[OpenWrt-Devel] [PATCH] openvpn: update to 2.4.8
Backport two upstream commits that allow building openvpn-openssl without OpenSSLs deprecated APIs. Full changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.8 Signed-off-by: Magnus Kroken --- Runtime-tested openvpn-mbedtls and openvpn-openssl on x86_64. openvpn-openssl was tested against libopenssl built with and without deprecated APIs. This patch can be cherry-picked to openwrt-19.07. package/network/services/openvpn/Makefile | 8 +-- ...l-dont-use-deprecated-ssleay-symbols.patch | 58 + ...enssl-add-missing-include-statements.patch | 65 +++ .../210-build_always_use_internal_lz4.patch | 2 +- .../openvpn/patches/220-disable_des.patch | 2 +- 5 files changed, 129 insertions(+), 6 deletions(-) create mode 100644 package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch create mode 100644 package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile index aed9f43f80..baa8c1d07e 100644 --- a/package/network/services/openvpn/Makefile +++ b/package/network/services/openvpn/Makefile @@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openvpn -PKG_VERSION:=2.4.7 -PKG_RELEASE:=2 +PKG_VERSION:=2.4.8 +PKG_RELEASE:=1 PKG_SOURCE_URL:=\ https://build.openvpn.net/downloads/releases/ \ https://swupdate.openvpn.net/community/releases/ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_HASH:=a42f53570f669eaf10af68e98d65b531015ff9e12be7a62d9269ea684652f648 +PKG_HASH:=fb8ca66bb7807fff595fbdf2a0afd085c02a6aa47715c9aa3171002f9f1a3f91 PKG_MAINTAINER:=Felix Fietkau 
@@ -44,7 +44,7 @@ else endif endef -Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl +@OPENSSL_WITH_DEPRECATED) +Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl) Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls) Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL)) diff --git a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch new file mode 100644 index 00..7e9931f0f3 --- /dev/null +++ b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch 
@@ -0,0 +1,58 @@ +From 17a476fd5c8cc49f1d103a50199e87ede76b1b67 Mon Sep 17 00:00:00 2001 +From: Steffan Karger +Date: Sun, 26 Nov 2017 16:04:00 +0100 +Subject: [PATCH] openssl: don't use deprecated SSLEAY/SSLeay symbols + +Compiling our current master against OpenSSL 1.1 with +-DOPENSSL_API_COMPAT=0x1010L screams bloody murder. This patch fixes +the errors about the deprecated SSLEAY/SSLeay symbols and defines. + +Signed-off-by: Steffan Karger +Acked-by: Gert Doering +Message-Id: <20171126150401.28565-1-stef...@karger.me> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15934.html +Signed-off-by: Gert Doering +--- + configure.ac | 1 + + src/openvpn/openssl_compat.h | 8 + src/openvpn/ssl_openssl.c| 2 +- + 3 files changed, 10 insertions(+), 1 deletion(-) + +--- a/configure.ac b/configure.ac +@@ -904,6 +904,7 @@ if test "${enable_crypto}" = "yes" -a "$ + EVP_MD_CTX_free \ + EVP_MD_CTX_reset \ + EVP_CIPHER_CTX_reset \ ++ OpenSSL_version \ + SSL_CTX_get_default_passwd_cb \ + SSL_CTX_get_default_passwd_cb_userdata \ + SSL_CTX_set_security_level \ +--- a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h +@@ -689,6 +689,14 @@ EC_GROUP_order_bits(const EC_GROUP *grou + #endif + + /* SSLeay symbols have been renamed in OpenSSL 1.1 */ ++#ifndef OPENSSL_VERSION ++#define OPENSSL_VERSION SSLEAY_VERSION ++#endif ++ ++#ifndef HAVE_OPENSSL_VERSION ++#define OpenSSL_version SSLeay_version ++#endif ++ + #if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT) + #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT + #endif +--- a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c +@@ -1977,7 +1977,7 @@ get_highest_preference_tls_cipher(char * + const char * + get_ssl_library_version(void) + { +-return SSLeay_version(SSLEAY_VERSION); ++return OpenSSL_version(OPENSSL_VERSION); + } + + #endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */ 
diff --git a/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch b/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch new file mode 100644 index 00..6a62b16500 --- /dev/null
Re: [OpenWrt-Devel] [PATCH 2/4] mtd: Activate LTO compile option
On Fri, Nov 1, 2019 at 1:55 PM Hauke Mehrtens wrote: > > This decreases the size of the mtd application by 25% on MIPS BE. > > old: > 20,597 /sbin/mtd > > new: > 16,421 /sbin/mtd > > Signed-off-by: Hauke Mehrtens > --- > package/system/mtd/Makefile | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/package/system/mtd/Makefile b/package/system/mtd/Makefile > index 2347b8b723..166bb33281 100644 > --- a/package/system/mtd/Makefile > +++ b/package/system/mtd/Makefile > @@ -36,7 +36,8 @@ endef > target=$(firstword $(subst -, ,$(BOARD))) > > MAKE_FLAGS += TARGET="$(target)" > -TARGET_CFLAGS := $(TARGET_CFLAGS) -Dtarget_$(target)=1 -Wall > +TARGET_CFLAGS += -Dtarget_$(target)=1 -Wall -flto I don't think Wall is necessary here. > +TARGET_LDFLAGS += -flto=jobserver > > ifdef CONFIG_MTD_REDBOOT_PARTS >MAKE_FLAGS += FIS_SUPPORT=1 > -- > 2.20.1 > > > ___ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH 1/4] dnsmasq: Activate LTO
On Fri, Nov 1, 2019 at 1:55 PM Hauke Mehrtens wrote: > > This decreases the binary size when PIE ASLR is activated by 8% on MIPS BE. A small note on LTO: These packages do not generate libraries, but sometimes, LTO messes up dynamic linking (static even more so). For example: https://github.com/openwrt/packages/blob/master/libs/libwangle/Makefile#L31 is missing -flto specifically because a package that depends on it (openr, not in the packages feed yet) fails to link libwangle when -flto is specified for libwangle (a specific function was optimized out of the library). > > old: > 202,020 /usr/sbin/dnsmasq > > new: > 185,676 /usr/sbin/dnsmasq > > Signed-off-by: Hauke Mehrtens > --- > package/network/services/dnsmasq/Makefile | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/package/network/services/dnsmasq/Makefile > b/package/network/services/dnsmasq/Makefile > index 5c114eb1c6..e86b031e3f 100644 > --- a/package/network/services/dnsmasq/Makefile > +++ b/package/network/services/dnsmasq/Makefile > @@ -127,8 +127,8 @@ endef > Package/dnsmasq-dhcpv6/conffiles = $(Package/dnsmasq/conffiles) > Package/dnsmasq-full/conffiles = $(Package/dnsmasq/conffiles) > > -TARGET_CFLAGS += -ffunction-sections -fdata-sections > -TARGET_LDFLAGS += -Wl,--gc-sections I am curious why these were removed. > +TARGET_CFLAGS += -flto > +TARGET_LDFLAGS += -flto=jobserver > > COPTS = -DHAVE_UBUS \ > $(if $(CONFIG_IPV6),,-DNO_IPV6) > -- > 2.20.1 > > > ___ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 2/4] mtd: Activate LTO compile option
This decreases the size of the mtd application by 25% on MIPS BE. old: 20,597 /sbin/mtd new: 16,421 /sbin/mtd Signed-off-by: Hauke Mehrtens
---
package/system/mtd/Makefile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/package/system/mtd/Makefile b/package/system/mtd/Makefile
index 2347b8b723..166bb33281 100644
--- a/package/system/mtd/Makefile
+++ b/package/system/mtd/Makefile
@@ -36,7 +36,8 @@ endef
 target=$(firstword $(subst -, ,$(BOARD)))

 MAKE_FLAGS += TARGET="$(target)"
-TARGET_CFLAGS := $(TARGET_CFLAGS) -Dtarget_$(target)=1 -Wall
+TARGET_CFLAGS += -Dtarget_$(target)=1 -Wall -flto
+TARGET_LDFLAGS += -flto=jobserver

 ifdef CONFIG_MTD_REDBOOT_PARTS
 MAKE_FLAGS += FIS_SUPPORT=1
-- 2.20.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 1/4] dnsmasq: Activate LTO
This decreases the binary size when PIE ASLR is activated by 8% on MIPS BE. old: 202,020 /usr/sbin/dnsmasq new: 185,676 /usr/sbin/dnsmasq Signed-off-by: Hauke Mehrtens
---
package/network/services/dnsmasq/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index 5c114eb1c6..e86b031e3f 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -127,8 +127,8 @@ endef
 Package/dnsmasq-dhcpv6/conffiles = $(Package/dnsmasq/conffiles)
 Package/dnsmasq-full/conffiles = $(Package/dnsmasq/conffiles)

-TARGET_CFLAGS += -ffunction-sections -fdata-sections
-TARGET_LDFLAGS += -Wl,--gc-sections
+TARGET_CFLAGS += -flto
+TARGET_LDFLAGS += -flto=jobserver

 COPTS = -DHAVE_UBUS \
 $(if $(CONFIG_IPV6),,-DNO_IPV6)
-- 2.20.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 3/4] swconfig: Activate LTO compile option
This decreases the size of the swconfig application by 25% on MIPS BE. old: 16,916 /sbin/swconfig new: 12,565 /sbin/swconfig Signed-off-by: Hauke Mehrtens
---
package/network/config/swconfig/Makefile | 3 +++
1 file changed, 3 insertions(+)
diff --git a/package/network/config/swconfig/Makefile b/package/network/config/swconfig/Makefile
index 8b1d6cd64a..4d3e572d82 100644
--- a/package/network/config/swconfig/Makefile
+++ b/package/network/config/swconfig/Makefile
@@ -23,6 +23,9 @@ define Package/swconfig
 TITLE:=Switch configuration utility
 endef

+TARGET_CFLAGS += -flto
+TARGET_LDFLAGS += -flto=jobserver
+
 TARGET_CPPFLAGS := \
 -D_GNU_SOURCE \
 -I$(STAGING_DIR)/usr/include/libnl-tiny \
-- 2.20.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 4/4] usign: Activate LTO compile option
This decreases the size of the usign application by 16% on MIPS BE. old: 24,597 /usr/bin/usign new: 20,501 /usr/bin/usign Signed-off-by: Hauke Mehrtens
---
package/system/usign/Makefile | 3 +++
1 file changed, 3 insertions(+)
diff --git a/package/system/usign/Makefile b/package/system/usign/Makefile
index 836b1524d3..ab7fda33a3 100644
--- a/package/system/usign/Makefile
+++ b/package/system/usign/Makefile
@@ -30,6 +30,9 @@ define Package/usign
 TITLE:=OpenWrt signature verification utility
 endef

+TARGET_CFLAGS += -flto
+TARGET_LDFLAGS += -flto=jobserver
+
 CMAKE_OPTIONS += \
 -DUSE_LIBUBOX=on

-- 2.20.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] rules.mk: remove "$(STAGING_DIR)/include"
On Fri, Nov 1, 2019 at 12:21 PM Sebastian Kemper wrote: > > On Fri, Nov 01, 2019 at 12:06:39PM -0700, Rosen Penev wrote: > > Would it also make sense to remove $(STAGING_DIR)/lib ? Locally, it > > seems libpam gets installed there (probably a bug). > > Quoting FHS 3.0 regarding /lib's purpose: "The /lib directory contains > those shared library images needed to boot the system and run the > commands in the root filesystem, ie. by binaries in /bin and /sbin." > > I think /lib should stay. OTOH, many modern distros just symlink everything to /usr. Anyway, Acked-by: Rosen Penev > > Regards, > Seb ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] rules.mk: remove "$(STAGING_DIR)/include"
On Fri, Nov 01, 2019 at 12:06:39PM -0700, Rosen Penev wrote: > Would it also make sense to remove $(STAGING_DIR)/lib ? Locally, it > seems libpam gets installed there (probably a bug). Quoting FHS 3.0 regarding /lib's purpose: "The /lib directory contains those shared library images needed to boot the system and run the commands in the root filesystem, ie. by binaries in /bin and /sbin." I think /lib should stay. Regards, Seb ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] rules.mk: remove "$(STAGING_DIR)/include"
On Fri, Nov 1, 2019 at 2:21 AM Jo-Philipp Wich wrote: > > Hi, > > [...] > > > Removing this directory from TARGET_CPPFLAGS will cut down the log noise > > a bit. Not only will CPPFLAGS be shorter, there will be less warnings > > set off by "-Wmissing-include-dirs" (or even failures when paired with > > "-Werror"). After all the directory does not even _exist_ in the SDKs, > > which are used on the build bots when building packages (see [1] and > > [2]). Would it also make sense to remove $(STAGING_DIR)/lib ? Locally, it seems libpam gets installed there (probably a bug). > > [...] > > > Signed-off-by: Sebastian Kemper > > Acked-by: Jo-Philipp Wich > > > I wanted to look into this for a long time but never had the motivation > to actually do comprehensive tests of the impacts of the removal. > > So, thanks for looking into that - its fine from my side. > > ~ Jo > > ___ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH procd 2/2] instance: Warn about unexpected number of parameters
Warn when the number of allocated parameters for the jail argv does not match the number of used parameters. This normally leads to a buffer overflow. Signed-off-by: Hauke Mehrtens
---
service/instance.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/service/instance.c b/service/instance.c
index 4bb2207..3098ff3 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -337,8 +337,12 @@ instance_run(struct service_instance *in, int _stdout, int _stderr)
 ULOG_WARN("Seccomp support for %s::%s not available\n", in->srv->name, in->name);
 #endif

- if (in->has_jail)
+ if (in->has_jail) {
 argc = jail_run(in, argv);
+ if (argc != in->jail.argc)
+ ULOG_WARN("expected %i jail params, used %i for %s::%s\n",
+ in->jail.argc, argc, in->srv->name, in->name);
+ }

 blobmsg_for_each_attr(cur, in->command, rem)
 argv[argc++] = blobmsg_data(cur);
-- 2.20.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
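Review bot: The comparison `if (argc != in->jail.argc)` runs only after jail_run() has already written argv, so when the used count exceeds the allocated one the out-of-bounds writes have happened by the time the warning is logged, and instance_run() then continues into the blobmsg_for_each_attr() loop appending further entries to the same array. The capacity comes from the counting in instance_jail_parse() (see the companion 1/2 patch), which is outside this hunk; a containing fix would pass that capacity into jail_run() so it stops before exceeding it, or treat the mismatch as a failure rather than a warning. A short comment above the check, `/* argv was sized from jail.argc by instance_jail_parse(); a mismatch means jail_run() disagrees with it */`, would record the invariant being checked. instance_run() starts and ends outside the hunk.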
[OpenWrt-Devel] [PATCH procd 1/2] instance: ujail: Fix allocated size for no_new_privs parameter
When the no_new_privs parameter is given, thei size of the array which contains the argv pointers is not increased in instance_jail_parse() which causes a buffer overflow. Fix this by requesting one more entry in instance_jail_parse() for the allocation. Fixes: dfd5816bcbef ("instance, ujail: wire no_new_privs (-c) option") Cc: Etienne CHAMPETIER Signed-off-by: Hauke Mehrtens
---
service/instance.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/service/instance.c b/service/instance.c
index b4284e7..4bb2207 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -829,6 +829,9 @@ instance_jail_parse(struct service_instance *in, struct blob_attr *attr)
 if (in->seccomp)
 jail->argc += 2;

+ if (in->no_new_privs)
+ jail->argc++;
+
 return 1;
 }

-- 2.20.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
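Review bot: The new `if (in->no_new_privs) jail->argc++;` brings the allocation count back in step with the entries jail_run() writes, but nothing in the hunk ties the two sites together, which is how the mismatch fixed here (Fixes: dfd5816bcbef) crept in. A comment above the `if (in->seccomp)` block, `/* each option counted here must match the argv slots jail_run() emits for it */`, would make the coupling explicit for the next option that is wired up. The companion 2/2 patch only warns after jail_run() has returned, so this count is the only thing that actually prevents the overflow. instance_jail_parse() starts outside the hunk.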
[OpenWrt-Devel] [PATCH uci 1/2] util: Fix error path
Unlock and close the stream in case some file operations in uci_open_stream() fail. Signed-off-by: Hauke Mehrtens --- util.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/util.c b/util.c index 12aec9b..8572e81 100644 --- a/util.c +++ b/util.c @@ -221,17 +221,21 @@ __private FILE *uci_open_stream(struct uci_context *ctx, const char *filename, c ret = flock(fd, (write ? LOCK_EX : LOCK_SH)); if ((ret < 0) && (errno != ENOSYS)) - goto error; + goto error_close; ret = lseek(fd, 0, pos); if (ret < 0) - goto error; + goto error_unlock; file = fdopen(fd, (write ? "w+" : "r")); if (file) goto done; +error_unlock: + flock(fd, LOCK_UN); +error_close: + close(fd); error: UCI_THROW(ctx, UCI_ERR_IO); done: -- 2.20.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
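Review bot: The new error_unlock and error_close labels call flock(fd, LOCK_UN) and close(fd) before `UCI_THROW(ctx, UCI_ERR_IO)`, and both calls may overwrite errno, so if the I/O error is later reported with the errno of the flock()/lseek()/fdopen() call that failed, it will describe the cleanup instead. Whether uci's error reporting reads errno is not visible in this hunk, so confirm first; if it does, declare `int saved_errno;` with the other locals (outside the hunk), set `saved_errno = errno;` as the first statement under each new label, and add `errno = saved_errno;` immediately before the throw. The explicit unlock is harmless but redundant when fd is the only descriptor for the open file, since close() releases the flock() lock. uci_open_stream() starts and ends outside the hunk.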
[OpenWrt-Devel] [PATCH uci 2/2] build: Add -Wclobbered to detect problems with longjmp
When we jump back to a save point in UCI_THROW() with longjmp all the registers will be reset to the old values when we called UCI_TRAP_SAVE() last time, but the memory is not restored. This will revert all the variables which are stored in registers, but not the variables stored on the stack. Mark all the variables which the compiler could put into a register as volatile to store them safely on the stack and make sure they have the defined current values also after longjmp was called. This also activates a compiler warning which should warn us in such cases. This could fix some potential problem in error paths like the one reported in CVE-2019-15513. Signed-off-by: Hauke Mehrtens
---
CMakeLists.txt | 2 +-
delta.c| 20 ++--
file.c | 11 ++-
list.c | 4 ++--
4 files changed, 19 insertions(+), 18 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 170eb0b..578c021 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -3,7 +3,7 @@ cmake_minimum_required(VERSION 2.6)
 PROJECT(uci C)
 SET(CMAKE_SHARED_LIBRARY_LINK_C_FLAGS "")

-ADD_DEFINITIONS(-Os -Wall -Werror --std=gnu99 -g3 -I. -DUCI_PREFIX="${CMAKE_INSTALL_PREFIX}")
+ADD_DEFINITIONS(-Os -Wall -Werror -Wclobbered --std=gnu99 -g3 -I. -DUCI_PREFIX="${CMAKE_INSTALL_PREFIX}")

 OPTION(UCI_DEBUG "debugging support" OFF)
 OPTION(UCI_DEBUG_TYPECAST "typecast debugging support" OFF)
diff --git a/delta.c b/delta.c
index 386167d..52ebe3b 100644
--- a/delta.c
+++ b/delta.c
@@ -100,7 +100,7 @@ int uci_set_savedir(struct uci_context *ctx, const char *dir)
 {
 char *sdir;
 struct uci_element *e, *tmp;
- bool exists = false;
+ volatile bool exists = false;

 UCI_HANDLE_ERR(ctx);
 UCI_ASSERT(ctx, dir != NULL);
@@ -259,7 +259,7 @@ error:
 static int uci_parse_delta(struct uci_context *ctx, FILE *stream, struct uci_package *p)
 {
 struct uci_parse_context *pctx;
- int changes = 0;
+ volatile int changes = 0;

 /* make sure no memory from previous parse attempts is leaked */
 uci_cleanup(ctx);
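Review bot: `-Wclobbered` is added next to `-Werror` on the ADD_DEFINITIONS line, which turns a heuristic diagnostic into a build failure: GCC documents it as warning about variables that *might* be changed by longjmp, its output varies with optimization level and compiler version, and a compiler that does not implement the option (clang, as far as I recall, reports an unknown warning option, which -Werror then escalates) fails before compiling anything. Guarding it on the compiler, e.g. appending it only when `CMAKE_C_COMPILER_ID` is `GNU`, or keeping it outside the -Werror set, avoids that without losing the check where it works. The delta.c hunks on this line give `volatile` to locals that are presumably assigned after UCI_TRAP_SAVE() and read again after the longjmp, which is exactly the C11 7.13.2.1 condition under which non-volatile automatics become indeterminate; a comment at the first such declaration, `/* volatile: modified after UCI_TRAP_SAVE() and read after UCI_THROW() longjmps back */`, would tell readers why the qualifier is there.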
@@ -294,8 +294,8 @@ error:
 /* returns the number of changes that were successfully parsed */
 static int uci_load_delta_file(struct uci_context *ctx, struct uci_package *p, char *filename, FILE **f, bool flush)
 {
- FILE *stream = NULL;
- int changes = 0;
+ FILE *volatile stream = NULL;
+ volatile int changes = 0;

 UCI_TRAP_SAVE(ctx, done);
 stream = uci_open_stream(ctx, filename, NULL, SEEK_SET, flush, false);
@@ -317,8 +317,8 @@ __private int uci_load_delta(struct uci_context *ctx, struct uci_package *p, boo
 {
 struct uci_element *e;
 char *filename = NULL;
- FILE *f = NULL;
- int changes = 0;
+ FILE *volatile f = NULL;
+ volatile int changes = 0;

 if (!p->has_delta)
 return 0;
@@ -419,9 +419,9 @@ done:

 int uci_revert(struct uci_context *ctx, struct uci_ptr *ptr)
 {
- char *package = NULL;
- char *section = NULL;
- char *option = NULL;
+ char *volatile package = NULL;
+ char *volatile section = NULL;
+ char *volatile option = NULL;

 UCI_HANDLE_ERR(ctx);
 uci_expand_ptr(ctx, ptr, false);
@@ -463,7 +463,7 @@ error:

 int uci_save(struct uci_context *ctx, struct uci_package *p)
 {
- FILE *f = NULL;
+ FILE *volatile f = NULL;
 char *filename = NULL;
 struct uci_element *e, *tmp;
 struct stat statbuf;
diff --git a/file.c b/file.c
index 7333e48..321b66b 100644
--- a/file.c
+++ b/file.c
@@ -721,10 +721,10 @@ static void uci_file_commit(struct uci_context *ctx, struct uci_package **packag
 {
 struct uci_package *p = *package;
 FILE *f1, *f2 = NULL;
- char *name = NULL;
- char *path = NULL;
+ char *volatile name = NULL;
+ char *volatile path = NULL;
 char *filename = NULL;
- bool do_rename = false;
+ volatile bool do_rename = false;
 int fd;

 if (!p->path) {
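Review bot: In the uci_file_commit() hunk `name`, `path` and `do_rename` become volatile while `f2` on the unchanged `FILE *f1, *f2 = NULL;` line and `int fd;` keep register-eligible types; if either is assigned after UCI_TRAP_SAVE() and read in the cleanup reached after a throw, it has the same hazard this series fixes for `stream` in uci_load_delta_file(). The function body is outside the hunk, so they may well be untouched after the save point, but the commit message's "all the variables which the compiler could put into a register" should be checked against them rather than relying on -Wclobbered staying silent, since that warning is heuristic; the same question applies to `filename` in uci_load_delta() and uci_save() on this line, which stay non-volatile. A comment on the first volatile declaration in each function, `/* volatile: must survive the longjmp() from UCI_THROW() */`, would help the next reader.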
@@ -881,12 +881,13 @@ static char **uci_list_config_files(struct uci_context *ctx)
 return configs;
 }

-static struct uci_package *uci_file_load(struct uci_context *ctx, const char *name)
+static struct uci_package *uci_file_load(struct uci_context *ctx,
+const char *volatile name)
 {
 struct uci_package *package = NULL;
 char *filename;
 bool confdir;
- FILE *file = NULL;
+ FILE *volatile file = NULL;

 switch (name[0]) {
 case '.':
diff --git a/list.c b/list.c
index 78efbaf..41a8702 100644
--- a/list.c
+++ b/list.c
@@ -623,8 +623,8 @@ int uci_add_list(struct uci_context *ctx, struct uci_ptr *ptr)
 {
 /* NB: UCI_INTERNAL use means without delta tracking */
 bool internal = ctx && ctx->internal;
- struct uci_option *prev = NULL;
- const char *value2 = NULL;
+ struct uci_option *volatile prev = NULL;
+
Re: [OpenWrt-Devel] v5.4 as next kernel / ipq806x
On 11/1/19 2:12 AM, Andre Valentin wrote: Hello, I also did several tests on the 4.19 ipq806x (NBG6817). I noticed that VPN throughput (IPsec performance) dropped to 30% with exactly the same config (kernel and openwrt), kernel crypto and arm crypto stuff tested. Also the whole system feels a bit slower. Timers (clock, ddr) in dts have been compared, also checked in the running system. I'm a fan of 4.19, but this needs to be solved first and I have no clue where to look. Any ideas? There has been some discussion on the forum around IPSec performance and kmod-crypto-ctr for the similar ipq40xx. It may provide insight. https://forum.openwrt.org/t/ipsec-differences-between-devices-is-kmod-crypto-ctr-the-problem/44461?u=jeff https://github.com/openwrt/openwrt/pull/2518 I haven't been following it very closely, but as I was surprised that the IPQ4019-based EA8300's OpenVPN throughput was only about 50% better than that of a QCA9558 or QCA9563, I put catching up on the topic on my list. Jeff ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH 3/4] mediatek: cosmetic fixes for mt7629-lynx-rfb
On Fri, Nov 1, 2019 at 3:10 PM wrote: > > Hi, > > > @@ -75,6 +76,7 @@ > > gmac0: mac@0 { > > compatible = "mediatek,eth-mac"; > > reg = <0>; > > + mtd-mac-address = < 0x2a>; > > Strange indent here ... Ouch...This entire eth node uses spaces for indentation, and the tab width in my editor is 4 spaces... Fixed in my staging tree: https://git.openwrt.org/?p=openwrt/staging/981213.git;a=shortlog;h=refs/heads/mt7629_target Regards, Chuanhong Guo ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] iwinfo: add several QC/A device ids
Add device ids for AR9462, QCA9862, QCA9880 v1 mPCIe cards and Ubiquiti branded QCA9880 v2 PCI wifi found in LiteBeam 5ac. Signed-off-by: Tomislav Požega --- --- a/hardware.txt +++ b/hardware.txt @@ -1,6 +1,7 @@ # libiwinfo hardware database # vendor id | device id | subsystem vendor id | subsystem device id | # txpower offset | frequency offset | "vendor name" | "device name" +0x0777 0x11ac 0x0777 0xe7f90 0 "Ubiquiti" "LiteBeam 5AC" 0x 0x 0x 0xb1020 0 "Ubiquiti" "PowerStation2 (18V)" 0x 0x 0x 0xb2020 0 "Ubiquiti" "PowerStation2 (16D)" 0x 0x 0x 0xb3020 0 "Ubiquiti" "PowerStation2 (EXT)" @@ -152,7 +153,10 @@ 0x168c 0x0033 0x19b6 0xd0140 0 "MikroTik" "R11e-5HnD" 0x168c 0x0033 0x19b6 0xd0570 0 "MikroTik" "R11e-5HnDr2" 0x168c 0x0033 0x19b6 0xd0160 0 "MikroTik" "R11e-2HPnD" +0x168c 0x0034 0x17aa 0x32140 0 "Atheros" "AR9462" 0x168c 0x003c 0x 0x0 0 "Qualcomm Atheros" "QCA9880" +0x168c 0x003c 0x168c 0x32230 0 "Qualcomm Atheros" "QCA9880" +0x168c 0x003c 0x1a56 0x14200 0 "Qualcomm Atheros" "QCA9862" 0x168c 0x003c 0x19b6 0xd03c0 0 "Mikrotik" "R11e-5HacT" 0x168c 0x0046 0x168c 0xcafe0 0 "Qualcomm Atheros" "QCA9984" 0x168c 0x0050 0x 0x0 0 "Qualcomm Atheros" "QCA9887" ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] CVE-2019-15513 analysis
Hi, At the prpl Summit 2019 I saw a slide with 4 CVEs which are filed against OpenWrt and there was one listed I was not aware of at that time, CVE-2019-15513. According to the CVE details page it was filed against OpenWrt on 23.8.2019 and OpenWrt was not informed before or after this was filed against OpenWrt; we only saw this by luck. https://www.cvedetails.com/cve/CVE-2019-15513/ The details are "described" in this pdf file which is partly in Mandarin: https://github.com/TeamSeri0us/pocs/blob/master/iot/morouter/motorola%E8%B7%AF%E7%94%B1%E5%99%A8%E6%96%87%E4%BB%B6%E8%A7%A3%E9%94%81%E6%BC%8F%E6%B4%9E.pdf This paper only looks at the disassembled binary even though the source is open. Petr (ynezz) tried to reproduce this, but was not able to do so with a recent OpenWrt. Later we found that this problem was fixed in OpenWrt 15.05.1 and later, more than 4 years ago. The problem was already reported here, but not as a security problem: https://github.com/openwrt/packages/issues/1231 This problem was fixed by Yousong in this commit over 4 years ago: https://git.openwrt.org/?p=project/uci.git;a=commitdiff;h=19e29ffc15dbd958e8e6a648ee0982c68353516f This commit allows longer lines: https://git.openwrt.org/?p=project/uci.git;a=commitdiff;h=4b52bdbdbec3c84afeab5c3167e69f7c6012b2f3 The problem was that uci_open_stream() opens the given filename and also locks it with flock() so that other processes can not use it. In this case the lock on the file is not released, which causes a deadlock in uci and something hangs; no code execution or anything similar is possible, just one process hangs. This can normally only be called by root. UCI makes use of setjmp() and longjmp() for error handling. When an error occurs it jumps back to the save point. This is encapsulated in UCI_TRAP_SAVE() and UCI_THROW(). longjmp() restores all the registers saved by setjmp(), so variables which are stored in memory are not restored, but variables stored in registers are restored to their old values. 
When uci_getln() is called with a string of more than 4096 bytes it runs into an error case and calls UCI_THROW() which jumps back to the last save point, in this case to uci_load_delta_file(). In this description it gets called in this way: uci_load_delta_file() -> uci_parse_delta() -> uci_getln() uci_load_delta_file() looked like this: --- /* returns the number of changes that were successfully parsed */ static int uci_load_delta_file(struct uci_context *ctx, struct uci_package *p, char *filename, FILE **f, bool flush) { FILE *stream = NULL; int changes = 0; UCI_TRAP_SAVE(ctx, done); stream = uci_open_stream(ctx, filename, NULL, SEEK_SET, flush, false); if (p) changes = uci_parse_delta(ctx, stream, p); UCI_TRAP_RESTORE(ctx); done: if (f) *f = stream; else if (stream) uci_close_stream(stream); return changes; } --- https://git.openwrt.org/?p=project/uci.git;a=blob;f=delta.c;h=459d2c7ddfd5d4443c24c02a76952d40319bb871;hb=556215152a216c179fe2ca7db9b1de7036ceda60#l289 When uci_parse_delta() calls UCI_THROW() it jumps to done. The problem is that stream is stored in a register and not on the stack because the compiler thinks this is ok. Then stream will be restored to the original value, which is NULL, and we lose the reference to the original stream file pointer. uci_close_stream() will not be called and the file pointer is not unlocked and also not closed. This problem was fixed in OpenWrt 15.05.1. The CVE says it does not need authentication; as far as I understand it, root permissions are needed to exploit this problem, it could also be possible over Luci. It could be that these Motorola CX2L MWR04L and MWR03 devices where this problem was found use UCI in a different way in their vendor FW which forked OpenWrt, but I do not have these devices, the source code or the binaries of these devices. If you find a security problem in OpenWrt please get in contact with us at cont...@openwrt.org, preferably before publishing it, but at least after you published it. 
I do not like it when a CVE is just filed without informing us. Do not assume that some random vendor in whose firmware you found this problem reports the problem back to us; normally they only fork OpenWrt and do not care about upstream OpenWrt. If you find a problem in OpenWrt please talk to OpenWrt! If you see a CVE against OpenWrt and there is no communication on the normal OpenWrt mailing lists about it, please ask on the public mailing list if someone knows about it; this is already the second CVE filed against OpenWrt where we were not informed at all. Hauke signature.asc Description: OpenPGP digital signature ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org
[OpenWrt-Devel] [PATCH 1/1] ipq40xx: ipq4019: Add new device Compex WPJ419
This device contains 2 flash devices. One NOR (32M) and one NAND (128M). U-boot and caldata are on the NOR, the firmware on the NAND. SoC:IPQ4019 CPU:4x 710MHz ARMv7 RAM:256MB FLASH: NOR:32MB NAND:128MB ETH:2x GMAC Gigabit POE:802.3 af/at POE, IEEE802.3af/IEEE802.3at(48-56V) WIFI: 1x 2.4Ghz Atheros qca4019 2x2 MU-MIMO 1x 5.0Ghz Atheros qca4019 2x2 MU-MIMO USB:1x 3.0 PCI:1x Mini PCIe SIM:1x Slot SD: 1x MicroSD slot BTN:Reset LED:- Power - Ethernet UART: 1x Serial Port 4 Pin Connector (UART) 1x Serial Port 6 Pin Connector (High Speed UART) POWER: 12V 2A Installation Initial flashing can only be done via u-boot using the following commands: tftpboot openwrt-ipq40xx-generic-compex_wpj419-squashfs-nand-factory.ubi nand erase.chip; nand write ${fileaddr} 0x0 ${filesize} res Signed-off-by: Daniel Danzberger --- .../ipq40xx/base-files/etc/board.d/02_network | 1 + .../etc/hotplug.d/firmware/11-ath10k-caldata | 2 + .../base-files/lib/upgrade/platform.sh| 3 + .../arch/arm/boot/dts/qcom-ipq4019-wpj419.dts | 374 ++ target/linux/ipq40xx/image/Makefile | 14 + .../901-arm-boot-add-dts-files.patch | 3 +- 6 files changed, 396 insertions(+), 1 deletion(-) create mode 100644 target/linux/ipq40xx/files-4.19/arch/arm/boot/dts/qcom-ipq4019-wpj419.dts diff --git a/target/linux/ipq40xx/base-files/etc/board.d/02_network b/target/linux/ipq40xx/base-files/etc/board.d/02_network index 25402b7eb4..dafd83234e 100755 --- a/target/linux/ipq40xx/base-files/etc/board.d/02_network +++ b/target/linux/ipq40xx/base-files/etc/board.d/02_network @@ -48,6 +48,7 @@ ipq40xx_setup_interfaces() ucidef_set_interface_lan "eth0" ;; avm,fritzrepeater-3000|\ + compex,wpj419|\ compex,wpj428) ucidef_set_interface_lan "eth0 eth1" ;; diff --git a/target/linux/ipq40xx/base-files/etc/hotplug.d/firmware/11-ath10k-caldata b/target/linux/ipq40xx/base-files/etc/hotplug.d/firmware/11-ath10k-caldata index 2336ef3c7b..d4e4cc49ec 100644 --- a/target/linux/ipq40xx/base-files/etc/hotplug.d/firmware/11-ath10k-caldata 
+++ b/target/linux/ipq40xx/base-files/etc/hotplug.d/firmware/11-ath10k-caldata
@@ -70,6 +70,7 @@ case "$FIRMWARE" in
 /usr/bin/fritz_cal_extract -i 1 -s 0x3C800 -e 0x207 -l 12064 -o /lib/firmware/$FIRMWARE $(find_mtd_chardev "urlader1") || \
 /usr/bin/fritz_cal_extract -i 1 -s 0x3D000 -e 0x207 -l 12064 -o /lib/firmware/$FIRMWARE $(find_mtd_chardev "urlader1")
 ;;
+ compex,wpj419 |\
 compex,wpj428 |\
 engenius,eap1300 |\
 openmesh,a42 |\
@@ -133,6 +134,7 @@ case "$FIRMWARE" in
 /usr/bin/fritz_cal_extract -i 1 -s 0x3D000 -e 0x208 -l 12064 -o /lib/firmware/$FIRMWARE $(find_mtd_chardev "urlader1") || \
 /usr/bin/fritz_cal_extract -i 1 -s 0x3C000 -e 0x208 -l 12064 -o /lib/firmware/$FIRMWARE $(find_mtd_chardev "urlader1")
 ;;
+ compex,wpj419 |\
 compex,wpj428 |\
 engenius,eap1300 |\
 openmesh,a42 |\
diff --git a/target/linux/ipq40xx/base-files/lib/upgrade/platform.sh b/target/linux/ipq40xx/base-files/lib/upgrade/platform.sh
index 3445f2b50f..96f865c67e 100644
--- a/target/linux/ipq40xx/base-files/lib/upgrade/platform.sh
+++ b/target/linux/ipq40xx/base-files/lib/upgrade/platform.sh
@@ -73,6 +73,9 @@ platform_do_upgrade() {
 CI_KERNPART="linux"
 nand_do_upgrade "$1"
 ;;
+ compex,wpj419)
+ nand_do_upgrade "$1"
+ ;;
 linksys,ea6350v3 |\
 linksys,ea8300)
 platform_do_upgrade_linksys "$1"
diff --git a/target/linux/ipq40xx/files-4.19/arch/arm/boot/dts/qcom-ipq4019-wpj419.dts b/target/linux/ipq40xx/files-4.19/arch/arm/boot/dts/qcom-ipq4019-wpj419.dts
new file mode 100644
index 00..b6eb99278b
--- /dev/null
+++ b/target/linux/ipq40xx/files-4.19/arch/arm/boot/dts/qcom-ipq4019-wpj419.dts
@@ -0,0 +1,374 @@ +/* Copyright (c) 2015, The Linux Foundation. All rights reserved. + * Copyright (c) 2019, Nguyen Dinh Phi + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE
[OpenWrt-Devel] [PATCH 0/1] ipq40xx: Add new device Compex WPJ419
Changes since the last PR: - previous 2 patches have been dropped. - spi-nand flash driver is used instead of the old mt29f. - reboot hang problem is fixed by using the 'broken-flash-reset' dts property. - u-boot-env partition is no longer read-only. - bootargs are appended in the dts file and no longer need to be set in the bootloader. - style and naming issues have been resolved. - drop msm bus header and dts file. - fix sysupgrade, add nand flash handler for wpj419 - Use only 64MB of the nand flash, because the bootloader expects the ubi part to be only 64MB. This is due to the old mt29f driver, which detected the flash with only 64MB instead of 128MB. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [openwrt] Patch notification: 1 patch updated
Hello, The following patch (submitted by you) has been updated in Patchwork: * openwrt: [OpenWrt-Devel,v2] hostapd: add IEEE 802.11k support - http://patchwork.ozlabs.org/patch/1187712/ - for: OpenWrt development was: New now: Superseded This email is a notification only - you do not need to respond. Happy patchworking. -- This is an automated mail sent by the Patchwork system at patchwork.ozlabs.org. To stop receiving these notifications, edit your mail settings at: http://patchwork.ozlabs.org/mail/ ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] rules.mk: remove "$(STAGING_DIR)/include"
Hi, [...] > Removing this directory from TARGET_CPPFLAGS will cut down the log noise > a bit. Not only will CPPFLAGS be shorter, there will be less warnings > set off by "-Wmissing-include-dirs" (or even failures when paired with > "-Werror"). After all the directory does not even _exist_ in the SDKs, > which are used on the build bots when building packages (see [1] and > [2]). [...] > Signed-off-by: Sebastian Kemper Acked-by: Jo-Philipp Wich I wanted to look into this for a long time but never had the motivation to actually do comprehensive tests of the impacts of the removal. So, thanks for looking into that - it's fine from my side. ~ Jo signature.asc Description: OpenPGP digital signature ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] rules.mk: remove "$(STAGING_DIR)/include"
"$(STAGING_DIR)/include" was carried over from buildroot-ng to OpenWrt in commit 60c1f0f64d23003a19a07d6b9638542130f6641d. buildroot has dropped this directory a long time ago. In OpenWrt the directory is still created by the PrepareStaging macro and is part of the default TARGET_CPPFLAGS. But nothing at all installs headers into this directory, nor should anything be installed under this path. Removing this directory from TARGET_CPPFLAGS will cut down the log noise a bit. Not only will CPPFLAGS be shorter, there will be less warnings set off by "-Wmissing-include-dirs" (or even failures when paired with "-Werror"). After all the directory does not even _exist_ in the SDKs, which are used on the build bots when building packages (see [1] and [2]). make[8]: Entering directory '/builder/shared-workdir/build/sdk/build_dir/target-aarch64_generic_musl/libmbim-1.20.0/src/common' CC libmbim_common_la-mbim-common.lo cc1: error: /builder/shared-workdir/build/sdk/staging_dir/target-aarch64_generic_musl/include: No such file or directory [-Werror=missing-include-dirs] cc1: all warnings being treated as errors [1] https://github.com/openwrt/packages/issues/10377 [2] https://github.com/openwrt/packages/pull/10378 Signed-off-by: Sebastian Kemper --- rules.mk | 2 +- tools/Makefile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules.mk b/rules.mk index fbf42f725d..66ddea2883 100644 --- a/rules.mk +++ b/rules.mk @@ -174,7 +174,7 @@ TARGET_CFLAGS:=$(TARGET_OPTIMIZATION)$(if $(CONFIG_DEBUG), -g3) $(call qstrip,$( TARGET_CXXFLAGS = $(TARGET_CFLAGS) TARGET_ASFLAGS_DEFAULT = $(TARGET_CFLAGS) TARGET_ASFLAGS = $(TARGET_ASFLAGS_DEFAULT) -TARGET_CPPFLAGS:=-I$(STAGING_DIR)/usr/include -I$(STAGING_DIR)/include +TARGET_CPPFLAGS:=-I$(STAGING_DIR)/usr/include TARGET_LDFLAGS:=-L$(STAGING_DIR)/usr/lib -L$(STAGING_DIR)/lib ifneq ($(CONFIG_EXTERNAL_TOOLCHAIN),) LIBGCC_S_PATH=$(realpath $(wildcard $(call qstrip,$(CONFIG_LIBGCC_ROOT_DIR))/$(call qstrip,$(CONFIG_LIBGCC_FILE_SPEC 
diff --git a/tools/Makefile b/tools/Makefile index 23671cba91..2f57d25525 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -123,7 +123,7 @@ define PrepareStaging $(if $(QUIET),,set -x;) \ mkdir -p "$$dir"; \ cd "$$dir"; \ - mkdir -p bin lib include stamp; \ + mkdir -p bin lib stamp; \ ); done endef -- 2.23.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] v5.4 as next kernel / ipq806x
Hello, I also did several tests on the 4.19 ipq806x (NBG6817). I noticed that VPN throughput (IPsec Performance) dropped to 30% with exactly the same config (kernel and openwrt), kernel crypto and arm crypto stuff tested. Also the whole system feels a bit slower. Timers (clock, ddr) in dts have been compared, also checked in the running system. I'm a fan of 419, but this needs to be solved before and I have no clue where to look. Any ideas? Kind regards, André Am 30.10.19 um 22:16 schrieb Stefan Lippers-Hollmann: > Hi > > On 2019-10-30, Adrian Schmutzler wrote: >> 1. We currently have work-in-progress 4.19 support PRs for ramips, >> ipq806x and bcm63xx, still with considerable work to do at least for >> the first two (IIRC). > > Kernel 4.19 has been working fine on ipq806x (nbg6817) for me so far, > I've been using it a for couple of months now and the pending pull > request[0] is functional. Yes, there might be further optimization steps > possible, but none of that is necessary to switch ipq806x from v4.14 to > v4.19 now'ish (routing throughput is already significantly better in > v4.19, jumbo frames no longer crash stmmac, so I do consider the current > state of the v4.19 patches for ipq806x to be an improvement over v4.14). > > Regards > Stefan Lippers-Hollmann > > [0] https://github.com/openwrt/openwrt/pull/2472 > > ___ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel > smime.p7s Description: S/MIME Cryptographic Signature ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH 3/4] mediatek: cosmetic fixes for mt7629-lynx-rfb
Hi, > @@ -75,6 +76,7 @@ > gmac0: mac@0 { > compatible = "mediatek,eth-mac"; > reg = <0>; > + mtd-mac-address = < 0x2a>; Strange indent here ... > phy-mode = "sgmii"; > fixed-link { > speed = <1000>; @@ -86,6 +88,7 @@ > gmac1: mac@1 { > compatible = "mediatek,eth-mac"; > reg = <1>; > + mtd-mac-address = < 0x24>; ... and here. Best Adrian openpgp-digital-signature.asc Description: PGP signature ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel