security update

8 files changed, 987 insertions, 5 deletions

diff --git a/sys-kernel/gentoo-sources/ChangeLog b/sys-kernel/gentoo-sources/ChangeLog
index f9022b842ea4..1b3cbc76548f 100644
--- a/sys-kernel/gentoo-sources/ChangeLog
+++ b/sys-kernel/gentoo-sources/ChangeLog
@@ -1,6 +1,11 @@
 # ChangeLog for sys-kernel/gentoo-sources
 # Copyright 2002-2003 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/ChangeLog,v 1.24 2003/05/10 03:49:27 pfeifer Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/ChangeLog,v 1.25 2003/08/08 03:45:46 aliz Exp $
+
+*gentoo-sources-2.4.20-r6 (08 Aug 2003)
+
+  08 Aug 2003; Daniel Ahlberg <aliz@gentoo.org> gentoo-source-2.4.20-r6.ebuid :
+  Apply a bunch of security fixes.
 
 *gentoo-sources-2.4.20-r5 (10 May 2003)
 
diff --git a/sys-kernel/gentoo-sources/Manifest b/sys-kernel/gentoo-sources/Manifest
index a306c8a76695..b7f5ea5d7810 100644
--- a/sys-kernel/gentoo-sources/Manifest
+++ b/sys-kernel/gentoo-sources/Manifest
@@ -1,12 +1,13 @@
-MD5 dc01cedfa9fa0cd31fdbf12f57ed5e6a ChangeLog 8427
+MD5 49cb6f1f586af93951dc72dc4b1789bc ChangeLog 8581
 MD5 9cc585c615bb29fe4b4468735dcac812 gentoo-sources-2.4.19-r10.ebuild 2122
-MD5 3979719eac65fa98a49f2e14aa90450e gentoo-sources-2.4.20-r6.ebuild 4734
+MD5 fd4722afd6439f260d3fe421bce5a45e gentoo-sources-2.4.20-r6.ebuild 4737
+MD5 c5f2073c7cc7a957decdccff135e5a5d gentoo-sources-2.4.20-r5.ebuild 4580
 MD5 8c31359a134b927f7038539e7dd896d4 files/digest-gentoo-sources-2.4.19-r10 146
-MD5 849223b7d8e6c9c2a22f84b571aa516c files/digest-gentoo-sources-2.4.20-r5 145
 MD5 2ac4fd77e067652901ccf234c9687bb1 files/i810_drm.patch 1247
 MD5 857ff623313f874e811763a2db96e831 files/lcall-DoS.patch 885
 MD5 3bf2f78421fe7eb5babc154d4ad4dbbd files/security.patch1 14328
-MD5 a06275cab7eca31fffb806899fc1b603 files/security.patch2 3594
+MD5 f308aef282ea75ea55d5c6035dafa100 files/security.patch2 4014
 MD5 b40c150e8529876064e1ec409a47984e files/security.patch4 783
 MD5 0d1cdff97252338dc5acc37c5f84d7c6 files/security.patch3 3333
 MD5 849223b7d8e6c9c2a22f84b571aa516c files/digest-gentoo-sources-2.4.20-r6 145
+MD5 849223b7d8e6c9c2a22f84b571aa516c files/digest-gentoo-sources-2.4.20-r5 145
diff --git a/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.20-r6 b/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.20-r6
new file mode 100644
index 000000000000..ba471a1c8d80
--- /dev/null
+++ b/sys-kernel/gentoo-sources/files/digest-gentoo-sources-2.4.20-r6
@@ -0,0 +1,2 @@
+MD5 c439d5c93d7fc9a1480a90842465bb97 linux-2.4.20.tar.bz2 27421046
+MD5 197e927b5fc04c754b039998895b3039 patches-2.4.20-gentoo-r5.tar.bz2 4134962
diff --git a/sys-kernel/gentoo-sources/files/security.patch1 b/sys-kernel/gentoo-sources/files/security.patch1
new file mode 100644
index 000000000000..b5271dca2079
--- /dev/null
+++ b/sys-kernel/gentoo-sources/files/security.patch1
@@ -0,0 +1,526 @@
+diff -Nru a/include/linux/jhash.h b/include/linux/jhash.h
+--- /dev/null	Wed Dec 31 16:00:00 1969
++++ b/include/linux/jhash.h	Mon May  5 16:06:49 2003
+@@ -0,0 +1,161 @@
++#ifndef _LINUX_JHASH_H
++#define _LINUX_JHASH_H
++
++/* jhash.h: Jenkins hash support.
++ *
++ * Copyright (C) 1996 Bob Jenkins (bob_jenkins@burtleburtle.net)
++ *
++ * http://burtleburtle.net/bob/hash/
++ *
++ * These are the credits from Bob's sources:
++ *
++ * lookup2.c, by Bob Jenkins, December 1996, Public Domain.
++ * hash(), hash2(), hash3, and mix() are externally useful functions.
++ * Routines to test the hash are included if SELF_TEST is defined.
++ * You can use this free for any purpose.  It has no warranty.
++ *
++ * Copyright (C) 2003 David S. Miller (davem@redhat.com)
++ *
++ * I've modified Bob's hash to be useful in the Linux kernel, and
++ * any bugs present are surely my fault.  -DaveM
++ */
++
++/* NOTE: Arguments are modified. */
++#define __jhash_mix(a, b, c) \
++{ \
++  a -= b; a -= c; a ^= (c>>13); \
++  b -= c; b -= a; b ^= (a<<8); \
++  c -= a; c -= b; c ^= (b>>13); \
++  a -= b; a -= c; a ^= (c>>12);  \
++  b -= c; b -= a; b ^= (a<<16); \
++  c -= a; c -= b; c ^= (b>>5); \
++  a -= b; a -= c; a ^= (c>>3);  \
++  b -= c; b -= a; b ^= (a<<10); \
++  c -= a; c -= b; c ^= (b>>15); \
++}
++
++/* The golden ration: an arbitrary value */
++#define JHASH_GOLDEN_RATIO	0x9e3779b9
++
++/* The most generic version, hashes an arbitrary sequence
++ * of bytes.  No alignment or length assumptions are made about
++ * the input key.
