* [OE-core][scarthgap 01/18] libstd-rs,rust-cross-canadian: set CVE_PRODUCT to rust
2024-08-04 17:09 [OE-core][scarthgap 00/18] Patch review Steve Sakoman
@ 2024-08-04 17:09 ` Steve Sakoman
2024-08-04 17:09 ` [OE-core][scarthgap 02/18] busybox: CVE-2023-42364 and CVE-2023-42365 fixes Steve Sakoman
` (16 subsequent siblings)
17 siblings, 0 replies; 28+ messages in thread
From: Steve Sakoman @ 2024-08-04 17:09 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
These recipes come from rust sources and CVEs are reported for them
under rust-lang:rust vendor:product tuple.
Especially libstd-rs needs correct CVE_PRODUCT as it is installed on
target devices (being statically linked to rust compiled binaries).
before:
cargo: CVE_PRODUCT="cargo"
cargo-c-native: CVE_PRODUCT="cargo-c"
libstd-rs: CVE_PRODUCT="libstd-rs"
rust: CVE_PRODUCT="rust"
rust-cross-canadian: CVE_PRODUCT="rust-cross-canadian-<arch>"
rust-llvm: CVE_PRODUCT="rust-llvm"
after:
cargo: CVE_PRODUCT="cargo"
cargo-c-native: CVE_PRODUCT="cargo-c"
libstd-rs: CVE_PRODUCT="rust"
rust: CVE_PRODUCT="rust"
rust-cross-canadian-x86-64: CVE_PRODUCT="rust"
rust-llvm: CVE_PRODUCT="rust-llvm"
Product for rust-llvm is uncertain and should be handled in another
commit if it is desired to align it, too.
sqlite> select vendor, product, count(product) from products where vendor="rust-lang" group by product;
rust-lang|async-h1|2
rust-lang|cargo|5
rust-lang|future-utils|2
rust-lang|futures-task|2
rust-lang|mdbook|1
rust-lang|regex|2
rust-lang|rsa|2
rust-lang|rust|45
rust-lang|socket2|1
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e8cf1df16a6ec2785cacaf608bec5cd8496103af)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/rust/libstd-rs_1.75.0.bb | 2 ++
meta/recipes-devtools/rust/rust-cross-canadian.inc | 1 +
2 files changed, 3 insertions(+)
diff --git a/meta/recipes-devtools/rust/libstd-rs_1.75.0.bb b/meta/recipes-devtools/rust/libstd-rs_1.75.0.bb
index d2bf266f9d..fe016e72d4 100644
--- a/meta/recipes-devtools/rust/libstd-rs_1.75.0.bb
+++ b/meta/recipes-devtools/rust/libstd-rs_1.75.0.bb
@@ -15,6 +15,8 @@ S = "${RUSTSRC}/library/sysroot"
RUSTLIB_DEP = ""
inherit cargo
+CVE_PRODUCT = "rust"
+
DEPENDS:append:libc-musl = " libunwind"
# rv32 does not have libunwind ported yet
DEPENDS:remove:riscv32 = "libunwind"
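Review bot: CVE_PRODUCT = "rust" in libstd-rs_1.75.0.bb names only the product, while the commit message says the CVEs are filed under the rust-lang:rust vendor:product pair. Consider writing the value as "rust-lang:rust" so that a same-named product from another vendor cannot match, and add a one-line comment above it saying that libstd-rs is built from the rust sources, since the product no longer follows the recipe name.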
diff --git a/meta/recipes-devtools/rust/rust-cross-canadian.inc b/meta/recipes-devtools/rust/rust-cross-canadian.inc
index 7bfef6d175..8a51a02293 100644
--- a/meta/recipes-devtools/rust/rust-cross-canadian.inc
+++ b/meta/recipes-devtools/rust/rust-cross-canadian.inc
@@ -1,5 +1,6 @@
SUMMARY = "Rust compiler and runtime libaries (cross-canadian for ${TARGET_ARCH} target)"
PN = "rust-cross-canadian-${TRANSLATED_TARGET_ARCH}"
+CVE_PRODUCT = "rust"
inherit rust-target-config
inherit rust-common
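Review bot: the new CVE_PRODUCT line in rust-cross-canadian.inc sits directly under a PN assignment that expands to an architecture-specific name, with nothing explaining why the two differ. A short comment saying the recipe is built from the rust sources and is tracked under the rust product would make the intent clear; the value could also carry the rust-lang vendor that the commit message names.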
--
2.34.1
* [OE-core][scarthgap 02/18] busybox: CVE-2023-42364 and CVE-2023-42365 fixes
From: Steve Sakoman @ 2024-08-04 17:09 UTC (permalink / raw)
To: openembedded-core
From: Khem Raj <raj.khem@gmail.com>
backport upstream fix for CVEs and fix the regression that introduced [1]
[1] http://lists.busybox.net/pipermail/busybox/2024-May/090766.html
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...01-awk-fix-precedence-of-relative-to.patch | 197 ++++++++++++++++++
...x-ternary-operator-and-precedence-of.patch | 96 +++++++++
meta/recipes-core/busybox/busybox_1.36.1.bb | 2 +
3 files changed, 295 insertions(+)
create mode 100644 meta/recipes-core/busybox/busybox/0001-awk-fix-precedence-of-relative-to.patch
create mode 100644 meta/recipes-core/busybox/busybox/0002-awk-fix-ternary-operator-and-precedence-of.patch
diff --git a/meta/recipes-core/busybox/busybox/0001-awk-fix-precedence-of-relative-to.patch b/meta/recipes-core/busybox/busybox/0001-awk-fix-precedence-of-relative-to.patch
new file mode 100644
index 0000000000..5836cf8a00
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-awk-fix-precedence-of-relative-to.patch
@@ -0,0 +1,197 @@
+From dedc9380c76834ba64c8b526aef6f461ea4e7f2e Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Tue, 30 May 2023 16:42:18 +0200
+Subject: [PATCH 1/2] awk: fix precedence of = relative to ==
+
+Discovered while adding code to disallow assignments to non-lvalues
+
+function old new delta
+parse_expr 936 991 +55
+.rodata 105243 105247 +4
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 59/0) Total: 59 bytes
+
+CVE: CVE-2023-42364 CVE-2023-42365
+
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4]
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+(cherry picked from commit 0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4)
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ editors/awk.c | 66 ++++++++++++++++++++++++++++++---------------
+ testsuite/awk.tests | 5 ++++
+ 2 files changed, 50 insertions(+), 21 deletions(-)
+
+diff --git a/editors/awk.c b/editors/awk.c
+index ec9301e..aff86fe 100644
+--- a/editors/awk.c
++++ b/editors/awk.c
+@@ -337,7 +337,9 @@ static void debug_parse_print_tc(uint32_t n)
+ #undef P
+ #undef PRIMASK
+ #undef PRIMASK2
+-#define P(x) (x << 24)
++/* Smaller 'x' means _higher_ operator precedence */
++#define PRECEDENCE(x) (x << 24)
++#define P(x) PRECEDENCE(x)
+ #define PRIMASK 0x7F000000
+ #define PRIMASK2 0x7E000000
+
+@@ -360,7 +362,7 @@ enum {
+ OC_MOVE = 0x1f00, OC_PGETLINE = 0x2000, OC_REGEXP = 0x2100,
+ OC_REPLACE = 0x2200, OC_RETURN = 0x2300, OC_SPRINTF = 0x2400,
+ OC_TERNARY = 0x2500, OC_UNARY = 0x2600, OC_VAR = 0x2700,
+- OC_DONE = 0x2800,
++ OC_CONST = 0x2800, OC_DONE = 0x2900,
+
+ ST_IF = 0x3000, ST_DO = 0x3100, ST_FOR = 0x3200,
+ ST_WHILE = 0x3300
+@@ -440,9 +442,9 @@ static const uint32_t tokeninfo[] ALIGN4 = {
+ #define TI_PREINC (OC_UNARY|xV|P(9)|'P')
+ #define TI_PREDEC (OC_UNARY|xV|P(9)|'M')
+ TI_PREINC, TI_PREDEC, OC_FIELD|xV|P(5),
+- OC_COMPARE|VV|P(39)|5, OC_MOVE|VV|P(74), OC_REPLACE|NV|P(74)|'+', OC_REPLACE|NV|P(74)|'-',
+- OC_REPLACE|NV|P(74)|'*', OC_REPLACE|NV|P(74)|'/', OC_REPLACE|NV|P(74)|'%', OC_REPLACE|NV|P(74)|'&',
+- OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(74)|'&', OC_BINARY|NV|P(15)|'&',
++ OC_COMPARE|VV|P(39)|5, OC_MOVE|VV|P(38), OC_REPLACE|NV|P(38)|'+', OC_REPLACE|NV|P(38)|'-',
++ OC_REPLACE|NV|P(38)|'*', OC_REPLACE|NV|P(38)|'/', OC_REPLACE|NV|P(38)|'%', OC_REPLACE|NV|P(38)|'&',
++ OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(38)|'&', OC_BINARY|NV|P(15)|'&',
+ OC_BINARY|NV|P(25)|'/', OC_BINARY|NV|P(25)|'%', OC_BINARY|NV|P(15)|'&', OC_BINARY|NV|P(25)|'*',
+ OC_COMPARE|VV|P(39)|4, OC_COMPARE|VV|P(39)|3, OC_COMPARE|VV|P(39)|0, OC_COMPARE|VV|P(39)|1,
+ #define TI_LESS (OC_COMPARE|VV|P(39)|2)
+@@ -1290,7 +1292,7 @@ static uint32_t next_token(uint32_t expected)
+ save_tclass = tc;
+ save_info = t_info;
+ tc = TC_BINOPX;
+- t_info = OC_CONCAT | SS | P(35);
++ t_info = OC_CONCAT | SS | PRECEDENCE(35);
+ }
+
+ t_tclass = tc;
+@@ -1350,9 +1352,8 @@ static node *parse_expr(uint32_t term_tc)
+ {
+ node sn;
+ node *cn = &sn;
+- node *vn, *glptr;
++ node *glptr;
+ uint32_t tc, expected_tc;
+- var *v;
+
+ debug_printf_parse("%s() term_tc(%x):", __func__, term_tc);
+ debug_parse_print_tc(term_tc);
+@@ -1363,11 +1364,12 @@ static node *parse_expr(uint32_t term_tc)
+ expected_tc = TS_OPERAND | TS_UOPPRE | TC_REGEXP | term_tc;
+
+ while (!((tc = next_token(expected_tc)) & term_tc)) {
++ node *vn;
+
+ if (glptr && (t_info == TI_LESS)) {
+ /* input redirection (<) attached to glptr node */
+ debug_printf_parse("%s: input redir\n", __func__);
+- cn = glptr->l.n = new_node(OC_CONCAT | SS | P(37));
++ cn = glptr->l.n = new_node(OC_CONCAT | SS | PRECEDENCE(37));
+ cn->a.n = glptr;
+ expected_tc = TS_OPERAND | TS_UOPPRE;
+ glptr = NULL;
+@@ -1379,24 +1381,42 @@ static node *parse_expr(uint32_t term_tc)
+ * previous operators with higher priority */
+ vn = cn;
+ while (((t_info & PRIMASK) > (vn->a.n->info & PRIMASK2))
+- || ((t_info == vn->info) && t_info == TI_COLON)
++ || (t_info == vn->info && t_info == TI_COLON)
+ ) {
+ vn = vn->a.n;
+ if (!vn->a.n) syntax_error(EMSG_UNEXP_TOKEN);
+ }
+ if (t_info == TI_TERNARY)
+ //TODO: why?
+- t_info += P(6);
++ t_info += PRECEDENCE(6);
+ cn = vn->a.n->r.n = new_node(t_info);
+ cn->a.n = vn->a.n;
+ if (tc & TS_BINOP) {
+ cn->l.n = vn;
+-//FIXME: this is the place to detect and reject assignments to non-lvalues.
+-//Currently we allow "assignments" to consts and temporaries, nonsense like this:
+-// awk 'BEGIN { "qwe" = 1 }'
+-// awk 'BEGIN { 7 *= 7 }'
+-// awk 'BEGIN { length("qwe") = 1 }'
+-// awk 'BEGIN { (1+1) += 3 }'
++
++ /* Prevent:
++ * awk 'BEGIN { "qwe" = 1 }'
++ * awk 'BEGIN { 7 *= 7 }'
++ * awk 'BEGIN { length("qwe") = 1 }'
++ * awk 'BEGIN { (1+1) += 3 }'
++ */
++ /* Assignment? (including *= and friends) */
++ if (((t_info & OPCLSMASK) == OC_MOVE)
++ || ((t_info & OPCLSMASK) == OC_REPLACE)
++ ) {
++ debug_printf_parse("%s: MOVE/REPLACE vn->info:%08x\n", __func__, vn->info);
++ /* Left side is a (variable or array element)
++ * or function argument
++ * or $FIELD ?
++ */
++ if ((vn->info & OPCLSMASK) != OC_VAR
++ && (vn->info & OPCLSMASK) != OC_FNARG
++ && (vn->info & OPCLSMASK) != OC_FIELD
++ ) {
++ syntax_error(EMSG_UNEXP_TOKEN); /* no. bad */
++ }
++ }
++
+ expected_tc = TS_OPERAND | TS_UOPPRE | TC_REGEXP;
+ if (t_info == TI_PGETLINE) {
+ /* it's a pipe */
+@@ -1432,6 +1452,8 @@ static node *parse_expr(uint32_t term_tc)
+ /* one should be very careful with switch on tclass -
+ * only simple tclasses should be used (TC_xyz, not TS_xyz) */
+ switch (tc) {
++ var *v;
++
+ case TC_VARIABLE:
+ case TC_ARRAY:
+ debug_printf_parse("%s: TC_VARIABLE | TC_ARRAY\n", __func__);
+@@ -1452,14 +1474,14 @@ static node *parse_expr(uint32_t term_tc)
+ case TC_NUMBER:
+ case TC_STRING:
+ debug_printf_parse("%s: TC_NUMBER | TC_STRING\n", __func__);
+- cn->info = OC_VAR;
++ cn->info = OC_CONST;
+ v = cn->l.v = xzalloc(sizeof(var));
+- if (tc & TC_NUMBER)
++ if (tc & TC_NUMBER) {
+ setvar_i(v, t_double);
+- else {
++ } else {
+ setvar_s(v, t_string);
+- expected_tc &= ~TC_UOPPOST; /* "str"++ is not allowed */
+ }
++ expected_tc &= ~TC_UOPPOST; /* NUM++, "str"++ not allowed */
+ break;
+
+ case TC_REGEXP:
+@@ -3107,6 +3129,8 @@ static var *evaluate(node *op, var *res)
+
+ /* -- recursive node type -- */
+
++ case XC( OC_CONST ):
++ debug_printf_eval("CONST ");
+ case XC( OC_VAR ):
+ debug_printf_eval("VAR\n");
+ L.v = op->l.v;
+diff --git a/testsuite/awk.tests b/testsuite/awk.tests
+index ddc5104..a78fdcd 100755
+--- a/testsuite/awk.tests
++++ b/testsuite/awk.tests
+@@ -540,4 +540,9 @@ testing 'awk assign while assign' \
+ │ trim/eff : 57.02%/26, 0.00% │ [cpu000:100%]
+ └────────────────────────────────────────────────────┘^C"
+
++testing "awk = has higher precedence than == (despite what gawk manpage claims)" \
++ "awk 'BEGIN { v=1; print 2==v; print 2==v=2; print v; print v=3==3; print v}'" \
++ '0\n1\n2\n1\n3\n' \
++ '' ''
++
+ exit $FAILCOUNT
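Review bot: the tokeninfo change from P(74) to P(38) for OC_MOVE and OC_REPLACE alters assignment precedence for every awk script, not only for the invalid assignments that the new lvalue check in parse_expr rejects, and the added test expects "print v=3==3; print v" to end with v at 3. The 0002 patch in this series changes that expectation back and states that it unbreaks the ternary operator after this commit, so this file should never be carried without 0002; say so in the patch header or next to the SRC_URI entries. Minor: the new case XC( OC_CONST ) in evaluate() falls through into OC_VAR without a fallthrough comment.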
diff --git a/meta/recipes-core/busybox/busybox/0002-awk-fix-ternary-operator-and-precedence-of.patch b/meta/recipes-core/busybox/busybox/0002-awk-fix-ternary-operator-and-precedence-of.patch
new file mode 100644
index 0000000000..ea3c84897b
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0002-awk-fix-ternary-operator-and-precedence-of.patch
@@ -0,0 +1,96 @@
+From c3bfdac8e0e9a21d524ad72036953f68d2193e52 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Tue, 21 May 2024 14:46:08 +0200
+Subject: [PATCH 2/2] awk: fix ternary operator and precedence of =
+
+Adjust the = precedence test to match behavior of gawk, mawk and
+FreeBSD. awk 'BEGIN {print v=3==3; print v}' should print two '1'.
+
+To fix this, and to unbreak the ternary conditional operator, we restore
+the precedence of = in the token list, but override this with a lower
+priority when the assignment is on the right side of a compare.
+
+This fixes commit 0256e00a9d07 (awk: fix precedence of = relative to ==) [1]
+
+CVE: CVE-2023-42364 CVE-2023-42365
+
+Upstream-Status: Submitted [http://lists.busybox.net/pipermail/busybox/2024-May/090766.html]
+
+[1] https://bugs.busybox.net/show_bug.cgi?id=15871#c6
+
+Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
+(cherry picked from commit 1714301c405ef03b39605c85c23f22a190cddd95)
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ editors/awk.c | 18 ++++++++++++++----
+ testsuite/awk.tests | 9 +++++++--
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/editors/awk.c b/editors/awk.c
+index aff86fe..f320d8c 100644
+--- a/editors/awk.c
++++ b/editors/awk.c
+@@ -442,9 +442,10 @@ static const uint32_t tokeninfo[] ALIGN4 = {
+ #define TI_PREINC (OC_UNARY|xV|P(9)|'P')
+ #define TI_PREDEC (OC_UNARY|xV|P(9)|'M')
+ TI_PREINC, TI_PREDEC, OC_FIELD|xV|P(5),
+- OC_COMPARE|VV|P(39)|5, OC_MOVE|VV|P(38), OC_REPLACE|NV|P(38)|'+', OC_REPLACE|NV|P(38)|'-',
+- OC_REPLACE|NV|P(38)|'*', OC_REPLACE|NV|P(38)|'/', OC_REPLACE|NV|P(38)|'%', OC_REPLACE|NV|P(38)|'&',
+- OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(38)|'&', OC_BINARY|NV|P(15)|'&',
++#define TI_ASSIGN (OC_MOVE|VV|P(74))
++ OC_COMPARE|VV|P(39)|5, TI_ASSIGN, OC_REPLACE|NV|P(74)|'+', OC_REPLACE|NV|P(74)|'-',
++ OC_REPLACE|NV|P(74)|'*', OC_REPLACE|NV|P(74)|'/', OC_REPLACE|NV|P(74)|'%', OC_REPLACE|NV|P(74)|'&',
++ OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(74)|'&', OC_BINARY|NV|P(15)|'&',
+ OC_BINARY|NV|P(25)|'/', OC_BINARY|NV|P(25)|'%', OC_BINARY|NV|P(15)|'&', OC_BINARY|NV|P(25)|'*',
+ OC_COMPARE|VV|P(39)|4, OC_COMPARE|VV|P(39)|3, OC_COMPARE|VV|P(39)|0, OC_COMPARE|VV|P(39)|1,
+ #define TI_LESS (OC_COMPARE|VV|P(39)|2)
+@@ -1376,11 +1377,19 @@ static node *parse_expr(uint32_t term_tc)
+ continue;
+ }
+ if (tc & (TS_BINOP | TC_UOPPOST)) {
++ int prio;
+ debug_printf_parse("%s: TS_BINOP | TC_UOPPOST tc:%x\n", __func__, tc);
+ /* for binary and postfix-unary operators, jump back over
+ * previous operators with higher priority */
+ vn = cn;
+- while (((t_info & PRIMASK) > (vn->a.n->info & PRIMASK2))
++ /* Let assignment get higher priority when used on right
++ * side in compare. i.e: 2==v=3 */
++ if (t_info == TI_ASSIGN && (vn->a.n->info & OPCLSMASK) == OC_COMPARE) {
++ prio = PRECEDENCE(38);
++ } else {
++ prio = (t_info & PRIMASK);
++ }
++ while ((prio > (vn->a.n->info & PRIMASK2))
+ || (t_info == vn->info && t_info == TI_COLON)
+ ) {
+ vn = vn->a.n;
+@@ -1412,6 +1421,7 @@ static node *parse_expr(uint32_t term_tc)
+ if ((vn->info & OPCLSMASK) != OC_VAR
+ && (vn->info & OPCLSMASK) != OC_FNARG
+ && (vn->info & OPCLSMASK) != OC_FIELD
++ && (vn->info & OPCLSMASK) != OC_COMPARE
+ ) {
+ syntax_error(EMSG_UNEXP_TOKEN); /* no. bad */
+ }
+diff --git a/testsuite/awk.tests b/testsuite/awk.tests
+index a78fdcd..d2706de 100755
+--- a/testsuite/awk.tests
++++ b/testsuite/awk.tests
+@@ -540,9 +540,14 @@ testing 'awk assign while assign' \
+ │ trim/eff : 57.02%/26, 0.00% │ [cpu000:100%]
+ └────────────────────────────────────────────────────┘^C"
+
+-testing "awk = has higher precedence than == (despite what gawk manpage claims)" \
++testing "awk = has higher precedence than == on right side" \
+ "awk 'BEGIN { v=1; print 2==v; print 2==v=2; print v; print v=3==3; print v}'" \
+- '0\n1\n2\n1\n3\n' \
++ '0\n1\n2\n1\n1\n' \
++ '' ''
++
++testing 'awk ternary precedence' \
++ "awk 'BEGIN { a = 0 ? \"yes\": \"no\"; print a }'" \
++ 'no\n' \
+ '' ''
+
+ exit $FAILCOUNT
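Review bot: the added condition "&& (vn->info & OPCLSMASK) != OC_COMPARE" in the lvalue check looks only at the class of vn, so an assignment whose left node is a compare is accepted whatever that compare's operands are. Checking that the compare's right operand is OC_VAR, OC_FNARG or OC_FIELD would keep the non-lvalue rejection added by 0001 intact. Also, prio is declared int although the precedence values in tokeninfo[] are uint32_t; uint32_t would match. The header carries both "Upstream-Status: Submitted" and a "cherry picked from commit" line, which should be reconciled.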
diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb
index 170447743c..86dc9e86bf 100644
--- a/meta/recipes-core/busybox/busybox_1.36.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.36.1.bb
@@ -53,6 +53,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://CVE-2021-42380.patch \
file://0001-awk-fix-segfault-when-compiled-by-clang.patch \
file://CVE-2023-42363.patch \
+ file://0001-awk-fix-precedence-of-relative-to.patch \
+ file://0002-awk-fix-ternary-operator-and-precedence-of.patch \
"
SRC_URI:append:libc-musl = " file://musl.cfg "
# TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html
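Review bot: the two new SRC_URI entries keep their git format-patch names, while the neighbouring entries are named after the CVE they fix (CVE-2021-42380.patch, CVE-2023-42363.patch), so the coverage of CVE-2023-42364 and CVE-2023-42365 is visible only through the CVE: tags inside the files. Either rename them after the CVEs or add a comment, and record that 0002 must stay directly after 0001, because it is generated against the awk.c that 0001 produces (index aff86fe).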
--
2.34.1
* [OE-core][scarthgap 03/18] busybox: Add fix for CVE-2023-42366
From: Steve Sakoman @ 2024-08-04 17:09 UTC (permalink / raw)
To: openembedded-core
From: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...1-awk.c-fix-CVE-2023-42366-bug-15874.patch | 37 +++++++++++++++++++
meta/recipes-core/busybox/busybox_1.36.1.bb | 1 +
2 files changed, 38 insertions(+)
create mode 100644 meta/recipes-core/busybox/busybox/0001-awk.c-fix-CVE-2023-42366-bug-15874.patch
diff --git a/meta/recipes-core/busybox/busybox/0001-awk.c-fix-CVE-2023-42366-bug-15874.patch b/meta/recipes-core/busybox/busybox/0001-awk.c-fix-CVE-2023-42366-bug-15874.patch
new file mode 100644
index 0000000000..282c2fde5a
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-awk.c-fix-CVE-2023-42366-bug-15874.patch
@@ -0,0 +1,37 @@
+From 8542236894a8d5f7393327117bc7f64787444efc Mon Sep 17 00:00:00 2001
+From: Valery Ushakov <uwe@stderr.spb.ru>
+Date: Wed, 24 Jan 2024 22:24:41 +0300
+Subject: [PATCH] awk.c: fix CVE-2023-42366 (bug #15874)
+
+Make sure we don't read past the end of the string in next_token()
+when backslash is the last character in an (invalid) regexp.
+a fix and issue reported in bugzilla
+
+https://bugs.busybox.net/show_bug.cgi?id=15874
+
+Upstream-Status: Submitted [http://lists.busybox.net/pipermail/busybox/2024-May/090766.html]
+
+CVE: CVE-2023-42366
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ editors/awk.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/editors/awk.c b/editors/awk.c
+index f320d8c..a53b193 100644
+--- a/editors/awk.c
++++ b/editors/awk.c
+@@ -1168,9 +1168,11 @@ static uint32_t next_token(uint32_t expected)
+ s[-1] = bb_process_escape_sequence((const char **)&pp);
+ if (*p == '\\')
+ *s++ = '\\';
+- if (pp == p)
++ if (pp == p) {
++ if (*p == '\0')
++ syntax_error(EMSG_UNEXP_EOS);
+ *s++ = *p++;
+- else
++ } else
+ p = pp;
+ }
+ }
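Review bot: the Upstream-Status line points at http://lists.busybox.net/pipermail/busybox/2024-May/090766.html, the same list post that the 0002 awk ternary patch in this series cites as its own submission, so it looks copied; the reference that belongs to this change is the bugzilla entry 15874 given in the message body. The header names Valery Ushakov as author but carries no Signed-off-by from him. In the code, the rewritten branch leaves "} else" with an unbraced body after a braced if; brace both arms.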
diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb
index 86dc9e86bf..bc1619d1a8 100644
--- a/meta/recipes-core/busybox/busybox_1.36.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.36.1.bb
@@ -55,6 +55,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://CVE-2023-42363.patch \
file://0001-awk-fix-precedence-of-relative-to.patch \
file://0002-awk-fix-ternary-operator-and-precedence-of.patch \
+ file://0001-awk.c-fix-CVE-2023-42366-bug-15874.patch \
"
SRC_URI:append:libc-musl = " file://musl.cfg "
# TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html
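Review bot: this entry has to stay after 0002-awk-fix-ternary-operator-and-precedence-of.patch, because the new patch is generated against the awk.c blob that 0002 produces (index f320d8c), and nothing in the recipe records that. A comment on the ordering would help. The commit message for this change has no body, so the reason for carrying a patch whose status is Submitted rather than Backport is not stated anywhere.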
--
2.34.1
* [OE-core][scarthgap 04/18] libyaml: Fix warning regarding unpatched CVE
From: Steve Sakoman @ 2024-08-04 17:09 UTC (permalink / raw)
To: openembedded-core
From: Niko Mauno <niko.mauno@vaisala.com>
This commit incorporates changes in the following master branch commits:
f3479f74c9 libyaml: Amend CVE status as 'upstream-wontfix'
3ebb2ca832 libyaml: Change CVE status to wontfix
56b6b35626 libyaml: Update status of CVE-2024-35328
which mitigate the following warning with cve-check.bbclass:
WARNING: libyaml-native-0.2.5-r0 do_cve_check: Found unpatched CVE (CVE-2024-35328), for more information check .../tmp/work/x86_64-linux/libyaml-native/0.2.5/temp/cve.log
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/libyaml/libyaml_0.2.5.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-support/libyaml/libyaml_0.2.5.bb b/meta/recipes-support/libyaml/libyaml_0.2.5.bb
index 4cb5717ece..1c6a5fcb45 100644
--- a/meta/recipes-support/libyaml/libyaml_0.2.5.bb
+++ b/meta/recipes-support/libyaml/libyaml_0.2.5.bb
@@ -18,4 +18,6 @@ inherit autotools
DISABLE_STATIC:class-nativesdk = ""
DISABLE_STATIC:class-native = ""
+CVE_STATUS[CVE-2024-35328] = "upstream-wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302"
+
BBCLASSEXTEND = "native nativesdk"
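Review bot: the warning quoted in the commit message is for libyaml-native, but CVE_STATUS[CVE-2024-35328] is set in the shared recipe, so it also marks the target and nativesdk builds as upstream-wontfix. If that is intended, say so in the commit message. The status text rests entirely on the linked upstream issue, so it should be revisited if upstream changes its position.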
--
2.34.1
* [OE-core][scarthgap 05/18] qemu: upgrade 8.2.2 -> 8.2.3
From: Steve Sakoman @ 2024-08-04 17:09 UTC (permalink / raw)
To: openembedded-core
From: Yogita Urade <yogita.urade@windriver.com>
This includes fixes for: CVE-2024-26327, CVE-2024-26328 and CVE-2024-3447
General changelog for 8.2: https://wiki.qemu.org/ChangeLog/8.2
Dropped 0001-linux-user-x86_64-Handle-the-vsyscall-page-in-open_s.patch,
CVE-2024-3446 and CVE-2024-3567 since already contained the fix.
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...u-native_8.2.2.bb => qemu-native_8.2.3.bb} | 0
...e_8.2.2.bb => qemu-system-native_8.2.3.bb} | 0
meta/recipes-devtools/qemu/qemu.inc | 8 +-
...4-Handle-the-vsyscall-page-in-open_s.patch | 56 --------------
.../qemu/qemu/CVE-2024-3446-01.patch | 73 -------------------
.../qemu/qemu/CVE-2024-3446-02.patch | 48 ------------
.../qemu/qemu/CVE-2024-3446-03.patch | 47 ------------
.../qemu/qemu/CVE-2024-3446-04.patch | 52 -------------
.../qemu/qemu/CVE-2024-3567.patch | 48 ------------
.../qemu/{qemu_8.2.2.bb => qemu_8.2.3.bb} | 0
10 files changed, 1 insertion(+), 331 deletions(-)
rename meta/recipes-devtools/qemu/{qemu-native_8.2.2.bb => qemu-native_8.2.3.bb} (100%)
rename meta/recipes-devtools/qemu/{qemu-system-native_8.2.2.bb => qemu-system-native_8.2.3.bb} (100%)
delete mode 100644 meta/recipes-devtools/qemu/qemu/0001-linux-user-x86_64-Handle-the-vsyscall-page-in-open_s.patch
delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3446-01.patch
delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3446-02.patch
delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3446-03.patch
delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3446-04.patch
delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3567.patch
rename meta/recipes-devtools/qemu/{qemu_8.2.2.bb => qemu_8.2.3.bb} (100%)
diff --git a/meta/recipes-devtools/qemu/qemu-native_8.2.2.bb b/meta/recipes-devtools/qemu/qemu-native_8.2.3.bb
similarity index 100%
rename from meta/recipes-devtools/qemu/qemu-native_8.2.2.bb
rename to meta/recipes-devtools/qemu/qemu-native_8.2.3.bb
diff --git a/meta/recipes-devtools/qemu/qemu-system-native_8.2.2.bb b/meta/recipes-devtools/qemu/qemu-system-native_8.2.3.bb
similarity index 100%
rename from meta/recipes-devtools/qemu/qemu-system-native_8.2.2.bb
rename to meta/recipes-devtools/qemu/qemu-system-native_8.2.3.bb
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index e121ae70cc..41af9ca045 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -34,18 +34,12 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://fixedmeson.patch \
file://no-pip.patch \
file://4a8579ad8629b57a43daa62e46cc7af6e1078116.patch \
- file://0001-linux-user-x86_64-Handle-the-vsyscall-page-in-open_s.patch \
file://0002-linux-user-loongarch64-Remove-TARGET_FORCE_SHMLBA.patch \
file://0003-linux-user-Add-strace-for-shmat.patch \
file://0004-linux-user-Rewrite-target_shmat.patch \
file://0005-tests-tcg-Check-that-shmat-does-not-break-proc-self-.patch \
file://qemu-guest-agent.init \
file://qemu-guest-agent.udev \
- file://CVE-2024-3446-01.patch \
- file://CVE-2024-3446-02.patch \
- file://CVE-2024-3446-03.patch \
- file://CVE-2024-3446-04.patch \
- file://CVE-2024-3567.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
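Review bot: only 0001-linux-user-x86_64-Handle-the-vsyscall-page-in-open_s.patch is dropped from the linux-user group, yet its header marks it as [PATCH 1/5] and the 0002 to 0005 linux-user patches, which by their numbering look like the rest of that series, stay in SRC_URI. Confirm that those four are not also contained in 8.2.3 and that they still apply. The commit message should also name the 8.2.3 commits that replace the removed CVE-2024-3446 and CVE-2024-3567 patches, so the cve-check result can be verified against the version bump alone.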
@@ -62,7 +56,7 @@ SRC_URI:append:class-native = " \
file://0012-linux-user-workaround-for-missing-MAP_SHARED_VALIDAT.patch \
"
-SRC_URI[sha256sum] = "847346c1b82c1a54b2c38f6edbd85549edeb17430b7d4d3da12620e2962bc4f3"
+SRC_URI[sha256sum] = "dc747fb366809455317601c4876bd1f6829a32a23e83fb76e45ab12c2a569964"
CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can expose host files uder some circumstances. We don't enable it by default."
diff --git a/meta/recipes-devtools/qemu/qemu/0001-linux-user-x86_64-Handle-the-vsyscall-page-in-open_s.patch b/meta/recipes-devtools/qemu/qemu/0001-linux-user-x86_64-Handle-the-vsyscall-page-in-open_s.patch
deleted file mode 100644
index 2eaebe883c..0000000000
--- a/meta/recipes-devtools/qemu/qemu/0001-linux-user-x86_64-Handle-the-vsyscall-page-in-open_s.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 4517e2046610722879761bcdb60edbb2b929c848 Mon Sep 17 00:00:00 2001
-From: Richard Henderson <richard.henderson@linaro.org>
-Date: Wed, 28 Feb 2024 10:25:14 -1000
-Subject: [PATCH 1/5] linux-user/x86_64: Handle the vsyscall page in
- open_self_maps_{2,4}
-
-This is the only case in which we expect to have no host memory backing
-for a guest memory page, because in general linux user processes cannot
-map any pages in the top half of the 64-bit address space.
-
-Upstream-Status: Submitted [https://www.mail-archive.com/qemu-devel@nongnu.org/msg1026793.html]
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2170
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
----
- linux-user/syscall.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index a114f29a8..8307a8a61 100644
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -7922,6 +7922,10 @@ static void open_self_maps_4(const struct open_self_maps_data *d,
- path = "[heap]";
- } else if (start == info->vdso) {
- path = "[vdso]";
-+#ifdef TARGET_X86_64
-+ } else if (start == TARGET_VSYSCALL_PAGE) {
-+ path = "[vsyscall]";
-+#endif
- }
-
- /* Except null device (MAP_ANON), adjust offset for this fragment. */
-@@ -8010,6 +8014,18 @@ static int open_self_maps_2(void *opaque, target_ulong guest_start,
- uintptr_t host_start = (uintptr_t)g2h_untagged(guest_start);
- uintptr_t host_last = (uintptr_t)g2h_untagged(guest_end - 1);
-
-+#ifdef TARGET_X86_64
-+ /*
-+ * Because of the extremely high position of the page within the guest
-+ * virtual address space, this is not backed by host memory at all.
-+ * Therefore the loop below would fail. This is the only instance
-+ * of not having host backing memory.
-+ */
-+ if (guest_start == TARGET_VSYSCALL_PAGE) {
-+ return open_self_maps_3(opaque, guest_start, guest_end, flags);
-+ }
-+#endif
-+
- while (1) {
- IntervalTreeNode *n =
- interval_tree_iter_first(d->host_maps, host_start, host_start);
---
-2.34.1
-
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-01.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-01.patch
deleted file mode 100644
index 15dbca92cd..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-01.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-rom eb546a3f49f45e6870ec91d792cd09f8a662c16e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
-Date: Thu, 4 Apr 2024 20:56:11 +0200
-Subject: [PATCH] hw/virtio: Introduce virtio_bh_new_guarded() helper
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Introduce virtio_bh_new_guarded(), similar to qemu_bh_new_guarded()
-but using the transport memory guard, instead of the device one
-(there can only be one virtio device per virtio bus).
-
-Inspired-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
-Acked-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Message-Id: <20240409105537.18308-2-philmd@linaro.org>
-(cherry picked from commit ec0504b989ca61e03636384d3602b7bf07ffe4da)
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-
-Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/eb546a3f49f45e6870ec91d792cd09f8a662c16e]
-CVE: CVE-2024-3446
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- hw/virtio/virtio.c | 10 ++++++++++
- include/hw/virtio/virtio.h | 7 +++++++
- 2 files changed, 17 insertions(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 3a160f86e..8590b8971 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -4095,3 +4095,13 @@ static void virtio_register_types(void)
- }
-
- type_init(virtio_register_types)
-+
-+QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev,
-+ QEMUBHFunc *cb, void *opaque,
-+ const char *name)
-+{
-+ DeviceState *transport = qdev_get_parent_bus(dev)->parent;
-+
-+ return qemu_bh_new_full(cb, opaque, name,
-+ &transport->mem_reentrancy_guard);
-+}
-diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
-index c8f72850b..7d5ffdc14 100644
---- a/include/hw/virtio/virtio.h
-+++ b/include/hw/virtio/virtio.h
-@@ -22,6 +22,7 @@
- #include "standard-headers/linux/virtio_config.h"
- #include "standard-headers/linux/virtio_ring.h"
- #include "qom/object.h"
-+#include "block/aio.h"
-
- /*
- * A guest should never accept this. It implies negotiation is broken
-@@ -508,4 +509,10 @@ static inline bool virtio_device_disabled(VirtIODevice *vdev)
- bool virtio_legacy_allowed(VirtIODevice *vdev);
- bool virtio_legacy_check_disabled(VirtIODevice *vdev);
-
-+QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev,
-+ QEMUBHFunc *cb, void *opaque,
-+ const char *name);
-+#define virtio_bh_new_guarded(dev, cb, opaque) \
-+ virtio_bh_new_guarded_full((dev), (cb), (opaque), (stringify(cb)))
-+
- #endif
---
-2.25.1
-
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-02.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-02.patch
deleted file mode 100644
index 843ed43ba8..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-02.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 4f01537ced3e787bd985b8f8de5869b92657160a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
-Date: Thu, 4 Apr 2024 20:56:41 +0200
-Subject: [PATCH] hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Replace qemu_bh_new_guarded() by virtio_bh_new_guarded()
-so the bus and device use the same guard. Otherwise the
-DMA-reentrancy protection can be bypassed.
-
-Fixes: CVE-2024-3446
-Cc: qemu-stable@nongnu.org
-Suggested-by: Alexander Bulekov <alxndr@bu.edu>
-Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
-Acked-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Message-Id: <20240409105537.18308-5-philmd@linaro.org>
-(cherry picked from commit f4729ec39ad97a42ceaa7b5697f84f440ea6e5dc)
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-
-Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/4f01537ced3e787bd985b8f8de5869b92657160a]
-CVE: CVE-2024-3446
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- hw/virtio/virtio-crypto.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
-index 0e2cc8d5a..4aaced74b 100644
---- a/hw/virtio/virtio-crypto.c
-+++ b/hw/virtio/virtio-crypto.c
-@@ -1080,8 +1080,8 @@ static void virtio_crypto_device_realize(DeviceState *dev, Error **errp)
- vcrypto->vqs[i].dataq =
- virtio_add_queue(vdev, 1024, virtio_crypto_handle_dataq_bh);
- vcrypto->vqs[i].dataq_bh =
-- qemu_bh_new_guarded(virtio_crypto_dataq_bh, &vcrypto->vqs[i],
-- &dev->mem_reentrancy_guard);
-+ virtio_bh_new_guarded(dev, virtio_crypto_dataq_bh,
-+ &vcrypto->vqs[i]);
- vcrypto->vqs[i].vcrypto = vcrypto;
- }
-
---
-2.25.1
-
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-03.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-03.patch
deleted file mode 100644
index a24652dea3..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-03.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From fbeb0a160cbcc067c0e1f0d380cea4a31de213e3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
-Date: Thu, 4 Apr 2024 20:56:35 +0200
-Subject: [PATCH] hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Replace qemu_bh_new_guarded() by virtio_bh_new_guarded()
-so the bus and device use the same guard. Otherwise the
-DMA-reentrancy protection can be bypassed.
-
-Fixes: CVE-2024-3446
-Cc: qemu-stable@nongnu.org
-Suggested-by: Alexander Bulekov <alxndr@bu.edu>
-Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
-Acked-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Message-Id: <20240409105537.18308-4-philmd@linaro.org>
-(cherry picked from commit b4295bff25f7b50de1d9cc94a9c6effd40056bca)
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-
-Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/fbeb0a160cbcc067c0e1f0d380cea4a31de213e3]
-CVE: CVE-2024-3446
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- hw/char/virtio-serial-bus.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c
-index dd619f073..1221fb7f1 100644
---- a/hw/char/virtio-serial-bus.c
-+++ b/hw/char/virtio-serial-bus.c
-@@ -985,8 +985,7 @@ static void virtser_port_device_realize(DeviceState *dev, Error **errp)
- return;
- }
-
-- port->bh = qemu_bh_new_guarded(flush_queued_data_bh, port,
-- &dev->mem_reentrancy_guard);
-+ port->bh = virtio_bh_new_guarded(dev, flush_queued_data_bh, port);
- port->elem = NULL;
- }
-
---
-2.25.1
-
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-04.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-04.patch
deleted file mode 100644
index 7f0293242d..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-04.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 1b2a52712b249e14d246cd9c7db126088e6e64db Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
-Date: Thu, 4 Apr 2024 20:56:27 +0200
-Subject: [PATCH] hw/display/virtio-gpu: Protect from DMA re-entrancy bugs
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-qemu-system-i386: warning: Blocked re-entrant IO on MemoryRegion: virtio-pci-common-virtio-gpu at addr: 0x6
-
-Fixes: CVE-2024-3446
-Cc: qemu-stable@nongnu.org
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Reported-by: Yongkang Jia <kangel@zju.edu.cn>
-Reported-by: Xiao Lei <nop.leixiao@gmail.com>
-Reported-by: Yiming Tao <taoym@zju.edu.cn>
-Buglink: https://bugs.launchpad.net/qemu/+bug/1888606
-Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
-Acked-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Message-Id: <20240409105537.18308-3-philmd@linaro.org>
-(cherry picked from commit ba28e0ff4d95b56dc334aac2730ab3651ffc3132)
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-
-Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/1b2a52712b249e14d246cd9c7db126088e6e64db]
-CVE: CVE-2024-3446
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- hw/display/virtio-gpu.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index b016d3bac..a7b16ba07 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -1463,10 +1463,8 @@ void virtio_gpu_device_realize(DeviceState *qdev, Error **errp)
-
- g->ctrl_vq = virtio_get_queue(vdev, 0);
- g->cursor_vq = virtio_get_queue(vdev, 1);
-- g->ctrl_bh = qemu_bh_new_guarded(virtio_gpu_ctrl_bh, g,
-- &qdev->mem_reentrancy_guard);
-- g->cursor_bh = qemu_bh_new_guarded(virtio_gpu_cursor_bh, g,
-- &qdev->mem_reentrancy_guard);
-+ g->ctrl_bh = virtio_bh_new_guarded(qdev, virtio_gpu_ctrl_bh, g);
-+ g->cursor_bh = virtio_bh_new_guarded(qdev, virtio_gpu_cursor_bh, g);
- g->reset_bh = qemu_bh_new(virtio_gpu_reset_bh, g);
- qemu_cond_init(&g->reset_cond);
- QTAILQ_INIT(&g->reslist);
---
-2.25.1
-
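Review bot: dropping the CVE-2024-3446 backports changes how cve-check accounts for this CVE, because with the patch files gone no `CVE: CVE-2024-3446` tag remains and the result depends on the CVE database's version range excluding 8.2.3. Please confirm that the virtio_bh_new_guarded() conversions removed here (virtio-gpu in this file, virtio-crypto and virtio-serial-bus in -02 and -03) are present in the 8.2.3 sources, and add a CVE_STATUS entry if the database range still covers 8.2.3.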
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-3567.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-3567.patch
deleted file mode 100644
index f14178f881..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2024-3567.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 1cfe45956e03070f894e91b304e233b4d5b99719 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
-Date: Tue, 9 Apr 2024 19:54:05 +0200
-Subject: [PATCH] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If a fragmented packet size is too short, do not try to
-calculate its checksum.
-
-Fixes: CVE-2024-3567
-Cc: qemu-stable@nongnu.org
-Reported-by: Zheyu Ma <zheyuma97@gmail.com>
-Fixes: f199b13bc1 ("igb: Implement Tx SCTP CSO")
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2273
-Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
-Acked-by: Jason Wang <jasowang@redhat.com>
-Message-Id: <20240410070459.49112-1-philmd@linaro.org>
-(cherry picked from commit 83ddb3dbba2ee0f1767442ae6ee665058aeb1093)
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-
-Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/1cfe45956e03070f894e91b304e233b4d5b99719]
-CVE: CVE-2024-3567
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- hw/net/net_tx_pkt.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
-index 2e5f58b3c..d40d508a1 100644
---- a/hw/net/net_tx_pkt.c
-+++ b/hw/net/net_tx_pkt.c
-@@ -141,6 +141,10 @@ bool net_tx_pkt_update_sctp_checksum(struct NetTxPkt *pkt)
- uint32_t csum = 0;
- struct iovec *pl_start_frag = pkt->vec + NET_TX_PKT_PL_START_FRAG;
-
-+ if (iov_size(pl_start_frag, pkt->payload_frags) < 8 + sizeof(csum)) {
-+ return false;
-+ }
-+
- if (iov_from_buf(pl_start_frag, pkt->payload_frags, 8, &csum, sizeof(csum)) < sizeof(csum)) {
- return false;
- }
---
-2.25.1
-
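Review bot: with this patch file deleted and qemu_8.2.2.bb renamed at 100% similarity, the SRC_URI entry for CVE-2024-3567.patch (and for the CVE-2024-3446-0x files) has to be dropped in whichever include file lists them, otherwise the fetch fails on the missing file; that removal is not among the lines shown here. It is also worth confirming that 8.2.3 contains the `iov_size(pl_start_frag, pkt->payload_frags) < 8 + sizeof(csum)` early return in net_tx_pkt_update_sctp_checksum() that this backport added.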
diff --git a/meta/recipes-devtools/qemu/qemu_8.2.2.bb b/meta/recipes-devtools/qemu/qemu_8.2.3.bb
similarity index 100%
rename from meta/recipes-devtools/qemu/qemu_8.2.2.bb
rename to meta/recipes-devtools/qemu/qemu_8.2.3.bb
--
2.34.1
* [OE-core][scarthgap 06/18] package.py: Fix static debuginfo split
2024-08-04 17:09 [OE-core][scarthgap 00/18] Patch review Steve Sakoman
` (4 preceding siblings ...)
2024-08-04 17:09 ` [OE-core][scarthgap 05/18] qemu: upgrade 8.2.2 -> 8.2.3 Steve Sakoman
@ 2024-08-04 17:09 ` Steve Sakoman
2024-08-04 17:09 ` [OE-core][scarthgap 07/18] package.py: Fix static library processing Steve Sakoman
` (11 subsequent siblings)
17 siblings, 0 replies; 28+ messages in thread
From: Steve Sakoman @ 2024-08-04 17:09 UTC (permalink / raw)
To: openembedded-core
From: Mark Hatle <mark.hatle@amd.com>
Fix:
NameError: name 'shutil' is not defined
Signed-off-by: Mark Hatle <mark.hatle@amd.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 13bdd750ae54d57a5f459e4b7d8636c864978241)
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oe/package.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py
index 1511ba47c4..ffe5a2157b 100644
--- a/meta/lib/oe/package.py
+++ b/meta/lib/oe/package.py
@@ -14,6 +14,7 @@ import glob
import stat
import mmap
import subprocess
+import shutil
import oe.cachedpath
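Review bot: the commit message quotes the NameError but does not say which call in package.py uses shutil or which change introduced that call; a function name or a Fixes: reference would let a maintainer tell whether a given branch needs this backport. The import itself sits consistently with the other standard-library imports.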
--
2.34.1
* [OE-core][scarthgap 07/18] package.py: Fix static library processing
2024-08-04 17:09 [OE-core][scarthgap 00/18] Patch review Steve Sakoman
` (5 preceding siblings ...)
2024-08-04 17:09 ` [OE-core][scarthgap 06/18] package.py: Fix static debuginfo split Steve Sakoman
@ 2024-08-04 17:09 ` Steve Sakoman
2024-08-04 17:09 ` [OE-core][scarthgap 08/18] selftest-hardlink: Add additional test cases Steve Sakoman
` (10 subsequent siblings)
17 siblings, 0 replies; 28+ messages in thread
From: Steve Sakoman @ 2024-08-04 17:09 UTC (permalink / raw)
To: openembedded-core
From: Mark Hatle <mark.hatle@amd.com>
When PACKAGE_STRIP_STATIC is enabled the system did not pay attention to
hardlinks. This could trigger a race condition during stripping of static
libraries where multiple strips (through hardlinks) could run at the same
time triggering a truncated or modified file error.
The hardlink breaking code is based on the existing code for elf files, but
due to the nature of the symlinks needed to be done in a separate block of
code.
Add support for static-library debugfs hardlinking through the existing
inode processing code.
Print a note to the logs if the link target can't be found. This isn't
strictly an error, but may be useful for debugging an issue where a file
isn't present.
Signed-off-by: Mark Hatle <mark.hatle@amd.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ff371d69f60a1529ed456acb7d8e9305242e74bd)
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oe/package.py | 56 +++++++++++++++++++++++++++++++++++-------
1 file changed, 47 insertions(+), 9 deletions(-)
diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py
index ffe5a2157b..af0923a63f 100644
--- a/meta/lib/oe/package.py
+++ b/meta/lib/oe/package.py
@@ -1065,6 +1065,7 @@ def process_split_and_strip_files(d):
d.getVar('INHIBIT_PACKAGE_DEBUG_SPLIT') != '1'):
checkelf = {}
checkelflinks = {}
+ checkstatic = {}
for root, dirs, files in cpath.walk(dvar):
for f in files:
file = os.path.join(root, f)
@@ -1078,10 +1079,6 @@ def process_split_and_strip_files(d):
if file in skipfiles:
continue
- if oe.package.is_static_lib(file):
- staticlibs.append(file)
- continue
-
try:
ltarget = cpath.realpath(file, dvar, False)
s = cpath.lstat(ltarget)
@@ -1093,6 +1090,13 @@ def process_split_and_strip_files(d):
continue
if not s:
continue
+
+ if oe.package.is_static_lib(file):
+ # Use a reference of device ID and inode number to identify files
+ file_reference = "%d_%d" % (s.st_dev, s.st_ino)
+ checkstatic[file] = (file, file_reference)
+ continue
+
# Check its an executable
if (s[stat.ST_MODE] & stat.S_IXUSR) or (s[stat.ST_MODE] & stat.S_IXGRP) \
or (s[stat.ST_MODE] & stat.S_IXOTH) \
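Review bot: `s` at this point is `cpath.lstat(ltarget)`, where `ltarget` is the realpath of `file` (context lines of the previous hunk), so for a static library reached through a symlink `file_reference` is the inode of the link target while the dictionary key is the symlink path. The later loop would then `os.unlink(file)` and hard-link it to the first path recorded for that inode, turning the symlink into a hard link. If that is not intended, skip symlinks before recording, for example with a `cpath.islink(file)` check. Separately, `checkstatic[file] = (file, file_reference)` stores the path twice; only element [1] is read later.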
@@ -1157,6 +1161,27 @@ def process_split_and_strip_files(d):
# Modified the file so clear the cache
cpath.updatecache(file)
+ # Do the same hardlink processing as above, but for static libraries
+ results = list(checkstatic.keys())
+
+ # As above, sort the results.
+ results.sort(key=lambda x: x[0])
+
+ for file in results:
+ # Use a reference of device ID and inode number to identify files
+ file_reference = checkstatic[file][1]
+ if file_reference in inodes:
+ os.unlink(file)
+ os.link(inodes[file_reference][0], file)
+ inodes[file_reference].append(file)
+ else:
+ inodes[file_reference] = [file]
+ # break hardlink
+ bb.utils.break_hardlinks(file)
+ staticlibs.append(file)
+ # Modified the file so clear the cache
+ cpath.updatecache(file)
+
def strip_pkgd_prefix(f):
nonlocal dvar
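Review bot: `results` is a list of path strings (`list(checkstatic.keys())`), so `results.sort(key=lambda x: x[0])` compares only the first character of each path; for absolute paths that leaves the list in directory-walk order. Which hard link becomes `inodes[file_reference][0]`, the one that is stripped and that the others are re-linked to, then depends on walk order. `results.sort()` or `sorted(checkstatic)` gives the deterministic order that the "As above, sort the results" comment promises.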
@@ -1195,11 +1220,24 @@ def process_split_and_strip_files(d):
dest = dv["libdir"] + os.path.dirname(src) + dv["dir"] + "/" + os.path.basename(target) + dv["append"]
fpath = dvar + dest
ftarget = dvar + dv["libdir"] + os.path.dirname(target) + dv["dir"] + "/" + os.path.basename(target) + dv["append"]
- bb.utils.mkdirhier(os.path.dirname(fpath))
- # Only one hardlink of separated debug info file in each directory
- if not os.access(fpath, os.R_OK):
- #bb.note("Link %s -> %s" % (fpath, ftarget))
- os.link(ftarget, fpath)
+ if os.access(ftarget, os.R_OK):
+ bb.utils.mkdirhier(os.path.dirname(fpath))
+ # Only one hardlink of separated debug info file in each directory
+ if not os.access(fpath, os.R_OK):
+ #bb.note("Link %s -> %s" % (fpath, ftarget))
+ os.link(ftarget, fpath)
+ elif (d.getVar('PACKAGE_DEBUG_STATIC_SPLIT') == '1'):
+ deststatic = dv["staticlibdir"] + os.path.dirname(src) + dv["staticdir"] + "/" + os.path.basename(file) + dv["staticappend"]
+ fpath = dvar + deststatic
+ ftarget = dvar + dv["staticlibdir"] + os.path.dirname(target) + dv["staticdir"] + "/" + os.path.basename(target) + dv["staticappend"]
+ if os.access(ftarget, os.R_OK):
+ bb.utils.mkdirhier(os.path.dirname(fpath))
+ # Only one hardlink of separated debug info file in each directory
+ if not os.access(fpath, os.R_OK):
+ #bb.note("Link %s -> %s" % (fpath, ftarget))
+ os.link(ftarget, fpath)
+ else:
+ bb.note("Unable to find inode link target %s" % (target))
# Create symlinks for all cases we were able to split symbols
for file in symlinks:
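Review bot: the static branch builds `deststatic` from `os.path.basename(file)` while the ELF branch above it builds `dest` from `os.path.basename(target)`, so the two cases name their debug links differently. The selftest in 08/18 expects one `.debug-static` entry per link name, which suggests this is intended, but the copied comment "Only one hardlink of separated debug info file in each directory" no longer describes the static case; a short comment on the difference would help. The two access/mkdirhier/link blocks are otherwise identical and could share a small helper.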
--
2.34.1
* [OE-core][scarthgap 08/18] selftest-hardlink: Add additional test cases
2024-08-04 17:09 [OE-core][scarthgap 00/18] Patch review Steve Sakoman
` (6 preceding siblings ...)
2024-08-04 17:09 ` [OE-core][scarthgap 07/18] package.py: Fix static library processing Steve Sakoman
@ 2024-08-04 17:09 ` Steve Sakoman
2024-08-04 17:09 ` [OE-core][scarthgap 09/18] create-spdx-*: Support multilibs via SPDX_MULTILIB_SSTATE_ARCHS Steve Sakoman
` (9 subsequent siblings)
17 siblings, 0 replies; 28+ messages in thread
From: Steve Sakoman @ 2024-08-04 17:09 UTC (permalink / raw)
To: openembedded-core
From: Mark Hatle <mark.hatle@amd.com>
Additional test cases for debug symlink generation for both binaries
and static libraries.
This also has the side effect of testing for race conditions in the
hardlink debug generation and stripping.
Signed-off-by: Mark Hatle <mark.hatle@amd.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7171f41c07a39a7543bb64f075d38b8e74563089)
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../selftest-hardlink/selftest-hardlink.bb | 13 ++++++++++
meta/lib/oeqa/selftest/cases/package.py | 26 +++++++++++++++++++
2 files changed, 39 insertions(+)
diff --git a/meta-selftest/recipes-test/selftest-hardlink/selftest-hardlink.bb b/meta-selftest/recipes-test/selftest-hardlink/selftest-hardlink.bb
index be346b8a0e..052bf0c92a 100644
--- a/meta-selftest/recipes-test/selftest-hardlink/selftest-hardlink.bb
+++ b/meta-selftest/recipes-test/selftest-hardlink/selftest-hardlink.bb
@@ -10,6 +10,9 @@ S = "${WORKDIR}"
do_compile () {
${CC} hello.c -o hello1 ${CFLAGS} ${LDFLAGS}
+
+ ${CC} hello.c -c -o hello.o ${CFLAGS}
+ ${AR} rcs libhello.a hello.o
}
do_install () {
@@ -22,9 +25,19 @@ do_install () {
ln ${D}${bindir}/hello1 ${D}${libexecdir}/hello3
ln ${D}${bindir}/hello1 ${D}${libexecdir}/hello4
+ # We need so many hardlink copies to look for specific race conditions
+ install -d ${D}${libdir}
+ install -m 0644 libhello.a ${D}${libdir}
+ for num in `seq 1 100` ; do
+ ln ${D}${libdir}/libhello.a ${D}${libdir}/libhello-${num}.a
+ done
+
dd if=/dev/zero of=${D}${bindir}/sparsetest bs=1 count=0 seek=1M
}
RDEPENDS:${PN}-gdb += "gdb"
PACKAGES =+ "${PN}-gdb"
FILES:${PN}-gdb = "${bindir}/gdb.sh"
+
+PACKAGE_STRIP_STATIC = "1"
+PACKAGE_DEBUG_STATIC_SPLIT = "1"
diff --git a/meta/lib/oeqa/selftest/cases/package.py b/meta/lib/oeqa/selftest/cases/package.py
index 1aa6c03f8a..38ed7173fe 100644
--- a/meta/lib/oeqa/selftest/cases/package.py
+++ b/meta/lib/oeqa/selftest/cases/package.py
@@ -103,11 +103,37 @@ class PackageTests(OESelftestTestCase):
dest = get_bb_var('PKGDEST', 'selftest-hardlink')
bindir = get_bb_var('bindir', 'selftest-hardlink')
+ libdir = get_bb_var('libdir', 'selftest-hardlink')
+ libexecdir = get_bb_var('libexecdir', 'selftest-hardlink')
def checkfiles():
# Recipe creates 4 hardlinked files, there is a copy in package/ and a copy in packages-split/
# so expect 8 in total.
self.assertEqual(os.stat(dest + "/selftest-hardlink" + bindir + "/hello1").st_nlink, 8)
+ self.assertEqual(os.stat(dest + "/selftest-hardlink" + libexecdir + "/hello3").st_nlink, 8)
+
+ # Check dbg version
+ # 2 items, a copy in both package/packages-split so 4
+ self.assertEqual(os.stat(dest + "/selftest-hardlink-dbg" + bindir + "/.debug/hello1").st_nlink, 4)
+ self.assertEqual(os.stat(dest + "/selftest-hardlink-dbg" + libexecdir + "/.debug/hello1").st_nlink, 4)
+
+ # Even though the libexecdir name is 'hello3' or 'hello4', that isn't the debug target name
+ self.assertEqual(os.path.exists(dest + "/selftest-hardlink-dbg" + libexecdir + "/.debug/hello3"), False)
+ self.assertEqual(os.path.exists(dest + "/selftest-hardlink-dbg" + libexecdir + "/.debug/hello4"), False)
+
+ # Check the staticdev libraries
+ # 101 items, a copy in both package/packages-split so 202
+ self.assertEqual(os.stat(dest + "/selftest-hardlink-staticdev" + libdir + "/libhello.a").st_nlink, 202)
+ self.assertEqual(os.stat(dest + "/selftest-hardlink-staticdev" + libdir + "/libhello-25.a").st_nlink, 202)
+ self.assertEqual(os.stat(dest + "/selftest-hardlink-staticdev" + libdir + "/libhello-50.a").st_nlink, 202)
+ self.assertEqual(os.stat(dest + "/selftest-hardlink-staticdev" + libdir + "/libhello-75.a").st_nlink, 202)
+
+ # Check static dbg
+ # 101 items, a copy in both package/packages-split so 202
+ self.assertEqual(os.stat(dest + "/selftest-hardlink-dbg" + libdir + "/.debug-static/libhello.a").st_nlink, 202)
+ self.assertEqual(os.stat(dest + "/selftest-hardlink-dbg" + libdir + "/.debug-static/libhello-25.a").st_nlink, 202)
+ self.assertEqual(os.stat(dest + "/selftest-hardlink-dbg" + libdir + "/.debug-static/libhello-50.a").st_nlink, 202)
+ self.assertEqual(os.stat(dest + "/selftest-hardlink-dbg" + libdir + "/.debug-static/libhello-75.a").st_nlink, 202)
# Test a sparse file remains sparse
sparsestat = os.stat(dest + "/selftest-hardlink" + bindir + "/sparsetest")
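Review bot: the expected link count 202 and the sampled names libhello-25/50/75 are hardcoded here, while the number of links comes from `seq 1 100` in the recipe, so changing one side silently breaks the other. Deriving the expectation from a single constant, or at least naming the recipe loop in the comment, would keep them in step. The two `assertEqual(os.path.exists(...), False)` checks read better as `assertFalse(os.path.exists(...))`.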
--
2.34.1
* [OE-core][scarthgap 09/18] create-spdx-*: Support multilibs via SPDX_MULTILIB_SSTATE_ARCHS
2024-08-04 17:09 [OE-core][scarthgap 00/18] Patch review Steve Sakoman
` (7 preceding siblings ...)
2024-08-04 17:09 ` [OE-core][scarthgap 08/18] selftest-hardlink: Add additional test cases Steve Sakoman
@ 2024-08-04 17:09 ` Steve Sakoman
2024-08-04 17:09 ` [OE-core][scarthgap 10/18] create-spdx-3.0/populate_sdk_base: Add SDK_CLASSES inherit mechanism to fix tarball SPDX manifests Steve Sakoman
` (8 subsequent siblings)
17 siblings, 0 replies; 28+ messages in thread
From: Steve Sakoman @ 2024-08-04 17:09 UTC (permalink / raw)
To: openembedded-core
From: Mark Hatle <mark.hatle@amd.com>
When a create-spdx-* class is processing documents, it needs to
find the document in a path that is related to the SSTATE_ARCH
when a package is generated. The SSTATE_ARCH can be affected by
multilib configurations, resulting in something like armv8a-mlib.
When the image (or SDK) is being generated and the components are
collected, the system has no knowledge of the multilib arch and
will fail to find it, such as:
ERROR: meta-toolchain-1.0-r0 do_populate_sdk: No SPDX file found
for package libilp32-libgcc-dbg,
False sstate:libilp32-libgcc:armv8a-ilp32-mllibilp32-elf:14.1.0:r0:armv8a-ilp32:12:
sstate:libilp32-libgcc::14.1.0:r0::12:
Adding in the new SPDX_MULTILIB_SSTATE_ARCHS will provide a full
set of SSTATE_ARCHS including ones that contain the multilib
extension which will allow create-spdx-* to correctly find the
document it is looking for. This would also be valuable to any
other function doing a similar search through SSTATE_ARCH that may
have been extended with multilib configurations.
Signed-off-by: Mark Hatle <mark.hatle@amd.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f1499c36c1054fc90f7b7268cc95285f2eca72f7)
spdx-3.0 items are not applicable and were removed.
spdx-common.bbclass item was moved into create-spdx-2.2.bbclass.
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes-recipe/populate_sdk_base.bbclass | 4 ++++
meta/classes/create-spdx-2.2.bbclass | 14 ++++++++------
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/meta/classes-recipe/populate_sdk_base.bbclass b/meta/classes-recipe/populate_sdk_base.bbclass
index 81896d808f..6cb43ade30 100644
--- a/meta/classes-recipe/populate_sdk_base.bbclass
+++ b/meta/classes-recipe/populate_sdk_base.bbclass
@@ -6,6 +6,10 @@
PACKAGES = ""
+# This exists as an optimization for SPDX processing to only run in image and
+# SDK processing context. This class happens to be common to these usages.
+SPDX_MULTILIB_SSTATE_ARCHS = "${@all_multilib_tune_values(d, 'SSTATE_ARCHS')}"
+
inherit image-postinst-intercepts image-artifact-names
# Wildcards specifying complementary packages to install for every package that has been explicitly
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index 4ea91f6499..d104668ffd 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -35,6 +35,8 @@ SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
SPDX_CUSTOM_ANNOTATION_VARS ??= ""
+SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
+
SPDX_ORG ??= "OpenEmbedded ()"
SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
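Review bot: SPDX_MULTILIB_SSTATE_ARCHS is added without a [doc] flag or comment, although the neighbouring SPDX_SUPPLIER carries one in the context lines of this hunk. Since the commit message suggests other SSTATE_ARCH searches may want to reuse it, a [doc] entry should state that it defaults to SSTATE_ARCHS and is widened to all multilib tune values by populate_sdk_base.bbclass.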
@@ -349,7 +351,7 @@ def collect_dep_recipes(d, doc, spdx_recipe):
deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
spdx_deps_file = Path(d.getVar("SPDXDEPS"))
- package_archs = d.getVar("SSTATE_ARCHS").split()
+ package_archs = d.getVar("SPDX_MULTILIB_SSTATE_ARCHS").split()
package_archs.reverse()
dep_recipes = []
@@ -389,7 +391,7 @@ def collect_dep_recipes(d, doc, spdx_recipe):
return dep_recipes
-collect_dep_recipes[vardepsexclude] = "SSTATE_ARCHS"
+collect_dep_recipes[vardepsexclude] = "SPDX_MULTILIB_SSTATE_ARCHS"
def collect_dep_sources(d, dep_recipes):
import oe.sbom
@@ -763,7 +765,7 @@ python do_create_runtime_spdx() {
providers = collect_package_providers(d)
pkg_arch = d.getVar("SSTATE_PKGARCH")
- package_archs = d.getVar("SSTATE_ARCHS").split()
+ package_archs = d.getVar("SPDX_MULTILIB_SSTATE_ARCHS").split()
package_archs.reverse()
if not is_native:
@@ -869,7 +871,7 @@ python do_create_runtime_spdx() {
oe.sbom.write_doc(d, runtime_doc, pkg_arch, "runtime", spdx_deploy, indent=get_json_indent(d))
}
-do_create_runtime_spdx[vardepsexclude] += "OVERRIDES SSTATE_ARCHS"
+do_create_runtime_spdx[vardepsexclude] += "OVERRIDES SPDX_MULTILIB_SSTATE_ARCHS"
addtask do_create_runtime_spdx after do_create_spdx before do_build do_rm_work
SSTATETASKS += "do_create_runtime_spdx"
@@ -1004,7 +1006,7 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages, spdx
import bb.compress.zstd
providers = collect_package_providers(d)
- package_archs = d.getVar("SSTATE_ARCHS").split()
+ package_archs = d.getVar("SPDX_MULTILIB_SSTATE_ARCHS").split()
package_archs.reverse()
creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
@@ -1155,4 +1157,4 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages, spdx
tar.addfile(info, fileobj=index_str)
-combine_spdx[vardepsexclude] += "BB_NUMBER_THREADS SSTATE_ARCHS"
+combine_spdx[vardepsexclude] += "BB_NUMBER_THREADS SPDX_MULTILIB_SSTATE_ARCHS"
--
2.34.1
* [OE-core][scarthgap 10/18] create-spdx-3.0/populate_sdk_base: Add SDK_CLASSES inherit mechanism to fix tarball SPDX manifests
2024-08-04 17:09 [OE-core][scarthgap 00/18] Patch review Steve Sakoman
` (8 preceding siblings ...)
2024-08-04 17:09 ` [OE-core][scarthgap 09/18] create-spdx-*: Support multilibs via SPDX_MULTILIB_SSTATE_ARCHS Steve Sakoman
@ 2024-08-04 17:09 ` Steve Sakoman
2024-08-04 17:09 ` [OE-core][scarthgap 11/18] oeqa sdk cases: Skip SDK test cases when TCLIBC is newlib Steve Sakoman
` (7 subsequent siblings)
17 siblings, 0 replies; 28+ messages in thread
From: Steve Sakoman @ 2024-08-04 17:09 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Currently, "tarball" sdk based recipes don't generate SPDX manifests as they
don't include the rootfs generation classes. Split the SPDX 3.0 image class into
two so the SDK components can be included where needed.
To do this, introduce an SDK_CLASSES variable similar to IMAGE_CLASSES which
the SDK code can use.
Migrate testsdk usage to this.
Also move the image/sdk spdx classes to classes-recipe rather than the general classes
directory since they'd never be included on a global level.
For buildtools-tarball, it has its own testsdk functions so disable the class there as
a deferred inherit would overwrite it.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 662396533177b72cc1d83e95841b27f7e42dcb20)
Eliminate spdx-3.0 items, not applicable to Scarthgap.
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes-recipe/populate_sdk_base.bbclass | 3 +++
meta/classes-recipe/testimage.bbclass | 2 --
meta/recipes-core/meta/buildtools-tarball.bb | 3 +++
3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/meta/classes-recipe/populate_sdk_base.bbclass b/meta/classes-recipe/populate_sdk_base.bbclass
index 6cb43ade30..a103e7b738 100644
--- a/meta/classes-recipe/populate_sdk_base.bbclass
+++ b/meta/classes-recipe/populate_sdk_base.bbclass
@@ -4,6 +4,9 @@
# SPDX-License-Identifier: MIT
#
+SDK_CLASSES += "${@bb.utils.contains("IMAGE_CLASSES", "testimage", "testsdk", "", d)}"
+inherit_defer ${SDK_CLASSES}
+
PACKAGES = ""
# This exists as an optimization for SPDX processing to only run in image and
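Review bot: SDK_CLASSES is introduced here with only a `+=` and no default assignment or documentation, so nothing tells a user that it is the SDK counterpart of IMAGE_CLASSES or what may be put in it. A `SDK_CLASSES ??= ""` with a short comment or [doc] flag would cover that. Note also that the subject line still names create-spdx-3.0, while the diffstat of this backport touches only populate_sdk_base.bbclass, testimage.bbclass and buildtools-tarball.bb.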
diff --git a/meta/classes-recipe/testimage.bbclass b/meta/classes-recipe/testimage.bbclass
index ed0d87b7a7..2f68f83dfd 100644
--- a/meta/classes-recipe/testimage.bbclass
+++ b/meta/classes-recipe/testimage.bbclass
@@ -483,5 +483,3 @@ python () {
if oe.types.boolean(d.getVar("TESTIMAGE_AUTO") or "False"):
bb.build.addtask("testimage", "do_build", "do_image_complete", d)
}
-
-inherit testsdk
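Review bot: removing `inherit testsdk` from testimage.bbclass means testsdk is now inherited only through SDK_CLASSES in populate_sdk_base.bbclass, and only when IMAGE_CLASSES contains testimage. A recipe that inherits testimage directly rather than through IMAGE_CLASSES no longer gets do_testsdk. For a stable-branch backport that behaviour change deserves a sentence in the commit message.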
diff --git a/meta/recipes-core/meta/buildtools-tarball.bb b/meta/recipes-core/meta/buildtools-tarball.bb
index 92fbda335d..e2ce5b3ecf 100644
--- a/meta/recipes-core/meta/buildtools-tarball.bb
+++ b/meta/recipes-core/meta/buildtools-tarball.bb
@@ -112,6 +112,9 @@ INHIBIT_DEFAULT_DEPS = "1"
# Directory in testsdk that contains testcases
TESTSDK_CASES = "buildtools-cases"
+# We have our own code, avoid deferred inherit
+SDK_CLASSES:remove = "testsdk"
+
python do_testsdk() {
import oeqa.sdk.testsdk
testsdk = oeqa.sdk.testsdk.TestSDK()
--
2.34.1
* [OE-core][scarthgap 11/18] oeqa sdk cases: Skip SDK test cases when TCLIBC is newlib
2024-08-04 17:09 [OE-core][scarthgap 00/18] Patch review Steve Sakoman
` (9 preceding siblings ...)
2024-08-04 17:09 ` [OE-core][scarthgap 10/18] create-spdx-3.0/populate_sdk_base: Add SDK_CLASSES inherit mechanism to fix tarball SPDX manifests Steve Sakoman
@ 2024-08-04 17:09 ` Steve Sakoman
2024-08-04 17:09 ` [OE-core][scarthgap 12/18] pseudo: Fix to work with glibc 2.40 Steve Sakoman
` (6 subsequent siblings)
17 siblings, 0 replies; 28+ messages in thread
From: Steve Sakoman @ 2024-08-04 17:09 UTC (permalink / raw)
To: openembedded-core
From: Mark Hatle <mark.hatle@amd.com>
Newlib generally requires additional components to function. Skip the
cases where newlib is known to not work.
Signed-off-by: Mark Hatle <mark.hatle@amd.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b9934755554e40d9980b90c3d541f4c702203561)
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oeqa/sdk/cases/assimp.py | 4 ++++
meta/lib/oeqa/sdk/cases/buildcpio.py | 5 +++++
meta/lib/oeqa/sdk/cases/buildepoxy.py | 4 ++++
meta/lib/oeqa/sdk/cases/buildgalculator.py | 4 ++++
meta/lib/oeqa/sdk/cases/buildlzip.py | 5 +++++
meta/lib/oeqa/sdk/cases/gcc.py | 4 ++++
6 files changed, 26 insertions(+)
diff --git a/meta/lib/oeqa/sdk/cases/assimp.py b/meta/lib/oeqa/sdk/cases/assimp.py
index d990b1e97d..4cc30f2672 100644
--- a/meta/lib/oeqa/sdk/cases/assimp.py
+++ b/meta/lib/oeqa/sdk/cases/assimp.py
@@ -19,6 +19,10 @@ class BuildAssimp(OESDKTestCase):
"""
def setUp(self):
+ libc = self.td.get("TCLIBC")
+ if libc in [ 'newlib' ]:
+ raise unittest.SkipTest("CMakeTest class: SDK doesn't contain a supported C library")
+
if not (self.tc.hasHostPackage("nativesdk-cmake") or
self.tc.hasHostPackage("cmake-native")):
raise unittest.SkipTest("Needs cmake")
diff --git a/meta/lib/oeqa/sdk/cases/buildcpio.py b/meta/lib/oeqa/sdk/cases/buildcpio.py
index 51003b19cd..ab8fc41876 100644
--- a/meta/lib/oeqa/sdk/cases/buildcpio.py
+++ b/meta/lib/oeqa/sdk/cases/buildcpio.py
@@ -17,6 +17,11 @@ class BuildCpioTest(OESDKTestCase):
"""
Check that autotools will cross-compile correctly.
"""
+ def setUp(self):
+ libc = self.td.get("TCLIBC")
+ if libc in [ 'newlib' ]:
+ raise unittest.SkipTest("AutotoolsTest class: SDK doesn't contain a supported C library")
+
def test_cpio(self):
with tempfile.TemporaryDirectory(prefix="cpio-", dir=self.tc.sdk_dir) as testdir:
tarball = self.fetch(testdir, self.td["DL_DIR"], "https://ftp.gnu.org/gnu/cpio/cpio-2.15.tar.gz")
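Review bot: Please confirm that buildcpio.py imports unittest: the new setUp raises unittest.SkipTest, the hunk context does not show an import, and no earlier setUp is visible in this class, so a missing import would turn the skip into a NameError. The same question applies to the new setUp in buildlzip.py. The message also says "AutotoolsTest class" while the class is BuildCpioTest.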
diff --git a/meta/lib/oeqa/sdk/cases/buildepoxy.py b/meta/lib/oeqa/sdk/cases/buildepoxy.py
index 147ee3e0ee..5b9c36fcec 100644
--- a/meta/lib/oeqa/sdk/cases/buildepoxy.py
+++ b/meta/lib/oeqa/sdk/cases/buildepoxy.py
@@ -18,6 +18,10 @@ class EpoxyTest(OESDKTestCase):
Test that Meson builds correctly.
"""
def setUp(self):
+ libc = self.td.get("TCLIBC")
+ if libc in [ 'newlib' ]:
+ raise unittest.SkipTest("MesonTest class: SDK doesn't contain a supported C library")
+
if not (self.tc.hasHostPackage("nativesdk-meson") or
self.tc.hasHostPackage("meson-native")):
raise unittest.SkipTest("EpoxyTest class: SDK doesn't contain Meson")
diff --git a/meta/lib/oeqa/sdk/cases/buildgalculator.py b/meta/lib/oeqa/sdk/cases/buildgalculator.py
index 178f07472d..28187434a1 100644
--- a/meta/lib/oeqa/sdk/cases/buildgalculator.py
+++ b/meta/lib/oeqa/sdk/cases/buildgalculator.py
@@ -18,6 +18,10 @@ class GalculatorTest(OESDKTestCase):
Test that autotools and GTK+ 3 compiles correctly.
"""
def setUp(self):
+ libc = self.td.get("TCLIBC")
+ if libc in [ 'newlib' ]:
+ raise unittest.SkipTest("GTK3Test class: SDK doesn't contain a supported C library")
+
if not (self.tc.hasTargetPackage("gtk+3", multilib=True) or \
self.tc.hasTargetPackage("libgtk-3.0", multilib=True)):
raise unittest.SkipTest("GalculatorTest class: SDK don't support gtk+3")
diff --git a/meta/lib/oeqa/sdk/cases/buildlzip.py b/meta/lib/oeqa/sdk/cases/buildlzip.py
index b4b7d85b88..afedc25178 100644
--- a/meta/lib/oeqa/sdk/cases/buildlzip.py
+++ b/meta/lib/oeqa/sdk/cases/buildlzip.py
@@ -13,6 +13,11 @@ class BuildLzipTest(OESDKTestCase):
"""
Test that "plain" compilation works, using just $CC $CFLAGS etc.
"""
+ def setUp(self):
+ libc = self.td.get("TCLIBC")
+ if libc in [ 'newlib' ]:
+ raise unittest.SkipTest("MakefileTest class: SDK doesn't contain a supported C library")
+
def test_lzip(self):
with tempfile.TemporaryDirectory(prefix="lzip", dir=self.tc.sdk_dir) as testdir:
tarball = self.fetch(testdir, self.td["DL_DIR"], "http://downloads.yoctoproject.org/mirror/sources/lzip-1.19.tar.gz")
diff --git a/meta/lib/oeqa/sdk/cases/gcc.py b/meta/lib/oeqa/sdk/cases/gcc.py
index fc28b9c3d4..e810d2c42b 100644
--- a/meta/lib/oeqa/sdk/cases/gcc.py
+++ b/meta/lib/oeqa/sdk/cases/gcc.py
@@ -26,6 +26,10 @@ class GccCompileTest(OESDKTestCase):
os.path.join(self.tc.sdk_dir, f))
def setUp(self):
+ libc = self.td.get("TCLIBC")
+ if libc in [ 'newlib' ]:
+ raise unittest.SkipTest("GccCompileTest class: SDK doesn't contain a supported C library")
+
machine = self.td.get("MACHINE")
if not (self.tc.hasHostPackage("packagegroup-cross-canadian-%s" % machine) or
self.tc.hasHostPackage("^gcc-", regex=True)):
--
2.34.1
^ permalink raw reply related [flat|nested] 28+ messages in thread
* [OE-core][scarthgap 12/18] pseudo: Fix to work with glibc 2.40
2024-08-04 17:09 [OE-core][scarthgap 00/18] Patch review Steve Sakoman
` (10 preceding siblings ...)
2024-08-04 17:09 ` [OE-core][scarthgap 11/18] oeqa sdk cases: Skip SDK test cases when TCLIBC is newlib Steve Sakoman
@ 2024-08-04 17:09 ` Steve Sakoman
2024-08-04 17:09 ` [OE-core][scarthgap 13/18] pseudo: Update to include open symlink handling bugfix Steve Sakoman
` (5 subsequent siblings)
17 siblings, 0 replies; 28+ messages in thread
From: Steve Sakoman @ 2024-08-04 17:09 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
glibc 2.40 renames some internal header variables. Update our hack to
work with the new version. These kinds of problems illustrate we need to
address the issue properly.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 35021d650de3eecc3f42000181b39a5db5a8eaa0)
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/pseudo/files/glibc238.patch | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-devtools/pseudo/files/glibc238.patch b/meta/recipes-devtools/pseudo/files/glibc238.patch
index da4b8caee3..dfb5c283f6 100644
--- a/meta/recipes-devtools/pseudo/files/glibc238.patch
+++ b/meta/recipes-devtools/pseudo/files/glibc238.patch
@@ -9,7 +9,7 @@ Index: git/pseudo_wrappers.c
===================================================================
--- git.orig/pseudo_wrappers.c
+++ git/pseudo_wrappers.c
-@@ -6,6 +6,15 @@
+@@ -6,6 +6,18 @@
* SPDX-License-Identifier: LGPL-2.1-only
*
*/
@@ -21,6 +21,9 @@ Index: git/pseudo_wrappers.c
+#undef __GLIBC_USE_ISOC2X
+#undef __GLIBC_USE_C2X_STRTOL
+#define __GLIBC_USE_C2X_STRTOL 0
++#undef __GLIBC_USE_ISOC23
++#undef __GLIBC_USE_C23_STRTOL
++#define __GLIBC_USE_C23_STRTOL 0
+
#include <assert.h>
#include <stdlib.h>
@@ -29,7 +32,7 @@ Index: git/pseudo_util.c
===================================================================
--- git.orig/pseudo_util.c
+++ git/pseudo_util.c
-@@ -8,6 +8,14 @@
+@@ -8,6 +8,17 @@
*/
/* we need access to RTLD_NEXT for a horrible workaround */
#define _GNU_SOURCE
@@ -41,6 +44,9 @@ Index: git/pseudo_util.c
+#undef __GLIBC_USE_ISOC2X
+#undef __GLIBC_USE_C2X_STRTOL
+#define __GLIBC_USE_C2X_STRTOL 0
++#undef __GLIBC_USE_ISOC23
++#undef __GLIBC_USE_C23_STRTOL
++#define __GLIBC_USE_C23_STRTOL 0
#include <ctype.h>
#include <errno.h>
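Review bot: The added lines for __GLIBC_USE_ISOC23 and __GLIBC_USE_C23_STRTOL go into a file still named glibc238.patch, and nothing in the inner patch says which glibc release each group of #undef lines targets. A short comment above the C23 lines, here and in the pseudo_wrappers.c hunk, would help whoever has to extend this workaround next. The inner hunk headers also changed (+6,18 and +8,17), so it is worth confirming that the inner patch still applies without fuzz.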
--
2.34.1
^ permalink raw reply related [flat|nested] 28+ messages in thread
* [OE-core][scarthgap 13/18] pseudo: Update to include open symlink handling bugfix
2024-08-04 17:09 [OE-core][scarthgap 00/18] Patch review Steve Sakoman
` (11 preceding siblings ...)
2024-08-04 17:09 ` [OE-core][scarthgap 12/18] pseudo: Fix to work with glibc 2.40 Steve Sakoman
@ 2024-08-04 17:09 ` Steve Sakoman
2024-08-04 17:09 ` [OE-core][scarthgap 14/18] iptables: fix memory corruption when parsing nft rules Steve Sakoman
` (4 subsequent siblings)
17 siblings, 0 replies; 28+ messages in thread
From: Steve Sakoman @ 2024-08-04 17:09 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Update to a new revision which includes "Bugfix for Linux open(O_CREAT|O_EXCL)"
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 92a9710ec88c8729fa3d83baa2e63dd74d95cdf8)
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index 5f32b3777a..7d8f71f65d 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -14,7 +14,7 @@ SRC_URI:append:class-nativesdk = " \
file://older-glibc-symbols.patch"
SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
-SRCREV = "e11ae91da7d0711f5e33ea9dfbf1875dde3c1734"
+SRCREV = "374089f2ed83da4d0d4e58df067142ff99c7eb12"
S = "${WORKDIR}/git"
PV = "1.9.0+git"
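Review bot: The subject calls this an "open symlink handling bugfix" while the body quotes the upstream change as "Bugfix for Linux open(O_CREAT|O_EXCL)", and the SRCREV change from e11ae91da7d0711f5e33ea9dfbf1875dde3c1734 to 374089f2ed83da4d0d4e58df067142ff99c7eb12 does not say whether other upstream commits come along with it. Listing the upstream shortlog between the two revisions in the commit message would let a stable-branch reviewer see exactly what is being pulled in.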
--
2.34.1
^ permalink raw reply related [flat|nested] 28+ messages in thread
* [OE-core][scarthgap 14/18] iptables: fix memory corruption when parsing nft rules
2024-08-04 17:09 [OE-core][scarthgap 00/18] Patch review Steve Sakoman
` (12 preceding siblings ...)
2024-08-04 17:09 ` [OE-core][scarthgap 13/18] pseudo: Update to include open symlink handling bugfix Steve Sakoman
@ 2024-08-04 17:09 ` Steve Sakoman
2024-08-04 17:09 ` [OE-core][scarthgap 15/18] gpgme: move gpgme-tool to own sub-package Steve Sakoman
` (3 subsequent siblings)
17 siblings, 0 replies; 28+ messages in thread
From: Steve Sakoman @ 2024-08-04 17:09 UTC (permalink / raw)
To: openembedded-core
From: Christian Taedcke <christian.taedcke@weidmueller.com>
This commit fixes a memory corruption issue when iptables (with
enabled PACKAGECONFIG libnftnl) is used to access rules created by
nft.
To reproduce the issue:
nft add chain ip filter TESTCHAIN { meta mark set 123 \;}
iptables -t filter -n -L TESTCHAIN
This produced the following output:
Chain TESTCHAIN (0 references)
target prot opt source destination
MARK 0 -- 0.0.0.0/0 0.0.0.0/0 MARK set 0x7b
malloc(): corrupted top size
Aborted (core dumped)
This commit fixes this issue.
Signed-off-by: Christian Taedcke <christian.taedcke@weidmueller.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...se-Add-missing-braces-around-ternary.patch | 37 +++++++++++++++++++
.../iptables/iptables_1.8.10.bb | 1 +
2 files changed, 38 insertions(+)
create mode 100644 meta/recipes-extended/iptables/iptables/0005-nft-ruleparse-Add-missing-braces-around-ternary.patch
diff --git a/meta/recipes-extended/iptables/iptables/0005-nft-ruleparse-Add-missing-braces-around-ternary.patch b/meta/recipes-extended/iptables/iptables/0005-nft-ruleparse-Add-missing-braces-around-ternary.patch
new file mode 100644
index 0000000000..4cbc8bdaf4
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/0005-nft-ruleparse-Add-missing-braces-around-ternary.patch
@@ -0,0 +1,37 @@
+From 2026b08bce7fe87b5964f7912e1eef30f04922c1 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 26 Jan 2024 18:43:10 +0100
+Subject: [PATCH] nft: ruleparse: Add missing braces around ternary
+
+The expression evaluated the sum before the ternay, consequently not
+adding target->size if tgsize was zero.
+
+Identified by ASAN for a simple rule using standard target:
+| # ebtables -A INPUT -s de:ad:be:ef:0:00 -j RETURN
+| # ebtables -D INPUT -s de:ad:be:ef:0:00 -j RETURN
+| =================================================================
+| ==18925==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000120 at pc 0x7f627a4c75c5 bp 0x7ffe882b5180 sp 0x7ffe882b4928
+| READ of size 8 at 0x603000000120 thread T0
+| [...]
+
+Upstream-Status: Backport [2026b08bce7fe87b5964f7912e1eef30f04922c1]
+
+Fixes: 2a6eee89083c8 ("nft-ruleparse: Introduce nft_create_target()")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ iptables/nft-ruleparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/nft-ruleparse.c b/iptables/nft-ruleparse.c
+index 0bbdf44faf..3b1cbe4fa1 100644
+--- a/iptables/nft-ruleparse.c
++++ b/iptables/nft-ruleparse.c
+@@ -94,7 +94,7 @@ __nft_create_target(struct nft_xt_ctx *ctx, const char *name, size_t tgsize)
+ if (!target)
+ return NULL;
+
+- size = XT_ALIGN(sizeof(*target->t)) + tgsize ?: target->size;
++ size = XT_ALIGN(sizeof(*target->t)) + (tgsize ?: target->size);
+
+ target->t = xtables_calloc(1, size);
+ target->t->u.target_size = size;
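Review bot: Upstream-Status in the added patch file carries only the hash 2026b08bce7fe87b5964f7912e1eef30f04922c1; adding the URL of the upstream commit would let the backport be verified without first locating the repository. The one-line change itself matches the inner commit message: with the added parentheses, target->size is included when tgsize is zero, so the xtables_calloc() call that follows receives the full size.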
diff --git a/meta/recipes-extended/iptables/iptables_1.8.10.bb b/meta/recipes-extended/iptables/iptables_1.8.10.bb
index 0070264844..f1ee1efe28 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.10.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.10.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.xz \
file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
file://0002-iptables-xshared.h-add-missing-sys.types.h-include.patch \
file://0004-configure.ac-only-check-conntrack-when-libnfnetlink-.patch \
+ file://0005-nft-ruleparse-Add-missing-braces-around-ternary.patch \
"
SRC_URI[sha256sum] = "5cc255c189356e317d070755ce9371eb63a1b783c34498fb8c30264f3cc59c9c"
--
2.34.1
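The precedence problem behind the crash described in this message, as an added example that is not part of the original post or of iptables. EX_ALIGN and EX_HDR_SIZE are assumed stand-ins for XT_ALIGN and sizeof(*target->t), the sample sizes are constructed, and the standard ternary is used in place of the GNU "?:" shorthand.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumptions for this example, not iptables definitions:
 * EX_ALIGN stands in for XT_ALIGN, EX_HDR_SIZE for sizeof(*target->t). */
#define EX_ALIGN(n) (((size_t)(n) + 7u) & ~(size_t)7u)
#define EX_HDR_SIZE ((size_t)32)

/* The removed line has the shape  hdr + tgsize ?: target_size.
 * '+' binds tighter than the conditional operator, so the compiler
 * groups it as written below: the sum is both condition and result,
 * and target_size is never added. */
size_t size_before_fix(size_t tgsize, size_t target_size)
{
    return (EX_ALIGN(EX_HDR_SIZE) + tgsize)
               ? (EX_ALIGN(EX_HDR_SIZE) + tgsize)
               : target_size;
}

/* The added parentheses make the fallback apply to tgsize only. */
size_t size_after_fix(size_t tgsize, size_t target_size)
{
    return EX_ALIGN(EX_HDR_SIZE) + (tgsize ? tgsize : target_size);
}

/* Bytes of a header-plus-payload record that fall outside an allocation
 * of 'alloc' bytes; 0 means the record fits. */
size_t out_of_bounds_bytes(size_t alloc, size_t payload_len)
{
    size_t needed = EX_ALIGN(EX_HDR_SIZE) + payload_len;
    return needed > alloc ? needed - alloc : 0;
}

int main(void)
{
    /* Constructed cases: {tgsize, target_size}. tgsize == 0 means
     * "use the target's own size", the case the fix restores. */
    static const size_t cases[][2] = { {0, 8}, {0, 24}, {16, 8} };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        size_t tgsize = cases[i][0], tsize = cases[i][1];
        size_t payload = tgsize ? tgsize : tsize;
        size_t before = size_before_fix(tgsize, tsize);
        size_t after = size_after_fix(tgsize, tsize);

        printf("tgsize=%zu target_size=%zu before=%zu after=%zu "
               "overflow_before=%zu\n",
               tgsize, tsize, before, after,
               out_of_bounds_bytes(before, payload));
    }
    return 0;
}
```

With tgsize equal to zero the pre-fix size covers the header only, so every payload byte lies past the end of the allocation; a non-zero tgsize gives the same size before and after the fix.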
^ permalink raw reply related [flat|nested] 28+ messages in thread
* [OE-core][scarthgap 15/18] gpgme: move gpgme-tool to own sub-package
2024-08-04 17:09 [OE-core][scarthgap 00/18] Patch review Steve Sakoman
` (13 preceding siblings ...)
2024-08-04 17:09 ` [OE-core][scarthgap 14/18] iptables: fix memory corruption when parsing nft rules Steve Sakoman
@ 2024-08-04 17:09 ` Steve Sakoman
2024-08-04 17:09 ` [OE-core][scarthgap 16/18] rt-tests: rt_bmark.py: fix TypeError Steve Sakoman
` (2 subsequent siblings)
17 siblings, 0 replies; 28+ messages in thread
From: Steve Sakoman @ 2024-08-04 17:09 UTC (permalink / raw)
To: openembedded-core
From: Patrick Wicki <patrick.wicki@siemens.com>
The gpgme-tool binary is licensed GPL-3.0-or-later. Split it out into
its own package that can be opted out of.
Signed-off-by: Patrick Wicki <patrick.wicki@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bbcd56bace90f4a148960a7108dc8d0e6c364903)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/gpgme/gpgme_1.23.2.bb | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-support/gpgme/gpgme_1.23.2.bb b/meta/recipes-support/gpgme/gpgme_1.23.2.bb
index d8807b3af2..55f164e4a9 100644
--- a/meta/recipes-support/gpgme/gpgme_1.23.2.bb
+++ b/meta/recipes-support/gpgme/gpgme_1.23.2.bb
@@ -3,11 +3,18 @@ DESCRIPTION = "GnuPG Made Easy (GPGME) is a library designed to make access to G
HOMEPAGE = "http://www.gnupg.org/gpgme.html"
BUGTRACKER = "https://bugs.g10code.com/gnupg/index"
-LICENSE = "GPL-2.0-or-later & LGPL-2.1-or-later"
+LICENSE = "GPL-2.0-or-later & LGPL-2.1-or-later & GPL-3.0-or-later"
+LICENSE:${PN} = "GPL-2.0-or-later & LGPL-2.1-or-later"
+LICENSE:${PN}-cpp = "GPL-2.0-or-later & LGPL-2.1-or-later"
+LICENSE:${PN}-tool = "GPL-3.0-or-later"
+LICENSE:python3-gpg = "GPL-2.0-or-later & LGPL-2.1-or-later"
+
LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
file://COPYING.LESSER;md5=bbb461211a33b134d42ed5ee802b37ff \
file://src/gpgme.h.in;endline=23;md5=2f0bf06d1c7dcb28532a9d0f94a7ca1d \
- file://src/engine.h;endline=22;md5=4b6d8ba313d9b564cc4d4cfb1640af9d"
+ file://src/engine.h;endline=22;md5=4b6d8ba313d9b564cc4d4cfb1640af9d \
+ file://src/gpgme-tool.c;endline=21;md5=66c5381e0e05475792e24982d15e7ce8 \
+ "
UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html"
SRC_URI = "${GNUPG_MIRROR}/gpgme/${BP}.tar.bz2 \
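Review bot: Only ${PN}, ${PN}-cpp, ${PN}-tool and python3-gpg get a LICENSE:<package> value in this hunk, so any other package of the recipe (a later hunk shows FILES:${PN}-dev) has no override next to a recipe-level LICENSE that now includes GPL-3.0-or-later. If those packages are meant to stay "GPL-2.0-or-later & LGPL-2.1-or-later", they need the same per-package line.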
@@ -33,6 +40,8 @@ RDEPENDS:${PN}-cpp += "libstdc++"
RDEPENDS:python3-gpg += "python3-unixadmin"
+RRECOMMENDS:${PN} += "${PN}-tool"
+
BINCONFIG = "${bindir}/gpgme-config"
# Default in configure.ac: "cl cpp python qt"
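Review bot: RRECOMMENDS:${PN} += "${PN}-tool" means the GPL-3.0-or-later binary is still pulled in by default alongside ${PN}; the commit message says it "can be opted out of" but not how. A comment next to this line naming the intended opt-out (for example BAD_RECOMMENDATIONS) would make the licensing intent clear to users of the recipe.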
@@ -61,9 +70,10 @@ export PKG_CONFIG='pkg-config'
BBCLASSEXTEND = "native nativesdk"
-PACKAGES =+ "${PN}-cpp python3-gpg"
+PACKAGES =+ "${PN}-cpp ${PN}-tool python3-gpg"
FILES:${PN}-cpp = "${libdir}/libgpgmepp.so.*"
+FILES:${PN}-tool = "${bindir}/gpgme-tool"
FILES:python3-gpg = "${PYTHON_SITEPACKAGES_DIR}/*"
FILES:${PN}-dev += "${datadir}/common-lisp/source/gpgme/*"
--
2.34.1
^ permalink raw reply related [flat|nested] 28+ messages in thread
* [OE-core][scarthgap 16/18] rt-tests: rt_bmark.py: fix TypeError
2024-08-04 17:09 [OE-core][scarthgap 00/18] Patch review Steve Sakoman
` (14 preceding siblings ...)
2024-08-04 17:09 ` [OE-core][scarthgap 15/18] gpgme: move gpgme-tool to own sub-package Steve Sakoman
@ 2024-08-04 17:09 ` Steve Sakoman
2024-08-04 17:09 ` [OE-core][scarthgap 17/18] watchdog: Set watchdog_module in default config Steve Sakoman
2024-08-04 17:09 ` [OE-core][scarthgap 18/18] rust: Add new varaible RUST_ENABLE_EXTRA_TOOLS Steve Sakoman
17 siblings, 0 replies; 28+ messages in thread
From: Steve Sakoman @ 2024-08-04 17:09 UTC (permalink / raw)
To: openembedded-core
From: Changqing Li <changqing.li@windriver.com>
Fix following error:
File "/usr/lib64/rt-tests/ptest/./rt_bmark.py", line 287, in run_cyclictest_once
m = rex.search(line)
^^^^^^^^^^^^^^^^
TypeError: cannot use a string pattern on a bytes-like object
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c5108da4009ccd3dfc92632171d6bc4dae4507db)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-rt/rt-tests/files/rt_bmark.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-rt/rt-tests/files/rt_bmark.py b/meta/recipes-rt/rt-tests/files/rt_bmark.py
index 2a4eed412f..5d22623656 100755
--- a/meta/recipes-rt/rt-tests/files/rt_bmark.py
+++ b/meta/recipes-rt/rt-tests/files/rt_bmark.py
@@ -284,7 +284,7 @@ def run_cyclictest_once():
avg_cnt = 0
for line in res.splitlines():
- m = rex.search(line)
+ m = rex.search(line.decode('utf-8'))
if m is not None:
minlist.append(int(m.group(2)))
maxlist.append(int(m.group(4)))
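Review bot: line.decode('utf-8') inside the loop raises UnicodeDecodeError on the first line that is not valid UTF-8, which would abort the run just as the TypeError did. Decoding res once before splitlines(), with errors='replace', keeps the regex matching on str and tolerates stray bytes in the cyclictest output.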
--
2.34.1
^ permalink raw reply related [flat|nested] 28+ messages in thread
* [OE-core][scarthgap 17/18] watchdog: Set watchdog_module in default config
2024-08-04 17:09 [OE-core][scarthgap 00/18] Patch review Steve Sakoman
` (15 preceding siblings ...)
2024-08-04 17:09 ` [OE-core][scarthgap 16/18] rt-tests: rt_bmark.py: fix TypeError Steve Sakoman
@ 2024-08-04 17:09 ` Steve Sakoman
2024-08-04 17:09 ` [OE-core][scarthgap 18/18] rust: Add new varaible RUST_ENABLE_EXTRA_TOOLS Steve Sakoman
17 siblings, 0 replies; 28+ messages in thread
From: Steve Sakoman @ 2024-08-04 17:09 UTC (permalink / raw)
To: openembedded-core
From: Wadim Egorov <w.egorov@phytec.de>
systemd started to warn about used but unset environment variables.
Let us set watchdog_module=none which is used by the watchdog.service to get
rid of the following warning:
watchdog.service: Referenced but unset environment variable evaluates to an empty string: watchdog_module
Signed-off-by: Wadim Egorov <w.egorov@phytec.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8f1dc796c7298373e61d806e63bc121128c1c27c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-extended/watchdog/watchdog-config/watchdog.default | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-extended/watchdog/watchdog-config/watchdog.default b/meta/recipes-extended/watchdog/watchdog-config/watchdog.default
index 647d5abca5..cee5fdc2b6 100644
--- a/meta/recipes-extended/watchdog/watchdog-config/watchdog.default
+++ b/meta/recipes-extended/watchdog/watchdog-config/watchdog.default
@@ -1,2 +1,3 @@
# Start watchdog at boot time? 0 or 1
run_watchdog=1
+watchdog_module=none
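Review bot: watchdog_module=none is added without a comment, unlike run_watchdog just above it, so someone reading the installed default file cannot tell that "none" is there to silence the systemd warning quoted in the commit message. A one-line comment saying what the variable is for and which values are expected would help.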
--
2.34.1
^ permalink raw reply related [flat|nested] 28+ messages in thread
* [OE-core][scarthgap 18/18] rust: Add new varaible RUST_ENABLE_EXTRA_TOOLS
2024-08-04 17:09 [OE-core][scarthgap 00/18] Patch review Steve Sakoman
` (16 preceding siblings ...)
2024-08-04 17:09 ` [OE-core][scarthgap 17/18] watchdog: Set watchdog_module in default config Steve Sakoman
@ 2024-08-04 17:09 ` Steve Sakoman
2024-08-04 21:32 ` Richard Purdie
17 siblings, 1 reply; 28+ messages in thread
From: Steve Sakoman @ 2024-08-04 17:09 UTC (permalink / raw)
To: openembedded-core
From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
There is a need to enable some extra tools from the rust for the build
and so this new variable will help for that
This variable then we can use during do_configure task to add overall
values as per json format in build -> tools
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/rust/rust_1.75.0.bb | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/rust/rust_1.75.0.bb b/meta/recipes-devtools/rust/rust_1.75.0.bb
index 76e1fe2d84..c33f31d261 100644
--- a/meta/recipes-devtools/rust/rust_1.75.0.bb
+++ b/meta/recipes-devtools/rust/rust_1.75.0.bb
@@ -70,6 +70,10 @@ addtask do_test_compile after do_configure do_rust_gen_targets
do_rust_setup_snapshot[dirs] += "${WORKDIR}/rust-snapshot"
do_rust_setup_snapshot[vardepsexclude] += "UNINATIVE_LOADER"
+# there is a need to enable some more rust tools for the project
+# We can extend a list of more tools via this variable
+RUST_ENABLE_EXTRA_TOOLS ?= "rust-demangler"
+
python do_configure() {
import json
import configparser
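Review bot: The default of RUST_ENABLE_EXTRA_TOOLS is the tool that used to be hard-coded, so a layer that assigns the variable with "=" silently drops rust-demangler even though the name says "extra". Either keep rust-demangler fixed in do_configure and append the variable's contents to it, or state in the comment above the assignment that overrides must include it.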
@@ -141,7 +145,7 @@ python do_configure() {
config.add_section("build")
config.set("build", "submodules", e(False))
config.set("build", "docs", e(False))
- config.set("build", "tools", ["rust-demangler",])
+ config.set("build", "tools", e(d.getVar("RUST_ENABLE_EXTRA_TOOLS").split()))
rustc = d.expand("${WORKDIR}/rust-snapshot/bin/rustc")
config.set("build", "rustc", e(rustc))
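Review bot: d.getVar("RUST_ENABLE_EXTRA_TOOLS").split() raises AttributeError if the variable ends up unset, because getVar then returns None; (d.getVar("RUST_ENABLE_EXTRA_TOOLS") or "").split() is the usual guard. The value also now goes through e() where the removed line passed a bare list, so it is worth confirming that the generated configuration still has the same tools entry for the default value.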
--
2.34.1
^ permalink raw reply related [flat|nested] 28+ messages in thread
* Re: [OE-core][scarthgap 18/18] rust: Add new varaible RUST_ENABLE_EXTRA_TOOLS
2024-08-04 17:09 ` [OE-core][scarthgap 18/18] rust: Add new varaible RUST_ENABLE_EXTRA_TOOLS Steve Sakoman
@ 2024-08-04 21:32 ` Richard Purdie
2024-08-05 8:47 ` Marko, Peter
0 siblings, 1 reply; 28+ messages in thread
From: Richard Purdie @ 2024-08-04 21:32 UTC (permalink / raw)
To: steve, openembedded-core
On Sun, 2024-08-04 at 10:09 -0700, Steve Sakoman via
lists.openembedded.org wrote:
> From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
>
> There is a need to enable some extra tools from the rust for the
> build
> and so this new variable will help for that
>
> This variable then we can use during do_configure task to add overall
> values as per json format in build -> tools
>
> Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
> meta/recipes-devtools/rust/rust_1.75.0.bb | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
Not sure this is on master?
Cheers,
Richard
^ permalink raw reply [flat|nested] 28+ messages in thread
* RE: [OE-core][scarthgap 18/18] rust: Add new varaible RUST_ENABLE_EXTRA_TOOLS
2024-08-04 21:32 ` Richard Purdie
@ 2024-08-05 8:47 ` Marko, Peter
2024-08-05 9:02 ` Richard Purdie
0 siblings, 1 reply; 28+ messages in thread
From: Marko, Peter @ 2024-08-05 8:47 UTC (permalink / raw)
To: richard.purdie@linuxfoundation.org, steve@sakoman.com,
openembedded-core@lists.openembedded.org
-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Richard Purdie via lists.openembedded.org
Sent: Sunday, August 4, 2024 23:33
To: steve@sakoman.com; openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][scarthgap 18/18] rust: Add new varaible RUST_ENABLE_EXTRA_TOOLS
> On Sun, 2024-08-04 at 10:09 -0700, Steve Sakoman via
> lists.openembedded.org wrote:
> > From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> >
> > There is a need to enable some extra tools from the rust for the
> > build
> > and so this new variable will help for that
> >
> > This variable then we can use during do_configure task to add overall
> > values as per json format in build -> tools
> >
> > Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> > meta/recipes-devtools/rust/rust_1.75.0.bb | 6 +++++-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
>
> Not sure this is on master?
>
> Cheers,
>
> Richard
This was already explained here:
https://lists.openembedded.org/g/openembedded-core/message/202732
Peter
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [OE-core][scarthgap 18/18] rust: Add new varaible RUST_ENABLE_EXTRA_TOOLS
2024-08-05 8:47 ` Marko, Peter
@ 2024-08-05 9:02 ` Richard Purdie
0 siblings, 0 replies; 28+ messages in thread
From: Richard Purdie @ 2024-08-05 9:02 UTC (permalink / raw)
To: Marko, Peter, steve@sakoman.com,
openembedded-core@lists.openembedded.org
On Mon, 2024-08-05 at 08:47 +0000, Marko, Peter wrote:
> -----Original Message-----
> From:
> openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org
> > On Behalf Of Richard Purdie via lists.openembedded.org
> Sent: Sunday, August 4, 2024 23:33
> To: steve@sakoman.com; openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][scarthgap 18/18] rust: Add new varaible
> RUST_ENABLE_EXTRA_TOOLS
>
> > On Sun, 2024-08-04 at 10:09 -0700, Steve Sakoman via
> > lists.openembedded.org wrote:
> > > From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> > >
> > > There is a need to enable some extra tools from the rust for the
> > > build
> > > and so this new variable will help for that
> > >
> > > This variable then we can use during do_configure task to add
> > > overall
> > > values as per json format in build -> tools
> > >
> > > Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> > > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > > ---
> > > meta/recipes-devtools/rust/rust_1.75.0.bb | 6 +++++-
> > > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > Not sure this is on master?
> >
> > Cheers,
> >
> > Richard
>
> This was already explained here:
> https://lists.openembedded.org/g/openembedded-core/message/202732
Fair enough, thanks!
Cheers,
Richard
^ permalink raw reply [flat|nested] 28+ messages in thread