* [warrior 01/43] binutils: fix CVE-2019-12972 CVE-2019-9071
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 02/43] binutils: CVE-2019-9070 is same as CVE-2019-9071 Armin Kuster
` (41 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
(From OE-Core rev: 093f0914f261a27d58ecba9c1e9d3b78a35af012)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/binutils/binutils-2.32.inc | 2 +
.../binutils/binutils/CVE-2019-12972.patch | 51 +++++++
.../binutils/binutils/CVE-2019-9071.patch | 164 +++++++++++++++++++++
3 files changed, 217 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 49e6827..31c24a3 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -48,6 +48,8 @@ SRC_URI = "\
file://CVE-2019-9075.patch \
file://CVE-2019-9076.patch \
file://CVE-2019-9077.patch \
+ file://CVE-2019-9071.patch \
+ file://CVE-2019-12972.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
new file mode 100644
index 0000000..07d1d65
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
@@ -0,0 +1,51 @@
+From 30bcc01478433a1cb05b36dc5c4beef7d2c89b5b Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 21 Jun 2019 11:51:38 +0930
+Subject: [PATCH] PR24689, string table corruption
+
+The testcase in the PR had a e_shstrndx section of type SHT_GROUP.
+hdr->contents were initialized by setup_group rather than being read
+from the file, thus last byte was not zero and string dereference ran
+off the end of the buffer.
+
+ PR 24689
+ * elfcode.h (elf_object_p): Check type of e_shstrndx section.
+
+Upstream-Status: Backport
+CVE: CVE-2019-12972
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ bfd/ChangeLog | 5 +++++
+ bfd/elfcode.h | 3 ++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index 91f09e6346..e66fb40a2c 100644
+--- a/bfd/ChangeLog
++++ b/bfd/ChangeLog
+@@ -1,3 +1,8 @@
++2019-06-21 Alan Modra <amodra@gmail.com>
++
++ PR 24689
++ * elfcode.h (elf_object_p): Check type of e_shstrndx section.
++
+ 2019-02-20 Alan Modra <amodra@gmail.com>
+
+ PR 24236
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index ec5ea766de..a35a629087 100644
+--- a/bfd/elfcode.h
++++ b/bfd/elfcode.h
+@@ -755,7 +755,8 @@ elf_object_p (bfd *abfd)
+ /* A further sanity check. */
+ if (i_ehdrp->e_shnum != 0)
+ {
+- if (i_ehdrp->e_shstrndx >= elf_numsections (abfd))
++ if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
++ || i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB)
+ {
+ /* PR 2257:
+ We used to just goto got_wrong_format_error here
+--
+2.20.1
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch
new file mode 100644
index 0000000..26f4809
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch
@@ -0,0 +1,164 @@
+From c1202057eb9161a86af27d867703235fee7b7555 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 10 Apr 2019 15:49:36 +0100
+Subject: [PATCH] Pull in patch for libiberty that fixes a stack exhaustion bug
+ when demangling a pathalogically constructed mangled name.
+
+ PR 89394
+ * cp-demangle.c (cplus_demangle_fill_name): Reject negative
+ lengths.
+ (d_count_templates_scopes): Replace num_templates and num_scopes
+ parameters with a struct d_print_info pointer parameter. Adjust
+ body of the function accordingly. Add recursion counter and check
+ that the recursion limit is not reached.
+ (d_print_init): Pass dpi parameter to d_count_templates_scopes.
+ Reset recursion counter afterwards, unless the recursion limit was
+ reached.
+
+CVE: CVE-2019-9071
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ ChangeLog | 16 ++++++++++++++
+ libiberty/cp-demangle.c | 48 ++++++++++++++++++++++-------------------
+ 2 files changed, 42 insertions(+), 22 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index cd631a15b6..4df3aaa62c 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,19 @@
++2019-04-10 Nick Clifton <nickc@redhat.com>
++
++ * libiberty: Sync with gcc. Bring in:
++ 2019-04-10 Nick Clifton <nickc@redhat.com>
++
++ PR 89394
++ * cp-demangle.c (cplus_demangle_fill_name): Reject negative
++ lengths.
++ (d_count_templates_scopes): Replace num_templates and num_scopes
++ parameters with a struct d_print_info pointer parameter. Adjust
++ body of the function accordingly. Add recursion counter and check
++ that the recursion limit is not reached.
++ (d_print_init): Pass dpi parameter to d_count_templates_scopes.
++ Reset recursion counter afterwards, unless the recursion limit was
++ reached.
++
+ 2018-06-24 Nick Clifton <nickc@redhat.com>
+
+ 2.32 branch created.
+diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
+index b34b485692..779b4e763a 100644
+--- a/libiberty/cp-demangle.c
++++ b/libiberty/cp-demangle.c
+@@ -861,7 +861,7 @@ CP_STATIC_IF_GLIBCPP_V3
+ int
+ cplus_demangle_fill_name (struct demangle_component *p, const char *s, int len)
+ {
+- if (p == NULL || s == NULL || len == 0)
++ if (p == NULL || s == NULL || len <= 0)
+ return 0;
+ p->d_printing = 0;
+ p->type = DEMANGLE_COMPONENT_NAME;
+@@ -4061,7 +4061,7 @@ d_growable_string_callback_adapter (const char *s, size_t l, void *opaque)
+ are larger than the actual numbers encountered. */
+
+ static void
+-d_count_templates_scopes (int *num_templates, int *num_scopes,
++d_count_templates_scopes (struct d_print_info *dpi,
+ const struct demangle_component *dc)
+ {
+ if (dc == NULL)
+@@ -4081,13 +4081,13 @@ d_count_templates_scopes (int *num_templates, int *num_scopes,
+ break;
+
+ case DEMANGLE_COMPONENT_TEMPLATE:
+- (*num_templates)++;
++ dpi->num_copy_templates++;
+ goto recurse_left_right;
+
+ case DEMANGLE_COMPONENT_REFERENCE:
+ case DEMANGLE_COMPONENT_RVALUE_REFERENCE:
+ if (d_left (dc)->type == DEMANGLE_COMPONENT_TEMPLATE_PARAM)
+- (*num_scopes)++;
++ dpi->num_saved_scopes++;
+ goto recurse_left_right;
+
+ case DEMANGLE_COMPONENT_QUAL_NAME:
+@@ -4152,42 +4152,42 @@ d_count_templates_scopes (int *num_templates, int *num_scopes,
+ case DEMANGLE_COMPONENT_TAGGED_NAME:
+ case DEMANGLE_COMPONENT_CLONE:
+ recurse_left_right:
+- d_count_templates_scopes (num_templates, num_scopes,
+- d_left (dc));
+- d_count_templates_scopes (num_templates, num_scopes,
+- d_right (dc));
++ /* PR 89394 - Check for too much recursion. */
++ if (dpi->recursion > DEMANGLE_RECURSION_LIMIT)
++ /* FIXME: There ought to be a way to report to the
++ user that the recursion limit has been reached. */
++ return;
++
++ ++ dpi->recursion;
++ d_count_templates_scopes (dpi, d_left (dc));
++ d_count_templates_scopes (dpi, d_right (dc));
++ -- dpi->recursion;
+ break;
+
+ case DEMANGLE_COMPONENT_CTOR:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_ctor.name);
++ d_count_templates_scopes (dpi, dc->u.s_ctor.name);
+ break;
+
+ case DEMANGLE_COMPONENT_DTOR:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_dtor.name);
++ d_count_templates_scopes (dpi, dc->u.s_dtor.name);
+ break;
+
+ case DEMANGLE_COMPONENT_EXTENDED_OPERATOR:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_extended_operator.name);
++ d_count_templates_scopes (dpi, dc->u.s_extended_operator.name);
+ break;
+
+ case DEMANGLE_COMPONENT_FIXED_TYPE:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_fixed.length);
++ d_count_templates_scopes (dpi, dc->u.s_fixed.length);
+ break;
+
+ case DEMANGLE_COMPONENT_GLOBAL_CONSTRUCTORS:
+ case DEMANGLE_COMPONENT_GLOBAL_DESTRUCTORS:
+- d_count_templates_scopes (num_templates, num_scopes,
+- d_left (dc));
++ d_count_templates_scopes (dpi, d_left (dc));
+ break;
+
+ case DEMANGLE_COMPONENT_LAMBDA:
+ case DEMANGLE_COMPONENT_DEFAULT_ARG:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_unary_num.sub);
++ d_count_templates_scopes (dpi, dc->u.s_unary_num.sub);
+ break;
+ }
+ }
+@@ -4222,8 +4222,12 @@ d_print_init (struct d_print_info *dpi, demangle_callbackref callback,
+ dpi->next_copy_template = 0;
+ dpi->num_copy_templates = 0;
+
+- d_count_templates_scopes (&dpi->num_copy_templates,
+- &dpi->num_saved_scopes, dc);
++ d_count_templates_scopes (dpi, dc);
++ /* If we did not reach the recursion limit, then reset the
++ current recursion value back to 0, so that we can print
++ the templates. */
++ if (dpi->recursion < DEMANGLE_RECURSION_LIMIT)
++ dpi->recursion = 0;
+ dpi->num_copy_templates *= dpi->num_saved_scopes;
+
+ dpi->current_template = NULL;
+--
+2.20.1
+
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 02/43] binutils: CVE-2019-9070 is same as CVE-2019-9071
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
2019-09-01 14:35 ` [warrior 01/43] binutils: fix CVE-2019-12972 CVE-2019-9071 Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 03/43] python: fix CVE-2019-9740 Armin Kuster
` (40 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
See:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89395
(From OE-Core rev: cef180de3684491f1ac4180ddbcc102121222181)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch
index 26f4809..f025399 100644
--- a/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch
@@ -16,6 +16,7 @@ Subject: [PATCH] Pull in patch for libiberty that fixes a stack exhaustion bug
reached.
CVE: CVE-2019-9071
+CVE: CVE-2019-9070
Upstream-Status: Backport
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 03/43] python: fix CVE-2019-9740
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
2019-09-01 14:35 ` [warrior 01/43] binutils: fix CVE-2019-12972 CVE-2019-9071 Armin Kuster
2019-09-01 14:35 ` [warrior 02/43] binutils: CVE-2019-9070 is same as CVE-2019-9071 Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 04/43] libxslt: fix CVE-2019-13117 CVE-2019-13118 Armin Kuster
` (39 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
(From OE-Core rev: 8eddac3305b7b428565103cde88cba444e3f0dd0)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../python/python/CVE-2019-9740.patch | 215 +++++++++++++++++++++
meta/recipes-devtools/python/python_2.7.16.bb | 1 +
2 files changed, 216 insertions(+)
create mode 100644 meta/recipes-devtools/python/python/CVE-2019-9740.patch
diff --git a/meta/recipes-devtools/python/python/CVE-2019-9740.patch b/meta/recipes-devtools/python/python/CVE-2019-9740.patch
new file mode 100644
index 0000000..066ac68
--- /dev/null
+++ b/meta/recipes-devtools/python/python/CVE-2019-9740.patch
@@ -0,0 +1,215 @@
+From bb8071a4cae5ab3fe321481dd3d73662ffb26052 Mon Sep 17 00:00:00 2001
+From: Victor Stinner <victor.stinner@gmail.com>
+Date: Tue, 21 May 2019 15:12:33 +0200
+Subject: [PATCH] bpo-30458: Disallow control chars in http URLs (GH-12755)
+ (GH-13154) (GH-13315)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Disallow control chars in http URLs in urllib2.urlopen. This
+addresses a potential security problem for applications that do not
+sanity check their URLs where http request headers could be injected.
+
+Disable https related urllib tests on a build without ssl (GH-13032)
+These tests require an SSL enabled build. Skip these tests when
+python is built without SSL to fix test failures.
+
+Use httplib.InvalidURL instead of ValueError as the new error case's
+exception. (GH-13044)
+
+Backport Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
+
+(cherry picked from commit 7e200e0763f5b71c199aaf98bd5588f291585619)
+
+Notes on backport to Python 2.7:
+
+* test_urllib tests urllib.urlopen() which quotes the URL and so is
+ not vulerable to HTTP Header Injection.
+* Add tests to test_urllib2 on urllib2.urlopen().
+* Reject non-ASCII characters: range 0x80-0xff.
+
+Upstream-Status: Backport
+CVE: CVE-2019-9740
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ Lib/httplib.py | 16 ++++++
+ Lib/test/test_urllib.py | 25 +++++++++
+ Lib/test/test_urllib2.py | 51 ++++++++++++++++++-
+ Lib/test/test_xmlrpc.py | 8 ++-
+ .../2019-04-10-08-53-30.bpo-30458.51E-DA.rst | 1 +
+ 5 files changed, 99 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+
+diff --git a/Lib/httplib.py b/Lib/httplib.py
+index 60a8fb4e355f..1b41c346e090 100644
+--- a/Lib/httplib.py
++++ b/Lib/httplib.py
+@@ -247,6 +247,16 @@
+ _is_legal_header_name = re.compile(r'\A[^:\s][^:\r\n]*\Z').match
+ _is_illegal_header_value = re.compile(r'\n(?![ \t])|\r(?![ \t\n])').search
+
++# These characters are not allowed within HTTP URL paths.
++# See https://tools.ietf.org/html/rfc3986#section-3.3 and the
++# https://tools.ietf.org/html/rfc3986#appendix-A pchar definition.
++# Prevents CVE-2019-9740. Includes control characters such as \r\n.
++# Restrict non-ASCII characters above \x7f (0x80-0xff).
++_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f-\xff]')
++# Arguably only these _should_ allowed:
++# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
++# We are more lenient for assumed real world compatibility purposes.
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -927,6 +937,12 @@ def putrequest(self, method, url, skip_host=0, skip_accept_encoding=0):
+ self._method = method
+ if not url:
+ url = '/'
++ # Prevent CVE-2019-9740.
++ match = _contains_disallowed_url_pchar_re.search(url)
++ if match:
++ raise InvalidURL("URL can't contain control characters. %r "
++ "(found at least %r)"
++ % (url, match.group()))
+ hdr = '%s %s %s' % (method, url, self._http_vsn_str)
+
+ self._output(hdr)
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index 1ce9201c0693..d7778d4194f3 100644
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -257,6 +257,31 @@ def test_url_fragment(self):
+ finally:
+ self.unfakehttp()
+
++ def test_url_with_control_char_rejected(self):
++ for char_no in range(0, 0x21) + range(0x7f, 0x100):
++ char = chr(char_no)
++ schemeless_url = "//localhost:7777/test%s/" % char
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ try:
++ # urllib quotes the URL so there is no injection.
++ resp = urllib.urlopen("http:" + schemeless_url)
++ self.assertNotIn(char, resp.geturl())
++ finally:
++ self.unfakehttp()
++
++ def test_url_with_newline_header_injection_rejected(self):
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
++ schemeless_url = "//" + host + ":8080/test/?test=a"
++ try:
++ # urllib quotes the URL so there is no injection.
++ resp = urllib.urlopen("http:" + schemeless_url)
++ self.assertNotIn(' ', resp.geturl())
++ self.assertNotIn('\r', resp.geturl())
++ self.assertNotIn('\n', resp.geturl())
++ finally:
++ self.unfakehttp()
++
+ def test_read_bogus(self):
+ # urlopen() should raise IOError for many error codes.
+ self.fakehttp('''HTTP/1.1 401 Authentication Required
+diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
+index 6d24d5ddf83c..9531818e16b2 100644
+--- a/Lib/test/test_urllib2.py
++++ b/Lib/test/test_urllib2.py
+@@ -15,6 +15,9 @@
+ except ImportError:
+ ssl = None
+
++from test.test_urllib import FakeHTTPMixin
++
++
+ # XXX
+ # Request
+ # CacheFTPHandler (hard to write)
+@@ -1262,7 +1265,7 @@ def _test_basic_auth(self, opener, auth_handler, auth_header,
+ self.assertEqual(len(http_handler.requests), 1)
+ self.assertFalse(http_handler.requests[0].has_header(auth_header))
+
+-class MiscTests(unittest.TestCase):
++class MiscTests(unittest.TestCase, FakeHTTPMixin):
+
+ def test_build_opener(self):
+ class MyHTTPHandler(urllib2.HTTPHandler): pass
+@@ -1317,6 +1320,52 @@ def test_unsupported_algorithm(self):
+ "Unsupported digest authentication algorithm 'invalid'"
+ )
+
++ @unittest.skipUnless(ssl, "ssl module required")
++ def test_url_with_control_char_rejected(self):
++ for char_no in range(0, 0x21) + range(0x7f, 0x100):
++ char = chr(char_no)
++ schemeless_url = "//localhost:7777/test%s/" % char
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ try:
++ # We explicitly test urllib.request.urlopen() instead of the top
++ # level 'def urlopen()' function defined in this... (quite ugly)
++ # test suite. They use different url opening codepaths. Plain
++ # urlopen uses FancyURLOpener which goes via a codepath that
++ # calls urllib.parse.quote() on the URL which makes all of the
++ # above attempts at injection within the url _path_ safe.
++ escaped_char_repr = repr(char).replace('\\', r'\\')
++ InvalidURL = httplib.InvalidURL
++ with self.assertRaisesRegexp(
++ InvalidURL, "contain control.*" + escaped_char_repr):
++ urllib2.urlopen("http:" + schemeless_url)
++ with self.assertRaisesRegexp(
++ InvalidURL, "contain control.*" + escaped_char_repr):
++ urllib2.urlopen("https:" + schemeless_url)
++ finally:
++ self.unfakehttp()
++
++ @unittest.skipUnless(ssl, "ssl module required")
++ def test_url_with_newline_header_injection_rejected(self):
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
++ schemeless_url = "//" + host + ":8080/test/?test=a"
++ try:
++ # We explicitly test urllib2.urlopen() instead of the top
++ # level 'def urlopen()' function defined in this... (quite ugly)
++ # test suite. They use different url opening codepaths. Plain
++ # urlopen uses FancyURLOpener which goes via a codepath that
++ # calls urllib.parse.quote() on the URL which makes all of the
++ # above attempts at injection within the url _path_ safe.
++ InvalidURL = httplib.InvalidURL
++ with self.assertRaisesRegexp(
++ InvalidURL, r"contain control.*\\r.*(found at least . .)"):
++ urllib2.urlopen("http:" + schemeless_url)
++ with self.assertRaisesRegexp(InvalidURL, r"contain control.*\\n"):
++ urllib2.urlopen("https:" + schemeless_url)
++ finally:
++ self.unfakehttp()
++
++
+
+ class RequestTests(unittest.TestCase):
+
+diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
+index 36b3be67fd6b..90ccb30716ff 100644
+--- a/Lib/test/test_xmlrpc.py
++++ b/Lib/test/test_xmlrpc.py
+@@ -659,7 +659,13 @@ def test_dotted_attribute(self):
+ def test_partial_post(self):
+ # Check that a partial POST doesn't make the server loop: issue #14001.
+ conn = httplib.HTTPConnection(ADDR, PORT)
+- conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye')
++ conn.send('POST /RPC2 HTTP/1.0\r\n'
++ 'Content-Length: 100\r\n\r\n'
++ 'bye HTTP/1.1\r\n'
++ 'Host: %s:%s\r\n'
++ 'Accept-Encoding: identity\r\n'
++ 'Content-Length: 0\r\n\r\n'
++ % (ADDR, PORT))
+ conn.close()
+
+ class SimpleServerEncodingTestCase(BaseServerTestCase):
+diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+new file mode 100644
+index 000000000000..47cb899df1af
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+@@ -0,0 +1 @@
++Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an httplib.InvalidURL exception to be raised.
diff --git a/meta/recipes-devtools/python/python_2.7.16.bb b/meta/recipes-devtools/python/python_2.7.16.bb
index d70342f..c6160ae 100644
--- a/meta/recipes-devtools/python/python_2.7.16.bb
+++ b/meta/recipes-devtools/python/python_2.7.16.bb
@@ -34,6 +34,7 @@ SRC_URI += " \
file://bpo-35907-cve-2019-9948-fix.patch \
file://bpo-36216-cve-2019-9636.patch \
file://bpo-36216-cve-2019-9636-fix.patch \
+ file://CVE-2019-9740.patch \
"
S = "${WORKDIR}/Python-${PV}"
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 04/43] libxslt: fix CVE-2019-13117 CVE-2019-13118
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (2 preceding siblings ...)
2019-09-01 14:35 ` [warrior 03/43] python: fix CVE-2019-9740 Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 05/43] glibc: CVE-2018-20796 is same as CVE-2019-9169 Armin Kuster
` (38 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
(From OE-Core rev: 7dc3048fec88dd62ef49ef16517b7382ab7cf2a5)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../libxslt/files/CVE-2019-13117.patch | 33 ++++++++++
.../libxslt/files/CVE-2019-13118.patch | 76 ++++++++++++++++++++++
meta/recipes-support/libxslt/libxslt_1.1.33.bb | 2 +
3 files changed, 111 insertions(+)
create mode 100644 meta/recipes-support/libxslt/files/CVE-2019-13117.patch
create mode 100644 meta/recipes-support/libxslt/files/CVE-2019-13118.patch
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13117.patch b/meta/recipes-support/libxslt/files/CVE-2019-13117.patch
new file mode 100644
index 0000000..ef3f270
--- /dev/null
+++ b/meta/recipes-support/libxslt/files/CVE-2019-13117.patch
@@ -0,0 +1,33 @@
+From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 27 Apr 2019 11:19:48 +0200
+Subject: [PATCH] Fix uninitialized read of xsl:number token
+
+Found by OSS-Fuzz.
+
+CVE: CVE-2019-13117
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ libxslt/numbers.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 89e1f668..75c31eba 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
+ tokens->tokens[tokens->nTokens].token = val - 1;
+ ix += len;
+ val = xmlStringCurrentChar(NULL, format+ix, &len);
+- }
++ } else {
++ tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
++ tokens->tokens[tokens->nTokens].width = 1;
++ }
+ } else if ( (val == (xmlChar)'A') ||
+ (val == (xmlChar)'a') ||
+ (val == (xmlChar)'I') ||
+--
+2.21.0
+
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13118.patch b/meta/recipes-support/libxslt/files/CVE-2019-13118.patch
new file mode 100644
index 0000000..595e6c2
--- /dev/null
+++ b/meta/recipes-support/libxslt/files/CVE-2019-13118.patch
@@ -0,0 +1,76 @@
+From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 3 Jun 2019 13:14:45 +0200
+Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
+
+The character type in xsltFormatNumberConversion was too narrow and
+an invalid character/length combination could be passed to
+xsltNumberFormatDecimal, resulting in an uninitialized read.
+
+Found by OSS-Fuzz.
+
+CVE: CVE-2019-13118
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+---
+ libxslt/numbers.c | 5 +++--
+ tests/docs/bug-222.xml | 1 +
+ tests/general/bug-222.out | 2 ++
+ tests/general/bug-222.xsl | 6 ++++++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+ create mode 100644 tests/docs/bug-222.xml
+ create mode 100644 tests/general/bug-222.out
+ create mode 100644 tests/general/bug-222.xsl
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index f1ed8846..20b99d5a 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
+ number = floor((scale * number + 0.5)) / scale;
+ if ((self->grouping != NULL) &&
+ (self->grouping[0] != 0)) {
++ int gchar;
+
+ len = xmlStrlen(self->grouping);
+- pchar = xsltGetUTF8Char(self->grouping, &len);
++ gchar = xsltGetUTF8Char(self->grouping, &len);
+ xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ format_info.integer_digits,
+ format_info.group,
+- pchar, len);
++ gchar, len);
+ } else
+ xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ format_info.integer_digits,
+diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
+new file mode 100644
+index 00000000..69d62f2c
+--- /dev/null
++++ b/tests/docs/bug-222.xml
+@@ -0,0 +1 @@
++<doc/>
+diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
+new file mode 100644
+index 00000000..e3139698
+--- /dev/null
++++ b/tests/general/bug-222.out
+@@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++1⠢0
+diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
+new file mode 100644
+index 00000000..e32dc473
+--- /dev/null
++++ b/tests/general/bug-222.xsl
+@@ -0,0 +1,6 @@
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
++ <xsl:decimal-format name="f" grouping-separator="⠢"/>
++ <xsl:template match="/">
++ <xsl:value-of select="format-number(10,'#⠢0','f')"/>
++ </xsl:template>
++</xsl:stylesheet>
+--
+2.21.0
+
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.33.bb b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
index 42b21c7..92d3099 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.33.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.33.bb
@@ -10,6 +10,8 @@ DEPENDS = "libxml2"
SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
file://0001-Fix-security-framework-bypass.patch \
+ file://CVE-2019-13117.patch \
+ file://CVE-2019-13118.patch \
"
SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f"
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 05/43] glibc: CVE-2018-20796 is same as CVE-2019-9169
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (3 preceding siblings ...)
2019-09-01 14:35 ` [warrior 04/43] libxslt: fix CVE-2019-13117 CVE-2019-13118 Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 06/43] libid3tag: handle unknown encodings (CVE-2017-11550) Armin Kuster
` (37 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
See:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141
https://www.securityfocus.com/bid/107160
(From OE-Core rev: 7e90506534ed2a70680382cf28614f02fdb98409)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-core/glibc/glibc/CVE-2019-9169.patch | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch b/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
index bc40361..cf3744b 100644
--- a/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
+++ b/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
@@ -1,4 +1,5 @@
CVE: CVE-2019-9169
+CVE: CVE-2018-20796
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@intel.com>
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 06/43] libid3tag: handle unknown encodings (CVE-2017-11550)
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (4 preceding siblings ...)
2019-09-01 14:35 ` [warrior 05/43] glibc: CVE-2018-20796 is same as CVE-2019-9169 Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 07/43] libid3tag: CVE-2017-11551 is the same as CVE-2004-2779 Armin Kuster
` (36 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
(From OE-Core rev: 5090afc1b07e62f70ebcf63a7abb75b8552f0a52)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../libid3tag/libid3tag/unknown-encoding.patch | 39 ++++++++++++++++++++++
.../libid3tag/libid3tag_0.15.1b.bb | 1 +
2 files changed, 40 insertions(+)
create mode 100644 meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch
diff --git a/meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch b/meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch
new file mode 100644
index 0000000..f0867b5
--- /dev/null
+++ b/meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch
@@ -0,0 +1,39 @@
+In case of an unknown/invalid encoding, id3_parse_string() will
+return NULL, but the return value wasn't checked resulting
+in segfault in id3_ucs4_length(). This is the only place
+the return value wasn't checked.
+
+Patch taken from Debian:
+https://sources.debian.org/patches/libid3tag/0.15.1b-14/11_unknown_encoding.dpatch/
+
+CVE: CVE-2017-11550
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff -urNad libid3tag-0.15.1b~/compat.gperf libid3tag-0.15.1b/compat.gperf
+--- libid3tag-0.15.1b~/compat.gperf 2004-01-23 09:41:32.000000000 +0000
++++ libid3tag-0.15.1b/compat.gperf 2007-01-14 14:36:53.000000000 +0000
+@@ -236,6 +236,10 @@
+
+ encoding = id3_parse_uint(&data, 1);
+ string = id3_parse_string(&data, end - data, encoding, 0);
++ if (!string)
++ {
++ continue;
++ }
+
+ if (id3_ucs4_length(string) < 4) {
+ free(string);
+diff -urNad libid3tag-0.15.1b~/parse.c libid3tag-0.15.1b/parse.c
+--- libid3tag-0.15.1b~/parse.c 2004-01-23 09:41:32.000000000 +0000
++++ libid3tag-0.15.1b/parse.c 2007-01-14 14:37:34.000000000 +0000
+@@ -165,6 +165,9 @@
+ case ID3_FIELD_TEXTENCODING_UTF_8:
+ ucs4 = id3_utf8_deserialize(ptr, length);
+ break;
++ default:
++ /* FIXME: Unknown encoding! Print warning? */
++ return NULL;
+ }
+
+ if (ucs4 && !full) {
diff --git a/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb b/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
index 43edd3f..0312a61 100644
--- a/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
+++ b/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
@@ -14,6 +14,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/mad/libid3tag-${PV}.tar.gz \
file://obsolete_automake_macros.patch \
file://0001-Fix-gperf-3.1-incompatibility.patch \
file://10_utf16.patch \
+ file://unknown-encoding.patch \
"
UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/mad/files/libid3tag/"
UPSTREAM_CHECK_REGEX = "/projects/mad/files/libid3tag/(?P<pver>.*)/$"
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 07/43] libid3tag: CVE-2017-11551 is the same as CVE-2004-2779
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (5 preceding siblings ...)
2019-09-01 14:35 ` [warrior 06/43] libid3tag: handle unknown encodings (CVE-2017-11550) Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 08/43] tiff: fix CVE-2019-6128 Armin Kuster
` (35 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
(From OE-Core rev: 0663e5f8f906803685f018061d51fd6277916e50)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.patch | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.patch b/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.patch
index 8d09ce7..10e0890 100644
--- a/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.patch
+++ b/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.patch
@@ -6,6 +6,7 @@ https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch
Upstream-Status: Pending
CVE: CVE-2004-2779
+CVE: CVE-2017-11551
Signed-off-by: Changqing Li <changqing.li@windriver.com>
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 08/43] tiff: fix CVE-2019-6128
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (6 preceding siblings ...)
2019-09-01 14:35 ` [warrior 07/43] libid3tag: CVE-2017-11551 is the same as CVE-2004-2779 Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 09/43] tiff: fix CVE-2019-7663 Armin Kuster
` (34 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
(From OE-Core rev: 7293e417dd9bdd04fe0fec177a76c9286234ed46)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../libtiff/tiff/CVE-2019-6128.patch | 52 ++++++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.10.bb | 2 +-
2 files changed, 53 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch
new file mode 100644
index 0000000..6f1fd4d
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch
@@ -0,0 +1,52 @@
+CVE: CVE-2019-6128
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 0c74a9f49b8d7a36b17b54a7428b3526d20f88a8 Mon Sep 17 00:00:00 2001
+From: Scott Gayou <github.scott@gmail.com>
+Date: Wed, 23 Jan 2019 15:03:53 -0500
+Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128.
+
+pal2rgb failed to free memory on a few errors. This was reported
+here: http://bugzilla.maptools.org/show_bug.cgi?id=2836.
+---
+ tools/pal2rgb.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 01d8502ec..9492f1cf1 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -118,12 +118,14 @@ main(int argc, char* argv[])
+ shortv != PHOTOMETRIC_PALETTE) {
+ fprintf(stderr, "%s: Expecting a palette image.\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
+ fprintf(stderr,
+ "%s: No colormap (not a valid palette image).\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ bitspersample = 0;
+@@ -131,11 +133,14 @@ main(int argc, char* argv[])
+ if (bitspersample != 8) {
+ fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ out = TIFFOpen(argv[optind+1], "w");
+- if (out == NULL)
++ if (out == NULL) {
++ (void) TIFFClose(in);
+ return (-2);
++ }
+ cpTags(in, out);
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
+--
+2.21.0
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
index 152fa81..a82d744 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
@@ -6,8 +6,8 @@ CVE_PRODUCT = "libtiff"
SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://libtool2.patch \
+ file://CVE-2019-6128.patch"
"
-
SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd"
SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4"
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 09/43] tiff: fix CVE-2019-7663
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (7 preceding siblings ...)
2019-09-01 14:35 ` [warrior 08/43] tiff: fix CVE-2019-6128 Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 10/43] libsdl: CVE fixes Armin Kuster
` (33 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
(From OE-Core rev: d06d6910d1ec9374bb15e02809e64e81198731b6)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../libtiff/tiff/CVE-2019-7663.patch | 77 ++++++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.10.bb | 3 +-
2 files changed, 79 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch
new file mode 100644
index 0000000..f244fb2
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch
@@ -0,0 +1,77 @@
+CVE: CVE-2019-7663
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From c6fc6c1fa895024c86285c58efd6424cf8078f32 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Mon, 11 Feb 2019 10:05:33 +0100
+Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow
+
+fixes bug 2833
+---
+ tools/tiffcp.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 2f406e2d..f0ee2c02 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ int status = 1;
+ uint32 imagew = TIFFRasterScanlineSize(in);
+ uint32 tilew = TIFFTileRowSize(in);
+- int iskew = imagew - tilew*spp;
++ int iskew;
+ tsize_t tilesize = TIFFTileSize(in);
+ tdata_t tilebuf;
+ uint8* bufp = (uint8*) buf;
+@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ uint32 row;
+ uint16 bps = 0, bytes_per_sample;
+
++ if (spp > (0x7fffffff / tilew))
++ {
++ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
++ return 0;
++ }
++ iskew = imagew - tilew*spp;
+ tilebuf = _TIFFmalloc(tilesize);
+ if (tilebuf == 0)
+ return 0;
+--
+2.20.1
+
+
+From da6454aa80b9bb3154dfab4e8b21637de47531e0 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Mon, 11 Feb 2019 21:42:03 +0100
+Subject: [PATCH 2/2] tiffcp.c: use INT_MAX
+
+---
+ tools/tiffcp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index f0ee2c02..8c81aa4f 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -41,6 +41,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+
+ #include <ctype.h>
+
+@@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ uint32 row;
+ uint16 bps = 0, bytes_per_sample;
+
+- if (spp > (0x7fffffff / tilew))
++ if (spp > (INT_MAX / tilew))
+ {
+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+ return 0;
+--
+2.20.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
index a82d744..8e3e227 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
@@ -6,7 +6,8 @@ CVE_PRODUCT = "libtiff"
SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://libtool2.patch \
- file://CVE-2019-6128.patch"
+ file://CVE-2019-6128.patch \
+ file://CVE-2019-7663.patch \
"
SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd"
SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4"
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 10/43] libsdl: CVE fixes
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (8 preceding siblings ...)
2019-09-01 14:35 ` [warrior 09/43] tiff: fix CVE-2019-7663 Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 11/43] gstreamer1.0-vaapi: backport jpeg encode/decode fixes Armin Kuster
` (32 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
Fixes CVE-2019-7572, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576,
CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7637,
CVE-2019-7638.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../libsdl/libsdl-1.2.15/CVE-2019-7572.patch | 114 ++++++++++++
.../libsdl/libsdl-1.2.15/CVE-2019-7574.patch | 68 ++++++++
.../libsdl/libsdl-1.2.15/CVE-2019-7575.patch | 81 +++++++++
.../libsdl/libsdl-1.2.15/CVE-2019-7576.patch | 80 +++++++++
.../libsdl/libsdl-1.2.15/CVE-2019-7577.patch | 123 +++++++++++++
.../libsdl/libsdl-1.2.15/CVE-2019-7578.patch | 64 +++++++
.../libsdl/libsdl-1.2.15/CVE-2019-7635.patch | 63 +++++++
.../libsdl/libsdl-1.2.15/CVE-2019-7637.patch | 192 +++++++++++++++++++++
.../libsdl/libsdl-1.2.15/CVE-2019-7638.patch | 38 ++++
meta/recipes-graphics/libsdl/libsdl_1.2.15.bb | 9 +
10 files changed, 832 insertions(+)
create mode 100644 meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch
create mode 100644 meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch
create mode 100644 meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch
create mode 100644 meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch
create mode 100644 meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch
create mode 100644 meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7578.patch
create mode 100644 meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch
create mode 100644 meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch
create mode 100644 meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7638.patch
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch
new file mode 100644
index 0000000..c41c2de
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7572.patch
@@ -0,0 +1,114 @@
+# HG changeset patch
+# User Petr Písař <ppisar@redhat.com>
+# Date 1560182231 25200
+# Mon Jun 10 08:57:11 2019 -0700
+# Branch SDL-1.2
+# Node ID a8afedbcaea0e84921dc770195c4699bda3ccdc5
+# Parent faf9abbcfb5fe0d0ca23c4bf0394aa226ceccf02
+CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode
+If data chunk was longer than expected based on a WAV format
+definition, IMA_ADPCM_decode() tried to write past the output
+buffer. This patch fixes it.
+
+Based on patch from
+<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.
+
+CVE-2019-7572
+https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+# HG changeset patch
+# User Petr Písař <ppisar@redhat.com>
+# Date 1560041863 25200
+# Sat Jun 08 17:57:43 2019 -0700
+# Branch SDL-1.2
+# Node ID e52413f5258600878f9a10d2f92605a729aa8976
+# Parent 4e73be7b47877ae11d2279bd916910d469d18f8e
+CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
+If an IMA ADPCM block contained an initial index out of step table
+range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
+this bogus value and that lead to a buffer overread.
+
+This patch fixes it by moving clamping the index value at the
+beginning of IMA_ADPCM_nibble() function instead of the end after
+an update.
+
+CVE-2019-7572
+https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+CVE: CVE-2019-7572
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+diff -r faf9abbcfb5f -r a8afedbcaea0 src/audio/SDL_wave.c
+--- a/src/audio/SDL_wave.c Mon Jun 10 08:54:29 2019 -0700
++++ b/src/audio/SDL_wave.c Mon Jun 10 08:57:11 2019 -0700
+@@ -346,7 +346,7 @@
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct IMA_ADPCM_decodestate *state;
+- Uint8 *freeable, *encoded, *encoded_end, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ Sint32 encoded_len, samplesleft;
+ unsigned int c, channels;
+
+@@ -373,6 +373,7 @@
+ return(-1);
+ }
+ decoded = *audio_buf;
++ decoded_end = decoded + *audio_len;
+
+ /* Get ready... Go! */
+ while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+@@ -392,6 +393,7 @@
+ }
+
+ /* Store the initial sample we start with */
++ if (decoded + 2 > decoded_end) goto invalid_size;
+ decoded[0] = (Uint8)(state[c].sample&0xFF);
+ decoded[1] = (Uint8)(state[c].sample>>8);
+ decoded += 2;
+@@ -402,6 +404,8 @@
+ while ( samplesleft > 0 ) {
+ for ( c=0; c<channels; ++c ) {
+ if (encoded + 4 > encoded_end) goto invalid_size;
++ if (decoded + 4 * 4 * channels > decoded_end)
++ goto invalid_size;
+ Fill_IMA_ADPCM_block(decoded, encoded,
+ c, channels, &state[c]);
+ encoded += 4;
+
+diff -r 4e73be7b4787 -r e52413f52586 src/audio/SDL_wave.c
+--- a/src/audio/SDL_wave.c Sat Jun 01 18:27:46 2019 +0100
++++ b/src/audio/SDL_wave.c Sat Jun 08 17:57:43 2019 -0700
+@@ -264,6 +264,14 @@
+ };
+ Sint32 delta, step;
+
++ /* Clamp index value. The inital value can be invalid. */
++ if ( state->index > 88 ) {
++ state->index = 88;
++ } else
++ if ( state->index < 0 ) {
++ state->index = 0;
++ }
++
+ /* Compute difference and new sample value */
+ step = step_table[state->index];
+ delta = step >> 3;
+@@ -275,12 +283,6 @@
+
+ /* Update index value */
+ state->index += index_table[nybble];
+- if ( state->index > 88 ) {
+- state->index = 88;
+- } else
+- if ( state->index < 0 ) {
+- state->index = 0;
+- }
+
+ /* Clamp output sample */
+ if ( state->sample > max_audioval ) {
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch
new file mode 100644
index 0000000..9fd53da
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7574.patch
@@ -0,0 +1,68 @@
+# HG changeset patch
+# User Petr Písař <ppisar@redhat.com>
+# Date 1560181859 25200
+# Mon Jun 10 08:50:59 2019 -0700
+# Branch SDL-1.2
+# Node ID a6e3d2f5183e1cc300ad993e10e9ce077e13bd9c
+# Parent 388987dff7bf8f1e214e69c2e4f1aa31e06396b5
+CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode
+If data chunk was shorter than expected based on a WAV format
+definition, IMA_ADPCM_decode() tried to read past the data chunk
+buffer. This patch fixes it.
+
+CVE-2019-7574
+https://bugzilla.libsdl.org/show_bug.cgi?id=4496
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+CVE: CVE-2019-7574
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+diff -r 388987dff7bf -r a6e3d2f5183e src/audio/SDL_wave.c
+--- a/src/audio/SDL_wave.c Sat Jun 08 18:02:09 2019 -0700
++++ b/src/audio/SDL_wave.c Mon Jun 10 08:50:59 2019 -0700
+@@ -331,7 +331,7 @@
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct IMA_ADPCM_decodestate *state;
+- Uint8 *freeable, *encoded, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ Sint32 encoded_len, samplesleft;
+ unsigned int c, channels;
+
+@@ -347,6 +347,7 @@
+ /* Allocate the proper sized output buffer */
+ encoded_len = *audio_len;
+ encoded = *audio_buf;
++ encoded_end = encoded + encoded_len;
+ freeable = *audio_buf;
+ *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
+ IMA_ADPCM_state.wSamplesPerBlock*
+@@ -362,6 +363,7 @@
+ while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
+ for ( c=0; c<channels; ++c ) {
++ if (encoded + 4 > encoded_end) goto invalid_size;
+ /* Fill the state information for this block */
+ state[c].sample = ((encoded[1]<<8)|encoded[0]);
+ encoded += 2;
+@@ -384,6 +386,7 @@
+ samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
+ while ( samplesleft > 0 ) {
+ for ( c=0; c<channels; ++c ) {
++ if (encoded + 4 > encoded_end) goto invalid_size;
+ Fill_IMA_ADPCM_block(decoded, encoded,
+ c, channels, &state[c]);
+ encoded += 4;
+@@ -395,6 +398,10 @@
+ }
+ SDL_free(freeable);
+ return(0);
++invalid_size:
++ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
+ }
+
+ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch
new file mode 100644
index 0000000..a3e8416
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7575.patch
@@ -0,0 +1,81 @@
+# HG changeset patch
+# User Petr Písař <ppisar@redhat.com>
+# Date 1560183905 25200
+# Mon Jun 10 09:25:05 2019 -0700
+# Branch SDL-1.2
+# Node ID a936f9bd3e381d67d8ddee8b9243f85799ea4798
+# Parent fcbecae427951bac1684baaba2ade68221315140
+CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode
+If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk
+is longer, decoding continued past the output audio buffer.
+
+This fix is based on a patch from
+<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.
+
+https://bugzilla.libsdl.org/show_bug.cgi?id=4493
+CVE-2019-7575
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+CVE: CVE-2019-7575
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+diff -r fcbecae42795 -r a936f9bd3e38 src/audio/SDL_wave.c
+--- a/src/audio/SDL_wave.c Mon Jun 10 09:06:23 2019 -0700
++++ b/src/audio/SDL_wave.c Mon Jun 10 09:25:05 2019 -0700
+@@ -122,7 +122,7 @@
+ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct MS_ADPCM_decodestate *state[2];
+- Uint8 *freeable, *encoded, *encoded_end, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ Sint32 encoded_len, samplesleft;
+ Sint8 nybble, stereo;
+ Sint16 *coeff[2];
+@@ -142,6 +142,7 @@
+ return(-1);
+ }
+ decoded = *audio_buf;
++ decoded_end = decoded + *audio_len;
+
+ /* Get ready... Go! */
+ stereo = (MS_ADPCM_state.wavefmt.channels == 2);
+@@ -149,7 +150,7 @@
+ state[1] = &MS_ADPCM_state.state[stereo];
+ while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
+- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
++ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
+ state[0]->hPredictor = *encoded++;
+ if ( stereo ) {
+ state[1]->hPredictor = *encoded++;
+@@ -179,6 +180,7 @@
+ coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
+
+ /* Store the two initial samples we start with */
++ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
+ decoded[0] = state[0]->iSamp2&0xFF;
+ decoded[1] = state[0]->iSamp2>>8;
+ decoded += 2;
+@@ -200,7 +202,8 @@
+ samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
+ MS_ADPCM_state.wavefmt.channels;
+ while ( samplesleft > 0 ) {
+- if (encoded + 1 > encoded_end) goto too_short;
++ if (encoded + 1 > encoded_end) goto invalid_size;
++ if (decoded + 4 > decoded_end) goto invalid_size;
+
+ nybble = (*encoded)>>4;
+ new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
+@@ -223,8 +226,8 @@
+ }
+ SDL_free(freeable);
+ return(0);
+-too_short:
+- SDL_SetError("Too short chunk for a MS ADPCM decoder");
++invalid_size:
++ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
+ invalid_predictor:
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch
new file mode 100644
index 0000000..d9a5052
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7576.patch
@@ -0,0 +1,80 @@
+# HG changeset patch
+# User Petr Písař <ppisar@redhat.com>
+# Date 1560182783 25200
+# Mon Jun 10 09:06:23 2019 -0700
+# Branch SDL-1.2
+# Node ID fcbecae427951bac1684baaba2ade68221315140
+# Parent a8afedbcaea0e84921dc770195c4699bda3ccdc5
+CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in InitMS_ADPCM
+If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it
+could read past the end of chunk data. This patch fixes it.
+
+CVE-2019-7573
+https://bugzilla.libsdl.org/show_bug.cgi?id=4491
+CVE-2019-7576
+https://bugzilla.libsdl.org/show_bug.cgi?id=4490
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+CVE: CVE-2019-7573
+CVE: CVE-2019-7576
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+diff -r a8afedbcaea0 -r fcbecae42795 src/audio/SDL_wave.c
+--- a/src/audio/SDL_wave.c Mon Jun 10 08:57:11 2019 -0700
++++ b/src/audio/SDL_wave.c Mon Jun 10 09:06:23 2019 -0700
+@@ -44,12 +44,13 @@
+ struct MS_ADPCM_decodestate state[2];
+ } MS_ADPCM_state;
+
+-static int InitMS_ADPCM(WaveFMT *format)
++static int InitMS_ADPCM(WaveFMT *format, int length)
+ {
+- Uint8 *rogue_feel;
++ Uint8 *rogue_feel, *rogue_feel_end;
+ int i;
+
+ /* Set the rogue pointer to the MS_ADPCM specific data */
++ if (length < sizeof(*format)) goto too_short;
+ MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+ MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+ MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+@@ -58,9 +59,11 @@
+ MS_ADPCM_state.wavefmt.bitspersample =
+ SDL_SwapLE16(format->bitspersample);
+ rogue_feel = (Uint8 *)format+sizeof(*format);
++ rogue_feel_end = (Uint8 *)format + length;
+ if ( sizeof(*format) == 16 ) {
+ rogue_feel += sizeof(Uint16);
+ }
++ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
+ MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
+@@ -70,12 +73,16 @@
+ return(-1);
+ }
+ for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
++ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
+ MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ }
+ return(0);
++too_short:
++ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
++ return(-1);
+ }
+
+ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
+@@ -495,7 +502,7 @@
+ break;
+ case MS_ADPCM_CODE:
+ /* Try to understand this */
+- if ( InitMS_ADPCM(format) < 0 ) {
++ if ( InitMS_ADPCM(format, lenread) < 0 ) {
+ was_error = 1;
+ goto done;
+ }
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch
new file mode 100644
index 0000000..92e40ae
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7577.patch
@@ -0,0 +1,123 @@
+# HG changeset patch
+# User Petr Písař <ppisar@redhat.com>
+# Date 1560182051 25200
+# Mon Jun 10 08:54:11 2019 -0700
+# Branch SDL-1.2
+# Node ID 416136310b88cbeeff8773e573e90ac1e22b3526
+# Parent a6e3d2f5183e1cc300ad993e10e9ce077e13bd9c
+CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
+If RIFF/WAV data chunk length is shorter then expected for an audio
+format defined in preceeding RIFF/WAV format headers, a buffer
+overread can happen.
+
+This patch fixes it by checking a MS ADPCM data to be decoded are not
+past the initialized buffer.
+
+CVE-2019-7577
+Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+# HG changeset patch
+# User Petr Písař <ppisar@redhat.com>
+# Date 1560182069 25200
+# Mon Jun 10 08:54:29 2019 -0700
+# Branch SDL-1.2
+# Node ID faf9abbcfb5fe0d0ca23c4bf0394aa226ceccf02
+# Parent 416136310b88cbeeff8773e573e90ac1e22b3526
+CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and MS_ADPCM_decode
+If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid
+predictor (a valid predictor's value is between 0 and 6 inclusive),
+a buffer overread can happen when the predictor is used as an index
+into an array of MS ADPCM coefficients.
+
+The overead happens when indexing MS_ADPCM_state.aCoeff[] array in
+MS_ADPCM_decode() and later when dereferencing a coef pointer in
+MS_ADPCM_nibble().
+
+This patch fixes it by checking the MS ADPCM predictor values fit
+into the valid range.
+
+CVE-2019-7577
+Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+CVE: CVE-2019-7577
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+diff -r a6e3d2f5183e -r 416136310b88 src/audio/SDL_wave.c
+--- a/src/audio/SDL_wave.c Mon Jun 10 08:50:59 2019 -0700
++++ b/src/audio/SDL_wave.c Mon Jun 10 08:54:11 2019 -0700
+@@ -115,7 +115,7 @@
+ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct MS_ADPCM_decodestate *state[2];
+- Uint8 *freeable, *encoded, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ Sint32 encoded_len, samplesleft;
+ Sint8 nybble, stereo;
+ Sint16 *coeff[2];
+@@ -124,6 +124,7 @@
+ /* Allocate the proper sized output buffer */
+ encoded_len = *audio_len;
+ encoded = *audio_buf;
++ encoded_end = encoded + encoded_len;
+ freeable = *audio_buf;
+ *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) *
+ MS_ADPCM_state.wSamplesPerBlock*
+@@ -141,6 +142,7 @@
+ state[1] = &MS_ADPCM_state.state[stereo];
+ while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
++ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
+ state[0]->hPredictor = *encoded++;
+ if ( stereo ) {
+ state[1]->hPredictor = *encoded++;
+@@ -188,6 +190,8 @@
+ samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
+ MS_ADPCM_state.wavefmt.channels;
+ while ( samplesleft > 0 ) {
++ if (encoded + 1 > encoded_end) goto too_short;
++
+ nybble = (*encoded)>>4;
+ new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
+ decoded[0] = new_sample&0xFF;
+@@ -209,6 +213,10 @@
+ }
+ SDL_free(freeable);
+ return(0);
++too_short:
++ SDL_SetError("Too short chunk for a MS ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
+ }
+
+ struct IMA_ADPCM_decodestate {
+
+
+diff -r 416136310b88 -r faf9abbcfb5f src/audio/SDL_wave.c
+--- a/src/audio/SDL_wave.c Mon Jun 10 08:54:11 2019 -0700
++++ b/src/audio/SDL_wave.c Mon Jun 10 08:54:29 2019 -0700
+@@ -147,6 +147,9 @@
+ if ( stereo ) {
+ state[1]->hPredictor = *encoded++;
+ }
++ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
++ goto invalid_predictor;
++ }
+ state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
+ encoded += sizeof(Sint16);
+ if ( stereo ) {
+@@ -217,6 +220,10 @@
+ SDL_SetError("Too short chunk for a MS ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
++invalid_predictor:
++ SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
+ }
+
+ struct IMA_ADPCM_decodestate {
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7578.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7578.patch
new file mode 100644
index 0000000..7028890
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7578.patch
@@ -0,0 +1,64 @@
+# HG changeset patch
+# User Petr Písař <ppisar@redhat.com>
+# Date 1560042129 25200
+# Sat Jun 08 18:02:09 2019 -0700
+# Branch SDL-1.2
+# Node ID 388987dff7bf8f1e214e69c2e4f1aa31e06396b5
+# Parent e52413f5258600878f9a10d2f92605a729aa8976
+CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
+If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
+could read past the end of chunk data. This patch fixes it.
