merge the changes from the etch-security branch as of r8377 - requested by vorlon, in case of potential update prior to 4.0r0

svn path=/dists/etch/linux-2.6/; revision=8378
2007-03-22 00:05:32 +00:00 · 2007-03-22 00:05:32 +00:00 · fce1968d96
parent 37f11ea59c 879d40431c
commit fce1968d96
6 changed files with 627 additions and 1 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -23,7 +23,26 @@ linux-2.6 (2.6.18.dfsg.1-12) UNRELEASED; urgency=low
    Thanks to Doug Nazar for the patch and to Daniel J. Priem for testing.
    Closes: #409313.

- -- Steve Langasek <vorlon@debian.org>  Mon,  5 Mar 2007 00:25:35 -0800
+  [ dann frazier ]
+  * bugfix/keys-serial-num-collision.patch
+    [SECURITY] Fix the key serial number collision avoidance code in
+    key_alloc_serial() that could lead to a local DoS (oops).
+    (closes: #398470)
+    See CVE-2007-0006
+  * bugfix/ipv6_getsockopt_sticky-null-opt.patch
+    [SECURITY] Fix NULL dereference in ipv6_setsockopt that could lead
+    to a local DoS (oops).
+    See CVE-2007-1388
+  * bugfix/ipv6_getsockopt_sticky-null-opt.patch
+    [SECURITY] Fix kernel memory leak vulnerability in
+    ipv6_getsockopt_sticky() which can be triggered by passing a len < 0.
+    See CVE-2007-1000
+  * bugfix/listxattr-mem-corruption.patch
+    [SECURITY] Fix userspace corruption vulnerability caused by
+    incorrectly promoted return values in bad_inode_ops
+    See CVE-2006-5753
+
+ -- dann frazier <dannf@debian.org>  Wed, 21 Mar 2007 18:03:28 -0600

 linux-2.6 (2.6.18.dfsg.1-11) unstable; urgency=low

--- a/debian/patches/bugfix/ipv6_getsockopt_sticky-null-opt.patch
+++ b/debian/patches/bugfix/ipv6_getsockopt_sticky-null-opt.patch
@ -0,0 +1,42 @@
+From: David S. Miller <davem@sunset.davemloft.net>
+Date: Wed, 7 Mar 2007 20:50:46 +0000 (-0800)
+Subject: [IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky().
+X-Git-Tag: v2.6.21-rc4~99^2~7
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=286930797d74b2c9a5beae84836044f6a836235f
+
+[IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky().
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
+index 286c867..4e0561a 100644
+--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
+@@ -795,11 +795,15 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, int optname,
+ EXPORT_SYMBOL(compat_ipv6_setsockopt);
+ #endif
+ 
+-static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_opt_hdr *hdr,
+static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt,
+ 				  char __user *optval, int len)
+ {
+-	if (!hdr)
+	struct ipv6_opt_hdr *hdr;
+
+	if (!opt || !opt->hopopt)
+ 		return 0;
+	hdr = opt->hopopt;
+
+ 	len = min_t(int, len, ipv6_optlen(hdr));
+ 	if (copy_to_user(optval, hdr, ipv6_optlen(hdr)))
+ 		return -EFAULT;
+@@ -940,7 +944,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
+ 	{
+ 
+ 		lock_sock(sk);
+-		len = ipv6_getsockopt_sticky(sk, np->opt->hopopt,
+		len = ipv6_getsockopt_sticky(sk, np->opt,
+ 					     optval, len);
+ 		release_sock(sk);
+ 		return put_user(len, optlen);
--- a/debian/patches/bugfix/ipv6_setsockopt-NULL-deref.patch
+++ b/debian/patches/bugfix/ipv6_setsockopt-NULL-deref.patch
@ -0,0 +1,28 @@
+From: Olaf Kirch <olaf.kirch@oracle.com>
+Date: Fri, 9 Mar 2007 21:55:38 +0000 (-0800)
+Subject: [IPV6]: Fix for ipv6_setsockopt NULL dereference
+X-Git-Tag: v2.6.21-rc4~50^2~1
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=dfee0a725bb027b749ffdd318eb48b91d564b266
+
+[IPV6]: Fix for ipv6_setsockopt NULL dereference
+
+I came across this bug in http://bugzilla.kernel.org/show_bug.cgi?id=8155
+
+Signed-off-by: Olaf Kirch <olaf.kirch@oracle.com>
+Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
+index 4e0561a..b82333b 100644
+--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
+@@ -413,7 +413,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
+ 		}
+ 
+ 		/* routing header option needs extra check */
+-		if (optname == IPV6_RTHDR && opt->srcrt) {
+		if (optname == IPV6_RTHDR && opt && opt->srcrt) {
+ 			struct ipv6_rt_hdr *rthdr = opt->srcrt;
+ 			switch (rthdr->type) {
+ 			case IPV6_SRCRT_TYPE_0:
--- a/debian/patches/bugfix/keys-serial-num-collision.patch
+++ b/debian/patches/bugfix/keys-serial-num-collision.patch
@ -0,0 +1,92 @@
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 6 Feb 2007 13:45:51 +0000 (+0000)
+Subject: [PATCH] Keys: Fix key serial number collision handling
+X-Git-Tag: v2.6.21-rc2~42^2~22
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9ad0830f307bcd8dc285cfae58998d43b21727f4
+
+[PATCH] Keys: Fix key serial number collision handling
+
+Fix the key serial number collision avoidance code in key_alloc_serial().
