmap_sem);
+ {
+- insert_vm_struct(current->mm, vma);
++ if (insert_vm_struct(current->mm, vma)) {
++ kmem_cache_free(vm_area_cachep, vma);
++ up_write(&current->mm->mmap_sem);
++ return;
++ }
+ }
+ up_write(&current->mm->mmap_sem);
+ }
+@@ -174,7 +182,7 @@
+ {
+ unsigned long stack_base;
+ struct vm_area_struct *mpnt;
+- int i;
++ int i, ret;
+
+ stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+
+@@ -205,7 +213,11 @@
+ mpnt->vm_pgoff = 0;
+ mpnt->vm_file = NULL;
+ mpnt->vm_private_data = 0;
+- insert_vm_struct(current->mm, mpnt);
++ if ((ret = insert_vm_struct(current->mm, mpnt))) {
++ up_write(&current->mm->mmap_sem);
++ kmem_cache_free(vm_area_cachep, mpnt);
++ return ret;
++ }
+ current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ }
+
+diff -Nru linux-2.4.28/arch/ia64/kernel/perfmon.c linux-2.4.28-hardened/arch/ia64/kernel/perfmon.c
+--- linux-2.4.28/arch/ia64/kernel/perfmon.c 2004-12-21 20:47:22.000000000 -0500
++++ linux-2.4.28-hardened/arch/ia64/kernel/perfmon.c 2004-12-21 21:07:11.102514472 -0500
+@@ -967,7 +967,8 @@
+ * now insert the vma in the vm list for the process, must be
+ * done with mmap lock held
+ */
+- insert_vm_struct(mm, vma);
++ if(insert_vm_struct(mm, vma)) /* Handle -ENOMEM et al. */
++ goto error;
+
+ mm->total_vm += size >> PAGE_SHIFT;
+
+diff -Nru linux-2.4.28/arch/ia64/mm/init.c linux-2.4.28-hardened/arch/ia64/mm/init.c
+--- linux-2.4.28/arch/ia64/mm/init.c 2004-12-21 20:59:35.000000000 -0500
++++ linux-2.4.28-hardened/arch/ia64/mm/init.c 2004-12-21 21:07:11.104514168 -0500
+@@ -105,7 +105,13 @@
+ vma->vm_pgoff = 0;
+ vma->vm_file = NULL;
+ vma->vm_private_data = NULL;
+- insert_vm_struct(current->mm, vma);
++ down_write(&current->mm->mmap_sem);
++ if (insert_vm_struct(current->mm, vma)) {
++ up_write(&current->mm->mmap_sem);
++ kmem_cache_free(vm_area_cachep, vma);
++ return;
++ }
++ up_write(&current->mm->mmap_sem);
+ }
+
+ /* map NaT-page at address zero to speed up speculative dereferencing of NULL: */
+@@ -117,7 +123,13 @@
+ vma->vm_end = PAGE_SIZE;
+ vma->vm_page_prot = __pgprot(pgprot_val(PAGE_READONLY) | _PAGE_MA_NAT);
+ vma->vm_flags = VM_READ | VM_MAYREAD | VM_IO | VM_RESERVED;
+- insert_vm_struct(current->mm, vma);
++ down_write(&current->mm->mmap_sem);
++ if (insert_vm_struct(current->mm, vma)) {
++ up_write(&current->mm->mmap_sem);
++ kmem_cache_free(vm_area_cachep, vma);
++ return;
++ }
++ up_write(&current->mm->mmap_sem);
+ }
+ }
+ }
+diff -Nru linux-2.4.28/arch/ppc/mm/fault.c linux-2.4.28-hardened/arch/ppc/mm/fault.c
+--- linux-2.4.28/arch/ppc/mm/fault.c 2004-12-21 20:57:02.000000000 -0500
++++ linux-2.4.28-hardened/arch/ppc/mm/fault.c 2004-12-21 21:07:11.107513712 -0500
+@@ -83,8 +83,10 @@
+ nopage: pax_syscall_nopage,
+ };
+
+-static void pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
+ {
++ int ret;
++
+ vma->vm_mm = current->mm;
+ vma->vm_start = addr;
+ vma->vm_end = addr + PAGE_SIZE;
+@@ -94,8 +96,15 @@
+ vma->vm_pgoff = 0UL;
+ vma->vm_file = NULL;
+ vma->vm_private_data = NULL;
+- insert_vm_struct(current->mm, vma);
