* [OE-core][kirkstone 01/15] ffmpeg: fix for CVE-2022-48434
2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
2023-05-06 15:24 ` [OE-core][kirkstone 02/15] connman: fix CVE-2023-28488 DoS in client.c Steve Sakoman
` (13 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
To: openembedded-core
From: Narpat Mali <narpat.mali@windriver.com>
libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and
other products, leaves stale hwaccel state in worker threads, which
allows attackers to trigger a use-after-free and execute arbitrary
code in some circumstances (e.g., hardware re-initialization upon a
mid-video SPS change when Direct3D11 is used).
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ffmpeg/ffmpeg/CVE-2022-48434.patch | 130 ++++++++++++++++++
.../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 3 +-
2 files changed, 132 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
new file mode 100644
index 0000000000..3cd374dc39
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
@@ -0,0 +1,130 @@
+From e40c964a0678908e2c756741343ed50d6a99ee12 Mon Sep 17 00:00:00 2001
+From: Anton Khirnov <anton@khirnov.net>
+Date: Fri, 28 Apr 2023 11:45:30 +0000
+Subject: [PATCH] lavc/pthread_frame: avoid leaving stale hwaccel state in
+ worker threads
+
+This state is not refcounted, so make sure it always has a well-defined
+owner.
+
+Remove the block added in 091341f, as
+this commit also solves that issue in a more general way.
+
+CVE:CVE-2022-48434
+
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/cc867f2c09d2b69cee8a0eccd62aff002cbbfe11]
+
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ libavcodec/pthread_frame.c | 46 +++++++++++++++++++++++++++++---------
+ 1 file changed, 35 insertions(+), 11 deletions(-)
+
+diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c
+index 85a6bc9..e40dced 100644
+--- a/libavcodec/pthread_frame.c
++++ b/libavcodec/pthread_frame.c
+@@ -145,6 +145,12 @@ typedef struct FrameThreadContext {
+ * Set for the first N packets, where N is the number of threads.
+ * While it is set, ff_thread_en/decode_frame won't return any results.
+ */
++
++ /* hwaccel state is temporarily stored here in order to transfer its ownership
++ * to the next decoding thread without the need for extra synchronization */
++ const AVHWAccel *stash_hwaccel;
++ void *stash_hwaccel_context;
++ void *stash_hwaccel_priv;
+ } FrameThreadContext;
+
+ #if FF_API_THREAD_SAFE_CALLBACKS
+@@ -229,9 +235,17 @@ FF_ENABLE_DEPRECATION_WARNINGS
+ ff_thread_finish_setup(avctx);
+
+ if (p->hwaccel_serializing) {
++ /* wipe hwaccel state to avoid stale pointers lying around;
++ * the state was transferred to FrameThreadContext in
++ * ff_thread_finish_setup(), so nothing is leaked */
++ avctx->hwaccel = NULL;
++ avctx->hwaccel_context = NULL;
++ avctx->internal->hwaccel_priv_data = NULL;
++
+ p->hwaccel_serializing = 0;
+ pthread_mutex_unlock(&p->parent->hwaccel_mutex);
+ }
++ av_assert0(!avctx->hwaccel);
+
+ if (p->async_serializing) {
+ p->async_serializing = 0;
+@@ -294,14 +308,10 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src,
+ dst->color_range = src->color_range;
+ dst->chroma_sample_location = src->chroma_sample_location;
+
+- dst->hwaccel = src->hwaccel;
+- dst->hwaccel_context = src->hwaccel_context;
+-
+ dst->channels = src->channels;
+ dst->sample_rate = src->sample_rate;
+ dst->sample_fmt = src->sample_fmt;
+ dst->channel_layout = src->channel_layout;
+- dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data;
+
+ if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx ||
+ (dst->hw_frames_ctx && dst->hw_frames_ctx->data != src->hw_frames_ctx->data)) {
+@@ -442,6 +452,12 @@ static int submit_packet(PerThreadContext *p, AVCodecContext *user_avctx,
+ pthread_mutex_unlock(&p->mutex);
+ return err;
+ }
++
++ /* transfer hwaccel state stashed from previous thread, if any */
++ av_assert0(!p->avctx->hwaccel);
++ FFSWAP(const AVHWAccel*, p->avctx->hwaccel, fctx->stash_hwaccel);
++ FFSWAP(void*, p->avctx->hwaccel_context, fctx->stash_hwaccel_context);
++ FFSWAP(void*, p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
+ }
+
+ av_packet_unref(p->avpkt);
+@@ -647,6 +663,14 @@ void ff_thread_finish_setup(AVCodecContext *avctx) {
+ async_lock(p->parent);
+ }
+
++ /* save hwaccel state for passing to the next thread;
++ * this is done here so that this worker thread can wipe its own hwaccel
++ * state after decoding, without requiring synchronization */
++ av_assert0(!p->parent->stash_hwaccel);
++ p->parent->stash_hwaccel = avctx->hwaccel;
++ p->parent->stash_hwaccel_context = avctx->hwaccel_context;
++ p->parent->stash_hwaccel_priv = avctx->internal->hwaccel_priv_data;
++
+ pthread_mutex_lock(&p->progress_mutex);
+ if(atomic_load(&p->state) == STATE_SETUP_FINISHED){
+ av_log(avctx, AV_LOG_WARNING, "Multiple ff_thread_finish_setup() calls\n");
+@@ -700,13 +724,6 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
+
+ park_frame_worker_threads(fctx, thread_count);
+
+- if (fctx->prev_thread && avctx->internal->hwaccel_priv_data !=
+- fctx->prev_thread->avctx->internal->hwaccel_priv_data) {
+- if (update_context_from_thread(avctx, fctx->prev_thread->avctx, 1) < 0) {
+- av_log(avctx, AV_LOG_ERROR, "Failed to update user thread.\n");
+- }
+- }
+-
+ if (fctx->prev_thread && fctx->prev_thread != fctx->threads)
+ if (update_context_from_thread(fctx->threads->avctx, fctx->prev_thread->avctx, 0) < 0) {
+ av_log(avctx, AV_LOG_ERROR, "Final thread update failed\n");
+@@ -760,6 +777,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
+ av_freep(&fctx->threads);
+ ff_pthread_free(fctx, thread_ctx_offsets);
+
++ /* if we have stashed hwaccel state, move it to the user-facing context,
++ * so it will be freed in avcodec_close() */
++ av_assert0(!avctx->hwaccel);
++ FFSWAP(const AVHWAccel*, avctx->hwaccel, fctx->stash_hwaccel);
++ FFSWAP(void*, avctx->hwaccel_context, fctx->stash_hwaccel_context);
++ FFSWAP(void*, avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
++
+ av_freep(&avctx->internal->thread_ctx);
+ }
+
+--
+2.40.0
+
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index 4bcbda9976..6ece34fcfd 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -28,7 +28,8 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
file://0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch \
file://0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch \
file://0001-avformat-nutdec-Add-check-for-avformat_new_stream.patch \
- "
+ file://CVE-2022-48434.patch \
+ "
SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
--
2.34.1
^ permalink raw reply related [flat|nested] 26+ messages in thread* [OE-core][kirkstone 02/15] connman: fix CVE-2023-28488 DoS in client.c
2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
2023-05-06 15:24 ` [OE-core][kirkstone 01/15] ffmpeg: fix for CVE-2022-48434 Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
2023-05-06 15:24 ` [OE-core][kirkstone 03/15] freetype: fix CVE-2023-2004 integer overflowin in tt_hvadvance_adjust() in src/truetype/ttgxvar.c Steve Sakoman
` (12 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Upstream-Status: Backport from https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../connman/connman/CVE-2023-28488.patch | 60 +++++++++++++++++++
.../connman/connman_1.41.bb | 1 +
2 files changed, 61 insertions(+)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
new file mode 100644
index 0000000000..a6cabdfb20
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
@@ -0,0 +1,60 @@
+From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Tue, 11 Apr 2023 08:12:56 +0200
+Subject: gdhcp: Verify and sanitize packet length first
+
+Avoid overwriting the read packet length after the initial test. Thus
+move all the length checks which depends on the total length first
+and do not use the total lenght from the IP packet afterwards.
+
+Reported by Polina Smirnova <moe.hwr@gmail.com>
+
+CVE: CVE-2023-28488
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ gdhcp/client.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 3016dfc..28fa606 100644
+--- a/gdhcp/client.c
++++ b/gdhcp/client.c
+@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
+ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ struct sockaddr_in *dst_addr)
+ {
+- int bytes;
+ struct ip_udp_dhcp_packet packet;
+ uint16_t check;
++ int bytes, tot_len;
+
+ memset(&packet, 0, sizeof(packet));
+
+@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ if (bytes < 0)
+ return -1;
+
+- if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
+- return -1;
+-
+- if (bytes < ntohs(packet.ip.tot_len))
++ tot_len = ntohs(packet.ip.tot_len);
++ if (bytes > tot_len) {
++ /* ignore any extra garbage bytes */
++ bytes = tot_len;
++ } else if (bytes < tot_len) {
+ /* packet is bigger than sizeof(packet), we did partial read */
+ return -1;
++ }
+
+- /* ignore any extra garbage bytes */
+- bytes = ntohs(packet.ip.tot_len);
++ if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
++ return -1;
+
+ if (!sanity_check(&packet, bytes))
+ return -1;
+--
+2.25.1
+
diff --git a/meta/recipes-connectivity/connman/connman_1.41.bb b/meta/recipes-connectivity/connman/connman_1.41.bb
index 79542b2175..27b28be41c 100644
--- a/meta/recipes-connectivity/connman/connman_1.41.bb
+++ b/meta/recipes-connectivity/connman/connman_1.41.bb
@@ -8,6 +8,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
file://CVE-2022-32293_p1.patch \
file://CVE-2022-32293_p2.patch \
file://CVE-2022-32292.patch \
+ file://CVE-2023-28488.patch \
"
SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
--
2.34.1
^ permalink raw reply related [flat|nested] 26+ messages in thread* [OE-core][kirkstone 03/15] freetype: fix CVE-2023-2004 integer overflowin in tt_hvadvance_adjust() in src/truetype/ttgxvar.c
2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
2023-05-06 15:24 ` [OE-core][kirkstone 01/15] ffmpeg: fix for CVE-2022-48434 Steve Sakoman
2023-05-06 15:24 ` [OE-core][kirkstone 02/15] connman: fix CVE-2023-28488 DoS in client.c Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
2023-05-06 15:24 ` [OE-core][kirkstone 04/15] go: fix CVE-2023-24534 denial of service from excessive memory allocation Steve Sakoman
` (11 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
To: openembedded-core
From: Vivek Kumbhar <vkumbhar@mvista.com>
Fix An integer overflow vulnerability was discovered in Freetype in tt_hvadvance_adjust() function in src/truetype/ttgxvar.c
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../freetype/freetype/CVE-2023-2004.patch | 41 +++++++++++++++++++
.../freetype/freetype_2.11.1.bb | 1 +
2 files changed, 42 insertions(+)
create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
new file mode 100644
index 0000000000..f600309d3e
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
@@ -0,0 +1,41 @@
+From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 14 Nov 2022 19:18:19 +0100
+Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer
+ overflow.
+
+Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
+
+Upstream-Status: Backport [https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611]
+CVE: CVE-2023-2004
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/truetype/ttgxvar.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index 7f2db0c..8968111 100644
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -42,6 +42,7 @@
+ #include <ft2build.h>
+ #include <freetype/internal/ftdebug.h>
+ #include FT_CONFIG_CONFIG_H
++#include <freetype/internal/ftcalc.h>
+ #include <freetype/internal/ftstream.h>
+ #include <freetype/internal/sfnt.h>
+ #include <freetype/tttags.h>
+@@ -1147,7 +1148,7 @@
+ delta == 1 ? "" : "s",
+ vertical ? "VVAR" : "HVAR" ));
+
+- *avalue += delta;
++ *avalue = ADD_INT( *avalue, delta );
+
+ Exit:
+ return error;
+--
+2.25.1
+
diff --git a/meta/recipes-graphics/freetype/freetype_2.11.1.bb b/meta/recipes-graphics/freetype/freetype_2.11.1.bb
index d425e162bc..29f4d8dfb7 100644
--- a/meta/recipes-graphics/freetype/freetype_2.11.1.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.11.1.bb
@@ -16,6 +16,7 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/${BPN}/${BP}.tar.xz \
file://CVE-2022-27404.patch \
file://CVE-2022-27405.patch \
file://CVE-2022-27406.patch \
+ file://CVE-2023-2004.patch \
"
SRC_URI[sha256sum] = "3333ae7cfda88429c97a7ae63b7d01ab398076c3b67182e960e5684050f2c5c8"
--
2.34.1
^ permalink raw reply related [flat|nested] 26+ messages in thread* [OE-core][kirkstone 04/15] go: fix CVE-2023-24534 denial of service from excessive memory allocation
2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (2 preceding siblings ...)
