fixup hardened for glibc-2.6 and move into amd64/ia64/ppc/ppc64/x86 unstable

Package-Manager: portage-2.1.3_rc8

5 files changed, 615 insertions, 15 deletions

diff --git a/sys-libs/glibc/Manifest b/sys-libs/glibc/Manifest
index e3fbff19d64d..ba91f048fb87 100644
--- a/sys-libs/glibc/Manifest
+++ b/sys-libs/glibc/Manifest
@@ -1,3 +1,6 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
 AUX 2.3.1/glibc-2.3.1-ctype-compat-v3.patch 2823 RMD160 f1162b7f313f7ea18fb178157d3bd6205d818e3a SHA1 d1dceb79689e9c627ebd630389ec1948d7a0a6e4 SHA256 0bc07eb47578d5bfb98774b18bf07aee2af44a7ccd947602c223b34e0d88394a
 MD5 941f13d27badc76c1e3704c59acaff26 files/2.3.1/glibc-2.3.1-ctype-compat-v3.patch 2823
 RMD160 f1162b7f313f7ea18fb178157d3bd6205d818e3a files/2.3.1/glibc-2.3.1-ctype-compat-v3.patch 2823
@@ -402,6 +405,14 @@ AUX 2.5/glibc-2.5-hardened-pie.patch 1569 RMD160 8746aeb9f9c68ca153d93cf92c9df93
 MD5 43fbcad7f8dbfcc0dd3efed283ae2d0a files/2.5/glibc-2.5-hardened-pie.patch 1569
 RMD160 8746aeb9f9c68ca153d93cf92c9df93d0fb324d6 files/2.5/glibc-2.5-hardened-pie.patch 1569
 SHA256 ff9cde8857c5da89faa4039e2a81748674fbeaaa49d85c378d80711d55f2b0c1 files/2.5/glibc-2.5-hardened-pie.patch 1569
+AUX 2.6/glibc-2.6-gentoo-stack_chk_fail.c 9158 RMD160 25c335af45de2a2d83672b21174dd3baee442faa SHA1 9f4f3a36b967698ee470056abff85131da86ee29 SHA256 38442c5869858f124a36e49c345e3a0efc75da3b17c1258d015685038e4d605f
+MD5 16811b4ed06a5052238b688be8966e63 files/2.6/glibc-2.6-gentoo-stack_chk_fail.c 9158
+RMD160 25c335af45de2a2d83672b21174dd3baee442faa files/2.6/glibc-2.6-gentoo-stack_chk_fail.c 9158
+SHA256 38442c5869858f124a36e49c345e3a0efc75da3b17c1258d015685038e4d605f files/2.6/glibc-2.6-gentoo-stack_chk_fail.c 9158
+AUX 2.6/glibc-2.6-hardened-inittls-nosysenter.patch 8674 RMD160 f4e7df0cb25292afc13e18332569d2ca288fdf92 SHA1 7f34ef26d6607321e0ec5ad0f389cb1aedf5e0da SHA256 cf58ded8fbe9fcb3dc094521feec2588c1520ff2c632b20c69d6a210325c4fcf
+MD5 cebca9f412d4c393f32f9cca68575a5f files/2.6/glibc-2.6-hardened-inittls-nosysenter.patch 8674
+RMD160 f4e7df0cb25292afc13e18332569d2ca288fdf92 files/2.6/glibc-2.6-hardened-inittls-nosysenter.patch 8674
+SHA256 cf58ded8fbe9fcb3dc094521feec2588c1520ff2c632b20c69d6a210325c4fcf files/2.6/glibc-2.6-hardened-inittls-nosysenter.patch 8674
 AUX fix-sysctl_h.patch 376 RMD160 b5dd68158224b09ddc42986be02351c74f81e0a0 SHA1 5601fbea6961368bcc192aef78e96ee2c5310713 SHA256 3a589f63fd1f3f6c5a00c66a10943d3d64630aefb1eb5b37e7f2a856fcea234a
 MD5 e4393f4721a207750581d6265d5f7f40 files/fix-sysctl_h.patch 376
 RMD160 b5dd68158224b09ddc42986be02351c74f81e0a0 files/fix-sysctl_h.patch 376
@@ -460,7 +471,7 @@ DIST glibc-2.5-patches-1.6.tar.bz2 533385 RMD160 4568b467d225b9fc3b5f6cdb9341826
 DIST glibc-2.5-patches-1.7.tar.bz2 535578 RMD160 090764d7267ab1023486d423fbaa00809597bcfd SHA1 718a27f6c9a9de95fa70a54af3bd33621ca7d8a2 SHA256 1f56ee67b56ffa57f3f15aeb75dd6b663187a1ec7958fc323de5d0c51347146c
 DIST glibc-2.5-patches-1.8.tar.bz2 493626 RMD160 925758819ac682dcbcb38a1f3522cff6f3581e5b SHA1 ef09fd0ef5c609ac86c6cef23f377476d4c92fc7 SHA256 d71810e9e25a131633a5681b4a632f09caf4957451ee67f0514b7264314eeb84
 DIST glibc-2.5.tar.bz2 15321839 RMD160 25a0a460c0db1e5b7c570e5087461696f2096fd2 SHA1 ec9a007c4875062099a4701ac9137fcdb5a71447 SHA256 9b2e12bb1eafb55ab2e5a868532b8e6ec39216c66c25b8998d7474bc4d4eb529
