* [OE-core][kirkstone 00/23] Patch review
@ 2022-12-01 14:26 Steve Sakoman
2022-12-01 14:26 ` [OE-core][kirkstone 01/23] grub2: backport patch to fix CVE-2022-2601 CVE-2022-3775 Steve Sakoman
` (22 more replies)
0 siblings, 23 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:26 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by
end of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4562
The following changes since commit 5b2ee67e3a5587b4c7d97d2a9bc00022d1eedae3:
create-spdx: default share_src for shared sources (2022-11-25 08:08:10 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Bhabu Bindu (3):
curl: Fix CVE-2022-32221
curl: Fix CVE-2022-42916
curl: Fix CVE-2022-42915
Bruce Ashfield (5):
linux-yocto/5.15: update to v5.15.74
linux-yocto/5.15: update to v5.15.76
linux-yocto/5.15: update to v5.15.78
linux-yocto/5.15: fix CONFIG_CRYPTO_CCM mismatch warnings
kern-tools: integrate ZFS speedup patch
Chee Yang Lee (1):
dropbear: fix CVE-2021-36369
Chen Qi (3):
kernel.bbclass: make KERNEL_DEBUG_TIMESTAMPS work at rebuild
resolvconf: make it work
dhcpcd: fix to work with systemd
Dmitry Baryshkov (2):
linux-firmware: upgrade 20221012 -> 20221109
linux-firmware: add new fw file to ${PN}-qcom-adreno-a530
Enrico Jörns (1):
sstatesig: emit more helpful error message when not finding sstate
manifest
Martin Jansa (2):
tiff: refresh with devtool
tiff: add CVE tag to b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch
Polampalli, Archana (1):
libpam: fix CVE-2022-28321
Qiu, Zheng (1):
tiff: Security fix for CVE-2022-3970
Ross Burton (1):
tiff: fix a number of CVEs
Tim Orling (1):
mirrors.bbclass: update CPAN_MIRROR
Xiangyu Chen (2):
grub2: backport patch to fix CVE-2022-2601 CVE-2022-3775
dbus: upgrade 1.14.0 -> 1.14.4
meta/classes/kernel.bbclass | 8 +
meta/classes/mirrors.bbclass | 3 +-
meta/lib/oe/sstatesig.py | 6 +-
...erflow-in-grub_font_get_glyph_intern.patch | 115 ++++
.../grub/files/CVE-2022-2601.patch | 85 +++
.../grub/files/CVE-2022-3775.patch | 95 +++
meta/recipes-bsp/grub/grub2.inc | 3 +
.../dhcpcd/dhcpcd_9.4.1.bb | 1 +
...mprove-the-sitation-of-working-with-.patch | 82 +++
...01-avoid-using-m-option-for-readlink.patch | 37 +
.../resolvconf/resolvconf_1.91.bb | 9 +-
...eswap-Byte-swap-Unix-fd-indexes-if-n.patch | 76 ---
...idate-Check-brackets-in-signature-ne.patch | 119 ----
...idate-Validate-length-of-arrays-of-f.patch | 61 --
.../dbus/{dbus_1.14.0.bb => dbus_1.14.4.bb} | 10 +-
meta/recipes-core/dropbear/dropbear.inc | 4 +-
.../dropbear/dropbear/CVE-2021-36369.patch | 145 ++++
.../pam/libpam/CVE-2022-28321-0002.patch | 205 ++++++
meta/recipes-extended/pam/libpam_1.5.2.bb | 1 +
.../kern-tools/kern-tools-native_git.bb | 2 +-
...20221012.bb => linux-firmware_20221109.bb} | 6 +-
.../linux/linux-yocto-rt_5.15.bb | 6 +-
.../linux/linux-yocto-tiny_5.15.bb | 6 +-
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +-
...-of-TIFFTAG_INKNAMES-and-related-TIF.patch | 266 ++++++++
...-the-FPE-in-tiffcrop-415-427-and-428.patch | 2 +-
...rash-when-reading-a-file-with-multip.patch | 14 +-
...ue-330-and-some-more-from-320-to-349.patch | 86 ++-
...fcrop-S-option-Make-decision-simpler.patch | 36 +
...-incompatibility-of-Z-X-Y-z-options-.patch | 59 ++
...ines-require-a-larger-buffer-fixes-2.patch | 640 ++++++++++++++++++
...al-buffer-overflow-for-ASCII-tags-wh.patch | 13 +-
...ue-380-and-382-heap-buffer-overflow-.patch | 14 +-
...-for-return-value-of-limitMalloc-392.patch | 15 +-
...ag-avoid-calling-memcpy-with-a-null-.patch | 16 +-
.../0005-fix-the-FPE-in-tiffcrop-393.patch | 15 +-
...x-heap-buffer-overflow-in-tiffcp-278.patch | 15 +-
...99c99f987dc32ae110370cfdd7df7975586b.patch | 9 +-
.../libtiff/tiff/CVE-2022-1354.patch | 8 +-
.../libtiff/tiff/CVE-2022-1355.patch | 8 +-
.../libtiff/tiff/CVE-2022-2867.patch | 2 +-
.../libtiff/tiff/CVE-2022-2869.patch | 2 +-
.../libtiff/tiff/CVE-2022-2953.patch | 30 +-
.../libtiff/tiff/CVE-2022-34526.patch | 6 +-
.../libtiff/tiff/CVE-2022-3970.patch | 38 ++
...ed69a485a9cfb299d9f060eb2a46c54e5903.patch | 7 +-
...0712f4c3a5b449f70c57988260a667ddbdef.patch | 9 +-
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 6 +-
.../curl/curl/CVE-2022-32221.patch | 28 +
.../curl/curl/CVE-2022-42915.patch | 53 ++
.../curl/curl/CVE-2022-42916.patch | 136 ++++
meta/recipes-support/curl/curl_7.82.0.bb | 3 +
52 files changed, 2203 insertions(+), 444 deletions(-)
create mode 100644 meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-2601.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-3775.patch
create mode 100644 meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch
create mode 100644 meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch
delete mode 100644 meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch
delete mode 100644 meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch
delete mode 100644 meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch
rename meta/recipes-core/dbus/{dbus_1.14.0.bb => dbus_1.14.4.bb} (93%)
create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
create mode 100644 meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20221012.bb => linux-firmware_20221109.bb} (99%)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-S-option-Make-decision-simpler.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32221.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-42915.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-42916.patch
--
2.25.1
^ permalink raw reply [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 01/23] grub2: backport patch to fix CVE-2022-2601 CVE-2022-3775
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
@ 2022-12-01 14:26 ` Steve Sakoman
2022-12-01 14:26 ` [OE-core][kirkstone 02/23] tiff: refresh with devtool Steve Sakoman
` (21 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:26 UTC (permalink / raw)
To: openembedded-core
From: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
Backport patch from upstream to solve CVE-2022-2601 CVE-2022-3775 dependency:
font: Fix size overflow in grub_font_get_glyph_internal()
(https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532)
Backport patch from upstream to fix following CVEs:
CVE-2022-2601: font: Fix several integer overflows in grub_font_construct_glyph()
(https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e)
CVE-2022-3775: font: Fix an integer underflow in blit_comb()
(https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af)
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...erflow-in-grub_font_get_glyph_intern.patch | 115 ++++++++++++++++++
.../grub/files/CVE-2022-2601.patch | 85 +++++++++++++
.../grub/files/CVE-2022-3775.patch | 95 +++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 3 +
4 files changed, 298 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-2601.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-3775.patch
diff --git a/meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch b/meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
new file mode 100644
index 0000000000..efa00a3c6c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
@@ -0,0 +1,115 @@
+From 1f511ae054fe42dce7aedfbfe0f234fa1e0a7a3e Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 00:51:20 +0800
+Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
+
+The length of memory allocation and file read may overflow. This patch
+fixes the problem by using safemath macros.
+
+There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
+if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
+It is safe replacement for such code. It has safemath-like prototype.
+
+This patch also introduces grub_cast(value, pointer), it casts value to
+typeof(*pointer) then store the value to *pointer. It returns true when
+overflow occurs or false if there is no overflow. The semantics of arguments
+and return value are designed to be consistent with other safemath macros.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport from
+[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532]
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+
+---
+ grub-core/font/font.c | 17 +++++++++++++----
+ include/grub/bitmap.h | 18 ++++++++++++++++++
+ include/grub/safemath.h | 2 ++
+ 3 files changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index d09bb38..876b5b6 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -739,7 +739,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ grub_int16_t xoff;
+ grub_int16_t yoff;
+ grub_int16_t dwidth;
+- int len;
++ grub_ssize_t len;
++ grub_size_t sz;
+
+ if (index_entry->glyph)
+ /* Return cached glyph. */
+@@ -766,9 +767,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ return 0;
+ }
+
+- len = (width * height + 7) / 8;
+- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
+- if (!glyph)
++ /* Calculate real struct size of current glyph. */
++ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
++ grub_add (sizeof (struct grub_font_glyph), len, &sz))
++ {
++ remove_font (font);
++ return 0;
++ }
++
++ /* Allocate and initialize the glyph struct. */
++ glyph = grub_malloc (sz);
++ if (glyph == NULL)
+ {
+ remove_font (font);
+ return 0;
+diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
+index 5728f8c..0d9603f 100644
+--- a/include/grub/bitmap.h
++++ b/include/grub/bitmap.h
+@@ -23,6 +23,7 @@
+ #include <grub/symbol.h>
+ #include <grub/types.h>
+ #include <grub/video.h>
++#include <grub/safemath.h>
+
+ struct grub_video_bitmap
+ {
+@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
+ return bitmap->mode_info.height;
+ }
+
++/*
++ * Calculate and store the size of data buffer of 1bit bitmap in result.
++ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
++ * Return true when overflow occurs or false if there is no overflow.
++ * This function is intentionally implemented as a macro instead of
++ * an inline function. Although a bit awkward, it preserves data types for
++ * safemath macros and reduces macro side effects as much as possible.
++ *
++ * XXX: Will report false overflow if width * height > UINT64_MAX.
++ */
++#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
++({ \
++ grub_uint64_t _bitmap_pixels; \
++ grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
++ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
++})
++
+ void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
+ struct grub_video_mode_info *mode_info);
+
+diff --git a/include/grub/safemath.h b/include/grub/safemath.h
+index c17b89b..bb0f826 100644
+--- a/include/grub/safemath.h
++++ b/include/grub/safemath.h
+@@ -30,6 +30,8 @@
+ #define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
+ #define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
+
++#define grub_cast(a, res) grub_add ((a), 0, (res))
++
+ #else
+ #error gcc 5.1 or newer or clang 3.8 or newer is required
+ #endif
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-2601.patch b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
new file mode 100644
index 0000000000..727c509694
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
@@ -0,0 +1,85 @@
+From e8060722acf0bcca037982d7fb29472363ccdfd4 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 01:58:27 +0800
+Subject: [PATCH] font: Fix several integer overflows in
+ grub_font_construct_glyph()
+
+This patch fixes several integer overflows in grub_font_construct_glyph().
+Glyphs of invalid size, zero or leading to an overflow, are rejected.
+The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
+returns NULL is fixed too.
+
+Fixes: CVE-2022-2601
+
+Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport from
+[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e]
+CVE: CVE-2022-2601
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+
+---
+ grub-core/font/font.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 876b5b6..0ff5525 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1515,6 +1515,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+ struct grub_video_signed_rect bounds;
+ static struct grub_font_glyph *glyph = 0;
+ static grub_size_t max_glyph_size = 0;
++ grub_size_t cur_glyph_size;
+
+ ensure_comb_space (glyph_id);
+
+@@ -1531,29 +1532,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+ if (!glyph_id->ncomb && !glyph_id->attributes)
+ return main_glyph;
+
+- if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
++ if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) ||
++ grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
++ return main_glyph;
++
++ if (max_glyph_size < cur_glyph_size)
+ {
+ grub_free (glyph);
+- max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
+- if (max_glyph_size < 8)
+- max_glyph_size = 8;
+- glyph = grub_malloc (max_glyph_size);
++ if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
++ max_glyph_size = 0;
++ glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
+ }
+ if (!glyph)
+ {
++ max_glyph_size = 0;
+ grub_errno = GRUB_ERR_NONE;
+ return main_glyph;
+ }
+
+- grub_memset (glyph, 0, sizeof (*glyph)
+- + (bounds.width * bounds.height
+- + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
++ grub_memset (glyph, 0, cur_glyph_size);
+
+ glyph->font = main_glyph->font;
+- glyph->width = bounds.width;
+- glyph->height = bounds.height;
+- glyph->offset_x = bounds.x;
+- glyph->offset_y = bounds.y;
++ if (bounds.width == 0 || bounds.height == 0 ||
++ grub_cast (bounds.width, &glyph->width) ||
++ grub_cast (bounds.height, &glyph->height) ||
++ grub_cast (bounds.x, &glyph->offset_x) ||
++ grub_cast (bounds.y, &glyph->offset_y))
++ return main_glyph;
+
+ if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
+ grub_font_blit_glyph_mirror (glyph, main_glyph,
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-3775.patch b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
new file mode 100644
index 0000000000..853efd0486
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
@@ -0,0 +1,95 @@
+From fdbe7209152ad6f09a1166f64f162017f2145ba3 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 24 Oct 2022 08:05:35 +0800
+Subject: [PATCH] font: Fix an integer underflow in blit_comb()
+
+The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
+evaluate to a very big invalid value even if both ctx.bounds.height and
+combining_glyphs[i]->height are small integers. For example, if
+ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
+expression evaluates to 2147483647 (expected -1). This is because
+coordinates are allowed to be negative but ctx.bounds.height is an
+unsigned int. So, the subtraction operates on unsigned ints and
+underflows to a very big value. The division makes things even worse.
+The quotient is still an invalid value even if converted back to int.
+
+This patch fixes the problem by casting ctx.bounds.height to int. As
+a result the subtraction will operate on int and grub_uint16_t which
+will be promoted to an int. So, the underflow will no longer happen. Other
+uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
+to ensure coordinates are always calculated on signed integers.
+
+Fixes: CVE-2022-3775
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport from
+[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af]
+CVE: CVE-2022-3775
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+
+---
+ grub-core/font/font.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 0ff5525..7b1cbde 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1206,12 +1206,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ ctx.bounds.height = main_glyph->height;
+
+ above_rightx = main_glyph->offset_x + main_glyph->width;
+- above_righty = ctx.bounds.y + ctx.bounds.height;
++ above_righty = ctx.bounds.y + (int) ctx.bounds.height;
+
+ above_leftx = main_glyph->offset_x;
+- above_lefty = ctx.bounds.y + ctx.bounds.height;
++ above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
+
+- below_rightx = ctx.bounds.x + ctx.bounds.width;
++ below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
+ below_righty = ctx.bounds.y;
+
+ comb = grub_unicode_get_comb (glyph_id);
+@@ -1224,7 +1224,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+ if (!combining_glyphs[i])
+ continue;
+- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
++ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
+ /* CGJ is to avoid diacritics reordering. */
+ if (comb[i].code
+ == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
+@@ -1234,8 +1234,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ case GRUB_UNICODE_COMB_OVERLAY:
+ do_blit (combining_glyphs[i],
+ targetx,
+- (ctx.bounds.height - combining_glyphs[i]->height) / 2
+- - (ctx.bounds.height + ctx.bounds.y), &ctx);
++ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
++ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
+ break;
+@@ -1308,7 +1308,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ /* Fallthrough. */
+ case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
+ do_blit (combining_glyphs[i], targetx,
+- -(ctx.bounds.height + ctx.bounds.y + space
++ -((int) ctx.bounds.height + ctx.bounds.y + space
+ + combining_glyphs[i]->height), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
+@@ -1316,7 +1316,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+ case GRUB_UNICODE_COMB_HEBREW_DAGESH:
+ do_blit (combining_glyphs[i], targetx,
+- -(ctx.bounds.height / 2 + ctx.bounds.y
++ -((int) ctx.bounds.height / 2 + ctx.bounds.y
+ + combining_glyphs[i]->height / 2), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 47ea561002..270efd30ef 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -32,6 +32,9 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://CVE-2022-28734-net-http-Fix-OOB-write-for-split-http-headers.patch \
file://CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch \
file://CVE-2022-28735-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch \
+ file://0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch \
+ file://CVE-2022-2601.patch \
+ file://CVE-2022-3775.patch \
"
SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 02/23] tiff: refresh with devtool
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
2022-12-01 14:26 ` [OE-core][kirkstone 01/23] grub2: backport patch to fix CVE-2022-2601 CVE-2022-3775 Steve Sakoman
@ 2022-12-01 14:26 ` Steve Sakoman
2022-12-01 14:26 ` [OE-core][kirkstone 03/23] tiff: fix a number of CVEs Steve Sakoman
` (20 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:26 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <martin.jansa@gmail.com>
* so that they can be easily and cleanly applied with "git am"
* manually fix CVE-2022-2953.patch commit message not to use UTF-8
quotes and replace it with human readable text from original commit:
https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...-the-FPE-in-tiffcrop-415-427-and-428.patch | 2 +-
...rash-when-reading-a-file-with-multip.patch | 14 ++-
...ue-330-and-some-more-from-320-to-349.patch | 86 +++++++++----------
...al-buffer-overflow-for-ASCII-tags-wh.patch | 13 ++-
...ue-380-and-382-heap-buffer-overflow-.patch | 14 ++-
...-for-return-value-of-limitMalloc-392.patch | 15 ++--
...ag-avoid-calling-memcpy-with-a-null-.patch | 16 ++--
.../0005-fix-the-FPE-in-tiffcrop-393.patch | 15 ++--
...x-heap-buffer-overflow-in-tiffcp-278.patch | 15 ++--
...99c99f987dc32ae110370cfdd7df7975586b.patch | 9 +-
.../libtiff/tiff/CVE-2022-1354.patch | 8 +-
.../libtiff/tiff/CVE-2022-1355.patch | 8 +-
.../libtiff/tiff/CVE-2022-2867.patch | 2 +-
.../libtiff/tiff/CVE-2022-2869.patch | 2 +-
.../libtiff/tiff/CVE-2022-2953.patch | 30 +++----
.../libtiff/tiff/CVE-2022-34526.patch | 6 +-
...ed69a485a9cfb299d9f060eb2a46c54e5903.patch | 2 +-
...0712f4c3a5b449f70c57988260a667ddbdef.patch | 9 +-
18 files changed, 118 insertions(+), 148 deletions(-)
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch b/meta/recipes-multimedia/libtiff/tiff/0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch
index a28df6ed8c..a9dd42d755 100644
--- a/meta/recipes-multimedia/libtiff/tiff/0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch
@@ -1,4 +1,4 @@
-From 029da2cf70e8e38f10d62d4b0be440fb9d145af0 Mon Sep 17 00:00:00 2001
+From 6cfe933df4dbac5479801b2bd10103ef7db815ee Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Sat, 11 Jun 2022 09:31:43 +0000
Subject: [PATCH] fix the FPE in tiffcrop (#415, #427, and #428)
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch
index f1a4ab4251..a4d8bebe8c 100644
--- a/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch
@@ -1,11 +1,12 @@
+From adfd6be615635705c2f4eb8dfe49e2f463786361 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 24 Feb 2022 22:26:02 +0100
+Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple
+
CVE: CVE-2022-0865
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@arm.com>
-From 88da11ae3c4db527cb870fb1017456cc8fbac2e7 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Thu, 24 Feb 2022 22:26:02 +0100
-Subject: [PATCH 1/6] tif_jbig.c: fix crash when reading a file with multiple
IFD in memory-mapped mode and when bit reversal is needed (fixes #385)
---
@@ -13,7 +14,7 @@ Subject: [PATCH 1/6] tif_jbig.c: fix crash when reading a file with multiple
1 file changed, 10 insertions(+)
diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
-index 74086338..8bfa4cef 100644
+index 7408633..8bfa4ce 100644
--- a/libtiff/tif_jbig.c
+++ b/libtiff/tif_jbig.c
@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
@@ -33,6 +34,3 @@ index 74086338..8bfa4cef 100644
/* Setup the function pointers for encode, decode, and cleanup. */
tif->tif_setupdecode = JBIGSetupDecode;
---
-2.25.1
-
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch
index 07acf5eb90..7c4feabc38 100644
--- a/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch
@@ -1,7 +1,8 @@
-From e319508023580e2f70e6e626f745b5b2a1707313 Mon Sep 17 00:00:00 2001
+From 0ab805f46f68500da3b49d6f89380bab169bf6bb Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Tue, 10 May 2022 20:03:17 +0000
Subject: [PATCH] tiffcrop: Fix issue #330 and some more from 320 to 349
+
Upstream-Status: Backport
Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
---
@@ -9,7 +10,7 @@ Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
1 file changed, 210 insertions(+), 72 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 77cf6ed1..791ec5e7 100644
+index 99e4208..b596f9e 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -63,20 +63,24 @@
@@ -67,7 +68,7 @@ index 77cf6ed1..791ec5e7 100644
;
/* This function could be modified to pass starting sample offset
-@@ -2121,6 +2131,15 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
+@@ -2123,6 +2133,15 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
/*NOTREACHED*/
}
}
@@ -83,7 +84,7 @@ index 77cf6ed1..791ec5e7 100644
} /* end process_command_opts */
/* Start a new output file if one has not been previously opened or
-@@ -2746,7 +2765,7 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -2748,7 +2767,7 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols,
tsample_t count, uint32_t start, uint32_t end)
{
int i, bytes_per_sample, sindex;
@@ -92,7 +93,7 @@ index 77cf6ed1..791ec5e7 100644
uint32_t src_byte /*, src_bit */;
uint8_t *src = in;
uint8_t *dst = out;
-@@ -2757,6 +2776,10 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -2759,6 +2778,10 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols,
return (1);
}
@@ -103,7 +104,7 @@ index 77cf6ed1..791ec5e7 100644
if ((start > end) || (start > cols))
{
TIFFError ("extractContigSamplesBytes",
-@@ -2769,6 +2792,9 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -2771,6 +2794,9 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols,
"Invalid end column value %"PRIu32" ignored", end);
end = cols;
}
@@ -113,7 +114,7 @@ index 77cf6ed1..791ec5e7 100644
dst_rowsize = (bps * (end - start) * count) / 8;
-@@ -2812,7 +2838,7 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -2814,7 +2840,7 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols,
tsample_t count, uint32_t start, uint32_t end)
{
int ready_bits = 0, sindex = 0;
@@ -122,7 +123,7 @@ index 77cf6ed1..791ec5e7 100644
uint8_t maskbits = 0, matchbits = 0;
uint8_t buff1 = 0, buff2 = 0;
uint8_t *src = in;
-@@ -2824,6 +2850,10 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -2826,6 +2852,10 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols,
return (1);
}
@@ -133,7 +134,7 @@ index 77cf6ed1..791ec5e7 100644
if ((start > end) || (start > cols))
{
TIFFError ("extractContigSamples8bits",
-@@ -2836,7 +2866,10 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -2838,7 +2868,10 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols,
"Invalid end column value %"PRIu32" ignored", end);
end = cols;
}
@@ -145,7 +146,7 @@ index 77cf6ed1..791ec5e7 100644
ready_bits = 0;
maskbits = (uint8_t)-1 >> (8 - bps);
buff1 = buff2 = 0;
-@@ -2889,7 +2922,7 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -2891,7 +2924,7 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols,
tsample_t count, uint32_t start, uint32_t end)
{
int ready_bits = 0, sindex = 0;
@@ -154,7 +155,7 @@ index 77cf6ed1..791ec5e7 100644
uint16_t maskbits = 0, matchbits = 0;
uint16_t buff1 = 0, buff2 = 0;
uint8_t bytebuff = 0;
-@@ -2902,6 +2935,10 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -2904,6 +2937,10 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols,
return (1);
}
@@ -165,7 +166,7 @@ index 77cf6ed1..791ec5e7 100644
if ((start > end) || (start > cols))
{
TIFFError ("extractContigSamples16bits",
-@@ -2914,6 +2951,9 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -2916,6 +2953,9 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols,
"Invalid end column value %"PRIu32" ignored", end);
end = cols;
}
@@ -175,7 +176,7 @@ index 77cf6ed1..791ec5e7 100644
ready_bits = 0;
maskbits = (uint16_t)-1 >> (16 - bps);
-@@ -2978,7 +3018,7 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -2980,7 +3020,7 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols,
tsample_t count, uint32_t start, uint32_t end)
{
int ready_bits = 0, sindex = 0;
@@ -184,7 +185,7 @@ index 77cf6ed1..791ec5e7 100644
uint32_t maskbits = 0, matchbits = 0;
uint32_t buff1 = 0, buff2 = 0;
uint8_t bytebuff1 = 0, bytebuff2 = 0;
-@@ -2991,6 +3031,10 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -2993,6 +3033,10 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols,
return (1);
}
@@ -195,7 +196,7 @@ index 77cf6ed1..791ec5e7 100644
if ((start > end) || (start > cols))
{
TIFFError ("extractContigSamples24bits",
-@@ -3003,6 +3047,9 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -3005,6 +3049,9 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols,
"Invalid end column value %"PRIu32" ignored", end);
end = cols;
}
@@ -205,7 +206,7 @@ index 77cf6ed1..791ec5e7 100644
ready_bits = 0;
maskbits = (uint32_t)-1 >> (32 - bps);
-@@ -3087,7 +3134,7 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -3089,7 +3136,7 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
tsample_t count, uint32_t start, uint32_t end)
{
int ready_bits = 0, sindex = 0 /*, shift_width = 0 */;
@@ -214,7 +215,7 @@ index 77cf6ed1..791ec5e7 100644
uint32_t longbuff1 = 0, longbuff2 = 0;
uint64_t maskbits = 0, matchbits = 0;
uint64_t buff1 = 0, buff2 = 0, buff3 = 0;
-@@ -3102,6 +3149,10 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -3104,6 +3151,10 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
}
@@ -225,7 +226,7 @@ index 77cf6ed1..791ec5e7 100644
if ((start > end) || (start > cols))
{
TIFFError ("extractContigSamples32bits",
-@@ -3114,6 +3165,9 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -3116,6 +3167,9 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
"Invalid end column value %"PRIu32" ignored", end);
end = cols;
}
@@ -235,7 +236,7 @@ index 77cf6ed1..791ec5e7 100644
/* shift_width = ((bps + 7) / 8) + 1; */
ready_bits = 0;
-@@ -3193,7 +3247,7 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -3195,7 +3249,7 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols,
int shift)
{
int ready_bits = 0, sindex = 0;
@@ -244,7 +245,7 @@ index 77cf6ed1..791ec5e7 100644
uint8_t maskbits = 0, matchbits = 0;
uint8_t buff1 = 0, buff2 = 0;
uint8_t *src = in;
-@@ -3205,6 +3259,10 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -3207,6 +3261,10 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols,
return (1);
}
@@ -255,7 +256,7 @@ index 77cf6ed1..791ec5e7 100644
if ((start > end) || (start > cols))
{
TIFFError ("extractContigSamplesShifted8bits",
-@@ -3217,6 +3275,9 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -3219,6 +3277,9 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols,
"Invalid end column value %"PRIu32" ignored", end);
end = cols;
}
@@ -265,7 +266,7 @@ index 77cf6ed1..791ec5e7 100644
ready_bits = shift;
maskbits = (uint8_t)-1 >> (8 - bps);
-@@ -3273,7 +3334,7 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -3275,7 +3336,7 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols,
int shift)
{
int ready_bits = 0, sindex = 0;
@@ -274,7 +275,7 @@ index 77cf6ed1..791ec5e7 100644
uint16_t maskbits = 0, matchbits = 0;
uint16_t buff1 = 0, buff2 = 0;
uint8_t bytebuff = 0;
-@@ -3286,6 +3347,10 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -3288,6 +3349,10 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols,
return (1);
}
@@ -285,7 +286,7 @@ index 77cf6ed1..791ec5e7 100644
if ((start > end) || (start > cols))
{
TIFFError ("extractContigSamplesShifted16bits",
-@@ -3298,6 +3363,9 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -3300,6 +3365,9 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols,
"Invalid end column value %"PRIu32" ignored", end);
end = cols;
}
@@ -295,7 +296,7 @@ index 77cf6ed1..791ec5e7 100644
ready_bits = shift;
maskbits = (uint16_t)-1 >> (16 - bps);
-@@ -3363,7 +3431,7 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -3365,7 +3433,7 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols,
int shift)
{
int ready_bits = 0, sindex = 0;
@@ -304,7 +305,7 @@ index 77cf6ed1..791ec5e7 100644
uint32_t maskbits = 0, matchbits = 0;
uint32_t buff1 = 0, buff2 = 0;
uint8_t bytebuff1 = 0, bytebuff2 = 0;
-@@ -3376,6 +3444,16 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -3378,6 +3446,16 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols,
return (1);
}
@@ -321,7 +322,7 @@ index 77cf6ed1..791ec5e7 100644
if ((start > end) || (start > cols))
{
TIFFError ("extractContigSamplesShifted24bits",
-@@ -3388,6 +3466,9 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -3390,6 +3468,9 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols,
"Invalid end column value %"PRIu32" ignored", end);
end = cols;
}
@@ -331,7 +332,7 @@ index 77cf6ed1..791ec5e7 100644
ready_bits = shift;
maskbits = (uint32_t)-1 >> (32 - bps);
-@@ -3449,7 +3530,7 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -3451,7 +3532,7 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols,
buff2 = (buff2 << 8);
bytebuff2 = bytebuff1;
ready_bits -= 8;
@@ -340,7 +341,7 @@ index 77cf6ed1..791ec5e7 100644
return (0);
} /* end extractContigSamplesShifted24bits */
-@@ -3461,7 +3542,7 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -3463,7 +3544,7 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
int shift)
{
int ready_bits = 0, sindex = 0 /*, shift_width = 0 */;
@@ -349,7 +350,7 @@ index 77cf6ed1..791ec5e7 100644
uint32_t longbuff1 = 0, longbuff2 = 0;
uint64_t maskbits = 0, matchbits = 0;
uint64_t buff1 = 0, buff2 = 0, buff3 = 0;
-@@ -3476,6 +3557,10 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -3478,6 +3559,10 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
}
@@ -360,7 +361,7 @@ index 77cf6ed1..791ec5e7 100644