2023-05-06 15:24 ` [OE-core][kirkstone 03/15] freetype: fix CVE-2023-2004 integer overflowin in tt_hvadvance_adjust() in src/truetype/ttgxvar.c Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
2023-05-06 15:24 ` [OE-core][kirkstone 05/15] go: Security fix for CVE-2023-24538 Steve Sakoman
` (10 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
To: openembedded-core
From: Vivek Kumbhar <vkumbhar@mvista.com>
A parsed MIME header is a map[string][]string. In the common case,
a header contains many one-element []string slices. To avoid
allocating a separate slice for each key, ReadMIMEHeader looks
ahead in the input to predict the number of keys that will be
parsed, and allocates a single []string of that length.
The individual slices are then allocated out of the larger one.
The prediction of the number of header keys was done by counting
newlines in the input buffer, which does not take into account
header continuation lines (where a header key/value spans multiple
lines) or the end of the header block and the start of the body.
This could lead to a substantial amount of overallocation, for
example when the body consists of nothing but a large block of
newlines.
Fix header key count prediction to take into account the end of
the headers (indicated by a blank line) and continuation lines
(starting with whitespace).
Thanks to Jakob Ackermann (@das7pad) for reporting this issue.
Fixes CVE-2023-24534
For #58975
Fixes #59267
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.18/CVE-2023-24534.patch | 200 ++++++++++++++++++
2 files changed, 201 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24534.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index cda9227042..c5260569e2 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -28,6 +28,7 @@ SRC_URI += "\
file://cve-2022-41725.patch \
file://CVE-2022-41722.patch \
file://CVE-2023-24537.patch \
+ file://CVE-2023-24534.patch \
"
SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-24534.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-24534.patch
new file mode 100644
index 0000000000..c65c7852d5
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-24534.patch
@@ -0,0 +1,200 @@
+From d6759e7a059f4208f07aa781402841d7ddaaef96 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Fri, 10 Mar 2023 14:21:05 -0800
+Subject: [PATCH] [release-branch.go1.19] net/textproto: avoid overpredicting
+ the number of MIME header keys
+
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802452
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+(cherry picked from commit f739f080a72fd5b06d35c8e244165159645e2ed6)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802393
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Change-Id: I675451438d619a9130360c56daf529559004903f
+Reviewed-on: https://go-review.googlesource.com/c/go/+/481982
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/d6759e7a059f4208f07aa781402841d7ddaaef96]
+CVE: CVE-2023-24534
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+
+---
+ src/bytes/bytes.go | 14 ++++++++
+ src/net/textproto/reader.go | 30 ++++++++++------
+ src/net/textproto/reader_test.go | 59 ++++++++++++++++++++++++++++++++
+ 3 files changed, 92 insertions(+), 11 deletions(-)
+
+diff --git a/src/bytes/bytes.go b/src/bytes/bytes.go
+index ce52649..95ff31c 100644
+--- a/src/bytes/bytes.go
++++ b/src/bytes/bytes.go
+@@ -1174,3 +1174,17 @@ func Index(s, sep []byte) int {
+ }
+ return -1
+ }
++
++// Cut slices s around the first instance of sep,
++// returning the text before and after sep.
++// The found result reports whether sep appears in s.
++// If sep does not appear in s, cut returns s, nil, false.
++//
++// Cut returns slices of the original slice s, not copies.
++func Cut(s, sep []byte) (before, after []byte, found bool) {
++ if i := Index(s, sep); i >= 0 {
++ return s[:i], s[i+len(sep):], true
++ }
++ return s, nil, false
++}
++
+diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
+index 6a680f4..fcbede8 100644
+--- a/src/net/textproto/reader.go
++++ b/src/net/textproto/reader.go
+@@ -493,8 +493,11 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {
+ // large one ahead of time which we'll cut up into smaller
+ // slices. If this isn't big enough later, we allocate small ones.
+ var strs []string
+- hint := r.upcomingHeaderNewlines()
++ hint := r.upcomingHeaderKeys()
+ if hint > 0 {
++ if hint > 1000 {
++ hint = 1000 // set a cap to avoid overallocation
++ }
+ strs = make([]string, hint)
+ }
+
+@@ -589,9 +592,11 @@ func mustHaveFieldNameColon(line []byte) error {
+ return nil
+ }
+
+-// upcomingHeaderNewlines returns an approximation of the number of newlines
++var nl = []byte("\n")
++
++// upcomingHeaderKeys returns an approximation of the number of keys
+ // that will be in this header. If it gets confused, it returns 0.
+-func (r *Reader) upcomingHeaderNewlines() (n int) {
++func (r *Reader) upcomingHeaderKeys() (n int) {
+ // Try to determine the 'hint' size.
+ r.R.Peek(1) // force a buffer load if empty
+ s := r.R.Buffered()
+@@ -599,17 +604,20 @@ func (r *Reader) upcomingHeaderNewlines() (n int) {
+ return
+ }
+ peek, _ := r.R.Peek(s)
+- for len(peek) > 0 {
+- i := bytes.IndexByte(peek, '\n')
+- if i < 3 {
+- // Not present (-1) or found within the next few bytes,
+- // implying we're at the end ("\r\n\r\n" or "\n\n")
+- return
++ for len(peek) > 0 && n < 1000 {
++ var line []byte
++ line, peek, _ = bytes.Cut(peek, nl)
++ if len(line) == 0 || (len(line) == 1 && line[0] == '\r') {
++ // Blank line separating headers from the body.
++ break
++ }
++ if line[0] == ' ' || line[0] == '\t' {
++ // Folded continuation of the previous line.
++ continue
+ }
+ n++
+- peek = peek[i+1:]
+ }
+- return
++ return n
+ }
+
+ // CanonicalMIMEHeaderKey returns the canonical format of the
+diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go
+index 3124d43..3ae0de1 100644
+--- a/src/net/textproto/reader_test.go
++++ b/src/net/textproto/reader_test.go
+@@ -9,6 +9,7 @@ import (
+ "bytes"
+ "io"
+ "reflect"
++ "runtime"
+ "strings"
+ "testing"
+ )
+@@ -127,6 +128,42 @@ func TestReadMIMEHeaderSingle(t *testing.T) {
+ }
+ }
+
++// TestReaderUpcomingHeaderKeys is testing an internal function, but it's very
++// difficult to test well via the external API.
++func TestReaderUpcomingHeaderKeys(t *testing.T) {
++ for _, test := range []struct {
++ input string
++ want int
++ }{{
++ input: "",
++ want: 0,
++ }, {
++ input: "A: v",
++ want: 1,
++ }, {
++ input: "A: v\r\nB: v\r\n",
++ want: 2,
++ }, {
++ input: "A: v\nB: v\n",
++ want: 2,
++ }, {
++ input: "A: v\r\n continued\r\n still continued\r\nB: v\r\n\r\n",
++ want: 2,
++ }, {
++ input: "A: v\r\n\r\nB: v\r\nC: v\r\n",
++ want: 1,
++ }, {
++ input: "A: v" + strings.Repeat("\n", 1000),
++ want: 1,
++ }} {
++ r := reader(test.input)
++ got := r.upcomingHeaderKeys()
++ if test.want != got {
++ t.Fatalf("upcomingHeaderKeys(%q): %v; want %v", test.input, got, test.want)
++ }
++ }
++}
++
+ func TestReadMIMEHeaderNoKey(t *testing.T) {
+ r := reader(": bar\ntest-1: 1\n\n")
+ m, err := r.ReadMIMEHeader()
+@@ -223,6 +260,28 @@ func TestReadMIMEHeaderTrimContinued(t *testing.T) {
+ }
+ }
+
++// Test that reading a header doesn't overallocate. Issue 58975.
++func TestReadMIMEHeaderAllocations(t *testing.T) {
++ var totalAlloc uint64
++ const count = 200
++ for i := 0; i < count; i++ {
++ r := reader("A: b\r\n\r\n" + strings.Repeat("\n", 4096))
++ var m1, m2 runtime.MemStats
++ runtime.ReadMemStats(&m1)
++ _, err := r.ReadMIMEHeader()
++ if err != nil {
++ t.Fatalf("ReadMIMEHeader: %v", err)
++ }
++ runtime.ReadMemStats(&m2)
++ totalAlloc += m2.TotalAlloc - m1.TotalAlloc
++ }
++ // 32k is large and we actually allocate substantially less,
++ // but prior to the fix for #58975 we allocated ~400k in this case.
++ if got, want := totalAlloc/count, uint64(32768); got > want {
++ t.Fatalf("ReadMIMEHeader allocated %v bytes, want < %v", got, want)
++ }
++}
++
+ type readResponseTest struct {
+ in string
+ inCode int
+--
+2.25.1
+
--
2.34.1
^ permalink raw reply related [flat|nested] 26+ messages in thread* [OE-core][kirkstone 05/15] go: Security fix for CVE-2023-24538
2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (3 preceding siblings ...)
2023-05-06 15:24 ` [OE-core][kirkstone 04/15] go: fix CVE-2023-24534 denial of service from excessive memory allocation Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
2023-05-06 15:24 ` [OE-core][kirkstone 06/15] binutils : Fix CVE-2023-25584 Steve Sakoman
` (9 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
To: openembedded-core
From: Shubham Kulkarni <skulkarni@mvista.com>
html/template: disallow actions in JS template literals
Backport from https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.18/CVE-2023-24538.patch | 208 ++++++++++++++++++
2 files changed, 209 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index c5260569e2..d7cb47ebf4 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -29,6 +29,7 @@ SRC_URI += "\
file://CVE-2022-41722.patch \
file://CVE-2023-24537.patch \
file://CVE-2023-24534.patch \
+ file://CVE-2023-24538.patch \
"
SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch
new file mode 100644
index 0000000000..502486befc
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch
@@ -0,0 +1,208 @@
+From 07cc3b8711a8efbb5885f56dd90d854049ad2f7d Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Mon, 20 Mar 2023 11:01:13 -0700
+Subject: [PATCH] html/template: disallow actions in JS template literals
+
+ECMAScript 6 introduced template literals[0][1] which are delimited with
+backticks. These need to be escaped in a similar fashion to the
+delimiters for other string literals. Additionally template literals can
+contain special syntax for string interpolation.
+
+There is no clear way to allow safe insertion of actions within JS
+template literals, as handling (JS) string interpolation inside of these
+literals is rather complex. As such we've chosen to simply disallow
+template actions within these template literals.
+
+A new error code is added for this parsing failure case, errJsTmplLit,
+but it is unexported as it is not backwards compatible with other minor
+release versions to introduce an API change in a minor release. We will
+export this code in the next major release.
+
+The previous behavior (with the cavet that backticks are now escaped
+properly) can be re-enabled with GODEBUG=jstmpllitinterp=1.
+
+This change subsumes CL471455.
+
+Thanks to Sohom Datta, Manipal Institute of Technology, for reporting
+this issue.
+
+Fixes CVE-2023-24538
+For #59234
+Fixes #59271
+
+[0] https://tc39.es/ecma262/multipage/ecmascript-language-expressions.html#sec-template-literals
+[1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals
+
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802457
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802612
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Change-Id: Ic7f10595615f2b2740d9c85ad7ef40dc0e78c04c
+Reviewed-on: https://go-review.googlesource.com/c/go/+/481987
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/html/template/context.go | 2 ++
+ src/html/template/error.go | 13 +++++++++++++
+ src/html/template/escape.go | 11 +++++++++++
+ src/html/template/js.go | 2 ++
+ src/html/template/jsctx_string.go | 9 +++++++++
+ src/html/template/transition.go | 7 ++++++-
+ 6 files changed, 43 insertions(+), 1 deletion(-)
+
+diff --git a/src/html/template/context.go b/src/html/template/context.go
+index f7d4849..0b65313 100644
+--- a/src/html/template/context.go
++++ b/src/html/template/context.go
+@@ -116,6 +116,8 @@ const (
+ stateJSDqStr
+ // stateJSSqStr occurs inside a JavaScript single quoted string.
+ stateJSSqStr
++ // stateJSBqStr occurs inside a JavaScript back quoted string.
++ stateJSBqStr
+ // stateJSRegexp occurs inside a JavaScript regexp literal.
+ stateJSRegexp
+ // stateJSBlockCmt occurs inside a JavaScript /* block comment */.
+diff --git a/src/html/template/error.go b/src/html/template/error.go
+index 0e52706..fd26b64 100644
+--- a/src/html/template/error.go
++++ b/src/html/template/error.go
+@@ -211,6 +211,19 @@ const (
+ // pipeline occurs in an unquoted attribute value context, "html" is
+ // disallowed. Avoid using "html" and "urlquery" entirely in new templates.
+ ErrPredefinedEscaper
++
++ // errJSTmplLit: "... appears in a JS template literal"
++ // Example:
++ // <script>var tmpl = `{{.Interp}`</script>
++ // Discussion:
++ // Package html/template does not support actions inside of JS template
++ // literals.
