* [OE-core][dunfell 01/36] glibc: Security fix CVE-2021-33574
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
@ 2021-08-28 18:10 ` Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 02/36] glibc: Security fix for CVE-2021-38604 Steve Sakoman
` (34 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:10 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: glibc.org
MR: 111508
Type: Security Fix
Disposition: Backport from https://sourceware.org/git/glibc.git
ChangeID: 815edc154adc45d08d00995862409f13014f885f
Description:
This version of glibc does not have __pthread_attr_setaffinity_np so an adapted patch was taken from 2.28 (https://sourceware.org/bugzilla/attachment.cgi?id=13497) and https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../glibc/glibc/CVE-2021-33574_1.patch | 72 ++++++++++++++++++
.../glibc/glibc/CVE-2021-33574_2.patch | 73 +++++++++++++++++++
meta/recipes-core/glibc/glibc_2.31.bb | 2 +
3 files changed, 147 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
new file mode 100644
index 0000000000..cef0ce54ed
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
@@ -0,0 +1,72 @@
+From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@linux-m68k.org>
+Date: Thu, 27 May 2021 12:49:47 +0200
+Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
+
+Make a deep copy of the pthread attribute object to remove a potential
+use-after-free issue.
+
+Upstream-Status: Backport
+CVE: CVE-2021-33574 patch#1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ NEWS | 4 ++++
+ sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++-----
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -7,6 +7,10 @@ using `glibc' in the "product" field.
+ \f
+ Version 2.31.1
+
++ CVE-2021-33574: The mq_notify function has a potential use-after-free
++ issue when using a notification type of SIGEV_THREAD and a thread
++ attribute with a non-default affinity mask.
++
+ The following bugs are resolved with this release:
+ [19519] iconv(1) with -c option hangs on illegal multi-byte sequences
+ (CVE-2016-10228)
+Index: git/sysdeps/unix/sysv/linux/mq_notify.c
+===================================================================
+--- git.orig/sysdeps/unix/sysv/linux/mq_notify.c
++++ git/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -135,8 +135,11 @@ helper_thread (void *arg)
+ (void) __pthread_barrier_wait (¬ify_barrier);
+ }
+ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+- /* The only state we keep is the copy of the thread attributes. */
+- free (data.attr);
++ {
++ /* The only state we keep is the copy of the thread attributes. */
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+ }
+ return NULL;
+ }
+@@ -257,8 +260,7 @@ mq_notify (mqd_t mqdes, const struct sig
+ if (data.attr == NULL)
+ return -1;
+
+- memcpy (data.attr, notification->sigev_notify_attributes,
+- sizeof (pthread_attr_t));
++ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
+ }
+
+ /* Construct the new request. */
+@@ -272,7 +274,10 @@ mq_notify (mqd_t mqdes, const struct sig
+
+ /* If it failed, free the allocated memory. */
+ if (__glibc_unlikely (retval != 0))
+- free (data.attr);
++ {
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+
+ return retval;
+ }
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
new file mode 100644
index 0000000000..396cd7fc0e
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
@@ -0,0 +1,73 @@
+From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Tue, 1 Jun 2021 17:51:41 +0200
+Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
+
+__pthread_attr_copy can fail and does not initialize the attribute
+structure in that case.
+
+If __pthread_attr_copy is never called and there is no allocated
+attribute, pthread_attr_destroy should not be called, otherwise
+there is a null pointer dereference in rt/tst-mqueue6.
+
+Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
+("Use __pthread_attr_copy in mq_notify (bug 27896)").
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+https://sourceware.org/bugzilla/attachment.cgi?id=13497
+
+Upstream-Status: Backport
+CVE: CVE-2021-33574 patch#2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+Index: git/sysdeps/unix/sysv/linux/mq_notify.c
+===================================================================
+--- git.orig/sysdeps/unix/sysv/linux/mq_notify.c
++++ git/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -260,7 +260,34 @@ mq_notify (mqd_t mqdes, const struct sig
+ if (data.attr == NULL)
+ return -1;
+
+- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
++ memcpy (data.attr, notification->sigev_notify_attributes,
++ sizeof (pthread_attr_t));
++
++ struct pthread_attr *source =
++ (struct pthread_attr *) (notification->sigev_notify_attributes);
++ struct pthread_attr *target = (struct pthread_attr *) (data.attr);
++ cpu_set_t *newp;
++ cpu_set_t *cpuset = source->cpuset;
++ size_t cpusetsize = source->cpusetsize;
++
++ /* alloc a new memory for cpuset to avoid use after free */
++ if (cpuset != NULL && cpusetsize > 0)
++ {
++ newp = (cpu_set_t *) malloc (cpusetsize);
++ if (newp == NULL)
++ {
++ free(data.attr);
++ return -1;
++ }
++
++ memcpy (newp, cpuset, cpusetsize);
++ target->cpuset = newp;
++ }
++ else
++ {
++ target->cpuset = NULL;
++ target->cpusetsize = 0;
++ }
+ }
+
+ /* Construct the new request. */
+@@ -273,7 +300,7 @@ mq_notify (mqd_t mqdes, const struct sig
+ int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
+
+ /* If it failed, free the allocated memory. */
+- if (__glibc_unlikely (retval != 0))
++ if (retval != 0 && data.attr != NULL)
+ {
+ pthread_attr_destroy (data.attr);
+ free (data.attr);
diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
index 8742efc36f..2e950dfeda 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -67,6 +67,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0028-inject-file-assembly-directives.patch \
file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
file://CVE-2020-29573.patch \
+ file://CVE-2021-33574_1.patch \
+ file://CVE-2021-33574_2.patch \
"
S = "${WORKDIR}/git"
B = "${WORKDIR}/build-${TARGET_SYS}"
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 02/36] glibc: Security fix for CVE-2021-38604
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 01/36] glibc: Security fix CVE-2021-33574 Steve Sakoman
@ 2021-08-28 18:10 ` Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 03/36] gnupg: upgrade 2.2.20 -> 2.2.21 Steve Sakoman
` (33 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:10 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: glibc.org
MR: 112635
Type: Security Fix
Disposition: Backport from https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8
ChangeID: 53b105da48e604f6763bb04b7114f41bfb620d2f
Description:
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../glibc/glibc/CVE-2021-38604.patch | 41 +++++++++++++++++++
meta/recipes-core/glibc/glibc_2.31.bb | 1 +
2 files changed, 42 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2021-38604.patch
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-38604.patch b/meta/recipes-core/glibc/glibc/CVE-2021-38604.patch
new file mode 100644
index 0000000000..36fd4a61b2
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-38604.patch
@@ -0,0 +1,41 @@
+From b805aebd42364fe696e417808a700fdb9800c9e8 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <npv1310@gmail.com>
+Date: Mon, 9 Aug 2021 20:17:34 +0530
+Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213)
+
+Helper thread frees copied attribute on NOTIFY_REMOVED message
+received from the OS kernel. Unfortunately, it fails to check whether
+copied attribute actually exists (data.attr != NULL). This worked
+earlier because free() checks passed pointer before actually
+attempting to release corresponding memory. But
+__pthread_attr_destroy assumes pointer is not NULL.
+
+So passing NULL pointer to __pthread_attr_destroy will result in
+segmentation fault. This scenario is possible if
+notification->sigev_notify_attributes == NULL (which means default
+thread attributes should be used).
+
+Signed-off-by: Nikita Popov <npv1310@gmail.com>
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-38604
+Signed-off-by: Armin Kuser <akuster@mvista.com>
+
+---
+ sysdeps/unix/sysv/linux/mq_notify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: git/sysdeps/unix/sysv/linux/mq_notify.c
+===================================================================
+--- git.orig/sysdeps/unix/sysv/linux/mq_notify.c
++++ git/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -134,7 +134,7 @@ helper_thread (void *arg)
+ to wait until it is done with it. */
+ (void) __pthread_barrier_wait (¬ify_barrier);
+ }
+- else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
++ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL)
+ {
+ /* The only state we keep is the copy of the thread attributes. */
+ pthread_attr_destroy (data.attr);
diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
index 2e950dfeda..3a3586f1b9 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -69,6 +69,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://CVE-2020-29573.patch \
file://CVE-2021-33574_1.patch \
file://CVE-2021-33574_2.patch \
+ file://CVE-2021-38604.patch \
"
S = "${WORKDIR}/git"
B = "${WORKDIR}/build-${TARGET_SYS}"
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 03/36] gnupg: upgrade 2.2.20 -> 2.2.21
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 01/36] glibc: Security fix CVE-2021-33574 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 02/36] glibc: Security fix for CVE-2021-38604 Steve Sakoman
@ 2021-08-28 18:10 ` Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 04/36] gnupg: update 2.2.21 -> 2.2.22 Steve Sakoman
` (32 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:10 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 1aeb32228d92568e90f313a2a027c6790937eb8a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 50e1649a320f2e631da9e6393efb8459fd979e88)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...-a-custom-value-for-the-location-of-.patch | 6 +++---
.../gnupg/gnupg/relocate.patch | 20 +++++++++----------
.../{gnupg_2.2.20.bb => gnupg_2.2.21.bb} | 3 +--
3 files changed, 14 insertions(+), 15 deletions(-)
rename meta/recipes-support/gnupg/{gnupg_2.2.20.bb => gnupg_2.2.21.bb} (95%)
diff --git a/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch b/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
index 2c204e0245..0e78f5679e 100644
--- a/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
+++ b/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
@@ -1,4 +1,4 @@
-From e7ad11cf54475e455fdb84d118e4782961698567 Mon Sep 17 00:00:00 2001
+From 0e51c62706a8c54e90a2d98c5250ecc894c65182 Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Mon, 22 Jan 2018 18:00:21 +0200
Subject: [PATCH] configure.ac: use a custom value for the location of
@@ -14,10 +14,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
-index 919ab31..cd58fdb 100644
+index f3c9863..a57f559 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -1855,7 +1855,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf",
+@@ -1856,7 +1856,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf",
AC_DEFINE_UNQUOTED(GPGTAR_NAME, "gpgtar", [The name of the gpgtar tool])
diff --git a/meta/recipes-support/gnupg/gnupg/relocate.patch b/meta/recipes-support/gnupg/gnupg/relocate.patch
index e5a82aa76d..25732a8277 100644
--- a/meta/recipes-support/gnupg/gnupg/relocate.patch
+++ b/meta/recipes-support/gnupg/gnupg/relocate.patch
@@ -1,4 +1,4 @@
-From 59c077f32e81190955910cae02599c7a3edfa7fb Mon Sep 17 00:00:00 2001
+From 6e3b1d89758c3ee7072aeefa305ce5fe76f2e439 Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@intel.com>
Date: Wed, 19 Sep 2018 14:44:40 +0100
Subject: [PATCH] Allow the environment to override where gnupg looks for its
@@ -12,10 +12,10 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/common/homedir.c b/common/homedir.c
-index e9e75d0..19140aa 100644
+index 4b6e46e..58989b4 100644
--- a/common/homedir.c
+++ b/common/homedir.c
-@@ -760,7 +760,7 @@ gnupg_socketdir (void)
+@@ -763,7 +763,7 @@ gnupg_socketdir (void)
if (!name)
{
unsigned int dummy;
@@ -24,7 +24,7 @@ index e9e75d0..19140aa 100644
}
return name;
-@@ -786,7 +786,7 @@ gnupg_sysconfdir (void)
+@@ -789,7 +789,7 @@ gnupg_sysconfdir (void)
}
return name;
#else /*!HAVE_W32_SYSTEM*/
@@ -33,7 +33,7 @@ index e9e75d0..19140aa 100644
#endif /*!HAVE_W32_SYSTEM*/
}
-@@ -815,7 +815,7 @@ gnupg_bindir (void)
+@@ -818,7 +818,7 @@ gnupg_bindir (void)
else
return rdir;
#else /*!HAVE_W32_SYSTEM*/
@@ -42,7 +42,7 @@ index e9e75d0..19140aa 100644
#endif /*!HAVE_W32_SYSTEM*/
}
-@@ -828,7 +828,7 @@ gnupg_libexecdir (void)
+@@ -831,7 +831,7 @@ gnupg_libexecdir (void)
#ifdef HAVE_W32_SYSTEM
return gnupg_bindir ();
#else /*!HAVE_W32_SYSTEM*/
@@ -51,7 +51,7 @@ index e9e75d0..19140aa 100644
#endif /*!HAVE_W32_SYSTEM*/
}
-@@ -842,7 +842,7 @@ gnupg_libdir (void)
+@@ -845,7 +845,7 @@ gnupg_libdir (void)
name = xstrconcat (w32_rootdir (), DIRSEP_S "lib" DIRSEP_S "gnupg", NULL);
return name;
#else /*!HAVE_W32_SYSTEM*/
@@ -60,7 +60,7 @@ index e9e75d0..19140aa 100644
#endif /*!HAVE_W32_SYSTEM*/
}
-@@ -856,7 +856,7 @@ gnupg_datadir (void)
+@@ -859,7 +859,7 @@ gnupg_datadir (void)
name = xstrconcat (w32_rootdir (), DIRSEP_S "share" DIRSEP_S "gnupg", NULL);
return name;
#else /*!HAVE_W32_SYSTEM*/
@@ -69,7 +69,7 @@ index e9e75d0..19140aa 100644
#endif /*!HAVE_W32_SYSTEM*/
}
-@@ -872,7 +872,7 @@ gnupg_localedir (void)
+@@ -875,7 +875,7 @@ gnupg_localedir (void)
NULL);
return name;
#else /*!HAVE_W32_SYSTEM*/
@@ -78,7 +78,7 @@ index e9e75d0..19140aa 100644
#endif /*!HAVE_W32_SYSTEM*/
}
-@@ -940,7 +940,7 @@ gnupg_cachedir (void)
+@@ -943,7 +943,7 @@ gnupg_cachedir (void)
}
return dir;
#else /*!HAVE_W32_SYSTEM*/
diff --git a/meta/recipes-support/gnupg/gnupg_2.2.20.bb b/meta/recipes-support/gnupg/gnupg_2.2.21.bb
similarity index 95%
rename from meta/recipes-support/gnupg/gnupg_2.2.20.bb
rename to meta/recipes-support/gnupg/gnupg_2.2.21.bb
index 6629fc8556..f0aca9ef3e 100644
--- a/meta/recipes-support/gnupg/gnupg_2.2.20.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.2.21.bb
@@ -25,8 +25,7 @@ SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-
file://relocate.patch"
SRC_URI_append_class-nativesdk = " file://relocate.patch"
-SRC_URI[md5sum] = "4ff88920cf52b35db0dedaee87bdbbb1"
-SRC_URI[sha256sum] = "04a7c9d48b74c399168ee8270e548588ddbe52218c337703d7f06373d326ca30"
+SRC_URI[sha256sum] = "61e83278fb5fa7336658a8b73ab26f379d41275bb1c7c6e694dd9f9a6e8e76ec"
EXTRA_OECONF = "--disable-ldap \
--disable-ccid-driver \
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 04/36] gnupg: update 2.2.21 -> 2.2.22
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (2 preceding siblings ...)
2021-08-28 18:10 ` [OE-core][dunfell 03/36] gnupg: upgrade 2.2.20 -> 2.2.21 Steve Sakoman
@ 2021-08-28 18:10 ` Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 05/36] gnupg: uprev 2.2.22 -> 2.2.23 Steve Sakoman
` (31 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:10 UTC (permalink / raw)
To: openembedded-core
From: Alexander Kanavin <alex.kanavin@gmail.com>
(From OE-Core rev: ad9f9fd5609c2014454c73045bc603c9883977e3)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 33eade06ebb327be80eef278835053759ffe23fa)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...use-a-custom-value-for-the-location-of-.patch | 6 +++---
.../gnupg/0003-dirmngr-uses-libgpg-error.patch | 16 +++++++---------
meta/recipes-support/gnupg/gnupg/relocate.patch | 2 +-
.../gnupg/{gnupg_2.2.21.bb => gnupg_2.2.22.bb} | 2 +-
4 files changed, 12 insertions(+), 14 deletions(-)
rename meta/recipes-support/gnupg/{gnupg_2.2.21.bb => gnupg_2.2.22.bb} (97%)
diff --git a/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch b/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
index 0e78f5679e..c641a19616 100644
--- a/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
+++ b/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
@@ -1,4 +1,4 @@
-From 0e51c62706a8c54e90a2d98c5250ecc894c65182 Mon Sep 17 00:00:00 2001
+From 56343af532389c31eab32c096c9a989c53c78ce0 Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Mon, 22 Jan 2018 18:00:21 +0200
Subject: [PATCH] configure.ac: use a custom value for the location of
@@ -14,10 +14,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
-index f3c9863..a57f559 100644
+index 1d05d39..eaaf33c 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -1856,7 +1856,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf",
+@@ -1858,7 +1858,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf",
AC_DEFINE_UNQUOTED(GPGTAR_NAME, "gpgtar", [The name of the gpgtar tool])
diff --git a/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch b/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch
index 3e798efd06..607a09f188 100644
--- a/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch
+++ b/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch
@@ -1,7 +1,7 @@
-From 9c3858ffda6246bf9e1e6aeeb920532a56b19408 Mon Sep 17 00:00:00 2001
+From 9a901dbb1c48685f2db6d7b55916c9484e871f16 Mon Sep 17 00:00:00 2001
From: Saul Wold <sgw@linux.intel.com>
Date: Wed, 16 Aug 2017 11:18:01 +0800
-Subject: [PATCH 3/4] dirmngr uses libgpg error
+Subject: [PATCH] dirmngr uses libgpg error
Upstream-Status: Pending
Signed-off-by: Saul Wold <sgw@linux.intel.com>
@@ -9,24 +9,22 @@ Signed-off-by: Saul Wold <sgw@linux.intel.com>
Rebase to 2.1.23
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+
---
dirmngr/Makefile.am | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am
-index b404165..d3f916e 100644
+index 208a813..292c036 100644
--- a/dirmngr/Makefile.am
+++ b/dirmngr/Makefile.am
-@@ -82,7 +82,8 @@ endif
+@@ -90,7 +90,8 @@ endif
dirmngr_LDADD = $(libcommonpth) \
$(DNSLIBS) $(LIBASSUAN_LIBS) \
$(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(NPTH_LIBS) \
-- $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV)
-+ $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) \
+- $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) $(NETLIBS)
++ $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) $(NETLIBS) \
+ $(GPG_ERROR_LIBS)
if USE_LDAP
dirmngr_LDADD += $(ldaplibs)
endif
---
-1.8.3.1
-
diff --git a/meta/recipes-support/gnupg/gnupg/relocate.patch b/meta/recipes-support/gnupg/gnupg/relocate.patch
index 25732a8277..aa8d1e3cc2 100644
--- a/meta/recipes-support/gnupg/gnupg/relocate.patch
+++ b/meta/recipes-support/gnupg/gnupg/relocate.patch
@@ -1,4 +1,4 @@
-From 6e3b1d89758c3ee7072aeefa305ce5fe76f2e439 Mon Sep 17 00:00:00 2001
+From 4005b3342db06749453835720b5a5c2392a90810 Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@intel.com>
Date: Wed, 19 Sep 2018 14:44:40 +0100
Subject: [PATCH] Allow the environment to override where gnupg looks for its
diff --git a/meta/recipes-support/gnupg/gnupg_2.2.21.bb b/meta/recipes-support/gnupg/gnupg_2.2.22.bb
similarity index 97%
rename from meta/recipes-support/gnupg/gnupg_2.2.21.bb
rename to meta/recipes-support/gnupg/gnupg_2.2.22.bb
index f0aca9ef3e..887ab0e1f2 100644
--- a/meta/recipes-support/gnupg/gnupg_2.2.21.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.2.22.bb
@@ -25,7 +25,7 @@ SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-
file://relocate.patch"
SRC_URI_append_class-nativesdk = " file://relocate.patch"
-SRC_URI[sha256sum] = "61e83278fb5fa7336658a8b73ab26f379d41275bb1c7c6e694dd9f9a6e8e76ec"
+SRC_URI[sha256sum] = "7c1370565e1910b9d8c4e0fb57b9de34aa062ec7bb91abad5803d791f38d855b"
EXTRA_OECONF = "--disable-ldap \
--disable-ccid-driver \
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 05/36] gnupg: uprev 2.2.22 -> 2.2.23
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (3 preceding siblings ...)