if ((start > end) || (start > cols))
{
TIFFError ("extractContigSamplesShifted32bits",
-@@ -3488,6 +3573,9 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
+@@ -3490,6 +3575,9 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
"Invalid end column value %"PRIu32" ignored", end);
end = cols;
}
@@ -370,7 +371,7 @@ index 77cf6ed1..791ec5e7 100644
/* shift_width = ((bps + 7) / 8) + 1; */
ready_bits = shift;
-@@ -5429,7 +5517,7 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+@@ -5431,7 +5519,7 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
{
struct offset offsets;
int i;
@@ -379,7 +380,7 @@ index 77cf6ed1..791ec5e7 100644
uint32_t seg, total, need_buff = 0;
uint32_t buffsize;
uint32_t zwidth, zlength;
-@@ -5510,8 +5598,13 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+@@ -5512,8 +5600,13 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
seg = crop->zonelist[j].position;
total = crop->zonelist[j].total;
@@ -394,7 +395,7 @@ index 77cf6ed1..791ec5e7 100644
continue;
}
-@@ -5524,17 +5617,23 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+@@ -5526,17 +5619,23 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
crop->regionlist[i].x1 = offsets.startx +
(uint32_t)(offsets.crop_width * 1.0 * (seg - 1) / total);
@@ -428,7 +429,7 @@ index 77cf6ed1..791ec5e7 100644
zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
/* This is passed to extractCropZone or extractCompositeZones */
-@@ -5549,22 +5648,27 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+@@ -5551,22 +5650,27 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
crop->regionlist[i].x1 = offsets.startx;
crop->regionlist[i].x2 = offsets.endx;
@@ -471,7 +472,7 @@ index 77cf6ed1..791ec5e7 100644
zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
/* This is passed to extractCropZone or extractCompositeZones */
-@@ -5575,32 +5679,42 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+@@ -5577,32 +5681,42 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
crop->combined_width = (uint32_t)zwidth;
break;
case EDGE_RIGHT: /* zones from right to left, length from top */
@@ -539,7 +540,7 @@ index 77cf6ed1..791ec5e7 100644
case EDGE_TOP: /* width from left, zones from top to bottom */
default:
zwidth = offsets.crop_width;
-@@ -5608,6 +5722,14 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+@@ -5610,6 +5724,14 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
crop->regionlist[i].x2 = offsets.endx;
crop->regionlist[i].y1 = offsets.starty + (uint32_t)(offsets.crop_length * 1.0 * (seg - 1) / total);
@@ -554,7 +555,7 @@ index 77cf6ed1..791ec5e7 100644
test = offsets.starty + (uint32_t)(offsets.crop_length * 1.0 * seg / total);
if (test < 1 )
crop->regionlist[i].y2 = 0;
-@@ -5618,6 +5740,18 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+@@ -5620,6 +5742,18 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
else
crop->regionlist[i].y2 = test - 1;
}
@@ -573,7 +574,7 @@ index 77cf6ed1..791ec5e7 100644
zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
/* This is passed to extractCropZone or extractCompositeZones */
-@@ -7551,7 +7685,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+@@ -7543,7 +7677,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
total_width = total_length = 0;
for (i = 0; i < crop->selections; i++)
{
@@ -583,7 +584,7 @@ index 77cf6ed1..791ec5e7 100644
crop_buff = seg_buffs[i].buffer;
if (!crop_buff)
crop_buff = (unsigned char *)limitMalloc(cropsize);
-@@ -7640,6 +7775,9 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+@@ -7632,6 +7767,9 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
@@ -593,7 +594,7 @@ index 77cf6ed1..791ec5e7 100644
if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
&crop->regionlist[i].length, &crop_buff))
{
-@@ -7655,8 +7793,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+@@ -7647,8 +7785,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
* image->spp) * crop->regionlist[i].length;
}
@@ -604,6 +605,3 @@ index 77cf6ed1..791ec5e7 100644
return (0);
} /* end processCropSelections */
---
-2.33.0
-
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch
index 72776f09ba..e79964de55 100644
--- a/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch
@@ -1,11 +1,12 @@
+From bc71e64b6f4477ed69064802b1252bab904a89b4 Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 25 Jan 2022 16:25:28 +0000
+Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
+
CVE: CVE-2022-22844
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@arm.com>
-From b12a0326e6064b6e0b051d1184a219877472f69b Mon Sep 17 00:00:00 2001
-From: 4ugustus <wangdw.augustus@qq.com>
-Date: Tue, 25 Jan 2022 16:25:28 +0000
-Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
count is required (fixes #355)
---
@@ -13,7 +14,7 @@ Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/tools/tiffset.c b/tools/tiffset.c
-index 8c9e23c5..e7a88c09 100644
+index 8c9e23c..e7a88c0 100644
--- a/tools/tiffset.c
+++ b/tools/tiffset.c
@@ -146,9 +146,19 @@ main(int argc, char* argv[])
@@ -39,5 +40,3 @@ index 8c9e23c5..e7a88c09 100644
} else if (TIFFFieldWriteCount(fip) > 0
|| TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
int ret = 1;
---
-2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch b/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
index 812ffb232d..2becf53806 100644
--- a/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch
@@ -1,12 +1,13 @@
+From 9b2645d830b4ad004824cf28d81f3b974faf0037 Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Tue, 8 Mar 2022 17:02:44 +0000
+Subject: [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in
+
CVE: CVE-2022-0891
CVE: CVE-2022-1056
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@arm.com>
-From e46b49e60fddb2e924302fb1751f79eb9cfb2253 Mon Sep 17 00:00:00 2001
-From: Su Laus <sulau@freenet.de>
-Date: Tue, 8 Mar 2022 17:02:44 +0000
-Subject: [PATCH 2/6] tiffcrop: fix issue #380 and #382 heap buffer overflow in
extractImageSection
---
@@ -14,7 +15,7 @@ Subject: [PATCH 2/6] tiffcrop: fix issue #380 and #382 heap buffer overflow in
1 file changed, 36 insertions(+), 56 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index b85c2ce7..302a7e91 100644
+index b85c2ce..302a7e9 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -105,8 +105,8 @@
@@ -214,6 +215,3 @@ index b85c2ce7..302a7e91 100644
/* allocate a buffer if we don't have one already */
if (createImageSection(sectsize, sect_buff_ptr))
{
---
-2.25.1
-
diff --git a/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch b/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch
index a0b856b9e1..b48a3df1a9 100644
--- a/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch
@@ -1,18 +1,18 @@
+From b4743cc69d2f506e1f1c4db9adc8e58d75805e4d Mon Sep 17 00:00:00 2001
+From: Augustus <wangdw.augustus@qq.com>
+Date: Mon, 7 Mar 2022 18:21:49 +0800
+Subject: [PATCH] add checks for return value of limitMalloc (#392)
+
CVE: CVE-2022-0907
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@arm.com>
-From a139191cc86f4dc44c74a0f22928e0fb38ed2485 Mon Sep 17 00:00:00 2001
-From: Augustus <wangdw.augustus@qq.com>
-Date: Mon, 7 Mar 2022 18:21:49 +0800
-Subject: [PATCH 3/6] add checks for return value of limitMalloc (#392)
-
---
tools/tiffcrop.c | 33 +++++++++++++++++++++------------
1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 302a7e91..e407bf51 100644
+index 302a7e9..e407bf5 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
@@ -88,6 +88,3 @@ index 302a7e91..e407bf51 100644
* End:
*/
+
---
-2.25.1
-
diff --git a/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch b/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch
index 719dabaecc..6f2df44bd5 100644
--- a/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch
@@ -1,11 +1,12 @@
+From 0343619094bfc7b8e23814f672411b008db2aa66 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 17 Feb 2022 15:28:43 +0100
+Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null
+
CVE: CVE-2022-0908
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@arm.com>
-From ef5a0bf271823df168642444d051528a68205cb0 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Thu, 17 Feb 2022 15:28:43 +0100
-Subject: [PATCH 4/6] TIFFFetchNormalTag(): avoid calling memcpy() with a null
source pointer and size of zero (fixes #383)
---
@@ -13,10 +14,10 @@ Subject: [PATCH 4/6] TIFFFetchNormalTag(): avoid calling memcpy() with a null
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index d84147a0..4e8ce729 100644
+index d654a1c..a31109a 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
-@@ -5079,7 +5079,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
+@@ -5080,7 +5080,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
_TIFFfree(data);
return(0);
}
@@ -28,6 +29,3 @@ index d84147a0..4e8ce729 100644
o[(uint32_t)dp->tdir_count]=0;
if (data!=0)
_TIFFfree(data);
---
-2.25.1
-
diff --git a/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch b/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch
index 64dbe9ef92..21dc552036 100644
--- a/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch
@@ -1,18 +1,18 @@
+From e56d66a033b533f26872a20cb2052473962a0f2e Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 8 Mar 2022 16:22:04 +0000
+Subject: [PATCH] fix the FPE in tiffcrop (#393)
+
CVE: CVE-2022-0909
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@arm.com>
-From 4768355a074d562177e0a8b551c561d1af7eb74a Mon Sep 17 00:00:00 2001
-From: 4ugustus <wangdw.augustus@qq.com>
-Date: Tue, 8 Mar 2022 16:22:04 +0000
-Subject: [PATCH 5/6] fix the FPE in tiffcrop (#393)
-
---
libtiff/tif_dir.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
-index a6c254fc..77da6ea4 100644
+index a6c254f..77da6ea 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
@@ -31,6 +31,3 @@ index a6c254fc..77da6ea4 100644
goto badvaluedouble;
td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
break;
---
-2.25.1
-
diff --git a/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch b/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch
index afd5e59960..337b84d992 100644
--- a/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch
@@ -1,18 +1,18 @@
+From 2dd282a54e5fccf9b501973e6da5f83ebde8e980 Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Thu, 10 Mar 2022 08:48:00 +0000
+Subject: [PATCH] fix heap buffer overflow in tiffcp (#278)
+
CVE: CVE-2022-0924
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@arm.com>
-From 1074b9691322b1e3671cd8ea0b6b3509d08978fb Mon Sep 17 00:00:00 2001
-From: 4ugustus <wangdw.augustus@qq.com>
-Date: Thu, 10 Mar 2022 08:48:00 +0000
-Subject: [PATCH 6/6] fix heap buffer overflow in tiffcp (#278)
-
---
tools/tiffcp.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
-index 1f889516..552d8fad 100644
+index 1f88951..552d8fa 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
@@ -52,6 +52,3 @@ index 1f889516..552d8fad 100644
if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
TIFFError(TIFFFileName(out),
"Error, can't write strip %"PRIu32,
---
-2.25.1
-
diff --git a/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch b/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
index 0b41dde606..e5b34fd258 100644
--- a/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
@@ -1,4 +1,4 @@
-From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
+From 7b91458541769f3d7eddc55a39d01730af2489fc Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 5 Feb 2022 20:36:41 +0100
Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
@@ -12,10 +12,10 @@ CVE: CVE-2022-0562
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index 2bbc4585..23194ced 100644
+index d84147a..ae52ad4 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
-@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif)
+@@ -4173,7 +4173,8 @@ TIFFReadDirectory(TIFF* tif)
goto bad;
}
@@ -25,6 +25,3 @@ index 2bbc4585..23194ced 100644
_TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
_TIFFfree(new_sampleinfo);
}
---
-GitLab
-
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
index 71b85cac10..989ccbfa50 100644
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
@@ -1,4 +1,4 @@
-From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001
+From 281fa3cf0e0e8a44b93478c63d90dbfb64359e88 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 5 Dec 2021 14:37:46 +0100
Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319)
@@ -16,12 +16,13 @@ Upstream-Status: Backport
[https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+
---
libtiff/tif_dirread.c | 162 ++++++++++++++++++++++--------------------
1 file changed, 83 insertions(+), 79 deletions(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index 8f434ef5..14c031d1 100644
+index a31109a..d7cccbe 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -3794,50 +3794,7 @@ TIFFReadDirectory(TIFF* tif)
@@ -207,6 +208,3 @@ index 8f434ef5..14c031d1 100644
/*
* Make sure all non-color channels are extrasamples.
* If it's not the case, define them as such.
---
-2.25.1
-
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
index e59f5aad55..19ce68dfbc 100644
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
@@ -1,4 +1,4 @@
-From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001
+From 19d775e058bf6bb0b0e9c56f406b775f9e725355 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sat, 2 Apr 2022 22:33:31 +0200
Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)
@@ -9,12 +9,13 @@ Upstream-Status: Backport
[https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+
---
tools/tiffcp.c | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
-index fd129bb7..8d944ff6 100644
+index 552d8fa..57eef90 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -274,19 +274,34 @@ main(int argc, char* argv[])
@@ -57,6 +58,3 @@ index fd129bb7..8d944ff6 100644
break;
case 'x':
pageInSeq = 1;
---
-2.25.1
-
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch
index ae33a3b4e7..73905acb17 100644
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch
@@ -1,4 +1,4 @@
-From 6ad097dac1d4908705f5a9d43dea76b7f2de89eb Mon Sep 17 00:00:00 2001
+From cca32f0d4f3dd2bd73d044bd6991ab3c764fc718 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sun, 6 Feb 2022 17:53:53 +0100
Subject: [PATCH] tiffcrop.c: This update fixes also issues #350 and #351.
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch
index 9a23e23fed..bda3427c0f 100644
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch
@@ -1,4 +1,4 @@
-From 0ec36342df880f5ad41576cb1b03061b8697dabd Mon Sep 17 00:00:00 2001
+From b4cf40182c865db554c6e67034afa6ea12c5554d Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sun, 6 Feb 2022 10:53:45 +0100
Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
index 3a3a915688..92906521b0 100644
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
@@ -1,16 +1,18 @@
+From 05ef5e05a0b8d18ab075e09b1ea349acc0035e67 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Mon, 15 Aug 2022 22:11:03 +0200
+Subject: [PATCH] tiffcrop: disable incompatibility of -S
+
CVE: CVE-2022-2953
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
-From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00 2001
-From: Su_Laus <sulau@freenet.de>
-Date: Mon, 15 Aug 2022 22:11:03 +0200
-Subject: [PATCH] =?UTF-8?q?According=20to=20Richard=20Nolde=20https://gitl?=
- =?UTF-8?q?ab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the=20ti?=
- =?UTF-8?q?ffcrop=20option=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutually?=
- =?UTF-8?q?=20exclusive=20to=20the=20other=20crop=20options=20(-X|-Y),=20-?=
- =?UTF-8?q?Z=20and=20-z.?=
+According to Richard Nolde
+https://gitlab.com/libtiff/libtiff/-/issues/401#note_877637400 the
+tiffcrop option "-S" is also mutually exclusive to the other crop
+options (-X|-Y), -Z and -z.
+
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -18,12 +20,13 @@ Content-Transfer-Encoding: 8bit
This is now checked and ends tiffcrop if those arguments are not mutually exclusive.
This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424
+
---
- tools/tiffcrop.c | 31 ++++++++++++++++---------------
- 1 file changed, 16 insertions(+), 15 deletions(-)
+ tools/tiffcrop.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 90286a5e..c3b758ec 100644
+index b596f9e..8af85c9 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022";
@@ -63,7 +66,7 @@ index 90286a5e..c3b758ec 100644
" In no case should the options be applied to a given selection successively.\n"
"\n"
;
-@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
+@@ -2133,13 +2133,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
/*NOTREACHED*/
}
}
@@ -82,6 +85,3 @@ index 90286a5e..c3b758ec 100644
exit(EXIT_FAILURE);
}
} /* end process_command_opts */
---
-2.34.1
-
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-34526.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-34526.patch
index 48ca56982f..f3f8121735 100644
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-34526.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-34526.patch
@@ -1,4 +1,4 @@
-From 3fc1fdda0068981340cc7ae136173731275e2c5e Mon Sep 17 00:00:00 2001
+From 786a8b6fd1384c6e20c17729822d1f61ed569320 Mon Sep 17 00:00:00 2001
From: Hitendra Prajapati <hprajapati@mvista.com>
Date: Thu, 18 Aug 2022 10:46:30 +0530
Subject: [PATCH] CVE-2022-34526
@@ -6,6 +6,7 @@ Subject: [PATCH] CVE-2022-34526
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/275735d0354e39c0ac1dc3c0db2120d6f31d1990]
CVE: CVE-2022-34526
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
---
libtiff/tif_dirinfo.c | 3 +++
1 file changed, 3 insertions(+)
@@ -24,6 +25,3 @@ index 8565dfb..0f722a5 100644
/* Check if codec specific tags are allowed for the current
* compression scheme (codec) */
switch (tif->tif_dir.td_compression) {
---
-2.25.1
-
diff --git a/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch b/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch
index 1fa6a11104..272dd3d713 100644
--- a/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch
@@ -1,4 +1,4 @@
-From 740111312ca6ae718f233d914662a9969e6820ee Mon Sep 17 00:00:00 2001
+From fb89eab3ed46bbb0276bdee05b570455f6a27d2f Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sun, 6 Feb 2022 19:52:17 +0100
Subject: [PATCH] Move the crop_width and crop_length computation after the
diff --git a/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
index 74f9649fdf..5a84491711 100644
--- a/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
@@ -1,4 +1,4 @@
-From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
+From 895867b72bd6c46da79de1a07d0993cd104e92cd Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 6 Feb 2022 13:08:38 +0100
Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
@@ -12,10 +12,10 @@ CVE: CVE-2022-0561
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index 23194ced..50ebf8ac 100644
+index ae52ad4..d654a1c 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
-@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l
+@@ -5766,8 +5766,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l
_TIFFfree(data);
return(0);
}
@@ -27,6 +27,3 @@ index 23194ced..50ebf8ac 100644
_TIFFfree(data);
data=resizeddata;
}
---
-GitLab
-
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 03/23] tiff: fix a number of CVEs
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
2022-12-01 14:26 ` [OE-core][kirkstone 01/23] grub2: backport patch to fix CVE-2022-2601 CVE-2022-3775 Steve Sakoman
2022-12-01 14:26 ` [OE-core][kirkstone 02/23] tiff: refresh with devtool Steve Sakoman
@ 2022-12-01 14:26 ` Steve Sakoman
2022-12-01 14:26 ` [OE-core][kirkstone 04/23] tiff: Security fix for CVE-2022-3970 Steve Sakoman
` (19 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:26 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@arm.com>
Backport fixes from upstream for the following CVEs:
- CVE-2022-3599
- CVE-2022-3597
- CVE-2022-3626
- CVE-2022-3627
- CVE-2022-3570
- CVE-2022-3598
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...-of-TIFFTAG_INKNAMES-and-related-TIF.patch | 266 ++++++++
...fcrop-S-option-Make-decision-simpler.patch | 36 +
...-incompatibility-of-Z-X-Y-z-options-.patch | 59 ++
...ines-require-a-larger-buffer-fixes-2.patch | 640 ++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 5 +-
5 files changed, 1005 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-S-option-Make-decision-simpler.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch b/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch
new file mode 100644
index 0000000000..37859c9192
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch
@@ -0,0 +1,266 @@
+From f00484b9519df933723deb38fff943dc291a793d Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Tue, 30 Aug 2022 16:56:48 +0200
+Subject: [PATCH] Revised handling of TIFFTAG_INKNAMES and related
+ TIFFTAG_NUMBEROFINKS value
+
+In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed:
+
+Behaviour for writing:
+ `NumberOfInks` MUST fit to the number of inks in the `InkNames` string.
+ `NumberOfInks` is automatically set when `InkNames` is set.
+ If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
+ If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
+
+Behaviour for reading:
+ When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string.
+ If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
+ If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
+
+This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow
+
+This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456.
+
+It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue.
+
+CVE: CVE-2022-3599
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ libtiff/tif_dir.c | 119 ++++++++++++++++++++++++-----------------
+ libtiff/tif_dir.h | 2 +
+ libtiff/tif_dirinfo.c | 2 +-
+ libtiff/tif_dirwrite.c | 5 ++
+ libtiff/tif_print.c | 4 ++
+ 5 files changed, 82 insertions(+), 50 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 793e8a79..816f7756 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -136,32 +136,30 @@ setExtraSamples(TIFF* tif, va_list ap, uint32_t* v)
+ }
+
+ /*
+- * Confirm we have "samplesperpixel" ink names separated by \0. Returns
++ * Count ink names separated by \0. Returns
+ * zero if the ink names are not as expected.
+ */
+-static uint32_t
+-checkInkNamesString(TIFF* tif, uint32_t slen, const char* s)
++static uint16_t
++countInkNamesString(TIFF *tif, uint32_t slen, const char *s)
+ {
+- TIFFDirectory* td = &tif->tif_dir;
+- uint16_t i = td->td_samplesperpixel;
++ uint16_t i = 0;
++ const char *ep = s + slen;
++ const char *cp = s;
+
+ if (slen > 0) {
+- const char* ep = s+slen;
+- const char* cp = s;
+- for (; i > 0; i--) {
++ do {
+ for (; cp < ep && *cp != '\0'; cp++) {}
+ if (cp >= ep)
+ goto bad;
+ cp++; /* skip \0 */
+- }
+- return ((uint32_t)(cp - s));
++ i++;
++ } while (cp < ep);
++ return (i);
+ }
+ bad:
+ TIFFErrorExt(tif->tif_clientdata, "TIFFSetField",
+- "%s: Invalid InkNames value; expecting %"PRIu16" names, found %"PRIu16,
+- tif->tif_name,
+- td->td_samplesperpixel,
+- (uint16_t)(td->td_samplesperpixel-i));
++ "%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16" ink",
++ tif->tif_name, slen, i);
+ return (0);
+ }
+
+@@ -478,13 +476,61 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
+ _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6);
+ break;
+ case TIFFTAG_INKNAMES:
+- v = (uint16_t) va_arg(ap, uint16_vap);
+- s = va_arg(ap, char*);
+- v = checkInkNamesString(tif, v, s);
+- status = v > 0;
+- if( v > 0 ) {
+- _TIFFsetNString(&td->td_inknames, s, v);
+- td->td_inknameslen = v;
++ {
++ v = (uint16_t) va_arg(ap, uint16_vap);
++ s = va_arg(ap, char*);
++ uint16_t ninksinstring;
++ ninksinstring = countInkNamesString(tif, v, s);
++ status = ninksinstring > 0;
++ if(ninksinstring > 0 ) {
++ _TIFFsetNString(&td->td_inknames, s, v);
++ td->td_inknameslen = v;
++ /* Set NumberOfInks to the value ninksinstring */
++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
++ {
++ if (td->td_numberofinks != ninksinstring) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"",
++ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring);
++ td->td_numberofinks = ninksinstring;
++ }
++ } else {
++ td->td_numberofinks = ninksinstring;
++ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS);
++ }
++ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
++ {
++ if (td->td_numberofinks != td->td_samplesperpixel) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
++ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel);
++ }
++ }
++ }
++ }
++ break;
++ case TIFFTAG_NUMBEROFINKS:
++ v = (uint16_t)va_arg(ap, uint16_vap);
++ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */
++ if (TIFFFieldSet(tif, FIELD_INKNAMES))
++ {
++ if (v != td->td_numberofinks) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Error %s; Tag %s:\n It is not possible to set the value %"PRIu32" for NumberOfInks\n which is different from the number of inks in the InkNames tag (%"PRIu16")",
++ tif->tif_name, fip->field_name, v, td->td_numberofinks);
++ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */
++ status = 0;
++ }
++ } else {
++ td->td_numberofinks = (uint16_t)v;
++ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
++ {
++ if (td->td_numberofinks != td->td_samplesperpixel) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Warning %s; Tag %s:\n Value %"PRIu32" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
++ tif->tif_name, fip->field_name, v, td->td_samplesperpixel);
++ }
++ }
+ }
+ break;
+ case TIFFTAG_PERSAMPLE:
+@@ -986,34 +1032,6 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap)
+ if (fip->field_bit == FIELD_CUSTOM) {
+ standard_tag = 0;
+ }
+-
+- if( standard_tag == TIFFTAG_NUMBEROFINKS )
+- {
+- int i;
+- for (i = 0; i < td->td_customValueCount; i++) {
+- uint16_t val;
+- TIFFTagValue *tv = td->td_customValues + i;
+- if (tv->info->field_tag != standard_tag)
+- continue;
+- if( tv->value == NULL )
+- return 0;
+- val = *(uint16_t *)tv->value;
+- /* Truncate to SamplesPerPixel, since the */
+- /* setting code for INKNAMES assume that there are SamplesPerPixel */
+- /* inknames. */
+- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
+- if( val > td->td_samplesperpixel )
+- {
+- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
+- "Truncating NumberOfInks from %u to %"PRIu16,
+- val, td->td_samplesperpixel);
+- val = td->td_samplesperpixel;
+- }
+- *va_arg(ap, uint16_t*) = val;
+- return 1;
+- }
+- return 0;
+- }
+
+ switch (standard_tag) {
+ case TIFFTAG_SUBFILETYPE:
+@@ -1195,6 +1213,9 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap)
+ case TIFFTAG_INKNAMES:
+ *va_arg(ap, const char**) = td->td_inknames;
+ break;
++ case TIFFTAG_NUMBEROFINKS:
++ *va_arg(ap, uint16_t *) = td->td_numberofinks;
++ break;
+ default:
+ {
+ int i;
+diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
+index 09065648..0c251c9e 100644
+--- a/libtiff/tif_dir.h
++++ b/libtiff/tif_dir.h
+@@ -117,6 +117,7 @@ typedef struct {
+ /* CMYK parameters */
+ int td_inknameslen;
+ char* td_inknames;
++ uint16_t td_numberofinks; /* number of inks in InkNames string */
+
+ int td_customValueCount;
+ TIFFTagValue *td_customValues;
+@@ -174,6 +175,7 @@ typedef struct {
+ #define FIELD_TRANSFERFUNCTION 44
+ #define FIELD_INKNAMES 46
+ #define FIELD_SUBIFD 49
++#define FIELD_NUMBEROFINKS 50
+ /* FIELD_CUSTOM (see tiffio.h) 65 */
+ /* end of support for well-known tags; codec-private tags follow */
+ #define FIELD_CODEC 66 /* base of codec-private tags */
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index 3371cb5c..3b4bcd33 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -114,7 +114,7 @@ tiffFields[] = {
+ { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray },
+ { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
+ { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
+- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL },
++ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL },
+ { TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL },
+ { TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL },
+ { TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL },
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index 6c86fdca..062e4610 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -626,6 +626,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64_t* pdiroff)
+ if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames))
+ goto bad;
+ }
++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
++ {
++ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks))
++ goto bad;
++ }
+ if (TIFFFieldSet(tif,FIELD_SUBIFD))
+ {
+ if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir))
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
+index 16ce5780..a91b9e7b 100644
+--- a/libtiff/tif_print.c
++++ b/libtiff/tif_print.c
+@@ -397,6 +397,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
+ }
+ fputs("\n", fd);
+ }
++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) {
++ fprintf(fd, " NumberOfInks: %d\n",
++ td->td_numberofinks);
++ }
+ if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) {
+ fprintf(fd, " Thresholding: ");
+ switch (td->td_threshholding) {
+--
+2.34.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-S-option-Make-decision-simpler.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-S-option-Make-decision-simpler.patch
new file mode 100644
index 0000000000..79b4ff3f6e
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-S-option-Make-decision-simpler.patch
@@ -0,0 +1,36 @@
+From bad48e90b410df32172006c7876da449ba62cdba Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sat, 20 Aug 2022 23:35:26 +0200
+Subject: [PATCH] tiffcrop -S option: Make decision simpler.
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+---
+ tools/tiffcrop.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index c3b758ec..8fd856dc 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -2133,11 +2133,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
+ }
+ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
+ char XY, Z, R, S;
+- XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
+- Z = (crop_data->crop_mode & CROP_ZONES);
+- R = (crop_data->crop_mode & CROP_REGIONS);
+- S = (page->mode & PAGE_MODE_ROWSCOLS);
+- if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
++ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0;
++ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0;
++ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
++ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
++ if (XY + Z + R + S > 1) {
+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
+ exit(EXIT_FAILURE);
+ }
+--
+2.34.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch
new file mode 100644
index 0000000000..6a62787648
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch
@@ -0,0 +1,59 @@
+From 4746f16253b784287bc8a5003990c1c3b9a03a62 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Thu, 25 Aug 2022 16:11:41 +0200
+Subject: [PATCH] tiffcrop: disable incompatibility of -Z, -X, -Y, -z options
+ with any PAGE_MODE_x option (fixes #411 and #413)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+tiffcrop does not support –Z, -z, -X and –Y options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or –S.
+
+Code analysis:
+
+With the options –Z, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[].
+In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) .
+
+Execution of the else-clause often leads to buffer-overflows.
+
+Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows.
+
+The MR solves issues #411 and #413.
