* [OE-core][dunfell 01/13] libxml2: backport fix for CVE-2022-23308
2022-03-21 22:29 [OE-core][dunfell 00/13] Patch review Steve Sakoman
@ 2022-03-21 22:29 ` Steve Sakoman
2022-03-21 22:29 ` [OE-core][dunfell 02/13] libxml2: move to gitlab.gnome.org Steve Sakoman
` (11 subsequent siblings)
12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-03-21 22:29 UTC (permalink / raw)
To: openembedded-core
From: Ralph Siemsen <ralph.siemsen@linaro.org>
Use-after-free of ID and IDREF attributes, which could result in denial
of service.
https://nvd.nist.gov/vuln/detail/CVE-2022-23308
CVE: CVE-2022-23308
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libxml/libxml2/CVE-2022-23308.patch | 204 ++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 +
2 files changed, 205 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch
new file mode 100644
index 0000000000..bf5604e81a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch
@@ -0,0 +1,204 @@
+From 8b66850de350f0fcd786ae776a65ba15a5999e50 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 8 Feb 2022 03:29:24 +0100
+Subject: [PATCH] Use-after-free of ID and IDREF attributes
+
+If a document is parsed with XML_PARSE_DTDVALID and without
+XML_PARSE_NOENT, the value of ID attributes has to be normalized after
+potentially expanding entities in xmlRemoveID. Otherwise, later calls
+to xmlGetID can return a pointer to previously freed memory.
+
+ID attributes which are empty or contain only whitespace after
+entity expansion are affected in a similar way. This is fixed by
+not storing such attributes in the ID table.
+
+The test to detect streaming mode when validating against a DTD was
+broken. In connection with the defects above, this could result in a
+use-after-free when using the xmlReader interface with validation.
+Fix detection of streaming mode to avoid similar issues. (This changes
+the expected result of a test case. But as far as I can tell, using the
+XML reader with XIncludes referencing the root document never worked
+properly, anyway.)
+
+All of these issues can result in denial of service. Using xmlReader
+with validation could result in disclosure of memory via the error
+channel, typically stderr. The security impact of xmlGetID returning
+a pointer to freed memory depends on the application. The typical use
+case of calling xmlGetID on an unmodified document is not affected.
+
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12a858989b14eed4e84e453059cd3ba340e]
+
+The upstream patch 652dd12a858989b14eed4e84e453059cd3ba340e has been modified
+to skip the patch to the testsuite result (result/XInclude/ns1.xml.rdr), as
+this particular test does not exist in v2.9.10 (it was added later).
+
+CVE: CVE-2022-23308
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+
+---
+ valid.c | 88 +++++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 55 insertions(+), 33 deletions(-)
+
+diff --git a/valid.c b/valid.c
+index 07963e7..ee75311 100644
+--- a/valid.c
++++ b/valid.c
+@@ -479,6 +479,35 @@ nodeVPop(xmlValidCtxtPtr ctxt)
+ return (ret);
+ }
+
++/**
++ * xmlValidNormalizeString:
++ * @str: a string
++ *
++ * Normalize a string in-place.
++ */
++static void
++xmlValidNormalizeString(xmlChar *str) {
++ xmlChar *dst;
++ const xmlChar *src;
++
++ if (str == NULL)
++ return;
++ src = str;
++ dst = str;
++
++ while (*src == 0x20) src++;
++ while (*src != 0) {
++ if (*src == 0x20) {
++ while (*src == 0x20) src++;
++ if (*src != 0)
++ *dst++ = 0x20;
++ } else {
++ *dst++ = *src++;
++ }
++ }
++ *dst = 0;
++}
++
+ #ifdef DEBUG_VALID_ALGO
+ static void
+ xmlValidPrintNode(xmlNodePtr cur) {
+@@ -2607,6 +2636,24 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
+ (xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \
+ xmlFree((char *)(str));
+
++static int
++xmlIsStreaming(xmlValidCtxtPtr ctxt) {
++ xmlParserCtxtPtr pctxt;
++
++ if (ctxt == NULL)
++ return(0);
++ /*
++ * These magic values are also abused to detect whether we're validating
++ * while parsing a document. In this case, userData points to the parser
++ * context.
++ */
++ if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) &&
++ (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1))
++ return(0);
++ pctxt = ctxt->userData;
++ return(pctxt->parseMode == XML_PARSE_READER);
++}
++
+ /**
+ * xmlFreeID:
+ * @not: A id
+@@ -2650,7 +2697,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+ if (doc == NULL) {
+ return(NULL);
+ }
+- if (value == NULL) {
++ if ((value == NULL) || (value[0] == 0)) {
+ return(NULL);
+ }
+ if (attr == NULL) {
+@@ -2681,7 +2728,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+ */
+ ret->value = xmlStrdup(value);
+ ret->doc = doc;
+- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
++ if (xmlIsStreaming(ctxt)) {
+ /*
+ * Operating in streaming mode, attr is gonna disappear
+ */
+@@ -2820,6 +2867,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
+ ID = xmlNodeListGetString(doc, attr->children, 1);
+ if (ID == NULL)
+ return(-1);
++ xmlValidNormalizeString(ID);
+
+ id = xmlHashLookup(table, ID);
+ if (id == NULL || id->attr != attr) {
+@@ -3009,7 +3057,7 @@ xmlAddRef(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+ * fill the structure.
+ */
+ ret->value = xmlStrdup(value);
+- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
++ if (xmlIsStreaming(ctxt)) {
+ /*
+ * Operating in streaming mode, attr is gonna disappear
+ */
+@@ -4028,8 +4076,7 @@ xmlValidateAttributeValue2(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ xmlChar *
+ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ xmlNodePtr elem, const xmlChar *name, const xmlChar *value) {
+- xmlChar *ret, *dst;
+- const xmlChar *src;
++ xmlChar *ret;
+ xmlAttributePtr attrDecl = NULL;
+ int extsubset = 0;
+
+@@ -4070,19 +4117,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ ret = xmlStrdup(value);
+ if (ret == NULL)
+ return(NULL);
+- src = value;
+- dst = ret;
+- while (*src == 0x20) src++;
+- while (*src != 0) {
+- if (*src == 0x20) {
+- while (*src == 0x20) src++;
+- if (*src != 0)
+- *dst++ = 0x20;
+- } else {
+- *dst++ = *src++;
+- }
+- }
+- *dst = 0;
++ xmlValidNormalizeString(ret);
+ if ((doc->standalone) && (extsubset == 1) && (!xmlStrEqual(value, ret))) {
+ xmlErrValidNode(ctxt, elem, XML_DTD_NOT_STANDALONE,
+ "standalone: %s on %s value had to be normalized based on external subset declaration\n",
+@@ -4114,8 +4149,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ xmlChar *
+ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
+ const xmlChar *name, const xmlChar *value) {
+- xmlChar *ret, *dst;
+- const xmlChar *src;
++ xmlChar *ret;
+ xmlAttributePtr attrDecl = NULL;
+
+ if (doc == NULL) return(NULL);
+@@ -4145,19 +4179,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
+ ret = xmlStrdup(value);
+ if (ret == NULL)
+ return(NULL);
+- src = value;
+- dst = ret;
+- while (*src == 0x20) src++;
+- while (*src != 0) {
+- if (*src == 0x20) {
+- while (*src == 0x20) src++;
+- if (*src != 0)
+- *dst++ = 0x20;
+- } else {
+- *dst++ = *src++;
+- }
+- }
+- *dst = 0;
++ xmlValidNormalizeString(ret);
+ return(ret);
+ }
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index ebb996c8dd..1b22e5672c 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -27,6 +27,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
file://CVE-2021-3537.patch \
file://CVE-2021-3518.patch \
file://CVE-2021-3541.patch \
+ file://CVE-2022-23308.patch \
"
SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
--
2.25.1
^ permalink raw reply related [flat|nested] 18+ messages in thread* [OE-core][dunfell 02/13] libxml2: move to gitlab.gnome.org
2022-03-21 22:29 [OE-core][dunfell 00/13] Patch review Steve Sakoman
2022-03-21 22:29 ` [OE-core][dunfell 01/13] libxml2: backport fix for CVE-2022-23308 Steve Sakoman
@ 2022-03-21 22:29 ` Steve Sakoman
2022-03-21 22:29 ` [OE-core][dunfell 03/13] re2c: backport fix for CVE-2018-21232 Steve Sakoman
` (10 subsequent siblings)
12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-03-21 22:29 UTC (permalink / raw)
To: openembedded-core
From: Ralph Siemsen <ralph.siemsen@linaro.org>
The project has migrated from www.xmlsoft.org to gitlab.gnome.org.
Update the homepage accordingly, and use gnomebase to construct the
download URL, rather than including it in SRC_URI explicitly.
Note that the download is now in .xz format rather than .gz, so the
sha256sum is updated accordingly. Post-decompression tarballs are
identical, so there is no change to the libxml2 code.
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8bc17ceb997f8f31a03e5f5efc41c03ef1df3add)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/libxml/libxml2_2.9.10.bb | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 1b22e5672c..976eeca1d4 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -1,6 +1,6 @@
SUMMARY = "XML C Parser Library and Toolkit"
DESCRIPTION = "The XML Parser Library allows for manipulation of XML files. Libxml2 exports Push and Pull type parser interfaces for both XML and HTML. It can do DTD validation at parse time, on a parsed document instance or with an arbitrary DTD. Libxml2 includes complete XPath, XPointer and Xinclude implementations. It also has a SAX like interface, which is designed to be compatible with Expat."
-HOMEPAGE = "http://www.xmlsoft.org/"
+HOMEPAGE = "https://gitlab.gnome.org/GNOME/libxml2"
BUGTRACKER = "http://bugzilla.gnome.org/buglist.cgi?product=libxml2"
SECTION = "libs"
LICENSE = "MIT"
@@ -11,8 +11,9 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=2044417e2e5006b65a8b9067b683fcf1 \
DEPENDS = "zlib virtual/libiconv"
-SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
- http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=testtar \
+inherit gnomebase
+
+SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=testtar \
file://libxml-64bit.patch \
file://runtest.patch \
file://run-ptest \
@@ -30,8 +31,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
file://CVE-2022-23308.patch \
"
-SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
-SRC_URI[libtar.sha256sum] = "aafee193ffb8fe0c82d4afef6ef91972cbaf5feea100edc2f262750611b4be1f"
+SRC_URI[archive.sha256sum] = "28a92f6ab1f311acf5e478564c49088ef0ac77090d9c719bbc5d518f1fe62eb9"
SRC_URI[testtar.md5sum] = "ae3d1ebe000a3972afa104ca7f0e1b4a"
SRC_URI[testtar.sha256sum] = "96151685cec997e1f9f3387e3626d61e6284d4d6e66e0e440c209286c03e9cc7"
--
2.25.1
^ permalink raw reply related [flat|nested] 18+ messages in thread* [OE-core][dunfell 03/13] re2c: backport fix for CVE-2018-21232
2022-03-21 22:29 [OE-core][dunfell 00/13] Patch review Steve Sakoman
2022-03-21 22:29 ` [OE-core][dunfell 01/13] libxml2: backport fix for CVE-2022-23308 Steve Sakoman
2022-03-21 22:29 ` [OE-core][dunfell 02/13] libxml2: move to gitlab.gnome.org Steve Sakoman
@ 2022-03-21 22:29 ` Steve Sakoman
2022-03-21 22:29 ` [OE-core][dunfell 04/13] qemu: backport fix for CVE-2020-13253 Steve Sakoman
` (9 subsequent siblings)
12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-03-21 22:29 UTC (permalink / raw)
To: openembedded-core
From: Davide Gardenal <davidegarde2000@gmail.com>
Backport commits from the following issue:
https://github.com/skvadrik/re2c/issues/219
CVE: CVE-2018-21232
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../re2c/re2c/CVE-2018-21232-1.patch | 347 ++++++++++++++++++
.../re2c/re2c/CVE-2018-21232-2.patch | 243 ++++++++++++
.../re2c/re2c/CVE-2018-21232-3.patch | 156 ++++++++
.../re2c/re2c/CVE-2018-21232-4.patch | 166 +++++++++
meta/recipes-support/re2c/re2c_1.0.1.bb | 6 +-
5 files changed, 917 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/re2c/re2c/CVE-2018-21232-1.patch
create mode 100644 meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch
create mode 100644 meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch
create mode 100644 meta/recipes-support/re2c/re2c/CVE-2018-21232-4.patch
diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-1.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-1.patch
new file mode 100644
index 0000000000..b7dcaefad3
--- /dev/null
+++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-1.patch
@@ -0,0 +1,347 @@
+From fd634998f813340768c333cdad638498602856e5 Mon Sep 17 00:00:00 2001
+From: Ulya Trofimovich <skvadrik@gmail.com>
+Date: Tue, 21 Apr 2020 21:28:32 +0100
+Subject: [PATCH] Rewrite recursion into iteration (Tarjan's SCC algorithm and
+ YYFILL states).