-DIST glibc-2.6-patches-1.3.tar.bz2 86529 RMD160 003ca0739f40912752af29351217406dc904b71e SHA1 172079bd339b74b92b6b674de201b00148ff575f SHA256 e6e1a05359c9248ae4185ccd596bb2535e2747833b48563bf3dcfa6f810d9c54
+DIST glibc-2.6-patches-1.4.tar.bz2 88209 RMD160 b0bd771cebbac93d812bf352c02346d84b05c4c1 SHA1 551c71074ee29b3060773d4ad031a6eb42c6665a SHA256 8a20749c5fe874d17174ea4743c74bf5479efeac79f44418814c398713cd4f7d
 DIST glibc-2.6.tar.bz2 15637436 RMD160 9f201f54d41941df299ab88722f4095dd417a5e4 SHA1 33a7d9aab6f0a76161d59341273e46d9aae8fc01 SHA256 f773ae5762c193091df46244ce355e38d358e8f8be088be0dbf934a193063bba
 DIST glibc-fedora-20041219T2331.tar.bz2 761998 RMD160 cfc859a7e0a904cfb340c832267d3377e850cf6e SHA1 31e10b882bb9288831e1a1b2ed0ddece7099ffbd SHA256 e36ffa84388ebb746cb80c37d6fd1acc9e45e07b85c30b0a2ad9f511fae59cec
 DIST glibc-infopages-2.3.5.tar.bz2 1273846 RMD160 14a587e5df98ad113fa1499d2a958efbb47c437a SHA1 bb974b6dacd02161532717a9d8f97248acd6da14 SHA256 79a602955e3cf4288fa9967240b397281594acab18c263d2ef864e7d71aa54e1
@@ -518,10 +529,10 @@ EBUILD glibc-2.5-r4.ebuild 38683 RMD160 14aa5868b50544d1dfec92ba262b1286c5cf3fcd
 MD5 1edf846f3b3534ecb0b880b9d09317c7 glibc-2.5-r4.ebuild 38683
 RMD160 14aa5868b50544d1dfec92ba262b1286c5cf3fcd glibc-2.5-r4.ebuild 38683
 SHA256 faeaedd141626f29e38ddcc5ca39dbd0f9591b5177db2450ee58c7d6ddbe4556 glibc-2.5-r4.ebuild 38683
-EBUILD glibc-2.6.ebuild 38865 RMD160 2baec84454b7fbf9c73d68c5f492ac65ef478a3d SHA1 ff7780efe8bf405b2554ddbdd20f89ea29e2b3f5 SHA256 eb737b5e7dd41692bc09e4651b334f7c8199a5b06fef8bdb63d328b4a66a18b6
-MD5 b04c0146a8f2df6ab52d49706e71056f glibc-2.6.ebuild 38865
-RMD160 2baec84454b7fbf9c73d68c5f492ac65ef478a3d glibc-2.6.ebuild 38865
-SHA256 eb737b5e7dd41692bc09e4651b334f7c8199a5b06fef8bdb63d328b4a66a18b6 glibc-2.6.ebuild 38865
+EBUILD glibc-2.6.ebuild 38894 RMD160 03051eabf32146b33423e83b8557179c4202e973 SHA1 5f59c7a0f69573f7b4fe6a345012c00d0382a493 SHA256 858bcb54b15b8ae8e418200d7331dd883d14d86512db3c2e23fc5771087d1619
+MD5 1ed6c42d3741d404d2b317073d7c769a glibc-2.6.ebuild 38894
+RMD160 03051eabf32146b33423e83b8557179c4202e973 glibc-2.6.ebuild 38894
+SHA256 858bcb54b15b8ae8e418200d7331dd883d14d86512db3c2e23fc5771087d1619 glibc-2.6.ebuild 38894
 MISC ChangeLog 104270 RMD160 8460e8de36c8980c9aa60bacf0df8d8de7845f5d SHA1 fce13dc25160a3a1544ae3d0a9cd42644f492cb0 SHA256 58570f656f7acc0e35cb4b368403b560b6ad930feecb31752971d66dbbb3dc8d
 MD5 84aca5541d1950d83ebd906775964ffb ChangeLog 104270
 RMD160 8460e8de36c8980c9aa60bacf0df8d8de7845f5d ChangeLog 104270
@@ -557,6 +568,13 @@ SHA256 347f49efa2bc3ea4836f4fe5ac10a00ab84ce12b5b64e5f6eecd979c32416dfd files/di
 MD5 8fb737a670df02044e87c750f06bcba3 files/digest-glibc-2.5-r4 1280
 RMD160 8f822529a03eaaa016cf10b653c5507eb2026e08 files/digest-glibc-2.5-r4 1280
 SHA256 6419a0a7af10b901eff6afd36e0982ba7b826e2645ab26b895895eab19bbbc5f files/digest-glibc-2.5-r4 1280
-MD5 108ca416c0fc9da66576e98d7f6dc772 files/digest-glibc-2.6 1006
-RMD160 db5b3def6d25b6cf1b0c8a421a454a7838428273 files/digest-glibc-2.6 1006
-SHA256 17d338bc32e4184e9ed46b45a4275b3be73fb1247365c8edf2164be71cbd5cad files/digest-glibc-2.6 1006
+MD5 1d3063f72e6daf93adfd9bdf95dac34c files/digest-glibc-2.6 1006
