* [hardknott][PATCH 00/12] Patch review
@ 2022-02-07 9:06 Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 01/12] qemu: fix CVE-2021-3713 Anuj Mittal
` (11 more replies)
0 siblings, 12 replies; 13+ messages in thread
From: Anuj Mittal @ 2022-02-07 9:06 UTC (permalink / raw)
To: openembedded-core
Next set of changes for hardknott. Please review.
No problems seen while testing on autobuilder.
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3196
Thanks,
Anuj
The following changes since commit d54d7e7b43da621be8e6fcca34feb7b3d49b8160:
lighttpd: backport a fix for CVE-2022-22707 (2022-01-26 11:40:00 +0800)
are available in the Git repository at:
git://push.openembedded.org/openembedded-core-contrib anujm/hardknott
Alexander Kanavin (1):
libusb1: correct SRC_URI
Bruce Ashfield (2):
linux-yocto/5.10: update to v5.10.92
linux-yocto/5.10: update to v5.10.93
Peter Kjellerstedt (1):
sstate: A third fix for for touching files inside pseudo
Ross Burton (1):
yocto-check-layer: add debug output for the layers that were found
Rudolf J Streif (1):
linux-firmware: Add CLM blob to linux-firmware-bcm4373 package
Sakib Sajal (4):
qemu: fix CVE-2021-3713
qemu: fix CVE-2021-3748
qemu: fix CVE-2021-3930
qemu: fix CVE-2021-20196
Steve Sakoman (2):
expat: fix CVE-2022-23852
expat: add missing Upstream-status, CVE tag and sign-off to
CVE-2021-46143.patch
meta/classes/sstate.bbclass | 14 +-
.../expat/expat/CVE-2021-46143.patch | 6 +
.../expat/expat/CVE-2022-23852.patch | 33 +++++
meta/recipes-core/expat/expat_2.2.10.bb | 1 +
meta/recipes-devtools/qemu/qemu.inc | 5 +
.../qemu/qemu/CVE-2021-20196_1.patch | 54 ++++++++
.../qemu/qemu/CVE-2021-20196_2.patch | 67 +++++++++
.../qemu/qemu/CVE-2021-3713.patch | 68 ++++++++++
.../qemu/qemu/CVE-2021-3748.patch | 127 ++++++++++++++++++
.../qemu/qemu/CVE-2021-3930.patch | 53 ++++++++
.../linux-firmware/linux-firmware_20211216.bb | 1 +
.../linux/linux-yocto-rt_5.10.bb | 6 +-
.../linux/linux-yocto-tiny_5.10.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 ++--
meta/recipes-support/libusb/libusb1_1.0.24.bb | 6 +-
scripts/yocto-check-layer | 13 ++
16 files changed, 460 insertions(+), 26 deletions(-)
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-23852.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
--
2.34.1
^ permalink raw reply [flat|nested] 13+ messages in thread
* [hardknott][PATCH 01/12] qemu: fix CVE-2021-3713
2022-02-07 9:06 [hardknott][PATCH 00/12] Patch review Anuj Mittal
@ 2022-02-07 9:06 ` Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 02/12] qemu: fix CVE-2021-3748 Anuj Mittal
` (10 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Anuj Mittal @ 2022-02-07 9:06 UTC (permalink / raw)
To: openembedded-core
From: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3713.patch | 68 +++++++++++++++++++
2 files changed, 69 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 463339e42b..3aad41088a 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -70,6 +70,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3607.patch \
file://CVE-2021-3608.patch \
file://CVE-2021-3682.patch \
+ file://CVE-2021-3713.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
new file mode 100644
index 0000000000..33fca66d3d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
@@ -0,0 +1,68 @@
+From 9a8f71ec660e67c51cc5905dd9d2a12ff78ce743 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 18 Aug 2021 14:05:05 +0200
+Subject: [PATCH 08/12] uas: add stream number sanity checks.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The device uses the guest-supplied stream number unchecked, which can
+lead to guest-triggered out-of-band access to the UASDevice->data3 and
+UASDevice->status3 fields. Add the missing checks.
+
+Fixes: CVE-2021-3713
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reported-by: Chen Zhe <chenzhe@huawei.com>
+Reported-by: Tan Jingguo <tanjingguo@huawei.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
+(cherry picked from commit 13b250b12ad3c59114a6a17d59caf073ce45b33a)
+Signed-off-by: Michael Roth <michael.roth@amd.com>
+
+Upstream-Status: Backport [36403e8788a264dc96174f52584681ebcb4f54b1]
+CVE: CVE-2021-3713
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/usb/dev-uas.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
+index cec071d96..157734eb0 100644
+--- a/hw/usb/dev-uas.c
++++ b/hw/usb/dev-uas.c
+@@ -831,6 +831,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+ }
+ break;
+ case UAS_PIPE_ID_STATUS:
++ if (p->stream > UAS_MAX_STREAMS) {
++ goto err_stream;
++ }
+ if (p->stream) {
+ QTAILQ_FOREACH(st, &uas->results, next) {
+ if (st->stream == p->stream) {
+@@ -858,6 +861,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+ break;
+ case UAS_PIPE_ID_DATA_IN:
+ case UAS_PIPE_ID_DATA_OUT:
++ if (p->stream > UAS_MAX_STREAMS) {
++ goto err_stream;
++ }
+ if (p->stream) {
+ req = usb_uas_find_request(uas, p->stream);
+ } else {
+@@ -893,6 +899,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+ p->status = USB_RET_STALL;
+ break;
+ }
++
++err_stream:
++ error_report("%s: invalid stream %d", __func__, p->stream);
++ p->status = USB_RET_STALL;
++ return;
+ }
+
+ static void usb_uas_unrealize(USBDevice *dev)
+--
+2.31.1
+
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [hardknott][PATCH 02/12] qemu: fix CVE-2021-3748
2022-02-07 9:06 [hardknott][PATCH 00/12] Patch review Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 01/12] qemu: fix CVE-2021-3713 Anuj Mittal
@ 2022-02-07 9:06 ` Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 03/12] qemu: fix CVE-2021-3930 Anuj Mittal
` (9 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Anuj Mittal @ 2022-02-07 9:06 UTC (permalink / raw)
To: openembedded-core
From: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3748.patch | 127 ++++++++++++++++++
2 files changed, 128 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 3aad41088a..5c1c88db25 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -71,6 +71,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3608.patch \
file://CVE-2021-3682.patch \
file://CVE-2021-3713.patch \
+ file://CVE-2021-3748.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
new file mode 100644
index 0000000000..4765f24739
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
@@ -0,0 +1,127 @@
+From bacc200f623647632258f7efc0f098ac30dd4225 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 2 Sep 2021 13:44:12 +0800
+Subject: [PATCH 09/12] virtio-net: fix use after unmap/free for sg
+
+When mergeable buffer is enabled, we try to set the num_buffers after
+the virtqueue elem has been unmapped. This will lead several issues,
+E.g a use after free when the descriptor has an address which belongs
+to the non direct access region. In this case we use bounce buffer
+that is allocated during address_space_map() and freed during
+address_space_unmap().