+
+This didn't use to be so much of a problem as the key serial numbers were
+allocated from a simple incremental counter, and it would have to go through
+two billion keys before it could possibly encounter a collision.  However, now
+that random numbers are used instead, collisions are much more likely.
+
+This is fixed by finding a hole in the rbtree where the next unused serial
+number ought to be and using that by going almost back to the top of the
+insertion routine and redoing the insertion with the new serial number rather
+than trying to be clever and attempting to work out the insertion point
+pointer directly.
+
+This fixes kernel BZ #7727.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/security/keys/key.c b/security/keys/key.c
+index ac9326c..700400d 100644
+--- a/security/keys/key.c
+++ b/security/keys/key.c
+@@ -188,6 +188,7 @@ static inline void key_alloc_serial(struct key *key)
+ 
+ 	spin_lock(&key_serial_lock);
+ 
+attempt_insertion:
+ 	parent = NULL;
+ 	p = &key_serial_tree.rb_node;
+ 
+@@ -202,39 +203,33 @@ static inline void key_alloc_serial(struct key *key)
+ 		else
+ 			goto serial_exists;
+ 	}
+-	goto insert_here;
+
+	/* we've found a suitable hole - arrange for this key to occupy it */
+	rb_link_node(&key->serial_node, parent, p);
+	rb_insert_color(&key->serial_node, &key_serial_tree);
+
+	spin_unlock(&key_serial_lock);
+	return;
+ 
+ 	/* we found a key with the proposed serial number - walk the tree from
+ 	 * that point looking for the next unused serial number */
+ serial_exists:
+ 	for (;;) {
+ 		key->serial++;
+-		if (key->serial < 2)
+-			key->serial = 2;
+-
+-		if (!rb_parent(parent))
+-			p = &key_serial_tree.rb_node;
+-		else if (rb_parent(parent)->rb_left == parent)
+-			p = &(rb_parent(parent)->rb_left);
+-		else
+-			p = &(rb_parent(parent)->rb_right);
+		if (key->serial < 3) {
+			key->serial = 3;
+			goto attempt_insertion;
+		}
+ 
+ 		parent = rb_next(parent);
+ 		if (!parent)
+-			break;
+			goto attempt_insertion;
+ 
+ 		xkey = rb_entry(parent, struct key, serial_node);
+ 		if (key->serial < xkey->serial)
+-			goto insert_here;
+			goto attempt_insertion;
+ 	}
+ 
+-	/* we've found a suitable hole - arrange for this key to occupy it */
+-insert_here:
+-	rb_link_node(&key->serial_node, parent, p);
+-	rb_insert_color(&key->serial_node, &key_serial_tree);
+-
+-	spin_unlock(&key_serial_lock);
+-
+ } /* end key_alloc_serial() */
+ 
+ /*****************************************************************************/
--- a/debian/patches/bugfix/listxattr-mem-corruption.patch
+++ b/debian/patches/bugfix/listxattr-mem-corruption.patch
@ -0,0 +1,441 @@
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Sat, 6 Jan 2007 00:36:36 +0000 (-0800)
+Subject: [PATCH] fix memory corruption from misinterpreted bad_inode_ops return values
+X-Git-Tag: v2.6.20-rc4~60
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=be6aab0e9fa6d3c6d75aa1e38ac972d8b4ee82b8;hp=2723f9603a8f8bb2cd8c7b581f7c94b8d75e3837
+
+[PATCH] fix memory corruption from misinterpreted bad_inode_ops return values
+
+CVE-2006-5753 is for a case where an inode can be marked bad, switching
+the ops to bad_inode_ops, which are all connected as:
+
+static int return_EIO(void)
+{
+        return -EIO;
+}
+
+#define EIO_ERROR ((void *) (return_EIO))
+
+static struct inode_operations bad_inode_ops =
+{
+        .create         = bad_inode_create
+...etc...