2021-08-28 18:10 ` [OE-core][dunfell 04/36] gnupg: update 2.2.21 -> 2.2.22 Steve Sakoman
@ 2021-08-28 18:10 ` Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 06/36] gnupg: update 2.2.23 -> 2.2.26 Steve Sakoman
` (30 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:10 UTC (permalink / raw)
To: openembedded-core
From: Saul Wold <Saul.Wold@windriver.com>
Source: poky.org
MR: 105607
Type: Security Fix
Disposition: Backport from http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-support/gnupg?h=hardknott&id=0c06506d42f9e1f43a54a178cda47cfea3f12f81
ChangeID: 4341d0331368d6cd51d635d2c70555b3dce61792
Description:
This addresses CVE-2020-25125 and provides some other minor
updates and translations.
Updated commits for reference:
e234d04c3 Werner Koch Release 2.2.23
aeb8272ca Werner Koch gpg: Fix AEAD preference list overflow
038314665 Werner Koch po: auto update
1a4b0fd79 Yuri Chornoivan po: Update Ukrainian translation
93d10403a Jakub Bogusz po: Update Polish translation
a8a8105bc Werner Koch po: Add key-check.c to the list of translatable sources.
cad9955ac Petr Pisar po: Update Czech translation.
896c528ba Werner Koch gpg: Fix segv importing certain keys.
0a9665187 NIIBE Yutaka scd: Fix a regression for OpenPGP card.
bcae9cd4e Nagy Ferenc László po: Minor update to the Hungarian translation.
d2fe2ffd7 Werner Koch sm: Fix a bug in the rfc2253 parser
f799b3ddb Werner Koch Post release updates
(From OE-Core rev: 965683336816eba7cb0548e59faf224f74b306b1)
Signed-off-by: Saul Wold <saul.wold@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0c06506d42f9e1f43a54a178cda47cfea3f12f81)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/gnupg/{gnupg_2.2.22.bb => gnupg_2.2.23.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-support/gnupg/{gnupg_2.2.22.bb => gnupg_2.2.23.bb} (97%)
diff --git a/meta/recipes-support/gnupg/gnupg_2.2.22.bb b/meta/recipes-support/gnupg/gnupg_2.2.23.bb
similarity index 97%
rename from meta/recipes-support/gnupg/gnupg_2.2.22.bb
rename to meta/recipes-support/gnupg/gnupg_2.2.23.bb
index 887ab0e1f2..fc157c7906 100644
--- a/meta/recipes-support/gnupg/gnupg_2.2.22.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.2.23.bb
@@ -25,7 +25,7 @@ SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-
file://relocate.patch"
SRC_URI_append_class-nativesdk = " file://relocate.patch"
-SRC_URI[sha256sum] = "7c1370565e1910b9d8c4e0fb57b9de34aa062ec7bb91abad5803d791f38d855b"
+SRC_URI[sha256sum] = "10b55e49d78b3e49f1edb58d7541ecbdad92ddaeeb885b6f486ed23d1cd1da5c"
EXTRA_OECONF = "--disable-ldap \
--disable-ccid-driver \
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 06/36] gnupg: update 2.2.23 -> 2.2.26
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (4 preceding siblings ...)
2021-08-28 18:10 ` [OE-core][dunfell 05/36] gnupg: uprev 2.2.22 -> 2.2.23 Steve Sakoman
@ 2021-08-28 18:10 ` Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 07/36] gnupg: upgrade 2.2.26 -> 2.2.27 Steve Sakoman
` (29 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:10 UTC (permalink / raw)
To: openembedded-core
From: Alexander Kanavin <alex.kanavin@gmail.com>
(From OE-Core rev: eb7ad793d8c2e924adccc62e7680bb1cac640e89)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit df0bb1cb96389d534b53faf677a0f6ee30dd672d)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...e-a-custom-value-for-the-location-of-.patch | 6 +++---
.../gnupg/0003-dirmngr-uses-libgpg-error.patch | 18 ++++++++----------
.../recipes-support/gnupg/gnupg/relocate.patch | 2 +-
.../gnupg/{gnupg_2.2.23.bb => gnupg_2.2.26.bb} | 2 +-
4 files changed, 13 insertions(+), 15 deletions(-)
rename meta/recipes-support/gnupg/{gnupg_2.2.23.bb => gnupg_2.2.26.bb} (97%)
diff --git a/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch b/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
index c641a19616..a0af2d48dc 100644
--- a/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
+++ b/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
@@ -1,4 +1,4 @@
-From 56343af532389c31eab32c096c9a989c53c78ce0 Mon Sep 17 00:00:00 2001
+From abc5c396aaddaef2e6811362e3e0cc0da28c2b34 Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Mon, 22 Jan 2018 18:00:21 +0200
Subject: [PATCH] configure.ac: use a custom value for the location of
@@ -14,10 +14,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
-index 1d05d39..eaaf33c 100644
+index 64cb8c6..3fe9027 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -1858,7 +1858,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf",
+@@ -1824,7 +1824,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf",
AC_DEFINE_UNQUOTED(GPGTAR_NAME, "gpgtar", [The name of the gpgtar tool])
diff --git a/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch b/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch
index 607a09f188..a13b4d5fb5 100644
--- a/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch
+++ b/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch
@@ -1,4 +1,4 @@
-From 9a901dbb1c48685f2db6d7b55916c9484e871f16 Mon Sep 17 00:00:00 2001
+From 6c75656b68cb6e38b039ae532bd39437cd6daec5 Mon Sep 17 00:00:00 2001
From: Saul Wold <sgw@linux.intel.com>
Date: Wed, 16 Aug 2017 11:18:01 +0800
Subject: [PATCH] dirmngr uses libgpg error
@@ -11,20 +11,18 @@ Rebase to 2.1.23
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
- dirmngr/Makefile.am | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ dirmngr/Makefile.am | 1 +
+ 1 file changed, 1 insertion(+)
diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am
-index 208a813..292c036 100644
+index 00d3c42..450d873 100644
--- a/dirmngr/Makefile.am
+++ b/dirmngr/Makefile.am
-@@ -90,7 +90,8 @@ endif
- dirmngr_LDADD = $(libcommonpth) \
+@@ -101,6 +101,7 @@ dirmngr_LDADD = $(libcommonpth) \
$(DNSLIBS) $(LIBASSUAN_LIBS) \
$(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(NPTH_LIBS) \
-- $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) $(NETLIBS)
-+ $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) $(NETLIBS) \
-+ $(GPG_ERROR_LIBS)
+ $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) $(NETLIBS) \
++ $(GPG_ERROR_LIBS) \
+ $(dirmngr_robj)
if USE_LDAP
dirmngr_LDADD += $(ldaplibs)
- endif
diff --git a/meta/recipes-support/gnupg/gnupg/relocate.patch b/meta/recipes-support/gnupg/gnupg/relocate.patch
index aa8d1e3cc2..7f7812cd46 100644
--- a/meta/recipes-support/gnupg/gnupg/relocate.patch
+++ b/meta/recipes-support/gnupg/gnupg/relocate.patch
@@ -1,4 +1,4 @@
-From 4005b3342db06749453835720b5a5c2392a90810 Mon Sep 17 00:00:00 2001
+From bd66af2ac7bb6d9294ac8055a55462ba7c4f9c9b Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@intel.com>
Date: Wed, 19 Sep 2018 14:44:40 +0100
Subject: [PATCH] Allow the environment to override where gnupg looks for its
diff --git a/meta/recipes-support/gnupg/gnupg_2.2.23.bb b/meta/recipes-support/gnupg/gnupg_2.2.26.bb
similarity index 97%
rename from meta/recipes-support/gnupg/gnupg_2.2.23.bb
rename to meta/recipes-support/gnupg/gnupg_2.2.26.bb
index fc157c7906..e2b03a520f 100644
--- a/meta/recipes-support/gnupg/gnupg_2.2.23.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.2.26.bb
@@ -25,7 +25,7 @@ SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-
file://relocate.patch"
SRC_URI_append_class-nativesdk = " file://relocate.patch"
-SRC_URI[sha256sum] = "10b55e49d78b3e49f1edb58d7541ecbdad92ddaeeb885b6f486ed23d1cd1da5c"
+SRC_URI[sha256sum] = "517569e6c9fad22175df16be5900f94c991c41e53612db63c14493e814cfff6d"
EXTRA_OECONF = "--disable-ldap \
--disable-ccid-driver \
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 07/36] gnupg: upgrade 2.2.26 -> 2.2.27
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (5 preceding siblings ...)
2021-08-28 18:10 ` [OE-core][dunfell 06/36] gnupg: update 2.2.23 -> 2.2.26 Steve Sakoman
@ 2021-08-28 18:10 ` Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 08/36] qemu: Security fix CVE-2020-25085 Steve Sakoman
` (28 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:10 UTC (permalink / raw)
To: openembedded-core
From: Wang Mingyu <wangmy@cn.fujitsu.com>
(From OE-Core rev: 90798e892fd3e0d2ef77a7ba64a33ea9f8ef317b)
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 33a997a80a56fba4138780fadda231ae4fd751ea)
[gnupg 2.2 is an LTS release so this series are all bug fixes.
https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000452.html]
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/gnupg/{gnupg_2.2.26.bb => gnupg_2.2.27.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-support/gnupg/{gnupg_2.2.26.bb => gnupg_2.2.27.bb} (97%)
diff --git a/meta/recipes-support/gnupg/gnupg_2.2.26.bb b/meta/recipes-support/gnupg/gnupg_2.2.27.bb
similarity index 97%
rename from meta/recipes-support/gnupg/gnupg_2.2.26.bb
rename to meta/recipes-support/gnupg/gnupg_2.2.27.bb
index e2b03a520f..1181c8341b 100644
--- a/meta/recipes-support/gnupg/gnupg_2.2.26.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.2.27.bb
@@ -25,7 +25,7 @@ SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-
file://relocate.patch"
SRC_URI_append_class-nativesdk = " file://relocate.patch"
-SRC_URI[sha256sum] = "517569e6c9fad22175df16be5900f94c991c41e53612db63c14493e814cfff6d"
+SRC_URI[sha256sum] = "34e60009014ea16402069136e0a5f63d9b65f90096244975db5cea74b3d02399"
EXTRA_OECONF = "--disable-ldap \
--disable-ccid-driver \
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 08/36] qemu: Security fix CVE-2020-25085
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (6 preceding siblings ...)
2021-08-28 18:10 ` [OE-core][dunfell 07/36] gnupg: upgrade 2.2.26 -> 2.2.27 Steve Sakoman
@ 2021-08-28 18:10 ` Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 09/36] qemu: Security fix CVE-2020-25624 Steve Sakoman
` (27 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:10 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: qemu.org
MR: 105773
Type: Security Fix
Disposition: Backport from https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg00733.html
ChangeID: 77c8a9e75b94da3c03c64c95d9e6ab9d45037572
Description:
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 41 +++++++++--------
.../qemu/qemu/CVE-2020-25085.patch | 46 +++++++++++++++++++
2 files changed, 67 insertions(+), 20 deletions(-)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index e25c2524aa..a33008670b 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -35,27 +35,28 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2020-7039-2.patch \
file://CVE-2020-7039-3.patch \
file://0001-Add-enable-disable-udev.patch \
- file://CVE-2020-7211.patch \
- file://0001-qemu-Do-not-include-file-if-not-exists.patch \
+ file://CVE-2020-7211.patch \
+ file://0001-qemu-Do-not-include-file-if-not-exists.patch \
file://CVE-2020-11102.patch \
- file://CVE-2020-11869.patch \
- file://CVE-2020-13361.patch \
- file://CVE-2020-10761.patch \
- file://CVE-2020-10702.patch \
- file://CVE-2020-13659.patch \
- file://CVE-2020-13800.patch \
- file://CVE-2020-13362.patch \
- file://CVE-2020-15863.patch \
- file://CVE-2020-14364.patch \
- file://CVE-2020-14415.patch \
- file://CVE-2020-16092.patch \
- file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
- file://CVE-2019-20175.patch \
- file://CVE-2020-24352.patch \
- file://CVE-2020-25723.patch \
- file://CVE-2021-20203.patch \
- file://CVE-2021-3392.patch \
- "
+ file://CVE-2020-11869.patch \
+ file://CVE-2020-13361.patch \
+ file://CVE-2020-10761.patch \
+ file://CVE-2020-10702.patch \
+ file://CVE-2020-13659.patch \
+ file://CVE-2020-13800.patch \
+ file://CVE-2020-13362.patch \
+ file://CVE-2020-15863.patch \
+ file://CVE-2020-14364.patch \
+ file://CVE-2020-14415.patch \
+ file://CVE-2020-16092.patch \
+ file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
+ file://CVE-2019-20175.patch \
+ file://CVE-2020-24352.patch \
+ file://CVE-2020-25723.patch \
+ file://CVE-2021-20203.patch \
+ file://CVE-2021-3392.patch \
+ file://CVE-2020-25085.patch \
+ "
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
SRC_URI[md5sum] = "278eeb294e4b497e79af7a57e660cb9a"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch
new file mode 100644
index 0000000000..be19256cef
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch
@@ -0,0 +1,46 @@
+From dfba99f17feb6d4a129da19d38df1bcd8579d1c3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Tue, 1 Sep 2020 15:22:06 +0200
+Subject: [PATCH] hw/sd/sdhci: Fix DMA Transfer Block Size field
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The 'Transfer Block Size' field is 12-bit wide.
+
+See section '2.2.2. Block Size Register (Offset 004h)' in datasheet.
+
+Two different bug reproducer available:
+- https://bugs.launchpad.net/qemu/+bug/1892960
+- https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1
+
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Fixes: d7dfca0807a ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20200901140411.112150-3-f4bug@amsat.org>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25085
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/sd/sdhci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/sd/sdhci.c
+===================================================================
+--- qemu-4.2.0.orig/hw/sd/sdhci.c
++++ qemu-4.2.0/hw/sd/sdhci.c
+@@ -1129,7 +1129,7 @@ sdhci_write(void *opaque, hwaddr offset,
+ break;
+ case SDHC_BLKSIZE:
+ if (!TRANSFERRING_DATA(s->prnsts)) {
+- MASKED_WRITE(s->blksize, mask, value);
++ MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+ MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+ }
+
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 09/36] qemu: Security fix CVE-2020-25624
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (7 preceding siblings ...)
2021-08-28 18:10 ` [OE-core][dunfell 08/36] qemu: Security fix CVE-2020-25085 Steve Sakoman
@ 2021-08-28 18:10 ` Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 10/36] Qemu: Security fix for CVE-2020-25625/2021-3409/2020-17380 Steve Sakoman
` (26 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:10 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: qemu.org
MR: 106958
Type: Security Fix
Disposition: Backport from qemu.org
ChangeID: 9d0c21c4ff5dc12ba623685cd7ae4d4bc294f519
Description:
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2020-25624_1.patch | 87 +++++++++++++++
.../qemu/qemu/CVE-2020-25624_2.patch | 101 ++++++++++++++++++
3 files changed, 190 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-25624_1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-25624_2.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index a33008670b..6978be951e 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -56,6 +56,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-20203.patch \
file://CVE-2021-3392.patch \
file://CVE-2020-25085.patch \
+ file://CVE-2020-25624_1.patch \
+ file://CVE-2020-25624_2.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_1.patch
new file mode 100644
index 0000000000..a46b5be193
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_1.patch
@@ -0,0 +1,87 @@
+From fbec359e9279ce78908b9f2af2c264e7448336af Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Mon, 17 Feb 2020 12:48:10 -0800
+Subject: [PATCH] hw: usb: hcd-ohci: Move OHCISysBusState and TYPE_SYSBUS_OHCI
+ to include file
+
+We need to be able to use OHCISysBusState outside hcd-ohci.c, so move it
+to its include file.
+
+Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20200217204812.9857-2-linux@roeck-us.net
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25624 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/usb/hcd-ohci.c | 15 ---------------
+ hw/usb/hcd-ohci.h | 16 ++++++++++++++++
+ 2 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 8a94bd004a..1e6e85e86a 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -1870,21 +1870,6 @@ void ohci_sysbus_die(struct OHCIState *ohci)
+ ohci_bus_stop(ohci);
+ }
+
+-#define TYPE_SYSBUS_OHCI "sysbus-ohci"
+-#define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
+-
+-typedef struct {
+- /*< private >*/
+- SysBusDevice parent_obj;
+- /*< public >*/
+-
+- OHCIState ohci;
+- char *masterbus;
+- uint32_t num_ports;
+- uint32_t firstport;
+- dma_addr_t dma_offset;
+-} OHCISysBusState;
+-
+ static void ohci_realize_pxa(DeviceState *dev, Error **errp)
+ {
+ OHCISysBusState *s = SYSBUS_OHCI(dev);
+diff --git a/hw/usb/hcd-ohci.h b/hw/usb/hcd-ohci.h
+index 16e3f1e13a..5c8819aedf 100644
+--- a/hw/usb/hcd-ohci.h
++++ b/hw/usb/hcd-ohci.h
+@@ -22,6 +22,7 @@
+ #define HCD_OHCI_H
+
+ #include "sysemu/dma.h"
++#include "hw/usb.h"
+
+ /* Number of Downstream Ports on the root hub: */
+ #define OHCI_MAX_PORTS 15
+@@ -90,6 +91,21 @@ typedef struct OHCIState {
+ void (*ohci_die)(struct OHCIState *ohci);
+ } OHCIState;
+
++#define TYPE_SYSBUS_OHCI "sysbus-ohci"
++#define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
++
++typedef struct {
++ /*< private >*/
++ SysBusDevice parent_obj;
++ /*< public >*/
++
++ OHCIState ohci;
++ char *masterbus;
++ uint32_t num_ports;
++ uint32_t firstport;
++ dma_addr_t dma_offset;
++} OHCISysBusState;
++
+ extern const VMStateDescription vmstate_ohci_state;
+
+ void usb_ohci_init(OHCIState *ohci, DeviceState *dev, uint32_t num_ports,
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_2.patch
new file mode 100644
index 0000000000..8c1275b2f4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_2.patch
@@ -0,0 +1,101 @@
+From 1328fe0c32d5474604105b8105310e944976b058 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2020 23:52:58 +0530
+Subject: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables
+
+While servicing the OHCI transfer descriptors(TD), OHCI host
+controller derives variables 'start_addr', 'end_addr', 'len'
+etc. from values supplied by the host controller driver.
