[hardknott][PATCH 0/4] Review request

[hardknott][PATCH 0/4] Review request

[Anuj Mittal]

Please review these changes for hardknott. One intermittent ltp failure
seen for qemuarm64.

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2625

Thanks,

Anuj

The following changes since commit e99578cde6078828a3075e10f1bb97e1a373ce12:

  linux-yocto/5.4: update to v5.4.144 (2021-09-16 00:56:36 +0800)

are available in the Git repository at:

  git://push.openembedded.org/openembedded-core-contrib anujm/hardknott

Armin Kuster (1):
  tar: ignore node-tar CVEs

Kiran Surendran (1):
  ffmpeg: fix CVE-2021-38114

Mark Hatle (1):
  externalsrc: Work with reproducible_build

Richard Purdie (1):
  sstate: Avoid problems with recipes using SRCPV when fetching sstate

 meta/classes/externalsrc.bbclass              | 10 +++
 meta/classes/sstate.bbclass                   |  4 ++
 meta/recipes-extended/tar/tar_1.34.bb         |  1 +
 .../ffmpeg/ffmpeg/fix-CVE-2021-38114.patch    | 67 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb |  1 +
 5 files changed, 83 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38114.patch

-- 
2.31.1

[hardknott][PATCH 1/4] sstate: Avoid problems with recipes using SRCPV when fetching sstate

[Anuj Mittal]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

When fetching sstate, SRCPV can be expanded withuin PV which breaks the
sstate fetcher as other variables like SRC_URI are changed by the fetcher
code. Expand the variable before doing this to avoid those problems and
hence avoid setscene task failures with remote sstate storage in git
recipes.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0d9d7acebe0be42d4cf8a30ecbbbbcb2dfd16a4b)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/sstate.bbclass | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index 4bf087b4e8..8b4bfc25b7 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -731,6 +731,7 @@ def pstaging_fetch(sstatefetch, d):
     localdata.setVar('FILESPATH', dldir)
     localdata.setVar('DL_DIR', dldir)
     localdata.setVar('PREMIRRORS', mirrors)
+    localdata.setVar('SRCPV', d.getVar('SRCPV'))
 
     # if BB_NO_NETWORK is set but we also have SSTATE_MIRROR_ALLOW_NETWORK,
     # we'll want to allow network access for the current set of fetches.
@@ -755,6 +756,9 @@ def pstaging_fetch(sstatefetch, d):
         except bb.fetch2.BBFetchException:
             pass
 
+pstaging_fetch[vardepsexclude] += "SRCPV"
+
+
 def sstate_setscene(d):
     shared_state = sstate_state_fromvars(d)
     accelerate = sstate_installpkg(shared_state, d)
-- 
2.31.1

[hardknott][PATCH 2/4] tar: ignore node-tar CVEs

[Anuj Mittal]

From: Armin Kuster <akuster808@gmail.com>

These three CVEs are specific to the Node package node-tar.

exclude: CVE-2021-37701 CVE-2021-37712 CVE-2021-37713

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9f9317a02d73c1e5aea026683a037e52c996c7bb)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-extended/tar/tar_1.34.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-extended/tar/tar_1.34.bb b/meta/recipes-extended/tar/tar_1.34.bb
index 66c11cbfea..f41e5b33d4 100644
--- a/meta/recipes-extended/tar/tar_1.34.bb
+++ b/meta/recipes-extended/tar/tar_1.34.bb
@@ -64,3 +64,4 @@ BBCLASSEXTEND = "native nativesdk"
 
 # These are both specific to the NPM package node-tar
 CVE_CHECK_WHITELIST += "CVE-2021-32803 CVE-2021-32804"
+CVE_CHECK_WHITELIST += "CVE-2021-37701 CVE-2021-37712 CVE-2021-37713"
-- 
2.31.1

[hardknott][PATCH 3/4] externalsrc: Work with reproducible_build

[Anuj Mittal]

From: Mark Hatle <mark.hatle@xilinx.com>

Externalsrc removes do_fetch, do_unpack, and do_patch.  The system normally
discovers the correct reproducible date as a postfuncs of do_unpack, so this
date is never found, so it falls back to the default epoch.