+
+CVE-2019-7578
+https://bugzilla.libsdl.org/show_bug.cgi?id=4494
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+CVE: CVE-2019-7578
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+diff -r e52413f52586 -r 388987dff7bf src/audio/SDL_wave.c
+--- a/src/audio/SDL_wave.c Sat Jun 08 17:57:43 2019 -0700
++++ b/src/audio/SDL_wave.c Sat Jun 08 18:02:09 2019 -0700
+@@ -222,11 +222,12 @@
+ struct IMA_ADPCM_decodestate state[2];
+ } IMA_ADPCM_state;
+
+-static int InitIMA_ADPCM(WaveFMT *format)
++static int InitIMA_ADPCM(WaveFMT *format, int length)
+ {
+- Uint8 *rogue_feel;
++ Uint8 *rogue_feel, *rogue_feel_end;
+
+ /* Set the rogue pointer to the IMA_ADPCM specific data */
++ if (length < sizeof(*format)) goto too_short;
+ IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+ IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+ IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+@@ -235,11 +236,16 @@
+ IMA_ADPCM_state.wavefmt.bitspersample =
+ SDL_SwapLE16(format->bitspersample);
+ rogue_feel = (Uint8 *)format+sizeof(*format);
++ rogue_feel_end = (Uint8 *)format + length;
+ if ( sizeof(*format) == 16 ) {
+ rogue_feel += sizeof(Uint16);
+ }
++ if (rogue_feel + 2 > rogue_feel_end) goto too_short;
+ IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ return(0);
++too_short:
++ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
++ return(-1);
+ }
+
+ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+@@ -471,7 +477,7 @@
+ break;
+ case IMA_ADPCM_CODE:
+ /* Try to understand this */
+- if ( InitIMA_ADPCM(format) < 0 ) {
++ if ( InitIMA_ADPCM(format, lenread) < 0 ) {
+ was_error = 1;
+ goto done;
+ }
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch
new file mode 100644
index 0000000..78af1b0
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch
@@ -0,0 +1,63 @@
+# HG changeset patch
+# User Petr Písař <ppisar@redhat.com>
+# Date 1560259692 25200
+# Tue Jun 11 06:28:12 2019 -0700
+# Branch SDL-1.2
+# Node ID f1f5878be5dbf63c1161a8ee52b8a86ece30e552
+# Parent a936f9bd3e381d67d8ddee8b9243f85799ea4798
+CVE-2019-7635: Reject BMP images with pixel colors out the palette
+If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors
+than the palette offers an SDL_Surface with a palette of the indicated
+number of used colors is created. If some of the image's pixel
+refer to a color number higher then the maximal used colors, a subsequent
+bliting operation on the surface will look up a color past a blit map
+(that is based on the palette) memory. I.e. passing such SDL_Surface
+to e.g. an SDL_DisplayFormat() function will result in a buffer overread in
+a blit function.
+
+This patch fixes it by validing each pixel's color to be less than the
+maximal color number in the palette. A validation failure raises an
+error from a SDL_LoadBMP_RW() function.
+
+CVE-2019-7635
+https://bugzilla.libsdl.org/show_bug.cgi?id=4498
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+CVE: CVE-2019-7635
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+diff -r a936f9bd3e38 -r f1f5878be5db src/video/SDL_bmp.c
+--- a/src/video/SDL_bmp.c Mon Jun 10 09:25:05 2019 -0700
++++ b/src/video/SDL_bmp.c Tue Jun 11 06:28:12 2019 -0700
+@@ -308,6 +308,12 @@
+ }
+ *(bits+i) = (pixel>>shift);
+ pixel <<= ExpandBMP;
++ if ( bits[i] >= biClrUsed ) {
++ SDL_SetError(
++ "A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ } }
+ break;
+
+@@ -318,6 +324,16 @@
+ was_error = SDL_TRUE;
+ goto done;
+ }
++ if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) {
++ for ( i=0; i<surface->w; ++i ) {
++ if ( bits[i] >= biClrUsed ) {
++ SDL_SetError(
++ "A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
++ }
++ }
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+ /* Byte-swap the pixels if needed. Note that the 24bpp
+ case has already been taken care of above. */
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch
new file mode 100644
index 0000000..c95338e
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7637.patch
@@ -0,0 +1,192 @@
+# HG changeset patch
+# User Petr Písař <ppisar@redhat.com>
+# Date 1552788984 25200
+# Sat Mar 16 19:16:24 2019 -0700
+# Branch SDL-1.2
+# Node ID 9b0e5c555c0f5ce6d2c3c19da6cc2c7fb5048bf2
+# Parent 4646533663ae1d80c2cc6b2d6dbfb37c62491c1e
+CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
+If a too large width is passed to SDL_SetVideoMode() the width travels
+to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by
+BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch
+variable. During this arithmetics an integer overflow can happen (e.g.
+the value is clamped as 65532). As a result SDL_Surface with a pitch
+smaller than width * BytesPerPixel is created, too small pixel buffer
+is allocated and when the SDL_Surface is processed in SDL_FillRect()
+a buffer overflow occurs.
+
+This can be reproduced with "./graywin -width 21312312313123213213213"
+command.
+
+This patch fixes is by using a very careful arithmetics in
+SDL_CalculatePitch(). If an overflow is detected, an error is reported
+back as a special 0 value. We assume that 0-width surfaces do not
+occur in the wild. Since SDL_CalculatePitch() is a private function,
+we can change the semantics.
+
+CVE-2019-7637
+https://bugzilla.libsdl.org/show_bug.cgi?id=4497
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+CVE: CVE-2019-7637
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/SDL_pixels.c
+--- a/src/video/SDL_pixels.c Sat Mar 16 18:35:33 2019 -0700
++++ b/src/video/SDL_pixels.c Sat Mar 16 19:16:24 2019 -0700
+@@ -286,26 +286,53 @@
+ }
+ }
+ /*
+- * Calculate the pad-aligned scanline width of a surface
++ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of
++ * an error.
+ */
+ Uint16 SDL_CalculatePitch(SDL_Surface *surface)
+ {
+- Uint16 pitch;
++ unsigned int pitch = 0;
+
+ /* Surface should be 4-byte aligned for speed */
+- pitch = surface->w*surface->format->BytesPerPixel;
++ /* The code tries to prevent from an Uint16 overflow. */;
++ for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {
++ pitch += (unsigned int)surface->w;
++ if (pitch < surface->w) {
++ SDL_SetError("A scanline is too wide");
++ return(0);
++ }
++ }
+ switch (surface->format->BitsPerPixel) {
+ case 1:
+- pitch = (pitch+7)/8;
++ if (pitch % 8) {
++ pitch = pitch / 8 + 1;
++ } else {
++ pitch = pitch / 8;
++ }
+ break;
+ case 4:
+- pitch = (pitch+1)/2;
++ if (pitch % 2) {
++ pitch = pitch / 2 + 1;
++ } else {
++ pitch = pitch / 2;
++ }
+ break;
+ default:
+ break;
+ }
+- pitch = (pitch + 3) & ~3; /* 4-byte aligning */
+- return(pitch);
++ /* 4-byte aligning */
++ if (pitch & 3) {
++ if (pitch + 3 < pitch) {
++ SDL_SetError("A scanline is too wide");
++ return(0);
++ }
++ pitch = (pitch + 3) & ~3;
++ }
++ if (pitch > 0xFFFF) {
++ SDL_SetError("A scanline is too wide");
++ return(0);
++ }
++ return((Uint16)pitch);
+ }
+ /*
+ * Match an RGB value to a particular palette index
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/gapi/SDL_gapivideo.c
+--- a/src/video/gapi/SDL_gapivideo.c Sat Mar 16 18:35:33 2019 -0700
++++ b/src/video/gapi/SDL_gapivideo.c Sat Mar 16 19:16:24 2019 -0700
+@@ -733,6 +733,9 @@
+ video->w = gapi->w = width;
+ video->h = gapi->h = height;
+ video->pitch = SDL_CalculatePitch(video);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ /* Small fix for WinCE/Win32 - when activating window
+ SDL_VideoSurface is equal to zero, so activating code
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/nanox/SDL_nxvideo.c
+--- a/src/video/nanox/SDL_nxvideo.c Sat Mar 16 18:35:33 2019 -0700
++++ b/src/video/nanox/SDL_nxvideo.c Sat Mar 16 19:16:24 2019 -0700
+@@ -378,6 +378,10 @@
+ current -> w = width ;
+ current -> h = height ;
+ current -> pitch = SDL_CalculatePitch (current) ;
++ if (!current->pitch) {
++ current = NULL;
++ goto done;
++ }
+ NX_ResizeImage (this, current, flags) ;
+ }
+
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/ps2gs/SDL_gsvideo.c
+--- a/src/video/ps2gs/SDL_gsvideo.c Sat Mar 16 18:35:33 2019 -0700
++++ b/src/video/ps2gs/SDL_gsvideo.c Sat Mar 16 19:16:24 2019 -0700
+@@ -479,6 +479,9 @@
+ current->w = width;
+ current->h = height;
+ current->pitch = SDL_CalculatePitch(current);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ /* Memory map the DMA area for block memory transfer */
+ if ( ! mapped_mem ) {
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/ps3/SDL_ps3video.c
+--- a/src/video/ps3/SDL_ps3video.c Sat Mar 16 18:35:33 2019 -0700
++++ b/src/video/ps3/SDL_ps3video.c Sat Mar 16 19:16:24 2019 -0700
+@@ -339,6 +339,9 @@
+ current->w = width;
+ current->h = height;
+ current->pitch = SDL_CalculatePitch(current);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ /* Alloc aligned mem for current->pixels */
+ s_pixels = memalign(16, current->h * current->pitch);
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/windib/SDL_dibvideo.c
+--- a/src/video/windib/SDL_dibvideo.c Sat Mar 16 18:35:33 2019 -0700
++++ b/src/video/windib/SDL_dibvideo.c Sat Mar 16 19:16:24 2019 -0700
+@@ -675,6 +675,9 @@
+ video->w = width;
+ video->h = height;
+ video->pitch = SDL_CalculatePitch(video);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ /* Small fix for WinCE/Win32 - when activating window
+ SDL_VideoSurface is equal to zero, so activating code
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/windx5/SDL_dx5video.c
+--- a/src/video/windx5/SDL_dx5video.c Sat Mar 16 18:35:33 2019 -0700
++++ b/src/video/windx5/SDL_dx5video.c Sat Mar 16 19:16:24 2019 -0700
+@@ -1127,6 +1127,9 @@
+ video->w = width;
+ video->h = height;
+ video->pitch = SDL_CalculatePitch(video);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ #ifndef NO_CHANGEDISPLAYSETTINGS
+ /* Set fullscreen mode if appropriate.
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/x11/SDL_x11video.c
+--- a/src/video/x11/SDL_x11video.c Sat Mar 16 18:35:33 2019 -0700
++++ b/src/video/x11/SDL_x11video.c Sat Mar 16 19:16:24 2019 -0700
+@@ -1225,6 +1225,10 @@
+ current->w = width;
+ current->h = height;
+ current->pitch = SDL_CalculatePitch(current);
++ if (!current->pitch) {
++ current = NULL;
++ goto done;
++ }
+ if (X11_ResizeImage(this, current, flags) < 0) {
+ current = NULL;
+ goto done;
diff --git a/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7638.patch b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7638.patch
new file mode 100644
index 0000000..dab9aae
--- /dev/null
+++ b/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7638.patch
@@ -0,0 +1,38 @@
+# HG changeset patch
+# User Sam Lantinga <slouken@libsdl.org>
+# Date 1550504903 28800
+# Mon Feb 18 07:48:23 2019 -0800
+# Branch SDL-1.2
+# Node ID 19d8c3b9c25143f71a34ff40ce1df91b4b3e3b78
+# Parent 8586f153eedec4c4e07066d6248ebdf67f10a229
+Fixed bug 4500 - Heap-Buffer Overflow in Map1toN pertaining to SDL_pixels.c
+
+Petr Pisar
+
+The reproducer has these data in BITMAPINFOHEADER:
+
+biSize = 40
+biBitCount = 8
+biClrUsed = 131075
+
+SDL_LoadBMP_RW() function passes biBitCount as a color depth to SDL_CreateRGBSurface(), thus 256-color pallete is allocated. But then biClrUsed colors are read from a file and stored into the palette. SDL_LoadBMP_RW should report an error if biClrUsed is greater than 2^biBitCount.
+
+CVE: CVE-2019-7638
+CVE: CVE-2019-7636
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+diff -r 8586f153eede -r 19d8c3b9c251 src/video/SDL_bmp.c
+--- a/src/video/SDL_bmp.c Sun Jan 13 15:27:50 2019 +0100
++++ b/src/video/SDL_bmp.c Mon Feb 18 07:48:23 2019 -0800
+@@ -233,6 +233,10 @@
+ if ( palette ) {
+ if ( biClrUsed == 0 ) {
+ biClrUsed = 1 << biBitCount;
++ } else if ( biClrUsed > (1 << biBitCount) ) {
++ SDL_SetError("BMP file has an invalid number of colors");
++ was_error = SDL_TRUE;
++ goto done;
+ }
+ if ( biSize == 12 ) {
+ for ( i = 0; i < (int)biClrUsed; ++i ) {
diff --git a/meta/recipes-graphics/libsdl/libsdl_1.2.15.bb b/meta/recipes-graphics/libsdl/libsdl_1.2.15.bb
index 7718d11..7a01908 100644
--- a/meta/recipes-graphics/libsdl/libsdl_1.2.15.bb
+++ b/meta/recipes-graphics/libsdl/libsdl_1.2.15.bb
@@ -18,6 +18,15 @@ SRC_URI = "http://www.libsdl.org/release/SDL-${PV}.tar.gz \
file://libsdl-1.2.15-xdata32.patch \
file://pkgconfig.patch \
file://0001-build-Pass-tag-CC-explictly-when-using-libtool.patch \
+ file://CVE-2019-7577.patch \
+ file://CVE-2019-7574.patch \
+ file://CVE-2019-7572.patch \
+ file://CVE-2019-7578.patch \
+ file://CVE-2019-7575.patch \
+ file://CVE-2019-7635.patch \
+ file://CVE-2019-7637.patch \
+ file://CVE-2019-7638.patch \
+ file://CVE-2019-7576.patch \
"
UPSTREAM_CHECK_REGEX = "SDL-(?P<pver>\d+(\.\d+)+)\.tar"
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 11/43] gstreamer1.0-vaapi: backport jpeg encode/decode fixes
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (9 preceding siblings ...)
2019-09-01 14:35 ` [warrior 10/43] libsdl: CVE fixes Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 12/43] package: Improve determinism Armin Kuster
` (31 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
Backport patches from 1.15 to fix JPEG encode/decode issues when
using VAAPI with Intel media-driver. See for details:
https://bugzilla.gnome.org/show_bug.cgi?id=796705
https://bugzilla.gnome.org/show_bug.cgi?id=796505
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...der-release-VA-buffers-after-vaEndPicture.patch | 45 +++++++++++++++
...ibs-encoder-jpeg-set-component-id-and-Tqi.patch | 65 ++++++++++++++++++++++
.../gstreamer/gstreamer1.0-vaapi_1.14.4.bb | 2 +
3 files changed, 112 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi/0001-libs-decoder-release-VA-buffers-after-vaEndPicture.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi/0001-libs-encoder-jpeg-set-component-id-and-Tqi.patch
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi/0001-libs-decoder-release-VA-buffers-after-vaEndPicture.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi/0001-libs-decoder-release-VA-buffers-after-vaEndPicture.patch
new file mode 100644
index 0000000..b52e61b
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi/0001-libs-decoder-release-VA-buffers-after-vaEndPicture.patch
@@ -0,0 +1,45 @@
+From bb8894aaf934b3af4d44cf54e860510fe4d615b3 Mon Sep 17 00:00:00 2001
+From: Tianhao Liu <tianhao.liu@intel.com>
+Date: Thu, 7 Jun 2018 09:34:11 +0800
+Subject: [PATCH] libs: decoder: release VA buffers after vaEndPicture
+
+This change is due a problem decoding JPEGs with Intel's media-driver:
+no image was generated.
+
+This patch relases the VA buffers after vaEndPicture() is called,
+and not before (after vaRenderPicture()).
+
+https://bugzilla.gnome.org/show_bug.cgi?id=796505
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer-vaapi/commit/bb8894aaf934b3af4d44cf54e860510fe4d615b3]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ gst-libs/gst/vaapi/gstvaapidecoder_objects.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/gst-libs/gst/vaapi/gstvaapidecoder_objects.c b/gst-libs/gst/vaapi/gstvaapidecoder_objects.c
+index 20d4f55..2dd4c27 100644
+--- a/gst-libs/gst/vaapi/gstvaapidecoder_objects.c
++++ b/gst-libs/gst/vaapi/gstvaapidecoder_objects.c
+@@ -304,12 +304,17 @@ gst_vaapi_picture_decode (GstVaapiPicture * picture)
+ status = vaRenderPicture (va_display, va_context, va_buffers, 2);
+ if (!vaapi_check_status (status, "vaRenderPicture()"))
+ return FALSE;
++ }
++
++ status = vaEndPicture (va_display, va_context);
++
++ for (i = 0; i < picture->slices->len; i++) {
++ GstVaapiSlice *const slice = g_ptr_array_index (picture->slices, i);
+
+ vaapi_destroy_buffer (va_display, &slice->param_id);
+ vaapi_destroy_buffer (va_display, &slice->data_id);
+ }
+
+- status = vaEndPicture (va_display, va_context);
+ if (!vaapi_check_status (status, "vaEndPicture()"))
+ return FALSE;
+ return TRUE;
+--
+2.7.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi/0001-libs-encoder-jpeg-set-component-id-and-Tqi.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi/0001-libs-encoder-jpeg-set-component-id-and-Tqi.patch
new file mode 100644
index 0000000..eb1228b
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi/0001-libs-encoder-jpeg-set-component-id-and-Tqi.patch
@@ -0,0 +1,65 @@
+From f5eb4faa5914f3745820e557ac2401a7d738be66 Mon Sep 17 00:00:00 2001
+From: Tianhao Liu <tianhao.liu@intel.com>
+Date: Wed, 4 Jul 2018 12:51:10 +0800
+Subject: [PATCH] libs: encoder: jpeg: set component id and Tqi
+
+This change is due a problem encoding JPEGs with Intel's
+media-driver: green/black image when playback jpeg
+
+This patch sets component identifier and quantization table
+destination selector in frame header to support packing headers
+by Intel's media-driver that does not accept packed header
+in AP level.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=796705
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer-vaapi/commit/f5eb4faa5914f3745820e557ac2401a7d738be66]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ gst-libs/gst/vaapi/gstvaapiencoder_jpeg.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/gst-libs/gst/vaapi/gstvaapiencoder_jpeg.c b/gst-libs/gst/vaapi/gstvaapiencoder_jpeg.c
+index b3f409d..8491fbc 100644
+--- a/gst-libs/gst/vaapi/gstvaapiencoder_jpeg.c
++++ b/gst-libs/gst/vaapi/gstvaapiencoder_jpeg.c
+@@ -205,6 +205,7 @@ fill_picture (GstVaapiEncoderJpeg * encoder,
+ GstVaapiEncPicture * picture,
+ GstVaapiCodedBuffer * codedbuf, GstVaapiSurfaceProxy * surface)
+ {
++ guint i;
+ VAEncPictureParameterBufferJPEG *const pic_param = picture->param;
+
+ memset (pic_param, 0, sizeof (VAEncPictureParameterBufferJPEG));
+@@ -224,6 +225,11 @@ fill_picture (GstVaapiEncoderJpeg * encoder,
+ pic_param->num_scan = 1;
+ pic_param->num_components = encoder->n_components;
+ pic_param->quality = encoder->quality;
++ for (i = 0; i < pic_param->num_components; i++) {
++ pic_param->component_id[i] = i + 1;
++ if (i != 0)
++ pic_param->quantiser_table_selector[i] = 1;
++ }
+ return TRUE;
+ }
+
+@@ -437,13 +443,11 @@ generate_frame_hdr (GstJpegFrameHdr * frame_hdr, GstVaapiEncoderJpeg * encoder,
+ frame_hdr->num_components = pic_param->num_components;
+
+ for (i = 0; i < frame_hdr->num_components; i++) {
+- frame_hdr->components[i].identifier = i + 1;
++ frame_hdr->components[i].identifier = pic_param->component_id[i];
+ frame_hdr->components[i].horizontal_factor = encoder->h_samp[i];
+ frame_hdr->components[i].vertical_factor = encoder->v_samp[i];
+- if (i == 0)
+- frame_hdr->components[i].quant_table_selector = 0;
+- else
+- frame_hdr->components[i].quant_table_selector = 1;
++ frame_hdr->components[i].quant_table_selector =
++ pic_param->quantiser_table_selector[i];
+ }
+ }
+
+--
+2.7.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.14.4.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.14.4.bb
index 3896434..6243edd 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.14.4.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.14.4.bb
@@ -11,6 +11,8 @@ LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=4fbd65380cdd255951079008b364516c"
SRC_URI = "https://gstreamer.freedesktop.org/src/${REALPN}/${REALPN}-${PV}.tar.xz \
file://0001-gst-vaapi-Makefile.am-Add-EGL_CFLAGS-to-libgstvaapi-.patch \
file://0001-vaapsink-downgrade-to-marginal.patch \
+ file://0001-libs-encoder-jpeg-set-component-id-and-Tqi.patch \
+ file://0001-libs-decoder-release-VA-buffers-after-vaEndPicture.patch \
"
SRC_URI[md5sum] = "2fae3442f5f23e7354a0c592bc7b9065"
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 12/43] package: Improve determinism
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (10 preceding siblings ...)
2019-09-01 14:35 ` [warrior 11/43] gstreamer1.0-vaapi: backport jpeg encode/decode fixes Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 13/43] patch: fix CVE-2019-13636 Armin Kuster
` (30 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Its possible in cases with multiple shlib providers we were not being
deterministic. Add in a couple of sorted() calls to fix the shlibs and
pkgconfig cases with this potential issue.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/classes/package.bbclass | 2 +-
meta/lib/oe/package.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/classes/package.bbclass b/meta/classes/package.bbclass
index eef1f7b..2c44fc1 100644
--- a/meta/classes/package.bbclass
+++ b/meta/classes/package.bbclass
@@ -1918,7 +1918,7 @@ python package_do_pkgconfig () {
for dir in reversed(shlibs_dirs):
if not os.path.exists(dir):
continue
- for file in os.listdir(dir):
+ for file in sorted(os.listdir(dir)):
m = re.match(r'^(.*)\.pclist$', file)
if m:
pkg = m.group(1)
diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py
index b595132..b8585d4 100644
--- a/meta/lib/oe/package.py
+++ b/meta/lib/oe/package.py
@@ -265,7 +265,7 @@ def read_shlib_providers(d):
bb.debug(2, "Reading shlib providers in %s" % (dir))
if not os.path.exists(dir):
continue
- for file in os.listdir(dir):
+ for file in sorted(os.listdir(dir)):
m = list_re.match(file)
if m:
dep_pkg = m.group(1)
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 13/43] patch: fix CVE-2019-13636
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (11 preceding siblings ...)
2019-09-01 14:35 ` [warrior 12/43] package: Improve determinism Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 14/43] python3: fix CVE-2019-9740 Armin Kuster
` (29 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../patch/patch/CVE-2019-13636.patch | 113 +++++++++++++++++++++
meta/recipes-devtools/patch/patch_2.7.6.bb | 1 +
2 files changed, 114 insertions(+)
create mode 100644 meta/recipes-devtools/patch/patch/CVE-2019-13636.patch
diff --git a/meta/recipes-devtools/patch/patch/CVE-2019-13636.patch b/meta/recipes-devtools/patch/patch/CVE-2019-13636.patch
new file mode 100644
index 0000000..9f8b6db
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/CVE-2019-13636.patch
@@ -0,0 +1,113 @@
+From dce4683cbbe107a95f1f0d45fabc304acfb5d71a Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Mon, 15 Jul 2019 16:21:48 +0200
+Subject: Don't follow symlinks unless --follow-symlinks is given
+
+* src/inp.c (plan_a, plan_b), src/util.c (copy_to_fd, copy_file,
+append_to_file): Unless the --follow-symlinks option is given, open files with
+the O_NOFOLLOW flag to avoid following symlinks. So far, we were only doing
+that consistently for input files.
+* src/util.c (create_backup): When creating empty backup files, (re)create them
+with O_CREAT | O_EXCL to avoid following symlinks in that case as well.
+
+CVE: CVE-2019-13636
+Upstream-Status: Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+---
+ src/inp.c | 12 ++++++++++--
+ src/util.c | 14 +++++++++++---
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/src/inp.c b/src/inp.c
+index 32d0919..22d7473 100644
+--- a/src/inp.c
++++ b/src/inp.c
+@@ -238,8 +238,13 @@ plan_a (char const *filename)
+ {
+ if (S_ISREG (instat.st_mode))
+ {
+- int ifd = safe_open (filename, O_RDONLY|binary_transput, 0);
++ int flags = O_RDONLY | binary_transput;
+ size_t buffered = 0, n;
++ int ifd;
++
++ if (! follow_symlinks)
++ flags |= O_NOFOLLOW;
++ ifd = safe_open (filename, flags, 0);
+ if (ifd < 0)
+ pfatal ("can't open file %s", quotearg (filename));
+
+@@ -340,6 +345,7 @@ plan_a (char const *filename)
+ static void
+ plan_b (char const *filename)
+ {
++ int flags = O_RDONLY | binary_transput;
+ int ifd;
+ FILE *ifp;
+ int c;
+@@ -353,7 +359,9 @@ plan_b (char const *filename)
+
+ if (instat.st_size == 0)
+ filename = NULL_DEVICE;
+- if ((ifd = safe_open (filename, O_RDONLY | binary_transput, 0)) < 0
++ if (! follow_symlinks)
++ flags |= O_NOFOLLOW;
++ if ((ifd = safe_open (filename, flags, 0)) < 0
+ || ! (ifp = fdopen (ifd, binary_transput ? "rb" : "r")))
+ pfatal ("Can't open file %s", quotearg (filename));
+ if (TMPINNAME_needs_removal)
+diff --git a/src/util.c b/src/util.c
+index 1cc08ba..fb38307 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -388,7 +388,7 @@ create_backup (char const *to, const struct stat *to_st, bool leave_original)
+
+ try_makedirs_errno = ENOENT;
+ safe_unlink (bakname);
+- while ((fd = safe_open (bakname, O_CREAT | O_WRONLY | O_TRUNC, 0666)) < 0)
++ while ((fd = safe_open (bakname, O_CREAT | O_EXCL | O_WRONLY | O_TRUNC, 0666)) < 0)
+ {
+ if (errno != try_makedirs_errno)
+ pfatal ("Can't create file %s", quotearg (bakname));
+@@ -579,10 +579,13 @@ create_file (char const *file, int open_flags, mode_t mode,
+ static void
+ copy_to_fd (const char *from, int tofd)
+ {
++ int from_flags = O_RDONLY | O_BINARY;
+ int fromfd;
+ ssize_t i;
+
+- if ((fromfd = safe_open (from, O_RDONLY | O_BINARY, 0)) < 0)
++ if (! follow_symlinks)
++ from_flags |= O_NOFOLLOW;
++ if ((fromfd = safe_open (from, from_flags, 0)) < 0)
+ pfatal ("Can't reopen file %s", quotearg (from));
+ while ((i = read (fromfd, buf, bufsize)) != 0)
+ {
+@@ -625,6 +628,8 @@ copy_file (char const *from, char const *to, struct stat *tost,
+ else
+ {
+ assert (S_ISREG (mode));
++ if (! follow_symlinks)
++ to_flags |= O_NOFOLLOW;
+ tofd = create_file (to, O_WRONLY | O_BINARY | to_flags, mode,
+ to_dir_known_to_exist);
+ copy_to_fd (from, tofd);
+@@ -640,9 +645,12 @@ copy_file (char const *from, char const *to, struct stat *tost,
+ void
+ append_to_file (char const *from, char const *to)
+ {
++ int to_flags = O_WRONLY | O_APPEND | O_BINARY;
+ int tofd;
+
+- if ((tofd = safe_open (to, O_WRONLY | O_BINARY | O_APPEND, 0)) < 0)
++ if (! follow_symlinks)
++ to_flags |= O_NOFOLLOW;
++ if ((tofd = safe_open (to, to_flags, 0)) < 0)
+ pfatal ("Can't reopen file %s", quotearg (to));
+ copy_to_fd (from, tofd);
+ if (close (tofd) != 0)
+--
+cgit v1.0-41-gc330
+
diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb
index 85b0db7..8cf20a3 100644
--- a/meta/recipes-devtools/patch/patch_2.7.6.bb
+++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -6,6 +6,7 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://0003-Allow-input-files-to-be-missing-for-ed-style-patches.patch \
file://0004-Fix-arbitrary-command-execution-in-ed-style-patches-.patch \
file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
+ file://CVE-2019-13636.patch \
"
SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 14/43] python3: fix CVE-2019-9740
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (12 preceding siblings ...)
2019-09-01 14:35 ` [warrior 13/43] patch: fix CVE-2019-13636 Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 15/43] ghostscript: fix CVE-2019-3839 Armin Kuster
` (28 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
CVE-2019-9947 is same as CVE-2019-9740 and mark it as such. See:
https://bugs.python.org/issue30458
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../python/python3/CVE-2019-9740.patch | 151 +++++++++++++++++++++
meta/recipes-devtools/python/python3_3.7.2.bb | 1 +
2 files changed, 152 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2019-9740.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2019-9740.patch b/meta/recipes-devtools/python/python3/CVE-2019-9740.patch
new file mode 100644
index 0000000..9bb336d
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2019-9740.patch
@@ -0,0 +1,151 @@
+From 7e200e0763f5b71c199aaf98bd5588f291585619 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
+Date: Tue, 7 May 2019 17:28:47 +0200
+Subject: [PATCH] bpo-30458: Disallow control chars in http URLs. (GH-12755)
+ (GH-13154)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.
+
+Disable https related urllib tests on a build without ssl (GH-13032)
+These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures.
+
+Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044)
+
+Backport Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
+Upstream-Status: Backport[https://github.com/python/cpython/commit/7e200e0763f5b71c199aaf98bd5588f291585619]
+CVE: CVE-2019-9740
+CVE: CVE-2019-9947
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ Lib/http/client.py | 15 ++++++
+ Lib/test/test_urllib.py | 53 +++++++++++++++++++
+ Lib/test/test_xmlrpc.py | 7 ++-
+ .../2019-04-10-08-53-30.bpo-30458.51E-DA.rst | 1 +
+ 4 files changed, 75 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+
+diff --git a/Lib/http/client.py b/Lib/http/client.py
+index 1de151c38e92..2afd452fe30f 100644
+--- a/Lib/http/client.py
++++ b/Lib/http/client.py
+@@ -140,6 +140,16 @@
+ _is_legal_header_name = re.compile(rb'[^:\s][^:\r\n]*').fullmatch
+ _is_illegal_header_value = re.compile(rb'\n(?![ \t])|\r(?![ \t\n])').search
+
++# These characters are not allowed within HTTP URL paths.
++# See https://tools.ietf.org/html/rfc3986#section-3.3 and the
++# https://tools.ietf.org/html/rfc3986#appendix-A pchar definition.
++# Prevents CVE-2019-9740. Includes control characters such as \r\n.
++# We don't restrict chars above \x7f as putrequest() limits us to ASCII.
++_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
++# Arguably only these _should_ allowed:
++# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
++# We are more lenient for assumed real world compatibility purposes.
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -1101,6 +1111,11 @@ def putrequest(self, method, url, skip_host=False,
+ self._method = method
+ if not url:
+ url = '/'
++ # Prevent CVE-2019-9740.
++ match = _contains_disallowed_url_pchar_re.search(url)
++ if match:
++ raise InvalidURL(f"URL can't contain control characters. {url!r} "
++ f"(found at least {match.group()!r})")
+ request = '%s %s %s' % (method, url, self._http_vsn_str)
+
+ # Non-ASCII characters should have been eliminated earlier
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index 2ac73b58d832..7214492eca9d 100644
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -329,6 +329,59 @@ def test_willclose(self):
+ finally:
+ self.unfakehttp()
+
++ @unittest.skipUnless(ssl, "ssl module required")
++ def test_url_with_control_char_rejected(self):
++ for char_no in list(range(0, 0x21)) + [0x7f]:
++ char = chr(char_no)
++ schemeless_url = f"//localhost:7777/test{char}/"
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ try:
++ # We explicitly test urllib.request.urlopen() instead of the top
++ # level 'def urlopen()' function defined in this... (quite ugly)
++ # test suite. They use different url opening codepaths. Plain
++ # urlopen uses FancyURLOpener which goes via a codepath that
++ # calls urllib.parse.quote() on the URL which makes all of the
++ # above attempts at injection within the url _path_ safe.
++ escaped_char_repr = repr(char).replace('\\', r'\\')
++ InvalidURL = http.client.InvalidURL
++ with self.assertRaisesRegex(
++ InvalidURL, f"contain control.*{escaped_char_repr}"):
++ urllib.request.urlopen(f"http:{schemeless_url}")
++ with self.assertRaisesRegex(
++ InvalidURL, f"contain control.*{escaped_char_repr}"):
++ urllib.request.urlopen(f"https:{schemeless_url}")
++ # This code path quotes the URL so there is no injection.
++ resp = urlopen(f"http:{schemeless_url}")
++ self.assertNotIn(char, resp.geturl())
++ finally:
++ self.unfakehttp()
++
++ @unittest.skipUnless(ssl, "ssl module required")
++ def test_url_with_newline_header_injection_rejected(self):
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
++ schemeless_url = "//" + host + ":8080/test/?test=a"
++ try:
++ # We explicitly test urllib.request.urlopen() instead of the top
++ # level 'def urlopen()' function defined in this... (quite ugly)
++ # test suite. They use different url opening codepaths. Plain
++ # urlopen uses FancyURLOpener which goes via a codepath that
++ # calls urllib.parse.quote() on the URL which makes all of the
++ # above attempts at injection within the url _path_ safe.
++ InvalidURL = http.client.InvalidURL
++ with self.assertRaisesRegex(
++ InvalidURL, r"contain control.*\\r.*(found at least . .)"):
++ urllib.request.urlopen(f"http:{schemeless_url}")
++ with self.assertRaisesRegex(InvalidURL, r"contain control.*\\n"):
++ urllib.request.urlopen(f"https:{schemeless_url}")
++ # This code path quotes the URL so there is no injection.
++ resp = urlopen(f"http:{schemeless_url}")
++ self.assertNotIn(' ', resp.geturl())
++ self.assertNotIn('\r', resp.geturl())
++ self.assertNotIn('\n', resp.geturl())
++ finally:
++ self.unfakehttp()
++
+ def test_read_0_9(self):
+ # "0.9" response accepted (but not "simple responses" without
+ # a status line)
+diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
+index 32263f7f0b3b..0e002ec4ef9f 100644
+--- a/Lib/test/test_xmlrpc.py
++++ b/Lib/test/test_xmlrpc.py
+@@ -945,7 +945,12 @@ def test_unicode_host(self):
+ def test_partial_post(self):
+ # Check that a partial POST doesn't make the server loop: issue #14001.
+ conn = http.client.HTTPConnection(ADDR, PORT)
+- conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye')
++ conn.send('POST /RPC2 HTTP/1.0\r\n'
++ 'Content-Length: 100\r\n\r\n'
++ 'bye HTTP/1.1\r\n'
++ f'Host: {ADDR}:{PORT}\r\n'
++ 'Accept-Encoding: identity\r\n'
++ 'Content-Length: 0\r\n\r\n'.encode('ascii'))
+ conn.close()
+
+ def test_context_manager(self):
+diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+new file mode 100644
+index 000000000000..ed8027fb4d64
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+@@ -0,0 +1 @@
++Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised.
diff --git a/meta/recipes-devtools/python/python3_3.7.2.bb b/meta/recipes-devtools/python/python3_3.7.2.bb
index dc851cb..6da806b 100644
--- a/meta/recipes-devtools/python/python3_3.7.2.bb
+++ b/meta/recipes-devtools/python/python3_3.7.2.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-Lib-sysconfig.py-fix-another-place-where-lib-is-hard.patch \
file://CVE-2018-20852.patch \
file://CVE-2019-9636.patch \
+ file://CVE-2019-9740.patch \
"
SRC_URI_append_class-native = " \
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 15/43] ghostscript: fix CVE-2019-3839
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (13 preceding siblings ...)
2019-09-01 14:35 ` [warrior 14/43] python3: fix CVE-2019-9740 Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 16/43] rng-tools: fix very long shutdown delay with systemd Armin Kuster
` (27 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Naveen Saini <naveen.kumar.saini@intel.com>
Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../ghostscript/CVE-2019-3839-0008.patch | 440 +++++++++++++++++++++
.../ghostscript/ghostscript_9.26.bb | 1 +
2 files changed, 441 insertions(+)
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3839-0008.patch
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3839-0008.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3839-0008.patch
new file mode 100644
index 0000000..4be1c84
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3839-0008.patch
@@ -0,0 +1,440 @@
+From c253752ef731f49922e0a97490d1ef09ca697c91 Mon Sep 17 00:00:00 2001
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Thu, 31 Jan 2019 11:31:30 -0800
+Subject: [PATCH] Hide pdfdict and GS_PDF_ProcSet (internal stuff for the PDF
+ interp).
+
+We now keep GS_PDF_ProcSet in pdfdict, and immediately bind pdfdict
+where needed so we can undef it after the last PDF interp file has
+run (pdf_sec.ps).
+
+CVE: CVE-2019-3839
+Upstream-Status: Backport [http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9]
+Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
+---
+ Resource/Init/pdf_base.ps | 11 ++++----
+ Resource/Init/pdf_draw.ps | 59 +++++++++++++++++++--------------------
+ Resource/Init/pdf_font.ps | 9 +++---
+ Resource/Init/pdf_main.ps | 25 +++++++++--------
+ Resource/Init/pdf_ops.ps | 11 ++++----
+ Resource/Init/pdf_sec.ps | 4 ++-
+ 6 files changed, 60 insertions(+), 59 deletions(-)
+
+diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
+index e35e0e373..13dd51f46 100644
+--- a/Resource/Init/pdf_base.ps
++++ b/Resource/Init/pdf_base.ps
+@@ -23,7 +23,6 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+ pdfdict begin
+
+ % Define the name interpretation dictionary for reading values.
+@@ -133,11 +132,11 @@ currentdict /num-chars-dict .undef
+
+ /.pdfexectoken { % <count> <opdict> <exectoken> .pdfexectoken ?
+ PDFDEBUG {
+- pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } executeonly if
++ //pdfdict /PDFSTEPcount known not { //pdfdict /PDFSTEPcount 1 .forceput } executeonly if
+ PDFSTEP {
+- pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput
++ //pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput
+ PDFSTEPcount 1 gt {
+- pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput
++ //pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput
+ } executeonly
+ {
+ dup ==only
+@@ -145,10 +144,10 @@ currentdict /num-chars-dict .undef
+ ( ? ) print flush 1 //false .outputpage
+ (%stdin) (r) file 255 string readline {
+ token {
+- exch pop pdfdict /PDFSTEPcount 3 -1 roll .forceput
++ exch pop //pdfdict /PDFSTEPcount 3 -1 roll .forceput
+ } executeonly
+ {
+- pdfdict /PDFSTEPcount 1 .forceput
++ //pdfdict /PDFSTEPcount 1 .forceput
+ } executeonly ifelse % token
+ } {
+ pop /PDFSTEP //false def % EOF on stdin
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+index 36c41a9a3..2e39c87d2 100644
+--- a/Resource/Init/pdf_draw.ps
++++ b/Resource/Init/pdf_draw.ps
+@@ -18,8 +18,7 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+-GS_PDF_ProcSet begin
++/GS_PDF_ProcSet load begin
+ pdfdict begin
+
+ % For simplicity, we use a single interpretation dictionary for all
+@@ -113,7 +112,7 @@ pdfdict begin
+
+ /resolvefunction { % <fndict> resolvefunction <function>
+ .resolvefn
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Function: ) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Function: ) print dup === flush } if } if
+ } bind executeonly def
+
+ /resolvefnproc { % <fndict> resolvefnproc <proc>
+@@ -1086,7 +1085,7 @@ currentdict end readonly def
+ %% finished running the PaintProc.
+
+ /.actual_pdfpaintproc { % <patdict> <resdict> .pdfpaintproc -
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Begin PaintProc) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Begin PaintProc) print dup === flush } if } if
+ PDFfile fileposition 3 1 roll
+ q
+ 1 index /PaintType oget 1 eq {
+@@ -1121,21 +1120,21 @@ currentdict end readonly def
+ Q
+ }{
+ (\n **** Error: File has unbalanced q/Q operators \(too many Q's\)\n Output may be incorrect.\n)
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+@@ -1144,21 +1143,21 @@ currentdict end readonly def
+ } loop
+ {
+ (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+@@ -1169,7 +1168,7 @@ currentdict end readonly def
+ /pdfemptycount exch def
+
+ Q
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if
+ PDFfile exch setfileposition
+ } bind executeonly odef
+
+@@ -1240,7 +1239,7 @@ currentdict end readonly def
+ ] cvx put
+ dup /BBox 2 copy knownoget { normrect FixPatternBBox put } { pop pop } ifelse
+ dup /.pattern_uses_transparency 1 index patternusestransparency put
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Pattern: ) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Pattern: ) print dup === flush } if } if
+ } bind executeonly def
+
+ /ignore_color_op ( **** Error: Ignoring a color operation in a cached context.\n Output may be incorrect.\n) readonly def
+@@ -2361,16 +2360,16 @@ currentdict /last-ditch-bpc-csp undef
+ } bind executeonly def
+
+ /IncrementAppearanceNumber {
+- pdfdict /AppearanceNumber .knownget {
+- 1 add pdfdict /AppearanceNumber 3 -1 roll .forceput
++ //pdfdict /AppearanceNumber .knownget {
++ 1 add //pdfdict /AppearanceNumber 3 -1 roll .forceput
+ } executeonly
+ {
+- pdfdict /AppearanceNumber 0 .forceput
++ //pdfdict /AppearanceNumber 0 .forceput
+ } executeonly ifelse
+ }bind executeonly odef
+
+ /MakeAppearanceName {
+- pdfdict /AppearanceNumber get
++ //pdfdict /AppearanceNumber get
+ 10 string cvs
+ dup length 10 add string dup 0 (\{FormName) putinterval
+ dup 3 -1 roll
+@@ -2391,17 +2390,17 @@ currentdict /last-ditch-bpc-csp undef
+ gsave initclip
+ MakeNewAppearanceName
+ .pdfFormName
+- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get} {//false}ifelse exch
+- pdfdict /.PreservePDFForm true .forceput
++ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get} {//false}ifelse exch
++ //pdfdict /.PreservePDFForm true .forceput
+ DoForm
+- pdfdict /.PreservePDFForm 3 -1 roll .forceput
++ //pdfdict /.PreservePDFForm 3 -1 roll .forceput
+ grestore
+ } bind executeonly odef
+
+ /DoForm {
+ %% save the current value, if its true we will set it to false later, in order
+ %% to prevent us preserving Forms which are used *from* an annotation /Appearance.
+- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get} {//false}ifelse exch
++ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get} {//false}ifelse exch
+
+ %% We may alter the Default* colour spaces, if the Resources
+ %% ColorSpace entry contains one of them. But we don't want that
+@@ -2516,13 +2515,13 @@ currentdict /last-ditch-bpc-csp undef
+ pdfemptycount countdictstack 3 -1 roll
+ /pdfemptycount count 4 sub store
+
+- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get}{//false} ifelse
++ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get}{//false} ifelse
+ {
+ %% We must *not* preserve any subsidiary forms (curently at least) as PDF
+ %% form preservation doesn't really work. This is used just for Annotation
+ %% Appearances currently, and if they should happen to use a form, we do not
+ %% want to preserve it.
+- pdfdict /.PreservePDFForm false .forceput
++ //pdfdict /.PreservePDFForm false .forceput
+ /q cvx /execform cvx 5 -2 roll
+ } executeonly
+ {
+@@ -2555,7 +2554,7 @@ currentdict /last-ditch-bpc-csp undef
+ saved_DCMYK /DefaultCMYK exch /ColorSpace defineresource pop
+ end
+ } if
+- pdfdict /.PreservePDFForm 3 -1 roll .forceput
++ //pdfdict /.PreservePDFForm 3 -1 roll .forceput
+ } bind executeonly odef
+
+ /_dops_save 1 array def
+@@ -2714,13 +2713,13 @@ drawopdict begin
+ % Start by getting the object number for a Form XObject
+ dup Page /XObject obj_get dup 0 eq not {
+ % Now get the recording dictionary and see if that object number has been seen
+- pdfdict /Recursive_XObject_D get 1 index known {
++ //pdfdict /Recursive_XObject_D get 1 index known {
+ ( **** Error: Recursive XObject detected, ignoring ") print 1 index 256 string cvs print (", object number ) print 256 string cvs print (\n) print
+ ( Output may be incorrect.\n) pdfformaterror
+ //false
+ }{
+ % We haven't seen it yet, so record it.
+- pdfdict /Recursive_XObject_D get 1 index null put
++ //pdfdict /Recursive_XObject_D get 1 index null put
+ 3 1 roll
+ //true
+ }ifelse
+@@ -2758,7 +2757,7 @@ drawopdict begin
+ ( Output may be incorrect.\n) pdfformaterror
+ } ifelse
+ PDFfile exch setfileposition
+- pdfdict /Recursive_XObject_D get exch undef
++ //pdfdict /Recursive_XObject_D get exch undef
+ }{
+ % Otherwise ignore it and tidy up the stacks
+ pop pop
+diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
+index 7e35c02ac..6b09be61f 100644
+--- a/Resource/Init/pdf_font.ps
++++ b/Resource/Init/pdf_font.ps
+@@ -37,8 +37,7 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+-GS_PDF_ProcSet begin
++/GS_PDF_ProcSet load begin % from userdict at this point
+ pdfdict begin
+
+ % We cache the PostScript font in an additional element of the
+@@ -1227,11 +1226,11 @@ currentdict /eexec_pdf_param_dict .undef
+ .pdfruncontext
+ countdictstack BuildCharDictDepth sub
+ {
+- pdfdict /.Qqwarning_issued .knownget {not}{//true} ifelse
++ //pdfdict /.Qqwarning_issued .knownget {not}{//true} ifelse
+ {
+ (\n **** Warning: Type 3 glyph has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+ pdfformatwarning
+- pdfdict /.Qqwarning_issued //true .forceput
++ //pdfdict /.Qqwarning_issued //true .forceput
+ } executeonly if
+ Q
+ } repeat
+@@ -2361,7 +2360,7 @@ currentdict /bndef undef
+ dup //null eq
+ {pop}
+ {
+- pdfdict /InputPDFFileName .knownget {.CRCHashFilenameAndObject} if
++ //pdfdict /InputPDFFileName .knownget {.CRCHashFilenameAndObject} if
+ exch dup /.OrigUniqueIDXUID .knownget not
+ {
+ dup /XUID .knownget not
+diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
+index 0a8929a2a..c1de1b0ef 100644
+--- a/Resource/Init/pdf_main.ps
++++ b/Resource/Init/pdf_main.ps
+@@ -18,8 +18,9 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+ pdfdict begin
++/GS_PDF_ProcSet dup load def % keep in pdfdict to hide it
++userdict /GS_PDF_ProcSet undef
+
+ % Patch in an obsolete variable used by some third-party software.
+ /#? //false def
+@@ -304,8 +305,8 @@ currentdict /runpdfstring .undef
+ /Page //null def
+ /DSCPageCount 0 def
+ /PDFSave //null def
+- GS_PDF_ProcSet begin
+- pdfdict begin
++ //pdfdict /GS_PDF_ProcSet get begin
++ //pdfdict begin
+ pdfopen begin
+ /CumulativePageCount currentpagedevice /PageCount get def
+ } bind executeonly def
+@@ -624,7 +625,7 @@ currentdict /runpdfstring .undef
+ %% copied to a temporary file) and store it in pdfdict. We will use this for
+ %% hashing fonts to detect if fonts with the same name are from different files.