+
+This is to avoid stack overflow on large RE (especially on instrumented
+builds that have larger stack frames, like AddressSanitizer).
+
+Stack overflow reported by Agostino Sarubbo.
+Related to #219 "overflow-1.re test fails on system with small stack".
+
+Upstram-Status: Backport:
+https://github.com/skvadrik/re2c/commit/fd634998f813340768c333cdad638498602856e5
+
+CVE: CVE-2018-21232
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+diff --git a/src/dfa/fillpoints.cc b/src/dfa/fillpoints.cc
+--- a/src/dfa/fillpoints.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
++++ b/src/dfa/fillpoints.cc (date 1646929180243)
+@@ -5,151 +5,186 @@
+
+ #include "src/dfa/dfa.h"
+
+-namespace re2c
+-{
++
++/*
++ * note [finding strongly connected components of DFA]
++ *
++ * A slight modification of Tarjan's algorithm.
++ *
++ * The algorithm traverses the DFA in depth-first order. It maintains a stack
++ * of states that have already been visited but haven't been assigned to an SCC
++ * yet. For each state the algorithm calculates 'lowlink': index of the highest
++ * ancestor state reachable in one step from a descendant of this state.
++ * Lowlink is used to determine when a set of states should be popped off stack
++ * into a new SCC.
++ *
++ * We use lowlink to hold different kinds of information:
++ * - values in range [0 .. stack size] mean that the state is on stack (a
++ * link to a state with the smallest index reachable from this one)
++ * - SCC_UND means that this state has not been visited yet
++ * - SCC_INF means that this state has already been popped off stack
++ *
++ * We use stack size (rather than topological sort index) as a unique index of
++ * the state on stack. This is safe because the indices of states on stack are
++ * unique and less than the indices of states that have been popped off stack
++ * (SCC_INF).
++ */
++
++namespace re2c {
++ namespace {
+
+-static const size_t SCC_INF = std::numeric_limits<size_t>::max();
+-static const size_t SCC_UND = SCC_INF - 1;
++ static const size_t SCC_INF = std::numeric_limits<size_t>::max();
++ static const size_t SCC_UND = SCC_INF - 1;
+
+-static bool loopback(size_t node, size_t narcs, const size_t *arcs)
+-{
+- for (size_t i = 0; i < narcs; ++i)
+- {
+- if (arcs[i] == node)
+- {
+- return true;
+- }
+- }
+- return false;
+-}
++ static bool loopback(size_t state, size_t narcs, const size_t *arcs)
++ {
++ for (size_t i = 0; i < narcs; ++i) {
++ if (arcs[i] == state) return true;
++ }
++ return false;
++ }
+
+-/*
+- * node [finding strongly connected components of DFA]
+- *
+- * A slight modification of Tarjan's algorithm.
+- *
+- * The algorithm walks graph in deep-first order. It maintains a stack
+- * of nodes that have already been visited but haven't been assigned to
+- * SCC yet. For each node the algorithm calculates 'lowlink': index of
+- * the highest ancestor node reachable in one step from a descendant of
+- * the node. Lowlink is used to determine when a set of nodes should be
+- * popped off the stack into a new SCC.
+- *
+- * We use lowlink to hold different kinds of information:
+- * - values in range [0 .. stack size] mean that this node is on stack
+- * (link to a node with the smallest index reachable from this one)
+- * - SCC_UND means that this node has not been visited yet
+- * - SCC_INF means that this node has already been popped off stack
+- *
+- * We use stack size (rather than topological sort index) as unique index
+- * of a node on stack. This is safe because indices of nodes on stack are
+- * still unique and less than indices of nodes that have been popped off
+- * stack (SCC_INF).
+- *
+- */
+-static void scc(
+- const dfa_t &dfa,
+- std::stack<size_t> &stack,
+- std::vector<size_t> &lowlink,
+- std::vector<bool> &trivial,
+- size_t i)
+-{
+- const size_t link = stack.size();
+- lowlink[i] = link;
+- stack.push(i);
++ struct StackItem {
++ size_t state; // current state
++ size_t symbol; // next arc to be visited in this state
++ size_t link; // Tarjan's "lowlink"
++ };
++
++// Tarjan's algorithm
++ static void scc(const dfa_t &dfa, std::vector<bool> &trivial,
++ std::vector<StackItem> &stack_dfs)
++ {
++ std::vector<size_t> lowlink(dfa.states.size(), SCC_UND);
++ std::stack<size_t> stack;
++
++ StackItem x0 = {0, 0, 0};
++ stack_dfs.push_back(x0);
++
++ while (!stack_dfs.empty()) {
++ const size_t i = stack_dfs.back().state;
++ size_t c = stack_dfs.back().symbol;
++ size_t link = stack_dfs.back().link;
++ stack_dfs.pop_back();
++
++ const size_t *arcs = dfa.states[i]->arcs;
++
++ if (c == 0) {
++ // DFS recursive enter
++ //DASSERT(lowlink[i] == SCC_UND);
++ link = lowlink[i] = stack.size();
++ stack.push(i);
++ }
++ else {
++ // DFS recursive return (from one of successor states)
++ const size_t j = arcs[c - 1];
++ //DASSERT(lowlink[j] != SCC_UND);
++ lowlink[i] = std::min(lowlink[i], lowlink[j]);
++ }
+
+- const size_t *arcs = dfa.states[i]->arcs;
+- for (size_t c = 0; c < dfa.nchars; ++c)
+- {
+- const size_t j = arcs[c];
+- if (j != dfa_t::NIL)
+- {
+- if (lowlink[j] == SCC_UND)
+- {
+- scc(dfa, stack, lowlink, trivial, j);
+- }
+- if (lowlink[j] < lowlink[i])
+- {
+- lowlink[i] = lowlink[j];
+- }
+- }
+- }
++ // find the next successor state that hasn't been visited yet
++ for (; c < dfa.nchars; ++c) {
++ const size_t j = arcs[c];
++ if (j != dfa_t::NIL) {
++ if (lowlink[j] == SCC_UND) {
++ break;
++ }
++ lowlink[i] = std::min(lowlink[i], lowlink[j]);
++ }
++ }
+
+- if (lowlink[i] == link)
+- {
+- // SCC is non-trivial (has loops) iff it either:
+- // - consists of multiple nodes (they all must be interconnected)
+- // - consists of single node which loops back to itself
+- trivial[i] = i == stack.top()
+- && !loopback(i, dfa.nchars, arcs);
++ if (c < dfa.nchars) {
++ // recurse into the next successor state
++ StackItem x1 = {i, c + 1, link};
++ stack_dfs.push_back(x1);
++ StackItem x2 = {arcs[c], 0, SCC_UND};
++ stack_dfs.push_back(x2);
++ }
++ else if (lowlink[i] == link) {
++ // all successors have been visited
++ // SCC is non-trivial (has loops) if either:
++ // - it contains multiple interconnected states
++ // - it contains a single self-looping state
++ trivial[i] = i == stack.top() && !loopback(i, dfa.nchars, arcs);
+
+- size_t j;
+- do
+- {
+- j = stack.top();
+- stack.pop();
+- lowlink[j] = SCC_INF;
+- }
+- while (j != i);
+- }
+-}
++ for (;;) {
++ const size_t j = stack.top();
++ stack.pop();
++ lowlink[j] = SCC_INF;
++ if (i == j) break;
++ }
++ }
++ }
++ }
+
+-static void calc_fill(
+- const dfa_t &dfa,
+- const std::vector<bool> &trivial,
+- std::vector<size_t> &fill,
+- size_t i)
+-{
+- if (fill[i] == SCC_UND)
+- {
+- fill[i] = 0;
+- const size_t *arcs = dfa.states[i]->arcs;
+- for (size_t c = 0; c < dfa.nchars; ++c)
+- {
+- const size_t j = arcs[c];
+- if (j != dfa_t::NIL)
+- {
+- calc_fill(dfa, trivial, fill, j);
+- size_t max = 1;
+- if (trivial[j])
+- {
+- max += fill[j];
+- }
+- if (max > fill[i])
+- {
+- fill[i] = max;
+- }
+- }
+- }
+- }
+-}
+-
+-void fillpoints(const dfa_t &dfa, std::vector<size_t> &fill)
+-{
+- const size_t size = dfa.states.size();
+-
+- // find DFA states that belong to non-trivial SCC
+- std::stack<size_t> stack;
+- std::vector<size_t> lowlink(size, SCC_UND);
+- std::vector<bool> trivial(size, false);
+- scc(dfa, stack, lowlink, trivial, 0);
+-
+- // for each DFA state, calculate YYFILL argument:
+- // maximal path length to the next YYFILL state
+- fill.resize(size, SCC_UND);
+- calc_fill(dfa, trivial, fill, 0);
++ static void calc_fill(const dfa_t &dfa, const std::vector<bool> &trivial,
++ std::vector<StackItem> &stack_dfs, std::vector<size_t> &fill)
++ {
++ const size_t nstates = dfa.states.size();
++ fill.resize(nstates, SCC_UND);
++
++ StackItem x0 = {0, 0, SCC_INF};
++ stack_dfs.push_back(x0);
++
++ while (!stack_dfs.empty()) {
++ const size_t i = stack_dfs.back().state;
++ size_t c = stack_dfs.back().symbol;
++ stack_dfs.pop_back();
++
++ const size_t *arcs = dfa.states[i]->arcs;
++
++ if (c == 0) {
++ // DFS recursive enter
++ if (fill[i] != SCC_UND) continue;
++ fill[i] = 0;
++ }
++ else {
++ // DFS recursive return (from one of successor states)
++ const size_t j = arcs[c - 1];
++ //DASSERT(fill[i] != SCC_UND && fill[j] != SCC_UND);
++ fill[i] = std::max(fill[i], 1 + (trivial[j] ? fill[j] : 0));
++ }
++
++ // find the next successor state that hasn't been visited yet
++ for (; c < dfa.nchars; ++c) {
++ const size_t j = arcs[c];
++ if (j != dfa_t::NIL) break;
++ }
++
++ if (c < dfa.nchars) {
++ // recurse into the next successor state
++ StackItem x1 = {i, c + 1, SCC_INF};
++ stack_dfs.push_back(x1);
++ StackItem x2 = {arcs[c], 0, SCC_INF};
++ stack_dfs.push_back(x2);
++ }
++ }
+
+- // The following states must trigger YYFILL:
+- // - inital state
+- // - all states in non-trivial SCCs
+- // for other states, reset YYFILL argument to zero
+- for (size_t i = 1; i < size; ++i)
+- {
+- if (trivial[i])
+- {
+- fill[i] = 0;
+- }
+- }
+-}
++ // The following states must trigger YYFILL:
++ // - inital state
++ // - all states in non-trivial SCCs
++ // for other states, reset YYFILL argument to zero
++ for (size_t i = 1; i < nstates; ++i) {
++ if (trivial[i]) {
++ fill[i] = 0;
++ }
++ }
++ }
+
++ } // anonymous namespace
++
++ void fillpoints(const dfa_t &dfa, std::vector<size_t> &fill)
++ {
++ const size_t nstates = dfa.states.size();
++ std::vector<bool> trivial(nstates, false);
++ std::vector<StackItem> stack_dfs;
++ stack_dfs.reserve(nstates);
++
++ // find DFA states that belong to non-trivial SCC
++ scc(dfa, trivial, stack_dfs);
++
++ // for each DFA state, calculate YYFILL argument:
++ // maximal path length to the next YYFILL state
++ calc_fill(dfa, trivial, stack_dfs, fill);
++ }
++
+ } // namespace re2c
diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch
new file mode 100644
index 0000000000..820a6decbc
--- /dev/null
+++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch
@@ -0,0 +1,243 @@
+From 7b5643476bd99c994c4f51b8143f942982d85521 Mon Sep 17 00:00:00 2001
+From: Ulya Trofimovich <skvadrik@gmail.com>
+Date: Wed, 22 Apr 2020 22:37:24 +0100
+Subject: [PATCH] Rewrite recursion into iteration (fixed tags computation).