+
+Fixing this by storing the elems temporarily in an array and delay the
+unmap after we set the the num_buffers.
+
+This addresses CVE-2021-3748.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: fbe78f4f55c6 ("virtio-net support")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [bedd7e93d01961fcb16a97ae45d93acf357e11f6]
+CVE: CVE-2021-3748
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 9179013ac..df1d30e2c 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1665,10 +1665,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ VirtIONet *n = qemu_get_nic_opaque(nc);
+ VirtIONetQueue *q = virtio_net_get_subqueue(nc);
+ VirtIODevice *vdev = VIRTIO_DEVICE(n);
++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
++ size_t lens[VIRTQUEUE_MAX_SIZE];
+ struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
+ struct virtio_net_hdr_mrg_rxbuf mhdr;
+ unsigned mhdr_cnt = 0;
+- size_t offset, i, guest_offset;
++ size_t offset, i, guest_offset, j;
++ ssize_t err;
+
+ if (!virtio_net_can_receive(nc)) {
+ return -1;
+@@ -1699,6 +1702,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+
+ total = 0;
+
++ if (i == VIRTQUEUE_MAX_SIZE) {
++ virtio_error(vdev, "virtio-net unexpected long buffer chain");
++ err = size;
++ goto err;
++ }
++
+ elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
+ if (!elem) {
+ if (i) {
+@@ -1710,7 +1719,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ n->guest_hdr_len, n->host_hdr_len,
+ vdev->guest_features);
+ }
+- return -1;
++ err = -1;
++ goto err;
+ }
+
+ if (elem->in_num < 1) {
+@@ -1718,7 +1728,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ "virtio-net receive queue contains no in buffers");
+ virtqueue_detach_element(q->rx_vq, elem, 0);
+ g_free(elem);
+- return -1;
++ err = -1;
++ goto err;
+ }
+
+ sg = elem->in_sg;
+@@ -1755,12 +1766,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ if (!n->mergeable_rx_bufs && offset < size) {
+ virtqueue_unpop(q->rx_vq, elem, total);
+ g_free(elem);
+- return size;
++ err = size;
++ goto err;
+ }
+
+- /* signal other side */
+- virtqueue_fill(q->rx_vq, elem, total, i++);
+- g_free(elem);
++ elems[i] = elem;
++ lens[i] = total;
++ i++;
+ }
+
+ if (mhdr_cnt) {
+@@ -1770,10 +1782,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ &mhdr.num_buffers, sizeof mhdr.num_buffers);
+ }
+
++ for (j = 0; j < i; j++) {
++ /* signal other side */
++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
++ g_free(elems[j]);
++ }
++
+ virtqueue_flush(q->rx_vq, i);
+ virtio_notify(vdev, q->rx_vq);
+
+ return size;
++
++err:
++ for (j = 0; j < i; j++) {
++ g_free(elems[j]);
++ }
++
++ return err;
+ }
+
+ static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf,
+--
+2.31.1
+
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [hardknott][PATCH 03/12] qemu: fix CVE-2021-3930
2022-02-07 9:06 [hardknott][PATCH 00/12] Patch review Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 01/12] qemu: fix CVE-2021-3713 Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 02/12] qemu: fix CVE-2021-3748 Anuj Mittal
@ 2022-02-07 9:06 ` Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 04/12] qemu: fix CVE-2021-20196 Anuj Mittal
` (8 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Anuj Mittal @ 2022-02-07 9:06 UTC (permalink / raw)
To: openembedded-core
From: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3930.patch | 53 +++++++++++++++++++
2 files changed, 54 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 5c1c88db25..35aa3e1d7e 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -72,6 +72,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3682.patch \
file://CVE-2021-3713.patch \
file://CVE-2021-3748.patch \
+ file://CVE-2021-3930.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
new file mode 100644
index 0000000000..bfbe5cee33
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
@@ -0,0 +1,53 @@
+From cdca50eff9c38367be54f92839734ab490c8b0f7 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 4 Nov 2021 17:31:38 +0100
+Subject: [PATCH 10/12] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE
+ SELECT commands
+
+This avoids an off-by-one read of 'mode_sense_valid' buffer in
+hw/scsi/scsi-disk.c:mode_sense_page().