+RMD160 4c0a5f6855cebe8ebd04919d803a5c77ef35a9d0 files/digest-glibc-2.6 1006
+SHA256 f51eeddc285765fd2b6001d0e2dec497496bc7e9e540fe25e0d99168bbf5c1a3 files/digest-glibc-2.6 1006
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.5 (GNU/Linux)
+
+iD8DBQFGmSWtp/wUKkr7RBoRArxmAJ97MgGEM3RfRupzrIF/mdCZAzf5ZwCgz9Bk
+3BqWr7B+maTTNpoXvnx4imw=
+=KB21
+-----END PGP SIGNATURE-----
diff --git a/sys-libs/glibc/files/2.6/glibc-2.6-gentoo-stack_chk_fail.c b/sys-libs/glibc/files/2.6/glibc-2.6-gentoo-stack_chk_fail.c
new file mode 100644
index 000000000000..adb5adaba8c3
--- /dev/null
+++ b/sys-libs/glibc/files/2.6/glibc-2.6-gentoo-stack_chk_fail.c
@@ -0,0 +1,309 @@
+/* Copyright (C) 2005 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, write to the Free
+   Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+   02111-1307 USA.  */
+
+/* Copyright (C) 2006-2007 Gentoo Foundation Inc.
+ * License terms as above.
+ *
+ * Hardened Gentoo SSP handler
+ *
+ * An SSP failure handler that does not use functions from the rest of
+ * glibc; it uses the INTERNAL_SYSCALL methods directly.  This ensures
+ * no possibility of recursion into the handler.
+ *
+ * Direct all bug reports to http://bugs.gentoo.org/
+ *
+ * Re-written from the glibc-2.3 Hardened Gentoo SSP handler
+ * by Kevin F. Quinn - <kevquinn[@]gentoo.org>
+ *
+ * The following people contributed to the glibc-2.3 Hardened
+ * Gentoo SSP handler, from which this implementation draws much:
+ *
+ * Ned Ludd - <solar[@]gentoo.org>
+ * Alexander Gabert - <pappy[@]gentoo.org>
+ * The PaX Team - <pageexec[@]freemail.hu>
+ * Peter S. Mazinger - <ps.m[@]gmx.net>
+ * Yoann Vandoorselaere - <yoann[@]prelude-ids.org>
+ * Robert Connolly - <robert[@]linuxfromscratch.org>
+ * Cory Visi <cory[@]visi.name>
+ * Mike Frysinger <vapier[@]gentoo.org>
+ */
+
+#include <errno.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+
+#include <sys/types.h>
+
+#include <sysdep-cancel.h>
+#include <sys/syscall.h>
+#include <bp-checks.h>
+
+#include <kernel-features.h>
+
+#include <alloca.h>
+/* from sysdeps */
+#include <socketcall.h>
+/* for the stuff in bits/socket.h */
+#include <sys/socket.h>
+#include <sys/un.h>
+
+
+/* Sanity check on SYSCALL macro names - force compilation
+ * failure if the names used here do not exist
+ */
+#if !defined __NR_socketcall && !defined __NR_socket
+# error Cannot do syscall socket or socketcall
+#endif
+#if !defined __NR_socketcall && !defined __NR_connect
+# error Cannot do syscall connect or socketcall
+#endif
+#ifndef __NR_write
+# error Cannot do syscall write
+#endif
+#ifndef __NR_close
+# error Cannot do syscall close
+#endif
+#ifndef __NR_getpid
+# error Cannot do syscall getpid
+#endif
+#ifndef __NR_kill
+# error Cannot do syscall kill
+#endif
+#ifndef __NR_exit
+# error Cannot do syscall exit
+#endif
+#ifdef SSP_SMASH_DUMPS_CORE
+# if !defined _KERNEL_NSIG && !defined _NSIG
+#  error No _NSIG or _KERNEL_NSIG for rt_sigaction
+# endif
+# if !defined __NR_sigaction && !defined __NR_rt_sigaction
+#  error Cannot do syscall sigaction or rt_sigaction
+# endif
+/* Although rt_sigaction expects sizeof(sigset_t) - it expects the size
+ * of the _kernel_ sigset_t which is not the same as the user sigset_t.
