* [OE-core][kirkstone 1/5] wpa-supplicant: Patch CVE-2023-52160
2024-07-31 12:02 [OE-core][kirkstone 0/5] Patch review Steve Sakoman
@ 2024-07-31 12:02 ` Steve Sakoman
2024-07-31 12:02 ` [OE-core][kirkstone 2/5] llvm: Fix CVE-2023-46049 Steve Sakoman
` (3 subsequent siblings)
4 siblings, 0 replies; 13+ messages in thread
From: Steve Sakoman @ 2024-07-31 12:02 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
PEAP client: Update Phase 2 authentication requirements. Also see
https://www.top10vpn.com/research/wifi-vulnerabilities/
Patch is copied from scarthgap, the recipes differ too much for
cherry-pick even if they have the same version.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...te-Phase-2-authentication-requiremen.patch | 213 ++++++++++++++++++
.../wpa-supplicant/wpa-supplicant_2.10.bb | 1 +
2 files changed, 214 insertions(+)
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
new file mode 100644
index 0000000000..bc2db972c3
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
@@ -0,0 +1,213 @@
+From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+ (private_key/client_cert) is no used and TLS session resumption was
+ not used (default)
+ * 2 = require Phase 2 authentication in all cases
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+CVE: CVE-2023-52160
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c]
+
+Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/eap_peer/eap_config.h | 8 ++++++
+ src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++---
+ src/eap_peer/eap_tls_common.c | 6 +++++
+ src/eap_peer/eap_tls_common.h | 5 ++++
+ wpa_supplicant/wpa_supplicant.conf | 7 ++++++
+ 5 files changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
+index 3238f74..047eec2 100644
+--- a/src/eap_peer/eap_config.h
++++ b/src/eap_peer/eap_config.h
+@@ -469,6 +469,14 @@ struct eap_peer_config {
+ * 1 = use cryptobinding if server supports it
+ * 2 = require cryptobinding
+ *
++ * phase2_auth option can be used to control Phase 2 (i.e., within TLS
++ * tunnel) behavior for PEAP:
++ * 0 = do not require Phase 2 authentication
++ * 1 = require Phase 2 authentication when client certificate
++ * (private_key/client_cert) is no used and TLS session resumption was
++ * not used (default)
++ * 2 = require Phase 2 authentication in all cases
++ *
+ * EAP-WSC (WPS) uses following options: pin=Device_Password and
+ * uuid=Device_UUID
+ *
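Review bot: typo in the added comment text, "(private_key/client_cert) is no used" should read "is not used". As this is a backport the wording matches upstream, so the correction belongs upstream first; the same phrase recurs in the wpa_supplicant.conf hunk of this patch.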
+diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
+index 12e30df..6080697 100644
+--- a/src/eap_peer/eap_peap.c
++++ b/src/eap_peer/eap_peap.c
+@@ -67,6 +67,7 @@ struct eap_peap_data {
+ u8 cmk[20];
+ int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
+ * is enabled. */
++ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
+ };
+
+
+@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
+ }
+
++ if (os_strstr(phase1, "phase2_auth=0")) {
++ data->phase2_auth = NO_AUTH;
++ wpa_printf(MSG_DEBUG,
++ "EAP-PEAP: Do not require Phase 2 authentication");
++ } else if (os_strstr(phase1, "phase2_auth=1")) {
++ data->phase2_auth = FOR_INITIAL;
++ wpa_printf(MSG_DEBUG,
++ "EAP-PEAP: Require Phase 2 authentication for initial connection");
++ } else if (os_strstr(phase1, "phase2_auth=2")) {
++ data->phase2_auth = ALWAYS;
++ wpa_printf(MSG_DEBUG,
++ "EAP-PEAP: Require Phase 2 authentication for all cases");
++ }
+ #ifdef EAP_TNC
+ if (os_strstr(phase1, "tnc=soh2")) {
+ data->soh = 2;
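Review bot: the three os_strstr() checks on phase1 match substrings, so a value such as phase2_auth=10 or phase2_auth=2x is accepted as 1 or 2, and an unrecognised value such as phase2_auth=3 falls through every branch without a log line. For a setting that gates authentication, consider parsing the digit that follows "phase2_auth=" and emitting a wpa_printf warning for anything outside 0..2. A blank line before "#ifdef EAP_TNC" would also keep the spacing used above.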
+@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
+ data->force_peap_version = -1;
+ data->peap_outer_success = 2;
+ data->crypto_binding = OPTIONAL_BINDING;
++ data->phase2_auth = FOR_INITIAL;
+
+ if (config && config->phase1)
+ eap_peap_parse_phase1(data, config->phase1);
+@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
+ }
+
+
++static bool peap_phase2_sufficient(struct eap_sm *sm,
++ struct eap_peap_data *data)
++{
++ if ((data->phase2_auth == ALWAYS ||
++ (data->phase2_auth == FOR_INITIAL &&
++ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
++ !data->ssl.client_cert_conf) ||
++ data->phase2_eap_started) &&
++ !data->phase2_eap_success)
++ return false;
++ return true;
++}
++
++
+ /**
+ * eap_tlv_process - Process a received EAP-TLV message and generate a response
+ * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
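Review bot: peap_phase2_sufficient() has no comment, and its single compound condition mixes the new policy (ALWAYS, FOR_INITIAL with its two exemptions) with the older phase2_eap_started check, which makes the security decision hard to audit. Consider a short function comment stating when Phase 2 may be skipped, and splitting the expression into early returns: return true first if phase2_eap_success is set, then one test per reason Phase 2 is required.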
+@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
+ " - force failed Phase 2");
+ resp_status = EAP_TLV_RESULT_FAILURE;
+ ret->decision = DECISION_FAIL;
++ } else if (!peap_phase2_sufficient(sm, data)) {
++ wpa_printf(MSG_INFO,
++ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
++ resp_status = EAP_TLV_RESULT_FAILURE;
++ ret->decision = DECISION_FAIL;
+ } else {
+ resp_status = EAP_TLV_RESULT_SUCCESS;
+ ret->decision = DECISION_UNCOND_SUCC;
+@@ -887,8 +921,7 @@ continue_req:
+ /* EAP-Success within TLS tunnel is used to indicate
+ * shutdown of the TLS channel. The authentication has
+ * been completed. */
+- if (data->phase2_eap_started &&
+- !data->phase2_eap_success) {
++ if (!peap_phase2_sufficient(sm, data)) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
+ "Success used to indicate success, "
+ "but Phase 2 EAP was not yet "
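Review bot: after the condition change, the wpa_printf text kept as context here ("but Phase 2 EAP was not yet ") no longer covers every case, since peap_phase2_sufficient() also fails when Phase 2 was never started but is required by phase2_auth. The same rejection in eap_tlv_process logs at MSG_INFO while this path stays at MSG_DEBUG; one level and one message for both would make the refusal easier to find in field logs.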
+@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
+ static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
+ {
+ struct eap_peap_data *data = priv;
++
+ return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
+- data->phase2_success;
++ data->phase2_success && data->phase2_auth != ALWAYS;
+ }
+
+
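Review bot: "data->phase2_auth != ALWAYS" in the return expression makes eap_peap_has_reauth_data() report no reauth data whenever phase2_auth=2 is configured, and nothing at this site says why. A one-line comment above the return would help; the blank line added after the declaration is an unrelated whitespace change.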
+diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
+index c1837db..a53eeb1 100644
+--- a/src/eap_peer/eap_tls_common.c
++++ b/src/eap_peer/eap_tls_common.c
+@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
+
+ sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
+
++ if (!phase2)
++ data->client_cert_conf = params->client_cert ||
++ params->client_cert_blob ||
++ params->private_key ||
++ params->private_key_blob;
++
+ return 0;
+ }
+
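Review bot: client_cert_conf is derived from what is configured (client_cert, client_cert_blob, private_key, private_key_blob), not from whether a certificate was used in the handshake, and a private key alone sets it. Under the default FOR_INITIAL policy every such profile is exempt from the Phase 2 requirement in peap_phase2_sufficient(), so this deserves a comment next to the "if (!phase2)" guard and a line in the release notes telling those deployments to set phase2_auth=2 if they want the check enforced.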
+diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
+index 9ac0012..3348634 100644
+--- a/src/eap_peer/eap_tls_common.h
++++ b/src/eap_peer/eap_tls_common.h
+@@ -79,6 +79,11 @@ struct eap_ssl_data {
+ * tls_v13 - Whether TLS v1.3 or newer is used
+ */
+ int tls_v13;
++
++ /**
++ * client_cert_conf: Whether client certificate has been configured
++ */
++ bool client_cert_conf;
+ };
+
+
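Review bot: the new member comment is written "client_cert_conf:" with a colon, while the neighbouring member in the same struct is documented as "tls_v13 - ..."; use the dash form for consistency.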
+diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
+index 6619d6b..d63f73c 100644
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -1321,6 +1321,13 @@ fast_reauth=1
+ # * 0 = do not use cryptobinding (default)
+ # * 1 = use cryptobinding if server supports it
+ # * 2 = require cryptobinding
++# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
++# tunnel) behavior for PEAP:
++# * 0 = do not require Phase 2 authentication
++# * 1 = require Phase 2 authentication when client certificate
++# (private_key/client_cert) is no used and TLS session resumption was
++# not used (default)
++# * 2 = require Phase 2 authentication in all cases
+ # EAP-WSC (WPS) uses following options: pin=<Device Password> or
+ # pbc=1.
+ #
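Review bot: the option text does not say that phase2_auth=2 gives up fast re-authentication, although the hunk header places this block after fast_reauth=1 and the eap_peap.c change makes eap_peap_has_reauth_data() return false for ALWAYS. Add a sentence on that interaction so an administrator choosing 2 knows what is traded away; the "is no used" typo is repeated here.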
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
index 6e80ac7de3..70f1fd6fc9 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
file://wpa_supplicant.conf \
file://wpa_supplicant.conf-sane \
file://99_wpa_supplicant \
+ file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \
"
SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"
--
2.34.1
* [OE-core][kirkstone 2/5] llvm: Fix CVE-2023-46049
From: Steve Sakoman @ 2024-07-31 12:02 UTC (permalink / raw)
To: openembedded-core
From: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
[Bitcode] Add some missing GetTypeByID failure checks
Print an error instead of crashing.
Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../llvm/llvm/CVE-2023-46049.patch | 34 +++++++++++++++++++
meta/recipes-devtools/llvm/llvm_git.bb | 1 +
2 files changed, 35 insertions(+)
create mode 100644 meta/recipes-devtools/llvm/llvm/CVE-2023-46049.patch
diff --git a/meta/recipes-devtools/llvm/llvm/CVE-2023-46049.patch b/meta/recipes-devtools/llvm/llvm/CVE-2023-46049.patch
new file mode 100644
index 0000000000..c34e9ae69c
--- /dev/null
+++ b/meta/recipes-devtools/llvm/llvm/CVE-2023-46049.patch
@@ -0,0 +1,34 @@
+commit c2515a8f2be5dd23354c9891f41ad104000f88c4
+Author: Nikita Popov <npopov@redhat.com>
+Date: Tue Sep 26 16:51:40 2023 +0200
+
+ [Bitcode] Add some missing GetTypeByID failure checks
+
+ Print an error instead of crashing.
+
+ Fixes https://github.com/llvm/llvm-project/issues/67388.
+
+Upstream-Status: Backport [https://github.com/llvm/llvm-project/commit/c2515a8f2be5dd23354c9891f41ad104000f88c4]
+CVE: CVE-2023-46049
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+--- a/llvm/lib/Bitcode/Reader/MetadataLoader.cpp 2022-01-20 13:31:59.000000000 -0800
++++ b/llvm/lib/Bitcode/Reader/MetadataLoader.cpp 2024-07-28 21:35:31.062992219 -0700
+@@ -1235,7 +1235,7 @@
+ }
+
+ Type *Ty = getTypeByID(Record[0]);
+- if (Ty->isMetadataTy() || Ty->isVoidTy()) {
++ if (!Ty || Ty->isMetadataTy() || Ty->isVoidTy()) {
+ dropRecord();
+ break;
+ }
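Review bot: at this first site a null Ty from getTypeByID(Record[0]) is handled by dropRecord() and break, so an invalid type ID is skipped silently, whereas the second site returns error("Invalid record"). The commit message says "Print an error instead of crashing"; confirm that dropping the record without a diagnostic matches upstream's intent here, and consider a comment saying why this path is lenient.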
+@@ -1277,7 +1277,7 @@
+ return error("Invalid record");
+
+ Type *Ty = getTypeByID(Record[0]);
+- if (Ty->isMetadataTy() || Ty->isVoidTy())
++ if (!Ty || Ty->isMetadataTy() || Ty->isVoidTy())
+ return error("Invalid record");
+
+ MetadataList.assignValue(
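Review bot: the file headers of this patch carry local timestamps (2022-01-20 and 2024-07-28) rather than git index lines, so it was regenerated by hand against the older tree. Since the upstream subject speaks of "some missing" checks, please state in the patch header whether upstream touched further getTypeByID call sites that do not exist in this version, so a later reader can tell the backport is complete.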
diff --git a/meta/recipes-devtools/llvm/llvm_git.bb b/meta/recipes-devtools/llvm/llvm_git.bb
index cedbfb138e..dbf1ff45d4 100644
--- a/meta/recipes-devtools/llvm/llvm_git.bb
+++ b/meta/recipes-devtools/llvm/llvm_git.bb
@@ -33,6 +33,7 @@ SRC_URI = "git://github.com/llvm/llvm-project.git;branch=${BRANCH};protocol=http
file://0007-llvm-allow-env-override-of-exe-path.patch;striplevel=2 \
file://0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch;striplevel=2 \
file://0001-Support-Add-missing-cstdint-header-to-Signals.h.patch;striplevel=2 \
+ file://CVE-2023-46049.patch;striplevel=2 \
"
UPSTREAM_CHECK_GITTAGREGEX = "llvmorg-(?P<pver>\d+(\.\d+)+)"
--
2.34.1
* [OE-core][kirkstone 3/5] llvm: Fix CVE-2024-31852
From: Steve Sakoman @ 2024-07-31 12:02 UTC (permalink / raw)
To: openembedded-core
From: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../llvm/llvm/CVE-2024-31852-1.patch | 85 +++++++++++++
.../llvm/llvm/CVE-2024-31852-2.patch | 117 ++++++++++++++++++
meta/recipes-devtools/llvm/llvm_git.bb | 2 +
3 files changed, 204 insertions(+)
create mode 100644 meta/recipes-devtools/llvm/llvm/CVE-2024-31852-1.patch
create mode 100644 meta/recipes-devtools/llvm/llvm/CVE-2024-31852-2.patch
diff --git a/meta/recipes-devtools/llvm/llvm/CVE-2024-31852-1.patch b/meta/recipes-devtools/llvm/llvm/CVE-2024-31852-1.patch
new file mode 100644
index 0000000000..7cf4a52715
--- /dev/null
+++ b/meta/recipes-devtools/llvm/llvm/CVE-2024-31852-1.patch
@@ -0,0 +1,85 @@
+commit b1a5ee1febd8a903cec3dfdad61d57900dc3823e
+Author: Florian Hahn <flo@fhahn.com>
+Date: Wed Dec 20 16:56:15 2023 +0100
+
+ [ARM] Check all terms in emitPopInst when clearing Restored for LR. (#75527)
+
+ emitPopInst checks a single function exit MBB. If other paths also exit
+ the function and any of there terminators uses LR implicitly, it is not
+ save to clear the Restored bit.
+
+ Check all terminators for the function before clearing Restored.
+
+ This fixes a mis-compile in outlined-fn-may-clobber-lr-in-caller.ll
+ where the machine-outliner previously introduced BLs that clobbered LR
+ which in turn is used by the tail call return.
+
+ Alternative to #73553
+
+Upstream-Status: Backport [https://github.com/llvm/llvm-project/commit/b1a5ee1febd8a903cec3dfdad61d57900dc3823e]
+CVE: CVE-2024-31852
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+---
+diff --git a/llvm/lib/Target/ARM/ARMFrameLowering.cpp b/llvm/lib/Target/ARM/ARMFrameLowering.cpp
+index 025e43444f9c..a9acf338ebf5 100644
+--- a/llvm/lib/Target/ARM/ARMFrameLowering.cpp
++++ b/llvm/lib/Target/ARM/ARMFrameLowering.cpp
+@@ -1236,9 +1236,6 @@ void ARMFrameLowering::emitPopInst(MachineBasicBlock &MBB,
+ // Fold the return instruction into the LDM.
+ DeleteRet = true;
+ LdmOpc = AFI->isThumbFunction() ? ARM::t2LDMIA_RET : ARM::LDMIA_RET;
+- // We 'restore' LR into PC so it is not live out of the return block:
+- // Clear Restored bit.
+- Info.setRestored(false);
+ }
+
+ // If NoGap is true, pop consecutive registers and then leave the rest
+@@ -2292,6 +2289,33 @@ void ARMFrameLowering::determineCalleeSaves(MachineFunction &MF,
+ AFI->setLRIsSpilled(SavedRegs.test(ARM::LR));
+ }
+
++void ARMFrameLowering::processFunctionBeforeFrameFinalized(
++ MachineFunction &MF, RegScavenger *RS) const {
++ TargetFrameLowering::processFunctionBeforeFrameFinalized(MF, RS);
++
++ MachineFrameInfo &MFI = MF.getFrameInfo();
++ if (!MFI.isCalleeSavedInfoValid())
++ return;
++
++ // Check if all terminators do not implicitly use LR. Then we can 'restore' LR
++ // into PC so it is not live out of the return block: Clear the Restored bit
++ // in that case.
++ for (CalleeSavedInfo &Info : MFI.getCalleeSavedInfo()) {
++ if (Info.getReg() != ARM::LR)
++ continue;
++ if (all_of(MF, [](const MachineBasicBlock &MBB) {
++ return all_of(MBB.terminators(), [](const MachineInstr &Term) {
++ return !Term.isReturn() || Term.getOpcode() == ARM::LDMIA_RET ||
++ Term.getOpcode() == ARM::t2LDMIA_RET ||
++ Term.getOpcode() == ARM::tPOP_RET;
++ });
++ })) {
++ Info.setRestored(false);
++ break;
++ }
++ }
++}
++
+ void ARMFrameLowering::getCalleeSaves(const MachineFunction &MF,
+ BitVector &SavedRegs) const {
+ TargetFrameLowering::getCalleeSaves(MF, SavedRegs);
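Review bot: the added comment says the loop checks that terminators "do not implicitly use LR", but the lambda tests an opcode allow-list (LDMIA_RET, t2LDMIA_RET, tPOP_RET) for return instructions and accepts every non-return terminator. Rewording the comment to describe what is actually tested would avoid misleading the next backporter. The upstream message refers to the test outlined-fn-may-clobber-lr-in-caller.ll, which this backport does not carry; a note in the patch header that the test changes were dropped would be useful.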
+diff --git a/llvm/lib/Target/ARM/ARMFrameLowering.h b/llvm/lib/Target/ARM/ARMFrameLowering.h
+index 9822e2321bb4..266d642bb97b 100644
+--- a/llvm/lib/Target/ARM/ARMFrameLowering.h
++++ b/llvm/lib/Target/ARM/ARMFrameLowering.h
+@@ -58,6 +58,9 @@ public:
+ void determineCalleeSaves(MachineFunction &MF, BitVector &SavedRegs,
+ RegScavenger *RS) const override;
+
++ void processFunctionBeforeFrameFinalized(
++ MachineFunction &MF, RegScavenger *RS = nullptr) const override;
++
+ void adjustForSegmentedStacks(MachineFunction &MF,
+ MachineBasicBlock &MBB) const override;
+
+
diff --git a/meta/recipes-devtools/llvm/llvm/CVE-2024-31852-2.patch b/meta/recipes-devtools/llvm/llvm/CVE-2024-31852-2.patch
new file mode 100644
index 0000000000..b6082b0ef3
--- /dev/null
+++ b/meta/recipes-devtools/llvm/llvm/CVE-2024-31852-2.patch
@@ -0,0 +1,117 @@
+commit 0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2
+Author: ostannard <oliver.stannard@arm.com>
+Date: Mon Feb 26 12:23:25 2024 +0000
+
+ [ARM] Update IsRestored for LR based on all returns (#82745)
+
+ PR #75527 fixed ARMFrameLowering to set the IsRestored flag for LR based
+ on all of the return instructions in the function, not just one.
+ However, there is also code in ARMLoadStoreOptimizer which changes
+ return instructions, but it set IsRestored based on the one instruction
+ it changed, not the whole function.
+
+ The fix is to factor out the code added in #75527, and also call it from
+ ARMLoadStoreOptimizer if it made a change to return instructions.
+
+ Fixes #80287.
+
+ (cherry picked from commit 749384c08e042739342c88b521c8ba5dac1b9276)
+
+Upstream-Status: Backport [https://github.com/llvm/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2]
+CVE: CVE-2024-31852
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+---
+diff --git a/llvm/lib/Target/ARM/ARMFrameLowering.cpp b/llvm/lib/Target/ARM/ARMFrameLowering.cpp
+index a9acf338ebf5..13d3cbf650ed 100644
+--- a/llvm/lib/Target/ARM/ARMFrameLowering.cpp
++++ b/llvm/lib/Target/ARM/ARMFrameLowering.cpp
+@@ -2289,10 +2289,7 @@ void ARMFrameLowering::determineCalleeSaves(MachineFunction &MF,
+ AFI->setLRIsSpilled(SavedRegs.test(ARM::LR));
+ }
+
+-void ARMFrameLowering::processFunctionBeforeFrameFinalized(
+- MachineFunction &MF, RegScavenger *RS) const {
+- TargetFrameLowering::processFunctionBeforeFrameFinalized(MF, RS);
+-
++void ARMFrameLowering::updateLRRestored(MachineFunction &MF) {
+ MachineFrameInfo &MFI = MF.getFrameInfo();
+ if (!MFI.isCalleeSavedInfoValid())
+ return;
+@@ -2316,6 +2313,12 @@ void ARMFrameLowering::processFunctionBeforeFrameFinalized(
+ }
+ }
+
++void ARMFrameLowering::processFunctionBeforeFrameFinalized(
++ MachineFunction &MF, RegScavenger *RS) const {
++ TargetFrameLowering::processFunctionBeforeFrameFinalized(MF, RS);
++ updateLRRestored(MF);
++}
++
+ void ARMFrameLowering::getCalleeSaves(const MachineFunction &MF,
+ BitVector &SavedRegs) const {
+ TargetFrameLowering::getCalleeSaves(MF, SavedRegs);
+diff --git a/llvm/lib/Target/ARM/ARMFrameLowering.h b/llvm/lib/Target/ARM/ARMFrameLowering.h
+index 67505b61a5e1..b13b76d7086c 100644
+--- a/llvm/lib/Target/ARM/ARMFrameLowering.h
++++ b/llvm/lib/Target/ARM/ARMFrameLowering.h
+@@ -58,6 +58,10 @@ public:
+ void determineCalleeSaves(MachineFunction &MF, BitVector &SavedRegs,
+ RegScavenger *RS) const override;
+
++ /// Update the IsRestored flag on LR if it is spilled, based on the return
++ /// instructions.
++ static void updateLRRestored(MachineFunction &MF);
++
+ void processFunctionBeforeFrameFinalized(
+ MachineFunction &MF, RegScavenger *RS = nullptr) const override;
+
+diff --git a/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp b/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp
+index fd06bfdf352c..561c1396190d 100644
+--- a/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp
++++ b/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp
+@@ -2060,17 +2060,6 @@ bool ARMLoadStoreOpt::MergeReturnIntoLDM(MachineBasicBlock &MBB) {
+ MO.setReg(ARM::PC);
+ PrevMI.copyImplicitOps(*MBB.getParent(), *MBBI);
+ MBB.erase(MBBI);
+- // We now restore LR into PC so it is not live-out of the return block
+- // anymore: Clear the CSI Restored bit.
+- MachineFrameInfo &MFI = MBB.getParent()->getFrameInfo();
+- // CSI should be fixed after PrologEpilog Insertion
+- assert(MFI.isCalleeSavedInfoValid() && "CSI should be valid");
+- for (CalleeSavedInfo &Info : MFI.getCalleeSavedInfo()) {
+- if (Info.getReg() == ARM::LR) {
+- Info.setRestored(false);
+- break;
+- }
+- }
+ return true;
+ }
+ }
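Review bot: the removed block included assert(MFI.isCalleeSavedInfoValid() && "CSI should be valid"), while the updateLRRestored() that replaces it returns early when the callee-saved info is not valid. For this caller that turns a checked invariant into a silent no-op that leaves the Restored bit untouched; keeping the assert at the call site in runOnMachineFunction would preserve the check.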
+@@ -2118,16 +2107,24 @@ bool ARMLoadStoreOpt::runOnMachineFunction(MachineFunction &Fn) {
+ isThumb2 = AFI->isThumb2Function();
+ isThumb1 = AFI->isThumbFunction() && !isThumb2;
+
+- bool Modified = false;
++ bool Modified = false, ModifiedLDMReturn = false;
+ for (MachineFunction::iterator MFI = Fn.begin(), E = Fn.end(); MFI != E;
+ ++MFI) {
+ MachineBasicBlock &MBB = *MFI;
+ Modified |= LoadStoreMultipleOpti(MBB);
+ if (STI->hasV5TOps())
+- Modified |= MergeReturnIntoLDM(MBB);
++ ModifiedLDMReturn |= MergeReturnIntoLDM(MBB);
+ if (isThumb1)
+ Modified |= CombineMovBx(MBB);
+ }
++ Modified |= ModifiedLDMReturn;
++
++ // If we merged a BX instruction into an LDM, we need to re-calculate whether
++ // LR is restored. This check needs to consider the whole function, not just
++ // the instruction(s) we changed, because there may be other BX returns which
++ // still need LR to be restored.
++ if (ModifiedLDMReturn)
++ ARMFrameLowering::updateLRRestored(Fn);
+
+ Allocator.DestroyAll();
+ return Modified;
+
diff --git a/meta/recipes-devtools/llvm/llvm_git.bb b/meta/recipes-devtools/llvm/llvm_git.bb
index dbf1ff45d4..6c2e8a5570 100644
--- a/meta/recipes-devtools/llvm/llvm_git.bb
+++ b/meta/recipes-devtools/llvm/llvm_git.bb
@@ -34,6 +34,8 @@ SRC_URI = "git://github.com/llvm/llvm-project.git;branch=${BRANCH};protocol=http
file://0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch;striplevel=2 \
file://0001-Support-Add-missing-cstdint-header-to-Signals.h.patch;striplevel=2 \
file://CVE-2023-46049.patch;striplevel=2 \
+ file://CVE-2024-31852-1.patch;striplevel=2 \
+ file://CVE-2024-31852-2.patch;striplevel=2 \
"
UPSTREAM_CHECK_GITTAGREGEX = "llvmorg-(?P<pver>\d+(\.\d+)+)"
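Review bot: the two SRC_URI entries added here are order-dependent, since CVE-2024-31852-2.patch rewrites the processFunctionBeforeFrameFinalized() body that CVE-2024-31852-1.patch introduces, and the commit message for this change has no body at all. Add a short description naming both upstream commits and why one CVE needs two patches.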
--
2.34.1
* [OE-core][kirkstone 4/5] wireless-regdb: upgrade 2024.01.23 -> 2024.05.08
From: Steve Sakoman @ 2024-07-31 12:02 UTC (permalink / raw)
To: openembedded-core
From: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0823e8ea83ac907b37bc9eb0ec7dc32862997eff)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...ireless-regdb_2024.01.23.bb => wireless-regdb_2024.05.08.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2024.01.23.bb => wireless-regdb_2024.05.08.bb} (94%)
diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.01.23.bb b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.05.08.bb
similarity index 94%
rename from meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.01.23.bb
rename to meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.05.08.bb
index 8fde236ab4..95e33d9fb1 100644
--- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.01.23.bb
+++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.05.08.bb
@@ -5,7 +5,7 @@ LICENSE = "ISC"
LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c"
SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz"
-SRC_URI[sha256sum] = "c8a61c9acf76fa7eb4239e89f640dee3e87098d9f69b4d3518c9c60fc6d20c55"
+SRC_URI[sha256sum] = "9aee1d86ebebb363b714bec941b2820f31e3b7f1a485ddc9fcbd9985c7d3e7c4"
inherit bin_package allarch
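Review bot: the rename changes only SRC_URI[sha256sum], and the commit message gives no summary of what 2024.05.08 contains. For a stable-branch upgrade, add a line describing the upstream changes, and note that LIC_FILES_CHKSUM still matches the new tarball.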
--
2.34.1
* [OE-core][kirkstone 5/5] gcc-runtime: remove bashism
From: Steve Sakoman @ 2024-07-31 12:02 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Debian 12 no longer supports replacing dash with bash as default shell.
Therefore to achieve compatibility with Debian 12, all bashisms need
to be removed.
Shell comparison via == gives an error with dash and thus the condition
is always false.
(From OE-Core rev: 3723b26f82219ff71823335d550dbf29086d63d4)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/gcc/gcc-runtime.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/gcc/gcc-runtime.inc b/meta/recipes-devtools/gcc/gcc-runtime.inc
index d019b0790b..3aa8fe4045 100644
--- a/meta/recipes-devtools/gcc/gcc-runtime.inc
+++ b/meta/recipes-devtools/gcc/gcc-runtime.inc
@@ -145,7 +145,7 @@ do_install:append:class-target () {
ln -s ../${TARGET_SYS}/ext ${D}${includedir}/c++/${BINV}/${TARGET_ARCH}${TARGET_VENDOR_MULTILIB_ORIGINAL}-${TARGET_OS}/ext
fi
- if [ "${TARGET_ARCH}" == "x86_64" -a "${MULTILIB_VARIANTS}" != "" ];then
+ if [ "${TARGET_ARCH}" = "x86_64" -a "${MULTILIB_VARIANTS}" != "" ];then
ln -sf ../${X86ARCH32}${TARGET_VENDOR}-${TARGET_OS} ${D}${includedir}/c++/${BINV}/${TARGET_ARCH}${TARGET_VENDOR}-${TARGET_OS}/32
fi
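Review bot: the replaced test still uses -a inside [ ], which POSIX marks as obsolescent because its parsing is ambiguous with some operands. Since the line is being touched for portability, consider [ "${TARGET_ARCH}" = "x86_64" ] && [ -n "${MULTILIB_VARIANTS}" ], and a space in ";then".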
--
2.34.1