main/linux-grsec: merge in stable fixes

main/linux-grsec/APKBUILD

@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=3.6.11
 _kernver=3.6
-pkgrel=5
+pkgrel=6
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -14,11 +14,11 @@ _config=${config:-kernelconfig.${CARCH}}
 install=
 source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
 	http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
-	grsecurity-2.9.1-3.6.11-unofficial-1.patch
+	patch-3.6.11-al1.patch
+	grsecurity-2.9.1-3.6.11-al1-unofficial-0.patch
 	
 	0004-arp-flush-arp-cache-on-device-change.patch
 	r8169-num-rx-desc.patch
-	xsa40.patch
 	ipv4-remove-output-route-check-in-ipv4_mtu.patch
 	0001-r8169-remove-the-obsolete-and-incorrect-AMD-workarou.patch
 
@@ -144,10 +144,10 @@ dev() {
 
 md5sums="1a1760420eac802c541a20ab51a093d1  linux-3.6.tar.xz
 bd4bba74093405887d521309a74c19e9  patch-3.6.11.xz
-dce5c43ac3b5d8e35e245b35e90e1837  grsecurity-2.9.1-3.6.11-unofficial-1.patch
+90efc91d59e9cfde50de2031a798e62b  patch-3.6.11-al1.patch
+3838e6334ed957fd73e793e1816fe66c  grsecurity-2.9.1-3.6.11-al1-unofficial-0.patch
 776adeeb5272093574f8836c5037dd7d  0004-arp-flush-arp-cache-on-device-change.patch
 daf2cbb558588c49c138fe9ca2482b64  r8169-num-rx-desc.patch
-d9de28f8a74fe0347866705b4bd6db85  xsa40.patch
 d9b4a528e722d10ba53034ebd440c31b  ipv4-remove-output-route-check-in-ipv4_mtu.patch
 63468b44e34fa19237e0a2a1f6737b14  0001-r8169-remove-the-obsolete-and-incorrect-AMD-workarou.patch
 373db5888708938c6b1baed6da781fcb  kernelconfig.x86

main/linux-grsec/xsa40.patch

-Xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
-
-This fixes CVE-2013-0190 / XSA-40
-
-There has been an error on the xen_failsafe_callback path for failed
-iret, which causes the stack pointer to be wrong when entering the
-iret_exc error path.  This can result in the kernel crashing.
-
-In the classic kernel case, the relevant code looked a little like:
-
-        popl %eax      # Error code from hypervisor
-        jz 5f
-        addl $16,%esp
-        jmp iret_exc   # Hypervisor said iret fault
-5:      addl $16,%esp
-                       # Hypervisor said segment selector fault
-
-Here, there are two identical addls on either option of a branch which
-appears to have been optimised by hoisting it above the jz, and
-converting it to an lea, which leaves the flags register unaffected.
-
-In the PVOPS case, the code looks like:
-
-        popl_cfi %eax         # Error from the hypervisor
-        lea 16(%esp),%esp     # Add $16 before choosing fault path
-        CFI_ADJUST_CFA_OFFSET -16
-        jz 5f
-        addl $16,%esp         # Incorrectly adjust %esp again
-        jmp iret_exc
-
-It is possible unprivileged userspace applications to cause this
-behaviour, for example by loading an LDT code selector, then changing
-the code selector to be not-present.  At this point, there is a race
-condition where it is possible for the hypervisor to return back to
-userspace from an interrupt, fault on its own iret, and inject a
-failsafe_callback into the kernel.
-
-This bug has been present since the introduction of Xen PVOPS support
-in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
-
-Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
-diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
-index ff84d54..6ed91d9 100644
---- a/arch/x86/kernel/entry_32.S
-+++ b/arch/x86/kernel/entry_32.S
-@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)
- 	lea 16(%esp),%esp
- 	CFI_ADJUST_CFA_OFFSET -16
- 	jz 5f
--	addl $16,%esp
- 	jmp iret_exc
- 5:	pushl_cfi $-1 /* orig_ax = -1 => not a system call */
- 	SAVE_ALL
-