+ * Most arches have this as _NSIG bits - mips has _KERNEL_NSIG bits for
+ * some reason.
+ */
+# ifdef _KERNEL_NSIG
+#  define _SSP_NSIG _KERNEL_NSIG
+# else
+#  define _SSP_NSIG _NSIG
+# endif
+#endif
+
+/* Define DO_SIGACTION - default to newer rt signal interface but
+ * fallback to old as needed.
+ */
+#ifdef __NR_rt_sigaction
+# define DO_SIGACTION(signum, act, oldact) \
+	INLINE_SYSCALL(rt_sigaction, 4, signum, act, oldact, _SSP_NSIG/8)
+#else
+# define DO_SIGACTION(signum, act, oldact) \
+	INLINE_SYSCALL(sigaction, 3, signum, act, oldact)
+#endif
+
+/* Define DO_SOCKET/DO_CONNECT macros to deal with socketcall vs socket/connect */
+#ifdef __NR_socketcall
+
+# define DO_SOCKET(result, domain, type, protocol) \
+	{socketargs[0] = domain; \
+	socketargs[1] = type; \
+	socketargs[2] = protocol; \
+	socketargs[3] = 0; \
+	result = INLINE_SYSCALL(socketcall, 2, SOCKOP_socket, socketargs);}
+
+# define DO_CONNECT(result,sockfd,serv_addr,addrlen) \
+	{socketargs[0] = sockfd; \
+	socketargs[1] = (unsigned long int)serv_addr; \
+	socketargs[2] = addrlen; \
+	socketargs[3] = 0; \
+	result = INLINE_SYSCALL(socketcall, 2, SOCKOP_connect, socketargs);}
+
+#else
+
+# define DO_SOCKET(result, domain, type, protocol) \
+	{result = INLINE_SYSCALL(socket, 3, domain, type, protocol);}
+
+# define DO_CONNECT(result, sockfd, serv_addr, addrlen) \
+	{result = INLINE_SYSCALL(connect, 3, sockfd, serv_addr, addrlen);}
+
+#endif	/* __NR_socketcall */
+
+
+#ifndef _PATH_LOG
+# define _PATH_LOG "/dev/log"
+#endif
+
+static const char path_log[] = _PATH_LOG;
+
+/* For building glibc with SSP switched on, define __progname to a
+ * constant if building for the run-time loader, to avoid pulling
+ * in more of libc.so into ld.so
+ */
+#ifdef IS_IN_rtld
+static char *__progname = "<rtld>";
+#else
+extern char *__progname;
+#endif
+
+
+/* Common handler code, used by stack_chk_fail and __stack_smash_handler
+ * Inlined to ensure no self-references to the handler within itself.
+ * Data static to avoid putting more than necessary on the stack,
+ * to aid core debugging.
+ */
+__attribute__ ((__noreturn__ , __always_inline__))
+static inline void
+__hardened_gentoo_stack_chk_fail(char func[], int damaged)
+{
+#define MESSAGE_BUFSIZ 256
+	static pid_t pid;
+	static int plen, i;
+	static char message[MESSAGE_BUFSIZ];
+	static const char msg_ssa[] = ": stack smashing attack";
+	static const char msg_inf[] = " in function ";
+	static const char msg_ssd[] = "*** stack smashing detected ***: ";
+	static const char msg_terminated[] = " - terminated\n";
+	static const char msg_report[] = "Report to http://bugs.gentoo.org/\n";
+	static const char msg_unknown[] = "<unknown>";
+#ifdef SSP_SMASH_DUMPS_CORE
+	static struct sigaction default_abort_act;
+#endif
+	static int log_socket, connect_result;
+	static struct sockaddr_un sock;
+#ifdef __NR_socketcall
+	static unsigned long int socketargs[4];
+#endif
+
+	/* Build socket address
+	 */
+	sock.sun_family = AF_UNIX;
+	i = 0;
+	while ((path_log[i] != '\0') && (i<(sizeof(sock.sun_path)-1))) {
+		sock.sun_path[i] = path_log[i];
+		i++;
+	}
+	sock.sun_path[i] = '\0';
+
+	/* Try SOCK_DGRAM connection to syslog */
+	connect_result = -1;
+	DO_SOCKET(log_socket, AF_UNIX, SOCK_DGRAM, 0);
+	if (log_socket != -1)
+		DO_CONNECT(connect_result, log_socket, &sock, sizeof(sock));
+	if (connect_result == -1) {
+		if (log_socket != -1)
+			INLINE_SYSCALL(close, 1, log_socket);
+		/* Try SOCK_STREAM connection to syslog */
+		DO_SOCKET(log_socket, AF_UNIX, SOCK_STREAM, 0);
+		if (log_socket != -1)
+			DO_CONNECT(connect_result, log_socket, &sock, sizeof(sock));
+	}
+
+	/* Build message.  Messages are generated both in the old style and new style,
+	 * so that log watchers that are configured for the old-style message continue
+	 * to work.