+ %%
+- dup currentglobal exch true setglobal .getfilename exch setglobal /InputPDFFileName exch pdfdict 3 1 roll .forceput
++ dup currentglobal exch true setglobal .getfilename exch setglobal /InputPDFFileName exch //pdfdict 3 1 roll .forceput
+
+ //runpdfbegin exec
+ //pdf_collection_files exec
+@@ -1390,7 +1391,7 @@ currentdict /xref-char-dict undef
+ } bind executeonly def
+
+ /pdfopenfile { % <file> pdfopenfile <dict>
+- pdfdict readonly pop % can't do it any earlier than this
++ //pdfdict readonly pop % can't do it any earlier than this
+ 32 dict begin
+ /LocalResources 0 dict def
+ /DefaultQstate //null def % establish binding
+@@ -2717,21 +2718,21 @@ currentdict /PDF2PS_matrix_key undef
+ StreamRunAborted not {
+ (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+@@ -2743,8 +2744,8 @@ currentdict /PDF2PS_matrix_key undef
+ Repaired % pass Repaired state around the restore
+ RepairedAnError
+ PDFSave restore
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //false .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //false .forceput
+ .setglobal
+ /RepairedAnError exch def
+ /Repaired exch def
+diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
+index 34e2fbd58..46de547f7 100644
+--- a/Resource/Init/pdf_ops.ps
++++ b/Resource/Init/pdf_ops.ps
+@@ -24,6 +24,7 @@
+ systemdict /pdfmark known not
+ { userdict /pdfmark { cleartomark } bind executeonly put } if
+
++systemdict /pdfdict where { pop } { /pdfdict 100 dict put } ifelse
+ userdict /GS_PDF_ProcSet 256 dict dup begin
+
+ % ---------------- Abbreviations ---------------- %
+@@ -174,21 +175,21 @@ currentdict /gput_always_allow .undef
+ {
+ (\n **** Error: File has unbalanced q/Q operators \(too many Q's\)\n Output may be incorrect.\n)
+
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+diff --git a/Resource/Init/pdf_sec.ps b/Resource/Init/pdf_sec.ps
+index d8cc94c86..163dd6877 100644
+--- a/Resource/Init/pdf_sec.ps
++++ b/Resource/Init/pdf_sec.ps
+@@ -39,7 +39,6 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+ pdfdict begin
+
+ % Older ghostscript versions do not have .pdftoken, so we use 'token' instead.
+@@ -748,4 +747,7 @@ currentdict /PDFScanRules_null undef
+ } bind executeonly def
+
+ end % pdfdict
++
++systemdict /pdfdict .forceundef % hide pdfdict
++
+ .setglobal
+--
+2.17.1
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.26.bb b/meta/recipes-extended/ghostscript/ghostscript_9.26.bb
index 2630084..03e4569 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.26.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.26.bb
@@ -45,6 +45,7 @@ SRC_URI = "${SRC_URI_BASE} \
file://CVE-2019-3835-0004.patch \
file://CVE-2019-3838-0001.patch \
file://CVE-2019-3838-0002.patch \
+ file://CVE-2019-3839-0008.patch \
"
SRC_URI_class-native = "${SRC_URI_BASE} \
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 16/43] rng-tools: fix very long shutdown delay with systemd
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (14 preceding siblings ...)
2019-09-01 14:35 ` [warrior 15/43] ghostscript: fix CVE-2019-3839 Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 17/43] psmisc: Fix dependency for USE_NLS=no Armin Kuster
` (26 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: "Bedel, Alban" <alban.bedel@aerq.com>
The systemd service file has DefaultDependencies=no but is not
properly configured to also stop the unit. Because of this the unit
keep running after shutdown but systemd still waits for it to finish to
then later resort to a hard kill. All this take 1m30s with the default
configuration.
To fix this problem add the missing Before=shutdown.target and
Conflicts=shutdown.target to have systemd stop the unit on shutdown.
Signed-off-by: Alban Bedel <alban.bedel@aerq.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-support/rng-tools/rng-tools/rngd.service | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-support/rng-tools/rng-tools/rngd.service b/meta/recipes-support/rng-tools/rng-tools/rngd.service
index f0355db..5c8253b 100644
--- a/meta/recipes-support/rng-tools/rng-tools/rngd.service
+++ b/meta/recipes-support/rng-tools/rng-tools/rngd.service
@@ -2,7 +2,8 @@
Description=Hardware RNG Entropy Gatherer Daemon
DefaultDependencies=no
After=systemd-udev-settle.service
-Before=sysinit.target
+Before=sysinit.target shutdown.target
+Conflicts=shutdown.target
[Service]
ExecStart=@SBINDIR@/rngd -f -r /dev/hwrng
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 17/43] psmisc: Fix dependency for USE_NLS=no
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (15 preceding siblings ...)
2019-09-01 14:35 ` [warrior 16/43] rng-tools: fix very long shutdown delay with systemd Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 18/43] systemd: Backport OpenSSL BUF_MEM fix Armin Kuster
` (25 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Jason Wessel <jason.wessel@windriver.com>
When using USE_NLS="no" in the local.conf psmisc will fail to
compile as follows:
| autoreconf: Entering directory `.'
| autoreconf: running: autopoint --force
| autoreconf: failed to run autopoint: No such file or directory
| autoreconf: autopoint is needed because this package uses Gettext
| ERROR: autoreconf execution failed.
This is because the gettext.bbclass returns gettext-minimal-native for
the host dependency which does not include autopoint. The autopoint
utility is required to build psmisc, so it needs to list
gettext-native as a dependency.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-extended/psmisc/psmisc.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-extended/psmisc/psmisc.inc b/meta/recipes-extended/psmisc/psmisc.inc
index 82ef947..594a10c 100644
--- a/meta/recipes-extended/psmisc/psmisc.inc
+++ b/meta/recipes-extended/psmisc/psmisc.inc
@@ -7,7 +7,7 @@ command sends a specified signal (SIGTERM if nothing is specified) to \
processes identified by name. The fuser command identifies the PIDs \
of processes that are using specified files or filesystems."
SECTION = "base"
-DEPENDS = "ncurses virtual/libintl"
+DEPENDS = "ncurses virtual/libintl gettext-native"
LICENSE = "GPLv2"
SRC_URI = "${SOURCEFORGE_MIRROR}/psmisc/psmisc-${PV}.tar.gz"
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 18/43] systemd: Backport OpenSSL BUF_MEM fix
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (16 preceding siblings ...)
2019-09-01 14:35 ` [warrior 17/43] psmisc: Fix dependency for USE_NLS=no Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-04 11:56 ` Adrian Bunk
2019-09-01 14:35 ` [warrior 19/43] package.bbclass: fix directories setuid and setgid bits Armin Kuster
` (24 subsequent siblings)
42 siblings, 1 reply; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Alex Kiernan <alex.kiernan@gmail.com>
Building `systemd-resolve` from systemd 242 with OpenSSL 1.1.1c and enabling
DNS over TLS ends up calling abort (on 32 bit armhf):
Program terminated with signal SIGABRT, Aborted.
#0 __libc_do_syscall () at libc-do-syscall.S:49
49 libc-do-syscall.S: No such file or directory.
(gdb) where
#0 __libc_do_syscall () at libc-do-syscall.S:49
#1 0xb6940ea4 in __libc_signal_restore_set (set=0xbec68b78) at ../sysdeps/unix/sysv/linux/internal-signals.h:84
#2 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:48
#3 0xb69336e0 in __GI_abort () at abort.c:79
#4 0xb6968428 in __libc_message (action=action@entry=do_abort, fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:181
#5 0xb696c7e6 in malloc_printerr (str=<optimized out>) at malloc.c:5352
#6 0xb696ca1a in munmap_chunk (p=<optimized out>) at malloc.c:2840
#7 0xb6bd1c4a in CRYPTO_clear_realloc (str=0xd0e59a, old_len=388, num=<optimized out>, file=0xb6c300dc "../../../../../../workspace/sources/openssl/crypto/buffer/buffer.c", line=135)
at ../../../../../../workspace/sources/openssl/crypto/mem.c:290
#8 0xb6b5da3a in BUF_MEM_grow_clean (str=0xcfb960, len=len@entry=393) at ../../../../../../workspace/sources/openssl/crypto/buffer/buffer.c:135
#9 0xb6b486a0 in mem_write (b=0xcf8300, in=0xd07c6b "\027\003\003", inl=24) at ../../../../../../workspace/sources/openssl/crypto/bio/bss_mem.c:235
#10 0xb6b45c86 in bwrite_conv (bio=<optimized out>, data=<optimized out>, datal=<optimized out>, written=0xbec68ec8) at ../../../../../../workspace/sources/openssl/crypto/bio/bio_meth.c:77
#11 0xb6b452d4 in bio_write_intern (written=0xbec68ec8, dlen=24, data=0xd07c6b, b=0xcf8300) at ../../../../../../workspace/sources/openssl/crypto/bio/bio_lib.c:343
#12 bio_write_intern (b=0xcf8300, data=0xd07c6b, dlen=24, written=0xbec68ec8) at ../../../../../../workspace/sources/openssl/crypto/bio/bio_lib.c:320
#13 0xb6b455b2 in BIO_write (b=<optimized out>, data=<optimized out>, dlen=<optimized out>) at ../../../../../../workspace/sources/openssl/crypto/bio/bio_lib.c:363
#14 0xb6cabd1a in ssl3_write_pending (s=s@entry=0xcfd2d8, type=type@entry=23, buf=buf@entry=0xcfcc28 "", len=len@entry=2, written=written@entry=0xbec698b0) at ../../../../../../workspace/sources/openssl/ssl/record/rec_layer_s3.c:1146
#15 0xb6cac72e in do_ssl3_write (s=s@entry=0xcfd2d8, type=type@entry=23, buf=buf@entry=0xcfcc28 "", pipelens=pipelens@entry=0xbec698b4, numpipes=numpipes@entry=1, create_empty_fragment=create_empty_fragment@entry=0,
written=written@entry=0xbec698b0) at ../../../../../../workspace/sources/openssl/ssl/record/rec_layer_s3.c:1107
#16 0xb6cac92e in ssl3_write_bytes (s=0xcfd2d8, type=23, buf_=0xcfcc28, len=<optimized out>, written=0xbec699c0) at ../../../../../../workspace/sources/openssl/ssl/record/rec_layer_s3.c:613
#17 0xb6cb1698 in ssl3_write (s=<optimized out>, buf=0xcfcc28, len=2, written=0xbec699c0) at ../../../../../../workspace/sources/openssl/ssl/s3_lib.c:4460
#18 0xb6cb87b2 in ssl_write_internal (s=<optimized out>, buf=buf@entry=0xcfcc28, num=num@entry=2, written=written@entry=0xbec699c0) at ../../../../../../workspace/sources/openssl/ssl/ssl_lib.c:1943
#19 0xb6cb8896 in SSL_write (s=<optimized out>, buf=buf@entry=0xcfcc28, num=num@entry=2) at ../../../../../../workspace/sources/openssl/ssl/ssl_lib.c:1957
#20 0x004ddac8 in dnstls_stream_write (stream=stream@entry=0xcfca60, buf=0xcfcc28 "", count=2) at ../git/src/resolve/resolved-dnstls-openssl.c:270
#21 0x004d8d5c in dns_stream_writev (s=s@entry=0xcfca60, iov=iov@entry=0xbec69b4c, iovcnt=iovcnt@entry=2, flags=flags@entry=0) at ../git/src/resolve/resolved-dns-stream.c:225
#22 0x004d9516 in on_stream_io (es=<optimized out>, fd=<optimized out>, revents=4, userdata=0xcfca60) at ../git/src/resolve/resolved-dns-stream.c:334
#23 0xb6e7f020 in source_dispatch (s=0xcf3658) at ../git/src/libsystemd/sd-event/sd-event.c:2821
#24 0xb6e806b0 in sd_event_dispatch (e=e@entry=0xced6d0) at ../git/src/libsystemd/sd-event/sd-event.c:3234
#25 0xb6e807f6 in sd_event_run (e=0xced6d0, timeout=<optimized out>) at ../git/src/libsystemd/sd-event/sd-event.c:3291
#26 0xb6e809bc in sd_event_loop (e=0xced6d0) at ../git/src/libsystemd/sd-event/sd-event.c:3312
#27 0x004bb64c in run (argv=<optimized out>, argc=<optimized out>) at ../git/src/resolve/resolved.c:84
#28 main (argc=<optimized out>, argv=<optimized out>) at ../git/src/resolve/resolved.c:91
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...lved-Fix-incorrect-use-of-OpenSSL-BUF_MEM.patch | 41 ++++++++++++++++++++++
meta/recipes-core/systemd/systemd_241.bb | 1 +
2 files changed, 42 insertions(+)
create mode 100644 meta/recipes-core/systemd/systemd/0001-resolved-Fix-incorrect-use-of-OpenSSL-BUF_MEM.patch
diff --git a/meta/recipes-core/systemd/systemd/0001-resolved-Fix-incorrect-use-of-OpenSSL-BUF_MEM.patch b/meta/recipes-core/systemd/systemd/0001-resolved-Fix-incorrect-use-of-OpenSSL-BUF_MEM.patch
new file mode 100644
index 0000000..f0ae1db
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-resolved-Fix-incorrect-use-of-OpenSSL-BUF_MEM.patch
@@ -0,0 +1,41 @@
+From 18bddeaaf225d5becfc10cd2c6a1d037c90574a2 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Tue, 11 Jun 2019 15:10:21 +0200
+Subject: [PATCH] resolved: Fix incorrect use of OpenSSL BUF_MEM
+
+Fixes: #12763
+Upstream-Status: Backport [Not yet released]
+ https://github.com/systemd/systemd/commit/18bddeaaf225d5becfc10cd2c6a1d037c90574a2
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+---
+ src/resolve/resolved-dnstls-openssl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/resolve/resolved-dnstls-openssl.c b/src/resolve/resolved-dnstls-openssl.c
+index f269e4d6487f..5d9223007581 100644
+--- a/src/resolve/resolved-dnstls-openssl.c
++++ b/src/resolve/resolved-dnstls-openssl.c
+@@ -6,6 +6,7 @@
+
+ #include <openssl/bio.h>
+ #include <openssl/err.h>
++#include <string.h>
+
+ #include "io-util.h"
+ #include "resolved-dns-stream.h"
+@@ -34,9 +35,11 @@ static int dnstls_flush_write_buffer(DnsStream *stream) {
+ return ss;
+ } else {
+ stream->dnstls_data.write_buffer->length -= ss;
+- stream->dnstls_data.write_buffer->data += ss;
+
+ if (stream->dnstls_data.write_buffer->length > 0) {
++ memmove(stream->dnstls_data.write_buffer->data,
++ stream->dnstls_data.write_buffer->data + ss,
++ stream->dnstls_data.write_buffer->length);
+ stream->dnstls_events |= EPOLLOUT;
+ return -EAGAIN;
+ }
+--
+2.17.1
+
diff --git a/meta/recipes-core/systemd/systemd_241.bb b/meta/recipes-core/systemd/systemd_241.bb
index eb3242d..3ebbbb7 100644
--- a/meta/recipes-core/systemd/systemd_241.bb
+++ b/meta/recipes-core/systemd/systemd_241.bb
@@ -24,6 +24,7 @@ SRC_URI += "file://touchscreen.rules \
file://0005-rules-watch-metadata-changes-in-ide-devices.patch \
file://0001-meson-declare-version.h-as-dep-for-various-targets-t.patch \
file://0001-meson-declare-version.h-as-dependency-for-systemd.patch \
+ file://0001-resolved-Fix-incorrect-use-of-OpenSSL-BUF_MEM.patch \
"
# patches needed by musl
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 19/43] package.bbclass: fix directories setuid and setgid bits
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (17 preceding siblings ...)
2019-09-01 14:35 ` [warrior 18/43] systemd: Backport OpenSSL BUF_MEM fix Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 20/43] qemu: add a patch fixing the native build on newer kernels Armin Kuster
` (23 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Joël Esponde <joel.esponde@easymile.com>
populate_packages relies on ``mkdir`` to both create a directory and set
its permissions. However, ``mkdir`` honors the ``umask`` value.
Therefore, some bits may be lost in the operation. In our case, the
setgid bit on the directories were lost.
This commit fixes this by having a distinct call to create the directory
and to set the permissions.
Signed-off-by: Jean-Tiare Le Bigot <jean-tiare.le-bigot@easymile.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/classes/package.bbclass | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta/classes/package.bbclass b/meta/classes/package.bbclass
index 2c44fc1..472d542 100644
--- a/meta/classes/package.bbclass
+++ b/meta/classes/package.bbclass
@@ -1210,7 +1210,8 @@ python populate_packages () {
src = os.path.join(src, p)
dest = os.path.join(dest, p)
fstat = cpath.stat(src)
- os.mkdir(dest, fstat.st_mode)
+ os.mkdir(dest)
+ os.chmod(dest, fstat.st_mode)
os.chown(dest, fstat.st_uid, fstat.st_gid)
if p not in seen:
seen.append(p)
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 20/43] qemu: add a patch fixing the native build on newer kernels
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (18 preceding siblings ...)
2019-09-01 14:35 ` [warrior 19/43] package.bbclass: fix directories setuid and setgid bits Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:35 ` [warrior 21/43] mesa: Update 19.0.1 -> 19.0.8 Armin Kuster
` (22 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
The build fails on qemu-native if we're using kernels after commit
0768e17073dc527ccd18ed5f96ce85f9985e9115. This adds an upstream
patch that fixes the issue.
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
...fix-to-handle-variably-sized-SIOCGSTAMP-w.patch | 339 +++++++++++++++++++++
2 files changed, 340 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index e503aa8..ecf13dc 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -30,6 +30,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://0018-fix-CVE-2018-20191.patch \
file://0019-fix-CVE-2018-20216.patch \
file://CVE-2019-3812.patch \
+ file://0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch b/meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch
new file mode 100644
index 0000000..f7939b8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch
@@ -0,0 +1,339 @@
+From 8104018ba4c66e568d2583a3a0ee940851ee7471 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrangé <berrange@redhat.com>
+Date: Tue, 23 Jul 2019 17:50:00 +0200
+Subject: [PATCH] linux-user: fix to handle variably sized SIOCGSTAMP with new
+ kernels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The SIOCGSTAMP symbol was previously defined in the
+asm-generic/sockios.h header file. QEMU sees that header
+indirectly via sys/socket.h
+
+In linux kernel commit 0768e17073dc527ccd18ed5f96ce85f9985e9115
+the asm-generic/sockios.h header no longer defines SIOCGSTAMP.
+Instead it provides only SIOCGSTAMP_OLD, which only uses a
+32-bit time_t on 32-bit architectures.
+
+The linux/sockios.h header then defines SIOCGSTAMP using
+either SIOCGSTAMP_OLD or SIOCGSTAMP_NEW as appropriate. If
+SIOCGSTAMP_NEW is used, then the tv_sec field is 64-bit even
+on 32-bit architectures
+
+To cope with this we must now convert the old and new type from
+the target to the host one.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Message-Id: <20190718130641.15294-1-laurent@vivier.eu>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+---
+Uptream-status: Backport (upstream commit: 6d5d5dde9adb5acb32e6b8e3dfbf47fff0f308d2)
+
+ linux-user/ioctls.h | 21 +++++-
+ linux-user/syscall.c | 140 +++++++++++++++++++++++++++++--------
+ linux-user/syscall_defs.h | 30 +++++++-
+ linux-user/syscall_types.h | 6 --
+ 4 files changed, 159 insertions(+), 38 deletions(-)
+
+diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
+index ae8951625f..e6a27ad9d6 100644
+--- a/linux-user/ioctls.h
++++ b/linux-user/ioctls.h
+@@ -219,8 +219,25 @@
+ IOCTL(SIOCGRARP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_arpreq)))
+ IOCTL(SIOCGIWNAME, IOC_W | IOC_R, MK_PTR(MK_STRUCT(STRUCT_char_ifreq)))
+ IOCTL(SIOCGPGRP, IOC_R, MK_PTR(TYPE_INT)) /* pid_t */
+- IOCTL(SIOCGSTAMP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timeval)))
+- IOCTL(SIOCGSTAMPNS, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timespec)))
++
++ /*
++ * We can't use IOCTL_SPECIAL() because it will set
++ * host_cmd to XXX_OLD and XXX_NEW and these macros
++ * are not defined with kernel prior to 5.2.
++ * We must set host_cmd to the same value as in target_cmd
++ * otherwise the consistency check in syscall_init()
++ * will trigger an error.
++ * host_cmd is ignored by the do_ioctl_XXX() helpers.
++ * FIXME: create a macro to define this kind of entry
++ */
++ { TARGET_SIOCGSTAMP_OLD, TARGET_SIOCGSTAMP_OLD,
++ "SIOCGSTAMP_OLD", IOC_R, do_ioctl_SIOCGSTAMP },
++ { TARGET_SIOCGSTAMPNS_OLD, TARGET_SIOCGSTAMPNS_OLD,
++ "SIOCGSTAMPNS_OLD", IOC_R, do_ioctl_SIOCGSTAMPNS },
++ { TARGET_SIOCGSTAMP_NEW, TARGET_SIOCGSTAMP_NEW,
++ "SIOCGSTAMP_NEW", IOC_R, do_ioctl_SIOCGSTAMP },
++ { TARGET_SIOCGSTAMPNS_NEW, TARGET_SIOCGSTAMPNS_NEW,
++ "SIOCGSTAMPNS_NEW", IOC_R, do_ioctl_SIOCGSTAMPNS },
+
+ IOCTL(RNDGETENTCNT, IOC_R, MK_PTR(TYPE_INT))
+ IOCTL(RNDADDTOENTCNT, IOC_W, MK_PTR(TYPE_INT))
+diff --git a/linux-user/syscall.c b/linux-user/syscall.c
+index 96cd4bf86d..6df480e13d 100644
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -37,6 +37,7 @@
+ #include <sched.h>
+ #include <sys/timex.h>
+ #include <sys/socket.h>
++#include <linux/sockios.h>
+ #include <sys/un.h>
+ #include <sys/uio.h>
+ #include <poll.h>
+@@ -1139,8 +1140,9 @@ static inline abi_long copy_from_user_timeval(struct timeval *tv,
+ {
+ struct target_timeval *target_tv;
+
+- if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1))
++ if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1)) {
+ return -TARGET_EFAULT;
++ }
+
+ __get_user(tv->tv_sec, &target_tv->tv_sec);
+ __get_user(tv->tv_usec, &target_tv->tv_usec);
+@@ -1155,8 +1157,26 @@ static inline abi_long copy_to_user_timeval(abi_ulong target_tv_addr,
+ {
+ struct target_timeval *target_tv;
+
+- if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0))
++ if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) {
++ return -TARGET_EFAULT;
++ }
++
++ __put_user(tv->tv_sec, &target_tv->tv_sec);
++ __put_user(tv->tv_usec, &target_tv->tv_usec);
++
++ unlock_user_struct(target_tv, target_tv_addr, 1);
++
++ return 0;
++}
++
++static inline abi_long copy_to_user_timeval64(abi_ulong target_tv_addr,
++ const struct timeval *tv)
++{
++ struct target__kernel_sock_timeval *target_tv;
++
++ if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) {
+ return -TARGET_EFAULT;
++ }
+
+ __put_user(tv->tv_sec, &target_tv->tv_sec);
+ __put_user(tv->tv_usec, &target_tv->tv_usec);
+@@ -1166,6 +1186,48 @@ static inline abi_long copy_to_user_timeval(abi_ulong target_tv_addr,
+ return 0;
+ }
+
++static inline abi_long target_to_host_timespec(struct timespec *host_ts,
++ abi_ulong target_addr)
++{
++ struct target_timespec *target_ts;
++
++ if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1)) {
++ return -TARGET_EFAULT;
++ }
++ __get_user(host_ts->tv_sec, &target_ts->tv_sec);
++ __get_user(host_ts->tv_nsec, &target_ts->tv_nsec);
++ unlock_user_struct(target_ts, target_addr, 0);
++ return 0;
++}
++
++static inline abi_long host_to_target_timespec(abi_ulong target_addr,
++ struct timespec *host_ts)
++{
++ struct target_timespec *target_ts;
++
++ if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) {
++ return -TARGET_EFAULT;
++ }
++ __put_user(host_ts->tv_sec, &target_ts->tv_sec);
++ __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
++ unlock_user_struct(target_ts, target_addr, 1);
++ return 0;
++}
++
++static inline abi_long host_to_target_timespec64(abi_ulong target_addr,
++ struct timespec *host_ts)
++{
++ struct target__kernel_timespec *target_ts;
++
++ if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) {
++ return -TARGET_EFAULT;
++ }
++ __put_user(host_ts->tv_sec, &target_ts->tv_sec);
++ __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
++ unlock_user_struct(target_ts, target_addr, 1);
++ return 0;
++}
++
+ static inline abi_long copy_from_user_timezone(struct timezone *tz,
+ abi_ulong target_tz_addr)
+ {
+@@ -4790,6 +4852,54 @@ static abi_long do_ioctl_kdsigaccept(const IOCTLEntry *ie, uint8_t *buf_temp,
+ return get_errno(safe_ioctl(fd, ie->host_cmd, sig));
+ }
+
++static abi_long do_ioctl_SIOCGSTAMP(const IOCTLEntry *ie, uint8_t *buf_temp,
++ int fd, int cmd, abi_long arg)
++{
++ struct timeval tv;
++ abi_long ret;
++
++ ret = get_errno(safe_ioctl(fd, SIOCGSTAMP, &tv));
++ if (is_error(ret)) {
++ return ret;
++ }
++
++ if (cmd == (int)TARGET_SIOCGSTAMP_OLD) {
++ if (copy_to_user_timeval(arg, &tv)) {
++ return -TARGET_EFAULT;
++ }
++ } else {
++ if (copy_to_user_timeval64(arg, &tv)) {
++ return -TARGET_EFAULT;
++ }
++ }
++
++ return ret;
++}
++
++static abi_long do_ioctl_SIOCGSTAMPNS(const IOCTLEntry *ie, uint8_t *buf_temp,
++ int fd, int cmd, abi_long arg)
++{
++ struct timespec ts;
++ abi_long ret;
++
++ ret = get_errno(safe_ioctl(fd, SIOCGSTAMPNS, &ts));
++ if (is_error(ret)) {
++ return ret;
++ }
++
++ if (cmd == (int)TARGET_SIOCGSTAMPNS_OLD) {
++ if (host_to_target_timespec(arg, &ts)) {
++ return -TARGET_EFAULT;
++ }
++ } else{
++ if (host_to_target_timespec64(arg, &ts)) {
++ return -TARGET_EFAULT;
++ }
++ }
++
++ return ret;
++}
++
+ #ifdef TIOCGPTPEER
+ static abi_long do_ioctl_tiocgptpeer(const IOCTLEntry *ie, uint8_t *buf_temp,
+ int fd, int cmd, abi_long arg)
+@@ -6160,32 +6270,6 @@ static inline abi_long target_ftruncate64(void *cpu_env, abi_long arg1,
+ }
+ #endif
+
+-static inline abi_long target_to_host_timespec(struct timespec *host_ts,
+- abi_ulong target_addr)
+-{
+- struct target_timespec *target_ts;
+-
+- if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1))
+- return -TARGET_EFAULT;
+- __get_user(host_ts->tv_sec, &target_ts->tv_sec);
+- __get_user(host_ts->tv_nsec, &target_ts->tv_nsec);
+- unlock_user_struct(target_ts, target_addr, 0);
+- return 0;
+-}
+-
+-static inline abi_long host_to_target_timespec(abi_ulong target_addr,
+- struct timespec *host_ts)
+-{
+- struct target_timespec *target_ts;
+-
+- if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0))
+- return -TARGET_EFAULT;
+- __put_user(host_ts->tv_sec, &target_ts->tv_sec);
+- __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
+- unlock_user_struct(target_ts, target_addr, 1);
+- return 0;
+-}
+-
+ static inline abi_long target_to_host_itimerspec(struct itimerspec *host_itspec,
+ abi_ulong target_addr)
+ {
+diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
+index 12c8407144..c918419306 100644
+--- a/linux-user/syscall_defs.h
++++ b/linux-user/syscall_defs.h
+@@ -208,16 +208,34 @@ struct target_linger {
+ abi_int l_linger; /* How long to linger for */
+ };
+
++#if defined(TARGET_SPARC64) && !defined(TARGET_ABI32)
++struct target_timeval {
++ abi_long tv_sec;
++ abi_int tv_usec;
++};
++#define target__kernel_sock_timeval target_timeval
++#else
+ struct target_timeval {
+ abi_long tv_sec;
+ abi_long tv_usec;
+ };
+
++struct target__kernel_sock_timeval {
++ abi_llong tv_sec;
++ abi_llong tv_usec;
++};
++#endif
++
+ struct target_timespec {
+ abi_long tv_sec;
+ abi_long tv_nsec;
+ };
+
++struct target__kernel_timespec {
++ abi_llong tv_sec;
++ abi_llong tv_nsec;
++};
++
+ struct target_timezone {
+ abi_int tz_minuteswest;
+ abi_int tz_dsttime;
+@@ -743,8 +761,16 @@ struct target_pollfd {
+ #define TARGET_SIOCATMARK 0x8905
+ #define TARGET_SIOCGPGRP 0x8904
+ #endif
+-#define TARGET_SIOCGSTAMP 0x8906 /* Get stamp (timeval) */
+-#define TARGET_SIOCGSTAMPNS 0x8907 /* Get stamp (timespec) */
++#if defined(TARGET_SH4)
++#define TARGET_SIOCGSTAMP_OLD TARGET_IOR('s', 100, struct target_timeval)
++#define TARGET_SIOCGSTAMPNS_OLD TARGET_IOR('s', 101, struct target_timespec)
++#else
++#define TARGET_SIOCGSTAMP_OLD 0x8906
++#define TARGET_SIOCGSTAMPNS_OLD 0x8907
++#endif
++
++#define TARGET_SIOCGSTAMP_NEW TARGET_IOR(0x89, 0x06, abi_llong[2])
++#define TARGET_SIOCGSTAMPNS_NEW TARGET_IOR(0x89, 0x07, abi_llong[2])
+
+ /* Networking ioctls */
+ #define TARGET_SIOCADDRT 0x890B /* add routing table entry */
+diff --git a/linux-user/syscall_types.h b/linux-user/syscall_types.h
+index b98a23b0f1..4e36983826 100644
+--- a/linux-user/syscall_types.h
++++ b/linux-user/syscall_types.h
+@@ -14,12 +14,6 @@ STRUCT(serial_icounter_struct,
+ STRUCT(sockaddr,
+ TYPE_SHORT, MK_ARRAY(TYPE_CHAR, 14))
+
+-STRUCT(timeval,
+- MK_ARRAY(TYPE_LONG, 2))
+-
+-STRUCT(timespec,
+- MK_ARRAY(TYPE_LONG, 2))
+-
+ STRUCT(rtentry,
+ TYPE_ULONG, MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr),
+ TYPE_SHORT, TYPE_SHORT, TYPE_ULONG, TYPE_PTRVOID, TYPE_SHORT, TYPE_PTRVOID,
+--
+2.21.0
+
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 21/43] mesa: Update 19.0.1 -> 19.0.8
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (19 preceding siblings ...)
2019-09-01 14:35 ` [warrior 20/43] qemu: add a patch fixing the native build on newer kernels Armin Kuster
@ 2019-09-01 14:35 ` Armin Kuster
2019-09-01 14:36 ` [warrior 22/43] qemu: fix CVE-2018-20815 Armin Kuster
` (21 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:35 UTC (permalink / raw)
To: openembedded-core
From: Fabio Berton <fabio.berton@ossystems.com.br>
This commit adds the following changes:
Updates from 19.0.8:
- Mesa 19.0.8 is an emergency bug fix release which fixes a critical
bug found in the 19.0.7 release.
Full log:
https://www.mesa3d.org/relnotes/19.0.8.html
Updates from 19.0.7:
- Mesa 19.0.7 is a bug fix release which fixes bugs found since the
19.0.6 release.
Full log:
https://www.mesa3d.org/relnotes/19.0.7.html
Updates from 19.0.6:
- Mesa 19.0.6 is a bug fix release which fixes bugs found since the
19.0.5 release.
Full log:
https://www.mesa3d.org/relnotes/19.0.6.html
Updates from 19.0.5:
- Mesa 19.0.5 is a bug fix release which fixes bugs found since the
19.0.4 release.
Full log:
https://www.mesa3d.org/relnotes/19.0.5.html
Updates from 19.0.4:
- Mesa 19.0.4 is a bug fix release which fixes bugs found since the
19.0.3 release.
Full log:
https://www.mesa3d.org/relnotes/19.0.4.html
Updates from 19.0.3:
- Mesa 19.0.3 is a bug fix release which fixes bugs found since the
19.0.2 release.
Full log:
https://www.mesa3d.org/relnotes/19.0.3.html
Updates from 19.0.2:
- Mesa 19.0.2 is a bug fix release which fixes bugs found since the
19.0.1 release.
Full log:
https://www.mesa3d.org/relnotes/19.0.2.html
Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-graphics/mesa/{mesa-gl_19.0.1.bb => mesa-gl_19.0.8.bb} | 0
meta/recipes-graphics/mesa/{mesa_19.0.1.bb => mesa_19.0.8.bb} | 4 ++--
2 files changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-graphics/mesa/{mesa-gl_19.0.1.bb => mesa-gl_19.0.8.bb} (100%)
rename meta/recipes-graphics/mesa/{mesa_19.0.1.bb => mesa_19.0.8.bb} (85%)
diff --git a/meta/recipes-graphics/mesa/mesa-gl_19.0.1.bb b/meta/recipes-graphics/mesa/mesa-gl_19.0.8.bb
similarity index 100%
rename from meta/recipes-graphics/mesa/mesa-gl_19.0.1.bb
rename to meta/recipes-graphics/mesa/mesa-gl_19.0.8.bb
diff --git a/meta/recipes-graphics/mesa/mesa_19.0.1.bb b/meta/recipes-graphics/mesa/mesa_19.0.8.bb
similarity index 85%
rename from meta/recipes-graphics/mesa/mesa_19.0.1.bb
rename to meta/recipes-graphics/mesa/mesa_19.0.8.bb
index d90be8a..8cb80b5 100644
--- a/meta/recipes-graphics/mesa/mesa_19.0.1.bb
+++ b/meta/recipes-graphics/mesa/mesa_19.0.8.bb
@@ -7,8 +7,8 @@ SRC_URI = "https://mesa.freedesktop.org/archive/mesa-${PV}.tar.xz \
file://0004-use-PKG_CHECK_VAR-for-defining-WAYLAND_PROTOCOLS_DAT.patch \
"
-SRC_URI[md5sum] = "19636bb3da35c21f43040d31e575d5ce"
-SRC_URI[sha256sum] = "6884163c0ea9e4c98378ab8fecd72fe7b5f437713a14471beda378df247999d4"
+SRC_URI[md5sum] = "9634964d87f1ce8d0230493e43f34c50"
+SRC_URI[sha256sum] = "d017eb53a810c32dabeedf6ca2238ae1e897ce9090e470e9ce1d6c9e3f1b0862"
#because we cannot rely on the fact that all apps will use pkgconfig,
#make eglplatform.h independent of MESA_EGL_NO_X11_HEADER
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 22/43] qemu: fix CVE-2018-20815
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (20 preceding siblings ...)
2019-09-01 14:35 ` [warrior 21/43] mesa: Update 19.0.1 -> 19.0.8 Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 23/43] linux-yocto/4.19: update to 4.19.57 and -rt22 Armin Kuster
` (20 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2018-20815.patch | 38 ++++++++++++++++++++++
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-20815.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index ecf13dc..3de87d3 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -31,6 +31,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://0019-fix-CVE-2018-20216.patch \
file://CVE-2019-3812.patch \
file://0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch \
+ file://CVE-2018-20815.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-20815.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815.patch
new file mode 100644
index 0000000..c9508d9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815.patch
@@ -0,0 +1,38 @@
+From 8bb018af1a7f2b9965f872a4b1121864e73e1b61 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Fri, 14 Dec 2018 13:30:52 +0000
+Subject: [PATCH] device_tree.c: Don't use load_image()
+
+The load_image() function is deprecated, as it does not let the
+caller specify how large the buffer to read the file into is.
+Instead use load_image_size().
+
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Message-id: 20181130151712.2312-9-peter.maydell@linaro.org
+
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/da885fe1ee8b4589047484bd7fa05a4905b52b17]
+CVE: CVE-2018-20815
+Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
+---
+ device_tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/device_tree.c b/device_tree.c
+index 6d9c9726f6..296278e12a 100644
+--- a/device_tree.c
++++ b/device_tree.c
+@@ -91,7 +91,7 @@ void *load_device_tree(const char *filename_path, int *sizep)
+ /* First allocate space in qemu for device tree */
+ fdt = g_malloc0(dt_size);
+
+- dt_file_load_size = load_image(filename_path, fdt);
++ dt_file_load_size = load_image_size(filename_path, fdt, dt_size);
+ if (dt_file_load_size < 0) {
+ error_report("Unable to open device tree file '%s'",
+ filename_path);
+--
+2.17.1
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 23/43] linux-yocto/4.19: update to 4.19.57 and -rt22
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (21 preceding siblings ...)
2019-09-01 14:36 ` [warrior 22/43] qemu: fix CVE-2018-20815 Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 24/43] linux-yocto/4.19: update to v4.19.61 Armin Kuster
` (19 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating the linux-yocto 4.19 recipe to the latest -stable and -rt
releases.
We also integrate a configuration change to support ptests on scsci
targets:
scsi-debug: include core scsi support for standalone inclusion
The -stable changes comprise the following commits:
1a0592436669 Linux 4.19.57
3919d91f4d36 arm64: insn: Fix ldadd instruction encoding
9c423fd89a2b usb: dwc3: Reset num_trbs after skipping
2bbb6b547fbe tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb
89c49e7b6b0a RDMA: Directly cast the sockaddr union to sockaddr
a319c8ff4f09 futex: Update comments and docs about return values of arch futex code
4423a82cbde3 bpf, arm64: use more scalable stadd over ldxr / stxr loop in xadd
436869e0cd6d arm64: futex: Avoid copying out uninitialised stack in failed cmpxchg()
ba6340a7297f bpf: udp: ipv6: Avoid running reuseport's bpf_prog from __udp6_lib_err
79c6a8c09978 bpf: udp: Avoid calling reuseport's bpf_prog from udp_gro
613bc37f74c9 bpf: fix unconnected udp hooks
a7177b94aff4 bpf: fix nested bpf tracepoints with per-cpu data
4992d4af5881 bpf: lpm_trie: check left child of last leftmost node for NULL
5e558f9a6d7b bpf: simplify definition of BPF_FIB_LOOKUP related flags
7d2c0ec20cb2 tun: wake up waitqueues after IFF_UP is set
a08b915457d6 tipc: check msg->req data len in tipc_nl_compat_bearer_disable
fdf3e98e1fd9 tipc: change to use register_pernet_device
32b711f57ce7 team: Always enable vlan tx offload
eeb770d6ab77 sctp: change to hold sk after auth shkey is created successfully
9b7b0aab4750 net: stmmac: set IC bit when transmitting frames with HW timestamp
a373bf728188 net: stmmac: fixed new system time seconds value calculation
7d76fc211609 net: remove duplicate fetch in sock_getsockopt
05dceb60e5dd net/packet: fix memory leak in packet_set_ring()
7c92f3efbad0 ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop
0f3451723ddc bonding: Always enable vlan tx offload
a4709127e5dd af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET
64032e2d9ba8 eeprom: at24: fix unexpected timeout under high load
c22cea5a21b2 irqchip/mips-gic: Use the correct local interrupt map registers
dd9f2fb59e01 SUNRPC: Clean up initialisation of the struct rpc_rqst
b78ad2169282 cpu/speculation: Warn on unsupported mitigations= parameter
27380331755f NFS/flexfiles: Use the correct TCP timeout for flexfiles I/O
01a02a98ab1c KVM: x86/mmu: Allocate PAE root array when using SVM's 32-bit NPT
327460322c7c x86/resctrl: Prevent possible overrun during bitmap operations
1746dc529104 x86/microcode: Fix the microcode load on CPU hotplug for real
690049eddb0c x86/speculation: Allow guests to use SSBD even if host does not
ee71e97285c2 scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck()
2ba0a5009607 dm log writes: make sure super sector log updates are written in order
87cf811ab6fb mm/page_idle.c: fix oops because end_pfn is larger than max_pfn
1192fb703d09 mm: hugetlb: soft-offline: dissolve_free_huge_page() return zero on !PageHuge
aab629188848 mm: soft-offline: return -EBUSY if set_hwpoison_free_buddy_page() fails
bcfed145e583 clk: socfpga: stratix10: fix divider entry for the emac clocks
75f5d78d9fbe fs/binfmt_flat.c: make load_flat_shared_library() work
49e9b499a34d mm/mempolicy.c: fix an incorrect rebind node in mpol_rebind_nodemask
6a811c099186 fs/proc/array.c: allow reporting eip/esp for all coredumping threads
385cacd953b9 usb: dwc3: gadget: Clear req->needs_extra_trb flag on cleanup
6edcdd0e6d8f usb: dwc3: gadget: remove wait_end_transfer
d7ff2e3ff0e0 usb: dwc3: gadget: move requests to cancelled_list
bba5f9878f67 usb: dwc3: gadget: introduce cancelled_list
65e1f3403108 usb: dwc3: gadget: extract dwc3_gadget_ep_skip_trbs()
56092bd50eb9 usb: dwc3: gadget: use num_trbs when skipping TRBs on ->dequeue()
2a2b1c4dc510 usb: dwc3: gadget: track number of TRBs per request
420b1237c79f usb: dwc3: gadget: combine unaligned and zero flags
62805d31969b Revert "usb: dwc3: gadget: Clear req->needs_extra_trb flag on cleanup"
3726d8d0b60f qmi_wwan: Fix out-of-bounds read
cfbe930c7142 net/9p: include trans_common.h to fix missing prototype warning.
6518b4126b3f 9p/trans_fd: put worker reqs on destroy
6fad469c84fc 9p/trans_fd: abort p9_read_work if req status changed
39bf142ae0ca 9p: potential NULL dereference
6490cdf9d29d 9p: p9dirent_read: check network-provided name length
e48e7e27e4df 9p/rdma: remove useless check in cm_event_handler
fb0cbbd8dec7 9p: acl: fix uninitialized iattr access
3dc511c9ccb9 9p: Rename req to rreq in trans_fd
04ee7e7b4795 9p/rdma: do not disconnect on down_interruptible EAGAIN
3665a4d9dca1 9p: Add refcount to p9_req_t
fa3625794f1a 9p: rename p9_free_req() function
be87f21e6b25 9p: add a per-client fcall kmem_cache
1555583b63b3 9p: embed fcall in req to round down buffer allocs
3ea4cf422323 9p: Use a slab for allocating requests
f8bc5f1a3aba 9p/xen: fix check for xenbus_read error in front_probe
a8782ce02687 IB/hfi1: Close PSM sdma_progress sleep window
fec1a13bdfa9 Revert "x86/uaccess, ftrace: Fix ftrace_likely_update() vs. SMAP"
85a3b1ef969b arm64: Don't unconditionally add -Wno-psabi to KBUILD_CFLAGS
6461a4543b34 perf header: Fix unchecked usage of strncpy()
0bf5d53b53c8 perf help: Remove needless use of strncpy()
6e75d9272c92 perf ui helpline: Use strlcpy() as a shorter form of strncpy() + explicit set nul
aec3002d07fd Linux 4.19.56
cd3e49394cb0 powerpc/mm/64s/hash: Reallocate context ids on fork
8c4fe20091cd x86/resctrl: Don't stop walking closids when a locksetup group is found
d451b505b676 mac80211: Do not use stack memory with scatterlist for GMAC
72dc6786d77a nl80211: fix station_info pertid memory leak
1e1007ac47d8 mac80211: handle deauthentication/disassociation from TDLS peer
ccf6a155844b {nl,mac}80211: allow 4addr AP operation on crypto controlled devices
0e879ef1cb5b mac80211: drop robust management frames from unknown TA
17d941dc3033 cfg80211: fix memory leak of wiphy device name
5293c79c6f60 SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of failing write
db7f1076c0bd Bluetooth: Fix regression with minimum encryption key size alignment
5e9a6c68de0f Bluetooth: Align minimum encryption key size for LE and BR/EDR connections
64e370233a07 staging: erofs: add requirements field in superblock
e6803ce36d49 drm/vmwgfx: Use the backdoor port if the HB port is not available
7499528bb078 arm64: ssbd: explicitly depend on <linux/prctl.h>
3e16b5c25466 arm64/sve: <uapi/asm/ptrace.h> should not depend on <uapi/linux/prctl.h>
2296fd59eb30 ARM: dts: am57xx-idk: Remove support for voltage switching for SD card
cc87ab841bb1 ARM: dts: dra76x: Update MMC2_HS200_MANUAL1 iodelay values
03426208d1f9 ARM: imx: cpuidle-imx6sx: Restrict the SW2ISO increase to i.MX6SX
48ee85dc9c52 powerpc/bpf: use unsigned division instruction for 64-bit operations
a96ac5cb8a56 riscv: mm: synchronize MMU after pte change
5ad9a23e6dae can: purge socket error queue on sock destruct
4ea81cc49c59 can: flexcan: fix timeout when set small bitrate
f6a2c8b3c24a can: xilinx_can: use correct bittiming_const for CAN FD core
c592b1c3a994 btrfs: start readahead also in seed devices
17f1dca21d16 nvme: Fix u32 overflow in the number of namespace list calculation
71d019a6dae9 arm64: Silence gcc warnings about arch ABI drift
d72a4c78c124 hwmon: (pmbus/core) Treat parameters as paged if on multiple pages
6029e5818805 hwmon: (core) add thermal sensors only if dev->of_node is present
153f2d97d0d7 s390/qeth: fix VLAN attribute in bridge_hostnotify udev event
cedb209bfa5a net: ipvlan: Fix ipvlan device tso disabled while NETIF_F_IP_CSUM is set
5327e985e61e scsi: smartpqi: unlock on error in pqi_submit_raid_request_synchronous()
04ceb1348973 scsi: ufs: Check that space was properly alloced in copy_query_response
e1a101a9dae9 scripts/checkstack.pl: Fix arm64 wrong or unknown architecture
1f74977c2740 nvmet: fix data_len to 0 for bdev-backed write_zeroes
8388af891e0e drm/arm/hdlcd: Allow a bit of clock tolerance
7c7c88deb14d drm/arm/hdlcd: Actually validate CRTC modes
1fcb0e389538 drm/arm/mali-dp: Add a loop around the second set CVAL and try 5 times
377958c3ff2c net: ethernet: mediatek: Use NET_IP_ALIGN to judge if HW RX_2BYTE_OFFSET is enabled
ee2f9878bc04 net: ethernet: mediatek: Use hw_feature to judge if HWLRO is supported
16cdab63987c sparc: perf: fix updated event period in response to PERF_EVENT_IOC_PERIOD
7b460a9bb13d mdesc: fix a missing-check bug in get_vdev_port_node_info()
6bf97a6cb6ce net: hns: Fix loopback test failed at copper ports
4336ba249b7d net: dsa: mv88e6xxx: avoid error message on remove from VLAN 0
bf51ec92a35e selftests: vm: install test_vmalloc.sh for run_vmtests
a0e8215eb9f8 kselftest/cgroup: fix incorrect test_core skip
59243d6fb45c kselftest/cgroup: fix unexpected testing failure on test_core
9c2eebe31d75 kselftest/cgroup: fix unexpected testing failure on test_memcontrol
ae0d1c08843d xtensa: Fix section mismatch between memblock_reserve and mem_reserve
3089c0ea8a1f MIPS: uprobes: remove set but not used variable 'epc'
63542eb24ab9 IB/hfi1: Validate page aligned for a given virtual address
4d61fc383bb5 IB/{qib, hfi1, rdmavt}: Correct ibv_devinfo max_mr value
830991121773 IB/hfi1: Insure freeze_work work_struct is canceled on shutdown
3fe551cc9e4e IB/rdmavt: Fix alloc_qpn() WARN_ON()
3333e0409424 parisc: Fix compiler warnings in float emulation code
f9dd0f0928a3 parport: Fix mem leak in parport_register_dev_model
4c950c8bb31a fpga: dfl: Add lockdep classes for pdata->lock
505de32ea952 fpga: dfl: afu: Pass the correct device to dma_mapping_error()
7b2145e22247 ARC: [plat-hsdk]: Add missing FIFO size entry in GMAC node
15004afd9845 ARC: [plat-hsdk]: Add missing multicast filter bins number to GMAC node
8f3793bfa3ea dmaengine: sprd: Fix block length overflow
e478abd4ebf7 dmaengine: dw-axi-dmac: fix null dereference when pointer first is null
4c21b761b40e ARC: fix build warnings
d64f99ef010d brcmfmac: sdio: Don't tune while the card is off
0ad82f2eb3f6 brcmfmac: sdio: Disable auto-tuning around commands expected to fail
31c99580687a apparmor: enforce nullbyte at end of tag string
eb2b0bf5c4a4 apparmor: fix PROFILE_MEDIATES for untrusted input
1d08fe254fd6 Input: silead - add MSSL0017 to acpi_device_id
ebd7dda84ec2 Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD
9f3559e4f6cd Input: synaptics - enable SMBus on ThinkPad E480 and E580
e61e41ffcfeb iio: temperature: mlx90632 Relax the compatibility check
303386b31bfb IB/hfi1: Silence txreq allocation warnings
7cc9c9930947 IB/hfi1: Validate fault injection opcode user input
17027034a47b usb: xhci: Don't try to recover an endpoint if port is in error state.
d606a82ccc0a xhci: detect USB 3.2 capable host controllers correctly
e6563039674d usb: chipidea: udc: workaround for endpoint conflict issue
0746b2f50142 scsi: ufs: Avoid runtime suspend possibly being blocked forever
98467b8fda41 mmc: core: Prevent processing SDIO IRQs when the card is suspended
0349dbebbb0b mmc: core: Add sdio_retune_hold_now() and sdio_retune_release()
7ed49e1bf5b3 mmc: core: API to temporarily disable retuning for SDIO CRC errors
4b6d290cc1c1 mmc: sdhci: sdhci-pci-o2micro: Correctly set bus width when tuning
4c15ded55979 s390/ap: rework assembler functions to use unions for in/out register variables
fb48fb155e1b s390/jump_label: Use "jdd" constraint on gcc9
0319ef1d40ff ovl: fix bogus -Wmaybe-unitialized warning
639e8c2f0910 ovl: don't fail with disconnected lower NFS
f1c5aa5eda08 ovl: detect overlapping layers
a00f405e133f ovl: make i_ino consistent with st_ino in more cases
d6623379d895 ovl: fix wrong flags check in FS_IOC_FS[SG]ETXATTR ioctls
3cb5d7fa8f7d ovl: support the FS_IOC_FS[SG]ETXATTR ioctls
76343a1363f8 gcc-9: silence 'address-of-packed-member' warning
6a997c3a239a objtool: Support per-function rodata sections
c493ead38adb tracing: Silence GCC 9 array bounds warning
78778071092e Linux 4.19.55
dad3a9314ac9 tcp: refine memory limit test in tcp_fragment()
63bbbcd8ed53 Linux 4.19.54
e8e448b08450 Abort file_remove_privs() for non-reg. files
465ce9a50f8a coredump: fix race condition between collapse_huge_page() and core dumping
c7fb6b75def2 ocfs2: fix error path kobject memory leak
fedb1b9c9191 mlxsw: spectrum: Prevent force of 56G
114e8135ae00 scsi: libsas: delete sas port if expander discover failed
89ede9d8b5b8 scsi: scsi_dh_alua: Fix possible null-ptr-deref
cb7c6c33d3bb scsi: smartpqi: properly set both the DMA mask and the coherent DMA mask
214c5933ffcf scsi: libcxgbi: add a check for NULL pointer in cxgbi_check_route()
7b9e10944f0d net: phy: dp83867: Set up RGMII TX delay
7698ad8c14c7 net: phylink: ensure consistent phy interface mode
8fb2c7969009 net: sh_eth: fix mdio access in sh_eth_close() for R-Car Gen2 and RZ/A1 SoCs
467f902643f5 arm64: use the correct function type for __arm64_sys_ni_syscall
98fd62e0a157 arm64: use the correct function type in SYSCALL_DEFINE0
c5fdfaedecc2 arm64: fix syscall_fn_t type
df6384e0f42e KVM: PPC: Book3S HV: Don't take kvm->lock around kvm_for_each_vcpu
b376683f6ab1 KVM: PPC: Book3S: Use new mutex to synchronize access to rtas token list
4acce744284c xenbus: Avoid deadlock during suspend due to open transactions
66f33b2bd2d8 xen/pvcalls: Remove set but not used variable
d92ebe0c1d26 ia64: fix build errors by exporting paddr_to_nid()
60a3e3b9e5ec perf record: Fix s390 missing module symbol and warning for non-root users
be0e62666da1 perf namespace: Protect reading thread's namespace
7d523e33f4b6 perf data: Fix 'strncat may truncate' build failure with recent gcc
e9fcebe01822 configfs: Fix use-after-free when accessing sd->s_dentry
ab7a3d9accae ALSA: hda - Force polling mode on CNL for fixing codec communication
7bea5618eaf9 i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr
197501af7ff3 net: aquantia: fix LRO with FCS error
388534d45f04 net: aquantia: tx clean budget logic error
b7ca3f331d57 drm/etnaviv: lock MMU while dumping core
ee61fb4de955 ACPI/PCI: PM: Add missing wakeup.flags.valid checks
bc19b50b80ca net: tulip: de4x5: Drop redundant MODULE_DEVICE_TABLE()
9a3208b66cc1 net: stmmac: update rx tail pointer register to fix rx dma hang issue.