+
+This is to avoid stack overflow on large RE (especially on instrumented
+builds that have larger stack frames, like AddressSanitizer).
+
+Partial fix for #219 "overflow-1.re test fails on system with small stack".
+
+Upstream-Stauts: Backport:
+https://github.com/skvadrik/re2c/commit/7b5643476bd99c994c4f51b8143f942982d85521
+
+CVE: CVE-2018-21232
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+diff --git a/src/re/tag.cc b/src/re/tag.cc
+--- a/src/re/tag.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
++++ b/src/re/tag.cc (date 1646986908580)
+@@ -6,7 +6,7 @@
+ {
+
+ const size_t Tag::RIGHTMOST = std::numeric_limits<size_t>::max();
+-const size_t Tag::VARDIST = std::numeric_limits<size_t>::max();
++const uint32_t Tag::VARDIST = std::numeric_limits<uint32_t>::max();
+ const size_t Tag::FICTIVE = Tag::RIGHTMOST - 1;
+
+ } // namespace re2c
+
+
+diff --git a/src/re/tag.h b/src/re/tag.h
+--- a/src/re/tag.h (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
++++ b/src/re/tag.h (date 1646986922376)
+@@ -19,7 +19,7 @@
+ struct Tag
+ {
+ static const size_t RIGHTMOST;
+- static const size_t VARDIST;
++ static const uint32_t VARDIST;
+ static const size_t FICTIVE;
+
+ const std::string *name;
+
+
+diff --git a/src/re/fixed_tags.cc b/src/re/fixed_tags.cc
+--- a/src/re/fixed_tags.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
++++ b/src/re/fixed_tags.cc (date 1646991137317)
+@@ -7,78 +7,131 @@
+ #include "src/re/tag.h"
+
+ namespace re2c {
++namespace {
+
+ /* note [fixed and variable tags]
+ *
+- * If distance between two tags is constant (equal for all strings that
+- * match the given regexp), then lexer only needs to track one of them:
+- * the second tag equals the first tag plus static offset.
++ * If distance between two tags is constant (equal for all strings that match
++ * the given regexp), then lexer only needs to track one of them: the second
++ * tag equals the first tag plus static offset.
+ *
+- * However, this optimization is applied only to tags in top-level
+- * concatenation, because other tags may be uninitialized and we don't
+- * want to mess with conditional calculation of fixed tags.
+- *
++ * This optimization is applied only to tags in top-level concatenation,
++ * because in other cases the base tag may be NULL, and the calculation of
++ * the fixed tag value is not as simple as substracting a fixed offset.
+ * Furthermore, fixed tags are fobidden with generic API because it cannot
+- * express fixed offsets.
+- *
+- * Tags with history also cannot be fixed.
++ * express fixed offsets. M-tags (with history) also cannot be fixed.
+ *
+ * Another special case is fictive tags (those that exist only to impose
+- * hierarchical laws of POSIX disambiguation). We treat them as fixed
+- * in order to suppress code generation.
++ * hierarchical laws of POSIX disambiguation). We treat them as fixed in order
++ * to suppress code generation.
+ */
+
+-static void find_fixed_tags(RE *re, std::vector<Tag> &tags,
+- size_t &dist, size_t &base, bool toplevel)
++struct StackItem {
++ RE *re; // current sub-RE
++ uint32_t dist; // distance backup for alternative, unused for other RE
++ uint8_t succ; // index of the next successor to be visited
++ bool toplevel; // if this sub-RE is in top-level concatenation
++};
++
++static void find_fixed_tags(RESpec &spec, std::vector<StackItem> &stack, RE *re0)
+ {
+- switch (re->type) {
+- case RE::NIL: break;
+- case RE::SYM:
+- if (dist != Tag::VARDIST) ++dist;
+- break;
+- case RE::ALT: {
+- size_t d1 = dist, d2 = dist;
+- find_fixed_tags(re->alt.re1, tags, d1, base, false);
+- find_fixed_tags(re->alt.re2, tags, d2, base, false);
+- dist = (d1 == d2) ? d1 : Tag::VARDIST;
+- break;
+- }
+- case RE::CAT:
+- find_fixed_tags(re->cat.re2, tags, dist, base, toplevel);
+- find_fixed_tags(re->cat.re1, tags, dist, base, toplevel);
+- break;
+- case RE::ITER:
+- find_fixed_tags(re->iter.re, tags, dist, base, false);
+- dist = Tag::VARDIST;
+- break;
+- case RE::TAG: {
+- // see note [fixed and variable tags]
+- Tag &tag = tags[re->tag.idx];
+- if (fictive(tag)) {
+- tag.base = tag.dist = 0;
+- } else if (toplevel && dist != Tag::VARDIST && !history(tag)) {
+- tag.base = base;
+- tag.dist = dist;
+- } else if (toplevel) {
+- base = re->tag.idx;
+- dist = 0;
+- }
+- if (trailing(tag)) dist = 0;
+- break;
+- }
+- }
++ static const uint32_t VARDIST = Tag::VARDIST;
++ bool toplevel = spec.opts->input_api != INPUT_CUSTOM;
++
++ // base tag, intially the fake "rightmost tag" (the end of RE)
++ size_t base = Tag::RIGHTMOST;
++
++ // the distance to the nearest top-level tag to the right (base tag)
++ uint32_t dist = 0;
++
++ const StackItem i0 = {re0, VARDIST, 0, toplevel};
++ stack.push_back(i0);
++
++ while (!stack.empty()) {
++ const StackItem i = stack.back();
++ stack.pop_back();
++ RE *re = i.re;
++
++ if (re->type == RE::SYM) {
++ if (dist != VARDIST) ++dist;
++ }
++ else if (re->type == RE::ALT) {
++ if (i.succ == 0) {
++ // save the current distance on stack (from the alternative end
++ // to base) and recurse into the left sub-RE
++ StackItem k = {re, dist, 1, i.toplevel};
++ stack.push_back(k);
++ StackItem j = {re->alt.re1, VARDIST, 0, false};
++ stack.push_back(j);
++ }
++ else if (i.succ == 1) {
++ // save the current distance on stack (from the left sub-RE to
++ // base), reset distance to the distance popped from stack (from
++ // the alternative end to base), recurse into the right sub-RE
++ StackItem k = {re, dist, 2, i.toplevel};
++ stack.push_back(k);
++ StackItem j = {re->alt.re2, VARDIST, 0, false};
++ stack.push_back(j);
++ dist = i.dist;
++ }
++ else {
++ // both sub-RE visited, compare the distance on stack (from the
++ // left sub-RE to base) to the current distance (from the right
++ // sub-RE to base), if not equal set variable distance
++ dist = (i.dist == dist) ? i.dist : VARDIST;
++ }
++ }
++ else if (re->type == RE::ITER) {
++ if (i.succ == 0) {
++ // recurse into the sub-RE
++ StackItem k = {re, VARDIST, 1, i.toplevel};
++ stack.push_back(k);
++ StackItem j = {re->iter.re, VARDIST, 0, false};
++ stack.push_back(j);
++ }
++ else {
++ // sub-RE visited, assume unknown number of iterations
++ // TODO: find precise distance for fixed repetition counter
++ dist = VARDIST;
++ }
++ }
++ else if (re->type == RE::CAT) {
++ // the right sub-RE is pushed on stack after the left sub-RE and
++ // visited earlier (because distance is computed from right to left)
++ StackItem j1 = {re->cat.re1, VARDIST, 0, i.toplevel};
++ stack.push_back(j1);
++ StackItem j2 = {re->cat.re2, VARDIST, 0, i.toplevel};
++ stack.push_back(j2);
++ }
++ else if (re->type == RE::TAG) {
++ // see note [fixed and variable tags]
++ Tag &tag = spec.tags[re->tag.idx];
++ if (fictive(tag)) {
++ tag.base = tag.dist = 0;
++ }
++ else if (i.toplevel && dist != VARDIST && !history(tag)) {
++ tag.base = base;
++ tag.dist = dist;
++ }
++ else if (i.toplevel) {
++ base = re->tag.idx;
++ dist = 0;
++ }
++ if (trailing(tag)) {
++ dist = 0;
++ }
++ }
++ }
+ }
++
++} // anonymous namespace
+
+-void find_fixed_tags(RESpec &spec)
+-{
+- const bool generic = spec.opts->input_api == INPUT_CUSTOM;
+- std::vector<RE*>::iterator
+- i = spec.res.begin(),
+- e = spec.res.end();
+- for (; i != e; ++i) {
+- size_t base = Tag::RIGHTMOST, dist = 0;
+- find_fixed_tags(*i, spec.tags, dist, base, !generic);
+- }
+-}
++ void find_fixed_tags(RESpec &spec)
++ {
++ std::vector<StackItem> stack;
++ for (std::vector<RE*>::iterator i = spec.res.begin(); i != spec.res.end(); ++i) {
++ find_fixed_tags(spec, stack, *i);
++ }
++ }
+
+-} // namespace re2c
++} // namespace re2c
+\ No newline at end of file
diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch
new file mode 100644
index 0000000000..f942e21cba
--- /dev/null
+++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch
@@ -0,0 +1,156 @@
+From 4d9c809355b574f2a58eac119f5e076c48e4d1e2 Mon Sep 17 00:00:00 2001
+From: Ulya Trofimovich <skvadrik@gmail.com>
+Date: Thu, 23 Apr 2020 22:16:51 +0100
+Subject: [PATCH] Rewrite recursion into iteration (nullable RE).
+
+This is to avoid stack overflow on large RE (especially on instrumented
+builds that have larger stack frames, like AddressSanitizer).
+
+Partial fix for #219 "overflow-1.re test fails on system with small stack".