+
+CVE: CVE-2022-3597 CVE-2022-3626 CVE-2022-3627
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ doc/tools/tiffcrop.rst | 8 ++++++++
+ tools/tiffcrop.c | 32 +++++++++++++++++++++++++-------
+ 2 files changed, 33 insertions(+), 7 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 8fd856dc..41a2ea36 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -2138,9 +2143,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
+ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
+ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
+ if (XY + Z + R + S > 1) {
+- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit");
+ exit(EXIT_FAILURE);
+ }
++
++ /* Check for not allowed combination:
++ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
++ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
++. */
++ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) {
++ TIFFError("tiffcrop input error",
++ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit");
++ exit(EXIT_FAILURE);
++ }
++
+ } /* end process_command_opts */
+
+ /* Start a new output file if one has not been previously opened or
+--
+2.34.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch
new file mode 100644
index 0000000000..e10e37ccc9
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch
@@ -0,0 +1,640 @@
+From 1e000b3484808f1ee7a68bd276220d1cd82dec73 Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Thu, 13 Oct 2022 14:33:27 +0000
+Subject: [PATCH] tiffcrop subroutines require a larger buffer (fixes #271,
+ #381, #386, #388, #389, #435)
+
+CVE: CVE-2022-3570 CVE-2022-3598
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ tools/tiffcrop.c | 203 ++++++++++++++++++++++++++---------------------
+ 1 file changed, 114 insertions(+), 89 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index f96c7d60..adf0f849 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -210,6 +210,10 @@ static char tiffcrop_rev_date[] = "02-09-2022";
+
+ #define TIFF_DIR_MAX 65534
+
++/* Some conversion subroutines require image buffers, which are at least 3 bytes
++ * larger than the necessary size for the image itself. */
++#define NUM_BUFF_OVERSIZE_BYTES 3
++
+ /* Offsets into buffer for margins and fixed width and length segments */
+ struct offset {
+ uint32_t tmargin;
+@@ -231,7 +235,7 @@ struct offset {
+ */
+
+ struct buffinfo {
+- uint32_t size; /* size of this buffer */
++ size_t size; /* size of this buffer */
+ unsigned char *buffer; /* address of the allocated buffer */
+ };
+
+@@ -805,8 +809,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
+ uint32_t dst_rowsize, shift_width;
+ uint32_t bytes_per_sample, bytes_per_pixel;
+ uint32_t trailing_bits, prev_trailing_bits;
+- uint32_t tile_rowsize = TIFFTileRowSize(in);
+- uint32_t src_offset, dst_offset;
++ tmsize_t tile_rowsize = TIFFTileRowSize(in);
++ tmsize_t src_offset, dst_offset;
+ uint32_t row_offset, col_offset;
+ uint8_t *bufp = (uint8_t*) buf;
+ unsigned char *src = NULL;
+@@ -856,7 +860,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
+ exit(EXIT_FAILURE);
+ }
+- tilebuf = limitMalloc(tile_buffsize + 3);
++ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (tilebuf == 0)
+ return 0;
+ tilebuf[tile_buffsize] = 0;
+@@ -1019,7 +1023,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8_t *obuf,
+ for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++)
+ {
+ srcbuffs[sample] = NULL;
+- tbuff = (unsigned char *)limitMalloc(tilesize + 8);
++ tbuff = (unsigned char *)limitMalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES);
+ if (!tbuff)
+ {
+ TIFFError ("readSeparateTilesIntoBuffer",
+@@ -1213,7 +1217,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
+ }
+ rowstripsize = rowsperstrip * bytes_per_sample * (width + 1);
+
+- obuf = limitMalloc (rowstripsize);
++ /* Add 3 padding bytes for extractContigSamples32bits */
++ obuf = limitMalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (obuf == NULL)
+ return 1;
+
+@@ -1226,7 +1231,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
+ stripsize = TIFFVStripSize(out, nrows);
+ src = buf + (row * rowsize);
+ total_bytes += stripsize;
+- memset (obuf, '\0', rowstripsize);
++ memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump))
+ {
+ _TIFFfree(obuf);
+@@ -1234,10 +1239,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
+ }
+ if ((dump->outfile != NULL) && (dump->level == 1))
+ {
+- dump_info(dump->outfile, dump->format,"",
++ if (scanlinesize > 0x0ffffffffULL) {
++ dump_info(dump->infile, dump->format, "loadImage",
++ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
++ scanlinesize);
++ }
++ dump_info(dump->outfile, dump->format,"",
+ "Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d",
+- s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf);
+- dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf);
++ s + 1, strip + 1, stripsize, row + 1, (uint32_t)scanlinesize, src - buf);
++ dump_buffer(dump->outfile, dump->format, nrows, (uint32_t)scanlinesize, row, obuf);
+ }
+
+ if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0)
+@@ -1264,7 +1274,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng
+ uint32_t tl, tw;
+ uint32_t row, col, nrow, ncol;
+ uint32_t src_rowsize, col_offset;
+- uint32_t tile_rowsize = TIFFTileRowSize(out);
++ tmsize_t tile_rowsize = TIFFTileRowSize(out);
+ uint8_t* bufp = (uint8_t*) buf;
+ tsize_t tile_buffsize = 0;
+ tsize_t tilesize = TIFFTileSize(out);
+@@ -1307,9 +1317,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng
+ }
+ src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
+
+- tilebuf = limitMalloc(tile_buffsize);
++ /* Add 3 padding bytes for extractContigSamples32bits */
++ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (tilebuf == 0)
+ return 1;
++ memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ for (row = 0; row < imagelength; row += tl)
+ {
+ nrow = (row + tl > imagelength) ? imagelength - row : tl;
+@@ -1355,7 +1367,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele
+ uint32_t imagewidth, tsample_t spp,
+ struct dump_opts * dump)
+ {
+- tdata_t obuf = limitMalloc(TIFFTileSize(out));
++ /* Add 3 padding bytes for extractContigSamples32bits */
++ tdata_t obuf = limitMalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
+ uint32_t tl, tw;
+ uint32_t row, col, nrow, ncol;
+ uint32_t src_rowsize, col_offset;
+@@ -1365,6 +1378,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele
+
+ if (obuf == NULL)
+ return 1;
++ memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
+
+ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
+ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
+@@ -1790,14 +1804,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
+
+ *opt_offset = '\0';
+ /* convert option to lowercase */
+- end = strlen (opt_ptr);
++ end = (unsigned int)strlen (opt_ptr);
+ for (i = 0; i < end; i++)
+ *(opt_ptr + i) = tolower((int) *(opt_ptr + i));
+ /* Look for dump format specification */
+ if (strncmp(opt_ptr, "for", 3) == 0)
+ {
+ /* convert value to lowercase */
+- end = strlen (opt_offset + 1);
++ end = (unsigned int)strlen (opt_offset + 1);
+ for (i = 1; i <= end; i++)
+ *(opt_offset + i) = tolower((int) *(opt_offset + i));
+ /* check dump format value */
+@@ -2270,6 +2284,8 @@ main(int argc, char* argv[])
+ size_t length;
+ char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */
+
++ assert(NUM_BUFF_OVERSIZE_BYTES >= 3);
++
+ little_endian = *((unsigned char *)&little_endian) & '1';
+
+ initImageData(&image);
+@@ -3222,13 +3238,13 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
+ /* If we have a full buffer's worth, write it out */
+ if (ready_bits >= 32)
+ {
+- bytebuff1 = (buff2 >> 56);
++ bytebuff1 = (uint8_t)(buff2 >> 56);
+ *dst++ = bytebuff1;
+- bytebuff2 = (buff2 >> 48);
++ bytebuff2 = (uint8_t)(buff2 >> 48);
+ *dst++ = bytebuff2;
+- bytebuff3 = (buff2 >> 40);
++ bytebuff3 = (uint8_t)(buff2 >> 40);
+ *dst++ = bytebuff3;
+- bytebuff4 = (buff2 >> 32);
++ bytebuff4 = (uint8_t)(buff2 >> 32);
+ *dst++ = bytebuff4;
+ ready_bits -= 32;
+
+@@ -3637,13 +3653,13 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
+ }
+ else /* If we have a full buffer's worth, write it out */
+ {
+- bytebuff1 = (buff2 >> 56);
++ bytebuff1 = (uint8_t)(buff2 >> 56);
+ *dst++ = bytebuff1;
+- bytebuff2 = (buff2 >> 48);
++ bytebuff2 = (uint8_t)(buff2 >> 48);
+ *dst++ = bytebuff2;
+- bytebuff3 = (buff2 >> 40);
++ bytebuff3 = (uint8_t)(buff2 >> 40);
+ *dst++ = bytebuff3;
+- bytebuff4 = (buff2 >> 32);
++ bytebuff4 = (uint8_t)(buff2 >> 32);
+ *dst++ = bytebuff4;
+ ready_bits -= 32;
+
+@@ -3820,10 +3836,10 @@ extractContigSamplesToTileBuffer(uint8_t *out, uint8_t *in, uint32_t rows, uint3
+ static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf)
+ {
+ uint8_t* bufp = buf;
+- int32_t bytes_read = 0;
++ tmsize_t bytes_read = 0;
+ uint32_t strip, nstrips = TIFFNumberOfStrips(in);
+- uint32_t stripsize = TIFFStripSize(in);
+- uint32_t rows = 0;
++ tmsize_t stripsize = TIFFStripSize(in);
++ tmsize_t rows = 0;
+ uint32_t rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
+ tsize_t scanline_size = TIFFScanlineSize(in);
+
+@@ -3836,11 +3852,11 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf)
+ bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1);
+ rows = bytes_read / scanline_size;
+ if ((strip < (nstrips - 1)) && (bytes_read != (int32_t)stripsize))
+- TIFFError("", "Strip %"PRIu32": read %"PRId32" bytes, strip size %"PRIu32,
++ TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64,
+ strip + 1, bytes_read, stripsize);
+
+ if (bytes_read < 0 && !ignore) {
+- TIFFError("", "Error reading strip %"PRIu32" after %"PRIu32" rows",
++ TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows",
+ strip, rows);
+ return 0;
+ }
+@@ -4305,13 +4321,13 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
+ /* If we have a full buffer's worth, write it out */
+ if (ready_bits >= 32)
+ {
+- bytebuff1 = (buff2 >> 56);
++ bytebuff1 = (uint8_t)(buff2 >> 56);
+ *dst++ = bytebuff1;
+- bytebuff2 = (buff2 >> 48);
++ bytebuff2 = (uint8_t)(buff2 >> 48);
+ *dst++ = bytebuff2;
+- bytebuff3 = (buff2 >> 40);
++ bytebuff3 = (uint8_t)(buff2 >> 40);
+ *dst++ = bytebuff3;
+- bytebuff4 = (buff2 >> 32);
++ bytebuff4 = (uint8_t)(buff2 >> 32);
+ *dst++ = bytebuff4;
+ ready_bits -= 32;
+
+@@ -4354,10 +4370,10 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
+ "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
+ row + 1, col + 1, src_byte, src_bit, dst - out);
+
+- dump_long (dumpfile, format, "Match bits ", matchbits);
++ dump_wide (dumpfile, format, "Match bits ", matchbits);
+ dump_data (dumpfile, format, "Src bits ", src, 4);
+- dump_long (dumpfile, format, "Buff1 bits ", buff1);
+- dump_long (dumpfile, format, "Buff2 bits ", buff2);
++ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
++ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
+ dump_byte (dumpfile, format, "Write bits1", bytebuff1);
+ dump_byte (dumpfile, format, "Write bits2", bytebuff2);
+ dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
+@@ -4830,13 +4846,13 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
+ /* If we have a full buffer's worth, write it out */
+ if (ready_bits >= 32)
+ {
+- bytebuff1 = (buff2 >> 56);
++ bytebuff1 = (uint8_t)(buff2 >> 56);
+ *dst++ = bytebuff1;
+- bytebuff2 = (buff2 >> 48);
++ bytebuff2 = (uint8_t)(buff2 >> 48);
+ *dst++ = bytebuff2;
+- bytebuff3 = (buff2 >> 40);
++ bytebuff3 = (uint8_t)(buff2 >> 40);
+ *dst++ = bytebuff3;
+- bytebuff4 = (buff2 >> 32);
++ bytebuff4 = (uint8_t)(buff2 >> 32);
+ *dst++ = bytebuff4;
+ ready_bits -= 32;
+
+@@ -4879,10 +4895,10 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
+ "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
+ row + 1, col + 1, src_byte, src_bit, dst - out);
+
+- dump_long (dumpfile, format, "Match bits ", matchbits);
++ dump_wide (dumpfile, format, "Match bits ", matchbits);
+ dump_data (dumpfile, format, "Src bits ", src, 4);
+- dump_long (dumpfile, format, "Buff1 bits ", buff1);
+- dump_long (dumpfile, format, "Buff2 bits ", buff2);
++ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
++ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
+ dump_byte (dumpfile, format, "Write bits1", bytebuff1);
+ dump_byte (dumpfile, format, "Write bits2", bytebuff2);
+ dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
+@@ -4905,7 +4921,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
+ {
+ int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
+ uint32_t j;
+- int32_t bytes_read = 0;
++ tmsize_t bytes_read = 0;
+ uint16_t bps = 0, planar;
+ uint32_t nstrips;
+ uint32_t strips_per_sample;
+@@ -4971,7 +4987,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+ {
+ srcbuffs[s] = NULL;
+- buff = limitMalloc(stripsize + 3);
++ buff = limitMalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (!buff)
+ {
+ TIFFError ("readSeparateStripsIntoBuffer",
+@@ -4994,7 +5010,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
+ buff = srcbuffs[s];
+ strip = (s * strips_per_sample) + j;
+ bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
+- rows_this_strip = bytes_read / src_rowsize;
++ rows_this_strip = (uint32_t)(bytes_read / src_rowsize);
+ if (bytes_read < 0 && !ignore)
+ {
+ TIFFError(TIFFFileName(in),
+@@ -6047,13 +6063,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ uint16_t input_compression = 0, input_photometric = 0;
+ uint16_t subsampling_horiz, subsampling_vert;
+ uint32_t width = 0, length = 0;
+- uint32_t stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0;
++ tmsize_t stsize = 0, tlsize = 0, buffsize = 0;
++ tmsize_t scanlinesize = 0;
+ uint32_t tw = 0, tl = 0; /* Tile width and length */
+- uint32_t tile_rowsize = 0;
++ tmsize_t tile_rowsize = 0;
+ unsigned char *read_buff = NULL;
+ unsigned char *new_buff = NULL;
+ int readunit = 0;
+- static uint32_t prev_readsize = 0;
++ static tmsize_t prev_readsize = 0;
+
+ TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+ TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
+@@ -6355,7 +6372,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ return (-1);
+ }
+- read_buff = (unsigned char *)limitMalloc(buffsize+3);
++ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ }
+ else
+ {
+@@ -6366,11 +6383,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ return (-1);
+ }
+- new_buff = _TIFFrealloc(read_buff, buffsize+3);
++ new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (!new_buff)
+ {
+ free (read_buff);
+- read_buff = (unsigned char *)limitMalloc(buffsize+3);
++ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ }
+ else
+ read_buff = new_buff;
+@@ -6443,8 +6460,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ dump_info (dump->infile, dump->format, "",
+ "Bits per sample %"PRIu16", Samples per pixel %"PRIu16, bps, spp);
+
++ if (scanlinesize > 0x0ffffffffULL) {
++ dump_info(dump->infile, dump->format, "loadImage",
++ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
++ scanlinesize);
++ }
+ for (i = 0; i < length; i++)
+- dump_buffer(dump->infile, dump->format, 1, scanlinesize,
++ dump_buffer(dump->infile, dump->format, 1, (uint32_t)scanlinesize,
+ i, read_buff + (i * scanlinesize));
+ }
+ return (0);
+@@ -7464,13 +7486,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image,
+ if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
+ TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
+ if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
+- int inknameslen = strlen(inknames) + 1;
++ int inknameslen = (int)strlen(inknames) + 1;
+ const char* cp = inknames;
+ while (ninks > 1) {
+ cp = strchr(cp, '\0');
+ if (cp) {
+ cp++;
+- inknameslen += (strlen(cp) + 1);
++ inknameslen += ((int)strlen(cp) + 1);
+ }
+ ninks--;
+ }
+@@ -7533,23 +7555,23 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
+
+ if (!sect_buff)
+ {
+- sect_buff = (unsigned char *)limitMalloc(sectsize);
++ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (!sect_buff)
+ {
+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+ return (-1);
+ }
+- _TIFFmemset(sect_buff, 0, sectsize);
++ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
+ }
+ else
+ {
+ if (prev_sectsize < sectsize)
+ {
+- new_buff = _TIFFrealloc(sect_buff, sectsize);
++ new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (!new_buff)
+ {
+ _TIFFfree (sect_buff);
+- sect_buff = (unsigned char *)limitMalloc(sectsize);
++ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
+ }
+ else
+ sect_buff = new_buff;
+@@ -7559,7 +7581,7 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+ return (-1);
+ }
+- _TIFFmemset(sect_buff, 0, sectsize);
++ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
+ }
+ }
+
+@@ -7590,17 +7612,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ cropsize = crop->bufftotal;
+ crop_buff = seg_buffs[0].buffer;
+ if (!crop_buff)
+- crop_buff = (unsigned char *)limitMalloc(cropsize);
++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ else
+ {
+ prev_cropsize = seg_buffs[0].size;
+ if (prev_cropsize < cropsize)
+ {
+- next_buff = _TIFFrealloc(crop_buff, cropsize);
++ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (! next_buff)
+ {
+ _TIFFfree (crop_buff);
+- crop_buff = (unsigned char *)limitMalloc(cropsize);
++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ }
+ else
+ crop_buff = next_buff;
+@@ -7613,7 +7635,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ return (-1);
+ }
+
+- _TIFFmemset(crop_buff, 0, cropsize);
++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ seg_buffs[0].buffer = crop_buff;
+ seg_buffs[0].size = cropsize;
+
+@@ -7693,17 +7715,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ cropsize = crop->bufftotal;
+ crop_buff = seg_buffs[i].buffer;
+ if (!crop_buff)
+- crop_buff = (unsigned char *)limitMalloc(cropsize);
++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ else
+ {
+ prev_cropsize = seg_buffs[0].size;
+ if (prev_cropsize < cropsize)
+ {
+- next_buff = _TIFFrealloc(crop_buff, cropsize);
++ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (! next_buff)
+ {
+ _TIFFfree (crop_buff);
+- crop_buff = (unsigned char *)limitMalloc(cropsize);
++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ }
+ else
+ crop_buff = next_buff;
+@@ -7716,7 +7738,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ return (-1);
+ }
+
+- _TIFFmemset(crop_buff, 0, cropsize);
++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ seg_buffs[i].buffer = crop_buff;
+ seg_buffs[i].size = cropsize;
+
+@@ -7832,24 +7854,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ crop_buff = *crop_buff_ptr;
+ if (!crop_buff)
+ {
+- crop_buff = (unsigned char *)limitMalloc(cropsize);
++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (!crop_buff)
+ {
+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+ return (-1);
+ }
+- _TIFFmemset(crop_buff, 0, cropsize);
++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ prev_cropsize = cropsize;
+ }
+ else
+ {
+ if (prev_cropsize < cropsize)
+ {
+- new_buff = _TIFFrealloc(crop_buff, cropsize);
++ new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (!new_buff)
+ {
+ free (crop_buff);
+- crop_buff = (unsigned char *)limitMalloc(cropsize);
++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ }
+ else
+ crop_buff = new_buff;
+@@ -7858,7 +7880,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+ return (-1);
+ }
+- _TIFFmemset(crop_buff, 0, cropsize);
++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ }
+ }
+
+@@ -8156,13 +8178,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image,
+ if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
+ TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
+ if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
+- int inknameslen = strlen(inknames) + 1;
++ int inknameslen = (int)strlen(inknames) + 1;
+ const char* cp = inknames;
+ while (ninks > 1) {
+ cp = strchr(cp, '\0');
+ if (cp) {
+ cp++;
+- inknameslen += (strlen(cp) + 1);
++ inknameslen += ((int)strlen(cp) + 1);
+ }
+ ninks--;
+ }
+@@ -8547,13 +8569,13 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
+ }
+ else /* If we have a full buffer's worth, write it out */
+ {
+- bytebuff1 = (buff2 >> 56);
++ bytebuff1 = (uint8_t)(buff2 >> 56);
+ *dst++ = bytebuff1;
+- bytebuff2 = (buff2 >> 48);
++ bytebuff2 = (uint8_t)(buff2 >> 48);
+ *dst++ = bytebuff2;
+- bytebuff3 = (buff2 >> 40);
++ bytebuff3 = (uint8_t)(buff2 >> 40);
+ *dst++ = bytebuff3;
+- bytebuff4 = (buff2 >> 32);
++ bytebuff4 = (uint8_t)(buff2 >> 32);
+ *dst++ = bytebuff4;
+ ready_bits -= 32;
+
+@@ -8622,12 +8644,13 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
+ return (-1);
+ }
+
+- if (!(rbuff = (unsigned char *)limitMalloc(buffsize)))
++ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
++ if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
+ {
+- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize);
++ TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ return (-1);
+ }
+- _TIFFmemset(rbuff, '\0', buffsize);
++ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
+
+ ibuff = *ibuff_ptr;
+ switch (rotation)
+@@ -9155,13 +9178,13 @@ reverseSamples32bits (uint16_t spp, uint16_t bps, uint32_t width,
+ }
+ else /* If we have a full buffer's worth, write it out */
+ {
+- bytebuff1 = (buff2 >> 56);
++ bytebuff1 = (uint8_t)(buff2 >> 56);
+ *dst++ = bytebuff1;
+- bytebuff2 = (buff2 >> 48);
++ bytebuff2 = (uint8_t)(buff2 >> 48);
+ *dst++ = bytebuff2;
+- bytebuff3 = (buff2 >> 40);
++ bytebuff3 = (uint8_t)(buff2 >> 40);
+ *dst++ = bytebuff3;
+- bytebuff4 = (buff2 >> 32);
++ bytebuff4 = (uint8_t)(buff2 >> 32);
+ *dst++ = bytebuff4;
+ ready_bits -= 32;
+
+@@ -9252,12 +9275,13 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
+ {
+ case MIRROR_BOTH:
+ case MIRROR_VERT:
+- line_buff = (unsigned char *)limitMalloc(rowsize);
++ line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (line_buff == NULL)
+ {
+- TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize);
++ TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES);
+ return (-1);
+ }
++ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
+
+ dst = ibuff + (rowsize * (length - 1));
+ for (row = 0; row < length / 2; row++)
+@@ -9289,11 +9313,12 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
+ }
+ else
+ { /* non 8 bit per sample data */
+- if (!(line_buff = (unsigned char *)limitMalloc(rowsize + 1)))
++ if (!(line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES)))
+ {
+ TIFFError("mirrorImage", "Unable to allocate mirror line buffer");
+ return (-1);
+ }
++ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
+ bytes_per_sample = (bps + 7) / 8;
+ bytes_per_pixel = ((bps * spp) + 7) / 8;
+ if (bytes_per_pixel < (bytes_per_sample + 1))
+@@ -9305,7 +9330,7 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
+ {
+ row_offset = row * rowsize;
+ src = ibuff + row_offset;
+- _TIFFmemset (line_buff, '\0', rowsize);
++ _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
+ switch (shift_width)
+ {
+ case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff))
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 29a2c38d8e..af9bdcfbde 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -27,6 +27,10 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \
file://0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch \
file://CVE-2022-2953.patch \
+ file://0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch \
+ file://0001-tiffcrop-S-option-Make-decision-simpler.patch \
+ file://0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch \
+ file://0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch \
"
SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
@@ -40,7 +44,6 @@ CVE_CHECK_IGNORE += "CVE-2015-7313"
# These issues only affect libtiff post-4.3.0 but before 4.4.0,
# caused by 3079627e and fixed by b4e79bfa.
CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623"
-
# Issue is in jbig which we don't enable
CVE_CHECK_IGNORE += "CVE-2022-1210"
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 04/23] tiff: Security fix for CVE-2022-3970
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (2 preceding siblings ...)
2022-12-01 14:26 ` [OE-core][kirkstone 03/23] tiff: fix a number of CVEs Steve Sakoman
@ 2022-12-01 14:26 ` Steve Sakoman
2022-12-01 14:26 ` [OE-core][kirkstone 05/23] tiff: add CVE tag to b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch Steve Sakoman
` (18 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:26 UTC (permalink / raw)
To: openembedded-core
From: "Qiu, Zheng" <Zheng.Qiu@windriver.com>
This patch contains a fix for CVE-2022-3970
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-3970
https://security-tracker.debian.org/tracker/CVE-2022-3970
Patch generated from :
https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be
Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libtiff/tiff/CVE-2022-3970.patch | 38 +++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 +
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch
new file mode 100644
index 0000000000..3779ebf646
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch
@@ -0,0 +1,38 @@
+From 11c8026913e190b02266c1247e7a770e488d925e Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 8 Nov 2022 15:16:58 +0100
+Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on
+ strips/tiles > 2 GB
+
+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
+Upstream-Status: Accepted
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ libtiff/tif_getimage.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index a1b6570b..9a2e0c59 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -3058,15 +3058,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in
+ return( ok );
+
+ for( i_row = 0; i_row < read_ysize; i_row++ ) {
+- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
+- raster + (read_ysize - i_row - 1) * read_xsize,
++ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
++ raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
+ read_xsize * sizeof(uint32_t) );
+- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+ 0, sizeof(uint32_t) * (tile_xsize - read_xsize) );
+ }
+
+ for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
+- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+ 0, sizeof(uint32_t) * tile_xsize );
+ }
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index af9bdcfbde..b3737f962e 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -27,6 +27,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \
file://0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch \
file://CVE-2022-2953.patch \
+ file://CVE-2022-3970.patch \
file://0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch \
file://0001-tiffcrop-S-option-Make-decision-simpler.patch \
file://0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch \
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 05/23] tiff: add CVE tag to b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (3 preceding siblings ...)
2022-12-01 14:26 ` [OE-core][kirkstone 04/23] tiff: Security fix for CVE-2022-3970 Steve Sakoman
@ 2022-12-01 14:26 ` Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 06/23] curl: Fix CVE-2022-32221 Steve Sakoman
` (17 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:26 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <martin.jansa@gmail.com>
* according to https://bugzilla.redhat.com/show_bug.cgi?id=2118863
this commit should be the fix for CVE-2022-2868
* resolves false-possitive entry in:
https://lists.yoctoproject.org/g/yocto-security/message/705
CVE-2022-2868 (CVSS3: 8.1 HIGH): tiff https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2868
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch b/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch
index 272dd3d713..83d5db7fc6 100644
--- a/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch
@@ -5,11 +5,12 @@ Subject: [PATCH] Move the crop_width and crop_length computation after the
sanity check to avoid warnings when built with
-fsanitize=unsigned-integer-overflow.
-Upstream-Status: Backport
-[https://gitlab.com/libtiff/libtiff/-/commit/b258ed69a485a9cfb299d9f060eb2a46c54e5903?merge_request_iid=294]
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b258ed69a485a9cfb299d9f060eb2a46c54e5903?merge_request_iid=294]
Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
+CVE: CVE-2022-2868
+
---
tools/tiffcrop.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 06/23] curl: Fix CVE-2022-32221
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (4 preceding siblings ...)
2022-12-01 14:26 ` [OE-core][kirkstone 05/23] tiff: add CVE tag to b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch Steve Sakoman
@ 2022-12-01 14:27 ` Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 07/23] curl: Fix CVE-2022-42916 Steve Sakoman
` (16 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:27 UTC (permalink / raw)
To: openembedded-core
From: Bhabu Bindu <bhabu.bindu@kpit.com>
POST following PUT confusion
Link: https://ubuntu.com/security/CVE-2022-32221
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../curl/curl/CVE-2022-32221.patch | 28 +++++++++++++++++++
meta/recipes-support/curl/curl_7.82.0.bb | 1 +
2 files changed, 29 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32221.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32221.patch b/meta/recipes-support/curl/curl/CVE-2022-32221.patch
new file mode 100644
index 0000000000..b78b2ce1a8
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32221.patch
@@ -0,0 +1,28 @@
+From a64e3e59938abd7d667e4470a18072a24d7e9de9 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 15 Sep 2022 09:22:45 +0200
+Subject: [PATCH] setopt: when POST is set, reset the 'upload' field
+
+Reported-by: RobBotic1 on github
+Fixes #9507
+Closes #9511
+
+CVE: CVE-2022-32221
+Upstream-Status: Backport [https://github.com/curl/curl/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9]
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ lib/setopt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 03c4efdbf1e58..7289a4e78bdd0 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -700,6 +700,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ }
+ else
+ data->set.method = HTTPREQ_GET;
++ data->set.upload = FALSE;
+ break;
+
+ case CURLOPT_HTTPPOST:
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 5368c91f5c..e0099f7453 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -29,6 +29,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
file://CVE-2022-32207.patch \
file://CVE-2022-32208.patch \
file://CVE-2022-35252.patch \
+ file://CVE-2022-32221.patch \
"
SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 07/23] curl: Fix CVE-2022-42916
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (5 preceding siblings ...)
2022-12-01 14:27 ` [OE-core][kirkstone 06/23] curl: Fix CVE-2022-32221 Steve Sakoman
@ 2022-12-01 14:27 ` Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 08/23] curl: Fix CVE-2022-42915 Steve Sakoman
` (15 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:27 UTC (permalink / raw)
To: openembedded-core
From: Bhabu Bindu <bhabu.bindu@kpit.com>
HSTS bypass via IDN
Link: https://security-tracker.debian.org/tracker/CVE-2022-42916
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../curl/curl/CVE-2022-42916.patch | 136 ++++++++++++++++++
meta/recipes-support/curl/curl_7.82.0.bb | 1 +
2 files changed, 137 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-42916.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2022-42916.patch b/meta/recipes-support/curl/curl/CVE-2022-42916.patch
new file mode 100644
index 0000000000..fbc592280a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-42916.patch
@@ -0,0 +1,136 @@
+From 53bcf55b4538067e6dc36242168866becb987bb7 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 12 Oct 2022 10:47:59 +0200
+Subject: [PATCH] url: use IDN decoded names for HSTS checks
+
+Reported-by: Hiroki Kurosawa
+
+Closes #9791
+
+CVE: CVE-2022-42916
+Upstream-Status: Backport [https://github.com/curl/curl/commit/53bcf55b4538067e6dc36242168866becb987bb7]
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+Comments: Refreshed hunk
+---
+ lib/url.c | 91 ++++++++++++++++++++++++++++---------------------------
+ 1 file changed, 47 insertions(+), 44 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index a3be56bced9de..690c53c81a3c1 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -2012,10 +2012,56 @@
+ if(!strcasecompare("file", data->state.up.scheme))
+ return CURLE_OUT_OF_MEMORY;
+ }
++ hostname = data->state.up.hostname;
++
++ if(hostname && hostname[0] == '[') {
++ /* This looks like an IPv6 address literal. See if there is an address
++ scope. */
++ size_t hlen;
++ conn->bits.ipv6_ip = TRUE;
++ /* cut off the brackets! */
++ hostname++;
++ hlen = strlen(hostname);
++ hostname[hlen - 1] = 0;
++
++ zonefrom_url(uh, data, conn);
++ }
++
++ /* make sure the connect struct gets its own copy of the host name */
++ conn->host.rawalloc = strdup(hostname ? hostname : "");
++ if(!conn->host.rawalloc)
++ return CURLE_OUT_OF_MEMORY;
++ conn->host.name = conn->host.rawalloc;
++
++ /*************************************************************
++ * IDN-convert the hostnames
++ *************************************************************/
++ result = Curl_idnconvert_hostname(data, &conn->host);
++ if(result)
++ return result;
++ if(conn->bits.conn_to_host) {
++ result = Curl_idnconvert_hostname(data, &conn->conn_to_host);
++ if(result)
++ return result;
++ }
++#ifndef CURL_DISABLE_PROXY
++ if(conn->bits.httpproxy) {
++ result = Curl_idnconvert_hostname(data, &conn->http_proxy.host);
++ if(result)
++ return result;
++ }
++ if(conn->bits.socksproxy) {
++ result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host);
++ if(result)
++ return result;
++ }
++#endif
+
+ #ifndef CURL_DISABLE_HSTS
++ /* HSTS upgrade */
+ if(data->hsts && strcasecompare("http", data->state.up.scheme)) {
+- if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) {
++ /* This MUST use the IDN decoded name */
++ if(Curl_hsts(data->hsts, conn->host.name, TRUE)) {
+ char *url;
+ Curl_safefree(data->state.up.scheme);
+ uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0);
+@@ -2145,26 +2191,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+
+ (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0);
+
+- hostname = data->state.up.hostname;
+- if(hostname && hostname[0] == '[') {
+- /* This looks like an IPv6 address literal. See if there is an address
+- scope. */
+- size_t hlen;
+- conn->bits.ipv6_ip = TRUE;
+- /* cut off the brackets! */
+- hostname++;
+- hlen = strlen(hostname);
+- hostname[hlen - 1] = 0;
+-
+- zonefrom_url(uh, data, conn);
+- }
+-
+- /* make sure the connect struct gets its own copy of the host name */
+- conn->host.rawalloc = strdup(hostname ? hostname : "");
+- if(!conn->host.rawalloc)
+- return CURLE_OUT_OF_MEMORY;
+- conn->host.name = conn->host.rawalloc;
+-
+ #ifdef ENABLE_IPV6
+ if(data->set.scope_id)
+ /* Override any scope that was set above. */
+@@ -3713,29 +3739,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+ if(result)
+ goto out;
+
+- /*************************************************************
+- * IDN-convert the hostnames
+- *************************************************************/
+- result = Curl_idnconvert_hostname(data, &conn->host);
+- if(result)
+- goto out;
+- if(conn->bits.conn_to_host) {
+- result = Curl_idnconvert_hostname(data, &conn->conn_to_host);
+- if(result)
+- goto out;
+- }
+-#ifndef CURL_DISABLE_PROXY
+- if(conn->bits.httpproxy) {
+- result = Curl_idnconvert_hostname(data, &conn->http_proxy.host);
+- if(result)
+- goto out;
+- }
+- if(conn->bits.socksproxy) {
+- result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host);
+- if(result)
+- goto out;
+- }
+-#endif
+
+ /*************************************************************
+ * Check whether the host and the "connect to host" are equal.