+	 */
+#define strconcat(str) \
+		{i=0; while ((str[i] != '\0') && ((i+plen)<(MESSAGE_BUFSIZ-1))) \
+		{\
+			message[plen+i]=str[i];\
+			i++;\
+		}\
+		plen+=i;}
+
+	/* R.Henderson post-gcc-4 style message */
+	plen = 0;
+	strconcat(msg_ssd);
+	if (__progname != (char *)0)
+		strconcat(__progname)
+	else
+		strconcat(msg_unknown);
+	strconcat(msg_terminated);
+
+	/* Write out error message to STDERR, to syslog if open */
+	INLINE_SYSCALL(write, 3, STDERR_FILENO, message, plen);
+	if (connect_result != -1)
+		INLINE_SYSCALL(write, 3, log_socket, message, plen);
+
+	/* Dr. Etoh pre-gcc-4 style message */
+	plen = 0;
+	if (__progname != (char *)0)
+		strconcat(__progname)
+	else
+		strconcat(msg_unknown);
+	strconcat(msg_ssa);
+	strconcat(msg_inf);
+	if (func != NULL)
+		strconcat(func)
+	else
+		strconcat(msg_unknown);
+	strconcat(msg_terminated);
+	/* Write out error message to STDERR, to syslog if open */
+	INLINE_SYSCALL(write, 3, STDERR_FILENO, message, plen);
+	if (connect_result != -1)
+		INLINE_SYSCALL(write, 3, log_socket, message, plen);
+
+	/* Direct reports to bugs.gentoo.org */
+	plen=0;
+	strconcat(msg_report);
+	message[plen++]='\0';
+
+	/* Write out error message to STDERR, to syslog if open */
+	INLINE_SYSCALL(write, 3, STDERR_FILENO, message, plen);
+	if (connect_result != -1)
+		INLINE_SYSCALL(write, 3, log_socket, message, plen);
+
+	if (log_socket != -1)
+		INLINE_SYSCALL(close, 1, log_socket);
+
+	/* Suicide */
+	pid = INLINE_SYSCALL(getpid, 0);
+
+#ifdef SSP_SMASH_DUMPS_CORE
+	/* Remove any user-supplied handler for SIGABRT, before using it */
+	default_abort_act.sa_handler = SIG_DFL;
+	default_abort_act.sa_sigaction = NULL;
+	__sigfillset(&default_abort_act.sa_mask);
+	default_abort_act.sa_flags = 0;
+	if (DO_SIGACTION(SIGABRT, &default_abort_act, NULL) == 0)
+		INLINE_SYSCALL(kill, 2, pid, SIGABRT);
+
+	/* Note; actions cannot be added to SIGKILL */
+	INLINE_SYSCALL(kill, 2, pid, SIGKILL);
+
+	/* In case the kill didn't work, exit anyway
+	 * The loop prevents gcc thinking this routine returns
+	 */
+	while (1)
+		INLINE_SYSCALL(exit, 0);
+}
+
+__attribute__ ((__noreturn__))
+void __stack_chk_fail(void)
+{
+	__hardened_gentoo_stack_chk_fail(NULL, 0);
+}
+
+#ifdef ENABLE_OLD_SSP_COMPAT
+__attribute__ ((__noreturn__))
+void __stack_smash_handler(char func[], int damaged)
+{
+	__hardened_gentoo_stack_chk_fail(func, damaged);
+}
+#endif
diff --git a/sys-libs/glibc/files/2.6/glibc-2.6-hardened-inittls-nosysenter.patch b/sys-libs/glibc/files/2.6/glibc-2.6-hardened-inittls-nosysenter.patch
new file mode 100644
index 000000000000..be8ca1963cb9
--- /dev/null
+++ b/sys-libs/glibc/files/2.6/glibc-2.6-hardened-inittls-nosysenter.patch
@@ -0,0 +1,273 @@
+When building glibc PIE (which is not something upstream support),
+several modifications are necessary to the glibc build process.
+
+First, any syscalls in PIEs must be of the PIC variant, otherwise
+textrels ensue.  Then, any syscalls made before the initialisation
+of the TLS will fail on i386, as the sysenter variant on i386 uses
+the TLS, giving rise to a chicken-and-egg situation.  This patch
+defines a PIC syscall variant that doesn't use sysenter, even when the sysenter
+version is normally used, and uses the non-sysenter version for the brk
+syscall that is performed by the TLS initialisation.  Further, the TLS
+initialisation is moved in this case prior to the initialisation of
+dl_osversion, as that requires further syscalls.
+
+csu/libc-start.c: Move initial TLS initialization to before the
+initialisation of dl_osversion, when INTERNAL_SYSCALL_NOSYSENTER is defined
+
+csu/libc-tls.c: Use the no-sysenter version of sbrk when
+INTERNAL_SYSCALL_NOSYSENTER is defined.