+
+Upstream-Status: Backport:
+https://github.com/skvadrik/re2c/commit/4d9c809355b574f2a58eac119f5e076c48e4d1e2
+
+CVE: CVE-2018-21232
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+diff --git a/src/re/nullable.cc b/src/re/nullable.cc
+--- a/src/re/nullable.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
++++ b/src/re/nullable.cc (date 1647253886226)
+@@ -9,43 +9,100 @@
+ #include "src/re/tag.h"
+
+ namespace re2c {
++ namespace {
++
++ struct StackItem {
++ const RE *re; // current sub-RE
++ uint8_t succ; // index of the next sucessor to be visited
++ };
+
+-static bool nullable(const RESpec &spec, const RE *re, bool &trail)
+-{
+- if (trail) return true;
++ static bool nullable(const RESpec &spec, std::vector<StackItem> &stack, const RE *re0)
++ {
++ // the "nullable" status of the last sub-RE visited by DFS
++ bool null = false;
+
+- switch (re->type) {
+- case RE::NIL: return true;
+- case RE::SYM: return false;
+- case RE::ITER:
+- return nullable(spec, re->iter.re, trail);
+- case RE::TAG:
+- trail |= trailing(spec.tags[re->tag.idx]);
+- return true;
+- case RE::ALT:
+- return nullable(spec, re->alt.re1, trail)
+- || nullable(spec, re->alt.re2, trail);
+- case RE::CAT:
+- return nullable(spec, re->cat.re1, trail)
+- && nullable(spec, re->cat.re2, trail);
+- }
+- return false; /* unreachable */
+-}
++ const StackItem i0 = {re0, 0};
++ stack.push_back(i0);
++
++ while (!stack.empty()) {
++ const StackItem i = stack.back();
++ stack.pop_back();
++
++ const RE *re = i.re;
++ if (re->type == RE::NIL) {
++ null = true;
++ }
++ else if (re->type == RE::SYM) {
++ null = false;
++ }
++ else if (re->type == RE::TAG) {
++ null = true;
+
+-/*
+- * warn about rules that match empty string
+- * (including rules with nonempty trailing context)
+- * false positives on partially self-shadowed rules like [^]?
+- */
+-void warn_nullable(const RESpec &spec, const std::string &cond)
+-{
+- const size_t nre = spec.res.size();
+- for (size_t i = 0; i < nre; ++i) {
+- bool trail = false;
+- if (nullable(spec, spec.res[i], trail)) {
+- spec.warn.match_empty_string(spec.rules[i].code->fline, cond);
+- }
+- }
+-}
++ // Trailing context is always in top-level concatenation, and sub-RE
++ // are visited from left to right. Since we are here, sub-RE to the
++ // left of the trailing context is nullable (otherwise we would not
++ // recurse into the right sub-RE), therefore the whole RE is nullable.
++ if (trailing(spec.tags[re->tag.idx])) {
++ //DASSERT(stack.size() == 1 && stack.back().re->type == RE::CAT);
++ stack.pop_back();
++ break;
++ }
++ }
++ else if (re->type == RE::ALT) {
++ if (i.succ == 0) {
++ // recurse into the left sub-RE
++ StackItem k = {re, 1};
++ stack.push_back(k);
++ StackItem j = {re->alt.re1, 0};
++ stack.push_back(j);
++ }
++ else if (!null) {
++ // if the left sub-RE is nullable, so is alternative, so stop
++ // recursion; otherwise recurse into the right sub-RE
++ StackItem j = {re->alt.re2, 0};
++ stack.push_back(j);
++ }
++ }
++ else if (re->type == RE::CAT) {
++ if (i.succ == 0) {
++ // recurse into the left sub-RE
++ StackItem k = {re, 1};
++ stack.push_back(k);
++ StackItem j = {re->cat.re1, 0};
++ stack.push_back(j);
++ }
++ else if (null) {
++ // if the left sub-RE is not nullable, neither is concatenation,
++ // so stop recursion; otherwise recurse into the right sub-RE
++ StackItem j = {re->cat.re2, 0};
++ stack.push_back(j);
++ }
++ }
++ else if (re->type == RE::ITER) {
++ // iteration is nullable if the sub-RE is nullable
++ // (zero repetitions is represented with alternative)
++ StackItem j = {re->iter.re, 0};
++ stack.push_back(j);
++ }
++ }
++
++ //DASSERT(stack.empty());
++ return null;
++ }
++
++ } // anonymous namespace
++
++// Warn about rules that match empty string (including rules with nonempty
++// trailing context). False positives on partially self-shadowed rules like [^]?
++ void warn_nullable(const RESpec &spec, const std::string &cond)
++ {
++ std::vector<StackItem> stack;
++ const size_t nre = spec.res.size();
++ for (size_t i = 0; i < nre; ++i) {
++ if (nullable(spec, stack, spec.res[i])) {
++ spec.warn.match_empty_string(spec.rules[i].code->fline, cond);
++ }
++ }
++ }
+
+ } // namespace re2c
diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-4.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-4.patch
new file mode 100644
index 0000000000..ee8d84b1bc
--- /dev/null
+++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-4.patch
@@ -0,0 +1,166 @@
+From 89be91f3df00657261870adbc590209fdb2bc405 Mon Sep 17 00:00:00 2001
+From: Ulya Trofimovich <skvadrik@gmail.com>
+Date: Thu, 23 Apr 2020 23:02:21 +0100
+Subject: [PATCH] Rewrite recursion into iteration (estimation of NFA size for
+ RE).
+
+This is to avoid stack overflow on large RE (especially on instrumented
+builds that have larger stack frames, like AddressSanitizer).
+
+Partial fix for #219 "overflow-1.re test fails on system with small stack".
+
+Upstram-Status: Backport:
+https://github.com/skvadrik/re2c/commit/89be91f3df00657261870adbc590209fdb2bc405
+
+CVE: CVE-2018-21232
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+diff --git a/src/nfa/estimate_size.cc b/src/nfa/estimate_size.cc
+--- a/src/nfa/estimate_size.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
++++ b/src/nfa/estimate_size.cc (date 1647005399735)
+@@ -6,41 +6,113 @@
+ #include "src/re/re.h"
+
+ namespace re2c {
++namespace {
++
++struct StackItem {
++ const RE *re; // current sub-RE
++ uint32_t size; // size of the sub-RE (only for alternative and concatenation)
++ uint8_t succ; // index of the next sucessor to be visited
++};
+
+-static size_t estimate(const RE *re)
++static uint32_t estimate_re_size(const RE *re0, std::vector<StackItem> &stack)
+ {
+- switch (re->type) {
+- case RE::NIL: return 0;
+- case RE::SYM: return 1;
+- case RE::TAG: return 1;
+- case RE::ALT:
+- return estimate(re->alt.re1)
+- + estimate(re->alt.re2)
+- + 1;
+- case RE::CAT:
+- return estimate(re->cat.re1)
+- + estimate(re->cat.re2);
+- case RE::ITER: {
+- const size_t
+- iter = estimate(re->iter.re),
+- min = re->iter.min,
+- max = re->iter.max;
+- return max == AST::MANY
+- ? iter * min + 1
+- : iter * max + (max - min);
+- }
+- }
+- return 0; /* unreachable */
+-}
++ // the estimated size of the last sub-RE visited by DFS
++ uint32_t size = 0;
++
++ const StackItem i0 = {re0, 0, 0};
++ stack.push_back(i0);
++
++ while (!stack.empty()) {
++ const StackItem i = stack.back();
++ stack.pop_back();
++
++ const RE *re = i.re;
++ if (re->type == RE::NIL) {
++ size = 0;
++ }
++ else if (re->type == RE::SYM || re->type == RE::TAG) {
++ size = 1;
++ }
++ else if (re->type == RE::ALT) {
++ if (i.succ == 0) {
++ // recurse into the left sub-RE
++ StackItem k = {re, 0, 1};
++ stack.push_back(k);
++ StackItem j = {re->alt.re1, 0, 0};
++ stack.push_back(j);
++ }
++ else if (i.succ == 1) {
++ // recurse into the right sub-RE
++ StackItem k = {re, size, 2};
++ stack.push_back(k);
++ StackItem j = {re->alt.re2, 0, 0};
++ stack.push_back(j);
++ }
++ else {
++ // both sub-RE visited, recursive return
++ size = i.size // left sub-RE (saved on stack)
++ + size // right sub-RE (just visited by DFS)
++ + 1; // additional state for alternative
++ }
++ }
++ else if (re->type == RE::CAT) {
++ if (i.succ == 0) {
++ // recurse into the left sub-RE
++ StackItem k = {re, 0, 1};
++ stack.push_back(k);
++ StackItem j = {re->cat.re1, 0, 0};
++ stack.push_back(j);
++ }
++ else if (i.succ == 1) {
++ // recurse into the right sub-RE
++ StackItem k = {re, size, 2};
++ stack.push_back(k);
++ StackItem j = {re->cat.re2, 0, 0};
++ stack.push_back(j);
++ }
++ else {
++ // both sub-RE visited, recursive return
++ size = i.size // left sub-RE (saved on stack)
++ + size; // right sub-RE (just visited by DFS)
++ }
++ }
++ else if (re->type == RE::ITER) {
++ if (i.succ == 0) {
++ // recurse into the sub-RE
++ StackItem k = {re, 0, 1};
++ stack.push_back(k);
++ StackItem j = {re->iter.re, 0, 0};
++ stack.push_back(j);
++ }
++ else {
++ // sub-RE visited, recursive return
++ const uint32_t min = re->iter.min, max = re->iter.max;
++ size = max == AST::MANY
++ ? size * min + 1
++ : size * max + (max - min);
++ }
++ }
++ }
++
++ //DASSERT(stack.empty());
++ return size;
++}
++
++} // anonymous namespace
+
+ size_t estimate_size(const std::vector<RE*> &res)
+ {
+- const size_t nre = res.size();
+- size_t size = nre - 1;
+- for (size_t i = 0; i < nre; ++i) {
+- size += estimate(res[i]) + 1;
+- }
+- return size;
++ std::vector<StackItem> stack;
++
++ const size_t nre = res.size();
++ //DASSERT(nre > 0);
++ size_t size = nre - 1;
++
++ for (size_t i = 0; i < nre; ++i) {
++ size += estimate_re_size(res[i], stack) + 1;
++ }
++
++ return size;
+ }
+
+ } // namespace re2c
+
diff --git a/meta/recipes-support/re2c/re2c_1.0.1.bb b/meta/recipes-support/re2c/re2c_1.0.1.bb
index faeb496a1a..ca5c33f151 100644
--- a/meta/recipes-support/re2c/re2c_1.0.1.bb
+++ b/meta/recipes-support/re2c/re2c_1.0.1.bb
@@ -7,7 +7,11 @@ SECTION = "devel"
LICENSE = "PD"
LIC_FILES_CHKSUM = "file://README;beginline=146;md5=881056c9add17f8019ccd8c382ba963a"
-SRC_URI = "https://github.com/skvadrik/re2c/releases/download/${PV}/${BPN}-${PV}.tar.gz"
+SRC_URI = "https://github.com/skvadrik/re2c/releases/download/${PV}/${BPN}-${PV}.tar.gz \
+file://CVE-2018-21232-1.patch \
+file://CVE-2018-21232-2.patch \
+file://CVE-2018-21232-3.patch \
+file://CVE-2018-21232-4.patch"
SRC_URI[md5sum] = "e2c6cf52fc6a21595f21bc82db5324f8"
SRC_URI[sha256sum] = "605058d18a00e01bfc32aebf83af35ed5b13180b4e9f279c90843afab2c66c7c"
UPSTREAM_CHECK_URI = "https://github.com/skvadrik/re2c/releases"
--
2.25.1
^ permalink raw reply related [flat|nested] 18+ messages in thread* [OE-core][dunfell 04/13] qemu: backport fix for CVE-2020-13253
2022-03-21 22:29 [OE-core][dunfell 00/13] Patch review Steve Sakoman
` (2 preceding siblings ...)