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index e0099f7453..a3e29a583d 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -30,6 +30,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
file://CVE-2022-32208.patch \
file://CVE-2022-35252.patch \
file://CVE-2022-32221.patch \
+ file://CVE-2022-42916.patch \
"
SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 08/23] curl: Fix CVE-2022-42915
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (6 preceding siblings ...)
2022-12-01 14:27 ` [OE-core][kirkstone 07/23] curl: Fix CVE-2022-42916 Steve Sakoman
@ 2022-12-01 14:27 ` Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 09/23] dropbear: fix CVE-2021-36369 Steve Sakoman
` (14 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:27 UTC (permalink / raw)
To: openembedded-core
From: Bhabu Bindu <bhabu.bindu@kpit.com>
HTTP proxy double-free
Link: https://security-tracker.debian.org/tracker/CVE-2022-42915
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../curl/curl/CVE-2022-42915.patch | 53 +++++++++++++++++++
meta/recipes-support/curl/curl_7.82.0.bb | 1 +
2 files changed, 54 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-42915.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2022-42915.patch b/meta/recipes-support/curl/curl/CVE-2022-42915.patch
new file mode 100644
index 0000000000..0f37a80e09
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-42915.patch
@@ -0,0 +1,53 @@
+From 55e1875729f9d9fc7315cec611bffbd2c817ad89 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 6 Oct 2022 14:13:36 +0200
+Subject: [PATCH] http_proxy: restore the protocol pointer on error
+
+Reported-by: Trail of Bits
+
+Closes #9790
+
+CVE: CVE-2022-42915
+Upstream-Status: Backport [https://github.com/curl/curl/commit/55e1875729f9d9fc7315cec611bffbd2c817ad89]
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ lib/http_proxy.c | 6 ++----
+ lib/url.c | 9 ---------
+ 2 files changed, 2 insertions(+), 13 deletions(-)
+
+diff --git a/lib/http_proxy.c b/lib/http_proxy.c
+index 1f87f6c62aa40..cc20b3a801941 100644
+--- a/lib/http_proxy.c
++++ b/lib/http_proxy.c
+@@ -212,10 +212,8 @@ void Curl_connect_done(struct Curl_easy *data)
+ Curl_dyn_free(&s->rcvbuf);
+ Curl_dyn_free(&s->req);
+
+- /* restore the protocol pointer, if not already done */
+- if(s->prot_save)
+- data->req.p.http = s->prot_save;
+- s->prot_save = NULL;
++ /* restore the protocol pointer */
++ data->req.p.http = s->prot_save;
+ data->info.httpcode = 0; /* clear it as it might've been used for the
+ proxy */
+ data->req.ignorebody = FALSE;
+diff --git a/lib/url.c b/lib/url.c
+index 690c53c81a3c1..be5ffca2d8b20 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -751,15 +751,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn)
+ DEBUGASSERT(data);
+ infof(data, "Closing connection %ld", conn->connection_id);
+
+-#ifndef USE_HYPER
+- if(conn->connect_state && conn->connect_state->prot_save) {
+- /* If this was closed with a CONNECT in progress, cleanup this temporary
+- struct arrangement */
+- data->req.p.http = NULL;
+- Curl_safefree(conn->connect_state->prot_save);
+- }
+-#endif
+-
+ /* possible left-overs from the async name resolvers */
+ Curl_resolver_cancel(data);
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index a3e29a583d..87f4cd13aa 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -31,6 +31,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
file://CVE-2022-35252.patch \
file://CVE-2022-32221.patch \
file://CVE-2022-42916.patch \
+ file://CVE-2022-42915.patch \
"
SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 09/23] dropbear: fix CVE-2021-36369
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (7 preceding siblings ...)
2022-12-01 14:27 ` [OE-core][kirkstone 08/23] curl: Fix CVE-2022-42915 Steve Sakoman
@ 2022-12-01 14:27 ` Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 10/23] libpam: fix CVE-2022-28321 Steve Sakoman
` (13 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:27 UTC (permalink / raw)
To: openembedded-core
From: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/dropbear/dropbear.inc | 4 +-
.../dropbear/dropbear/CVE-2021-36369.patch | 145 ++++++++++++++++++
2 files changed, 148 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
index 2d6e64cf8d..f3f085b616 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -27,7 +27,9 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
file://dropbear.socket \
file://dropbear.default \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} "
+ ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
+ file://CVE-2021-36369.patch \
+ "
PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
file://0006-dropbear-configuration-file.patch \
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
new file mode 100644
index 0000000000..5ff11abdd6
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
@@ -0,0 +1,145 @@
+From e9b15a8b1035b62413b2b881315c6bffd02205d4 Mon Sep 17 00:00:00 2001
+From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
+Date: Thu, 19 Aug 2021 17:37:14 +0200
+Subject: [PATCH] added option to disable trivial auth methods (#128)
+
+* added option to disable trivial auth methods
+
+* rename argument to match with other ssh clients
+
+* fixed trivial auth detection for pubkeys
+
+[https://github.com/mkj/dropbear/pull/128]
+Upstream-Status: Backport
+CVE: CVE-2021-36369
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ cli-auth.c | 3 +++
+ cli-authinteract.c | 1 +
+ cli-authpasswd.c | 2 +-
+ cli-authpubkey.c | 1 +
+ cli-runopts.c | 7 +++++++
+ cli-session.c | 1 +
+ runopts.h | 1 +
+ session.h | 1 +
+ 8 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/cli-auth.c b/cli-auth.c
+index 2e509e5..6f04495 100644
+--- a/cli-auth.c
++++ b/cli-auth.c
+@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
+ if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
+
+ TRACE(("received msg_userauth_success"))
++ if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
++ dropbear_exit("trivial authentication not allowed");
++ }
+ /* Note: in delayed-zlib mode, setting authdone here
+ * will enable compression in the transport layer */
+ ses.authstate.authdone = 1;
+diff --git a/cli-authinteract.c b/cli-authinteract.c
+index e1cc9a1..f7128ee 100644
+--- a/cli-authinteract.c
++++ b/cli-authinteract.c
+@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
+ m_free(instruction);
+
+ for (i = 0; i < num_prompts; i++) {
++ cli_ses.is_trivial_auth = 0;
+ unsigned int response_len = 0;
+ prompt = buf_getstring(ses.payload, NULL);
+ cleantext(prompt);
+diff --git a/cli-authpasswd.c b/cli-authpasswd.c
+index 00fdd8b..a24d43e 100644
+--- a/cli-authpasswd.c
++++ b/cli-authpasswd.c
+@@ -155,7 +155,7 @@ void cli_auth_password() {
+
+ encrypt_packet();
+ m_burn(password, strlen(password));
+-
++ cli_ses.is_trivial_auth = 0;
+ TRACE(("leave cli_auth_password"))
+ }
+ #endif /* DROPBEAR_CLI_PASSWORD_AUTH */
+diff --git a/cli-authpubkey.c b/cli-authpubkey.c
+index 42c4e3f..fa01807 100644
+--- a/cli-authpubkey.c
++++ b/cli-authpubkey.c
+@@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype,
+ buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
+ cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf);
+ buf_free(sigbuf); /* Nothing confidential in the buffer */
++ cli_ses.is_trivial_auth = 0;
+ }
+
+ encrypt_packet();
+diff --git a/cli-runopts.c b/cli-runopts.c
+index 3654b9a..255b47e 100644
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ cli_opts.exit_on_fwd_failure = 0;
+ #endif
++ cli_opts.disable_trivial_auth = 0;
+ #if DROPBEAR_CLI_LOCALTCPFWD
+ cli_opts.localfwds = list_new();
+ opts.listen_fwd_all = 0;
+@@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ "\tExitOnForwardFailure\n"
+ #endif
++ "\tDisableTrivialAuth\n"
+ #ifndef DISABLE_SYSLOG
+ "\tUseSyslog\n"
+ #endif
+@@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) {
+ return;
+ }
+
++ if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
++ cli_opts.disable_trivial_auth = parse_flag_value(optstr);
++ return;
++ }
++
+ dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
+ }
+diff --git a/cli-session.c b/cli-session.c
+index 5e5af22..afb54a1 100644
+--- a/cli-session.c
++++ b/cli-session.c
+@@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
+ /* Auth */
+ cli_ses.lastprivkey = NULL;
+ cli_ses.lastauthtype = 0;
++ cli_ses.is_trivial_auth = 1;
+
+ /* For printing "remote host closed" for the user */
+ ses.remoteclosed = cli_remoteclosed;
+diff --git a/runopts.h b/runopts.h
+index 6a4a94c..01201d2 100644
+--- a/runopts.h
++++ b/runopts.h
+@@ -159,6 +159,7 @@ typedef struct cli_runopts {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ int exit_on_fwd_failure;
+ #endif
++ int disable_trivial_auth;
+ #if DROPBEAR_CLI_REMOTETCPFWD
+ m_list * remotefwds;
+ #endif
+diff --git a/session.h b/session.h
+index fb5b8cb..6706592 100644
+--- a/session.h
++++ b/session.h
+@@ -316,6 +316,7 @@ struct clientsession {
+
+ int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
+ for the last type of auth we tried */
++ int is_trivial_auth;
+ int ignore_next_auth_response;
+ #if DROPBEAR_CLI_INTERACT_AUTH
+ int auth_interact_failed; /* flag whether interactive auth can still
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 10/23] libpam: fix CVE-2022-28321
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (8 preceding siblings ...)
2022-12-01 14:27 ` [OE-core][kirkstone 09/23] dropbear: fix CVE-2021-36369 Steve Sakoman
@ 2022-12-01 14:27 ` Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 11/23] dbus: upgrade 1.14.0 -> 1.14.4 Steve Sakoman
` (12 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:27 UTC (permalink / raw)
To: openembedded-core
From: "Polampalli, Archana" <archana.polampalli@windriver.com>
The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows
authentication bypass for SSH logins. The pam_access.so module doesn't
correctly restrict login if a user tries to connect from an IP address
that is not resolvable via DNS. In such conditions, a user with denied
access to a machine can still get access. NOTE: the relevance of this
issue is largely limited to openSUSE Tumbleweed and openSUSE Factory;
it does not affect Linux-PAM upstream.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-28321
Upstream patches:
https://github.com/linux-pam/linux-pam/commit/08992030c56c940c0707ccbc442b1c325aa01e6d
https://github.com/linux-pam/linux-pam/commit/23393bef92c1e768eda329813d7af55481c6ca9f
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit b1fd799af0086347de1ec4b72d562b1fb490def1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../pam/libpam/CVE-2022-28321-0002.patch | 205 ++++++++++++++++++
meta/recipes-extended/pam/libpam_1.5.2.bb | 1 +
2 files changed, 206 insertions(+)
create mode 100644 meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch
diff --git a/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch b/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch
new file mode 100644
index 0000000000..e7bf03f9f7
--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch
@@ -0,0 +1,205 @@
+From 23393bef92c1e768eda329813d7af55481c6ca9f Mon Sep 17 00:00:00 2001
+From: Thorsten Kukuk <kukuk@suse.com>
+Date: Thu, 24 Feb 2022 10:37:32 +0100
+Subject: [PATCH 2/2] pam_access: handle hostnames in access.conf
+
+According to the manual page, the following entry is valid but does not
+work:
+-:root:ALL EXCEPT localhost
+
+See https://bugzilla.suse.com/show_bug.cgi?id=1019866
+
+Patched is based on PR#226 from Josef Moellers
+
+Upstream-Status: Backport
+CVE: CVE-2022-28321
+
+Reference to upstream patch:
+[https://github.com/linux-pam/linux-pam/commit/23393bef92c1e768eda329813d7af55481c6ca9f]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ modules/pam_access/pam_access.c | 95 ++++++++++++++++++++++++++-------
+ 1 file changed, 76 insertions(+), 19 deletions(-)
+
+diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
+index 277192b..bca424f 100644
+--- a/modules/pam_access/pam_access.c
++++ b/modules/pam_access/pam_access.c
+@@ -637,7 +637,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
+ if ((str_len = strlen(string)) > tok_len
+ && strcasecmp(tok, string + str_len - tok_len) == 0)
+ return YES;
+- } else if (tok[tok_len - 1] == '.') {
++ } else if (tok[tok_len - 1] == '.') { /* internet network numbers (end with ".") */
+ struct addrinfo hint;
+
+ memset (&hint, '\0', sizeof (hint));
+@@ -678,7 +678,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
+ return NO;
+ }
+
+- /* Assume network/netmask with an IP of a host. */
++ /* Assume network/netmask, IP address or hostname. */
+ return network_netmask_match(pamh, tok, string, item);
+ }
+
+@@ -696,7 +696,7 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
+ /*
+ * If the token has the magic value "ALL" the match always succeeds.
+ * Otherwise, return YES if the token fully matches the string.
+- * "NONE" token matches NULL string.
++ * "NONE" token matches NULL string.
+ */
+
+ if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */
+@@ -714,7 +714,8 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
+
+ /* network_netmask_match - match a string against one token
+ * where string is a hostname or ip (v4,v6) address and tok
+- * represents either a single ip (v4,v6) address or a network/netmask
++ * represents either a hostname, a single ip (v4,v6) address
++ * or a network/netmask
+ */
+ static int
+ network_netmask_match (pam_handle_t *pamh,
+@@ -723,10 +724,12 @@ network_netmask_match (pam_handle_t *pamh,
+ char *netmask_ptr;
+ char netmask_string[MAXHOSTNAMELEN + 1];
+ int addr_type;
++ struct addrinfo *ai = NULL;
+
+ if (item->debug)
+- pam_syslog (pamh, LOG_DEBUG,
++ pam_syslog (pamh, LOG_DEBUG,
+ "network_netmask_match: tok=%s, item=%s", tok, string);
++
+ /* OK, check if tok is of type addr/mask */
+ if ((netmask_ptr = strchr(tok, '/')) != NULL)
+ {
+@@ -760,54 +763,108 @@ network_netmask_match (pam_handle_t *pamh,
+ netmask_ptr = number_to_netmask(netmask, addr_type,
+ netmask_string, MAXHOSTNAMELEN);
+ }
+- }
++
++ /*
++ * Construct an addrinfo list from the IP address.
++ * This should not fail as the input is a correct IP address...
++ */
++ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
++ {
++ return NO;
++ }
++ }
+ else
+- /* NO, then check if it is only an addr */
+- if (isipaddr(tok, NULL, NULL) != YES)
++ {
++ /*
++ * It is either an IP address or a hostname.
++ * Let getaddrinfo sort everything out
++ */
++ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
+ {
++ pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
++
+ return NO;
+ }
++ netmask_ptr = NULL;
++ }
+
+ if (isipaddr(string, NULL, NULL) != YES)
+ {
+- /* Assume network/netmask with a name of a host. */
+ struct addrinfo hint;
+
++ /* Assume network/netmask with a name of a host. */
+ memset (&hint, '\0', sizeof (hint));
+ hint.ai_flags = AI_CANONNAME;
+ hint.ai_family = AF_UNSPEC;
+
+ if (item->gai_rv != 0)
++ {
++ freeaddrinfo(ai);
+ return NO;
++ }
+ else if (!item->res &&
+ (item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0)
++ {
++ freeaddrinfo(ai);
+ return NO;
++ }
+ else
+ {
+ struct addrinfo *runp = item->res;
++ struct addrinfo *runp1;
+
+ while (runp != NULL)
+ {
+ char buf[INET6_ADDRSTRLEN];
+
+- DIAG_PUSH_IGNORE_CAST_ALIGN;
+- inet_ntop (runp->ai_family,
+- runp->ai_family == AF_INET
+- ? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr
+- : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr,
+- buf, sizeof (buf));
+- DIAG_POP_IGNORE_CAST_ALIGN;
++ if (getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) != 0)
++ {
++ freeaddrinfo(ai);
++ return NO;
++ }
+
+- if (are_addresses_equal(buf, tok, netmask_ptr))
++ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
+ {
+- return YES;
++ char buf1[INET6_ADDRSTRLEN];
++
++ if (runp->ai_family != runp1->ai_family)
++ continue;
++
++ if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0)
++ {
++ freeaddrinfo(ai);
++ return NO;
++ }
++
++ if (are_addresses_equal (buf, buf1, netmask_ptr))
++ {
++ freeaddrinfo(ai);
++ return YES;
++ }
+ }
+ runp = runp->ai_next;
+ }
+ }
+ }
+ else
+- return (are_addresses_equal(string, tok, netmask_ptr));
++ {
++ struct addrinfo *runp1;
++
++ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
++ {
++ char buf1[INET6_ADDRSTRLEN];
++
++ (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST);
++
++ if (are_addresses_equal(string, buf1, netmask_ptr))
++ {
++ freeaddrinfo(ai);
++ return YES;
++ }
++ }
++ }
++
++ freeaddrinfo(ai);
+
+ return NO;
+ }
+--
+2.37.3
+
diff --git a/meta/recipes-extended/pam/libpam_1.5.2.bb b/meta/recipes-extended/pam/libpam_1.5.2.bb
index 081986ef43..dabd3256c8 100644
--- a/meta/recipes-extended/pam/libpam_1.5.2.bb
+++ b/meta/recipes-extended/pam/libpam_1.5.2.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux
file://0001-run-xtests.sh-check-whether-files-exist.patch \
file://run-ptest \
file://pam-volatiles.conf \
+ file://CVE-2022-28321-0002.patch \
"
SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d"
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 11/23] dbus: upgrade 1.14.0 -> 1.14.4
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (9 preceding siblings ...)
2022-12-01 14:27 ` [OE-core][kirkstone 10/23] libpam: fix CVE-2022-28321 Steve Sakoman
@ 2022-12-01 14:27 ` Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 12/23] linux-yocto/5.15: update to v5.15.74 Steve Sakoman
` (11 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:27 UTC (permalink / raw)
To: openembedded-core
From: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
License-Update: D-Bus changed to dbus.
1.14.4 has contians following CVEs, removing local patches:
CVE-2022-42012: 0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch
[https://github.com/freedesktop/dbus/commit/3fb065b0752db1e298e4ada52cf4adc414f5e946]
CVE-2022-42011: 0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch
[https://github.com/freedesktop/dbus/commit/b9e6a7523085a2cfceaffca7ba1ab4251f12a984]
CVE-2022-42010: 0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch
[https://github.com/freedesktop/dbus/commit/3e53a785dee8d1432156188a2c4260e4cbc78c4d]
Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...eswap-Byte-swap-Unix-fd-indexes-if-n.patch | 76 -----------
...idate-Check-brackets-in-signature-ne.patch | 119 ------------------
...idate-Validate-length-of-arrays-of-f.patch | 61 ---------
.../dbus/{dbus_1.14.0.bb => dbus_1.14.4.bb} | 10 +-
4 files changed, 4 insertions(+), 262 deletions(-)
delete mode 100644 meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch
delete mode 100644 meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch
delete mode 100644 meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch
rename meta/recipes-core/dbus/{dbus_1.14.0.bb => dbus_1.14.4.bb} (93%)
diff --git a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch
deleted file mode 100644
index 47f4f1e0d3..0000000000
--- a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 3fb065b0752db1e298e4ada52cf4adc414f5e946 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Fri, 30 Sep 2022 13:46:31 +0100
-Subject: [PATCH] dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed
-
-When a D-Bus message includes attached file descriptors, the body of the
-message contains unsigned 32-bit indexes pointing into an out-of-band
-array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to
-these indexes as "handles" for the associated fds (not to be confused
-with a Windows HANDLE, which is a kernel object).
-
-The assertion message removed by this commit is arguably correct up to
-a point: fd-passing is only reasonable on a local machine, and no known
-operating system allows processes of differing endianness even on a
-multi-endian ARM or PowerPC CPU, so it makes little sense for the sender
-to specify a byte-order that differs from the byte-order of the recipient.
-
-However, this doesn't account for the fact that a malicious sender
-doesn't have to restrict itself to only doing things that make sense.
-On a system with untrusted local users, a message sender could crash
-the system dbus-daemon (a denial of service) by sending a message in
-the opposite endianness that contains handles to file descriptors.
-
-Before this commit, if assertions are enabled, attempting to byteswap
-a fd index would cleanly crash the message recipient with an assertion
-failure. If assertions are disabled, attempting to byteswap a fd index
-would silently do nothing without advancing the pointer p, causing the
-message's type and the pointer into its contents to go out of sync, which
-can result in a subsequent crash (the crash demonstrated by fuzzing was
-a use-after-free, but other failure modes might be possible).
-
-In principle we could resolve this by rejecting wrong-endianness messages
-from a local sender, but it's actually simpler and less code to treat
-wrong-endianness messages as valid and byteswap them.
-
-Thanks: Evgeny Vereshchagin
-Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds"
-Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
-Resolves: CVE-2022-42012
-
-Upstream-Status: Backport from [https://gitlab.freedesktop.org/dbus/dbus/-/commit/3fb065b0752db1e298e4ada52cf4adc414f5e946]
-
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 236f16e444e88a984cf12b09225e0f8efa6c5b44)
-Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
----
- dbus/dbus-marshal-byteswap.c | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/dbus/dbus-marshal-byteswap.c b/dbus/dbus-marshal-byteswap.c
-index 27695aaf..7104e9c6 100644
---- a/dbus/dbus-marshal-byteswap.c
-+++ b/dbus/dbus-marshal-byteswap.c
-@@ -61,6 +61,7 @@ byteswap_body_helper (DBusTypeReader *reader,
- case DBUS_TYPE_BOOLEAN:
- case DBUS_TYPE_INT32:
- case DBUS_TYPE_UINT32:
-+ case DBUS_TYPE_UNIX_FD:
- {
- p = _DBUS_ALIGN_ADDRESS (p, 4);
- *((dbus_uint32_t*)p) = DBUS_UINT32_SWAP_LE_BE (*((dbus_uint32_t*)p));
-@@ -188,11 +189,6 @@ byteswap_body_helper (DBusTypeReader *reader,
- }
- break;
-
-- case DBUS_TYPE_UNIX_FD:
-- /* fds can only be passed on a local machine, so byte order must always match */
-- _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense");
-- break;
--
- default:
- _dbus_assert_not_reached ("invalid typecode in supposedly-validated signature");
- break;
---
-2.34.1
-
diff --git a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch
deleted file mode 100644
index f2e14fb8d5..0000000000
--- a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From 3e53a785dee8d1432156188a2c4260e4cbc78c4d Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Tue, 13 Sep 2022 15:10:22 +0100
-Subject: [PATCH] dbus-marshal-validate: Check brackets in signature nest
- correctly
-
-In debug builds with assertions enabled, a signature with incorrectly
-nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result
-in an assertion failure.
-
-In production builds without assertions enabled, a signature with
-incorrectly nested `()` and `{}` could potentially result in a crash
-or incorrect message parsing, although we do not have a concrete example
-of either of these failure modes.
-
-Thanks: Evgeny Vereshchagin
-Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
-Resolves: CVE-2022-42010
-
-Upstream-Status: Backport [https://gitlab.freedesktop.org/dbus/dbus/-/commit/3e53a785dee8d1432156188a2c4260e4cbc78c4d]
-
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 9d07424e9011e3bbe535e83043d335f3093d2916)
-Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
----
- dbus/dbus-marshal-validate.c | 38 +++++++++++++++++++++++++++++++++++-
- 1 file changed, 37 insertions(+), 1 deletion(-)
-
-diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
-index 4d492f3f..ae68414d 100644
---- a/dbus/dbus-marshal-validate.c
-+++ b/dbus/dbus-marshal-validate.c
-@@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
-
- int element_count;
- DBusList *element_count_stack;
-+ char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' };
-+ char last_bracket;
-
- result = DBUS_VALID;
- element_count_stack = NULL;
-@@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
-
- while (p != end)
- {
-+ _dbus_assert (struct_depth + dict_entry_depth >= 0);
-+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
-+ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0');
-+
- switch (*p)
- {
- case DBUS_TYPE_BYTE:
-@@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
- goto out;
- }
-
-+ _dbus_assert (struct_depth + dict_entry_depth >= 1);
-+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
-+ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
-+ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR;
- break;
-
- case DBUS_STRUCT_END_CHAR:
-@@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
- goto out;
- }
-
-+ _dbus_assert (struct_depth + dict_entry_depth >= 1);
-+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
-+ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
-+
-+ if (last_bracket != DBUS_STRUCT_BEGIN_CHAR)
-+ {
-+ result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED;
-+ goto out;
-+ }
-+
- _dbus_list_pop_last (&element_count_stack);
-
- struct_depth -= 1;
-+ opened_brackets[struct_depth + dict_entry_depth] = '\0';
- break;
-
- case DBUS_DICT_ENTRY_BEGIN_CHAR:
-@@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
- goto out;
- }
-
-+ _dbus_assert (struct_depth + dict_entry_depth >= 1);
-+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
-+ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
-+ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR;
- break;
-
- case DBUS_DICT_ENTRY_END_CHAR:
-@@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
- result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
- goto out;
- }
--
-+
-+ _dbus_assert (struct_depth + dict_entry_depth >= 1);
-+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
-+ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
-+
-+ if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR)
-+ {
-+ result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
-+ goto out;
-+ }
-+
- dict_entry_depth -= 1;
-+ opened_brackets[struct_depth + dict_entry_depth] = '\0';
-
- element_count =
- _DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack));
---
-2.34.1
-
diff --git a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch b/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch
deleted file mode 100644
index f953326f78..0000000000
--- a/meta/recipes-core/dbus/dbus/0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From b9e6a7523085a2cfceaffca7ba1ab4251f12a984 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Mon, 12 Sep 2022 13:14:18 +0100
-Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of
- fixed-length items
-
-This fast-path previously did not check that the array was made up
-of an integer number of items. This could lead to assertion failures
-and out-of-bounds accesses during subsequent message processing (which
-assumes that the message has already been validated), particularly after
-the addition of _dbus_header_remove_unknown_fields(), which makes it
-more likely that dbus-daemon will apply non-trivial edits to messages.
-
-Thanks: Evgeny Vereshchagin
-Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
-Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
-Resolves: CVE-2022-42011
-
-Upstream-Status: Backport from
-[https://gitlab.freedesktop.org/dbus/dbus/-/commit/b9e6a7523085a2cfceaffca7ba1ab4251f12a984]
-
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69)
-Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
----
- dbus/dbus-marshal-validate.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
-index ae68414d..7d0d6cf7 100644
---- a/dbus/dbus-marshal-validate.c
-+++ b/dbus/dbus-marshal-validate.c
-@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader *reader,
- */
- if (dbus_type_is_fixed (array_elem_type))
- {
-+ /* Note that fixed-size types all have sizes equal to
-+ * their alignments, so this is really the item size. */
-+ alignment = _dbus_type_get_alignment (array_elem_type);
-+ _dbus_assert (alignment == 1 || alignment == 2 ||
-+ alignment == 4 || alignment == 8);
-+
-+ /* Because the alignment is a power of 2, this is
-+ * equivalent to: (claimed_len % alignment) != 0,
-+ * but avoids slower integer division */
-+ if ((claimed_len & (alignment - 1)) != 0)
-+ return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
-+
- /* bools need to be handled differently, because they can
- * have an invalid value
- */
- if (array_elem_type == DBUS_TYPE_BOOLEAN)
- {
- dbus_uint32_t v;
-- alignment = _dbus_type_get_alignment (array_elem_type);
-
- while (p < array_end)
- {
---
-2.34.1
-
diff --git a/meta/recipes-core/dbus/dbus_1.14.0.bb b/meta/recipes-core/dbus/dbus_1.14.4.bb
similarity index 93%
rename from meta/recipes-core/dbus/dbus_1.14.0.bb
rename to meta/recipes-core/dbus/dbus_1.14.4.bb
index 484629e987..9684f0c6e2 100644
--- a/meta/recipes-core/dbus/dbus_1.14.0.bb
+++ b/meta/recipes-core/dbus/dbus_1.14.4.bb
@@ -6,19 +6,17 @@ SECTION = "base"
inherit autotools pkgconfig gettext upstream-version-is-even ptest-gnome
LICENSE = "AFL-2.1 | GPL-2.0-or-later"
-LIC_FILES_CHKSUM = "file://COPYING;md5=10dded3b58148f3f1fd804b26354af3e \
- file://dbus/dbus.h;beginline=6;endline=20;md5=866739837ccd835350af94dccd6457d8"
+LIC_FILES_CHKSUM = "file://COPYING;md5=6423dcd74d7be9715b0db247fd889da3 \
+ file://dbus/dbus.h;beginline=6;endline=20;md5=866739837ccd835350af94dccd6457d8 \
+ "
SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \
file://run-ptest \
file://tmpdir.patch \
file://dbus-1.init \
- file://0001-dbus-marshal-validate-Check-brackets-in-signature-ne.patch \
- file://0001-dbus-marshal-validate-Validate-length-of-arrays-of-f.patch \
- file://0001-dbus-marshal-byteswap-Byte-swap-Unix-fd-indexes-if-n.patch \
"
-SRC_URI[sha256sum] = "ccd7cce37596e0a19558fd6648d1272ab43f011d80c8635aea8fd0bad58aebd4"
+SRC_URI[sha256sum] = "7c0f9b8e5ec0ff2479383e62c0084a3a29af99edf1514e9f659b81b30d4e353e"
EXTRA_OECONF = "--disable-xml-docs \
--disable-doxygen-docs \
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 12/23] linux-yocto/5.15: update to v5.15.74
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (10 preceding siblings ...)