3fbcef3350ab gpio: fix gpio-adp5588 build errors
991ea848a5c9 perf/ring-buffer: Always use {READ,WRITE}_ONCE() for rb->user_page data
c133c9db233d perf/ring_buffer: Add ordering to rb->nest increment
cca19ab29a1a perf/ring_buffer: Fix exposing a temporarily decreased data_head
a35e78220a9f x86/CPU/AMD: Don't force the CPB cap when running under a hypervisor
8e5666cdb36b mISDN: make sure device name is NUL terminated
f3885eecd253 usb: xhci: Fix a potential null pointer dereference in xhci_debugfs_create_endpoint()
930d31a6f344 powerpc/powernv: Return for invalid IMC domain
00ed897d618e clk: ti: clkctrl: Fix clkdm_clk handling
ef4ffa0f0b67 selftests: netfilter: missing error check when setting up veth interface
61c83de6e622 ipvs: Fix use-after-free in ip_vs_in
883ce78cded5 netfilter: nf_queue: fix reinject verdict handling
5a9c29cc2140 perf/x86/intel/ds: Fix EVENT vs. UEVENT PEBS constraints
dd9b6de79b67 Staging: vc04_services: Fix a couple error codes
97605ba68790 net: mvpp2: prs: Use the correct helpers when removing all VID filters
b6a1eabf72a0 net: mvpp2: prs: Fix parser range for VID filtering
4642a659ab96 net/mlx5: Avoid reloading already removed devices
1b201b63b647 vsock/virtio: set SOCK_DONE on peer shutdown
b86a5ccda5c3 tipc: purge deferredq list for each grp member in tipc_group_delete
e1b0c311b790 sunhv: Fix device naming inconsistency between sunhv_console and sunhv_reg
d7fcb54ed2a9 sctp: Free cookie before we memdup a new one
4bb4ba362cc1 nfc: Ensure presence of required attributes in the deactivate_target handler
7530c3f3d5b9 net: openvswitch: do not free vport if register_netdevice() is failed.
fc762c999768 net: dsa: rtl8366: Fix up VLAN filtering
103835df6821 neigh: fix use-after-free read in pneigh_get_next
2980196db6c1 lapb: fixed leak of control-blocks.
7eadfacd2be2 ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero
a5ae5920426e hv_netvsc: Set probe mode to sync
674dc77bd3ec be2net: Fix number of Rx queues used for flow hashing
10faaa359b41 ax25: fix inconsistent lock state in ax25_destroy_timer
9f31eb60d7a2 Linux 4.19.53
90fc261d509e rtc: pcf8523: don't return invalid date when battery is low
04757d0e3789 drm: add fallback override/firmware EDID modes workaround
29a6026624cd drm/edid: abstract override/firmware EDID retrieval
e93ce57f60ca x86/resctrl: Prevent NULL pointer dereference when local MBM is disabled
0257fc9aa53f x86/mm/KASLR: Compute the size of the vmemmap section properly
5e3d10d9375d x86/kasan: Fix boot with 5-level paging and KASAN
ecec31ce4f33 x86/microcode, cpuhotplug: Add a microcode loader CPU hotplug callback
fa982c692b2f RAS/CEC: Fix binary search function
e40db40e45cc RAS/CEC: Convert the timer callback to a workqueue
ca4c34037bb9 timekeeping: Repair ktime_get_coarse*() granularity
0fcd1432f8b0 USB: serial: option: add Telit 0x1260 and 0x1261 compositions
5080fb4b3828 USB: serial: option: add support for Simcom SIM7500/SIM7600 RNDIS mode
d5f20ee10ac0 USB: serial: pl2303: add Allied Telesis VT-Kit3
c00cd066a024 USB: usb-storage: Add new ID to ums-realtek
3c7439e2eab9 USB: Fix chipmunk-like voice when using Logitech C270 for recording audio.
f05b0bf073ef usb: dwc2: host: Fix wMaxPacketSize handling (fix webcam regression)
63feb7e69fdc usb: dwc2: Fix DMA cache alignment issues
15bc8e8d4dad drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define()
328648ac6aa5 drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read
2399b2ac2be7 tools/kvm_stat: fix fields filter for child events
f69f5679ff8f KVM: s390: fix memory slot handling for KVM_SET_USER_MEMORY_REGION
9d8f338c92cc KVM: x86/pmu: do not mask the value that is written to fixed PMUs
04d2a113a283 KVM: x86/pmu: mask the result of rdpmc according to the width of the counters
60b300975e5f KVM: arm/arm64: Move cc/it checks under hyp's Makefile to avoid instrumentation
9366f5dc8409 usbnet: ipheth: fix racing condition
86895090621c tracing: Prevent hist_field_var_ref() from accessing NULL tracing_map_elts
b64df8133c2e selftests/timers: Add missing fflush(stdout) calls
3e1d7417b4d6 selftests: fib_rule_tests: fix local IPv4 address typo
90a564549b4a libnvdimm: Fix compilation warnings with W=1
ccc9ba8d2508 scsi: bnx2fc: fix incorrect cast to u64 on shift operation
d7a32c8a1ce1 platform/x86: pmc_atom: Add several Beckhoff Automation boards to critclk_systems DMI table
1a80d9ff8253 platform/x86: pmc_atom: Add Lex 3I380D industrial PC to critclk_systems DMI table
c0d3e166e16a nvme: fix memory leak for power latency tolerance
ddda7e850bf1 nvme: release namespace SRCU protection before performing controller ioctls
3188fcebbcbd nvme: merge nvme_ns_ioctl into nvme_ioctl
54261634bdf8 nvme: remove the ifdef around nvme_nvm_ioctl
a6515af9b839 nvme: fix srcu locking on error return in nvme_get_ns_from_disk
c4e97af6bff4 arm64/mm: Inhibit huge-vmap with ptdump
0e50da1e7ced scsi: lpfc: add check for loss of ndlp when sending RRQ
334d1a2373af scsi: lpfc: correct rcu unlock issue in lpfc_nvme_info_show
32d3f7d9dec1 scsi: qedi: remove set but not used variables 'cdev' and 'udev'
f3a7a1137ffc scsi: qedi: remove memset/memcpy to nfunc and use func instead
ae3787d433f7 f2fs: fix to avoid accessing xattr across the boundary
32f26da4b769 Drivers: misc: fix out-of-bounds access in function param_set_kgdbts_var
fcc1ce5b4f42 s390/kasan: fix strncpy_from_user kasan checks
eddfe9672ed2 Revert "ALSA: seq: Protect in-kernel ioctl calls with mutex"
731ebeeda51f ALSA: seq: Fix race of get-subscription call vs port-delete ioctls
b52fd8af8db3 ALSA: seq: Protect in-kernel ioctl calls with mutex
82055ad3d3ed x86/uaccess, kcov: Disable stack protector
b08ec06c94fc drm/i915/sdvo: Implement proper HDMI audio support for SDVO
b7398f45e3d6 ASoC: fsl_asrc: Fix the issue about unsupported rate
d7d15ac38ba6 ASoC: cs42xx8: Add regcache mask dirty
c3b85bda41f0 cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css()
e599bfe54305 bcache: only set BCACHE_DEV_WB_RUNNING when cached device attached
973fc2b3434b bcache: fix stack corruption by PRECEDING_KEY()
da3b915a57c3 i2c: acorn: fix i2c warning
d3e58022c017 iommu/arm-smmu: Avoid constant zero in TLBI writes
31e216cf9dc2 ptrace: restore smp_rmb() in __ptrace_may_access()
662b831dde61 signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO
54a20289cbfb mm/vmscan.c: fix trying to reclaim unevictable LRU page
6b9aa7ac48d7 fs/ocfs2: fix race in ocfs2_dentry_attach_lock()
553a1f0d3c69 mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node
b7f8bbbbb973 libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk
88fe03076062 ALSA: firewire-motu: fix destruction of data for isochronous resources
786b1b40dfb9 ALSA: hda/realtek - Update headset mode for ALC256
27effeff4533 ALSA: oxfw: allow PCM capture for Stanton SCS.1m
b59c93226489 Revert "ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops"
9fbd67c56529 HID: wacom: Sync INTUOSP2_BT touch state after each frame if necessary
dd1d71ad57a4 HID: wacom: Correct button numbering 2nd-gen Intuos Pro over Bluetooth
529013533d73 HID: wacom: Send BTN_TOUCH in response to INTUOSP2_BT eraser contact
3e9c0eb15932 HID: wacom: Don't report anything prior to the tool entering range
52a7d604615a HID: wacom: Don't set tool type until we're in range
fa212dd5a604 HID: multitouch: handle faulty Elo touch device
9ae306d8dbc8 nouveau: Fix build with CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT disabled
d54e1b848e99 drm/nouveau: add kconfig option to turn off nouveau legacy contexts. (v3)
6500aa436df4 Linux 4.19.52
59222807fcc9 tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
7f9f8a37e563 tcp: add tcp_min_snd_mss sysctl
ec83921899a5 tcp: tcp_fragment() should apply sane memory limits
c09be31461ed tcp: limit payload size of sacked skbs
7aa823a959e1 Linux 4.19.51
b323914cd033 ALSA: seq: Cover unsubscribe_port() in list_mutex
3af96f3497b7 drm/vc4: fix fb references in async update
afec706807cd ovl: support stacked SEEK_HOLE/SEEK_DATA
22dac6cc9549 ovl: check the capability before cred overridden
b616b9dbc5f6 Revert "drm/nouveau: add kconfig option to turn off nouveau legacy contexts. (v3)"
8e5483aeae0d Revert "Bluetooth: Align minimum encryption key size for LE and BR/EDR connections"
526972e95ef9 percpu: do not search past bitmap when allocating an area
d4d5dce6d329 gpio: vf610: Do not share irq_chip
28229df6ad13 soc: renesas: Identify R-Car M3-W ES1.3
db54e08c5832 usb: typec: fusb302: Check vconn is off when we start toggling
ce183fad3aa8 ARM: exynos: Fix undefined instruction during Exynos5422 resume
384642ff6465 pwm: Fix deadlock warning when removing PWM device
7905b2331338 ARM: dts: exynos: Always enable necessary APIO_1V8 and ABB_1V8 regulators on Arndale Octa
78002e383be7 pwm: tiehrpwm: Update shadow register for disabling PWMs
9fdcb04e80e1 dmaengine: idma64: Use actual device for DMA transfers
da00c89fce7a ice: Add missing case in print_link_msg for printing flow control
456e3563725a gpio: gpio-omap: add check for off wake capable gpios
47d281bbbff9 PCI: xilinx: Check for __get_free_pages() failure
b5a185ee30d7 block, bfq: increase idling for weight-raised queues
e06d7a92796c video: imsttfb: fix potential NULL pointer dereferences
1f2611af4581 video: hgafb: fix potential NULL pointer dereference
5957f6f5aaa6 scsi: qla2xxx: Reset the FCF_ASYNC_{SENT|ACTIVE} flags
c2c7b6fee389 PCI: rcar: Fix 64bit MSI message address handling
dd54e70c47de PCI: rcar: Fix a potential NULL pointer dereference
272f8c3ddd31 net: hns3: return 0 and print warning when hit duplicate MAC
5a286ced4911 power: supply: max14656: fix potential use-before-alloc
901daed2f173 platform/x86: intel_pmc_ipc: adding error handling
613752b3a8fb ARM: OMAP2+: pm33xx-core: Do not Turn OFF CEFUSE as PPA may be using it
668440f6ee3f drm/amd/display: Use plane->color_space for dpp if specified
671fc9007c48 PCI: rpadlpar: Fix leaked device_node references in add/remove paths
b531acbd86d2 ARM: dts: imx6qdl: Specify IMX6QDL_CLK_IPG as "ipg" clock to SDMA
584cabc69aee ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ipg" clock to SDMA
02936545fbea ARM: dts: imx6ul: Specify IMX6UL_CLK_IPG as "ipg" clock to SDMA
36a7fda0595b ARM: dts: imx7d: Specify IMX7D_CLK_IPG as "ipg" clock to SDMA
c84911bb39d1 ARM: dts: imx6sll: Specify IMX6SLL_CLK_IPG as "ipg" clock to SDMA
a2e661f99c4d ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ahb" clock to SDMA
461f4183926c ARM: dts: imx53: Specify IMX5_CLK_IPG as "ahb" clock to SDMA
998860d0384d ARM: dts: imx50: Specify IMX5_CLK_IPG as "ahb" clock to SDMA
70465bbbaeae ARM: dts: imx51: Specify IMX5_CLK_IPG as "ahb" clock to SDMA
57f89084a7e1 soc: rockchip: Set the proper PWM for rk3288
b16594860a30 clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288
8e9dd864d6a7 soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher
f7c0e67054d8 PCI: keystone: Prevent ARM32 specific code to be compiled for ARM64
a357310a5774 platform/chrome: cros_ec_proto: check for NULL transfer function
b78a9b2818d5 i40e: Queues are reserved despite "Invalid argument" error
aeb743dbe936 x86/PCI: Fix PCI IRQ routing table memory leak
47e6a354e248 net: thunderbolt: Unregister ThunderboltIP protocol handler when suspending
31aa2a7a8566 switchtec: Fix unintended mask of MRPC event
4b19a45eed4d iommu/arm-smmu-v3: Don't disable SMMU in kdump kernel
f7883f9b5a67 vfio: Fix WARNING "do not call blocking ops when !TASK_RUNNING"
806e83958482 nfsd: avoid uninitialized variable warning
b4330e4a7c12 nfsd: allow fh_want_write to be called twice
ae35c325d8fd fuse: retrieve: cap requested size to negotiated max_write
1c2e974628d1 nvmem: sunxi_sid: Support SID on A83T and H5
0412a8857198 nvmem: core: fix read buffer in place
962ce4023178 ALSA: hda - Register irq handler after the chip initialization
028b3d8d549e netfilter: nf_flow_table: fix netdev refcnt leak
650a4b7c5d66 netfilter: nf_flow_table: check ttl value in flow offload data path
52d7b067fadf nvme-pci: shutdown on timeout during deletion
6ce2ad24ae9c nvme-pci: unquiesce admin queue on shutdown
e9db931283fd PCI: designware-ep: Use aligned ATU window for raising MSI interrupts
a7f27994b207 misc: pci_endpoint_test: Fix test_reg_bar to be updated in pci_endpoint_test
ed6efdb74438 iommu/vt-d: Set intel_iommu_gfx_mapped correctly
525b5265fd75 blk-mq: move cancel of requeue_work into blk_mq_release
d6c80b609d81 watchdog: fix compile time error of pretimeout governors
0f50c30c8470 watchdog: imx2_wdt: Fix set_timeout for big timeout values
dc58e4027430 netfilter: nf_tables: fix base chain stat rcu_dereference usage
2d433cc9bd31 mips: Make sure dt memory regions are valid
2aed9dfe1e5d netfilter: nf_conntrack_h323: restore boundary check correctness
d0941980fd81 netfilter: nf_flow_table: fix missing error check for rhashtable_insert_fast
217ec4a6e4ef mmc: mmci: Prevent polling for busy detection in IRQ context
06382ad6cf31 ovl: do not generate duplicate fsnotify events for "fake" path
5fbe39bfd1e0 PCI: dwc: Free MSI IRQ page in dw_pcie_free_msi()
a6b79e2c7c02 PCI: dwc: Free MSI in dw_pcie_host_init() error path
a4aa02826701 uml: fix a boot splat wrt use of cpu_all_mask
4dc146d47fea configfs: fix possible use-after-free in configfs_register_group
5329dcafead2 percpu: remove spurious lock dependency between percpu and sched
8d7ebdd109b4 f2fs: fix to do checksum even if inode page is uptodate
640248545436 f2fs: fix to do sanity check on valid block count of segment
101e48feb661 f2fs: fix to use inline space only if inline_xattr is enable
45624f0e8142 f2fs: fix to avoid panic in dec_valid_block_count()
47a92acf9ebf f2fs: fix to clear dirty inode in error path of f2fs_iget()
ca9fcbc5a5f5 f2fs: fix to do sanity check on free nid
f3aa313d0d4f f2fs: fix to avoid panic in f2fs_remove_inode_page()
0325c5cce544 f2fs: fix to avoid panic in f2fs_inplace_write_data()
8490bf2d6176 f2fs: fix to avoid panic in do_recover_data()
0b50d08c5d85 ntp: Allow TAI-UTC offset to be set to zero
102f6e1249fb mailbox: stm32-ipcc: check invalid irq
c5b2c8249ff3 pwm: meson: Use the spin-lock only to protect register modifications
689fe88d51aa EDAC/mpc85xx: Prevent building as a module
f9ee13ce21db bpf: fix undefined behavior in narrow load handling
991b51048c49 drm/nouveau/kms/gv100-: fix spurious window immediate interlocks
20e1a16702d9 objtool: Don't use ignore flag for fake jumps
124c23dca3ac drm/bridge: adv7511: Fix low refresh rate selection
2a3f2b43a9e3 drm/nouveau/kms/gf119-gp10x: push HeadSetControlOutputResource() mthd when encoders change
f9706dd945e9 perf/x86/intel: Allow PEBS multi-entry in watermark mode
5540d0146151 mfd: twl6040: Fix device init errors for ACCCTL register
3b8892bea9eb drm/nouveau/disp/dp: respect sink limits when selecting failsafe link configuration
e9a8c9805f58 mfd: intel-lpss: Set the device in reset state when init
12c57327a128 mfd: tps65912-spi: Add missing of table registration
1196b79a20f7 drivers: thermal: tsens: Don't print error message on -EPROBE_DEFER
fd77a5117721 thermal: rcar_gen3_thermal: disable interrupt in .remove
c50c4fb0cb62 kernel/sys.c: prctl: fix false positive in validate_prctl_map()
515d18ced8e1 mm/slab.c: fix an infinite loop in leaks_show()
13e1ea0881da mm/cma_debug.c: fix the break condition in cma_maxchunk_get()
38c5fce7fc48 mm: page_mkclean vs MADV_DONTNEED race
77a01e33570c mm/cma.c: fix the bitmap status to show failed allocation reason
25511676362d initramfs: free initrd memory if opening /initrd.image fails
e5f8857ea972 mm/cma.c: fix crash on CMA allocation if bitmap allocation fails
5094a85d6d93 mem-hotplug: fix node spanned pages when we have a node with only ZONE_MOVABLE
ffaafd27b067 hugetlbfs: on restore reserve error path retain subpool reservation
85e1a6c4b3e5 mm/hmm: select mmu notifier when selecting HMM
e0c3fc1f8fe3 ARM: prevent tracing IPI_CPU_BACKTRACE
4d3811a60e10 drm/pl111: Initialize clock spinlock early
20de754a7d88 ipc: prevent lockup on alloc_msg and free_msg
91ae202e2c88 sysctl: return -EINVAL if val violates minmax
5b6619b4d206 fs/fat/file.c: issue flush after the writeback of FAT
2a89e4c5ee2e rapidio: fix a NULL pointer dereference when create_workqueue() fails
768292d05361 Linux 4.19.50
51dc284e2a87 ethtool: check the return value of get_regs_len
645fa685bb20 ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled
ec8a9eb2a6c1 TTY: serial_core, add ->install
6bdc692f5c9e drm/i915/gvt: Initialize intel_gvt_gtt_entry in stack
fbb7e114e6e6 drm: don't block fb changes for async plane updates
6600ec2600d6 drm/i915: Maintain consistent documentation subsection ordering
360e00e290a3 drm/i915/fbc: disable framebuffer compression on GeminiLake
554f4253700e drm/i915: Fix I915_EXEC_RING_MASK
f3dcc88d531f drm/amdgpu: remove ATPX_DGPU_REQ_POWER_FOR_DISPLAYS check when hotplug-in
84c82ab8f133 drm/radeon: prefer lower reference dividers
748a97ec6c15 drm/amdgpu/psp: move psp version specific function pointers to early_init
98a8cb0282ab drm: add non-desktop quirks to Sensics and OSVR headsets.
610382337557 drm/nouveau: add kconfig option to turn off nouveau legacy contexts. (v3)
490290b0415f drm: add non-desktop quirk for Valve HMDs
ac222e8a50af drm/msm: fix fb references in async update
6470aa05ae15 drm/gma500/cdv: Check vbt config bits when detecting lvds panels
7fbcb7d1031d test_firmware: Use correct snprintf() limit
67bdeb0c6f5c genwqe: Prevent an integer overflow in the ioctl
221c44d2d7fa Revert "MIPS: perf: ath79: Fix perfcount IRQ assignment"
2d9d3ab541a6 MIPS: pistachio: Build uImage.gz by default
eee609635076 MIPS: Bounds check virt_addr_valid
b9b75a460076 xen-blkfront: switch kcalloc to kvcalloc for large array allocation
7aad9269a6e8 s390/mm: fix address space detection in exception handling
7737eff01711 i2c: xiic: Add max_read_len quirk
b598ddc7b9fc x86/insn-eval: Fix use-after-free access to LDT entry
4d166206cf41 x86/power: Fix 'nosmt' vs hibernation triple fault during resume
f4d0227ff170 pstore/ram: Run without kernel crash dump region
aa73a3b205a4 pstore: Set tfm to NULL on free_buf_for_compression
d4128a1b580c pstore: Convert buf_lock to semaphore
c63ce7166daf pstore: Remove needless lock during console writes
a3b8b4ad6db7 fuse: fallocate: fix return with locked inode
56e3f73e838a NFSv4.1: Fix bug only first CB_NOTIFY_LOCK is handled
ea0327b47754 NFSv4.1: Again fix a race where CB_NOTIFY_LOCK fails to wake a waiter
384c1d931b5e parisc: Use implicit space register selection for loading the coherence index of I/O pdirs
6726307d2008 rcu: locking and unlocking need to always be at least barriers
39e597d283b0 mtd: spinand: macronix: Fix ECC Status Read
2488b9f9afde ipv6: fix EFAULT on sendto with icmpv6 and hdrincl
0b16d956ee5b ipv6: use READ_ONCE() for inet->hdrincl as in ipv4
d769853dbdaa Revert "fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied"
396244b6ecf0 pktgen: do not sleep with the thread lock held.
da096fe1a6a4 packet: unconditionally free po->rollover
be0343af1291 net/tls: replace the sleeping lock around RX resync with a bit lock
9740f4ff1a66 net: sfp: read eeprom in maximum 16 byte increments
7700d5afff30 net: rds: fix memory leak in rds_ib_flush_mr_pool
c6a020e0117f net: mvpp2: Use strscpy to handle stat strings
d305d61fcf96 net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query
831d6d077874 net: ethernet: ti: cpsw_ethtool: fix ethtool ring param set
893e2a5f5cf6 neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit
9fd19a3b4f61 ipv6: fix the check before getting the cookie in rt6_get_cookie
daa11cc841d6 ipv4: not do cache for local delivery if bc_forwarding is enabled
05b933f25a83 Fix memory leak in sctp_process_init
d6782b8c5c18 ethtool: fix potential userspace buffer overflow
bb7b450e61a1 Linux 4.19.49
9861e2cd4616 media: uvcvideo: Fix uvc_alloc_entity() allocation alignment
b52ca352489b of: overlay: set node fields from properties when add new overlay node
15151d0013c9 of: overlay: validate overlay properties #address-cells and #size-cells
26dace362e7f scsi: lpfc: Fix backport of faf5a744f4f8 ("scsi: lpfc: avoid uninitialized variable warning")
ca309fef7a69 x86/kprobes: Set instruction page as executable
b49ca4bf1b9c x86/ftrace: Set trampoline pages as executable
6fa953c94882 x86/ftrace: Do not call function graph from dynamic trampolines
9d57cfd4e9d8 binder: fix race between munmap() and direct reclaim
137c838f177b Revert "binder: fix handling of misaligned binder object"
385dab299c8a Revert "x86/build: Move _etext to actual end of .text"
9468870f7cbd include/linux/module.h: copy __init/__exit attrs to init/cleanup_module
2a0f719db71c Compiler Attributes: add support for __copy (gcc >= 9)
390a0fd31b02 drm/lease: Make sure implicit planes are leased
699f0e9d24c8 drm/rockchip: shutdown drm subsystem on shutdown
1ca811507e41 drm/sun4i: Fix sun8i HDMI PHY configuration for > 148.5 MHz
1f1372206e0b drm/sun4i: Fix sun8i HDMI PHY clock initialization
3a20515c3c44 drm/vmwgfx: Don't send drm sysfs hotplug events on initial master set
1715a46322fa drm/tegra: gem: Fix CPU-cache maintenance for BO's allocated using get_pages()
132137d1bfa1 gcc-plugins: Fix build failures under Darwin host
873041930dab Revert "lockd: Show pid of lockd for remote locks"
297a251062c0 CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM
32d57c0c063c cifs: fix memory leak of pneg_inbuf on -EOPNOTSUPP ioctl case
f6a39f877feb staging: wlan-ng: fix adapter initialization failure
27a4b6c8c1cf staging: vc04_services: prevent integer overflow in create_pagelist()
3078e80b03c8 serial: sh-sci: disable DMA for uart_console
ff818b449a5b vt/fbcon: deinitialize resources in visual_init() after failed memory allocation
6e322a9e42cd evm: check hash algorithm passed to init_desc()
f85b87a9a2a8 ima: show rules with IMA_INMASK correctly
21158982f6b7 doc: Cope with Sphinx logging deprecations
c0742228bba6 doc: Cope with the deprecation of AutoReporter
301b18edbf56 docs: Fix conf.py for Sphinx 2.0
871953434bd9 arm64: Fix the arm64_personality() syscall wrapper redirection
6f8d26270ce3 kernel/signal.c: trace_signal_deliver when signal_group_exit
8b057ad846c5 memcg: make it work on sparse non-0-node systems
4e29e2ecf186 tty: max310x: Fix external crystal register setup
a071517b85cc tty: serial: msm_serial: Fix XON/XOFF
bb03290431bc i2c: synquacer: fix synquacer_i2c_doxfer() return value
d2d8f6401254 i2c: mlxcpld: Fix wrong initialization order in probe
88ad86b80782 drm/nouveau/i2c: Disable i2c bus access after ->fini()
6a2fbec70766 KVM: s390: Do not report unusabled IDs via KVM_CAP_MAX_VCPU_ID
3834630ef4d3 ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops
9cfd6c36759b ALSA: hda/realtek - Set default power save node to 0
eb2eeec920fb ALSA: line6: Assure canceling delayed work at disconnection
ca221cf9ab6f powerpc/perf: Fix MMCRA corruption by bhrb_filter
55a94d81f536 KVM: PPC: Book3S HV: XIVE: Do not clear IRQ data of passthrough interrupts
badbe1abbd59 s390/crypto: fix possible sleep during spinlock aquired
83c874cf6861 s390/crypto: fix gcm-aes-s390 selftest failures
5dede5c9e605 iio: adc: ti-ads8688: fix timestamp is not updated in buffer
06c5ec6fd0b1 iio: dac: ds4422/ds4424 fix chip verification
8a652fd142c3 Btrfs: incremental send, fix file corruption when no-holes feature is enabled
a81071110d25 Btrfs: fix fsync not persisting changed attributes of a directory
37fe038328a2 Btrfs: fix race updating log root item during fsync
7301bbeae98f Btrfs: fix wrong ctime and mtime of a directory after log replay
da32e0303d5f tracing: Avoid memory leak in predicate_parse()
9756c7e0cdc7 scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs)
e8bd0dffe816 scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove
c18a0ecc411a brcmfmac: fix NULL pointer derefence during USB disconnect
1f64751af190 media: smsusb: better handle optional alignment
e6df98cafc9c media: usb: siano: Fix false-positive "uninitialized variable" warning
35b104456652 media: usb: siano: Fix general protection fault in smsusb
b4c1b4a61f78 USB: rio500: fix memory leak in close after disconnect
d2d93077bac3 USB: rio500: refuse more than one device at a time
d8c1703932bc USB: Add LPM quirk for Surface Dock GigE adapter
d27ea5e9eb4a USB: sisusbvga: fix oops in error path of sisusb_probe
a43bb9e83155 USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor
2fc485b0008e usbip: usbip_host: fix stub_dev lock context imbalance regression
e3724d69b732 usbip: usbip_host: fix BUG: sleeping function called from invalid context
9690202da222 usb: xhci: avoid null pointer deref when bos field is NULL
8e30ba04a20a xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()
32adfa3d92e7 xhci: Use %zu for printing size_t type
eebcff780603 xhci: update bounce buffer with correct sg num
759766bf2aec include/linux/bitops.h: sanitize rotate primitives
89156c1005d2 sparc64: Fix regression in non-hypervisor TLB flush xcall
e109a984cf38 Linux 4.19.48
ca75a9fc5ba4 tipc: fix modprobe tipc failed after switch order of device registration
ab69a2304210 Revert "tipc: fix modprobe tipc failed after switch order of device registration"
99dcf4a4dd2e xen/pciback: Don't disable PCI_COMMAND on PCI device reset.
0276ebf16675 jump_label: move 'asm goto' support test to Kconfig
753328727cab compiler.h: give up __compiletime_assert_fallback()
fd45cd4530eb include/linux/compiler*.h: define asm_volatile_goto
2bb9c7e42836 crypto: vmx - ghash: do nosimd fallback manually
fb6cf4f3704b net/tls: don't ignore netdev notifications if no TLS features
fb69403ec2ff net/tls: fix state removal with feature flags off
27d8ad1d8ea9 bnxt_en: Fix aggregation buffer leak under OOM condition.
a1a926fc68c7 net: stmmac: dma channel control register need to be init first
1db0bcc27c78 net/mlx5e: Disable rxhash when CQE compress is enabled
e0d95806b05d net/mlx5: Allocate root ns memory using kzalloc to match kfree
4421d31753ec tipc: Avoid copying bytes beyond the supplied data
06442f45e5cf net/mlx5: Avoid double free in fs init error unwinding path
fb836d014e37 usbnet: fix kernel crash after disconnect
191989817df9 net: stmmac: fix reset gpio free missing
6ab968473140 net: sched: don't use tc_action->order during action dump
33f737a4307d net: phy: marvell10g: report if the PHY fails to boot firmware
c2d4b2feb057 net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value
de9d6a730cc0 net: mvneta: Fix err code path of probe
39fd0dc4a556 net-gro: fix use-after-free read in napi_gro_frags()
4294c3475035 net: fec: fix the clk mismatch in failed_reset path
566dc17b993d net: dsa: mv88e6xxx: fix handling of upper half of STATS_TYPE_PORT
2d04f32c8861 llc: fix skb leak in llc_build_and_send_ui_pkt()
442176668ecf ipv6: Fix redirect with VRF
ed753b394321 ipv6: Consider sk_bound_dev_if when binding a raw socket to an address
46702dd5d504 ipv4/igmp: fix build error if !CONFIG_IP_MULTICAST
e9f94e480f3e ipv4/igmp: fix another memory leak in igmpv3_del_delrec()
07480da0c8a1 inet: switch IP ID generator to siphash
9c9144e78996 cxgb4: offload VLAN flows regardless of VLAN ethtype
3cde0a250845 bonding/802.3ad: fix slave link initialization transition states
0df021b2e841 Linux 4.19.47
26433652f0e4 NFS: Fix a double unlock from nfs_match,get_client
1a686177acde drm/sun4i: dsi: Enforce boundaries on the start delay
6956c0e3cf33 vfio-ccw: Prevent quiesce function going into an infinite loop
476e87eb7f78 drm/sun4i: dsi: Change the start delay calculation
00734a9e7329 drm: Wake up next in drm_read() chain if we are forced to putback the event
d6dea92a4862 drm/drv: Hold ref on parent device during drm_device lifetime
473bc1af7a22 drm/v3d: Handle errors from IRQ setup.
b9c8f86f50ac ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM
cc211863ac79 spi: Fix zero length xfer bug
8f7f333af9f6 spi: imx: stop buffer overflow in RX FIFO flush
3ae1817a29e7 spi: rspi: Fix sequencer reset during initialization
676aec9b8f11 drm/omap: dsi: Fix PM for display blank with paired dss_pll calls
bdc095631d50 spi : spi-topcliff-pch: Fix to handle empty DMA buffers
98eb1b80fea7 scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices
755dc83020a5 media: saa7146: avoid high stack usage with clang
584e06c0ed20 scsi: lpfc: Fix fc4type information for FDMI
aecb245fdd90 scsi: lpfc: Fix FDMI manufacturer attribute value
4192c77f50dc media: vimc: zero the media_device on probe
fd1ade15f299 media: go7007: avoid clang frame overflow warning with KASAN
6d16d2e130e4 media: gspca: do not resubmit URBs when streaming has stopped
acf41fb8df45 media: vimc: stream: fix thread state before sleep
aeea87865aa7 scsi: ufs: fix a missing check of devm_reset_control_get
62e79f4c6bc0 drm/amd/display: Set stream->mode_changed when connectors change
fc5293ab6c48 drm/amd/display: Fix Divide by 0 in memory calculations
91435fce9b24 media: staging: davinci_vpfe: disallow building with COMPILE_TEST
f51db48c1220 media: m88ds3103: serialize reset messages in m88ds3103_set_frontend
e93677055a5a media: dvbsky: Avoid leaking dvb frontend
ab934f0ac158 media: si2165: fix a missing check of return value
561bd5615604 igb: Exclude device from suspend direct complete optimization
b6bc20249423 tinydrm/mipi-dbi: Use dma-safe buffers for all SPI transfers
5ec9ba494db2 e1000e: Disable runtime PM on CNP+
495e34e62c3b thunderbolt: property: Fix a NULL pointer dereference
70611b1b81c4 drm/amd/display: fix releasing planes when exiting odm
988dab7f5778 thunderbolt: Fix to check for kmemdup failure
877a202f9b27 thunderbolt: Fix to check return value of ida_simple_get
b9291078edce hwrng: omap - Set default quality
6b2d1934d1f9 dmaengine: tegra210-adma: use devm_clk_*() helpers
25204fe6a3f8 batman-adv: allow updating DAT entry timeouts on incoming ARP Replies
a2ace9b24387 selinux: avoid uninitialized variable warning
c7595096daf9 scsi: lpfc: avoid uninitialized variable warning
ac9149bc1402 scsi: qla4xxx: avoid freeing unallocated dma memory
239156e0c04a usb: core: Add PM runtime calls to usb_hcd_platform_shutdown
506b28fb9982 rcuperf: Fix cleanup path for invalid perf_type strings
75a96196d4c4 x86/mce: Handle varying MCA bank counts
aa7919e37fee rcutorture: Fix cleanup path for invalid torture_type strings
3d036cbaab92 x86/mce: Fix machine_check_poll() tests for error types
3c2b1ae4410c overflow: Fix -Wtype-limits compilation warnings
19ae270d1ce0 tty: ipwireless: fix missing checks for ioremap
3392cc5f3ce3 virtio_console: initialize vtermno value for ports
e819d4a13688 scsi: qedf: Add missing return in qedf_post_io_req() in the fcport offload check
dc0f37b780e9 timekeeping: Force upper bound for setting CLOCK_REALTIME
ee40c8a3efc2 thunderbolt: Fix to check the return value of kmemdup
c8eecd658220 thunderbolt: property: Fix a missing check of kzalloc
1de8f9653585 efifb: Omit memory map check on legacy boot
356f05fdd490 media: gspca: Kill URBs on USB device disconnect
2a9331ced525 media: wl128x: prevent two potential buffer overflows
6b5693f20dd8 media: video-mux: fix null pointer dereferences
bc75207a54dd kobject: Don't trigger kobject_uevent(KOBJ_REMOVE) twice.
ba906246e38b spi: tegra114: reset controller on probe
2cd236c27157 HID: logitech-hidpp: change low battery level threshold from 31 to 30 percent
fb2c65b4a279 cxgb3/l2t: Fix undefined behaviour
71efe4c70afc ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put
b6b7a78cf997 ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put
69f67200cfd6 HID: core: move Usage Page concatenation to Main item
256f63c6806d sh: sh7786: Add explicit I/O cast to sh7786_mm_sel()
8ea279184619 RDMA/hns: Fix bad endianess of port_pd variable
65ec64f28a88 chardev: add additional check for minor range overlap
fc242af86d07 x86/uaccess: Fix up the fixup
5007453c7144 x86/ia32: Fix ia32_restore_sigcontext() AC leak
4614b0bb8f65 x86/uaccess, signal: Fix AC=1 bloat
1a3188d737ce x86/uaccess, ftrace: Fix ftrace_likely_update() vs. SMAP
da30c277c4fd wil6210: fix return code of wmi_mgmt_tx and wmi_mgmt_tx_ext
e667aef54f8a arm64: cpu_ops: fix a leaked reference by adding missing of_node_put
e3980dbef43a drm/panel: otm8009a: Add delay at the end of initialization
cb5946e5c86a scsi: ufs: Avoid configuring regulator with undefined voltage range
31318d4ae3ae scsi: ufs: Fix regulator load and icc-level configuration
c9e44a1a734a rtlwifi: fix potential NULL pointer dereference
bd2ab045df4a rtc: xgene: fix possible race condition
e29aba14e8db brcmfmac: fix Oops when bringing up interface during USB disconnect
8a412ed97184 brcmfmac: fix race during disconnect when USB completion is in progress
ce55a5941ed4 brcmfmac: fix WARNING during USB disconnect in case of unempty psq
4b2f0ebc306b brcmfmac: convert dev_init_lock mutex to completion
59ec3ad30ab8 b43: shut up clang -Wuninitialized variable warning
7c9d97f3b11d brcmfmac: fix missing checks for kmemdup
a27ce4840f89 mwifiex: Fix mem leak in mwifiex_tm_cmd
7be8d4251bf7 rtlwifi: fix a potential NULL pointer dereference
f8f54929bd23 selftests/bpf: ksym_search won't check symbols exists
ef8e5a78406d iio: adc: ti-ads7950: Fix improper use of mlock
36a59a036896 iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data
dd106d198dee iio: hmc5843: fix potential NULL pointer dereferences
d7c773412f4b iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion
ce59174d4e69 drm/pl111: fix possible object reference leak
e758471be038 x86/build: Keep local relocations with ld.lld
2b18febc8cdc block: sed-opal: fix IOC_OPAL_ENABLE_DISABLE_MBR
9d8b1d5db780 cpufreq: kirkwood: fix possible object reference leak
f9ead9f4d145 cpufreq: pmac32: fix possible object reference leak
513a7f8e8929 cpufreq/pasemi: fix possible object reference leak
9612f4040f05 cpufreq: ppc_cbe: fix possible object reference leak
f8a91441b2a1 qmi_wwan: Add quirk for Quectel dynamic config
1b6141cd052b selftests: cgroup: fix cleanup path in test_memcg_subtree_control()
9c594cae285c s390: cio: fix cio_irb declaration
c3c614380548 s390/mm: silence compiler warning when compiling without CONFIG_PGSTE
a07de9b98fbf x86/microcode: Fix the ancient deprecated microcode loading method
a3713f2cebdc s390: zcrypt: initialize variables before_use
e91146984939 clk: rockchip: Make rkpwm a critical clock on rk3288
c9aa87e5f345 extcon: arizona: Disable mic detect if running when driver is removed
822342658459 clk: rockchip: Fix video codec clocks on rk3288
cbaab786ee67 PM / core: Propagate dev->power.wakeup_path when no callbacks
d8a36f841803 drm/amdgpu: fix old fence check in amdgpu_fence_emit
e107bc69cc59 mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support
019ca0bf8d91 mmc: sdhci-of-esdhc: add erratum A-009204 support
80118cba1f78 mmc: sdhci-of-esdhc: add erratum eSDHC5 support
fa291e89997a mmc_spi: add a status check for spi_sync_locked
059c2f5326a0 mmc: core: make pwrseq_emmc (partially) support sleepy GPIO controllers
aa06e61237ab scsi: libsas: Do discovery on empty PHY to update PHY info
4e98f3b11a7a hwmon: (f71805f) Use request_muxed_region for Super-IO accesses
8cfe000d0a69 hwmon: (pc87427) Use request_muxed_region for Super-IO accesses
48b31e8a025f hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses
e7dbe597ea55 hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses
fbdce79e7c3b hwmon: (vt1211) Use request_muxed_region for Super-IO accesses
1cd4902d9088 perf/x86/intel/cstate: Add Icelake support
ea6ff1bb3d00 perf/x86/intel/rapl: Add Icelake support
3a9a1fd14b27 perf/x86/msr: Add Icelake support
9754bab2057e RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure
b0f6ac8c81e0 arm64: vdso: Fix clock_getres() for CLOCK_REALTIME
9082058b549a ACPI/IORT: Reject platform device creation on NUMA node mapping failure
4a9c84499e11 i40e: don't allow changes to HW VLAN stripping on active port VLANs
e3e8cdacdcce i40e: Able to add up to 16 MAC filters on an untrusted VF
267b3c6b3f45 phy: mapphone-mdm6600: add gpiolib dependency
3ecda6884660 phy: sun4i-usb: Make sure to disable PHY0 passby for peripheral mode
63b4f89d03c2 drm: etnaviv: avoid DMA API warning when importing buffers
f843f848c567 x86/irq/64: Limit IST stack overflow check to #DB stack
97abdfa81f1c USB: core: Don't unbind interfaces following device reset failure
3711c9885278 s390/qeth: handle error from qeth_update_from_chp_desc()
5d5652b51c87 thunderbolt: Take domain lock in switch sysfs attribute callbacks
afee27f38253 irq_work: Do not raise an IPI when queueing work on the local CPU
dee2faf0ac0c drm/msm: a5xx: fix possible object reference leak
e0b75a798651 staging: vc04_services: handle kzalloc failure
355673f80835 sched/core: Handle overflow in cpu_shares_write_u64
7053046e350f sched/rt: Check integer overflow at usec to nsec conversion
925275d0cc5d sched/core: Check quota and period overflow at usec to nsec conversion
4e4d5cea79a7 cgroup: protect cgroup->nr_(dying_)descendants by css_set_lock
944c58523731 random: add a spinlock_t to struct batched_entropy
6fa6381a2da0 random: fix CRNG initialization when random.trust_cpu=1
fec8a09f79ec powerpc/64: Fix booting large kernels with STRICT_KERNEL_RWX
f488832c2099 powerpc/numa: improve control of topology updates
ad393793794e block: fix use-after-free on gendisk
30f8da71c730 iio: adc: stm32-dfsdm: fix unmet direct dependencies detected
11ad52770a42 media: pvrusb2: Prevent a buffer overflow
a90ce66af211 media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable()
2096b3ba3274 media: stm32-dcmi: fix crash when subdev do not expose any formats
6c21fa849a5a audit: fix a memory leak bug
9fcfaab61420 media: ov2659: make S_FMT succeed even if requested format doesn't match
e3a9d646ecf2 media: au0828: stop video streaming only when last user stops
3ccd89123b67 media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper
81a0b6ff0209 media: coda: clear error return value before picture run
83544b04a406 dmaengine: at_xdmac: remove BUG_ON macro in tasklet
bfb9e836cf26 perf/arm-cci: Remove broken race mitigation
2d1df7fada2d clk: rockchip: undo several noc and special clocks as critical on rk3288
86a1de9c8d76 pinctrl: samsung: fix leaked of_node references
c3933fd4a8ee pinctrl: pistachio: fix leaked of_node references
12e7faac49e2 HID: logitech-hidpp: use RAP instead of FAP to get the protocol version
1eafabe144f4 Bluetooth: hci_qca: Give enough time to ROME controller to bootup.