+
+Fixes: CVE-2021-3930
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table")
+Fixes: #546
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport [b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8]
+CVE: CVE-2021-3930
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/scsi/scsi-disk.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index 90841ad79..5b44ed7d8 100644
+--- a/hw/scsi/scsi-disk.c
++++ b/hw/scsi/scsi-disk.c
+@@ -1100,6 +1100,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
+ uint8_t *p = *p_outbuf + 2;
+ int length;
+
++ assert(page < ARRAY_SIZE(mode_sense_valid));
+ if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
+ return -1;
+ }
+@@ -1441,6 +1442,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
+ return -1;
+ }
+
++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
++ if (page == MODE_PAGE_ALLS) {
++ return -1;
++ }
++
+ p = mode_current;
+ memset(mode_current, 0, inlen + 2);
+ len = mode_sense_page(s, page, &p, 0);
+--
+2.31.1
+
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [hardknott][PATCH 04/12] qemu: fix CVE-2021-20196
2022-02-07 9:06 [hardknott][PATCH 00/12] Patch review Anuj Mittal
` (2 preceding siblings ...)
2022-02-07 9:06 ` [hardknott][PATCH 03/12] qemu: fix CVE-2021-3930 Anuj Mittal
@ 2022-02-07 9:06 ` Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 05/12] sstate: A third fix for for touching files inside pseudo Anuj Mittal
` (7 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Anuj Mittal @ 2022-02-07 9:06 UTC (permalink / raw)
To: openembedded-core
From: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2021-20196_1.patch | 54 +++++++++++++++
.../qemu/qemu/CVE-2021-20196_2.patch | 67 +++++++++++++++++++
3 files changed, 123 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 35aa3e1d7e..568ef1be94 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -73,6 +73,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3713.patch \
file://CVE-2021-3748.patch \
file://CVE-2021-3930.patch \
+ file://CVE-2021-20196_1.patch \
+ file://CVE-2021-20196_2.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch
new file mode 100644
index 0000000000..8b1ad0423b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch
@@ -0,0 +1,54 @@
+From e907ff3d4cb7fd20d402f45355059e67d0dc93e7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 24 Nov 2021 17:15:34 +0100
+Subject: [PATCH 11/12] hw/block/fdc: Extract blk_create_empty_drive()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We are going to re-use this code in the next commit,
+so extract it as a new blk_create_empty_drive() function.
+
+Inspired-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20211124161536.631563-2-philmd@redhat.com
+Signed-off-by: John Snow <jsnow@redhat.com>
+
+Upstream-Status: Backport [b154791e7b6d4ca5cdcd54443484d97360bd7ad2]
+CVE: CVE-2021-20196
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/block/fdc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 4c2c35e22..854b4f172 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -61,6 +61,12 @@
+ } while (0)
+
+
++/* Anonymous BlockBackend for empty drive */
++static BlockBackend *blk_create_empty_drive(void)
++{
++ return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
++}
++
+ /********************************************************/
+ /* qdev floppy bus */
+
+@@ -543,8 +549,7 @@ static void floppy_drive_realize(DeviceState *qdev, Error **errp)
+ }
+
+ if (!dev->conf.blk) {
+- /* Anonymous BlockBackend for an empty drive */
+- dev->conf.blk = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
++ dev->conf.blk = blk_create_empty_drive();
+ ret = blk_attach_dev(dev->conf.blk, qdev);
+ assert(ret == 0);
+
+--
+2.31.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch
new file mode 100644
index 0000000000..dd442ccb8f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch
@@ -0,0 +1,67 @@
+From 1d48445a951fd5504190a38abeda70ea9372cf77 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 24 Nov 2021 17:15:35 +0100
+Subject: [PATCH 12/12] hw/block/fdc: Kludge missing floppy drive to fix
+ CVE-2021-20196
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guest might select another drive on the bus by setting the
+DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR).
+The current controller model doesn't expect a BlockBackend
+to be NULL. A simple way to fix CVE-2021-20196 is to create
+an empty BlockBackend when it is missing. All further
+accesses will be safely handled, and the controller state
+machines keep behaving correctly.
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20196
+Reported-by: Gaoning Pan (Ant Security Light-Year Lab) <pgn@zju.edu.cn>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20211124161536.631563-3-philmd@redhat.com
+BugLink: https://bugs.launchpad.net/qemu/+bug/1912780
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+
+Upstream-Status: Backport [1ab95af033a419e7a64e2d58e67dd96b20af5233]
+CVE: CVE-2021-20196
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/block/fdc.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 854b4f172..a736c4d14 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1365,7 +1365,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit)
+
+ static FDrive *get_cur_drv(FDCtrl *fdctrl)
+ {
+- return get_drv(fdctrl, fdctrl->cur_drv);
++ FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv);
++
++ if (!cur_drv->blk) {
++ /*
++ * Kludge: empty drive line selected. Create an anonymous
++ * BlockBackend to avoid NULL deref with various BlockBackend
++ * API calls within this model (CVE-2021-20196).
++ * Due to the controller QOM model limitations, we don't
++ * attach the created to the controller device.
++ */
++ cur_drv->blk = blk_create_empty_drive();
++ }
++ return cur_drv;
+ }
+
+ /* Status A register : 0x00 (read-only) */
+--
+2.31.1
+
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [hardknott][PATCH 05/12] sstate: A third fix for for touching files inside pseudo
2022-02-07 9:06 [hardknott][PATCH 00/12] Patch review Anuj Mittal
` (3 preceding siblings ...)
2022-02-07 9:06 ` [hardknott][PATCH 04/12] qemu: fix CVE-2021-20196 Anuj Mittal
@ 2022-02-07 9:06 ` Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 06/12] linux-yocto/5.10: update to v5.10.92 Anuj Mittal
` (6 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Anuj Mittal @ 2022-02-07 9:06 UTC (permalink / raw)
To: openembedded-core
From: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
This continues where commit676757f "sstate: fix touching files inside
pseudo" and commit 29fc8599 "sstate: another fix for touching files
inside pseudo" left off.