2022-12-01 14:27 ` [OE-core][kirkstone 11/23] dbus: upgrade 1.14.0 -> 1.14.4 Steve Sakoman
@ 2022-12-01 14:27 ` Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 13/23] linux-yocto/5.15: update to v5.15.76 Steve Sakoman
` (10 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:27 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating to the latest korg -stable release that comprises
the following commits:
a3f2f5ac9d61 Linux 5.15.74
de124365a7d2 wifi: mac80211: fix MBSSID parsing use-after-free
7d998f6b7365 mac80211: fix memory leaks with element parsing
fee48f3bdd75 mac80211: always allocate struct ieee802_11_elems
630060f11756 mac80211: mlme: find auth challenge directly
21df3a583e8e mac80211: move CRC into struct ieee802_11_elems
864f2d3482f4 mac80211: mesh: clean up rx_bcn_presp API
e5ebcbb4f967 misc: pci_endpoint_test: Fix pci_endpoint_test_{copy,write,read}() panic
cb9defecf381 misc: pci_endpoint_test: Aggregate params checking for xfer
2c657a0cbd48 Input: xpad - fix wireless 360 controller breaking after suspend
db4db28fccb4 Input: xpad - add supported devices as contributed on github
d15bb1f6dabe wifi: cfg80211: update hidden BSSes to avoid WARN_ON
93a3a3255407 wifi: mac80211: fix crash in beacon protection for P2P-device
fff244e9171b wifi: mac80211_hwsim: avoid mac80211 warning on bad rate
0a8ee682e4f9 wifi: cfg80211: avoid nontransmitted BSS list corruption
bfe29873454f wifi: cfg80211: fix BSS refcounting bugs
9e99ca59ed39 wifi: cfg80211: ensure length byte is present before access
0a861bd25dad wifi: cfg80211/mac80211: reject bad MBSSID elements
9a8ef2030510 wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()
398e30b67092 random: use expired timer rather than wq for mixing fast pool
984faa6fc759 random: avoid reading two cache lines on irq randomness
a937c59863d7 Revert "crypto: qat - reduce size of mapped region"
0e3ff69ee691 Revert "powerpc/rtas: Implement reentrant rtas call"
e0295c43166b USB: serial: qcserial: add new usb-id for Dell branded EM7455
76efb4897bc3 scsi: stex: Properly zero out the passthrough command structure
5fbbe7e98e9b efi: Correct Macmini DMI match in uefi cert quirk
8754dc846d03 ALSA: hda: Fix position reporting on Poulsbo
14f143fb4268 random: clamp credited irq bits to maximum mixed
be53fa6cf667 random: restore O_NONBLOCK support
2f96da3fd18f ceph: don't truncate file in atomic_open
c0c3d3d3ea41 nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure
44b1ee304bac nilfs2: fix leak of nilfs_root in case of writer thread creation failure
cb602c2b654e nilfs2: fix use-after-free bug of struct nilfs_root
1e512c65b4ad nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level()
17aac9b7af2b Linux 5.15.73
f7b16f51753a Revert "clk: ti: Stop using legacy clkctrl names for omap4 and 5"
d8b1b64a070e rpmsg: qcom: glink: replace strncpy() with strscpy_pad()
d58eb80b723d USB: serial: ftdi_sio: fix 300 bps rate for SIO
5ff80339cdc3 usb: mon: make mmapped memory read only
278fefd29eea net/mlx5: Disable irq when locking lag_lock
54f382d4b7f8 wifi: cfg80211: fix MCS divisor value
0fa249414a6f mm/huge_memory: use pfn_to_online_page() in split_huge_pages_all()
f1d6894159fc mm/huge_memory: minor cleanup for split_huge_pages_all
7190afd4cd5f perf parse-events: Identify broken modifiers
f6f740f6ca3b mmc: core: Terminate infinite loop in SD-UHS voltage switch
9635e05e015a mmc: core: Replace with already defined values for readability
f2af62d909ad drm/amd/display: skip audio setup when audio stream is enabled
d444cfe6d047 drm/amd/display: update gamut remap if plane has changed
4afcb53474ae drm/amd/display: Assume an LTTPR is always present on fixed_vs links
5e76ff629a20 drm/amd/display: Fix double cursor on non-video RGB MPO
e6590139ffa3 net: atlantic: fix potential memory leak in aq_ndev_close()
005e368a61bc arch: um: Mark the stack non-executable to fix a binutils warning
5f85191bedba um: Cleanup compiler warning in arch/x86/um/tls_32.c
6827af886be8 um: Cleanup syscall_handler_t cast in syscalls_32.h
f386b373e9f7 ALSA: hda/hdmi: Fix the converter reuse for the silent stream
a36b2dc5c0da net: marvell: prestera: add support for for Aldrin2
d2588ba1a338 net/ieee802154: fix uninit value bug in dgram_sendmsg
1030659dac4e scsi: qedf: Fix a UAF bug in __qedf_probe()
f7126aa3624c ARM: dts: fix Moxa SDIO 'compatible', remove 'sdhci' misnomer
968299cd58b7 dmaengine: xilinx_dma: Report error in case of dma_set_mask_and_coherent API failure
17f55255af4c dmaengine: xilinx_dma: cleanup for fetching xlnx,num-fstores property
b2f275550136 dmaengine: xilinx_dma: Fix devm_platform_ioremap_resource error handling
fd425b89d040 firmware: arm_scmi: Add SCMI PM driver remove routine
e092fc3a2892 firmware: arm_scmi: Harden accesses to the sensor domains
9f81dbb934fb firmware: arm_scmi: Improve checks in the info_get operations
64b79e632869 fs: fix UAF/GPF bug in nilfs_mdt_destroy
31bdba07f6b2 powerpc/64s/radix: don't need to broadcast IPI for radix pmd collapse flush
46c22e7b094f mm: gup: fix the fast GUP race against THP collapse
88ccea0a4458 xsk: Inherit need_wakeup flag for shared sockets
f07fbefcea5b docs: update mediator information in CoC docs
cf26ddb96b4f Makefile.extrawarn: Move -Wcast-function-type-strict to W=1
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit e4d9e5bb39700022cd428bb922a329101fc0f1b0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../linux/linux-yocto-rt_5.15.bb | 6 ++---
.../linux/linux-yocto-tiny_5.15.bb | 6 ++---
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +++++++++----------
3 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
index e573b27c9c..414f7abbc5 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "47b86b149db08838964584baec1b913c5d67c060"
-SRCREV_meta ?= "c6aba7f07aae15d63bccf5b072a6e70602c2bcef"
+SRCREV_machine ?= "cf39c84e1a884fcd4802640d20142bb506e9d3d0"
+SRCREV_meta ?= "74e1a21c730b600c344804c1bc775a6a2ee7b8e6"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.15.72"
+LINUX_VERSION ?= "5.15.74"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
index 693750860d..3b85967ca2 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
@@ -5,7 +5,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.15.72"
+LINUX_VERSION ?= "5.15.74"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -14,8 +14,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "34404e5be3791dac897da77afa6c7fa00c993f78"
-SRCREV_meta ?= "c6aba7f07aae15d63bccf5b072a6e70602c2bcef"
+SRCREV_machine ?= "61a508a44ed255900245d81ebe11bb5916e3145c"
+SRCREV_meta ?= "74e1a21c730b600c344804c1bc775a6a2ee7b8e6"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.15.bb b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
index 792cf41a53..99b5c054f3 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
@@ -13,24 +13,24 @@ KBRANCH:qemux86 ?= "v5.15/standard/base"
KBRANCH:qemux86-64 ?= "v5.15/standard/base"
KBRANCH:qemumips64 ?= "v5.15/standard/mti-malta64"
-SRCREV_machine:qemuarm ?= "84a35b23cf4c520894d0d1b91628eb019dc7901a"
-SRCREV_machine:qemuarm64 ?= "e939c4ebc789805c00a36eaf4a190df6f8f51470"
-SRCREV_machine:qemumips ?= "1adf4e5b574a5d23b4724766890ea74101d04abd"
-SRCREV_machine:qemuppc ?= "7220def162c7b2d3b4f1c6c86de0ecc19ade7d5f"
-SRCREV_machine:qemuriscv64 ?= "0b628306d1f9ea28c0e86369ce9bb87a47893c9c"
-SRCREV_machine:qemuriscv32 ?= "0b628306d1f9ea28c0e86369ce9bb87a47893c9c"
-SRCREV_machine:qemux86 ?= "0b628306d1f9ea28c0e86369ce9bb87a47893c9c"
-SRCREV_machine:qemux86-64 ?= "0b628306d1f9ea28c0e86369ce9bb87a47893c9c"
-SRCREV_machine:qemumips64 ?= "3840e1613b7fe9cc68e9cdfcaf7afa5e14fa8344"
-SRCREV_machine ?= "0b628306d1f9ea28c0e86369ce9bb87a47893c9c"
-SRCREV_meta ?= "c6aba7f07aae15d63bccf5b072a6e70602c2bcef"
+SRCREV_machine:qemuarm ?= "af0268ca8969a472d1263e83b0a78f00834b700e"
+SRCREV_machine:qemuarm64 ?= "08b455a0e020e52340bde98e4942eaf43eb12554"
+SRCREV_machine:qemumips ?= "6f7b375ea6a2736168056e6133d01aaea592e696"
+SRCREV_machine:qemuppc ?= "73b9bd277094cae3d4b39b24f79f6e29b7518fc6"
+SRCREV_machine:qemuriscv64 ?= "f0bee94053065c7cb8eacadfdd6bf739a2042b35"
+SRCREV_machine:qemuriscv32 ?= "f0bee94053065c7cb8eacadfdd6bf739a2042b35"
+SRCREV_machine:qemux86 ?= "f0bee94053065c7cb8eacadfdd6bf739a2042b35"
+SRCREV_machine:qemux86-64 ?= "f0bee94053065c7cb8eacadfdd6bf739a2042b35"
+SRCREV_machine:qemumips64 ?= "33e8f888ab9242ea807b722c0982e871edc3339f"
+SRCREV_machine ?= "f0bee94053065c7cb8eacadfdd6bf739a2042b35"
+SRCREV_meta ?= "74e1a21c730b600c344804c1bc775a6a2ee7b8e6"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
# meta SRCREV as the linux-yocto-standard builds. Select your version using the
# normal PREFERRED_VERSION settings.
BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "c68173b2012b8eba332cf9832f0ad23427d795b5"
+SRCREV_machine:class-devupstream ?= "a3f2f5ac9d61e973e383f17a95cf2aa384e2d0c4"
PN:class-devupstream = "linux-yocto-upstream"
KBRANCH:class-devupstream = "v5.15/base"
@@ -38,7 +38,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.15.72"
+LINUX_VERSION ?= "5.15.74"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 13/23] linux-yocto/5.15: update to v5.15.76
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (11 preceding siblings ...)
2022-12-01 14:27 ` [OE-core][kirkstone 12/23] linux-yocto/5.15: update to v5.15.74 Steve Sakoman
@ 2022-12-01 14:27 ` Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 14/23] linux-yocto/5.15: update to v5.15.78 Steve Sakoman
` (9 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:27 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating to the latest korg -stable release that comprises
the following commits:
4f5365f77018 Linux 5.15.76
33fc9e26b7cb mm: /proc/pid/smaps_rollup: fix no vma's null-deref
b9d8cbe90a0f mmc: core: Add SD card quirk for broken discard
0ee2f0567a56 Makefile.debug: re-enable debug info for .S files
117825e9bbb1 x86/Kconfig: Drop check for -mabi=ms for CONFIG_EFI_STUB
0983205085fa ACPI: video: Force backlight native for more TongFang devices
289b56715ba6 perf: Skip and warn on unknown format 'configN' attrs
9d912a385368 mmc: sdhci-tegra: Use actual clock rate for SW tuning correction
7aeda81191fd tracing: Do not free snapshot if tracer is on cmdline
57252e7bd491 tracing: Simplify conditional compilation code in tracing_set_tracer()
20bc6d23f7f6 ksmbd: fix incorrect handling of iterate_dir
3c8cfcaa2d9a ksmbd: handle smb2 query dir request for OutputBufferLength that is too small
8754fa5dbc6e arm64: mte: move register initialization to C
ea7be82fd7e1 fs: dlm: fix invalid derefence of sb_lvbptr
0365d6af75f9 iommu/vt-d: Clean up si_domain in the init_dmars() error path
5c95d0c9d0eb iommu/vt-d: Allow NVS regions in arch_rmrr_sanity_check()
209740fd132e net: phy: dp83822: disable MDI crossover status change interrupt
ce1234573d18 net: sched: fix race condition in qdisc_graft()
91f8f5342bee net: hns: fix possible memory leak in hnae_ae_register()
50c31fa95230 wwan_hwsim: fix possible memory leak in wwan_hwsim_dev_new()
d2fc83a6b55e sfc: include vport_id in filter spec hash and equal()
c2e1e59d59fa net: sched: sfb: fix null pointer access issue when sfb_init() fails
34f2a4eedc8e net: sched: delete duplicate cleanup of backlog and qlen
154f4c06d9db net: sched: cake: fix null pointer access issue when cake_init() fails
5efed7578dd4 nvmet: fix workqueue MEM_RECLAIM flushing dependency
2f2b84b02088 nvme-hwmon: kmalloc the NVME SMART log buffer
66c56b232839 nvme-hwmon: consistently ignore errors from nvme_hwmon_init
d77f6908f9ce netfilter: nf_tables: relax NFTA_SET_ELEM_KEY_END set flags requirements
efa9dd7e679e ionic: catch NULL pointer issue on reconfig
35ece858660e net: hsr: avoid possible NULL deref in skb_clone()
e326df21da25 dm: remove unnecessary assignment statement in alloc_dev()
847301f0ee1c cifs: Fix xid leak in cifs_ses_add_channel()
8905d13b9ede cifs: Fix xid leak in cifs_flock()
27cfd3afaab0 cifs: Fix xid leak in cifs_copy_file_range()
593d877c39aa cifs: Fix xid leak in cifs_create()
a8df9d0428c7 udp: Update reuse->has_conns under reuseport_lock.
9749595feb33 scsi: lpfc: Fix memory leak in lpfc_create_port()
b9122e0e0ea8 net: phylink: add mac_managed_pm in phylink_config structure
412db9b06d3c net: phy: dp83867: Extend RX strap quirk for SGMII mode
5ce613051994 net/atm: fix proc_mpc_write incorrect return value
0eb17faedce7 sfc: Change VF mac via PF as first preference if available.
0f58940ca3c1 HID: magicmouse: Do not set BTN_MOUSE on double report
94a171c982b8 i40e: Fix DMA mappings leak
dbc01c0a4e20 tipc: fix an information leak in tipc_topsrv_kern_subscr
b294cad6f02e tipc: Fix recognition of trial period
6161c364e378 ACPI: extlog: Handle multiple records
40e5fceddfd5 drm/vc4: Add module dependency on hdmi-codec
6c5041a10324 btrfs: fix processing of delayed tree block refs during backref walking
af67578d565c btrfs: fix processing of delayed data refs during backref walking
c439cafce8cf x86/topology: Fix duplicated core ID within a package
d31f4bc22596 x86/topology: Fix multiple packages shown on a single-package system
fcc96e89b3ff media: venus: dec: Handle the case where find_format fails
b22b4823a0a5 media: mceusb: set timeout to at least timeout provided
5265cc1202a3 media: ipu3-imgu: Fix NULL pointer dereference in active selection access
1e4e71f9e197 KVM: arm64: vgic: Fix exit condition in scan_its_table()
5bf2fda26a72 kvm: Add support for arch compat vm ioctls
112a005d1ded mm,hugetlb: take hugetlb_lock before decrementing h->resv_huge_pages
2d508b4e6536 drm/amdgpu: fix sdma doorbell init ordering on APUs
b5606e3ab1f7 cpufreq: qcom: fix memory leak in error path
d866f5982c15 x86/resctrl: Fix min_cbm_bits for AMD
8fbe13de1cc7 ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS
5d6a037b3a94 ata: ahci-imx: Fix MODULE_ALIAS
30cf0dee372b hwmon/coretemp: Handle large core ID value
2f7171465f26 x86/microcode/AMD: Apply the patch early on every logical thread
93d7e2b47a72 i2c: qcom-cci: Fix ordering of pm_runtime_xx and i2c_add_adapter
14d260f94ff8 cpufreq: qcom: fix writes in read-only memory region
3006766d247b selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()
1b31cb0065e2 ocfs2: fix BUG when iput after ocfs2_mknod fails
e469db818ec9 ocfs2: clear dinode links count in case of error
ded9d535be0d btrfs: enhance unsupported compat RO flags handling
537412c54712 perf/x86/intel/pt: Relax address filter validation
8ddc58e0e312 arm64: errata: Remove AES hwcap for COMPAT tasks
738515cf8bb4 usb: gadget: uvc: improve sg exit condition
db11d8c72a5d usb: gadget: uvc: giveback vb2 buffer on req complete
aee340dccf5a usb: gadget: uvc: rework uvcg_queue_next_buffer to uvcg_complete_buffer
2f54ce7392d7 usb: gadget: uvc: use on returned header len in video_encode_isoc_sg
d80db2f1450c usb: gadget: uvc: consistently use define for headerlen
f9681a67503e arm64/mm: Consolidate TCR_EL1 fields
5b20aacff7ad r8152: add PID for the Lenovo OneLink+ Dock
bd8a595958a5 Linux 5.15.75
b6e2c54be37d io-wq: Fix memory leak in worker creation
7c359e28492f gcov: support GCC 12.1 and newer compilers
8418c1672c1f thermal: intel_powerclamp: Use first online CPU as control_cpu
55c824b62067 ext4: continue to expand file system when the target size doesn't reach
0e63de6d7e4c lib/Kconfig.debug: Add check for non-constant .{s,u}leb128 support to DWARF5
84cd0b20fada Kconfig.debug: add toolchain checks for DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT
371aaf6b48f5 Kconfig.debug: simplify the dependency of DEBUG_INFO_DWARF4/5
e1591557e3a0 drm/amd/display: Fix build breakage with CONFIG_DEBUG_FS=n
34f31a2b6679 net/ieee802154: don't warn zero-sized raw_sendmsg()
de904d0fe1cb Revert "net/ieee802154: reject zero-sized raw_sendmsg()"
9c65eef9d6c9 net: ethernet: ti: davinci_mdio: fix build for mdio bitbang uses
d7eadffce032 blk-wbt: fix that 'rwb->wc' is always set to 1 in wbt_init()
28787ff9fbea ALSA: usb-audio: Fix last interface check for registration
b8989e95d74e net: ieee802154: return -EINVAL for unknown addr type
0db2efb3bff8 mm: hugetlb: fix UAF in hugetlb_handle_userfault
98aada6e2278 io_uring/rw: fix unexpected link breakage
d6b7efc722a2 io_uring/rw: fix error'ed retry return values
e857457c6f90 io_uring/rw: fix short rw error handling
cd148d4e3183 io_uring: correct pinned_vm accounting
813d8fe5d303 io_uring/af_unix: defer registered files gc to io_uring release
c69a2324fc6b perf intel-pt: Fix segfault in intel_pt_print_info() with uClibc
e81bf40b280b clk: bcm2835: Round UART input clock up
da17cbb229af clk: bcm2835: Make peripheral PLLC critical
20b8c456df58 usb: idmouse: fix an uninit-value in idmouse_open
ec8adf767e1c nvmet-tcp: add bounds check on Transfer Tag
1c6432884010 nvme: copy firmware_rev on each init
b9b5560b342e ext2: Use kvmalloc() for group descriptor array
8c067a3051cd scsi: tracing: Fix compile error in trace_array calls when TRACING is disabled
39bef9c6a91b staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv()
b4573a2bad3c staging: rtl8723bs: fix potential memory leak in rtw_init_drv_sw()
eb24d93e3e01 Revert "usb: storage: Add quirk for Samsung Fit flash"
3a38985d8bfd usb: dwc3: core: Enable GUCTL1 bit 10 for fixing termination error after resume bug
9d4f84a15f9c arm64: dts: imx8mp: Add snps,gfladj-refclk-lpm-sel quirk to USB nodes
3c84c7f592c4 usb: musb: Fix musb_gadget.c rxstate overflow bug
fcd594da0b59 usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info()
9e86dffd0b02 md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d
f8e80792c1a8 eventfd: guard wake_up in eventfd fs calls as well
c61786dc727d HID: roccat: Fix use-after-free in roccat_read()
f7f425d61de9 soundwire: intel: fix error handling on dai registration issues
093a5463aeec soundwire: cadence: Don't overwrite msg->buf during write commands
1b4ed920b2ff bcache: fix set_at_max_writeback_rate() for multiple attached devices
eecb5ccc84a1 ata: libahci_platform: Sanity check the DT child nodes number
70b2adb1d698 blk-throttle: prevent overflow while calculating wait time
ff8551d411f1 staging: vt6655: fix potential memory leak
7c8bc374659d power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()
3d6946180734 iommu/arm-smmu-v3: Make default domain type of HiSilicon PTT device to identity
c0d73be0af8c nbd: Fix hung when signal interrupts nbd_start_device_ioctl()
9d54de866062 scsi: 3w-9xxx: Avoid disabling device if failing to enable it
d68da10b0cce dmaengine: ti: k3-udma: Reset UDMA_CHAN_RT byte counters to prevent overflow
518a2a1cc361 usb: host: xhci-plat: suspend/resume clks for brcm
f002aa7c0ac5 usb: host: xhci-plat: suspend and resume clocks
6bcd745c87a0 clk: zynqmp: pll: rectify rate rounding in zynqmp_pll_round_rate
5c32cbf6ccea media: platform: fix some double free in meson-ge2d and mtk-jpeg and s5p-mfc
6f21976095c1 media: cx88: Fix a null-ptr-deref bug in buffer_prepare()
0a07b13af04d clk: zynqmp: Fix stack-out-of-bounds in strncpy`
3680442cbaee ARM: 9242/1: kasan: Only map modules if CONFIG_KASAN_VMALLOC=n
4a89c0befca7 btrfs: don't print information about space cache or tree every remount
39a07058c762 btrfs: scrub: try to fix super block errors
f3857dd7c03a btrfs: dump extra info if one free space cache has more bitmaps than it should
d3c6d5be46de arm64: dts: imx8mq-librem5: Add bq25895 as max17055's power supply
82046b6a84e0 kselftest/arm64: Fix validatation termination record after EXTRA_CONTEXT
35365417333d ARM: dts: imx6sx: add missing properties for sram
602813650cbc ARM: dts: imx6sll: add missing properties for sram
6a12e1e23cb1 ARM: dts: imx6sl: add missing properties for sram
8c24dc621bb7 ARM: dts: imx6qp: add missing properties for sram
47666b9a11a1 ARM: dts: imx6dl: add missing properties for sram
19fe40c5185d ARM: dts: imx6q: add missing properties for sram
9361ba779152 ARM: dts: imx7d-sdb: config the max pressure for tsc2046
0f90671ff93f drm/amd/display: Remove interface for periodic interrupt 1
88fd06740659 drm/dp: Don't rewrite link config when setting phy test pattern
668806a8268b mmc: sdhci-msm: add compatible string check for sdm670
587c7da87721 drm/meson: explicitly remove aggregate driver at module unload time
d76ff04a72f9 drm/meson: reorder driver deinit sequence to fix use-after-free bug
d894db35617f drm/amdgpu: fix initial connector audio value
e3675f688d3b ASoC: SOF: pci: Change DMI match info to support all Chrome platforms
f16e1b7b3968 platform/x86: msi-laptop: Change DMI match / alias strings to fix module autoloading
39da49ffa2f3 platform/chrome: cros_ec: Notify the PM of wake events during resume
74636047845c drm: panel-orientation-quirks: Add quirk for Anbernic Win600
2810061452f9 drm/vc4: vec: Fix timings for VEC modes
0506c4eae9a9 ALSA: usb-audio: Register card at the last interface
39d7a81bbb7a drm: bridge: dw_hdmi: only trigger hotplug event on link change
dfbed8c92eb8 udmabuf: Set ubuf->sg = NULL if the creation of sg table fails
a47d92c74b1e drm/amd/display: fix overflow on MIN_I64 definition
a29f7427041a gpu: lontium-lt9611: Fix NULL pointer dereference in lt9611_connector_init()
5ff7bec678ca drm/komeda: Fix handling of atomic commits in the atomic_commit_tail hook
ca163e389f0a drm: Prevent drm_copy_field() to attempt copying a NULL pointer
df5ac9392648 drm: Use size_t type for len variable in drm_copy_field()
5ab84b1596b2 drm/nouveau/nouveau_bo: fix potential memory leak in nouveau_bo_alloc()
b3179865cf7e r8152: Rate limit overflow messages
d1e894f950ad Bluetooth: L2CAP: Fix user-after-free
124b7c773271 net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory
5b94d48898d9 hwmon: (sht4x) do not overflow clamping operation on 32-bit platforms
a269c3e39087 wifi: rt2x00: correctly set BBP register 86 for MT7620
b5e6ada5a5d6 wifi: rt2x00: set SoC wmac clock register
357c89074ae6 wifi: rt2x00: set VGC gain for both chains of MT7620
92e2e04da567 wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620
4304b8e07579 wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620
4a5eab200e43 can: bcm: check the result of can_send() in bcm_can_tx()
3423a50fa018 Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times
3ac837cef1fb Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create()
af46b2b9b096 wifi: mt76: mt7921: reset msta->airtime_ac while clearing up hw value
e33da263e965 regulator: core: Prevent integer underflow
d58c8781c0d7 Bluetooth: btintel: Mark Intel controller to support LE_STATES quirk
232d59eca07f wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()
37f15edba22d iavf: Fix race between iavf_close and iavf_reset_task
03155680191e xfrm: Update ipcomp_scratches with NULL when freed
716c526d666d thunderbolt: Add back Intel Falcon Ridge end-to-end flow control workaround
b1b4144508ad wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
839f563c5dc5 x86/mce: Retrieve poison range from hardware
1663629bc3ff tcp: annotate data-race around tcp_md5sig_pool_populated
7b03296b4f7a openvswitch: Fix overreporting of drops in dropwatch
ffd7a1dcae9a openvswitch: Fix double reporting of drops in dropwatch
d449d00a8dce net: ethernet: ti: davinci_mdio: Add workaround for errata i2329
624f03a027f2 ice: set tx_tstamps when creating new Tx rings via ethtool
2e52d858de3a bpftool: Clear errno after libcap's checks
75995ce1c926 wifi: brcmfmac: fix invalid address access when enabling SCAN log level
83b94969751a NFSD: fix use-after-free on source server when doing inter-server copy
118dc74b2bc0 NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data
066b1302f2a9 x86/entry: Work around Clang __bdos() bug
06c56c9d5da8 ACPI: x86: Add a quirk for Dell Inspiron 14 2-in-1 for StorageD3Enable
6733222f2cc9 ARM: decompressor: Include .data.rel.ro.local
561490843445 thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash
139bbbd01114 powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue
a1387ae83e97 MIPS: BCM47XX: Cast memcmp() of function to (void *)
c2790fede920 cpufreq: intel_pstate: Add Tigerlake support in no-HWP mode
30eca146c89d ACPI: tables: FPDT: Don't call acpi_os_map_memory() on invalid phys address
5374638222d0 ACPI: video: Add Toshiba Satellite/Portege Z830 quirk
7ed95b080334 rcu-tasks: Convert RCU_LOCKDEP_WARN() to WARN_ONCE()
cf38a05eb1d0 rcu: Back off upon fill_page_cache_func() allocation failure
3e2d8b89f031 rcu: Avoid triggering strict-GP irq-work when RCU is idle
27d3e646dd83 fs: dlm: fix race in lowcomms
b6b87460f4eb selftest: tpm2: Add Client.__del__() to close /dev/tpm* handle
497d736784e5 f2fs: fix to account FS_CP_DATA_IO correctly
fb1dcc2a9e4b f2fs: fix race condition on setting FI_NO_EXTENT flag
6ddbd411a00a ACPI: APEI: do not add task_work to kernel thread to avoid memory leak
21f1ba52b88c thermal/drivers/qcom/tsens-v0_1: Fix MSM8939 fourth sensor hw_id
172c8a24fc83 crypto: cavium - prevent integer overflow loading firmware
12acfa1059ad crypto: marvell/octeontx - prevent integer overflows
c963ce2fa05d kbuild: rpm-pkg: fix breakage when V=1 is used
059ce6b68b76 kbuild: remove the target in signal traps when interrupted
1e9c23db31b6 tracing/osnoise: Fix possible recursive locking in stop_per_cpu_kthreads
84795de93e1f tracing: kprobe: Make gen test module work in arm and riscv
867fce09aa20 tracing: kprobe: Fix kprobe event gen test module on exit
a9990f24adfe iommu/iova: Fix module config properly
f0cac6cc02a9 cifs: return correct error in ->calc_signature()
1f1ab76e2515 crypto: qat - fix DMA transfer direction
393307b99aac crypto: inside-secure - Change swab to swab32
93538944ab0b crypto: ccp - Release dma channels before dmaengine unrgister
779a9930f3e1 crypto: akcipher - default implementation for setting a private key
0c7043a5b5c3 iommu/omap: Fix buffer overflow in debugfs
046803b74d51 cgroup/cpuset: Enable update_tasks_cpumask() on top_cpuset
771d8aa02dac crypto: hisilicon/qm - fix missing put dfx access
9bf3ec61a246 crypto: qat - fix default value of WDT timer
3bfc220e5ce3 hwrng: imx-rngc - Moving IRQ handler registering after imx_rngc_irq_mask_clear()
507128a0e32d cgroup: Honor caller's cgroup NS when resolving path
8ffe511b7de7 hwrng: arm-smccc-trng - fix NO_ENTROPY handling
272093471305 crypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr
e0b4ebf59834 crypto: sahara - don't sleep when in softirq
8484023b5763 powerpc/pseries/vas: Pass hw_cpu_id to node associativity HCALL
7f536a8cb62d powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()
1f98f8f43541 powerpc: Fix SPE Power ISA properties for e500v1 platforms
72c5b7110fba powerpc/64s: Fix GENERIC_CPU build flags for PPC970 / G5
399afe92f640 x86/hyperv: Fix 'struct hv_enlightened_vmcs' definition
592b302d8bf6 powerpc: Fix fallocate and fadvise64_64 compat parameter combination
61af84b3db81 powerpc/powernv: add missing of_node_put() in opal_export_attrs()
5be9cb6c06fa powerpc/pci_dn: Add missing of_node_put()
5a13d3f1af1c powerpc/sysdev/fsl_msi: Add missing of_node_put()
b0c0490b3c57 powerpc/math_emu/efp: Include module.h
93379dc92de0 powerpc/configs: Properly enable PAPR_SCM in pseries_defconfig
25a4fb0e1a76 mailbox: bcm-ferxrm-mailbox: Fix error check for dma_map_sg
b8fcd9ab0f65 mailbox: mpfs: account for mbox offsets while sending
ba2264359525 mailbox: mpfs: fix handling of the reg property
fad007a315fe clk: ast2600: BCLK comes from EPLL
3441076f83aa clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe
9209e6bab75d clk: imx: scu: fix memleak on platform_device_add() fails
bdf72f2d649b clk: bcm2835: fix bcm2835_clock_rate_from_divisor declaration
e338131e980b clk: baikal-t1: Add SATA internal ref clock buffer
35b766027580 clk: baikal-t1: Add shared xGMAC ref/ptp clocks internal parent
b2db8b2c5391 clk: baikal-t1: Fix invalid xGMAC PTP clock divider
435a8a39c6ae clk: vc5: Fix 5P49V6901 outputs disabling when enabling FOD
b0bc75fe6775 spmi: pmic-arb: correct duplicate APID to PPID mapping logic
faabbb103d60 usb: mtu3: fix failed runtime suspend in host only mode
57f66534a41a dmaengine: ioat: stop mod_timer from resurrecting deleted timer in __cleanup()
8aa96c5bc393 clk: mediatek: mt8183: mfgcfg: Propagate rate changes to parent
2dafc5afd9d6 mfd: sm501: Add check for platform_driver_register()
d43d93dbd8aa mfd: fsl-imx25: Fix check for platform_get_irq() errors
b940bb3c8154 mfd: lp8788: Fix an error handling path in lp8788_irq_init() and lp8788_irq_init()
0715005c483e mfd: lp8788: Fix an error handling path in lp8788_probe()
aec1f073f91f mfd: fsl-imx25: Fix an error handling path in mx25_tsadc_setup_irq()
53bfc1c3c751 mfd: intel_soc_pmic: Fix an error handling path in intel_soc_pmic_i2c_probe()
2f921d62c236 fsi: core: Check error number after calling ida_simple_get
041c79f6aefb RDMA/rxe: Fix resize_finish() in rxe_queue.c
959d4ee095e9 clk: qcom: gcc-sm6115: Override default Alpha PLL regs
8e556f557368 clk: qcom: apss-ipq6018: mark apcs_alias0_core_clk as critical
a26b0658751b scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()
e87fb1fcf88f scsi: iscsi: Run recv path from workqueue
c2af03a7c1b5 scsi: iscsi: Add recv workqueue helpers
d6aafc21bef1 scsi: iscsi: Rename iscsi_conn_queue_work()
e45a1516d293 scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()
6a54f769748b serial: 8250: Fix restoring termios speed after suspend
a5dba0933834 firmware: google: Test spinlock on panic path to avoid lockups
60d14575d0ba slimbus: qcom-ngd-ctrl: allow compile testing without QCOM_RPROC_COMMON
f19e5b7df545 staging: vt6655: fix some erroneous memory clean-up loops
433c33c554d7 phy: qualcomm: call clk_disable_unprepare in the error handling
c4293def8860 tty: serial: fsl_lpuart: disable dma rx/tx use flags in lpuart_dma_shutdown
a91a3c2d8db8 serial: 8250: Toggle IER bits on only after irq has been set up
6be8e565a4a6 drivers: serial: jsm: fix some leaks in probe
1d05df7757f4 usb: gadget: function: fix dangling pnp_string in f_printer.c
ed2c66b75280 xhci: Don't show warning for reinit on known broken suspend
4d7d8f5cb284 IB: Set IOVA/LENGTH on IB_MR in core/uverbs layers
e221b4f16e9e RDMA/cm: Use SLID in the work completion as the DLID in responder side
7a37c58ee72e md/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk()
b467d9460ec2 md/raid5: Ensure stripe_fill happens on non-read IO with journal
5d8259c9d191 md: Replace snprintf with scnprintf
9e92d5ca5424 mtd: rawnand: meson: fix bit map use in meson_nfc_ecc_correct()
058833dbeb8d ata: fix ata_id_has_dipm()
dad910a6d4a5 ata: fix ata_id_has_ncq_autosense()
21faddeff7bf ata: fix ata_id_has_devslp()
204cc767dcb5 ata: fix ata_id_sense_reporting_enabled() and ata_id_has_sense_reporting()
5c75d608fad5 RDMA/siw: Fix QP destroy to wait for all references dropped.