+Host controller driver may supply values such that using
+above variables leads to out-of-bounds access issues.
+Add checks to avoid them.
+
+AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0
+ READ of size 2 at 0x7ffd53af76a0 thread T0
+ #0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734
+ #1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180
+ #2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214
+ #3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257
+ #4 timerlist_run_timers ../util/qemu-timer.c:572
+ #5 qemu_clock_run_timers ../util/qemu-timer.c:586
+ #6 qemu_clock_run_all_timers ../util/qemu-timer.c:672
+ #7 main_loop_wait ../util/main-loop.c:527
+ #8 qemu_main_loop ../softmmu/vl.c:1676
+ #9 main ../softmmu/main.c:50
+
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Reported-by: Yongkang Jia <j_kangel@163.com>
+Reported-by: Yi Ren <yunye.ry@alibaba-inc.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20200915182259.68522-2-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25624 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/usb/hcd-ohci.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 1e6e85e86a..9dc59101f9 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -731,7 +731,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+ }
+
+ start_offset = iso_td.offset[relative_frame_number];
+- next_offset = iso_td.offset[relative_frame_number + 1];
++ if (relative_frame_number < frame_count) {
++ next_offset = iso_td.offset[relative_frame_number + 1];
++ } else {
++ next_offset = iso_td.be;
++ }
+
+ if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
+ ((relative_frame_number < frame_count) &&
+@@ -764,7 +768,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+ }
+ } else {
+ /* Last packet in the ISO TD */
+- end_addr = iso_td.be;
++ end_addr = next_offset;
++ }
++
++ if (start_addr > end_addr) {
++ trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
++ return 1;
+ }
+
+ if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
+@@ -773,6 +782,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+ } else {
+ len = end_addr - start_addr + 1;
+ }
++ if (len > sizeof(ohci->usb_buf)) {
++ len = sizeof(ohci->usb_buf);
++ }
+
+ if (len && dir != OHCI_TD_DIR_IN) {
+ if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
+@@ -975,8 +987,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
+ if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
+ len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
+ } else {
++ if (td.cbp > td.be) {
++ trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
++ ohci_die(ohci);
++ return 1;
++ }
+ len = (td.be - td.cbp) + 1;
+ }
++ if (len > sizeof(ohci->usb_buf)) {
++ len = sizeof(ohci->usb_buf);
++ }
+
+ pktlen = len;
+ if (len && dir != OHCI_TD_DIR_IN) {
+--
+2.25.1
+
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 10/36] Qemu: Security fix for CVE-2020-25625/2021-3409/2020-17380
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (8 preceding siblings ...)
2021-08-28 18:10 ` [OE-core][dunfell 09/36] qemu: Security fix CVE-2020-25624 Steve Sakoman
@ 2021-08-28 18:10 ` Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 11/36] qemu: Security fix for CVE-2020-29443 Steve Sakoman
` (25 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:10 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: Qemu.org
MR: 105781, 109964, 108621
Type: Security Fix
Disposition: Backport from https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05905.html
ChangeID: 0acf082885e7ab3ac2fb41d6e503449869dd46a8
Description:
This address:
CVE-2020-25625
and its two fixes address an incomplete fix for CVE-2020-25625
CVE-2021-3409
CVE-2020-17380
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2020-25625.patch | 42 +++++++++++++++++++
2 files changed, 43 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 6978be951e..76bfb4fcf9 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -58,6 +58,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2020-25085.patch \
file://CVE-2020-25624_1.patch \
file://CVE-2020-25624_2.patch \
+ file://CVE-2020-25625.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch
new file mode 100644
index 0000000000..374d7c4562
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch
@@ -0,0 +1,42 @@
+From 1be90ebecc95b09a2ee5af3f60c412b45a766c4f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2020 23:52:59 +0530
+Subject: [PATCH] hw: usb: hcd-ohci: check for processed TD before retire
+
+While servicing OHCI transfer descriptors(TD), ohci_service_iso_td
+retires a TD if it has passed its time frame. It does not check if
+the TD was already processed once and holds an error code in TD_CC.
+It may happen if the TD list has a loop. Add check to avoid an
+infinite loop condition.
+
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200915182259.68522-3-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25625
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/usb/hcd-ohci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 9dc59101f9..8b912e95d3 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -691,6 +691,10 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+ the next ISO TD of the same ED */
+ trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
+ frame_count);
++ if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) {
++ /* avoid infinite loop */
++ return 1;
++ }
+ OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
+ ed->head &= ~OHCI_DPTR_MASK;
+ ed->head |= (iso_td.next & OHCI_DPTR_MASK);
+--
+2.25.1
+
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 11/36] qemu: Security fix for CVE-2020-29443
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (9 preceding siblings ...)
2021-08-28 18:10 ` [OE-core][dunfell 10/36] Qemu: Security fix for CVE-2020-25625/2021-3409/2020-17380 Steve Sakoman
@ 2021-08-28 18:10 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 12/36] qemu: Security fix CVE-2021-20221 Steve Sakoman
` (24 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:10 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: Qemu.org
MR: 109315
Type: Security Fix
Disposition: Backport from https://git.qemu.org/?p=qemu.git;a=commit;h=813212288970c39b1800f63e83ac6e96588095c6
ChangeID: c0296e285169cc937cc9758c9d84ac690297ee54
Description:
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2020-29443.patch | 45 +++++++++++++++++++
2 files changed, 46 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 76bfb4fcf9..bd1a83955f 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -59,6 +59,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2020-25624_1.patch \
file://CVE-2020-25624_2.patch \
file://CVE-2020-25625.patch \
+ file://CVE-2020-29443.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
new file mode 100644
index 0000000000..1528d5c2fd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
@@ -0,0 +1,45 @@
+From 813212288970c39b1800f63e83ac6e96588095c6 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 1 Dec 2020 13:09:26 +0100
+Subject: [PATCH] ide: atapi: assert that the buffer pointer is in range
+
+A case was reported where s->io_buffer_index can be out of range.
+The report skimped on the details but it seems to be triggered
+by s->lba == -1 on the READ/READ CD paths (e.g. by sending an
+ATAPI command with LBA = 0xFFFFFFFF). For now paper over it
+with assertions. The first one ensures that there is no overflow
+when incrementing s->io_buffer_index, the second checks for the
+buffer overrun.
+
+Note that the buffer overrun is only a read, so I am not sure
+if the assertion failure is actually less harmful than the overrun.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: 20201201120926.56559-1-pbonzini@redhat.com
+Reviewed-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport
+CVE: CVE-2020-29443
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/ide/atapi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index 14a2b0bb2f..e79157863f 100644
+--- a/hw/ide/atapi.c
++++ b/hw/ide/atapi.c
+@@ -276,6 +276,8 @@ void ide_atapi_cmd_reply_end(IDEState *s)
+ s->packet_transfer_size -= size;
+ s->elementary_transfer_size -= size;
+ s->io_buffer_index += size;
++ assert(size <= s->io_buffer_total_len);
++ assert(s->io_buffer_index <= s->io_buffer_total_len);
+
+ /* Some adapters process PIO data right away. In that case, we need
+ * to avoid mutual recursion between ide_transfer_start
+--
+2.25.1
+
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 12/36] qemu: Security fix CVE-2021-20221
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (10 preceding siblings ...)
2021-08-28 18:10 ` [OE-core][dunfell 11/36] qemu: Security fix for CVE-2020-29443 Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 13/36] qemu: fix CVE-2021-20181 Steve Sakoman
` (23 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: Qemu.org
MR: 111643
Type: Security Fix
Disposition: Backport from https://gitlab.com/qemu-project/qemu/-/commit/edfe2eb4360cde4ed5d95bda7777edcb3510f76a
ChangeID: b3ca1aa4b772a5f27f327250c5b0b988375c86a9
Description:
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-20221.patch | 67 +++++++++++++++++++
2 files changed, 68 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index bd1a83955f..ea654e0008 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -60,6 +60,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2020-25624_2.patch \
file://CVE-2020-25625.patch \
file://CVE-2020-29443.patch \
+ file://CVE-2021-20221.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
new file mode 100644
index 0000000000..46c9ab4184
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
@@ -0,0 +1,67 @@
+From edfe2eb4360cde4ed5d95bda7777edcb3510f76a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Sun, 31 Jan 2021 11:34:01 +0100
+Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Per the ARM Generic Interrupt Controller Architecture specification
+(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
+not 10:
+
+ - 4.3 Distributor register descriptions
+ - 4.3.15 Software Generated Interrupt Register, GICD_SG
+
+ - Table 4-21 GICD_SGIR bit assignments
+
+ The Interrupt ID of the SGI to forward to the specified CPU
+ interfaces. The value of this field is the Interrupt ID, in
+ the range 0-15, for example a value of 0b0011 specifies
+ Interrupt ID 3.
+
+Correct the irq mask to fix an undefined behavior (which eventually
+lead to a heap-buffer-overflow, see [Buglink]):
+
+ $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
+ [I 1612088147.116987] OPENED
+ [R +0.278293] writel 0x8000f00 0xff4affb0
+ ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
+ SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
+
+This fixes a security issue when running with KVM on Arm with
+kernel-irqchip=off. (The default is kernel-irqchip=on, which is
+unaffected, and which is also the correct choice for performance.)
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20221
+Fixes: 9ee6e8bb853 ("ARMv7 support.")
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20210131103401.217160-1-f4bug@amsat.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-20221
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/intc/arm_gic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/intc/arm_gic.c
+===================================================================
+--- qemu-4.2.0.orig/hw/intc/arm_gic.c
++++ qemu-4.2.0/hw/intc/arm_gic.c
+@@ -1455,7 +1455,7 @@ static void gic_dist_writel(void *opaque
+ int target_cpu;
+
+ cpu = gic_get_current_cpu(s);
+- irq = value & 0x3ff;
++ irq = value & 0xf;
+ switch ((value >> 24) & 3) {
+ case 0:
+ mask = (value >> 16) & ALL_CPU_MASK;
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 13/36] qemu: fix CVE-2021-20181
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (11 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 12/36] qemu: Security fix CVE-2021-20221 Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 14/36] qemu: fix CVE-2021-3416 Steve Sakoman
` (22 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Sakib Sajal <sakib.sajal@windriver.com>
Source: Poky.org
MR: 111631
Type: Security Fix
Disposition: Backport from http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-devtools/qemu?h=hardknott&id=53390d2261d2d35cdd637cf12a0fb4dc63f0f88c
ChangeID: 0c660a9ef3637d847c0880283df05d8696221308
Description:
(From OE-Core rev: a993a379bb490efbbf507f5dccda5ab358e8afea)
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c2f79065ef0684f2c0bdb92f1b03e690ab730b8c)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 53390d2261d2d35cdd637cf12a0fb4dc63f0f88c)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-20181.patch | 81 +++++++++++++++++++
2 files changed, 82 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index ea654e0008..a61f69ba49 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -61,6 +61,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2020-25625.patch \
file://CVE-2020-29443.patch \
file://CVE-2021-20221.patch \
+ file://CVE-2021-20181.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
new file mode 100644
index 0000000000..1b8c77f838
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
@@ -0,0 +1,81 @@
+From c2d2d14e8deece958bbc4fc649d22c3564bc4e7e Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Thu, 14 Jan 2021 17:04:12 +0100
+Subject: [PATCH] 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
+
+Depending on the client activity, the server can be asked to open a huge
+number of file descriptors and eventually hit RLIMIT_NOFILE. This is
+currently mitigated using a reclaim logic : the server closes the file
+descriptors of idle fids, based on the assumption that it will be able
+to re-open them later. This assumption doesn't hold of course if the
+client requests the file to be unlinked. In this case, we loop on the
+entire fid list and mark all related fids as unreclaimable (the reclaim
+logic will just ignore them) and, of course, we open or re-open their
+file descriptors if needed since we're about to unlink the file.
+
+This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
+opening of a file can cause the coroutine to yield, another client
+request could possibly add a new fid that we may want to mark as
+non-reclaimable as well. The loop is thus restarted if the re-open
+request was actually transmitted to the backend. This is achieved
+by keeping a reference on the first fid (head) before traversing
+the list.
+
+This is wrong in several ways:
+- a potential clunk request from the client could tear the first
+ fid down and cause the reference to be stale. This leads to a
+ use-after-free error that can be detected with ASAN, using a
+ custom 9p client
+- fids are added at the head of the list : restarting from the
+ previous head will always miss fids added by a some other
+ potential request
+
+All these problems could be avoided if fids were being added at the
+end of the list. This can be achieved with a QSIMPLEQ, but this is
+probably too much change for a bug fix. For now let's keep it
+simple and just restart the loop from the current head.
+
+Fixes: CVE-2021-20181
+Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
+Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com>
+Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+Upstream-Status: Backport [89fbea8737e8f7b954745a1ffc4238d377055305]
+CVE: CVE-2021-20181
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/9pfs/9p.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 94df440fc..6026b51a1 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
+ {
+ int err;
+ V9fsState *s = pdu->s;
+- V9fsFidState *fidp, head_fid;
++ V9fsFidState *fidp;
+
+- head_fid.next = s->fid_list;
++again:
+ for (fidp = s->fid_list; fidp; fidp = fidp->next) {
+ if (fidp->path.size != path->size) {
+ continue;
+@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
+ * switched to the worker thread
+ */
+ if (err == 0) {
+- fidp = &head_fid;
++ goto again;
+ }
+ }
+ }
+--
+2.29.2
+
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 14/36] qemu: fix CVE-2021-3416
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (12 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 13/36] qemu: fix CVE-2021-20181 Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 15/36] qemu: fix CVE-2021-20257 Steve Sakoman
` (21 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Sakib Sajal <sakib.sajal@windriver.com>
Source: poky.org
MR: 109686
Type: Security Fix
Disposition: Backport from http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-devtools/qemu?h=hardknott&id=381aebe82f1f6fcc26b47966bc8520dbb1476961
ChangeID: 50b1589249cc3c595d224e3a8347da2b54339ef8
Description:
Drop CVE-2021-3416_4.patch as hw/net/msf2-emac.c does not exist in 4.2.0
(From OE-Core rev: 7a3ce8a79a6c682e1b38f757eb68534e0ce5589d)
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e2b5bc11d1b26b73b62e1a63cb75572793282dcb)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 381aebe82f1f6fcc26b47966bc8520dbb1476961)
[Drop CVE-2021-3416_4.patch, affected file does not exist in 4.2.0]
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 9 +
.../qemu/qemu/CVE-2021-3416_1.patch | 177 ++++++++++++++++++
.../qemu/qemu/CVE-2021-3416_10.patch | 41 ++++
.../qemu/qemu/CVE-2021-3416_2.patch | 42 +++++
.../qemu/qemu/CVE-2021-3416_3.patch | 43 +++++
.../qemu/qemu/CVE-2021-3416_5.patch | 42 +++++
.../qemu/qemu/CVE-2021-3416_6.patch | 40 ++++
.../qemu/qemu/CVE-2021-3416_7.patch | 42 +++++
.../qemu/qemu/CVE-2021-3416_8.patch | 44 +++++
.../qemu/qemu/CVE-2021-3416_9.patch | 41 ++++
10 files changed, 521 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index a61f69ba49..e64a6b2cb2 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -62,6 +62,15 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2020-29443.patch \
file://CVE-2021-20221.patch \
file://CVE-2021-20181.patch \
+ file://CVE-2021-3416_1.patch \
+ file://CVE-2021-3416_2.patch \
+ file://CVE-2021-3416_3.patch \
+ file://CVE-2021-3416_5.patch \
+ file://CVE-2021-3416_6.patch \
+ file://CVE-2021-3416_7.patch \
+ file://CVE-2021-3416_8.patch \
+ file://CVE-2021-3416_9.patch \
+ file://CVE-2021-3416_10.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
new file mode 100644
index 0000000000..5bacd67481
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
@@ -0,0 +1,177 @@
+From 4b1988a29d67277d6c8ce1df52975f5616592913 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 11:44:36 +0800
+Subject: [PATCH 01/10] net: introduce qemu_receive_packet()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some NIC supports loopback mode and this is done by calling
+nc->info->receive() directly which in fact suppresses the effort of
+reentrancy check that is done in qemu_net_queue_send().
+
+Unfortunately we can't use qemu_net_queue_send() here since for
+loopback there's no sender as peer, so this patch introduce a
+qemu_receive_packet() which is used for implementing loopback mode
+for a NIC with this check.