2022-03-21 22:29 ` [OE-core][dunfell 03/13] re2c: backport fix for CVE-2018-21232 Steve Sakoman
@ 2022-03-21 22:29 ` Steve Sakoman
2022-03-21 22:29 ` [OE-core][dunfell 05/13] bluez5: fix CVE-2021-3658 Steve Sakoman
` (8 subsequent siblings)
12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-03-21 22:29 UTC (permalink / raw)
To: openembedded-core
From: Davide Gardenal <davidegarde2000@gmail.com>
Backport commits from the following MR:
https://git.qemu.org/?p=qemu.git;a=commit;h=3a9163af4e3dd61795a35d47b702e302f98f81d6
Two other commits have been backported in order to be able
to correctly apply the patches.
CVE: CVE-2020-13253
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 5 +
.../qemu/qemu/CVE-2020-13253_1.patch | 50 +++++++
.../qemu/qemu/CVE-2020-13253_2.patch | 112 ++++++++++++++
.../qemu/qemu/CVE-2020-13253_3.patch | 86 +++++++++++
.../qemu/qemu/CVE-2020-13253_4.patch | 139 ++++++++++++++++++
.../qemu/qemu/CVE-2020-13253_5.patch | 54 +++++++
6 files changed, 446 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index ef9bc3f64a..0bdc917783 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -92,6 +92,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2020-27617.patch \
file://CVE-2020-28916.patch \
file://CVE-2021-3682.patch \
+ file://CVE-2020-13253_1.patch \
+ file://CVE-2020-13253_2.patch \
+ file://CVE-2020-13253_3.patch \
+ file://CVE-2020-13253_4.patch \
+ file://CVE-2020-13253_5.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch
new file mode 100644
index 0000000000..7f8383987c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch
@@ -0,0 +1,50 @@
+From 6dd3a164f5b31c703c7d8372841ad3bd6a57de6d Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Tue, 5 Jun 2018 22:28:51 -0300
+Subject: [PATCH 1/1] hw/sd/sdcard: Simplify realize() a bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+We don't need to check if sd->blk is set twice.
+
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-Id: <20200630133912.9428-18-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;f=hw/sd/sd.c;h=6dd3a164f5b31c703c7d8372841ad3bd6a57de6d
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ hw/sd/sd.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index 1cc16bf..edd60a0 100644
+--- a/hw/sd/sd.c
++++ b/hw/sd/sd.c
+@@ -2105,12 +2105,12 @@ static void sd_realize(DeviceState *dev, Error **errp)
+ return;
+ }
+
+- if (sd->blk && blk_is_read_only(sd->blk)) {
+- error_setg(errp, "Cannot use read-only drive as SD card");
+- return;
+- }
+-
+ if (sd->blk) {
++ if (blk_is_read_only(sd->blk)) {
++ error_setg(errp, "Cannot use read-only drive as SD card");
++ return;
++ }
++
+ ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
+ BLK_PERM_ALL, errp);
+ if (ret < 0) {
+--
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch
new file mode 100644
index 0000000000..53145d059f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch
@@ -0,0 +1,112 @@
+From a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Tue, 7 Jul 2020 13:02:34 +0200
+Subject: [PATCH] hw/sd/sdcard: Do not allow invalid SD card sizes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+QEMU allows to create SD card with unrealistic sizes. This could
+work, but some guests (at least Linux) consider sizes that are not
+a power of 2 as a firmware bug and fix the card size to the next
+power of 2.
+
+While the possibility to use small SD card images has been seen as
+a feature, it became a bug with CVE-2020-13253, where the guest is
+able to do OOB read/write accesses past the image size end.
+
+In a pair of commits we will fix CVE-2020-13253 as:
+
+ Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+ occurred and no data transfer is performed.
+
+ Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+ occurred and no data transfer is performed.
+
+ WP_VIOLATION errors are not modified: the error bit is set, we
+ stay in receive-data state, wait for a stop command. All further
+ data transfer is ignored. See the check on sd->card_status at the
+ beginning of sd_read_data() and sd_write_data().
+
+While this is the correct behavior, in case QEMU create smaller SD
+cards, guests still try to access past the image size end, and QEMU
+considers this is an invalid address, thus "all further data transfer
+is ignored". This is wrong and make the guest looping until
+eventually timeouts.
+
+Fix by not allowing invalid SD card sizes (suggesting the expected
+size as a hint):
+
+ $ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw
+ qemu-system-arm: Invalid SD card size: 60 MiB
+ SD card size has to be a power of 2, e.g. 64 MiB.
+ You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
+ (note that this will lose data if you make the image smaller than it currently is).
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-Id: <20200713183209.26308-8-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;h=a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ hw/sd/sd.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index edd60a09c0..76d68359a4 100644
+--- a/hw/sd/sd.c
++++ b/hw/sd/sd.c
+@@ -32,6 +32,7 @@
+
+ #include "qemu/osdep.h"
+ #include "qemu/units.h"
++#include "qemu/cutils.h"
+ #include "hw/irq.h"
+ #include "hw/registerfields.h"
+ #include "sysemu/block-backend.h"
+@@ -2106,11 +2107,35 @@ static void sd_realize(DeviceState *dev, Error **errp)
+ }
+
+ if (sd->blk) {
++ int64_t blk_size;
++
+ if (blk_is_read_only(sd->blk)) {
+ error_setg(errp, "Cannot use read-only drive as SD card");
+ return;
+ }
+
++ blk_size = blk_getlength(sd->blk);
++ if (blk_size > 0 && !is_power_of_2(blk_size)) {
++ int64_t blk_size_aligned = pow2ceil(blk_size);
++ char *blk_size_str;
++
++ blk_size_str = size_to_str(blk_size);
++ error_setg(errp, "Invalid SD card size: %s", blk_size_str);
++ g_free(blk_size_str);
++
++ blk_size_str = size_to_str(blk_size_aligned);
++ error_append_hint(errp,
++ "SD card size has to be a power of 2, e.g. %s.\n"
++ "You can resize disk images with"
++ " 'qemu-img resize <imagefile> <new-size>'\n"
++ "(note that this will lose data if you make the"
++ " image smaller than it currently is).\n",
++ blk_size_str);
++ g_free(blk_size_str);
++
++ return;
++ }
++
+ ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
+ BLK_PERM_ALL, errp);
+ if (ret < 0) {
+--
+2.32.0
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch
new file mode 100644
index 0000000000..b512b2bd7f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch
@@ -0,0 +1,86 @@
+From 794d68de2f021a6d3874df41d6bbe8590ec05207 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Mon, 13 Jul 2020 09:27:35 +0200
+Subject: [PATCH] hw/sd/sdcard: Update coding style to make checkpatch.pl happy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+To make the next commit easier to review, clean this code first.
+
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20200630133912.9428-3-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;f=hw/sd/sd.c;h=794d68de2f021a6d3874df41d6bbe8590ec05207
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+--- a/hw/sd/sd.c (revision b0ca999a43a22b38158a222233d3f5881648bb4f)
++++ b/hw/sd/sd.c (date 1647514442924)
+@@ -1154,8 +1154,9 @@
+ sd->data_start = addr;
+ sd->data_offset = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size)
++ if (sd->data_start + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
++ }
+ return sd_r1;
+
+ default:
+@@ -1170,8 +1171,9 @@
+ sd->data_start = addr;
+ sd->data_offset = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size)
++ if (sd->data_start + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
++ }
+ return sd_r1;
+
+ default:
+@@ -1216,12 +1218,15 @@
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size)
++ if (sd->data_start + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
+- if (sd_wp_addr(sd, sd->data_start))
++ }
++ if (sd_wp_addr(sd, sd->data_start)) {
+ sd->card_status |= WP_VIOLATION;
+- if (sd->csd[14] & 0x30)
++ }
++ if (sd->csd[14] & 0x30) {
+ sd->card_status |= WP_VIOLATION;
++ }
+ return sd_r1;
+
+ default:
+@@ -1240,12 +1245,15 @@
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size)
++ if (sd->data_start + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
+- if (sd_wp_addr(sd, sd->data_start))
++ }
++ if (sd_wp_addr(sd, sd->data_start)) {
+ sd->card_status |= WP_VIOLATION;
+- if (sd->csd[14] & 0x30)
++ }
++ if (sd->csd[14] & 0x30) {
+ sd->card_status |= WP_VIOLATION;
++ }
+ return sd_r1;
+
+ default:
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch
new file mode 100644
index 0000000000..6b4c1ec050
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch
@@ -0,0 +1,139 @@
+From 790762e5487114341cccc5bffcec4cb3c022c3cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Thu, 4 Jun 2020 19:22:29 +0200
+Subject: [PATCH] hw/sd/sdcard: Do not switch to ReceivingData if address is
+ invalid
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Only move the state machine to ReceivingData if there is no
+pending error. This avoids later OOB access while processing
+commands queued.
+
+ "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
+
+ 4.3.3 Data Read
+
+ Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+ occurred and no data transfer is performed.
+
+ 4.3.4 Data Write
+
+ Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+ occurred and no data transfer is performed.
+
+WP_VIOLATION errors are not modified: the error bit is set, we
+stay in receive-data state, wait for a stop command. All further
+data transfer is ignored. See the check on sd->card_status at the
+beginning of sd_read_data() and sd_write_data().
+
+Fixes: CVE-2020-13253
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-Id: <20200630133912.9428-6-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;h=790762e5487114341cccc5bffcec4cb3c022c3cd
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ hw/sd/sd.c | 38 ++++++++++++++++++++++++--------------
+ 1 file changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index f4f76f8fd2..fad9cf1ee7 100644
+--- a/hw/sd/sd.c
++++ b/hw/sd/sd.c
+@@ -1171,13 +1171,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+ case 17: /* CMD17: READ_SINGLE_BLOCK */
+ switch (sd->state) {
+ case sd_transfer_state:
+- sd->state = sd_sendingdata_state;
+- sd->data_start = addr;
+- sd->data_offset = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
++ if (addr + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
+ }
++
++ sd->state = sd_sendingdata_state;
++ sd->data_start = addr;
++ sd->data_offset = 0;
+ return sd_r1;
+
+ default:
+@@ -1188,13 +1190,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+ case 18: /* CMD18: READ_MULTIPLE_BLOCK */
+ switch (sd->state) {
+ case sd_transfer_state:
+- sd->state = sd_sendingdata_state;
+- sd->data_start = addr;
+- sd->data_offset = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
++ if (addr + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
+ }
++
++ sd->state = sd_sendingdata_state;
++ sd->data_start = addr;
++ sd->data_offset = 0;
+ return sd_r1;
+
+ default:
+@@ -1234,14 +1238,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+ /* Writing in SPI mode not implemented. */
+ if (sd->spi)
+ break;
++
++ if (addr + sd->blk_len > sd->size) {
++ sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
++ }
++
+ sd->state = sd_receivingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
+- sd->card_status |= ADDRESS_ERROR;
+- }
+ if (sd_wp_addr(sd, sd->data_start)) {
+ sd->card_status |= WP_VIOLATION;
+ }
+@@ -1261,14 +1268,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+ /* Writing in SPI mode not implemented. */
+ if (sd->spi)
+ break;
++
++ if (addr + sd->blk_len > sd->size) {
++ sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
++ }
++
+ sd->state = sd_receivingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
+- sd->card_status |= ADDRESS_ERROR;
+- }
+ if (sd_wp_addr(sd, sd->data_start)) {
+ sd->card_status |= WP_VIOLATION;
+ }
+--
+2.32.0
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch
new file mode 100644
index 0000000000..ffce610f79
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch
@@ -0,0 +1,54 @@
+From 9157dd597d293ab7f599f4d96c3fe8a6e07c633d Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Wed, 3 Jun 2020 19:59:16 +0200
+Subject: [PATCH] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Only SCSD cards support Class 6 (Block Oriented Write Protection)
+commands.