+
+misc/sbrk.c: Define a no-sysenter version of sbrk, using the no-sysenter
+version of brk - if INTERNAL_SYSCALL_NOSYSENTER is defined.
+
+misc/brk.c: Define a no-sysenter version of brk if
+INTERNAL_SYSCALL_NOSYSENTER is defined.
+
+sysdeps/unix/sysv/linux/i386/sysdep.h: Define INTERNAL_SYSCALL_NOSYSENTER
+Make INTERNAL_SYSCALL always use the PIC variant, even if not SHARED.
+
+Patch by Kevin F. Quinn <kevquinn@gentoo.org>
+
+--- csu/libc-start.c
++++ csu/libc-start.c
+@@ -28,6 +28,7 @@
+ extern int __libc_multiple_libcs;
+ 
+ #include <tls.h>
++#include <sysdep.h>
+ #ifndef SHARED
+ # include <dl-osinfo.h>
+ extern void __pthread_initialize_minimal (void);
+@@ -129,6 +130,11 @@
+ #  endif
+   _dl_aux_init (auxvec);
+ # endif
++# ifdef INTERNAL_SYSCALL_NOSYSENTER
++  /* Do the initial TLS initialization before _dl_osversion,
++     since the latter uses the uname syscall.  */
++  __pthread_initialize_minimal ();
++# endif
+ # ifdef DL_SYSDEP_OSCHECK
+   if (!__libc_multiple_libcs)
+     {
+@@ -138,10 +144,12 @@
+     }
+ # endif
+ 
++# ifndef INTERNAL_SYSCALL_NOSYSENTER
+   /* Initialize the thread library at least a bit since the libgcc
+      functions are using thread functions if these are available and
+      we need to setup errno.  */
+   __pthread_initialize_minimal ();
++# endif
+ #endif
+ 
+ # ifndef SHARED
+--- csu/libc-tls.c
++++ csu/libc-tls.c
+@@ -23,6 +23,7 @@
+ #include <unistd.h>
+ #include <stdio.h>
+ #include <sys/param.h>
++#include <sysdep.h>
+ 
+ 
+ #ifdef SHARED
+@@ -29,6 +30,9 @@
+  #error makefile bug, this file is for static only
+ #endif
+ 
++#ifdef INTERNAL_SYSCALL_NOSYSENTER
++extern void *__sbrk_nosysenter (intptr_t __delta);
++#endif
+ extern ElfW(Phdr) *_dl_phdr;
+ extern size_t _dl_phnum;
+ 
+@@ -141,14 +145,26 @@
+ 
+      The initialized value of _dl_tls_static_size is provided by dl-open.c
+      to request some surplus that permits dynamic loading of modules with
+-     IE-model TLS.  */
++     IE-model TLS.
++     
++     Where the normal sbrk would use a syscall that needs the TLS (i386)
++     use the special non-sysenter version instead.  */
+ #if TLS_TCB_AT_TP
+   tcb_offset = roundup (memsz + GL(dl_tls_static_size), tcbalign);
++# ifdef INTERNAL_SYSCALL_NOSYSENTER
++  tlsblock = __sbrk_nosysenter (tcb_offset + tcbsize + max_align);
++# else
+   tlsblock = __sbrk (tcb_offset + tcbsize + max_align);
++# endif
+ #elif TLS_DTV_AT_TP
+   tcb_offset = roundup (tcbsize, align ?: 1);
++# ifdef INTERNAL_SYSCALL_NOSYSENTER
++  tlsblock = __sbrk_nosysenter (tcb_offset + memsz + max_align
++		     + TLS_PRE_TCB_SIZE + GL(dl_tls_static_size));
++# else
+   tlsblock = __sbrk (tcb_offset + memsz + max_align
+ 		     + TLS_PRE_TCB_SIZE + GL(dl_tls_static_size));
++# endif
+   tlsblock += TLS_PRE_TCB_SIZE;
+ #else
+   /* In case a model with a different layout for the TCB and DTV
+--- misc/sbrk.c
++++ misc/sbrk.c
+@@ -18,6 +18,7 @@
+ 
+ #include <unistd.h>
+ #include <errno.h>
++#include <sysdep.h>
+ 
+ /* Defined in brk.c.  */
+ extern void *__curbrk;
+@@ -29,6 +30,35 @@
+ /* Extend the process's data space by INCREMENT.
+    If INCREMENT is negative, shrink data space by - INCREMENT.
+    Return start of new space allocated, or -1 for errors.  */
++#ifdef INTERNAL_SYSCALL_NOSYSENTER
++/* This version is used by csu/libc-tls.c whem initialising the TLS
++   if the SYSENTER version requires the TLS (which it does on i386).