+
+The problem here is that the void cast causes return types to not be
+promoted, and for ops such as listxattr which expect more than 32 bits of
+return value, the 32-bit -EIO is interpreted as a large positive 64-bit
+number, i.e. 0x00000000fffffffa instead of 0xfffffffa.
+
+This goes particularly badly when the return value is taken as a number of
+bytes to copy into, say, a user's buffer for example...
+
+I originally had coded up the fix by creating a return_EIO_<TYPE> macro
+for each return type, like this:
+
+static int return_EIO_int(void)
+{
+	return -EIO;
+}
+#define EIO_ERROR_INT ((void *) (return_EIO_int))
+
+static struct inode_operations bad_inode_ops =
+{
+	.create		= EIO_ERROR_INT,
+...etc...
+
+but Al felt that it was probably better to create an EIO-returner for each
+actual op signature.  Since so few ops share a signature, I just went ahead
+& created an EIO function for each individual file & inode op that returns
+a value.
+
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
+
+--- linux-source-2.6.18/fs/bad_inode.c.orig	2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/fs/bad_inode.c	2007-03-19 20:56:08.000000000 -0600
+@@ -14,61 +14,321 @@
+ #include <linux/time.h>
+ #include <linux/smp_lock.h>
+ #include <linux/namei.h>
+#include <linux/poll.h>
+ 
+-static int return_EIO(void)
+
+static loff_t bad_file_llseek(struct file *file, loff_t offset, int origin)
+{
+	return -EIO;
+}
+
+static ssize_t bad_file_read(struct file *filp, char __user *buf,
+			size_t size, loff_t *ppos)
+{
+        return -EIO;
+}
+
+static ssize_t bad_file_write(struct file *filp, const char __user *buf,
+			size_t siz, loff_t *ppos)
+{
+        return -EIO;
+}
+
+static ssize_t bad_file_aio_read(struct kiocb *iocb, char __user *buf,
+				 size_t siz, loff_t pos)
+{
+	return -EIO;
+}
+
+static ssize_t bad_file_aio_write(struct kiocb *iocb, const char __user *buf,
+			size_t siz, loff_t pos)
+{
+	return -EIO;
+}
+
+static int bad_file_readdir(struct file *filp, void *dirent, filldir_t filldir)
+{
+	return -EIO;
+}
+
+static unsigned int bad_file_poll(struct file *filp, poll_table *wait)
+{
+	return POLLERR;
+}
+
+static int bad_file_ioctl (struct inode *inode, struct file *filp,
+			unsigned int cmd, unsigned long arg)
+{
+	return -EIO;
+}
+
+static long bad_file_unlocked_ioctl(struct file *file, unsigned cmd,
+			unsigned long arg)
+{
+	return -EIO;
+}
+
+static long bad_file_compat_ioctl(struct file *file, unsigned int cmd,
+			unsigned long arg)
+{
+	return -EIO;
+}
+
+static int bad_file_mmap(struct file *file, struct vm_area_struct *vma)
+{
+	return -EIO;
+}
+
+static int bad_file_open(struct inode *inode, struct file *filp)
+{
+	return -EIO;
+}
+
+static int bad_file_flush(struct file *file, fl_owner_t id)
+{
+	return -EIO;
+}
+
+static int bad_file_release(struct inode *inode, struct file *filp)
+{
+	return -EIO;
+}
+
+static int bad_file_fsync(struct file *file, struct dentry *dentry,
+			int datasync)
+{
+	return -EIO;
+}
+
+static int bad_file_aio_fsync(struct kiocb *iocb, int datasync)
+{
+	return -EIO;
+}
+
+static int bad_file_fasync(int fd, struct file *filp, int on)
+{
+	return -EIO;
+}
+
+static int bad_file_lock(struct file *file, int cmd, struct file_lock *fl)
+{
+	return -EIO;
+}
+
+static ssize_t bad_file_readv(struct file *filp, const struct iovec *iov,
+			unsigned long nr_segs, loff_t *ppos)
+{
+	return -EIO;
+}
+