++ ret = insert_vm_struct(current->mm, vma);
++ if(ret != 0)
++ {
++ up_write(&current->mm->mmap_sem);
++ kmem_cache_free(vm_area_cachep, vma);
++ return ret;
++ }
+ ++current->mm->total_vm;
++ return 0;
+ }
+ #endif
+
+@@ -333,7 +342,8 @@
+ return 1;
+ }
+
+- pax_insert_vma(vma, call_syscall);
++ if(pax_insert_vma(vma, call_syscall))
++ return 1; /* VMA overlapping attempt; bye bye! */
+ current->mm->call_syscall = call_syscall;
+ up_write(&current->mm->mmap_sem);
+
+@@ -377,7 +387,8 @@
+ return 1;
+ }
+
+- pax_insert_vma(vma, call_syscall);
++ if(pax_insert_vma(vma, call_syscall))
++ return 1; /* VMA overlapping attempt; bye bye! */
+ current->mm->call_syscall = call_syscall;
+ up_write(&current->mm->mmap_sem);
+
+diff -Nru linux-2.4.28/arch/s390x/kernel/exec32.c linux-2.4.28-hardened/arch/s390x/kernel/exec32.c
+--- linux-2.4.28/arch/s390x/kernel/exec32.c 2004-12-21 20:59:35.000000000 -0500
++++ linux-2.4.28-hardened/arch/s390x/kernel/exec32.c 2004-12-21 21:07:11.109513408 -0500
+@@ -41,7 +41,7 @@
+ {
+ unsigned long stack_base;
+ struct vm_area_struct *mpnt;
+- int i;
++ int i, ret;
+
+ stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+
+@@ -65,7 +65,11 @@
+ mpnt->vm_pgoff = 0;
+ mpnt->vm_file = NULL;
+ mpnt->vm_private_data = (void *) 0;
+- insert_vm_struct(current->mm, mpnt);
++ if ((ret = insert_vm_struct(current->mm, mpnt))) {
++ up_write(&current->mm->mmap_sem);
++ kmem_cache_free(vm_area_cachep, mpnt);
++ return ret;
++ }
+ current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ }
+
+diff -Nru linux-2.4.28/arch/sparc/mm/fault.c linux-2.4.28-hardened/arch/sparc/mm/fault.c
+--- linux-2.4.28/arch/sparc/mm/fault.c 2004-12-21 20:57:02.000000000 -0500
++++ linux-2.4.28-hardened/arch/sparc/mm/fault.c 2004-12-21 21:07:11.111513104 -0500
+@@ -250,8 +250,10 @@
+ nopage: pax_emuplt_nopage,
+ };
+
+-static void pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
+ {
++ int ret;
++
+ vma->vm_mm = current->mm;
+ vma->vm_start = addr;
+ vma->vm_end = addr + PAGE_SIZE;
+@@ -261,8 +263,15 @@
+ vma->vm_pgoff = 0UL;
+ vma->vm_file = NULL;
+ vma->vm_private_data = NULL;
+- insert_vm_struct(current->mm, vma);
++ ret = insert_vm_struct(current->mm, vma);
++ if(ret != 0)
++ {
++ up_write(&current->mm->mmap_sem);
++ kmem_cache_free(vm_area_cachep, vma);
++ return ret;
++ }
+ ++current->mm->total_vm;
++ return 0;
+ }
+
+ /*
+@@ -423,7 +432,8 @@
+ return 1;
+ }
+
+- pax_insert_vma(vma, call_dl_resolve);
++ if(pax_insert_vma(vma, call_dl_resolve))
++ return 1; /* VMA overlapping attempt; bye bye! */
+ current->mm->call_dl_resolve = call_dl_resolve;
+ up_write(&current->mm->mmap_sem);
+
+diff -Nru linux-2.4.28/arch/sparc64/mm/fault.c linux-2.4.28-hardened/arch/sparc64/mm/fault.c
+--- linux-2.4.28/arch/sparc64/mm/fault.c 2004-12-21 20:57:02.000000000 -0500
++++ linux-2.4.28-hardened/arch/sparc64/mm/fault.c 2004-12-21 21:07:11.117512192 -0500
+@@ -338,8 +338,10 @@
+ nopage: pax_emuplt_nopage,
+ };
+
+-static void pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
+ {
++ int ret;