189b396a2580 mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions
f46ae1cd7cec x86/mm: Remove in_nmi() warning from 64-bit implementation of vmalloc_fault()
3dc1e338ae5f smpboot: Place the __percpu annotation correctly
0fcb3cd5af98 x86/build: Move _etext to actual end of .text
58a0c2194bac vfio-ccw: Release any channel program when releasing/removing vfio-ccw mdev
8c1c78109a74 vfio-ccw: Do not call flush_workqueue while holding the spinlock
e0d25d17841a RDMA/cma: Consider scope_id while binding to ipv6 ll address
06740892db92 bcache: avoid clang -Wunintialized warning
330b67980381 bcache: add failure check to run_cache_set() for journal replay
cd83c78897d5 bcache: fix failure in journal relplay
29b166da7a4e bcache: return error immediately in bch_journal_replay()
8034a6b89990 bcache: avoid potential memleak of list of journal_replay(s) in the CACHE_SYNC branch of run_cache_set
e82df5f1e54a crypto: sun4i-ss - Fix invalid calculation of hash end
213e152316ed nvme-rdma: fix a NULL deref when an admin connect times out
c24860f40b66 nvme: set 0 capacity if namespace block size exceeds PAGE_SIZE
31de7f1d07b5 net: cw1200: fix a NULL pointer dereference
eacec4367998 rsi: Fix NULL pointer dereference in kmalloc
9d54cca8f939 mwifiex: prevent an array overflow
c2582f213897 ASoC: fsl_sai: Update is_slave_mode with correct value
67d812fbe303 slimbus: fix a potential NULL pointer dereference in of_qcom_slim_ngd_register
0cbef22f67ba libbpf: fix samples/bpf build failure due to undefined UINT32_MAX
ca5b9d63e9b1 mac80211/cfg80211: update bss channel on channel switch
1d057fefa045 dmaengine: pl330: _stop: clear interrupt status
cadb16d9e0f3 s390: qeth: address type mismatch warning
99079ceefb7c w1: fix the resume command API
07da741d48c4 sched/nohz: Run NOHZ idle load balancer on HK_FLAG_MISC CPUs
216155aab507 s390/kexec_file: Fix detection of text segment in ELF loader
6697d0b3f5b5 scsi: qedi: Abort ep termination if offload not scheduled
bc90af686912 rtc: stm32: manage the get_irq probe defer case
7fd0d9d10e5d rtc: 88pm860x: prevent use-after-free on device remove
0ea8b7cf9436 iwlwifi: pcie: don't crash on invalid RX interrupt
bd3d8f4cb956 btrfs: Don't panic when we can't find a root key
431cbaec1287 btrfs: fix panic during relocation after ENOSPC before writeback happens
1084fc9afbe3 Btrfs: fix data bytes_may_use underflow with fallocate due to failed quota reserve
8715ce033eb3 x86/modules: Avoid breaking W^X while loading modules
34f3a58f06da scsi: qla2xxx: Fix hardirq-unsafe locking
6ce116871011 scsi: qla2xxx: Avoid that lockdep complains about unsafe locking in tcm_qla2xxx_close_session()
55b95ce89ce7 scsi: qla2xxx: Fix abort handling in tcm_qla2xxx_write_pending()
de3cd35f5195 scsi: qla2xxx: Fix a qla24xx_enable_msix() error path
73026db866db sched/cpufreq: Fix kobject memleak
0fe8ed038e88 powerpc/watchdog: Use hrtimers for per-CPU heartbeat
efa336f785df arm64: Fix compiler warning from pte_unmap() with -Wunused-but-set-variable
9152b0815430 ARM: vdso: Remove dependency with the arch_timer driver internals
2d2017675b1a media: stm32-dcmi: return appropriate error codes during probe
5744fd7fa1d1 drm/nouveau/bar/nv50: ensure BAR is mapped
07bb9a71ee27 ACPI / property: fix handling of data_nodes in acpi_get_next_subnode()
c00f0fbd2e85 brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler()
57667dc86bef spi: pxa2xx: fix SCR (divisor) calculation
5cf668cf1110 ASoC: imx: fix fiq dependencies
b8bd069f855f powerpc/perf: Fix loop exit condition in nest_imc_event_init
1a6767f5f152 powerpc/boot: Fix missing check of lseek() return value
741853944fea powerpc/perf: Return accordingly on invalid chip-id in
49c0fa1f35c1 ASoC: hdmi-codec: unlock the device on startup errors
663411719895 usb: dwc3: move synchronize_irq() out of the spinlock protected block
1a7be0fe0777 usb: dwc2: gadget: Increase descriptors count for ISOC's
fc8c5907d8fc ASoC: Intel: kbl_da7219_max98357a: Map BTN_0 to KEY_PLAYPAUSE
b676f6c0b552 pinctrl: zte: fix leaked of_node references
8603d49906b2 Bluetooth: Ignore CC events not matching the last HCI command
6d9cfab853ca hv_netvsc: fix race that may miss tx queue wakeup
83eaba87e73e net: ena: gcc 8: fix compilation warning
19c2dd5025bb dmaengine: tegra210-dma: free dma controller in remove()
7ffd692bfce7 bpftool: exclude bash-completion/bpftool from .gitignore pattern
6d9f8909e540 selftests/bpf: set RLIMIT_MEMLOCK properly for test_libbpf_open.c
f3ed010f2bfe tools/bpf: fix perf build error with uClibc (seen on ARC)
d96a6c31e42e mmc: core: Verify SD bus width
c4b51dbcccfc gfs2: Fix occasional glock use-after-free
fa4aaa09d17e IB/hfi1: Fix WQ_MEM_RECLAIM warning
36296b0034ae NFS: make nfs_match_client killable
506961a7a4ef cxgb4: Fix error path in cxgb4_init_module
bac852089281 gfs2: Fix lru_count going negative
06a67c0f4abb Revert "btrfs: Honour FITRIM range constraints during free space trim"
7c2bcb3cca03 acct_on(): don't mess with freeze protection
7d562a90a88b at76c50x-usb: Don't register led_trigger if usb_register_driver failed
363aa80a51c9 batman-adv: mcast: fix multicast tt/tvlv worker locking
003e2d74c554 bpf: devmap: fix use-after-free Read in __dev_map_entry_free
3de79cb0ceb2 ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit
c8275cbe2bd8 media: vivid: use vfree() instead of kfree() for dev->bitmap_cap
0595e0d173f0 media: vb2: add waiting_in_dqbuf flag
aec118ecf579 media: serial_ir: Fix use-after-free in serial_ir_init_module
bdf3da72ae79 media: cpia2: Fix use-after-free in cpia2_exit
de2d09ebff2f fbdev: fix WARNING in __alloc_pages_nodemask bug
86c43c40fe05 ovl: relax WARN_ON() for overlapping layers use case
9c0339dd381d btrfs: honor path->skip_locking in backref code
2eefb4a3894e arm64: errata: Add workaround for Cortex-A76 erratum #1463225
8783c4128c37 brcmfmac: add subtype check for event handling in data path
cc240e057c1d brcmfmac: assure SSID length from firmware is limited
43caa29c99db bpf: add bpf_jit_limit knob to restrict unpriv allocations
cc1afc1050a9 NFSv4.1 fix incorrect return value in copy_file_range
e1eed6928b3e NFSv4.2 fix unnecessary retry in nfs4_copy_file_range
0bad28e92ced fbdev: fix divide error in fb_var_to_videomode
b8304d918c02 udlfb: fix some inconsistent NULL checking
94e1f96667b4 btrfs: sysfs: don't leak memory when failing add fsid
946ad2ecef61 btrfs: sysfs: Fix error path kobject memory leak
92f907d7d63b Btrfs: fix race between ranged fsync and writeback of adjacent ranges
4f9a774dda97 Btrfs: avoid fallback to transaction commit during fsync of files with holes
7ec747c811ab Btrfs: do not abort transaction at btrfs_update_root() after failure to COW path
ce21e6586eec btrfs: don't double unlock on error in btrfs_punch_hole
fdc78eedc54d gfs2: Fix sign extension bug in gfs2_update_stats
53cd8ae3eeb1 arm64/iommu: handle non-remapped addresses in ->mmap and ->get_sgtable
9c15fff28194 arm64/kernel: kaslr: reduce module randomization range to 2 GB
ee6d3eb31112 libnvdimm/pmem: Bypass CONFIG_HARDENED_USERCOPY overhead
709a93054118 kvm: svm/avic: fix off-by-one in checking host APIC ID
5b69ceee2196 mmc: sdhci-iproc: Set NO_HISPD bit to fix HS50 data hold time problem
227e01537baf mmc: sdhci-iproc: cygnus: Set NO_HISPD bit to fix HS50 data hold time problem
792d65fc49a7 crypto: vmx - CTR: always increment IV as quadword
136b8cef4e4f Revert "scsi: sd: Keep disk read-only when re-reading partition"
ac7480a5b504 sbitmap: fix improper use of smp_mb__before_atomic()
b78255d6cffb bio: fix improper use of smp_mb__before_atomic()
432ec4fa6cd2 KVM: x86: fix return value for reserved EFER
70d33cce97f0 f2fs: Fix use of number of devices
5220582c427b ext4: wait for outstanding dio during truncate in nojournal mode
71e430fd593b ext4: do not delete unlinked inode from orphan list on failed truncate
1d84eb87efce x86: Hide the int3_emulate_call/jmp functions from UML
8b2fc0058255 Linux 4.19.46
fcac71697a15 fbdev: sm712fb: fix memory frequency by avoiding a switch/case fallthrough
107e215c2962 bpf, lru: avoid messing with eviction heuristics upon syscall lookup
2bb3c5470aaf bpf: add map_lookup_elem_sys_only for lookups from syscall side
3ded3aaa4aa8 bpf: relax inode permission check for retrieving bpf program
c33563e9ec87 Revert "selftests/bpf: skip verifier tests for unsupported program types"
90110ffd86ae driver core: Postpone DMA tear-down until after devres release for probe failure
430908054540 md/raid: raid5 preserve the writeback action after the parity check
3d25b7f5c3be Revert "Don't jump to compute_result state from check_result state"
a0b1dde1e686 perf/x86/intel: Fix race in intel_pmu_disable_event()
7aea2f94cc64 perf bench numa: Add define for RUSAGE_THREAD if not present
a06fdd99a339 ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour
f037116fe05b x86/mm/mem_encrypt: Disable all instrumentation for early SME setup
290da8e79c83 sched/cpufreq: Fix kobject memleak
2da19da7abb8 iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb()
7341daa0548e qmi_wwan: new Wistron, ZTE and D-Link devices
c1528193f643 bpf: Fix preempt_enable_no_resched() abuse
aea54f613534 power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG
a1251522a522 KVM: arm/arm64: Ensure vcpu target is unset on reset failure
36ae546a0046 net: ieee802154: fix missing checks for regmap_update_bits
9c045d8c9739 mac80211: Fix kernel panic due to use of txq after free
a0a49d8712de x86: kvm: hyper-v: deal with buggy TLB flush requests from WS2012
a469646862aa PCI: Fix issue with "pci=disable_acs_redir" parameter being ignored
b21ca2769b0f apparmorfs: fix use-after-free on symlink traversal
9a0467e1f671 securityfs: fix use-after-free on symlink traversal
900bf351dd84 power: supply: cpcap-battery: Fix division by zero
b7771cb0143b clk: sunxi-ng: nkmp: Avoid GENMASK(-1, 0)
a654a73de29f xfrm4: Fix uninitialized memory read in _decode_session4
6faa62060624 xfrm: Honor original L3 slave device in xfrmi policy lookup
3716c2625099 esp4: add length check for UDP encapsulation
d410ef75886a xfrm: clean up xfrm protocol checks
159269cc6456 vti4: ipip tunnel deregistration fixes.
64f214ce563f xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module
c9516503fe53 xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink
fea685000caf fuse: Add FOPEN_STREAM to use stream_open()
f9eccf6ca1e0 dm mpath: always free attached_handler_name in parse_path()
9407680a7bb7 dm integrity: correctly calculate the size of metadata area
3b92ff729cb3 dm delay: fix a crash when invalid device is specified
90cc71127a3c dm zoned: Fix zone report handling
ff0699a5e5d0 dm cache metadata: Fix loading discard bitset
d5c352305d42 PCI: Work around Pericom PCIe-to-PCI bridge Retrain Link erratum
b51a033317cd PCI: Factor out pcie_retrain_link() function
7bc992e215c8 PCI: rcar: Add the initialization of PCIe link in resume_noirq()
2e7574982502 PCI/AER: Change pci_aer_init() stub to return void
8c30e1499335 PCI: Init PCIe feature bits for managed host bridge alloc
29d031402718 PCI: Mark Atheros AR9462 to avoid bus reset
f4be6b7ee294 PCI: Mark AMD Stoney Radeon R7 GPU ATS as broken
2cf1dce1bfa5 fbdev: sm712fb: fix crashes and garbled display during DPMS modesetting
27968d821368 fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display
f1c97f633375 fbdev: sm712fb: fix support for 1024x768-16 mode
b415308ae49a fbdev: sm712fb: fix crashes during framebuffer writes by correctly mapping VRAM
02f89dd99c83 fbdev: sm712fb: fix boot screen glitch when sm712fb replaces VGA
7e1b9659a43a fbdev: sm712fb: fix white screen of death on reboot, don't set CR3B-CR3F
b0f08070903d fbdev: sm712fb: fix VRAM detection, don't set SR70/71/74/75
d30768975973 fbdev: sm712fb: fix brightness control on reboot, don't set SR30
702156cd1a9a fbdev/efifb: Ignore framebuffer memmap entries that lack any memory types
e738fb38cf2e objtool: Allow AR to be overridden with HOSTAR
9ae0f86ceaa7 MIPS: perf: Fix build with CONFIG_CPU_BMIPS5000 enabled
05fab3457210 perf intel-pt: Fix sample timestamp wrt non-taken branches
ba86f8f84fd5 perf intel-pt: Fix improved sample timestamp
3ed850ab2a9c perf intel-pt: Fix instructions sampling rate
5e011f3319fe memory: tegra: Fix integer overflow on tick value calculation
fb8c9c900d4e tracing: Fix partial reading of trace event's id file
07b487eb5762 ftrace/x86_64: Emulate call function while updating in breakpoint handler
ba246f64b0a5 x86_64: Allow breakpoints to emulate call instructions
01b6fdcecd5a x86_64: Add gap to int3 to allow for call emulation
77ca91441696 ceph: flush dirty inodes before proceeding with remount
b18339bc1d05 iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114
a9676c96e7e0 ovl: fix missing upper fs freeze protection on copy up for ioctl
979d2433b873 fuse: honor RLIMIT_FSIZE in fuse_file_fallocate
a452f733f93e fuse: fix writepages on 32bit
42f59b83f0cf udlfb: introduce a rendering mutex
fb36a97654a7 udlfb: fix sleeping inside spinlock
1b8c955691d4 udlfb: delete the unused parameter for dlfb_handle_damage
3487804cf6dc clk: rockchip: fix wrong clock definitions for rk3328
fe082b99d57b clk: mediatek: Disable tuner_en before change PLL rate
5bfba9529cea clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider
1a7adc2edb98 clk: hi3660: Mark clk_gate_ufs_subsys as critical
04f34b76368f PNFS fallback to MDS if no deviceid found
d3dd6057d2d6 NFS4: Fix v4.0 client state corruption when mount
5e7f9e905ff8 media: imx: Clear fwnode link struct for each endpoint iteration
ef12f5b54da4 media: imx: csi: Allow unknown nearest upstream entities
77e178708136 media: ov6650: Fix sensor possibly not detected on probe
86d67dbdf0a0 phy: ti-pipe3: fix missing bit-wise or operator when assigning val
939db6fdbea6 cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()
a29b8829291e of: fix clang -Wunsequenced for be32_to_cpu()
a36430769ee5 p54: drop device reference count if fails to enable device
88cfd822f9d0 intel_th: msu: Fix single mode with IOMMU
c939121b5435 dcache: sort the freeing-without-RCU-delay mess for good.
10cb519c3e34 md: add mddev->pers to avoid potential NULL pointer dereference
3deaa1dc2f70 md: batch flush requests.
7f6b9285cada Revert "MD: fix lock contention for flush bios"
7928396df91e proc: prevent changes to overridden credentials
bbd559ad3ca7 brd: re-enable __GFP_HIGHMEM in brd_insert_page()
d9ec75d048d7 stm class: Fix channel bitmap on 32-bit systems
44bc4e8815a4 stm class: Fix channel free in stm output free path
85b94de88046 parisc: Rename LEVEL to PA_ASM_LEVEL to avoid name clash with DRBD code
e5621f7e13f6 parisc: Use PA_ASM_LEVEL in boot code
615260c947b4 parisc: Skip registering LED when running in QEMU
9aabffe8c2a6 parisc: Export running_on_qemu symbol for modules
b11efd3262ef net/mlx5e: Fix ethtool rxfh commands when CONFIG_MLX5_EN_RXNFC is disabled
79742133aff2 net/mlx5: Imply MLXFW in mlx5_core
9f12f4c922d4 vsock/virtio: Initialize core virtio vsock before registering the driver
4b900077784f tipc: fix modprobe tipc failed after switch order of device registration
4af8a327aeba vsock/virtio: free packets during the socket release
2f7025b0a3b3 tipc: switch order of device registration to fix a crash
2636da604e76 rtnetlink: always put IFLA_LINK for links with a link-netnsid
c73ed24c385a ppp: deflate: Fix possible crash in deflate_init
e4a6df16b441 nfp: flower: add rcu locks when accessing netdev for tunnels
948cd616504c net: usb: qmi_wwan: add Telit 0x1260 and 0x1261 compositions
3620e546b177 net: test nouarg before dereferencing zerocopy pointers
0495c8b03545 net/mlx4_core: Change the error print to info print
746f8cd570ba net: avoid weird emergency message
466cadba6013 net: Always descend into dsa/
6bc3240adde5 ipv6: prevent possible fib6 leaks
81a61a95812e ipv6: fix src addr routing with the exception table
c3a072597748 Linux 4.19.45
e8816d3bc595 ext4: don't update s_rev_level if not required
6172ae55a187 ext4: fix compile error when using BUFFER_TRACE
953e826e8d0f pstore: Refactor compression initialization
fea8b84765a1 pstore: Allocate compression during late_initcall()
f4bf101be366 pstore: Centralize init/exit routines
627bb2d93b4d iov_iter: optimize page_copy_sane()
866f011181ff libnvdimm/namespace: Fix label tracking error
756eda9bc8b7 xen/pvh: set xen_domain_type to HVM in xen_pvh_init
98bdd33883db kbuild: turn auto.conf.cmd into a mandatory include file
38f114887ca4 KVM: lapic: Busy wait for timer to expire when using hv_timer
3b5ea2df6cf6 KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes
5b8567682489 jbd2: fix potential double free
95482af27161 ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug
e0e1dc65bb13 ALSA: hda/realtek - Fixup headphone noise via runtime suspend
ae3155123704 ALSA: hda/realtek - Corrected fixup for System76 Gazelle (gaze14)
316063bf7d11 ext4: avoid panic during forced reboot due to aborted journal
c19db366c0a8 ext4: fix use-after-free in dx_release()
0db24122bd7f ext4: fix data corruption caused by overlapping unaligned and aligned IO
25d010f4e0ec ext4: zero out the unused memory region in the extent tree block
c907ce3fd552 tty: Don't force RISCV SBI console as preferred console
986d3453bee4 fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount
a80da82d0840 crypto: ccm - fix incompatibility between "ccm" and "ccm_base"
f6de0a3b1e66 ipmi:ssif: compare block number correctly for multi-part return messages
88681649ed8c bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim()
ecfc882f6441 bcache: fix a race between cache register and cacheset unregister
8a8f671b3dad Btrfs: do not start a transaction at iterate_extent_inodes()
0388d45afc50 Btrfs: do not start a transaction during fiemap
74ca0a7671cc Btrfs: send, flush dellaloc in order to avoid data loss
8b13bb911f0c btrfs: Honour FITRIM range constraints during free space trim
87dcf0c61985 btrfs: Correctly free extent buffer in case btree_read_extent_buffer_pages fails
d8925a1fee71 btrfs: Check the first key and level for cached extent buffer
45123ae534e0 ext4: fix ext4_show_options for file systems w/o journal
f795247578aa ext4: actually request zeroing of inode table after grow
2a18c9c76718 ext4: fix use-after-free race with debug_want_extra_isize
b12a8d80a46e ext4: avoid drop reference to iloc.bh twice
f0f805f8b9e7 ext4: ignore e_value_offs for xattrs with value-in-ea-inode
71478ef67d7c ext4: make sanity check in mballoc more strict
001fe0dab4ea jbd2: check superblock mapped prior to committing
0fd2df64f142 tty/vt: fix write/write race in ioctl(KDSKBSENT) handler
d90824ecb887 tty: vt.c: Fix TIOCL_BLANKSCREEN console blanking if blankinterval == 0
6a01793e0763 mtd: spi-nor: intel-spi: Avoid crossing 4K address boundary on read/write
dc6d69bde829 mfd: max77620: Fix swapped FPS_PERIOD_MAX_US values
5185672f2acf mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L
770e46b38ebe ACPI: PM: Set enable_for_wake for wakeup GPEs during suspend-to-idle
8bae43985571 userfaultfd: use RCU to free the task struct when fork fails
3574bc98e2fe ocfs2: fix ocfs2 read inode data panic in ocfs2_iget
a3ccc156f365 hugetlb: use same fault hash key for shared and private mappings
0b16b09a723e mm/hugetlb.c: don't put_page in lock of hugetlb_lock
58db3813680e mm/huge_memory: fix vmf_insert_pfn_{pmd, pud}() crash, handle unaligned addresses
f580a54bbd52 mm/mincore.c: make mincore() more conservative
681f3695d514 crypto: ccree - handle tee fips error during power management resume
4fb3d87ee7b7 crypto: ccree - add function to handle cryptocell tee fips error
65f5c14a6011 crypto: ccree - HOST_POWER_DOWN_EN should be the last CC access during suspend
1a4fc3d29632 crypto: ccree - pm resume first enable the source clk
120ab825c6fd crypto: ccree - don't map AEAD key and IV on stack
ca687cdb6159 crypto: ccree - use correct internal state sizes for export
766121a0a798 crypto: ccree - don't map MAC key on stack
7560c0adad34 crypto: ccree - fix mem leak on error path
642de1c00a14 crypto: ccree - remove special handling of chained sg
1bfceb375034 bpf, arm64: remove prefetch insn in xadd mapping
f3714257c422 ASoC: codec: hdac_hdmi add device_link to card device
975ef5c2f6ca ASoC: fsl_esai: Fix missing break in switch statement
df9f111db871 ASoC: RT5677-SPI: Disable 16Bit SPI Transfers
7295359bd6ac ASoC: max98090: Fix restore of DAPM Muxes
e13bac4031eb ALSA: hdea/realtek - Headset fixup for System76 Gazelle (gaze14)
d33f6063b7c3 ALSA: hda/realtek - EAPD turn on later
4ac6316a7c0f ALSA: hda/hdmi - Consider eld_valid when reporting jack event
8c827cda2864 ALSA: hda/hdmi - Read the pin sense from register when repolling
30dda277333e ALSA: usb-audio: Fix a memory leak bug
741e3efd8174 ALSA: line6: toneport: Fix broken usage of timer for delayed execution
003cf675eb07 mmc: core: Fix tag set memory leak
d42d342022b1 crypto: arm64/aes-neonbs - don't access already-freed walk.iv
69b9d32d5139 crypto: arm/aes-neonbs - don't access already-freed walk.iv
b7d2adfd0512 crypto: rockchip - update IV buffer to contain the next IV
9a61ab689867 crypto: gcm - fix incompatibility between "gcm" and "gcm_base"
63efe31cf544 crypto: arm64/gcm-aes-ce - fix no-NEON fallback code
e7fd8a2862e0 crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest()
7a19a4bef218 crypto: crct10dif-generic - fix use via crypto_shash_digest()
aabf86f24d9f crypto: skcipher - don't WARN on unprocessed data after slow walk step
66f5de68cb61 crypto: vmx - fix copy-paste error in CTR mode
07d677ae4db4 crypto: ccp - Do not free psp_master when PLATFORM_INIT fails
fe632ee5ade8 crypto: chacha20poly1305 - set cra_name correctly
3b5ddd5ea016 crypto: salsa20 - don't access already-freed walk.iv
7a32ad34b889 crypto: crypto4xx - fix cfb and ofb "overran dst buffer" issues
c1ec6beac625 crypto: crypto4xx - fix ctr-aes missing output IV
2ea1a37d0138 sched/x86: Save [ER]FLAGS on context switch
d8d751efec28 arm64: Save and restore OSDLR_EL1 across suspend/resume
f273cd16554a arm64: Clear OSDLR_EL1 on CPU boot
26e7d2ad97b9 arm64: compat: Reduce address limit
6d696ceb15a3 arm64: arch_timer: Ensure counter register reads occur with seqlock held
222abad906ba arm64: mmap: Ensure file offset is treated as unsigned
592127e9c1bb power: supply: axp288_fuel_gauge: Add ACEPC T8 and T11 mini PCs to the blacklist
26eb5e7fa08d power: supply: axp288_charger: Fix unchecked return value
921bc15462e2 ARM: exynos: Fix a leaked reference by adding missing of_node_put
6eaeee1e7845 mmc: sdhci-of-arasan: Add DTS property to disable DCMDs.
e2c436d9268f ARM: dts: exynos: Fix audio (microphone) routing on Odroid XU3
abea1fb53266 ARM: dts: exynos: Fix interrupt for shared EINTs on Exynos5260
8cf1bbca4467 arm64: dts: rockchip: Disable DCMDs on RK3399's eMMC controller.
7b72ca6312ab objtool: Fix function fallthrough detection
b185029f5c41 x86/speculation/mds: Improve CPU buffer clear documentation
393ca9ea37fb x86/speculation/mds: Revert CPU buffer clear on double fault exit
7761dbf58d22 locking/rwsem: Prevent decrement of reader count before increment
dafc674bbcb1 Linux 4.19.44
9fa23ea14e8f PCI: hv: Add pci_destroy_slot() in pci_devices_present_work(), if necessary
76888d135c4e PCI: hv: Add hv_pci_remove_slots() when we unload the driver
a47e0054253f PCI: hv: Fix a memory leak in hv_eject_device_work()
4179b8580219 powerpc/booke64: set RI in default MSR
71b20cdb4353 powerpc/powernv/idle: Restore IAMR after idle
69c2b71cb0c1 powerpc/book3s/64: check for NULL pointer in pgd_alloc()
e9ec5073c90d drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
ee3b53d89967 drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl
afa485dc6f17 tipc: fix hanging clients using poll with EPOLLOUT flag
98652e0b0a1b isdn: bas_gigaset: use usb_fill_int_urb() properly
17d8a9ebaa99 tuntap: synchronize through tfiles array instead of tun->numqueues
9c79732f98a8 tuntap: fix dividing by zero in ebpf queue selection
737713e6d835 vrf: sit mtu should not be updated when vrf netdev is the link
e38406070729 vlan: disable SIOCSHWTSTAMP in container
dfdfad3d188f selinux: do not report error on connect(AF_UNSPEC)
9f51d6f72063 packet: Fix error path in packet_init
2e95eb9c92f7 net: ucc_geth - fix Oops when changing number of buffers in the ring
210057b79e71 net: seeq: fix crash caused by not set dev.parent
dfd919285f27 net: macb: Change interrupt and napi enable order in open
68df8383f3ca net: ethernet: stmmac: dwmac-sun8i: enable support of unicast filtering
9284895b7ee6 net: dsa: Fix error cleanup path in dsa_init_module
da2e770f0c4a ipv4: Fix raw socket lookup for local traffic
947fec630c41 fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied
c7b5e55be825 dpaa_eth: fix SG frame cleanup
a79feef32392 bridge: Fix error path for kobject_init_and_add()
9c2cda31196a bonding: fix arp_validate toggling in active-backup mode
0dc9ad4e904d powerpc/64s: Include cpu header
db1b4aa651df um: Don't hardcode path as it is architecture dependent
85f347944a6b Don't jump to compute_result state from check_result state
ace28a8efdd4 rtlwifi: rtl8723ae: Fix missing break in switch statement
d756d1dea670 mwl8k: Fix rate_idx underflow
c300c98a94b4 cw1200: fix missing unlock on error in cw1200_hw_scan()
575260507647 x86/kprobes: Avoid kretprobe recursion bug
322a57551d06 nfc: nci: Potential off by one in ->pipes[] array
f5e60565e6bd NFC: nci: Add some bounds checking in nci_hci_cmd_received()
21e9515b7d16 net: strparser: partially revert "strparser: Call skb_unclone conditionally"
85b9e8694f9c net/tls: fix the IV leaks
e38c6748d1cc mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw workqueue
835ae6cc28d9 mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw ordered workqueue
880a328e197b mlxsw: core: Do not use WQ_MEM_RECLAIM for EMAD workqueue
a80f62f781c2 mlxsw: spectrum_switchdev: Add MDB entries in prepare phase
fb7c783b3139 net: fec: manage ahb clock in runtime pm
c18731c2786c netfilter: nf_tables: add missing ->release_ops() in error path of newrule()
5014aa937422 netfilter: nf_tables: use-after-free in dynamic operations
9965da064e9a usb: typec: Fix unchecked return value
68321994225d mm/memory.c: fix modifying of page protection by insert_pfn()
bc3361461fcb net: dsa: mv88e6xxx: fix few issues in mv88e6390x_port_set_cmode
19f4f94fdb2a powerpc/smp: Fix NMI IPI xmon timeout
f8bd34d1d399 powerpc/smp: Fix NMI IPI timeout
6a60fb62c82a mm/memory_hotplug.c: drop memory device reference after find_memory_block()
fb67c97c4e2f RDMA/hns: Bugfix for mapping user db
afc7cebbbb5e Input: synaptics-rmi4 - fix possible double free
f621bc1bd7f4 drm/sun4i: Unbind components before releasing DRM and memory
21b71e191bd8 spi: ST ST95HF NFC: declare missing of table
09185e359827 spi: Micrel eth switch: declare missing of table
3835cb5a911f ARM: 8856/1: NOMMU: Fix CCR register faulty initialization when MPU is disabled
521ae4da71cc drm/imx: don't skip DP channel disable for background plane
df3a97d197a3 gpu: ipu-v3: dp: fix CSC handling
3a53fa469d60 netfilter: fix nf_l4proto_log_invalid to log invalid packets
5bc3d4491821 selftests/net: correct the return value for run_netsocktests
24b1c849ce9d drm/sun4i: Fix component unbinding and component master deletion
1973df1ec5bc drm/sun4i: Set device driver data at bind time for use in unbind
005325b7f026 s390: ctcm: fix ctcm_new_device error return code
ca8648816e3d MIPS: perf: ath79: Fix perfcount IRQ assignment
743a5a951d4d netfilter: nf_tables: prevent shift wrap in nft_chain_parse_hook()
7b115755fb9d netfilter: ctnetlink: don't use conntrack/expect object addresses as id
4e1994ef6365 ipvs: do not schedule icmp errors from tunnels
cb9a11d017c6 selftests: netfilter: check icmp pkttoobig errors are set as related
74e9b761fba0 init: initialize jump labels before command line option parsing
6536de8232c8 mm: fix inactive list balancing between NUMA nodes and cgroups
1134736869ef scsi: aic7xxx: fix EISA support
ba87f547b0f7 ocelot: Don't sleep in atomic context (irqs_disabled())
9e4fd5e0b81a ipmi: ipmi_si_hardcode.c: init si_type array to fix a crash
7d4d8683e925 tools lib traceevent: Fix missing equality check for strcmp
0c8afd514df0 KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing
d39f3cc71382 KVM: fix spectrev1 gadgets
4074bc379b1f x86/reboot, efi: Use EFI reboot for Acer TravelMate X514-51T
3b51d71365e0 x86/build/lto: Fix truncated .bss with -fdata-sections
8eb64692d6e2 s390/pkey: add one more argument space for debug feature entry
e360515f41fc drm/amd/display: If one stream full updates, full update all planes
58be7c109cea afs: Unlock pages for __pagevec_release()
08f2c299b38c qede: fix write to free'd pointer error and double free of ptp
090b74020014 vxge: fix return of a free'd memblock on a failed dma mapping
f83beff28048 mISDN: Check address length before reading address family
e4525c9d9ada selftests: fib_tests: Fix 'Command line is not complete' errors
7828986b84ba clocksource/drivers/oxnas: Fix OX820 compatible
6a414ef36840 clocksource/drivers/npcm: select TIMER_OF
068d1cce7801 drm/amd/display: extending AUX SW Timeout
2773e7454f4f s390/3270: fix lockdep false positive on view->lock
4c8c9d514917 libnvdimm/pmem: fix a possible OOB access when read and write pmem
f2565d0e5277 nl80211: Add NL80211_FLAG_CLEAR_SKB flag for other NL commands
1d918120e37d mac80211: fix memory accounting with A-MSDU aggregation
9d4da01f7d66 cfg80211: Handle WMM rules in regulatory domain intersection
35e2abbaffa2 mac80211: Increase MAX_MSG_LEN
bbe1ab38e1a2 mac80211: fix unaligned access in mesh table hash function
e28e5055eacd s390/dasd: Fix capacity calculation for large volumes
af5b7a150ef8 libnvdimm/btt: Fix a kmemdup failure check
f7ab4818f74e HID: input: add mapping for "Toggle Display" key
bbdccc170adf HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys
dc30867da997 HID: input: add mapping for Expose/Overview key
e94f852e2034 libnvdimm/namespace: Fix a potential NULL pointer dereference
5f72e3a021a6 acpi/nfit: Always dump _DSM output payload
f07db1f1f54c iio: adc: xilinx: prevent touching unclocked h/w on remove
6400212ae3b6 iio: adc: xilinx: fix potential use-after-free on probe
06d5ea398e55 iio: adc: xilinx: fix potential use-after-free on remove
5640d0781267 USB: serial: fix unthrottle races
4c416eef65a7 virt: vbox: Sanity-check parameter types for hgcm-calls coming from userspace
e361ccccdd51 kernfs: fix barrier usage in __kernfs_new_node()
f1917f21c8f6 hwmon: (pwm-fan) Disable PWM if fetching cooling data fails
87cc345aefc9 platform/x86: dell-laptop: fix rfkill functionality
381eaca5017f platform/x86: thinkpad_acpi: Disable Bluetooth for some machines
efe6802e812b platform/x86: sony-laptop: Fix unintentional fall-through
824c212908b6 bfq: update internal depth state when queue depth changes
3351e9d39947 Linux 4.19.43
b21bde49d386 x86/speculation/mds: Fix documentation typo
8e65568e9d23 Documentation: Correct the possible MDS sysfs values
2e4c54890226 x86/mds: Add MDSUM variant to the MDS documentation
12a0dad799fb x86/speculation/mds: Add 'mitigations=' support for MDS
59a14fb5832c s390/speculation: Support 'mitigations=' cmdline option
74857f69fec5 powerpc/speculation: Support 'mitigations=' cmdline option
af5332dd991e x86/speculation: Support 'mitigations=' cmdline option
8cb932aca5d6 cpu/speculation: Add 'mitigations=' cmdline option
7ba793ae7b9f x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off
e9ae32266605 x86/speculation/mds: Fix comment
b9faa4652867 x86/speculation/mds: Add SMT warning message
b3a63d9c7453 x86/speculation: Move arch_smt_update() call to after mitigation decisions
f7a119a762ef x86/speculation/mds: Add mds=full,nosmt cmdline option
cfaa3d76301e Documentation: Add MDS vulnerability documentation
e3803099d2f4 Documentation: Move L1TF to separate directory
c50e81fe8a13 x86/speculation/mds: Add mitigation mode VMWERV
8230c2028dce x86/speculation/mds: Add sysfs reporting for MDS
2951067089a3 x86/speculation/mds: Add mitigation control for MDS
4df98b3f3161 x86/speculation/mds: Conditionally clear CPU buffers on idle entry
b39dc9a8cced x86/kvm/vmx: Add MDS protection when L1D Flush is not active
e4fa775b5606 x86/speculation/mds: Clear CPU buffers on exit to user
1f7c31be1e04 x86/speculation/mds: Add mds_clear_cpu_buffers()
de89ff6f1674 x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests
aca9e8d8e2ce x86/speculation/mds: Add BUG_MSBDS_ONLY
2e9104aa2633 x86/speculation/mds: Add basic bug infrastructure for MDS
00b76324bd35 x86/speculation: Consolidate CPU whitelists
e09450ffa980 x86/msr-index: Cleanup bit defines
ca0056d97840 kvm: x86: Report STIBP on GET_SUPPORTED_CPUID
1f1bc8222ce7 x86/cpu: Sanitize FAM6_ATOM naming
34aae15cb179 Documentation/l1tf: Fix small spelling typo
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb | 6 +++---
meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb | 8 ++++----
meta/recipes-kernel/linux/linux-yocto_4.19.bb | 20 ++++++++++----------
3 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb b/meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb
index 6604bdf..a431773 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "4dbcaca4c9ff89e866d2b5d01df005f317c618a4"
-SRCREV_meta ?= "ad235db461bf4595c668700ca8a909c322009cc1"
+SRCREV_machine ?= "dac3a011d5832c5f94ffac569559f05014746f01"
+SRCREV_meta ?= "772b96e00bb4d0dc4d2a18d2f7da7d5df53bf368"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.19;destsuffix=${KMETA}"
-LINUX_VERSION ?= "4.19.44"
+LINUX_VERSION ?= "4.19.57"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb
index 4ca11d7..993f294 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "4.19.44"
+LINUX_VERSION ?= "4.19.57"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "a3cd9d732b27e78f94634924b7232b6280dae002"
-SRCREV_machine ?= "f0c6c85e155632580bd44a5db01cbb19dcc1559c"
-SRCREV_meta ?= "ad235db461bf4595c668700ca8a909c322009cc1"
+SRCREV_machine_qemuarm ?= "36a736baed7fedb11c7c39b3e8d06e165e9e4d06"
+SRCREV_machine ?= "b1d253af9cdeb237b4875ca6184c0cbdfbe65e70"
+SRCREV_meta ?= "772b96e00bb4d0dc4d2a18d2f7da7d5df53bf368"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_4.19.bb b/meta/recipes-kernel/linux/linux-yocto_4.19.bb
index a5fdafe..7ee67cf 100644
--- a/meta/recipes-kernel/linux/linux-yocto_4.19.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_4.19.bb
@@ -11,22 +11,22 @@ KBRANCH_qemux86 ?= "v4.19/standard/base"
KBRANCH_qemux86-64 ?= "v4.19/standard/base"
KBRANCH_qemumips64 ?= "v4.19/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "c12bc1a098be009c44582e75af630ff573155473"
-SRCREV_machine_qemuarm64 ?= "f0c6c85e155632580bd44a5db01cbb19dcc1559c"
-SRCREV_machine_qemumips ?= "18ba7160ac7a094bf9659649c537303201eb022e"
-SRCREV_machine_qemuppc ?= "f0c6c85e155632580bd44a5db01cbb19dcc1559c"
-SRCREV_machine_qemux86 ?= "f0c6c85e155632580bd44a5db01cbb19dcc1559c"
-SRCREV_machine_qemux86-64 ?= "f0c6c85e155632580bd44a5db01cbb19dcc1559c"
-SRCREV_machine_qemumips64 ?= "d9c77fe2a6038848fbadd660882b78e590c3252e"
-SRCREV_machine ?= "f0c6c85e155632580bd44a5db01cbb19dcc1559c"
-SRCREV_meta ?= "ad235db461bf4595c668700ca8a909c322009cc1"
+SRCREV_machine_qemuarm ?= "c093532d256a8c46a4e73a940998ddec916f63be"
+SRCREV_machine_qemuarm64 ?= "b1d253af9cdeb237b4875ca6184c0cbdfbe65e70"
+SRCREV_machine_qemumips ?= "8bac53c36a72ab7dc343f754a76094c41c633c77"
+SRCREV_machine_qemuppc ?= "b1d253af9cdeb237b4875ca6184c0cbdfbe65e70"
+SRCREV_machine_qemux86 ?= "b1d253af9cdeb237b4875ca6184c0cbdfbe65e70"
+SRCREV_machine_qemux86-64 ?= "b1d253af9cdeb237b4875ca6184c0cbdfbe65e70"
+SRCREV_machine_qemumips64 ?= "bbc2fcd94ccdb48977a7bf3fcbbc56ef785a0bd1"
+SRCREV_machine ?= "b1d253af9cdeb237b4875ca6184c0cbdfbe65e70"
+SRCREV_meta ?= "772b96e00bb4d0dc4d2a18d2f7da7d5df53bf368"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRANCH}; \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.19;destsuffix=${KMETA} \
"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "4.19.44"
+LINUX_VERSION ?= "4.19.57"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 24/43] linux-yocto/4.19: update to v4.19.61
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (22 preceding siblings ...)
2019-09-01 14:36 ` [warrior 23/43] linux-yocto/4.19: update to 4.19.57 and -rt22 Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 25/43] boost: Fix build and enable context and coroutines on aarch64 Armin Kuster
` (18 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Integrating the korg -stable commits that comprise the following
changes:
7250956f6eaf Linux 4.19.61
025eb12bb4b0 dm bufio: fix deadlock with loop device
404f59e265ac dt-bindings: allow up to four clocks for orion-mdio
03e6a668ea1f net: mvmdio: allow up to four clocks to be specified for orion-mdio
dd87cc633ba5 blkcg: update blkcg_print_stat() to handle larger outputs
73efdc5d7d3b blk-iolatency: clear use_delay when io.latency is set to zero
1ab644bd02ab blk-throttle: fix zero wait time for iops throttled group
91da712ff592 usb: Handle USB3 remote wakeup for LPM enabled devices correctly
152ddf9f0458 Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug
98318cd31b95 intel_th: msu: Fix single mode with disabled IOMMU
d6328d7c1a71 mtd: spinand: read returns badly if the last page has bitflips
94f1db42a968 mtd: rawnand: mtk: Correct low level time calculation of r/w cycle
30c6b34759f6 eCryptfs: fix a couple type promotion bugs
92e23f5fc049 mmc: sdhci-msm: fix mutex while in spinlock
01982f7bcc9d powerpc/pseries: Fix oops in hotplug memory notifier
e725502b8548 powerpc/powernv/npu: Fix reference leak
1e3b61cbc30d powerpc/watchpoint: Restore NV GPRs while returning from exception
237ac0d73b55 powerpc/32s: fix suspend/resume when IBATs 4-7 are used
7961981718d6 parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1
a6a0daa775e8 parisc: Ensure userspace privilege for ptraced processes in regset functions
ef5c2e165ab0 crypto: caam - limit output IV to CBC to work around CTR mode DMA issue
376b80276d84 gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM
ef30c0739439 xfs: abort unaligned nowait directio early
669c867972c0 xfs: serialize unaligned dio writes against all other dio writes
d61d885b17b0 xfs: fix reporting supported extra file attributes for statx()
f614ef7a34b0 xfs: reserve blocks for ifree transaction during log recovery
424543a53ae0 xfs: don't ever put nlink > 0 inodes on the unlinked list
3a895cc066c0 xfs: rename m_inotbt_nores to m_finobt_nores
2ab62234e823 xfs: don't overflow xattr listent buffer
1dc8b13cc66d xfs: flush removing page cache in xfs_reflink_remap_prep
788920d12b95 xfs: fix pagecache truncation prior to reflink
41f64437f030 include/asm-generic/bug.h: fix "cut here" for WARN_ON for __WARN_TAINT architectures
afa3e571cde3 coda: pass the host file in vma->vm_file on mmap
2c0222b48e77 libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields
656d06dab4d6 HID: wacom: correct touch resolution x/y typo
1c871b4006b2 HID: wacom: generic: Correct pad syncing
46f71a15abe7 HID: wacom: generic: only switch the mode on devices with LEDs
cb4c2b94f629 IB/mlx5: Report correctly tag matching rendezvous capability
4bd953241d81 Btrfs: add missing inode version, ctime and mtime updates when punching hole
fffedf5cf67e Btrfs: fix fsync not persisting dentry deletions due to inode evictions
110850fffeb0 Btrfs: fix data loss after inode eviction, renaming it, and fsync it
6b71c62ea9da PCI: qcom: Ensure that PERST is asserted for at least 100 ms
529e71cae929 PCI: Do not poll for PME if the device is in D3cold
4d8504004c86 PCI: hv: Fix a use-after-free bug in hv_eject_device_work()
f0ff76a42ef5 intel_th: pci: Add Ice Lake NNPI support
66a13b5e4e9c drm/edid: parse CEA blocks embedded in DisplayID
9854e06842bc perf/x86/amd/uncore: Set the thread mask for F17h L3 PMCs
82c46f7b0918 perf/x86/amd/uncore: Do not set 'ThreadMask' and 'SliceMask' for non-L3 PMCs
a847a5225432 perf/x86/intel: Fix spurious NMI on fixed counter
0d4c0bb70665 x86/boot: Fix memory leak in default_get_smp_config()
b52807e607f1 9p/virtio: Add cleanup path in p9_virtio_init
1253882d64d0 9p/xen: Add cleanup path in p9_trans_xen_init
007e5aaf287c xen/events: fix binding user event channels to cpus
e380170b3b3a dm zoned: fix zone state management race
1e4247d7958b padata: use smp_mb in padata_reorder to avoid orphaned padata jobs
0489d808a5f2 drm/nouveau/i2c: Enable i2c pads & busses during preinit
c77cbc873586 kconfig: fix missing choice values in auto.conf
2c7b50c7b1d0 fs/proc/proc_sysctl.c: fix the default values of i_uid/i_gid on /proc/sys inodes.
ba271659ad42 arm64: tegra: Fix AGIC register range
ba27a25df6df KVM: x86/vPMU: refine kvm_pmu err msg when event creation failed
87bae91a0fe9 media: videobuf2-dma-sg: Prevent size from overflowing
cb2e2b0ae554 media: videobuf2-core: Prevent size alignment wrapping buffer size to 0
deb78bd24e0c media: coda: Remove unbalanced and unneeded mutex unlock
fc0232e24541 media: v4l2: Test type instead of cfg->type in v4l2_ctrl_new_custom()
a4c4c06f1755 ALSA: hda/realtek: apply ALC891 headset fixup to one Dell machine
8ba78e4d564e ALSA: hda/realtek - Fixed Headphone Mic can't record on Dell platform
c92212a81617 ALSA: seq: Break too long mutex context in the write loop
eb6c84e4b4f2 raid5-cache: Need to do start() part job after adding journal device
3f42c0000b23 ASoC: dapm: Adapt for debugfs API change
677b2aa3be5c lib/scatterlist: Fix mapping iterator when sg->offset is greater than PAGE_SIZE
0b174bac4e43 pnfs: Fix a problem where we gratuitously start doing I/O through the MDS
f64ff5914f00 pNFS: Fix a typo in pnfs_update_layout
603e7497bf27 pnfs/flexfiles: Fix PTR_ERR() dereferences in ff_layout_track_ds_error
5347e61954fc NFSv4: Handle the special Linux file open access mode
6825ff011c7c iwlwifi: fix RF-Kill interrupt while FW load for gen2 devices
a32e2ceca0ef iwlwifi: don't WARN when calling iwl_get_shared_mem_conf with RF-Kill
d9ce0788da91 iwlwifi: pcie: fix ALIVE interrupt handling for gen2 devices w/o MSI-X
04c52c105a38 iwlwifi: pcie: don't service an interrupt that was masked
7ebddd5fe217 arm64: tegra: Update Jetson TX1 GPU regulator timings
042451b921b1 regulator: s2mps11: Fix buck7 and buck8 wrong voltages
8da63aa46e26 Input: alps - fix a mismatch between a condition check and its comment
81368a9a98d9 Input: synaptics - whitelist Lenovo T580 SMBus intertouch
cfb9250619c8 Input: alps - don't handle ALPS cs19 trackpoint-only device
d657077eda7b Input: gtco - bounds check collection indent level
f11ba9df8eed bcache: destroy dc->writeback_write_wq if failed to create dc->writeback_thread
2ab14861d2eb bcache: fix mistaken sysfs entry for io_error counter
3c466df8fc59 bcache: ignore read-ahead request failure on backing device
4fc48cd21a31 bcache: Revert "bcache: free heap cache_set->flush_btree in bch_journal_free"
ab966241d59a bcache: Revert "bcache: fix high CPU occupancy during journal"
58169c189bd6 Revert "bcache: set CACHE_SET_IO_DISABLE in bch_cached_dev_error()"
c3b7d27f3746 crypto: crypto4xx - fix a potential double free in ppc4xx_trng_probe
a9fd1795fee6 crypto: ccp/gcm - use const time tag comparison.
561c4424f1e3 crypto: ccp - memset structure fields to zero before reuse
13805a5df489 crypto: crypto4xx - block ciphers should only accept complete blocks
17e63172d536 crypto: crypto4xx - fix blocksize for cfb and ofb
4598094d24c7 crypto: crypto4xx - fix AES CTR blocksize value
1c9b0a766513 crypto: chacha20poly1305 - fix atomic sleep when using async algorithm
eb99c084da28 crypto: arm64/sha2-ce - correct digest for empty data in finup
4230e09e61e6 crypto: arm64/sha1-ce - correct digest for empty data in finup
52f07c1ac70e crypto: ccp - Validate the the error value used to index error messages
bed97f646997 crypto: ghash - fix unaligned memory access in ghash_setkey()
ce7ec07abaf7 scsi: mac_scsi: Fix pseudo DMA implementation, take 2
de769c762626 scsi: mac_scsi: Increase PIO/PDMA transfer length threshold
3e9534fa5046 scsi: megaraid_sas: Fix calculation of target ID
1334a3e2d6d0 scsi: core: Fix race on creating sense cache
58f59f6072ab Revert "scsi: ncr5380: Increase register polling limit"
7cfded7a705c scsi: NCR5380: Always re-enable reselection interrupt
d91baba81a6e scsi: NCR5380: Reduce goto statements in NCR5380_select()
e73db096691e xen: let alloc_xenballooned_pages() fail if not enough memory free
ff54c44f1038 floppy: fix out-of-bounds read in copy_buffer
a9444d9d0f6f floppy: fix invalid pointer dereference in drive_name
5b565f3276f3 floppy: fix out-of-bounds read in next_valid_format
6e34fd07484a floppy: fix div-by-zero in setup_format_params
7c16c5eae41a iavf: fix dereference of null rx_buffer pointer
e9896b29d010 net: mvmdio: defer probe of orion-mdio if a clock is not ready
5f6c5f5ae25e gtp: fix use-after-free in gtp_newlink()
141222216438 gtp: fix use-after-free in gtp_encap_destroy()
0a5eca2c949c gtp: fix Illegal context switch in RCU read-side critical section.
e117a04133c6 gtp: fix suspicious RCU usage
202de90df2b7 Bluetooth: validate BLE connection interval updates
ca33af18b5fc gtp: add missing gtp_encap_disable_sock() in gtp_encap_enable()
0fdb922d0ef0 Bluetooth: Check state in l2cap_disconnect_rsp
3b57b7a3a82a perf tests: Fix record+probe_libc_inet_pton.sh for powerpc64
c814f618b799 Bluetooth: 6lowpan: search for destination address in all peers
c82c4910e9e6 Bluetooth: Add new 13d3:3501 QCA_ROME device
1cbce19bd697 Bluetooth: Add new 13d3:3491 QCA_ROME device
578658df21d5 Bluetooth: hci_bcsp: Fix memory leak in rx_skb
9d47bd217539 tools: bpftool: Fix json dump crash on powerpc
2ad04d31bb3e gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants
157d1c7a1a00 bonding: validate ip header before check IPPROTO_IGMP
88f751b066f2 selftests: bpf: fix inlines in test_lwt_seg6local
ef5b204336b3 bpf, libbpf, smatch: Fix potential NULL pointer dereference
0f2f2cebe64d rxrpc: Fix oops in tracepoint
ca37b9a74689 net: usb: asix: init MAC address buffers
51216937c319 bnx2x: Prevent ptp_task to be rescheduled indefinitely
e358d2ab42f8 perf stat: Fix group lookup for metric group
a64e018be77a perf stat: Make metric event lookup more robust
7343178ccf7d bpf: fix uapi bpf_prog_info fields alignment
af3790a46a55 iwlwifi: mvm: Drop large non sta frames
036184af23e0 igb: clear out skb->tstamp after reading the txtime
0024b12b776c net: mvpp2: prs: Don't override the sign bit in SRAM parser shift
05592b9b7f25 ath10k: destroy sdio workqueue while remove sdio module
26d86b29e806 net: hns3: add some error checking in hclge_tm module
ddfdbcccd71a net: hns3: fix a -Wformat-nonliteral compile warning
95d084809495 bcache: fix potential deadlock in cached_def_free()
4b7758e9c4ed bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
81b88c05bc45 bcache: acquire bch_register_lock later in cached_dev_free()
d81080a0bcf8 bcache: check CACHE_SET_IO_DISABLE bit in bch_journal()
57cfb755c356 bcache: check CACHE_SET_IO_DISABLE in allocator code
e78d1d234469 EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
e54cc89e6f0a wil6210: drop old event after wmi_call timeout
0388597d0627 crypto: asymmetric_keys - select CRYPTO_HASH where needed
1dea395c9e12 crypto: serpent - mark __serpent_setkey_sbox noinline
b346070c72cd ixgbe: Check DDM existence in transceiver before access
0340c621eca8 rslib: Fix handling of of caller provided syndrome
8ba93c59441a rslib: Fix decoding of shortened codes
dad0b17e4a4e xsk: Properly terminate assignment in xskq_produce_flush_desc
e69fac59c493 clocksource/drivers/exynos_mct: Increase priority over ARM arch timer
12e20eca894b libata: don't request sense data on !ZAC ATA devices
6e6bc34f8570 ASoC: Intel: hdac_hdmi: Set ops to NULL on remove
1182ff224847 perf tools: Increase MAX_NR_CPUS and MAX_CACHES
7201cc227d4a ath10k: fix PCIE device wake up failed
8a808fadc9f7 ath10k: add missing error handling
fe2ceeb4cffc ipvs: fix tinfo memory leak in start_sync_thread
20de38d282b3 mt7601u: fix possible memory leak when the device is disconnected
033577880135 x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
3f7952b275c8 mt7601u: do not schedule rx_tasklet when the device has been disconnected
6f6e126e1995 rtlwifi: rtl8192cu: fix error handle when usb probe failed
41864adfee2e net: stmmac: sun8i: force select external PHY when no internal one
bce037abc29f media: hdpvr: fix locking and a missing msleep
43b9fdc48377 media: vimc: cap: check v4l2_fill_pixfmt return value
d562537dbf0d media: coda: increment sequence offset for the last returned frame
3697c12c4425 media: coda: fix last buffer handling in V4L2_ENC_CMD_STOP
6fd3e9f65db9 media: coda: fix mpeg2 sequence number handling
c647c00f28af acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
b9f547b7bdd9 timer_list: Guard procfs specific code
d86c0b73f75b ntp: Limit TAI-UTC offset
8d8f0b9009d0 media: i2c: fix warning same module names
6439110fbeee media: s5p-mfc: Make additional clocks optional
57de3c78f0b7 ipvs: defer hook registration to avoid leaks
06a3cd416224 ipsec: select crypto ciphers for xfrm_algo
723ba7938492 arm64: Do not enable IRQs for ct_user_exit
010bfbc93424 lightnvm: pblk: fix freeing of merged pages
762bba1b7ee7 nvme-pci: set the errno on ctrl state change error
c876a66553d7 nvme-pci: properly report state change failure in nvme_reset_work
f0c83dd15ee1 nvme: fix possible io failures when removing multipathed ns
10cc3a65a55b EDAC/sysfs: Fix memory leak when creating a csrow object
f6502ce4f050 ACPICA: Clear status of GPEs on first direct enable
3ae98dc2db1e blk-iolatency: only account submitted bios
a952f7c384aa x86/cacheinfo: Fix a -Wtype-limits warning
3252b29ea41b ipoib: correcly show a VF hardware address
0e2af9b06c00 vhost_net: disable zerocopy by default
4c57957ed6c8 perf evsel: Make perf_evsel__name() accept a NULL argument
9e0bcb59b6c0 x86/atomic: Fix smp_mb__{before,after}_atomic()
dd0260fd1e3a perf/x86/intel/uncore: Handle invalid event coding for free-running counter
7fc96cd2b0de sched/fair: Fix "runnable_avg_yN_inv" not used warnings
d8b7db6c5004 sched/core: Add __sched tag for io_schedule()
930655b01367 xfrm: fix sa selector validation
b7d66bbc8ad3 blkcg, writeback: dead memcgs shouldn't contribute to writeback ownership arbitration
c8f75e753784 block: null_blk: fix race condition for null_del_dev
1a3706d8f800 net: hns3: fix for skb leak when doing selftest
6a47a42f51cf qed: iWARP - Fix tc for MPA ll2 connection
670fb965da03 x86/cpufeatures: Add FDP_EXCPTN_ONLY and ZERO_FCS_FDS
366ae49ed78c rcu: Force inlining of rcu_read_lock()
1fb3ce14f28d ASoC: meson: axg-tdm: fix sample clock inversion
32df4043aed4 x86/cpu: Add Ice Lake NNPI to Intel family
914026d58100 selinux: fix empty write to keycreate file
10e3788e6575 media: s5p-mfc: fix reading min scratch buffer size on MFC v6/v7
7c10f8941b95 bpf: silence warning messages in core
b01bf44c363d regmap: fix bulk writes on paged registers
544cd592ca72 gpio: omap: ensure irq is enabled before wakeup
ddeef7a00050 gpio: omap: fix lack of irqstatus_raw0 for OMAP4
79644b600850 iommu: Fix a leak in iommu_insert_resv_region
f2a4624be8f3 media: fdp1: Support M3N and E3 platforms
63e53991d791 media: uvcvideo: Fix access to uninitialized fields on probe error
c844f4da9b92 irqchip/meson-gpio: Add support for Meson-G12A SoC
eac8b39d089a perf report: Fix OOM error in TUI mode on s390
be32a9dc3f62 perf test 6: Fix missing kvm module load for s390
3662d8bca087 perf cs-etm: Properly set the value of 'old' and 'head' in snapshot mode
ac510285d40b ipset: Fix memory accounting for hash types on resize
c7bf2df45044 net: sfp: add mutex to prevent concurrent state checks
fa4059c5497e RAS/CEC: Fix pfn insertion
99dcd701465f s390/qdio: handle PENDING state for QEBSM devices
a76f32cbd38c net: axienet: Fix race condition causing TX hang
9d643358386d net: fec: Do not use netdev messages too early
403c43921479 crypto: inside-secure - do not rely on the hardware last bit for result descriptors
50331c64f3dd net: stmmac: modify default value of tx-frames
1a0a837afc41 net: stmmac: dwmac4: fix flow control issue
713737cac327 perf jvmti: Address gcc string overflow warning for strncpy()
fb83987cbe6b arm64: mm: make CONFIG_ZONE_DMA32 configurable
c360eb592938 cpupower : frequency-set -r option misses the last cpu in related cpu list
cac3032062e5 net: hns3: set ops to null when unregister ad_dev
35407917b0bc media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
2fbde2746597 locking/lockdep: Fix merging of hlocks with non-zero references
909034b8ac64 batman-adv: Fix duplicated OGMs on NETDEV_UP
aa2ad8b6fb2f tua6100: Avoid build warnings.