+
+NIC that supports loopback mode will be converted to this helper.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [705df5466c98f3efdd2b68d3b31dad86858acad7]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ include/net/net.h | 5 +++++
+ include/net/queue.h | 8 ++++++++
+ net/net.c | 38 +++++++++++++++++++++++++++++++-------
+ net/queue.c | 22 ++++++++++++++++++++++
+ 4 files changed, 66 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/net.h b/include/net/net.h
+index 778fc787c..03f058ecb 100644
+--- a/include/net/net.h
++++ b/include/net/net.h
+@@ -143,12 +143,17 @@ void *qemu_get_nic_opaque(NetClientState *nc);
+ void qemu_del_net_client(NetClientState *nc);
+ typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque);
+ void qemu_foreach_nic(qemu_nic_foreach func, void *opaque);
++int qemu_can_receive_packet(NetClientState *nc);
+ int qemu_can_send_packet(NetClientState *nc);
+ ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov,
+ int iovcnt);
+ ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov,
+ int iovcnt, NetPacketSent *sent_cb);
+ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size);
++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);
++ssize_t qemu_receive_packet_iov(NetClientState *nc,
++ const struct iovec *iov,
++ int iovcnt);
+ ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size);
+ ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf,
+ int size, NetPacketSent *sent_cb);
+diff --git a/include/net/queue.h b/include/net/queue.h
+index c0269bb1d..9f2f289d7 100644
+--- a/include/net/queue.h
++++ b/include/net/queue.h
+@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue,
+
+ void qemu_del_net_queue(NetQueue *queue);
+
++ssize_t qemu_net_queue_receive(NetQueue *queue,
++ const uint8_t *data,
++ size_t size);
++
++ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
++ const struct iovec *iov,
++ int iovcnt);
++
+ ssize_t qemu_net_queue_send(NetQueue *queue,
+ NetClientState *sender,
+ unsigned flags,
+diff --git a/net/net.c b/net/net.c
+index 6a2c3d956..5e15e5d27 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -528,6 +528,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be)
+ #endif
+ }
+
++int qemu_can_receive_packet(NetClientState *nc)
++{
++ if (nc->receive_disabled) {
++ return 0;
++ } else if (nc->info->can_receive &&
++ !nc->info->can_receive(nc)) {
++ return 0;
++ }
++ return 1;
++}
++
+ int qemu_can_send_packet(NetClientState *sender)
+ {
+ int vm_running = runstate_is_running();
+@@ -540,13 +551,7 @@ int qemu_can_send_packet(NetClientState *sender)
+ return 1;
+ }
+
+- if (sender->peer->receive_disabled) {
+- return 0;
+- } else if (sender->peer->info->can_receive &&
+- !sender->peer->info->can_receive(sender->peer)) {
+- return 0;
+- }
+- return 1;
++ return qemu_can_receive_packet(sender->peer);
+ }
+
+ static ssize_t filter_receive_iov(NetClientState *nc,
+@@ -679,6 +684,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
+ return qemu_send_packet_async(nc, buf, size, NULL);
+ }
+
++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
++{
++ if (!qemu_can_receive_packet(nc)) {
++ return 0;
++ }
++
++ return qemu_net_queue_receive(nc->incoming_queue, buf, size);
++}
++
++ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov,
++ int iovcnt)
++{
++ if (!qemu_can_receive_packet(nc)) {
++ return 0;
++ }
++
++ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt);
++}
++
+ ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size)
+ {
+ return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW,
+diff --git a/net/queue.c b/net/queue.c
+index 19e32c80f..c872d51df 100644
+--- a/net/queue.c
++++ b/net/queue.c
+@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue,
+ return ret;
+ }
+
++ssize_t qemu_net_queue_receive(NetQueue *queue,
++ const uint8_t *data,
++ size_t size)
++{
++ if (queue->delivering) {
++ return 0;
++ }
++
++ return qemu_net_queue_deliver(queue, NULL, 0, data, size);
++}
++
++ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
++ const struct iovec *iov,
++ int iovcnt)
++{
++ if (queue->delivering) {
++ return 0;
++ }
++
++ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt);
++}
++
+ ssize_t qemu_net_queue_send(NetQueue *queue,
+ NetClientState *sender,
+ unsigned flags,
+--
+2.29.2
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
new file mode 100644
index 0000000000..fdb4894e44
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
@@ -0,0 +1,41 @@
+From 65b851efd3d0280425c202f4e5880c48f8334dae Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 14:35:30 -0500
+Subject: [PATCH 10/10] lan9118: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [37cee01784ff0df13e5209517e1b3594a5e792d1]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/lan9118.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/net/lan9118.c
+===================================================================
+--- qemu-4.2.0.orig/hw/net/lan9118.c
++++ qemu-4.2.0/hw/net/lan9118.c
+@@ -667,7 +667,7 @@ static void do_tx_packet(lan9118_state *
+ /* FIXME: Honor TX disable, and allow queueing of packets. */
+ if (s->phy_control & 0x4000) {
+ /* This assumes the receive routine doesn't touch the VLANClient. */
+- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
++ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+ } else {
+ qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+ }
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
new file mode 100644
index 0000000000..5e53e20bac
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
@@ -0,0 +1,42 @@
+From e2a48a3c7cc33dbbe89f896e0f07462cb04ff6b5 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 12:13:22 +0800
+Subject: [PATCH 02/10] e1000: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [1caff0340f49c93d535c6558a5138d20d475315c]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/e1000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index d7d05ae30..cf22c4f07 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size)
+
+ NetClientState *nc = qemu_get_queue(s->nic);
+ if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) {
+- nc->info->receive(nc, buf, size);
++ qemu_receive_packet(nc, buf, size);
+ } else {
+ qemu_send_packet(nc, buf, size);
+ }
+--
+2.29.2
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
new file mode 100644
index 0000000000..3fc469e3e3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
@@ -0,0 +1,43 @@
+From c041a4da1ff119715e0ccf2d4a7af62568f17b93 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 12:57:40 +0800
+Subject: [PATCH 03/10] dp8393x: switch to use qemu_receive_packet() for
+ loopback packet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [331d2ac9ea307c990dc86e6493e8f0c48d14bb33]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/dp8393x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 205c0decc..533a8304d 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -506,7 +506,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
+ s->regs[SONIC_TCR] |= SONIC_TCR_CRSL;
+ if (nc->info->can_receive(nc)) {
+ s->loopback_packet = 1;
+- nc->info->receive(nc, s->tx_buffer, tx_len);
++ qemu_receive_packet(nc, s->tx_buffer, tx_len);
+ }
+ } else {
+ /* Transmit packet */
+--
+2.29.2
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
new file mode 100644
index 0000000000..93202ebcef
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
@@ -0,0 +1,42 @@
+From d465dc79c9ee729d91ef086b993e956b1935be69 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:14:35 +0800
+Subject: [PATCH 05/10] sungem: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [8c92060d3c0248bd4d515719a35922cd2391b9b4]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/sungem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/net/sungem.c
+===================================================================
+--- qemu-4.2.0.orig/hw/net/sungem.c
++++ qemu-4.2.0/hw/net/sungem.c
+@@ -305,7 +305,7 @@ static void sungem_send_packet(SunGEMSta
+ NetClientState *nc = qemu_get_queue(s->nic);
+
+ if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) {
+- nc->info->receive(nc, buf, size);
++ qemu_receive_packet(nc, buf, size);
+ } else {
+ qemu_send_packet(nc, buf, size);
+ }
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
new file mode 100644
index 0000000000..40b4bd96e7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
@@ -0,0 +1,40 @@
+From c0010f9b2bafe866fe32e3c2688454bc24147136 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:27:52 +0800
+Subject: [PATCH 06/10] tx_pkt: switch to use qemu_receive_packet_iov() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_receive_iov() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [8c552542b81e56ff532dd27ec6e5328954bdda73]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/net_tx_pkt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/net/net_tx_pkt.c
+===================================================================
+--- qemu-4.2.0.orig/hw/net/net_tx_pkt.c
++++ qemu-4.2.0/hw/net/net_tx_pkt.c
+@@ -544,7 +544,7 @@ static inline void net_tx_pkt_sendv(stru
+ NetClientState *nc, const struct iovec *iov, int iov_cnt)
+ {
+ if (pkt->is_loopback) {
+- nc->info->receive_iov(nc, iov, iov_cnt);
++ qemu_receive_packet_iov(nc, iov, iov_cnt);
+ } else {
+ qemu_sendv_packet(nc, iov, iov_cnt);
+ }
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
new file mode 100644
index 0000000000..b3b702cca4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
@@ -0,0 +1,42 @@
+From 64b38675c728354e4015e4bec3d975cd4cb8a981 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Fri, 26 Feb 2021 13:47:53 -0500
+Subject: [PATCH 07/10] rtl8139: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [5311fb805a4403bba024e83886fa0e7572265de4]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/rtl8139.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/net/rtl8139.c
+===================================================================
+--- qemu-4.2.0.orig/hw/net/rtl8139.c
++++ qemu-4.2.0/hw/net/rtl8139.c
+@@ -1793,7 +1793,7 @@ static void rtl8139_transfer_frame(RTL81
+ }
+
+ DPRINTF("+++ transmit loopback mode\n");
+- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
++ qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
+
+ if (iov) {
+ g_free(buf2);
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
new file mode 100644
index 0000000000..ed716468dc
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
@@ -0,0 +1,44 @@
+From 023ce62f0a788ad3a8233c7a828554bceeafd031 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 10:33:34 -0500
+Subject: [PATCH 08/10] pcnet: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/pcnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index f3f18d859..dcd3fc494 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1250,7 +1250,7 @@ txagain:
+ if (BCR_SWSTYLE(s) == 1)
+ add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
+ s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
+- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
++ qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
+ s->looptest = 0;
+ } else {
+ if (s->nic) {
+--
+2.29.2
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
new file mode 100644
index 0000000000..f4a985604e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
@@ -0,0 +1,41 @@
+From ecf7e62bb2cb02c9bd40082504ae376f3e19ffd2 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 14:33:43 -0500
+Subject: [PATCH 09/10] cadence_gem: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [e73adfbeec9d4e008630c814759052ed945c3fed]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/cadence_gem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: qemu-4.2.0/hw/net/cadence_gem.c
+===================================================================
+--- qemu-4.2.0.orig/hw/net/cadence_gem.c
++++ qemu-4.2.0/hw/net/cadence_gem.c
+@@ -1225,7 +1225,7 @@ static void gem_transmit(CadenceGEMState
+ /* Send the packet somewhere */
+ if (s->phy_loop || (s->regs[GEM_NWCTRL] &
+ GEM_NWCTRL_LOCALLOOP)) {
+- gem_receive(qemu_get_queue(s->nic), tx_packet,
++ qemu_receive_packet(qemu_get_queue(s->nic), tx_packet,
+ total_bytes);
+ } else {
+ qemu_send_packet(qemu_get_queue(s->nic), tx_packet,
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 15/36] qemu: fix CVE-2021-20257
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (13 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 14/36] qemu: fix CVE-2021-3416 Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 16/36] qemu: Security fix CVE-2021-3544 Steve Sakoman
` (20 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Sakib Sajal <sakib.sajal@windriver.com>
Source: https://git.yoctoproject.org/git/poky
MR: 110290
Type: Security Fix
Disposition: Backport from http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-devtools/qemu?h=hardknott&id=5c1a29e6deec8f92ac43363bd72439aec7e27721
ChangeID: 7f301e939cf9d1fdb826ac47d1fc96430086a68e
Description:
(From OE-Core rev: 5b66ff7972951db973d12f3dae6ccecf3bc29e56)
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 547ac986a74cfcae39b691ebb92aadc8436443ea)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5c1a29e6deec8f92ac43363bd72439aec7e27721)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-20257.patch | 55 +++++++++++++++++++
2 files changed, 56 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index e64a6b2cb2..1ddb373115 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -71,6 +71,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3416_8.patch \
file://CVE-2021-3416_9.patch \
file://CVE-2021-3416_10.patch \
+ file://CVE-2021-20257.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
new file mode 100644
index 0000000000..7175b24e99
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
@@ -0,0 +1,55 @@
+From affdf476543405045c281a7c67d1eaedbcea8135 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:45:28 +0800
+Subject: [PATCH] e1000: fail early for evil descriptor
+
+During procss_tx_desc(), driver can try to chain data descriptor with
+legacy descriptor, when will lead underflow for the following
+calculation in process_tx_desc() for bytes:
+
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
+
+This will lead a infinite loop. So check and fail early if tp->size if
+greater or equal to msh.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [3de46e6fc489c52c9431a8a832ad8170a7569bd8]
+CVE: CVE-2021-20257
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/e1000.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index cf22c4f07..c3564c7ce 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ msh = tp->tso_props.hdr_len + tp->tso_props.mss;
+ do {
+ bytes = split_size;
++ if (tp->size >= msh) {
++ goto eop;
++ }
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
+
+@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ tp->size += split_size;
+ }
+
++eop:
+ if (!(txd_lower & E1000_TXD_CMD_EOP))
+ return;
+ if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
+--
+2.29.2
+
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 16/36] qemu: Security fix CVE-2021-3544
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (14 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 15/36] qemu: fix CVE-2021-20257 Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 17/36] qemu: Security fixes CVE-2021-3545/6 Steve Sakoman
` (19 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: qemu.org
MR: 111833
Type: Security Fix
Disposition: Backport from https://gitlab.com/qemu-project/qemu/-/commit/86dd8fac..63736af5
ChangeID: 7f301e939cf9d1fdb826ac47d1fc96430086a68e
Description:
https://gitlab.com/qemu-project/qemu/-/commit/86dd8fac
https://gitlab.com/qemu-project/qemu/-/commit/b9f79858
https://gitlab.com/qemu-project/qemu/-/commit/b7afebcf
Tweeked the above patches as vhost-user-gpu.c does not exist.
https://gitlab.com/qemu-project/qemu/-/commit/f6091d86
https://gitlab.com/qemu-project/qemu/-/commit/63736af5
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 5 ++
.../qemu/qemu/CVE-2021-3544.patch | 29 ++++++++++++
.../qemu/qemu/CVE-2021-3544_2.patch | 39 +++++++++++++++
.../qemu/qemu/CVE-2021-3544_3.patch | 39 +++++++++++++++
.../qemu/qemu/CVE-2021-3544_4.patch | 46 ++++++++++++++++++
.../qemu/qemu/CVE-2021-3544_5.patch | 47 +++++++++++++++++++
6 files changed, 205 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 1ddb373115..90549136e5 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -72,6 +72,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3416_9.patch \
file://CVE-2021-3416_10.patch \
file://CVE-2021-20257.patch \
+ file://CVE-2021-3544.patch \
+ file://CVE-2021-3544_2.patch \
+ file://CVE-2021-3544_3.patch \
+ file://CVE-2021-3544_4.patch \
+ file://CVE-2021-3544_5.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch
new file mode 100644
index 0000000000..1b4fcbfb60
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch
@@ -0,0 +1,29 @@
+vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544)
+
+Call 'vugbm_buffer_destroy' in error path to avoid resource leak.
+
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-3-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+[vhost-user-gpu does not exist in 4.2.0]
+CVE: CVE-2021-3544
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
+@@ -328,6 +328,7 @@ vg_resource_create_2d(VuGpu *g,
+ g_critical("%s: resource creation failed %d %d %d",
+ __func__, c2d.resource_id, c2d.width, c2d.height);
+ g_free(res);
++ vugbm_buffer_destroy(&res->buffer);
+ cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
+ return;
+ }
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch
new file mode 100644
index 0000000000..36cbb127f8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch
@@ -0,0 +1,39 @@
+vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544)
+
+
+Check whether the 'res' has already been attach_backing to avoid
+memory leak.
+
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang <liq3ea@163.com>
+virtio-gpu fix: 204f01b3
+
+ ("virtio-gpu: fix memory leak
+ in resource attach backing")
+ Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
+ Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+ Message-Id: <20210516030403.107723-4-liq3ea@163.com>
+ Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+[vhost-user-gpu does not exist in 4.2.0 context]
+CVE: CVE-2021-3544
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
+@@ -468,6 +468,11 @@ vg_resource_attach_backing(VuGpu *g,
+ return;
+ }
+
++ if (res->iov) {
++ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
++ return;
++ }
++
+ ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov);
+ if (ret != 0) {
+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch
new file mode 100644
index 0000000000..c534f4c24f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch
@@ -0,0 +1,39 @@
+vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544)
+
+If the guest trigger following sequences, the attach_backing will be leaked:
+
+vg_resource_create_2d
+vg_resource_attach_backing
+vg_resource_unref
+
+This patch fix this by freeing 'res->iov' in vg_resource_destroy.
+
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang <liq3ea@163.com>
+virtio-gpu fix: 5e8e3c4c
+
+("virtio-gpu: fix resource leak
+in virgl_cmd_resource_unref")
+Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-5-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3544
+[vhost-user-gpu does not exist in the 4.2.0]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
+@@ -379,6 +379,7 @@ vg_resource_destroy(VuGpu *g,
+ }
+
+ vugbm_buffer_destroy(&res->buffer);
++ g_free(res->iov);
+ pixman_image_unref(res->image);
+ QTAILQ_REMOVE(&g->reslist, res, next);
+ g_free(res);
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch
new file mode 100644
index 0000000000..96e36eb854
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch
@@ -0,0 +1,46 @@
+vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544)
+
+The 'res->iov' will be leaked if the guest trigger following sequences:
+
+virgl_cmd_create_resource_2d
+virgl_resource_attach_backing
+virgl_cmd_resource_unref
+
+This patch fixes this.
+
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang <liq3ea@163.com>
+virtio-gpu fix: 5e8e3c4c
+
+("virtio-gpu: fix resource leak
+in virgl_cmd_resource_unref"
+Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-6-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3544
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+@@ -105,9 +105,16 @@ virgl_cmd_resource_unref(VuGpu *g,
+ struct virtio_gpu_ctrl_command *cmd)
+ {
+ struct virtio_gpu_resource_unref unref;
++ struct iovec *res_iovs = NULL;
++ int num_iovs = 0;
+
+ VUGPU_FILL_CMD(unref);
+
++ virgl_renderer_resource_detach_iov(unref.resource_id,
++ &res_iovs,
++ &num_iovs);
++ g_free(res_iovs);
++
+ virgl_renderer_resource_unref(unref.resource_id);
+ }
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch
new file mode 100644
index 0000000000..e592ce50e2
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch
@@ -0,0 +1,47 @@
+From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:01 -0700
+Subject: [PATCH] vhost-user-gpu: fix memory leak in
+ 'virgl_resource_attach_backing' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will
+be leaked.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak
+in resource attach backing")
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-7-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3544
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ contrib/vhost-user-gpu/virgl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+@@ -283,8 +283,11 @@ virgl_resource_attach_backing(VuGpu *g,
+ return;
+ }
+
+- virgl_renderer_resource_attach_iov(att_rb.resource_id,
++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
+ res_iovs, att_rb.nr_entries);
++ if (ret != 0) {
++ g_free(res_iovs);
++ }
+ }
+
+ static void
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 17/36] qemu: Security fixes CVE-2021-3545/6
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (15 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 16/36] qemu: Security fix CVE-2021-3544 Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 18/36] qemu: fix CVE-2021-3527 Steve Sakoman
` (18 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: qemu.org
MR: 111845, 111839
Type: Security Fix
Disposition: Backport from https://gitlab.com/qemu-project/qemu/-/commit/9f22893a & 121841b2
ChangeID: 111b168e0fe4d2a722158c6bfdaceb06a8789e69
Description:
Fixes: CVE-2021-3545 and CVE-2021-3546
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2021-3545.patch | 41 ++++++++++++++++
.../qemu/qemu/CVE-2021-3546.patch | 47 +++++++++++++++++++
3 files changed, 90 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 90549136e5..028b81ee34 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -77,6 +77,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3544_3.patch \
file://CVE-2021-3544_4.patch \
file://CVE-2021-3544_5.patch \
+ file://CVE-2021-3545.patch \
+ file://CVE-2021-3546.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch
new file mode 100644
index 0000000000..fcdda64437
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch
@@ -0,0 +1,41 @@
+From 121841b25d72d13f8cad554363138c360f1250ea Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:56 -0700
+Subject: [PATCH] vhost-user-gpu: fix memory disclosure in
+ virgl_cmd_get_capset_info (CVE-2021-3545)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Otherwise some of the 'resp' will be leaked to guest.
+
+Fixes: CVE-2021-3545
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak
+in getting capset info dispatch")
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-2-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3545
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ contrib/vhost-user-gpu/virgl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+@@ -132,6 +132,7 @@ virgl_cmd_get_capset_info(VuGpu *g,
+
+ VUGPU_FILL_CMD(info);
+
++ memset(&resp, 0, sizeof(resp));
+ if (info.capset_index == 0) {
+ resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
+ virgl_renderer_get_cap_set(resp.capset_id,
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch
new file mode 100644
index 0000000000..f8da428233
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch
@@ -0,0 +1,47 @@
+From 9f22893adcb02580aee5968f32baa2cd109b3ec2 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:02 -0700
+Subject: [PATCH] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset'
+ (CVE-2021-3546)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If 'virgl_cmd_get_capset' set 'max_size' to 0,
+the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
+This patch avoid this by checking the returned 'max_size'.