++ */
++static __inline__ u32 jenkins_hash(void *key, u32 length, u32 initval)
++{
++	u32 a, b, c, len;
++	u8 *k = key;
++
++	len = length;
++	a = b = JHASH_GOLDEN_RATIO;
++	c = initval;
++
++	while (len >= 12) {
++		a += (k[0] +((u32)k[1]<<8) +((u32)k[2]<<16) +((u32)k[3]<<24));
++		b += (k[4] +((u32)k[5]<<8) +((u32)k[6]<<16) +((u32)k[7]<<24));
++		c += (k[8] +((u32)k[9]<<8) +((u32)k[10]<<16)+((u32)k[11]<<24));
++
++		__jhash_mix(a,b,c);
++
++		k += 12;
++		len -= 12;
++	}
++
++	c += length;
++	switch (len) {
++	case 11: c += ((u32)k[10]<<24);
++	case 10: c += ((u32)k[9]<<16);
++	case 9 : c += ((u32)k[8]<<8);
++	case 8 : b += ((u32)k[7]<<24);
++	case 7 : b += ((u32)k[6]<<16);
++	case 6 : b += ((u32)k[5]<<8);
++	case 5 : b += k[4];
++	case 4 : a += ((u32)k[3]<<24);
++	case 3 : a += ((u32)k[2]<<16);
++	case 2 : a += ((u32)k[1]<<8);
++	case 1 : a += k[0];
++	};
++
++	__jhash_mix(a,b,c);
++
++	return c;
++}
++
++/* A special optimized version that handles 1 or more of u32s.
++ * The length parameter here is the number of u32s in the key.
++ */
++static __inline__ u32 hash2(u32 *k, u32 length, u32 initval)
++{
++	u32 a, b, c, len;
++
++	a = b = JHASH_GOLDEN_RATIO;
++	c = initval;
++	len = length;
++
++	while (len >= 3) {
++		a += k[0];
++		b += k[1];
++		c += k[2];
++		__jhash_mix(a, b, c);
++		k += 3; len -= 3;
++	}
++
++	c += length * 4;
++
++	switch (len) {
++	case 2 : b += k[1];
++	case 1 : a += k[0];
++	};
++
++	__jhash_mix(a,b,c);
++
++	return c;
++}
++
++
++/* A special ultra-optimized versions that knows they are hashing exactly
++ * 3, 2 or 1 word(s).
++ *
++ * NOTE: In partilar the "c += length; __jhash_mix(a,b,c);" normally
++ *       done at the end is not done here.
++ */
++static __inline__ u32 jenkins_hash_3words(u32 a, u32 b, u32 c,
++					  u32 initval)
++{
++	a += JHASH_GOLDEN_RATIO;
++	b += JHASH_GOLDEN_RATIO;
++	c += initval;
++
++	__jhash_mix(a, b, c);
++
++	return c;
++}
++
++static __inline__ u32 jenkins_hash_2words(u32 a, u32 b, u32 initval)
++{
++	u32 c = 0;
++
++	a += JHASH_GOLDEN_RATIO;
++	b += JHASH_GOLDEN_RATIO;
++	c += initval;
++
++	__jhash_mix(a, b, c);
++
++	return c;
++}
++
++static __inline__ u32 jenkins_hash_1word(u32 a, u32 initval)
++{
++	u32 b = 0;
++	u32 c = 0;
++
++	a += JHASH_GOLDEN_RATIO;
++	b += JHASH_GOLDEN_RATIO;
++	c += initval;
++
++	__jhash_mix(a, b, c);
++
++	return c;
++}
++
++#endif /* _LINUX_JHASH_H */
+diff -Nru a/include/linux/sysctl.h b/include/linux/sysctl.h
+--- a/include/linux/sysctl.h	Mon May  5 16:06:49 2003
++++ b/include/linux/sysctl.h	Mon May  5 16:06:49 2003
+@@ -315,7 +315,8 @@
+ 	NET_IPV4_ROUTE_GC_ELASTICITY=14,
+ 	NET_IPV4_ROUTE_MTU_EXPIRES=15,
+ 	NET_IPV4_ROUTE_MIN_PMTU=16,
+-	NET_IPV4_ROUTE_MIN_ADVMSS=17
++	NET_IPV4_ROUTE_MIN_ADVMSS=17,
++	NET_IPV4_ROUTE_SECRET_INTERVAL=18,
+ };
+ 
+ enum
+diff -Nru a/include/net/tcp.h b/include/net/tcp.h
+--- a/include/net/tcp.h	Mon May  5 16:06:49 2003
++++ b/include/net/tcp.h	Mon May  5 16:06:49 2003
+@@ -1604,6 +1604,7 @@
+ 	int			qlen;
+ 	int			qlen_young;
+ 	int			clock_hand;
++	u32			hash_rnd;
+ 	struct open_request	*syn_table[TCP_SYNQ_HSIZE];
+ };
+ 
+diff -Nru a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
+--- a/net/ipv4/netfilter/ip_conntrack_core.c	Mon May  5 16:06:49 2003
++++ b/net/ipv4/netfilter/ip_conntrack_core.c	Mon May  5 16:06:49 2003
+@@ -28,6 +28,8 @@
+ #include <linux/stddef.h>
+ #include <linux/sysctl.h>
+ #include <linux/slab.h>
++#include <linux/random.h>
++#include <linux/jhash.h>
+ /* For ERR_PTR().  Yeah, I know... --RR */
+ #include <linux/fs.h>
+ 
+@@ -104,20 +106,21 @@
+ 	nf_conntrack_put(&ct->infos[0]);
+ }
+ 
+-static inline u_int32_t
++static int ip_conntrack_hash_rnd_initted;