Instead we can move the discovery function to a prefuncs on the epoch
deploy task.  This task will run before do_configure, and since the source
is already available can run safely at anytime.

Signed-off-by: Mark Hatle <mark.hatle@xilinx.com>
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0b7dd711a54e92ce54abe99f59fc67e683d52dfe)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/classes/externalsrc.bbclass | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/meta/classes/externalsrc.bbclass b/meta/classes/externalsrc.bbclass
index 3d6b80bee2..1ea938fb62 100644
--- a/meta/classes/externalsrc.bbclass
+++ b/meta/classes/externalsrc.bbclass
@@ -110,6 +110,16 @@ python () {
                 continue
             bb.build.deltask(task, d)
 
+        if bb.data.inherits_class('reproducible_build', d) and 'do_unpack' in d.getVar("SRCTREECOVEREDTASKS").split():
+            # The reproducible_build's create_source_date_epoch_stamp function must
+            # be run after the source is available and before the
+            # do_deploy_source_date_epoch task.  In the normal case, it's attached
+            # to do_unpack as a postfuncs, but since we removed do_unpack (above)
+            # we need to move the function elsewhere.  The easiest thing to do is
+            # move it into the prefuncs of the do_deploy_source_date_epoch task.
+            # This is safe, as externalsrc runs with the source already unpacked.
+            d.prependVarFlag('do_deploy_source_date_epoch', 'prefuncs', 'create_source_date_epoch_stamp ')
+
         d.prependVarFlag('do_compile', 'prefuncs', "externalsrc_compile_prefunc ")
         d.prependVarFlag('do_configure', 'prefuncs', "externalsrc_configure_prefunc ")
 
-- 
2.31.1

[hardknott][PATCH 4/4] ffmpeg: fix CVE-2021-38114

[Anuj Mittal]

From: Kiran Surendran <kiran.surendran@windriver.com>

backport from upstream

Signed-off-by: Kiran Surendran <kiran.surendran@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../ffmpeg/ffmpeg/fix-CVE-2021-38114.patch    | 67 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb |  1 +
 2 files changed, 68 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38114.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38114.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38114.patch
new file mode 100644
index 0000000000..3de7cf7e0f
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38114.patch
@@ -0,0 +1,67 @@
+CVE: CVE-2021-38114
+Upstream-Status: Backport
+Signed-off-by: Kiran Surendran <kiran.surendran@windriver.com>
+
+From 662aef4aacf23b4be4c1cfaebd837e225b357e51 Mon Sep 17 00:00:00 2001
+From: maryam ebr <me22bee@outlook.com>
+Date: Tue, 3 Aug 2021 01:05:47 -0400
+Subject: [PATCH] avcodec/dnxhddec: check and propagate function return value
+
+Similar to CVE-2013-0868, here return value check for 'init_vlc' is needed.
+crafted DNxHD data can cause unspecified impact.
+
+Reviewed-by: Paul B Mahol <onemda@gmail.com>
+Signed-off-by: James Almer <jamrial@gmail.com>
+---
+ libavcodec/dnxhddec.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c
+index e5d01e2e71..54f894f81b 100644
+--- a/libavcodec/dnxhddec.c
++++ b/libavcodec/dnxhddec.c
+@@ -110,6 +110,7 @@ static av_cold int dnxhd_decode_init(AVCodecContext *avctx)
+ 
+ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth)
+ {
++    int ret;
+     if (cid != ctx->cid) {
+         int index;
+ 
+@@ -129,19 +130,26 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth)
+         ff_free_vlc(&ctx->dc_vlc);
+         ff_free_vlc(&ctx->run_vlc);
+ 
+-        init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257,
++        if ((ret = init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257,
+                  ctx->cid_table->ac_bits, 1, 1,
+-                 ctx->cid_table->ac_codes, 2, 2, 0);
+-        init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12,
++                 ctx->cid_table->ac_codes, 2, 2, 0)) < 0)
++            goto out;
++        if ((ret = init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12,
+                  ctx->cid_table->dc_bits, 1, 1,
+-                 ctx->cid_table->dc_codes, 1, 1, 0);
+-        init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62,
++                 ctx->cid_table->dc_codes, 1, 1, 0)) < 0)
++            goto out;
++        if ((ret = init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62,
+                  ctx->cid_table->run_bits, 1, 1,
+-                 ctx->cid_table->run_codes, 2, 2, 0);
++                 ctx->cid_table->run_codes, 2, 2, 0)) < 0)
++            goto out;
+ 
+         ctx->cid = cid;
+     }
+-    return 0;
++    ret = 0;
++out:
++    if (ret < 0)
++        av_log(ctx->avctx, AV_LOG_ERROR, "init_vlc failed\n");
++    return ret;
+ }
+ 
+ static int dnxhd_get_profile(int cid)
+-- 
+2.31.1
+
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
index 3162617336..2df8fc45cf 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
@@ -33,6 +33,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
            file://fix-CVE-2020-22033-CVE-2020-22019.patch \
            file://fix-CVE-2021-38291.patch \
            file://fix-CVE-2021-38171.patch \
+           file://fix-CVE-2021-38114.patch \
            "
 SRC_URI[sha256sum] = "46e4e64f1dd0233cbc0934b9f1c0da676008cad34725113fb7f802cfa84ccddb"
 