9072450736d0 crypto: talitos - Align SEC1 accesses to 32 bits boundaries.
9d25aedef08f crypto: talitos - properly handle split ICV.
fc25cfb03ea2 net: phy: Check against net_device being NULL
ef10d46d04a5 media: staging: media: davinci_vpfe: - Fix for memory leak if decoder initialization fails.
e36f25627362 media: saa7164: fix remove_proc_entry warning
ea904c9f6a33 media: mc-device.c: don't memset __user pointer contents
a6dd4862b98f perf annotate TUI browser: Do not use member from variable within its own initialization
71b029a5d908 fscrypt: clean up some BUG_ON()s in block encryption/decryption
2c6acf7478aa xfrm: Fix xfrm sel prefix length validation
0544b64ceb64 af_key: fix leaks in key_pol_get_resp and dump_sp.
b397462a010d signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
1c8e736115cd qed: Set the doorbell address correctly
df6680de7a20 net: stmmac: dwmac4/5: Clear unused address entries
d3969670cb5a net: stmmac: dwmac1000: Clear unused address entries
810441651a8a media: media_device_enum_links32: clean a reserved field
6fb470ace862 media: vpss: fix a potential NULL pointer dereference
70da38e80509 media: marvell-ccic: fix DMA s/g desc number calculation
add712b63185 media: ov7740: avoid invalid framesize setting
b0e199e13495 crypto: talitos - fix skcipher failure due to wrong output IV
6452712f95e3 media: spi: IR LED: add missing of table registration
94f2b518a788 media: dvb: usb: fix use after free in dvb_usb_device_exit
8f855c09e2af batman-adv: fix for leaked TVLV handler.
83d133c96aad regmap: debugfs: Fix memory leak in regmap_debugfs_init
2b5b12c0c1b7 ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
da153c0c5746 wil6210: fix spurious interrupts in 3-msi
a4bf4fecff16 ath10k: add peer id check in ath10k_peer_find_by_id
83c911f4bd68 ath6kl: add some bounds checking
42dcbf20e182 ath9k: Check for errors when reading SREV register
7e19e658e535 ath10k: Do not send probe response template for mesh
009edc622bba wil6210: fix potential out-of-bounds read
09593c25b975 dmaengine: imx-sdma: fix use-after-free on probe error path
06e15cf5aead scsi: iscsi: set auth_protocol back to NULL if CHAP_A value is not supported
37cb02da44dc arm64/efi: Mark __efistub_stext_offset as an absolute symbol explicitly
73ebefc814ef MIPS: fix build on non-linux hosts
7202df6be6ec MIPS: ath79: fix ar933x uart parity mode
be9b6782a9eb Linux 4.19.60
d173ce091c1a x86/entry/32: Fix ENDPROC of common_spurious
466bdfc6c4d6 drm/udl: move to embedding drm device inside udl device.
af48f7d79fae drm/udl: Replace drm_dev_unref with drm_dev_put
cfd99eccede5 drm/udl: introduce a macro to convert dev to udl.
8f14cf159e9f regmap-irq: do not write mask register if mask_base is zero
820b010743ee crypto/NX: Set receive window credits to max number of CRBs in RxFIFO
b24c6403633d crypto: talitos - fix hash on SEC1.
ff1ce8ef1f88 crypto: talitos - move struct talitos_edesc into talitos.h
b578b87bcab6 s390/qdio: don't touch the dsci in tiqdio_add_input_queues()
b1d52630b12a s390/qdio: (re-)initialize tiqdio list entries
02eb533e940a s390: fix stfle zero padding
9db915738e40 ARC: hide unused function unw_hdr_alloc
fc6975ee932b x86/irq: Seperate unused system vectors from spurious entry again
9494cd392885 x86/irq: Handle spurious interrupt after shutdown gracefully
7897f5a443fb x86/ioapic: Implement irq_get_irqchip_state() callback
6074f6043c49 genirq: Add optional hardware synchronization for shutdown
3f10ccc29780 genirq: Fix misleading synchronize_irq() documentation
578db1aa595b genirq: Delay deactivation in free_irq()
2656ee5a5ad5 linux/kernel.h: fix overflow for DIV_ROUND_UP_ULL
9c875e8556d4 pinctrl: mediatek: Update cur_mask in mask/mask ops
f6e01328cb0e cpu/hotplug: Fix out-of-bounds read when setting fail state
fa99487a43cf pinctrl: mediatek: Ignore interrupts that are wake only during resume
cd2646e57ec5 HID: multitouch: Add pointstick support for ALPS Touchpad
9ea3b131441e HID: chicony: add another quirk for PixArt mouse
94968c37b6d3 x86/boot/64: Add missing fixup_pointer() for next_early_pgt access
729d25f43b64 x86/boot/64: Fix crash if kernel image crosses page table boundary
136847140cc8 dm verity: use message limit for data block corruption message
042be78692ae dm table: don't copy from a NULL pointer in realloc_argv()
0fc080bc9a72 pinctrl: mcp23s08: Fix add_data and irqchip_add_nested call order
00640eb0eafa ARM: dts: imx6ul: fix PWM[1-4] interrupts
a8cc2a2c2841 sis900: fix TX completion
3232bccddeba ppp: mppe: Add softdep to arc4
5ec7753c7c9e be2net: fix link failure after ethtool offline test
2a6ee36917f0 x86/apic: Fix integer overflow on 10 bit left shift of cpu_khz
fdfff855cd36 afs: Fix uninitialised spinlock afs_volume::cb_break_lock
d47f06ab0c0e ARM: omap2: remove incorrect __init annotation
5d3c45538151 ARM: dts: gemini Fix up DNS-313 compatible string
afda29dc5ac6 perf/core: Fix perf_sample_regs_user() mm check
627fdcc9b718 efi/bgrt: Drop BGRT status field reserved bits check
cf4deb2d4de6 clk: ti: clkctrl: Fix returning uninitialized data
ff232a47567f irqchip/gic-v3-its: Fix command queue pointer comparison bug
244db54441a1 firmware: improve LSM/IMA security behaviour
079d7f16a973 drivers: base: cacheinfo: Ensure cpu hotplug work is done before Intel RDT
68048dce650e nilfs2: do not use unexported cpu_to_le32()/le32_to_cpu() in uapi header
86859ef10d25 Input: synaptics - enable SMBUS on T480 thinkpad trackpad
438a3dc6f2c3 e1000e: start network tx queue only when link is up
8020568b404b Revert "e1000e: fix cyclic resets at link up with active tx"
3bd837bfe431 Linux 4.19.59
70bae382b3dc staging: rtl8712: reduce stack usage, again
b46475ecd930 staging: bcm2835-camera: Handle empty EOS buffers whilst streaming
0ee144effcc3 staging: bcm2835-camera: Remove check of the number of buffers supplied
fcbc6ddcd624 staging: bcm2835-camera: Ensure all buffers are returned on disable
4502c43d7f3b staging: bcm2835-camera: Replace spinlock protecting context_map with mutex
22a20b9f6d9f staging: fsl-dpaa2/ethsw: fix memory leak of switchdev_work
cc396afa1959 MIPS: Remove superfluous check for __linux__
d202b5adccfb VMCI: Fix integer overflow in VMCI handle arrays
486c32325caa carl9170: fix misuse of device driver API
524ad00e80b7 binder: fix memory leak in error path
294b893a41cd lkdtm: support llvm-objcopy
5c90a2ecd08a HID: Add another Primax PIXART OEM mouse quirk
c04c751bef87 staging: comedi: amplc_pci230: fix null pointer deref on interrupt
4e49c6c91c18 staging: comedi: dt282x: fix a null pointer deref on interrupt
8419fd562a09 drivers/usb/typec/tps6598x.c: fix 4CC cmd write
63b3028cd590 drivers/usb/typec/tps6598x.c: fix portinfo width
57e16e0d8c68 usb: renesas_usbhs: add a workaround for a race condition of workqueue
aa9a8038ea8b usb: dwc2: use a longer AHB idle timeout in dwc2_core_reset()
cac4a04202fb usb: gadget: ether: Fix race between gether_disconnect and rx_submit
449a8d08a4bc p54usb: Fix race between disconnect and firmware loading
135d9ba3b285 Revert "serial: 8250: Don't service RX FIFO if interrupts are disabled"
0891268f36a2 USB: serial: option: add support for GosunCn ME3630 RNDIS mode
0a1c811bf033 USB: serial: ftdi_sio: add ID for isodebug v1
bb902b6c87ff mwifiex: Don't abort on small, spec-compliant vendor IEs
ffbbd626e1ce mwifiex: Abort at too short BSS descriptor element
a2a24b57c27a Documentation/admin: Remove the vsyscall=native documentation
8a815007f5fe Documentation: Add section about CPU vulnerabilities for Spectre
bd9604022eb3 x86/tls: Fix possible spectre-v1 in do_get_thread_area()
68ff28291a4f x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()
d8e26651ce8d perf pmu: Fix uncore PMU alias list for ARM64
018524b75852 block, bfq: NULL out the bic when it's no longer valid
ff75e5f41e88 ALSA: hda/realtek - Headphone Mic can't record after S3
87c3262b00d8 ALSA: usb-audio: Fix parse of UAC2 Extension Units
ef374f5a2731 media: stv0297: fix frequency range limit
5db079eb0acd udf: Fix incorrect final NOT_ALLOCATED (hole) extent length
0fc3e9b9b603 fscrypt: don't set policy for a dead directory
e9f76b954336 net :sunrpc :clnt :Fix xps refcount imbalance on the error path
810cfc3d9d2e NFS4: Only set creation opendata if O_CREAT
7075654ce7d0 net: dsa: mv88e6xxx: fix shift of FID bits in mv88e6185_g1_vtu_loadpurge()
606561e16186 quota: fix a problem about transfer quota
5ad566af08c1 scsi: qedi: Check targetname while finding boot target information
37232abb6ea3 net: lio_core: fix potential sign-extension overflow on large shift
740b2ac49518 ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL
a02ac12d2d48 drm: return -EFAULT if copy_to_user() fails
4c938a635fc3 bnx2x: Check if transceiver implements DDM before access
270ae00a0346 md: fix for divide error in status_resync
5533d9ed4112 mmc: core: complete HS400 before checking status
2da80536f629 qmi_wwan: extend permitted QMAP mux_id value range
dc84e98393f7 qmi_wwan: avoid RCU stalls on device disconnect when in QMAP mode
dbc6a83cf2bc qmi_wwan: add support for QMAP padding in the RX path
292ba5b1faf4 bpf, x64: fix stack layout of JITed bpf code
4c2ce7addda8 bpf, devmap: Add missing RCU read lock on flush
ab44f8bcf2e5 bpf, devmap: Add missing bulk queue free
8d09e862103b bpf, devmap: Fix premature entry free on destroying map
ba0afe520ee9 mac80211: do not start any work during reconfigure flow
de8cf2c0bc64 mac80211: only warn once on chanctx_conf being NULL
9c2dd6d47131 ARM: davinci: da8xx: specify dma_coherent_mask for lcdc
3bbcc8b9ad37 ARM: davinci: da850-evm: call regulator_has_full_constraints()
443250665388 mlxsw: spectrum: Disallow prio-tagged packets when PVID is removed
512bbb114b99 KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy
41420ac584d7 Input: imx_keypad - make sure keyboard can always wake up system
b71f312e9bf7 riscv: Fix udelay in RV32.
122c6a71c08d drm/vmwgfx: fix a warning due to missing dma_parms
d3861d4ca94c drm/vmwgfx: Honor the sg list segment size limitation
c0b12abd1828 s390/boot: disable address-of-packed-member warning
e71daed5176f ARM: dts: am335x phytec boards: Fix cd-gpios active level
822c2ee81c63 ibmvnic: Fix unchecked return codes of memory allocations
0f06004d16be ibmvnic: Refresh device multicast list after reset
e65dd528bb8e ibmvnic: Do not close unopened driver during reset
374180b11b29 net: phy: rename Asix Electronics PHY driver
473a75c7fab5 can: af_can: Fix error path of can_init()
486954277fc1 can: m_can: implement errata "Needless activation of MRAF irq"
270149f78b9c can: mcp251x: add support for mcp25625
33672c74b484 dt-bindings: can: mcp251x: add mcp25625 support
07c96e8e8021 soundwire: intel: set dai min and max channels correctly
c7e427e28a3a mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
8e115a079940 iwlwifi: Fix double-free problems in iwl_req_fw_callback()
d4c0f752c1d2 mwifiex: Fix possible buffer overflows at parsing bss descriptor
b8588a0981b7 mac80211: free peer keys before vif down in mesh
acc42e5c2322 mac80211: mesh: fix RCU warning
e3868c1a462f staging:iio:ad7150: fix threshold mode config bit
6b1ce3971e05 soundwire: stream: fix out of boundary access on port properties
6be857082611 bpf: sockmap, fix use after free from sleep in psock backlog workqueue
bc84982f977d mac80211: fix rate reporting inside cfg80211_calculate_bitrate_he()
3c24a931e972 samples, bpf: suppress compiler warning
e7779115bbd9 samples, bpf: fix to change the buffer size for read()
fe01e93c3fd1 Input: elantech - enable middle button support on 2 ThinkPads
2883fc1ece69 soc: bcm: brcmstb: biuctrl: Register writes require a barrier
2f1c962a7416 soc: brcmstb: Fix error path for unsupported CPUs
e8250f730410 crypto: talitos - rename alternative AEAD algos.
7a6bfa08b938 Linux 4.19.58
f37de75cb8eb dmaengine: imx-sdma: remove BD_INTR for channel0
018c968de710 dmaengine: qcom: bam_dma: Fix completed descriptors count
870de1499505 MIPS: have "plain" make calls build dtbs for selected platforms
8957895b35de MIPS: Add missing EHB in mtc0 -> mfc0 sequence.
2b8f8a80ca8b MIPS: Fix bounds check virt_addr_valid
80b25628ff26 svcrdma: Ignore source port when computing DRC hash
8129a10ce78f nfsd: Fix overflow causing non-working mounts on 1 TB machines
f25c06955f8d KVM: LAPIC: Fix pending interrupt in IRR blocked by software disable LAPIC
f6472f50fbfc KVM: x86: degrade WARN to pr_warn_ratelimited
ac0024baf073 netfilter: ipv6: nf_defrag: accept duplicate fragments again
54e8cf41b20b bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K
e6c288f7307e net: hns: fix unsigned comparison to less than zero
4f24801ef50b sc16is7xx: move label 'err_spi' to correct section
318244f3641a netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
a8891c5e2251 ip6: fix skb leak in ip6frag_expire_frag_queue()
382bc84da904 rds: Fix warning.
7e6af1fa80b8 ALSA: hda: Initialize power_state field properly
c8c88293bf72 net: hns: Fixes the missing put_device in positive leg for roce reset
6bf9677300f3 x86/boot/compressed/64: Do not corrupt EDX on EFER.LME=1 setting
b91ec6ae14da selftests: fib_rule_tests: Fix icmp proto with ipv6
e2851c3ee0be scsi: tcmu: fix use after free
04096b3beace mac80211: mesh: fix missing unlock on error in table_path_del()
e2379b044d67 f2fs: don't access node/meta inode mapping after iput
e9fde78c3a4f drm/fb-helper: generic: Don't take module ref for fbcon
7821bcce20aa media: s5p-mfc: fix incorrect bus assignment in virtual child device
3ddc2a100706 net/smc: move unhash before release of clcsock
cd54dc4cd37d mlxsw: spectrum: Handle VLAN device unlinking
a8a296abee36 tty: rocket: fix incorrect forward declaration of 'rp_init()'
fb814f215013 btrfs: Ensure replaced device doesn't have pending chunk allocation
27ce6c2675f6 mm/vmscan.c: prevent useless kswapd loops
c854d9b6ef8d ftrace/x86: Remove possible deadlock between register_kprobe() and ftrace_run_update_code()
2e716c3b562d drm/imx: only send event on crtc disable if kept disabled
8ec242fd431b drm/imx: notify drm core before sending event during crtc disable
d2d061351d64 drm/etnaviv: add missing failure path to destroy suballoc
ec5d99e18d30 drm/amdgpu/gfx9: use reset default for PA_SC_FIFO_SIZE
ec6d8c9e6687 drm/amd/powerplay: use hardware fan control if no powerplay fan table
b6d56f4f6a49 arm64: kaslr: keep modules inside module region when KASAN is enabled
7cab3dfa6d74 ARM: dts: armada-xp-98dx3236: Switch to armada-38x-uart serial node
c8790d7f76be tracing/snapshot: Resize spare buffer if size changed
052b31810085 fs/userfaultfd.c: disable irqs for fault_pending and event locks
ea38007107d6 lib/mpi: Fix karactx leak in mpi_powm
7df1e2f59bde ALSA: hda/realtek - Change front mic location for Lenovo M710q
899377c50e60 ALSA: hda/realtek: Add quirks for several Clevo notebook barebones
d9b6936b134e ALSA: usb-audio: fix sign unintended sign extension on left shifts
7f52af5e9baa ALSA: line6: Fix write on zero-sized buffer
3663bf2baa97 ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages
9d2ac58c1ef9 ALSA: seq: fix incorrect order of dest_client/dest_ports arguments
ae3fa28f0938 crypto: cryptd - Fix skcipher instance memory leak
015c20532ace crypto: user - prevent operating on larval algorithms
54435b7fff7b ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME
600d3712ae12 drm/i915/dmc: protect against reading random memory
2b39351e3844 ftrace: Fix NULL pointer dereference in free_ftrace_func_mapper()
938044171949 module: Fix livepatch/ftrace module text permissions race
220adcc0e0ca tracing: avoid build warning with HAVE_NOP_MCOUNT
79fccb9815db mm/mlock.c: change count_mm_mlocked_page_nr return type
4fce0a79e985 scripts/decode_stacktrace.sh: prefix addr2line with $CROSS_COMPILE
b7747ecb82be cpuset: restore sanity to cpuset_cpus_allowed_fallback()
e33aeb9a7c0a i2c: pca-platform: Fix GPIO lookup code
7cf431edfb71 platform/mellanox: mlxreg-hotplug: Add devm_free_irq call to remove flow
c241f3fbfa1a platform/x86: mlx-platform: Fix parent device in i2c-mux-reg device registration
f853112772b0 platform/x86: intel-vbtn: Report switch events when event wakes device
2ac96173bee0 platform/x86: asus-wmi: Only Tell EC the OS will handle display hotkeys from asus_nb_wmi
027e043f9c78 drm: panel-orientation-quirks: Add quirk for GPD MicroPC
2446563dd6d7 drm: panel-orientation-quirks: Add quirk for GPD pocket2
8be5629b9622 scsi: hpsa: correct ioaccel2 chaining
c1bef204c70a SoC: rt274: Fix internal jack assignment in set_jack callback
1023af0c069d ALSA: hdac: fix memory release for SST and SOF drivers
26a6acde2a42 usb: gadget: udc: lpc32xx: allocate descriptor with GFP_ATOMIC
9be058f5dd70 usb: gadget: fusb300_udc: Fix memory leak of fusb300->ep[i]
5284327f4e17 x86/CPU: Add more Icelake model numbers
74929087384f ASoC: sun4i-i2s: Add offset to RX channel select
32475634e8a8 ASoC: sun4i-i2s: Fix sun8i tx channel offset mask
7b7486398a32 ASoC: max98090: remove 24-bit format support if RJ is 0
3b60f98ef496 drm/mediatek: call mtk_dsi_stop() after mtk_drm_crtc_atomic_disable()
34e5e1c4874f drm/mediatek: clear num_pipes when unbind driver
a8a86e9a5533 drm/mediatek: call drm_atomic_helper_shutdown() when unbinding driver
79e095d234bb drm/mediatek: unbind components in mtk_drm_unbind()
319f4699bcaa drm/mediatek: fix unbind functions
dbd94f4938c6 spi: bitbang: Fix NULL pointer dereference in spi_unregister_master
3f8d3c9506a5 ASoC: ak4458: rstn_control - return a non-zero on error only
3c3dd68c48e8 ASoC: soc-pcm: BE dai needs prepare when pause release after resume
4c31b4b4ba65 ASoC: ak4458: add return value for ak4458_probe
0c19bcdb0db9 ASoC : cs4265 : readable register too low
c549680ed59b netfilter: nft_flow_offload: IPCB is only valid for ipv4 family
041c181e6ba0 netfilter: nft_flow_offload: don't offload when sequence numbers need adjustment
48f611ecea0e netfilter: nft_flow_offload: set liberal tracking mode for tcp
3b2734bc839d netfilter: nf_flow_table: ignore DF bit setting
869eec894663 md/raid0: Do not bypass blocking queue entered for raid0 bios
c9d8d3e9d7a0 block: Fix a NULL pointer dereference in generic_make_request()
5dd6139a0aa2 Bluetooth: Fix faulty expression for minimum encryption key size check
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb | 6 +++---
meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb | 8 ++++----
meta/recipes-kernel/linux/linux-yocto_4.19.bb | 20 ++++++++++----------
3 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb b/meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb
index a431773..213a21e 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "dac3a011d5832c5f94ffac569559f05014746f01"
-SRCREV_meta ?= "772b96e00bb4d0dc4d2a18d2f7da7d5df53bf368"
+SRCREV_machine ?= "ca2e3322f4c5678eaef6434c808d0842c805d74d"
+SRCREV_meta ?= "960be4218436fbbb3500e019f7abf02fa94e6aac"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.19;destsuffix=${KMETA}"
-LINUX_VERSION ?= "4.19.57"
+LINUX_VERSION ?= "4.19.61"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb
index 993f294..a4be4b5 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "4.19.57"
+LINUX_VERSION ?= "4.19.61"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "36a736baed7fedb11c7c39b3e8d06e165e9e4d06"
-SRCREV_machine ?= "b1d253af9cdeb237b4875ca6184c0cbdfbe65e70"
-SRCREV_meta ?= "772b96e00bb4d0dc4d2a18d2f7da7d5df53bf368"
+SRCREV_machine_qemuarm ?= "b5a2efa31290f31384971494031285d394635938"
+SRCREV_machine ?= "4ec6f255163da37a4c83528e5835b6b9baccee63"
+SRCREV_meta ?= "960be4218436fbbb3500e019f7abf02fa94e6aac"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_4.19.bb b/meta/recipes-kernel/linux/linux-yocto_4.19.bb
index 7ee67cf..9c794ba 100644
--- a/meta/recipes-kernel/linux/linux-yocto_4.19.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_4.19.bb
@@ -11,22 +11,22 @@ KBRANCH_qemux86 ?= "v4.19/standard/base"
KBRANCH_qemux86-64 ?= "v4.19/standard/base"
KBRANCH_qemumips64 ?= "v4.19/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "c093532d256a8c46a4e73a940998ddec916f63be"
-SRCREV_machine_qemuarm64 ?= "b1d253af9cdeb237b4875ca6184c0cbdfbe65e70"
-SRCREV_machine_qemumips ?= "8bac53c36a72ab7dc343f754a76094c41c633c77"
-SRCREV_machine_qemuppc ?= "b1d253af9cdeb237b4875ca6184c0cbdfbe65e70"
-SRCREV_machine_qemux86 ?= "b1d253af9cdeb237b4875ca6184c0cbdfbe65e70"
-SRCREV_machine_qemux86-64 ?= "b1d253af9cdeb237b4875ca6184c0cbdfbe65e70"
-SRCREV_machine_qemumips64 ?= "bbc2fcd94ccdb48977a7bf3fcbbc56ef785a0bd1"
-SRCREV_machine ?= "b1d253af9cdeb237b4875ca6184c0cbdfbe65e70"
-SRCREV_meta ?= "772b96e00bb4d0dc4d2a18d2f7da7d5df53bf368"
+SRCREV_machine_qemuarm ?= "ca3cb923f8d7962c6d47a8d29923e52da1818854"
+SRCREV_machine_qemuarm64 ?= "4ec6f255163da37a4c83528e5835b6b9baccee63"
+SRCREV_machine_qemumips ?= "f624314048dfac57e47ac91d89ca3dc8395ca47a"
+SRCREV_machine_qemuppc ?= "4ec6f255163da37a4c83528e5835b6b9baccee63"
+SRCREV_machine_qemux86 ?= "4ec6f255163da37a4c83528e5835b6b9baccee63"
+SRCREV_machine_qemux86-64 ?= "4ec6f255163da37a4c83528e5835b6b9baccee63"
+SRCREV_machine_qemumips64 ?= "ca47368b698795cd5cada84dbfcceda1f47da1aa"
+SRCREV_machine ?= "4ec6f255163da37a4c83528e5835b6b9baccee63"
+SRCREV_meta ?= "960be4218436fbbb3500e019f7abf02fa94e6aac"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRANCH}; \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.19;destsuffix=${KMETA} \
"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "4.19.57"
+LINUX_VERSION ?= "4.19.61"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 25/43] boost: Fix build and enable context and coroutines on aarch64
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (23 preceding siblings ...)
2019-09-01 14:36 ` [warrior 24/43] linux-yocto/4.19: update to v4.19.61 Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 26/43] rsync: fix CVEs for included zlib Armin Kuster
` (17 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: "Bedel, Alban" <alban.bedel@aerq.com>
Like for ARM bjam need some hints about the ABI to properly build on
aarch64. While at it also enable context and coroutine as these are
supported on aarch64.
Signed-off-by: Alban Bedel <alban.bedel@aerq.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-support/boost/boost.inc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-support/boost/boost.inc b/meta/recipes-support/boost/boost.inc
index 9be3717..c2e2cbb 100644
--- a/meta/recipes-support/boost/boost.inc
+++ b/meta/recipes-support/boost/boost.inc
@@ -33,6 +33,7 @@ BOOST_LIBS_append_x86 = " context coroutine"
BOOST_LIBS_append_x86-64 = " context coroutine"
BOOST_LIBS_append_powerpc = " context coroutine"
BOOST_LIBS_append_arm = " context coroutine"
+BOOST_LIBS_append_aarch64 = " context coroutine"
# need consistent settings for native builds (x86 override not applied for native)
BOOST_LIBS_remove_class-native = " context coroutine"
# does not compile
@@ -151,6 +152,7 @@ BJAM_OPTS_append_x86-x32 = " abi=x32 address-model=64"
# cross compiling for arm fails to detect abi, so provide some help
BJAM_OPTS_append_arm = " abi=aapcs architecture=arm"
+BJAM_OPTS_append_aarch64 = " abi=aapcs address-model=64 architecture=arm"
do_configure() {
cp -f ${S}/boost/config/platform/linux.hpp ${S}/boost/config/platform/linux-gnueabi.hpp
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 26/43] rsync: fix CVEs for included zlib
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (24 preceding siblings ...)
2019-09-01 14:36 ` [warrior 25/43] boost: Fix build and enable context and coroutines on aarch64 Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 27/43] patch: fix CVE-2019-13638 Armin Kuster
` (16 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
rsync includes its own copy of zlib and doesn't recommend linking with
the system version [1].
Import CVE fixes that impact zlib version 1.2.8 [2] that is currently used
by rsync.
[1] https://git.samba.org/rsync.git/?p=rsync.git;a=blob;f=zlib/README.rsync
[2] https://nvd.nist.gov/vuln/search/results?form_type=Advanced&cves=on&cpe_version=cpe%3a%2fa%3agnu%3azlib%3a1.2.8
(From OE-Core rev: a55fbb4cb489853dfb0b4553f6e187c3f3633f48)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../rsync/files/CVE-2016-9840.patch | 75 +++++++
.../rsync/files/CVE-2016-9841.patch | 228 +++++++++++++++++++++
.../rsync/files/CVE-2016-9842.patch | 33 +++
.../rsync/files/CVE-2016-9843.patch | 53 +++++
meta/recipes-devtools/rsync/rsync_3.1.3.bb | 4 +
5 files changed, 393 insertions(+)
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2016-9840.patch
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2016-9841.patch
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2016-9842.patch
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2016-9843.patch
diff --git a/meta/recipes-devtools/rsync/files/CVE-2016-9840.patch b/meta/recipes-devtools/rsync/files/CVE-2016-9840.patch
new file mode 100644
index 0000000..7581887
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2016-9840.patch
@@ -0,0 +1,75 @@
+From 6a043145ca6e9c55184013841a67b2fef87e44c0 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Wed, 21 Sep 2016 23:35:50 -0700
+Subject: [PATCH] Remove offset pointer optimization in inftrees.c.
+
+inftrees.c was subtracting an offset from a pointer to an array,
+in order to provide a pointer that allowed indexing starting at
+the offset. This is not compliant with the C standard, for which
+the behavior of a pointer decremented before its allocated memory
+is undefined. Per the recommendation of a security audit of the
+zlib code by Trail of Bits and TrustInSoft, in support of the
+Mozilla Foundation, this tiny optimization was removed, in order
+to avoid the possibility of undefined behavior.
+
+CVE: CVE-2016-9840
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ inftrees.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/zlib/inftrees.c b/zlib/inftrees.c
+index 22fcd666..0d2670d5 100644
+--- a/zlib/inftrees.c
++++ b/zlib/inftrees.c
+@@ -54,7 +54,7 @@ unsigned short FAR *work;
+ code FAR *next; /* next available space in table */
+ const unsigned short FAR *base; /* base value table to use */
+ const unsigned short FAR *extra; /* extra bits table to use */
+- int end; /* use base and extra for symbol > end */
++ unsigned match; /* use base and extra for symbol >= match */
+ unsigned short count[MAXBITS+1]; /* number of codes of each length */
+ unsigned short offs[MAXBITS+1]; /* offsets in table for each length */
+ static const unsigned short lbase[31] = { /* Length codes 257..285 base */
+@@ -181,19 +181,17 @@ unsigned short FAR *work;
+ switch (type) {
+ case CODES:
+ base = extra = work; /* dummy value--not used */
+- end = 19;
++ match = 20;
+ break;
+ case LENS:
+ base = lbase;
+- base -= 257;
+ extra = lext;
+- extra -= 257;
+- end = 256;
++ match = 257;
+ break;
+ default: /* DISTS */
+ base = dbase;
+ extra = dext;
+- end = -1;
++ match = 0;
+ }
+
+ /* initialize state for loop */
+@@ -216,13 +214,13 @@ unsigned short FAR *work;
+ for (;;) {
+ /* create table entry */
+ here.bits = (unsigned char)(len - drop);
+- if ((int)(work[sym]) < end) {
++ if (work[sym] + 1 < match) {
+ here.op = (unsigned char)0;
+ here.val = work[sym];
+ }
+- else if ((int)(work[sym]) > end) {
+- here.op = (unsigned char)(extra[work[sym]]);
+- here.val = base[work[sym]];
++ else if (work[sym] >= match) {
++ here.op = (unsigned char)(extra[work[sym] - match]);
++ here.val = base[work[sym] - match];
+ }
+ else {
+ here.op = (unsigned char)(32 + 64); /* end of block */
diff --git a/meta/recipes-devtools/rsync/files/CVE-2016-9841.patch b/meta/recipes-devtools/rsync/files/CVE-2016-9841.patch
new file mode 100644
index 0000000..3942176
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2016-9841.patch
@@ -0,0 +1,228 @@
+From 9aaec95e82117c1cb0f9624264c3618fc380cecb Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Wed, 21 Sep 2016 22:25:21 -0700
+Subject: [PATCH] Use post-increment only in inffast.c.
+
+An old inffast.c optimization turns out to not be optimal anymore
+with modern compilers, and furthermore was not compliant with the
+C standard, for which decrementing a pointer before its allocated
+memory is undefined. Per the recommendation of a security audit of
+the zlib code by Trail of Bits and TrustInSoft, in support of the
+Mozilla Foundation, this "optimization" was removed, in order to
+avoid the possibility of undefined behavior.
+
+CVE: CVE-2016-9841
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ zlib/inffast.c | 81 +++++++++++++++++++++----------------------------------
+ 1 file changed, 31 insertions(+), 50 deletions(-)
+
+diff --git a/zlib/inffast.c b/zlib/inffast.c
+index bda59ceb..f0d163db 100644
+--- a/zlib/inffast.c
++++ b/zlib/inffast.c
+@@ -10,25 +10,6 @@
+
+ #ifndef ASMINF
+
+-/* Allow machine dependent optimization for post-increment or pre-increment.
+- Based on testing to date,
+- Pre-increment preferred for:
+- - PowerPC G3 (Adler)
+- - MIPS R5000 (Randers-Pehrson)
+- Post-increment preferred for:
+- - none
+- No measurable difference:
+- - Pentium III (Anderson)
+- - M68060 (Nikl)
+- */
+-#ifdef POSTINC
+-# define OFF 0
+-# define PUP(a) *(a)++
+-#else
+-# define OFF 1
+-# define PUP(a) *++(a)
+-#endif
+-
+ /*
+ Decode literal, length, and distance codes and write out the resulting
+ literal and match bytes until either not enough input or output is
+@@ -96,9 +77,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+
+ /* copy state to local variables */
+ state = (struct inflate_state FAR *)strm->state;
+- in = strm->next_in - OFF;
++ in = strm->next_in;
+ last = in + (strm->avail_in - 5);
+- out = strm->next_out - OFF;
++ out = strm->next_out;
+ beg = out - (start - strm->avail_out);
+ end = out + (strm->avail_out - 257);
+ #ifdef INFLATE_STRICT
+@@ -119,9 +100,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ input data or output space */
+ do {
+ if (bits < 15) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ here = lcode[hold & lmask];
+@@ -134,14 +115,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ?
+ "inflate: literal '%c'\n" :
+ "inflate: literal 0x%02x\n", here.val));
+- PUP(out) = (unsigned char)(here.val);
++ *out++ = (unsigned char)(here.val);
+ }
+ else if (op & 16) { /* length base */
+ len = (unsigned)(here.val);
+ op &= 15; /* number of extra bits */
+ if (op) {
+ if (bits < op) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ len += (unsigned)hold & ((1U << op) - 1);
+@@ -150,9 +131,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ }
+ Tracevv((stderr, "inflate: length %u\n", len));
+ if (bits < 15) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ here = dcode[hold & dmask];
+@@ -165,10 +146,10 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ dist = (unsigned)(here.val);
+ op &= 15; /* number of extra bits */
+ if (bits < op) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ if (bits < op) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ }
+@@ -196,30 +177,30 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ #ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
+ if (len <= op - whave) {
+ do {
+- PUP(out) = 0;
++ *out++ = 0;
+ } while (--len);
+ continue;
+ }
+ len -= op - whave;
+ do {
+- PUP(out) = 0;
++ *out++ = 0;
+ } while (--op > whave);
+ if (op == 0) {
+ from = out - dist;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--len);
+ continue;
+ }
+ #endif
+ }
+- from = window - OFF;
++ from = window;
+ if (wnext == 0) { /* very common case */
+ from += wsize - op;
+ if (op < len) { /* some from window */
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+ from = out - dist; /* rest from output */
+ }
+@@ -230,14 +211,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ if (op < len) { /* some from end of window */
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+- from = window - OFF;
++ from = window;
+ if (wnext < len) { /* some from start of window */
+ op = wnext;
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+ from = out - dist; /* rest from output */
+ }
+@@ -248,35 +229,35 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ if (op < len) { /* some from window */
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+ from = out - dist; /* rest from output */
+ }
+ }
+ while (len > 2) {
+- PUP(out) = PUP(from);
+- PUP(out) = PUP(from);
+- PUP(out) = PUP(from);
++ *out++ = *from++;
++ *out++ = *from++;
++ *out++ = *from++;
+ len -= 3;
+ }
+ if (len) {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ if (len > 1)
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ }
+ }
+ else {
+ from = out - dist; /* copy direct from output */
+ do { /* minimum length is three */
+- PUP(out) = PUP(from);
+- PUP(out) = PUP(from);
+- PUP(out) = PUP(from);
++ *out++ = *from++;
++ *out++ = *from++;
++ *out++ = *from++;
+ len -= 3;
+ } while (len > 2);
+ if (len) {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ if (len > 1)
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ }
+ }
+ }
+@@ -313,8 +294,8 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ hold &= (1U << bits) - 1;
+
+ /* update state and return */
+- strm->next_in = in + OFF;
+- strm->next_out = out + OFF;
++ strm->next_in = in;
++ strm->next_out = out;
+ strm->avail_in = (unsigned)(in < last ? 5 + (last - in) : 5 - (in - last));
+ strm->avail_out = (unsigned)(out < end ?
+ 257 + (end - out) : 257 - (out - end));
diff --git a/meta/recipes-devtools/rsync/files/CVE-2016-9842.patch b/meta/recipes-devtools/rsync/files/CVE-2016-9842.patch
new file mode 100644
index 0000000..810d8a3
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2016-9842.patch
@@ -0,0 +1,33 @@
+From e54e1299404101a5a9d0cf5e45512b543967f958 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Sat, 5 Sep 2015 17:45:55 -0700
+Subject: [PATCH] Avoid shifts of negative values inflateMark().
+
+The C standard says that bit shifts of negative integers is
+undefined. This casts to unsigned values to assure a known
+result.
+
+CVE: CVE-2016-9842
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/zlib/inflate.c b/zlib/inflate.c
+index 2889e3a0..a7184167 100644
+--- a/zlib/inflate.c
++++ b/zlib/inflate.c
+@@ -1506,9 +1506,10 @@ z_streamp strm;
+ {
+ struct inflate_state FAR *state;
+
+- if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16;
++ if (strm == Z_NULL || strm->state == Z_NULL)
++ return (long)(((unsigned long)0 - 1) << 16);
+ state = (struct inflate_state FAR *)strm->state;
+- return ((long)(state->back) << 16) +
++ return (long)(((unsigned long)((long)state->back)) << 16) +
+ (state->mode == COPY ? state->length :
+ (state->mode == MATCH ? state->was - state->length : 0));
+ }
diff --git a/meta/recipes-devtools/rsync/files/CVE-2016-9843.patch b/meta/recipes-devtools/rsync/files/CVE-2016-9843.patch
new file mode 100644
index 0000000..ea2e42f
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2016-9843.patch
@@ -0,0 +1,53 @@
+From d1d577490c15a0c6862473d7576352a9f18ef811 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Wed, 28 Sep 2016 20:20:25 -0700
+Subject: [PATCH] Avoid pre-decrement of pointer in big-endian CRC calculation.
+
+There was a small optimization for PowerPCs to pre-increment a
+pointer when accessing a word, instead of post-incrementing. This
+required prefacing the loop with a decrement of the pointer,
+possibly pointing before the object passed. This is not compliant
+with the C standard, for which decrementing a pointer before its
+allocated memory is undefined. When tested on a modern PowerPC
+with a modern compiler, the optimization no longer has any effect.
+Due to all that, and per the recommendation of a security audit of
+the zlib code by Trail of Bits and TrustInSoft, in support of the
+Mozilla Foundation, this "optimization" was removed, in order to
+avoid the possibility of undefined behavior.
+
+CVE: CVE-2016-9843
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ crc32.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/zlib/crc32.c b/zlib/crc32.c
+index 979a7190..05733f4e 100644
+--- a/zlib/crc32.c
++++ b/zlib/crc32.c
+@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len)
+ }
+
+ /* ========================================================================= */
+-#define DOBIG4 c ^= *++buf4; \
++#define DOBIG4 c ^= *buf4++; \
+ c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \
+ crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24]
+ #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4
+@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len)
+ }
+
+ buf4 = (const z_crc_t FAR *)(const void FAR *)buf;
+- buf4--;
+ while (len >= 32) {
+ DOBIG32;
+ len -= 32;
+@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len)
+ DOBIG4;
+ len -= 4;
+ }
+- buf4++;
+ buf = (const unsigned char FAR *)buf4;
+
+ if (len) do {
diff --git a/meta/recipes-devtools/rsync/rsync_3.1.3.bb b/meta/recipes-devtools/rsync/rsync_3.1.3.bb
index 29cb231..ffb1d06 100644
--- a/meta/recipes-devtools/rsync/rsync_3.1.3.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.1.3.bb
@@ -11,6 +11,10 @@ DEPENDS = "popt"
SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
file://rsyncd.conf \
file://makefile-no-rebuild.patch \
+ file://CVE-2016-9840.patch \
+ file://CVE-2016-9841.patch \
+ file://CVE-2016-9842.patch \
+ file://CVE-2016-9843.patch \
"
SRC_URI[md5sum] = "1581a588fde9d89f6bc6201e8129afaf"
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 27/43] patch: fix CVE-2019-13638
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (25 preceding siblings ...)
2019-09-01 14:36 ` [warrior 26/43] rsync: fix CVEs for included zlib Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 28/43] patch: backport fixes Armin Kuster
` (15 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Trevor Gamblin <trevor.gamblin@windriver.com>
(From OE-Core rev: b59b1222b3f73f982286222a583de09c661dc781)
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...ke-ed-directly-instead-of-using-the-shell.patch | 44 ++++++++++++++++++++++
meta/recipes-devtools/patch/patch_2.7.6.bb | 1 +
2 files changed, 45 insertions(+)
create mode 100644 meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
diff --git a/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
new file mode 100644
index 0000000..f60dfe8
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
@@ -0,0 +1,44 @@
+From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 19:36:15 +0200
+Subject: [PATCH] Invoke ed directly instead of using the shell
+
+* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
+command to avoid quoting vulnerabilities.
+
+CVE: CVE-2019-13638
+Upstream-Status: Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0]
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+
+---
+ src/pch.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+
+diff --git a/src/pch.c b/src/pch.c
+index 4fd5a05..16e001a 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,
+ *outname_needs_removal = true;
+ copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+ }
+- sprintf (buf, "%s %s%s", editor_program,
+- verbosity == VERBOSE ? "" : "- ",
+- outname);
+ fflush (stdout);
+
+ pid = fork();
+@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,
+ else if (pid == 0)
+ {
+ dup2 (tmpfd, 0);
+- execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++ assert (outname[0] != '!' && outname[0] != '-');
++ execlp (editor_program, editor_program, "-", outname, (char *) NULL);
+ _exit (2);
+ }
+ else
+--
+2.7.4
+
diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb
index 8cf20a3..8908910 100644
--- a/meta/recipes-devtools/patch/patch_2.7.6.bb
+++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -7,6 +7,7 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://0004-Fix-arbitrary-command-execution-in-ed-style-patches-.patch \
file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
file://CVE-2019-13636.patch \
+ file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
"
SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 28/43] patch: backport fixes
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (26 preceding siblings ...)
2019-09-01 14:36 ` [warrior 27/43] patch: fix CVE-2019-13638 Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 29/43] dpkg: Use less as pager Armin Kuster
` (14 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
The original fix for CVE-2018-1000156 was incomplete. Backport more
fixes done later for a complete fix.
Also see:
https://savannah.gnu.org/bugs/index.php?53820
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...k-temporary-file-on-failed-ed-style-patch.patch | 93 ++++++++++++++++++++++
...ak-temporary-file-on-failed-multi-file-ed.patch | 80 +++++++++++++++++++
meta/recipes-devtools/patch/patch_2.7.6.bb | 2 +
3 files changed, 175 insertions(+)
create mode 100644 meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
create mode 100644 meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch
diff --git a/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
new file mode 100644
index 0000000..9891526
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
@@ -0,0 +1,93 @@
+From 7f770b9c20da1a192dad8cb572a6391f2773285a Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Thu, 3 May 2018 14:31:55 +0200
+Subject: [PATCH 1/2] Don't leak temporary file on failed ed-style patch
+
+Now that we write ed-style patches to a temporary file before we
+apply them, we need to ensure that the temporary file is removed
+before we leave, even on fatal error.
+
+* src/pch.c (do_ed_script): Use global TMPEDNAME instead of local
+ tmpname. Don't unlink the file directly, instead tag it for removal
+ at exit time.
+* src/patch.c (cleanup): Unlink TMPEDNAME at exit.
+
+This closes bug #53820:
+https://savannah.gnu.org/bugs/index.php?53820
+
+Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
+
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/patch.git/commit/?id=19599883ffb6a450d2884f081f8ecf68edbed7ee]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ src/common.h | 2 ++
+ src/pch.c | 12 +++++-------
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/common.h b/src/common.h
+index ec50b40..22238b5 100644
+--- a/src/common.h
++++ b/src/common.h
+@@ -94,10 +94,12 @@ XTERN char const *origsuff;
+ XTERN char const * TMPINNAME;
+ XTERN char const * TMPOUTNAME;
+ XTERN char const * TMPPATNAME;
++XTERN char const * TMPEDNAME;
+
+ XTERN bool TMPINNAME_needs_removal;
+ XTERN bool TMPOUTNAME_needs_removal;
+ XTERN bool TMPPATNAME_needs_removal;
++XTERN bool TMPEDNAME_needs_removal;
+
+ #ifdef DEBUGGING
+ XTERN int debug;
+diff --git a/src/pch.c b/src/pch.c
+index 16e001a..c1a62cf 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2392,7 +2392,6 @@ do_ed_script (char const *inname, char const *outname,
+ file_offset beginning_of_this_line;
+ size_t chars_read;
+ FILE *tmpfp = 0;
+- char const *tmpname;
+ int tmpfd;
+ pid_t pid;
+
+@@ -2404,12 +2403,13 @@ do_ed_script (char const *inname, char const *outname,
+ invalid commands and treats the next line as a new command, which
+ can lead to arbitrary command execution. */
+
+- tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
++ tmpfd = make_tempfile (&TMPEDNAME, 'e', NULL, O_RDWR | O_BINARY, 0);
+ if (tmpfd == -1)
+- pfatal ("Can't create temporary file %s", quotearg (tmpname));
++ pfatal ("Can't create temporary file %s", quotearg (TMPEDNAME));
++ TMPEDNAME_needs_removal = true;
+ tmpfp = fdopen (tmpfd, "w+b");
+ if (! tmpfp)
+- pfatal ("Can't open stream for file %s", quotearg (tmpname));
++ pfatal ("Can't open stream for file %s", quotearg (TMPEDNAME));
+ }
+
+ for (;;) {
+@@ -2449,8 +2449,7 @@ do_ed_script (char const *inname, char const *outname,
+ write_fatal ();
+
+ if (lseek (tmpfd, 0, SEEK_SET) == -1)
+- pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
+-
++ pfatal ("Can't rewind to the beginning of file %s", quotearg (TMPEDNAME));
+ if (! dry_run && ! skip_rest_of_patch) {
+ int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+ *outname_needs_removal = true;
+@@ -2482,7 +2481,6 @@ do_ed_script (char const *inname, char const *outname,
+ }
+
+ fclose (tmpfp);
+- safe_unlink (tmpname);
+
+ if (ofp)
+ {
+--
+2.17.0
+
diff --git a/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch
new file mode 100644
index 0000000..d6a219a
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch
@@ -0,0 +1,80 @@
+From 369dcccdfa6336e5a873d6d63705cfbe04c55727 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 7 May 2018 15:14:45 +0200
+Subject: Don't leak temporary file on failed multi-file ed-style patch
+
+The previous fix worked fine with single-file ed-style patches, but
+would still leak temporary files in the case of multi-file ed-style
+patch. Fix that case as well, and extend the test case to check for
+it.