++   Obviously using the TLS before it is initialised is broken. */
++extern int __brk_nosysenter (void *addr);
++void *
++__sbrk_nosysenter (intptr_t increment)
++{
++  void *oldbrk;
++
++  /* If this is not part of the dynamic library or the library is used
++     via dynamic loading in a statically linked program update
++     __curbrk from the kernel's brk value.  That way two separate
++     instances of __brk and __sbrk can share the heap, returning
++     interleaved pieces of it.  */
++  if (__curbrk == NULL || __libc_multiple_libcs)
++    if (__brk_nosysenter (0) < 0)		/* Initialize the break.  */
++      return (void *) -1;
++
++  if (increment == 0)
++    return __curbrk;
++
++  oldbrk = __curbrk;
++  if (__brk_nosysenter (oldbrk + increment) < 0)
++    return (void *) -1;
++
++  return oldbrk;
++}
++#endif
+ void *
+ __sbrk (intptr_t increment)
+ {
+--- sysdeps/unix/sysv/linux/i386/brk.c
++++ sysdeps/unix/sysv/linux/i386/brk.c
+@@ -31,6 +31,30 @@
+    linker.  */
+ weak_alias (__curbrk, ___brk_addr)
+ 
++#ifdef INTERNAL_SYSCALL_NOSYSENTER
++/* This version is used by csu/libc-tls.c whem initialising the TLS
++ * if the SYSENTER version requires the TLS (which it does on i386).
++ * Obviously using the TLS before it is initialised is broken. */
++int
++__brk_nosysenter (void *addr)
++{
++  void *__unbounded newbrk;
++
++  INTERNAL_SYSCALL_DECL (err);
++  newbrk = (void *__unbounded) INTERNAL_SYSCALL_NOSYSENTER (brk, err, 1,
++						 __ptrvalue (addr));
++
++  __curbrk = newbrk;
++
++  if (newbrk < addr)
++    {
++      __set_errno (ENOMEM);
++      return -1;
++    }
++
++  return 0;
++}
++#endif
+ int
+ __brk (void *addr)
+ {
+--- sysdeps/unix/sysv/linux/i386/sysdep.h
++++ sysdeps/unix/sysv/linux/i386/sysdep.h
+@@ -187,7 +187,7 @@
+ /* The original calling convention for system calls on Linux/i386 is
+    to use int $0x80.  */
+ #ifdef I386_USE_SYSENTER
+-# ifdef SHARED
++# if defined SHARED || defined __PIC__
+ #  define ENTER_KERNEL call *%gs:SYSINFO_OFFSET
+ # else
+ #  define ENTER_KERNEL call *_dl_sysinfo
+@@ -358,7 +358,7 @@
+    possible to use more than four parameters.  */
+ #undef INTERNAL_SYSCALL
+ #ifdef I386_USE_SYSENTER
+-# ifdef SHARED
++# if defined SHARED || defined __PIC__
+ #  define INTERNAL_SYSCALL(name, err, nr, args...) \
+   ({									      \
+     register unsigned int resultvar;					      \
+@@ -384,6 +384,18 @@
+     : "0" (name), "i" (offsetof (tcbhead_t, sysinfo))			      \
+       ASMFMT_##nr(args) : "memory", "cc");				      \
+     (int) resultvar; })
++#  define INTERNAL_SYSCALL_NOSYSENTER(name, err, nr, args...) \
++  ({									      \
++    register unsigned int resultvar;					      \
++    EXTRAVAR_##nr							      \
++    asm volatile (							      \
++    LOADARGS_NOSYSENTER_##nr						      \
++    "movl %1, %%eax\n\t"						      \
++    "int $0x80\n\t"							      \
++    RESTOREARGS_NOSYSENTER_##nr						      \
++    : "=a" (resultvar)							      \
++    : "i" (__NR_##name) ASMFMT_##nr(args) : "memory", "cc");		      \
++    (int) resultvar; })
+ # else
+ #  define INTERNAL_SYSCALL(name, err, nr, args...) \
+   ({									      \
+@@ -447,12 +459,20 @@
+ 
+ #define LOADARGS_0
+ #ifdef __PIC__
+-# if defined I386_USE_SYSENTER && defined SHARED
++# if defined I386_USE_SYSENTER && ( defined SHARED || defined __PIC__ )
+ #  define LOADARGS_1 \
+     "bpushl .L__X'%k3, %k3\n\t"
+ #  define LOADARGS_5 \
+     "movl %%ebx, %4\n\t"						      \
+     "movl %3, %%ebx\n\t"