++ //
++ // TODO(rolandshoemaker): we cannot add this as an exported error in a minor
++ // release, since it is backwards incompatible with the other minor
++ // releases. As such we need to leave it unexported, and then we'll add it
++ // in the next major release.
++ errJSTmplLit
+ )
+
+ func (e *Error) Error() string {
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index 8739735..ca078f4 100644
+--- a/src/html/template/escape.go
++++ b/src/html/template/escape.go
+@@ -8,6 +8,7 @@ import (
+ "bytes"
+ "fmt"
+ "html"
++ "internal/godebug"
+ "io"
+ "text/template"
+ "text/template/parse"
+@@ -205,6 +206,16 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
+ c.jsCtx = jsCtxDivOp
+ case stateJSDqStr, stateJSSqStr:
+ s = append(s, "_html_template_jsstrescaper")
++ case stateJSBqStr:
++ debugAllowActionJSTmpl := godebug.Get("jstmpllitinterp")
++ if debugAllowActionJSTmpl == "1" {
++ s = append(s, "_html_template_jsstrescaper")
++ } else {
++ return context{
++ state: stateError,
++ err: errorf(errJSTmplLit, n, n.Line, "%s appears in a JS template literal", n),
++ }
++ }
+ case stateJSRegexp:
+ s = append(s, "_html_template_jsregexpescaper")
+ case stateCSS:
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index ea9c183..b888eaf 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -308,6 +308,7 @@ var jsStrReplacementTable = []string{
+ // Encode HTML specials as hex so the output can be embedded
+ // in HTML attributes without further encoding.
+ '"': `\u0022`,
++ '`': `\u0060`,
+ '&': `\u0026`,
+ '\'': `\u0027`,
+ '+': `\u002b`,
+@@ -331,6 +332,7 @@ var jsStrNormReplacementTable = []string{
+ '"': `\u0022`,
+ '&': `\u0026`,
+ '\'': `\u0027`,
++ '`': `\u0060`,
+ '+': `\u002b`,
+ '/': `\/`,
+ '<': `\u003c`,
+diff --git a/src/html/template/jsctx_string.go b/src/html/template/jsctx_string.go
+index dd1d87e..2394893 100644
+--- a/src/html/template/jsctx_string.go
++++ b/src/html/template/jsctx_string.go
+@@ -4,6 +4,15 @@ package template
+
+ import "strconv"
+
++func _() {
++ // An "invalid array index" compiler error signifies that the constant values have changed.
++ // Re-run the stringer command to generate them again.
++ var x [1]struct{}
++ _ = x[jsCtxRegexp-0]
++ _ = x[jsCtxDivOp-1]
++ _ = x[jsCtxUnknown-2]
++}
++
+ const _jsCtx_name = "jsCtxRegexpjsCtxDivOpjsCtxUnknown"
+
+ var _jsCtx_index = [...]uint8{0, 11, 21, 33}
+diff --git a/src/html/template/transition.go b/src/html/template/transition.go
+index 06df679..92eb351 100644
+--- a/src/html/template/transition.go
++++ b/src/html/template/transition.go
+@@ -27,6 +27,7 @@ var transitionFunc = [...]func(context, []byte) (context, int){
+ stateJS: tJS,
+ stateJSDqStr: tJSDelimited,
+ stateJSSqStr: tJSDelimited,
++ stateJSBqStr: tJSDelimited,
+ stateJSRegexp: tJSDelimited,
+ stateJSBlockCmt: tBlockCmt,
+ stateJSLineCmt: tLineCmt,
+@@ -262,7 +263,7 @@ func tURL(c context, s []byte) (context, int) {
+
+ // tJS is the context transition function for the JS state.
+ func tJS(c context, s []byte) (context, int) {
+- i := bytes.IndexAny(s, `"'/`)
++ i := bytes.IndexAny(s, "\"`'/")
+ if i == -1 {
+ // Entire input is non string, comment, regexp tokens.
+ c.jsCtx = nextJSCtx(s, c.jsCtx)
+@@ -274,6 +275,8 @@ func tJS(c context, s []byte) (context, int) {
+ c.state, c.jsCtx = stateJSDqStr, jsCtxRegexp
+ case '\'':
+ c.state, c.jsCtx = stateJSSqStr, jsCtxRegexp
++ case '`':
++ c.state, c.jsCtx = stateJSBqStr, jsCtxRegexp
+ case '/':
+ switch {
+ case i+1 < len(s) && s[i+1] == '/':
+@@ -303,6 +306,8 @@ func tJSDelimited(c context, s []byte) (context, int) {
+ switch c.state {
+ case stateJSSqStr:
+ specials = `\'`
++ case stateJSBqStr:
++ specials = "`\\"
+ case stateJSRegexp:
+ specials = `\/[]`
+ }
+--
+2.7.4
--
2.34.1
^ permalink raw reply related [flat|nested] 26+ messages in thread* [OE-core][kirkstone 06/15] binutils : Fix CVE-2023-25584
2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (4 preceding siblings ...)
2023-05-06 15:24 ` [OE-core][kirkstone 05/15] go: Security fix for CVE-2023-24538 Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
2023-05-06 15:24 ` [OE-core][kirkstone 07/15] binutils : Fix CVE-2023-25585 Steve Sakoman
` (8 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
To: openembedded-core
From: Deepthi Hemraj <deepadeepthi98@gmail.com>
Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44]
Signed-off-by: Deepthi Hemraj <deepadeepthi98@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../binutils/binutils-2.38.inc | 3 +
.../binutils/0022-CVE-2023-25584-1.patch | 56 ++
.../binutils/0022-CVE-2023-25584-2.patch | 38 ++
.../binutils/0022-CVE-2023-25584-3.patch | 534 ++++++++++++++++++
4 files changed, 631 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index bf44e6c762..69fb8539ba 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -50,5 +50,8 @@ SRC_URI = "\
file://0021-CVE-2023-1579-2.patch \
file://0021-CVE-2023-1579-3.patch \
file://0021-CVE-2023-1579-4.patch \
+ file://0022-CVE-2023-25584-1.patch \
+ file://0022-CVE-2023-25584-2.patch \
+ file://0022-CVE-2023-25584-3.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch
new file mode 100644
index 0000000000..990243f5c9
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch
@@ -0,0 +1,56 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 17 Mar 2022 09:35:39 +0000 (+1030)
+Subject: ubsan: Null dereference in parse_module
+X-Git-Tag: gdb-12.1-release~59
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c9178f285acf19e066be8367185d52837161b0a2
+
+ubsan: Null dereference in parse_module
+
+ * vms-alpha.c (parse_module): Sanity check that DST__K_RTNBEG
+ has set module->func_table for DST__K_RTNEND. Check return
+ of bfd_zalloc.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c9178f285acf19e066be8367185d52837161b0a2]
+
+CVE: CVE-2023-25584
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+
+diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
+index 4a92574c850..1129c98f0e2 100644
+--- a/bfd/vms-alpha.c
++++ b/bfd/vms-alpha.c
+@@ -4352,9 +4352,13 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+
+ /* Initialize tables with zero element. */
+ curr_srec = (struct srecinfo *) bfd_zalloc (abfd, sizeof (struct srecinfo));
++ if (!curr_srec)
++ return false;
+ module->srec_table = curr_srec;
+
+ curr_line = (struct lineinfo *) bfd_zalloc (abfd, sizeof (struct lineinfo));
++ if (!curr_line)
++ return false;
+ module->line_table = curr_line;
+
+ while (length == -1 || ptr < maxptr)
+@@ -4389,6 +4393,8 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+ case DST__K_RTNBEG:
+ funcinfo = (struct funcinfo *)
+ bfd_zalloc (abfd, sizeof (struct funcinfo));
++ if (!funcinfo)
++ return false;
+ funcinfo->name
+ = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME,
+ maxptr - (ptr + DST_S_B_RTNBEG_NAME));
+@@ -4401,6 +4407,8 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+ break;
+
+ case DST__K_RTNEND:
++ if (!module->func_table)
++ return false;
+ module->func_table->high = module->func_table->low
+ + bfd_getl32 (ptr + DST_S_L_RTNEND_SIZE) - 1;
+
diff --git a/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch
new file mode 100644
index 0000000000..f4c5ed2aff
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch
@@ -0,0 +1,38 @@
+From da928f639002002dfc649ed9f50492d5d6cb4cee Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 5 Dec 2022 11:11:44 +0000
+Subject: [PATCH] Fix an illegal memory access when parsing a corrupt VMS Alpha
+ file.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix an illegal memory access when parsing a corrupt VMS Alpha file.
+
+ PR 29848
+ * vms-alpha.c (parse_module): Fix potential out of bounds memory
+ access.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=942fa4fb32738ecbb447546d54f1e5f0312d2ed4]
+
+CVE: CVE-2023-25584
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+ bfd/vms-alpha.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
+index c548722c..53b3f1bf 100644
+--- a/bfd/vms-alpha.c
++++ b/bfd/vms-alpha.c
+@@ -4361,7 +4361,7 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+ return false;
+ module->line_table = curr_line;
+
+- while (length == -1 || ptr < maxptr)
++ while (length == -1 || (ptr + 3) < maxptr)
+ {
+ /* The first byte is not counted in the recorded length. */
+ int rec_length = bfd_getl16 (ptr) + 1;
diff --git a/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch
new file mode 100644
index 0000000000..abe501e570
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch
@@ -0,0 +1,534 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 12 Dec 2022 07:58:49 +0000 (+1030)
+Subject: Lack of bounds checking in vms-alpha.c parse_module
+X-Git-Tag: gdb-13-branchpoint~87
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=77c225bdeb410cf60da804879ad41622f5f1aa44
+
+Lack of bounds checking in vms-alpha.c parse_module
+
+ PR 29873
+ PR 29874
+ PR 29875
+ PR 29876
+ PR 29877
+ PR 29878
+ PR 29879
+ PR 29880
+ PR 29881
+ PR 29882
+ PR 29883
+ PR 29884
+ PR 29885
+ PR 29886
+ PR 29887
+ PR 29888
+ PR 29889
+ PR 29890
+ PR 29891
+ * vms-alpha.c (parse_module): Make length param bfd_size_type.
+ Delete length == -1 checks. Sanity check record_length.
+ Sanity check DST__K_MODBEG, DST__K_RTNBEG, DST__K_RTNEND lengths.
+ Sanity check DST__K_SOURCE and DST__K_LINE_NUM elements
+ before accessing.