+
+* src/patch.c (main): Unlink TMPEDNAME if needed before moving to
+ the next file in a patch.
+
+This closes bug #53820:
+https://savannah.gnu.org/bugs/index.php?53820
+
+Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
+Fixes: 19599883ffb6 ("Don't leak temporary file on failed ed-style patch")
+
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/patch.git/commit/?id=369dcccdfa6336e5a873d6d63705cfbe04c55727]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ src/patch.c | 1 +
+ tests/ed-style | 31 +++++++++++++++++++++++++++++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/src/patch.c b/src/patch.c
+index 9146597..81c7a02 100644
+--- a/src/patch.c
++++ b/src/patch.c
+@@ -236,6 +236,7 @@ main (int argc, char **argv)
+ }
+ remove_if_needed (TMPOUTNAME, &TMPOUTNAME_needs_removal);
+ }
++ remove_if_needed (TMPEDNAME, &TMPEDNAME_needs_removal);
+
+ if (! skip_rest_of_patch && ! file_type)
+ {
+diff --git a/tests/ed-style b/tests/ed-style
+index 6b6ef9d..504e6e5 100644
+--- a/tests/ed-style
++++ b/tests/ed-style
+@@ -38,3 +38,34 @@ EOF
+ check 'cat foo' <<EOF
+ foo
+ EOF
++
++# Test the case where one ed-style patch modifies several files
++
++cat > ed3.diff <<EOF
++--- foo
+++++ foo
++1c
++bar
++.
++--- baz
+++++ baz
++0a
++baz
++.
++EOF
++
++# Apparently we can't create a file with such a patch, while it works fine
++# when the file name is provided on the command line
++cat > baz <<EOF
++EOF
++
++check 'patch -e -i ed3.diff' <<EOF
++EOF
++
++check 'cat foo' <<EOF
++bar
++EOF
++
++check 'cat baz' <<EOF
++baz
++EOF
+--
+cgit v1.0-41-gc330
+
diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb
index 8908910..5d7f55f 100644
--- a/meta/recipes-devtools/patch/patch_2.7.6.bb
+++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -8,6 +8,8 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
file://CVE-2019-13636.patch \
file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
+ file://0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch \
+ file://0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch \
"
SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 29/43] dpkg: Use less as pager
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (27 preceding siblings ...)
2019-09-01 14:36 ` [warrior 28/43] patch: backport fixes Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 30/43] icecc.bbclass: catch subprocess.CalledProcessError Armin Kuster
` (13 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Ricardo Ribalda Delgado <ricardo@ribalda.com>
Debian traditionaly uses /usr/bin/pager as the system pager, which is a
link to the user preferred pager. This is a Debianism.
Without this patch:
root@qt5122:~# dpkg -l
sh: pager: command not found
dpkg-query: error: showing package list on pager subprocess returned error exit status 127
Signed-off-by: Ricardo Ribalda Delgado <ricardo@ribalda.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Richard Leitner <richard.leitner@skidata.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
| 21 +++++++++++++++++++++
meta/recipes-devtools/dpkg/dpkg_1.19.4.bb | 1 +
2 files changed, 22 insertions(+)
create mode 100644 meta/recipes-devtools/dpkg/dpkg/pager.patch
--git a/meta/recipes-devtools/dpkg/dpkg/pager.patch b/meta/recipes-devtools/dpkg/dpkg/pager.patch
new file mode 100644
index 0000000..e56b9d2
--- /dev/null
+++ b/meta/recipes-devtools/dpkg/dpkg/pager.patch
@@ -0,0 +1,21 @@
+pager: Use less instead of pager
+
+pager is a Debianism. Istead use directly pager.
+
+Upstream-Status: Inappropriate [OE-Core integration specific]
+
+Suggested-by: Burton, Ross <ross.burton@intel.com>
+Signed-off-by: Ricardo Ribalda <ricardo@ribalda.com>
+diff --git a/lib/dpkg/dpkg.h b/lib/dpkg/dpkg.h
+index 2bb067a..6cbce80 100644
+--- a/lib/dpkg/dpkg.h
++++ b/lib/dpkg/dpkg.h
+@@ -95,7 +95,7 @@ DPKG_BEGIN_DECLS
+ #define MAXUPDATES 250
+
+ #define DEFAULTSHELL "sh"
+-#define DEFAULTPAGER "pager"
++#define DEFAULTPAGER "less"
+
+ #define MD5HASHLEN 32
+ #define MAXTRIGDIRECTIVE 256
diff --git a/meta/recipes-devtools/dpkg/dpkg_1.19.4.bb b/meta/recipes-devtools/dpkg/dpkg_1.19.4.bb
index c3dbda7..e6083e2 100644
--- a/meta/recipes-devtools/dpkg/dpkg_1.19.4.bb
+++ b/meta/recipes-devtools/dpkg/dpkg_1.19.4.bb
@@ -13,6 +13,7 @@ SRC_URI = "${DEBIAN_MIRROR}/main/d/${BPN}/${BPN}_${PV}.tar.xz \
file://0006-add-musleabi-to-known-target-tripets.patch \
file://0007-dpkg-deb-build.c-Remove-usage-of-clamp-mtime-in-tar.patch \
file://0001-dpkg-Support-muslx32-build.patch \
+ file://pager.patch \
"
SRC_URI_append_class-native = " file://glibc2.5-sync_file_range.patch \
file://tweak-options-require-tar-1.27.patch \
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 30/43] icecc.bbclass: catch subprocess.CalledProcessError
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (28 preceding siblings ...)
2019-09-01 14:36 ` [warrior 29/43] dpkg: Use less as pager Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 31/43] meson: backport fix for builds with -Werror=return-type Armin Kuster
` (12 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <martin.jansa@gmail.com>
* this might be related to:
commit d2fcaeb153fdc3f8d7143ea823139f1537055ff1
Author: Douglas Royds <douglas.royds@taitradio.com>
Date: Thu Dec 20 11:59:47 2018 +1300
icecc: Don't generate recipe-sysroot symlinks at recipe-parsing time
* it's still a bit unclear when and why this happends, but I'm seeing
random tasks sometimes failing with:
WARNING: Exception during build_dependencies for set_icecc_env
WARNING: Error during finalise of /build/meta-oe/meta-python/recipes-devtools/python/python-markupsafe_1.0.bb
ERROR: Traceback (most recent call last):
File "/build/bitbake/lib/bb/data_smart.py", line 411, in expandWithRefs
s = __expand_python_regexp__.sub(varparse.python_sub, s)
File "/build/bitbake/lib/bb/data_smart.py", line 136, in python_sub
value = utils.better_eval(codeobj, DataContext(self.d), {'d' : self.d})
File "/build/bitbake/lib/bb/utils.py", line 421, in better_eval
return eval(source, ctx, locals)
File "Var <set_icecc_env>", line 1, in <module>
File "/build/oe-core/meta/classes/icecc.bbclass", line 287, in icecc_get_and_check_tool
link_path = icecc_get_tool_link(t, d)
File "/build/oe-core/meta/classes/icecc.bbclass", line 246, in icecc_get_tool_link
return subprocess.check_output("readlink -f %s" % tool, shell=True).decode("utf-8")[:-1]
File "/usr/lib/python3.6/subprocess.py", line 336, in check_output
**kwargs).stdout
File "/usr/lib/python3.6/subprocess.py", line 418, in run
output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command 'readlink -f /build/BUILD/work/qemux86-oe-linux/python-markupsafe/1.0-r0/recipe-sysroot-native/usr/bin/x86_64-oe-linux/x86_64-oe-linux-g++' returned non-zero exit status 1.
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/build/bitbake/bin/bitbake-worker", line 239, in child
the_data = bb_cache.loadDataFull(fn, appends)
File "/build/bitbake/lib/bb/cache.py", line 327, in loadDataFull
bb_data = self.load_bbfile(virtualfn, appends, virtonly=True)
File "/build/bitbake/lib/bb/cache.py", line 340, in load_bbfile
datastores = parse_recipe(bb_data, bbfile, appends, mc)
File "/build/bitbake/lib/bb/cache.py", line 303, in parse_recipe
bb_data = bb.parse.handle(bbfile, bb_data)
File "/build/bitbake/lib/bb/parse/__init__.py", line 107, in handle
return h['handle'](fn, data, include)
File "/build/bitbake/lib/bb/parse/parse_py/BBHandler.py", line 142, in handle
return ast.multi_finalize(fn, d)
File "/build/bitbake/lib/bb/parse/ast.py", line 386, in multi_finalize
finalize(fn, d)
File "/build/bitbake/lib/bb/parse/ast.py", line 351, in finalize
bb.parse.siggen.finalise(fn, d, variant)
File "/build/bitbake/lib/bb/siggen.py", line 147, in finalise
taskdeps = self._build_data(fn, d)
File "/build/bitbake/lib/bb/siggen.py", line 118, in _build_data
tasklist, gendeps, lookupcache = bb.data.generate_dependencies(d)
File "/build/bitbake/lib/bb/data.py", line 388, in generate_dependencies
deps[dep], values[dep] = build_dependencies(dep, keys, shelldeps, varflagsexcl, d)
File "/build/bitbake/lib/bb/data.py", line 317, in build_dependencies
value, parsedvar = d.getVarFlag(key, "_content", False, retparser=True)
File "/build/bitbake/lib/bb/data_smart.py", line 802, in getVarFlag
parser = self.expandWithRefs(value, cachename)
File "/build/bitbake/lib/bb/data_smart.py", line 424, in expandWithRefs
raise ExpansionError(varname, s, exc).with_traceback(tb) from exc
File "/build/bitbake/lib/bb/data_smart.py", line 411, in expandWithRefs
s = __expand_python_regexp__.sub(varparse.python_sub, s)
File "/build/bitbake/lib/bb/data_smart.py", line 136, in python_sub
value = utils.better_eval(codeobj, DataContext(self.d), {'d' : self.d})
File "/build/bitbake/lib/bb/utils.py", line 421, in better_eval
return eval(source, ctx, locals)
File "Var <set_icecc_env>", line 1, in <module>
File "/build/oe-core/meta/classes/icecc.bbclass", line 287, in icecc_get_and_check_tool
link_path = icecc_get_tool_link(t, d)
File "/build/oe-core/meta/classes/icecc.bbclass", line 246, in icecc_get_tool_link
return subprocess.check_output("readlink -f %s" % tool, shell=True).decode("utf-8")[:-1]
File "/usr/lib/python3.6/subprocess.py", line 336, in check_output
**kwargs).stdout
File "/usr/lib/python3.6/subprocess.py", line 418, in run
output=stdout, stderr=stderr)
bb.data_smart.ExpansionError: Failure expanding variable set_icecc_env, expression was if [ "${@use_icecc(bb, d)}" = "no" ]
then
return
fi
ICECC_VERSION="${@icecc_version(bb, d)}"
if [ "x${ICECC_VERSION}" = "x" ]
then
bbwarn "Cannot use icecc: could not get ICECC_VERSION"
return
fi
ICE_PATH="${@icecc_path(bb, d)}"
if [ "x${ICE_PATH}" = "x" ]
then
bbwarn "Cannot use icecc: could not get ICE_PATH"
return
fi
ICECC_BIN="${@get_icecc(d)}"
if [ -z "${ICECC_BIN}" ]; then
bbwarn "Cannot use icecc: icecc binary not found"
return
fi
if [ -z "$(which patchelf patchelf-uninative)" ]; then
bbwarn "Cannot use icecc: patchelf not found"
return
fi
# Create symlinks to icecc in the recipe-sysroot directory
mkdir -p ${ICE_PATH}
if [ -n "${KERNEL_CC}" ]; then
compilers="${@get_cross_kernel_cc(bb,d)}"
else
compilers="x86_64-oe-linux-gcc x86_64-oe-linux-g++"
fi
for compiler in $compilers; do
ln -sf ${ICECC_BIN} ${ICE_PATH}/$compiler
done
ICECC_CC="${@icecc_get_and_check_tool(bb, d, "gcc")}"
ICECC_CXX="${@icecc_get_and_check_tool(bb, d, "g++")}"
# cannot use icecc_get_and_check_tool here because it assumes as without target_sys prefix
ICECC_WHICH_AS="${@bb.utils.which(os.getenv('PATH'), 'as')}"
if [ ! -x "${ICECC_CC}" -o ! -x "${ICECC_CXX}" ]
then
bbwarn "Cannot use icecc: could not get ICECC_CC or ICECC_CXX"
return
fi
ICE_VERSION=`$ICECC_CC -dumpversion`
ICECC_VERSION=`echo ${ICECC_VERSION} | sed -e "s/@VERSION@/$ICE_VERSION/g"`
if [ ! -x "/build/BUILD/work/qemux86-oe-linux/python-markupsafe/1.0-r0/recipe-sysroot-native/usr/bin/icecc-create-env" ]
then
bbwarn "Cannot use icecc: invalid ICECC_ENV_EXEC"
return
fi
ICECC_AS="`${ICECC_CC} -print-prog-name=as`"
# for target recipes should return something like:
# /OE/tmp-eglibc/sysroots/x86_64-linux/usr/libexec/arm920tt-oe-linux-gnueabi/gcc/arm-oe-linux-gnueabi/4.8.2/as
# and just "as" for native, if it returns "as" in current directory (for whatever reason) use "as" from PATH
if [ "`dirname "${ICECC_AS}"`" = "." ]
then
ICECC_AS="${ICECC_WHICH_AS}"
fi
if [ ! -f "${ICECC_VERSION}.done" ]
then
mkdir -p "`dirname "${ICECC_VERSION}"`"
# the ICECC_VERSION generation step must be locked by a mutex
# in order to prevent race conditions
if flock -n "${ICECC_VERSION}.lock" \
/build/BUILD/work/qemux86-oe-linux/python-markupsafe/1.0-r0/recipe-sysroot-native/usr/bin/icecc-create-env "${ICECC_CC}" "${ICECC_CXX}" "${ICECC_AS}" "${ICECC_VERSION}"
then
touch "${ICECC_VERSION}.done"
elif ! wait_for_file "${ICECC_VERSION}.done" 30
then
# locking failed so wait for ${ICECC_VERSION}.done to appear
bbwarn "Timeout waiting for ${ICECC_VERSION}.done"
return
fi
fi
# Don't let ccache find the icecream compiler links that have been created, otherwise
# it can end up invoking icecream recursively.
export CCACHE_PATH="$PATH"
export CCACHE_DISABLE="1"
export ICECC_VERSION ICECC_CC ICECC_CXX
export PATH="$ICE_PATH:$PATH"
bbnote "Using icecc path: $ICE_PATH"
bbnote "Using icecc tarball: $ICECC_VERSION"
which triggered exception CalledProcessError: Command 'readlink -f /build/BUILD/work/qemux86-oe-linux/python-markupsafe/1.0-r0/recipe-sysroot-native/usr/bin/x86_64-oe-linux/x86_64-oe-linux-g++' returned non-zero exit status 1.
ERROR: Task (virtual:multilib:lib32:/build/meta-oe/meta-python/recipes-devtools/python/python-markupsafe_1.0.bb:do_patch) failed with exit code '1'
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/classes/icecc.bbclass | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/meta/classes/icecc.bbclass b/meta/classes/icecc.bbclass
index edb0e10..63d8b4d 100644
--- a/meta/classes/icecc.bbclass
+++ b/meta/classes/icecc.bbclass
@@ -243,7 +243,11 @@ def icecc_get_external_tool(bb, d, tool):
def icecc_get_tool_link(tool, d):
import subprocess
- return subprocess.check_output("readlink -f %s" % tool, shell=True).decode("utf-8")[:-1]
+ try:
+ return subprocess.check_output("readlink -f %s" % tool, shell=True).decode("utf-8")[:-1]
+ except subprocess.CalledProcessError as e:
+ bb.note("icecc: one of the tools probably disappeared during recipe parsing, cmd readlink -f %s returned %d:\n%s" % (tool, e.returncode, e.output.decode("utf-8")))
+ return tool
def icecc_get_path_tool(tool, d):
# This is a little ugly, but we want to make sure we add an actual
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 31/43] meson: backport fix for builds with -Werror=return-type
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (29 preceding siblings ...)
2019-09-01 14:36 ` [warrior 30/43] icecc.bbclass: catch subprocess.CalledProcessError Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 32/43] powertop: import a fix from buildroot Armin Kuster
` (11 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/meson/meson.inc | 1 +
...-return-statements-that-are-seen-with-Wer.patch | 84 ++++++++++++++++++++++
2 files changed, 85 insertions(+)
create mode 100644 meta/recipes-devtools/meson/meson/0001-Fix-missing-return-statements-that-are-seen-with-Wer.patch
diff --git a/meta/recipes-devtools/meson/meson.inc b/meta/recipes-devtools/meson/meson.inc
index 2d18f72..bfe9851 100644
--- a/meta/recipes-devtools/meson/meson.inc
+++ b/meta/recipes-devtools/meson/meson.inc
@@ -16,6 +16,7 @@ SRC_URI = "https://github.com/mesonbuild/meson/releases/download/${PV}/meson-${P
file://cross-prop-default.patch \
file://many-cross.patch \
file://cross-libdir.patch \
+ file://0001-Fix-missing-return-statements-that-are-seen-with-Wer.patch \
"
SRC_URI[sha256sum] = "ef9f14326ec1e30d3ba1a26df0f92826ede5a79255ad723af78a2691c37109fd"
SRC_URI[md5sum] = "0267b0871266056184c484792572c682"
diff --git a/meta/recipes-devtools/meson/meson/0001-Fix-missing-return-statements-that-are-seen-with-Wer.patch b/meta/recipes-devtools/meson/meson/0001-Fix-missing-return-statements-that-are-seen-with-Wer.patch
new file mode 100644
index 0000000..1f22755
--- /dev/null
+++ b/meta/recipes-devtools/meson/meson/0001-Fix-missing-return-statements-that-are-seen-with-Wer.patch
@@ -0,0 +1,84 @@
+From 7e83cf1edac2a57c08ebb1ce7f21c2a539d5c300 Mon Sep 17 00:00:00 2001
+From: Martin Liska <mliska@suse.cz>
+Date: Mon, 15 Jul 2019 10:06:17 +0200
+Subject: [PATCH] Fix missing return statements that are seen with
+ -Werror=return-type.
+
+Error example:
+
+Code:
+
+ #include <locale.h>
+ int main () {
+ /* If it's not defined as a macro, try to use as a symbol */
+ #ifndef LC_MESSAGES
+ LC_MESSAGES;
+ #endif
+ }
+Compiler stdout:
+
+Compiler stderr:
+ In file included from /usr/include/locale.h:25,
+ from /tmp/tmpep_i4iwg/testfile.c:2:
+/usr/include/features.h:382:4: warning: #warning _FORTIFY_SOURCE requires compiling with optimization (-O) [-Wcpp]
+ 382 | # warning _FORTIFY_SOURCE requires compiling with optimization (-O)
+ | ^~~~~~~
+/tmp/tmpep_i4iwg/testfile.c: In function 'main':
+/tmp/tmpep_i4iwg/testfile.c:8:9: error: control reaches end of non-void function [-Werror=return-type]
+ 8 | }
+ | ^
+cc1: some warnings being treated as errors
+
+Upstream-Status: Backport
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ mesonbuild/compilers/c.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/mesonbuild/compilers/c.py b/mesonbuild/compilers/c.py
+index b0096459..69cf84a4 100644
+--- a/mesonbuild/compilers/c.py
++++ b/mesonbuild/compilers/c.py
+@@ -387,6 +387,7 @@ class CCompiler(Compiler):
+ #ifndef {symbol}
+ {symbol};
+ #endif
++ return 0;
+ }}'''
+ return self.compiles(t.format(**fargs), env, extra_args=extra_args,
+ dependencies=dependencies)
+@@ -563,6 +564,7 @@ class CCompiler(Compiler):
+ {prefix}
+ int main(int argc, char **argv) {{
+ {type} something;
++ return 0;
+ }}'''
+ if not self.compiles(t.format(**fargs), env, extra_args=extra_args,
+ dependencies=dependencies):
+@@ -598,6 +600,7 @@ class CCompiler(Compiler):
+ {prefix}
+ int main(int argc, char **argv) {{
+ {type} something;
++ return 0;
+ }}'''
+ if not self.compiles(t.format(**fargs), env, extra_args=extra_args,
+ dependencies=dependencies):
+@@ -672,6 +675,7 @@ class CCompiler(Compiler):
+ #include <stdio.h>
+ int main(int argc, char *argv[]) {{
+ printf ("{fmt}", {cast} {f}());
++ return 0;
+ }}'''.format(**fargs)
+ res = self.run(code, env, extra_args=extra_args, dependencies=dependencies)
+ if not res.compiled:
+@@ -823,6 +827,7 @@ class CCompiler(Compiler):
+ #error "No definition for __builtin_{func} found in the prefix"
+ #endif
+ #endif
++ return 0;
+ }}'''
+ return self.links(t.format(**fargs), env, extra_args=extra_args,
+ dependencies=dependencies)
+--
+2.17.1
+
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 32/43] powertop: import a fix from buildroot
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (30 preceding siblings ...)
2019-09-01 14:36 ` [warrior 31/43] meson: backport fix for builds with -Werror=return-type Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 33/43] binutils: fix CVE-2019-14250 CVE-2019-14444 Armin Kuster
` (10 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../0001-wakeup_xxx.h-include-limits.h.patch | 55 ++++++++++++++++++++++
meta/recipes-kernel/powertop/powertop_2.10.bb | 1 +
2 files changed, 56 insertions(+)
create mode 100644 meta/recipes-kernel/powertop/powertop/0001-wakeup_xxx.h-include-limits.h.patch
diff --git a/meta/recipes-kernel/powertop/powertop/0001-wakeup_xxx.h-include-limits.h.patch b/meta/recipes-kernel/powertop/powertop/0001-wakeup_xxx.h-include-limits.h.patch
new file mode 100644
index 0000000..7bfca8a
--- /dev/null
+++ b/meta/recipes-kernel/powertop/powertop/0001-wakeup_xxx.h-include-limits.h.patch
@@ -0,0 +1,55 @@
+From 4c24fdd8e0a42359df7308155b2d43c28a5e02fd Mon Sep 17 00:00:00 2001
+From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+Date: Mon, 20 May 2019 20:25:00 +0200
+Subject: [PATCH] wakeup_xxx.h: include limits.h
+
+limits.h must be included to define PATH_MAX otherwise build will fail
+on:
+
+In file included from wakeup/wakeup_ethernet.cpp:45:0:
+wakeup/wakeup_ethernet.h:35:16: error: 'PATH_MAX' was not declared in this scope
+ char eth_path[PATH_MAX];
+
+In file included from wakeup/wakeup_usb.cpp:45:0:
+wakeup/wakeup_usb.h:35:16: error: 'PATH_MAX' was not declared in this scope
+ char usb_path[PATH_MAX];
+
+Fixes:
+ - http://autobuild.buildroot.org/results/a0b3337cf4a827e6566f8b15b6bb180f0dcef7a3
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+
+Upstream-Status: Submitted [https://lists.01.org/pipermail/powertop/2019-May/002052.html]
+---
+ src/wakeup/wakeup_ethernet.h | 1 +
+ src/wakeup/wakeup_usb.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/wakeup/wakeup_ethernet.h b/src/wakeup/wakeup_ethernet.h
+index 682bf95..e0fa628 100644
+--- a/src/wakeup/wakeup_ethernet.h
++++ b/src/wakeup/wakeup_ethernet.h
+@@ -25,6 +25,7 @@
+ #ifndef _INCLUDE_GUARD_ETHERNET_WAKEUP_H
+ #define _INCLUDE_GUARD_ETHERNET_WAKEUP_H
+
++#include <limits.h>
+ #include <vector>
+
+ #include "wakeup.h"
+diff --git a/src/wakeup/wakeup_usb.h b/src/wakeup/wakeup_usb.h
+index f7a1f7e..15898e3 100644
+--- a/src/wakeup/wakeup_usb.h
++++ b/src/wakeup/wakeup_usb.h
+@@ -25,6 +25,7 @@
+ #ifndef _INCLUDE_GUARD_USB_WAKEUP_H
+ #define _INCLUDE_GUARD_USB_WAKEUP_H
+
++#include <limits.h>
+ #include <vector>
+
+ #include "wakeup.h"
+--
+2.20.1
+
diff --git a/meta/recipes-kernel/powertop/powertop_2.10.bb b/meta/recipes-kernel/powertop/powertop_2.10.bb
index d943ba9..5be8d23 100644
--- a/meta/recipes-kernel/powertop/powertop_2.10.bb
+++ b/meta/recipes-kernel/powertop/powertop_2.10.bb
@@ -7,6 +7,7 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e"
SRC_URI = "http://01.org/sites/default/files/downloads/powertop-v${PV}.tar.gz \
+ file://0001-wakeup_xxx.h-include-limits.h.patch \
"
SRC_URI[md5sum] = "a69bd55901cf919cc564187402ea2c9c"
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 33/43] binutils: fix CVE-2019-14250 CVE-2019-14444
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (31 preceding siblings ...)
2019-09-01 14:36 ` [warrior 32/43] powertop: import a fix from buildroot Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 34/43] pango: fix CVE-2019-1010238 Armin Kuster
` (9 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/binutils/binutils-2.32.inc | 2 ++
.../binutils/binutils/CVE-2019-14250.patch | 33 ++++++++++++++++++++++
.../binutils/binutils/CVE-2019-14444.patch | 28 ++++++++++++++++++
3 files changed, 63 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 31c24a3..d3c5293 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -50,6 +50,8 @@ SRC_URI = "\
file://CVE-2019-9077.patch \
file://CVE-2019-9071.patch \
file://CVE-2019-12972.patch \
+ file://CVE-2019-14250.patch \
+ file://CVE-2019-14444.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch
new file mode 100644
index 0000000..c915a83
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch
@@ -0,0 +1,33 @@
+From df78be05daf4eb07f60f50ec1080cb979af32ec0 Mon Sep 17 00:00:00 2001
+From: marxin <marxin@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Tue, 23 Jul 2019 07:33:32 +0000
+Subject: [PATCH] libiberty: Check zero value shstrndx in simple-object-elf.c
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@273718 138bc75d-0d04-0410-961f-82ee72b054a4
+
+CVE: CVE-2019-14250
+Upstream-Status: Backport [from gcc: https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=273718]
+[Removed Changelog entry]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+diff --git a/libiberty/simple-object-elf.c b/libiberty/simple-object-elf.c
+index 502388991a08..bdee963634d6 100644
+--- a/libiberty/simple-object-elf.c
++++ b/libiberty/simple-object-elf.c
+@@ -548,7 +548,15 @@ simple_object_elf_match (unsigned char header[SIMPLE_OBJECT_MATCH_HEADER_LEN],
+ XDELETE (eor);
+ return NULL;
+ }
+-
++
++ if (eor->shstrndx == 0)
++ {
++ *errmsg = "invalid ELF shstrndx == 0";
++ *err = 0;
++ XDELETE (eor);
++ return NULL;
++ }
++
+ return (void *) eor;
+ }
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch
new file mode 100644
index 0000000..85b9a9f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch
@@ -0,0 +1,28 @@
+From e17869db99195849826eaaf5d2d0eb2cfdd7a2a7 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 5 Aug 2019 10:40:35 +0100
+Subject: [PATCH] Catch potential integer overflow in readelf when processing
+ corrupt binaries.
+
+ PR 24829
+ * readelf.c (apply_relocations): Catch potential integer overflow
+ whilst checking reloc location against section size.
+
+CVE: CVE-2019-14444
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7]
+[Removed Changelog entry]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index b896ad9f406..e785fde43e7 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -13366,7 +13366,7 @@ apply_relocations (Filedata * filedata,
+ }
+
+ rloc = start + rp->r_offset;
+- if ((rloc + reloc_size) > end || (rloc < start))
++ if (rloc >= end || (rloc + reloc_size) > end || (rloc < start))
+ {
+ warn (_("skipping invalid relocation offset 0x%lx in section %s\n"),
+ (unsigned long) rp->r_offset,
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 34/43] pango: fix CVE-2019-1010238
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (32 preceding siblings ...)
2019-09-01 14:36 ` [warrior 33/43] binutils: fix CVE-2019-14250 CVE-2019-14444 Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 35/43] glib-2.0: fix CVE-2019-13012 Armin Kuster
` (8 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../pango/pango/CVE-2019-1010238.patch | 38 ++++++++++++++++++++++
meta/recipes-graphics/pango/pango_1.42.4.bb | 4 ++-
2 files changed, 41 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-graphics/pango/pango/CVE-2019-1010238.patch
diff --git a/meta/recipes-graphics/pango/pango/CVE-2019-1010238.patch b/meta/recipes-graphics/pango/pango/CVE-2019-1010238.patch
new file mode 100644
index 0000000..5b0c342
--- /dev/null
+++ b/meta/recipes-graphics/pango/pango/CVE-2019-1010238.patch
@@ -0,0 +1,38 @@
+From 490f8979a260c16b1df055eab386345da18a2d54 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Wed, 10 Jul 2019 20:26:23 -0400
+Subject: [PATCH] bidi: Be safer against bad input
+
+Don't run off the end of an array that we
+allocated to certain length.
+
+Closes: https://gitlab.gnome.org/GNOME/pango/issues/342
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/pango/commit/490f8979a260c16b1df055eab386345da18a2d54]
+CVE: CVE-2019-1010238
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ pango/pango-bidi-type.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/pango/pango-bidi-type.c b/pango/pango-bidi-type.c
+index 3e46b66c..5c02dbbb 100644
+--- a/pango/pango-bidi-type.c
++++ b/pango/pango-bidi-type.c
+@@ -181,8 +181,11 @@ pango_log2vis_get_embedding_levels (const gchar *text,
+ for (i = 0, p = text; p < text + length; p = g_utf8_next_char(p), i++)
+ {
+ gunichar ch = g_utf8_get_char (p);
+- FriBidiCharType char_type;
+- char_type = fribidi_get_bidi_type (ch);
++ FriBidiCharType char_type = fribidi_get_bidi_type (ch);
++
++ if (i == n_chars)
++ break;
++
+ bidi_types[i] = char_type;
+ ored_types |= char_type;
+ if (FRIBIDI_IS_STRONG (char_type))
+--
+2.21.0
+
diff --git a/meta/recipes-graphics/pango/pango_1.42.4.bb b/meta/recipes-graphics/pango/pango_1.42.4.bb
index f3be9f4..1e1a5b8 100644
--- a/meta/recipes-graphics/pango/pango_1.42.4.bb
+++ b/meta/recipes-graphics/pango/pango_1.42.4.bb
@@ -16,7 +16,9 @@ GNOMEBASEBUILDCLASS = "meson"
inherit gnomebase gtk-doc ptest-gnome upstream-version-is-even gobject-introspection
SRC_URI += "file://run-ptest \
- file://insensitive-diff.patch"
+ file://insensitive-diff.patch \
+ file://CVE-2019-1010238.patch \
+ "
SRC_URI[archive.md5sum] = "deb171a31a3ad76342d5195a1b5bbc7c"
SRC_URI[archive.sha256sum] = "1d2b74cd63e8bd41961f2f8d952355aa0f9be6002b52c8aa7699d9f5da597c9d"
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 35/43] glib-2.0: fix CVE-2019-13012
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (33 preceding siblings ...)
2019-09-01 14:36 ` [warrior 34/43] pango: fix CVE-2019-1010238 Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 36/43] gcc: reduce the variables in symtab Armin Kuster
` (7 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../glib-2.0/glib-2.0/CVE-2019-13012.patch | 40 ++++++++++++++++++++++
meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb | 1 +
2 files changed, 41 insertions(+)
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch
new file mode 100644
index 0000000..c882cba
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch
@@ -0,0 +1,40 @@
+From 9fd6b4b21891adc318784f6a141f40d767b0d73c Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Tue, 22 Jan 2019 13:26:31 -0500
+Subject: [PATCH] keyfile settings: Use tighter permissions
+
+When creating directories, create them with 700 permissions,
+instead of 777.
+
+Closes: #1658
+CVE: CVE-2019-13012
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/commit/5e4da714f00f6bfb2ccd6d73d61329c6f3a08429]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+---
+ gio/gkeyfilesettingsbackend.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index a37978e..580a0b0 100644
+--- a/gio/gkeyfilesettingsbackend.c
++++ b/gio/gkeyfilesettingsbackend.c
+@@ -89,7 +89,8 @@ g_keyfile_settings_backend_keyfile_write (GKeyfileSettingsBackend *kfsb)
+
+ contents = g_key_file_to_data (kfsb->keyfile, &length, NULL);
+ g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE,
+- G_FILE_CREATE_REPLACE_DESTINATION,
++ G_FILE_CREATE_REPLACE_DESTINATION |
++ G_FILE_CREATE_PRIVATE,
+ NULL, NULL, NULL);
+
+ compute_checksum (kfsb->digest, contents, length);
+@@ -640,7 +641,7 @@ g_keyfile_settings_backend_new (const gchar *filename,
+
+ kfsb->file = g_file_new_for_path (filename);
+ kfsb->dir = g_file_get_parent (kfsb->file);
+- g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
++ g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);
+
+ kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL);
+ kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL);
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb
index 733a2d4..2286d03 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb
@@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://0001-meson.build-do-not-hardcode-linux-as-the-host-system.patch \
file://0001-meson-do-a-build-time-check-for-strlcpy-before-attem.patch \
file://glib-meson.cross \
+ file://CVE-2019-13012.patch \
"
SRC_URI_append_class-native = " file://relocate-modules.patch"
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 36/43] gcc: reduce the variables in symtab
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (34 preceding siblings ...)
2019-09-01 14:36 ` [warrior 35/43] glib-2.0: fix CVE-2019-13012 Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 37/43] gcc: CVE-2018-12886 Armin Kuster
` (6 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Zhixiong Chi <zhixiong.chi@windriver.com>
Backport the patch from upstream:
https://github.com/gcc-mirror/gcc.git [commit beb921e]
https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=269925
Add the premark_used_variables function, meanwhile do not mark
not premarked external variables in prune_unused_types_walk.
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/gcc/gcc-8.3.inc | 1 +
.../gcc/gcc-8.3/0042-PR-debug-86964.patch | 94 ++++++++++++++++++++++
2 files changed, 95 insertions(+)
create mode 100644 meta/recipes-devtools/gcc/gcc-8.3/0042-PR-debug-86964.patch
diff --git a/meta/recipes-devtools/gcc/gcc-8.3.inc b/meta/recipes-devtools/gcc/gcc-8.3.inc
index a64f48a..7925337 100644
--- a/meta/recipes-devtools/gcc/gcc-8.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-8.3.inc
@@ -72,6 +72,7 @@ SRC_URI = "\
file://0039-riscv-Disable-multilib-for-OE.patch \
file://0040-powerpc-powerpc64-Add-support-for-musl-ldso.patch \
file://0041-Add-a-recursion-limit-to-libiberty-s-demangling-code.patch \
+ file://0042-PR-debug-86964.patch \
"
SRC_URI[md5sum] = "65b210b4bfe7e060051f799e0f994896"
SRC_URI[sha256sum] = "64baadfe6cc0f4947a84cb12d7f0dfaf45bb58b7e92461639596c21e02d97d2c"
diff --git a/meta/recipes-devtools/gcc/gcc-8.3/0042-PR-debug-86964.patch b/meta/recipes-devtools/gcc/gcc-8.3/0042-PR-debug-86964.patch
new file mode 100644
index 0000000..d9b5d39
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.3/0042-PR-debug-86964.patch
@@ -0,0 +1,94 @@
+From beb921e1106b5bcbb0c6e2be84b241327e2ffc51 Mon Sep 17 00:00:00 2001
+From: law <law@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Mon, 25 Mar 2019 21:19:09 +0000
+Subject: [PATCH] PR debug/86964 * dwarf2out.c
+ (premark_used_variables): New function. (prune_unused_types_walk): Do
+ not mark not premarked external variables. (prune_unused_types):
+ Call premark_used_variables.
+
+ * gcc.dg/debug/dwarf2/pr86964.c: New testcase.
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@269925 138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ gcc/ChangeLog | 8 ++++++
+ gcc/dwarf2out.c | 32 +++++++++++++++++++++
+ 2 files changed, 40 insertions(+)
+
+diff --git a/gcc/ChangeLog b/gcc/ChangeLog
+index 2075480ca2b..cdce539ac6f 100644
+--- a/gcc/ChangeLog
++++ b/gcc/ChangeLog
+@@ -1,3 +1,11 @@
++2019-03-25 Johan Karlsson <johan.karlsson@enea.com>
++
++ PR debug/86964
++ * dwarf2out.c (premark_used_variables): New function.
++ (prune_unused_types_walk): Do not mark not premarked external
++ variables.
++ (prune_unused_types): Call premark_used_variables.
++
+ 2019-02-22 Release Manager
+
+ * GCC 8.3.0 released.
+diff --git a/gcc/dwarf2out.c b/gcc/dwarf2out.c
+index ae8bdee9981..b9a624e1ac7 100644
+--- a/gcc/dwarf2out.c
++++ b/gcc/dwarf2out.c
+@@ -22658,6 +22658,21 @@ premark_types_used_by_global_vars (void)
+ ->traverse<void *, premark_types_used_by_global_vars_helper> (NULL);
+ }
+
++/* Mark all variables used by the symtab as perennial. */
++
++static void
++premark_used_variables (void)
++{
++ /* Mark DIEs in the symtab as used. */
++ varpool_node *var;
++ FOR_EACH_VARIABLE (var)
++ {
++ dw_die_ref die = lookup_decl_die (var->decl);
++ if (die)
++ die->die_perennial_p = 1;
++ }
++}
++
+ /* Generate a DW_TAG_call_site DIE in function DECL under SUBR_DIE
+ for CA_LOC call arg loc node. */
+
+@@ -29264,6 +29279,19 @@ prune_unused_types_walk (dw_die_ref die)
+
+ return;
+
++ case DW_TAG_variable:
++ if (flag_debug_only_used_symbols)
++ {
++ if (die->die_perennial_p)
++ break;
++
++ /* premark_used_variables marks external variables --- don't mark
++ them here. */
++ if (get_AT (die, DW_AT_external))
++ return;
++ }
++ /* FALLTHROUGH */
++
+ default:
+ /* Mark everything else. */
+ break;
+@@ -29390,6 +29418,10 @@ prune_unused_types (void)
+ /* Mark types that are used in global variables. */
+ premark_types_used_by_global_vars ();
+
++ /* Mark variables used in the symtab. */
++ if (flag_debug_only_used_symbols)
++ premark_used_variables ();
++
+ /* Set the mark on nodes that are actually used. */
+ prune_unused_types_walk (comp_unit_die ());
+ for (node = limbo_die_list; node; node = node->next)
+--
+2.21.0
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 37/43] gcc: CVE-2018-12886
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (35 preceding siblings ...)
2019-09-01 14:36 ` [warrior 36/43] gcc: reduce the variables in symtab Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 38/43] binutils: Fix mips patch which changes default emulation Armin Kuster
` (5 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Zhixiong Chi <zhixiong.chi@windriver.com>
Backprot CVE patch from the upstream:
https://github.com/gcc-mirror/gcc.git [commit f98495d]
https://nvd.nist.gov/vuln/detail/CVE-2018-12886
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/gcc/gcc-8.3.inc | 1 +
...vent-spilling-of-stack-protector-guard-s-.patch | 813 +++++++++++++++++++++
2 files changed, 814 insertions(+)
create mode 100644 meta/recipes-devtools/gcc/gcc-8.3/0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch
diff --git a/meta/recipes-devtools/gcc/gcc-8.3.inc b/meta/recipes-devtools/gcc/gcc-8.3.inc
index 7925337..dce85a2 100644
--- a/meta/recipes-devtools/gcc/gcc-8.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-8.3.inc
@@ -73,6 +73,7 @@ SRC_URI = "\
file://0040-powerpc-powerpc64-Add-support-for-musl-ldso.patch \
file://0041-Add-a-recursion-limit-to-libiberty-s-demangling-code.patch \
file://0042-PR-debug-86964.patch \
+ file://0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch \
"
SRC_URI[md5sum] = "65b210b4bfe7e060051f799e0f994896"
SRC_URI[sha256sum] = "64baadfe6cc0f4947a84cb12d7f0dfaf45bb58b7e92461639596c21e02d97d2c"
diff --git a/meta/recipes-devtools/gcc/gcc-8.3/0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch b/meta/recipes-devtools/gcc/gcc-8.3/0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch
new file mode 100644
index 0000000..f15207f
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.3/0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch
@@ -0,0 +1,813 @@
+From f98495d90ba66f67fe922a4b9229ea787041c418 Mon Sep 17 00:00:00 2001
+From: thopre01 <thopre01@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Thu, 22 Nov 2018 14:46:17 +0000
+Subject: [PATCH] PR85434: Prevent spilling of stack protector guard's address
+ on ARM
+
+In case of high register pressure in PIC mode, address of the stack
+protector's guard can be spilled on ARM targets as shown in PR85434,
+thus allowing an attacker to control what the canary would be compared
+against. ARM does lack stack_protect_set and stack_protect_test insn
+patterns, defining them does not help as the address is expanded
+regularly and the patterns only deal with the copy and test of the
+guard with the canary.
+
+This problem does not occur for x86 targets because the PIC access and
+the test can be done in the same instruction. Aarch64 is exempt too
+because PIC access insn pattern are mov of UNSPEC which prevents it from
+the second access in the epilogue being CSEd in cse_local pass with the
+first access in the prologue.
+
+The approach followed here is to create new "combined" set and test
+standard pattern names that take the unexpanded guard and do the set or
+test. This allows the target to use an opaque pattern (eg. using UNSPEC)
+to hide the individual instructions being generated to the compiler and
+split the pattern into generic load, compare and branch instruction
+after register allocator, therefore avoiding any spilling. This is here
+implemented for the ARM targets. For targets not implementing these new
+standard pattern names, the existing stack_protect_set and
+stack_protect_test pattern names are used.
+
+To be able to split PIC access after register allocation, the functions
+had to be augmented to force a new PIC register load and to control
+which register it loads into. This is because sharing the PIC register
+between prologue and epilogue could lead to spilling due to CSE again
+which an attacker could use to control what the canary gets compared
+against.
+
+2018-11-22 Thomas Preud'homme <thomas.preudhomme@linaro.org>
+
+ gcc/
+ PR target/85434
+ * target-insns.def (stack_protect_combined_set): Define new standard
+ pattern name.
+ (stack_protect_combined_test): Likewise.
+ * cfgexpand.c (stack_protect_prologue): Try new
+ stack_protect_combined_set pattern first.
+ * function.c (stack_protect_epilogue): Try new
+ stack_protect_combined_test pattern first.
+ * config/arm/arm.c (require_pic_register): Add pic_reg and compute_now
+ parameters to control which register to use as PIC register and force
+ reloading PIC register respectively. Insert in the stream of insns if
+ possible.
+ (legitimize_pic_address): Expose above new parameters in prototype and
+ adapt recursive calls accordingly. Use pic_reg if non null instead of
+ cached one.
+ (arm_load_pic_register): Add pic_reg parameter and use it if non null.
+ (arm_legitimize_address): Adapt to new legitimize_pic_address
+ prototype.
+ (thumb_legitimize_address): Likewise.
+ (arm_emit_call_insn): Adapt to require_pic_register prototype change.
+ (arm_expand_prologue): Adapt to arm_load_pic_register prototype change.
+ (thumb1_expand_prologue): Likewise.
+ * config/arm/arm-protos.h (legitimize_pic_address): Adapt to prototype
+ change.
+ (arm_load_pic_register): Likewise.
+ * config/arm/predicated.md (guard_addr_operand): New predicate.
+ (guard_operand): New predicate.
+ * config/arm/arm.md (movsi expander): Adapt to legitimize_pic_address
+ prototype change.
+ (builtin_setjmp_receiver expander): Adapt to thumb1_expand_prologue
+ prototype change.
+ (stack_protect_combined_set): New expander..
+ (stack_protect_combined_set_insn): New insn_and_split pattern.
+ (stack_protect_set_insn): New insn pattern.
+ (stack_protect_combined_test): New expander.
+ (stack_protect_combined_test_insn): New insn_and_split pattern.
+ (arm_stack_protect_test_insn): New insn pattern.
+ * config/arm/thumb1.md (thumb1_stack_protect_test_insn): New insn pattern.
+ * config/arm/unspecs.md (UNSPEC_SP_SET): New unspec.
+ (UNSPEC_SP_TEST): Likewise.
+ * doc/md.texi (stack_protect_combined_set): Document new standard
+ pattern name.
+ (stack_protect_set): Clarify that the operand for guard's address is
+ legal.
+ (stack_protect_combined_test): Document new standard pattern name.
+ (stack_protect_test): Clarify that the operand for guard's address is
+ legal.
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@266379 138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+CVE: CVE-2018-12886
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ gcc/ChangeLog | 49 ++++++
+ gcc/cfgexpand.c | 17 +++
+ gcc/config/arm/arm-protos.h | 4 +-
+ gcc/config/arm/arm.c | 87 ++++++++---
+ gcc/config/arm/arm.md | 163 +++++++++++++++++++-
+ gcc/config/arm/predicates.md | 17 +++
+ gcc/config/arm/thumb1.md | 13 ++
+ gcc/config/arm/unspecs.md | 3 +
+ gcc/doc/md.texi | 55 ++++++-
+ gcc/function.c | 32 +++-
+ gcc/target-insns.def | 2 +
+ 11 files changed, 399 insertions(+), 43 deletions(-)
+ create mode 100644 gcc/testsuite/gcc.target/arm/pr85434.c
+
+diff --git a/gcc/ChangeLog b/gcc/ChangeLog
+index e2ebfd34214..fa41e7112e0 100644
+--- a/gcc/ChangeLog
++++ b/gcc/ChangeLog
+@@ -1537,6 +1537,55 @@
+ * config/arm/neon.md (movv4hf, movv8hf): Refactored to..
+ (mov<mov>): ..this and enable unconditionally.
+
++2018-11-22 Thomas Preud'homme <thomas.preudhomme@linaro.org>
++
++ * target-insns.def (stack_protect_combined_set): Define new standard
++ pattern name.
++ (stack_protect_combined_test): Likewise.
++ * cfgexpand.c (stack_protect_prologue): Try new
++ stack_protect_combined_set pattern first.
++ * function.c (stack_protect_epilogue): Try new
++ stack_protect_combined_test pattern first.
++ * config/arm/arm.c (require_pic_register): Add pic_reg and compute_now
++ parameters to control which register to use as PIC register and force
++ reloading PIC register respectively. Insert in the stream of insns if
++ possible.
++ (legitimize_pic_address): Expose above new parameters in prototype and
++ adapt recursive calls accordingly. Use pic_reg if non null instead of
++ cached one.
++ (arm_load_pic_register): Add pic_reg parameter and use it if non null.
++ (arm_legitimize_address): Adapt to new legitimize_pic_address
++ prototype.
++ (thumb_legitimize_address): Likewise.
++ (arm_emit_call_insn): Adapt to require_pic_register prototype change.
++ (arm_expand_prologue): Adapt to arm_load_pic_register prototype change.
++ (thumb1_expand_prologue): Likewise.
++ * config/arm/arm-protos.h (legitimize_pic_address): Adapt to prototype
++ change.
++ (arm_load_pic_register): Likewise.
++ * config/arm/predicated.md (guard_addr_operand): New predicate.
++ (guard_operand): New predicate.
++ * config/arm/arm.md (movsi expander): Adapt to legitimize_pic_address
++ prototype change.
++ (builtin_setjmp_receiver expander): Adapt to thumb1_expand_prologue
++ prototype change.
++ (stack_protect_combined_set): New expander..
++ (stack_protect_combined_set_insn): New insn_and_split pattern.
++ (stack_protect_set_insn): New insn pattern.
++ (stack_protect_combined_test): New expander.
++ (stack_protect_combined_test_insn): New insn_and_split pattern.
++ (arm_stack_protect_test_insn): New insn pattern.
++ * config/arm/thumb1.md (thumb1_stack_protect_test_insn): New insn pattern.
++ * config/arm/unspecs.md (UNSPEC_SP_SET): New unspec.
++ (UNSPEC_SP_TEST): Likewise.
++ * doc/md.texi (stack_protect_combined_set): Document new standard
++ pattern name.
++ (stack_protect_set): Clarify that the operand for guard's address is
++ legal.
++ (stack_protect_combined_test): Document new standard pattern name.
++ (stack_protect_test): Clarify that the operand for guard's address is
++ legal.