++static unsigned int ip_conntrack_hash_rnd;
++
++static u_int32_t
+ hash_conntrack(const struct ip_conntrack_tuple *tuple)
+ {
+ #if 0
+ 	dump_tuple(tuple);
+ #endif
+-	/* ntohl because more differences in low bits. */
+-	/* To ensure that halves of the same connection don't hash
+-	   clash, we add the source per-proto again. */
+-	return (ntohl(tuple->src.ip + tuple->dst.ip
+-		     + tuple->src.u.all + tuple->dst.u.all
+-		     + tuple->dst.protonum)
+-		+ ntohs(tuple->src.u.all))
+-		% ip_conntrack_htable_size;
++	return (jenkins_hash_3words(tuple->src.ip,
++				    (tuple->dst.ip ^ tuple->dst.protonum),
++				    (tuple->src.u.all |
++				     (tuple->dst.u.all << 16)),
++				    ip_conntrack_hash_rnd)
++		% ip_conntrack_htable_size);
+ }
+ 
+ inline int
+@@ -633,11 +636,16 @@
+ {
+ 	struct ip_conntrack *conntrack;
+ 	struct ip_conntrack_tuple repl_tuple;
+-	size_t hash, repl_hash;
++	size_t hash;
+ 	struct ip_conntrack_expect *expected;
+ 	int i;
+ 	static unsigned int drop_next = 0;
+ 
++	if (!ip_conntrack_hash_rnd_initted) {
++		get_random_bytes(&ip_conntrack_hash_rnd, 4);
++		ip_conntrack_hash_rnd_initted = 1;
++	}
++
+ 	hash = hash_conntrack(tuple);
+ 
+ 	if (ip_conntrack_max &&
+@@ -661,7 +669,6 @@
+ 		DEBUGP("Can't invert tuple.\n");
+ 		return NULL;
+ 	}
+-	repl_hash = hash_conntrack(&repl_tuple);
+ 
+ 	conntrack = kmem_cache_alloc(ip_conntrack_cachep, GFP_ATOMIC);
+ 	if (!conntrack) {
+@@ -1428,7 +1435,7 @@
+ 	ip_conntrack_max = 8 * ip_conntrack_htable_size;
+ 
+ 	printk("ip_conntrack version %s (%u buckets, %d max)"
+-	       " - %d bytes per conntrack\n", IP_CONNTRACK_VERSION,
++	       " - %Zd bytes per conntrack\n", IP_CONNTRACK_VERSION,
+ 	       ip_conntrack_htable_size, ip_conntrack_max,
+ 	       sizeof(struct ip_conntrack));
+ 
+diff -Nru a/net/ipv4/route.c b/net/ipv4/route.c
+--- a/net/ipv4/route.c	Mon May  5 16:06:49 2003
++++ b/net/ipv4/route.c	Mon May  5 16:06:49 2003
+@@ -85,6 +85,7 @@
+ #include <linux/mroute.h>
+ #include <linux/netfilter_ipv4.h>
+ #include <linux/random.h>
++#include <linux/jhash.h>
+ #include <net/protocol.h>
+ #include <net/ip.h>
+ #include <net/route.h>
+@@ -117,13 +118,14 @@
+ int ip_rt_mtu_expires		= 10 * 60 * HZ;
+ int ip_rt_min_pmtu		= 512 + 20 + 20;
+ int ip_rt_min_advmss		= 256;
+-
++int ip_rt_secret_interval	= 10 * 60 * HZ;
+ static unsigned long rt_deadline;
+ 
+ #define RTprint(a...)	printk(KERN_DEBUG a)
+ 
+ static struct timer_list rt_flush_timer;
+ static struct timer_list rt_periodic_timer;
++static struct timer_list rt_secret_timer;
+ 
+ /*
+  *	Interface to generic destination cache.
+@@ -194,19 +196,17 @@
+ static struct rt_hash_bucket 	*rt_hash_table;
+ static unsigned			rt_hash_mask;
+ static int			rt_hash_log;
++static unsigned int		rt_hash_rnd;
+ 
+ struct rt_cache_stat rt_cache_stat[NR_CPUS];
+ 
+ static int rt_intern_hash(unsigned hash, struct rtable *rth,
+ 				struct rtable **res);
+ 
+-static __inline__ unsigned rt_hash_code(u32 daddr, u32 saddr, u8 tos)
++static unsigned int rt_hash_code(u32 daddr, u32 saddr, u8 tos)
+ {
+-	unsigned hash = ((daddr & 0xF0F0F0F0) >> 4) |
+-			((daddr & 0x0F0F0F0F) << 4);
+-	hash ^= saddr ^ tos;
+-	hash ^= (hash >> 16);
+-	return (hash ^ (hash >> 8)) & rt_hash_mask;
++	return (jenkins_hash_3words(daddr, saddr, (u32) tos, rt_hash_rnd)
++		& rt_hash_mask);
+ }
+ 
+ static int rt_cache_get_info(char *buffer, char **start, off_t offset,
+@@ -479,6 +479,15 @@
+ 	spin_unlock_bh(&rt_flush_lock);
+ }
+ 
++static void rt_secret_rebuild(unsigned long dummy)
++{
++	unsigned long now = jiffies;
++
++	get_random_bytes(&rt_hash_rnd, 4);
++	rt_cache_flush(0);
++	mod_timer(&rt_secret_timer, now + ip_rt_secret_interval);
++}
++
+ /*
+    Short description of GC goals.
