* [PATCH 0/4] Fix CVEs and qemu run-ptest script
From: kai.kang @ 2016-11-10  7:01 UTC
  To: openembedded-core

From: Kai Kang <kai.kang@windriver.com>

The following changes since commit 09278be8c209976da03f63b5a956d212ac171317:

  conf/distro/include/maintainers: move toolchain to Khem Raj (2016-11-09 12:20:48 +0000)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib kangkai/fixes-20161110
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=kangkai/fixes-20161110

Kai Kang (4):
  openssh: fix CVE-2016-8858
  glibc: fix CVE-2016-6323
  qemu: fix CVE-2016-7909
  qemu: update run-ptest script

 .../openssh/openssh/fix-CVE-2016-8858.patch        | 39 ++++++++++++++++++
 meta/recipes-connectivity/openssh/openssh_7.3p1.bb |  1 +
 ...k-__startcontext-as-.cantunwind-bug-20435.patch | 46 ++++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.24.bb              |  1 +
 .../qemu/qemu/0004-fix-CVE-2016-7909.patch         | 42 ++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu/run-ptest          |  8 ++--
 meta/recipes-devtools/qemu/qemu_2.7.0.bb           |  1 +
 7 files changed, 135 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0027-arm-mark-__startcontext-as-.cantunwind-bug-20435.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch

-- 
2.10.1




* [PATCH 1/4] openssh: fix CVE-2016-8858
From: kai.kang @ 2016-11-10  7:01 UTC
  To: openembedded-core

From: Kai Kang <kai.kang@windriver.com>

Backport patch to fix CVE-2016-8858 of openssh.

Ref:
https://bugzilla.redhat.com/show_bug.cgi?id=1384860

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 .../openssh/openssh/fix-CVE-2016-8858.patch        | 39 ++++++++++++++++++++++
 meta/recipes-connectivity/openssh/openssh_7.3p1.bb |  1 +
 2 files changed, 40 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch

diff --git a/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch b/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch
new file mode 100644
index 0000000..b26ee81
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch
@@ -0,0 +1,39 @@
+Fix CVE-2016-8858 of openssh
+
+Backport patch from upstream and drop the change of comment which can NOT be applied.
+
+Upstream-Status: Backport [ https://anongit.mindrot.org/openssh.git/commit/?id=ec165c3 ]
+CVE: CVE-2016-8858
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
+From: "markus@openbsd.org" <markus@openbsd.org>
+Date: Mon, 10 Oct 2016 19:28:48 +0000
+Subject: [PATCH] upstream commit
+
+Unregister the KEXINIT handler after message has been
+received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
+allocation of up to 128MB -- until the connection is closed. Reported by
+shilei-c at 360.cn
+
+Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
+---
+ kex.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kex.c b/kex.c
+index 3f97f8c..6a94bc5 100644
+--- a/kex.c
++++ b/kex.c
+@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
+ 	if (kex == NULL)
+ 		return SSH_ERR_INVALID_ARGUMENT;
+ 
++	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ 	ptr = sshpkt_ptr(ssh, &dlen);
+ 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ 		return r;
+-- 
+2.10.1
+
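Review bot: the diffstat carried over from the upstream commit (`kex.c | 3 ++-`, `2 insertions(+), 1 deletion(-)`) no longer matches the body, which contains a single added line after the comment change was dropped as the header says; trim or regenerate the stat block so the file does not misdescribe what it applies. On the fix itself, `ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL)` unregisters the handler as soon as the first KEXINIT has been consumed, and nothing in this hunk registers it again, so the change is only safe if kex_send_kexinit() in the 7.3p1 tree installs kex_input_kexinit before every key exchange, including peer-initiated rekeys; please confirm that in the 7.3p1 kex.c before merging, since otherwise a legitimate second KEXINIT would arrive at an unregistered message type.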
diff --git a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
index 039b0ff..94eb0ed 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \
            file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
            file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
+           file://fix-CVE-2016-8858.patch \
            "
 
 PAM_SRC_URI = "file://sshd"
-- 
2.10.1




* [PATCH 2/4] glibc: fix CVE-2016-6323
From: kai.kang @ 2016-11-10  7:01 UTC
  To: openembedded-core

From: Kai Kang <kai.kang@windriver.com>

Backport patch to fix CVE-2016-6323 of glibc, and remove the section of
the ChangeLog file which can't be applied.

Ref:
https://sourceware.org/bugzilla/show_bug.cgi?id=20435

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 ...k-__startcontext-as-.cantunwind-bug-20435.patch | 46 ++++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.24.bb              |  1 +
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/0027-arm-mark-__startcontext-as-.cantunwind-bug-20435.patch

diff --git a/meta/recipes-core/glibc/glibc/0027-arm-mark-__startcontext-as-.cantunwind-bug-20435.patch b/meta/recipes-core/glibc/glibc/0027-arm-mark-__startcontext-as-.cantunwind-bug-20435.patch
new file mode 100644
index 0000000..95067d3
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0027-arm-mark-__startcontext-as-.cantunwind-bug-20435.patch
@@ -0,0 +1,46 @@
+Backport patch to fix CVE-2016-6323 for glibc. And remove the section of
+ChangeLog which can't be applied.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9e2ff6c]
+CVE: CVE-2016-6323
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 9e2ff6c9cc54c0b4402b8d49e4abe7000fde7617 Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Mon, 8 Aug 2016 09:29:18 +0200
+Subject: [PATCH] arm: mark __startcontext as .cantunwind (bug 20435)
+
+__startcontext marks the bottom of the call stack of the contexts created
+by makecontext.
+---
+ ChangeLog                                | 6 ++++++
+ sysdeps/unix/sysv/linux/arm/setcontext.S | 7 +++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/sysdeps/unix/sysv/linux/arm/setcontext.S b/sysdeps/unix/sysv/linux/arm/setcontext.S
+index 603e508..d1f168f 100644
+--- a/sysdeps/unix/sysv/linux/arm/setcontext.S
++++ b/sysdeps/unix/sysv/linux/arm/setcontext.S
+@@ -86,12 +86,19 @@ weak_alias(__setcontext, setcontext)
+ 
+ 	/* Called when a makecontext() context returns.  Start the
+ 	   context in R4 or fall through to exit().  */
++	/* Unwind descriptors are looked up based on PC - 2, so we have to
++	   make sure to mark the instruction preceding the __startcontext
++	   label as .cantunwind.  */
++	.fnstart
++	.cantunwind
++	nop
+ ENTRY(__startcontext)
+ 	movs    r0, r4
+ 	bne     PLTJMP(__setcontext)
+ 
+ 	@ New context was 0 - exit
+ 	b       PLTJMP(HIDDEN_JUMPTARGET(exit))
++	.fnend
+ END(__startcontext)
+ 
+ #ifdef PIC
+-- 
+2.10.1
+
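Review bot: the stat block kept from the upstream commit (`ChangeLog | 6 ++++++`, `2 files changed, 13 insertions(+)`) now disagrees with the body, which only carries the setcontext.S hunk (7 insertions) after the ChangeLog section was dropped as the commit message says; regenerate or trim it so the header describes what the patch actually touches. The assembly change itself reads correctly: the `.fnstart`/`.cantunwind`/`nop` sequence sits before `ENTRY(__startcontext)` because, as the added comment explains, unwind descriptors are looked up on PC - 2, and `.fnend` closes the region before `END(__startcontext)`.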
diff --git a/meta/recipes-core/glibc/glibc_2.24.bb b/meta/recipes-core/glibc/glibc_2.24.bb
index f5a21b2..475c133 100644
--- a/meta/recipes-core/glibc/glibc_2.24.bb
+++ b/meta/recipes-core/glibc/glibc_2.24.bb
@@ -37,6 +37,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0024-eglibc-Forward-port-cross-locale-generation-support.patch \
            file://0025-Define-DUMMY_LOCALE_T-if-not-defined.patch \
            file://0026-build_local_scope.patch \
+           file://0027-arm-mark-__startcontext-as-.cantunwind-bug-20435.patch \
 "
 
 SRC_URI += "\
-- 
2.10.1




* [PATCH 3/4] qemu: fix CVE-2016-7909
From: kai.kang @ 2016-11-10  7:01 UTC
  To: openembedded-core

From: Kai Kang <kai.kang@windriver.com>

Backport patch to fix CVE-2016-7909 of qemu.

Ref:
https://security-tracker.debian.org/tracker/CVE-2016-7909

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 .../qemu/qemu/0004-fix-CVE-2016-7909.patch         | 42 ++++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.7.0.bb           |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch

diff --git a/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch b/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch
new file mode 100644
index 0000000..e71bbf6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch
@@ -0,0 +1,42 @@
+Upstream-Status: Backport [http://git.qemu.org/?p=qemu.git;a=commit;h=34e29ce]
+CVE: CVE-2016-7909
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 34e29ce754c02bb6b3bdd244fbb85033460feaff Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 30 Sep 2016 00:27:33 +0530
+Subject: [PATCH] net: pcnet: check rx/tx descriptor ring length
+
+The AMD PC-Net II emulator has set of control and status(CSR)
+registers. Of these, CSR76 and CSR78 hold receive and transmit
+descriptor ring length respectively. This ring length could range
+from 1 to 65535. Setting ring length to zero leads to an infinite
+loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/pcnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 198a01f..3078de8 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
+     case 47: /* POLLINT */
+     case 72:
+     case 74:
++        break;
+     case 76: /* RCVRL */
+     case 78: /* XMTRL */
++        val = (val > 0) ? val : 512;
++        break;
+     case 112:
+        if (CSR_STOP(s) || CSR_SPND(s))
+            break;
+-- 
+2.10.1
+
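Review bot: the new `break;` after `case 74:` and the `break;` after the CSR76/CSR78 clamp change more than the zero-length case. Before this hunk, cases 47, 72, 74, 76 and 78 all fell through into `case 112:` and its `if (CSR_STOP(s) || CSR_SPND(s)) break;` guard; after it, writes to those registers are accepted unconditionally, whether or not the device is stopped or suspended. That matches the upstream commit being backported, but it is a behavioural change for the other CSRs that the OE patch header does not mention, and a sentence recording it would help anyone auditing this later. Two smaller points: `val = (val > 0) ? val : 512;` substitutes 512 for a guest-written 0 rather than rejecting the write, which is upstream's choice and is only flagged for the record; and `val` is not declared in the visible context (the function parameter is `new_value`), so double-check it is the existing 16-bit local in pcnet_csr_writew() in the 2.7.0 tree.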
diff --git a/meta/recipes-devtools/qemu/qemu_2.7.0.bb b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
index a75bcdf..cef181d 100644
--- a/meta/recipes-devtools/qemu/qemu_2.7.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
@@ -12,6 +12,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
             file://0001-virtio-zero-vq-inuse-in-virtio_reset.patch \
             file://0002-fix-CVE-2016-7423.patch \
             file://0003-fix-CVE-2016-7908.patch \
+            file://0004-fix-CVE-2016-7909.patch \
 "
 
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
-- 
2.10.1




* [PATCH 4/4] qemu: update run-ptest script
From: kai.kang @ 2016-11-10  7:01 UTC
  To: openembedded-core

From: Kai Kang <kai.kang@windriver.com>

The Makefile in the tests directory has been renamed, so update the
run-ptest script to follow the change.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 meta/recipes-devtools/qemu/qemu/run-ptest | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-devtools/qemu/qemu/run-ptest b/meta/recipes-devtools/qemu/qemu/run-ptest
index f4b8e97..2206b31 100644
--- a/meta/recipes-devtools/qemu/qemu/run-ptest
+++ b/meta/recipes-devtools/qemu/qemu/run-ptest
@@ -1,8 +1,10 @@
 #!/bin/sh
 #
 #This script is used to run qemu test suites
-ptestdir=$(pwd)
-cd tests
+#
 
+ptestdir=$(dirname "$(readlink -f "$0")")
 export SRC_PATH=$ptestdir
-make -k runtest-TESTS | sed '/: OK/ s/^/PASS: /g'
+
+cd $ptestdir/tests
+make -f Makefile.include -k runtest-TESTS | sed '/: OK/ s/^/PASS: /g'
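Review bot: `cd $ptestdir/tests` should be quoted and should abort on failure, i.e. `cd "$ptestdir/tests" || exit 1`; `$ptestdir` now comes from `readlink -f` and can contain spaces, and if the `cd` fails the script carries on and runs `make` in whatever the current directory happens to be. Separately, the exit status of the script is that of `sed`, not `make`, because of the pipeline, so a failing test run still exits 0; consider writing make's output to a file and checking its status, or mapping non-OK lines to `FAIL:` so the ptest harness sees failures rather than only the `PASS:` lines. The switch to `-f Makefile.include` is consistent with the rename described in the commit message.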
-- 
2.10.1