The previous changes switched from trying to check if the sstate file is
writable before touching it, to always touching the sstate file and
ignoring any errors. However, if the sstate file is actually a symbolic
link that links to nothing, this would actually result in an empty
sstate file being created. And this in turn leads to that future
setscene tasks will fail when they try to unpack the empty file.
Change the code so that if an sstate file linking to nothing already
exists, it is overwritten with the new sstate file. Also change it so
that the temporary file that is used is always removed, even if ln
fails to link the sstate file to it.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
(cherry picked from commit b2a5d9bc61e0b2b7e0f187a262a514952ed30563)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/classes/sstate.bbclass | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index da29225983..caa25815e0 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -827,14 +827,18 @@ sstate_create_package () {
fi
chmod 0664 $TFILE
# Skip if it was already created by some other process
- if [ ! -e ${SSTATE_PKG} ]; then
+ if [ -h ${SSTATE_PKG} ] && [ ! -e ${SSTATE_PKG} ]; then
+ # There is a symbolic link, but it links to nothing.
+ # Forcefully replace it with the new file.
+ ln -f $TFILE ${SSTATE_PKG} || true
+ elif [ ! -e ${SSTATE_PKG} ]; then
# Move into place using ln to attempt an atomic op.
# Abort if it already exists
- ln $TFILE ${SSTATE_PKG} && rm $TFILE
+ ln $TFILE ${SSTATE_PKG} || true
else
- rm $TFILE
+ touch ${SSTATE_PKG} 2>/dev/null || true
fi
- touch ${SSTATE_PKG} 2>/dev/null || true
+ rm $TFILE
}
python sstate_sign_package () {
@@ -864,7 +868,7 @@ python sstate_report_unihash() {
sstate_unpack_package () {
tar -xvzf ${SSTATE_PKG}
# update .siginfo atime on local/NFS mirror if it is a symbolic link
- [ ! -h ${SSTATE_PKG}.siginfo ] || touch -a ${SSTATE_PKG}.siginfo 2>/dev/null || true
+ [ ! -h ${SSTATE_PKG}.siginfo ] || [ ! -e ${SSTATE_PKG}.siginfo ] || touch -a ${SSTATE_PKG}.siginfo 2>/dev/null || true
# update each symbolic link instead of any referenced file
touch --no-dereference ${SSTATE_PKG} 2>/dev/null || true
[ ! -e ${SSTATE_PKG}.sig ] || touch --no-dereference ${SSTATE_PKG}.sig 2>/dev/null || true
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [hardknott][PATCH 06/12] linux-yocto/5.10: update to v5.10.92
2022-02-07 9:06 [hardknott][PATCH 00/12] Patch review Anuj Mittal
` (4 preceding siblings ...)
2022-02-07 9:06 ` [hardknott][PATCH 05/12] sstate: A third fix for for touching files inside pseudo Anuj Mittal
@ 2022-02-07 9:06 ` Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 07/12] linux-yocto/5.10: update to v5.10.93 Anuj Mittal
` (5 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Anuj Mittal @ 2022-02-07 9:06 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating linux-yocto/5.10 to the latest korg -stable release that comprises
the following commits:
c982c1a83932 Linux 5.10.92
c0091233f3d8 staging: greybus: fix stack size warning with UBSAN
66d21c005d9b drm/i915: Avoid bitwise vs logical OR warning in snb_wm_latency_quirk()
2d4fda471dc3 staging: wlan-ng: Avoid bitwise vs logical OR warning in hfa384x_usb_throttlefn()
3609fed7ac8b media: Revert "media: uvcvideo: Set unique vdev name based in type"
9b3c761e78d5 random: fix crash on multiple early calls to add_bootloader_randomness()
61cca7d191c7 random: fix data race on crng init time
3de9478230c3 random: fix data race on crng_node_pool
43c494294f30 can: gs_usb: gs_can_start_xmit(): zero-initialize hf->{flags,reserved}
45221a57b609 can: isotp: convert struct tpcon::{idx,len} to unsigned int
bd61ae808b15 can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data
f68e60001735 mfd: intel-lpss: Fix too early PM enablement in the ACPI ->probe()
5f76445a31b7 veth: Do not record rx queue hint in veth_xmit
ddfa53825f3d mmc: sdhci-pci: Add PCI ID for Intel ADL
2e691f9894cc ath11k: Fix buffer overflow when scanning with extraie
a87cecf94375 USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status
15982330b61d USB: core: Fix bug in resuming hub's handling of wakeup requests
413108ce3b56 ARM: dts: exynos: Fix BCM4330 Bluetooth reset polarity in I9100
b6dd07023699 Bluetooth: bfusb: fix division by zero in send path
869e1677a058 Bluetooth: btusb: Add support for Foxconn QCA 0xe0d0
c20021ce945f Bluetooth: btusb: Add support for Foxconn MT7922A
83493918380f Bluetooth: btusb: Add two more Bluetooth parts for WCN6855
294c0dd80d8a Bluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb()
35ab8c9085b0 bpf: Fix out of bounds access from invalid *_or_null type verification
c84fbba8a945 workqueue: Fix unbind_workers() VS wq_worker_running() race