+ 
+@@ -2414,6 +2423,15 @@
+ 		mode:		0644,
+ 		proc_handler:	&proc_dointvec,
+ 	},
++	{
++		ctl_name:	NET_IPV4_ROUTE_SECRET_INTERVAL,
++		procname:	"secret_interval",
++		data:		&ip_rt_secret_interval,
++		maxlen:		sizeof(int),
++		mode:		0644,
++		proc_handler:	&proc_dointvec_jiffies,
++		strategy:	&sysctl_jiffies,
++	},
+ 	 { 0 }
+ };
+ #endif
+@@ -2444,15 +2462,25 @@
+ 		*eof = 1;
+ 	}
+ 
+-	/* Copy first cpu. */
+-	*start = buffer;
+-	memcpy(buffer, IP_RT_ACCT_CPU(0), length);
+-
+-	/* Add the other cpus in, one int at a time */
+-	for (i = 1; i < smp_num_cpus; i++) {
+-		unsigned int j;
+-		for (j = 0; j < length/4; j++)
+-			((u32*)buffer)[j] += ((u32*)IP_RT_ACCT_CPU(i))[j];
++	offset /= sizeof(u32);
++
++	if (length > 0) {
++		u32 *src = ((u32 *) IP_RT_ACCT_CPU(0)) + offset;
++		u32 *dst = (u32 *) buffer;
++
++		/* Copy first cpu. */
++		*start = buffer;
++		memcpy(dst, src, length);
++
++		/* Add the other cpus in, one int at a time */
++		for (i = 1; i < smp_num_cpus; i++) {
++			unsigned int j;
++
++			src = ((u32 *) IP_RT_ACCT_CPU(i)) + offset;
++
++			for (j = 0; j < length/4; j++)
++				dst[j] += src[j];
++		}
+ 	}
+ 	return length;
+ }
+@@ -2462,6 +2490,9 @@
+ {
+ 	int i, order, goal;
+ 
++	rt_hash_rnd = (int) ((num_physpages ^ (num_physpages>>8)) ^
++			     (jiffies ^ (jiffies >> 7)));
++
+ #ifdef CONFIG_NET_CLS_ROUTE
+ 	for (order = 0;
+ 	     (PAGE_SIZE << order) < 256 * sizeof(struct ip_rt_acct) * NR_CPUS; order++)
+@@ -2518,6 +2549,7 @@
+ 
+ 	rt_flush_timer.function = rt_run_flush;
+ 	rt_periodic_timer.function = rt_check_expire;
++	rt_secret_timer.function = rt_secret_rebuild;
+ 
+ 	/* All the timers, started at system startup tend
+ 	   to synchronize. Perturb it a bit.
+@@ -2525,6 +2557,10 @@
+ 	rt_periodic_timer.expires = jiffies + net_random() % ip_rt_gc_interval +
+ 					ip_rt_gc_interval;
+ 	add_timer(&rt_periodic_timer);
++
++	rt_secret_timer.expires = jiffies + net_random() % ip_rt_secret_interval +
++		ip_rt_secret_interval;
++	add_timer(&rt_secret_timer);
+ 
+ 	proc_net_create ("rt_cache", 0, rt_cache_get_info);
+ 	proc_net_create ("rt_cache_stat", 0, rt_cache_stat_get_info);
+diff -Nru a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+--- a/net/ipv4/tcp.c	Mon May  5 16:06:49 2003
++++ b/net/ipv4/tcp.c	Mon May  5 16:06:49 2003
+@@ -252,6 +252,7 @@
+ #include <linux/init.h>
+ #include <linux/smp_lock.h>
+ #include <linux/fs.h>
++#include <linux/random.h>
+ 
+ #include <net/icmp.h>
+ #include <net/tcp.h>
+@@ -542,6 +543,7 @@
+ 	for (lopt->max_qlen_log = 6; ; lopt->max_qlen_log++)
+ 		if ((1<<lopt->max_qlen_log) >= sysctl_max_syn_backlog)
+ 			break;
++	get_random_bytes(&lopt->hash_rnd, 4);
+ 
+ 	write_lock_bh(&tp->syn_wait_lock);
+ 	tp->listen_opt = lopt;
+diff -Nru a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+--- a/net/ipv4/tcp_ipv4.c	Mon May  5 16:06:49 2003
++++ b/net/ipv4/tcp_ipv4.c	Mon May  5 16:06:49 2003
+@@ -56,6 +56,7 @@
+ #include <linux/fcntl.h>
+ #include <linux/random.h>
+ #include <linux/cache.h>
++#include <linux/jhash.h>
+ #include <linux/init.h>
+ 
+ #include <net/icmp.h>
+@@ -868,12 +869,10 @@
+ 	return ((struct rtable*)skb->dst)->rt_iif;
+ }
+ 
+-static __inline__ unsigned tcp_v4_synq_hash(u32 raddr, u16 rport)
++static __inline__ u32 tcp_v4_synq_hash(u32 raddr, u16 rport, u32 rnd)
+ {
+-	unsigned h = raddr ^ rport;
+-	h ^= h>>16;
+-	h ^= h>>8;
+-	return h&(TCP_SYNQ_HSIZE-1);
++	return (jenkins_hash_2words(raddr, (u32) rport, rnd)
++		& (TCP_SYNQ_HSIZE - 1));
+ }
+ 
+ static struct open_request *tcp_v4_search_req(struct tcp_opt *tp, 
+@@ -884,7 +883,7 @@
+ 	struct tcp_listen_opt *lopt = tp->listen_opt;
+ 	struct open_request *req, **prev;  
+ 
+-	for (prev = &lopt->syn_table[tcp_v4_synq_hash(raddr, rport)];
++	for (prev = &lopt->syn_table[tcp_v4_synq_hash(raddr, rport, lopt->hash_rnd)];
+ 	     (req = *prev) != NULL;
+ 	     prev = &req->dl_next) {
+ 		if (req->rmt_port == rport &&
+@@ -904,7 +903,7 @@
+ {
+ 	struct tcp_opt *tp = &sk->tp_pinfo.af_tcp;
+ 	struct tcp_listen_opt *lopt = tp->listen_opt;
+-	unsigned h = tcp_v4_synq_hash(req->af.v4_req.rmt_addr, req->rmt_port);
++	u32 h = tcp_v4_synq_hash(req->af.v4_req.rmt_addr, req->rmt_port, lopt->hash_rnd);
+ 
+ 	req->expires = jiffies + TCP_TIMEOUT_INIT;
+ 	req->retrans = 0;
+diff -Nru a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+--- a/net/ipv6/tcp_ipv6.c	Mon May  5 16:06:49 2003
++++ b/net/ipv6/tcp_ipv6.c	Mon May  5 16:06:49 2003
+@@ -36,6 +36,7 @@
+ #include <linux/in6.h>
+ #include <linux/netdevice.h>
+ #include <linux/init.h>
++#include <linux/jhash.h>
+ #include <linux/ipsec.h>
+ 
+ #include <linux/ipv6.h>
+@@ -368,12 +369,12 @@
+  * Open request hash tables.