+
+virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check
+virgl capabilities max_size")
+
+Fixes: CVE-2021-3546
+Reported-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-8-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3546
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ contrib/vhost-user-gpu/virgl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+@@ -174,6 +174,10 @@ virgl_cmd_get_capset(VuGpu *g,
+
+ virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+ &max_size);
++ if (!max_size) {
++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
++ return;
++ }
+ resp = g_malloc0(sizeof(*resp) + max_size);
+
+ resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 18/36] qemu: fix CVE-2021-3527
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (16 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 17/36] qemu: Security fixes CVE-2021-3545/6 Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 19/36] qemu: fix CVE-2021-3582 Steve Sakoman
` (17 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Source: http://git.yoctoproject.org/cgit/poky.git
MR: 111827
Type: Security Fix
Disposition: Backport from http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-devtools/qemu?h=hardknott&id=45e06a2e02cb01540d3970bd8ab5771014a031f9
ChangeID: 33bb20f503888abc346ae1a6f590f57ebdd0f1f9
Description:
(cherry picked from commit 6774efd1e3d0bd5c8c34f84dcf4f698d7eafb36a)
(From OE-Core rev: fcbcd27a1c97668af9634143376f75ab32fffd68)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 45e06a2e02cb01540d3970bd8ab5771014a031f9)
[Fixup for Dunfell context]
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2021-3527-1.patch | 42 +++++++++++++
.../qemu/qemu/CVE-2021-3527-2.patch | 59 +++++++++++++++++++
3 files changed, 103 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 028b81ee34..78e487fc6f 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -79,6 +79,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3544_5.patch \
file://CVE-2021-3545.patch \
file://CVE-2021-3546.patch \
+ file://CVE-2021-3527-1.patch \
+ file://CVE-2021-3527-2.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
new file mode 100644
index 0000000000..77a5385692
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
@@ -0,0 +1,42 @@
+From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 May 2021 15:29:15 +0200
+Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527)
+
+usb-host and usb-redirect try to batch bulk transfers by combining many
+small usb packets into a single, large transfer request, to reduce the
+overhead and improve performance.
+
+This patch adds a size limit of 1 MiB for those combined packets to
+restrict the host resources the guest can bind that way.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
+
+Upstream-Status: Backport
+https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c
+CVE: CVE-2021-3527
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ hw/usb/combined-packet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
+index 5d57e883dc..e56802f89a 100644
+--- a/hw/usb/combined-packet.c
++++ b/hw/usb/combined-packet.c
+@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
+ if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
+ next == NULL ||
+ /* Work around for Linux usbfs bulk splitting + migration */
+- (totalsize == (16 * KiB - 36) && p->int_req)) {
++ (totalsize == (16 * KiB - 36) && p->int_req) ||
++ /* Next package may grow combined package over 1MiB */
++ totalsize > 1 * MiB - ep->max_packet_size) {
+ usb_device_handle_data(ep->dev, first);
+ assert(first->status == USB_RET_ASYNC);
+ if (first->combined) {
+--
+GitLab
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
new file mode 100644
index 0000000000..6371aced12
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
@@ -0,0 +1,59 @@
+From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 May 2021 15:29:12 +0200
+Subject: [PATCH] usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use autofree heap allocation instead.
+
+Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket")
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210503132915.2335822-3-kraxel@redhat.com>
+
+Upstream-Status: Backport
+https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
+CVE: CVE-2021-3527
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ hw/usb/redirect.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 17f06f3417..6a75b0dc4a 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p,
+ .endpoint = ep,
+ .length = p->iov.size
+ };
+- uint8_t buf[p->iov.size];
++ g_autofree uint8_t *buf = g_malloc(p->iov.size);
+ /* No id, we look at the ep when receiving a status back */
+ usb_packet_copy(p, buf, p->iov.size);
+ usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
+@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p,
+ usbredirparser_send_bulk_packet(dev->parser, p->id,
+ &bulk_packet, NULL, 0);
+ } else {
+- uint8_t buf[size];
++ g_autofree uint8_t *buf = g_malloc(size);
+ usb_packet_copy(p, buf, size);
+ usbredir_log_data(dev, "bulk data out:", buf, size);
+ usbredirparser_send_bulk_packet(dev->parser, p->id,
+@@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
+ USBPacket *p, uint8_t ep)
+ {
+ struct usb_redir_interrupt_packet_header interrupt_packet;
+- uint8_t buf[p->iov.size];
++ g_autofree uint8_t *buf = g_malloc(p->iov.size);
+
+ DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
+ p->iov.size, p->id);
+--
+GitLab
+
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 19/36] qemu: fix CVE-2021-3582
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (17 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 18/36] qemu: fix CVE-2021-3527 Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 20/36] qemu: fix CVE-2021-3607 Steve Sakoman
` (16 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Sakib Sajal <sakib.sajal@windriver.com>
Source: http://git.yoctoproject.org/cgit/poky.git
MR: 112743
Type: Security Fix
Disposition: Backport from http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-devtools/qemu?h=hardknott&id=e11384737ed489ea02800d545432b9ded82bf1bb
ChangeID: a2ff7112354349e8cf8960f30499f61e545d7f8e
Description:
(From OE-Core rev: fb2634922db91e5b877dd10021dafec7b5c6e565)
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e11384737ed489ea02800d545432b9ded82bf1bb)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3582.patch | 47 +++++++++++++++++++
2 files changed, 48 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 78e487fc6f..854a907216 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -81,6 +81,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3546.patch \
file://CVE-2021-3527-1.patch \
file://CVE-2021-3527-2.patch \
+ file://CVE-2021-3582.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch
new file mode 100644
index 0000000000..7a88e29384
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch
@@ -0,0 +1,47 @@
+From 284f191b4abad213aed04cb0458e1600fd18d7c4 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel@redhat.com>
+Date: Wed, 16 Jun 2021 14:06:00 +0300
+Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device
+ (CVE-2021-3582)
+
+Ensure mremap boundaries not trusting the guest kernel to
+pass the correct buffer length.
+
+Fixes: CVE-2021-3582
+Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+
+CVE: CVE-2021-3582
+Upstream-Status: Backport [284f191b4abad213aed04cb0458e1600fd18d7c4]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index f59879e257..da7ddfa548 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
+ return NULL;
+ }
+
++ length = ROUND_UP(length, TARGET_PAGE_SIZE);
++ if (nchunks * TARGET_PAGE_SIZE != length) {
++ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
++ (unsigned long)length);
++ return NULL;
++ }
++
+ dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
+ if (!dir) {
+ rdma_error_report("Failed to map to page directory");
+--
+2.25.1
+
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 20/36] qemu: fix CVE-2021-3607
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (18 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 19/36] qemu: fix CVE-2021-3582 Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 21/36] qemu: fix CVE-2021-3608 Steve Sakoman
` (15 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Sakib Sajal <sakib.sajal@windriver.com>
Source: http://git.yoctoproject.org/cgit/poky.git
MR: 112749
Type: Security Fix
Disposition: Backport from http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-devtools/qemu?h=hardknott&id=460485d774480cd89cadf3b068f5197f44d86f25
ChangeID: 4e40dee2e6ce0b5b4de971f2c2b336929e7f22c3
Description:
(From OE-Core rev: 764bca67650da9df439527796879dda767c8c008)
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 460485d774480cd89cadf3b068f5197f44d86f25)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3607.patch | 43 +++++++++++++++++++
2 files changed, 44 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 854a907216..6066418a7b 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -82,6 +82,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3527-1.patch \
file://CVE-2021-3527-2.patch \
file://CVE-2021-3582.patch \
+ file://CVE-2021-3607.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch
new file mode 100644
index 0000000000..0547c74484
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch
@@ -0,0 +1,43 @@
+From 32e5703cfea07c91e6e84bcb0313f633bb146534 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+Date: Wed, 30 Jun 2021 14:46:34 +0300
+Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607)
+
+Check the guest passed a non zero page count
+for pvrdma device ring buffers.
+
+Fixes: CVE-2021-3607
+Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210630114634.2168872-1-marcel@redhat.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+
+CVE: CVE-2021-3607
+Upstream-Status: Backport [32e5703cfea07c91e6e84bcb0313f633bb146534]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/rdma/vmw/pvrdma_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
+index 84ae8024fc..7c0c3551a8 100644
+--- a/hw/rdma/vmw/pvrdma_main.c
++++ b/hw/rdma/vmw/pvrdma_main.c
+@@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
+ uint64_t *dir, *tbl;
+ int rc = 0;
+
++ if (!num_pages) {
++ rdma_error_report("Ring pages count must be strictly positive");
++ return -EINVAL;
++ }
++
+ dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
+ if (!dir) {
+ rdma_error_report("Failed to map to page directory (ring %s)", name);
+--
+2.25.1
+
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 21/36] qemu: fix CVE-2021-3608
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (19 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 20/36] qemu: fix CVE-2021-3607 Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 22/36] rpm: Add fix for CVE-2021-20266 Steve Sakoman
` (14 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Sakib Sajal <sakib.sajal@windriver.com>
Source: http://git.yoctoproject.org/cgit/poky.git
MR: 112749
Type: Security Fix
Disposition: Backport from http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-devtools/qemu?h=hardknott&id=f5e77d70e2eb35751f5bad5572b6eb8a3ab14422
ChangeID: 4496341da3af9126c9c67170e1a2cce929c29828
Description:
(From OE-Core rev: 5e05ee8ff363eac84edec568039b86bcd716c6ce)
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f5e77d70e2eb35751f5bad5572b6eb8a3ab14422)
[Refreshed patch]
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3608.patch | 40 +++++++++++++++++++
2 files changed, 41 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 6066418a7b..c8c170dda0 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -83,6 +83,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3527-2.patch \
file://CVE-2021-3582.patch \
file://CVE-2021-3607.patch \
+ file://CVE-2021-3608.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch
new file mode 100644
index 0000000000..7055ec3d23
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch
@@ -0,0 +1,40 @@
+From 66ae37d8cc313f89272e711174a846a229bcdbd3 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+Date: Wed, 30 Jun 2021 14:52:46 +0300
+Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Do not unmap uninitialized dma addresses.
+
+Fixes: CVE-2021-3608
+Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210630115246.2178219-1-marcel@redhat.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+
+CVE: CVE-2021-3608
+Upstream-Status: Backport [66ae37d8cc313f89272e711174a846a229bcdbd3]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/rdma/vmw/pvrdma_dev_ring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/rdma/vmw/pvrdma_dev_ring.c
+===================================================================
+--- qemu-4.2.0.orig/hw/rdma/vmw/pvrdma_dev_ring.c
++++ qemu-4.2.0/hw/rdma/vmw/pvrdma_dev_ring.c
+@@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, c
+ atomic_set(&ring->ring_state->cons_head, 0);
+ */
+ ring->npages = npages;
+- ring->pages = g_malloc(npages * sizeof(void *));
++ ring->pages = g_malloc0(npages * sizeof(void *));
+
+ for (i = 0; i < npages; i++) {
+ if (!tbl[i]) {
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 22/36] rpm: Add fix for CVE-2021-20266
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (20 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 21/36] qemu: fix CVE-2021-3608 Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 23/36] binutils: Security fix for CVE-2021-3549 Steve Sakoman
` (13 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Adding fix for CVE-2021-20266
Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/pull/1587/commits/9646711891df851dfbf7ef54cc171574a0914b15]
Note: Hunk#2 and Hunk#3 refreshed to apply patch and match value of
dl_max variable to make it with current version
All Hunks are refreshed to solve patch-fuzz
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../rpm/files/CVE-2021-20266.patch | 109 ++++++++++++++++++
meta/recipes-devtools/rpm/rpm_4.14.2.1.bb | 1 +
2 files changed, 110 insertions(+)
create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-20266.patch
diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch b/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch
new file mode 100644
index 0000000000..f2fc47e321
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch
@@ -0,0 +1,109 @@
+From ebbf0f0133c498d229e94ecf2ed0b41d6e6a142a Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour <athena@invisiblethingslab.com>
+Date: Mon, 8 Feb 2021 16:05:01 -0500
+Subject: [PATCH] hdrblobInit() needs bounds checks too
+
+Users can pass untrusted data to hdrblobInit() and it must be robust
+against this.
+
+Backported from commit 8f4b3c3cab8922a2022b9e47c71f1ecf906077ef
+
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/pull/1587/commits/9646711891df851dfbf7ef54cc171574a0914b15]
+CVE: CVE-2021-20266
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ lib/header.c | 48 +++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 31 insertions(+), 17 deletions(-)
+
+diff --git a/lib/header.c b/lib/header.c
+index 5b09f8352..ad5b6dc57 100644
+--- a/lib/header.c
++++ b/lib/header.c
+@@ -11,6 +11,7 @@
+ #include "system.h"
+ #include <netdb.h>
+ #include <errno.h>
++#include <inttypes.h>
+ #include <rpm/rpmtypes.h>
+ #include <rpm/rpmstring.h>
+ #include "lib/header_internal.h"
+@@ -1890,6 +1891,25 @@ hdrblob hdrblobFree(hdrblob blob)
+ return NULL;
+ }
+
++static rpmRC hdrblobVerifyLengths(rpmTagVal regionTag, uint32_t il, uint32_t dl,
++ char **emsg) {
++ uint32_t il_max = HEADER_TAGS_MAX;
++ uint32_t dl_max = HEADER_DATA_MAX;
++ if (regionTag == RPMTAG_HEADERSIGNATURES) {
++ il_max = 32;
++ dl_max = 8192;
++ }
++ if (hdrchkRange(il_max, il)) {
++ rasprintf(emsg, _("hdr tags: BAD, no. of tags(%" PRIu32 ") out of range"), il);
++ return RPMRC_FAIL;
++ }
++ if (hdrchkRange(dl_max, dl)) {
++ rasprintf(emsg, _("hdr data: BAD, no. of bytes(%" PRIu32 ") out of range"), dl);
++ return RPMRC_FAIL;
++ }
++ return RPMRC_OK;
++}
++
+ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrblob blob, char **emsg)
+ {
+ int32_t block[4];
+@@ -1902,13 +1922,6 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
+ size_t nb;
+ rpmRC rc = RPMRC_FAIL; /* assume failure */
+ int xx;
+- int32_t il_max = HEADER_TAGS_MAX;
+- int32_t dl_max = HEADER_DATA_MAX;
+-
+- if (regionTag == RPMTAG_HEADERSIGNATURES) {
+- il_max = 32;
+- dl_max = 8192;
+- }
+
+ memset(block, 0, sizeof(block));
+ if ((xx = Freadall(fd, bs, blen)) != blen) {
+@@ -1921,15 +1934,9 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
+ goto exit;
+ }
+ il = ntohl(block[2]);
+- if (hdrchkRange(il_max, il)) {
+- rasprintf(emsg, _("hdr tags: BAD, no. of tags(%d) out of range"), il);
+- goto exit;
+- }
+ dl = ntohl(block[3]);
+- if (hdrchkRange(dl_max, dl)) {
+- rasprintf(emsg, _("hdr data: BAD, no. of bytes(%d) out of range"), dl);
++ if (hdrblobVerifyLengths(regionTag, il, dl, emsg))
+ goto exit;
+- }
+
+ nb = (il * sizeof(struct entryInfo_s)) + dl;
+ uc = sizeof(il) + sizeof(dl) + nb;
+@@ -1973,11 +1980,18 @@ rpmRC hdrblobInit(const void *uh, size_t uc,
+ struct hdrblob_s *blob, char **emsg)
+ {
+ rpmRC rc = RPMRC_FAIL;
+-
+ memset(blob, 0, sizeof(*blob));
++ if (uc && uc < 8) {
++ rasprintf(emsg, _("hdr length: BAD"));
++ goto exit;
++ }
++
+ blob->ei = (int32_t *) uh; /* discards const */
+- blob->il = ntohl(blob->ei[0]);
+- blob->dl = ntohl(blob->ei[1]);
++ blob->il = ntohl((uint32_t)(blob->ei[0]));
++ blob->dl = ntohl((uint32_t)(blob->ei[1]));
++ if (hdrblobVerifyLengths(regionTag, blob->il, blob->dl, emsg) != RPMRC_OK)
++ goto exit;
++
+ blob->pe = (entryInfo) &(blob->ei[2]);
+ blob->pvlen = sizeof(blob->il) + sizeof(blob->dl) +
+ (blob->il * sizeof(*blob->pe)) + blob->dl;
diff --git a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
index 018b2f8700..c93654aa8f 100644
--- a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
@@ -45,6 +45,7 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.14.x \
file://0001-Rip-out-partial-support-for-unused-MD2-and-RIPEMD160.patch \
file://0001-rpmplugins.c-call-dlerror-prior-to-dlsym.patch \
file://CVE-2021-3421.patch \
+ file://CVE-2021-20266.patch \
"
PE = "1"
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 23/36] binutils: Security fix for CVE-2021-3549
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (21 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 22/36] rpm: Add fix for CVE-2021-20266 Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 24/36] binutils: Security fix for CVE-2020-16593 Steve Sakoman
` (12 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: git://sourceware.org/binutils-gdb.git
MR: 111523
Type: Security Fix
Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1cfcf3004e1830f8fe9112cfcd15285508d2c2b7
ChangeID: 2d3161f601852eb8f9a9ca982c6b0cd44e036bc6
Description:
Affects <= 2.36
Fixup Changelog to apply to dunfel context.
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../binutils/binutils-2.34.inc | 1 +
.../binutils/binutils/CVE-2021-3549.patch | 187 ++++++++++++++++++
2 files changed, 188 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
index 3e10279b1d..1c1118df54 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -48,5 +48,6 @@ SRC_URI = "\
file://CVE-2020-16598.patch \
file://CVE-2021-20197.patch \
file://CVE-2021-3487.patch \
+ file://CVE-2021-3549.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch
new file mode 100644
index 0000000000..4391db340a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch
@@ -0,0 +1,187 @@
+From 1cfcf3004e1830f8fe9112cfcd15285508d2c2b7 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 11 Feb 2021 16:56:42 +1030
+Subject: [PATCH] PR27290, PR27293, PR27295, various avr objdump fixes
+
+Adds missing sanity checks for avr device info note, to avoid
+potential buffer overflows. Uses bfd_malloc_and_get_section for
+sanity checking section size.
+
+ PR 27290
+ PR 27293
+ PR 27295
+ * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
+ Use bfd_malloc_and_get_section.
+ (elf32_avr_get_note_desc): Formatting. Return descsz. Sanity
+ check namesz. Return NULL if descsz is too small. Ensure
+ string table is terminated.
+ (elf32_avr_get_device_info): Formatting. Add note_size param.
+ Sanity check note.
+ (elf32_avr_dump_mem_usage): Adjust to suit.