c39d68ab3836 md: revert io stats accounting
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 35dfcd31518e66fc4dc1f2283bd3320f994c868b)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../linux/linux-yocto-rt_5.10.bb | 6 ++---
.../linux/linux-yocto-tiny_5.10.bb | 8 +++----
meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +++++++++----------
3 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
index ca7d5dd97c..a1986adcd5 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "85c14e209f1ab7cee673735c4561e656b4e65217"
-SRCREV_meta ?= "de35f8006d0f932924752ddda94dd24e2da67fbc"
+SRCREV_machine ?= "73ddd15bb13083c63f183814223b1f064f707964"
+SRCREV_meta ?= "940dd7a24ebe6ad709d6912a24660dadf34ece83"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.10.91"
+LINUX_VERSION ?= "5.10.92"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
index dbfeea6c82..13a1ec8cce 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.10.91"
+LINUX_VERSION ?= "5.10.92"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "2227ab16358ca3193f03d0cd8509092076aeffbb"
-SRCREV_machine ?= "b3fdab7a9f3c11a61565cead0445883a61081583"
-SRCREV_meta ?= "de35f8006d0f932924752ddda94dd24e2da67fbc"
+SRCREV_machine_qemuarm ?= "05c74d1b7b9b5ce5b386e2dbb787f1b00bbfdcb8"
+SRCREV_machine ?= "3c4b46871c0220942e07fc2c73ba94ac04b0d9ca"
+SRCREV_meta ?= "940dd7a24ebe6ad709d6912a24660dadf34ece83"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
index 82dfb0f903..827b5aa32e 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
@@ -13,17 +13,17 @@ KBRANCH_qemux86 ?= "v5.10/standard/base"
KBRANCH_qemux86-64 ?= "v5.10/standard/base"
KBRANCH_qemumips64 ?= "v5.10/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "fb570663823bd492e4c8d4339be825bda4210dc6"
-SRCREV_machine_qemuarm64 ?= "5a52b700c1693a95b8efa54cb65bec7807a75cd2"
-SRCREV_machine_qemumips ?= "8eb8a801f5f4764c362aefd5e97e704755cf740b"
-SRCREV_machine_qemuppc ?= "21b014e385a6b54a2fd7d667a1b556c69cda77de"
-SRCREV_machine_qemuriscv64 ?= "77c8d144b066f69e009ce2ee540a593b11eb736a"
-SRCREV_machine_qemuriscv32 ?= "77c8d144b066f69e009ce2ee540a593b11eb736a"
-SRCREV_machine_qemux86 ?= "77c8d144b066f69e009ce2ee540a593b11eb736a"
-SRCREV_machine_qemux86-64 ?= "77c8d144b066f69e009ce2ee540a593b11eb736a"
-SRCREV_machine_qemumips64 ?= "5468343e50389dba73b5d441289d5094bd0dc9f0"
-SRCREV_machine ?= "77c8d144b066f69e009ce2ee540a593b11eb736a"
-SRCREV_meta ?= "de35f8006d0f932924752ddda94dd24e2da67fbc"
+SRCREV_machine_qemuarm ?= "1e8e1a5927984c545448b4b15974addf670b0f5d"
+SRCREV_machine_qemuarm64 ?= "c42d48cae11e605f70cfc6f64dbc23711bfbf8cf"
+SRCREV_machine_qemumips ?= "0366c14c30f0ca1f9d4a793632ba9cdc86e7225e"
+SRCREV_machine_qemuppc ?= "4570b1179fe4eda809fa2b89a06e6acf95e35fc8"
+SRCREV_machine_qemuriscv64 ?= "b0f8d81ad4c501e24f062e080f38fb8a7873b68a"
+SRCREV_machine_qemuriscv32 ?= "b0f8d81ad4c501e24f062e080f38fb8a7873b68a"
+SRCREV_machine_qemux86 ?= "b0f8d81ad4c501e24f062e080f38fb8a7873b68a"
+SRCREV_machine_qemux86-64 ?= "b0f8d81ad4c501e24f062e080f38fb8a7873b68a"
+SRCREV_machine_qemumips64 ?= "f2a78b852f4afb30a5e453a8b1eac3e785cbfc39"
+SRCREV_machine ?= "b0f8d81ad4c501e24f062e080f38fb8a7873b68a"
+SRCREV_meta ?= "940dd7a24ebe6ad709d6912a24660dadf34ece83"
# remap qemuarm to qemuarma15 for the 5.8 kernel
# KMACHINE_qemuarm ?= "qemuarma15"
@@ -32,7 +32,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.10.91"
+LINUX_VERSION ?= "5.10.92"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [hardknott][PATCH 07/12] linux-yocto/5.10: update to v5.10.93
2022-02-07 9:06 [hardknott][PATCH 00/12] Patch review Anuj Mittal
` (5 preceding siblings ...)
2022-02-07 9:06 ` [hardknott][PATCH 06/12] linux-yocto/5.10: update to v5.10.92 Anuj Mittal
@ 2022-02-07 9:06 ` Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 08/12] linux-firmware: Add CLM blob to linux-firmware-bcm4373 package Anuj Mittal
` (4 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Anuj Mittal @ 2022-02-07 9:06 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating linux-yocto/5.10 to the latest korg -stable release that comprises
the following commits:
fd187a492557 Linux 5.10.93
bed97c903621 mtd: fixup CFI on ixp4xx
f50803b519c3 powerpc/pseries: Get entry and uaccess flush required bits from H_GET_CPU_CHARACTERISTICS
68c1aa82be00 ALSA: hda/realtek: Re-order quirk entries for Lenovo
4d15a17d065d ALSA: hda/realtek: Add quirk for Legion Y9000X 2020
d7b41464f1b7 ALSA: hda: ALC287: Add Lenovo IdeaPad Slim 9i 14ITL5 speaker quirk
87246ae94b73 ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master after reboot from Windows
9c27e513fb33 ALSA: hda/realtek: Add speaker fixup for some Yoga 15ITL5 devices
4c7fb4d519e5 KVM: x86: remove PMU FIXED_CTR3 from msrs_to_save_all