++
+ vma->vm_mm = current->mm;
+ vma->vm_start = addr;
+ vma->vm_end = addr + PAGE_SIZE;
+@@ -349,8 +351,15 @@
+ vma->vm_pgoff = 0UL;
+ vma->vm_file = NULL;
+ vma->vm_private_data = NULL;
+- insert_vm_struct(current->mm, vma);
++ ret = insert_vm_struct(current->mm, vma);
++ if(ret != 0)
++ {
++ up_write(&current->mm->mmap_sem);
++ kmem_cache_free(vm_area_cachep, vma);
++ return ret;
++ }
+ ++current->mm->total_vm;
++ return 0;
+ }
+ #endif
+
+@@ -633,7 +642,8 @@
+ return 1;
+ }
+
+- pax_insert_vma(vma, call_dl_resolve);
++ if(pax_insert_vma(vma, call_dl_resolve))
++ return 1; /* VMA overlapping attempt; bye bye! */
+ current->mm->call_dl_resolve = call_dl_resolve;
+ up_write(&current->mm->mmap_sem);
+
+diff -Nru linux-2.4.28/arch/x86_64/ia32/ia32_binfmt.c linux-2.4.28-hardened/arch/x86_64/ia32/ia32_binfmt.c
+--- linux-2.4.28/arch/x86_64/ia32/ia32_binfmt.c 2004-12-21 20:59:35.000000000 -0500
++++ linux-2.4.28-hardened/arch/x86_64/ia32/ia32_binfmt.c 2004-12-21 21:07:11.122511432 -0500
+@@ -243,7 +243,7 @@
+ {
+ unsigned long stack_base;
+ struct vm_area_struct *mpnt;
+- int i;
++ int i, ret;
+
+ stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+
+@@ -274,7 +274,11 @@
+ mpnt->vm_pgoff = 0;
+ mpnt->vm_file = NULL;
+ mpnt->vm_private_data = (void *) 0;
+- insert_vm_struct(current->mm, mpnt);
++ if ((ret = insert_vm_struct(current->mm, mpnt))) {
++ up_write(&current->mm->mmap_sem);
++ kmem_cache_free(vm_area_cachep, mpnt);
++ return ret;
++ }
+ current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ }
+
+diff -Nru linux-2.4.28/include/linux/mm.h linux-2.4.28-hardened/include/linux/mm.h
+--- linux-2.4.28/include/linux/mm.h 2004-12-21 20:59:35.000000000 -0500
++++ linux-2.4.28-hardened/include/linux/mm.h 2004-12-21 21:07:11.000000000 -0500
+@@ -568,7 +568,7 @@
+ /* mmap.c */
+ extern void lock_vma_mappings(struct vm_area_struct *);
+ extern void unlock_vma_mappings(struct vm_area_struct *);
+-extern void insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
++extern int insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
+ extern void __insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
+ extern void build_mmap_rb(struct mm_struct *);
+ extern void exit_mmap(struct mm_struct *);
+diff -Nru linux-2.4.28/mm/mmap.c linux-2.4.28-hardened/mm/mmap.c
+--- linux-2.4.28/mm/mmap.c 2004-12-21 20:59:35.000000000 -0500
++++ linux-2.4.28-hardened/mm/mmap.c 2004-12-21 21:07:11.000000000 -0500
+@@ -1478,14 +1478,15 @@
+ validate_mm(mm);
+ }
+
+-void insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
++int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
+ {
+ struct vm_area_struct * __vma, * prev;
+ rb_node_t ** rb_link, * rb_parent;
+
+ __vma = find_vma_prepare(mm, vma->vm_start, &prev, &rb_link, &rb_parent);
+ if (__vma && __vma->vm_start < vma->vm_end)
+- BUG();
++ return -ENOMEM;
+ vma_link(mm, vma, prev, rb_link, rb_parent);
+ validate_mm(mm);
++ return 0;
+ }
+--- linux-2.4.28-grsec/fs/exec.c 2004-12-24 15:27:42.000000000 -0500