+static ssize_t bad_file_writev(struct file *filp, const struct iovec *iov,
+			unsigned long nr_segs, loff_t *ppos)
+{
+	return -EIO;
+}
+
+static ssize_t bad_file_sendfile(struct file *in_file, loff_t *ppos,
+			size_t count, read_actor_t actor, void *target)
+{
+	return -EIO;
+}
+
+static ssize_t bad_file_sendpage(struct file *file, struct page *page,
+			int off, size_t len, loff_t *pos, int more)
+{
+	return -EIO;
+}
+
+static unsigned long bad_file_get_unmapped_area(struct file *file,
+				unsigned long addr, unsigned long len,
+				unsigned long pgoff, unsigned long flags)
+ {
+ 	return -EIO;
+ }
+ 
+-#define EIO_ERROR ((void *) (return_EIO))
+static int bad_file_check_flags(int flags)
+{
+	return -EIO;
+}
+
+static int bad_file_dir_notify(struct file *file, unsigned long arg)
+{
+	return -EIO;
+}
+
+static int bad_file_flock(struct file *filp, int cmd, struct file_lock *fl)
+{
+	return -EIO;
+}
+
+static ssize_t bad_file_splice_write(struct pipe_inode_info *pipe,
+			struct file *out, loff_t *ppos, size_t len,
+			unsigned int flags)
+{
+	return -EIO;
+}
+
+static ssize_t bad_file_splice_read(struct file *in, loff_t *ppos,
+			struct pipe_inode_info *pipe, size_t len,
+			unsigned int flags)
+{
+	return -EIO;
+}
+ 
+ static const struct file_operations bad_file_ops =
+ {
+-	.llseek		= EIO_ERROR,
+-	.aio_read	= EIO_ERROR,
+-	.read		= EIO_ERROR,
+-	.write		= EIO_ERROR,
+-	.aio_write	= EIO_ERROR,
+-	.readdir	= EIO_ERROR,
+-	.poll		= EIO_ERROR,
+-	.ioctl		= EIO_ERROR,
+-	.mmap		= EIO_ERROR,
+-	.open		= EIO_ERROR,
+-	.flush		= EIO_ERROR,
+-	.release	= EIO_ERROR,
+-	.fsync		= EIO_ERROR,
+-	.aio_fsync	= EIO_ERROR,
+-	.fasync		= EIO_ERROR,
+-	.lock		= EIO_ERROR,
+-	.readv		= EIO_ERROR,
+-	.writev		= EIO_ERROR,
+-	.sendfile	= EIO_ERROR,
+-	.sendpage	= EIO_ERROR,
+-	.get_unmapped_area = EIO_ERROR,
+	.llseek		= bad_file_llseek,
+	.read		= bad_file_read,
+	.write		= bad_file_write,
+	.aio_read	= bad_file_aio_read,
+	.aio_write	= bad_file_aio_write,
+	.readdir	= bad_file_readdir,
+	.poll		= bad_file_poll,
+	.ioctl		= bad_file_ioctl,
+	.unlocked_ioctl	= bad_file_unlocked_ioctl,
+	.compat_ioctl	= bad_file_compat_ioctl,
+	.mmap		= bad_file_mmap,
+	.open		= bad_file_open,
+	.flush		= bad_file_flush,
+	.release	= bad_file_release,
+	.fsync		= bad_file_fsync,
+	.aio_fsync	= bad_file_aio_fsync,
+	.fasync		= bad_file_fasync,
+	.lock		= bad_file_lock,
+	.readv		= bad_file_readv,
+	.writev		= bad_file_writev,
+	.sendfile	= bad_file_sendfile,
+	.sendpage	= bad_file_sendpage,
+	.get_unmapped_area = bad_file_get_unmapped_area,
+	.check_flags	= bad_file_check_flags,
+	.dir_notify	= bad_file_dir_notify,
+	.flock		= bad_file_flock,
+	.splice_write	= bad_file_splice_write,
+	.splice_read	= bad_file_splice_read,
+ };
+ 
+static int bad_inode_create (struct inode *dir, struct dentry *dentry,
+		int mode, struct nameidata *nd)
+{
+	return -EIO;
+}
+
+static struct dentry *bad_inode_lookup(struct inode *dir,
+			struct dentry *dentry, struct nameidata *nd)
+{
+	return ERR_PTR(-EIO);
+}
+
+static int bad_inode_link (struct dentry *old_dentry, struct inode *dir,
+		struct dentry *dentry)
+{
+	return -EIO;
+}
+
+static int bad_inode_unlink(struct inode *dir, struct dentry *dentry)
+{
+	return -EIO;
+}
+
+static int bad_inode_symlink (struct inode *dir, struct dentry *dentry,
+		const char *symname)
+{
+	return -EIO;
+}
+
+static int bad_inode_mkdir(struct inode *dir, struct dentry *dentry,