+
+ "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
+
+ 4.3.14 Command Functional Difference in Card Capacity Types
+
+ * Write Protected Group
+
+ SDHC and SDXC do not support write-protected groups. Issuing
+ CMD28, CMD29 and CMD30 generates the ILLEGAL_COMMAND error.
+
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-Id: <20200630133912.9428-7-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;h=9157dd597d293ab7f599f4d96c3fe8a6e07c633d
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ hw/sd/sd.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index 5137168..1cc16bf 100644
+--- a/hw/sd/sd.c
++++ b/hw/sd/sd.c
+@@ -920,6 +920,11 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+ sd->multi_blk_cnt = 0;
+ }
+
++ if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
++ /* Only Standard Capacity cards support class 6 commands */
++ return sd_illegal;
++ }
++
+ switch (req.cmd) {
+ /* Basic commands (Class 0 and Class 1) */
+ case 0: /* CMD0: GO_IDLE_STATE */
+--
+1.8.3.1
--
2.25.1
^ permalink raw reply related [flat|nested] 18+ messages in thread* [OE-core][dunfell 05/13] bluez5: fix CVE-2021-3658
2022-03-21 22:29 [OE-core][dunfell 00/13] Patch review Steve Sakoman
` (3 preceding siblings ...)
2022-03-21 22:29 ` [OE-core][dunfell 04/13] qemu: backport fix for CVE-2020-13253 Steve Sakoman
@ 2022-03-21 22:29 ` Steve Sakoman
2022-03-21 22:29 ` [OE-core][dunfell 06/13] openssl: upgrade 1.1.1l -> 1.1.1n Steve Sakoman
` (7 subsequent siblings)
12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-03-21 22:29 UTC (permalink / raw)
To: openembedded-core
From: Minjae Kim <flowergom@gmail.com>
adapter incorrectly restores Discoverable state after powered down
Upstream-Status: Backport [https://github.com/bluez/bluez/commit/b497b5942a8beb8f89ca1c359c54ad67ec843055]
CVE: CVE-2021-3658
Signed-off-by:Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-connectivity/bluez5/bluez5.inc | 1 +
.../bluez5/bluez5/CVE-2021-3658.patch | 95 +++++++++++++++++++
2 files changed, 96 insertions(+)
create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index 34796fdd20..7cf061dcf6 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -54,6 +54,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
file://0001-test-gatt-Fix-hung-issue.patch \
file://CVE-2021-0129.patch \
file://CVE-2021-3588.patch \
+ file://CVE-2021-3658.patch \
"
S = "${WORKDIR}/bluez-${PV}"
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch
new file mode 100644
index 0000000000..1738ca13da
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch
@@ -0,0 +1,95 @@
+From b497b5942a8beb8f89ca1c359c54ad67ec843055 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Thu, 24 Jun 2021 16:32:04 -0700
+Subject: [PATCH] adapter: Fix storing discoverable setting
+
+discoverable setting shall only be store when changed via Discoverable
+property and not when discovery client set it as that be considered
+temporary just for the lifetime of the discovery.
+
+Upstream-Status: Backport [https://github.com/bluez/bluez/commit/b497b5942a8beb8f89ca1c359c54ad67ec843055]
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+---
+ src/adapter.c | 35 ++++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+diff --git a/src/adapter.c b/src/adapter.c
+index 12e4ff5c0..663b778e4 100644
+--- a/src/adapter.c
++++ b/src/adapter.c
+@@ -560,7 +560,11 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings)
+ if (changed_mask & MGMT_SETTING_DISCOVERABLE) {
+ g_dbus_emit_property_changed(dbus_conn, adapter->path,
+ ADAPTER_INTERFACE, "Discoverable");
+- store_adapter_info(adapter);
++ /* Only persist discoverable setting if it was not set
++ * temporarily by discovery.
++ */
++ if (!adapter->discovery_discoverable)
++ store_adapter_info(adapter);
+ btd_adv_manager_refresh(adapter->adv_manager);
+ }
+
+@@ -2162,8 +2166,6 @@ static bool filters_equal(struct mgmt_cp_start_service_discovery *a,
+ static int update_discovery_filter(struct btd_adapter *adapter)
+ {
+ struct mgmt_cp_start_service_discovery *sd_cp;
+- GSList *l;
+-
+
+ DBG("");
+
+@@ -2173,17 +2175,24 @@ static int update_discovery_filter(struct btd_adapter *adapter)
+ return -ENOMEM;
+ }
+
+- for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
+- struct discovery_client *client = l->data;
++ /* Only attempt to overwrite current discoverable setting when not
++ * discoverable.
++ */
++ if (!(adapter->current_settings & MGMT_OP_SET_DISCOVERABLE)) {
++ GSList *l;
+
+- if (!client->discovery_filter)
+- continue;
++ for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
++ struct discovery_client *client = l->data;
+
+- if (client->discovery_filter->discoverable)
+- break;
+- }
++ if (!client->discovery_filter)
++ continue;
+
+- set_discovery_discoverable(adapter, l ? true : false);
++ if (client->discovery_filter->discoverable) {
++ set_discovery_discoverable(adapter, true);
++ break;
++ }
++ }
++ }
+
+ /*
+ * If filters are equal, then don't update scan, except for when
+@@ -2216,8 +2225,7 @@ static int discovery_stop(struct discovery_client *client)
+ return 0;
+ }
+
+- if (adapter->discovery_discoverable)
+- set_discovery_discoverable(adapter, false);
++ set_discovery_discoverable(adapter, false);
+
+ /*
+ * In the idle phase of a discovery, there is no need to stop it
+@@ -6913,6 +6921,7 @@ static void adapter_stop(struct btd_adapter *adapter)
+ g_free(adapter->current_discovery_filter);
+ adapter->current_discovery_filter = NULL;
+
++ set_discovery_discoverable(adapter, false);
+ adapter->discovering = false;
+
+ while (adapter->connections) {
+--
+2.25.1
+
--
2.25.1
^ permalink raw reply related [flat|nested] 18+ messages in thread* [OE-core][dunfell 06/13] openssl: upgrade 1.1.1l -> 1.1.1n
2022-03-21 22:29 [OE-core][dunfell 00/13] Patch review Steve Sakoman
` (4 preceding siblings ...)
2022-03-21 22:29 ` [OE-core][dunfell 05/13] bluez5: fix CVE-2021-3658 Steve Sakoman
@ 2022-03-21 22:29 ` Steve Sakoman
2022-03-21 22:29 ` [OE-core][dunfell 07/13] python3: upgrade 3.8.12 -> 3.8.13 Steve Sakoman
` (6 subsequent siblings)
12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-03-21 22:29 UTC (permalink / raw)
To: openembedded-core
From: Ovidiu Panait <ovidiu.panait@windriver.com>
Upgrade openssl 1.1.1l -> 1.1.1n to fix CVE-2022-0778:
https://nvd.nist.gov/vuln/detail/CVE-2022-0778
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65
This also fixes an evp_extra_test ptest failure introduced by openssl-1.1.1m:
"""
not ok 19 - test_signatures_with_engine
ERROR: (ptr) 'e = ENGINE_by_id(engine_id) != NULL' failed @ ../openssl-1.1.1m/test/evp_extra_test.c:1890
0x0
not ok 20 - test_cipher_with_engine
<snip>
"""
The ptest change is already present in Yocto master since oe-core
commit 5cd40648b0ba ("openssl: upgrade to 3.0.1").
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../openssl/openssl/CVE-2021-4160.patch | 145 ------------------
.../{openssl_1.1.1l.bb => openssl_1.1.1n.bb} | 4 +-
2 files changed, 2 insertions(+), 147 deletions(-)
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch
rename meta/recipes-connectivity/openssl/{openssl_1.1.1l.bb => openssl_1.1.1n.bb} (97%)
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch
deleted file mode 100644
index ff1e807157..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb Mon Sep 17 00:00:00 2001
-From: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Date: Sat, 11 Dec 2021 20:28:11 +0100
-Subject: [PATCH] Fix a carry overflow bug in bn_sqr_comba4/8 for mips 32-bit
- targets
-
-bn_sqr_comba8 does for instance compute a wrong result for the value:
-a=0x4aaac919 62056c84 fba7334e 1a6be678 022181ba fd3aa878 899b2346 ee210f45
-
-The correct result is:
-r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f
- 912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3d 97ed17d4 7950b465 3cb32899
-
-but the actual result was:
-r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f
- 912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3c 97ed17d4 7950b465 3cb32899
-
-so the forth word of the result was 0x75be8e3c but should have been
-0x75be8e3d instead.
-
-Likewise bn_sqr_comba4 has an identical bug for the same value as well:
-a=0x022181ba fd3aa878 899b2346 ee210f45
-
-correct result:
-r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3d 97ed17d4 7950b465 3cb32899
-
-wrong result:
-r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3c 97ed17d4 7950b465 3cb32899
-
-Fortunately the bn_mul_comba4/8 code paths are not affected.
-
-Also the mips64 target does in fact not handle the carry propagation
-correctly.
-
-Example:
-a=0x4aaac91900000000 62056c8400000000 fba7334e00000000 1a6be67800000000
- 022181ba00000000 fd3aa87800000000 899b234635dad283 ee210f4500000001
-
-correct result:
-r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1
- 0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d
- 3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06
- 2822309cd1d292f9 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001
-
-wrong result:
-r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1
- 0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d
- 3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06
- 2822309cd1d292f8 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/17258)
-
-(cherry picked from commit 336923c0c8d705cb8af5216b29a205662db0d590)
-
-Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb]
-CVE: CVE-2021-4160
-Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
-
----
- crypto/bn/asm/mips.pl | 4 ++++
- test/bntest.c | 45 +++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 49 insertions(+)
-
-diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl
-index 8ad715bda4..74101030f2 100644
---- a/crypto/bn/asm/mips.pl
-+++ b/crypto/bn/asm/mips.pl
-@@ -1984,6 +1984,8 @@ $code.=<<___;
- sltu $at,$c_2,$t_1
- $ADDU $c_3,$t_2,$at
- $ST $c_2,$BNSZ($a0)
-+ sltu $at,$c_3,$t_2
-+ $ADDU $c_1,$at
- mflo ($t_1,$a_2,$a_0)
- mfhi ($t_2,$a_2,$a_0)
- ___
-@@ -2194,6 +2196,8 @@ $code.=<<___;
- sltu $at,$c_2,$t_1
- $ADDU $c_3,$t_2,$at
- $ST $c_2,$BNSZ($a0)
-+ sltu $at,$c_3,$t_2
-+ $ADDU $c_1,$at
- mflo ($t_1,$a_2,$a_0)
- mfhi ($t_2,$a_2,$a_0)
- ___
-diff --git a/test/bntest.c b/test/bntest.c
-index b58028a301..bab34ba54b 100644
---- a/test/bntest.c
-+++ b/test/bntest.c
-@@ -627,6 +627,51 @@ static int test_modexp_mont5(void)
- if (!TEST_BN_eq(c, d))
- goto err;
-
-+ /*
-+ * Regression test for overflow bug in bn_sqr_comba4/8 for
-+ * mips-linux-gnu and mipsel-linux-gnu 32bit targets.