+
+Upstream-Status: Backport
+CVE: CVE-2021-3549
+Signed-of-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog | 14 +++++++++
+ binutils/od-elf32_avr.c | 66 ++++++++++++++++++++++++++---------------
+ 2 files changed, 56 insertions(+), 24 deletions(-)
+
+Index: git/binutils/od-elf32_avr.c
+===================================================================
+--- git.orig/binutils/od-elf32_avr.c
++++ git/binutils/od-elf32_avr.c
+@@ -77,23 +77,29 @@ elf32_avr_filter (bfd *abfd)
+ return bfd_get_flavour (abfd) == bfd_target_elf_flavour;
+ }
+
+-static char*
++static char *
+ elf32_avr_get_note_section_contents (bfd *abfd, bfd_size_type *size)
+ {
+ asection *section;
++ bfd_byte *contents;
+
+- if ((section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo")) == NULL)
++ section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo");
++ if (section == NULL)
+ return NULL;
+
+- *size = bfd_section_size (section);
+- char *contents = (char *) xmalloc (*size);
+- bfd_get_section_contents (abfd, section, contents, 0, *size);
++ if (!bfd_malloc_and_get_section (abfd, section, &contents))
++ {
++ free (contents);
++ contents = NULL;
++ }
+
+- return contents;
++ *size = bfd_section_size (section);
++ return (char *) contents;
+ }
+
+-static char* elf32_avr_get_note_desc (bfd *abfd, char *contents,
+- bfd_size_type size)
++static char *
++elf32_avr_get_note_desc (bfd *abfd, char *contents, bfd_size_type size,
++ bfd_size_type *descsz)
+ {
+ Elf_External_Note *xnp = (Elf_External_Note *) contents;
+ Elf_Internal_Note in;
+@@ -107,42 +113,54 @@ static char* elf32_avr_get_note_desc (bf
+ if (in.namesz > contents - in.namedata + size)
+ return NULL;
+
++ if (in.namesz != 4 || strcmp (in.namedata, "AVR") != 0)
++ return NULL;
++
+ in.descsz = bfd_get_32 (abfd, xnp->descsz);
+ in.descdata = in.namedata + align_power (in.namesz, 2);
+- if (in.descsz != 0
+- && (in.descdata >= contents + size
+- || in.descsz > contents - in.descdata + size))
++ if (in.descsz < 6 * sizeof (uint32_t)
++ || in.descdata >= contents + size
++ || in.descsz > contents - in.descdata + size)
+ return NULL;
+
+- if (strcmp (in.namedata, "AVR") != 0)
+- return NULL;
++ /* If the note has a string table, ensure it is 0 terminated. */
++ if (in.descsz > 8 * sizeof (uint32_t))
++ in.descdata[in.descsz - 1] = 0;
+
++ *descsz = in.descsz;
+ return in.descdata;
+ }
+
+ static void
+ elf32_avr_get_device_info (bfd *abfd, char *description,
+- deviceinfo *device)
++ bfd_size_type desc_size, deviceinfo *device)
+ {
+ if (description == NULL)
+ return;
+
+ const bfd_size_type memory_sizes = 6;
+
+- memcpy (device, description, memory_sizes * sizeof(uint32_t));
+- device->name = NULL;
++ memcpy (device, description, memory_sizes * sizeof (uint32_t));
++ desc_size -= memory_sizes * sizeof (uint32_t);
++ if (desc_size < 8)
++ return;
+
+- uint32_t *stroffset_table = ((uint32_t *) description) + memory_sizes;
++ uint32_t *stroffset_table = (uint32_t *) description + memory_sizes;
+ bfd_size_type stroffset_table_size = bfd_get_32 (abfd, stroffset_table);
+- char *str_table = ((char *) stroffset_table) + stroffset_table_size;
+
+ /* If the only content is the size itself, there's nothing in the table */
+- if (stroffset_table_size == 4)
++ if (stroffset_table_size < 8)
+ return;
++ if (desc_size <= stroffset_table_size)
++ return;
++ desc_size -= stroffset_table_size;
+
+ /* First entry is the device name index. */
+ uint32_t device_name_index = bfd_get_32 (abfd, stroffset_table + 1);
++ if (device_name_index >= desc_size)
++ return;
+
++ char *str_table = (char *) stroffset_table + stroffset_table_size;
+ device->name = str_table + device_name_index;
+ }
+
+@@ -183,7 +201,7 @@ static void
+ elf32_avr_dump_mem_usage (bfd *abfd)
+ {
+ char *description = NULL;
+- bfd_size_type note_section_size = 0;
++ bfd_size_type sec_size, desc_size;
+
+ deviceinfo device = { 0, 0, 0, 0, 0, 0, NULL };
+ device.name = "Unknown";
+@@ -192,13 +210,13 @@ elf32_avr_dump_mem_usage (bfd *abfd)
+ bfd_size_type text_usage = 0;
+ bfd_size_type eeprom_usage = 0;
+
+- char *contents = elf32_avr_get_note_section_contents (abfd,
+- ¬e_section_size);
++ char *contents = elf32_avr_get_note_section_contents (abfd, &sec_size);
+
+ if (contents != NULL)
+ {
+- description = elf32_avr_get_note_desc (abfd, contents, note_section_size);
+- elf32_avr_get_device_info (abfd, description, &device);
++ description = elf32_avr_get_note_desc (abfd, contents, sec_size,
++ &desc_size);
++ elf32_avr_get_device_info (abfd, description, desc_size, &device);
+ }
+
+ elf32_avr_get_memory_usage (abfd, &text_usage, &data_usage,
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,17 @@
++2021-02-11 Alan Modra <amodra@gmail.com>
++
++ PR 27290
++ PR 27293
++ PR 27295
++ * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
++ Use bfd_malloc_and_get_section.
++ (elf32_avr_get_note_desc): Formatting. Return descsz. Sanity
++ check namesz. Return NULL if descsz is too small. Ensure
++ string table is terminated.
++ (elf32_avr_get_device_info): Formatting. Add note_size param.
++ Sanity check note.
++ (elf32_avr_dump_mem_usage): Adjust to suit.
++
+ 2020-02-01 Nick Clifton <nickc@redhat.com>
+
+ * configure: Regenerate.
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 24/36] binutils: Security fix for CVE-2020-16593
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (22 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 23/36] binutils: Security fix for CVE-2021-3549 Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 25/36] openssl: update from 1.1.1k to 1.1.1l Steve Sakoman
` (11 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: https://sourceware.org/git/binutils-gdb.git
MR: 112801
Type: Security Fix
Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aec72fda3b320c36eb99fc1c4cf95b10fc026729
ChangeID: 470b309f4859eecdcc837add2bf756484ad94ee5
Description:
Fixed up for 2.34 context
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../binutils/binutils-2.34.inc | 1 +
.../binutils/binutils/CVE-2020-16593.patch | 204 ++++++++++++++++++
2 files changed, 205 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
index 1c1118df54..6104bec591 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -49,5 +49,6 @@ SRC_URI = "\
file://CVE-2021-20197.patch \
file://CVE-2021-3487.patch \
file://CVE-2021-3549.patch \
+ file://CVE-2020-16593.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch
new file mode 100644
index 0000000000..cbe4a50507
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch
@@ -0,0 +1,204 @@
+From aec72fda3b320c36eb99fc1c4cf95b10fc026729 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 16 Apr 2020 17:49:38 +0930
+Subject: [PATCH] PR25827, Null pointer dereferencing in scan_unit_for_symbols
+
+ PR 25827
+ * dwarf2.c (scan_unit_for_symbols): Wrap overlong lines. Don't
+ strdup(0).
+
+Upstream-Status: Backport
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aec72fda3b320c36eb99fc1c4cf95b10fc026729
+CVE: CVE-2020-16593
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -295,12 +295,12 @@ struct comp_unit
+ /* This data structure holds the information of an abbrev. */
+ struct abbrev_info
+ {
+- unsigned int number; /* Number identifying abbrev. */
+- enum dwarf_tag tag; /* DWARF tag. */
+- int has_children; /* Boolean. */
+- unsigned int num_attrs; /* Number of attributes. */
+- struct attr_abbrev *attrs; /* An array of attribute descriptions. */
+- struct abbrev_info *next; /* Next in chain. */
++ unsigned int number; /* Number identifying abbrev. */
++ enum dwarf_tag tag; /* DWARF tag. */
++ bfd_boolean has_children; /* TRUE if the abbrev has children. */
++ unsigned int num_attrs; /* Number of attributes. */
++ struct attr_abbrev * attrs; /* An array of attribute descriptions. */
++ struct abbrev_info * next; /* Next in chain. */
+ };
+
+ struct attr_abbrev
+@@ -1487,6 +1487,8 @@ struct varinfo
+ {
+ /* Pointer to previous variable in list of all variables */
+ struct varinfo *prev_var;
++ /* The offset of the varinfo from the start of the unit. */
++ bfd_uint64_t unit_offset;
+ /* Source location file name */
+ char *file;
+ /* Source location line number */
+@@ -1497,7 +1499,7 @@ struct varinfo
+ /* Where the symbol is defined */
+ asection *sec;
+ /* Is this a stack variable? */
+- unsigned int stack: 1;
++ bfd_boolean stack;
+ };
+
+ /* Return TRUE if NEW_LINE should sort after LINE. */
+@@ -2871,7 +2873,7 @@ lookup_symbol_in_variable_table (struct
+ struct varinfo* each;
+
+ for (each = unit->variable_table; each; each = each->prev_var)
+- if (each->stack == 0
++ if (! each->stack
+ && each->file != NULL
+ && each->name != NULL
+ && each->addr == addr
+@@ -3166,6 +3168,20 @@ read_rangelist (struct comp_unit *unit,
+ return TRUE;
+ }
+
++static struct varinfo *
++lookup_var_by_offset (bfd_uint64_t offset, struct varinfo * table)
++{
++ while (table)
++ {
++ if (table->unit_offset == offset)
++ return table;
++ table = table->prev_var;
++ }
++
++ return NULL;
++}
++
++
+ /* DWARF2 Compilation unit functions. */
+
+ /* Scan over each die in a comp. unit looking for functions to add
+@@ -3202,6 +3218,9 @@ scan_unit_for_symbols (struct comp_unit
+ bfd_vma low_pc = 0;
+ bfd_vma high_pc = 0;
+ bfd_boolean high_pc_relative = FALSE;
++ bfd_uint64_t current_offset;
++
++ current_offset = info_ptr - unit->info_ptr_unit;
+
+ /* PR 17512: file: 9f405d9d. */
+ if (info_ptr >= info_ptr_end)
+@@ -3234,12 +3253,13 @@ scan_unit_for_symbols (struct comp_unit
+ goto fail;
+ }
+
+- var = NULL;
+ if (abbrev->tag == DW_TAG_subprogram
+ || abbrev->tag == DW_TAG_entry_point
+ || abbrev->tag == DW_TAG_inlined_subroutine)
+ {
+ bfd_size_type amt = sizeof (struct funcinfo);
++
++ var = NULL;
+ func = (struct funcinfo *) bfd_zalloc (abfd, amt);
+ if (func == NULL)
+ goto fail;
+@@ -3268,13 +3288,15 @@ scan_unit_for_symbols (struct comp_unit
+ if (var == NULL)
+ goto fail;
+ var->tag = abbrev->tag;
+- var->stack = 1;
++ var->stack = TRUE;
+ var->prev_var = unit->variable_table;
+ unit->variable_table = var;
++ var->unit_offset = current_offset;
+ /* PR 18205: Missing debug information can cause this
+ var to be attached to an already cached unit. */
+ }
+-
++ else
++ var = NULL;
+ /* No inline function in scope at this nesting level. */
+ nested_funcs[nesting_level].func = 0;
+ }
+@@ -3362,6 +3384,33 @@ scan_unit_for_symbols (struct comp_unit
+ {
+ switch (attr.name)
+ {
++ case DW_AT_specification:
++ if (attr.u.val)
++ {
++ struct varinfo * spec_var;
++
++ spec_var = lookup_var_by_offset (attr.u.val,
++ unit->variable_table);
++ if (spec_var == NULL)
++ {
++ _bfd_error_handler (_("DWARF error: could not find "
++ "variable specification "
++ "at offset %lx"),
++ (unsigned long) attr.u.val);
++ break;
++ }
++
++ if (var->name == NULL)
++ var->name = spec_var->name;
++ if (var->file == NULL && spec_var->file != NULL)
++ var->file = strdup (spec_var->file);
++ if (var->line == 0)
++ var->line = spec_var->line;
++ if (var->sec == NULL)
++ var->sec = spec_var->sec;
++ }
++ break;
++
+ case DW_AT_name:
+ if (is_str_attr (attr.form))
+ var->name = attr.u.str;
+@@ -3378,7 +3427,7 @@ scan_unit_for_symbols (struct comp_unit
+
+ case DW_AT_external:
+ if (attr.u.val != 0)
+- var->stack = 0;
++ var->stack = FALSE;
+ break;
+
+ case DW_AT_location:
+@@ -3392,7 +3441,7 @@ scan_unit_for_symbols (struct comp_unit
+ if (attr.u.blk->data != NULL
+ && *attr.u.blk->data == DW_OP_addr)
+ {
+- var->stack = 0;
++ var->stack = FALSE;
+
+ /* Verify that DW_OP_addr is the only opcode in the
+ location, in which case the block size will be 1
+@@ -3888,7 +3937,7 @@ comp_unit_hash_info (struct dwarf2_debug
+ each_var = each_var->prev_var)
+ {
+ /* Skip stack vars and vars with no files or names. */
+- if (each_var->stack == 0
++ if (! each_var->stack
+ && each_var->file != NULL
+ && each_var->name != NULL)
+ /* There is no need to copy name string into hash table as
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2020-04-16 Alan Modra <amodra@gmail.com>
++
++ PR 25827
++ * dwarf2.c (scan_unit_for_symbols): Wrap overlong lines. Don't
++ strdup(0).
++
+ 2020-02-19 H.J. Lu <hongjiu.lu@intel.com>
+
+ PR binutils/25355
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 25/36] openssl: update from 1.1.1k to 1.1.1l
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (23 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 24/36] binutils: Security fix for CVE-2020-16593 Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 26/36] Use the label provided when formating a dos partition Steve Sakoman
` (10 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Mikko Rapeli <mikko.rapeli@bmw.de>
Changelog shows only security fixes for CVE-2021-3711 and CVE-2021-3712:
https://www.openssl.org/news/cl111.txt
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../openssl/{openssl_1.1.1k.bb => openssl_1.1.1l.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-connectivity/openssl/{openssl_1.1.1k.bb => openssl_1.1.1l.bb} (98%)
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1k.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
similarity index 98%
rename from meta/recipes-connectivity/openssl/openssl_1.1.1k.bb
rename to meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
index 5f281197c9..9412b19fa5 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1k.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
@@ -23,7 +23,7 @@ SRC_URI_append_class-nativesdk = " \
file://environment.d-openssl.sh \
"
-SRC_URI[sha256sum] = "892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5"
+SRC_URI[sha256sum] = "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1"
inherit lib_package multilib_header multilib_script ptest
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 26/36] Use the label provided when formating a dos partition
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (24 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 25/36] openssl: update from 1.1.1k to 1.1.1l Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 27/36] lzo: add CVE_PRODUCT Steve Sakoman
` (9 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: jbouchard <jeanbouch418@gmail.com>
Previously the bootimg-pcbios wic plugin was not respecting
the --label option provided from the wks file. The plugin
was setting the label to 'boot'. With this fix, the --label
option is use. If no option are specified, then the default
is 'boot'.
Signed-off-by: jbouchard <jeanbouch418@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0fd7a73c1bd2486b7a022f0f69bbcb2e0d9cb141)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
scripts/lib/wic/plugins/source/bootimg-pcbios.py | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/scripts/lib/wic/plugins/source/bootimg-pcbios.py b/scripts/lib/wic/plugins/source/bootimg-pcbios.py
index f2639e7004..32e47f1831 100644
--- a/scripts/lib/wic/plugins/source/bootimg-pcbios.py
+++ b/scripts/lib/wic/plugins/source/bootimg-pcbios.py
@@ -186,8 +186,10 @@ class BootimgPcbiosPlugin(SourcePlugin):
# dosfs image, created by mkdosfs
bootimg = "%s/boot%s.img" % (cr_workdir, part.lineno)
- dosfs_cmd = "mkdosfs -n boot -i %s -S 512 -C %s %d" % \
- (part.fsuuid, bootimg, blocks)
+ label = part.label if part.label else "boot"
+
+ dosfs_cmd = "mkdosfs -n %s -i %s -S 512 -C %s %d" % \
+ (label, part.fsuuid, bootimg, blocks)
exec_native_cmd(dosfs_cmd, native_sysroot)
mcopy_cmd = "mcopy -i %s -s %s/* ::/" % (bootimg, hdddir)
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 27/36] lzo: add CVE_PRODUCT
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (25 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 26/36] Use the label provided when formating a dos partition Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 28/36] utils: Reduce the number of calls to the "dirname" command Steve Sakoman
` (8 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Marta Rybczynska <rybczynska@gmail.com>
lzo was missing CVE_PRODUCT and related CVEs (at least CVE-2014-4607) were
not reported.
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 366cf8201e36df1ac836e49de04ccda1f763ca9e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/lzo/lzo_2.10.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-support/lzo/lzo_2.10.bb b/meta/recipes-support/lzo/lzo_2.10.bb
index 85b14b3c5c..f0c8631aea 100644
--- a/meta/recipes-support/lzo/lzo_2.10.bb
+++ b/meta/recipes-support/lzo/lzo_2.10.bb
@@ -18,6 +18,8 @@ SRC_URI[sha256sum] = "c0f892943208266f9b6543b3ae308fab6284c5c90e627931446fb49b42
inherit autotools ptest
+CVE_PRODUCT = "lzo oberhumer:lzo2"
+
EXTRA_OECONF = "--enable-shared"
do_install_ptest() {
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 28/36] utils: Reduce the number of calls to the "dirname" command
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (26 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 27/36] lzo: add CVE_PRODUCT Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 29/36] tcf-agent: fetching over git:// no longer works Steve Sakoman
` (7 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Oleksandr Popovych <opopovyc@cisco.com>
utils.bbclass contains create_cmdline_wrapper() function that
creates wrapper script with additional arguments for any passed
"$cmd" command, and uses several calls to "dirname".
Because "dirname" is an external command, in cases of lots of
calls to wrapped "$cmd", each call of "dirname" will incur
significant overhead.
There are three same calls to "dirname": one for saving it`s
output to "realdir" variable, and other two in "exec" command.
So last two "dirname" calls can be replaced with cached value
from "realdir" variable.
Signed-off-by: Oleksandr Popovych <opopovyc@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4b9cf2c80fd14386e0b88a2e6c40a9fa3f1ae0f7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/utils.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/utils.bbclass b/meta/classes/utils.bbclass
index cd3d05709e..99f68f7505 100644
--- a/meta/classes/utils.bbclass
+++ b/meta/classes/utils.bbclass
@@ -233,7 +233,7 @@ create_cmdline_wrapper () {
#!/bin/bash
realpath=\`readlink -fn \$0\`
realdir=\`dirname \$realpath\`
-exec -a \`dirname \$realpath\`/$cmdname \`dirname \$realpath\`/$cmdname.real $cmdoptions "\$@"
+exec -a \$realdir/$cmdname \$realdir/$cmdname.real $cmdoptions "\$@"
END
chmod +x $cmd
}
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 29/36] tcf-agent: fetching over git:// no longer works
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (27 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 28/36] utils: Reduce the number of calls to the "dirname" command Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 30/36] mklibs-native: drop deprecated cpp17 exceptions Steve Sakoman
` (6 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 44a6cd03721b51cbb4e05870375fa347527b0db5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/tcf-agent/tcf-agent_git.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb b/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb
index 44a0d227ec..60faf481c5 100644
--- a/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb
+++ b/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb
@@ -10,7 +10,7 @@ SRCREV = "a022ef2f1acfd9209a1bf792dda14ae4b0d1b60f"
PV = "1.7.0+git${SRCPV}"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))"
-SRC_URI = "git://git.eclipse.org/gitroot/tcf/org.eclipse.tcf.agent \
+SRC_URI = "git://git.eclipse.org/r/tcf/org.eclipse.tcf.agent.git;protocol=https \
file://fix_ranlib.patch \
file://ldflags.patch \
file://tcf-agent.init \
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 30/36] mklibs-native: drop deprecated cpp17 exceptions
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (28 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 29/36] tcf-agent: fetching over git:// no longer works Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 31/36] image_types: Restore pre-btrfs-tools 4.14.1 mkfs.btrfs shrink behavior Steve Sakoman
` (5 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Andrej Valek <andrej.valek@siemens.com>
gcc11 has -std=gnu++17 as default. Remove deprecated C++17 exceptions based
on http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2016/p0003r5.html.