308cd50f174c RDMA/siw: Always consume all skbuf data in sk_data_ready() upcall.
e58a0b9100ba RDMA/srp: Fix srp_abort()
dc9e4ef6b072 RDMA/irdma: Align AE id codes to correct flush code and event
84ce1a8e36bb mtd: rawnand: fsl_elbc: Fix none ECC mode
be424a7d5374 mtd: rawnand: intel: Remove undocumented compatible string
445395900b64 mtd: rawnand: intel: Read the chip-select line from the correct OF node
cbbf9cca47ac phy: phy-mtk-tphy: fix the phy type setting issue
e4be7c9495c8 phy: amlogic: phy-meson-axg-mipi-pcie-analog: Hold reference returned by of_get_parent()
88263152ff56 mtd: devices: docg3: check the return value of devm_ioremap() in the probe
a0e4ac698891 clk: qcom: sm6115: Select QCOM_GDSC
aecb632674b7 dyndbg: drop EXPORTed dynamic_debug_exec_queries
0d4421f2cb54 dyndbg: let query-modname override actual module name
0c0d9f38b087 dyndbg: fix module.dyndbg handling
49d85932f7d2 dyndbg: fix static_branch manipulation
7cb9b20941e1 dmaengine: hisilicon: Add multi-thread support for a DMA channel
b88630d9aac0 dmaengine: hisilicon: Fix CQ head update
e84aeeafe8b3 dmaengine: hisilicon: Disable channels when unregister hisi_dma
b94605f5cb99 fpga: prevent integer overflow in dfl_feature_ioctl_set_irq()
11bd8bbdf8f6 misc: ocxl: fix possible refcount leak in afu_ioctl()
c23c5e184550 RDMA/rxe: Fix the error caused by qp->sk
f2f405af70e6 RDMA/rxe: Fix "kernel NULL pointer dereference" error
2ea7caa96846 media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init
23624abbc9c6 media: uvcvideo: Use entity get_cur in uvc_ctrl_set
6c5da92103bd media: uvcvideo: Fix memory leak in uvc_gpio_parse
4e2042f1adc7 media: meson: vdec: add missing clk_disable_unprepare on error in vdec_hevc_start()
aeffca434426 tty: xilinx_uartps: Fix the ignore_status
a8d772c7b853 media: exynos4-is: fimc-is: Add of_node_put() when breaking out of loop
6225501072d3 HSI: omap_ssi_port: Fix dma_map_sg error check
691f23a8475f HSI: omap_ssi: Fix refcount leak in ssi_probe
d6e750535b46 clk: tegra20: Fix refcount leak in tegra20_clock_init
e7a57fb92af5 clk: tegra: Fix refcount leak in tegra114_clock_init
417ed4432b1b clk: tegra: Fix refcount leak in tegra210_clock_init
ca5f338ef165 clk: sprd: Hold reference returned by of_get_parent()
49343bdf95eb clk: berlin: Add of_node_put() for of_get_parent()
857b719bede4 clk: qoriq: Hold reference returned by of_get_parent()
a8cbce0305b2 clk: oxnas: Hold reference returned by of_get_parent()
e0001a565c16 clk: meson: Hold reference returned by of_get_parent()
e900ec4c4f74 usb: common: debug: Check non-standard control requests
c11f48764c8b RDMA/mlx5: Don't compare mkey tags in DEVX indirect mkey
cd35ad9a7d66 iio: magnetometer: yas530: Change data type of hard_offsets to signed
23fafc2e2cf6 iio: ABI: Fix wrong format of differential capacitance channel ABI.
8169da520e8f iio: inkern: fix return value in devm_of_iio_channel_get_by_name()
504e8807fe5f iio: inkern: only release the device node when done with it
b0d4fcc3ecb8 iio: adc: at91-sama5d2_adc: disable/prepare buffer on suspend/resume
5db9b840ac88 iio: adc: at91-sama5d2_adc: lock around oversampling and sample freq
c5c63736d2a1 iio: adc: at91-sama5d2_adc: check return status for pressure and touch
5f1654a0e520 iio: adc: at91-sama5d2_adc: fix AT91_SAMA5D2_MR_TRACKTIM_MAX
017cf3b0a628 ARM: dts: exynos: fix polarity of VBUS GPIO of Origen
6c93b683ceda arm64: ftrace: fix module PLTs with mcount
bbf64eb10273 ext4: don't run ext4lazyinit for read-only filesystems
7a00a2320752 ARM: Drop CMDLINE_* dependency on ATAGS
2af04fe87ea5 ARM: dts: exynos: correct s5k6a3 reset polarity on Midas family
2134214bc403 arm64: dts: ti: k3-j7200: fix main pinmux range
7247a1d7a46a soc/tegra: fuse: Drop Kconfig dependency on TEGRA20_APB_DMA
4f7892f24281 ia64: export memory_add_physaddr_to_nid to fix cxl build error
2ef01657b2d6 ARM: dts: kirkwood: lsxl: remove first ethernet port
bf7caa3c5caf ARM: dts: kirkwood: lsxl: fix serial line
42ce4c73a468 ARM: dts: turris-omnia: Fix mpp26 pin name and comment
96d8f2b43e72 ARM: dts: imx6qdl-kontron-samx6i: hook up DDC i2c bus
08ada28d1def soc: qcom: smem_state: Add refcounting for the 'state->of_node'
96e0028debdd soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()
a29b6eb959bd locks: fix TOCTOU race when granting write lease
7e053784c4c7 memory: of: Fix refcount leak bug in of_lpddr3_get_ddr_timings()
2680690f9ce4 memory: of: Fix refcount leak bug in of_get_ddr_timings()
566b143aa511 memory: pl353-smc: Fix refcount leak bug in pl353_smc_probe()
10df962300c2 ALSA: hda/hdmi: Don't skip notification handling during PM operation
cc756b79a5c9 ASoC: mt6660: Fix PM disable depth imbalance in mt6660_i2c_probe
f9cb3bd55726 ASoC: wm5102: Fix PM disable depth imbalance in wm5102_probe
b7dda65fa875 ASoC: wm5110: Fix PM disable depth imbalance in wm5110_probe
b2bc9fc56a3e ASoC: wm8997: Fix PM disable depth imbalance in wm8997_probe
3c3ef19a8870 mmc: wmt-sdmmc: Fix an error handling path in wmt_mci_probe()
b14dc262274b ALSA: dmaengine: increment buffer pointer atomically
f5f1f5ee5048 ASoC: da7219: Fix an error handling path in da7219_register_dai_clks()
f910aca07625 ASoC: codecs: tx-macro: fix kcontrol put
b47a37ad4a44 drm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl()
bdf54d4b0074 drm/msm/dp: correct 1.62G link rate at dp_catalog_ctrl_config_msa()
635e7700c5b4 drm/msm/dpu: index dpu_kms->hw_vbif using vbif_idx
4f859884673d ASoC: eureka-tlv320: Hold reference returned from of_find_xxx API
64545b8a9690 mmc: au1xmmc: Fix an error handling path in au1xmmc_probe()
3ba3814c00a4 drm/amdgpu: Fix memory leak in hpd_rx_irq_create_workqueue()
a5ce83e85d79 drm/omap: dss: Fix refcount leak bugs
f5f599daa0bc drm/bochs: fix blanking
928ac9fc1ace ALSA: hda: beep: Simplify keep-power-at-enable behavior
fbb88a7c84c1 ASoC: rsnd: Add check for rsnd_mod_power_on
4610e7a4111f drm/bridge: megachips: Fix a null pointer dereference bug
079c550c57ff drm/amdgpu: add missing pci_disable_device() in amdgpu_pmops_runtime_resume()
c12daccc9017 platform/chrome: cros_ec_typec: Correct alt mode index
c317d2b8a430 platform/x86: msi-laptop: Fix resource cleanup
0e21d41bc768 platform/x86: msi-laptop: Fix old-ec check for backlight registering
6bc81c1b6313 ASoC: tas2764: Fix mute/unmute
e644497c5361 ASoC: tas2764: Drop conflicting set_bias_level power setting
35bd912ed6c0 ASoC: tas2764: Allow mono streams
fd1d3b265784 platform/chrome: fix memory corruption in ioctl
27bb672c0437 platform/chrome: fix double-free in chromeos_laptop_prepare()
57dfb855bc9e ASoC: mt6359: fix tests for platform_get_irq() failure
8a475a7732a5 drm:pl111: Add of_node_put() when breaking out of for_each_available_child_of_node()
56d2233cf573 drm/dp_mst: fix drm_dp_dpcd_read return value checks
fe6eb3d0c874 drm/bridge: parade-ps8640: Fix regulator supply order
60630834fad3 drm/virtio: Correct drm_gem_shmem_get_sg_table() error handling
26c1b4cfe56f drm/mipi-dsi: Detach devices when removing the host
652042135e08 drm/bridge: Avoid uninitialized variable warning
f369fb4deed7 drm: bridge: adv7511: unregister cec i2c device after cec adapter
20609125b8bd drm: bridge: adv7511: fix CEC power down control register offset
a624161ebe0c net: mvpp2: fix mvpp2 debugfs leak
7aef5082c56e once: add DO_ONCE_SLOW() for sleepable contexts
77bfd26cbb61 net/ieee802154: reject zero-sized raw_sendmsg()
dc4e9cd6d6a6 net: wwan: iosm: Call mutex_init before locking it
0b6516a4e3eb bnx2x: fix potential memory leak in bnx2x_tpa_stop()
30bfa5aa7228 net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks()
f828333ca90f hwmon: (pmbus/mp2888) Fix sensors readouts for MPS Multi-phase mp2888 controller
c91b922b4170 spi: Ensure that sg_table won't be used after being freed
49d429760df7 tcp: fix tcp_cwnd_validate() to not forget is_cwnd_limited
19d636b663e0 sctp: handle the error returned from sctp_auth_asoc_init_active_key
7bfa18b05f38 mISDN: fix use-after-free bugs in l1oip timer handlers
6f1991a940b9 eth: alx: take rtnl_lock on resume
e28a4e7f0296 vhost/vsock: Use kvmalloc/kvfree for larger packets.
5dbdd690ed83 wifi: rtl8xxxu: Fix AIFS written to REG_EDCA_*_PARAM
432eecffcf1b spi: s3c64xx: Fix large transfers with DMA
1454a26cb1ab netfilter: nft_fib: Fix for rpath check with VRF devices
7d98b26684cb xfrm: Reinject transport-mode packets through workqueue
397e880acf44 Bluetooth: hci_core: Fix not handling link timeouts propertly
1331d3e1f9b5 i2c: mlxbf: support lock mechanism
9233ab8198d8 skmsg: Schedule psock work if the cached skb exists on the psock
44f1dc2e821d spi/omap100k:Fix PM disable depth imbalance in omap1_spi100k_probe
daa5239ea49f spi: dw: Fix PM disable depth imbalance in dw_spi_bt1_probe
6b941151865e x86/cpu: Include the header of init_ia32_feat_ctl()'s prototype
3c27a1380798 x86/microcode/AMD: Track patch allocation size explicitly
3e2b805a68ab wifi: ath11k: fix number of VHT beamformee spatial streams
5a6827cdc258 netfilter: conntrack: revisit the gc initial rescheduling bias
9c39ca418ba3 netfilter: conntrack: fix the gc rescheduling delay
b8917dce2134 Bluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure
c087c35292ea bpf: Ensure correct locking around vulnerable function find_vpid()
a0f15af17b7d net: fs_enet: Fix wrong check in do_pd_setup
ee7c5e814fb2 Bluetooth: RFCOMM: Fix possible deadlock on socket shutdown/release
57d4f2f8a67b wifi: mt76: mt7915: do not check state before configuring implicit beamform
dea9093f24d6 wifi: mt76: mt7615: add mt7615_mutex_acquire/release in mt7615_sta_set_decap_offload
817e8b75ae06 wifi: mt76: sdio: fix transmitting packet hangs
5dc095a37fbd wifi: rtl8xxxu: Remove copy-paste leftover in gen2_update_rate_mask
9973f78c19f3 wifi: rtl8xxxu: gen2: Fix mistake in path B IQ calibration
5d9222c68022 bpf: btf: fix truncated last_member_type_id in btf_struct_resolve
4ce47c5545d2 spi: meson-spicc: do not rely on busy flag in pow2 clk ops
36c484bac9ed wifi: rtl8xxxu: Fix skb misuse in TX queue selection
fefd2269e681 spi: qup: add missing clk_disable_unprepare on error in spi_qup_pm_resume_runtime()
e22f6499183d spi: qup: add missing clk_disable_unprepare on error in spi_qup_resume()
37005a948677 selftests/xsk: Avoid use-after-free on ctx
69995c64e50e wifi: rtw88: add missing destroy_workqueue() on error path in rtw_core_init()
6f9484e969cb wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()
d091771f511d Bluetooth: btusb: mediatek: fix WMT failure during runtime suspend
f91e25cfa553 bpf: Use this_cpu_{inc|dec|inc_return} for bpf_task_storage_busy
0e1342510490 bpf: Propagate error from htab_lock_bucket() to userspace
0b00c6130c1a bpf: Disable preemption when increasing per-cpu map_locked
68ab7690332a xsk: Fix backpressure mechanism on Tx
0559a6d96a99 x86/resctrl: Fix to restore to original value when re-enabling hardware prefetch register
e962e458bf96 spi: mt7621: Fix an error message in mt7621_spi_probe()
0a16bbc8b030 bpftool: Fix a wrong type cast in btf_dumper_int
6e8eadfa9bb1 wifi: mac80211: allow bw change during channel switch in mesh
4ed5155043c9 bpf: Fix reference state management for synchronous callbacks
3d0a101e7139 leds: lm3601x: Don't use mutex after it was destroyed
54a3201f3c1f wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()
714536ff6f6c wifi: rtlwifi: 8192de: correct checking of IQK reload
80a474502ef5 NFSD: Fix handling of oversized NFSv4 COMPOUND requests
dc7f225090c2 NFSD: Protect against send buffer overflow in NFSv2 READDIR
cedaf73c8bda SUNRPC: Fix svcxdr_init_encode's buflen calculation
6b55707ff8b2 SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation
aed881630557 nfsd: Fix a memory leak in an error handling path
5c4b234c44cb objtool: Preserve special st_shndx indexes in elf_update_symbol
425a2a9469d2 ARM: 9247/1: mm: set readonly for MT_MEMORY_RO with ARM_LPAE
2647b20e043c ARM: 9244/1: dump: Fix wrong pg_level in walk_pmd()
93296e7ab774 MIPS: SGI-IP27: Fix platform-device leak in bridge_platform_create()
993b13abde17 MIPS: SGI-IP27: Free some unused memory
959855093f94 sh: machvec: Use char[] for section boundaries
91fafd22f852 thermal: cpufreq_cooling: Check the policy first in cpufreq_cooling_register()
81fb3ee298d5 ntfs3: rework xattr handlers and switch to POSIX ACL VFS helpers
33d478eee2b5 userfaultfd: open userfaultfds with O_RDONLY
10918ebecdc9 ima: fix blocking of security.ima xattrs of unsupported algorithms
b7af9b8be891 selinux: use "grep -E" instead of "egrep"
73b8218ef4aa smb3: must initialize two ACL struct fields to zero
adf428ae46be drm/amd/display: Fix vblank refcount in vrr transition
60a517452560 drm/i915: Fix watermark calculations for gen12+ CCS+CC modifier
01bd3eaa5371 drm/i915: Fix watermark calculations for gen12+ MC CCS modifier
20018a252f19 drm/i915: Fix watermark calculations for gen12+ RC CCS modifier
861f085f81fd drm/nouveau: fix a use-after-free in nouveau_gem_prime_import_sg_table()
446d40e2a8cb drm/nouveau/kms/nv140-: Disable interlacing
4dab0d27a421 staging: greybus: audio_helper: remove unused and wrong debugfs usage
28eb4bdb23e2 KVM: VMX: Drop bits 31:16 when shoving exception error code into VMCS
4f7b1e7d0f36 KVM: nVMX: Don't propagate vmcs12's PERF_GLOBAL_CTRL settings to vmcs02
be1a6a61f1b3 KVM: nVMX: Unconditionally purge queued/injected events on nested "exit"
379de01906eb KVM: x86/emulator: Fix handing of POP SS to correctly set interruptibility
e3e5baa36879 blk-wbt: call rq_qos_add() after wb_normal is initialized
e8e0a6f4b8a2 media: cedrus: Fix endless loop in cedrus_h265_skip_bits()
b76fac61c33f media: cedrus: Set the platform driver data earlier
b19254eadab3 efi: libstub: drop pointless get_memory_map() call
5cda4a11b490 thunderbolt: Explicitly enable lane adapter hotplug events at startup
d9c79fbcbdb6 tracing: Fix reading strings from synthetic events
b9ab154d22b8 tracing: Add "(fault)" name injection to kernel probes
8ae88c4842c2 tracing: Move duplicate code of trace_kprobe/eprobe.c into header
84f4be2093e1 tracing: Add ioctl() to force ring buffer waiters to wake up
32eb54a986f4 tracing: Wake up waiters when tracing is disabled
2475de2bc0de tracing: Wake up ring buffer waiters on closing of the file
48272aa48d80 tracing: Disable interrupt or preemption before acquiring arch_spinlock_t
d4ab9bc5f56e ring-buffer: Fix race between reset page and reading page
be60f698c276 ring-buffer: Add ring_buffer_wake_waiters()
5201dd81aef7 ring-buffer: Check pending waiters when doing wake ups as well
bc6d4e9d6484 ring-buffer: Have the shortest_full queue be the shortest not longest
e8d116738514 ring-buffer: Allow splice to read previous partially read pages
fb96b7489fbd ftrace: Properly unset FTRACE_HASH_FL_MOD
31dc1727c103 livepatch: fix race between fork and KLP transition
36997b75bbb3 ext4: update 'state->fc_regions_size' after successful memory allocation
417b0455a0b6 ext4: fix potential memory leak in ext4_fc_record_regions()
9b5eb368a86f ext4: fix potential memory leak in ext4_fc_record_modified_inode()
ef1607c99136 ext4: fix miss release buffer head in ext4_fc_write_inode
d29fa1ab4e62 ext4: fix dir corruption when ext4_dx_add_entry() fails
d12471b41674 ext4: place buffer head allocation before handle start
46e5f470a144 ext4: ext4_read_bh_lock() should submit IO if the buffer isn't uptodate
1f5e643b3829 ext4: don't increase iversion counter for ea_inodes
dd366295d1ec ext4: fix check for block being out of directory size
4a967fe8b043 ext4: make ext4_lazyinit_thread freezable
533c60a0b97c ext4: fix null-ptr-deref in ext4_write_info
d8e4af8314df ext4: avoid crash when inline data creation follows DIO write
56fcd0788f0d jbd2: add miss release buffer head in fc_do_one_pass()
d11d2ded2939 jbd2: fix potential use-after-free in jbd2_fc_wait_bufs
e7385c868ee0 jbd2: fix potential buffer head reference count leak
d87fe290a533 jbd2: wake up journal waiters in FIFO order, not LIFO
7434626c5eaa hardening: Remove Clang's enable flag for -ftrivial-auto-var-init=zero
095493833b18 hardening: Avoid harmless Clang option under CONFIG_INIT_STACK_ALL_ZERO
73687c53919f f2fs: fix to do sanity check on summary info
ed854f10e6af f2fs: fix to do sanity check on destination blkaddr during recovery
7f10357c9046 f2fs: increase the limit for reserve_root
0035b84223de f2fs: flush pending checkpoints when freezing super
ab4958975490 f2fs: complete checkpoints during remount
0a408c6212c1 btrfs: set generation before calling btrfs_clean_tree_block in btrfs_init_new_buffer
4b996a3014ef btrfs: fix race between quota enable and quota rescan ioctl
0d9423034308 fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE
95a520b591c9 ksmbd: Fix user namespace mapping
a19f316406ea ksmbd: Fix wrong return value and message length check in smb2_ioctl()
39b685562825 ksmbd: fix endless loop when encryption for response fails
2b0897e33682 fbdev: smscufx: Fix use-after-free in ufx_ops_open()
aa7b2c927e4e pinctrl: rockchip: add pinmux_ops.gpio_set_direction callback
5d97378b3626 gpio: rockchip: request GPIO mux to pinctrl when setting direction
e0b1c16fdadd scsi: qedf: Populate sysfs attributes for vport
1d567179f277 slimbus: qcom-ngd: cleanup in probe error path
fa0aab2e45f0 slimbus: qcom-ngd: use correct error in message of pdr_add_lookup() failure
ba2159df1806 powerpc/boot: Explicitly disable usage of SPE instructions
9df2a9cdad5b powercap: intel_rapl: Use standard Energy Unit for SPR Dram RAPL domain
75d9de25a6f8 NFSD: Protect against send buffer overflow in NFSv3 READ
2be9331ca606 NFSD: Protect against send buffer overflow in NFSv2 READ
071a076fd1b7 NFSD: Protect against send buffer overflow in NFSv3 READDIR
209a94c5192b serial: 8250: Request full 16550A feature probing for OxSemi PCIe devices
63a3d75cf18c serial: 8250: Let drivers request full 16550A feature probing
26e5c79e673c PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridge
7c16d0a4e6a4 xen/gntdev: Accommodate VMA splitting
1cb73704cb47 xen/gntdev: Prevent leaking grants
43bed0a13a5c mm/mmap: undo ->mmap() when arch_validate_flags() fails
2b0072d33eb6 mm/damon: validate if the pmd entry is present before accessing
91c4eb16e804 arm64: errata: Add Cortex-A55 to the repeat tlbi list
fc0f921b7e6e drm/udl: Restore display mode on resume
064093472524 drm/virtio: Use appropriate atomic state in virtio_gpu_plane_cleanup_fb()
fb3910436be4 drm/virtio: Unlock reservations on virtio_gpu_object_shmem_init() error
f122bcb34f1a drm/virtio: Check whether transferred 2D BO is shmem
a95fb5d55af0 dmaengine: mxs: use platform_driver_register
e7a3334e83f9 Revert "drm/amdgpu: use dirty framebuffer helper"
4bdedc3b5341 nvme-pci: set min_align_mask before calculating max_hw_sectors
32aa0b3f0c06 nvme-multipath: fix possible hang in live ns resize with ANA access
9391cc3a787a nvmem: core: Fix memleak in nvmem_register()
7efe61dc6aa4 UM: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
81ab826a285d riscv: Pass -mno-relax only on lld < 15.0.0
7780bb02a069 riscv: always honor the CONFIG_CMDLINE_FORCE when parsing dtb
c657b70e8074 riscv: Make VM_WRITE imply VM_READ
3c3c4fa118a4 riscv: Allow PROT_WRITE-only mmap()
af3aaee08df8 parisc: fbdev/stifb: Align graphics memory size to 4MB
dc235db7b79a RISC-V: Make port I/O string accessors actually work
8c487db000fd riscv: topology: fix default topology reporting
d46c24f307fb arm64: topology: move store_cpu_topology() to shared code
fcf0f6cbb653 regulator: qcom_rpm: Fix circular deferral regression
78d81a8a8ce1 net: thunderbolt: Enable DMA paths only after rings are enabled
3281e81ce90c hwmon: (gsc-hwmon) Call of_node_get() before of_find_xxx API
e1ab98ec2bc9 ASoC: wcd934x: fix order of Slimbus unprepare/disable
a2140a9922d1 ASoC: wcd9335: fix order of Slimbus unprepare/disable
d0507b36da9f platform/chrome: cros_ec_proto: Update version on GET_NEXT_EVENT failure
fcfeecca153d quota: Check next/prev free block number after reading from quota file
17214cfab73b HID: multitouch: Add memory barriers
219e4a0f9d68 fs: dlm: handle -EBUSY first in lock arg validation
34ed22dd2860 fs: dlm: fix race between test_bit() and queue_work()
7fa5304c4b5b i2c: designware: Fix handling of real but unexpected device interrupts
f9effcefa8be mmc: sdhci-sprd: Fix minimum clock limit
a4df91a88c3f can: kvaser_usb_leaf: Fix CAN state after restart
0c28c2c0cfa2 can: kvaser_usb_leaf: Fix TX queue out of sync after restart
b8c4f6345e0e can: kvaser_usb_leaf: Fix overread with an invalid command
de4434d6823c can: kvaser_usb: Fix use of uninitialized completion
354d768e315d usb: add quirks for Lenovo OneLink+ Dock
103b459590e1 xhci: dbc: Fix memory leak in xhci_alloc_dbc()
39f4c90b9995 iio: pressure: dps310: Reset chip after timeout
bc493cd75466 iio: pressure: dps310: Refactor startup procedure
5f6bfc1926bb iio: adc: ad7923: fix channel readings for some variants
1be580ed8403 iio: ltc2497: Fix reading conversion results
ef4018707df8 iio: dac: ad5593r: Fix i2c read protocol requirements
60480291c1fc cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message
0d814a2199cf cifs: destage dirty pages before re-reading them for cache=none
15993e9a9b12 hv_netvsc: Fix race between VF offering and VF association message from host
f9dc33f23153 io_uring/net: don't update msg_name if not provided
a1bd289c10ac mtd: rawnand: atmel: Unmap streaming DMA mappings
3e4d2375d154 ALSA: hda/realtek: Add Intel Reference SSID to support headset keys
41e83faf036c ALSA: hda/realtek: Add quirk for ASUS GV601R laptop
c01f385c70db ALSA: hda/realtek: Correct pin configs for ASUS G533Z
0d50e05ecc2c ALSA: hda/realtek: remove ALC289_FIXUP_DUAL_SPK for Dell 5530
ec439b97d983 ALSA: usb-audio: Fix NULL dererence at error path
0672215994e2 ALSA: usb-audio: Fix potential memory leaks
550ca3082ebd ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free()
45899fae65e5 ALSA: oss: Fix potential deadlock at unregistration
5ca155aa79e9 Revert "fs: check FMODE_LSEEK to control internal pipe splicing"
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 865633976508a3af002a68f0c68d36a74ce6b53c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../linux/linux-yocto-rt_5.15.bb | 6 ++---
.../linux/linux-yocto-tiny_5.15.bb | 6 ++---
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +++++++++----------
3 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
index 414f7abbc5..215a14c826 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "cf39c84e1a884fcd4802640d20142bb506e9d3d0"
-SRCREV_meta ?= "74e1a21c730b600c344804c1bc775a6a2ee7b8e6"
+SRCREV_machine ?= "8cd14c788563009eeb88f1c5ffb0c0d8bad59943"
+SRCREV_meta ?= "a120c990509eccdaa613b264a4f6c187277548df"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.15.74"
+LINUX_VERSION ?= "5.15.76"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
index 3b85967ca2..bbbca44b76 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
@@ -5,7 +5,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.15.74"
+LINUX_VERSION ?= "5.15.76"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -14,8 +14,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "61a508a44ed255900245d81ebe11bb5916e3145c"
-SRCREV_meta ?= "74e1a21c730b600c344804c1bc775a6a2ee7b8e6"
+SRCREV_machine ?= "f7afe3f65c15cc4d211ab30bc981493fd5b7d3a0"
+SRCREV_meta ?= "a120c990509eccdaa613b264a4f6c187277548df"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.15.bb b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
index 99b5c054f3..f542b3cb11 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
@@ -13,24 +13,24 @@ KBRANCH:qemux86 ?= "v5.15/standard/base"
KBRANCH:qemux86-64 ?= "v5.15/standard/base"
KBRANCH:qemumips64 ?= "v5.15/standard/mti-malta64"
-SRCREV_machine:qemuarm ?= "af0268ca8969a472d1263e83b0a78f00834b700e"
-SRCREV_machine:qemuarm64 ?= "08b455a0e020e52340bde98e4942eaf43eb12554"
-SRCREV_machine:qemumips ?= "6f7b375ea6a2736168056e6133d01aaea592e696"
-SRCREV_machine:qemuppc ?= "73b9bd277094cae3d4b39b24f79f6e29b7518fc6"
-SRCREV_machine:qemuriscv64 ?= "f0bee94053065c7cb8eacadfdd6bf739a2042b35"
-SRCREV_machine:qemuriscv32 ?= "f0bee94053065c7cb8eacadfdd6bf739a2042b35"
-SRCREV_machine:qemux86 ?= "f0bee94053065c7cb8eacadfdd6bf739a2042b35"
-SRCREV_machine:qemux86-64 ?= "f0bee94053065c7cb8eacadfdd6bf739a2042b35"
-SRCREV_machine:qemumips64 ?= "33e8f888ab9242ea807b722c0982e871edc3339f"
-SRCREV_machine ?= "f0bee94053065c7cb8eacadfdd6bf739a2042b35"
-SRCREV_meta ?= "74e1a21c730b600c344804c1bc775a6a2ee7b8e6"
+SRCREV_machine:qemuarm ?= "d7819ee61a286d4271fbb9aa8881ec6e70cdbe11"
+SRCREV_machine:qemuarm64 ?= "38180346106d8eb46aca94bf01228fc75d4b70fa"
+SRCREV_machine:qemumips ?= "d774a943b853ed0047169ce6d71249a0f8b77307"
+SRCREV_machine:qemuppc ?= "527f0c70315df84882792510ebf2e778c5980266"
+SRCREV_machine:qemuriscv64 ?= "d2f773f779186759d9b9a6c403fd8d533a0bff6c"
+SRCREV_machine:qemuriscv32 ?= "d2f773f779186759d9b9a6c403fd8d533a0bff6c"
+SRCREV_machine:qemux86 ?= "d2f773f779186759d9b9a6c403fd8d533a0bff6c"
+SRCREV_machine:qemux86-64 ?= "d2f773f779186759d9b9a6c403fd8d533a0bff6c"
+SRCREV_machine:qemumips64 ?= "980c0d78ca192b2d0e63753ff6c5daba7b9e37de"
+SRCREV_machine ?= "d2f773f779186759d9b9a6c403fd8d533a0bff6c"
+SRCREV_meta ?= "a120c990509eccdaa613b264a4f6c187277548df"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
# meta SRCREV as the linux-yocto-standard builds. Select your version using the
# normal PREFERRED_VERSION settings.
BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "a3f2f5ac9d61e973e383f17a95cf2aa384e2d0c4"
+SRCREV_machine:class-devupstream ?= "4f5365f77018349d64386b202b37e8b737236556"
PN:class-devupstream = "linux-yocto-upstream"
KBRANCH:class-devupstream = "v5.15/base"
@@ -38,7 +38,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.15.74"
+LINUX_VERSION ?= "5.15.76"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 14/23] linux-yocto/5.15: update to v5.15.78
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (12 preceding siblings ...)