+ (build_module_list): Pass dst_section size to parse_module.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=77c225bdeb410cf60da804879ad41622f5f1aa44]
+
+CVE: CVE-2023-25584
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+
+diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
+index c0eb5bc5a2a..3b63259cc81 100644
+--- a/bfd/vms-alpha.c
++++ b/bfd/vms-alpha.c
+@@ -4340,7 +4340,7 @@ new_module (bfd *abfd)
+
+ static bool
+ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+- int length)
++ bfd_size_type length)
+ {
+ unsigned char *maxptr = ptr + length;
+ unsigned char *src_ptr, *pcl_ptr;
+@@ -4361,7 +4361,7 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+ return false;
+ module->line_table = curr_line;
+
+- while (length == -1 || (ptr + 3) < maxptr)
++ while (ptr + 3 < maxptr)
+ {
+ /* The first byte is not counted in the recorded length. */
+ int rec_length = bfd_getl16 (ptr) + 1;
+@@ -4369,15 +4369,19 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+
+ vms_debug2 ((2, "DST record: leng %d, type %d\n", rec_length, rec_type));
+
+- if (length == -1 && rec_type == DST__K_MODEND)
++ if (rec_length > maxptr - ptr)
++ break;
++ if (rec_type == DST__K_MODEND)
+ break;
+
+ switch (rec_type)
+ {
+ case DST__K_MODBEG:
++ if (rec_length <= DST_S_B_MODBEG_NAME)
++ break;
+ module->name
+ = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_MODBEG_NAME,
+- maxptr - (ptr + DST_S_B_MODBEG_NAME));
++ rec_length - DST_S_B_MODBEG_NAME);
+
+ curr_pc = 0;
+ prev_pc = 0;
+@@ -4391,13 +4395,15 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+ break;
+
+ case DST__K_RTNBEG:
++ if (rec_length <= DST_S_B_RTNBEG_NAME)
++ break;
+ funcinfo = (struct funcinfo *)
+ bfd_zalloc (abfd, sizeof (struct funcinfo));
+ if (!funcinfo)
+ return false;
+ funcinfo->name
+ = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME,
+- maxptr - (ptr + DST_S_B_RTNBEG_NAME));
++ rec_length - DST_S_B_RTNBEG_NAME);
+ funcinfo->low = bfd_getl32 (ptr + DST_S_L_RTNBEG_ADDRESS);
+ funcinfo->next = module->func_table;
+ module->func_table = funcinfo;
+@@ -4407,6 +4413,8 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+ break;
+
+ case DST__K_RTNEND:
++ if (rec_length < DST_S_L_RTNEND_SIZE + 4)
++ break;
+ if (!module->func_table)
+ return false;
+ module->func_table->high = module->func_table->low
+@@ -4439,10 +4447,63 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+
+ vms_debug2 ((3, "source info\n"));
+
+- while (src_ptr < ptr + rec_length)
++ while (src_ptr - ptr < rec_length)
+ {
+ int cmd = src_ptr[0], cmd_length, data;
+
++ switch (cmd)
++ {
++ case DST__K_SRC_DECLFILE:
++ if (src_ptr - ptr + DST_S_B_SRC_DF_LENGTH >= rec_length)
++ cmd_length = 0x10000;
++ else
++ cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2;
++ break;
++
++ case DST__K_SRC_DEFLINES_B:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SRC_DEFLINES_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_INCRLNUM_B:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SRC_SETFILE:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_SETLNUM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SRC_SETLNUM_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_SETREC_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SRC_SETREC_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_FORMFEED:
++ cmd_length = 1;
++ break;
++
++ default:
++ cmd_length = 2;
++ break;
++ }
++
++ if (src_ptr - ptr + cmd_length > rec_length)
++ break;
++
+ switch (cmd)
+ {
+ case DST__K_SRC_DECLFILE:
+@@ -4467,7 +4528,6 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+
+ module->file_table [fileid].name = filename;
+ module->file_table [fileid].srec = 1;
+- cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2;
+ vms_debug2 ((4, "DST_S_C_SRC_DECLFILE: %d, %s\n",
+ fileid, module->file_table [fileid].name));
+ }
+@@ -4484,7 +4544,6 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+ srec->sfile = curr_srec->sfile;
+ curr_srec->next = srec;
+ curr_srec = srec;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_B: %d\n", data));
+ break;
+
+@@ -4499,14 +4558,12 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+ srec->sfile = curr_srec->sfile;
+ curr_srec->next = srec;
+ curr_srec = srec;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_W: %d\n", data));
+ break;
+
+ case DST__K_SRC_INCRLNUM_B:
+ data = src_ptr[DST_S_B_SRC_UNSBYTE];
+ curr_srec->line += data;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST_S_C_SRC_INCRLNUM_B: %d\n", data));
+ break;
+
+@@ -4514,21 +4571,18 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+ data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
+ curr_srec->sfile = data;
+ curr_srec->srec = module->file_table[data].srec;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST_S_C_SRC_SETFILE: %d\n", data));
+ break;
+
+ case DST__K_SRC_SETLNUM_L:
+ data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG);
+ curr_srec->line = data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_L: %d\n", data));
+ break;
+
+ case DST__K_SRC_SETLNUM_W:
+ data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
+ curr_srec->line = data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_W: %d\n", data));
+ break;
+
+@@ -4536,7 +4590,6 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+ data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG);
+ curr_srec->srec = data;
+ module->file_table[curr_srec->sfile].srec = data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST_S_C_SRC_SETREC_L: %d\n", data));
+ break;
+
+@@ -4544,19 +4597,16 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+ data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
+ curr_srec->srec = data;
+ module->file_table[curr_srec->sfile].srec = data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST_S_C_SRC_SETREC_W: %d\n", data));
+ break;
+
+ case DST__K_SRC_FORMFEED:
+- cmd_length = 1;
+ vms_debug2 ((4, "DST_S_C_SRC_FORMFEED\n"));
+ break;
+
+ default:
+ _bfd_error_handler (_("unknown source command %d"),
+ cmd);
+- cmd_length = 2;
+ break;
+ }
+
+@@ -4569,18 +4619,114 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+
+ vms_debug2 ((3, "line info\n"));
+
+- while (pcl_ptr < ptr + rec_length)
++ while (pcl_ptr - ptr < rec_length)
+ {
+ /* The command byte is signed so we must sign-extend it. */
+ int cmd = ((signed char *)pcl_ptr)[0], cmd_length, data;
+
++ switch (cmd)
++ {
++ case DST__K_DELTA_PC_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_DELTA_PC_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_INCR_LINUM:
++ cmd_length = 2;
++ break;
++
++ case DST__K_INCR_LINUM_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_INCR_LINUM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_LINUM_INCR:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SET_LINUM_INCR_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_RESET_LINUM_INCR:
++ cmd_length = 1;
++ break;
++
++ case DST__K_BEG_STMT_MODE:
++ cmd_length = 1;
++ break;
++
++ case DST__K_END_STMT_MODE:
++ cmd_length = 1;
++ break;
++
++ case DST__K_SET_LINUM_B:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SET_LINUM:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SET_LINUM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_PC:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SET_PC_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SET_PC_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_STMTNUM:
++ cmd_length = 2;
++ break;
++
++ case DST__K_TERM:
++ cmd_length = 2;
++ break;
++
++ case DST__K_TERM_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_TERM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_ABS_PC:
++ cmd_length = 5;
++ break;
++
++ default:
++ if (cmd <= 0)
++ cmd_length = 1;
++ else
++ cmd_length = 2;
++ break;
++ }
++
++ if (pcl_ptr - ptr + cmd_length > rec_length)
++ break;
++
+ switch (cmd)
+ {
+ case DST__K_DELTA_PC_W:
+ data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+ curr_pc += data;
+ curr_linenum += 1;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST__K_DELTA_PC_W: %d\n", data));
+ break;
+
+@@ -4588,131 +4734,111 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_pc += data;
+ curr_linenum += 1;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_DELTA_PC_L: %d\n", data));
+ break;
+
+ case DST__K_INCR_LINUM:
+ data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
+ curr_linenum += data;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST__K_INCR_LINUM: %d\n", data));
+ break;
+
+ case DST__K_INCR_LINUM_W:
+ data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+ curr_linenum += data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST__K_INCR_LINUM_W: %d\n", data));
+ break;
+
+ case DST__K_INCR_LINUM_L:
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_linenum += data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_INCR_LINUM_L: %d\n", data));
+ break;
+
+ case DST__K_SET_LINUM_INCR:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_LINUM_INCR");
+- cmd_length = 2;
+ break;
+
+ case DST__K_SET_LINUM_INCR_W:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_LINUM_INCR_W");
+- cmd_length = 3;
+ break;
+
+ case DST__K_RESET_LINUM_INCR:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_RESET_LINUM_INCR");
+- cmd_length = 1;
+ break;
+
+ case DST__K_BEG_STMT_MODE:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_BEG_STMT_MODE");
+- cmd_length = 1;
+ break;
+
+ case DST__K_END_STMT_MODE:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_END_STMT_MODE");
+- cmd_length = 1;
+ break;
+
+ case DST__K_SET_LINUM_B:
+ data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
+ curr_linenum = data;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST__K_SET_LINUM_B: %d\n", data));
+ break;
+
+ case DST__K_SET_LINUM:
+ data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+ curr_linenum = data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST__K_SET_LINE_NUM: %d\n", data));
+ break;
+
+ case DST__K_SET_LINUM_L:
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_linenum = data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_SET_LINUM_L: %d\n", data));
+ break;
+
+ case DST__K_SET_PC:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_PC");
+- cmd_length = 2;
+ break;
+
+ case DST__K_SET_PC_W:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_PC_W");
+- cmd_length = 3;
+ break;
+
+ case DST__K_SET_PC_L:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_PC_L");
+- cmd_length = 5;
+ break;
+
+ case DST__K_SET_STMTNUM:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_STMTNUM");
+- cmd_length = 2;
+ break;
+
+ case DST__K_TERM:
+ data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
+ curr_pc += data;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST__K_TERM: %d\n", data));
+ break;
+
+ case DST__K_TERM_W:
+ data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+ curr_pc += data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST__K_TERM_W: %d\n", data));
+ break;
+
+ case DST__K_TERM_L:
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_pc += data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_TERM_L: %d\n", data));
+ break;
+
+ case DST__K_SET_ABS_PC:
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_pc = data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_SET_ABS_PC: 0x%x\n", data));
+ break;
+
+@@ -4721,15 +4847,11 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+ {
+ curr_pc -= cmd;
+ curr_linenum += 1;
+- cmd_length = 1;
+ vms_debug2 ((4, "bump pc to 0x%lx and line to %d\n",
+ (unsigned long)curr_pc, curr_linenum));
+ }
+ else
+- {
+- _bfd_error_handler (_("unknown line command %d"), cmd);
+- cmd_length = 2;
+- }
++ _bfd_error_handler (_("unknown line command %d"), cmd);
+ break;
+ }
+
+@@ -4859,7 +4981,8 @@ build_module_list (bfd *abfd)
+ return NULL;
+
+ module = new_module (abfd);
+- if (!parse_module (abfd, module, PRIV (dst_section)->contents, -1))
++ if (!parse_module (abfd, module, PRIV (dst_section)->contents,
++ PRIV (dst_section)->size))
+ return NULL;
+ list = module;
+ }
--
2.34.1
^ permalink raw reply related [flat|nested] 26+ messages in thread* [OE-core][kirkstone 07/15] binutils : Fix CVE-2023-25585
2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (5 preceding siblings ...)
2023-05-06 15:24 ` [OE-core][kirkstone 06/15] binutils : Fix CVE-2023-25584 Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
2023-05-06 15:24 ` [OE-core][kirkstone 08/15] binutils : Fix CVE-2023-1972 Steve Sakoman
` (7 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
To: openembedded-core
From: Deepthi Hemraj <deepadeepthi98@gmail.com>
Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=65cf035b8dc1df5d8020e0b1449514a3c42933e7]
Signed-off-by: Deepthi Hemraj <deepadeepthi98@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../binutils/binutils-2.38.inc | 1 +
.../binutils/0023-CVE-2023-25585.patch | 54 +++++++++++++++++++
2 files changed, 55 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index 69fb8539ba..408b503644 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -53,5 +53,6 @@ SRC_URI = "\
file://0022-CVE-2023-25584-1.patch \
file://0022-CVE-2023-25584-2.patch \
file://0022-CVE-2023-25584-3.patch \
+ file://0023-CVE-2023-25585.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch b/meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch
new file mode 100644
index 0000000000..e31a027b9f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch
@@ -0,0 +1,54 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 12 Dec 2022 08:31:08 +0000 (+1030)
+Subject: PR29892, Field file_table of struct module is uninitialized
+X-Git-Tag: gdb-13-branchpoint~86
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=65cf035b8dc1df5d8020e0b1449514a3c42933e7
+
+PR29892, Field file_table of struct module is uninitialized
+
+ PR 29892
+ * vms-alphs.c (new_module): Use bfd_zmalloc to alloc file_table.
+ (parse_module): Rewrite file_table reallocation code and clear.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=65cf035b8dc1df5d8020e0b1449514a3c42933e7]
+
+CVE: CVE-2023-25585
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+
+diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
+index 3b63259cc81..6ee7060b0b2 100644
+--- a/bfd/vms-alpha.c
++++ b/bfd/vms-alpha.c
+@@ -4337,7 +4337,7 @@ new_module (bfd *abfd)
+ = (struct module *) bfd_zalloc (abfd, sizeof (struct module));
+ module->file_table_count = 16; /* Arbitrary. */
+ module->file_table
+- = bfd_malloc (module->file_table_count * sizeof (struct fileinfo));
++ = bfd_zmalloc (module->file_table_count * sizeof (struct fileinfo));
+ return module;
+ }
+
+@@ -4520,15 +4520,18 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+ src_ptr + DST_S_B_SRC_DF_FILENAME,
+ ptr + rec_length - (src_ptr + DST_S_B_SRC_DF_FILENAME));
+
+- while (fileid >= module->file_table_count)
++ if (fileid >= module->file_table_count)
+ {
+- module->file_table_count *= 2;
++ unsigned int old_count = module->file_table_count;
++ module->file_table_count += fileid;
+ module->file_table
+ = bfd_realloc_or_free (module->file_table,
+ module->file_table_count
+ * sizeof (struct fileinfo));
+ if (module->file_table == NULL)
+ return false;
++ memset (module->file_table + old_count, 0,
++ fileid * sizeof (struct fileinfo));
+ }
+
+ module->file_table [fileid].name = filename;
--
2.34.1
^ permalink raw reply related [flat|nested] 26+ messages in thread* [OE-core][kirkstone 08/15] binutils : Fix CVE-2023-1972
2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (6 preceding siblings ...)