-+ */
-+ {
-+ static const char *ehex[] = {
-+ "95564994a96c45954227b845a1e99cb939d5a1da99ee91acc962396ae999a9ee",
-+ "38603790448f2f7694c242a875f0cad0aae658eba085f312d2febbbd128dd2b5",
-+ "8f7d1149f03724215d704344d0d62c587ae3c5939cba4b9b5f3dc5e8e911ef9a",
-+ "5ce1a5a749a4989d0d8368f6e1f8cdf3a362a6c97fb02047ff152b480a4ad985",
-+ "2d45efdf0770542992afca6a0590d52930434bba96017afbc9f99e112950a8b1",
-+ "a359473ec376f329bdae6a19f503be6d4be7393c4e43468831234e27e3838680",
-+ "b949390d2e416a3f9759e5349ab4c253f6f29f819a6fe4cbfd27ada34903300e",
-+ "da021f62839f5878a36f1bc3085375b00fd5fa3e68d316c0fdace87a97558465",
-+ NULL};
-+ static const char *phex[] = {
-+ "f95dc0f980fbd22e90caa5a387cc4a369f3f830d50dd321c40db8c09a7e1a241",
-+ "a536e096622d3280c0c1ba849c1f4a79bf490f60006d081e8cf69960189f0d31",
-+ "2cd9e17073a3fba7881b21474a13b334116cb2f5dbf3189a6de3515d0840f053",
-+ "c776d3982d391b6d04d642dda5cc6d1640174c09875addb70595658f89efb439",
-+ "dc6fbd55f903aadd307982d3f659207f265e1ec6271b274521b7a5e28e8fd7a5",
-+ "5df089292820477802a43cf5b6b94e999e8c9944ddebb0d0e95a60f88cb7e813",
-+ "ba110d20e1024774107dd02949031864923b3cb8c3f7250d6d1287b0a40db6a4",
-+ "7bd5a469518eb65aa207ddc47d8c6e5fc8e0c105be8fc1d4b57b2e27540471d5",
-+ NULL};
-+ static const char *mhex[] = {
-+ "fef15d5ce4625f1bccfbba49fc8439c72bf8202af039a2259678941b60bb4a8f",
-+ "2987e965d58fd8cf86a856674d519763d0e1211cc9f8596971050d56d9b35db3",
-+ "785866cfbca17cfdbed6060be3629d894f924a89fdc1efc624f80d41a22f1900",
-+ "9503fcc3824ef62ccb9208430c26f2d8ceb2c63488ec4c07437aa4c96c43dd8b",
-+ "9289ed00a712ff66ee195dc71f5e4ead02172b63c543d69baf495f5fd63ba7bc",
-+ "c633bd309c016e37736da92129d0b053d4ab28d21ad7d8b6fab2a8bbdc8ee647",
-+ "d2fbcf2cf426cf892e6f5639e0252993965dfb73ccd277407014ea784aaa280c",
-+ "b7b03972bc8b0baa72360bdb44b82415b86b2f260f877791cd33ba8f2d65229b",
-+ NULL};
-+
-+ if (!TEST_true(parse_bigBN(&e, ehex))
-+ || !TEST_true(parse_bigBN(&p, phex))
-+ || !TEST_true(parse_bigBN(&m, mhex))
-+ || !TEST_true(BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
-+ || !TEST_true(BN_mod_exp_simple(a, e, p, m, ctx))
-+ || !TEST_BN_eq(a, d))
-+ goto err;
-+ }
-+
- /* Zero input */
- if (!TEST_true(BN_bntest_rand(p, 1024, 0, 0)))
- goto err;
---
-2.25.1
-
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb
similarity index 97%
rename from meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
rename to meta/recipes-connectivity/openssl/openssl_1.1.1n.bb
index 24466e11b1..8538bd5a18 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb
@@ -18,14 +18,13 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
file://afalg.patch \
file://reproducible.patch \
file://reproducibility.patch \
- file://CVE-2021-4160.patch \
"
SRC_URI_append_class-nativesdk = " \
file://environment.d-openssl.sh \
"
-SRC_URI[sha256sum] = "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1"
+SRC_URI[sha256sum] = "40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a"
inherit lib_package multilib_header multilib_script ptest
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -181,6 +180,7 @@ do_install_ptest () {
install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
install -d ${D}${PTEST_PATH}/engines
+ install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
}
--
2.25.1
^ permalink raw reply related [flat|nested] 18+ messages in thread* [OE-core][dunfell 07/13] python3: upgrade 3.8.12 -> 3.8.13
2022-03-21 22:29 [OE-core][dunfell 00/13] Patch review Steve Sakoman
` (5 preceding siblings ...)
2022-03-21 22:29 ` [OE-core][dunfell 06/13] openssl: upgrade 1.1.1l -> 1.1.1n Steve Sakoman
@ 2022-03-21 22:29 ` Steve Sakoman
2022-03-21 22:29 ` [OE-core][dunfell 08/13] linux-firmware: upgrade 20220209 -> 20220310 Steve Sakoman
` (5 subsequent siblings)
12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-03-21 22:29 UTC (permalink / raw)
To: openembedded-core
From: Tim Orling <ticotimo@gmail.com>
Security and bug fixes (including upgrades for security and bug fixes to
bundled components).
For changes see:
https://docs.python.org/release/3.8.13/whatsnew/changelog.html#python-3-8-13-final
CVE: CVE-2022-26488
License-Update: Add 2022 to copyright years
* Update bpo-36852 patch to apply after change in 3.8.13
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...-detection-of-mips-architecture-for-.patch | 42 ++++++++++---------
.../{python3_3.8.12.bb => python3_3.8.13.bb} | 6 +--
2 files changed, 26 insertions(+), 22 deletions(-)
rename meta/recipes-devtools/python/{python3_3.8.12.bb => python3_3.8.13.bb} (98%)
diff --git a/meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch b/meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch
index c4fae09a5b..4ac0e140cc 100644
--- a/meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch
+++ b/meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch
@@ -14,17 +14,21 @@ Upstream-Status: Submitted [https://github.com/python/cpython/pull/13196]
Signed-off-by: Matthias Schoepfer <matthias.schoepfer@ithinx.io>
%% original patch: 0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch
+
+Updated to apply after dea270a2a80214de22afadaaca2043d0d782eb7d
+
+Signed-off-by: Tim Orling <tim.orling@konsulko.com>
---
configure.ac | 175 +++++++--------------------------------------------
1 file changed, 21 insertions(+), 154 deletions(-)
diff --git a/configure.ac b/configure.ac
-index ede710e..bc81b0b 100644
+index de83332dd3..16b02d0798 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -710,160 +710,27 @@ fi
- MULTIARCH=$($CC --print-multiarch 2>/dev/null)
- AC_SUBST(MULTIARCH)
+@@ -719,160 +719,27 @@ then
+ fi
+
-AC_MSG_CHECKING([for the platform triplet based on compiler characteristics])
-cat >> conftest.c <<EOF
@@ -185,25 +189,25 @@ index ede710e..bc81b0b 100644
+## Need to handle macos, vxworks and hurd special (?) :-/
+case ${target_os} in
+ darwin*)
-+ PLATFORM_TRIPLET=darwin
-+ ;;
++ PLATFORM_TRIPLET=darwin
++ ;;
+ hurd*)
-+ PLATFORM_TRIPLET=i386-gnu
-+ ;;
++ PLATFORM_TRIPLET=i386-gnu
++ ;;
+ vxworks*)
-+ PLATFORM_TRIPLET=vxworks
-+ ;;
++ PLATFORM_TRIPLET=vxworks
++ ;;
+ *)
+ if test "${target_cpu}" != "i686"; then
-+ PLATFORM_TRIPLET=${target_cpu}-${target_os}
-+ else
-+ PLATFORM_TRIPLET=i386-${target_os}
-+ fi
-+ ;;
-+esac
++ PLATFORM_TRIPLET=${target_cpu}-${target_os}
++ else
++ PLATFORM_TRIPLET=i386-${target_os}
++ fi
++ ;;
++esac
- if test x$PLATFORM_TRIPLET != x && test x$MULTIARCH != x; then
- if test x$PLATFORM_TRIPLET != x$MULTIARCH; then
+ if test x$PLATFORM_TRIPLET != xdarwin; then
+ MULTIARCH=$($CC --print-multiarch 2>/dev/null)
--
-2.24.1
+2.32.0
diff --git a/meta/recipes-devtools/python/python3_3.8.12.bb b/meta/recipes-devtools/python/python3_3.8.13.bb
similarity index 98%
rename from meta/recipes-devtools/python/python3_3.8.12.bb
rename to meta/recipes-devtools/python/python3_3.8.13.bb
index cfcc91b396..112ebec4c1 100644
--- a/meta/recipes-devtools/python/python3_3.8.12.bb
+++ b/meta/recipes-devtools/python/python3_3.8.13.bb
@@ -4,7 +4,7 @@ DESCRIPTION = "Python is a programming language that lets you work more quickly
LICENSE = "PSF-2.0 & BSD-0-Clause"
SECTION = "devel/python"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=c22d2438294c784731bf9dd224a467b7"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=c84eccf626bb6fde43e6ea5e28d8feb5"
SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://run-ptest \
@@ -42,8 +42,8 @@ SRC_URI_append_class-native = " \
file://0001-Don-t-search-system-for-headers-libraries.patch \
"
-SRC_URI[md5sum] = "9dd8f82e586b776383c82e27923f8795"
-SRC_URI[sha256sum] = "b1d3a76420375343b5e8a22fceb1ac65b77193e9ed27146524f0a9db058728ea"
+SRC_URI[md5sum] = "c4b7100dcaace9d33ab1fda9a3a038d6"
+SRC_URI[sha256sum] = "6f309077012040aa39fe8f0c61db8c0fa1c45136763299d375c9e5756f09cf57"
# exclude pre-releases for both python 2.x and 3.x
UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
--
2.25.1
^ permalink raw reply related [flat|nested] 18+ messages in thread* [OE-core][dunfell 08/13] linux-firmware: upgrade 20220209 -> 20220310
2022-03-21 22:29 [OE-core][dunfell 00/13] Patch review Steve Sakoman
` (6 preceding siblings ...)