++++ linux-2.4.28-grsec-2.0.2/fs/exec.c 2004-12-24 15:47:07.208307624 -0500
+@@ -358,7 +358,7 @@
+ {
+ unsigned long stack_base;
+ struct vm_area_struct *mpnt;
+- int i;
++ int i, ret;
+
+ #ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
+ struct vm_area_struct *mpnt_m = NULL;
+@@ -387,7 +387,6 @@
+
+ down_write(&current->mm->mmap_sem);
+ {
+- struct vm_area_struct *vma;
+ mpnt->vm_mm = current->mm;
+ mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p;
+ mpnt->vm_end = STACK_TOP;
+@@ -402,13 +401,11 @@
+ mpnt->vm_pgoff = 0;
+ mpnt->vm_file = NULL;
+ mpnt->vm_private_data = (void *) 0;
+- vma = find_vma(current->mm, mpnt->vm_start);
+- if (vma) {
+- up_write(&current->mm->mmap_sem);
++ if ((ret = insert_vm_struct(current->mm, mpnt))) {
++ up_write(&current->mm->mmap_sem);
+ kmem_cache_free(vm_area_cachep, mpnt);
+- return -ENOMEM;
++ return ret;
+ }
+- insert_vm_struct(current->mm, mpnt);
+ current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+
+ #ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
diff --git a/sys-kernel/grsec-sources/files/digest-grsec-sources-2.4.28.2.0.2-r3 b/sys-kernel/grsec-sources/files/digest-grsec-sources-2.4.28.2.0.2-r3
new file mode 100644
index 000000000000..04b30398565d
--- /dev/null
+++ b/sys-kernel/grsec-sources/files/digest-grsec-sources-2.4.28.2.0.2-r3
@@ -0,0 +1,2 @@
+MD5 2f2e5e29772fdacd04129ba16a24afcf grsecurity-2.0.2-2.4.28.patch.gz 141933
+MD5 ac7735000d185bc7778c08288760a8a3 linux-2.4.28.tar.bz2 31064046
diff --git a/sys-kernel/grsec-sources/grsec-sources-2.4.28.2.0.2-r3.ebuild b/sys-kernel/grsec-sources/grsec-sources-2.4.28.2.0.2-r3.ebuild
new file mode 100644
index 000000000000..8b087bc76f21
--- /dev/null
+++ b/sys-kernel/grsec-sources/grsec-sources-2.4.28.2.0.2-r3.ebuild
@@ -0,0 +1,38 @@
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/grsec-sources/grsec-sources-2.4.28.2.0.2-r3.ebuild,v 1.1 2004/12/25 13:15:40 plasmaroo Exp $
+
+ETYPE="sources"
+UNIPATCH_STRICTORDER="yes"
+inherit kernel-2
+detect_version
+
+OKV="${KV_MAJOR}.${KV_MINOR}.${KV_PATCH/.*/}"
+PATCH_BASE="${PV/${OKV}./}"
+PATCH_BASE="${PATCH_BASE/_/-}"
+EXTRAVERSION="-grsec-${PATCH_BASE}"
+KV_FULL="${OKV}${EXTRAVERSION}"
+
+PATCH_SRC_BASE="grsecurity-${PATCH_BASE}-${OKV}.patch.gz"
+DESCRIPTION="Vanilla sources of the linux kernel with the grsecurity ${PATCH_BASE} patch"
+SRC_URI="http://grsecurity.net/grsecurity-${PATCH_BASE}-${OKV}.patch.gz \
+ http://www.kernel.org/pub/linux/kernel/v2.4/linux-${OKV}.tar.bz2"
+
+HOMEPAGE="http://www.kernel.org/ http://www.grsecurity.net"
+KEYWORDS="x86 sparc ppc alpha amd64 -hppa"
+RESTRICT="buildpkg"
+IUSE=""
+
+UNIPATCH_LIST="${DISTDIR}/${PATCH_SRC_BASE} \
+ ${FILESDIR}/2.4.28-binfmt_a.out.patch \
+ ${FILESDIR}/CAN-2004-1016.patch \
+ ${FILESDIR}/CAN-2004-1074.patch \
+ ${FILESDIR}/CAN-2004-1056.patch"
+
+src_unpack() {
+ kernel-2_src_unpack
+
+ # users are often confused by what settings should be set.
+ # so we provide an example of what a P4 desktop would look like.
+ cp ${FILESDIR}/2.4.24-x86.config gentoo-grsec-custom-example-2.4.2x-x86.config
+}