+  */
+ 
+-static __inline__ unsigned tcp_v6_synq_hash(struct in6_addr *raddr, u16 rport)
++static u32 tcp_v6_synq_hash(struct in6_addr *raddr, u16 rport, u32 rnd)
+ {
+-	unsigned h = raddr->s6_addr32[3] ^ rport;
+-	h ^= h>>16;
+-	h ^= h>>8;
+-	return h&(TCP_SYNQ_HSIZE-1);
++	return (jenkins_hash_3words(raddr->s6_addr32[0] ^ raddr->s6_addr32[1],
++				    raddr->s6_addr32[2] ^ raddr->s6_addr32[3],
++				    (u32) rport, rnd)
++		& (TCP_SYNQ_HSIZE - 1));
+ }
+ 
+ static struct open_request *tcp_v6_search_req(struct tcp_opt *tp,
+@@ -386,7 +387,7 @@
+ 	struct tcp_listen_opt *lopt = tp->listen_opt;
+ 	struct open_request *req, **prev;  
+ 
+-	for (prev = &lopt->syn_table[tcp_v6_synq_hash(raddr, rport)];
++	for (prev = &lopt->syn_table[tcp_v6_synq_hash(raddr, rport, lopt->hash_rnd)];
+ 	     (req = *prev) != NULL;
+ 	     prev = &req->dl_next) {
+ 		if (req->rmt_port == rport &&
+@@ -1135,7 +1136,7 @@
+ {
+ 	struct tcp_opt *tp = &sk->tp_pinfo.af_tcp;
+ 	struct tcp_listen_opt *lopt = tp->listen_opt;
+-	unsigned h = tcp_v6_synq_hash(&req->af.v6_req.rmt_addr, req->rmt_port);
++	u32 h = tcp_v6_synq_hash(&req->af.v6_req.rmt_addr, req->rmt_port, lopt->hash_rnd);
+ 
+ 	req->sk = NULL;
+ 	req->expires = jiffies + TCP_TIMEOUT_INIT;
+-
diff --git a/sys-kernel/gentoo-sources/files/security.patch2 b/sys-kernel/gentoo-sources/files/security.patch2
new file mode 100644
index 000000000000..e75cc78468c0
--- /dev/null
+++ b/sys-kernel/gentoo-sources/files/security.patch2
@@ -0,0 +1,146 @@
+diff -uNp u2/fs/binfmt_elf.c.cd10.orig u2/fs/binfmt_elf.c
+--- u2/fs/binfmt_elf.c.cd10.orig	2002-08-03 02:39:45.000000000 +0200
++++ u2/fs/binfmt_elf.c	2003-07-09 23:44:30.000000000 +0200
+@@ -456,2 +456,3 @@
+        char passed_fileno[6];
++       struct files_struct *files, *ftmp;
+
+@@ -475,10 +476,17 @@ static int load_elf_binary(struct linux_
+ 	retval = kernel_read(bprm->file, elf_ex.e_phoff, (char *) elf_phdata, size);
+ 	if (retval < 0)
+ 		goto out_free_ph;
++		
++	files = current->files;		/* Refcounted so ok */
++	if(unshare_files() < 0)
++		goto out_free_ph;
+ 
++	/* exec will make our files private anyway, but for the a.out
++	   loader stuff we need to do it earlier */
++	   
+ 	retval = get_unused_fd();
+ 	if (retval < 0)
+-		goto out_free_ph;
++		goto out_free_fh;
+ 	get_file(bprm->file);
+ 	fd_install(elf_exec_fileno = retval, bprm->file);
+ 
+@@ -593,6 +601,9 @@ static int load_elf_binary(struct linux_
+ 	if (retval)
+ 		goto out_free_dentry;
+ 
++	/* Discard our unneeded old files struct */
++	put_files_struct(files);
++
+ 	/* OK, This is the point of no return */
+ 	current->mm->start_data = 0;
+ 	current->mm->end_data = 0;
+@@ -797,6 +808,10 @@ out_free_interp:
+ 		kfree(elf_interpreter);
+ out_free_file:
+ 	sys_close(elf_exec_fileno);
++out_free_fh:
++	ftmp = current->files;
++	current->files = files;
++	put_files_struct(ftmp);
+ out_free_ph:
+ 	kfree(elf_phdata);
+ 	goto out;
+--- linux-2.4.21/fs/exec.c.orig	Thu Jun 19 14:28:39 2003
++++ linux-2.4.21/fs/exec.c	Wed Jul  2 01:21:32 2003
+@@ -561,6 +561,7 @@
+ 	char * name;
+ 	int i, ch, retval;
+ 	struct signal_struct * oldsig;
++	struct files_struct * files;
+ 
+ 	/*
+ 	 * Make sure we have a private signal table
+@@ -569,6 +570,18 @@
+ 	retval = make_private_signals();
+ 	if (retval) goto flush_failed;
+ 
++	/*
++	 * Make sure we have private file handles. Ask the
++	 * fork helper to do the work for us and the exit
++	 * helper to do the cleanup of the old one.