2023-05-06 15:24 ` [OE-core][kirkstone 07/15] binutils : Fix CVE-2023-25585 Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
2023-05-06 15:24 ` [OE-core][kirkstone 09/15] binutils : Fix CVE-2023-25588 Steve Sakoman
` (6 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
To: openembedded-core
From: Deepthi Hemraj <deepadeepthi98@gmail.com>
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c22d38baefc5a7a1e1f5cdc9dbb556b1f0ec5c57]
Signed-off-by: Deepthi Hemraj <deepadeepthi98@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../binutils/binutils-2.38.inc | 1 +
.../binutils/0026-CVE-2023-1972.patch | 41 +++++++++++++++++++
2 files changed, 42 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index 408b503644..1ea17990c8 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -54,5 +54,6 @@ SRC_URI = "\
file://0022-CVE-2023-25584-2.patch \
file://0022-CVE-2023-25584-3.patch \
file://0023-CVE-2023-25585.patch \
+ file://0026-CVE-2023-1972.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch b/meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch
new file mode 100644
index 0000000000..f86adad217
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch
@@ -0,0 +1,41 @@
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 30 Mar 2023 09:10:09 +0000 (+0100)
+Subject: Fix an illegal memory access when an accessing a zer0-lengthverdef table.
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c22d38baefc5a7a1e1f5cdc9dbb556b1f0ec5c57
+
+Fix an illegal memory access when an accessing a zer0-lengthverdef table.
+
+ PR 30285
+ * elf.c (_bfd_elf_slurp_version_tables): Fail if no version definitions are allocated.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c22d38baefc5a7a1e1f5cdc9dbb556b1f0ec5c57]
+
+CVE: CVE-2023-1972
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 027d0143735..185028cbd97 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -9030,6 +9030,9 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver)
+ bfd_set_error (bfd_error_file_too_big);
+ goto error_return_verdef;
+ }
++
++ if (amt == 0)
++ goto error_return_verdef;
+ elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *) bfd_zalloc (abfd, amt);
+ if (elf_tdata (abfd)->verdef == NULL)
+ goto error_return_verdef;
+@@ -9133,6 +9136,8 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver)
+ bfd_set_error (bfd_error_file_too_big);
+ goto error_return;
+ }
++ if (amt == 0)
++ goto error_return;
+ elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *) bfd_zalloc (abfd, amt);
+ if (elf_tdata (abfd)->verdef == NULL)
+ goto error_return;
--
2.34.1
^ permalink raw reply related [flat|nested] 26+ messages in thread* [OE-core][kirkstone 09/15] binutils : Fix CVE-2023-25588
2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (7 preceding siblings ...)
2023-05-06 15:24 ` [OE-core][kirkstone 08/15] binutils : Fix CVE-2023-1972 Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
2023-05-06 15:24 ` [OE-core][kirkstone 10/15] webkitgtk: fix CVE-2022-32888 & CVE-2022-32923 Steve Sakoman
` (5 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
To: openembedded-core
From: Deepthi Hemraj <deepadeepthi98@gmail.com>
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1]
Signed-off-by: Deepthi Hemraj <deepadeepthi98@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../binutils/binutils-2.38.inc | 1 +
.../binutils/0025-CVE-2023-25588.patch | 147 ++++++++++++++++++
2 files changed, 148 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index 1ea17990c8..5c3ff3d93a 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -55,5 +55,6 @@ SRC_URI = "\
file://0022-CVE-2023-25584-3.patch \
file://0023-CVE-2023-25585.patch \
file://0026-CVE-2023-1972.patch \
+ file://0025-CVE-2023-25588.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch b/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch
new file mode 100644
index 0000000000..142d201c40
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch
@@ -0,0 +1,147 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 14 Oct 2022 00:00:21 +0000 (+1030)
+Subject: PR29677, Field `the_bfd` of `asymbol` is uninitialised
+X-Git-Tag: gdb-13-branchpoint~871
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1
+
+PR29677, Field `the_bfd` of `asymbol` is uninitialised
+
+Besides not initialising the_bfd of synthetic symbols, counting
+symbols when sizing didn't match symbols created if there were any
+dynsyms named "". We don't want synthetic symbols without names
+anyway, so get rid of them. Also, simplify and correct sanity checks.
+
+ PR 29677
+ * mach-o.c (bfd_mach_o_get_synthetic_symtab): Rewrite.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1]
+
+CVE: CVE-2023-25588
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+
+diff --git a/bfd/mach-o.c b/bfd/mach-o.c
+index acb35e7f0c6..5279343768c 100644
+--- a/bfd/mach-o.c
++++ b/bfd/mach-o.c
+@@ -938,11 +938,9 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+ bfd_mach_o_symtab_command *symtab = mdata->symtab;
+ asymbol *s;
+ char * s_start;
+- char * s_end;
+ unsigned long count, i, j, n;
+ size_t size;
+ char *names;
+- char *nul_name;
+ const char stub [] = "$stub";
+
+ *ret = NULL;
+@@ -955,27 +953,27 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+ /* We need to allocate a bfd symbol for every indirect symbol and to
+ allocate the memory for its name. */
+ count = dysymtab->nindirectsyms;
+- size = count * sizeof (asymbol) + 1;
+-
++ size = 0;
+ for (j = 0; j < count; j++)
+ {
+- const char * strng;
+ unsigned int isym = dysymtab->indirect_syms[j];
++ const char *str;
+
+ /* Some indirect symbols are anonymous. */
+- if (isym < symtab->nsyms && (strng = symtab->symbols[isym].symbol.name))
+- /* PR 17512: file: f5b8eeba. */
+- size += strnlen (strng, symtab->strsize - (strng - symtab->strtab)) + sizeof (stub);
++ if (isym < symtab->nsyms
++ && (str = symtab->symbols[isym].symbol.name) != NULL)
++ {
++ /* PR 17512: file: f5b8eeba. */
++ size += strnlen (str, symtab->strsize - (str - symtab->strtab));
++ size += sizeof (stub);
++ }
+ }
+
+- s_start = bfd_malloc (size);
++ s_start = bfd_malloc (size + count * sizeof (asymbol));
+ s = *ret = (asymbol *) s_start;
+ if (s == NULL)
+ return -1;
+ names = (char *) (s + count);
+- nul_name = names;
+- *names++ = 0;
+- s_end = s_start + size;
+
+ n = 0;
+ for (i = 0; i < mdata->nsects; i++)
+@@ -997,47 +995,39 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+ entry_size = bfd_mach_o_section_get_entry_size (abfd, sec);
+
+ /* PR 17512: file: 08e15eec. */
+- if (first >= count || last >= count || first > last)
++ if (first >= count || last > count || first > last)
+ goto fail;
+
+ for (j = first; j < last; j++)
+ {
+ unsigned int isym = dysymtab->indirect_syms[j];
+-
+- /* PR 17512: file: 04d64d9b. */
+- if (((char *) s) + sizeof (* s) > s_end)
+- goto fail;
+-
+- s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
+- s->section = sec->bfdsection;
+- s->value = addr - sec->addr;
+- s->udata.p = NULL;
++ const char *str;
++ size_t len;
+
+ if (isym < symtab->nsyms
+- && symtab->symbols[isym].symbol.name)
++ && (str = symtab->symbols[isym].symbol.name) != NULL)
+ {
+- const char *sym = symtab->symbols[isym].symbol.name;
+- size_t len;
+-
+- s->name = names;
+- len = strlen (sym);
+- /* PR 17512: file: 47dfd4d2. */
+- if (names + len >= s_end)
++ /* PR 17512: file: 04d64d9b. */
++ if (n >= count)
+ goto fail;
+- memcpy (names, sym, len);
+- names += len;
+- /* PR 17512: file: 18f340a4. */
+- if (names + sizeof (stub) >= s_end)
++ len = strnlen (str, symtab->strsize - (str - symtab->strtab));
++ /* PR 17512: file: 47dfd4d2, 18f340a4. */
++ if (size < len + sizeof (stub))
+ goto fail;
+- memcpy (names, stub, sizeof (stub));
+- names += sizeof (stub);
++ memcpy (names, str, len);
++ memcpy (names + len, stub, sizeof (stub));
++ s->name = names;
++ names += len + sizeof (stub);
++ size -= len + sizeof (stub);
++ s->the_bfd = symtab->symbols[isym].symbol.the_bfd;
++ s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
++ s->section = sec->bfdsection;
++ s->value = addr - sec->addr;
++ s->udata.p = NULL;
++ s++;
++ n++;
+ }
+- else
+- s->name = nul_name;
+-
+ addr += entry_size;
+- s++;
+- n++;
+ }
+ break;
+ default:
--
2.34.1
^ permalink raw reply related [flat|nested] 26+ messages in thread* [OE-core][kirkstone 10/15] webkitgtk: fix CVE-2022-32888 & CVE-2022-32923
2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (8 preceding siblings ...)
2023-05-06 15:24 ` [OE-core][kirkstone 09/15] binutils : Fix CVE-2023-25588 Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
2023-05-06 15:24 ` [OE-core][kirkstone 11/15] python3-cryptography: fix for CVE-2023-23931 Steve Sakoman
` (4 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
To: openembedded-core
From: Kai Kang <kai.kang@windriver.com>
Backport patches to fix CVE-2022-32888 and CVE-2022-32923 for webkitgtk
2.36.8. The bugzilla IDs of the CVEs are from https://support.apple.com
which have been listed in patch headers.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../webkit/webkitgtk/CVE-2022-32888.patch | 41 ++
.../webkit/webkitgtk/CVE-2022-32923.patch | 435 ++++++++++++++++++
meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 2 +
3 files changed, 478 insertions(+)
create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-32888.patch
create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32888.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32888.patch
new file mode 100644
index 0000000000..1a6b685450
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32888.patch
@@ -0,0 +1,41 @@
+CVE: CVE-2022-32888
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/a3dd7dc]
+
+[1]: https://support.apple.com/en-us/HT213446
+[2]: https://bugs.webkit.org/show_bug.cgi?id=242047
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From a3dd7dc5f60b87a7cfd14c372e40ebd339076763 Mon Sep 17 00:00:00 2001
+From: Yusuke Suzuki <ysuzuki@apple.com>
+Date: Mon, 27 Jun 2022 21:34:55 -0700
+Subject: [PATCH] [JSC] Drop wasm stale assertion
+ https://bugs.webkit.org/show_bug.cgi?id=242047 rdar://95866655
+
+Reviewed by Mark Lam.
+
+This patch drops stale assertion in addDelegateToUnreachable.
+
+* Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:
+(JSC::Wasm::LLIntGenerator::addDelegateToUnreachable):
+
+Canonical link: https://commits.webkit.org/251902@main
+---
+ Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp b/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
+index 39fb39b3331f..d0d2b9725991 100644
+--- a/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
++++ b/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
+@@ -1182,7 +1182,6 @@ auto LLIntGenerator::addDelegateToUnreachable(ControlType& target, ControlType&
+
+ ControlTry& tryData = std::get<ControlTry>(data);
+ m_codeBlock->addExceptionHandler({ HandlerType::Delegate, tryData.m_try->location(), delegateLabel->location(), 0, m_tryDepth, targetDepth });
+- checkConsistency();
+ return { };
+ }
+
+--
+2.34.1
+
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch
new file mode 100644
index 0000000000..60342a14f8
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch
@@ -0,0 +1,435 @@
+CVE: CVE-2022-32923
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/ef76e31]
+
+[1]: https://support.apple.com/en-us/HT213495
+[2]: https://bugs.webkit.org/show_bug.cgi?id=242964
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From ef76e31a2a066c3d65a9c94a9e2cd88133260c1f Mon Sep 17 00:00:00 2001
+From: Yusuke Suzuki <ysuzuki@apple.com>
+Date: Wed, 20 Jul 2022 19:30:48 -0700
+Subject: [PATCH] [JSC] BakcwardPropagationPhase should carry NaN / Infinity
+ handling https://bugs.webkit.org/show_bug.cgi?id=242964 rdar://96791603
+
+Reviewed by Mark Lam.
+
+For correctness, we should carry NaN / Infinity handling to make it more clear in the code generation site.