-- 
2.31.1

Re: [OE-core] [hardknott][PATCH 3/4] externalsrc: Work with reproducible_build

[Richard Purdie]

On Wed, 2021-09-22 at 01:03 +0800, Anuj Mittal wrote:
> From: Mark Hatle <mark.hatle@xilinx.com>
> 
> Externalsrc removes do_fetch, do_unpack, and do_patch.  The system normally
> discovers the correct reproducible date as a postfuncs of do_unpack, so this
> date is never found, so it falls back to the default epoch.
> 
> Instead we can move the discovery function to a prefuncs on the epoch
> deploy task.  This task will run before do_configure, and since the source
> is already available can run safely at anytime.
> 
> Signed-off-by: Mark Hatle <mark.hatle@xilinx.com>
> Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit 0b7dd711a54e92ce54abe99f59fc67e683d52dfe)
> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
> ---
>  meta/classes/externalsrc.bbclass | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/meta/classes/externalsrc.bbclass b/meta/classes/externalsrc.bbclass
> index 3d6b80bee2..1ea938fb62 100644
> --- a/meta/classes/externalsrc.bbclass
> +++ b/meta/classes/externalsrc.bbclass
> @@ -110,6 +110,16 @@ python () {
>                  continue
>              bb.build.deltask(task, d)
>  
> +        if bb.data.inherits_class('reproducible_build', d) and 'do_unpack' in d.getVar("SRCTREECOVEREDTASKS").split():
> +            # The reproducible_build's create_source_date_epoch_stamp function must
> +            # be run after the source is available and before the
> +            # do_deploy_source_date_epoch task.  In the normal case, it's attached
> +            # to do_unpack as a postfuncs, but since we removed do_unpack (above)
> +            # we need to move the function elsewhere.  The easiest thing to do is
> +            # move it into the prefuncs of the do_deploy_source_date_epoch task.
> +            # This is safe, as externalsrc runs with the source already unpacked.
> +            d.prependVarFlag('do_deploy_source_date_epoch', 'prefuncs', 'create_source_date_epoch_stamp ')
> +
>          d.prependVarFlag('do_compile', 'prefuncs', "externalsrc_compile_prefunc ")
>          d.prependVarFlag('do_configure', 'prefuncs', "externalsrc_configure_prefunc ")
>  

I am a little concerned about this one. I think it may introduce a race. We saw
this on the autobuilder.

https://autobuilder.yoctoproject.org/typhoon/#/builders/87/builds/2594/steps/14/logs/stdio

I did quickly put this patch together:

http://git.yoctoproject.org/cgit.cgi/poky-contrib/commit/?h=rpurdie/t222&id=bcf46a5f12ae15713a53297342d8341b73c16d94

but I haven;t tested it or tried to debug/confirm as yet.