++
+ 2018-11-22 Uros Bizjak <ubizjak@gmail.com>
+
+ Backport from mainline
+diff --git a/gcc/cfgexpand.c b/gcc/cfgexpand.c
+index 8fa392fcd8a..21bdcdaeaa3 100644
+--- a/gcc/cfgexpand.c
++++ b/gcc/cfgexpand.c
+@@ -6185,6 +6185,23 @@ stack_protect_prologue (void)
+ rtx x, y;
+
+ x = expand_normal (crtl->stack_protect_guard);
++
++ if (targetm.have_stack_protect_combined_set () && guard_decl)
++ {
++ gcc_assert (DECL_P (guard_decl));
++ y = DECL_RTL (guard_decl);
++
++ /* Allow the target to compute address of Y and copy it to X without
++ leaking Y into a register. This combined address + copy pattern
++ allows the target to prevent spilling of any intermediate results by
++ splitting it after register allocator. */
++ if (rtx_insn *insn = targetm.gen_stack_protect_combined_set (x, y))
++ {
++ emit_insn (insn);
++ return;
++ }
++ }
++
+ if (guard_decl)
+ y = expand_normal (guard_decl);
+ else
+diff --git a/gcc/config/arm/arm-protos.h b/gcc/config/arm/arm-protos.h
+index 8d6d2395b84..00f5f16ed02 100644
+--- a/gcc/config/arm/arm-protos.h
++++ b/gcc/config/arm/arm-protos.h
+@@ -28,7 +28,7 @@ extern enum unwind_info_type arm_except_unwind_info (struct gcc_options *);
+ extern int use_return_insn (int, rtx);
+ extern bool use_simple_return_p (void);
+ extern enum reg_class arm_regno_class (int);
+-extern void arm_load_pic_register (unsigned long);
++extern void arm_load_pic_register (unsigned long, rtx);
+ extern int arm_volatile_func (void);
+ extern void arm_expand_prologue (void);
+ extern void arm_expand_epilogue (bool);
+@@ -69,7 +69,7 @@ extern int const_ok_for_dimode_op (HOST_WIDE_INT, enum rtx_code);
+ extern int arm_split_constant (RTX_CODE, machine_mode, rtx,
+ HOST_WIDE_INT, rtx, rtx, int);
+ extern int legitimate_pic_operand_p (rtx);
+-extern rtx legitimize_pic_address (rtx, machine_mode, rtx);
++extern rtx legitimize_pic_address (rtx, machine_mode, rtx, rtx, bool);
+ extern rtx legitimize_tls_address (rtx, rtx);
+ extern bool arm_legitimate_address_p (machine_mode, rtx, bool);
+ extern int arm_legitimate_address_outer_p (machine_mode, rtx, RTX_CODE, int);
+diff --git a/gcc/config/arm/arm.c b/gcc/config/arm/arm.c
+index 8393f0b87f3..12417de5102 100644
+--- a/gcc/config/arm/arm.c
++++ b/gcc/config/arm/arm.c
+@@ -7379,21 +7379,34 @@ legitimate_pic_operand_p (rtx x)
+ return 1;
+ }
+
+-/* Record that the current function needs a PIC register. Initialize
+- cfun->machine->pic_reg if we have not already done so. */
++/* Record that the current function needs a PIC register. If PIC_REG is null,
++ a new pseudo is allocated as PIC register, otherwise PIC_REG is used. In
++ both case cfun->machine->pic_reg is initialized if we have not already done
++ so. COMPUTE_NOW decide whether and where to set the PIC register. If true,
++ PIC register is reloaded in the current position of the instruction stream
++ irregardless of whether it was loaded before. Otherwise, it is only loaded
++ if not already done so (crtl->uses_pic_offset_table is null). Note that
++ nonnull PIC_REG is only supported iff COMPUTE_NOW is true and null PIC_REG
++ is only supported iff COMPUTE_NOW is false. */
+
+ static void
+-require_pic_register (void)
++require_pic_register (rtx pic_reg, bool compute_now)
+ {
++ gcc_assert (compute_now == (pic_reg != NULL_RTX));
++
+ /* A lot of the logic here is made obscure by the fact that this
+ routine gets called as part of the rtx cost estimation process.
+ We don't want those calls to affect any assumptions about the real
+ function; and further, we can't call entry_of_function() until we
+ start the real expansion process. */
+- if (!crtl->uses_pic_offset_table)
++ if (!crtl->uses_pic_offset_table || compute_now)
+ {
+- gcc_assert (can_create_pseudo_p ());
++ gcc_assert (can_create_pseudo_p ()
++ || (pic_reg != NULL_RTX
++ && REG_P (pic_reg)
++ && GET_MODE (pic_reg) == Pmode));
+ if (arm_pic_register != INVALID_REGNUM
++ && !compute_now
+ && !(TARGET_THUMB1 && arm_pic_register > LAST_LO_REGNUM))
+ {
+ if (!cfun->machine->pic_reg)
+@@ -7409,8 +7422,10 @@ require_pic_register (void)
+ {
+ rtx_insn *seq, *insn;
+
++ if (pic_reg == NULL_RTX)
++ pic_reg = gen_reg_rtx (Pmode);
+ if (!cfun->machine->pic_reg)
+- cfun->machine->pic_reg = gen_reg_rtx (Pmode);
++ cfun->machine->pic_reg = pic_reg;
+
+ /* Play games to avoid marking the function as needing pic
+ if we are being called as part of the cost-estimation
+@@ -7421,11 +7436,12 @@ require_pic_register (void)
+ start_sequence ();
+
+ if (TARGET_THUMB1 && arm_pic_register != INVALID_REGNUM
+- && arm_pic_register > LAST_LO_REGNUM)
++ && arm_pic_register > LAST_LO_REGNUM
++ && !compute_now)
+ emit_move_insn (cfun->machine->pic_reg,
+ gen_rtx_REG (Pmode, arm_pic_register));
+ else
+- arm_load_pic_register (0UL);
++ arm_load_pic_register (0UL, pic_reg);
+
+ seq = get_insns ();
+ end_sequence ();
+@@ -7438,16 +7454,33 @@ require_pic_register (void)
+ we can't yet emit instructions directly in the final
+ insn stream. Queue the insns on the entry edge, they will
+ be committed after everything else is expanded. */
+- insert_insn_on_edge (seq,
+- single_succ_edge (ENTRY_BLOCK_PTR_FOR_FN (cfun)));
++ if (currently_expanding_to_rtl)
++ insert_insn_on_edge (seq,
++ single_succ_edge
++ (ENTRY_BLOCK_PTR_FOR_FN (cfun)));
++ else
++ emit_insn (seq);
+ }
+ }
+ }
+ }
+
++/* Legitimize PIC load to ORIG into REG. If REG is NULL, a new pseudo is
++ created to hold the result of the load. If not NULL, PIC_REG indicates
++ which register to use as PIC register, otherwise it is decided by register
++ allocator. COMPUTE_NOW forces the PIC register to be loaded at the current
++ location in the instruction stream, irregardless of whether it was loaded
++ previously. Note that nonnull PIC_REG is only supported iff COMPUTE_NOW is
++ true and null PIC_REG is only supported iff COMPUTE_NOW is false.
++
++ Returns the register REG into which the PIC load is performed. */
++
+ rtx
+-legitimize_pic_address (rtx orig, machine_mode mode, rtx reg)
++legitimize_pic_address (rtx orig, machine_mode mode, rtx reg, rtx pic_reg,
++ bool compute_now)
+ {
++ gcc_assert (compute_now == (pic_reg != NULL_RTX));
++
+ if (GET_CODE (orig) == SYMBOL_REF
+ || GET_CODE (orig) == LABEL_REF)
+ {
+@@ -7480,9 +7513,12 @@ legitimize_pic_address (rtx orig, machine_mode mode, rtx reg)
+ rtx mem;
+
+ /* If this function doesn't have a pic register, create one now. */
+- require_pic_register ();
++ require_pic_register (pic_reg, compute_now);
++
++ if (pic_reg == NULL_RTX)
++ pic_reg = cfun->machine->pic_reg;
+
+- pat = gen_calculate_pic_address (reg, cfun->machine->pic_reg, orig);
++ pat = gen_calculate_pic_address (reg, pic_reg, orig);
+
+ /* Make the MEM as close to a constant as possible. */
+ mem = SET_SRC (pat);
+@@ -7531,9 +7567,11 @@ legitimize_pic_address (rtx orig, machine_mode mode, rtx reg)
+
+ gcc_assert (GET_CODE (XEXP (orig, 0)) == PLUS);
+
+- base = legitimize_pic_address (XEXP (XEXP (orig, 0), 0), Pmode, reg);
++ base = legitimize_pic_address (XEXP (XEXP (orig, 0), 0), Pmode, reg,
++ pic_reg, compute_now);
+ offset = legitimize_pic_address (XEXP (XEXP (orig, 0), 1), Pmode,
+- base == reg ? 0 : reg);
++ base == reg ? 0 : reg, pic_reg,
++ compute_now);
+
+ if (CONST_INT_P (offset))
+ {
+@@ -7633,16 +7671,17 @@ static GTY(()) int pic_labelno;
+ low register. */
+
+ void
+-arm_load_pic_register (unsigned long saved_regs ATTRIBUTE_UNUSED)
++arm_load_pic_register (unsigned long saved_regs ATTRIBUTE_UNUSED, rtx pic_reg)
+ {
+- rtx l1, labelno, pic_tmp, pic_rtx, pic_reg;
++ rtx l1, labelno, pic_tmp, pic_rtx;
+
+ if (crtl->uses_pic_offset_table == 0 || TARGET_SINGLE_PIC_BASE)
+ return;
+
+ gcc_assert (flag_pic);
+
+- pic_reg = cfun->machine->pic_reg;
++ if (pic_reg == NULL_RTX)
++ pic_reg = cfun->machine->pic_reg;
+ if (TARGET_VXWORKS_RTP)
+ {
+ pic_rtx = gen_rtx_SYMBOL_REF (Pmode, VXWORKS_GOTT_BASE);
+@@ -8718,7 +8757,8 @@ arm_legitimize_address (rtx x, rtx orig_x, machine_mode mode)
+ {
+ /* We need to find and carefully transform any SYMBOL and LABEL
+ references; so go back to the original address expression. */
+- rtx new_x = legitimize_pic_address (orig_x, mode, NULL_RTX);
++ rtx new_x = legitimize_pic_address (orig_x, mode, NULL_RTX, NULL_RTX,
++ false /*compute_now*/);
+
+ if (new_x != orig_x)
+ x = new_x;
+@@ -8786,7 +8826,8 @@ thumb_legitimize_address (rtx x, rtx orig_x, machine_mode mode)
+ {
+ /* We need to find and carefully transform any SYMBOL and LABEL
+ references; so go back to the original address expression. */
+- rtx new_x = legitimize_pic_address (orig_x, mode, NULL_RTX);
++ rtx new_x = legitimize_pic_address (orig_x, mode, NULL_RTX, NULL_RTX,
++ false /*compute_now*/);
+
+ if (new_x != orig_x)
+ x = new_x;
+@@ -18074,7 +18115,7 @@ arm_emit_call_insn (rtx pat, rtx addr, bool sibcall)
+ ? !targetm.binds_local_p (SYMBOL_REF_DECL (addr))
+ : !SYMBOL_REF_LOCAL_P (addr)))
+ {
+- require_pic_register ();
++ require_pic_register (NULL_RTX, false /*compute_now*/);
+ use_reg (&CALL_INSN_FUNCTION_USAGE (insn), cfun->machine->pic_reg);
+ }
+
+@@ -22006,7 +22047,7 @@ arm_expand_prologue (void)
+ mask &= THUMB2_WORK_REGS;
+ if (!IS_NESTED (func_type))
+ mask |= (1 << IP_REGNUM);
+- arm_load_pic_register (mask);
++ arm_load_pic_register (mask, NULL_RTX);
+ }
+
+ /* If we are profiling, make sure no instructions are scheduled before
+@@ -25237,7 +25278,7 @@ thumb1_expand_prologue (void)
+ /* Load the pic register before setting the frame pointer,
+ so we can use r7 as a temporary work register. */
+ if (flag_pic && arm_pic_register != INVALID_REGNUM)
+- arm_load_pic_register (live_regs_mask);
++ arm_load_pic_register (live_regs_mask, NULL_RTX);
+
+ if (!frame_pointer_needed && CALLER_INTERWORKING_SLOT_SIZE > 0)
+ emit_move_insn (gen_rtx_REG (Pmode, ARM_HARD_FRAME_POINTER_REGNUM),
+diff --git a/gcc/config/arm/arm.md b/gcc/config/arm/arm.md
+index c8dc9474b1b..f6196e93168 100644
+--- a/gcc/config/arm/arm.md
++++ b/gcc/config/arm/arm.md
+@@ -6021,7 +6021,8 @@
+ operands[1] = legitimize_pic_address (operands[1], SImode,
+ (!can_create_pseudo_p ()
+ ? operands[0]
+- : 0));
++ : NULL_RTX), NULL_RTX,
++ false /*compute_now*/);
+ }
+ "
+ )
+@@ -6309,7 +6310,7 @@
+ /* r3 is clobbered by set/longjmp, so we can use it as a scratch
+ register. */
+ if (arm_pic_register != INVALID_REGNUM)
+- arm_load_pic_register (1UL << 3);
++ arm_load_pic_register (1UL << 3, NULL_RTX);
+ DONE;
+ }")
+
+@@ -8634,6 +8635,164 @@
+ (set_attr "conds" "clob")]
+ )
+
++;; Named patterns for stack smashing protection.
++(define_expand "stack_protect_combined_set"
++ [(parallel
++ [(set (match_operand:SI 0 "memory_operand" "")
++ (unspec:SI [(match_operand:SI 1 "guard_operand" "")]
++ UNSPEC_SP_SET))
++ (clobber (match_scratch:SI 2 ""))
++ (clobber (match_scratch:SI 3 ""))])]
++ ""
++ ""
++)
++
++;; Use a separate insn from the above expand to be able to have the mem outside
++;; the operand #1 when register allocation comes. This is needed to avoid LRA
++;; try to reload the guard since we need to control how PIC access is done in
++;; the -fpic/-fPIC case (see COMPUTE_NOW parameter when calling
++;; legitimize_pic_address ()).
++(define_insn_and_split "*stack_protect_combined_set_insn"
++ [(set (match_operand:SI 0 "memory_operand" "=m,m")
++ (unspec:SI [(mem:SI (match_operand:SI 1 "guard_addr_operand" "X,X"))]
++ UNSPEC_SP_SET))
++ (clobber (match_scratch:SI 2 "=&l,&r"))
++ (clobber (match_scratch:SI 3 "=&l,&r"))]
++ ""
++ "#"
++ "reload_completed"
++ [(parallel [(set (match_dup 0) (unspec:SI [(mem:SI (match_dup 2))]
++ UNSPEC_SP_SET))
++ (clobber (match_dup 2))])]
++ "
++{
++ if (flag_pic)
++ {
++ /* Forces recomputing of GOT base now. */
++ legitimize_pic_address (operands[1], SImode, operands[2], operands[3],
++ true /*compute_now*/);
++ }
++ else
++ {
++ if (address_operand (operands[1], SImode))
++ operands[2] = operands[1];
++ else
++ {
++ rtx mem = XEXP (force_const_mem (SImode, operands[1]), 0);
++ emit_move_insn (operands[2], mem);
++ }
++ }
++}"
++ [(set_attr "arch" "t1,32")]
++)
++
++(define_insn "*stack_protect_set_insn"
++ [(set (match_operand:SI 0 "memory_operand" "=m,m")
++ (unspec:SI [(mem:SI (match_operand:SI 1 "register_operand" "+&l,&r"))]
++ UNSPEC_SP_SET))
++ (clobber (match_dup 1))]
++ ""
++ "@
++ ldr\\t%1, [%1]\;str\\t%1, %0\;movs\t%1,#0
++ ldr\\t%1, [%1]\;str\\t%1, %0\;mov\t%1,#0"
++ [(set_attr "length" "8,12")
++ (set_attr "conds" "clob,nocond")
++ (set_attr "type" "multiple")
++ (set_attr "arch" "t1,32")]
++)
++
++(define_expand "stack_protect_combined_test"
++ [(parallel
++ [(set (pc)
++ (if_then_else
++ (eq (match_operand:SI 0 "memory_operand" "")
++ (unspec:SI [(match_operand:SI 1 "guard_operand" "")]
++ UNSPEC_SP_TEST))
++ (label_ref (match_operand 2))
++ (pc)))
++ (clobber (match_scratch:SI 3 ""))
++ (clobber (match_scratch:SI 4 ""))
++ (clobber (reg:CC CC_REGNUM))])]
++ ""
++ ""
++)
++
++;; Use a separate insn from the above expand to be able to have the mem outside
++;; the operand #1 when register allocation comes. This is needed to avoid LRA
++;; try to reload the guard since we need to control how PIC access is done in
++;; the -fpic/-fPIC case (see COMPUTE_NOW parameter when calling
++;; legitimize_pic_address ()).
++(define_insn_and_split "*stack_protect_combined_test_insn"
++ [(set (pc)
++ (if_then_else
++ (eq (match_operand:SI 0 "memory_operand" "m,m")
++ (unspec:SI [(mem:SI (match_operand:SI 1 "guard_addr_operand" "X,X"))]
++ UNSPEC_SP_TEST))
++ (label_ref (match_operand 2))
++ (pc)))
++ (clobber (match_scratch:SI 3 "=&l,&r"))
++ (clobber (match_scratch:SI 4 "=&l,&r"))
++ (clobber (reg:CC CC_REGNUM))]
++ ""
++ "#"
++ "reload_completed"
++ [(const_int 0)]
++{
++ rtx eq;
++
++ if (flag_pic)
++ {
++ /* Forces recomputing of GOT base now. */
++ legitimize_pic_address (operands[1], SImode, operands[3], operands[4],
++ true /*compute_now*/);
++ }
++ else
++ {
++ if (address_operand (operands[1], SImode))
++ operands[3] = operands[1];
++ else
++ {
++ rtx mem = XEXP (force_const_mem (SImode, operands[1]), 0);
++ emit_move_insn (operands[3], mem);
++ }
++ }
++ if (TARGET_32BIT)
++ {
++ emit_insn (gen_arm_stack_protect_test_insn (operands[4], operands[0],
++ operands[3]));
++ rtx cc_reg = gen_rtx_REG (CC_Zmode, CC_REGNUM);
++ eq = gen_rtx_EQ (CC_Zmode, cc_reg, const0_rtx);
++ emit_jump_insn (gen_arm_cond_branch (operands[2], eq, cc_reg));
++ }
++ else
++ {
++ emit_insn (gen_thumb1_stack_protect_test_insn (operands[4], operands[0],
++ operands[3]));
++ eq = gen_rtx_EQ (VOIDmode, operands[4], const0_rtx);
++ emit_jump_insn (gen_cbranchsi4 (eq, operands[4], const0_rtx,
++ operands[2]));
++ }
++ DONE;
++}
++ [(set_attr "arch" "t1,32")]
++)
++
++(define_insn "arm_stack_protect_test_insn"
++ [(set (reg:CC_Z CC_REGNUM)
++ (compare:CC_Z (unspec:SI [(match_operand:SI 1 "memory_operand" "m,m")
++ (mem:SI (match_operand:SI 2 "register_operand" "+l,r"))]
++ UNSPEC_SP_TEST)
++ (const_int 0)))
++ (clobber (match_operand:SI 0 "register_operand" "=&l,&r"))
++ (clobber (match_dup 2))]
++ "TARGET_32BIT"
++ "ldr\t%0, [%2]\;ldr\t%2, %1\;eors\t%0, %2, %0"
++ [(set_attr "length" "8,12")
++ (set_attr "conds" "set")
++ (set_attr "type" "multiple")
++ (set_attr "arch" "t,32")]
++)
++
+ (define_expand "casesi"
+ [(match_operand:SI 0 "s_register_operand" "") ; index to jump on
+ (match_operand:SI 1 "const_int_operand" "") ; lower bound
+diff --git a/gcc/config/arm/predicates.md b/gcc/config/arm/predicates.md
+index 7e198f9bce4..69718ee9c7a 100644
+--- a/gcc/config/arm/predicates.md
++++ b/gcc/config/arm/predicates.md
+@@ -31,6 +31,23 @@
+ || REGNO_REG_CLASS (REGNO (op)) != NO_REGS));
+ })
+
++; Predicate for stack protector guard's address in
++; stack_protect_combined_set_insn and stack_protect_combined_test_insn patterns
++(define_predicate "guard_addr_operand"
++ (match_test "true")
++{
++ return (CONSTANT_ADDRESS_P (op)
++ || !targetm.cannot_force_const_mem (mode, op));
++})
++
++; Predicate for stack protector guard in stack_protect_combined_set and
++; stack_protect_combined_test patterns
++(define_predicate "guard_operand"
++ (match_code "mem")
++{
++ return guard_addr_operand (XEXP (op, 0), mode);
++})
++
+ (define_predicate "imm_for_neon_inv_logic_operand"
+ (match_code "const_vector")
+ {
+diff --git a/gcc/config/arm/thumb1.md b/gcc/config/arm/thumb1.md
+index 19dcdbcdd73..cd199c9c529 100644
+--- a/gcc/config/arm/thumb1.md
++++ b/gcc/config/arm/thumb1.md
+@@ -1962,4 +1962,17 @@
+ }"
+ [(set_attr "type" "mov_reg")]
+ )
++
++(define_insn "thumb1_stack_protect_test_insn"
++ [(set (match_operand:SI 0 "register_operand" "=&l")
++ (unspec:SI [(match_operand:SI 1 "memory_operand" "m")
++ (mem:SI (match_operand:SI 2 "register_operand" "+l"))]
++ UNSPEC_SP_TEST))
++ (clobber (match_dup 2))]
++ "TARGET_THUMB1"
++ "ldr\t%0, [%2]\;ldr\t%2, %1\;eors\t%0, %2, %0"
++ [(set_attr "length" "8")
++ (set_attr "conds" "set")
++ (set_attr "type" "multiple")]
++)
+ \f
+diff --git a/gcc/config/arm/unspecs.md b/gcc/config/arm/unspecs.md
+index 19416736ef9..8f9dbcb08dc 100644
+--- a/gcc/config/arm/unspecs.md
++++ b/gcc/config/arm/unspecs.md
+@@ -86,6 +86,9 @@
+ UNSPEC_PROBE_STACK ; Probe stack memory reference
+ UNSPEC_NONSECURE_MEM ; Represent non-secure memory in ARMv8-M with
+ ; security extension
++ UNSPEC_SP_SET ; Represent the setting of stack protector's canary
++ UNSPEC_SP_TEST ; Represent the testing of stack protector's canary
++ ; against the guard.
+ ])
+
+ (define_c_enum "unspec" [
+diff --git a/gcc/doc/md.texi b/gcc/doc/md.texi
+index 295fc1f1143..895309b2f3c 100644
+--- a/gcc/doc/md.texi
++++ b/gcc/doc/md.texi
+@@ -7450,22 +7450,61 @@ builtins.
+ The get/set patterns have a single output/input operand respectively,
+ with @var{mode} intended to be @code{Pmode}.
+
++@cindex @code{stack_protect_combined_set} instruction pattern
++@item @samp{stack_protect_combined_set}
++This pattern, if defined, moves a @code{ptr_mode} value from an address
++whose declaration RTX is given in operand 1 to the memory in operand 0
++without leaving the value in a register afterward. If several
++instructions are needed by the target to perform the operation (eg. to
++load the address from a GOT entry then load the @code{ptr_mode} value
++and finally store it), it is the backend's responsibility to ensure no
++intermediate result gets spilled. This is to avoid leaking the value
++some place that an attacker might use to rewrite the stack guard slot
++after having clobbered it.
++
++If this pattern is not defined, then the address declaration is
++expanded first in the standard way and a @code{stack_protect_set}
++pattern is then generated to move the value from that address to the
++address in operand 0.
++
+ @cindex @code{stack_protect_set} instruction pattern
+ @item @samp{stack_protect_set}
+-This pattern, if defined, moves a @code{ptr_mode} value from the memory
+-in operand 1 to the memory in operand 0 without leaving the value in
+-a register afterward. This is to avoid leaking the value some place
+-that an attacker might use to rewrite the stack guard slot after
+-having clobbered it.
++This pattern, if defined, moves a @code{ptr_mode} value from the valid
++memory location in operand 1 to the memory in operand 0 without leaving
++the value in a register afterward. This is to avoid leaking the value
++some place that an attacker might use to rewrite the stack guard slot
++after having clobbered it.
++
++Note: on targets where the addressing modes do not allow to load
++directly from stack guard address, the address is expanded in a standard
++way first which could cause some spills.
+
+ If this pattern is not defined, then a plain move pattern is generated.
+
++@cindex @code{stack_protect_combined_test} instruction pattern
++@item @samp{stack_protect_combined_test}
++This pattern, if defined, compares a @code{ptr_mode} value from an
++address whose declaration RTX is given in operand 1 with the memory in
++operand 0 without leaving the value in a register afterward and
++branches to operand 2 if the values were equal. If several
++instructions are needed by the target to perform the operation (eg. to
++load the address from a GOT entry then load the @code{ptr_mode} value
++and finally store it), it is the backend's responsibility to ensure no
++intermediate result gets spilled. This is to avoid leaking the value
++some place that an attacker might use to rewrite the stack guard slot
++after having clobbered it.
++
++If this pattern is not defined, then the address declaration is
++expanded first in the standard way and a @code{stack_protect_test}
++pattern is then generated to compare the value from that address to the
++value at the memory in operand 0.
++
+ @cindex @code{stack_protect_test} instruction pattern
+ @item @samp{stack_protect_test}
+ This pattern, if defined, compares a @code{ptr_mode} value from the
+-memory in operand 1 with the memory in operand 0 without leaving the
+-value in a register afterward and branches to operand 2 if the values
+-were equal.
++valid memory location in operand 1 with the memory in operand 0 without
++leaving the value in a register afterward and branches to operand 2 if
++the values were equal.
+
+ If this pattern is not defined, then a plain compare pattern and
+ conditional branch pattern is used.
+diff --git a/gcc/function.c b/gcc/function.c
+index 85a5d9f43f7..69523c1d723 100644
+--- a/gcc/function.c
++++ b/gcc/function.c
+@@ -4937,18 +4937,34 @@ stack_protect_epilogue (void)
+ tree guard_decl = targetm.stack_protect_guard ();
+ rtx_code_label *label = gen_label_rtx ();
+ rtx x, y;
+- rtx_insn *seq;
++ rtx_insn *seq = NULL;
+
+ x = expand_normal (crtl->stack_protect_guard);
+- if (guard_decl)
+- y = expand_normal (guard_decl);
++
++ if (targetm.have_stack_protect_combined_test () && guard_decl)
++ {
++ gcc_assert (DECL_P (guard_decl));
++ y = DECL_RTL (guard_decl);
++ /* Allow the target to compute address of Y and compare it with X without
++ leaking Y into a register. This combined address + compare pattern
++ allows the target to prevent spilling of any intermediate results by
++ splitting it after register allocator. */
++ seq = targetm.gen_stack_protect_combined_test (x, y, label);
++ }
+ else
+- y = const0_rtx;
++ {
++ if (guard_decl)
++ y = expand_normal (guard_decl);
++ else
++ y = const0_rtx;
++
++ /* Allow the target to compare Y with X without leaking either into
++ a register. */
++ if (targetm.have_stack_protect_test ())
++ seq = targetm.gen_stack_protect_test (x, y, label);
++ }
+
+- /* Allow the target to compare Y with X without leaking either into
+- a register. */
+- if (targetm.have_stack_protect_test ()
+- && ((seq = targetm.gen_stack_protect_test (x, y, label)) != NULL_RTX))
++ if (seq)
+ emit_insn (seq);
+ else
+ emit_cmp_and_jump_insns (x, y, EQ, NULL_RTX, ptr_mode, 1, label);
+diff --git a/gcc/target-insns.def b/gcc/target-insns.def
+index 9a552c3d11c..d39889b3522 100644
+--- a/gcc/target-insns.def
++++ b/gcc/target-insns.def
+@@ -96,7 +96,9 @@ DEF_TARGET_INSN (sibcall_value, (rtx x0, rtx x1, rtx opt2, rtx opt3,
+ DEF_TARGET_INSN (simple_return, (void))
+ DEF_TARGET_INSN (split_stack_prologue, (void))
+ DEF_TARGET_INSN (split_stack_space_check, (rtx x0, rtx x1))
++DEF_TARGET_INSN (stack_protect_combined_set, (rtx x0, rtx x1))
+ DEF_TARGET_INSN (stack_protect_set, (rtx x0, rtx x1))
++DEF_TARGET_INSN (stack_protect_combined_test, (rtx x0, rtx x1, rtx x2))
+ DEF_TARGET_INSN (stack_protect_test, (rtx x0, rtx x1, rtx x2))
+ DEF_TARGET_INSN (store_multiple, (rtx x0, rtx x1, rtx x2))
+ DEF_TARGET_INSN (tablejump, (rtx x0, rtx x1))
+--
+2.21.0
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 38/43] binutils: Fix mips patch which changes default emulation
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (36 preceding siblings ...)
2019-09-01 14:36 ` [warrior 37/43] gcc: CVE-2018-12886 Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 39/43] glibc: Fix multilibs + usrmerge builds Armin Kuster
` (4 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Nathan Rossi <nathan@nathanrossi.com>
The patch incorrectly removes 'mips_elf32_ntrad_le_vec' from the
'targ_selvecs' replacing it with duplicate entries for
'mips_elf32_ntrad_be_vec'. Correct this so that the default binutils can
still handle 'mips_elf32_ntrad_le_vec' binaries.
Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../0010-Change-default-emulation-for-mips64-linux.patch | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/meta/recipes-devtools/binutils/binutils/0010-Change-default-emulation-for-mips64-linux.patch b/meta/recipes-devtools/binutils/binutils/0010-Change-default-emulation-for-mips64-linux.patch
index ba5e4c2..5f4ac72 100644
--- a/meta/recipes-devtools/binutils/binutils/0010-Change-default-emulation-for-mips64-linux.patch
+++ b/meta/recipes-devtools/binutils/binutils/0010-Change-default-emulation-for-mips64-linux.patch
@@ -1,4 +1,4 @@
-From d540e95d05cd7c4b8924ac7b257c14ae0105d0ab Mon Sep 17 00:00:00 2001
+From 958a49749b772660d3bafb80748829cba6bed065 Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Mon, 2 Mar 2015 01:44:14 +0000
Subject: [PATCH 10/15] Change default emulation for mips64*-*-linux
@@ -14,7 +14,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/bfd/config.bfd b/bfd/config.bfd
-index 0e1ddb659c..cc65547588 100644
+index 0e1ddb659c..d4f50f0a8d 100644
--- a/bfd/config.bfd
+++ b/bfd/config.bfd
@@ -919,12 +919,12 @@ case "${targ}" in
@@ -30,7 +30,7 @@ index 0e1ddb659c..cc65547588 100644
- targ_defvec=mips_elf32_ntrad_be_vec
- targ_selvecs="mips_elf32_ntrad_le_vec mips_elf32_trad_be_vec mips_elf32_trad_le_vec mips_elf64_trad_be_vec mips_elf64_trad_le_vec"
+ targ_defvec=mips_elf64_trad_be_vec
-+ targ_selvecs="mips_elf32_ntrad_be_vec mips_elf32_ntrad_be_vec mips_elf32_trad_be_vec mips_elf32_trad_le_vec mips_elf64_trad_le_vec"
++ targ_selvecs="mips_elf32_ntrad_be_vec mips_elf32_ntrad_le_vec mips_elf32_trad_be_vec mips_elf32_trad_le_vec mips_elf64_trad_le_vec"
;;
mips*el-*-linux*)
targ_defvec=mips_elf32_trad_le_vec
@@ -54,6 +54,3 @@ index beba17ef51..917be6f8eb 100644
targ_extra_libpath=$targ_extra_emuls ;;
mips*el-*-linux-*) targ_emul=elf32ltsmip
targ_extra_emuls="elf32btsmip elf32ltsmipn32 elf64ltsmip elf32btsmipn32 elf64btsmip"
---
-2.20.1
-
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 39/43] glibc: Fix multilibs + usrmerge builds
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (37 preceding siblings ...)
2019-09-01 14:36 ` [warrior 38/43] binutils: Fix mips patch which changes default emulation Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 40/43] glibc-locale: Fix build error with PACKAGE_NO_GCONV = "1" Armin Kuster
` (3 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Jason Wessel <jason.wessel@windriver.com>
The build of glibc fails when you have multilibs enabled + the distro
feature usrmerge. Here is an example configuration:
===
MACHINE = "qemux86-64"
VIRTUAL-RUNTIME_init_manager = "systemd"
DISTRO_FEATURES_append = " systemd "
DISTRO_FEATURES_append += " usrmerge"
require conf/multilib.conf
MULTILIBS = "multilib:lib32"
DEFAULTTUNE_virtclass-multilib-lib32 = "x86"
===
This will fail with the following error:
NOTE: Executing SetScene Tasks
NOTE: Executing RunQueue Tasks
ERROR: glibc-2.28-r0 do_poststash_install_cleanup: Function failed: do_poststash_install_cleanup (log file is located at /poky/build/tmp/work/core2-64-poky-linux/glibc/2.28-r0/temp/log.do_poststash_install_cleanup.107893)
ERROR: Logfile of failure stored in: /poky/build/tmp/work/core2-64-poky-linux/glibc/2.28-r0/temp/log.do_poststash_install_cleanup.107893
The fix is to not perform the rmdir check when using the multilib + usr/merge, namely:
if [ "${libdir}" != "${exec_prefix}/lib" ] && [ "${root_prefix}/lib" != "${exec_prefix}/lib" ]; then
This will evaluate as follows (collecting the output from bitbake -e glibc)
* no multilibs no usrmerge
if [ "/usr/lib" != "/usr/lib" ] && [ "/lib" != "/usr/lib" ]; then
* no multilibs yes usrmerge
if [ "/usr/lib" != "/usr/lib" ] && [ "/usr/lib" != "/usr/lib" ]; then
* yes multilibs no usrmerge
if [ "/usr/lib64" != "/usr/lib" ] && [ "/lib" != "/usr/lib" ]; then
* yes multilibs yes user merge
if [ "/usr/lib64" != "/usr/lib" ] && [ "/usr/lib" != "/usr/lib" ]; then
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-core/glibc/glibc-package.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-core/glibc/glibc-package.inc b/meta/recipes-core/glibc/glibc-package.inc
index b7c64a0..a1d79b3 100644
--- a/meta/recipes-core/glibc/glibc-package.inc
+++ b/meta/recipes-core/glibc/glibc-package.inc
@@ -214,7 +214,7 @@ do_poststash_install_cleanup () {
rm -rf ${D}${libdir}/gconv
rm -rf ${D}/${localedir}
rm -rf ${D}${datadir}/locale
- if [ "${libdir}" != "${exec_prefix}/lib" ]; then
+ if [ "${libdir}" != "${exec_prefix}/lib" ] && [ "${root_prefix}/lib" != "${exec_prefix}/lib" ]; then
if [ -d "${D}${exec_prefix}/lib" ]; then
if [ -z "${ARCH_DYNAMIC_LOADER}" -o \
! -e "${D}${exec_prefix}/lib/${ARCH_DYNAMIC_LOADER}" ]; then
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 40/43] glibc-locale: Fix build error with PACKAGE_NO_GCONV = "1"
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (38 preceding siblings ...)
2019-09-01 14:36 ` [warrior 39/43] glibc: Fix multilibs + usrmerge builds Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 41/43] glibc/glibc-locale: Fix do_stash_locale to work with usrmerge and multilibs Armin Kuster
` (2 subsequent siblings)
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Jason Wessel <jason.wessel@windriver.com>
When the PACKAGE_NO_GCONV is set to 1 an empty directory is left behind from the do_install rule:
=====
ERROR: glibc-locale-2.29-r0 do_package: QA Issue: glibc-locale: Files/directories were installed but not shipped in any package:
/usr/lib
/usr/lib/locale
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
glibc-locale: 2 installed and not shipped files. [installed-vs-shipped]
ERROR: glibc-locale-2.29-r0 do_package: Fatal QA errors found, failing task.
=====
The simple fix is to prune the empty directory.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-core/glibc/glibc-locale.inc | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-core/glibc/glibc-locale.inc b/meta/recipes-core/glibc/glibc-locale.inc
index a985d26..17f5b78 100644
--- a/meta/recipes-core/glibc/glibc-locale.inc
+++ b/meta/recipes-core/glibc/glibc-locale.inc
@@ -89,6 +89,9 @@ do_install() {
if [ ${PACKAGE_NO_GCONV} -eq 0 ]; then
copy_locale_files ${libdir}/gconv 0755
copy_locale_files ${datadir}/i18n 0644
+ else
+ # Remove the libdir if it is empty when gconv is not copied
+ find ${D}${libdir} -type d -empty -delete
fi
copy_locale_files ${datadir}/locale 0644
install -m 0644 ${LOCALETREESRC}/SUPPORTED ${WORKDIR}/SUPPORTED
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 41/43] glibc/glibc-locale: Fix do_stash_locale to work with usrmerge and multilibs
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (39 preceding siblings ...)
2019-09-01 14:36 ` [warrior 40/43] glibc-locale: Fix build error with PACKAGE_NO_GCONV = "1" Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 42/43] glibc / glibc-locale: Fix stash_locale determinism problems Armin Kuster
2019-09-01 14:36 ` [warrior 43/43] gcc-8.3: Security fix for CVE-2019-14250 Armin Kuster
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Jason Wessel <jason.wessel@windriver.com>
The do_stash_locale was not working consistently across the 4 build
configurations and the multilib, usrmerge configuration would fail
entirely with the obscure message:
| DEBUG: Executing shell function do_prep_locale_tree
| tar: i18n: Cannot stat: No such file or directory
| tar: Exiting with failure status due to previous errors
| gzip: /poky/build/tmp/work/core2-64-poky-linux/glibc-locale/2.29-r0/locale-tree//usr/share/i18n/charmaps/*gz.gz: No such file or directory
| WARNING: /poky/build/tmp/work/core2-64-poky-linux/glibc-locale/2.29-r0/temp/run.do_prep_locale_tree.124690:1 exit 1 from 'gunzip $i'
Here is the 4 build configurations without the patch applied:
A) x86-64 no multilibs, no usrmerge
find ./tmp/work/*/glibc/2.29-r0/stashed-locale -type f |grep -v nscd.service |wc -l
909
B) x86-64 no multilibs, usrmerge
find ./tmp/work/*/glibc/2.29-r0/stashed-locale -type f |grep -v nscd.service |wc -l
909
C) x86-64 multilibs, no usrmerge
find ./tmp/work/*/glibc/2.29-r0/stashed-locale -type f |grep -v nscd.service |wc -l
885
D) x86-64 multilibs, usrmerge
find ./tmp/work/*/glibc/2.29-r0/stashed-locale -type f |grep -v nscd.service |wc -l
864
The issue here is that all the moves should be processed first, then a
copy should be made of the lib directories, but only in the case they
are different when using the usrmerge feature. Even though the build
worked for the multilib configuration without usrmerge, the content
was not the same.
After applying the patch the same number of files are in all the
configurations. The list of files was also diffed, after normalizing
the directory names to ensure all the correct files were copied.
Ultimately there are probably additional files that should be pruned
from what is copied to the stated_locale, but the purpose of this
patch is make it 100% consistent between the build types and fix the
builds.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-core/glibc/glibc-package.inc | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/meta/recipes-core/glibc/glibc-package.inc b/meta/recipes-core/glibc/glibc-package.inc
index a1d79b3..ff17a19 100644
--- a/meta/recipes-core/glibc/glibc-package.inc
+++ b/meta/recipes-core/glibc/glibc-package.inc
@@ -162,21 +162,28 @@ bashscripts = "mtrace sotruss xtrace"
do_stash_locale () {
dest=${LOCALESTASH}
install -d ${dest}${base_libdir} ${dest}${bindir} ${dest}${libdir} ${dest}${datadir}
- if [ "${base_libdir}" != "${libdir}" ]; then
- cp -fpPR ${D}${base_libdir}/* ${dest}${base_libdir}
- fi
+ # Hide away the locale data from the deployment
if [ -e ${D}${bindir}/localedef ]; then
mv -f ${D}${bindir}/localedef ${dest}${bindir}
fi
if [ -e ${D}${libdir}/gconv ]; then
mv -f ${D}${libdir}/gconv ${dest}${libdir}
fi
- if [ -e ${D}${exec_prefix}/lib ]; then
- cp -fpPR ${D}${exec_prefix}/lib ${dest}${exec_prefix}
- fi
if [ -e ${D}${datadir}/i18n ]; then
mv ${D}${datadir}/i18n ${dest}${datadir}
fi
+
+ # Make a copy of all the libraries into the locale stash
+ cp -fpPR ${D}${libdir}/* ${dest}${libdir}
+ if [ "${base_libdir}" != "${libdir}" ]; then
+ cp -fpPR ${D}${base_libdir}/* ${dest}${base_libdir}
+ fi
+ if [ -e ${D}${exec_prefix}/lib ]; then
+ if [ ${exec_prefix}/lib != ${base_libdir} ] && [ ${exec_prefix}/lib != ${libdir} ]; then
+ cp -fpPR ${D}${exec_prefix}/lib ${dest}${exec_prefix}
+ fi
+ fi
+
cp -fpPR ${D}${datadir}/* ${dest}${datadir}
rm -rf ${D}${datadir}/locale/
cp -fpPR ${WORKDIR}/SUPPORTED ${dest}
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 42/43] glibc / glibc-locale: Fix stash_locale determinism problems
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (40 preceding siblings ...)
2019-09-01 14:36 ` [warrior 41/43] glibc/glibc-locale: Fix do_stash_locale to work with usrmerge and multilibs Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
2019-09-01 14:36 ` [warrior 43/43] gcc-8.3: Security fix for CVE-2019-14250 Armin Kuster
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Jason Wessel <jason.wessel@windriver.com>
When using sstate, or performing an incremental build any change to
the do_stash_locale() will cause a build failure because
do_stash_locale() was destroying the results obtained from the
do_install() with several mv operations. A recent change to
do_stash_locale() for a different problem illustrated a number of
build failures for users in the community.
To fix the problem, do_stash_locale() must use copy operations instead
of the mv operations. Because this is changed to a copy, the sysroot
and package stage need to remove the files that would have been
previously removed. The correct "fixup" code to deal with the removal
already existed in the previous do_poststash_install_cleanup(). All
that needed change was the path to where to remove the files
from the sysroot and package stages.
In order to force a re-compilation of glibc some unused white space
was removed from do_compile() for glibc. I could not find any other
way around this and we don't want to have all the community folks to
have another iteration where they have to remove their tmp directories
or purge some portion of the sstate. It also makes this change
bisectable. If the change to the glibc is not included, it will fail
with the following message:
=====
| DEBUG: Executing shell function do_prep_locale_tree
| tar: i18n: Cannot stat: No such file or directory
| tar: Exiting with failure status due to previous errors
| gzip: /poky/build/tmp/work/core2-64-poky-linux/glibc-locale/2.29-r0/locale-tree//usr/share/i18n/charmaps/*gz.gz: No such file or directory
=====
After this one time change I tested changing only the
do_stash_locale() function and it now works well because it is
deterministically operating off the sstate data or a local build.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-core/glibc/glibc-package.inc | 40 ++++++++++++++++++-------------
meta/recipes-core/glibc/glibc_2.29.bb | 1 -
2 files changed, 24 insertions(+), 17 deletions(-)
diff --git a/meta/recipes-core/glibc/glibc-package.inc b/meta/recipes-core/glibc/glibc-package.inc
index ff17a19..5cfb1b6 100644
--- a/meta/recipes-core/glibc/glibc-package.inc
+++ b/meta/recipes-core/glibc/glibc-package.inc
@@ -164,13 +164,13 @@ do_stash_locale () {
install -d ${dest}${base_libdir} ${dest}${bindir} ${dest}${libdir} ${dest}${datadir}
# Hide away the locale data from the deployment
if [ -e ${D}${bindir}/localedef ]; then
- mv -f ${D}${bindir}/localedef ${dest}${bindir}
+ cp -a ${D}${bindir}/localedef ${dest}${bindir}
fi
if [ -e ${D}${libdir}/gconv ]; then
- mv -f ${D}${libdir}/gconv ${dest}${libdir}
+ cp -a ${D}${libdir}/gconv ${dest}${libdir}
fi
if [ -e ${D}${datadir}/i18n ]; then
- mv ${D}${datadir}/i18n ${dest}${datadir}
+ cp -a ${D}${datadir}/i18n ${dest}${datadir}
fi
# Make a copy of all the libraries into the locale stash
@@ -210,30 +210,38 @@ python do_stash_locale_setscene () {
}
addtask do_stash_locale_setscene
-do_poststash_install_cleanup () {
- # Remove all files which do_stash_locale would remove (mv)
- # since that task could have come from sstate and not get run.
+PACKAGE_PREPROCESS_FUNCS += "stash_locale_package_cleanup"
+SYSROOT_PREPROCESS_FUNCS += "stash_locale_sysroot_cleanup"
+stash_locale_cleanup () {
+ cleanupdir=$1
+ # Remove all files which do_stash_locale() copies
for i in ${bashscripts}; do
- rm -f ${D}${bindir}/$i
+ rm -f ${cleanupdir}${bindir}/$i
done
- rm -f ${D}${bindir}/localedef
- rm -rf ${D}${datadir}/i18n
- rm -rf ${D}${libdir}/gconv
- rm -rf ${D}/${localedir}
- rm -rf ${D}${datadir}/locale
+ rm -f ${cleanupdir}${bindir}/localedef
+ rm -rf ${cleanupdir}${datadir}/i18n
+ rm -rf ${cleanupdir}${libdir}/gconv
+ rm -rf ${cleanupdir}/${localedir}
+ rm -rf ${cleanupdir}${datadir}/locale
if [ "${libdir}" != "${exec_prefix}/lib" ] && [ "${root_prefix}/lib" != "${exec_prefix}/lib" ]; then
- if [ -d "${D}${exec_prefix}/lib" ]; then
+ if [ -d "${cleanupdir}${exec_prefix}/lib" ]; then
if [ -z "${ARCH_DYNAMIC_LOADER}" -o \
- ! -e "${D}${exec_prefix}/lib/${ARCH_DYNAMIC_LOADER}" ]; then
+ ! -e "${cleanupdir}${exec_prefix}/lib/${ARCH_DYNAMIC_LOADER}" ]; then
# error out if directory isn't empty
# this dir should only contain locale dir
# which has been deleted in the previous step
- rmdir ${D}${exec_prefix}/lib
+ rmdir ${cleanupdir}${exec_prefix}/lib
fi
fi
fi
}
-addtask do_poststash_install_cleanup after do_stash_locale do_install before do_populate_sysroot do_package
+
+stash_locale_sysroot_cleanup() {
+ stash_locale_cleanup ${SYSROOT_DESTDIR}
+}
+stash_locale_package_cleanup() {
+ stash_locale_cleanup ${PKGD}
+}
pkg_postinst_nscd () {
if [ -z "$D" ]; then
diff --git a/meta/recipes-core/glibc/glibc_2.29.bb b/meta/recipes-core/glibc/glibc_2.29.bb
index 073d153..c6b2caa 100644
--- a/meta/recipes-core/glibc/glibc_2.29.bb
+++ b/meta/recipes-core/glibc/glibc_2.29.bb
@@ -121,7 +121,6 @@ do_compile () {
echo "ldd \"${prevrtld} ${RTLDLIST}\" -> \"${newrtld}\""
sed -i ${B}/elf/ldd -e "s#^RTLDLIST=.*\$#RTLDLIST=\"${newrtld}\"#"
fi
-
}
require glibc-package.inc
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread* [warrior 43/43] gcc-8.3: Security fix for CVE-2019-14250
2019-09-01 14:35 [warrior 00/43] Patch review Armin Kuster
` (41 preceding siblings ...)
2019-09-01 14:36 ` [warrior 42/43] glibc / glibc-locale: Fix stash_locale determinism problems Armin Kuster
@ 2019-09-01 14:36 ` Armin Kuster
42 siblings, 0 replies; 46+ messages in thread
From: Armin Kuster @ 2019-09-01 14:36 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Affects < 9.2
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/gcc/gcc-8.3.inc | 1 +
.../gcc/gcc-8.3/CVE-2019-14250.patch | 44 ++++++++++++++++++++++
2 files changed, 45 insertions(+)
create mode 100644 meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-14250.patch
diff --git a/meta/recipes-devtools/gcc/gcc-8.3.inc b/meta/recipes-devtools/gcc/gcc-8.3.inc
index dce85a2..80f716a 100644
--- a/meta/recipes-devtools/gcc/gcc-8.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-8.3.inc
@@ -74,6 +74,7 @@ SRC_URI = "\
file://0041-Add-a-recursion-limit-to-libiberty-s-demangling-code.patch \
file://0042-PR-debug-86964.patch \
file://0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch \
+ file://CVE-2019-14250.patch \
"
SRC_URI[md5sum] = "65b210b4bfe7e060051f799e0f994896"
SRC_URI[sha256sum] = "64baadfe6cc0f4947a84cb12d7f0dfaf45bb58b7e92461639596c21e02d97d2c"
diff --git a/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-14250.patch b/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-14250.patch
new file mode 100644
index 0000000..e327684
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-14250.patch
@@ -0,0 +1,44 @@
+From a4f1b58eb48b349a5f353bc69c30be553506d33b Mon Sep 17 00:00:00 2001
+From: rguenth <rguenth@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Thu, 25 Jul 2019 10:48:26 +0000
+Subject: [PATCH] 2019-07-25 Richard Biener <rguenther@suse.de>
+
+ PR lto/90924
+ Backport from mainline
+ 2019-07-12 Ren Kimura <rkx1209dev@gmail.com>
+
+ * simple-object-elf.c (simple_object_elf_match): Check zero value
+ shstrndx.
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-8-branch@273794 138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+Affectes: < 9.2
+CVE: CVE-2019-14250
+Dropped changelog
+Signed-off-by: Armin Kuster <Akustre@mvista.com>
+
+---
+ libiberty/simple-object-elf.c | 8 ++++++++
+ 2 files changed, 17 insertions(+)
+
+Index: gcc-8.2.0/libiberty/simple-object-elf.c
+===================================================================
+--- gcc-8.2.0.orig/libiberty/simple-object-elf.c
++++ gcc-8.2.0/libiberty/simple-object-elf.c
+@@ -549,6 +549,14 @@ simple_object_elf_match (unsigned char h
+ return NULL;
+ }
+
++ if (eor->shstrndx == 0)
++ {
++ *errmsg = "invalid ELF shstrndx == 0";
++ *err = 0;
++ XDELETE (eor);
++ return NULL;
++ }
++
+ return (void *) eor;
+ }
+
--
2.7.4
^ permalink raw reply related [flat|nested] 46+ messages in thread