2022-03-21 22:29 ` [OE-core][dunfell 07/13] python3: upgrade 3.8.12 -> 3.8.13 Steve Sakoman
@ 2022-03-21 22:29 ` Steve Sakoman
2022-03-21 22:29 ` [OE-core][dunfell 09/13] mobile-broadband-provider-info: upgrade 20201225 -> 20210805 Steve Sakoman
` (4 subsequent siblings)
12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-03-21 22:29 UTC (permalink / raw)
To: openembedded-core
From: wangmy <wangmy@fujitsu.com>
License-Update:
year updated to 2022
Version of some driver files updated
Added files for some drivers
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit be1b1d204c89035c54a626db46c5054e553b82c2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...inux-firmware_20220209.bb => linux-firmware_20220310.bb} | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220209.bb => linux-firmware_20220310.bb} (99%)
diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20220209.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20220310.bb
similarity index 99%
rename from meta/recipes-kernel/linux-firmware/linux-firmware_20220209.bb
rename to meta/recipes-kernel/linux-firmware/linux-firmware_20220310.bb
index 9cb357fa90..7a6cb1903b 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20220209.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20220310.bb
@@ -72,7 +72,7 @@ LICENSE = "\
LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
file://LICENCE.adsp_sst;md5=615c45b91a5a4a9fe046d6ab9a2df728 \
file://LICENCE.agere;md5=af0133de6b4a9b2522defd5f188afd31 \
- file://LICENSE.amdgpu;md5=d357524f5099e2a3db3c1838921c593f \
+ file://LICENSE.amdgpu;md5=44c1166d052226cb2d6c8d7400090203 \
file://LICENSE.amd-ucode;md5=3c5399dc9148d7f0e1f41e34b69cf14f \
file://LICENSE.amlogic_vdec;md5=dc44f59bf64a81643e500ad3f39a468a \
file://LICENCE.atheros_firmware;md5=30a14c7823beedac9fa39c64fdd01a13 \
@@ -132,7 +132,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
file://LICENCE.xc4000;md5=0ff51d2dc49fce04814c9155081092f0 \
file://LICENCE.xc5000;md5=1e170c13175323c32c7f4d0998d53f66 \
file://LICENCE.xc5000c;md5=12b02efa3049db65d524aeb418dd87ca \
- file://WHENCE;md5=ed3d7426e4df06fbadcca24ebf00cc5f \
+ file://WHENCE;md5=45a9c4a92d152e9495db81e1192f2bdc \
"
# These are not common licenses, set NO_GENERIC_LICENSE for them
@@ -205,7 +205,7 @@ PE = "1"
SRC_URI = "${KERNELORG_MIRROR}/linux/kernel/firmware/${BPN}-${PV}.tar.xz"
-SRC_URI[sha256sum] = "e2e46fa618414952bbf2f6920cd3abcddbef45bfb7d1352994b4bfc35394d177"
+SRC_URI[sha256sum] = "5938ee717b2023b48f6bfcf344b40ddc947e3e22c0bc36d4c3418f90fea68182"
inherit allarch
--
2.25.1
^ permalink raw reply related [flat|nested] 18+ messages in thread* [OE-core][dunfell 09/13] mobile-broadband-provider-info: upgrade 20201225 -> 20210805
2022-03-21 22:29 [OE-core][dunfell 00/13] Patch review Steve Sakoman
` (7 preceding siblings ...)
2022-03-21 22:29 ` [OE-core][dunfell 08/13] linux-firmware: upgrade 20220209 -> 20220310 Steve Sakoman
@ 2022-03-21 22:29 ` Steve Sakoman
2022-03-21 22:29 ` [OE-core][dunfell 10/13] mobile-broadband-provider-info: upgrade 20210805 -> 20220315 Steve Sakoman
` (3 subsequent siblings)
12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-03-21 22:29 UTC (permalink / raw)
To: openembedded-core
From: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 93a335993ce592a8ee34fc9a490e327f2775e03f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../mobile-broadband-provider-info_git.bb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
index b4cbc1a76c..4246f4dcbd 100644
--- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
+++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
@@ -4,8 +4,8 @@ DESCRIPTION = "Mobile Broadband Service Provider Database stores service provide
SECTION = "network"
LICENSE = "PD"
LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04"
-SRCREV = "90f3fe28aa25135b7e4a54a7816388913bfd4a2a"
-PV = "20201225"
+SRCREV = "11f2247eccd3c161b8fd9b41143862e9fb81193c"
+PV = "20210805"
PE = "1"
SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=master"
--
2.25.1
^ permalink raw reply related [flat|nested] 18+ messages in thread* [OE-core][dunfell 10/13] mobile-broadband-provider-info: upgrade 20210805 -> 20220315
2022-03-21 22:29 [OE-core][dunfell 00/13] Patch review Steve Sakoman
` (8 preceding siblings ...)
2022-03-21 22:29 ` [OE-core][dunfell 09/13] mobile-broadband-provider-info: upgrade 20201225 -> 20210805 Steve Sakoman
@ 2022-03-21 22:29 ` Steve Sakoman
2022-03-21 22:29 ` [OE-core][dunfell 11/13] python3targetconfig: Use for nativesdk too Steve Sakoman
` (2 subsequent siblings)
12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-03-21 22:29 UTC (permalink / raw)
To: openembedded-core
From: Changhyeok Bae <changhyeok.bae@gmail.com>
Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ed02ee8f20094f598448d58875cb7be8a24a019f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../mobile-broadband-provider-info_git.bb | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
index 4246f4dcbd..781b9216c5 100644
--- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
+++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
@@ -4,11 +4,12 @@ DESCRIPTION = "Mobile Broadband Service Provider Database stores service provide
SECTION = "network"
LICENSE = "PD"
LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04"
-SRCREV = "11f2247eccd3c161b8fd9b41143862e9fb81193c"
-PV = "20210805"
+
+SRCREV = "4cbb44a9fe26aa6f0b28beb79f9488b37c097b5e"
+PV = "20220315"
PE = "1"
-SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=master"
+SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main"
S = "${WORKDIR}/git"
inherit autotools
--
2.25.1
^ permalink raw reply related [flat|nested] 18+ messages in thread* [OE-core][dunfell 11/13] python3targetconfig: Use for nativesdk too
2022-03-21 22:29 [OE-core][dunfell 00/13] Patch review Steve Sakoman
` (9 preceding siblings ...)
2022-03-21 22:29 ` [OE-core][dunfell 10/13] mobile-broadband-provider-info: upgrade 20210805 -> 20220315 Steve Sakoman
@ 2022-03-21 22:29 ` Steve Sakoman
2022-03-21 22:29 ` [OE-core][dunfell 12/13] oeqa/runtime/ping: Improve failure message to include more detail Steve Sakoman
2022-03-21 22:29 ` [OE-core][dunfell 13/13] oeqa/selftest/tinfoil: Improve tinfoil event test debugging Steve Sakoman
12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-03-21 22:29 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
nativesdk is a cross compiled target and therefore should use the target
config, not the native one. Copy the target entries accordingly.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b1b5fec350b390fa7f2d26966df1411b032faf87)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/python3targetconfig.bbclass | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/meta/classes/python3targetconfig.bbclass b/meta/classes/python3targetconfig.bbclass
index fc1025c207..a6e67f1bf8 100644
--- a/meta/classes/python3targetconfig.bbclass
+++ b/meta/classes/python3targetconfig.bbclass
@@ -15,3 +15,15 @@ do_compile_prepend_class-target() {
do_install_prepend_class-target() {
export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
}
+
+do_configure:prepend:class-nativesdk() {
+ export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
+
+do_compile:prepend:class-nativesdk() {
+ export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
+
+do_install:prepend:class-nativesdk() {
+ export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
--
2.25.1
^ permalink raw reply related [flat|nested] 18+ messages in thread* [OE-core][dunfell 12/13] oeqa/runtime/ping: Improve failure message to include more detail
2022-03-21 22:29 [OE-core][dunfell 00/13] Patch review Steve Sakoman
` (10 preceding siblings ...)
2022-03-21 22:29 ` [OE-core][dunfell 11/13] python3targetconfig: Use for nativesdk too Steve Sakoman
@ 2022-03-21 22:29 ` Steve Sakoman
2022-03-21 22:29 ` [OE-core][dunfell 13/13] oeqa/selftest/tinfoil: Improve tinfoil event test debugging Steve Sakoman
12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-03-21 22:29 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
When the ping test fails due to a timeout we only get limited debug
information. Tweak the code to improve that in case it sheds any light
on intermittent failures.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d81704057950e1970ef7f673fa771834fd2b3f1e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oeqa/runtime/cases/ping.py | 20 ++++++++++++--------
meta/recipes-core/libxml/libxml2_2.9.10.bb | 2 +-
2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/meta/lib/oeqa/runtime/cases/ping.py b/meta/lib/oeqa/runtime/cases/ping.py
index f6603f75ec..498f80d0a5 100644
--- a/meta/lib/oeqa/runtime/cases/ping.py
+++ b/meta/lib/oeqa/runtime/cases/ping.py
@@ -6,6 +6,7 @@ from subprocess import Popen, PIPE
from oeqa.runtime.case import OERuntimeTestCase
from oeqa.core.decorator.oetimeout import OETimeout
+from oeqa.core.exception import OEQATimeoutError
class PingTest(OERuntimeTestCase):
@@ -13,14 +14,17 @@ class PingTest(OERuntimeTestCase):
def test_ping(self):
output = ''
count = 0
- while count < 5:
- cmd = 'ping -c 1 %s' % self.target.ip
- proc = Popen(cmd, shell=True, stdout=PIPE)
- output += proc.communicate()[0].decode('utf-8')
- if proc.poll() == 0:
- count += 1
- else:
- count = 0
+ try:
+ while count < 5:
+ cmd = 'ping -c 1 %s' % self.target.ip
+ proc = Popen(cmd, shell=True, stdout=PIPE)
+ output += proc.communicate()[0].decode('utf-8')
+ if proc.poll() == 0:
+ count += 1
+ else:
+ count = 0
+ except OEQATimeoutError:
+ self.fail("Ping timeout error for address %s, count %s, output: %s" % (self.target.ip, count, output))
msg = ('Expected 5 consecutive, got %d.\n'
'ping output is:\n%s' % (count,output))
self.assertEqual(count, 5, msg = msg)
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 976eeca1d4..c45cf4423e 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -31,7 +31,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
file://CVE-2022-23308.patch \
"
-SRC_URI[archive.sha256sum] = "28a92f6ab1f311acf5e478564c49088ef0ac77090d9c719bbc5d518f1fe62eb9"
+SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"
SRC_URI[testtar.md5sum] = "ae3d1ebe000a3972afa104ca7f0e1b4a"
SRC_URI[testtar.sha256sum] = "96151685cec997e1f9f3387e3626d61e6284d4d6e66e0e440c209286c03e9cc7"
--
2.25.1
^ permalink raw reply related [flat|nested] 18+ messages in thread* [OE-core][dunfell 13/13] oeqa/selftest/tinfoil: Improve tinfoil event test debugging
2022-03-21 22:29 [OE-core][dunfell 00/13] Patch review Steve Sakoman
` (11 preceding siblings ...)
2022-03-21 22:29 ` [OE-core][dunfell 12/13] oeqa/runtime/ping: Improve failure message to include more detail Steve Sakoman
@ 2022-03-21 22:29 ` Steve Sakoman
12 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2022-03-21 22:29 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
We still see occasional test failures for unknown reasons. Add some debugging to
show whether the matching files event was received even if the command complete wasn't.
Also ensure any commandfailed/commandexit event is shown.
This will hopefully aid debugging the next time the issue occurs.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2f7a788bb51ef09ee23c94176285437ea760fab7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oeqa/selftest/cases/tinfoil.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/lib/oeqa/selftest/cases/tinfoil.py b/meta/lib/oeqa/selftest/cases/tinfoil.py
index 4fcbe594c9..11cbced5ea 100644
--- a/meta/lib/oeqa/selftest/cases/tinfoil.py
+++ b/meta/lib/oeqa/selftest/cases/tinfoil.py
@@ -87,7 +87,7 @@ class TinfoilTests(OESelftestTestCase):
with bb.tinfoil.Tinfoil() as tinfoil:
tinfoil.prepare(config_only=True)
- tinfoil.set_event_mask(['bb.event.FilesMatchingFound', 'bb.command.CommandCompleted'])
+ tinfoil.set_event_mask(['bb.event.FilesMatchingFound', 'bb.command.CommandCompleted', 'bb.command.CommandFailed', 'bb.command.CommandExit'])
# Need to drain events otherwise events that were masked may still be in the queue
while tinfoil.wait_event():
@@ -118,7 +118,7 @@ class TinfoilTests(OESelftestTestCase):
else:
self.fail('Unexpected event: %s' % event)
- self.assertTrue(commandcomplete, 'Timed out waiting for CommandCompleted event from bitbake server')
+ self.assertTrue(commandcomplete, 'Timed out waiting for CommandCompleted event from bitbake server (Matching event received: %s)' % str(eventreceived))
self.assertTrue(eventreceived, 'Did not receive FilesMatchingFound event from bitbake server')
def test_setvariable_clean(self):
--
2.25.1
^ permalink raw reply related [flat|nested] 18+ messages in thread