2022-12-01 14:27 ` [OE-core][kirkstone 13/23] linux-yocto/5.15: update to v5.15.76 Steve Sakoman
@ 2022-12-01 14:27 ` Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 15/23] linux-yocto/5.15: fix CONFIG_CRYPTO_CCM mismatch warnings Steve Sakoman
` (8 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:27 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating to the latest korg -stable release that comprises
the following commits:
509a32764e1a Linux 5.15.78
7038af4ce951 wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker()
b66617cc3c2f drm/i915/sdvo: Setup DDC fully before output init
73d52322c4af drm/i915/sdvo: Filter out invalid outputs more sensibly
2219b6aad345 drm/rockchip: dsi: Force synchronous probe
dd955eb4e616 drm/rockchip: dsi: Clean up 'usage_mode' when failing to attach
cfa8a89af9f2 cifs: fix regression in very old smb1 mounts
3189de0ac310 ext4,f2fs: fix readahead of verity data
a663e6ab17a2 tee: Fix tee_shm_register() for kernel TEE drivers
d46db722a0af KVM: x86: emulator: update the emulation mode after CR0 write
942aec252b23 KVM: x86: emulator: update the emulation mode after rsm
9df4bb7b3863 KVM: x86: emulator: introduce emulator_recalc_and_set_mode
311f1e51a290 KVM: x86: emulator: em_sysexit should update ctxt->mode
37a03de2d0c5 KVM: arm64: Fix bad dereference on MTE-enabled systems
167dca5e210b KVM: VMX: fully disable SGX if SECONDARY_EXEC_ENCLS_EXITING unavailable
19c2b2ffbeec KVM: x86: Mask off reserved bits in CPUID.8000001FH
553fd40d3bf7 KVM: x86: Mask off reserved bits in CPUID.80000001H
006366b96c16 KVM: x86: Mask off reserved bits in CPUID.80000008H
fc796fd861fa KVM: x86: Mask off reserved bits in CPUID.8000001AH
ef7716398a78 KVM: x86: Mask off reserved bits in CPUID.80000006H
a88998446b6d x86/syscall: Include asm/ptrace.h in syscall_wrapper header
999cff2b6ce3 ext4: fix BUG_ON() when directory entry has invalid rec_len
0a43c015e981 ext4: fix warning in 'ext4_da_release_space'
ada82803a773 parisc: Avoid printing the hardware path twice
081ff43a7786 parisc: Export iosapic_serial_irq() symbol for serial port driver
5daf985dd0f3 parisc: Make 8250_gsc driver dependend on CONFIG_PARISC
425fe99771bf perf/x86/intel: Fix pebs event constraints for SPR
4613a450172e perf/x86/intel: Add Cooper Lake stepping to isolation_ucodes[]
7de3fe6a1354 perf/x86/intel: Fix pebs event constraints for ICL
71d6c33fe223 arm64: entry: avoid kprobe recursion
52be536155f5 efi: random: Use 'ACPI reclaim' memory for random seed
83b5ec7ee82d efi: random: reduce seed size to 32 bytes
0417f70b8588 fuse: add file_modified() to fallocate
2de8eec8afb7 capabilities: fix potential memleak on error path from vfs_getxattr_alloc()
bd07f8067b35 tracing/histogram: Update document for KEYS_MAX size
27b4406f9c35 tools/nolibc/string: Fix memcmp() implementation
b5074df412bf ring-buffer: Check for NULL cpu_buffer in ring_buffer_wake_waiters()
85f3caa95579 kprobe: reverse kp->flags when arm_kprobe failed
d1b6a8e3414a tracing: kprobe: Fix memory leak in test_gen_kprobe/kretprobe_cmd()
828577e0baaf tcp/udp: Make early_demux back namespacified.
88561a66777e ftrace: Fix use-after-free for dynamic ftrace_ops
450d7480705e btrfs: fix type of parameter generation in btrfs_get_dentry
007058eb8292 btrfs: fix tree mod log mishandling of reallocated nodes
336fdd295c14 btrfs: fix lost file sync on direct IO write with nowait and dsync iocb
cff805b1518f fscrypt: fix keyring memory leak on mount failure
e6f4fd85ef1e fscrypt: stop using keyrings subsystem for fscrypt_master_key
3975affcf55f af_unix: Fix memory leaks of the whole sk due to OOB skb.
4302806dbfea block, bfq: protect 'bfqd->queued' by 'bfqd->lock'
3e4697ffdfbb Bluetooth: L2CAP: Fix attempting to access uninitialized memory
81035e1201e2 Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
d78ccdce662e i2c: piix4: Fix adapter not be removed in piix4_remove()
c76ff8ae113f arm64: dts: juno: Add thermal critical trip points
7398435e616d firmware: arm_scmi: Fix devres allocation device in virtio transport
3653cdc21b9e firmware: arm_scmi: Make Rx chan_setup fail on memory errors
e514d67b2364 firmware: arm_scmi: Suppress the driver's bind attributes
4e68c5da60cd block: Fix possible memory leak for rq_wb on add_disk failure
bf822b6980a6 arm64: dts: ls208xa: specify clock frequencies for the MDIO controllers
f2329886e567 arm64: dts: ls1088a: specify clock frequencies for the MDIO controllers
33fcc55dbc5b arm64: dts: lx2160a: specify clock frequencies for the MDIO controllers
f3429a1e4924 arm64: dts: imx8: correct clock order
de2a83186ad3 ARM: dts: imx6qdl-gw59{10,13}: fix user pushbutton GPIO offset
cb9ce8910a6f clk: qcom: Update the force mem core bit for GPU clocks
bdc118249698 efi/tpm: Pass correct address to memblock_reserve
3a4d6f165eac i2c: xiic: Add platform module alias
62eea4014a9b drm/amdgpu: set vm_update_mode=0 as default for Sienna Cichlid in SRIOV case
7a2547cac2e0 HID: saitek: add madcatz variant of MMO7 mouse device ID
931c97a54cd1 scsi: core: Restrict legal sdev_state transitions via sysfs
c50ec15725e0 ACPI: APEI: Fix integer overflow in ghes_estatus_pool_init()
8ecd1db58b7a media: v4l: subdev: Fail graciously when getting try data for NULL state
f96ad391d054 media: meson: vdec: fix possible refcount leak in vdec_probe()
8b785cdcd3cb media: dvb-frontends/drxk: initialize err to 0
73dfb6421338 media: cros-ec-cec: limit msg.len to CEC_MAX_MSG_SIZE
cbfa26936f31 media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE
647c12c47ee0 media: rkisp1: Zero v4l2_subdev_format fields in when validating links
abbeb8f7271b media: rkisp1: Use correct macro for gradient registers
03b30e5a369d media: rkisp1: Initialize color space on resizer sink and source pads
d58b6b665c88 media: rkisp1: Don't pass the quantization to rkisp1_csm_config()
0e501fd0f38e s390/cio: fix out-of-bounds access on cio_ignore free
c65cc569370c s390/cio: derive cdev information only for IO-subchannels
c64be93f1e51 s390/boot: add secure boot trailer
1cdaca8f00a7 s390/uaccess: add missing EX_TABLE entries to __clear_user()
509cbbdec9d7 mtd: parsers: bcm47xxpart: Fix halfblock reads
5b8797e9dbf7 mtd: parsers: bcm47xxpart: print correct offset on read error
2f07635876bd fbdev: stifb: Fall back to cfb_fillrect() on 32-bit HCRX cards
154934c74f97 video/fbdev/stifb: Implement the stifb_fillrect() function
b524b41806e9 drm/msm/hdmi: fix IRQ lifetime
c55dd6200131 drm/msm/hdmi: Remove spurious IRQF_ONESHOT flag
d153d468c43d vsock: fix possible infinite sleep in vsock_connectible_wait_data()
0ed71af4d017 ipv6: fix WARNING in ip6_route_net_exit_late()
2b45d6d0c41c net, neigh: Fix null-ptr-deref in neigh_table_clear()
61defd6450a9 net/smc: Fix possible leaked pernet namespace in smc_init()
de889774273f stmmac: dwmac-loongson: fix invalid mdio_node
535b78739ae7 ibmvnic: Free rwi on reset success
985a88bf0b27 net: mdio: fix undefined behavior in bit shift for __mdiobus_register
aa16cac06b75 Bluetooth: L2CAP: Fix memory leak in vhci_write
a3a7b2ac64de Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()
cf2719a21fdb Bluetooth: virtio_bt: Use skb_put to set length
8278a87bb1ee Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu
42d20d5e2457 netfilter: ipset: enforce documented limit to prevent allocating huge memory
f46ea5fa3320 btrfs: fix ulist leaks in error paths of qgroup self tests
222a3d533027 btrfs: fix inode list leak during backref walking at find_parent_nodes()
6ba3479f9e96 btrfs: fix inode list leak during backref walking at resolve_indirect_refs()
a80634f392af isdn: mISDN: netjet: fix wrong check of device registration
029d5b7688a2 mISDN: fix possible memory leak in mISDN_register_device()
3e2129c67dac rose: Fix NULL pointer dereference in rose_send_frame()
06d7596d1872 ipvs: fix WARNING in ip_vs_app_net_cleanup()
5ee2d6b726b0 ipvs: fix WARNING in __ip_vs_cleanup_batch()
33e7783bc07e ipvs: use explicitly signed chars
6044791b7be7 netfilter: nf_tables: release flow rule object from commit path
1ffe7100411a netfilter: nf_tables: netlink notifier might race to release objects
dcc79cf735b8 net: tun: fix bugs for oversize packet when napi frags enabled
fc4b50adb400 net: sched: Fix use after free in red_enqueue()
ab80025ea7ac ata: pata_legacy: fix pdc20230_set_piomode()
dede9ba02705 net: fec: fix improper use of NETDEV_TX_BUSY
5dfdac5e3f8d nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send()
7486f5c90078 nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send()
3cba1f061bfe nfc: nxp-nci: Fix potential memory leak in nxp_nci_send()
44bc1868a4f5 nfc: fdp: Fix potential memory leak in fdp_nci_send()
4bef9a89f2f5 net: dsa: fall back to default tagger if we can't load the one from DT
06f9e0b37f7e RDMA/qedr: clean up work queue on failure in qedr_alloc_resources()
6b3d5dcb1234 RDMA/core: Fix null-ptr-deref in ib_core_cleanup()
9f555b1584fc net: dsa: Fix possible memory leaks in dsa_loop_init()
24641993a7dc nfs4: Fix kmemleak when allocate slot failed
0797c85433cc NFSv4.2: Fixup CLONE dest file size for zero-length count
d59722d088a9 SUNRPC: Fix null-ptr-deref when xps sysfs alloc failed
dea7ef05deea NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot
7b1c2458dec1 NFSv4.1: Handle RECLAIM_COMPLETE trunking errors
4ec017e30089 NFSv4: Fix a potential state reclaim deadlock
e3e53c5af563 RDMA/hns: Disable local invalidate operation
85ab79ac9413 RDMA/hns: Use hr_reg_xxx() instead of remaining roce_set_xxx()
be16cc7abdae RDMA/hns: Remove magic number
ba95409d6b58 IB/hfi1: Correctly move list in sc_disable()
484d9690370e RDMA/cma: Use output interface for net_dev check
f7d9de8a0d33 KVM: x86: Add compat handler for KVM_X86_SET_MSR_FILTER
b7b66f13ac09 KVM: x86: Copy filter arg outside kvm_vm_ioctl_set_msr_filter()
0c60fa7f5518 KVM: x86: Protect the unused bits in MSR exiting flags
ad8e4868dd16 HID: playstation: add initial DualSense Edge controller support
3a44ae4afaa5 mm/hugetlb: fix races when looking up a CONT-PTE/PMD size hugetlb page
8576d7edeaa5 drm/amd/display: explicitly disable psr_feature_enable appropriately
058b3a11f748 KVM: x86: Treat #DBs from the emulator as fault-like (code and DR7.GD=1)
9ee32892c767 KVM: x86: Trace re-injected exceptions
0c9c1306d6bd serial: ar933x: Deassert Transmit Enable on ->rs485_config()
21d65b351691 scsi: lpfc: Rework MIB Rx Monitor debug info logic
d70705e131d6 scsi: lpfc: Adjust CMF total bytes and rxmonitor
9ebc6e8ad13b scsi: lpfc: Adjust bytes received vales during cmf timer interval
793d8378b74a Linux 5.15.77
1401e9336beb tcp/udp: Fix memory leak in ipv6_renew_options().
b079d3775237 serial: Deassert Transmit Enable on probe in driver-specific way
63f75fea3a72 serial: core: move RS485 configuration tasks from drivers into core
0753069d4431 can: rcar_canfd: rcar_canfd_handle_global_receive(): fix IRQ storm on global FIFO receive
17ff99e2240c can: rcar_canfd: fix channel specific IRQ handling for RZ/G2L
aad798a0b39c scsi: sd: Revert "scsi: sd: Remove a local variable"
52c2329147cf arm64: Add AMPERE1 to the Spectre-BHB affected list
5397ea6a08a5 net: enetc: survive memory pressure without crashing
885a454e97c4 kcm: do not sense pfmemalloc status in kcm_sendpage()
92b4c5c3fa81 net: do not sense pfmemalloc status in skb_append_pagefrags()
ae1b08592edf net/mlx5: Fix crash during sync firmware reset
37ada47d019b net/mlx5: Update fw fatal reporter state on PCI handlers successful recover
9e6523d06a09 net/mlx5: Print more info on pci error handlers
ab3de780c176 net/mlx5: Fix possible use-after-free in async command interface
8bbff203e306 net/mlx5e: Extend SKB room check to include PTP-SQ
ee1c0ca1af7c net/mlx5e: Do not increment ESN when updating IPsec ESN state
eefa97a7a001 netdevsim: remove dir in nsim_dev_debugfs_init() when creating ports dir failed
c9589e18a60c net: broadcom: bcm4908_enet: update TX stats after actual transmission
9711616a4908 net: broadcom: bcm4908enet: remove redundant variable bytes
b317d53680b1 nh: fix scope used to find saddr when adding non gw nh
2ad284ac8866 net: bcmsysport: Indicate MAC is in charge of PHY PM
d1cfa71d5b68 net: ehea: fix possible memory leak in ehea_register_port()
588bdd7ee48f openvswitch: switch from WARN to pr_warn
9a1c1df9255b ALSA: aoa: Fix I2S device accounting
e81d7826b8f4 ALSA: aoa: i2sbus: fix possible memory leak in i2sbus_add_dev()
77a754fcfec1 net: ethernet: ave: Fix MAC to be in charge of PHY PM
bc2518ec710e net: fec: limit register access on i.MX6UL
f710deeea73a perf vendor events arm64: Fix incorrect Hisi hip08 L3 metrics
eb59cb2fabd4 PM: domains: Fix handling of unavailable/disabled idle states
bde7c2acef30 net: ksz884x: fix missing pci_disable_device() on error in pcidev_init()
8927d90d56e4 i40e: Fix flow-type by setting GL_HASH_INSET registers
c39de3ae5075 i40e: Fix VF hang when reset is triggered on another VF
250bf8ab78f7 i40e: Fix ethtool rx-flow-hash setting for X722
ad3f1d9bf162 ipv6: ensure sane device mtu in tunnels
e2ec5bb78ca8 perf vendor events power10: Fix hv-24x7 metric events
f9df388ed6ea media: vivid: set num_in/outputs to 0 if not supported
4cc7d8d42047 media: videodev2.h: V4L2_DV_BT_BLANKING_HEIGHT should check 'interlaced'
491c0959f01d media: v4l2-dv-timings: add sanity checks for blanking values
0f83edbe4fe9 media: vivid: dev->bitmap_cap wasn't freed in all cases
5b1fb2a28d0a media: vivid: s_fbuf: add more sanity checks
3436e5633776 PM: hibernate: Allow hybrid sleep to work with s2idle
3cc8c4088fae can: mcp251x: mcp251x_can_probe(): add missing unregister_candev() in error path
a3e09eff32d8 can: mscan: mpc5xxx: mpc5xxx_can_probe(): add missing put_clock() in error path
304a10161696 drm/amdkfd: Fix memory leak in kfd_mem_dmamap_userptr()
2fe6b24ce299 net-memcg: avoid stalls when under memory pressure
9b171fdcbf0e tcp: fix indefinite deferral of RTO with SACK reneging
a85d39f14aa8 tcp: fix a signed-integer-overflow bug in tcp_add_backlog()
2437f3c5c6a6 tcp: minor optimization in tcp_add_backlog()
ef27df75912d net: lantiq_etop: don't free skb when returning NETDEV_TX_BUSY
a1e18acb0246 net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed
62086d1c4602 kcm: annotate data-races around kcm->rx_wait
342d918cf9a4 kcm: annotate data-races around kcm->rx_psock
6bb23225bb70 atlantic: fix deadlock at aq_nic_stop
4e2cbc1f0e18 drm/i915/dp: Reset frl trained flag before restarting FRL training
3d92ab0865f1 amd-xgbe: add the bit rate quirk for Molex cables
75a6d1ebf8b7 amd-xgbe: fix the SFP compliance codes check for DAC cables
98bada8fa0e3 x86/unwind/orc: Fix unreliable stack dump with gcov
88e879c9f595 nfc: virtual_ncidev: Fix memory leak in virtual_nci_send()
18c60b383df3 net: macb: Specify PHY PM management done by MAC
95c22fc1e80e net: hinic: fix the issue of double release MBOX callback of VF
6016d96a6adf net: hinic: fix the issue of CMDQ memory leaks
e6765fe8de37 net: hinic: fix memory leak when reading function table
62aa78a0c3e5 net: hinic: fix incorrect assignment issue in hinic_set_interrupt_cfg()
1e0bee973ef6 net: netsec: fix error handling in netsec_register_mdio()
7a939503fc32 tipc: fix a null-ptr-deref in tipc_topsrv_accept
c638b520ba4b perf/x86/intel/lbr: Use setup_clear_cpu_cap() instead of clear_cpu_cap()
4fdf6f978c6b ALSA: ac97: fix possible memory leak in snd_ac97_dev_register()
b68873690373 ASoC: qcom: lpass-cpu: Mark HDMI TX parity register as volatile
eca851572df5 mtd: rawnand: intel: Add missing of_node_put() in ebu_nand_probe()
08c246c7dfef arc: iounmap() arg is volatile
739eac37ff9c sched/core: Fix comparison in sched_group_cookie_match()
ca7b0a10287e perf: Fix missing SIGTRAPs
eb77474a2a21 ASoC: qcom: lpass-cpu: mark HDMI TX registers as volatile
9b6841ab7096 KVM: selftests: Fix number of pages for memory slot in memslot_modification_stress_test
59de8738ed43 drm/msm: Fix return type of mdp4_lvds_connector_mode_valid
a560aeac2f2d media: atomisp: prevent integer overflow in sh_css_set_black_frame()
32f93e460861 media: v4l2: Fix v4l2_i2c_subdev_set_name function documentation
5a93a8288c57 net: ieee802154: fix error return code in dgram_bind()
138a13d8f5c8 ethtool: eeprom: fix null-deref on genl_info in dump
1c2b1d3bba2e mmc: block: Remove error check of hw_reset on reset
0b0d169723f4 Revert "scsi: lpfc: SLI path split: Refactor lpfc_iocbq"
7a0fce24de60 Revert "scsi: lpfc: SLI path split: Refactor fast and slow paths to native SLI4"
7a36c9de4324 Revert "scsi: lpfc: SLI path split: Refactor SCSI paths"
eb8be2dbfbb4 Revert "scsi: lpfc: Fix locking for lpfc_sli_iocbq_lookup()"
065bf71a8a53 Revert "scsi: lpfc: Fix element offset in __lpfc_sli_release_iocbq_s4()"
97dc9076ea5e Revert "scsi: lpfc: Resolve some cleanup issues following SLI path refactoring"
b32b766be44e s390/pci: add missing EX_TABLE entries to __pcistg_mio_inuser()/__pcilg_mio_inuser()
1ad7213fcf49 s390/futex: add missing EX_TABLE entry to __futex_atomic_op()
ae9398e837b9 perf auxtrace: Fix address filter symbol name match for modules
14009ada5712 ARC: mm: fix leakage of memory allocated for PTE
eb9ed3343ca7 pinctrl: Ingenic: JZ4755 bug fixes
94d2643df1e7 kernfs: fix use-after-free in __kernfs_remove
f1204dfc4cd7 counter: microchip-tcb-capture: Handle Signal1 read and Synapse
6fb0106c64ee mmc: sdhci-esdhc-imx: Propagate ESDHC_FLAG_HS400* only on 8bit bus
73e3901e7029 mmc: sdhci-pci-core: Disable ES for ASUS BIOS on Jasper Lake
1e8cd93ae536 mmc: core: Fix kernel panic when remove non-standard SDIO card
02e51e7cd1d3 mmc: sdhci_am654: 'select', not 'depends' REGMAP_MMIO
4c365a0c21aa coresight: cti: Fix hang in cti_disable_hw()
b32775e03969 drm/msm/dp: fix IRQ lifetime
b48949ab451e drm/msm/hdmi: fix memory corruption with too many bridges
9f035d1fb306 drm/msm/dsi: fix memory corruption with too many bridges
986a89b3717e drm/amdgpu: disallow gfxoff until GC IP blocks complete s2idle resume
a2f0934e6bdb scsi: qla2xxx: Use transport-defined speed mask for supported_speeds
2b1a3172ee4d mac802154: Fix LQI recording
46b4b1e11e52 exec: Copy oldsighand->action under spin-lock
265b6fb780f5 fs/binfmt_elf: Fix memory leak in load_elf_binary()
24030742a7b8 cpufreq: intel_pstate: hybrid: Use known scaling factor for P-cores
3423a3417f4f cpufreq: intel_pstate: Read all MSRs on the target CPU
cc6a7249842f fbdev: smscufx: Fix several use-after-free bugs
1a8b22e3f394 iio: adxl372: Fix unsafe buffer attributes
2f08cad21366 iio: temperature: ltc2983: allocate iio channels once
1bfe97f49785 iio: light: tsl2583: Fix module unloading
569709540e12 tools: iio: iio_utils: fix digit calculation
c892a81c7424 xhci: Remove device endpoints from bandwidth list when freeing the device
dfacb5c7f0a9 xhci-pci: Set runtime PM as default policy on all xHC 1.2 or later devices
64058af657ba xhci: Add quirk to reset host back to default state at shutdown
022f21e850e9 mtd: rawnand: marvell: Use correct logic for nand-keep-config
f90897c0f634 usb: xhci: add XHCI_SPURIOUS_SUCCESS to ASM1042 despite being a V0.96 controller
a0c54d5152d5 usb: bdc: change state when port disconnected
e0fd70ab4815 usb: dwc3: gadget: Don't set IMI for no_interrupt
ad538aea64dd usb: dwc3: gadget: Stop processing more requests on IMI
f2f53be61714 usb: gadget: uvc: fix sg handling during video encode
80ff4ef77737 usb: gadget: uvc: fix sg handling in error case
555011f6b27b USB: add RESET_RESUME quirk for NVIDIA Jetson devices in RCM
311428871ba1 ALSA: rme9652: use explicitly signed char
fa8b39c7ed82 ALSA: au88x0: use explicitly signed char
8af82d330d5d ALSA: usb-audio: Add quirks for M-Audio Fast Track C400/600
259cb4dee1bb ALSA: Use del_timer_sync() before freeing timer
33ddee2b95ab can: kvaser_usb: Fix possible completions during init_completion
86da269c7567 can: j1939: transport: j1939_session_skb_drop_old(): spin_unlock_irqrestore() before kfree_skb()
ead049562758 NFSv4: Add an fattr allocation to _nfs4_discover_trunking()
eb1fe9600b86 NFSv4: Fix free of uninitialized nfs4_label on referral lookup.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 7514e04bf4dae3d3bbd20bb21b442f273f8d6c73)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../linux/linux-yocto-rt_5.15.bb | 6 ++---
.../linux/linux-yocto-tiny_5.15.bb | 6 ++---
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +++++++++----------
3 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
index 215a14c826..f80cabe55d 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "8cd14c788563009eeb88f1c5ffb0c0d8bad59943"
-SRCREV_meta ?= "a120c990509eccdaa613b264a4f6c187277548df"
+SRCREV_machine ?= "a0d36398b257c555381e735cd721cd8479d6762d"
+SRCREV_meta ?= "5ca1021282e796e2427f8c7769af524c433fb39d"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.15.76"
+LINUX_VERSION ?= "5.15.78"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
index bbbca44b76..c09f51ce61 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
@@ -5,7 +5,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.15.76"
+LINUX_VERSION ?= "5.15.78"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -14,8 +14,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "f7afe3f65c15cc4d211ab30bc981493fd5b7d3a0"
-SRCREV_meta ?= "a120c990509eccdaa613b264a4f6c187277548df"
+SRCREV_machine ?= "1c3448ff6cc6d24d16c6ef6065cb642245cac627"
+SRCREV_meta ?= "5ca1021282e796e2427f8c7769af524c433fb39d"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.15.bb b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
index f542b3cb11..710accc9e2 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
@@ -13,24 +13,24 @@ KBRANCH:qemux86 ?= "v5.15/standard/base"
KBRANCH:qemux86-64 ?= "v5.15/standard/base"
KBRANCH:qemumips64 ?= "v5.15/standard/mti-malta64"
-SRCREV_machine:qemuarm ?= "d7819ee61a286d4271fbb9aa8881ec6e70cdbe11"
-SRCREV_machine:qemuarm64 ?= "38180346106d8eb46aca94bf01228fc75d4b70fa"
-SRCREV_machine:qemumips ?= "d774a943b853ed0047169ce6d71249a0f8b77307"
-SRCREV_machine:qemuppc ?= "527f0c70315df84882792510ebf2e778c5980266"
-SRCREV_machine:qemuriscv64 ?= "d2f773f779186759d9b9a6c403fd8d533a0bff6c"
-SRCREV_machine:qemuriscv32 ?= "d2f773f779186759d9b9a6c403fd8d533a0bff6c"
-SRCREV_machine:qemux86 ?= "d2f773f779186759d9b9a6c403fd8d533a0bff6c"
-SRCREV_machine:qemux86-64 ?= "d2f773f779186759d9b9a6c403fd8d533a0bff6c"
-SRCREV_machine:qemumips64 ?= "980c0d78ca192b2d0e63753ff6c5daba7b9e37de"
-SRCREV_machine ?= "d2f773f779186759d9b9a6c403fd8d533a0bff6c"
-SRCREV_meta ?= "a120c990509eccdaa613b264a4f6c187277548df"
+SRCREV_machine:qemuarm ?= "d3aa5916b2b02966ef37bfe3fc527c99754571ec"
+SRCREV_machine:qemuarm64 ?= "a1d364fbe3d8a916426a107f07b89fd0338923c7"
+SRCREV_machine:qemumips ?= "904de7b55a7e8edf4cd894fb0558efee799a314a"
+SRCREV_machine:qemuppc ?= "35d547b91124bef128a13402190ca05f54a2392e"
+SRCREV_machine:qemuriscv64 ?= "8cd3f1c8dc13e8fa2d9a25ce0285d3526705eea7"
+SRCREV_machine:qemuriscv32 ?= "8cd3f1c8dc13e8fa2d9a25ce0285d3526705eea7"
+SRCREV_machine:qemux86 ?= "8cd3f1c8dc13e8fa2d9a25ce0285d3526705eea7"
+SRCREV_machine:qemux86-64 ?= "8cd3f1c8dc13e8fa2d9a25ce0285d3526705eea7"
+SRCREV_machine:qemumips64 ?= "ae8ab2e3acaf9e14cd75a6c96f1ba43c66a1babd"
+SRCREV_machine ?= "8cd3f1c8dc13e8fa2d9a25ce0285d3526705eea7"
+SRCREV_meta ?= "5ca1021282e796e2427f8c7769af524c433fb39d"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
# meta SRCREV as the linux-yocto-standard builds. Select your version using the
# normal PREFERRED_VERSION settings.
BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "4f5365f77018349d64386b202b37e8b737236556"
+SRCREV_machine:class-devupstream ?= "509a32764e1a5692935c4f26ed96fbe94c480186"
PN:class-devupstream = "linux-yocto-upstream"
KBRANCH:class-devupstream = "v5.15/base"
@@ -38,7 +38,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.15.76"
+LINUX_VERSION ?= "5.15.78"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 15/23] linux-yocto/5.15: fix CONFIG_CRYPTO_CCM mismatch warnings
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (13 preceding siblings ...)