Cheers,

Richard

Re: [OE-core] [hardknott][PATCH 3/4] externalsrc: Work with reproducible_build

[Anuj Mittal]

On Tue, 2021-09-21 at 19:48 +0100, Richard Purdie wrote:
> On Wed, 2021-09-22 at 01:03 +0800, Anuj Mittal wrote:
> > From: Mark Hatle <mark.hatle@xilinx.com>
> > 
> > Externalsrc removes do_fetch, do_unpack, and do_patch.  The system
> > normally
> > discovers the correct reproducible date as a postfuncs of
> > do_unpack, so this
> > date is never found, so it falls back to the default epoch.
> > 
> > Instead we can move the discovery function to a prefuncs on the
> > epoch
> > deploy task.  This task will run before do_configure, and since the
> > source
> > is already available can run safely at anytime.
> > 
> > Signed-off-by: Mark Hatle <mark.hatle@xilinx.com>
> > Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > (cherry picked from commit
> > 0b7dd711a54e92ce54abe99f59fc67e683d52dfe)
> > Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
> > ---
> >  meta/classes/externalsrc.bbclass | 10 ++++++++++
> >  1 file changed, 10 insertions(+)
> > 
> > diff --git a/meta/classes/externalsrc.bbclass
> > b/meta/classes/externalsrc.bbclass
> > index 3d6b80bee2..1ea938fb62 100644
> > --- a/meta/classes/externalsrc.bbclass
> > +++ b/meta/classes/externalsrc.bbclass
> > @@ -110,6 +110,16 @@ python () {
> >                  continue
> >              bb.build.deltask(task, d)
> >  
> > +        if bb.data.inherits_class('reproducible_build', d) and
> > 'do_unpack' in d.getVar("SRCTREECOVEREDTASKS").split():
> > +            # The reproducible_build's
> > create_source_date_epoch_stamp function must
> > +            # be run after the source is available and before the
> > +            # do_deploy_source_date_epoch task.  In the normal
> > case, it's attached
> > +            # to do_unpack as a postfuncs, but since we removed
> > do_unpack (above)
> > +            # we need to move the function elsewhere.  The easiest
> > thing to do is
> > +            # move it into the prefuncs of the
> > do_deploy_source_date_epoch task.
> > +            # This is safe, as externalsrc runs with the source
> > already unpacked.
> > +            d.prependVarFlag('do_deploy_source_date_epoch',
> > 'prefuncs', 'create_source_date_epoch_stamp ')
> > +
> >          d.prependVarFlag('do_compile', 'prefuncs',
> > "externalsrc_compile_prefunc ")
> >          d.prependVarFlag('do_configure', 'prefuncs',
> > "externalsrc_configure_prefunc ")
> >  
> 
> I am a little concerned about this one. I think it may introduce a
> race. We saw
> this on the autobuilder.
> 
> https://autobuilder.yoctoproject.org/typhoon/#/builders/87/builds/2594/steps/14/logs/stdio
> 
> I did quickly put this patch together:
> 
> http://git.yoctoproject.org/cgit.cgi/poky-contrib/commit/?h=rpurdie/t222&id=bcf46a5f12ae15713a53297342d8341b73c16d94
> 
> but I haven;t tested it or tried to debug/confirm as yet.
> 

Oh okay, I will drop this change for now in that case.

Thanks,

Anuj