[OE-core] [PATCH] go: ignore CVE-2023-24532
Fix for the CVE introduces new data structures which are defined in newer versions of go. Also, from upstream maintainer, "...it only affects niche configurations, namely very specific direct uses of crypto/elliptic. We found no real world protocol that could be attacked due to this."
Signed-off-by: Sakib Sajal
---
 meta/recipes-devtools/go/go-1.17.13.inc | 7 +++
 1 file changed, 7 insertions(+)
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 91dd886cd0..480e6caa2c 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -53,3 +53,10 @@ CVE_CHECK_IGNORE += "CVE-2021-29923"
 # This is specific to Microsoft Windows
 CVE_CHECK_IGNORE += "CVE-2022-41716"
+
+# Fix introduces new data structures defined in newer version of go.
+# Also, from go maintainer, "it only affects niche configurations,
+# namely very specific direct uses of crypto/elliptic. We found
+# no real world protocol that could be attacked due to this."
+# https://github.com/golang/go/issues/58647
+CVE_CHECK_IGNORE += "CVE-2023-24532"
-- 
2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#188015): https://lists.openembedded.org/g/openembedded-core/message/188015 Mute This Topic: https://lists.openembedded.org/mt/101502595/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
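Review bot: The new CVE_CHECK_IGNORE entry records a backport difficulty plus a low-exposure assessment, not non-applicability, yet cve-check reports it exactly like the neighbouring `# This is specific to Microsoft Windows` entry, which documents a genuine false positive. The comment should say that the shipped code is affected and the fix is deliberately not carried, e.g. `# Affected, but the upstream fix is not backported: it depends on data structures only present in newer go releases.` so a consumer of the ignore list can tell a risk acceptance from a false positive. The issue link is the right anchor; the quoted maintainer statement describes which configurations are exposed, not whether go 1.17.13 is in scope, so it supports severity rather than the ignore itself.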
[OE-core] [PATCH] go: upgrade 1.20.6 -> 1.20.7
Upgrade to latest 1.20.x release [1]: $ git log --oneline go1.20.6..go1.20.7 origin/release-branch.go1.20 adb775e309 (tag: go1.20.7, origin/release-branch.go1.20) [release-branch.go1.20] go1.20.7 659f2a2207 [release-branch.go1.20] crypto/tls: restrict RSA keys in certificates to <= 8192 bits 10d85fa0f6 [release-branch.go1.20] cmd/asm, cmd/internal/obj: generate proper atomic ops for riscv64 bd3a1f24e7 [release-branch.go1.20] net: tolerate permission errors in interface tests 6211a024b4 [release-branch.go1.20] cmd/compile: on PPC64, fix sign/zero extension when masking [1] https://github.com/golang/go/compare/go1.20.6...go1.20.7 Signed-off-by: Sakib Sajal --- meta/recipes-devtools/go/{go-1.20.6.inc => go-1.20.7.inc} | 2 +- ...o-binary-native_1.20.6.bb => go-binary-native_1.20.7.bb} | 6 +++--- ...cross-canadian_1.20.6.bb => go-cross-canadian_1.20.7.bb} | 0 .../go/{go-cross_1.20.6.bb => go-cross_1.20.7.bb} | 0 .../go/{go-crosssdk_1.20.6.bb => go-crosssdk_1.20.7.bb} | 0 .../go/{go-native_1.20.6.bb => go-native_1.20.7.bb} | 0 .../go/{go-runtime_1.20.6.bb => go-runtime_1.20.7.bb} | 0 meta/recipes-devtools/go/{go_1.20.6.bb => go_1.20.7.bb} | 0 8 files changed, 4 insertions(+), 4 deletions(-) rename meta/recipes-devtools/go/{go-1.20.6.inc => go-1.20.7.inc} (89%) rename meta/recipes-devtools/go/{go-binary-native_1.20.6.bb => go-binary-native_1.20.7.bb} (78%) rename meta/recipes-devtools/go/{go-cross-canadian_1.20.6.bb => go-cross-canadian_1.20.7.bb} (100%) rename meta/recipes-devtools/go/{go-cross_1.20.6.bb => go-cross_1.20.7.bb} (100%) rename meta/recipes-devtools/go/{go-crosssdk_1.20.6.bb => go-crosssdk_1.20.7.bb} (100%) rename meta/recipes-devtools/go/{go-native_1.20.6.bb => go-native_1.20.7.bb} (100%) rename meta/recipes-devtools/go/{go-runtime_1.20.6.bb => go-runtime_1.20.7.bb} (100%) rename meta/recipes-devtools/go/{go_1.20.6.bb => go_1.20.7.bb} (100%) 
diff --git a/meta/recipes-devtools/go/go-1.20.6.inc b/meta/recipes-devtools/go/go-1.20.7.inc
similarity index 89%
rename from meta/recipes-devtools/go/go-1.20.6.inc
rename to meta/recipes-devtools/go/go-1.20.7.inc
index 551171b255..f7974367cc 100644
--- a/meta/recipes-devtools/go/go-1.20.6.inc
+++ b/meta/recipes-devtools/go/go-1.20.7.inc
@@ -15,4 +15,4 @@ SRC_URI += "\
 file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \
 file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \
 "
-SRC_URI[main.sha256sum] = "62ee5bc6fb55b8bae8f705e0cb8df86d6453626b4ecf93279e2867092e0b7f70"
+SRC_URI[main.sha256sum] = "2c5ee9c9ec1e733b0dbbc2bdfed3f62306e51d8172bf38f4f4e542b27520f597"
diff --git a/meta/recipes-devtools/go/go-binary-native_1.20.6.bb b/meta/recipes-devtools/go/go-binary-native_1.20.7.bb
similarity index 78%
rename from meta/recipes-devtools/go/go-binary-native_1.20.6.bb
rename to meta/recipes-devtools/go/go-binary-native_1.20.7.bb
index 5b2f8f4352..3decde1954 100644
--- a/meta/recipes-devtools/go/go-binary-native_1.20.6.bb
+++ b/meta/recipes-devtools/go/go-binary-native_1.20.7.bb
@@ -9,9 +9,9 @@ PROVIDES = "go-native"
 # Checksums available at https://go.dev/dl/
 SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE};
-SRC_URI[go_linux_amd64.sha256sum] = "b945ae2bb5db01a0fb4786afde64e6fbab50b67f6fa0eb6cfa4924f16a7ff1eb"
-SRC_URI[go_linux_arm64.sha256sum] = "4e15ab37556e979181a1a1cc60f6d796932223a0f5351d7c83768b356f84429b"
-SRC_URI[go_linux_ppc64le.sha256sum] = "a1b91a42a40bba54bfd5c96c23d72250e0c424038d0d2b5c7950b828b4905822"
+SRC_URI[go_linux_amd64.sha256sum] = "f0a87f1bcae91c4b69f8dc2bc6d7e6bfcd7524fceec130af525058c0c17b1b44"
+SRC_URI[go_linux_arm64.sha256sum] = "44781ae3b153c3b07651d93b6bc554e835a36e2d72a696281c1e4dad9efffe43"
+SRC_URI[go_linux_ppc64le.sha256sum] = "6318a1db307c12b8afe68808bd6fae4fba1e558a85b958216096869ed506dcb3"
 UPSTREAM_CHECK_URI = "https://golang.org/dl/;
 UPSTREAM_CHECK_REGEX = "go(?P\d+(\.\d+)+)\.linux"
diff --git a/meta/recipes-devtools/go/go-cross-canadian_1.20.6.bb b/meta/recipes-devtools/go/go-cross-canadian_1.20.7.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-cross-canadian_1.20.6.bb
rename to meta/recipes-devtools/go/go-cross-canadian_1.20.7.bb
diff --git a/meta/recipes-devtools/go/go-cross_1.20.6.bb b/meta/recipes-devtools/go/go-cross_1.20.7.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-cross_1.20.6.bb
rename to meta/recipes-devtools/go/go-cross_1.20.7.bb
diff --git a/meta/recipes-devtools/go/go-crosssdk_1.20.6.bb b/meta/recipes-devtools/go/go-crosssdk_1.20.7.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-crosssdk_1.20.6.bb
rename to meta/recipes-devtools/go/go-crosssdk_1.20.7.bb
diff --git a/meta/recipes-devtools/go/go-native_1.2
[OE-core] [kirkstone][PATCH 3/3] go: fix CVE-2023-29406
Backport required patch to fix CVE-2023-29406.
Signed-off-by: Sakib Sajal
---
 meta/recipes-devtools/go/go-1.17.13.inc | 1 +
 .../go/go-1.19/CVE-2023-29406.patch | 210 ++
 2 files changed, 211 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-29406.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index d46eab01a0..b9d905a616 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -41,6 +41,7 @@ SRC_URI += "\
 file://CVE-2023-24536_3.patch \
 file://CVE-2023-24531_1.patch \
 file://CVE-2023-24531_2.patch \
+file://CVE-2023-29406.patch \
 "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-29406.patch b/meta/recipes-devtools/go/go-1.19/CVE-2023-29406.patch
new file mode 100644
index 00..8a82d5c18c
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-29406.patch
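Review bot: The go-1.17.13.inc hunk wires in CVE-2023-29406.patch, but the patch's request.go hunk (cut off at the end of this page) removes the `net` import and adds one beginning `gol…`, which looks like a golang.org/x/net package; whether the copy vendored in go 1.17.13 provides the symbol the backport relies on is what decides if this builds, and it is not visible here. The patch header names the upstream commit it was taken from (Upstream-Status: Backport [5fa6923b…]), so a sentence in the commit message or a comment beside the SRC_URI entry stating that the import was checked against the 1.17 vendor tree would save the next reviewer that verification. The .inc hunk itself is complete; the patch file section is not.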
@@ -0,0 +1,210 @@ +From 3077df09879fb1aad0ccfc009fee6fc5e5f532bc Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Wed, 28 Jun 2023 13:20:08 -0700 +Subject: [PATCH] net/http: validate Host header before sending + +Verify that the Host header we send is valid. +Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops" +adding an X-Evil header to HTTP/1 requests. + +Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to +header injection in the way HTTP/1 is, but x/net/http2 doesn't validate +the header and will go into a retry loop when the server rejects it. +CL 506995 adds the necessary validation to x/net/http2. + +Updates #60374 +Fixes #61075 +For CVE-2023-29406 + +Change-Id: I05cb6866a9bead043101954dfded199258c6dd04 +Reviewed-on: https://go-review.googlesource.com/c/go/+/506996 +Reviewed-by: Tatiana Bradley +TryBot-Result: Gopher Robot +Run-TryBot: Damien Neil +(cherry picked from commit 499458f7ca04087958987a33c2703c3ef03e27e2) +Reviewed-on: https://go-review.googlesource.com/c/go/+/507358 +Run-TryBot: Tatiana Bradley +Reviewed-by: Roland Shoemaker + +CVE: CVE-2023-29406 +Upstream-Status: Backport [5fa6923b1ea891400153d04ddf1545e23b40041b] +Signed-off-by: Sakib Sajal +--- + src/net/http/http_test.go | 29 -- + src/net/http/request.go| 45 -- + src/net/http/request_test.go | 11 ++--- + src/net/http/transport_test.go | 18 ++ + 4 files changed, 30 insertions(+), 73 deletions(-) + +diff --git a/src/net/http/http_test.go b/src/net/http/http_test.go +index 0d92fe5..f03272a 100644 +--- a/src/net/http/http_test.go b/src/net/http/http_test.go +@@ -48,35 +48,6 @@ func TestForeachHeaderElement(t *testing.T) { + } + } + +-func TestCleanHost(t *testing.T) { +- tests := []struct { +- in, want string +- }{ +- {"www.google.com", "www.google.com"}, +- {"www.google.com foo", "www.google.com"}, +- {"www.google.com/foo", "www.google.com"}, +- {" first character is a space", ""}, +- {"[1::6]:8080", "[1::6]:8080"}, +- +- // Punycode: +- {"гофер.рф/foo", 
"xn--c1ae0ajs.xn--p1ai"}, +- {"bücher.de", "xn--bcher-kva.de"}, +- {"bücher.de:8080", "xn--bcher-kva.de:8080"}, +- // Verify we convert to lowercase before punycode: +- {"BÜCHER.de", "xn--bcher-kva.de"}, +- {"BÜCHER.de:8080", "xn--bcher-kva.de:8080"}, +- // Verify we normalize to NFC before punycode: +- {"gophér.nfc", "xn--gophr-esa.nfc"},// NFC input; no work needed +- {"goph\u0065\u0301r.nfd", "xn--gophr-esa.nfd"}, // NFD input +- } +- for _, tt := range tests { +- got := cleanHost(tt.in) +- if tt.want != got { +- t.Errorf("cleanHost(%q) = %q, want %q", tt.in, got, tt.want) +- } +- } +-} +- + // Test that cmd/go doesn't link in the HTTP server. + // + // This catches accidental dependencies between the HTTP transport and +diff --git a/src/net/http/request.go b/src/net/http/request.go +index 09cb0c7..2f4e740 100644 +--- a/src/net/http/request.go b/src/net/http/request.go +@@ -17,7 +17,6 @@ import ( + "io" + "mime" + "mime/multipart" +- "net" + "net/http/httptrace" + "net/http/internal/ascii" + "net/textproto" +@@ -27,6 +26,7 @@ import ( + "strings" + "sync" + ++ "gol
[OE-core] [kirkstone][PATCH 1/3] go: fix CVE-2023-24536
Backport required patches to fix CVE-2023-24536.
Signed-off-by: Sakib Sajal
---
 meta/recipes-devtools/go/go-1.17.13.inc | 3 +
 .../go/go-1.19/CVE-2023-24536_1.patch | 137 +++
 .../go/go-1.19/CVE-2023-24536_2.patch | 187 ++
 .../go/go-1.19/CVE-2023-24536_3.patch | 349 ++
 4 files changed, 676 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-24536_1.patch
 create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-24536_2.patch
 create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-24536_3.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 73921852fc..f8b046500a 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -36,6 +36,9 @@ SRC_URI += "\
 file://CVE-2023-29405.patch \
 file://CVE-2023-29402.patch \
 file://CVE-2023-29400.patch \
+file://CVE-2023-24536_1.patch \
+file://CVE-2023-24536_2.patch \
+file://CVE-2023-24536_3.patch \
 "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-24536_1.patch b/meta/recipes-devtools/go/go-1.19/CVE-2023-24536_1.patch
new file mode 100644
index 00..ff9ba18ec5
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-24536_1.patch
@@ -0,0 +1,137 @@ +From f8d691d335c6ac14bcbae6886b5bf8ca8bf1e6a5 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Thu, 16 Mar 2023 14:18:04 -0700 +Subject: [PATCH 1/3] mime/multipart: avoid excessive copy buffer allocations + in ReadForm + +When copying form data to disk with io.Copy, +allocate only one copy buffer and reuse it rather than +creating two buffers per file (one from io.multiReader.WriteTo, +and a second one from os.File.ReadFrom). + +Thanks to Jakob Ackermann (@das7pad) for reporting this issue. + +For CVE-2023-24536 +For #59153 +For #59269 + +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802453 +Run-TryBot: Damien Neil +Reviewed-by: Julie Qiu +Reviewed-by: Roland Shoemaker +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802395 +Run-TryBot: Roland Shoemaker +Reviewed-by: Damien Neil +Change-Id: Ie405470c92abffed3356913b37d813e982c96c8b +Reviewed-on: https://go-review.googlesource.com/c/go/+/481983 +Run-TryBot: Michael Knyszek +TryBot-Result: Gopher Robot +Auto-Submit: Michael Knyszek +Reviewed-by: Matthew Dempsky + +CVE: CVE-2023-24536 +Upstream-Status: Backport [ef41a4e2face45e580c5836eaebd51629fc23f15] +Signed-off-by: Sakib Sajal +--- + src/mime/multipart/formdata.go | 15 +++-- + src/mime/multipart/formdata_test.go | 49 + + 2 files changed, 61 insertions(+), 3 deletions(-) + +diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go +index a7d4ca9..975dcb6 100644 +--- a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go +@@ -84,6 +84,7 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) { + maxMemoryBytes = math.MaxInt64 + } + } ++ var copyBuf []byte + for { + p, err := r.nextPart(false, maxMemoryBytes) + if err == io.EOF { +@@ -147,14 +148,22 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) { + } + } + numDiskFiles++ +- size, err := io.Copy(file, io.MultiReader(, p)) ++ if _, err := file.Write(b.Bytes()); err != nil { ++ 
return nil, err ++ } ++ if copyBuf == nil { ++ copyBuf = make([]byte, 32*1024) // same buffer size as io.Copy uses ++ } ++ // os.File.ReadFrom will allocate its own copy buffer if we let io.Copy use it. ++ type writerOnly struct{ io.Writer } ++ remainingSize, err := io.CopyBuffer(writerOnly{file}, p, copyBuf) + if err != nil { + return nil, err + } + fh.tmpfile = file.Name() +- fh.Size = size ++ fh.Size = int64(b.Len()) + remainingSize + fh.tmpoff = fileOff +- fileOff += size ++ fileOff += fh.Size + if !combineFiles { + if err := file.Close(); err != nil { + return nil, err +diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go +index 5cded71..f5b5608 100644 +--- a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go +@@ -368,3 +368,52 @@ func tes
[OE-core] [kirkstone][PATCH 2/3] go: fix CVE-2023-24531
Backport required patches from go1.21 to fix CVE-2023-24531.
Signed-off-by: Sakib Sajal
---
 meta/recipes-devtools/go/go-1.17.13.inc | 4 +-
 .../go/go-1.21/CVE-2023-24531_1.patch | 252 ++
 .../go/go-1.21/CVE-2023-24531_2.patch | 47
 3 files changed, 302 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-24531_1.patch
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-24531_2.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index f8b046500a..d46eab01a0 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -1,6 +1,6 @@
 require go-common.inc
-FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/go-1.19:${FILE_DIRNAME}/go-1.18:"
+FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/go-1.21:${FILE_DIRNAME}/go-1.19:${FILE_DIRNAME}/go-1.18:"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
@@ -39,6 +39,8 @@ SRC_URI += "\
 file://CVE-2023-24536_1.patch \
 file://CVE-2023-24536_2.patch \
 file://CVE-2023-24536_3.patch \
+file://CVE-2023-24531_1.patch \
+file://CVE-2023-24531_2.patch \
 "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-24531_1.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-24531_1.patch
new file mode 100644
index 00..5f6d7e16a8
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-24531_1.patch
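Review bot: The FILESEXTRAPATHS:prepend hunk places `${FILE_DIRNAME}/go-1.21` ahead of go-1.19 and go-1.18, so any file later dropped into go-1.21 under a name that already exists in the older directories silently wins; a comment on that line making the search order explicit, e.g. `# Searched newest-first: a file in go-1.21 shadows a same-named file in go-1.19/go-1.18`, would make that rule visible to the next person adding a patch. The backported change also alters the no-argument `go env` output on a stable branch (the env.go hunk replaces `%s=\"%s\"` with `shellQuote(e.Value)`), and the commit message should mention that format change for anyone parsing that output in recipes or tooling. The same point applies to the mickledore variant of this backport further down the page.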
@@ -0,0 +1,252 @@ +From 0f717b5f7d32bb660c01ec0366bd53c9b4c5ab5d Mon Sep 17 00:00:00 2001 +From: Michael Matloob +Date: Mon, 24 Apr 2023 16:57:28 -0400 +Subject: [PATCH 1/2] cmd/go: sanitize go env outputs + +go env, without any arguments, outputs the environment variables in +the form of a script that can be run on the host OS. On Unix, single +quote the strings and place single quotes themselves outside the +single quoted strings. On windows use the set "var=val" syntax with +the quote starting before the variable. + +Fixes #58508 + +Change-Id: Iecd379a4af7285ea9b2024f0202250c74fd9a2bd +Reviewed-on: https://go-review.googlesource.com/c/go/+/488375 +TryBot-Result: Gopher Robot +Reviewed-by: Michael Matloob +Reviewed-by: Damien Neil +Run-TryBot: Michael Matloob +Reviewed-by: Bryan Mills +Reviewed-by: Quim Muntal + +CVE: CVE-2023-24531 +Upstream-Status: Backport [f379e78951a405e7e99a60fb231eeedbf976c108] + +Signed-off-by: Sakib Sajal +--- + src/cmd/go/internal/envcmd/env.go | 60 - + src/cmd/go/internal/envcmd/env_test.go | 94 + + src/cmd/go/testdata/script/env_sanitize.txt | 5 ++ + 3 files changed, 157 insertions(+), 2 deletions(-) + create mode 100644 src/cmd/go/internal/envcmd/env_test.go + create mode 100644 src/cmd/go/testdata/script/env_sanitize.txt + +diff --git a/src/cmd/go/internal/envcmd/env.go b/src/cmd/go/internal/envcmd/env.go +index 43b94e7..0ce8843 100644 +--- a/src/cmd/go/internal/envcmd/env.go b/src/cmd/go/internal/envcmd/env.go +@@ -6,6 +6,7 @@ + package envcmd + + import ( ++ "bytes" + "context" + "encoding/json" + "fmt" +@@ -17,6 +18,7 @@ import ( + "runtime" + "sort" + "strings" ++ "unicode" + "unicode/utf8" + + "cmd/go/internal/base" +@@ -379,9 +381,12 @@ func checkBuildConfig(add map[string]string, del map[string]bool) error { + func PrintEnv(w io.Writer, env []cfg.EnvVar) { + for _, e := range env { + if e.Name != "TERM" { ++ if runtime.GOOS != "plan9" && bytes.Contains([]byte(e.Value), []byte{0}) { ++ base.Fatalf("go: internal error: 
encountered null byte in environment variable %s on non-plan9 platform", e.Name) ++ } + switch runtime.GOOS { + default: +- fmt.Fprintf(w, "%s=\"%s\"\n", e.Name, e.Value) ++ fmt.Fprintf(w, "%s=%s\n", e.Name, shellQuote(e.Value)) + case "plan9": + if strings.IndexByte(e.Value, '\x00') < 0 { + fmt.Fprintf(w, "%s='%s'\n", e.Name, strings.ReplaceAll(e.Value, "'", "''")) +@@ -392,17 +397,68 @@ func PrintEnv(w io.Writer, env []cfg.EnvVar) { + if x > 0 { + fmt.Fprintf(w, " ") + } ++ // TODO(#59979): Does
[OE-core] [mickledore][PATCH] go: update 1.20.5 -> 1.20.6
From: Jose Quaresma Upgrade to latest 1.20.x release [1]: $ git log --oneline go1.20.5..go1.20.6 origin/release-branch.go1.20 2c358ffe97 (tag: go1.20.6, origin/release-branch.go1.20) [release-branch.go1.20] go1.20.6 312920c00a [release-branch.go1.20] net/http: validate Host header before sending 4db13d762b [release-branch.go1.20] runtime: set raceignore to zero when starting a new goroutine 08a58dd8b6 [release-branch.go1.20] runtime: allow for 5 more threads in TestWindowsStackMemory* 65092835c5 [release-branch.go1.20] cmd/go: skip TestScript/gccgo_link_ldflags on aix/ppc64 bca817594c [release-branch.go1.20] crypto/x509: tolerate multiple matching chains in testVerify b8e67d1ddd [release-branch.go1.20] cmd/go/internal/test: don't wait for previous test actions when interrupted 3db4f8146c [release-branch.go1.20] runtime: resolve checkdead panic by refining `startm` lock handling in caller context 6b45fb7b73 [release-branch.go1.20] runtime: fallback to TEB arbitrary pointer when TLS slots are full be30960e58 [release-branch.go1.20] runtime: use 1-byte load for address checking in racecallatomic b59efe6c34 [release-branch.go1.20] net/mail: permit more characters in mail headers c32f1afb41 [release-branch.go1.20] all: make safe for new vet analyzer c7b145655b [release-branch.go1.20] cmd/go: fix tests for new builder environment 03063101a2 [release-branch.go1.20] text/template: set variables correctly in range assignment d51e322a3f [release-branch.go1.20] go/printer: error out of Fprint when it would write a '//line' directive with a multiline file path 49594244d3 [release-branch.go1.20] cmd/cover: error out if a requested source file contains a newline 4719048211 [release-branch.go1.20] cmd/cgo: error out if the source path used in line directives would contain a newline 6c606fc191 [release-branch.go1.20] cmd/go: fix TestScript/build_cwd_newline with CGO_ENABLED=0 63ad2b5811 [release-branch.go1.20] cmd/compile: do not report division by error during typecheck 
95f377daad [release-branch.go1.20] cmd/go: retain extra roots to disambiguate imports in 'go mod tidy' a7a48fad7e [release-branch.go1.20] crypto/ecdsa: properly truncate P-521 hashes f5172dcd38 [release-branch.go1.20] go/build: check for invalid import paths again 8b3acefcbe [release-branch.go1.20] cmd/go: omit checksums for go.mod files needed for go version lines more often in pre-1.21 modules 1008486a9f [release-branch.go1.20] cmd/cgo: correct _cgo_flags output [1] https://github.com/golang/go/compare/go1.20.5...go1.20.6 Signed-off-by: Jose Quaresma Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry picked from commit 8d8216d8c4d37cc0d9508eb644653f94fff8989c) Signed-off-by: Sakib Sajal --- meta/recipes-devtools/go/{go-1.20.5.inc => go-1.20.6.inc} | 2 +- ...o-binary-native_1.20.5.bb => go-binary-native_1.20.6.bb} | 6 +++--- ...cross-canadian_1.20.5.bb => go-cross-canadian_1.20.6.bb} | 0 .../go/{go-cross_1.20.5.bb => go-cross_1.20.6.bb} | 0 .../go/{go-crosssdk_1.20.5.bb => go-crosssdk_1.20.6.bb} | 0 .../go/{go-native_1.20.5.bb => go-native_1.20.6.bb} | 0 .../go/{go-runtime_1.20.5.bb => go-runtime_1.20.6.bb} | 0 meta/recipes-devtools/go/{go_1.20.5.bb => go_1.20.6.bb} | 0 8 files changed, 4 insertions(+), 4 deletions(-) rename meta/recipes-devtools/go/{go-1.20.5.inc => go-1.20.6.inc} (90%) rename meta/recipes-devtools/go/{go-binary-native_1.20.5.bb => go-binary-native_1.20.6.bb} (78%) rename meta/recipes-devtools/go/{go-cross-canadian_1.20.5.bb => go-cross-canadian_1.20.6.bb} (100%) rename meta/recipes-devtools/go/{go-cross_1.20.5.bb => go-cross_1.20.6.bb} (100%) rename meta/recipes-devtools/go/{go-crosssdk_1.20.5.bb => go-crosssdk_1.20.6.bb} (100%) rename meta/recipes-devtools/go/{go-native_1.20.5.bb => go-native_1.20.6.bb} (100%) rename meta/recipes-devtools/go/{go-runtime_1.20.5.bb => go-runtime_1.20.6.bb} (100%) rename meta/recipes-devtools/go/{go_1.20.5.bb => go_1.20.6.bb} (100%) 
diff --git a/meta/recipes-devtools/go/go-1.20.5.inc b/meta/recipes-devtools/go/go-1.20.6.inc
similarity index 90%
rename from meta/recipes-devtools/go/go-1.20.5.inc
rename to meta/recipes-devtools/go/go-1.20.6.inc
index 9cc79a8073..6277020fec 100644
--- a/meta/recipes-devtools/go/go-1.20.5.inc
+++ b/meta/recipes-devtools/go/go-1.20.6.inc
@@ -17,4 +17,4 @@ SRC_URI += "\
 file://CVE-2023-24531_1.patch \
 file://CVE-2023-24531_2.patch \
 "
-SRC_URI[main.sha256sum] = "9a15c133ba2cfafe79652f4815b62e7cfc267f68df1b9454c6ab2a3ca8b96a88"
+SRC_URI[main.sha256sum] = "62ee5bc6fb55b8bae8f705e0cb8df86d6453626b4ecf93279e2867092e0b7f70"
diff --git a/meta/recipes-devtools/go/go-binary-native_1.20.5.bb b/meta/recipes-devtools/go/go-binary-native_1.20.6.bb
similarity index 78%
rename from meta/recipes-devtools/go/go-binary-native_1.20.5.bb
rename to meta/recipes-devtools/go/go-binary-native_1.20.6.b
[OE-core] [mickledore][PATCH] go: fix CVE-2023-24531
Backport required commits to fix CVE-2023-24531.
Signed-off-by: Sakib Sajal
---
 meta/recipes-devtools/go/go-1.20.5.inc| 2 +
 .../go/go/CVE-2023-24531_1.patch | 266 ++
 .../go/go/CVE-2023-24531_2.patch | 47
 3 files changed, 315 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go/CVE-2023-24531_1.patch
 create mode 100644 meta/recipes-devtools/go/go/CVE-2023-24531_2.patch
diff --git a/meta/recipes-devtools/go/go-1.20.5.inc b/meta/recipes-devtools/go/go-1.20.5.inc
index 4e4e57d5cb..9cc79a8073 100644
--- a/meta/recipes-devtools/go/go-1.20.5.inc
+++ b/meta/recipes-devtools/go/go-1.20.5.inc
@@ -14,5 +14,7 @@ SRC_URI += "\
 file://0007-exec.go-do-not-write-linker-flags-into-buildids.patch \
 file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \
 file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \
+file://CVE-2023-24531_1.patch \
+file://CVE-2023-24531_2.patch \
 "
 SRC_URI[main.sha256sum] = "9a15c133ba2cfafe79652f4815b62e7cfc267f68df1b9454c6ab2a3ca8b96a88"
diff --git a/meta/recipes-devtools/go/go/CVE-2023-24531_1.patch b/meta/recipes-devtools/go/go/CVE-2023-24531_1.patch
new file mode 100644
index 00..9de701b64b
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2023-24531_1.patch
@@ -0,0 +1,266 @@ +From c5463ec922a57d8b175c6639186ba9cbe15e6bc1 Mon Sep 17 00:00:00 2001 +From: Michael Matloob +Date: Mon, 24 Apr 2023 16:57:28 -0400 +Subject: [PATCH 1/2] cmd/go: sanitize go env outputs + +go env, without any arguments, outputs the environment variables in +the form of a script that can be run on the host OS. On Unix, single +quote the strings and place single quotes themselves outside the +single quoted strings. On windows use the set "var=val" syntax with +the quote starting before the variable. + +Fixes #58508 + +Change-Id: Iecd379a4af7285ea9b2024f0202250c74fd9a2bd +Reviewed-on: https://go-review.googlesource.com/c/go/+/488375 +TryBot-Result: Gopher Robot +Reviewed-by: Michael Matloob +Reviewed-by: Damien Neil +Run-TryBot: Michael Matloob +Reviewed-by: Bryan Mills +Reviewed-by: Quim Muntal + +CVE: CVE-2023-24531 +Upstream-Status: Backport [f379e78951a405e7e99a60fb231eeedbf976c108] + +Signed-off-by: Sakib Sajal +--- + src/cmd/go/internal/envcmd/env.go | 60 - + src/cmd/go/internal/envcmd/env_test.go | 94 + + src/cmd/go/testdata/script/env_sanitize.txt | 5 ++ + src/cmd/go/testdata/script/work_env.txt | 2 +- + 4 files changed, 158 insertions(+), 3 deletions(-) + create mode 100644 src/cmd/go/internal/envcmd/env_test.go + create mode 100644 src/cmd/go/testdata/script/env_sanitize.txt + +diff --git a/src/cmd/go/internal/envcmd/env.go b/src/cmd/go/internal/envcmd/env.go +index fb7448a..5b52fad 100644 +--- a/src/cmd/go/internal/envcmd/env.go b/src/cmd/go/internal/envcmd/env.go +@@ -6,6 +6,7 @@ + package envcmd + + import ( ++ "bytes" + "context" + "encoding/json" + "fmt" +@@ -17,6 +18,7 @@ import ( + "runtime" + "sort" + "strings" ++ "unicode" + "unicode/utf8" + + "cmd/go/internal/base" +@@ -413,9 +415,12 @@ func checkBuildConfig(add map[string]string, del map[string]bool) error { + func PrintEnv(w io.Writer, env []cfg.EnvVar) { + for _, e := range env { + if e.Name != "TERM" { ++ if runtime.GOOS != "plan9" && bytes.Contains([]byte(e.Value), 
[]byte{0}) { ++ base.Fatalf("go: internal error: encountered null byte in environment variable %s on non-plan9 platform", e.Name) ++ } + switch runtime.GOOS { + default: +- fmt.Fprintf(w, "%s=\"%s\"\n", e.Name, e.Value) ++ fmt.Fprintf(w, "%s=%s\n", e.Name, shellQuote(e.Value)) + case "plan9": + if strings.IndexByte(e.Value, '\x00') < 0 { + fmt.Fprintf(w, "%s='%s'\n", e.Name, strings.ReplaceAll(e.Value, "'", "''")) +@@ -426,17 +431,68 @@ func PrintEnv(w io.Writer, env []cfg.EnvVar) { + if x > 0 { + fmt.Fprintf(w, " ") + } ++ // TODO(#59979): Does this need to be quoted like above? + fmt.Fprintf(w, "%s", s) + } + fmt.Fprintf(w, ")\n") +
[OE-core] [kirkstone][PATCH] blktrace: ask for python3 specifically
python2 has been deprecated, use python3 instead
Signed-off-by: Sakib Sajal
---
 ...plot.py-Ask-for-python3-specifically.patch | 35 +++
 meta/recipes-kernel/blktrace/blktrace_git.bb | 4 ++-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch
diff --git a/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch b/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch
new file mode 100644
index 00..e2305a
--- /dev/null
+++ b/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch
@@ -0,0 +1,35 @@
+From 6f4769e6e2c5cdc1262891470995e6dead937c7a Mon Sep 17 00:00:00 2001
+From: Sakib Sajal
+Date: Mon, 26 Jun 2023 17:57:36 -0400
+Subject: [PATCH] bno_plot.py, btt_plot.py: Ask for python3 specifically
+
+python2 is deprecated, use python3.
+
+Upstream-Status: Denied [https://www.spinics.net/lists/linux-btrace/msg01364.html]
+
+Signed-off-by: Sakib Sajal
+---
+ btt/bno_plot.py | 2 +-
+ btt/btt_plot.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/btt/bno_plot.py b/btt/bno_plot.py
+index 3aa4e19..d7d7159 100644
+--- a/btt/bno_plot.py b/btt/bno_plot.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python3
+ #
+ # btt blkno plotting interface
+ #
+diff --git a/btt/btt_plot.py b/btt/btt_plot.py
+index 40bc71f..8620d31 100755
+--- a/btt/btt_plot.py b/btt/btt_plot.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python3
+ #
+ # btt_plot.py: Generate matplotlib plots for BTT generate data files
+ #
diff --git a/meta/recipes-kernel/blktrace/blktrace_git.bb b/meta/recipes-kernel/blktrace/blktrace_git.bb
index bba5e04504..1c0856be7b 100644
--- a/meta/recipes-kernel/blktrace/blktrace_git.bb
+++ b/meta/recipes-kernel/blktrace/blktrace_git.bb
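Review bot: The new patch file's header gives `Upstream-Status: Denied [https://www.spinics.net/lists/linux-btrace/msg01364.html]` with only a link, so the reason the change is carried locally has to be fetched from a third-party archive every time the patch is reviewed for removal; a bracketed one-line reason taken from that thread, e.g. `Upstream-Status: Denied [<one-line reason from the linked thread>; https://www.spinics.net/lists/linux-btrace/msg01364.html]`, keeps the decision self-contained. The inner `+++ b/...` header lines for both files appear merged into the preceding `--- a/...` lines in this copy of the patch; worth confirming the committed file has them intact, since `git am`/`patch` needs them. The same header appears in the mickledore and master variants of this patch further down the page.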
@@ -14,7 +14,9 @@ SRCREV = "366d30b9cdb20345c5d064af850d686da79b89eb"
 PV = "1.3.0+git${SRCPV}"
-SRC_URI = "git://git.kernel.dk/blktrace.git;branch=master"
+SRC_URI = "git://git.kernel.dk/blktrace.git;branch=master \
+ file://0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch \
+ "
 S = "${WORKDIR}/git"
-- 
2.40.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#183433): https://lists.openembedded.org/g/openembedded-core/message/183433 Mute This Topic: https://lists.openembedded.org/mt/99798482/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
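Review bot: The SRC_URI hunk adds the shebang patch but nothing here declares that the patched scripts now resolve `python3` at runtime; if the recipe installs btt/bno_plot.py and btt/btt_plot.py and does not already carry a python3 runtime dependency (not visible in this hunk), a line such as `RDEPENDS:${PN} += "python3-core"` — or a package split that keeps the plotting scripts out of the main package — belongs with this change, otherwise the scripts fail on a target image without python3 exactly as they did with the old interpreter. The rest of the recipe starts and ends outside the hunk, so this is inferred from what is shown. The mickledore and master variants of this change further down the page have the same gap.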
[OE-core] [mickledore][PATCH] bno_plot.py, btt_plot.py: Ask for python3 specifically
python2 has been deprecated, use python3 instead
Signed-off-by: Sakib Sajal
---
 ...plot.py-Ask-for-python3-specifically.patch | 35 +++
 meta/recipes-kernel/blktrace/blktrace_git.bb | 4 ++-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch
diff --git a/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch b/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch
new file mode 100644
index 00..a3b8a98589
--- /dev/null
+++ b/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch
@@ -0,0 +1,35 @@
+From b8d9618cbbec5a04cf6dede0a6ceda41021b92ae Mon Sep 17 00:00:00 2001
+From: Sakib Sajal
+Date: Mon, 26 Jun 2023 17:34:01 -0400
+Subject: [PATCH] bno_plot.py, btt_plot.py: Ask for python3 specifically
+
+python2 is deprecated, use python3.
+
+Upstream-Status: Denied [https://www.spinics.net/lists/linux-btrace/msg01364.html]
+
+Signed-off-by: Sakib Sajal
+---
+ btt/bno_plot.py | 2 +-
+ btt/btt_plot.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/btt/bno_plot.py b/btt/bno_plot.py
+index 3aa4e19..d7d7159 100644
+--- a/btt/bno_plot.py b/btt/bno_plot.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python3
+ #
+ # btt blkno plotting interface
+ #
+diff --git a/btt/btt_plot.py b/btt/btt_plot.py
+index 40bc71f..8620d31 100755
+--- a/btt/btt_plot.py b/btt/btt_plot.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python3
+ #
+ # btt_plot.py: Generate matplotlib plots for BTT generate data files
+ #
diff --git a/meta/recipes-kernel/blktrace/blktrace_git.bb b/meta/recipes-kernel/blktrace/blktrace_git.bb
index d0eeba3208..288784236a 100644
--- a/meta/recipes-kernel/blktrace/blktrace_git.bb
+++ b/meta/recipes-kernel/blktrace/blktrace_git.bb
@@ -14,7 +14,9 @@ SRCREV = "366d30b9cdb20345c5d064af850d686da79b89eb" PV = "1.3.0+git${SRCPV}" -SRC_URI = "git://git.kernel.dk/blktrace.git;branch=master;protocol=https" +SRC_URI = "git://git.kernel.dk/blktrace.git;branch=master;protocol=https \ + file://0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch \ + " S = "${WORKDIR}/git" -- 2.40.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#183432): https://lists.openembedded.org/g/openembedded-core/message/183432 Mute This Topic: https://lists.openembedded.org/mt/99798242/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
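Review bot: The SRC_URI hunk adds a patch that makes bno_plot.py and btt_plot.py request `/usr/bin/env python3`, but nothing in the recipe change ensures a python3 interpreter is present on the target; unless blktrace_git.bb already declares it outside this hunk, the scripts will fail at exec time and the recipe should also gain `RDEPENDS:${PN} += "python3-core"` (or whichever package provides the interpreter in this layer). The new patch header records `Upstream-Status: Denied [link]` with only a list-archive URL; OE's patch guidelines expect the reason for the rejection in the patch description itself, so a line such as `Upstream-Status: Denied [<one-line summary of the linux-btrace reply>, link]` would keep the status self-explanatory if the archive moves. Both points apply equally to the identical master submission of this patch further down the page.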
[OE-core] [PATCH] bno_plot.py, btt_plot.py: Ask for python3 specifically
python2 has been deprecated, use python3 instead Signed-off-by: Sakib Sajal --- ...plot.py-Ask-for-python3-specifically.patch | 35 +++ meta/recipes-kernel/blktrace/blktrace_git.bb | 4 ++- 2 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch diff --git a/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch b/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch new file mode 100644 index 00..a3b8a98589 --- /dev/null +++ b/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch @@ -0,0 +1,35 @@ +From b8d9618cbbec5a04cf6dede0a6ceda41021b92ae Mon Sep 17 00:00:00 2001 +From: Sakib Sajal +Date: Mon, 26 Jun 2023 17:34:01 -0400 +Subject: [PATCH] bno_plot.py, btt_plot.py: Ask for python3 specifically + +python2 is deprecated, use python3. + +Upstream-Status: Denied [https://www.spinics.net/lists/linux-btrace/msg01364.html] + +Signed-off-by: Sakib Sajal +--- + btt/bno_plot.py | 2 +- + btt/btt_plot.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/btt/bno_plot.py b/btt/bno_plot.py +index 3aa4e19..d7d7159 100644 +--- a/btt/bno_plot.py b/btt/bno_plot.py +@@ -1,4 +1,4 @@ +-#! /usr/bin/env python ++#! /usr/bin/env python3 + # + # btt blkno plotting interface + # +diff --git a/btt/btt_plot.py b/btt/btt_plot.py +index 40bc71f..8620d31 100755 +--- a/btt/btt_plot.py b/btt/btt_plot.py +@@ -1,4 +1,4 @@ +-#! /usr/bin/env python ++#! /usr/bin/env python3 + # + # btt_plot.py: Generate matplotlib plots for BTT generate data files + # diff --git a/meta/recipes-kernel/blktrace/blktrace_git.bb b/meta/recipes-kernel/blktrace/blktrace_git.bb index d0eeba3208..288784236a 100644 --- a/meta/recipes-kernel/blktrace/blktrace_git.bb +++ b/meta/recipes-kernel/blktrace/blktrace_git.bb 
@@ -14,7 +14,9 @@ SRCREV = "366d30b9cdb20345c5d064af850d686da79b89eb" PV = "1.3.0+git${SRCPV}" -SRC_URI = "git://git.kernel.dk/blktrace.git;branch=master;protocol=https" +SRC_URI = "git://git.kernel.dk/blktrace.git;branch=master;protocol=https \ + file://0001-bno_plot.py-btt_plot.py-Ask-for-python3-specifically.patch \ + " S = "${WORKDIR}/git" -- 2.40.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#183431): https://lists.openembedded.org/g/openembedded-core/message/183431 Mute This Topic: https://lists.openembedded.org/mt/99798201/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [mickledore][PATCH] go: Upgrade 1.20.4 -> 1.20.5
Upgrade to latest 1.20.x release: go.git$ git log --oneline go1.20.4..go1.20.5 e827d41c0a (tag: go1.20.5) [release-branch.go1.20] go1.20.5 c0ed873cd8 [release-branch.go1.20] cmd/go: disallow package directories containing newlines 356a419e2f [release-branch.go1.20] cmd/go: enforce flags with non-optional arguments fa60c381ed [release-branch.go1.20] cmd/go,cmd/cgo: in _cgo_flags use one line per flag 36144ba429 [release-branch.go1.20] runtime: implement SUID/SGID protections 5036ba77eb [release-branch.go1.20] net: skip TestFileFdBlocks if the "unix" network is not supported b249ec5655 [release-branch.go1.20] cmd/go/internal: update documentation of go test and go generate 4b95fc1e6c [release-branch.go1.20] cmd/go: save checksums for go.mod files needed for go version lines 31a1e19a59 [release-branch.go1.20] net, os: net.Conn.File.Fd should return a blocking descriptor 450c8021a5 [release-branch.go1.20] runtime: change fcntl to return two values 22741120ee [release-branch.go1.20] runtime: consistently define fcntl 9270e3be8f [release-branch.go1.20] os: if descriptor is non-blocking, retain that in Fd method 600636e931 [release-branch.go1.20] crypto/rsa: use BoringCrypto for 4096 bit keys afbe101950 [release-branch.go1.20] cmd/compile: fix bswap/load rewrite rules Signed-off-by: Sakib Sajal Signed-off-by: Richard Purdie (cherry picked from commit 3ea1e9e9d7385c78bdd513e44cea5c36444529b2) 
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/go/{go-1.20.4.inc => go-1.20.5.inc} | 2 +- ...o-binary-native_1.20.4.bb => go-binary-native_1.20.5.bb} | 6 +++--- ...cross-canadian_1.20.4.bb => go-cross-canadian_1.20.5.bb} | 0 .../go/{go-cross_1.20.4.bb => go-cross_1.20.5.bb} | 0 .../go/{go-crosssdk_1.20.4.bb => go-crosssdk_1.20.5.bb} | 0 .../go/{go-native_1.20.4.bb => go-native_1.20.5.bb} | 0 .../go/{go-runtime_1.20.4.bb => go-runtime_1.20.5.bb} | 0 meta/recipes-devtools/go/{go_1.20.4.bb => go_1.20.5.bb} | 0 8 files changed, 4 insertions(+), 4 deletions(-) rename meta/recipes-devtools/go/{go-1.20.4.inc => go-1.20.5.inc} (89%) rename meta/recipes-devtools/go/{go-binary-native_1.20.4.bb => go-binary-native_1.20.5.bb} (78%) rename meta/recipes-devtools/go/{go-cross-canadian_1.20.4.bb => go-cross-canadian_1.20.5.bb} (100%) rename meta/recipes-devtools/go/{go-cross_1.20.4.bb => go-cross_1.20.5.bb} (100%) rename meta/recipes-devtools/go/{go-crosssdk_1.20.4.bb => go-crosssdk_1.20.5.bb} (100%) rename meta/recipes-devtools/go/{go-native_1.20.4.bb => go-native_1.20.5.bb} (100%) rename meta/recipes-devtools/go/{go-runtime_1.20.4.bb => go-runtime_1.20.5.bb} (100%) rename meta/recipes-devtools/go/{go_1.20.4.bb => go_1.20.5.bb} (100%) diff --git a/meta/recipes-devtools/go/go-1.20.4.inc b/meta/recipes-devtools/go/go-1.20.5.inc similarity index 89% rename from meta/recipes-devtools/go/go-1.20.4.inc rename to meta/recipes-devtools/go/go-1.20.5.inc index 05bc168e0c..4e4e57d5cb 100644 --- a/meta/recipes-devtools/go/go-1.20.4.inc +++ b/meta/recipes-devtools/go/go-1.20.5.inc @@ -15,4 +15,4 @@ SRC_URI += "\ file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \ " -SRC_URI[main.sha256sum] = "9f34ace128764b7a3a4b238b805856cc1b2184304df9e5690825b0710f4202d6" +SRC_URI[main.sha256sum] = "9a15c133ba2cfafe79652f4815b62e7cfc267f68df1b9454c6ab2a3ca8b96a88" 
diff --git a/meta/recipes-devtools/go/go-binary-native_1.20.4.bb b/meta/recipes-devtools/go/go-binary-native_1.20.5.bb similarity index 78% rename from meta/recipes-devtools/go/go-binary-native_1.20.4.bb rename to meta/recipes-devtools/go/go-binary-native_1.20.5.bb index 87ce8a558f..a98be4af1b 100644 --- a/meta/recipes-devtools/go/go-binary-native_1.20.4.bb +++ b/meta/recipes-devtools/go/go-binary-native_1.20.5.bb @@ -9,9 +9,9 @@ PROVIDES = "go-native" # Checksums available at https://go.dev/dl/ SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}; -SRC_URI[go_linux_amd64.sha256sum] = "698ef3243972a51ddb4028e4a1ac63dc6d60821bf18e59a807e051fee0a385bd" -SRC_URI[go_linux_arm64.sha256sum] = "105889992ee4b1d40c7c108555222ca70ae43fccb42e20fbf1eebb822f5e72c6" -SRC_URI[go_linux_ppc64le.sha256sum] = "8c6f44b96c2719c90eebabe2dd866f9c39538648f7897a212cac448587e9a408" +SRC_URI[go_linux_amd64.sha256sum] = "d7ec48cde0d3d2be2c69203bc3e0a44de8660b9c09a6e85c4732a3f7dc442612" +SRC_URI[go_linux_arm64.sha256sum] = "aa2fab0a7da20213ff975fa7876a66d47b48351558d98851b87d1cfef4360d09" +SRC_URI[go_linux_ppc64le.sha256sum] = "049b8ab07d34077b90c0642138e10207f6db14bdd1743ea994a21e228f8ca53d" UPSTREAM_CHECK_URI = "https://golang.org/dl/; UPSTREAM_CHECK_REGEX = "go(?P\d+(\.\d+)+)\.linux" diff --git a/meta/recipes-devt
[OE-core] [PATCH] go: Upgrade 1.20.4 -> 1.20.5
Upgrade to latest 1.20.x release: go.git$ git log --oneline go1.20.4..go1.20.5 e827d41c0a (tag: go1.20.5) [release-branch.go1.20] go1.20.5 c0ed873cd8 [release-branch.go1.20] cmd/go: disallow package directories containing newlines 356a419e2f [release-branch.go1.20] cmd/go: enforce flags with non-optional arguments fa60c381ed [release-branch.go1.20] cmd/go,cmd/cgo: in _cgo_flags use one line per flag 36144ba429 [release-branch.go1.20] runtime: implement SUID/SGID protections 5036ba77eb [release-branch.go1.20] net: skip TestFileFdBlocks if the "unix" network is not supported b249ec5655 [release-branch.go1.20] cmd/go/internal: update documentation of go test and go generate 4b95fc1e6c [release-branch.go1.20] cmd/go: save checksums for go.mod files needed for go version lines 31a1e19a59 [release-branch.go1.20] net, os: net.Conn.File.Fd should return a blocking descriptor 450c8021a5 [release-branch.go1.20] runtime: change fcntl to return two values 22741120ee [release-branch.go1.20] runtime: consistently define fcntl 9270e3be8f [release-branch.go1.20] os: if descriptor is non-blocking, retain that in Fd method 600636e931 [release-branch.go1.20] crypto/rsa: use BoringCrypto for 4096 bit keys afbe101950 [release-branch.go1.20] cmd/compile: fix bswap/load rewrite rules 
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/go/{go-1.20.4.inc => go-1.20.5.inc} | 2 +- ...o-binary-native_1.20.4.bb => go-binary-native_1.20.5.bb} | 6 +++--- ...cross-canadian_1.20.4.bb => go-cross-canadian_1.20.5.bb} | 0 .../go/{go-cross_1.20.4.bb => go-cross_1.20.5.bb} | 0 .../go/{go-crosssdk_1.20.4.bb => go-crosssdk_1.20.5.bb} | 0 .../go/{go-native_1.20.4.bb => go-native_1.20.5.bb} | 0 .../go/{go-runtime_1.20.4.bb => go-runtime_1.20.5.bb} | 0 meta/recipes-devtools/go/{go_1.20.4.bb => go_1.20.5.bb} | 0 8 files changed, 4 insertions(+), 4 deletions(-) rename meta/recipes-devtools/go/{go-1.20.4.inc => go-1.20.5.inc} (89%) rename meta/recipes-devtools/go/{go-binary-native_1.20.4.bb => go-binary-native_1.20.5.bb} (78%) rename meta/recipes-devtools/go/{go-cross-canadian_1.20.4.bb => go-cross-canadian_1.20.5.bb} (100%) rename meta/recipes-devtools/go/{go-cross_1.20.4.bb => go-cross_1.20.5.bb} (100%) rename meta/recipes-devtools/go/{go-crosssdk_1.20.4.bb => go-crosssdk_1.20.5.bb} (100%) rename meta/recipes-devtools/go/{go-native_1.20.4.bb => go-native_1.20.5.bb} (100%) rename meta/recipes-devtools/go/{go-runtime_1.20.4.bb => go-runtime_1.20.5.bb} (100%) rename meta/recipes-devtools/go/{go_1.20.4.bb => go_1.20.5.bb} (100%) diff --git a/meta/recipes-devtools/go/go-1.20.4.inc b/meta/recipes-devtools/go/go-1.20.5.inc similarity index 89% rename from meta/recipes-devtools/go/go-1.20.4.inc rename to meta/recipes-devtools/go/go-1.20.5.inc index 05bc168e0c..4e4e57d5cb 100644 --- a/meta/recipes-devtools/go/go-1.20.4.inc +++ b/meta/recipes-devtools/go/go-1.20.5.inc @@ -15,4 +15,4 @@ SRC_URI += "\ file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \ " -SRC_URI[main.sha256sum] = "9f34ace128764b7a3a4b238b805856cc1b2184304df9e5690825b0710f4202d6" +SRC_URI[main.sha256sum] = "9a15c133ba2cfafe79652f4815b62e7cfc267f68df1b9454c6ab2a3ca8b96a88" 
diff --git a/meta/recipes-devtools/go/go-binary-native_1.20.4.bb b/meta/recipes-devtools/go/go-binary-native_1.20.5.bb similarity index 78% rename from meta/recipes-devtools/go/go-binary-native_1.20.4.bb rename to meta/recipes-devtools/go/go-binary-native_1.20.5.bb index 87ce8a558f..a98be4af1b 100644 --- a/meta/recipes-devtools/go/go-binary-native_1.20.4.bb +++ b/meta/recipes-devtools/go/go-binary-native_1.20.5.bb @@ -9,9 +9,9 @@ PROVIDES = "go-native" # Checksums available at https://go.dev/dl/ SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}; -SRC_URI[go_linux_amd64.sha256sum] = "698ef3243972a51ddb4028e4a1ac63dc6d60821bf18e59a807e051fee0a385bd" -SRC_URI[go_linux_arm64.sha256sum] = "105889992ee4b1d40c7c108555222ca70ae43fccb42e20fbf1eebb822f5e72c6" -SRC_URI[go_linux_ppc64le.sha256sum] = "8c6f44b96c2719c90eebabe2dd866f9c39538648f7897a212cac448587e9a408" +SRC_URI[go_linux_amd64.sha256sum] = "d7ec48cde0d3d2be2c69203bc3e0a44de8660b9c09a6e85c4732a3f7dc442612" +SRC_URI[go_linux_arm64.sha256sum] = "aa2fab0a7da20213ff975fa7876a66d47b48351558d98851b87d1cfef4360d09" +SRC_URI[go_linux_ppc64le.sha256sum] = "049b8ab07d34077b90c0642138e10207f6db14bdd1743ea994a21e228f8ca53d" UPSTREAM_CHECK_URI = "https://golang.org/dl/; UPSTREAM_CHECK_REGEX = "go(?P\d+(\.\d+)+)\.linux" diff --git a/meta/recipes-devtools/go/go-cross-canadian_1.20.4.bb b/meta/recipes-devtools/go/go-cross-canadian_1.20.5.bb similarity index 100% rename from me
[OE-core] [mickledore][PATCH v2 2/2] go: Use -no-pie to build target cgo
From: Khem Raj Fixes go: ELF binary /usr/lib/go/pkg/tool/linux_arm64/pprof has relocations in .text go: ELF binary /usr/lib/go/bin/go has relocations in .text [textrel] Signed-off-by: Khem Raj Signed-off-by: Richard Purdie (cherry picked from commit a27d39aebd5966b57c20518381cb06ba8373) Signed-off-by: Sakib Sajal --- meta/recipes-devtools/go/go_1.20.4.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/go/go_1.20.4.bb b/meta/recipes-devtools/go/go_1.20.4.bb index 587ee55944..46f5fbc6be 100644 --- a/meta/recipes-devtools/go/go_1.20.4.bb +++ b/meta/recipes-devtools/go/go_1.20.4.bb @@ -3,7 +3,7 @@ require go-target.inc inherit linuxloader -CGO_LDFLAGS:append:mips = " -no-pie" +CGO_LDFLAGS:append = " -no-pie" export GO_LDSO = "${@get_linuxloader(d)}" export CC_FOR_TARGET = "gcc" -- 2.40.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#182296): https://lists.openembedded.org/g/openembedded-core/message/182296 Mute This Topic: https://lists.openembedded.org/mt/99282964/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
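Review bot: `CGO_LDFLAGS:append = " -no-pie"` now links the target go and pprof binaries as non-PIE executables on every architecture, which silences the [textrel] QA failure at the cost of ASLR for those binaries (a non-PIE main image loads at a fixed address), and the recipe records nothing about that trade-off. A comment above the line would let the next maintainer judge whether the override can be narrowed again, e.g. `# Link target go/pprof non-PIE: the cgo link otherwise leaves relocations in .text (QA [textrel]); this forgoes ASLR for these binaries`. If the relocations presumably only appear on some targets, an override list like the previous `:mips` form would keep PIE where it works, but the commit does not show which architectures actually failed, so that is for the author to confirm.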
[OE-core] [mickledore][PATCH v2 1/2] go: Upgrade 1.20.1 -> 1.20.4
From: Khem Raj - Remove already upstreamed patches - Brings a list of changes [1] [2] [3] [1] https://github.com/golang/go/issues?q=milestone%3AGo1.20.2+label%3ACherryPickApproved [2] https://github.com/golang/go/issues?q=milestone%3AGo1.20.3+label%3ACherryPickApproved [3] https://github.com/golang/go/issues?q=milestone%3AGo1.20.4+label%3ACherryPickApproved Signed-off-by: Khem Raj Signed-off-by: Richard Purdie (cherry picked from commit e043bfb42156c59c93c6a4816528a63cfdaccc3e) 
Signed-off-by: Sakib Sajal --- .../go/{go-1.20.1.inc => go-1.20.4.inc} | 5 +- ...e_1.20.1.bb => go-binary-native_1.20.4.bb} | 6 +- ..._1.20.1.bb => go-cross-canadian_1.20.4.bb} | 0 ...{go-cross_1.20.1.bb => go-cross_1.20.4.bb} | 0 ...osssdk_1.20.1.bb => go-crosssdk_1.20.4.bb} | 0 ...o-native_1.20.1.bb => go-native_1.20.4.bb} | 0 ...runtime_1.20.1.bb => go-runtime_1.20.4.bb} | 0 ...ompile-instantiated-generic-methods-.patch | 90 .../go/go/CVE-2023-24532.patch| 208 -- .../go/go/CVE-2023-24537.patch| 89 .../go/{go_1.20.1.bb => go_1.20.4.bb} | 0 11 files changed, 4 insertions(+), 394 deletions(-) rename meta/recipes-devtools/go/{go-1.20.1.inc => go-1.20.4.inc} (77%) rename meta/recipes-devtools/go/{go-binary-native_1.20.1.bb => go-binary-native_1.20.4.bb} (78%) rename meta/recipes-devtools/go/{go-cross-canadian_1.20.1.bb => go-cross-canadian_1.20.4.bb} (100%) rename meta/recipes-devtools/go/{go-cross_1.20.1.bb => go-cross_1.20.4.bb} (100%) rename meta/recipes-devtools/go/{go-crosssdk_1.20.1.bb => go-crosssdk_1.20.4.bb} (100%) rename meta/recipes-devtools/go/{go-native_1.20.1.bb => go-native_1.20.4.bb} (100%) rename meta/recipes-devtools/go/{go-runtime_1.20.1.bb => go-runtime_1.20.4.bb} (100%) delete mode 100644 meta/recipes-devtools/go/go/0010-cmd-compile-re-compile-instantiated-generic-methods-.patch delete mode 100644 meta/recipes-devtools/go/go/CVE-2023-24532.patch delete mode 100644 meta/recipes-devtools/go/go/CVE-2023-24537.patch rename meta/recipes-devtools/go/{go_1.20.1.bb => go_1.20.4.bb} (100%) diff --git a/meta/recipes-devtools/go/go-1.20.1.inc b/meta/recipes-devtools/go/go-1.20.4.inc similarity index 77% rename from meta/recipes-devtools/go/go-1.20.1.inc rename to meta/recipes-devtools/go/go-1.20.4.inc index 179f0e29eb..05bc168e0c 100644 --- a/meta/recipes-devtools/go/go-1.20.1.inc +++ b/meta/recipes-devtools/go/go-1.20.4.inc 
@@ -14,8 +14,5 @@ SRC_URI += "\ file://0007-exec.go-do-not-write-linker-flags-into-buildids.patch \ file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \ -file://0010-cmd-compile-re-compile-instantiated-generic-methods-.patch \ -file://CVE-2023-24532.patch \ -file://CVE-2023-24537.patch \ " -SRC_URI[main.sha256sum] = "b5c1a3af52c385a6d1c76aed5361cf26459023980d0320de7658bae3915831a2" +SRC_URI[main.sha256sum] = "9f34ace128764b7a3a4b238b805856cc1b2184304df9e5690825b0710f4202d6" diff --git a/meta/recipes-devtools/go/go-binary-native_1.20.1.bb b/meta/recipes-devtools/go/go-binary-native_1.20.4.bb similarity index 78% rename from meta/recipes-devtools/go/go-binary-native_1.20.1.bb rename to meta/recipes-devtools/go/go-binary-native_1.20.4.bb index 239334552a..87ce8a558f 100644 --- a/meta/recipes-devtools/go/go-binary-native_1.20.1.bb +++ b/meta/recipes-devtools/go/go-binary-native_1.20.4.bb @@ -9,9 +9,9 @@ PROVIDES = "go-native" # Checksums available at https://go.dev/dl/ SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}; -SRC_URI[go_linux_amd64.sha256sum] = "000a5b1fca4f75895f78befeb2eecf10bfff3c428597f3f1e69133b63b911b02" -SRC_URI[go_linux_arm64.sha256sum] = "5e5e2926733595e6f3c5b5ad1089afac11c1490351855e87849d0e7702b1ec2e" -SRC_URI[go_linux_ppc64le.sha256sum] = "85cfd4b89b48c94030783b6e9e619e35557862358b846064636361421d0b0c52" +SRC_URI[go_linux_amd64.sha256sum] = "698ef3243972a51ddb4028e4a1ac63dc6d60821bf18e59a807e051fee0a385bd" +SRC_URI[go_linux_arm64.sha256sum] = "105889992ee4b1d40c7c108555222ca70ae43fccb42e20fbf1eebb822f5e72c6" +SRC_URI[go_linux_ppc64le.sha256sum] = "8c6f44b96c2719c90eebabe2dd866f9c39538648f7897a212cac448587e9a408" UPSTREAM_CHECK_URI = "https://golang.org/dl/; UPSTREAM_CHECK_REGEX = "go(?P\d+(\.\d+)+)\.linux" 
diff --git a/meta/recipes-devtools/go/go-cross-canadian_1.20.1.bb b/meta/recipes-devtools/go/go-cross-canadian_1.20.4.bb similarity index 100% rename from meta/recipes-devtools/go/go-cross-canadian_1.20.1.bb rename to meta/recipes-devtools/go/go-cross-canadian_1.20.4.bb diff --git a/meta/recipes-devtools/go/go-cross_1.20.1.bb b/meta/recipes-devtools/go/go-cross_1.20.4.bb similarity index 100
Re: [OE-core] [kirkstone][PATCH] go: fix CVE-2023-24540
On 2023-05-24 11:26, Steve Sakoman wrote: CAUTION: This email comes from a non Wind River email account! Do not click links or open attachments unless you recognize the sender and know the content is safe. On Wed, May 24, 2023 at 3:59 AM Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org wrote: Hi Sakib, Its good to have full URL link inside .patch file as below: CVE: CVE-2023-24540 Upstream-Status: Backport [https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797] Its good have some information on CVE specifications in commit message: go: Fix CVE-2023-24540 References: https://nvd.nist.gov/vuln/detail/CVE-2023-24540 Upstream patch: https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797 (go 1.19.9) I've taken the patch and made the above referenced changes, so no need for a v2. Thanks for the patch and the review! Steve Thanks for the feedback, I will incorporate the changes in the upcoming patches! Sakib -Original Message- Backport from go-1.19: html/template: handle all JS whitespace characters Signed-off-by: Sakib Sajal --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.19/CVE-2023-24540.patch | 93 +++ 2 files changed, 94 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index d7cb47ebf4..e5e9d841c4 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -30,6 +30,7 @@ SRC_URI += "\ file://CVE-2023-24537.patch \ file://CVE-2023-24534.patch \ file://CVE-2023-24538.patch \ +file://CVE-2023-24540.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch b/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch new file mode 100644 index 00..4ed9ba7096 --- /dev/null 
+++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch 
@@ -0,0 +1,93 @@ +From 2305cdb2aa5ac8e9960bd64e548a119c7dd87530 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 11 Apr 2023 16:27:43 +0100 +Subject: [PATCH] html/template: handle all JS whitespace characters + +Rather than just a small set. Character class as defined by \s [0]. + +Thanks to Juho Nurminen of Mattermost for reporting this. + +For #59721 +Fixes #59813 +Fixes CVE-2023-24540 + +[0] +https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_E +xpressions/Character_Classes + +Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba +Reviewed-on: +https://team-review.git.corp.google.com/c/golang/go-private/+/1821459 +Reviewed-by: Julie Qiu +Run-TryBot: Roland Shoemaker +Reviewed-by: Damien Neil +Reviewed-on: +https://team-review.git.corp.google.com/c/golang/go-private/+/1851497 +Run-TryBot: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-on: https://go-review.googlesource.com/c/go/+/491355 +Reviewed-by: Dmitri Shuralyov +Reviewed-by: Carlos Amedee +TryBot-Bypass: Carlos Amedee +Run-TryBot: Carlos Amedee + +CVE: CVE-2023-24540 +Upstream-Status: Backport [ce7bd33345416e6d8cac901792060591cafc2797] + +Signed-off-by: Sakib Sajal +--- + src/html/template/js.go | 8 +++- + src/html/template/js_test.go | 11 +++ + 2 files changed, 14 insertions(+), 5 deletions(-) + +diff --git a/src/html/template/js.go b/src/html/template/js.go index +b888eaf..35994f0 100644 +--- a/src/html/template/js.go b/src/html/template/js.go +@@ -13,6 +13,11 @@ import ( + "unicode/utf8" + ) + ++// jsWhitespace contains all of the JS whitespace characters, as ++defined // by the \s character class. ++// See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions/Character_classes. 
++const jsWhitespace = "\f\n\r\t\v\u0020\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000\ufeff" ++ + // nextJSCtx returns the context that determines whether a slash after +the // given run of tokens starts a regular expression instead of a +division // operator: / or /=. +@@ -26,7 +31,8 @@ import ( + // JavaScript 2.0 lexical grammar and requires one token of lookbehind: + // +https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html + func nextJSCtx(s []byte, preceding jsCtx) jsCtx { +- s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029") ++ // Trim all JS whitespace characters ++ s = bytes.TrimRight(s, jsWhitespace) + if len(s) == 0 { + return preceding + } +diff --git a/src/html/template/js_test.go +b/src/html/template/js_test.go index d7ee47b..8f5d76d 100644 +--- a/src/html/template/js_test.go b/src/html/template/js_test.go +@@ -81,14 +81,17 @@ func TestNextJsC
[OE-core] [PATCH] go: update 1.20.1 -> 1.20.4
ease-branch.go1.20] all: update vendored golang.org/x/net Signed-off-by: Sakib Sajal --- .../go/{go-1.20.1.inc => go-1.20.4.inc} | 5 +- ...e_1.20.1.bb => go-binary-native_1.20.4.bb} | 6 +- ..._1.20.1.bb => go-cross-canadian_1.20.4.bb} | 0 ...{go-cross_1.20.1.bb => go-cross_1.20.4.bb} | 0 ...osssdk_1.20.1.bb => go-crosssdk_1.20.4.bb} | 0 ...o-native_1.20.1.bb => go-native_1.20.4.bb} | 0 ...runtime_1.20.1.bb => go-runtime_1.20.4.bb} | 0 ...ompile-instantiated-generic-methods-.patch | 90 .../go/go/CVE-2023-24532.patch| 208 -- .../go/go/CVE-2023-24537.patch| 89 .../go/{go_1.20.1.bb => go_1.20.4.bb} | 0 11 files changed, 4 insertions(+), 394 deletions(-) rename meta/recipes-devtools/go/{go-1.20.1.inc => go-1.20.4.inc} (77%) rename meta/recipes-devtools/go/{go-binary-native_1.20.1.bb => go-binary-native_1.20.4.bb} (78%) rename meta/recipes-devtools/go/{go-cross-canadian_1.20.1.bb => go-cross-canadian_1.20.4.bb} (100%) rename meta/recipes-devtools/go/{go-cross_1.20.1.bb => go-cross_1.20.4.bb} (100%) rename meta/recipes-devtools/go/{go-crosssdk_1.20.1.bb => go-crosssdk_1.20.4.bb} (100%) rename meta/recipes-devtools/go/{go-native_1.20.1.bb => go-native_1.20.4.bb} (100%) rename meta/recipes-devtools/go/{go-runtime_1.20.1.bb => go-runtime_1.20.4.bb} (100%) delete mode 100644 meta/recipes-devtools/go/go/0010-cmd-compile-re-compile-instantiated-generic-methods-.patch delete mode 100644 meta/recipes-devtools/go/go/CVE-2023-24532.patch delete mode 100644 meta/recipes-devtools/go/go/CVE-2023-24537.patch rename meta/recipes-devtools/go/{go_1.20.1.bb => go_1.20.4.bb} (100%) diff --git a/meta/recipes-devtools/go/go-1.20.1.inc b/meta/recipes-devtools/go/go-1.20.4.inc similarity index 77% rename from meta/recipes-devtools/go/go-1.20.1.inc rename to meta/recipes-devtools/go/go-1.20.4.inc index 179f0e29eb..05bc168e0c 100644 --- a/meta/recipes-devtools/go/go-1.20.1.inc +++ b/meta/recipes-devtools/go/go-1.20.4.inc 
@@ -14,8 +14,5 @@ SRC_URI += "\ file://0007-exec.go-do-not-write-linker-flags-into-buildids.patch \ file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \ -file://0010-cmd-compile-re-compile-instantiated-generic-methods-.patch \ -file://CVE-2023-24532.patch \ -file://CVE-2023-24537.patch \ " -SRC_URI[main.sha256sum] = "b5c1a3af52c385a6d1c76aed5361cf26459023980d0320de7658bae3915831a2" +SRC_URI[main.sha256sum] = "9f34ace128764b7a3a4b238b805856cc1b2184304df9e5690825b0710f4202d6" diff --git a/meta/recipes-devtools/go/go-binary-native_1.20.1.bb b/meta/recipes-devtools/go/go-binary-native_1.20.4.bb similarity index 78% rename from meta/recipes-devtools/go/go-binary-native_1.20.1.bb rename to meta/recipes-devtools/go/go-binary-native_1.20.4.bb index 239334552a..87ce8a558f 100644 --- a/meta/recipes-devtools/go/go-binary-native_1.20.1.bb +++ b/meta/recipes-devtools/go/go-binary-native_1.20.4.bb @@ -9,9 +9,9 @@ PROVIDES = "go-native" # Checksums available at https://go.dev/dl/ SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}; -SRC_URI[go_linux_amd64.sha256sum] = "000a5b1fca4f75895f78befeb2eecf10bfff3c428597f3f1e69133b63b911b02" -SRC_URI[go_linux_arm64.sha256sum] = "5e5e2926733595e6f3c5b5ad1089afac11c1490351855e87849d0e7702b1ec2e" -SRC_URI[go_linux_ppc64le.sha256sum] = "85cfd4b89b48c94030783b6e9e619e35557862358b846064636361421d0b0c52" +SRC_URI[go_linux_amd64.sha256sum] = "698ef3243972a51ddb4028e4a1ac63dc6d60821bf18e59a807e051fee0a385bd" +SRC_URI[go_linux_arm64.sha256sum] = "105889992ee4b1d40c7c108555222ca70ae43fccb42e20fbf1eebb822f5e72c6" +SRC_URI[go_linux_ppc64le.sha256sum] = "8c6f44b96c2719c90eebabe2dd866f9c39538648f7897a212cac448587e9a408" UPSTREAM_CHECK_URI = "https://golang.org/dl/; UPSTREAM_CHECK_REGEX = "go(?P\d+(\.\d+)+)\.linux" 
diff --git a/meta/recipes-devtools/go/go-cross-canadian_1.20.1.bb b/meta/recipes-devtools/go/go-cross-canadian_1.20.4.bb similarity index 100% rename from meta/recipes-devtools/go/go-cross-canadian_1.20.1.bb rename to meta/recipes-devtools/go/go-cross-canadian_1.20.4.bb diff --git a/meta/recipes-devtools/go/go-cross_1.20.1.bb b/meta/recipes-devtools/go/go-cross_1.20.4.bb similarity index 100% rename from meta/recipes-devtools/go/go-cross_1.20.1.bb rename to meta/recipes-devtools/go/go-cross_1.20.4.bb diff --git a/meta/recipes-devtools/go/go-crosssdk_1.20.1.bb b/meta/recipes-devtools/go/go-crosssdk_1.20.4.bb similarity index 100% rename from meta/recipes-devtools/go/go-crosssdk_1.20.1.bb rename to meta/recipes-devtools/go/go-crosssdk_1.20.4.bb diff --git a/meta/recipes-devtools/go/go-native_1.20.1.bb b/meta/recipe
[OE-core] [kirkstone][PATCH] go: fix CVE-2023-24540
Backport from go-1.19: html/template: handle all JS whitespace characters Signed-off-by: Sakib Sajal --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.19/CVE-2023-24540.patch | 93 +++ 2 files changed, 94 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index d7cb47ebf4..e5e9d841c4 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -30,6 +30,7 @@ SRC_URI += "\ file://CVE-2023-24537.patch \ file://CVE-2023-24534.patch \ file://CVE-2023-24538.patch \ +file://CVE-2023-24540.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch b/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch new file mode 100644 index 00..4ed9ba7096 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch 
@@ -0,0 +1,93 @@ +From 2305cdb2aa5ac8e9960bd64e548a119c7dd87530 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 11 Apr 2023 16:27:43 +0100 +Subject: [PATCH] html/template: handle all JS whitespace characters + +Rather than just a small set. Character class as defined by \s [0]. + +Thanks to Juho Nurminen of Mattermost for reporting this. + +For #59721 +Fixes #59813 +Fixes CVE-2023-24540 + +[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes + +Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459 +Reviewed-by: Julie Qiu +Run-TryBot: Roland Shoemaker +Reviewed-by: Damien Neil +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851497 +Run-TryBot: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-on: https://go-review.googlesource.com/c/go/+/491355 +Reviewed-by: Dmitri Shuralyov +Reviewed-by: Carlos Amedee +TryBot-Bypass: Carlos Amedee +Run-TryBot: Carlos Amedee + +CVE: CVE-2023-24540 +Upstream-Status: Backport [ce7bd33345416e6d8cac901792060591cafc2797] + +Signed-off-by: Sakib Sajal +--- + src/html/template/js.go | 8 +++- + src/html/template/js_test.go | 11 +++ + 2 files changed, 14 insertions(+), 5 deletions(-) + +diff --git a/src/html/template/js.go b/src/html/template/js.go +index b888eaf..35994f0 100644 +--- a/src/html/template/js.go b/src/html/template/js.go +@@ -13,6 +13,11 @@ import ( + "unicode/utf8" + ) + ++// jsWhitespace contains all of the JS whitespace characters, as defined ++// by the \s character class. ++// See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions/Character_classes. 
++const jsWhitespace = "\f\n\r\t\v\u0020\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000\ufeff" ++ + // nextJSCtx returns the context that determines whether a slash after the + // given run of tokens starts a regular expression instead of a division + // operator: / or /=. +@@ -26,7 +31,8 @@ import ( + // JavaScript 2.0 lexical grammar and requires one token of lookbehind: + // https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html + func nextJSCtx(s []byte, preceding jsCtx) jsCtx { +- s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029") ++ // Trim all JS whitespace characters ++ s = bytes.TrimRight(s, jsWhitespace) + if len(s) == 0 { + return preceding + } +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go +index d7ee47b..8f5d76d 100644 +--- a/src/html/template/js_test.go b/src/html/template/js_test.go +@@ -81,14 +81,17 @@ func TestNextJsCtx(t *testing.T) { + {jsCtxDivOp, "0"}, + // Dots that are part of a number are div preceders. + {jsCtxDivOp, "0."}, ++ // Some JS interpreters treat NBSP as a normal space, so ++ // we must too in order to properly escape things. ++ {jsCtxRegexp, "=\u00A0"}, + } + + for _, test := range tests { +- if nextJSCtx([]byte(test.s), jsCtxRegexp) != test.jsCtx { +- t.Errorf("want %s got %q", test.jsCtx, test.s) ++ if ctx := nextJSCtx([]byte(test.s), jsCtxRegexp); ctx != test.jsCtx { ++ t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx) + } +- if nextJSCtx([]byte(test.s), jsCtxDivOp) != test.jsCtx { +- t.Errorf("want %s got %q", test.jsCtx, test.s) ++ if ctx := nextJSCtx([]byte(test.s), jsCtxDivOp); ctx != test.jsCtx { ++ t.Errorf("%q: want %s got %s", test.s, te
[OE-core] [mickledore][PATCH] go: update 1.20.1 -> 1.20.4
ease-branch.go1.20] all: update vendored golang.org/x/net Signed-off-by: Sakib Sajal --- .../go/{go-1.20.1.inc => go-1.20.4.inc} | 5 +- ...e_1.20.1.bb => go-binary-native_1.20.4.bb} | 6 +- ..._1.20.1.bb => go-cross-canadian_1.20.4.bb} | 0 ...{go-cross_1.20.1.bb => go-cross_1.20.4.bb} | 0 ...osssdk_1.20.1.bb => go-crosssdk_1.20.4.bb} | 0 ...o-native_1.20.1.bb => go-native_1.20.4.bb} | 0 ...runtime_1.20.1.bb => go-runtime_1.20.4.bb} | 0 ...ompile-instantiated-generic-methods-.patch | 90 .../go/go/CVE-2023-24532.patch| 208 -- .../go/go/CVE-2023-24537.patch| 89 .../go/{go_1.20.1.bb => go_1.20.4.bb} | 0 11 files changed, 4 insertions(+), 394 deletions(-) rename meta/recipes-devtools/go/{go-1.20.1.inc => go-1.20.4.inc} (77%) rename meta/recipes-devtools/go/{go-binary-native_1.20.1.bb => go-binary-native_1.20.4.bb} (78%) rename meta/recipes-devtools/go/{go-cross-canadian_1.20.1.bb => go-cross-canadian_1.20.4.bb} (100%) rename meta/recipes-devtools/go/{go-cross_1.20.1.bb => go-cross_1.20.4.bb} (100%) rename meta/recipes-devtools/go/{go-crosssdk_1.20.1.bb => go-crosssdk_1.20.4.bb} (100%) rename meta/recipes-devtools/go/{go-native_1.20.1.bb => go-native_1.20.4.bb} (100%) rename meta/recipes-devtools/go/{go-runtime_1.20.1.bb => go-runtime_1.20.4.bb} (100%) delete mode 100644 meta/recipes-devtools/go/go/0010-cmd-compile-re-compile-instantiated-generic-methods-.patch delete mode 100644 meta/recipes-devtools/go/go/CVE-2023-24532.patch delete mode 100644 meta/recipes-devtools/go/go/CVE-2023-24537.patch rename meta/recipes-devtools/go/{go_1.20.1.bb => go_1.20.4.bb} (100%) diff --git a/meta/recipes-devtools/go/go-1.20.1.inc b/meta/recipes-devtools/go/go-1.20.4.inc similarity index 77% rename from meta/recipes-devtools/go/go-1.20.1.inc rename to meta/recipes-devtools/go/go-1.20.4.inc index 179f0e29eb..05bc168e0c 100644 --- a/meta/recipes-devtools/go/go-1.20.1.inc +++ b/meta/recipes-devtools/go/go-1.20.4.inc 
@@ -14,8 +14,5 @@ SRC_URI += "\ file://0007-exec.go-do-not-write-linker-flags-into-buildids.patch \ file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \ -file://0010-cmd-compile-re-compile-instantiated-generic-methods-.patch \ -file://CVE-2023-24532.patch \ -file://CVE-2023-24537.patch \ " -SRC_URI[main.sha256sum] = "b5c1a3af52c385a6d1c76aed5361cf26459023980d0320de7658bae3915831a2" +SRC_URI[main.sha256sum] = "9f34ace128764b7a3a4b238b805856cc1b2184304df9e5690825b0710f4202d6" diff --git a/meta/recipes-devtools/go/go-binary-native_1.20.1.bb b/meta/recipes-devtools/go/go-binary-native_1.20.4.bb similarity index 78% rename from meta/recipes-devtools/go/go-binary-native_1.20.1.bb rename to meta/recipes-devtools/go/go-binary-native_1.20.4.bb index 239334552a..87ce8a558f 100644 --- a/meta/recipes-devtools/go/go-binary-native_1.20.1.bb +++ b/meta/recipes-devtools/go/go-binary-native_1.20.4.bb @@ -9,9 +9,9 @@ PROVIDES = "go-native" # Checksums available at https://go.dev/dl/ SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}; -SRC_URI[go_linux_amd64.sha256sum] = "000a5b1fca4f75895f78befeb2eecf10bfff3c428597f3f1e69133b63b911b02" -SRC_URI[go_linux_arm64.sha256sum] = "5e5e2926733595e6f3c5b5ad1089afac11c1490351855e87849d0e7702b1ec2e" -SRC_URI[go_linux_ppc64le.sha256sum] = "85cfd4b89b48c94030783b6e9e619e35557862358b846064636361421d0b0c52" +SRC_URI[go_linux_amd64.sha256sum] = "698ef3243972a51ddb4028e4a1ac63dc6d60821bf18e59a807e051fee0a385bd" +SRC_URI[go_linux_arm64.sha256sum] = "105889992ee4b1d40c7c108555222ca70ae43fccb42e20fbf1eebb822f5e72c6" +SRC_URI[go_linux_ppc64le.sha256sum] = "8c6f44b96c2719c90eebabe2dd866f9c39538648f7897a212cac448587e9a408" UPSTREAM_CHECK_URI = "https://golang.org/dl/; UPSTREAM_CHECK_REGEX = "go(?P\d+(\.\d+)+)\.linux" 
diff --git a/meta/recipes-devtools/go/go-cross-canadian_1.20.1.bb b/meta/recipes-devtools/go/go-cross-canadian_1.20.4.bb similarity index 100% rename from meta/recipes-devtools/go/go-cross-canadian_1.20.1.bb rename to meta/recipes-devtools/go/go-cross-canadian_1.20.4.bb diff --git a/meta/recipes-devtools/go/go-cross_1.20.1.bb b/meta/recipes-devtools/go/go-cross_1.20.4.bb similarity index 100% rename from meta/recipes-devtools/go/go-cross_1.20.1.bb rename to meta/recipes-devtools/go/go-cross_1.20.4.bb diff --git a/meta/recipes-devtools/go/go-crosssdk_1.20.1.bb b/meta/recipes-devtools/go/go-crosssdk_1.20.4.bb similarity index 100% rename from meta/recipes-devtools/go/go-crosssdk_1.20.1.bb rename to meta/recipes-devtools/go/go-crosssdk_1.20.4.bb diff --git a/meta/recipes-devtools/go/go-native_1.20.1.bb b/meta/recipe
Re: [OE-core] [kirkstone][PATCH v2] go: fix CVE-2022-2879 and CVE-2022-41720
On 2023-03-22 12:21, Steve Sakoman wrote: CAUTION: This email comes from a non Wind River email account! Do not click links or open attachments unless you recognize the sender and know the content is safe. On Tue, Mar 21, 2023 at 9:36 AM Sakib Sajal wrote: Backport appropriate patches to fix CVE-2022-2879 and CVE-2022-41720. Modified the original fix for CVE-2022-2879 to remove a testdata tarball and any references to it since git binary diffs are not supported in quilt. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/go/go-1.17.13.inc | 2 + ...01-archive-tar-limit-size-of-headers.patch | 177 ++ ...d-escapes-from-os.DirFS-and-http.Dir.patch | 514 ++ 3 files changed, 693 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.18/0001-archive-tar-limit-size-of-headers.patch create mode 100644 meta/recipes-devtools/go/go-1.18/0002-os-net-http-avoid-escapes-from-os.DirFS-and-http.Dir.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 99662bd298..a6081bdee7 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -20,6 +20,8 @@ SRC_URI += "\ file://0001-net-http-httputil-avoid-query-parameter-smuggling.patch \ file://CVE-2022-41715.patch \ file://CVE-2022-41717.patch \ +file://0001-archive-tar-limit-size-of-headers.patch \ +file://0002-os-net-http-avoid-escapes-from-os.DirFS-and-http.Dir.patch \ Could you please resubmit with the patch file names changed to reflect the CVE they are fixing? i.e. file://CVE-2022-2879.patch \ file://CVE-2022-41720.patch \ Thanks! Steve Done! Sakib " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.18/0001-archive-tar-limit-size-of-headers.patch b/meta/recipes-devtools/go/go-1.18/0001-archive-tar-limit-size-of-headers.patch new file mode 100644 index 00..0315e1a3ee --- /dev/null 
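Review bot: The added `file://CVE-2022-2879.patch` entry points at a patch that, per the commit message, was locally modified (the testdata tarball and every reference to it were dropped because quilt cannot apply git binary diffs), yet the patch header shown further down carries only `CVE: CVE-2022-2879`, `Upstream-Status: Backport [0a723816cd205576945fa57fbdde7e6532d59d08]` and the sign-off, with no record of that deviation. OE-core practice is to state local changes in the patch header so whoever rebases or audits the backport knows it is not a verbatim cherry-pick and can see what test coverage was lost; a short note under the Upstream-Status line such as `Modified from upstream: the binary testdata tarball and the reader/writer tests that reference it were removed, as quilt cannot apply git binary diffs.` would do. Naming the removed tests would make the reduced coverage of the new 1 MiB special-file limit explicit rather than leaving it to be rediscovered from the diffstat. The same gap exists in the other postings of this change on the page (the standalone v2 message and both copies of the v1 message), since they ship the same patch header.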
+++ b/meta/recipes-devtools/go/go-1.18/0001-archive-tar-limit-size-of-headers.patch 
@@ -0,0 +1,177 @@ +From d064ed520a7cc6b480f9565e30751e695d394f4e Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 2 Sep 2022 20:45:18 -0700 +Subject: [PATCH] archive/tar: limit size of headers + +Set a 1MiB limit on special file blocks (PAX headers, GNU long names, +GNU link names), to avoid reading arbitrarily large amounts of data +into memory. + +Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting +this issue. + +Fixes CVE-2022-2879 +Updates #54853 +Fixes #55925 + +Change-Id: I85136d6ff1e0af101a112190e027987ab4335680 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/156 +Reviewed-by: Tatiana Bradley +Run-TryBot: Roland Shoemaker +Reviewed-by: Roland Shoemaker +(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622 +Reviewed-by: Damien Neil +Reviewed-by: Julie Qiu +Reviewed-on: https://go-review.googlesource.com/c/go/+/438500 +Reviewed-by: Dmitri Shuralyov +Reviewed-by: Carlos Amedee +Reviewed-by: Dmitri Shuralyov +Run-TryBot: Carlos Amedee +TryBot-Result: Gopher Robot + +CVE: CVE-2022-2879 +Upstream-Status: Backport [0a723816cd205576945fa57fbdde7e6532d59d08] +Signed-off-by: Sakib Sajal +--- + src/archive/tar/format.go | 4 + src/archive/tar/reader.go | 14 -- + src/archive/tar/reader_test.go | 8 +++- + src/archive/tar/writer.go | 3 +++ + src/archive/tar/writer_test.go | 27 +++ + 5 files changed, 53 insertions(+), 3 deletions(-) + +diff --git a/src/archive/tar/format.go b/src/archive/tar/format.go +index cfe24a5..6642364 100644 +--- a/src/archive/tar/format.go b/src/archive/tar/format.go +@@ -143,6 +143,10 @@ const ( + blockSize = 512 // Size of each block in a tar stream + nameSize = 100 // Max length of the name field in USTAR format + prefixSize = 155 // Max length of the prefix field in USTAR format ++ ++ // Max length of a special file (PAX header, GNU long name or link). 
++ // This matches the limit used by libarchive. ++ maxSpecialFileSize = 1 << 20 + ) + + // blockPadding computes the number of bytes needed to pad offset up to the +diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go +index 1b1d5b4..f645af8 100644 +--- a/src/archive/tar/reader.go b/src/archive/tar/reader.go +@@ -103,7 +103,7 @@ func (tr *Reader) next() (*Header, error) { + continue // This is a meta header affecting the next header + case TypeGNULongName, TypeGNULongLink: + format.mayOnlyBe(FormatGNU) +- realname, err := io.ReadAll(tr) ++ realname, err := readSpecialFile(tr) + if err != nil { +
[OE-core] [kirkstone][PATCH v2] go: fix CVE-2022-2879 and CVE-2022-41720
Backport appropriate patches to fix CVE-2022-2879 and CVE-2022-41720. Modified the original fix for CVE-2022-2879 to remove a testdata tarball and any references to it since git binary diffs are not supported in quilt. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/go/go-1.17.13.inc | 2 + .../go/go-1.18/CVE-2022-2879.patch| 177 ++ .../go/go-1.18/CVE-2022-41720.patch | 514 ++ 3 files changed, 693 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2022-2879.patch create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2022-41720.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 99662bd298..856c14de40 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -20,6 +20,8 @@ SRC_URI += "\ file://0001-net-http-httputil-avoid-query-parameter-smuggling.patch \ file://CVE-2022-41715.patch \ file://CVE-2022-41717.patch \ +file://CVE-2022-2879.patch \ +file://CVE-2022-41720.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-2879.patch b/meta/recipes-devtools/go/go-1.18/CVE-2022-2879.patch new file mode 100644 index 00..0315e1a3ee --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-2879.patch 
@@ -0,0 +1,177 @@ +From d064ed520a7cc6b480f9565e30751e695d394f4e Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 2 Sep 2022 20:45:18 -0700 +Subject: [PATCH] archive/tar: limit size of headers + +Set a 1MiB limit on special file blocks (PAX headers, GNU long names, +GNU link names), to avoid reading arbitrarily large amounts of data +into memory. + +Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting +this issue. + +Fixes CVE-2022-2879 +Updates #54853 +Fixes #55925 + +Change-Id: I85136d6ff1e0af101a112190e027987ab4335680 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/156 +Reviewed-by: Tatiana Bradley +Run-TryBot: Roland Shoemaker +Reviewed-by: Roland Shoemaker +(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622 +Reviewed-by: Damien Neil +Reviewed-by: Julie Qiu +Reviewed-on: https://go-review.googlesource.com/c/go/+/438500 +Reviewed-by: Dmitri Shuralyov +Reviewed-by: Carlos Amedee +Reviewed-by: Dmitri Shuralyov +Run-TryBot: Carlos Amedee +TryBot-Result: Gopher Robot + +CVE: CVE-2022-2879 +Upstream-Status: Backport [0a723816cd205576945fa57fbdde7e6532d59d08] +Signed-off-by: Sakib Sajal +--- + src/archive/tar/format.go | 4 + src/archive/tar/reader.go | 14 -- + src/archive/tar/reader_test.go | 8 +++- + src/archive/tar/writer.go | 3 +++ + src/archive/tar/writer_test.go | 27 +++ + 5 files changed, 53 insertions(+), 3 deletions(-) + +diff --git a/src/archive/tar/format.go b/src/archive/tar/format.go +index cfe24a5..6642364 100644 +--- a/src/archive/tar/format.go b/src/archive/tar/format.go +@@ -143,6 +143,10 @@ const ( + blockSize = 512 // Size of each block in a tar stream + nameSize = 100 // Max length of the name field in USTAR format + prefixSize = 155 // Max length of the prefix field in USTAR format ++ ++ // Max length of a special file (PAX header, GNU long name or link). 
++ // This matches the limit used by libarchive. ++ maxSpecialFileSize = 1 << 20 + ) + + // blockPadding computes the number of bytes needed to pad offset up to the +diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go +index 1b1d5b4..f645af8 100644 +--- a/src/archive/tar/reader.go b/src/archive/tar/reader.go +@@ -103,7 +103,7 @@ func (tr *Reader) next() (*Header, error) { + continue // This is a meta header affecting the next header + case TypeGNULongName, TypeGNULongLink: + format.mayOnlyBe(FormatGNU) +- realname, err := io.ReadAll(tr) ++ realname, err := readSpecialFile(tr) + if err != nil { + return nil, err + } +@@ -293,7 +293,7 @@ func mergePAX(hdr *Header, paxHdrs map[string]string) (err error) { + // parsePAX parses PAX headers. + // If an extended header (type 'x') is invalid, ErrHeader is returned + func parsePAX(r io.Reader) (map[string]string, error) { +- buf, err := io.ReadAll(r) ++ buf, err := readSpecialFile(r) + if err != nil { + return nil, err + } +@@ -826,6 +826,16 @@ func tryReadFull(r io.Reader, b []byte) (n int, err error) { + return n, err + } + ++// readSpecialFile is like io.ReadAll except it returns ++// ErrFieldTooLong if more than maxSpecialFileSize is read. ++func r
[OE-core] [kirkstone][PATCH v2] go: fix CVE-2022-2879 and CVE-2022-41720
Backport appropriate patches to fix CVE-2022-2879 and CVE-2022-41720. Modified the original fix for CVE-2022-2879 to remove a testdata tarball and any references to it since git binary diffs are not supported in quilt. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/go/go-1.17.13.inc | 2 + ...01-archive-tar-limit-size-of-headers.patch | 177 ++ ...d-escapes-from-os.DirFS-and-http.Dir.patch | 514 ++ 3 files changed, 693 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.18/0001-archive-tar-limit-size-of-headers.patch create mode 100644 meta/recipes-devtools/go/go-1.18/0002-os-net-http-avoid-escapes-from-os.DirFS-and-http.Dir.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 99662bd298..a6081bdee7 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -20,6 +20,8 @@ SRC_URI += "\ file://0001-net-http-httputil-avoid-query-parameter-smuggling.patch \ file://CVE-2022-41715.patch \ file://CVE-2022-41717.patch \ +file://0001-archive-tar-limit-size-of-headers.patch \ +file://0002-os-net-http-avoid-escapes-from-os.DirFS-and-http.Dir.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.18/0001-archive-tar-limit-size-of-headers.patch b/meta/recipes-devtools/go/go-1.18/0001-archive-tar-limit-size-of-headers.patch new file mode 100644 index 00..0315e1a3ee --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/0001-archive-tar-limit-size-of-headers.patch 
@@ -0,0 +1,177 @@ +From d064ed520a7cc6b480f9565e30751e695d394f4e Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 2 Sep 2022 20:45:18 -0700 +Subject: [PATCH] archive/tar: limit size of headers + +Set a 1MiB limit on special file blocks (PAX headers, GNU long names, +GNU link names), to avoid reading arbitrarily large amounts of data +into memory. + +Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting +this issue. + +Fixes CVE-2022-2879 +Updates #54853 +Fixes #55925 + +Change-Id: I85136d6ff1e0af101a112190e027987ab4335680 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/156 +Reviewed-by: Tatiana Bradley +Run-TryBot: Roland Shoemaker +Reviewed-by: Roland Shoemaker +(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622 +Reviewed-by: Damien Neil +Reviewed-by: Julie Qiu +Reviewed-on: https://go-review.googlesource.com/c/go/+/438500 +Reviewed-by: Dmitri Shuralyov +Reviewed-by: Carlos Amedee +Reviewed-by: Dmitri Shuralyov +Run-TryBot: Carlos Amedee +TryBot-Result: Gopher Robot + +CVE: CVE-2022-2879 +Upstream-Status: Backport [0a723816cd205576945fa57fbdde7e6532d59d08] +Signed-off-by: Sakib Sajal +--- + src/archive/tar/format.go | 4 + src/archive/tar/reader.go | 14 -- + src/archive/tar/reader_test.go | 8 +++- + src/archive/tar/writer.go | 3 +++ + src/archive/tar/writer_test.go | 27 +++ + 5 files changed, 53 insertions(+), 3 deletions(-) + +diff --git a/src/archive/tar/format.go b/src/archive/tar/format.go +index cfe24a5..6642364 100644 +--- a/src/archive/tar/format.go b/src/archive/tar/format.go +@@ -143,6 +143,10 @@ const ( + blockSize = 512 // Size of each block in a tar stream + nameSize = 100 // Max length of the name field in USTAR format + prefixSize = 155 // Max length of the prefix field in USTAR format ++ ++ // Max length of a special file (PAX header, GNU long name or link). 
++ // This matches the limit used by libarchive. ++ maxSpecialFileSize = 1 << 20 + ) + + // blockPadding computes the number of bytes needed to pad offset up to the +diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go +index 1b1d5b4..f645af8 100644 +--- a/src/archive/tar/reader.go b/src/archive/tar/reader.go +@@ -103,7 +103,7 @@ func (tr *Reader) next() (*Header, error) { + continue // This is a meta header affecting the next header + case TypeGNULongName, TypeGNULongLink: + format.mayOnlyBe(FormatGNU) +- realname, err := io.ReadAll(tr) ++ realname, err := readSpecialFile(tr) + if err != nil { + return nil, err + } +@@ -293,7 +293,7 @@ func mergePAX(hdr *Header, paxHdrs map[string]string) (err error) { + // parsePAX parses PAX headers. + // If an extended header (type 'x') is invalid, ErrHeader is returned + func parsePAX(r io.Reader) (map[string]string, error) { +- buf, err := io.ReadAll(r) ++ buf, err := readSpecialFile(r) + if err != nil { + return nil, err + } +@@ -826,6 +826,16 @@ func
Re: [OE-core] [kirkstone][PATCH] go: fix CVE-2022-2879 and CVE-2022-41720
On 2023-03-20 17:05, Randy MacLeod wrote: On 2023-03-20 16:09, Sakib Sajal via lists.openembedded.org wrote: Backport appropriate patches to fix CVE-2022-2879 and CVE-2022-41720. Modified the original fix for CVE-2022-2879 to remove a testdata tarball and any references to it since git binary diffs are not supported in quilt. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/go/go-1.17.13.inc | 36 +- ...01-archive-tar-limit-size-of-headers.patch | 177 ++ ...d-escapes-from-os.DirFS-and-http.Dir.patch | 514 ++ 3 files changed, 710 insertions(+), 17 deletions(-) create mode 100644 meta/recipes-devtools/go/go-1.18/0001-archive-tar-limit-size-of-headers.patch create mode 100644 meta/recipes-devtools/go/go-1.18/0002-os-net-http-avoid-escapes-from-os.DirFS-and-http.Dir.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 99662bd298..f5cf192361 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc 
@@ -4,23 +4,25 @@ FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/go-1.18:" LIC_FILES_CHKSUM ="file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" -SRC_URI += "\ -file://0001-allow-CC-and-CXX-to-have-multiple-words.patch \ -file://0002-cmd-go-make-content-based-hash-generation-less-pedan.patch \ -file://0003-allow-GOTOOLDIR-to-be-overridden-in-the-environment.patch \ -file://0004-ld-add-soname-to-shareable-objects.patch \ -file://0005-make.bash-override-CC-when-building-dist-and-go_boot.patch \ -file://0006-cmd-dist-separate-host-and-target-builds.patch \ -file://0007-cmd-go-make-GOROOT-precious-by-default.patch \ -file://0008-use-GOBUILDMODE-to-set-buildmode.patch \ -file://0009-Revert-cmd-go-make-sure-CC-and-CXX-are-absolute.patch \ -file://0001-exec.go-do-not-write-linker-flags-into-buildids.patch \ -file://0001-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ -file://CVE-2022-27664.patch \ -file://0001-net-http-httputil-avoid-query-parameter-smuggling.patch \ -file://CVE-2022-41715.patch \ -file://CVE-2022-41717.patch \ -" +SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \ Nack. Sakib, You said this works for you but if you look at: ❯ cat meta/recipes-devtools/go/go-1.17.13.inc require go-common.inc FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/go-1.18:" LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" SRC_URI += "\ ... and then ❯ grep SRC_URI meta/recipes-devtools/go/go-common.inc SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main; You see that you should stick with the += operator. I think you said that devtool changed that , right? If so, and if we can learn why this change even built for you, then consider opening a bug against devtool. ../Randy Yes, this change was done by "devtool update-recipe go" I do not think what devtool did is wrong. 
go-common.inc is included only by go-1.17.13.inc and the SRC_URI from go-common.inc is included in the SRC_URI for go-1.17.13.inc, in the correct order too, so technically you do not need the += in go-1.17.13.inc file. Regardless SRC_URI change should not be part of CVE fix, sending a v2 by updating the recipe manually. Sakib +file://0001-allow-CC-and-CXX-to-have-multiple-words.patch \ +file://0002-cmd-go-make-content-based-hash-generation-less-pedan.patch \ +file://0003-allow-GOTOOLDIR-to-be-overridden-in-the-environment.patch \ +file://0004-ld-add-soname-to-shareable-objects.patch \ +file://0005-make.bash-override-CC-when-building-dist-and-go_boot.patch \ +file://0006-cmd-dist-separate-host-and-target-builds.patch \ +file://0007-cmd-go-make-GOROOT-precious-by-default.patch \ +file://0008-use-GOBUILDMODE-to-set-buildmode.patch \ +file://0009-Revert-cmd-go-make-sure-CC-and-CXX-are-absolute.patch \ +file://0001-exec.go-do-not-write-linker-flags-into-buildids.patch \ +file://0001-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ +file://CVE-2022-27664.patch \ +file://0001-net-http-httputil-avoid-query-parameter-smuggling.patch \ +file://CVE-2022-41715.patch \ +file://CVE-2022-41717.patch \ +file://0001-archive-tar-limit-size-of-headers.patch \ +file://0002-os-net-http-avoid-escapes-from-os.DirFS-and-http.Dir.patch \ + " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" # Upstream don't believe it is a signifiant real world issue and will only diff --git a/meta/recipes-devtools/go/go-1.18/0001-archive-tar-limit-size-of-headers.patch b/meta/recipes-devtools/go/go-1.18/0001-archive-tar-limit-size-of-headers.patch new file mode 100644 index 00..0315e1a3ee --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/0001-archive-tar-limit-size-of-headers.patch @@ -0,0 +1,177 @@ +From d064ed520a7cc6b480f9565e30751e695d394f4e Mon Sep 17 00:00:
[OE-core] [kirkstone][PATCH] go: fix CVE-2022-2879 and CVE-2022-41720
Backport appropriate patches to fix CVE-2022-2879 and CVE-2022-41720. Modified the original fix for CVE-2022-2879 to remove a testdata tarball and any references to it since git binary diffs are not supported in quilt. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/go/go-1.17.13.inc | 36 +- ...01-archive-tar-limit-size-of-headers.patch | 177 ++ ...d-escapes-from-os.DirFS-and-http.Dir.patch | 514 ++ 3 files changed, 710 insertions(+), 17 deletions(-) create mode 100644 meta/recipes-devtools/go/go-1.18/0001-archive-tar-limit-size-of-headers.patch create mode 100644 meta/recipes-devtools/go/go-1.18/0002-os-net-http-avoid-escapes-from-os.DirFS-and-http.Dir.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 99662bd298..f5cf192361 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc 
@@ -4,23 +4,25 @@ FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/go-1.18:" LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" -SRC_URI += "\ -file://0001-allow-CC-and-CXX-to-have-multiple-words.patch \ -file://0002-cmd-go-make-content-based-hash-generation-less-pedan.patch \ -file://0003-allow-GOTOOLDIR-to-be-overridden-in-the-environment.patch \ -file://0004-ld-add-soname-to-shareable-objects.patch \ -file://0005-make.bash-override-CC-when-building-dist-and-go_boot.patch \ -file://0006-cmd-dist-separate-host-and-target-builds.patch \ -file://0007-cmd-go-make-GOROOT-precious-by-default.patch \ -file://0008-use-GOBUILDMODE-to-set-buildmode.patch \ -file://0009-Revert-cmd-go-make-sure-CC-and-CXX-are-absolute.patch \ -file://0001-exec.go-do-not-write-linker-flags-into-buildids.patch \ -file://0001-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ -file://CVE-2022-27664.patch \ -file://0001-net-http-httputil-avoid-query-parameter-smuggling.patch \ -file://CVE-2022-41715.patch \ -file://CVE-2022-41717.patch \ -" +SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \ + file://0001-allow-CC-and-CXX-to-have-multiple-words.patch \ + file://0002-cmd-go-make-content-based-hash-generation-less-pedan.patch \ + file://0003-allow-GOTOOLDIR-to-be-overridden-in-the-environment.patch \ + file://0004-ld-add-soname-to-shareable-objects.patch \ + file://0005-make.bash-override-CC-when-building-dist-and-go_boot.patch \ + file://0006-cmd-dist-separate-host-and-target-builds.patch \ + file://0007-cmd-go-make-GOROOT-precious-by-default.patch \ + file://0008-use-GOBUILDMODE-to-set-buildmode.patch \ + file://0009-Revert-cmd-go-make-sure-CC-and-CXX-are-absolute.patch \ + file://0001-exec.go-do-not-write-linker-flags-into-buildids.patch \ + file://0001-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ + file://CVE-2022-27664.patch \ + file://0001-net-http-httputil-avoid-query-parameter-smuggling.patch \ + file://CVE-2022-41715.patch \ + 
file://CVE-2022-41717.patch \ + file://0001-archive-tar-limit-size-of-headers.patch \ + file://0002-os-net-http-avoid-escapes-from-os.DirFS-and-http.Dir.patch \ + " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" # Upstream don't believe it is a signifiant real world issue and will only diff --git a/meta/recipes-devtools/go/go-1.18/0001-archive-tar-limit-size-of-headers.patch b/meta/recipes-devtools/go/go-1.18/0001-archive-tar-limit-size-of-headers.patch new file mode 100644 index 00..0315e1a3ee --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/0001-archive-tar-limit-size-of-headers.patch @@ -0,0 +1,177 @@ +From d064ed520a7cc6b480f9565e30751e695d394f4e Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 2 Sep 2022 20:45:18 -0700 +Subject: [PATCH] archive/tar: limit size of headers + +Set a 1MiB limit on special file blocks (PAX headers, GNU long names, +GNU link names), to avoid reading arbitrarily large amounts of data +into memory. + +Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting +this issue. + +Fixes CVE-2022-2879 +Updates #54853 +Fixes #55925 + +Change-Id: I85136d6ff1e0af101a112190e027987ab4335680 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/156 +Reviewed-by: Tatiana Bradley +Run-TryBot: Roland Shoemaker +Reviewed-by: Roland Shoemaker +(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622 +Reviewed-by: Damien Neil +Reviewed-by: Julie Qiu +Reviewed-on: https://go-review.googlesource.com/c/go/+/438500 +Reviewed-by: Dmitri Shuralyov +Reviewed-by: Carlos Amedee +Reviewed-by: Dmitri Shuralyov +Run-TryBot: C
[OE-core] [kirkstone][PATCH] u-boot: fix CVE-2022-2347 and CVE-2022-30790
Backport appropriate patches to fix CVE-2022-2347 and CVE-2022-30790. Signed-off-by: Sakib Sajal --- .../u-boot/files/CVE-2022-2347_1.patch| 129 +++ .../u-boot/files/CVE-2022-2347_2.patch| 66 .../u-boot/files/CVE-2022-30790.patch | 149 ++ meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 3 + 4 files changed, 347 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2022-2347_1.patch create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2022-2347_2.patch create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2022-30790.patch diff --git a/meta/recipes-bsp/u-boot/files/CVE-2022-2347_1.patch b/meta/recipes-bsp/u-boot/files/CVE-2022-2347_1.patch new file mode 100644 index 00..34ee82c3a5 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2022-2347_1.patch 
@@ -0,0 +1,129 @@
+From 9d2d2deabc49dbedf93a7192b25f55d9933fcede Mon Sep 17 00:00:00 2001
+From: Venkatesh Yadav Abbarapu
+Date: Thu, 3 Nov 2022 09:37:48 +0530
+Subject: [PATCH 1/2] usb: gadget: dfu: Fix the unchecked length field
+
+DFU implementation does not bound the length field in USB
+DFU download setup packets, and it does not verify that
+the transfer direction. Fixing the length and transfer
+direction.
+
+CVE-2022-2347
+
+Signed-off-by: Venkatesh Yadav Abbarapu
+Reviewed-by: Marek Vasut
+
+CVE: CVE-2022-2347
+Upstream-Status: Backport [fbce985e28eaca3af82afecc11961aadaf971a7e]
+Signed-off-by: Sakib Sajal
+---
+ drivers/usb/gadget/f_dfu.c | 56 +-
+ 1 file changed, 37 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c
+index 4bedc7d3a1..33ef62f8ba 100644
+--- a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c
+@@ -321,21 +321,29 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
+ u16 len = le16_to_cpu(ctrl->wLength);
+ int value = 0;
+
++ len = len > DFU_USB_BUFSIZ ?
DFU_USB_BUFSIZ : len;
++
+ switch (ctrl->bRequest) {
+ case USB_REQ_DFU_DNLOAD:
+- if (len == 0) {
+- f_dfu->dfu_state = DFU_STATE_dfuERROR;
+- value = RET_STALL;
+- break;
++ if (ctrl->bRequestType == USB_DIR_OUT) {
++ if (len == 0) {
++ f_dfu->dfu_state = DFU_STATE_dfuERROR;
++ value = RET_STALL;
++ break;
++ }
++ f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
++ f_dfu->blk_seq_num = w_value;
++ value = handle_dnload(gadget, len);
+ }
+- f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
+- f_dfu->blk_seq_num = w_value;
+- value = handle_dnload(gadget, len);
+ break;
+ case USB_REQ_DFU_UPLOAD:
+- f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
+- f_dfu->blk_seq_num = 0;
+- value = handle_upload(req, len);
++ if (ctrl->bRequestType == USB_DIR_IN) {
++ f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
++ f_dfu->blk_seq_num = 0;
++ value = handle_upload(req, len);
++ if (value >= 0 && value < len)
++ f_dfu->dfu_state = DFU_STATE_dfuIDLE;
++ }
+ break;
+ case USB_REQ_DFU_ABORT:
+ /* no zlp? */
+@@ -424,11 +432,15 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu,
+ u16 len = le16_to_cpu(ctrl->wLength);
+ int value = 0;
+
++ len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len;
++
+ switch (ctrl->bRequest) {
+ case USB_REQ_DFU_DNLOAD:
+- f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
+- f_dfu->blk_seq_num = w_value;
+- value = handle_dnload(gadget, len);
++ if (ctrl->bRequestType == USB_DIR_OUT) {
++ f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
++ f_dfu->blk_seq_num = w_value;
++ value = handle_dnload(gadget, len);
++ }
+ break;
+ case USB_REQ_DFU_ABORT:
+ f_dfu->dfu_state = DFU_STATE_dfuIDLE;
+@@ -511,13 +523,17 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu,
+ u16 len = le16_to_cpu(ctrl->wLength);
+ int value = 0;
+
++ len = len > DFU_USB_BUFSIZ ?
DFU_USB_BUFSIZ : len;
++
+ switch (ctrl->bRequest) {
+ case USB_REQ_DFU_UPLOAD:
+- /* state transition if less data then requested */
+- f_dfu->blk_seq_num = w_value;
+- value = handle_upload(req, len);
+- if (value >= 0 && value < len)
+- f_dfu->dfu_state = DFU_STAT
[OE-core] [kirkstone][PATCH] git: upgrade 2.35.5 -> 2.35.7
Upgrade git to latest 2.37.x release to address security issues CVE-2022-23521 and CVE-2022-41903. Signed-off-by: Sakib Sajal
---
 meta/recipes-devtools/git/{git_2.35.5.bb => git_2.35.7.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-devtools/git/{git_2.35.5.bb => git_2.35.7.bb} (98%)
diff --git a/meta/recipes-devtools/git/git_2.35.5.bb b/meta/recipes-devtools/git/git_2.35.7.bb
similarity index 98%
rename from meta/recipes-devtools/git/git_2.35.5.bb
rename to meta/recipes-devtools/git/git_2.35.7.bb
index be4e3ca1d3..1dd5915703 100644
--- a/meta/recipes-devtools/git/git_2.35.5.bb
+++ b/meta/recipes-devtools/git/git_2.35.7.bb
@@ -165,4 +165,4 @@ EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \
 "
 EXTRA_OEMAKE += "NO_GETTEXT=1"
-SRC_URI[tarball.sha256sum] = "2cca63fe7bebb5b4bf8efea7b46b12bb89c16ff9711b6b6d845928501d00d0a3"
+SRC_URI[tarball.sha256sum] = "fc849272a95cc7457091221a645fcd753b3b1984767ee3323fb6a0aa944bbcb4"
--
2.33.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#177218): https://lists.openembedded.org/g/openembedded-core/message/177218 Mute This Topic: https://lists.openembedded.org/mt/96993658/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [langdale][PATCH] git: upgrade 2.37.4 -> 2.37.6
Upgrade git to latest 2.37.x release to address security issues CVE-2022-23521 and CVE-2022-41903. Signed-off-by: Sakib Sajal
---
 meta/recipes-devtools/git/{git_2.37.4.bb => git_2.37.6.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-devtools/git/{git_2.37.4.bb => git_2.37.6.bb} (98%)
diff --git a/meta/recipes-devtools/git/git_2.37.4.bb b/meta/recipes-devtools/git/git_2.37.6.bb
similarity index 98%
rename from meta/recipes-devtools/git/git_2.37.4.bb
rename to meta/recipes-devtools/git/git_2.37.6.bb
index 2205a50d16..638b08a0cf 100644
--- a/meta/recipes-devtools/git/git_2.37.4.bb
+++ b/meta/recipes-devtools/git/git_2.37.6.bb
@@ -165,4 +165,4 @@ EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \
 "
 EXTRA_OEMAKE += "NO_GETTEXT=1"
-SRC_URI[tarball.sha256sum] = "a638c9bf9e45e8d48592076266adaa9b7aa272a99ee2aee2e166a649a9ba8a03"
+SRC_URI[tarball.sha256sum] = "626e4c338f72b170e2b3afb1cb2161f6fbe4fb1d0749154f1ebfb5f0a57ec25f"
--
2.33.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#177213): https://lists.openembedded.org/g/openembedded-core/message/177213 Mute This Topic: https://lists.openembedded.org/mt/96992538/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [kirkstone][PATCH] go: fix CVE-2022-2880
Backport patch to fix CVE-2022-2880. Signed-off-by: Sakib Sajal
---
 meta/recipes-devtools/go/go-1.17.13.inc | 1 +
 ...util-avoid-query-parameter-smuggling.patch | 178 ++
 2 files changed, 179 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.18/0001-net-http-httputil-avoid-query-parameter-smuggling.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index b18de66f42..9c467d63b2 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -17,6 +17,7 @@ SRC_URI += "\
 file://0001-exec.go-do-not-write-linker-flags-into-buildids.patch \
 file://0001-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \
 file://CVE-2022-27664.patch \
+file://0001-net-http-httputil-avoid-query-parameter-smuggling.patch \
 "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.18/0001-net-http-httputil-avoid-query-parameter-smuggling.patch b/meta/recipes-devtools/go/go-1.18/0001-net-http-httputil-avoid-query-parameter-smuggling.patch
new file mode 100644
index 00..80fba1446e
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/0001-net-http-httputil-avoid-query-parameter-smuggling.patch
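Review bot: The new SRC_URI entry is named `0001-net-http-httputil-avoid-query-parameter-smuggling.patch` while the backport on the line directly above it uses the `CVE-2022-27664.patch` naming; renaming it to `CVE-2022-2880.patch` would keep the recipe's own convention and make the CVE coverage readable from SRC_URI alone, though cve-check can presumably still match on the `CVE: CVE-2022-2880` tag the patch header carries. The patch is also stored under go-1.18/ for a go-1.17.13 recipe; that looks like an existing arrangement rather than something this change introduces, so a one-line comment in the .inc noting that the go-1.18 patch directory is shared would save the next reader a lookup.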
@@ -0,0 +1,178 @@
+From c8bdf59453c95528a444a85e1b206c1c09eb20f6 Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Thu, 22 Sep 2022 13:32:00 -0700
+Subject: [PATCH] net/http/httputil: avoid query parameter smuggling
+
+Query parameter smuggling occurs when a proxy's interpretation
+of query parameters differs from that of a downstream server.
+Change ReverseProxy to avoid forwarding ignored query parameters.
+
+Remove unparsable query parameters from the outbound request
+
+ * if req.Form != nil after calling ReverseProxy.Director; and
+ * before calling ReverseProxy.Rewrite.
+
+This change preserves the existing behavior of forwarding the
+raw query untouched if a Director hook does not parse the query
+by calling Request.ParseForm (possibly indirectly).
+
+Fixes #55842
+For #54663
+For CVE-2022-2880
+
+Change-Id: If1621f6b0e73a49d79059dae9e6b256e0ff18ca9
+Reviewed-on: https://go-review.googlesource.com/c/go/+/432976
+Reviewed-by: Roland Shoemaker
+Reviewed-by: Brad Fitzpatrick
+TryBot-Result: Gopher Robot
+Run-TryBot: Damien Neil
+(cherry picked from commit 7c84234142149bd24a4096c6cab691d3593f3431)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/433695
+Reviewed-by: Dmitri Shuralyov
+Reviewed-by: Dmitri Shuralyov
+
+CVE: CVE-2022-2880
+Upstream-Status: Backport [9d2c73a9fd69e45876509bb3bdb2af99bf77da1e]
+
+Signed-off-by: Sakib Sajal
+---
+ src/net/http/httputil/reverseproxy.go | 36 +++
+ src/net/http/httputil/reverseproxy_test.go | 74 ++
+ 2 files changed, 110 insertions(+)
+
+diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go
+index 8b63368..c76eec6 100644
+--- a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go
+@@ -249,6 +249,9 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+ }
+
+ p.Director(outreq)
++ if outreq.Form != nil {
++ outreq.URL.RawQuery = cleanQueryParams(outreq.URL.RawQuery)
++ }
+ outreq.Close = false
+
+ reqUpType :=
upgradeType(outreq.Header)
+@@ -628,3 +631,36 @@ func (c switchProtocolCopier) copyToBackend(errc chan<- error) {
+ _, err := io.Copy(c.backend, c.user)
+ errc <- err
+ }
++
++func cleanQueryParams(s string) string {
++ reencode := func(s string) string {
++ v, _ := url.ParseQuery(s)
++ return v.Encode()
++ }
++ for i := 0; i < len(s); {
++ switch s[i] {
++ case ';':
++ return reencode(s)
++ case '%':
++ if i+2 >= len(s) || !ishex(s[i+1]) || !ishex(s[i+2]) {
++ return reencode(s)
++ }
++ i += 3
++ default:
++ i++
++ }
++ }
++ return s
++}
++
++func ishex(c byte) bool {
++ switch {
++ case '0' <= c && c <= '9':
++ return true
++ case 'a' <= c && c <= 'f':
++ return true
++ case 'A' <= c && c <= 'F':
++ return true
++ }
++ return false
++}
+diff --git a/src/net/http/httputil/reverseproxy_test.go b/src/net/http/httputil/reverseproxy_test.go
+index 4b6ad77..8c0a4f1 100644
+--- a/src/net/http/httputil/reverseproxy_test.go b/src/net/http/httputil/reverseproxy_test.go
+@@ -1517,3 +1517,77 @@ func TestJoinURLPath(t *testing.T) {
+ }
+ }
+ }
++
++const (
++ testWantsCleanQuery = true
++ testWantsRawQuery = false
++)
+
Re: [OE-core] [kirkstone][PATCH] blktrace: ask for python3 specifically
From: Alexander Kanavin Sent: November 3, 2022 4:06 PM To: Sajal, Sakib Cc: openembedded-core@lists.openembedded.org Subject: Re: [OE-core] [kirkstone][PATCH] blktrace: ask for python3 specifically > This patch should be sent upstream first. Same as in your master submission. > > Alex Please refer to the mail I sent for master branch: https://lists.openembedded.org/g/openembedded-core/message/173393?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3Acreated%2C0%2Cblktrace%2C20%2C2%2C0%2C94790255 Sakib -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#173394): https://lists.openembedded.org/g/openembedded-core/message/173394 Mute This Topic: https://lists.openembedded.org/mt/94791449/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [PATCH] blktrace: ask for python3 specifically
From: Alexander Kanavin Sent: November 3, 2022 3:00 PM To: Sajal, Sakib Cc: openembedded-core@lists.openembedded.org Subject: Re: [OE-core] [PATCH] blktrace: ask for python3 specifically On Thu, 3 Nov 2022 at 19:34, Sakib Sajal wrote: >> >> python2 has been deprecated, use python3 instead >> >> +Upstream-Status: Inappropriate (OE-specific) > >This is not inappropriate, or oe-specific, please send the patch upstream >first. > >Alex I have already sent a patch to upstream blktrace which was rejected: https://www.spinics.net/lists/linux-btrace/msg01364.html In summary, upstream maintainers see the following on their distro: axboe@m1max ~> which python /usr/bin/python axboe@m1max ~> /usr/bin/python --version Python 3.10.7 axboe@m1max ~> env python Python 3.10.7 (main, Sep 8 2022, 14:34:29) [GCC 12.2.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> while on yocto: root@qemux86-64:~# which python root@qemux86-64:~# which python3 /usr/bin/python3 root@qemux86-64:~# /usr/bin/python3 --version Python 3.11.0 root@qemux86-64:~# env python env: can't execute 'python': No such file or directory root@qemux86-64:~# env python3 Python 3.11.0 (main, Oct 24 2022, 17:48:40) [GCC 12.2.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> python symlink to python3 is not required by python development community and is a choice left for distributions to make. If you look at oe-core, most, if not all, packages are changing the shebang to python3: oe-core.git$ grep -r "env python3" | wc -l 166 Regards, Sakib Re: [PATCH] bno_plot.py: Ask for python3 specifically Linux Btrace<https://www.spinics.net/lists/linux-btrace/msg01364.html> Linux Btrace: Re: [PATCH] bno_plot.py: Ask for python3 specifically www.spinics.net -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. 
[OE-core] [kirkstone][PATCH] blktrace: ask for python3 specifically
python2 has been deprecated, use python3 instead Signed-off-by: Sakib Sajal
---
 ...plot.py-ask-for-python3-specifically.patch | 35 +++
 meta/recipes-kernel/blktrace/blktrace_git.bb | 5 ++-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-ask-for-python3-specifically.patch
diff --git a/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-ask-for-python3-specifically.patch b/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-ask-for-python3-specifically.patch
new file mode 100644
index 00..42412678f7
--- /dev/null
+++ b/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-ask-for-python3-specifically.patch
@@ -0,0 +1,35 @@
+From c6776fb9c990830357e71a0e75805e7ce25877cc Mon Sep 17 00:00:00 2001
+From: Sakib Sajal
+Date: Thu, 3 Nov 2022 12:29:59 -0400
+Subject: [PATCH] bno_plot.py, btt_plot.py: ask for python3 specifically
+
+python2 has been deprecated, use python3 instead
+
+Upstream-Status: Inappropriate (OE-specific)
+
+Signed-off-by: Sakib Sajal
+---
+ btt/bno_plot.py | 2 +-
+ btt/btt_plot.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/btt/bno_plot.py b/btt/bno_plot.py
+index 3aa4e19..d7d7159 100644
+--- a/btt/bno_plot.py b/btt/bno_plot.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python3
+ #
+ # btt blkno plotting interface
+ #
+diff --git a/btt/btt_plot.py b/btt/btt_plot.py
+index 40bc71f..8620d31 100755
+--- a/btt/btt_plot.py b/btt/btt_plot.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python3
+ #
+ # btt_plot.py: Generate matplotlib plots for BTT generate data files
+ #
diff --git a/meta/recipes-kernel/blktrace/blktrace_git.bb b/meta/recipes-kernel/blktrace/blktrace_git.bb
index bba5e04504..c278e066c7 100644
--- a/meta/recipes-kernel/blktrace/blktrace_git.bb
+++ b/meta/recipes-kernel/blktrace/blktrace_git.bb
@@ -9,12 +9,15 @@ LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
 DEPENDS = "libaio"
+RDEPENDS:${PN} = "python3"
 SRCREV = "366d30b9cdb20345c5d064af850d686da79b89eb"
 PV = "1.3.0+git${SRCPV}"
-SRC_URI = "git://git.kernel.dk/blktrace.git;branch=master"
+SRC_URI = "git://git.kernel.dk/blktrace.git;branch=master \
+ file://0001-bno_plot.py-btt_plot.py-ask-for-python3-specifically.patch \
+ "
 S = "${WORKDIR}/git"
--
2.33.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#172652): https://lists.openembedded.org/g/openembedded-core/message/172652 Mute This Topic: https://lists.openembedded.org/mt/94791449/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
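Review bot: `RDEPENDS:${PN} = "python3"` makes every install of blktrace pull in the Python interpreter for the sake of two optional plotting helpers, and it still does not make them runnable: the added patch's own header for btt/btt_plot.py says it generates matplotlib plots, and nothing in this change provides matplotlib (as far as I know oe-core does not carry it). Consider moving btt/bno_plot.py and btt/btt_plot.py into their own sub-package that carries the python3 runtime dependency, or at least weakening this to `RRECOMMENDS:${PN} += "python3"`, and record the matplotlib requirement in a comment next to it, e.g. `# btt_plot.py additionally needs matplotlib, which this recipe does not provide`. The recipe's packaging lines are outside this hunk, and the identical hunk in the master submission further down this page has the same issue.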
[OE-core] [PATCH] blktrace: ask for python3 specifically
python2 has been deprecated, use python3 instead Signed-off-by: Sakib Sajal
---
 ...plot.py-ask-for-python3-specifically.patch | 35 +++
 meta/recipes-kernel/blktrace/blktrace_git.bb | 5 ++-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-ask-for-python3-specifically.patch
diff --git a/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-ask-for-python3-specifically.patch b/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-ask-for-python3-specifically.patch
new file mode 100644
index 00..42412678f7
--- /dev/null
+++ b/meta/recipes-kernel/blktrace/blktrace/0001-bno_plot.py-btt_plot.py-ask-for-python3-specifically.patch
@@ -0,0 +1,35 @@
+From c6776fb9c990830357e71a0e75805e7ce25877cc Mon Sep 17 00:00:00 2001
+From: Sakib Sajal
+Date: Thu, 3 Nov 2022 12:29:59 -0400
+Subject: [PATCH] bno_plot.py, btt_plot.py: ask for python3 specifically
+
+python2 has been deprecated, use python3 instead
+
+Upstream-Status: Inappropriate (OE-specific)
+
+Signed-off-by: Sakib Sajal
+---
+ btt/bno_plot.py | 2 +-
+ btt/btt_plot.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/btt/bno_plot.py b/btt/bno_plot.py
+index 3aa4e19..d7d7159 100644
+--- a/btt/bno_plot.py b/btt/bno_plot.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python3
+ #
+ # btt blkno plotting interface
+ #
+diff --git a/btt/btt_plot.py b/btt/btt_plot.py
+index 40bc71f..8620d31 100755
+--- a/btt/btt_plot.py b/btt/btt_plot.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python3
+ #
+ # btt_plot.py: Generate matplotlib plots for BTT generate data files
+ #
diff --git a/meta/recipes-kernel/blktrace/blktrace_git.bb b/meta/recipes-kernel/blktrace/blktrace_git.bb
index bba5e04504..c278e066c7 100644
--- a/meta/recipes-kernel/blktrace/blktrace_git.bb
+++ b/meta/recipes-kernel/blktrace/blktrace_git.bb
@@ -9,12 +9,15 @@ LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
 DEPENDS = "libaio"
+RDEPENDS:${PN} = "python3"
 SRCREV = "366d30b9cdb20345c5d064af850d686da79b89eb"
 PV = "1.3.0+git${SRCPV}"
-SRC_URI = "git://git.kernel.dk/blktrace.git;branch=master"
+SRC_URI = "git://git.kernel.dk/blktrace.git;branch=master \
+ file://0001-bno_plot.py-btt_plot.py-ask-for-python3-specifically.patch \
+ "
 S = "${WORKDIR}/git"
--
2.33.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#172649): https://lists.openembedded.org/g/openembedded-core/message/172649 Mute This Topic: https://lists.openembedded.org/mt/94790255/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [kirkstone][PATCH] lighttpd: upgrade 1.4.66 -> 1.4.67
From: wangmy Changelog: = * Update comment about TCP_INFO on OpenBSD * [mod_ajp13] fix crash with bad response headers (fixes #3170) * [core] handle RDHUP when collecting chunked body * [core] tweak streaming request body to backends * [core] handle ENOSPC with pwritev() (#3171) * [core] manually calculate off_t max (fixes #3171) * [autoconf] force large file support (#3171) * [multiple] quiet coverity warnings using casts * [meson] add license keyword to project declaration Signed-off-by: Wang Mingyu Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry picked from commit 7a399862bb2e1503fbffa18e7ec0767643f76132) Signed-off-by: Sakib Sajal
---
 .../lighttpd/{lighttpd_1.4.66.bb => lighttpd_1.4.67.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-extended/lighttpd/{lighttpd_1.4.66.bb => lighttpd_1.4.67.bb} (97%)
diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.66.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.67.bb
similarity index 97%
rename from meta/recipes-extended/lighttpd/lighttpd_1.4.66.bb
rename to meta/recipes-extended/lighttpd/lighttpd_1.4.67.bb
index 801162867c..838881f238 100644
--- a/meta/recipes-extended/lighttpd/lighttpd_1.4.66.bb
+++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.67.bb
@@ -19,7 +19,7 @@ SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.t
 file://lighttpd \
 "
-SRC_URI[sha256sum] = "47ac6e60271aa0196e65472d02d019556dc7c6d09df3b65df2c1ab6866348e3b"
+SRC_URI[sha256sum] = "7e04d767f51a8d824b32e2483ef2950982920d427d1272ef4667f49d6f89f358"
 DEPENDS = "virtual/crypt"
--
2.33.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#172635): https://lists.openembedded.org/g/openembedded-core/message/172635 Mute This Topic: https://lists.openembedded.org/mt/94758399/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] go: update 1.19.2 -> 1.19.3
Signed-off-by: Sakib Sajal
---
 meta/recipes-devtools/go/{go-1.19.2.inc => go-1.19.3.inc} | 2 +-
 ...o-binary-native_1.19.2.bb => go-binary-native_1.19.3.bb} | 6 +++---
 ...cross-canadian_1.19.2.bb => go-cross-canadian_1.19.3.bb} | 0
 .../go/{go-cross_1.19.2.bb => go-cross_1.19.3.bb} | 0
 .../go/{go-crosssdk_1.19.2.bb => go-crosssdk_1.19.3.bb} | 0
 .../go/{go-native_1.19.2.bb => go-native_1.19.3.bb} | 0
 .../go/{go-runtime_1.19.2.bb => go-runtime_1.19.3.bb} | 0
 meta/recipes-devtools/go/{go_1.19.2.bb => go_1.19.3.bb} | 0
 8 files changed, 4 insertions(+), 4 deletions(-)
 rename meta/recipes-devtools/go/{go-1.19.2.inc => go-1.19.3.inc} (89%)
 rename meta/recipes-devtools/go/{go-binary-native_1.19.2.bb => go-binary-native_1.19.3.bb} (78%)
 rename meta/recipes-devtools/go/{go-cross-canadian_1.19.2.bb => go-cross-canadian_1.19.3.bb} (100%)
 rename meta/recipes-devtools/go/{go-cross_1.19.2.bb => go-cross_1.19.3.bb} (100%)
 rename meta/recipes-devtools/go/{go-crosssdk_1.19.2.bb => go-crosssdk_1.19.3.bb} (100%)
 rename meta/recipes-devtools/go/{go-native_1.19.2.bb => go-native_1.19.3.bb} (100%)
 rename meta/recipes-devtools/go/{go-runtime_1.19.2.bb => go-runtime_1.19.3.bb} (100%)
 rename meta/recipes-devtools/go/{go_1.19.2.bb => go_1.19.3.bb} (100%)
diff --git a/meta/recipes-devtools/go/go-1.19.2.inc b/meta/recipes-devtools/go/go-1.19.3.inc
similarity index 89%
rename from meta/recipes-devtools/go/go-1.19.2.inc
rename to meta/recipes-devtools/go/go-1.19.3.inc
index 206ee3ca45..1245faba93 100644
--- a/meta/recipes-devtools/go/go-1.19.2.inc
+++ b/meta/recipes-devtools/go/go-1.19.3.inc
@@ -15,4 +15,4 @@ SRC_URI += "\
 file://0001-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \
 file://filter-build-paths.patch \
 "
-SRC_URI[main.sha256sum] = "2ce930d70a931de660fdaf271d70192793b1b240272645bf0275779f6704df6b"
+SRC_URI[main.sha256sum] = "18ac263e39210bcf68d85f4370e97fb1734166995a1f63fb38b4f6e07d90d212"
diff --git a/meta/recipes-devtools/go/go-binary-native_1.19.2.bb b/meta/recipes-devtools/go/go-binary-native_1.19.3.bb
similarity index 78%
rename from meta/recipes-devtools/go/go-binary-native_1.19.2.bb
rename to meta/recipes-devtools/go/go-binary-native_1.19.3.bb
index 65d7c9de49..1eed2cde41 100644
--- a/meta/recipes-devtools/go/go-binary-native_1.19.2.bb
+++ b/meta/recipes-devtools/go/go-binary-native_1.19.3.bb
@@ -9,9 +9,9 @@ PROVIDES = "go-native"
 # Checksums available at https://go.dev/dl/
 SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE};
-SRC_URI[go_linux_amd64.sha256sum] = "5e8c5a74fe6470dd7e055a461acda8bb4050ead8c2df70f227e3ff7d8eb7eeb6"
-SRC_URI[go_linux_arm64.sha256sum] = "b62a8d9654436c67c14a0c91e931d50440541f09eb991a987536cb982903126d"
-SRC_URI[go_linux_ppc64le.sha256sum] = "37e1d4342f7103aeb9babeabe8c71ef3dba23db28db525071119e94b2aa21d7d"
+SRC_URI[go_linux_amd64.sha256sum] = "74b9640724fd4e6bb0ed2a1bc44ae813a03f1e72a4c76253e2d5c015494430ba"
+SRC_URI[go_linux_arm64.sha256sum] = "99de2fe112a52ab748fb175edea64b313a0c8d51d6157dba683a6be163fd5eab"
+SRC_URI[go_linux_ppc64le.sha256sum] = "741dad06e7b17fe2c9cd9586b4048cec087ca1f7a317389b14e89b26c25d3542"
 UPSTREAM_CHECK_URI = "https://golang.org/dl/;
 UPSTREAM_CHECK_REGEX = "go(?P\d+(\.\d+)+)\.linux"
diff --git a/meta/recipes-devtools/go/go-cross-canadian_1.19.2.bb b/meta/recipes-devtools/go/go-cross-canadian_1.19.3.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-cross-canadian_1.19.2.bb
rename to meta/recipes-devtools/go/go-cross-canadian_1.19.3.bb
diff --git a/meta/recipes-devtools/go/go-cross_1.19.2.bb b/meta/recipes-devtools/go/go-cross_1.19.3.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-cross_1.19.2.bb
rename to meta/recipes-devtools/go/go-cross_1.19.3.bb
diff --git a/meta/recipes-devtools/go/go-crosssdk_1.19.2.bb b/meta/recipes-devtools/go/go-crosssdk_1.19.3.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-crosssdk_1.19.2.bb
rename to meta/recipes-devtools/go/go-crosssdk_1.19.3.bb
diff --git a/meta/recipes-devtools/go/go-native_1.19.2.bb b/meta/recipes-devtools/go/go-native_1.19.3.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-native_1.19.2.bb
rename to meta/recipes-devtools/go/go-native_1.19.3.bb
diff --git a/meta/recipes-devtools/go/go-runtime_1.19.2.bb b/meta/recipes-devtools/go/go-runtime_1.19.3.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-runtime_1.19.2.bb
rename to meta/recipes-devtools/go/go-runtime_1.19.3.bb
diff --git a/meta/recipes-devtools/go/go_1.19.2.bb b/meta/recipes-devtools/go/go_1.19.3.bb
similarity index 100%
rename from meta/recipes-devtools/go/go_1.19.2.bb
rename to meta/recipes-devtools/go/go_1.19.3.bb
--
2.33.0
-=-=-=-=-=-=-=-=-=-=-=- Li
[OE-core] [kirkstone][PATCH 1/2] lighttpd: upgrade 1.4.64 -> 1.4.65
se newer mbedtls 3.2.0+ interfaces * [mod_webdav] opt for partial PUT via copy/rename * [core] quiet compiler warning * [multiple] recognize HTTP QUERY method * [multiple] limit scope of socket config options * [core] fix config typo reading large int from str * [core] h2 prio sort urgency, incr, then stream id * [core] send Priority resp hdr w/ .css, .js re-prio * [multiple] reset http vers, avoid rare crash (fixes #3152) * [core] delay response to http auth invalid creds * [core] connection_state_machine_h2 only if con->h2 * [core] default server.max-keep-alive-requests 1000 * [mod_magnet] set script env in func first upvalue * [mod_magnet] rewrite lighty.r as table of userdata * [mod_status] con->h2 instead of r->http_version * [mod_setenv] cleanup user-provided hdr sloppiness * [core] remove func decls duplicated in plugin.h * [mod_status] fix counting of HTTP/2 bytes written * [mod_magnet] no local server port on unix domain * [mod_extforward] unix domain socket pedantic chks * [core] sketch support for abstract sockets * [mod_magnet] magnet_plugin_stats_table() fn * [mod_magnet] magnet_script_setup_global_state() fn * [mod_magnet] lighty.server.* table w/ new function * [mod_accesslog] do not double-count hdr len in %I * [mod_magnet] reduce magnet_env_get_id() scanning * [mod_magnet] tighten magnet_env_get_buffer_by_id() * [mod_status] reusable code for r->state strings * [core] reusable code for r->state strings * [mod_magnet] expose r->state to lua scripts * [mod_magnet] tighten magnet_env_set() * [mod_magnet] lighty.r.req_item[] accessors * [mod_magnet] expose r->keep_alive to lua scripts * [mod_magnet] lighty.c.hrtime high-resolution time * [mod_magnet] lighty.r.resp_body.get * [mod_magnet] deprecate r.req_attr["response.*] * [mod_magnet] separate funcs for uri_path_raw * [mod_magnet] lighty.c.stat high precision time * [mod_magnet] format multiline err traceback * [mod_magnet] adjust p->conf.stage checks * [mod_magnet] further isolate legacy API result 
tbl * [core] buffer_append_char() convenience func * [mod_accesslog] accesslog.escaping = "json" * [multiple] use buffer_append_char() * [mod_accesslog] remove begin/end tags from %{}t * [core] fix configparser_simplify_regex() comment * [multiple] simplify bytes_in/bytes_out accounting * [mod_accesslog] reorder fields in switch() * [core] remove unused srv->con_* counters * [mod_magnet] read-only access to r->server_name * [core] buffer_append_bs_escaped() * [core] buffer_append_string_c_escaped ASCII optim * [mod_magnet] backspace-escape encode/decode * [mod_status] display HTTP/2 control stream w/ reqs * [multiple] use preferred syntax for Content-Type * [doc] regenerate doc/config/conf.d/mime.conf * [multiple] rename status_counter -> plugin_stats * [core] feature-flag server.metrics-high-precision * [mod_magnet] quiet coverity false positive * [mod_wolfssl] compile fix for OpenWRT * [mod_webdav] If-None-Match: * on non-existent * [mod_magnet] r.req_body .collect .get .set .add * [mod_cgi] fix detection of failing error handler (fixes #3157) * [core] "url-invalid-utf8-reject" normalization opt * [mod_magnet] skip req body collect warn if modsec3 * [build] update descriptions to remove old lua ver * [core] use current dir if context->basedir blank * [multiple] application/javascript text/javascript * [core] reset internal flags after graceful restart * [TLS] inherit ssl.engine from global scope * [core] avoid server.use-ipv6 warning after SIGUSR1 * [mod_webdav] alt handling PROPFIND on collection * [mod_mbedtls] fix crt chain construction logic * [core] h2 SETTINGS_INITIAL_WINDOW_SIZE 64k (fixes #3089) * [core] increase session window size to 256k * [core] h2: avoid sending small WINDOW_UPDATE frames * [core] h2: avoid sending tiny DATA frames * [core] update cached tables with Priority header * [tests] test stubs for http_header.c and http_kv.c Signed-off-by: Wang Mingyu Signed-off-by: Alexandre Belloni 
Signed-off-by: Richard Purdie (cherry picked from commit 47188fa0dc19f160085554360c81bd9f363837d5) Signed-off-by: Sakib Sajal
---
 .../lighttpd/{lighttpd_1.4.64.bb => lighttpd_1.4.65.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-extended/lighttpd/{lighttpd_1.4.64.bb => lighttpd_1.4.65.bb} (97%)
diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.64.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.65.bb
similarity index 97%
rename from meta/recipes-extended/lighttpd/lighttpd_1.4.64.bb
rename to meta/recipes-extended/lighttpd/lighttpd_1.4.65.bb
index 8d2e77e011..10aa27f072 100644
--- a/meta/recipes-extended/lighttpd/lighttpd_1.4.64.bb
+++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.65.bb
@@ -19,7 +19,7 @@ SRC_URI = "http://download.lighttpd.net/lighttpd/releases
[OE-core] [kirkstone][PATCH 2/2] lighttpd: upgrade 1.4.65 -> 1.4.66
From: Alexander Kanavin Signed-off-by: Alexander Kanavin Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry picked from commit 3163134b0f58c58aaabe4e957c30109e63b2d60f) Signed-off-by: Sakib Sajal
---
 .../lighttpd/{lighttpd_1.4.65.bb => lighttpd_1.4.66.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-extended/lighttpd/{lighttpd_1.4.65.bb => lighttpd_1.4.66.bb} (97%)
diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.65.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.66.bb
similarity index 97%
rename from meta/recipes-extended/lighttpd/lighttpd_1.4.65.bb
rename to meta/recipes-extended/lighttpd/lighttpd_1.4.66.bb
index 10aa27f072..801162867c 100644
--- a/meta/recipes-extended/lighttpd/lighttpd_1.4.65.bb
+++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.66.bb
@@ -19,7 +19,7 @@ SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.t
 file://lighttpd \
 "
-SRC_URI[sha256sum] = "bf0fa68a629fbc404023a912b377e70049331d6797bcbb4b3e8df4c3b42328be"
+SRC_URI[sha256sum] = "47ac6e60271aa0196e65472d02d019556dc7c6d09df3b65df2c1ab6866348e3b"
 DEPENDS = "virtual/crypt"
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#170601): https://lists.openembedded.org/g/openembedded-core/message/170601 Mute This Topic: https://lists.openembedded.org/mt/93658479/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [hardknott][meta-oe][PATCH] minicoredumper: retry elf parsing as long as needed
Maximum number of tries, in rare cases, is insufficient for elf parse. Backport patch that fixes the issue. Signed-off-by: Sakib Sajal Signed-off-by: Khem Raj (cherry picked from commit e231c86e282eefff0e8164551f75f8e01682abe6) Signed-off-by: Sakib Sajal
---
 ...-retry-elf-parsing-as-long-as-needed.patch | 128 ++
 .../minicoredumper/minicoredumper_2.0.1.bb| 1 +
 2 files changed, 129 insertions(+)
 create mode 100644 meta-oe/recipes-kernel/minicoredumper/files/0001-minicoredumper-retry-elf-parsing-as-long-as-needed.patch
diff --git a/meta-oe/recipes-kernel/minicoredumper/files/0001-minicoredumper-retry-elf-parsing-as-long-as-needed.patch b/meta-oe/recipes-kernel/minicoredumper/files/0001-minicoredumper-retry-elf-parsing-as-long-as-needed.patch
new file mode 100644
index 0..8d5b8b6cb
--- /dev/null
+++ b/meta-oe/recipes-kernel/minicoredumper/files/0001-minicoredumper-retry-elf-parsing-as-long-as-needed.patch
@@ -0,0 +1,128 @@ +From 7a8c6a06c86e133e4346b1dc66483bd8d0d3c716 Mon Sep 17 00:00:00 2001 +From: John Ogness +Date: Tue, 24 Aug 2021 21:10:43 +0200 +Subject: [PATCH] minicoredumper: retry elf parsing as long as needed + +As was reported in github issue #2 ("maximum number of tries +insufficient, in rare cases, for elf parse"), the number of retries +for parsing a process may be insufficient. Rather than setting an +upper limit on the maximum number of retries, track the number of +headers seen. As long as the number of seen headers is greater than +the previous try, try again. + +In order to avoid introducing any new issues, preserve the behavior +of retrying at least 10 times, even if no new headers are seen. + +Reported-by: github.com/ssajal-wr +Signed-off-by: John Ogness + +Upstream-Status: Backport [7a8c6a06c86e133e4346b1dc66483bd8d0d3c716] + +Signed-off-by: Sakib Sajal +--- + src/minicoredumper/corestripper.c | 30 +++--- + 1 file changed, 23 insertions(+), 7 deletions(-) + +diff --git a/src/minicoredumper/corestripper.c b/src/minicoredumper/corestripper.c +index d96d1df..c96b350 100644 +--- a/src/minicoredumper/corestripper.c b/src/minicoredumper/corestripper.c +@@ -761,7 +761,7 @@ static int init_log(struct dump_info *di) + typedef int elf_parse_cb(struct dump_info *di, Elf *elf, GElf_Phdr *phdr); + + static int do_elf_ph_parse(struct dump_info *di, GElf_Phdr *type, +- elf_parse_cb *callback) ++ elf_parse_cb *callback, size_t *phnum_found) + { + GElf_Ehdr ehdr_mem; + GElf_Ehdr *ehdr; +@@ -770,6 +770,9 @@ static int do_elf_ph_parse(struct dump_info *di, GElf_Phdr *type, + size_t phnum; + size_t cnt; + ++ if (phnum_found) ++ *phnum_found = 0; ++ + /* start from beginning of core */ + if (lseek64(di->elf_fd, 0, SEEK_SET) == -1) { + info("lseek failed: %s", strerror(errno)); +@@ -809,6 +812,9 @@ static int do_elf_ph_parse(struct dump_info *di, GElf_Phdr *type, + goto out; + } + ++ if (phnum_found) ++ *phnum_found = phnum; ++ + for (cnt = 0; cnt < phnum; cnt++) { 
+ GElf_Phdr phdr_mem; + GElf_Phdr *phdr; +@@ -891,7 +897,7 @@ static int vma_cb(struct dump_info *di, Elf *elf, GElf_Phdr *phdr) + /* + * Tries to parse the found ELF headers and reads all vmas from it. + */ +-static int parse_vma_info(struct dump_info *di) ++static int parse_vma_info(struct dump_info *di, size_t *phnum_found) + { + unsigned long min_off = ULONG_MAX; + unsigned long max_len = 0; +@@ -911,7 +917,7 @@ static int parse_vma_info(struct dump_info *di) + memset(, 0, sizeof(type)); + type.p_type = PT_LOAD; + type.p_flags = PF_R; +- if (do_elf_ph_parse(di, , vma_cb) != 0) ++ if (do_elf_ph_parse(di, , vma_cb, phnum_found) != 0) + return -1; + + for (v = di->vma; v; v = v->next) { +@@ -1614,8 +1620,10 @@ int add_core_data(struct dump_info *di, off64_t dest_offset, size_t len, + */ + static int init_src_core(struct dump_info *di, int src) + { ++ size_t last_phnum = 0; + int tries = 0; + int ret = -1; ++ size_t phnum; + size_t len; + char *buf; + long pos; +@@ -1642,7 +1650,7 @@ again: + goto out; + + /* try to elf-parse the core to read vma info */ +- ret = parse_vma_info(di); ++ ret = parse_vma_info(di, ); + + /* restore our position */ + if (lseek64(di->elf_fd, pos, SEEK_SET) == -1) +@@ -1653,9 +1661,17 @@ again: + + tries++; + +- /* maybe try again */ +- if (tries < 10) ++ if (phnum > last_phnum) { ++ /* new headers found, keep trying */ ++ last_phnum = phnum; + goto again; ++ } else if (tries < 10) { ++ /* ++
[OE-core] [kirkstone][meta-oe][PATCH] minicoredumper: retry elf parsing as long as needed
Maximum number of tries, in rare cases, is insufficient for elf parse. Backport patch that fixes the issue. Signed-off-by: Sakib Sajal Signed-off-by: Khem Raj (cherry picked from commit e231c86e282eefff0e8164551f75f8e01682abe6) Signed-off-by: Sakib Sajal --- ...-retry-elf-parsing-as-long-as-needed.patch | 128 ++ .../minicoredumper/minicoredumper_2.0.1.bb| 1 + 2 files changed, 129 insertions(+) create mode 100644 meta-oe/recipes-kernel/minicoredumper/files/0001-minicoredumper-retry-elf-parsing-as-long-as-needed.patch diff --git a/meta-oe/recipes-kernel/minicoredumper/files/0001-minicoredumper-retry-elf-parsing-as-long-as-needed.patch b/meta-oe/recipes-kernel/minicoredumper/files/0001-minicoredumper-retry-elf-parsing-as-long-as-needed.patch new file mode 100644 index 0..8d5b8b6cb --- /dev/null +++ b/meta-oe/recipes-kernel/minicoredumper/files/0001-minicoredumper-retry-elf-parsing-as-long-as-needed.patch 
@@ -0,0 +1,128 @@ +From 7a8c6a06c86e133e4346b1dc66483bd8d0d3c716 Mon Sep 17 00:00:00 2001 +From: John Ogness +Date: Tue, 24 Aug 2021 21:10:43 +0200 +Subject: [PATCH] minicoredumper: retry elf parsing as long as needed + +As was reported in github issue #2 ("maximum number of tries +insufficient, in rare cases, for elf parse"), the number of retries +for parsing a process may be insufficient. Rather than setting an +upper limit on the maximum number of retries, track the number of +headers seen. As long as the number of seen headers is greater than +the previous try, try again. + +In order to avoid introducing any new issues, preserve the behavior +of retrying at least 10 times, even if no new headers are seen. + +Reported-by: github.com/ssajal-wr +Signed-off-by: John Ogness + +Upstream-Status: Backport [7a8c6a06c86e133e4346b1dc66483bd8d0d3c716] + +Signed-off-by: Sakib Sajal +--- + src/minicoredumper/corestripper.c | 30 +++--- + 1 file changed, 23 insertions(+), 7 deletions(-) + +diff --git a/src/minicoredumper/corestripper.c b/src/minicoredumper/corestripper.c +index d96d1df..c96b350 100644 +--- a/src/minicoredumper/corestripper.c b/src/minicoredumper/corestripper.c +@@ -761,7 +761,7 @@ static int init_log(struct dump_info *di) + typedef int elf_parse_cb(struct dump_info *di, Elf *elf, GElf_Phdr *phdr); + + static int do_elf_ph_parse(struct dump_info *di, GElf_Phdr *type, +- elf_parse_cb *callback) ++ elf_parse_cb *callback, size_t *phnum_found) + { + GElf_Ehdr ehdr_mem; + GElf_Ehdr *ehdr; +@@ -770,6 +770,9 @@ static int do_elf_ph_parse(struct dump_info *di, GElf_Phdr *type, + size_t phnum; + size_t cnt; + ++ if (phnum_found) ++ *phnum_found = 0; ++ + /* start from beginning of core */ + if (lseek64(di->elf_fd, 0, SEEK_SET) == -1) { + info("lseek failed: %s", strerror(errno)); +@@ -809,6 +812,9 @@ static int do_elf_ph_parse(struct dump_info *di, GElf_Phdr *type, + goto out; + } + ++ if (phnum_found) ++ *phnum_found = phnum; ++ + for (cnt = 0; cnt < phnum; cnt++) { 
+ GElf_Phdr phdr_mem; + GElf_Phdr *phdr; +@@ -891,7 +897,7 @@ static int vma_cb(struct dump_info *di, Elf *elf, GElf_Phdr *phdr) + /* + * Tries to parse the found ELF headers and reads all vmas from it. + */ +-static int parse_vma_info(struct dump_info *di) ++static int parse_vma_info(struct dump_info *di, size_t *phnum_found) + { + unsigned long min_off = ULONG_MAX; + unsigned long max_len = 0; +@@ -911,7 +917,7 @@ static int parse_vma_info(struct dump_info *di) + memset(, 0, sizeof(type)); + type.p_type = PT_LOAD; + type.p_flags = PF_R; +- if (do_elf_ph_parse(di, , vma_cb) != 0) ++ if (do_elf_ph_parse(di, , vma_cb, phnum_found) != 0) + return -1; + + for (v = di->vma; v; v = v->next) { +@@ -1614,8 +1620,10 @@ int add_core_data(struct dump_info *di, off64_t dest_offset, size_t len, + */ + static int init_src_core(struct dump_info *di, int src) + { ++ size_t last_phnum = 0; + int tries = 0; + int ret = -1; ++ size_t phnum; + size_t len; + char *buf; + long pos; +@@ -1642,7 +1650,7 @@ again: + goto out; + + /* try to elf-parse the core to read vma info */ +- ret = parse_vma_info(di); ++ ret = parse_vma_info(di, ); + + /* restore our position */ + if (lseek64(di->elf_fd, pos, SEEK_SET) == -1) +@@ -1653,9 +1661,17 @@ again: + + tries++; + +- /* maybe try again */ +- if (tries < 10) ++ if (phnum > last_phnum) { ++ /* new headers found, keep trying */ ++ last_phnum = phnum; + goto again; ++ } else if (tries < 10) { ++ /* ++
[OE-core] [hardknott][PATCH] dpkg: fix CVE-2022-1664
Backport patch to fix CVE-2022-1664. Signed-off-by: Sakib Sajal --- ...ive-Prevent-directory-traversal-for-.patch | 329 ++ meta/recipes-devtools/dpkg/dpkg_1.20.7.1.bb | 1 + 2 files changed, 330 insertions(+) create mode 100644 meta/recipes-devtools/dpkg/dpkg/0001-Dpkg-Source-Archive-Prevent-directory-traversal-for-.patch diff --git a/meta/recipes-devtools/dpkg/dpkg/0001-Dpkg-Source-Archive-Prevent-directory-traversal-for-.patch b/meta/recipes-devtools/dpkg/dpkg/0001-Dpkg-Source-Archive-Prevent-directory-traversal-for-.patch new file mode 100644 index 00..9333080d0e --- /dev/null +++ b/meta/recipes-devtools/dpkg/dpkg/0001-Dpkg-Source-Archive-Prevent-directory-traversal-for-.patch 
@@ -0,0 +1,329 @@ +From b4d16af26edae8a40bfaffdabdb6a4560de9f4b6 Mon Sep 17 00:00:00 2001 +From: Guillem Jover +Date: Tue, 3 May 2022 02:09:32 +0200 +Subject: [PATCH] Dpkg::Source::Archive: Prevent directory traversal for + in-place extracts + +For untrusted v2 and v3 source package formats that include a debian.tar +archive, when we are extracting it, we do that as an in-place extraction, +which can lead to directory traversal situations on specially crafted +orig.tar and debian.tar tarballs. + +GNU tar replaces entries on the filesystem by the entries present on +the tarball, but it will follow symlinks when the symlink pathname +itself is not present as an actual directory on the tarball. + +This means we can create an orig.tar where there's a symlink pointing +out of the source tree root directory, and then a debian.tar that +contains an entry within that symlink as if it was a directory, without +a directory entry for the symlink pathname itself, which will be +extracted following the symlink outside the source tree root. + +This is currently noted as expected in GNU tar documentation. But even +if there was a new extraction mode avoiding this problem we'd need such +new version. Using perl's Archive::Tar would solve the problem, but +switching to such different pure perl implementation, could cause +compatibility or performance issues. + +What we do is when we are requested to perform an in-place extract, we +instead still use a temporary directory, then walk that directory and +remove any matching entry in the destination directory, replicating what +GNU tar would do, but in addition avoiding the directory traversal issue +for symlinks. Which should work with any tar implementation and be safe. 
+ +Reported-by: Max Justicz +Stable-Candidates: 1.18.x 1.19.x 1.20.x +Fixes: commit 0c0057a27fecccab77d2b3cffa9a7d172846f0b4 (1.14.17) +Fixes: CVE-2022-1664 +(cherry picked from commit 7a6c03cb34d4a09f35df2f10779cbf1b70a5200b) + +Upstream-Status: Backport [58814cacee39c4ce9e2cd0e3a3b9b57ad437eff5] +CVE: CVE-2022-1664 + +Signed-off-by: Sakib Sajal +--- + scripts/Dpkg/Source/Archive.pm | 122 +--- + scripts/t/Dpkg_Source_Archive.t | 110 +++- + 2 files changed, 204 insertions(+), 28 deletions(-) + +diff --git a/scripts/Dpkg/Source/Archive.pm b/scripts/Dpkg/Source/Archive.pm +index 33c181b20..2ddd04af8 100644 +--- a/scripts/Dpkg/Source/Archive.pm b/scripts/Dpkg/Source/Archive.pm +@@ -21,9 +21,11 @@ use warnings; + our $VERSION = '0.01'; + + use Carp; ++use Errno qw(ENOENT); + use File::Temp qw(tempdir); + use File::Basename qw(basename); + use File::Spec; ++use File::Find; + use Cwd; + + use Dpkg (); +@@ -110,19 +112,13 @@ sub extract { + my %spawn_opts = (wait_child => 1); + + # Prepare destination +-my $tmp; +-if ($opts{in_place}) { +-$spawn_opts{chdir} = $dest; +-$tmp = $dest; # So that fixperms call works +-} else { +-my $template = basename($self->get_filename()) . '.tmp-extract.X'; +-unless (-e $dest) { +-# Kludge so that realpath works +-mkdir($dest) or syserr(g_('cannot create directory %s'), $dest); +-} +-$tmp = tempdir($template, DIR => Cwd::realpath("$dest/.."), CLEANUP => 1); +-$spawn_opts{chdir} = $tmp; ++my $template = basename($self->get_filename()) . '.tmp-extract.X'; ++unless (-e $dest) { ++# Kludge so that realpath works ++mkdir($dest) or syserr(g_('cannot create directory %s'), $dest); + } ++my $tmp = tempdir($template, DIR => Cwd::realpath("$dest/.."), CLEANUP => 1); ++$spawn_opts{chdir} = $tmp; + + # Prepare stuff that handles the input of tar + $self->ensure_open('r', delete_sig => [ 'PIPE' ]); +@@ -145,22 +141,94 @@ sub extract { + # have to be calculated using mount options and other madness. 
+ fixperms($tmp) unless $opts{no_fixperms}; + +-# Stop here if we extracted in-place as there's nothing to move around +-return if $opts{in_place}; +- +-# Rename extracted directory +-opendir(my $dir_dh, $tmp) or syserr(g_('cannot opendir %s'), $tmp); +-my @entries = grep { $_ ne '.' &&
[OE-core] [PATCH 1/2] qemu: fix CVE-2021-3507
Backport required patches to fix CVE-2021-3507. Signed-off-by: Sakib Sajal
---
 meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2021-3507_1.patch | 92 ++ .../qemu/qemu/CVE-2021-3507_2.patch | 115 ++ 3 files changed, 209 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index bcaa56bbba..9fdb8c6428 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -29,6 +29,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch \
 file://qemu-7.0.0-glibc-2.36.patch \
 file://CVE-2022-35414.patch \
+ file://CVE-2021-3507_1.patch \
+ file://CVE-2021-3507_2.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch
new file mode 100644
index 00..24fd2c5ed3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch
@@ -0,0 +1,92 @@ +From 57a89cc36ead7234e540d0ecbe1a792ab6b04cb7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 18 Nov 2021 12:57:32 +0100 +Subject: [PATCH 1/2] hw/block/fdc: Prevent end-of-track overrun + (CVE-2021-3507) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Per the 82078 datasheet, if the end-of-track (EOT byte in +the FIFO) is more than the number of sectors per side, the +command is terminated unsuccessfully: + +* 5.2.5 DATA TRANSFER TERMINATION + + The 82078 supports terminal count explicitly through + the TC pin and implicitly through the underrun/over- + run and end-of-track (EOT) functions. For full sector + transfers, the EOT parameter can define the last + sector to be transferred in a single or multisector + transfer. If the last sector to be transferred is a par- + tial sector, the host can stop transferring the data in + mid-sector, and the 82078 will continue to complete + the sector as if a hardware TC was received. The + only difference between these implicit functions and + TC is that they return "abnormal termination" result + status. Such status indications can be ignored if they + were expected. + +* 6.1.3 READ TRACK + + This command terminates when the EOT specified + number of sectors have been read. If the 82078 + does not find an I D Address Mark on the diskette + after the second· occurrence of a pulse on the + INDX# pin, then it sets the IC code in Status Regis- + ter 0 to "01" (Abnormal termination), sets the MA bit + in Status Register 1 to "1", and terminates the com- + mand. + +* 6.1.6 VERIFY + + Refer to Table 6-6 and Table 6-7 for information + concerning the values of MT and EC versus SC and + EOT value. + +* Table 6·6. Result Phase Table + +* Table 6-7. Verify Command Result Phase Table + +Fix by aborting the transfer when EOT > # Sectors Per Side. 
+ +Cc: qemu-sta...@nongnu.org +Cc: Hervé Poussineau +Fixes: baca51faff0 ("floppy driver: disk geometry auto detect") +Reported-by: Alexander Bulekov +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339 +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <2028115733.4038610-2-phi...@redhat.com> +Reviewed-by: Hanna Reitz +Signed-off-by: Kevin Wolf + +Upstream-Status: Backport [defac5e2fbddf8423a354ff0454283a2115e1367] +CVE: CVE-2021-3507 + +Signed-off-by: Sakib Sajal +--- + hw/block/fdc.c | 8 + 1 file changed, 8 insertions(+) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 347875a0c..57bb35579 100644 +--- a/hw/block/fdc.c b/hw/block/fdc.c +@@ -1530,6 +1530,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction) + int tmp; + fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]); + tmp = (fdctrl->fifo[6] - ks + 1); ++if (tmp < 0) { ++FLOPPY_DPRINTF("invalid EOT: %d\n", tmp); ++fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00); ++fdctrl->fifo[3] = kt; ++fdctrl->fifo[4] = kh; ++fdctrl->fifo[5] = ks; ++return; ++} + if (fdctrl->fifo[0] & 0x80) + tmp += fdctrl->fifo[6]; + fdctrl->data_len *= tmp; +-- +2.33.0 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch new file mode 100644 index 00..acc93e897b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch @@ -0,0 +1,115 @@ +F
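Review bot: The guard added in fdctrl_start_transfer rejects only a negative sector count, `if (tmp < 0)`, i.e. an EOT byte below the starting sector `ks`, whereas the patch description says the transfer is aborted when EOT exceeds the number of sectors per side; that upper bound is not checked anywhere in this hunk, so the description and the check should be reconciled, or the header should say where the upper bound is enforced if it is handled elsewhere. A comment on the check would make the intent durable, e.g. `/* EOT below the start sector: nothing to transfer, abnormal termination (82078 5.2.5) */`. fdctrl_start_transfer starts and ends outside the hunk.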
[OE-core] [PATCH 2/2] qemu: fix CVE-2022-0216
Backport required patches to fix CVE-2022-0216. Signed-off-by: Sakib Sajal
---
 meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2022-0216_1.patch | 42 + .../qemu/qemu/CVE-2022-0216_2.patch | 146 ++ 3 files changed, 190 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 9fdb8c6428..56fc7aaf55 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -31,6 +31,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2022-35414.patch \
 file://CVE-2021-3507_1.patch \
 file://CVE-2021-3507_2.patch \
+ file://CVE-2022-0216_1.patch \
+ file://CVE-2022-0216_2.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch
new file mode 100644
index 00..56fc34ce5a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch
@@ -0,0 +1,42 @@ +From f37ac8619a39498edd225c4a0b3039b28814833d Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Tue, 5 Jul 2022 22:05:43 +0200 +Subject: [PATCH 1/2] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout + (CVE-2022-0216) + +Set current_req->req to NULL to prevent reusing a free'd buffer in case of +repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch. + +Fixes: CVE-2022-0216 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Thomas Huth +Message-Id: <20220705200543.2366809-1-mcasc...@redhat.com> +Signed-off-by: Paolo Bonzini + +Upstream-Status: Backport [6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8] +CVE: CVE-2022-0216 + +Signed-off-by: Sakib Sajal +--- + hw/scsi/lsi53c895a.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index c8773f73f..99ea42d49 100644 +--- a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s) + case 0x0d: + /* The ABORT TAG message clears the current I/O process only. */ + trace_lsi_do_msgout_abort(current_tag); +-if (current_req) { ++if (current_req && current_req->req) { + scsi_req_cancel(current_req->req); ++current_req->req = NULL; + } + lsi_disconnect(s); + break; +-- +2.33.0 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch new file mode 100644 index 00..f332154b6a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch 
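Review bot: The fix carried in CVE-2022-0216_1.patch, `current_req->req = NULL;` after `scsi_req_cancel(current_req->req)`, is itself corrected by CVE-2022-0216_2.patch in this same series, whose description states that `current_req`, not `current_req->req`, must be cleared; on its own the first backport therefore still leaves the cancelled request reachable through `current_req`, and it does not cover the CLEAR QUEUE and BUS DEVICE RESET paths the second patch adds. Since both files are added together the resulting code is the upstream end state, but the header of this patch should say it is carried only as a prerequisite, e.g. a line after the Upstream-Status tag: `Superseded by CVE-2022-0216_2.patch; kept so that it applies cleanly.` lsi_do_msgout starts and ends outside the hunk.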
@@ -0,0 +1,146 @@ +From 5451bf6db85ce3da1238e9154d051ebccec8f171 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Mon, 11 Jul 2022 14:33:16 +0200 +Subject: [PATCH 2/2] scsi/lsi53c895a: really fix use-after-free in + lsi_do_msgout (CVE-2022-0216) + +Set current_req to NULL, not current_req->req, to prevent reusing a free'd +buffer in case of repeated SCSI cancel requests. Also apply the fix to +CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel +the request. + +Thanks to Alexander Bulekov for providing a reproducer. + +Fixes: CVE-2022-0216 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 +Signed-off-by: Mauro Matteo Cascella +Tested-by: Alexander Bulekov +Message-Id: <20220711123316.421279-1-mcasc...@redhat.com> +Signed-off-by: Paolo Bonzini + +Upstream-Status: Backport [4367a20cc442c56b05611b4224de9a61908f9eac] +CVE: CVE-2022-0216 + +Signed-off-by: Sakib Sajal +--- + hw/scsi/lsi53c895a.c | 3 +- + tests/qtest/fuzz-lsi53c895a-test.c | 76 ++ + 2 files changed, 78 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 99ea42d49..ad5f5e5f3 100644 +--- a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s) + trace_lsi_do_msgout_abort(current_tag); + if (current_req && current_req->req) { + scsi_req_cancel(current_req->req); +-current_req->req = NULL; ++current_req = NULL; + } + lsi_disconnect(s); + break; +@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s) + /* clear the current I/O process */ + if (s->current) { + scsi_req_cancel(s->current->req); ++current_req = NULL; + } + + /* As the curr
[OE-core] [kirkstone][PATCH] u-boot: fix CVE-2022-33967
Backport patch to fix CVE-2022-33967. Signed-off-by: Sakib Sajal --- ...s-squashfs-Use-kcalloc-when-relevant.patch | 64 +++ meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 + 2 files changed, 65 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/0001-fs-squashfs-Use-kcalloc-when-relevant.patch diff --git a/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-Use-kcalloc-when-relevant.patch b/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-Use-kcalloc-when-relevant.patch new file mode 100644 index 00..70fdbb1031 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-Use-kcalloc-when-relevant.patch 
@@ -0,0 +1,64 @@ +From 50d4b8b9effcf9dc9e5a90034de2f0003fb063f0 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Mon, 27 Jun 2022 12:20:03 +0200 +Subject: [PATCH] fs/squashfs: Use kcalloc when relevant + +A crafted squashfs image could embed a huge number of empty metadata +blocks in order to make the amount of malloc()'d memory overflow and be +much smaller than expected. Because of this flaw, any random code +positioned at the right location in the squashfs image could be memcpy'd +from the squashfs structures into U-Boot code location while trying to +access the rearmost blocks, before being executed. + +In order to prevent this vulnerability from being exploited in eg. a +secure boot environment, let's add a check over the amount of data +that is going to be allocated. Such a check could look like: + +if (!elem_size || n > SIZE_MAX / elem_size) + return NULL; + +The right way to do it would be to enhance the calloc() implementation +but this is quite an impacting change for such a small fix. Another +solution would be to add the check before the malloc call in the +squashfs implementation, but this does not look right. So for now, let's +use the kcalloc() compatibility function from Linux, which has this +check. 
+ +Fixes: c5100613037 ("fs/squashfs: new filesystem") +Reported-by: Tatsuhiko Yasumatsu +Signed-off-by: Miquel Raynal +Tested-by: Tatsuhiko Yasumatsu + +Upstream-Status: Backport [7f7fb9937c6cb49dd35153bd6708872b390b0a44] +CVE: CVE-2022-33967 + +Signed-off-by: Sakib Sajal +--- + fs/squashfs/sqfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +index e2d91c654c..10e63afbce 100644 +--- a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -725,7 +726,8 @@ static int sqfs_read_inode_table(unsigned char **inode_table) + goto free_itb; + } + +- *inode_table = malloc(metablks_count * SQFS_METADATA_BLOCK_SIZE); ++ *inode_table = kcalloc(metablks_count, SQFS_METADATA_BLOCK_SIZE, ++ GFP_KERNEL); + if (!*inode_table) { + ret = -ENOMEM; + goto free_itb; +-- +2.33.0 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index 147f6e8183..0cb0e33282 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb @@ -5,6 +5,7 @@ SRC_URI:append = " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://0001-riscv-fix-build-with-binutils-2.38.patch \ file://0001-i2c-fix-stack-buffer-overflow-vulnerability-in-i2c-m.patch \ file://0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch \ + file://0001-fs-squashfs-Use-kcalloc-when-relevant.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native" -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#169645): https://lists.openembedded.org/g/openembedded-core/message/169645 Mute This Topic: https://lists.openembedded.org/mt/93134588/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
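Review bot: The switch from `malloc(metablks_count * SQFS_METADATA_BLOCK_SIZE)` to `kcalloc(metablks_count, SQFS_METADATA_BLOCK_SIZE, GFP_KERNEL)` in sqfs_read_inode_table carries the size-overflow check only implicitly, through the multiplication guard the commit message attributes to kcalloc; a comment at the call would keep a later "simplify back to malloc" cleanup from reintroducing the issue, e.g. `/* kcalloc, not malloc: rejects metablks_count * block-size overflow from a crafted image (CVE-2022-33967) */`. kcalloc also zero-fills the table where malloc did not, a behavioural difference the hunk does not mention. The header name on the added `#include` line is not visible in this rendering (it appears to have been stripped as markup), so whether it is the one declaring kcalloc cannot be checked here. sqfs_read_inode_table starts and ends outside the hunk.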
[OE-core] [kirkstone][PATCH] u-boot: fix CVE-2022-30552
Backport patch to fix CVE-2022-30552. Signed-off-by: Sakib Sajal --- ...e-minimum-IP-fragmented-datagram-siz.patch | 207 ++ meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 + 2 files changed, 208 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch diff --git a/meta/recipes-bsp/u-boot/files/0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch b/meta/recipes-bsp/u-boot/files/0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch new file mode 100644 index 00..3f9cc7776b --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch 
@@ -0,0 +1,207 @@ +From c7cab39de5e4b22620248a190b3d2ee46cff38c2 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Thu, 26 May 2022 11:14:37 -0300 +Subject: [PATCH] net: Check for the minimum IP fragmented datagram size + +Nicolas Bidron and Nicolas Guigo reported the two bugs below: + +" +--BUG 1-- + +In compiled versions of U-Boot that define CONFIG_IP_DEFRAG, a value of +`ip->ip_len` (IP packet header's Total Length) higher than `IP_HDR_SIZE` +and strictly lower than `IP_HDR_SIZE+8` will lead to a value for `len` +comprised between `0` and `7`. This will ultimately result in a +truncated division by `8` resulting value of `0` forcing the hole +metadata and fragment to point to the same location. The subsequent +memcopy will overwrite the hole metadata with the fragment data. Through +a second fragment, this can be exploited to write to an arbitrary offset +controlled by that overwritten hole metadata value. + +This bug is only exploitable locally as it requires crafting two packets +the first of which would most likely be dropped through routing due to +its unexpectedly low Total Length. However, this bug can potentially be +exploited to root linux based embedded devices locally. 
+ +```C +static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp) +{ + static uchar pkt_buff[IP_PKTSIZE] __aligned(PKTALIGN); + static u16 first_hole, total_len; + struct hole *payload, *thisfrag, *h, *newh; + struct ip_udp_hdr *localip = (struct ip_udp_hdr *)pkt_buff; + uchar *indata = (uchar *)ip; + int offset8, start, len, done = 0; + u16 ip_off = ntohs(ip->ip_off); + + /* payload starts after IP header, this fragment is in there */ + payload = (struct hole *)(pkt_buff + IP_HDR_SIZE); + offset8 = (ip_off & IP_OFFS); + thisfrag = payload + offset8; + start = offset8 * 8; + len = ntohs(ip->ip_len) - IP_HDR_SIZE; +``` + +The last line of the previous excerpt from `u-boot/net/net.c` shows how +the attacker can control the value of `len` to be strictly lower than +`8` by issuing a packet with `ip_len` between `21` and `27` +(`IP_HDR_SIZE` has a value of `20`). + +Also note that `offset8` here is `0` which leads to `thisfrag = payload`. + +```C + } else if (h >= thisfrag) { + /* overlaps with initial part of the hole: move this hole */ + newh = thisfrag + (len / 8); + *newh = *h; + h = newh; + if (h->next_hole) + payload[h->next_hole].prev_hole = (h - payload); + if (h->prev_hole) + payload[h->prev_hole].next_hole = (h - payload); + else + first_hole = (h - payload); + + } else { +``` + +Lower down the same function, execution reaches the above code path. +Here, `len / 8` evaluates to `0` leading to `newh = thisfrag`. Also note +that `first_hole` here is `0` since `h` and `payload` point to the same +location. + +```C + /* finally copy this fragment and possibly return whole packet */ + memcpy((uchar *)thisfrag, indata + IP_HDR_SIZE, len); +``` + +Finally, in the above excerpt the `memcpy` overwrites the hole metadata +since `thisfrag` and `h` both point to the same location. The hole +metadata is effectively overwritten with arbitrary data from the +fragmented IP packet data. 
If `len` was crafted to be `6`, `last_byte`, +`next_hole`, and `prev_hole` of the `first_hole` can be controlled by +the attacker. + +Finally the arbitrary offset write occurs through a second fragment that +only needs to be crafted to write data in the hole pointed to by the +previously controlled hole metadata (`next_hole`) from the first packet. + + ### Recommendation + +Handle cases where `len` is strictly lower than 8 by preventing the +overwrite of the hole metadata during the memcpy of the fragment. This +could be achieved by either: +* Moving the location where the hole metadata is stored when `len` is +lower than `8`. +* Or outright rejecting fragmented IP datagram with a Total Length +(`ip_len`) lower than 28 bytes which is the minimum valid fragmented IP +datagram size (as defined as the minimum fragment of 8 octets in the IP +Specification Document: +[RFC791](https://datatracker.ietf.org/doc/html/rfc
[OE-core] [kirkstone][PATCH] go: update v1.17.12 -> v1.17.13
Update to latest v1.17.x release. Contains fix for CVE-2022-32189. go.git$ git log --oneline go1.17.12^..go1.17.13 15da892a49 (tag: go1.17.13, origin/release-branch.go1.17) [release-branch.go1.17] go1.17.13 703c8ab7e5 [release-branch.go1.17] math/big: check buffer lengths in GobDecode d9242f7a8c [release-branch.go1.17] cmd/compile: do not use special literal assignment if LHS is address-taken 489c148578 [release-branch.go1.17] cmd/compile: fix prove pass when upper condition is <= maxint 66c60f076c [release-branch.go1.17] runtime: clear timerModifiedEarliest when last timer is deleted c25b12fb81 [release-branch.go1.17] runtime: use saved LR when unwinding through morestack 1ed3c127da (tag: go1.17.12) [release-branch.go1.17] go1.17.12 
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/go/{go-1.17.12.inc => go-1.17.13.inc} | 2 +- ...o-binary-native_1.17.12.bb => go-binary-native_1.17.13.bb} | 4 ++-- ...cross-canadian_1.17.12.bb => go-cross-canadian_1.17.13.bb} | 0 .../go/{go-cross_1.17.12.bb => go-cross_1.17.13.bb} | 0 .../go/{go-crosssdk_1.17.12.bb => go-crosssdk_1.17.13.bb} | 0 .../go/{go-native_1.17.12.bb => go-native_1.17.13.bb} | 0 .../go/{go-runtime_1.17.12.bb => go-runtime_1.17.13.bb} | 0 meta/recipes-devtools/go/{go_1.17.12.bb => go_1.17.13.bb} | 0 8 files changed, 3 insertions(+), 3 deletions(-) rename meta/recipes-devtools/go/{go-1.17.12.inc => go-1.17.13.inc} (92%) rename meta/recipes-devtools/go/{go-binary-native_1.17.12.bb => go-binary-native_1.17.13.bb} (83%) rename meta/recipes-devtools/go/{go-cross-canadian_1.17.12.bb => go-cross-canadian_1.17.13.bb} (100%) rename meta/recipes-devtools/go/{go-cross_1.17.12.bb => go-cross_1.17.13.bb} (100%) rename meta/recipes-devtools/go/{go-crosssdk_1.17.12.bb => go-crosssdk_1.17.13.bb} (100%) rename meta/recipes-devtools/go/{go-native_1.17.12.bb => go-native_1.17.13.bb} (100%) rename meta/recipes-devtools/go/{go-runtime_1.17.12.bb => go-runtime_1.17.13.bb} (100%) rename meta/recipes-devtools/go/{go_1.17.12.bb => go_1.17.13.bb} (100%) diff --git a/meta/recipes-devtools/go/go-1.17.12.inc b/meta/recipes-devtools/go/go-1.17.13.inc similarity index 92% rename from meta/recipes-devtools/go/go-1.17.12.inc rename to meta/recipes-devtools/go/go-1.17.13.inc index 77a983f9d0..95d0fb7e98 100644 --- a/meta/recipes-devtools/go/go-1.17.12.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc 
@@ -17,7 +17,7 @@ SRC_URI += "\ file://0001-exec.go-do-not-write-linker-flags-into-buildids.patch \ file://0001-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ " -SRC_URI[main.sha256sum] = "0d51b5b3f280c0f01f534598c0219db5878f337da6137a9ee698777413607209" +SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" # Upstream don't believe it is a signifiant real world issue and will only # fix in 1.17 onwards where we can drop this. diff --git a/meta/recipes-devtools/go/go-binary-native_1.17.12.bb b/meta/recipes-devtools/go/go-binary-native_1.17.13.bb similarity index 83% rename from meta/recipes-devtools/go/go-binary-native_1.17.12.bb rename to meta/recipes-devtools/go/go-binary-native_1.17.13.bb index b034950721..4ee0148417 100644 --- a/meta/recipes-devtools/go/go-binary-native_1.17.12.bb +++ b/meta/recipes-devtools/go/go-binary-native_1.17.13.bb @@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" PROVIDES = "go-native" SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}; -SRC_URI[go_linux_amd64.sha256sum] = "6e5203fbdcade4aa4331e441fd2e1db8444681a6a6c72886a37ddd11caa415d4" -SRC_URI[go_linux_arm64.sha256sum] = "74a4832d0f150a2d768a6781553494ba84152e854ebef743c4092cd9d1f66a9f" +SRC_URI[go_linux_amd64.sha256sum] = "4cdd2bc664724dc7db94ad51b503512c5ae7220951cac568120f64f8e94399fc" +SRC_URI[go_linux_arm64.sha256sum] = "914daad3f011cc2014dea799bb7490442677e4ad6de0b2ac3ded6cee7e3f493d" UPSTREAM_CHECK_URI = "https://golang.org/dl/; UPSTREAM_CHECK_REGEX = "go(?P\d+(\.\d+)+)\.linux" diff --git a/meta/recipes-devtools/go/go-cross-canadian_1.17.12.bb b/meta/recipes-devtools/go/go-cross-canadian_1.17.13.bb similarity index 100% rename from meta/recipes-devtools/go/go-cross-canadian_1.17.12.bb rename to meta/recipes-devtools/go/go-cross-canadian_1.17.13.bb 
diff --git a/meta/recipes-devtools/go/go-cross_1.17.12.bb b/meta/recipes-devtools/go/go-cross_1.17.13.bb similarity index 100% rename from meta/recipes-devtools/go/go-cross_1.17.12.bb rename to meta/recipes-devtools/go/go-cross_1.17.13.bb diff --git a/meta/recipes-devtools/go/go-crosssdk_1.17.12.bb b/meta/recipes-devtools/go/go-crosssdk_1.17.13.bb similarity index 100% rename from meta/recipes-devtools/go/go-crosss
Re: [OE-core] [kirkstone][PATCH] u-boot: fix CVE-2022-33103
On 2022-08-10 12:30, Steve Sakoman wrote: [Please note: This e-mail is from an EXTERNAL e-mail address] On Wed, Aug 10, 2022 at 5:35 AM Sakib Sajal wrote: Steve, did you miss this patch? I did :-( I've got it now. Sorry about that. No worries! :) Steve On 2022-07-26 15:18, Sakib Sajal wrote: Backport patch to resolve CVE-2022-33103. Signed-off-by: Sakib Sajal --- ..._read-Prevent-arbitrary-code-executi.patch | 80 +++ meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 + 2 files changed, 81 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch diff --git a/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch b/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch new file mode 100644 index 00..b1650f6baa --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch 
@@ -0,0 +1,80 @@ +From 65f1066f5abe291c7b10b6075fd60776074a38a9 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Thu, 9 Jun 2022 16:02:06 +0200 +Subject: [PATCH] fs/squashfs: sqfs_read: Prevent arbitrary code execution + +Following Jincheng's report, an out-of-band write leading to arbitrary +code execution is possible because on one side the squashfs logic +accepts directory names up to 65535 bytes (u16), while U-Boot fs logic +accepts directory names up to 255 bytes long. + +Prevent such an exploit from happening by capping directory name sizes +to 255. Use a define for this purpose so that developers can link the +limitation to its source and eventually kill it some day by dynamically +allocating this array (if ever desired). + +Link: https://lore.kernel.org/all/CALO=dhfb+yboxxvr5kcsk0ifdg+e7ywko4-e+72kjbcs8jb...@mail.gmail.com +Reported-by: Jincheng Wang +Signed-off-by: Miquel Raynal +Tested-by: Jincheng Wang + +CVE: CVE-2022-33103 +Upstream-Status: Backport [2ac0baab4aff1a0b45067d0b62f00c15f4e86856] + +Signed-off-by: Sakib Sajal +--- + fs/squashfs/sqfs.c | 8 +--- + include/fs.h | 4 +++- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +index e2d91c654c..a145d754cc 100644 +--- a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +@@ -973,6 +973,7 @@ int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp) + int i_number, offset = 0, ret; + struct fs_dirent *dent; + unsigned char *ipos; ++u16 name_size; + + dirs = (struct squashfs_dir_stream *)fs_dirs; + if (!dirs->size) { +@@ -1055,9 +1056,10 @@ int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp) + return -SQFS_STOP_READDIR; + } + +-/* Set entry name */ +-strncpy(dent->name, dirs->entry->name, dirs->entry->name_size + 1); +-dent->name[dirs->entry->name_size + 1] = '\0'; ++/* Set entry name (capped at FS_DIRENT_NAME_LEN which is a U-Boot limitation) */ ++name_size = min_t(u16, dirs->entry->name_size + 1, FS_DIRENT_NAME_LEN 
- 1); ++strncpy(dent->name, dirs->entry->name, name_size); ++dent->name[name_size] = '\0'; + + offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH; + dirs->entry_count--; +diff --git a/include/fs.h b/include/fs.h +index 1c79e299fd..6cb7ec89f4 100644 +--- a/include/fs.h b/include/fs.h +@@ -161,6 +161,8 @@ int fs_write(const char *filename, ulong addr, loff_t offset, loff_t len, + #define FS_DT_REG 8 /* regular file */ + #define FS_DT_LNK 10/* symbolic link */ + ++#define FS_DIRENT_NAME_LEN 256 ++ + /** + * struct fs_dirent - directory entry + * +@@ -181,7 +183,7 @@ struct fs_dirent { + /** change_time:time of last modification */ + struct rtc_time change_time; + /** name: file name */ +-char name[256]; ++char name[FS_DIRENT_NAME_LEN]; + }; + + /* Note: fs_dir_stream should be treated as opaque to the user of fs layer */ +-- +2.33.0 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index f2443723e2..a6a15d698f 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb @@ -4,6 +4,7 @@ require u-boot.inc SRC_URI:append = " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://0001-riscv-fix-build-with-binutils-2.38.patch \ file://0001-i2c-fix-stack-buffer-overflow-vulnerability-in-i2c-m.patch \ + file://0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native" -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#169272): https://lists.openembedded.org/g/openembed
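Review bot: The cap `name_size = min_t(u16, dirs->entry->name_size + 1, FS_DIRENT_NAME_LEN - 1);` has an edge case at the top of the u16 range: if min_t() converts both operands to u16 before comparing (as the kernel-derived macro does), an on-disk name_size of 65535 makes `name_size + 1` wrap to 0, so that entry gets an empty name instead of a truncated one. Doing the arithmetic in a wider type avoids it, e.g. `name_size = min_t(unsigned int, dirs->entry->name_size + 1u, FS_DIRENT_NAME_LEN - 1);` (the result still fits the u16 local). The copy itself is bounded as intended: name_size is at most 255, so `dent->name[name_size]` stays inside the 256-byte array, and the unchanged `offset` computation keeps using the on-disk name_size so directory parsing is not affected by the truncation. sqfs_readdir's body starts and ends outside the hunk; the same hunk is quoted again in the two later copies of this patch on the page (the second reply and the original post).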
Re: [OE-core] [kirkstone][PATCH] u-boot: fix CVE-2022-33103
Steve, did you miss this patch? On 2022-07-26 15:18, Sakib Sajal wrote: Backport patch to resolve CVE-2022-33103. Signed-off-by: Sakib Sajal --- ..._read-Prevent-arbitrary-code-executi.patch | 80 +++ meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 + 2 files changed, 81 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch diff --git a/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch b/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch new file mode 100644 index 00..b1650f6baa --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch 
@@ -0,0 +1,80 @@ +From 65f1066f5abe291c7b10b6075fd60776074a38a9 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Thu, 9 Jun 2022 16:02:06 +0200 +Subject: [PATCH] fs/squashfs: sqfs_read: Prevent arbitrary code execution + +Following Jincheng's report, an out-of-band write leading to arbitrary +code execution is possible because on one side the squashfs logic +accepts directory names up to 65535 bytes (u16), while U-Boot fs logic +accepts directory names up to 255 bytes long. + +Prevent such an exploit from happening by capping directory name sizes +to 255. Use a define for this purpose so that developers can link the +limitation to its source and eventually kill it some day by dynamically +allocating this array (if ever desired). + +Link: https://lore.kernel.org/all/CALO=dhfb+yboxxvr5kcsk0ifdg+e7ywko4-e+72kjbcs8jb...@mail.gmail.com +Reported-by: Jincheng Wang +Signed-off-by: Miquel Raynal +Tested-by: Jincheng Wang + +CVE: CVE-2022-33103 +Upstream-Status: Backport [2ac0baab4aff1a0b45067d0b62f00c15f4e86856] + +Signed-off-by: Sakib Sajal +--- + fs/squashfs/sqfs.c | 8 +--- + include/fs.h | 4 +++- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +index e2d91c654c..a145d754cc 100644 +--- a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +@@ -973,6 +973,7 @@ int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp) + int i_number, offset = 0, ret; + struct fs_dirent *dent; + unsigned char *ipos; ++ u16 name_size; + + dirs = (struct squashfs_dir_stream *)fs_dirs; + if (!dirs->size) { +@@ -1055,9 +1056,10 @@ int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp) + return -SQFS_STOP_READDIR; + } + +- /* Set entry name */ +- strncpy(dent->name, dirs->entry->name, dirs->entry->name_size + 1); +- dent->name[dirs->entry->name_size + 1] = '\0'; ++ /* Set entry name (capped at FS_DIRENT_NAME_LEN which is a U-Boot limitation) */ ++ name_size = min_t(u16, dirs->entry->name_size + 1, 
FS_DIRENT_NAME_LEN - 1); ++ strncpy(dent->name, dirs->entry->name, name_size); ++ dent->name[name_size] = '\0'; + + offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH; + dirs->entry_count--; +diff --git a/include/fs.h b/include/fs.h +index 1c79e299fd..6cb7ec89f4 100644 +--- a/include/fs.h b/include/fs.h +@@ -161,6 +161,8 @@ int fs_write(const char *filename, ulong addr, loff_t offset, loff_t len, + #define FS_DT_REG 8 /* regular file */ + #define FS_DT_LNK 10/* symbolic link */ + ++#define FS_DIRENT_NAME_LEN 256 ++ + /** + * struct fs_dirent - directory entry + * +@@ -181,7 +183,7 @@ struct fs_dirent { + /** change_time:time of last modification */ + struct rtc_time change_time; + /** name: file name */ +- char name[256]; ++ char name[FS_DIRENT_NAME_LEN]; + }; + + /* Note: fs_dir_stream should be treated as opaque to the user of fs layer */ +-- +2.33.0 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index f2443723e2..a6a15d698f 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb @@ -4,6 +4,7 @@ require u-boot.inc SRC_URI:append = " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://0001-riscv-fix-build-with-binutils-2.38.patch \ file://0001-i2c-fix-stack-buffer-overflow-vulnerability-in-i2c-m.patch \ + file://0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native" -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#169198): https://lists.openembedded.org/g/openembedded-core/message/169198 Mute This Topic: https://lists.openembedded.org/mt/92635002/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [kirkstone][PATCH 5/5] qemu: fix CVE-2022-0216
Backport relevant patches to fix CVE-2022-0216. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2022-0216_1.patch | 42 +++ .../qemu/qemu/CVE-2022-0216_2.patch | 52 +++ 3 files changed, 96 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 44d4c9ca2f..a493ac8add 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -41,6 +41,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3929.patch \ file://CVE-2021-4158.patch \ file://CVE-2022-0358.patch \ + file://CVE-2022-0216_1.patch \ + file://CVE-2022-0216_2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch new file mode 100644 index 00..de7458fc72 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch 
@@ -0,0 +1,42 @@ +From 1cedc914b2c4b4e0c9dfcd1b0e02917af35b5eb6 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Tue, 5 Jul 2022 22:05:43 +0200 +Subject: [PATCH 1/3] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout + (CVE-2022-0216) + +Set current_req->req to NULL to prevent reusing a free'd buffer in case of +repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch. + +Fixes: CVE-2022-0216 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Thomas Huth +Message-Id: <20220705200543.2366809-1-mcasc...@redhat.com> +Signed-off-by: Paolo Bonzini + +Upstream-Status: Backport [6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8] +CVE: CVE-2022-0216 + +Signed-off-by: Sakib Sajal +--- + hw/scsi/lsi53c895a.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 85e907a78..8033cf050 100644 +--- a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +@@ -1029,8 +1029,9 @@ static void lsi_do_msgout(LSIState *s) + case 0x0d: + /* The ABORT TAG message clears the current I/O process only. */ + trace_lsi_do_msgout_abort(current_tag); +-if (current_req) { ++if (current_req && current_req->req) { + scsi_req_cancel(current_req->req); ++current_req->req = NULL; + } + lsi_disconnect(s); + break; +-- +2.33.0 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch new file mode 100644 index 00..12f5a602da --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch 
@@ -0,0 +1,52 @@ +From 8f2c2cb908758192d5ebc00605cbf0989b8a507c Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Mon, 11 Jul 2022 14:33:16 +0200 +Subject: [PATCH 3/3] scsi/lsi53c895a: really fix use-after-free in + lsi_do_msgout (CVE-2022-0216) + +Set current_req to NULL, not current_req->req, to prevent reusing a free'd +buffer in case of repeated SCSI cancel requests. Also apply the fix to +CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel +the request. + +Thanks to Alexander Bulekov for providing a reproducer. + +Fixes: CVE-2022-0216 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 +Signed-off-by: Mauro Matteo Cascella +Tested-by: Alexander Bulekov +Message-Id: <20220711123316.421279-1-mcasc...@redhat.com> +Signed-off-by: Paolo Bonzini + +Upstream-Status: Backport [4367a20cc442c56b05611b4224de9a61908f9eac] +CVE: CVE-2022-0216 + +Signed-off-by: Sakib Sajal +--- + hw/scsi/lsi53c895a.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 8033cf050..fbe3fa3dd 100644 +--- a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +@@ -1031,7 +1031,7 @@ static void lsi_do_msgout(LSIState *s) + trace_lsi_do_msgout_abort(current_tag); + if (current_req && current_req->req) { + scsi_req_cancel(current_req->req); +-current_req->req = NULL; ++current_req = NULL; + } + lsi_disconnect(s); + break; +@@ -1057,6 +1057,7 @@ static void lsi_do_msgout(LSIState *s) + /* clear the current I/O process */ + if (s->current) { + scsi_req_cancel(s->current->req); ++current_req = NULL; + } + + /* As the current implemented devices scsi_disk and scsi_generic +-- +2.33.0 + -- 2.33.0 -=-=-=-=-=-=
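Review bot: In the second hunk of CVE-2022-0216_2.patch, `current_req = NULL;` is added under `if (s->current)` with no comment saying why a local pointer is cleared after `scsi_req_cancel(s->current->req)`; the patch header explains that the cancel path can free the request, leaving the local dangling for a repeated cancel message, and the code should say so, e.g. `/* scsi_req_cancel() may free the request; clear our local so a repeated cancel cannot reuse it */`. The same comment belongs on the `current_req = NULL;` line in the first hunk of this patch. CVE-2022-0216_1.patch appears to be carried only so that this patch applies on top of it (its `current_req->req = NULL` is replaced here); a line in the patch header or next to the two `file://` entries in qemu.inc would save the next backporter from treating it as a standalone fix, and the upstream numbering (1/3 and 3/3) leaves it unstated whether 2/3 was evaluated and found unnecessary. lsi_do_msgout's body starts and ends outside the hunk.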
[OE-core] [kirkstone][PATCH 2/5] qemu: fix CVE-2021-3929
Backport patch to fix CVE-2021-3929. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3929.patch | 70 +++ 2 files changed, 71 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index dd30313fdd..53bad5c453 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -38,6 +38,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2022-35414.patch \ file://CVE-2021-3507_1.patch \ file://CVE-2021-3507_2.patch \ + file://CVE-2021-3929.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch new file mode 100644 index 00..7555e5bc40 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch 
@@ -0,0 +1,70 @@ +From 12daeafc9868c1ebe482d580494f9e6d3d5c260f Mon Sep 17 00:00:00 2001 +From: Klaus Jensen +Date: Fri, 17 Dec 2021 10:44:01 +0100 +Subject: [PATCH] hw/nvme: fix CVE-2021-3929 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the +device itself. This still allows DMA to MMIO regions of other devices +(e.g. doing P2P DMA to the controller memory buffer of another NVMe +device). + +Fixes: CVE-2021-3929 +Reported-by: Qiuhao Li +Reviewed-by: Keith Busch +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Klaus Jensen + +Upstream-Status: Backport [736b01642d85be832385063f278fe7cd4ffb5221] +CVE: CVE-2021-3929 + +Signed-off-by: Sakib Sajal +--- + hw/nvme/ctrl.c | 22 ++ + 1 file changed, 22 insertions(+) + +diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c +index 5f573c417..eda52c6ac 100644 +--- a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c +@@ -357,6 +357,24 @@ static inline void *nvme_addr_to_pmr(NvmeCtrl *n, hwaddr addr) + return memory_region_get_ram_ptr(>pmr.dev->mr) + (addr - n->pmr.cba); + } + ++static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr) ++{ ++hwaddr hi, lo; ++ ++/* ++ * The purpose of this check is to guard against invalid "local" access to ++ * the iomem (i.e. controller registers). Thus, we check against the range ++ * covered by the 'bar0' MemoryRegion since that is currently composed of ++ * two subregions (the NVMe "MBAR" and the MSI-X table/pba). Note, however, ++ * that if the device model is ever changed to allow the CMB to be located ++ * in BAR0 as well, then this must be changed. 
++ */ ++lo = n->bar0.addr; ++hi = lo + int128_get64(n->bar0.size); ++ ++return addr >= lo && addr < hi; ++} ++ + static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) + { + hwaddr hi = addr + size - 1; +@@ -614,6 +632,10 @@ static uint16_t nvme_map_addr(NvmeCtrl *n, NvmeSg *sg, hwaddr addr, size_t len) + + trace_pci_nvme_map_addr(addr, len); + ++if (nvme_addr_is_iomem(n, addr)) { ++return NVME_DATA_TRAS_ERROR; ++} ++ + if (nvme_addr_is_cmb(n, addr)) { + cmb = true; + } else if (nvme_addr_is_pmr(n, addr)) { +-- +2.33.0 + -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#169192): https://lists.openembedded.org/g/openembedded-core/message/169192 Mute This Topic: https://lists.openembedded.org/mt/92937190/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
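Review bot: The new guard in nvme_map_addr checks only the first byte of the transfer, `if (nvme_addr_is_iomem(n, addr))`, while the mapping covers `[addr, addr + len)`; a range that starts just below bar0 and extends into it passes the check, and the unchanged nvme_addr_read context right after the helper already does its range math with `addr + size - 1`, which suggests the same whole-range treatment here. A range-overlap form, `static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr, size_t len)` with body `return addr < hi && (addr >= lo || len > lo - addr);` and the call `if (nvme_addr_is_iomem(n, addr, len))`, rejects any overlap with bar0 without overflowing hwaddr. Whether the sglist code later splits such a transfer at the region boundary is outside the hunk, so this may already be caught downstream — worth confirming before relying on the start-address check alone. nvme_map_addr's body starts and ends outside the hunk.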
[OE-core] [kirkstone][PATCH 4/5] qemu: fix CVE-2022-0358
Backport patch to fix CVE-2022-0358. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2022-0358.patch | 106 ++ 2 files changed, 107 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0358.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 1d04ad3c67..44d4c9ca2f 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -40,6 +40,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3507_2.patch \ file://CVE-2021-3929.patch \ file://CVE-2021-4158.patch \ + file://CVE-2022-0358.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0358.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0358.patch new file mode 100644 index 00..8eb1475638 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0358.patch 
@@ -0,0 +1,106 @@ +From 4d2558ec9336d3614a43f7437c9cf74793ae3a87 Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Tue, 25 Jan 2022 13:51:14 -0500 +Subject: [PATCH] virtiofsd: Drop membership of all supplementary groups + (CVE-2022-0358) + +At the start, drop membership of all supplementary groups. This is +not required. + +If we have membership of "root" supplementary group and when we switch +uid/gid using setresuid/setsgid, we still retain membership of existing +supplemntary groups. And that can allow some operations which are not +normally allowed. + +For example, if root in guest creates a dir as follows. + +$ mkdir -m 03777 test_dir + +This sets SGID on dir as well as allows unprivileged users to write into +this dir. + +And now as unprivileged user open file as follows. + +$ su test +$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755); + +This will create SGID set executable in test_dir/. + +And that's a problem because now an unpriviliged user can execute it, +get egid=0 and get access to resources owned by "root" group. This is +privilege escalation. + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863 +Fixes: CVE-2022-0358 +Reported-by: JIETAO XIAO +Suggested-by: Miklos Szeredi +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Dr. David Alan Gilbert +Signed-off-by: Vivek Goyal +Message-Id: +Signed-off-by: Dr. 
David Alan Gilbert + dgilbert: Fixed missing {}'s style nit + +Upstream-Status: Backport [449e8171f96a6a944d1f3b7d3627ae059eae21ca] +CVE: CVE-2022-0358 + +Signed-off-by: Sakib Sajal +--- + tools/virtiofsd/passthrough_ll.c | 27 +++ + 1 file changed, 27 insertions(+) + +diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c +index 64b5b4fbb..b3d0674f6 100644 +--- a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c +@@ -54,6 +54,7 @@ + #include + #include + #include ++#include + + #include "qemu/cutils.h" + #include "passthrough_helpers.h" +@@ -1161,6 +1162,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name) + #define OURSYS_setresuid SYS_setresuid + #endif + ++static void drop_supplementary_groups(void) ++{ ++int ret; ++ ++ret = getgroups(0, NULL); ++if (ret == -1) { ++fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n", ++ errno, strerror(errno)); ++exit(1); ++} ++ ++if (!ret) { ++return; ++} ++ ++/* Drop all supplementary groups. We should not need it */ ++ret = setgroups(0, NULL); ++if (ret == -1) { ++fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n", ++ errno, strerror(errno)); ++exit(1); ++} ++} ++ + /* + * Change to uid/gid of caller so that file is created with + * ownership of caller. +@@ -3926,6 +3951,8 @@ int main(int argc, char *argv[]) + + qemu_init_exec_dir(argv[0]); + ++drop_supplementary_groups(); ++ + pthread_mutex_init(, NULL); + lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal); + lo.root.fd = -1; +-- +2.33.0 + -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#169195): https://lists.openembedded.org/g/openembedded-core/message/169195 Mute This Topic: https://lists.openembedded.org/mt/92937193/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
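Review bot: drop_supplementary_groups() turns a non-empty supplementary group list into a hard `exit(1)` when `setgroups(0, NULL)` fails, and setgroups() requires CAP_SETGID; a virtiofsd started without that capability but with supplementary groups would now refuse to start, which neither the patch header nor the code states. A comment above the `getgroups(0, NULL)` call would make the design explicit, e.g. `/* Only call setgroups() when there is something to drop; it needs CAP_SETGID and would otherwise fail on an unprivileged start. */` — presumably that is why the count is checked first, to be confirmed with the author. The call is placed in main() right after `qemu_init_exec_dir(argv[0])`, i.e. before option parsing, so the drop cannot be affected by command-line options; a one-line comment there saying the placement is deliberate would keep a future reorder from undoing it. main()'s body starts and ends outside the hunk.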
[OE-core] [kirkstone][PATCH 1/5] qemu: fix CVE-2021-3507
Backport relevant patches to fix CVE-2021-3507. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2021-3507_1.patch | 92 ++ .../qemu/qemu/CVE-2021-3507_2.patch | 115 ++ 3 files changed, 209 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 54a68e1730..dd30313fdd 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -36,6 +36,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-4206.patch \ file://CVE-2021-4207.patch \ file://CVE-2022-35414.patch \ + file://CVE-2021-3507_1.patch \ + file://CVE-2021-3507_2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch new file mode 100644 index 00..4201610f4d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch 
@@ -0,0 +1,92 @@ +From 963ac2cd5186b28fbfdecd15ac43afe1dbaf871a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 18 Nov 2021 12:57:32 +0100 +Subject: [PATCH 1/2] hw/block/fdc: Prevent end-of-track overrun + (CVE-2021-3507) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Per the 82078 datasheet, if the end-of-track (EOT byte in +the FIFO) is more than the number of sectors per side, the +command is terminated unsuccessfully: + +* 5.2.5 DATA TRANSFER TERMINATION + + The 82078 supports terminal count explicitly through + the TC pin and implicitly through the underrun/over- + run and end-of-track (EOT) functions. For full sector + transfers, the EOT parameter can define the last + sector to be transferred in a single or multisector + transfer. If the last sector to be transferred is a par- + tial sector, the host can stop transferring the data in + mid-sector, and the 82078 will continue to complete + the sector as if a hardware TC was received. The + only difference between these implicit functions and + TC is that they return "abnormal termination" result + status. Such status indications can be ignored if they + were expected. + +* 6.1.3 READ TRACK + + This command terminates when the EOT specified + number of sectors have been read. If the 82078 + does not find an I D Address Mark on the diskette + after the second· occurrence of a pulse on the + INDX# pin, then it sets the IC code in Status Regis- + ter 0 to "01" (Abnormal termination), sets the MA bit + in Status Register 1 to "1", and terminates the com- + mand. + +* 6.1.6 VERIFY + + Refer to Table 6-6 and Table 6-7 for information + concerning the values of MT and EC versus SC and + EOT value. + +* Table 6·6. Result Phase Table + +* Table 6-7. Verify Command Result Phase Table + +Fix by aborting the transfer when EOT > # Sectors Per Side. 
+ +Cc: qemu-sta...@nongnu.org +Cc: Hervé Poussineau +Fixes: baca51faff0 ("floppy driver: disk geometry auto detect") +Reported-by: Alexander Bulekov +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339 +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <2028115733.4038610-2-phi...@redhat.com> +Reviewed-by: Hanna Reitz +Signed-off-by: Kevin Wolf + +Upstream-Status: Backport [defac5e2fbddf8423a354ff0454283a2115e1367] +CVE: CVE-2021-3507 + +Signed-off-by: Sakib Sajal +--- + hw/block/fdc.c | 8 + 1 file changed, 8 insertions(+) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 21d18ac2e..24b05406e 100644 +--- a/hw/block/fdc.c b/hw/block/fdc.c +@@ -1529,6 +1529,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction) + int tmp; + fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]); + tmp = (fdctrl->fifo[6] - ks + 1); ++if (tmp < 0) { ++FLOPPY_DPRINTF("invalid EOT: %d\n", tmp); ++fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00); ++fdctrl->fifo[3] = kt; ++fdctrl->fifo[4] = kh; ++fdctrl->fifo[5] = ks; ++return; ++} + if (fdctrl->fifo[0] & 0x80) + tmp += fdctrl->fifo[6]; + fdctrl->data_len *= tmp; +-- +2.33.0 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch new file mode 100644 index 00..9f00d9c0d0 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch @@ -0,0 +1,115 @@ +From ec5725982f811d9728ad1f9940df0e9349397e67 Mon Sep 1
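Review bot: The check `if (tmp < 0)` and the commit message disagree: the message says the transfer is aborted when EOT exceeds the number of sectors per side, but `tmp = (fdctrl->fifo[6] - ks + 1)` goes negative only when EOT is below the start sector, and nothing in the hunk compares fifo[6] with the drive's sector count. The check should carry a comment stating what it actually rejects, e.g. `/* EOT below the start sector would make the data_len multiplication negative */`, and the patch header or comment should point at where the EOT-vs-sectors-per-side bound lives, if it exists. `tmp == 0` (EOT exactly one below the start sector) still passes and, without the multi-track bit, yields `data_len` of 0 — worth confirming the transfer code copes with a zero length. fdctrl_start_transfer's body starts and ends outside the hunk, and patch 2/2 of this series is cut off at the end of the page, so whether it adds the remaining bound cannot be seen here.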
[OE-core] [kirkstone][PATCH 3/5] qemu: fix CVE-2021-4158
Backport patch to fix CVE-2021-4158. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-4158.patch | 46 +++ 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4158.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 53bad5c453..1d04ad3c67 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -39,6 +39,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3507_1.patch \ file://CVE-2021-3507_2.patch \ file://CVE-2021-3929.patch \ + file://CVE-2021-4158.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4158.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4158.patch new file mode 100644 index 00..f6de53244f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4158.patch 
@@ -0,0 +1,46 @@ +From a0b64c6d078acb9bcfae600e22bf99a9a7deca7c Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Tue, 21 Dec 2021 09:45:44 -0500 +Subject: [PATCH] acpi: validate hotplug selector on access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When bus is looked up on a pci write, we didn't +validate that the lookup succeeded. +Fuzzers thus can trigger QEMU crash by dereferencing the NULL +bus pointer. + +Fixes: b32bd763a1 ("pci: introduce acpi-index property for PCI device") +Fixes: CVE-2021-4158 +Cc: "Igor Mammedov" +Fixes: https://gitlab.com/qemu-project/qemu/-/issues/770 +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Ani Sinha + +Upstream-Status: Backport [9bd6565ccee68f72d5012e24646e12a1c662827e] +CVE: CVE-2021-4158 + +Signed-off-by: Sakib Sajal +--- + hw/acpi/pcihp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c +index 30405b511..a5e182dd3 100644 +--- a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c +@@ -491,6 +491,9 @@ static void pci_write(void *opaque, hwaddr addr, uint64_t data, + } + + bus = acpi_pcihp_find_hotplug_bus(s, s->hotplug_select); ++if (!bus) { ++break; ++} + QTAILQ_FOREACH_SAFE(kid, >qbus.children, sibling, next) { + Object *o = OBJECT(kid->child); + PCIDevice *dev = PCI_DEVICE(o); +-- +2.33.0 + -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#169193): https://lists.openembedded.org/g/openembedded-core/message/169193 Mute This Topic: https://lists.openembedded.org/mt/92937191/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
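Review bot: The new `if (!bus) { break; }` silently discards a write whose `s->hotplug_select` names no hotplug bus, and the hunk carries no comment explaining that the selector is guest-written, so a later reader cannot tell whether the break is an error path or a normal case. A one-line comment settles it, e.g. `/* hotplug_select is guest-controlled and may not name any bus; ignore the access */`. If this device already reports malformed guest accesses through qemu_log_mask(LOG_GUEST_ERROR, ...) elsewhere, the same call here would make such writes visible in logs instead of vanishing; that is a judgement for the maintainer, since the rest of pci_write is outside the hunk. pci_write's body starts and ends outside the hunk.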
[OE-core] [kirkstone][PATCH] u-boot: fix CVE-2022-33103
Backport patch to resolve CVE-2022-33103. Signed-off-by: Sakib Sajal --- ..._read-Prevent-arbitrary-code-executi.patch | 80 +++ meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 + 2 files changed, 81 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch diff --git a/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch b/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch new file mode 100644 index 00..b1650f6baa --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch 
@@ -0,0 +1,80 @@ +From 65f1066f5abe291c7b10b6075fd60776074a38a9 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Thu, 9 Jun 2022 16:02:06 +0200 +Subject: [PATCH] fs/squashfs: sqfs_read: Prevent arbitrary code execution + +Following Jincheng's report, an out-of-band write leading to arbitrary +code execution is possible because on one side the squashfs logic +accepts directory names up to 65535 bytes (u16), while U-Boot fs logic +accepts directory names up to 255 bytes long. + +Prevent such an exploit from happening by capping directory name sizes +to 255. Use a define for this purpose so that developers can link the +limitation to its source and eventually kill it some day by dynamically +allocating this array (if ever desired). + +Link: https://lore.kernel.org/all/CALO=dhfb+yboxxvr5kcsk0ifdg+e7ywko4-e+72kjbcs8jb...@mail.gmail.com +Reported-by: Jincheng Wang +Signed-off-by: Miquel Raynal +Tested-by: Jincheng Wang + +CVE: CVE-2022-33103 +Upstream-Status: Backport [2ac0baab4aff1a0b45067d0b62f00c15f4e86856] + +Signed-off-by: Sakib Sajal +--- + fs/squashfs/sqfs.c | 8 +--- + include/fs.h | 4 +++- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +index e2d91c654c..a145d754cc 100644 +--- a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +@@ -973,6 +973,7 @@ int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp) + int i_number, offset = 0, ret; + struct fs_dirent *dent; + unsigned char *ipos; ++ u16 name_size; + + dirs = (struct squashfs_dir_stream *)fs_dirs; + if (!dirs->size) { +@@ -1055,9 +1056,10 @@ int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp) + return -SQFS_STOP_READDIR; + } + +- /* Set entry name */ +- strncpy(dent->name, dirs->entry->name, dirs->entry->name_size + 1); +- dent->name[dirs->entry->name_size + 1] = '\0'; ++ /* Set entry name (capped at FS_DIRENT_NAME_LEN which is a U-Boot limitation) */ ++ name_size = min_t(u16, dirs->entry->name_size + 1, 
FS_DIRENT_NAME_LEN - 1); ++ strncpy(dent->name, dirs->entry->name, name_size); ++ dent->name[name_size] = '\0'; + + offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH; + dirs->entry_count--; +diff --git a/include/fs.h b/include/fs.h +index 1c79e299fd..6cb7ec89f4 100644 +--- a/include/fs.h b/include/fs.h +@@ -161,6 +161,8 @@ int fs_write(const char *filename, ulong addr, loff_t offset, loff_t len, + #define FS_DT_REG 8 /* regular file */ + #define FS_DT_LNK 10/* symbolic link */ + ++#define FS_DIRENT_NAME_LEN 256 ++ + /** + * struct fs_dirent - directory entry + * +@@ -181,7 +183,7 @@ struct fs_dirent { + /** change_time:time of last modification */ + struct rtc_time change_time; + /** name: file name */ +- char name[256]; ++ char name[FS_DIRENT_NAME_LEN]; + }; + + /* Note: fs_dir_stream should be treated as opaque to the user of fs layer */ +-- +2.33.0 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index f2443723e2..a6a15d698f 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb @@ -4,6 +4,7 @@ require u-boot.inc SRC_URI:append = " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://0001-riscv-fix-build-with-binutils-2.38.patch \ file://0001-i2c-fix-stack-buffer-overflow-vulnerability-in-i2c-m.patch \ + file://0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native" -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#168511): https://lists.openembedded.org/g/openembedded-core/message/168511 Mute This Topic: https://lists.openembedded.org/mt/92635002/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
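Review bot: The new comment says the name is "capped at FS_DIRENT_NAME_LEN", but `min_t(u16, dirs->entry->name_size + 1, FS_DIRENT_NAME_LEN - 1)` caps it at `FS_DIRENT_NAME_LEN - 1` to leave room for the terminator written on the next line; `/* Set entry name, truncated to FS_DIRENT_NAME_LEN - 1 bytes (fs_dirent limit) */` would match the code. The truncation is also silent: two squashfs entries that differ only beyond byte 255 become identical names in the listing, so a debug-level message when `dirs->entry->name_size + 1 > FS_DIRENT_NAME_LEN - 1` would make crafted images visible to whoever is debugging a boot. `offset` is still advanced by the untruncated `dirs->entry->name_size + 1`, which is correct, since the on-disk entry length is unchanged. sqfs_readdir begins before the hunk.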
[OE-core] [kirkstone][PATCH] git: upgrade v2.35.3 -> v2.35.4
Minor upgrade which includes fix for CVE-2022-29187. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/git/{git_2.35.3.bb => git_2.35.4.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-devtools/git/{git_2.35.3.bb => git_2.35.4.bb} (98%) diff --git a/meta/recipes-devtools/git/git_2.35.3.bb b/meta/recipes-devtools/git/git_2.35.4.bb similarity index 98% rename from meta/recipes-devtools/git/git_2.35.3.bb rename to meta/recipes-devtools/git/git_2.35.4.bb index 794045c8b7..18f39875db 100644 --- a/meta/recipes-devtools/git/git_2.35.3.bb +++ b/meta/recipes-devtools/git/git_2.35.4.bb @@ -165,4 +165,4 @@ EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \ " EXTRA_OEMAKE += "NO_GETTEXT=1" -SRC_URI[tarball.sha256sum] = "cad708072d5c0b390c71651f5edb44143f00b357766973470bf9adebc0944c03" +SRC_URI[tarball.sha256sum] = "4970108bdc227e2c3687899f8fc7501c54c839dcc42f4d999ac9e3e3f52df583" -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#168495): https://lists.openembedded.org/g/openembedded-core/message/168495 Mute This Topic: https://lists.openembedded.org/mt/92621931/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [kirkstone][PATCH] go: update v1.17.10 -> v1.17.12
go.git$ git log --oneline go1.17.10..go1.17.12 1ed3c127da (tag: go1.17.12) [release-branch.go1.17] go1.17.12 cd54600b86 [release-branch.go1.17] encoding/gob: add a depth limit for ignored fields 76f8b7304d [release-branch.go1.17] path/filepath: fix stack exhaustion in Glob 8c1d8c8362 [release-branch.go1.17] io/fs: fix stack exhaustion in Glob 0117dee7dc [release-branch.go1.17] compress/gzip: fix stack exhaustion bug in Reader.Read ba8788ebce [release-branch.go1.17] go/parser: limit recursion depth 2678d0c957 [release-branch.go1.17] encoding/xml: limit depth of nesting in unmarshal 58facfbe7d [release-branch.go1.17] encoding/xml: use iterative Skip, rather than recursive ed2f33e1a7 [release-branch.go1.17] net/http: preserve nil values in Header.Clone d13431c37a [release-branch.go1.17] net/http: don't strip whitespace from Transfer-Encoding headers ae2dfcc1c8 [release-branch.go1.17] runtime: add race annotations to cbs.lock fc07039e23 [release-branch.go1.17] runtime: add race annotations to metricsSema 9ef614f5aa [release-branch.go1.17] cmd/compile: allow 128-bit values to be spilled b1be664d64 [release-branch.go1.17] runtime: store consistent total allocation stats as uint64 77cc1c0def [release-branch.go1.17] cmd/go: pass --no-decorate when listing git tags for a commit 8d2935ab7c [release-branch.go1.17] cmd/dist: test cgo internal linking on darwin-arm64 651a8d81ba [release-branch.go1.17] cmd/dist: skip internal linking tests on arm64 26cdea3acc (tag: go1.17.11) [release-branch.go1.17] go1.17.11 4c69fd51a9 [release-branch.go1.17] path/filepath: do not remove prefix "." when following path contains ":". 
909881db03 [release-branch.go1.17] misc/cgo/testsanitizers: buffer the signal channel in TestTSAN/tsan11 03c2e56f68 [release-branch.go1.17] crypto/tls: avoid extra allocations in steady-state Handshake calls c15a8e2dbb [release-branch.go1.17] crypto/tls: randomly generate ticket_age_add 590b53fac9 [release-branch.go1.17] os/exec: return clear error for missing cmd.Path 2be03d789d [release-branch.go1.17] crypto/rand: properly handle large Read on windows 65701ad2b4 [release-branch.go1.17] misc/cgo/testsanitizers: use buffered channel in tsan12.go e846f3f2d6 [release-branch.go1.17] runtime: skip TestGdbBacktrace flakes matching a known GDB internal error a9003376d5 [release-branch.go1.17] cmd/dist: consistently set PWD when executing a command in a different directory 0e7138a102 [release-branch.go1.17] runtime: mark TestGcSys as flaky 
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/go/{go-1.17.10.inc => go-1.17.12.inc} | 2 +- ...o-binary-native_1.17.10.bb => go-binary-native_1.17.12.bb} | 4 ++-- ...cross-canadian_1.17.10.bb => go-cross-canadian_1.17.12.bb} | 0 .../go/{go-cross_1.17.10.bb => go-cross_1.17.12.bb} | 0 .../go/{go-crosssdk_1.17.10.bb => go-crosssdk_1.17.12.bb} | 0 .../go/{go-native_1.17.10.bb => go-native_1.17.12.bb} | 0 .../go/{go-runtime_1.17.10.bb => go-runtime_1.17.12.bb} | 0 meta/recipes-devtools/go/{go_1.17.10.bb => go_1.17.12.bb} | 0 8 files changed, 3 insertions(+), 3 deletions(-) rename meta/recipes-devtools/go/{go-1.17.10.inc => go-1.17.12.inc} (92%) rename meta/recipes-devtools/go/{go-binary-native_1.17.10.bb => go-binary-native_1.17.12.bb} (83%) rename meta/recipes-devtools/go/{go-cross-canadian_1.17.10.bb => go-cross-canadian_1.17.12.bb} (100%) rename meta/recipes-devtools/go/{go-cross_1.17.10.bb => go-cross_1.17.12.bb} (100%) rename meta/recipes-devtools/go/{go-crosssdk_1.17.10.bb => go-crosssdk_1.17.12.bb} (100%) rename meta/recipes-devtools/go/{go-native_1.17.10.bb => go-native_1.17.12.bb} (100%) rename meta/recipes-devtools/go/{go-runtime_1.17.10.bb => go-runtime_1.17.12.bb} (100%) rename meta/recipes-devtools/go/{go_1.17.10.bb => go_1.17.12.bb} (100%) diff --git a/meta/recipes-devtools/go/go-1.17.10.inc b/meta/recipes-devtools/go/go-1.17.12.inc similarity index 92% rename from meta/recipes-devtools/go/go-1.17.10.inc rename to meta/recipes-devtools/go/go-1.17.12.inc index e71feb5d02..77a983f9d0 100644 --- a/meta/recipes-devtools/go/go-1.17.10.inc +++ b/meta/recipes-devtools/go/go-1.17.12.inc 
@@ -17,7 +17,7 @@ SRC_URI += "\ file://0001-exec.go-do-not-write-linker-flags-into-buildids.patch \ file://0001-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ " -SRC_URI[main.sha256sum] = "299e55af30f15691b015d8dcf8ecae72412412569e5b2ece20361753a456f2f9" +SRC_URI[main.sha256sum] = "0d51b5b3f280c0f01f534598c0219db5878f337da6137a9ee698777413607209" # Upstream don't believe it is a signifiant real world issue and will only # fix in 1.17 onwards where we can drop this. diff --git a/meta/recipes-devtools/go/go-binary-native_1.17.10.bb b/meta/recipes-devtools/go/go-binary-native_1.17.12.bb similarity index 83% rename from meta/recipes-devtools/go/go-binary-native_1.17.10.bb rename to m
[OE-core] [kirkstone][PATCH] dpkg: fix CVE-2022-1664
Backport patch to fix CVE-2022-1664. Signed-off-by: Sakib Sajal --- ...ive-Prevent-directory-traversal-for-.patch | 328 ++ meta/recipes-devtools/dpkg/dpkg_1.21.4.bb | 1 + 2 files changed, 329 insertions(+) create mode 100644 meta/recipes-devtools/dpkg/dpkg/0001-Dpkg-Source-Archive-Prevent-directory-traversal-for-.patch diff --git a/meta/recipes-devtools/dpkg/dpkg/0001-Dpkg-Source-Archive-Prevent-directory-traversal-for-.patch b/meta/recipes-devtools/dpkg/dpkg/0001-Dpkg-Source-Archive-Prevent-directory-traversal-for-.patch new file mode 100644 index 00..d249d854fb --- /dev/null +++ b/meta/recipes-devtools/dpkg/dpkg/0001-Dpkg-Source-Archive-Prevent-directory-traversal-for-.patch 
@@ -0,0 +1,328 @@ +From 6d8a6799639f8853a2af1f9036bc70fddbfdd2a2 Mon Sep 17 00:00:00 2001 +From: Guillem Jover +Date: Tue, 3 May 2022 02:09:32 +0200 +Subject: [PATCH] Dpkg::Source::Archive: Prevent directory traversal for + in-place extracts + +For untrusted v2 and v3 source package formats that include a debian.tar +archive, when we are extracting it, we do that as an in-place extraction, +which can lead to directory traversal situations on specially crafted +orig.tar and debian.tar tarballs. + +GNU tar replaces entries on the filesystem by the entries present on +the tarball, but it will follow symlinks when the symlink pathname +itself is not present as an actual directory on the tarball. + +This means we can create an orig.tar where there's a symlink pointing +out of the source tree root directory, and then a debian.tar that +contains an entry within that symlink as if it was a directory, without +a directory entry for the symlink pathname itself, which will be +extracted following the symlink outside the source tree root. + +This is currently noted as expected in GNU tar documentation. But even +if there was a new extraction mode avoiding this problem we'd need such +new version. Using perl's Archive::Tar would solve the problem, but +switching to such different pure perl implementation, could cause +compatibility or performance issues. + +What we do is when we are requested to perform an in-place extract, we +instead still use a temporary directory, then walk that directory and +remove any matching entry in the destination directory, replicating what +GNU tar would do, but in addition avoiding the directory traversal issue +for symlinks. Which should work with any tar implementation and be safe. 
+ +Reported-by: Max Justicz +Stable-Candidates: 1.18.x 1.19.x 1.20.x +Fixes: commit 0c0057a27fecccab77d2b3cffa9a7d172846f0b4 (1.14.17) +Fixes: CVE-2022-1664 + +CVE: CVE-2022-1664 +Upstream-Status: Backport [7a6c03cb34d4a09f35df2f10779cbf1b70a5200b] + +Signed-off-by: Sakib Sajal +--- + scripts/Dpkg/Source/Archive.pm | 122 +--- + scripts/t/Dpkg_Source_Archive.t | 110 +++- + 2 files changed, 204 insertions(+), 28 deletions(-) + +diff --git a/scripts/Dpkg/Source/Archive.pm b/scripts/Dpkg/Source/Archive.pm +index 33c181b20..2ddd04af8 100644 +--- a/scripts/Dpkg/Source/Archive.pm b/scripts/Dpkg/Source/Archive.pm +@@ -21,9 +21,11 @@ use warnings; + our $VERSION = '0.01'; + + use Carp; ++use Errno qw(ENOENT); + use File::Temp qw(tempdir); + use File::Basename qw(basename); + use File::Spec; ++use File::Find; + use Cwd; + + use Dpkg (); +@@ -110,19 +112,13 @@ sub extract { + my %spawn_opts = (wait_child => 1); + + # Prepare destination +-my $tmp; +-if ($opts{in_place}) { +-$spawn_opts{chdir} = $dest; +-$tmp = $dest; # So that fixperms call works +-} else { +-my $template = basename($self->get_filename()) . '.tmp-extract.X'; +-unless (-e $dest) { +-# Kludge so that realpath works +-mkdir($dest) or syserr(g_('cannot create directory %s'), $dest); +-} +-$tmp = tempdir($template, DIR => Cwd::realpath("$dest/.."), CLEANUP => 1); +-$spawn_opts{chdir} = $tmp; ++my $template = basename($self->get_filename()) . '.tmp-extract.X'; ++unless (-e $dest) { ++# Kludge so that realpath works ++mkdir($dest) or syserr(g_('cannot create directory %s'), $dest); + } ++my $tmp = tempdir($template, DIR => Cwd::realpath("$dest/.."), CLEANUP => 1); ++$spawn_opts{chdir} = $tmp; + + # Prepare stuff that handles the input of tar + $self->ensure_open('r', delete_sig => [ 'PIPE' ]); +@@ -145,22 +141,94 @@ sub extract { + # have to be calculated using mount options and other madness. 
+ fixperms($tmp) unless $opts{no_fixperms}; + +-# Stop here if we extracted in-place as there's nothing to move around +-return if $opts{in_place}; +- +-# Rename extracted directory +-opendir(my $dir_dh, $tmp) or syserr(g_('cannot opendir %s'), $tmp); +-my @entries = grep { $_ ne '.' && $_ ne '..' } readdir($dir_dh); +-closedir($dir_dh); +-my $don
[OE-core] [PATCH][V2] u-boot: upgrade 2022.04 -> 2022.07
License change came due to U-Boot commit: fba0882bcd Add valgrind headers to U-Boot Signed-off-by: Sakib Sajal --- meta/recipes-bsp/u-boot/u-boot-common.inc | 4 ++-- .../{u-boot-tools_2022.04.bb => u-boot-tools_2022.07.bb} | 0 .../u-boot/{u-boot_2022.04.bb => u-boot_2022.07.bb} | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-bsp/u-boot/{u-boot-tools_2022.04.bb => u-boot-tools_2022.07.bb} (100%) rename meta/recipes-bsp/u-boot/{u-boot_2022.04.bb => u-boot_2022.07.bb} (100%) diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc index 8fc33608d0..d7fd3c7227 100644 --- a/meta/recipes-bsp/u-boot/u-boot-common.inc +++ b/meta/recipes-bsp/u-boot/u-boot-common.inc @@ -7,12 +7,12 @@ SECTION = "bootloaders" DEPENDS += "flex-native bison-native" LICENSE = "GPL-2.0-or-later" -LIC_FILES_CHKSUM = "file://Licenses/README;md5=5a7450c57ffe5ae63fd732446b988025" +LIC_FILES_CHKSUM = "file://Licenses/README;md5=2ca5f2c35c8cc335f0a19756634782f1" PE = "1" # We use the revision in order to avoid having to fetch it from the # repo during parse -SRCREV = "e4b6ebd3de982ae7185dbf689a030e73fd06e0d2" +SRCREV = "e092e3250270a1016c877da7bdd9384f14b1321e" SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master" diff --git a/meta/recipes-bsp/u-boot/u-boot-tools_2022.04.bb b/meta/recipes-bsp/u-boot/u-boot-tools_2022.07.bb similarity index 100% rename from meta/recipes-bsp/u-boot/u-boot-tools_2022.04.bb rename to meta/recipes-bsp/u-boot/u-boot-tools_2022.07.bb 
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.04.bb b/meta/recipes-bsp/u-boot/u-boot_2022.07.bb similarity index 100% rename from meta/recipes-bsp/u-boot/u-boot_2022.04.bb rename to meta/recipes-bsp/u-boot/u-boot_2022.07.bb -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#167935): https://lists.openembedded.org/g/openembedded-core/message/167935 Mute This Topic: https://lists.openembedded.org/mt/92335149/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [PATCH] u-boot: upgrade 2022.04 -> 2022.07
On 2022-07-12 04:41, ZHIZHIKIN Andrey wrote: [Please note: This e-mail is from an EXTERNAL e-mail address] Hello Sakib, Alex just chased me up, but nevertheless... -Original Message- From: Sakib Sajal Sent: Tuesday, July 12, 2022 4:37 AM To: openembedded-core@lists.openembedded.org Subject: [PATCH] u-boot: upgrade 2022.04 -> 2022.07 Signed-off-by: Sakib Sajal --- meta/recipes-bsp/u-boot/u-boot-common.inc | 4 ++-- .../{u-boot-tools_2022.04.bb => u-boot-tools_2022.07.bb} | 0 .../u-boot/{u-boot_2022.04.bb => u-boot_2022.07.bb} | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-bsp/u-boot/{u-boot-tools_2022.04.bb => u-boot- tools_2022.07.bb} (100%) rename meta/recipes-bsp/u-boot/{u-boot_2022.04.bb => u-boot_2022.07.bb} (100%) diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u- boot/u-boot-common.inc index 8fc33608d0..d7fd3c7227 100644 --- a/meta/recipes-bsp/u-boot/u-boot-common.inc +++ b/meta/recipes-bsp/u-boot/u-boot-common.inc @@ -7,12 +7,12 @@ SECTION = "bootloaders" DEPENDS += "flex-native bison-native" LICENSE = "GPL-2.0-or-later" -LIC_FILES_CHKSUM = "file://Licenses/README;md5=5a7450c57ffe5ae63fd732446b988025" +LIC_FILES_CHKSUM = "file://Licenses/README;md5=2ca5f2c35c8cc335f0a19756634782f1" Please explain in the commit message that License change came due to U-Boot commit fba0882bcdfd ("Add valgrind headers to U-Boot"). Thanks for pointing that out, v2 sent! PE = "1" # We use the revision in order to avoid having to fetch it from the # repo during parse -SRCREV = "e4b6ebd3de982ae7185dbf689a030e73fd06e0d2" +SRCREV = "e092e3250270a1016c877da7bdd9384f14b1321e" SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master" diff --git a/meta/recipes-bsp/u-boot/u-boot-tools_2022.04.bb b/meta/recipes- bsp/u-boot/u-boot-tools_2022.07.bb similarity index 100% rename from meta/recipes-bsp/u-boot/u-boot-tools_2022.04.bb rename to meta/recipes-bsp/u-boot/u-boot-tools_2022.07.bb 
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.04.bb b/meta/recipes-bsp/u- boot/u-boot_2022.07.bb similarity index 100% rename from meta/recipes-bsp/u-boot/u-boot_2022.04.bb rename to meta/recipes-bsp/u-boot/u-boot_2022.07.bb -- 2.33.0 -- andrey -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#167934): https://lists.openembedded.org/g/openembedded-core/message/167934 Mute This Topic: https://lists.openembedded.org/mt/92325569/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] u-boot: upgrade 2022.04 -> 2022.07
Signed-off-by: Sakib Sajal --- meta/recipes-bsp/u-boot/u-boot-common.inc | 4 ++-- .../{u-boot-tools_2022.04.bb => u-boot-tools_2022.07.bb} | 0 .../u-boot/{u-boot_2022.04.bb => u-boot_2022.07.bb} | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-bsp/u-boot/{u-boot-tools_2022.04.bb => u-boot-tools_2022.07.bb} (100%) rename meta/recipes-bsp/u-boot/{u-boot_2022.04.bb => u-boot_2022.07.bb} (100%) diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc index 8fc33608d0..d7fd3c7227 100644 --- a/meta/recipes-bsp/u-boot/u-boot-common.inc +++ b/meta/recipes-bsp/u-boot/u-boot-common.inc @@ -7,12 +7,12 @@ SECTION = "bootloaders" DEPENDS += "flex-native bison-native" LICENSE = "GPL-2.0-or-later" -LIC_FILES_CHKSUM = "file://Licenses/README;md5=5a7450c57ffe5ae63fd732446b988025" +LIC_FILES_CHKSUM = "file://Licenses/README;md5=2ca5f2c35c8cc335f0a19756634782f1" PE = "1" # We use the revision in order to avoid having to fetch it from the # repo during parse -SRCREV = "e4b6ebd3de982ae7185dbf689a030e73fd06e0d2" +SRCREV = "e092e3250270a1016c877da7bdd9384f14b1321e" SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master" diff --git a/meta/recipes-bsp/u-boot/u-boot-tools_2022.04.bb b/meta/recipes-bsp/u-boot/u-boot-tools_2022.07.bb similarity index 100% rename from meta/recipes-bsp/u-boot/u-boot-tools_2022.04.bb rename to meta/recipes-bsp/u-boot/u-boot-tools_2022.07.bb 
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.04.bb b/meta/recipes-bsp/u-boot/u-boot_2022.07.bb similarity index 100% rename from meta/recipes-bsp/u-boot/u-boot_2022.04.bb rename to meta/recipes-bsp/u-boot/u-boot_2022.07.bb -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#167888): https://lists.openembedded.org/g/openembedded-core/message/167888 Mute This Topic: https://lists.openembedded.org/mt/92325569/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [kirkstone][PATCH] u-boot: fix CVE-2022-34835
Backport patch to fix CVE-2022-34835. Signed-off-by: Sakib Sajal --- ...ffer-overflow-vulnerability-in-i2c-m.patch | 126 ++ meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 + 2 files changed, 127 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/0001-i2c-fix-stack-buffer-overflow-vulnerability-in-i2c-m.patch diff --git a/meta/recipes-bsp/u-boot/files/0001-i2c-fix-stack-buffer-overflow-vulnerability-in-i2c-m.patch b/meta/recipes-bsp/u-boot/files/0001-i2c-fix-stack-buffer-overflow-vulnerability-in-i2c-m.patch new file mode 100644 index 00..04ded5b119 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0001-i2c-fix-stack-buffer-overflow-vulnerability-in-i2c-m.patch 
@@ -0,0 +1,126 @@ +From 8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409 Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss +Date: Fri, 10 Jun 2022 14:50:25 + +Subject: [PATCH] i2c: fix stack buffer overflow vulnerability in i2c md + command + +When running "i2c md 0 0 8100", the function do_i2c_md parses the +length into an unsigned int variable named length. The value is then +moved to a signed variable: + +int nbytes = length; +#define DISP_LINE_LEN 16 +int linebytes = (nbytes > DISP_LINE_LEN) ? DISP_LINE_LEN : nbytes; +ret = dm_i2c_read(dev, addr, linebuf, linebytes); + +On systems where integers are 32 bits wide, 0x8100 is a negative +value to "nbytes > DISP_LINE_LEN" is false and linebytes gets assigned +0x8100 instead of 16. + +The consequence is that the function which reads from the i2c device +(dm_i2c_read or i2c_read) is called with a 16-byte stack buffer to fill +but with a size parameter which is too large. In some cases, this could +trigger a crash. But with some i2c drivers, such as drivers/i2c/nx_i2c.c +(used with "nexell,s5pxx18-i2c" bus), the size is actually truncated to +a 16-bit integer. This is because function i2c_transfer expects an +unsigned short length. In such a case, an attacker who can control the +response of an i2c device can overwrite the return address of a function +and execute arbitrary code through Return-Oriented Programming. + +Fix this issue by using unsigned integers types in do_i2c_md. While at +it, make also alen unsigned, as signed sizes can cause vulnerabilities +when people forgot to check that they can be negative. 
+ +Signed-off-by: Nicolas Iooss +Reviewed-by: Heiko Schocher + +CVE: CVE-2022-34835 +Upstream-Status: Backport [8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409] + +Signed-off-by: Sakib Sajal +--- + cmd/i2c.c | 24 + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/cmd/i2c.c b/cmd/i2c.c +index 9050b2b8d2..bd04b14024 100644 +--- a/cmd/i2c.c b/cmd/i2c.c +@@ -200,10 +200,10 @@ void i2c_init_board(void) + * + * Returns the address length. + */ +-static uint get_alen(char *arg, int default_len) ++static uint get_alen(char *arg, uint default_len) + { +- int j; +- int alen; ++ uintj; ++ uintalen; + + alen = default_len; + for (j = 0; j < 8; j++) { +@@ -247,7 +247,7 @@ static int do_i2c_read(struct cmd_tbl *cmdtp, int flag, int argc, + { + uintchip; + uintdevaddr, length; +- int alen; ++ uintalen; + u_char *memaddr; + int ret; + #if CONFIG_IS_ENABLED(DM_I2C) +@@ -301,7 +301,7 @@ static int do_i2c_write(struct cmd_tbl *cmdtp, int flag, int argc, + { + uintchip; + uintdevaddr, length; +- int alen; ++ uintalen; + u_char *memaddr; + int ret; + #if CONFIG_IS_ENABLED(DM_I2C) +@@ -469,8 +469,8 @@ static int do_i2c_md(struct cmd_tbl *cmdtp, int flag, int argc, + { + uintchip; + uintaddr, length; +- int alen; +- int j, nbytes, linebytes; ++ uintalen; ++ uintj, nbytes, linebytes; + int ret; + #if CONFIG_IS_ENABLED(DM_I2C) + struct udevice *dev; +@@ -589,9 +589,9 @@ static int do_i2c_mw(struct cmd_tbl *cmdtp, int flag, int argc, + { + uintchip; + ulong addr; +- int alen; ++ uintalen; + uchar byte; +- int count; ++ uintcount; + int ret; + #if CONFIG_IS_ENABLED(DM_I2C) + struct udevice *dev; +@@ -676,8 +676,8 @@ static int do_i2c_crc(struct cmd_tbl *cmdtp, int flag, int argc, + { + uintchip; + ulong addr; +- int alen; +- int count; ++ uintalen; ++ uintcount; + uchar byte; + ulong crc; + ulong err; +@@ -985,7 +985,7 @@ static int do_i2c_loop(struct cmd_tbl *cmdtp, int flag, int argc, + char *const argv[]) + { + uintchip; +- int alen; ++ uintalen; + uintaddr; + uintlength; + 
u_char bytes[16]; +-- +2.25.1 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index 0d2464d74b..f2443723e2
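Review bot: Making `nbytes` and `linebytes` unsigned fixes the `nbytes > DISP_LINE_LEN` clamp described in the message, but the bound on the 16-byte `linebuf` stays implicit in that comparison; an explicit `if (linebytes > sizeof(linebuf))` guard returning a failure code next to the `dm_i2c_read(dev, addr, linebuf, linebytes)` call would keep the invariant local to the read. With `j`, `count` and `alen` now `uint`, any countdown loop or `< 0` error check on those locals in the parts of do_i2c_md, do_i2c_mw and do_i2c_crc that are outside the hunk would become always-true or always-false, so those bodies are worth a quick scan. The length is parsed from user input before any of these hunks and is not shown here.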
Re: [OE-core] [PATCH 1/4] qemu: fix CVE-2021-4145
This patch is for hardknott branch On 2022-05-31 18:08, Sakib Sajal wrote: Fix for CVE-2021-4145, commit 66fed30c9c, fixes another commit: d44dae1a7c ("block/mirror: fix active mirror dead-lock in mirror_wait_on_conflicts") Hence, backport both the patches to resolve the CVE. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2021-4145_1.patch | 67 +++ .../qemu/qemu/CVE-2021-4145_2.patch | 85 +++ 3 files changed, 154 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 568ef1be94..aa372810ce 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -75,6 +75,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3930.patch \ file://CVE-2021-20196_1.patch \ file://CVE-2021-20196_2.patch \ + file://CVE-2021-4145_1.patch \ + file://CVE-2021-4145_2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch new file mode 100644 index 00..02eae727d5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch 
@@ -0,0 +1,67 @@ +From 59fe260a352156261ad0d89be446e5dd0ac96de3 Mon Sep 17 00:00:00 2001 +From: Vladimir Sementsov-Ogievskiy +Date: Sat, 3 Jul 2021 00:16:36 +0300 +Subject: [PATCH 1/2] block/mirror: fix active mirror dead-lock in + mirror_wait_on_conflicts + +It's possible that requests start to wait each other in +mirror_wait_on_conflicts(). To avoid it let's use same technique as in +block/io.c in bdrv_wait_serialising_requests_locked() / +bdrv_find_conflicting_request(): don't wait on intersecting request if +it is already waiting for some other request. + +For details of the dead-lock look at testIntersectingActiveIO() +test-case which we actually fixing now. + +Fixes: d06107ade0ce74dc39739bac80de84b51ec18546 +Signed-off-by: Vladimir Sementsov-Ogievskiy +Message-Id: <20210702211636.228981-4-vsement...@virtuozzo.com> +Signed-off-by: Kevin Wolf + +CVE: CVE-2021-4145 +Upstream-Status: Backport [d44dae1a7cf782ec9235746ebb0e6c1a20dd7288] + +Signed-off-by: Sakib Sajal +--- + block/mirror.c | 12 + tests/qemu-iotests/151 | 0 + 2 files changed, 12 insertions(+) + mode change 100755 => 100644 tests/qemu-iotests/151 + +diff --git a/block/mirror.c b/block/mirror.c +index 8e1ad6ece..fab008568 100644 +--- a/block/mirror.c b/block/mirror.c +@@ -106,6 +106,7 @@ struct MirrorOp { + bool is_in_flight; + CoQueue waiting_requests; + Coroutine *co; ++MirrorOp *waiting_for_op; + + QTAILQ_ENTRY(MirrorOp) next; + }; +@@ -158,7 +159,18 @@ static void coroutine_fn mirror_wait_on_conflicts(MirrorOp *self, + if (ranges_overlap(self_start_chunk, self_nb_chunks, +op_start_chunk, op_nb_chunks)) + { ++/* ++ * If the operation is already (indirectly) waiting for us, or ++ * will wait for us as soon as it wakes up, then just go on ++ * (instead of producing a deadlock in the former case). 
++ */ ++if (op->waiting_for_op) { ++continue; ++} ++ ++self->waiting_for_op = op; + qemu_co_queue_wait(>waiting_requests, NULL); ++self->waiting_for_op = NULL; + break; + } + } +diff --git a/tests/qemu-iotests/151 b/tests/qemu-iotests/151 +old mode 100755 +new mode 100644 +-- +2.33.0 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch new file mode 100644 index 00..891664375c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch @@ -0,0 +1,85 @@ +From 09036c63a4a498d65de0d035211b01f0482e3533 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Fri, 10 Sep 2021 14:45:33 +0200 +Subject: [PATCH 2/2] block/mirror: fix NULL pointer dereference in + mirror_wait_on_conflicts() + +In mirror_iteration() we call mirror_wait_on_conflicts() with +`self` parameter set to NULL. + +Starting from commit d44dae1a7c we dereference `self` pointer in +mirror_wait_on_conflicts() without checks if it is not NULL. + +Backtrace: + Program terminated with signal SIGSEGV, Segmentation fault. + #0 mirror_wait_on_conflicts (self=0x0, s=, offset=, bytes=) + at ../block/mirror.c:172 + 172 self->waiting_for_op = op; + [Current thread is 1 (Thread 0x7f0908931ec0 (LWP 380249))] +
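Review bot: The new `MirrorOp *waiting_for_op;` field carries no comment, and the cycle-avoidance rule that depends on it is explained only inside mirror_wait_on_conflicts(); a field comment such as `/* Op this request is currently blocked on in mirror_wait_on_conflicts(), or NULL; used to skip waiting on an op that is itself waiting. */` would let a reader of the struct understand why the field is cleared right after `qemu_co_queue_wait()`. The patch also carries `old mode 100755` / `new mode 100644` for tests/qemu-iotests/151, which looks unrelated to the deadlock fix and would stop that iotest being run as an executable; worth confirming it is intended in the backport rather than a local-tree artefact. The loop in mirror_wait_on_conflicts starts and ends outside the hunk.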
Re: [OE-core] [PATCH 2/4] qemu: fix CVE-2021-3750
This set of patches is for hardknott branch. On 2022-05-31 18:08, Sakib Sajal wrote: Backport appropriate patches to resolve CVE-2021-3750. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 3 + .../qemu/qemu/CVE-2021-3750_1.patch | 60 +++ .../qemu/qemu/CVE-2021-3750_2.patch | 65 .../qemu/qemu/CVE-2021-3750_3.patch | 156 ++ 4 files changed, 284 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index aa372810ce..5605ece5bb 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -77,6 +77,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-20196_2.patch \ file://CVE-2021-4145_1.patch \ file://CVE-2021-4145_2.patch \ + file://CVE-2021-3750_1.patch \ + file://CVE-2021-3750_2.patch \ + file://CVE-2021-3750_3.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch new file mode 100644 index 00..8381661886 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch 
@@ -0,0 +1,60 @@
+From d09eb9fc1459f5c8b623f3f2134c3c007b4e6344 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
+Date: Wed, 15 Dec 2021 19:24:19 +0100
+Subject: [PATCH 1/3] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of
+ MEMTX_ERROR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Quoting Peter Maydell:
+
+ "These MEMTX_* aren't from the memory transaction
+ API functions; they're just being used by gicd_readl() and
+ friends as a way to indicate a success/failure so that the
+ actual MemoryRegionOps read/write fns like gicv3_dist_read()
+ can log a guest error."
+
+We are going to introduce more MemTxResult bits, so it is
+safer to check for !MEMTX_OK rather than MEMTX_ERROR.
+
+Reviewed-by: Peter Xu
+Reviewed-by: David Hildenbrand
+Reviewed-by: Peter Maydell
+Reviewed-by: Stefan Hajnoczi
+Signed-off-by: Philippe Mathieu-Daudé
+Signed-off-by: Peter Maydell
+
+CVE: CVE-2021-3750
+Upstream-Status: Backport [b9d383ab797f54ae5fa8746117770709921dc529]
+
+Signed-off-by: Sakib Sajal
+---
+ hw/intc/arm_gicv3_redist.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
+index 8645220d6..44368e285 100644
+--- a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
+@@ -450,7 +450,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data,
+ break;
+ }
+ 
+-if (r == MEMTX_ERROR) {
++if (r != MEMTX_OK) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: invalid guest read at offset " TARGET_FMT_plx
+ "size %u\n", __func__, offset, size);
+@@ -507,7 +507,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data,
+ break;
+ }
+ 
+-if (r == MEMTX_ERROR) {
++if (r != MEMTX_OK) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: invalid guest write at offset " TARGET_FMT_plx
+ "size %u\n", __func__, offset, size);
+-- 
+2.33.0
+
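Review bot: The quoted rationale talks about gicd_readl() and gicv3_dist_read(), i.e. the distributor, yet the diffstat lists only hw/intc/arm_gicv3_redist.c; if upstream b9d383ab79 also changed the distributor's `r == MEMTX_ERROR` tests, this backport carries only half of it and, once the later patches of this series add new MemTxResult bits, the distributor would no longer log those results as guest errors — please confirm against the upstream commit. A one-line comment on each new condition would record the intent for the next backport: `/* any non-OK result is a guest error, not only MEMTX_ERROR */`. The pre-existing format string `"... at offset " TARGET_FMT_plx "size %u\n"` has no space before `size`, so the log reads `offset 0x...size 4`; not part of this change, but cheap to fix while touching the line above it. The same patch is posted twice more further down this thread ([PATCH 2/4] for hardknott and for master).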
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch new file mode 100644 index 00..82d2675ab2 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch @@ -0,0 +1,65 @@ +From 13e82fe73aca591cc4160688597515c7fb6f9788 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 19:24:20 +0100 +Subject: [PATCH 2/3] softmmu/physmem: Simplify flatview_write and + address_space_access_valid +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Remove unuseful local 'result' variables. + +Reviewed-by: Peter Xu +Reviewed-by: David Hildenbrand +Reviewed-by: Alexander Bulekov +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211215182421.418374-3-phi...@redhat.com> +Signed-off-by: Thomas Huth + +CVE: CVE-2021-3750 +Upstream-Status: Backport [58e74682baf4e1ad26b064d8c02e5bc99c75c5d9] + +Signed-off-by: Sakib Sajal +--- + softmmu/physmem.c | 11 +++ + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/softmmu/physmem.c b/softmmu/physmem.c +index 2cd1de4a2..68612afbd 100644 +--- a/softmmu/physmem.c b/softmmu/physmem.c +@@ -2792
[OE-core][hardknott][PATCH 4/4] qemu: fix CVE-2021-4206
Backport fix to resolve CVE-2021-4206: fa892e9abb ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-4206.patch | 89 +++ 2 files changed, 90 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 898377d11b..b6595a7731 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -81,6 +81,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3750_2.patch \ file://CVE-2021-3750_3.patch \ file://CVE-2022-26353.patch \ + file://CVE-2021-4206.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch new file mode 100644 index 00..bc76d3a206 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch 
@@ -0,0 +1,89 @@
+From 1ed7525cc9d9a98ef126e9803b09f50aa9f2e3bf Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella
+Date: Thu, 7 Apr 2022 10:17:12 +0200
+Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc
+ (CVE-2021-4206)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Prevent potential integer overflow by limiting 'width' and 'height' to
+512x512. Also change 'datasize' type to size_t. Refer to security
+advisory https://starlabs.sg/advisories/22-4206/ for more information.
+
+Fixes: CVE-2021-4206
+Signed-off-by: Mauro Matteo Cascella
+Reviewed-by: Marc-André Lureau
+Message-Id: <20220407081712.345609-1-mcasc...@redhat.com>
+Signed-off-by: Gerd Hoffmann
+
+CVE: CVE-2021-4206
+Upstream-Status: Backport [fa892e9abb728e76afcf27323ab29c57fb0fe7aa]
+
+Signed-off-by: Sakib Sajal
+---
+ hw/display/qxl-render.c | 7 +++
+ hw/display/vmware_vga.c | 2 ++
+ ui/cursor.c | 8 +++-
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index 3ce2e57b8..c2ecef706 100644
+--- a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+@@ -246,6 +246,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+ size_t size;
+ 
+ c = cursor_alloc(cursor->header.width, cursor->header.height);
++
++if (!c) {
++qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
++cursor->header.width, cursor->header.height);
++goto fail;
++}
++
+ c->hot_x = cursor->header.hot_spot_x;
+ c->hot_y = cursor->header.hot_spot_y;
+ switch (cursor->header.type) {
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index bef0d7d69..e30dbdcb3 100644
+--- a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+@@ -510,6 +510,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
+ int i, pixels;
+ 
+ qc = cursor_alloc(c->width, c->height);
++assert(qc != NULL);
++
+ qc->hot_x = c->hot_x;
+ qc->hot_y = c->hot_y;
+ switch (c->bpp) {
+diff --git 
a/ui/cursor.c b/ui/cursor.c
+index 1d62ddd4d..835f0802f 100644
+--- a/ui/cursor.c b/ui/cursor.c
+@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
+ 
+ /* parse pixel data */
+ c = cursor_alloc(width, height);
++assert(c != NULL);
++
+ for (pixel = 0, y = 0; y < height; y++, line++) {
+ for (x = 0; x < height; x++, pixel++) {
+ idx = xpm[line][x];
+@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
+ QEMUCursor *cursor_alloc(int width, int height)
+ {
+ QEMUCursor *c;
+-int datasize = width * height * sizeof(uint32_t);
++size_t datasize = width * height * sizeof(uint32_t);
++
++if (width > 512 || height > 512) {
++return NULL;
++}
+ 
+ c = g_malloc0(sizeof(QEMUCursor) + datasize);
+ c->width = width;
+-- 
+2.33.0
+
-- 
2.33.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#166348): https://lists.openembedded.org/g/openembedded-core/message/166348 Mute This Topic: https://lists.openembedded.org/mt/91468551/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
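Review bot: In cursor_alloc the new `size_t datasize = width * height * sizeof(uint32_t);` is still evaluated before the 512 limit is tested, so oversized guest-supplied dimensions still go through the `int` multiplication `width * height` (signed overflow is undefined behaviour even though the result is discarded on the NULL return), and negative values pass the `> 512` test untouched. Declare the variable after the check and reject negatives as well: `if (width < 0 || width > 512 || height < 0 || height > 512) { return NULL; }` followed by `size_t datasize = (size_t)width * height * sizeof(uint32_t);`. The `assert(qc != NULL)` added in vmsvga_cursor_define turns an out-of-range cursor into an abort of the whole emulator, which is only acceptable if the FIFO command parser already bounds c->width/c->height before this point — that code is outside the hunk and should be confirmed for the hardknott tree. The same patch is posted again as CVE-2021-4206.patch in the [PATCH 4/4] message further down this thread.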
[OE-core][hardknott][PATCH 3/4] qemu: fix CVE-2022-26353
Backport fix to resolve CVE-2022-26353: abe300d9d8 virtio-net: fix map leaking on error during receive Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2022-26353.patch| 44 +++ 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 5605ece5bb..898377d11b 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -80,6 +80,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3750_1.patch \ file://CVE-2021-3750_2.patch \ file://CVE-2021-3750_3.patch \ + file://CVE-2022-26353.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch new file mode 100644 index 00..e76444b9fe --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch 
@@ -0,0 +1,44 @@
+From 2263354a272db3e520687af31675684c9c705456 Mon Sep 17 00:00:00 2001
+From: Jason Wang
+Date: Tue, 8 Mar 2022 10:42:51 +0800
+Subject: [PATCH] virtio-net: fix map leaking on error during receive
+
+Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
+tries to fix the use after free of the sg by caching the virtqueue
+elements in an array and unmap them at once after receiving the
+packets, But it forgot to unmap the cached elements on error which
+will lead to leaking of mapping and other unexpected results.
+
+Fixing this by detaching the cached elements on error. This addresses
+CVE-2022-26353.
+
+Reported-by: Victor Tom
+Cc: qemu-sta...@nongnu.org
+Fixes: CVE-2022-26353
+Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Jason Wang
+
+CVE: CVE-2022-26353
+Upstream-Status: Backport [abe300d9d894f7138e1af7c8e9c88c04bfe98b37]
+
+Signed-off-by: Sakib Sajal
+---
+ hw/net/virtio-net.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index df1d30e2c..a351d16b5 100644
+--- a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+@@ -1795,6 +1795,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ 
+ err:
+ for (j = 0; j < i; j++) {
++virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);
+ g_free(elems[j]);
+ }
+ 
+-- 
+2.33.0
+
-- 
2.33.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#166347): https://lists.openembedded.org/g/openembedded-core/message/166347 Mute This Topic: https://lists.openembedded.org/mt/91468549/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
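Review bot: The added `virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);` relies on `lens[j]` having been recorded for every `j < i` at the point where `elems[j]` is stored; that code lies outside the hunk, so the backport should be checked to confirm the hardknott virtio-net.c already contains commit bedd7e93d0196 (the one that introduced the `elems`/`lens` arrays, named in the Fixes: trailer), otherwise the context lines of this one-line patch will not even apply. A short comment at the label would help the next reader see why the order matters: `/* undo the guest-memory mappings of elements popped but not yet pushed back; must precede g_free */`. virtio_net_receive_rcu starts and ends outside the hunk. The identical patch is posted again as [PATCH 3/4] further down this thread.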
[OE-core][hardknott][PATCH 1/4] qemu: fix CVE-2021-4145
Fix for CVE-2021-4145, commit 66fed30c9c, fixes another commit: d44dae1a7c ("block/mirror: fix active mirror dead-lock in mirror_wait_on_conflicts") Hence, backport both the patches to resolve the CVE. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2021-4145_1.patch | 67 +++ .../qemu/qemu/CVE-2021-4145_2.patch | 85 +++ 3 files changed, 154 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 568ef1be94..aa372810ce 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -75,6 +75,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3930.patch \ file://CVE-2021-20196_1.patch \ file://CVE-2021-20196_2.patch \ + file://CVE-2021-4145_1.patch \ + file://CVE-2021-4145_2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch new file mode 100644 index 00..02eae727d5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch 
@@ -0,0 +1,67 @@
+From 59fe260a352156261ad0d89be446e5dd0ac96de3 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy
+Date: Sat, 3 Jul 2021 00:16:36 +0300
+Subject: [PATCH 1/2] block/mirror: fix active mirror dead-lock in
+ mirror_wait_on_conflicts
+
+It's possible that requests start to wait each other in
+mirror_wait_on_conflicts(). To avoid it let's use same technique as in
+block/io.c in bdrv_wait_serialising_requests_locked() /
+bdrv_find_conflicting_request(): don't wait on intersecting request if
+it is already waiting for some other request.
+
+For details of the dead-lock look at testIntersectingActiveIO()
+test-case which we actually fixing now.
+
+Fixes: d06107ade0ce74dc39739bac80de84b51ec18546
+Signed-off-by: Vladimir Sementsov-Ogievskiy
+Message-Id: <20210702211636.228981-4-vsement...@virtuozzo.com>
+Signed-off-by: Kevin Wolf
+
+CVE: CVE-2021-4145
+Upstream-Status: Backport [d44dae1a7cf782ec9235746ebb0e6c1a20dd7288]
+
+Signed-off-by: Sakib Sajal
+---
+ block/mirror.c | 12 + tests/qemu-iotests/151 | 0
+ 2 files changed, 12 insertions(+)
+ mode change 100755 => 100644 tests/qemu-iotests/151
+
+diff --git a/block/mirror.c b/block/mirror.c
+index 8e1ad6ece..fab008568 100644
+--- a/block/mirror.c b/block/mirror.c
+@@ -106,6 +106,7 @@ struct MirrorOp {
+ bool is_in_flight;
+ CoQueue waiting_requests;
+ Coroutine *co;
++MirrorOp *waiting_for_op;
+ 
+ QTAILQ_ENTRY(MirrorOp) next;
+ };
+@@ -158,7 +159,18 @@ static void coroutine_fn mirror_wait_on_conflicts(MirrorOp *self,
+ if (ranges_overlap(self_start_chunk, self_nb_chunks,
+op_start_chunk, op_nb_chunks))
+ {
++/*
++ * If the operation is already (indirectly) waiting for us, or
++ * will wait for us as soon as it wakes up, then just go on
++ * (instead of producing a deadlock in the former case).
++ */
++if (op->waiting_for_op) {
++continue;
++}
++
++self->waiting_for_op = op;
+ qemu_co_queue_wait(>waiting_requests, NULL);
++self->waiting_for_op = NULL;
+ break;
+ }
+ }
+diff --git a/tests/qemu-iotests/151 b/tests/qemu-iotests/151
+old mode 100755
+new mode 100644
+-- 
+2.33.0
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch
new file mode 100644
index 00..891664375c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch
@@ -0,0 +1,85 @@
+From 09036c63a4a498d65de0d035211b01f0482e3533 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella
+Date: Fri, 10 Sep 2021 14:45:33 +0200
+Subject: [PATCH 2/2] block/mirror: fix NULL pointer dereference in
+ mirror_wait_on_conflicts()
+
+In mirror_iteration() we call mirror_wait_on_conflicts() with
+`self` parameter set to NULL.
+
+Starting from commit d44dae1a7c we dereference `self` pointer in
+mirror_wait_on_conflicts() without checks if it is not NULL.
+
+Backtrace:
+ Program terminated with signal SIGSEGV, Segmentation fault.
+ #0 mirror_wait_on_conflicts (self=0x0, s=, offset=, bytes=)
+ at ../block/mirror.c:172
+ 172 self->waiting_for_op = op;
+ [Current thread is 1 (Thread 0x7f0908931ec0 (LWP 380249))]
+ (gdb) bt
+ #0 mirror_wait_on_conflicts (self=0x0, s=, offset=, bytes=)
+ at ../bloc
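Review bot: The new `self->waiting_for_op = op;` and the reset after qemu_co_queue_wait() dereference `self` unconditionally, and the companion CVE-2021-4145_2.patch in this same series exists precisely because mirror_iteration() passes `self == NULL`; the two patches must always be applied together, which is worth stating next to the SRC_URI entries: `# CVE-2021-4145_2.patch fixes the NULL dereference introduced by _1; keep both`. Inside the hunk the new `waiting_for_op` member is only tested and assigned, never initialised, so whatever allocates MirrorOp (outside the hunk) has to zero it — presumably it already does through a zeroing allocation, but that should be confirmed for this tree. Separately, the diffstat shows tests/qemu-iotests/151 changing mode 100755 => 100644 with no content change; the iotests are run as executable scripts, so dropping the exec bit looks like a backport artifact that would stop test 151 from running. The same patch is posted again as CVE-2021-4145_1.patch in the [PATCH 1/4] message further down this thread.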
[OE-core][hardknott][PATCH 2/4] qemu: fix CVE-2021-3750
Backport appropriate patches to resolve CVE-2021-3750. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 3 + .../qemu/qemu/CVE-2021-3750_1.patch | 60 +++ .../qemu/qemu/CVE-2021-3750_2.patch | 65 .../qemu/qemu/CVE-2021-3750_3.patch | 156 ++ 4 files changed, 284 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index aa372810ce..5605ece5bb 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -77,6 +77,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-20196_2.patch \ file://CVE-2021-4145_1.patch \ file://CVE-2021-4145_2.patch \ + file://CVE-2021-3750_1.patch \ + file://CVE-2021-3750_2.patch \ + file://CVE-2021-3750_3.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch new file mode 100644 index 00..8381661886 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch 
@@ -0,0 +1,60 @@ +From d09eb9fc1459f5c8b623f3f2134c3c007b4e6344 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 19:24:19 +0100 +Subject: [PATCH 1/3] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of + MEMTX_ERROR +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Quoting Peter Maydell: + + "These MEMTX_* aren't from the memory transaction + API functions; they're just being used by gicd_readl() and + friends as a way to indicate a success/failure so that the + actual MemoryRegionOps read/write fns like gicv3_dist_read() + can log a guest error." + +We are going to introduce more MemTxResult bits, so it is +safer to check for !MEMTX_OK rather than MEMTX_ERROR. + +Reviewed-by: Peter Xu +Reviewed-by: David Hildenbrand +Reviewed-by: Peter Maydell +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Peter Maydell + +CVE: CVE-2021-3750 +Upstream-Status: Backport [b9d383ab797f54ae5fa8746117770709921dc529] + +Signed-off-by: Sakib Sajal +--- + hw/intc/arm_gicv3_redist.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c +index 8645220d6..44368e285 100644 +--- a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c +@@ -450,7 +450,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data, + break; + } + +-if (r == MEMTX_ERROR) { ++if (r != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid guest read at offset " TARGET_FMT_plx + "size %u\n", __func__, offset, size); +@@ -507,7 +507,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data, + break; + } + +-if (r == MEMTX_ERROR) { ++if (r != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid guest write at offset " TARGET_FMT_plx + "size %u\n", __func__, offset, size); +-- +2.33.0 + 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch new file mode 100644 index 00..82d2675ab2 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch @@ -0,0 +1,65 @@ +From 13e82fe73aca591cc4160688597515c7fb6f9788 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 19:24:20 +0100 +Subject: [PATCH 2/3] softmmu/physmem: Simplify flatview_write and + address_space_access_valid +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Remove unuseful local 'result' variables. + +Reviewed-by: Peter Xu +Reviewed-by: David Hildenbrand +Reviewed-by: Alexander Bulekov +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211215182421.418374-3-phi...@redhat.com> +Signed-off-by: Thomas Huth + +CVE: CVE-2021-3750 +Upstream-Status: Backport [58e74682baf4e1ad26b064d8c02e5bc99c75c5d9] + +Signed-off-by: Sakib Sajal +--- + softmmu/physmem.c | 11 +++ + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/softmmu/physmem.c b/softmmu/physmem.c +index 2cd1de4a2..68612afbd 100644 +--- a/softmmu/physmem.c b/softmmu/physmem.c +@@ -2792,14 +2792,11 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs, + hw
[OE-core] [PATCH 2/4] qemu: fix CVE-2021-3750
Backport appropriate patches to resolve CVE-2021-3750. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 3 + .../qemu/qemu/CVE-2021-3750_1.patch | 60 +++ .../qemu/qemu/CVE-2021-3750_2.patch | 65 .../qemu/qemu/CVE-2021-3750_3.patch | 156 ++ 4 files changed, 284 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index aa372810ce..5605ece5bb 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -77,6 +77,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-20196_2.patch \ file://CVE-2021-4145_1.patch \ file://CVE-2021-4145_2.patch \ + file://CVE-2021-3750_1.patch \ + file://CVE-2021-3750_2.patch \ + file://CVE-2021-3750_3.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch new file mode 100644 index 00..8381661886 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch 
@@ -0,0 +1,60 @@ +From d09eb9fc1459f5c8b623f3f2134c3c007b4e6344 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 19:24:19 +0100 +Subject: [PATCH 1/3] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of + MEMTX_ERROR +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Quoting Peter Maydell: + + "These MEMTX_* aren't from the memory transaction + API functions; they're just being used by gicd_readl() and + friends as a way to indicate a success/failure so that the + actual MemoryRegionOps read/write fns like gicv3_dist_read() + can log a guest error." + +We are going to introduce more MemTxResult bits, so it is +safer to check for !MEMTX_OK rather than MEMTX_ERROR. + +Reviewed-by: Peter Xu +Reviewed-by: David Hildenbrand +Reviewed-by: Peter Maydell +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Peter Maydell + +CVE: CVE-2021-3750 +Upstream-Status: Backport [b9d383ab797f54ae5fa8746117770709921dc529] + +Signed-off-by: Sakib Sajal +--- + hw/intc/arm_gicv3_redist.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c +index 8645220d6..44368e285 100644 +--- a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c +@@ -450,7 +450,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data, + break; + } + +-if (r == MEMTX_ERROR) { ++if (r != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid guest read at offset " TARGET_FMT_plx + "size %u\n", __func__, offset, size); +@@ -507,7 +507,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data, + break; + } + +-if (r == MEMTX_ERROR) { ++if (r != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid guest write at offset " TARGET_FMT_plx + "size %u\n", __func__, offset, size); +-- +2.33.0 + 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch new file mode 100644 index 00..82d2675ab2 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch @@ -0,0 +1,65 @@ +From 13e82fe73aca591cc4160688597515c7fb6f9788 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 19:24:20 +0100 +Subject: [PATCH 2/3] softmmu/physmem: Simplify flatview_write and + address_space_access_valid +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Remove unuseful local 'result' variables. + +Reviewed-by: Peter Xu +Reviewed-by: David Hildenbrand +Reviewed-by: Alexander Bulekov +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211215182421.418374-3-phi...@redhat.com> +Signed-off-by: Thomas Huth + +CVE: CVE-2021-3750 +Upstream-Status: Backport [58e74682baf4e1ad26b064d8c02e5bc99c75c5d9] + +Signed-off-by: Sakib Sajal +--- + softmmu/physmem.c | 11 +++ + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/softmmu/physmem.c b/softmmu/physmem.c +index 2cd1de4a2..68612afbd 100644 +--- a/softmmu/physmem.c b/softmmu/physmem.c +@@ -2792,14 +2792,11 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs, + hw
[OE-core] [PATCH 1/4] qemu: fix CVE-2021-4145
Fix for CVE-2021-4145, commit 66fed30c9c, fixes another commit: d44dae1a7c ("block/mirror: fix active mirror dead-lock in mirror_wait_on_conflicts") Hence, backport both the patches to resolve the CVE. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2021-4145_1.patch | 67 +++ .../qemu/qemu/CVE-2021-4145_2.patch | 85 +++ 3 files changed, 154 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 568ef1be94..aa372810ce 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -75,6 +75,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3930.patch \ file://CVE-2021-20196_1.patch \ file://CVE-2021-20196_2.patch \ + file://CVE-2021-4145_1.patch \ + file://CVE-2021-4145_2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch new file mode 100644 index 00..02eae727d5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch 
@@ -0,0 +1,67 @@ +From 59fe260a352156261ad0d89be446e5dd0ac96de3 Mon Sep 17 00:00:00 2001 +From: Vladimir Sementsov-Ogievskiy +Date: Sat, 3 Jul 2021 00:16:36 +0300 +Subject: [PATCH 1/2] block/mirror: fix active mirror dead-lock in + mirror_wait_on_conflicts + +It's possible that requests start to wait each other in +mirror_wait_on_conflicts(). To avoid it let's use same technique as in +block/io.c in bdrv_wait_serialising_requests_locked() / +bdrv_find_conflicting_request(): don't wait on intersecting request if +it is already waiting for some other request. + +For details of the dead-lock look at testIntersectingActiveIO() +test-case which we actually fixing now. + +Fixes: d06107ade0ce74dc39739bac80de84b51ec18546 +Signed-off-by: Vladimir Sementsov-Ogievskiy +Message-Id: <20210702211636.228981-4-vsement...@virtuozzo.com> +Signed-off-by: Kevin Wolf + +CVE: CVE-2021-4145 +Upstream-Status: Backport [d44dae1a7cf782ec9235746ebb0e6c1a20dd7288] + +Signed-off-by: Sakib Sajal +--- + block/mirror.c | 12 + tests/qemu-iotests/151 | 0 + 2 files changed, 12 insertions(+) + mode change 100755 => 100644 tests/qemu-iotests/151 + +diff --git a/block/mirror.c b/block/mirror.c +index 8e1ad6ece..fab008568 100644 +--- a/block/mirror.c b/block/mirror.c +@@ -106,6 +106,7 @@ struct MirrorOp { + bool is_in_flight; + CoQueue waiting_requests; + Coroutine *co; ++MirrorOp *waiting_for_op; + + QTAILQ_ENTRY(MirrorOp) next; + }; +@@ -158,7 +159,18 @@ static void coroutine_fn mirror_wait_on_conflicts(MirrorOp *self, + if (ranges_overlap(self_start_chunk, self_nb_chunks, +op_start_chunk, op_nb_chunks)) + { ++/* ++ * If the operation is already (indirectly) waiting for us, or ++ * will wait for us as soon as it wakes up, then just go on ++ * (instead of producing a deadlock in the former case). 
++ */ ++if (op->waiting_for_op) { ++continue; ++} ++ ++self->waiting_for_op = op; + qemu_co_queue_wait(>waiting_requests, NULL); ++self->waiting_for_op = NULL; + break; + } + } +diff --git a/tests/qemu-iotests/151 b/tests/qemu-iotests/151 +old mode 100755 +new mode 100644 +-- +2.33.0 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch new file mode 100644 index 00..891664375c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch @@ -0,0 +1,85 @@ +From 09036c63a4a498d65de0d035211b01f0482e3533 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Fri, 10 Sep 2021 14:45:33 +0200 +Subject: [PATCH 2/2] block/mirror: fix NULL pointer dereference in + mirror_wait_on_conflicts() + +In mirror_iteration() we call mirror_wait_on_conflicts() with +`self` parameter set to NULL. + +Starting from commit d44dae1a7c we dereference `self` pointer in +mirror_wait_on_conflicts() without checks if it is not NULL. + +Backtrace: + Program terminated with signal SIGSEGV, Segmentation fault. + #0 mirror_wait_on_conflicts (self=0x0, s=, offset=, bytes=) + at ../block/mirror.c:172 + 172 self->waiting_for_op = op; + [Current thread is 1 (Thread 0x7f0908931ec0 (LWP 380249))] + (gdb) bt + #0 mirror_wait_on_conflicts (self=0x0, s=, offset=, bytes=) + at ../bloc
[OE-core] [PATCH 3/4] qemu: fix CVE-2022-26353
Backport fix to resolve CVE-2022-26353: abe300d9d8 virtio-net: fix map leaking on error during receive Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2022-26353.patch| 44 +++ 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 5605ece5bb..898377d11b 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -80,6 +80,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3750_1.patch \ file://CVE-2021-3750_2.patch \ file://CVE-2021-3750_3.patch \ + file://CVE-2022-26353.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch new file mode 100644 index 00..e76444b9fe --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch 
@@ -0,0 +1,44 @@ +From 2263354a272db3e520687af31675684c9c705456 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Tue, 8 Mar 2022 10:42:51 +0800 +Subject: [PATCH] virtio-net: fix map leaking on error during receive + +Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") +tries to fix the use after free of the sg by caching the virtqueue +elements in an array and unmap them at once after receiving the +packets, But it forgot to unmap the cached elements on error which +will lead to leaking of mapping and other unexpected results. + +Fixing this by detaching the cached elements on error. This addresses +CVE-2022-26353. + +Reported-by: Victor Tom +Cc: qemu-sta...@nongnu.org +Fixes: CVE-2022-26353 +Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Jason Wang + +CVE: CVE-2022-26353 +Upstream-Status: Backport [abe300d9d894f7138e1af7c8e9c88c04bfe98b37] + +Signed-off-by: Sakib Sajal +--- + hw/net/virtio-net.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index df1d30e2c..a351d16b5 100644 +--- a/hw/net/virtio-net.c b/hw/net/virtio-net.c +@@ -1795,6 +1795,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + + err: + for (j = 0; j < i; j++) { ++virtqueue_detach_element(q->rx_vq, elems[j], lens[j]); + g_free(elems[j]); + } + +-- +2.33.0 + -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#166341): https://lists.openembedded.org/g/openembedded-core/message/166341 Mute This Topic: https://lists.openembedded.org/mt/91462669/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH 4/4] qemu: fix CVE-2021-4206
Backport fix to resolve CVE-2021-4206: fa892e9abb ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-4206.patch | 89 +++ 2 files changed, 90 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 898377d11b..b6595a7731 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -81,6 +81,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3750_2.patch \ file://CVE-2021-3750_3.patch \ file://CVE-2022-26353.patch \ + file://CVE-2021-4206.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch new file mode 100644 index 00..bc76d3a206 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch 
@@ -0,0 +1,89 @@ +From 1ed7525cc9d9a98ef126e9803b09f50aa9f2e3bf Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Thu, 7 Apr 2022 10:17:12 +0200 +Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc + (CVE-2021-4206) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Prevent potential integer overflow by limiting 'width' and 'height' to +512x512. Also change 'datasize' type to size_t. Refer to security +advisory https://starlabs.sg/advisories/22-4206/ for more information. + +Fixes: CVE-2021-4206 +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Marc-André Lureau +Message-Id: <20220407081712.345609-1-mcasc...@redhat.com> +Signed-off-by: Gerd Hoffmann + +CVE: CVE-2021-4206 +Upstream-Status: Backport [fa892e9abb728e76afcf27323ab29c57fb0fe7aa] + +Signed-off-by: Sakib Sajal +--- + hw/display/qxl-render.c | 7 +++ + hw/display/vmware_vga.c | 2 ++ + ui/cursor.c | 8 +++- + 3 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index 3ce2e57b8..c2ecef706 100644 +--- a/hw/display/qxl-render.c b/hw/display/qxl-render.c +@@ -246,6 +246,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, + size_t size; + + c = cursor_alloc(cursor->header.width, cursor->header.height); ++ ++if (!c) { ++qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__, ++cursor->header.width, cursor->header.height); ++goto fail; ++} ++ + c->hot_x = cursor->header.hot_spot_x; + c->hot_y = cursor->header.hot_spot_y; + switch (cursor->header.type) { +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index bef0d7d69..e30dbdcb3 100644 +--- a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +@@ -510,6 +510,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s, + int i, pixels; + + qc = cursor_alloc(c->width, c->height); ++assert(qc != NULL); ++ + qc->hot_x = c->hot_x; + qc->hot_y = c->hot_y; + switch (c->bpp) { +diff --git 
a/ui/cursor.c b/ui/cursor.c +index 1d62ddd4d..835f0802f 100644 +--- a/ui/cursor.c b/ui/cursor.c +@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[]) + + /* parse pixel data */ + c = cursor_alloc(width, height); ++assert(c != NULL); ++ + for (pixel = 0, y = 0; y < height; y++, line++) { + for (x = 0; x < height; x++, pixel++) { + idx = xpm[line][x]; +@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void) + QEMUCursor *cursor_alloc(int width, int height) + { + QEMUCursor *c; +-int datasize = width * height * sizeof(uint32_t); ++size_t datasize = width * height * sizeof(uint32_t); ++ ++if (width > 512 || height > 512) { ++return NULL; ++} + + c = g_malloc0(sizeof(QEMUCursor) + datasize); + c->width = width; +-- +2.33.0 + -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#166343): https://lists.openembedded.org/g/openembedded-core/message/166343 Mute This Topic: https://lists.openembedded.org/mt/91462671/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
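Review bot: In cursor_alloc() the new size guard runs after `size_t datasize = width * height * sizeof(uint32_t);`, so the int-by-int product is still evaluated on out-of-range input (signed overflow is UB) before the `return NULL`, and the `> 512` comparisons let negative width or height through, which then lands in `c->width`/`c->height`. Moving the check ahead of the multiplication and widening it to reject negatives closes both gaps; casting to size_t before multiplying keeps the arithmetic unsigned. The `assert(qc != NULL)` added in vmware_vga.c turns an over-large guest cursor into an abort unless the caller of vmsvga_cursor_define() already bounds c->width/c->height (I believe it does, but it is worth confirming in the hardknott tree), whereas qxl-render.c handles the NULL gracefully. cursor_alloc's body continues outside the hunk.
```c
QEMUCursor *cursor_alloc(int width, int height)
{
    QEMUCursor *c;
    size_t datasize;

    /* Reject negative or over-large dimensions before any arithmetic. */
    if (width < 0 || height < 0 || width > 512 || height > 512) {
        return NULL;
    }
    datasize = (size_t)width * (size_t)height * sizeof(uint32_t);

    /* … unchanged: g_malloc0 and field initialisation … */
```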
[OE-core] [hardknott][PATCH 2/2] qemu: fix CVE-2022-26354
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2022-26354.patch| 59 +++ 2 files changed, 60 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index aa372810ce..934e5ee932 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -77,6 +77,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-20196_2.patch \ file://CVE-2021-4145_1.patch \ file://CVE-2021-4145_2.patch \ + file://CVE-2022-26354.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch new file mode 100644 index 00..ae8c490177 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch 
@@ -0,0 +1,59 @@ +From 1c53fa2c574ebacf8bb20c73e35ae4b96dcf0476 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Mon, 28 Feb 2022 10:50:58 +0100 +Subject: [PATCH 3/3] vhost-vsock: detach the virqueue element in case of error + +In vhost_vsock_common_send_transport_reset(), if an element popped from +the virtqueue is invalid, we should call virtqueue_detach_element() to +detach it from the virtqueue before freeing its memory. + +Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device") +Fixes: CVE-2022-26354 +Cc: qemu-sta...@nongnu.org +Reported-by: VictorV +Signed-off-by: Stefano Garzarella +Message-Id: <20220228095058.27899-1-sgarz...@redhat.com> +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin + +Upstream-Status: Backport [8d1b247f3748ac4078524130c6d7ae42b6140aaf] +Signed-off-by: Sakib Sajal +--- + hw/virtio/vhost-vsock-common.c | 10 +++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c +index 5b2ebf349..45ea58c3a 100644 +--- a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c +@@ -129,19 +129,23 @@ static void vhost_vsock_common_send_transport_reset(VHostVSockCommon *vvc) + if (elem->out_num) { + error_report("invalid vhost-vsock event virtqueue element with " + "out buffers"); +-goto out; ++goto err; + } + + if (iov_from_buf(elem->in_sg, elem->in_num, 0, + , sizeof(event)) != sizeof(event)) { + error_report("vhost-vsock event virtqueue element is too short"); +-goto out; ++goto err; + } + + virtqueue_push(vq, elem, sizeof(event)); + virtio_notify(VIRTIO_DEVICE(vvc), vq); + +-out: ++g_free(elem); ++return; ++ ++err: ++virtqueue_detach_element(vq, elem, 0); + g_free(elem); + } + +-- +2.33.0 + -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. 
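Review bot: The patch header carries `Fixes: CVE-2022-26354` but, unlike the other backports in this series, no `CVE: CVE-2022-26354` tag line next to `Upstream-Status:`; I believe cve-check also picks the id up from the patch file name, so reporting should still work, but adding the tag keeps the headers consistent and survives a later rename. The code change itself reads correctly: the `err:` path now calls `virtqueue_detach_element(vq, elem, 0);` before `g_free(elem);`, and the success path frees and returns without detaching. The element is popped earlier in vhost_vsock_common_send_transport_reset(), outside the hunk.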
[OE-core] [hardknott][PATCH 1/2] qemu: fix CVE-2021-4145
Fix CVE by backporting relevant patches. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2021-4145_1.patch | 60 ++ .../qemu/qemu/CVE-2021-4145_2.patch | 83 +++ 3 files changed, 145 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 568ef1be94..aa372810ce 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -75,6 +75,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3930.patch \ file://CVE-2021-20196_1.patch \ file://CVE-2021-20196_2.patch \ + file://CVE-2021-4145_1.patch \ + file://CVE-2021-4145_2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch new file mode 100644 index 00..9ea6c7e47c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch 
@@ -0,0 +1,60 @@ +From 748bf90148bbbaedd75fe1b2c47b3617710523bd Mon Sep 17 00:00:00 2001 +From: Vladimir Sementsov-Ogievskiy +Date: Sat, 3 Jul 2021 00:16:36 +0300 +Subject: [PATCH 1/3] block/mirror: fix active mirror dead-lock in + mirror_wait_on_conflicts + +It's possible that requests start to wait each other in +mirror_wait_on_conflicts(). To avoid it let's use same technique as in +block/io.c in bdrv_wait_serialising_requests_locked() / +bdrv_find_conflicting_request(): don't wait on intersecting request if +it is already waiting for some other request. + +For details of the dead-lock look at testIntersectingActiveIO() +test-case which we actually fixing now. + +Fixes: d06107ade0ce74dc39739bac80de84b51ec18546 +Signed-off-by: Vladimir Sementsov-Ogievskiy +Message-Id: <20210702211636.228981-4-vsement...@virtuozzo.com> +Signed-off-by: Kevin Wolf + +Upstream-Status: Backport [d44dae1a7cf782ec9235746ebb0e6c1a20dd7288] +Signed-off-by: Sakib Sajal +--- + block/mirror.c | 12 + 1 file changed, 12 insertions(+) + +diff --git a/block/mirror.c b/block/mirror.c +index 8e1ad6ece..fab008568 100644 +--- a/block/mirror.c b/block/mirror.c +@@ -106,6 +106,7 @@ struct MirrorOp { + bool is_in_flight; + CoQueue waiting_requests; + Coroutine *co; ++MirrorOp *waiting_for_op; + + QTAILQ_ENTRY(MirrorOp) next; + }; +@@ -158,7 +159,18 @@ static void coroutine_fn mirror_wait_on_conflicts(MirrorOp *self, + if (ranges_overlap(self_start_chunk, self_nb_chunks, +op_start_chunk, op_nb_chunks)) + { ++/* ++ * If the operation is already (indirectly) waiting for us, or ++ * will wait for us as soon as it wakes up, then just go on ++ * (instead of producing a deadlock in the former case). ++ */ ++if (op->waiting_for_op) { ++continue; ++} ++ ++self->waiting_for_op = op; + qemu_co_queue_wait(>waiting_requests, NULL); ++self->waiting_for_op = NULL; + break; + } + } +-- +2.33.0 + 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch new file mode 100644 index 00..57f1dca5f0 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch @@ -0,0 +1,83 @@ +From ba51b041eea7da8faf955770092d6f6ba7f21037 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Fri, 10 Sep 2021 14:45:33 +0200 +Subject: [PATCH 2/3] block/mirror: fix NULL pointer dereference in + mirror_wait_on_conflicts() + +In mirror_iteration() we call mirror_wait_on_conflicts() with +`self` parameter set to NULL. + +Starting from commit d44dae1a7c we dereference `self` pointer in +mirror_wait_on_conflicts() without checks if it is not NULL. + +Backtrace: + Program terminated with signal SIGSEGV, Segmentation fault. + #0 mirror_wait_on_conflicts (self=0x0, s=, offset=, bytes=) + at ../block/mirror.c:172 + 172 self->waiting_for_op = op; + [Current thread is 1 (Thread 0x7f0908931ec0 (LWP 380249))] + (gdb) bt + #0 mirror_wait_on_conflicts (self=0x0, s=, offset=, bytes=) + at ../block/mirror.c:172 + #1 0x5610c5d9d631 in mirror_run (job=0x5610c76a2c00, errp=) at ../block/mirror.c:491 + #2 0x5610c5d58726 in job_co_entry (opaque=0x5610c76a2c00) at ../job.c:917 + #3 0x5610c5f046c6 in coroutine_trampoline (i0=, i1=) + at ../util/coroutine-ucontext.c:173 + #4 0x7f0909975820 in ?? () at ../sysdeps/unix/sysv/linux/x86_64/__start_context.S:91 +
[OE-core] [PATCH] perl: generate alternative link for streamzip
streamzip is also provided by io-compress-perl, so add an alternative link for streamzip. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/perl/perl_5.34.0.bb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/recipes-devtools/perl/perl_5.34.0.bb b/meta/recipes-devtools/perl/perl_5.34.0.bb index 8a1db7ed35..73fd2e0a79 100644 --- a/meta/recipes-devtools/perl/perl_5.34.0.bb +++ b/meta/recipes-devtools/perl/perl_5.34.0.bb @@ -220,7 +220,7 @@ ALTERNATIVE_PRIORITY = "100" ALTERNATIVE:${PN}-misc = "corelist cpan enc2xs encguess h2ph h2xs instmodsh json_pp libnetcfg \ piconv pl2pm pod2html pod2man pod2text pod2usage podchecker \ - prove ptar ptardiff ptargrep shasum splain xsubpp zipdetails" + prove ptar ptardiff ptargrep shasum splain streamzip xsubpp zipdetails" ALTERNATIVE_LINK_NAME[corelist] = "${bindir}/corelist" ALTERNATIVE_LINK_NAME[cpan] = "${bindir}/cpan" ALTERNATIVE_LINK_NAME[enc2xs] = "${bindir}/enc2xs" @@ -243,6 +243,7 @@ ALTERNATIVE_LINK_NAME[ptardiff] = "${bindir}/ptardiff" ALTERNATIVE_LINK_NAME[ptargrep] = "${bindir}/ptargrep" ALTERNATIVE_LINK_NAME[shasum] = "${bindir}/shasum" ALTERNATIVE_LINK_NAME[splain] = "${bindir}/splain" +ALTERNATIVE_LINK_NAME[streamzip] = "${bindir}/streamzip" ALTERNATIVE_LINK_NAME[xsubpp] = "${bindir}/xsubpp" ALTERNATIVE_LINK_NAME[zipdetails] = "${bindir}/zipdetails" -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#163436): https://lists.openembedded.org/g/openembedded-core/message/163436 Mute This Topic: https://lists.openembedded.org/mt/89856099/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [hardknott][PATCH] go: upgrade 1.16.13 -> 1.16.14
go 1.16.14 release includes fix for CVE-2022-23806. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/go/{go-1.16.13.inc => go-1.16.14.inc} | 4 ++-- ...o-binary-native_1.16.13.bb => go-binary-native_1.16.14.bb} | 4 ++-- ...cross-canadian_1.16.13.bb => go-cross-canadian_1.16.14.bb} | 0 .../go/{go-cross_1.16.13.bb => go-cross_1.16.14.bb} | 0 .../go/{go-crosssdk_1.16.13.bb => go-crosssdk_1.16.14.bb} | 0 .../go/{go-native_1.16.13.bb => go-native_1.16.14.bb} | 0 .../go/{go-runtime_1.16.13.bb => go-runtime_1.16.14.bb} | 0 meta/recipes-devtools/go/{go_1.16.13.bb => go_1.16.14.bb} | 0 8 files changed, 4 insertions(+), 4 deletions(-) rename meta/recipes-devtools/go/{go-1.16.13.inc => go-1.16.14.inc} (91%) rename meta/recipes-devtools/go/{go-binary-native_1.16.13.bb => go-binary-native_1.16.14.bb} (83%) rename meta/recipes-devtools/go/{go-cross-canadian_1.16.13.bb => go-cross-canadian_1.16.14.bb} (100%) rename meta/recipes-devtools/go/{go-cross_1.16.13.bb => go-cross_1.16.14.bb} (100%) rename meta/recipes-devtools/go/{go-crosssdk_1.16.13.bb => go-crosssdk_1.16.14.bb} (100%) rename meta/recipes-devtools/go/{go-native_1.16.13.bb => go-native_1.16.14.bb} (100%) rename meta/recipes-devtools/go/{go-runtime_1.16.13.bb => go-runtime_1.16.14.bb} (100%) rename meta/recipes-devtools/go/{go_1.16.13.bb => go_1.16.14.bb} (100%) diff --git a/meta/recipes-devtools/go/go-1.16.13.inc b/meta/recipes-devtools/go/go-1.16.14.inc similarity index 91% rename from meta/recipes-devtools/go/go-1.16.13.inc rename to meta/recipes-devtools/go/go-1.16.14.inc index 8675afc3bb..6482c6fa7c 100644 --- a/meta/recipes-devtools/go/go-1.16.13.inc +++ b/meta/recipes-devtools/go/go-1.16.14.inc @@ -1,7 +1,7 @@ require go-common.inc GO_BASEVERSION = "1.16" -PV = "1.16.13" +PV = "1.16.14" FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:" LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" 
@@ -18,7 +18,7 @@ SRC_URI += "\ file://0009-Revert-cmd-go-make-sure-CC-and-CXX-are-absolute.patch \ file://0001-encoding-xml-handle-leading-trailing-or-double-colon.patch \ " -SRC_URI[main.sha256sum] = "b0926654eaeb01ef43816638f42d7b1681f2d3f41b9559f07735522b7afad41a" +SRC_URI[main.sha256sum] = "467898cd3a216de54dcb9014f541efe77e9b79a7154dbc1fd2dd778b0c63fb56" # Upstream don't believe it is a signifiant real world issue and will only # fix in 1.17 onwards where we can drop this. diff --git a/meta/recipes-devtools/go/go-binary-native_1.16.13.bb b/meta/recipes-devtools/go/go-binary-native_1.16.14.bb similarity index 83% rename from meta/recipes-devtools/go/go-binary-native_1.16.13.bb rename to meta/recipes-devtools/go/go-binary-native_1.16.14.bb index 6e498a17be..419fc4ffcf 100644 --- a/meta/recipes-devtools/go/go-binary-native_1.16.13.bb +++ b/meta/recipes-devtools/go/go-binary-native_1.16.14.bb @@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" PROVIDES = "go-native" SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}; -SRC_URI[go_linux_amd64.sha256sum] = "275fc03c90c13b0bbff13125a43f1f7a9f9c00a0d5a9f2d5b16dbc2fa2c6e12a" -SRC_URI[go_linux_arm64.sha256sum] = "3dd8e14837105cbfedf7124c7f8c524ce492748c370036c7316ef99e18d116d7" +SRC_URI[go_linux_amd64.sha256sum] = "f4f5f02eb6809ac5bf19b5ad517b23504fd5fc036f6487651968ad36aa7a20e0" +SRC_URI[go_linux_arm64.sha256sum] = "5e59056e36704acb25809bcdb27191f27593cb7aba4d716b523008135a1e764a" UPSTREAM_CHECK_URI = "https://golang.org/dl/; UPSTREAM_CHECK_REGEX = "go(?P\d+(\.\d+)+)\.linux" diff --git a/meta/recipes-devtools/go/go-cross-canadian_1.16.13.bb b/meta/recipes-devtools/go/go-cross-canadian_1.16.14.bb similarity index 100% rename from meta/recipes-devtools/go/go-cross-canadian_1.16.13.bb rename to meta/recipes-devtools/go/go-cross-canadian_1.16.14.bb 
diff --git a/meta/recipes-devtools/go/go-cross_1.16.13.bb b/meta/recipes-devtools/go/go-cross_1.16.14.bb similarity index 100% rename from meta/recipes-devtools/go/go-cross_1.16.13.bb rename to meta/recipes-devtools/go/go-cross_1.16.14.bb diff --git a/meta/recipes-devtools/go/go-crosssdk_1.16.13.bb b/meta/recipes-devtools/go/go-crosssdk_1.16.14.bb similarity index 100% rename from meta/recipes-devtools/go/go-crosssdk_1.16.13.bb rename to meta/recipes-devtools/go/go-crosssdk_1.16.14.bb diff --git a/meta/recipes-devtools/go/go-native_1.16.13.bb b/meta/recipes-devtools/go/go-native_1.16.14.bb similarity index 100% rename from meta/recipes-devtools/go/go-native_1.16.13.bb rename to meta/recipes-devtools/go/go-native_1.16.14.bb diff --git a/meta/recipes-devtools/go/go-runtime_1.16.13.bb b/meta/recipes-devtools/go/go-runtime_1.16.14.bb similarit
Re: [OE-core] [hardknott] qemu CVE backports
Hi Anuj, The patches did go through. However, the patches are sent in two different threads, the first patch in one thread and patches 2 to 8 in another thread. Please merge the commits accordingly. Sorry for the noise. Sakib On 2022-02-02 11:21, Sakib Sajal wrote: Hi, I am having trouble sending multiple patches at a time. I will individually send the patches in reply to this mail. Sorry for the inconvenience. Sakib -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#161221): https://lists.openembedded.org/g/openembedded-core/message/161221 Mute This Topic: https://lists.openembedded.org/mt/88861937/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [hardknott] qemu CVE backports
Hi, I am having trouble sending multiple patches at a time. I will individually send the patches in reply to this mail. Sorry for the inconvenience. Sakib -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#161219): https://lists.openembedded.org/g/openembedded-core/message/161219 Mute This Topic: https://lists.openembedded.org/mt/88861937/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [hardknott][PATCH 5/8] qemu: fix CVE-2021-3713
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3713.patch | 68 +++ 2 files changed, 69 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 4198d3a52c..970aa96608 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -77,6 +77,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3595_1.patch \ file://CVE-2021-3595_2.patch \ file://CVE-2021-3594.patch \ + file://CVE-2021-3713.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch new file mode 100644 index 00..33fca66d3d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch 
@@ -0,0 +1,68 @@ +From 9a8f71ec660e67c51cc5905dd9d2a12ff78ce743 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 18 Aug 2021 14:05:05 +0200 +Subject: [PATCH 08/12] uas: add stream number sanity checks. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The device uses the guest-supplied stream number unchecked, which can +lead to guest-triggered out-of-band access to the UASDevice->data3 and +UASDevice->status3 fields. Add the missing checks. + +Fixes: CVE-2021-3713 +Signed-off-by: Gerd Hoffmann +Reported-by: Chen Zhe +Reported-by: Tan Jingguo +Reviewed-by: Philippe Mathieu-Daudé +Message-Id: <20210818120505.1258262-2-kra...@redhat.com> +(cherry picked from commit 13b250b12ad3c59114a6a17d59caf073ce45b33a) +Signed-off-by: Michael Roth + +Upstream-Status: Backport [36403e8788a264dc96174f52584681ebcb4f54b1] +CVE: CVE-2021-3713 + +Signed-off-by: Sakib Sajal +--- + hw/usb/dev-uas.c | 11 +++ + 1 file changed, 11 insertions(+) + +diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c +index cec071d96..157734eb0 100644 +--- a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c +@@ -831,6 +831,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + } + break; + case UAS_PIPE_ID_STATUS: ++if (p->stream > UAS_MAX_STREAMS) { ++goto err_stream; ++} + if (p->stream) { + QTAILQ_FOREACH(st, >results, next) { + if (st->stream == p->stream) { +@@ -858,6 +861,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + break; + case UAS_PIPE_ID_DATA_IN: + case UAS_PIPE_ID_DATA_OUT: ++if (p->stream > UAS_MAX_STREAMS) { ++goto err_stream; ++} + if (p->stream) { + req = usb_uas_find_request(uas, p->stream); + } else { +@@ -893,6 +899,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + p->status = USB_RET_STALL; + break; + } ++ ++err_stream: ++error_report("%s: invalid stream %d", __func__, p->stream); ++p->status = USB_RET_STALL; ++return; + } + + static void usb_uas_unrealize(USBDevice *dev) +-- +2.31.1 + -- 2.33.0 
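Review bot: The new `err_stream:` block sits directly after the switch's closing brace with no `return;` in between, so on the visible lines every packet that leaves the switch normally (via `break`) falls into `error_report("%s: invalid stream %d", ...)` and is stalled with `p->status = USB_RET_STALL;`, which would break all UAS traffic rather than only the invalid-stream case. Inserting `return;` between the switch's closing brace and the `err_stream:` label keeps the normal path intact. The `> UAS_MAX_STREAMS` comparison is only correct if data3/status3 are sized UAS_MAX_STREAMS + 1; the struct definition is outside the hunk, so it is worth confirming in the hardknott tree. usb_uas_handle_data() starts before the hunk.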
[OE-core] [hardknott][PATCH 8/8] qemu: fix CVE-2021-20196
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2021-20196_1.patch | 54 +++ .../qemu/qemu/CVE-2021-20196_2.patch | 67 +++ 3 files changed, 123 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 4a5379893c..3401fd7194 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -80,6 +80,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3713.patch \ file://CVE-2021-3748.patch \ file://CVE-2021-3930.patch \ + file://CVE-2021-20196_1.patch \ + file://CVE-2021-20196_2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch new file mode 100644 index 00..8b1ad0423b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch 
@@ -0,0 +1,54 @@ +From e907ff3d4cb7fd20d402f45355059e67d0dc93e7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 24 Nov 2021 17:15:34 +0100 +Subject: [PATCH 11/12] hw/block/fdc: Extract blk_create_empty_drive() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We are going to re-use this code in the next commit, +so extract it as a new blk_create_empty_drive() function. + +Inspired-by: Hanna Reitz +Signed-off-by: Philippe Mathieu-Daudé +Message-id: 20211124161536.631563-2-phi...@redhat.com +Signed-off-by: John Snow + +Upstream-Status: Backport [b154791e7b6d4ca5cdcd54443484d97360bd7ad2] +CVE: CVE-2021-20196 + +Signed-off-by: Sakib Sajal +--- + hw/block/fdc.c | 9 +++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 4c2c35e22..854b4f172 100644 +--- a/hw/block/fdc.c b/hw/block/fdc.c +@@ -61,6 +61,12 @@ + } while (0) + + ++/* Anonymous BlockBackend for empty drive */ ++static BlockBackend *blk_create_empty_drive(void) ++{ ++return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL); ++} ++ + // + /* qdev floppy bus */ + +@@ -543,8 +549,7 @@ static void floppy_drive_realize(DeviceState *qdev, Error **errp) + } + + if (!dev->conf.blk) { +-/* Anonymous BlockBackend for an empty drive */ +-dev->conf.blk = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL); ++dev->conf.blk = blk_create_empty_drive(); + ret = blk_attach_dev(dev->conf.blk, qdev); + assert(ret == 0); + +-- +2.31.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch new file mode 100644 index 00..dd442ccb8f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch 
@@ -0,0 +1,67 @@ +From 1d48445a951fd5504190a38abeda70ea9372cf77 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 24 Nov 2021 17:15:35 +0100 +Subject: [PATCH 12/12] hw/block/fdc: Kludge missing floppy drive to fix + CVE-2021-20196 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guest might select another drive on the bus by setting the +DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR). +The current controller model doesn't expect a BlockBackend +to be NULL. A simple way to fix CVE-2021-20196 is to create +an empty BlockBackend when it is missing. All further +accesses will be safely handled, and the controller state +machines keep behaving correctly. + +Cc: qemu-sta...@nongnu.org +Fixes: CVE-2021-20196 +Reported-by: Gaoning Pan (Ant Security Light-Year Lab) +Reviewed-by: Darren Kenny +Reviewed-by: Hanna Reitz +Signed-off-by: Philippe Mathieu-Daudé +Message-id: 20211124161536.631563-3-phi...@redhat.com +BugLink: https://bugs.launchpad.net/qemu/+bug/1912780 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338 +Reviewed-by: Darren Kenny +Reviewed-by: Hanna Reitz +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: John Snow + +Upstream-Status: Backport [1ab95af033a419e7a64e2d58e67dd96b20af5233] +CVE: CVE-2021-20196 + +Signed-off-by: Sakib Sajal +--- + hw/block/fdc.c | 14 +- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 854b4f172..a736c4d14 100644 +--- a/hw/block/fdc.c b/hw/block/fdc.c +@@ -1365,7 +1365,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit) + + static FDrive *get_cur_drv(FDCtrl *fdctrl) + { +-return get_drv(fdctrl, fdctrl->cur_drv); ++FDrive *cur_dr
[OE-core] [hardknott][PATCH 6/8] qemu: fix CVE-2021-3748
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3748.patch | 127 ++ 2 files changed, 128 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 970aa96608..7648ce9a38 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -78,6 +78,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3595_2.patch \ file://CVE-2021-3594.patch \ file://CVE-2021-3713.patch \ + file://CVE-2021-3748.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch new file mode 100644 index 00..4765f24739 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch 
@@ -0,0 +1,127 @@ +From bacc200f623647632258f7efc0f098ac30dd4225 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Thu, 2 Sep 2021 13:44:12 +0800 +Subject: [PATCH 09/12] virtio-net: fix use after unmap/free for sg + +When mergeable buffer is enabled, we try to set the num_buffers after +the virtqueue elem has been unmapped. This will lead several issues, +E.g a use after free when the descriptor has an address which belongs +to the non direct access region. In this case we use bounce buffer +that is allocated during address_space_map() and freed during +address_space_unmap(). + +Fixing this by storing the elems temporarily in an array and delay the +unmap after we set the the num_buffers. + +This addresses CVE-2021-3748. + +Reported-by: Alexander Bulekov +Fixes: fbe78f4f55c6 ("virtio-net support") +Cc: qemu-sta...@nongnu.org +Signed-off-by: Jason Wang + +Upstream-Status: Backport [bedd7e93d01961fcb16a97ae45d93acf357e11f6] +CVE: CVE-2021-3748 + +Signed-off-by: Sakib Sajal +--- + hw/net/virtio-net.c | 39 --- + 1 file changed, 32 insertions(+), 7 deletions(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 9179013ac..df1d30e2c 100644 +--- a/hw/net/virtio-net.c b/hw/net/virtio-net.c +@@ -1665,10 +1665,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + VirtIONet *n = qemu_get_nic_opaque(nc); + VirtIONetQueue *q = virtio_net_get_subqueue(nc); + VirtIODevice *vdev = VIRTIO_DEVICE(n); ++VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE]; ++size_t lens[VIRTQUEUE_MAX_SIZE]; + struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE]; + struct virtio_net_hdr_mrg_rxbuf mhdr; + unsigned mhdr_cnt = 0; +-size_t offset, i, guest_offset; ++size_t offset, i, guest_offset, j; ++ssize_t err; + + if (!virtio_net_can_receive(nc)) { + return -1; +@@ -1699,6 +1702,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + + total = 0; + ++if (i == VIRTQUEUE_MAX_SIZE) { ++virtio_error(vdev, "virtio-net unexpected long buffer chain"); 
++err = size; ++goto err; ++} ++ + elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); + if (!elem) { + if (i) { +@@ -1710,7 +1719,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + n->guest_hdr_len, n->host_hdr_len, + vdev->guest_features); + } +-return -1; ++err = -1; ++goto err; + } + + if (elem->in_num < 1) { +@@ -1718,7 +1728,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + "virtio-net receive queue contains no in buffers"); + virtqueue_detach_element(q->rx_vq, elem, 0); + g_free(elem); +-return -1; ++err = -1; ++goto err; + } + + sg = elem->in_sg; +@@ -1755,12 +1766,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + if (!n->mergeable_rx_bufs && offset < size) { + virtqueue_unpop(q->rx_vq, elem, total); + g_free(elem); +-return size; ++err = size; ++goto err; + } + +-/* signal other side */ +-virtqueue_fill(q->rx_vq, elem, total, i++); +-g_free(elem); ++elems[i] = elem; ++lens[i] = total; ++i++; + } + + if (mhdr_cnt) { +@@ -1770,10 +1782,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + _buffers, sizeof mhdr.num_buffers); + } + ++for (j = 0; j < i; j++) { ++/* signal other side */ ++virtqueue_fil
[OE-core] [hardknott][PATCH 3/8] qemu: fix CVE-2021-3595
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2021-3595_1.patch | 41 +++ .../qemu/qemu/CVE-2021-3595_2.patch | 253 ++ 3 files changed, 296 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 6b544a4344..811bdff426 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -74,6 +74,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3592_2.patch \ file://CVE-2021-3592_3.patch \ file://CVE-2021-3593.patch \ + file://CVE-2021-3595_1.patch \ + file://CVE-2021-3595_2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch new file mode 100644 index 00..9a0d39aa05 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch 
@@ -0,0 +1,41 @@ +From 6b62a09d6c264cb84f560a418beb027f47bc5069 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:34:30 +0400 +Subject: [PATCH 05/12] tftp: check tftp_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3595 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46 + +Signed-off-by: Marc-André Lureau + +Upstream-Status: Backport [3f17948137155f025f7809fdc38576d5d2451c3d] +CVE: CVE-2021-3595 + +Signed-off-by: Sakib Sajal +--- + slirp/src/tftp.c | 6 +- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c +index c6950ee10..e06911d42 100644 +--- a/slirp/src/tftp.c b/slirp/src/tftp.c +@@ -446,7 +446,11 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas, + + void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m) + { +-struct tftp_t *tp = (struct tftp_t *)m->m_data; ++struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf)); ++ ++if (tp == NULL) { ++return; ++} + + switch (ntohs(tp->tp_op)) { + case TFTP_RRQ: +-- +2.31.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch new file mode 100644 index 00..2c95bf74a1 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch 
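Review bot: The new early `return` in tftp_input() drops a datagram shorter than the fixed TFTP header without a word of explanation, and the only trace of the drop is the `DEBUG_ERROR("mtod failed")` inside mtod_check() itself (added by CVE-2021-3592_1.patch earlier in this series). A one-line comment makes the intent clear to the next reader: `/* datagram shorter than the TFTP header: drop it, mtod_check() has logged it */`. Note also that `offsetof(struct tftp_t, x.tp_buf)` only guarantees the fixed header is present; whatever the opcode handlers read from `tp_buf` (outside this hunk) still has to be bounded by the mbuf length, which is what the companion CVE-2021-3595_2.patch sets out to address.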
@@ -0,0 +1,253 @@ +From d71caef98e331268519578fc0437e2ac02586940 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 20:01:20 +0400 +Subject: [PATCH 06/12] tftp: introduce a header structure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Instead of using a composed structure and potentially reading past the +incoming buffer, use a different structure for the header. + +Signed-off-by: Marc-André Lureau + +Upstream-Status: Backport [990163cf3ac86b7875559f49602c4d76f46f6f30] +CVE: CVE-2021-3595 + +Signed-off-by: Sakib Sajal +--- + slirp/src/tftp.c | 60 +--- + slirp/src/tftp.h | 6 - + 2 files changed, 36 insertions(+), 30 deletions(-) + +diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c +index e06911d42..a19c889d3 100644 +--- a/slirp/src/tftp.c b/slirp/src/tftp.c +@@ -50,7 +50,7 @@ static void tftp_session_terminate(struct tftp_session *spt) + } + + static int tftp_session_allocate(Slirp *slirp, struct sockaddr_storage *srcsas, +- struct tftp_t *tp) ++ struct tftphdr *hdr) + { + struct tftp_session *spt; + int k; +@@ -75,7 +75,7 @@ found: + memcpy(>client_addr, srcsas, sockaddr_size(srcsas)); + spt->fd = -1; + spt->block_size = 512; +-spt->client_port = tp->udp.uh_sport; ++spt->client_port = hdr->udp.uh_sport; + spt->slirp = slirp; + + tftp_session_update(spt); +@@ -84,7 +84,7 @@ found: + } + + static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas, +- struct tftp_t *tp) ++ struct tftphdr *hdr) + { + struct tftp_session *spt; + int k; +@@ -94,7 +94,7 @@ static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas, + + if (tftp_session_in_use(spt)) { + if (sockaddr_equal(>client_addr, srcsas)) { +-if (spt->client_port == tp->udp.uh_sport) { ++if (spt->client_port == hdr->udp.uh_sport) { + return k; + } + } +@@ -148,13 +148,13 @@ static struct tftp_t *tftp_prep_mbuf_dat
[OE-core] [hardknott][PATCH 1/8] qemu: fix CVE-2021-3592
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 3 + .../qemu/qemu/CVE-2021-3592_1.patch | 58 ++ .../qemu/qemu/CVE-2021-3592_2.patch | 165 ++ .../qemu/qemu/CVE-2021-3592_3.patch | 40 + 4 files changed, 266 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 463339e42b..6c00bf274b 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -70,6 +70,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3607.patch \ file://CVE-2021-3608.patch \ file://CVE-2021-3682.patch \ + file://CVE-2021-3592_1.patch \ + file://CVE-2021-3592_2.patch \ + file://CVE-2021-3592_3.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch new file mode 100644 index 00..e374959594 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch 
@@ -0,0 +1,58 @@ +From 0123c625aed2ed0679fa8c084104699d918c1da6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 15:58:25 +0400 +Subject: [PATCH 01/12] Add mtod_check() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Recent security issues demonstrate the lack of safety care when casting +a mbuf to a particular structure type. At least, it should check that +the buffer is large enough. The following patches will make use of this +function. + +Signed-off-by: Marc-André Lureau + +Upstream-Status: Backport [93e645e72a056ec0b2c16e0299fc5c6b94e4ca17] +CVE: CVE-2021-3592 + +Signed-off-by: Sakib Sajal +--- + slirp/src/mbuf.c | 11 +++ + slirp/src/mbuf.h | 1 + + 2 files changed, 12 insertions(+) + +diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c +index 54ec721eb..cb2e97108 100644 +--- a/slirp/src/mbuf.c b/slirp/src/mbuf.c +@@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat) + + return (struct mbuf *)0; + } ++ ++void *mtod_check(struct mbuf *m, size_t len) ++{ ++if (m->m_len >= len) { ++return m->m_data; ++} ++ ++DEBUG_ERROR("mtod failed"); ++ ++return NULL; ++} +diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h +index 546e7852c..2015e3232 100644 +--- a/slirp/src/mbuf.h b/slirp/src/mbuf.h +@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int); + void m_adj(struct mbuf *, int); + int m_copy(struct mbuf *, struct mbuf *, int, int); + struct mbuf *dtom(Slirp *, void *); ++void *mtod_check(struct mbuf *, size_t len); + + static inline void ifs_init(struct mbuf *ifm) + { +-- +2.31.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch new file mode 100644 index 00..799a95417e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch 
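Review bot: In the new mtod_check(), `if (m->m_len >= len)` compares `m_len` (an `int` in slirp's `struct mbuf`, which this hunk does not show) against a `size_t`, so a negative `m_len` is promoted to a very large unsigned value and the check passes instead of failing. This matters because the call sites added in the companion patches (the udp6_input hunk in CVE-2021-3593.patch, the udp_input hunk in CVE-2021-3594.patch) call it right after adjusting or combining the length with `iphlen`; a safer form is `if (m->m_len >= 0 && (size_t)m->m_len >= len) {`. The prototype added to mbuf.h also mixes an unnamed first parameter with a named `len`, unlike the neighbouring declarations; `void *mtod_check(struct mbuf *m, size_t len);` keeps the header consistent.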
@@ -0,0 +1,165 @@ +From fc2a4797f55016e78f2cde4806b05368fa5b7a97 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 19:25:28 +0400 +Subject: [PATCH 02/12] bootp: limit vendor-specific area to input packet + memory buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field +from the structure, to help with the following patch checking for +minimal header size. Modify the bootp_reply() function to take the +buffer boundaries and avoiding potential buffer overflow. + +Related to CVE-2021-3592. + +https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44 + +Signed-off-by: Marc-André Lureau + +Upstream-Status: Backport [f13cad45b25d92760bb0ad67bec0300a4d7d5275] +CVE: CVE-2021-3592 + +Signed-off-by: Sakib Sajal +--- + slirp/src/bootp.c | 26 +++--- + slirp/src/bootp.h | 2 +- + slirp/src/mbuf.c | 5 + + slirp/src/mbuf.h | 1 + + 4 files changed, 22 insertions(+), 12 deletions(-) + +diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c +index 46e96810a..e0db8d196 100644 +--- a/slirp/src/bootp.c b/slirp/src/bootp.c +@@ -92,21 +92,22 @@ found: + return bc; + } + +-static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, ++static void dhcp_decode(const struct bootp_t *bp, ++const uint8_t *bp_end, ++int *pmsg_type, + struct in_addr *preq_addr) + { +-const uint8_t *p, *p_end; ++const uint8_t *p; + int len, tag; + + *pmsg_type = 0; + preq_addr->s_addr = htonl(0L);
[OE-core] [hardknott][PATCH 2/8] qemu: fix CVE-2021-3593
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3593.patch | 40 +++ 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 6c00bf274b..6b544a4344 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -73,6 +73,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3592_1.patch \ file://CVE-2021-3592_2.patch \ file://CVE-2021-3592_3.patch \ + file://CVE-2021-3593.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch new file mode 100644 index 00..dd14c240a8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch 
@@ -0,0 +1,40 @@ +From fe99634066e1074aaf55e83b576385877d7e4bcc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:32:55 +0400 +Subject: [PATCH 04/12] upd6: check udp6_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3593 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45 + +Signed-off-by: Marc-André Lureau + +Upstream-Status: Backport [de71c15de66ba9350bf62c45b05f8fbff166517b] +CVE: CVE-2021-3593 + +Signed-off-by: Sakib Sajal +--- + slirp/src/udp6.c | 5 - + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/slirp/src/udp6.c b/slirp/src/udp6.c +index 6f9486bbc..8c490e4d1 100644 +--- a/slirp/src/udp6.c b/slirp/src/udp6.c +@@ -28,7 +28,10 @@ void udp6_input(struct mbuf *m) + ip = mtod(m, struct ip6 *); + m->m_len -= iphlen; + m->m_data += iphlen; +-uh = mtod(m, struct udphdr *); ++uh = mtod_check(m, sizeof(struct udphdr)); ++if (uh == NULL) { ++goto bad; ++} + m->m_len += iphlen; + m->m_data -= iphlen; + +-- +2.31.1 + -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#161215): https://lists.openembedded.org/g/openembedded-core/message/161215 Mute This Topic: https://lists.openembedded.org/mt/88860990/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
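Review bot: On the failure path added here, `goto bad` jumps while `m->m_len` and `m->m_data` are still shifted by `iphlen` (the restoring `m->m_len += iphlen; m->m_data -= iphlen;` lines are skipped), so if the `bad:` label, which lies outside the hunk, does anything with the mbuf beyond freeing it, it sees the wrong data pointer and length. Checking before the shift, `if (mtod_check(m, iphlen + sizeof(struct udphdr)) == NULL) { goto bad; }`, avoids that and mirrors the form used in the udp_input hunk of CVE-2021-3594.patch. It also sidesteps a second problem: after `m->m_len -= iphlen` a too-short mbuf leaves `m_len` negative, which mtod_check() as written (a signed-versus-`size_t` comparison) does not reject. The rest of udp6_input() is outside the hunk.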
[OE-core] [hardknott][PATCH 7/8] qemu: fix CVE-2021-3930
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3930.patch | 53 +++ 2 files changed, 54 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 7648ce9a38..4a5379893c 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -79,6 +79,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3594.patch \ file://CVE-2021-3713.patch \ file://CVE-2021-3748.patch \ + file://CVE-2021-3930.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch new file mode 100644 index 00..bfbe5cee33 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch 
@@ -0,0 +1,53 @@ +From cdca50eff9c38367be54f92839734ab490c8b0f7 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Thu, 4 Nov 2021 17:31:38 +0100 +Subject: [PATCH 10/12] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE + SELECT commands + +This avoids an off-by-one read of 'mode_sense_valid' buffer in +hw/scsi/scsi-disk.c:mode_sense_page(). + +Fixes: CVE-2021-3930 +Cc: qemu-sta...@nongnu.org +Reported-by: Alexander Bulekov +Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table") +Fixes: #546 +Reported-by: Qiuhao Li +Signed-off-by: Mauro Matteo Cascella +Signed-off-by: Paolo Bonzini + +Upstream-Status: Backport [b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8] +CVE: CVE-2021-3930 + +Signed-off-by: Sakib Sajal +--- + hw/scsi/scsi-disk.c | 6 ++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +index 90841ad79..5b44ed7d8 100644 +--- a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +@@ -1100,6 +1100,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf, + uint8_t *p = *p_outbuf + 2; + int length; + ++assert(page < ARRAY_SIZE(mode_sense_valid)); + if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { + return -1; + } +@@ -1441,6 +1442,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page, + return -1; + } + ++/* MODE_PAGE_ALLS is only valid for MODE SENSE commands */ ++if (page == MODE_PAGE_ALLS) { ++return -1; ++} ++ + p = mode_current; + memset(mode_current, 0, inlen + 2); + len = mode_sense_page(s, page, , 0); +-- +2.31.1 + -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#161211): https://lists.openembedded.org/g/openembedded-core/message/161211 Mute This Topic: https://lists.openembedded.org/mt/88860986/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
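Review bot: The new `assert(page < ARRAY_SIZE(mode_sense_valid))` in mode_sense_page() compares the `int page` from the signature against a `size_t` (assuming QEMU's ARRAY_SIZE yields one), so a negative page value is promoted to a large unsigned and passes the assertion before `mode_sense_valid[page]` is indexed; `assert(page >= 0 && (size_t)page < ARRAY_SIZE(mode_sense_valid));` covers both directions. Since an assert() in device emulation aborts the whole VM, it is also worth stating that this is an invariant rather than input validation, now that the second hunk rejects MODE_PAGE_ALLS on the MODE SELECT path before it can reach here: `/* callers reject MODE_PAGE_ALLS before calling; this is an invariant, not guest input validation */`. Both enclosing functions begin and end outside the hunks.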
[OE-core] [hardknott][PATCH 4/8] qemu: fix CVE-2021-3594
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3594.patch | 40 +++ 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 811bdff426..4198d3a52c 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -76,6 +76,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3593.patch \ file://CVE-2021-3595_1.patch \ file://CVE-2021-3595_2.patch \ + file://CVE-2021-3594.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch new file mode 100644 index 00..c99ba7a7cc --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch 
@@ -0,0 +1,40 @@ +From 7a5ffd5475f2cbfe3cf91d9584893f1a4b3b4dff Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:40:23 +0400 +Subject: [PATCH 07/12] udp: check upd_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3594 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47 + +Signed-off-by: Marc-André Lureau + +Upstream-Status: Backport [74572be49247c8c5feae7c6e0b50c4f569ca9824] +CVE: CVE-2021-3594 + +Signed-off-by: Sakib Sajal +--- + slirp/src/udp.c | 5 - + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/slirp/src/udp.c b/slirp/src/udp.c +index 0ad44d7c0..18b4acdfa 100644 +--- a/slirp/src/udp.c b/slirp/src/udp.c +@@ -93,7 +93,10 @@ void udp_input(register struct mbuf *m, int iphlen) + /* + * Get IP and UDP header together in first mbuf. + */ +-ip = mtod(m, struct ip *); ++ip = mtod_check(m, iphlen + sizeof(struct udphdr)); ++if (ip == NULL) { ++goto bad; ++} + uh = (struct udphdr *)((char *)ip + iphlen); + + /* +-- +2.31.1 + -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#161210): https://lists.openembedded.org/g/openembedded-core/message/161210 Mute This Topic: https://lists.openembedded.org/mt/88860985/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
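Review bot: `mtod_check(m, iphlen + sizeof(struct udphdr))` adds the `int iphlen` from udp_input()'s signature to a `size_t`, so a negative `iphlen` would wrap to a huge length; the check then fails and the packet is dropped, which is safe, but the rejection relies on unsigned wrap-around rather than saying so. An explicit `iphlen >= 0` guard, or at least a comment such as `/* need the IP header (iphlen) and the UDP header in the first mbuf */` above the call, would make the intent of the combined length clear. The same patch is posted again byte-for-byte as the later copy of [hardknott][PATCH 4/8] on this page and quoted in the "Please disregard" reply, so one fix covers all three. The rest of udp_input() is outside the hunk.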
Re: [OE-core] [hardknott][PATCH 2/8] qemu: fix CVE-2021-3593
Please disregard, sorry for the barrage of incomplete patch set. On 2022-01-14 1:03 p.m., Sakib Sajal wrote: Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3593.patch | 40 +++ 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 6c00bf274b..6b544a4344 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -73,6 +73,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3592_1.patch \ file://CVE-2021-3592_2.patch \ file://CVE-2021-3592_3.patch \ + file://CVE-2021-3593.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch new file mode 100644 index 00..dd14c240a8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch 
@@ -0,0 +1,40 @@ +From fe99634066e1074aaf55e83b576385877d7e4bcc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:32:55 +0400 +Subject: [PATCH 04/12] upd6: check udp6_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3593 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45 + +Signed-off-by: Marc-André Lureau + +Upstream-Status: Backport [de71c15de66ba9350bf62c45b05f8fbff166517b] +CVE: CVE-2021-3593 + +Signed-off-by: Sakib Sajal +--- + slirp/src/udp6.c | 5 - + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/slirp/src/udp6.c b/slirp/src/udp6.c +index 6f9486bbc..8c490e4d1 100644 +--- a/slirp/src/udp6.c b/slirp/src/udp6.c +@@ -28,7 +28,10 @@ void udp6_input(struct mbuf *m) + ip = mtod(m, struct ip6 *); + m->m_len -= iphlen; + m->m_data += iphlen; +-uh = mtod(m, struct udphdr *); ++uh = mtod_check(m, sizeof(struct udphdr)); ++if (uh == NULL) { ++goto bad; ++} + m->m_len += iphlen; + m->m_data -= iphlen; + +-- +2.31.1 + -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#160583): https://lists.openembedded.org/g/openembedded-core/message/160583 Mute This Topic: https://lists.openembedded.org/mt/88427080/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [hardknott][PATCH 4/8] qemu: fix CVE-2021-3594
Please disregard, sorry for the barrage of incomplete patch set. On 2022-01-14 1:03 p.m., Sakib Sajal wrote: Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3594.patch | 40 +++ 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 811bdff426..4198d3a52c 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -76,6 +76,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3593.patch \ file://CVE-2021-3595_1.patch \ file://CVE-2021-3595_2.patch \ + file://CVE-2021-3594.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch new file mode 100644 index 00..c99ba7a7cc --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch 
@@ -0,0 +1,40 @@ +From 7a5ffd5475f2cbfe3cf91d9584893f1a4b3b4dff Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:40:23 +0400 +Subject: [PATCH 07/12] udp: check upd_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3594 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47 + +Signed-off-by: Marc-André Lureau + +Upstream-Status: Backport [74572be49247c8c5feae7c6e0b50c4f569ca9824] +CVE: CVE-2021-3594 + +Signed-off-by: Sakib Sajal +--- + slirp/src/udp.c | 5 - + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/slirp/src/udp.c b/slirp/src/udp.c +index 0ad44d7c0..18b4acdfa 100644 +--- a/slirp/src/udp.c b/slirp/src/udp.c +@@ -93,7 +93,10 @@ void udp_input(register struct mbuf *m, int iphlen) + /* + * Get IP and UDP header together in first mbuf. + */ +-ip = mtod(m, struct ip *); ++ip = mtod_check(m, iphlen + sizeof(struct udphdr)); ++if (ip == NULL) { ++goto bad; ++} + uh = (struct udphdr *)((char *)ip + iphlen); + + /* +-- +2.31.1 + -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#160582): https://lists.openembedded.org/g/openembedded-core/message/160582 Mute This Topic: https://lists.openembedded.org/mt/88427076/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [hardknott][PATCH 8/8] qemu: fix CVE-2021-20196
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2021-20196_1.patch | 54 +++ .../qemu/qemu/CVE-2021-20196_2.patch | 67 +++ 3 files changed, 123 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 4a5379893c..3401fd7194 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -80,6 +80,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3713.patch \ file://CVE-2021-3748.patch \ file://CVE-2021-3930.patch \ + file://CVE-2021-20196_1.patch \ + file://CVE-2021-20196_2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch new file mode 100644 index 00..8b1ad0423b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch 
@@ -0,0 +1,54 @@ +From e907ff3d4cb7fd20d402f45355059e67d0dc93e7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 24 Nov 2021 17:15:34 +0100 +Subject: [PATCH 11/12] hw/block/fdc: Extract blk_create_empty_drive() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We are going to re-use this code in the next commit, +so extract it as a new blk_create_empty_drive() function. + +Inspired-by: Hanna Reitz +Signed-off-by: Philippe Mathieu-Daudé +Message-id: 20211124161536.631563-2-phi...@redhat.com +Signed-off-by: John Snow + +Upstream-Status: Backport [b154791e7b6d4ca5cdcd54443484d97360bd7ad2] +CVE: CVE-2021-20196 + +Signed-off-by: Sakib Sajal +--- + hw/block/fdc.c | 9 +++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 4c2c35e22..854b4f172 100644 +--- a/hw/block/fdc.c b/hw/block/fdc.c +@@ -61,6 +61,12 @@ + } while (0) + + ++/* Anonymous BlockBackend for empty drive */ ++static BlockBackend *blk_create_empty_drive(void) ++{ ++return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL); ++} ++ + // + /* qdev floppy bus */ + +@@ -543,8 +549,7 @@ static void floppy_drive_realize(DeviceState *qdev, Error **errp) + } + + if (!dev->conf.blk) { +-/* Anonymous BlockBackend for an empty drive */ +-dev->conf.blk = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL); ++dev->conf.blk = blk_create_empty_drive(); + ret = blk_attach_dev(dev->conf.blk, qdev); + assert(ret == 0); + +-- +2.31.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch new file mode 100644 index 00..dd442ccb8f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch 
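Review bot: The extracted blk_create_empty_drive() carries only the one-line `/* Anonymous BlockBackend for empty drive */` comment, and since the next patch in this series adds a second caller, it should state the contract: the backend is created by blk_new() with no block driver state inserted, and the caller owns the returned reference and must attach it (as floppy_drive_realize() does with blk_attach_dev()) or release it. Something like `/* Create an anonymous, empty BlockBackend (no medium inserted). The caller owns the returned reference and must attach or unref it. */` would do.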
@@ -0,0 +1,67 @@ +From 1d48445a951fd5504190a38abeda70ea9372cf77 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 24 Nov 2021 17:15:35 +0100 +Subject: [PATCH 12/12] hw/block/fdc: Kludge missing floppy drive to fix + CVE-2021-20196 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guest might select another drive on the bus by setting the +DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR). +The current controller model doesn't expect a BlockBackend +to be NULL. A simple way to fix CVE-2021-20196 is to create +an empty BlockBackend when it is missing. All further +accesses will be safely handled, and the controller state +machines keep behaving correctly. + +Cc: qemu-sta...@nongnu.org +Fixes: CVE-2021-20196 +Reported-by: Gaoning Pan (Ant Security Light-Year Lab) +Reviewed-by: Darren Kenny +Reviewed-by: Hanna Reitz +Signed-off-by: Philippe Mathieu-Daudé +Message-id: 20211124161536.631563-3-phi...@redhat.com +BugLink: https://bugs.launchpad.net/qemu/+bug/1912780 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338 +Reviewed-by: Darren Kenny +Reviewed-by: Hanna Reitz +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: John Snow + +Upstream-Status: Backport [1ab95af033a419e7a64e2d58e67dd96b20af5233] +CVE: CVE-2021-20196 + +Signed-off-by: Sakib Sajal +--- + hw/block/fdc.c | 14 +- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 854b4f172..a736c4d14 100644 +--- a/hw/block/fdc.c b/hw/block/fdc.c +@@ -1365,7 +1365,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit) + + static FDrive *get_cur_drv(FDCtrl *fdctrl) + { +-return get_drv(fdctrl, fdctrl->cur_drv); ++FDrive *cur_dr
[OE-core] [hardknott][PATCH 4/8] qemu: fix CVE-2021-3594
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3594.patch | 40 +++ 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 811bdff426..4198d3a52c 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -76,6 +76,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3593.patch \ file://CVE-2021-3595_1.patch \ file://CVE-2021-3595_2.patch \ + file://CVE-2021-3594.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch new file mode 100644 index 00..c99ba7a7cc --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch 
@@ -0,0 +1,40 @@ +From 7a5ffd5475f2cbfe3cf91d9584893f1a4b3b4dff Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:40:23 +0400 +Subject: [PATCH 07/12] udp: check upd_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3594 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47 + +Signed-off-by: Marc-André Lureau + +Upstream-Status: Backport [74572be49247c8c5feae7c6e0b50c4f569ca9824] +CVE: CVE-2021-3594 + +Signed-off-by: Sakib Sajal +--- + slirp/src/udp.c | 5 - + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/slirp/src/udp.c b/slirp/src/udp.c +index 0ad44d7c0..18b4acdfa 100644 +--- a/slirp/src/udp.c b/slirp/src/udp.c +@@ -93,7 +93,10 @@ void udp_input(register struct mbuf *m, int iphlen) + /* + * Get IP and UDP header together in first mbuf. + */ +-ip = mtod(m, struct ip *); ++ip = mtod_check(m, iphlen + sizeof(struct udphdr)); ++if (ip == NULL) { ++goto bad; ++} + uh = (struct udphdr *)((char *)ip + iphlen); + + /* +-- +2.31.1 + -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#160576): https://lists.openembedded.org/g/openembedded-core/message/160576 Mute This Topic: https://lists.openembedded.org/mt/88426915/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [hardknott][PATCH 6/8] qemu: fix CVE-2021-3748
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3748.patch | 127 ++ 2 files changed, 128 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 970aa96608..7648ce9a38 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -78,6 +78,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3595_2.patch \ file://CVE-2021-3594.patch \ file://CVE-2021-3713.patch \ + file://CVE-2021-3748.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch new file mode 100644 index 00..4765f24739 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch 
@@ -0,0 +1,127 @@ +From bacc200f623647632258f7efc0f098ac30dd4225 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Thu, 2 Sep 2021 13:44:12 +0800 +Subject: [PATCH 09/12] virtio-net: fix use after unmap/free for sg + +When mergeable buffer is enabled, we try to set the num_buffers after +the virtqueue elem has been unmapped. This will lead several issues, +E.g a use after free when the descriptor has an address which belongs +to the non direct access region. In this case we use bounce buffer +that is allocated during address_space_map() and freed during +address_space_unmap(). + +Fixing this by storing the elems temporarily in an array and delay the +unmap after we set the the num_buffers. + +This addresses CVE-2021-3748. + +Reported-by: Alexander Bulekov +Fixes: fbe78f4f55c6 ("virtio-net support") +Cc: qemu-sta...@nongnu.org +Signed-off-by: Jason Wang + +Upstream-Status: Backport [bedd7e93d01961fcb16a97ae45d93acf357e11f6] +CVE: CVE-2021-3748 + +Signed-off-by: Sakib Sajal +--- + hw/net/virtio-net.c | 39 --- + 1 file changed, 32 insertions(+), 7 deletions(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 9179013ac..df1d30e2c 100644 +--- a/hw/net/virtio-net.c b/hw/net/virtio-net.c +@@ -1665,10 +1665,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + VirtIONet *n = qemu_get_nic_opaque(nc); + VirtIONetQueue *q = virtio_net_get_subqueue(nc); + VirtIODevice *vdev = VIRTIO_DEVICE(n); ++VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE]; ++size_t lens[VIRTQUEUE_MAX_SIZE]; + struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE]; + struct virtio_net_hdr_mrg_rxbuf mhdr; + unsigned mhdr_cnt = 0; +-size_t offset, i, guest_offset; ++size_t offset, i, guest_offset, j; ++ssize_t err; + + if (!virtio_net_can_receive(nc)) { + return -1; +@@ -1699,6 +1702,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + + total = 0; + ++if (i == VIRTQUEUE_MAX_SIZE) { ++virtio_error(vdev, "virtio-net unexpected long buffer chain"); 
++err = size; ++goto err; ++} ++ + elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); + if (!elem) { + if (i) { +@@ -1710,7 +1719,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + n->guest_hdr_len, n->host_hdr_len, + vdev->guest_features); + } +-return -1; ++err = -1; ++goto err; + } + + if (elem->in_num < 1) { +@@ -1718,7 +1728,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + "virtio-net receive queue contains no in buffers"); + virtqueue_detach_element(q->rx_vq, elem, 0); + g_free(elem); +-return -1; ++err = -1; ++goto err; + } + + sg = elem->in_sg; +@@ -1755,12 +1766,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + if (!n->mergeable_rx_bufs && offset < size) { + virtqueue_unpop(q->rx_vq, elem, total); + g_free(elem); +-return size; ++err = size; ++goto err; + } + +-/* signal other side */ +-virtqueue_fill(q->rx_vq, elem, total, i++); +-g_free(elem); ++elems[i] = elem; ++lens[i] = total; ++i++; + } + + if (mhdr_cnt) { +@@ -1770,10 +1782,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + _buffers, sizeof mhdr.num_buffers); + } + ++for (j = 0; j < i; j++) { ++/* signal other side */ ++virtqueue_fil
[OE-core] [hardknott][PATCH 2/8] qemu: fix CVE-2021-3593
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3593.patch | 40 +++ 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 6c00bf274b..6b544a4344 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -73,6 +73,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3592_1.patch \ file://CVE-2021-3592_2.patch \ file://CVE-2021-3592_3.patch \ + file://CVE-2021-3593.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch new file mode 100644 index 00..dd14c240a8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch 
@@ -0,0 +1,40 @@ +From fe99634066e1074aaf55e83b576385877d7e4bcc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:32:55 +0400 +Subject: [PATCH 04/12] upd6: check udp6_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3593 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45 + +Signed-off-by: Marc-André Lureau + +Upstream-Status: Backport [de71c15de66ba9350bf62c45b05f8fbff166517b] +CVE: CVE-2021-3593 + +Signed-off-by: Sakib Sajal +--- + slirp/src/udp6.c | 5 - + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/slirp/src/udp6.c b/slirp/src/udp6.c +index 6f9486bbc..8c490e4d1 100644 +--- a/slirp/src/udp6.c b/slirp/src/udp6.c +@@ -28,7 +28,10 @@ void udp6_input(struct mbuf *m) + ip = mtod(m, struct ip6 *); + m->m_len -= iphlen; + m->m_data += iphlen; +-uh = mtod(m, struct udphdr *); ++uh = mtod_check(m, sizeof(struct udphdr)); ++if (uh == NULL) { ++goto bad; ++} + m->m_len += iphlen; + m->m_data -= iphlen; + +-- +2.31.1 + -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#160575): https://lists.openembedded.org/g/openembedded-core/message/160575 Mute This Topic: https://lists.openembedded.org/mt/88426914/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
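Review bot: The added `goto bad` fires while `m->m_len` and `m->m_data` are still shifted by `iphlen` (the `m->m_len -= iphlen; m->m_data += iphlen;` lines precede the check and the restoring `m->m_len += iphlen; m->m_data -= iphlen;` lines come after it), so whatever the `bad:` label does with the mbuf sees an offset buffer; `bad:` is outside the hunk, so either confirm it does nothing but free `m`, or restore the two fields before the jump: `if (uh == NULL) { m->m_len += iphlen; m->m_data -= iphlen; goto bad; }`. The context line `ip = mtod(m, struct ip6 *)` remains an unchecked cast and relies on the caller having already verified that at least `sizeof(struct ip6)` bytes are present — not visible here, worth a comment such as `/* ip6_input has already checked m_len >= sizeof(struct ip6) */` once confirmed. udp6_input's body continues outside the hunk.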
[OE-core] [hardknott][PATCH 1/8] qemu: fix CVE-2021-3592
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 3 + .../qemu/qemu/CVE-2021-3592_1.patch | 58 ++ .../qemu/qemu/CVE-2021-3592_2.patch | 165 ++ .../qemu/qemu/CVE-2021-3592_3.patch | 40 + 4 files changed, 266 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 463339e42b..6c00bf274b 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -70,6 +70,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3607.patch \ file://CVE-2021-3608.patch \ file://CVE-2021-3682.patch \ + file://CVE-2021-3592_1.patch \ + file://CVE-2021-3592_2.patch \ + file://CVE-2021-3592_3.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch new file mode 100644 index 00..e374959594 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch 
@@ -0,0 +1,58 @@ +From 0123c625aed2ed0679fa8c084104699d918c1da6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 15:58:25 +0400 +Subject: [PATCH 01/12] Add mtod_check() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Recent security issues demonstrate the lack of safety care when casting +a mbuf to a particular structure type. At least, it should check that +the buffer is large enough. The following patches will make use of this +function. + +Signed-off-by: Marc-André Lureau + +Upstream-Status: Backport [93e645e72a056ec0b2c16e0299fc5c6b94e4ca17] +CVE: CVE-2021-3592 + +Signed-off-by: Sakib Sajal +--- + slirp/src/mbuf.c | 11 +++ + slirp/src/mbuf.h | 1 + + 2 files changed, 12 insertions(+) + +diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c +index 54ec721eb..cb2e97108 100644 +--- a/slirp/src/mbuf.c b/slirp/src/mbuf.c +@@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat) + + return (struct mbuf *)0; + } ++ ++void *mtod_check(struct mbuf *m, size_t len) ++{ ++if (m->m_len >= len) { ++return m->m_data; ++} ++ ++DEBUG_ERROR("mtod failed"); ++ ++return NULL; ++} +diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h +index 546e7852c..2015e3232 100644 +--- a/slirp/src/mbuf.h b/slirp/src/mbuf.h +@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int); + void m_adj(struct mbuf *, int); + int m_copy(struct mbuf *, struct mbuf *, int, int); + struct mbuf *dtom(Slirp *, void *); ++void *mtod_check(struct mbuf *, size_t len); + + static inline void ifs_init(struct mbuf *ifm) + { +-- +2.31.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch new file mode 100644 index 00..799a95417e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch 
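Review bot: `mtod_check` compares `m->m_len >= len` where `len` is a `size_t`; if `m_len` is a signed `int` (its declaration is not in this hunk) a negative `m_len` converts to a large unsigned value and the check passes, which matters because a later patch in this series calls the helper right after doing `m->m_len -= iphlen`. A guard of the form `if (m->m_len >= 0 && (size_t)m->m_len >= len)` makes the helper robust regardless of how callers adjust `m_len`. The diagnostic `DEBUG_ERROR("mtod failed")` identifies neither the caller nor the sizes involved; if DEBUG_ERROR takes printf-style arguments, logging the requested and available lengths would make fuzzer and log triage far easier. The new prototype in mbuf.h should carry its contract, e.g. `/* Return m->m_data if the mbuf holds at least len bytes, otherwise NULL; callers must handle NULL. */`.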
@@ -0,0 +1,165 @@ +From fc2a4797f55016e78f2cde4806b05368fa5b7a97 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 19:25:28 +0400 +Subject: [PATCH 02/12] bootp: limit vendor-specific area to input packet + memory buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field +from the structure, to help with the following patch checking for +minimal header size. Modify the bootp_reply() function to take the +buffer boundaries and avoiding potential buffer overflow. + +Related to CVE-2021-3592. + +https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44 + +Signed-off-by: Marc-André Lureau + +Upstream-Status: Backport [f13cad45b25d92760bb0ad67bec0300a4d7d5275] +CVE: CVE-2021-3592 + +Signed-off-by: Sakib Sajal +--- + slirp/src/bootp.c | 26 +++--- + slirp/src/bootp.h | 2 +- + slirp/src/mbuf.c | 5 + + slirp/src/mbuf.h | 1 + + 4 files changed, 22 insertions(+), 12 deletions(-) + +diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c +index 46e96810a..e0db8d196 100644 +--- a/slirp/src/bootp.c b/slirp/src/bootp.c +@@ -92,21 +92,22 @@ found: + return bc; + } + +-static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, ++static void dhcp_decode(const struct bootp_t *bp, ++const uint8_t *bp_end, ++int *pmsg_type, + struct in_addr *preq_addr) + { +-const uint8_t *p, *p_end; ++const uint8_t *p; + int len, tag; + + *pmsg_type = 0; + preq_addr->s_addr = htonl(0L);
[OE-core] [hardknott][PATCH] go: upgrade 1.16.10 -> 1.16.13
Release 1.16.13 includes fixes for CVE-2021-44716 and CVE-2021-44717. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/go/{go-1.16.10.inc => go-1.16.13.inc} | 4 ++-- ...o-binary-native_1.16.10.bb => go-binary-native_1.16.13.bb} | 4 ++-- ...cross-canadian_1.16.10.bb => go-cross-canadian_1.16.13.bb} | 0 .../go/{go-cross_1.16.10.bb => go-cross_1.16.13.bb} | 0 .../go/{go-crosssdk_1.16.10.bb => go-crosssdk_1.16.13.bb} | 0 .../go/{go-native_1.16.10.bb => go-native_1.16.13.bb} | 0 .../go/{go-runtime_1.16.10.bb => go-runtime_1.16.13.bb} | 0 meta/recipes-devtools/go/{go_1.16.10.bb => go_1.16.13.bb} | 0 8 files changed, 4 insertions(+), 4 deletions(-) rename meta/recipes-devtools/go/{go-1.16.10.inc => go-1.16.13.inc} (91%) rename meta/recipes-devtools/go/{go-binary-native_1.16.10.bb => go-binary-native_1.16.13.bb} (83%) rename meta/recipes-devtools/go/{go-cross-canadian_1.16.10.bb => go-cross-canadian_1.16.13.bb} (100%) rename meta/recipes-devtools/go/{go-cross_1.16.10.bb => go-cross_1.16.13.bb} (100%) rename meta/recipes-devtools/go/{go-crosssdk_1.16.10.bb => go-crosssdk_1.16.13.bb} (100%) rename meta/recipes-devtools/go/{go-native_1.16.10.bb => go-native_1.16.13.bb} (100%) rename meta/recipes-devtools/go/{go-runtime_1.16.10.bb => go-runtime_1.16.13.bb} (100%) rename meta/recipes-devtools/go/{go_1.16.10.bb => go_1.16.13.bb} (100%) diff --git a/meta/recipes-devtools/go/go-1.16.10.inc b/meta/recipes-devtools/go/go-1.16.13.inc similarity index 91% rename from meta/recipes-devtools/go/go-1.16.10.inc rename to meta/recipes-devtools/go/go-1.16.13.inc index 08c85b275b..8675afc3bb 100644 --- a/meta/recipes-devtools/go/go-1.16.10.inc +++ b/meta/recipes-devtools/go/go-1.16.13.inc @@ -1,7 +1,7 @@ require go-common.inc GO_BASEVERSION = "1.16" -PV = "1.16.10" +PV = "1.16.13" FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:" LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" 
@@ -18,7 +18,7 @@ SRC_URI += "\ file://0009-Revert-cmd-go-make-sure-CC-and-CXX-are-absolute.patch \ file://0001-encoding-xml-handle-leading-trailing-or-double-colon.patch \ " -SRC_URI[main.sha256sum] = "a905472011585e403d00d2a41de7ced29b8884309d73482a307f689fd0f320b5" +SRC_URI[main.sha256sum] = "b0926654eaeb01ef43816638f42d7b1681f2d3f41b9559f07735522b7afad41a" # Upstream don't believe it is a signifiant real world issue and will only # fix in 1.17 onwards where we can drop this. diff --git a/meta/recipes-devtools/go/go-binary-native_1.16.10.bb b/meta/recipes-devtools/go/go-binary-native_1.16.13.bb similarity index 83% rename from meta/recipes-devtools/go/go-binary-native_1.16.10.bb rename to meta/recipes-devtools/go/go-binary-native_1.16.13.bb index 4866c9f847..6e498a17be 100644 --- a/meta/recipes-devtools/go/go-binary-native_1.16.10.bb +++ b/meta/recipes-devtools/go/go-binary-native_1.16.13.bb @@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" PROVIDES = "go-native" SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}; -SRC_URI[go_linux_amd64.sha256sum] = "414cd18ce1d193769b9e97d2401ad718755ab47816e13b2a1cde203d263b55cf" -SRC_URI[go_linux_arm64.sha256sum] = "bfe1d4b82626c742b4690a832ca59a21e3d702161556f3c0ed26dffb368927e9" +SRC_URI[go_linux_amd64.sha256sum] = "275fc03c90c13b0bbff13125a43f1f7a9f9c00a0d5a9f2d5b16dbc2fa2c6e12a" +SRC_URI[go_linux_arm64.sha256sum] = "3dd8e14837105cbfedf7124c7f8c524ce492748c370036c7316ef99e18d116d7" UPSTREAM_CHECK_URI = "https://golang.org/dl/; UPSTREAM_CHECK_REGEX = "go(?P\d+(\.\d+)+)\.linux" diff --git a/meta/recipes-devtools/go/go-cross-canadian_1.16.10.bb b/meta/recipes-devtools/go/go-cross-canadian_1.16.13.bb similarity index 100% rename from meta/recipes-devtools/go/go-cross-canadian_1.16.10.bb rename to meta/recipes-devtools/go/go-cross-canadian_1.16.13.bb 
diff --git a/meta/recipes-devtools/go/go-cross_1.16.10.bb b/meta/recipes-devtools/go/go-cross_1.16.13.bb similarity index 100% rename from meta/recipes-devtools/go/go-cross_1.16.10.bb rename to meta/recipes-devtools/go/go-cross_1.16.13.bb diff --git a/meta/recipes-devtools/go/go-crosssdk_1.16.10.bb b/meta/recipes-devtools/go/go-crosssdk_1.16.13.bb similarity index 100% rename from meta/recipes-devtools/go/go-crosssdk_1.16.10.bb rename to meta/recipes-devtools/go/go-crosssdk_1.16.13.bb diff --git a/meta/recipes-devtools/go/go-native_1.16.10.bb b/meta/recipes-devtools/go/go-native_1.16.13.bb similarity index 100% rename from meta/recipes-devtools/go/go-native_1.16.10.bb rename to meta/recipes-devtools/go/go-native_1.16.13.bb diff --git a/meta/recipes-devtools/go/go-runtime_1.16.10.bb b/meta/recipes-devtools/go/go-runtime_1.16.13.
Re: [OE-core] [hardknott][PATCH 3/8] qemu: CVE-2021-3595
Please disregard this set of patches, somehow it failed to send the first 2 and one in the middle. sending a V3. Sorry for inconvenience On 2022-01-13 7:06 p.m., Sakib Sajal wrote: Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2021-3595_1.patch | 41 +++ .../qemu/qemu/CVE-2021-3595_2.patch | 253 ++ 3 files changed, 296 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 6b544a4344..811bdff426 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -74,6 +74,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3592_2.patch \ file://CVE-2021-3592_3.patch \ file://CVE-2021-3593.patch \ + file://CVE-2021-3595_1.patch \ + file://CVE-2021-3595_2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch new file mode 100644 index 00..aefaff01cf --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch 
@@ -0,0 +1,41 @@ +From 6b62a09d6c264cb84f560a418beb027f47bc5069 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:34:30 +0400 +Subject: [PATCH 05/12] tftp: check tftp_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3595 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46 + +Signed-off-by: Marc-André Lureau + +Upstream-Status: Backport +CVE: CVE-2021-3595 + +Signed-off-by: Sakib Sajal +--- + slirp/src/tftp.c | 6 +- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c +index c6950ee10..e06911d42 100644 +--- a/slirp/src/tftp.c b/slirp/src/tftp.c +@@ -446,7 +446,11 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas, + + void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m) + { +-struct tftp_t *tp = (struct tftp_t *)m->m_data; ++struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf)); ++ ++if (tp == NULL) { ++return; ++} + + switch (ntohs(tp->tp_op)) { + case TFTP_RRQ: +-- +2.31.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch new file mode 100644 index 00..1ffa6ca988 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch 
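Review bot: The early `return` added when `mtod_check` fails leaves the mbuf's fate to the caller (`udp_input`, outside this hunk); confirm the caller frees `m` after `tftp_input` returns on this path exactly as on the normal path, otherwise the rejected packet leaks its mbuf. The guard `offsetof(struct tftp_t, x.tp_buf)` covers only the fixed header, so the `switch` handlers that read option and payload bytes beyond it still depend on their own bounds checks until the follow-up header-structure patch lands; a comment such as `/* header only: handlers must bound their own reads of x.tp_buf */` would make that explicit. `offsetof` requires `<stddef.h>`; verify tftp.c includes it directly rather than transitively. The identical hunk is repeated in the resent copy of CVE-2021-3595_1.patch later on this page and the same points apply there.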
@@ -0,0 +1,253 @@ +From d71caef98e331268519578fc0437e2ac02586940 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 20:01:20 +0400 +Subject: [PATCH 06/12] tftp: introduce a header structure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Instead of using a composed structure and potentially reading past the +incoming buffer, use a different structure for the header. + +Signed-off-by: Marc-André Lureau + +Upstream-Status: Backport +CVE: CVE-2021-3595 + +Signed-off-by: Sakib Sajal +--- + slirp/src/tftp.c | 60 +--- + slirp/src/tftp.h | 6 - + 2 files changed, 36 insertions(+), 30 deletions(-) + +diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c +index e06911d42..a19c889d3 100644 +--- a/slirp/src/tftp.c b/slirp/src/tftp.c +@@ -50,7 +50,7 @@ static void tftp_session_terminate(struct tftp_session *spt) + } + + static int tftp_session_allocate(Slirp *slirp, struct sockaddr_storage *srcsas, +- struct tftp_t *tp) ++ struct tftphdr *hdr) + { + struct tftp_session *spt; + int k; +@@ -75,7 +75,7 @@ found: + memcpy(>client_addr, srcsas, sockaddr_size(srcsas)); + spt->fd = -1; + spt->block_size = 512; +-spt->client_port = tp->udp.uh_sport; ++spt->client_port = hdr->udp.uh_sport; + spt->slirp = slirp; + + tftp_session_update(spt); +@@ -84,7 +84,7 @@ found: + } + + static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas, +- struct tftp_t *tp) ++ struct tftphdr *hdr) + { + struct tftp_session *spt; + int k; +@@ -94,7 +94,7 @@ static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas, + + if (tftp_session_in_use(spt)) { + if (sockaddr_equal(>client_addr, srcsas)) { +-if (spt->client_port == tp->udp.uh_sport) { ++if (spt->client_port == hdr->udp.uh_sport) { +
[OE-core] [hardknott][PATCH 8/8] qemu: CVE-2021-20196
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2021-20196_1.patch | 54 +++ .../qemu/qemu/CVE-2021-20196_2.patch | 67 +++ 3 files changed, 123 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 4a5379893c..3401fd7194 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -80,6 +80,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3713.patch \ file://CVE-2021-3748.patch \ file://CVE-2021-3930.patch \ + file://CVE-2021-20196_1.patch \ + file://CVE-2021-20196_2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch new file mode 100644 index 00..bc513277ac --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch 
@@ -0,0 +1,54 @@ +From e907ff3d4cb7fd20d402f45355059e67d0dc93e7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 24 Nov 2021 17:15:34 +0100 +Subject: [PATCH 11/12] hw/block/fdc: Extract blk_create_empty_drive() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We are going to re-use this code in the next commit, +so extract it as a new blk_create_empty_drive() function. + +Inspired-by: Hanna Reitz +Signed-off-by: Philippe Mathieu-Daudé +Message-id: 20211124161536.631563-2-phi...@redhat.com +Signed-off-by: John Snow + +Upstream-Status: Backport +CVE: CVE-2021-20196 + +Signed-off-by: Sakib Sajal +--- + hw/block/fdc.c | 9 +++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 4c2c35e22..854b4f172 100644 +--- a/hw/block/fdc.c b/hw/block/fdc.c +@@ -61,6 +61,12 @@ + } while (0) + + ++/* Anonymous BlockBackend for empty drive */ ++static BlockBackend *blk_create_empty_drive(void) ++{ ++return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL); ++} ++ + // + /* qdev floppy bus */ + +@@ -543,8 +549,7 @@ static void floppy_drive_realize(DeviceState *qdev, Error **errp) + } + + if (!dev->conf.blk) { +-/* Anonymous BlockBackend for an empty drive */ +-dev->conf.blk = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL); ++dev->conf.blk = blk_create_empty_drive(); + ret = blk_attach_dev(dev->conf.blk, qdev); + assert(ret == 0); + +-- +2.31.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch new file mode 100644 index 00..1e39ed81b1 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch 
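Review bot: `blk_create_empty_drive()` hands a newly created BlockBackend to its caller, but the comment above it only names what it is, not who owns it; since the follow-up patch adds a second call site, state the contract: `/* Create an anonymous, empty BlockBackend; the caller owns the reference and must attach it to a device or unref it. */`. The argument pair `0, BLK_PERM_ALL` (requested versus shared permissions) is not self-explanatory at this call site and deserves a short why-comment once the intended semantics are confirmed. The caller in floppy_drive_realize asserts on `blk_attach_dev` but does not check the helper's result; if `blk_new` can return NULL in this tree, that check belongs at the call site.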
@@ -0,0 +1,67 @@ +From 1d48445a951fd5504190a38abeda70ea9372cf77 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 24 Nov 2021 17:15:35 +0100 +Subject: [PATCH 12/12] hw/block/fdc: Kludge missing floppy drive to fix + CVE-2021-20196 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guest might select another drive on the bus by setting the +DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR). +The current controller model doesn't expect a BlockBackend +to be NULL. A simple way to fix CVE-2021-20196 is to create +an empty BlockBackend when it is missing. All further +accesses will be safely handled, and the controller state +machines keep behaving correctly. + +Cc: qemu-sta...@nongnu.org +Fixes: CVE-2021-20196 +Reported-by: Gaoning Pan (Ant Security Light-Year Lab) +Reviewed-by: Darren Kenny +Reviewed-by: Hanna Reitz +Signed-off-by: Philippe Mathieu-Daudé +Message-id: 20211124161536.631563-3-phi...@redhat.com +BugLink: https://bugs.launchpad.net/qemu/+bug/1912780 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338 +Reviewed-by: Darren Kenny +Reviewed-by: Hanna Reitz +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: John Snow + +Upstream-Status: Backport +CVE: CVE-2021-20196 + +Signed-off-by: Sakib Sajal +--- + hw/block/fdc.c | 14 +- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 854b4f172..a736c4d14 100644 +--- a/hw/block/fdc.c b/hw/block/fdc.c +@@ -1365,7 +1365,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit) + + static FDrive *get_cur_drv(FDCtrl *fdctrl) + { +-return get_drv(fdctrl, fdctrl->cur_drv); ++FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv); ++ ++if (!cur_drv->blk) { ++/* ++
[OE-core] [hardknott][PATCH 6/8] qemu: CVE-2021-3748
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3748.patch | 127 ++ 2 files changed, 128 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 970aa96608..7648ce9a38 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -78,6 +78,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3595_2.patch \ file://CVE-2021-3594.patch \ file://CVE-2021-3713.patch \ + file://CVE-2021-3748.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch new file mode 100644 index 00..a8f57c30b6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch 
@@ -0,0 +1,127 @@ +From bacc200f623647632258f7efc0f098ac30dd4225 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Thu, 2 Sep 2021 13:44:12 +0800 +Subject: [PATCH 09/12] virtio-net: fix use after unmap/free for sg + +When mergeable buffer is enabled, we try to set the num_buffers after +the virtqueue elem has been unmapped. This will lead several issues, +E.g a use after free when the descriptor has an address which belongs +to the non direct access region. In this case we use bounce buffer +that is allocated during address_space_map() and freed during +address_space_unmap(). + +Fixing this by storing the elems temporarily in an array and delay the +unmap after we set the the num_buffers. + +This addresses CVE-2021-3748. + +Reported-by: Alexander Bulekov +Fixes: fbe78f4f55c6 ("virtio-net support") +Cc: qemu-sta...@nongnu.org +Signed-off-by: Jason Wang + +Upstream-Status: Backport +CVE: CVE-2021-3748 + +Signed-off-by: Sakib Sajal +--- + hw/net/virtio-net.c | 39 --- + 1 file changed, 32 insertions(+), 7 deletions(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 9179013ac..df1d30e2c 100644 +--- a/hw/net/virtio-net.c b/hw/net/virtio-net.c +@@ -1665,10 +1665,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + VirtIONet *n = qemu_get_nic_opaque(nc); + VirtIONetQueue *q = virtio_net_get_subqueue(nc); + VirtIODevice *vdev = VIRTIO_DEVICE(n); ++VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE]; ++size_t lens[VIRTQUEUE_MAX_SIZE]; + struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE]; + struct virtio_net_hdr_mrg_rxbuf mhdr; + unsigned mhdr_cnt = 0; +-size_t offset, i, guest_offset; ++size_t offset, i, guest_offset, j; ++ssize_t err; + + if (!virtio_net_can_receive(nc)) { + return -1; +@@ -1699,6 +1702,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + + total = 0; + ++if (i == VIRTQUEUE_MAX_SIZE) { ++virtio_error(vdev, "virtio-net unexpected long buffer chain"); ++err = size; ++goto err; ++} ++ + elem = 
virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); + if (!elem) { + if (i) { +@@ -1710,7 +1719,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + n->guest_hdr_len, n->host_hdr_len, + vdev->guest_features); + } +-return -1; ++err = -1; ++goto err; + } + + if (elem->in_num < 1) { +@@ -1718,7 +1728,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + "virtio-net receive queue contains no in buffers"); + virtqueue_detach_element(q->rx_vq, elem, 0); + g_free(elem); +-return -1; ++err = -1; ++goto err; + } + + sg = elem->in_sg; +@@ -1755,12 +1766,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + if (!n->mergeable_rx_bufs && offset < size) { + virtqueue_unpop(q->rx_vq, elem, total); + g_free(elem); +-return size; ++err = size; ++goto err; + } + +-/* signal other side */ +-virtqueue_fill(q->rx_vq, elem, total, i++); +-g_free(elem); ++elems[i] = elem; ++lens[i] = total; ++i++; + } + + if (mhdr_cnt) { +@@ -1770,10 +1782,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + _buffers, sizeof mhdr.num_buffers); + } + ++for (j = 0; j < i; j++) { ++/* signal other side */ ++virtqueue_fill(q->rx_vq, elems[j], lens[j], j); ++
[OE-core] [hardknott][PATCH 3/8] qemu: CVE-2021-3595
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2021-3595_1.patch | 41 +++ .../qemu/qemu/CVE-2021-3595_2.patch | 253 ++ 3 files changed, 296 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 6b544a4344..811bdff426 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -74,6 +74,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3592_2.patch \ file://CVE-2021-3592_3.patch \ file://CVE-2021-3593.patch \ + file://CVE-2021-3595_1.patch \ + file://CVE-2021-3595_2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch new file mode 100644 index 00..aefaff01cf --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch 
@@ -0,0 +1,41 @@ +From 6b62a09d6c264cb84f560a418beb027f47bc5069 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:34:30 +0400 +Subject: [PATCH 05/12] tftp: check tftp_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3595 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46 + +Signed-off-by: Marc-André Lureau + +Upstream-Status: Backport +CVE: CVE-2021-3595 + +Signed-off-by: Sakib Sajal +--- + slirp/src/tftp.c | 6 +- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c +index c6950ee10..e06911d42 100644 +--- a/slirp/src/tftp.c b/slirp/src/tftp.c +@@ -446,7 +446,11 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas, + + void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m) + { +-struct tftp_t *tp = (struct tftp_t *)m->m_data; ++struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf)); ++ ++if (tp == NULL) { ++return; ++} + + switch (ntohs(tp->tp_op)) { + case TFTP_RRQ: +-- +2.31.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch new file mode 100644 index 00..1ffa6ca988 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch 
@@ -0,0 +1,253 @@ +From d71caef98e331268519578fc0437e2ac02586940 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 20:01:20 +0400 +Subject: [PATCH 06/12] tftp: introduce a header structure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Instead of using a composed structure and potentially reading past the +incoming buffer, use a different structure for the header. + +Signed-off-by: Marc-André Lureau + +Upstream-Status: Backport +CVE: CVE-2021-3595 + +Signed-off-by: Sakib Sajal +--- + slirp/src/tftp.c | 60 +--- + slirp/src/tftp.h | 6 - + 2 files changed, 36 insertions(+), 30 deletions(-) + +diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c +index e06911d42..a19c889d3 100644 +--- a/slirp/src/tftp.c b/slirp/src/tftp.c +@@ -50,7 +50,7 @@ static void tftp_session_terminate(struct tftp_session *spt) + } + + static int tftp_session_allocate(Slirp *slirp, struct sockaddr_storage *srcsas, +- struct tftp_t *tp) ++ struct tftphdr *hdr) + { + struct tftp_session *spt; + int k; +@@ -75,7 +75,7 @@ found: + memcpy(>client_addr, srcsas, sockaddr_size(srcsas)); + spt->fd = -1; + spt->block_size = 512; +-spt->client_port = tp->udp.uh_sport; ++spt->client_port = hdr->udp.uh_sport; + spt->slirp = slirp; + + tftp_session_update(spt); +@@ -84,7 +84,7 @@ found: + } + + static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas, +- struct tftp_t *tp) ++ struct tftphdr *hdr) + { + struct tftp_session *spt; + int k; +@@ -94,7 +94,7 @@ static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas, + + if (tftp_session_in_use(spt)) { + if (sockaddr_equal(>client_addr, srcsas)) { +-if (spt->client_port == tp->udp.uh_sport) { ++if (spt->client_port == hdr->udp.uh_sport) { + return k; + } + } +@@ -148,13 +148,13 @@ static struct tftp_t *tftp_prep_mbuf_data(struct tftp_session *spt, + } + + static void tftp_udp_output(struct tftp_session
[OE-core] [hardknott][PATCH 4/8] qemu: CVE-2021-3594
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3594.patch | 40 +++ 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 811bdff426..4198d3a52c 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -76,6 +76,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3593.patch \ file://CVE-2021-3595_1.patch \ file://CVE-2021-3595_2.patch \ + file://CVE-2021-3594.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch new file mode 100644 index 00..ec2a254c7d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch 
@@ -0,0 +1,40 @@ +From 7a5ffd5475f2cbfe3cf91d9584893f1a4b3b4dff Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:40:23 +0400 +Subject: [PATCH 07/12] udp: check upd_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3594 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47 + +Signed-off-by: Marc-André Lureau + +Upstream-Status: Backport +CVE: CVE-2021-3594 + +Signed-off-by: Sakib Sajal +--- + slirp/src/udp.c | 5 - + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/slirp/src/udp.c b/slirp/src/udp.c +index 0ad44d7c0..18b4acdfa 100644 +--- a/slirp/src/udp.c b/slirp/src/udp.c +@@ -93,7 +93,10 @@ void udp_input(register struct mbuf *m, int iphlen) + /* + * Get IP and UDP header together in first mbuf. + */ +-ip = mtod(m, struct ip *); ++ip = mtod_check(m, iphlen + sizeof(struct udphdr)); ++if (ip == NULL) { ++goto bad; ++} + uh = (struct udphdr *)((char *)ip + iphlen); + + /* +-- +2.31.1 + -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#160548): https://lists.openembedded.org/g/openembedded-core/message/160548 Mute This Topic: https://lists.openembedded.org/mt/88409940/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
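Review bot: The new length `iphlen + sizeof(struct udphdr)` ensures both the IP and UDP headers lie inside the first mbuf before `uh` is derived from `ip`, but `iphlen` is a signed int promoted to size_t in that expression; a negative value would wrap to a huge length and be rejected by mtod_check, which is the safe direction, so this is only a concern if ip_input does not validate iphlen first (not visible here). The `goto bad` path presumably frees the mbuf like the function's other error exits — confirm the label does so in this slirp version. A one-line comment would make the intent clear: `/* both headers must be in the first mbuf before uh is derived from ip */`. udp_input continues outside the hunk, and the same hunk is quoted again unchanged in the reply below.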
Re: [OE-core] [hardknott][PATCH 4/8] qemu: CVE-2021-3594
Please disregard this set of patches, somehow it failed to send the first 3. sending a V2. Sorry for inconvenience On 2022-01-13 6:35 p.m., Sakib Sajal wrote: Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3594.patch | 40 +++ 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 811bdff426..4198d3a52c 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -76,6 +76,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3593.patch \ file://CVE-2021-3595_1.patch \ file://CVE-2021-3595_2.patch \ + file://CVE-2021-3594.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch new file mode 100644 index 00..ec2a254c7d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch 
@@ -0,0 +1,40 @@ +From 7a5ffd5475f2cbfe3cf91d9584893f1a4b3b4dff Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:40:23 +0400 +Subject: [PATCH 07/12] udp: check upd_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3594 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47 + +Signed-off-by: Marc-André Lureau + +Upstream-Status: Backport +CVE: CVE-2021-3594 + +Signed-off-by: Sakib Sajal +--- + slirp/src/udp.c | 5 - + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/slirp/src/udp.c b/slirp/src/udp.c +index 0ad44d7c0..18b4acdfa 100644 +--- a/slirp/src/udp.c b/slirp/src/udp.c +@@ -93,7 +93,10 @@ void udp_input(register struct mbuf *m, int iphlen) + /* + * Get IP and UDP header together in first mbuf. + */ +-ip = mtod(m, struct ip *); ++ip = mtod_check(m, iphlen + sizeof(struct udphdr)); ++if (ip == NULL) { ++goto bad; ++} + uh = (struct udphdr *)((char *)ip + iphlen); + + /* +-- +2.31.1 + -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#160546): https://lists.openembedded.org/g/openembedded-core/message/160546 Mute This Topic: https://lists.openembedded.org/mt/88409940/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [hardknott][PATCH 6/8] qemu: CVE-2021-3748
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3748.patch | 127 ++ 2 files changed, 128 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 970aa96608..7648ce9a38 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -78,6 +78,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3595_2.patch \ file://CVE-2021-3594.patch \ file://CVE-2021-3713.patch \ + file://CVE-2021-3748.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch new file mode 100644 index 00..a8f57c30b6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch 
@@ -0,0 +1,127 @@ +From bacc200f623647632258f7efc0f098ac30dd4225 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Thu, 2 Sep 2021 13:44:12 +0800 +Subject: [PATCH 09/12] virtio-net: fix use after unmap/free for sg + +When mergeable buffer is enabled, we try to set the num_buffers after +the virtqueue elem has been unmapped. This will lead several issues, +E.g a use after free when the descriptor has an address which belongs +to the non direct access region. In this case we use bounce buffer +that is allocated during address_space_map() and freed during +address_space_unmap(). + +Fixing this by storing the elems temporarily in an array and delay the +unmap after we set the the num_buffers. + +This addresses CVE-2021-3748. + +Reported-by: Alexander Bulekov +Fixes: fbe78f4f55c6 ("virtio-net support") +Cc: qemu-sta...@nongnu.org +Signed-off-by: Jason Wang + +Upstream-Status: Backport +CVE: CVE-2021-3748 + +Signed-off-by: Sakib Sajal +--- + hw/net/virtio-net.c | 39 --- + 1 file changed, 32 insertions(+), 7 deletions(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 9179013ac..df1d30e2c 100644 +--- a/hw/net/virtio-net.c b/hw/net/virtio-net.c +@@ -1665,10 +1665,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + VirtIONet *n = qemu_get_nic_opaque(nc); + VirtIONetQueue *q = virtio_net_get_subqueue(nc); + VirtIODevice *vdev = VIRTIO_DEVICE(n); ++VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE]; ++size_t lens[VIRTQUEUE_MAX_SIZE]; + struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE]; + struct virtio_net_hdr_mrg_rxbuf mhdr; + unsigned mhdr_cnt = 0; +-size_t offset, i, guest_offset; ++size_t offset, i, guest_offset, j; ++ssize_t err; + + if (!virtio_net_can_receive(nc)) { + return -1; +@@ -1699,6 +1702,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + + total = 0; + ++if (i == VIRTQUEUE_MAX_SIZE) { ++virtio_error(vdev, "virtio-net unexpected long buffer chain"); ++err = size; ++goto err; ++} ++ + elem = 
virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); + if (!elem) { + if (i) { +@@ -1710,7 +1719,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + n->guest_hdr_len, n->host_hdr_len, + vdev->guest_features); + } +-return -1; ++err = -1; ++goto err; + } + + if (elem->in_num < 1) { +@@ -1718,7 +1728,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + "virtio-net receive queue contains no in buffers"); + virtqueue_detach_element(q->rx_vq, elem, 0); + g_free(elem); +-return -1; ++err = -1; ++goto err; + } + + sg = elem->in_sg; +@@ -1755,12 +1766,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + if (!n->mergeable_rx_bufs && offset < size) { + virtqueue_unpop(q->rx_vq, elem, total); + g_free(elem); +-return size; ++err = size; ++goto err; + } + +-/* signal other side */ +-virtqueue_fill(q->rx_vq, elem, total, i++); +-g_free(elem); ++elems[i] = elem; ++lens[i] = total; ++i++; + } + + if (mhdr_cnt) { +@@ -1770,10 +1782,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + _buffers, sizeof mhdr.num_buffers); + } + ++for (j = 0; j < i; j++) { ++/* signal other side */ ++virtqueue_fill(q->rx_vq, elems[j], lens[j], j); ++
[OE-core] [hardknott][PATCH 8/8] qemu: CVE-2021-20196
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2021-20196_1.patch | 54 +++ .../qemu/qemu/CVE-2021-20196_2.patch | 67 +++ 3 files changed, 123 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 4a5379893c..3401fd7194 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -80,6 +80,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3713.patch \ file://CVE-2021-3748.patch \ file://CVE-2021-3930.patch \ + file://CVE-2021-20196_1.patch \ + file://CVE-2021-20196_2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch new file mode 100644 index 00..bc513277ac --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch 
@@ -0,0 +1,54 @@ +From e907ff3d4cb7fd20d402f45355059e67d0dc93e7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 24 Nov 2021 17:15:34 +0100 +Subject: [PATCH 11/12] hw/block/fdc: Extract blk_create_empty_drive() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We are going to re-use this code in the next commit, +so extract it as a new blk_create_empty_drive() function. + +Inspired-by: Hanna Reitz +Signed-off-by: Philippe Mathieu-Daudé +Message-id: 20211124161536.631563-2-phi...@redhat.com +Signed-off-by: John Snow + +Upstream-Status: Backport +CVE: CVE-2021-20196 + +Signed-off-by: Sakib Sajal +--- + hw/block/fdc.c | 9 +++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 4c2c35e22..854b4f172 100644 +--- a/hw/block/fdc.c b/hw/block/fdc.c +@@ -61,6 +61,12 @@ + } while (0) + + ++/* Anonymous BlockBackend for empty drive */ ++static BlockBackend *blk_create_empty_drive(void) ++{ ++return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL); ++} ++ + // + /* qdev floppy bus */ + +@@ -543,8 +549,7 @@ static void floppy_drive_realize(DeviceState *qdev, Error **errp) + } + + if (!dev->conf.blk) { +-/* Anonymous BlockBackend for an empty drive */ +-dev->conf.blk = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL); ++dev->conf.blk = blk_create_empty_drive(); + ret = blk_attach_dev(dev->conf.blk, qdev); + assert(ret == 0); + +-- +2.31.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch new file mode 100644 index 00..1e39ed81b1 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch 
@@ -0,0 +1,67 @@ +From 1d48445a951fd5504190a38abeda70ea9372cf77 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 24 Nov 2021 17:15:35 +0100 +Subject: [PATCH 12/12] hw/block/fdc: Kludge missing floppy drive to fix + CVE-2021-20196 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guest might select another drive on the bus by setting the +DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR). +The current controller model doesn't expect a BlockBackend +to be NULL. A simple way to fix CVE-2021-20196 is to create +an empty BlockBackend when it is missing. All further +accesses will be safely handled, and the controller state +machines keep behaving correctly. + +Cc: qemu-sta...@nongnu.org +Fixes: CVE-2021-20196 +Reported-by: Gaoning Pan (Ant Security Light-Year Lab) +Reviewed-by: Darren Kenny +Reviewed-by: Hanna Reitz +Signed-off-by: Philippe Mathieu-Daudé +Message-id: 20211124161536.631563-3-phi...@redhat.com +BugLink: https://bugs.launchpad.net/qemu/+bug/1912780 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338 +Reviewed-by: Darren Kenny +Reviewed-by: Hanna Reitz +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: John Snow + +Upstream-Status: Backport +CVE: CVE-2021-20196 + +Signed-off-by: Sakib Sajal +--- + hw/block/fdc.c | 14 +- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 854b4f172..a736c4d14 100644 +--- a/hw/block/fdc.c b/hw/block/fdc.c +@@ -1365,7 +1365,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit) + + static FDrive *get_cur_drv(FDCtrl *fdctrl) + { +-return get_drv(fdctrl, fdctrl->cur_drv); ++FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv); ++ ++if (!cur_drv->blk) { ++/* ++
[OE-core] [hardknott][PATCH 5/8] qemu: CVE-2021-3713
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3713.patch | 68 +++ 2 files changed, 69 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 4198d3a52c..970aa96608 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -77,6 +77,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3595_1.patch \ file://CVE-2021-3595_2.patch \ file://CVE-2021-3594.patch \ + file://CVE-2021-3713.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch new file mode 100644 index 00..d7e17876db --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch 
@@ -0,0 +1,68 @@ +From 9a8f71ec660e67c51cc5905dd9d2a12ff78ce743 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 18 Aug 2021 14:05:05 +0200 +Subject: [PATCH 08/12] uas: add stream number sanity checks. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The device uses the guest-supplied stream number unchecked, which can +lead to guest-triggered out-of-band access to the UASDevice->data3 and +UASDevice->status3 fields. Add the missing checks. + +Fixes: CVE-2021-3713 +Signed-off-by: Gerd Hoffmann +Reported-by: Chen Zhe +Reported-by: Tan Jingguo +Reviewed-by: Philippe Mathieu-Daudé +Message-Id: <20210818120505.1258262-2-kra...@redhat.com> +(cherry picked from commit 13b250b12ad3c59114a6a17d59caf073ce45b33a) +Signed-off-by: Michael Roth + +Upstream-Status: Backport +CVE: CVE-2021-3713 + +Signed-off-by: Sakib Sajal +--- + hw/usb/dev-uas.c | 11 +++ + 1 file changed, 11 insertions(+) + +diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c +index cec071d96..157734eb0 100644 +--- a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c +@@ -831,6 +831,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + } + break; + case UAS_PIPE_ID_STATUS: ++if (p->stream > UAS_MAX_STREAMS) { ++goto err_stream; ++} + if (p->stream) { + QTAILQ_FOREACH(st, >results, next) { + if (st->stream == p->stream) { +@@ -858,6 +861,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + break; + case UAS_PIPE_ID_DATA_IN: + case UAS_PIPE_ID_DATA_OUT: ++if (p->stream > UAS_MAX_STREAMS) { ++goto err_stream; ++} + if (p->stream) { + req = usb_uas_find_request(uas, p->stream); + } else { +@@ -893,6 +899,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + p->status = USB_RET_STALL; + break; + } ++ ++err_stream: ++error_report("%s: invalid stream %d", __func__, p->stream); ++p->status = USB_RET_STALL; ++return; + } + + static void usb_uas_unrealize(USBDevice *dev) +-- +2.31.1 + -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive 
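Review bot: In the last hunk of the embedded patch, `err_stream:` is placed directly after the closing brace of the switch with no `return;` in front of it, so the normal path (every `break` out of the switch) falls through into the error handler, reports an invalid stream and stalls the packet. A `return;` is needed immediately before the label; I believe upstream later added one, so check whether the hardknott backport needs that follow-up too. The bound `p->stream > UAS_MAX_STREAMS` is only correct if the data3/status3 arrays are declared with UAS_MAX_STREAMS + 1 entries, which this patch does not show, so a comment on the check recording that assumption would help. error_report() on a guest-controlled path can be flooded by the guest; a rate-limited or trace-based report would be the more defensive choice. usb_uas_handle_data starts outside the hunk.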
[OE-core] [hardknott][PATCH 7/8] qemu: CVE-2021-3930
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3930.patch | 53 +++ 2 files changed, 54 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 7648ce9a38..4a5379893c 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -79,6 +79,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3594.patch \ file://CVE-2021-3713.patch \ file://CVE-2021-3748.patch \ + file://CVE-2021-3930.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch new file mode 100644 index 00..368bd12704 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch 
@@ -0,0 +1,53 @@ +From cdca50eff9c38367be54f92839734ab490c8b0f7 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Thu, 4 Nov 2021 17:31:38 +0100 +Subject: [PATCH 10/12] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE + SELECT commands + +This avoids an off-by-one read of 'mode_sense_valid' buffer in +hw/scsi/scsi-disk.c:mode_sense_page(). + +Fixes: CVE-2021-3930 +Cc: qemu-sta...@nongnu.org +Reported-by: Alexander Bulekov +Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table") +Fixes: #546 +Reported-by: Qiuhao Li +Signed-off-by: Mauro Matteo Cascella +Signed-off-by: Paolo Bonzini + +Upstream-Status: Backport +CVE: CVE-2021-3930 + +Signed-off-by: Sakib Sajal +--- + hw/scsi/scsi-disk.c | 6 ++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +index 90841ad79..5b44ed7d8 100644 +--- a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +@@ -1100,6 +1100,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf, + uint8_t *p = *p_outbuf + 2; + int length; + ++assert(page < ARRAY_SIZE(mode_sense_valid)); + if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { + return -1; + } +@@ -1441,6 +1442,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page, + return -1; + } + ++/* MODE_PAGE_ALLS is only valid for MODE SENSE commands */ ++if (page == MODE_PAGE_ALLS) { ++return -1; ++} ++ + p = mode_current; + memset(mode_current, 0, inlen + 2); + len = mode_sense_page(s, page, , 0); +-- +2.31.1 + -- 2.33.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#160543): https://lists.openembedded.org/g/openembedded-core/message/160543 Mute This Topic: https://lists.openembedded.org/mt/88409939/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
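Review bot: `assert(page < ARRAY_SIZE(mode_sense_valid))` in mode_sense_page turns any out-of-range page into a guest-triggered abort of the QEMU process rather than a silent out-of-bounds read; that is the safer failure mode, but it relies on every caller rejecting such pages first, which the second hunk does for MODE SELECT by refusing MODE_PAGE_ALLS. Because `page` is an int compared against a size_t, a negative value would also trip the assert, which is fine, but the contract should be written down next to it: `/* callers must reject pages >= ARRAY_SIZE(mode_sense_valid); this is a last-resort guard, not input validation */`. Both enclosing functions start and end outside their hunks.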