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...ecated-exception-specification-cpp17.patch | 431 ++++++++++++++++++
.../mklibs/mklibs-native_0.1.44.bb | 1 +
2 files changed, 432 insertions(+)
create mode 100644 meta/recipes-devtools/mklibs/files/remove-deprecated-exception-specification-cpp17.patch
diff --git a/meta/recipes-devtools/mklibs/files/remove-deprecated-exception-specification-cpp17.patch b/meta/recipes-devtools/mklibs/files/remove-deprecated-exception-specification-cpp17.patch
new file mode 100644
index 0000000000..f96cc7d302
--- /dev/null
+++ b/meta/recipes-devtools/mklibs/files/remove-deprecated-exception-specification-cpp17.patch
@@ -0,0 +1,431 @@
+From 597c7a8333df84a87cc48fb8477b603ffbf372a6 Mon Sep 17 00:00:00 2001
+From: Andrej Valek <andrej.valek@siemens.com>
+Date: Mon, 23 Aug 2021 12:45:11 +0200
+Subject: [PATCH] feat(cpp17): remove deprecated exception specifications for
+ C++ 17
+
+Upstream-Status: Submitted [https://salsa.debian.org/installer-team/mklibs/-/merge_requests/2]
+
+based on: http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2016/p0003r5.html
+
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+---
+ src/mklibs-readelf/elf.cpp | 48 ++++++++++++++++++++---------------------
+ src/mklibs-readelf/elf.hpp | 18 ++++++++--------
+ src/mklibs-readelf/elf_data.hpp | 36 +++++++++++++++----------------
+ 3 files changed, 51 insertions(+), 51 deletions(-)
+
+diff --git a/src/mklibs-readelf/elf.cpp b/src/mklibs-readelf/elf.cpp
+index 0e4c0f3..2e6d0f6 100644
+--- a/src/mklibs-readelf/elf.cpp
++++ b/src/mklibs-readelf/elf.cpp
+@@ -36,7 +36,7 @@ file::~file () throw ()
+ delete *it;
+ }
+
+-file *file::open (const char *filename) throw (std::bad_alloc, std::runtime_error)
++file *file::open (const char *filename) throw ()
+ {
+ struct stat buf;
+ int fd;
+@@ -72,7 +72,7 @@ file *file::open (const char *filename) throw (std::bad_alloc, std::runtime_erro
+ }
+
+ template<typename _class>
+-file *file::open_class(uint8_t *mem, size_t len) throw (std::bad_alloc, std::runtime_error)
++file *file::open_class(uint8_t *mem, size_t len) throw ()
+ {
+ switch (mem[EI_DATA])
+ {
+@@ -86,7 +86,7 @@ file *file::open_class(uint8_t *mem, size_t len) throw (std::bad_alloc, std::run
+ }
+
+ template <typename _class, typename _data>
+-file_data<_class, _data>::file_data(uint8_t *mem, size_t len) throw (std::bad_alloc, std::runtime_error)
++file_data<_class, _data>::file_data(uint8_t *mem, size_t len) throw ()
+ : file(mem, len)
+ {
+ if (mem[EI_CLASS] != _class::id)
+@@ -190,7 +190,7 @@ section_data<_class, _data>::section_data(Shdr *shdr, uint8_t *mem) throw ()
+ }
+
+ template <typename _class, typename _data>
+-void section_data<_class, _data>::update(const file &file) throw (std::bad_alloc)
++void section_data<_class, _data>::update(const file &file) throw ()
+ {
+ const section_type<section_type_STRTAB> §ion =
+ dynamic_cast<const section_type<section_type_STRTAB> &>(file.get_section(file.get_shstrndx()));
+@@ -204,7 +204,7 @@ section_type<section_type_DYNAMIC>::~section_type() throw ()
+ }
+
+ template <typename _class, typename _data>
+-section_real<_class, _data, section_type_DYNAMIC>::section_real(Shdr *header, uint8_t *mem) throw (std::bad_alloc)
++section_real<_class, _data, section_type_DYNAMIC>::section_real(Shdr *header, uint8_t *mem) throw ()
+ : section_data<_class, _data>(header, mem)
+ {
+ if (this->type != SHT_DYNAMIC)
+@@ -221,7 +221,7 @@ section_real<_class, _data, section_type_DYNAMIC>::section_real(Shdr *header, ui
+ }
+
+ template <typename _class, typename _data>
+-void section_real<_class, _data, section_type_DYNAMIC>::update(const file &file) throw (std::bad_alloc)
++void section_real<_class, _data, section_type_DYNAMIC>::update(const file &file) throw ()
+ {
+ section_data<_class, _data>::update(file);
+
+@@ -243,7 +243,7 @@ section_type<section_type_DYNSYM>::~section_type() throw ()
+ }
+
+ template <typename _class, typename _data>
+-section_real<_class, _data, section_type_DYNSYM>::section_real(Shdr *header, uint8_t *mem) throw (std::bad_alloc)
++section_real<_class, _data, section_type_DYNSYM>::section_real(Shdr *header, uint8_t *mem) throw ()
+ : section_data<_class, _data>(header, mem)
+ {
+ if (this->type != SHT_DYNSYM)
+@@ -260,7 +260,7 @@ section_real<_class, _data, section_type_DYNSYM>::section_real(Shdr *header, uin
+ }
+
+ template <typename _class, typename _data>
+-void section_real<_class, _data, section_type_DYNSYM>::update(const file &file) throw (std::bad_alloc)
++void section_real<_class, _data, section_type_DYNSYM>::update(const file &file) throw ()
+ {
+ section_data<_class, _data>::update (file);
+
+@@ -285,7 +285,7 @@ const version_definition *section_type<section_type_GNU_VERDEF>::get_version_def
+ }
+
+ template <typename _class, typename _data>
+-section_real<_class, _data, section_type_GNU_VERDEF>::section_real(Shdr *header, uint8_t *mem) throw (std::bad_alloc)
++section_real<_class, _data, section_type_GNU_VERDEF>::section_real(Shdr *header, uint8_t *mem) throw ()
+ : section_data<_class, _data>(header, mem)
+ {
+ if (this->type != SHT_GNU_verdef)
+@@ -307,7 +307,7 @@ section_real<_class, _data, section_type_GNU_VERDEF>::section_real(Shdr *header,
+ }
+
+ template <typename _class, typename _data>
+-void section_real<_class, _data, section_type_GNU_VERDEF>::update(const file &file) throw (std::bad_alloc)
++void section_real<_class, _data, section_type_GNU_VERDEF>::update(const file &file) throw ()
+ {
+ section_data<_class, _data>::update(file);
+
+@@ -333,7 +333,7 @@ const version_requirement_entry *section_type<section_type_GNU_VERNEED>::get_ver
+
+ template <typename _class, typename _data>
+ section_real<_class, _data, section_type_GNU_VERNEED>::
+-section_real(Shdr *header, uint8_t *mem) throw (std::bad_alloc)
++section_real(Shdr *header, uint8_t *mem) throw ()
+ : section_data<_class, _data> (header, mem)
+ {
+ if (this->type != SHT_GNU_verneed)
+@@ -355,7 +355,7 @@ section_real(Shdr *header, uint8_t *mem) throw (std::bad_alloc)
+ }
+
+ template <typename _class, typename _data>
+-void section_real<_class, _data, section_type_GNU_VERNEED>::update(const file &file) throw (std::bad_alloc)
++void section_real<_class, _data, section_type_GNU_VERNEED>::update(const file &file) throw ()
+ {
+ section_data<_class, _data>::update(file);
+
+@@ -372,7 +372,7 @@ void section_real<_class, _data, section_type_GNU_VERNEED>::update(const file &f
+
+ template <typename _class, typename _data>
+ section_real<_class, _data, section_type_GNU_VERSYM>::
+-section_real (Shdr *header, uint8_t *mem) throw (std::bad_alloc)
++section_real (Shdr *header, uint8_t *mem) throw ()
+ : section_data<_class, _data> (header, mem)
+ {
+ if (this->type != SHT_GNU_versym)
+@@ -399,7 +399,7 @@ segment_data<_class, _data>::segment_data (Phdr *phdr, uint8_t *mem) throw ()
+ }
+
+ template <typename _class, typename _data>
+-segment_real<_class, _data, segment_type_INTERP>::segment_real (Phdr *header, uint8_t *mem) throw (std::bad_alloc)
++segment_real<_class, _data, segment_type_INTERP>::segment_real (Phdr *header, uint8_t *mem) throw ()
+ : segment_data<_class, _data> (header, mem)
+ {
+ if (this->type != PT_INTERP)
+@@ -429,13 +429,13 @@ dynamic_data<_class, _data>::dynamic_data (Dyn *dyn) throw ()
+ }
+
+ template <typename _class, typename _data>
+-void dynamic_data<_class, _data>::update_string(const section_type<section_type_STRTAB> §ion) throw (std::bad_alloc)
++void dynamic_data<_class, _data>::update_string(const section_type<section_type_STRTAB> §ion) throw ()
+ {
+ if (is_string)
+ val_string = section.get_string(val);
+ }
+
+-std::string symbol::get_version () const throw (std::bad_alloc)
++std::string symbol::get_version () const throw ()
+ {
+ if (verneed)
+ return verneed->get_name();
+@@ -445,7 +445,7 @@ std::string symbol::get_version () const throw (std::bad_alloc)
+ return "Base";
+ }
+
+-std::string symbol::get_version_file () const throw (std::bad_alloc)
++std::string symbol::get_version_file () const throw ()
+ {
+ if (verneed)
+ return verneed->get_file();
+@@ -453,7 +453,7 @@ std::string symbol::get_version_file () const throw (std::bad_alloc)
+ return "None";
+ }
+
+-std::string symbol::get_name_version () const throw (std::bad_alloc)
++std::string symbol::get_name_version () const throw ()
+ {
+ std::string ver;
+
+@@ -478,13 +478,13 @@ symbol_data<_class, _data>::symbol_data (Sym *sym) throw ()
+ }
+
+ template <typename _class, typename _data>
+-void symbol_data<_class, _data>::update_string(const section_type<section_type_STRTAB> §ion) throw (std::bad_alloc)
++void symbol_data<_class, _data>::update_string(const section_type<section_type_STRTAB> §ion) throw ()
+ {
+ name_string = section.get_string(name);
+ }
+
+ template <typename _class, typename _data>
+-void symbol_data<_class, _data>::update_version(const file &file, uint16_t index) throw (std::bad_alloc)
++void symbol_data<_class, _data>::update_version(const file &file, uint16_t index) throw ()
+ {
+ if (!file.get_section_GNU_VERSYM())
+ return;
+@@ -531,13 +531,13 @@ version_definition_data<_class, _data>::version_definition_data (Verdef *verdef)
+ }
+
+ template <typename _class, typename _data>
+-void version_definition_data<_class, _data>::update_string(const section_type<section_type_STRTAB> §ion) throw (std::bad_alloc)
++void version_definition_data<_class, _data>::update_string(const section_type<section_type_STRTAB> §ion) throw ()
+ {
+ for (std::vector<uint32_t>::iterator it = names.begin(); it != names.end(); ++it)
+ names_string.push_back(section.get_string(*it));
+ }
+
+-version_requirement::version_requirement() throw (std::bad_alloc)
++version_requirement::version_requirement() throw ()
+ : file_string("None")
+ { }
+
+@@ -561,7 +561,7 @@ version_requirement_data<_class, _data>::version_requirement_data (Verneed *vern
+
+ template <typename _class, typename _data>
+ void version_requirement_data<_class, _data>::
+-update_string(const section_type<section_type_STRTAB> §ion) throw (std::bad_alloc)
++update_string(const section_type<section_type_STRTAB> §ion) throw ()
+ {
+ file_string = section.get_string(file);
+
+@@ -596,7 +596,7 @@ version_requirement_entry_data(Vernaux *vna, const version_requirement &verneed)
+
+ template <typename _class, typename _data>
+ void version_requirement_entry_data<_class, _data>::
+-update_string(const section_type<section_type_STRTAB> §ion) throw (std::bad_alloc)
++update_string(const section_type<section_type_STRTAB> §ion) throw ()
+ {
+ name_string = section.get_string(name);
+ }
+diff --git a/src/mklibs-readelf/elf.hpp b/src/mklibs-readelf/elf.hpp
+index 70e61cd..afb0c9e 100644
+--- a/src/mklibs-readelf/elf.hpp
++++ b/src/mklibs-readelf/elf.hpp
+@@ -49,7 +49,7 @@ namespace Elf
+ const uint16_t get_shstrndx() const throw () { return shstrndx; }
+
+ const std::vector<section *> get_sections() const throw () { return sections; };
+- const section &get_section(unsigned int i) const throw (std::out_of_range) { return *sections.at(i); };
++ const section &get_section(unsigned int i) const throw () { return *sections.at(i); };
+ const section_type<section_type_DYNAMIC> *get_section_DYNAMIC() const throw () { return section_DYNAMIC; };
+ const section_type<section_type_DYNSYM> *get_section_DYNSYM() const throw () { return section_DYNSYM; };
+ const section_type<section_type_GNU_VERDEF> *get_section_GNU_VERDEF() const throw () { return section_GNU_VERDEF; };
+@@ -59,13 +59,13 @@ namespace Elf
+ const std::vector<segment *> get_segments() const throw () { return segments; };
+ const segment_type<segment_type_INTERP> *get_segment_INTERP() const throw () { return segment_INTERP; };
+
+- static file *open(const char *filename) throw (std::bad_alloc, std::runtime_error);
++ static file *open(const char *filename) throw ();
+
+ protected:
+- file(uint8_t *mem, size_t len) throw (std::bad_alloc) : mem(mem), len(len) { }
++ file(uint8_t *mem, size_t len) throw () : mem(mem), len(len) { }
+
+ template<typename _class>
+- static file *open_class(uint8_t *, size_t) throw (std::bad_alloc, std::runtime_error);
++ static file *open_class(uint8_t *, size_t) throw ();
+
+ uint16_t type;
+ uint16_t machine;
+@@ -128,7 +128,7 @@ namespace Elf
+ class section_type<section_type_STRTAB> : public virtual section
+ {
+ public:
+- std::string get_string(uint32_t offset) const throw (std::bad_alloc)
++ std::string get_string(uint32_t offset) const throw ()
+ {
+ return std::string(reinterpret_cast<const char *> (mem + offset));
+ }
+@@ -263,10 +263,10 @@ namespace Elf
+ uint8_t get_bind () const throw () { return bind; }
+ uint8_t get_type () const throw () { return type; }
+ const std::string &get_name_string() const throw () { return name_string; }
+- std::string get_version() const throw (std::bad_alloc);
+- std::string get_version_file() const throw (std::bad_alloc);
++ std::string get_version() const throw ();
++ std::string get_version_file() const throw ();
+ uint16_t get_version_data() const throw () { return versym; }
+- std::string get_name_version() const throw (std::bad_alloc);
++ std::string get_name_version() const throw ();
+
+ protected:
+ uint32_t name;
+@@ -305,7 +305,7 @@ namespace Elf
+ class version_requirement
+ {
+ public:
+- version_requirement() throw (std::bad_alloc);
++ version_requirement() throw ();
+ virtual ~version_requirement () throw () { }
+
+ const std::string &get_file() const throw () { return file_string; }
+diff --git a/src/mklibs-readelf/elf_data.hpp b/src/mklibs-readelf/elf_data.hpp
+index 05effee..3871982 100644
+--- a/src/mklibs-readelf/elf_data.hpp
++++ b/src/mklibs-readelf/elf_data.hpp
+@@ -94,7 +94,7 @@ namespace Elf
+ class file_data : public file
+ {
+ public:
+- file_data(uint8_t *, size_t len) throw (std::bad_alloc, std::runtime_error);
++ file_data(uint8_t *, size_t len) throw ();
+
+ const uint8_t get_class() const throw () { return _class::id; }
+ const uint8_t get_data() const throw () { return _data::id; }
+@@ -109,7 +109,7 @@ namespace Elf
+ public:
+ section_data(Shdr *, uint8_t *) throw ();
+
+- virtual void update(const file &) throw (std::bad_alloc);
++ virtual void update(const file &) throw ();
+ };
+
+ template <typename _class, typename _data, typename _type>
+@@ -133,9 +133,9 @@ namespace Elf
+ typedef typename _elfdef<_class>::Shdr Shdr;
+
+ public:
+- section_real(Shdr *, uint8_t *) throw (std::bad_alloc);
++ section_real(Shdr *, uint8_t *) throw ();
+
+- void update(const file &) throw (std::bad_alloc);
++ void update(const file &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -147,9 +147,9 @@ namespace Elf
+ typedef typename _elfdef<_class>::Shdr Shdr;
+
+ public:
+- section_real(Shdr *, uint8_t *) throw (std::bad_alloc);
++ section_real(Shdr *, uint8_t *) throw ();
+
+- void update(const file &) throw (std::bad_alloc);
++ void update(const file &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -161,9 +161,9 @@ namespace Elf
+ typedef typename _elfdef<_class>::Shdr Shdr;
+
+ public:
+- section_real(Shdr *, uint8_t *) throw (std::bad_alloc);
++ section_real(Shdr *, uint8_t *) throw ();
+
+- void update(const file &) throw (std::bad_alloc);
++ void update(const file &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -175,9 +175,9 @@ namespace Elf
+ typedef typename _elfdef<_class>::Shdr Shdr;
+
+ public:
+- section_real(Shdr *, uint8_t *) throw (std::bad_alloc);
++ section_real(Shdr *, uint8_t *) throw ();
+
+- void update(const file &) throw (std::bad_alloc);
++ void update(const file &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -189,7 +189,7 @@ namespace Elf
+ typedef typename _elfdef<_class>::Shdr Shdr;
+
+ public:
+- section_real(Shdr *, uint8_t *) throw (std::bad_alloc);
++ section_real(Shdr *, uint8_t *) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -220,7 +220,7 @@ namespace Elf
+ typedef typename _elfdef<_class>::Phdr Phdr;
+
+ public:
+- segment_real (Phdr *, uint8_t *) throw (std::bad_alloc);
++ segment_real (Phdr *, uint8_t *) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -232,7 +232,7 @@ namespace Elf
+ public:
+ dynamic_data (Dyn *) throw ();
+
+- void update_string(const section_type<section_type_STRTAB> &) throw (std::bad_alloc);
++ void update_string(const section_type<section_type_STRTAB> &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -244,8 +244,8 @@ namespace Elf
+ public:
+ symbol_data (Sym *) throw ();
+
+- void update_string(const section_type<section_type_STRTAB> &) throw (std::bad_alloc);
+- virtual void update_version (const file &, uint16_t) throw (std::bad_alloc);
++ void update_string(const section_type<section_type_STRTAB> &) throw ();
++ virtual void update_version (const file &, uint16_t) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -257,7 +257,7 @@ namespace Elf
+
+ version_definition_data (Verdef *) throw ();
+
+- void update_string(const section_type<section_type_STRTAB> &) throw (std::bad_alloc);
++ void update_string(const section_type<section_type_STRTAB> &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -269,7 +269,7 @@ namespace Elf
+
+ version_requirement_data (Verneed *) throw ();
+
+- void update_string(const section_type<section_type_STRTAB> &) throw (std::bad_alloc);
++ void update_string(const section_type<section_type_STRTAB> &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -280,7 +280,7 @@ namespace Elf
+
+ version_requirement_entry_data (Vernaux *, const version_requirement &) throw ();
+
+- void update_string(const section_type<section_type_STRTAB> &) throw (std::bad_alloc);
++ void update_string(const section_type<section_type_STRTAB> &) throw ();
+ };
+ }
+
+--
+2.11.0
+
diff --git a/meta/recipes-devtools/mklibs/mklibs-native_0.1.44.bb b/meta/recipes-devtools/mklibs/mklibs-native_0.1.44.bb
index 1784af1f4c..07142e57e0 100644
--- a/meta/recipes-devtools/mklibs/mklibs-native_0.1.44.bb
+++ b/meta/recipes-devtools/mklibs/mklibs-native_0.1.44.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://snapshot.debian.org/archive/debian/20180828T214102Z/pool/main/
file://avoid-failure-on-symbol-provided-by-application.patch \
file://show-GNU-unique-symbols-as-provided-symbols.patch \
file://fix_cross_compile.patch \
+ file://remove-deprecated-exception-specification-cpp17.patch \
"
SRC_URI[md5sum] = "6b6eeb9b4016c6a7317acc28c89e32cc"
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 31/36] image_types: Restore pre-btrfs-tools 4.14.1 mkfs.btrfs shrink behavior
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (29 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 30/36] mklibs-native: drop deprecated cpp17 exceptions Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 32/36] linux-yocto/5.4: update to v5.4.142 Steve Sakoman
` (4 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Marek Vasut <marex@denx.de>
Currently the mkfs.btrfs generates large images with a lot of wasted
space. This happens since OE-core updated btrfs-tools from 4.13.3 to
4.15.1 in commit 94b645aa77 ("btrfs-tools: update to 4.15.1") .