++	 */
++	 
++	files = current->files;		/* refcounted so safe to hold */
++	retval = unshare_files();
++	if(retval)
++		goto flush_failed;
++	put_files_struct(files);
++	
+ 	/* 
+ 	 * Release all of the old mmap stuff
+ 	 */
+--- linux-2.4.21/kernel/fork.c.orig	Wed Jul  2 01:21:15 2003
++++ linux-2.4.21/kernel/fork.c	Wed Jul  2 01:21:32 2003
+@@ -448,6 +448,11 @@
+ 		goto out;
+ 	}
+ 
++	/*
++	 * Note: we may be using current for both targets (See exec.c)
++	 * This works because we cache current->files (old) as oldf. Don't
++	 * break this.
++	 */
+ 	tsk->files = NULL;
+ 	error = -ENOMEM;
+ 	newf = kmem_cache_alloc(files_cachep, SLAB_KERNEL);
+@@ -536,6 +541,33 @@
+ 	kmem_cache_free(files_cachep, newf);
+ 	goto out;
+ }
++
++/*
++ *	Helper to unshare the files of the current task. 
++ *	We don't want to expose copy_files internals to 
++ *	the exec layer of the kernel.
++ */
++
++int unshare_files(void)
++{
++	struct files_struct *files  = current->files;
++	int rc;
++	
++	if(!files)
++		BUG();
++		
++	/* This can race but the race causes us to copy when we don't
++	   need to and drop the copy */
++	if(atomic_read(&files->count) == 1)
++	{
++		atomic_inc(&files->count);
++		return 0;
++	}
++	rc = copy_files(0, current);
++	if(rc)
++		current->files = files;
++	return rc;
++}		
+ 
+ static inline int copy_sighand(unsigned long clone_flags, struct task_struct * tsk)
+ {
+--- linux-2.4.21/kernel/ksyms.c.orig	Fri Jun 13 18:51:39 2003
++++ linux-2.4.21/kernel/ksyms.c	Wed Jul  2 01:21:32 2003
+@@ -84,6 +84,7 @@
+ EXPORT_SYMBOL(try_inc_mod_count);
+
+ /* process memory management */
++EXPORT_SYMBOL(unshare_files);
+ EXPORT_SYMBOL(do_mmap_pgoff);
+ EXPORT_SYMBOL(do_munmap);
+ EXPORT_SYMBOL(do_brk);
+--- linux-2.4.21/include/linux/sched.h.orig	Thu Jun 19 14:31:01 2003
++++ linux-2.4.21/include/linux/sched.h	Wed Jul  2 01:24:32 2003
+@@ -864,6 +864,8 @@
+ extern int expand_fdset(struct files_struct *, int nr);
+ extern void free_fdset(fd_set *, int);
+
++extern int unshare_files(void);
++
+ extern int  copy_thread(int, unsigned long, unsigned long, unsigned long, task_t *, struct pt_regs *);
+ extern void flush_thread(void);
+ extern void exit_thread(void);
+
diff --git a/sys-kernel/gentoo-sources/files/security.patch3 b/sys-kernel/gentoo-sources/files/security.patch3
new file mode 100644
index 000000000000..18d1b1b709fe
--- /dev/null
+++ b/sys-kernel/gentoo-sources/files/security.patch3
@@ -0,0 +1,134 @@
+diff -Nru a/fs/proc/base.c b/fs/proc/base.c
+--- a/fs/proc/base.c	Tue Apr 22 10:21:00 2003
++++ b/fs/proc/base.c	Mon Jul 14 13:10:30 2003
+@@ -124,20 +124,56 @@
+ 	return result;
+ }
+ 
++#define MAY_PTRACE(task) \
++	(task == current || \
++	(task->p_pptr == current && \
++	(task->ptrace & PT_PTRACED) && task->state == TASK_STOPPED))
++
++static int may_ptrace_attach(struct task_struct *task)
++{
++	int retval = 0;
++
++	task_lock(task);
++
++	if (((current->uid != task->euid) ||
++	    (current->uid != task->suid) ||
++	    (current->uid != task->uid) ||
++	    (current->gid != task->egid) ||
++	    (current->gid != task->sgid) ||
++	    (!cap_issubset(task->cap_permitted, current->cap_permitted)) ||
++	    (current->gid != task->gid)) && !capable(CAP_SYS_PTRACE))
++		goto out;
++	rmb();
++	if (!is_dumpable(task) && !capable(CAP_SYS_PTRACE))
++		goto out;
++
++	retval = 1;
++
++out:
++	task_unlock(task);
++	return retval;
++}
++
+ static int proc_pid_environ(struct task_struct *task, char * buffer)
+ {
+ 	struct mm_struct *mm;
+ 	int res = 0;
++
++	if (!may_ptrace_attach(task))
++		return -ESRCH;
++
+ 	task_lock(task);
+ 	mm = task->mm;
+ 	if (mm)
+ 		atomic_inc(&mm->mm_users);
+ 	task_unlock(task);
+ 	if (mm) {
+-		int len = mm->env_end - mm->env_start;
++		unsigned int len = mm->env_end - mm->env_start;