+
+* Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp:
+(JSC::DFG::BackwardsPropagationPhase::propagate):
+* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
+(JSC::DFG::FixupPhase::fixupArithDivInt32):
+(JSC::DFG::FixupPhase::fixupArithDiv):
+* Source/JavaScriptCore/dfg/DFGGraph.h:
+* Source/JavaScriptCore/dfg/DFGNode.h:
+* Source/JavaScriptCore/dfg/DFGNodeFlags.cpp:
+(JSC::DFG::dumpNodeFlags):
+* Source/JavaScriptCore/dfg/DFGNodeFlags.h:
+(JSC::DFG::bytecodeCanIgnoreNaNAndInfinity):
+(JSC::DFG::nodeCanSpeculateInt32ForDiv):
+* Source/JavaScriptCore/dfg/DFGNodeType.h:
+
+Canonical link: https://commits.webkit.org/252675@main
+---
+ .../dfg/DFGBackwardsPropagationPhase.cpp | 51 +++++++++++--------
+ Source/JavaScriptCore/dfg/DFGFixupPhase.cpp | 6 ++-
+ Source/JavaScriptCore/dfg/DFGGraph.h | 11 ++++
+ Source/JavaScriptCore/dfg/DFGNode.h | 12 +++--
+ Source/JavaScriptCore/dfg/DFGNodeFlags.cpp | 10 ++--
+ Source/JavaScriptCore/dfg/DFGNodeFlags.h | 37 +++++++++++---
+ Source/JavaScriptCore/dfg/DFGNodeType.h | 3 +-
+ 7 files changed, 91 insertions(+), 39 deletions(-)
+
+diff --git a/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp b/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
+index 306ea5d6b974..83a08aff7c20 100644
+--- a/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
++++ b/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
+@@ -272,7 +272,7 @@ private:
+ case ValueBitNot:
+ case ArithBitNot: {
+ flags |= NodeBytecodeUsesAsInt;
+- flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther);
++ flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther);
+ flags &= ~NodeBytecodeUsesAsArrayIndex;
+ node->child1()->mergeFlags(flags);
+ break;
+@@ -291,7 +291,7 @@ private:
+ case BitURShift:
+ case ArithIMul: {
+ flags |= NodeBytecodeUsesAsInt;
+- flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther);
++ flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther);
+ flags &= ~NodeBytecodeUsesAsArrayIndex;
+ node->child1()->mergeFlags(flags);
+ node->child2()->mergeFlags(flags);
+@@ -308,9 +308,9 @@ private:
+
+ case StringSlice: {
+ node->child1()->mergeFlags(NodeBytecodeUsesAsValue);
+- node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
++ node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity);
+ if (node->child3())
+- node->child3()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
++ node->child3()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity);
+ break;
+ }
+
+@@ -320,11 +320,11 @@ private:
+ if (node->numChildren() == 2)
+ m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsValue);
+ else if (node->numChildren() == 3) {
+- m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
++ m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity);
+ m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsValue);
+ } else if (node->numChildren() == 4) {
+- m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
+- m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
++ m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity);
++ m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity);
+ m_graph.varArgChild(node, 3)->mergeFlags(NodeBytecodeUsesAsValue);
+ }
+ break;
+@@ -345,6 +345,7 @@ private:
+ flags |= NodeBytecodeUsesAsNumber;
+ if (!m_allowNestedOverflowingAdditions)
+ flags |= NodeBytecodeUsesAsNumber;
++ flags |= NodeBytecodeNeedsNaNOrInfinity;
+
+ node->child1()->mergeFlags(flags);
+ node->child2()->mergeFlags(flags);
+@@ -359,6 +360,7 @@ private:
+ flags |= NodeBytecodeUsesAsNumber;
+ if (!m_allowNestedOverflowingAdditions)
+ flags |= NodeBytecodeUsesAsNumber;
++ flags |= NodeBytecodeNeedsNaNOrInfinity;
+
+ node->child1()->mergeFlags(flags);
+ node->child2()->mergeFlags(flags);
+@@ -366,7 +368,7 @@ private:
+ }
+
+ case ArithClz32: {
+- flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther | ~NodeBytecodeUsesAsArrayIndex);
++ flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther | ~NodeBytecodeUsesAsArrayIndex);
+ flags |= NodeBytecodeUsesAsInt;
+ node->child1()->mergeFlags(flags);
+ break;
+@@ -380,6 +382,7 @@ private:
+ flags |= NodeBytecodeUsesAsNumber;
+ if (!m_allowNestedOverflowingAdditions)
+ flags |= NodeBytecodeUsesAsNumber;
++ flags |= NodeBytecodeNeedsNaNOrInfinity;
+
+ node->child1()->mergeFlags(flags);
+ node->child2()->mergeFlags(flags);
+@@ -387,6 +390,7 @@ private:
+ }
+
+ case ArithNegate: {
++ // negation does not care about NaN, Infinity, -Infinity are converted into 0 if the result is evaluated under the integer context.
+ flags &= ~NodeBytecodeUsesAsOther;
+
+ node->child1()->mergeFlags(flags);
+@@ -401,6 +405,7 @@ private:
+ flags |= NodeBytecodeUsesAsNumber;
+ if (!m_allowNestedOverflowingAdditions)
+ flags |= NodeBytecodeUsesAsNumber;
++ flags |= NodeBytecodeNeedsNaNOrInfinity;
+
+ node->child1()->mergeFlags(flags);
+ break;
+@@ -421,7 +426,7 @@ private:
+
+ node->mergeFlags(flags);
+
+- flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero;
++ flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity;
+ flags &= ~NodeBytecodeUsesAsOther;
+
+ node->child1()->mergeFlags(flags);
+@@ -431,7 +436,13 @@ private:
+
+ case ValueDiv:
+ case ArithDiv: {
+- flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero;
++ // ArithDiv / ValueDiv need to have NodeBytecodeUsesAsNumber even if it is used in the context of integer.
++ // For example,
++ // ((@x / @y) + @z) | 0
++ // In this context, (@x / @y) can have integer context at first, but the result can be different if div
++ // generates NaN. Div and Mod are operations that can produce NaN / Infinity though only taking binary Int32 operands.
++ // Thus, we always need to check for overflow since it can affect downstream calculations.
++ flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity;
+ flags &= ~NodeBytecodeUsesAsOther;
+
+ node->child1()->mergeFlags(flags);
+@@ -441,7 +452,7 @@ private:
+
+ case ValueMod:
+ case ArithMod: {
+- flags |= NodeBytecodeUsesAsNumber;
++ flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity;
+ flags &= ~NodeBytecodeUsesAsOther;
+
+ node->child1()->mergeFlags(flags);
+@@ -452,7 +463,7 @@ private:
+ case EnumeratorGetByVal:
+ case GetByVal: {
+ m_graph.varArgChild(node, 0)->mergeFlags(NodeBytecodeUsesAsValue);
+- m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
++ m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsArrayIndex);
+ break;
+ }
+
+@@ -461,13 +472,13 @@ private:
+ // Negative zero is not observable. NaN versus undefined are only observable
+ // in that you would get a different exception message. So, like, whatever: we
+ // claim here that NaN v. undefined is observable.
+- node->child1()->mergeFlags(NodeBytecodeUsesAsInt | NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsArrayIndex);
++ node->child1()->mergeFlags(NodeBytecodeUsesAsInt | NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsArrayIndex);
+ break;
+ }
+
+ case ToString:
+ case CallStringConstructor: {
+- node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther);
++ node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity);
+ break;
+ }
+
+@@ -487,15 +498,15 @@ private:
+ case CompareBelowEq:
+ case CompareEq:
+ case CompareStrictEq: {
+- node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther);
+- node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther);
++ node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity);
++ node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity);
+ break;
+ }
+
+ case PutByValDirect:
+ case PutByVal: {
+ m_graph.varArgChild(node, 0)->mergeFlags(NodeBytecodeUsesAsValue);
+- m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);
++ m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity);
+ m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsValue);
+ break;
+ }
+@@ -508,20 +519,20 @@ private:
+ // then -0 and 0 are treated the same. We don't need NodeBytecodeUsesAsOther
+ // because if all of the cases are integers then NaN and undefined are
+ // treated the same (i.e. they will take default).
+- node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsInt);
++ node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsInt | NodeBytecodeNeedsNaNOrInfinity);
+ break;
+ case SwitchChar: {
+ // We don't need NodeBytecodeNeedsNegZero because if the cases are all strings
+ // then -0 and 0 are treated the same. We don't need NodeBytecodeUsesAsOther
+ // because if all of the cases are single-character strings then NaN
+ // and undefined are treated the same (i.e. they will take default).
+- node->child1()->mergeFlags(NodeBytecodeUsesAsNumber);
++ node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNaNOrInfinity);
+ break;
+ }
+ case SwitchString:
+ // We don't need NodeBytecodeNeedsNegZero because if the cases are all strings
+ // then -0 and 0 are treated the same.
+- node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther);
++ node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity);
+ break;
+ case SwitchCell:
+ // There is currently no point to being clever here since this is used for switching
+diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+index e8bee58ada15..b679539de2e6 100644
+--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
++++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+@@ -81,7 +81,9 @@ private:
+ if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
+ fixIntOrBooleanEdge(leftChild);
+ fixIntOrBooleanEdge(rightChild);
+- if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
++ // We need to be careful about skipping overflow check because div / mod can generate non integer values
++ // from (Int32, Int32) inputs. For now, we always check non-zero divisor.
++ if (bytecodeCanTruncateInteger(node->arithNodeFlags()) && bytecodeCanIgnoreNaNAndInfinity(node->arithNodeFlags()) && bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
+ node->setArithMode(Arith::Unchecked);
+ else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
+ node->setArithMode(Arith::CheckOverflow);
+@@ -122,7 +124,7 @@ private:
+
+ void fixupArithDiv(Node* node, Edge& leftChild, Edge& rightChild)
+ {
+- if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
++ if (m_graph.divShouldSpeculateInt32(node, FixupPass)) {
+ fixupArithDivInt32(node, leftChild, rightChild);
+ return;
+ }
+diff --git a/Source/JavaScriptCore/dfg/DFGGraph.h b/Source/JavaScriptCore/dfg/DFGGraph.h
+index ca566d3a484e..284c87672849 100644
+--- a/Source/JavaScriptCore/dfg/DFGGraph.h
++++ b/Source/JavaScriptCore/dfg/DFGGraph.h
+@@ -373,6 +373,17 @@ public:
+
+ return shouldSpeculateInt52ForAdd(left) && shouldSpeculateInt52ForAdd(right);
+ }
++
++ bool divShouldSpeculateInt32(Node* node, PredictionPass pass)
++ {
++ // Even if inputs are Int32, div can generate NaN or Infinity.
++ // Thus, Overflow in div can be caused by these non integer values as well as actual Int32 overflow.
++ Node* left = node->child1().node();
++ Node* right = node->child2().node();
++
++ return Node::shouldSpeculateInt32OrBooleanForArithmetic(left, right)
++ && nodeCanSpeculateInt32ForDiv(node->arithNodeFlags(), node->sourceFor(pass));
++ }
+
+ bool binaryArithShouldSpeculateInt32(Node* node, PredictionPass pass)
+ {
+diff --git a/Source/JavaScriptCore/dfg/DFGNode.h b/Source/JavaScriptCore/dfg/DFGNode.h
+index f9ff50658e93..04509a3846ca 100644
+--- a/Source/JavaScriptCore/dfg/DFGNode.h
++++ b/Source/JavaScriptCore/dfg/DFGNode.h
+@@ -3308,21 +3308,25 @@ public:
+ out.printf(", @%u", child3()->index());
+ }
+
+- NodeOrigin origin;
++ NO_UNIQUE_ADDRESS NodeOrigin origin;
+
++private:
++ NO_UNIQUE_ADDRESS NodeType m_op;
++
++ NO_UNIQUE_ADDRESS unsigned m_index { std::numeric_limits<unsigned>::max() };
++
++public:
+ // References to up to 3 children, or links to a variable length set of children.
+ AdjacencyList children;
+
+ private:
+ friend class B3::SparseCollection<Node>;
+
+- unsigned m_index { std::numeric_limits<unsigned>::max() };
+- unsigned m_op : 10; // real type is NodeType
+- unsigned m_flags : 21;
+ // The virtual register number (spill location) associated with this .
+ VirtualRegister m_virtualRegister;
+ // The number of uses of the result of this operation (+1 for 'must generate' nodes, which have side-effects).
+ unsigned m_refCount;
++ NodeFlags m_flags;
+ // The prediction ascribed to this node after propagation.
+ SpeculatedType m_prediction { SpecNone };
+ // Immediate values, accesses type-checked via accessors above.
+diff --git a/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp b/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp
+index 88242947f6ef..0c53cd976c5c 100644
+--- a/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp
++++ b/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp
+@@ -74,12 +74,14 @@ void dumpNodeFlags(PrintStream& actualOut, NodeFlags flags)
+ out.print(comma, "VarArgs");
+
+ if (flags & NodeResultMask) {
+- if (!(flags & NodeBytecodeUsesAsNumber) && !(flags & NodeBytecodeNeedsNegZero))
++ if (!(flags & NodeBytecodeUsesAsNumber))
+ out.print(comma, "PureInt");
+- else if (!(flags & NodeBytecodeUsesAsNumber))
+- out.print(comma, "PureInt(w/ neg zero)");
+- else if (!(flags & NodeBytecodeNeedsNegZero))
++ else
+ out.print(comma, "PureNum");
++ if (flags & NodeBytecodeNeedsNegZero)
++ out.print(comma, "NeedsNegZero");
++ if (flags & NodeBytecodeNeedsNaNOrInfinity)
++ out.print(comma, "NeedsNaNOrInfinity");
+ if (flags & NodeBytecodeUsesAsOther)
+ out.print(comma, "UseAsOther");
+ }
+diff --git a/Source/JavaScriptCore/dfg/DFGNodeFlags.h b/Source/JavaScriptCore/dfg/DFGNodeFlags.h
+index 2ebe3544f601..aa60db7e6ba0 100644
+--- a/Source/JavaScriptCore/dfg/DFGNodeFlags.h
++++ b/Source/JavaScriptCore/dfg/DFGNodeFlags.h
+@@ -61,18 +61,19 @@ namespace JSC { namespace DFG {
+ #define NodeBytecodeUseBottom 0x00000
+ #define NodeBytecodeUsesAsNumber 0x04000 // The result of this computation may be used in a context that observes fractional, or bigger-than-int32, results.