Note in mkfs.btrfs(8) manpage section -r says the following:
"
-r|--rootdir <rootdir>
...
Note This option may enlarge the image or file to ensure
it’s big enough to contain the files from rootdir. Since
version 4.14.1 the filesystem size is not minimized. Please
see option --shrink if you need that functionality.
--shrink
Shrink the filesystem to its minimal size, only works with
--rootdir option.
...
Note prior to version 4.14.1, the shrinking was done
automatically.
"
Add the --shrink option to EXTRA_IMAGECMD_btrfs to reinstate the
original behavior and un-waste the space.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>
Cc: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c4a99d36967302c176b62fad840b5e79486ea356)
Cc: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/image_types.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/image_types.bbclass b/meta/classes/image_types.bbclass
index ff42ac9423..6dc0e094d0 100644
--- a/meta/classes/image_types.bbclass
+++ b/meta/classes/image_types.bbclass
@@ -240,7 +240,7 @@ EXTRA_IMAGECMD_jffs2 ?= "--pad ${JFFS2_ENDIANNESS} --eraseblock=${JFFS2_ERASEBLO
EXTRA_IMAGECMD_ext2 ?= "-i 4096"
EXTRA_IMAGECMD_ext3 ?= "-i 4096"
EXTRA_IMAGECMD_ext4 ?= "-i 4096"
-EXTRA_IMAGECMD_btrfs ?= "-n 4096"
+EXTRA_IMAGECMD_btrfs ?= "-n 4096 --shrink"
EXTRA_IMAGECMD_f2fs ?= ""
do_image_cpio[depends] += "cpio-native:do_populate_sysroot"
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 32/36] linux-yocto/5.4: update to v5.4.142
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (30 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 31/36] image_types: Restore pre-btrfs-tools 4.14.1 mkfs.btrfs shrink behavior Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 33/36] qemurunner.py: print output from runqemu/qemu-system in stop() Steve Sakoman
` (3 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating linux-yocto/5.4 to the latest korg -stable release that comprises
the following commits:
c15b830f7c1c Linux 5.4.142
a17f2f2c8949 KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656)
7c1c96ffb658 KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)
456fd889227f iommu/vt-d: Fix agaw for a supported 48 bit guest address width
5b5f855a793c vmlinux.lds.h: Handle clang's module.{c,d}tor sections
e9b2b2b29ca8 ceph: take snap_empty_lock atomically with snaprealm refcount change
95ff775df6ec ceph: clean up locking annotation for ceph_get_snap_realm and __lookup_snap_realm
1d8c232afb03 ceph: add some lockdep assertions around snaprealm handling
a6ff0f3f9f90 KVM: VMX: Use current VMCS to query WAITPKG support for MSR emulation
ec25d05e1893 PCI/MSI: Protect msi_desc::masked for multi-MSI
48d2439c6f2a PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown()
386ead1d3598 PCI/MSI: Correct misleading comments
76d81dec16d0 PCI/MSI: Do not set invalid bits in MSI mask
6b4bcbf13390 PCI/MSI: Enforce MSI[X] entry updates to be visible
4495a41fbcd7 PCI/MSI: Enforce that MSI-X table entry is masked for update
1866c8f6d43c PCI/MSI: Mask all unused MSI-X entries
3b4220c2bf35 PCI/MSI: Enable and mask MSI-X early
0c8dea3fd55c genirq/timings: Prevent potential array overflow in __irq_timings_store()
4dfe80927102 genirq/msi: Ensure deactivation on teardown
e3e54a930073 x86/resctrl: Fix default monitoring groups reporting
a6b594ad7419 x86/ioapic: Force affinity setup before startup
db5e2666946a x86/msi: Force affinity setup before startup
eda32c21882c genirq: Provide IRQCHIP_AFFINITY_PRE_STARTUP
06b347743608 x86/tools: Fix objdump version check again
74451dd8bfca powerpc/kprobes: Fix kprobe Oops happens in booke
b74145d858a8 nbd: Aovid double completion of a request
ad9550114d4c vsock/virtio: avoid potential deadlock when vsock device remove
b9cd73cce50a xen/events: Fix race in set_evtchn_to_irq
4d3c5c319b19 net: igmp: increase size of mr_ifc_count
721ff564cc6a tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after 2B packets
2ce8a68a312c net: linkwatch: fix failure to restore device state across suspend/resume
33597972a2e9 net: bridge: fix memleak in br_add_if()
f6eee53beb07 net: dsa: sja1105: fix broken backpressure in .port_fdb_dump
1e6a570d3786 net: dsa: lantiq: fix broken backpressure in .port_fdb_dump
564f6bbd0ed6 net: dsa: lan9303: fix broken backpressure in .port_fdb_dump
a9243455e874 net: igmp: fix data-race in igmp_ifc_timer_expire()
ed957c77b391 net: Fix memory leak in ieee802154_raw_deliver
13a381b8bc22 net: dsa: microchip: Fix ksz_read64()
991117eeeee8 drm/meson: fix colour distortion from HDR set during vendor u-boot
e114f15de881 net/mlx5: Fix return value from tracer initialization
f99aa76bb83c psample: Add a fwd declaration for skbuff
9dc8e396c12e iavf: Set RSS LUT and key in reset handle path
23436edae3c9 net: sched: act_mirred: Reset ct info when mirror/redirect skb
9636fbfe7bdd ppp: Fix generating ifname when empty IFLA_IFNAME is specified
1c31ee907fde net: phy: micrel: Fix link detection on ksz87xx switch"
dfeb64f6e2ce platform/x86: pcengines-apuv2: Add missing terminating entries to gpio-lookup tables
699db2bb96ad platform/x86: pcengines-apuv2: revert wiring up simswitch GPIO as LED
af7f1539cfb1 net: dsa: mt7530: add the missing RxUnicast MIB counter
d353a61860a2 ASoC: cs42l42: Fix LRCLK frame start edge
b036452082f3 netfilter: nf_conntrack_bridge: Fix memory leak when error
cd36a36ea4ea ASoC: cs42l42: Remove duplicate control for WNF filter frequency
eb789cc9179f ASoC: cs42l42: Fix inversion of ADC Notch Switch control
6a3381336398 ASoC: cs42l42: Don't allow SND_SOC_DAIFMT_LEFT_J
55e86f07b85e ASoC: cs42l42: Correct definition of ADC Volume control
22d2e3c6a1b8 ieee802154: hwsim: fix GPF in hwsim_new_edge_nl
5bac8c2a3087 ieee802154: hwsim: fix GPF in hwsim_set_edge_lqi
ddcf807fbb70 libnvdimm/region: Fix label activation vs errors
bc97fde4c668 ACPI: NFIT: Fix support for virtual SPA ranges
a753e3f33405 ceph: reduce contention in ceph_check_delayed_caps()
aa04486c419d i2c: dev: zero out array used for i2c reads from userspace
c18b28e5ade8 ASoC: intel: atom: Fix reference to PCM buffer address
aab3fa544647 ASoC: xilinx: Fix reference to PCM buffer address
60e2854acf3b iio: adc: Fix incorrect exit of for-loop
bcac5225923b iio: humidity: hdc100x: Add margin to the conversion time
da7cb80905ec iio: adc: ti-ads7950: Ensure CS is deasserted after reading channels
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../linux/linux-yocto-rt_5.4.bb | 6 ++---
.../linux/linux-yocto-tiny_5.4.bb | 8 +++----
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +++++++++----------
3 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 53e6982619..69958c5631 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "e823f31a48749bf1d01a86c274fcec87fae1e5ba"
-SRCREV_meta ?= "71f799f448d405a35d88ecee0aba3ec2b198d542"
+SRCREV_machine ?= "b872fc896dcc555149f26c5dd683f7e6394852d6"
+SRCREV_meta ?= "719be4bd6c3c7575e7942dc016e3c3bb028f163d"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.4.141"
+LINUX_VERSION ?= "5.4.142"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 44a033d5cb..0178d172f8 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.4.141"
+LINUX_VERSION ?= "5.4.142"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "63d08f6ee3425e9d94eccf3a75a9ec4e474df916"
-SRCREV_machine ?= "05b2de44f781a297be454242d77f619189dfc6f4"
-SRCREV_meta ?= "71f799f448d405a35d88ecee0aba3ec2b198d542"
+SRCREV_machine_qemuarm ?= "4addf3f9e4f68bc7c03ea19ad95f2a4836ac9873"
+SRCREV_machine ?= "964802684eb1495bd1c5f625307b6d41515a3e9a"
+SRCREV_meta ?= "719be4bd6c3c7575e7942dc016e3c3bb028f163d"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 0e41d734df..7e35e082fb 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base"
KBRANCH_qemux86-64 ?= "v5.4/standard/base"
KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "91a35a54a7b2d4d558b3f8b24c39657a3ff71c7c"
-SRCREV_machine_qemuarm64 ?= "a8edc7f1b004c6fb56d142fba3e688ba2a051b54"
-SRCREV_machine_qemumips ?= "4f1c4fc19e8d2cb994dac34fb8bb32a7c776b318"
-SRCREV_machine_qemuppc ?= "7bb64db24c2b7bd2b6656036009bd71618eb125d"
-SRCREV_machine_qemuriscv64 ?= "13fa9f66484db2492ee09667f45ad3e52e5b35ac"
-SRCREV_machine_qemux86 ?= "13fa9f66484db2492ee09667f45ad3e52e5b35ac"
-SRCREV_machine_qemux86-64 ?= "13fa9f66484db2492ee09667f45ad3e52e5b35ac"
-SRCREV_machine_qemumips64 ?= "931ad0c17451151dd3ddfb27dc2e33965f90ce86"
-SRCREV_machine ?= "13fa9f66484db2492ee09667f45ad3e52e5b35ac"
-SRCREV_meta ?= "71f799f448d405a35d88ecee0aba3ec2b198d542"
+SRCREV_machine_qemuarm ?= "9b1b66b01c88cf5035d148f37c70b8215c8fde15"
+SRCREV_machine_qemuarm64 ?= "e91700bf8d8130226679954a8137c5f3fd54b81d"
+SRCREV_machine_qemumips ?= "332bc089f06636156b9d5b2a04228c03c680c6d0"
+SRCREV_machine_qemuppc ?= "1bf103767b96923aa6ca76e9e095b04c13ce93cd"
+SRCREV_machine_qemuriscv64 ?= "108b8b822e7bbba492deafe60ee86839291c3250"
+SRCREV_machine_qemux86 ?= "108b8b822e7bbba492deafe60ee86839291c3250"
+SRCREV_machine_qemux86-64 ?= "108b8b822e7bbba492deafe60ee86839291c3250"
+SRCREV_machine_qemumips64 ?= "7b31f99f9e245d029de7fb9e3480f7b00f846b8f"
+SRCREV_machine ?= "108b8b822e7bbba492deafe60ee86839291c3250"
+SRCREV_meta ?= "719be4bd6c3c7575e7942dc016e3c3bb028f163d"
# remap qemuarm to qemuarma15 for the 5.4 kernel
# KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.141"
+LINUX_VERSION ?= "5.4.142"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 33/36] qemurunner.py: print output from runqemu/qemu-system in stop()
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (31 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 32/36] linux-yocto/5.4: update to v5.4.142 Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 34/36] qemurunner.py: handle getOutput() having nothing to read Steve Sakoman
` (2 subsequent siblings)
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Alexander Kanavin <alex.kanavin@gmail.com>
This is done when starting up qemu has failed, but is not done
when qemu started ok, but fails later in QMP communication.
Output from runqemu does contain valuable information to find out
why, so rather than fix all the QMP fails to include it, let's just
print it in stop().
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6e2bf68e4401db747484c2c8ba0f77500b1d2d49)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oeqa/utils/qemurunner.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/lib/oeqa/utils/qemurunner.py b/meta/lib/oeqa/utils/qemurunner.py
index 79db2cc247..a9efb849d9 100644
--- a/meta/lib/oeqa/utils/qemurunner.py
+++ b/meta/lib/oeqa/utils/qemurunner.py
@@ -435,6 +435,8 @@ class QemuRunner:
if self.runqemu.poll() is None:
self.logger.debug("Sending SIGKILL to runqemu")
os.killpg(os.getpgid(self.runqemu.pid), signal.SIGKILL)
+ if not self.runqemu.stdout.closed:
+ self.logger.info("Output from runqemu:\n%s" % self.getOutput(self.runqemu.stdout))
self.runqemu.stdin.close()
self.runqemu.stdout.close()
self.runqemu_exited = True
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 34/36] qemurunner.py: handle getOutput() having nothing to read
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (32 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 33/36] qemurunner.py: print output from runqemu/qemu-system in stop() Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 35/36] parselogs.py: ignore intermittent CD/DVDROM identification failure Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 36/36] selftest: disable virgl headless test Steve Sakoman
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f4abfdeea175cfcadd6f73a69a676632ab4334a6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oeqa/utils/qemurunner.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/meta/lib/oeqa/utils/qemurunner.py b/meta/lib/oeqa/utils/qemurunner.py
index a9efb849d9..f7e5a3b3a6 100644
--- a/meta/lib/oeqa/utils/qemurunner.py
+++ b/meta/lib/oeqa/utils/qemurunner.py
@@ -120,7 +120,10 @@ class QemuRunner:
import fcntl
fl = fcntl.fcntl(o, fcntl.F_GETFL)
fcntl.fcntl(o, fcntl.F_SETFL, fl | os.O_NONBLOCK)
- return os.read(o.fileno(), 1000000).decode("utf-8")
+ try:
+ return os.read(o.fileno(), 1000000).decode("utf-8")
+ except BlockingIOError:
+ return ""
def handleSIGCHLD(self, signum, frame):
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 35/36] parselogs.py: ignore intermittent CD/DVDROM identification failure
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (33 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 34/36] qemurunner.py: handle getOutput() having nothing to read Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 36/36] selftest: disable virgl headless test Steve Sakoman
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
We don't use the CD/DVD ROM drive in any of our tests, but it
periodically fails discovery and that leads to a QA error:
[ 6.403477] ata3.00: failed to IDENTIFY (I/O error, err_mask=0x4)
The only way to disable the optical ROM drive in qemu is to use
the '-nodefaults' option, which disables the CDROM (among other things).
We can't be sure that none of our tests, or extended users are relying
on default devices, so using that option is more of a risk than adding
the message to our ignore list.
To date, no one has sent a patch to just disable the optical drive
(either in qemu or the BIOS), but that is something we could consider
in the future.
[YOCTO #14528]
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 143fc5504539c69752ca87717507c197a8920ce5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oeqa/runtime/cases/parselogs.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/lib/oeqa/runtime/cases/parselogs.py b/meta/lib/oeqa/runtime/cases/parselogs.py
index f703927660..88279c6013 100644
--- a/meta/lib/oeqa/runtime/cases/parselogs.py
+++ b/meta/lib/oeqa/runtime/cases/parselogs.py
@@ -97,6 +97,7 @@ ignore_errors = {
'qemux86' : [
'Failed to access perfctr msr (MSR',
'pci 0000:00:00.0: [Firmware Bug]: reg 0x..: invalid BAR (can\'t size)',
+ 'failed to IDENTIFY (I/O error, err_mask=0x4)',
] + qemux86_common,
'qemux86-64' : qemux86_common,
'qemumips' : [
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread* [OE-core][dunfell 36/36] selftest: disable virgl headless test
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
` (34 preceding siblings ...)
2021-08-28 18:11 ` [OE-core][dunfell 35/36] parselogs.py: ignore intermittent CD/DVDROM identification failure Steve Sakoman
@ 2021-08-28 18:11 ` Steve Sakoman
35 siblings, 0 replies; 37+ messages in thread
From: Steve Sakoman @ 2021-08-28 18:11 UTC (permalink / raw)
To: openembedded-core
From: Alexander Kanavin <alex.kanavin@gmail.com>
Crashes in mesa when using vgem kernel module (in the absence of real GPU)
have been observed in dunfell (they do not happen in master):
https://bugzilla.yoctoproject.org/show_bug.cgi?id=14527
Let's focus on making host-accelerated virtualized graphics work well in master
and upcoming releases (the issue is not seen there).
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oeqa/selftest/cases/runtime_test.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py
index 353d411681..1c935da919 100644
--- a/meta/lib/oeqa/selftest/cases/runtime_test.py
+++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
@@ -216,6 +216,7 @@ class TestImage(OESelftestTestCase):
Author: Alexander Kanavin <alex.kanavin@gmail.com>
"""
import subprocess, os
+ self.skipTest("Crashes in mesa observed with this test on dunfell: https://bugzilla.yoctoproject.org/show_bug.cgi?id=14527")
try:
content = os.listdir("/dev/dri")
if len([i for i in content if i.startswith('render')]) == 0:
--
2.25.1
^ permalink raw reply related [flat|nested] 37+ messages in thread