+ 		if (len > PAGE_SIZE)
+ 			len = PAGE_SIZE;
+ 		res = access_process_vm(task, mm->env_start, buffer, len, 0);
++		if (!may_ptrace_attach(task))
++			res = -ESRCH;
+ 		mmput(mm);
+ 	}
+ 	return res;
+@@ -328,10 +364,6 @@
+ 	read:		proc_info_read,
+ };
+ 
+-#define MAY_PTRACE(p) \
+-(p==current||(p->p_pptr==current&&(p->ptrace & PT_PTRACED)&&p->state==TASK_STOPPED))
+-
+-
+ static int mem_open(struct inode* inode, struct file* file)
+ {
+ 	file->private_data = (void*)((long)current->self_exec_id);
+@@ -347,8 +379,7 @@
+ 	int copied = 0;
+ 	struct mm_struct *mm;
+ 
+-
+-	if (!MAY_PTRACE(task))
++	if (!MAY_PTRACE(task) || !may_ptrace_attach(task))
+ 		return -ESRCH;
+ 
+ 	page = (char *)__get_free_page(GFP_USER);
+@@ -370,14 +401,13 @@
+ 		copied = -EIO;
+ 		goto out_free;
+ 	}
+-		
+ 
+ 	while (count > 0) {
+ 		int this_len, retval;
+ 
+ 		this_len = (count > PAGE_SIZE) ? PAGE_SIZE : count;
+ 		retval = access_process_vm(task, src, page, this_len, 0);
+-		if (!retval) {
++		if (!retval || !MAY_PTRACE(task) || !may_ptrace_attach(task)) {
+ 			if (!copied)
+ 				copied = -EIO;
+ 			break;
+@@ -411,7 +441,7 @@
+ 	struct task_struct *task = file->f_dentry->d_inode->u.proc_i.task;
+ 	unsigned long dst = *ppos;
+ 
+-	if (!MAY_PTRACE(task))
++	if (!MAY_PTRACE(task) || !may_ptrace_attach(task))
+ 		return -ESRCH;
+ 
+ 	page = (char *)__get_free_page(GFP_USER);
+diff -Nru a/fs/proc/proc_misc.c b/fs/proc/proc_misc.c
+--- a/fs/proc/proc_misc.c	Fri Mar 28 18:11:31 2003
++++ b/fs/proc/proc_misc.c	Mon Jul 14 13:10:30 2003
+@@ -423,9 +423,9 @@
+ 				 int count, int *eof, void *data)
+ {
+ 	extern char saved_command_line[];
+-	int len;
++	int len = 0;
+ 
+-	len = snprintf(page, count, "%s\n", saved_command_line);
++	proc_sprintf(page, &off, &len, "%s\n", saved_command_line);
+ 	return proc_calc_metrics(page, start, off, count, eof, len);
+ }
+ 
+@@ -495,7 +495,8 @@
+ 		buf++; p++; count--; read++;
+ 	}
+ 	pnt = (char *)prof_buffer + p - sizeof(unsigned int);
+-	copy_to_user(buf,(void *)pnt,count);
++	if (copy_to_user(buf,(void *)pnt,count))
++		return -EFAULT;
+ 	read += count;
+ 	*ppos += read;
+ 	return read;
+
+
diff --git a/sys-kernel/gentoo-sources/files/security.patch4 b/sys-kernel/gentoo-sources/files/security.patch4
new file mode 100644
index 000000000000..b58a2b9c0b3d
--- /dev/null
+++ b/sys-kernel/gentoo-sources/files/security.patch4
@@ -0,0 +1,26 @@
+--- linux-2.4.20-gw3/arch/i386/kernel/ioport.c	2003-05-16 23:42:47.000000000 +0100
++++ linux-2.4.20-gw4/arch/i386/kernel/ioport.c	2003-05-16 23:42:49.000000000 +0100
+@@ -72,17 +72,18 @@
+ 		 */
+ 		memset(t->io_bitmap,0xff,(IO_BITMAP_SIZE+1)*4);
+ 		t->ioperm = 1;
+-		/*
+-		 * this activates it in the TSS
+-		 */
+-		tss->bitmap = IO_BITMAP_OFFSET;
+ 	}
+ 
+ 	/*
+ 	 * do it in the per-thread copy and in the TSS ...
+ 	 */
+ 	set_bitmap(t->io_bitmap, from, num, !turn_on);
+-	set_bitmap(tss->io_bitmap, from, num, !turn_on);
++	if (tss->bitmap == IO_BITMAP_OFFSET) { /* already active? */
++		set_bitmap(tss->io_bitmap, from, num, !turn_on);
++	} else {
++		memcpy(tss->io_bitmap, t->io_bitmap, IO_BITMAP_SIZE);
++		tss->bitmap = IO_BITMAP_OFFSET; /* Activate it in the TSS */
++	}
+ 
+ 	return 0;
+ }
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-2.4.20-r6.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-2.4.20-r6.ebuild
new file mode 100644
index 000000000000..e97243d991ed
--- /dev/null
+++ b/sys-kernel/gentoo-sources/gentoo-sources-2.4.20-r6.ebuild
@@ -0,0 +1,142 @@
+# Copyright 1999-2003 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.20-r6.ebuild,v 1.1 2003/08/08 03:45:46 aliz Exp $
+
+IUSE="build crypt evms2 aavm usagi"
+
+# OKV=original kernel version, KV=patched kernel version.  They can be the same.