6b8c3a185377 firmware: qemu_fw_cfg: fix kobject leak in probe error path
889c73305b48 firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries
ff9588cf1592 firmware: qemu_fw_cfg: fix sysfs information leak
358a4b054abe rtlwifi: rtl8192cu: Fix WARNING when calling local_irq_restore() with interrupts enabled
93c4506f9f8b media: uvcvideo: fix division by zero at stream start
4c3f70be6f3a video: vga16fb: Only probe for EGA and VGA 16 color graphic cards
161e43ab8cc1 9p: only copy valid iattrs in 9P2000.L setattr implementation
0e6c0f3f4055 KVM: s390: Clarify SIGP orders versus STOP/RESTART
413b427f5fff KVM: x86: Register Processor Trace interrupt hook iff PT enabled in guest
723acd75a062 perf: Protect perf_guest_cbs with RCU
eadde287a62e vfs: fs_context: fix up param length parsing in legacy_parse_param
c5f38277163e remoteproc: qcom: pil_info: Don't memcpy_toio more than is provided
5d88e24b23af orangefs: Fix the size of a memory allocation in orangefs_bufmap_alloc()
0084fefe2960 devtmpfs regression fix: reconfigure on each mount
ee40594c95ae kbuild: Add $(KBUILD_HOSTLDFLAGS) to 'has_libelf' test
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4f3dd05c163efe6da87a58ab9e1df61b83ed4444)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../linux/linux-yocto-rt_5.10.bb | 6 ++---
.../linux/linux-yocto-tiny_5.10.bb | 8 +++----
meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +++++++++----------
3 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
index a1986adcd5..48d2694995 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "73ddd15bb13083c63f183814223b1f064f707964"
-SRCREV_meta ?= "940dd7a24ebe6ad709d6912a24660dadf34ece83"
+SRCREV_machine ?= "ba47a407fe04203adb0ab5e164597c958cd9e334"
+SRCREV_meta ?= "7df27e6d296dfa16f289883c0661eed45059360c"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.10.92"
+LINUX_VERSION ?= "5.10.93"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
index 13a1ec8cce..eb42c407fa 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.10.92"
+LINUX_VERSION ?= "5.10.93"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "05c74d1b7b9b5ce5b386e2dbb787f1b00bbfdcb8"
-SRCREV_machine ?= "3c4b46871c0220942e07fc2c73ba94ac04b0d9ca"
-SRCREV_meta ?= "940dd7a24ebe6ad709d6912a24660dadf34ece83"
+SRCREV_machine_qemuarm ?= "ceb1f194e59c9dd3bdd83d51bb0994f3db23bf61"
+SRCREV_machine ?= "878e5c1469550bb0f8778d16d4adbe7d48b0b28d"
+SRCREV_meta ?= "7df27e6d296dfa16f289883c0661eed45059360c"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
index 827b5aa32e..e67bf54c98 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.10.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.10.bb
@@ -13,17 +13,17 @@ KBRANCH_qemux86 ?= "v5.10/standard/base"
KBRANCH_qemux86-64 ?= "v5.10/standard/base"
KBRANCH_qemumips64 ?= "v5.10/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "1e8e1a5927984c545448b4b15974addf670b0f5d"
-SRCREV_machine_qemuarm64 ?= "c42d48cae11e605f70cfc6f64dbc23711bfbf8cf"
-SRCREV_machine_qemumips ?= "0366c14c30f0ca1f9d4a793632ba9cdc86e7225e"
-SRCREV_machine_qemuppc ?= "4570b1179fe4eda809fa2b89a06e6acf95e35fc8"
-SRCREV_machine_qemuriscv64 ?= "b0f8d81ad4c501e24f062e080f38fb8a7873b68a"
-SRCREV_machine_qemuriscv32 ?= "b0f8d81ad4c501e24f062e080f38fb8a7873b68a"
-SRCREV_machine_qemux86 ?= "b0f8d81ad4c501e24f062e080f38fb8a7873b68a"
-SRCREV_machine_qemux86-64 ?= "b0f8d81ad4c501e24f062e080f38fb8a7873b68a"
-SRCREV_machine_qemumips64 ?= "f2a78b852f4afb30a5e453a8b1eac3e785cbfc39"
-SRCREV_machine ?= "b0f8d81ad4c501e24f062e080f38fb8a7873b68a"
-SRCREV_meta ?= "940dd7a24ebe6ad709d6912a24660dadf34ece83"
+SRCREV_machine_qemuarm ?= "50c0e06718fb2b264619ce8d82608877d1e62a81"
+SRCREV_machine_qemuarm64 ?= "7907c5eb81e9a51307b5269d546999ebf47d9d59"
+SRCREV_machine_qemumips ?= "e9c51de36554662082afc08c6e54599b310c7951"
+SRCREV_machine_qemuppc ?= "77f361ea5eb293dcfe122ecb65f33ba32fd12501"
+SRCREV_machine_qemuriscv64 ?= "a1bbb29fe30c94c21309aa8b8c0d06fa12f3368d"
+SRCREV_machine_qemuriscv32 ?= "a1bbb29fe30c94c21309aa8b8c0d06fa12f3368d"
+SRCREV_machine_qemux86 ?= "a1bbb29fe30c94c21309aa8b8c0d06fa12f3368d"
+SRCREV_machine_qemux86-64 ?= "a1bbb29fe30c94c21309aa8b8c0d06fa12f3368d"
+SRCREV_machine_qemumips64 ?= "b668a352c94a8c29e585608e8302cacb1350f5ed"
+SRCREV_machine ?= "a1bbb29fe30c94c21309aa8b8c0d06fa12f3368d"
+SRCREV_meta ?= "7df27e6d296dfa16f289883c0661eed45059360c"
# remap qemuarm to qemuarma15 for the 5.8 kernel
# KMACHINE_qemuarm ?= "qemuarma15"
@@ -32,7 +32,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.10.92"
+LINUX_VERSION ?= "5.10.93"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [hardknott][PATCH 08/12] linux-firmware: Add CLM blob to linux-firmware-bcm4373 package
2022-02-07 9:06 [hardknott][PATCH 00/12] Patch review Anuj Mittal
` (6 preceding siblings ...)