++#  define LOADARGS_NOSYSENTER_1 \
++    "bpushl .L__X'%k2, %k2\n\t"
++#  define LOADARGS_NOSYSENTER_2	LOADARGS_NOSYSENTER_1
++#  define LOADARGS_NOSYSENTER_3	LOADARGS_3
++#  define LOADARGS_NOSYSENTER_4	LOADARGS_3
++#  define LOADARGS_NOSYSENTER_5 \
++    "movl %%ebx, %3\n\t"						      \
++    "movl %2, %%ebx\n\t"
+ # else
+ #  define LOADARGS_1 \
+     "bpushl .L__X'%k2, %k2\n\t"
+@@ -474,11 +495,18 @@
+ 
+ #define RESTOREARGS_0
+ #ifdef __PIC__
+-# if defined I386_USE_SYSENTER && defined SHARED
++# if defined I386_USE_SYSENTER && ( defined SHARED || defined __PIC__ )
+ #  define RESTOREARGS_1 \
+     "bpopl .L__X'%k3, %k3\n\t"
+ #  define RESTOREARGS_5 \
+     "movl %4, %%ebx"
++#  define RESTOREARGS_NOSYSENTER_1 \
++    "bpopl .L__X'%k2, %k2\n\t"
++#  define RESTOREARGS_NOSYSENTER_2	RESTOREARGS_NOSYSENTER_1
++#  define RESTOREARGS_NOSYSENTER_3	RESTOREARGS_3
++#  define RESTOREARGS_NOSYSENTER_4	RESTOREARGS_3
++#  define RESTOREARGS_NOSYSENTER_5 \
++    "movl %3, %%ebx"
+ # else
+ #  define RESTOREARGS_1 \
+     "bpopl .L__X'%k2, %k2\n\t"
diff --git a/sys-libs/glibc/files/digest-glibc-2.6 b/sys-libs/glibc/files/digest-glibc-2.6
index 99efe3547829..073fe790647c 100644
--- a/sys-libs/glibc/files/digest-glibc-2.6
+++ b/sys-libs/glibc/files/digest-glibc-2.6
@@ -1,6 +1,6 @@
-MD5 979d7a6a22f2179d161dcb7cf8e5d2fe glibc-2.6-patches-1.3.tar.bz2 86529
-RMD160 003ca0739f40912752af29351217406dc904b71e glibc-2.6-patches-1.3.tar.bz2 86529
-SHA256 e6e1a05359c9248ae4185ccd596bb2535e2747833b48563bf3dcfa6f810d9c54 glibc-2.6-patches-1.3.tar.bz2 86529
+MD5 58f9c91a22877a8aa7b329f2048a63e4 glibc-2.6-patches-1.4.tar.bz2 88209
+RMD160 b0bd771cebbac93d812bf352c02346d84b05c4c1 glibc-2.6-patches-1.4.tar.bz2 88209
+SHA256 8a20749c5fe874d17174ea4743c74bf5479efeac79f44418814c398713cd4f7d glibc-2.6-patches-1.4.tar.bz2 88209
 MD5 0f471d7cb29dd07786082ad23f787949 glibc-2.6.tar.bz2 15637436
 RMD160 9f201f54d41941df299ab88722f4095dd417a5e4 glibc-2.6.tar.bz2 15637436
 SHA256 f773ae5762c193091df46244ce355e38d358e8f8be088be0dbf934a193063bba glibc-2.6.tar.bz2 15637436
diff --git a/sys-libs/glibc/glibc-2.6.ebuild b/sys-libs/glibc/glibc-2.6.ebuild
index c3cc63f3621f..4f6b98f8e488 100644
--- a/sys-libs/glibc/glibc-2.6.ebuild
+++ b/sys-libs/glibc/glibc-2.6.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2007 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/glibc-2.6.ebuild,v 1.8 2007/07/06 04:05:49 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/glibc-2.6.ebuild,v 1.9 2007/07/14 19:35:41 vapier Exp $
 
 # Here's how the cross-compile logic breaks down ...
 #  CTARGET - machine that will target the binaries
@@ -16,7 +16,7 @@
 #  CHOST = CTARGET  - install into /
 #  CHOST != CTARGET - install into /usr/CTARGET/
 
-KEYWORDS=""
+KEYWORDS="~amd64 ~ia64 ~ppc ~ppc64 ~x86"
 
 BRANCH_UPDATE=""
 
@@ -27,7 +27,7 @@ GLIBC_MANPAGE_VERSION="none"
 GLIBC_INFOPAGE_VERSION="none"
 
 # Gentoo patchset
-PATCH_VER="1.3"
+PATCH_VER="1.4"
 
 GENTOO_TOOLCHAIN_BASE_URI="mirror://gentoo"
 GENTOO_TOOLCHAIN_DEV_URI="http://dev.gentoo.org/~azarah/glibc/XXX http://dev.gentoo.org/~vapier/dist/XXX"
@@ -231,7 +231,7 @@ toolchain-glibc_src_unpack() {
 		epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-inittls-nosysenter.patch
 
 		einfo "Installing Hardened Gentoo SSP handler"
-		cp -f "${FILESDIR}"/2.5/glibc-2.5-gentoo-stack_chk_fail.c \
+		cp -f "${FILESDIR}"/2.6/glibc-2.6-gentoo-stack_chk_fail.c \
 			debug/stack_chk_fail.c || die
 
 		if use debug ; then