+
+# Kernel ebuilds using the kernel.eclass can remove any patch that you
+# do not want to apply by simply setting the KERNEL_EXCLUDE shell
+# variable to the string you want to exclude (for instance
+# KERNEL_EXCLUDE="evms" would not patch any patches whose names match
+# *evms*).  Kernels are only tested in the default configuration, but
+# this may be useful if you know that a particular patch is causing a
+# conflict with a patch you personally want to apply, or some other
+# similar situation.
+
+ETYPE="sources"
+
+inherit kernel
+OKV="2.4.20"
+# Documentation on the patches contained in this kernel will be installed
+# to /usr/share/doc/gentoo-sources-${PV}/patches.txt.gz
+
+DESCRIPTION="Full sources for the Gentoo Kernel."
+SRC_URI="http://www.kernel.org/pub/linux/kernel/v2.4/linux-${OKV}.tar.bz2
+	mirror://gentoo/patches-${KV/6/5}.tar.bz2"
+HOMEPAGE="http://www.gentoo.org/ http://www.kernel.org/"
+LICENSE="GPL-2"
+KEYWORDS="~x86 -ppc -sparc -alpha -hppa -mips -arm"
+SLOT="${KV}"
+
+
+src_unpack() {
+	unpack ${A}
+	mv linux-${OKV} linux-${KV} || die "Error moving kernel source tree to linux-${KV}"
+
+	cd ${WORKDIR}/${KV/6/5}
+
+	# This is the *ratified* aavm USE flag, enables aavm support in this kernel
+	if [ -z "`use aavm`" ]; then
+		einfo "Setting up kernel for rmap support(default)."
+		for file in *.aavm ;do
+			einfo "Dropping ${file}..."
+			rm -f ${file}
+		done
+	else
+		einfo "Setting up kernel for aavm support."
+		for file in *.rmap ;do
+			einfo "Dropping ${file}..."
+			rm -f ${file}
+		done
+	fi
+
+	# If the compiler isn't gcc>3.1 drop the gcc>3.1 patches
+	if [[ "${COMPILER}" == "gcc3" ]];then
+		einfo "You are using gcc>3.1"
+		einfo "Enabling gcc>3.1 processor optimizations."
+		einfo "To use, choose the processor family labelled with (gcc>31) in"
+		einfo "Processor type and features -> Processor Family"
+	else
+		einfo "Your compiler is not gcc3, dropping patches..."
+		for file in *gcc3*;do
+			einfo "Dropping ${file}..."
+			rm -f ${file}
+		done
+	fi
+
+	# This is the *ratified* evms2 USE flag, enables evms2 support
+	if [ -z "`use evms2`" ]; then
+		einfo "Setting up kernel for EVMS 1.2.1 support(default)."
+		for file in 2* ;do
+			einfo "Dropping ${file}..."
+			rm -f ${file}
+		done
+	else
+		einfo "Setting up kernel for EVMS 2.0.1 support."
+		ewarn "This is very beta. Please read the 'evms2' doc provided with this kernel."
+		ewarn "It is the install doc from the evms 2.0.1 tarball."
+		for file in 1* ;do
+			einfo "Dropping ${file}..."
+			rm -f ${file}
+		done
+	fi
+
+	# This is the crypt USE flag, keeps {USAGI/superfreeswan/patch-int/loop-jari}
+	if [ -z "`use crypt`" ]; then
+		einfo "No Cryptographic support, dropping patches..."
+		for file in 6* 8* ;do
+			einfo "Dropping ${file}..."
+			rm -f ${file}
+		done
+	else
+		einfo "Cryptographic patches will be applied"
+	fi
+
+	# This is the usagi USE flag, keeps USAGI, drops {superfreeswan/patch-int/loop-jari}
+	# Using USAGI will also cause you to drop all iptables ipv6 patches
+	if [ -z "`use usagi`" ]; then
+		einfo "Keeping {superfreeswan/patch-int/loop-jari} patches, dropping USAGI"
+		for file in 6* ;do
+			einfo "Dropping ${file}..."
+			rm -f ${file}
+		done
+	else
+		einfo "Keeping USAGI patch, dropping {superfreeswan/patch-int/loop-jari}"
+		for file in *.ipv6 8* ;do
+			einfo "Dropping ${file}..."
+			rm -f ${file}
+		done
+	fi
+
+	kernel_src_unpack
+
+	epatch ${FILESDIR}/security.patch1 
+	epatch ${FILESDIR}/security.patch2 
+	epatch ${FILESDIR}/security.patch3 
+	epatch ${FILESDIR}/security.patch4 
+
+}
+
+pkg_postinst() {
+
+	kernel_pkg_postinst
+
+	ewarn "There is no xfs support in this kernel."
+	ewarn "If you need xfs support, emerge xfs-sources."
+	echo
+	ewarn "If iptables/netfilter behaves abnormally, such as 'Invalid Argument',"
+	ewarn "you will need to re-emerge iptables to restore proper functionality."
+	echo
+	einfo "This set contains the ptrace patch as part of grsecurity."
+	echo
+	einfo "If there are issues with it, read the docs and associated help provided."
+	einfo "Next you should check http://forums.gentoo.org/ for assistance."
+	einfo "Otherwise check http://bugs.gentoo.org/ for an existing bug."
+	einfo "Only create a new bug if you have not found one that matches your issue."
+	einfo "It is best to do an advanced search as the initial search has a very low yield."
+	einfo "Assign bugs to x86-kernel@gentoo.org"
+	echo
+	einfo "Please read the changelog and associated docs for more information."
+}