2022-02-07 9:06 ` [hardknott][PATCH 07/12] linux-yocto/5.10: update to v5.10.93 Anuj Mittal
@ 2022-02-07 9:06 ` Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 09/12] yocto-check-layer: add debug output for the layers that were found Anuj Mittal
` (3 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Anuj Mittal @ 2022-02-07 9:06 UTC (permalink / raw)
To: openembedded-core
From: Rudolf J Streif <rudolf.streif@ibeeto.com>
The Country Local Matrix (CLM) blob brcmfmac4373-sdio.clm_blob was not
included with the files for the linux-firmware-bcm4373 package
but instead packaged with linux-firmware.
Signed-off-by: Rudolf J Streif <rudolf.streif@ibeeto.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 18ba64d4a12e7275381cf34fe72b757accbb1544)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
(cherry picked from commit 289a849f8f639cd2546153827fc265a9409f5538)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-kernel/linux-firmware/linux-firmware_20211216.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20211216.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20211216.bb
index 92b6ff5157..07389f6982 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20211216.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20211216.bb
@@ -751,6 +751,7 @@ FILES_${PN}-bcm4356-pcie = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-pc
FILES_${PN}-bcm4373 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.bin \
${nonarch_base_libdir}/firmware/brcm/brcmfmac4373.bin \
${nonarch_base_libdir}/firmware/cypress/cyfmac4373-sdio.bin \
+ ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.clm_blob \
"
LICENSE_${PN}-bcm-0bb4-0306 = "Firmware-cypress"
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [hardknott][PATCH 09/12] yocto-check-layer: add debug output for the layers that were found
2022-02-07 9:06 [hardknott][PATCH 00/12] Patch review Anuj Mittal
` (7 preceding siblings ...)
2022-02-07 9:06 ` [hardknott][PATCH 08/12] linux-firmware: Add CLM blob to linux-firmware-bcm4373 package Anuj Mittal
@ 2022-02-07 9:06 ` Anuj Mittal
2022-02-07 9:07 ` [hardknott][PATCH 10/12] libusb1: correct SRC_URI Anuj Mittal
` (2 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Anuj Mittal @ 2022-02-07 9:06 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross@burtonini.com>
When debugging weird yocto-check-layer output it is useful to know
what the tool found when looking for layers.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 711e2d4d7baf36f8497741c14268d7f72d0db016)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
(cherry picked from commit 6ff05fe05a23d4355c3a33a03350dea025133689)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
scripts/yocto-check-layer | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/scripts/yocto-check-layer b/scripts/yocto-check-layer
index 6975b09502..00a16d18fc 100755
--- a/scripts/yocto-check-layer
+++ b/scripts/yocto-check-layer
@@ -41,6 +41,12 @@ def test_layer(td, layer, test_software_layer_signatures):
tc.loadTests(CASES_PATHS)
return tc.runTests()
+def dump_layer_debug(layer):
+ logger.debug("Found layer %s (%s)" % (layer["name"], layer["path"]))
+ collections = layer.get("collections", {})
+ if collections:
+ logger.debug("%s collections: %s" % (layer["name"], ", ".join(collections)))
+
def main():
parser = argparse.ArgumentParser(
description="Yocto Project layer checking tool",
@@ -106,6 +112,13 @@ def main():
else:
dep_layers = layers
+ logger.debug("Found additional layers:")
+ for l in additional_layers:
+ dump_layer_debug(l)
+ logger.debug("Found dependency layers:")
+ for l in dep_layers:
+ dump_layer_debug(l)
+
logger.info("Detected layers:")
for layer in layers:
if layer['type'] == LayerType.ERROR_BSP_DISTRO:
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [hardknott][PATCH 10/12] libusb1: correct SRC_URI
2022-02-07 9:06 [hardknott][PATCH 00/12] Patch review Anuj Mittal
` (8 preceding siblings ...)
2022-02-07 9:06 ` [hardknott][PATCH 09/12] yocto-check-layer: add debug output for the layers that were found Anuj Mittal
@ 2022-02-07 9:07 ` Anuj Mittal
2022-02-07 9:07 ` [hardknott][PATCH 11/12] expat: fix CVE-2022-23852 Anuj Mittal
2022-02-07 9:07 ` [hardknott][PATCH 12/12] expat: add missing Upstream-status, CVE tag and sign-off to CVE-2021-46143.patch Anuj Mittal
11 siblings, 0 replies; 13+ messages in thread
From: Anuj Mittal @ 2022-02-07 9:07 UTC (permalink / raw)
To: openembedded-core
From: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d4c37ca1f1e97d53045521e9894dc9ed5b1c22a1)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
(cherry picked from commit 0fccab0724769a862e31e635ffa1db3ba2f37312)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-support/libusb/libusb1_1.0.24.bb | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-support/libusb/libusb1_1.0.24.bb b/meta/recipes-support/libusb/libusb1_1.0.24.bb
index 92e66b1b16..76a707b70f 100644
--- a/meta/recipes-support/libusb/libusb1_1.0.24.bb
+++ b/meta/recipes-support/libusb/libusb1_1.0.24.bb
@@ -1,7 +1,7 @@
SUMMARY = "Userspace library to access USB (version 1.0)"
DESCRIPTION = "A cross-platform library to access USB devices from Linux, \
macOS, Windows, OpenBSD/NetBSD, Haiku and Solaris userspace."
-HOMEPAGE = "http://libusb.sf.net"
+HOMEPAGE = "https://libusb.info"
BUGTRACKER = "http://www.libusb.org/report"
SECTION = "libs"
@@ -10,10 +10,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
BBCLASSEXTEND = "native nativesdk"
-SRC_URI = "${SOURCEFORGE_MIRROR}/libusb/libusb-${PV}.tar.bz2 \
+SRC_URI = "https://github.com/libusb/libusb/releases/download/v${PV}/libusb-${PV}.tar.bz2 \
file://run-ptest \
"
+UPSTREAM_CHECK_URI = "https://github.com/libusb/libusb/releases"
+
SRC_URI[sha256sum] = "7efd2685f7b327326dcfb85cee426d9b871fd70e22caa15bb68d595ce2a2b12a"
S = "${WORKDIR}/libusb-${PV}"
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [hardknott][PATCH 11/12] expat: fix CVE-2022-23852
2022-02-07 9:06 [hardknott][PATCH 00/12] Patch review Anuj Mittal
` (9 preceding siblings ...)