2022-12-01 14:27 ` [OE-core][kirkstone 14/23] linux-yocto/5.15: update to v5.15.78 Steve Sakoman
@ 2022-12-01 14:27 ` Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 16/23] kern-tools: integrate ZFS speedup patch Steve Sakoman
` (7 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:27 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Integrating the following commit(s) to linux-yocto/.:
f475b1a9ded qat: fix CONFIG_CRYPTO_CCM mismatch warnings
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit a3417ce85e38d514c7dc43c2ddcdacf45996fc2a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb | 2 +-
meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb | 2 +-
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
index f80cabe55d..fc1ccd9b39 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
@@ -12,7 +12,7 @@ python () {
}
SRCREV_machine ?= "a0d36398b257c555381e735cd721cd8479d6762d"
-SRCREV_meta ?= "5ca1021282e796e2427f8c7769af524c433fb39d"
+SRCREV_meta ?= "f475b1a9deddbde23f48d7d535abdd5fb133b837"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
index c09f51ce61..087c30b5a5 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
@@ -15,7 +15,7 @@ KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
SRCREV_machine ?= "1c3448ff6cc6d24d16c6ef6065cb642245cac627"
-SRCREV_meta ?= "5ca1021282e796e2427f8c7769af524c433fb39d"
+SRCREV_meta ?= "f475b1a9deddbde23f48d7d535abdd5fb133b837"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.15.bb b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
index 710accc9e2..d5f21daf35 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
@@ -23,7 +23,7 @@ SRCREV_machine:qemux86 ?= "8cd3f1c8dc13e8fa2d9a25ce0285d3526705eea7"
SRCREV_machine:qemux86-64 ?= "8cd3f1c8dc13e8fa2d9a25ce0285d3526705eea7"
SRCREV_machine:qemumips64 ?= "ae8ab2e3acaf9e14cd75a6c96f1ba43c66a1babd"
SRCREV_machine ?= "8cd3f1c8dc13e8fa2d9a25ce0285d3526705eea7"
-SRCREV_meta ?= "5ca1021282e796e2427f8c7769af524c433fb39d"
+SRCREV_meta ?= "f475b1a9deddbde23f48d7d535abdd5fb133b837"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 16/23] kern-tools: integrate ZFS speedup patch
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (14 preceding siblings ...)
2022-12-01 14:27 ` [OE-core][kirkstone 15/23] linux-yocto/5.15: fix CONFIG_CRYPTO_CCM mismatch warnings Steve Sakoman
@ 2022-12-01 14:27 ` Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 17/23] kernel.bbclass: make KERNEL_DEBUG_TIMESTAMPS work at rebuild Steve Sakoman
` (6 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:27 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Bumping the SRCREV to integrat the following kern-tools change:
commit 2d01f24bc78256c709728eb3f204491bce13e0e5
Author: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
Date: Fri Nov 4 23:32:38 2022 +0000
kconf_check: store some files in tmpdir
Some file systems, like ZFS, are very slow at appending to existing
files. Due to Copy-On-Write nature, they create a new copy of a file
each time we do ">>" in a shell script. This becomes very noticeable
if shell script does lots and lots of appends, like sanitize_fragment()
function in kconf_check. On my setup, do_kernel_configcheck task takes
literally hours to complete.
To fix this issue, we can store sanitized_list and fragment_errors.txt
files on tmpfs, which is extremely fast at writing. As most distros
use tmpfs for /tmp, logical step is to use `mktemp` to create
temporary files.
After completing writing to temporary locations, we can move those two
files back to ${LOGDIR}.
Also, function 'cleanup' was added to remove temporary files in case
of abnormal exit.
With this patch, do_kernel_configcheck task completes in ~2 minutes on
my setup, which is a great improvement.
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 9d50e2606eb66019044ee176f355a84a65a1499c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-kernel/kern-tools/kern-tools-native_git.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb b/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb
index 07d7daf5fb..12f1cf516e 100644
--- a/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb
+++ b/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "\
DEPENDS = "git-native"
-SRCREV = "6a4752ebbe7d242c02b3c74a5772926edd243626"
+SRCREV = "2d01f24bc78256c709728eb3f204491bce13e0e5"
PV = "0.3+git${SRCPV}"
inherit native
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 17/23] kernel.bbclass: make KERNEL_DEBUG_TIMESTAMPS work at rebuild
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (15 preceding siblings ...)
2022-12-01 14:27 ` [OE-core][kirkstone 16/23] kern-tools: integrate ZFS speedup patch Steve Sakoman
@ 2022-12-01 14:27 ` Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 18/23] linux-firmware: upgrade 20221012 -> 20221109 Steve Sakoman
` (5 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:27 UTC (permalink / raw)
To: openembedded-core
From: Chen Qi <Qi.Chen@windriver.com>
Currently, the KERNEL_DEBUG_TIMESTAMPS is not working as expected
at rebuild. That is, even if we set it to "1", the kernel build time
is not changed. The problem could be reproduced by the following steps.
1. bitbake core-image-minimal; start image and check `uname -a` output.
2. set in local.conf: KERNEL_DEBUG_TIMESTAMPS = "1"
3. bitbake core-image-minimal; start image and check `uname -a` output.
It's expected that after enabling KERNEL_DEBUG_TIMESTAMPS, the kernel
build time will be set to current date. But it's not. This is because
the compile.h was not re-generated when do_compile task was re-executed.
In mkcompile_h, we have:
"""
# Only replace the real compile.h if the new one is different,
# in order to preserve the timestamp and avoid unnecessary
# recompilations.
# We don't consider the file changed if only the date/time changed,
# unless KBUILD_BUILD_TIMESTAMP was explicitly set (e.g. for
# reproducible builds with that value referring to a commit timestamp).
# A kernel config change will increase the generation number, thus
# causing compile.h to be updated (including date/time) due to the
# changed comment in the
# first line.
"""
It has made it very clear that it will not be re-generated unless
we have KBUILD_BUILD_TIMESTAMP set explicitly. So we set this variable
explicitly in do_compile to fix this issue.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 1b68c2d2d385013a1c535ef81172494302a36d74)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/kernel.bbclass | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
index ad2b296c2d..3e7264fb98 100644
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -361,6 +361,10 @@ kernel_do_compile() {
export KBUILD_BUILD_TIMESTAMP="$ts"
export KCONFIG_NOTIMESTAMP=1
bbnote "KBUILD_BUILD_TIMESTAMP: $ts"
+ else
+ ts=`LC_ALL=C date`
+ export KBUILD_BUILD_TIMESTAMP="$ts"
+ bbnote "KBUILD_BUILD_TIMESTAMP: $ts"
fi
# The $use_alternate_initrd is only set from
# do_bundle_initramfs() This variable is specifically for the
@@ -406,6 +410,10 @@ do_compile_kernelmodules() {
export KBUILD_BUILD_TIMESTAMP="$ts"
export KCONFIG_NOTIMESTAMP=1
bbnote "KBUILD_BUILD_TIMESTAMP: $ts"
+ else
+ ts=`LC_ALL=C date`
+ export KBUILD_BUILD_TIMESTAMP="$ts"
+ bbnote "KBUILD_BUILD_TIMESTAMP: $ts"
fi
if (grep -q -i -e '^CONFIG_MODULES=y$' ${B}/.config); then
oe_runmake -C ${B} ${PARALLEL_MAKE} modules ${KERNEL_EXTRA_ARGS}
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 18/23] linux-firmware: upgrade 20221012 -> 20221109
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (16 preceding siblings ...)
2022-12-01 14:27 ` [OE-core][kirkstone 17/23] kernel.bbclass: make KERNEL_DEBUG_TIMESTAMPS work at rebuild Steve Sakoman
@ 2022-12-01 14:27 ` Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 19/23] linux-firmware: add new fw file to ${PN}-qcom-adreno-a530 Steve Sakoman
` (4 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:27 UTC (permalink / raw)
To: openembedded-core
From: Dmitry Baryshkov <dbaryshkov@gmail.com>
License-Update: additional files
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 6940f297243a66bd58d6adee7d690bcee9b9ccb2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...{linux-firmware_20221012.bb => linux-firmware_20221109.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20221012.bb => linux-firmware_20221109.bb} (99%)
diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20221012.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20221109.bb
similarity index 99%
rename from meta/recipes-kernel/linux-firmware/linux-firmware_20221012.bb
rename to meta/recipes-kernel/linux-firmware/linux-firmware_20221109.bb
index c7ecee0d9a..dc977c2bb7 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20221012.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20221109.bb
@@ -132,7 +132,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
"
# WHENCE checksum is defined separately to ease overriding it if
# class-devupstream is selected.
-WHENCE_CHKSUM = "d6d9d74a344a78028e6b0f1df80db14b"
+WHENCE_CHKSUM = "ab4ba608dc4b757716871f9be033f0f1"
# These are not common licenses, set NO_GENERIC_LICENSE for them
# so that the license files will be copied from fetched source
@@ -209,7 +209,7 @@ SRC_URI:class-devupstream = "git://git.kernel.org/pub/scm/linux/kernel/git/firmw
# Pin this to the 20220509 release, override this in local.conf
SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae"
-SRC_URI[sha256sum] = "e9d174af729511c8cccb60ec4e0b223b3c44b67d813b42d1ab9813acfa667fa5"
+SRC_URI[sha256sum] = "c0ddffbbcf30f2e015bddd5c6d3ce1f13976b906aceabda4a57e3c41a3190701"
inherit allarch
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 19/23] linux-firmware: add new fw file to ${PN}-qcom-adreno-a530
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (17 preceding siblings ...)
2022-12-01 14:27 ` [OE-core][kirkstone 18/23] linux-firmware: upgrade 20221012 -> 20221109 Steve Sakoman
@ 2022-12-01 14:27 ` Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 20/23] sstatesig: emit more helpful error message when not finding sstate manifest Steve Sakoman
` (3 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:27 UTC (permalink / raw)
To: openembedded-core
From: Dmitry Baryshkov <dbaryshkov@gmail.com>
Extend the linux-firmware-qcom-adreno-a530 package with the squashed
Adreno 530 zap shader.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 920bf119f35824a3531801f5e41158a8ad1bca4c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-kernel/linux-firmware/linux-firmware_20221109.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20221109.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20221109.bb
index dc977c2bb7..b05b960ebd 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20221109.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20221109.bb
@@ -993,7 +993,7 @@ FILES:${PN}-qcom-vpu-2.0 = "${nonarch_base_libdir}/firmware/qcom/vpu-2.0/*"
FILES:${PN}-qcom-adreno-a2xx = "${nonarch_base_libdir}/firmware/qcom/leia_*.fw"
FILES:${PN}-qcom-adreno-a3xx = "${nonarch_base_libdir}/firmware/qcom/a3*_*.fw ${nonarch_base_libdir}/firmware/a300_*.fw"
FILES:${PN}-qcom-adreno-a4xx = "${nonarch_base_libdir}/firmware/qcom/a4*_*.fw"
-FILES:${PN}-qcom-adreno-a530 = "${nonarch_base_libdir}/firmware/qcom/a530*.*"
+FILES:${PN}-qcom-adreno-a530 = "${nonarch_base_libdir}/firmware/qcom/a530*.* ${nonarch_base_libdir}/firmware/qcom/apq8096/a530*.*"
FILES:${PN}-qcom-adreno-a630 = "${nonarch_base_libdir}/firmware/qcom/a630*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/a630*.*"
FILES:${PN}-qcom-adreno-a650 = "${nonarch_base_libdir}/firmware/qcom/a650*.* ${nonarch_base_libdir}/firmware/qcom/sm8250/a650*.*"
FILES:${PN}-qcom-adreno-a660 = "${nonarch_base_libdir}/firmware/qcom/a660*.*"
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 20/23] sstatesig: emit more helpful error message when not finding sstate manifest
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (18 preceding siblings ...)
2022-12-01 14:27 ` [OE-core][kirkstone 19/23] linux-firmware: add new fw file to ${PN}-qcom-adreno-a530 Steve Sakoman
@ 2022-12-01 14:27 ` Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 21/23] resolvconf: make it work Steve Sakoman
` (2 subsequent siblings)
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:27 UTC (permalink / raw)
To: openembedded-core
From: Enrico Jörns <ejo@pengutronix.de>
Since oe-core commit 64b89f3c8fc31842256c482a3039d90d3f12c1cc
("sstatesig.py: make it fatal error when sstate manifest isn't found")
errors like:
| Manifest [..]/tmp/sstate-control/manifest-x86_64_x86_64-nativesdk-dbus.populate_sysroot not found in imx8mm_dummy cortexa53-mx8mm cortexa53 armv8a-crc armv8a aarch64 allarch x86_64_x86_64-nativesdk (variant '')?
are fatal now and cannot be ignored but must be debugged.
Unfortunately, the currently emitted error message is a bit imprecise
with telling the reader what has actually gone wrong.
This commit:
* adds the word 'sstate' to the error message to clarify the scope we
are dealing with ('sstate manifests', since there are other manifests,
too)
* does not randomly print the last manifest file searched for as THE
manifest file that could not be found
Instead, we print the name of the task the sstate was searched for
* adds the word 'multilib' to variant to make clear which variant we are
talking about
* adds a separate line noting the searched pkgarchs and adds explicitly
mentions this word ('pkgarchs')
* prints a list of ALL manifest file locations attempted
* removes the '?' at the end of the message since such errors indeed
leave the question of what is the cause but the error message itself
is more like a statement.
The result for the exact same issue as noted above then looks as
follows:
| The sstate manifest for task 'dbus:populate_sysroot' (multilib variant '') could not be found.
| The pkgarchs considered were: imx8mm_dummy, cortexa53-mx8mm, cortexa53, armv8a-crc, armv8a, aarch64, allarch, x86_64_x86_64-nativesdk.
| But none of these manifests exists:
| [..]/tmp/sstate-control/manifest-imx8mm_dummy-dbus.populate_sysroot
| [..]/tmp/sstate-control/manifest-cortexa53-mx8mm-dbus.populate_sysroot
| [..]/tmp/sstate-control/manifest-cortexa53-dbus.populate_sysroot
| [..]/tmp/sstate-control/manifest-armv8a-crc-dbus.populate_sysroot
| [..]/tmp/sstate-control/manifest-armv8a-dbus.populate_sysroot
| [..]/tmp/sstate-control/manifest-aarch64-dbus.populate_sysroot
| [..]/tmp/sstate-control/manifest-allarch-dbus.populate_sysroot
| [..]/tmp/sstate-control/manifest-x86_64_x86_64-nativesdk-dbus.populate_sysroot
Signed-off-by: Enrico Jorns <ejo@pengutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 735ec126ec219c7cb89cb05b0e433201bb7f59eb)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oe/sstatesig.py | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/meta/lib/oe/sstatesig.py b/meta/lib/oe/sstatesig.py
index f5a77bea27..bbe28efa81 100644
--- a/meta/lib/oe/sstatesig.py
+++ b/meta/lib/oe/sstatesig.py
@@ -467,11 +467,15 @@ def find_sstate_manifest(taskdata, taskdata2, taskname, d, multilibcache):
pkgarchs.append('allarch')
pkgarchs.append('${SDK_ARCH}_${SDK_ARCH}-${SDKPKGSUFFIX}')
+ searched_manifests = []
+
for pkgarch in pkgarchs:
manifest = d2.expand("${SSTATE_MANIFESTS}/manifest-%s-%s.%s" % (pkgarch, taskdata, taskname))
if os.path.exists(manifest):
return manifest, d2
- bb.fatal("Manifest %s not found in %s (variant '%s')?" % (manifest, d2.expand(" ".join(pkgarchs)), variant))
+ searched_manifests.append(manifest)
+ bb.fatal("The sstate manifest for task '%s:%s' (multilib variant '%s') could not be found.\nThe pkgarchs considered were: %s.\nBut none of these manifests exists:\n %s"
+ % (taskdata, taskname, variant, d2.expand(", ".join(pkgarchs)),"\n ".join(searched_manifests)))
return None, d2
def OEOuthashBasic(path, sigfile, task, d):
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 21/23] resolvconf: make it work
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (19 preceding siblings ...)
2022-12-01 14:27 ` [OE-core][kirkstone 20/23] sstatesig: emit more helpful error message when not finding sstate manifest Steve Sakoman
@ 2022-12-01 14:27 ` Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 22/23] dhcpcd: fix to work with systemd Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 23/23] mirrors.bbclass: update CPAN_MIRROR Steve Sakoman
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:27 UTC (permalink / raw)
To: openembedded-core
From: Chen Qi <Qi.Chen@windriver.com>
The current resolvconf does not work. Make it work with the
following changes.
1. Install normalize-resolvconf, which is used by resolvconf.
2. Add dependencies: sed, util-linux-flock.
util-linux-flock is needed by our busybox does not support '-w'
by default. sed is needed because we want to avoid package
QA issue complaining sed is needed by no one provides it.
3. Add a patch to replace 'readlink -m' with 'readlink -l'.
This could avoid the runtime dependency on coreutils. The replacement
is safe as /etc always exits in OE's system.
4. Remove allarch inheritage. This is because the above RDEPENDS
change does not allow this any more. test_sstate_allarch_samesigs
would fail if we don't do this.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 1b0581fd241cc9de2feda896aefbf055dc0099dc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...01-avoid-using-m-option-for-readlink.patch | 37 +++++++++++++++++++
.../resolvconf/resolvconf_1.91.bb | 9 +++--
2 files changed, 42 insertions(+), 4 deletions(-)
create mode 100644 meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch
diff --git a/meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch b/meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch
new file mode 100644
index 0000000000..ab32f26754
--- /dev/null
+++ b/meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch
@@ -0,0 +1,37 @@
+From 6bf2bb136a0b3961339369bc08e58b661fba0edb Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Thu, 17 Nov 2022 17:26:30 +0800
+Subject: [PATCH] avoid using -m option for readlink
+
+Use a more widely used option '-f' instead of '-m' here to
+avoid dependency on coreutils.
+
+Looking at the git history of the resolvconf repo, the '-m'
+is deliberately used. And it wants to depend on coreutils.
+But in case of OE, the existence of /etc is ensured, and busybox
+readlink provides '-f' option, so we can just use '-f'. In this
+way, the coreutils dependency is not necessary any more.
+
+Upstream-Status: Inappropriate [OE Specific]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ etc/resolvconf/update.d/libc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/etc/resolvconf/update.d/libc b/etc/resolvconf/update.d/libc
+index 1c4f6bc..f75d22c 100755
+--- a/etc/resolvconf/update.d/libc
++++ b/etc/resolvconf/update.d/libc
+@@ -57,7 +57,7 @@ fi
+ report_warning() { echo "$0: Warning: $*" >&2 ; }
+
+ resolv_conf_is_symlinked_to_dynamic_file() {
+- [ -L ${ETC}/resolv.conf ] && [ "$(readlink -m ${ETC}/resolv.conf)" = "$DYNAMICRSLVCNFFILE" ]
++ [ -L ${ETC}/resolv.conf ] && [ "$(readlink -f ${ETC}/resolv.conf)" = "$DYNAMICRSLVCNFFILE" ]
+ }
+
+ if ! resolv_conf_is_symlinked_to_dynamic_file ; then
+--
+2.17.1
+
diff --git a/meta/recipes-connectivity/resolvconf/resolvconf_1.91.bb b/meta/recipes-connectivity/resolvconf/resolvconf_1.91.bb
index 94fd2c1a70..3f1b75d07d 100644
--- a/meta/recipes-connectivity/resolvconf/resolvconf_1.91.bb
+++ b/meta/recipes-connectivity/resolvconf/resolvconf_1.91.bb
@@ -9,10 +9,11 @@ LICENSE = "GPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=c93c0550bd3173f4504b2cbd8991e50b"
AUTHOR = "Thomas Hood"
HOMEPAGE = "http://packages.debian.org/resolvconf"
-RDEPENDS:${PN} = "bash"
+RDEPENDS:${PN} = "bash sed util-linux-flock"
SRC_URI = "git://salsa.debian.org/debian/resolvconf.git;protocol=https;branch=unstable \
file://99_resolvconf \
+ file://0001-avoid-using-m-option-for-readlink.patch \
"
SRCREV = "859209d573e7aec0e95d812c6b52444591a628d1"
@@ -23,8 +24,6 @@ S = "${WORKDIR}/git"
# so we check the latest upstream from a directory that does get updated
UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/r/resolvconf/"
-inherit allarch
-
do_compile () {
:
}
@@ -39,12 +38,14 @@ do_install () {
fi
install -d ${D}${base_libdir}/${BPN}
install -d ${D}${sysconfdir}/${BPN}
+ install -d ${D}${nonarch_base_libdir}/${BPN}
ln -snf ${localstatedir}/run/${BPN} ${D}${sysconfdir}/${BPN}/run
install -d ${D}${sysconfdir} ${D}${base_sbindir}
install -d ${D}${mandir}/man8 ${D}${docdir}/${P}
cp -pPR etc/resolvconf ${D}${sysconfdir}/
chown -R root:root ${D}${sysconfdir}/
install -m 0755 bin/resolvconf ${D}${base_sbindir}/
+ install -m 0755 bin/normalize-resolvconf ${D}${nonarch_base_libdir}/${BPN}
install -m 0755 bin/list-records ${D}${base_libdir}/${BPN}
install -d ${D}/${sysconfdir}/network/if-up.d
install -m 0755 debian/resolvconf.000resolvconf.if-up ${D}/${sysconfdir}/network/if-up.d/000resolvconf
@@ -64,4 +65,4 @@ pkg_postinst:${PN} () {
fi
}
-FILES:${PN} += "${base_libdir}/${BPN}"
+FILES:${PN} += "${base_libdir}/${BPN} ${nonarch_base_libdir}/${BPN}"
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 22/23] dhcpcd: fix to work with systemd
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (20 preceding siblings ...)
2022-12-01 14:27 ` [OE-core][kirkstone 21/23] resolvconf: make it work Steve Sakoman
@ 2022-12-01 14:27 ` Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 23/23] mirrors.bbclass: update CPAN_MIRROR Steve Sakoman
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:27 UTC (permalink / raw)
To: openembedded-core
From: Chen Qi <Qi.Chen@windriver.com>
Currently, dhcpcd does not work well with systemd. When using dhcpcd
to configure network, the /etc/resolv.conf contents are not correct.
This issue could easily be reproduced by using 'qemu + slirp' to
start a systemd based image and using dhcpcd to configure network.
The expected 'nameserver 10.0.2.3' is not in /etc/resolv.conf.
The root cause of this problem is that dhcpcd assumes the resolvconf
should recognize .protocol suffix[1]. But systemd's resolvconf (which
is a symlink to resolvectl) has a limited support for traditional
resolvconf interface[2], and "may not work with all clients"[3]. This
of cource includes the clients that use the .protocol suffix.
The current situation is:
1. systemd is not going to support the .protocol suffix in the foreseeable
near future[4].
2. dhcpcd does not want to merge systemd specific patch and insists
systemd needs to consider the .protocol suffix[5][6].
It's a normal thing that people have different opinions. As a build system
that supports such combination, however, we do need to come up with a
solution to fix this typical integration problem, making dhcpcd and systemd
work together.
This patch solves this integration problem by relying on dhcpcd's ability
to manage its own resolv.conf contents. But instead of letting it to write
to /etc/resolv.conf directly, we supply the generated contents to resolvconf.
In this way, the resolvconf still stands in the central place and dhcpcd remains
a supplier to it. And the /etc/resolv.conf can get the correct contents.
With this patch, dhcpcd could work with both sysvinit and systemd.
[1] https://man.archlinux.org/man/resolvconf.8.en
[2] https://man.archlinux.org/man/resolvectl.1#COMPATIBILITY_WITH_RESOLVCONF(8)
[3] https://wiki.archlinux.org/title/systemd-resolved
[4] https://github.com/systemd/systemd/issues/25032
[5] https://github.com/NetworkConfiguration/dhcpcd/pull/152
[6] https://github.com/NetworkConfiguration/dhcpcd/issues/146
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 935ae419f51d911c73f5dc7b4a2e5e9a7b206985)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../dhcpcd/dhcpcd_9.4.1.bb | 1 +
...mprove-the-sitation-of-working-with-.patch | 82 +++++++++++++++++++
2 files changed, 83 insertions(+)
create mode 100644 meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch
diff --git a/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.1.bb b/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.1.bb
index ab6ffe986c..1d03de09c8 100644
--- a/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.1.bb
+++ b/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.1.bb
@@ -13,6 +13,7 @@ UPSTREAM_CHECK_URI = "https://roy.marples.name/downloads/dhcpcd/"
SRC_URI = "https://roy.marples.name/downloads/${BPN}/${BPN}-${PV}.tar.xz \
file://0001-remove-INCLUDEDIR-to-prevent-build-issues.patch \
+ file://0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch \
file://dhcpcd.service \
file://dhcpcd@.service \
"
diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch b/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch
new file mode 100644
index 0000000000..6f90c88249
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch
@@ -0,0 +1,82 @@
+From 02acc4d875ee81e6fd19ef66d69c9f55b4b4a7e7 Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Wed, 9 Nov 2022 16:33:18 +0800
+Subject: [PATCH] 20-resolv.conf: improve the sitation of working with systemd
+
+systemd's resolvconf implementation ignores the protocol part.
+See https://github.com/systemd/systemd/issues/25032.
+
+When using 'dhcp server + dns server + dhcpcd + systemd', we
+get an integration issue, that is dhcpcd runs 'resolvconf -d eth0.ra',
+yet systemd's resolvconf treats it as eth0. This will delete the
+DNS information set by 'resolvconf -a eth0.dhcp'.
+
+Fortunately, 20-resolv.conf has the ability to build the resolv.conf
+file contents itself. We can just pass the generated contents to
+systemd's resolvconf. This way, the DNS information is not incorrectly
+deleted. Also, it does not cause behavior regression for dhcpcd
+in other cases.
+
+Upstream-Status: Inappropriate [OE Specific]
+This patch has been rejected by dhcpcd upstream.
+See details in https://github.com/NetworkConfiguration/dhcpcd/pull/152
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ hooks/20-resolv.conf | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/hooks/20-resolv.conf b/hooks/20-resolv.conf
+index 504a6c53..eb6e5845 100644
+--- a/hooks/20-resolv.conf
++++ b/hooks/20-resolv.conf
+@@ -11,8 +11,12 @@ nocarrier_roaming_dir="$state_dir/roaming"
+ NL="
+ "
+ : ${resolvconf:=resolvconf}
++resolvconf_from_systemd=false
+ if type "$resolvconf" >/dev/null 2>&1; then
+ have_resolvconf=true
++ if [ $(basename $(readlink -f $(which $resolvconf))) = resolvectl ]; then
++ resolvconf_from_systemd=true
++ fi
+ else
+ have_resolvconf=false
+ fi
+@@ -69,8 +73,13 @@ build_resolv_conf()
+ else
+ echo "# /etc/resolv.conf.tail can replace this line" >> "$cf"
+ fi
+- if change_file /etc/resolv.conf "$cf"; then
+- chmod 644 /etc/resolv.conf
++ if $resolvconf_from_systemd; then
++ [ -n "$ifmetric" ] && export IF_METRIC="$ifmetric"
++ "$resolvconf" -a "$ifname" <"$cf"
++ else
++ if change_file /etc/resolv.conf "$cf"; then
++ chmod 644 /etc/resolv.conf
++ fi
+ fi
+ rm -f "$cf"
+ }
+@@ -170,7 +179,7 @@ add_resolv_conf()
+ for x in ${new_domain_name_servers}; do
+ conf="${conf}nameserver $x$NL"
+ done
+- if $have_resolvconf; then
++ if $have_resolvconf && ! $resolvconf_from_systemd; then
+ [ -n "$ifmetric" ] && export IF_METRIC="$ifmetric"
+ printf %s "$conf" | "$resolvconf" -a "$ifname"
+ return $?
+@@ -186,7 +195,7 @@ add_resolv_conf()
+
+ remove_resolv_conf()
+ {
+- if $have_resolvconf; then
++ if $have_resolvconf && ($if_down || ! $resolvconf_from_systemd); then
+ "$resolvconf" -d "$ifname" -f
+ else
+ if [ -e "$resolv_conf_dir/$ifname" ]; then
+--
+2.17.1
+
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 23/23] mirrors.bbclass: update CPAN_MIRROR
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
` (21 preceding siblings ...)
2022-12-01 14:27 ` [OE-core][kirkstone 22/23] dhcpcd: fix to work with systemd Steve Sakoman
@ 2022-12-01 14:27 ` Steve Sakoman
22 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-12-01 14:27 UTC (permalink / raw)
To: openembedded-core
From: Tim Orling <ticotimo@gmail.com>
Both of these redirect to https://cpan.metacpan.org/:
http://cpan.metacpan.org/
http://search.cpan.org/CPAN/
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit f1b74fc09f70d52d9ac629b04d81aa94fd97ff40)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/mirrors.bbclass | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/meta/classes/mirrors.bbclass b/meta/classes/mirrors.bbclass
index b8926fa6e5..3720c00ae5 100644
--- a/meta/classes/mirrors.bbclass
+++ b/meta/classes/mirrors.bbclass
@@ -61,8 +61,7 @@ osc://.*/.* http://sources.openembedded.org/ \
https?://.*/.* http://sources.openembedded.org/ \
ftp://.*/.* http://sources.openembedded.org/ \
npm://.*/?.* http://sources.openembedded.org/ \
-${CPAN_MIRROR} http://cpan.metacpan.org/ \
-${CPAN_MIRROR} http://search.cpan.org/CPAN/ \
+${CPAN_MIRROR} https://cpan.metacpan.org/ \
https?://downloads.yoctoproject.org/releases/uninative/ https://mirrors.kernel.org/yocto/uninative/ \
https?://downloads.yoctoproject.org/mirror/sources/ https://mirrors.kernel.org/yocto-sources/ \
"
--
2.25.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
end of thread, other threads:[~2022-12-01 14:28 UTC | newest]
Thread overview: 24+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-12-01 14:26 [OE-core][kirkstone 00/23] Patch review Steve Sakoman
2022-12-01 14:26 ` [OE-core][kirkstone 01/23] grub2: backport patch to fix CVE-2022-2601 CVE-2022-3775 Steve Sakoman
2022-12-01 14:26 ` [OE-core][kirkstone 02/23] tiff: refresh with devtool Steve Sakoman
2022-12-01 14:26 ` [OE-core][kirkstone 03/23] tiff: fix a number of CVEs Steve Sakoman
2022-12-01 14:26 ` [OE-core][kirkstone 04/23] tiff: Security fix for CVE-2022-3970 Steve Sakoman
2022-12-01 14:26 ` [OE-core][kirkstone 05/23] tiff: add CVE tag to b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 06/23] curl: Fix CVE-2022-32221 Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 07/23] curl: Fix CVE-2022-42916 Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 08/23] curl: Fix CVE-2022-42915 Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 09/23] dropbear: fix CVE-2021-36369 Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 10/23] libpam: fix CVE-2022-28321 Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 11/23] dbus: upgrade 1.14.0 -> 1.14.4 Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 12/23] linux-yocto/5.15: update to v5.15.74 Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 13/23] linux-yocto/5.15: update to v5.15.76 Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 14/23] linux-yocto/5.15: update to v5.15.78 Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 15/23] linux-yocto/5.15: fix CONFIG_CRYPTO_CCM mismatch warnings Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 16/23] kern-tools: integrate ZFS speedup patch Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 17/23] kernel.bbclass: make KERNEL_DEBUG_TIMESTAMPS work at rebuild Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 18/23] linux-firmware: upgrade 20221012 -> 20221109 Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 19/23] linux-firmware: add new fw file to ${PN}-qcom-adreno-a530 Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 20/23] sstatesig: emit more helpful error message when not finding sstate manifest Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 21/23] resolvconf: make it work Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 22/23] dhcpcd: fix to work with systemd Steve Sakoman
2022-12-01 14:27 ` [OE-core][kirkstone 23/23] mirrors.bbclass: update CPAN_MIRROR Steve Sakoman
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.