+ #define NodeBytecodeNeedsNegZero 0x08000 // The result of this computation may be used in a context that observes -0.
+-#define NodeBytecodeUsesAsOther 0x10000 // The result of this computation may be used in a context that distinguishes between NaN and other things (like undefined).
+-#define NodeBytecodeUsesAsInt 0x20000 // The result of this computation is known to be used in a context that prefers, but does not require, integer values.
+-#define NodeBytecodeUsesAsArrayIndex 0x40000 // The result of this computation is known to be used in a context that strongly prefers integer values, to the point that we should avoid using doubles if at all possible.
+-#define NodeBytecodeUsesAsValue (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther)
+-#define NodeBytecodeBackPropMask (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex)
++#define NodeBytecodeNeedsNaNOrInfinity 0x10000 // The result of this computation may be used in a context that observes NaN or Infinity.
++#define NodeBytecodeUsesAsOther 0x20000 // The result of this computation may be used in a context that distinguishes between NaN and other things (like undefined).
++#define NodeBytecodeUsesAsInt 0x40000 // The result of this computation is known to be used in a context that prefers, but does not require, integer values.
++#define NodeBytecodeUsesAsArrayIndex 0x80000 // The result of this computation is known to be used in a context that strongly prefers integer values, to the point that we should avoid using doubles if at all possible.
++#define NodeBytecodeUsesAsValue (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther)
++#define NodeBytecodeBackPropMask (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex)
+
+ #define NodeArithFlagsMask (NodeBehaviorMask | NodeBytecodeBackPropMask)
+
+-#define NodeIsFlushed 0x80000 // Computed by CPSRethreadingPhase, will tell you which local nodes are backwards-reachable from a Flush.
++#define NodeIsFlushed 0x100000 // Computed by CPSRethreadingPhase, will tell you which local nodes are backwards-reachable from a Flush.
+
+-#define NodeMiscFlag1 0x100000
+-#define NodeMiscFlag2 0x200000
++#define NodeMiscFlag1 0x200000
++#define NodeMiscFlag2 0x400000
+
+ typedef uint32_t NodeFlags;
+
+@@ -91,6 +92,11 @@ static inline bool bytecodeCanIgnoreNegativeZero(NodeFlags flags)
+ return !(flags & NodeBytecodeNeedsNegZero);
+ }
+
++static inline bool bytecodeCanIgnoreNaNAndInfinity(NodeFlags flags)
++{
++ return !(flags & NodeBytecodeNeedsNaNOrInfinity);
++}
++
+ enum RareCaseProfilingSource {
+ BaselineRareCase, // Comes from slow case counting in the baseline JIT.
+ DFGRareCase, // Comes from OSR exit profiles.
+@@ -147,6 +153,21 @@ static inline bool nodeCanSpeculateInt32(NodeFlags flags, RareCaseProfilingSourc
+ return true;
+ }
+
++static inline bool nodeCanSpeculateInt32ForDiv(NodeFlags flags, RareCaseProfilingSource source)
++{
++ if (nodeMayOverflowInt32(flags, source)) {
++ if (bytecodeUsesAsNumber(flags))
++ return false;
++ if (!bytecodeCanIgnoreNaNAndInfinity(flags))
++ return false;
++ }
++
++ if (nodeMayNegZero(flags, source))
++ return bytecodeCanIgnoreNegativeZero(flags);
++
++ return true;
++}
++
+ static inline bool nodeCanSpeculateInt52(NodeFlags flags, RareCaseProfilingSource source)
+ {
+ if (nodeMayOverflowInt52(flags, source))
+diff --git a/Source/JavaScriptCore/dfg/DFGNodeType.h b/Source/JavaScriptCore/dfg/DFGNodeType.h
+index 8f885b570665..aad4d559ccf7 100644
+--- a/Source/JavaScriptCore/dfg/DFGNodeType.h
++++ b/Source/JavaScriptCore/dfg/DFGNodeType.h
+@@ -567,7 +567,7 @@ namespace JSC { namespace DFG {
+
+ // This enum generates a monotonically increasing id for all Node types,
+ // and is used by the subsequent enum to fill out the id (as accessed via the NodeIdMask).
+-enum NodeType {
++enum NodeType : uint16_t {
+ #define DFG_OP_ENUM(opcode, flags) opcode,
+ FOR_EACH_DFG_OP(DFG_OP_ENUM)
+ #undef DFG_OP_ENUM
+@@ -577,6 +577,7 @@ enum NodeType {
+ #define DFG_OP_COUNT(opcode, flags) + 1
+ constexpr unsigned numberOfNodeTypes = FOR_EACH_DFG_OP(DFG_OP_COUNT);
+ #undef DFG_OP_COUNT
++static_assert(numberOfNodeTypes <= UINT16_MAX);
+
+ // Specifies the default flags for each node.
+ inline NodeFlags defaultFlags(NodeType op)
+--
+2.34.1
+
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 7b2c5c6e36..1dac4f5677 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -15,6 +15,8 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
file://0001-Fix-build-without-opengl-or-es.patch \
file://reproducibility.patch \
file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \
+ file://CVE-2022-32888.patch \
+ file://CVE-2022-32923.patch \
"
SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
--
2.34.1
^ permalink raw reply related [flat|nested] 26+ messages in thread* [OE-core][kirkstone 11/15] python3-cryptography: fix for CVE-2023-23931
2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (9 preceding siblings ...)
2023-05-06 15:24 ` [OE-core][kirkstone 10/15] webkitgtk: fix CVE-2022-32888 & CVE-2022-32923 Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
2023-05-06 15:24 ` [OE-core][kirkstone 12/15] wic/bootimg-efi: if fixed-size is set then use that for mkdosfs Steve Sakoman
` (3 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
To: openembedded-core
From: Narpat Mali <narpat.mali@windriver.com>
cryptography is a package designed to expose cryptographic primitives
and recipes to Python developers. In affected versions `Cipher.update_into`
would accept Python objects which implement the buffer protocol, but
provide only immutable buffers. This would allow immutable objects
(such as `bytes`) to be mutated, thus violating fundamental rules of
Python and resulting in corrupted output. This now correctly raises
an exception. This issue has been present since `update_into` was
originally introduced in cryptography 1.8.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../python3-cryptography/CVE-2023-23931.patch | 49 +++++++++++++++++++
.../python/python3-cryptography_36.0.2.bb | 1 +
2 files changed, 50 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch
diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch
new file mode 100644
index 0000000000..5fc4878978
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch
@@ -0,0 +1,49 @@
+From 9fbf84efc861668755ab645530ec7be9cf3c6696 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Tue, 7 Feb 2023 11:34:18 -0500
+Subject: [PATCH] Don't allow update_into to mutate immutable objects (#8230)
+
+CVE: CVE-2023-23931
+
+Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/9fbf84efc861668755ab645530ec7be9cf3c6696]
+
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
+ tests/hazmat/primitives/test_ciphers.py | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index 286583f93..075d68fb9 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -156,7 +156,7 @@ class _CipherContext:
+ data_processed = 0
+ total_out = 0
+ outlen = self._backend._ffi.new("int *")
+- baseoutbuf = self._backend._ffi.from_buffer(buf)
++ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
+ baseinbuf = self._backend._ffi.from_buffer(data)
+
+ while data_processed != total_data_len:
+diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
+index 02127dd9c..bf3b047de 100644
+--- a/tests/hazmat/primitives/test_ciphers.py
++++ b/tests/hazmat/primitives/test_ciphers.py
+@@ -318,6 +318,14 @@ class TestCipherUpdateInto:
+ with pytest.raises(ValueError):
+ encryptor.update_into(b"testing", buf)
+
++ def test_update_into_immutable(self, backend):
++ key = b"\x00" * 16
++ c = ciphers.Cipher(AES(key), modes.ECB(), backend)
++ encryptor = c.encryptor()
++ buf = b"\x00" * 32
++ with pytest.raises((TypeError, BufferError)):
++ encryptor.update_into(b"testing", buf)
++
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.cipher_supported(
+ AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
+--
+2.40.0
diff --git a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
index 9ef5ff39c8..c3ae0c1ab9 100644
--- a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
@@ -17,6 +17,7 @@ SRC_URI += " \
file://0001-Cargo.toml-specify-pem-version.patch \
file://0002-Cargo.toml-edition-2018-2021.patch \
file://fix-leak-metric.patch \
+ file://CVE-2023-23931.patch \
"
inherit pypi python_setuptools3_rust
--
2.34.1
^ permalink raw reply related [flat|nested] 26+ messages in thread* [OE-core][kirkstone 12/15] wic/bootimg-efi: if fixed-size is set then use that for mkdosfs
2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (10 preceding siblings ...)
2023-05-06 15:24 ` [OE-core][kirkstone 11/15] python3-cryptography: fix for CVE-2023-23931 Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
2023-05-06 15:24 ` [OE-core][kirkstone 13/15] kernel-devicetree: allow specification of dtb directory Steve Sakoman
` (2 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
To: openembedded-core
From: Randolph Sapp <rs@ti.com>
This is a bit of a compatibility issue more than anything. Some devices
get upset if the FAT file system contains less blocks than the
partition.
The fixed-size argument is currently respected by the partition creation
step but not by the file system creation step. Let's make it so the file
system respects this value as well.
Signed-off-by: Randolph Sapp <rs@ti.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
scripts/lib/wic/plugins/source/bootimg-efi.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/scripts/lib/wic/plugins/source/bootimg-efi.py b/scripts/lib/wic/plugins/source/bootimg-efi.py
index a65a5b9780..c28d3917c2 100644
--- a/scripts/lib/wic/plugins/source/bootimg-efi.py
+++ b/scripts/lib/wic/plugins/source/bootimg-efi.py
@@ -390,6 +390,13 @@ class BootimgEFIPlugin(SourcePlugin):
logger.debug("Added %d extra blocks to %s to get to %d total blocks",
extra_blocks, part.mountpoint, blocks)
+ # required for compatibility with certain devices expecting file system
+ # block count to be equal to partition block count
+ if blocks < part.fixed_size:
+ blocks = part.fixed_size
+ logger.debug("Overriding %s to %d total blocks for compatibility",
+ part.mountpoint, blocks)
+
# dosfs image, created by mkdosfs
bootimg = "%s/boot.img" % cr_workdir
--
2.34.1
^ permalink raw reply related [flat|nested] 26+ messages in thread* [OE-core][kirkstone 13/15] kernel-devicetree: allow specification of dtb directory
2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (11 preceding siblings ...)
2023-05-06 15:24 ` [OE-core][kirkstone 12/15] wic/bootimg-efi: if fixed-size is set then use that for mkdosfs Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
2023-05-06 17:25 ` Martin Jansa
2023-05-06 15:24 ` [OE-core][kirkstone 14/15] libbsd: Add correct license for all packages Steve Sakoman
2023-05-06 15:24 ` [OE-core][kirkstone 15/15] run-postinsts: Set dependency for ldconfig to avoid boot issues Steve Sakoman
14 siblings, 1 reply; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
To: openembedded-core
From: Randolph Sapp <rs@ti.com>
Fedora/Redhat and Arch are somewhat standardized on their dtb directory
structure. Let's add some flags to configure yocto to mimic that
behavior.
Add the following variables to the kernel class:
- KERNEL_DTBDEST (controls the destination directory for dtbs)
- KERNEL_DTBVENDORED (controls if vendor subdirectories are to
be respected)
Currently KERNEL_DTBDEST is expected to be a subdir of KERNEL_IMAGEDEST
and KERNEL_DTBVENDORED is expected to be "true"/"false". This only
applies to the package directory structure. The deploydir structure is
purposely left untouched for compatibility with existing recipes.
By default this is configured to behave the same as the current recipe
and produce a flat dtb directory at KERNEL_IMAGEDEST.