2022-02-07 9:07 ` [hardknott][PATCH 10/12] libusb1: correct SRC_URI Anuj Mittal
@ 2022-02-07 9:07 ` Anuj Mittal
2022-02-07 9:07 ` [hardknott][PATCH 12/12] expat: add missing Upstream-status, CVE tag and sign-off to CVE-2021-46143.patch Anuj Mittal
11 siblings, 0 replies; 13+ messages in thread
From: Anuj Mittal @ 2022-02-07 9:07 UTC (permalink / raw)
To: openembedded-core
From: Steve Sakoman <steve@sakoman.com>
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer
for configurations with a nonzero XML_CONTEXT_BYTES.
Backport patch from:
https://github.com/libexpat/libexpat/commit/847a645152f5ebc10ac63b74b604d0c1a79fae40
CVE: CVE-2022-23852
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit af81bb9d10c0f1e9dcaffc1bbc18ef780eea7127)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../expat/expat/CVE-2022-23852.patch | 33 +++++++++++++++++++
meta/recipes-core/expat/expat_2.2.10.bb | 1 +
2 files changed, 34 insertions(+)
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-23852.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2022-23852.patch b/meta/recipes-core/expat/expat/CVE-2022-23852.patch
new file mode 100644
index 0000000000..41425c108b
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-23852.patch
@@ -0,0 +1,33 @@
+From 847a645152f5ebc10ac63b74b604d0c1a79fae40 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Sat, 22 Jan 2022 17:48:00 +0100
+Subject: [PATCH] lib: Detect and prevent integer overflow in XML_GetBuffer
+ (CVE-2022-23852)
+
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/commit/847a645152f5ebc10ac63b74b604d0c1a79fae40
+
+CVE: CVE-2022-23852
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmlparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index d54af683..5ce31402 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
+ keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
+ if (keep > XML_CONTEXT_BYTES)
+ keep = XML_CONTEXT_BYTES;
++ /* Detect and prevent integer overflow */
++ if (keep > INT_MAX - neededSize) {
++ parser->m_errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
+ neededSize += keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+ if (neededSize
diff --git a/meta/recipes-core/expat/expat_2.2.10.bb b/meta/recipes-core/expat/expat_2.2.10.bb
index e5415361d8..074441dc2a 100644
--- a/meta/recipes-core/expat/expat_2.2.10.bb
+++ b/meta/recipes-core/expat/expat_2.2.10.bb
@@ -15,6 +15,7 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA
file://CVE-2022-22822-27.patch \
file://CVE-2021-45960.patch \
file://CVE-2021-46143.patch \
+ file://CVE-2022-23852.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [hardknott][PATCH 12/12] expat: add missing Upstream-status, CVE tag and sign-off to CVE-2021-46143.patch
2022-02-07 9:06 [hardknott][PATCH 00/12] Patch review Anuj Mittal
` (10 preceding siblings ...)
2022-02-07 9:07 ` [hardknott][PATCH 11/12] expat: fix CVE-2022-23852 Anuj Mittal
@ 2022-02-07 9:07 ` Anuj Mittal
11 siblings, 0 replies; 13+ messages in thread
From: Anuj Mittal @ 2022-02-07 9:07 UTC (permalink / raw)
To: openembedded-core
From: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 7e33aa25acc0c29b8f5e78757c6557e614eb1434)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-core/expat/expat/CVE-2021-46143.patch | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/meta/recipes-core/expat/expat/CVE-2021-46143.patch b/meta/recipes-core/expat/expat/CVE-2021-46143.patch
index d6bafba0ff..b1a726d9a8 100644
--- a/meta/recipes-core/expat/expat/CVE-2021-46143.patch
+++ b/meta/recipes-core/expat/expat/CVE-2021-46143.patch
@@ -4,6 +4,12 @@ Date: Sat, 25 Dec 2021 20:52:08 +0100
Subject: [PATCH] lib: Prevent integer overflow on m_groupSize in function
doProlog (CVE-2021-46143)
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/pull/538/commits/85ae9a2d7d0e9358f356b33977b842df8ebaec2b
+
+CVE: CVE-2021-46143
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
expat/lib/xmlparse.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--
2.34.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
end of thread, other threads:[~2022-02-07 9:07 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-07 9:06 [hardknott][PATCH 00/12] Patch review Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 01/12] qemu: fix CVE-2021-3713 Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 02/12] qemu: fix CVE-2021-3748 Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 03/12] qemu: fix CVE-2021-3930 Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 04/12] qemu: fix CVE-2021-20196 Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 05/12] sstate: A third fix for for touching files inside pseudo Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 06/12] linux-yocto/5.10: update to v5.10.92 Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 07/12] linux-yocto/5.10: update to v5.10.93 Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 08/12] linux-firmware: Add CLM blob to linux-firmware-bcm4373 package Anuj Mittal
2022-02-07 9:06 ` [hardknott][PATCH 09/12] yocto-check-layer: add debug output for the layers that were found Anuj Mittal
2022-02-07 9:07 ` [hardknott][PATCH 10/12] libusb1: correct SRC_URI Anuj Mittal
2022-02-07 9:07 ` [hardknott][PATCH 11/12] expat: fix CVE-2022-23852 Anuj Mittal
2022-02-07 9:07 ` [hardknott][PATCH 12/12] expat: add missing Upstream-status, CVE tag and sign-off to CVE-2021-46143.patch Anuj Mittal
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.