+			int mode)
+{
+	return -EIO;
+}
+
+static int bad_inode_rmdir (struct inode *dir, struct dentry *dentry)
+{
+	return -EIO;
+}
+
+static int bad_inode_mknod (struct inode *dir, struct dentry *dentry,
+			int mode, dev_t rdev)
+{
+	return -EIO;
+}
+
+static int bad_inode_rename (struct inode *old_dir, struct dentry *old_dentry,
+		struct inode *new_dir, struct dentry *new_dentry)
+{
+	return -EIO;
+}
+
+static int bad_inode_readlink(struct dentry *dentry, char __user *buffer,
+		int buflen)
+{
+	return -EIO;
+}
+
+static int bad_inode_permission(struct inode *inode, int mask,
+			struct nameidata *nd)
+{
+	return -EIO;
+}
+
+static int bad_inode_getattr(struct vfsmount *mnt, struct dentry *dentry,
+			struct kstat *stat)
+{
+	return -EIO;
+}
+
+static int bad_inode_setattr(struct dentry *direntry, struct iattr *attrs)
+{
+	return -EIO;
+}
+
+static int bad_inode_setxattr(struct dentry *dentry, const char *name,
+		const void *value, size_t size, int flags)
+{
+	return -EIO;
+}
+
+static ssize_t bad_inode_getxattr(struct dentry *dentry, const char *name,
+			void *buffer, size_t size)
+{
+	return -EIO;
+}
+
+static ssize_t bad_inode_listxattr(struct dentry *dentry, char *buffer,
+			size_t buffer_size)
+{
+	return -EIO;
+}
+
+static int bad_inode_removexattr(struct dentry *dentry, const char *name)
+{
+	return -EIO;
+}
+
+ static struct inode_operations bad_inode_ops =
+ {
+-	.create		= EIO_ERROR,
+-	.lookup		= EIO_ERROR,
+-	.link		= EIO_ERROR,
+-	.unlink		= EIO_ERROR,
+-	.symlink	= EIO_ERROR,
+-	.mkdir		= EIO_ERROR,
+-	.rmdir		= EIO_ERROR,
+-	.mknod		= EIO_ERROR,
+-	.rename		= EIO_ERROR,
+-	.readlink	= EIO_ERROR,
+	.create		= bad_inode_create,
+	.lookup		= bad_inode_lookup,
+	.link		= bad_inode_link,
+	.unlink		= bad_inode_unlink,
+	.symlink	= bad_inode_symlink,
+	.mkdir		= bad_inode_mkdir,
+	.rmdir		= bad_inode_rmdir,
+	.mknod		= bad_inode_mknod,
+	.rename		= bad_inode_rename,
+	.readlink	= bad_inode_readlink,
+ 	/* follow_link must be no-op, otherwise unmounting this inode
+ 	   won't work */
+-	.truncate	= EIO_ERROR,
+-	.permission	= EIO_ERROR,
+-	.getattr	= EIO_ERROR,
+-	.setattr	= EIO_ERROR,
+-	.setxattr	= EIO_ERROR,
+-	.getxattr	= EIO_ERROR,
+-	.listxattr	= EIO_ERROR,
+-	.removexattr	= EIO_ERROR,
+	/* put_link returns void */
+	/* truncate returns void */
+	.permission	= bad_inode_permission,
+	.getattr	= bad_inode_getattr,
+	.setattr	= bad_inode_setattr,
+	.setxattr	= bad_inode_setxattr,
+	.getxattr	= bad_inode_getxattr,
+	.listxattr	= bad_inode_listxattr,
+	.removexattr	= bad_inode_removexattr,
+	/* truncate_range returns void */
+ };
+ 
+ 
+@@ -90,7 +350,7 @@
+  *	on it to fail from this point on.
+  */
+  
+-void make_bad_inode(struct inode * inode) 
+void make_bad_inode(struct inode *inode)
+ {
+ 	remove_inode_hash(inode);
+ 
+@@ -115,7 +375,7 @@
+  *	Returns true if the inode in question has been marked as bad.
+  */
+  
+-int is_bad_inode(struct inode * inode) 
+int is_bad_inode(struct inode *inode)
+ {
+ 	return (inode->i_op == &bad_inode_ops);	
+ }
--- a/debian/patches/series/12
+++ b/debian/patches/series/12
@ -2,3 +2,7 @@
 + bugfix/sparc/eth1394-unaligned-access.patch
 + bugfix/sparc/kenvctrld-cpu-consumption.patch
 + bugfix/sparc/ip_rcv-unaligned-access.patch
+ bugfix/keys-serial-num-collision.patch
+ bugfix/ipv6_setsockopt-NULL-deref.patch
+ bugfix/ipv6_getsockopt_sticky-null-opt.patch
+ bugfix/listxattr-mem-corruption.patch