Signed-off-by: Randolph Sapp <rs@ti.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/kernel-devicetree.bbclass | 22 +++++++++++++++++-----
meta/classes/kernel.bbclass | 2 ++
2 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/meta/classes/kernel-devicetree.bbclass b/meta/classes/kernel-devicetree.bbclass
index b4338da1b1..11b57adc92 100644
--- a/meta/classes/kernel-devicetree.bbclass
+++ b/meta/classes/kernel-devicetree.bbclass
@@ -6,7 +6,12 @@ python () {
d.appendVar("PACKAGES", " ${KERNEL_PACKAGE_NAME}-image-zimage-bundle")
}
-FILES:${KERNEL_PACKAGE_NAME}-devicetree = "/${KERNEL_IMAGEDEST}/*.dtb /${KERNEL_IMAGEDEST}/*.dtbo"
+FILES:${KERNEL_PACKAGE_NAME}-devicetree = " \
+ /${KERNEL_DTBDEST}/*.dtb \
+ /${KERNEL_DTBDEST}/*.dtbo \
+ /${KERNEL_DTBDEST}/*/*.dtb \
+ /${KERNEL_DTBDEST}/*/*.dtbo \
+"
FILES:${KERNEL_PACKAGE_NAME}-image-zimage-bundle = "/${KERNEL_IMAGEDEST}/zImage-*.dtb.bin"
# Generate kernel+devicetree bundle
@@ -67,12 +72,16 @@ do_compile:append() {
}
do_install:append() {
+ install -d ${D}/${KERNEL_DTBDEST}
for dtbf in ${KERNEL_DEVICETREE}; do
dtb=`normalize_dtb "$dtbf"`
- dtb_ext=${dtb##*.}
- dtb_base_name=`basename $dtb .$dtb_ext`
dtb_path=`get_real_dtb_path_in_kernel "$dtb"`
- install -m 0644 $dtb_path ${D}/${KERNEL_IMAGEDEST}/$dtb_base_name.$dtb_ext
+ if [ ${KERNEL_DTBVENDORED} == "false" ]; then
+ dtb_ext=${dtb##*.}
+ dtb_base_name=`basename $dtb .$dtb_ext`
+ dtb=$dtb_base_name.$dtb_ext
+ fi
+ install -Dm 0644 $dtb_path ${D}/${KERNEL_DTBDEST}/$dtb
done
}
@@ -82,7 +91,10 @@ do_deploy:append() {
dtb_ext=${dtb##*.}
dtb_base_name=`basename $dtb .$dtb_ext`
install -d $deployDir
- install -m 0644 ${D}/${KERNEL_IMAGEDEST}/$dtb_base_name.$dtb_ext $deployDir/$dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext
+ if [ ${KERNEL_DTBVENDORED} == "false" ]; then
+ dtb=$dtb_base_name.$dtb_ext
+ fi
+ install -m 0644 ${D}/${KERNEL_DTBDEST}/$dtb $deployDir/$dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext
if [ "${KERNEL_IMAGETYPE_SYMLINK}" = "1" ] ; then
ln -sf $dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext $deployDir/$dtb_base_name.$dtb_ext
fi
diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
index b315737fd2..3e3ac2d47d 100644
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -210,6 +210,8 @@ KERNEL_RELEASE ?= "${KERNEL_VERSION}"
# The directory where built kernel lies in the kernel tree
KERNEL_OUTPUT_DIR ?= "arch/${ARCH}/boot"
KERNEL_IMAGEDEST ?= "boot"
+KERNEL_DTBDEST ?= "${KERNEL_IMAGEDEST}"
+KERNEL_DTBVENDORED ?= "false"
#
# configuration
--
2.34.1
^ permalink raw reply related [flat|nested] 26+ messages in thread* Re: [OE-core][kirkstone 13/15] kernel-devicetree: allow specification of dtb directory
2023-05-06 15:24 ` [OE-core][kirkstone 13/15] kernel-devicetree: allow specification of dtb directory Steve Sakoman
@ 2023-05-06 17:25 ` Martin Jansa
0 siblings, 0 replies; 26+ messages in thread
From: Martin Jansa @ 2023-05-06 17:25 UTC (permalink / raw)
To: Steve Sakoman; +Cc: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 4938 bytes --]
This one doesn't work correctly, maybe better to postpone this until a fix
is in master, see:
https://lists.openembedded.org/g/openembedded-core/message/180981
and possible fix:
https://git.openembedded.org/openembedded-core-contrib/commit/?h=jansa/master&id=e2a6da5202a6671113758f9746ddbd8141a75757
Regards,
On Sat, May 6, 2023 at 5:25 PM Steve Sakoman <steve@sakoman.com> wrote:
> From: Randolph Sapp <rs@ti.com>
>
> Fedora/Redhat and Arch are somewhat standardized on their dtb directory
> structure. Let's add some flags to configure yocto to mimic that
> behavior.
>
> Add the following variables to the kernel class:
> - KERNEL_DTBDEST (controls the destination directory for dtbs)
> - KERNEL_DTBVENDORED (controls if vendor subdirectories are to
> be respected)
>
> Currently KERNEL_DTBDEST is expected to be a subdir of KERNEL_IMAGEDEST
> and KERNEL_DTBVENDORED is expected to be "true"/"false". This only
> applies to the package directory structure. The deploydir structure is
> purposely left untouched for compatibility with existing recipes.
>
> By default this is configured to behave the same as the current recipe
> and produce a flat dtb directory at KERNEL_IMAGEDEST.
>
> Signed-off-by: Randolph Sapp <rs@ti.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
> meta/classes/kernel-devicetree.bbclass | 22 +++++++++++++++++-----
> meta/classes/kernel.bbclass | 2 ++
> 2 files changed, 19 insertions(+), 5 deletions(-)
>
> diff --git a/meta/classes/kernel-devicetree.bbclass
> b/meta/classes/kernel-devicetree.bbclass
> index b4338da1b1..11b57adc92 100644
> --- a/meta/classes/kernel-devicetree.bbclass
> +++ b/meta/classes/kernel-devicetree.bbclass
> @@ -6,7 +6,12 @@ python () {
> d.appendVar("PACKAGES", "
> ${KERNEL_PACKAGE_NAME}-image-zimage-bundle")
> }
>
> -FILES:${KERNEL_PACKAGE_NAME}-devicetree = "/${KERNEL_IMAGEDEST}/*.dtb
> /${KERNEL_IMAGEDEST}/*.dtbo"
> +FILES:${KERNEL_PACKAGE_NAME}-devicetree = " \
> + /${KERNEL_DTBDEST}/*.dtb \
> + /${KERNEL_DTBDEST}/*.dtbo \
> + /${KERNEL_DTBDEST}/*/*.dtb \
> + /${KERNEL_DTBDEST}/*/*.dtbo \
> +"
> FILES:${KERNEL_PACKAGE_NAME}-image-zimage-bundle =
> "/${KERNEL_IMAGEDEST}/zImage-*.dtb.bin"
>
> # Generate kernel+devicetree bundle
> @@ -67,12 +72,16 @@ do_compile:append() {
> }
>
> do_install:append() {
> + install -d ${D}/${KERNEL_DTBDEST}
> for dtbf in ${KERNEL_DEVICETREE}; do
> dtb=`normalize_dtb "$dtbf"`
> - dtb_ext=${dtb##*.}
> - dtb_base_name=`basename $dtb .$dtb_ext`
> dtb_path=`get_real_dtb_path_in_kernel "$dtb"`
> - install -m 0644 $dtb_path
> ${D}/${KERNEL_IMAGEDEST}/$dtb_base_name.$dtb_ext
> + if [ ${KERNEL_DTBVENDORED} == "false" ]; then
> + dtb_ext=${dtb##*.}
> + dtb_base_name=`basename $dtb .$dtb_ext`
> + dtb=$dtb_base_name.$dtb_ext
> + fi
> + install -Dm 0644 $dtb_path ${D}/${KERNEL_DTBDEST}/$dtb
> done
> }
>
> @@ -82,7 +91,10 @@ do_deploy:append() {
> dtb_ext=${dtb##*.}
> dtb_base_name=`basename $dtb .$dtb_ext`
> install -d $deployDir
> - install -m 0644
> ${D}/${KERNEL_IMAGEDEST}/$dtb_base_name.$dtb_ext
> $deployDir/$dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext
> + if [ ${KERNEL_DTBVENDORED} == "false" ]; then
> + dtb=$dtb_base_name.$dtb_ext
> + fi
> + install -m 0644 ${D}/${KERNEL_DTBDEST}/$dtb
> $deployDir/$dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext
> if [ "${KERNEL_IMAGETYPE_SYMLINK}" = "1" ] ; then
> ln -sf $dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext
> $deployDir/$dtb_base_name.$dtb_ext
> fi
> diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
> index b315737fd2..3e3ac2d47d 100644
> --- a/meta/classes/kernel.bbclass
> +++ b/meta/classes/kernel.bbclass
> @@ -210,6 +210,8 @@ KERNEL_RELEASE ?= "${KERNEL_VERSION}"
> # The directory where built kernel lies in the kernel tree
> KERNEL_OUTPUT_DIR ?= "arch/${ARCH}/boot"
> KERNEL_IMAGEDEST ?= "boot"
> +KERNEL_DTBDEST ?= "${KERNEL_IMAGEDEST}"
> +KERNEL_DTBVENDORED ?= "false"
>
> #
> # configuration
> --
> 2.34.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#180996):
> https://lists.openembedded.org/g/openembedded-core/message/180996
> Mute This Topic: https://lists.openembedded.org/mt/98726684/3617156
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> Martin.Jansa@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
[-- Attachment #2: Type: text/html, Size: 6744 bytes --]
^ permalink raw reply [flat|nested] 26+ messages in thread
* [OE-core][kirkstone 14/15] libbsd: Add correct license for all packages
2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (12 preceding siblings ...)
2023-05-06 15:24 ` [OE-core][kirkstone 13/15] kernel-devicetree: allow specification of dtb directory Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
2023-05-06 15:24 ` [OE-core][kirkstone 15/15] run-postinsts: Set dependency for ldconfig to avoid boot issues Steve Sakoman
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
To: openembedded-core
From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
BSD-4-Clause is only applicable to the {PN}-doc package as when I
check for the source code I find below files which only uses the
license BSD-4-Clause
~/sources/libbsd$ grep -rl "All advertising materials mentioning features or use of this software" *|grep -v \.1|grep -v \.5|grep -v \.8 | sort
COPYING
man/arc4random.3bsd
man/getprogname.3bsd
~/sources/libbsd$ grep -rnB5 "BSD-4"
COPYING-9-Files:
COPYING-10- man/arc4random.3bsd
COPYING-11-Copyright:
COPYING-12- Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
COPYING-13- All rights reserved.
COPYING:14:License: BSD-4-clause-Niels-Provos
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/libbsd/libbsd_0.11.5.bb | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/meta/recipes-support/libbsd/libbsd_0.11.5.bb b/meta/recipes-support/libbsd/libbsd_0.11.5.bb
index bb8766a070..21af37882f 100644
--- a/meta/recipes-support/libbsd/libbsd_0.11.5.bb
+++ b/meta/recipes-support/libbsd/libbsd_0.11.5.bb
@@ -29,6 +29,13 @@ HOMEPAGE = "https://libbsd.freedesktop.org/wiki/"
# License: public-domain-Colin-Plumb
LICENSE = "BSD-3-Clause & BSD-4-Clause & ISC & PD"
LICENSE:${PN} = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-dbg = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-dev = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-doc = "BSD-3-Clause & BSD-4-Clause & ISC & PD"
+LICENSE:${PN}-locale = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-src = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-staticdev = "BSD-3-Clause & ISC & PD"
+
LIC_FILES_CHKSUM = "file://COPYING;md5=0b31944ca2c1075410a30f0c17379d3b"
SECTION = "libs"
--
2.34.1
^ permalink raw reply related [flat|nested] 26+ messages in thread* [OE-core][kirkstone 15/15] run-postinsts: Set dependency for ldconfig to avoid boot issues
2023-05-06 15:24 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (13 preceding siblings ...)
2023-05-06 15:24 ` [OE-core][kirkstone 14/15] libbsd: Add correct license for all packages Steve Sakoman
@ 2023-05-06 15:24 ` Steve Sakoman
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2023-05-06 15:24 UTC (permalink / raw)
To: openembedded-core
From: Arturo Buzarra <arturo.buzarra@digi.com>
If a package with a postsints script requires ldconfig, the package class adds
a ldconfig postinst fragment to initialize it before. Systemd has its own
ldconfig.service to initialize it and sometimes if both services are running
at the same time in the first boot, the first one will work, but the second
one will fail with the following error:
ldconfig[141]: /sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: No such file or directory
This commit adds a ordering dependency between them to make sure that only one
service is running at the same time.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4e9d812e127dc6743f52f4881e509e8e2e833afe)
Signed-off-by: Jermain Horsman <jermain.horsman@nedap.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../run-postinsts/run-postinsts/run-postinsts.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service
index 7f72f3388a..b6b81d5c1a 100644
--- a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service
+++ b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service
@@ -1,7 +1,7 @@
[Unit]
Description=Run pending postinsts
DefaultDependencies=no
-After=systemd-remount-fs.service systemd-tmpfiles-setup.service tmp.mount
+After=systemd-remount-fs.service systemd-tmpfiles-setup.service tmp.mount ldconfig.service
Before=sysinit.target
[Service]
--
2.34.1
^ permalink raw reply related [flat|nested] 26+ messages in thread